ITS Security Tip of the Week Archive
Protecting sensitive data is everyone’s responsibility. To increase awareness of careless online habits and help build good practices, ITS offers these security tips. Please contact the ITS security team at firstname.lastname@example.org for more information or if you have any questions about the security of your personal information.
Sensitive Information Paper Document Disposal (May 21, 2012)
Sensitive information is defined in UH Policy E2.214 and includes information such as social security numbers, student records, health information, personal financial information, driver’s license numbers, etc. Read the policy for more information. If sensitive UH information is disclosed, it may be classified as a breach and require legal action, causing possible harm to the affected individuals and to UH’s reputation, along with legal fees and fines.
The major focus of document disposal is digital information disposal: hard drives, flash drives, CDs, and digital files. However, paper documents with sensitive information tossed in the trash can be retrieved by a dumpster diver, and doing so is legal if the dumpster is in a public place. Dumpster diving is the act of sifting through a person’s or business’s trash looking for discarded items that can be reused. Dumpster diving does not sound like a desirable activity, but it is a highly effective way for attackers to gather sensitive information that they can then use for monetary gain.
Dumpster diving is only one example of exposing sensitive information that has been discarded. Sensitive papers left out in the open can be seen and retrieved by attackers. Papers may accidentally be left in a public place, fly out of a vehicle, or be used as scratch paper. In all these examples you are putting your personal information or your business information at risk.
So what should you do? First of all, limiting and reducing the amount of sensitive information you print will reduce the risk of accidental disclosure. Secondly, documents with sensitive information should be stored in a secure area and be accessible only to those with a need to view the information: a locked file cabinet, a locked storage room, or another secure area. Finally, when it comes time to dispose of the documents, they should be shredded first. The best method for shredding sensitive information is a cross-cut shredder that produces pieces small enough that the data cannot be reconstructed. A strip-cut shredder is not secure against someone who wants to reconstruct the information. This NY Times article documents two examples of document reconstruction.
Reminder (May 14, 2012)
Protecting sensitive data is everyone’s responsibility. To increase awareness of careless online habits and help build good practices, ITS encourages you to review these weekly tips. Have you changed your password(s)? If not, refer to the password tips from Weeks 1, 2, 3 and 4.
Password Management (May 7, 2012)
An important part of password security is how passwords are stored and managed. Having a strong and secure password is pointless if everyone knows it. While keeping your password in your head is the most secure way to store it, with all of the different websites and passwords people must maintain today it is sometimes impossible to remember them all. Here are some tips on how to securely store usernames and passwords.
1. Never post your password on your monitor or on a Post-it note under the keyboard or mouse. Those are the first places people with physical access to your computer will check.
2. Use a password manager. These applications install on your computer or smartphone and can store many usernames and passwords. If you use a password manager, it is important that you remember the master password and use a PIN code to protect your smartphone. Always close the application when you are done using it, and use a screen saver password to ensure no one can access your passwords if you walk away from your computer. You should also back up the manager’s database in case of hardware failure. More information on password managers can be found at http://lifehacker.com/5042616/five-best-password-managers
3. Some applications, such as Facebook, offer a feature called “Trusted Friends” that will help you recover your password if you ever get locked out. By enabling this feature you don’t have to worry about giving someone your password if you ever get locked out: Facebook sends a security code to each trusted friend, and you need to collect all 3 codes in order to log in. Be very careful about whom you select as a trusted friend. More information on Trusted Friends: https://www.facebook.com/help/?faq=119897751441086
Examples of Password Exploits (April 30, 2012)
Password security is one of the weakest links in protecting access to data. There have been many data breaches involving passwords: phishing emails, where a user provides the password willingly; key loggers installed on computers that capture passwords without the user’s knowledge; attackers using password crackers to capture and break passwords; and, accounting for the largest number of stolen passwords and login credentials, theft from databases, as in the recent Sony BMG Music, Sony Pictures, Facebook, Gmail, and Sony PlayStation Network (PSN) breaches.
What can you do to protect your login information?
· When possible, create a login name that is unique and is not your name, account number, or other information directly linked to you.
· Always create a strong password: no dictionary words, a mix of upper and lower case and special characters, and no fewer than 8 characters (the longer the better), but most importantly something you can remember without writing it down.
· Create different usernames and passwords for the various accounts you subscribe to. You need multiple usernames and passwords because if a hacker gets one set of account credentials, it can be used to gain access to every account that shares the same password. For example, in the Sony breach mentioned above, 92% of the users were found to have the same password across accounts (read the eWeek article). Therefore, the login credentials you use for Facebook should not be the same ones you use for your bank account.
Refer to the UH AskUs article on compromised UH usernames: http://www.hawaii.edu/askus/1064
UH Policy E2.210 (April 23, 2012)
Passwords are an important key to keeping information secure. For this reason users are responsible for adamantly protecting their personal passwords, as described in UH policy E2.210. The following is an excerpt from policy E2.210, section III. Responsible Use, B. Principles of Responsible Use.
1. Users must adamantly protect their personal passwords
Passwords are the basic security mechanism, which authenticate individuals as eligible to use University resources. The username and password also authorize individuals to perform specific actions based on the identity of the user, such as permitting students to drop classes or faculty to view class lists. Many legal and ethical violations begin when the culprit obtains use of someone else’s password, wittingly or unwittingly shared.
Passwords should be chosen that are difficult to guess and should not be written down. Experts recommend changing passwords on a regular basis. Under no circumstances should a password be shared with a family member, friend or acquaintance, much less any stranger or caller. Appendix C contains a guide to the selection and management of personal passwords. Users should immediately report any suspected unauthorized use of their username to their system administrator.
Please refer to the policy E2.210 link above for additional information on password use.
Creating Strong Passwords (April 16, 2012)
Usernames and passwords are the most common form of security used to authenticate a user’s access to computer systems. Whether you are creating a password for your UH account or for your personal accounts, the following guidelines will help ensure that only you have access to your data. It is essential to keep your passwords private, create strong passwords, use different passwords for different accounts, and change them regularly. The following are guidelines for password security:
· Do not use personal information or dictionary words in any language, because they are easily guessed or cracked.
· Use different passwords for work, personal, email, banking, online purchases, etc., because if one password is compromised you want to limit the damage the hacker can do.
· Make an effort to change your passwords at least annually; the security community recommends changing passwords regularly, at least quarterly.
· Do not reuse passwords.
· Create a long password, preferably no fewer than 8 characters – the longer the better.
· Use a combination of upper and lowercase letters, numbers, and special characters.
· Microsoft provides a site where you can check your password strength, which should give you an idea of how to create strong passwords: https://www.microsoft.com/protect/fraud/passwords/checker.aspx
University of Hawaii also provides a site to check your password strength:
· The following are examples of creating strong, complex passwords that are easy to remember:
1. Combine parts of words and use capital letters, special characters and numbers. Example: safR3cdsP0$al is built from the phrase “safe records disposal”.
2. Create a password based on a song title, song lyric, movie line, or phrase.
a. Example: Ig2te$&bg4tw uses the first letter of each word in the sentence “I go to town every Saturday and buy groceries for the week”, with a few words swapped for look-alike digits and symbols.
b. Example: swH4t$ubthr from the song lyric “She works hard for the money, you better treat her right”, by Charli Baltimore.
c. Example: Term2HastaLaVistabby from Terminator 2: “Hasta la vista, baby”.
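As an added example (not part of the original ITS tip), the following Python script applies the guidelines above as checks, estimates strength from length and the character classes used, and builds a password from a memorable sentence the way the Ig2te$&bg4tw example does. The word list, the personal-information list and the word-substitution map are constructed for the demonstration; a real checker would load a full dictionary.

```python
import math
import re

# Constructed stand-in for a real dictionary; a production checker would load
# a full word list in every language the user speaks.
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "records", "disposal"}

# Anything that is not a letter or digit counts as a "special character".
SPECIAL = re.compile(r"[^A-Za-z0-9]")


def guideline_violations(password, personal_info=()):
    """Return the list of guidelines the password breaks; an empty list means it passes.

    personal_info is an optional list of strings (names, birth years, usernames)
    that must not appear anywhere in the password.
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not SPECIAL.search(password):
        problems.append("no special character")
    lowered = password.lower()
    for word in sorted(COMMON_WORDS):          # sorted so the report order is stable
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append(f"contains personal information '{item}'")
    return problems


def estimated_entropy_bits(password):
    """Rough strength estimate in bits: length * log2(pool), where the pool is the
    union of character classes actually used (26 lower, 26 upper, 10 digits,
    32 printable ASCII specials). Dictionary words are not discounted, so treat
    the number as an upper bound on what a guessing attack has to search."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if SPECIAL.search(password):
        pool += 32
    return round(len(password) * math.log2(pool), 1) if pool else 0.0


def passphrase_to_password(sentence, substitutions=None):
    """Build a password from the first character of each word in a memorable
    sentence. Words listed in `substitutions` are replaced whole, which is how
    the tip's example turns "to" into 2, "and" into &, "for" into 4 and
    "Saturday" into $ (the map is the user's choice, not a fixed rule)."""
    substitutions = {k.lower(): v for k, v in (substitutions or {}).items()}
    parts = []
    for word in sentence.split():
        key = word.strip(".,!?;:").lower()
        parts.append(substitutions.get(key, word[0]))
    return "".join(parts)


if __name__ == "__main__":
    sentence = "I go to town every Saturday and buy groceries for the week"
    derived = passphrase_to_password(
        sentence, {"to": "2", "and": "&", "for": "4", "Saturday": "$"})
    print(derived, guideline_violations(derived), estimated_entropy_bits(derived))
    for candidate in ("summer12", "JohnSmith1!", "safR3cdsP0$al"):
        print(candidate, guideline_violations(candidate, personal_info=["Smith"]),
              estimated_entropy_bits(candidate))
    # Length beats complexity: 16 lowercase letters outscore 8 mixed characters.
    print(estimated_entropy_bits("abcdefghijklmnop"), estimated_entropy_bits("Ab1$Ab1$"))
```

The entropy figure is deliberately crude; its purpose is to show why the guidelines say “the longer the better”: adding characters raises the estimate faster than adding character classes does.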
Home Wireless Router Security Settings (April 9, 2012)
Enable network encryption. WPA2 is the most secure encryption for wireless; however, it may not work with some devices.
Change your network’s SSID (name). Do not use the default name provided by the manufacturer, and do not use personal information that can identify the location. Choose a name so that you can easily identify it and others can avoid it. Hiding the SSID will not prevent a skilled attacker from discovering the network.
Filter MAC addresses on your router. You can configure your wireless router to allow only the devices you specify onto your home network by adding their MAC addresses to your wireless router’s settings. A Media Access Control (MAC) address is a unique number assigned to each network device. As usual, the bad guys have ways around this safeguard as well, but it can slow them down. Locating Your Device’s MAC Address
You can reduce the range of the wireless signal by placing the router in a part of the building that provides the best signal for the wireless users while keeping it away from windows that would make the signal available to outsiders. Also, if you are in an apartment or shared building, you can reduce the signal range on the router by changing the mode to 802.11g.
For further info see the article: How to Secure Your Wireless Home Network
Standard Security Safeguards for Wireless & Wired Networks ... Build a fortress and keep it maintained. (April 2, 2012)
When cyber criminals find vulnerabilities in software, they use them to exploit the computer or network, so you should keep all applications, including your operating system, patched. Some applications automatically check for available updates when you are connected to the Internet.
Also, you should check your router manufacturer’s website to ensure your router is running the latest firmware. The firmware is the embedded software that implements the network and security protocols for that specific model of hardware device.
You should install a firewall on your computer; it will provide some protection against attacks. You should also configure the firewall on your router if you have one. A firewall is a software program or piece of hardware that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet.
Install virus protection software and keep it up to date. New vulnerabilities are discovered daily, so if you are not updating the virus definitions you will not be protected from new malware.
When not in use, power off your network devices to save power and keep the bad guys out.
Use strong passwords, and create a unique, strong administrator password for your router.
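As an added example (not from the ITS tips or from any router vendor), this Python script checks a set of home-router settings against the recommendations in the two sections above: encryption, SSID, administrator password, MAC filtering, firmware currency and firewall. The settings dictionaries, the field names, the default-SSID and default-password lists and the firmware version are all constructed for the demonstration; a real router exposes these through its admin page, not in this form.

```python
# Constructed lists of factory defaults; a real check would use the defaults
# documented for the router's own make and model.
DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink", "wireless"}
DEFAULT_ADMIN_PASSWORDS = {"", "admin", "password", "1234"}


def audit_router(settings, latest_firmware, personal_terms=()):
    """Return (severity, message) findings for settings that fall short of the
    tips; an empty list means every recommendation is met."""
    findings = []

    # Encryption: WPA2 is the recommended setting; open and WEP give no real protection.
    enc = str(settings.get("encryption", "none")).upper()
    if enc in ("NONE", "OPEN"):
        findings.append(("high", "wireless encryption is disabled; enable WPA2"))
    elif enc == "WEP":
        findings.append(("high", "WEP is broken; switch to WPA2"))
    elif enc == "WPA":
        findings.append(("medium", "WPA is weaker than WPA2; switch to WPA2"))

    # SSID: not the manufacturer default and nothing that identifies you or your address.
    ssid = settings.get("ssid", "")
    if ssid.lower() in DEFAULT_SSIDS:
        findings.append(("low", f"SSID '{ssid}' is a manufacturer default; rename it"))
    for term in personal_terms:
        if term.lower() in ssid.lower():
            findings.append(("medium", f"SSID reveals personal information '{term}'"))
    if settings.get("hide_ssid"):
        findings.append(("info", "a hidden SSID does not stop a skilled attacker; rely on encryption"))

    # Administrator password: unique, strong, and not the factory default.
    admin_pw = settings.get("admin_password", "")
    if admin_pw in DEFAULT_ADMIN_PASSWORDS:
        findings.append(("high", "router administrator password is a factory default; set a strong unique one"))
    elif len(admin_pw) < 8:
        findings.append(("medium", "router administrator password is shorter than 8 characters"))

    # The remaining checks mirror the April 9 and April 2 recommendations.
    if not settings.get("mac_filtering", False):
        findings.append(("low", "MAC address filtering is off (slows attackers down, does not stop them)"))
    if settings.get("firmware") != latest_firmware:
        findings.append(("medium", f"firmware {settings.get('firmware')} is not the latest ({latest_firmware})"))
    if not settings.get("firewall", False):
        findings.append(("high", "router firewall is disabled"))
    return findings


def summarize(findings):
    """Count findings per severity so the worst problems stand out."""
    counts = {}
    for severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


# Constructed sample settings, as they might be copied off a router's admin page.
WEAK_ROUTER = {
    "encryption": "WEP",
    "ssid": "linksys",
    "hide_ssid": False,
    "admin_password": "admin",
    "mac_filtering": False,
    "firmware": "2.0.0",
    "firewall": False,
}
HARDENED_ROUTER = {
    "encryption": "WPA2",
    "ssid": "Net-7Q2K",
    "hide_ssid": False,
    "admin_password": "bR9$kLm2!wQx",   # constructed example, not a password to reuse
    "mac_filtering": True,
    "firmware": "2.1.4",
    "firewall": True,
}
LATEST_FIRMWARE = "2.1.4"   # placeholder; check the manufacturer's site for the real value


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_ROUTER), ("hardened", HARDENED_ROUTER)):
        findings = audit_router(cfg, LATEST_FIRMWARE, personal_terms=("Smith", "Apt 4B"))
        print(f"{name}: {summarize(findings)}")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

The severities follow the tips’ own emphasis: encryption, the administrator password and the firewall are the controls that actually keep outsiders off the network, while MAC filtering and SSID choice only slow an attacker down.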
Security Recommendations for Wireless Use (March 26, 2012)
To be cyber secure you need to understand the threats and risks related to wireless use. For example, if you are in a public area such as an airport and want to access the Internet, your wireless device will search for a connection. Since we would rather get FREE wireless, when we see an open connection (free, no password required) we jump on it and start surfing. Unknowingly, however, the source of the access may actually be a rogue access point: a cyber criminal intending to steal information may have planted one in the area.
So! I have access to the Internet for FREE; why do I care if it is a rogue access point? Well, the cyber criminal can now hijack your web traffic and redirect your connection to false websites, steal your information, and spoof your email address (send email as you), creating havoc for the people in your address book. One thing you can do to protect your Internet session is to use encryption: secure sessions will have HTTPS in the URL, not HTTP. The article below, written by Jan Wiewiora, describes some risks of using insecure wireless in detail.
Wireless Security: When Free Isn't Worth the Risk by Jan Wiewiora
Securing your Home Wireless Network (Wi-Fi) (March 19, 2012)
Today’s generation is very dependent on the Internet, due to its widespread use in every area of our lives. These days we no longer sit at a desk to access the Internet; we need the ability to access the Internet and network peripherals remotely and to allow multiple household members to use the network resources at the same time. Some common uses are email, social networking, gaming, Internet phone and video, home entertainment, printing, faxing, file sharing, Internet appliances, e-commerce, and more.
Since Wi-Fi networks are relatively easy to set up and offer many benefits for easy access, many people install their own home network. However, if a network is not set up with security in mind, it is extremely easy for a hacker to access it.
It is important to change your router’s administrator password and use a very strong one, because it is the key to your network kingdom. You should also select strong encryption, preferably WPA2. Refer to the SANS newsletter that describes ways to secure your home network.
Using Open Wireless Networks (March 12, 2012)
Be cautious when using open wireless networks, for example at McDonald’s, Starbucks, airports, and the many other places that offer public wireless access. There are several risks you must be aware of, and you should take steps to protect your information.
1. Hackers may be “sniffing” the wireless network traffic. A (packet) sniffer is a program that intercepts and decodes the network traffic being broadcast. Hackers can sniff traffic remotely and do not need to install software on the wireless network; they can be sitting comfortably anywhere in the area or out on the street.
2. Hackers may have installed a “keylogger” on public computers that will capture everything you type on the keyboard, including usernames, passwords, and URLs.
3. There are many more ways hackers can intercept and collect information transmitted on public wireless networks.
Safeguards to protect your information:
1. Do not use open wireless networks for personal banking or other transactions where you provide sensitive information such as bank account information, social security number, etc.
- If you must use an open network to transmit confidential information, change your password as soon as possible from a secure private network.
For additional safeguards when using a laptop and wireless networks read the AskUs article, Best Practices for Laptop Users.
Location-Based Features (March 5, 2012)
Tip: Be cautious about using services with location-based features. With location services enabled, pictures uploaded from a smart phone could include specific location data.
With an estimated 1.2 billion active mobile-broadband subscriptions in use worldwide, people are constantly providing location-based data on themselves, often unwittingly. The benefits of the data can be outweighed by privacy risks; without full disclosure by your service provider on how the data is used and shared, you could be opening yourself up to data theft and perhaps personal harm. Reviewing Mashable’s 5 Privacy Tips for Location-Based Services is a first step in understanding your responsibilities in using location-based features.
Social Networking Security (February 27, 2012)
Tip: Be familiar with all social network site security settings and ensure that they are set correctly.
In the 18-month period between May 2010 and November 2011, Facebook changed its privacy policies eight times without warning to users, including security settings that affect how third parties access users’ telephone numbers and addresses. It’s extremely important that if you participate in social networking you routinely review your privacy settings and manage the passwords that you use; ITS shares some options for doing so in the AskUs article Strategies In Setting Secure Passwords For Social Networking.
Posting Photos/Videos (February 20, 2012)
Tip: Think carefully about personal information such as photos/videos before posting to online social networking sites.
With new tools being invented each day, such as cameras and phones that can post photos and videos to social media sites within seconds, it’s best to think twice in the moment before posting something online. Friends of friends could “share” your images before you are even aware that they are doing so, and first impressions of you may be formed before you ever meet someone eye to eye. This Who’s Watching article lists some cautions that you should consider: Too Much Information - on social networking sites, you may be giving away more than you think.
Strong Passwords (February 13, 2012)
Tip: Use strong passwords on all sites and do not use a UH password for other online account access.
A password’s strength is measured not only by its length but also by its complexity: the combination of special characters, numbers, and letters used to form it. The more unusual the combination, the stronger the password is against being guessed or deciphered by automated software designed to search out “easy” passwords. UH provides help for you in creating strong passwords; read the AskUs article Password Guidelines.
Your Personal Data (February 6, 2012)
Tip: Avoid sharing personal information such as birthdates, home addresses, phone numbers, social security numbers, financial information, or travel plans.
Always assume that nothing posted online is private. Your information can be accessed by unscrupulous hackers or noted by thieves who can use it to impersonate you or invade your privacy while you travel. See the AskUs article Nothing Posted Is Private.