Friday, November 1, 2013

Congratulations to our Prize Winners!


The results of this afternoon's prize drawing are in and here are our winners:

  • Beatpill bluetooth speaker system - Ann Salchow, Information Resources
  • iPod Shuffle - Kahlia Ford, Biostatistics
  • $10 Amazon gift certificate - Susan Hudson, Cancer Center
  • FREE Lunch from Courtyard Cafe - Judy Brohammer, School of Medicine
  • FREE Lunch from Courtyard Cafe - Gail Alvarez, Information Resources
The Information Security staff would like to thank everyone that participated in and helped us organize this week's events for National Computer Security Awareness Month. We hope you found it to be both educational and fun!

For those who have asked: we'll be posting all the slides and handouts from the sessions here in the next few days. If you couldn't join us this week, we'll be hosting these same sessions beginning in November. And Black Friday shopping season is coming up, so we hope you'll join us for our session titled "Safe Shopping Online".

Stay safe!

Take the CyberSecurity Pledge

This year's celebration of National Cyber Security Awareness Month  is coming to a close, and we hope that all of you had fun while learning about the important role each of us plays in securing cyberspace.  

Please consider joining with thousands of other individuals across the country who are asserting their commitment to online safety by making the National Cyber Pledge affirming that you will take security seriously and use safe computing practices both at home and at work.

I pledge to:

  • Take personal responsibility for security and use good security practices.
  • Pause and consider the risk before I connect to the Internet.
  • Lock my computer whenever I leave my work area.
  • Treat my mobile device like the powerful computer it is, and protect it -- both physically as well as by activating security features such as password and auto-lock, anti-virus software, and remote wipe.
  • Use strong passwords, and create a separate one for each account.
  • Never share my password with anyone.
  • Follow my organization's policy and promptly report all security incidents or concerns to my organization's security office or contact.
  • Safeguard sensitive data from any inappropriate disclosure.
  • Not post personal, sensitive, or non-public information on social media.
  • Not participate in any cyber bullying activities.
  • Raise awareness of good security practices among my family, friends, colleagues, and community.
 
If you do the pledge, please encourage your friends, family, co-workers, and neighbors—everyone you can—to do the same!  If we each pledge to do our part to make our piece of cyber space just a little bit more secure, we can truly make a difference in helping protect our nation's cyber assets.

Join Us For Lunch Today: Mobile Devices and Cloud Security

Our last session is today!  We hope you can join us today from noon to 1 p.m. for:

 

We have had an overwhelming number of people sign up and have moved to a bigger room so that everyone can attend.
Note that the session has been moved from 1049 School of Nursing to Lied Auditorium.

 
And don't forget about those great prizes we're giving away!  Attendees will gain 2 more entries into the weekly prize raffle that will happen at 3:30 this afternoon.

Thursday, October 31, 2013

Join Us for Lunch Today: Privacy and Social Media

"Great discussion!"
 
"Fantastic!"
 
"Awesome!"

Those are just some of the great comments we received as feedback from yesterday's Lunch 'n Learn session on password management.  Today's session promises to be just as good and is jam-packed with information that you need to keep yourself and your family safe when they use social media.  Best of all, it's all FREE!
 
We hope you can join us today from noon to 1 p.m. for:
 
 
And don't forget about those great prizes we're giving away!  Attendees will gain 2 more entries into the weekly prize raffle.
 

Wednesday, October 30, 2013

It's the Hottest New Game: Secdoku!


Two more days left of National Computer Security Awareness Month and it's time for another fun game.
 
Sudoku fans will love this twist on their beloved game from Native Intelligence, Inc.
 
First the rules:  Each of the 9 grids, each row, and each column must spell out the word "SECURITY".   The same letter cannot appear more than once in a grid, row or column.
 
 
 
Good luck!
 
(If you give up, you can find the answers here.)

Tuesday, October 29, 2013

Join Us for Lunch Today: Top 10 FREE Security Tools

"Very informative!"
 
"Thanks for the handout.  I'm definitely going to use it!"
 
"Could you repeat this one? Many of my co-workers could benefit from this info."

Those are just some of the great comments we received as feedback from yesterday's Lunch 'n Learn session on password management.  Today's session promises to be just as good and is jam-packed with information that every computer user needs to know.  Best of all, it's all FREE!
 
We hope you can join us today from noon to 1 p.m. for:
 
 
And don't forget about those great prizes we're giving away!  Attendees will gain 2 more entries into the weekly prize raffle.

Monday, October 28, 2013

Online Security Scavenger Hunt

Who wants an extra entry into the prize drawing this week?  Okay, okay... sit down and warm up your keyboard because we're going on a whirlwind tour of the Internet to learn some tips and trivia that will help us stay secure.  And, if you can't make our Lunch 'n Learn sessions, this is a way you can still get in on winning a prize.

It's an online security scavenger hunt!



Rules of the Hunt
  • You must answer all 8 questions correctly to be eligible for the prize drawing.
  • Submit your answers to Information Security via email (kumc-security@kumc.edu) with the subject line "NCSAM Answers".
  • Entries must be received by 3 p.m. on Friday, November 1st.
  • All eligible entries meeting these requirements will receive one entry into the prize drawing on Friday.
  • You must be an employee or student of the University, UKP, RI or other University-affiliated organization to win a prize. Unfortunately, Hospital staff are not eligible to win.

Ready to get started?  Here are the questions.  Good luck!

~~**~~**~~**~~**~~**~~**~~**~~**~~**~~**~~**~~**~~**~~**~~**~~

1. The University considers the protection of protected health information, social security numbers and other sensitive data to be extremely important.  What does the Sensitive Information policy say about sharing sensitive information with third-party online application services like iCloud, Google or Amazon?  (HINT: Go here)

2. Watch this quick video on phishing from Penn State (it’s just 2 minutes long, we promise!)  How many people fall victim to phishing scams every year in the United States?

3. If you’re using Windows XP or Microsoft Office 2003, you’ll need to upgrade soon because Microsoft is no longer going to issue security updates for those versions.  What’s the date that support for Windows XP will end?  (HINT: look here)

4. Poor Mat Honan got hacked and lost everything on his iPhone, iPad and Macbook.  While there are many, name one thing that he could have done to prevent it from happening.

5. Checking your credit report every three months is an important way to make sure that someone doesn’t open bank accounts or loans in your name in an effort to steal your identity. What is the ONLY authorized website where you can request free copies of your credit reports?  (HINT:  Visit the FTC’s website)

6. Watch this video from SANS on safe social networking.  What’s the best way to protect yourself on social networking sites?

7. According to McAfee’s 10 Quick Tips to Mobile Security e-Guide, what’s the #1 thing you should do to protect your smartphone or tablet?  (HINT:  Google the name of the e-guide to find it.)

8. Watch this video from OnGuardOnline.gov to learn some general tips on computer security.  What should you do if you get a pop-up on your screen that says you have a virus and need to buy some software to remove it?

Handout from Today's Password Management Lunch 'n Learn

If you couldn't make it to today's Lunch 'n Learn, don't worry!  We'll be doing another one of these sessions in the near future. In the meantime, here's the handout on KeePass, the FREE password management software that we use here in Information Security.  We highly recommend it!

It works on PC, Mac and mobile devices so you can have your passwords at your fingertips when you need them.  With KeePass, you just need to remember your master password to get into the password database.  It can even generate passwords for you and log you into websites securely.


Join Us for Lunch Today: Got (Too Many) Passwords?

We're kicking our celebration of National Computer Security Awareness Month into high gear this week with contests, prizes and 4 Lunch 'n Learns on topics that affect all of us in our online lives.  Want to know more about upcoming events and how to win?  Check out the main NCSAM post.

Why not join us for today's Lunch 'n Learn topic on managing all those passwords you have to keep track of?



Everyone gets 2 entries into the prize raffle for each session they attend, so this is a great way to really rack up the points and increase your chance for winning one of our great prizes.

Hope to see you there!
 
p.s.  The online contest starts later today.  Check back here for more details on how you can get an additional entry into the prize raffle.

Friday, October 25, 2013

Spam, Spam, Spam and SPAM!


The number one email or call that we get in Information Security is about how to deal with the volume of annoying spam messages. So we thought we'd devote today's post to what spam is, how to avoid getting on the dreaded "spammer's list" and what you should do if you think you receive too much spam.

What is Spam?

Well, some might say it's a delicious, canned meat-like product.  We're talking about a different type of spam - the unsolicited commercial or bulk e-mail that you didn't request and that clutters up our mailboxes on a daily basis.  Spam usually contains advertisements for services or products but there can be other types as well:
  • Phishing scams that ask for personal information or passwords
  • Foreign bank scams or advance fee fraud schemes (click here to see one of these)
  • Payroll or IRS scams (click here to see one received at KUMC)
  • Pyramid and other "Get Rich Quick" or "Make Money Fast" schemes
  • Quack health products and remedies
  • Ads for adult web sites
  • Chain letters
 
 
How can I avoid getting spam in work or personal email?

There are several things you can do to avoid getting on the spammer's list of addresses.  The first is perhaps the most important:

  1. It may not seem like the right thing to do, but DO NOT respond to spam "Remove Me" e-mail addresses. This just confirms to the spammer that your email address belongs to a real, live human and their messages are getting through.  The effect is that they sell your email address to other spammers and you get even more spam!
  2. Subscribe only to product emails or discussion lists that you are sure you want to receive. 
  3. Check the Privacy Policy on the website before you give them your email address to subscribe to receive updates.  If it doesn't say they won't sell your information, think carefully about whether or not you really want to give them your personal information or email address.
  4. Use one email address for communication with family or friends and a separate email address for receiving product updates, emails from websites, newsgroups or bulletin boards, or unmoderated discussion lists.  You'll be amazed how much spam that second account will receive, but it will keep your important email "clean".
  5. If you receive only a small amount of spam, you may want to simply delete the messages and forget about it.

What does KUMC do to keep spam out of your mailbox?

KUMC has deployed Barracuda spam firewalls to identify and block approximately 96% of all inbound e-mail messages.  Yes!  96% of all the email we receive is spam!

The system can learn what is unwanted email and you can train it by clicking on the "Mark as Spam" button in Outlook when you receive a spam or phishing email.  The more messages that you mark as spam, the faster the system learns what is unwanted in your mailbox.  You can also block certain senders from sending you email.  For more information on how to change your Barracuda spam settings, click here.

And, as always, if you receive a phishing email that is asking for personal information or a password, or you're just not sure if an email is legitimate or not, forward it to Information Security at kumc-security@kumc.edu.

Thursday, October 24, 2013

Prize Announcement!

The wait is over.  And now for the good stuff ... prizes!  Information Security has some really great stuff to give away next week as our National Computer Security Awareness Week celebration really ramps up.  Here's just a partial list of the goodies that you can win*:

 * Must be an employee or student of KUMC, UKP, RI or other University-affiliated organization to win.

How can you enter to win?

On Monday, October 28th, we'll be posting an online scavenger hunt and everyone that completes the game successfully will get one entry into the prize raffle.

And, if you want some extra tries at the prizes while learning some cool info at the same time, it's not too late to sign up for any of the four great Lunch 'n Learn sessions that are planned for next week.  Attendees will get 2 entries into the raffle pool.  Here's a summary of each session:

Monday, October 28th: Got (Too Many) Passwords?
Description: Passwords, passwords, passwords for your bank site, your personal and work email, Facebook, and on and on. How do you keep track of all of them? Bring your lunch and learn about a FREE and secure way to manage your passwords, including how to make sure they're always available when you need them.
 
Tuesday, October 29th: Top 10 FREE Security Tools
Description: A new computer taken out of the box and connected to the Internet is easily taken over by a hacker within minutes. If you've got a computer, you need to arm yourself with the right tools to fight this constant battle. Bring your lunch and learn about the FREE security tools that are a must-have for any PC owner.
 
Thursday, October 31st: Privacy and Social Media
Description: Social media sites like Facebook and Instagram are great for keeping track of friends and sharing your everyday life with those you love. But there's also a dark side to sharing your information on these types of sites. Bring your lunch and find out how companies and criminals use the information and photos that you share on these sites and what YOU can do to protect yourself on social media.
 
Friday, November 1st: Mobile Devices and Cloud Security
Description: Smartphones, iPads, tablets and other mobile devices are literally changing the way we work and play. But do you know how to protect your shiny new device from hackers? And just what does it mean to store your data "in the cloud"? Bring your lunch and your questions as we discuss security issues related to mobile devices and storing data in the cloud.

You can sign up by clicking on the link above or by clicking on the thumbnail for each session on the bar to the right.

We hope you'll join us in the celebration!

Wednesday, October 23, 2013

Safe Shopping Online

Cyber Monday (the Monday after Thanksgiving) and online shopping throughout the entire holiday season have become increasingly popular in recent years, and the trend is expected to continue this season. According to MarketLive, an e-commerce software and solutions provider, online shoppers in the U.S. are projected to spend more than $54 billion this holiday season, nearly a 17 percent increase over the $47 billion spent last year. The increase in online shopping coincides with an increase in mobile device use, and more shoppers will be using special holiday smartphone apps to find the best deals.

Before you click or tap to buy that "must have" item on your holiday list, check out these tips below to make sure you're doing everything you can to avoid becoming a victim of cyber crime:


  1. Secure your mobile device and computer. Be sure to keep the operating system and application software updated/patched on all of your computers and mobile devices. Be sure to check that any anti-virus/antispyware software installed is running and receiving automatic updates. Confirm that your firewall is enabled.
  2. Know and trust your online shopping merchants. Limit your online shopping to merchants you know and trust. If you have questions about a merchant, check with the Better Business Bureau or the Federal Trade Commission. Confirm the online seller's physical address and phone number in case you have questions or problems.

  3. Look for “https” when making an online purchase. The "s" in “https” stands for "secure” and indicates that communication with the webpage is encrypted. If you submit your credit card information through an organization's website, be sure to look for indicators that the site is secure. Look for a padlock or key icon in the browser's status bar and be sure “https” appears in the website’s address bar before making an online purchase. You should also make sure that your browser software is current and up-to-date.
  4. Password protect your mobile device and computer. It’s the simplest and one of the most important steps to take to secure your mobile device and computer. If you need to create an account with the merchant, be sure to use a strong password. Use at least eight characters, with numbers, special characters, and upper and lower case letters. Adhere to the tenet “a unique password for every unique site.”
  5. Do not respond to pop-ups. When a window pops up promising you cash or gift cards for answering a question or taking a survey, close it by pressing Control + F4 for Windows and Command + W for Macs.
  6. Avoid scams and fraud. Don’t ever give your financial information or personal information over e-mail or text. Be aware of unsolicited communications purporting to represent stores or charities. Always think before you click on e-mails you receive asking for donations and contact the organization directly to verify the request. Information on many current scams can be found on the website of the Internet Crime Complaint Center, a partnership between the Federal Bureau of Investigation and the National White Collar Crime Center.
  7. Do not use public computers or public wireless for your online shopping. Public computers may contain malicious software that steals your credit card information when you place your order. Additionally, criminals may be intercepting traffic on public wireless networks to steal credit card numbers and other confidential information.
  8. Pay by credit card, not debit card. The safest way to shop on the Internet is to pay with a credit card rather than debit card, as credit cards are protected by the Fair Credit Billing Act and may reduce your liability if your information was used improperly.
  9. Print your online transactions. Print or save records of your online transactions, including the product description and price, the online receipt, and the e-mails you send and receive from the seller. Carefully review your credit card statements as soon as you receive them to confirm that all charges are legitimate. Contact your credit card company immediately if you have unauthorized charges on your account.
  10. Review privacy policies. Review the privacy policy for the website/merchant you are visiting. Know what information the merchant is collecting about you, how it will be stored, how it will be used, and if it will be shared with others.

What to do if you encounter problems with an online shopping site?

Contact the seller or the site operator directly to resolve any issues. You may also contact the following:
 
 Your State Attorney General's Office - www.naag.org/current-attorneys-general.php
 The Better Business Bureau - www.bbb.org
 The Federal Trade Commission - http://www.ftccomplaintassistant.gov

For additional information about safe online shopping, please visit the following sites:
 Privacy Rights Clearinghouse - https://www.privacyrights.org/Privacy-When-You-Shop
 Internet Crime Complaint Center - http://www.ic3.gov/media/2010/101118.aspx
 Smartphone Security - Android vs. iOS
 
This material has been adapted from an original article by the MS-ISAC.

Tuesday, October 22, 2013

Dealing with Cyberbullying

Cyberbullying refers to the practice of using technology to harass, or bully, someone else. Bullies used to be restricted to methods such as physical intimidation, postal mail, or the telephone. Now, developments in electronic media offer forums such as email, instant messaging, web pages, and digital photos to add to the arsenal. Computers, cell phones, and PDAs are current tools that are being used to conduct an old practice.

Forms of cyberbullying can range in severity from cruel or embarrassing rumors to threats, harassment, or stalking. It can affect any age group; however, teenagers and young adults are common victims, and cyberbullying is a growing problem in schools.

Why has cyberbullying become such a problem?
The relative anonymity of the internet is appealing for bullies because it enhances the intimidation and makes tracing the activity more difficult. Some bullies also find it easier to be more vicious because there is no personal contact. Unfortunately, the internet and email can also increase the visibility of the activity. Information or pictures posted online or forwarded in mass emails can reach a larger audience faster than more traditional methods, causing more damage to the victims. And because of the amount of personal information available online, bullies may be able to arbitrarily choose their victims.

Cyberbullying may also indicate a tendency toward more serious behavior. While bullying has always been an unfortunate reality, most bullies grow out of it. Cyberbullying has not existed long enough to have solid research, but there is evidence that it may be an early warning for more violent behavior.

How can you protect yourself or your children?
  1. Teach your children good online habits. Explain the risks of technology, and teach children how to be responsible online (see Keeping Children Safe Online for more information). Reduce their risk of becoming cyberbullies by setting guidelines for and monitoring their use of the internet and other electronic media (cell phones, PDAs, etc.).
  2. Keep lines of communication open.  Regularly talk to your children about their online activities so that they feel comfortable telling you if they are being victimized.
  3. Watch for warning signs. If you notice changes in your child's behavior, try to identify the cause as soon as possible. If cyberbullying is involved, acting early can limit the damage.
  4. Limit availability of personal information. Limiting the number of people who have access to contact information or details about interests, habits, or employment reduces exposure to bullies that you or your child do not know. This may limit the risk of becoming a victim and may make it easier to identify the bully if you or your child are victimized.
  5. Avoid escalating the situation.  Responding with hostility is likely to provoke a bully and escalate the situation. Depending on the circumstances, consider ignoring the issue. Often, bullies thrive on the reaction of their victims. Other options include subtle actions. For example, you may be able to block the messages on social networking sites or stop unwanted emails by changing the email address. If you continue to get messages at the new email address, you may have a stronger case for legal action.
  6. Document the activity.  Keep a record of any online activity (emails, web pages, instant messages, etc.), including relevant dates and times. In addition to archiving an electronic version, consider printing a copy.
  7. Report cyberbullying to the appropriate authorities. If you or your child are being harassed or threatened, report the activity. Many schools have instituted bullying programs, so school officials may have established policies for dealing with activity that involves students. If necessary, contact your local law enforcement. Law enforcement agencies have different policies, but your local police department or FBI branch are good starting points. Unfortunately, there is a distinction between free speech and punishable offenses, but the legal implications should be decided by the law enforcement officials and the prosecutors.
 
Additional information:
The following organizations offer additional information about this topic:

National Crime Prevention Council

This information was produced by US-CERT and republished for non-commercial use as outlined in their Privacy & Use policy.

Monday, October 21, 2013

Test Your Phishing Knowledge

We're a little over halfway through National Computer Security Awareness Month, so how about a game to test your knowledge of phishing and other email scams? 

It only takes a couple of minutes and it's lots of fun.  Who knows - you might learn something as well!

Saturday, October 19, 2013

Thursday, October 17, 2013

Most Dangerous Celebrity


Lily Collins, daughter of Genesis musician Phil Collins, and star of movies such as The Mortal Instruments: City of Bones and Mirror, Mirror, has the dubious honor of recently being dubbed 2013's Most Dangerous Celebrity.

This is the seventh year that McAfee has ranked the riskiness of searching for certain celebrities on the web. If you search for Lily, you have a 14.5% chance of landing on a website that will infect your computer with spyware, adware, viruses or other malware that are designed to steal your password, email address or other personal information.  Be careful what you search for!

If you need a tool that will help you decide what sites are good or bad, we recommend you consider using McAfee's SiteAdvisor software.  The price can't be beat (it's free) and it works with almost every major browser, including those on mobile devices.  SiteAdvisor works by adding color-coded ratings to your browser search:  green for a good site, yellow for questionable sites, and red for sites known to be malicious.

Wednesday, October 16, 2013

Time for Some Fun!

Can you find all the security-related words below?

Tuesday, October 15, 2013

Avoiding Social Engineering Attacks

What is a social engineering attack?

In a social engineering attack, an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity. However, by asking questions, he or she may be able to piece together enough information to infiltrate an organization's network. If an attacker is not able to gather enough information from one source, he or she may contact another source within the same organization and rely on the information from the first source to add to his or her credibility.

What is a phishing attack?

Phishing is a form of social engineering. Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization. For example, an attacker may send email seemingly from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem. When users respond with the requested information, attackers can use it to gain access to the accounts.

Phishing attacks may also appear to come from other types of organizations, such as charities. Attackers often take advantage of current events and certain times of the year, such as
  • natural disasters (e.g., Hurricane Katrina, Indonesian tsunami)
  • epidemics and health scares (e.g., H1N1)
  • economic concerns (e.g., IRS scams)
  • major political elections
  • holidays

How do you avoid being a victim?
  • Protect your password.  At KUMC, Information Resources will never ask for your password and you should never share your password with anyone, including your supervisor.   At home, remember that your bank and other companies that you do business with do NOT need your password for any reason.
  • Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity.
  • Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.
  • Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
  • Don't send sensitive information over the Internet before checking a website's security (see Protecting Your Privacy for more information).
  • Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
  • If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group.
  • Take advantage of any anti-phishing features offered by your email and web browser software.

What do you do if you think you are a victim?
  • If you believe you might have revealed sensitive information about your organization, report it to the appropriate people within the organization (call (913) 588-7995 at KUMC). They can be alert for any suspicious or unusual activity.
  • If you believe your financial accounts may be compromised, contact your financial institution immediately and close any accounts that may have been compromised. Watch for any unexplainable charges to your account.
  • Immediately change any passwords you might have revealed. If you used the same password for multiple resources, make sure to change it for each account, and do not use that password in the future.
  • Watch for other signs of identity theft (see Preventing and Responding to Identity Theft for more information).
  • Consider reporting the attack to the police, and file a report with the Federal Trade Commission.

This information was adapted from an original production by US-CERT and republished for non-commercial use as outlined in their Privacy & Use policy.

Thursday, October 10, 2013

What To Do If You're "Infected"

How do you know your computer is infected?

Unfortunately, there is no particular way to identify that your computer has been infected with malicious code. Some infections may completely destroy files and shut down your computer, while others may only subtly affect your computer's normal operations. Be aware of any unusual or unexpected behaviors. If you are running anti-virus software, it may alert you that it has found malicious code on your computer. The anti-virus software may be able to clean the malicious code automatically, but if it can't, you will need to take additional steps.

What can you do if you are infected?

Minimize the damage.  If you are at work, contact Information Resources immediately by calling (913) 588-7995. The sooner they can investigate and clean your computer, the less damage to your computer and other computers on the network. If you are on your home computer or a laptop, disconnect your computer from the internet. By removing the internet connection, you prevent an attacker or virus from being able to access your computer and perform tasks such as locating personal data, manipulating or deleting files, or using your computer to attack other computers.

Remove the malicious code.  If you have anti-virus software installed on your computer, update the virus definitions (if possible), and perform a manual scan of your entire system. If you do not have anti-virus software, you can purchase it at a local computer store (see Understanding Anti-Virus Software for more information). If the software can't locate and remove the infection, you may need to reinstall your operating system, usually with a system restore disk that is often supplied with a new computer. Note that reinstalling or restoring the operating system typically erases all of your files and any additional software that you have installed on your computer. After reinstalling the operating system and any other software, install all of the appropriate patches to fix known vulnerabilities (see Understanding Patches for more information).

How can you reduce the risk of another infection?

Dealing with the presence of malicious code on your computer can be a frustrating experience that can cost you time, money, and data. The following recommendations will build your defense against future infections:
  • use and maintain anti-virus software - Anti-virus software recognizes and protects your computer against most known viruses. However, attackers are continually writing new viruses, so it is important to keep your anti-virus software current.
  • change your passwords - Your original passwords may have been compromised during the infection, so you should change them. This includes passwords for web sites that may have been cached in your browser. Make the passwords difficult for attackers to guess (see Choosing and Protecting Passwords for more information).
  • keep software up to date - Install software patches so that attackers can't take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this option is available, you should enable it.
  • install or enable a firewall - Firewalls may be able to prevent some types of infection by blocking malicious traffic before it can enter your computer (see Understanding Firewalls for more information). Some operating systems actually include a firewall, but you need to make sure it is enabled.
  • use anti-spyware tools - Spyware is a common source of viruses, but you can minimize the number of infections by using a legitimate program that identifies and removes spyware (see Recognizing and Avoiding Spyware for more information).
  • follow good security practices - Take appropriate precautions when using email and web browsers so that you reduce the risk that your actions will trigger an infection.
As a precaution, maintain backups of your files on CDs or DVDs so that you have saved copies if you do get infected again.

Additional information:
  • Recovering from a Trojan Horse or Virus
  • Before You Connect a New Computer to the Internet
  • Securing Your Web Browser

This information was adapted from an original production by US-CERT and republished for non-commercial use as outlined in their Privacy & Use policy.

Tuesday, October 8, 2013

Protect Your Personal Information

Here's another set of tips from our friends at StopThinkConnect.org on how to protect your personal information:

  • Secure your accounts: Ask for protection beyond passwords. Many account providers now offer additional ways for you to verify who you are before you conduct business on that site.
  • Make passwords long and strong: Combine capital and lowercase letters with numbers and symbols to create a more secure password.
  • Unique account, unique password: Having separate passwords for every account helps to thwart cybercriminals.
  • Write it down and keep it safe: Everyone can forget a password. Keep a list that’s stored in a safe, secure place away from your computer.
  • Own your online presence: When available, set the privacy and security settings on websites to your comfort level for information sharing. It’s ok to limit how and with whom you share information.

    Friday, October 4, 2013

    Major Adobe Data Breach

    On October 3, 2013, Adobe announced that it had been a victim of a cyber attack that resulted in a data breach. The attacker(s) gained access to detailed information belonging to 38 million customers. The information includes:
     
    • Customer names
    • Encrypted credit or debit card numbers
    • Expiration dates
    • Other information relating to orders

    Adobe also acknowledged that the attacker(s) have gained access to the source code for Adobe Acrobat, ColdFusion, and ColdFusion Builder.

    Adobe will be emailing all customers who have been affected by this breach and informing them to change their passwords, as well as providing additional guidance to help safeguard against potential misuse of the compromised data if their credit or debit card numbers were part of the breach.
     
    Please note that it's likely that attackers will attempt to take advantage of this breach by sending fake emails that appear to come from Adobe.  If you receive an email related to this breach, do NOT click any links or reply with any information. 

    Our recommendations for anyone who may be affected by this breach are as follows:
    1. Check to see if you are affected by entering your email address at http://adobe.cynic.al/.
    2. Change passwords for all Adobe accounts.
    3. Change passwords for any other accounts that may use the same password as your account on Adobe.com.  (Remember:  it's not a good idea to use the same password on multiple websites!)
    4. Monitor financial accounts that are used for purchasing Adobe products for fraudulent activity.
    For more information, see Adobe's website at http://blogs.adobe.com/conversations/2013/10/important-customer-security-announcement.html.

    Recognizing Fake Antivirus Software

    What is fake antivirus?

    Fake antivirus is malicious software (malware) designed to steal information from unsuspecting users by mimicking legitimate security software. The malware makes numerous system modifications, making it extremely difficult to terminate unauthorized activities and remove the program. It also causes realistic, interactive security warnings to be displayed to the computer user.

    How can my computer become infected with fake antivirus?

    Criminals distribute this type of malware using search engines, emails, social networking sites, internet advertisements and other malware. They leverage advanced social engineering methodologies and popular technologies to maximize the number of infected computers.

    How will I know if I am infected?

    The presence of pop-ups displaying unusual security warnings and asking for credit card or personal information is the most obvious method of identifying a fake antivirus infection.

    What can I do to protect myself?

    There are lots of things you can do to protect yourself from these antivirus scams:
    • Become familiar with how your antivirus works and make sure it is always up to date.
    • Be cautious when visiting web links or opening attachments from unknown senders (see Using Caution with Email Attachments for more information).
    • Keep software patched and updated (see Understanding Patches for more information on the importance of software patching).
    • To purchase or renew software subscriptions, visit the vendor sites directly.
    • Monitor your credit cards for unauthorized activity.
    This information was adapted from an original production by US-CERT and republished for non-commercial use as outlined in their Privacy & Use policy.

    Thursday, October 3, 2013

    Keep a Clean Machine

    Here are some simple tips from our friends at StopThinkConnect.org on how to keep your computer secure:
       
    • Keep security software current: Having the latest security software, web browser, and operating system are the best defenses against viruses, malware, and other online threats.
    • Automate software updates: Many software programs will automatically connect and update to defend against known risks. Turn on automatic updates if that’s an available option.
    • Protect all devices that connect to the Internet: Along with computers, smart phones, gaming systems, and other web-enabled devices also need protection from viruses and malware.
    • Plug & scan: “USBs” and other external devices can be infected by viruses and malware. Use your security software to scan them.
    Want more tips on how to stay safe and secure online?  Visit the Stop.Think.Connect page at http://stopthinkconnect.org/tips-and-advice/.

    Wednesday, October 2, 2013

    Passphrases, Not Passwords

     
    Did you know that the average person's password is fairly easy to guess?  Most people use their name or something personal about them in their passwords, so hackers use dictionaries of common English names, numbers and words to hack passwords.  In fact, you can see the list of the top 10,000 passwords here.  (Hopefully yours isn't on the list!)  But perhaps what's even more startling is that current software has been successfully used to crack passwords that are 55 characters long!

    But you don't need to be one of those average people...  Instead, think about replacing your out of date passwords with strong passphrases.  What's that?  What's a passphrase and how do I pick one?  We're glad you asked. 

    These 5 tips will help you out:
    1. Choose a phrase that's at least five words long. You might start with your favorite book, song, movie or a quote. Longer passwords are harder to guess than shorter ones, so you could use the entire phrase as your password.  We still recommend doing Step 2.  If the application won't allow such long passwords, then you could use the first letters of each word as your password. For example, the first letters of the book title "The Cat in the Hat" are: tcith. This step protects you from a dictionary attack, in which someone tries to crack your phrase using known words (and proper names).
    2. Alter some of it. The hardest to guess passwords/passphrases are "complex", which means they use a mix of numbers, symbols and upper and lower case letters.  Take your passphrase from Step 1 and replace some lowercase letters with capital letters, numbers or symbols. For example: Tc!tH capitalizes the first and last letter and replaces the "i" with an exclamation point. (You could replace an "a" with the "@" symbol too.) Make it simple; don't write your system down.
    3. Customize the password for each use. Add a character or three to the core password to ensure that every passphrase is at least seven characters long and includes a number. Generate an extra letter and number based on the name of the program you're accessing. For example: g6Tc!tH could be a password for a Google Gmail account, adding a "g" for the first letter of Google, and a 6, for the number of letters in Google.
    4. Write down your hint. Now you can write down a mnemonic device that will jog your memory without being obvious to anyone else. Hide this piece of paper or keep it in your wallet. For example, you could write down "basic: cat" to recall the Dr. Seuss title.
    5. Establish different levels of passwords. Use different core phrases to develop passwords for online banking, for accounts that use your credit card and for those that don't involve financial information.
    6. Change your passwords often.  If you can't change your password every 90 days, use daylight-saving time as the reminder to change your passwords.  If someone is able to get your passwords, changing them regularly will stop that person from using your accounts for a long period of time.
    Want to test how long it would take a hacker to crack your password?  You can test a password over at HowSecureIsMyPassword.net.  But don't put in your actual passwords!!!
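
    The steps above, worked through in code as an added example (it is not part of the original post or of any tool it mentions): it derives the post's three sample passwords and estimates how much each step enlarges the brute-force search space. The function names and the bit estimate are assumptions made for this illustration.

```python
import math
import string

def initials(phrase):
    """Step 1: first letter of each word, lowercased."""
    return "".join(word[0].lower() for word in phrase.split())

def alter(core):
    """Step 2, as in the post's example: capitalize the first and last
    letter and swap "i" for "!" and "a" for "@" in between."""
    middle = core[1:-1].replace("i", "!").replace("a", "@")
    return core[0].upper() + middle + core[-1].upper()

def customize(core, service):
    """Step 3: prefix a letter and a number taken from the service name.
    Assumption: first letter plus name length, which matches g6Tc!tH."""
    return service[0].lower() + str(len(service)) + core

def keyspace_bits(password):
    """Upper bound on brute-force effort: log2(alphabet ** length), where
    the alphabet is the union of the character classes actually used."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return round(len(password) * math.log2(alphabet), 1)

def stages(phrase, service):
    """Return (password, bits) after each of steps 1, 2 and 3."""
    core = initials(phrase)
    altered = alter(core)
    final = customize(altered, service)
    return [(pw, keyspace_bits(pw)) for pw in (core, altered, final)]

if __name__ == "__main__":
    for pw, bits in stages("The Cat in the Hat", "Google"):
        print(f"{pw:10} {bits:5} bits")
```

    The bit count is a ceiling that only applies to blind guessing; a password that appears on a common-password list or follows a known pattern falls much sooner, which is why Step 1 starts from a long phrase.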

    Tuesday, October 1, 2013

    Happy National Computer Security Awareness Month!

    It's finally here! National Computer Security Awareness Month starts today and the entire KUMC campus is celebrating throughout the month of October with both online and face-to-face opportunities to learn more about how to keep you, your family, and your data safe and secure. Each day on this blog, we'll focus on a different risk or threat such as phishing, iPad and mobile device security, social media privacy, or keeping track of all those passwords.  It will be a learning experience, but it will be a fun one....we promise!

    During the week of October 28th, we hope you'll bring your lunch and join us for all four of the following Lunch 'n Learn sessions from 12 to 1 p.m. 
    (You can sign up now using the links below):

    Monday, October 28th:  Got (Too Many) Passwords?
    Description:  Passwords, passwords, passwords for your bank site, your personal and work email, Facebook, and on and on. How do you keep track of all of them? Bring your lunch and learn about a FREE and secure way to manage your passwords, including how to make sure they're always available when you need them.

    Tuesday, October 29th:  Defend Yourself: Top 10 FREE Security Tools
    Description:  A new computer taken out of the box and connected to the Internet is easily taken over by a hacker within minutes. If you've got a computer, you need to arm yourself with the right tools to fight this constant battle. Bring your lunch and learn about the FREE security tools that are a must-have for any PC owner.

    Thursday, October 31st:  R U My Friend? Privacy and Social Media
    Description: Social media sites like Facebook and Instagram are great for keeping track of friends and sharing your everyday life with those you love. But there's also a dark side to sharing your information on these types of sites. Bring your lunch and find out how companies and criminals use the information and photos that you share on these sites and what YOU can do to protect yourself on social media.

    Friday, November 1st:   Mobile Revolution: Mobile Device and Cloud Security
    Description: Smartphones, iPads, tablets and other mobile devices are literally changing the way we work and play. But do you know how to protect your shiny new device from hackers? And just what does it mean to store your data "in the cloud"? Bring your lunch and your questions as we discuss security issues related to mobile devices and storing data in the cloud.


     
    The more you participate, the more chances you have to win one of the great prizes* to be raffled off on November 1st!  And, even if you can't make one of the sessions, you can still enter the raffle by participating in the online treasure hunt starting October 28th.
     *Prizes to be announced later this month.

    We hope you'll join us in the celebration!

    UPDATE 10/24/13:  Prizes for this year have been announced and they look great.  Click here to find out details on what prizes are available and how you can enter to win. 

    UPDATE 10/28/13: The online security scavenger hunt is now open.  Even if you can't find time to attend the Lunch 'n Learn sessions, completing the hunt will give you an entry into the prize drawing on Friday.  Good luck!