Information Security

With a password you protect data on your computer, tablet and smartphone. Data that is personal and important to you, but could be worth money to malicious parties. So take the protection of your data seriously. You don't want them to end up on the street, or worse.

Hackers will try anything to find out about your passwords. Phishing (via e-mail) and smishing (via a text message) are forms of abuse that receive publicity almost every day. But you can lose passwords in much easier ways: because you are careless with keeping them secret, for example because you have shared your password with someone else. Or because you log into online services from any device you can find. And let's face it, do you still use that same simple and oh-so-easy-to-remember password all the time and everywhere?

All very easy... also for a hacker!
Of course it's hard to think of difficult passwords for everything, but know that hackers often use computers that try to log into your accounts using a list of passwords. And because a computer doesn't get tired, it can do this quickly and also for a very long time. So a simple and easy to remember password is easily cracked.

The possible length of a password varies by service, but in general, the longer the password and the more variation in characters, the "stronger" the password. Such a password may be difficult for a hacker to guess or for a computer to crack, but it often has the disadvantage of being difficult to remember.

Hence the possibility is offered by more and more services to use a "passphrase". Although this is longer than a password, it is also easier to remember than just a random combination of characters. A 'passphrase' is a password consisting of several words, in the form of a sentence.

How do you use a password or passphrase?
Once you use codes, passwords or 'passphrases', it is important that they remain secret and are as different from each other as possible.

• Never share your strong password/passphrases. This is an obvious one. In the unlikely event that your bank account is looted and it later transpires that you have shared the password with someone else, then you are liable for the damage! Also be careful when using a password: are you sure no one can look over your shoulder?
• Use a strong password/passphrase for each service. If you lose your password or it gets hacked, the damage is limited.
• Preferably only log in from trusted sources, so from your institution or your own PC, tablet or smartphone. Do not log in to your online services from an internet café or someone else's laptop. You don't know if these are safe (key-loggers/skimming) and also, traces can always be left behind.
• Do not click on links in e-mails or text messages (phishing, smishing) to log in to your bank, for example. This also applies to social media accounts on WhapsApp and Facebook, to name but a few. Because, are you sure these are from the intended organization? Always go directly to the relevant website. Doubt about the legitimacy of an email? Call the sender.
• Change your password/passphrase periodically. A plain old password with 8 to 12 characters changes once a year. A passphrase has a longer shelf life.
• Increasingly, services are offering free two-factor authentication as an additional protection. Examples include software-based 'authenticators' such as those from Apple, Microsoft and Google that you can install on your smartphone and which generate a code that you must enter on the login page. Or a code is sent to you by SMS every time you try to log in. At VU we also use two-factor authentication via Azure MFA, Tiqr or Yubikey.

How do you remember your password?
Of course you need to be able to remember a strong password/passphrase. If you have trouble with this, you can use a mnemonic. You can also use a password manager. There are free programs available, although their functionality is less than the paid versions. 

• Password manager (free via Google), via BING). From Surfspot, you can purchase a version for Windows, MAC, iOS or Android as a student or employee at a greatly reduced rate.
• Use an understandable and logical passphrase.
• If using a passphrase is not possible, switch to a strong password that is based on an easy to remember passphrase.

How do you choose your password?
Well, you've probably figured out by now that just the name of your cat is probably not the best password. Also names of your family, your partner or birth dates are relatively easy for an interested hacker to look up or even to guess.

1. If you have no choice but to use a password with limited length, choose the strongest possible password based on a passphrase. You may have to check the terms and conditions of the service to see which characters you can and cannot use or what the maximum password length is, but assume the following:

• Use at least eight characters, preferably more. Twelve or more is recommended.
• A combination of a capital letter, a standard letter and at least one number.
• Include at least one alternate character that is not part of the above character set: !, #, @ or $.

