http://www.nau.edu/its/security/Information Security at Northern Arizona University10en-USThu, 17 Jul 2008 12:12:07 GMTThu, 17 Jul 2008 12:12:07 GMThttp://www5.nau.edu/its/security/newsalerts/ASP.NETHarper.Johnson@nau.eduAsk-ASD@nau.eduhttp://www5.nau.edu/its/security/newsalerts/?id=8<p> New laptop computers are more powerful, have longer lasting batteries, are lighter in weight than their predecessors, and readily take advantage of the wireless networking being installed all around the NAU campus. As such, we have seen an increase in laptop use and several spurts of laptop theft. </p> <p> Being ever more vigilant about cyber crime and identity theft, you’ve likely taken steps to secure the data on your laptop. You’ve installed a firewall. You update your antivirus software. You protect your information with a strong password. You encrypt your data, and you’re far too smart to fall for those emails that ask for your personal information. |nBut what about the physical laptop itself? A minor distraction is all it takes for your laptop to vanish. If it does, you may lose more than an expensive piece of hardware. The fact is, if your data protections aren’t up to par, that sensitive and valuable information in your laptop may be a magnet for an identity thief. </p> <p> Chances are you’ve heard stories about stolen laptops on the news or from friends and colleagues. None of us thinks his or her own laptop will be stolen—at least not until you find the trunk of your car pried open, notice that your laptop isn’t waiting at the other side of airport security, or get a refill at the local java joint only to turn around and find only exposed tabletop where your laptop once was. </p> <p> OnGuardOnline, a website managed by the federal government that is devoted to computer security, protecting personal information, and guarding against Internet fraud, suggests keeping these tips in mind when you take your laptop out and about: </p> <p> Treat your laptop like cash. If you had a wad of money sitting on the table at the library, would you turn your back on it—even for just a minute? Would you put it in checked luggage? Leave it on the backseat of your car? Of course not. Keep a careful eye on your laptop just as you would a pile of cash. </p> <p> Keep it locked. Whether you’re using your laptop in the office, a hotel, or some other public place, a security device can make it more difficult for someone to steal it. Use a laptop security cable and attach it to something immovable or to a heavy piece of furniture that’s difficult to move—say, a table or a desk. </p> <p> Keep it off the floor. No matter where you are in public—at a conference, a coffee shop, or a registration desk—avoid putting your laptop on the floor. If you must put it down, place it between your feet or at least up against your leg so that you’re aware of it. </p> ,p> Keep your passwords elsewhere. Remembering strong passwords or access numbers can be difficult. However, leaving either in a laptop carrying case or on your laptop is like leaving the keys in your car. There’s no reason to make it easy for a thief to get to your personal or corporate information. </p> <p> Mind the bag. When you take your laptop on the road, carrying it in a computer case may advertise what’s inside. Consider using a suitcase, a padded briefcase, a backpack, or even an ugly tote bag instead. </p> <p> Get it out of the car. Don’t leave your laptop in the car—not on the seat, not in the trunk. Parked cars are a favorite target of laptop thieves; don’t help them by leaving your laptop unattended. If you must leave your laptop behind, keep it out of sight. </p> <p> Don’t leave it “for just a minute.” Your conference colleagues seem trustworthy, so you’re comfortable leaving your laptop while you network during a break. The people at the coffee shop seem nice, so you ask them to keep an eye on it while you use the restroom. Don’t leave your laptop unguarded—even for a minute. Take it with you if you can, or at least use a cable to secure it to something heavy. </p> <p> Pay strict attention in airports. Keep your eye on your laptop as you go through security. Hold onto it until the person in front of you has gone through the metal detector—and keep an eye out when it emerges on the other side of the screener. The confusion and shuffle of security checkpoints can be fertile ground for theft. </p> <p> Be vigilant in hotels. If you stay in hotels, a security cable may not be enough. Try not to leave your laptop out in your room. Rather, use the safe in your room if there is one. If you’re using a security cable to lock down your laptop, consider hanging the “do not disturb” sign on your door. </p> <p> Use bells and whistles. Depending on your security needs, an alarm can be a useful tool. Some laptop alarms sound when there’s unexpected motion or when the computer moves outside a specified range around you. Or consider a kind of “lo-jack” for your laptop: a program that reports the location of your stolen laptop once it’s connected to the Internet. </p> <p> Where to turn for help. If your personal laptop is stolen, report it immediately to the local authorities. If it’s your university laptop that’s missing, notify the local authorities and then immediately notify your supervisor. Then go to www.nau.edu/security, click on “report an incident,” and