
Featured Topics

Password Safety in the Digital Age


(August 15, 2014)

As children we used passwords to keep “intruders” out of our secret hideouts.  The context in which we use passwords has changed since childhood, but a strong password is now more important than ever: today your password is the first line of defense against many cyber threats.  Your username and password are the most common means of verifying your identity online.  Think of how many times per day you use them to log in to your computer, access accounts and websites, and transmit sensitive information.  Technology has made routine chores simpler and faster, but it has also increased our exposure to cyber-attacks.  Here are a few examples of what attackers do with YOUR account information:

  • sending threatening email on your behalf;
  • purchasing items on websites where you have saved your credit card information;
  • accessing, modifying, or deleting documents stored on your computer or on any central file server you have permission to access; and
  • using your University credentials to gain access to confidential information.

As society becomes further immersed in the digital age, it becomes even more important to keep your guard up!

Protect your password by following these best practices:

  • Never share your password with anyone.  There have been reported cases where individuals pretending to be IT staff or system administrators will ask for your password.  Your password protects your information and no one, including an IT professional, should ever need it. 
  • Do not enter your password into suspicious websites.  Phishing scams use spoofed email, pop-up messages, or fraudulent URLs to deceive users into disclosing account passwords, credit card numbers, bank account information, Social Security numbers, or other confidential information.  Although attempts are made to block these messages, some still reach your inbox.  If you receive a request for your password or other personal information, do not respond to it.  Either delete the message or report it to abuse@missouri.edu.  When reporting phishing, forward the email as an attachment rather than inline, so that the original message headers are preserved for the security team; the Division of IT publishes instructions on how to attach an email.
  • Be cautious when using a public space.  When using a public computer, never save files to the machine, clear the browser’s cookies and cache, and sign out of every account and of the computer itself before you leave.  When using public Wi-Fi on your own portable device, limit the amount of personal information you view.
  • Routinely change your password.  Change your passwords at least annually, and immediately if you suspect one has been compromised, and make sure each one is strong.  Use a separate login ID and password for each website you access, so that a breach of one site does not expose your other accounts.  To change your University password, log into the Password Manager tool.  Visit the Division of IT’s MakeITSafe page for suggestions and tips on creating a strong password.
  • Avoid the browser’s “save password” feature.  Internet browsers offer to remember credentials when you visit a site that requires a login or when you set up a new email client.  Passwords saved this way are usually protected only by your login session, so anyone who sits down at your unlocked computer, and any malware running on it, can use or export them.  Either enter the password each time you visit a site or keep it in a dedicated password manager that is locked with a master password (see below); opt out of the browser feature.
  • Do not record passwords in a place where they can be compromised.  This includes cellular phones and other portable devices.  It also includes a sticky note pasted onto your monitor or under your keyboard!  Password manager software provides a central, encrypted location to store all account passwords, PINs, and other sensitive information behind a single master password.  Many of these programs include a password generator which creates a new random password for each of your individual accounts, so you only ever have to remember the master password.  Examples of password manager software include KeePass, Password Safe, PINs, RoboForm, and Turbopasswords.  Some of these products are free; others require a nominal fee.  If you are interested in obtaining a password manager, please review all the options available in order to choose the best product for your needs.
  • Watch for signs of misuse.  Common signs include:  Sent emails in your ‘sent items’ folder which you do not remember composing; new icons, programs, files or start menu items which you did not install; and noticeable performance degradation on your machine. 
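To show what a password manager’s generator does under the hood, here is an added example in Python (it is not code from the article or from any of the products named above): it draws passwords and passphrases from the operating system’s cryptographic random source and reports how many bits of entropy each one has.  The ten-word list is a constructed stand-in; a real passphrase generator uses a list of several thousand words.

```python
import math
import secrets
import string

# Character set a typical generator offers: letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a real word list (real lists have thousands of entries).
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "river",
                "pencil", "orbit", "glass", "amber", "quilt"]


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return a password chosen uniformly at random from `alphabet`.

    `secrets.choice` uses the OS cryptographic RNG.  The `random` module
    must not be used for this: its Mersenne Twister output is predictable
    once an attacker has observed a few values.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 6, wordlist=SAMPLE_WORDS, sep: str = "-") -> str:
    """Return `words` randomly chosen words joined by `sep`."""
    if words < 1:
        raise ValueError("words must be positive")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(length: int, choices: int) -> float:
    """Entropy of a uniformly random selection: length * log2(choices).

    This is only meaningful for a *generated* secret; for a human-chosen
    password it badly overestimates, because people do not pick uniformly.
    """
    return length * math.log2(choices)


def strength_report(length: int = 20, words: int = 6,
                    alphabet: str = ALPHABET, wordlist=SAMPLE_WORDS) -> dict:
    """Compare a random character password with a random passphrase."""
    return {
        "password": generate_password(length, alphabet),
        "password_bits": entropy_bits(length, len(alphabet)),
        "passphrase": generate_passphrase(words, wordlist),
        "passphrase_bits": entropy_bits(words, len(wordlist)),
    }


if __name__ == "__main__":
    for key, value in strength_report().items():
        print(f"{key:>16}: {value}")
```

A 20-character password over 94 symbols carries about 131 bits; six words from the constructed 10-word list carry only about 20 bits, whereas six words from a 7776-word diceware list would carry about 78 bits, which is why real passphrase generators need a large word list.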

If your password has been compromised or you notice suspicious activity on your accounts, change the password immediately.  If the affected account is a University account, you are required to report the incident.  Please review the mandatory reporting requirement at http://infosec.missouri.edu/hr/mandatory-reporting.html.

Finding the Silver Lining with Cloud-Based Computing Services


(July 17, 2014)

It’s the perfect summer day; the sun is shining brightly and there is a gentle breeze with the smell of freshly cut grass lingering in the air.  Lying flat on your back, you gaze up at the sky.  Directly above you is a large, cottony-white cumulus cloud mass.  You can see its edges and swells. This formation is massive and it slowly appears to be moving through the atmosphere.  Though you cannot physically touch it, you instill trust in this form recognizing that it means you no harm.

However, what happens when the cloud is even less tangible?  When the massive formation is actually an intricate infrastructure system existing in the Internet atmosphere?  Do you instill the same amount of trust?  Does this cloud really mean you no harm?

The cloud is an effective, powerful, and widely used way to store and manage your data and files over the Internet rather than on your computer’s local hard drive.  Programs and applications may also be delivered via cloud services.  Essentially, you can access the cloud from anywhere in the world, at any time, and from any of your devices.  However, as the saying goes, “with great power comes great responsibility.”  Using a cloud computing service means handing a service provider custody of your private data, so you must understand the risks before you do.

You should consider the following factors before you leap into the cloud:

Security:  How secure is the transfer of your data?  Is encryption employed during all transmissions (uploads and downloads)?  How is your data stored in the cloud?  Is your information encrypted at rest?  If so, who has access to decrypt the files, and who holds the encryption keys?  If the provider holds the keys, the provider (and anyone who compromises or compels it) can read your data; only data you encrypt yourself before uploading stays unreadable to the provider, at the cost of managing the key yourself.

Privacy:  Who has access to your data when it is stored in the cloud?  Can the service provider’s employees or any third-party partners access your data? 

Backups:  Is your data backed up?  If so, how often and what exactly is backed up?  How long are these backups maintained and can you access them for recovery if you need to?

Support:  How do you contact customer support?  What is their average response time?

Continuity of service:  Are there scheduled downtimes for maintenance, upgrades, and repairs?  If so, how often?  What is their plan for unexpected outages?  What type of service availability can they guarantee? 

Sharing:  How much control do you have when you are collaborating with others?  Can you restrict sharing to specific files and folders?  Are there security settings which let you manage what information is passed on to someone else or to third-party entities?

As you can see, it takes time and effort to determine the appropriate cloud-based service which will meet your specific needs.  MU employees and students already have an approved cloud storage service available to them.  "Box" is a cloud-based file storage and collaboration service available at no cost to all Columbia campus and UM System employees as well as MU students.  Visit http://doit.missouri.edu/services/data-docs-files/box.html for details regarding this service and instructions on how to initiate enrollment. 

For more great tips, security news and all the latest alerts, visit http://makeitsafe.missouri.edu/. 

References:

Griffith, E.  (2013).  What is cloud computing?  Retrieved from http://www.pcmag.com/article2/0,2817,2372164,00.asp

SANS Institute.  (2012).  Using the cloud safely.  Retrieved from http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201206_en.pdf

The Electronic Graveyard: Do Not Let Old Technology Haunt You!


(June 9, 2014)

Are first generation electronics cramping your style? Are you tired of watching what used to be considered cutting-edge technology depreciate and collect dust in front of your eyes? Or, is it simply time to purge the designated electronic waste drawer in your home? Regardless of your motivation to rid yourself of old technology, always remember to sanitize a device before you discard, recycle, donate, repurpose, or sell it!

There are countless news stories of confidential and private information getting leaked due to old electronic devices being discarded before the hard drive was wiped clean. For criminals and identity thieves, retrieving useful remnants of information is surprisingly easy and even more valuable than the device itself. Permanently deleting information from a hard drive is more challenging than one might expect.

There are many widely held misconceptions about data disposal. Simply deleting files, dragging items to the recycle bin or trash, reformatting the disk, or deleting disk partitions only removes the references to the data; the data itself stays on the disk until it is overwritten and can be recovered with freely available tools. Encrypting files after the fact does not help either, because the original unencrypted copy may remain in freed disk space. Sanitizing a device, by contrast, permanently purges all the data and personally identifiable information stored on it. Therefore, to completely obliterate data, you have two options: physically destroy the device or sanitize it!

    1. Physically destroying the device. A device can be destroyed with heat, a strong magnetic field (degaussing, which works only on magnetic media such as hard disks and tapes, not on SSDs or flash drives), or by shredding, crushing, or other aggressive methods which may require special tools and safety precautions.
    2. Sanitizing a device by securely wiping magnetic drives. Using a special software tool, you overwrite every bit and byte on the disk so that the original information is never accessible again. Note that this applies to magnetic hard drives: solid-state drives (SSDs) and USB flash media remap blocks internally, so an overwrite may leave old data in place. For those, use the drive’s built-in secure-erase command or the manufacturer’s utility, or physically destroy the device. There are several issues to consider as you prepare to wipe your hard drive or other media:
    • Once you start the wiping process, there is no turning back. Make backups of any pertinent files you may need for future use.
    • Secure wiping requires a special-purpose program. Examples are DBAN (a bootable tool that wipes an entire drive regardless of the installed operating system), SDelete (a Windows command-line tool for wiping individual files and free space), and Disk Utility (for Mac). To sanitize the entire drive you typically boot the computer from a CD or USB key that carries the tool, because a running operating system cannot overwrite the disk it is using. Make sure the tool you use has a feature to wipe the entire drive, not just the empty space, and verify the result afterwards if the tool offers it. For additional assistance, please contact your IT Professional or IT Tech Support at 882-5000.
    • Adhere to data disposal policies. The University campus and the hospital have policies dictating the appropriate methods for data disposal to ensure confidentiality of the data and compliance with software licensing contracts.
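As an added example (not code from the article or from any of the tools it names), the following Python script shows what a secure-wipe tool does at the lowest level: it overwrites every byte of a file in place, forces the writes to the medium, and then verifies that a known plaintext marker is gone and that the final zero pass covered everything. It runs on a throwaway image file that it constructs itself; pointing it at a real disk device would require administrator rights, would be destructive, and, as noted above, an overwrite alone is not sufficient for SSDs.

```python
import os
import secrets
import tempfile

CHUNK = 1 << 16  # 64 KiB per write


def overwrite_in_place(path: str, random_passes: int = 1) -> int:
    """Overwrite every byte of `path`: `random_passes` passes of random data,
    then one pass of zeros.  Returns the number of bytes overwritten.

    The file is opened for update (no truncation) so the same blocks are
    rewritten, and each pass is fsync'd so the data reaches the medium and
    not just the page cache.  On a flash/SSD device the controller may still
    redirect writes to fresh blocks, which is why overwriting is not a
    reliable sanitization method there.
    """
    size = os.path.getsize(path)  # for a raw block device use os.lseek(fd, 0, os.SEEK_END)
    with open(path, "r+b") as f:
        for pass_no in range(random_passes + 1):
            final_pass = pass_no == random_passes
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                f.write(b"\x00" * n if final_pass else secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def contains_marker(path: str, marker: bytes) -> bool:
    """Scan the raw bytes of `path` for `marker`, handling matches that
    straddle chunk boundaries."""
    keep = max(len(marker) - 1, 0)
    tail = b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return False
            window = tail + chunk
            if marker in window:
                return True
            tail = window[-keep:] if keep else b""


def is_all_zero(path: str) -> bool:
    """Verification after the final zero pass."""
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if chunk.strip(b"\x00"):
                return False
    return True


def demo() -> dict:
    """Constructed demonstration on a temporary image file (never a real disk):
    plant a marker in random data, wipe, and verify."""
    marker = b"SSN=123-45-6789"
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(secrets.token_bytes(200_000) + marker + secrets.token_bytes(100_000))
    try:
        found_before = contains_marker(path, marker)
        size = overwrite_in_place(path, random_passes=2)
        return {
            "found_before": found_before,
            "found_after": contains_marker(path, marker),
            "all_zero": is_all_zero(path),
            "bytes": size,
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

The verification step is the part people skip: a wipe you have not read back is a wipe you are taking on faith.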

Need to destroy a University-owned device? The Division of IT (DoIT) hosts ShredIT data disposal events biannually. ShredIT events are open to the University system, MU campus, and Hospital departments at no charge for University-owned equipment. Department IT Pros are notified of these events and are encouraged to participate. Simply bring the media to our announced location and DoIT will take care of the disposal for you.

From Surfing Waves to Surfing the World Wide Web: Be Safe Online While Traveling


(May 13, 2014)

Picture this:  You are sitting in a lounge chair strategically placed under an umbrella constructed of palm leaves.  The sun is at your back and the ocean waves are crashing against the shore gently in front of you.  The ocean seems endless, blue and white cascades moving in and out.  The warm white sand is soft and tacky between your toes.  Here, right now in this place, you feel the weight of responsibility lifted. 

The philosophy of vacation is quite simple:  Relax, rejuvenate, be carefree, and most of all enjoy yourself.   While some may choose to break waves at a tropical hotspot destination; others may take to the open road; the daring may elect to defy gravity by climbing Mount Everest; and others may pick a culturally enriching international destination.  No matter where your journey takes you, do not allow yourself to become careless with security! 

One of the most effective ways to protect yourself when traveling is to take preventive measures before your departure (1).  Complete the following actions before leaving home: 

  1. Update your operating system, applications, and anti-virus software on your mobile devices.  Operating systems, applications, and anti-virus software all offer periodic updates containing vital security patches.  Keep your system on current versions.
  2. Ensure your firewall is enabled.  This blocks unsolicited inbound connections to your device from other machines on the network, which matters most on shared networks such as hotel or airport Wi-Fi.
  3. Encrypt confidential information stored on your devices.  Most mobile devices come with encryption capabilities built in.  If not, you may install encryption applications.  You should consult your vendor’s application store or marketplace for information on what is available.
  4. Enable the automatic lock screen and use a strong password, passphrase, pattern, or PIN to unlock the device.  Activate the lock-out screen with a reasonably short idle timeout, make your PIN or password unique to each device, and never share your PIN or password. 
  5. Configure your device for remote wiping.  In the event that your device is lost or stolen, remote wiping allows you the capability to erase all data and personal information stored on the device (2).  Affix a label to the back of your device with your name, email, and phone number to increase the likelihood of misplaced belongings being returned to you.
  6. Do not post travel plans on social media sites.  You should always limit the amount of personal information you share on these sites.  While your account may be setup securely, you have no control over how your friends setup their accounts.    

 Follow these best practices while you are traveling:

  1. Use sponsored Wi-Fi networks hosted by legitimate organizations and pay attention to the Wi-Fi encryption type.  Your online activities can be monitored by others while you are connected to a public network.  Protect yourself by ensuring you are on a legitimate Wi-Fi connection: look for posted signs in hotel lobbies, airport terminals, or cafés displaying the name of the supported Wi-Fi network, since an attacker can set up a look-alike network with a similar name.  The common Wi-Fi encryption types, from most to least secure, are WPA2, WPA, and WEP; WEP is broken and should be treated as no encryption, and an “open” network has none at all.  Even on an encrypted network, other users who know the shared password can potentially read your traffic, so rely on https:// connections for anything sensitive.
  2. Limit your web browsing to well-known and trusted websites and use encryption when possible.  Email and web browsing expose you to phishing scams, malicious sites, infected attachments, and other scams.  Use TLS encryption (the https:// prefix, formerly called SSL) for web browsing whenever possible.  An https:// session encrypts the data between your browser and the site, so someone on the same network cannot read it, although they can still see which sites you connect to.  Most email providers also offer an SSL/TLS option for their mail servers; if available, enable it in your email client.
  3. Keep optional network connections, such as Bluetooth and Wi-Fi, turned off when not in use. If using these features in public, limit the amount of personal information you view. SMS, MMS, Bluetooth and synchronization are all potential attack routes.
  4. Limit your use of public computers to casual web browsing only.  Public computers may be infected with malware or keyloggers.  If you have no choice but to use a public computer to make a transaction or to communicate sensitive information, you should assume any information shared could be compromised.  Keep track of the accounts you accessed on a public computer and change your passwords immediately once you are on a trusted computer and network.
  5. Turn off cookies and autofill options.  If your mobile device automatically enters passwords and login information into websites you visit frequently, turn this feature off.  While convenient, these options pose privacy threats. 
  6. Always keep your device on you or locked in a secure location.  Place mobile devices in your carry-on luggage; do not check them.  There is no guarantee your luggage will arrive at your destination when you do, and there is always a risk of baggage being ransacked before you get it back.  If you are on a road trip, lock electronics in the glove compartment or rear storage of the vehicle, out of sight.

 What if you follow all these best practices and still get hacked?  Change your password immediately.  For suggestions on creating a strong password, visit the Division of IT’s MakeITSafe password safety page.  If your device has been compromised, misplaced, or stolen you should employ remote wiping.  If you did not configure your device for remote wiping beforehand, you still have the capability to wipe your Microsoft Exchange account.  Faculty, staff, and students may request remote wiping of their University email account, contacts, and calendar.  For assistance with this process, contact the IT Help Desk at 882-5000. 

 References: 

  1. SANS Institute.  (2011).  Staying Secure Online While Traveling.  Retrieved from http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201104_en.pdf
  2. Kugler, L.  (2011).  9 Ways to Keep Your Mobile Devices Secure While Traveling.  Retrieved from http://www.pcworld.com/article/218671/9_ways_to_keep_your_mobile_devices_secure_while_traveling.html

Decommissioning Microsoft XP: The Expiration of a Flagship Operating System


(March 19, 2014)

The year 2001 marked many technological triumphs: Apple released the iPod, Wikipedia emerged as a free-content online encyclopedia, the Mars Odyssey spacecraft began orbiting the red planet, and Bill Gates deemed Windows XP “the best operating system Microsoft has ever built” (1).  Windows XP went on to become Microsoft’s flagship operating system (OS), remaining on the market for 13 years.

However, all good things must eventually come to an end…and soon!  Microsoft has announced Windows XP’s retirement date effective April 8th, 2014. This will affect millions of users world-wide as it is estimated that approximately 25% of the world’s desktop computers are still running on this OS (2).  Are you one of these users?  If so, please consider the risks of continued usage and follow our tips to migrate to a new platform. 

Risks:

  • Microsoft will no longer provide security updates, non-security hot fixes, free or paid assisted support, or online technical content updates for XP (3). 
  • Anti-virus software alone will not be able to protect you once your operating system is unsupported.  Any vulnerability discovered after the retirement date will remain unpatched indefinitely, so an attacker can reuse the same exploit for as long as the machine stays in service (3).  Consequently, XP users become extremely vulnerable to cyber-criminal exploits.
  • XP users will begin to experience degraded performance since Microsoft will no longer be adding new features or fixing instability issues (2).

Thus, friends, it is time to purge your old OS and embrace the new!

Making the change:

  • University employees running XP on University equipment should contact their IT professional for assistance.
  • You need to use an actively supported operating system in order to keep yourself protected.  This may mean investing in an entirely new computer, as older hardware is not always able to run the newer operating systems (2).  Research your options carefully and make the right choice for you.  For instance, converting to Windows 7 might be an easier transition than Windows 8.  Another operating system for consideration is Apple’s Mac OS X; however, choose OS X 10.7 or higher, since Apple is no longer providing updates for Snow Leopard (10.6) or its predecessors (4).

Are you unable to upgrade your OS by April 8th?  If so, follow these best practices:

  • Use your Windows XP computer only for the applications and functionalities which are a necessity.  For instance, some older programs will not function properly in newer platforms.  If you cannot upgrade these programs and must continue to use them for business purposes, then reserve your Windows XP computer only for these applications (2).  Systems with out-of-date operating systems are not allowed on University networks.    
  • If you have to browse the Internet on your Windows XP computer then you should use Mozilla Firefox, Google Chrome, or Opera as your browser.  For the time being, these vendors will continue to support these browsers and offer updates for them on the XP platform (2). 
  • Do not use any built-in Windows XP applications that open files from the Internet (2).
  • Ensure your anti-virus software is still supported and updated for Windows XP (2).
  • Continually back up all data on your Windows XP computer and remove sensitive files in case your computer gets infected (2). 

For more great tips, security news and all the latest alerts, visit http://makeitsafe.missouri.edu/.

References:

1. Microsoft.  (2001).  Windows XP to take the PC to new heights.  Retrieved from http://www.microsoft.com/en-us/news/press/2001/aug01/08-24winxprtmpr.aspx

2. SANS Institute.  (2014).  The End of Windows XP.  Retrieved from http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201403_en.pdf

3. Foley, M.  (2013).  Microsoft warns Windows XP users risk ‘zero day forever’.  Retrieved from http://www.zdnet.com/microsoft-warns-windows-xp-users-risk-zero-day-forever-7000019503/

4. Keizer, G.  (2014).  Apple retires Snow Leopard from support, leaves 1 in 5 Macs vulnerable to attacks.  Retrieved from http://www.computerworld.com/s/article/9246609/Apple_retires_Snow_Leopard_from_support_leaves_1_in_5_Macs_vulnerable_to_attacks

Don’t Neglect Your “LOVE” for Technology This Valentine’s Day!


(February 7, 2014)

I rely on you to always be there;

to help me engage and keep me close to those I hold dear.

I don’t buy you flowers or candies or take you out on dates;

but I may expect you to help me find my soul mate!

I don’t feel judged by you, even when you give me a little nudge;

I know you just want to guard me from all that cyber sludge! 

You don’t ask me for much;

just that I use anti-virus protection and occasionally back my stuff up!

It shouldn’t require a special February holiday for me to profess;  

Yet as Valentine’s Day approaches, I must confess: 

I love you, technology! 

I promise to update you, protect you, and always pay these dues;

I will avoid spam and phishing and use caution on the World Wide Web by listening to your cues!   


Technology can be both amazing and horrifying at the same time.  Today’s devices offer tremendous features and power; however, they also expose us to a multitude of risks.  To minimize the threats, make sure your devices are configured safely and keep some basic security measures in mind.

Follow our best practices to show L-O-V-E to your technological devices!

1.  Always keep your devices up-to-date. Operating systems, applications, web browsers, and anti-virus software all offer periodic updates containing vital security patches.  Install security patches immediately to ensure you are protected from existing vulnerabilities. 

2.  Ensure your firewall is enabled. This blocks unsolicited inbound connections to your device from other machines on the network.

3.  Create backups.  Make backups regularly of your system and any pertinent files you may need to access.  Store a copy of your backups in a safe place.  Data corruption and hardware/software failures are unfortunate risks related to all technology.  ‘The computer ate my homework’ is never a good excuse!

4.  Enable the automatic lock screen and use a strong password, passphrase, pattern, or PIN to unlock the device. Activate the lock-out screen with a reasonably short idle timeout.  Make your PIN or password unique to each device, and never share your PIN or password with anyone!  Also, routinely change your PIN or password; you should reset it at least annually. 

5.  Keep optional network connections, such as Bluetooth and Wi-Fi, turned off when not in use. SMS, MMS, Bluetooth and synchronization are all potential attack routes.  When using these features in public, limit the amount of personal information you view.  Never access, transmit, or receive sensitive information over an unsecure Wi-Fi network! 

6.  Limit your web browsing to well-known and trusted websites and use encryption when possible. Email and web browsing expose you to phishing scams, malicious sites, infected attachments, and other scams. Use TLS encryption (the https:// prefix, formerly called SSL; for example https://<website>) for web browsing whenever possible.

7.  Never email sensitive information. Email is not a secure method for transmitting or saving sensitive information such as financial information, Social Security numbers, et cetera. 

8.  Do not open attachments from unknown sources or click on direct links provided in an email. Attachments can contain viruses that allow cyber attackers to gain control of your computer system.  Additionally, avoid clicking on links provided in an email. If you get an email from what appears to be a known source, such as your bank or a store, type their web address into your browser and access your account directly. If you are unsure of the exact destination site use a search engine to look up the company.

9.  Turn off cookies and auto-fill options. Turn off features which automatically enter your password and login information into websites.  While convenient, these options pose privacy threats.

10.  Never leave your device unaccompanied when you are in public spaces.  Additionally, configure your mobile devices for remote wiping. Remote wiping provides you with the capability to erase all data and personal information stored on that device if it should become lost or stolen.
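Because both this list and the Password Safety article above warn about links that merely look like a known site, here is an added Python example (not code from the article) that extracts the host a browser would really connect to and flags the common disguises: a trusted name placed before an “@”, a trusted name embedded as a subdomain of some other domain, a raw IP address, an internationalised or punycode hostname, and plain http.  The allow-list of trusted hosts is constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list: the sites this user actually has accounts with.
TRUSTED_HOSTS = {"bank.example", "store.example"}


def host_matches(host: str, trusted: str) -> bool:
    """True if `host` is `trusted` itself or a subdomain of it."""
    return host == trusted or host.endswith("." + trusted)


def assess_link(url: str, trusted=TRUSTED_HOSTS) -> dict:
    """Return the real host of `url`, whether it is trusted, and any warnings."""
    if "://" not in url:
        url = "http://" + url  # mail clients treat bare hostnames as http links
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    warnings = []

    # "https://bank.example@evil.net/login": everything before '@' is userinfo,
    # and the browser actually connects to evil.net.
    if parts.username is not None:
        warnings.append("userinfo before '@' hides the real host")

    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain name")
    except ValueError:
        pass

    # Non-ASCII or punycode labels can imitate Latin letters (homograph attack).
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_host = host
    if ascii_host != host or "xn--" in ascii_host:
        warnings.append("internationalised hostname: possible look-alike letters")

    if parts.scheme != "https":
        warnings.append("not https: credentials would travel in the clear")

    is_trusted = any(host_matches(host, t) for t in trusted)
    # "www.bank.example.evil.net" contains the trusted name but belongs to evil.net.
    if not is_trusted and any(t in host for t in trusted):
        warnings.append("trusted name embedded in a different domain")

    return {"host": host, "trusted": is_trusted, "warnings": warnings}


if __name__ == "__main__":
    for link in ["https://www.bank.example/login",
                 "https://bank.example@evil.net/login",
                 "http://www.bank.example.evil.net/",
                 "http://203.0.113.5/bank.example/"]:
        print(link, "->", assess_link(link))
```

The check is deliberately conservative: anything not on the allow-list is reported as untrusted, which is exactly the stance the article recommends, typing the address you know rather than following the one you were sent.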

 For more great tips, security news and all the latest alerts, visit http://makeitsafe.missouri.edu/.

Data Privacy: How big is your digital footprint?


(January 15, 2014)

Imagine a fresh blanket of snow or a tacky expanse of sand in front of you.  Envision slowly stepping onto this surface and take note of the footprint left behind.  Assessing the size and shape of the imprint is easy because we know the dimensions of our own foot.  However, there is another type of footprint we may not be accustomed to measuring.  Our digital footprint is less tangible than the one we leave as we walk over an impressionable surface, but it exists nevertheless.  We are all members of a digital society; consequently, our online activities, interactions, and behaviors cast a mold unique to our online presence.  This virtual impression is known as our digital footprint.

Why is it so important to measure this?  The metadata collected through your usage of a digital environment can immensely impact aspects of your daily life such as your privacy, security, and digital reputation (1).  Your digital content can be accessed for numerous reasons, some more harmful than others.  For example, your digital footprint can keep you from getting a job, being admitted into college or a prestigious association, or it can even prevent you from obtaining a loan (1). Even more threatening is how it can increase your probability of exploitation by cyber-criminals.  A profile is generated when fragments of your digital content get pieced together.  This profile can be used for social engineering attacks and identity theft (1). 

January 28th is recognized as Data Privacy Day.  Follow these best practices to minimize your digital footprint and protect your privacy:

  • Map your footprint.  Make a list of your personal accounts, including social networking sites and other general websites (such as Amazon, eBay, Gmail, etc.) (2).  Make a note of all the aliases and user names you have created, and use multiple search engines to search for your name and other personal details (2).  The results give you a measurement of your digital footprint.

  • Manage your social networking privacy options and post with caution.  Social networking sites have various levels of privacy settings which let you restrict what personal information you share and with whom you share it (2).  Typically the default is public, so you will need to restrict your settings manually and then confirm whether the change also applied to older posts.  If not, you will want to adjust those posts individually.  Additionally, always use discretion when posting comments, photos, status updates, and even likes on other pages.  Liking a page or participating in online social games often gives the page or game operator access to your profile information, and sometimes to the information of the people on your friends list as well.

  • Use prudence when interacting online through public forums.  Be thoughtful of how your comments can be interpreted when you interact with others through message boards, blogs, and/or news outlets (1).  Create impersonal aliases instead of using personal identifiers in your user names.    

  • Manage your cookies and research your browser options.  Cookies track your browsing history and are used to target you with ads related to your search interests (3).  Internet browsers have various settings for managing cookies; the most private option is to disable them altogether, or at least to delete them when you close the browser.  Some browsers offer a private browsing mode that prevents the browser from storing any information about the websites you visited during the session (3).  Note that this only affects what is stored on your own device: when choosing a browser or search engine, review the provider’s policy on how long your search history is retained, because even after you delete searches from your device the provider may keep this information for 30 days or longer (2).

  • Consider paying with pre-paid cards or cash.   Pre-paid cards and cash options make it difficult to track your purchases or identity (3). 

  • Seek assistance when you cannot personally delete data associated with yourself.  Usually an email request to the site owner will suffice to get the data deleted (2).  Be vigilant and take this extra step when you need to. 


References:

1. Smith, T.  (2012).  Managing your digital footprint: think before you post.  Retrieved from http://www.dhses.ny.gov/ocs/awareness-training-events/news/2012-08.cfm

2. Hayter, A.  (2012).  Reducing your digital footprint.  Retrieved from http://news.yahoo.com/reducing-digital-footprint-184900908.html

3. Singer, N.  (2013).  Ways to make your online tracks harder to follow.  Retrieved from http://bits.blogs.nytimes.com/2013/06/19/ways-to-make-your-online-tracks-harder-to-follow-2/?_r=0

4. National Cyber Security Alliance.  (2014).  Respecting privacy, safeguarding data, enabling trust.  Retrieved from https://www.staysafeonline.org/data-privacy-day/about

Ransomware: PAY UP or you will NEVER see your computer’s data again!


(February 20, 2014)

“YOU HAVE THREE DAYS TO PAY THIS RANSOM OR YOU WILL LOSE YOUR FILES FOREVER!”  Ransom.  The very essence of this word causes an adrenaline surge that induces intense bodily reactions.  Your hands begin to shake; palms are sweating.  Your eyes clench shut in response to the deep throb forming at your temples.  Heart pulsations are penetrating from deep within your inner ears.  Your chest is tightening with each shallow breath you draw in.  It’s emotional and physical warfare—and you are extremely unprepared for this battle!

CryptoLocker is among the many variations of ransomware lurking in cyber space today (1).  Users inadvertently install this grisly malware by opening malicious email attachments or clicking on links supplied in phishing emails (1).  Once engaged, the malware installs itself in the “Documents and Settings” folder and begins to encrypt any files you have stored on network file shares and drives as well as attached USB drives and external hard drives (2).  Ransomware has the potential to become a systemic problem; once one computer on a shared network becomes infected, mapped network drives will likely be targeted as well (1).       

Victims of ransomware are presented with a pop-up window which will dictate the terms of the ransom...AFTER all their files have been encrypted (3).  Payment is always directed through a third-party source, such as MoneyPak and Bitcoin (1).  A time clock will begin to count down the hours and minutes until destruction of the decryption key (2).  The cybercriminal retains the only copy of the private decryption key, which is unique to each victim’s computer; therefore, there is no chance of data recovery without paying the extortion (3). 

However, it is important to note that payment does not guarantee access to the decryption key; you are dealing with criminals after all!  In fact, law enforcement officials strongly advise against paying these attackers.  There are prevention methods to mitigate your loss from malware attacks.  Follow these best practices to beat the crooks at their own game!
• Enable your firewall and keep your anti-virus, operating system, and software up-to-date.  Ransomware is usually installed through malicious attachments and links supplied in phishing emails; however, some cybercriminals are using existing malware infections or other security holes as ‘backdoors’ to infect users (3). 
• Review your access control settings on network shares.  Do not grant yourself or any other users write access to files that should be set to read only (3).  Remove all access to files you do not need to see; this will prevent any malware from viewing and stealing them as well (3). 
• Do not grant administrative privileges to your user accounts.  Malware-infected Administrator accounts are much more destructive than an infected user account (3).  The built-in Administrator account should be reserved for setup and disaster recovery only; create a separate Administrator account for those rare instances when you need heightened privileges (4).  Each user should have a unique user account for daily tasks which includes email, games, social networking, web surfing, etc. (4). 
• DO NOT click on direct links provided in an email.  Ransomware has been spreading through fake emails designed to mimic legitimate businesses as well as spoofed FedEx and UPS tracking notices (1).  Therefore, even if it appears to be from a known source (PayPal, your bank, or credit card agency), never click on a direct link supplied in an email.  Type the company’s web address directly into your browser to access your personal accounts. 
• Do not open attachments from unknown sources. Attachments can contain viruses that allow cyber attackers to gain control of your computer system and files.  Delete spam and phishing emails immediately.   NEVER ‘unsubscribe’ or respond to these types of messages.  
• Back up your operating system and important files.  Backups can mitigate your loss if you become a victim of malware or if you experience a hardware failure.  Store the backup copies offline in a secure location (3). 

Already infected?
• Immediately disconnect the infected machine from all wired and wireless networks and consult a security expert regarding malware removal (1).
• Change all of your online account passwords and network passwords.  Once the malware is removed, change all system passwords (1).
• Report ransomware infections to the Information Security and Access Management (ISAM) team at isam@missouri.edu.  

For more great tips, security news and all the latest alerts, visit http://makeitsafe.missouri.edu/.  

References:
1.  United States Computer Emergency Readiness Team (US-CERT).  (2013).  CryptoLocker ransomware infections.  Retrieved from, http://www.us-cert.gov/ncas/alerts/TA13-309A.  
2.  Neal, R.  (2013).  CryptoLocker virus:  new malware holds computers for ransom, demands $300 within 100 hours and threatens to encrypt hard drive.  Retrieved from, http://www.ibtimes.com/cryptolocker-virus-new-malware-holds-computers-ransom-demands-300-within-100-hours-threatens-encrypt.  
3.  Ducklin, P.  (2013).  CryptoLocker ransomware-see how it works, learn about prevention, cleanup and recovery.  Retrieved from, http://nakedsecurity.sophos.com/2013/10/18/CryptoLocker-ransomware-see-how-it-works-learn-about-prevention-cleanup-and-recovery/.  
4.  Johansson, J.  (2008).  Security watch:  why you should disable the Administrator account.  Retrieved from, http://technet.microsoft.com/en-us/magazine/2006.01.securitywatch.aspx.  

‘Twas the Night before Cyber Monday: Tips for Secure Online Shopping


(February 20, 2014)

‘Twas the night before Cyber Monday and all through the house not a creature was stirring...well except for me and my computer mouse!  The stockings were hung by the electric fireplace with care, in hopes that Cyber Monday sales would bring Christmas cheer.   The children were nestled all snug in their beds, while visions of a new Xbox and iPods danced in their heads!  When all of the sudden an Internet ad arose such a Facebook chatter; I swiftly clicked on the thread to see what was the matter.  I opened a new browser tab like the Flash, tore open the ad and revealed a HUGE coupon stash!  I knew in that moment I would be better than St. Nick!  I whistled, and shouted, and called them by name; Now, Best Buy! Now, New Egg! Now, Target and Lowes!  On, Amazon!  On, Walmart! On, Macy’s and Kohl’s.  Now shop away, shop away, shop away all!  Lucky me, I didn’t even have to make a trip to the mall!
 
Electronic retail is a non-shopper’s holiday shopping dream come true!  The lines are nonexistent, the wait time is short, and your online shopping cart will never present you with a squeaky or wobbly wheel.  It truly is the best of both worlds; you can stay home and shop from your computer while wearing your warm and comfy pajamas and slippers.  Not only that, but the parking is close and you do not have to watch strangers duke it out over the last Furby (admit it.  They are kind of creepy!)  However, online shopping does pose some security risks.  Follow these best practices to ensure your online shopping experience goes without a hitch!

1.  Utilize anti-virus protection, keep your system up-to-date, and make sure your firewall is on.  Your firewall prevents others from connecting to your device over the network; this is a great first line of defense!  However, you should also employ anti-virus software in order to protect you from malware and other nasty viruses which can harvest information from your device.  Keep in mind that your operating system, anti-virus software, and web browser must be kept up-to-date with the latest security patches. 

2.  Limit your web browsing to well-known and trusted websites and use encryption when possible.  Encrypted websites contain an https:// web address and most browsers will display a padlock icon as a visual symbol for encryption.  However, an encrypted website alone is not sufficient evidence of a merchant’s integrity!  Encryption helps protect information in transit; it does not enforce regulations over a merchant’s business practices (1). 

3.  Be aware of your surroundings.  If you decide to brave the madness of the outside world during the holiday shopping frenzy, use caution when electronically accessing your information.  Never use unsecured networks (such as public Wi-Fi networks or public computers) to make online purchases.  Also, since your online activity can be monitored by others while you are connected to a public network, you should never access your private online accounts (such as credit card and online banking sites). 

4.  Double check your domain names.  Almost all reputable vendors have registered domain names which match their company name, such as: www.<companyname>.com.  Check your spelling; subtle misspellings of company names are often used by phishers seeking to lure you to counterfeit websites (1).

5.  Employ strong password safety.  If the vendor requires account creation, use a strong and unique password for each individual site.  If possible, opt out of automatically saving your credit information.  It is safer to reenter these details each time you return to the site to make a purchase.  

6.  Select your payment method carefully.  Prepaid credit cards and gift cards are optimal choices for online transactions.  Credit card issuers are required to provide basic purchase protections to their customers, so a credit card is a better payment option than a debit card.  However, if you use your credit card online, you should monitor your account activity regularly and report unauthorized charges immediately (1).  Also, the safest and easiest way to make a purchase with a smaller vendor is to use a third-party payment service, such as PayPal, which acts as the intermediary between you and the vendor. 

7.  Read other customers’ feedback about the vendor and merchandise.  Read both positive and negative comments from other consumers to help you make educated decisions before you make a purchase (1). 

8.  Be an informed consumer.  The merchant’s website should tell you if the product is in stock, provide you with a choice of shipping methods, and offer you a timeline of when you will receive your merchandise (1).  Never commit to buying something if the bottom-line price is ambiguous.   

9.  Know the return policy before you buy!  Understand your rights when it comes to returns, exchanges, refunds, and credits BEFORE you make an online purchase (1).  Is there a restocking fee or a shipping charge for returning the merchandise? 

10.  Take your time and price shop!   You can be tempted to drop your defense when you are shopping from your living room sofa.  However, just because you are not in the thick of random elbow jabs and shopping cart Indy car races doesn’t mean you should stop looking out for your own best interest!  Shopping at home offers you the luxury to stop and think before being swayed by ‘cheap’ impulse buys; it also grants you the opportunity to check other online competitors in order to make sure you are getting the best bargain.    

For more great tips, security news and all the latest alerts, visit http://makeitsafe.missouri.edu/.

 

References:

1.  SANS Institute.  (2010).  Safer online shopping.  Retrieved from, http://www.securingthehuman.org/newsletters/ouch/issues/201006.pdf.
 

One for All and All for One: We Are All Responsible for Cyber Security


(October 1, 2013)

We are an Internet-driven society living digitally connected lives.  Web connectivity expands beyond just our homes and workspaces as mobile devices have become the craze of the future.  Most of us handle personal and professional business electronically, because the Internet provides us with the ability to expand our lives from local to global.  Even if you find yourself in the less technologically driven sector of the population, your information still passes through the information superhighway on a regular basis.  Financial transactions, healthcare information, biographical/demographical data, et cetera pass through the virtual realm at some point.

No one entity is solely responsible for safeguarding the Internet; it is a community resource and we all have a role in protecting our digital society.  We can do this by following best practices, implementing stronger security guidelines, expanding online security awareness,  and through continued training and educational opportunities.  Simply put, become engaged and get involved!

The month of October is recognized as National Cyber Security Awareness Month!  Throughout this month, the Division of IT will be hosting a series of free workshops in order to educate our users about computer and information security.  Visit http://makeitsafe.missouri.edu/awareness.html to learn more about each presentation topic and to view the complete schedule of presentations and events. 
Please join us in safeguarding our digital society!  

References:
National Cyber Security Alliance.  (2013).  National Cyber Security Awareness Month.  Retrieved from, http://www.staysafeonline.org/ncsam/about

“There’s an App for that!” Safeguarding your Mobile Device


(September 11, 2013)

Need to check your cash flow before you go out Friday night?  “There’s an app for that!”  Curious if you are still the highest bidder on an auction?  “There’s an app for that!”  Interested in staying in touch with friends and family via social networking?  You guessed it, “there’s an app for that” too! 

Mobile devices are products such as smartphones, media tablets, media players, and e-readers.  These devices boast portability, ease of use, and an abundance of applications which allow users to stay connected to the world through pocket-sized technology.  Given the growing complexity of their tiny operating systems and the limited security controls currently offered, an emerging concern is how to safeguard these compact devices.

Simply put, many users overlook the fact that they are carrying a device with the same functionality and processing power of any other networked computer, thus placing themselves at great risk for exploitation.  With new vulnerabilities discovered every day, there is a need to protect the data saved, accessed, and distributed from mobile devices. 

To ensure that you are protected, follow these 10 simple best practices:

  1.   Enable a PIN, passcode, or pattern.  According to a Sophos survey from 2011, 67% of mobile phone users have not enabled password protection on their device! This is your strongest defense in protecting yourself from unwanted use.  Activate the lock-out screen with a reasonably short idle timeout, make your PIN or passcode unique to each device, change it frequently and never share your PIN or passcode.
  2.   Never store sensitive data.  Passwords, financial information, social security numbers et cetera should never be sent from or saved on your mobile device. 
  3. Keep your operating system and applications current.  Just like any other computer, mobile device operating systems have updates that contain vital security patches. 
  4. Only download applications from trusted sources and just install the applications you need.  Remember, the more applications installed the greater potential for vulnerabilities, so be sensible when downloading all those free applications.
  5.  Always read installation prompts before downloading applications and software.  Carefully examine the information for which you are allowing access, such as personal information about yourself, your device, and your location.  The information retrieved from your device needs to be logical based on the type of application or software you are downloading. 
  6.  Keep optional network connections, such as Bluetooth and Wi-Fi, turned off when not in use.  If using these features in public, limit the amount of personal information you view.  SMS, MMS, Bluetooth and synchronization are all potential attack routes.
  7.  Limit your web browsing to well-known and trusted websites and use encryption when possible.  Utilizing email and web browsing features poses the threat of phishing scams, malicious sites, infected attachments, and other scams.  Use SSL encryption (https://) for web browsing when possible.
  8.   Employ remote wiping in the event your device becomes misplaced or stolen.   Remote wiping allows you to erase all data and information stored on your device after a set number of failed login attempts.  Attach an ID label to the back of your device with your name and details of how you can be reached to optimize your chances of the device being returned.
  9. Data sanitize your device prior to disposing of it.  Some devices have built-in features that allow you to securely erase all data.  Never dispose of a device without removing all personal information.
  10. Know the policy.  Before accessing work-related services or email, verify that it is permissible with your employer’s policies.  Also, familiarize yourself with the University’s mandatory reporting policy for lost or stolen mobile devices, found at http://infosec.missouri.edu/hr/mandatory-reporting.html

 

For more great tips, security news and all the latest alerts, visit http://makeitsafe.missouri.edu/.

 

References:

Penido, C.  (2011).  Smart phone security, protecting today’s most useful-and vulnerable-technology.  Retrieved from, http://www.nyu.edu/its/connect/w11/mobilesecurity.html.

SANS Institute.  (Feb. 2011).  Using your smartphone securely.  Retrieved from, http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201102_en.pdf.

Sophos.  (Aug. 2011).  67 percent of mobile phone consumers don’t have password protection on their mobile phones.  Retrieved from, http://www.sophos.com/en-us/press-office/press-releases/2011/08/67-percent-of-consumers-do-not-have-password-protection-on-their-mobile-phones.aspx.

United States Computer Emergency Readiness Team (US-CERT).  (2010).  Technical information paper-TIP-10-105-01, cyber threats to mobile devices.  Retrieved from, http://www.us-cert.gov/reading_room/TIP10-105-01.pdf.

University of Missouri Human Resource Security, Mandatory Reporting Requirement.  Retrieved from, http://infosec.missouri.edu/hr/mandatory-reporting.html.

Email Etiquette: Minding Your Electronic Manners


(September 11, 2013)

Admit it, at least once in your life you have accidently sent an email to the wrong person.  Chances are you have also inadvertently hit reply all when you really just intended to respond to one or two of the recipients.  Maybe you have even sent an email that you later apologized for because the recipient was not able to discern your tone within the written content.  In 2012, 144 billion emails were sent and received per day worldwide (1).  An email faux pas is bound to be committed at some point given our heavy reliance on electronic communication; however, effective and proper written communication is attainable when you learn from the most common email missteps.

Follow these best practices in order to keep your proverbial foot out of your mouth when communicating electronically:

  • Know when email is not your best option!  You have no control over an email once you hit send.  An email has the potential to go viral very quickly.  Private matters should not be communicated electronically just to avoid uncomfortable face-to-face conversations.  Also, remember the University has an obligation to access your email communications when legal requests for these records arise. 
  • Represent your best self.  Email may emit a casual vibe, but you should know your target audience and present yourself accordingly.  Keep professional emails precise, straightforward, and formal.  You may customize your fonts and stationery, but be aware of how it may reflect on you.  Also, do not rely on spell check alone to catch errors. 
  • Be aware that the recipient will not be able to use verbal cues or body language to decipher your tone.  Email has a tendency to feel abrasive; salutations can often offer warmth to written communications.  In addition, sarcasm is often lost in written form; therefore, it is best just to be upfront.    
  • Simmer down before you shoot off an email!  If you sense yourself getting emotional while drafting an email you should wait to send it.  Save the draft and read it again after you have had a chance to calm down. 
  • Always verify the name and email address of the recipient BEFORE you hit send.  Most of the time auto-complete will provide you with email recipient options as you type a name in the ‘to’ field.  While this is a nice feature it can be a detriment as well.   Always double check your recipients before clicking send!
  • Use distribution lists wisely.  Distribution lists are a fast and easy way to send an email to a large group of people.  However, before sending a note to potentially hundreds or thousands of members you should be confident that the email correspondence is appropriate for mass distribution.  When content only applies to a subset of members you are in fact spamming the rest of the group.  Another consideration is the maintenance of the distribution list group members.  If a distribution list is not kept current you could be sending sensitive information to members who are no longer privy to that information.  
  • ‘Reply All’ with care.  Do not choose ‘reply all’ if your response is sensitive or you have a question for just one of the email receivers.  Before sending your communication you should review the ‘to’ field to verify you are not responding to the entire group. 

For more great tips, security news and all the latest alerts, visit http://makeitsafe.missouri.edu/.

References:

1.  Radicati Group.  (2012).  Email statistics report, 2012-2016.  Retrieved from, http://www.radicati.com/wp/wp-content/uploads/2012/04/Email-Statistics-Report-2012-2016-Executive-Summary.pdf

2.  SANS Institute.  (2012).  Email dos and don’ts.  Retrieved from, http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201203_en.pdf

3.  Krotz, J.  (2011).  Got email manners?  See these dos and don’ts.  Retrieved from, http://www.microsoft.com/business/en-us/resources/technology/communications/got-email-manners-see-these-dos-and-donts.aspx?fbid=L6uvD0TdDOu

Standing at the Crossroads of Where ‘Needs-to-Know’ Meets ‘Least Privilege’


(September 11, 2013)

Lean in.  Closer...a little bit closer.  Ok, that’s good.  Next you hear a faint whisper; it’s almost inaudible.  Lips are softly moving across these four words:  Shhh...It’s a secret.  S-E-C-R-E-T.  These six little letters strung together cause an immediate physical response.  Your ears perk up.  Your skin begins to tingle as goose bumps rise along the top of your flesh.  This reaction is uncontrolled, a natural instinct of sorts.  You know in this moment you are about to be privy to something only shared with a few and for some reason, unbeknownst to you at the time, you have been given security clearance.

Just as certain information is intentionally kept from the general populace so should access to particular IT resources.  The principle of least privilege requires that each member be granted only the set of privileges necessary in order to perform their assigned duties or authorized tasks (1).  The overall goal is to reduce opportunities and risk for intentional or accidental misuse of systems or information (1). The benefits of the principle of least privilege include:  increased security, increased manageability through policy standardization, and increased compliance efforts with statutes and regulations such as FERPA and HIPAA. 

Not sure where to start when employing the principle of least privilege?  Follow these best practices!

  • Enforce the separation of duties:  Define the user’s tasks, consider the responsibilities and privileges that are necessary to perform those functions, and enforce the separation of duties when necessary (2).   As an example, a staff member serving as a developer should not also function as a security administrator or system administrator.    
  • Establish authentication access control mechanisms:  Requiring users to authenticate with their unique individual credentials when accessing databases, applications, Intranet sites, and other services provides assurance that only the intended users are able to access these resources (1). 
  • Employ time frames when necessary:  Certain events may require a user’s privileges to be elevated, but these considerations should also account for the element of time (1).  Add a begin and end date for the elevated access and review access accordingly.    
  • Utilize the access control methods that are available:  Access to certain IT resources can be easily managed and limited through methods such as group memberships and group policies.
  • Invoke access registration and termination policies:  Permissions for public folders, databases, applications, Intranet sites, and services should be reviewed at least biannually or during a staff change.
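The review items above (time-bounded elevated access, separation of duties, and revisiting permissions biannually or on a staff change) can be turned into a repeatable check.  The script below is an added illustration written for this article, not University of Missouri tooling.  The roster, the grant records, the user and resource names, the role list and the six-month review window are all constructed assumptions; a real review would read the roster from the HR or identity system and the grants from each resource’s access list.

```python
"""Periodic access review for least-privilege hygiene.

Added illustration for this article, not University of Missouri tooling.
The roster, grants, resource names, roles and the six-month review window
are constructed assumptions; a real review would read them from the
identity/HR system and from each resource's access list.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# "reviewed at least biannually": anything older than about 6 months is overdue.
REVIEW_INTERVAL = timedelta(days=183)

# Roles that must not also hold administrative rights on a system
# (separation of duties: a developer is not also a system administrator).
NO_ADMIN_ROLES = {"developer"}

# Date of the review run (constructed; the article's own publication date).
REVIEW_DATE = date(2013, 9, 11)


@dataclass(frozen=True)
class Grant:
    """One permission on one resource (constructed record format)."""
    user: str
    resource: str
    level: str            # "read", "write" or "admin"
    begin: date
    end: Optional[date]   # None means open-ended
    last_reviewed: date


# Constructed sample data: hypothetical users, roles and resources.
ROSTER = {"asmith": "developer", "bjones": "security-admin", "cdoe": "analyst"}

GRANTS = [
    Grant("asmith", "hr-db", "read", date(2013, 1, 15), None, date(2013, 8, 1)),
    Grant("asmith", "prod-server", "admin", date(2013, 6, 1), None, date(2013, 6, 1)),
    Grant("bjones", "prod-server", "admin", date(2013, 6, 1), date(2013, 6, 30), date(2013, 6, 1)),
    Grant("dgone", "hr-db", "write", date(2012, 3, 1), None, date(2012, 3, 1)),
    Grant("cdoe", "intranet", "read", date(2013, 2, 1), None, date(2013, 1, 1)),
]

Finding = Tuple[str, str, str]


def review_grants(grants: List[Grant], roster: dict, today: date) -> List[Finding]:
    """Return (user, resource, reason) tuples for grants that need action."""
    findings: List[Finding] = []
    for g in grants:
        if g.user not in roster:
            # Termination check: the owner has left, so nothing else matters.
            findings.append((g.user, g.resource, "user not on roster: revoke"))
            continue
        if g.level == "admin" and g.end is None:
            # Elevated access must carry a begin and end date.
            findings.append((g.user, g.resource, "elevated access has no end date"))
        if g.end is not None and g.end < today:
            findings.append((g.user, g.resource, "grant expired but still in place"))
        if today - g.last_reviewed > REVIEW_INTERVAL:
            findings.append((g.user, g.resource, "review overdue"))
        if g.level == "admin" and roster[g.user] in NO_ADMIN_ROLES:
            findings.append((g.user, g.resource, "separation of duties: role may not hold admin"))
    return findings


def users_needing_action(findings: List[Finding]) -> List[str]:
    """Distinct users appearing in the findings, for the follow-up worklist."""
    return sorted({user for user, _, _ in findings})


if __name__ == "__main__":
    for user, resource, reason in review_grants(GRANTS, ROSTER, REVIEW_DATE):
        print(f"{user:8} {resource:12} {reason}")
```

Each finding maps back to one of the practices above: a departed user still holding a grant is the termination case, an admin grant with no end date is the missing time frame, and a stale `last_reviewed` is the biannual review that did not happen.  Adding a new rule means adding one `if` block, so the checklist and the script stay in step.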

For more great tips, security news and all the latest alerts, visit http://makeitsafe.missouri.edu/

Encryption: Decoder Ring Not Included


(April 16, 2014)

It’s as though you are standing in the temple staring at dimly lit walls cast with shadows from your flaming torch.  You have narrowly escaped the clutches of danger to get here and it all comes down to this.  The key to unlocking the riches is in the hieroglyphics encrypted on the walls in front of you.  You know you must decipher these symbols properly or face dire consequences.  You can feel your heartbeat drumming in your ears.  You take a deep breath and close your eyes.  You sense the darkness surrounding you.  It feels as though you are being asphyxiated with each passing second. You draw in another breath in an attempt to steady the uncontrollable shaking of your hands.  You open your eyes and focus.  Under your breath you mutter...“Now what was that darn password to that encryption key again?!?”

What is encryption? 

  • Encryption is a method used to maintain confidentiality of your digital information.  It is the process of converting legible information into a format that is unrecognizable to anyone except the intended recipient.  In order to do so, encryption employs a mathematical formula (known as a cipher) and a key which converts plain text into cipher text (1).  To decrypt the information, an individual would need to use the same encryption formula (i.e. cipher or program) as well as your unique key (1).  Keys are typically a long sequence of numbers secured by authentication mechanisms such as passwords, tokens, or biometrics (1). 
  • Most devices (such as computers, smartphones, tablets, USB drives, and external hard drives) have encryption functionality already built into them.  If not, these devices can be encrypted by simply installing encryption software or by purchasing applications from your vendor’s app store (1). 
  • Encryption is a relatively straightforward process.   The encryption technique you choose will depend on the degree of sensitive information you store.  However, encryption alone will not protect you from targeted cyber-attacks. 
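To make the cipher-plus-key description concrete, here is a small password-based encryption routine.  It is an added example written for this article, not code from the University of Missouri or from any product the article names (BitLocker, FileVault), and it uses only the Python standard library: PBKDF2 stretches the password into the “long sequence of numbers” that is the actual key, an HMAC-SHA256 counter-mode keystream plays the role of the cipher, and a second HMAC tag detects a wrong key or altered data.  The message and passwords are constructed samples.  Real tools use AES for the cipher; this construction is only for showing how the pieces fit together, and it also shows why the warning later in the article holds: with the wrong password there is no partial recovery, only a failure.

```python
"""Password-based encryption as a minimal illustration of cipher + key.

Added example for this article, not code from the University of Missouri or
from BitLocker/FileVault. Standard library only: PBKDF2 derives the key from
the password, an HMAC-SHA256 keystream stands in for the cipher, and an HMAC
tag (encrypt-then-MAC) rejects a wrong password or tampered data.
"""
import hashlib
import hmac
import secrets
from typing import Tuple

PBKDF2_ITERATIONS = 100_000   # slows down offline password guessing
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the password into two independent 32-byte keys (cipher, MAC)."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS, dklen=64)
    return master[:32], master[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(password: str, plaintext: bytes) -> bytes:
    """Return salt || nonce || ciphertext || tag. Fresh salt and nonce every call,
    so the same password yields a different key and blob each time."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(password, salt)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt(password: str, blob: bytes) -> bytes:
    """Return the plaintext, or raise ValueError if the password is wrong or the
    data was modified. There is no recovery path without the right password."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        raise ValueError("wrong password or tampered data")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def can_decrypt(password: str, blob: bytes) -> bool:
    """True only if this password opens the blob; a wrong key yields nothing."""
    try:
        decrypt(password, blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample message and password.
    blob = encrypt("correct horse battery", b"spring term grant list (constructed sample)")
    print(decrypt("correct horse battery", blob))
    print(can_decrypt("correct horse batery", blob))   # one typo: no data comes back
```

Two points worth noticing in the code: the salt is stored alongside the ciphertext because it is not secret, only the password is; and the tag is checked before any decryption happens, so a wrong password or a flipped byte produces an error rather than garbage that looks like a partially recovered file.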

What are the different types of encryption available? 

  • Full Disk Encryption (FDE) encrypts all data on your hard drive, including any temporary files (1).  This is the best encryption option if you have a lot of sensitive information stored on a device.  There are several options for FDE.  In fact, BitLocker Drive Encryption comes standard with certain editions of Windows Vista, Windows 7, and Windows 8.  For Mac users, FileVault 2 is included in OS X Lion or Mountain Lion. 
  • Another option is to just encrypt specific files or folders that contain sensitive information.  Visit Microsoft’s site at http://windows.microsoft.com for instructions pertaining to Windows machines.  Mac users should refer to Apple’s knowledgebase at http://support.apple.com/kb/ht1578.   If you just want to encrypt specific Microsoft Office documents (such as Word, PowerPoint, and Excel documents), visit http://office.microsoft.com
  • Using an encrypted network channel is essential when you are conducting sensitive online exchanges, such as purchase transactions and online banking (1).  In general, most Wi-Fi connections are considered unsecure because they rarely require a password to gain access; thus, allowing anyone in the vicinity the ability to monitor your online activities.  The most common type of online browsing encryption is Hypertext Transfer Protocol Secure (HTTPS).  An https:// browser session automatically encrypts data transmitted over the Internet (1).  Many e-mail providers encrypt the transmission of email through the use of SSL (Secure Sockets Layer) (1).  If your e-mail provider does not provide this, you should switch to a provider that does.
  • University employees can encrypt the content of email messages sent to a non-University recipient.  To do this, faculty and staff must subscribe to the Ironport encryption service.  This service is available for a nominal fee and requires setup assistance from your departmental IT Professional.  University of Missouri Hospital staff are automatically enabled for this service and should contact the Hospital Help Desk with any questions regarding e-mail encryption.      
  • Secure TransmIT provides University faculty and staff the ability to safely transfer electronic files that cannot or should not be sent via the e-mail system due to the file size, file type, or the need for enhanced security (6). Using either your University e-mail account or a web browser, you can send files via a fully encrypted transmission to anyone with a valid e-mail address (6).  Recipients will receive an e-mail with instructions on how to access their file and will be given a one-time-use password which is necessary to retrieve the file (6).  Contact the IT Help Desk at 573-882-5000 to enroll in the Secure TransmIT service (6). 
  • Lastly, Virtual Private Networking (VPN)  should be employed when you are accessing University resources from an unsecure network off campus.  VPN creates a secure ‘virtual tunnel’ which allows the user to send and receive data across shared or public networks just as if they were part of the private network (5).  VPN employs all the same functionality, security, and management policies of the private network (5). 

Encryption issues and best practices:

  • The encryption key is an essential component to encrypting and decrypting your information.  If your encryption key is lost or damaged you will lose the ability to recover the encrypted information!  Back up your encryption certificate and key to preserve access to your data.
  • Encryption is only as strong as the password protecting it!  Never share this password with anyone and always use a strong, unique password for all of your encrypted data.  Note, you can lose the ability to recover your data if you forget the password protecting your encryption key!  Given this, you might consider investing in password manager software which provides a central and secure location to store all account passwords, PINs, and other sensitive information.  Examples of such software include: KeePass, Password Safe, PINs, RoboForm, and Turbopasswords. 
  • Encryption will not protect your device against theft, viruses, malware, unpatched vulnerabilities, or social engineering attacks (1).  Enable your firewall and always install security patches immediately to ensure you are protected from existing vulnerabilities. 

Visit http://makeitsafe.missouri.edu for more great tips, security news, and all the latest alerts!

References:

1.  SANS Institute.  (2011).  Understanding encryption.  Retrieved from, http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201107_en.pdf

2.  Microsoft.  (2013).  Encrypt or decrypt a folder or file.  Retrieved from, http://windows.microsoft.com/en-us/windows-vista/encrypt-or-decrypt-a-folder-or-file

3.  Apple.  (2013).  How to create a password-protected (encrypted) disk image.  Retrieved from, http://support.apple.com/kb/ht1578

4.  Castle, A.  (2013).  How to encrypt (almost) anything.  Retrieved from, http://www.pcworld.com/article/2025462/how-to-encrypt-almost-anything.html

5.  SANS Institute.  (2002).  Remote access VPN’s, a basic look.  Retrieved from, http://www.giac.org/paper/gsec/2141/remote-access-vpns-basic/102778

6.  Division of IT.  (2012).  Secure TransmIT.  Retrieved from, http://doit.missouri.edu/security/secure-transmit/

7.  Microsoft.  (2013)  Password protect documents, workbooks, and presentations.  Retrieved from, http://office.microsoft.com/en-us/word-help/password-protect-documents-workbooks-and-presentations-HA010148333.aspx

8.  Microsoft.  (2013).  Back up Encrypting File System (EFS) certificate.  Retrieved from, http://windows.microsoft.com/en-us/windows-vista/back-up-encrypting-file-system-efs-certificate

From Surfing Waves to Surfing the World Wide Web: Be Safe Online While Traveling

travel-image.png

(September 11, 2013)

Picture this:  You are sitting in a lounge chair strategically placed under an umbrella constructed of palm leaves.  The sun is at your back and the ocean waves are crashing against the shore gently in front of you.  The ocean seems endless, blue and white cascades moving in and out.  The warm white sand is soft and tacky between your toes.  Here, right now in this place, you feel the weight of responsibility lifted. 

The philosophy of vacation is quite simple:  Relax, rejuvenate, be carefree, and most of all enjoy yourself.   While some may choose to break waves at a tropical hotspot destination; others may take to the open road; the daring may elect to defy gravity by climbing Mount Everest; and others may pick a culturally enriching international destination.  No matter where your journey takes you, do not allow yourself to become careless with security! 

One of the most effective ways to protect yourself when traveling is to take preventive measures before your departure (1).  Complete the following actions before leaving home: 

  1. Update your operating system, applications, and anti-virus software on your mobile devices.  Operating systems, applications, and anti-virus software all offer periodic updates containing vital security patches.  Keep your system on current versions.
  2. Ensure your firewall is enabled.  This prevents others from connecting to your device over the network.
  3. Encrypt confidential information stored on your devices.  Most mobile devices come with encryption capabilities built in.  If not, you may install encryption applications.  You should consult your vendor’s application store or marketplace for information on what is available.
  4. Enable the automatic lock screen and use a strong password, passphrase, pattern, or PIN to unlock the device.  Activate the lock-out screen with a reasonably short idle timeout, make your PIN or password unique to each device, and never share your PIN or password. 
  5. Configure your device for remote wiping.  In the event that your device is lost or stolen, remote wiping allows you the capability to erase all data and personal information stored on the device (2).  Affix a label to the back of your device with your name, email, and phone number to increase the likelihood of misplaced belongings being returned to you.
  6. Do not post travel plans on social media sites.  You should always limit the amount of personal information you share on these sites.  While your account may be set up securely, you have no control over how your friends set up their accounts.

Follow these best practices while you are traveling:

  1. Use sponsored Wi-Fi networks hosted by legitimate organizations and pay attention to the Wi-Fi encryption types.  Your online activities can be monitored by others while you are connected to a public network.  Protect yourself by ensuring you are on a legitimate Wi-Fi connection.  Look for posted signs found in hotel lobbies, airport terminals, or cafés displaying the name of the supported Wi-Fi network.  Also, the most common Wi-Fi encryption types (ordered by most secure to least secure) are: WPA2, WPA, and WEP. 
  2. Limit your web browsing to well-known and trusted websites and use encryption when possible. Utilizing email and web browsing features poses the threat of phishing scams, malicious sites, infected attachments, and other scams.  Use SSL encryption (https://) for web browsing when possible.  An https:// browser session automatically encrypts data transmitted over the Internet. Also, most email service providers offer an encryption option.  If available, enable the SSL option for your email. 
  3. Keep optional network connections, such as Bluetooth and Wi-Fi, turned off when not in use. If using these features in public, limit the amount of personal information you view. SMS, MMS, Bluetooth and synchronization are all potential attack routes.
  4. Limit your use of public computers to casual web browsing only.  Public computers may be infected with malware or keyloggers.  If you have no choice but to use a public computer to make a transaction or to communicate sensitive information, you should assume any information shared could be compromised.  Keep track of the accounts you accessed on a public computer and change your passwords immediately once you are on a trusted computer and network.
  5. Turn off cookies and autofill options.  If your mobile device automatically enters passwords and login information into websites you visit frequently, turn this feature off.  While convenient, these options pose privacy threats. 
  6. Always keep your device on you or locked in a secure location.  You should place mobile devices in your carry-on luggage; do not check these items.  There is no guarantee your luggage will arrive at your destination at the same time as you do, and there is always a risk of baggage being ransacked before you obtain it.  If you are on a road trip, you should lock electronics in the glove compartment or rear storage of the vehicle. 

What if you follow all these best practices and still get hacked?  Change your password immediately.  For suggestions on creating a strong password, visit the Division of IT’s MakeITSafe password safety page.  If your device has been compromised, misplaced, or stolen you should employ remote wiping.  If you did not configure your device for remote wiping beforehand, you still have the capability to wipe your Microsoft Exchange account.  Faculty, staff, and students may request remote wiping of their University email account, contacts, and calendar.  For assistance with this process, contact the IT Help Desk at 882-5000. 

References: 

  1. SANS Institute.  (2011).  Staying Secure Online While Traveling.  Retrieved from http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201104_en.pdf
  2. Kugler, L.  (2011).  9 Ways to Keep Your Mobile Devices Secure While Traveling.  Retrieved from http://www.pcworld.com/article/218671/9_ways_to_keep_your_mobile_devices_secure_while_traveling.html

Social Engineering: Hacking the Human Operating System

social-engineering.png

(May 14, 2013)

You are sitting at your desk when your office phone rings.  You answer.  The voice on the other end is pleasant.  “Hello.  My name is Steven.  I am with the University’s IT department.  How are you today?”  After a few short exchanges, Steven gets to the point.  “We have been monitoring our network due to an abundance of suspicious activity.   I am calling you today because your device has been identified as one of the sources for this malicious network traffic.  We believe you may have inadvertently installed malevolent malware and I would like to use this time to assist you in removing it.  Before we begin, let me verify a few account details with you.”  Steven states the following:  your name, your department, your title, your phone number, and your user name for your University account.  You confirm all of these details are true.  Steven replies, “Great, thank you!  Now, to further assist you, can you please provide me with your University password?”  He tells you he is going to remote into your machine and run an anti-malware tool. 

Do you give Steven your password?  The correct answer is NO!  First, NEVER share your password.  Second, Steven simply provided you with directory information when he confirmed your identity.   It may have seemed legitimate, but anyone can access the directory and most of us publish our information.  Lastly, what do you really know about Steven?

Social engineering is a psychological attack used to exploit human vulnerabilities.  While the schemes often vary, the overall goal remains the same.  Social engineers will say or do just about anything to obtain sensitive information from you.  Technical knowledge is often unnecessary for a successful social engineering scam; in fact, most of these ploys merely rely on adept social skills (1).  Technology cannot protect you from being a victim of a social engineering scam (2).  Awareness is your best defense! 

Follow these best practices to protect yourself from social engineering attacks:

  • Be alert and do not rely on identification alone for authentication.  Gather specifics about the person soliciting personal information from you before obliging their request.  Who are they?  Where do they work?  What is the call regarding?  Politely ask for a call back number and tell them you will get in touch with them at a more convenient time.  This grants you the opportunity to do some investigation beforehand and you can call them back when you are clear of all distractions.    
  • Never share your password!  A legitimate organization will never ask for your password. 
  • Pay attention to the information requested.  If you are asked for details that the organization is already privy to, do not provide the information.  For instance, you should be suspicious if your supposed credit card company is calling you to confirm your credit card number and security code.  Additionally, it should be considered suspect if someone from your supposed bank wants to confirm your account number and routing number. 
  • Keep your guard up.  Social engineers will use several methods to gain your trust and cooperation.  You should be leery of individuals being overly friendly, aggressive, or insistent as these are common social engineering tactics.  Bottom line, if you do not feel comfortable then you should trust your instincts. 
  • Be aware of your office surroundings.  If you see someone you do not recognize roaming the vicinity then address them.   They could simply be lost or they could be looking for information left carelessly unattended.  Always lock up personal items and confidential information when you leave your area.  Additionally, if you work in a building where ID badges are required to gain entrance then do not allow strangers to follow you in.  This is called ‘tailgating’ and it is a very common approach used by social engineers. 
  • Report suspicious activity.  Inform your direct supervisor or the police if you believe the situation warrants their involvement. 

Visit http://makeitsafe.missouri.edu for more great tips, security news, and all the latest alerts!

References:

1.  SANS Institute.  (2004).  Social Engineering.  Retrieved from, http://www.sans.org/reading_room/whitepapers/engineering/social-engineering_1365

2.  SANS Institute.  (July 2012).  The Tech-Support Phone Call Scam.  Retrieved from, http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201207_en.pdf

SMiShing Is Nothing to ‘LOL’ About :)

smishing.jpg

(May 14, 2013)

Text messaging is innate for most mobile phone users.  In fact, more than 80% of the US population owns a mobile phone and 70% of these individuals regularly send or receive texts (1).  Short Message Service (SMS) texting offers a casual, relaxed communication platform whereby emoticons and abbreviations are the norm.  There is nothing complex or ornate about text messages, thus adding to their appeal.  However, as we acquire a more lax mindset with this technology we become susceptible to cyber threats. 

More than 6 billion SMS text messages were sent per day in the United States in 2011 (1), making mobile phones one of the largest targets for exploitation in intricate phishing attacks commonly referred to as SMiShing.  SMiShing texts attempt to entice users into providing personally identifiable information or credit card details by offering glorious prize winnings such as high-dollar gift cards and sought-after devices like iPads.  SMiShers will also try to coerce users through hoax account notices involving banks and large corporations.  

Awareness is your best line of defense against SMiShing attacks!  Follow these best practices to reduce your vulnerability to SMiShing: 

  • Never provide sensitive information via text.  Regardless of whether or not you know the recipient, text messaging is not a secure method for data transmission.   
  • Do not respond to unsolicited messages or spam.  If you receive a text requesting personal or account information you should delete it immediately.  Be suspicious of all unknown senders and unsolicited messages.  Additionally, replying to spam messages confirms you have an active phone number and increases your odds for more spam and SMiShing attacks (4). 
  • Do not click on links within a message.  Clicking on links within messages can install malware which allows attackers to gather information directly from your phone. 
  • Enroll your phone on the National Do Not Call Registry.  The Do Not Call Registry is managed by the Federal Trade Commission; this service restricts the amount of telemarketing phone calls you receive (2). 
  • Report SMiShing. SMiShing and text spam complaints can be filed with the Federal Trade Commission (2).   

Visit http://makeitsafe.missouri.edu for more great tips, security news, and all the latest alerts!

References:

1.  Forrester Blogs.  (2012).  SMS Usage Remains Strong in the US:  6 Billion SMS Messages are Sent Each Day.  Retrieved from, http://blogs.forrester.com/michael_ogrady/12-06-19-sms_usage_remains_strong_in_the_us_6_billion_sms_messages_are_sent_each_day

2.  Federal Trade Commission.  (2013).  Text Message Spam.  Retrieved from, http://www.consumer.ftc.gov/articles/0350-text-message-spam

3.  Federal Bureau of Investigation.  (2010).  SMiShing and Vishing.  Retrieved from, http://www.fbi.gov/news/stories/2010/november/cyber_112410/cyber_112410

4.  NBC News.  (2013).  SMiShing Text Messages Seek Your Credit Card Info.  Retrieved from, http://www.nbcnews.com/technology/technolog/smishing-text-messages-seek-your-credit-card-info-947348

Don’t Neglect Your “LOVE” for Technology This Valentine’s Day!

love.jpg

(May 14, 2013)

I rely on you to always be there;

to help me engage and keep me close to those I hold dear.

I don’t buy you flowers or candies or take you out on dates;

but I may expect you to help me find my soul mate!

I don’t feel judged by you, even when you give me a little nudge;

I know you just want to guard me from all that cyber sludge! 

You don’t ask me for much;

just that I use anti-virus protection and occasionally back my stuff up!

It shouldn’t require a special February holiday for me to profess;  

Yet as Valentine’s Day approaches, I must confess: 

I love you, technology! 

I promise to update you, protect you, and always pay these dues;

I will avoid spam and phishing and use caution on the World Wide Web by listening to your cues!   

 

Technology can be both amazing and horrifying all at the same time.  Today’s devices offer tremendous features and power; however, they also expose us to a multitude of risks.  In order to minimize threats, ensure your devices are safely configured and be attuned to some basic security measures.    

Follow our best practices to show L-O-V-E to your technological devices!

1.  Always keep your devices up-to-date. Operating systems, applications, web browsers, and anti-virus software all offer periodic updates containing vital security patches.  Install security patches immediately to ensure you are protected from existing vulnerabilities. 

2.  Ensure your firewall is enabled. This prevents others from connecting to your device over the network.

3.  Create backups.  Make backups regularly of your system and any pertinent files you may need to access.  Store a copy of your backups in a safe place.  Data corruption and hardware/software failures are unfortunate risks related to all technology.  ‘The computer ate my homework’ is never a good excuse!

4.  Enable the automatic lock screen and use a strong password, passphrase, pattern, or PIN to unlock the device. Activate the lock-out screen with a reasonably short idle timeout.  Make your PIN or password unique to each device, and never share your PIN or password with anyone!  Also, routinely change your PIN or password; you should reset it at least annually. 

5.  Keep optional network connections, such as Bluetooth and Wi-Fi, turned off when not in use. SMS, MMS, Bluetooth and synchronization are all potential attack routes.  When using these features in public, limit the amount of personal information you view.  Never access, transmit, or receive sensitive information over an unsecure Wi-Fi network! 

6.  Limit your web browsing to well-known and trusted websites and use encryption when possible. Utilizing email and web browsing features poses the threat of phishing scams, malicious sites, infected attachments, and other scams. Use SSL encryption (example:  https://<website>) for web browsing when possible.

7.  Never email sensitive information. Email is not a secure method for transmitting or saving sensitive information such as financial information, Social Security numbers, et cetera. 

8.  Do not open attachments from unknown sources or click on direct links provided in an email. Attachments can contain viruses that allow cyber attackers to gain control of your computer system.  Additionally, avoid clicking on links provided in an email. If you get an email from what appears to be a known source, such as your bank or a store, type their web address into your browser and access your account directly. If you are unsure of the exact destination site use a search engine to look up the company.

9.  Turn off cookies and auto-fill options. Turn off features which automatically enter your password and login information into websites.  While convenient, these options pose privacy threats.

10.  Never leave your device unaccompanied when you are in public spaces.  Additionally, configure your mobile devices for remote wiping. Remote wiping provides you with the capability to erase all data and personal information stored on that device if it should become lost or stolen.

For more great tips, security news and all the latest alerts, visit http://makeitsafe.missouri.edu/.

Password Safety in the Digital Age

password-security.png

(January 9, 2013)

As children we would use passwords as a means to keep “intruders” out of our secret hideouts.  While the context of how we use a password has changed since childhood, the necessity of having a strong password is now more important than ever.  Today password protection is your first line of defense against many cyber threats.  Your username and password are the most common means for verifying your identity online.  Think of how many times per day you use these components to log into your computer, access accounts and websites, and to transmit sensitive information.  While technology has made routine chores simpler and faster, it has also increased our vulnerability to cyber-attacks.  Here are a few examples of what these attackers are doing with YOUR account information:  Sending threatening email on your behalf; accessing websites to purchase items with your credit card information you have saved on the site; accessing, modifying, or deleting documents stored on your computer or on any other central file server you have permission to access; and using your University credentials to gain access to confidential information.  As society becomes further immersed into the digital age, it becomes even more important to keep your guard up!  

Protect your password by following these best practices:

  • Never share your password with anyone.  There have been reported cases where individuals pretending to be IT staff or system administrators will ask for your password.  Your password protects your information and no one, including an IT professional, should ever need it. 
  • Do not enter your password into suspicious websites.  Phishing scams use spoof email, pop-up messages, or fraudulent URLs to deceive users into disclosing account passwords, credit card numbers, bank account information, their Social Security number, or other confidential information.  While attempts are made to block these types of emails they can still end up in your inbox.  If you get a request to provide your password or other personal information, please do not respond to the message.  Either delete this message or report it to abuse@missouri.edu.  When reporting phishing, you need to send the email as an attachment.  For instructions on how to attach an email click here.
  • Be cautious when using a public space.  When using a public computer, you should never save items to the machine, always clear your cookies and cache, and sign off before you leave.  When using public Wi-Fi on your own portable device, limit the amount of personal information you view.
  • Routinely change your password.  You should change your passwords at least annually and ensure you have designated a strong password.  It is best to choose a separate login ID and password for each website you access.  To change your University password, log into the Password Manager tool.  Visit the Division of IT’s MakeITSafe page for suggestions and tips on creating a strong password. 
  • Avoid the “save password” feature.  This feature is provided to users through Internet browsers and is often offered when visiting websites which require login credentials or when setting up a new email client.  It is much more secure to enter the password each time you visit a site, therefore, you should always opt out of this feature. 
  • Do not record passwords in a place where they can be compromised.  This includes cellular phones and other portable devices.  It also includes a sticky note pasted onto your monitor or under your keyboard!  Password manager software provides a central and secure location to store all account passwords, PINs, and other sensitive information.  Many of the software options include a feature for password generation which will automatically create a new random password for each of your individual accounts.  Examples of password manager software include:  KeePass, Password Safe, PINs, RoboForm, and Turbopasswords.  Some of the aforementioned software products are free, others require a nominal fee.  If you are interested in obtaining a password manager product, please review all the options available in order to choose the best product for your needs.   
  • Watch for signs of misuse.  Common signs include:  Sent emails in your ‘sent items’ folder which you do not remember composing; new icons, programs, files or start menu items which you did not install; and noticeable performance degradation on your machine. 
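Two of the practices above, generating a fresh random password for every account and never reusing one across sites, can be seen working in the added example below.  It is written for this page and is not code from any of the password managers named above; the character classes and the sample vault are constructed for illustration.  Passwords are drawn from the operating system's secure random source (Python's `secrets` module), and `find_reused_passwords` audits a vault the way a password manager's reuse report would.

```python
import math
import secrets
import string
from collections import defaultdict

# Character classes every generated password must draw from.  This policy is
# an assumption for the example, not a University requirement.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&*+-=?@^_~",
}
ALPHABET = "".join(CLASSES.values())


def generate_password(length: int = 20) -> str:
    """Return a random password of `length` characters drawn with the OS
    CSPRNG (secrets), containing at least one character from every class.
    Rejection sampling keeps each accepted string uniformly distributed
    over all strings that satisfy the class rule."""
    if length < len(CLASSES):
        raise ValueError("length too short to cover every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in CLASSES.values()):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing entropy of a uniformly random string of the given length:
    the attacker must try up to alphabet_size ** length candidates."""
    return length * math.log2(alphabet_size)


def find_reused_passwords(vault: dict) -> dict:
    """Given {account: password}, return {password: [accounts]} for every
    password that protects more than one account.  A non-empty result means
    one compromised site exposes every account listed under that password."""
    by_password = defaultdict(list)
    for account, password in vault.items():
        by_password[password].append(account)
    return {pw: accts for pw, accts in by_password.items() if len(accts) > 1}


def build_vault(accounts, length: int = 20) -> dict:
    """Assign an independently generated password to every account."""
    return {account: generate_password(length) for account in accounts}


if __name__ == "__main__":
    # Constructed sample vault with a password shared between two accounts.
    sample = {"bank": "Spring2013!", "email": "Spring2013!", "shop": "x9#Lq2"}
    print("reused:", find_reused_passwords(sample))
    fresh = build_vault(sample)
    print("reused after regeneration:", find_reused_passwords(fresh))
    print(f"entropy per password: {entropy_bits(20):.1f} bits")
```

A 20-character password over this 76-symbol alphabet carries roughly 125 bits of entropy, far beyond what a memorable password offers, which is exactly why the generated value belongs in the manager's encrypted store rather than in your memory or on a sticky note.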

If your password has been compromised or you notice suspicious activity on your accounts, change the password immediately.  If this vulnerability relates to your University account, you are required to report the incident.  Please review the mandatory reporting requirement at http://doit.missouri.edu/security/response/

At Work, Nothing is Personal: Compartmentalizing Your Inbox

personal-email.png

(January 9, 2013)

Throughout the years email has become one of our most readily used forms of communication.  You cannot buy something online, register a product, or even leave a store without someone asking you for your email address.  In fact, we use it so often we can become desensitized to its true purpose and desired intention. 

The objective for your email account should differ widely depending on whether it is your University account or your personal account.  As a best practice, your University account should be regarded as work-related and reserved for what it has been truly designed for:  University business.  Use your personal account for everything else such as personal communications, coupons, purchase confirmations, product registries and updates, and so forth. 

Here are a few reasons why it is essential to compartmentalize your private and professional electronic communications:

It enhances your security consciousness.  If you do not offer your University email address to financial organizations (such as your bank or PayPal), you can be certain that any email you receive through your University inbox claiming to be from one of these entities is a phishing attempt.  The best approach with phishing is to simply delete the message.  If you would like to report it, you may send it to abuse@missouri.edu.  When reporting phishing, please send the original email as an attachment by dragging and dropping it into a new message box.

Your University email account may be more secure if you are using it for professional use only.  You should not use your University account for non-work related website registrations.  Registering your information with various sites can be risky as some sites are less secure than others.  If your personal account becomes compromised because of a weakness at one of these sites, the integrity of your University account will remain intact.  Note:  you should have different passwords for each of your accounts and each site you access! 

It improves your productivity and helps you stay organized.  Personal emails or spam can interfere with your work and increase the likelihood of important work-related emails getting overlooked or lost within the mix.  Separate email accounts grant you the opportunity to direct non-work items to your other email account, making it easier for you to stay on task while at work.

There are legal obligations regarding the accessibility of your sent/received email.  There may be a legal need to review University communications in which case your email communications may be made available.  Most people would prefer their personal communications not be scrutinized or reviewed as part of this process, thus even more incentive to have separate professional and personal email accounts. 

The University’s spam filtering tools may block certain inbound emails.   The University employs spam filtering tools in an effort to reduce unwanted inbound email.  The University will accept requests for email address exceptions (this is known as whitelisting); however, the requestor must be able to provide legitimate cause for this exception.  Whitelisting requests that do not pertain to University business may be declined. 

‘Twas the Night before Cyber Monday: Tips for Staying Secure While Shopping Online

shopping-cart.png

(January 9, 2013)

‘Twas the night before Cyber Monday and all through the house not a creature was stirring...well except for me and my computer mouse!  The stockings were hung by the electric fireplace with care, in hopes that Cyber Monday sales would bring Christmas cheer.   The children were nestled all snug in their beds, while visions of a new Xbox and iPods danced in their heads!  When all of the sudden an Internet ad arose such a Facebook chatter; I swiftly clicked on the thread to see what was the matter.  I opened a new browser tab like the Flash, tore open the ad and revealed a HUGE coupon stash!  I knew in that moment I would be better than St. Nick!  I whistled, and shouted, and called them by name; Now, Best Buy! Now, New Egg! Now, Target and Lowes!  On, Amazon!  On, Walmart! On, Macy’s and Kohl’s.  Now shop away, shop away, shop away all!  Lucky me, I didn’t even have to go to the mall!

Electronic retail is a non-shopper’s holiday shopping dream come true!  The lines are nonexistent, the wait time is short, and your online shopping cart will never present you with a squeaky or wobbly wheel.  It truly is the best of both worlds.  You can stay home and shop from your computer in your warm and comfy pajamas and slippers.  Not only that, but the parking is close and you do not have to watch strangers duke it out over the last Furby (admit it.  They are kind of creepy!)  However, online shopping does pose some security risks. 

Follow our best practices to ensure your holiday shopping goes without a hitch!

1.  Utilize anti-virus protection and make sure your firewall is on.  Your operating system, anti-virus software, and web browser must also be kept up-to-date with the latest security patches. 

2.  Limit your web browsing to well-known and trusted websites and use encryption when possible.  Encrypted websites contain an https:// web address and most browsers will display a padlock icon as a visual symbol for encryption.  However, an encrypted website alone is not sufficient evidence of a merchant’s integrity!  Encryption helps protect information in transit; it does not enforce regulations over a merchant’s business practices (1). 

3.  Be aware of your surroundings.  You should never use unsecured networks (such as public wireless networks) or public computers for making online purchases.

4.  Double check your domain names.  Almost all reputable vendors have registered domain names which match their company name, such as: www.<companyname>.com.  Check your spelling; subtle misspellings of company names are often used by phishers seeking to lure you to counterfeit websites (1).

5.  Employ strong password safety.  If the vendor requires account creation, use a strong and unique password for each individual site.  If possible, opt out of automatically saving your credit information.  It is safer to enter these details each time you return to the site to make a purchase.  

6.  Select your payment method carefully.  Prepaid credit cards and gift cards are optimal.  Also, regular credit cards are required to provide basic purchase protections to their customers.  If you use your credit card, you should monitor your account activity regularly and report unauthorized charges immediately (1).  In addition, the safest and easiest way to make a purchase with a smaller vendor is to use a third-party payment service, such as PayPal, which acts as the intermediary between you and the vendor. 

7.  Read other customers’ feedback about the vendor and merchandise.  Read both positive and negative comments from other consumers to help you make educated decisions before you make a purchase (1). 

8.  Be an informed consumer.  The merchant’s website should tell you if the product is in stock, provide you with a choice of shipping methods, and offer you a timeline of when you will receive your merchandise (1).  Never commit to buying something if the bottom-line price is ambiguous.   

9.  Know the return policy before you buy!  Before you make an online purchase, understand your rights when it comes to returns, exchanges, refunds, and credits (1).  Will there be a restocking fee or a shipping charge for returning the merchandise? 

10.  Take your time and price shop!   From the safety of your couch you might be tempted to drop your defense.  Just because you are not in the thick of random elbow jabs and shopping cart Indy car races doesn’t mean you should stop looking out for your best interest!  Shopping at home offers you the luxury to stop and think before being swayed by ‘cheap’ impulse buys; it also grants you the opportunity to check other online competitors in order to make sure you are getting the best deal for your money.    
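Tips 2 and 4 above (look for https:// and double check the domain name for subtle misspellings) are mechanical enough to be automated.  The added example below is written for this page, not code from any vendor or from the Division of IT; the vendor allowlist and the sample URLs are constructed.  It reduces a URL to its registrable domain, requires https, and flags any domain that is within a couple of edits of a known vendor name without being that name.

```python
from urllib.parse import urlsplit

# Allowlist of vendor domains the shopper actually intends to visit.
# Constructed for this example; in practice this would be the user's own
# bookmarks.  Comparison is done on the registrable domain, so a trusted
# name appearing only as a subdomain of some other domain never matches.
KNOWN_VENDORS = {"amazon.com", "bestbuy.com", "target.com", "walmart.com"}


def registrable_domain(hostname: str) -> str:
    """Collapse 'www.shop.example.com' to 'example.com'.  Assumes a simple
    one-label public suffix; production code would use the Public Suffix List."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character insertions, deletions or
    substitutions needed to turn a into b.  Classic two-row dynamic program."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_shop_url(url: str, known=KNOWN_VENDORS, max_distance: int = 2) -> dict:
    """Classify a shopping URL before submitting payment details:
       ok        - https and exactly a known vendor domain
       no-https  - known vendor domain, but the page is not served over https
       lookalike - not a known domain, yet within max_distance edits of one
       unknown   - none of the above (not vetted; not necessarily malicious)
    """
    parts = urlsplit(url)
    domain = registrable_domain(parts.hostname or "")
    https = parts.scheme == "https"
    if domain in known:
        return {"domain": domain, "verdict": "ok" if https else "no-https", "nearest": domain}
    nearest = min(known, key=lambda k: edit_distance(domain, k))
    if edit_distance(domain, nearest) <= max_distance:
        return {"domain": domain, "verdict": "lookalike", "nearest": nearest}
    return {"domain": domain, "verdict": "unknown", "nearest": None}


if __name__ == "__main__":
    # Constructed sample URLs; the misspelt host is illustrative only.
    for sample in ("https://www.amazon.com/deals",
                   "http://www.target.com/",
                   "https://www.amaz0n.com/login",
                   "https://example.org/"):
        print(sample, "->", check_shop_url(sample))
```

The edit-distance threshold only catches near-spellings of a vendor name; a completely different domain comes back as "unknown", which is a prompt to type the vendor's address yourself rather than follow the link, exactly as tip 4 advises.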

For more great tips, security news and all the latest alerts, visit http://makeitsafe.missouri.edu/.

References:

1.  SANS Institute.  (2010).  Safer online shopping.  Retrieved from, http://www.securingthehuman.org/newsletters/ouch/issues/201006.pdf

October is National Cyber Security Awareness Month

national-cyber-security-awareness-month.png

(September 19, 2012)

October is recognized as National Cyber Security Awareness Month.  In support of this effort, the Division of IT will host our annual MU Security Awareness Month.   MU Security Awareness Month consists of a series of free workshops which will bring subject matter experts to MU for a variety of security related topics.  The intent is to educate MU faculty, staff, and students about computer and information security.  Some of the workshops will be more technical or IT Professional driven; however, the sessions are open to all MU faculty, staff, and students.  Audience participation is encouraged, so please bring your questions and take full advantage of the experts that will be on-hand to answer them!

More info: Security Awareness Month

Password Safety in the Digital Age

password-security.png

(August 21, 2012)

As children we would use passwords as a means to keep “intruders” out of our secret hideouts.  While the context of how we use a password has changed since childhood, the necessity of having a strong password is now more important than ever.  Today password protection is your first line of defense against many cyber threats.  Your username and password are the most common means for verifying your identity online.  Think of how many times per day you use these components to log into your computer, access accounts and websites, and to transmit sensitive information.  While technology has made routine chores simpler and faster, it has also increased our vulnerability to cyber-attacks.  Here are a few examples of what these attackers are doing with YOUR account information:  Sending threatening email on your behalf; accessing websites to purchase items with your credit card information you have saved on the site; accessing, modifying, or deleting documents stored on your computer or on any other central file server you have permission to access; and using your University credentials to gain access to confidential information.  As society becomes further immersed into the digital age, it becomes even more important to keep your guard up!  

Protect your password by following these best practices:

  • Never share your password with anyone.  There have been reported cases where individuals pretending to be IT staff or system administrators will ask for your password.  Your password protects your information and no one, including an IT professional, should ever need it. 
  • Do not enter your password into suspicious websites.  Phishing scams use spoof email, pop-up messages, or fraudulent URLs to deceive users into disclosing account passwords, credit card numbers, bank account information, their Social Security number, or other confidential information.  While attempts are made to block these types of emails they can still end up in your inbox.  If you get a request to provide your password or other personal information, please do not respond to the message.  Either delete this message or report it to abuse@missouri.edu.  When reporting phishing, you need to send the email as an attachment.  For instructions on how to attach an email click here.
  • Be cautious when using a public space.  When using a public computer, you should never save items to the machine, always clear your cookies and cache, and sign off before you leave.  When using public Wi-Fi on your own portable device, limit the amount of personal information you view.
  • Routinely change your password.  You should change your passwords at least annually, and immediately if you suspect one has been exposed, and ensure you have designated a strong password.  It is best to choose a separate login ID and password for each website you access, so that a breach of one site does not expose your other accounts.  To change your University password, log into the Password Manager tool.  Visit the Division of IT’s MakeITSafe page for suggestions and tips on creating a strong password. 
  • Avoid the browser’s “save password” feature.  Internet browsers and new email clients offer to remember your credentials when you log in to a site.  Anyone who sits down at your unlocked computer, or who infects it with malware, can then use or read those stored passwords, so opt out of this feature, particularly on shared or portable machines, and enter the password each time you visit a site.  If you want the convenience, a dedicated password manager protected by a master password (see below) is the safer choice. 
  • Do not record passwords in a place where they can be compromised.  This includes cellular phones and other portable devices.  It also includes a sticky note pasted onto your monitor or under your keyboard!  Password manager software provides a central and secure location to store all account passwords, PINs, and other sensitive information behind a single strong master password.  Many of the software options include a feature for password generation which will automatically create a new random password for each of your individual accounts.  Examples of password manager software include:  KeePass, Password Safe, PINs, RoboForm, and Turbopasswords.  Some of the aforementioned software products are free; others require a nominal fee.  If you are interested in obtaining a password manager product, please review all the options available in order to choose the best product for your needs.   
  • Watch for signs of misuse.  Common signs include:  Sent emails in your ‘sent items’ folder which you do not remember composing; new icons, programs, files or start menu items which you did not install; and noticeable performance degradation on your machine. 

 If your password has been compromised or you notice suspicious activity on your accounts, change the password immediately, from a computer you trust rather than the one you suspect.  If the compromise involves your University account, you are required to report the incident.  Please review the mandatory reporting requirement at http://doit.missouri.edu/security/response/
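The advice above comes down to two numbers: how much guessing an attacker has to do per password, and how many accounts fall when one password is exposed.  The script below is an added example, not part of the original article or of any of the products named above.  It uses Python's standard library only; the symbol set, the 20-character default length, and the guessing rate used for the crack-time estimate are this example's own assumptions.

```python
import math
import secrets
import string

# Character classes the generator draws from; SYMBOLS is this example's own choice.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password chosen uniformly at random: length * log2(alphabet size).
    This is what matters against offline guessing; a dictionary word with a capital
    letter and a digit bolted on has far less entropy than its length suggests."""
    return length * math.log2(alphabet_size)


def crack_time_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to guess a password of the given entropy: on average the
    attacker tries half of the space before hitting the right value."""
    return 2 ** (bits - 1) / guesses_per_second


def has_all_classes(password: str) -> bool:
    """True when a lower, upper, digit and symbol character are each present."""
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw a password from the OS cryptographic RNG (the secrets module), never
    from random.random(), whose output is predictable.  Candidates missing a
    character class are redrawn so common site rules are met; that rejection
    costs a small, bounded amount of entropy, so entropy_bits() slightly
    overestimates for these passwords."""
    if length < len(CLASSES):
        raise ValueError("length must allow one character from every class")
    if not all(any(ch in alphabet for ch in cls) for cls in CLASSES):
        raise ValueError("alphabet must contain every character class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def build_vault(accounts, length: int = 20) -> dict:
    """One independently generated password per account, as a password manager does."""
    return {account: generate_password(length) for account in accounts}


def reused_passwords(vault: dict) -> list:
    """Groups of accounts sharing a password.  Reuse is what turns one site's
    breach into a takeover of every other account using the same credential."""
    by_password = {}
    for account, password in vault.items():
        by_password.setdefault(password, []).append(account)
    return [accounts for accounts in by_password.values() if len(accounts) > 1]


if __name__ == "__main__":
    rate = 1e10  # assumed offline guessing rate (guesses per second), for illustration
    for label, length, size in (("8 lowercase letters", 8, 26),
                                ("20 characters, full alphabet", 20, len(ALPHABET))):
        bits = entropy_bits(length, size)
        years = crack_time_seconds(bits, rate) / 31_557_600
        print(f"{label}: {bits:.1f} bits, about {years:.2e} years to guess")
    vault = build_vault(["bank", "university", "webmail"])
    print(vault)
    print("reused:", reused_passwords(vault))
```

Running it shows why generated passwords beat memorable ones: eight lowercase letters carry about 37.6 bits and fall in seconds at the assumed rate, while a 20-character draw from the full alphabet carries close to 129 bits.  `reused_passwords` returns an empty list for a freshly built vault; point it at your own list of accounts and any non-empty group is the set of accounts one breach would take down together.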

From Surfing Waves to Surfing the World Wide Web: Be Safe Online While Traveling

travel-image.png

(July 13, 2012)

Picture this:  You are sitting in a lounge chair strategically placed under an umbrella constructed of palm leaves.  The sun is at your back and the ocean waves are crashing against the shore gently in front of you.  The ocean seems endless, blue and white cascades moving in and out.  The warm white sand is soft and tacky between your toes.  Here, right now in this place, you feel the weight of responsibility lifted. 

The philosophy of vacation is quite simple:  Relax, rejuvenate, be carefree, and most of all enjoy yourself.   While some may choose to break waves at a tropical hotspot destination; others may take to the open road; the daring may elect to defy gravity by climbing Mount Everest; and others may pick a culturally enriching international destination.  No matter where your journey takes you, do not allow yourself to become careless with security! 

One of the most effective ways to protect yourself when traveling is to take preventive measures before your departure (1).  Complete the following actions before leaving home: 

  1. Update your operating system, applications, and anti-virus software on your mobile devices.  Operating systems, applications, and anti-virus software all offer periodic updates containing vital security patches.  Keep your system on current versions.
  2.  Ensure your firewall is enabled.  A host firewall blocks unsolicited inbound connections, so other devices on the same hotel, café, or airport network cannot reach services running on your machine.
  3. Encrypt confidential information stored on your devices.  Most mobile devices come with encryption capabilities built in.  If not, you may install encryption applications.  You should consult your vendor’s application store or marketplace for information on what is available.
  4. Enable the automatic lock screen and use a strong password, passphrase, pattern, or PIN to unlock the device.  Activate the lock-out screen with a reasonably short idle timeout, make your PIN or password unique to each device, and never share your PIN or password. 
  5. Configure your device for remote wiping.  In the event that your device is lost or stolen, remote wiping allows you the capability to erase all data and personal information stored on the device (2).  Affix a label to the back of your device with your name, email, and phone number to increase the likelihood of misplaced belongings being returned to you.
  6. Do not post travel plans on social media sites.  You should always limit the amount of personal information you share on these sites.  While your account may be setup securely, you have no control over how your friends setup their accounts.    

 Follow these best practices while you are traveling:

  1. Use sponsored Wi-Fi networks hosted by legitimate organizations and pay attention to the Wi-Fi encryption types.  Your online activities can be monitored by others while you are connected to a public network.  Protect yourself by ensuring you are on a legitimate Wi-Fi connection.  Look for posted signs found in hotel lobbies, airport terminals, or cafés displaying the name of the supported Wi-Fi network.  Also, the most common Wi-Fi encryption types (ordered by most secure to least secure) are: WPA2, WPA, and WEP.  An open network with no encryption gives you no protection from the other users on it, and WEP has been broken for years and should be treated the same way. 
  2. Limit your web browsing to well-known and trusted websites and use encryption when possible. Using email and web browsing exposes you to phishing scams, malicious sites, infected attachments, and other scams.  Use SSL encryption (https://) for web browsing when possible.  An https:// session encrypts the data between your browser and the site, so others on the network cannot read it; check for the https:// prefix before entering a password. Also, most email service providers offer an encryption option.  If available, enable the SSL/TLS option in your email client. 
  3. Keep optional network connections, such as Bluetooth and Wi-Fi, turned off when not in use. If using these features in public, limit the amount of personal information you view. SMS, MMS, Bluetooth and synchronization are all potential attack routes.
  4. Limit your use of public computers to casual web browsing only.  Public computers may be infected with malware or keyloggers.  If you have no choice but to use a public computer to make a transaction or to communicate sensitive information, you should assume any information shared could be compromised.  Keep track of the accounts you accessed on a public computer and change your passwords immediately once you are on a trusted computer and network.
  5. Turn off cookies and autofill options.  If your mobile device automatically enters passwords and login information into websites you visit frequently, turn this feature off.  While convenient, these options pose privacy threats. 
  6. Always keep your device on you or locked in a secure location.  Place mobile devices in your carry-on luggage; do not check these items.  There is no guarantee your luggage will arrive at your destination at the same time as you do, and there is always a risk of baggage being ransacked before you obtain it.  If you are on a road trip, lock electronics in the glove compartment or rear storage of the vehicle. 

 What if you follow all these best practices and still get hacked?  Change your password immediately.  For suggestions on creating a strong password, visit the Division of IT’s MakeITSafe password safety page.  If your device has been compromised, misplaced, or stolen you should employ remote wiping.  If you did not configure your device for remote wiping beforehand, you still have the capability to wipe your Microsoft Exchange account.  Faculty, staff, and students may request remote wiping of their University email account, contacts, and calendar.  For assistance with this process, contact the IT Help Desk at 882-5000. 

 References: 

  1.  SANS Institute.  (2011).  Staying Secure Online While Traveling.  Retrieved from http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201104_en.pdf
  2.  Kugler, L.  (2011).  9 Ways to Keep Your Mobile Devices Secure While Traveling.  Retrieved from http://www.pcworld.com/article/218671/9_ways_to_keep_your_mobile_devices_secure_while_traveling.html

Identity Theft: Indecent Impersonation

identity-theft.png

(June 14, 2012)

Ask yourself one question, “If you could be anyone else in the world, who would it be?”  Most likely it would be an individual of this caliber:  a leader, a mogul, a literary figure, a philanthropist, a worldly traveler, an actor, an inventor, et cetera.  Your admiration for this individual may inspire you to emulate aspects of their character, values, or beliefs in an effort to become a better version of yourself.  Imitation is one of the sincerest forms of flattery, right?  Well, as it turns out, this is not always the case. 

According to the Federal Trade Commission (FTC), as many as 9 million Americans have their identities stolen each year (1).  Identity theft is an ever increasing crime with alarming consequences for its victims.   It can take countless dollars and years to rectify the damage caused by this offense.  Ironically, identity theft starts with just simple pieces of personally identifiable information such as name, Social Security number, credit card numbers, and other financial account information (1).  It becomes damaging when this information is combined together. 

Awareness is the most effective weapon against many forms of identity theft.  You should be aware of how information is stolen, know how to protect your information, and know what to do if you are a victim of identity theft.  There are a variety of methods used to obtain personally identifiable information, such as:  rummaging through your garbage for bills and other paper statements; skimming your credit card number while processing the card for a legitimate purchase; filing a change of address on your behalf to divert billing information and credit card applications to another location; stealing your wallet or purse; or through phishing scams (1). 

Once they have your personal information, identity thieves use it in a variety of ways.  It can be used for credit card fraud; phone or utilities fraud; bank and finance fraud; government documents fraud; or to rent a home, seek medical care, or give a false identity during a police arrest (1).  Watch for these signs of identity theft:  unexplainable debits on your accounts, inaccurate information on your credit report, missing paper statements and bills you typically receive monthly, receiving a credit card for which you did not apply, getting denied credit for reasons unknown to you, or getting calls from debt collectors for accounts you are unaware of (1). 

Follow these best practices to safeguard your information:

  1.  Before disclosing any personal information you should ask three important questions:  who will have access to the information, how it will be handled, and how it will be disposed of when it is no longer needed.  If your Social Security number (SSN) is requested, ask whether another form of identification can be provided in lieu of your SSN. 
  2. Do not carry your Social Security card, birth certificate, passport, extra credit cards, or any other personal cards in your wallet or purse when they are unnecessary.  Store these items in a safe undisclosed location. 
  3. Do not give personal information over the phone, Internet, or through the mail unless you have initiated the contact and are certain of the legitimacy of the business you are working with.  Email is never a secure method for transmitting or saving sensitive information such as passwords, financial information, Social Security numbers, et cetera.
  4. Shred paper statements with personally identifiable information and account numbers on them when they are no longer needed.  Examples include:  credit card receipts and statements, explanation of benefits for medical services, billing statements, and pre-approved credit card offers or checks.  You can opt out of prescreened offers of credit and insurance at www.optoutprescreen.com.
  5. Obtain a copy of your credit report each year from the three major credit reporting agencies (Equifax, Experian, and TransUnion) and review them for any unusual activity.
  6. Review bank and credit card statements at least once a month.      
  7. Limit web browsing and web purchases to well-known and trusted websites only.  If you initiate a transaction, look for the https:// prefix and the browser’s padlock symbol, which confirm the connection is encrypted.  Those indicators do not prove the site is legitimate, so also check that the address shown in the address bar is the company’s real domain.
  8. Turn on your firewall and use anti-virus software to prevent uninvited access into your computer files.  Anti-virus software, operating systems, and web browsers periodically offer updates which contain security patches.  Make sure you update these items regularly.
  9. Be cautious when using a public space.  When using a public computer, never save items to the machine, clear your cookies and cache, and sign off before you leave.  Also, if you are in a public space using Wi-Fi, limit the amount of personal information you view.
  10. Read website privacy policies.  These policies provide you with details regarding how the site maintains accuracy, access, security, and control of the personal information it collects and whether it provides this information to third parties.  Also, adjust settings on social media sites to private and limit the amount of personal information you disclose. 

If you are a victim of identity theft, take the following actions:  Place a fraud alert on your credit report, order new copies of your credit report from each of the credit reporting agencies to review, and create an identity theft report.  Visit the Federal Trade Commission site for more detailed information. 

References:

  1. Federal Trade Commission.  (2012).  Fighting back against identity theft.  Retrieved from http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/about-identity-theft.html

 

The Electronic Graveyard: Do Not Let Old Technology Haunt You!

shred-it.jpg

(May 15, 2012)

Are first generation electronics cramping your style?  Are you tired of watching what used to be considered cutting-edge technology depreciate and collect dust in front of your eyes?  Or, is it simply time to purge the designated electronic waste drawer in your home?  Regardless of your motivation to rid yourself of old technology, always remember to sanitize a device before you discard, recycle, donate, repurpose, or sell it!

There are countless news stories of confidential and private information getting leaked due to old electronic devices being discarded before the hard drive was wiped clean.  For criminals and identity thieves, retrieving useful remnants of information is surprisingly easy and even more valuable than the device itself.  Permanently deleting information from a hard drive is more challenging than one might expect. 

There are many widely held misconceptions regarding data disposal.  Simply deleting files, dragging items to the recycle bin or trash folder, reformatting the disk or deleting disk partitions, or even encrypting files after the fact are all insecure methods for destroying data: each leaves the original bytes on the disk, where a recovery tool can read them back.  Sanitizing a device, by contrast, permanently purges all the data and personally identifiable information stored upon it.  Therefore, to completely obliterate data, you have two options:  physically destroy the device or sanitize it!    

  1.  Physically destroying the device.  A device can normally be destroyed through the use of heat, a strong magnetic field (degaussing, which works only on magnetic media such as hard drives and tapes, not on flash memory or solid-state drives), or by shredding, crushing, or other aggressive methods which may require special tools and safety precautions.
  2. Sanitizing a device by securely wiping magnetic drives.  Using a special software tool, you can overwrite every bit and byte on your disk.  In doing so, your original information will never be accessible again.  Note that this applies to magnetic hard drives: solid-state drives and USB flash media remap blocks internally, so an overwrite may not reach every copy of the data; use the drive’s built-in secure-erase function or physically destroy it instead.  There are several issues to consider as you prepare to wipe your hard drive or other media devices: 
  • Once you start the wiping process, there is no turning back.  Make backups of any pertinent files you may need for future use.
  • Secure wiping requires a special-purpose program.  Examples are SDelete (a Windows command-line tool that wipes individual files and free space), DBAN (a bootable disc that wipes an entire drive regardless of which operating system is installed), or Disk Utility’s secure erase (for Mac).  Typically a CD or USB key is required to start the computer and run the tool, because an operating system cannot wipe the disk it is running from.  Make sure the tool you use has a feature to wipe the entire drive, not just the empty space.  For additional assistance, please contact your IT Pro or the Help Desk at 882-5000. 
  • Adhere to data disposal policies.  The University and the Hospital have policies dictating the appropriate methods for data disposal to ensure confidentiality of the data and compliance with software licensing contracts.
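The two claims above, that a deleted record is still readable from the raw disk and that overwriting every byte removes it, can be demonstrated on a throwaway disk image without touching a real drive.  The script below is an added example, not part of the original article or of any of the tools named above.  It uses Python's standard library only; the image size, the marker record, and the pattern of one random pass followed by a zero pass are this example's own choices, and the whole-device approach it shows is appropriate for magnetic media, not for SSDs or flash.

```python
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB per write; keeps memory flat on large drives


def _write_all(f, data: bytes) -> None:
    """Raw (unbuffered) files may accept a short write; loop until every byte lands."""
    while data:
        written = f.write(data)
        data = data[written:]


def _fill(f, size: int, source) -> None:
    """Write `size` bytes from position 0, taking blocks from source(n) -> n bytes."""
    f.seek(0)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        _write_all(f, source(n))
        remaining -= n
    f.flush()


def overwrite_device(path: str, passes: int = 1) -> int:
    """Overwrite every byte of the file, disk image, or block device at `path`:
    `passes` passes of random data, then a final pass of zeros.  Returns the number
    of bytes covered per pass.  Opened in r+b so a device or image is overwritten
    in place rather than truncated.  Magnetic media only: SSDs and flash remap
    blocks internally and need their firmware's secure-erase function instead."""
    with open(path, "r+b", buffering=0) as f:
        size = f.seek(0, os.SEEK_END)   # the whole medium, not just the free space
        for _ in range(passes):
            _fill(f, size, os.urandom)
        _fill(f, size, bytes)           # bytes(n) is n zero bytes
        os.fsync(f.fileno())            # do not trust the wipe until it is on disk
    return size


def find_marker(path: str, marker: bytes) -> bool:
    """Scan the raw bytes of `path` for `marker`, the way a recovery tool scans a
    drive without consulting the file system.  True if any copy is still there."""
    overlap = len(marker) - 1
    tail = b""
    with open(path, "rb") as f:
        while True:
            block = f.read(CHUNK)
            if not block:
                return False
            if marker in tail + block:
                return True
            tail = block[-overlap:] if overlap else b""


def demo(image_size: int = 4 * CHUNK,
         marker: bytes = b"CONSTRUCTED-RECORD: account 0000-0000") -> tuple:
    """Build a throwaway disk image holding one 'deleted' record (a file whose
    directory entry is gone but whose bytes are still on disk), confirm a raw scan
    recovers it, wipe the image, and scan again.  Returns (before, after)."""
    with tempfile.NamedTemporaryFile(delete=False) as img:
        img.write(os.urandom(image_size // 2) + marker + os.urandom(image_size // 2))
        path = img.name
    try:
        before = find_marker(path, marker)   # True: the record is readable from raw bytes
        overwrite_device(path, passes=1)
        after = find_marker(path, marker)    # False: every byte has been overwritten
        return before, after
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("record recoverable before/after wipe:", demo())
```

`demo()` returns `(True, False)`: the "deleted" record is found by a plain byte scan right up until `overwrite_device` has written over the whole image.  Pointed at a real block device, the same function needs administrative rights and, exactly as the bullet above warns, there is no turning back once it starts, so take the backup first.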

 Need to destroy a University-owned device? The Division of IT (DoIT) hosts ShredIT data disposal events biannually.  ShredIT events are open to the University system, MU campus, and Hospital departments at no charge for University-owned equipment.  Department IT Pros are notified of these events and are encouraged to participate.  Simply bring the media to our announced location and DoIT will take care of the disposal for you. 

ShredIT spring cleaning event!

Date: Thursday, May 31, 2012
Collection Time: Between 2-4 pm
Location: Telecom Building loading dock.  Please do not drop off any items prior to 2 pm on Thursday, May 31st!

 Visit our Make IT Safe site for additional security awareness best practice tips and security related news.

 References:

SANS Institute.  (2011).  Securely Disposing of Computers and Other Storage Devices.  Retrieved from http://www.securingthehuman.org/newsletters/ouch/issues/201101.pdf

To Download or Not to Download: That is the Question

dmca.jpg

(March 15, 2012)

Do you download music, movies, or books online?  If so, are you doing it legally?  Copyright violations have serious civil and criminal penalties.  Make yourself aware of the law and University policy to avoid legal and punitive action. 

What is the Law?  The Digital Millennium Copyright Act of 1998 (DMCA) is a federal law that updated U.S. copyright protection for digital works such as books, movies, and music.  Under copyright law, only the author or the author's assignees have the legal authority to copy, distribute, create derivative works from, or perform or exhibit protected works. 

What if I pay for downloads?  Downloading music, videos, books, and games from a file sharing network with unauthorized copies of copyrighted material is a federal offense.  Some file sharing networks charge a membership fee to join; simply paying this fee does not necessarily guarantee this service is legal.  Check the terms and agreements section before you download.  If you are purchasing the rights to a product from a file sharing network, then you have legally obtained the product and you are authorized to use it for personal, noncommercial use.  An example of this legal service is iTunes. 

I paid for it.  I can copy it, right?  Another common misconception is that you may duplicate and distribute copyrighted materials as long as the intent is not to sell the duplications.  However, the act of copying and distributing someone else's work violates an author's rights.  Just because you have legally obtained a product, such as a CD, DVD, or an MP3, does not mean you have unlimited rights to it.  Downloading an MP3 from iTunes and copying it for a friend is illegal.   

What should I do to comply with the law and avoid litigation? 

  1. Familiarize yourself with the DMCA and University policy.  All users of University of Missouri computer networks, equipment, or connecting resources are held to the University’s Acceptable Use Policy (AUP).  Carefully read and understand your obligations as a user.
  2. Unsubscribe from illegal peer-to-peer file sharing networks.  MU policy prohibits the use of all peer-to-peer applications such as BitTorrent and eMule. In accordance with this policy, these types of download applications are blocked by network administrators.  Any individual attempting to circumvent these blocks will be in violation of the University’s file sharing policy.
  3. Purge any illegally obtained materials.  Remove any copyrighted materials unlawfully obtained from any device on which it is stored, and stop illegal downloading of copyright materials immediately. 
  4. Follow this simple rule of thumb.  If you would typically pay for it, then it is probably protected by copyright.  Take the DMCA quiz to test your knowledge. For a list of legal alternatives and known legitimate download services visit: http://www.educause.edu/legalcontent.

If you have any questions, please contact isam@missouri.edu.

Gone Phishing? Don't Take the Bait, Protect Yourself from Online Poachers!

(February 15, 2012)

You sign into your email account and notice you have a message with the subject line of Urgent! Your Account Has Been Compromised! The email body states, "We suspect unauthorized transactions on your account. Please log into your account using the below link and confirm your banking details. Failure to do so will result in the suspension of your account." The intention of this type of email is to instill panic. Anxiety is a normal response, especially when you believe someone else has access to your bank account information and could be making fraudulent charges. The cyber attacker is relying on a reaction, whether that means clicking on a link provided, opening an attachment, or responding to the request for information.

Phishing scams are becoming more sophisticated and thus seemingly legitimate to users. In order to gain trust, most cyber attackers will send spoof emails using company logos and company contact information and then direct users to counterfeit URLs. While designed to appear authentic, these websites are actually controlled by the attacker. Phishing attacks often have one of the following objectives, to harvest personally identifiable information and banking/credit card data, or to take control and infect your computer through malicious links and attachments. In 2007, the number of victims of phishing attacks escalated to 3.6 million U.S. adults, a loss of over 3.2 billion dollars (1).

Follow these best practices to prevent getting snagged!

  1. Turn on your firewall and use anti-virus software. Anti-virus software and web browsers periodically offer updates which contain security patches, so these items need to be updated regularly. Also, make sure your operating system and applications are up to date.
  2. Never email sensitive information. Email is not a secure method for transmitting or saving sensitive information such as passwords, financial information, Social Security numbers, et cetera.
  3. Routinely change your password. You should change your passwords at least annually and ensure that each is a strong password. It is best to choose a separate login ID and password for each website you access, so that a breach of one site does not expose your other accounts. Unauthorized users can send spam, threats, and other fraudulent emails on your behalf once they have your login credentials. Change your password immediately if your account information has been exposed. Remember, your password is the major form of protection for your computer account and the University resources that you have permission to access. For suggestions on creating a strong password, visit the Division of IT MakeITSafe passwords page.
  4. Limit your web browsing to well-known and trusted websites and use encryption. Use SSL encryption (https://) for web browsing when possible. If you initiate a transaction, look for the https:// prefix and the browser’s padlock symbol. Keep in mind that the padlock only confirms the connection is encrypted to the site named in the address bar; a phishing site can have one too, so read the address itself and make sure it is the company’s real domain.
  5. Check bank and credit card statements regularly. Watch for any unauthorized charges and report them immediately.
  6. Be suspicious of email. Beware of email requiring immediate attention and demanding personal information or account information. Other suspicious indicators include spelling/grammatical mistakes, an overall generic tone, and an ambiguous website link.
  7. Do not click on direct links. Avoid clicking on direct links provided in an email. If you get an email from what appears to be a known source, such as your bank or a store, then type their web address directly into your browser. If you are unsure of the exact destination site, use a search engine to look up the company.
  8. Do not open attachments from unknown sources. Attachments can contain viruses that allow cyber attackers to gain control of your computer system. If they gain access to your email directory or social media networks they can send malicious emails on your behalf.
  9. Be cautious when using a public space. If you are using a public computer, never save items to the machine, clear your cookies and cache, and sign off before you leave. Also, if you are in a public space using Wi-Fi, limit the amount of personal information you view.
  10. If it seems too good to be true, it is probably an attack. Help report phishing! Open a new email message and address it to abuse@missouri.edu. Drag and drop the phishing email from your inbox into this new email message as an attachment. If you are unable to attach the item in this manner, forward the original message to abuse@missouri.edu. You will need to paste the header information into this message. For instructions on internet headers, see http://doit.missouri.edu/security/response/headers.html.
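Several of the indicators above can be checked mechanically before anyone clicks: a Reply-To that does not match the sender, an originating server outside the sender's domain (read from the Received headers the reporting instructions mention), an urgent subject, links whose visible text names one site while the href points somewhere else, and links to a raw IP address or without https.  The script below is an added example, not part of the original article.  It parses two constructed messages with Python's standard library; every host, address, and IP in them is fictional (reserved example.* domains and documentation IP ranges), and the keyword list and heuristics are this example's own choices.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the message described in the article.
PHISH = b"""\
Received: from mta.bulk-sender.example.net (mta.bulk-sender.example.net [198.51.100.23])
\tby mx.recipient.example.edu with ESMTP; Wed, 15 Feb 2012 09:12:44 -0600
From: "Example Bank Security" <security@bank.example.com>
Reply-To: account-verify@support.example.net
To: user@recipient.example.edu
Subject: Urgent! Your Account Has Been Compromised!
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>We suspect unauthorized transactions on your account. Please log
into your account using the below link and confirm your banking details.
Failure to do so will result in the suspension of your account.</p>
<p><a href="http://198.51.100.23/bank.example.com/login">https://bank.example.com/login</a></p>
</body></html>
"""

# A benign message from the same fictional bank, for comparison.
LEGIT = b"""\
Received: from mail.bank.example.com (mail.bank.example.com [192.0.2.10])
\tby mx.recipient.example.edu with ESMTP; Wed, 15 Feb 2012 09:30:01 -0600
From: "Example Bank" <statements@bank.example.com>
To: user@recipient.example.edu
Subject: Your February statement is available
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>Your statement is ready. Sign in at
<a href="https://bank.example.com/statements">https://bank.example.com/statements</a>
to view it.</p></body></html>
"""

URGENCY = re.compile(r"\b(urgent|immediately|suspend\w*|compromised|confirm|verify)\b", re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(header) -> str:
    """'Name <user@host>' -> 'host', lower-cased; '' when there is no address."""
    m = re.search(r"@([\w.-]+)", str(header or ""))
    return m.group(1).lower() if m else ""


def analyze(raw: bytes) -> list:
    """Return human-readable findings for one raw message; [] means nothing flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if reply_to and reply_to != sender:
        findings.append(f"Reply-To domain {reply_to} differs from From domain {sender}")

    # Each mail server prepends its own Received header, so the last one is the
    # first hop.  Heuristic only: legitimate mail often goes through third parties.
    hops = msg.get_all("Received") or []
    if hops and sender and sender not in str(hops[-1]):
        first_hop = re.split(r"\sby\s", str(hops[-1]))[0]
        findings.append(f"originating server is outside the sender's domain {sender}: {first_hop}")

    if URGENCY.search(str(msg["Subject"] or "")):
        findings.append(f"subject pressures the reader to act: {msg['Subject']}")

    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    parser = LinkExtractor()
    parser.feed(body.get_content())
    for href, text in parser.links:
        target = urlparse(href)
        host = (target.hostname or "").lower()
        if target.scheme != "https":
            findings.append(f"link is not https: {href}")
        if IPV4.match(host):
            findings.append(f"link target is a raw IP address: {host}")
        shown = urlparse(text).hostname if text.lower().startswith("http") else None
        if shown and shown.lower() != host:
            findings.append(f"link text shows {shown} but the target host is {host}")
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, analyze(raw) or ["no findings"])
```

`analyze(PHISH)` reports all six indicators; `analyze(LEGIT)` reports none.  The checks are deliberately conservative heuristics rather than a verdict: a forwarding service or marketing provider can trigger the Received-header rule on genuine mail, which is why the article's advice to type the company's address yourself instead of following the link still stands.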

References:

  1. Gartner, Inc. (2007). Gartner survey shows phishing attacks escalated in 2007; more than $3 billion lost to these attacks. Retrieved from http://www.gartner.com/it/page.jsp?id=565125.
  2. Federal Trade Commission (FTC). (2006). How not to get hooked by a 'phishing' scam. Retrieved from http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt127.shtm.
  3. SANS Institute. (Dec. 2011). E-mail phishing and scams. Retrieved from http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201112_en.pdf.

More info: Phishing


University of Missouri / UM System
Division of Information Technology
615 Locust Street, Columbia, MO 65211
(573)882-2000

Copyright 2009 Curators of the University of Missouri.
DMCA and other copyright information.
An equal opportunity/affirmative action institution.