2. Prefer to use a passphrase!

• Use a combination of four or more random words with a minimum of sixteen characters, uppercase and standard letters intermingled.
• Replace certain letters with a character, for example, a ! for an 'i', a 0 (zero) for an o, $ for an 's', @ for an 'a', and so on,
• Sdd alternative characters such as a #, -, _

If you can't come up with a password yourself, you can try an online tool like a password generator

Not done!
Just to be clear, here are some examples that are easy for anyone to guess:

• 123456
• qwerty
• welcome01
• "Facebook01!" or "F@c3B0oK" for the Facebook service. The same principle of course applies to Tw!tT3r, Wh@t$@Pp and other services.

So don't do it!

So how to do it?

• If you use a password manager, it usually offers the opportunity to generate passwords using special characters, punctuation and length of your choice.
• If you can't or don't want to use this, then it is useful to think of a set of rules that your passwords and passphrases must adhere to. 

Suppose you like nice cold beer on tap. 'I like nice cold beer on tap' is a nice passphrase then. You could also use 'The name of my cat is George', provided you have a cat named George of course. But in this example we will take the beer-passphrase and make a few rules for it. We then make these rules apply to all of our other passphrases. We then just need to remember our passphrases and the set of rules. 

If we want to make the above beer passphrase stronger, then in this example we choose to remove all the spaces. That's rule one. 

Second, we're going to replace certain letters with an alternate character or punctuation mark. A ! for an 'i', a 0 (zero) for an o, $ for an 's', @ for an 'a'. We are then left with '!kh0uv@nl3kk3rb!3rv@nd3t@p'. 

The third rule we come up with is: every first letter after an alternative character or punctuation mark becomes a capital letter: '!Kh0Uv@Nl3Kk3Rb!3Rv@Nd3T@p' 

As a fourth line, add another special character, for example always in the first position and we get: '#Kh0Uv@Nl3Kk3Rb!3Rv@Nd3T@p' If you are dealing with a service that only accepts a certain number of characters, you can shorten the sequence: '#Kh0Uv@Nl3Kk' (twelve characters). 

To conclude
Check once in a while that your login details have not fallen into the wrong hands, for example at haveibeenpwned.com. More and more password managers can also perform such a check.

You have probably heard of it: ransomware. In plain English: hostage software. Currently, ransomware is one of the biggest Internet threats. And no, not only for companies like the MediaMarkt, or other institutions. You too can become a victim of this.

What is ransomware?
Ransomware is a type of malicious software designed to invade your device. It then encrypts the files on it (cryptoware) or otherwise makes them inaccessible. In doing so, hackers almost always take into account the type of device and the operating system running on your computer. Only after you pay a ransom - the 'ransom' - can you get a code to access your files. Payment of the ransom is almost always in the form of Bitcoins. This makes locating and prosecuting the perpetrators almost impossible. 

The VU has a policy that it will not pay ransom to cybercriminals. You must decide for yourself whether, if you are ever affected by an attack, you want to do so. Do know that by paying you are actually helping to popularize this form of cybercrime. Apart from that, it regularly happens that despite a payment, the victim does not receive a code.

How do you get ransomware?
Usually a device is infected via a malicious email with a link that is clicked on. Of course, everyone knows that you should not just click on links in an email message. But cybercriminals try to trick you into doing so anyway. For example, with a promise of a prize won: click here to collect your prize! Or you may receive a message about a traffic fine, a debt collection order, or a failed delivery attempt of a mail package. Details are supposedly found in the attachment. A somewhat less common variation is that your favorite website displays an interactive ad from a third party, which in reality has been hacked. All you have to do is click on it...

What happens after you click on the link is anyone's guess. A malicious piece of software is downloaded to your device or executed from the file attachment you opened and your device becomes infected.

What can you do about ransomware?
The chances of losing important files are extremely high with ransomware. Therefore, it is of the utmost importance that you prevent infection. Admittedly, with (Apple's) macOS and Linux you run less risk, but these systems can also be hit.

- The simplest thing: keep all software up-to-date, such as operating system, internet browser, browser add-ons and handy programs, such as Adobe Reader. Vendors regularly improve their products and fix weaknesses found in their software.

