Archive for September 2012

09/26/12 - Tip of the Day!


Effectively delete files 

When you delete a file, depending on your operating system and your settings, the file may be transferred to your trash or recycle bin. This "holding area" essentially protects you from yourself—if you accidentally delete a file, you can easily restore it. An unauthorized person will also be able to retrieve it. Does your recycle bin include credit card information, passwords, medical, or other personal data? Is there sensitive corporate information? Empty the trash or recycle bin on a regular basis to ensure that deleted information stays deleted.

09/24/12 - Tip of the Day!


Don't Click to Agree without Reading the Small Print 

Some free software passes your information on to advertisers, changes your PC or downloads other software without asking you. Some suppliers will claim that this is OK because you agreed to this. How? People often click on the "agree" button to accept 20 pages of difficult legal jargon they don't understand. But buried in the middle can be a sentence allowing the software to do whatever it likes. You can argue in court that the terms aren't reasonable, but then it will be too late — the damage has been done and your PC is broken. Learn from other people's pain: if terms and conditions are hard to understand, it is probably deliberate. If it isn't worth the trouble to read the conditions, don't risk using the software.

09/19/12 - Tip of the Day!



Don't share your password, even with an assistant or close coworker

Here are two examples of why you should never share your ID and password with anyone.

A salesperson relied on his assistant every day, trusting them with his user name and password. Eventually the assistant quit, but not before deleting all of the salesperson's sent e-mail and saved files... It turned out the assistant had never backed up the computer either.

Several coworkers used the same ID and password to log in to their systems—it seemed easier for them that way. The time came to change their password, and they forgot to tell each other they were changing it. One by one they all began calling the help desk to get the password reset for their shared ID. The end result was that they locked each other out of their computers and were finally reprimanded for sharing the ID and password in the first place.

09/17/12 - Tip of the Day!



We've all received them: emails from a seemingly trusted source, such as a bank or delivery company, claiming there is some issue that requires you to hand over personal information or click a link or button to clear it up. If you receive an email of this sort, DO NOT CLICK ON ANY LINK OR OFFER UP ANY INFORMATION!

This is a common form of security attack called a phishing or spear-phishing scam.

Groups attempting to steal personal information will often use e-mails that appear to originate from a trusted source to try and trick a user into entering valid credentials at a fake website. Typically the e-mail and the web site look like they are part of a bank or some other organization the user is doing business with.

If you receive an email like this and you are certain it is fraudulent, please report it immediately to the T&C Helpdesk at X8552 or helpdesk@csuci.edu. They will assist you and instruct you on how to remove it effectively.

09/10/12 - Tip of the Day!



Eight Tips for Creating Bulletproof Passwords

Strong passwords are an important way to protect your data from theft – and to avoid joining the more than nine million Americans victimized by identity theft each year. Darya Gudkova, head of content analysis and research for Kaspersky, also emphasizes the need for strong passwords. She recommends long passwords with a mix of different characters and letters. She also throws in several different languages to make her own passwords even tougher to crack. How do you create a bulletproof password that hackers can't crack? These tips from myID.com can help you set passwords that keep your data secure.


Ban the basics!
Never use words found in a dictionary, even written backwards, in another language, or with a simple number following.

Personal is Predictable!
Anyone who knows you could guess your password if it uses your name or username, birthday, pet or favorite team, band or movie.

Size Matters! 
The longer the better. Passwords should be at least 8-14 characters and mix upper and lowercase letters, special characters and numbers.

Hooked on Mnemonics! 
Try working a mnemonic phrase into your password. For example, “There's no place like home” would be translated to “TNPLH”.

Sell-By-Dates. 
Change passwords for online bank or credit card accounts every 1 to 2 months; others are good for maybe a few months. Mark your calendar.

To each his own. 
Don’t use the same password or similar patterns (word plus repeated number for example), so one cracked password doesn’t unlock all accounts.

Keep it secret, keep it safe. 
You would think people wouldn't need to be reminded of this, but... Don’t share passwords or store them on your computer or mobile device. The best place to store them is in your head or a locked safe.

PASSWORD is not a password. 
If an admin sets your password to PASSWORD, change it FAST!
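As an added illustration (not from the original tip or from myID.com), here is a small Python check that encodes the rules above against constructed sample word lists; the DICTIONARY and PERSONAL sets are stand-ins for a real dictionary and a real list of the user's personal terms:

```python
import re

# Constructed sample lists; a real check would load a full dictionary and
# the user's own personal terms (name, pet, birth year, favorite team, ...).
DICTIONARY = {"password", "welcome", "dragon", "summer", "monkey"}
PERSONAL = {"alice", "fluffy", "1985", "lakers"}

def core_word(pw):
    """Strip a trailing run of digits/symbols so 'Summer2012!' checks as 'summer'."""
    return re.sub(r"[^a-z]+$", "", pw.lower())

def check_password(pw, dictionary=DICTIONARY, personal=PERSONAL):
    """Return the list of tips the password violates (empty list = passes)."""
    problems = []
    base = core_word(pw)
    # Ban the basics: dictionary words, also reversed or with a number appended
    if base in dictionary or base[::-1] in dictionary:
        problems.append("dictionary word (possibly reversed or with number suffix)")
    # Personal is predictable: names, pets, birthdays, teams
    if any(term in pw.lower() for term in personal):
        problems.append("contains personal information")
    # Size matters: at least 8 characters and a mix of character classes
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if len(pw) < 8 or classes < 3:
        problems.append("too short or too few character classes")
    # PASSWORD is not a password
    if pw.upper() == "PASSWORD":
        problems.append("default password")
    return problems

def shares_pattern(pw_a, pw_b):
    """To each his own: flag the 'similar pattern' case where two accounts use
    the same core word and only the trailing digits/symbols differ."""
    return core_word(pw_a) == core_word(pw_b) and pw_a != pw_b

def mnemonic(phrase):
    """Hooked on mnemonics: first letter of each word, e.g. 'TNPLH'."""
    return "".join(w[0] for w in phrase.split()).upper()

if __name__ == "__main__":
    for candidate in ("Summer2012!", "remmuS9", "Fluffy#1985", "PASSWORD", "Tnplh!49Kz"):
        print(candidate, "->", check_password(candidate) or "ok")
    print(shares_pattern("Summer2012!", "Summer2013!"))  # same pattern, different year
```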

September 2012 - secureCI Monthly Newsletter



secureCI presents Ouch!

The SANS Monthly Information Security Bulletin at Channel Islands

  • Overview
  • Example of a Counterfeit Website
  • Protecting Yourself


Counterfeit Websites


OVERVIEW
One of the advantages of shopping online is the ability to find the product or service you want, but at lower prices. Criminals know this and will take advantage of your desire to find an online bargain. Criminals will create fake websites that appear legitimate, but will sell you counterfeit goods or even worse, simply not deliver anything at all. In this newsletter we give an example of such an attack and then explain how you can protect yourself from similar fraud.

EXAMPLE OF A COUNTERFEIT WEBSITE
Let’s pretend you need to purchase a baby carrier, perhaps as a gift for a friend who has a newborn. You decide to look for a bargain online and begin with a search for baby carriers, specifically BRAND X baby carriers as you know that is what your friend prefers. You quickly discover that multiple sites sell the same baby carrier, however the prices vary greatly. You select the website that has the cheapest prices and purchase the product online. Several weeks later you receive the product, only to discover it does not look quite right – some of the pieces are wrong, the material is defective, or the product is outdated. You attempt to call the website to return the product only to discover there is no phone number. You then e-mail the website but never receive a response to any of your complaints. You just purchased a counterfeit (or stolen) product from a counterfeit website.

What happened is that criminals simply copied the legitimate website of the original manufacturer (in this case BRAND X baby carrier), posted this website under a new domain name that they control, and then significantly lowered the prices to encourage people to buy from this rogue website. The items they deliver to you are counterfeit, stolen, or used products, or they simply do not send anything at all. As such, whatever they charge is pure profit for them.


PROTECTING YOURSELF
We understand that you want to leverage the Internet for the best possible shopping experience. Here are several steps you can take to protect yourself from attacks like these.
  • If the pricing seems too good to be true, be very suspicious.
  • Call their support number. Wait ... no support number or contact listed to call? Another red flag.
  • Often the criminals that set up these counterfeit websites are not native speakers of the website’s language. The e-mails they send you may have poor grammar or simple spelling mistakes. In the case of one counterfeit baby carrier website, one of their e-mails opened with, "We wish to welcome you to BRAND X baby carrier, Cheap baby carrier BRAND X, on sale,Free shipping." Respectable businesses have their e-mails proofread before sending them to real customers. When you see poor grammar or spelling, be very suspicious.
  • Criminals will often use the brand name of the goods you are searching for in the URL so they look legitimate to you. But they also frequently change the URLs of their counterfeit websites, making it harder to shut them down. As a result, criminals will often use several different domain names and email addresses during the purchasing process. In the baby carrier example above, the cyber criminals may have one domain name for the website (such as www.brandxbabycarriers.com), another domain name for the e-mails they send you (such as from sales@brandxcarrierstogo.com), and a third domain name for support e-mails (such as support@babycarriersbrandx.com). All these different domains are another big red flag.
  • Legitimate organizations should always use encryption during the online purchasing process. If encryption is not used for the online transaction, then do not buy from the website. You can determine if the website is using encryption if the URL has HTTPS and your browser is showing the padlock.
  • Do a search on the name or URL of the online store and see if anyone else has posted any complaints about the website indicating fraud. For example, if you are purchasing items from www.brandxbabycarrier.com, do a search on that URL first and see if others are complaining about fraudulent goods.
  • Use PayPal or other mechanisms that do not reveal your underlying credit card information to the merchant. For example some credit card providers will give you one-time use credit-card numbers. Another option is to use gift cards.
  • Consider using security software that helps rate the trust level of websites you visit.
  • If you are concerned that you cannot tell if a site is legitimate or not, then do not use the site. Purchase the product from a well known site you trust instead. You may not get the best deal, but you will be able to trust the product and the return policy.
  • If you do fall victim to online fraud, report it to the Federal Trade Commission (FTC) or the law enforcement agency of your country. In addition, call your credit card provider and cancel your existing credit card to protect yourself from any further online fraud, and ask them to issue you a new one.
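As an added example (not from OUCH!, SANS or the newsletter), this Python script applies the HTTPS, multiple-domain, brand-name-in-URL and no-phone-number checks above to the newsletter's fictitious BRAND X domains; the brand's "official" domain brandx.com is an assumption made up for the example:

```python
from urllib.parse import urlparse

def registrable_domain(host):
    """Reduce 'www.brandxbabycarriers.com' to 'brandxbabycarriers.com'.
    Simplified: keeps the last two labels, which is wrong for public suffixes
    such as co.uk; a production check would consult the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def email_domain(addr):
    """Domain part of an e-mail address, reduced the same way."""
    return registrable_domain(addr.rsplit("@", 1)[-1])

def red_flags(site_url, email_addrs, has_phone=True, brand="", official=()):
    """Return the newsletter's red flags that this purchase trips.
    brand: the brand being shopped for; official: the domains it really owns."""
    flags = []
    parsed = urlparse(site_url)
    # Legitimate shops encrypt the purchase: the URL should be HTTPS
    if parsed.scheme != "https":
        flags.append("no HTTPS on the shop")
    # Website, sales e-mail and support e-mail should share one domain
    domains = {registrable_domain(parsed.hostname or "")}
    domains |= {email_domain(a) for a in email_addrs}
    if len(domains) > 1:
        flags.append("multiple domains: " + ", ".join(sorted(domains)))
    # Brand name squeezed into a domain the brand does not actually own
    if brand and any(brand in d and d not in official for d in domains):
        flags.append("brand name in a domain the brand does not own")
    # No support phone number or contact listed to call
    if not has_phone:
        flags.append("no support phone number")
    return flags

# Constructed example using the newsletter's fictitious BRAND X domains
if __name__ == "__main__":
    for flag in red_flags("http://www.brandxbabycarriers.com",
                          ["sales@brandxcarrierstogo.com",
                           "support@babycarriersbrandx.com"],
                          has_phone=False, brand="brandx",
                          official={"brandx.com"}):
        print("red flag:", flag)
```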
RESOURCES
Some of the links have been shortened for greater readability using the TinyURL service. To mitigate security issues, OUCH! always uses TinyURL’s preview feature, which shows you the ultimate destination of the link and asks your permission before proceeding to it.

Web of Trust:
http://www.mywot.com/

SiteAdvisor:
https://www.siteadvisor.com/

Reporting Complaints to FTC:
https://www.ftccomplaintassistant.gov/

Common Security Terms:
http://preview.tinyurl.com/6wkpae5

SANS Security Tip of the Day:
http://preview.tinyurl.com/6s2wrkp



LEARN MORE
Subscribe to the monthly OUCH! security awareness newsletter, access the OUCH! archives, and learn more about SANS security awareness solutions by visiting us at http://www.securingthehuman.org. OUCH! is distributed under the Creative Commons BY-NC-ND 3.0 license.