complete the incident form. </p> <p> If it’s your personal laptop and you fear that your information may be misused by an identity thief, visit www.ftc.gov/idtheft for more information. </p> Don.Olson@nau.eduSun, 11 May 2008 17:00:00 GMThttp://www5.nau.edu/its/security/newsalerts/?id=8http://www5.nau.edu/its/security/newsalerts/?id=7<p> Staying connected everywhere all the time—that’s what it’s about, isn’t it? To be sure, that’s where we’re headed according to the common wisdom on the future of computing. Apple even introduced the thinnest laptop ever, the MacBook Air, designed around the notion that everything, including installation of new applications, can occur via the airwaves. Clearly, the future of computing is going to be wireless, freeing us to truly carry our lives, our work, and what has become essentially our other brain, everywhere. </p> <p> On the road to this ultimate Xanadu, however, we still have to make do with occasionally spotty network coverage, but at least these days you can connect at your favorite coffee house, or at the airport, around a university, or in most corporate settings. You might even surf on a stray network that’s available without password protection if the signal bleeds over to your location. </p> <p> But just because you can does not mean you should. Lagging far behind the increasing availability of wireless networks and free Internet hotspot expansion is the dissemination of knowledge about what constitutes a safe connecting. Even if you are sending email or buying that killer guitar on eBay through a secure server, it may be possible that if you are doing it through a free wireless connection, you might be broadcasting private information into the clear air. And that means that someone without your interests at heart could be siphoning off that same data to enrich himself at your expense. </p> <p> Consider the scenario: You open your laptop at an airport or at Buzz’s Buzz Barn coffee house and you’re asked if you’d like to join the available network. Why not? It’s free, and you’ve got some time to kill. Pretty soon you’re upping your bid on that kitschy clown painting on eBay, selling ten thousand shares of Google, and logging into your email account. However, while you may think you are connected directly to the airport server or Buzz’s secure network, in fact you have connected to their networks through another party’s computer, and that person is now recording every byte you send, including your passwords, credit card information, brokerage account data, and your love poem to your significant other. </p> <p> What has happened is a “man-in-the-middle” attack, also known as the “evil twin,” where you mistakenly have connected to a WiFi hotspot which has been set up by an identity thief who is there to steal your personal information. He makes his WiFi connection look like something legitimate for the area you’re in. And if he’s a particularly malevolent sort, he may also be infecting your computer with some nasty viruses that you’ll unwittingly take back to the office or to your home. </p> <p>Or perhaps someone is simply running a packet sniffer to copy everything that flies between your laptop and the wireless access point. This is pretty easy to do on an unsecured network, by the way. The tools to capture credit card numbers and passwords are available for free through the Internet. </p> <p> Although you should be cautious, it’s not something to lose sleep over. The dangers do indeed exist, but as with |nall dangers in life, if you learn the avoidance and counter strategies, and then you can put them out of your mind. </p> <p> Learn what you need to protect yourself, despite the expense of losing that so wonderfully and totally integrated-into-the-global-grid feeling. Security feels pretty good too. Here are some precautions to take. </p> <ul> <li>Use VPN—Virtual Private Network whenever possible. This provides a secure connection all the way from your laptop to the server you’re using. You can learn all about it at www4.nau.edu/its/mensa/services/vpn. One caveat—set up your VPN on a secure network before you use it in public. Setting it up at Buzz’s Buzz Barn is a bad idea.</li <li>Even if you are using NAU’s VPN or another VPN, remember that once you leave the network—you open another browser to connect to Yahoo!, for example—you may no longer be on a secure connection. If you’re not certain you’re secure, then assume you’re not.</li> <li>Make sure that you’re actually connecting to the wireless router provided by the airport or business you’re expecting. In an airport look for signs that give the network name. At a coffee house, ask what the name of their official network access point is. Don’t simply pick one out of a list that comes up when you go to connect. Know what and where you’re connecting to.</li> <li>Turn off shared folders, files, and print sharing. Think of your data as cash in your pocket. Who would you want to have it?</li> <li>Look over your shoulder. Even if you’re using VPN on a legitimate WiFi connection, beware of your neighbors “shoulder surfing” as you send and receive information. Although people do this simply out of boredom or proximity, this low-tech approach is often quite successful for those with less-than-honorable intent. One single compromised password can get very, very costly.