The University of St. Thomas

Frequently Asked Questions

Most commonly asked questions about Computer Security...

Security Frequently Asked Questions

1.  How do I create a secure password?

2.  How do I recognize a potential threat/compromise?

3.  What is Phishing?

4.  How do I recognize a spoofed email?

5.  What do I do if I suspect my computer is compromised?



1.  How do I create a secure password?

Create a strong, memorable password in 5 steps:

  1. Think of a sentence that you can remember. This will be the basis of your strong password or pass phrase. Use a memorable sentence, such as "My son Aiden is three years old."

  2. Check if the computer or online system supports the pass phrase directly. If you can use a pass phrase (with spaces between characters) on your computer or online system, do so.

  3. If the computer or online system does not support pass phrases, convert it to a password. Take the first letter of each word of the sentence that you've created to create a new, nonsensical word. Using the example above, you'd get: "msaityo".

  4. Add complexity by mixing uppercase and lowercase letters and numbers. It is valuable to use some letter swapping or misspellings as well. For instance, in the pass phrase above, consider misspelling Aiden's name, or substituting the word "three" for the number 3. There are many possible substitutions, and the longer the sentence, the more complex your password can be. Your pass phrase might become "My SoN Ayd3N is 3 yeeRs old." If the computer or online system will not support a pass phrase, use the same technique on the shorter password. This might yield a password like "MsAy3yo".

  5. Finally, substitute some special characters. You can use symbols that look like letters, combine words (remove spaces) and other ways to make the password more complex. Using these tricks, we create a pass phrase of "MySoN 8N i$ 3 yeeR$ old" or a password (using the first letter of each word) "M$8ni3y0".
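
To make the five steps concrete, here is an added Python example (it is not part of this FAQ) that derives the acronym password and then applies the number-word, case and look-alike substitutions mechanically. The substitution tables and the rule for which letter gets swapped are assumptions made for the example; the FAQ's own "My SoN Ayd3N is 3 yeeRs old." was made by hand and the script produces a different but equivalent result.

```python
# Added example: turning a memorable sentence into a pass phrase or a
# shorter password, following the five steps above. Not part of the FAQ.
import re

# Step 4: number words that become digits (table is an assumption for this example).
WORD_SWAPS = {"one": "1", "two": "2", "three": "3", "four": "4", "five": "5"}
# Step 5: look-alike symbols (also an assumption; choose your own).
CHAR_SWAPS = {"a": "@", "e": "3", "i": "!", "o": "0", "s": "$"}


def words_of(sentence: str) -> list[str]:
    """Split the sentence into words, dropping punctuation."""
    return re.findall(r"[A-Za-z0-9']+", sentence)


def acronym_password(sentence: str) -> str:
    """Step 3: first letter of each word, e.g. 'My son Aiden is three years old.' -> 'msaityo'."""
    return "".join(w[0].lower() for w in words_of(sentence))


def strengthen_word(word: str) -> str:
    """Steps 4 and 5 for one word: number words become digits, the last letter
    changes case, and the first swappable letter becomes a look-alike symbol."""
    low = word.lower()
    if low in WORD_SWAPS:
        return WORD_SWAPS[low]
    chars = list(word)
    chars[-1] = chars[-1].upper()            # variation in case
    for i, c in enumerate(chars):             # one look-alike substitution per word
        if c.lower() in CHAR_SWAPS:
            chars[i] = CHAR_SWAPS[c.lower()]
            break
    return "".join(chars)


def strengthen_phrase(sentence: str) -> str:
    """Pass phrase for systems that allow spaces (step 2)."""
    return " ".join(strengthen_word(w) for w in words_of(sentence))


def derive_password(sentence: str) -> str:
    """Password for systems without pass phrase support: first character of
    each strengthened word, so the substitutions survive the shortening."""
    return "".join(strengthen_word(w)[0] for w in words_of(sentence))


def choose(sentence: str, allows_spaces: bool) -> str:
    """Step 2: prefer the full pass phrase whenever the system supports it."""
    return strengthen_phrase(sentence) if allows_spaces else derive_password(sentence)


if __name__ == "__main__":
    s = "My son Aiden is three years old."
    print(acronym_password(s))      # msaityo
    print(strengthen_phrase(s))     # MY $oN @ideN !S 3 y3arS 0lD
    print(derive_password(s))       # M$@!3y0
```

The pass phrase form keeps the full length of the sentence, which is what makes it strong; the acronym form only keeps one character per word, so the substitutions matter much more there.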

Password strategies to avoid

Some common methods used to create passwords are easy to guess. To avoid weak, easy-to-guess passwords:

  • Avoid sequences or repeated characters. "12345678," "222222," "abcdefg," or adjacent letters on your keyboard do not help make secure passwords.

  • Avoid using only look-alike substitutions of numbers or symbols. Criminals and other malicious users who know enough to try to crack your password will not be fooled by common look-alike replacements, such as replacing an 'i' with a '1' or an 'a' with '@' as in "M1cr0$0ft" or "P@ssw0rd". These substitutions can be effective, however, when combined with other measures, such as length, misspellings, or variations in case, to improve the strength of your password.

  • Avoid your login name. Any part of your name, birthday, social security number, or similar information for your loved ones constitutes a bad password choice. This is one of the first things criminals will try.

  • Avoid dictionary words in any language. Criminals use sophisticated tools that can rapidly guess passwords that are based on words in multiple dictionaries, including words spelled backwards, common misspellings, and substitutions. This includes all sorts of profanity and any word you would not say in front of your children.

  • Avoid using one password everywhere. If any one of the computers or online systems using that password is compromised, all of your other information protected by the same password should be considered compromised as well. It is critical to use different passwords for different systems.

  • Avoid storing passwords online. If malicious users find passwords stored online or on a networked computer, they have access to all your information.
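
The strategies above can be checked mechanically before a password is accepted. The following added Python example (not part of this FAQ) flags sequences, repeated characters, login names or personal details, and dictionary words, including words hidden behind the look-alike substitutions the list warns about. The word list, the sequence and repeat lengths, and the substitution table are assumptions made for the example; a real check would load full dictionaries in several languages.

```python
# Added example: flagging the password strategies the list above says to
# avoid. Not part of the FAQ; the word list and thresholds are assumptions.
import re

# Undo common look-alike substitutions so "P@ssw0rd" is judged as "password".
LEET = str.maketrans("@$0!1357", "asoiiest")

# Rows to detect sequences in: keyboard rows, digits and the alphabet.
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", "abcdefghijklmnopqrstuvwxyz"]

# Tiny constructed dictionary; a real check would load full word lists.
WORDS = {"password", "microsoft", "welcome", "dragon", "monkey", "letmein", "summer"}

SEQ_LEN = 4     # four adjacent characters from a row count as a sequence
REPEAT_LEN = 3  # three identical characters in a row count as repetition


def normalize(pw: str) -> str:
    """Lower-case, reverse the look-alike swaps and keep letters only."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))


def has_sequence(pw: str) -> bool:
    """True if any SEQ_LEN characters run forwards or backwards along a row."""
    low = pw.lower()
    for row in ROWS:
        for i in range(len(low) - SEQ_LEN + 1):
            window = low[i:i + SEQ_LEN]
            if window in row or window in row[::-1]:
                return True
    return False


def has_repeat(pw: str) -> bool:
    """True if the same character appears REPEAT_LEN or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (REPEAT_LEN - 1), pw) is not None


def dictionary_hit(pw: str) -> bool:
    """True if the normalized password is a word, a word spelled backwards,
    or contains a longer word."""
    norm = normalize(pw)
    if norm in WORDS or norm[::-1] in WORDS:
        return True
    return any(w in norm for w in WORDS if len(w) >= 5)


def contains_personal(pw: str, personal) -> bool:
    """True if a login name or other personal token appears, even behind substitutions."""
    low, norm = pw.lower(), normalize(pw)
    return any(len(t) >= 3 and (t.lower() in low or t.lower() in norm) for t in personal)


def weaknesses(pw: str, personal=()) -> list[str]:
    """Return the reasons a password matches a strategy to avoid (empty list = none found)."""
    reasons = []
    if has_sequence(pw):
        reasons.append("sequence or keyboard run")
    if has_repeat(pw):
        reasons.append("repeated characters")
    if contains_personal(pw, personal):
        reasons.append("contains login name or personal detail")
    if dictionary_hit(pw):
        reasons.append("based on a dictionary word")
    return reasons


if __name__ == "__main__":
    for candidate in ["12345678", "222222", "P@ssw0rd", "M1cr0$0ft", "jsmith1984", "M$8ni3y0"]:
        print(candidate, weaknesses(candidate, personal=["jsmith"]))
```

The password-reuse item cannot be checked from a single password, which is exactly why a password manager or a per-system scheme is the practical answer to it.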

More information can be found at Microsoft’s website: http://www.microsoft.com/athome/security/privacy/password.mspx

2.  How do I recognize a potential threat/compromise?

Signs of a compromised computer can include:

  • The system is much less responsive than usual, unable to connect to network services, or simply non-functional.
  • There is unusual disk activity.
  • There are unusual log entries such as login failures, user changes, or connections to unfamiliar services.
  • You receive a complaint from a third party about suspicious activity originating from your computer, account, or IP address.

Compromise, for purposes of this document, means unauthorized interactive access to the system.  A virus would not normally be considered a compromise.  A “hacked” user account, a brute-force break-in that provides privileged access, or a hole such as those found in many misconfigured web servers that lets users access data not intended for public consumption are all considered compromises.  Keep in mind that the list above is not intended to be comprehensive; if you are in doubt, treat the system as if it is compromised.
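
The third sign above, unusual log entries such as login failures and user changes, is the one that can be checked automatically. The following added Python example (not part of this FAQ) scans authentication log lines for a burst of failed logins from one source, a successful login from that same source afterwards, and account creation. The log lines are a constructed sample in the style of a Linux auth.log, and the failure threshold is an assumption.

```python
# Added example: scanning authentication log lines for the signs listed
# above (login failures, account changes, a login from the same source
# after a burst of failures). Not part of the FAQ; the log lines are a
# constructed sample in Linux auth.log style and the threshold is an assumption.
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Mar 10 02:14:01 host1 sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51222 ssh2
Mar 10 02:14:02 host1 sshd[4102]: Failed password for invalid user admin from 203.0.113.7 port 51224 ssh2
Mar 10 02:14:03 host1 sshd[4103]: Failed password for root from 203.0.113.7 port 51226 ssh2
Mar 10 02:14:05 host1 sshd[4105]: Failed password for jdoe from 203.0.113.7 port 51230 ssh2
Mar 10 02:14:06 host1 sshd[4106]: Failed password for jdoe from 203.0.113.7 port 51232 ssh2
Mar 10 02:14:07 host1 sshd[4107]: Failed password for jdoe from 203.0.113.7 port 51234 ssh2
Mar 10 02:14:09 host1 sshd[4110]: Accepted password for jdoe from 203.0.113.7 port 51240 ssh2
Mar 10 02:15:30 host1 useradd[4150]: new user: name=backup2, UID=1005, GID=1005, home=/home/backup2, shell=/bin/bash
Mar 10 08:00:00 host1 sshd[5000]: Accepted publickey for jdoe from 192.0.2.10 port 40000 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[\w-]+)\[\d+\]: (?P<msg>.*)$")
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
OK_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")
NEWUSER_RE = re.compile(r"new user: name=(?P<user>[^,]+)")

FAIL_THRESHOLD = 5  # assumption: five or more failures from one source is worth a look


def parse(text: str):
    """Yield (timestamp, process, message) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # syslog timestamps carry no year; only the time of day is used here
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            yield ts, m["proc"], m["msg"]


def findings(text: str, threshold: int = FAIL_THRESHOLD) -> list[str]:
    """Return human-readable findings in the order they were detected."""
    failures = defaultdict(list)  # source IP -> timestamps of failed logins
    out = []
    for ts, proc, msg in parse(text):
        if fail := FAIL_RE.search(msg):
            failures[fail["ip"]].append(ts)
        elif ok := OK_RE.search(msg):
            prior = len(failures.get(ok["ip"], ()))
            if prior >= threshold:
                out.append(f"successful login for {ok['user']} from {ok['ip']} after {prior} failures")
        elif new := NEWUSER_RE.search(msg):
            out.append(f"account created: {new['user']}")
    for ip, times in failures.items():
        if len(times) >= threshold:
            out.append(f"{len(times)} failed logins from {ip} between {times[0]:%H:%M:%S} and {times[-1]:%H:%M:%S}")
    return out


if __name__ == "__main__":
    for finding in findings(SAMPLE_LOG):
        print(finding)
```

The success-after-failures finding is the important one: a burst of failures alone may be background noise, but a successful login from the same source right after it is the "brute force break-in" the paragraph above describes and should be treated as a compromise until shown otherwise.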

Sensitive Data

Sensitive data includes any of the following:

  • Social Security Numbers
  • Driver's license numbers
  • Credit card numbers of individuals, and/or any credit card expiration date(s), and/or card verification codes (typically a 3 or 4 digit number used for fraud prevention)
  • Grades/G.P.A. information
  • Information protected under the Family Educational Rights and Privacy Act (FERPA) (e.g., information in records maintained by the university that are directly related to students, including biographic and demographic data, application materials, course schedules, grades, test scores, work-study records, or immigration information).
  • Gramm-Leach-Bliley Act (GLBA) protected information. GLBA-protected information includes financial and/or tax information of students, parents, or other third parties with whom Carnegie Mellon has a continuing relationship where such information was acquired in the provision of financial services by Carnegie Mellon (such as loans, financial aid, processing of tuition payments, etc.).
  • Information obtained from a third party or the government that was indicated to have been controlled under U.S. export control laws or regulations such as EAR or ITAR.
  • Information obtained from a third party under a written obligation of non-disclosure or confidentiality.
  • Other non-public personally-identifiable information not already listed above (such as home address, home phone number, date of birth, W-2 information, ethnicity, etc.).

Source: http://www.cmu.edu/computing/documentation/policies_firstrepond/first_respond.html 
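
Two items on the list, Social Security Numbers and credit card numbers, have a fixed enough shape that files can be scanned for them before they are shared or stored on a networked computer. The following added Python example (not part of this FAQ) does that with a format check for SSNs and a Luhn checksum for card numbers, so that a phone number or an order reference is not reported as a card. The sample record is constructed; the card number in it is a widely used test number, and the SSN is one of the never-issued numbers used in advertising.

```python
# Added example: finding two of the sensitive data types listed above
# (Social Security Numbers and credit card numbers) in text so that files
# can be checked before they are shared. Not part of the FAQ; the sample
# record is constructed and the card number is a widely used test number.
import re

# SSN: three groups, with the never-issued areas (000, 666, 900-999),
# group 00 and serial 0000 excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")
# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

SAMPLE = """\
Student record (constructed sample):
SSN: 219-09-9999
Card on file: 4111-1111-1111-1111 exp 03/27
Tech Desk phone: 651-962-6230
Order ref: 1234567890123
"""


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan(text: str) -> list[tuple[str, str]]:
    """Return (kind, redacted value) pairs in order of appearance."""
    hits = []
    for m in SSN_RE.finditer(text):
        hits.append((m.start(), "ssn", "***-**-" + m.group()[-4:]))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        # a 10-digit phone number never matches CARD_RE; a random 13-digit
        # order reference matches but fails the Luhn check
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append((m.start(), "card", "***" + digits[-4:]))
    return [(kind, value) for _, kind, value in sorted(hits)]


if __name__ == "__main__":
    for kind, value in scan(SAMPLE):
        print(kind, value)
```

Only the last four digits are kept in the output, so the report itself does not become another copy of the sensitive data.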

 

3.  What is Phishing?

Phishing is a growing problem for consumers as fraudsters get more and more sophisticated.

Phishing is usually done via an email which appears to be from a trusted source - your bank, PayPal, eBay, etc. - and which attempts to induce you to provide your personal information, bank account number or credit card number. Many of these emails look legitimate, and the unwary consumer clicks on the link and becomes a victim.

Phishing Examples

PayPal - These phishing emails claim that there have been attempts to access the recipient’s PayPal account from a foreign IP address, and that the recipient must verify their identity by clicking on the link provided in the email in order to keep the account active. Early versions of this phishing attempt had numerous misspellings in the e-mail, but those seem to have been fixed in more recent attempts.

eBay - The most common ones request that you, of course, click on the link to verify your account. I’ve recently been getting some which purport to come from a potential buyer asking that I respond to a question. The emails look good, but they’re being sent to an email account which isn’t linked to my eBay account, and I don’t currently have any auctions running.

There are hundreds of phishing scams hoping to catch the unwary at any given time. The Anti-Phishing Working Group has an archive of phishing attacks that have been submitted to them.

How to Avoid Getting Hooked

The simplest way to avoid becoming the victim of a phishing attack is to never click on a link from an unsolicited email. If you are ever asked to verify your account information for any reason, go to the website of the bank or company, and access your account directly via their secure website.

Some other ways to avoid becoming a victim are:

  • Hold your cursor over the link. A small pop-up will show the URL of the website you will be directed to. If it is not the website of the company sending the email, or it doesn’t start with “https”, you can be pretty sure you’ve been phished.
  • Never reply to a phishing email; this can give the potential thieves information about you.
  • Keep your virus and firewall software up to date; some phishing attacks carry harmful viruses or trojans that can collect personal information from your computer.
  • Never open attachments that end in .exe or aren’t from a trusted source.
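
The "hold your cursor over the link" check can be applied to every link in a message at once. The following added Python example (not part of this FAQ) pulls each link out of an HTML email body and reports three things the hover check looks for: a scheme other than https, a host that is not the expected company's domain or a subdomain of it, and visible link text that shows one address while the link points somewhere else. The HTML is a constructed sample using reserved example addresses, and the expected domain is supplied by the caller.

```python
# Added example: the "hover over the link" check done programmatically for
# every link in an email body. Not part of the FAQ; the HTML is a
# constructed sample and the expected domain is supplied by the caller.
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE_HTML = """\
<p>Please <a href="http://paypal.com.account-verify.example/login">verify your account</a>.</p>
<p>Help is at <a href="https://www.paypal.com/help">https://www.paypal.com/help</a>.</p>
<p>Sign in at <a href="https://203.0.113.5/pp">https://www.paypal.com/signin</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def belongs_to(host: str, domain: str) -> bool:
    """True when host is the domain or a subdomain of it (merely containing it is not enough)."""
    return host == domain or host.endswith("." + domain)


def check_link(href: str, text: str, expected_domain: str) -> list[str]:
    """Problems with one link: wrong scheme, wrong host, or text that shows a different host."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    problems = []
    if parts.scheme != "https":
        problems.append("not https")
    if not belongs_to(host, expected_domain):
        problems.append(f"host {host!r} is not {expected_domain}")
    shown = urlsplit(text).hostname   # the visible text may itself look like a URL
    if shown and shown.lower() != host:
        problems.append(f"link text shows {shown} but points to {host}")
    return problems


def audit(html: str, expected_domain: str) -> list[tuple[str, list[str]]]:
    """Run check_link over every link in the body."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, check_link(href, text, expected_domain)) for href, text in collector.links]


if __name__ == "__main__":
    for href, problems in audit(SAMPLE_HTML, "paypal.com"):
        print(href, problems or "ok")
```

The first link in the sample is the case the hover check is meant to catch: the company name appears at the start of the host name, but the host is not a subdomain of the company's domain, which is why the check tests the end of the host name rather than whether the name merely contains the company.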

How to Report Phishing

If you’ve been phished, forward the entire email to spam@uce.gov and to the company, bank, or organization impersonated in the phishing email. Most organizations have information on their websites about where to report problems.

From http://credit.about.com/od/phishing/a/phishing.htm

4.  How do I recognize a spoofed email?

A spoofed email is one that someone sends while making it look as if it came from you.  This often happens when your email address is on somebody else’s computer that has become infected with a virus or spyware.  If you receive a message that you suspect has been spoofed, or have been told you sent a message you know you did not send, please check your sent items to verify.  Another way to verify is to check the message header information; how to view it varies depending on your email client.  To find out more, call your organization’s Tech Desk.

You can find several tips and suggestions in PayPal's fraudulent e-mail advisory.  But note that emails that "seem" legitimate could still be phishing attempts.

If you're concerned about a "call to action" from an email -- e.g. your bank claims your credit card is being abused, PayPal reports a problem with an account -- do not click any links in the email.  Close the email, your email program, and all your browser windows.  Then, visit the site directly (e.g. type in www.paypal.com for PayPal concerns).
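
The "check the message header information" step above is what the following added Python example (not part of this FAQ) does on a raw message: it compares the domain in the visible From line with the Return-Path, reads the SPF and DKIM results the receiving mail server recorded in Authentication-Results, and looks at the earliest Received hop to see where a message claiming to be from the organization actually entered. Both messages are constructed samples using reserved .example domains, and the organization's own domain is an assumption set at the top.

```python
# Added example: checking the headers of a raw message for the signs of a
# spoofed sender. Not part of the FAQ; both messages are constructed samples
# with reserved .example domains, and OUR_DOMAIN is an assumption.
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "university.example"  # assumption: the organisation's own mail domain

SUSPECT_RAW = """\
Return-Path: <bounce@mail.example.net>
Received: from mx.university.example (mx.university.example [192.0.2.25]) by inbox.university.example; Tue, 5 Mar 2024 09:12:44 -0600
Received: from relay.example.net (relay.example.net [198.51.100.9]) by mx.university.example; Tue, 5 Mar 2024 09:12:43 -0600
Authentication-Results: mx.university.example; spf=fail smtp.mailfrom=mail.example.net; dkim=none
From: "Jane Doe" <jdoe@university.example>
To: <recipient@university.example>
Subject: Re: invoice

Please see the attached invoice.
"""

NORMAL_RAW = """\
Return-Path: <jdoe@university.example>
Received: from mx.university.example (mx.university.example [192.0.2.25]) by inbox.university.example; Tue, 5 Mar 2024 10:00:01 -0600
Received: from webmail.university.example (webmail.university.example [192.0.2.30]) by mx.university.example; Tue, 5 Mar 2024 10:00:00 -0600
Authentication-Results: mx.university.example; spf=pass smtp.mailfrom=university.example; dkim=pass
From: "Jane Doe" <jdoe@university.example>
To: <recipient@university.example>
Subject: Lunch

Noon works for me.
"""


def domain_of(header_value) -> str:
    """Domain part of the address in a From or Return-Path header."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()


def earliest_hop(msg) -> str:
    """Hostname in the last Received header, i.e. where the message first entered."""
    received = msg.get_all("Received") or []
    if not received:
        return ""
    m = re.search(r"from (\S+)", received[-1])
    return m.group(1).lower() if m else ""


def header_findings(raw: str, our_domain: str = OUR_DOMAIN) -> list[str]:
    """Return the reasons the headers do not agree with the visible sender."""
    msg = message_from_string(raw)
    out = []
    from_dom = domain_of(msg["From"])
    rp_dom = domain_of(msg["Return-Path"])
    if rp_dom and rp_dom != from_dom:
        out.append(f"From domain {from_dom!r} does not match Return-Path domain {rp_dom!r}")
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim"):               # results recorded by the receiving server
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            out.append(f"{mech.upper()} result is {m.group(1)!r}, not 'pass'")
    hop = earliest_hop(msg)
    inside = hop == our_domain or hop.endswith("." + our_domain)
    if from_dom == our_domain and hop and not inside:
        out.append(f"claims to be from {our_domain} but entered from {hop!r}")
    return out


if __name__ == "__main__":
    print(header_findings(SUSPECT_RAW))
    print(header_findings(NORMAL_RAW))   # []
```

Only the Authentication-Results and Received headers added by your own mail server can be trusted; everything else, including From and Return-Path, is written by whoever sent the message, which is why the check compares them against those server-added headers rather than taking them at face value.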

 

 

5.  What do I do if I suspect my computer is compromised?

Procedures:

  1. Disconnect the computer from the network, i.e., pull the network cable from either the wall jack or the computer, disable wireless, and/or remove the wireless card.
  2. Call the IRT Tech Desk at 651-962-6230 to log an incident and get instructions.
  3. Do not power off, reboot, or rebuild until so instructed by IRT.