Enhanced Personal Security Guide

Hacking isn’t magic; it’s persistence. Hackers and cyber criminals take advantage of simple mistakes and misconfigurations to access your money, files, and messages. Sophisticated attacks take more time and expose tricks that attackers prefer to keep secret. This means the more basics you do well, the more likely an attacker will simply move on to the next target. In this guide we will cover:

Social Engineering

Social Engineering is a technical term for scams, fraud, and confidence tricks. Follow these steps to protect yourself.

Recognize

The most common form of social engineering used by hackers is phishing. Phishing can come via email, text, or social media message. The days of misspelled words and bad grammar are long behind us. Phishing messages from sophisticated attackers look legitimate. We can no longer tell you with certainty how a phishing message will look, but there are two characteristics which seem to be common.

  • Phishing messages will ask you to do something new, or something ordinary in a new way.
  • Phishing messages will make you feel anxious, scared, excited or curious so you react quickly.

Be mindful of how you feel while reading email. If something feels off, slow down and don’t click any links or open any files in that message.

Alternatives to Clicking

If you have a message that you think might be phishing, skip the links and go to the source. Here are some examples of what that might look like:

  • Did a colleague ask you to send a file to them? Contact the colleague and confirm the request via voice.
  • Were you directed by the support desk to install an update? Call the Service Desk to confirm.
  • Is your password in need of a reset? Go to the service directly and check for notifications.

Report

If you believe the message you have received is a phishing message, report it. You can forward phishing messages to phishing@harvard.edu. If the message wasn’t an email, call your local support desk. This information can help us protect other people in the community who may be tricked into clicking.

Understand your Online Presence

Phishing messages become very convincing when details of your life and work are public. Your social media settings are under your control, while press releases, blogs, and journalism are not. To see how strangers see you on the web, look at your social media profiles in a private or incognito window.

Want to make changes? StaySafeOnline has privacy settings and policies for major online services consolidated in one place.

https://staysafeonline.org/stay-safe-online/managing-your-privacy/manage...

To keep an eye on what is said about you and your work online, consider setting up a Google alert for your name or department.

https://www.google.com/alerts

Passwords

The first computer password system was created at MIT in 1962. The first password theft occurred at MIT in 1962. Despite a rocky history, passwords will likely be with us for the foreseeable future, so we should make sure they are secure.

Creating Strong Passwords

A strong password is more than twenty characters long, unique to one account, and not guessable. That may seem challenging, but there are a few methods to create strong passwords that are easy to remember.
 
Acronym Method
  1. Write a sentence that is meaningful to you (I won’t go on another cruise- I got seasick and lost my hat.)

  2. Turn it into an acronym (Iwtgoac-Igs&lmh.)

Passphrase Method
  1. Choose 4-5 letters (LMJUP)

  2. Make a phrase that uses words that start with these letters. (letmejump,Upromised!)

Risks of Re-Use

Every account where a password is reused is another place it can be stolen from. Stolen passwords end up in large batches on the Dark Web and are added to the massive wordlists used by password-cracking tools. https://HaveIBeenPwned.com is a great resource to see if your accounts have been part of a breach, or if your passwords are in a password list.
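HaveIBeenPwned’s Pwned Passwords lookup is designed so you never send the password itself: your device hashes the password with SHA-1, sends only the first five hex characters of the hash, and gets back every leaked hash suffix that shares that prefix, so the actual match is made on your own machine. The following is an added example, not part of this guide or of the HaveIBeenPwned project, that implements that client-side logic in Python. The endpoint path named in the comment is the service’s real one, but the responses here come from a constructed offline stand-in, and the counts and the extra suffixes are made up.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed offline stand-in for Pwned Passwords "range" responses. The real
# service answers GET https://api.pwnedpasswords.com/range/<first 5 hex chars of
# the SHA-1> with one "SUFFIX:COUNT" line per leaked hash in that range. The
# counts and the two neighbouring suffixes below are made up for this example;
# the middle line is the genuine suffix of SHA-1("password").
CONSTRUCTED_RANGES: Dict[str, str] = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\r\n"
        "1E2AAA439972480CEC7F16C795BBB429372:1\r\n"
    ),
}


def offline_fetch_range(prefix: str) -> str:
    """Stand-in for the HTTPS request; an unknown prefix yields an empty body."""
    return CONSTRUCTED_RANGES.get(prefix.upper(), "")


def split_hash(password: str) -> Tuple[str, str]:
    """Hash locally and split into the 5-char prefix that is sent over the
    network and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a dict, skipping blank or malformed lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or not count.strip().isdigit():
            continue
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str,
                 fetch_range: Callable[[str], str] = offline_fetch_range) -> int:
    """Number of times the password appeared in known breaches (0 = not found).
    Only the hash prefix is handed to fetch_range; the suffix match is local."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = breach_count(candidate)
        verdict = f"seen {n} times, do not use" if n else "not in the sample data"
        print(f"{candidate!r}: {verdict}")
```

To run this against the live service, replace `offline_fetch_range` with a function that performs the HTTPS GET for the prefix and returns the response body; everything else, including the rule that only five hex characters leave the device, stays the same.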

Password Managers

Most people can remember one or two strong passwords, but how can we have strong, unique passwords for the hundreds of accounts we use? Most security experts recommend a password manager. Password managers create, store, and autofill passwords for you. All you need to do is remember the password to your password manager.

1Password, Bitwarden and Dashlane are examples of reliable retail password managers. KeePass is an open source password manager with strong community support.

If you’re affiliated with Harvard, you can get a 1Password Business and Family account for no charge: https://security.harvard.edu/password-managers

Login Verification

Login verification ensures it's you logging into your account, not just someone who has your password. It is the single most important security feature you can enable to protect your accounts online. It goes by many names such as Multifactor Authentication (MFA), 2-Factor authentication (2FA) and two step verification. No matter what it’s called, login verification combines something you know (password) with something you have (usually your phone).

Supported Services

Most online services support some form of login verification. Your email and social media accounts should all have login verification enabled. For instructions, visit https://2fa.directory where you’ll find a listing of hundreds of services and the types of login verification they support.

Types of Login Verification

Login Verification can happen in many ways. These are the most common.

SMS: The most common form of login verification. You are sent a text with a code and that code is typed into the login screen.

QR Codes: A QR code shown during setup is scanned into an authentication app such as Google Authenticator or Duo. The secret it contains is used by the app to generate time-based one-time passwords.

Physical Token: A physical token generates one-time codes. The codes can be read off the token, or the token is plugged into the device and tapped.

SIM Swapping Protection

SMS is the most used way to perform login verification. Unsurprisingly, it’s the one most attacked by hackers. Attackers will purchase a new phone and SIM card and trick your mobile provider into porting your number to their new card. Mobile providers have different options for protecting against SIM swapping, as well as numbers to call if you think your phone has been compromised.

T-Mobile: Account Takeover Protection

https://www.t-mobile.com/support/plans-features/account-takeover-protection

1-800-937-8997

AT&T: Wireless Passcode

https://www.att.com/support/article/wireless/KM1049472/

1-800-331-0500

Verizon: Port Freeze

Call *611 and request a port freeze.

1-800-922-0204

Secure Configuration

If you click an unsafe link or open an unsafe file, a secure configuration can act as a second layer of security.

Apply Updates

Updating your software closes the vulnerabilities that most exploit tools used by hackers to steal data and money depend on. Make sure to accept automatic updates and restart your computer or phone at least weekly.

Remove Unneeded Software

Software that you’re no longer using can still be used by attackers to compromise your computer. Uninstall software that you no longer use. You can always reinstall it again if you need it later.

Sideloading/Jailbreaking

Cell phone operating systems were designed with security in mind. This security can be circumvented by “sideloading” apps or jailbreaking phones. This allows you to install software that wasn’t vetted through an App store. Make sure your phone hasn’t been jailbroken and you don’t install apps from third-party app stores.

Unsupported Devices and Hardware

Eventually, manufacturers will stop supplying updates to the products you use. If your software, computer, or phone is no longer supported, it’s time to replace it.

Additional Resources

Harvard Information Security - https://security.harvard.edu

Central location for Information Security content for Harvard University

Harvard Global Support Services - https://www.globalsupport.harvard.edu/

Logistical support for people travelling internationally for Harvard

Harvard VPN - https://vpn.harvard.edu

Connect to the University through a secure tunnel to protect against attackers on your local network.

Facebook Protect - https://www.facebook.com/gpa/facebook-protect

Advanced security for certain Facebook users, currently limited to political campaigns.

Google Advanced Protection - https://landing.google.com/advancedprotection/

Heightened security settings for Google account users

EFF Surveillance Self Defense Guides - https://ssd.eff.org/

Specialized guidance for activists, journalists, and researchers in privacy-hostile environments

Virus Total - https://www.virustotal.com

Online malware scanner for individual files

Signal - https://signal.org/en/

Secure messaging platform for mobile and desktop communication.
