Center for Information Technology Services
IT Security - Tip of the Day
October 31, 2013
Don't Let Spammers See Your "Out of Office" Replies
Configuring your email program to automatically return "Out of Office" notifications to email senders is good for internal mail system users, but if those notifications are permitted to leave the corporate network, they can confirm an email address to a spammer. Configure your message replies to recognize only trusted domain addresses or block your notifications outbound at the firewall.
For home users, never say you are not home, but rather "away from the computer right now", and don't specify for how long. You don't want to advertise your absence.
People Forget, Computers Don't
In 2003, the British Government published a report on Iraq's security and intelligence organizations. Then a Cambridge University lecturer discovered that much of the document was copied from three different articles, one written by a graduate student. How did he know? The document contained a listing of the last 10 edits, even showing the names of the people who worked on the file.
Hidden data can often be found within Microsoft Office documents, particularly Word. Whenever you exchange documents with clients, either convert them to PDF format (WYSIWYG) or else run them through Microsoft's Hidden Data Removal tool.
For more info, and to download Microsoft's Hidden Data Removal tool, see http://www.microsoft.com/downloads/.
Four Tips to Help Keep Your Computer Secure
-- Ramkumar Raghavan
If you are a victim of identity theft, report it immediately
Here are some things you should do.
Think twice before posting pictures of yourself or your family and friends
Photographs often contain information that could be used to identify you or the places you visit frequently. Never post unflattering or embarrassing pictures (no matter how funny) that could come back to haunt you. Carefully examine photos for identifying information such as the name of your school, the name of a sports team or organization you belong to, the address of the place you work or your favorite social hangout. Do not give out the full name of a child in your captions. One mother was very concerned to see her son's wrestling picture online with his full name. Pictures can also be copied or altered and used on other websites in ways that might be detrimental to your reputation.
Make sure your personal information is protected when you do business online
Always read the privacy statement before you fill in the blanks. You should also verify that the site is using encryption before you submit any information — look for https in the web address and for a padlock or key in the lower right corner of your browser. Don't send your personal information (social security number, credit card number, etc.) in an email or through instant messaging.
Don't Let Personnel Issues Become Security Issues; Terminate Computer Access Before You End a Contract or Tell People They Are Fired
Shortly before a labor union strike in August 2006, two Los Angeles transportation engineers allegedly disconnected traffic signals at four busy intersections. Subsequently, these disgruntled employees were accused of unauthorized access to a computer, identity theft and unauthorized disruption or denial of computer services. The danger these acts posed to the public was significant even IF there were no accidents as a result. Had the Department of Transportation revoked computer access as soon as it terminated the contracts of the two engineers, LA would have avoided the risk to the public. P.S. It took the city days to get the traffic control system back to normal.
Recycle electronic equipment
Before you get rid of electronics, be sure you have copies of your important files, and then clear the devices of all data. Then look for places to donate or recycle. Most states have banned computers and components from landfills. To find recycling programs in your area, surf to your favorite search engine and type "computer recycling." You'll get a list of nonprofit groups, individuals, and academic institutions.
Know your IMEI?
Did you know there is a unique serial number that identifies each mobile phone? Press *#06# on your phone's keypad, and it will display a 15-digit number. Make a record of that number; it is your International Mobile Equipment Identity (IMEI) number, and if the phone is lost or stolen, the phone can be identified even if a new SIM card is added. Your provider can also block others from using the phone on their network, which could help protect you against expensive 1-900 phone calls and similar mischief.
Revoking security access isn't always enough
A California man has been arrested for interfering with computers at the California Independent System Operator (Cal-ISO) agency, which controls the state's power transmission lines and runs its energy trading markets. Even though Lonnie C. Denison's security access had been suspended at the request of his employer because of an employee dispute, he allegedly gained physical access to the facility with his card key. Once inside, Denison allegedly broke the glass protecting an emergency power cut-off station and pushed the button, causing much of the data center to shut down. Cal-ISO was unable to access the energy trading market, but the power transmission grid was unaffected.
Can you hear me now? Do NOT trust your cell phone Bluetooth earpiece
Many cell phone Bluetooth hands-free earpieces have a default PIN of 0000. A hacker with a Bluetooth antenna can connect to your earpiece and eavesdrop on everything that you are saying. In fact, they can even transmit to it. Think that's unlikely? Check out the YouTube video at: http://www.youtube.com/watch?v=1c-jzYAH2gw
Don't click the "unsubscribe" link at the bottom of unsolicited emails
Spam filters are catching most unwanted e-mail, but some might still reach you. Most spam is designed to get you to respond with your own email or to click a link to "unsubscribe." When you respond or click the "unsubscribe" link, the sender takes your email address and adds it to a SPAM database of active email addresses. You might then start to receive a large amount of SPAM in your inbox. Do not respond or click the "unsubscribe" links.
