To learn more about information security and how to keep yourself, family, and friends secure subscribe to OUCH!, the free, monthly security awareness newsletter, now published in over twenty languages. More at the OUCH! homepage.
It may be tempting to use useful-looking software that you can get free on the Internet, but these tools may carry a hidden cost. Installing them can cause other programs to stop working, and it can take a long time for your IT team to track down the problem. More seriously, they can display unwanted ads, slow your PC down, or make it less secure by letting the PC download more ads from the Internet. Most seriously, they can be infected with viruses or spyware that are intended to damage your PC or steal confidential information.
August 1, 2014
Beware of Shoulder Surfing
A person who is standing nearby as you fill out a form, enter your PIN, or punch in your calling card numbers may be doing more than just waiting their turn. To help prevent shoulder surfing, shield your paperwork from view using your body and cup your hand over the keypad.
Submitted by Nitin Dewan
July 31, 2014
Passwords: Be creative
If you can't remember hard passwords no matter how hard you try, put your password in parentheses. baseball38 is a weak password. (baseball38) is much better.
When you change your password, you should always change at least half of it and when you do, change the parentheses as well. Change the parentheses to asterisks, exclamation points or dollar signs. *sallyandbob39* is better than sallyandbob39, and !jimandbetty93! is better than jimandbetty93.
July 30, 2014
Don't tell ANYONE your password
One way someone could learn your password is to phone you claiming to be from another part of your organization, maybe your IT or Audit teams, and say they need your account details to let them investigate a problem. This should never be necessary. Good systems are set up so that nobody but you will ever know your password, and authorized IT workers have their own accounts giving them access to what they need.
July 29, 2014
Make your password complex.
A good password should contain a mix of all four types of characters: uppercase and lowercase letters, numbers, and symbols. Any character on your Windows or Mac keyboard is legal in a password you make for your own computer. Remember to include at least 8 characters and avoid common words and proper names. Some characters may be illegal for certain networked systems; when in doubt, try it out. Another way to make your password complex is to base it on a word in a foreign language with at least 8 letters, avoiding common words and proper names. Just add a number, a symbol, and a capital letter or two as you go.
July 28, 2014
Don't use e-mail to send private messages
In a hospital romance right out of prime time television, one young woman involved in a three-way love triangle used her personal hotmail account to send romantic messages. She got a response she definitely did not expect: the party she had been cheating on cracked into her hotmail account, printed out some very personal messages and posted them on the message board at the small town supermarket for all to see. Moral of the story: protect your passwords. And PS. As long as you're planning on getting fired, you're better off spending time working on your resume than sending romantic e-mails that you don't want publicized.
July 27, 2014
Don't leave thumb drives or other small devices lying around
Laptops and handheld devices like Palms aren't the only things that can be stolen from your workspace. When not in use, thumb drives and other small valuable devices (wireless cards, headphones, cell phones, etc.) should be stored in a safe place. At the very least, put them in a desk drawer so they're out of sight. Don't tempt a thief!
July 26, 2014
Don't download sets of pictures from the Internet
A user downloaded a set of photos of pop icon Paris Hilton for her Windows desktop. Windows asked her to say yes to executing the file when she got it. Assuming it was just pictures, she agreed. Within a couple of hours, she knew something was wrong when her computer started to slow down to the point where she was unable to use it. Even when she rebooted, she couldn't launch her own programs. The IT department determined that she had downloaded a Trojan program along with the photo: her freebie photo had a malicious payload attached that used her computer to send out spam for a bad guy. Her computer had to be rebuilt to eliminate the program. She lost most of the day and a lot of her personal computer settings in the process.
July 25, 2014
Beware of USB flash drives' autoplay feature
A white hat hacker broke into a bank by leaving 20 USB tokens lying around the bank's parking lot for employees to find. When they plugged in a USB token, a Trojan backdoor was installed on the employees' computers and the hacker was into the bank's network! Some employees claimed they were being helpful — trying to find the token's owner; others were curious about the token's contents; still others thought they had scored a free USB token and tried unsuccessfully to reformat it. Unfortunately, the new "U3 Technology" on these tokens prevented a hidden partition from being deleted, and that partition contained a remote access Trojan which installed itself by emulating a CD-ROM and using Windows XP's CD-ROM autoplay feature.
July 24, 2014
Protect your home wireless networks
No matter how friendly you are, you wouldn't let your neighbor read your bank statements and private letters. If you have a wireless network in your house and don't protect it, you could be doing just that. As they come "out of the box", most wireless networks let anyone in range connect to them and that could also let them see your PC and your email. It is worth taking a few extra minutes when setting them up to enable the encryption settings. Briefly, if you don't understand the jargon, WPA is better than WEP.
July 23, 2014
Don't plug in USB drives that you find lying around. Criminals can use them to steal your data
People's natural curiosity and desire to help were exploited by consultant Steve Stasiukonis, who was hired to check security awareness at a credit union. He loaded malicious software onto old thumb drives and left the drives on the ground and on tables in the parking lot and smoking areas. Each time a curious, helpful person plugged one of the thumb drives into a computer, it loaded the software and reported who had taken the bait. His test was harmless, but criminals can use the same technique to take control of our computers. The full story can be found at this link: http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1
July 22, 2014
Check and make sure your friend sent that great screensaver
A common method of transmitting malware is by infecting some unsuspecting user's computer and then using that computer to infect others. One simple way to do this is for a hacker to hijack your address book and send copies of the malware to everyone in that address book. Of course, YOU need to be enticed to run the malware, and the best way to do that is to fool you into thinking the attachment is something else. If a friend or acquaintance sends you a "great screensaver" or something like that, which you were not expecting, take a few minutes to confirm that person really sent it. If they know nothing about it, then delete the message.
July 21, 2014
Protect files with a password
Your most important files can be protected with a password. For example, in Microsoft Word, you can create a password to open and a password to modify a file. Just go to Tools | Options and click the Security tab. Remember the password so you don't lock yourself out!
July 20, 2014
If your browser questions a website's security, stop, think, and verify.
When visiting the "https" secure sites of banks and online shopping retailers, you may see an onscreen warning, such as "There is a problem with the website's security certificate" or "Secure Connection Failed." Don't just click to continue or to make an exception. The warning may only indicate that there is a harmless temporary problem with the site or with the network. But it can also mean that the site is bogus or has been compromised by hackers, and someone is listening in on your conversation with your bank or retailer.
Be smart. Contact your bank or retailer by phone to find out if they know about a problem with their website or the network. Don't be the next victim of fraud.
July 19, 2014
Only deal with reputable companies that you know and trust
At the very least be sure the company has a physical address and phone number. If you haven't done business with the company before, visit the Better Business Bureau online (http://www.bbbonline.org) and do some research. Check the company's website for feedback from previous customers.
July 18, 2014
Don't fall for phishing schemes
Could you tell if an email message requesting personal information was legitimate? In most cases you can trust your instincts (if an email message looks suspicious, it probably is). However, there are some messages that look like the real thing but aren't. If an email message contains any of the following phrases, there's a good chance it could be a phishing scheme.
We need to verify your account information.
If you don't respond immediately, your account will be cancelled.
Click the link below to update your information.
Take the following Phishing Quizzes and see how good you are at identifying phishing schemes.
When selecting a screen name...make sure it doesn't say too much about you
Screen names that hint at personal interests, hobbies, or favorite sports, combined with other clues in your profile, can give someone enough information to figure out who you are and where they can find you.
July 16, 2014
Back up important files on a regular basis
Back up important files on a regular basis and store the backups in a safe place (preferably off site). You can back up files to removable disk or save copies to network shares. Unfortunately, it's not a matter of "if" you'll lose files one way or another; it's a matter of "when".
July 15, 2014
Turn off your wireless AP when it's not in use
Power off your wireless access point (AP) when you know you won't be at home or when it's not in use. Your AP can't be accessed by hackers when it is not powered on. So, turn it off and limit the amount of time you leave yourself open to attack.
July 14, 2014
Can you hear me now? Do NOT trust your cell phone Bluetooth earpiece
Many cell phone Bluetooth hands-free earpieces have a default PIN of 0000. A hacker with a Bluetooth antenna can connect to your earpiece and eavesdrop on everything that you are saying. In fact, they can even transmit to it. Think that's unlikely? Check out the YouTube video at: http://www.youtube.com/watch?v=1c-jzYAH2gw
July 13, 2014
Don't tell anybody your password
This warning includes your systems administrator, who NEVER needs your password. One day I received an e-mail from "Support@Waidele.info", saying they needed my password for maintenance, and if I did not go to a webpage and give it to them, they would suspend my account. As it turns out, I'm the one in charge of "waidele.info" — so I'm the one who gives out accounts and does maintenance. Things might have ended differently if I had had an account with googlemail.com or aol.com. Then the senders would have called themselves "firstname.lastname@example.org" and I might have been fooled.
July 12, 2014
Use caution when opening email attachments
Email attachments are a common tool for attackers because forwarding email is so simple. Users often open attachments that appear to come from someone they know or an organization they do business with. Almost any type of file can be attached to an email message, so attackers have more freedom with the types of viruses they can send. If your email program includes an option to automatically download email attachments, DON'T take it. Doing so could immediately expose your computer to any viruses included in the email attachments.
July 11, 2014
Don't use information related to yourself as a password
Students at a school in London exploited a teacher's poor password selection to access grades and other school records. The teacher had used his daughter's name as a password, but became suspicious when students made reference to an excursion, which had not yet been announced, so he changed his password to the registration number of his car, which was parked outside the school every day. When he received complaints from other teachers about grades being leaked, he changed it again, this time to his postcode. The students in question cracked this within days too.
July 10, 2014
Always log off your own computer. Do not let anyone else offer to do it for you
One of our branch supervisors was offering to log her staff off for them, so they didn't have to wait, and could get on with their evenings away from work. She wouldn't really log them off, though, but would just turn off their computer monitors. Once the staff had left for the evening, she would go back to the computers to see who was still signed in to the banking software. If she found someone still signed in, the supervisor would then defraud the bank, using her staff's IDs to cover her tracks.
July 9, 2014
Lock your workstation before you leave your desk
Did you know there are keyboard shortcuts other than CTRL+ALT+DEL that you can use to lock your desktop? This will prevent people from walking up and snooping on your computer. You can save a keystroke by simultaneously pressing the Windows key + L. The Windows key has four wavy squares.
Or, to make things even easier, create a desktop shortcut.
Right-click any empty area of your desktop and choose New, then Shortcut
Type in the following as the location: rundll32.exe user32.dll, LockWorkStation
Name your shortcut
Now it's as easy as a double click!
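The same shortcut, created from a script instead of the desktop wizard. This is an added example, not part of the original tip; it uses the standard WScript.Shell COM object, and the shortcut name and desktop location are assumptions.

```powershell
# Added example: create the lock-workstation shortcut described in the tip.
# Assumed: the shortcut is named "Lock Workstation.lnk" on the current user's desktop.
$desktop  = [Environment]::GetFolderPath('Desktop')
$linkPath = Join-Path $desktop 'Lock Workstation.lnk'

$shell    = New-Object -ComObject WScript.Shell
$shortcut = $shell.CreateShortcut($linkPath)

# Same command as the tip: rundll32 calls the LockWorkStation export of user32.dll,
# which is exactly what Windows key + L does.
$shortcut.TargetPath  = Join-Path $env:SystemRoot 'System32\rundll32.exe'
$shortcut.Arguments   = 'user32.dll,LockWorkStation'
$shortcut.Description = 'Lock this computer (same as Windows key + L)'
$shortcut.Save()

# Read the shortcut back and confirm it points at the lock command and nothing else,
# so a tampered or mistyped shortcut is caught before anyone relies on it.
$check = $shell.CreateShortcut($linkPath)
if ($check.Arguments -ne 'user32.dll,LockWorkStation' -or
    $check.TargetPath -notlike '*\System32\rundll32.exe') {
    throw "Shortcut was not written as expected: $linkPath"
}
Write-Host "Created $linkPath - double-click it to lock the workstation."
```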
July 8, 2014
Letting Family or Friends Use Your Employer's Computers Can Be Bad for You
A candidate for Parliament in the UK received a lot of bad publicity when people took offense at a message her husband sent from her Council email account. She isn't the first person to get into trouble over a family member misusing their work email account or PC. Very few organizations let employees' families use their PCs. If you work from home on a corporate PC, then check your company policy and clarify boundaries with household members. (http://news.bbc.co.uk/1/hi/uk_politics/6121646.stm?ls)
July 7, 2014
Avoid Ad-hoc wireless networks
Disable automatic connection to any new networks and limit your connections to access point (infrastructure) networks only:
Click the "Start" button and navigate to the "Control Panel" and then to "Network Connections."
Right-click on the "Wireless Network Connection" and choose "Properties".
Pick the "Wireless Networks" tab, then the "Advanced" button:
Make sure that the check box next to "automatically connect to non-preferred networks" is not checked.
Click on Access point (infrastructure) networks only to avoid ad hoc networks.
This configuration prevents you from automatically connecting to any new networks and refuses all ad-hoc networks, which have the potential to monitor traffic that passes through them.
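The steps above are for the Windows XP wireless settings dialog. The following is an added example, not part of the original tip, that applies the same two settings (refuse ad hoc networks, never auto-connect to saved networks) on a current Windows version using the built-in netsh wlan commands. It assumes an elevated PowerShell prompt and an English-language Windows, since it parses netsh's text output.

```powershell
# Added example: harden Wi-Fi settings with netsh wlan (run as Administrator).
# Assumes English netsh output; the label "All User Profile" is locale-specific.

# 1. Refuse every ad hoc network, whatever its SSID.
netsh wlan add filter permission=denyall networktype=adhoc | Out-Null

# 2. Collect the saved Wi-Fi profiles from "netsh wlan show profiles" output,
#    whose lines look like "    All User Profile     : CoffeeShopWiFi".
$profiles = netsh wlan show profiles |
    Where-Object { $_ -match 'All User Profile\s*:' } |
    ForEach-Object { ($_ -split ':', 2)[1].Trim() }

# 3. Switch each saved profile to manual connection, so the PC only joins a
#    network when you deliberately choose it (the XP "non-preferred" setting).
foreach ($name in $profiles) {
    netsh wlan set profileparameter name="$name" connectionmode=manual | Out-Null
}

# 4. Verify: list the active filters and each profile's connection mode.
Write-Host "Wi-Fi filters now in place:"
netsh wlan show filters

Write-Host "`nSaved profiles and their connection mode:"
foreach ($name in $profiles) {
    $mode = (netsh wlan show profile name="$name" |
             Select-String 'Connection mode').ToString().Trim()
    "{0,-30} {1}" -f $name, $mode
}
```

Any profile that still reports "Connect automatically" afterwards was not changed (for example, a profile with a name netsh could not match), and should be fixed by hand.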
July 6, 2014
Always lock your computer (by pressing CTRL + ALT + DELETE and hitting "Enter") before walking away from it
Locking your computer before leaving it unattended prevents anyone else from accessing it while you are away. This is especially important when there are customers in your office. Leaving your computer unlocked can expose customer data to a third party. Even when there is no one in your office, data could be exposed if your computer screen faces an outside window, especially on the ground floor.
July 5, 2014
Don't Accept Offers of "Free PC Scans" That Pop up When You Use the Internet
Secure Computers LLC paid a $1,000,000 fine for offering "free spyware scans" that told users their systems had been infected with spyware, even if the system was clean. They are not the only ones doing this — when you surf the Web you are still likely to see pop-up windows like that. Some "scans" don't just give misleading results; they actually try to install unwanted software on your PC. Often the pop-ups only have a "scan" button and no "cancel" or "quit" option. In fact, they could interfere with your PC no matter which of the buttons you choose. Be safe: close pop-ups like this by clicking on the X in the top right corner of the browser window. Better yet, use pop-up blocker software (http://www.vnunet.com/vnunet/news/2170208/security-firm-pay-million-false).
July 4, 2014
Wireless Hotspots...limit activity to web surfing only
A hotspot is a wireless network that is open to everyone. An example would be the wireless network at your favorite coffee shop. These networks hook computers into the public Internet — handy but dangerous. Because wireless hotspots are for open use, they don't provide much protection for your data. When using a wireless hotspot, try to limit activity to web surfing only. You should also disable peer-to-peer networking, file sharing, and remote access. Always use a good personal firewall and, of course, make sure all your software, including your operating system (like Windows), is up to date and patched. You should never use hotspots for online banking, bill paying, or for making purchases that require you to give out confidential information such as a credit card number.