Data privacy is something that we all must embrace as part of our daily lives.  From the way we pay for our groceries to the federal legislation efforts to safeguard online reputations, data privacy has a growing impact on our lives. The Office of the Chief Information Officer is taking part in this initiative, recognizing January 2012 as Data Privacy Month.

The OCIO provides privacy tips on its Buckeye Secure site. Use this information to keep yourself, your family and our community safe throughout Data Privacy month and for the rest of 2012.

Test your data privacy know-how

Check our Data Privacy Day 2012 article for hints to the crossword below. Upon completion of the puzzle, you have the option to enter your name and e-mail to be entered into a prize drawing. Two randomly-drawn winners will be securely disposing of their sensitive data on paper with their very own cross-cut shredders. Winners will be announced the week of February 6. OCIO employees can participate in the puzzle, but are not eligible to win.

NOTE: This contest is now closed, but feel free to test your knowledge!

Questions

Across

• 1. In November 2010 Facebook settled a privacy lawsuit with who?
• 2. The Office of the CIO provides privacy tips at buckeye________.osu.edu.
• 3. With Near Field Communication, consumers can pay a participating retailer by tapping their __________ to a scanner.
• 4. Technology used to make payments by waving your credit card, rather than swiping.

Down

• 5. Review your _______ report to detect issues.
• 6. A recent study at this university had 100% of participants with privacy settings showing or hiding different information than they intended.
• 7. This feature can embed data revealing your location in the photos you post online.
• 8. The DIY method for protecting your smartcard from being scanned without your approval is wrapping it in _________.
• 9. Preserving your security requires maintenance of digital and what other kind of records?
• 10. Before using an application or new technology feature, know how it works and read the ________ policy.

Top Times

1. Time: by what does fatigue mean on 2012-03-22
2. Time: by what does fatigue mean on 2012-03-22
3. Time: by what does fatigue mean on 2012-03-22
4. Time: by what does fatigue mean on 2012-03-22
5. Time: by what does fatigue mean on 2012-03-22

Your Social Life:

Do you realize the permanence of the information you publish publicly on your social media profile? Even those who are conscious of maintaining a polished online reputation might not realize the difficulty of managing their social media site’s privacy settings appropriately: A recent study at Columbia University had 100% of participants with Facebook privacy settings that didn’t show and hide the information they had wanted to.

In November 2011 Facebook settled a lawsuit with the Federal Trade Commission (FTC) after Facebook had shared user information publicly, despite ensuring their customers that private information would be safeguarded. Some Facebook users might have been deterred after hearing this news, but others are likely feeling safer now that the privacy practices of their favorite social media platform is being scrutinized. As a result of this case, Facebook will undergo privacy audits every other year for the next 20 years. They have also dedicated two chief privacy officers and other resources to meet privacy standards.

To learn more about Facebook security or adjust your settings, see the “privacy settings” page of your account. To access privacy settings, click the arrow in the upper right corner of your home page.

Picture hosting and sharing via sites like Twitter and Flickr can share your location if you aren’t careful. Smartphones will embed your geographic location, and that data is embedded in the files posted online. On most phones it is simple to disable the geotagging feature, though many users are unaware that this information is being collected to begin with.

Need help with figuring out how to disable geotagging? Contact your mobile provider.

Your Money:

While it’s obvious that a spammer sent an e-mail claiming to be a Nigerian widow seeking to transfer $10 million USD, sometimes things aren’t that clear. Identity theft isn’t a new crime in the US or abroad, but the methods used to access this data are ever changing.

New payment methods are coming to the forefront of the Data Privacy Discussions. Smart cards are now replacing credit cards. These new cards have chips that hold your account number and expiration date and a tiny radio antenna that allows the cardholder to send information to a retailer’s smart card reader.

There is some debate about how risky these cards actually are. Since the conventional credit card’s magnetic strip contains more information (such as your 3-digit security code), some say the risk of identity theft posed by smart cards is negligible in comparison. Others, however, recognize the risk of having your card scanned by a stranger – the smart card readers are available for purchase online. The card readers must be in very close proximity but they can read through a wallet, purse or pocket. Potential data thieves who use this method could only make purchases from vendors who don’t ask for more information such as your security code.

RFID (Radio Frequency Identification) cards have yet to replace the conventional payment methods of a credit card, so the smart chips are an additional source of data in addition to the magnetic strip and embossed numbers on the card. Ultimately it is up to each consumer to decide whether the benefits of waving rather than swiping are worth the potential threat.

New technology like the Google Wallet also allows you to ‘tap and pay,’ but with your smart phone instead of your credit card. With Near Field Communication (NFC), buyers can wave their phone in front of a scanner, similar to the RFID cards. The likelihood of this technology replacing our conventional payment methods is also up in the air. Some users express worry for having such important, personal data across many accounts and platforms all in one centralized device. Creators of Google Wallet claim their method to be safer than a credit card that’s simply swiped and signed, since Google Wallet is locked with a PIN.

Know Your Legal Rights:

Some privacy activists are campaigning for legislation to impose regulations on advertisers, app builders and other developers to improve privacy and transparency in their technology. Some current legislative issues include geotracking with mobile applications, and enforcing companies to write shorter privacy policies in more layman’s terms.

Protecting children’s online reputation has been a focus of the Federal Trade Commission for over a decade, and last year the Commission called for broader protection of privacy than their 1998 Children’s Online Privacy Protection Act currently ensures. The revision to expand the definition of Personal Data protected under the Act was proposed last September to include a child’s geolocation, facial recognition technology and personal data collected via cookies for targeted advertising purposes.

The formerly mentioned facial recognition technology brings privacy concerns for young and old. This growing technology enables facial features to serve as identifiers that could potentially be matched up with social media pictures or used for identification and accessing secure environments. Over the last two months the FTC has been hosting workshops and forums for feedback about what kind of regulation might be helpful in reducing privacy risks with this technology.

What can you do to help protect yourself?

• Clean House – many institutions are changing the way they keep paper records with sensitive information, and you should too. Get rid of paper documents with account or social security numbers by shredding them. Also consider the sensitive data on your computer. It might be an antiquated machine requiring too much maintenance to be worth keeping, but the hard drive might still be accessible, and will put you at risk if it falls into the wrong hands. Learn how to dispose of your computer safely.
• Know Before You ‘Go’ – Empower yourself by reading up on new technology and how it works. Don’t use features for mobile devices, payment methods or applications if you aren’t familiar with what kind of information they access. You might even decide that the convenience of an application or feature outweighs the privacy risk, if it is slight enough. Make that decision from an informed standpoint.
• Security Savvy Shopping – Trust your instincts, along with the knowledge of what current scams are taking place, while making a purchase. Check your credit and debit cards for a RFID chip; then decide what security measures to take. Some consumers wrap their smart cards in aluminum foil. Wallets and sleeves with aluminum layers inside are also available for purchase. You can alternatively request a new card without the RFID technology.
• Credit Monitoring – Following the steps to protect your sensitive information significantly lowers your risk, but it does not make you immune to data or identity theft. Early detection can be just as important as prevention. One way to detect problems early is by simply reviewing your credit report. You can get a free report at annualcreditreport.com annually. The sooner you find something unfamiliar on your report, the easier it will be to resolve that inconsistency.

Want to Know More?

The Office of the Chief Information Officer provides more privacy tips on its Buckeye Secure site. Use this information to keep yourself, your family and our community safe throughout Data Privacy month and for the rest of 2012.

For more information on data security, contact Julie Talbot-Hubbard at talbot-hubbard.1@osu.edu or 614-292-7831.

Test your data privacy know-how in our crossword puzzle!

NEVER give your confidential or sensitive information to anyone over the phone or e-mail. Please remember to always validate the authenticity of whoever is on the other end prior to releasing confidential or sensitive information.

To help protect yourself, review the information on the OCIO Buckeye Secure site at ocio.osu.edu/buckeyesecure.

Share/Bookmark

Affected Systems

• Microsoft Windows
• Mac OS X 10.5-10.7 Note: Mac OS X 10.4 is not supported by the PGP 10.2 client. The old 9.9.1 client will continue to be supported.

PGP Whole Disk Encryption provides comprehensive full disk encryption for all data on desktops, laptops, and removable media. PGP protects data from unauthorized access, providing strong security for intellectual property, customer and partner data. A PGP license is required.

For questions regarding PGP, contact your department network administer or the IT Service Desk at 8help@osu.edu.

Share/Bookmark

Creating Individual Accounts

Everyone associated with The Ohio State University gets an Ohio State Username (lastname.#) and over one million identities are managed with the new IdM system. This includes student applicants, students, faculty and staff employees, and guests. With my.osu.edu, Ohio State Username activation is a self-service process, allowing Ohio State community members to have an active account and access to university resources quickly.

Actual Activations as of October 31 (click to enlarge)

Another improvement in service is the ability for anyone with an Ohio State Username to use self-service to reset a forgotten password. By selecting and answering five security questions, individuals create a way to reset their forgotten password anytime, anywhere, and without contacting support professionals.

By the conclusion of autumn quarter 2011, everyone with an Ohio State Username will have reset their password at my.osu.edu. For faculty, staff, and students, this initial password change also provides the opportunity to manage one less account and password by synching with OSU Wireless. Since my.osu.edu went live in August, more than 17,000 individuals have logged on to the OSU Wireless network with their lastname.# usernames and new passwords.

Accessing OSU Wireless with an Ohio State Username and new password is easier with the help of configuration tools provided by the Office of the CIO. The wireless utility automatically configures devices with Mac OS X 10.7 (Lion), Apple iOS, or Windows operating systems including 7, Vista and XP. Users with Mac OS X 10.5 or 10.6 can follow the video tutorial for step-by-step configuration instructions. A Knowledge Base of resources regarding OSU Wireless is also available through the IT Service Desk.

Managing Sponsored Guests

A new, secure university process is in effect for creating and managing sponsored guest accounts. There are three main roles to be familiar with:

A new role, Sponsored Guest Admin Authorizer, has been created in each of the colleges and university offices. This provides local control and visibility to the colleges and departmental units to manage guests who require a unique Ohio State Username for access to university resources such as Carmen. Sponsored guests may also receive university e-mail and calendaring services by special request to the IT Service Desk.

A guest requiring access to university resources must be sponsored by a current Ohio State faculty or staff member, who takes on the role of Sponsor. The Sponsor is responsible for obtaining the approval from the appropriate authority within the specific college or department, and overseeing the guest’s activities while using university resources. The Sponsor also works with the Sponsored Guest Administrator to collect the appropriate identity information from the guest. Sponsored Guest Administrators have the ability to add, search for, and edit guests through my.osu.edu.

No Longer Affiliated (NLA)

An active affiliation status is equivalent to authorizing security access to university systems. The new NLA inactivation rules address this risk by automatically deactivating account access upon last effective date of employment or as defined for other affiliation types.

Recognizing the need for continued communication in certain circumstances, an employee terminated (not for cause) will have their lastname.# access inactivated on the effective date of termination, but may continue forwarding to a personal e-mail address for 180 days, as long as this information is collected during the roll-off process and entered into the HR system. The improved sponsored guest process will also allow departments to identify instances where an individual needs a renewal of access. A major increase in security posture is achieved by IdM’s ability to immediately terminate access to connected systems for someone who leaves the university for cause.

Managing E-mail Delivery

Ohio State’s faculty and staff have the option to deliver e-mail to the University E-mail Service, including to a departmental address. Students can choose to deliver their university e-mail to Buckeye Mail or another service provider such as Gmail or Hotmail. Since my.osu.edu has been live, the site has assisted in the migration of more than 4,000 faculty and staff mailbox users and more than 64,000 users who deliver to another service, including departmental systems. This collaboration helps the university move towards its goal of one university e-mail system.

For questions and more information, contact the IT Service Desk at 8help@osu.edu.

Share/Bookmark

The IT Security tour of campus 2011 continues this month with a stop at the OSU Medical Center building at 600 Ackerman Rd. Thanks to Tre Smith and the OSU Medical Center for hosting our monthly meeting.

The gathering will take place in room E2038 and will cover the usual topics along with a presentation from Kaspersky engineers on the capabilities of the company’s Anti-malware detection solution (the same engine powers Microsoft’s Forefront product).

Those interested in Information Security topics should join us for this demonstration and other ongoing conversations.

Directions and information about our meeting location is included in this wonderful and completely not malware infected PDF:

Share/Bookmark

Julie Talbot-Hubbard

In her new role, Talbot-Hubbard will be responsible for the development, implementation and monitoring of a strategic, comprehensive enterprise information security program to ensure the availability, integrity and confidentiality of university information.

Talbot-Hubbard, who comes to Ohio State from Cardinal Health, has been the director of Information Security and Risk Management since 2008. In this role, she was the leader of the Information Security and Risk Management organization, responsible for IT risk assessments, management of the IT Risk Policy and Security Baseline Lifecycle based off of ISO 27002 (information security standard), oversight of the Risk Advisory Board, the IT Business Continuity and Disaster Recovery Program, security event management and data loss prevention.

