Contents

Introduction (page 4)
UA Information Security Acceptable Use and Best Practices (page 5)
Best Security Practices for Home and Personal Use (page 5)
Seven Practices for Computer Security (page 5)
Protection of Confidential Information (page 6)
What Is Confidential Information at The University of Alabama? (page 6)
Preventing Confidential Data Breaches at UA (page 6)
Recent Spear Phishing at UA (page 6)
Why Do People Steal Someone’s Identity? (page 7)
What If I Suspect My Identity Has Been Stolen? (page 7)
How Can I Protect Myself from Personal Identity Theft? (page 8)
What Is Phishing? (page 8)
What Are E-mail Scams? (page 9)
Social Networking Sites at UA (page 10)
Social Networking Cautions (page 10)
How to Be Cyber Safe (page 11)
Helpful Links (page 12)
Viruses, Worms, Spyware, and Other Malware (page 13)
University of Alabama Virus and Spyware Protection (page 13)
Protect Your Personal Computer from Viruses, Spyware, and Hackers (page 13)
Viruses, Worms, Spyware, and Other Malware Definitions (page 14)
Computer Disposal and Information Destruction (page 15)
Disposal and Reuse of Information Assets at The University of Alabama (page 15)
Disposal and Reuse of Personal Home Computers and Storage Devices (page 15)
Online Shopping and Online Investing (page 16)
Online Shopping and Online Investing Cautions (page 16)
How to Be Cyber Safe (page 16)
Helpful Links (page 17)
Copyright Information (page 17)
The University of Alabama Copyright Policy (page 18)
What Happens When the University Gets Notified of Copyright Infringement? (page 18)
How to Be Cyber Safe (page 18)
Helpful Links (page 18)
Laptop Security (page 18)
Security for University of Alabama Laptops (page 19)
Personal Home Laptop Security (page 19)
Helpful Links (page 19)
Wireless Security (page 19)
Use of The University of Alabama’s Wireless Networks (page 19)
Security for Home Wireless Networks (page 19)
Helpful Links (page 20)
Security of Mobile Devices and Physical Security Awareness (page 20)
Security of UA provided Mobile Devices (page 20)
Security of Personal Mobile Devices (page 20)
Other Personal Protection Considerations (page 21)
Links to Other Valuable Security Awareness Information (page 21)
Introduction

Every day we read or hear about identity theft, credit card fraud, Internet scams, or other computer-related crimes. It almost seems impossible to protect our confidential information in such an open, technology-driven environment. While the Internet provides a wealth of information, entertainment, communications, products, and services, it also provides a venue for an unbelievable range of malicious activity. This security pamphlet provides an overview of some basic practices that can be used to protect confidential information at The University of Alabama, as well as practices we can all use to protect our personal information. The concepts in this publication are not intended to be the basis for a comprehensive security program, but to provide awareness about the basic steps we each need to take to reduce the risk of falling victim to a computer-related crime. The following pages provide basic security information in a wide range of areas, including general security practices, social networking, viruses, worms and other malware, computer and computer component disposal, online shopping and investing, copyright information, wireless security, and laptop/mobile device security. Regularly reviewing this information will help us all stay sharp and be vigilant about protecting our information in the ever-expanding technological world.
UA Information Security Acceptable Use and Best Practices

The University of Alabama has several key policies related to the use of its information assets. New policies are currently being created to aid in the identification and protection of confidential information at the University. In general, information assets at the University should be used for University business only. Occasional personal use of electronic media may be allowed within certain limitations at the discretion of your manager. It is important that we treat all confidential information at the University the same way we would treat our own personally identifiable information.

The privacy of University information must be maintained at all times, including information in electronic and paper form. Information assets must not be used to disrupt normal activities at the University or used in an obscene, threatening, or harassing manner. Every employee at the University has the responsibility to protect information, including passwords, and to back up critical data that is not centrally managed. Also, every employee has the responsibility to report a breach of any security system or the abuse and/or misuse of University information. Employees should make themselves aware of the civil and/or criminal penalties related to the abuse and misuse of University assets and certain critical University information.

The following key policies should be reviewed at least annually.

The University Acceptable Use Policy describes the expectations related to the use of University computer accounts, the use of shared resources, privacy, the respectful exchange of ideas and information, and your personal responsibility. The University Terms of Use of Computer Accounts describes the 13 conditions related to the terms and use of computer accounts. The Computer Resources Acceptable Use and Security Policy describes the five guidelines concerning the use of the University’s computers, computer networks, and computer resources.

The Office of Information Technology Policy Web site contains several other policies related to the following areas:
• Administrative Data Security Policies and Standards
• Information Security Plan
• Copyright Information
• Virtual Hosts at the University of Alabama
• Guidelines for Administrative Mass Mailing to Students
• Campus Network Infrastructure Policy Statement
• Cellular Telephone Policy (for University-owned telephones)

Best Security Practices for Home and Personal Use

Seven Practices for Computer Security

OnGuard Online provides a wonderful set of security recommendations, including these seven practices for computer security:
1. Protect your information. It’s valuable.
2. Know who you’re dealing with.
3. Use security software that updates automatically.
4. Keep your operating system and Web browser up-to-date, and learn about their security features.
5. Keep your passwords safe, secure, and strong.
6. Back up important files.
7. Learn what to do in an e-emergency.

For more detail, visit their Web site at http://www.onguardonline.gov/topics/computersecurity.aspx.
Protection of Confidential Information

What Is Confidential Information at The University of Alabama?

Confidential information generally includes data that is protected by government, industry, or contractual obligation. Here are a few examples:
• Student information, including campus-wide IDs, as defined by FERPA (Family Educational Rights and Privacy Act)
• Certain research data
• Health information and health records (HIPAA)
• Social Security numbers
• Credit card and debit card data
• Certain employee information
• Certain financial information

Other information can be deemed confidential based on the needs of the University. All confidential University information should be protected from inappropriate disclosure or use. Treat this information as you would your own personally identifiable information; in some cases it includes your personal information.

It is critical that all University employees understand the privacy of student information as described by the Family Educational Rights and Privacy Act (FERPA). It is recommended that this policy on confidentiality be reviewed by all employees at least annually.

Electronic Health Information (EHI) must also be protected from inappropriate use. Any employee who comes in contact with any health information or works in an area that contains health information is required by the Health Insurance Portability and Accountability Act (HIPAA) to attend annual privacy and security training. HIPAA privacy and security training is available at the University HIPAA Web site.

Preventing Confidential Data Breaches at UA

Malicious individuals, normally external to the University, will try very creative ways to compromise systems, including exploiting weaknesses in our systems and using social engineering to obtain information from you or me. One common breach method is to find weaknesses in the protection of our systems and exploit those weaknesses. It is important that we keep our systems patched and up-to-date with antivirus software. It is also important that we reduce the risk of exposure by protecting systems from open access from the Internet. The University is currently undergoing a review of such protection and making significant changes to reduce risk.

Another method for gaining access to systems or information is called phishing, a technique that attempts to obtain confidential information through a seemingly legitimate request.

Recent Spear Phishing at UA

Phishing is a general attempt to gain access to user IDs, passwords, account numbers, or other personal information. Spear phishing is a more targeted attempt at gaining information. Below are a couple of examples of spear phishing attacks targeting University of Alabama e-mail accounts.

EXAMPLE 1:
From: Email Support Desk [mailto:abtech12@gmail.com]
Sent: Tuesday, June 30, 2009 5:39 AM
Subject: Confirm Your University of Alabama (Service Upgraded)

University of Alabama Support Desk
Attention: This is to inform you that we are carrying out a site upgrade, as a mailbox subscriber, we are carrying out a (inactive email-accounts) clean-up process to enable service upgrade efficiency. Please be informed that we will delete all mail accounts that are non functioning.

You are to provide your email account details as follows (This will confirm your University of Alabama mailbox Login/usage Frequency):
*User name:
*Password:
*Date of birth:
Failure to do this, your email address will be deactivated from our database.
University of Alabama Support Desk
Copyright © 2009 The University of Alabama | Tuscaloosa, AL 35487
EXAMPLE 2:
From: adelkoszta@eastlink.ca [mailto:adelkoszta@eastlink.ca]
Sent: Sunday, February 22, 2009 8:11 PM
Subject: Webmail Upgrade

To Join in the Recent Upgrade Taking Place at bama.ua.edu, You must Reply to this email by Providing your email Address and Password in the space below,
Email Address :
EMAIl Password :

These requests did not originate from the University of Alabama, although they can be quite convincing to some users. First and most important, NO ONE FROM THE UNIVERSITY OF ALABAMA WILL ASK YOU TO SEND YOUR PASSWORD (OR DATE OF BIRTH) IN AN E-MAIL. Second, notice the “FROM” addresses in each example: Email Support Desk [mailto:abtech12@gmail.com], which is @gmail.com instead of @ua.edu, and adelkoszta@eastlink.ca [mailto:adelkoszta@eastlink.ca], which is @eastlink.ca instead of @ua.edu. The “FROM” addresses can be spoofed to look like legitimate University addresses, but don’t be fooled by that. If you receive a message that appears to be phishing, forward a copy of the message to security@ua.edu and delete it from your inbox.

If accounts are compromised, they can be used to launch SPAM e-mail using the compromised account and University of Alabama resources. If you accidentally reply to a phishing request with your University of Alabama username and password, change your password immediately and notify the security department at the Office of Information Technology.

Why Do People Steal Someone’s Identity?

A combination of your name, address, date of birth, Social Security number, healthcare provider, and other information can be used to steal your identity. Why do people want to steal someone’s identity? Identities can be sold for profit. They can be used to open credit under your name to make a large purchase and abandon payment. This leaves you explaining why your credit rating has dropped and why you can’t get any credit. There have been cases where people have used stolen identities to make purchases and actually pay for the items because they cannot get credit under their own names due to personal credit problems. This could also affect your credit rating.

Identities can be stolen to obtain healthcare. People who do not have health insurance or cannot get health insurance for themselves or family members could attempt to use yours.

What If I Suspect My Identity Has Been Stolen?

Contact law enforcement immediately if you believe that your personal information has been fraudulently used. Place a fraud alert on your credit files. This free service will automatically notify you before new accounts can be opened in your name, or before creditors can make changes to your existing accounts, for at least 90 days. You can activate fraud alerts by calling one of the credit bureaus listed below. The fraud alert will automatically be sent to the other two, and all three agencies will send you a free credit report.
• Transunion: 1-800-680-7289; www.transunion.com
• Equifax: 1-800-525-6285; www.equifax.com
• Experian: 1-888-397-3742; www.experian.com

Even if you have no reason to believe your identity has been stolen, best practice is to regularly check all your accounts for unusual activity. To do so, utilize the free credit reports at least annually. Equifax, Transunion, and Experian all offer additional services for a fee to allow for more frequent monitoring and fraud alerting. Also, the Federal Trade Commission provides helpful information for individuals who are concerned about their personal information but have no evidence the information is being used:
• FTC Identity Theft Hotline: dial 1-877-438-4338, and then press 3.
• FTC Identity Theft Web site: http://www.ftc.gov/idtheft
The Social Security Administration also maintains a fraud line at 1-800-269-0271.

How Can I Protect Myself from Personal Identity Theft?

There are many ways that your personal information can be stolen. Information can be compromised through weaknesses in businesses that you have trusted with your personal information. Most businesses will notify you by mail if this has occurred, but this is not a guarantee. This could include compromises of Web sites where you make purchases. Make sure you only frequent well-known, trusted sites when you use your credit or debit card to make electronic purchases. Also, avoid leaking personal information through phishing or other e-mail scams.

What Is Phishing?

Phishing is an attempt to send you what looks like a legitimate request for personal information in order to steal your personal information. Some are general in nature, and some are specific. All ask for IDs, passwords, credit card numbers, bank account numbers, or other personal information. Below is an example of a bank phishing attempt:

Your bank, credit card company, or other business affiliates should already have your ID, password, credit card number, Social Security number, bank account number, or other confidential information. You should never have to tell them in an e-mail or be redirected to a Web site where you are requested to enter personal information. One sure clue that you’ve received a bogus phishing request from what appears to be a financial institution is that you’ve never done business with the referenced institution. But even if you receive a request from what appears to be an institution you do business with, the bank personnel should never ask for account numbers, IDs, passwords, or Social Security numbers. Some phishing attempts look very convincing, like the one below. If the bank requests that you contact it, use your normal method for dealing with your financial institution: call it from an officially published number, or access its Web site from the officially published bank Web site name. If you look carefully at the link in the example, the site is actually “goodbox-pc.com”; the “bankofamerica.com” comes after the / in the URL.
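The two checks described in this section, the real domain behind a “FROM” address and the real host behind a link, can be applied mechanically. The following Python script is an added example and is not part of the original pamphlet. It extracts the address from a From header (including Outlook’s “[mailto:...]” rendering seen in the examples above), compares its domain with the domain you expect, and reports which host a link actually points at, flagging links in which a trusted brand name appears somewhere other than the real host. The trusted-domain set, the brand tokens, and the sample URLs are constructed for the example (the goodbox-pc.com / bankofamerica.com pairing follows the pamphlet’s description of the link); the “registrable domain” is simplified to the last two labels of the host, which is wrong for suffixes such as co.uk.

```python
"""Added example: where does a message really come from, and where does a link really go?

TRUSTED, BRANDS and the sample URLs are constructed for this example; the From headers
in __main__ are the two from the pamphlet plus one constructed legitimate header.
"""
import re
from urllib.parse import urlsplit

# Domains the reader legitimately deals with (constructed for the example).
TRUSTED = {"ua.edu", "bankofamerica.com"}
# Brand words a phisher is likely to embed in a path, a subdomain, or the user@ part.
BRANDS = {"bankofamerica", "ua.edu"}

# An e-mail address: local part, '@', dotted domain ending in a label of 2+ letters.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def sender_address(from_header: str) -> str:
    """First e-mail address in a From header, lower-cased ('' if none).

    Works for 'Name <addr>' as well as Outlook's 'Name [mailto:addr]' rendering,
    because the regex ignores everything that is not an address.
    """
    match = ADDR_RE.search(from_header)
    return match.group(0).lower() if match else ""


def registrable_domain(host: str) -> str:
    """Last two labels of a host name (mail.ua.edu -> ua.edu).

    Simplification: a public-suffix list is needed for suffixes like co.uk.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def sender_verdict(from_header: str, expected_domain: str) -> str:
    """'ok' if the From address belongs to expected_domain, otherwise 'external'."""
    addr = sender_address(from_header)
    if not addr:
        return "external"
    domain = addr.rsplit("@", 1)[1]
    return "ok" if registrable_domain(domain) == expected_domain else "external"


def real_host(url: str) -> str:
    """Host the browser will connect to: after '://' and any 'user@', before the first '/'."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def link_verdict(url: str) -> str:
    """'ok' for a trusted host; 'lookalike' when a brand name appears in the URL but the
    real host is something else (brand in the path, a subdomain, or the user@ part);
    'untrusted' otherwise."""
    host = real_host(url)
    if registrable_domain(host) in TRUSTED:
        return "ok"
    if any(brand in url.lower() for brand in BRANDS):
        return "lookalike"
    return "untrusted"


if __name__ == "__main__":
    for header in ("Email Support Desk [mailto:abtech12@gmail.com]",
                   "adelkoszta@eastlink.ca [mailto:adelkoszta@eastlink.ca]",
                   "OIT Help Desk <helpdesk@mail.ua.edu>"):
        print(f"{sender_verdict(header, 'ua.edu'):9} {sender_address(header)}")
    # Constructed links: only the real host decides, not the brand name in the URL.
    for url in ("http://goodbox-pc.com/bankofamerica.com/signin/",
                "http://bankofamerica.com@goodbox-pc.com/",
                "https://www.bankofamerica.com/login"):
        print(f"{link_verdict(url):9} host={real_host(url)}  {url}")
```

Running the script prints “external” for both pamphlet headers and “ok” for the constructed ua.edu one, and “lookalike” for the two links that mention bankofamerica.com while actually pointing at goodbox-pc.com. The host check deliberately uses the parser’s notion of the host rather than string matching, because the brand name can sit anywhere in the URL except the one place that matters.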
What Are E-mail Scams?

E-mail scams are attempts to steal money from the recipient in very creative ways. According to Hoax-Slayer (www.hoax-slayer.com), the following is an example of one of the oldest scams:

The so-called “Nigerian scam” is one of the longest running that I know about. In fact, it predates the Internet and e-mail. The scams are also known as “419 scams” after the appropriate part of the Nigerian criminal code. The scammers still use surface mail and faxes as well as email. There are a great many versions of this scam. Although many originate out of Nigeria, hence the generic term “Nigerian scam,” it is certainly not only Nigerian-based criminals that send them. In spite of the longevity of this type of scam and the large amounts of publicity that it has received, many people around the world are still being conned out of substantial sums of money. I regularly receive enquiries from Internet users who have received Nigerian scam emails and do not know what they are about.

Basically, the scam works like this. You receive an unsolicited message that masquerades as some manner of business proposition, request for assistance, notice of a potential inheritance, or opportunity to help a charity. In fact, there is a seemingly endless array of cover stories that the scammers use in order to draw potential victims into the con. In spite of this diversity, virtually all of the scam messages share a common theme. The messages all claim that your help is needed to access a large sum of money, usually many millions of dollars.

The scammers use a variety of stories to explain why they need your help to access the funds. For example:
• They may claim that political climate or legal issues preclude them from accessing funds in a foreign bank account.
• They may claim that your last name is the same as that of the deceased person who owned the account and suggest that you act as the Next of Kin of this person in order to gain access to the funds.
• They may claim that a rich businessman, who has a terminal illness, needs your help to distribute his wealth to charity.

The messages offer to let you keep a significant percentage of the funds in question in exchange for your assistance. This percentage is the bait that the scammers use to entice potential victims deeper into the scam. Once a recipient has taken the bait, and initiated a dialogue with the scammers, he or she will soon receive requests for “fees” that the scammer claims are necessary for processing costs, tax and legal fees, or bribes to local officials.

The scammers will warn the victim that these advance fees need to be paid before the funds can be procured. In reality, the supposed funds do not exist. The major purpose of these scam messages is to trick recipients into parting with their money in the form of these advance fees. Fraudulent requests for fees will usually continue until the victim realizes he or she is being conned and stops sending money. In some cases, the scammers gain enough information to access the victim’s bank account directly or steal the victim’s identity.

OnGuard Online offers more information, quizzes, and games that will help you learn to identify identity theft: http://www.onguardonline.gov/topics/computersecurity.aspx.

Social Networking Sites at UA

Social networking Web sites, like Facebook, MySpace, LinkedIn, Twitter, iTunes University, and YouTube, are online communities that allow people to interact with family, friends, and others who may have similar interests. Even The University of Alabama has a presence on Facebook, Twitter, and other social networking sites. These Web sites provide numerous ways for people to communicate with each other, including instant messaging (IM), e-mail, blogs, forums, and video and photo uploads. Social networking sites are both public and anonymous. Although this does not make them inherently dangerous, it attracts cyber criminals looking to steal identities, scam for money, and spread computer viruses. Most social networking sites do not do enough to protect their communities from these dangers. It falls to individuals to know the risks and protect themselves when using these sites.

Social Networking Cautions

When using social networking sites, be aware of these potential dangers to your privacy and security:
• Phishing and Identity Theft – As the name implies, phishing is a scam where cyber criminals try to lure unsuspecting victims into revealing personal or financial information like Social Security numbers, credit card numbers, and date of birth. Cyber criminals bait their victims with spam, instant messages, browser pop-ups, and phony Web sites. When victims click on the links in these communications, they may be tricked into providing personal information. Cyber criminals use this information to steal victims’ identities for their own financial gain. With victims’ names, Social Security numbers, and dates of birth, they can set up credit cards in victims’ names or try to transfer funds from victims’ banks to their own accounts. In some phishing schemes, the cyber criminals pose as friends or acquaintances from the victim’s social network. These “friends” may steal personal information off of the victim’s profile page or even personally contact the victim in order to phish for the private information.
• Loss of privacy – Some social networking sites share your private information with third-party companies by allowing them to run applications which collect potentially private information. On Facebook, many applications, such as games and polls, require you to provide them access to your profile page. By consenting to this, you may be allowing third-party companies and Web sites to access your profile information, such as your address or phone number.
• Viruses & Malware – Viruses are computer programs that can copy themselves and infect a computer without the knowledge of the owner. Viruses can spread from one computer to another. They may allow others to steal your information, damage your computer, or take over your computer for malicious intent. Social networking sites are fast-growing breeding grounds for new viruses, which conceal themselves by posing as friends who request to be added or as applications that you download to your profile page. In March 2009, a new virus called “Koobface” spread throughout MySpace, Twitter, and Facebook. The virus posed as a spam message from the social networking sites containing a link to a video. When members of the social networks went to the link to download the video, they got infected. The virus commandeered their Web surfing activities and attempted to collect personal information from them.
• Cyberbullying – Cyberbullying occurs when a person using a social networking site is threatened, harassed, humiliated, or embarrassed by another individual or group. Cyberbullying can take many forms. It can range from persistently sending e-mails to someone who has said he/she wanted no further contact with the sender, to threats, sexual remarks, posting of false accusations or embarrassing photographs, and hate speech. Cyberbullying is a real threat that can lead to the death of the bullied individual.
• Sexual exploitation – The anonymous nature of social networking sites allows sexual predators to make contact with a potential victim without the victim guessing the identity and intentions of the predator. Predators may pose as friends or acquaintances who try to lure the victim into a face-to-face meeting. Predators may also remain entirely anonymous, using clues in photographs and profile information to find out information about victims, such as where victims live or when they go to school. They can then go to that location to meet, stalk, or otherwise harass victims.

How to Be Cyber Safe

Here are some precautions you can take to improve your chances of a safe online experience on a social networking site:
• Keep private information private. Don’t ever post your Social Security number, street address, or family financial information, and don’t choose a screen name that gives away too much personal information. Be extremely cautious about who can access your full name, school, and phone number. Refrain from making or posting plans and activities on your site where someone might be able to guess where you will be at a given time.
• Use privacy settings to restrict who can access and post on your Web site. Some social networking sites have strong privacy settings. Use these settings to limit who can view your online profile.
• Only approve friend requests from people you know. What good are privacy settings if you allow everyone to be your friend?
• Only post information that you are comfortable with others seeing. Even if privacy settings are turned on, your profile may be seen by a broader audience. Think about the language used in a blog and what kind of pictures and videos you post. Avoid posting provocative photos or intimate details online, even in private e-mails. You may be damaging your reputation with employers or teachers or putting yourself at risk for harassment. Look at the backgrounds of the pictures to make sure you are not giving out any identifying information without realizing it. The name of a mall, the license plate of your car, signs, or the name of your sports team on your jersey all contain information that can reveal your location.
• Protect your friends’ privacy, and ask them to do the same for you. Ask your friends before posting something about them, and check what they are posting about you. Even if you are careful, they may not be and may be putting you at risk.
• Be nice online and treat people the way you want to be treated. Online actions, including spreading rumors, forwarding private messages, and harassment, can have real-world consequences. Sometimes these consequences can include legal action!
• Trust your instincts. If you feel threatened by someone or uncomfortable because of something online, you should report your concerns to the police and to the social networking site. Most sites have links to report abusive, suspicious, or inappropriate online behavior.
• Avoid in-person meetings. Others can only physically harm you in person. Don’t assume you “know” someone you have only met online. Instead of meeting a 19-year-old college student, you could be meeting a 40-year-old sexual predator. If you do decide to meet an online buddy, never go alone.
• Always make sure you are at the real social networking site when you enter your credentials. You can do this by double-checking the address bar to make sure you are in the right place before you log in. Sometimes phishers will create Web sites that are made to look like the real social networking Web site in order to steal your login and password. Once they have that information, they can steal your personal information, impersonate you, or vandalize your profile in an attempt to embarrass or harass you. If a social networking Web site sends you an e-mail asking for your login and password, delete the e-mail immediately. Real social networking sites will never ask you for that information.
• Be skeptical of e-mail and instant messaging to avoid getting hooked. While new friends and classmates may be seeking you out online, don’t let your guard down to incoming messages from unknown senders. Do not open e-mail attachments or click on links in instant messages from anyone unless you are expecting them. Verify any attachments before opening, and scan them with updated anti-virus software first. Don’t reply to e-mail or pop-up messages that ask for personal or financial information, and don’t click on links in the message. Phishers can make links look like they go one place, but they actually send you to a different site where you may contract a virus or have your password stolen.
• Be careful of who is watching you when you update your profile or status from a mobile device. You may be revealing personal information to someone who is looking over your shoulder.

Helpful Links
• The University of Alabama’s iTunes U site - http://itunes.ua.edu/
• The University of Alabama’s Facebook page - http://www.facebook.com/search/?q=University+of+Alabama&init=quick#/universityofalabama?ref=search&sid=569674611.1698149934..1
• The University of Alabama on Twitter - http://twitter.com/UofAlabama
• Facebook Security - http://www.facebook.com/security
• MySpace Safety - http://www.myspace.com/index.cfm?fuseaction=cms.viewpage&placement=safety_pagehome
• Twitter’s Privacy Policy - http://twitter.com/privacy
• LinkedIn Privacy Policy - http://www.linkedin.com/static?key=privacy_policy
• YouTube Safety Center - http://www.google.com/support/youtube/bin/request.py?contact_type=abuse&hl=en-US
• StopCyberbullying.org - http://www.stopcyberbullying.org/
• World phishing statistics - http://www.avira.com/en/threats/section/worldphishing/top/7/index.html
Viruses, Worms, Spyware, and Other Malware

University of Alabama Virus and Spyware Protection

Employees at the University are protected from viruses and other malicious software through multiple layers of defense. As e-mail enters our network, we have a gateway that protects our users from unwanted SPAM and viruses. This gateway has antivirus software loaded as a first line of defense. Our SPAM gateway regularly blocks over 98% of the mail that is delivered to the University as either SPAM or malicious code. Next, the e-mail is delivered to our Exchange servers, which also run antivirus software as a second layer of defense. Then the e-mail is delivered to our employees’ desktops, which also run antivirus software. Our desktops protect us from viruses and other malicious software that may be contained in e-mail, delivered from the Internet through browsing, or written to our systems in many other ways.

Although this approach sounds very extensive, it is never 100%. New threats can be introduced before the antivirus vendors can deliver protection. Systems may fall out of date with the protection signatures from the antivirus vendors. The University is in the process of implementing a layer of antivirus management tools to aid in the monitoring of our antivirus deployment. Once in place, the University will have a mechanism to better manage and improve protection from virus risks.

Students, faculty, and staff at The University of Alabama have free access to the latest McAfee antivirus software for personal use to combat these threats (http://www.oit.ua.edu/software/index.html).

TIP: Don’t get popped by the pop-ups! While browsing the Internet, you may come across a pop-up window or ad that claims that your computer is infected with viruses, Trojans, etc., and offers to scan your system for free. In most cases, these are scams trying to get their own malware, Trojan, or virus implanted into your system. Close the “warning” and scan your own system with the software you installed or one from our list. Surf Smart!

Protect Your Personal Computer from Viruses, Spyware, and Hackers

It is critical that you provide basic protection for your personal computing environment to protect your computer and any confidential data you may have on it. As a general rule of thumb, it is strongly recommended that you perform the following actions:
• Keep your computer’s desktop firewall turned on.
• Keep your operating system and other software patches up-to-date.
• Keep your antivirus software and antivirus signatures up-to-date.
• Perform regular (at least monthly) checks for adware, spyware, and other malware using a reputable utility.

Desktop firewall and anti-virus software or subscriptions can be purchased online or from computer resellers. Here are some of the leading desktop firewall and antivirus software vendors. In many cases, vendors offer an Internet Security suite that combines a desktop firewall, antivirus, and sometimes other protections into a single package of tools made to work well together and provide better protection.
• McAfee Store - http://home.mcafee.com/Store
• McAfee Threat Center (Virus Information) - http://vil.nai.com/vil
• McAfee Avert Stinger Tool - http://vil.nai.com/vil/stinger
• Symantec Store - http://shop.symantecstore.com
• Norton Viruses & Risks - http://www.symantec.com/norton/security_response
• Norton Removal Tools - http://www.symantec.com/norton/security_response/removaltools.jsp
• Trend Micro Store - http://store.trendmicro.com
• Trend Micro Threat Encyclopedia - http://threatinfo.trendmicro.com
• CA Store - http://shop.ca.com
• CA Global Security Advisor - http://www.ca.com/securityadvisor
• Kaspersky Store - http://usa.kaspersky.com/store
• Kaspersky Virus List - http://www.viruslist.com

In addition to these leading commercial products, some very good firewall, anti-virus, anti-spyware, and anti-adware programs are available for free on the Internet. Most free versions include updates, but any further support would require upgrading to the commercial version.

Free Internet Security suite (firewall/anti-virus/anti-malware):
• COMODO - http://www.comodo.com/home/internetsecurity/free-internet-security.php
Free firewall programs:
• Agnitum OUTPOST Firewall Free - http://free.agnitum.com
• ZoneAlarm free firewall - http://www.zonealarm.com/security/en-us/zonealarm-pc-security-free-firewall.htm
Free anti-virus programs:
• AVG - http://free.avg.com
• Avast Home Edition - http://www.avast.com/eng/avast_4_home.html
Free anti-spyware programs:
• Spybot - http://www.safer-networking.org
• SuperAntiSpyware - http://www.superantispyware.com
• ZoneAlarm Spy Blocker Toolbar - http://www.zonealarm.com/security/en-us/spyblockerdownload.htm
Free anti-adware program:
• Ad-Aware - http://www.lavasoft.com
Free anti-malware programs:
• Malwarebytes - http://www.malwarebytes.org
• AVG LinkScanner - http://linkscanner.avg.com
• Revo Uninstaller Freeware - http://www.revouninstaller.com/revo_uninstaller_free_download.html

Viruses, Worms, Spyware, and Other Malware Definitions
• Malware is malicious software designed to infiltrate a computer without the owner’s consent. Usually hostile, intrusive, and/or annoying software, it includes viruses, worms, Trojan horses, spyware, adware, rootkits, crimeware, and other malicious, unwanted software.
• Viruses are types of software designed to interfere with computer operation and spread from one computer to another. A virus requires a host application to reproduce.
• Worms are software programs designed to copy themselves from one computer to another without human interaction. Because worms can copy themselves automatically, they can spread very quickly and clog entire networks.
• Trojan Horses are types of malware that masquerade as benign applications. Trojan horses are not self-replicating and require interaction with a hacker to fulfill their purpose (i.e., exploit a vulnerability and/or provide unauthorized access to a computer system).
• Spyware is software designed to collect and send personal information to a third party and change system
configuration settings generally without appropriately obtaining consent. Spyware programs are usually associated with adware programs. • Adware is software that displays advertisements on your computer. Most adware programs are unknowingly installed by installing “free” Internet software. Many companies provide “free” software in exchange for advertising on your display. • Rootkit software is designed to hide the fact that a computer system has been compromised. Rootkits typically use subversion or evasion of standard operating system security scan and surveillance mechanisms (antivirus or anti-spyware scans). • Botnet is a collection of software bots (robots) that run autonomously and automatically. Compromised computers generally run software under a common command-and-control infrastructure. The botnet originator can control the group of compromised computers remotely usually for nefarious purposes. • Crimeware is malware specifically designed to automate cyber crime (i.e. perpetrate identity theft for financial gain).
Computer Disposal and Information Destruction
Confidential information can remain “hidden” on hard drives and other storage devices and even walk out the door with old surplus equipment. Always remember: deleted files are not really deleted, and the new owner of the hardware may well recover the old data. Prior to disposal, computer systems should be sanitized and secured. Hard drives must be wiped to ensure that no data, intellectual property, or confidential University information remains, avoiding the risk of exposing sensitive information or violating government and/or industry regulations. There is always a chance to recover deleted files even after using standard operating system commands such as FDISK, FORMAT, or DELETE for data removal. Undelete utilities or data recovery software can be used to recover the files assumed destroyed.

Disposal and Reuse of Information Assets at The University of Alabama
The University of Alabama uses Active KillDisk to clean drives before they are transferred to another internal department or outside the University. Active KillDisk is a free, powerful, and compact hard drive and partition eraser utility that completely destroys all data on hard drives, excluding any possibility of future recovery of deleted files and folders. Active KillDisk also conforms to the US DoD clearing and sanitizing standard (DoD 5220.00-M). Active KillDisk can be downloaded free from http://www.killdisk.com/downloadfree.htm. Shred CDs and DVDs if they are no longer needed.

Disposal and Reuse of Personal Home Computers and Storage Devices
Be aware of any personal data you may have stored on CD, DVD, diskette, internal/external hard drives, and/or old computers with drives inside. Prior to disposal (including transfer of the computer to a friend or nonprofit organization), you should use special software to erase the data from the system or physically destroy the storage device. Your personal information should be appropriately removed, not just deleted.

Free eraser tools:
• Active KillDisk - http://www.killdisk.com/downloadfree.htm
• Eraser - http://eraser.heidi.ie
Commercial eraser tools:
• Norton Utilities - http://www.symantec.com/norton/norton-utilities
• White Canyon WipeDrive5 - http://www.whitecanyon.com/wipedrive-erase-harddrive.php
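The pamphlet’s point that personal data must be removed, not just deleted, as an added example written for this page (not code from the University or from the eraser tools listed): a Python routine that overwrites a single file with random bytes before unlinking it. The sample file and its contents are constructed inside the demo; the caveat in the docstring is why whole-drive erasers remain the right tool before disposal.

```python
"""Overwrite a file's contents before unlinking it, so that an undelete tool
finds random bytes rather than the original data (single-file counterpart
to the whole-drive eraser tools listed above)."""
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # bytes written per step of each overwrite pass

# Constructed sample content standing in for a file holding personal data.
SAMPLE = b"SSN: 000-00-0000 (constructed sample record)\n"


def overwrite_and_delete(path, passes=3):
    """Overwrite `path` in place `passes` times with random data, truncate it to
    hide the original length, then unlink it. Returns the bytes overwritten per pass.

    Caveat: on SSDs and on journaling or copy-on-write filesystems the OS may
    write the new bytes to fresh blocks and leave the old ones intact, so before
    disposing of a drive use a whole-drive eraser, not per-file overwrites.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                step = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(step))
                remaining -= step
            fh.flush()
            os.fsync(fh.fileno())  # push this pass through the page cache to the device
        fh.truncate(0)
        fh.flush()
        os.fsync(fh.fileno())
    os.unlink(path)
    return size


def demo(directory=None):
    """Create a constructed sample file, wipe it, and report
    (bytes overwritten per pass, whether the file still exists)."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "old-tax-return.txt")
    with open(path, "wb") as fh:
        fh.write(SAMPLE * 1000)
    wiped = overwrite_and_delete(path)
    return wiped, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```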
Online Shopping and Online Investing
Spending and managing money online is becoming increasingly popular with consumers. Online retailers like Amazon.com and auction Web sites like eBay provide access to products and services that might not be available in a shopper’s local stores. Purchasing from these Web sites can also save the shopper time and help to avoid crowds and long checkout lines. Online investing sites, like eTrade and Scottrade, allow consumers to buy and sell stocks and other commodities without leaving the house. While managing one’s own financial transactions online can be very rewarding, it is not without risk. According to a June 2009 Consumer Reports survey, nearly 2 million households reported that they had been the victims of identity theft committed over the Internet. Two-thirds of those said the incident occurred because of an online purchase. Without the assurances that shoppers and investors take for granted in face-to-face financial transactions, like knowing who they are giving their credit card and personal information to, how do consumers know whom to trust? “Be skeptical” should always be the motto of doing business on the Internet.

Online Shopping and Online Investing Cautions
When shopping or investing online, be aware of these potential dangers to your privacy and security:
• Phishing and identity theft – Imposters posing as trustworthy retailers or as acquaintances may try to steal your personal information, like your credit card number, date of birth, or mother’s maiden name, for their own financial gain or for malicious activity. These imposters use an e-mail scam, known as phishing, to trick you into sending them your personal information. Once they have hooked you, they will use your identity to set up bank accounts or apply for credit cards.
• Cyberscams and fraud – Scams and fraud exist online just as they do on television or in print. Be skeptical of an online merchant’s hyped-up claims of product effectiveness, potential high earnings, or “inside information.” Many scams come in the form of e-mails and Web advertisements from “reputable” sources like charities, credit card companies, and companies offering exotic investment opportunities. Some of these con games, like the “Nigerian Money Offer,” are well known.
• Privacy concerns – “Cookies” are small files placed on your computer during online browsing that allow companies to collect marketing information about you and the Web pages you visit. Online retailers can use this information to market products to you based on your Web browsing behavior by creating annoying “pop-ups” in your browser for products based on the sites you visit. Some less scrupulous retailers may even sell your information to other companies so that they may advertise their products or services to you through e-mail spam or direct phone marketing.
• Viruses – Some Web sites can infect your computer with viruses in an attempt to steal information, take control of your computer, or disrupt your use of the computer. These programs may not only keep track of what Web sites you visit on the Internet, but also track what you type on your keyboard, including your personal information.

How to be Cyber Safe
• Know your merchant. Even when shopping at a site that seems trustworthy, first check it out with the Better Business Bureau’s online services. Many independent sites like Google and auction sites like eBay keep seller ratings that can help you make an informed decision about whom you do business with. You can also use common sense when deciding whether to shop at an online Web site. Is the store well known and reputable, or does it look like the merchant is an amateur? Can you find the store’s privacy and security policies? Can you find a contact phone number in case you need to talk to a sales person or support person? Can you find information about returning merchandise? Reputable Web sites will have all this information in an obvious place for you to find.
• Shop and invest only at secure Web sites. Secure Web sites encrypt the information that is transferred between you and the online store. This means that only you and the retailer will see your private information, like a credit card number. You can tell a Web site is secure if it has https:// at the beginning of its URL. You can also look for a padlock or unbroken key symbol at the bottom of your screen.
• Shop only with a credit card. If something should go wrong, you will be protected under the Fair Credit Billing Act. You have the right to dispute charges against your credit card and can withhold payment during a creditor investigation. You do not have this protection with other payment options like debit cards, ATM cards, check cards, bank checks, and cash. Using only one credit card for all online purchases is a good practice.
• Protect your privacy. Know what information merchants are collecting, how they will use it, and whether they will share it with others. Retailers need some information to fill your order, but may ask for much more. Answer only those questions on online forms that are required. These normally have an asterisk (*) next to them. Leave the optional information fields blank. Never use public kiosks to do online shopping or banking. You never know who might be looking over your shoulder.
• Never give out your Social Security number. A Social Security number is never required to shop online. Providing a Social Security number could lead to identity theft.
• Keep your passwords private. The most secure sites will have you create an online account with an account name and password. Keep this information private, change passwords periodically, and use different passwords for different sites. Never share your passwords with others.
• Keep good records. After purchasing online, print out a copy of your order and check this against your credit card bills to make sure that your account has not been used without your permission.
• Don’t e-mail personal or financial information. The University will never ask you for your e-mail password through an e-mail request. A financial institution will never ask you for sensitive financial information such as account numbers, credit card numbers, and the associated PINs or passwords in an e-mail. Please forward University-related phishing attempts to security@ua.edu.

Helpful Links
• The Better Business Bureau can be used to research online merchants and report fraud – www.bbb.org
• Additional ways to protect yourself while shopping online can be found at the Privacy Rights Clearing House - http://www.privacyrights.org/fs/fs23-shopping.htm
• Safeshopping.org has tips for practicing safe online shopping - http://www.safeshopping.org/
• Details of the Nigerian Money Offer and other scams can be found at http://www.fraud.org/.
• Consumer Reports cybercrime survey - http://www.consumerreports.org/cro/magazine-archive/june-2009/electronics-computers/state-of-the-net/overview/state-of-the-net-ov.htm

Copyright Information
Copyright refers to the legal protection of an author’s “original works of authorship.” Original works can include the written word, drama, music, art, and images. Copyright law also extends to digital formats, like software, and digital copies of original works that may be posted on the Internet. The Copyright Act of 1976 gives the owners of copyrights exclusive rights to their copyrighted works, including the right to allow or disallow others from creating a reproduction of the copyrighted work. At UA, understanding copyright is important to students, faculty, and staff. Faculty must know the provisions of “Fair Use” in order to distribute copyrighted articles or sections of books as class materials. Fair use allows for the limited use of copyrighted materials without requiring the permission of the rights holder. Students and staff must be aware of the dangers of peer-to-peer file sharing programs like BitTorrent and LimeWire, which can be used to legally make
copies of CDs and DVDs for home use, but also allow for the illegal sharing of these copyrighted materials over the Internet. If you have any questions about what constitutes “fair use” and what cannot be distributed, please consult the UA copyright policy.

The University of Alabama Copyright Policy
It is illegal to violate any of the rights provided by copyright law to the owner of the copyright. For example, like all Internet service providers, the University of Alabama is subject to the Digital Millennium Copyright Act (DMCA). This means that when a copyright holder notifies the University that someone is downloading or sharing copyrighted material, the University must take steps to stop this activity.

At UA, sharing music, television shows, or movies can result in loss of ResNet service, sanctions through Student Judicial Affairs, and a lawsuit from the copyright holder. Some University of Alabama students have received notices of pending legal action for copyright infringement. Settling these cases can cost thousands of dollars!

What Happens When the University Gets Notified of Copyright Infringement?
• Notices of individual accounts allegedly sharing music will be investigated. The account information is identified and access to the network is blocked until the individual has indicated that sharing of media has been disabled.
• When the University receives a preservation notice, the individuals’ accounts are identified and account holders are notified that data is being retained at the request of a legal representative associated with an alleged copyright violation.
• When pre-litigation notices are sent to the University by a legal representative associated with a copyright violation, the individuals’ accounts are identified and account holders are notified of the pre-litigation information. Generally, the individual has 20 days to reply to the legal representative and settle out of court.

How to be Cyber Safe
• Be aware of the University’s copyright policy, including what constitutes “fair use” of copyrighted materials.
• Steer clear of Internet peer-to-peer file-sharing software like BitTorrent and LimeWire, and of file-sharing networks, which can host copyrighted materials against the wishes of the copyright owners.
• Limit the distribution of online class and research information by password-protecting your Web site or files. See the Helpful Links section for how to do this.

Helpful Links
• UA’s Copyright Policy - http://www.ua.edu/copyright.html
• OIT’s Copyright Information - http://oit.ua.edu/policies/copyright.html
• Web site password protection tool - http://helpdesk.ua.edu/web/protect.html
• The Copyright Site helps to explain what copyright is to educators - http://education.ua.edu/copyright/index.html

Laptop Security
In an open campus environment, special care should be taken to deter theft and prevent unauthorized access to confidential information. A few easy steps can be taken to ensure the physical safety of, and limit access to, your data:
• Keep the laptop out of sight.
• Choose an inconspicuous carrying case.
• Keep the laptop close at hand.
• Label and tag the laptop and all accessories.
• Treat it like cash.
• Get it out of the car…don’t ever leave it behind.
• Keep it locked…use a security cable.
• Keep it off the floor…or at least between your feet.
• Keep passwords separate, not near the laptop or case.
• Don’t leave it “for just a sec”…no matter where you are.
• Pay attention in public settings, especially to security.
“LoJack” type software exists that allows for the tracking, and in some cases the recovery, of your laptop or desktop computer. Absolute Software LoJack is an example of a company that sells software to track and recover your computer; see their Web site at http://www.absolute.com/products/lojack.

Security for University of Alabama Laptops
If you use a UA laptop, verify that your IT group has encrypted or plans to encrypt your system. The University of Alabama is in the early stages of a campus-wide laptop hard drive encryption effort. The goal is to greatly reduce the risk of losing confidential data; such a loss could lead to identity theft and tarnish the reputation of the University.

How widespread is this type of loss of confidential data? Based on a study by Dell and the Ponemon Institute published in June 2008, about 12,000 laptops are lost in airports each week. The study included 106 major U.S. airports and 800 business travelers. Nearly half of the travelers said their laptops contained confidential information. It is amazing to think that 600,000 laptops are lost annually in airports alone.

Although many people are too embarrassed to report the loss of a laptop, if confidential data is involved, then security disclosures are required by regulation in 44 states as well as the District of Columbia, Puerto Rico, and the Virgin Islands. In 2009 alone, 39 laptops containing almost 1.9 million confidential records have been reported stolen. However, if a laptop is encrypted, a breach does not have to be disclosed.

Many people say their laptops don’t have any confidential information or never leave the office, so they really don’t need to encrypt their hard drives. However, the University of Alabama’s Office of Information Technology (OIT) requires that all laptops be encrypted regardless, and also the hard drives in desktop machines that contain confidential information. The objective is to encrypt all University laptop hard drives; this includes both Windows-based machines and the new Apple machines.

Personal Home Laptop Security
You should also consider protecting any confidential or personally identifiable information you store on your personal laptop computer. To encrypt your personal laptop hard drive and prevent unauthorized access to stored data, free software is available at http://www.truecrypt.org/.

Helpful Links
For further information on the protection of laptops, go to OnGuard Online - http://www.onguardonline.gov/topics/laptop-security.aspx.

Wireless Security
Wireless Internet access can offer convenience and mobility, but you should take steps to protect your wireless network and the computers on it.

Use of The University of Alabama’s Wireless Networks
The University currently has a wireless network available in many areas across campus. To use this network, you must have a computer with a wireless network adapter. Over the next year, the UA WPA (Wi-Fi Protected Access) wireless network will be implemented to provide a higher level of security for wireless connections.

UA allows students, faculty, and staff access to the wireless network using their myBama accounts. The UA HelpDesk Web site can provide assistance in setting up your system to use the UA wireless network: http://helpdesk.ua.edu/internet/wireless.html. For more information on ResNet, see http://oit.ua.edu/services/resnet/.

Security for Home Wireless Networks
More users are establishing wireless networks in their homes for convenience and mobility. To reduce the risk of personal data exposure and unwanted use of the
network, some basic security steps should be considered:
• Change the default administrative password on the wireless device.
• Disable remote management of your wireless device, if remote administration is allowed.
• Change the default SSID (Service Set Identifier).
• Do not broadcast your SSID.
• Enable Wi-Fi Protected Access (WPA) – it is stronger than Wired Equivalent Privacy (WEP) for encryption of your data in transit over your wireless network.
• Enable MAC Address (Media Access Control Address) filtering – only allow the MAC addresses of the communications cards in your computers.
• Turn off your wireless network when not in use.
• Follow good security practices for all computers on your network: make sure all patches are up to date and applied automatically, use antivirus and anti-spyware software, and make sure the firewall is on.
• Don’t assume that public “hot spots” are secure. Assume that other people can access any information you see or send over a public wireless network.
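As an added example (not from the pamphlet or the University), the home wireless checklist turned into a small audit of an access point configured in hostapd.conf key=value syntax; hostapd is the Linux access-point daemon and stands in here for a home router’s settings page. The two sample configurations and the list of factory-default SSIDs are constructed, and the administrative-password and remote-management items are router-management settings that a hostapd file does not carry, so they are not checked.

```python
"""Audit a hostapd.conf-style access point configuration against the home
wireless checklist: default SSID, SSID broadcast, WPA vs WEP/open, MAC filtering."""

# Constructed sample: a factory-fresh router left on its defaults, using WEP.
WEAK_CONFIG = """\
interface=wlan0
ssid=linksys
ignore_broadcast_ssid=0
wep_default_key=0
wep_key0=0123456789
macaddr_acl=0
"""

# Constructed sample: the same access point after applying the checklist.
HARDENED_CONFIG = """\
interface=wlan0
ssid=quiet-attic-7
ignore_broadcast_ssid=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct horse battery staple 42
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept
"""

# Factory-default network names shipped by common consumer routers (assumed list).
DEFAULT_SSIDS = {"linksys", "netgear", "default", "dlink", "belkin54g", "wireless"}


def parse_hostapd(text):
    """Parse key=value lines, skipping blanks and '#' comments; the last value wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit(text):
    """Return the checklist items the configuration fails, in checklist order."""
    conf = parse_hostapd(text)
    findings = []

    # Change the default SSID: a vendor name advertises the router model and
    # suggests the default admin password has not been changed either.
    ssid = conf.get("ssid", "")
    if not ssid or ssid.lower() in DEFAULT_SSIDS:
        findings.append("default-ssid")

    # Do not broadcast the SSID (ignore_broadcast_ssid=1 sends an empty SSID).
    # Hiding the SSID only deters casual discovery; WPA is the real control.
    if conf.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("ssid-broadcast")

    # Enable WPA: wpa=0 (hostapd's default) means open or WEP; any wep_* key means WEP.
    wpa_mode = conf.get("wpa", "0")
    uses_wep = any(key.startswith("wep_") for key in conf)
    if wpa_mode == "0" or uses_wep:
        findings.append("no-wpa")
    elif wpa_mode == "1":
        findings.append("wpa1-only")  # original WPA without WPA2/RSN
    ciphers = conf.get("rsn_pairwise", "") + " " + conf.get("wpa_pairwise", "")
    if "TKIP" in ciphers:
        findings.append("tkip-cipher")  # prefer CCMP (AES) over TKIP

    # Enable MAC filtering: macaddr_acl=1 denies any station not in accept_mac_file.
    if conf.get("macaddr_acl", "0") != "1" or "accept_mac_file" not in conf:
        findings.append("no-mac-filter")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "OK")
```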
Helpful Links
http://www.onguardonline.gov/topics/wireless-security.aspx
http://reviews.cnet.com/2300-3688_7-6568745.html
http://www.wikihow.com/Secure-Your-Wireless-Home-Network

Security of Mobile Devices and Physical Security Awareness
Often overlooked when considering sensitive information, the mobile phone or smartphone continues to increase in computing ability and in the amount of confidential data it stores in e-mail, text messages, pictures, etc. That, along with its increased monetary value to a thief, makes it a prime target. Ways to protect your mobile phone:
• Enable the password/PIN screen lock.
• Do not store confidential information on the phone (credit card numbers, SSN, PINs, etc.).
• Keep it close at hand.
• Enable any identification screen with “If found please call (alternate number).”
• Treat it like cash.
• Never leave it behind.
• Keep it locked up.
• Don’t leave it “for just a sec.”
• Pay attention in public settings.
• Use bells and whistles. Turn your alarm on.
• Disable Bluetooth when not actively transmitting information. Switch Bluetooth devices to hidden mode.

Security of UA Provided Mobile Devices
It is common for employees to use mobile devices to keep up with meetings and e-mails. Many employees deal with confidential information or sensitive subjects in e-mail on a regular basis. Even address books and contact information could be used to gather information for malicious purposes, so enable a password on your University provided mobile device. If the device has e-mail capabilities and is stolen, call OIT Security FIRST. The device may be remotely erased.

Security of Personal Mobile Devices
Care should be taken with all your personal mobile devices. If a device is lost or stolen, contact your provider to disable service and avoid any unwanted charges. iPhones using “Mobile Me” can be remotely wiped when lost if phone/data services are still available.
• If you are interested in tracking and wiping stolen personal Blackberry devices, take a look at http://www.vapssky.com/roblock_bb.aspx.
• To view a very enlightening video on mobile phone tapping, tracking, threats, and security vulnerabilities (viewed over 4 million times), go to http://www.youtube.com/watch?v=uCyKcoDaofg.
• To find out how to protect yourself from threats like those shown in the video above, go to http://www.youtube.com/watch?v=ldx0vDr5npE and http://www.smobilesystems.com/.
• To see how AT&T offers GPS tracking of your phone or your family’s phones, go to https://familymap.wireless.att.com/finder-att-family/welcome.htm.
Other Personal Protection Considerations
• Make sure you set passwords on mobile devices. Most come with a feature that will automatically “wipe” the data off the device if the password is entered incorrectly multiple times. Don’t leave personal devices lying around. Also, secure personal items (purses, wallets, and checkbooks) while in public places.
• Consider a backup strategy for your personal information, both electronic and paper. Back up your PC and keep a copy in your safety deposit box or another safe location outside the house. Make copies of digital photos on CD/DVD and store them offsite (in case of fire).
• Consider other safety-related practices: have the post office and newspaper hold delivery while you are on vacation; put a light on a timer in your house; don’t put too much information in away messages on the phone, e-mail, or social networking sites.
• Alert credit card companies if you are leaving the country and making charges, to prevent their fraud software from disabling your charging privileges. Keep credit card numbers and theft notification numbers separate from your credit cards and in a secure location (safety deposit box, etc.).
• Be aware of your surroundings. Make sure your personal belongings are safe and not a target for professional pickpocket teams working in groups.

Links to Other Valuable Security Awareness Information
• University of Alabama Cyber Safety - http://cybersafe.ua.edu
• (ISC)2 Cyber Exchange - http://cyberexchange.isc2.org
• OnGuard Online - http://www.onguardonline.gov
• Childnet Sorted - http://childnet.com/sorted
• Stay Safe Online - http://www.staysafeonline.org
• Microsoft Security at Home - http://www.microsoft.com/protect
• Microsoft Security Tips & Talk - http://blogs.msdn.com/securitytipstalk
• Microsoft Security Response Center - http://blogs.technet.com/msrc
• Digizen - http://www.digizen.org
• CERT - http://www.cert.org
• Social Security - http://www.ssa.gov
• Federal Trade Commission Privacy & Security - http://www.ftc.gov/bcp/menus/consumer/tech/privacy.shtm
• CCleaner – freeware system optimization, privacy and cleaning tool - http://www.ccleaner.com/download
• Sygate Personal Firewall - http://www.tucows.com/preview/213160
• Spamfighter Standard Free - http://www.spamfighter.com/Download_Download.asp
• Thunderbird 2 – safe e-mail client - http://www.mozillamessaging.com/en-US/thunderbird/download/?product=thunderbird2.0.0.21&os=win&lang=en-US
• MozBackup – Mozilla backup utility - http://mozbackup.jasnapaka.com/download.php
• Sysinternals Suite – Windows troubleshooting utilities - http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx
• (ISC)2 Blog - http://blog.isc2.org
• ThinkUKnow - http://www.thinkuknow.com
• Fox News CyberSecurity Center - http://www.foxnews.com/scitech/cybersecurity
• GovInfo Security - http://www.govinfosecurity.com
• Homeland Security – Cyber Security - http://www.comw.org/tct/homelandcybersec.html
• IATAC Digest - http://iac.dtic.mil/iatac/digest/ia_digest_current.html
• InfoSecurity - http://www.infosecurity-us.com
• IT Security Roundup - http://roundup.scmagazineblogs.com
• Wired Safety - http://wiredsafety.org