ARE Information Technology

Cyber Trends for 2010

2010-01-26T13:24:00.005-05:00

As we begin the new year, it’s an opportune time to assess the cyber security landscape and prepare for what new challenges may lie ahead, as well as what current threats may continue.

What Are the Cyber Trends for 2010?

•Malware, worms, and Trojan horses: These will continue to spread by email, instant messaging, malicious websites, and infected non-malicious websites. Some websites will automatically download the malware without the user’s knowledge or ntervention. This is known as a “drive-by download.” Other methods will require the users to click on a link or button.

•Botnets and zombies: These threats will continue to proliferate as the attack techniques evolve and become available to a broader audience, with less technical knowledge required to launch successful attacks. Botnets designed to steal data are improving their encryption capabilities and thus becoming more difficult to detect.

•Scareware – fake/rogue security software: There are millions of different versions of malware, with hundreds more being created and used every day. This type of scam can be particularly profitable for cyber criminals -- as many users believe the pop-up warnings telling them their system is infected and are lured into downloading and paying for the special software to “protect” their system.

•Attacks on client-side software - With users keeping their operating systems patched, client-side software vulnerabilities are now an increasingly popular means of attacking systems. Client-side software includes things like Internet browsers, media players, PDF readers, etc. This software will continue to have vulnerabilities and subsequently be targeted by various malwares.

•Ransom attacks occur when a user or company is hit by malware that encrypts their hard drives or they are hit with a Distributed Denial of Service Attack (DDOS) attack. The cyber criminals then notify the user or company that if they pay a small fee, the DDOS attack will stop or the hard drive will be unencrypted. This type of attack has existed for a number of years and is now it is gaining in popularity.

•Social Network Attacks: Social network attacks will be one of the major sources of attacks in 2010 because of the volume of users and the amount of personal information that is posted. Users’ inherent trust in their online friends is what makes these networks a prime target. For example, users may be prompted to follow a link on someone's page, which could bring users to a malicious website.

•Cloud Computing: Cloud computing is a growing trend due to its considerable cost savings opportunities for organizations. Cloud computing refers to a type of computing that relies on sharing computing resources rather than maintaining and supporting local servers. The growing use of cloud computing will make it a prime target for attack.

•Web Applications: There continues to be a large number of websites and online applications developed with inadequate security controls. These security gaps can lead to the compromise of the site and potentially to the site’s visitors.

•Budget cuts will be a problem for security personnel and a boon to cyber criminals. With less money to update software, hire personnel and implement security controls enterprises will be trying to do more with less. By not having up-to-date software, appropriate security controls or enough personnel to secure and monitor the networks, organizations will be more vulnerable.

What Can I Do?

The following are helpful tips to assist in minimizing risk:

•Properly configure and patch operating systems, browsers, and other software programs.
•Use and regularly update firewalls, anti-virus, and anti-spyware programs.
•Be cautious about all communications; think before you click. Use common sense when communicating with users you DO and DO NOT know.
•Do not open email or related attachments from un-trusted sources.

Additional Information:
• IBM’s Top Security Trends for 2010: http://www.internetnews.com/security/article.php/3849636/

• Symantec’s Top Security Trends for 2010: http://www.internetnews.com/security/article.php/3849371

• SANS Top Cyber Security Risks:
http://www.sans.org/top-cyber-security-risks/

• Bankinfosecurity.com article:
http://www.bankinfosecurity.com/articles.php?art_id=1926

• PC World:
http://www.pcworld.com/article/182889/new_banking_trojan_horses_gain_polish.html

• Panda Labs 2009 Annual Malware Report:
http://www.pandasecurity.com/img/enc/Annual_Report_Pandalabs_2009.pdf

2010-01-06T11:37:00.001-05:00

Automatic Software Updates and Patching

Security vulnerabilities are flaws in the software that could allow someone to potentially compromise your system. Each year, the volume of software security vulnerabilities discovered increases, and the hacking tools available to exploit these vulnerabilities become more readily available and easier to use. Vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office are prime targets of attacks on computers connected to the Internet. Recent statistics reported show that 48% of the cyber attacks identified in the second quarter of 2009 were targeted against vulnerabilities in Adobe Acrobat/Adobe Reader1 and in October 2009 Microsoft released patches for a record number of security holes. No entity is immune to vulnerabilities, so we must ensure we understand the risks and take appropriate mitigation steps.

