Security Awareness Tip

November 23, 2008
Back up important files on a regular basis
Back up important files on a regular basis and store the backups in a safe place, preferably off site. You can back up files to removable disk or save copies to network shares. Unfortunately, it's not a matter of "if" you'll lose files one way or another; it's a matter of "when".
November 22, 2008
Use a password protected screen saver
Desktop computers should be locked or logged off when the user steps away from the terminal. Password protecting the Windows screen saver is one way of "locking" the desktop. To do this, right click on the desktop and go to "Properties"; select the "Screen Saver" tab; and check "On resume, password protect".
November 21, 2008
Don't Let Personnel Issues Become Security Issues; Terminate Computer Access Before You End a Contract or Tell People They Are Fired
Shortly before a labor union strike in August 2006, two Los Angeles transportation engineers allegedly disconnected traffic signals at four busy intersections. The disgruntled employees were subsequently accused of unauthorized access to a computer, identity theft, and unauthorized disruption or denial of computer services. The danger these acts posed to the public was significant even IF no accidents resulted from them. Had the Department of Transportation revoked computer access as soon as it terminated the two engineers' contracts, LA would have avoided the risk to the public. P.S. It took the city days to get the traffic control system back to normal.
November 20, 2008
Stop! Nobody Sends Email to Dead People!
One type of phishing (fake emails that trick you into sharing your private financial details) is a note claiming that the sender wants to send you a sum of money but cannot, because they have been told you are deceased. The idea is to get you to prove you are not dead by giving up your financial information. As always, if it sounds too good to be true, it probably is. If someone wants to contact you in order to give you a large sum of money, they will almost certainly do it by certified mail, not by email.
November 19, 2008
If you download FREE software...make sure you don't get more than you bargained for
Free software that you download could be just what you think it is — a single software package. However, many times free software comes bundled with other unwanted, harmful programs including spyware, viruses, or even Trojan horse programs. To help keep your computer free from unwanted guests, make sure the site you are downloading from is one you know and trust. Also verify that your operating system and anti-virus software have been updated and patched BEFORE you click the download button!
November 18, 2008
Do NOT open unknown or unexpected e-mail attachments
This morning I got an e-mail from my boss with an attachment. My boss is a man of few words on e-mail. If he wants to explain or discuss something with me, he picks up the phone. When he wants me to read or edit something we have talked about, he sends it to me. Even though the subject line was a date, the e-mail had no text, AND my boss hadn't told me he was sending me an attachment, I opened it because it was from my boss at an e-mail address I recognized. Bad move. Imagine my surprise when my Norton anti-virus screen popped up with a message that the attachment contained a virus and had been deleted. Hackers had spoofed his address and I had fallen for it.
November 17, 2008
Just because your company's spam filter, virus filter and other defenses let an email through, doesn't mean it's harmless
Last year, one organization narrowly avoided a virus infestation. Alerts led them to the email in-boxes of the virus authors. To sneak in a virus, hackers used encrypted zip files, which went past filters because they couldn't be scanned. The organization caught it with the very last line of defense — desktop antivirus software, which triggered after the users had plugged in the password to see the zip file contents! Had the bad guys written something new, instead of using off-the-shelf script kiddie code that was in standard pattern files, there could have been a major outbreak. Long story short: End-user awareness about email and attachments is every bit as important as antivirus filters and firewalls. EVERY USER is an important part of hacker defense!
November 16, 2008
Make your password complex.
A good password should contain a mix of all four types of characters: uppercase and lowercase letters, numbers, and symbols. Any character on your Windows or Mac keyboard is legal in a password you make for your own computer. Remember to include at least 8 characters and avoid common words and proper names. Some characters may be illegal on certain networked systems; when in doubt, try it out. Another way to make your password complex is to base it on a word in a foreign language with at least 8 letters, again avoiding common words and proper names. Just add a number, a symbol, and a capital letter or two as you go.
November 15, 2008
Email isn't the only online communication that has security risks
Instant Messaging has become a popular way for people to communicate over the Internet. In some instances it has even replaced email. What some people don't realize, however, is that instant messaging has many of the same security threats that email does... and then some. Instant messaging can transfer viruses and other malware, provide an access point for Trojans, and give hackers an easy way to find victims. If you use instant messaging on a regular basis, you need to be aware of the security risks associated with it and take steps to protect yourself. See the following links for more on instant messaging safety.
November 14, 2008
Be Skeptical When You Read Your Email
Keep asking "Why should I believe that?" It is important to remember that you can't trust the "from" address on e-mail from outside the organization, as it is often faked by fraudsters and viruses. If you didn't expect a message, link, or attachment from someone, ask yourself why you should trust that it really came from the apparent sender, and that it's safe. When in doubt, it's a good idea to call and verify that they sent you the message.
November 13, 2008
Do not use the same password for everything
An attendee of a training program for a new software package to set up login accounts mentioned using the same password for everything to make it easy to remember. As a security professional, I said that this was a bad idea because, if the password was disclosed, the "bad guy" would have the keys to all their information. The attendee scoffed and told me it did not matter because the password was a word from a foreign language. The person then sat down to create his account on the computer that was attached to the overhead projector. He typed his password into a non-masked field, exposing it to everyone in the room. My security advice was proven true.
November 12, 2008
Use anti-virus software
Make sure you have anti-virus software installed on your computer and update it regularly.

Warning: Out-of-date anti-virus software will not protect your computer from new viruses.
November 11, 2008
Don't give away your data when you give away your handheld device
Be careful before you resell or give away your handheld devices like Palms. The new owner can uncover data. At a minimum, figure out how to reset it to the factory standard. Refer to your manual or call the manufacturer. For more information on deleting data: http://www.informit.com/guides/content.asp?g=security&seqNum=234&rl=1
November 10, 2008
Don't Let Spammers See Your "Out of Office" Replies
Configuring your email program to automatically return "Out of Office" notifications to email senders is good for internal mail system users, but it can provide confirmation of an email address to a spammer, if permitted to leave the corporate network. Configure your message replies to recognize only trusted domain addresses or block your notifications outbound at the firewall.

For home users, never say you are not home, but rather "away from the computer right now", and don't specify for how long. You don't want to advertise your absence.
November 9, 2008
Beware of USB flash drive's autoplay feature
A white hat hacker broke into a bank by leaving 20 USB tokens lying around the bank's parking lot for employees to find. When they plugged in a token, a Trojan backdoor was installed on the employee's computer and the hacker was into the bank's network! Some employees claimed they were being helpful — trying to find the token's owner; others were curious about the token's content; still others thought they had scored a huge USB token and tried unsuccessfully to reformat it. Unfortunately, the new "U3 technology" on these tokens prevented a hidden partition from being deleted, and it contained a remote access Trojan that installed itself by emulating a CD-ROM and using Windows XP's CD-ROM autoplay feature.
November 8, 2008
Can you hear me now? Do NOT trust your cell phone Bluetooth earpiece
Many cell phone Bluetooth hands-free earpieces have a default PIN of 0000. A hacker with a Bluetooth antenna can connect to your earpiece and eavesdrop on everything that you are saying. In fact, they can even transmit to it. Think that's unlikely? Check out the YouTube video at: http://www.youtube.com/watch?v=1c-jzYAH2gw
November 7, 2008
Don't tell anybody your password
This warning includes your systems administrator, who NEVER needs your password. One day I received an e-mail from "Support@Waidele.info", saying they needed my password for maintenance, and if I did not go to a webpage and give it to them, they would suspend my account. As it turns out, I'm the one in charge of "waidele.info" — so I'm the one who gives out accounts and does maintenance. Things might have ended differently if I had had an account with googlemail.com or aol.com. Then the senders would have called themselves "support@aol.com" and I might have been fooled.
November 6, 2008
Change your password on a schedule.
Passwords are like bubble gum; they are better when fresh. The longer and more complex your password is, the harder it is to crack, and the less often you'll need to change it. If you use an 8-character password, you should change it about every six months. Remember: never use a password with fewer than 8 characters. If you use a 9-character password and follow the rules about uppercase and lowercase letters, numbers, and symbols, it will stay fresh for a whole year. If you can't remember the last time you changed your password, it's time to change it.
November 5, 2008
Place a fraud alert to protect against identity theft
By the time I placed a fraud alert on my credit information, almost two weeks had passed since my wallet was stolen. By then, all the damage had been done.

If your wallet or credit card is stolen, call the three national credit reporting organizations immediately to place a fraud alert on your name and Social Security number. The alert means any company that checks your credit has to contact you to authorize new credit.

Here are the numbers to call if your wallet or cards have been stolen:
  1. Equifax: 1-800-525-6285
  2. Experian (formerly TRW): 1-888-397-3742
  3. Trans Union: 1-800-680-7289
  4. Social Security Administration (fraud line): 1-800-269-0271
You can get a free credit report once a year from each of the three credit reporting agencies. They have set up a web site for this: https://www.annualcreditreport.com/cra/index.jsp
November 4, 2008
Make sure the site you're ordering from protects your information crossing the Internet
This is shown by either a closed lock or an unbroken key at the bottom of the browser window. You can also check to see if the URL begins with https://. While https by itself is not an indication of a secure site, when it is combined with the lock or the unbroken key, then it indicates your data is being encrypted from prying eyes as it crosses the Internet. If you have https without the lock or key in the browser, then it has been faked and is not secure. Sometimes you may also encounter a pop up box that indicates you are about to enter or leave a secure area.
November 3, 2008
Do not allow Internet Explorer to store passwords for you
Stored passwords allow anyone who can access your machine to log in to your web accounts as you. In addition, there are numerous utilities that can expose that hidden information and actually reveal the password. If you've reused that password for other logins, many systems or web sites could be compromised.
November 2, 2008
Save your files to a network server
A computer user working on a critical project was saving the analysis document on his Windows desktop. Unfortunately, the Windows desktop was located on the local hard drive, and local hard drives were not automatically being backed up. When his hard disk failed, he lost the file and had to work through nights and a weekend to make up for the lost time. If your company permits network backups or remote storage, be sure you back up your important files. P.S. Important files don't include things like vacation pictures, which can overburden the backup system. Ask the help desk for advice on where such files should be saved.
November 1, 2008
Avoid spam in your IM email account
Did you ever sign up with an Instant Messenger client so that you could chat with your buddies? Perhaps you have more than one running on the desktop. Each popular IM client conveniently comes with an email account, and each time an email arrives for your IM screen name, you receive a notice, and this account fills up. You can prevent the spam and email notices from appearing with a single filter. Since I added the following filter on the email account attached to my Yahoo IM, I no longer get these notifications. Simply add a filter that sends any message whose "From" address includes "@" directly to the trash. You will be able to communicate with all your IM buddies without the hassle of being notified of items coming into the inbox.
October 31, 2008
Revoking security access isn't always enough
A California man has been arrested for interfering with computers at the California Independent System Operator (Cal-ISO) agency, which controls the state's power transmission lines and runs its energy trading markets. Even though Lonnie C. Denison's security access had been suspended at the request of his employer because of an employee dispute, he allegedly gained physical access to the facility with his card key. Once inside, Denison allegedly broke the glass protecting an emergency power cut-off station and pushed the button, causing much of the data center to shut down. Cal-ISO was unable to access the energy trading market, but the power transmission grid was unaffected.
October 30, 2008
Be better than James Bond
In Casino Royale, Bond chooses a password to protect a multi-million pound money transfer. What does he choose? His girlfriend's name - doh! Why bother torturing him when you could just guess his cunning plans? We can all do better than that. For most situations a password should be 8 characters long and be a mixture of letters, numbers and other characters and it should conform to company policy. It should not be a word you would find in a dictionary, the name of your spouse, partner, child, pet, favorite band or any of these followed by a single digit. Use common sense - Razorlight1 isn't a good choice if you have a poster of the band behind your desk.
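As an added example (not part of the SANS tips), a small Python policy check that encodes the rules from the "Make your password complex" and "Be better than James Bond" tips: at least 8 characters, all four character classes, and no dictionary word or proper name, even with a single digit appended as in Razorlight1. It goes slightly beyond the tips by also normalising common symbol-for-letter substitutions; the word lists are constructed placeholders for a real dictionary and name list.

```python
import re

# Constructed word lists for this example only; a real deployment would load a
# full dictionary plus a list of names, bands, pets and so on from files.
COMMON_WORDS = {"password", "welcome", "summer", "letmein", "monkey", "qwerty"}
PROPER_NAMES = {"razorlight", "james", "bond", "vesper", "fluffy"}

# Common symbol/digit-for-letter substitutions; normalising them lets the
# dictionary check catch "P@ssw0rd" as well as "password".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def character_classes(pw: str) -> set:
    """Return which of the four classes (upper, lower, digit, symbol) appear."""
    classes = set()
    for ch in pw:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif not ch.isspace():
            classes.add("symbol")
    return classes


def looks_like_word(pw: str) -> bool:
    """True if the password is a listed word or name, with or without leet
    substitutions and with at most one trailing digit (e.g. 'Razorlight1')."""
    raw = pw.lower()
    stripped = re.sub(r"\d$", "", raw)   # drop a single trailing digit
    candidates = {raw, stripped, raw.translate(LEET), stripped.translate(LEET)}
    return any(c in COMMON_WORDS or c in PROPER_NAMES for c in candidates)


def check_password(pw: str) -> list:
    """Return the list of rules the password fails; an empty list means it passes."""
    failures = []
    if len(pw) < 8:
        failures.append("shorter than 8 characters")
    missing = {"upper", "lower", "digit", "symbol"} - character_classes(pw)
    if missing:
        failures.append("missing character classes: " + ", ".join(sorted(missing)))
    if looks_like_word(pw):
        failures.append("dictionary word or proper name (with at most a trailing digit)")
    return failures


if __name__ == "__main__":
    for candidate in ("Razorlight1", "P@ssw0rd", "Bond007", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate) or "OK")
```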
October 29, 2008
Secure your Wireless Router
When setting up a wireless network at home, I was surprised to be able to connect to my neighbor's unsecured wireless router. Not only could I have used his bandwidth for free, but had I been so inclined, I could have used the connection for illegal activities. If the police came looking, he may not have been able to prove the activity didn't come from one of his computers. Properly securing wireless is not hard. Look in the manual for how to change the SSID to something unique, turn on WPA (avoid WEP) for authentication and TKIP for encryption, and use MAC address filtering.
October 28, 2008
Recycle electronic equipment
Before you get rid of electronics, be sure you have copies of your important files, and then clear the devices of all data. Then look for places to donate or recycle. Most states have banned computers and components from landfills. To find recycling programs in your area, surf to your favorite search engine and type "computer recycling." You'll get a list of nonprofit groups, individuals, and academic institutions.
October 27, 2008
Five Security Tips
  1. If you don't understand the warning message, say no and consult IT support. It's easier to go back and say yes if you need to than be sorry and have to rebuild your machine.
  2. Certificates: If you don't understand a website certificate message, say no and consult IT support. It is easier to go back and say yes if you need to than be sorry and have to rebuild your credit.
  3. Antivirus: Running antivirus does not slow your computer down nearly as much as a virus does.
  4. Back-up: Backing up your data may seem like a waste of time — er, until you spill coffee all over your laptop.
  5. Passwords: Writing down your password around your desk is about as secure as leaving a $20 bill lying on the dashboard of your car. How well do you trust anyone these days?
October 26, 2008
When selecting a screen name...make sure it doesn't say too much about you
Screen names that hint at personal interests, hobbies, or favorite sports, combined with other clues in your profile will give enough information for someone to figure out who you are and where they can find you.
October 25, 2008
Don't plug in USB drives that you find lying around. Criminals can use them to steal your data
People's natural curiosity and desire to help were exploited by consultant Steve Stasiukonis, who was hired to check security awareness at a credit union. He loaded malicious software on old thumb drives and left the drives on the ground and tables in the parking lot and smoking areas. Each time a curious, helpful person plugged one of the thumb drives into his computer, it loaded software and reported who had taken the bait. His test was harmless, but criminals can use the same technique to take control of our computers. The full story can be found at this link: http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1