The University of Arizona

arizona.edu

Security Tips

TIP 1: UPDATE YOUR OPERATING SYSTEM AND OTHER SOFTWARE

Whether you are a Mac, Windows, or Linux user, installing operating system updates and patches is critical. A majority of the time exploits are publicized before hackers know about them. Software patches are then released within a few days of notification.

Windows users, Microsoft usually releases security patches the second Tuesday of every month and this is known as “Patch Tuesday”. Make sure you check for updates on your work and home computers at least once per week. Better yet, configure your computer to receive automatic updates every Tuesday evening.

Linux users can use the “apt-get” command line tool for software updates.

Mac users go to the “Apple” menu and then select “Software Update”. You will need to enter an Administrator account name and password.

TIP 2: USE ANTIVIRUS AND ANTISPYWARE SOFTWARE

As an employee of the University you are most likely running “Sophos Endpoint Security and Control” on your work station. If you don’t have Sophos, Nortons Antivirus, McAfee or another antivirus application on your work computer, contact your technical support person and make install arrangements.

If you don’t have a technical support person, follow this link: https://softwarelicense.arizona.edu download and install the correct version of Sophos on your computer. Sophos is available for Windows, Mac, Linux, and Solaris and it is available at no cost to UA faculty, staff, and students, both for use on campus systems and personal workstations at home.

Most likely you are running antivirus software but NOT antispyware. Sophos has built in spyware capabilities however, it’s best to have at least two antispyware apps. The highest rated Windows spyware software is Spy Sweeper but it will cost you $20. Personally I feel Malwarebytes is the best “free” spyware software that doesn’t constantly remind you to buy the pro version. Install Malwarebytes at home and update and run it at least once a week.

For Mac users, you can purchase MacScan for $29.

ClamAV comes with the Ubuntu Linux product. For those of you running “Redhat” you can download the install package of ClamAV at http://pkgs.repoforge.org/clamav/

One other application for Windows users that is a must is called WinPatrol. WinPatrol monitors changes on your computer and catches malicious code. (It also catches legitimate code but it’s up to you to decide). There is a little Scotty dog in the taskbar that remains running in the background at all times to help protect your computer. The dog barks a warning and gives you a pop-up window anytime something is trying to make a change to your system.

TIP 3: CHOOSING A STRONG PASSWORD

I can’t over emphasis using a strong password. With the speed of today’s computers and the sophistication of password cracking applications, a strong password is critical.

Make your password as long as possible. The longer the password, the harder it is to guess or to find by trying all possible combinations, (i.e., a brute force attack on your password). Passwords of 14 characters or more is recommended. To make it easy to remember, choose a passphrase like:

4Score&7yearsagoour4Fathers!

Because of the length, write it down on a piece of paper and carry it in your wallet or purse next to your credit cards. That’s a much safer location than under your mouse pad or in your desk drawer.

Use numbers, punctuation marks, symbols, upper and lower case letters.

Don’t use single dictionary words especially without numbers and symbols for hackers are using dictionary attack applications. Try not to use personal information such as your birthday, the name of your partner or child, and especially not your phone number.

If you wish for more guidance, you can refer to the University of Arizona’s password policy at: http://uits.arizona.edu/services/uaconnect/password

TIP 4: BACK UP YOUR DATA

Backing up your work and home computer data is critical to avoid major loss. In the event of hardware malfunction or a hacker compromise, you will want a back-up of your data. Data comes in the form of documents, bookmarks, email, photos, music, video, and tax files. Anything you can lose that would cause you suffering, back it up. The most reliable and easy-to-recover back-up method is to use an external hard drive connected to your computer via USB.

For Windows users, the most flexible and free back-up software application I have used is fbackup. If you are not backing up your data at home, here is the website to download fbackup: http://www.fbackup.com/ after downloading, run the executable and follow the defaults. Once installed, run the application for configuration. To configure, click New, Select Advanced Mode, under General, name your back-up, under Destination, select External Drive, under Sources you will add Folders or Files, under Type, select Mirror and choose the radio box “select mirror as default backup type”, now select Scheduler, click Add, check the radio button “with built-in scheduler, click OK, a scheduling back-up window will appear.

