Awareness

March - Mobile Device Madness

Mobile Device Madness

Mobile devices, particularly smartphones, have become extremely popular, more so than computers and perhaps any other communication device. We carry them everywhere we go, every day, at all times. From using Facebook to checking our bank accounts or saving our schedules in their agendas, we use mobile devices for all kinds of tasks, which is what makes them so useful as both a work and an entertainment tool. However, we rarely consider that they are not always designed with security in mind and are therefore not always as secure as most computers. As smartphone usage has grown, so have the issues surrounding mobile security.

There are many different ways in which your mobile device can be a threat to the security of your personal information: if it is lost or stolen and falls into the wrong hands; if your service provider is attacked; if there is a breach in your software (whether because the device has been jailbroken or because it is not updated); if someone hijacks it through an open wireless network; and so on. Each of these is reason enough to protect the device as carefully as you can, and also to be selective about the information you store on it.

However, there are many things you can do to keep your device as secure as possible. They will not guarantee 100% security, but they will make it much harder for cybercriminals to access your personal or confidential information. We recommend that you follow these tips:

Understand your device

  • Configure mobile devices securely by enabling auto-lock and choosing a complex/secured password for protection, and avoid using auto-complete features that remember user names or passwords.
  • Ensure that browser security settings are configured appropriately and enable remote wipe options whenever possible. 
  • Disable Bluetooth (when not needed). If you can access it, so can others.
  • Ensure that sensitive websites use https in your browser URL on both your computer and mobile device.
  • Know your mobile vendor's policies on lost or stolen devices and report the loss to your carrier ASAP so they can deactivate the device.

Use added features

  • Keep your mobile device and applications on the device up to date. Use automatic update options if available.
  • Install an anti-virus/security program (if available) and configure automatic updates if possible. Find out about protective mobile device software.
  • Use an encryption solution to keep portable data secure in transit and at rest. WPA2 is encrypted. 3G encryption has been cracked. Use an SSL (https) connection where available.

General tips          

  • Never leave your mobile device unattended.
  • Report lost or stolen devices and change any passwords (such as RIT WPA2) immediately.
  • Include contact information with the device: on the lock screen, engraved on the device, and/or inserted into the case.
  • For improved performance and security, register your device and connect to the RIT WPA2 network where available.
  • Whenever possible, we recommend that Private Information is not accessed from or stored on mobile devices.
  • To ensure that RIT information will remain secure, you should use only devices that provide encryption while information is in transit and at rest. 
  • Security requirements for handling RIT Private, Confidential, and other information may be found in the Information Access and Protection Standard.
  • When downloading apps, make sure you do it from a trusted app store like Google Play. Read more about avoiding questionable mobile apps.

Follow us on all of our social media accounts for more tips and information:

Facebook: RIT Information Security / Twitter: @RIT_InfoSec / Google+: RIT Information Security / Pinterest: RIT InfoSec / Instagram: @RIT_infosec

February - Phebruary Phishing

Phebruary Phishing

It’s Ph(F)ebruary! The perfect time to learn all you need to know to avoid the incessant phishing scams that infest the Internet. Just as there are so many things going on every day in cyberspace, and new and exciting ways of communicating with the world emerge all the time, phishers find a way to be present everywhere too. From e-mail and social networking sites to online games, dating websites and apps, you might come across a scam anywhere, and because cybercriminals have become so good at making them, phishing scams can appear so real that you might easily fall for them.

However, there is no need to panic! There are still ways to avoid falling for these traps. The most important thing is to be careful and pay close attention to everything you see online before you click it or enter any sensitive information about yourself (or anyone else, for that matter). Here are some tips to follow:

  • Do not respond to a request for your password sent by e-mail, even if the request appears legitimate.
  • Do not provide identity information, including credit card numbers, when you receive an unsolicited e-mail or phone call.
  • Do not open attachments in unexpected or suspicious e-mails or instant messages.
  • If the e-mail or instant message provides a link to a site where you are requested to enter personal information, it may be a phish.
  • Make sure links are really taking you where they say they are before you click. Just move your mouse over the link; if it shows you a different address than the one displayed in the e-mail, it is a phish.
  • Be suspicious of any type of communication (e-mail, post on social media site, text message, etc.) that urges you to do something like provide personal information or click somewhere.
  • Look for signs in e-mails like grammar mistakes.
  • Make sure the security certificate is displayed on a website by double-clicking the “lock” icon. If it isn’t, or you get a warning message that it does not match the address, it’s better to leave the website.
  • Although normally phishing emails are not personalized, they can be. So if it looks suspicious it’s always smart to confirm with the company directly to make sure the email is in fact from them.
  • Enable site checking on your browser.
  • Add an anti-phishing toolbar to your browser. Anti-phishing toolbars help detect and may block known phishing sites. ITS is providing McAfee anti-phishing tools to ePO-managed users.

You can also find more tips and information by going to Best Practices > Phishing (http://www.rit.edu/security/content/phishing).

Since we’re all human, any of us could fall for a phishing scam at some point. Stay Safe Online has shared some things you can do to control the damage if you do:

  • Watch for any unauthorized charges to any of your accounts.
  • If you think your financial accounts could be compromised, contact your financial institution immediately and ask them to close the accounts for you.
  • Consider reporting it to the local police department, the Federal Trade Commission (https://www.ftccomplaintassistant.gov/#crnt&panel1-1) or the FBI’s Internet Crime Complaint Center (http://www.ic3.gov/default.aspx).

We are going to be talking about phishing all month long on all of our social media channels; follow along for more useful information about #PhebruaryPhishing. And remember, if you receive a phish, report it by emailing spam@rit.edu. You can forward phishing attempts to this address.

 

December – Scams & Hoaxes

The last month of 2014 has arrived. December is full of joy because the holiday spirit is around all month. There is a long break from classes and it’s Christmas time! Unfortunately, this is also why it has become scamming season as well. The generous nature of these holidays makes all of us the perfect target for scams and hoaxes.

From emails to ads and websites, there are all kinds of scams and hoaxes infesting the Internet’s waters. Falling for any of them is only one click away. The only way to stay safe is to be cautious whenever we navigate the Internet and to keep up to date on the new scams and hoaxes that emerge. Scammers like to take advantage of the generous spirit of this giving season to trick us into clicking on malware or falling for identity or personal information theft, fake gift cards, and all sorts of other scams.

Helping you stay safe online is the RIT Information Security Office’s responsibility. It’s a full-time job that we take very seriously, which is why during this whole month, including the break, we will be sharing information and security tips about scams and hoaxes through all of our social media channels. We encourage you to be extra cautious during this season, so that your joyful mood is not ruined for Christmas!

The following tips will help you prevent falling for cyber-traps:

  • Be very suspicious of emails from people or businesses you don't know, especially those that promise money, good health or a solution to your problems.
  • Remember that while banks never ask for confidential information via email, scam and hoax emails are intended to trick you into disclosing personal information such as bank account details, passwords or credit card numbers.
  • Scammers put a lot of time and effort into making emails and websites look real. Be skeptical always and pay attention to anything that looks suspicious.
  • Unless you entered a “lottery” or are participating in a contest (and even if you have), it’s VERY unlikely that you won. Be careful with scam emails that claim you have been selected as a “WINNER”.
  • Beware of shipping notification emails that contain attachments or links; it could be a scam, especially if you didn’t order anything.
  • Never reply to an email or pop-up message that requests your personal or financial information. Don’t click on the links in the message or paste them into your Web browser, either. Simply ignore and delete those messages.
  • If you get a notice from an “official” from a foreign agency or government with an offer to transfer a commission into your bank account in exchange for assisting them with transferring a large sum of money, it is probably a scam.
  • Scams don’t just appear in online forms; you must also be careful with bogus security products. Never let someone who calls you mess with your computer.
  • Some scammers send online extortion emails threatening to kill the recipient if they don’t pay a large sum of money to the sender, who claims to be a hired assassin. The FBI advises against replying and recommends just deleting the email.
  • Research any charities before donating to make sure it’s actually going where it says it is.
  • There are many fake mystery shopping opportunities out there. A legitimate one will not ask you to pay an application fee or to deposit a check or wire money to someone else.
  • There are some legitimate free e-book offers like Amazon’s free Kindle books, but there are also many free e-books out there filled with spam links and malware designed to catch your credit card information. Stick with e-book sellers and authors you already know, advises the Better Business Bureau (BBB).
  • During this giving season you will probably be doing a lot of online shopping. Check out our tips for safe online shopping and banking.
  • Keep up to date with the latest Internet scams and email hoaxes so you don’t become a victim: http://www.hoax-slayer.com/latest-information.html
  • Check McAfee’s 12 scams of the holidays: https://blogs.mcafee.com/consumer/12-scams-of-holidays/

 

Browser Configuration

One of the easiest “technologies” to keep your information and computer safe is properly configuring the security settings on your web browser.  Most people leave the settings at default because it’s convenient, but not taking those extra couple minutes now can mean many costly hours (or weeks) later if your information gets compromised.

Below are some setting suggestions and how to complete them on the most common browsers.  Settings may vary based on browser version, and we recommend always updating your browser to the most current version to ensure the most recent patches and security features are applied.

  1. Limit Cookie Storage
  2. Don’t Store Passwords or Allow Sites to Remember Your Form Entries
  3. Disable Pop-ups
  4. Limit Plug-ins and Add-ons
  5. Enable Automatic Site Checking
  6. Prompt for Downloads
  7. Clear Browsing Data/Temporary Internet Files

1. Limit Cookie Storage

Cookies are data files that a webpage puts on your computer to track information about you.  Cookies can be helpful, for example by remembering what item you put in your shopping cart while you continue shopping.  Cookies can also send data to third parties without your knowledge, or keep your login data for a webpage on a public computer after you are done using it.  To help protect your data, we suggest changing your settings to initially block most or all cookies and only enable cookies for certain sites as you come across them.

NOTE: First-party cookies (cookies for the domain you are on) help with the general web browsing feel we are all used to, for example, staying logged into your bank account site as you navigate from your checking to your savings account.  Therefore, blocking cookies entirely may not be ideal for your browsing needs.  Third-party cookies (cookies not specifically attached to the domain you visited) are often the cookies that cause problems and compromise data, and they can be blocked without interfering with your day-to-day web activities.

To configure cookies, select:

INTERNET EXPLORER 10

Tools | Internet Options | Privacy | Advanced, and:

  1. Select Override automatic cookie handling.
  2. Select Prompt or Accept for first-party cookies and Block for third-party cookies.  If you select Prompt, it will ask for each site what you want to keep, which is helpful for limiting cookie use but will produce a lot of notifications.

FIREFOX 21

Main Menu | Options | Options | Privacy, and:

  1. Under History, select Use Custom Setting for History.
  2. Uncheck at least Accept third-party cookies.  You may instead want to uncheck Accept cookies from sites to block all cookies and enable individual cookies as you need to.
  3. Change the Keep Until value to I close Firefox so it won’t store first-party cookies after you close your browser window.

SAFARI 6

Safari | Preferences | Privacy, and under Block cookies, select From third parties and advertisers.  You can also block all cookies if you wish by selecting Always and enable individual cookies as you need to.

CHROME 27

Chrome Menu | Settings | Show Advanced Settings.  Under Privacy click Content settings.  Under Cookies, set the following:

  1. Select Keep local data only until I quit my browser.  You can instead select Block sites from setting any data if you want to elect which cookies to allow as you visit each site.
  2. Check Block third-party cookies and site data.

OPERA 12

Main Menu | Settings | Preferences | Advanced | Cookies, and:

  1. Select Accept cookies only from the site I visit to disable third-party cookies.  You can instead select Never accept cookies if you want to elect which cookies to allow as you visit each site.
  2. Check Delete new cookies when exiting Opera.

 

2. Don’t Store Passwords or Allow Sites to Remember Your Form Entries

Some webpages ask if you want to store information such as credit cards, usernames or passwords.  They may also give you the option to stay logged in or to “remember me.”  Having websites remember your information is like writing down a password on a piece of paper and sticking it on your front door.  Anyone who looks at the right door will see it.  To help yourself, be conscious of what you tell sites to remember and configure the following settings:

INTERNET EXPLORER 10

Tools | Internet Options, and:

  1. Select Advanced.  Then under Security, check Do not save encrypted pages to disk.
  2. Select Content.  Then under Autocomplete, click Settings and uncheck all.
  3. Select Privacy.  Then check Never allow websites to request your physical location.

FIREFOX 21

Main Menu | Options | Options | Privacy, and:

  1. Under Tracking, select Tell sites that I do not want to be tracked.
  2. Under History, select Use Custom Setting for History. Uncheck Remember my browsing and download history.  Uncheck Remember search and form history.

Also select Main Menu | Options | Options | Security, and uncheck Remember passwords for sites.

SAFARI 6

Safari | Preferences, and:

  1. Select Autofill and uncheck all.
  2. Select Privacy and check Ask websites not to track me.

CHROME 27

Chrome Menu | Settings, and:

  1. Under Privacy, click Content settings.  Under location, select Ask me when a site tries to track my physical location.
  2. Under Passwords and forms, uncheck Enable Autofill to fill out web forms in a single click and uncheck Offer to save passwords I enter on the web.

OPERA 12

Main Menu | Settings | Preferences, and:

  1. Select Forms.  Uncheck Enable Password Manager.  Also do not enter any of the saved form data.
  2. Select Advanced | Security.  Check Ask websites not to track me.

NOTE:  If you would like to save your passwords because you created very strong passwords that may be hard to remember, we suggest an external password vault service that encrypts your password information locally and stores the encrypted information for you in the cloud.  Some popular ones are LastPass (https://lastpass.com/index.php), RoboForm (http://www.roboform.com), and 1Password (https://agilebits.com/onepassword).

 

3. Disable Pop-ups

Pop-ups are generally advertisements or other little windows that force you to pay attention to them before you can get back to the webpage you are on.  This is a great advertising gimmick, but it’s also dangerous because a malicious pop-up may have a virus download on all links within the pop-up, including the Ok and Cancel buttons.  Crafty popups even make it so the X at the top of the window to close it contains a virus download.  Pop-ups may also take you to sites that can phish your information or otherwise trick you into putting yourself at risk.

Smart web developers have learned to not put content in pop-ups, so blocking all pop-ups should not negatively affect your browsing experience.  You can always allow certain pop-ups as you go if you need them.  Block all pop-ups by selecting:

INTERNET EXPLORER 10

Tools | Internet Options | Privacy, and check Turn on Pop-up Blocker.

FIREFOX 21

Main Menu | Options | Options | Content, and click Block pop-up windows.

SAFARI 6

Safari | Preferences | Security, and check Block pop-up windows.

CHROME 27

Chrome Menu | Settings, under Privacy click Content settings.  Select Do not allow any site to show pop-ups.

OPERA 12

Main Menu | Settings | Preferences | General, and select Block all pop-ups.

 

4. Limit Plug-ins and Add-ons

Downloaded toolbars, plug-ins and add-ons can be helpful for enhancing your browsing experience, but the more items you attach to your browser, the more possible vulnerabilities there are for an attacker to exploit.  Additionally, attackers may use ActiveX, JavaScript, VBScript, and Java to run malicious code on a website without your knowledge.  Unfortunately, many legitimate pages use JavaScript as part of their functionality.  Limiting these types of scripts, though, can help protect you from a surprise malware download.  We suggest blocking most or all of them and enabling individual sites as you go by performing the following:

INTERNET EXPLORER 10

Tools | Internet Options | Advanced.  Under Browsing, uncheck Enable third-party browser extensions (add-ons).

You will also want to select Security and click the Internet icon. Change the setting to High for the “Internet” zone.  Click the Trusted Sites icon and set this to Medium.  Add sites to the Trusted list as you go.

FIREFOX 21

Main Menu | Options | Options, and:

  1. Select Content and uncheck Enable JavaScript.  If desired you can keep Enable JavaScript checked, but click Advanced and uncheck all to limit JavaScript actions.
  2. Select Security, and check Warn when sites try to install add-ons.

SAFARI 6

Safari | Preferences | Security, and uncheck Enable JavaScript, uncheck Allow Java, and uncheck Allow all other plug-ins.

CHROME 27

Chrome Menu | Settings. Under Privacy, click Content settings and:

  1. Under JavaScript, select Do not allow any site to run JavaScript.
  2. Under Plug-ins, select Block all (you can instead select Click to play to be prompted).
  3. Under Unsandboxed plug-in access, select Ask me when a site wants to use a plug-in to access my computer.

OPERA 12

Main Menu | Settings | Preferences | Advanced | Content, and uncheck Enable JavaScript, uncheck Enable Java, and uncheck Enable plug-ins.  If desired you can keep Enable JavaScript checked, but click JavaScript Options and uncheck all to limit JavaScript actions.

 

5. Enable Automatic Site Checking

Automatic Site Checking and similar filters check the webpages you visit against a list of known fraudulent or malicious websites (a blacklist) and warn or block you before the page loads.  These features may also scan webpages for suspicious characteristics and alert you to potentially hazardous sites (which can be added to the blacklist if need be).

INTERNET EXPLORER 10

This feature is automatically on.  To verify that it’s on, select Tools | Safety | Turn on SmartScreen Filter.

FIREFOX 21

This feature must be turned on by selecting Main Menu | Options | Options | Security.  Check Block reported attack sites and check Block reported web forgeries.

SAFARI 6

This feature is automatically on.  To verify that it’s on, select Safari | Preferences | Security, and check Warn when visiting a fraudulent website.

CHROME 27

This feature may be automatically on.  To verify that it’s on, select Chrome Menu | Settings, and under Privacy check Enable phishing/malware protection.

OPERA 12

This feature is automatically on.  To verify that it’s on, select Main Menu | Settings | Preferences | Advanced | Security and check Enable Fraud and Malware Protection.

 

6. Prompt for Downloads

The Automatic Site Checking mentioned above can help review downloads for malware, but there are other settings you can configure to alert you when something is about to download, in case you accidentally click a link and realize you shouldn’t be downloading that item.  Even just prompting you to tell the browser where to save the file can make you pause and think about what you are downloading.  You should always be careful what you download and from where, and scan all email attachments and downloads with your anti-virus software.

INTERNET EXPLORER 10

Tools | Internet Options | Security | Custom Level.  Under Downloads, select Enable for Automatic prompting for file downloads.

FIREFOX 21

Main Menu | Options | Options | Main, and under Downloads check Always ask me where to save files.

SAFARI 6

Safari | Preferences | General and uncheck Open “safe” files after downloading.

NOTE:  Just because Safari labels the file extension as “safe” doesn’t mean it actually is.  It’s also smart to open downloads only after the anti-virus scans them.

CHROME 27

Chrome Menu | Settings, and under Downloads, check Ask where to save each file before downloading.

OPERA 12

Main Menu | Settings | Preferences | Advanced | Downloads.  Here you can manage what to do for each type of file you may download.  For example, we recommend for EXE and BAT files to select Show the download dialog.

 

7. Clear Browsing Data/Temporary Internet Files

This removes all stored web data on your computer (cookies, cache, history, stored passwords/autofill data, etc.).  Since we just went through blocking new data from being saved, it’s smart to clear out any data that is currently there.   It’s also a good idea to repeat this step regularly to ensure any data that does still get saved, gets cleared.

INTERNET EXPLORER 10

Tools | Safety | Delete browsing history. Check the items to remove and click Delete.

FIREFOX 21

Main Menu | History | Clear Recent History.  In the dropdown, change the amount of time you want to go back (recommended: Everything).  Click the arrow next to Details, check the items to remove and click Clear now.

SAFARI 6

Safari | Reset Safari. Check the items to remove and click Reset.

CHROME 27

Chrome Menu | Tools | Clear Browsing Data. In the dropdown, change the amount of time you want to go back (recommended: The beginning of time).  Check the items to remove and click Clear browsing data.

OPERA 12

Main Menu | Settings | Delete Private Data.  Check the items to remove and click Delete.

 

Private Browsing Windows

Many browsers also have a feature that allows you to navigate the web without saving search history, form information, cached information, and some cookies.  While private browsing windows and tabs can be a start to keeping your information safe, they should not be relied on as a means to be “off the grid” or as a total replacement for the security settings mentioned above.

Browser: what it’s called (how to set it)

  • INTERNET EXPLORER 10: InPrivate Browsing (Tools | Safety | InPrivate Browsing)
  • FIREFOX 21: Private Browsing (Main Menu | New Private Window)
  • SAFARI 6: Private Browsing (Safari | Private Browsing)
  • CHROME 27: Incognito Mode (Chrome Menu | New Incognito Window)
  • OPERA 12: Private Tab/Window (Main Menu | Tabs and Windows | New Private Window)

 

SECURITY NOTE:

Using these recommended security settings does not negate the effects of malware that could already be installed on your computer.  For example, keyloggers can capture your data even if your browser doesn’t save it.  Be sure to keep your anti-virus up-to-date and scan your computer regularly for threats.  These security settings also do not exempt you from phishing attacks.  Be careful what information you share online and never provide your password to anyone.  More details can be found in various sections of our Best Practices pages.

Awareness Posters and Videos

Posters

In the last EDUCAUSE Poster and Video contest, RIT student and Information Security Office employee Karyn Lewis won several monetary awards for her posters. We'll provide information on the next contest as it's available. Click on the thumbnails below to see the posters.

Other Student-Produced Posters from RIT

  • Arden Kelly, "Keep Your Private Things Private"
  • Cristin Sick, "Is this Your Version of Computer Self Defense?"
  • Richard Kim, "When Connected, Stay Protected"

Videos

Retro RIT Information Security Awareness Video created by Rachel Diesel. (Temporarily unavailable.)

The EDUCAUSE Information Security Poster and Video Contest has had a number of interesting entries. View their YouTube page at: https://www.youtube.com/user/SecurityVideoContest.  We've embedded a couple of them on this page. 

 

2011 Gold Winner, PSA: "Protecting Your Computer in a Public Place"

 

2011 Gold Winner, Training Video: "The Right Kind of Bait"

 

2009 Gold Winner, Training Video: "Cyber Security Awareness"
