Information Security Tips
Week of: 04/15/2013
Scammers Targeting UConn….We’re On To You!
Recently, some UConn staff have received calls from scammers who try to get them to log into their computer and hand over control, supposedly to stop viruses from being downloaded. The caller claims to be from Microsoft or another company and says they need access to your computer in order to ‘fix’ it.
They will direct you to malicious websites that look legitimate. Unknowing victims then install the malware themselves (which gives the scammers remote control of the computer), and the scammer then asks for payment for ‘fixing’ it, which is just another way to collect card or bank details.
Remember: if you receive an unsolicited call from someone claiming to be Microsoft Tech Support, hang up. Microsoft does not make these kinds of calls. Do not trust anyone who calls offering to ‘fix’ your computer over the phone, and if you have already let a caller onto your machine, treat it as compromised and contact the help desk.
Week of: 04/01/2013
Lock It When You Leave It
Never leave your computer logged in when you walk away, not even for a minute. Make it a habit to log off your workstation whenever you get up.
Remember to always leave your Windows computer locked by:
- Pressing the Windows logo key and the letter “L” together on any keyboard with a Windows logo key (think “L for Lock”); or,
- Pressing Ctrl+Alt+Delete, then choosing “Lock this computer” (it is the first option, so pressing <ENTER> selects it).
Remember to always leave your Mac computer locked by:
- Holding down Control+Shift+Eject together (Control+Shift+Power on Macs without an eject key). This puts the display to sleep, which only locks the Mac if you have enabled the password requirement under “System Preferences”.
If you have not enabled the password requirement, follow these simple steps on any Mac:
- Launch “System Preferences”.
- Open the “Security & Privacy” preference pane and select the “General” tab.
- Click the checkbox next to “Require password after sleep and screen saver” – you can select either immediately or a preferred time interval.
- Close “System Preferences”.
Week of: 03/11/2013
Phishing Not Fishing
Phishing email messages are designed to steal your money and your identity. Cybercriminals can do this by installing malicious software on your computer or stealing personal information off of your computer.
How can you detect a phishing email?
- Cybercriminals are not known for their grammar and spelling. If you notice mistakes in an email, it might be a scam.
- Don’t click on links in a suspicious email. Hover your mouse over the link (but don’t click) to see the real destination, and check that it matches the address shown in the message text.
- The website address (URL) itself can provide clues as to whether you are about to be scammed. Lure words in the URL, such as verify or update, can indicate a scam site. So can a URL whose host is just numbers (a bare IP address) instead of a name.
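The three checks above can be applied mechanically to any link pulled out of a message. The following is an added example, not part of the original tip: it compares the text a link displays with the address it really points to, flags bare-IP hosts, lure words and a known brand name tucked into a subdomain of an unrelated domain. The brand list, trusted-domain set and sample links are constructed assumptions, and the "registrable domain" helper is a crude last-two-labels approximation rather than a public-suffix lookup.

```python
"""Heuristic phishing-link checks: displayed text vs. real destination,
bare-IP hosts, lure words and brand names hidden in subdomains.

Added example, not from the original tip. Brand names, trusted domains and
sample links are constructed for illustration."""
import re
from ipaddress import ip_address
from urllib.parse import urlparse

LURE_WORDS = ("verify", "update", "confirm", "secure", "login", "account")
TRUSTED_DOMAINS = {"uconn.edu"}           # constructed assumption
BRANDS = ("uconn",)                        # constructed assumption

# Does the visible link text itself look like a URL or host name?
HOSTLIKE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/:?#].*)?$")


def displayed_host(text):
    """Host name shown in the link text, or None if the text is just words."""
    m = HOSTLIKE.match(text.strip())
    return m.group(1).lower() if m else None


def host_is_ip(host):
    """True when the host is a bare IPv4/IPv6 literal (the 'just numbers' case)."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host):
    """Crude last-two-labels domain; fine for .edu/.com, wrong for co.uk-style suffixes."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def link_warnings(display_text, href, brands=BRANDS, trusted=TRUSTED_DOMAINS):
    """Return the reasons this link deserves suspicion; an empty list means nothing flagged."""
    warnings = []
    target = urlparse(href)
    host = (target.hostname or "").lower()

    if host_is_ip(host):
        warnings.append(f"destination host is a bare IP address ({host})")

    shown = displayed_host(display_text)
    if shown and registrable_domain(shown) != registrable_domain(host):
        warnings.append(f"link text shows {shown} but really points to {host}")

    path = (target.path + "?" + target.query).lower()
    hits = [w for w in LURE_WORDS if w in path]
    if hits:
        warnings.append("lure words in URL: " + ", ".join(hits))

    # A trusted brand appearing left of the registrable domain, e.g. uconn.edu.example.net
    labels = host.split(".")
    if any(b in label for label in labels[:-2] for b in brands) \
            and registrable_domain(host) not in trusted:
        warnings.append(f"brand name buried in a subdomain of {registrable_domain(host)}")

    if target.scheme == "http":
        warnings.append("not HTTPS")
    return warnings


if __name__ == "__main__":
    # Constructed sample links, not real phishing data
    for text, href in [
        ("http://www.uconn.edu/", "http://192.0.2.10/verify/account.php"),
        ("Click here", "https://www.uconn.edu/"),
        ("https://uconn.edu/login", "https://uconn.edu.example.net/login"),
    ]:
        print(text, "->", href, link_warnings(text, href) or "looks ordinary")
```

Hovering shows you the `href`; the link text is what the message wants you to believe. Feeding both into `link_warnings` makes the comparison explicit instead of relying on a glance at the status bar.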
Security tips can also be accessed at http://security.uconn.edu/ by clicking the Security Tip of the Week icon in the top right-hand corner of the page.
Week of: 02/18/2013
Learning From Password Mistakes
This is a tale of a man named Harold.
Harold is a well-respected, highly astute, IT system administrator. For him, logging in and out of systems is like breathing. He does it a hundred times a day. However, even the most technical minds can make mistakes….
One day, Harold began his routine of accessing a system. He was prompted with the typical “username” and “password” fields to complete. Harold, who took his eyes off the screen for a brief second, began entering his credentials. Without realizing it, he entered his password into the username field and hit <Enter>. When he finally looked at the screen and noticed his mistake, he re-entered his credentials correctly and continued with his workday. To Harold, it was a simple mistake with no consequences.
Boy was he wrong!
What Harold did not consider were the audit logs that are typically generated for login events. The system log for that “simple mistake” would have looked like this:
Anyone with access to those logs could recover Harold’s username/password combination: the failed attempt records his password as the “user name”, and the successful login moments later from the same source shows which account it belongs to. Login logs are usually readable by far more people than a properly hashed password store, so once anyone other than you can see the password it must be considered compromised.
Moral of this tale: If you mistakenly enter your password into the username field and press <Enter>, you must consider your password compromised and change it immediately.
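The same logs that leak the secret can also be used to catch the mistake so the password gets rotated. What follows is an added example, not part of the original tip and not a UConn tool: it scans authentication log lines for a failed login whose “user name” looks like a password (mixed case, digits and symbols, unlike any real account name) and pairs it with the next successful login from the same address. The log lines mimic OpenSSH’s auth.log wording but are constructed, as is the account list.

```python
"""Flag login records whose 'user name' looks like a password typed into the
wrong field, then tie it to the account that logged in next from the same host.

Added example, not from the original tip. Log lines and account names are
constructed; the format imitates OpenSSH's auth.log."""
import re
from collections import defaultdict

# Constructed sample: a password-shaped "user name" fails, then the real
# account logs in 28 seconds later from the same address.
SAMPLE_LOG = """\
Mar 11 09:02:13 srv1 sshd[4123]: Invalid user Sp1ral$Stair from 10.1.2.3 port 50122
Mar 11 09:02:13 srv1 sshd[4123]: Failed password for invalid user Sp1ral$Stair from 10.1.2.3 port 50122 ssh2
Mar 11 09:02:41 srv1 sshd[4130]: Accepted password for harold from 10.1.2.3 port 50131 ssh2
Mar 11 09:15:07 srv1 sshd[4188]: Invalid user admin from 203.0.113.9 port 41000
Mar 11 09:15:07 srv1 sshd[4188]: Failed password for invalid user admin from 203.0.113.9 port 41000 ssh2
"""

KNOWN_USERS = {"harold", "katie", "root"}   # constructed account list

INVALID_RE = re.compile(r"Invalid user (\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (\S+) from (\S+)")


def looks_like_password(token):
    """Heuristic: account names are lowercase letters, digits, '.', '_' or '-'.
    A token mixing three or more of lower/upper/digit/symbol is more likely a password.
    Plain capitalised names and e-mail-style logins score only two classes and pass."""
    if re.fullmatch(r"[a-z0-9._-]+", token):
        return False
    classes = sum(bool(re.search(p, token))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    return classes >= 3


def find_leaked_passwords(log_text, known_users):
    """Return (leaked_token, source_ip, likely_account) for each suspected slip.
    likely_account is None when no later successful login came from that address."""
    leaks = []
    pending = defaultdict(list)   # source ip -> password-shaped tokens seen as usernames
    for line in log_text.splitlines():
        m = INVALID_RE.search(line)
        if m:
            token, ip = m.groups()
            if token not in known_users and looks_like_password(token):
                pending[ip].append(token)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            user, ip = m.groups()
            for token in pending.pop(ip, []):
                leaks.append((token, ip, user))
    # Anything left still leaked a secret, just without an owner to notify.
    for ip, tokens in pending.items():
        for token in tokens:
            leaks.append((token, ip, None))
    return leaks


if __name__ == "__main__":
    for token, ip, user in find_leaked_passwords(SAMPLE_LOG, KNOWN_USERS):
        print(f"possible password in username field from {ip}: "
              f"owner {user or 'unknown'}; force a password change")
```

The output of such a scan should go to whoever can force a password reset, never into another widely readable log; the point of the exercise is to shorten the time the secret sits in plain text.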
Week of: 01/15/2013
Are You Protecting UConn?
Do you know UConn is only as secure as your least reliable employee allows it to be? Make sure you are stewards of personal and University data. Employees should know not to open suspicious links in email, tweets, posts, online ads, messages or attachments – even if they know the source.
Protecting the University’s resources is the responsibility of each and every one of us.
Remember if an email or message seems suspicious, it most likely is an attack. Also, the University of Connecticut will NEVER ask for a user to provide his/her password. If you are not sure, contact the UITS help desk (firstname.lastname@example.org) or the information security team (email@example.com).
Week of: 12/10/2012
Password Faux Pas
This is a tale of a woman named Katie. She prided herself in knowing the difference in “fake/phishing” email scams versus genuine emails. She even shared her knowledge with those around her in the hopes of protecting others from the cyber crimes that plague law-abiding citizens of this great country.
One day, while at work, she needed to communicate a username and password combination to three of her co-workers so that they could each access a system. (The password is very complicated and difficult for her to remember, so she wrote it down and left it hidden on her desk.)
She considered walking the information over to them, but then decided, “no, they are trustworthy souls, I can email the information to them without harm.”
Boy, was she wrong!
It’s not enough to consider the sender or receiver of an email. What Katie didn’t know is that ordinary email is not encrypted end to end: the message sits in plain text in her Sent folder, on the mail servers in between, in each recipient’s mailbox and in backups of all of them, open to anyone who goes looking for it.
- Never give your username and password to anyone.
- Never assume what you send in an email is protected – E-mail is insecure by default because it is more like a postcard, not a sealed envelope.
- Never write down your password and leave it on your desk or under your keyboard – If you must write something down, jot down a hint or clue that will help jog your memory or store the written password in a secure, locked place.
Week of: 11/05/2012
Beware of Shortened URLs
Can I preview a shortened link before clicking on it?
Short links…shortened URLs…Tiny URLs. Whatever you call them, their purpose is the same. Link shortening services such as Bitly, TinyURL, and over 200 others allow users to take a link that might be too long to post within the confines of a Twitter post and generate a shorter link that redirects to the longer URL the user wants to share.
Not only does the link not look anything like the original, it completely obscures the intended link destination. There is no way by looking at the short link that you can tell what the intended target link is. All you see in the short link is the link shortening service site name followed by a string of seemingly random numbers and letters.
Why is this a bad thing? If I were an Internet-based bad guy and wanted to trick you into visiting a link that would install malware on your computer, you would be more likely to click http://tinyurl.com/82w7hgf than you would be to visit http://badguysite.123.this.is.a nasty.virus.and.will.infect.your.computer.exe. The tiny URL has nothing in it that would tip you off to the fact that it is a malware link.
Some of the shortening services also offer a way to preview the complete link before clicking on it. If you aren’t sure where a Bitly link will take you, it is possible to preview it first.
- To do this simply add a + sign to the end of any shortlink in your browser. For example, for http://bit.ly/Wn2Xdz just enter http://bit.ly/Wn2Xdz+ into your browser and you’ll be sent to a preview page for the link.
TinyURL offers a similar service on their website: http://tinyurl.com/preview.php.
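Not every shortener offers a preview page, and a short link can bounce through several redirects before landing. The following added example (not part of the original tip) resolves the chain itself: it issues HEAD requests, reads each Location header without ever fetching the final page, and stops on a loop or after a hop limit. The `fetch_head` helper really talks to the network; the `head` parameter exists so a constructed redirect table can stand in for it, which is what the offline test does. The host names in the usage are placeholders, not real shorteners.

```python
"""Preview where a shortened link leads by walking its redirect chain with
HEAD requests, without loading the destination page.

Added example, not from the original tip. ``fetch_head`` makes real HTTP(S)
requests; pass another ``head`` callable to run against a constructed table."""
import http.client
from urllib.parse import urljoin, urlparse


def fetch_head(url, timeout=5):
    """One HEAD request; returns (status, Location header or None). Redirects are NOT followed."""
    parts = urlparse(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path, headers={"User-Agent": "link-preview/1.0"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand(url, head=fetch_head, max_hops=5):
    """Return the list of URLs visited, starting with the short link.

    Stops at the first non-3xx answer. A revisited URL appends "<loop>";
    exceeding max_hops appends "<too many redirects>" so the caller can tell
    an unfinished chain from a resolved one."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = head(url)
        if not (300 <= status < 400) or not location:
            return chain
        url = urljoin(url, location)     # Location may be relative to the current URL
        if url in seen:
            chain.extend([url, "<loop>"])
            return chain
        seen.add(url)
        chain.append(url)
    chain.append("<too many redirects>")
    return chain


if __name__ == "__main__":
    import sys
    # Placeholder short link; substitute the one you were sent.
    for hop in expand(sys.argv[1] if len(sys.argv) > 1 else "http://short.example/abc"):
        print(hop)
```

A HEAD request still tells the shortener that someone touched the link, so treat this as a preview of the destination address, not as proof the page behind it is harmless; the final URL should get the same scrutiny as any other link.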
Week of: 11/05/2012
Get to Know Your Data
You’ve heard of identity theft and how it hurts regular people, but do you know where the data comes from to perform identity theft? Many times, criminals steal data from large organizations like UConn and the data is stolen because of human error, misconfigured computers, or mishandled confidential data. How do you make sure that the data on your computer isn’t used to perform identity theft? Getting to know your data is the first step!
The Information Security Office has purchased Identity Finder software for your work and home computers. All faculty, staff, and students are encouraged to use Identity Finder to find confidential data, such as Social Security numbers and credit card numbers, on any computer that you use. Then, you will know where the most valuable data is stored on your computer, email, and removable drives. Once you know, you can delete the data, encrypt it, or find more effective ways to protect it.
Take time to find and protect your data now!
For information on using Identity Finder at home, work, and school, please visit http://identityfinder.uconn.edu.
Week of: 10/22/2012
Does Secure = Private?
Data on your UConn workstation is secure – but is it private? UConn, as a public university and State agency, is covered by Connecticut’s Freedom of Information Act. That means any record created or maintained by faculty or staff is presumed to be available to the public, except under certain circumstances. And that includes your email and any other non-University data or information you store on your University device.
Week of: 10/11/2012
Be Skeptical When You Read Your Email
Why should I believe that? It is important to remember that you can’t trust the “from” address on e-mail as it is often faked by fraudsters and viruses. If you didn’t expect a message, link, or attachment from someone, ask yourself why you should trust that it really came from the apparent sender, and that it’s safe. Also, if you are asked to provide your password, it is most definitely phishing.
Week of: 10/08/2012
Secure Your Smartphone
You probably store a lot of personal and financial information on your smartphone that you would not want revealed if it is lost or stolen. Here are some ways to increase mobile phone safety and secure your smartphone.
- Protect your phone with a password or Personal Identification Number (PIN). If you use your phone to access your UConn email or intranet, protect your smartphone with a password.
- Be careful when you install apps on your phone. Apps can do nearly everything these days, from streamlining your social networking to changing the channels on your TV. No matter what kind of phone you have, install apps only from a trusted source such as your platform’s official app store.
- Install updates for your phone. Just as you do on your computer, install all updates for your phone and for the apps on your phone.
Week of: 09/24/2012
Protect Yourself from Identity Theft
Do not sign the back of your credit cards. Instead put “PHOTO ID REQUIRED”; although merchants and their employees are still hit-and-miss on actually checking that ID, more of them are paying attention.
When you order your checks, don’t list any telephone number. You can always write it on the check at the time of the transaction. If you have a PO Box, use that instead of your home address or your work address.
Be aware of which of your credit cards have embedded contactless (RFID) chips, because the information on such a chip can be read surreptitiously by someone near you using a simple hand-held scanner.
Week of: 09/10/2012
Do not allow web browsers to store passwords for you.
Stored passwords allow anyone who can access your machine to log in to your web accounts as you. In addition, there are numerous utilities that can expose that hidden information and actually reveal the password. If you’ve reused that password for other logins, many systems or web sites could be compromised.
Week of: 08/27/2012
Spear Phishing, It’s Not the Latest Olympic Sport!
It is the start of the semester, when everyone is busy and people can easily be caught off guard. First and foremost, do not respond to any email from an unknown source, especially if it has a “Click Here” link asking you to provide personally identifiable information. Delete these emails immediately to avoid compromising yourself and the institution.
Phishing: The goal of phishing is usually not to infect your computer but to steal your information. Criminals do this by sending emails pretending to be someone you trust, such as your Help Center, email administrator or bank. The emails will inform you that your bank account needs to be updated and will include a login link to “your bank” for you to update your information.
However, the email is a scam. If you click on the link it directs you to a website resembling your bank, but in reality it was developed and is controlled by the cybercriminal. If you enter your information, you are providing your online personal information to cyber criminals who will use it to steal your identity and perhaps your money. Never visit your bank or any other important website by clicking on links in an email. Instead, always type the known URL in your browser so you know you are going to the correct website.
Spear Phishing: Cyber criminals have developed an even more dangerous type of attack called Spear Phishing. This type of attack is when criminals target you or UConn specifically. Instead of sending out millions of emails, they only send a few emails targeting certain individuals within UConn. The reason these targeted attacks are more dangerous is because the criminals do extensive research first. They learn who works at UConn, who we communicate with and what our internal emails look like. They then create customized emails based on this information and send them to specific individuals. As a result, when the intended target receives these emails they can be fooled and fall victim. Since so few emails are sent, spear phishing attacks are harder to detect and are often missed by antivirus or email filters.
Remember if an email or message seems suspicious, it most likely is an attack, and the University of Connecticut will NEVER ask for a user to provide his/her password. If you are not sure, contact the UITS help desk (firstname.lastname@example.org) or the information security team (email@example.com).
Week of: 08/20/2012
Be better than James Bond!
In Casino Royale, Bond chooses a password to protect a multi-million pound money transfer. What does he choose? His girlfriend’s name – doh! Why bother torturing him when you could just guess his cunning plans? We can all do better than that. For most situations a password should be at least 8 characters long, be a mixture of letters, numbers and other characters, and conform to company policy. It should not be a word you would find in a dictionary, the name of your spouse, partner, child, pet or favorite band, or any of these followed by a single digit. Use common sense – Razorlight1 isn’t a good choice if you have a poster of the band behind your desk.
Week of: 08/13/2012
Nobody from the Help Desk needs your password.
While watching some scenarios in some videos on computer security, one of the audience members turned bright red. After the video, she confided in me that she had once received a call from “The Help Desk” saying that they needed her password to trouble-shoot a problem they were having backing up her files. She provided it. Fortunately, she thought about it and 5 minutes later called the help desk to confirm. The help desk staff immediately locked her account and had her drop by with ID so they could provide her with a new password.
The UITS Help Center would like to remind everyone that they will NEVER request that you divulge your password.
Week of: 08/6/2012
Don’t Trust Links Sent in Email Messages
A common fraud, called “phishing”, sends messages that appear to be from a bank, shop or auction, giving a link to a fake website and asking you to follow that link and confirm your account details. The fraudsters then use your account details to buy stuff or transfer money out of the account. These fake sites can be hard to spot, so no reputable organization will send a message requesting your confidential information.
Week of: 7/30/2012
If you get up from your computer, lock it!
“I sent an email to your boss letting him know what you really think of him”. This Notepad message was on my screen when I got back to my cubicle after getting up to stretch my legs. What? I had been gone for 180 seconds — three quick minutes. Lucky for me, the note turned out to be from our systems administrator who wanted to make a point. All it takes is about one minute for a disgruntled colleague to send a message on your behalf to the boss and there is no way for you to prove you didn’t send it. In about 30 seconds, a cracker could install a keystroke logger to capture everything you type including company secrets, user names and passwords. In about 15 seconds, a passerby could delete all your documents.
Week Of: 7/23/2012
Effectively Delete Files.
When you delete a file, depending on your operating system and your settings, the file may be transferred to your trash or recycle bin. This “holding area” essentially protects you from yourself: if you accidentally delete a file, you can easily restore it. An unauthorized person will also be able to retrieve it. Empty the trash or recycle bin on a regular basis to ensure that deleted information stays deleted. Note that emptying the bin does not wipe the data from the disk; until that space is overwritten, the contents can still be recovered with forensic tools, so truly sensitive files call for a secure-delete utility or full-disk encryption.
Week Of: 7/16/2012
Choose a password that’s hard to crack.
When choosing a password, try to build it from a sentence that you can easily remember. For example: “Los Angeles Lakers will win the NBA tournament this year”. Then take the first letter of each word and add some special characters and numbers at the beginning, at the end, or both.
For example, with the last sentence you could get the password: =3LALwwtNtty$.
This method lets you come up with easy-to-remember passwords that are also hard to crack. And you avoid the need to write such a long password down in order to remember it.
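The sentence method above and the rules from the “Be better than James Bond” tip (at least 8 characters, a mix of letters, numbers and other characters, not a dictionary word or a name with a single digit tacked on) fit together in a few lines of code. This is an added example, not a University tool or policy: `acronym_password` turns a sentence into the password the tip derives, and `password_problems` lists which rules a candidate breaks. The word list is a tiny constructed stand-in for a real dictionary, and the minimum length is a parameter because 8 is a 2012-era floor, not a target.

```python
"""Derive a password from a memorable sentence and check it against simple
composition rules. Added example, not the original tip's code; WORDS is a
constructed stand-in for a real dictionary and name list."""
import re

WORDS = {"razorlight", "password", "lakers", "vesper", "fluffy", "welcome"}  # constructed


def acronym_password(sentence, prefix="", suffix=""):
    """First letter of each word, case preserved, wrapped in the chosen extras.
    "Los Angeles Lakers will win the NBA tournament this year" -> LALwwtNtty"""
    core = "".join(word[0] for word in sentence.split() if word[0].isalnum())
    return prefix + core + suffix


def password_problems(password, wordlist=WORDS, min_length=8):
    """Return the rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    missing = [name for name, pattern in (("letters", r"[A-Za-z]"),
                                          ("numbers", r"\d"),
                                          ("other characters", r"[^A-Za-z0-9]"))
               if not re.search(pattern, password)]
    if missing:
        problems.append("missing " + " and ".join(missing))

    # Drop one trailing digit, then ask whether what is left is just a known word or name.
    stem = re.sub(r"\d$", "", password).lower()
    if stem in wordlist:
        problems.append(f"'{stem}' is a dictionary word or name (a trailing digit does not help)")
    return problems


if __name__ == "__main__":
    pw = acronym_password("Los Angeles Lakers will win the NBA tournament this year", "=3", "$")
    for candidate in (pw, "Razorlight1", "Vesper"):
        print(candidate, "->", password_problems(candidate) or "passes")
```

Anything that checks for dictionary words needs a real list; the constructed set here only shows where the check goes. Real policies also reject passwords seen in breaches, which the tip predates.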