Don’t Be Fooled! Protect Yourself and Your Identity

According to the US Department of Justice, more than 17 million Americans were victims of identity theft in 2014. EDUCAUSE research shows that 21 percent of respondents to the annual ECAR student study have had an online account hacked, and 14 percent have had a computer, tablet, or smartphone stolen. Online fraud is an ongoing risk. The following tips can help you prevent identity theft.

  • Read your credit card, bank, and pay statements carefully each month. Look for unusual or unexpected transactions. Remember also to review recurring bill charges and other important personal account information.
  • Review your health insurance plan statements and claims. Look for unusual or unexpected transactions.
  • Shred it! Shred any documents with personal, financial, or medical information before you throw them away.
  • Take advantage of free annual credit reports. In the US, the three major credit reporting agencies provide a free credit report once a year upon request.
  • If a request for your personal info doesn’t feel right, do not feel obligated to respond! Legitimate companies won’t ask for personal information such as your social security number, password, or account number in a pop-up ad, e-mail, text, or unsolicited phone call.
  • Limit the personal information you share on social media. Also, check your privacy settings every time you update an application or operating system (or at least every few months).
  • Put a password on it. Protect your online accounts and mobile devices with strong, unique passwords or passphrases.
  • Limit use of public Wi-Fi. Be careful when using free Wi-Fi, which may not be secure. Consider waiting to access online banking information or other sensitive accounts until you are at home.
  • Secure your devices. Encrypt your hard drive, use a VPN, and ensure that your systems, apps, antivirus software, and plug-ins are up-to-date.

If you become a victim of identity theft:

  • File a report with the US Federal Trade Commission at IdentityTheft.gov.
  • Use the identity theft report to file a police report. Make sure you keep a copy of both reports in a safe place.
  • Flag your credit reports by contacting the fraud departments of any one of the three major credit bureaus: Equifax (800-525-6285), Experian (888-397-3742), or TransUnion (800-680-7289).

Follow us on Twitter @SRSUOIT

Like us on Facebook SRSUOIT

Article courtesy of Educause

Are You Practicing Safe Social Networking?

Who Else Is Online? Social media sites are not well-monitored playgrounds with protectors watching over you to ensure your safety. When you use social media, do you think about who might be using it besides your friends and connections? Following are some of the other users you may encounter.

  • Identity thieves. Cybercriminals need only a few pieces of information to gain access to your financial resources. Phone numbers, addresses, names, and other personal information can be harvested easily from social networking sites and used for identity theft. Cybercrime attacks have moved to social media, because that’s where cybercriminals get their greatest return on investment.
  • Online predators. Are your friends interested in seeing your class schedule online? Well, sex offenders or other criminals could be as well. Knowing your schedule and your whereabouts can make it very easy for someone to victimize you, whether it’s breaking in while you’re gone or attacking you while you’re out.
  • Employers. Most employers investigate applicants and current employees through social networking sites and/or search engines. What you post online could put you in a negative light to prospective or current employers, especially if your profile picture features you doing something questionable or “less than clever.” Think before you post a compromising picture or inflammatory status. (And stay out of online political and religious discussions!)

How Do I Protect My Information? Although there are no guaranteed ways to keep your online information secure, following are some tips to help keep your private information private.

  • Don’t post personal or private information online! The easiest way to keep your information private is to NOT post it. Don’t post your full birthdate, address, or phone numbers online. Don’t hesitate to ask friends to remove embarrassing or sensitive information about you from their posts, either. You can NEVER assume the information you post online is private.
  • Use privacy settings. Most social networking sites provide settings that let you restrict public access to your profile, such as allowing only your friends to view it. (Of course, this works only if you allow people you actually know to see your postings — if you have 10,000 “friends,” your privacy won’t be very well protected.)
  • Review privacy settings regularly. It’s important to review your privacy settings for each social networking site; they change over time, and you may find that you’ve unknowingly exposed information you intended to keep private.
  • Be wary of others. Many social networking sites do not have a rigorous process to verify the identity of their users. Always be cautious when dealing with unfamiliar people online. Also, you might receive a friend request from someone masquerading as a friend. Here’s a cool hint — if you use Google Chrome, right-click on the photo in a LinkedIn profile and choose Google image search. If you find that there are multiple accounts using the same image, all but one is probably spurious.
  • Search for yourself. Do you know what information is readily available about you online? Find out what other people can easily access by doing a search. Also, set up an automatic search alert to notify you when your name appears online. (You may want to set alerts for your nicknames, phone numbers, and addresses as well; you may very well be surprised at what you find.)
  • Understand the role of hashtags. Hashtags (#) are a popular way to provide clever commentary or to tag specific pictures. Many people restrict access to their Instagram accounts so that only their friends can see their pictures. However, when someone applies a hashtag to a picture that is otherwise private, anyone who searches for that hashtag can see it.

