University of Rochester

Tips Archive

Security Tip of the Week Archive

Protect Your Computer
Protect Your Data
Protect Yourself
Did You Know?

Protect Your Computer

Don't let spyware control your computer use
Did you know that eight out of ten computers are infected with spyware? Spyware is computer software that is surreptitiously installed on your computer and takes partial control of it without your consent. This malicious software can perform many behaviors, including:
- bombarding you with pop-up advertisements
- changing your home page or search page settings
- adding extra toolbars to your web browser
- slowing down your computer
- crashing your system
- tracking your activities
Lower your risk by taking the following steps:
- Update your operating system and Web browser software, and set your browser security high enough to detect unauthorized downloads
- Use anti-virus and anti-spyware software, as well as a two-way firewall, and update them regularly
- Download free software only from sites you know and trust. Enticing free software downloads frequently contain other software, including spyware
- Don't click on links in pop-ups
- Don't click on links in spam or pop-ups that claim to offer anti-spyware software
Visit http://onguardonline.gov/spyware.html or http://www.rochester.edu/it/security/computer/spyware.html for more information concerning spyware.
Back to top...

Malware
Click here for a PDF version of this tip that can be printed and used as a poster.
Malware is short for "malicious software"; it includes viruses – programs that copy themselves without your permission – and spyware, programs installed without your consent to monitor or control your computer activity. Criminals are hard at work thinking up creative ways to get malware on your computer. They create appealing web sites, desirable downloads, and compelling stories to lure you to links that will download malware, especially on computers that don't use adequate security software. Then, they use the malware to steal personal information, send spam, and commit fraud.
Computers may be infected with malware if they:
- Slow down, malfunction, or display repeated error messages
- Won't shut down or restart
- Serve up a lot of pop-up ads, or display them when you're not surfing the web
- Display web pages or programs you didn't intend to use, or send emails you didn't write.
If you suspect malware is lurking on your computer:
- Stop shopping, banking, and other online activities that involve user names, passwords, or other sensitive information. Malware on your computer could be sending your personal information to identity thieves.
- Delete all unwanted email messages without opening them.
- Do not click on web links sent by someone you do not know
- Confirm that your security software is active and current. At a minimum, your computer should have anti-virus and anti-spyware software, and a firewall.
- Once your security software is up to date, run it to scan your computer for viruses and spyware, deleting anything the program identifies as a problem.
- If you suspect your computer is still infected, you may want to run a second anti-virus or anti-spyware program – or call in professional help.
Monitor your computer for unusual behavior. If you suspect your machine has been exposed to malware, take action immediately. Report problems with malware to your Internet Service Provider (ISP) so it can try to prevent similar problems and alert other subscribers, as well as to the Federal Trade Commission.
Back to top...

Public Computer Safety
Click here for a PDF version of this tip that can be printed and used as a poster.
Most of us will occasionally have to use a public computer for one reason or another. Whatever your reasons, using public computers will always carry an inherent risk of exposing your personal data. Here are some things you can do to protect yourself and lessen that risk.

1. Delete your Browsing History
This should be the first step you take to protect your privacy when Web surfing on a public computer. When you’ve finished browsing, it’s a good idea to delete your cookies, form data, history, and temporary Internet files.
How:
- In Internet Explorer 7, you can do this all at once under Tools | Delete Browsing History. In Mozilla
- Firefox, go to Tools | Options, click the Privacy tab, and select Always Clear My Private Data When I Close Firefox. This erases your browsing history, download history, saved form information, cache, and authenticated sessions. Click the Settings button and select the options to erase your cookies and saved passwords, too.
2. Don’t save files locally
When you’re using a computer other than your own, even if it’s a trusted friend’s machine, it’s polite to avoid saving files locally if you can help it. Many of the files you would normally save locally, such as e-mail attachments, can contain private or sensitive information. An easy way to protect this data is to carry a flash drive and save files there when necessary. It’s also a good idea to attach the flash drive to your key ring so you’ll be less likely to misplace it and create a new security problem.

3. Don’t save passwords
This should be obvious when using a public computer, but if the option is already turned on, you might forget about it.
How:
- Internet Explorer 7, go to Tools | Internet Options | Content. In the AutoComplete panel, click the Settings button and verify that the Prompt Me To Save Passwords check box is deselected.
- In Firefox, choose Tools | Options | Security and deselect Remember Passwords For Sites.
4. Don’t do online banking or enter credit card information
You should remember that ultimately, a public computer is never going to be anywhere close to completely secure, so there are some things you just shouldn’t use them for. If you really need to check your balance on the road, you’re much better off finding a branch office or ATM or using your phone.

Public computers are not the place for online shopping. Your purchases from eBay or Amazon.com can and should wait until you can browse from a more secure location. A little added convenience isn’t worth the trouble of having your credit card hijacked.

5. Delete temporary files
Temporary files, often abbreviated to “temp files”, are created when you use programs other than a web browser. For instance, when you create a Word document, in addition to the actual document file you save, Word creates a temporary file to store information so memory can be freed for other purposes and to prevent data loss in the file-saving process. These files are usually supposed to be deleted automatically when the program is closed or during a system reboot, but unfortunately they often aren’t.
How:
Do a search on all local drives (including subfolders, hidden, and system files) for *.tmp,*.chk,~*.*
This will bring up all files beginning with a tilde or with the extensions .tmp and .chk, which are the most common temp files. Once the search is complete, highlight all and Shift + Delete to remove them. (If you don’t hold down Shift, they’ll usually be sent to the Recycle Bin, which you would then have to empty.)

6. Remember to log out
Always log out of Web sites by clicking "log out" on the site. It's not enough to simply close the browser window or type in another address. Also remember to log off of a public machine when you are done using it. You are responsible for what happens while you are logged into your username.

7. Pay attention to your surroundings and use common sense
Finally, you need to remember to pay attention to things outside of the actual computer that could be a risk. Be aware of strangers around you (potential shoulder surfers) and remember that a public computer is just that — public. Don’t view any truly sensitive documents you couldn’t bear for others to see. Remember the security camera over your shoulder. Cover your hands from view when entering any login information to prevent any casual spying.
Most important, remember that there is nothing you can do to make a public computer completely secure. A truly malicious owner or user could install a hardware keystroke logger that would be impossible to detect without actually opening the case and inspecting it. With that less-than-comforting thought, use common sense and use public computers only for non-sensitive tasks. The University has taken many of these risks into account when building the public machines and has made each machine as safe as possible for your use. But always keep these tips in mind when using an unfamiliar computer.
Our archive of past "Security Tips of the Week" is available for your information.
Back to top...

Laptop Travel Safety - Last Posted 7/5/2010
Click here for a PDF version of this tip that can be used as a poster.
A laptop computer defines convenience and mobility, but chances are you've heard stories about stolen laptops on the news or from friends and colleagues. As the holidays approach, here are some tips to help prevent your laptop from being stolen when you are traveling.
- Keep a careful eye on your laptop when you are in public.
- Password protect your screen.
- Avoid putting your laptop on the floor. If it is your only option, place it somewhere you are aware of it, like in between your legs.
- Don’t keep your passwords in your laptop carrying case. This could make it easier for a thief to access your personal or corporate information.
- Consider using a suitcase, briefcase or a backpack to carry your computer when traveling. Laptop cases advertise what you are carrying.
- Don’t leave your laptop in your car. If you have no choice, make sure that your laptop is completely hidden.
- Don’t leave you laptop for “just a minute.” Take it with you if you can or at least use a cable to lock it.
- Pay close attention in airports especially when you go through security.
- If your laptop has been stolen while you’re out of town report it immediately to the local authorities.
If your laptop that contains University Confidential or Legally Restricted Data has been stolen or compromised contact Information Technology Security immediately at (585) 273-1804 for University departments or (585) 784-6115 for Medical Center departments.
Back to top...