Why do I need to update my software?

One of the basic tenets of computer security is to update your operating system and other software installed on your computer. Software updates fix problems in the software, add functionality, and most importantly, fix vulnerabilities that impact the security of the software and subsequently your computer. These vulnerabilities can lead to your computer—and information that resides on it—being compromised. Exploitation of vulnerabilities may occur by opening documents, viewing an email which contains malicious code or visiting a web site hosting malicious content. Seventy percent of the top 100 web sites hosted malicious content or contained a link designed to redirect users to malicious sites.2

What is a software patch (fix) and when should I install software patches?

Patches are often called "fixes." A patch is software that is used to correct a problem to an application (software program) or an operating system. Computer companies are continuously addressing security holes (i.e. vulnerabilities) in computer software which could be used to infect your computer with a virus, spyware or worse. When vulnerabilities are discovered, the software vendor typically issues a fix (i.e. patch) to correct the problem. This fix should be applied as soon as possible since the average time for someone to try to exploit this security hole can be as little as a few minutes. Most major software companies will periodically release patches, usually downloadable from the Internet, that correct very specific problems in their software programs.

My computer includes hundreds of software programs-- which ones do I need to update and how often?

One of the challenges facing the average computer user is to know which software needs to be updated and how often. Software programs that communicate or interact with the Internet are especially susceptible to attacks and should be kept at a vendor-supported version and current on all patches.

Many software programs include a feature called “auto update.” This feature allows the computer to check for updates at periodic intervals. The software will automatically check for updates and save them to your computer. Some updates will instruct you to “reboot” your computer before the software update can be applied.

At a minimum, you should enable the auto update feature on the following products:
* Anti-virus and Anti-spam signatures: anti-virus and anti-spam software requires regular updates to virus and spam signatures to remain effective. New viruses and other types of malware appear every day and the anti-virus/anti-spam vendors release new signatures on a daily basis to stay on top of the new threats.
* Windows Office software: Word, Excel, Outlook, etc. – (see below for updating Windows software)
* Internet Browsers: e.g., Internet Explorer (Microsoft), Firefox (Mozilla), Safari (Apple) and Chrome (Google). Make sure you update any software you use for browsing the Internet.
* Adobe products: e.g., Adobe Reader, Adobe Acrobat, Flash, Shockwave
* Media Players: e.g., Windows Media Player (Microsoft), QuickTime (Apple), Real Player (Real Networks) and Flash Player (Adobe)
* Java (Sun Microsystems): Java is software that is installed on most computers to allow users to play online games, conduct online chats, and view images in 3D, among other functions. It is also used for Intranet applications and other e-business solutions.
* Other software programs that communicate or interact with the Internet, like e-mail, web servers, and remote desktop software are especially susceptible to attacks and should be kept current on patches and version levels.

It is very important to promptly download and patch your operating system and programs whenever security updates or “service packs” become available. These patches are created to protect systems against potential attacks. Be aware that attacks sometimes occur before updates are released.

How do I update my Microsoft Windows programs?
Windows Update is a Microsoft service that provides updates for the Windows operating system and other Microsoft software. Installing Windows updates, such as “service packs” and other patches, is necessary to keep your Windows system secure. To activate Windows Update, go to Settings/Control Panel/Automatic Updates. When you turn on Automatic Updates, Windows routinely checks the Windows Update web site for high-priority updates that can help protect your computer from the latest viruses and other security threats. These updates can include security updates, critical updates, and “service packs.” Depending on the setting you choose, Windows automatically downloads and installs any high-priority updates that your computer needs, or notifies you as these updates become available. Be sure to set the auto updates to daily, as patches can be released at any time.

*Note* Many organizations have formal processes to patch systems that will automatically update all appropriate software. In these situations, no end user action is required.

For more information, please visit the monthly cyber security newsletter tips at: www.msisac.org/awareness/news/

Protecting Portable Devices: Physical Security

2009-12-03T16:07:00.003-05:00

Many computer users, especially those who travel for business, rely on laptops and PDAs because they are small and easily transported. But while these characteristics make them popular and convenient, they also make them an ideal target for thieves. Make sure to secure your portable devices to protect both the machine and the nformation it contains.

