Online Security and Privacy: Tips and Tricks Navigating Today’s Digital Minefield Penn Professional Staff Assembly April 6, 2011 Office of Information Security: • John Lupton •

Online Security and Privacy: Tips and Tricks
Navigating Today’s Digital Minefield
Penn Professional Staff Assembly
April 6, 2011
Office of Information Security:
• John Lupton
• Melissa Muth
Office of Audit, Compliance and Privacy
• Maura Johnston
• Lauren Steinfeld
Basic Strong Security Practices
Penn’s Computer Security Policy defines the following requirements for devices on PennNet:
• Set strong passwords (e.g. WrS@PpS82da)
– Don’t share accounts on home computer!
• Apply security patches using built-in methods
– Windows: Automatic Updates
– Mac: Software Update
• Use built-in firewalls
• Run anti-virus software – Symantec/Norton free to Penn folks!
– www.upenn.edu/computing/product
Basic Strong Security Practices
In addition, we recommend the following:
• Vet software before installing – much is malicious
– Could snoop (Kazaa), steal data, or take control
– Check with your LSP or www.cnet.com/downloads
• Wireless at home:
– Set strong password for wireless access point
– Enable encryption
• Wireless on the road:
– Don’t use for anything that should be secret (passwords, credit card numbers)
Password Issues
• Still the primary authentication factor
• Users still tend to choose poor, easily cracked passwords
– Kids/spouses/pets names
– Favorite singers, sports stars, movie stars, etc.
– Based on home or email address, birthday, phone number, etc.
– Other bits of personal data that others would likely know
• Varying length requirements across differing platforms and operating systems
• Varying complexity standards
– e.g., Some require “special characters,” others expressly disallow them
– Some do not permit certain characters in specific locations, e.g., 1st character cannot be numeric, etc.
• People still give them away
• “Password Fatigue” – how many accounts, how many passwords?
Password Generator Tools
• Windows - the Advanced Password Generator from Segobit Software:
http://www.segobit.com/apg.htm
• Mac - Password Assistant
http://www.codepoetry.net/products/passwordassistant
• DON'T use an online password generator! You have no way of knowing what the web site operator is doing with your password.
Passwords – Best Practices
• Longer + more complex = STRONGER!!
– Increase length from 8 to 12 AND use special characters increases cracking difficulty by factor of nearly 100 million (and defeats “rainbow tables”)
– As of 3/29/2011, PennKey passwords now required to be at least 8 characters
– Use passphrases where permitted (e.g., Windows XP and later)
• The more random in appearance, the better
– ‘OeiA;f@11’ is MUCH stronger than ‘B1llyApril6’
– Use your own “catchphrase” to “build” a semi-random password
– Avoid using names, dictionary words
• Use “password vault” software to manage the passwords you accumulate
– KeePass Password Safe is popular for Windows
– Mac OS X comes with one: Keychain Access
• NEVER give away or expose your passwords
• NEVER send them via email
• NEVER provide them over an unknown/untrusted web interface
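The two password slides above make three claims that are easy to check with a few lines of code: a generator that runs locally (so no web site ever sees the password), the "8 to 12 characters" factor of nearly 100 million, and the claim that ‘OeiA;f@11’ is much stronger than ‘B1llyApril6’ even though the second one is longer. The block below is an added example for this page, not code from the Penn presentation or from the tools it lists. It draws passwords from the operating system CSPRNG via Python's `secrets` module, and its strength estimator uses an assumed attacker dictionary size (100,000 words) and a constructed toy wordlist (`WORDLIST`), both marked in the code.

```python
"""Local password generation and strength arithmetic.

Added example for the "Password Generator Tools" and "Passwords - Best
Practices" slides; not code from the Penn presentation. Passwords come from
the OS CSPRNG (nothing is sent to a web site). The strength estimator uses an
assumed attacker dictionary size and a constructed toy wordlist, marked below.
"""
import math
import secrets
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SPECIAL = string.punctuation                   # 32 printable ASCII symbols
ALL_CLASSES = (LOWER, UPPER, DIGITS, SPECIAL)

# Assumptions (not from the slides): a cracker wordlist of 100k entries and
# 3 extra bits per word to cover case and leet variants.
DICT_SIZE_BITS = math.log2(100_000)
VARIANT_BITS = 3
# Constructed toy wordlist so the example runs offline; real crackers use millions.
WORDLIST = {"billy", "april", "penn", "password", "quaker", "summer", "love"}
# Undo common leet substitutions before looking for dictionary words.
LEET = str.maketrans("013457$@", "oieastsa")


def generate_password(length=12, classes=ALL_CLASSES):
    """Uniform random password that uses every class at least once (rejection sampling)."""
    if length < len(classes):
        raise ValueError("length too short to cover every character class")
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def classes_used(password, classes=ALL_CLASSES):
    """The character classes that actually appear in the password."""
    return tuple(cls for cls in classes if any(ch in cls for ch in password))


def keyspace(length, alphabet_size):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(length, alphabet_size):
    """Bits of entropy of a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def strength_ratio(old_len, old_alpha, new_len, new_alpha):
    """How many times larger the new keyspace is than the old one."""
    return keyspace(new_len, new_alpha) / keyspace(old_len, old_alpha)


def brute_force_bits(password):
    """Work for an attacker who brute-forces only the character classes used."""
    return entropy_bits(len(password), sum(len(c) for c in classes_used(password)))


def dictionary_tokens(password):
    """Split into wordlist words and digit runs after undoing leet; None if it won't split."""
    s = password.lower().translate(LEET)
    tokens, i = [], 0
    while i < len(s):
        if s[i].isdigit():
            j = i
            while j < len(s) and s[j].isdigit():
                j += 1
            tokens.append(("digits", s[i:j]))
            i = j
            continue
        word = max((w for w in WORDLIST if s.startswith(w, i)), key=len, default=None)
        if word is None:
            return None
        tokens.append(("word", word))
        i += len(word)
    return tokens


def guess_bits(password):
    """Estimated attacker work: dictionary attack if the password decomposes, else brute force."""
    brute = brute_force_bits(password)
    tokens = dictionary_tokens(password)
    if tokens is None:
        return brute
    pattern = sum(DICT_SIZE_BITS + VARIANT_BITS if kind == "word" else len(val) * math.log2(10)
                  for kind, val in tokens)
    return min(pattern, brute)


if __name__ == "__main__":
    print("generated:", generate_password(12))
    # 8 -> 12 characters over the 95 printable ASCII characters: 95**4, about 81 million
    print(f"8 -> 12 chars, same alphabet: {strength_ratio(8, 95, 12, 95):,.0f}x")
    # 8 alphanumeric -> 12 printable ASCII: roughly 2.5 billion times larger
    print(f"8 alnum -> 12 full ASCII: {strength_ratio(8, 62, 12, 95):.3g}x")
    for pw in ("OeiA;f@11", "B1llyApril6"):
        print(f"{pw!r}: brute-force {brute_force_bits(pw):.1f} bits, "
              f"estimated {guess_bits(pw):.1f} bits")
```

The point the last two lines of output make is the one the slide makes: by raw keyspace the 11-character ‘B1llyApril6’ looks stronger than the 9-character ‘OeiA;f@11’, but once the leet substitutions are undone it is two dictionary words and a digit, so a rule-based cracker finds it in a fraction of the work. The "nearly 100 million" factor on the slide is 95^4, the extra four positions over the printable-ASCII alphabet; starting from an 8-character alphanumeric password the gain is larger still.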
Email: A Range of Perils
• Clear text transmission . . . And so much more
• QA your “To” and “Cc” lines every time:
– Reply to all errors
– Listserv errors
• Message may go to full list even though it was sent “from” an individual
• Listserv may be configured to reveal who is on the list (and that itself may be sensitive)
– Auto fill -- a huge risk
• Cloud services
– Compliance issues: privacy and security, litigation holds, export controls . . .
– Business continuity
– Guidance on Cloud
Anatomy of a Phishing Attack
Subject: Email Shutdown Notice!!
Date: Fri, 8 Oct 2010 09:44:25 +0200
From: "Alice Hobbs" <[email protected]>

Dear Webmail User,

This message is from the Webmail Support team to all email users. We are currently carrying out an upgrade on our system, […]. We are also having congestions due to the anonymous registration of email accounts, so we are shutting down email accounts deemed to be inactive.

Your email account is listed among those requiring update. To resolve this problem, simply click to reply to this message and enter your User Name here (_____________) And Password Here (___________) to have your email account Cleared against this virus. Failure to comply will lead to the termination of your Email Account.

Hoping to serve you better,
Alice Hobbs Webmail Support
Anatomy of a Phishing Attack
From: University of Pennsylvania <[email protected]>
Reply-To: <[email protected]>
Date: Wed, 6 Apr 2011 11:02:43 -0400
Subject: Announcement <http://www.upenn.edu/>

We have upgraded our server to new secured 2011 version. This is to enable your webmail account take a new look with new functions and help protect against spam e-mails. You are required to upgrade your account to 2011 version by clicking here:
http://www.123contactform.com/contact-form-barnetda-142435.html
or on the secure link below:
https:/secure.upenn.edu http://www.123contactform.com/contact-formbarnetda-142435.html
© 2011 University of Pennsylvania
Be wary!
• Be protective of passwords and financial data
• Don’t click on the link
• Don’t send your sensitive data in email
• If you think it may be legitimate:
– Call sender at known good phone number
– Visit sender at known web address and log into account
• Penn will NEVER ask you for your password!
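The two sample messages share the tells the "Be wary!" slide warns about: a Reply-To that goes somewhere other than the From address, a link whose visible text names secure.upenn.edu while the actual destination is a third-party form host, and a request to hand over a password. Those tells are mechanical enough to check in code. The block below is an added example for this page, not code from the Penn presentation; it parses one message with Python's standard `email` and `html.parser` modules and lists the indicators it finds. Both messages in it are constructed for the example, with placeholder addresses and URLs (example.edu, example.net) in place of the real ones on the slides, and the trusted-domain list (`TRUSTED_DOMAINS`) is an assumption.

```python
"""Phishing indicator checks over a raw email message.

Added example for the "Anatomy of a Phishing Attack" and "Be wary!" slides;
not code from the Penn presentation. Flags: Reply-To domain differing from
From, a sender domain outside the trusted list, link text naming a trusted
site while the href goes elsewhere, links to untrusted hosts, and a request
for a password. Both sample messages are constructed; every address and URL
in them is a placeholder, not the real ones from the slides.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"upenn.edu"}   # assumption: the only domain Penn mail should link to

SAMPLE_PHISH = """\
From: University of Pennsylvania <noreply@example.edu>
Reply-To: <webmail-upgrade@example.net>
Date: Wed, 6 Apr 2011 11:02:43 -0400
Subject: Announcement
Content-Type: text/html

<p>We have upgraded our server to new secured 2011 version. You are required
to upgrade your account to 2011 version by clicking
<a href="http://www.example.net/contact-form-142435.html">here</a>
or on the secure link below:
<a href="http://www.example.net/contact-form-142435.html">https://secure.upenn.edu</a></p>
<p>Enter your User Name and Password to keep your account active.</p>
"""

SAMPLE_LEGIT = """\
From: Office of Information Security <security@upenn.edu>
Date: Wed, 6 Apr 2011 12:00:00 -0400
Subject: Slides from today's talk
Content-Type: text/html

<p>Today's slides are posted at
<a href="https://www.upenn.edu/">https://www.upenn.edu/</a>.</p>
"""


def domain_of(header_value):
    """Lowercase domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def is_trusted(host):
    """True if host is a trusted domain or a subdomain of one (suffix match on a label boundary)."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def phishing_indicators(raw_message):
    """Return human-readable findings; an empty list means no tells were found."""
    msg = message_from_string(raw_message)
    findings = []
    from_dom, reply_dom = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if not is_trusted(from_dom):
        findings.append(f"sender domain {from_dom} is not trusted")
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    for href, text in extract_links(body):
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if text_host and text_host.lower() != href_host.lower():
            findings.append(f"link text shows {text_host} but goes to {href_host}")
        if not is_trusted(href_host):
            findings.append(f"link to untrusted host {href_host}")
    if re.search(r"\bpassword\b", body, re.IGNORECASE):
        findings.append("message asks for a password")
    return list(dict.fromkeys(findings))   # drop duplicate findings, keep order
```

Run `phishing_indicators(SAMPLE_PHISH)` and every slide tell comes back as a finding; the legitimate sample produces none. The suffix check in `is_trusted` matches only on a label boundary, so a lookalike such as upenn.edu.example.net is not treated as trusted. None of this replaces the slide's advice to call the sender at a known number or type the address yourself; it only shows that the warning signs are visible in the message headers and markup before anyone clicks.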
Hoaxes, Scams & Frauds
• If it looks too good to be true, it is. Don’t fall for “419” scams that claim you are going to receive millions.
• Craigslist:
– Be careful when accepting payment for an item you are selling (especially if it is from a foreign country). Cashier’s checks can be forged. After shipping the item, you will find out later from your bank it was fake.
– Some people will try and contact you to find out times you will not be at home so they can rob you. Always stay in control and never tell them you won’t be home during that time.
• Facebook:
– Be wary of emails or Facebook messages people forward you. Some people will create a hoax and get others scared which ends up being spread all over the Internet. Do a little research before forwarding.
• “Pop-up” windows/Fake Anti-virus:
– “Virus Found On Your System! Download our product and clean it for $29.95!”
– Close the windows using the “handles” provided by the operating system; DO NOT click on buttons inside the windows.
“Be Your Own Detective!”
• Most hoaxes and frauds return year after year, and don’t change all that much
– “Olympic Torch Virus”
– April 15/IRS
• Google is a powerful tool for getting an idea of whether a message is legitimate
– Plug names, phone numbers, phrases, titles (like “Olympic torch virus”) into a search box
– You’ll likely be surprised how many informative hits you get
• Other excellent, searchable sites for tracking hoaxes and scams
– www.snopes.com
– www.scambusters.org
– urbanlegends.about.com
– www.quatloos.com
Facebook and Privacy
• Anything on your Facebook wall can be distributed as widely as a
“friend” wants it to go. It can also exist permanently if a “friend” wants
it to.
• Facebook privacy settings, nevertheless, are still quite valuable and
should be understood and used.
TIPS: (Demo)
• Tip 1: Always use the Customize Button
• Tip 2: Make “Friends Lists” and use them when you post, share photos.
• Tip 3: Be restrictive on “Photos and Videos I’m Tagged In”
• Tip 4: Don’t include birthday, address, cell phone information at all
Use Online Banking Safely
• Many advantages, including saving time, postage, paper
• Safe?
– Use sites operated by FDIC-insured banks that offer secure, encrypted services
• Most offer multiple security levels
– Most important: choose strong password
• And protect it!
– What about banking by smartphone?
• Don’t respond to emails asking for account-related information
– Call bank, using number you look up yourself
– Don’t trust links in emails
• Enter bank web address yourself
• Don’t email sensitive information such as bank account #s or passwords to anyone
Choose Smartphone Apps with Care
• Fun, but also potential threat to confidential data
– Wallpaper app sent personal identity information to developer’s server
• What can you do to help protect yourself?
– Only download apps from trusted sources
– Download app updates regularly, especially for banking and payments
– Use phone’s built-in security components
– Consider use of commercially-available tools (e.g., Lookout)
– Be aware -- don’t automatically OK app requests to access info
– Backup important data
– Check bill every month