
Featured Topics

Encryption: Decoder Ring Not Included


(June 12, 2013)

It’s as though you are standing in the temple staring at dimly lit walls cast with shadows from your flaming torch.  You have narrowly escaped the clutches of danger to get here and it all comes down to this.  The key to unlocking the riches is in the hieroglyphics encrypted on the walls in front of you.  You know you must decipher these symbols properly or face dire consequences.  You can feel your heartbeat drumming in your ears.  You take a deep breath and close your eyes.  You sense the darkness surrounding you.  It feels as though you are being asphyxiated with each passing second. You draw in another breath in an attempt to steady the uncontrollable shaking of your hands.  You open your eyes and focus.  Under your breath you mutter...“Now what was that darn password to that encryption key again?!?”

What is encryption? 

  • Encryption is a method used to maintain the confidentiality of your digital information.  It is the process of converting legible information into a format that is unrecognizable to anyone except the intended recipient.  To do so, encryption employs a mathematical formula (known as a cipher) together with a key to convert plain text into cipher text (1).  To decrypt the information, an individual would need to use the same cipher (i.e. the same encryption program) as well as your unique key (1).  Keys are typically a long sequence of numbers secured by authentication mechanisms such as passwords, tokens, or biometrics (1).
  • Most devices (such as computers, smartphones, tablets, USB drives, and external hard drives) have encryption functionality already built into them.  If not, these devices can be encrypted by simply installing encryption software or by purchasing applications from your vendor’s app store (1).
  • Encryption is a relatively straightforward process.  The encryption technique you choose will depend on how sensitive the information you store is.  However, encryption alone will not protect you from targeted cyber-attacks.

What are the different types of encryption available? 

  • Full Disk Encryption (FDE) encrypts all data on your hard drive, including any temporary files (1).  This is the best encryption option if you have a lot of sensitive information stored on a device.  There are several options for FDE.  In fact, BitLocker Drive Encryption comes standard with certain editions of Windows Vista, Windows 7, and Windows 8.  For Mac users, FileVault 2 is included in OS X Lion or Mountain Lion.  For additional product recommendations and information, refer to our webpage at http://doit.missouri.edu/security/encryption/fulldiskencryption.html.    
  • Another option is to encrypt only the specific files or folders that contain sensitive information.  Visit Microsoft’s site at http://windows.microsoft.com for instructions pertaining to Windows machines.  Mac users should refer to Apple’s knowledgebase at http://support.apple.com/kb/ht1578.  If you just want to encrypt specific Microsoft Office documents (such as Word, PowerPoint, and Excel documents), visit http://office.microsoft.com.
  • Using an encrypted network channel is essential when you are conducting sensitive online exchanges, such as purchase transactions and online banking (1).  In general, most Wi-Fi connections are considered unsecured because they rarely require a password to gain access, which allows anyone in the vicinity to monitor your online activities.  The most common type of online browsing encryption is Hypertext Transfer Protocol Secure (HTTPS).  An https:// browser session automatically encrypts data transmitted over the Internet (1).  Many e-mail providers encrypt the transmission of email through the use of SSL (Secure Sockets Layer) (1).  If your e-mail provider does not provide this, you should switch to a provider that does.
  • University employees can encrypt the content of email messages sent to a non-University recipient.  To do this, faculty and staff must subscribe to the Ironport encryption service.  This service is available for a nominal fee and requires setup assistance from your departmental IT Professional.  University of Missouri Hospital staff are automatically enabled for this service and should contact the Hospital Help Desk with any questions regarding e-mail encryption.      
  • Secure TransmIT provides University faculty and staff the ability to safely transfer electronic files that cannot or should not be sent via the e-mail system due to the file size, file type, or the need for enhanced security (6). Using either your University e-mail account or a web browser, you can send files via a fully encrypted transmission to anyone with a valid e-mail address (6).  Recipients will receive an e-mail with instructions on how to access their file and will be given a one-time-use password which is necessary to retrieve the file (6).  Contact the IT Help Desk at 573-882-5000 to enroll in the Secure TransmIT service (6). 
  • Lastly, Virtual Private Networking (VPN) should be employed when you are accessing University resources from an unsecured network off campus.  VPN creates a secure ‘virtual tunnel’ which allows the user to send and receive data across shared or public networks just as if they were part of the private network (5).  VPN employs all the same functionality, security, and management policies of the private network (5).

Encryption issues and best practices:

  • The encryption key is an essential component to encrypting and decrypting your information.  If your encryption key is lost or damaged you will lose the ability to recover the encrypted information!  Back up your encryption certificate and key to preserve access to your data.
  • Encryption is only as strong as the password protecting it!  Never share this password with anyone and always use a strong, unique password for all of your encrypted data.  Note, you can lose the ability to recover your data if you forget the password protecting your encryption key!  Given this, you might consider investing in password manager software, which provides a central and secure location to store all account passwords, PINs, and other sensitive information.  Examples of such software include: KeePass, Password Safe, PINs, RoboForm, and Turbopasswords.
  • Encryption will not protect your device against theft, viruses, malware, unpatched vulnerabilities, or social engineering attacks (1).  Enable your firewall and always install security patches immediately to ensure you are protected from existing vulnerabilities. 

Visit http://makeitsafe.missouri.edu for more great tips, security news, and all the latest alerts!

References:

1.  SANS Institute.  (2011).  Understanding encryption.  Retrieved from http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201107_en.pdf

2.  Microsoft.  (2013).  Encrypt or decrypt a folder or file.  Retrieved from http://windows.microsoft.com/en-us/windows-vista/encrypt-or-decrypt-a-folder-or-file

3.  Apple.  (2013).  How to create a password-protected (encrypted) disk image.  Retrieved from http://support.apple.com/kb/ht1578

4.  Castle, A.  (2013).  How to encrypt (almost) anything.  Retrieved from http://www.pcworld.com/article/2025462/how-to-encrypt-almost-anything.html

5.  SANS Institute.  (2002).  Remote access VPN’s, a basic look.  Retrieved from http://www.giac.org/paper/gsec/2141/remote-access-vpns-basic/102778

6.  Division of IT.  (2012).  Secure TransmIT.  Retrieved from http://doit.missouri.edu/security/secure-transmit/

7.  Microsoft.  (2013).  Password protect documents, workbooks, and presentations.  Retrieved from http://office.microsoft.com/en-us/word-help/password-protect-documents-workbooks-and-presentations-HA010148333.aspx

8.  Microsoft.  (2013).  Back up Encrypting File System (EFS) certificate.  Retrieved from http://windows.microsoft.com/en-us/windows-vista/back-up-encrypting-file-system-efs-certificate

From Surfing Waves to Surfing the World Wide Web: Be Safe Online While Traveling


(May 14, 2013)

Picture this:  You are sitting in a lounge chair strategically placed under an umbrella constructed of palm leaves.  The sun is at your back and the ocean waves are crashing against the shore gently in front of you.  The ocean seems endless, blue and white cascades moving in and out.  The warm white sand is soft and tacky between your toes.  Here, right now in this place, you feel the weight of responsibility lifted. 

The philosophy of vacation is quite simple:  Relax, rejuvenate, be carefree, and most of all enjoy yourself.  Some may choose to break waves at a tropical hotspot destination; others may take to the open road; the daring may elect to defy gravity by climbing Mount Everest; and others may pick a culturally enriching international destination.  No matter where your journey takes you, do not allow yourself to become careless with security!

One of the most effective ways to protect yourself when traveling is to take preventive measures before your departure (1).  Complete the following actions before leaving home: 

  1. Update your operating system, applications, and anti-virus software on your mobile devices.  Operating systems, applications, and anti-virus software all offer periodic updates containing vital security patches.  Keep your system on current versions.
  2. Ensure your firewall is enabled.  This prevents others from connecting to your device over the network.
  3. Encrypt confidential information stored on your devices.  Most mobile devices come with encryption capabilities built in.  If not, you may install encryption applications.  You should consult your vendor’s application store or marketplace for information on what is available.
  4. Enable the automatic lock screen and use a strong password, passphrase, pattern, or PIN to unlock the device.  Activate the lock-out screen with a reasonably short idle timeout, make your PIN or password unique to each device, and never share your PIN or password. 
  5. Configure your device for remote wiping.  In the event that your device is lost or stolen, remote wiping allows you the capability to erase all data and personal information stored on the device (2).  Affix a label to the back of your device with your name, email, and phone number to increase the likelihood of misplaced belongings being returned to you.
  6. Do not post travel plans on social media sites.  You should always limit the amount of personal information you share on these sites.  While your account may be set up securely, you have no control over how your friends set up their accounts.

Follow these best practices while you are traveling:

  1. Use sponsored Wi-Fi networks hosted by legitimate organizations and pay attention to the Wi-Fi encryption types.  Your online activities can be monitored by others while you are connected to a public network.  Protect yourself by ensuring you are on a legitimate Wi-Fi connection.  Look for posted signs found in hotel lobbies, airport terminals, or cafés displaying the name of the supported Wi-Fi network.  Also, the most common Wi-Fi encryption types (ordered by most secure to least secure) are: WPA2, WPA, and WEP. 
  2. Limit your web browsing to well-known and trusted websites and use encryption when possible.  Utilizing email and web browsing features poses the threat of phishing scams, malicious sites, infected attachments, and other scams.  Use SSL encryption (https://) for web browsing when possible.  An https:// browser session automatically encrypts data transmitted over the Internet.  Also, most email service providers offer an encryption option.  If available, enable the SSL option for your email.
  3. Keep optional network connections, such as Bluetooth and Wi-Fi, turned off when not in use. If using these features in public, limit the amount of personal information you view. SMS, MMS, Bluetooth and synchronization are all potential attack routes.
  4. Limit your use of public computers to casual web browsing only.  Public computers may be infected with malware or keyloggers.  If you have no choice but to use a public computer to make a transaction or to communicate sensitive information, you should assume any information shared could be compromised.  Keep track of the accounts you accessed on a public computer and change your passwords immediately once you are on a trusted computer and network.
  5. Turn off cookies and autofill options.  If your mobile device automatically enters passwords and login information into websites you visit frequently, turn this feature off.  While convenient, these options pose privacy threats. 
  6. Always keep your device on you or locked in a secure location.  You should place mobile devices in your carry-on luggage; do not check these items.  There is no guarantee your luggage will arrive at your destination at the same time as you do, and there is always a risk of baggage being ransacked before you obtain it.  If you are on a road trip, you should lock electronics in the glove compartment or rear storage of the vehicle.

What if you follow all these best practices and still get hacked?  Change your password immediately.  For suggestions on creating a strong password, visit the Division of IT’s MakeITSafe password safety page.  If your device has been compromised, misplaced, or stolen you should employ remote wiping.  If you did not configure your device for remote wiping beforehand, you still have the capability to wipe your Microsoft Exchange account.  Faculty, staff, and students may request remote wiping of their University email account, contacts, and calendar.  For assistance with this process, contact the IT Help Desk at 882-5000.

References:

1.  SANS Institute.  (2011).  Staying Secure Online While Traveling.  Retrieved from http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201104_en.pdf

2.  Kugler, L.  (2011).  9 Ways to Keep Your Mobile Devices Secure While Traveling.  Retrieved from http://www.pcworld.com/article/218671/9_ways_to_keep_your_mobile_devices_secure_while_traveling.html

Social Engineering: Hacking the Human Operating System


(May 14, 2013)

You are sitting at your desk when your office phone rings.  You answer.  The voice on the other end is pleasant.  “Hello.  My name is Steven.  I am with the University’s IT department.  How are you today?”  After a few short exchanges, Steven gets to the point.  “We have been monitoring our network due to an abundance of suspicious activity.  I am calling you today because your device has been identified as one of the sources for this malicious network traffic.  We believe you may have inadvertently installed malevolent malware and I would like to use this time to assist you in removing it.  Before we begin, let me verify a few account details with you.”  Steven states the following:  your name, your department, your title, your phone number, and your user name for your University account.  You confirm all of these details are true.  Steven replies, “Great, thank you!  Now, to further assist you, can you please provide me with your University password?”  He tells you he is going to remote into your machine and run an anti-malware tool.

Do you give Steven your password?  The correct answer is NO!  First, NEVER share your password.  Second, Steven simply provided you with directory information when he confirmed your identity.   It may have seemed legitimate, but anyone can access the directory and most of us publish our information.  Lastly, what do you really know about Steven?

Social engineering is a psychological attack used to exploit human vulnerabilities.  While the schemes often vary, the overall goal remains the same.  Social engineers will say or do just about anything to obtain sensitive information from you.  Technical knowledge is often unnecessary for a successful social engineering scam; in fact, most of these ploys merely rely on adept social skills (1).  Technology cannot protect you from being a victim of a social engineering scam (2).  Awareness is your best defense! 

Follow these best practices to protect yourself from social engineering attacks:

  • Be alert and do not rely on identification alone for authentication.  Gather specifics about the person soliciting personal information from you before obliging their request.  Who are they?  Where do they work?  What is the call regarding?  Politely ask for a call-back number and tell them you will get in touch with them at a more convenient time.  This grants you the opportunity to do some investigation beforehand, and you can call them back when you are clear of all distractions.
  • Never share your password!  A legitimate organization will never ask for your password. 
  • Pay attention to the information requested.  If you are asked for details that the organization is already privy to, do not provide the information.  For instance, you should be suspicious if your supposed credit card company is calling you to confirm your credit card number and security code.  Additionally, it should be considered suspect if someone from your supposed bank wants to confirm your account number and routing number. 
  • Keep your guard up.  Social engineers will use several methods to gain your trust and cooperation.  You should be leery of individuals being overly friendly, aggressive, or insistent as these are common social engineering tactics.  Bottom line, if you do not feel comfortable then you should trust your instincts. 
  • Be aware of your office surroundings.  If you see someone you do not recognize roaming the vicinity then address them.   They could simply be lost or they could be looking for information left carelessly unattended.  Always lock up personal items and confidential information when you leave your area.  Additionally, if you work in a building where ID badges are required to gain entrance then do not allow strangers to follow you in.  This is called ‘tailgating’ and it is a very common approach used by social engineers. 
  • Report suspicious activity.  Inform your direct supervisor or the police if you believe the situation warrants their involvement. 

Visit http://makeitsafe.missouri.edu for more great tips, security news, and all the latest alerts!

References:

1.  SANS Institute.  (2004).  Social Engineering.  Retrieved from http://www.sans.org/reading_room/whitepapers/engineering/social-engineering_1365

2.  SANS Institute.  (July 2012).  The Tech-Support Phone Call Scam.  Retrieved from http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201207_en.pdf

SMiShing Is Nothing to ‘LOL’ About :)


(May 14, 2013)

Text messaging is second nature for most mobile phone users.  In fact, more than 80% of the US population owns a mobile phone and 70% of these individuals regularly send or receive texts (1).  Short Message Service (SMS) texting offers a casual, relaxed communication platform whereby emoticons and abbreviations are the norm.  There is nothing complex or ornate about text messages, thus adding to their appeal.  However, as we acquire a more lax mindset with this technology we become susceptible to cyber threats.

More than 6 billion SMS text messages were sent per day in the United States in 2011 (1), making mobile phones one of the largest targets for exploitation in intricate phishing attacks commonly referred to as SMiShing.  SMiShing texts attempt to entice users into providing personally identifiable information or credit card details by offering glorious prize winnings such as high-dollar gift cards and sought-after devices like iPads.  SMiShers will also try to coerce users through hoax account notices involving banks and large corporations.

Awareness is your best line of defense against SMiShing attacks!  Follow these best practices to reduce your vulnerability to SMiShing: 

  • Never provide sensitive information via text.  Regardless of whether or not you know the recipient, text messaging is not a secure method for data transmission.
  • Do not respond to unsolicited messages or spam.  If you receive a text requesting personal or account information you should delete it immediately.  Be suspicious of all unknown senders and unsolicited messages.  Additionally, replying to spam messages confirms you have an active phone number and increases your odds for more spam and SMiShing attacks (4). 
  • Do not click on links within a message.  Clicking on links within messages can install malware which allows attackers to gather information directly from your phone. 
  • Enroll your phone on the National Do Not Call Registry.  The Do Not Call Registry is managed by the Federal Trade Commission; this service restricts the amount of telemarketing phone calls you receive (2). 
  • Report SMiShing. SMiShing and text spam complaints can be filed with the Federal Trade Commission (2).   

Visit http://makeitsafe.missouri.edu for more great tips, security news, and all the latest alerts!

References:

1.  Forrester Blogs.  (2012).  SMS Usage Remains Strong in the US:  6 Billion SMS Messages are Sent Each Day.  Retrieved from http://blogs.forrester.com/michael_ogrady/12-06-19-sms_usage_remains_strong_in_the_us_6_billion_sms_messages_are_sent_each_day

2.  Federal Trade Commission.  (2013).  Text Message Spam.  Retrieved from http://www.consumer.ftc.gov/articles/0350-text-message-spam

3.  Federal Bureau of Investigation.  (2010).  SMiShing and Vishing.  Retrieved from http://www.fbi.gov/news/stories/2010/november/cyber_112410/cyber_112410

4.  NBC News.  (2013).  SMiShing Text Messages Seek Your Credit Card Info.  Retrieved from http://www.nbcnews.com/technology/technolog/smishing-text-messages-seek-your-credit-card-info-947348

Don’t Neglect Your “LOVE” for Technology This Valentine’s Day!


(May 14, 2013)

I rely on you to always be there;

to help me engage and keep me close to those I hold dear.

I don’t buy you flowers or candies or take you out on dates;

but I may expect you to help me find my soul mate!

I don’t feel judged by you, even when you give me a little nudge;

I know you just want to guard me from all that cyber sludge! 

You don’t ask me for much;

just that I use anti-virus protection and occasionally back my stuff up!

It shouldn’t require a special February holiday for me to profess;  

Yet as Valentine’s Day approaches, I must confess: 

I love you, technology! 

I promise to update you, protect you, and always pay these dues;

I will avoid spam and phishing and use caution on the World Wide Web by listening to your cues!   


Technology can be both amazing and horrifying all at the same time.  Today’s devices offer tremendous features and power; however, they also expose us to a magnitude of risk.  In order to minimize threats, ensure your devices are safely configured and be attuned to some basic security measures.    

Follow our best practices to show L-O-V-E to your technological devices!

1.  Always keep your devices up-to-date. Operating systems, applications, web browsers, and anti-virus software all offer periodic updates containing vital security patches.  Install security patches immediately to ensure you are protected from existing vulnerabilities. 

2.  Ensure your firewall is enabled. This prevents others from connecting to your device over the network.

3.  Create backups.  Make backups regularly of your system and any pertinent files you may need to access.  Store a copy of your backups in a safe place.  Data corruption and hardware/software failures are unfortunate risks related to all technology.  ‘The computer ate my homework’ is never a good excuse!

4.  Enable the automatic lock screen and use a strong password, passphrase, pattern, or PIN to unlock the device. Activate the lock-out screen with a reasonably short idle timeout.  Make your PIN or password unique to each device, and never share your PIN or password with anyone!  Also, routinely change your PIN or password; you should reset it at least annually. 

5.  Keep optional network connections, such as Bluetooth and Wi-Fi, turned off when not in use. SMS, MMS, Bluetooth and synchronization are all potential attack routes.  When using these features in public, limit the amount of personal information you view.  Never access, transmit, or receive sensitive information over an unsecured Wi-Fi network!

6.  Limit your web browsing to well-known and trusted websites and use encryption when possible. Utilizing email and web browsing features poses the threat of phishing scams, malicious sites, infected attachments, and other scams. Use SSL encryption (example:  https://<website>) for web browsing when possible.

7.  Never email sensitive information. Email is not a secure method for transmitting or saving sensitive information such as financial information, Social Security numbers, et cetera. 

8.  Do not open attachments from unknown sources or click on direct links provided in an email. Attachments can contain viruses that allow cyber attackers to gain control of your computer system.  Additionally, avoid clicking on links provided in an email. If you get an email from what appears to be a known source, such as your bank or a store, type their web address into your browser and access your account directly. If you are unsure of the exact destination site use a search engine to look up the company.

9.  Turn off cookies and auto-fill options. Turn off features which automatically enter your password and login information into websites.  While convenient, these options pose privacy threats.

10.  Never leave your device unaccompanied when you are in public spaces.  Additionally, configure your mobile devices for remote wiping. Remote wiping provides you with the capability to erase all data and personal information stored on that device if it should become lost or stolen.

For more great tips, security news and all the latest alerts, visit http://makeitsafe.missouri.edu/.

Password Safety in the Digital Age


(January 9, 2013)

As children we would use passwords as a means to keep “intruders” out of our secret hideouts.  While the context in which we use a password has changed since childhood, the necessity of having a strong password is now more important than ever.  Today password protection is your first line of defense against many cyber threats.  Your username and password are the most common means of verifying your identity online.  Think of how many times per day you use these components to log into your computer, access accounts and websites, and transmit sensitive information.  While technology has made routine chores simpler and faster, it has also increased our vulnerability to cyber-attacks.  Here are a few examples of what these attackers are doing with YOUR account information:  sending threatening email on your behalf; accessing websites to purchase items with the credit card information you have saved on the site; accessing, modifying, or deleting documents stored on your computer or on any other central file server you have permission to access; and using your University credentials to gain access to confidential information.  As society becomes further immersed in the digital age, it becomes even more important to keep your guard up!

Protect your password by following these best practices:

  • Never share your password with anyone.  There have been reported cases where individuals pretending to be IT staff or system administrators will ask for your password.  Your password protects your information and no one, including an IT professional, should ever need it. 
  • Do not enter your password into suspicious websites.  Phishing scams use spoof email, pop-up messages, or fraudulent URLs to deceive users into disclosing account passwords, credit card numbers, bank account information, their Social Security number, or other confidential information.  While attempts are made to block these types of emails they can still end up in your inbox.  If you get a request to provide your password or other personal information, please do not respond to the message.  Either delete this message or report it to abuse@missouri.edu.  When reporting phishing, you need to send the email as an attachment.  For instructions on how to attach an email click here.
  • Be cautious when using a public space.  When using a public computer, you should never save items to the machine, always clear your cookies and cache, and sign off before you leave.  When using public Wi-Fi on your own portable device, limit the amount of personal information you view.
  • Routinely change your password.  You should change your passwords at least annually and ensure you have designated a strong password.  It is best to choose a separate login ID and password for each website you access.  To change your University password, log into the Password Manager tool.  Visit the Division of IT’s MakeITSafe page for suggestions and tips on creating a strong password.
  • Avoid the “save password” feature.  This feature is provided to users through Internet browsers and is often offered when visiting websites which require login credentials or when setting up a new email client.  It is much more secure to enter the password each time you visit a site; therefore, you should always opt out of this feature.
  • Do not record passwords in a place where they can be compromised.  This includes cellular phones and other portable devices.  It also includes a sticky note pasted onto your monitor or under your keyboard!  Password manager software provides a central and secure location to store all account passwords, PINs, and other sensitive information.  Many of the software options include a feature for password generation which will automatically create a new random password for each of your individual accounts.  Examples of password manager software include:  KeePass, Password Safe, PINs, RoboForm, and Turbopasswords.  Some of the aforementioned software products are free; others require a nominal fee.  If you are interested in obtaining a password manager product, please review all the options available in order to choose the best product for your needs.
  • Watch for signs of misuse.  Common signs include:  Sent emails in your ‘sent items’ folder which you do not remember composing; new icons, programs, files or start menu items which you did not install; and noticeable performance degradation on your machine. 

If your password has been compromised or you notice suspicious activity on your accounts, change the password immediately.  If this vulnerability relates to your University account, you are required to report the incident.  Please review the mandatory reporting requirement at http://doit.missouri.edu/security/response/

At Work, Nothing is Personal: Compartmentalizing Your Inbox


(January 9, 2013)

Throughout the years email has become one of our most readily used forms of communication.  You cannot buy something online, register a product, or even leave a store without someone asking you for your email address.  In fact, we use it so often we can become desensitized to its true purpose and desired intention. 

The objective for your email account should differ widely depending on whether it is your University account or your personal account.  As a best practice, your University account should be regarded as work-related and reserved for what it has been truly designed for:  University business.  Use your personal account for everything else such as personal communications, coupons, purchase confirmations, product registries and updates, and so forth. 

Here are few reasons why it is essential to compartmentalize your private and professional electronic communications:

It enhances your security consciousness.  If you do not offer your University email address to financial organizations (such as your bank or PayPal) you can be certain that the emails you receive through your University inbox claiming to be from one of these entities is truly a phishing attempt.  The best approach with phishing is to simply delete the message.  If you would like to report it, you may send it to abuse@missouri.edu.  When reporting phishing, please send the original email as an attachment by dragging and dropping it into a new message box.

Your University email account is more likely to stay secure if you use it for professional purposes only.  Do not use it for non-work website registrations: every site you register with is one more place your address and password can leak from, and some sites are far less secure than others.  If a third-party site is breached and your personal account is exposed, your University account is unaffected.  Note:  use a different password for each of your accounts and each site you access!

It improves your productivity and helps you stay organized.  Personal email and spam can interfere with your work and increase the likelihood of important work-related messages being overlooked or lost in the mix.  Separate accounts let you direct non-work items to your personal address, making it easier to stay on task while at work.

There are legal obligations regarding the accessibility of email you send and receive.  University communications may have to be reviewed in response to a legal request, in which case the contents of your University mailbox can be made available.  Most people would prefer that their personal correspondence not be scrutinized as part of such a review, which is one more reason to keep professional and personal email in separate accounts.

The University’s spam filtering tools may block certain inbound emails.   The University employs spam filtering tools to reduce unwanted inbound email.  The University will accept requests for sender exceptions (known as whitelisting or allow-listing); however, the requestor must be able to show a legitimate business need for the exception.  Whitelisting requests that do not pertain to University business may be declined.

‘Twas the Night before Cyber Monday: Tips for Staying Secure While Shopping Online

shopping-cart.png

(January 9, 2013)

‘Twas the night before Cyber Monday and all through the house not a creature was stirring...well except for me and my computer mouse!  The stockings were hung by the electric fireplace with care, in hopes that Cyber Monday sales would bring Christmas cheer.   The children were nestled all snug in their beds, while visions of a new Xbox and iPods danced in their heads!  When all of the sudden an Internet ad arose such a Facebook chatter; I swiftly clicked on the thread to see what was the matter.  I opened a new browser tab like the Flash, tore open the ad and revealed a HUGE coupon stash!  I knew in that moment I would be better than St. Nick!  I whistled, and shouted, and called them by name; Now, Best Buy! Now, New Egg! Now, Target and Lowes!  On, Amazon!  On, Walmart! On, Macy’s and Kohl’s.  Now shop away, shop away, shop away all!  Lucky me, I didn’t even have to go to the mall!

Electronic retail is a non-shopper’s holiday shopping dream come true!  The lines are nonexistent, the wait time is short, and your online shopping cart will never present you with a squeaky or wobbly wheel.  It truly is the best of both worlds.  You can stay home and shop from your computer in your warm and comfy pajamas and slippers.  Not only that, but the parking is close and you do not have to watch strangers duke it out over the last Furby (admit it.  They are kind of creepy!)  However, online shopping does pose some security risks. 

Follow our best practices to ensure your holiday shopping goes without a hitch!

1.  Use anti-virus protection and make sure your firewall is on.  Keep your operating system, anti-virus software, and web browser up to date with the latest security patches. 

2.  Limit your web browsing to well-known and trusted websites and use encryption when possible.  Encrypted websites have an https:// address and most browsers display a padlock icon next to it.  However, an encrypted connection alone is not evidence of a merchant’s integrity!  The padlock means only that traffic between your browser and that site is protected in transit and that the site holds a certificate for the name in the address bar; counterfeit and phishing sites can obtain certificates too, and encryption does not regulate a merchant’s business practices (1). 

3.  Be aware of your surroundings.  You should never use unsecured networks (such as public wireless networks) or public computers for making online purchases.

4.  Double check your domain names.  Almost all reputable vendors have registered domain names which match their company name, such as: www.<companyname>.com.  Check the spelling, and check which domain is actually registered: subtle misspellings of company names (arnazon instead of amazon) and brand names placed in front of an unrelated domain (www.amazon.com.some-other-site.example) are common tricks phishers use to lure you to counterfeit websites (1).

5.  Employ strong password safety.  If the vendor requires an account, use a strong and unique password for each individual site.  If possible, opt out of having the site store your card details.  It is safer to enter them each time you return to the site to make a purchase.  

6.  Select your payment method carefully.  Prepaid cards and gift cards limit what a thief can take if the card number leaks.  Regular credit cards come with mandatory purchase protection and limited liability for unauthorized charges; if you use one, monitor your account activity regularly and report unauthorized charges immediately (1).  For a smaller vendor, the safest and easiest way to pay is through a third-party payment service, such as PayPal, which acts as the intermediary between you and the vendor so the vendor never sees your card details. 

7.  Read other customers’ feedback about the vendor and merchandise.  Read both positive and negative comments from other consumers to help you make educated decisions before you make a purchase (1). 

8.  Be an informed consumer.  The merchant’s website should tell you if the product is in stock, provide you with a choice of shipping methods, and offer you a timeline of when you will receive your merchandise (1).  Never commit to buying something if the bottom-line price is ambiguous.   

9.  Know the return policy before you buy!  Before you make an online purchase, understand your rights when it comes to returns, exchanges, refunds, and credits (1).  Will there be a restocking fee or a shipping charge for returning the merchandise? 

10.  Take your time and price shop!   From the safety of your couch you might be tempted to drop your defense.  Just because you are not in the thick of random elbow jabs and shopping cart Indy car races doesn’t mean you should stop looking out for your best interest!  Shopping at home offers you the luxury to stop and think before being swayed by ‘cheap’ impulse buys; it also grants you the opportunity to check other online competitors in order to make sure you are getting the best deal for your money.    
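The domain checks in items 2 and 4 above can be made mechanical.  The script below is an added example written for this page; it is not code from the original article or from the SANS newsletter it cites.  It takes a URL, extracts the host, reduces it to a registered domain (naively, the last two labels; a real checker should consult the Public Suffix List so that names like amazon.co.uk are handled, which this does not), and then flags three tricks: a brand name used as a subdomain of some other site, a brand name embedded in a look-alike domain, and a close misspelling (edit distance of two or less).  It also reports whether the scheme is https.  The TRUSTED_SHOPS list and the sample URLs are constructed for the demonstration; the distance threshold of 2 is an assumption, not a standard.

```python
from urllib.parse import urlsplit

# Constructed sample allow-list of retailers named in the article (assumption: you
# would maintain your own list of domains you have actually verified).
TRUSTED_SHOPS = ("amazon.com", "bestbuy.com", "target.com", "newegg.com")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Naive registered domain: the last two labels.  Assumption: good enough for
    .com/.org; a real checker must use the Public Suffix List (co.uk etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_shop_url(url: str, trusted: tuple = TRUSTED_SHOPS, max_distance: int = 2) -> dict:
    """Classify a shopping URL as trusted, lookalike, unknown or invalid."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    result = {"https": parts.scheme == "https", "host": host,
              "domain": registered_domain(host) if host else "",
              "brand": None, "verdict": "unknown"}
    if not host:
        result["verdict"] = "invalid"
        return result
    domain = result["domain"]
    if domain in trusted:                      # exact registered-domain match
        result["brand"] = domain
        result["verdict"] = "trusted"
        return result
    if "xn--" in host:                         # punycode label: IDN homoglyph risk
        result["verdict"] = "lookalike"
        return result
    reg_label = domain.split(".")[0]           # e.g. "arnazon" in arnazon.com
    sub_labels = host.split(".")[:-2]          # everything left of the registered domain
    for t in trusted:
        brand = t.split(".")[0]
        if (any(brand in lbl for lbl in sub_labels)        # amazon.com.evil.example
                or brand in reg_label                      # amazon-deals.com
                or levenshtein(reg_label, brand) <= max_distance):  # arnazon.com
            result["brand"] = t
            result["verdict"] = "lookalike"
            return result
    return result


if __name__ == "__main__":
    # Constructed sample URLs, not real sites.
    for u in ("https://www.amazon.com/dp/B0",
              "http://www.bestbuy.com/",
              "https://www.arnazon.com/",
              "https://www.amazon.com.secure-login.example/",
              "https://xn--amazn-mye.com/",
              "https://www.example.org/"):
        r = check_shop_url(u)
        print(f"{r['verdict']:9} https={r['https']!s:5} domain={r['domain']} brand={r['brand']}")
```

A "trusted" verdict with https=False still deserves attention (item 2): the site is the real one, but the session is not encrypted.  A "lookalike" verdict names which brand is being imitated, which is the information you need when reporting the site.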

For more great tips, security news and all the latest alerts, visit http://makeitsafe.missouri.edu/.

References:

1.  SANS Institute.  (2010).  Safer online shopping.  Retrieved from http://www.securingthehuman.org/newsletters/ouch/issues/201006.pdf

October is National Cyber Security Awareness Month

national-cyber-security-awareness-month.png

(September 19, 2012)

October is recognized as National Cyber Security Awareness Month.  In support of this effort, the Division of IT will host our annual MU Security Awareness Month.   MU Security Awareness Month consists of a series of free workshops which will bring subject matter experts to MU for a variety of security related topics.  The intent is to educate MU faculty, staff, and students about computer and information security.  Some of the workshops will be more technical or IT Professional driven; however, the sessions are open to all MU faculty, staff, and students.  Audience participation is encouraged, so please bring your questions and take full advantage of the experts that will be on-hand to answer them!

More info: Security Awareness Month

Password Safety in the Digital Age

password-security.png

(August 21, 2012)

As children we would use passwords as a means to keep “intruders” out of our secret hideouts.  While the context of how we use a password has changed since childhood, the necessity of having a strong password is now more important than ever.  Today password protection is your first line of defense against many cyber threats.  Your username and password are the most common means for verifying your identity online.  Think of how many times per day you use these components to log into your computer, access accounts and websites, and to transmit sensitive information.  While technology has made routine chores simpler and faster, it has also increased our vulnerability to cyber-attacks.  Here are a few examples of what these attackers are doing with YOUR account information:  Sending threatening email on your behalf; accessing websites to purchase items with your credit card information you have saved on the site; accessing, modifying, or deleting documents stored on your computer or on any other central file server you have permission to access; and using your University credentials to gain access to confidential information.  As society becomes further immersed into the digital age, it becomes even more important to keep your guard up!  

Protect your password by following these best practices:

  • Never share your password with anyone.  There have been reported cases where individuals pretending to be IT staff or system administrators will ask for your password.  Your password protects your information and no one, including an IT professional, should ever need it. 
  • Do not enter your password into suspicious websites.  Phishing scams use spoofed email, pop-up messages, or fraudulent URLs to trick users into disclosing account passwords, credit card numbers, bank account information, Social Security numbers, or other confidential information.  While attempts are made to block these emails, some still reach your inbox.  If you get a request to provide your password or other personal information, do not respond to the message.  Either delete it or report it to abuse@missouri.edu.  When reporting phishing, send the email as an attachment so that the original headers are preserved.
  • Be cautious when using a public space.  When using a public computer, you should never save items to the machine, always clear your cookies and cache, and sign off before you leave.  When using public Wi-Fi on your own portable device, limit the amount of personal information you view.
  • Routinely change your password.  Change your passwords at least annually, immediately if you suspect one has been exposed, and make sure each one is strong.  Use a separate login ID and password for each website you access.  To change your University password, log into the Password Manager tool.  Visit the Division of IT’s MakeITSafe page for suggestions and tips on creating a strong password. 
  • Avoid the browser’s “save password” feature.  Browsers and email clients offer to remember your credentials when you log into a website or set up a new account.  Anyone who can open that browser profile, on a shared, public, or stolen computer, gets your saved logins, so opt out of this feature and enter the password each time.  A dedicated password manager (next item) keeps stored passwords behind its own master password instead. 
  • Do not record passwords in a place where they can be compromised.  This includes cellular phones and other portable devices.  It also includes a sticky note pasted onto your monitor or under your keyboard!  Password manager software provides a central and secure location to store all account passwords, PINs, and other sensitive information.  Many of the software options include a password generator which creates a new random password for each of your individual accounts.  Examples of password manager software include:  KeePass, Password Safe, PINs, RoboForm, and Turbopasswords.  Some of these products are free, others require a nominal fee.  If you are interested in obtaining a password manager, review all the options available in order to choose the best product for your needs.   
  • Watch for signs of misuse.  Common signs include:  Sent emails in your ‘sent items’ folder which you do not remember composing; new icons, programs, files or start menu items which you did not install; and noticeable performance degradation on your machine. 

 If your password has been compromised or you notice suspicious activity on your accounts, change the password immediately.  If the compromise involves your University account, you are required to report the incident.  Please review the mandatory reporting requirement at http://doit.missouri.edu/security/response/
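The password-generation feature mentioned above is worth seeing in code, because the thing that makes a generated password strong is not its look but how it was produced.  The example below is added for this page and is not code from the original article or from any of the password managers it names.  It draws every character from the operating system's cryptographic random source (Python's secrets module, never the random module, whose output is predictable), enforces the character classes that many sites demand, and reports the entropy in bits so you can compare a 16-character random password with a passphrase.  The FULL_ALPHABET, the minimum length of 12, and the 16-word SAMPLE_WORDS list are constructed for the demonstration; a real passphrase generator uses a list of several thousand words.

```python
import math
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
FULL_ALPHABET = string.ascii_letters + string.digits + SYMBOLS   # 86 characters

# Constructed, deliberately tiny wordlist (assumption for the demo only).  With
# 16 words, five of them give just 20 bits; a 7776-word diceware list gives ~65.
SAMPLE_WORDS = ("tiger", "copper", "harbor", "violin", "meadow", "glacier",
                "saddle", "lantern", "pepper", "orbit", "canvas", "thistle",
                "marble", "falcon", "ember", "quartz")


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for `length` independent uniform picks from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 16, alphabet: str = FULL_ALPHABET) -> str:
    """Uniform random password from `alphabet` using the OS CSPRNG."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    # Require one character from each class the alphabet actually contains, so
    # sites with composition rules accept the result.  The rejection loop costs
    # a small fraction of a bit of entropy at these lengths.
    classes = [c for c in (string.ascii_lowercase, string.ascii_uppercase, string.digits)
               if set(c) & set(alphabet)]
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in pw) for cls in classes):
            return pw


def generate_passphrase(words: int = 5, wordlist: tuple = SAMPLE_WORDS, sep: str = "-") -> str:
    """Random passphrase: `words` picks from `wordlist`, joined by `sep`."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, f"{entropy_bits(16, len(FULL_ALPHABET)):.1f} bits")
    pp = generate_passphrase(5)
    print(pp, f"{entropy_bits(5, len(SAMPLE_WORDS)):.1f} bits (tiny wordlist)")
```

The entropy figure is the honest measure: 16 characters from an 86-symbol alphabet is about 103 bits, while five words from a 16-word list is 20 bits, no matter how long the phrase looks.  Store whatever you generate in the password manager rather than trying to memorize it.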

From Surfing Waves to Surfing the World Wide Web: Be Safe Online While Traveling

travel-image.png

(July 13, 2012)

Picture this:  You are sitting in a lounge chair strategically placed under an umbrella constructed of palm leaves.  The sun is at your back and the ocean waves are crashing against the shore gently in front of you.  The ocean seems endless, blue and white cascades moving in and out.  The warm white sand is soft and tacky between your toes.  Here, right now in this place, you feel the weight of responsibility lifted. 

The philosophy of vacation is quite simple:  Relax, rejuvenate, be carefree, and most of all enjoy yourself.   While some may choose to break waves at a tropical hotspot destination; others may take to the open road; the daring may elect to defy gravity by climbing Mount Everest; and others may pick a culturally enriching international destination.  No matter where your journey takes you, do not allow yourself to become careless with security! 

One of the most effective ways to protect yourself when traveling is to take preventive measures before your departure (1).  Complete the following actions before leaving home: 

  1. Update your operating system, applications, and anti-virus software on your mobile devices.  Operating systems, applications, and anti-virus software all offer periodic updates containing vital security patches.  Keep your system on current versions.
  2.  Ensure your firewall is enabled.  This blocks unsolicited inbound connections to your device from others on the same network.
  3. Encrypt confidential information stored on your devices.  Most mobile devices come with encryption capabilities built in.  If not, you may install encryption applications.  You should consult your vendor’s application store or marketplace for information on what is available.
  4. Enable the automatic lock screen and use a strong password, passphrase, pattern, or PIN to unlock the device.  Activate the lock-out screen with a reasonably short idle timeout, make your PIN or password unique to each device, and never share your PIN or password. 
  5. Configure your device for remote wiping.  In the event that your device is lost or stolen, remote wiping allows you the capability to erase all data and personal information stored on the device (2).  Affix a label to the back of your device with your name, email, and phone number to increase the likelihood of misplaced belongings being returned to you.
  6. Do not post travel plans on social media sites.  You should always limit the amount of personal information you share on these sites.  While your account may be setup securely, you have no control over how your friends setup their accounts.    

 Follow these best practices while you are traveling:

  1. Use sponsored Wi-Fi networks hosted by legitimate organizations and pay attention to the Wi-Fi encryption type.  Your online activities can be monitored by others while you are connected to a public network.  Protect yourself by making sure you are on a legitimate Wi-Fi connection: look for posted signs in hotel lobbies, airport terminals, or cafés displaying the name of the supported Wi-Fi network.  The common Wi-Fi encryption types, ordered from most secure to least secure, are WPA2, WPA, and WEP; WEP has been broken for years and should be treated the same as an open network.  Even on an encrypted network you are sharing it with strangers, so still rely on https:// (and a VPN where available) for anything sensitive. 
  2. Limit your web browsing to well-known and trusted websites and use encryption when possible.  Email and web browsing expose you to phishing scams, malicious sites, infected attachments, and other scams.  Use TLS (the https:// prefix, still commonly called SSL) for web browsing whenever possible; an https:// session encrypts the traffic between your browser and that site so it cannot be read on the network you are using.  Most email providers also offer encrypted connections.  If available, enable the SSL/TLS option in your mail client’s account settings. 
  3. Keep optional network connections, such as Bluetooth and Wi-Fi, turned off when not in use. If using these features in public, limit the amount of personal information you view. SMS, MMS, Bluetooth and synchronization are all potential attack routes.
  4. Limit your use of public computers to casual web browsing only.  Public computers may be infected with malware or keyloggers.  If you have no choice but to use a public computer to make a transaction or to communicate sensitive information, you should assume any information shared could be compromised.  Keep track of the accounts you accessed on a public computer and change your passwords immediately once you are on a trusted computer and network.
  5. Turn off cookies and autofill options.  If your mobile device automatically enters passwords and login information into websites you visit frequently, turn this feature off.  While convenient, these options pose privacy threats. 
  6. Always keep your device on you or locked in a secure location.  You should place mobile devices in your carryon luggage, do not check these items.  There is no guarantee your luggage will arrive to your destination at the same time as you do and there is always a risk of baggage being ransacked before you obtain it.  If you are on a road trip, you should lock electronics in the glove compartment or rear storage of the vehicle. 

 What if you follow all these best practices and still get hacked?  Change your password immediately.  For suggestions on creating a strong password, visit the Division of IT’s MakeITSafe password safety page.  If your device has been compromised, misplaced, or stolen you should employ remote wiping.  If you did not configure your device for remote wiping beforehand, you still have the capability to wipe your Microsoft Exchange account.  Faculty, staff, and students may request remote wiping of their University email account, contacts, and calendar.  For assistance with this process, contact the IT Help Desk at 882-5000. 

 References: 

  1.  SANS Institute.  (2011).  Staying Secure Online While Traveling.  Retrieved from http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201104_en.pdf
  2.  Kugler, L.  (2011).  9 Ways to Keep Your Mobile Devices Secure While Traveling.  Retrieved from http://www.pcworld.com/article/218671/9_ways_to_keep_your_mobile_devices_secure_while_traveling.html

Identity Theft: Indecent Impersonation

identity-theft.png

(June 14, 2012)

Ask yourself one question, “If you could be anyone else in the world, who would it be?”  Most likely it would be an individual of this caliber:  a leader, a mogul, a literary, a philanthropic, a worldly traveler, an actor, an inventor, et cetera.  Your admiration for this individual may inspire you to emulate aspects of their character, values, or beliefs in an effort to become a better version of yourself.  Imitation is one the sincerest forms of flattery, right?  Well, as it turns out, this is not always the case. 

According to the Federal Trade Commission (FTC), as many as 9 million Americans have their identities stolen each year (1).  Identity theft is an ever increasing crime with alarming consequences for its victims.   It can take countless dollars and years to rectify the damage caused by this offense.  Ironically, identity theft starts with just simple pieces of personally identifiable information such as name, Social Security number, credit card numbers, and other financial account information (1).  It becomes damaging when this information is combined together. 

Awareness is the most effective weapon against many forms of identity theft.  You should be aware of how information is stolen, know how to protect your information, and know what to do if you are a victim of identity theft.  There are a variety of methods used to obtain personally identifiable information, such as:  rummaging through your garbage for bills and other paper statements; stealing your credit card information as they are processing the card for a legitimate purchase; filing a change of address on your behalf to divert billing information and credit card applications to another location; stealing your wallet or purse; or through phishing scams (1). 

Once they have your personal information, identity thieves use it in a variety of ways.  It can be used for credit card fraud; phone or utilities fraud; bank and finance fraud; Governmental documents fraud; or to rent a home, seek medical care, or used during a police arrest (1).  Watch for these signs of identity theft:  unexplainable debits on your accounts, inaccurate information on your credit report, missing paper statements and bills you typically receive monthly, receiving a credit card for which you did not apply, getting denied credit for reasons unknown to you, or getting calls from debt collectors for accounts you are unaware of (1). 

Follow these best practices to safeguard your information:

  1.  Before disclosing any personal information you should ask three important questions:  who will have access to the information, how is the information handled, and how is it disposed of when it is no longer needed.  If your Social Security number (SSN) is requested, ask if there is another form of identification that can be provided in lieu of your SSN. 
  2. Do not carry your Social Security card, birth certificate, passport, extra credit cards, or any other personal cards in your wallet or purse when they are unnecessary.  Store these items in a safe undisclosed location. 
  3. Do not give personal information over the phone, Internet, or through the mail unless you have initiated the contact and are certain of the legitimacy of the business you are working with.  Email is never a secure method for transmitting or saving sensitive information such as passwords, financial information, Social Security numbers, et cetera.
  4. Shred paper statements with personally identifiable information and account numbers on them when they are no longer needed.  Examples include:  credit card receipts and statements, explanation of benefits for medical services, billing statements, and pre-approved credit card offers or checks.  You can opt out of prescreened offers of credit and insurance at www.optoutprescreen.com.
  5. Obtain a copy of your credit report each year from the three major credit reporting agencies (Equifax, Experian, and TransUnion) and review them for any unusual activity.
  6. Review bank and credit card statements at least once a month.      
  7. Limit web browsing and web purchases to well-known and trusted websites only.  If you initiate a transaction, look for an https:// address and the padlock indicator, which confirm that your connection to the site is encrypted in transit.
  8. Turn on your firewall and use anti-virus software to prevent uninvited access into your computer files.  Anti-virus software, operating systems, and web browsers periodically offer updates which contain security patches.  Make sure you update these items regularly.
  9. Be cautious when using a public space.  When using a public computer, never save items to the machine, clear your cookies and cache, and sign off before you leave.  Also, if you are in a public space using Wi-Fi, limit the amount of personal information you view.
  10. Read website privacy policies.  These policies provide you with details regarding how the site maintains accuracy, access, security, and control of the personal information it collects and whether it provides this information to third parties.  Also, adjust settings on social media sites to private and limit the amount of personal information you disclose. 

If you are a victim of identity theft, take the following actions:  Place a fraud alert on your credit report, order new copies of your credit report from each of the credit reporting agencies to review, and create an identity theft report.  Visit the Federal Trade Commission site for more detailed information. 

References:

  1. Federal Trade Commission.  (2012).  Fighting back against identity theft.  Retrieved from http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/about-identity-theft.html

 

The Electronic Graveyard: Do Not Let Old Technology Haunt You!

shred-it.jpg

(May 15, 2012)

Are first generation electronics cramping your style?  Are you tired of watching what used to be considered cutting-edge technology depreciate and collect dust in front of your eyes?  Or, is it simply time to purge the designated electronic waste drawer in your home?  Regardless of your motivation to rid yourself of old technology, always remember to sanitize a device before you discard, recycle, donate, repurpose, or sell it!

There are countless news stories of confidential and private information getting leaked due to old electronic devices being discarded before the hard drive was wiped clean.  For criminals and identity thieves, retrieving useful remnants of information is surprisingly easy and even more valuable than the device itself.  Permanently deleting information from a hard drive is more challenging than one might expect. 

There are many widely held misconceptions about data disposal.  Deleting files, dragging items to the recycle bin or trash, reformatting the disk or deleting partitions, and even encrypting files after the fact are all ineffective at destroying data: each leaves the original bytes sitting on the disk where recovery tools can find them.  Sanitizing a device, by contrast, permanently purges every byte of data and personally identifiable information stored on it.  Therefore, to completely obliterate data, you have two options:  physically destroy the device or sanitize it!    

  1.  Physically destroying the device.  A device can normally be destroyed through the use of heat, a strong magnetic field, or by shredding, crushing, or any other aggressive methods which may require special tools and safety precautions.
  2. Sanitizing a device by securely wiping magnetic drives.  Using a special software tool, you can overwrite every bit and byte on your disk.  In doing so, your original information will never be accessible again.  There are several issues to consider as you prepare to wipe your hard drive or other media devices: 
  • Once you start the wiping process, there is no turning back.  Make backups of any pertinent files you may need for future use.
  • Secure wiping requires a special-purpose program.  Examples are DBAN, a bootable wiper that erases an entire drive regardless of the operating system installed on it; SDelete (Windows, from Sysinternals), which overwrites individual files and free space; shred on Linux; and Disk Utility’s secure-erase options on a Mac.  To sanitize the drive the operating system itself lives on, you typically boot the computer from a CD or USB key and run the tool from there.  Make sure the tool you use has a feature to wipe the entire drive, not just the empty space.  Note that overwriting is reliable for magnetic drives only: solid-state drives and flash media remap blocks behind the scenes, so an overwrite can miss copies of your data; for those, use the drive’s built-in secure-erase command or physical destruction.  For additional assistance, please contact your IT Pro or the Help desk at 882-5000. 
  • Adhere to data disposal policies.  The University and the Hospital have policies dictating the appropriate methods for data disposal to ensure confidentiality of the data and compliance with software licensing contracts.
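To see what "overwrite every bit and byte" means in practice, and why the tool must cover the whole drive, here is an added example written for this page (not code from the article, from DBAN, or from any other tool it names).  It overwrites a single file in place, random data first and zeros last, forces each pass to disk with fsync, and then checks that a known marker can no longer be read back.  The marker text and the temporary file are constructed for the demonstration.  A file-level overwrite like this only reaches the blocks the file occupies right now: earlier copies freed by edits, journaling or copy-on-write filesystems, snapshots, and SSD wear-levelling can all leave the old bytes elsewhere, which is exactly why the article tells you to wipe the entire drive from boot media before disposal.

```python
import os
import secrets
import tempfile

CHUNK = 1024 * 1024  # overwrite in 1 MiB pieces so large files do not load into memory


def overwrite_file(path: str, passes: int = 2) -> int:
    """Overwrite every byte of `path` in place: random data on the first
    passes, zeros on the last, fsync after each.  Returns bytes overwritten."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for p in range(passes):
            final = (p == passes - 1)
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(b"\x00" * n if final else secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())   # make sure the pass reached the disk, not just the cache
    return size


def contains(path: str, marker: bytes) -> bool:
    """True if `marker` still appears anywhere in the file (demo-sized files only)."""
    with open(path, "rb") as f:
        return marker in f.read()


def wipe_file(path: str, passes: int = 2) -> int:
    """Overwrite, then unlink.  Caveat: only the file's current blocks are covered."""
    n = overwrite_file(path, passes)
    os.remove(path)
    return n


def demo() -> tuple:
    """Constructed demonstration: plant a marker, overwrite, verify it is gone.
    Returns (marker_found_before, marker_found_after)."""
    marker = b"CONFIDENTIAL-RECORD "          # constructed sample content
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(marker * 4096)                 # 80 KiB file
    before = contains(path, marker)
    overwrite_file(path)
    after = contains(path, marker)
    os.remove(path)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print(f"marker present before wipe: {before}, after wipe: {after}")
```

The simplest way to make disposal easy later is to encrypt the drive from day one (see the Encryption article above): then sanitizing it comes down to destroying the key, and the wear-levelling problem disappears because no plaintext was ever written.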

 Need to destroy a University-owned device? The Division of IT (DoIT) hosts ShredIT data disposal events biannually.  ShredIT events are open to the University system, MU campus, and Hospital departments at no charge for University-owned equipment.  Department IT Pros are notified of these events and are encouraged to participate.  Simply bring the media to our announced location and DoIT will take care of the disposal for you. 

ShredIT spring cleaning event!

Date: Thursday, May 31, 2012
Collection Time: Between 2-4 pm
Location: Telecom Building loading dock.  Please do not drop off any items prior to 2 pm on Thursday, May 31st!

 Visit our Make IT Safe site for additional security awareness best practice tips and security related news.

 References:

SANS Institute.  (2011).  Securely Disposing of Computers and Other Storage Devices.  Retrieved from http://www.securingthehuman.org/newsletters/ouch/issues/201101.pdf

“There’s an App for that!” Safeguarding your Mobile Device

mobile-security.jpg

(April 12, 2012)

Need to check your cash flow before you go out Friday night?  “There’s an app for that!”  Curious if you are still the highest bidder on an auction?  “There’s an app for that!”  Interested in staying in touch with friends and family via social networking?  You guessed it, “there’s an app for that” too! 

Mobile devices are products such as smartphones, media tablets, media players, and e-readers.  These devices boast portability, ease of use, and an abundance of applications which allow users to stay connected to the world through pocket-sized technology.  Given the growing complexity of their tiny operating systems and the limited security controls currently offered, an emerging concern is how to safeguard these compact devices.

Simply put, many users overlook the fact that they are carrying a device with the same functionality and processing power of any other networked computer, thus placing themselves at great risk for exploitation.  With new vulnerabilities discovered every day, there is a need to protect the data saved, accessed, and distributed from mobile devices. 

To ensure that you are protected, follow these 10 simple best practices:

  1.   Enable a PIN, passcode, or pattern.  According to a Sophos survey from 2011, 67% of mobile phone users have not enabled password protection on their device! This is your strongest defense in protecting yourself from unwanted use.  Activate the lock-out screen with a reasonably short idle timeout, make your PIN or passcode unique to each device, change it frequently and never share your PIN or passcode.
  2.   Never store sensitive data.  Passwords, financial information, social security numbers et cetera should never be sent from or saved on your mobile device. 
  3. Keep your operating system and applications current.  Just like any other computer, mobile device operating systems have updates that contain vital security patches. 
  4. Only download applications from trusted sources and just install the applications you need.  Remember, the more applications installed the greater potential for vulnerabilities, so be sensible when downloading all those free applications.
  5.  Always read installation prompts before downloading applications and software.  Carefully examine the information for which you are allowing access, such as personal information about yourself, your device, and your location.  The information retrieved from your device needs to be logical based on the type of application or software you are downloading. 
  6.  Keep optional network connections, such as Bluetooth and Wi-Fi, turned off when not in use.  If using these features in public, limit the amount of personal information you view.  SMS, MMS, Bluetooth and synchronization are all potential attack routes.
  7.  Limit your web browsing to well-known and trusted websites and use encryption when possible.  Utilizing email and web browsing features poses the threat of phishing scams, malicious sites, infected attachments, and other scams.  Use SSL encryption (https://) for web browsing when possible.
  8.   Enable remote wiping so you can erase the device if it is misplaced or stolen.   A remote wipe is a command you send over the network (through your vendor’s find-my-device service or your organization’s mobile device management) that erases all data and information stored on the device; many devices can also be set to erase themselves automatically after a set number of failed unlock attempts.  Attach an ID label to the back of your device with your name and details of how you can be reached to optimize your chances of the device being returned.
  9. Data sanitize your device prior to disposing of it.  Some devices have built-in features that allow you to securely erase all data.  Never dispose of a device without removing all personal information.
  10. Know the policy.  Before accessing work-related services or email, verify that it is permissible with your employer’s policies.  Also, familiarize yourself with the University’s mandatory reporting policy for lost or stolen mobile devices, found at http://infosec.missouri.edu/hr/mandatory-reporting.html


For more great tips, security news and all the latest alerts, visit http://makeitsafe.missouri.edu/.


References:

Penido, C. (2011). Smart phone security, protecting today's most useful-and vulnerable-technology. Retrieved from http://www.nyu.edu/its/connect/w11/mobilesecurity.html.

SANS Institute. (Feb. 2011). Using your smartphone securely. Retrieved from http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201102_en.pdf.

Sophos. (Aug. 2011). 67 percent of mobile phone consumers don't have password protection on their mobile phones. Retrieved from http://www.sophos.com/en-us/press-office/press-releases/2011/08/67-percent-of-consumers-do-not-have-password-protection-on-their-mobile-phones.aspx.

United States Computer Emergency Readiness Team (US-CERT). (2010). Technical information paper TIP-10-105-01, cyber threats to mobile devices. Retrieved from http://www.us-cert.gov/reading_room/TIP10-105-01.pdf.

University of Missouri Human Resource Security, Mandatory Reporting Requirement. Retrieved from http://infosec.missouri.edu/hr/mandatory-reporting.html.

To Download or Not to Download: That is the Question

dmca.jpg

(March 15, 2012)

Do you download music, movies, or books online?  If so, are you doing it legally?  Copyright violations carry serious civil and criminal penalties.  Make yourself aware of the law and University policy to avoid legal and disciplinary action. 

What is the Law?  The Digital Millennium Copyright Act of 1998 (DMCA) is a federal copyright law protecting the rights of authors of intellectual works such as books, movies, and music.  Under copyright law, only the author or the author's assignees have the legal authority to copy, distribute, create derivative works from, or perform or exhibit protected works. 

What if I pay for downloads?  Downloading music, videos, books, and games from a file sharing network that distributes unauthorized copies of copyrighted material is a federal offense.  Some file sharing networks charge a membership fee to join; paying this fee does not make the service legal.  Check the terms and agreements section before you download.  If you purchase the rights to a product from a legitimate service, then you have legally obtained the product and are authorized to use it for personal, noncommercial use.  iTunes is an example of a legal download service. 

I paid for it.  I can copy it, right?  Another common misconception is that you may duplicate and distribute copyrighted materials as long as the intent is not to sell the duplications.  However, the act of copying and distributing someone else's work violates an author's rights.  Just because you have legally obtained a product, such as a CD, DVD, or an MP3, does not mean you have unlimited rights to it.  Downloading an MP3 from iTunes and copying it for a friend is illegal.   

What should I do to comply with the law and avoid litigation? 

  1. Familiarize yourself with the DMCA and University policy.  All users of University of Missouri computer networks, equipment, or connecting resources are held to the University’s Acceptable Use Policy (AUP).  Carefully read and understand your obligations as a user.
  2. Unsubscribe from illegal peer-to-peer file sharing networks.  MU policy prohibits the use of all peer-to-peer applications such as BitTorrent and eMule. In accordance with this policy, these types of download applications are blocked by network administrators.  Any individual attempting to circumvent these blocks is in violation of the University's file sharing policy.
  3. Purge any illegally obtained materials.  Remove any copyrighted materials unlawfully obtained from any device on which it is stored, and stop illegal downloading of copyright materials immediately. 
  4. Follow this simple rule of thumb.  If you would typically pay for it, then it is probably protected by copyright.  Take the DMCA quiz to test your knowledge. For a list of legal alternatives and known legitimate download services visit: http://www.educause.edu/legalcontent.

If you have any questions, please contact isam@missouri.edu.

Gone Phishing? Don't Take the Bait, Protect Yourself from Online Poachers!

(February 15, 2012)

You sign into your email account and notice you have a message with the subject line of Urgent! Your Account Has Been Compromised! The email body states, "We suspect unauthorized transactions on your account. Please log into your account using the below link and confirm your banking details. Failure to do so will result in the suspension of your account." The intention of this type of email is to instill panic. Anxiety is a normal response, especially when you believe someone else has access to your bank account information and could be making fraudulent charges. The cyber attacker is relying on a reaction, whether that means clicking on a link provided, opening an attachment, or responding to the request for information.

Phishing scams are becoming more sophisticated and thus appear more legitimate to users. To gain trust, most cyber attackers send spoofed emails using company logos and company contact information and then direct users to counterfeit URLs. While designed to appear authentic, these websites are actually controlled by the attacker. Phishing attacks usually have one of two objectives: to harvest personally identifiable information and banking/credit card data, or to take control of your computer through malicious links and attachments. In 2007, the number of victims of phishing attacks escalated to 3.6 million U.S. adults, a loss of over 3.2 billion dollars (1).

Follow these best practices to prevent getting snagged!

  1. Turn on your firewall and use anti-virus software. Anti-virus software and web browsers periodically offer updates containing security patches, so these items need to be updated regularly. Also, make sure your operating system and applications are up to date.
  2. Never email sensitive information. Email is not a secure method for transmitting or saving sensitive information such as passwords, financial information, Social Security numbers, et cetera.
  3. Routinely change your password. You should change your passwords at least annually and use a strong password. It is best to choose a separate login ID and password for each website you access, so that one stolen credential does not open every account. Unauthorized users can send spam, threats, and other fraudulent emails on your behalf once they have your login credentials. Change your password immediately if your account information has been exposed. Remember, your password is the major form of protection for your computer account and the University resources that you have permission to access. For suggestions on creating a strong password, visit the Division of IT MakeITSafe passwords page.
  4. Limit your web browsing to well-known and trusted websites and use encryption. Use HTTPS (SSL/TLS, shown as https:// in the address bar) for web browsing when possible. Before entering credentials or payment details, confirm that the page is served over HTTPS and that the browser shows the connection as secure, such as the padlock symbol; an https:// page whose address does not belong to the company you expect is still a phishing page.
  5. Check bank and credit card statements regularly. Watch for any unauthorized charges and report them immediately.
  6. Be suspicious of email. Beware of email requiring immediate attention and demanding personal information or account information. Other suspicious indicators include spelling/grammatical mistakes, an overall generic tone, and an ambiguous website link.
  7. Do not click on direct links. Avoid clicking on direct links provided in an email. If you get an email from what appears to be a known source, such as your bank or a store, then type their web address directly into your browser. If you are unsure of the exact destination site, use a search engine to look up the company.
  8. Do not open attachments from unknown sources. Attachments can contain viruses that allow cyber attackers to gain control of your computer system. If they gain access to your email directory or social media networks they can send malicious emails on your behalf.
  9. Be cautious when using a public space. If you are using a public computer, never save items to the machine, clear your cookies and cache, and sign off before you leave. Also, if you are in a public space using Wi-Fi, limit the amount of personal information you view.
  10. If it seems too good to be true, it is probably an attack. Help report phishing! Open a new email message and address it to abuse@missouri.edu. Drag and drop the phishing email from your inbox into this new email message as an attachment. If you are unable to attach the item in this manner, forward the original message to abuse@missouri.edu. You will need to paste the header information into this message. For instructions on internet headers, see http://doit.missouri.edu/security/response/headers.html.
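Items 6, 7 and 10 above describe the indicators a reader is supposed to spot by eye: a sender address that does not match where the mail really came from, a link whose visible text names one site while its target is another, and the header chain that abuse@missouri.edu needs to trace the message. The script below is an added example, not part of the original article, that checks those three indicators on a raw message. The sample message, its bank, hostnames and IP addresses are all constructed for the example; the `registrable_domain` helper is a deliberate two-label approximation and not a public-suffix-list lookup.

```python
"""Flag common phishing indicators in a raw RFC 822 message (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: invented bank, hosts and documentation-range IPs.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mail-updates-secure.example.net>
Received: from mx.missouri.example.edu (mx.missouri.example.edu [192.0.2.10])
        by inbox.example.edu with ESMTP id 12345; Wed, 15 Feb 2012 09:00:00 -0600
Received: from unknown (HELO bankmail) (198.51.100.77)
        by mx.missouri.example.edu with SMTP; Wed, 15 Feb 2012 08:59:58 -0600
From: "Example Bank Security" <alerts@examplebank.com>
To: <user@example.edu>
Subject: Urgent! Your Account Has Been Compromised!
Content-Type: text/html

<html><body>
<p>We suspect unauthorized transactions on your account.</p>
<p>Please <a href="http://examplebank.com.mail-updates-secure.example.net/login">
log into your account at https://www.examplebank.com</a> to confirm your details.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname; an approximation, not a public-suffix lookup."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse(raw):
    """Return (list of indicator strings, Received hops ordered earliest first)."""
    msg = message_from_string(raw)
    findings = []
    from_dom = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1]
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rsplit("@", 1)[-1]
    # Indicator 1: displayed sender domain differs from the bounce (envelope) domain.
    if from_dom and rp_dom and registrable_domain(from_dom) != registrable_domain(rp_dom):
        findings.append(f"From domain {from_dom} does not match Return-Path domain {rp_dom}")

    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        # Indicator 2: link text names one host, href resolves to another.
        for shown_host in re.findall(r"https?://([A-Za-z0-9.-]+)", text):
            if registrable_domain(shown_host) != registrable_domain(href_host):
                findings.append(f"Link text shows {shown_host} but href goes to {href_host}")
        # Indicator 3: link does not even sit under the claimed sender's domain.
        if from_dom and href_host and registrable_domain(href_host) != registrable_domain(from_dom):
            findings.append(f"Link host {href_host} is not under sender domain {from_dom}")

    # Received: headers are prepended by each hop, so the LAST one is the earliest.
    hops = [re.sub(r"\s+", " ", h) for h in msg.get_all("Received", [])][::-1]
    return findings, hops


def originating_ip(hops):
    """First IPv4 literal in the earliest hop: the value an abuse desk asks for."""
    if not hops:
        return None
    m = re.search(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b", hops[0])
    return m.group(1) if m else None


if __name__ == "__main__":
    findings, hops = analyse(SAMPLE_EMAIL)
    for f in findings:
        print("INDICATOR:", f)
    print("Earliest hop:", hops[0])
    print("Originating IP:", originating_ip(hops))
```

Run against the sample, the script reports all three indicators and extracts 198.51.100.77 from the earliest Received: hop, which is the line to quote when reporting the message. Received: headers below the first one your own mail server added can be forged by the sender, so treat the originating IP as a lead for the abuse team rather than proof.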

References:

  1. Gartner, Inc. (2007). Gartner survey shows phishing attacks escalated in 2007; more than $3 billion lost to these attacks. Retrieved from http://www.gartner.com/it/page.jsp?id=565125.
  2. Federal Trade Commission (FTC). (2006). How not to get hooked by a 'phishing' scam. Retrieved from http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt127.shtm.
  3. SANS Institute. (Dec. 2011). E-mail phishing and scams. Retrieved from http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201112_en.pdf.

University of Missouri / UM System
Division of Information Technology
615 Locust Street, Columbia, MO 65211
(573)882-2000

Copyright 2009 Curators of the University of Missouri.
DMCA and other copyright information.
An equal opportunity/affirmative action institution.