What is at risk?

Only you can determine what is actually at risk. If a thief steals your laptop or PDA, the most obvious loss is the machine itself. However, if the thief is able to access the information on the computer or PDA, all of the information stored on the device is at risk, as well as any additional information that could be accessed as a result of the data stored on the device itself.

Sensitive corporate information or customer account information should not be accessed by unauthorized people. You've probably heard news stories about organizations panicking because laptops with confidential information on them have been lost or stolen. But even if there isn't any sensitive corporate information on your laptop or PDA, think of the other information at risk: information about appointments, passwords, email addresses and other contact information, personal information for online accounts, etc.

How can you protect your laptop or PDA?

* Password-protect your computer - Make sure that you have to enter a password to log in to your computer or PDA (see Choosing and Protecting Passwords for more information).
* Keep your laptop or PDA with you at all times - When traveling, keep your laptop with you. Meal times are optimum times for thieves to check hotel rooms for unattended laptops. If you are attending a conference or trade show, be especially waryâ€”these venues offer thieves a wider selection of devices that are likely to contain sensitive information, and the conference sessions offer more opportunities for thieves to access guest rooms.
* Downplay your laptop or PDA - There is no need to advertise to thieves that you have a laptop or PDA. Avoid using your portable device in public areas, and consider non-traditional bags for carrying your laptop.
* Be aware of your surroundings - If you do use your laptop or PDA in a public area, pay attention to people around you. Take precautions to shield yourself from "shoulder surfers"â€”make sure that no one can see you type your passwords or see any sensitive information on your screen.
* Consider an alarm or lock - Many companies sell alarms or locks that you can use to protect or secure your laptop. If you travel often or will be in a heavily populated area, you may want to consider investing in an alarm for your laptop bag or a lock to secure your laptop to a piece of furniture.
* Back up your files - If your portable device is stolen, it's bad enough that someone else may be able to access your information. To avoid losing all of the information, make backups of important information and store the backups in a separate location (see Good Security Habits for more information). Not only will you still be able to access the information, but you'll be able to identify and report exactly what information is at risk.

What can you do if your laptop or PDA is lost or stolen?

Report the loss or theft to the appropriate authorities. These parties may include representatives from law enforcement agencies, as well as hotel or conference staff. If your device contained sensitive corporate or customer account information, immediately report the loss or theft to your organization so that they can act quickly.

Warning about bogus CDC/H1N1 website

2009-12-02T14:39:00.004-05:00

US-CERT is aware of public reports of a malware campaign circulating. This campaign is circulating via email messages offering information regarding the H1N1 vaccination. This email messages contain a link to a bogus Centers for Disease Control and Prevention website. Users who click on this link may become infected with malware. Public reports indicate that these email messages are noted as having subject lines such as: "Governmental registration program on the H1N1 vaccination" and "Your personal vaccination profile." Please note that subject lines may change at any time.

US-CERT encourages users to take the following precautions to help mitigate the risks:
* Install antivirus software, and keep the signature files up to date.
* Do not follow unsolicited links and do not open unsolicited email messages.
* Use caution when visiting untrusted websites.
* Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
* Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on avoiding social engineering attacks.

Recognizing and Avoiding Spyware

2009-11-19T19:08:00.005-05:00

Recognizing and Avoiding Spyware

Because of its popularity, the internet has become an ideal target for advertising. As a result, spyware, or adware, has become increasingly prevalent. When troubleshooting problems with your computer, you may discover that the source of the problem is spyware software that has been installed on your machine without your knowledge.

What is spyware?

Despite its name, the term "spyware" doesn't refer to something used by undercover operatives, but rather by the advertising industry. In fact,spyware is also known as "adware." It refers to a category of software that,when installed on your computer, may send you pop-up ads, redirect your browser to certain web sites, or monitor the web sites that you visit. Some extreme, invasive versions of spyware may track exactly what keys you type. Attackers may also use spyware for malicious purposes.

Because of the extra processing, spyware may cause your computer to become slow or sluggish. There are also privacy implications:

* What information is being gathered?
* Who is receiving it?
* How is it being used?

How do you know if there is spyware on your computer?