My Information Won’t Be Available Forever, Will It? Well, maybe not forever, but it will remain online for a lot longer than you think.

  • Before posting anything online, remember the maxim “what happens on the web, stays on the web.” Information on the Internet is public and available for anyone to see, and security is never perfect. With browser caching and server backups, there is a good chance that what you post will circulate on the web for years to come. So: be safe and think twice about anything you post online.
  • Share only the information you are comfortable sharing. Don’t supply information that’s not required. Remember: You have to play a role in protecting your information and staying safe online. No one will do it for you.

Follow us on Twitter @SRSUOIT

Like us on Facebook SRSUOIT

Article courtesy of Educause

Security Tips for Traveling at Home and Abroad

We all like to travel with our mobile devices (smartphones, laptops, or tablets) — whether it’s to the coffee shop around the corner or to a café in Paris. These devices make it easy for us to stay connected while on the go, but they can also store a lot of information — including contacts, photos, videos, location, and other personal and financial data — about ourselves and our friends and family. Following are some ways to protect yourself and others.

Before you go:

  • If possible, do not take your work or personal devices with you on international trips. If you do, remove or encrypt any confidential data.
  • For international travel, consider using temporary devices, such as an inexpensive laptop and a prepaid cell phone purchased specifically for travel. (For business travel, your employer may have specific policies about device use and traveling abroad.)
  • Install a device finder or manager on your mobile device in case it is lost or stolen. Make sure
    it has remote wipe capabilities and that you know how to do a remote wipe.
  • Ensure that any device with an operating system and software is fully patched and up-to-date with security software.
  • Makes copies of your travel documents and any credit cards you’re taking with you. Leave the copies with a trusted friend, in case the items are lost or stolen.
  • Keep prying eyes out! Use strong passwords, passcodes, or smart-phone touch ID to lock and protect your devices.
  • Avoid posting social media announcements about your travel plans; such announcements make you an easy target for thieves. Wait until you’re home to post your photos or share details about your trip.

While you’re there:

  • Physically protect yourself, your devices, and any identification documents (especially your passport).
  • Don’t use an ATM unless you have no other option; instead, work with a teller inside the bank. If you must use an ATM, only do so during daylight hours and ask a friend to watch your back. Also check the ATM for any skimming devices, and use your hand to cover the number pad as you enter your PIN.
  • It’s hard to resist sharing photos or telling friends and family about your adventures, but it’s best to wait to post about your trip on social media until you return home.
  • Never use the computers available in public areas, hotel business centers, or cyber cafés since they may be loaded with keyloggers and malware. If you use a device belonging to other travelers, colleagues, or friends, do not log in to e-mail or any sensitive accounts.
  • Be careful when using public wireless networks or Wi-Fi hotspots; they’re not secure, so anyone could potentially see what you’re doing on your computer or mobile device while you’re connected.
  • Disable Wi-Fi and Bluetooth when not in use. Some stores and other locations search for devices with Wi-Fi or Bluetooth enabled to track your movements when you’re within range.
  • Keep your devices with you at all times during your travels. Do not assume they will be safe in your hotel room or in a hotel safe.

When you return:

  • Change any and all passwords you may have used abroad.
  • Run full antivirus scans on your devices.
  • If you used a credit card while traveling, check your monthly statements for any discrepancies for at least one year after you return.
  • If you downloaded any apps specifically for your trip and no longer need them, be sure to delete those apps and the associated data.
  • Post all of your photos on social media and enjoy reliving the experience!

