National Cyber Security Awareness Month (NCSAM)
Information Technology Services is championing various events throughout the month of October in recognition of National Cyber Security Awareness Month. Please check out our NCSAM 2012 list of webcasts that ITS is excited to sponsor.
The most serious economic and national security challenges we face are cyber threats. America’s economic prosperity and competitiveness in the 21st Century depend on effective cybersecurity. Every Internet user has a role to play in securing cyberspace and ensuring the safety of themselves and their families online. Check out the information below for ideas on what you can do to be safe online.
- Good Security Habits
- Securing Mobile Devices
- Phishing and Other Social Engineering Scams
- Social Networking Security
- Securing Your Home Wireless Network
produced by US-CERT
There are some simple habits you can adopt that, if performed consistently, may dramatically reduce the chances that the information on your computer will be lost or corrupted.
How can you minimize the access other people have to your information?
You may be able to easily identify people who could, legitimately or not, gain physical access to your computer—family members, roommates, co-workers, members of a cleaning crew, and maybe others. Identifying the people who could gain remote access to your computer becomes much more difficult. As long as you have a computer and connect it to a network, you are vulnerable to someone or something else accessing or corrupting your information; however, you can develop habits that make it more difficult.
- Lock your computer when you are away from it. Even if you only step away from your computer for a few minutes, it’s enough time for someone else to destroy or corrupt your information. Locking your computer prevents another person from being able to simply sit down at your computer and access all of your information.
- Disconnect your computer from the Internet when you aren’t using it. The development of technologies such as DSL and cable modems has made it possible for users to be online all the time, but this convenience comes with risks. The likelihood that attackers or viruses scanning the network for available computers will target your computer becomes much higher if your computer is always connected. Depending on what method you use to connect to the Internet, disconnecting may mean disabling a wireless connection, turning off your computer or modem, or disconnecting cables. When you are connected, make sure that you have a firewall enabled (see Understanding Firewalls for more information).
- Evaluate your security settings. Most software, including browsers and email programs, offers a variety of features that you can tailor to meet your needs and requirements. Enabling certain features to increase convenience or functionality may leave you more vulnerable to being attacked. It is important to examine the settings, particularly the security settings, and select options that meet your needs without putting you at increased risk. If you install a patch or a new version of the software, or if you hear of something that might affect your settings, reevaluate your settings to make sure they are still appropriate (see Understanding Patches, Safeguarding Your Data, and Evaluating Your Web Browser’s Security Settings for more information).
What other steps can you take?
Sometimes the threats to your information aren’t from other people but from natural or technological causes. Although there is no way to control or prevent these problems, you can prepare for them and try to minimize the damage.
- Protect your computer against power surges and brief outages. Aside from providing outlets to plug in your computer and all of its peripherals, some power strips protect your computer against power surges. Many power strips now advertise compensation if they do not effectively protect your computer. Power strips alone will not protect you from power outages, but there are products that do offer an uninterruptible power supply when there are power surges or outages. During a lightning storm or construction work that increases the odds of power surges, consider shutting your computer down and unplugging it from all power sources.
- Back up all of your data. Whether or not you take steps to protect yourself, there will always be a possibility that something will happen to destroy your data. You have probably already experienced this at least once—losing one or more files due to an accident, a virus or worm, a natural event, or a problem with your equipment. Regularly backing up your data on a CD or network reduces the stress and other negative consequences that result from losing important information (see Real-World Warnings Keep You Safe Online for more information). Determining how often to back up your data is a personal decision. If you are constantly adding or changing data, you may find weekly backups to be the best alternative; if your content rarely changes, you may decide that your backups do not need to be as frequent. You don’t need to back up software that you own on CD-ROM or DVD-ROM—you can reinstall the software from the original media if necessary.
In today’s digital age, when most of the population interacts with some aspect of the Internet with numerous types of mobile digital devices, it is essential to be aware of the inherent risks that may exist when you’re connected to the ‘Net. Your digital wireless device most likely contains data about you and your surfing habits that you would consider confidential. For example, many people store their online bank account passwords on these devices. GPS data recording travel activity is often stored there as well. This poses the question: what steps can you take to help protect that sensitive information from falling into the wrong hands?
Apply Patches Often
Updating your mobile device with the latest software patches from the manufacturer reduces the number of break-in points that attackers can use against you. Many of the attacks performed today are a result of unpatched devices. By frequently applying the latest patches from the device vendor, you reduce the risk of an unwanted break-in.
Turn Off GPS
If you’re not using GPS functionality, disable it on the phone. This will have the added benefit of extending battery life.
Use Anti-Virus Software
If anti-virus software exists for your platform, install it and keep it updated. Choose software only from known reputable vendors; don’t install software from untrusted sites or from popup warnings.
Avoid High Risk Surfing
Resist the urge to do online banking on your mobile device. If you must do so, do not have the application remember the password. Also, use strong passwords that are changed frequently. Many people today recognize the need for strong passwords, but they often use the same password for all of their website logins. Should an attacker break the password to just one site, he would then have easy access to all the other sites, too. To prevent this from happening, use unique, strong passwords for each website login.
More Tips for Securing Mobile Devices
Here are some additional resources for information on securing mobile devices:
- Internet2 – Mobile Internet Device Security Guidelines
- Internet2 – Ten Steps to Secure Your Mobile Device
- Stanford University – Guidelines for Securing Mobile Devices
- Educause – Smartphone Privacy & Security: What Should We Teach Our Users?
The Internet is wild and untamed. While there are many useful and productive reasons to be surfing, there will always be nefarious groups attempting to steal your private information one way or another. One common technique these groups use is phishing, also called webpage spoofing. Phishing is a form of social engineering attack, where internet thieves attempt to manipulate you into performing certain actions or divulging your confidential information. Phishing attempts to get you to give up your confidential information by pretending to be a legitimate website or e-mail. The e-mails or web pages may look very convincing at first glance; many people don’t notice any difference from genuine content, which is why it is used so frequently. Once the user turns over their sensitive information (such as login credentials or credit card numbers), the thieves will begin almost immediately to find ways to profit from this information. They may attempt to log into your campus account and access your student or financial information or they may try to access your online bank accounts, which can harm you, the University, or both.
Technology can help reduce the risks from phishing, but there is much you must do to stay as protected as possible. Let’s examine some key things to be looking out for to avoid being a victim of a phishing attack.
Fake UIS Site Example
Below are sample screenshots from a recent fake site claiming to be the UIS Blackboard site.
From first glance, this site appears very much like the real, valid UIS Blackboard site. However, there are some key elements missing from this site. Let’s take a closer look.
|Fake site viewed from Internet Explorer 9|
There are several warning signs shown here to be looking out for including:
- The location starts with http:// not https://
- The location site (the part of the location URL in bold) is not “uis.edu”
- There is no security lock displayed
|Fake site viewed from Firefox 6|
In Firefox, in addition to the warning indicators listed above, when you click on the icon to the left of the location, it also displays the following important information:
- The web site’s identity cannot be verified
- The connection to the web site is not encrypted
Valid UIS Site
Now let’s compare the screenshots from the valid UIS Blackboard Learning site.
|Real site viewed from Internet Explorer 9|
Again, there are several key things to be looking for including:
- The location starts with https://
- The location site (the part of the location URL in bold) is “uis.edu”
- The security lock is displayed
|Real site viewed from Firefox 6|
In Firefox, when you click on the icon to the left of the location, it also displays the following important information:
- The web site’s identity is verified to be uis.edu
- The connection to the web site is encrypted
Tips for Safe Surfing
By following the tips below, you can dramatically reduce the risk that your confidential information will be used against you or the University via phishing attacks such as the one shown above.
- When going to a site that requests login credentials or other sensitive data, type in the URL manually rather than clicking on links from e-mails, search engine search results, or other untrusted sources.
- When you arrive at the site, before entering any sensitive information, take a moment and verify that the security markers you expect are present:
  - Does the URL start with https://? If the URL does not start with https:// (the ‘s’ is the most important piece), there is a stronger chance that any information you provide could be stolen.
  - Get in the habit of looking at the address line. Were you directed to “https://bb.uis.edu”? Does the address line display something different like “http://www.gotyouscammed.com/bb.uis.edu”? Be aware of where you are going.
  - Does the site provide identity information? Legitimate sites will be able to offer proof that they are legitimate. Use the browser’s security features to verify that the site has been shown to be legitimate.
- Don’t use the links in an email, instant message, or chat to get to any web page if you suspect the message might not be authentic or you don’t know the sender.
- If you think you may have provided login credentials to a fake site, CHANGE YOUR LOGIN PASSWORD IMMEDIATELY! Do not wait till later as thieves can quickly begin using your credentials to access more of your sensitive information.
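The address-line checks from the tips above, written out as an added example (it is not part of the original page or any UIS tool). It assumes the expected site is `uis.edu`; apart from the look-alike address quoted in the tips, the sample URLs are constructed.

```javascript
// Added example: the address-line checks from the tips above, applied to a
// URL before any credentials are entered. EXPECTED_DOMAIN is an assumption
// taken from the page's own example site.
const EXPECTED_DOMAIN = "uis.edu";

// Returns { ok, host, problems } for a URL string.
function checkLoginUrl(rawUrl, expectedDomain = EXPECTED_DOMAIN) {
  const problems = [];
  let url;
  try {
    url = new URL(rawUrl);
  } catch (err) {
    return { ok: false, host: null, problems: ["not a valid URL"] };
  }

  // Check 1: the location must start with https://
  if (url.protocol !== "https:") {
    problems.push("location does not start with https://");
  }

  // Check 2: the site (host) must be the expected domain or a subdomain of it.
  // Only the host counts: anything after the first "/" is a path chosen by
  // whoever runs the site, so "bb.uis.edu" appearing there proves nothing.
  // The comparison is made on a label boundary so that a longer name that
  // merely contains "uis.edu" is not accepted.
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  const expected = expectedDomain.toLowerCase();
  if (host !== expected && !host.endsWith("." + expected)) {
    problems.push(`site is "${host}", not "${expected}"`);
  }

  return { ok: problems.length === 0, host, problems };
}

// Sample input: the first and third addresses are the ones quoted in the
// tips; the other two are constructed for illustration.
const SAMPLES = [
  "https://bb.uis.edu",
  "http://bb.uis.edu/",
  "http://www.gotyouscammed.com/bb.uis.edu",
  "https://bb.uis.edu.example.net/login",
];

for (const sample of SAMPLES) {
  const result = checkLoginUrl(sample);
  console.log(result.ok ? "OK  " : "WARN", sample, result.problems.join("; "));
}
```

A passing result covers only the first two markers. The third, site identity, is still established by the browser's certificate verification, which is what the security lock reports.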
For more ideas on protecting yourself against scams and fraud while online, see the Anti-Phishing Working Group website. Additional information on protecting yourself from social engineering attacks is also available on the Homeland Security website. If you need additional assistance related to a phishing or other social engineering attack, please contact the UIS Technology Support Center at (217) 206-6000 or e-mail them at email@example.com.
By now you probably know that social networking sites such as Facebook, Twitter and LinkedIn have become integral to the daily lives of millions of people around the world, people who use these services to keep family and friends updated, connect with colleagues and communities, and to simply have a forum to express themselves.
You’ve probably also seen headlines like these:
- Students fear Facebook posts will hurt job prospects
- California Identity Thief Busted with 300K Victim Profiles
- Your private details on Facebook are at risk
- ‘Obama Dead’ Hoax Sweeps Twitter After Fox News Feed Hack
What many of us want to know is, how can we reap the benefits of social networking without becoming a news headline ourselves?
Tips for Using Social Networking Sites
The good news is that there are several steps you can take to make your social media activities work for you and not against you. Here are some tips from the US-CERT:
- Limit the amount of personal information you post – Do not post information that would make you vulnerable, such as your address or information about your schedule or routine. If your connections post information about you, make sure the combined information is not more than you would be comfortable with strangers knowing. Also be considerate when posting information, including photos, about your connections.
- Remember that the internet is a public resource – Only post information you are comfortable with anyone seeing. This includes information and photos in your profile and in blogs and other forums. Also, once you post information online, you can’t retract it. Even if you remove the information from a site, saved or cached versions may still exist on other people’s computers.
- Be wary of strangers – The internet makes it easy for people to misrepresent their identities and motives. Consider limiting the people who are allowed to contact you on these sites. If you interact with people you do not know, be cautious about the amount of information you reveal or agreeing to meet them in person.
- Be skeptical – Don’t believe everything you read online. People may post false or misleading information about various topics, including their own identities. This is not necessarily done with malicious intent; it could be unintentional, an exaggeration, or a joke. Take appropriate precautions, though, and try to verify the authenticity of any information before taking any action.
- Evaluate your settings – Take advantage of a site’s privacy settings. The default settings for some sites may allow anyone to see your profile, but you can customize your settings to restrict access to only certain people. There is still a risk that private information could be exposed despite these restrictions, so don’t post anything that you wouldn’t want the public to see. Sites may change their options periodically, so review your security and privacy settings regularly to make sure that your choices are still appropriate.
- Be wary of third-party applications – Third-party applications may provide entertainment or functionality, but use caution when deciding which applications to enable. Avoid applications that seem suspicious, and modify your settings to limit the amount of information the applications can access.
- Use strong passwords – Protect your account with passwords that cannot easily be guessed. If your password is compromised, someone else may be able to access your account and pretend to be you.
- Check privacy policies – Some sites may share information such as email addresses or user preferences with other companies. This may lead to an increase in spam. Also, try to locate the policy for handling referrals to make sure that you do not unintentionally sign your friends up for spam. Some sites will continue to send email messages to anyone you refer until they join.
- Keep software, particularly your web browser, up to date – Install software updates so that attackers cannot take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this option is available, you should enable it.
More Social Networking Tips
For even more tips on how to help keep your social networking experiences both safe and secure, have a look at these online resources:
- US-CERT: Socializing Securely: Using Social Networking Services
- INTERNET2: Social Networking Security
- StaySafeOnline: Safety Tips for Social Networking
- ZoneAlarm: Six Tips for Social Media Security
While for many of us our primary use of computers and networks is limited to our campus work or studies, more and more of us are also setting up home networks so that we can enjoy the benefits of hooking up our computers, game consoles, and even televisions to the Internet from home. Home wireless network device manufacturers usually make these devices as easy to use as possible, which can (and often does) also mean they are relatively insecure.
But as long as you can get connected to the Internet, why should you care about the security of your home network? Securing your home wireless network is important because if you don’t, your neighbors can use your Internet connection for whatever they want, including streaming videos and downloading inappropriate or illegal content. Their use of your network could result in harm to your systems ranging from simply slower network performance to increased ISP charges, breaking into your computers, and spying on your networking activities. Even worse, hackers can use your internet connection to upload illegal materials, and the FBI will come knocking at your door.
Tips for Keeping Your Home Network Secured
So what should you do to keep these things from happening to you? Here are a few tips to get you started:
- Implement Security Settings on the Wireless Network: First, start by changing the default administrative password on the wireless device (default passwords are widely known by hackers). The wireless network should then be protected using Wi-Fi Protected Access 2 (WPA2) instead of WEP (Wired Equivalent Privacy). Using current technology, WEP encryption can be broken in minutes (if not seconds) by an attacker, which afterwards allows the attacker to view all traffic passed on the wireless network. It is important to note that older client systems and access points may not support WPA2 and will require a software or hardware upgrade. When researching for suitable replacement devices, ensure that the device is WPA2-Personal certified. Finally, disable the remote administration feature of your wireless device unless you absolutely need to manage it away from home.
- Migrate to a Modern OS and Hardware Platform: Both Windows 7 and Macintosh OS X operating systems provide substantial security enhancements over earlier operating system versions. Many of these security features are enabled by default, automatically helping to prevent many common attacks. Additionally, ensure that the OS automatic update feature is enabled to help keep your system protected from newly-discovered security holes.
- Limit Use of Administrator Accounts: The first account that is typically created when configuring a new computer for the first time is the local administrator account. Using such an account for day-to-day activities makes it much easier for malware to gain control of your system. A non-privileged “user” account should be created and used for the bulk of activities conducted on the computer including web browsing, email access, and document creation/editing. The privileged administrator account should only be used to install updates or software, and reconfigure the host as needed.
- Enable Firewalls: In its simplest form, a firewall is a system that controls access across the network. In the context of home networks, a firewall typically takes one of two forms: a software firewall – specialized software running on an individual computer, or a hardware firewall – a dedicated device designed to protect one or more computers. Both types of firewalls allow the user to define access policies for inbound connections to the computers they are protecting. Most firewalls intended for home use come with pre-configured security policies from which the user chooses, and some allow the user to customize these policies for their specific needs. Intruders are constantly scanning home user systems for known vulnerabilities. Network firewalls (whether software or hardware-based) can provide some degree of protection against these attacks.
Want to Know More?
If you’re interested in finding out more about ways to keep your home network secure or how to stay safe on public wireless networks, have a look at these additional online resources:
- NSA: Best Practices for Keeping Your Home Network Secure
- US-CERT: Using Wireless Technology Securely
- CERT: Home Network Security
- SANS Institute: Building A Secure Home Network
- FTC: Wise Up about Wi-Fi: Tips for Using Public Wireless Networks