Since iOS 14, iPadOS 14 and macOS 11, Apple warns you about insecure passwords and about passwords that have been leaked. You also get a notification if you use a service that has been hacked. But sometimes it sounds more serious than it is.
If you use iCloud Keychain, you have access to your important passwords on all your devices. This makes it possible to use a different, hard-to-guess password for each service without having to memorize them all. It may well happen that you get a notification that one of your passwords has been leaked. What to do in such a case, you can read below.
Receive notifications in case of leaked passwords
If you want to receive a notification if a service you use has been hacked, here’s how to turn it on:
- Go to the Settings app on your iPhone or iPad.
- Tap Passwords and log in with Touch ID or Face ID.
- Tap Security Advice.
- Flip the switch under Detect hacked passwords.
Suppose you get a notification that there is a leaked password. Is that an immediate reason to take action? Yes! But it doesn’t always have to mean something bad.
Take a look at what’s wrong with the password. For example, there may be an easy-to-guess password, or one that you have used on multiple websites.
iCloud Keychain usually also shows a link to the website where you can change your password. If you click on it, you are sent to the original website where you once created the password. Although the chance is not that great, it is good to check that you actually ended up at the real website, i.e. at rabobank.co.uk and not at rabobanck.cn. Russian (.ru) and Chinese (.cn) domain names in particular are often suspicious. Dutch banks do not use foreign web domains for your banking. With a critical eye, you can often see whether you are on the right track.
If you have indeed created an easy-to-guess password, or a password you have already used 100 times elsewhere, our urgent advice is to change it!
If it is an unimportant web service that you never use anymore, or if you have already set a different password, you can ignore the message. But keep in mind that passwords captured in one hack are used to log into countless other sites, simply because criminals know that people often reuse the same passwords.
If you want to do it thoroughly, go through Settings > Passwords > Security Advice (on iOS/iPadOS). There you will find a list of all insecure passwords and advice on how to improve them.
For example, if you entered the password ‘123456’ for a website, Apple warns that it is an easy-to-guess password. Such passwords are still widely used and therefore regularly turn up in various hacks. Another example is “qwerty”, but a password that you might think is ingenious, such as “w4chtw00rd”, is also easy for malicious people to guess.
You can then change the password. There is also the possibility to delete the password, but this does not solve the problem. It only makes your poorly chosen password invisible to yourself, but the account and password still exist and the data can still be misused.
Apple compares your passwords with lists of frequently leaked passwords. This makes use of services such as Have I Been Pwned, with which 1Password also works closely. You can check at any time via this website whether your email address has been leaked, possibly in combination with the password.
Mid-2020, the rollout of Windows 10 started on all devices managed by NHL Stenden University of Applied Sciences.
As soon as Windows 10 is installed on a laptop managed by NHL Stenden University of Applied Sciences, disk encryption will be enabled by default.
The MacBooks provided by NHL Stenden Hogeschool will also have disk encryption enabled by default.
(Unfortunately this page of the Dutch DPA is not available in English. Try Google Translate or DeepL.)
1. Open the website: https://myanalytics.microsoft.com
2. Log in with your NHL Stenden email address and password and click on the “gearwheel” icon
3. Click on “Settings” or MyAnalytics
4. Click “On”
5. Confirm the settings by clicking on “Save”
In systems running OS X Yosemite 10.10 and newer, Apple encourages you to turn on FileVault 2 during setup. So, if you’re using a newer Mac, there’s every chance that your files are already being encrypted.
Here’s how to check:
- Click on the Apple menu and select System Preferences.
- Select Privacy & Security.
- Click on the FileVault tab and the status will be displayed.
Before you turn on FileVault, be aware that the initial encryption process can take hours. However, it does run in the background so you can continue using your Mac as normal, albeit not at peak levels of performance.
Also, FileVault encrypts the entire disk. Any additional users will need to be enabled so that they can unlock the disk by entering their password.
How to turn on FileVault disk encryption
- Click on the Apple menu and select System Preferences.
- Select Privacy & Security.
- Click on the FileVault tab, then click the lock in the bottom left corner of the window.
- Enter your administrator name and password and click Unlock.
- Click Turn On FileVault.
- Choose whether you want to link your iCloud account to FileVault to unlock the disk and reset your password or create a recovery key and click Continue.
- Click Restart to reboot your Mac and begin the encryption process.
- Locate the hard drive you want to encrypt under “This PC” in Windows Explorer.
- Right-click the target drive and choose “Turn on BitLocker.”
- Choose “Enter a Password.”
- Enter a secure password.
- Choose “How to Enable Your Recovery Key” which you’ll use to access your drive if you lose your password. You can print it, save it as a file to your hard drive, save it as a file to a USB drive, or save the key to your Microsoft account.
- Choose “Encrypt Entire Drive.” This option is more secure: it also encrypts the free space on the drive, which may still contain files you deleted earlier.
- Unless you need your drive to be compatible with older Windows machines, choose “New Encryption Mode.”
- Click “Start Encrypting” to begin the encryption process. Note that this will require a computer restart if you’re encrypting your boot drive. The encryption will take some time, but it will run in the background, and you’ll still be able to use your computer while it runs.
Note: BitLocker is not available on Windows 10 Home edition, but that edition has a similar feature called device encryption.
Phishing (a play on the English word ‘fishing’) revolves around emails that at first glance seem quite normal. Such a message usually contains an invented reason to get you to enter personal data or install a malicious program. For example, a phishing email contains a link to a forged bank login page, or tries to trick you into opening an attachment.
The NHL Stenden Hogeschool spam filter already blocks most spam and phishing messages. But cyber criminals are getting smarter and smarter, so phishing emails sometimes still end up in your inbox. If that happens, delete such a message immediately.
How do you recognise phishing? There is no perfect way, but there are many ways to protect yourself. Below you will find 10 tips on how to recognize phishing.
If you have clicked on a link and/or entered information, in particular your username and password, ALWAYS report this via the e-mail address email@example.com or by telephone to the service area on 058-251 2552.
1. Do you know the sender?
Does an unknown sender ask you to open an attachment (e.g. an invoice), click on a link or check personal details (such as login details, bank details or credit card details)?
Don’t do it and delete the mail immediately!
2. Fraudsters with a fake address
A lot of senders pretend to be from a well-known company. For example, the ‘eBay billing service’. Sometimes you recognize these fraudsters immediately because they use a dubious e-mail address, such as firstname.lastname@example.org. But even reliable-looking addresses are sometimes fake. So don’t rely blindly on a correct e-mail address.
3. ‘Dear customer’
Real emails from companies usually address you by name in the salutation. Phishing mails usually have a generic salutation, such as “Dear customer”. But sometimes cybercriminals do have your name and address you with it. So here, too, the rule is: pay close attention.
4. Don’t let yourself be pressured
“Only valid today!” – “Check your details as soon as possible, otherwise your credit card will be blocked!” – “Last reminder!” Phishing emails often try to put pressure on you. Don’t ever give in to that, because a legitimate sender doesn’t work this way. So check such an e-mail message extra carefully before you decide to respond. And note: in the Netherlands, credit card companies and banks never ask you to check or enter your personal details by e-mail.
5. Look fo speling mistaks
Phishing mails can often be identified by spelling mistakes, a layout that is not entirely correct, strange translations or strange characters. However, the e-mails of cyber criminals are becoming more and more difficult to distinguish from real e-mails. So, just to be on the safe side, follow the steps below.
6. The infamous link
Does the e-mail ask you to click on a link? Then check that link very carefully. For example, a Dutch bank or credit card company will never send an e-mail containing a link that you have to click in order to check your personal data.
Please note: the link text that is displayed is not necessarily the same as the actual link target (the address behind it). So if the link reads www.jouwbank.nl, a completely different address may be hidden under it. Always check this (for example by hovering over the link) and don’t take any risks.
7. The wrong address
And what if a link looks reliable? Appearances are often deceptive. Let’s take eBay and ABN AMRO as an example: the real addresses are www.ebay.com and www.abnamro.nl. Wrong addresses always deviate a little from this or have a strange extension. For example: www.ebay.to, www.ebey.com, abnam.ro/login, www.abnamro-inloggen.com.
8. Attachments #1
Phishing messages often contain attachments, the content of which is unclear or which resemble an invoice. Such files can be dangerous because they may contain viruses or other harmful software.
Never open attachments that end in .bat, .exe, .com, .cmd or .vbs. A file called factuur.exe most likely contains malicious software. And if a zip file is sent along, this is very likely also a fraud.
9. Attachments #2
Also be careful with attachments that contain a .doc, .docx, .ppt or .xls file. These may seem to be innocent Office documents, but they can contain dangerous scripts (macros). So only open these documents if the sender is known (e.g. a colleague), and even then be wary. In Office applications like Word and Excel, and in your operating system, you can disable the automatic execution of such scripts. Check this before opening an unknown file.
10. Attachments #3
Finally, some operating systems hide the extension (such as .exe, .txt, etc.). A potentially harmful file like ‘factuur.txt.exe’ can then be seen as a relatively harmless ‘factuur.txt’ file.
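Tips 6, 7, 8 and 10 above can be turned into a simple automated check. The following is an added example, not part of the original page or of any NHL Stenden tooling: it extracts links from an e-mail body, flags links whose visible text names a different host than the real target, flags hosts outside a (constructed) list of trusted addresses, and unmasks double extensions such as factuur.txt.exe. The trusted-host list and the sample e-mail are assumptions built from the page’s own examples.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import os

# Constructed allow-list built from the page's examples; a real one would
# come from the organisation (assumption, not an NHL Stenden list).
TRUSTED_HOSTS = {"www.ebay.com", "www.abnamro.nl", "www.jouwbank.nl"}

# Extensions named in tips 8 and 10.
EXECUTABLE_EXTENSIONS = {".bat", ".exe", ".com", ".cmd", ".vbs"}


def host_of(text):
    """Return the host part of a URL or of bare text such as www.jouwbank.nl."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname or ""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html):
    """Tips 6 and 7: report links whose displayed host differs from the real
    target, or whose target host is not one of the trusted hosts."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        # Only treat the link text as a host when it looks like one.
        shown = host_of(text) if "." in text else ""
        if shown and shown != target:
            findings.append(f"displayed {shown} but points to {target}")
        elif target not in TRUSTED_HOSTS:
            findings.append(f"untrusted host {target}")
    return findings


def check_attachment(filename):
    """Tips 8 and 10: the last extension decides, even when the OS hides it;
    'factuur.txt.exe' is an executable, not a text file."""
    base, last = os.path.splitext(filename.lower())
    if last in EXECUTABLE_EXTENSIONS:
        inner = os.path.splitext(base)[1]
        if inner:
            return f"executable disguised with double extension {inner}{last}"
        return f"executable attachment {last}"
    if last == ".zip":
        return "archive attachment, inspect before opening"
    return None


# Constructed e-mail body for demonstration (not a real message).
SAMPLE_HTML = """
<p>Check your details at <a href="http://www.abnamro-inloggen.com/login">www.abnamro.nl</a>
or <a href="http://abnam.ro/login">here</a>.
Your order: <a href="https://www.ebay.com/item">www.ebay.com</a></p>
"""

if __name__ == "__main__":
    for finding in check_links(SAMPLE_HTML):
        print("link:", finding)
    print("attachment:", check_attachment("factuur.txt.exe"))
```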
When in doubt, the rule is always:
Phishing via WhatsApp is becoming increasingly widespread.
There are already some employees at NHL Stenden University who have suffered this kind of phishing. The “scammers” often present themselves as acquaintances and ask you for money.
Phishing via WhatsApp, how does that work?
Some scammers send you a fake message, supposedly from WhatsApp, with logo and all. They say it will cost money to send a WhatsApp message. Or they report that you need to update the app. If you click, you must enter your telephone number. NEVER do this!
What do many people fall for?
Some scammers pose as an acquaintance or family member. They send you a WhatsApp message and ask you for money. They use a stolen photo.
The scammer sends a text message to the victim and immediately says that his telephone number has changed. The victim does not hesitate because he recognizes his son on the profile picture. The ‘son’ simply found that photo somewhere and set it as his own profile photo.
If the victim indicates that he wants to consult by telephone, the plan threatens to fail. The scammer knows how to avert that danger. The money is transferred, but if the victim finds out that he has been scammed, the payment can often not be reversed.
How do you recognize WhatsApp phishing?
These scammers often say that they are family. They use the excuse that they have lost their phone and now have a different phone number. They think that you want to help and that you click without thinking.
Step-by-step this goes as follows:
- A ‘known’ person sends you a WhatsApp message from an unknown number (the profile photo is correct).
- This ‘known’ person is in need of money and asks you to advance money.
- There is (a lot of) rush.
- The ‘known’ person does not want to communicate in any other way, or claims that this is not possible.
What should you do if you receive such a false message?
Ask via another channel whether the sender really sent you this message. For example, send an email or call the number you already know. And if it is indeed not right, immediately notify the police and say that it is phishing.
Why do you have to call the police?
These scammers often make many victims in a short time, so the police want to catch these offenders quickly. The sooner it is reported, the more likely the police are to catch them.
An increasing amount of data is made available via the SharePoint environment. We frequently get asked whether the data on local shared drives (e.g. the I, U or M drive) can be moved to the SharePoint environment without any objections, and whether users can do this themselves.
In principle, a user can do this. Please note, however, that the way rights are arranged on the shared drives is NOT copied when the data are copied. This may mean that information is now available to everyone, which is often not desirable. This applies in particular when data are copied from the I drive (former NHL).
If in doubt, ALWAYS contact the Service Platform. This prevents
The NHL Stenden Data Protection Council (DPC) is a consultative and advisory body for policy in the area of privacy (protection of personal data) and security (information security).
The DPC is composed of representatives from all academies, liaison units, and departments. The members of the Information Security Steering Group are by default part of the DPC.
The daily management of the DPC consists of the Data Protection Officer and the Security Officer, both of whom are members of the Executive Staff.
The meetings are led by the DPO.
The members play an active role within their academy, service, or liaison unit and have direct access to and influence on the Management Team.
The General Data Protection Regulation (GDPR), in force since May 2018, introduces the concept of ‘pseudonymised data’ as a preferred solution for the use of personal data outside the production environment.
Below, we discuss the difference between pseudonymised and anonymised data and which of the two is most suitable for software testing.
In the case of pseudonymisation:
– Personal data are still traceable
– GDPR STILL applies.
In the case of anonymisation:
– Personal data cannot be traced back to original data
– GDPR NO LONGER applies.
These two processes are discussed in more detail below.
“The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”
The name Jan de Vries is replaced by the code 4#dfes42d4. This is done, for example, by means of encryption. After encryption, the responsible organisation is still able to identify the person concerned. The algorithm always produces the same pseudonym for Jan de Vries, so with knowledge of the algorithm a lot of information about Mr de Vries can still be retrieved.
Pseudonymisation is therefore reversible, and as such these are still personal data that fall under the GDPR. Opinion WP216 describes the complexity and near impossibility of processing detailed personal data in such a way that they no longer constitute personal data. This is only possible in specific and very well-designed processes. The regulators write the following:
“It is therefore essential to understand that if a data controller does not delete the original (identifiable) data at event level, and passes on part of that data set (for example, after deleting or masking/enclosing identifiable data), the resulting data set still falls under the denominator of personal data. Only where the controller aggregates the data to such an extent that individual events are no longer identifiable can the resulting dataset be considered anonymous. For example, when an organisation collects data on traveller movements, individual travel patterns at event level are still assimilated to personal data for each party as long as the controller (or any other party) has access to the original raw data, even if the directly identifying data (‘identifiers’) have been deleted from the dataset transmitted to third parties.”
In other words: you can mask, hash, blank, pseudonymise and anonymise, but as long as you do not aggregate (merge data into groups) and the original data still exist, each processed set remains a set of personal data.
Pseudonymisation does reduce the risk of data abuse in the event of a data breach, because one needs to know how the algorithm operates in order to reverse it.
This method is not really suitable for testing purposes. For example, if you have tests where you must check whether the first name starts with a certain letter, this is not possible. Or if you have pseudonymised the date of birth, you can no longer perform tests in which you must perform a check based on the date of birth (e.g. age > 21).
Anonymisation (data masking)
The concept ‘anonymous’ or ‘anonymisation’ is not defined in the legal text. Nevertheless, the word occurs at a crucial point. Recital 26 says:
“Data protection principles should therefore not apply to anonymous data…”
In other words: if data are anonymous, the law does not apply. What this actually means, and what would probably have been clearer, is: “… to data that are not (or no longer) personal data”. For the law applies to “the processing of personal data” (Article 2(1)), and there is an article (4(1)) defining personal data as “all information about an identified or identifiable natural person”.
Data masking is a method in which the data are processed according to certain rules. There are several methods to do this. A few examples are given below:
- Shuffle (whether or not conditioned): for example, surnames may be swapped between records.
- Certain fields can be emptied.
- First day: the days in a date can be replaced by a 1.
- Data can be replaced by fictitious data from another file.
- Data are replaced on the basis of predefined rules.
Anonymisation is irreversible: After masking, data are no longer personal data. If these data occur outside of the production environment, there is no potential data breach even after entry into force of the GDPR. This is therefore a good method to make production data suitable for test purposes.
- Obviously, an important precondition is that all traceable personal data are masked.
- Anonymisation must be carried out by authorised persons and in compliance with the applicable rules. This is because before anonymisation, personal data are still subject to the GDPR rules.
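The difference between the two approaches, and why the pseudonymised set is unusable for a test such as “age > 21” while the masked set still is, can be seen in the following added example. It is not code from the original page or from NHL Stenden: the records are constructed fictitious people, the key is a placeholder, and the pseudonym is a keyed hash (HMAC) standing in for the “encryption” the text mentions; the masking applies three of the techniques listed above (shuffle, substitution from another file, first day).

```python
import hmac
import hashlib
import random
from datetime import date

# Constructed sample records (fictitious people, not real data).
RECORDS = [
    {"first_name": "Jan", "surname": "de Vries", "dob": date(1985, 3, 17)},
    {"first_name": "Anna", "surname": "Jansen", "dob": date(2006, 11, 2)},
    {"first_name": "Pieter", "surname": "Bakker", "dob": date(1999, 7, 30)},
]

# Placeholder secret: this is the "additional information" of GDPR Art. 4(5).
# Whoever holds it can re-link pseudonyms to people, so it must be kept
# separately from the pseudonymised data set (never in the test environment).
PSEUDONYM_KEY = b"placeholder-key-kept-outside-the-test-environment"

# Constructed "other file" with fictitious first names used for substitution.
FICTITIOUS_FIRST_NAMES = ["Kees", "Fatima", "Lotte", "Sven"]


def pseudonymise(value, key=PSEUDONYM_KEY):
    """Deterministic keyed hash: the same input always yields the same code,
    as the text describes for 'Jan de Vries' -> one fixed pseudonym."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:12]


def pseudonymise_records(records):
    """Replace every field by its pseudonym; reversible for the key holder."""
    return [
        {
            "first_name": pseudonymise(r["first_name"]),
            "surname": pseudonymise(r["surname"]),
            "dob": pseudonymise(r["dob"].isoformat()),
        }
        for r in records
    ]


def mask_records(records, seed=0):
    """Irreversible masking: shuffle surnames between records, substitute
    first names from the fictitious list, and set the day of birth to 1."""
    rng = random.Random(seed)
    surnames = [r["surname"] for r in records]
    rng.shuffle(surnames)
    return [
        {
            "first_name": rng.choice(FICTITIOUS_FIRST_NAMES),
            "surname": surnames[i],
            "dob": r["dob"].replace(day=1),
        }
        for i, r in enumerate(records)
    ]


def age_on(dob, today):
    """Whole years between dob and today."""
    before_birthday = (today.month, today.day) < (dob.month, dob.day)
    return today.year - dob.year - before_birthday


def count_over_21(records, today=date(2021, 1, 1)):
    """A test that needs a real date of birth. It still works on masked
    data (the day shift is at most a few weeks) but cannot run on
    pseudonymised data, where the date has become an opaque code."""
    total = 0
    for r in records:
        if not isinstance(r["dob"], date):
            raise TypeError("date of birth is a pseudonym; age cannot be computed")
        if age_on(r["dob"], today) > 21:
            total += 1
    return total


if __name__ == "__main__":
    print("production:", count_over_21(RECORDS))
    print("masked:    ", count_over_21(mask_records(RECORDS)))
    print("pseudonym: ", pseudonymise_records(RECORDS)[0])
```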
We speak of a data breach when someone has access to privacy-sensitive information that does not concern them.
12 common examples:
- A stolen or lost laptop
- A stolen or lost telephone or iPad
- A lost USB stick containing personal data
- An email with sensitive personal information that was sent to the wrong person
- An email with an attachment consisting of a list of personal data that was sent to the wrong person
- A folder or document on SharePoint or OneDrive containing sensitive information about individuals or lists of personal data that are shared with the wrong individual
- An information system that allows you to access data that are not intended for you
- A printout with an overview of (sensitive) personal data that was not collected from the printer
- Lists or overviews of personal data of students or staff on public, free platforms such as Dropbox
- A medical certificate from a student or employee that ends up in the wrong place
- Someone with a falsified or hacked account accessing your or anyone else’s information
- Ransomware or malware preventing you from accessing your files.
What are personal data?
All information that can be traced back to a real person.
How do I know when to report a data breach?
Perform this simple test:
- Would you condone random people receiving this information on you?
- If yes, do you believe that all your students or colleagues would condone having their personal information shared with strangers?
If it concerns personal data and the answer to either question is no, you must report the (suspected) data breach.
Do you have any doubts whether it is in fact a data breach?
Report in case of doubt!
For professional use (e.g. a leaflet or website) you must obtain permission, and you must be able to prove that you have this permission. The rules for internal use at the institution are less strict. Please realise that a student or graduate always has the right to have the imagery removed.
Are you obliged to ask all those included in an address database for permission each time you send out mailings?
Ideally, these address databases will be linked to the (new) CRM system in the near future. Until that time, you can use the text below in each invitation:
Your contact details are in our database. We assume that you would like to remain informed about our activities in the future as well. We only use your details for this purpose and will never pass them on to third parties. If you want to be removed from our database, please send an email with the text ‘remove my details’.
Many emails are still sent out with a multitude of addressees in CC. It looks awful and recipients also have to scroll down far before reaching the actual message. But this is also undesirable from the point of view of privacy. Email addresses are personal data and must be treated with care.
In line with the General Data Protection Regulation, we should observe some restraint. Therefore, abide by this rule of thumb: if there are more than seven recipients in CC, put them in BCC instead.
Do you want to send and receive files in a swift, secure, and simple way? SURFfilesender allows you to send large files, for example files with research data. The program is also suitable for smaller files such as reports. The files are stored in the Netherlands and encrypted for extra security. Please find SURFfilesender here (link).
So please stop using WeTransfer. WeTransfer is a free service. In the case of free products/services, it is usually the user who is the product. In addition, WeTransfer stores files in the USA, which can cause privacy issues.
SURFfilesender: for any file format
Large files with research data (up to 500 GB) can easily be sent with SURFfilesender. You can use the service for data such as genome sequences and astronomic observations. But SURFfilesender is also suitable for smaller files, such as reports.
Safely and securely encrypted
SURFfilesender transfers your files in a secure manner. Uploaded files are stored in the Netherlands for 21 days at most. While SURFfilesender is secure by default, you can opt for added security in the form of encryption. Files up to 2 GB can be sent in encrypted form. You send a key to the receiver through a different channel, for example by phone or text message. The receiver enters this key to download the file. This lets you control access to your valuable research data or other privacy-sensitive files.
Swift and user-friendly
SURFfilesender is very easy to use. You do not need to install any software to send or receive files. Sender and receiver only require an up-to-date browser. SURFfilesender is linked to SURFconext, which allows you to simply log in with your institution account. It is also possible to use SURFfilesender as a guest user meaning that files can be exchanged with people who do not have a license.
Legal note: The use of this service requires processing personal data. Legally, NHL Stenden University of Applied Sciences is the controller of the processing, while SURF acts as data processor on behalf of the institution.
SURF processes the following personal data:
- First name
- Last name
- Email address
- Log data
- IP address
- Subject of transferred file
- Subject of transferred voucher
- Subject of downloaded file
- File name
- eduPersonTargetedID (a random set of symbols used by SURFfilesender to distinguish users)
- Receiver email address
Personal data should only be accessible if there is a clear purpose and legal basis. This of course applies to educational institutions when they wish to inform students of their results. However, there is no purpose and legal basis to also inform fellow students. Therefore, the distribution of lists of grades which include the results from multiple students is against the regulations.
The GDPR is clear about it: do not keep data longer than necessary. The HBO selection list gives the retention periods for various types of documents. The prerequisite is that you ensure proper security of the personal data (both digitally and physically).
The names of participants in a meeting can always be recorded. Otherwise, exercise a lot of restraint when it comes to personal information. In any case, never write down specific personal details such as concrete details about illnesses, ethnicity or religion. Only send the minutes to participants of the meeting and to a very limited group of persons who have to read the minutes. If the information needs to be distributed to a wider audience, make a management summary or a version without personal data.
Ideally – better: in the longer term this will be a requirement – the personnel information system allows employees to specify whether their address details can be shared for post, gifts and the like. As long as this has not been arranged, the person who wants to send a card can have it posted by someone who, on the basis of their position, has access to the address details. If this is not possible for some reason, apply common sense. Do you have reason to doubt the sincerity of the request or do you have other objections? If not, you can share the address, preferably on a post-it and not as a digital file.
The GDPR came into effect on 25 May, while we are still working on implementing the new regulations. Fortunately this is no reason for concern. We satisfy the basic requirements and are currently developing this further. Even though there are still many questions in the organisation, we are actually well on the way: we have been mentioned nationally as a front runner in the area of data protection in higher education.
For the former Stenden, a safe cloud environment for now is Microsoft 365 OneDrive. Make sure that you do not share files with others if that is not the intention! For the former NHL this is Google Drive, which you can find via Google Apps. It is important that you use the Google Drive of your NHL account.
The website datacare.nhlstenden.com is primarily intended to make you aware of the importance of privacy and security. You can read a lot of information here about things that you need to consider. We provide specific instructions in the form of information meetings. From the Executive Staff the security officer (Freek Bosscha) and the data protection officer (Willem Bakker) give advice on request.
For internal use, the rule is that personal details (for example of students) are accessible on a ‘need to know’ basis: only those who need the personal details in question may see them. For example: a lecturer wants to email an assessment to a student, with a graduation coordinator and SCC lecturer in the CC. The key question is whether all parties actually need this assessment. If that is the case, they may be copied in the CC. What is not allowed, for example, is sending an entire list with personal details to all employees of a programme. So whenever you send personal details, think carefully: does every recipient need this information?