Security Starts with You

The first, and most important, line of
defense against viruses, worms, spyware, and other security attacks is
you, the user. While some viruses and worms can take advantage of
security holes in your PC without any action on your part, the vast majority
of malware (think programs you’d rather not have on your PC)
relies on some action by the user to activate. You need to open an
attachment, download a program from the internet, click a link to a compromised
web site, or respond to a message in order for the intruder to get into
your PC.

Knowing this, virus writers and hackers
employ all kinds of techniques to entice people to perform an action that
will activate their program. They spoof the “from:”
address, using personal contact names they found on another computer,
so the recipient of the virus-infected email thinks it was sent by someone
they know. Another favorite trick is to claim to be from some official
sounding body. Some viruses have claimed to be patches from Microsoft.
Some have claimed to be virus removal tools from anti-virus vendors. This
past year, staff and students at SU received emails claiming to be from
the Syr.edu team. No such team exists at SU. The virus took
public information about SU’s web site (the domain name is syr.edu)
and used this to try to fool people into responding to the email.

Another trick is to claim to be offering
something for free. We all love free stuff; virus and spyware writers
know this. So, they offer you a game, a digital pet, a tool that
will “dramatically improve the performance of your PC,” free
music or image files, or a little bit of humor in your day. When
you accept their offer, it may come with a backdoor into your PC or programs
that track your usage of the web (which can then be used for marketing
purposes or sold to other companies). This doesn’t imply
that all free software is bad or has these problems. A lot of useful
and entertaining freeware is available that doesn’t result in backdoors,
viruses, or spyware. But some does, so you need to exercise
caution when downloading programs from the web.

SU has put technical solutions in place
that help slow down attacks. All email is scanned for viruses before
it is delivered, and the Library runs anti-virus software on every PC
attached to the network. This anti-virus protection is constantly
updated to allow it to detect newly discovered viruses and worms, but
some viruses do still get through to users’ inboxes. Why?
Because new viruses and worms are reaching SU before the anti-virus writers
have time to develop the antidotes. This brings us back to you,
the user, and the measures you can take to protect your PC.

Here is a list of the things you can do
to improve the security of your PC:
- Don’t open suspicious attachments, even if
they appear to be from someone you know and trust.
- Tell your friends and family to include descriptive
information in emails about any attachments they do send. This
information should be detailed and personal enough that you can be confident
only they could have generated it.
  - Example: I’ve attached a picture (Emily1.gif)
  that shows Emily playing at the beach with daddy. Hard to believe
  she’s two years old already.
- Only download programs from trusted sources on the
web.
- Don’t click on the banner ads, surveys, and
other enticing pop up windows that appear on your screen as you surf
the web. These clicks may lead to cookies or spyware being loaded
on your PC. In the worst-case scenario, they may result
in a compromise of your PC. Just close the windows instead by
clicking on the box with the X in the top right-hand corner.
- If you receive an email asking you to unsubscribe
from a list or e-newsletter that you never signed up for, don’t
respond. The sender is probably trying to determine if your email
address is valid.
- Don’t lower the security of your web browser.
You want to be prompted before anything other than a cookie is placed
on your PC, so don’t turn off prompts for ActiveX controls, digital
certificates, or program downloads. If a web site asks if
it is ok to turn off a security feature of your browser to make visiting
the site “easier,” say No.
- Use hard to guess passwords that are at least 8
characters long. Don’t use names or birthdays of family,
friends, or pets. Don’t only use words out of the dictionary.
The passwords should include letters, at least 1 number, both upper
and lowercase letters, and a special character (*!@$%&). Hackers
have access to programs that can “crack” passwords by trying
combinations of letters until they make a match. Shorter passwords
are easier to crack – so the longer your password the better.
- Don’t post passwords in areas that can be
viewed by others or under the keyboard (this is such a common place
to post passwords that a lot of people know to look there).
- Always make sure you are sending sensitive information,
such as credit card numbers or bank accounts, in an encrypted form on
the web. The web page address in the white URL box at the top of your
browser should start with https:// (note the important
S for secure at the end of the word http). If you are using Internet
Explorer, the lock in the bottom right of the window should also be
closed. For other browsers, check the online help to see how the
browser indicates that you are in secure mode and make sure this mode
is active.
- Never give out passwords, social security numbers,
credit card numbers, or other sensitive information via email.
Email is sent as “clear text”, which means that an eavesdropper
could read its contents if they were able to intercept the information
as it traveled across the network. Knowing this, organizations
do not send out or solicit this type of information via email.
If someone does, be suspicious. If you do know them, call them
instead.
- Do NOT respond to emails that claim you need to
verify online passwords to keep them from expiring or that claim your
account has been compromised and you need to click on the enclosed web
link to check your account’s status. A new form of electronic
scam, called “phishing,” tries to trick people into giving
away financial or other confidential information by using emails that
claim to be from legitimate groups. If you are concerned about
the status of an account or password, contact the institution directly
using separate channels -- do NOT use any information provided
in the email. Some “phishing” attempts have gone to
great lengths to look legitimate, even creating web sites that look
exactly like the real institution’s web site.
- When you enter a password on the web to log in to
a site, the password should appear on the monitor as all asterisks,
dots or some other “obscuring” character. Someone
looking over your shoulder should not be able to read your password
as you enter it. If the password isn’t obscured as you type
it, stop and don’t continue entering the password. The login
window may not be legitimate.
- The old adage that “If it sounds too good
to be true, it probably is” holds as true online as in the rest
of your life. You’re probably not going to win a lot of
money or stuff by entering contests on the web. And if someone
has a miracle cure or solution that no one else knows about, ask yourself
why. In responding to such enticements, you open yourself
up to someone or some group that you know nothing about.

The list above
may seem long, but once you develop these habits, they are easy to follow.
Being as safe as possible while you are online protects you, your PC,
the library, and the University.