July 3, 2009
Protect Yourself from Identity Theft
I am an attorney who learned the hard way when my wallet was stolen. Within a week, the thieves ordered an expensive monthly cell phone package, applied for a VISA credit card, had a credit line approved to buy a Gateway computer, received a PIN number from DMV to change my driving record information online, and more. If this happens to you:
- Cancel your credit cards immediately [keep the toll free numbers and your card numbers handy in a secure place so you know whom to call].
- File a police report immediately. This proves to credit providers you were diligent, a first step toward an investigation.
- Call the three national credit reporting organizations immediately to place a fraud alert on your name and Social Security number. The alert means any company that checks your credit has to contact you to authorize new credit.
July 2, 2009
Passwords: Be creative
If you can't remember hard passwords no matter how hard you try, put your password in parentheses. baseball38 is a weak password. (baseball38) is much better.
When you change your password, you should always change at least half of it and when you do, change the parentheses as well. Change the parentheses to asterisks, exclamation points or dollar signs. *sallyandbob39* is better than sallyandbob39, and !jimandbetty93! is better than jimandbetty93.
July 1, 2009
If you get up from your computer, lock it!
"I sent an email to your boss letting him know what you really think of him". This Notepad message was on my screen when I got back to my cubicle after getting up to stretch my legs. What? I had been gone for 180 seconds -- three quick minutes. Lucky for me, the note turned out to be from our systems administrator who wanted to make a point. All it takes is about one minute for a disgruntled colleague to send a message on your behalf to the boss and there is no way for you to prove you didn't send it. In about 30 seconds, a cracker could install a keystroke logger to capture everything you type including company secrets, user names and passwords. In about 15 seconds, a passerby could delete all your documents.
June 30, 2009
Be careful with cybercafé computers
Cybercafés offer a convenient way to use a networked computer when you are away from home or office. But be careful. It's impossible for an ordinary user to tell what the state of their security might be. Since anyone can use them for anything, they have probably been exposed to viruses, worms, Trojans, keyloggers, and other nasty malware. Should you use them at all? They're okay for casual web browsing, but they're NOT okay for connecting to your email, which may contain personal information; to any secure system, like the network or server at your office, bank or credit union; or for shopping online.
June 29, 2009
If your browser questions a website's security, stop, think, and verify.
When visiting the "https" secure sites of banks and online shopping retailers, you may see an onscreen warning, such as "There is a problem with the website's security certificate" or "Secure Connection Failed." Don't just click to continue or to make an exception. The warning may only indicate that there is a harmless temporary problem with the site or with the network. But it can also mean that the site is bogus or has been compromised by hackers, and someone is listening in on your conversation with your bank or retailer.
Be smart. Contact your bank or retailer by phone to find out if they know about a problem with their website or the network. Don't be the next victim of fraud.
June 28, 2009
Avoid Ad-hoc wireless networks
Disable automatic connection to any new networks and limit your connections to access point (infrastructure) networks only:
- Click the "Start" button and navigate to the "Control Panel" and then to "Network Connections."
- Right mouse-click on the "Wireless Network Connection" and choose "Properties".
- Pick the "Wireless Networks" tab, then the "Advanced" button:
- Make sure that the check box next to "automatically connect to non-preferred networks" is not checked.
- Click on Access point (infrastructure) networks only to avoid ad hoc networks.
This configuration prevents you from automatically connecting to any new networks and refuses all ad-hoc networks, which have the potential to monitor traffic that passes through them.
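The steps above are for the Windows XP wireless dialog. On Windows Vista and later the same settings live in saved WLAN profiles, which can be audited from the command line. The following PowerShell script is an added example and is not part of the original tip: it exports every saved profile with netsh, parses the profile XML, and flags any profile that is ad hoc (connectionType IBSS rather than ESS) or that reconnects automatically (connectionMode auto), which are the two things the tip says to avoid. It assumes an elevated prompt and a scratch folder under $env:TEMP.

```powershell
# Added example (not from the original tip): audit saved Wi-Fi profiles on
# Windows Vista and later, where "netsh wlan" replaced the XP dialog described
# above. Lists any profile that is ad hoc (IBSS) or set to connect
# automatically, so it can be removed or switched to manual.
# Assumes an elevated prompt; $ExportDir is an assumed scratch folder.

$ExportDir = Join-Path $env:TEMP 'wlan-profile-audit'
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

# Export every saved profile to XML. Passphrases are not needed for this
# check, so the key=clear option is deliberately left off.
netsh wlan export profile folder="$ExportDir" | Out-Null

$findings = foreach ($file in Get-ChildItem -Path $ExportDir -Filter '*.xml') {
    [xml]$profileXml = Get-Content -Path $file.FullName
    $p = $profileXml.WLANProfile
    [pscustomobject]@{
        Name           = $p.name
        ConnectionType = $p.connectionType   # ESS = access point, IBSS = ad hoc
        ConnectionMode = $p.connectionMode   # auto or manual
        AdHoc          = ($p.connectionType -eq 'IBSS')
        AutoConnect    = ($p.connectionMode -eq 'auto')
    }
}

$findings | Format-Table -AutoSize

# Flag exactly what the tip warns about: ad hoc profiles, and profiles that
# join a network on their own without asking.
foreach ($f in ($findings | Where-Object { $_.AdHoc -or $_.AutoConnect })) {
    if ($f.AdHoc) {
        Write-Warning ("Ad hoc profile '{0}' is saved; remove it with: netsh wlan delete profile name=""{0}""" -f $f.Name)
    } else {
        Write-Warning ("Profile '{0}' auto-connects; make it manual with: netsh wlan set profileparameter name=""{0}"" connectionmode=manual" -f $f.Name)
    }
}

# Clean up the exported XML so profile details are not left on disk.
Remove-Item -Path $ExportDir -Recurse -Force
```

The script only reports; the netsh commands it prints are the ones that remove an ad hoc profile or change a profile from automatic to manual connection, so you can review each finding before acting on it.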
June 27, 2009
Print out important documents
A digital photography expert told me that CDs are expected to "live" for up to ten years. I want kids—and maybe grandkids—to see photos, so I print the best ones. Same goes for documents: print important files so that they are accessible in future decades. Of course, you want to back up these files too.
June 26, 2009
Don't open email about Michael Jackson
When a major news event happens, cyber criminals send email with a subject line related to the event and include an attachment that is malware to infect your computer and make it part of a botnet for sending SPAM and conducting other illegal activities. You can see examples of these catchy subject lines at
http://www.flickr.com/photos/panda_security/with/3256919391/
June 25, 2009
Don't be duped by Internet Fraud
We all get offers that seem too good to be true. Whether they come by email or appear on web sites, they are often clever schemes designed to dupe the gullible. Don't be tricked by Internet Fraud. For more information see
http://www.lookstoogoodtobetrue.com.
June 24, 2009
See just how "Security Aware" you really are
Do you believe you're a little more Security Aware? Can you identify the threats that exist in your environment and the steps you should take to avoid them? Take the following quizzes and find out.
June 23, 2009
Effectively delete files
When you delete a file, depending on your operating system and your settings, the file may be transferred to your trash or recycle bin. This "holding area" essentially protects you from yourself—if you accidentally delete a file, you can easily restore it. An unauthorized person will also be able to retrieve it. Does your recycle bin include credit card information, passwords, medical, or other personal data? Is there sensitive corporate information? Empty the trash or recycle bin on a regular basis to ensure that deleted information stays deleted.
June 22, 2009
When selecting a screen name...make sure it doesn't say too much about you
Screen names that hint at personal interests, hobbies, or favorite sports, combined with other clues in your profile will give enough information for someone to figure out who you are and where they can find you.
June 21, 2009
Periodically check your credit report
Get a copy of your credit report from each of the three major credit bureaus every year. (Federal law gives you the right to one free credit report from the three credit bureaus: Equifax, Experian, and TransUnion —
http://www.ftc.gov/bcp/conline/pubs/credit/freereports.htm.) Check the reports to make sure everything is accurate. Consider staggering the requests and obtain one report every four months. That way, you can watch for signs of identity theft (e.g. inquiries that were not generated by you, or accounts you didn't open).
June 20, 2009
Shh! Don't say it out loud. The cubes have ears
Office workspaces seem to be smaller and smaller. It is therefore harder to keep secrets when everyone is within earshot. When necessary use handwritten notes for transferring confidential information, and then shred the papers when done.
June 19, 2009
Turn off your wireless AP when it's not in use
Power off your wireless access point (AP) when you know you won't be at home or when it's not in use. Your AP can't be accessed by hackers when it is not powered on. So, turn it off and limit the amount of time you leave yourself open to attack.
June 18, 2009
Prevent USB Drives from Spreading Viruses
When you stick a thumb drive infected with a worm like Conficker/Downadup into a clean system, the normally handy AutoPlay feature launches the worm and spreads the infection. You can prevent this by flipping the master switch. Here's how:
- Click on the "Start" button and pick "Run."
- Enter the text GPEDIT.MSC and press Enter. After a moment, the Group Policy editor window will open.
- In the left panel, double-click on "Computer Configuration."
- Double-click on "Administrative Templates."
- Double-click on "System."
- In the right panel near the bottom of the list, double-click on "Turn off Autoplay."
- The default setting is "Not configured." Put a bullet in "Enabled."
- Make sure "Turn off Autoplay on:" is set to "All drives."
- Click on "Apply," and then "OK".
- Close the Group Policy editor window.
June 17, 2009
Think twice before posting pictures of yourself or your family and friends
Photographs often contain information that could be used to identify you or the places you visit frequently. Never post unflattering or embarrassing pictures (no matter how funny) that could come back to haunt you. Carefully examine photos for identifying information such as the name of your school, the name of a sports team or organization you belong to, the address of the place you work or your favorite social hangout. Do not give out the full name of a child in your captions. One mother was very concerned to see her son's wrestling picture online with his full name. Pictures can also be copied or altered and used on other websites in ways that might be detrimental to your reputation.
June 16, 2009
Protect files with a password
Your most important files can be protected with a password. For example, in Microsoft Word, you can create a password to open and a password to modify a file. Just go to Tools | Options and click the Security tab. Remember the password so you don't lock yourself out!
June 15, 2009
Recycle electronic equipment
Before you get rid of electronics, be sure you have important files and then clear them of all data. Then look for places to donate or recycle. Most states have banned computers and components from landfills. To find recycling programs in your area, surf to your favorite search engine and type "computer recycling." You'll get a list of nonprofit groups, individuals, and academic institutions.
June 14, 2009
Don't be an unintentional spammer
If you're like most people, you've probably received at least one hoax or chain letter in your inbox. What should you do with the next one you receive? Delete it! Why you ask? Because chain letters and hoaxes have the potential to cause problems (lots of network traffic or just filling up someone's inbox) and they can also be very annoying. Visit the following sites to find out more about hoaxes and chain letters.
June 13, 2009
DO NOT install Microsoft patches or updates sent by email (They are fake)
Microsoft never sends out patches or updates by email. There are no exceptions. Keep that in mind and you won't be a victim of a Microsoft patch hoax. The first time I received one of these, I sat down at my workstation and saw an email message from Microsoft telling me to install the patch they had handily supplied as an attachment. I knew this was bogus immediately. We sent out a voicemail quickly warning all employees not to fall for opening attachments that offer to install any kind of software. That was March, 1999. Every 18 months or so, someone tries this hoax again by crafting and sending out a phony email complete with a Microsoft look-alike logo, spoofed return address, links, etc., and some text assuring you that this is all the real thing. It isn't.
June 12, 2009
Better safe than sorry: If you're unsure that a file or program is clean, scan it for malware before you open or install it
Find out if a file or program of 10MB or less is free of malware by uploading it to
www.virustotal.com, a free service which scans submissions using a combination of antivirus engines. VirusTotal detects viruses, worms, Trojans, and other kinds of malware that any one antivirus application might miss.
June 11, 2009
Use variations on a strong "core" password
It's tough to remember a series of strong passwords and use a different one for each online system or site you access. The temptation is to use the same password for several or all systems and sites. That's a bad idea -- if a Bad Guy gets a hold of your password, he'll have the key that fits all of your doors. Instead, create a strong "core" password and then unique variations on it for each online system or site system you use. Here's a strong password: 5P0ky!3Z. It contains 8 characters, a mixture of uppercase and lowercase letters, at least one number and one non-alphanumeric character or symbol, and no personally identifiable information. By adding a character or two at the beginning or the end, you can have many variations to use for each system or site -- effectively creating a new strong password for each one. Remember to change your "core" password and its variations on a regular basis.
- Carl Hill, Toronto, Canada
June 10, 2009
Beware of USB flash drive's autoplay feature
A white hat hacker broke into a bank and left 20 USB tokens lying around the parking lot of the bank for employees to find. When they plugged in the USB token, the Trojan backdoor was installed on the employees' computers and the hacker was into the bank's network! Some employees claimed they were being helpful — trying to find the token's owner, others were curious about the token's content, still others thought they had scored a huge USB token and tried unsuccessfully to reformat the token. Unfortunately the new "U3 Technology" on these tokens prevented a hidden partition from being deleted, and it contained a remote access Trojan which installed itself by emulating a CD-ROM and using Windows XP's CD-ROM AutoPlay feature.
June 9, 2009
Report or challenge strangers in your office
Visitors and staff should wear badges. Others you don't recognize may be opportunist thieves who have walked past reception or found an open back door. Grab a co-worker and politely ask if they need some assistance or report them to your security or reception staff. Thieves are as likely to steal your purse or wallet as they are to take company property, so it is in everyone's interest to keep our premises safe.
June 8, 2009
Don't fall for phishing schemes
Could you tell if an email message requesting personal information was legitimate? In most cases you can trust your instincts (if an email message looks suspicious, it probably is). However there are some messages that look like the real thing but aren't. If an email message contains any of the following phrases, there's a good chance it could be a phishing scheme.
- We need to verify your account information.
- If you don't respond immediately, your account will be cancelled.
- Click the link below to update your information.
Take the following Phishing Quizzes and see how good you are at identifying phishing schemes.
June 7, 2009
Don't reply to unsolicited email messages (spam)
By responding, you only confirm that your email address is active. Another thing you shouldn't do is click the "remove me" link in the message. Links in email can point to an IP address other than the one you think it references. The best thing you can do is delete the message. Many free email service providers will allow you to easily report it as spam if you received it through MSN Hotmail, Yahoo!, AOL or Gmail.
June 6, 2009
Watch out for shoulder surfers
Watch out for shoulder surfers who read over your shoulder or try to steal your password. If you have your back to the door or an open cubicle wall, get a rear-view mirror to stick up and watch behind you when you're typing. This also prevents office pranksters from sneaking up on you. When in public places, such as Internet cafes, always try to sit with your back to a wall to prevent onlookers. Glass walls don't count — thieves can look right through them!
June 5, 2009
Use a password in only one place.
Reusing passwords or using the same password all over the place is like carrying one key that unlocks your house, your car, your office, your briefcase, and your safety deposit box. If you reuse passwords for more than one computer, account, website, or other secure system, keep in mind that all of those computers, accounts, websites and secure systems will be only as secure as the least secure system on which you have used that password. Don't enter your password on untrusted systems. One lost key could let a thief unlock all the doors. Remember: Change your passwords on a schedule to keep them fresh.
June 4, 2009
Be skeptical and trust your instincts
People often post false or misleading information concerning their identities and interests. In most instances, this is done with good intentions as a way to avoid disclosing personal information. However, there are also people who fabricate information with malicious intent. If you ever feel threatened or uncomfortable with someone you encounter online, take the time to report the incident. Most social networking sites like MySpace provide several mechanisms for reporting inappropriate behavior.