She has a degree in Business Administration from Miami University and completed the Smith Executive Education Program. She has received Certified Business Continuity Professional, Certified in the Governance of Enterprise IT, and Certified Information Systems Auditor certifications. And, was recently honored as the Information Security Executive of 2010 for the Central Region, sponsored by T.E.N.

Talbot-Hubbard’s office will be in located in 480 Baker Systems Engineering. She can be reached at talbot-hubbard.1@osu.edu.

Share/Bookmark

Recently, the android app store removed 50 or more applications found to have been infected by the DrdDream trojan. This malicious code was embedded in innocuous applications and performed data mining on users and reported information back to command & control nodes through the phone’s wireless network. It was not a single incident and other bad software like “spyeye” and “GoldDream.A” prey upon user text and SMS messages.

Even when our user community is not performing business functions on these devices, the IT community here at OSU needs to begin investigating tools and techniques of safeguarding the organization. Device vendors and service providers are beginning to recognize the need to protect smartphones and other devices. AT&T and Sprint both recently began working with anti-malware vendors like McAfee and Juniper Systems to address these emerging threats.

The university at this time does not have a standard tool or technique for protecting our users and their mobile devices. However,  here are some suggestions you can make to your Faculty and Staff while our organization evaluates the approach to these issues and renders direction.

Tools:
Lookout Mobile Security – this free tool for Android phones has limited capabilities but is known to protect against common forms of Android malware.

Security Approaches:
Most users fail to recognize that smartphones and mobile devices carry many of the same risks as laptops or desktops. They understand the need for security software because we’ve done a pretty good job of instilling that criteria into their business practices over the last few years. It’s time to do the same thing for smartphones. Users of these devices should be encouraged to adopt security settings and be cautioned to become just as cautious installing “unknown” or “unverified” applications on their phones as they would be installing software on their PCs.

Many of the same concerns about how to detect legitimate applications exist in the mobile world as do on the PC, but in general we need to begin talking about how we discourage users from exposing themselves to undue risk by grabbing every free application available. Free is seldom really free, there are often hidden strings.

Using new devices is always a struggle of convenience and expertise. We don’t expect users to become security professionals just to install the latest Angry Birds clone, but in this new frontier of mobile devices we need to help them understand the inherent risks incumbent in early adoption. We need to help users understand that applications that run games don’t need the same privileges as system software, and to blindly agree to permissions just so they can jump into that game or cool application is the kind of nievate that the bad guys rely upon.

When downloading an app, users should pay attention to the permissions it requests. For instance, most games don’t need access to your email app or your contact manager.

Also important is considering the source of the application – while the Android Marketplace is host to some poisoned applications, it’s far more likely to be safe than some random website hosted out on the Internet. We should encourage our users to do research before installing, and research from more legitimate websites, not just a random Google hit.

iPad/iPhone users may be looking at the more open Android market and laughing thanks to Apple’s more controlling approach, but remember that iOS marketplace items have slipped by with malicious code in them already, despite Apple’s filtering. No platform is completely safe from these threats since security is often a catch up exercise with these rapidly evolving platforms.

Our users want to use these devices to perform personal and professional business and we should not be standing in the way of this trend. Instead, as It professionals it is important that we work with our users to find safe and secure methods of applying these tools.

If you have suggestions on ways the university community can work to enable a secure approach to mobile devices, please share them on the various mailing lists, such as distcons, or e-mail them to sines.22@osu.edu.

Share/Bookmark

The Windows System Administration Working Group, with that goal in mind, recently came together and developed a Group Policy Template to help Windows administrators quickly configure critical servers to comply with many of the elements of the current Critical Server Security Standard.

Administrators who are interested in applying this template to existing servers and for use in deploying new systems can find it hosted on the OCIO IT Security portal (https://portal.infosec.ohio-state.edu). Windows AD Sysadmins are encouraged to build any OU GPOs from this template to help with consistent adoption of the standard.

OCIO IT Security encourages Windows administrators to take advantage of this template and would like to extend thanks to the security minded community for contributing this aid to the entire university It community.

Note: This template was designed under Windows Server 2008 and may change slightly when applied to Windows Server 2008 R2 or Windows Server 2003. Always confirm the setting changes when applying a GPO template to ensure compatibility with your local configurations and policies.

Share/Bookmark