December News from Information Security

Welcome to one of the strangest Decembers we’ve ever had here at Berry. It is certainly the strangest of my 30 years here. The students are gone, but not done. Finals loom for some of them, then almost two full months of no school. What will we do in the silence?

I’m sure we all have different answers to that question, so I’ll leave it hanging rhetorically.

This newsletter will be a little different from previous ones. We’ll be focusing on a minimal number of topics, but for one in particular I will ask for a couple of extra minutes of reading time from you.

If you have perused this site much you will know that I post breach and data exposure announcements here periodically, usually when they affect a good number of the community. If you’ve been unlucky enough to be impacted by a breach, you may have received an email from me explaining what data was exposed and what you should do about it.

A recent notification came to me, announcing that 189 emails belonging to Berry community members had information exposed, specifically passwords. Most breaches affect no more than a couple dozen Berry email addresses and when I get the notices I will sort through them, compose an email and send it out to those affected. This number of emails was larger, but still manageable. Then I read further into the announcement. Those 189 emails were scattered across more than 23,000 potential websites and services. The data did not include enough information to determine which email address went with what service or website.

The bottom line is, 189 Berry community members, who could be faculty, staff, students, alumni, or even retirees, have had a password for some service exposed. You can find out if you were one of these 189 by going to the Have I Been Pwned website and putting in your Berry email address in the search form.

You may find that in addition to this massive exposure notification containing 226 million unique emails, named Cit0day, you may have had information related to your Berry email address exposed by other data breaches. I encourage you to not only check your Berry email, but your personal email accounts as well, and those of your family if you are so inclined. I also strongly encourage you to sign up for notifications from Have I Been Pwned. The link (Notify Me) is at the top of the main page there. It is free and if your email address shows up in a data breach, you’ll get an email notification directly from Have I Been Pwned giving you as much information about the breach as is available.

The important question, once you determine that you are indeed affected by a data breach is this – What do I do now?

Generally, I will suggest you change your password for the service or website that experienced the breach, check that your account information is correct, and if financial data was involved, to closely monitor your bank account and credit card accounts. In the case of the Cit0day notification, you will have no idea which of your twenty to one hundred or more accounts has been affected. What do you do then?

The “nuke the site from orbit” approach would be to reset the password on EVERY account you have. Do you even know all of your accounts? Who hasn’t signed up on a site for a specific purpose, never to return? What data might you have had to give up to create that account? Did it include a credit/debit card number or bank account number?

The real question to ask at this time, if you are affected by the Cit0day announcement is – Did I reuse the password for this account, whatever account it was? Realizing, again, that there is no way to tell what specific service or website exposed the password.

That question leads to the next – How many other accounts are now vulnerable because I reused this exposed password? The scary part is, you don’t have an answer to this question, because you don’t know what account is compromised.

Which leads to the most important question in this article – Why are you not using a password manager to create a unique password for EVERY account, service, and website you use?  Yes, it takes time to set it up.  For some, time is money, right? How much does thirty minutes cost you? The entire amount in your bank account? Unlikely. The maximum amount on your credit line? Probably not.

If you had used a password manager to create a unique password for your account on whichever site among the 23,000 possible  ones that were affected , the potential damage to you would have been limited to that one site. If you reused a password, or worse, use the same password for everything, then the damage could be much greater.

Please, if you are not using a password manager now to manage your accounts, start using one. I’ve written on the subject multiple times here in the monthly newsletter and during Cybersecurity Awareness Months, both this year and in years past (all of which are available from the main menu of this site).

Take a few minutes and visit the links below. Check out the flyer linked at the Quick Info page for some password managers. If you don’t want to follow links,  just type “best password manager” into your favorite search engine. There are password managers for all platforms (Windows, macOS, Linux, Android, iOS, web browsers), needs, and budgets.

Quick Info page on Password Managers

In-depth knowledge article on password managers on this site

Why you need a password manager flyer (PDF)

Two-sided password flyer linked in the Quick Info page above (PDF)

Good password policies flyer with a paragraph at the bottom about password managers (PDF) Don’t try to use the link at the bottom, it is broken.

Because the link in the above PDF is broken, here is a link to a great article on password managers-the good, the bad, the ugly, and the beautiful. My apologies for the pop-up ads, but the article is worth the annoyance. If you read nothing else, read this article.

Whew! That was password managers. The next and final item I want to emphasize in this newsletter is multifactor authentication (MFA). MFA is coming to all accounts at Berry – faculty, staff, and students. With some personnel issues that have come up, the rollout may be delayed a bit, but it is still coming.

Again, I have written about this multiple times over the course of maintaining this site. There is a Quick Info page on MFA for the impatient, or you can go read the instructions for setting up MFA here on the main Berry website. If you are still unclear about why we are requiring this, check out this FAQ article, also on the main Berry website.

You can still request MFA for your account by emailing computing@berry.edu.

If I’m not covering a topic of information security you are interested in or concerned about, please let me know. I want to be your first and best resource on information security, so let me know how I can help and inform you.
If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets.

Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me.

Food for Thought

Featured Image: Photo by Science in HD on Unsplash

Author

(Visited 103 times, 1 visits today)