For Mac users, “Time Machine” is the default back up application that comes with every OS X computer. Back-up configuration is very user friendly and easy to configure for backing up to an external drive.

For Ubuntu Linux users, “rsync” gives you the ability to back-up your personal data and the ability to copy over only the files that have been modified or added since the last time you backed up.

TIP 5: HOW MALWARE WORKS

Our College’s best computer security measure is education. Therefore, I will describe malware and how malware gets on your computer. Hackers can attack a computer in multiple ways. The most common methods they use are fake software, e-mail attachments, and direct hacking.

The Malware terms you are most likely familiar with are; spyware, Trojan horse, rootkit.

Spyware - "Drive by Download"

Scenario: You click on a link in a search result which takes you to a website and you immediately get pop-ups. You close the pop-up pages but get weird errors. You think nothing harmful could have come of it because you simply "drove by" the website. You didn't download or install anything. However your computer had a software flaw (missing security patches and updates) that let the website install spyware without your permission. You didn't get a warning because the software flaw was in the programming of your web browser. You now have spyware resident on your computer so what you type in web forms, login pages, chat sessions and what sites you visit can all be sent to a hacker's website.

The lesson: frequently install security and software updates to your operating system, your applications, and your web browsers.

Trojan Horse

You down-load a cool calculator program and install it. The calculator works fine. In a few days you start to have problems with your computer and when you search on the internet you start to get annoying pop-ups. Then you start to get popups at random when you are not searching the internet. The malicious pop-up program was most likely hidden away inside the calculator program. The installation also may have implanted itself inside programs that already existed on your computer. This makes it difficult to remove.

Rootkit in e-mail attachment Your friend sends you a funny video, when you double click on it you get a security warning, but you want to see it so you click OK to get past the warning. However nothing happened, the video didn't play, you think nothing of it or that maybe it was a bad copy. Later you talk to your friend who says they didn't send you a video. Something did happen in the background when you clicked on the video, malware was installed. There is no way to know the intent behind it. You may not notice anything but now your computer could be used as a bot net drone to attack web sites or other computers.

TIP 6: SPOOFING

Most likely 99.9% of all University employees have experienced email spoofing. Because it is so common, the subject warrants attention. Email spoofing is when the sender address and other parts of an email header are forged to make it appear as if the email came from a trusted source. The most common spoof is an email from your bank. This email usually redirects you to a fake engineered website that looks like an online banking site where the victim then inputs their account details and password thus giving up banking information to the bad guy.

The perpetrators of such email spoofing are called Phishers. Phishers try and trick people into giving up confidential information. Besides banks, phishers can also send email that appears to come from inside the University or any other organization you may belong to. In the past, many Aggies have received emails that appeared to come from the College Network Lab administrators asking us to confirm account details or change our passwords.

Always be suspicious of emails asking for confidential information. Also, never click a link within unsolicited emails asking for user details and passwords. If you need to contact your bank, another organization, or your administrator do not use links embedded in an email but visit the official website directly through your browser or pick up the phone.

TIP 7: KEYLOGGING

Keylogging is when keystrokes from your keyboard are covertly recorded by a malicious user. Keylogging has become one of the most common malware applications because it is financially lucrative.

How do you become infected with a keylogger? In an earlier security tip, I covered the most common delivery method of a keylogger, it’s called "drive-by download". Drive-by download is a spyware application that is installed on your computer without your knowledge simply by visiting a particular website. By opening a zipped file or clicking on a malicious pop-up ad, the keylogger is unknowingly installed on your computer. Now any credit card numbers you may use to purchase items or pay bills online can be recorded and sent to the bad guys.

Solution: Updating and installing patches to your operating system and using an application like Sophos that protects you against spyware, adware, and viruses is your best defense against keylogging spyware. Windows users can also install the free version of Malwarebytes at: (Copy and paste this site into your browser URL)

http://www.filehippo.com/download_malwarebytes_anti_malware/

Malwarebytes detects spyware and will find and eliminate most keyloggers.

