Account and Computer Security
The purpose of this guide is to provide some very basic, end user focused advice which may help individuals in both their work and home life stay more secure. It provides a general guide on personal computer security for both on-campus and home users.
Note: This Practical Guide to Computer Security has been modified for JCU with the permission of AusCERT, of which JCU is a member.
AusCERT
AusCERT is the Australian Computer Emergency Response Team - Australia's National CERT. AusCERT is hosted at the University of Queensland and works broadly in the space of information and computer security. AusCERT is a not-for-profit group and relies upon membership and similar source for its revenue.
Choosing Safe Passwords
DO
- Choose passwords at least 8 characters in length
- Use upper/lower case characters as well as numbers
- Keep them in a safe place, if you must write them down
- Get in the habit of changing your password regularly, i.e. every 3 to 6 months
DON’T
- Use dictionary words
- Stick them to your monitor with a post-it note
- Use easily guessable words (e.g. phone number)
- Ever tell anyone your password
- Re-use the same password for important systems
Poor passwords are one of the classic areas of weakness. People are generally lax with passwords and often don't get the message that they are the keys to various online items such as corporate PCs, email, or online banking.
Choosing a good password can sound daunting; however, once practised a few times, it becomes a fairly straightforward process. Choosing a good password is critical. Common mistakes are to choose passwords that include your pet's name, the name of a family member or a special date such as a kid's birthday or wedding anniversary. You may be surprised at how many people actually do this!
Modern attack tools can make more than 100,000 guesses per second - if a password is in a dictionary (any dictionary), it is likely to be compromised quickly by any attacker trying to break it.
A passphrase is just like a long password. We use the word passphrase to get a message across; you should be using a phrase rather than a short word as your access credential to systems.
It is important to confirm with your IT staff or service provider the MAXIMUM number of characters their systems allow. The reason for this is that if the systems only allow an 8 character maximum, and you think your passphrase is "everyone loves chocolate cake for their birthday" your password will actually just be "everyone" and that's a dictionary word!
Note: If there is no limit on a password length, use a pass-phrase. e.g. "Europe is beautiful this time of year." However, if you have to pick a smaller password, just use the first letter of each word and swap some characters: "E1bTtof7"
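As an added illustration (not part of the AusCERT/JCU guide), the following Python applies the DO/DON'T rules above to a candidate password and shows the truncation trap: the rules are checked against what a system with a maximum length actually keeps. The wordlist and the character swaps used by abbreviate() are constructed for this example, not taken from the guide.

```python
import string
from typing import Optional

# Constructed toy wordlist for the demonstration; attackers use complete
# dictionaries in every language, so a real check needs a real wordlist.
WORDLIST = {"everyone", "loves", "chocolate", "cake", "europe", "password"}

# Example character swaps (an assumption for this example, not a rule from
# the guide) used to turn the first letters of a phrase into a short password.
SWAPS = {"i": "1", "o": "0", "s": "5", "a": "@"}


def stored_form(candidate: str, max_length: Optional[int]) -> str:
    """What a system that silently truncates at max_length actually keeps."""
    return candidate if max_length is None else candidate[:max_length]


def check_password(candidate: str, max_length: Optional[int] = None) -> list:
    """Return the guide's DO/DON'T rules the candidate breaks (empty = OK).

    Rules are applied to the truncated form, because that is all an attacker
    has to guess once the system has thrown the rest away.
    """
    kept = stored_form(candidate, max_length)
    problems = []
    if len(kept) < 8:
        problems.append("fewer than 8 characters")
    if not (any(c.islower() for c in kept) and any(c.isupper() for c in kept)):
        problems.append("no mix of upper and lower case")
    if not any(c.isdigit() for c in kept):
        problems.append("no digits")
    if kept.isdigit():
        problems.append("looks like a number (e.g. phone number)")
    if kept.lower().strip(string.punctuation + " ") in WORDLIST:
        problems.append("is a dictionary word")
    if kept != candidate:
        problems.append(f"truncated to {len(kept)} characters: {kept!r}")
    return problems


def abbreviate(phrase: str, swaps: dict = SWAPS) -> str:
    """Build a short password from the first letter of each word, swapping
    some letters for digits/symbols as the guide's note suggests."""
    initials = [w[0] for w in phrase.split() if w[0].isalpha()]
    return "".join(swaps.get(c.lower(), c) for c in initials)
```

With an 8 character maximum the chocolate-cake passphrase is stored as just "everyone", which the checker flags as a dictionary word, while the guide's "E1bTtof7" passes every rule.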
AusCERT - Choosing good passwords: http://www.auscert.org.au/2260
Safe Computer Practices
DO
- Apply software updates to your operating system and all other programs you have installed (preferably letting the computer manage this automatically). If the computer you are using is owned by JCU, this service is provided for you.
- ITR provide a Patch Management service to all of JCU’s managed desktop fleet.
- Run as a non-privileged user (i.e. not with 'Administrator' access) when surfing the web, reading email or doing computer-based activities that do not require an Internet connection.
Most modern operating systems, including Windows, provide an 'Automatic update' option. This should always be turned on (unless you are in a corporate environment where there is an alternate enterprise update tool). When prompted whether to allow updates, always click YES - don't put it off. A couple of days without patching could make all the difference when it comes to being protected from malicious code. If you have programs on your system that do not have automatic updates, make sure you regularly (once a week to once a month) check the program's website to see if there is a new version or new patches available.
Wherever possible, users should run without administrator access. The administrator access account should only be used rarely, for installing software and should not be used for general use such as surfing the web or reading email. The reason for this is as follows. If a bit of malware (let’s say a trojan horse) tries to infect a computer, it needs to install itself into various places in order to work. Generally, these places are not accessible from a non-administrator account; therefore the trojan cannot get properly installed onto the computer. This is a really good protection, as the doctor says "An ounce of prevention is worth a pound of cure!"
Use your administrator account only for installing new software from trusted sources and configuring your security settings on your computer/network.
Security Software
Essential
- A personal firewall
- Anti-virus software. See Computer Virus Guide
Desirable
- Anti-spam filter. See Email Spam and Attachments Guide
- Anti-spyware
Note: JCU has an enterprise-wide Sophos Agreement and staff should be subscribed by their IT Support Officer. This covers work and home use. Students and home users should see: http://www-public.jcu.edu.au/libcomp/computing/mobile/virus/ for more information
Despite all the good practices, there is always the potential for something bad to happen. Therefore, security software is essential.
Windows has a personal firewall built in which Windows 7 users can make use of. There are links to several free and trial versions of anti-virus and personal firewall software from www.microsoft.com/security
As much modern malicious code is delivered via email, anti-spam does a lot more than just keep junk mail out of your inbox; it may well stop viruses or other malware being delivered to you.
Anti-spyware tools are similar to anti-virus tools - they run on your PC and attempt to block or remove programs that would capture your personal information (e.g. browsing habits) and provide it to third parties. Certain types of spyware (such as that which is installed along with shareware) are not considered malicious by anti-virus software and may not be detected by it.
Of course, as with all software, these tools are only as good as their most recent update. Ensure that your anti-virus, anti-spam and anti-spyware products have automatic updates enabled and periodically check that their 'definitions' or 'signatures' are up to date. These definitions or signatures should generally be no older than one week for reliable protection.
E-mail Security
DO
- Turn off the preview pane and view emails in plain text
- Be careful about clicking on links in emails and instant messages
DON’T
- Open attachments if you don’t know the sender
- Open messages that seem out of character for a sender that you do know
- Reply to unsolicited emails or calls asking you to provide account and password details
Email is a really great part of the Internet. However, it is increasingly being used as a means to deliver unwanted nasties - malicious code - to personal computers. Therefore, it is really important that when using email you are careful and think about what you are doing.
Remember, your bank will not generally ask you to click a link in an email, not even for 'security updates' or 'fraud protection.' Also, if you see an offer in an email message that appears too good to be true - it almost certainly is. If you didn't apply for a lottery, you are unlikely to win it. Very few people are really willing to give you a job to do nothing for thousands of dollars a week. Think twice before acting on information you see in an email - and remember emails can be easily forged.
Clicking on links or running programs or files delivered in email is probably still the quickest way to become infected with malicious code such as viruses, trojans or spyware. Unless you are expecting an attachment - do not open it. Generally avoid clicking links in email - the link you see may not actually go to the place you expect.
Note: JCU does not send emails requesting you to confirm, update or disclose your confidential log in details. If you receive what you consider to be a hoax email, DO NOT RESPOND and please delete it immediately.
AusCERT has published a number of security bulletins related to phishing. "Phishing is an attempt to criminally and fraudulently acquire sensitive information, such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication." (see Phishing, courtesy of Wikipedia).
Online Transactions
DO
- Type in the address of the website you want to transact with; never follow a link in an email.
- Make sure you use a strong password (as described above) for online services you care about (such as banking).
- Check the status of your online transactional accounts regularly and contact your transaction service provider immediately in the event of any problems.
DON’T
- Purchase items from websites you are unsure of. Check the credentials of the business first and confirm that you are indeed looking at their website.
- Use 'shared' PCs you don't control for online transactional services.
Online transactional systems (such as banking, shares and superannuation) are of significant concern to most people.
One significant area of potential threat to online transactional systems is the use of shared computers such as those found in hotel lobbies, cyber cafes and airport lounges. If someone has placed a keystroke logging trojan on these devices, your username and password for your transactional system could be compromised.
Also, do not transact online unless you have the golden SSL padlock displayed. Do not use a site for transactions if you receive any warning or error message regarding the 'certificate' for the site. Such warnings can sometimes indicate the presence of a malicious third party impersonating your transactional service provider’s site (e.g. pretending to be your bank's site).
Use a different password for sensitive sites such as online banking and other sites you care about.
Physical Security
- If using removable devices, such as USB memory sticks, ensure that they are not set to autorun and that your anti-virus software is set to scan the device on insertion or access.
- Always lock or log out of your workstation when you are physically away from it. Locking can be set to occur after a period of inactivity.
- Visually inspect devices connected to your workstation. Devices could have been installed that have the ability to compromise your security. Pay particular attention to your mouse, keyboard and network connections.
Online Security at Home
Good Practice:
- Make sure you know what sites your children are visiting online.
- Ensure that your children get your approval before downloading programs.
- Educate your kids not to provide ANY personal information to people they meet online - not even their name.
- Monitor your kids’ interactions with people online - the people they are talking to may not be who they appear to be.
- Consider installing parental lock software, or better still consider placing the computer in a shared space (such as the living room).
It is natural, and reasonable, to be concerned about the well-being of children using the internet. In addition to ensuring they follow the good advice covered here - especially about the dangers of running programs you do not know - kids need to be aware of the dangers. Be alert.
The Queensland police, amongst others, have made available useful information regarding the risks posed to children over the internet. Kids are often a bit naive when it comes to computer use - and something that would trigger the 'stranger danger' test in the street may not do so with kids online.
Make sure your kids know never to provide personal information (and especially not photos) to anyone they know online, unless you (the parent) have met and confirmed the identity of the person face to face.
Broadband Users
By purchasing a dedicated device that handles the internet connection, your host computer is no longer directly connected to the Internet, but is now given a "private" address (common private address ranges start with 192.168 or 10.0). The modem router device handles the process of converting public to private IP addresses (and vice-versa), which is also known as "Network Address Translation" (NAT).
Security on Social Networking Sites
The popularity of social networking sites continues to increase, especially among teenagers and young adults. The nature of these sites introduces security risks, so you should take certain precautions.
Check the Cyber Security Tip ST06-003 - Staying Safe on Social Network Sites as released by US-Cert for general advice on best practice when using Social Networking Sites.
See the Sophos recommended privacy settings for Facebook for guidelines on how to increase the security of your personal information.
Wireless Security
Wireless poses a number of risks. The most concerning of these relate to others using your access without permission and include: the theft of your internet bandwidth (you probably pay for access), contamination of your computer by someone using your wireless without your authorisation, and theft of private information.
Perhaps the scariest potential risk with unauthorised access to your wireless network is what someone could do with that access. They could be involved with child exploitation, illegal software or computer hacking. When the authorities track this activity back, it will come back to YOU (your wireless access point) - this could make for an interesting discussion or two with various authorities.
On your computer make sure you always turn your wireless adaptor off when not in use. On your access point enable encryption, WEP is weak (but better than nothing) and WPA2 is stronger. Allow only a set of MAC addresses to connect to the router and don't broadcast your SSID.
See JCU Wireless for more information on support, coverage and Eduroam.
Additional Information
For Additional Information on Security, look at:
Protecting your computer from malicious code www.auscert.org.au/3352
http://www.staysmartonline.gov.au
http://www.banksafeonline.org.uk
http://www.police.qld.gov.au/programs/cscp/eCrime/children.htm
http://www.microsoft.com/security
AusCERT have an Annual Conference and host Computer Security Days.