MIT Certificates Expire on July 31

If you haven’t done so already, be sure to renew your MIT personal web certificates and at the same time update your password (if the password is over a year old). Pick a strong password so that it’s less likely to be compromised.

Renewal of personal web certificates is not automatic, so plan to renew to ensure continued access to MIT’s secure applications, including Atlas, Benefits, SAPweb, WebSIS and software downloads.

This year, signing up for Duo Authentication (see above article) is added as an option, but next year when certificates expire it will be required, including for students.

LastPass Network Breach

On June 15, 2015, LastPass sent out a notice to its customers regarding suspicious activity on its network. The details of the activity are posted here.

LastPass Enterprise is a password management system that will be rolled out to the MIT community this summer. LastPass Enterprise provides access to data and passwords via Windows, Mac OS X and mobile native clients, as well as via any web browser. It is a convenient solution to the password management problem teams face and unlocks features such as shared password folders and secure notes.

You can find information about LastPass Enterprise via the MIT LastPass FAQ. Note that LastPass Enterprise for MIT includes two-factor authentication using Duo, which provides an added layer of security for your account.

See the KB for answers to questions you may have about the LastPass security breach.

The Secret Life of Passwords

This rather long but very interesting NY Times article discusses what our passwords mean to us. Some people describe them as cryptic poetry, some passwords hold meaningful memories or reminders, some are playful, others dark and serious.

It’s a fascinating read if you have the time.

Risks to Information When Traveling

This recent NY Times article outlines the ways your data can fall into the hands of snoops and thieves if you’re not careful when traveling. The tips the article lists include some great security best practices.

1. Take only what you need. If you can, take a loaner laptop or one that contains only what you need for the trip and nothing more. Alternatively, if you must take sensitive data, carry it on a memory stick.

2. Use encryption. Encryption can be added to MIT laptops, mobile devices and memory sticks. To learn more about how to use and enable encryption, see:

3. Install a virtual private network (VPN). The VPN that MIT provides gives users an encrypted network connection, even when accessing the Internet via public or open Wi-Fi (such as at a hotel or cafe). This prevents anyone on the same public Wi-Fi from reading your communications. Install the VPN client from the IS&T website:

4. Protect using a password. If you must take a phone, laptop or tablet with you on your trip, make sure it has a code or password on it. Some smartphones now have fingerprint sensors for locking/unlocking. Choose a strong password for your laptops (learn how). Create strong passwords for the mobile apps or websites you use for accessing sensitive information, and don’t leave passwords written down and stored near the devices you use them for.

5. Use layered protection. This means, for example, keeping extra copies of files safely stored elsewhere (not on your computer’s hard drive), or having your files backed up in the cloud. MIT offers CrashPlan, the new backup service that replaces TSM. Mobile devices can also use CrashPlan via the CrashPlan apps.

Note: while keeping files in Dropbox can be convenient for sharing them with colleagues, if you have installed Dropbox on your computer, those files are accessible to a thief who has stolen your computer. One recommendation is to remove the Dropbox folder from the computer prior to traveling and to access your Dropbox files via the Dropbox website instead. On mobile devices, the folder can be password protected within the Dropbox app. See these security tips for Dropbox users.

Find more tips for MIT Travelers in this KB article.

Funny: Forgot Password

Have you ever forgotten a password? Comedian Don Friesen goes on a hilarious rant that is completely relatable.

Watch the 5 minute video on YouTube.

Over a Billion Stolen Credentials Amassed

Earlier this month, the NY Times reported that a Russian crime ring has amassed 1.2 billion user name and password combinations and more than 500 million email addresses from the Internet. According to security firm Hold Security, many of the sites from which the credentials were stolen are still vulnerable.

There is concern in the security community that keeping personal information out of the hands of thieves is increasingly a losing battle. Last December, 40 million credit card numbers and 70 million addresses, phone numbers and additional pieces of personal information were stolen from Target by Eastern European hackers. This latest discovery, however, has prompted security experts to call for improved identity protection on the web.

Read the full story online.

As a result of the large number of usernames and passwords that have fallen into the hands of criminals, one NY Times reporter came up with a two-step plan to prevent hackers from getting into his online accounts. He contacted all of the companies with which he does online financial transactions to find out whether they support multi-factor authentication. He writes about his experience here.

If you are concerned about your online accounts and whether they are secure enough, you may want to take some similar steps or be proactive in other ways. One suggestion I would make — until all companies offer multi-factor authentication — is to update your passwords on a regular basis and manage them using a password storage manager, either LastPass, 1Password or KeePass.

Personal Certificates Renewal Time

Every year at MIT personal web certificates expire on July 31. Renewal is not automatic, so for continued access to MIT’s secure web applications, such as Atlas, WebSIS, COEUS Lite, and ePaystubs, be sure to renew your certificate.

When you obtain your personal certificate, if you haven’t changed your password for over a year, you will be prompted to do so as an additional security measure. You may want to review password strength requirements before choosing a new one.

Certificates obtained after June 30, 2014 are valid until July 31, 2015.