To learn more about information security and how to keep yourself, family, and friends secure subscribe to OUCH!, the free, monthly security awareness newsletter, now published in over twenty languages. More at the OUCH! homepage.
Food and drink are common causes of computer damage. Try to keep them away from your computer and removable devices. Liquids can be especially damaging to laptops. If a spill occurs, you should clean up the mess as soon as possible. A cup with a firm lid is a great idea — it helps limit a spill.
A common fraud, called "phishing", sends messages that appear to be from a bank, shop or auction site, giving a link to a fake website and asking you to follow that link and confirm your account details. The fraudsters then use your account details to buy goods or transfer money out of the account. These fake sites can be hard to spot, so remember that no reputable organization will send a message requesting your confidential information.
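One way a mail gateway or a cautious reader can spot the link trick described above is to compare the host a link displays with the host it actually points to. The following is an added example, not code from the OUCH! page; the HTML message body is constructed for the demonstration (the `.test` domain and the 192.0.2.x address are reserved for documentation and point nowhere).

```python
"""Flag HTML links whose visible text names one host while the href points
somewhere else, the classic phishing pattern. Added example; the sample
message below is constructed and does not come from a real e-mail."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing-style message body.
SAMPLE_HTML = """
<p>Dear customer, please confirm your details at
<a href="http://192.0.2.10/login">https://www.examplebank.test/login</a>.</p>
<p>Our policy: <a href="https://www.examplebank.test/policy">https://www.examplebank.test/policy</a></p>
<p><a href="https://www.examplebank.test/help">Help centre</a></p>
"""


def _host(text: str) -> str:
    """Return the lower-cased hostname of a URL-like string, or '' if none."""
    candidate = text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate  # a bare 'www.example.test' still parses
    host = urlparse(candidate).hostname
    return host.lower() if host else ""


def _looks_like_url(text: str) -> bool:
    """Only link texts that present themselves as an address are compared."""
    t = text.strip().lower()
    return t.startswith(("http://", "https://", "www."))


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def suspicious_links(html: str) -> list:
    """Return the links whose displayed host differs from the real target host."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        if _looks_like_url(text) and _host(text) != _host(href):
            flagged.append({"shown": text.strip(), "actual": href})
    return flagged


if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_HTML):
        print(f"mismatch: shows {link['shown']!r} but goes to {link['actual']!r}")
```

The check only fires when the link text itself looks like an address, so ordinary "Help centre" style links are left alone; links whose text is a plausible URL but whose target is a bare IP address or an unrelated domain are exactly the ones the tip warns about.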
December 9, 2013
Three Tips for Safer Online Transactions
Make sure that the URL of the website begins with https (not http). Https ensures that your username, password, credit card number, expiration date and other information are sent from your computer to the site in encrypted form. Encryption helps to make your connection secure and reduces the risk that malicious people may intercept the information you enter and make illegal use of it.
A yellow icon that looks like a padlock at the lower right corner of your browser window confirms that you have a secure connection.
Some websites present a certificate of authenticity when you browse to them as a way to assure you that the site is legitimate. Check to make sure the certificate is valid and has not expired. If you are satisfied with the validity of the certificate, click on the link that takes you to the site itself. An invalid or expired certificate may indicate that the site is neither authentic nor secure.
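The two checks in the tips above (is the address https, and is the certificate inside its validity window) can be made programmatically, which does not depend on where a particular browser draws its padlock. The following is an added example, not code from the page. It works on a constructed certificate summary in the same shape Python's `ssl` module returns from `getpeercert()`, so it runs offline; the `live_check` function at the end shows the same checks against a real server and is not exercised here.

```python
"""Check a URL's scheme and a certificate's validity dates. Added example,
not from the OUCH! page. SAMPLE_CERT is a constructed dict in the shape that
ssl.SSLSocket.getpeercert() returns; no network connection is made."""
import socket
import ssl
import time
from urllib.parse import urlparse

# Constructed certificate summary (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.test"),),),
    "notBefore": "Jan 01 00:00:00 2013 GMT",
    "notAfter": "Dec 31 23:59:59 2013 GMT",
}


def at(cert_time: str) -> float:
    """POSIX timestamp for a time written in certificate notation, e.g.
    'Jun 15 00:00:00 2013 GMT'; lets callers pin 'now' for repeatable checks."""
    return ssl.cert_time_to_seconds(cert_time)


def check_url_scheme(url: str) -> list:
    """Return findings about the URL's transport; empty means https."""
    parsed = urlparse(url)
    findings = []
    if parsed.scheme != "https":
        findings.append(f"scheme is {parsed.scheme or 'missing'}, expected https")
    return findings


def check_cert_validity(cert: dict, now: float) -> list:
    """Return findings if the certificate is not yet valid or has expired."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    findings = []
    if now < not_before:
        findings.append("certificate is not yet valid")
    if now > not_after:
        findings.append("certificate has expired")
    return findings


def assess(url: str, cert: dict, now: float = None) -> list:
    """Combine both checks; 'now' defaults to the current time."""
    if now is None:
        now = time.time()
    return check_url_scheme(url) + check_cert_validity(cert, now)


def live_check(url: str, timeout: float = 5.0) -> list:
    """Same checks against a live server. The default context also verifies
    the chain and the hostname and raises ssl.SSLError when they do not
    match, which is the 'invalid certificate' case the tip describes."""
    host = urlparse(url).hostname
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return assess(url, tls.getpeercert())


if __name__ == "__main__":
    for finding in assess("http://shop.example.test/pay", SAMPLE_CERT,
                          now=at("Mar 01 00:00:00 2014 GMT")):
        print("finding:", finding)
```

Expiry is only one failure mode; a certificate issued for a different hostname or by an untrusted issuer is just as much a reason to stop, and in the live variant the default `ssl` context rejects both before `getpeercert()` is ever reached.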
December 8, 2013
Don't check "remember my password" boxes
Numerous programs offer the option of "remembering" your password. Unfortunately, many of them have no built-in security measures to protect that information. Some programs actually store the password in clear text in a file on the computer. This means anyone with access to the computer can read the password. It's best to retype your password each time you log in, eliminating the possibility that someone will be able to steal or use it.
December 7, 2013
Change your password on a schedule.
Passwords are like bubble gum; they are better when fresh. The longer and more complex your password is, the harder it is to crack, and the less often you'll need to change it. If you use an 8-character password, you should change it about every six months. Remember: never use a password with fewer than 8 characters. If you use a 9-character password and follow the rules about uppercase and lowercase letters, numbers, and symbols, it will stay fresh for a whole year. If you can't remember the last time you changed your password, it's time to change it.
December 6, 2013
Don't use unauthorized software
It may be tempting to use useful-looking software that you can get free on the Internet, but these tools may carry a hidden cost. Installing them may often cause other programs to stop working and it can take a long time for your IT teams to track down the problem. More seriously, they can display unwanted ads, slow your PC down or make it less secure by letting the PC download more ads from the Internet. Most seriously, they can be infected by viruses or spyware that are intended to damage your PC or steal confidential information.
December 5, 2013
Choose a password that's hard to crack
When choosing a password, start with a sentence that you can easily remember. For example: "Los Angeles Lakers will win the NBA tournament this year". Then take the first letter of each word and add some special characters and numbers at the beginning, at the end, or both. For example, from that sentence you could get the password =3LALwwtNtty$. This method lets you come up with easy-to-remember passwords that are also hard to crack, and you avoid the need to write such a long password down in order to remember it.
December 4, 2013
Don't Investigate a Security Problem Unless You Are Authorized by the System Owner
A security specialist was suspicious after donating to a charity website and not getting an acknowledgement. So he ran a couple of tests on the site to see if it was what it claimed to be. Unfortunately, he set off the site's security alarms, ending up convicted of a crime under the UK Computer Misuse Act and out of a job. At work, rather than trying to check by yourself, report suspected problems inside your company to your manager, IT area or security team. Aside from getting into trouble, you could destroy evidence or confuse people who are investigating an issue. http://www.channelregister.co.uk/2005/10/06/tsunami_hacker_convicted/
December 3, 2013
Use common sense when reviewing your email
If you did not order a new laptop, then you should not be receiving an update on its shipping status. Delete these emails.
December 2, 2013
Patch and update on a regular basis
Because hackers are constantly looking for vulnerabilities, it is important to keep your software up to date and patched. Unpatched, out-of-date systems are a leading cause of security incidents. Take the time to ensure you have the most recent patches and updates installed.
December 1, 2013
Beware of Shoulder Surfing
A person standing nearby as you fill out a form, enter your PIN, or punch in your calling card number may be doing more than just waiting their turn. To help prevent shoulder surfing, shield your paperwork from view using your body and cup your hand over the keypad.
Submitted by Nitin Dewan
November 30, 2013
If you print it, go get it right away!
Don't leave important, sensitive, or confidential material lying around the office. Common printing areas are frequented by people coming and going. Often you will be in line to pick up your documents, and others may handle them before you. This leads to unnecessary information disclosures. One manager had a print job disappear and e-mailed the whole floor about it; the pages never turned up. Always use the closest print station, or a dedicated printer for confidential information, and go get it right away!
November 29, 2013
Back up important files on a regular basis
Back up important files on a regular basis and store the backups in a safe place, preferably off site. You can back up files to removable disks or save copies to network shares. Unfortunately, it's not a matter of "if" you'll lose files one way or another; it's a matter of "when".
November 28, 2013
Limit the amount of personal information you post about yourself, your friends, and your family
As a general rule, don't post anything you wouldn't want the world to see or know about. Think of social networking sites like MySpace as giant billboards. The good guys (teachers, law enforcement officials, future employers, family members) and the bad guys (predators, stalkers, and con artists) can all view the information you post. You should also control who can view your information by restricting access to your pages.
November 27, 2013
Review your credit reports routinely
The Fair Credit Reporting Act (FCRA) requires each of the nationwide consumer reporting companies — Equifax, Experian, and TransUnion — to provide you with a free copy of your credit report, at your request, once every 12 months. Take advantage of these free reports, and verify the information that they contain. - Don Young
November 26, 2013
Change that password!
A woman has been fined GBP 500 (US $975) for reading email messages from her previous employer's account. Susan Holmes had worked for a nanny agency that accepted registration forms through an AOL email account. The company neglected to change the account password after Holmes left, which allowed her access to the information. The company became suspicious after a noticeable decline in the amount of email they received on the account in the first few months of 2007. AOL connection logs revealed IP addresses that eventually led to Holmes being identified as the culprit. Last week, she pleaded guilty to unauthorized access to a computer, in violation of Section One of the Computer Misuse Act 1990.
November 25, 2013
Check for encryption or secure sites when providing confidential information online
Credit card and online banking sites are convenient and easy ways to purchase and handle financial transactions. They are also the most frequently spoofed or "faked" sites for phishing scams. Information you provide to online banking and shopping sites should be encrypted and the site's URL should begin with https. Some browsers have an icon representing a lock at the lower right of the browser window. For more information about phishing, please visit http://www.onguardonline.gov/phishing.html
November 24, 2013
Use variations on a strong "core" password
It's tough to remember a series of strong passwords and use a different one for each online system or site you access. The temptation is to use the same password for several or all systems and sites. That's a bad idea -- if a Bad Guy gets a hold of your password, he'll have the key that fits all of your doors. Instead, create a strong "core" password and then unique variations on it for each online system or site you use. Here's a strong password: 5P0ky!3Z. It contains 8 characters, a mixture of uppercase and lowercase letters, at least one number and one non-alphanumeric character or symbol, and no personally identifiable information. By adding a character or two at the beginning or the end, you can have many variations to use for each system or site -- effectively creating a new strong password for each one. Remember to change your "core" password and its variations on a regular basis.
- Carl Hill, Toronto, Canada
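The password tips on this page (the 8-character minimum and the four character classes from "Change your password on a schedule", the sentence-initials method from "Choose a password that's hard to crack", and the core-plus-variation scheme just above) can be written down as a small checker. This is an added example, not code from the page or from the tips' authors; the rules it enforces are the ones stated in those tips and nothing stricter.

```python
"""Password rules from the tips on this page: at least 8 characters, with
uppercase, lowercase, digits and symbols. Also builds a password from the
first letters of a sentence, as the tip describes. Added example."""
import string

MIN_LENGTH = 8  # the minimum the tips give


def from_sentence(sentence: str, prefix: str = "", suffix: str = "") -> str:
    """Take the first character of each word, keeping its case, and wrap the
    result in the chosen prefix and suffix of digits and symbols."""
    initials = "".join(word[0] for word in sentence.split() if word[0].isalnum())
    return f"{prefix}{initials}{suffix}"


def policy_findings(password: str) -> list:
    """Return the rules the password fails; an empty list means it passes."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        findings.append("no uppercase letter")
    if not any(c.islower() for c in password):
        findings.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        findings.append("no digit")
    if not any(c in string.punctuation for c in password):
        findings.append("no symbol")
    return findings


def check_variants(core: str, tags: dict) -> dict:
    """Apply the core-plus-per-site-suffix scheme and check every variant.
    Returns {site: findings} so a weak variant is visible at a glance."""
    return {site: policy_findings(core + tag) for site, tag in tags.items()}


if __name__ == "__main__":
    # Constructed inputs for the demonstration.
    pw = from_sentence("Los Angeles Lakers will win the NBA tournament this year",
                       prefix="=3", suffix="$")
    print(pw, policy_findings(pw) or "passes")
    for site, findings in check_variants("5P0ky!3Z", {"mail": "m1", "bank": "b2"}).items():
        print(site, findings or "passes")
```

The checker passes every example the tips give, which is the point of writing it down: a rule you can run is a rule you can apply consistently. Note that variants built from one visible core share most of their characters, so if one of them is exposed the others are much easier to guess than an unrelated password would be; the tip's advice to change the core and all its variants together follows from that.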
November 23, 2013
Securing your wireless network - priceless!
Laptop: $1,000 Wireless router: $100 Being able to connect to the Internet with peace of mind, knowing that you did it safely: priceless.
Wireless networks are inherently unsafe because anyone within range can use them and potentially steal your information if these networks are not set up properly. If you don't know what needs to be done to secure them, get help from a technical friend or use a professional from the store where you bought it.
November 22, 2013
If you're not sure you've seen an incident, report it anyway
Most security folks (and IT folks, for that matter) would rather hear about a problem from you than to figure it out afterwards while troubleshooting a system failure. If a phone call from User Support doesn't sound quite right, if a common email announcement is just a little off, or if a caller on the phone is too stressed to remember his or her password — don't be pressured and don't be rushed. Rush and pressure are among the "social engineering" hacker's best tools. Ask for help! Call your supervisor, call your IT group, and call your InfoSec group on the spot for assistance. You are as responsible (or more) to the whole company as you are to the one person on the phone! Don't let one person's stress jeopardize the organization's information security.
November 21, 2013
Don't make that call!
If you receive an email asking you to call an 800 number related to a banking issue, don't call the number. Your credit card has a phone number on the back, as do your account statements. Be safe: don't call a phone number listed in an email; instead, look the number up on your account statements. There is a new attack called Vishing, designed to have you call a fake, automated answering system and enter your account number and other sensitive information.
November 20, 2013
Print out important documents
A digital photography expert told me that CDs are expected to "live" for up to ten years. I want kids—and maybe grandkids—to see photos, so I print the best ones. Same goes for documents: print important files so that they are accessible in future decades. Of course, you want to back up these files too.
November 19, 2013
Don't Click to Agree without Reading the Small Print
Some free software passes your information on to advertisers, changes your PC or downloads other software without asking you. Some suppliers will claim that this is OK because you agreed to this. How? People often click on the "agree" button to accept 20 pages of difficult legal jargon they don't understand. But buried in the middle can be a sentence allowing the software to do whatever it likes. You can argue in court that the terms aren't reasonable, but then it will be too late — the damage has been done and your PC is broken. Learn from other people's pain: if terms and conditions are hard to understand, it is probably deliberate. If it isn't worth the trouble to read the conditions, don't risk using the software.
November 18, 2013
Don't open email about Michael Jackson
When a major news event happens, cyber criminals send email with a subject line related to the event and include an attachment containing malware that infects your computer and makes it part of a botnet for sending spam and conducting other illegal activities. You can see examples of these catchy subject lines at http://www.flickr.com/photos/panda_security/with/3256919391/
November 17, 2013
Many people think that 'formatting' a hard drive will wipe out all the data so it cannot be recovered
Not so. To prevent the possibility of future recovery, use a third-party, low-level hard drive formatting tool, such as Killdisk (downloadable at no charge from www.killdisk.com) to overwrite data on the hard drive with a random sequence of 1's and 0's.
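The reason formatting is not enough is that it rewrites the filesystem's bookkeeping, not the data blocks; what removes data is writing over every byte. The following added example (not code from the page, and not the Killdisk tool it mentions) shows the file-level version of that overwrite on a temporary file it creates itself, including the read-back check that the original content is really gone before the file is deleted.

```python
"""Overwrite a file's contents with random bytes before deleting it, the
file-level counterpart of the disk-level overwrite the tip describes.
Added example, not from the OUCH! page; demo() works on a temp file."""
import os
import tempfile


def overwrite(path: str, passes: int = 3, chunk: int = 1 << 16) -> int:
    """Overwrite every byte of 'path' with random data 'passes' times, forcing
    each pass to the device with fsync. Returns the number of bytes covered."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:  # r+b: write in place without truncating
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(os.urandom(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push the pass to the device, not just the cache
    return size


def overwrite_and_delete(path: str, passes: int = 3) -> int:
    """Overwrite, then remove the directory entry. Returns bytes overwritten."""
    size = overwrite(path, passes)
    os.unlink(path)
    return size


def demo() -> bool:
    """Write a constructed marker to a temp file, overwrite it, and confirm the
    marker no longer appears and the size is unchanged. Returns True on success."""
    marker = b"CONSTRUCTED-SAMPLE-SECRET-0001"  # constructed content, not real data
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(marker * 1000)
    original_size = os.path.getsize(path)
    covered = overwrite(path, passes=2)
    with open(path, "rb") as f:
        after = f.read()
    ok = (marker not in after
          and len(after) == original_size
          and covered == original_size)
    os.unlink(path)
    return ok


if __name__ == "__main__":
    print("overwrite verified:", demo())
```

The check matters because the write can succeed while the bytes never reach the platters, which is what the `fsync` guards against. Two limits apply and are why the tip points at a whole-disk tool rather than per-file deletion: wear-levelling on SSDs and flash media can leave old copies in blocks the file no longer maps to, and journaling or copy-on-write filesystems, backups and snapshots may hold copies this routine never touches.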
November 16, 2013
Nobody from the Help Desk needs your password
While watching some scenarios in some videos on computer security, one of the audience members turned bright red. After the video, she confided in me that she had once received a call from "The Help Desk" saying that they needed her password to trouble-shoot a problem they were having backing up her files. She provided it. Fortunately, she thought about it and 5 minutes later called the help desk to confirm. The help desk staff immediately locked her account and had her drop by with ID so they could provide her with a new password.
November 15, 2013
Avoid opening email attachments
If you MUST open an attachment received in an email, make sure the email was sent from a known source. Read the accompanying email text to make sure it really sounds like it came from the apparent sender — check for a signature and other recognized patterns.
November 14, 2013
If you download FREE software... make sure you don't get more than you bargained for
Free software that you download could be just what you think it is — a single software package. However, many times free software comes bundled with other unwanted, harmful programs including spyware, viruses, or even Trojan horse programs. To help keep your computer free from unwanted guests, make sure the site you are downloading from is one you know and trust. Also verify that your operating system and anti-virus software have been updated and patched BEFORE you click the download button!
November 13, 2013
Never respond to an email asking for personal information
Companies you do business with should never ask for account information, credit card numbers or PIN information in an email message. If you have any questions about an email you receive that supposedly comes from your financial institution, call the local branch office. Do NOT respond to the email.
November 12, 2013
Use a password protected screen saver
Desktop computers should be locked or logged off when the user steps away from the terminal. Password-protecting the Windows screen saver is one way of "locking" the desktop. To do this, right-click on the desktop and go to "Properties"; select the "Screen Saver" tab; and check "On resume, password protect".