The following symptoms may indicate that spyware is installed on your computer:

* you are subjected to endless pop-up windows
* you are redirected to web sites other than the one you typed into your browser
* new, unexpected toolbars appear in your web browser
* new, unexpected icons appear in the task tray at the bottom of your screen
* your browser's home page suddenly changed
* the search engine your browser opens when you click "search" has been changed
* certain keys fail to work in your browser (e.g., the tab key doesn't work when you are moving to the next field within a form)
* random Windows error messages begin to appear
* your computer suddenly seems very slow when opening programs or processing tasks (saving files, etc.)

How can you prevent spyware from installing on your computer?

To avoid unintentionally installing it yourself, follow these good security practices:

* Don't click on links within pop-up windows - Because pop-up windows are often a product of spyware, clicking on the window may install spyware software on your computer. To close the pop-up window, click on the "X" icon in the titlebar instead of a "close" link within the window.
* Choose "no" when asked unexpected questions - Be wary of unexpected dialog boxes asking whether you want to run a particular program or perform another type of task. Always select "no" or "cancel," or close the dialog box by clicking the "X" icon in the titlebar.
* Be wary of free downloadable software - There are many sites that offer customized toolbars or other features that appeal to users. Don't download programs from sites you don't trust, and realize that you may be exposing your computer to spyware by downloading some of these programs.
* Don't follow email links claiming to offer anti-spyware software - Like email viruses, the links may serve the opposite purpose and actually install the spyware it claims to be eliminating.

As an additional good security practice, especially if you are concerned that you might have spyware on your machine and want to minimize the impact, consider taking the following action:

* Adjust your browser preferences to limit pop-up windows and cookies - Pop-up windows are often generated by some kind of scripting or active content. Adjusting the settings within your browser to reduce or prevent scripting or active content may reduce the number of pop-up windows that appear. Some browsers offer a specific option to block or limit pop-up windows. Certain types of cookies are sometimes considered spyware because they reveal what web pages you have visited. You can adjust your privacy settings to only allow cookies for the web site you are visiting (see Browsing Safely: Understanding Active Content and Cookies and Evaluating Your Web Browser's Security Settings for more information).

How do you remove spyware?

* Run a full scan on your computer with your anti-virus software - Some anti-virus software will find and remove spyware, but it may not find the spyware when it is monitoring your computer in real time. Set your anti-virus software to prompt you to run a full scan periodically (see Understanding Anti-Virus Software for more information).
* Run a legitimate product specifically designed to remove spyware - Many vendors offer products that will scan your computer for spyware and remove any spyware software. Popular products include Lavasoft's Ad-Aware, Microsoft's Window Defender, Webroot's SpySweeper, and Spybot Search and Destroy.
* Make sure that your anti-virus and anti-spyware software are compatible - Take a phased approach to installing the software to ensure that you don't unintentionally introduce problems (see Coordinating Virus and Spyware Defense for more information). _________________________________________________________________

Authors: Mindi McDowell, Matt Lytle
_________________________________________________________________

Copyright 2004 Carnegie Mellon University. Terms of use
US-CERT

Cyber Shopping Tips - Don't Get Scrooged This Holiday Season

2009-11-05T12:16:00.003-05:00

Online Holiday Shopping Tips (these apply all year)

The holiday season is approaching quickly and many of us will be shopping online. ComScore estimates that in one day alone last year --Cyber Monday on December 1, 2008 --$846 million was spent in online shopping, marking a 15% jump from 2007. With the increased volume of online shopping, it’s important that consumers understand the potential security risks and know how to protect themselves and their information.

The following tips are provided to help promote a safe, secure online shopping experience:

* Secure your computer. Make sure your computer has the latest security updates installed. Check that your anti-virus/anti-spyware software is running and receiving automatic updates. If you haven’t already done so, install a firewall before you begin your online shopping.

* Upgrade your browser. Upgrade your Internet browser to the most recent version available. Review the browser’s security settings. Apply the highest level of security available that still gives you the functionality you need.

* Ignore pop-up messages. Set your browser to block pop-up messages. If you do receive one, click on the "X" at the top right corner of the title bar to close the pop-up message.

* Secure your transactions. Look for the "lock" icon on the browser's status bar and be sure “https” appears in the website’s address bar before making an online purchase. The "s" stands for "secure” and indicates that the webpage is encrypted. Some browsers can be set to warn the user if they are submitting information that is not encrypted.

* Use strong passwords. Create strong passwords for online accounts. Use at least eight characters, with numbers, special characters, and upper and lower case letters. Don’t use the same passwords for online shopping websites that you use for logging onto your home or work computer. Never share your login and/or password.

* Do not e-mail sensitive data. Never e-mail credit card or other financial/sensitive information. E-mail is like sending a postcard and other people have the potential to read it.

* Do not use public computers or public wireless to conduct transactions. Don’t use public computers or public wireless for your online shopping. Public computers may contain malicious software that steals your credit card information when you place your order. Criminals may be monitoring public wireless for credit card numbers and other confidential information.

* Review privacy policies. Review the privacy policy for the website/merchant you are visiting. Know what information the merchant is collecting about you, how it will be used, and if it will be shared or sold to others.

* Make payments securely. Pay by credit card rather than debit card. Credit/charge card transactions are protected by the Fair Credit Billing Act. Cardholders are typically only liable for the first $50 in unauthorized charges. If online criminals obtain your debit card information they have the potential to empty your bank account.

* Use temporary account authorizations. Some credit card companies offer virtual or temporary credit card numbers. This service gives you a temporary account number for online transactions. These numbers are issued for a short period of time and cannot be used after that period.

* Select merchants carefully. Limit your online shopping to merchants you know and trust. Confirm the online seller's physical address and phone number in case you have questions or problems. If you have questions about a merchant check with the Better Business Bureau or the Federal Trade Commission.

* Keep a record. Keep a record of your online transactions, including the product description and price, the online receipt, and copies of every e-mail you send or receive from the seller. Review your credit card and bank statements for unauthorized charges.

What to do if you encounter problems with an online shopping site:
If you have problems shopping online contact the seller or site operator directly. If those attempts are not successful, you may wish to contact the following entities:
the Attorney General's office at: http://www.ncdoj.com/
the Better Business Bureau at: www.bbb.org
the Federal Trade Commission at: www.ftc.gov/

For additional information about safe online shopping, please visit the following sites:

US-CERT: www.us-cert.gov/cas/tips/ST07-001.html
NCSA: www.staysafeonline.org/content/online-shopping
OnGuard Online: www.onguardonline.gov/topics/online-shopping.aspx
Online Cyber Safety: www.bsacybersafety.com/video/
Microsoft: www.microsoft.com/protect/fraud/finances/shopping_us.aspx

Java Update Needed

2009-11-05T12:12:00.001-05:00

Multiple vulnerabilities have been discovered in Java applications that could allow attackers to take complete control of a vulnerable system. If you have not already received a Java update notification in your system tray, you should shortly. Please install the update as soon as possible. The update will take several minutes but you can continue to work as it installs. You will not have to reboot when it's done. Let me know if you have any questions.

Avoiding Social Engineering and Phishing Attacks

2009-10-28T10:25:00.002-04:00

Cyber Security Tip ST04-014
Avoiding Social Engineering and Phishing Attacks

Do not give sensitive information to anyone unless you are sure that they are indeed who they claim to be and that they should have access to the information.

What is a social engineering attack?

In a social engineering attack, an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity. However, by asking questions,
he or she may be able to piece together enough information to infiltrate an organization's network. If an attacker is not able to gather enough information from one source, he or she may contact another source within the same organization and rely on the information from the first source to add to his or her credibility.

What is a phishing attack?

Phishing is a form of social engineering. Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization. For example, an attacker may send email seemingly from a reputable credit card company or financial institution that requests
account information, often suggesting that there is a problem. When users respond with the requested information, attackers can use it to gain access to the accounts.

Phishing attacks may also appear to come from other types of organizations, such as charities. Attackers often take advantage of current events and certain times of the year, such as

* natural disasters (e.g., Hurricane Katrina, Indonesian tsunami)
* epidemics and health scares (e.g., H1N1)
* economic concerns (e.g., IRS scams)
* major political elections
* holidays

How do you avoid being a victim?

* Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
* Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.
* Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
* Don't send sensitive information over the Internet before checking a website's security (see Protecting Your Privacy for more information).
* Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
* If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org).
* Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic (see Understanding Firewalls, Understanding Anti-Virus Software, and Reducing Spam for more information).
* Take advantage of any anti-phishing features offered by your email client and web browser.

What do you do if you think you are a victim?

* If you believe you might have revealed sensitive information about your organization, report it to the appropriate people within the organization, including network administrators. They can be alert for any suspicious or unusual activity.
* If you believe your financial accounts may be compromised, contact your financial institution immediately and close any accounts that may have been compromised. Watch for any inexplainable charges to your account.
* Immediately change any passwords you might have revealed. If you used the same password for multiple resources, make sure to change it for each account, and do not use that password in the future.
* Watch for other signs of identity theft (see Preventing and Responding to Identity Theft for more information).
* Consider reporting the attack to the police, and file a report with the Federal Trade Commission (http://www.ftc.gov/).
_________________________________________________________________

Author: Mindi McDowell
_________________________________________________________________

Produced 2004 by US-CERT, a government organization.

Note: This tip was previously published and is being re-distributed to increase awareness.

Terms of use

http://www.us-cert.gov/legal.html

This document can also be found at

http://www.us-cert.gov/cas/tips/ST04-014.html

Home Use Autorization Forms Due by Friday

2009-10-28T10:21:00.002-04:00

Attention Faculty - Home Use form CA-2 should be filled out to track computers being used away from campus for more than 30 days. Please print, complete, sign, and return form CA-2 to David Parker via interoffice mail before the end of October. Click here to download form CA-2 if you have not already done so. Contact David if you have any questions.

Warning for Blackberry Users

2009-10-27T13:18:00.000-04:00

US-CERT is aware of public reports of a new software application called PhoneSnoop. This software allows an attacker to call a user's BlackBerry and listen to personal conversations. In order to install and setup the PhoneSnoop application, attackers must have physical access to the user's device or convince a user to install PhoneSnoop. US-CERT encourages users to only download BlackBerry applications from trusted sources and to password protect and lock BlackBerry devices.

TOP 10 Cyber Security Tips

2009-10-23T13:32:00.000-04:00

October is Cyber Security Awareness Month – Our Shared Responsibility

In recognition of the 2009 National Cyber Security Awareness Month, this edition of the newsletter is designed to provide you with the TOP 10 Cyber Security Tips that you can - and should - use to protect your computer system.

1. Think Before You Click

Always think before you click on links or images in an email, instant message, or on web sites. Be cautious when you receive an attachment from unknown sources. Even if you know and trust the sender of the email, instant message, web site, or a friend's social networking page, it is still prudent to use caution when navigating pages and clicking on links or images.

2. Use Hard to Guess Passwords

Developing good password practices will help keep your personal information and identity more secure. Passwords should have at least eight characters and include uppercase and lowercase letters, numerals and symbols.

3. Avoid Phishing Scams

Phishing is a form of identity theft in which the intent is to steal your personal data, such as credit card numbers, passwords, account data, or other information. Do not reply to emails that ask you to “verify your information” or to “confirm your user-id and password.”

4. Shop Safely Online

When shopping online always know with whom you're dealing. When submitting your purchase information, look for the "lock" icon on the browser's status bar to be sure your information is secure during transmission. Always remember to pay by credit card and keep a paper trail.

5. Protect Your Identity

When visiting web sites, it's important to know what information is being collected, by whom and how it will be used. Web sites track visitors as they navigate through cyberspace, therefore, data may be collected about you as a result of many of your online activities. Please keep in mind most legitimate web sites include a privacy statement. The privacy statement is usually located at the bottom of the home page and details the type of personally identifiable information the site collects about its visitors, how the information is used - including with whom it may be shared - and how users can control the information that is gathered.

6. Dispose of Information Properly

Before discarding your computer or portable storage devices, you need to be sure that the data contained on the device has been erased or "wiped." Read/writable media (including your hard drive) should be "wiped" using Department of Defense (DOD) compliant software.

7. Protect Your Children Online

Discuss and set guidelines and rules for computer use with your child. Post these rules by the computer as a reminder. Familiarize yourself with your child's online activities and maintain a dialogue with your child about what applications they are using. Consider using parental control tools that are provided by some Internet Service Providers and available for purchase as separate software packages.

