Weak and poorly protected passwords remain the single biggest threat to computer security. Unfortunately, many of us still choose passwords that are easily “cracked,” like birthdays, pets’ names, foreign words, and celebrities’ names.
Powerful, automated tools for cracking poorly chosen passwords are readily available to malicious individuals, and are often carried in computer worms and viruses.
These tools call on large dictionaries to guess what a user’s password might be. Password dictionaries generally contain hundreds of thousands of entries, including words and phrases from numerous languages, from pop culture, and sequences like “12345678” and “fjdksla;” which are common passwords. Password cracking tools take each dictionary entry and use it in numerous ways–spelling it forwards and backwards, and making common substitutions like replacing the letter “O” with a zero.
Have you done your SSN spring cleaning? Social Security numbers have long been used by financial services, health care, and educational organizations to identify people. In recent years, the use of SSNs has become much more problematic, as they are often used to commit identity theft. Because of this risk, it’s important that we at Penn do our best to limit the use and storage of SSNs:
• Check computers, file cabinets, and folders to eliminate any unnecessary storage of SSNs.
• Shred unneeded documents containing SSNs.
• Remove requests for SSNs from forms.
• Limit access to SSNs to workers who legitimately require access to the data.
• If you have a system that utilizes SSNs but can use Penn ID instead, make that conversion.
Instant Messaging (IM) can be a useful tool, but be aware of the following risks:
Don’t expect your IM conversations to be private. They travel over the network unencrypted and can be easily forged. IM is a bad way to transmit sensitive data such as credit card numbers, passwords, and social security numbers. It’s about as secure as email, which is to say “not all that secure.”
Worms are also a big problem. Several IM worms will send messages to all your IM buddies with instructions to “click here” to play a computer game or view an image, but point instead to a malicious URL that installs a virus. These messages will appear to your buddies either as you are initiating a session with them or in the middle of an existing IM session with you. And the worm is even smart enough to impersonate your buddy in the conversation if you try to verify his or her identity with a question like, “Is it really you?” To prevent infection, keep your IM software up-to-date and always install the latest security patches.
Before disposing of, or donating, old computers, hard drives, CDs, computer tapes, or other electronic storage devices, make sure that all the data is destroyed.
A simple delete by dragging the file to the trash and then emptying it is not sufficient. Computers don’t actually get rid of the data deleted this way, but simply mark the space as available for subsequent use. Meanwhile the old data is still “squatting” on your hard drive until your operating system happens to assign a new file to the space.
University computers and hard drives should be securely wiped by overwriting the entire hard drive seven times before disposal or donation. Commercial software that will do this includes PGP Desktop for Windows and Mac, Active Eraser for Windows, and Super Scrubber for Mac.
University Archives and Records also provides a secure electronic data records destruction service. Contact Pat Vickers at firstname.lastname@example.org.
The online world gives us unprecedented opportunities to chat with people around the world about current issues, to network professionally and socially, and generally to express ourselves. These are amazing and positive developments.
But think about privacy risks when posting to discussion boards, blogs, and similar services. Electronic postings may be permanent and may define you now or at any future point. Statements made now, in jest or to a small group of colleagues, may come back to haunt you in the future. Consider who may search the web on your name and what they may find.
Online networking sites raise similar privacy issues. Once you post data about yourself, it may be very hard to take it back. Do you want the world to know your street address or your summer plans? Maybe you’re comfortable sharing only your email address and only with a designated, known group of people. Check for privacy options available through most online services and make choices that are right for you about what you share with whom.
Week 8: Does Your Email Sometimes Smell Phishy?
You may have read about phishing email scams that try to trick you into going to bogus websites and entering personal information like credit card numbers and Social Security numbers. This is one of the most common ways of committing identity theft.
In the past year, the attacks have become more personalized. In May 2005, several hundred people at Penn received email forged to look like it came from the Penn Student Federal Credit Union, informing them that their account had been compromised. The email provided a web link, and advised recipients to go to the website and enter their account and password information. In fact, the email linked to a hacked website which was used to collect victims’ passwords. A similar hoax tried to trick Penn people into going to a hacked website to enter their PennKey and password.
You should maintain a healthy skepticism about email that asks you to go to websites to enter personal financial information or passwords. If you think a request may be legitimate, contact the sender directly at a published phone number or email address, not one included in the email.