- You are not there yet: install an antivirus program. Not only on your Windows laptop but also on your Android smartphone and/or your Apple device. Through Surfspot you can purchase one at a discounted rate,

- Always look carefully at the title of an email or who it comes from. If you don't bank with a particular bank, it's not likely that they will send you an email asking you to verify your account.... right?

- So don't just click on attachments and links in emails unless you're sure it's trusted. In doubt? Then take a look at the website of the Fraudehelpdesk. Here is an overview of the latest trouble known to them.

- Pay attention to the extension of a downloaded file. Ransomware is often disguised as a different kind of file, for example as a PDF document or ZIP file. It also happens that the fake extension actually masks an executable file. Enable 'show file extensions' so that you can see through such a disguise. You can have a suspicious file analyzed for free by an online tool such as VirusTotal. In doing so, you also contribute to informing the security community.

- Be careful not to turn on macros in third-party Office documents, especially if the document asks you to do so.

- Make regular backups. In the event of a ransomware infection, this is often the only recourse to reverse the loss of all your data. A tip: don't leave your backup device constantly connected to your laptop and only connect and disconnect it when you are actually making a backup. This will prevent your backup from becoming encrypted as well.

- For bulk storage, preferably use a cloud solution that has version control.

- Increasingly, services are offering free multi-factor authentication as an additional protection.

Traditional methods require an extra piece of hardware (for example, a USB device (Yubikey) or a scanner), which issues a code. That code must be entered on the login page. There are also credit card-sized cards that must be inserted into a reader. A modern application is that of the software-based 'authenticator'. Such as those of Apple, Microsoft and Google that you can install on your smartphone and which generate a code that you must enter on a login page. The VU also uses this methodLinks to an external site. for a number of applications.

- Join in the fight against ransomware and other junk by reporting fake emails to the Fraud Help Desk.

I am a victim of ransomware. What now?

- Call in the police, always file a report.

- Get out and immediately check all your devices with an anti-malware tool. Sometimes renowned antivirus software providers such as Avast, HitmanPro, Kaspersky, Norton and McaFee provide a free program that could make your files accessible again.

- If you use a smart network or cloud storage, you can probably use version control to recover files. In that case, though, avoid re-infection and make sure the infected device has already been cleaned by an anti-malware tool. Better yet, have all your devices scanned.

- If you still can't get your important files back, it will probably cost you money. If you have really lost important files, consider getting professional help.

• Make sure that you lock or shut down your computer when you leave your workstation and that your workstation can only be unlocked using a password.
• Secure your laptop using a lock to prevent thieves absconding with your device after you leave it on your desk at night. Or better yet: make sure your laptop is safely stored away.

When you log on to a public Wi-Fi network, hackers can access the data on your phone or computer. Hackers use special equipment to create a network ID that sounds familiar to you (for example like the Dutch Railways network Wi-Fi on the train). When you log in, you end up on the hacker’s network instead of the network you thought you would be using. Hackers are also able to recreate privacy-sensitive websites, such as the DigiD site or your bank’s website. You will then believe that you are visiting these websites, but in reality you have been directed to a hacker’s website.

Tips for safely using Wi-Fi:

1. Do not send any privacy-sensitive information using public Wi-Fi connections (Wi-Fi connections that do not require a password). When you log on to Facebook for example, you’re also sending your login information!
2. Automatically turn off the find Wi-Fi networks function on your phone.
3. Use a VPN connection such as EduVPN. VPN stands for Virtual Private Network and is an encrypted internet connection that prevents others from listening in.
4. If you see two Wi-Fi networks with the same name where you’re only expecting to see one, then do not connect to either.
5. Immediately disconnect from the network if you notice that you have not been asked to pay for a paid service.
6. Only connect to wireless networks that offer sufficient protection using for example WPA2 encryption.
7. If there is no Wi-Fi network available, use your mobile phone as an Internet hotspot.

It’s not secure to send confidential files by regular email. When you frequently need to share documents with the same party, Zivver (up to 5TB) or SURFfilesender (up to 500GB) is a better option is to share documents with encryption. This eliminates the need for emailing documents.

