ITS Technology Tips

What is identity theft?

Identity theft is a crime where a person uses your personal identification information, like your name, Social Security Number, driver’s license number or credit card number, without your permission with an intention to commit fraud. This also allows the criminal to steal money from you by opening up new credit card accounts and running up charges on them or purchasing new services like a phone account, internet, rent an apartment, etc. in your name. You may not even be able to find out about the theft until you review your credit card statement and notice charges you didn’t make or in some instances until you review your full credit report and credit history.

How is it harmful?

Identity theft can also provide a thief with false credentials for immigration or other applications. The biggest problem with identity theft is that the crimes committed by the thief are often attributed to the victim. The FTC (Federal Trade Commission) estimates that as many as 9 million Americans have their identities stolen each year. Identity theft is a serious crime and it can be harmful to the person whose identity is stolen by losing out on job opportunities, or denial of loans for education, housing or cars because of negative information on their credit reports. Aside from losing money and confidence in the marketplace, identity theft also soils the reputation and livelihood of the consumer. In few cases, they may even be arrested for crimes they did not commit. According to the FBI, identity theft is the fastest-growing white-collar crime in the United States.

What can one do if already a victim of Identity Theft?

1)     Place a fraud alert on your credit reports as and review them as fraud alert prevents an identity thief from opening more accounts in your name.

2)     Close the accounts that you suspect have been opened fraudulently immediately.

3)     File a complaint with the local police or with the Federal Trade Commission, which may help in recovering from identity theft more quickly.

How to avoid Identity theft?

To minimize the risk of becoming a victim of identity theft, remember the word SCAM:

S – Be stingy. Do not give your personal information to others unless you have a valid reason to trust them
C – always Check your financial information on a regular basis to track your financial status
A  – Ask for a copy of your credit report from time to time – you are entitled to 1 free report every year
M – Maintain careful records of your banking and other important financial accounts

What is the Gameover malware?

Gameover is an updated Zeus malware attack that goes after bank information.  The attack takes place when malicious users send spam email to infect computers with malware, which is designed to collect bank account information from the recipient’s computer.  After this malware is on your computer,  it is able to steal usernames, passwords and can bypass financial institutions’ user authentications.  As the name of the attack suggests, once the malware gets your information, it is “game over” for your bank account.

How it works

Spammers spread the virus to computers by sending out emails from the National Automated Clearing House Association (NACHA), the Federal Reserve Bank, or the Federal Deposit Insurance Corporation (FDIC) saying there is a problem with your bank account or recent transaction.  A link is provided in the email to fix the problem, which then leads you to a fake website. As soon as you click the link and go to the website you also just downloaded this malware to your computer.

How to protect yourself

NACHA, FDIC, and the Federal Reserve all say they don’t send out unsolicited emails to bank account holders. So if you want to confirm there’s a problem with your account or one of your recent transactions, contact your financial institution. Do not click on any links sent via email, as these may take you to a Web site that places malicious software on your computer. Instead, enter the address that you know is legitimate into your browser. For example: Instead of clicking on the URL received in an email (such as http://www.123citi-bank-usa.com/update/yourcredentials.html), open up Firefox and navigate to Citibank’s known website: www.citibank.com.

Where can I find more info?
Visit http://www.luc.edu/uiso/protect_yourself.shtml for additional security tips.

Firesheep is a Firefox extension that basically allows anyone you are sharing a wireless network with to discover and access certain online sessions that you are logged into. Many sites encrypt information only for your initial log in; once you successfully log in, the server (that hosts the website you are accessing) sends your browser a cookie granting you access. Once you are logged in, the site reverts back to an unencrypted transmission. Firesheep allows other users to access someone else’s cookies and enter websites using that login information.

To effectively combat Firesheep, you can download one of several plug-ins for Firefox that will force a webpage to use a secure web connection. However, in order for this work, the website must support full end-to-end encryption (either as HTTPS or SSL). For more information and to learn how to install one of these plug-ins, visit the University Information Security Office page.