Week 9: Links Can Be Deceiving
For years, security experts have advised caution when opening email attachments. Now, clicking on website links in email poses an equally big threat. You can’t be sure where a link will take you.
It is often difficult to tell whether a link is “trustworthy.” In general, exercise caution, but consider factors such as:
• Do you know the sender? Generally, you should be able to trust content from people you know more than from people you do not (though there are exceptions!).
• Is the message of a type you would expect from the sender? Email could be forged to appear to come from an acquaintance and contain links that will trick your web browser into downloading harmful viruses or worms.
• Is the sender likely to understand the risks of unknown links? Some friends or colleagues may send links they know little about, raising again concern about downloading a worm or causing other problems.
If you use instant messaging, the same advice applies. During the 2005 holiday season, tens of thousands of computers were infected by a worm disguised as a greeting card appearing to come from an AOL Instant Messenger buddy.
Week 10: Privacy of Student Records
What do you do when your boss asks you for a list of students in a certain residence or with a certain set of interests to alert them to an upcoming event? What do you do when a parent calls to find out where their child is?
The answer in each case is, “It depends.” Federal law and Penn policy tell us what student data we can share with whom. Student data cannot be shared except in specified circumstances.
These are some common examples of when student data may be shared:
• You may always share student information with University officials who need such information to perform their jobs.
• You may (though are not required to) share student data with a parent or other designated persons when a student has consented to such sharing. Penn allows students to consent through an online application in Penn InTouch or by using a paper form.
• You may share directory information if the student has not opted out of the directory. Follow the student’s preferences according to Penn’s online directory.
Want more information? Visit Penn’s Privacy website at www.upenn.edu/privacy or write to email@example.com.
Week 11: Make Your Home Wireless Network Secure
The affordability and ease of use of basic wireless access points (WAPs) has prompted many Penn users to set up “hot spots” at home.
• On each WAP you use, change the default administrator password to a strong password.
• Change the default SSID, or "name," of each WAP to a unique name of your own choosing.
• Disable broadcasting of your network name (SSID) to make your network less visible to unauthorized users.
• Enable and require the strongest encryption that your WAPs offer -- usually 128-bit Wireless Encryption Protocol (WEP). This will encrypt all traffic traveling across your wireless network.
• Regularly check for, and install, updated versions of the firmware for your WAPs and software drivers for your wireless Ethernet adapters.
• Enable and require MAC (Media Access Control) address filtering on each WAP. This will let you specify which individual computers may access the WAP, identified by the unique MAC addresses associated with their Ethernet adapters. For instructions on locating MAC addresses for Windows and Macintosh computers, please see www.upenn.edu/computing/security/footprints/#locatemac.
Week 12: Don’t Save Passwords in Your Web Browser
Most newer web browsers prompt you to save your usernames and passwords for websites, which may contain private information such as your email, or financial information such as your credit card number. You should never save your PennKey password or your passwords for other University systems, and it’s not a good idea to save passwords for other systems containing personal information either. Once you save a password, anyone using your computer could access your private information, or a worm or virus could steal your password.
For instructions on removing stored passwords from your web browser, please see www.upenn.edu/computing/security/footprints/#removestoredpws.
Week 13: To Stay Secure, Keep Your Software Current
If you are using old, outdated web browsing, email or IM software, you are vulnerable to malicious websites, email attachments and Instant Messages. This can lead to infection with viruses. It can also open up your system to harmful adware and spyware that tracks your web browsing, causes frequent pop-up windows, and makes your computer sluggish. When you use the most current software, your computer is much less likely to get hacked.
To get the latest supported browser and email software, you can go to www.upenn.edu/computing/product/.
For the latest IM software, see:
AOL Instant Messenger http://www.aim.com/
Yahoo Messenger http://messenger.yahoo.com/security/
MSN Messenger http://messenger.msn.com/download
Always check with your Local Support Provider before installing new software on your computer.
Week 14: Spam Filtering
Unsolicited commercial e-mail, commonly referred to as “spam,” has risen exponentially in recent years and now accounts for 40-65% of all email traffic. Spam is a problem for anyone with an email account.
Spam messages can be quite annoying or offensive. They can include attachments and URLs that, if clicked on, can install viruses or worms on your computer. Also, spam uses up your email quota and the amount of spam may overwhelm legitimate email, making legitimate email harder to locate.