Do you still sometimes receive a confidential file in your mailbox? Copy the file to a secure environment (such as SURFdrive) and delete the original attachment from your mailbox.

To use Zivver go to ServiceNow and search for 'Zivver'

When you are traveling and work requires access to VU services, please pay attention to the following points to prevent a security incident leading to damage on the VU network:

• At educational and research institutions, you can usually use institutional access via Eduroam, but always check whether this is a legitimate point and if necessary check with that institution! Consider using the  Eduroam app (EN)
• Do not use on public or hotel wifi, and even if an Eduroam point is available, try to use the 4G network of your phone and EduVPN where possible, as this is more secure.
• Try to log in to VU systems as little as possible. The less often you use your account information, the less chance that your data will be captured.
• Secure your devices with a password and encryption.
• Use VU Onedrive for file storage and sharing and turn to SURFdrive in an emergency. Under no circumstances use commercial storage services!
• Do not use public computers, for example in hotel lobbies.
• Pay attention to your surroundings when you log in, prevent someone from looking over your shoulder.
• When you return, change your passwords that you used during your trip. You can change your password by clicking on your profile in the dashboard.
• Call (+31 20 5980000) the VU if your laptop or other VU devices are stolen/lost or email the IT Service Desk

500GB personal cloud storage service with encryption, synchronisation and sharing within Dutch education and research.

For employees, a secure alternative to commercial cloud storage services such as Dropbox. SURFdrive makes it easy to synchronise and share files with other users. With SURFdrive, SURF complies with Dutch and European privacy legislation; you retain ownership of the data and it is stored in the Netherlands. 

500 GB storage space
Each user has 500 GB of storage space. Offline synchronisation allows you to access your files from anywhere at any time. It is also possible to give guest users access to files. Data is stored and transmitted in encrypted form. 

Access to SURFdrive
SURFdrive is accessed using your VUnetID. SURFdrive can be accessed from all popular computers, tablets and smartphones based on Windows, Linux, OS X, iOS and Android. For the best user experience, install the SURFdrive software or use a web browser. On your own device, you can install the software yourself at www.surfdrive.nl.  

Features
SURFdrive offers the following services, among others 

- Offline synchronisation so you can access your files locally;
- Easy and secure file sharing within the teaching and research community;
- Share documents with guest users;
- real-time visibility of changes made to documents by others;
- Optimised for use with smartphones and/or tablets
- 30-day backup & recovery
- 99.5% availability. 

If you are considering storing research data on SURFdrive, first check the Storage Finder for the best solutions: https://vu.nl/en/research/storagefinder

You can mitigate the risks that the VU runs by consciously dealing with information security. Here are some actions you can take to help keep the VU safe.

eduVPN
Install this virtual private network (VPN) to use the internet more securely. Especially if you work from home!

Authentication tool Azure MFA
This tool prevents TiQr, almost all account abuse, and helps you as a student employee to keep the campus safe.

Register drove machines
By turning off 'red' devices, the VU has more grip during data leaks, theft, and improper use of VU equipment. For more information [click here].

Be aware of unusual emails
If in doubt about an unusual e-mail from, for example, your supervisor: always contact this person personally before taking any action. If there is a case of phishing or ransomware, report it immediately to the [IT service desk.]

Scan and update your workspace - Install a virus scanner
When was the last time you asked yourself the following questions: when was your workplace at home and/or on-campus last installed for viruses? When was your device last provided with the latest updates? What passwords are stored locally, intentionally, or unintentionally? When was the last time you changed it? Who all have access to your computer and should they all have access? And so there are many more things to think of that you can do in a short time, but that you never really do just like that.

Phishing
One of the most common forms of internet fraud is phishing, a method of defrauding people by closing them to a fake (banking) website. This is done by, for example, reporting that your password has expired or that something strange is going on with your declaration. The link in the email is often a copy of the real website. Let's work together. A simple click can be enough to shut down an organization like the Vrije Universiteit.

