To learn more about information security and how to keep yourself, family, and friends secure subscribe to OUCH!, the free, monthly security awareness newsletter, now published in over twenty languages. More at the OUCH! homepage.
If you MUST open an attachment received in an email, make sure the email was sent from a known source. Read the accompanying email text to make sure it really sounds like it came from the apparent sender — check for a signature and other recognized patterns.
November 19, 2014
If you're not sure you've seen an incident, report it anyway
Most security folks (and IT folks, for that matter) would rather hear about a problem from you than to figure it out afterwards while troubleshooting a system failure. If a phone call from User Support doesn't sound quite right, if a common email announcement is just a little off, or if a caller on the phone is too stressed to remember his or her password — don't be pressured and don't be rushed. Rush and pressure are among the "social engineering" hacker's best tools. Ask for help! Call your supervisor, call your IT group, and call your InfoSec group on the spot for assistance. You are as responsible (or more) to the whole company as you are to the one person on the phone! Don't let one person's stress jeopardize the organization's information security.
November 18, 2014
Check and make sure your friend sent that great screensaver
A common method of transmitting malware is by infecting some unsuspecting user's computer and then using that computer to infect others. One simple way to do this is for a hacker to hijack your address book and send copies of the malware to everyone in that address book. Of course, YOU need to be enticed to run the malware, and the best way to do that is to fool you into thinking the attachment is something else. If a friend or acquaintance sends you a "great screensaver" or something like that, which you were not expecting, take a few minutes to confirm that person really sent it. If they know nothing about it, then delete the message.
November 17, 2014
Shh! Don't say it out loud. The cubes have ears
Office workspaces seem to be smaller and smaller. It is therefore harder to keep secrets when everyone is within earshot. When necessary use handwritten notes for transferring confidential information, and then shred the papers when done.
November 16, 2014
Use variations on a strong "core" password
It's tough to remember a series of strong passwords and use a different one for each online system or site you access. The temptation is to use the same password for several or all systems and sites. That's a bad idea -- if a Bad Guy gets a hold of your password, he'll have the key that fits all of your doors. Instead, create a strong "core" password and then unique variations on it for each online system or site system you use. Here's a strong password: 5P0ky!3Z. It contains 8 characters, a mixture of uppercase and lowercase letters, at least one number and one non-alphanumeric character or symbol, and no personally identifiable information. By adding a character or two at the beginning or the end, you can have many variations to use for each system or site -- effectively creating a new strong password for each one. Remember to change your "core" password and its variations on a regular basis.
- Carl Hill, Toronto, Canada
November 15, 2014
Don't open email about Michael Jackson
When a major news event happens, cyber criminals send email with a subject line related to the event and include an attachment that is malware to infect your computer and make it part of a botnet for sending SPAM and conducting other illegal activities. You can see examples of these catchy subject lines at http://www.flickr.com/photos/panda_security/with/3256919391/
November 14, 2014
Make your password long.
At least eight characters long, and the longer the better. Passwords shorter than 8 characters are easy to crack. Follow these password rules. Avoid common words and proper names. Use both uppercase and lowercase letters, numbers, and symbols. Trouble is, who can remember a password like Fm79$#Xk? Try a passphrase instead: When I was 7, my dog Dolly went to Heaven. This contains 42 easy-to-remember characters, follows all the rules, and is in plain English. (Not every system will accept passphrases; when in doubt, try it out.) The odds against anyone cracking it even with the help of a supercomputer are astronomical. Make your passphrase original. Don't use familiar or famous quotations. Don't use any real names especially your own, your family members, or your pets. Nonsensical passphrases are the hardest to crack.
November 13, 2014
Periodically check your credit report
Get a copy of your credit report from each of the three major credit bureaus every year. (Federal law gives you the right to one free credit report from the three credit bureaus: Equifax, Experian, and TransUnion — http://www.ftc.gov/bcp/conline/pubs/credit/freereports.htm.) Check the reports to make sure everything is accurate. Consider staggering the requests and obtain one report every four months. That way, you can watch for signs of identity theft (i.e. inquiries that were not generated by you, accounts you didn't open).