Don't Click on FakeAV
One of the most successful social engineering attacks to appear recently is FakeAV. Criminals are creating authentic-looking copies of Windows screens and notices that make users believe their machine is infected with viruses and offer an anti-virus (AV) program to help remove the infection. The screens may even entice users with recent events, such as a celebrity’s death, to lure you into clicking their link. Once the user clicks the link and installs the anti-virus program, they must pay money to make it operational and/or uninstall it. The FakeAV program will continue sending annoying messages and intrusive alerts until the user provides payment. In addition to being annoying, some of these programs even steal user’s local data and install keyloggers to steal passwords.

If you observe a Windows page that states you have a virus or other computer related issue, contact your department’s information technology department before clicking any links. Once you click on the link, the file is installed and your computer is infected. Either way, you’ll be contacting your department’s information technology.
Back to top...

Protecting Cell phones and PDAs
Click here for a PDF version of this tip that can be printed as a poster.
As cell phones and PDAs become more technologically advanced, attackers are finding new ways to target victims. Most cell phones can send and receive text messages; others connect to the internet. Although these useful features are convenient, attackers can take advantage of them to:
- Abuse your service
- Lure you to a malicious website
- Use your cell phone or PDA in an attack
- Gain access to account information
How to protect yourself:
- Be careful about posting your cell phone number and email address
- Do not follow links sent in email or text messages
- Be wary of downloadable software
- Evaluate your security settings, such as Bluetooth connections, and disable Bluetooth when you are not using it
- Encrypt your cell phone or PDA if it contains sensitive data
Visit http://www.us-cert.gov/cas/tips/ST06-007.html for more information about protecting your cell phone and/or PDA.
Back to top...

Keep Your Computer Virus-Free
Are you worried about your computer becoming infected with a virus? Don't want to spend a small fortune on antivirus software? Then today is your lucky day!
The University provides Sophos Antivirus Software FREE to all faculty, staff, and students. This software should be installed on University computers, and any personal computers that access University resources. The software offers a broad range of protection for desktops, file servers, and email servers and gateways.
Download Sophos desktop antivirus software for PCs and Macs.
** URMC users, please click here for more specific antivirus information and contact the ISD Help Desk at 275-3200 for assistance **
Antivirus software helps prevent a virus from invading your computer. Here are some safe practices you can follow:
- If you are unsure about an attachment, delete it. Especially if it is from a source you don't recognize.
- Don't download unknown programs from the Web. This includes freeware, screensavers, games, and any other executable program - any files with an ".exe" or ".com" extension, such as "coolgame.exe." If you do have to download from the Internet, be sure to scan each program before running it.
- Update your antivirus software regularly. New viruses, worms, and Trojan horses are born daily, and variations of them can slip by software that is not current.
- Configure your antivirus software to boot automatically on start-up and run at all times. This will provide you back-up protection in case you forget to scan an attachment, or decide not to scan.
- Scan all incoming email attachments. Do this even if you recognize and trust the sender; malicious code, like Trojan horses, can slip into your system by appearing to be from a friendly source.
- Delete chain emails and junk email. Do not forward or reply to them. These types of email are considered spam - unsolicited, intrusive messages that clog up inboxes and networks.
- Don't automatically open attachments. Be sure your email program doesn't automatically download attachments. This will ensure that you can examine and scan attachments before they run. Refer to your email program's safety options or preferences menu for instructions.
- Back up any important files on an external drive or disk. In case a virus finds its way to your computer, be prepared. If a virus destroys your files, you will be able to replace them with your back-up copy. You should store your backup copy in a separate location from your work files. *
* Please see our tip of the week regarding Backing up your data
Back to top...

Laptop Security
Click here for a PDF version of this tip that can be printed as a poster.
Secure laptop computers at all times. If your laptop computer is stolen, important information can be exposed, including your personal and financial information.
1. Always keep your laptop with you - or lock it up securely before you step away.
2. Never leave access numbers or passwords in your carrying case.
3. Buy and use a laptop security device. Laptop lockdown cables are available at University Computer Sales and most computer or office supply stores.
4. Laptops containing any University Confidential or Legally Restricted Data (defined in the University Information Technology Policy) must be encrypted.
If your laptop has been lost, stolen or compromised and it contains University Confidential or Legally Restricted Data, contact Information Technology Security immediately at 273-1804 for University departments or 275-3200 for Medical Center departments.
Click here for more information about laptop security.
Back to top...

Apple Users Targeted
The growing success of Apple's Mac OS, bolstered by iPhone sales and new iPad tablet users, has caught the attention of cybercriminals who are setting their sights on Apple users.
Recently, Apple computer owners are being subjected to a number of specialized malware attacks that insist Mac users download a malware version of the popular MacDefender antivirus application, infecting their computers as a result. Additional information about this malware can be found at:
http://isc.sans.edu/diary.html?storyid=10813
http://tech.fortune.cnn.com/2011/05/04/is-mac-under-a-virus-attack/
Another recent announcement involved the availability of a new Do-It-Yourself crimeware kit that has become available that is aimed at the Mac OS X platforms. The toolkit is being sold in low numbers on several black hat hacking forums.
Additional information about this attack can be found by clicking here.
What Can You Do?
To help protect yourself from malware, you should make sure that your Sophos antivirus software is up to date. Sophos antivirus is available free to the University of Rochester community.
For University departments that are not part of the Medical Center, visit here for more information about anti-virus protection, and to download your version today.
For Medical Center departments, please reference here.
Additionally, you should disable "Open safe files after downloading" in Safari to prevent malware from automatically becoming installed.
Back to top...

Lock Your Computer Screen
You are at the center of secURity.
Click here for a printable version of this tip that can be used as a poster.
When leaving your computer unattended, always make sure the screen is locked and password protected. Locking the screen will prevent others from accessing your session without your permission. All your applications and work will remain open in the background while the screen is locked, so when you return and enter your password, you can pick up where you left off.
See http://www.rochester.edu/its/security/computer/Physical_Security.html for more information on how to set up a password for your computer to lock automatically when the screensaver turns on.
Back to top...

Has Your Computer Been Infected?
You are at the center of secURity.
Click here for a PDF version of this tip that can be printed as a poster.
Chances are you have received an email or had a free antivirus scan pop-up on your screen. Scammers and identity thieves are exceptionally good at identifying new opportunities and one area they have been dabbling in recently is the antivirus and anti-spyware market.
There are many criminals who are now selling, or even giving away, software that would appear to offer essential protection to those who surf the net. In reality, many of the programs do not function at all, or are designed to infect and spread the malicious codes they were supposed to protect against.
What Should I do?
- Never click on pop-up advertisements. Not even to close them. This may cause trouble.
- Only open an email attachment if you are POSITIVE about the source.
- If you land on a website and see a warning from Google about its content, pay attention and leave the website.
- If you aren't sure if a product is legitimate, search the name on Google to verify its authenticity.
- Only buy anti-virus and anti-spyware products from reputable companies. Remember that scam artists will often use names that make their sites or products appear to be from reputable vendors.
- Remember your home computer needs antivirus protection just as much as your computer at the University does.
- NOTE: The University provides FREE antivirus software to all University students and employees.
For University departments that are not part of the Medical Center, visit here for more information about anti-virus protection, and to download your version today.
For Medical Center departments, please reference http://intranet.urmc-sh.rochester.edu/InfoSystems/
HelpResources/ApplicationTips/AntiVirus/index.asp.
Check out this list of rogue/fake anti-virus and anti-spyware products.
Our archive of past "Security Tips of the Week" is available for your information.
Back to top...

