November 6, 2006
Tips offered on laptop, Internet security
By Julie Goldstein
Information Technology Services
The technological advances that make many things easier also require additional vigilance.
This article is the second of a two-part series on cyber security awareness. See the first story.
Laptop computers and other portable electronic devices are extremely vulnerable to theft and loss, putting information stored on them at increased risk.
It is important to keep these devices securely locked up when you are not around. Any suspected theft of UCSC-related computing equipment should be reported to the UCSC Police Department and to the local authorities if the incident occurred away from campus. Be sure to let the police know if the missing equipment contains sensitive information.
In terms of managing risk, it is useful to make decisions about what information you put on laptops and other portable devices under the assumption that they will be lost or stolen at some point. In general, do not store sensitive information or your only copy of critical information on these devices. If you cannot avoid storing some sensitive information on a portable device:
• Store the least amount possible.
• Delete, mask or truncate sensitive data elements whenever possible.
• If you need assistance removing or protecting sensitive information, contact the ITS Support Center.
Privacy on the Internet is a growing concern, especially as more and more people are using it for their professional and personal business, socializing, and entertainment. As a general rule, it is best to assume that any information you enter online is public unless you are using a known, trusted, secure site (see below).
Social networking sites (such as MySpace and Facebook), personal web pages, and blogs have also become notorious as public sources of personal information and uncensored opinions. It is important to remember that there is often no way to know who is reading or using the information you post--and for what purpose. You may be sharing with a larger audience than you think, including prospective employers, landlords, coworkers, instructors, college officials, law enforcement, the government, etc. Seemingly innocent information about your interests, family, or history could be used by hackers for identity theft, or by stalkers or social engineers (see below). Also keep in mind that once you post something online, it can be very difficult to “take it back.” Even if you delete the information, copies can still exist on other computers, web sites, or in search engines. Finally, remember that other people may not always tell the truth on these Internet sites.
Steps for protecting privacy
• Use only known, trusted, secure websites when you enter sensitive or personal information online. Get to these web sites by typing the web address in directly. Don’t click on links in unsolicited e-mails or cut and paste links from these e-mails.
• Look for “https” in the URL and the little locked padlock that appears in the corner of most browser windows to indicate that there is a secure connection.
• Assume that anything you post to social networking sites, personal web pages, blogs, or other unprotected sites is public and could potentially be used against you. A good rule of thumb is to only post information you would be willing to write on a banner that is displayed in a public place.
• Don’t give out personal or sensitive information to anyone you don’t know or who doesn’t have a legitimate need for it.
'Social engineering' is the practice of persuading people to reveal valuable information (personal, financial, business, log-in, system, network, etc.), access credentials (e.g. passwords), or even give money to a hacker. Social engineers take advantage of our desire to trust and help others, and our tendency to act quickly when faced with a crisis. The underlying principle behind social engineering is that it can be easier to trick people than to hack into computing systems by force.
Three extremely common examples of social engineering are “spam scams,” “impersonation” and “dumpster diving.”
Spam scams are deceptive e-mails designed to get people to reveal personal, financial or log-in information (often via links to web sites that can look legitimate, but which are really bogus sites designed to steal information), click on links or open attachments that can infect computers, or send money. For additional information and examples of spam scams, see OnGuard Online's spam page or the Federal Trade Commission's (FTC's) spam site.
In impersonation, attackers typically pose as someone in authority, or an IT representative, in order to obtain information or direct access to systems. Impersonators often research their role or their victims in advance in order to appear more legitimate.
Dumpster diving describes the practice of going through trash to obtain valuable information. Any sensitive information--paper or electronic--that is thrown away intact is vulnerable to dumpster diving.
To protect yourself from social engineering:
• Don’t give sensitive personal, financial, log-in, business, system or network information to anyone you don’t know (in person, over the phone, via e-mail or the Internet), or who doesn’t have a legitimate need for it. Keep in mind that you may have to enter your password for someone to work on your computer, but you shouldn’t have to tell it to them.
• Destroy or securely erase sensitive information before recycling or throwing it away.
• Delete unsolicited e-mails; don’t open, forward, reply to, or click on links or attachments in them.
• If an offer sounds too good to be true, it probably is. If you want to investigate something, look it up on your own (e.g. do a Google search) instead of clicking on an unknown or unsolicited link.
• You can report deceptive email to firstname.lastname@example.org. The FTC uses these reports to pursue legal action against people who send this email.
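The advice above (look for "https", type trusted addresses in directly rather than clicking e-mail links, and treat links in unsolicited e-mail as suspect) can be turned into a small automated check. The following is an added example, not code from the article or from UCSC ITS: it pulls every link out of an e-mail body and flags links that are not "https", links whose visible text shows one site while the address points to another, and addresses that merely contain a trusted site's name. The `TRUSTED_HOSTS` list and the sample e-mail are constructed for the example; the host names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: the sites the user would normally reach by typing
# the address in directly (hypothetical names, not real services).
TRUSTED_HOSTS = {"bank.example", "myucsc.example"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from the <a> tags in an e-mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased host part of a URL; bare host names are accepted too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def check_link(href, text):
    """Return the reasons a link looks risky; an empty list means nothing was flagged."""
    reasons = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()

    # Rule 1: sensitive information should only go over a secure connection.
    if parsed.scheme != "https":
        reasons.append("not https")

    # Rule 2: the visible text looks like an address but the link goes elsewhere.
    if "." in text and " " not in text:
        shown = _host(text)
        if shown and shown != host:
            reasons.append(f"text shows {shown} but link goes to {host}")

    # Rule 3: the host is not a trusted site; a host that merely contains a
    # trusted site's name (e.g. as a subdomain or with '-' for '.') is a lookalike.
    if host not in TRUSTED_HOSTS:
        for trusted in TRUSTED_HOSTS:
            if trusted in host or trusted.replace(".", "-") in host:
                reasons.append(f"lookalike of {trusted}")
                break
        else:
            reasons.append("host not in trusted list")
    return reasons


def check_email_links(html):
    """Map every link in an HTML e-mail body to its list of warnings."""
    collector = _LinkCollector()
    collector.feed(html)
    return {href: check_link(href, text) for href, text in collector.links}


# Constructed sample e-mail: one deceptive link and one legitimate one.
SAMPLE_EMAIL = """
<p>Your account is locked. Verify now:
<a href="http://bank.example.verify-login.test/">https://bank.example/login</a></p>
<p>Our privacy policy: <a href="https://bank.example/privacy">bank.example</a></p>
"""

if __name__ == "__main__":
    for link, warnings in check_email_links(SAMPLE_EMAIL).items():
        print(link, "->", warnings or "ok")
```

The visible-text comparison (rule 2) is the check that catches the "link that looks legitimate but is really a bogus site" case the article describes; the trusted-host rule is what makes "type the address in directly" enforceable, since a link that does not land exactly on a known site is reported rather than silently followed.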
For more information:
Additional computer security information is available on the ITS Security Awareness web site, including:
• A top 10 list of good computing practices
• Information about how to protect sensitive data
• Online tutorials
• Excellent non-UCSC resources
General questions about cyber security can be directed to the ITS Support Center:
Submit a request at http://itrequest.ucsc.edu/, or contact the ITS Support Center by e-mail, telephone or in-person. Please bring a photo ID or Student ID card with current sticker when visiting the office.