November 12, 2014
Some Tips to Protect against Identity Theft
Do not sign the back of your credit cards. Instead put "PHOTO ID REQUIRED"; although merchants and their employees are still hit-and-miss on actually checking that ID, more of them are paying attention.
When you order your checks, don't list any telephone number. You can always write it on the check at the time of the transaction. If you have a PO Box, use that instead of your home address or your work address.
Be aware of which credit cards you carry now have embedded RFID chips because the information on one of those chips can be read surreptitiously by someone near you using a simple hand-held scanner.
Place the contents of your wallet on a photocopy machine. Do both sides of each license, credit card, etc. You will know what you had in your wallet and all of the account numbers and phone numbers to call and cancel. Store those photo copies in a secure place and refresh it when you change cards.
November 11, 2014
Protect Your Social Security Number
Avoid using your social security number whenever you can. Many places use social security numbers for user identification. Ask to use an alternate number if possible. In addition, don't print it on personal checks. Your Social Security number is the key to most of your financial information which makes it a prime target for criminals. Only give it out when absolutely necessary.
November 10, 2014
If you get up from your computer, lock it!
"I sent an email to your boss letting him know what you really think of him". This Notepad message was on my screen when I got back to my cubicle after getting up to stretch my legs. What? I had been gone for 180 seconds -- three quick minutes. Lucky for me, the note turned out to be from our systems administrator who wanted to make a point. All it takes is about one minute for a disgruntled colleague to send a message on your behalf to the boss and there is no way for you to prove you didn't send it. In about 30 seconds, a cracker could install a keystroke logger to capture everything you type including company secrets, user names and passwords. In about 15 seconds, a passerby could delete all your documents.
November 9, 2014
Beware of Shoulder Surfing
A person who is standing near as you fill out a form, enter your PIN number, or punch in your calling card numbers may be doing more than just waiting their turn. To help prevent shoulder surfing, shield your paperwork from view using your body and cup your hand over the keypad.
Submitted by Nitin Dewan
November 8, 2014
Revoking security access isn't always enough
A California man has been arrested for interfering with computers at the California Independent System Operator (Cal-ISO) agency, which controls the state's power transmission lines and runs its energy trading markets. Even though Lonnie C. Denison's security access had been suspended at the request of his employer because of an employee dispute, he allegedly gained physical access to the facility with his card key. Once inside, Denison allegedly broke the glass protecting an emergency power cut-off station and pushed the button, causing much of the data center to shut down. Cal-ISO was unable to access the energy trading market, but the power transmission grid was unaffected.
November 7, 2014
Use anti-virus software
Make sure you have anti-virus software installed on your computer and update it regularly.
Warning: Out-of-date anti-virus software will not protect your computer from new viruses.
November 6, 2014
Just because your company's spam filter, virus filter and other defenses let an email through, doesn't mean it's harmless
Last year, one organization narrowly avoided a virus infestation. Alerts led them to the email in-boxes of the virus authors. To sneak in a virus, hackers used encrypted zip files, which went past filters because they couldn't be scanned. The organization caught it with the very last line of defense — desktop antivirus software, which triggered after the users had plugged in the password to see the zip file contents! Had the bad guys written something new, instead of using off-the-shelf script kiddie code that was in standard pattern files, there could have been a major outbreak. Long story short: End-user awareness about email and attachments is every bit as important as antivirus filters and firewalls. EVERY USER is an important part of hacker defense!
November 5, 2014
Hackers aren't the only threat to your computer
Food and drink are common causes of computer damage. Try to keep them away from your computer and removable devices. Liquids can be especially damaging to laptops. If a spill occurs, you should clean up the mess as soon as possible. A cup with a firm lid is a great idea — it helps limit a spill.
As the network administrator at a small firm, I've been fighting spyware and spam for years. At first I had to rely on www.techguy.org, which provides legitimate links to free anti-spyware programs. One day I needed one of those programs in a hurry. I did a Google search and clicked on the first link I found in the Google hit list. The link took me to a "hijacked" website. Pop-ups immediately came up on my pc. Fortunately I knew how to stop them before anything was downloaded [When a popup is showing on your desktop — don't click on it! Right click on the Windows Taskbar item and choose Close]. Since then, I never clicked on the first Google hit link again. I always use the Google "cached" link to check the link first.