Social Networking - Instant Messaging Security
You are at the center of secURity.
We are viewing Social Networking as the use of social software applications to establish and maintain a connection among users. It has expanded to include many things over the past several years.
Instant messaging is one of the older methods of social networking, but is still widely used. Instant messaging has many of the same security threats email does... and then some. Instant messaging can transfer viruses and other malware, and give hackers an easy way to find victims. If you regularly use instant messaging, be aware of the security risks associated with it and take steps to protect yourself.
You should:
- Keep your instant messaging client updated with the latest version, as often times updates are released to fix security problems
- Never open pictures, download files, or click links in messages from people you don't know
- Be careful when creating a screen name. Generally, you shouldn't use your real name or include any personal information.
- Create a barrier against unwanted instant messaging by not publishing your screen name
- Never provide sensitive personal information
- Never transmit confidential or legally restricted data within messages
- Only communicate with people who are on your contact or buddy lists
See the following links for more information on instant messaging safety.
Back to top...

University Electronic Cleanup
Sponsored by the Data Security Task Force
Wednesday, February 29, 2012 (1:00PM – 3:00PM suggested time)
Click here to add a reminder to your calendar.
The Data Security Task Force encourages everyone at the University to set aside two hours on Leap Day for electronic file cleanup. Taking time out of this extra day will help make your computer and your life more efficient and secure.
Visit the LEAP Day Promise site to learn more.
Back to top...

Protect Your Computer: Anti-Virus Software
You are at the center of secURity.
- For University areas, click here for a poster that can be printed and placed in your area.
- For URMC areas, click here for a poster that can be printed and placed in your areas.
The University has anti-virus software available for FREE to all faculty, students, and staff at the University. This software, from Sophos, offers a broad range of protection for desktops, file servers, e-mail servers and gateways.
If you do not have Sophos Anti-Virus currently installed, please join the effort to keep the University network virus-free by installing this software now.
For University departments and students that are not part of the Medical Center, visit here for more information about anti-virus protection, and to download your version today.
For Medical Center departments, please reference http://intranet.urmc-sh.rochester.edu/InfoSystems/
HelpResources/ApplicationTips/AntiVirus/index.asp.
Back to top...

Protecting University Data: Anti-Virus Protection
You are at the center of secURity.
The University coordinated a large volume anti-virus software purchase in 2006 to encourage widespread use of comprehensive anti-virus programs on the University's network. This software, from Sophos, offers abroad range of protection for desktops, file servers, e-mail servers and gateways. This software is available for free to all faculty, students, and staff at the University.
If you are not currently using any anti-virus software, then please join the effort to keep the University network virus-free.
For University departments and students that are not part of the Medical Center, visit here for more information about anti-virus protection, and to download your version today.
For Medical Center departments, please reference http://intranet.urmc-sh.rochester.edu/InfoSystems/
HelpResources/ApplicationTips/AntiVirus/index.asp.
Back to top...

Protect Your Computer - Malware
You are at the center of secURity.
Click here for a printable version of this tip that can be used as a poster.
What is Malware?
Malware is short for "malicious software." It includes viruses and spyware that get installed on your computer, phone, or mobile device without your consent. These programs can cause your device to crash and can be used to monitor and control your online activity. Criminals use malware to steal personal information, send spam, and commit fraud.
Is My Computer Infected?
Your computer may be infected with malware if it:
- slows down, crashes, or displays repeated error messages
- won't shut down or restart
- serves up a barrage of pop-ups
- displays web pages you didn't intent to visit, or sends emails you didn't write
Other warning signs of malware include:
- new and unexpected toolbars
- new and unexpected icons in your shortcuts or on your desktop
- a sudden or repeated change in your computer's internet home page
- a laptop battery that drains more quickly than it should
How To Avoid Malware
- Update your operating system and Web browser software, and set your browser security high enough to detect unauthorized downloads
- Use anti-virus and anti-malware software, as well as a two-way firewall, and update them regularly
- Download free software only from sites you know and trust. Enticing free software downloads frequently contain other software, including spyware
- Don't click on links in pop-ups
- Don't click on links in spam or pop-ups that claim to offer anti-malware software
Where To Go For Help
Visit http://onguardonline.gov/malware and https://www.rochester.edu/it/security/computer/viruses_Worms_Malware.html for further information on malware.
If you suspect your machine may be infected, and you need assistance, contact your departmental security liaison or your IT Help Desk for assistance.
Spyware Game
Try this fun Spyware Game to learn the clues about spyware.
Back to top...

Protect Your Computer - Attack Resistant Computers
Click here for a version of this tip that can be printed and used as a poster.
An up-to-date, properly configured computer is the best way to keep your computer safe from viruses and attacks. Making sure all security patches are installed, making sure anti-virus software is receiving daily updates, and disabling unneeded features such as file sharing and personal web sharing are all important steps.
You should:
- Make sure that the latest patches are installed on your computer regularly.
  Please see http://www.rochester.edu/it/security/computer/win_patches.html for information concerning Computer Updates.
- Make sure your anti-virus software is kept up to date.
  Sophos anti-virus software is available for all members of the University.
  - While the software is checking for updates, you should notice that the left side of the shield is flashing green. If the updates are unsuccessful, the shield will change its appearance to this: If you see the red X, try to run the updates again by double-clicking on the shield. If this does not work, contact the IT Center at 275-2000 (for University departments that are not part of the Medical Center) or the ISD Help Desk at 275-3200 (for Medical Center departments)..
  - For University departments that are not part of the Medical Center, visit http://www.rochester.edu/it/security/computer/antivirus.html for more information about anti-virus protection.
  - For Medical Center departments, anti-virus protection information can be found at http://intranet.urmcsh.rochester.edu/InfoSystems/HelpResources/ApplicationTips/AntiVirus/index.asp.
- Only install the software packages that you need on your computer.
  Many exploits used by computer hackers target vulnerabilities in computers that are running unnecessary services. For example, applications such as the Java Runtime Environment should only be installed if another application you use requires it. Java is a platform that is frequently targeted. If you do need to install this software, you should keep the software current with any released patches.
You should contact your IT support area if you have questions concerning what software you should be installing.
Back to top...

Protect Your Computer: Anti-Virus Protection
You are at the center of secURity.
Did you know that anti-virus software is the most important security software that you can have on your computer?
To help ensure your safety, the University coordinated a large volume of anti-virus software purchases in 2006 to allow for all faculty, staff, and students to have access to a premiere and comprehensive anti-virus solution. This software, from Sophos, offers a broad range of protection for desktops, file servers, e-mail servers and gateways. This software is available for free to all faculty, students, and staff at the University.
Please view our anti-virus video to gain additional information on where to obtain anti-virus software, or go to www.rochester.edu/antivirus:

Back to top...

Protect Your Computer - Internet Security Risks and Their Fixes
You are at the center of secURity.
Click here for a PDF version of this tip that can be used as a poster.

We all love the internet. It is easy to access and provides us with an infinite amount of information. But the internet wasn’t made with security in mind. There are a lot of things we do that open us and our private information to hackers, scammers and computer viruses.

Here are 6 internet security risks and what you can do to fix them.
Risk 1: Leaving your Wi-Fi unprotected

Wireless internet is a great to have at home especially if you have a laptop. Leaving your wireless network open without a password is like leaving your home's doors and windows open when you're not there. It is easy for passersby's to access your network.

FIX: Always password protect you wireless router and change the default password on your wireless router when you first set it up.

Risk 2: Not enabling your firewall

Firewalls plug virtual ports in your computer that make it vulnerable to the plethora of malicious programs that may try to access your computer.

FIX: Every computer comes with a free, built-in firewall. Activate your firewall by going into your security settings and turning it on.

