Center for Information Technology Services

IT Security - Tip of the Day

October 31, 2013

Don't Let Spammers See Your "Out of Office" Replies

Configuring your email program to automatically return "Out of Office" notifications to email senders is good for internal mail system users, but it can provide confirmation of an email address to a spammer, if permitted to leave the corporate network. Configure your message replies to recognize only trusted domain addresses or block your notifications outbound at the firewall.

For home users, never say you are not home, but rather "away from the computer right now", and don't specify for how long. You don't want to advertise your absence.




People Forget, Computers Don't

In 2003, the British Government published a report on Iraq's security and intelligence organizations. Then a Cambridge University lecturer discovered that much of the document was copied from three different articles, one written by a graduate student. How did he know? The document contained a listing of the last 10 edits, even showing the names of the people who worked on the file.

Hidden data can often be found within Microsoft Office documents particularly Word. Whenever you exchange documents with clients, either convert them to PDF format (WYSIWYG) or else run them through Microsoft's Hidden Data Removal tool.

For more info, and to download Microsoft's Hidden Data Removal tool, see

Four Tips to Help Keep Your Computer Secure

  1. Anti-virus. A reliable, effective anti-virus program with the latest updates. Both licensed and free anti-virus software are available. Whichever you use, make sure it scans incoming and outgoing emails for malware.
  2. Anti-spyware. Reliable effective anti-spyware is a must for securing your computer. Both licensed and free anti-virus software, such as Windows Defender, are available.
  3. Two-way Personal Firewall. Two-way personal firewall software monitors network traffic to and from your computer and helps block malicious communications.
  4. Anti-Keylogger software. Anti-Keylogger software products, like AntiLogger and Keyscrambler Personal, help prevent what you type on your computer, especially sensitive information such as the usernames, passwords, and financial information you use in making online transactions, from being hijacked by Bad Guys.

-- Ramkumar Raghavan


If you are a victim of identity theft, report it immediately

Here are some things you should do.
  1. Contact the three major credit bureaus and have them place a fraud alert on your credit report.
  2. If a credit card was involved, contact the credit card company and close the account.
  3. Contact your local law enforcement agency and file a report.
  4. File a complaint with the Federal Trade Commission.
  5. Document all conversations so you know whom you spoke to and when.

Think twice before posting pictures of yourself or your family and friends

Photographs often contain information that could be used to identify you or the places you visit frequently. Never post unflattering or embarrassing pictures (no matter how funny) that could come back to haunt you. Carefully examine photos for identifying information such as the name of your school, the name of a sports team or organization you belong to, the address of the place you work or your favorite social hangout. Do not give out the full name of a child in your captions. One mother was very concerned to see her son's wrestling picture online with his full name. Pictures can also be copied or altered and used on other websites in ways that might be detrimental to your reputation.

Make sure your personal information is protected when you do business online

Always read the privacy statement before you fill in the blanks. You should also verify that the site is using encryption before you submit any information — look for https in the web address and for a padlock or key in the lower right corner of your browser. Don't send your personal information (social security number, credit card number, etc.) in an email or through instant messaging.

Don't Let Personnel Issues Become Security Issues; Terminate Computer Access Before You End a Contract or Tell People They Are Fired

Shortly before a labor union strike in August 2006, two Los Angeles transportation engineers allegedly disconnected traffic signals at four busy intersections. Subsequently, these disgruntled employees were accused of unauthorized access to a computer, identity theft and unauthorized disruption or denial of computer services. The danger imposed on the public based on these acts was significant even IF there were no accidents as a result of this action. Had the Department of Transportation revoked computer access as soon as it terminated the contracts of the two engineers, LA would have avoided the risk to the public. P.S. It took the city days to get the traffic control system back to normal.

Recycle electronic equipment

Before you get rid of electronics, be sure you have important files and then clear them of all data. Then look for places to donate or recycle. Most states have banned computers and components from landfills. To find recycling programs in your area, surf to your favorite search engine and type "computer recycling." You'll get a list of nonprofit groups, individuals, and academic institutions.

Know your IMEI?

Did you know there is a unique serial number that identifies each mobile phone? Press *#06# on your phone's keypad, and it will display a 15 digit number. Make a record of that number, it is your International Mobile Equipment Identity (IMEI) number; and, if the phone is lost or stolen, the phone can be identified even if a new SIM card is added. Your provider can also block others from using the phone on their network, which could help protect you against expensive 1-900 phone calls and similar mischief.


