Archive for 2012

Don't allow Internet Explorer to store passwords for you.


Stored passwords allow anyone who can access your machine to log in to your web accounts as you. Internet Explorer protects saved passwords with your Windows logon rather than a separate master password, so any program running under your account, including malware, can read them, and there are numerous utilities that will reveal the saved passwords in plain text. If you've reused that password for other logins, many systems or web sites could be compromised.

December 2012 - secureCI Monthly Newsletter



secureCI presents Ouch!

The SANS Monthly Information Security Bulletin at Channel Islands


In This Issue…
• Starting Secure
• Staying Secure
• Recovery

Seven Steps to a Secure Computer

OVERVIEW

While handheld devices such as smartphones and tablets provide new ways for us to leverage technology, computers are often still the primary tool we use for our professional and personal lives.  As a result, your computer, whether at work or at home, still remains a primary target for cyber criminals.  By following the seven simple steps outlined below, you can help secure your computer and protect it against most known attacks.

1.  STARTING SECURE

The first step to a secure computer is starting with a computer you can trust. If you purchased a new computer directly from a well-known vendor, then you should be able to trust it and the pre-installed software. If you have purchased a used computer, do not trust it: the previous owner may have infected it, accidentally or intentionally, and trying to secure a computer that is already infected does no good. The first step after acquiring a used computer is to reformat the hard drive and re-install the operating system (ask someone you trust for help if you are not sure how to do this).

2.  UPDATING

The next step is updating your computer. Cyber attackers are always identifying new weaknesses in computers and their applications. When computer and software vendors learn about these new vulnerabilities, they develop and release fixes, called updates or patches. When you purchase a new computer or re-install the operating system, it is most likely already out of date, so the first thing to do is connect to the Internet and update the operating system. Make sure the computer sits behind a firewall or home Wi-Fi router when you connect it, so it is not exposed directly to the Internet before it is patched. Most operating systems, including Windows and OS X (and many applications), have an automatic updating feature built in. Enable automatic updating and have it check at least once a day; this helps ensure your computer stays updated and secure. If a vendor releases a patch that you have to install manually, install it as soon as possible.

3.  SECURITY SOFTWARE

Once your computer is updated you want to ensure you have security software installed and enabled.  The two most common types of security software are anti-virus and firewalls. Anti-virus helps identify infected files you may have downloaded or shared with others and stops these malicious files from harming your computer.  Firewalls act like a virtual policeman; they determine who can and cannot talk to your computer. Many security vendors now offer entire security software suites that include firewall, anti-virus and other software options.  You may want to consider purchasing an entire security package.

4.  ACCOUNTS

Every person who has authorized access to your computer should have their own separate account protected by a unique, strong password. Never share accounts. If this is a personal computer for home use, create a separate account for each member of your family, especially children. This way you can apply different controls to each user (such as parental controls for your children) and track who did what. In addition, grant each user the minimum privileges they need to use the computer. Never give someone administrative access unless they absolutely need it, and that includes yourself: use a standard account day to day and switch to administrative privileges only when you need them, such as to install software or change a system configuration.

By following these simple steps you can help ensure a secure computer.


5.  SECURITY ON THE GO

If your computer is portable, such as a laptop, you may want to consider full disk encryption (FDE). Encryption helps ensure that the data on your computer is protected even if you lose it.  You may also want to ensure the computer screen is password locked, so people cannot access the system when you are away from it. Finally, some laptops now support remote location and/or wiping to help you locate a missing laptop or permanently erase sensitive data if it cannot be recovered.

6.  USING THE COMPUTER

No amount of technology can protect your computer against every threat. While everything we have covered so far will help secure your computer, the last element we have to secure is you, the computer user. Know and understand that bad guys are always trying to trick you. If you receive a message that seems odd or suspicious, don't click on any links or attachments. If someone calls you telling you that your computer is infected and you need to install software, it is most likely a scam. In many ways you, not technology, are the best defense for your computer.

7.  BACKUPS

Finally, even if you take all the steps we have covered, there is always a chance your computer will get hacked, suffer a hard drive failure or meet some other catastrophe. Your last defense is backups. We highly recommend that you regularly back up any important information (documents, pictures, videos, etc.) to an external hard drive, a cloud backup service, or both, and that you occasionally test that you can actually restore a file from the backup.
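As an added illustration of what "back up regularly and test it" means in practice (example code written for this page, not part of the OUCH! newsletter), the Python below copies a folder, records a SHA-256 fingerprint of every original file in a manifest, and later re-checks the copies against that manifest so that a missing or silently corrupted copy shows up before the day you need the restore. The folder layout and file contents in demo() are constructed for the example, and the manifest file name is an assumption.

```python
import hashlib
import json
import os
import shutil

MANIFEST = "MANIFEST.json"   # assumed name; any fixed name works


def _sha256(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def backup_tree(src, dst):
    """Copy every file under src into dst and write a manifest of SHA-256 hashes.
    Assumes dst is not inside src (otherwise the walk would copy the backup too)."""
    os.makedirs(dst, exist_ok=True)
    manifest = {}
    for root, _dirs, files in os.walk(src):
        for name in files:
            full = os.path.join(root, name)
            # Manifest keys use forward slashes so the manifest is portable.
            rel = os.path.relpath(full, src).replace(os.sep, "/")
            target = os.path.join(dst, *rel.split("/"))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            shutil.copy2(full, target)        # copy2 keeps timestamps
            manifest[rel] = _sha256(full)     # hash the ORIGINAL; the copy is checked later
    with open(os.path.join(dst, MANIFEST), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_backup(dst):
    """Return the (sorted) relative paths whose copy is missing or no longer matches."""
    with open(os.path.join(dst, MANIFEST)) as f:
        manifest = json.load(f)
    bad = []
    for rel, expected in manifest.items():
        copy = os.path.join(dst, *rel.split("/"))
        if not os.path.isfile(copy) or _sha256(copy) != expected:
            bad.append(rel)
    return sorted(bad)


def demo():
    """Back up a small constructed folder, verify it, damage one copy, verify again."""
    import tempfile
    base = tempfile.mkdtemp()
    src = os.path.join(base, "documents")
    dst = os.path.join(base, "backup")
    os.makedirs(os.path.join(src, "project"))
    with open(os.path.join(src, "project", "analysis.txt"), "w") as f:
        f.write("constructed sample: quarterly analysis\n")
    with open(os.path.join(src, "notes.txt"), "w") as f:
        f.write("constructed sample: meeting notes\n")
    backup_tree(src, dst)
    clean = verify_backup(dst)
    # Simulate silent corruption of one copy (bad sector, interrupted sync, ...).
    with open(os.path.join(dst, "project", "analysis.txt"), "r+b") as f:
        f.write(b"X")
    damaged = verify_backup(dst)
    shutil.rmtree(base)
    return clean, damaged


if __name__ == "__main__":
    print(demo())   # ([], ['project/analysis.txt'])
```

The verification step is the part people skip: a backup that has never been checked is only a hope. Run verify_backup() on a schedule against the external drive or cloud copy, and now and then restore a file and open it.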

RESOURCES
Some of the links have been shortened for greater readability using the TinyURL service. To mitigate security issues, OUCH! always uses TinyURL’s preview feature, which shows you the ultimate destination of the link  and asks your permission before proceeding to it.

Free Security Checkups:
http://preview.tinyurl.com/bxph6a8

Microsoft Security
http://www.microsoft.com/security

Mac OS X Security:
http://preview.tinyurl.com/abl6xm7

Common Security Terms:
http://preview.tinyurl.com/6wkpae5

SANS Security Tip of the Day:
http://preview.tinyurl.com/6s2wrkp


LEARN MORE
Subscribe to the monthly OUCH! security awareness newsletter, access the OUCH! archives, and learn more about SANS security awareness solutions by visiting http://www.securingthehuman.org. OUCH! is distributed under the Creative Commons BY-NC-ND 3.0 license.

Read Error Messages and Checkboxes



When you see an error message pop up on the screen, read it! You may not understand everything, but if you look through the message you can get the gist of what it is trying to convey. Be aware that fake error messages are also a common lure: a pop-up that tells you to call a phone number or install software to "fix" the problem is not a real error. If you don't understand the error, at least capture the error screen. To do that, press the key labeled "Print Screen" or "PrtSc" (or hold Alt and press it to capture just the active window). That copies an image of the screen to short-term storage called the clipboard. Then open an e-mail message, right-click in the message body and select "Paste". Now you can print it or send it to the help desk (helpdesk@csuci.edu) for further analysis.

Don't click the "unsubscribe" link at the bottom of unsolicited emails


Spam filters catch most unwanted e-mail, but some will still reach you. Much spam is designed to get you to reply or to click an "unsubscribe" link. Either action confirms to the sender that your address is live and read by a person; it then gets added to lists of active addresses that are sold on to other spammers, so you receive more spam, not less. To be on the safe side, don't reply to, or click the "unsubscribe" link in, any unsolicited email. (Unsubscribe links in mail from a company you actually signed up with are a different matter; the point here is unsolicited mail.)

Protecting Your System and Your Network



In light of recent network cleanup activity I want to take this time to remind everyone of a couple of items that will help protect your system and your network from virus attacks.

Attaching External Storage Devices
Before opening anything on an external storage device, whether it's a USB thumb drive or a large external hard drive, run a virus scan on it. Plug it in, let your anti-virus scan the whole drive, and only then open files from it (if AutoPlay is enabled on your computer, turn it off so nothing on the drive runs by itself when it is connected). This will save you a lot of grief in the long run.

Clicking on Unknown Links in Email
If you receive an email asking you to click on a link, and you were not expecting an email with a link, contact the person who sent it before clicking. The email could be a phishing or website-spoofing scam that loads malware onto your machine or tries to get you to give up personal information. In either case, a short phone call or a quick text or email is well worth not having to rebuild your machine.

Five Security Tips!


  1. Warning Messages:  If you don't understand a warning message, say no and contact IT support for assistance.  It's easier to go back afterward and say yes if you need to than to be sorry and have IT support rebuild your machine.
  2. Certificates:  If you don't understand a website certificate message, say no and consult IT support.  It's easier to go back and say yes if you need to than be sorry and have to rebuild your credit.
  3. Antivirus:  Running antivirus does not slow your computer down nearly as much as a virus does.
  4. Back-up:  Backing up your data may seem like a waste of time — um, until you spill coffee all over your laptop.
  5. Passwords:  Writing down your password around your desk is about as secure as leaving a $20 bill lying on the dashboard of your car. How well do you trust anyone these days?

Effectively Delete Your Files


When you delete a file, depending on your operating system and your settings, the file may be transferred to your trash or recycle bin.  This "holding area" essentially protects you from yourself - if you accidentally delete a file, you can easily restore it.  Unfortunately, an unauthorized person may also be able to retrieve it.  Do the files in your recycle bin include credit card information, passwords, medical, or other personal data?  Does it contain sensitive corporate information?  



Empty your trash or recycle bin on a regular basis so that deleted information stays deleted! Keep in mind that emptying the bin only removes the file's entry from the file system; the data itself stays on the disk until something overwrites it, and recovery tools can often bring it back. For truly sensitive files, use a secure-delete tool that overwrites the contents, and keep the drive encrypted so that whatever is left behind is unreadable.
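To show the difference between "deleted" and "gone", here is an added example (written for this page, not code from the original post) that overwrites a file's contents with random bytes, forces that write to disk, truncates the file and only then unlinks it, which is what a secure-delete tool does that the recycle bin does not. The "card number" in demo() is a made-up sample. The caveats in the comments are the important part: on SSDs, copy-on-write or journaling file systems, snapshots, and anything synced to the cloud or included in a backup, an in-place overwrite can miss other copies of the data, which is why full disk encryption is the more dependable control.

```python
import os
import secrets


def overwrite_and_delete(path, passes=1, chunk=64 * 1024):
    """Overwrite a file in place with random bytes, truncate it, then unlink it.
    Returns the number of bytes overwritten per pass.

    Where this is NOT enough (assumptions about the storage, not things this code can fix):
      - SSDs remap blocks (wear levelling), so the old data may survive elsewhere on the flash.
      - Journaling / copy-on-write file systems and snapshots can keep the old blocks.
      - Cloud sync, backups and the recycle bin itself hold their own copies.
    Full disk encryption is what makes all of those leftovers unreadable."""
    size = os.path.getsize(path)
    # "r+b" opens for writing WITHOUT truncating, so the existing blocks are rewritten.
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())   # push the overwrite to the device, not just the page cache
        f.truncate(0)              # hide the original length as well
        f.flush()
        os.fsync(f.fileno())
    os.remove(path)                # only now remove the directory entry
    return size


def demo():
    """Write a constructed 'secret' to a temp file, wipe it, and report the result."""
    import tempfile
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "card.txt")
    secret = b"constructed sample: card 4111 1111 1111 1111 exp 12/14\n"
    with open(path, "wb") as f:
        f.write(secret)
    wiped = overwrite_and_delete(path, passes=2)
    gone = not os.path.exists(path)
    os.rmdir(tmpdir)
    return wiped == len(secret), gone


if __name__ == "__main__":
    print(demo())   # (True, True)
```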

November 2012 - secureCI Monthly Newsletter


secureCI presents Ouch!

The SANS Monthly Information Security Bulletin at Channel Islands


In This Issue…
• Overview
• Precautions You Can Take Now
• What to Do If Your Device is Lost or Stolen

Losing Your Mobile Device

OVERVIEW
Mobile devices are used for communication and for obtaining and sharing information. As a result, they often contain sensitive information, including email, text messages, voicemail, calendar events, location tracking, photos and videos. If your mobile device is lost or stolen, anyone who has physical access to your device can potentially access all this information and expose you, your contacts and your organization to serious risk. In this newsletter, we discuss the steps you can take to protect the information on your device in case it is lost or stolen.

Note: Most of this advice applies to your personal devices. If your mobile device was issued or authorized by your organization and contains organizational data, then be sure to follow your organization’s policies for securing mobile devices and for reporting loss or theft.

PRECAUTIONS YOU CAN TAKE NOW
One of the most effective ways you can protect your information is to secure your device while you still have it. A great place to start is enabling some type of access protection, such as a PIN, password or pattern lock. This helps ensure that only authorized users can use and access the information on your device.

  • PIN: A PIN (Personal Identification Number) is a number you have to enter to gain access to your mobile device.
  • Password: A password on mobile devices works the same way as a password on your computer or online account. This is an option you can enable on most smartphones. A strong password affords greater security than a PIN.
  • Pattern Lock: A pattern lock is a unique pattern that you draw on the screen of the device.

Strongly consider enabling the option to wipe your device after a certain number of failed access attempts, which can protect your device if it falls into the wrong hands. However, if you do enable this feature, be cautious of curious children. Regardless of the authentication mechanism you use, make sure that you do not share your PIN, password or pattern lock with anyone else and that it is hard for people to guess.
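To put the three options into numbers, here is an added example (written for this page, not from the newsletter) that counts every valid 3x3 pattern lock under the usual Android rules (at least four points, no point used twice, and no jumping over a point that has not been visited yet) and compares that keyspace with 4- and 6-digit PINs and an 8-character letters-and-digits password. The ten-attempt figure for the auto-wipe calculation is the example's own assumption, not a number from the text.

```python
import math

# Pairs of points whose straight line passes over a third point. Android only
# lets a stroke jump across that middle point if it was already visited.
_SKIP = {}
for _a in range(9):
    for _b in range(9):
        _ra, _ca = divmod(_a, 3)
        _rb, _cb = divmod(_b, 3)
        if _a != _b and (_ra + _rb) % 2 == 0 and (_ca + _cb) % 2 == 0:
            _SKIP[(_a, _b)] = ((_ra + _rb) // 2) * 3 + (_ca + _cb) // 2


def count_patterns(min_len=4, max_len=9):
    """Count valid 3x3 unlock patterns, grouped by the number of points used."""
    counts = {n: 0 for n in range(min_len, max_len + 1)}

    def walk(last, visited, length):
        if length >= min_len:
            counts[length] += 1
        if length == max_len:
            return
        for nxt in range(9):
            if visited & (1 << nxt):
                continue                      # each point at most once
            mid = _SKIP.get((last, nxt))
            if mid is not None and not visited & (1 << mid):
                continue                      # would pass over an unvisited point
            walk(nxt, visited | (1 << nxt), length + 1)

    for start in range(9):
        walk(start, 1 << start, 1)
    return counts


def keyspace_bits(n):
    """Size of a keyspace expressed as bits of entropy (uniform guessing)."""
    return math.log2(n)


def chance_before_wipe(keyspace, attempts=10):
    """Probability a random guesser succeeds before an auto-wipe triggers."""
    return min(1.0, attempts / keyspace)


def compare():
    """Keyspace of each lock type discussed in the newsletter."""
    return {
        "pattern": sum(count_patterns().values()),   # 389,112 (about 18.6 bits)
        "pin4": 10 ** 4,
        "pin6": 10 ** 6,
        "password8": 62 ** 8,                        # letters and digits, 8 long
    }


if __name__ == "__main__":
    for name, size in compare().items():
        print(f"{name:10s} {size:>18,d}  {keyspace_bits(size):5.1f} bits"
              f"  P(guessed in 10 tries) = {chance_before_wipe(size):.2e}")
```

The pattern lock lands between a 5- and a 6-digit PIN on paper, and in practice people draw far more predictable patterns than that, which is why a real password is the strongest of the three and why the wipe-after-N-failures option matters: with it enabled, even a 4-digit PIN gives a thief only a 1-in-1,000 chance.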

  • Remote Tracking & Wiping: Most mobile devices support software that can remotely locate and/or remotely erase your information from a missing device. You may have to install or configure special software while you still possess the device. iPhones and iPads come with this feature, called “Find My iPhone,” and it is enabled using an Apple ID. BlackBerry devices must be tied to a BES server or similar application in order to remotely wipe your device. Android devices must have special software installed for remotely locating and wiping your device.
  • Encryption: If someone has physical access to your mobile device, they can use advanced techniques to try to bypass your password or PIN and read the data stored on it. Encryption protects your data against these more advanced attacks. Some mobile devices come with encryption built in, while others require you to enable the functionality or install encryption software. iPhones and iPads have built-in hardware encryption that is always on; your passcode is what ties the encryption keys to you, so the protection depends on having a passcode set. Android has built-in encryption (Android 3.0 and later) that can be activated in the Security menu.
  • Backups: Backups help ensure you can recover your information quickly from a lost or stolen device.  Backups should be performed regularly, and can be done using the following methods:
    • Backup directly to your computer.
    • iCloud is provided as a free service to all iPhone, iPad and iPod users. The user can select to back up their contacts, email, calendar, pictures, music and other files to an iCloud account.
    • Google Cloud is a free backup service for Android devices. The features of the Google Cloud are similar to the iCloud.

By taking some simple steps now, you can protect yourself if you lose any of your mobile devices.


WHAT TO DO IF YOUR DEVICE IS LOST OR STOLEN
Follow these steps to protect your personal information if your device is lost or stolen:

  • If the missing device was issued to you by Channel Islands and/or contains work-related data, then report the loss immediately to the T&C Help Desk (helpdesk@csuci.edu or 805-437-8552) and follow their instructions.
  • If you installed tracking software on your mobile device, you will most likely have the option to wipe your data. Wiping the device will erase all of your personal information from the device and eliminate the risk of your data being accessed. If your device was stolen, you may want to contact law enforcement before wiping the device and notify them that you have enabled location tracking on the device. If stolen, you should not attempt to recover your device yourself.
  • Contact your network service or phone provider to alert them that your mobile device has been lost or stolen. They may be able to put a lock on your phone number to ensure no one can use your device to make any phone calls until you get it replaced.
  • Once you have purchased a replacement, you can use your backups to recover your information.

RESOURCES
Some of the links have been shortened for greater readability using the TinyURL service. To mitigate security issues, OUCH! always uses TinyURL’s preview feature, which shows you the ultimate destination of the link  and asks your permission before proceeding to it.

20 Android Security Apps:
http://preview.tinyurl.com/27qbb6w

10 iOS Security Apps
http://preview.tinyurl.com/bumb8vv

Google Cloud:
http://preview.tinyurl.com/cy49ntb

iCloud:
https://www.icloud.com/#find

Common Security Terms:
http://preview.tinyurl.com/6wkpae5

SANS Security Tip of the Day:
http://preview.tinyurl.com/6s2wrkp


LEARN MORE
Subscribe to the monthly OUCH! security awareness newsletter, access the OUCH! archives, and learn more about SANS security awareness solutions by visiting us at http://www.securingthehuman.org. OUCH! is distributed under the Creative Commons BY-NC-ND 3.0 license.

Save your work to the network file share.


A computer user working on a critical project was saving their analysis document on their desktop. Unfortunately, the desktop was on the local hard drive, and local hard drives are not automatically backed up. When the hard disk failed, they lost the file and had to work through nights and a weekend to make up the lost time. CI backs up the network file shares, not local drives, so save important work files to your network share. P.S. Important files don't include things like vacation pictures or music files, which can overburden the backup system.

Paper Files Need to be Protected Too!


You've probably heard that "To err is human, but to foul things up completely you need a computer". It's important to protect the big databases where we store our data, but we can't ignore paper records. The amount of information held on paper may be much smaller, but many of the most serious leaks happen through very human methods — reports stolen from desktops or read over someone's shoulder. Keep sensitive paper files locked away when they are not being used and don't read them in public places.

Secure Your Wireless Router


When setting up a wireless network at home, it's not unusual to find that you can connect to a neighbor's unsecured wireless router. Not only could you use their bandwidth for free, but if so inclined you could use the connection for illegal activities, and if the police came looking, the neighbor might not be able to prove the activity didn't come from one of their own computers. The same applies to your router if you leave it open.

Properly securing your wireless network isn't difficult. Review your router's manual for how to: change the default SSID to something unique; change the router's administrator password; and turn on WPA2 with AES (CCMP) encryption and a long passphrase. Avoid WEP, which is broken and can be cracked in minutes, and TKIP, the older WPA encryption, which has known weaknesses; use them only for a device that truly cannot do anything better. MAC address filtering is often recommended as well, but treat it as a convenience rather than a security control: MAC addresses are transmitted in the clear and are trivial to spoof.

Shh! Don't say it out loud. The cubes have ears.



Office work spaces seem to be getting smaller and smaller. This makes it  harder to keep conversations confidential when groups of people are within earshot. When necessary, use handwritten notes for transferring/discussing confidential information, and then shred the papers when done.

Read error messages and check-boxes.



When you see an error message pop up on the screen, read it! You may not understand everything, but if you look through the message, you can get the gist of what is going on. Remember that fake error messages are a common lure: a pop-up that tells you to call a phone number or install something to "fix" the problem is not a real error. If you don't understand an error, you should at least capture the error screen. To do that, press the key labeled "Print Screen" or "PrtSc" (hold Alt while pressing it to capture only the active window). This copies an image of the screen to short-term storage called the clipboard. Then open an e-mail message, right-click in the message body and select "Paste". Now you can print the error message or send it to tech support for further analysis.

BEWARE of Phishing Scams!


We've all received them, emails from a seemingly trusted source like a bank, delivery company or even your own place of employment, claiming there was some type of issue or another requiring you to offer up some personal information or click on a link or button to help clear the issue up. If you receive an email of this sort DO NOT CLICK ON ANY LINK OR OFFER UP ANY INFORMATION!


This is a common form of security attack called a phishing or spear phishing scam.

Groups attempting to steal personal information will often use e-mails that appear to originate from a trusted source to try and trick a user into entering valid credentials at a fake website. Typically the e-mail and the web site look like they are part of a bank or some other organization the user is doing business with.

If you receive an email like this and you think it may be fraudulent, please report it immediately to the T&C Helpdesk at X8552 or helpdesk@csuci.edu. They will assist you and instruct you on how to remove it effectively.

Remember...  nobody from T&C will ever ask you for any personal information, including your password!

Think twice before posting pictures of yourself or your family and friends.



Photographs often contain information that could be used to identify you or the places you visit frequently. Never post unflattering or embarrassing pictures (no matter how funny) that could come back to haunt you. Carefully examine photos for identifying information such as the name of your school, the name of a sports team or organization you belong to, the address of the place you work or your favorite social hangout. Many phones also record the GPS location where a picture was taken in the photo's metadata (EXIF), so strip that before posting. Do not give out the full name of a child in your captions. One mother was very concerned to see her son's wrestling picture online with his full name. Pictures can also be copied or altered and used on other websites in ways that might be detrimental to your reputation.

Is your online shopping site secure?


When banking and shopping online, make sure the site is using a secure connection. Look for a web address beginning with "https://" and the padlock icon in your browser; a page loaded over plain "http://" sends whatever you type, including card numbers, across the network unencrypted. If the browser warns that the site's certificate is invalid, stop there. Learn more at http://staysafeonline.org/stay-safe-online/protect-your-personal-information/online-shopping

Don't Accept Offers of "Free PC Scans" That Pop up When You Use the Internet


Secure Computers LLC paid a $1,000,000 fine for offering "free spyware scans" that told users their systems had been infected with spyware, even if the system was clean. They are not the only ones doing this; when you surf the Web you are still likely to see pop-up windows like that. Some "scans" don't just give misleading results; they actually try to install unwanted software on your PC. Often the pop-up only has a "scan" button and no "cancel" or "quit" option, and it may interfere with your PC no matter which of its buttons you choose. Be safe: close pop-ups like this with the X in the top right corner of the browser window, or close the browser tab or window from the keyboard (Alt+F4 on Windows), since a "Cancel" or "X" drawn inside the pop-up itself may just be another button that starts the download. Better yet, use pop-up blocker software.

(You can view the article on Secure Computers LLC here - http://www.atg.wa.gov/pressrelease.aspx?id=5926).

October 2012 - secureCI Monthly Newsletter



secureCI presents Ouch!

The SANS Monthly Information Security Bulletin at Channel Islands

  • Your Accounts
  • Your Devices
  • Your Information

Hacked: Now What?


OVERVIEW
No matter how many steps you take to protect yourself or your information, there is still a chance you will get hacked. Like driving a car, no matter how safe you are, sooner or later you most likely will have an accident. However, you can still protect yourself, even after you have been compromised. The sooner you detect an incident, and the faster you respond to it, the greater chance you have of reducing the harm. To help you prepare, we discuss different ways to determine if your computers, accounts, or information have been compromised, and how you can best respond. For responding, most of our advice applies to your personal life. If you have a work related device, work account, or work information hacked, report the incident to the CI Help Desk (Phone: 805 437-8552 / eMail: helpdesk@csuci.edu) or the security team immediately, and then follow their instructions.


YOUR ACCOUNTS
You probably have numerous online accounts for everything from online banking and shopping to email and social networking. Keeping track of them and identifying when an account is compromised can be a constant challenge. Here are some steps to help you identify and respond to compromised accounts. 

Symptoms:
  • You can no longer log in to the website, even though you know your password is correct.
  • Your friends or co-workers are receiving emails from you -- emails that you never sent.
  • Someone is posting messages on your social networking page (such as Facebook or Twitter), posing as you.
  • Someone is transferring money out of your online bank account.
  • Contact information or other settings on your online accounts are being changed without your knowledge or consent.
  • A website or service provider publicly announces they have been hacked and user accounts or passwords have been compromised.

Response:

  • If you can still log in, change your password immediately.   As always, be sure to use strong passwords.
  • If you can’t log in, contact the service provider or website immediately.  Most online providers provide some way to notify them that your account has been hacked.  These methods can include an online form, an email address to contact, or a phone number to call.  
  • Once you have regained access, review all of your account settings to make sure nothing has been changed by the attacker. 
  • Make sure you change your password on any other accounts that have the same password.

The sooner you identify you have been compromised and the faster you respond, the more you can minimize the harm.


YOUR DEVICES
With the explosion of mobile devices, we now have even more things to protect. Once attackers control your device, they have the ability to intercept every action you take on that device. Here are some steps to help you identify and respond to infected devices. 

Symptoms:
  • Your computer is taking you to websites you do not want to go to.
  • Your computer is running programs that you never installed.
  • Your anti-virus reports an infected file.
  • Anti-virus and system updates are failing.
  • Your device is continually crashing.
  • Your smart phone is making expensive calls or purchasing apps without your permission.
Response:
  • Perform a full scan with your updated anti-virus solution. If it detects any infected files, follow the steps it recommends. You may also want to get a second opinion from one of the free online scanners.
  • If your security software cannot clean the device, or you want to be sure it is fully recovered, re-install the operating system or perform a full factory reset, install the latest version of your anti-virus, and recover your data from backup (you are doing regular backups of your personal data, correct?).

YOUR INFORMATION
Protecting your own information, such as your Social Security Number, medical history, or purchase history, is challenging, since you often do not control this data. Instead, organizations like your health care provider, your credit card company, or your school store and maintain this data. Here are some steps to help you identify when your personal information has been compromised and how to respond. 

Symptoms:
  • A service provider announces or informs you they had an incident and your data may have been compromised, such as your credit card number or your medical history.
  • You see unauthorized charges on your credit card.
  • Your credit reports indicate loan applications you do not recognize.
  • Your health insurance is processing claims for treatments you did not receive.
  • You receive letters for overdue payments on accounts that you did not open. 
Response:
  • Call your credit card issuer immediately. Have them cancel the credit card and issue a new one. This is a free service your credit card company should provide.
  • Contact your service provider. For example, if you believe there is fraud with your insurance account or bank account, call your insurance company or bank. 
  • During any filing process, always document all conversations with date, time, and the name of the person you talked to. Keep copies of all written correspondence and use certified mail to show proof of delivery.

RESOURCES
Some of the links have been shortened for greater readability using the TinyURL service. To mitigate security issues, OUCH! always uses TinyURL’s preview feature, which shows you the ultimate destination of the link and asks your permission before proceeding to it.

How I Got Hacked:
http://preview.tinyurl.com/8q2jwsu

Free Online Security Scanners:
http://preview.tinyurl.com/9ky9s6w

Internet Crime Complaint Center:
http://www.ic3.gov/default.aspx

Identity Theft Resource Center:
http://www.idtheftcenter.org/

Facebook Hacked Page:
www.facebook.com/help/hacked


Common Security Terms:
http://preview.tinyurl.com/6wkpae5

SANS Security tip of the Day:
http://preview.tinyurl.com/6s2wrkp


LEARN MORE
Subscribe to the monthly OUCH! security awareness newsletter, access the OUCH! archives, and learn more about SANS security awareness solutions by visiting us at http://www.securingthehuman.org.  OUCH! is distributed under the Creative Commons BY-NC-ND 3.0 license.

Lock your workstation before you leave your desk


Did you know there are keyboard shortcuts other than CTRL+ALT+DEL that you can use to lock your desktop? Locking prevents people from walking up and snooping on your computer while you are away. You can save a keystroke by pressing the Windows key + L at the same time. The Windows key has four wavy squares.

Or, to make things even easier, create a desktop shortcut.
  1. Right click any empty area of your desktop
  2. Click New
  3. Click Shortcut
  4. Type in the following: rundll32.exe user32.dll,LockWorkStation
  5. Click Next
  6. Name your shortcut
  7. Click Finish
Now it's as easy as a double click!

Should I Click on that Link?


We've all received them: emails from a seemingly trusted source like a bank or delivery company claiming there was some type of issue or another requiring you to offer up some personal information or click on a link or button to help clear the issue up. This is a common form of security attack called a phishing or spear phishing scam.

As October is National Cyber Security Awareness Month (NCSAM), to help support cyber security awareness, the SANS Institute (www.sans.org) has posted the five minute online security awareness video "Email and Instant Messaging" covering the risks of using these technologies (including phishing scams, infected attachments, and drive-by downloads), and the steps you can take to protect yourself.  This video will be available through October 15th when a new video will replace it.

Please take the time to view this informative video.

Be Skeptical When You Read Your Email


Keep asking "Why should I believe that?" It's important to remember that you can't trust the "from" address on e-mail from outside the organization, as it's often faked by fraudsters and viruses. If you didn't expect a message, link, or attachment from someone, ask yourself why you should trust that it really came from the apparent sender, and that it's safe. When in doubt, it's a good idea to call and verify that they sent you the message.
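The "BEWARE of Phishing Scams", "Should I Click on that Link?" and "Be Skeptical" posts above all come down to a few checks that can be made mechanically. The Python below is an added example (written for this page, not part of the original posts) that parses an email and reports the classic warning signs: a Reply-To address at a different domain than the From address, links that point at a bare IP address, links whose visible text names one site while the href goes somewhere else, and links outside the sender's domain. Both messages are constructed samples using reserved example domains and the documentation IP range; the small "registrable domain" helper just keeps the last two labels of a host name, which is fine for .com and .edu but wrong for country domains such as .co.uk.

```python
import email
import ipaddress
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (reserved example domains, documentation IP range).
SAMPLE_PHISH = """From: "Example Bank Security" <alerts@example-bank.com>
Reply-To: verify@mail-verify.example.net
To: user@example.edu
Subject: Action required: confirm your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account has been limited. Confirm within 24 hours:</p>
<p><a href="http://203.0.113.5/login">https://www.example-bank.com/secure</a></p>
</body></html>
"""

SAMPLE_LEGIT = """From: "Example Bank" <alerts@example-bank.com>
To: user@example.edu
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Sign in at <a href="https://www.example-bank.com/statements">our website</a> to view it.</p></body></html>
"""


class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _site(host):
    """Crude 'registrable domain': the last two labels (assumption: no .co.uk style TLDs)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def phishing_indicators(raw_message):
    """Return human-readable warning signs found in one raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    sender = msg["from"].addresses[0] if msg["from"] and msg["from"].addresses else None
    sender_dom = sender.domain.lower() if sender else ""

    # 1. Replies silently routed to a different domain than the one shown in From.
    reply_to = msg["reply-to"]
    if reply_to and reply_to.addresses:
        rt_dom = reply_to.addresses[0].domain.lower()
        if _site(rt_dom) != _site(sender_dom):
            findings.append(f"Reply-To goes to {rt_dom}, not the sender's domain {sender_dom}")

    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    parser = _Links()
    parser.feed(body.get_content())

    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if not host:
            continue
        # 2. Real organisations link to names, not bare IP addresses.
        try:
            ipaddress.ip_address(host)
            findings.append(f"Link uses a bare IP address: {href}")
        except ValueError:
            pass
        # 3. Visible text that looks like a URL/domain but does not match the real target.
        shown = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", text, re.I)
        if shown and _site(shown.group(1)) != _site(host):
            findings.append(f"Link text shows {shown.group(1)} but points to {host}")
        # 4. Links that leave the sender's own domain deserve a second look.
        if sender_dom and _site(host) != _site(sender_dom):
            findings.append(f"Link host {host} is outside the sender's domain {sender_dom}")
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample) or "no indicators")
```

A From address that looks right proves nothing on its own, since it is easily forged as the post says, which is why the checks concentrate on where replies and links actually go. A clean result is not a guarantee either; it just means none of these particular tricks were used.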

09/26/12 - Tip of the Day!


Effectively delete files 

When you delete a file, depending on your operating system and your settings, the file may be transferred to your trash or recycle bin. This "holding area" essentially protects you from yourself: if you accidentally delete a file, you can easily restore it. Unfortunately, an unauthorized person may also be able to retrieve it. Does your recycle bin include credit card information, passwords, medical, or other personal data? Is there sensitive corporate information? Empty the trash or recycle bin on a regular basis to ensure that deleted information stays deleted.

09/24/12 - Tip of the Day!


Don't Click to Agree without Reading the Small Print 

Some free software passes your information on to advertisers, changes your PC or downloads other software without asking you. Some suppliers will claim that this is OK because you agreed to this. How? People often click on the "agree" button to accept 20 pages of difficult legal jargon they don't understand. But buried in the middle can be a sentence allowing the software to do whatever it likes. You can argue in court that the terms aren't reasonable, but then it will be too late — the damage has been done and your PC is broken. Learn from other people's pain: if terms and conditions are hard to understand, it is probably deliberate. If it isn't worth the trouble to read the conditions, don't risk using the software.

09/19/12 Tip of the Day!



Don't share your password, even with an assistant or close coworker

Here are two examples of why you should never share your ID and password with anyone.

A salesperson relied on his assistant every day, trusting them with his user name and password. Eventually the assistant quit, but not before deleting all of the salesperson's sent e-mail and saved files... It turned out the assistant had never backed up the computer either.

Several coworkers used the same ID and password to log in to their systems—it seemed easier for them that way.  The time came to change their password and they forgot to tell each other they were changing the password.  One by one they all began calling the help desk to get the password reset for their shared ID. The end result was they began locking each other out of their computers and finally getting reprimanded for sharing the ID and password in the first place.

09/17/12 - Tip of the Day!



We've all received them: emails from a seemingly trusted source, like a bank or delivery company, claiming there was some type of issue that requires you to offer up personal information or click on a link or button to help clear it up. If you receive an email of this sort DO NOT CLICK ON ANY LINK OR OFFER UP ANY INFORMATION!

This is a common form of security attack, called a phishing or spear-phishing scam.

Groups attempting to steal personal information will often use e-mails that appear to originate from a trusted source to try and trick a user into entering valid credentials at a fake website. Typically the e-mail and the web site look like they are part of a bank or some other organization the user is doing business with.

If you receive an email like this and you are certain it is fraudulent, please report it immediately to the T&C Helpdesk at X8552 or helpdesk@csuci.edu. They will assist you and instruct you on how to remove it effectively.

09/10/12 - Tip of the Day!



Eight Tips for Creating Bulletproof Passwords.

Strong passwords are an important way to protect your data from theft – and to avoid joining the more than nine million Americans victimized by identity theft each year. Darya Gudkova, head of content analysis and research for Kaspersky, also emphasizes the need for strong passwords. She recommends long passwords with a mix of different characters and letters. She also throws in several different languages to make her own passwords even tougher to crack. How do you create a bulletproof password that hackers can't crack? These tips from myID.com can help you set passwords that will keep your data secure.


Ban the basics!
Never use words found in a dictionary, even written backwards, in another language, or with a simple number following.

Personal is Predictable! 
Anyone who knows you could guess your password if it uses your name or username, birthday, pet or favorite team, band or movie.

Size Matters! 
The longer the better. Passwords should be at least 8-14 characters and mix upper and lowercase letters, special characters and numbers.

Hooked on Mnemonics! 
Try working a mnemonic phrase into your password. For example, “There's no place like home” would be translated to “TNPLH”.

Sell-By-Dates. 
Change passwords for online bank or credit card accounts every 1 to 2 months; others are good for maybe a few months. Mark your calendar.

To each his own. 
Don’t use the same password or similar patterns (word plus repeated number for example), so one cracked password doesn’t unlock all accounts.

Keep it secret, keep it safe. 
You would think people wouldn't need to be reminded of this but....  Don’t share passwords or store them on your computer or mobile device. The best place to store them is in your head or a locked safe.

PASSWORD is not a password. 
If an admin sets your password to PASSWORD change it FAST!
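As an added example (not code from the original post, from myID.com or from Kaspersky), the following Python script turns tips 1, 2, 3, 4 and 6 above into checks a help desk could run against a proposed password. The word list and the personal details it tests against are constructed stand-ins for the demo, and the thresholds (at least 8 characters, at least three character classes) are assumptions read from the tips.

```python
"""Password hygiene checks modelled on the eight tips above.

Added example, not part of the original post. The dictionary and the
personal details below are constructed for the demo; a real deployment
would load a large word list and the user's actual directory attributes.
"""
import re
import string

# Constructed mini dictionary standing in for a real word list (assumption).
DICTIONARY = {"password", "welcome", "dragon", "monkey", "football", "summer", "letmein"}

# Constructed personal details that anyone who knows the user could guess.
PERSONAL = {"alice", "alice.smith", "1985", "rover", "lakers"}

MIN_LEN = 8          # tip 3: "at least 8-14 characters"
MIN_CLASSES = 3      # assumption: require at least three of the four classes


def _strip_trailing_digits(word: str) -> str:
    return re.sub(r"\d+$", "", word)


def dictionary_variant(password: str, words=DICTIONARY) -> bool:
    """Tip 1: a dictionary word, possibly reversed, possibly with a number appended."""
    core = _strip_trailing_digits(password.lower())
    return core in words or core[::-1] in words


def contains_personal(password: str, personal=PERSONAL) -> bool:
    """Tip 2: any known personal detail appears inside the password."""
    p = password.lower()
    return any(item.lower() in p for item in personal)


def character_classes(password: str) -> int:
    """Tip 3: how many of lower, upper, digit, special are present (0-4)."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])


def repeated_pattern(password: str) -> bool:
    """Tip 6: 'word plus repeated number' patterns such as Summer111."""
    return re.search(r"(\d)\1{2,}$", password) is not None


def mnemonic(phrase: str) -> str:
    """Tip 4: initial letters of a phrase, e.g. "Theres no place like home" -> "TNPLH"."""
    return "".join(word[0].upper() for word in phrase.split())


def check_password(password: str) -> list:
    """Return the list of violated tips; an empty list means every check passed."""
    problems = []
    if password.upper() == "PASSWORD":
        problems.append("PASSWORD is not a password")
    if dictionary_variant(password):
        problems.append("dictionary word (possibly reversed or with a number appended)")
    if contains_personal(password):
        problems.append("contains personal information")
    if len(password) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if character_classes(password) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    if repeated_pattern(password):
        problems.append("ends in a repeated digit")
    return problems


if __name__ == "__main__":
    for candidate in ["PASSWORD", "drowssap1", "Rover2012", "Summer111", "TNPLH!2*tnplh"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

The reversed-word and trailing-digit checks are what make the first tip enforceable: a plain dictionary lookup would pass `drowssap1`, while this check strips the digit and tests both orientations. The mnemonic helper only produces the initials; the tips still expect you to mix in case, digits and symbols around them.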

September 2012 - secureCI Monthly Newsletter



secureCI presents Ouch!

The SANS Monthly Information Security Bulletin at Channel Islands

  • Overview
  • Example of a Counterfeit Website
  • Protecting Yourself


Counterfeit Websites


OVERVIEW
One of the advantages of shopping online is the ability to find the product or service you want, but at lower prices. Criminals know this and will take advantage of your desire to find an online bargain. Criminals will create fake websites that appear legitimate, but will sell you counterfeit goods or even worse, simply not deliver anything at all. In this newsletter we give an example of such an attack and then explain how you can protect yourself from similar fraud.

EXAMPLE OF A COUNTERFEIT WEBSITE
Let’s pretend you need to purchase a baby carrier, perhaps as a gift for a friend who has a newborn. You decide to look for a bargain online and begin with a search for baby carriers, specifically BRAND X baby carriers as you know that is what your friend prefers. You quickly discover that multiple sites sell the same baby carrier, however the prices vary greatly. You select the website that has the cheapest prices and purchase the product online. Several weeks later you receive the product, only to discover it does not look quite right – some of the pieces are wrong, the material is defective, or the product is outdated. You attempt to call the website to return the product only to discover there is no phone number. You then e-mail the website but never receive a response to any of your complaints. You just purchased a counterfeit (or stolen) product from a counterfeit website.

What happened is that criminals simply copied the legitimate website of the original manufacturer (in this case BRAND X baby carrier), posted this website under a new domain name that they control, and then significantly lowered the prices to encourage people to buy from this rogue website. The items they deliver to you are counterfeit, stolen, or used products, or they simply do not send anything at all. As such, whatever they charge is pure profit for them.


PROTECTING YOURSELF
We understand that you want to leverage the Internet for the best possible shopping experience. Here are several steps you can take to protect yourself from attacks like these.
  • If the pricing seems too good to be true, be very suspicious.
  • Call their support number. Wait ... no support number or contact listed to call? Another red flag.
  • Often the criminals that set up these counterfeit websites are not native speakers of the website’s language. The e-mails they send you may have poor grammar or simple spelling mistakes. In the case of one counterfeit baby carrier website, one of their e-mails opened with, "We wish to welcome you to BRAND X baby carrier, Cheap baby carrier BRAND X, on sale,Free shipping." Respectable businesses have their e-mails proofread before sending them to real customers. When you see poor grammar or spelling, be very suspicious.
  • Criminals will often use the brand name of the goods you are searching for in the URL so they look legitimate to you. But they also frequently change the URLs of their counterfeit websites, making it harder to shut them down. As a result, criminals will often use several different domain names and email addresses during the purchasing process. For example, in our example of the baby carrier website, the cyber criminals may have one domain name for the website (such as www.brandxbabycarriers.com), another domain name for the e-mails they send you (such as from sales@brandxcarrierstogo.com), and a third domain name for support e-mails (such as support@babycarriersbrandx.com). All these different domains are another big red flag.
  • Legitimate organizations should always use encryption during the online purchasing process. If encryption is not used for the online transaction, then do not buy from the website. You can determine if the website is using encryption if the URL has HTTPS and your browser is showing the padlock.
  • Do a search on the name or URL of the online store and see if anyone else has posted any complaints about the website indicating fraud. For example, if you are purchasing items from www.brandxbabycarrier.com, do a search on that URL first and see if others are complaining about fraudulent goods.
  • Use PayPal or other mechanisms that do not reveal your underlying credit card information to the merchant. For example some credit card providers will give you one-time use credit-card numbers. Another option is to use gift cards.
  • Consider using security software that helps rate the trust level of websites you visit.
  • If you are concerned that you cannot tell if a site is legitimate or not, then do not use the site. Purchase the product from a well known site you trust instead. You may not get the best deal, but you will be able to trust the product and the return policy.
  • If you do fall victim to online fraud, report it to the Federal Trade Commission or the law enforcement agency of your country. In addition, call your credit card provider and cancel your existing credit card to protect yourself from any further online fraud, and ask them to issue you a new one.
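Two of the red flags above, several different domains used during one purchase and a checkout page without HTTPS, can be checked mechanically. The Python below is an added example, not code from the OUCH! newsletter; it reuses the newsletter's illustrative addresses as constructed input and reduces each hostname to its last two labels, which is an assumption that holds for plain .com names but not for country-code suffixes such as .co.uk.

```python
"""Red-flag checks for an online shop, modelled on the bullets above.

Added example, not from the original newsletter. Inputs are the URL of the
checkout page plus the e-mail addresses seen during the purchase.
"""
from urllib.parse import urlparse


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels.

    Assumption: simple suffixes like .com. A production tool would consult
    the Public Suffix List so that shop.example.co.uk -> example.co.uk.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_of(item: str) -> str:
    """Accept either a URL or an e-mail address and return its registrable domain."""
    if "@" in item and "://" not in item:
        return registrable_domain(item.rsplit("@", 1)[1])
    parsed = urlparse(item if "://" in item else "http://" + item)
    return registrable_domain(parsed.hostname or "")


def uses_https(url: str) -> bool:
    """The newsletter's encryption check: the scheme must be HTTPS."""
    return urlparse(url).scheme == "https"


def shop_red_flags(checkout_url: str, contacts: list) -> list:
    """Return the red flags from the list above that apply to this purchase."""
    flags = []
    if not uses_https(checkout_url):
        flags.append("checkout URL is not HTTPS")
    domains = {domain_of(checkout_url)} | {domain_of(c) for c in contacts}
    if len(domains) > 1:
        flags.append("multiple domains in use: " + ", ".join(sorted(domains)))
    return flags


if __name__ == "__main__":
    # Constructed scenario built from the newsletter's example addresses.
    print(shop_red_flags(
        "http://www.brandxbabycarriers.com/checkout",
        ["sales@brandxcarrierstogo.com", "support@babycarriersbrandx.com"],
    ))
    # A shop whose site and mail all share one domain over HTTPS raises nothing.
    print(shop_red_flags(
        "https://shop.example.com/checkout",
        ["sales@example.com", "support@example.com"],
    ))
```

A clean result is not proof of legitimacy, only the absence of these two signals; the other bullets (pricing, grammar, outside complaints, payment method) still apply.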
RESOURCES
Some of the links have been shortened for greater readability using the TinyURL service. To mitigate security issues, OUCH! always uses TinyURL’s preview feature, which shows you the ultimate destination of the link and asks your permission before proceeding to it.

Web of Trust:
http://www.mywot.com/

SiteAdvisor:
https://www.siteadvisor.com/

Reporting Complaints to FTC:
https://www.ftccomplaintassistant.gov/

Common Security Terms:
http://preview.tinyurl.com/6wkpae5

SANS Security Tip of the Day:
http://preview.tinyurl.com/6s2wrkp



LEARN MORE
Subscribe to the monthly OUCH! security awareness newsletter, access the OUCH! archives, and learn more about SANS security awareness solutions by visiting us at http://www.securingthehuman.org.  OUCH! is distributed under the Creative Commons BY-NC-ND 3.0 license.

08/31/2012 - Tip of the Day!


Do not allow Internet Explorer to store passwords for you

Stored passwords allow anyone who can access your machine to log in to your web accounts as you. In addition, there are numerous utilities that can expose that hidden information and actually reveal the password. If you've reused that password for other logins, many systems or web sites could be compromised.

08/02/12 - Tip of the Day!


Always log off your own computer. Do not let anyone else offer to do it for you.

One of our branch supervisors was offering to log her staff off for them, so they didn't have to wait, and could get on with their evenings away from work. She wouldn't really log them off, though, but would just turn off their computer monitors. Once the staff had left for the evening, she would go back to the computers to see who was still signed in to the banking software. If she found someone still signed in, the supervisor would then defraud the bank, using her staff's IDs to cover her tracks.

August 2012 - secureCI Monthly Security Newsletter


secureCI presents Ouch!

The SANS Monthly Information Security Bulletin at Channel Islands

  • The Scam
  • Protecting Yourself


The Tech-Support Phone Call Scam


OVERVIEW
At the heart of many cyber attacks are criminals attempting to fool you out of your money or trick you into giving them your personal information. Common examples of this are fraudulent e-mails, called phishing, that pretend to come from a person or company you trust, such as your friend or your bank. While such e-mail attacks are still a threat, criminals are also calling potential victims on the phone. In this newsletter we explain how such a phone scam works, specifically a common tech-support scam, and what you can do to protect yourself.

THE SCAM
No two scams are ever exactly the same, however they often include many of the elements you are about to read here. You receive a phone call from a person claiming to be from a computer support company associated with Microsoft or another legitimate company. They claim to have detected your computer behaving abnormally, such as scanning the Internet, and believe it is infected with a virus. They explain they are investigating the issue and offer to help you secure your computer. They then use a variety of technical terms and take you through confusing steps to convince you that your computer is infected, scaring you into ultimately buying their product.

For example, they may begin by asking you to download and install a program from their website or use online services that will give them remote access to your computer so they can troubleshoot and confirm the problem. These tools are usually legitimate remote access tools, such as LogMeIn.com or ShowMyPC.com, so they most likely will not be flagged by your antivirus software. With you on the phone, the scammer will then remotely walk you through various programs and settings on your computer. The person will attempt to convince you that he or she is taking actions to investigate the virus infection that is supposedly plaguing your computer. The caller may even begin to disable legitimate services that are always present on a Windows computer, claiming the services are actually malicious programs. By disabling or even crippling your computer, they are attempting to scare you into believing that your computer is badly infected and the only way you can fix the problem is by purchasing their product or paying for an expensive annual subscription service. Their ultimate goal is to gain control of your computer, get your money, and potentially harvest your personal information.

Remember, everything these criminals are telling you is a lie; do not fall for such attacks. The reason criminals use the telephone instead of e-mail is that there is very little technology that can protect you from phone call scams like this. In addition, phone calls are a powerful way for criminals to convey emotion and a sense of urgency, thus increasing their chances of fooling you. The best protection from attacks like this is not  technology, but yourself.

PROTECTING YOURSELF

At times legitimate companies whose services you use, such as your bank or your credit card company, may call you to confirm your account information, or to update you on a purchase. The challenge is determining when these phone calls are from legitimate companies and when they are scams. Here are some key steps to protect yourself.
  • When someone asks you for information over the phone or asks you to take an action, be suspicious and confirm the person’s identity first. Ask what company the person works for. If you have never heard of the company before, then there is a good chance this is an attack. If this is a legitimate company you know, then simply tell the person this is not a good time for you to talk. Ask for a name and employee number and  explain that you will call back. Then go to the organization’s website or other information that you already have on file, get the phone number from there, and call the company back.
  • If the phone caller is creating a sense of urgency or creating tremendous pressure for you to take action right away, this is most likely a scam. Do not trust them.
  • Do not rely on Caller-ID alone to authenticate a caller. It is easy for criminals to spoof the Caller-ID or create fake Caller-IDs so they can pretend to be calling from a legitimate  company when they really are not.
  • Never give your password over the phone. No legitimate organization will ever ask you for your password.
  • Never give an organization information they should already possess. For example, if your bank is calling you, the caller should already have your account number.


Be very suspicious of any caller asking for remote access to your computers or pressuring you to buy a computer security product; these phone calls are most likely a scam.



RESOURCES
Some of the links shown below have been shortened for greater readability using the TinyURL service. To mitigate security issues, OUCH! always uses TinyURL’s preview feature, which shows you the ultimate destination of the link and asks your permission before proceeding to it. 

Recording of Actual Tech-Support Scams:
http://preview.tinyurl.com/cbg9kku

Microsoft on Tech-Support Scams:
http://preview.tinyurl.com/cxpwkc9

Symantec on Tech-support Scams:
http://preview.tinyurl.com/244raev

Reporting Scams:
https://www.ftccomplaintassistant.gov

ISC Survey on Tech-Support Scams:
https://isc.sans.edu/reportfakecall.html

Common Security Terms:
http://preview.tinyurl.com/6wkpae5 

LEARN MORE
Subscribe to the monthly OUCH! security awareness newsletter, access the OUCH! archives, and learn more about SANS security awareness solutions by visiting us at http://www.securingthehuman.org.  OUCH! is distributed under the Creative Commons BY-NC-ND 3.0 license.

07/30/12 Tip of the Day!


Don't use information related to yourself as a password

Students at a school in London exploited a teacher's poor password selection to access grades and other school records. The teacher had used his daughter's name as a password, but became suspicious when students made reference to an excursion, which had not yet been announced, so he changed his password to the registration number of his car, which was parked outside the school every day. When he received complaints from other teachers about grades being leaked, he changed it again, this time to his postcode. The students in question cracked this within days too.

07/27/12 - Tip of the Day!


If you get up from your computer, lock it! 

"I sent an email to your boss letting him know what you really think of him". This Notepad message was on my screen when I got back to my cubicle after getting up to stretch my legs. What? I had been gone for 180 seconds -- three quick minutes. Lucky for me, the note turned out to be from our systems administrator who wanted to make a point. All it takes is about one minute for a disgruntled colleague to send a message on your behalf to the boss and there is no way for you to prove you didn't send it. In about 30 seconds, a cracker could install a keystroke logger to capture everything you type including company secrets, user names and passwords. In about 15 seconds, a passerby could delete all your documents.

07/25/12 - Tip of the Day!



Check and make sure your friend did really send that great screensaver

A common method of transmitting malware is by infecting some unsuspecting user's computer and then using that computer to infect others. One simple way to do this is for a hacker to hijack your address book and send copies of the malware to everyone in that address book. Of course, YOU need to be enticed to run the malware, and the best way to do that is to fool you into thinking the attachment is something else. If a friend or acquaintance sends you a "great screensaver" or something similar, which you were not expecting, take a few minutes to confirm that person really sent it. If they know nothing about it, then delete the message.       

07/20/12 - Tip of the Day!


Paper Files Have to be Protected Too


You've probably heard that to err is human, but to foul things up completely you need a computer. We know it's important to protect the big databases that we store, but we can't ignore paper records. The amount of information held on paper may be much smaller, but many of the most serious leaks happen through very human methods — reports stolen from desktops or read over someone's shoulder.  Keep sensitive paper files locked away when they are not being used and don't read them in public places.

07/17/12 - Tip of the Day!



Don't Trust Links Sent in Email Messages

A common fraud, called "phishing", sends messages that appear to be from a bank, shop or auction, giving a link to a fake website and asking you to follow that link and confirm your account details. The fraudsters then use your account details to buy stuff or transfer money out of the account. These fake sites can be hard to spot, so no reputable organization will send a message requesting your confidential information.    

07/10/12 - Tip of the Day!



Do not allow Internet Explorer to store passwords for you

Stored passwords allow anyone who can access your machine to log in to your web accounts as you.  In addition, there are numerous utilities that can expose that hidden information and actually reveal the password.  If you've reused that password for other logins, many systems or web sites could be compromised.

07/09/12 - Tip of the Day!



If you're not sure you've seen an incident, report it anyway.

Most security folks (and IT folks, for that matter) would rather hear about a problem from you than to figure it out afterwards while troubleshooting a system failure. If a phone call from User Support doesn't sound quite right, if a common email announcement is just a little off, or if a caller on the phone is too stressed to remember his or her password — don't be pressured and don't be rushed. Rush and pressure are among the "social engineering" hacker's best tools. Ask for help! Call your supervisor, call your IT group, and call your InfoSec group on the spot for assistance. You are as responsible (or more) to the whole company as you are to the one person on the phone! Don't let one person's stress jeopardize the organization's information security.

07/06/12 - Tip of the Day!



Don't Click to Agree without Reading the Small Print

Some free software passes your information on to advertisers, changes your PC or downloads other software without asking you.  Some suppliers will claim that this is OK because you agreed to this.  How?  People often click on the "agree" button to accept 20 pages of difficult legal jargon they don't understand.  But buried in the middle can be a sentence allowing the software to do whatever it likes.  You can argue in court that the terms aren't reasonable, but then it will be too late — the damage has been done and your PC is broken.  Learn from other people's pain: if terms and conditions are hard to understand, it is probably deliberate.  If it isn't worth the trouble to read the conditions, don't risk using the software.       

July 2012 - secureCI Ouch! Monthly Bulletin


secureCI presents Ouch!

The SANS Monthly Information Security Bulletin at Channel Islands

  • Stored Information
  • Wiping your Device
  • SIM Cards / SD Cards
  • Options for Disposal

Safely Disposing of Your Mobile Device

OVERVIEW
Mobile devices, such as smart-phones and tablets, continue to advance and innovate at an astonishing rate. As a result, many of us replace our mobile devices as often as every 18 months. A key question becomes: what are you doing with your older devices? Many people simply dispose of their older mobile devices with little thought about all the personal data they have accumulated. However, a surprising amount of personal information is stored on these older devices. If your devices are not securely wiped before disposal, this information can easily be recovered, exposing you or your organization to tremendous risk.

STORED INFORMATION
Mobile devices store far more sensitive data than you may realize, perhaps more than your computer. When you dispose of your device you could be exposing the following information:
  • The contact details for everyone in your address book, including family, friends, and co-workers
  • Call history, including inbound, outbound, and missed calls
  • Text messages or logged chat sessions
  • Location history based on GPS coordinates or cell tower history
  • Web browsing history, cookies, and cached pages
  • Personal photos, videos, audio recordings, and emails
  • Stored passwords and access to personal accounts, such as your voicemail
WIPING YOUR DEVICE
Before you begin securely wiping your mobile device, consider whether or not you want to back up any of your data, such as photos, videos, or any other information. Once you’ve followed the steps below, you will not be able to recover any of your data. In addition, if your mobile device was issued to you by your employer or has any organizational data stored on it, be sure to check with your supervisor about proper backup and disposal procedures before following the steps below. Unfortunately, just deleting your data is not enough; it can still be recovered. We recommend that you use the device “factory reset” function to remove all data from the device and return it to the condition it was in when you bought it.
We have found that factory reset will provide the most secure method for removing data from your mobile device. The location of the factory reset function varies among devices; listed below are the steps for the most popular devices.

  • Apple iOS Devices: Settings > General > Reset > Erase All Content and Settings
  • Android Devices: Settings > Privacy > Factory Data Reset
  • Windows Phones: Settings > About > Reset Your Phone
  • BlackBerry Phones: Options > Security Options > Security Wipe

If you still have questions about how to perform a factory reset, check your owner’s manual or the manufacturer’s website. Another option is to take your mobile device to the store you bought it from and get help resetting it from a trained technician. Remember, simply deleting your personal data is not enough as it can be easily recovered.

SIM CARDS
In addition to the data stored on your device, you also need to consider what to do with your SIM (Subscriber Identity Module) card. Many mobile devices use a SIM card to uniquely identify you and your account information when you place and receive calls on a mobile network. When you perform a factory reset on your device, the SIM card retains information about your account. If you are keeping your phone number and moving to a new phone, talk to the phone salesperson about transferring your SIM card to the new phone. If this is not possible (for example, if your new phone uses a different size SIM card) keep your old SIM card and physically shred or destroy it to prevent someone else from re-using it.

EXTERNAL STORAGE CARDS
Some mobile devices utilize an external SD (Secure Digital) card for additional storage. These storage cards often contain pictures, smart phone applications, and other sensitive content. Remember to remove any external storage cards from your mobile device prior to disposal (for some devices, your SD cards may be hidden in the battery compartment of your device). These cards can often be reused in new mobile devices or can be used as generic storage on your computer with a USB adapter. If reusing your SD card is not possible, then just like your old SIM card, we recommend you physically destroy it.

OPTIONS FOR DISPOSAL
When it comes to disposing of your old mobile device, instead of throwing it out, consider recycling it instead. Most carriers offer a discount on your next purchase when you recycle. Another option is to donate your mobile device to the charitable cause of your choice. Below are just some of the many places you can either recycle or donate your mobile device.


Verizon Recycling

Sprint Recycling

AT&T Recycling

Recycling Mobile Phones

EPA Mobile Phone Donations Site

National Coalition Against Domestic Violence
http://preview.tinyurl.com/l48kw4 

Operation Gratitude


RESOURCES
Some of the links shown below have been shortened for greater readability using the TinyURL service. To mitigate security issues, OUCH! always uses TinyURL’s preview feature, which shows you the ultimate destination of the link and asks your permission before proceeding to it. 

Common Security Terms:
http://preview.tinyurl.com/6wkpae5 

SANS Security Tip of the Day:
http://preview.tinyurl.com/6s2wrkp 

LEARN MORE
Subscribe to the monthly OUCH! security awareness newsletter, access the OUCH! archives, and learn more about SANS security awareness solutions by visiting us at http://www.securingthehuman.org.  OUCH! is distributed under the Creative Commons BY-NC-ND 3.0 license.