Risk 3: Opening emails from strangers

Opening email from an unknown source is never ok. Your anti-virus software is only as good as its most recent update.

FIX: Never open an email from a suspicious sender. If the sender looks legitimate, never download attachments or follow links asking you to change personal information or passwords unless you were expecting them. Update your anti-virus software frequently.

Risk 4: Downloading torrent files

Torrents are a popular method of peer to peer file sharing. Copyright infringement is not the only potential issue with torrents; illegal downloads also often come bundled with viruses or malware which can harm your computer. You could have to pay a hefty fee if caught illegally downloading copyrighted files.

FIX: This one is easy. Don’t use torrent sites to download software, music, or movies. It could save you hundreds of thousands of dollars in the long run.

Risk 5: Not installing system updates

Those annoying system update pop-ups remind us there is a new software update available. Software updates keep your computer secure.

FIX: Just do it. Update your software frequently.

Risk 6: Not password protecting your hardware

We have all heard stories of someone’s laptop or smartphone being stolen. If the device isn't password protected not only can the thief get your hardware, they also have your data. They may potentially gain access to personal information contained on the device.
FIX: Require a password to be entered to unlock a device, to wake it up, or turn it on. It may get irritating to type your password every time your screen saver comes on but your information will be safer if your computer is ever stolen.
Back to top...

Protect Your Data

Wireless Security
Click here for a PDF version of this tip that can be used as a poster.
Wireless Internet access offers convenience and mobility but the downside is anyone with a wireless-ready computer can use your connection. Unless you take certain precautions, neighbors, or hackers lurking nearby, could “piggyback” on your network, or even access your personal information. If an unauthorized person uses your network to commit crimes or send spam the activity can be traced back to your account. Here are the following steps you should take to protect your computers on a wireless network:
- Use encryption to scramble communications over the network. If you have a choice, use WiFi Protected Access (WPA) as it is stronger than Wired Equivalent Privacy (WEP).
- Use anti-virus and anti-spyware software, as well as a firewall on both your computer(s) and router.
- Change the identifier on your router from the default so a hacker can't use the manufacturer's default identifier to try to access your network.
- Most wireless routers have a mechanism called identifier broadcasting. Turn it off so your router won't send a signal announcing its presence.
- Change your router's pre-set password for administration to a passphrase or series of letters, numbers and symbols that only you know. The longer the password, the tougher it is to crack.
- Allow only specific computers to access your wireless network using MAC address filtering.
- Turn off your wireless network when you aren't using it.
- Don't assume public "hot spots" are secure. You should assume other people can access any information you see or send over a public wireless network.
Back to top...

How Secure is your Flash Drive?
Click here for a PDF version of this tip that can be used as a poster.
Flash Drives. We all use them. They are small, cheap, offer gigabytes of storage, and are easy to use. It is easy to fill one with important files, clip it to a keychain or slip it in a purse and hit the road.
But what if you lose it while looking for change or misplace your keys and is found by a hacker?
By following 3 simple rules you can protect any important information on your flash drive from falling into the wrong hands.
Rule 1: Most importantly, minimize the amount of sensitive information you keep on it. The Ideal amount is Zero.
If you can't follow rule 1:
Rule 2: Keep the flash drive safely in your possession or otherwise locked up in a safe place, just like any valuable object.
Rule 3: use a drive with built-in access control and encryption protection, and use that feature. Don't count on your ability to never lose drive, or never have it stolen.
Encrypt your flash drive:
Windows Users:
- TrueCrypt - www.truecrypt.org
- Winzip - www.winzip.com
Mac Users:
- Use Disk Utility to create a password protected sparse disk image. Learn how here.
- TrueCrypt - www.truecrypt.org
Back to top...

Passwords are the key to your data
Click here for a PDF version of this tip that can be printed and used as a poster.
Create a password that is easy to remember, but hard for anyone else to guess.
When choosing a password:
- Don't use passwords based on personal information that may be easily accessed or guessed.
- Don't use words in any dictionary of any language.
- Develop a mnemonic for remembering complex passwords.
- Create passwords with uppercase and lowercase letters.
- Also use a combination of letters, numbers, and special characters.
- Use different passwords on different systems.
Visit http://www.rochester.edu /it /security/yourself/passwords.html for more information about strong passwords, and to try the password checker to test the strength of your password.
Back to top...

SSN Registration
This is a reminder to University Faculty and Staff to continue to register Social Security Numbers (SSN).
After the June 30, 2009 deadline, a security breach, loss or potential illegal disclosure of Social Security Numbers that have not been registered will result in financial liability for the department(s) responsible for managing the data.
SSN Registration is an ongoing policy at the University. If changes to a current collection are made, update and register the changes. Be sure to register any new collections.
It is University Policy that all Social Security Numbers (SSN) are registered using the SSN registration form.
For more information on the SSN Registration and SSN Policy visit:
- http://www.rochester.edu/it/policy/SSN-PII/ssn_registration.php
- http://www.rochester.edu/it/policy/SSN-PII/currents.php
- http://www.rochester.edu/it/policy/SSN-PII/currents.warner.php
- http://www.rochester.edu/it/policy/SSN-PII/SSN_Compliance_Deadline_Memo.pdf
Back to top...

Remote Access Using VPN
When you are off campus and need to access email or other University restricted resources, you should use VPN (Virtual Private Network). VPN provides a secure connection between your off campus computer and University resources while using the Internet.
Please reference the following links for additional information about how to use VPN for remote access:
http://www.rochester.edu/it/vpn for College and University
http://www.rochester.edu/it/vpn/medcenter for the Medical Center
Back to top...

Changes coming to IT Center and River Campus public computers
You are at the center of secURing your data.
Starting in January 2011, access to kiosks and public computers in the libraries and IT Center on the River Campus will require login credentials for use. To ensure access to resources on public computers including the ability to login, you will first need to update your NetID. The new login requirements are part of an effort to further protect information and will help preserve availability of computers for the University community. The computers will log you off automatically after 15 minutes of inactivity, which will help preserve your security. University IT reminds you, however, to always log off from public computers when finished using them, and to never share your password with anyone.
Medical Center faculty, staff, and students will not be asked to update their NetIDs at this time. Instead, they will be able to use their active directory accounts to access kiosks and public computers in the libraries and IT Center on the River Campus.
Once you have updated your NetID, you will also have access to a new wireless service that will allow you to authenticate your laptop, smart phone, and other wireless devices just once. These devices will automatically connect to the University network in the future and will not require you to login as you move around campus.
Please look for an official communication concerning this via email this week (the week of January 4th, 2011).
Further information on this important security change can be found by clicking here.
Back to top...

Public computers will soon require login
You are at the center of secURing your data.
Starting in January 2011, access to kiosks and public computers in the libraries and IT Center on the River Campus will require login credentials for use. The new logon requirements are part of an effort to further protect information and will help preserve availability of computers for the University community.
Please look for an official communication concerning this via email the week of January 4th, 2011.
Further information on this important security change can be found by clicking here.
Back to top...

Remember to Register your Social Security Number Collections
It has been two years since the University of Rochester's Social Security Numbers (SSNs) & Personal Identifying Information (PII) policy was approved. It is University Policy that all SSNs are to be registered with a University Information Security Officer using the SSN registration form.
This is a reminder for all University Faculty and Staff to continue to register any new Social Security Number collections. If changes have been made to a previously reported collection, update the registration with the changes.
For more information on the SSN Registration and SSN Policy, visit the policy website by clicking here.
Back to top...

10 Most Easily Stolen Passwords
Click here for a PDF version of this tip that can be used as a poster.
You are at the center of secURing your data.
A recent study looked at 32 million exposed passwords and revealed the 10 most common. They include:
1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123
Many of the stolen passwords used common slang words, adjacent keyboard keys and names presumably important to the user (such as family members).
It is important that you choose a complex password that you can easily remember. Please avoid these common password practices. Further information about passwords can be found by clicking here.
Back to top...

