
Online Security and Privacy: Tips and Tricks

Navigating Today’s Digital Minefield

Penn Professional Staff Assembly
April 6, 2011

Office of Information Security:
• John Lupton
• Melissa Muth

Office of Audit, Compliance and Privacy:
• Maura Johnston
• Lauren Steinfeld


Basic Strong Security Practices

Penn’s Computer Security Policy defines the following requirements for devices on PennNet:

• Set strong passwords (e.g., WrS@PpS82da)
  – Don’t share accounts on your home computer!

• Apply security patches using built-in methods
  – Windows: Automatic Updates
  – Mac: Software Update

• Use built-in firewalls

• Run anti-virus software
  – Symantec/Norton is free to Penn folks!
  – www.upenn.edu/computing/product


Basic Strong Security Practices

In addition, we recommend the following:

• Vet software before installing – much of it is malicious
  – It could snoop (Kazaa), steal data, or take control of your machine
  – Check with your LSP or www.cnet.com/downloads

• Wireless at home:
  – Set a strong password for the wireless access point
  – Enable encryption

• Wireless on the road:
  – Don’t use it for anything that should be secret (passwords, credit card numbers)


Password Issues

• Still the primary authentication factor
• Users still tend to choose poor, easily cracked passwords
  – Kids’/spouses’/pets’ names
  – Favorite singers, sports stars, movie stars, etc.
  – Based on home or email address, birthday, phone number, etc.
  – Other bits of personal data that others would likely know
• Varying length requirements across differing platforms and operating systems
• Varying complexity standards
  – e.g., some require “special characters,” others expressly disallow them
  – Some do not permit certain characters in specific locations, e.g., the 1st character cannot be numeric
• People still give them away
• “Password Fatigue” – how many accounts, how many passwords?


Password Generator Tools

• Windows – the Advanced Password Generator from Segobit Software: http://www.segobit.com/apg.htm

• Mac – Password Assistant: http://www.codepoetry.net/products/passwordassistant

• DON'T use an online password generator! You have no way of knowing what the web site operator is doing with your password.


Passwords – Best Practices

• Longer + more complex = STRONGER!!
  – Increasing length from 8 to 12 AND using special characters increases cracking difficulty by a factor of nearly 100 million (and defeats “rainbow tables”)
  – As of 3/29/2011, PennKey passwords are required to be at least 8 characters
  – Use passphrases where permitted (e.g., Windows XP and later)

• The more random in appearance, the better
  – ‘OeiA;f@11’ is MUCH stronger than ‘B1llyApril6’
  – Use your own “catchphrase” to “build” a semi-random password
  – Avoid using names and dictionary words

• Use “password vault” software to manage the passwords you accumulate
  – KeePass Password Safe is popular for Windows
  – Mac OS X comes with one: Keychain Access

• NEVER give away or expose your passwords
• NEVER send them via email
• NEVER provide them over an unknown/untrusted web interface
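The arithmetic behind the slide's "nearly 100 million" and its two example passwords, as an added example that is not part of the original presentation. Four extra characters drawn from the 94 printable ASCII characters multiply the search space by 94^4 = 78,074,896; the alphabet choice is an assumption here, since the slide does not state which one it used. The example also shows why raw keyspace is not the whole story: counted naively, ‘B1llyApril6’ has slightly more bits than ‘OeiA;f@11’ because it is longer, yet the name/word check flags it immediately once the usual digit-for-letter substitutions are undone. The wordlist and "personal" terms are constructed stand-ins.

```python
import math
import string

# Character classes for the keyspace estimate. The slide does not say which
# alphabet its "nearly 100 million" figure assumes; this example uses the 94
# printable ASCII characters (26 + 26 + 10 letters/digits + 32 symbols).
LOWER, UPPER, DIGITS, SPECIAL = (string.ascii_lowercase, string.ascii_uppercase,
                                 string.digits, string.punctuation)

# Constructed stand-ins for a cracking wordlist and for personal data an
# attacker could easily learn (names, birthday fragments).
WORDLIST = {"password", "welcome", "letmein", "summer", "qwerty"}
PERSONAL = {"billy", "april", "fido", "1978"}

# Common digit/symbol substitutions undone before the word checks, because
# cracking tools apply the same "leet" rules.
LEET = str.maketrans({"1": "i", "0": "o", "3": "e", "@": "a", "$": "s", "5": "s"})


def alphabet_size(pw: str) -> int:
    """Size of the smallest standard alphabet that contains every character of pw."""
    size = 0
    for cls in (LOWER, UPPER, DIGITS, SPECIAL):
        if any(c in cls for c in pw):
            size += len(cls)
    return size


def keyspace_bits(pw: str) -> float:
    """Brute-force search space in bits: length * log2(alphabet size)."""
    return len(pw) * math.log2(alphabet_size(pw))


def keyspace_ratio(len_a: int, alpha_a: int, len_b: int, alpha_b: int) -> int:
    """How many times larger alpha_b**len_b is than alpha_a**len_a (integer-rounded)."""
    return (alpha_b ** len_b) // (alpha_a ** len_a)


def find_weaknesses(pw: str) -> list:
    """Checks the slide's rules: length, special characters, names and dictionary words."""
    issues = []
    if len(pw) < 8:
        issues.append("shorter than 8 characters")
    if not any(c in SPECIAL for c in pw):
        issues.append("no special characters")
    normalised = pw.lower().translate(LEET)   # "B1lly" -> "billy"
    for word in sorted(WORDLIST):
        if word in normalised:
            issues.append(f"contains dictionary word '{word}'")
    for term in sorted(PERSONAL):
        if term in normalised:
            issues.append(f"contains personal term '{term}'")
    return issues


if __name__ == "__main__":
    # Four extra characters from the 94-symbol alphabet: 94**4 = 78,074,896,
    # i.e. the slide's "nearly 100 million".
    print("8 -> 12 chars, full alphabet:", keyspace_ratio(8, 94, 12, 94))
    for pw in ("OeiA;f@11", "B1llyApril6"):
        print(f"{pw}: {keyspace_bits(pw):.1f} bits, weaknesses: {find_weaknesses(pw)}")
```

Run it as a script to see the ratio and both passwords scored. A real checker would use a full cracking wordlist and the user's own profile data in place of the two small constructed sets, but the structure is the same: measure the keyspace, then subtract everything an attacker would guess first.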


Email: A Range of Perils

• Clear text transmission . . . and so much more

• QA your “To” and “Cc” lines every time:
  – Reply-to-all errors
  – Listserv errors
    • A message may go to the full list even though it was sent “from” an individual
    • A listserv may be configured to reveal who is on the list (and that itself may be sensitive)
  – Auto-fill – a huge risk

• Cloud services
  – Compliance issues: privacy and security, litigation holds, export controls . . .
  – Business continuity
  – Guidance on Cloud


Anatomy of a Phishing Attack

Subject: Email Shutdown Notice!!
Date: Fri, 8 Oct 2010 09:44:25 +0200
From: "Alice Hobbs" <[email protected]>

Dear Webmail User,

This message is from the Webmail Support team to all email users. We are currently carrying out an upgrade on our system, […]. We are also having congestions due to the anonymous registration of email accounts, so we are shutting down email accounts deemed to be inactive.

Your email account is listed among those requiring update. To resolve this problem, simply click to reply to this message and enter your User Name here (_____________) And Password Here (___________) to have your email account Cleared against this virus. Failure to comply will lead to the termination of your Email Account.

Hoping to serve you better,

Alice Hobbs
Webmail Support


Anatomy of a Phishing Attack

From: University of Pennsylvania <[email protected]>
Reply-To: <[email protected]>
Date: Wed, 6 Apr 2011 11:02:43 -0400
Subject: Announcement <http://www.upenn.edu/>

We have upgraded our server to new secured 2011 version. This is to enable your webmail account take a new look with new functions and help protect against spam e-mails. You are required to upgrade your account to 2011 version by clicking here:

http://www.123contactform.com/contact-form-barnetda-142435.html

or on the secure link below: https:/secure.upenn.edu
http://www.123contactform.com/contact-form-barnetda-142435.html

© 2011 University of Pennsylvania


Be wary!

• Be protective of passwords and financial data

• Don’t click on the link

• Don’t send your sensitive data in email

• If you think it may be legitimate:
  – Call the sender at a known good phone number
  – Visit the sender at a known web address and log into your account

• Penn will NEVER ask you for your password!
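The red flags in the two "Anatomy of a Phishing Attack" messages, turned into a small checker, as an added example that is not part of the original presentation: a Reply-To that goes to a different domain than the From, a display name claiming the university while the sending domain is not the university's, links that lead somewhere other than the claimed organisation, and the malformed "https:/secure.upenn.edu" pseudo-link. The slides redact the addresses, so example.net and example.org are constructed placeholders; the 123contactform URL is the one shown on slide 9, and the "clean" control message is constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the slide-9 message. The slide redacts the
# addresses, so example.net / example.org stand in for them; the two URLs are
# the ones shown on the slide.
SAMPLE = """\
From: University of Pennsylvania <webmail-support@example.net>
Reply-To: <collector@example.org>
Date: Wed, 6 Apr 2011 11:02:43 -0400
Subject: Announcement

We have upgraded our server to new secured 2011 version. You are required
to upgrade your account to 2011 version by clicking here:
http://www.123contactform.com/contact-form-barnetda-142435.html
or on the secure link below: https:/secure.upenn.edu
http://www.123contactform.com/contact-form-barnetda-142435.html
"""

# Constructed control message with nothing suspicious in it.
CLEAN = """\
From: IT Help Desk <it-help@upenn.edu>
Date: Wed, 6 Apr 2011 12:00:00 -0400
Subject: Scheduled maintenance

The service window is announced at https://www.upenn.edu/ as usual.
"""

# Accepts both the correct "http://" form and the broken "http:/" form so the
# malformed variant can be reported instead of silently skipped.
URL_RE = re.compile(r"https?:/{1,2}[^\s<>\"']+")


def address_domain(header_value: str) -> str:
    """Domain part of the address in a From/Reply-To header ('' if absent)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def org_domain(host: str) -> str:
    """Last two labels of a host name; a good-enough 'organisation' for this demo."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:]) if host else ""


def phishing_indicators(raw_message: str, claimed_org: str) -> list:
    """Returns the red flags the slides describe, found in one text/plain message."""
    msg = message_from_string(raw_message)
    findings = []

    from_dom = address_domain(msg.get("From", ""))
    reply_dom = address_domain(msg.get("Reply-To", ""))
    if from_dom != claimed_org and not from_dom.endswith("." + claimed_org):
        findings.append(f"sender domain {from_dom} is not {claimed_org}")
    if reply_dom and org_domain(reply_dom) != org_domain(from_dom):
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    body = msg.get_payload()          # single-part message, so this is the text
    for url in dict.fromkeys(URL_RE.findall(body)):   # keeps order, drops repeats
        if "://" not in url:
            findings.append(f"malformed link {url} (single slash after the scheme)")
            continue
        host = urlparse(url).hostname or ""
        if org_domain(host) != claimed_org:
            findings.append(f"link points to {host}, not {claimed_org}")
    return findings


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE), ("clean", CLEAN)):
        print(name, phishing_indicators(raw, "upenn.edu"))
```

The checker deliberately does not try to decide "phishing or not" on its own; it lists the same things the "Be wary!" slide tells a reader to look for, so that the decision (and the phone call to a known good number) stays with the person reading the mail.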


Hoaxes, Scams & Frauds

• If it looks too good to be true, it is. Don’t fall for “419” scams that claim you are going to receive millions.

• Craigslist:
  – Be careful when accepting payment for an item you are selling (especially if it is from a foreign country). Cashier’s checks can be forged. After shipping the item, you will find out later from your bank that it was fake.
  – Some people will try to contact you to find out times you will not be at home so they can rob you. Always stay in control and never tell them you won’t be home during that time.

• Facebook:
  – Be wary of emails or Facebook messages people forward you. Some people will create a hoax and get others scared, which ends up being spread all over the Internet. Do a little research before forwarding.

• “Pop-up” windows/Fake Anti-virus:
  – “Virus Found On Your System! Download our product and clean it for $29.95!”
  – Close the windows using the “handles” provided by the operating system; DO NOT click on buttons inside the windows.


“Be Your Own Detective!”

• Most hoaxes and frauds return year after year, and don’t change all that much
  – “Olympic Torch Virus”
  – April 15/IRS

• Google is a powerful tool for getting an idea of how legitimate something is
  – Plug names, phone numbers, phrases, titles (like “Olympic torch virus”) into a search box
  – You’ll likely be surprised how many informative hits you get

• Other excellent, searchable sites for tracking hoaxes and scams
  – www.snopes.com
  – www.scambusters.org
  – urbanlegends.about.com
  – www.quatloos.com


Facebook and Privacy

• Anything on your Facebook wall can be distributed as widely as a “friend” wants it to go. It can also exist permanently if a “friend” wants it to.

• Facebook privacy settings, nevertheless, are still quite valuable and should be understood and used.

TIPS (Demo):
• Tip 1: Always use the Customize button
• Tip 2: Make “Friends Lists” and use them when you post or share photos
• Tip 3: Be restrictive on “Photos and Videos I’m Tagged In”
• Tip 4: Don’t include birthday, address, or cell phone information at all


Use Online Banking Safely

• Many advantages, including saving time, postage, paper
• Safe?
  – Use sites operated by FDIC-insured banks that offer secure, encrypted services
    • Most offer multiple security levels
  – Most important: choose a strong password
    • And protect it!
  – What about banking by smartphone?
• Don’t respond to emails asking for account-related information
  – Call the bank, using a number you look up yourself
  – Don’t trust links in emails
    • Enter the bank web address yourself
• Don’t email sensitive information such as bank account #s or passwords to anyone


Choose Smartphone Apps with Care

• Fun, but also a potential threat to confidential data
  – A wallpaper app sent personal identity information to the developer’s server

• What can you do to help protect yourself?
  – Only download apps from trusted sources
  – Download app updates regularly, especially for banking and payments
  – Use the phone’s built-in security components
  – Consider use of commercially available tools (e.g., Lookout)
  – Be aware – don’t automatically OK app requests to access info
  – Back up important data
  – Check your bill every month