</li> <li>Keep your security software up to date. Hackers never take a day off!</li> <li>Never take a free ride on an unknown WiFi network just because it’s there and free. Consider the possibility that someone has baited a trap for you by leaving his network open to your access. Don’t be the signal thief rat caught under the wire trap bale when it snaps down, squeezing your passwords and credit card data out of you.</li> <li>If you use email via WiFi, consider forwarding your mail to a junk address that you use solely when connected wirelessly. This can prevent a malicious attacker from attacking your legitimate email account if your password is compromised to the junk account.</li> <li>If you are using Internet Explorer as your browser, turn off “Use Inline AutoComplete” under Internet Options Advanced settings. This prevents your machine from caching, or storing, your userID and password.\</li> <li>Never check any box offering to remember you by your computer or your username and password.</li> <li>Finally, be aware that even if operating through an encrypted channel, a technique known as “sidejacking” can be used to capture your cookies from transactions on social networking sites. Sometimes cookies contain login :information if the user has asked the site to “remember” his login and password. So although it’s tedious, type it in new rather than acquiescing to convenience, but only on a secure connection!</li> </ul> <p> It really is going to be a big, wide, wonderful WiFi world someday, and there’s no reason to tread in fear. Just be aware and be prepared. </p> Don.Olson@nau.eduSun, 11 May 2008 17:00:00 GMThttp://www5.nau.edu/its/security/newsalerts/?id=7http://www5.nau.edu/its/security/newsalerts/?id=6<p> <b>May 11, 2007 -</b> In 1995, the authoritative and somber voiceover by actor Sam Waterston was ominous: "You need to feel safe. And that's harder to do nowadays, because robots may strike at any time." </p> <p> Of course, this was only a fake television commercial presented on <em>Saturday Night Live</em> for Old Glory Insurance's policies offering protection to senior citizens from robot attacks. It's still a funny bit to watch. But now the robots really are attacking. Although they don't threaten with their metal claws, they now attack by enlisting legions of new allies--the zombie computers. This powerful rogue army is rampaging across the globe, and even worse, you might be an unwitting accomplice in the recruitment of the malevolent mass, known as <em>botnets</em>. Imagine <em>Night of the Living Dead</em> in cyberspace. We now face <em>Attack of the Botnets</em>. </p> <p> "WARNING: Persons denying the existence of robots may be robots themselves." </p> <p> Among the richest environments for botnet infiltration, according to a <em>New York Times</em> article from January 6, 2007, are university networks. With their high-speed Internet capabilities, vast computing resources, large databases, and population of users that includes students, faculty, and staff members who may not be aware of the part they play in the creation of criminal botnet attack forces, universities are a prime target for criminal elements. According to Internet pioneer David J. Farber, quoted in the <em>Times</em> article, "It represents a threat but it's one that is hard to explain… the scope of the problem is still not clear to most people." This is no longer idle vandalism by cut-and-paste script kiddies, but serious illegal activity by professional criminals. </p> <p> On our campus, computer users take advantage of the services offered within the university and also from the greater Internet community: e-mail, web surfing, music downloading, interactive gaming, Internet chat sessions, picture sharing, blogging and countless other activities. Therein lurks the danger. Because so many of these services cost nothing and are easy to access, they mask the insidious threat that may creep beneath the seductive user interface and friendly banter. By clicking that attachment to an email with subject line "Sign Up for Sweepstakes!!!!" you could be enabling code that might turn your laptop into a zombie under the control of robot masters unknown to you. </p> <p> Large collections of such pirated systems can be commanded remotely to send out spam mailings or to search files for financial or security data. With 650 million computers now connected to the Internet worldwide, the opportunities are attractive to cyber criminals. Botnets are made up of programs running on many machines cooperatively under the control of a central automated authority, which in turn is controlled by a determined human somewhere in the world. And with criminals willing to pay money for access to restricted information or to send out millions of emails offering fake prizes to lure in yet more unknowing users, there is a lot of profit for the controllers of botnets. </p> <p> To give an idea of the extent of this capability, one botnet ring broken up in the Netherlands in late 2005 had commandeered a network of 1.5 <em>million</em> computers. Given the multiplicative power of nodes linked together, this is an astounding figure. And remember, the vast majority of the owners of these machines had no idea that their resources were being used for illegal activity. It is estimated that 80 to 90 percent of all spam --that e-mail we all love so dearly-- is sent by such zombie networks. </p> <p> Despite the robust security measures taken at institutions like <acronym title="Northern Arizona University">NAU</acronym>, in order to keep the Internet open and useful some of the responsibility has to be borne by the end users themselves by applying a few common sense security rules: </p> <ul> <li>Never, <em>ever</em> share your passwords or account information.