Back Up Your Files

Eventually, we all have an accident or get hacked. And when we do, backups are often the only way to recover. Backups are cheap and easy; make sure you are backing up all of your personal information at home (such as family photos) on a regular basis.

To learn more about backing up your data at Northwestern, visit our page, Backing Up Data at Northwestern.

To learn more, check out this SANS OUCH! newsletter.

Source: SANS Security Awareness Tip of the Day

Publicly Exposed Fitmetrix User Data

In the News 

Social media platforms and tech giants aren’t the only companies struggling to secure user data. In “MindBody-owned Fitmetrix Exposed Millions of User Records - Thanks to Servers Without Passwords,” Zack Whittaker at TechCrunch discusses a vulnerability in Fitmetrix’s data storage that left servers containing millions of user records exposed to the public. Whittaker explains that certain servers were not secured with a password, leaving personal information easily accessible. While Whittaker reports that MindBody has secured the affected servers, he clarifies that the company has not yet issued a direct response to its customers regarding the incident.

Our Take 

We often do not think about the security of our account information when the account acts as a bridge between other services. Accounts containing financial or medical information are often the ones customers most want protected. However, using cloud-based services such as Fitmetrix requires the same amount of vigilance on the consumer’s end to ensure that sensitive information is stored as securely as possible. The dangers that arise when companies fail to adequately protect user data include potential identity theft and physical threats if location tracking information is compromised. While MindBody insisted that financial information was not accessible, the data that was exposed, including full contact information and geographical trends of users, could jeopardize the physical safety of users. When inputting information into any online account, think about the information you are providing before you enter every last detail of your life into a company used by millions.

Recommendations 

Follow Northwestern Information Security’s tips to be proactive about securing your data:  

  • Understand the risks of putting your personal information into the world, and only share what you have to  
  • Minimize the number of accounts that have direct access to your bank account or card numbers 
  • Don’t reuse your account passwords, and take advantage of multi-factor authentication where possible
  • Stay up to date on news regarding recent fraud and phishing attacks to see if you may have been affected

The Five Worst Security Mistakes End Users Make

  1. Failing to install anti-virus, keep its signatures up to date, and apply it to all files.
  2. Opening unsolicited e-mail attachments without verifying their source and checking their content first, or executing games or screen savers or other programs from untrusted sources.
  3. Failing to install security patches, especially for Microsoft Office, Microsoft Internet Explorer, Firefox, and Netscape.
  4. Not making and testing backups.
  5. Being connected to more than one network such as wireless and a physical Ethernet or using a modem while connected through a local area network.

 

Source: Mistakes People Make That Lead to Security Breaches

 

Don’t Lose That Device

Did you know you are 100 times more likely to lose a laptop or mobile device than to have it stolen? When you are traveling, always double-check that you have your devices with you, such as when leaving airport security, exiting your taxi, or checking out of your hotel.

To learn more about device security at Northwestern, visit our Secure Northwestern page.

To learn more, check out this SANS OUCH! newsletter.

Source: SANS Security Awareness Tip of the Day

Vimeo Lawsuit RE Privacy

In the News 

Biometric data misuse makes the news in a legal case. In “Vimeo Slapped With Lawsuit Over Biometrics Privacy Policy,” Lindsey O’Donnell at Threatpost discusses a recent lawsuit regarding a lack of user consent for storing and using biometric data. O’Donnell explains that the video platform used the photos and videos uploaded to the platform in violation of the Illinois Biometric Information Privacy Act, which regulates biometric data obtained by various companies.

Our Take 

Although video streaming and social media platforms are designed for sharing aspects of one’s personal life, privacy and transparency regarding privacy policies on these sites continue to be a challenge. All too frequently, companies misuse user data without explicit consent, leading to a cycle of mistrust in companies. However, it is also all too common for users to accept a company, app, or platform’s policies without reading through their rights and the rights they forfeit to the company by accepting the terms of their agreement. In the case of Vimeo, the company did not request access to this biometric information, and as such, the fault is on the company. As more and more companies are held in violation of the Illinois Biometric Information Privacy Act, the need for consent regarding user data, and especially biometric information, will become increasingly important.

Recommendations 

How can you protect the privacy of your personal information?   

  • Understand the risks of putting your personal information into the world, and only share what you have to 
  • Refrain from sharing highly personal information on apps and platforms whenever possible
  • Carefully read the privacy and data policy prior to accepting and creating any new account 

New Amazon Alexa Products

In the News 

Voice assistants are expanding their market. Is Amazon’s Alexa ready to leave home and become a wearable voice assistant? Tom Warren at TechCrunch discusses three new Amazon Alexa products that were recently announced and their potential for the expansion of Alexa devices outside of the home. The three products, Echo Buds, Echo Loop, and Echo Frames, aim to bring Amazon into the market for daily voice assistants on the go.