Monthly Campaigns - Starting with Regulatory Compliance

The Information Security teams are working hard to educate faculty, staff, and students about best practices to protect your information. Over the past 18 months, we have been raising information security awareness by distributing postcards and posters, broadcasting weekly security tips, creating videos, and placing photos on the University home page. Often, these would cover a different topic each week.
This month, we are launching a new approach that is designed to focus on a specific topic or theme each month, allowing us to cover each topic in more detail. There will be an online quiz at the end of most months that will make you eligible for a chance at giveaways.
You will also start seeing our new logo:
Monthly Theme
This month, our theme is Regulatory Compliance.

The first topic that we will cover is Social Security Number protection.

The University of Rochester's Social Security Numbers (SSNs) & Personal Identifying Information (PII) policy has been in place since January, 2009. It is University Policy that all SSN collections are to be registered with a University Information Security Officer using the SSN registration form.

This is a reminder for all University faculty and staff to continue to register any new Social Security Number collections. If changes have been made to a previously reported collection, update the registration with the changes. Your departmental Security Liaison should also be checking in with you about your current registrations to see if any updates are needed.

For more information on the SSN Registration and SSN Policy, visit the policy website.

Back to top...

Regulatory Compliance - Policy website

You are at the center of secURity.
Continuing our focus on Regulatory Compliance this month, please take a few minutes to review the Information Technology Policy website at:
http://www.rochester.edu/it/policy/
Here, you will find important information concerning privacy, data classification and access restrictions, and enforcement within the IT Policy.
You will also find links to the Acceptable Use Policy, Credit Card Policy, Mobile Device Standard, Multifunctional Devices and Copiers Policy, Record Retention Policy, and SSN Policy.
Be sure to check the Policy website occasionally as this will be the area where any new Information Technology policies will be added.
Back to top...

Regulatory Compliance - HIPAA
You are at the center of secURity.
HIPAA, the Health Insurance Portability and Accountability Act, affects everyone at the University of Rochester. As a healthcare provider, workforce members at URMC and Affiliates have regulatory responsibility to comply with HIPAA and maintain the privacy of patients’ protected health information (PHI). However all UR faculty, staff, students and volunteers are patients themselves at some point either here at URMC or elsewhere and are therefore affected by HIPAA. HIPAA is a good example of how the privacy of patient information intersects with IT security. In fact, HIPAA Security regulations with their IT focus were enacted to ensure compliance with the HIPAA Privacy Rule.
IT security controls are required to maintain not only the confidentiality but also the integrity and availability of PHI in the following ways:
- Confidentiality—requires role-based access which permits users to have only the access they need to perform their job (HIPAA Privacy Rule requires adherence to a minimum necessary standard). Strong passwords, session inactivity time outs, privacy and security training, proper user access templates, encryption of PHI whether in transit or at rest, appropriate physical security of data centers, servers, etc. are all required to maintain the confidentiality of PHI. Users may only access PHI when they have a clinical or business need to do so. Users who are not in compliance with HIPAA will be subject to sanctions as required by these federal regulations.
- Integrity—physicians and others caring for patients must have confidence that the data they are using to base medical decisions is accurate and not able to be manipulated, deleted or tampered with by those who could potentially cause damage to a system. Proper controls of access provisions and to systems are important to maintain the integrity of PHI.
- Availability—in order to be sure that systems containing protected health information are available as needed, business continuity plans, back up of systems, data recovery, emergency preparedness, business impact analysis, etc. are all necessary components.
With the recent launch of the new eRecord system at Strong Memorial and Highland Hospitals all users as well the Medical Center’s Information Systems staff must be vigilant in their roles to maintain the confidentiality, availability and integrity of the medical information of over one million patients.
For more information on HIPAA, see the URMC intranet site at: http://intranet.urmc-sh.rochester.edu/policy/HIPAA/
Back to top...

Mobile Computing Device Standards - Training and Quiz (for Prizes!)
Over the past month, we have been focusing on securing Mobile Computing Devices. We have:
- Announced the new Mobile Computing Device Standards
- Provided a video to show some of the things you should do to protect your mobile computing device
- Listed some tips on how to stay safe with your mobile computing device
Training coming soon
This week, we have been working on a training video to show what a mobile device is, why the University is concerned about the security of mobile devices, why a mobile device standard is needed, how you can stay safe on the go, and some step by step how-to's for several mobile devices. This video will be available soon from the Mobile Computing Device Standards website at http://www.rochester.edu/it/policy/MobileDevice.html.
Take our quiz for a chance at prizes
We have some great prizes available for those that successfully complete our Mobile Computing Device quiz. If you complete our quiz correctly, you will be entered for a chance to win one of three 8G padlock-encrypted flash drives.
Click here to take this month's quiz.
Back to top...

Mobile Computing Device - Stay Secure on the Go
Mobile devices are everywhere, and so is the potential for lost or stolen data.   Smart phones, laptops, iPads, and all portable devices are vulnerable. The University’s mobile device standard requires these three security standards:

1.    Encryption
2.    Password protection
3.    Inactivity timeout

Additional recommendations include remote wipe capabilities and secure connectivity.

Here are step-by-step instructions on how to secure your mobile device (Note: The instructions may vary slightly dependent upon the version and model number of your mobile device).
Android
Blackberry
iPhone/iPad
For more information, see the Mobile Computing Device Security Standards.
http://www.rochester.edu/it/policy/MobileDevice.html
Back to top...

SSN Registration Reminder
The University of Rochester's Social Security Numbers (SSNs) & Personal Identifying Information (PII) policy has been in place since January, 2009. It is University Policy that all SSN collections are to be registered with a University Information Security Officer using the SSN registration form.

This is a reminder for all University faculty and staff to continue to register any new Social Security Number collections. If changes have been made to a previously reported collection, please remember to update the registration with the changes.

If you have any questions, please check with your departmental Security Liaison, HIPAA Security Official, or Privacy Officer.

For more information on the SSN Registration and SSN Policy, visit the policy website.

Back to top...

Data Classification - Legally Restricted Data
You are at the center of secURity.
Click here for a version of this tip that can be printed and used as a poster.
Legally Restricted data is data that needs to be protected by law. Some examples of Legally Restricted Data include:
- Protected Health Information (PHI)
- Social Security Numbers (SSN)
- Credit/debit card information collected for payment of University goods or services
- Bank account numbers
- Personally Identifying Information (PII) - examples include an employee's social security number; home address or telephone number; personal electronic mail address; Internet identification name or password; parent's surname prior to marriage; drivers' license number; NYS non-driver identification card number; and account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individuals's financial account
Some places that you may find Legally Restricted data include:
- Patient records
- Grant documents for current, retired, or rejected grants
- Human subjects records
- Personal tax forms
- Federal reporting requirements (Welfare benefits and wage garnishing)
- I-9 forms
- Drivers license
- Personnel file for faculty, staff, and retired staff
- Appointment letters
- Performance appraisals (historical contains SSN)
- Records of payroll deductions
- Salary records
- Student health information
- Financial Aid records (SSN)
To help keep this data safe, please remember to secure paper formats in locked storage. Encrypt saved content. Encrypt information that is moved off University systems.
When disposing of Legally Restricted data, you must make sure that the data is no longer readable or recoverable.
Back to top...

