Be sure to sure read our earlier article for incoming freshmen: Creating an MIT online identity
Welcome to MIT! It is important to understand that MIT and its community members are targets for hackers and scammers. Here are some essential steps that you should take to keep your computer, data, and personal information safe, including software and services that the Institute licenses for use by all community members free of charge.
It’s a good idea to take these steps before you arrive on campus, so you will be ready for attackers, phishing schemes, and thieves from day one.
Enable automatic updates
One of the easiest things you can do to protect your computer or mobile device is to enable automatic updates of its operating system and applications. Not applying critical security patches and updates can leave your device vulnerable to attack.
Create strong, unique passwords
Together with Duo multi-factor authentication, your Kerberos account is used to access a wide range of MIT applications and services, such as email, the MIT Secure network, Athena, and WebSIS. Be sure to choose a strong, unique password (or better yet, a pass phrase) for all of your accounts, and never use your Kerberos password on a non-Kerberos enabled system.
Using the same password for multiple sites is never a good idea; once a password is compromised, attackers will try to access your accounts on other sites and services.
Use a password manager
Keeping track of all those different, complex passwords can be difficult. That’s where a password manager comes in.
IS&T offers LastPass Enterprise to MIT community members for free. LastPass remembers all of your passwords for you and can generate original, secure passwords. A master password and Duo multi-factor authentication are required to access your account’s password vault. All of your passwords are encrypted before they are stored on LastPass servers. The KB has a guide on how to sign up.
Run security software on your devices
CrowdStrike protects your computer by looking for bad behaviors instead of just known bad files. Certain actions are logged to a central repository where they are analyzed for anomalous or suspicious activity using CrowdStrike’s machine learning algorithms. CrowdStrike is available from the IS&T website for Linux, Mac, and Windows clients.
Public and private IPs
Once on campus, students can request a hostname and IP address for devices connected to the MIT network (MITnet) via ethernet. You can specify whether the address is public or private. Devices with public IP addresses are able to accept connections from the internet, but it’s important to note that they are not protected by the Institute’s firewalls. Devices with private IP addresses are able to connect out to the internet, but unable to accept incoming connections from outside MITnet, and are protected by the Institute’s firewalls.
If you would like to connect to your device remotely, be sure to use a strong, unique password or pass phrase, and limit access to known IP ranges, if possible. If you choose a public IP, you could restrict access to the MIT VPN IP ranges, for example. Private IP addresses are also reachable from outside MITnet by first connecting to the Institute’s VPN.
Back up regularly
Backing up your computer regularly and automatically enables you to recover quickly from a lost, stolen, damaged, or compromised computer. IS&T offers CrashPlan, a cloud-based backup solution.
Go to IS&T’s CrashPlan page to download the software, then select “New Account” and login with your Kerberos user ID and password. Once that’s done, CrashPlan will automatically back up all your data. It will continue to run in the background once the initial backup finishes, ensuring that new files and changes are saved to the cloud.
Cloud storage services like Dropbox and Google Drive are not substitutes for full system backups. Only true backup services like CrashPlan will allow you to fully recover all of the data, applications, and information on your computer in case of disaster.
Encrypt and tag your devices
It’s advisable to never leave your portable devices (laptops, phones, etc.) unattended, but you can take steps to protect your devices and information in case they are lost or stolen.
Implement whole disk encryption to protect the information on your devices. You’ll notice no difference in performance once your computer’s data is encrypted. IS&T recommends BitLocker for Windows and FileVault for Macs. For your mobile phone, enabling encryption is as easy as setting a password. Be sure to keep your encryption password safe by using a password manager like LastPass.
Laptop tagging and registration is a free service for MIT community members, offered by IS&T with the support of the MIT Police. A STOP plate on a lost laptop or tablet can help return it to its rightful owner. The plate also works as a visual deterrent for thieves looking to quickly resell equipment. The plates are difficult to remove after being glued to the computer’s topcase but if thieves are successful at removing it, a “tattoo” stating that it is stolen property is left behind.
STOP plates can also help return the device to its rightful owner. The plates have a barcode and unique ID number registered to you. If your device is found there is a 24-hour toll-free recovery hotline number on the plate and the tattoo. The plate is not a GPS device and cannot be used to track your device should it be stolen.
Beware of phishing scams
MIT community members are popular targets for email scams like phishing. Attackers try to trick recipients into sharing passwords through fake login pages, installing malware through malicious attachments, or purchasing gift cards. Common scams pretend to be from IS&T, department heads and deans, or other companies and services you may use (e.g., UPS). The best defense against phishing attempts is to not click on links or download attachments in any email that you weren’t expecting, even from someone you may know.
If you are ever unsure about the legitimacy of an email message or want to report phishy emails please forward the email as an attachment to email@example.com. The IS&T Security team will take steps to protect the community from the scam. You can also review examples of phishy emails that others at MIT have received in the MIT Phishbowl.
IS&T is here to help!
If you have any security-related questions or need to report a security incident while at MIT email the IS&T Security Team at firstname.lastname@example.org.
Keep an eye out for more blog posts to help you and other incoming freshmen get ready for MIT, and feel free to contact IS&T’s Service Desk with any computing questions 24 hours a day, 7 days a week.