Our Take 

Smart devices have become a part of everyday life, often making daily activities easier or more enjoyable. From ever-advancing smartphone technologies to smart speakers and smartwatches, technology has become embedded in society. However, along with the benefits of smart technologies comes the increased risk of exposure and lack of privacy from sharing personal information. Smart speakers have been controversial in many instances due to the devices listening to conversations without user consent and due to data breaches where user information is stored. While these devices can be valuable when used safely, smart speaker integration into more portable devices can increase the risk of data exposure. If you choose to use one of Amazon’s new Alexa products to supplement your daily activities, it is crucial to be careful about what information, and how much of it, you share with the devices and around the devices themselves.

Recommendations 

How can you protect the privacy of your personal information while using smart tech?   

  • Understand the risks of putting your personal information into the world, and only share what you have to 
  • Utilize security settings on smart devices and turn them off when they are not in use  
  • Understand the legal rights and practices of companies that store your data  
  • Stay up to date on news regarding recent data breaches to see if you may have been affected

Data Vulnerability on Apple Devices Using Keyboard Extensions

In the News 

Can third-party keyboards be causing you more harm than good? In “Apple warns that third-party keyboards on iOS 13 and iPadOS can send data to the internet without permission,” Chris Welch at The Verge discusses a vulnerability in the most recent iOS 13 and iPadOS which compromises the security and privacy of personal data. Welch details that third-party keyboards, including Grammarly, might export the data that you type and other content onto the internet without explicit user consent. Welch clarifies that Apple automatically forces the use of the iOS keyboard when a password is required, so passwords were not compromised in this situation. Welch states that a patch for this error is currently being tested and should be available soon.

Our Take 

As more and more of our daily lives become connected to smart devices and computers, it is critical that users maintain a level of autonomy in where their data goes. The countless stories in the past few years about data misuse have sparked privacy regulation and heightened sensitivity about the need for user consent. Apple’s update vulnerability directly contradicts the privacy and security-focused mindset that they have recently been advertising. While some users may have already secured their data from their keyboards or may not care if keyboards use their data, the error elevates the level of distrust many consumers have in the tech industry. Regardless of whether you use third-party keyboards or not, be sure to update your iOS when the new version is released to ensure your data is secured in the best way possible! 

Recommendations 

How can you protect the privacy of your personal data?   

  • Understand the risks of putting your personal information into the world, and only share what you have to 
  • Utilize additional security/privacy measures and settings on apps, accounts, and platforms whenever possible  
  • Only install software, programs, and keyboards that you can verify are safe and secure
  • Refrain from discussing and typing highly sensitive information without additional encryption protection 
  • Make sure to update your devices and programs frequently to avoid running a compromised edition 
  • Always evaluate the positives and negatives of installing a plug-in, keyboard, or software edition to see if it is worth it 

Compromised Internet Explorer Impacts Many Microsoft Windows Users

In the News 

Urgent patches for flaws in software and devices have become the new norm. In “Microsoft urges Windows users to install an emergency security patch,” Zack Whittaker at TechCrunch discusses how Windows users running Internet Explorer could have been compromised, allowing an attacker to gain control of their device. Internet Explorer 9, 10, and 11 were impacted. Whittaker explains that the vulnerability was being exploited, but details about the extent of the exploitation have yet to be disclosed. Whittaker details that this emergency patch is not commonplace for Microsoft, as they issue monthly updates as well.

Our Take 

Although Microsoft issues patches for its systems regularly, the need for an emergency patch is cause for alarm. A vulnerability that could allow attackers to gain full control of your devices can have damaging repercussions not only in terms of your personal data stored on a device, but also in terms of your financial information and other sensitive personal information. The compromised versions of Internet Explorer are not unusual apps to use for daily activities, making this vulnerability all the more dangerous. Additionally, with the scope of the exploitation unknown, the damage could be larger or smaller than estimated.

Recommendations 

How can you protect the privacy of your personal information?   

  • Understand the risks of putting your personal information into the world, and only share what you have to 
  • Ensure that you are running the most secure version of a program, app, or system by updating your devices regularly 
  • Refrain from clicking on any unfamiliar links or tabs  
  • Learn how to spot a phishing attack 

Never Respond to Emails Asking for Personal Information

Companies you do business with should never ask for your account information, credit card numbers or password in an email. If you have any questions about an email you receive that supposedly came from your financial institution or service provider, find their number on their website and call them.

If you ever do receive a scam or phishing email, please be sure to forward it to security@u.northwestern.edu.

As part of the University’s continued commitment to providing a secure computing environment to the University community, Northwestern IT provides a list of reported scam email attempts recently targeting Northwestern HERE.

To learn more, check out this SANS OUCH! newsletter.

Source: SANS Security Awareness Tip of the Day