Data Classification - Confidential Data
You are at the center of secURity.
Click here for a version of this tip that can be printed and used as a poster.
Confidential data is information that can be sensitive or proprietary. Some examples of Confidential Data include:
- Large segments of the University budget
- Unpublished intellectual property such as patent applications, inventions, manuscripts, Department academic files
- Information the University has agreed to hold confidential under a contract
- Personnel records
- Department academic files
- Student information
- Records and communications of the Board of Trustees
How to Keep Confidential Data Safe
Use University computing resources when working with this data. Transmit information using University email systems. Save information on University equipment, preferably network storage instead of your laptop or computer at your desk. Avoid or minimize using personally owned devices to check email or work remotely. Encrypt any saved content. Encrypt content that is moved off University systems. Secure paper formats in locked storage.
How to Dispose of Confidential Data
Data must no longer be readable or recoverable, whether electronic or paper. Remove from all storage locations or destroy the storage locations. Shred paper or use a document destruction service.
Basic Safe Data Handling
- Never share account logins
- Use University email systems for University business
- Encrypt devices with passcodes and inactivity time-outs
- Respect the privacy of others
- When working from home, maintain personally owned equipment in good working order
Unsure of the Data Classification?
Try asking, "What consequences will the University incur if the data in question is exposed?"
...if significant legal expenses or lawsuits, the data is probably legally restricted.
...if embarrassment, perhaps requiring public apology, then the data is probably confidential.
...if regret, then the data is probably internal.
...if pride, then the data is probably public!
Back to top...

Data Classification - Internal Data
You are at the center of secURity.
Click here for a version of this tip that can be printed and used as a poster.
Internal data is information that is necessary for people to perform their work at the University, is properly available to others at the University, but is not appropriate to be known by the general public.
Some places where you can find Internal Data includes:
- Health records pertaining to environmental safety
- Radiation safety records
- Asbestos monitoring and training
- Security and incident reports
- Accident and incident reports
- Financial auditing work papers
- Financial statements - unaudited
- Department budgets
- Purchase orders
- Travel reimbursements
- Organizational charts with names
- Job descriptions
- Search committee records - any staff level
- Tenure and promotion cases
- Affirmative action plans
- Union agreements
- Grievance files (not considered personnel file)
- Sexual harassment complaints, investigations, and findings (not considered personnel file)
- Real estate materials
- Construction drawings
- Alumni data
- Gift records
Basic Safe Data Handling
- Never share account logins
- Use University email systems for University business
- Encrypt devices with passcodes and inactivity time-outs
- Respect the privacy of others
- When working from home, maintain personally owned equipment in good working order
Unsure of the Data Classification?
Try asking, "What consequences will the University incur if the data in question is exposed?"
...if significant legal expenses or lawsuits, the data is probably legally restricted.
...if embarrassment, perhaps requiring public apology, then the data is probably confidential.
...if regret, then the data is probably internal.
...if pride, then the data is probably public!
Back to top...

Protecting University Data - Lock Your Computer Screen
You are at the center of secURity.
Click here for a PDF version of this tip that can be used as a poster.
Your computer screen is the way you view all of the information on your computer. It takes only a few seconds to secure your computer and discourage malicious individuals from snooping through your files. Lock your computer screen every time you leave your computer.
Here are some ways to secure your computer.
Windows:
1. Click the Windows key (the flying window key at the bottom of the key board) and the L key. This will bring up your login screen and lock your computer down
OR
1. Click Ctrl+Alt+Delete
2. Select "Lock Computer"
3. This will bring up your login screen and lock your computer down.
To log back in, type Ctrl+Alt+Delete if necessary, and type in your username and password.
You should also set your screen saver with a time out, then click the checkbox for "On resume, password protect" or "On resume, display logon screen".
Also, under Energy Saving Settings, it can be set to “Require a password on wake”. When your computer wakes from sleep, no one can access your data without entering the correct password to unlock the computer.

Mac:
If you have Check Point Full Disk Encryption for Mac installed, you can select 'Lock workstation' under the Check Point status icon on the menu bar.
If you do not have Check Point installed, you can do the following:
1. Open System Preferences.
2. Click on the Security icon.
3. Check Require password to wake this computer from sleep or screen saver.
You can also enable hot corners by:
1. Open System Preferences and choose the Desktop and Screen Saver icon.
2. Select the Screen Saver tab.
3. Click Hot Corners
4. Select 'Start Screen Saver' for one of the corners and click OK
5. Click Show All
6. Select Security & Policy
7. Click the General tab
8. Enable "Require password for sleep and screen saver" and then set to 'immediately'
9. Close System Preferences.
Now when you move your mouse to that corner, the screen saver will come on and the machine will lock.
An alternative on the Mac to enabling the screen saver - press Shift+Control+Eject. This puts the display to sleep.
Back to top...

Protecting University Data - Desktop Encryption
You are at the center of secURity.
What is it?
Full disk encryption protects data on all areas of your computer’s internal hard disk from unauthorized access when the computer is off. Once encrypted, if your desktop or laptop should be stolen or misplaced, the computer’s data will not be accessible without proper login credentials. This protects individuals who may have sensitive information stored on your computer system, and protects the University by ensuring sensitive and confidential data are not released to unauthorized personnel.
Any laptop or desktop that contains or has ever contained legally restricted information such as Protected Health information (PHI), Personally Identifiable Information (PII) including SSN’s etc, or other information such as an employee’s home address, phone number, birth dates or personal email address must be encrypted.
If you have more questions, please reference:
University departments:
http://www.rochester.edu/it/encryption/faq.html.
Medical Center:
http://intranet.urmc-sh.rochester.edu/InfoSystems/
HelpResources/Security/FullDiskEncryption.asp
How do I get my computer encrypted?
As part of a University-wide program to improve data security, University Information Technology has been deploying full disk encryption for designated departments that handle high-risk sensitive data, while the Information Systems Division has been deploying to all URMC computers.
If your computer needs to be encrypted…
Windows XP, 2000, 2003, Vista, Windows 7 and Macintosh users
- University departments - call the IT Center at 275-2000.
- Medical Center - call the ISD Help Desk at 275-3200
Back to top...

Protecting University Data - Backing up Your Data
You are at the center of secURity.
Click here for a PDF version of this tip that can be used as a poster.
Many people rely on computers to store important information. If this sounds like you, then be sure to back up your data in case of computer theft or malfunction.
You should:
- Backup information that cannot easily be replaced, such as email, address books, bookmarks, personal projects, documents, and digital photographs.
- Backup to removable media, such as an external hard drive.
- Store backup media in a secure location. A good place is a fire proof safe or safety deposit box, since the media is a collection of your most important information. It is a goldmine for someone looking to steal it.
- If sensitive or confidential data is contained within your backups, use additional protection measures.
- Remember: Legally Restricted Information (SSN, HIPAA, FERPA, financial, PCI, personnel records) in paper form must be stored in locked or otherwise secured areas when not in active use. Legally Restricted Information in electronic form must be stored in secure designated data centers or, if authorized to be stored elsewhere, only in encrypted (or similarly protected) form. It must not be stored on desktop, laptop or other portable devices or media without encryption or similar protection. Contact Information Technology (University IT or ISD) or a Privacy Officer for advice and assistance.
Visit http://www.rochester.edu/it/policy/index.php to review the University's IT Policy.
Visit http://www.rochester.edu/it/security/data/backups.html for more information on backing up your important digital data.
Back to top...

Protect Your Data - Seven Practices for Safer Computing
You are at the center of secURity.
Click here for a PDF version of this tip that can be used as a poster.
OnGuardOnline.gov, maintained by The Federal Trade Commission (FTC), provides practical tips from the federal government and the technology industry to help you be on guard against Internet fraud, secure your computer, and protect your personal information.
See their 7 Practices For Safer Computing for detailed information about the following practices. Use these practices to help stay safe with your personal computer use.
1. Protect your valuable personal information
2. Know who you are dealing with
3. Use security software that updates automatically
4. Learn about the security features of your operating system and Web browser
5. Protect your passwords
6. Back up important information
7. Know what to do in an e-emergency
Back to top...