TIP 8: SOCIAL NETWORKING

When conversations come up about social networking they’re for the most part synonymous with Facebook and Twitter. Most people aren’t aware that social networking can place you and your family at great risk to crime.

Social networking sites sometimes have poor security that allow bad guys to access personal information which is then used to hack your computer, your bank account, and other secure sites you may visit. In 2009 both Twitter and Facebook users experienced information compromises. Not only can your computer be compromised but also your HOME!

Scenario: Pretend you have a Facebook account that is either open to the public or you friend anyone who is a friend of a friend of a friend. Therefore you have over 600 friends. This opens up your account to many unknown people and one of those unknowns happens to be casing your Facebook page and has begun following you on Twitter.

By using Facebook, Twitter, and online directory assistance, the unknown now knows your name, your street address, your favorite activities, and has used Google Earth street view to case your neighborhood and home. The Holidays roll around and you’re excited about going to visit relatives. You go on Facebook to tell all your “friends” how lucky you are to be going on Holiday for two weeks. Mr. Unknown now has all the information they need to rob your house while you’re gone.

Statistics: 78 percent of burglars use Facebook, Twitter, and Google Street view to conduct robberies. Most robberies occur during day light hours.

Solution: Log into Facebook, go to the top right corner and select the down arrow. Go to privacy settings and select friends. Also, edit your profile and remove “too” much information and then unfriend all those people you really don’t know personally. Lastly, don’t ever post your specific location or vacation information. If your children have a Facebook page, sit down with them and make these changes.

TIP 9: IS YOUR SMART PHONE TOO SMART?

Tip 9 could be considered an extension of Tip 8. Smartphones are the fastest selling electronic item in the World. When Apple released the iPhone 4s, they sold 4 million devices in 3 days. (That’s $199 X 4 million.) The problem lies not in the amount of devices themselves but in the advanced technology. Android, iPhone, and Blackberry devices have a location sharing feature that tags each photo you take with a GPS location.

Scenario: You’re a mother/father of two children ages 5 and 3. You take the kids to the playground taking photos with your smart phone. You also take photos of the kids in their bedrooms playing with their latest Holiday gifts from grandma and grandpa. So that your extended family members can see how cute your kids are, you post these photos on Facebook. What you also unknowingly post is the exact latitude and longitude location of your children’s playground and bedrooms. The location is embedded in the photo and easily obtained using programs like iPhoto. This may be a useful feature if you’re posting photos on Google Earth otherwise it’s TMI and could place your family in danger.

Even if you don’t have kids and don’t share photos, you may wish to shut this sharing feature down. There is an instance of a young lady in a bar/restaurant posting photos on Facebook directly from her smart phone, location feature enabled and a stalker was able to track her to that location.

Solution: If you own an Android, go to camera settings and turn off GPS tagging. With the iPhone, go to settings, click general, locate location services and slide camera to turn off. For Blackberry, Go into picture-taking mode (via Home Screen, click "Camera" icon), press the Menu button and choose "Options". Set the "Geo-tagging" setting to be "Disabled". Save the updated settings.

TIP 10: FRAUDULENT WEBSITES

How can you tell if a website is legitimate or a scam? Some websites look very professional and they entice shoppers with great prices on popular products. It’s difficult to know whether a professional looking website has a real reputable company behind it, a shoddy company, or an out-and-out scam. There is no single indicator that is proof of a scam however below are "12 tips” of things to look for before you give your credit card information to any website.

