Archive for January 2013

Passwords: Be Creative!


If you can't remember hard passwords no matter how hard you try, put your password in parentheses. baseball38 is a weak password, but (baseball38) is much better.

Whenever you change your password, you should always change at least half of it and when you do, change the parentheses as well. You can change the parentheses to asterisks, exclamation points or dollar signs. *sallyandbob39* is better than sallyandbob39, and !jimandbetty93! is better than jimandbetty93.

It's 10 p.m. Do you know whom your kids are chatting with online?


While social networking sites can increase a person's circle of friends, they also can increase exposure to people with less than friendly intentions. Here are tips for helping your kids use social networking sites safely:

  1. Help your kids understand what information should be private. 
  2. Explain that kids should post only information that you - and they - are comfortable with others seeing. 
  3. Use privacy settings to restrict who can access and post on your child's website. 
  4. Remind your kids that once they post information online, they can't take it back. 
  5. Talk to your kids about avoiding sex talk online. 
  6. Tell your kids to trust their gut if they have suspicions. If they ever feel uncomfortable or threatened by anything online, encourage them to tell you.

January 2013 - secureCI Monthly Newsletter


secureCI presents Ouch!

The SANS Monthly Information Security Bulletin at Channel Islands


In This Issue…
• What is Java?
• Risks of Java
• Best Defenses

Java

OVERVIEW
Software refers to programs or applications you install and use on your computer every day.  Examples include your web browser, word processor, email client, video games and movie players.  The problem with most software is that it is written to run only on specific computers.  For example, software written for Microsoft Windows can run only on Microsoft Windows computers; it cannot run on an Apple Mac computer.  The same applies for software written for Apple's Mac; it can only run on a Mac computer.

Java is different.  It is a computer language that allows programmers to write software you can run on many different types of computers, such as Microsoft Windows and Apple Mac.  To enable programs developed in Java to work on your computer, you need to have Java (often called the Java runtime environment) installed on your computer.  In this newsletter, we are going to explain the dangers of having Java installed on your computer and what you can do to protect your computer.  Note: JavaScript and Java are two entirely different things.  This newsletter applies to Java.

WHAT ARE THE RISKS?
A common method cyber attackers use to hack into computers is to develop special programs that take advantage of and exploit weaknesses in your computer’s software. These weaknesses are usually specific to one type of computer. This means the hacking tools they develop to attack Microsoft Windows computers work only on Microsoft Windows; their tools do not work on any other type of computer such as an Apple Mac, or vice versa.

This limits who they can attack and how.  Java is different. Since it is designed to work on almost any computer, cyber criminals can create a single attack tool that can potentially hack almost any computer in the world as long as it has Java installed. This makes Java’s weaknesses an attractive target for attackers, as they can hack more computers with less effort. Also, Java is complex, which means it can have many weaknesses.

Finally, most people do not even know what Java is or if they have it installed. As a result, Java has become a popular target for cyber criminals.

BEST DEFENSE
Ultimately, the best defense is simple: if you are not using any programs or applications that require Java, then do not install it on your computer. Only install Java if you absolutely require it. If you are not sure if you have Java already installed on your computer, there is a simple way to check. Simply go to the Java website listed below to check if you have Java installed. Be sure to only check if you have Java installed; do not actually install it.

http://www.java.com/en/download/installed.jsp

If you discover you do have Java installed but you no longer need it, uninstall Java from your computer.

IF YOU MUST...
If you absolutely must have Java installed, there are several things you can do to protect yourself.

1.  KEEP IT CURRENT
Make sure you always have the latest version of Java installed on your computer. Old or outdated versions of Java have many known vulnerabilities, making it easy for cyber criminals to hack into your computer. In addition, future releases of Java may have additional security features. Keeping Java updated is relatively simple for Windows computers. To verify the version of Java on your computer, click on the Java icon in the Control Panel and confirm you have the latest version installed and that it is configured for automatic updating. If you do not have the latest version, be sure to update it through the Java Control Panel.

Java is software that can expose you to additional risk.
If you do not need Java then do not install it.
If you do need Java always be sure to run the latest version.

For Apple Mac computers, the options for Java are more complex. In an effort to better protect its users, Apple distributes and updates its own release of Java based on Java 1.6. As long as you keep your Mac operating system updated and current, you will keep this version of Java updated also. Apple users can update their Mac computers to Java 1.7 by downloading Java from the Java website; however, you then have to maintain and update that version yourself.
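
A command-line alternative to the Control Panel check described above, as an added example that is not part of the OUCH! newsletter: it parses the banner printed by `java -version`, handling both the 1.x numbering the newsletter uses (Java 1.6, 1.7) and the later numbering scheme. `BASELINE` is a placeholder to replace with the vendor's current release, and the function names are this example's own.

```python
import re
import shutil
import subprocess

# Matches the quoted version in a banner line such as: java version "1.7.0_11"
_BANNER = re.compile(r'version "([^"]+)"')

def parse_java_version(banner):
    """Return a comparable (major, minor, update) tuple, or None if unparseable."""
    match = _BANNER.search(banner)
    if not match:
        return None
    raw = match.group(1)
    nums = [int(n) for n in re.findall(r"\d+", raw)]
    if raw.startswith("1."):
        # Legacy scheme 1.<major>.<minor>_<update>: "1.6.0_37" is Java 6 update 37.
        nums = nums[1:]
    return tuple((nums + [0, 0, 0])[:3])

def installed_java_banner():
    """Run `java -version` if java is on PATH; the banner is written to stderr."""
    exe = shutil.which("java")
    if exe is None:
        return None
    result = subprocess.run([exe, "-version"], capture_output=True,
                            text=True, timeout=10)
    return result.stderr or result.stdout

def check_java(banner, baseline):
    """Classify an install as 'absent', 'outdated', 'current' or 'unknown'."""
    if banner is None:
        return "absent"
    version = parse_java_version(banner)
    if version is None:
        return "unknown"
    return "current" if version >= baseline else "outdated"

if __name__ == "__main__":
    # Placeholder baseline (assumption): set this to the vendor's current release.
    BASELINE = (7, 0, 11)
    print(check_java(installed_java_banner(), BASELINE))
```

A result of `absent` only means no `java` executable is on the PATH; the browser plugin discussed in the next section is managed separately.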

2.  DISABLE BROWSER PLUGIN
One of the most common ways that cyber criminals hack Java is through your web browser. If you have Java installed, your browser will have what is called a Java plugin, which lets your browser use Java. When you connect to a malicious website, bad guys may hack your computer through your Java plugin.
However, very few websites require Java to work, so in most cases you can safely disable your browser’s Java plugin. How you disable your browser’s plugin depends on what type of browser you have. Most browsers have a Preference or Settings option where you can disable your browser’s Java plugin. In addition, newer versions of Java can disable Java plugins from the Java Control Panel. If you do find a website that requires Java to work, you can then enable it for only that website, then disable it when you are done.

RESOURCES
Some of the links have been shortened for greater readability using the TinyURL service. To mitigate security issues, OUCH! always uses TinyURL’s preview feature, which shows you the ultimate destination of the link and asks your permission before proceeding to it.


What is Java?:
http://preview.tinyurl.com/7l7jvb8

Uninstalling Java on Windows:
http://preview.tinyurl.com/4x66uco

Uninstalling Java 7 on a Mac:
http://preview.tinyurl.com/cowkxy4

Disabling Your Browser’s Java Plugin:
http://preview.tinyurl.com/cwptsxv

Browsercheck:
http://browsercheck.qualys.com

Common Security Terms:
http://preview.tinyurl.com/6wkpae5

SANS Security Tip of the Day:
http://preview.tinyurl.com/6s2wrkp



LEARN MORE
Subscribe to the monthly OUCH! security awareness newsletter, access the OUCH! archives, and learn more about SANS security awareness solutions by visiting http://www.securingthehuman.org. OUCH! is distributed under the Creative Commons BY-NC-ND 3.0 license.

Don't get hooked by a Phishing expedition!


Here are a few tips to help prevent getting hooked by a phisher:

  1. Don't reply to email or pop-up messages that ask for personal or financial information.
  2. Don't click on links in email messages that you're not familiar with or that ask for personal or financial information.
  3. Don't cut and paste a link from the message into your Web browser -- phishers can make links look like they go one place, but actually send you to a different site.
  4. Use anti-virus and anti-spyware software, as well as a two-way firewall, and update them all regularly.
  5. Don't send personal or financial information by email.  Email transmits data in open text!
  6. Be cautious about opening any attachment or downloading any files from emails you receive regardless of who sent them.
For more information on phishing, visit http://onguardonline.gov/phishing.html.

New Privacy Awareness Video Now Available!


SANS and EDUCAUSE have developed a free privacy awareness video that colleges and universities can use during Data Privacy Month in January, and throughout the year, in their privacy education and training efforts. High and low resolution versions of the video are available.

Attackers Using Fake Chrome Updates to Lure Victims


Google patched nearly two dozen security vulnerabilities in Chrome on Thursday, and a day later attackers began circulating fake Google Chrome updates that are actually part of a scam related to the Zeus botnet and are designed to steal online banking credentials, among other things.  Follow this link to view the full article from Threatpost.

Security Vulnerability Found in Microsoft's Internet Explorer


Internet Explorer users beware: there is a new zero-day (previously unknown, unpatched vulnerability) attack targeting your browser.  Follow this link to view the details and what you can do at this time.