Protecting Your Data: Top 10 Security Tips
You are at the center of secURity.
We recommend you use these tips to help keep you and your data safe:
1. Keep your computer updated
2. Download files legally
3. Keep personal information safe
4. Lock your computer
5. Log off public computers
6. Back up important data
7. Scan email attachments
8. Create strong passwords
9. Limit social network information
10. No wireless routers or switches
Additional information about these tips can be found by clicking here. This can also be printed and used as a poster within your area.
Back to top...

Password Protection - Password Storing Tools
You are at the center of secURity.
The average user has roughly 15 password protected accounts. With the need to keep your passwords unique and secure, this can be very complicated to manage.
There are numerous products available to aid with your password management, the most common of which is a password safe. A password safe encrypts all of your usernames and passwords using one strong master password. Although we are not endorsing any of these products specifically, some examples include:
Free Software Product
One software product that is available free of charge is KeePass Password Safe. Information about KeyPass can be found at: http://keepass.info/.
Commercial Software Products
There are several commercial software products available to assist with your password needs. A 2011 Password Management Software Review Product Comparison can be found by clicking here.
Portable Devices
Portable devices can also be used to manage your password storing needs. Some available products include:
- MyLOK by ii2P
- Password Memory
- Logio Secure Password Organizer
- Password Wallet
There are numerous other products that we did not mention here. The important message is that you find a method that works for you, and use it to help keep your personal information safe. Also, most password storing tools should require you to set a password. Be sure to use a strong password when setting this up.
Back to top...

Data Privacy - January is Data Privacy Month
You are at the center of secURity.
We will be spending this month helping to raise awareness about keeping private information private.
It is your obligation to keep any private information that you have access to from being shared with others. This includes any information shared for example in the hallway, over lunch, or through social media.
We have created a couple of posters to help promote this idea. Feel free to print and post within your area. Click here to access a poster for University departments/areas. Click here to access a poster for URMC areas.
For additional information about Data Privacy, you can reference the Educause site at http://www.educause.edu/focus-areas-and-initiatives/policy-and-security/educause-policy/community-engagement/data-privacy-month. Educause will be providing weekly webinars throughout the month focusing on different areas of data privacy.
StaySafeOnline.org also provides information, with an emphasis on Data Privacy Day, as an effort to empower people to protect their privacy and control their digital footprint and escalate the protection of privacy and data as everyone's priority.
Back to top...

Data Privacy - Information Lasts Forever
You are at the center of secURity.
Our focus continues on Data Privacy this month.
You can find and print a poster version of this tip that can be placed within your area by clicking here.
Social and Professional Networking
One of the important messages we want you to remember is once you post something on a social or professional networking site such as Facebook or LinkedIn, it stays there forever. Some important points are:
- Don't post important personal information about yourself such as social security number, address, phone number, or bank and credit card account numbers.
- Never post personal or protected information about someone else. This includes information about students, faculty or staff, doctors or nurses, or patients.
- This is not the place to talk negatively about anyone or anything. Remember schools, colleges, and future employers can get access to the information you post, and this will form one of their first impressions of you.
URMC Public Relations has put together a social media toolkit that provides some helpful guides at http://www.urmc.rochester.edu/news/social-media-toolkit/.
You need to keep private data private, yours and also other people's.
The Case of the Cyber Criminal (Game)
With this game, a techie spy and his cunning crew are out to get your personal information. Stop them cold by proving you're ready to protect yourself online. Access the game by clicking here.
Back to top...

Data Privacy - Data Classifications
You are at the center of secURity.
Our focus continues on Data Privacy this month.
Access to information owned by the University is generally broadly consistent with the concept of academic freedom and the open nature of the institution. However, there are types of information where access must be restricted and caution in handling and storing the information is necessary.
Data Classifications
We classify data as either Legally Restricted, Confidential, Internal University Use Only, or Public Information.
For information about each of these classifications, please reference Data Security Classifications At A Glance.
Policy Website
You can also reference the Information Technology Policy website at:
http://www.rochester.edu/it/policy/
Here, you will find important information concerning privacy, data classification and access restrictions, and enforcement within the IT Policy.
You will also find links to the Acceptable Use Policy, Copyright and File-Sharing, Credit Card Policy, Email Use Policy, Mobile Device Standard, Multifunctional Devices and Copiers Policy, Record Retention Policy, and SSN Policy.
Be sure to check the Policy website occasionally as this will be the area where any new Information Technology policies will be added.
Back to top...

Data Privacy - BBB Names Top Ten Scams of 2012
You are at the center of secURity.
Our focus continues on Data Privacy this month.
The Better Business Bureau has named the Top Ten Scams of 2012.
Please review the following list, and remember that it is always important to protect your private information.
1. Top Overpayment/Fake Check Scam: Car Ads
2. Top Emergency Scam: Grandparents Scam
3. Top Employment Scam: Mystery Shopping
4. Top Advance Fee/Prepayment Scam: Nonexistent Loans
5. Top Phishing Scam: President Obama Will Pay Your Utility Bills
6. Top Sweepstakes/Lottery Scam: Jamaican Phone Lottery
7. Top Identity Theft Scam: Fake Facebook Tweets
8. Top Home Improvement Scam: Sandy "Storm Chasers"
9. Top Sales/Rental Scam: Real Stars, Fake Goods
10. Scam of the Year: Newtown Charity Scams
Further information about each of these scams can be found by going to http://www.bbb.org/us/article/better-business-bureau-names-top-ten-scams-of-2012-39388.
Back to top...

Cloud Computing - Protect University Data
You are at the center of secURity.
Click here for a PDF version of this tip that can be used as a poster.

The cloud computing model has been criticized by privacy advocates for the greater ease in which the companies hosting the cloud services control, and thus, can monitor at will (whether permitted or not by their customers), the communication between the host company and the end user, as well as the user's stored data.
To protect University data, it is imperative that no legally restricted or confidential data be placed in a cloud environment that is not sanctioned by the University. This would include environments such as Dropbox, Gmail, Facebook, LinkedIn, etc. that are not sanctioned.
If you have a question as to whether it is safe to use a cloud service, please contact your area Information Security Officer.
Back to top...

Cloud Computing - Best Practices - Self Audit
You are at the center of secURity.
Click here for a PDF version of this tip that can be used as a poster.
We put more and more of ourselves in the cloud every day. Email, device settings, data synchronization between devices, and access to much of our digital selves is tied to a handful of cloud service accounts with Google, Apple, Microsoft, and others. These accounts can easily be put at risk if they are too interconnected.
Best Practices - Self-Audit
There are things you can do to make yourself less vulnerable to potential hacks or compromises of cloud services, or at least limit the damage that can be done if one is exposed. Perform a self-audit of your identity in the cloud to find and fix potential problems:
- Do you use strong passwords, and change them regularly?
- Do you share access to your cloud services with other people, such as family members or friends?
- Do you use the same email address and password as your credentials for more than one service?
- Do you use two-factor authentication? Using two-factor authentication allows you help protect your account by not only asking for something you know (your password), but it asks for something you have. In many cases this would be an application on your smart phone that generates a numeric code that you type into the web site, or a text message that the site sends your mobile phone when you login.
- Do you use the same credentials for iCloud and Amazon?
- Do you use the same cloud-based email account as your password recovery contact address for more than one service?
- Do you have multiple webmail accounts connected into a single mailbox?
- How hard is it to guess or research your answer to your chosen security question?
There are also some local protection items that you should consider:
- Do you keep a local backup in addition to cloud backups?
- Do you really need to reach back to that computer? Only turn cloud synchronization on when you need it—and have virus scanners checking your synced folders.
- How often do you update your malware and Web browsing protection?
Further information about all of these items can be found at http://arstechnica.com/information-technology/2012/08/secure-your-digital-self-auditing-your-cloud-identity/
Reminder - to protect University data, it is imperative that no legally restricted or confidential data be placed in a cloud environment that is not sanctioned by the University. This would include environments such as Dropbox, Gmail, Facebook, LinkedIn, etc. that are not sanctioned.
If you have a question as to whether it is safe to use a cloud service, please contact your area Information Security Officer.
Back to top...

