Month: December 2017

ACLU Criticizes Excessive Internet Filtering Controls in Schools

The Children’s Internet Protection Act (CIPA) requires Internet filtering controls in schools to be applied to block obscene images, child pornography, or other images that could be harmful to minors.

Compliance with the Children’s Internet Protection Act is not mandatory, but a lack of Internet filtering controls in schools means that it is not possible to receive discounts under the e-rate program – an initiative that makes telecommunications and Internet services more affordable for schools. The discounts are considerable. Schools can reduce their telecommunications costs by up to 90%.

Consequently, many schools choose to comply with CIPA and apply Internet filtering controls to block inappropriate website content. However, Internet filtering controls in schools are often overly restrictive, and are not only used to block obscene content, but other material with important educational value.

A recent report by the American Civil Liberties Union (ACLU) of Rhode Island has revealed that many schools are choosing to use their Internet filters to block a broad range of website content – far more than is necessary to comply with CIPA.

The latest report is a follow-on study from a 2013 investigation into Internet filtering controls in schools in Rhode Island. Four years ago, the ACLU study found that teachers were being hampered by Internet filters and prevented from using the Internet to educate students. Students were also blocked from accessing information relevant to their studies.

Since that initial report was released, the Rhode Island Department of Education (RIDE) released guidance for schools on Internet filtering, following the passage of a new state law that required Internet filtering controls in schools to foster academic freedom.

For the latest report, ACLU requested copies of Internet filtering policies from school districts to determine whether state laws were being followed and if Internet filtering controls in schools had improved following the model policy issued by RIDE.

33 school districts responded to the request, but only five of the schools had an Internet filtering policy in place, and out of those five, three were not in compliance with the new state law.

Critics of Internet filtering controls in schools often point out that in an effort to block obscene and sexual content, topics such as sex education are accidentally blocked. However, the report suggests that the blocking of such content by Rhode Island schools was not always accidental.

It is important for children to be able to have their questions about sex answered. Schools are often the only places where children can access such educational content. ACLU found that it was common for sex education content to be blocked by filters in Rhode Island schools.

Other topics that were commonly blocked were material related to drugs, tobacco, alcohol, terrorism, and religion. ACLU pointed out that the Internet filtering controls prevented students from researching topics such as the medicinal use of marijuana, fetal alcohol syndrome, abortion, or the opioid epidemic in the United States.

Some schools had even more restrictive filters in place that prevented students and staff from accessing topics such as hobbies, dictionaries, news and political websites, humor, and information about alternative sexual lifestyles.

The Internet filtering law in Rhode Island requires schools to have an Internet filtering policy that explains why a particular category of website content is blocked to ensure transparency, and to list who is responsible for making the decision about blocking that category.

A mechanism must also be put in place that allows staff and students to request the lifting of a block (whitelisting a website for example) to allow educational content to be accessed. Yet the report showed that in many cases, staff and students had to wait for excessively long periods before their request was honored.

The law requires a list to be maintained of all requests and for those lists to be assessed annually to determine whether filtering controls need to be altered. RIDE’s model Internet filtering policy must also be adopted to ensure academic freedom.

ACLU said, “Without adoption and implementation of strong policies across the board, we will continue to see an array of issues involving the over-filtering of our schools’ Internet systems, which will continue to negatively impact students from accessing information and teachers from making use of helpful educational tools.”

Using a clunky system that blocks valuable content will be damaging to children’s education. Internet content filtering in schools is important, but it is also important for a technological control to be implemented that is not overly restrictive.

With WebTitan, it is possible to block obscene content and to comply with CIPA, without restricting access to important educational content. Category filters are accurate, and thanks to highly granular controls, adjusting filtering settings is a quick and straightforward process. With WebTitan, schools can quickly fine tune their filters and process staff and student requests to unblock content and comply with both CIPA and state laws.

If you are looking for an alternative solution that allows you to carefully control the content that can be accessed over the Internet by staff and students, that allows different controls to be applied for different users, user groups, age groups, and is also easy to use, contact the TitanHQ team today and find out about the difference WebTitan can make.

Benefits of WebTitan

  • Create a safe and secure web browsing environment.
  • Comply with CIPA and qualify for E-Rate discounts.
  • Block malicious websites and malware downloads.
  • Block material contained in the child abuse image content URL list (CAIC List) and other third-party blacklists.
  • Accurately filter web content through 53 pre-set categories and up to 10 custom categories.
  • Filter by keyword and keyword score.
  • Inspect encrypted websites.
  • Filter content in 200 languages.
  • Apply time-based filtering controls.
  • Filter the Internet across multiple WiFi hotspots.
  • Protect students when learning remotely.
  • Manage access points through a single web-based administration panel.
  • Delegate management of access points.
  • Schedule and run reports on demand with real-time views of Internet activity and extensive drill down reporting.
  • Integrate the solution into existing security and monitoring systems.

You can also take advantage of a Free Trial of the solution to see for yourself how easy it is to use and maintain, and how effective it is at blocking access to content you do not want to be accessed by students, on or off the network.

Are Password Managers Safe?

Passwords should be complex and difficult to guess, but that makes them difficult to remember, so what about using password managers to get around that problem? Are password managers safe and secure? Are they better than attempting to remember passwords for every one of your accounts?

First of all, it is worth considering that most people have a great many passwords to remember – email accounts (work and personal), social media accounts, bank accounts, retail sites, and just about every other online service. Even if you rarely venture online and do not make online purchases, you will still need to learn a handful of passwords (and change them regularly!).

Most people will have many passwords. Far too many to remember. That means people tend to choose easy to remember – and easy to guess – passwords and tend to reuse passwords on multiple sites.

These poor security practices are a recipe for disaster. In the case of password reuse, if one password is guessed, multiple accounts can be compromised. So, are password managers safe? If that is the alternative, then most definitely.

With a password manager you can generate a strong and impossible to remember password for every online account. That makes each of those accounts more secure. Emmanuel Schalit, CEO of Dashlane, a popular password manager, said, “Sometimes, it’s better to put all your eggs in the same basket if that basket is more secure than the one you would be able to build on your own.”

That does mean that if the server used by the password manager company is hacked, you do stand to lose all of your passwords. Bear in mind that no server can ever be 100% secure. There have been hacks of password manager servers and vulnerabilities have been discovered (see below). Password managers are not risk-free. Fortunately, password managers encrypt passwords, so even if a server is compromised, it would be unlikely that all of your passwords would be revealed.

That said, you will need to set a master password to access your password manager. Since you are essentially replacing all of your unique passwords with a single password, if the master password is guessed, then your account can be accessed and with it, all of your passwords. To keep password managers safe and secure, it is important to use a strong and complex password for your account – preferably a passphrase of upwards of 12 characters and you should change that password every three months.

If you use a cloud-based password manager, it is possible that when that service goes down, you will not be able to access your own account. Fortunately, downtime is rare, and it would still be possible to reset your passwords. You could also consider keeping a local copy of your passwords and encrypting that file. In a worst-case scenario, such as the password manager company going bust, you would always have a copy. Some services will also allow you to sync your encrypted backups with the service to ensure local copies are kept up to date.

Flaws Discovered in Password Managers

Tavis Ormandy, a renowned researcher from the Google Project Zero team, recently discovered a flaw in Keeper Password Manager that could potentially be exploited to gain access to a user’s entire vault of stored passwords. The Keeper Password Manager flaw could not be exploited remotely without any user interaction. However, if the user was lured onto a specially crafted website while logged into their password manager, the attacker could inject malicious code to execute privileged code in the browser extension and gain access to the account. Fortunately, when Keeper was alerted to the flaw, it was rapidly addressed before the flaw could be exploited.

Last year Ormandy also discovered a flaw in LastPass, one of the most popular password managers. Similarly, that flaw could be exploited by luring the user to a specially crafted webpage via a phishing email, and it too was rapidly addressed. The LastPass server was also hacked the year before, with the attackers gaining access to some users’ information. LastPass reports that while it was hacked, users’ passwords were not revealed.

These flaws do go to show that while password managers are safe, vulnerabilities may exist, and even a password manager can potentially be hacked.

Are Password Managers Safe to Use?

So, are password managers safe? They can be, but as with any other software, vulnerabilities may exist that can leave your passwords exposed. It is therefore essential to ensure that password manager extensions/software are kept up to date, as is the case with all other software and operating systems.

Security is only as good as the weakest link, so while your password manager is safe, you will need to use a complex master password to prevent unauthorized individuals from accessing your password manager account. If that password is weak and easily guessable, it will be vulnerable to a brute force attack.

In addition to a complex master password, you should take some additional precautions. It would be wise not to use your password manager to save the password to your bank account. You should use two-factor authentication so if a new device attempts to connect to any of your online accounts, you will receive an alert on your trusted device or via email.

As an additional protection, businesses that allow the use of password managers should consider implementing a web filtering solution that prevents users from visiting known malicious websites where vulnerabilities could be exploited. By restricting access to certain categories of website, or whitelists of allowable sites, the risk of web-based attacks can be reduced to a low and acceptable level.

Password managers should also be used with other security solutions that provide visibility into who is accessing resources. Identity and access management solutions will help IT managers determine when accounts have been breached, and will raise flags when anomalous activity is detected.

HTTPS Phishing Websites Soar as Cybercriminals Embrace SSL

HTTPS phishing websites have increased significantly this year, to the point that more HTTPS phishing websites are now being registered than legitimate websites with SSL certificates, according to a new analysis by PhishLabs.

If a website starts with HTTPS it means that an SSL certificate is held by the site owner, that the connection between your browser and the website is encrypted, and you are protected from man-in-the-middle attacks. It was not long ago that a green padlock next to the URL, along with a web address starting with HTTPS, meant you could be reasonably confident that the website you were visiting was genuine. That is no longer the case, yet many people still believe that to be true.

According to PhishLabs, a recent survey showed that 80% of respondents felt the green padlock and HTTPS indicated the site was legitimate and/or secure. The truth is that all it means is traffic between the browser and the website is encrypted. That will prevent information being intercepted, but if you are on a phishing website, it doesn’t matter whether it is HTTP or HTTPS. The end result will be the same.

Over the past couple of years there has been a major push to move websites from HTTP to HTTPS, and most businesses have now made the switch. This was in part due to Google and Firefox issuing warnings about websites that lacked SSL certificates, alerting visitors that entering sensitive information on the sites carried a risk. Since October, Google has been labelling websites as Not Secure in the URL via the Chrome browser.

Such warnings are sufficient to see web visitors leave in their droves and visit other sites where they are better protected. It is no surprise that businesses have sat up and taken notice and made the switch. According to Let’s Encrypt, 65% of websites are now on HTTPS, compared to just 45% in 2016.

However, it is not only legitimate businesses that are switching to secure websites. Phishers are taking advantage of the benefits that come from HTTPS websites. Namely trust.

Consumer trust in HTTPS means cybercriminals who register HTTPS sites can easily add legitimacy to their malicious websites. It is therefore no surprise that HTTPS phishing websites are increasing. As more legitimate websites switch to HTTPS, more phishing websites are registered with SSL certificates. If that were not the case, the fact that a website started with HTTP would be a clear indicator that it may be malicious and cybercriminals would be at a distinct disadvantage.

What is a surprise is the extent to which HTTPS is being abused by scammers. The PhishLabs report shows that in the third quarter of 2017, almost a quarter of phishing websites were hosted on HTTPS pages, twice the number seen in the previous quarter. An analysis of phishing sites spoofing Apple and PayPal showed that three quarters are hosted on HTTPS pages. Figures from 2016 show that less than 3% of phishing sites were using HTTPS. In 2015 it was just 1%.

While checks are frequently performed on websites before an SSL certificate is issued, certification companies do not check all websites, which allows the scammers to obtain SSL certificates. Many websites are registered before any content is uploaded, so even a check of the site would not provide any clues that the site will be used for malicious purposes. Once the certificate is obtained, malicious content is uploaded.

The PhishLabs report also shows there is an approximate 50/50 spread between websites registered by scammers and legitimate websites that have been compromised and loaded with phishing webpages. Just because a site is secure, it does not mean all plugins are kept up to date, nor that the latest version of the CMS is in use. Vulnerabilities exist on many websites and hackers are quick to take advantage.

The rise in HTTPS phishing websites is bad news for consumers and businesses alike. Consumers should be wary that HTTPS is no guarantee that a website is legitimate. Businesses that have restricted Internet access to only allow HTTPS websites to be visited may have a false sense of security that they are protected from phishing and other malicious sites, when that is far from being the case.
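The point above, that an HTTPS-only allow rule says nothing about who operates a site, can be shown with a small hostname check. This is an added example, not code from PhishLabs or WebTitan; the brand allowlist, the suffix list, the function names and the sample URLs are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: a small allowlist of the domains each brand really uses.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "apple": {"apple.com", "icloud.com"},
}
# Simplified stand-in for the Public Suffix List (assumption, not exhaustive).
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
# Digit-for-letter swaps often seen in lookalike hostnames.
LOOKALIKES = str.maketrans("0135", "oles")


def registered_domain(host):
    """Return the registrable domain, e.g. 'a.b.example.com' -> 'example.com'."""
    labels = host.rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess(url):
    """Assess a URL without treating HTTPS as evidence of legitimacy."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reg = registered_domain(host)
    # Compare whole hostname tokens so 'pineapple' does not match 'apple'.
    tokens = {t.translate(LOOKALIKES) for t in re.split(r"[.-]", host) if t}
    spoofed = sorted(
        brand for brand, legit in BRAND_DOMAINS.items()
        if brand in tokens and reg not in legit
    )
    return {
        "https": parts.scheme == "https",  # recorded, never used for the verdict
        "registered_domain": reg,
        "spoofed_brands": spoofed,
        "block": bool(spoofed),
    }


# Constructed sample URLs on reserved TLDs (.example, .test); every one is HTTPS.
SAMPLES = [
    "https://www.paypal.com/signin",
    "https://paypal.com.secure-login.example/",
    "https://paypa1-verify.example/login",
    "https://appleid.apple.com.account-check.test/",
    "https://pineapple-recipes.example/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        result = assess(url)
        print(f"{url}\n  https={result['https']} block={result['block']} "
              f"brands={result['spoofed_brands']}")
```

Every sample would pass an "HTTPS only" rule, yet three of the five are flagged because the brand name appears in a hostname whose registrable domain the brand does not own.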

For the best protection, businesses should consider implementing a web filter that scans the content of webpages to identify malicious sites and that is capable of decrypting secure sites to perform scans of the content.

For more information on how a web filter can help to protect your organization from phishing and malware downloads, give the TitanHQ sales team a call today.