</li> <li>Always use combinations of upper- and lower-case letters, numbers, and special characters in passwords to defeat brute force dictionary-based cracking schemes.</li> <li>Don't use the same password on every account.</li> <li>Don't permit your web browser to store your passwords for you.</li> <li>Never send your password in a session that you did not initiate--that is, don't respond to requests for passwords if you have not sought out the requesting site for your own purposes. Be sure you know the entity requiring it. </li> <li>Never respond to an email request for your passwords. No responsible outfit ever solicits your password or account information with an out-of-the-blue email. Don't believe subject lines like "Your account is overdrawn," or "In response to your request."</li> <li>Never click on attachments on e-mails that are from sources unknown to you</li> <li>Whenever spam e-mails offer a killer deal on some item or service, the odds strongly favor that a rip-off is in progress. Never respond to these come-ons. If it seems like an unbelievable deal, it's most likely because it's false.</li> <li>Use a firewall program that alerts you to unexpected use of outgoing connections on your computer.</li> <li>Never leave your computer unattended when you are logged into any of your private accounts.</li> <li>Regularly run anti-virus software to check for worms, Trojan horses, and viruses on your computer.</li> <li>Report any suspected hostile attack to Information Technology Services.</li> </ul> <p> The response to these concerted attacks on innocent institutions and users requires a dual-edged counter by the service providers <em>and</em> their customers. Security is everybody's business. </p> <p> "So, don't cower under your afghan any longer. Make a choice. Old Glory Insurance. For when the metal ones decide to come for you--and they will." </p> <p> Prophetic words indeed, Mr. Waterston. </p>Don.Olson@nau.eduFri, 11 May 2007 17:00:00 GMThttp://www5.nau.edu/its/security/newsalerts/?id=6http://www5.nau.edu/its/security/newsalerts/?id=5<p> <b>February 2, 2007 -</b> Apparently, you can't go back into the past, but you can certainly borrow from the past. We see it every day: clothes from the seventies, the T-bird from Ford, even talk of a Police reunion tour. With each instance, we see that there has been a slight update to the original, and yet still enough of the original remains intact to invoke images of a kinder, gentler, past which time and nostalgia have placed in our memories. </p> <p> Well, wake up! Will Rogers once said, "Things ain't what they used to be and probably never was." </p> <p> One thing that has been reincarnated from that "kinder, gentler past" is the phone scam. With the aid of computer technology, it too has been given a slight update from the original and is now referred to as vishing. </p> <p> Vishing which is the combination of Voice and Phishing is one more approach to stealing your personal identity or financial data. As we have been bombarded by the waves of web and e-mail scams bombard us, we have slowly forgotten the dangers of the past for the dangers of today. And as we have adapted and become more careful to avoid the computer scam of the day, the criminal element has adapted by bringing back a thing of comfort from the past, the telephone transaction. Yet this time they are using Voice Over Internet Protocol, or <span title="V O I P">VoIP</span>, to hide their trail. </p> <p> In vishing, instead of receiving an e-mail claiming that your account has been compromised, the message is delivered via a <span title="V O I P">VoIP</span> system. The message might claim that your credit card has been illegally used or that there has been unusual activity on the account. It then requests you to call the number in the message immediately to protect your credit. </p> <p> If you call the number, you will get an automated system which asks you to enter your account information for verification. Once you have entered your account number the system may disconnect or it may request that you continue to press keys for additional information. Once you have divulged that information your account has truly been compromised. This entire process can be automated with call control programs that can work tirelessly through a collection of numbers or a specific geographic area, and it only takes a tiny response rate to make it profitable. </p> <p> Phone scams were here long before the computer arrived on the scene. Treat these calls just as you would any "phishy" e-mail or web-scam. Don't reply to the request, and contact your financial institution using only the methods you have already established. </p> <p> As George Wildman Ball said, "Nostalgia is a seductive liar." </p> <p> So remember the past and protect your future. </p>Harper.Johnson@nau.eduFri, 02 Feb 2007 12:00:00 GMThttp://www5.nau.edu/its/security/newsalerts/?id=5