OUCH! | January 2012–Securing Your Home Wi-Fi Network

OUCH! | January 2012

IN THIS ISSUE…

• Administration
• Your Network Name
• Encryption & Authentication
• OpenDNS

Securing Your Home Wi-Fi Network

GUEST EDITOR

Raul Siles is the guest editor for this issue. Raul is the
founder of and a senior security analyst with Taddong
(www.taddong.com), a SANS author and instructor, and a
security enthusiast (www.raulsiles.com). You can follow
Raul on Twitter at @taddong and on his blog at
blog.taddong.com.

 

OVERVIEW

Wi-Fi networks (sometimes called by their technical name
802.11) allow people to wirelessly connect devices to the
Internet, such as smartphones, gaming consoles, tablets,
and laptops. Because Wi-Fi networks are simple to set up,
many people install their own Wi-Fi networks at home.
However, many home Wi-Fi networks are configured
insecurely, allowing strangers or unauthorized people to
easily access your home network or anonymously abuse
your Internet connection. To ensure you have a safe and
secure home Wi-Fi network, here are a few simple steps
you should take.

ADMINISTRATION

Your Wi-Fi network is controlled by something called a Wi-Fi
access point. This is a physical device you can buy at
your local electronics store or that may be built into your
Internet router. The access point is what wirelessly
connects your devices to the Internet. One of the first steps
to securing your Wi-Fi network is limiting who can
administer your Wi-Fi access point and how they can
access it. We recommend you take the following steps
when configuring your Wi-Fi access point for the first time.

• For many Wi-Fi access points the default
  administrator login and password is well known. In
  fact, these default accounts can often be found
  listed on the Internet. So be sure to change the
  default administrator login and password to
  something that only you know.
• For administrative access to your Wi-Fi access
  point, we recommend you disable wireless access
  and instead require a physical network connection,
  such as using an Ethernet cable. If you must have
  wireless administrative access, then at a minimum
  disable HTTP access and require HTTPS, which
  supports encryption.

SETTING YOUR WI-FI NETWORK NAME

Another option you will need to configure is the name of
your Wi-Fi network (often called SSID). This is the name
your devices will see when they search for local Wi-Fi
networks. We recommend changing your default Wi-Fi
network name. Give your network name something unique
so you can easily identify it, but make sure it does not
contain any personal information. Also, there is little value
in configuring your Wi-Fi network as hidden (or non-broadcast).
Today most Wi-Fi scanning tools or any skilled
attacker can easily discover the details of a hidden network.
The recommended option is to leave your Wi-Fi network
visible, but secure it using the other steps covered in this
newsletter.

ENCRYPTION & AUTHENTICATION

The next step is to ensure that only people you know and
trust can connect to and use your Wi-Fi network and that
those connections are encrypted. We want to be sure that
neighbors or nearby strangers cannot connect to or monitor
your Wi-Fi network. Fortunately, these dangers are easily
mitigated by simply enabling strong security on your Wi-Fi
access point. Currently one of the best options is to use the
security mechanism WPA2. By simply enabling this you
require a password for people to connect to your Wi-Fi
network, and once authenticated, those connections are
encrypted. Be sure you do not use older, outdated security
methods, such as WEP, or no security at all, which is called
an open Wi-Fi network. An open network allows anyone to
connect to your Wi-Fi network without any authentication.
The recommended encryption method for WPA2 is AES
only, versus other options such as TKIP or TKIP+AES.

When configuring the password people will use to connect
to your Wi-Fi network, make sure it is different from the
administrator password and that the password cannot be
easily guessed; we recommend at least 20 characters long.
This may sound like a very long password, but remember
you most likely have to enter it only once for each of your
devices, as they will store and remember the password for
future network access. If your Wi-Fi access point is in a
physically secure location and only trusted members of your
family have access to it, one option may be to tape the user
password to the bottom of the Wi-Fi access point for easy
recall. Remember that anyone you have given the password
to will have access to your Wi-Fi network, so from time to
time you may want to change it.

Finally, we recommend you turn off or disable WPS (Wi-Fi
Protected Setup). WPS is a specification designed to ease
the process of securely setting up your Wi-Fi access point.
At the time of publishing this newsletter, recent vulnerabilities
were found that may allow an attacker full access to your
wireless network if WPS is enabled.
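
The checklist above (change the default administrator login, administer over Ethernet or at least over HTTPS, change the default network name, WPA2 with AES only, a Wi-Fi password of at least 20 characters that differs from the administrator password, and WPS turned off) can be turned into a small audit. The following Python script is an added example and is not from the newsletter or from any access point vendor: the settings dictionaries and their key names are a constructed stand-in for the fields an access point's administration pages show, and the lists of default network names and administrator passwords are constructed samples, not a real reference list.

```python
"""Audit home access point settings against the newsletter's checklist (added example).

The settings below are a constructed stand-in for the fields on an access point's
administration pages; the key names are hypothetical, not any vendor's.
"""

# Constructed sample lists, not a real reference of vendor defaults.
COMMON_DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default", "wireless"}
COMMON_DEFAULT_ADMIN_PASSWORDS = {"", "admin", "password", "1234"}
MIN_WIFI_PASSWORD_LENGTH = 20  # the newsletter's recommendation


def audit_access_point(cfg):
    """Return a list of (code, message) findings; an empty list means the checklist passes."""
    findings = []

    # Administration: default credentials, wireless admin access, plain HTTP
    if cfg.get("admin_password", "") in COMMON_DEFAULT_ADMIN_PASSWORDS:
        findings.append(("default-admin-password",
                         "administrator password is a well-known default; change it"))
    if cfg.get("admin_over_wireless", True):
        findings.append(("admin-over-wifi",
                         "administration is reachable over Wi-Fi; require an Ethernet connection"))
    if cfg.get("admin_protocol", "http").lower() != "https":
        findings.append(("admin-http",
                         "administration uses HTTP; disable it and require HTTPS"))

    # Network name: vendor defaults are easy to spot, and hiding the SSID adds little
    if cfg.get("ssid", "").lower() in COMMON_DEFAULT_SSIDS:
        findings.append(("default-ssid", "network name is a vendor default; pick a unique one"))
    if cfg.get("hidden_ssid", False):
        findings.append(("hidden-ssid",
                         "hidden SSID gives little protection; leave it visible and rely on WPA2"))

    # Encryption and authentication: WPA2 with AES only, no WEP/open/TKIP, no WPS
    mode = cfg.get("security_mode", "open").upper()
    if mode != "WPA2":
        findings.append(("weak-security-mode", f"security mode is {mode}; use WPA2"))
    if cfg.get("cipher", "").upper() != "AES":
        findings.append(("weak-cipher", "encryption should be AES only, not TKIP or TKIP+AES"))
    if cfg.get("wps_enabled", False):
        findings.append(("wps-enabled", "WPS is enabled; turn it off"))

    # Wi-Fi password: long, and not the same as the administrator password
    wifi_pw = cfg.get("wifi_password", "")
    if len(wifi_pw) < MIN_WIFI_PASSWORD_LENGTH:
        findings.append(("short-wifi-password",
                         f"Wi-Fi password is {len(wifi_pw)} characters; "
                         f"use at least {MIN_WIFI_PASSWORD_LENGTH}"))
    if wifi_pw and wifi_pw == cfg.get("admin_password"):
        findings.append(("password-reuse",
                         "Wi-Fi password equals the administrator password; use different ones"))
    return findings


# Constructed examples: a factory-fresh looking setup and a hardened one.
WEAK_SETTINGS = {
    "ssid": "linksys", "hidden_ssid": True,
    "admin_password": "admin", "admin_over_wireless": True, "admin_protocol": "http",
    "security_mode": "WEP", "cipher": "TKIP", "wps_enabled": True,
    "wifi_password": "admin",
}
HARDENED_SETTINGS = {
    "ssid": "blue-kettle-7", "hidden_ssid": False,
    "admin_password": "a separate, long administrator password",
    "admin_over_wireless": False, "admin_protocol": "https",
    "security_mode": "WPA2", "cipher": "AES", "wps_enabled": False,
    "wifi_password": "correct horse battery staple attic",
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        result = audit_access_point(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for code, message in result:
            print(f"  [{code}] {message}")
```

Run as a script it lists every finding for the weak settings and none for the hardened ones; to audit your own access point you would copy the values from its administration pages into the dictionary. The mixed "TKIP+AES" option is flagged on purpose, since the newsletter recommends AES only.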

OPENDNS

Once you have your Wi-Fi connection configured, one of the
last steps we recommend is configuring your network to use
OpenDNS as your DNS servers. When you type a name into
your browser, DNS is how your browser knows which server
on the Internet to connect to. OpenDNS is a free service that
helps ensure you connect only to safe websites. In addition,
OpenDNS gives you the ability to manage what websites your
family can connect to. If you want to filter and block
objectionable material, this is a great resource. The
OpenDNS website walks you through step-by-step how to
configure your Wi-Fi access point to use OpenDNS.

RESOURCES

Some of the links shown below have been shortened for
greater readability using the TinyURL service. To mitigate
security issues, OUCH! always uses TinyURL’s preview
feature, which shows you the ultimate destination of the link
and asks your permission before proceeding to it.

OnGuard Online Wi-Fi Security:
http://preview.tinyurl.com/7sylsul

Security Encyclopedia:
http://preview.tinyurl.com/bpc2h23

WPS Vulnerability:
http://preview.tinyurl.com/cjs4l4w

OpenDNS:
http://www.opendns.org

Common Security Terms:
http://preview.tinyurl.com/6wkpae5

LEARN MORE

Subscribe to the monthly OUCH! security awareness
newsletter, access the OUCH! archives, and learn more
about SANS security awareness solutions by visiting us at
http://www.securingthehuman.org

OUCH! is published by the SANS Securing The Human program and is distributed under the
Creative Commons BY-NC-ND 3.0 license. Permission is granted to distribute this newsletter
as long as you reference the source, the distribution is not modified and it is not used for
commercial purposes. For translating or more information, please contact ouch@securingthehuman.org.
 
Editorial Board: Bill Wyman, Walt Scrivens, Phil Hoffman, Lance Spitzner

© The SANS Institute 2012    http://www.securingthehuman.org


Need a Florist? Try Arrigo’s Flower Shop !!


If you live in the East Lovejoy area of Buffalo, NY (aka Iron Island, Iron City), try a local merchant for your floral needs. 30 years experience shows that they do it right!

They’re located at 1180 Lovejoy Street, Buffalo, NY and can be reached toll free at

1-800-472-1841

Arrigo’s Flower Shop


Cyber Security Tip ST11-001 – Holiday Traveling With Personal Internet-Enabled Devices

                         Cyber Security Tip ST11-001
            Holiday Traveling With Personal Internet-Enabled Devices

   The internet is at our fingertips with the widespread use of
   internet-enabled devices such as smart phones and tablets. When traveling
   and shopping anytime, and especially during the holidays, consider the
   wireless network you are using when you complete transactions on your
   internet-enabled device.

Know the risks

   Your smart phone, tablet, or other internet-enabled device is a full-fledged
   computer. It is susceptible to risks inherent in online transactions. When
   shopping, banking, or sharing personal information online, take the same
   precautions with your smart phone or other internet-enabled device that you
   do with your personal computer — and then some. The mobile nature of these
   devices means that you should also take precautions for the physical
   security of your device (see Protecting Portable Devices: Physical Security
   for more information) and consider the way you are accessing the internet.

Do not use public Wi-Fi networks

   Avoid using open Wi-Fi networks to conduct personal business, bank, or shop
   online. Open Wi-Fi networks at places such as airports, coffee shops, and
   other public locations present an opportunity for attackers to intercept
   sensitive information that you would provide to complete an online
   transaction.

   If you simply must check your bank balance or make an online purchase while
   you are traveling, turn off your device’s Wi-Fi connection and use your
   mobile device’s cellular data internet connection instead of making the
   transaction over an unsecure Wi-Fi network.

Turn off Bluetooth when not in use

   Bluetooth-enabled accessories can be helpful, such as earpieces for
   hands-free talking and external keyboards for ease of typing. When these
   devices are not in use, turn off the Bluetooth setting on your phone. Cyber
   criminals have the capability to pair with your phone’s open Bluetooth
   connection when you are not using it and steal personal information.

Be cautious when charging

   Avoid connecting your mobile device to any computer or charging station that
   you do not control, such as a charging station at an airport terminal or a
   shared computer at a library. Connecting a mobile device to a computer using
   a USB cable can allow software running on that computer to interact with the
   phone in ways that a user may not anticipate. As a result, a malicious
   computer could gain access to your sensitive data or install new software.

Don't Fall Victim to Phishing Scams

   If you are in the shopping mode, an email that appears to be from a
   legitimate retailer might be difficult to resist. If the deal looks too
   good to be true, or the link in the email or attachment to the text seems
   suspicious, do not click on it!

What to do if your accounts are compromised

   If you notice that one of your online accounts has been hacked, call the
   bank, store, or credit card company that owns your account. Reporting fraud
   in a timely manner helps minimize the impact and lessens your personal
   liability. You should also change your account passwords for any online
   services associated with your mobile device using a different computer that
   you control. If you are the victim of identity theft, additional information
   is available from http://www.idtheft.gov/.

   For even more information about keeping your devices safe, read
   Cybersecurity for Electronic Devices.
     _________________________________________________________________

   Produced in 2011 by US-CERT, a government organization.

   Terms of use

   http://www.us-cert.gov/legal.html

   This document can also be found at

   http://www.us-cert.gov/cas/tips/ST11-001.html

   For instructions on subscribing to or unsubscribing from this
   mailing list, visit http://www.us-cert.gov/cas/signup.html.

#Computers #Internet #Security


OUCH! | December 2011–E-mail Phishing and Scams

OUCH! | December 2011

IN THIS ISSUE…

• Phishing
• Scams
• Protecting Yourself

E-mail Phishing and Scams

GUEST EDITOR

Pieter Danhieux is the guest editor for this issue. He works
for BAE Systems stratsec in Australia (www.stratsec.net)
and is an instructor for the penetration testing courses at
the SANS Institute.


OVERVIEW

E-mail is one of the primary ways we communicate. We not
only use it every day for work, but also to stay in touch with
our friends and family. In addition e-mail is how companies
provide many products or services, such as confirmation of
an online purchase or updates to our bank account. Since
so many people around the world depend on e-mail, it has
also become one of the primary methods cyber criminals
use to attack others. In this newsletter we explain these
dangers and steps you can take to protect yourself.

PHISHING

Phishing is one of the most common e-mail based attacks.
It uses social engineering, a technique where cyber
attackers attempt to fool you into taking an action. Phishing
was a term originally used to describe an attack designed to
steal your online banking login details. However, the term
has evolved and now refers to almost any cyber attack sent
by e-mail. A phishing attack begins with an e-mail
pretending to be from someone or something you know or
trust, such as your bank or your favorite online store.
These e-mails then try to entice you into taking an action,
such as clicking on a link, opening an attachment, or
responding to a message. Cyber criminals craft these
convincing e-mails and then send them out to thousands, if
not millions, of people around the world. The criminals do
not have a specific target in mind, nor do they know exactly
who will fall victim. They simply know the more e-mails
they send out, the more people they may be able to fool.
Phishing attacks often have one of the following objectives:

• Harvesting Information: The cyber attacker’s goal is to
  fool you into clicking on a link and taking you to a
  website that asks for your login and password or perhaps
  your favorite color or mother’s maiden name. These
  websites may look legitimate with exactly the same look
  and feel of your online bank, but they are designed to
  steal information that could give them access to your
  online account.

• Controlling your computer through malicious links: Once
  again, the cyber attacker’s goal is for you to click on a
  link. However, instead of harvesting your information, the
  goal is to infect your computer. If you click on the link,
  you are directed to a website that silently launches an
  attack against your browser, and, if successful, these
  cyber criminals have full control over your computer.

• Controlling your computer through malicious attachments:
  These are phishing e-mails that have infected attachments,
  such as infected PDF files or Microsoft Office documents.
  If you open these attachments they attack your computer,
  and if successful, give the attacker complete control.

SCAMS

Scams are nothing new; these are attempts by criminals to
defraud you. Classic examples include notices that you’ve
won the lottery (even though you never entered it) or that a
dignitary needs to transfer millions of dollars into your
country and would like to pay you to help with the transfer.
They will then tell you that you have to pay a processing fee
before you can get your money. After you pay these fees
the criminals disappear, never to be heard from again.

PROTECTING YOURSELF

In most cases simply opening an e-mail is safe. For most
attacks to work you have to do something after reading the
e-mail (such as opening the attachment, clicking on the link,
or responding to the request for information). If after
reading an e-mail you think it is a phishing attack or scam,
simply delete the message. Here are some indications if an
e-mail is an attack.

• Be suspicious of any e-mail that requires immediate action
  or creates a sense of urgency. This is a common method
  used to trick people.

• Be suspicious of e-mails addressed to “Dear Customer” or
  some other generic salutation.

• Be suspicious of grammar or spelling mistakes; most
  businesses proofread their messages very carefully.

• If a link in an e-mail seems suspicious, hover your mouse
  over the link. This will show you the true destination
  where you would go if you actually clicked it. The link
  that is written in the e-mail may be very different from
  where it will actually send you.

• Do not click on links. Instead copy the URL from the
  email and paste it into your browser. Even better is to
  simply type the destination name into your browser. For
  example, if you get an email from UPS telling you your
  package is ready for delivery, do not click on the link.
  Instead, go to the UPS website and then copy and paste
  the tracking number.

• Be suspicious of attachments; only open attachments that
  you were expecting.

• Just because you got an e-mail from your friend does not
  mean they sent it. Your friend’s computer may have been
  infected or their account may have been compromised, and
  malware is sending the e-mail to all of your friend’s
  contacts. If you get a suspicious email from a trusted
  friend or colleague, call them to confirm that they sent
  it.

Ultimately, using e-mail safely is all about common sense. If
something seems suspicious or too good to be true, it is most
likely an attack. Simply delete the e-mail.
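
The "hover your mouse over the link" check above compares where a link says it goes with where it really goes. The following Python script is an added example, not code from the newsletter or from SANS, that performs the same comparison over a saved HTML message: it collects every link, and whenever the visible link text itself looks like a web address, compares that address's domain with the domain of the real destination, the way a browser would resolve it (so a destination written as "www.ups.com@other-site" is attributed to "other-site", not to UPS). It also flags the generic "Dear Customer" salutation from the list. The e-mail body it runs on is constructed, and the domain comparison uses a last-two-labels approximation instead of a public-suffix list, which is an assumption a production tool would replace.

```python
"""Flag e-mail links whose visible text points somewhere other than the real destination.

Added example implementing the newsletter's "hover over the link" check for a saved HTML
message. The message below is constructed; the domain logic is a deliberate simplification.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname(url):
    """Host a browser would actually connect to (any user@ prefix and port are dropped)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable(host):
    """Last-two-label approximation of the registered domain (assumption: no public-suffix list)."""
    return ".".join(host.split(".")[-2:])


# Visible text that itself reads as a web address, e.g. "www.ups.com" or "https://x.example/y"
_URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.IGNORECASE)
_GENERIC_SALUTATION = re.compile(r"\bDear\s+(?:Customer|User|Member|Valued\s+Customer)\b", re.I)


def suspicious_links(html):
    """Return links whose displayed domain differs from the domain they really lead to."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        shown = text.rstrip(".,;:!?")
        if not _URL_LIKE.match(shown):
            continue  # "Click here" shows no destination to compare against
        shown_domain = registrable(hostname(shown))
        actual_domain = registrable(hostname(href))
        if shown_domain != actual_domain:
            findings.append({"text": text, "href": href,
                             "shown": shown_domain, "actual": actual_domain})
    return findings


def has_generic_salutation(text):
    """True when the message opens with a generic greeting instead of your name."""
    return bool(_GENERIC_SALUTATION.search(text))


# Constructed sample message: two deceptive links, one honest link, one with no visible address.
SAMPLE_EMAIL = """
<p>Dear Customer,</p>
<p>Your package is waiting. Track it at
<a href="http://ups-tracking.example/login">www.ups.com</a>.</p>
<p>Or sign in here: <a href="http://www.ups.com@evil.example/login">www.ups.com/track</a></p>
<p>Status page: <a href="https://www.ups.com/track?id=1">https://www.ups.com</a></p>
<p><a href="http://ups-tracking.example/login">Click here</a> to confirm.</p>
"""

if __name__ == "__main__":
    print("generic salutation:", has_generic_salutation(SAMPLE_EMAIL))
    for finding in suspicious_links(SAMPLE_EMAIL):
        print(f"link text {finding['text']!r} claims {finding['shown']} "
              f"but goes to {finding['actual']} ({finding['href']})")
```

The "Click here" link is not reported because its text makes no claim about the destination; the newsletter's advice for that case is to type the site's address yourself rather than follow the link.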

RESOURCES


How Phishing Works: http://preview.tinyurl.com/853xj85

OnGuard Online – Avoiding Scams:
http://preview.tinyurl.com/6vfoljs

Anti-Phishing Working Group: http://www.apwg.org
Phishtank: http://www.phishtank.org

Security Terms & Definitions:



Editorial Board: Bill Wyman, Walt Scrivens, Phil Hoffman, Lance Spitzner, Carmen Ruyle Hardy

© The SANS Institute 2011    http://www.securingthehuman.org


#computers #e-mail #email #internet #security #phishing



OUCH! | November 2011–Browser Security & Privacy

OUCH! | November 2011


IN THIS ISSUE…

• Staying Current
• Plugins and Add-Ons
• Security Features
• Privacy

Browser Security and Privacy

GUEST EDITOR

Mike Poor is the guest editor for this issue. He is a senior
security analyst for the consulting firm InGuardians Inc.
(www.inguardians.com). Mike is also a senior instructor for
the SANS Institute and the track lead for one of SANS’ top
courses, SEC503: Intrusion Detection In-Depth.


OVERVIEW

Your Internet browser, such as Internet Explorer, Firefox,
Chrome, or Safari, is one of the primary tools you use to
interact with the Internet. Cyber attackers know this, which
makes your browser one of their primary targets. Also, your
browser may collect a great deal of personal information
about you that you may not be aware of. In this newsletter
we cover the steps you can take to protect both your
computer and your privacy.

KEEPING YOUR BROWSER CURRENT

The first step to protecting yourself is always using the
latest version of your browser. It does not matter which
browser you use; what is important is that you use the most
recent version of your browser. Cyber attackers are
constantly searching for, and finding, programming errors
and other flaws in browsers. These mistakes (often called
vulnerabilities) can be exploited, giving attackers access to,
and sometimes even complete control, over your system.
The companies that developed your browser (such as
Microsoft, Google, or Apple) release patches to fix these
vulnerabilities. By always having the latest version, you
ensure your browser has these known issues fixed. To
ensure your browser is updated, make sure the auto-update
feature is always enabled in your browser and
operating system. Some browsers, such as Chrome,
automatically update themselves every time you restart the
browser.

PLUGINS AND ADD-ONS

Plugins (sometimes called Add-Ons) are additional
programs you can install in your browser. The problem
with these additional programs is they can expose you and
your system to greater risk. Each program you add to your
browser has its own unique vulnerabilities or weaknesses.
Install only the plugins you absolutely need and be sure you
download them from well known, trusted sites. At times a
website may ask you to install a plugin. Be careful; these
can be attempts to fool you into installing infected software.
When possible, always download and install a plugin from
the original vendor’s site. For example, always download
or update your Flash player from the Adobe site
www.adobe.com. Once you have installed a plugin you
have to ensure that you keep it up to date, just like your
browser. This can be challenging as many plugins have
no automatic updating capability; you have to manually
check and update them yourself. If that is the case, we
recommend you check the status of your browser plugins at
least once a month. In the resources section are several
trusted websites that will help you do this.

SECURITY FEATURES

Each browser has its own unique security features. Be
sure to take a moment and review your browser’s security
preferences or options. A key feature that almost all
browsers support is warning you when you visit potentially
malicious websites. Your browser maintains an updated list
of thousands of known websites that are malicious or
attempt to harm people. If you attempt to visit any of these
known malicious websites, your browser will stop you and
present a warning banner. When you get a warning
banner do not proceed to the site. Keep in mind, though,
you still always have to be careful about the websites you
visit. Your browser cannot keep up with cyber criminals; it
will not know all sites that are malicious.

PRIVACY

You may not realize it, but your browser may store a great
deal of information about your online activities, including
cookies, cached pages, and history. Cookies are small
data files that websites send to your browser and can make
using the web easier, such as storing your preferences.
But cookies also allow companies to track your movements
across the web. Cached pages are stored copies of
websites you have recently visited. They are used to
improve your system’s performance but also might be
accessed by unauthorized users. Finally, many browsers
save the history of all the websites you have visited to take
you more quickly to the websites you visit the most.
To protect your privacy you can disable some or all these
features. In addition, some browsers support the ability to
manually erase any stored data, or automatically erase stored
data every time you close your browser. Finally most
browsers support a privacy mode where all data collection is
turned off, including caching, cookies, and history. This
ensures no information is collected about your browsing
activities; however, this can also limit your ability to interact
with some sites. Check your browser’s privacy settings to
change any of these features.

Finally, whenever possible make sure your browser
connections are encrypted. This helps ensure your online
activity cannot be monitored or captured. Encrypted
connections are often called HTTPS. For example, sites
such as Twitter, Facebook, and Google allow you to set your
personal settings to ensure you are always using HTTPS
(encryption) when communicating to these sites. In addition,
whenever banking or shopping online, make sure your
connections are encrypted. To confirm this, look for https:// in
the browser and a lock.

RESOURCES


Browser Plugin Check:
http://preview.tinyurl.com/3m9gjr5

Firefox Plugin Check:
http://preview.tinyurl.com/3ojhl69

Chrome Browser Security:
http://preview.tinyurl.com/36sgakv

Internet Explorer 9 Security:
http://preview.tinyurl.com/3ly6wyv

Safari Browser Security:
http://preview.tinyurl.com/aesqpl

Firefox Browser Security:
http://preview.tinyurl.com/6ee3kx6



Editorial Board: Bill Wyman, Walt Scrivens, Phil Hoffman, Lance Spitzner, Carmen Ruyle Hardy

© The SANS Institute 2011    http://www.securingthehuman.org


#computers #browsers #internet #security



OUCH! | October 2011 – Backup and Recovery

OUCH! | October 2011

IN THIS ISSUE…

• What To Back Up and When
• How To Perform a Backup
• Recovery
• Key Points

Backup and Recovery

GUEST EDITOR

Dr. Eric Cole is the guest editor for this issue of OUCH! Eric
focuses on consulting services that help organizations
deploy solutions that protect themselves. He also is an
author and teacher for the SANS Institute.


OVERVIEW

Backups are one of the most important steps you can take
to protect your information. They are your last line of
defense when something goes wrong, such as hard drive
failures, accidental file deletions, or malware infections. In
this issue, we focus on ways that you can back up your
data and develop a strategy that’s right for you.

WHAT TO BACK UP AND WHEN

There are two basic approaches when deciding what to
back up: (1) any data that you have created or that is
important to you, such as documents, pictures, or videos or
(2) everything, including your operating system and any
programs you have installed in addition to your unique data.
The first approach streamlines your backup process;
however, the second approach makes it easier to recover in
the event of a complete system failure. If you are not sure
what to back up, then back up everything.

Your next decision will be deciding how often to back up
your data. Common options include hourly, daily, weekly,
etc. For home users, personal backup programs, such as
Apple’s Time Machine or Microsoft’s Windows Backup and
Restore, will allow you to create an automatic “set it and
forget it” backup schedule. Other solutions offer continuous
protection, in which new or altered files are immediately
backed up as soon as they’re closed. If you’re part of an
organization with multiple computers, you may wish to
define your own schedule. A good approach is to consider
how much information you can afford to lose in a worst-case
scenario. For example, by backing up daily, you
might lose one day’s work if your computer crashes late in
the day. Many organizations schedule daily backups during
off-peak hours to minimize the impact on normal
operations.

HOW TO PERFORM A BACKUP

In general there are two destinations to which you can back
up your information: physical media or cloud-based
storage. Examples of physical media include DVDs, USB
drives, magnetic tape, or additional hard drives. Avoid
backing up to the same device that holds the original files.
When using physical media, be sure to label it both
internally (in the file name) and externally (on the medium)
so that you can easily identify a backup from a particular
date and time. You can store a local backup copy in a
lockable, fireproof and waterproof container designed for
your chosen media. A more robust option is to store
copies of your backups off site. For personal backups this
can be as simple as storing them at a family member’s
house or in a safe deposit box. Organizations may want to
hire a professional service to securely transport and store
backups. Depending on the sensitive nature of your
backups and where they are being stored, you may also
want to encrypt them.

Many of these issues are addressed for you with cloud
backups. Performing cloud backups is often as simple as
installing and configuring an application on your computer.
After you configure your backup options, new and altered
files are backed up automatically over the Internet to
servers in the provider’s data center.

Finally, you need to decide how far back in time your
backups need to go. Home users most likely do not need
to go back more than thirty days. Some organizations may
have policy or legal requirements for longer retention
periods and may also mandate the destruction of old
backups. If you are backing up organizational data, check
with your information technology, legal, or records
management group to be sure. Cloud backup services may
charge based on the amount of data that is backed up, so
take care not to run up a big bill.

RECOVERY

Backing up your data is only half the battle; you have to be
certain that you can easily recover it. Practice your recovery
process regularly, just as you would a fire drill, to help ensure
that everything will work properly should you need to use it.
Check at least once a month that your backup program is
working. If nothing else, try recovering a file. For more robust
testing, especially in organizations, consider making a full
system recovery, and verify that it is restorable. If you don’t
have spare hardware to use for testing a full system recovery,
restore key files and folders to a different location and then
verify that you have and can open everything.
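
The recovery drill described above (restore to a different location, then verify that you have and can open everything) can be scripted so that it runs the same way every month. The following Python script is an added example, not code from the newsletter or from any backup product: it writes a compressed tar archive of a folder, records a SHA-256 hash of every file at backup time, restores the archive into a separate directory, and reports any file that is missing, unexpected, or whose content no longer matches. The folder contents are constructed sample files, everything happens inside a temporary directory, and the restore step refuses archive entries that would land outside the restore directory.

```python
"""Backup-and-restore drill: archive a folder, restore it elsewhere, verify every file by hash.

Added example of the newsletter's "practice your recovery" advice. Sample files are constructed.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map each regular file under root (as a relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source_dir, archive_path):
    """Write a gzip-compressed tar of source_dir and return the hashes recorded at backup time."""
    with tarfile.open(str(archive_path), "w:gz") as tar:
        tar.add(str(source_dir), arcname=".")
    return snapshot(source_dir)


def restore_backup(archive_path, restore_dir):
    """Extract the archive into restore_dir, refusing entries that would escape it."""
    restore_dir = Path(restore_dir).resolve()
    restore_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(str(archive_path), "r:gz") as tar:
        for member in tar.getmembers():
            target = (restore_dir / member.name).resolve()
            if target != restore_dir and restore_dir not in target.parents:
                raise ValueError(f"archive entry escapes restore directory: {member.name}")
        tar.extractall(str(restore_dir))


def verify_restore(expected, restore_dir):
    """Compare the restored files against the hashes recorded at backup time."""
    actual = snapshot(restore_dir)
    return {
        "missing": sorted(set(expected) - set(actual)),
        "extra": sorted(set(actual) - set(expected)),
        "corrupted": sorted(name for name in expected.keys() & actual.keys()
                            if expected[name] != actual[name]),
    }


# Constructed sample data standing in for a user's documents.
SAMPLE_FILES = {
    "docs/notes.txt": "meeting notes\n",
    "photos/holiday.txt": "pretend this is a picture\n",
    "budget.csv": "item,cost\nrouter,80\n",
}


def backup_drill(files, tamper=None):
    """Run backup -> restore -> verify in a temporary directory and return the report.

    tamper names one restored file to overwrite before verification, simulating a bad restore.
    """
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        for rel, content in files.items():
            (source / rel).parent.mkdir(parents=True, exist_ok=True)
            (source / rel).write_text(content)
        archive = Path(tmp) / "backup.tar.gz"
        expected = create_backup(source, archive)
        restore = Path(tmp) / "restore"
        restore_backup(archive, restore)
        if tamper:
            (restore / tamper).write_text("garbage written after the restore\n")
        return verify_restore(expected, restore)


if __name__ == "__main__":
    print("clean drill:", backup_drill(SAMPLE_FILES))
    print("tampered drill:", backup_drill(SAMPLE_FILES, tamper="docs/notes.txt"))
```

A drill that passes returns three empty lists; the tampered run shows what a silently corrupted restore looks like. For a real backup you would keep the hash list alongside the archive so that the verification step can run against a copy restored months later.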

KEY POINTS

• Automate your backup process as much as possible, but
  verify that it runs correctly.

• When rebuilding an entire system or recovering key
  operating system files, be sure you reapply security
  patches and updates before putting it back into service.

• Outdated or obsolete backups may become a liability and
  should be destroyed in order to prevent them from being
  accessed by unauthorized users.

• If you are using a cloud solution, research the policies
  and reputation of the organization. For example, do they
  encrypt your data when it is stored? Who has access to
  your backups? Do they support strong authentication?

• For robust backup practices, consider the 3-2-1 rule:

  - Three: If something is worth keeping, keep the original
    plus two backup copies.

  - Two: Use different types of media for your two backup
    copies. If you must use the same medium for both, use
    different vendors to mitigate manufacturing defects.

  - One: Store one copy off-site, away from the original
    and the second copy.

RESOURCES


Apple Time Machine:
http://preview.tinyurl.com/3wkytqs

Windows 7 Backup and Restore:
http://preview.tinyurl.com/ylghqgp

Cloud Backup:
http://preview.tinyurl.com/3reftgv

LEARN MORE

Subscribe to the monthly OUCH! security awareness
newsletter, access the OUCH! archives, and learn more
about SANS security awareness solutions by visiting us at
http://www.securingthehuman.org

OUCH! is published by the SANS Securing The Human program and is distributed under the
Creative Commons BY-NC-ND 3.0 license. Permission is granted to distribute this newsletter
as long as you reference the source, the distribution is not modified and it is not used for
commercial purposes. For translating or more information, please contact ouch@securingthehuman.org.

Editorial Board: Bill Wyman, Walt Scrivens, Phil Hoffman, Lance Spitzner, Carmen Ruyle Hardy

© The SANS Institute 2011    http://www.securingthehuman.org


OUCH! | September 2011 – Social Networking Safety

OUCH! | September 2011


IN THIS ISSUE…

• Overview
• Privacy
• Security

Social Networking Safety

GUEST EDITOR

Lenny Zeltser is the guest editor for this issue of OUCH!
Lenny focuses on safeguarding customers’ IT operations at
Radiant Systems and teaches malware combat at the
SANS Institute. Lenny is active on Twitter as @lennyzeltser
and writes a security blog at blog.zeltser.com.

OVERVIEW

This month we'll look at social networking sites, such as
Facebook, Twitter, Google+ and LinkedIn. Sites such as
these are powerful tools, allowing you to meet, interact with,
and share with people around the world. However, with all
these capabilities come considerable risks, not just to you
but also to your employer, family, and friends. In this
newsletter we will discuss what these dangers are and how
to use these sites safely.

PRIVACY

A common concern about social networking sites is your
privacy: the risk that you or others share too much
information about you. The dangers of oversharing
include:

• Damaging Your Career: Embarrassing information
may harm your future. Many organizations search social
networking sites as part of a new employee background
check to see what has been posted about you. Any
embarrassing or incriminating posts, no matter how old they
are, may prevent you from getting that new job. In addition,
many universities conduct similar checks for new student
applications.

• Attacks Against You: Cyber criminals can harvest
your information and use it for attacks against you. For
example, they can harvest your personal information to
guess the answers to "secret questions" that websites
use to reset your passwords or perhaps apply for a credit
card using your personal information.

• Attacks Against Your Employer: Criminals may
gather information that you share on social networking sites
when compiling competitive data or preparing for a cyber
attack on your employer. Moreover, your actions online
may inadvertently reflect badly on your employer. Be sure
to consult your employer's social networking policy for
guidelines on how you are expected to safeguard your
organization's data and reputation.

The most effective way to protect yourself against these
dangers is to be cautious about what information you post
about yourself. Consider whether the data you are sharing
now could be used against you some time later. Also,
tighten the privacy settings of your social networking profile
to limit who can see the personal information you might
share on the site. Keep in mind that your data may be
inadvertently leaked by the website or your friends, so it is
best to assume that any information you post will at some
point become public knowledge. Also, be aware of what
others post about you. If you have friends posting
information, pictures, or other data you do not want made
public, ask them to remove it.

SECURITY

In addition to being the source of damaging information
leaks, social networking sites can be used as a platform for
attacking your system or conducting scams. Here are
some steps to protect yourself.

• Login: Protect your social networking account with
a strong password (see the OUCH! May 2011 issue). Do not
share this password with anyone or use it for other sites. In
addition, some social networking sites, such as Facebook
or Google+, support features for stronger authentication,
such as using one-time passwords when logging in from
public computers or using your phone as part of the login
process. Enable these features where possible.

• Encryption: Many sites, such as Facebook,
Google+, and Twitter, allow you to force all communications
with the website to be encrypted (called HTTPS).
Whenever possible, enable this option.

• E-mail: Be cautious when clicking on links in e-mail
messages that claim to originate from a social networking
site. Instead, access the site using a saved bookmark and
check any messages or notifications using the website
directly.

• Links: Be careful of clicking on links posted on
people's walls or public pages. Viruses and worms spread
easily on such sites. If a link seems odd, suspicious, or too
good to be true, do not click on it, even if the link is on your
most trusted friend's page. Your friend's account may have
been hijacked or infected and now be spreading malware.

• Scams: Criminals take advantage of the open nature
of social networking sites to defraud individuals. Such scams
sometimes use the pretext of an offer for a job or money that
is too good to be true. Another common scam uses hijacked
accounts to contact the victim's friends with requests for help,
claiming that the person got robbed in a foreign country and
needs money. Be cautious when approached by a friend or a
stranger on a social networking site with a request for money
or with an offer that's surprisingly good.

• Apps: Some social networking sites give you the
ability to add or install third-party applications, such as
games. Keep in mind there is little or no quality control or
review of these applications, and they may have full access to
your account and the data you share. Malicious apps can
use this access to interact with your friends on your behalf
and to steal and misuse personal data. Be careful, and only
install apps that come from trusted, well-known sites. Once
they are installed, make sure you keep them updated. If you
are no longer using an app, remove it.

Social networking sites are a powerful and fun tool; they
allow you to communicate with the world. If you follow the
tips outlined here, you should be able to enjoy a much safer
online experience.
 
RESOURCES

Some of the links shown below have been shortened for
greater readability using the TinyURL service. To mitigate
security issues, OUCH! always uses TinyURL’s preview
feature, which shows you the ultimate destination of the link
and asks your permission before proceeding to it.

OnGuard Online: http://preview.tinyurl.com/5yjgjt
Microsoft: http://preview.tinyurl.com/3q4qzzr
US CERT: http://preview.tinyurl.com/df9f2d
Facebook: http://www.facebook.com/safety
Twitter: http://preview.tinyurl.com/3mb92rp