SRSU OIT Advisory: Petya Cyber Attack

Through news agencies and social media, many of you are aware of the current cyber attack, Petya, which started in Europe and continues to spread across the globe, including the U.S. This attack is similar to the devastating attack on organizations around the globe in May 2017. OIT is keeping an eye on developments in this latest attack and will keep you informed if and when the situation changes.

In the meantime, here are four things you can do immediately to lower the chance you will be impacted by this latest global threat.

1. Ensure all updates are applied on your computer. This includes Operating Systems (Windows, MacOS, others), applications (MS Office is the most common). Your SRSU computer is updated automatically each time Microsoft releases an update but you may want to check that on occasion.

2. Don’t click on email messages and attachments you are not expecting or seem unusual. If you receive something that doesn’t look right, assume it is not. Contact the person that supposedly sent it and verify the message or attachment(s) are valid. A 60-second phone call may save many months or years of work.

3.  Ensure your data is backed up to a location that is not accessible by a virus or ransomware attack. While not the first item on this list, this may be one of the most important and the one for which all the responsibility falls to you.  If you are not sure your hard drive is being backed up, assume that it is not.  SRSU OIT does not provide backups for your SRSU supplied desktop computer.  For some of you, backups are to an external hard drive. While a worthy solution, even external hard drives fail from time to time or can be corrupted if left plugged into an infected machine.  OIT recommends the use of Office 365 to store all your documents.

4.  Never download software not authorized by OIT. The beginnings of this latest threat come from tax accounting software. Once it gets inside an organization, it can spread from machine to machine if those machines are vulnerable to the threat.

OIT continues to monitor any situation that heighten the risk of your computer and data files being compromised. We will take appropriate actions as we see fit.

Follow us on Twitter @SRSUOIT

Like us Facebook SRSUOIT

Here are links if you are interested in learning more about this cyber attack:

Read Greg Freidline’s blog post here. https://blogs.sulross.edu/gfreidline/2017/06/28/block-petya-virus-on-a-computer/ WARNING: Lots of geek-speak here! 

Here is an excerpt from NPR talking about the Petya virus: http://www.npr.org/sections/thetwo-way/2017/06/28/534679950/petya-ransomware-hits-at-least-65-countries-microsoft-traces-it-to-tax-software.

Learn What It Takes to Refuse the Phishing Bait!

Cybercriminals know the best strategies for gaining access to your institution’s sensitive data. In most cases, it doesn’t involve them rappelling from a ceiling’s skylight and deftly avoiding a laser detection system to hack into your servers; instead, they simply manipulate a community member.

According to IBM’s 2014 Cyber Security Intelligence Index, human error is a factor in 95 percent of security incidents. Following are a few ways to identify various types of social engineering attacks and their telltale signs.

  • Phishing isn’t relegated to just e-mail! Cybercriminals will also launch phishing attacks through phone calls, text messages, or other online messaging applications. Don’t know the sender or caller? Seem too good to be true? It’s probably a phishing attack.
  • Know the signs. Does the e-mail contain a vague salutation, spelling or grammatical errors, an urgent request, and/or an offer that seems impossibly good? Click that delete button.
  • Verify the sender. Check the sender’s e-mail address to make sure it’s legitimate. If it appears that your institution’s help desk is asking you to click on a link to increase your mailbox quota, but the sender is “UniversityHelpDesk@yahoo.com,” it’s a phishing message.
  • Don’t be duped by aesthetics. Phishing e-mails often contain convincing logos, links to actual company websites, legitimate phone numbers, and e-mail signatures of actual employees. However, if the message is urging you to take action — especially action such as sending sensitive information, clicking on a link, or downloading an attachment — exercise caution and look for other telltale signs of phishing attacks. Don’t hesitate to contact the company directly; they can verify legitimacy and may not even be aware that their name is being used for fraud.
  • Never, ever share your password. Did we say never? Yup, we mean never. Your password is the key to your identity, your data, and your classmates’ and colleagues’ data. It is for your eyes only. Your institution’s help desk or IT department will never ask you for your password.
  • Avoid opening links and attachments from unknown senders. Get into the habit of typing known URLs into your browser. Don’t open attachments unless you’re expecting a file from someone. Give them a call if you’re suspicious.
  • When you’re not sure, call to verify. Let’s say you receive an e-mail claiming to be from someone you know — a friend, colleague, or even the president of your college or university. Cybercriminals often spoof addresses to convince you, then request that you perform an action such as transfer funds or provide sensitive information. If something seems off about the e-mail, call them at a known number listed in your institution’s directory to confirm the request.
  • Don’t talk to strangers! Receive a call from someone you don’t know? Are they asking you to provide information or making odd requests? Hang up the phone and report it to the help desk.
  • Don’t be tempted by abandoned flash drives. Cybercriminals may leave flash drives lying around for victims to pick up and insert, thereby unknowingly installing malware on their computers. You might be tempted to insert a flash drive only to find out the rightful owner, but be wary — it could be a trap.
  • See someone suspicious? Say something. If you notice someone suspicious walking around or “tailgating” someone else, especially in an off-limits area, call campus safety.

