Security Awareness Month 2013

Thank you to everyone who participated in the 2013 National Cyber Security Awareness Month (NCSAM) campaign!

The information below has been left available for your reference.


Week 1: Phishing & Email Hoaxes

Security Awareness Month Week 1

A phishing attack is an email designed to trick you into providing your sensitive information by posing as a trustworthy entity.

It’s not uncommon these days to hear that company ‘X’ had a security breach which resulted in either their intellectual property or your personal information being stolen from their computer systems.

At UIC, we often see phishing emails posing as university email administrators and asking users to email back their passwords or enter them into a web page form. These are not from ACCC!

What can happen when you give your password to an attacker?

The most common activity we see as a result of a phishing attack is that the hacker accesses your account and uses it to send spam or additional phishing emails. A hacker can also use a compromised account to leverage personal information and gain access to your other accounts if your uic.edu email account is established as a password recovery email address for other accounts (banks, credit cards, …).

At UIC, your common password protects more than just your email or Internet access. It also safeguards your calendar, lab access, printing quota, wireless access, Blackboard (your grades and school work), cloud drive (Google drive, box, webdisk), my.uic.edu portal, banner (grade reporting, financial aid, FERPA data), Nessie (compensation, benefits and direct deposit), Webstore, and many other resources.

ACCC monitors our mail systems for signs of abuse. In the 2012-2013 academic year, our system monitors detected 244 accounts that showed signs of compromise as a result of a phishing attack. When ACCC detects an account that has likely been compromised, access to the account is automatically suspended. Once that happens, the password must be changed. Make sure that you have a strong password recovery challenge/response question set up ahead of time to avoid an in-person password change.

Remember, no credible institution will ever ask you for your password. In addition, email is not a secure means of communication so passwords and other confidential information should never be shared over email.

Email hoaxes are messages that "warn" people of a non-existent threat and/or attempt to defraud people out of money or other valuable property.  An email hoax may be something as simple as an email claiming that a popular celebrity has died and asking you to open a supposedly related file, to something as complicated as a pyramid scheme promising payment for participating.

What do you do if you are a victim of phishing or email hoaxes?

When you receive an email that you suspect is a phishing or email hoax, the best action is to delete it. If you are unsure about the authenticity of an email and have concerns about its legitimacy, you may send a copy of the email with the full message headers visible to security@uic.edu. Here's how to view full message headers.
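The full message headers are what the security office reads first, because they show the path the message actually took and whether the visible From address agrees with the envelope sender and the Reply-To. The following is an added example, not code from the UIC page or from ACCC: it parses a raw message with Python's standard-library `email` package and reports those facts. The sample message and every domain, address and IP in it are constructed placeholders.

```python
"""Inspect the full headers of a suspicious message before forwarding it.

Added example (not part of the original UIC page): it parses a raw message
with the standard-library ``email`` package and pulls out the fields a
security office looks at first: the Received chain (the earliest hop is the
last Received line) and whether From, Return-Path and Reply-To agree.
The sample message below is constructed; its domains are placeholders.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample: a "mailbox quota" lure whose envelope sender and
# Reply-To point somewhere other than the domain shown in From.
SAMPLE_RAW = b"""\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [203.0.113.7])
\tby mx.uic.example (Postfix) with ESMTP id ABC123
\tfor <student@uic.example>; Tue, 01 Oct 2013 09:12:44 -0500
Received: from [192.0.2.55] (unknown [192.0.2.55])
\tby mailer.example.net with ESMTPA; Tue, 01 Oct 2013 09:12:40 -0500
From: "UIC Email Administrator" <helpdesk@uic.example>
Reply-To: verify-account@example.org
To: student@uic.example
Subject: Your mailbox quota is exceeded
Message-ID: <20131001141240.1@mailer.example.net>
Content-Type: text/plain; charset="us-ascii"

Reply with your NetID and password to keep your account active.
"""


def domain_of(addr_header):
    """Return the lower-cased domain part of an address header, or '' if none."""
    _, addr = parseaddr(addr_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def inspect_headers(raw_bytes):
    """Parse a raw RFC 5322 message and summarise the header facts worth
    forwarding to a security office. A message that merely lacks some
    headers still produces a report rather than an exception."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    # get_all returns the Received lines in file order (newest hop first);
    # whitespace from header folding is collapsed for readability.
    received = [" ".join(r.split()) for r in (msg.get_all("Received") or [])]
    from_domain = domain_of(msg.get("From"))
    return_path_domain = domain_of(msg.get("Return-Path"))
    reply_to_domain = domain_of(msg.get("Reply-To"))
    findings = []
    if return_path_domain and return_path_domain != from_domain:
        findings.append("Return-Path domain differs from From domain")
    if reply_to_domain and reply_to_domain != from_domain:
        findings.append("Reply-To domain differs from From domain")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if "password" in text.lower():
        findings.append("body asks for a password")
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "reply_to_domain": reply_to_domain,
        "hops": len(received),
        "first_hop": received[-1] if received else "",
        "findings": findings,
    }


if __name__ == "__main__":
    report = inspect_headers(SAMPLE_RAW)
    for key, value in report.items():
        print(f"{key}: {value}")
```

None of the three findings proves a message is a phish on its own (mailing-list software legitimately sets a different Return-Path), but a mismatch on every field plus a request for a password is exactly the combination worth forwarding with headers intact.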

If you have replied to a phish, immediately change your password for any account protected with that password and notify the ACCC Security Office at security@uic.edu that you were a victim of a phishing attack. If you provided high risk data in your response, be sure to mention that in your email to the security office. If you were defrauded or somehow threatened, you should immediately seek the assistance of the authorities. The UIC Police Department can assist with investigating electronic criminal acts. You may contact the UIC Police Department for non-emergency assistance at 312-996-2830.

Additional resources and examples of phishing or email hoaxes

From time to time, the UIC community is hit with a wave of phishing or email hoaxes. In response, ACCC Security has posted alerts to our @ACCCSecurity Twitter feed. Examples of phishing emails may be viewed in our Twitter media grid. Consider following @ACCCSecurity on Twitter for up-to-date security education, awareness, and news. Finally, if you receive an email that sounds too good to be true, it usually is. Snopes.com is a great online reference for email hoaxes.

Week 2: Patching & Software Updates

Security Awareness Month Week 2

Having unpatched and outdated software on your system increases the likelihood that your device will be compromised. Keeping your operating system and other software patched and updated is an ongoing security task that often goes overlooked, yet it is one of the primary defenses against viruses, malware, and being hacked.

Computing systems and devices should follow a regular maintenance schedule to allow for either automatic or manual updates and unused or outdated software should be considered for removal.  One of the most common ways for your device to be infected is via out-of-date web browsers and other software installed on your system.  When left unpatched, this software exposes your system to vulnerabilities that attackers take advantage of by using drive-by downloads. This means that if all of your software is not up-to-date, you can be compromised simply by visiting a legitimate web site.  So, the next time that Java or Adobe Reader asks you to update itself, be sure to say OK!

The ACCC Security Office monitors network activity on campus and automatically filters compromised devices from the network. This is done as a service to minimize exposure and limit the risk of an outbreak to the campus community. During the 2012-2013 academic year, 894 infected and compromised devices were filtered, many of which could likely have been avoided with regular software updates and patches.

Enable automatic updates

Personal Software Inspector

  • Secunia PSI is a free tool for Windows OS or Android devices that will inspect your installed software and identify unpatched or out-of-date software.
  • Sparkle is a good tool for iOS to alert and remind you of software updates for third-party applications.

Related

Antivirus - detect viruses, repair files, and help prevent virus infection.

Week 3: Password Safety

Security Awareness Month Week 3

Your account and your data are only as secure as your password is! Some key things to know:

  • Passwords should never be shared.
  • Each account you own should have a unique password.
  • Longer passwords are stronger, and passwords that include symbols are even better.
  • Passwords should never be written down or recorded in any place accessible to others.

At UIC, your common password protects more than just your email or Internet access. It also safeguards your calendar, lab access, printing quota, wireless access, Blackboard (your grades and school work), cloud drive (Google drive, box, webdisk), my.uic.edu portal, banner (grade reporting, financial aid, FERPA data), Nessie (compensation, benefits and direct deposit), webstore, and many other resources. Additionally, if your uic.edu email account is established as a password recovery email address for other accounts (banks, credit cards, …) those accounts may be at risk as well.

Tips for choosing a strong password

When choosing a password you should use the maximum security the service allows. That means that if the password can be 6-17 characters with mixed case alphanumeric and symbols, you should create a 17 character password using lower and uppercase letters, symbols and numbers. The difference between cracking a 6 character password (7.43 seconds) and cracking a 17 character password (13.44 trillion centuries) is many lifetimes and is worth the extra effort.

When possible, passwords should be randomly generated. Password manager software is a great secure way to create, recall and store your passwords. The University of Illinois recommends using a password manager such as KeePass (Windows), KeePassX (Mac and Linux), or LastPass (multi-platform).

If you need a long, but easier to remember password, consider a passphrase. A passphrase can be easily created by combining a few random words. A great comic about password strength can be found on the website xkcd.
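The figures above come from a calculator whose guessing rate the page does not state; the relationship behind them is simply that the search space grows as (alphabet size) to the power (length). The following is an added example, not from the UIC page, that works the arithmetic through for several lengths and character sets and then builds a random passphrase from a word list with the `secrets` module, as the xkcd comic suggests. The guess rate and the eight-word list are constructed assumptions for the demo.

```python
"""Password and passphrase strength, worked through.

Added example (not from the original UIC page). It shows (1) how the search
space of a password grows with length and character-set size, and the time
needed to exhaust it at an assumed guessing rate, and (2) how to build a
random passphrase from a word list with the CSPRNG in ``secrets``. The guess
rate and the tiny word list are constructed assumptions.
"""
import math
import secrets

CHARSET_SIZES = {
    "digits": 10,
    "lower": 26,
    "lower+upper": 52,
    "lower+upper+digits": 62,
    "lower+upper+digits+symbols": 95,  # all printable ASCII
}


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Entropy in bits of a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case time to try every password at a given guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def make_passphrase(words, count, rng=secrets):
    """Pick `count` words uniformly at random (with replacement) from `words`
    using a CSPRNG. Entropy is count * log2(len(words)) bits, so the word
    list size matters far more than word length."""
    return " ".join(rng.choice(words) for _ in range(count))


# Constructed word list for the demo; a real list has thousands of entries
# (the EFF long list has 7776 words, about 12.9 bits per word).
DEMO_WORDS = ["correct", "horse", "battery", "staple", "river", "lantern",
              "pebble", "orbit"]

if __name__ == "__main__":
    rate = 1e10  # assumed: 10 billion guesses/s offline against a fast hash
    for name, size in CHARSET_SIZES.items():
        for length in (6, 8, 12, 17):
            secs = seconds_to_exhaust(size, length, rate)
            print(f"{name:28s} {length:2d} chars: "
                  f"{entropy_bits(size, length):6.1f} bits, {secs:.3g} s")
    print("sample passphrase:", make_passphrase(DEMO_WORDS, 4))
```

Two things the table makes visible: each extra character multiplies the attacker's work by the alphabet size, so length beats symbol variety once the alphabet is already mixed; and a passphrase drawn from a 7776-word list with four words (about 51.7 bits) sits between an 8- and a 9-character fully mixed password while being far easier to remember.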

Password strength tester

Changing your password

If you know your common password and would like to change it, you may do so by logging into the ACCC Password Changing Utility at password.accc.uic.edu. Please note that using this utility to change your common password will affect all ACCC accounts including: GoogleApps@UIC, Blackboard, Mailserv, Tigger, Argo, UICalendar, and the ACCC public computer labs.

Password recovery options

Like many other service providers, ACCC offers challenge/response and emergency email password recovery services at password.accc.uic.edu.

When opting into password recovery services, be careful not to use a shared email address, or challenge/response information that can be easily guessed, looked up, or socially engineered. This means that someone should not be able to coax the answer to your challenge/response from you within a short conversation. “What is my favorite football team” is a poor example of a challenge/response. Likely, you frequently talk about your team, or perhaps proudly wear your team’s clothing. Even if you don’t talk about your favorite team, with a finite number of football teams (32), this challenge is not difficult for someone to guess using process of elimination.

If information related to your challenge/response can be easily accessed by someone visiting your social media profile, searching your information on the Internet, or within a short conversation, it is weak and should not be used.

The security team at ACCC periodically audits user challenge/response pairs. While answers are encrypted and cannot be viewed by our team, we are able to determine how often the same challenge question and encrypted answer is used. Additionally, weak challenge/response pairs are also identified. In order to maintain security, these challenge/response pairs may be deleted and the affected users will receive an alert from ACCC Security.

Alternatives to sharing passwords

There is never a good reason to share your password.  Here are safe alternatives to sharing your password:

Week 4: Copyright Infringement

Security Awareness Month Week 4

Downloading and sharing copyright protected content (music, movies, ebooks, software, … ) is a crime! Violators may be sued for up to $250,000 and spend five years in a federal prison!

Every year ACCC receives hundreds of Digital Millennium Copyright Act (DMCA) notifications of Copyright Infringement that we are required by law to investigate and act on. Some of these notices arrive in the form of settlement letters where the copyright owners seek monetary damages to prevent a lawsuit.

In collaboration with the Dean of Students Office, ACCC has established the UIC Policy on Copyright Infringement and Peer-to-Peer Abuse. A protocol is established to legally comply with DMCA notifications to protect our campus community, while providing education and resources about Copyright Infringement.

Last academic year, we suspended 263 users for violations of the DMCA, and unfortunately some of those incidents were settlement letters requesting payment of monetary damages from those individuals.

Remember to always use legitimate movie and music services and to abide by copyright law. As a resource, Educause maintains a list of Legal Sources of Online Content.  For information on “Fair Use” visit the University Library resource copyright.uic.edu.

Week 5: Personal Data Security

Security Awareness Month Week 5

Think before posting! Sharing the wrong personal information online can lead to identity theft or the compromise of your account!

We frequently hear, “the Internet never forgets” and it’s true! Information you share on the Internet today may be used to hack into your accounts months from now!

Remember that time that you posted about how your favorite aunt, Sophie, said that ridiculous thing?  Did you remember that post when your bank asked you to secure your password by telling them who your favorite aunt is? Attackers enjoy playing connect the dots.

Additional caution should be taken when deciding where you store and how you transmit your personal data online. Portable storage solutions are a convenient way to carry your personal data around with you, but what happens when you lose that USB thumb drive? Unless you’ve taken the time to encrypt the data, whoever finds the thumb drive now has access to everything on it.

Be careful about what you put on an unencrypted portable device!

Do store:

  • Pictures that you don’t care if someone sees
  • Documents that you don’t care if someone reads
  • Files that you don’t care if someone looks at
  • Detect a theme here?

Don’t store:

  • Anything with your SSN (or anyone else's)!
  • Bank account information
  • Passwords
  • Documents that contain sensitive or high risk data
  • Anything else that shouldn’t fall into someone else's hands.
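The first item on the "don't store" list is also the easiest to check for mechanically before a file is copied to a thumb drive. The following is an added example, not UIC tooling: a small scanner that finds US Social Security Number patterns in text and discards candidates that can never be valid SSNs (area 000, 666 or 900-999; group 00; serial 0000), so ordinary nine-digit numbers and phone numbers produce fewer false positives. The sample documents are constructed.

```python
"""Flag text that must not go on an unencrypted portable device.

Added example, not UIC's tooling. It looks for US Social Security Number
patterns and rejects candidates that can never be valid SSNs (area 000, 666
or 900-999; group 00; serial 0000). Sample documents are constructed.
"""
import re

# Three groups, optional single '-' or ' ' between them, not embedded in a
# longer digit run.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def looks_like_ssn(area, group, serial):
    """Structural validity rules the Social Security Administration publishes:
    area 000, 666 and 900-999 are never issued; group 00 and serial 0000
    are never issued."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def find_ssns(text):
    """Return every SSN-looking string in `text`, in order of appearance."""
    hits = []
    for m in SSN_RE.finditer(text):
        if looks_like_ssn(*m.groups()):
            hits.append(m.group(0))
    return hits


def classify(text):
    """'high-risk' if the text contains an SSN, otherwise 'ok'."""
    return "high-risk" if find_ssns(text) else "ok"


def scan_documents(docs):
    """docs: {filename: text}. Returns {filename: classification}."""
    return {name: classify(text) for name, text in docs.items()}


# Constructed sample documents; the phone number is the UIC Police
# non-emergency line quoted on this page, included to show it is not flagged.
DEMO_DOCS = {
    "vacation.txt": "Photos from the lake, call me at 312-996-2830.",
    "tax_notes.txt": "Client SSN 219-09-9999 for the W-2 question.",
    "invoice.txt": "Invoice 000-12-3456 paid; order 666-01-0001 pending.",
}

if __name__ == "__main__":
    for name, verdict in scan_documents(DEMO_DOCS).items():
        print(f"{name}: {verdict}")
```

A scanner like this is a pre-copy check, not a substitute for encryption: the page's own rule still applies, and anything that scans clean today may be joined by a sensitive file tomorrow.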

In lieu of using an unencrypted portable device, you can use the University of Illinois licensed Box service for cloud file storage and sharing.  All University of Illinois users may access their Box account at uofi.box.com.

Please note that Box is not an approved solution for high risk data.  If this data needs to be stored on a portable device, the device must be encrypted so that if the device is lost or stolen, the data will be unrecoverable.

Last updated: October 02, 2018