Contacts - A reputable transactional website that is selling something will have contact information including company names, their registered business name ("inc', or ltd", etc.), a physical address, a mailing address, an email address or contact form and a phone number. They operate in the open. Can you reach them? Call the contact phone number. Can you reach them during normal business hours in their time zone? Did you get a person or a recording? If you went into voicemail, were you able to reach a live person? Where are they based? Go to www.whois.net and look up their domain name. Are they based in the U.S., UK, or another western country, or in a country that has weak consumer protection laws or enforcement such as Eastern European countries, China, Russia or Asia? Private listing in Whois or the listing names are associated with other scams. A private listing is fine for a personal website, a blog, or an information-only website, but if your business is selling something the Whois entry should identify the company that owns the domain. Do the links on the website work? A few broken links here and there are normal, but if a majority are broken that may indicate a website that was slapped together quickly. Unrelated photos or content. Do the pictures, links and content on the pages match the theme and purpose of the page and website? Vague or inaccurate information - Reputable marketers have access to the product details and know you will want them. Scammers just cut and paste what they can find. Cloned content - Are the photos and text copied from other websites? Misdirection - if you type in a web address, but it redirects to a different web address that can be a sign of a scam. Misrepresentation - Do the terms and conditions or product and services match the advertising and content on their pages? Hidden or hard to find terms and conditions - If the terms are generic and not likely to impact the use of the product or costs, it may not be an issue. But if their terms include buried requirements that cost you money or make the product or service less useful, that's a scam! No listing in related aggregate websites like the Better Business Bureau or related website reviews (like Shopzilla, Shopping.com, Bizrate). The bigger and more reputable firms will show up elsewhere in listings for their industry.

TIP 11: SECURE WEBSITES

This tip is a continuation of tip 10 concerning fraudulent websites. However, this is copied, with permission, from the “Tech Tips” of Andy Medina, Information Technology Support Analyst, Senior for CALS.

Whenever you are on a website that displays or requests personal or financial information (such as a banking website), be sure the connection to the website is "secure." The address or URL should start with HTTPS instead of the normal HTTP (example: https://chaseonline.chase.com/Logon.aspx). The purpose of a secure connection is that traffic between your web browser and the website is encrypted, and such things as passwords or credit card numbers are not visible to anyone that might be eavesdropping on the connection. This is not to be confused with a VPN connection where the traffic between your computer and a VPN "end point" (not the website) is encrypted and the traffic, once it leaves the VPN end point, might not be encrypted. So, even if you are using a VPN connection, always be sure that the HTTPS appearsin the address bar to be sure you have a secure connection to that web site.

Embellishing on Andy’s blog, below are 4 ways to smart online purchases:

1) Use credit cards, not debit cards (debit cards can provide bad guys access to your checking account).

2) Research every site before you order and only shop with trusted retailers.

3) Always save copies of your receipts and check them against your statements.

4) Don’t purchase items while using public computers or a shared public wireless network.

TIP 12: UAWIFI - DO NOT USE UAPUBLIC

This tip is specific to the University campus WiFi and laptops. The campus security statistics for 2011 were just released and the highest incidence of infections occurred to laptops. Most of the infected laptops were using campus wireless called UAPublic, an unsecure wireless network not meant for faculty, staff or student use.

Connecting wirelessly to UAPublic leaves you vulnerable. Instead, use your NetID and password to login to the UAWiFi for a secure wireless network. The laptop data, information and/or identity you save could be yours.

TIP 13: FAKE ANTI-VIRUS OR ROGUE SECURITY SOFTWARE

Rogue Security Software or fake anti-virus software has been around since 2008. It is a form of internet fraud using computer malware that deceives users into paying for fake anti-virus software for the removal of malware. It claims to get rid of malware but instead installs malware on your computer.

The fake antivirus software looks very official and even pretends to update its virus definitions. First you will receive a pop-up window that claims your computer is infected with all kinds of trojans and worms. Typically there will also be a shield in the bottom right hand corner of your task bar. If you receive a pop-up window at any time that says “AV Security 2012” with a scan results window, a big ALARM button, and a ”Remove Threats” button in the bottom right corner, DO NOT click remove threats. If you do, it won’t remove the fake threats but ask you to purchase the fake software while it installs nasty stuff on your computer.

If you do click to remove the threats, it’s possible a rootkit may be bundled with the Rogue. The rootkit will terminate some of the processes in your Windows registry or the file system thus hiding itself. Once installed, it attempts to gather credit card data from your computer and send it to the bad guys. Rogue Security Software is difficult to remove and will most likely require a professional technician.