Did You Know?
Loyola University Chicago blocks over one million spam messages per day.

What is Phishing?
Phishing is an attempt to steal sensitive information, such as your social security number or passwords, by posing as a trusted organization or person. Phishers are known for using this information for identity theft and other fraudulent acts.

What do Phishing attacks look like?
Phishing is most commonly attempted via an email that will claim to come from a trusted organization, such as Loyola University Chicago, your bank or your credit card company. There are two common mechanisms that phishers use to steal your sensitive information:

• 1.  They will ask you to respond to an email with your sensitive  information.
• 2.  They will ask you to follow links to update your sensitive  information.
  • a.  You will appear to be providing your information to the trusted company, while in fact you will be providing that information to a phisher.

What are some types of Phishing attacks?

• “Spear Phishing” targets a particular person or organization into revealing confidential company information by impersonating the organization, or members of the organization.
• “Whaling” specifically targets senior management into divulging confidential information.

How can I prevent becoming a victim of Phishing attacks?
No legitimate organization will ever ask you for your password!

Do not click on any links sent via email, as these may take you to a web site that places malicious software on your computer. Instead, enter the address that you know is legitimate into your browser.

For example:  Instead of clicking on the URL received in an email (such as http://www.123citi-bank-usa.com/update/yourcredentials.html), open up Firefox and navigate to Citibank’s known website: www.citibank.com.

Call the institution to inquire on the matter instead of following the link. In addition, refrain from calling any numbers listed in the email, and instead, use a number for the organization that you know is legitimate.

If you are prompted to enter your username and password to a site that appears legitimate, enter both incorrectly.  A fraudulent site will accept the incorrect username and password while a legitimate site will not. Also make sure to check that the SSL certificate is valid and error free. Refer to the following link and steps to validate the sites SSL certificate, http://info.ssl.com/article.aspx?id=10068.

If you do provide personal or sensitive information to a malicious site, immediately contact the appropriate institution with the details surrounding the occurrence.

Where can I send potential Phishing attacks to be processed?
LUC Staff, faculty, and students should report any regular phishing emails or sites to spam@mailfoundry.com.

If you have received a Spear Phishing or Whaling attack, please forward it to DataSecurity@luc.edu.

Where can I find more info?
Visit http://www.luc.edu/uiso/protect_yourself.shtml for additional security tips.

Does this scenario sound familiar?

It’s time again for you to change your Loyola password and due to the password complexity requirements, you end up creating a password with a string of numbers and letters that’s impossible to remember.  Each time you need your Loyola password you find yourself reaching for that sticky note that you hid in your desk drawer.

Now compound that with 10 more accounts and 10 more passwords for each account.  Suddenly you have a memory nightmare!

If you have more than one username and password it can be a struggle to manage your login information securely. For this week’s Tech Tip, The University Information Security Office (UISO) provides you with information and resources to help you manage all of your passwords.

What are Password Vault Technologies?

Password Vault Technologies allow you to store all of your user names and passwords in one securely encrypted database.

Why should I use a Password Vault?

• -It allows you to use stronger passwords that are not easy to remember, especially as password complexity rules become stricter.

• -No more needing to set all your accounts to the same username and password.
• -It requires you to only have to remember one master password.
• -It will keep you from having to write down passwords which are easy to lose or have fall into the wrong hands.

How does a Password Vault keep you safe?

You can put all your passwords for your accounts in one database, which is locked with one master key. You only have to remember one single master password to unlock the whole database. The database is encrypted using best and most secure encryption algorithms, so you can be assured it will not be broken into.

The password vault technologies come with these features:

• -Database Encryption- Encrypts the complete database, not just your passwords. User names, notes and other data are encrypted too.
• -Protection against guessing and dictionary attacks- These technologies have anti-brute forcing protections built in to the product.  However, be sure to select a good master password!  Any easy-to-guess password will expose all of your credentials.

