Letter from the CISO, Vol 1 Issue 11
Washington University Community:
There are only two things to worry about—that things will never get back to normal, or . . . that they already have.
In other words, the only constant in life is change, and Information Security is no exception.
I sometimes worry that I am constantly barraging you with guidance on protecting yourself and us all from cyber-attacks and criminals. And worse, that today’s guidance is inconsistent with the guidance of just a few years ago.
Here are four changes I feel compelled to tell you about.
Change 1: Using DUO “Push” is WAY better than “Passcodes.”
When we first started using DUO for 2-Factor Authentication, we cut the number of successful attacks on WashU accounts by over 99%. It didn’t matter how people used DUO; the same benefit was there.
However, the bad guys have responded and figured out ways to get around DUO 2FA. In fact, in March, we saw them use two different ways of getting past DUO.
In the first case, simple and well-written phishing emails enticed users to click on links that looked (almost) identical to WUSTL Key login screens—complete with the WashU crest. After collecting username and password, the scam moved to an equally well-designed window to collect the users’ passcodes.
In the second case, a user was first phished for his password and then subjected to a flood of push requests in an “MFA Fatigue” attack. The user eventually approved a push request, even though he wasn’t trying to log in. He just wanted to make it stop. In hindsight, changing his password would have avoided a lot of trouble, but I empathize with his frustration at the time and can understand that the attack didn’t allow him to think it through.
To prevent this going forward, we are planning to change a setting in DUO to prevent more than a small number of consecutive, unapproved push requests in a short period of time.
Bottom line: Please, please, please, switch to using “Push” DUO authentication wherever possible as soon as possible. It is one of the rarest things in Information Security—something both easier and more secure!
Over the coming weeks, we’ll be working on disabling passcodes for all users who don’t need them and providing secure alternatives for situations where “push” won’t work.
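The "small number of consecutive, unapproved push requests" limit described above, as an added Python illustration that is not part of the letter and not Duo's actual setting: the log lines, the threshold of three and the ten-minute window are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample push-request log (not real Duo output): "timestamp user outcome".
# jdoe is the victim of a push flood; the 09:02:30 line is the approval given out of fatigue.
SAMPLE_LOG = """\
2023-03-14T09:01:02 jdoe denied
2023-03-14T09:01:20 jdoe timeout
2023-03-14T09:01:41 jdoe denied
2023-03-14T09:02:05 jdoe timeout
2023-03-14T09:02:30 jdoe approved
2023-03-14T09:05:00 asmith approved
2023-03-14T10:30:00 asmith denied
"""

MAX_UNAPPROVED = 3              # assumed threshold, not Duo's actual setting
WINDOW = timedelta(minutes=10)  # assumed lookback window


def parse_log(text):
    """Turn the log into (timestamp, user, outcome) tuples in time order."""
    events = []
    for line in text.splitlines():
        ts, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), user, outcome))
    return sorted(events)


def throttle_pushes(events, max_unapproved=MAX_UNAPPROVED, window=WINDOW):
    """Replay push requests through a per-user limit on unapproved pushes.

    Once a user already has max_unapproved pushes that were not approved
    inside the trailing window, further pushes are suppressed rather than
    sent to the phone. Returns the suppressed requests and the users to
    flag for a password reset (someone is generating pushes for them).
    """
    recent = defaultdict(deque)   # user -> timestamps of unapproved pushes
    suppressed, flagged = [], set()
    for ts, user, outcome in events:
        q = recent[user]
        while q and ts - q[0] > window:   # forget pushes outside the window
            q.popleft()
        if len(q) >= max_unapproved:
            suppressed.append((ts, user, outcome))
            flagged.add(user)
            continue                      # push never reaches the phone
        if outcome != "approved":
            q.append(ts)
    return suppressed, flagged
```

With the limit in place the fourth push and the fatigued "approved" that followed it are never delivered, and jdoe is flagged for a password change, which is the step the letter says would have avoided the trouble.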
Change 2: Why doesn’t the SSL padlock in your web browser mean what it used to?
We used to tell everyone to look for the padlock next to the website address in their web browser. It meant two things: that the information sent back and forth to the website was encrypted, and therefore protected from people listening on the network, and that the website was probably legitimate, because most criminals didn’t bother getting the certificates needed to secure the connection.
Unfortunately, the bad guys figured out how to get certificates too. Your communication with their site is still encrypted on the wire, but that only protects it until it reaches the other end of the connection, which is the bad guys.
Now you need to look for the padlock, but also look very carefully at the website address to make sure it is the right one. Don’t click on ‘www.wustI.edu’; that’s an upper case “I” in the address, not a lower case “L”. Telling them apart visually is nearly impossible! And if you end up there, don’t log in or enter your personal information, even if there is a padlock.
Change 3: Why should you use a password manager, even the one in your web browser?
You need a Password Manager ASAP! It’s vitally important that you use different passwords for all your different online accounts so that if one of your account passwords is stolen, it doesn’t compromise a bunch of other accounts. But keeping track of a bunch of different passwords is nearly impossible. I keep track of hundreds of unique passwords for my online accounts in my password manager. If you don’t feel like installing one of the ones we recommend [see https://informationsecurity.wustl.edu/letter-from-the-ciso-vol-1-issue-2/ or https://informationsecurity.wustl.edu/ask-the-experts-password-management/ for more information], you should now feel comfortable using the remember password feature of your web browser.
Whether a password manager or the browser’s remember password feature, you also enjoy the benefit that neither will automatically enter your password if the website name doesn’t match. That is, it would notice the difference between ‘www.wustI.edu’ (with an upper case “I”) and ‘www.wustl.edu’ (with a lower case “L”), which is great since I can’t tell them apart (and I just typed them).
Not too long ago, we strongly argued against using the remember password features because the browsers stored them in clear text, available to everyone who used the computer. Now they use good encryption, hidden behind either your login password or sometimes a special account for your browser. You still have to remember and be able to type this password, but if you follow my advice to use long “passphrases” in https://informationsecurity.wustl.edu/letter-from-the-ciso-vol-1-issue-2/, this shouldn’t be too difficult. And better to have to remember one password than many.
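The two checks behind Changes 2 and 3, as an added Python illustration that is not from the letter or from any password manager: an exact host comparison of the kind an autofill feature relies on, next to a look-alike check that collapses confusable characters so ‘www.wustI.edu’ is caught. The confusable table and the list of known hosts are small assumed examples.

```python
# Confusable characters collapsed to one form (assumed, small table;
# the upper-case I / lower-case L pair is the one from the letter).
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o", "O": "o"})

# Hosts whose look-alikes we want to catch (assumed list).
KNOWN_HOSTS = {"www.wustl.edu", "connect.wustl.edu", "informationsecurity.wustl.edu"}


def host_of(url):
    """Extract the host from a URL without changing its case (urlsplit's
    .hostname lower-cases, which would hide the I-for-l trick)."""
    netloc = url.split("://", 1)[-1].split("/", 1)[0]
    return netloc.rsplit("@", 1)[-1].split(":", 1)[0]


def skeleton(host):
    """Normalize a host so visually confusable spellings compare equal."""
    return host.translate(CONFUSABLES).lower().replace("rn", "m").replace("vv", "w")


def autofill_allowed(saved_url, current_url):
    """What a password manager does: fill only when the host is the same one
    the password was saved for. No fuzzy matching, so look-alikes get nothing."""
    return host_of(saved_url).lower() == host_of(current_url).lower()


def lookalike_of(url):
    """Return the known host this URL imitates, or None for an exact known
    host or an unrelated host."""
    host = host_of(url)
    if host.lower() in KNOWN_HOSTS:
        return None
    for known in KNOWN_HOSTS:
        if skeleton(host) == skeleton(known):
            return known
    return None
```

The manager never needs the look-alike logic: its exact comparison already refuses to fill on ‘www.wustI.edu’, which is why the letter calls the lack of an autofill a useful warning sign.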
Change 4: How to check hyperlinks in email messages.
For some time, we’ve recommended hovering your mouse over links in email messages to see where the link will take you. For example, in the incident I mentioned above, the email message showed the link connect.wustl.edu, but that was just a label on top of the link ‘http://net-real.co.jp/wustl.edu/connect.wustl.edu’, which has all the right letters for WashU, but really points to ‘net-real.co.jp’!
As mentioned in last month’s issue of SECURED!, we are actively working to implement a Microsoft Office 365 security feature called “Safe Links,” which rewrites links to start with ‘https://nam10.safelinks.protection.outlook.com/?url=’ followed by an encoding of the original link, and adds a “hover text” that shows “Original URL:” followed by the original URL. The purpose of this is two-fold. First, it allows analysis of the original link to make sure it doesn’t point to a malicious site, and lets us block access to that site should it prove dangerous. Second, if we don’t immediately figure out that the link is malicious, we can tell precisely who clicked on it and, therefore, who may need help to remove malware or reset their passwords.
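How the rewritten link and the hover text fit together, as an added Python illustration that is not from the letter or from Microsoft: the wrap function is a simplified imitation (assumed: only the url parameter, no signature or other parameters), and the incident link is the one quoted above.

```python
from urllib.parse import parse_qs, quote, urlsplit

# The wrapper prefix quoted in the letter; wrap_safelink below is a
# simplified imitation (assumed: only the url parameter, no signature).
SAFELINKS_PREFIX = "https://nam10.safelinks.protection.outlook.com/?url="

# The link from the incident described above: the path contains "wustl.edu"
# but the host is net-real.co.jp.
INCIDENT_LINK = "http://net-real.co.jp/wustl.edu/connect.wustl.edu"


def wrap_safelink(original):
    """Rewrite a link the way the letter describes: prefix plus an encoding of the original."""
    return SAFELINKS_PREFIX + quote(original, safe="")


def unwrap_safelink(url):
    """Recover the original link from a Safe Links wrapper; other URLs pass through."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host == "safelinks.protection.outlook.com" or host.endswith(".safelinks.protection.outlook.com"):
        targets = parse_qs(parts.query).get("url")
        if targets:
            return targets[0]   # parse_qs already percent-decodes
    return url


def effective_host(url):
    """The host the browser would actually land on, after unwrapping."""
    return urlsplit(unwrap_safelink(url)).hostname or ""


def hover_text(url):
    """The tooltip the letter says Safe Links adds on top of a rewritten link."""
    return "Original URL: " + unwrap_safelink(url)


def belongs_to(host, domain="wustl.edu"):
    """True only when the host is the domain itself or a subdomain of it,
    regardless of what the path or the link label says."""
    return host == domain or host.endswith("." + domain)
```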
We are really looking forward to adding this protection for all of us.
Thank you for reading and being part of the University’s Information Security team!
Good luck and be careful out there!
-Chris Shull, CISO