Revoking security access isn't always enough

A California man has been arrested for interfering with computers at the California Independent System Operator (Cal-ISO) agency, which controls the state's power transmission lines and runs its energy trading markets. Even though Lonnie C. Denison's security access had been suspended at the request of his employer because of an employee dispute, he allegedly gained physical access to the facility with his card key. Once inside, Denison allegedly broke the glass protecting an emergency power cut-off station and pushed the button, causing much of the data center to shut down. Cal-ISO was unable to access the energy trading market, but the power transmission grid was unaffected.

Can you hear me now? Do NOT trust your cell phone Bluetooth earpiece

Many cell phone Bluetooth hands-free earpieces have a default pin of 0000. A hacker with a Bluetooth antenna can connect to your earpiece and eavesdrop on everything that you are saying. In fact, they can even transmit to it. Think that's unlikely? Check out the YouTube video at:

Don't click the "unsubscribe" link at the bottom of unsolicited emails

Spam filters are catching most unwanted e-mail, but some might still reach you. Most spam is designed to get you to respond with your own email or to click a link to "unsubscribe." When you respond or click the "unsubscribe" link, the sender takes your email address and adds it to a SPAM database of active email addresses. You might then start to receive a large amount of SPAM in your inbox. Do not respond or click the "unsubscribe" links.

Report or challenge strangers in your office

Visitors and staff should wear badges. Others you don't recognize may be opportunist thieves who have walked past reception or found an open back door. Grab a co-worker and politely ask if they need some assistance or report them to your security or reception staff. Thieves are as likely to steal your purse or wallet as they are to take company property, so it is in everyone's interest to keep our premises safe.

If your browser questions a website's security, stop, think, and verify.

When visiting the "https" secure sites of banks and online shopping retailers, you may see an onscreen warning, such as "There is a problem with the website's security certificate" or "Secure Connection Failed." Don't just click to continue or to make an exception. The warning may only indicate that there is a harmless temporary problem with the site or with the network. But it can also mean that the site is bogus or has been compromised by hackers, and someone is listening in on your conversation with your bank or retailer.

Be smart. Contact your bank or retailer by phone to find out if they know about a problem with their website or the network. Don't be the next victim of fraud.


Use Outlook? Use the Auto-Preview, not the Reading Pane

If you are using an older version of Outlook, or if you have managed to reset the security level for e-mails, then you may be at some risk for HTML script-based exploits. Auto-Preview displays the first three lines of the message, enough to identify whether the message is valid, and it displays faster. Here is how to use it.
Disable the Reading Pane and Enable Auto Preview:
  1. Open Outlook.
  2. Choose View -> Reading Pane -> Off
  3. Choose View -> AutoPreview
  4. Now you can see what is Junk, and which ones may have an HTML payload.

No free lunch

A new round of bogus pop-ups offers to scan your computer for infections and vulnerabilities for free. Do not take the bait! By allowing this kind of scan, you may be giving Bad Guys access to your personal information.

Some Tips to Protect against Identity Theft

  1. Do not sign the back of your credit cards. Instead put "PHOTO ID REQUIRED"; although merchants and their employees are still hit-and-miss on actually checking that ID, more of them are paying attention.
  2. When you order your checks, don't list any telephone number. You can always write it on the check at the time of the transaction. If you have a PO Box, use that instead of your home address or your work address.
  3. Be aware of which credit cards you carry now have embedded RFID chips because the information on one of those chips can be read surreptitiously by someone near you using a simple hand-held scanner.
  4. Place the contents of your wallet on a photocopy machine. Do both sides of each license, credit card, etc. You will know what you had in your wallet and all of the account numbers and phone numbers to call and cancel. Store those photo copies in a secure place and refresh it when you change cards.

Get a separate email address for postings

To secure your data and reduce SPAM sent to your business as well as to your private email account, get a dedicated address for internet postings. Never use your business email address for posting guestbook entries, votes, or questions and answers in forums and surveys. It's good to be reachable in these situations, but best to be anonymous.


Be careful with cybercafe computers

Cybercafe's offer a convenient way to use a networked computer when you are away from home or office. But be careful. It's impossible for an ordinary user to tell what the state of their security might be. Since anyone can use them for anything, they have probably been exposed to viruses, worms, Trojans, keyloggers, and other nasty malware. Should you use them at all? They're okay for casual web browsing, but they're NOT okay for connecting to your email, which may contain personal information; to any secure system, like the network or server at your office, bank or credit union; or for shopping online.