Which Password Vault product should I use?

The UISO recommends the following Password Vault technologies, which are both open source and free:

• -KeePass: – http://www.keepass.info/download.html
  
• -Password Safe: – http://passwordsafe.sourceforge.net/downloads.shtml

If you have a Microsoft Word 2007 document that you would like to make read-only or if you would like to add password protection, Word offers a few options to secure your file. Here are a few security features offered in Word:

Encrypt Document: Adding encryption to your document will require that a password be entered to open the document. To encrypt your document, click on the Microsoft Icon > Prepare > Encrypt Document. A dialog box will prompt you to set a password.

Read-only Document: You can set your document to be read-only and additionally set a password to open or modify the document. To access these options, click on the Microsoft Icon > Save As, then in the bottom left corner, click on Tools > General Options.

A dialog box will open and you can choose to make the document read-only and to add a password to open and/or a password to modify. Click OK once you have made changes.

When the file is opened, a dialog box will prompt users to enter the password. Keep in mind that if users open the file as a read-only document, they will be able to edit and save as a new document.

Mark as Final: If you want your file to be read-only, you can also mark the document as final. This will disable editing and typing tools. To do this click on the Microsoft Icon > Prepare > Mark as Final. If you decide to open it later for editing, you can select Mark as Final again to set the document to the normal mode.

Note: If you lose or forget any passwords, they cannot be recovered.

In order to keep your computer’s operating system running safely and efficiently, it is important that you regularly install the latest software patches and updates.  In this week’s Tech Tip, the Loyola University Information Security Office provides information and resources to help you keep your software up-to-date.

What is Patch Tuesday?
Patch Tuesday refers to the second Tuesday of each month when Microsoft releases fixes for known issues in its operating systems and other products. These fixes are called patches or updates and are available for free download from the Microsoft website for any legally licensed copy of Microsoft Software.

What do patches do?
After software gets released to the public and it is being used with a greater frequency, people may begin to notice small problems that were not found during testing. Also, old software may have compatibility issues with newer hardware and new software might not run properly on older hardware. After gathering this data, these patches are released to fix these problems.

Why should I care about patches?
Software patches and updates don’t just fix small problems; they can also fix serious security issues within specific software programs. Malicious users can exploit vulnerabilities in software to gain access to part or all of your system. By keeping your software up to date, you are making it harder for someone to gain unauthorized access to your system.

How can I keep my software up to date?
The best way to keep software up to date is to regularly check and install updates from the software company. Microsoft has an update feature built into its operating systems and software which, when turned on, will automatically check with Microsoft for updates. Here at Loyola, computers in the labs, classrooms, as well as faculty/staff desktop PCs, are monitored by network software. Updates are sent to them from a main server once the update has been tested and approved by our Desktop Services team. Students who bring their own computers to campus are required the keep their operating system and antivirus solution up to date. Otherwise, they will not be able to gain access to the Loyola network.

It is also important to keep your other applications up to date. They can have security vulnerabilities that can be exploited by malicious users to gain access to your system. Some applications may have options to turn on automatic updates, but if not, it is important that you check for updates regularly. Here is list of popular software and links to the update site:

Windows:   http://update.microsoft.com
OS X:  http://www.apple.com/support/osfamily
PC Office:  http://office.microsoft.com/officeupdate              
Mac Office:   http://www.microsoft.com/mac/downloads.mspx
iPhone/iPod:  http://www.apple.com/support
Adobe:   http://www.adobe.com/support/downloads/new.jsp
Firefox:  http://www.mozilla.com/en-US/firefox/upgrade.html
Safari:   http://www.apple.com/safari/download
Opera:  http://www.opera.com/download
Norton:  http://www.symantec.com/norton/downloads/index.jsp
McAfee:  http://www.mcafee.com/us/downloads