IT Service Desk - For general questions

Availability by mail and telephone on working days from 07:30 – 17:00 hrs

Email: servicedesk.it@vu.nl

Phone: 020 59 80000

Location VU

Desk VU Main Building: 0A-11

W&N building counter: M0-20

More information about the IT Service Desk

Turn off your computer and contact the IT service desk as soon as possible.

IT Service Desk

Availability by mail and telephone on working days from 07:30 – 17:00 hrs

Email: servicedesk.it@vu.nl

Phone: 020 59 80000

Location VU

Desk VU Main Building: 0A-11

W&N building counter: M0-20

  More information about the IT Service Desk

In case of a serious threat and when you cannot contact the service IT desk
Security and Operations Control Center of the VU (SOCC)

Information security indicators reach the SOCC via the IT Service Desk.

E-mail: socc@vu.nl (preferred)

Phone: 020 598 71 59

For emergencies outside office hours: Tel: 020 598 22 22

More information about the SOCC

The following also applies here: contact the IT service desk.

IT Service Desk

Availability by mail and telephone on working days from 07:30 – 17:00 hrs

Email: servicedesk.it@vu.nl

Phone: 020 59 80000

Location VU

Counter VU Main Building: 0A-11

W&N building counter: M0-20

More information about the IT Service Desk

What is a data breach?

A (possible) data breach occurs when personal data is involved in a (security) incident. For example, consider the following situations:

* An HR advisor loses his tablet, which contains the application letters and CVs of all applicants from the past year.

* Personal data of students of a faculty is accidentally sent to the wrong recipient.

* Phishing emails are sent from a VU account containing a link to a malicious, external website.

* An open day invitation will be sent to the prospective students with the email addresses in the "To" or "CC" field, allowing each recipient to see the other recipients' email addresses.

* The VU is the victim of a ransomware attack. As a result, all data is encrypted. There are no backups available and the data cannot be recovered.

* A researcher's laptop, which contains personal data of participants in the research, is stolen.

The VU is obliged to report a data breach within 72 hours to the Dutch Data Protection Authority (AP), the Dutch supervisory authority for the protection of personal data. The Data Protection Officer (DPO) is responsible for handling a data breach. However, as an employee you have an important role in detecting data leaks. If you think that there is (or may be) a data breach, report this immediately to the IT Service Desk.

Not all possible data breaches need to be reported to the AP. If a data breach does not pose a risk to the person(s) in question, this is not necessary. This analysis will be made by the DPO, where necessary in collaboration with other VU employees.

Phishing is a form of internet fraud in which cyber criminals try to steal personal data or passwords, for example via e-mail or whatsapp. This website of the Ministry of Economic Affairs and Climate describes in detail how to recognize phishing.

1. Bank or government email

Many phishing attacks are done in the name of banks or the government, such as the tax authorities or DigiD.

2. “Click here to login”

Always be alert to emails with links. Avoid links by going to the relevant website yourself.

3. “Something is going to go wrong”

Pay close attention if this is in the e-mail. It can be a tactic to chase you so that you are less alert.

4. “Watch out! Important"

With this text, malicious parties can try to mislead you. So be vigilant.

5. “Urgent” or “urgent”

Always be wary of these words and don't be rushed into making mistakes.

6. Exclamation mark on email

A colleague can give urgency to an email by adding a (red) exclamation mark to the email. Phishing scammers also use this.

7. No personal salutation

An important email often contains a personal salutation. If this is missing, this may indicate a phishing attack.

8. Sender email address looks strange

Always check the sender's email address. If this looks different than you are used to, give the sender a call.

9. Unexpected request from acquaintance

Do you receive a strange or unexpected request from someone you know? Then check this via another channel with this acquaintance. It could be a scam (Spoofing).

10. Quotation or invoice as attachment

Attachments (e.g. PDFs or Word documents) are often used to install malware. So be critical when opening attachments.

11. Language Errors

Although this is decreasing, many phishing messages still contain language errors and carelessness.

12. Current world news

Current events are often used in phishing campaigns, such as fake corona messages that appear to come from the government.