November 3, 2014
Be skeptical and trust your instincts
People often post false or misleading information concerning their identities and interests. In most instances, this is done with good intentions as a way to avoid disclosing personal information. However, there are also people who fabricate information with malicious intent. If you ever feel threatened or uncomfortable with someone you encounter online, take the time to report the incident. Most social networking sites like MySpace provide several mechanisms for reporting inappropriate behavior.
November 2, 2014
Nobody from the Help Desk needs your password
While watching some scenarios in some videos on computer security, one of the audience members turned bright red. After the video, she confided in me that she had once received a call from "The Help Desk" saying that they needed her password to trouble-shoot a problem they were having backing up her files. She provided it. Fortunately, she thought about it and 5 minutes later called the help desk to confirm. The help desk staff immediately locked her account and had her drop by with ID so they could provide her with a new password.
November 1, 2014
Keep your password secret
Your password is like your bank account PIN - if you give your PIN to someone else, your bank is unlikely to pay you back if it is used to steal from your account. Likewise, your company expects you to use your password to stop others misusing your computer account. If you share your password, you may be held responsible for what other people do with it.
If you weren't expecting an attachment, write back and request that sender embeds text in email
When you see your anti-virus package "scanning" a Word or Excel file, the odds are VERY high that it won't find any of the important new vulnerabilities nation states and rich criminals are using to get past the most sophisticated defenses. Don't open email attachments unless you were expecting them. Send a note back and ask the person to embed the text in a simple email. This matters to your career. The people who break this rule will be the reason their organization's data are stolen and they won't be able to hide.
October 30, 2014
Keep it off the floor
No matter where you are in public - at a conference, a coffee shop, or a registration desk - avoid putting your laptop on the floor. If you must put it down, place it between your feet or at least up against your leg, so that you're aware of it.
Don't leave your laptop in the car - not on the seat, not in the trunk. Parked cars are a favorite target of laptop thieves; don't help them by leaving your laptop unattended. If you must leave your laptop behind, keep it out of sight.
If you had a wad of money sitting out in a public place, would you turn your back on it - even for just a minute? Would you put it in checked luggage? Leave it on the backseat of your car? Of course not. Keep a careful eye on your laptop just as you would a pile of cash.
Thinking of taking your laptop on the road? It's a great way to work and stay in touch when you're out and about, but you need to take some steps to keep your laptop safe-and in your possession. Here are some things you can do to keep track of your laptop:
Treat it like cash.
Get it out of the car...don't ever leave it behind.
Keep it locked...use a security cable.
Keep it off the floor...or at least between your feet.
Keep passwords separate...not near the laptop or case.
Don't leave it "for just a sec"...no matter where you are.
Pay attention in airports...especially at security.
Use bells and whistles...if you've got an alarm, turn it on.
Closing or minimizing your browser or typing in a new web address when you're done using your online account may not be enough to prevent others from gaining access to your account information. Instead, click on the "log out" button to terminate your online session. In addition, don't permit your browser to "remember" your username and password information. If this browser feature is active, anyone using your computer will have access to your investment account information.
Voice over Internet Protocol (VoIP) is one way people are making and receiving telephone calls using an Internet connection rather than a regular phone line. VoIP services can also be attacked by computer viruses, worms, or spam over Internet telephony (SPIT). Here is how it works: VoIP converts your phone call -- actually, the voice signal from your phone -- into a digital signal that travels over the Internet to the person you are calling. If you are calling a plain old telephone number, the signal is converted back at the other end. If you're comfortable with new technology, you may want to learn more about VoIP. It's smart to do some research on this technology before signing up for it.
It's 10 p.m. Do you know whom your kids are chatting with online?
While social networking sites can increase a person's circle of friends, they also can increase exposure to people with less than friendly intentions. Here are tips for helping your kids use social networking sites safely:
Help your kids understand what information should be private.
Explain that kids should post only information that you - and they - are comfortable with others seeing.
Use privacy settings to restrict who can access and post on your child's website.
Remind your kids that once they post information online, they can't take it back.
Talk to your kids about avoiding sex talk online.
Tell your kids to trust their gut if they have suspicions. If they ever feel uncomfortable or threatened by anything online, encourage them to tell you.