Tag Archive: Security

Encrypting Evernote Notes

Evernote

If you are an Evernote user, you are likely aware that there was a security breach last week. As a result, users were required to reset their passwords to ensure their accounts were not compromised. While the passwords that were obtained were encrypted, the fact that the data within Evernote accounts is not encrypted has come to light. While you are not able to encrypt everything in Evernote, there is a method to encrypt text notes.

Evernote Encryption Dialogue

The following method should work on your Mac or PC. Within the program, highlight the portion of text you would like to encrypt. Mac users can Command-click and PC users can right-click to bring up a menu. Selecting the encryption option brings up a new window where you will set your password. You will be prompted to enter the password twice, and you will be informed that Evernote does not store this password. You may provide a password hint in case you forget the password, but you will not be able to retrieve the password once it is set. As with all your passwords, if you must write it down, be sure not to keep it in an easily accessible location.

Evernote Encryption Password

Once you have set the password, you should see an indication that the text has been encrypted. You will be unable to read your text until you decrypt it, whether for a single instance or for the duration the app is open. Provided you remember your password, you may also permanently decrypt your note.

Evernote Encrypted Text

Evernote Decrypt dialogue

It is important to note that you will have to go through this process for each note you wish to encrypt. There is currently not an option for encrypting a folder. It is also interesting to note that when using the web-based version of Evernote, the password is not transmitted to the server. This is designed to further secure your encrypted file.

Evernote Web Password Dialog

When transmitting any information to the web, it is always good to be careful. Check for https connections with sensitive data, and be sure you trust the network you are on before submitting personal information. Public Wi-Fi access is not secure, so please exercise caution at your local coffee place if you are browsing the internet or using web-based apps. If you have any questions about Evernote, or about being safe on the web, be sure to ask one of us on the IS team. We’d be happy to provide additional information. You may also view some helpful tips from the Information Security folks here.

Information Security Reminder

In today’s technology-driven world, we are asked to provide usernames and passwords, install productivity applications for effective work habits, and share information via the Internet.

It is important to remember that some third-party applications do not keep content encrypted on their servers, leaving sensitive data vulnerable. Therefore, it is important that you select unique passwords for each username you maintain.

In addition, according to our Secure Computing protocols at the University, you should perform the following:

  1. Update Flash, Java, Adobe Reader and other browser plug-ins frequently; malware targets older versions of software
  2. Think before you click a link or open a file!
  3. Update Windows and Office or Mac OS X automatically
  4. Keep your firewall set to ON (Control Panel/Windows Firewall)
  5. Set a secure password and a locking screensaver; for secure password suggestions, see http://community.pepperdine.edu/it/security/policies/strongpassword.htm
  6. Back up your PC or Mac regularly
  7. Use up-to-date antivirus
  8. Don’t share or download copyrighted media
  9. When loaning your computer to a friend, give them access to a Guest Account

For more information about Information Security, please visit the Pepperdine University webpage on the subject at http://community.pepperdine.edu/it/security/policies/


Java 7 Security Threat Patched

On January 10, 2013 the Department of Homeland Security issued a warning that users should disable Java in their web browsers. A security threat was discovered that presented a risk of malware installation, which could lead to the loss of personal financial data. The details of the Homeland Security warning may be found here.

By January 13, Java announced a patch for the vulnerability, and posted details here. As a precaution, Oracle, the firm that owns Java, is setting Java security to high by default, which should assist in protecting users unfamiliar with computer security. As of Java 7 Update 10, Oracle also made it easier to disable Java from within a web browser. This feature carries over into Update 11, which is the patch that was released to address the current vulnerability. Homeland Security has continued to recommend disabling Java, as there are other threats that still need to be patched.

Firefox and Chrome are being recommended over Internet Explorer for internet browsing. Java plugins need explicit permissions to activate on these browsers, which helps alert a user to a potential threat. You can learn how to disable Java in your browser here. The Information Services team will be happy to assist the Pepperdine School of Law community as well.

As always, it is important to be careful when browsing the internet, as there are numerous threats out there. Before entering any personal or financial information, be sure that the site is secure, which will be indicated by an https at the beginning of the address. Some browsers add color codes to indicate when a site is secured, and most offer a padlock icon. You should learn what your specific browser offers so you can safely transmit information.

The Information Technology department at Pepperdine features a number of useful security tips. Be sure to bookmark their site to stay up to speed with current security issues.

Better Passwords

Some time ago Gilbert wrote a Password Quiz, warning users that they shouldn’t reuse passwords on multiple websites and services. This is fantastic advice. He even linked to some recommended Password Managers to help you keep your passwords safe while promoting good password practices. I’d like to go a bit further and offer you some tips about how to make good passwords.

Here’s the new thinking about passwords: for almost all accounts you should try to use padding to make passwords long, but easy to remember. And you should write down part of your passwords.

Are you skeptical? After all, this is very different advice than you’ve been given in the past. Technology experts are always insisting that crazy passwords like G5x$TrY&6 are the best way to keep your accounts secure. But with advances of technology and with the complexity of managing many different passwords, this conventional wisdom is officially out-of-date.

So, how do you choose great passwords and write them down so that you never forget them, but never have to worry about them being unsafe?

First, come up with a key. This is the most important step of this process. You must pick a very short, but unusual, 3 or 4 letter word. You must never tell anyone this word. Never write this word down. This is your secret key to all your passwords.

Don’t pick something obvious. It shouldn’t be one of the 5000 Most Common English Words. You might think this is hard, but actually things like goo and bah work just fine as well as our good friend to the left: pony is a great word.

Once you have your key, fulfill any password requirements the website or program imposes. So, if you need numbers or symbols, add them as necessary to comply with the complexity requirements. Then pad the password. What is padding? Just fill in the remaining characters with a single repeated symbol, such as the letter a or a period.

What does this look like? For a website named KoolStuff.com that requires a letter, a number and a symbol, and allows 14-character passwords, you type:

pony + 6 + # + ........

What do you write down? KoolStuff 6#.8

This seems complicated, but it isn’t. You have the website name, then you know to use your secret key, then you type the next characters, and the last two characters on the sheet describe the padding. In this case, eight periods.

The point is that no one can figure out this password and since you can write it down you never need to memorize it. You can have a bunch of these on a slip of paper in your wallet. Even if your wallet got stolen, you’d be safe.

Now, the only exception you need to remember is that you should never use these high powered passwords on any low grade website. For low-grade websites (anything that only connects via http instead of https is a good indicator of low-grade security) you should just use an ordinary password and write it down on your cheat sheet. The key here is that you don’t want to give away your secret key word to a low-grade security site like a bulletin board or a blog.

Now you have new password super-powers! Because your passwords are long and because they take advantage of something called two-factor authentication, you have easy to use but highly secure passwords.
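To make the scheme above concrete, here is a small added example (not the post author’s code) that turns a cheat-sheet line such as “KoolStuff 6#.8” plus the secret key into the final password. It assumes the notation shown in the post: the site name, a space, the extra characters, then the padding character and its repeat count as the last two characters.

```python
"""Worked example of the padded-password scheme from the post.

Added example, not the post author's code. The cheat-sheet format is assumed
from the text: "<site> <extras><pad_char><pad_count>", where the last two
characters of the second field are the padding character and the repeat count.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SheetEntry:
    site: str       # what is written down, e.g. "KoolStuff"
    extras: str     # characters added to satisfy complexity rules, e.g. "6#"
    pad_char: str   # the padding character, e.g. "."
    pad_count: int  # how many times it is repeated, e.g. 8


def parse_sheet_line(line: str) -> SheetEntry:
    """Parse one line of the wallet cheat sheet, e.g. "KoolStuff 6#.8"."""
    site, _, spec = line.strip().partition(" ")
    if not site or len(spec) < 2 or not spec[-1].isdigit():
        raise ValueError(f"malformed cheat-sheet line: {line!r}")
    return SheetEntry(site=site, extras=spec[:-2],
                      pad_char=spec[-2], pad_count=int(spec[-1]))


def build_password(secret_key: str, entry: SheetEntry) -> str:
    """Assemble key + extras + padding. The key itself is never written down."""
    return secret_key + entry.extras + entry.pad_char * entry.pad_count


def meets_policy(password: str, max_len: int = 14) -> bool:
    """Check the KoolStuff.com rules from the post: a letter, a digit,
    a symbol, and no more than max_len characters."""
    return (
        len(password) <= max_len
        and any(c.isalpha() for c in password)
        and any(c.isdigit() for c in password)
        and any(not c.isalnum() for c in password)
    )


def use_secret_key(site_url: str) -> bool:
    """The post's exception: only spend the secret key on https sites;
    plain-http sites get an ordinary password instead."""
    return site_url.lower().startswith("https://")


if __name__ == "__main__":
    # Constructed sample: the exact case the post walks through.
    entry = parse_sheet_line("KoolStuff 6#.8")
    pw = build_password("pony", entry)
    print(pw, len(pw), meets_policy(pw))  # pony6#........ 14 True
```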

Security is Physical

Here’s a quick video I pulled out of a presentation of mine about security. It highlights the importance of physical security.

http://www.youtube.com/watch?v=h70PRJLeHYM

The slides above are about devices and how to secure them quickly, but don’t forget your Apple and Windows Personal Computers! Don’t miss out on Matt’s great post about Keeping your Laptop Safe.

Finally, when you walk away from your computer always lock it!

For Windows computers use:
Windows Key + L

For Apple computers turn on password required for screen saver and use:
CTRL + SHIFT + EJECT

Pepperdine Password Quiz

True or False: It is against Pepperdine policy to reuse your Pepperdine password for any other web service.


It’s true, it is against Pepperdine policy to reuse your MyID password for other accounts or sites.

When you reuse your Pepperdine MyID password on Internet sites or accounts, you are making yourself vulnerable to attacks on your Pepperdine account, finances, grades, and more. In 2011 alone, millions of passwords were stolen from Internet sites like Sony Entertainment and Gawker. In 2012, more than 6 million LinkedIn passwords were compromised.

If you use the same password across many sites, the security of your password is only as good as the security of each individual website on which you use it. And if one site is compromised, your entire web presence is compromised. Your author actually uses a different 20-character passphrase for every single website he uses, and it’s actually quite easy to manage using a Password Manager.

Password Managers

A password manager is a software program that securely stores many passwords and IDs with the goal of making multiple passwords easier to access and use. A password manager can be very helpful to people who have lots of passwords. Read more about password managers here.

http://community.pepperdine.edu/it/security/password/passmgrs.htm

If that seems like too much work, it’s probably because it is, but that all depends on how you value your security. Strong passwords take a hacker with lots of computing power a very long time to guess. And if all your passwords are different, having your password compromised on LinkedIn just means that you only have to change that one password, and you don’t have to worry about your Pepperdine account, bank account, or whatever else you may also be using that password on.

If the thieves find a connection to Pepperdine, they will use your account to send spam or attack your identity. This has already happened at Pepperdine!

Sending Large Email Attachments, Securely

Two different problems are both solved by one great service largely unknown to Pepperdine users: Secure Attachments.

This service, powered by Accellion, is available to anyone with a Pepperdine email address and allows sending even very large files via encrypted email attachments. Normally the attachment size for files in email systems is restricted, and most users don’t have much email quota to spare. Accellion gets around this by using a web-based email client and receipt system. Nothing but a link is sent in the actual email, and all of these files are encrypted for the best possible protection.

After logging in at https://attachments.pepperdine.edu/, Accellion provides a web-based email client that allows users to attach large files (up to 20GB) for sending to others. To be able to log in and use Accellion, users must have a Pepperdine email address, but Pepperdine users can email attachments to anyone!

Additional features such as notification on delivery are available.

Protecting Your Mac

Though Windows users have become accustomed to regular malicious attacks, Apple’s Macintosh users have remained largely untouched. There are a number of reasons for this, ranging from the inherent security of Mac, Linux, and Unix computers to the fact that until the last few years Apple presented a relatively small target to hackers. Regardless of the reasons Mac users have enjoyed a mostly virus-free existence, the events of the last few months have shown us that things are changing.

Several malicious programs have infected Mac computers in recent months. First was the Flashback trojan, called Flashback.K. It was quickly followed by SabPub, and Flashback.S. Apple has released security updates to address these issues. If you have not installed your Mac security updates, it is highly recommended that you do so quickly. There are links to Apple’s descriptions below, but you should be able to simply use the system update to take care of things.

Flashback.K

This trojan infected computers through a Java vulnerability. Oracle issued a patch, which Windows users received in February. This trojan was particularly challenging, as it was written in a custom programming language. Over 650,000 Mac users were infected. To see if your Mac is infected, you can follow the instructions provided by F-Secure. Apple has since provided a patch and a security update, which may make this fix obsolete.

Apple’s support page provides a link for OSX Lion users that don’t use Java here. Users of OSX Lion 2012 – 003 can find the Java patch here. Users of OSX 10.6 Update 8 can get the Java patch here.

Flashback.K altered the way users viewed the web, and exploited Google Ads to generate revenue. It created a means of artificially clicking on ads. It does this by altering search results pages on a user’s browser. You can read more about Flashback.K here.

SabPub.a

Shortly after the Flashback.K patch, a new Mac virus hit the press. This one used a Microsoft Office vulnerability. This vulnerability also included Java. There have been a few variants of this trojan as well. You can read more about the SabPub trojan here.

Flashback.S

Flashback made another pass at the end of April with a variant named Flashback.S. It, like its predecessor, used a Java exploit. There are several other variants of this trojan out there, largely targeting the un-patched Mac computers. As with Flashback.K, this does not need an administrative password to install. You can read more about Flashback.S here.

What Now?

Though these infections spread quickly, there is no need to panic. By being careful during web browsing and paying attention to program installation requests you can keep yourself relatively safe. Apple provides a page with useful tips on keeping your computing experience virus and malware-free. Check out their security tips here. In general, only follow links to trusted sites, don’t install unknown programs, and make sure you keep your security updates current.

Phishing Expeditions

Today’s post is a public service announcement, the sort that needs to be made from time to time, but that is expected to be passed over by many of those most in need of its timely advice. Take a moment, even if this seems a trivial matter, to read this most excellent article from our Information Security group on Phishing.

Excerpt:

Information Technology

PHISHING EXPEDITIONS

When a criminal is seeking to harvest your personal information, take over your computer or gain access to your account for the purpose of sending SPAM, they will often send out masses of deceptive emails. They are hoping some small percentage of the recipients will be trusting or unwary and respond, click a link or open an attachment so they can profit. This type of mass email is called phishing. Each new version of these emails is considered a phishing “campaign” or “expedition”.

Security Advisement

Recently there have been notable security problems with the personal email accounts of some in our community. Pepperdine makes considerable and diligent efforts to secure your private information, and as yet none of the incidents are related to Pepperdine systems.

However, whether dealing with Pepperdine network access, or your own personal email accounts (Gmail, Yahoo, or your home internet providers), all security efforts by professionals working on the behalf of users are ineffective if users don’t participate substantially. Consider for a moment that all the technical wizardry of firewalls, anti-virus, encrypted storage, secret questions, and other measures are undone if a user uses simple passwords or logs in from unsecured locations.

With these recent break-ins it is a good opportunity to remember that passwords should be complex. Pepperdine systems demand a certain level of complexity, but other, personal accounts may not. Please self-assess the quality of the passwords used on personal accounts. Do they include a number? That’s good. Do they include a word found in a dictionary or any portion of a name? That’s not advised. For more security you may want to consider adding a symbol to your password such as a semi-colon or dollar sign or increasing the length of the password to 8 or even 14 characters.

Also remember that using a public computer, perhaps in an internet cafe, public library, airport or conference center might be unwise without additional precautions taken. If you must use one of these unsecured locations to login to important email, financial or Pepperdine systems consider speaking with the local staff about security precautions you can take.

Finally, there is one other consideration that few people think about. While your banks, utility companies and government agencies may have very secure websites, if you list your personal email address as a contact with them (for such things as password resets when you forget your account passwords), then anyone who gains access to your personal email account may also obtain access to all of your other accounts as well. Consider an additional level of vigilance to protect such an important account and safeguard your electronic identity.

Thank you for considering these security recommendations. Please see any member of the Information Services staff for more detailed suggestions or advice addressing your specific digital security needs.

Additionally a wealth of self-service information is available from the University IT Security website:
http://services.pepperdine.edu/it/security/