Lock it when you leave it

Never leave your computer logged in when you walk away, not even for a minute. Make it a habit to log off your workstation whenever you get up. Remember to always leave your Windows computer by pressing the keyboard shortcut combination of the Windows logo key and the letter "L" on a Microsoft natural keyboard. Get it? Leave Windows by pressing the Windows logo + L keys together to lock it up.


If you weren't expecting an attachment, write back and request that sender embeds text in email

When you see your anti-virus package "scanning" a Word or Excel file, the odds are VERY high that it won't find any of the important new vulnerabilities nation states and rich criminals are using to get past the most sophisticated defenses. Don't open email attachments unless you were expecting them. Send a note back and ask the person to embed the text in a simple email. This matters to your career. The people who break this rule will be the reason their organization's data are stolen and they won't be able to hide.


Keep it off the floor

No matter where you are in public - at a conference, a coffee shop, or a registration desk - avoid putting your laptop on the floor. If you must put it down, place it between your feet or at least up against your leg, so that you're aware of it.


Get it out of the car

Don't leave your laptop in the car - not on the seat, not in the trunk. Parked cars are a favorite target of laptop thieves; don't help them by leaving your laptop unattended. If you must leave your laptop behind, keep it out of sight.


Treat your laptop like cash

If you had a wad of money sitting out in a public place, would you turn your back on it - even for just a minute? Would you put it in checked luggage? Leave it on the backseat of your car? Of course not. Keep a careful eye on your laptop just as you would a pile of cash.


Treat your laptop like you want to keep it

Thinking of taking your laptop on the road? It's a great way to work and stay in touch when you're out and about, but you need to take some steps to keep your laptop safe-and in your possession. Here are some things you can do to keep track of your laptop:

  • Treat it like cash.

  • Get it out of the car...don't ever leave it behind.

  • Keep it locked...use a security cable.

  • Keep it off the floor...or at least between your feet.

  • Keep passwords separate...not near the laptop or case.

  • Don't leave it "for just a sec" matter where you are.

  • Pay attention in airports...especially at security.

  • Use bells and whistles...if you've got an alarm, turn it on.


When you log out, log out completely

Closing or minimizing your browser or typing in a new web address when you're done using your online account may not be enough to prevent others from gaining access to your account information. Instead, click on the "log out" button to terminate your online session. In addition, don't permit your browser to "remember" your username and password information. If this browser feature is active, anyone using your computer will have access to your investment account information.


VoIP: It's a phone, it's a computer, it's...

Voice over Internet Protocol (VoIP) is one way people are making and receiving telephone calls using an Internet connection rather than a regular phone line. VoIP services can also be attacked by computer viruses, worms, or spam over Internet telephony (SPIT). Here is how it works: VoIP converts your phone call -- actually, the voice signal from your phone -- into a digital signal that travels over the Internet to the person you are calling. If you are calling a plain old telephone number, the signal is converted back at the other end. If you're comfortable with new technology, you may want to learn more about VoIP. It's smart to do some research on this technology before signing up for it.


10 Scams to Screen from Your Email


It's 10 p.m. Do you know whom your kids are chatting with online?

While social networking sites can increase a person's circle of friends, they also can increase exposure to people with less than friendly intentions. Here are tips for helping your kids use social networking sites safely:

  • Help your kids understand what information should be private.

  • Explain that kids should post only information that you - and they - are comfortable with others seeing.

  • Use privacy settings to restrict who can access and post on your child's website.

  • Remind your kids that once they post information online, they can't take it back.

  • Talk to your kids about avoiding sex talk online.

  • Tell your kids to trust their gut if they have suspicions. If they ever feel uncomfortable or threatened by anything online, encourage them to tell you.


Don't get hooked by a Phishing expedition

  • Don't reply to email or pop-up messages that ask for personal or financial information, and don't click on links in the message.

  • Don't cut and paste a link from the message into your Web browser -- phishers can make links look like they go one place, but actually send you to a different site.

  • Use anti-virus and anti-spyware software, as well as a two-way firewall, and update them all regularly.

  • Don't send personal or financial information by email.

  • Be cautious about opening any attachment or downloading any files from emails you receive regardless of who sent them.


Don't let spyware control your computer use

Lower your risk by taking the following steps:

  • Update your operating system and Web browser software, and set your browser security high enough to detect unauthorized downloads.

  • Use anti-virus and anti-spyware software, as well as a two-way firewall, and update them all regularly.

  • Download free software only from sites you know and trust. Enticing free software downloads frequently contain other software, including spyware.

  • Don't click on links in pop-ups.

  • Don't click on links in spam or pop-ups that claim to offer anti-spyware software