Keeping It Private

You exist in digital form all over the Internet. It is thus important to ensure that the digital “You” matches what you are intending to share. It is also critical to guard your privacy — not only to avoid embarrassment, but also to protect your identity and finances!

Following are specific steps you can take to protect your online information, identity, and privacy.

  • Use a unique password for each site. Hackers often use previously compromised information to access other sites. Choosing unique passwords keeps that risk to a minimum.
  • Use a password manager. Using an encrypted password manager to store your passwords makes it easy to access and use a unique password for each site. See https://securingthehuman.sans.org/newsletters/ouch/issues/OUCH-201310_en.pdf for more info on password managers.  The OIT department uses Lastpass for our purposes and have found it easy to use and secure.
  • Know what you are sharing. Check the privacy settings on all of your social media accounts; some even include a wizard to walk you through the settings. Always be cautious about what you post publicly.
  • Guard your date of birth and telephone number. These are key pieces of information used for verification, and you should not share them publicly. If an online service or site asks you to share this critical information, consider whether it is important enough to warrant it.
  • Keep your work and personal presences separate. Your employer has the right to access your e-mail account, so you should use an outside service for private e-mails. This also helps you ensure uninterrupted access to your private e-mail and other services if you switch employers.
  • There are no true secrets online. Use the postcard or billboard test: Would you be comfortable with everyone reading a message or post? If not, don’t share it.

(Taken in part from the EducauseReview website)

 

SRSU OIT Security Advisory – Virus in Email Attachment 8/12/2016

Sul Ross is receiving email messages that contain a harmful virus.  The Locky virus encrypts all the files on your computer’s hard drive and these files cannot be recovered.  The only mechanism we have to clean up the virus is to reformat your hard drive.

The email message indicates it is coming from a @sulross.edu account and contains a Microsoft Word document (*.doc, *.docx, *.docm) that when clicked, spreads the virus to your local machine and any attached devices, including thumb drives, external hard drives, and any other physically attached devices.

Our advice is that you never click on any attachments in an email message unless you are specifically expecting the attachment.  We also suggest you look carefully at the sender, the subject line, and the body of the message for indications the email is not legitimate (poor grammar, invalid references, etc.).

In the instances we are seeing today, the email purports to come from Dorothy, Gwendolyn and other common names (e.g. Dorothy@sulross.edu).  We do not use only first names in our email addresses, although some individuals have an alias that includes their first and last, e.g. david.gibson@sulross.edu.

If you receive an email from a peer, we suggest you take a moment, call the individual that supposedly sent the email and verify they did so and that they included an attachment.

Attacks on all institutions are on the rise.  Our best line of defense is you.  Be aware.  Don’t click.  Call us if you need help or are unsure at 432-837-8888.

 

Mobile Device Theft

Mobile Device in Hand

With an increasing amount of sensitive data being stored on mobile devices, the value and mobility of smartphones, tablets, and laptops make them appealing and easy targets. These simple tips will help you be prepared in case your mobile device is lost or stolen or misplaced.

