Security Tips & Info
- Top Tips to Securely Using Social Media - March 2018
- Own Your Online Presence - February 2018
- Disposing of Old Computers - January 2018
- Lock Down Your Login - December 2017
- Using Caution with Email Attachments - November 2017
- Busting the Top 5 Myths About Safe Web Browsing - October 2017
- Securely Using Mobile Apps - September 2017
- The Price of Free Software - August 2017
- Don't Overshare on Social Networking Sites - July 2017
- Phone Scams - June 2017
- Going Mobile: How to be Safer When Using a Smartphone or Tablet - May 2017
- 10 Things You Can Do to Avoid Fraud - April 2017
Social media sites, such as Snapchat, Facebook, Twitter, Instagram, and LinkedIn, are amazing resources, allowing you to meet, interact, and share with people around the world. However, with all this power come risks--not just for you, but for your family, friends, and employer. In this newsletter, we cover the key steps to making the most of social media securely and safely.
Posting--Be careful and think before posting. Anything you post will most likely become public at some point, impacting your reputation and future, including where you can go to school or the jobs you can get.
Privacy--Almost all social media sites have strong privacy options. Enable them when possible. For example, does the site really need to be able to track your location?
Passphrase--Secure your social media account with a long, unique passphrase. A passphrase is a password made up of multiple words, making it easy for you to type and remember, but hard for cyber attackers to guess.
Lock Down Your Account--Even better, enable two-factor authentication on all of your accounts. This adds a one-time code with your password when you need to log in to your account.
Scams--Just like in email, bad guys will attempt to trick or fool you using social media messages. For example, they may try to trick you out of your password or credit card.
Terms of Service--Know the site’s terms of service. Anything you post or upload might become the property of the site.
Work--If you want to post anything about work, check with your supervisor first to make sure it is okay to publicly share.
Follow these tips to enjoy a much safer online experience. To learn more on how to use social media sites safely, or report unauthorized activity, check your social media site’s security page.
SANS Security Awareness Monthly Newsletter March 2018
- Personal information is like money. Value it. Protect it.: Information about you, such as your purchase history or location, has value – just like money. Be thoughtful about who gets that information and how it’s collected through apps and websites.
- Be aware of what’s being shared: Set the privacy and security settings on web services and devices to your comfort level for information sharing. It’s OK to limit how and with whom you share information.
- Share with care: Think before posting about yourself and others online. Consider what a post reveals, who might see it and how it could be perceived now and in the future.
For more information and other useful tips visit: stopthinkconnect.org
Getting rid of your old computer? You can ensure its hard drive doesn’t become a treasure chest for identity thieves. Use a program that overwrites or wipes the hard drive many times. Or remove the hard drive, and physically destroy it.
Understand Your Hard Drive: Computers often hold personal and financial information such as passwords, account numbers, license keys or registration numbers for software programs, addresses and phone numbers, medical and prescription information, tax returns and files created automatically by browsers and operating systems. When you save a file, especially a large one, it is scattered around the hard drive in bits and pieces. When you open a file, the hard drive gathers the bits and pieces and reconstructs them. When you delete a file, the links to reconstruct the file disappear. But the bits and pieces of the deleted file stay on your computer until they’re overwritten, and they can be retrieved with a data recovery program. To remove data from a hard drive permanently, the hard drive needs to be wiped clean.
How to Clean a Hard Drive: Before you clean a hard drive, save the files you want to keep to a USB drive, a CD-ROM, an external hard drive or a new computer. Check your owner’s manual, the manufacturer’s website, or its customer support service for information on how to save data and transfer it to a new computer. Utility programs to wipe a hard drive are available both online and in stores where computers are sold. These programs generally are inexpensive; some are available on the internet for free. These programs vary: some erase the entire disk, while others allow you to select files or folders to erase. Some overwrite or wipe the hard drive many times, while others overwrite it only once. Consider using a program that overwrites or wipes the hard drive many times; otherwise, the deleted information could be retrieved. Or remove the hard drive, and physically destroy it.
How to Dispose of Your Computer: Recycle it. Many computer manufacturers have programs to recycle computers and components. Check their websites or call their toll-free numbers for more information. The Environmental Protection Agency (EPA) has information about electronic product recycling programs. Your local community may have a recycling program, too. Check with your county or local government, including the local landfill office for regulations. Donate it. Many organizations collect old computers and donate them to charities. Resell it. Some people and organizations buy old computers. (Federal Trade Commission)
The process of authentication, or proving who you are, is key to protecting your information, such as your email, social media, or online banking accounts. You may not realize it, but there are three different ways to prove who you are: what you know, such as a password, what you have, such as your driver’s license, and some part of you, such as your fingerprint. Each one of these methods has advantages and disadvantages. The most common authentication method is passwords, which are something you know. Unfortunately, using passwords just by themselves is proving to be more and more insecure. You can protect yourself and lock down your login with something far better than just passwords. It’s called two-factor authentication.
Two-factor authentication (also called two-step verification, multi-factor authentication, or 2FA) is far stronger than just using passwords by themselves. It works by requiring not one, but two different methods to prove you are who you say you are.
Two-factor authentication is widely available on most major banking, email, social networking, and other sites. In addition, most of these sites offer simple step-by-step instructions on how to turn on two-factor authentication. Once you enable two-factor authentication, you can expect it to work like this. First, you log in to your account using your username and password, just as you always have. This is the first of the two factors--something you know. Then you will receive a unique code, often by text to your smartphone. You then enter that code into the login screen. This is the second of the two factors--you must have your phone to receive that code. Now your account is truly locked down. Even if a cybercriminal steals your password, they cannot access your account unless they also have your phone.
For more information on two-factor authentication visit securingthehuman.sans.org/newsletters
Why can email attachments be dangerous?
Some of the characteristics that make email attachments convenient and popular are also the ones that make them a common tool for attackers:
- Email is easily circulated – Forwarding email is so simple that viruses can quickly infect many machines. Most viruses don't even require users to forward the email—they scan a user's computer for email addresses and automatically send the infected message to all of the addresses they find. Attackers take advantage of the reality that most users will automatically trust and open any message that comes from someone they know.
- Email programs try to address all users' needs – Almost any type of file can be attached to an email message, so attackers have more freedom with the types of viruses they can send.
- Email programs offer many "user-friendly" features – Some email programs have the option to automatically download email attachments, which immediately exposes your computer to any viruses within the attachments.
What steps can you take to protect yourself and others in your address book?
- Be wary of unsolicited attachments, even from people you know
- Keep software up to date
- Trust your instincts
- Save and scan any attachments before opening them
- Turn off the option to automatically download attachments
- Consider creating separate accounts on your computer with different privileges
- Apply additional security practices
US-CERT, Security Tip (ST04-010)
There are a vast number of myths and misconceptions about safe web browsing circling around. How many have you fallen for? Let's take a look at the top five myths.
Myth #1: My computer has never been infected with malware so I must be a safe surfer. Nearly a third of all computers in the U.S. are infected with some form of malware. You may not even know you're infected. Web malware is designed to steal personal information and passwords or use your machine for distributing spam, malware or inappropriate content without you knowing it.
Myth #2: Only gambling and illegal websites are dangerous. Not true. The majority of infected websites are ones that you trust. Hackers prefer to hijack and infect popular, high-traffic websites so they can silently distribute malware to unsuspecting visitors. Your computer can be infected just by visiting an infected site. Anyone who surfs the Internet is at risk.
Myth #3: You can only get infected if you download files. False. Hackers take advantage of vulnerabilities in web browsers, plug-ins and operating systems. You can be infected with malware by simply visiting an infected website. An attack of this type is called a "drive-by" download because the malicious code is downloaded and executed automatically.
Myth #4: When the lock icon appears in the browser, it means it's a secure website. Not true. The lock icon means there is an SSL encrypted connection between your browser and the web server which enables private communications over the Internet. SSL encryption doesn't provide any protection from malware. In fact, hackers often spoof SSL certificates on fake banking websites to make visitors feel secure.
Myth #5: Only computers and laptops can become infected. False. Mobile malware, which affects smartphones, tablets and other mobile devices, increased by 58% last year. This nasty malware can easily steal information on your device such as phone numbers and email addresses. It can even use the device's GPS to track your whereabouts.
These helpful tips are provided by InfoSight Inc, an information security consultancy working to help ensure the privacy and security of your corporate, personal and financial information.
Mobile devices, such as tablets, smartphones, and watches, have become one of the primary technologies we use in both our personal and professional lives. What makes mobile devices so versatile are the millions of apps we can choose from. These apps enable us to be more productive, instantly communicate and share with others, train and educate, or just have more fun. However, with the power of all these mobile apps come risks. Here are some steps you can take to securely use and make the most of your mobile apps.
- Make sure you always download mobile apps from a safe, trusted source. Cyber criminals have mastered their skills at creating and distributing infected mobile apps that appear to be legitimate. If you install one of these infected apps, criminals can take complete control of your mobile device. By downloading apps from only well-known, trusted sources, you reduce the chance of installing an infected app. What you may not realize is the brand of mobile device you use determines your options for downloading apps.
- Once you have installed a mobile app from a trusted source, make sure it is safely configured and protecting your privacy. Always think before allowing a mobile app access: do you want to grant the app the permission it asks for, and does the app really need it? For example, some apps use geo-location services. If you allow an app to always know your location, you may be allowing the creator of that app to track your movements, even allowing the app author to sell that information to others.
- Mobile apps, just like your computer and mobile device operating system, must be updated to stay current. Criminals are constantly searching for and finding weaknesses in apps. It is recommended that you allow the system to update mobile apps automatically and make sure you verify any new permissions they might require.
SANS Securing the Human March 2017
Has your computer been acting strange lately? Maybe your default search engine or other browser settings changed, or you’re getting suspicious warnings about your computer’s performance. Are you seeing ads that don’t seem to belong – like ones that cover up parts of the webpage or are on a site that doesn’t usually show ads? If so, you may have unwanted software on your computer. Your next step: get rid of any malware.
But how does unwanted software get on your computer in the first place? If you installed some free software, you may have accidentally downloaded it at the same time. Extra software – and sometimes malware – can get bundled together with popular free software downloads, and you might not realize what you’re getting. To avoid this problem:
- Be on the lookout when installing free software. Read each screen during the installation process. Choose the “custom” install option instead of the “express” option. Then, if you see software you don’t want in the bundle, decline the additional program or just exit the installation process.
- If you want a particular download, go straight to that company’s site – or another source you trust. Sites that offer lots of popular software – for free – are more likely to bundle it with extra software.
- Talk to your kids. If you let your kids download software, help them recognize reputable sources.
- Don’t click on popups or banner ads. Clicking on popups or banner ads about your computer’s performance might start a download of unwanted software.
- Keep your security software up to date. Up-to-date security software can catch malicious software and protect your computer.
By Amanda Koulousias, Attorney, Division of Privacy and Identity Protection, Federal Trade Commission
If you post too much information about yourself, an identity thief can find information about your life, use it to answer ‘challenge’ questions on your accounts, and get access to your money and personal information. Consider limiting access to your networking page to a small group of people. Never post your full name, Social Security number, address, phone number, or account numbers in publicly accessible sites.
(Federal Trade Commission, How to Keep Your Personal Information Secure)
Every year, thousands of people lose money to telephone scams — from a few dollars to their life savings. Scammers will say anything to cheat people out of money. Some seem very friendly — calling you by your first name, making small talk, and asking about your family. They may claim to work for a company you trust, or they may send mail or place ads to convince you to call them.
If you get a call from someone you don’t know who is trying to sell you something you hadn’t planned to buy, say "No thanks." And, if they pressure you about giving up personal information — like your credit card or Social Security number — it’s likely a scam. Hang up and report it to the Federal Trade Commission.
For more information on “Signs of a Scam”, “How They Hook You”, “Why They’re Calling You”, “How to Handle an Unexpected Sales Call", and “What to Do About Pre-Recorded Calls” visit the Federal Trade Commission website at https://www.consumer.ftc.gov/articles/0076-phone-scams for the complete article.
Everywhere you look, people are using smartphones and tablets as portable, hand-held computers. "Unfortunately, cybercriminals are also interested in using or accessing these devices to steal information or commit other crimes," said Michael Benardo, manager of the FDIC's Cyber Fraud and Financial Crimes Section. "That makes it essential for users of mobile devices to take measures to secure them, just as they would a desktop computer."
Here are some basic steps you can take to secure your mobile devices.
Avoid apps that may contain malware. Buy or download from well-known app stores, such as those established by your phone manufacturer or cellular service provider. Consult your financial institution's website to confirm where to download its official app for mobile banking.
Keep your device's operating system and apps updated. Consider opting for automatic updates because doing so will ensure that you have the latest fixes for any security weaknesses the manufacturer discovers. "Cybercriminals try to take advantage of known flaws, so keeping your software up to date will help reduce your vulnerability to foul play," said Robert Brown, a senior ombudsman specialist at the FDIC.
Consider using mobile security software and apps to protect your device. For example, anti-malware software for smartphones and tablets can be purchased from a reputable vendor.
Use a password or other security feature to restrict access in case your device is lost or stolen. Activate the "time out" or "auto lock" feature that secures your mobile device when it is left unused for a certain number of minutes. Set that security feature to start after a relatively brief period of inactivity. Doing so reduces the likelihood that a thief will be able to use your phone or tablet.
Back up data on your smartphone or tablet. This is good to do in case your device is lost, stolen or just stops working one day. Data can easily be backed up to a computer or to a back-up service, which may be offered by your mobile carrier.
Have the ability to remotely remove data from your device if it is lost or stolen. A "remote wipe" protects data from prying eyes. If the device has been backed up, the information can be restored on a replacement device or the original (if you get it back). A number of reputable apps can enable remote wiping.
To learn more about safely using smartphones and tablets, see the Federal Trade Commission's Computer Security Web page. (FDIC Consumer News-Winter 2016)
Crooks use clever schemes to defraud millions of people every year. They often combine new technology with old tricks to get people to send money or give out personal information. Here are some practical tips to help you stay a step ahead.
- Spot imposters--scammers often pretend to be someone you trust.
- Do online searches--type a company or product name into a search engine with words like review, complaint, or scam.
- Don’t believe your caller ID--technology makes it easy for scammers to fake caller ID info.
- Don’t pay upfront for a promise--you may be asked to pay in advance for a job, a prize or debt relief.
- Consider how you pay--credit cards have significant fraud protection, but some payment methods don’t, such as wire transfer.
- Talk to someone you trust--before you give up your money or personal information.
- Hang up on robocalls--if you answer the phone and hear a recorded sales pitch, hang up.
- Be skeptical about free trial offers--some companies use free trials to sign you up for products and then bill you.
- Don’t deposit a check and wire money--if a check you deposit turns out to be a fake, you are responsible for repaying the bank.
- Sign up for free scam alerts from the FTC at ftc.gov/scams for the latest tips and advice about scams.