Personal Information Security and Malware Awareness Workshop Bard College at Simon’s Rock Information Technology Services (ITS) Summer 2012 (Please sign in on the attendance sheet so we know you’ve been here!)


Page 1: Title slide

Personal Information Security and Malware Awareness Workshop
Bard College at Simon’s Rock, Information Technology Services (ITS), Summer 2012
(Please sign in on the attendance sheet so we know you’ve been here!)

Page 2: What are we doing here?

• Brief intro to (some of) the information protection laws that apply to Simon’s Rock
  – Especially the 2010 “Mass. Privacy Law”, which is the reason you have to attend this session.
• Strategies for protecting the private data we work with.
  – Needs to be a college-wide effort.
  – Reduce the amount of private data we store, Restrict access to what we do store, and Encrypt any that leaves campus.
• Defenses against individual attacks on our personal accounts and computers.
  – Unique passwords, required to wake system
  – Software updates
  – Recognizing fraudulent emails and websites

Page 3: Warm Up: If Nothing Else, Remember This

• Legitimate online service providers, including ITS staff and your bank, will never, ever ask you for your password by e-mail. (Watch out for fake login links by email, too.)

Page 4: What is Protected Personal Information?

Depends which law is defining it! (We have to comply with lots of ’em!) Assume financial, academic, and health data need to be protected.

• FERPA — Family Education Right to Privacy Act
• PCI — Payment Card Industry regulations
• HIPAA — Health Insurance Portability and Accountability Act
• MA CMR 201 17 — “Standards for the Protection of Personal Information of Residents of the Commonwealth” (aka the “Massachusetts Privacy Law”). This is the big one…
• IANAL — I Am Not A Lawyer: This is a very brief overview, and I don’t really know what I’m talking about.

Page 5: FERPA*

– FERPA covers living students and alumni, and protects their academic records.
– Also, each institution defines “student directory information” (Ours is in our Student Handbook)
– Everything else is “non-directory information”
– Simon’s Rock may release directory information
– We may not release non-directory information without prior consent of the student, except in specific circumstances (such as a subpoena)
– A student may request that even their directory information not be published

*(ask Heidi and Moira if you desire more details)

Page 6: FERPA (more)

• In general, faculty and staff have access to personally identifiable, non-directory information about students as long as they have a legitimate educational interest in it, in other words a "need to know."
• Releasing personally identifiable non-directory information to others without prior permission from the student or alumnus/a is illegal.

• Directory Information @ Simon’s Rock
  – student’s name;
  – addresses (home, campus, and email);
  – telephone numbers (home and campus);
  – major or field of study;
  – date and place of birth;
  – full- or part-time status;
  – enrollment dates;
  – date of graduation (past or anticipated);
  – current grade level (first-year, sophomore, junior, or senior);
  – graduation information as published in the commencement program.

Page 7: PCI*: Credit Card Transactions

• Any entity which collects payments with credit cards is contractually bound to follow the Payment Card Industry (PCI) Standard to protect information related to credit-card transactions.
• The PCI standard provides very specific guidelines on how to protect such information in both paper and electronic formats.
• Failure to comply can result in withholding of credit card revenue to pay fines & penalties.
• See https://www.pcisecuritystandards.org

*I’m not sure if we have a resident expert on PCI. (I’m not it.)

Page 8: PCI (more): Credit Cards at Simon’s Rock

– Kilpatrick Athletic Center
– Admissions
– Development and Alumni Relations
  • Phone-a-thons?
– Business Office
– Chartwells and Bookstore
– Others?

Page 9: HIPAA*

• Protect Personal Health Information
  – Personal Health Information (PHI) must be protected, including information about:
    • Health Status
    • Provision of Health Care
    • Payment for Health Care
    • In general, any information about a patient’s medical record or medical payment history is protected.
  – HIPAA defines administrative, physical, and technical safeguards for protecting PHI
  – HIPAA applies to faculty, staff, and student information
  – (FERPA also covers student health information, since it is non-directory information)

*We pretty much depend on Health Services staff to deal with HIPAA.

Page 10: MA CMR 201 17* (Mass Privacy Law)

• Protects Personal Financial Information (PFI)
  – Mass. definition: A person’s name with their:
    • Social Security Number (SSN)
    • Driver’s License or State-issued ID Number
    • Financial Account Number
    • Credit Card Number
• Information in any format: paper or digital
• Protection applies to all Mass. residents:
  – Students, Alumni, Employees, Guest speakers, contractors, …and everybody else.

*Janice is probably our best resource on this, plus there is lots of data on-line, because it is a recent law and all MA businesses have been scrambling to comply.

Page 11: MA CMR 201 17 (more)

• Mass. businesses must develop, implement and maintain a comprehensive Written Information Security Program (WISP) to…
  – Designate “one or more employees to design, implement and coordinate” the program
  – Put in place processes for “Inventorying paper, electronic and other records, computing systems, and storage media, including laptops and portable devices used to store personal information, to identify those records containing personal information.”
  – Put in place “administrative, technical, and physical safeguards to ensure the security and confidentiality of such records”

Page 12: MA CMR 201 17 (still more)

• WISP requirements continued…
  – “Verify that third-party service providers with access to personal information have the capacity to protect such personal information”
  – Provide “Education and training of employees on the proper use of the computer security system and the importance of personal information security”
• But, having the WISP written down is one thing; making it work to actually protect data depends on all of us.

Page 13: MA CMR 201 17 (omg, more)

The law has regulations about Information Security Breaches, defined as unauthorized use or acquisition of personal information that “creates a substantial risk of identity theft or fraud.”

So, a breach means the release (or potential release) of either:
- Unencrypted personal financial information
- Unencrypted data capable of compromising personal financial information (e.g. usernames & passwords)

Page 14: MA CMR 201 17 (more, more, more!): Information Security Breach

If a breach or possible breach occurs in Massachusetts:

Businesses and other organizations in MA must notify
- MA Office of Consumer Affairs and Business Regulation
- The Massachusetts Attorney General
- The individuals whose information is at risk

The notification to the State must include:
– The nature and circumstances of the breach
– The number of Mass residents involved
– Steps that have been taken to deal with the breach

The notification to involved individuals must include:
– Consumers’ right to obtain a police report
– Instructions for requesting a credit report security freeze
– BUT, should not include the nature of the breach or number of MA residents involved.

Page 15: Williams Breach: October, 2009

Data loss occurred when a college-owned laptop computer was stolen from the user’s car. Steps necessary to respond to this breach:

• Interviewed laptop owner about information on laptop
• Scanned laptop backup files for protected financial information and health data
  – Protected data was found (Names w/ SSN’s), so laws in 39 states and many foreign countries probably apply, depending on residency of leaked individuals
• Williams obtained legal assistance and contracted for breach counseling services

Page 16: Where did the Williams’ SSN’s come from?

• Excel files of pre-2006 class rosters from the old Student System (SIS)

• E-mail messages related to paying individuals such as guest speakers, performers, referees

• Unsolicited e-mail messages that contained protected personal data.

Page 17: Williams Breach: Cleanup Process

• Compiled list of residential and e-mail addresses for approximately 750 potential victims
• Notified potential victims by mail and by e-mail, sent all-campus e-mail notice
• Responded to phone calls and e-mails
• Financial costs to handle this breach included staff time, legal assistance and breach counseling services. Costs exceeded $50,000.
• Note: If the laptop had been encrypted, the only loss would have been the cost of the laptop. (Hint: Do not store Simon’s Rock PPI on an unencrypted portable device!)

Page 18: (Aside) Fun Fact: if your personal data is involved in a data breach, you get a Free Credit Report Security Freeze

Any consumer in Massachusetts, New York, or Vermont may place a security freeze on his or her credit report by sending a request in writing, by mail, to all 3 consumer reporting agencies (EquiFax, Experian, TransUnion).

There’s no fee for victims or their spouses for placing or removing a security freeze on a credit report. You can prove you’re a victim by sending a copy of a police report. All other consumers must pay a $5-$10 fee.

See the Consumers Union web site for more information: www.consumersunion.org

Page 19: Discussion break (pop quiz?)

• You are the advisor to a first-year student. Their parent emails you and is concerned that the student is not doing well in classes, and asks if you can check with the student’s professors and let the parent know.

Can you do this? What regulations might apply?

Page 20: Here’s the FERPA form that all students fill out:

Bard College at Simon’s Rock
Office of the Registrar

Student Grade Release Authorization - Update (Please print clearly)

Today’s Date: ________  Student ID: ________  First Name: ________  Last Name: ________

Parent/Guardian 1 Name & Address: ________
Home Phone: ________  Cell Phone: ________  Work Phone: ________  Email Address: ________

Parent/Guardian 2 Name & Address: ________
Home Phone: ________  Cell Phone: ________  Work Phone: ________  Email Address: ________

STUDENT - PLEASE READ CAREFULLY AND SIGN BELOW: Because Bard College at Simon’s Rock students are younger than traditional college students, we encourage and generally expect there to be more open communication between the College and students’ parents and guardians than is usual. However, in compliance with the Federal Family Education Rights and Privacy Act of 1974 (FERPA), Bard College at Simon's Rock only releases educational information if the student has provided written consent authorizing access to such information (e.g. student records, academic reports, attendance concerns and notices, grade reports)*. The student’s signature on this document allows employees of Bard College at Simon’s Rock to release this information to those individuals identified in the section “Release Educational Information To”. Students may request a change in this authorization by submitting a written notice to the Office of the Registrar.

*FERPA does allow parents of dependent children access to educational records (even if a student has not provided consent) by providing proof of dependent status to the Office of the Registrar.

I have reviewed this form and have written in any necessary changes.
STUDENT SIGNATURE: ________  DATE: ________

Release Academic Information to (please check): [ ] Parent/Guardian 1  [ ] Parent/Guardian 2

Page 21: Part II: Okay, so what do we do?

• How do we comply with all these laws?

• We need to determine what “Protected” data we really need to have, and then figure out how to actually protect it.

• (Disclaimer: This data protection is not something ITS can magically make happen!)

Page 22: Data Security Guiding Principles

• Reduce!
  – Don’t collect personal data you don’t need
  – Don’t store data you won’t need again
• Restrict!
  – Keep protected data in secure locations
    • Paper docs in locked drawers or closets
    • Electronic docs stay on central servers
    • Password required to see your screen!
• Encrypt!
  – Protected electronic data that leaves Simon’s Rock must be encrypted. (Also: Why is it leaving? Is it going to someone with a legitimate need for it?)

Page 23: Shared Responsibility for Data Security

Responsibility of Staff Departments
Each department head is responsible for ensuring the appropriate protection of information within his or her area. Every employee is responsible for protecting the data they use and store, both electronic and on paper.

Responsibility of Faculty
Every faculty member is responsible for ensuring the confidentiality of any information they collect or use, both electronic and on paper. The Dean of Academic Affairs and Division heads should be aware of protected information handled by their divisions.

Page 24: What about your office?

• Goal: Minimize the potential risks from information leaks
• If you don’t need it, get rid of it (use a shredder if it’s paper)
• Be skeptical of requests for information
  – Don’t disclose protected information to just anyone!

Page 25: What about your office?

• Does your office handle legally-protected or confidential information?
  – Do you know what protected data you have?
• Workgroups should audit their stored data to confirm that old confidential docs are still required.
• If you’re not sure what’s protected, ask!
  – Photocopies of checks?
  – Credit card info on scrap paper until it is processed?
• Does your office or department have policies and procedures for protecting confidential information?

Page 26: What about your office?

• Does your office send or receive confidential information via e-mail?
  – Encrypt them when you send (details later)
  – Delete them from email when you receive them
• Does your office use a shredder?
  – Or the secure document disposal can at Business Office.
• Do you lock up your files when the office is closed?
• Does your computer need a password to wake from sleep?
• Do you lock the screen when you are away from your desk?

Page 27: Goal: Each department that handles PPI has an Information Usage Policy

• An information usage policy explains
  – What information is confidential
  – How to protect confidential information
  – How to handle requests for information, both internal and external
  – When and how to dispose of confidential information
  – What the consequences are if the policy isn’t followed

Page 28: ITS can help (somewhat)

• Locate data with PPI (part of your office audit!)
  – We have software called Identity Finder which will search documents (Word, Excel, pdfs) and email for things that look like PPI
  – Often finds SS#s, Credit Card #s, Bank Account #s and passwords in clear text.
  – Such data should be removed from your computer:
    • Delete if not needed
    • Store only on the server if possible.
• Install Full-Disk encryption on all college laptops
  – Truecrypt on Windows, File Vault on Macs
  – Requires extra password to decrypt for boot
  – Hard disk unreadable without decryption
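The kind of search the slide describes Identity Finder doing, as an added example (not Identity Finder's code, and not part of the ITS deck): SSNs by pattern, card numbers with a Luhn check to weed out random digit runs, and clear-text passwords, reported with all but the last four characters masked. The sample "roster" text and every number in it are constructed.

```python
"""Scan text for things that look like PPI: SSNs, payment-card numbers
(Luhn-checked to cut false positives) and clear-text passwords.
Added example, not Identity Finder's own code; the sample text is constructed."""
import re

# Constructed sample document. 4111 1111 1111 1111 is a well-known Luhn-valid
# test number; the "...1112" variant fails the check and must not be reported.
SAMPLE_TEXT = """Roster Fall 2005 (exported from the old SIS)
Jane Doe, SSN 123-45-6789, paid 2005-09-01
Guest speaker honorarium: card 4111 1111 1111 1111 exp 03/09
Referee travel: card 4111 1111 1111 1112 (typo?)
webmail password: Summer2012!
Office phone 413-555-0100, zip 01230-1234
"""

# Area 000/666/9xx, group 00 and serial 0000 are never issued as SSNs.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
PASSWORD_RE = re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment cards: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so the report is not itself a copy of the PPI."""
    return "*" * (len(value) - 4) + value[-4:]


def find_ppi(text: str) -> list:
    """Return (line_number, kind, masked_value) tuples for every hit in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            hits.append((lineno, "SSN", mask(m.group())))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if 13 <= len(digits) <= 16 and luhn_ok(digits):
                hits.append((lineno, "card", mask(digits)))
        for m in PASSWORD_RE.finditer(line):
            hits.append((lineno, "password", mask(m.group(1))))
    return hits


if __name__ == "__main__":
    for lineno, kind, value in find_ppi(SAMPLE_TEXT):
        print(f"line {lineno}: {kind} {value}")
```

The phone number, ZIP and date on the last lines are the usual false-positive sources; the digit-count limits and the Luhn check keep them out of the report.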

Page 29: Part III: Getting Personal — Securing PCs (including home PCs)

• Some elements are software based, e.g. system updates, secure password storage.
• Mostly human based: Learn to recognize fake emails and bogus websites
• BUT: The bad guys are getting better and better. Malware and web-based attacks get more sophisticated and more effective.

Page 30: How is data lost or stolen?

Via Physical Access:
• Theft of computer, external drives, flash drives, CDs, smartphones
• Carelessness with passwords: Written in obvious places, passwords or hints too simple, home wifi router passwords left at default value.
• It just takes seconds to read saved Firefox passwords, or to install monitoring software.

Via the Network:
• E-mail phishing scams – users reply with passwords
• Server hacks: Password files stolen and decrypted via “brute force”, then any recovered usernames/passwords are tried on other services.
• Viruses / spyware used to install key-loggers or other monitoring software remotely
  – Includes “Drive by” web hacks. Malware code hacked into a legit website infects your computer when you visit.
• Wireless data sniffing

Page 31: Install ALL updates to key software

• Updates come out so frequently because new exploits of bugs & security flaws are discovered all the time.
  – (Can you get the fixes installed before you get hacked by the new malware?)
• Important Software to Update:
  – Windows or Mac OS
  – AntiVirus definitions
  – Java
  – Adobe Reader
  – Adobe Flash player
  – Firefox (and all browsers)

Or: http://ninite.com : Select, install, and update software

Page 32: Simple computer security

• Don’t use post-its to manage your passwords
  – Use a program with strong encryption to store passwords
    • http://keepass.info
    • https://lastpass.com
• Don’t store passwords in Firefox (no encryption)
• If you must write passwords down, keep them in your wallet.
• If you have your own office: keep the door locked when away
• If you work in a public area, lock your screen when you leave
  – Windows: Press Windows-key + L to lock without logging out.
  – Macintosh: Apple Menu > Sleep. (Also, see next point!)
• Require a password when your computer wakes from sleep
• Laptop security cable: Cheap, prevents opportunistic theft.

Page 33: E-mail and PPI

• E-mail & files sent over the Internet containing PPI must be encrypted.
  – E-mail may pass through many servers en route to its destination
  – Our users often read email on small devices that are not encrypted and that can be easily lost.
  – Most computer email clients keep local copies of e-mails that can be read by anyone with access to the system
• For these reasons, any un-encrypted PPI in an email counts as a potential data breach.

Page 34: Received email with PPI

• Some bozo un-aware parent sends you an email with an unencrypted PDF of their tax return attached. What do you do?
  – Get this document out of your email box!
  – Download the document if you need it
  – Delete the message, and Empty your trash.
  – If you need to forward it to another staff member, encrypt the file you downloaded, email the encrypted version, and delete the file.

Page 35: Sending PPI (Encryption basics)

• Encryption is scrambling a file using complex mathematics and a password.
  – Without the password, the file is random gibberish.
  – The password allows the file to be decrypted back to the original readable form, using similar complex math
  – Some encryption schemes are “weak” and can’t be used.
• Choose a password, encrypt the file of PPI, and attach the encrypted version to an email
  – Don’t send the password via email! (Call or skype or something to get it to the recipient)
  – Don’t use your regular system password!
  – If you send many files to this recipient, you can use the same password for all of them

Page 36: Encrypting Microsoft Office files

• MS Office (since 2007) has strong encryption. So, password protect Word and Excel files of PPI directly in Office.
  – Must use the new .docx or .xlsx file formats — encryption of the older .DOC or .XLS versions is weak, and there are free websites that can decrypt these files without the password.
  – (Recipient must have Office 2007 or later to read such files.)
  – To encrypt: File menu > Info. Click “Protect…” button, then select “Encrypt with password.”

Page 37: Encryption for other files (PDF, etc.)

• Zip files have adequate encryption. So, put the file or files you need to send into a zip file, and then add a password.
  – Use a long passphrase, as zip encryption is weaker with short passwords.
  – Older Macs will not open password-protected zip files without additional (free) software.
• The password scheme built-in to PDF files is very weak. Use password protected zip files instead

Page 38: Traveling with a computer

• Before you leave, think about what it would mean if your laptop were stolen or lost – are you sure you need it on your trip?
• Consider a loaner with no personal data.
• If you just need to check email you can use a smart phone.
• Do not EVER leave a laptop in a parked car in a city – this is by far the most common way that laptops are stolen
• Don’t check your laptop when flying – in general don’t let your computer out of your sight.
• If using a public wireless network, use https sites to prevent data sniffing

If your laptop is stolen, contact ITS immediately and change your Simon’s Rock password (consider it compromised)

Page 39: Web Security

We are often required to log into web sites. How can you tell if the site is legitimate? First, any site with a login must be https://, not http://

Next, check the “domain” – which of these could be Simon’s Rock sites:

https://www.simons-rockrewards.com/
https://simons-rock.edu.technical-support.com/
https://technical-support.simons-rock.edu/

The domain is the last two words between the “http://” or “https://” and the next “/”

Same format as email addresses: [email protected] or [email protected]

Any Simon’s Rock site will be //xyz.simons-rock.edu/
Any American Express site will be //xyz.americanexpress.com/
https://www.simons-rock.edu/go/x is legitimate because the domain is correct

Page 40: Email Security + Phishing

• NEVER FORGET: It is easy to spoof the From: address in an email.
• Does the From: address match the Reply-to: address? (if not, beware)
• Phishing emails often start out “your account has been used to send spam” or “we are doing maintenance on our webmail system” – then they ask that you reply with your username and password
• There will never be a reason to give anyone your password by email – honestly. (Also, be careful of email links to login sites.)
• Note: E-mail notifications to the community from Simon’s Rock ITS will always be from an individual listed at ITS in the campus staff directory, not from a generic name like “Help Desk”. (But, the directory is on-line, so a smart spammer could use it to find a good from address.)

Phishing is the fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.

Page 41: Find the “phishing” clues

From: ”Bard College at Simon’s Rock" <[email protected]>
Date: February 13, 2009 11:25:45 AM EST
Subject: Webmail Subscriber
Reply-To: [email protected]

Attn. Webmail User,
We regret to announce to you that we will be making some vital maintainance on our webmail. During this process you might have login problems in signing into your Online account, but to prevent this you have to confirm your account immediately after you receive this notification.

Your simons-rock.edu Account Confirmation
Name:
E-mail ID:
E-mail Password:
Date of birth:

Your account shall remain active after you have successfully confirmed your account details.

Thanks
Bard College at Simon’s Rock
Webmail Support Team

Page 42: “Phishing” clues shown in yellow

From: ”Bard College at Simon’s Rock" <[email protected]>
Date: February 13, 2009 11:25:45 AM EST
Subject: Webmail Subscriber (Missing email list “tag”, e.g. [Faculty])
Reply-To: [email protected]

Attn. Webmail User,
We regret to announce to you that we will be making some vital maintainance on our webmail. During this process you might have login problems in signing into your Online account, but to prevent this you have to confirm your account immediately after you receive this notification.

Your simons-rock.edu Account Confirmation
Name:
E-mail ID:
E-mail Password:
Date of birth:

Your account shall remain active after you have successfully confirmed your account details.

Thanks
Bard College at Simon’s Rock
Webmail Support Team
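The clues from page 40 applied to the sample on pages 41-42, as an added example that is not part of the ITS deck: From: and Reply-To: on different domains, no mailing-list tag in the subject, a "maintenance" or "used to send spam" pretext, and a request for your password. The message is re-typed from the slide with placeholder addresses, since the transcript redacts the real ones.

```python
"""Header and body checks for the webmail phish on pages 41-42.
Added example, not ITS code; the message below is a constructed copy of the
slide's sample with placeholder addresses."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed copy of the slide's phish. Addresses are placeholders: the From:
# is spoofed to look like the college, the Reply-To: uses reserved example.net.
SAMPLE_PHISH = """\
From: "Bard College at Simon's Rock" <webmaster@simons-rock.edu>
Reply-To: webmail.support@example.net
Date: Fri, 13 Feb 2009 11:25:45 -0500
Subject: Webmail Subscriber

Attn. Webmail User,
We regret to announce to you that we will be making some vital maintainance
on our webmail. During this process you might have login problems in signing
into your Online account, but to prevent this you have to confirm your account
immediately after you receive this notification.

Your simons-rock.edu Account Confirmation
Name:
E-mail ID:
E-mail Password:
Date of birth:

Thanks
Bard College at Simon's Rock
Webmail Support Team
"""

LIST_TAG_RE = re.compile(r"^\s*\[[A-Za-z][\w -]*\]")  # e.g. "[Faculty] ..."
ASKS_PASSWORD_RE = re.compile(r"\bpass(?:word|wd)\b", re.IGNORECASE)
# Spelling variants on purpose: the real sample says "maintainance".
PRETEXT_RE = re.compile(r"maint[ae]i?nance|used to send spam|confirm your account",
                        re.IGNORECASE)


def domain_of(header_value: str) -> str:
    """'"Name" <user@host>' -> 'host' (lower-cased); '' when the header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def plain_text_body(msg) -> str:
    """Concatenate text/plain parts; a single-part message is returned as-is."""
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")


def phishing_clues(raw_message: str) -> list:
    """Return human-readable clue strings; an empty list means none of these fired."""
    msg = message_from_string(raw_message)
    clues = []
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        clues.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    if not LIST_TAG_RE.match(msg.get("Subject", "")):
        clues.append("subject has no mailing-list tag such as [Faculty]")
    body = plain_text_body(msg)
    if ASKS_PASSWORD_RE.search(body):
        clues.append("message asks for a password")
    pretexts = sorted({m.group().lower() for m in PRETEXT_RE.finditer(body)})
    if pretexts:
        clues.append("typical phishing pretext: " + ", ".join(pretexts))
    return clues


if __name__ == "__main__":
    for clue in phishing_clues(SAMPLE_PHISH):
        print("-", clue)
```

A matching Reply-To and a proper list tag would silence the first two clues, but the password request and the pretext still fire, which is the point of the page 3 rule.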

Page 43: Phishing Detection: Check the links!

• HTML format emails let the sender “hide” the target URL address of a link behind descriptive text, which can be set to look like a different URL.

Hold the cursor over the link text to see the actual link address. (Mac Mail shown.)

Note that it is simple to copy graphics from the web…

Page 44: More Check the Links!

• With Webmail (and Thunderbird), the actual link is shown in the “Status Bar” at the bottom of the window.
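The domain rule from the Web Security slide (page 39) and the hidden-link check from pages 43-44 in one script, as an added example that is not part of the ITS deck: a login link must be https and its "domain" is the last two words of the host name; an HTML link whose visible text shows one address while its href points at another domain is flagged. The HTML snippet is constructed and uses the reserved example.com domain as the bogus target; the URLs in the demo are the ones from the slides.

```python
"""Login-link and hidden-link checks. Added example, not ITS code; the HTML
sample is constructed, the URLs in __main__ come from the slides."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


def registrable_domain(url: str) -> str:
    """Last two host labels: 'simons-rock.edu' for technical-support.simons-rock.edu,
    'technical-support.com' for simons-rock.edu.technical-support.com.
    (This is the slide's two-word rule; hosts under suffixes like .co.uk would
    need a public-suffix list instead.)"""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])


def login_link_ok(url: str, expected_domain: str) -> tuple:
    """Return (ok, reason) for a link you are about to type a password into."""
    if urlsplit(url).scheme != "https":
        return False, "not https"
    domain = registrable_domain(url)
    if domain != expected_domain.lower():
        return False, f"domain is {domain}, expected {expected_domain}"
    return True, "ok"


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hidden_link_mismatches(html: str) -> list:
    """Links whose visible text looks like a URL or host name on a different
    domain than the href really points to. Returns (shown_text, href, real_domain)."""
    collector = LinkCollector()
    collector.feed(html)
    found = []
    for href, text in collector.links:
        looks_like_address = "." in text and " " not in text
        if not looks_like_address:
            continue  # ordinary link text such as "click here" is not disguised
        shown = text if "://" in text else "https://" + text
        if registrable_domain(shown) != registrable_domain(href):
            found.append((text, href, registrable_domain(href)))
    return found


# Constructed phishing-style HTML: the text shows a simons-rock.edu address,
# the href goes to example.com (standing in for the attacker's host).
SAMPLE_HTML = """<p>Please visit
<a href="https://simons-rock.edu.example.com/webmail/">https://www.simons-rock.edu/webmail/</a>
to confirm your account, or see <a href="https://www.simons-rock.edu/go/x">the ITS page</a>.</p>"""

if __name__ == "__main__":
    # The three candidates from the Web Security slide plus the Williams copy from page 47.
    for url, expected in [
        ("https://www.simons-rockrewards.com/", "simons-rock.edu"),
        ("https://simons-rock.edu.technical-support.com/", "simons-rock.edu"),
        ("https://technical-support.simons-rock.edu/", "simons-rock.edu"),
        ("http://www.jctaiwan.com/~jctaiwan/webmail.williams.edu/", "williams.edu"),
    ]:
        print(url, "->", login_link_ok(url, expected))
    for text, href, real in hidden_link_mismatches(SAMPLE_HTML):
        print(f"link text {text!r} actually goes to {real} ({href})")
```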

Page 45: Personal Information Security and Malware Awareness Workshop Bard College at Simons Rock Information Technology Services (ITS) Summer 2012 (Please sign

A Phish that Worked at Simon’s Rock

• The following spam went to some faculty and staff:

This is not a particularly strong effort:
– [email protected] [email protected] ?!
– Undisclosed recipients?!?
– Helpdesk.4-all.org ??!!

But, it did the trick!

Aside: Sophos missed this. Forward it as an attachment to: [email protected]

False positives to: [email protected]

Page 46:

Here’s the Web Site linked to in that spam:

Although this page does not seem much like a Simon’s Rock website, one employee logged in to this site. The attackers used the stolen credentials to send spam via our webmail server, a few per second. Unhappily, it was the 4th of July weekend…

Page 47:

Another successful attack: Williams Webmail site copy

• On Monday Sept. 29, 2009, a bogus email was sent with the subject line “Read Email Security Message” to many hundreds of Williams employees and students. The email had an attachment with a link to a bogus Williams webmail site.

• The email itself was not particularly believable, but the fake webmail site was a perfect copy of Williams’ real site. The only way to tell it was fake was to look at the domain information, which was:

http://www.jctaiwan.com/~jctaiwan/webmail.williams.edu/
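Both link checks in these slides (hovering to see the real target behind the link text on page 43, and reading the real domain out of the Williams copy-site URL above) can be automated for a mailbox or a mail gateway. The following is an added example, not code from the workshop or from Williams or Simon’s Rock ITS; it assumes the raw HTML of the message is available and that the expected domain (here williams.edu) is known, and the sample HTML is constructed.

```python
"""Added example (not from the workshop slides): flag HTML e-mail links whose
visible text does not match the real target host. Sample HTML is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

def real_host(url):
    """Host name the browser would actually connect to, lower-cased."""
    return (urlparse(url).hostname or "").lower()

def belongs_to(host, domain):
    """True if host is domain itself or a subdomain of it (label-wise suffix)."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def suspicious_links(html, expected_domain):
    """Return (text, href, real host) for links that leave expected_domain, or
    whose visible text is a URL naming a different host than the href."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for text, href in parser.links:
        target = real_host(href)  # www.jctaiwan.com, whatever the path says
        shown = real_host(text) if "://" in text else ""  # text that is itself a URL
        if not belongs_to(target, expected_domain) or (shown and shown != target):
            flagged.append((text, href, target))
    return flagged

# Constructed sample: the link text mimics the college, the href does not.
SAMPLE = ('<a href="http://www.jctaiwan.com/~jctaiwan/webmail.williams.edu/">'
          'https://webmail.williams.edu/</a> and '
          '<a href="https://webmail.williams.edu/">Webmail</a>')

if __name__ == "__main__":
    print(suspicious_links(SAMPLE, "williams.edu"))
```

Only the host part of the href enters the comparison, so the path component webmail.williams.edu in the copy-site URL cannot make it pass.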

Page 48:

Preventing Malware, Viruses, Spyware

• Spyware is like a virus specifically designed to steal information.

• Worst-case malware allows an attacker to remotely control your computer:
– Send spam from hosts with no direct link to the actual source
– Use clusters of compromised hosts for mass attacks on other web targets
– Record keystrokes and web traffic to obtain the user’s financial account logins, etc.

• Keep up to date with AV, OS, browser, Java, and Adobe patches.

• Tools for home use:
– Microsoft Security Essentials: Simple, lightweight AV, free from Microsoft.
– Malwarebytes.org: Free removal tool, Malwarebytes AntiMalware (MBAM). Run it if you have a problem. (The download file is mbam-setup-versionnumber.exe. Be careful of the ads for other stuff on the download page; you want only the mbam-setup… file.)

Malware, short for malicious software, is designed to infiltrate or damage a computer system without the owner's informed consent. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code covering viruses, spyware, trojan horses, worms, rogues, etc.

Page 49:

Common ways to get Malware:

• Beware of online pop-up ads pretending to be a malware scanner.

• Beware of online videos that claim you need to install special software to play the video.

• Email attachments – Don’t open one unless you are sure. Check with the sender. This includes e-cards, Word documents and PDFs.

• Web links in email – Don’t follow one unless you know for sure where it goes. (Check the actual link address, not the “pretty” version.)

• Don’t download hacked versions of expensive software — who knows what else the hacker might have added?

• Don’t add random software to your system if you can live without it.
– E.g. WeatherBug, popup Smiley-face tools, fancy screen savers, etc.

• However, some malware can get you if you merely visit an infected website. Sorry.

Page 50:

Rogue Security Software

• Rogue security software (“Fake Anti-Virus”) is software that misleads users into paying for the fake removal of malware.

• Typically you get a pop-up window while on the web alerting you that you have viruses or spyware on the computer and offering to clean it up. If you accept the offer the program installs itself, then continuously tries to get you to pay for a “professional version” – which does nothing, except maybe remove itself.

• Sometimes these rogue programs will not be picked up by real anti-virus software because you agreed to install the software.

• One program that does very well at removing this type of software is Malwarebytes AntiMalware (MBAM) from malwarebytes.org.

A partial list of known rogue security software. Just the A’s!

Advanced Cleaner, AlfaCleaner, Alpha AntiVirus, AntiSpyCheck 2.1, AntiSpyStorm, AntiSpyware 2009, AntiSpyware Bot, AntiSpywareExpert, AntiSpywareMaster, AntiSpywareSuite, AntiSpyware Shield, Antivermins, Antivirus 2008, Antivirus 2009, Antivirus 2010, Antivirus 360, Antivirus Pro 2009, AntiVirus Gold, Antivirus Master, Antivirus XP 2008, Antivirus Pro 2010, Antivirus System PRO, Avatod Antispyware 8.0, Awola

Page 51:

Security recap

1. Physical security can usually be attained by applying common sense and a little care – treat your computer like a passport or your wallet or purse.

2. Apply important software updates as soon as you are prompted.

3. Your office computer is a business tool – don’t use it like a home entertainment system. This may help avoid some malware.

4. Wireless is everywhere and incredibly convenient, but anyone can receive your traffic (traffic generally meaning whatever you are typing in a web browser). If you are doing anything off-campus that requires a username and password, or requires entry of confidential information, make sure the website is https://

5. Your username and password protect a lot more than just YOUR personal info – they may give access to many people’s PPI on college systems.

Page 52:

Quick Quizzes

You’re traveling without a computer and want to see if you were paid on time. You find an internet café, pay for access, and log in to your online banking web site. You note that the username/password page in the web browser on the computer you’re using is encrypted (using https://). Should you log in?

Page 54:

If Nothing Else, What should you remember?

?

Page 55:

Questions?

Many thanks to Williams College OIT for use of their PowerPoint presentation and for sharing their specific exploit examples. WWII Posters from American Merchant Marine at War, www.usmm.org