Archive for July 2012

07/30/12 - Tip of the Day!

Don't use information related to yourself as a password

Students at a school in London exploited a teacher's poor password selection to access grades and other school records. The teacher had used his daughter's name as a password, but became suspicious when students made reference to an excursion, which had not yet been announced, so he changed his password to the registration number of his car, which was parked outside the school every day. When he received complaints from other teachers about grades being leaked, he changed it again, this time to his postcode. The students in question cracked this within days too.
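The tip above is a policy failure that can also be enforced in software. As an added illustration (not code from the original tip), here is a small Python check of the kind a password-change form or help-desk tool could run: it rejects a candidate password that contains any of the user's known personal attributes, including the reversed form and common letter-for-digit substitutions. The attribute values (a daughter's name, a registration plate, a postcode, a surname) are constructed sample data, and the substitution table is an assumed, deliberately short list.

```python
import re

# Undo the letter-for-digit swaps people use to "disguise" a familiar word (assumed list).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed sample of what an attacker who knows the user could guess.
SAMPLE_ATTRIBUTES = {
    "daughter": "Emily",
    "car_registration": "LB62 XYZ",
    "postcode": "SW1A 1AA",
    "surname": "Hargreaves",
}


def normalize(text):
    """Lowercase, undo common substitutions and drop anything that is not a letter or digit."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(LEET))


def find_personal_info(password, attributes, min_len=4):
    """Return the labels of attributes whose value (whole, per word, or reversed)
    appears inside the candidate password after normalisation."""
    pw = normalize(password)
    hits = []
    for label, value in attributes.items():
        # Compare the whole value and each whitespace-separated part of it.
        tokens = {normalize(value)} | {normalize(part) for part in value.split()}
        for tok in tokens:
            if len(tok) >= min_len and (tok in pw or tok[::-1] in pw):
                hits.append(label)
                break
    return hits


def is_acceptable(password, attributes=SAMPLE_ATTRIBUTES):
    """True when no known personal attribute is embedded in the password."""
    return not find_personal_info(password, attributes)


if __name__ == "__main__":
    for candidate in ["Emily2012", "LB62XYZ!", "sw1a1aa", "3m1ly!",
                      "ylime99", "correct horse battery"]:
        hits = find_personal_info(candidate, SAMPLE_ATTRIBUTES)
        print(f"{candidate!r:26} -> {hits or 'ok'}")
```

The check is only as good as the attribute list it is given; in practice that list would come from the HR or directory record for the user, and the same normalisation must be applied to both sides so that "3m1ly!" is caught as readily as "Emily".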

07/27/12 - Tip of the Day!

If you get up from your computer, lock it!

"I sent an email to your boss letting him know what you really think of him". This Notepad message was on my screen when I got back to my cubicle after getting up to stretch my legs. What? I had been gone for 180 seconds -- three quick minutes. Lucky for me, the note turned out to be from our systems administrator who wanted to make a point. All it takes is about one minute for a disgruntled colleague to send a message on your behalf to the boss and there is no way for you to prove you didn't send it. In about 30 seconds, a cracker could install a keystroke logger to capture everything you type including company secrets, user names and passwords. In about 15 seconds, a passerby could delete all your documents.

07/25/12 - Tip of the Day!

Check and make sure your friend did really send that great screensaver

A common method of transmitting malware is by infecting some unsuspecting user's computer and then using that computer to infect others. One simple way to do this is for a hacker to hijack your address book and send copies of the malware to everyone in that address book. Of course, YOU need to be enticed to run the malware, and the best way to do that is to fool you into thinking the attachment is something else. If a friend or acquaintance sends you a "great screensaver" or something similar, which you were not expecting, take a few minutes to confirm that person really sent it. If they know nothing about it, then delete the message.

07/20/12 - Tip of the Day!

Paper Files Have to be Protected Too

You've probably heard that to err is human, but to foul things up completely you need a computer. We know it's important to protect the big databases that we store, but we can't ignore paper records. The amount of information held on paper may be much smaller, but many of the most serious leaks happen through very human methods — reports stolen from desktops or read over someone's shoulder. Keep sensitive paper files locked away when they are not being used and don't read them in public places.

07/17/12 - Tip of the Day!

Don't Trust Links Sent in Email Messages

A common fraud, called "phishing", sends messages that appear to be from a bank, shop or auction site, giving a link to a fake website and asking you to follow that link and confirm your account details. The fraudsters then use your account details to buy goods or transfer money out of the account. These fake sites can be hard to spot, which is why no reputable organization will send a message requesting your confidential information.
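One reason these links are hard to spot is that the text you see and the address the link actually opens are two different things. As an added Python example (not part of the original tip, and not any vendor's filter), here is a heuristic a mail gateway or a cautious reader can apply to an HTML message: compare the domain shown in each link's visible text with the host its href really points to, and also flag links that go straight to an IP address. The email body is a constructed sample and every domain in it is a placeholder.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample email body; every domain in it is a placeholder.
SAMPLE_EMAIL = """
<p>Dear customer, please <a href="https://examplebank.com.login-verify.example/">
confirm your details at www.examplebank.com</a> within 24 hours.</p>
<p>Or use <a href="http://192.0.2.10/account">our secure portal</a>.</p>
<p>Help is at <a href="https://examplebank.com/help">examplebank.com/help</a>.</p>
<p><a href="mailto:support@examplebank.com">Contact us</a></p>
"""

DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_host(href):
    """Lowercased web host of an href, or None for mailto:/tel:/javascript: and the like."""
    parts = urlsplit(href)
    if not parts.scheme:                      # e.g. "www.example.com/path"
        parts = urlsplit("http://" + href)
    elif parts.scheme not in ("http", "https"):
        return None
    return parts.hostname.lower() if parts.hostname else None


def shown_domain(text):
    """The first domain-looking token in the link's visible text, if any."""
    m = DOMAIN_RE.search(text)
    return m.group(1).lower() if m else None


def same_site(shown, actual):
    """True when the displayed domain and the real host are the same site (either may be a subdomain)."""
    return shown == actual or actual.endswith("." + shown) or shown.endswith("." + actual)


def suspicious_links(html):
    """Return (href, visible_text, reason) for each link whose destination does not match what it shows."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        actual = link_host(href)
        if actual is None:
            continue
        if IPV4_RE.match(actual):
            findings.append((href, text, "link goes to a raw IP address"))
            continue
        shown = shown_domain(text)
        if shown and not same_site(shown, actual):
            findings.append((href, text, f"text shows {shown} but link goes to {actual}"))
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: {text!r} -> {href}")
```

Note the first sample link: the real host ends in `login-verify.example`, and `examplebank.com` is merely its leading label. The `same_site` check is anchored on the end of the hostname precisely so that this trick is not mistaken for a subdomain of the bank.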

07/10/12 - Tip of the Day!

Do not allow Internet Explorer to store passwords for you

Stored passwords allow anyone who can access your machine to log in to your web accounts as you. In addition, there are numerous utilities that can expose that hidden information and actually reveal the password. If you've reused that password for other logins, many systems or web sites could be compromised.

07/09/12 - Tip of the Day!

If you're not sure you've seen an incident, report it anyway.

Most security folks (and IT folks, for that matter) would rather hear about a problem from you than to figure it out afterwards while troubleshooting a system failure. If a phone call from User Support doesn't sound quite right, if a common email announcement is just a little off, or if a caller on the phone is too stressed to remember his or her password — don't be pressured and don't be rushed. Rush and pressure are among the "social engineering" hacker's best tools. Ask for help! Call your supervisor, call your IT group, and call your InfoSec group on the spot for assistance. You are as responsible (or more) to the whole company as you are to the one person on the phone! Don't let one person's stress jeopardize the organization's information security.

07/06/12 - Tip of the Day!

Don't Click to Agree without Reading the Small Print

Some free software passes your information on to advertisers, changes your PC or downloads other software without asking you. Some suppliers will claim that this is OK because you agreed to this. How? People often click on the "agree" button to accept 20 pages of difficult legal jargon they don't understand. But buried in the middle can be a sentence allowing the software to do whatever it likes. You can argue in court that the terms aren't reasonable, but then it will be too late — the damage has been done and your PC is broken. Learn from other people's pain: if terms and conditions are hard to understand, it is probably deliberate. If it isn't worth the trouble to read the conditions, don't risk using the software.

July 2012 - secureCI Ouch! Monthly Bulletin

secureCI presents Ouch!

The SANS Monthly Information Security Bulletin at Channel Islands

  • Stored Information
  • Wiping your Device
  • SIM Cards / SD Cards
  • Options for Disposal

Safely Disposing of Your Mobile Device

OVERVIEW
Mobile devices, such as smartphones and tablets, continue to advance and innovate at an astonishing rate. As a result, many of us replace our mobile devices as often as every 18 months. A key question is: what are you doing with your older devices? Many people simply dispose of their older mobile devices with little thought about all the personal data they have accumulated. However, a surprising amount of personal information is stored on these older devices. If your devices are not securely wiped before disposal, this information can easily be recovered, exposing you or your organization to tremendous risk.

STORED INFORMATION
Mobile devices store far more sensitive data than you may realize, perhaps more than your computer. When you dispose of your device you could be exposing the following information:
  • The contact details for everyone in your address book, including family, friends, and co-workers
  • Call history, including inbound, outbound, and missed calls
  • Text messages or logged chat sessions
  • Location history based on GPS coordinates or cell tower history
  • Web browsing history, cookies, and cached pages
  • Personal photos, videos, audio recordings, and emails
  • Stored passwords and access to personal accounts, such as your voicemail
WIPING YOUR DEVICE
Before you begin securely wiping your mobile device, consider whether or not you want to back up any of your data, such as photos, videos, or any other information. Once you've followed the steps below, you will not be able to recover any of your data. In addition, if your mobile device was issued to you by your employer or has any organizational data stored on it, be sure to check with your supervisor about proper backup and disposal procedures before following the steps below. Unfortunately, just deleting your data is not enough; it can still be recovered. We recommend that you use the device "factory reset" function to remove all data from the device and return it to the condition it was in when you bought it.
We have found that factory reset will provide the most secure method for removing data from your mobile device. The location of the factory reset function varies among devices; listed below are the steps for the most popular devices.

  • Apple iOS Devices: Settings > General > Reset > Erase All Content and Settings
  • Android Devices: Settings > Privacy > Factory Data Reset
  • Windows Phones: Settings > About > Reset Your Phone
  • BlackBerry Phones: Options > Security Options > Security Wipe

If you still have questions about how to perform a factory reset, check your owner’s manual or the manufacturer’s website. Another option is to take your mobile device to the store you bought it from and get help resetting it from a trained technician. Remember, simply deleting your personal data is not enough as it can be easily recovered.

SIM CARDS
In addition to the data stored on your device, you also need to consider what to do with your SIM (Subscriber Identity Module) card. Many mobile devices use a SIM card to uniquely identify you and your account information when you place and receive calls on a mobile network. When you perform a factory reset on your device, the SIM card retains information about your account. If you are keeping your phone number and moving to a new phone, talk to the phone salesperson about transferring your SIM card to the new phone. If this is not possible (for example, if your new phone uses a different size SIM card), keep your old SIM card and physically shred or destroy it to prevent someone else from re-using it.

EXTERNAL STORAGE CARDS
Some mobile devices utilize an external SD (Secure Digital) card for additional storage. These storage cards often contain pictures, smart phone applications, and other sensitive content. Remember to remove any external storage cards from your mobile device prior to disposal (for some devices, your SD cards may be hidden in the battery compartment of your device). These cards can often be reused in new mobile devices or can be used as generic storage on your computer with a USB adapter. If reusing your SD card is not possible, then just like your old SIM card, we recommend you physically destroy it.

OPTIONS FOR DISPOSAL
When it comes to disposing of your old mobile device, instead of throwing it out, consider recycling it instead. Most carriers offer a discount on your next purchase when you recycle. Another option is to donate your mobile device to the charitable cause of your choice. Below are just some of the many places you can either recycle or donate your mobile device.

  • Verizon Recycling
  • Sprint Recycling
  • AT&T Recycling
  • Recycling Mobile Phones
  • EPA Mobile Phone Donations Site
  • National Coalition Against Domestic Violence: http://preview.tinyurl.com/l48kw4
  • Operation Gratitude

RESOURCES
Some of the links shown below have been shortened for greater readability using the TinyURL service. To mitigate security issues, OUCH! always uses TinyURL's preview feature, which shows you the ultimate destination of the link and asks your permission before proceeding to it.

Common Security Terms:
http://preview.tinyurl.com/6wkpae5

SANS Security Tip of the Day:
http://preview.tinyurl.com/6s2wrkp

LEARN MORE
Subscribe to the monthly OUCH! security awareness newsletter, access the OUCH! archives, and learn more about SANS security awareness solutions by visiting us at http://www.securingthehuman.org. OUCH! is distributed under the Creative Commons BY-NC-ND 3.0 license.