  • Don’t leave your device alone, even for a minute! If you’re not using it, lock your device in a cabinet or drawer, use a security cable, or take it with you. It’s not enough to simply ask the stranger next to you in a library or coffee shop to watch your laptop for a few minutes.
  • Differentiate your device. It’s less likely that someone will steal your device and say they thought it belonged to them if your device looks unique. Sometimes these markings make the laptop harder to resell, so they’re less likely to be stolen. Use a permanent marking, engraving, or tamper-resistant commercial asset tracking tag.
  • Delete sensitive information. Don’t keep any restricted data on your laptop. We recommend searching your computer for restricted data and deleting it. Restricted data includes your Social Security number, credit card numbers, network IDs, passwords, and other personally identifiable information. You’d be surprised how easy it is to forget that this information is on your computer!
  • Back it up. Set a reminder to backup your data on a regular basis! Keep an external copy of important files stored on your laptop in a safe location in case it is lost or stolen. Your photos, papers, research, and other files are irreplaceable, and losing them may be worse than losing your device.
  • Encrypt information. Protect your personal data with the built-in disc encryption feature included with your computer’s operating system (e.g., BitLocker or FileVault).
  • Record the serial number. Jot down the serial number of your device and store it in a safe place. This information can be useful for verifying your device if it’s found.
  • Install software. Install and use tracking and recovery software included with most devices (e.g., the “Find iDevice” feature in iOS) or invest in commercial products like LoJack or Prey. Some software includes remote-wipe capabilities. This feature allows you to log on to an online account and delete all of the information on your laptop. There are both paid and free versions of this type of software, and each provides different levels of features. Search online to find the best combination of cost and functions to meet your needs.

If you have question, please contact the Helpdesk at 432-837-8888.

Guard Your Privacy Online

blog-writing

You and your information are everywhere. When you’re online you leave a trail of “digital exhaust” in the form of cookies, GPS data, social network posts, and e-mail exchanges, among others. It is critical to learn how to protect yourself and guard your privacy. Here are some ideas that can help protect you, your information, as well as the data you are entrusted with from SR.

  • Use long and complex passwords or passphrase. These are often the first line of defense in protecting an online account. The length and complexity of your passwords can provide an extra level of protection for your personal information.
  • Take care what you share. Periodically check the privacy settings for your social networking apps to ensure that they are set to share only what you want, with whom you intend. Be very careful about putting personal information online. What goes on the Internet, usually stays on the Internet.
  • Go stealth when browsing. Your browser can store quite a bit of information about your online activities, including cookies, cached pages, and history. To ensure the privacy of personal information online, limit access by going “incognito” and using the browser’s private mode.
  • Using Wi-Fi? If only public Wi-Fi is available, restrict your activity to simple searches (no banking!) or use a VPN (virtual private network). The latter provides an encrypted tunnel between you and the sites you visit.
  • Should you trust that app? Only use apps from reputable sources. Check out reviews from users or other trusted sources before downloading anything that is unfamiliar.

If you have questions about how to follow any of these guidelines, contact the Helpdesk at 432-837-8888.

By the way, never use your laptop as a coffee mug coaster as in the picture.  Not a good idea. 🙂

 

Guard Your Privacy When Offline or Traveling

suitcasePlanning a summer vacation? People are frequently more vulnerable when traveling because a break from their regular routine or encounters with unfamiliar situations often result in less cautious behavior. If this sounds like you or someone you know, these five tips will help you protect yourself and guard your privacy.

  • Track that device! Install a device finder or manager on your mobile device in case it’s lost or stolen. Make sure it has remote wipe capabilities and also protects against malware.
  • Avoid social media announcements about your travel plans. It’s tempting to share your upcoming vacation plans with family and friends, but consider how this might make you an easy target for local or online thieves. While traveling, avoid using social media to “check in” to airports and consider posting those beautiful photos after you return home. Find out how burglars are using your vacation posts to target you in this infographic.
  • Traveling soon? If you’re traveling with a laptop or mobile device, remove or encrypt confidential information. Consider using a laptop or device designated for travel with no personal information, especially when traveling out of the country.
  • Limit personal information stored on devices. Use a tool like Identity Finder to locate your personally identifiable information (e.g., SSN, credit card numbers, or bank accounts) on your computer, then secure or remove that information.
  • Physically protect yourself and your devices. Use a laptop lock, avoid carrying identification cards, shred sensitive paperwork before you recycle it, and watch out for “shoulder surfers” at the ATM.

These tips can’t protect you from every possible scenario but they will provide some protections and give you ideas for others.  The best advice of all … be aware.