What is National Cybersecurity Awareness Month?

Cybersecurity Awareness Month is observed every October. It was created as a collaborative effort between government and industry to ensure everyone has the resources they need to stay safer and more secure online.



Cybersecurity Awareness Month is currently co-led by the National Cybersecurity Alliance (NCSA) and the Cybersecurity and Infrastructure Security Agency (CISA), which is part of the Department of Homeland Security (DHS). It was started in 2004 as a broad educational effort to help keep Americans safe and secure online.

In 2009, NCSA and DHS introduced themes for each National Cybersecurity Awareness Month and expanded that in 2011 to include weekly themes.

UAH has embraced this month dedicated to Cybersecurity Awareness to begin its new Cybersecurity Education, Training, and Awareness program. The UAH Office of Information Technology (OIT) will provide cybersecurity education opportunities, newsletters, and fun activities throughout the year.

Feel free to reach out to me with any cybersecurity questions or concerns you may have.

Remember to do your part, #BeCyberSmart


Why You Shouldn’t Bring Your Own Wireless Router to UAH

By Jeremy Shelley, CISO, and Wendy Worlund, Manager of Client Services
ciso@uah.edu


As we are all settling into the Fall semester, I wanted to call attention to a major security risk: connecting wireless routers to the UAH network.

The installation of devices like “wireless routers” is prohibited by the UAH Office of Information Technology (OIT) without written approval from the UAH Chief Information Security Officer. This is enforced in accordance with the Appropriate Use of IT Resources Policy.

Unauthorized devices create security problems and cause performance and service issues for other users. They permit unauthorized access to the network, which can enable malicious activity either directly or through an “infected” device. Many security compromises begin with unauthorized network access or unsanctioned network use. Activity on UAH networks is tracked, and you could be unwittingly permitting someone to do something through your network connection; by providing an unauthorized wireless network, you could be held accountable for the actions of others. These devices also frequently disrupt the proper operation of the network. We often receive reports of network problems that are traced back to unauthorized devices handing out incorrect IP addresses. Similar to the case of that cellular network extender, user devices may try to associate with non-UAH wireless access; those unaware users then experience network problems that are reported to OIT for resolution. In some cases, these routers are not properly secured, and other users may compromise the router and use it for malicious purposes such as gathering private user data or snooping on user activity.

OIT provides robust network access throughout the UAH campus that should meet your connectivity needs. Users are prohibited from “extending” network access using their own devices. The security of the entire UAH network is critical to the successful operation of campus services, and all users are accountable for using IT resources in an ethical and lawful manner that is consistent with all UAH policies, and which does not negatively impact the performance or security of the UAH network. Bringing in a home wireless network device certainly violates the rules above.

If you are experiencing network issues, please contact the help desk at helpdesk@uah.edu to let us know. We will be happy to assist you.



Better Passwords: Passphrases and Fake Email Addresses

By Jeremy Shelley, CISO
ciso@uah.edu


I can hear what you’re thinking, “Great. It’s another password article. Let me guess, he’s going to ask us to make better passwords.”

Well, yes, but I’m also going to give you a couple of tools to help you generate longer, more secure passwords that are easier to memorize.

“Impossible,” you may be thinking. “This new CISO is completely off his rocker.” That may or may not be true but it has nothing to do with passwords.

Using passwords to secure a user account was first suggested and implemented by Fernando Corbato at MIT. Like any technology that is more than 60 years old, passwords are definitely showing their age. Modern computers are able to crack simple passwords by simple brute force in fractions of a second. See the chart which contains data that was sourced from howsecureismypassword.net. Longer and more complex passwords that include upper and lower case letters, numbers, and symbols are a surefire way to improve the security of your account and all of the data that is important to you.

The problem is that longer random passwords are extremely difficult for us humans to remember. Sure, the password “}r!UpW^,cA"&b9PE” is a great password, but it is not easy for most people to keep in their memory banks for long. Before you ask, that’s not my password. However, if you look up the most commonly used passwords that were disclosed in data leaks, it’s almost comical, with “123456” being the most common password. Before you ask, that’s not my password either.

So how do we make long passwords that are easy to remember? I’m glad you asked. There are two simple ways that I recommend to people: passphrases and fake email addresses.

Passphrases

Passphrases can be phrases, words, and dates that are easy to remember but make long sequences that are hard for a computer to brute force. I first heard about passphrases from an online webcomic called XKCD and its “correct horse battery staple” panel. The author’s math may have been off, but the concept was intriguing.

The idea is that you pick a phrase you can remember, like “Huntsville Havoc 2019 Champions,” and make slight modifications to the phrase, such as adding an exclamation point to the end or an underscore (_) where the spaces are. If you do both, your password becomes “Huntsville_Havoc_2019_Champions!” That’s a 32-character password. According to HowSecureIsMyPassword.net, it will take a modern computer approximately 1 hundred tredecillion years to brute force that password. That’s a 1 followed by 44 zeroes in years. Either I’ll be gone by then or turned into a computer myself and can pick a new password.

While picking valid English words for your password does weaken the overall security a bit, it might mean your password can be brute-force guessed in 500 years instead of a timeline approaching the theorized heat death of the universe. Other passwords generated using this method include:

  • MoarMarvelMoviesPlease?
  • Cybersecurity AwarenessMonth_2021
  • The M@sked Singer!

All of these passwords have uppercase, lowercase, numbers, and symbols and would be easy for you to remember. Before you ask, those aren’t my passwords either.

Fake Email Addresses

The fake email address method of generating passwords is something I came up with years ago when I was teaching password security at a local company. The idea is a simple one: make up a FAKE email address for you to use as a password. It should go without saying but you should NOT use your UAH or personal email addresses as a password to any system anywhere. This method hinges on your making a fake email address that isn’t associated with you.

This email address can be anything you enjoy. Think about hobbies you have, movies you like, activities you love, and make a fake email address. For example, let’s say you love the Los Angeles Lakers, whose best player (as of this writing) is LeBron James, who wears #23. You could make a password of LeBronJames@Lakers#23.com. Is that a valid address that can receive email? It doesn’t matter, because you are using it as a password, not as an email address. That password is 25 characters long, contains all 4 categories of characters (upper case, lower case, numbers, and symbols), and would take a computer 28 nonillion years to crack. That’s 28 followed by 30 zeroes. That’s plenty of time to make it until the next required password change.

Other passwords that can be generated using this technique include:

  • Dovetail@Woodworking2x4.com
  • Macchio@CobraKai3.com
  • Immelmann@ILove2Fly.net

By using one of these techniques you can generate long and strong passwords that are easy for you to remember. Regardless of the method you use, please be sure to secure your password, select something you can remember and do not write it down.
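As an added illustration (not part of the original article), the Python below estimates the search space of the two sample passwords above in two ways: a character-by-character brute force, and a smarter attack that guesses whole dictionary words, which is the weakening the passphrase section mentions. The guess rate, vocabulary size, word counts and "extras" bits are assumptions made for the calculation, not figures from the article or from howsecureismypassword.net.

```python
import math

# Assumed attacker guess rate for this illustration (not a figure from the article):
# 1e11 guesses per second, in the range of a well-equipped offline cracking rig.
GUESSES_PER_SECOND = 1e11
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def charset_size(password: str) -> int:
    """Smallest printable-ASCII alphabet that covers every character in the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # the 33 printable ASCII punctuation characters, space included
    return size

def brute_force_bits(password: str) -> float:
    """Search space in bits when the attacker tries every character combination."""
    return len(password) * math.log2(charset_size(password))

def wordlist_bits(word_count: int, vocab_size: int = 20000, extras_bits: float = 0.0) -> float:
    """Search space in bits when the attacker guesses whole words from a vocabulary,
    plus extras_bits for separators, years, jersey numbers and trailing punctuation."""
    return word_count * math.log2(vocab_size) + extras_bits

def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate at the assumed rate (an average hit takes half)."""
    return 2 ** bits / rate / SECONDS_PER_YEAR

def compare(password: str, words: int, extras_bits: float = 0.0) -> dict:
    """Both estimates side by side for one password (word count and extras are assumed)."""
    naive, smart = brute_force_bits(password), wordlist_bits(words, extras_bits=extras_bits)
    return {"brute_force_bits": round(naive, 1), "wordlist_bits": round(smart, 1),
            "brute_force_years": years_to_exhaust(naive), "wordlist_years": years_to_exhaust(smart)}

if __name__ == "__main__":
    # Sample passwords quoted in the article; word counts and extras are assumptions:
    # three words + a year (~7.6 bits) + separator/punctuation choice (~4 bits) ...
    print(compare("Huntsville_Havoc_2019_Champions!", words=3, extras_bits=11.6))
    # ... and two names + a team, a jersey number (~7 bits) and a top-level domain (~3 bits).
    print(compare("LeBronJames@Lakers#23.com", words=3, extras_bits=10.0))
```

The gap between the two estimates is the practical point: length against a naive brute force is enormous, while an attacker who guesses words and common decorations faces a far smaller space, so the words and numbers you choose should not be ones tied to you.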



Staying Safe on Social Media

By Jeremy Shelley, CISO
ciso@uah.edu


According to broadbandsearch.net, the average time spent on social network sites was 144 minutes per person per day. We all spend a lot of time on Instagram, Facebook, TikTok, YouTube, Reddit, and other social media sites. These platforms are extremely easy ways to stay connected with friends and family as well as to have fun.

The ease with which we can use such sites can make it far too easy for us to provide too much detail about our lives and potentially give away too much information. It’s a good idea to periodically review your configuration settings and make sure you’re staying safe on these platforms:

Set your profiles to private. Most sites’ default settings allow people you do not know to view sensitive information you put on social media such as birthdays, geolocation, and relatives you have linked to. Consider setting your profiles to “friends/followers only.”

Remember that anything you post can be shared by others. Even with strong privacy settings in place, it is important that you come to terms with the fact that what you post online is never really private and can be shared. It is therefore important that you always think before you post. Once it’s posted, it’s always posted. 70% of employers stated that they use candidates’ social media profiles as part of the screening process.

Know and manage your friends. You don’t have to accept every friend request that is sent your way. There are untold numbers of fake profiles on various social media sites which will send out hundreds of friend requests. If you don’t know the person, do not accept the friend request. If you’re trying to create a public persona, consider creating a “fan page” that encourages follower participation without revealing any of your private information. Use your personal profile to keep contact with your friends that you know (and trust) in real life.

Be honest with friends if you are uncomfortable with what they shared. If someone posts something about you that makes you uncomfortable, let them know that you’re not comfortable sharing that information.

Know what to do if someone is harassing you. Make sure you know what steps you need to take on a social media platform if you are being harassed or threatened. Remove them from your friends list, block them, and report them to the appropriate personnel at that social media site.

Keep unique, secure passwords or passphrases for your social media presence. Do not use your UAH password on any social media site.

Turn off Geolocation if you are going to be away from home for an extended time. If you are going on vacation and your home or dorm room will be unoccupied for a few days or a week or more, disable the geolocation tagging on the social media site. If you post a photo from the beach while on Spring Break, all of your followers know you’re in Florida and not in your apartment. That could let a potential burglar know the best time to break into your apartment.

By taking a few common sense steps, you can protect your online presence and keep your identity safe. Do your part. #BeCyberSmart
