ITS Department talks security, password safety
Facebook, Gmail, Twitter, iCloud, computers, cell phones, and even the mySLU portal are all tools common among SLU students for work and for recreation. Many users automatically type in their username and password, and are immediately led to the application or device of their choice, without giving it a second thought. Generally, we think nothing of these actions; they are standard procedures. However, these usernames, passwords and passcodes make inviting targets for cybercriminals, and anyone—from national celebrities to SLU students, faculty and staff—can be and has been targeted.
Celebrities’ Apple iCloud accounts were recently compromised by criminals, who stole and then shared compromising photos online. The iCloud, which stored backups of photos taken on iPhones, was compromised by criminals who abused the password-reset features offered by Apple. The photos were then stolen, and the FBI eventually got involved, attempting to track down the criminals while also trying to erase the images from the Internet and prevent the pictures from being shared.
Although the hackers in this case targeted high-profile, high-value celebrities, Nick Lewis, SLU’s Director and Information Security Officer in ITS, says that the mistakes these celebrities made in choosing weak passwords are mistakes that many people make, including SLU students, faculty and staff.
“There are only so many passwords that a person can remember. It becomes very difficult to keep track of more than a few,” says Lewis.
Compounding this obstacle to more safely securing online data is the fact that SLU students, faculty, and staff have been targets of malicious phone calls and phishing scams. Phone calls in the past have come from individuals claiming to be from Microsoft, informing the call recipient of something wrong with their computer. As the caller gradually gains the victim’s trust, they are then able to solicit personal information from the individual. Emails have included statements saying that the computer has a problem or that the computer has run out of disk space, requiring that more be downloaded.
One similar email in Aug. 2013 led to a data breach in which criminals could potentially have compromised health records. The attack was conducted on SLU and many other regional universities, and although SLU worked diligently with the FBI and contained the incident, other schools suffered more extensive damage.
However, despite the problems that have occurred in the past, and the difficulty in remembering a different password for each website, Lewis says that there are a plethora of options available for those who wish to increase the security on their personal accounts.
One option is a password manager, according to Lewis. “I use a password manager. I store all my passwords in a manager called Password Safe, which allows me to look up any password I need from a secure location.”
Another method of better securing data that is being pushed by Lewis is multifactor authentication.
Multifactor authentication uses three phases of authenticating a user. The first factor is widely known; it is a password, and it is referred to as “something you know.” The other two factors are not widely used. Lewis believes that, when utilized, they will be able to provide much stronger security.
One of these factors is “something you are,” also known as biometrics, which requires fingerprint scanners or iris scanners, among other new technologies. While biometric authentication is not widely used, and is difficult and unnecessary to implement, according to Lewis, for anything but the most confidential data, another security tactic does have the potential to be made widely available.
This last option is “something you have,” which boils down to any token or device that someone may own. For example, a person’s phone could be connected to his laptop, making it completely impossible for anyone to log into the laptop without the phone being in the same vicinity. This type of protection would provide further verification of the identity of the person attempting to log into the computer, and would give students the option to reduce the risk of someone illegitimately gaining access to their accounts.
However, despite all these new technologies that could provide added security, Lewis says that the best way to avoid being a victim is simply to be careful. He advises students to be wary when giving out personal information, and he also suggests students keep their devices updated.
“Students should set their devices to automatically update—or automagically update, as I call it. This way, the applications will update themselves without you having to worry,” says Lewis.
One of the main goals of Lewis, and the ITS Department itself, is to help raise awareness for information security. The department wants to give students, faculty, and staff the tools they need to avoid being victimized by cybercriminals.
“We want to help people help themselves. If we give you more options for security, then you can help increase the protections around your devices,” says Lewis.