8. Protect Your Portable Devices

It is important to make sure you secure your portable devices to protect both the device and the information contained on the device. Always establish a password on all devices. If your device has Bluetooth functionality and it’s not used, check to be sure this setting is disabled. Some devices have Bluetooth-enabled by default. If the Bluetooth functionality is used, be sure to change the default password for connecting to a Bluetooth enabled device. Encrypt data and data transmissions whenever possible.

9. Secure Your Wireless Network

Wireless networks are not as secure as the traditional "wired" networks, but you can minimize the risk on your wireless network by enabling encryption, changing the default password, changing the Service Set Identifier (SSID) name (which is the name of your network) as well as turning off SSID broadcasting and using the MAC filtering feature, which allows you to designate and restrict which computers can connect to your wireless network.

10. Back-Up Important Files

Back-up your important files minimally on a weekly basis. Don’t risk losing your important documents, images or files!

October is National Cybersecurity Awareness Month

2009-10-20T11:22:00.002-04:00

Another One (almost) Bites The Dust

2009-10-16T14:47:00.005-04:00

A few weeks ago I wrote a cautionary tale of external hard drives. Today, one of our folks discovered that an external hard drive was no longer showing up in Windows explorer. All the usual USB troubleshooting did nothing to reconnect the drive. I took it into surgery and found a heap of soot and melted plastic as I removed the case. The source of the mess...a $0.39 fan had stopped working. Judging from the discoloration on the fan's silver label, I'm assuming that the soot and plastic was from the internal workings of the fan motor. The fan could have stopped working first causing the interface board to die or vise-versa...either way, it seemed that all hope (and a lot of work not backed up) was lost. But, after a few tense moments, a little hard drive TLC, and a new USB interface, professor and data were one again reunited. This scenario plays out on a fairly regular basis in our shop and there has been more than one instance where a fan failure caused the hard drive to cook. Please back up your work and follow my tips on external hard drives posted previously in this blog.

Updates Needed

2009-10-15T14:45:00.001-04:00

ARE Faculty/Staff, Cenrep, GradPC Users: Please update your Adobe products that are installed on your PC ASAP. The easiest way is to open each application, click on Help, then "check for updates". There are new security vulnerabilities out for most versions of Adobe Acrobat and Reader.

Password Requirements

2009-10-15T14:34:00.005-04:00

If you access the administrative portal to view your payroll, benefits, or other personal information, have access to student records, or access the grant management system, you are required by the university to change your Unity password every 90 days. Read more about Unity password requirements and instruction and suggestions for changing yours at NCSU OIT's Web Site.

Password requirements and expiration periods are different for loggin in to ARE's network. Contact Us with any questions.

Laptop Secutiry

2009-10-15T14:32:00.000-04:00

Traveling with your laptop is a great way to keep up with your office work and to keep in touch with others. Laptop users should, however, be mindful of keeping their business laptops in their possession at all times. OIT-Security and Compliance reminds users that if you do loose your university-owned laptop (or other university-owned equipment) for whatever reason, North Carolina General Statute (G.S.) 114-15.1 requires NC State employees to report this incident to their immediate supervisor within three days of the lost. Your supervisor should contact the Office of Legal Affairs to file form SBI 78 with the State Bureau of Investigation within 10 days. You should also file a police report with the local police department in the area where the equipment was lost or stolen.

External Hard Drives

2009-10-15T14:28:00.002-04:00

We have seen a number of external hard drives fail in the department over the past several months. It is obvious that the reliability of external drives is considerably less than internal drives. This problem is not unique to us - I've read dozens of technical articles discussing wide-spread external drive failures. I believe that two factors greatly contribute to external drive failures - heat and shock. Most external drive enclosures do not have cooling fans and many, especially low-end or "entry level" devices, are housed in plastic cases with inadequate ventilation an very little metal for heat transfer/dissipation. Heat can damage the interface electronics, which is an easy repair, or damage the drive itself - an impossible and/or very expensive repair/recovery. Shock (vibration) is a problem in external drives because they are moved around and sit on a desk in a small enclosure and are easily bumped, knocked over, etc. This can cause physical damage to the drive if it occurs during a read or write operation.Personal experience yesterday - A few months ago I became concerned about the reliability of an external drive at home which housed about 300Gb of digital photos, scanned photos, and video. I bought a large secondary internal drive for my home desktop and transferred everything from the external to the secondary internal but continued to use the external drive for backups. Yesterday, the external drive failed. I knew when it started up and sounded like a coffee grinder it was gone. Fortunately, years of family photos and movies were saved on the internal drive.I know some of you use external drives for primary storage. I strongly suggest that you do so with caution and with the knowledge that you could suffer a unrecoverable loss. I don't mean to instill panic, just sharing the fact that no storage device or media gives you 100% assurance that your data is safe. If you use an external drive for anything do the following:

Make sure there is plenty of room around the enclosure to ensure adequate ventilation. Feel it occasionally so you will know how warm it normally operates. If it suddenly feels unusually hot, turn it off an call us.
Select a location for the drive on your desk that is out of the way, behind your monitor for example, where it is less likely to get bumped, knocked over, or worse, knocked to the floor.

Turn it off when not in use. If you use it only for backups, turn it on to make your backup then turn it off again.

If you hear any odd noise at all from the drive, excessive chattering, clicking, humming, etc. turn it off right away and call us.

If you use and external drive for primary storage, make a backup of your most important data. Depending on how much data you need to backup, use a flash drive (available up to 64Gb now), CD, DVD, or "M" Drive. You can also take advantage of the network backup options ARE-IT provides - contact us for details if you are not familiar with network backup.

Good Security Habits

2009-10-15T14:20:00.004-04:00

There are some simple habits you can adopt that, if performed consistently, may dramatically reduce the chances that the information on your computer will be lost or corrupted. How can you minimize the access other people have to your information? You may be able to easily identify people who could, legitimately or not, gain physical access to your computers ??family members, roommates, co-workers, members of a cleaning crew, and maybe others. Identifying the people who could gain remote access to your computer becomes much more difficult. As long as you have a computer and connect it to a network, you are vulnerable to someone or something else accessing or corrupting your information; however, you can develop habits that make it more difficult. * Lock your computer when you are away from it. Even if you only step away from your computer for a few minutes, it's enough time for someone else to destroy or corrupt your information. Locking your computer prevents another person from being able to simply sit down at your computer and access all of your information. * Disconnect your computer from the Internet when you aren't using it. The development of technologies such as DSL and cable modems have made it possible for users to be online all the time, but this convenience comes with risks. The likelihood that attackers or viruses scanning the network for available computers will target your computer becomes much higher if your computer is always connected. Depending on what method you use to connect to the Internet, disconnecting may mean disabling a wireless connection, turning off your computer or modem, or disconnecting cables. When you are connected, make sure that you have a firewall enabled (see Understanding Firewalls for more information).* Evaluate your security settings. Most software, including browsers and email programs, offers a variety of features that you can tailor to meet your needs and requirements. Enabling certain features to increase convenience or functionality may leave you more vulnerable to being attacked. It is important to examine the settings, particularly the security settings, and select options that meet your needs without putting you at increased risk. If you install a patch or a new version of the software, or if you hear of something that might affect your settings, reevaluate your settings to make sure they are still appropriate (see Understanding Patches, Safeguarding Your Data, and Evaluating Your Web Browser's Security Settings for more information). What other steps can you take? Sometimes the threats to your information aren't from other people but from natural or technological causes. Although there is no way to control or prevent these problems, you can prepare for them and try to minimize the damage. * Protect your computer against power surges and brief outages. Aside from providing outlets to plug in your computer and all of its peripherals, some power strips protect your computer against power surges. Many power strips now advertise compensation if they do not effectively protect your computer. Power strips alone will not protect you from power outages, but there are products that do offer an uninterruptible power supply when there are power surges or outages. During a lightning storm or construction work that increases the odds of power surges, consider shutting your computer down and unplugging it from all power sources. * Back up all of your data. Whether or not you take steps to protect yourself, there will always be a possibility that something will happen to destroy your data. You have probably already experienced this at least once, losing one or more files due to an accident, a virus or worm, a natural event, or a problem with your equipment. Regularly backing up your data on a CD or network reduces the stress and other negative consequences that result from losing important information (see Real-World Warnings Keep You Safe Online for more information). Determining how often to back up your data is a personal decision. If you are constantly adding or changing data, you may find weekly backups to be the best alternative; if your content rarely changes, you may decide that your backups do not need to be as frequent. You don't need to back up software that you own on CD-ROM or DVD-ROM. You can reinstall the software from the original media if necessary.