At Penn, each School mail server offers a spam filter but these filters differ in how they are used, managed, and configured. For information and links to School and other Penn spam filtering sites, see www.upenn.edu/computing/security/footprints/index.html#spamfiltering.
Week 15: Don’t Download Sensitive Data
Unless You Absolutely Have To
Several weeks ago, at a peer institution, a researcher’s laptop containing sensitive HIV-related information about 1500 patients was stolen from the researcher’s home. This was not an isolated incident. More and more data breaches are occurring as a result of lost or stolen laptops. Data is also at risk when it is stored on an unsecured desktop.
The best way to avoid risks to sensitive data, to people, and to Penn is simply to not download sensitive data unless you absolutely must. Your Local Support Provider (LSP) can advise you on how you can instead store and access sensitive documents on properly secured departmental file servers. They should be used whenever possible to reduce the number of points of possible vulnerability. If you must download sensitive data, contact your LSP for assistance in encrypting the file, securing your machine, and securely deleting the information once it is no longer necessary.
Week 16: Laptop Theft
UPPD CrimeStats published in Almanac routinely report laptop thefts from on campus. The cost of replacing a stolen laptop is considerable, but looks small in comparison to the cost of losing months or years of work. Stolen laptops also pose a serious threat to privacy when they contain sensitive information like SSNs, medical records, or student information.
To keep your laptop safe:
• Keep your belongings in sight and never leave your laptop unattended.
• Don't leave your laptop visible on the seat in your vehicle.
• Don't leave a meeting or conference without your laptop.
• Make sure your laptop data are backed up.
• Finally, consider purchasing Computrace software ($99 from Office of Site Licensing)*. Computrace is a recovery service that enables law enforcement to recover stolen laptops. If a computer with Computrace installed is reported stolen, the software contacts a monitoring center as soon as the computer is attached to the Internet, and reports its location. The Computrace vendor tracks the location and works with local law enforcement to recover and return your laptop to you. For more information, see: www.business-services.upenn.edu/computerstore/home/software/system.html#security.
*For Computrace software (described in the May 2 "One Step Ahead" column on "Laptop Theft"), there are different purchasing methods for departmental purchases and individual purchases. Departments must place orders with the Office of Software Licensing (www.upenn.edu/softwarelicenses/), whereas individuals can only purchase from the Penn Computer Connection.
A Security and Privacy Risk
A new feature added to the Google Desktop 3.0 program for Windows computers poses serious risks to the security and privacy of personal and Penn institutional data. Google Desktop is a search tool that lets you search all the information on your computer and other computers as well.
In February, Google added a new “search across computers” function. This feature places images of your personal and work-related files on Google’s servers so you can search the contents of one computer from another. If your email or Instant Messenger conversations are stored on your computer, Google Desktop will index them and store them on Google’s servers. There are options for configuring what data is uploaded to Google, but if Google Desktop is configured incorrectly, you can unknowingly transmit copies of restricted data for storage on Google’s servers.
It is recommended that no one use Google Desktop on computers used for Penn business. This is especially true for faculty and staff with confidential HIPAA, FERPA, or other confidential or legally protected records stored on their computers.
If you use Google Desktop for your personal computer (one not used for Penn business), the article at the following address describes some limited options for protecting your data: www.itd.umich.edu/itcsdocs/s4340/.
Don’t Keep Email Around
It’s easy to let email accumulate in your inbox for years. But keeping email around too long may put you at risk for several reasons:
- You may go over your storage quota. Computer storage space is expensive. And your local copy may be archived in computer backup systems, taking even more space! When you delete email, make sure it is deleted everywhere. If you are unsure where copies of your email might reside, check with your Local Support Provider.
- Enormous mailboxes are more likely to become corrupted than lean ones on some email clients. This may lead to data loss.
- Large mailboxes may slow down searches when you're looking for recent mail.
Be sure to delete email routinely in accordance with University Archives and Records' records retention schedule (www.archives.upenn.edu/urc/recrdret/entry.html). However, be aware that upon service of legal process (subpoena, summons, or the like), the record retention schedule must be suspended and records related to the legal process must not be destroyed.
For additional tips, see the One Step Ahead link on the Information Security website: www.upenn.edu/computing/security/.