Report or challenge strangers in your office
Visitors and staff should wear badges. Others you don't recognize may be opportunist thieves who have walked past reception or found an open back door. Grab a co-worker and politely ask if they need some assistance or report them to your security or reception staff. Thieves are as likely to steal your purse or wallet as they are to take company property, so it is in everyone's interest to keep our premises safe.
If your browser questions a website's security, stop, think, and verify.
When visiting the "https" secure sites of banks and online shopping retailers, you may see an onscreen warning, such as "There is a problem with the website's security certificate" or "Secure Connection Failed." Don't just click to continue or to make an exception. The warning may only indicate that there is a harmless temporary problem with the site or with the network. But it can also mean that the site is bogus or has been compromised by hackers, and someone is listening in on your conversation with your bank or retailer.
Be smart. Contact your bank or retailer by phone to find out if they know about a problem with their website or the network. Don't be the next victim of fraud.
Use Outlook? Use the Auto-Preview, not the Reading Pane
If you are using an older version of Outlook, or if you have managed to reset the security level for e-mails, then you may be at some risk for HTML script-based exploits. Auto-Preview displays the first three lines of the message, enough to identify whether the message is valid, and it displays faster. Here is how to use it.
Disable the Reading Pane and Enable Auto Preview:
No free lunch
A new round of bogus pop-ups offers to scan your computer for infections and vulnerabilities for free. Do not take the bait! By allowing this kind of scan, you may be giving Bad Guys access to your personal information.
Some Tips to Protect against Identity Theft
Get a separate email address for postings
To secure your data and reduce SPAM sent to your business as well as to your private email account, get a dedicated address for internet postings. Never use your business email address for posting guestbook entries, votes, or questions and answers in forums and surveys. It's good to be reachable in these situations, but best to be anonymous.
Be careful with cybercafe computers
Cybercafes offer a convenient way to use a networked computer when you are away from home or office. But be careful. It's impossible for an ordinary user to tell what the state of their security might be. Since anyone can use them for anything, they have probably been exposed to viruses, worms, Trojans, keyloggers, and other nasty malware. Should you use them at all? They're okay for casual web browsing, but they're NOT okay for connecting to your email, which may contain personal information; to any secure system, like the network or server at your office, bank or credit union; or for shopping online.
Lock it when you leave it
Never leave your computer logged in when you walk away, not even for a minute. Make it a habit to log off your workstation whenever you get up. Remember to always leave your Windows computer by pressing the keyboard shortcut combination of the Windows logo key and the letter "L" on a Microsoft natural keyboard. Get it? Leave Windows by pressing the Windows logo + L keys together to lock it up.
If you weren't expecting an attachment, write back and request that the sender embed the text in the email
When you see your anti-virus package "scanning" a Word or Excel file, the odds are VERY high that it won't find any of the important new vulnerabilities nation states and rich criminals are using to get past the most sophisticated defenses. Don't open email attachments unless you were expecting them. Send a note back and ask the person to embed the text in a simple email. This matters to your career. The people who break this rule will be the reason their organization's data are stolen and they won't be able to hide.
Keep it off the floor
No matter where you are in public - at a conference, a coffee shop, or a registration desk - avoid putting your laptop on the floor. If you must put it down, place it between your feet or at least up against your leg, so that you're aware of it.
Get it out of the car
Don't leave your laptop in the car - not on the seat, not in the trunk. Parked cars are a favorite target of laptop thieves; don't help them by leaving your laptop unattended. If you must leave your laptop behind, keep it out of sight.
Treat your laptop like cash
If you had a wad of money sitting out in a public place, would you turn your back on it - even for just a minute? Would you put it in checked luggage? Leave it on the backseat of your car? Of course not. Keep a careful eye on your laptop just as you would a pile of cash.
Treat your laptop like you want to keep it
Thinking of taking your laptop on the road? It's a great way to work and stay in touch when you're out and about, but you need to take some steps to keep your laptop safe and in your possession. Here are some things you can do to keep track of your laptop:
When you log out, log out completely
Closing or minimizing your browser or typing in a new web address when you're done using your online account may not be enough to prevent others from gaining access to your account information. Instead, click on the "log out" button to terminate your online session. In addition, don't permit your browser to "remember" your username and password information. If this browser feature is active, anyone using your computer will have access to your investment account information.
VoIP: It's a phone, it's a computer, it's...
Voice over Internet Protocol (VoIP) is one way people are making and receiving telephone calls using an Internet connection rather than a regular phone line. VoIP services can also be attacked by computer viruses, worms, or spam over Internet telephony (SPIT). Here is how it works: VoIP converts your phone call -- actually, the voice signal from your phone -- into a digital signal that travels over the Internet to the person you are calling. If you are calling a plain old telephone number, the signal is converted back at the other end. If you're comfortable with new technology, you may want to learn more about VoIP. It's smart to do some research on this technology before signing up for it.
10 Scams to Screen from Your Email
Don't get hooked by a Phishing expedition
Don't let spyware control your computer use
Lower your risk by taking the following steps: