Hacking isn’t magic; it’s persistence. Hackers and cyber criminals take advantage of simple mistakes and misconfigurations to access your money, files, and messages. Sophisticated attacks take more time and expose tricks that attackers prefer to keep secret. This means the more basics you do well, the more likely an attacker will simply move on to the next target. In this guide we will cover:
Social Engineering
Social Engineering is a technical term for scams, fraud, and confidence tricks. Follow these steps to protect yourself.
Recognize
The most common form of social engineering used by hackers is phishing. Phishing can come via email, text, or social media message. The days of misspelled words and bad grammar are long behind us. Phishing messages from sophisticated attackers look legitimate. We can no longer tell you with certainty how a phishing message will look, but there are two characteristics which seem to be common.
Phishing messages will ask you to do something new, or something ordinary in a new way.
Phishing messages will make you feel anxious, scared, excited or curious so you react quickly.
Be mindful of how you feel while reading email. If something feels off, slow down and don’t click any links or open any files in that message.
Alternatives to Clicking
If you have a message that you think might be phishing, skip the links and go to the source. Here are some examples of what that might look like:
- Did a colleague ask you to send a file to them? Contact the colleague and confirm the request via voice.
- Were you directed by the support desk to install an update? Call the Service Desk to confirm.
- Is your password in need of a reset? Go to the service directly and check for notifications.
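The checks above can be done by eye, but it helps to see what "skip the links and go to the source" looks like mechanically. The following Python script is an added example, not part of the original guide: it pulls every link out of an HTML email body and flags the ones a phishing message typically relies on, such as a visible address that differs from the real destination, a lookalike (punycode) hostname, plain http, or a domain that is not on a list you already trust. The sample email body and the trusted-domain list are constructed for illustration, and the two-label "registered domain" rule is a simplification.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of an HTML email body; not a real message.
SAMPLE_EMAIL_HTML = """
<p>Your HarvardKey password expires today. Reset it now to keep access.</p>
<p><a href="http://harvard.edu.account-verify.com/reset">https://key.harvard.edu</a></p>
<p>Questions? Visit <a href="https://security.harvard.edu">security.harvard.edu</a>.</p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname (simplification: ignores suffixes such as co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_in_text(text):
    """If the visible link text looks like a URL or bare domain, return its hostname."""
    if " " in text or "." not in text:
        return None
    return urlparse(text if "://" in text else "https://" + text).hostname


def suspicious_links(html, trusted_domains):
    """Return the links that fail the 'go to the source' checks, with the reasons why."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        host = url.hostname or ""
        reasons = []
        if url.scheme != "https":
            reasons.append("not https")
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("punycode (lookalike) hostname")
        shown = host_in_text(text)
        if shown and registered_domain(shown) != registered_domain(host):
            reasons.append(f"text shows {shown} but link goes to {host}")
        if registered_domain(host) not in trusted_domains:
            reasons.append(f"{host} is not a domain you already trust")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL_HTML, {"harvard.edu"}):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Run on the sample, the first link is reported for three reasons at once (plain http, the visible text says key.harvard.edu while the link goes to account-verify.com, and the domain is untrusted), while the genuine security.harvard.edu link passes. The domain check is deliberately strict: a link to a domain you do not already use is exactly the case where you should type the address yourself instead of clicking.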
Report
If you believe the message you have received is a phishing message, report it. You can forward phishing messages to phishing@harvard.edu. If the message wasn’t an email, call your local support desk. This information can help us protect other people in the community who may be tricked into clicking.
Understand your Online Presence
Phishing messages become very convincing when details of your life and work are public. Your social media privacy settings are under your control; press releases, blogs, and news coverage are not. To see how strangers see you on the web, look at your social media profiles in a private or incognito window, where you are not logged in.
Want to make changes? StaySafeOnline has privacy settings and policies for major online services consolidated in one place.
https://staysafeonline.org/stay-safe-online/managing-your-privacy/manage...
To keep an eye on what is said about you and your work online, consider setting up a Google alert for your name or department.
Passwords
The first computer password system was created at MIT in 1962. The first password theft occurred at MIT in 1962. Despite a rocky history, passwords will likely be with us for the foreseeable future, so we should make sure they are secure.
Creating Strong Passwords
Acronym Method
- Write a sentence that is meaningful to you (I won’t go on another cruise- I got seasick and lost my hat.)
- Turn it into an acronym (Iwtgoac-Igs&lmh.)
Passphrase Method
- Choose 4-5 letters (LMJUP)
- Make a phrase that uses words that start with these letters (letmejump,Upromised!)
Risks of Re-Use
Every site where a password is reused is one more place it can be stolen. When one of those sites is breached, the password ends up in large dumps traded on the dark web and is added to the massive wordlists used by password-cracking tools, so attackers can try it against every other account you own. https://HaveIBeenPwned.com is a great resource to see whether your accounts have been part of a breach, and whether a password you use already appears in those lists.
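The two ideas above, making a password that is actually strong and finding out whether one has already leaked, are easy to get wrong in code, so here is an added Python example (not from the original guide) that does both. It generates passwords and passphrases with the `secrets` module rather than `random`, reports how many bits of entropy each has, and checks a password against Have I Been Pwned's Pwned Passwords service using its k-anonymity range API: only the first five hex characters of the SHA-1 hash are sent, and the match is done locally on the returned list. The sixteen-word list and the sample range response are constructed for illustration (the count shown for "password" is made up); the `breach_count_online` function does a live lookup and is the only part that needs the network.

```python
import hashlib
import math
import secrets
import string
import urllib.request

# Constructed mini word list for illustration; a real passphrase generator uses
# a list of thousands of words (for example the EFF long word list).
WORDLIST = ("apple", "bridge", "candle", "dolphin", "ember", "falcon", "garden",
            "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nickel",
            "orchid", "pepper")
CHAR_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of what the range endpoint returns for hash prefix 5BAA6
# (format is SUFFIX:COUNT per line; the counts here are made up).
SAMPLE_RANGE_RESPONSE = """\
1E2F9D4C0B7A3F1E2D3C4B5A69788796A5B:12
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F0A9C8E7D6B5A4F3E2D1C0B9A8F7E6D5C4:2
"""


def entropy_bits(choices_per_position, positions):
    """Entropy of `positions` independent uniform picks from `choices_per_position` options."""
    return positions * math.log2(choices_per_position)


def generate_password(length=16, alphabet=CHAR_ALPHABET):
    # secrets, not random: random.choice is predictable and unsuitable for secrets.
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words=5, wordlist=WORDLIST, separator="-"):
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def sha1_range_parts(password):
    """Split SHA-1(password) into the 5-char prefix HIBP receives and the suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix, body):
    """Scan a SUFFIX:COUNT body for our suffix; 0 means it was not seen in any breach."""
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def breach_count_offline(password, body):
    """Check a password against an already-fetched range response."""
    _, suffix = sha1_range_parts(password)
    return count_in_range_response(suffix, body)


def breach_count_online(password, timeout=5):
    """Live k-anonymity lookup: only the 5-character hash prefix leaves the machine."""
    prefix, suffix = sha1_range_parts(password)
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "password-check-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8")
    return count_in_range_response(suffix, body)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"{entropy_bits(len(CHAR_ALPHABET), len(pw)):.1f} bits")
    pp = generate_passphrase()
    print(pp, f"{entropy_bits(len(WORDLIST), 5):.1f} bits (tiny list; real lists give far more)")
    print("'password' in sample data:", breach_count_offline("password", SAMPLE_RANGE_RESPONSE))
```

A 16-character password from the 94-symbol alphabet carries about 105 bits, far beyond anything the acronym or passphrase methods produce by hand, which is the practical argument for letting a password manager generate them. The `Add-Padding` header asks the service to pad its response so the number of results cannot be used to guess which prefix was queried.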
Password Managers
Most people can remember one or two strong passwords, but how can we have strong unique passwords for the hundreds of accounts we use? Most security experts recommend a Password Manager. Password managers create, store, and autofill passwords for you. All you need to do is remember the password to your Password manager.
1Password, Bitwarden and Dashlane are examples of reliable commercial password managers. KeePass is an open source password manager with strong community support.
If you’re affiliated with Harvard, you can get a 1Password Business and Family account for no charge: https://security.harvard.edu/password-managers
Login Verification
Login verification ensures it's you logging into your account, not just someone who has your password. It is the single most important security feature you can enable to protect your accounts online. It goes by many names such as Multifactor Authentication (MFA), 2-Factor authentication (2FA) and two step verification. No matter what it’s called, login verification combines something you know (password) with something you have (usually your phone).
Supported Services
Most online services support some form of login verification. Your email and social media accounts should all have login verification enabled. For instructions, visit https://2fa.directory where you’ll find a listing of hundreds of services and the types of login verification they support.
Types of Login Verification
Login Verification can happen in many ways. These are the most common.
SMS: The most common form of login verification. You are sent a text with a code and that code is typed into the login screen. The code goes to whichever phone currently holds your number, which is why SIM swapping (below) matters.
QR Codes / Authenticator Apps: When you enroll, you scan a QR code that encodes a shared secret. An authenticator app such as Google Authenticator or Duo stores that secret and combines it with the current time to generate time-based one-time passwords (TOTP), typically a six-digit code that changes every 30 seconds.
Physical Token: A physical token either displays one-time codes that you read off and type in, or is a security key that you plug into (or tap against) the device and touch to approve the login.
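To make concrete what the authenticator-app option actually does, here is an added Python example (not code from the original guide or from any authenticator vendor) implementing the standard algorithms behind it: HOTP (RFC 4226), TOTP (RFC 6238), verification with a small window for clock drift, and the otpauth:// text that an enrollment QR code carries. The secret `TEST_SECRET` is the published RFC test secret, so the codes it produces match the RFC test vectors; the issuer and account names used in the usage section are made up.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, quote, urlparse

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890"); test data only.
TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226) using HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time=None, step=30, digits=6):
    """Time-based one-time password (RFC 6238): HOTP with counter = unix_time // step."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, code, unix_time=None, step=30, digits=6, window=1):
    """Accept the current step and `window` steps either side to tolerate clock drift."""
    if unix_time is None:
        unix_time = int(time.time())
    counter = int(unix_time) // step
    for c in range(counter - window, counter + window + 1):
        # constant-time comparison so timing does not leak how many digits matched
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True
    return False


def otpauth_uri(issuer, account, secret, digits=6, step=30):
    """The text inside an enrollment QR code; the app stores the secret it contains."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1"
            f"&digits={digits}&period={step}")


def parse_otpauth(uri):
    """Recover the shared secret and parameters from an otpauth:// URI."""
    parts = urlparse(uri)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    b32 = query["secret"].upper()
    b32 += "=" * (-len(b32) % 8)  # restore the base32 padding that URIs usually drop
    return {
        "secret": base64.b32decode(b32),
        "issuer": query.get("issuer", ""),
        "digits": int(query.get("digits", 6)),
        "period": int(query.get("period", 30)),
    }


if __name__ == "__main__":
    uri = otpauth_uri("ExampleService", "user@example.org", TEST_SECRET)  # made-up names
    print("QR code contents:", uri)
    enrolled = parse_otpauth(uri)
    print("current code:", totp(enrolled["secret"], digits=enrolled["digits"],
                                step=enrolled["period"]))
```

Two points worth noticing: the QR code is the secret, so anyone who photographs it during enrollment can generate your codes forever, and the whole scheme is only as private as the app that stores that secret. Unlike SMS, nothing is transmitted at login time, which is why an authenticator app is not affected by SIM swapping.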
SIM Swapping Protection
SMS is the most used way to perform login verification, so unsurprisingly it is also the one most attacked. In a SIM swap, an attacker buys a new phone and SIM card and tricks your mobile provider into moving your number to that SIM; from then on your calls and texts, including login codes, reach the attacker instead of you. Mobile providers offer different protections against SIM swapping, and numbers to call if you think your phone number has been taken over.
T-Mobile: Account Takeover Protection
https://www.t-mobile.com/support/plans-features/account-takeover-protection
1-800-937-8997
AT&T: Wireless Passcode
https://www.att.com/support/article/wireless/KM1049472/
1-800-331-0500
Verizon: Port Freeze
Call *611 and request a port freeze.
1-800-922-0204
Secure Configuration
If you click an unsafe link or open an unsafe file, a secure configuration can act as a second layer of security.
Apply Updates
Updates fix the vulnerabilities that most of the exploit tools used by hackers to steal data and money depend on, so an up-to-date device is simply not vulnerable to them. Accept automatic updates and restart your computer or phone at least weekly so that the updates actually take effect.
Remove Unneeded Software
Software that you’re no longer using can still be exploited by attackers to compromise your computer. Uninstall software that you no longer use; you can always reinstall it later if you need it.
Sideloading/Jailbreaking
Phone operating systems were designed with security in mind. That security can be circumvented by “sideloading” apps or jailbreaking the phone, which lets you install software that wasn’t vetted through an app store. Make sure your phone hasn’t been jailbroken, and don’t install apps from third-party app stores.
Unsupported Devices and Hardware
Eventually, manufacturers will stop supplying updates to the products you use. If your software, computer, or phone is no longer supported, it’s time to replace it.
Additional Resources
Harvard Information Security - https://security.harvard.edu
Central location for Information Security content for Harvard University
Harvard Global Support Services - https://www.globalsupport.harvard.edu/
Logistical support for people travelling internationally for Harvard
Harvard VPN - https://vpn.harvard.edu
Connect to the University through a secure tunnel to protect against attackers on your local network.
Facebook Protect - https://www.facebook.com/gpa/facebook-protect
Advanced security for certain Facebook users, currently limited to political campaigns.
Google Advanced Protection - https://landing.google.com/advancedprotection/
Heightened security settings for Google account users
EFF Surveillance Self Defense Guides - https://ssd.eff.org/
Specialized guidance for activists, journalists, and researchers in privacy-hostile environments
Virus Total - https://www.virustotal.com
Online malware scanner for individual files
Signal - https://signal.org/en/
Secure messaging platform for mobile and desktop communication.