Cloud Computing - Did You Know?
You are at the center of secURity.
Click here for a PDF version of this tip that can be used as a poster.
We put more and more of ourselves in the cloud every day. Email, device settings, data synchronization between devices, and access to much of our digital selves is tied to a handful of cloud service accounts with Google, Apple, Microsoft, and others. There are both advantages and disadvantages for doing so.
Advantages
- The use of cloud services reduces the risks involved with physically carrying data around on removable media.
- Users often have on-demand access to their information anywhere they can connect to the internet.
- Cloud services can provide easier collaboration with others due to ease of accessing and transferring information.
Disadvantages
- Control: Cloud services often run on an external or third party provider’s system, unlike systems directly under the user’s personal or institutional control. It is important to know who is actually storing your information and how it is being protected.
- Security: Cloud vendors often have transparent or inadequate service level agreements, which do not clarify their level of security and privacy regarding your data.
- Reliability: Many cloud vendors are new businesses and their future and success is uncertain. What would happen to your data if they fail or change their services? What happens if the service is temporarily down when you need to access your account?
Reminder - to protect University data, it is imperative that no legally restricted or confidential data be placed in a cloud environment that is not sanctioned by the University. This would include environments such as Dropbox, Gmail, Facebook, LinkedIn, etc. that are not sanctioned.
If you have a question as to whether it is safe to use a cloud service, please contact your area Information Security Officer.
Back to top...

Protect Your Data - Vishing: New Take on an Old Scam
You are at the center of secURity.
What is Vishing?
With many people catching on to the risks of clicking links within an email, or providing personal information through digital communication (most often referred to as “phishing”), many scammers are resorting back to the telephone. “Vishing” (voice phishing) is the attempt from scammers to acquire your personal information via the phone.
Typically, the criminal will contact the victim directly or will leave a message, requesting that the victim returns a call to verify an account or some similar scheme. When the victim returns the call, they are asked to provide account and identifying information under the pretenses of "updating" the account.
Vishing Video
Watch the following video that shows a vishing scheme: http://www.youtube.com/watch?v=jjECkBcHBbo
Tips to Avoid Vishing
To avoid vishing scams, remember the following tips:
- Banks and credit card companies will never ask you to call a number and provide account information. If they are asking for your full social security number or account number, they are most likely not legitimate.
- If the call sounds suspicious, hang up and call the institution that is requesting the information directly by referring to the number listed on the back of the card, monthly statement or from their official website.
- Speak only to a live person when providing account information.
- Don’t respond to text messages or automated voice messages from unknown or blocked phone numbers.
- Report the suspicious call to the institution, which can then work with authorities to find the scammers.
Back to top...

Clean and Go Green - Digital Spring Cleaning
You are at the center of secURity.
Click here for a version of this tip that can be printed and used as a poster.

It is that time of year when you break out the broom, vacuum, and old dust rag. However, keep in mind that spring cleaning is more than just tidying up around the house. Over the past year your work computer has been collecting digital dust in the form of countless emails, unorganized files, and a hard-drive filled nearly to its max.

In order to help make your computer and your life more efficient and secure, follow these simple steps and clean up your digital clutter.
http://www.rochester.edu/it/security/SpringClean
Back to top...

Clean and Go Green - Record Disposal
You are at the center of secURity.
Click here for a version of this tip that can be used as a poster.
The University of Rochester requires that some specific types of records be retained for specific periods of time and in designated official repositories. Other records, documents or correspondence (those records not required to be retained or those that are in the possession of individuals or departments other than the official repository for the record) should be disposed of when they are no longer needed for active use by those who possess them.
The University Policy on Record Retention can be found at http://www.rochester.edu/adminfinance/records.html. The policy includes a schedule of records, the time of required retention and the designated repository.
As you dispose of any old paper records, please be sure to dispose of these properly based upon the information they contain. Please be sure to shred or otherwise render unreadable confidential or legally restricted paper records If they don't contain confidential or legally restricted data, then be sure to recycle! Information about what is classified as legally restricted or confidential data can be found at http://www.rochester.edu/it/policy/assets/pdf/At%20a%20Glance%20Data%20Classifications.pdf.
Back to top...

Clean and Go Green - Device Disposal
You are at the center of secURity.
What is the best way to dispose of University electronic devices? University IT offers easy and secure recycling for consumer electronics from all University departments. Information about electronic equipment disposal can be found at http://www.rochester.edu/it/security/data/disposal.html
For personal devices, there are several places that now accept old equipment to be recycled. Before providing your device to such a place, or passing it along to anyone else, please be sure to remove all data from the device. For cell phones, this should include performing a factory reset. If you are unsure of how to do this, please see your cell phone manufacturers web site.
Back to top...

Mobile Computing Device - Don't lose your smartphone!
You are at the center of secURity.
So What Would You Do If You Found A Smartphone?
The Symantec Smartphone Honey Stick Project was an experiment involving 50 "lost" smartphones. Before the smartphones were intentionally lost, a collection of simulated corporate and personal data was placed on them, along with the capability to remotely monitor what happened to them once they were found. The intent of the project was to help businesses and individuals to understand some of the most likely threats to smartphones and their associated information.
Here is what they found:
- 96 percent of lost smartphones were accessed by the finders of the devices
- 89 percent of devices were accessed for personal related apps and information
- 83 percent of devices were accessed for corporate related apps and information
- 70 percent of devices were accessed for both business and personal related apps and information
- 50 percent of smartphone finders contacted the owner and provided contact information
We suggest you watch this MSNBC video - The "lost" cell phone project, and the dark things it says about us that highlights the results of the project. (Sorry for the advertisement at the beginning of it. Be patient - it is worth the wait to see the video)
What Should I Do If I Lose My Smartphone?
If you are the victim of a lost/stolen smartphone, some things for you to consider are:
- If a mobile device containing University of Rochester information is lost or stolen, report the loss immediately to University of Rochester Security, the University or Medical Center Chief Information Security Officer, and a Privacy Officer (if it was used to access or store Medical Center information).
- Call your phone from another phone to see if the person who has it picks up and will return it.
- File a police/security report on the lost/stolen phone, etc.
- Perform a remote wipe/lock/message if you have an iPhone and you've downloaded the "Find my Phone" app.
Minimum Requirements For Mobile Devices
To help protect your device, you should meet the following requirements:
- Physical Protection - Individuals must keep mobile devices with them at all times or store them in a secure location when not in use
- Password Protection - Access to the mobile device must be protected by the use of a password
- Encryption - University data classified as Legally Restricted Information must not be stored on a storage card or the device (including with cached email) without proper encryption, password protection and inactivity timeout.
- Inactivity time out Protection - Inactivity timeout must be set. The recommended inactivity timeout is 15 minutes but must not exceed 60 minutes
- Proper Disposal - Any residual settings, data, and applications on the mobile device must be removed or wiped prior to disposal or transfer to another user. All attached storage cards that contain Legally Restricted Information must be destroyed or wiped so no data recovery is possible.
Further requirements and recommendations for mobile devices can be found within the University or Rochester Mobile Computing Device Security Standards.
Back to top...

Mobile Computing Device - Safety Video
Please view our video to show what a mobile device is, why the University is concerned about the security of mobile devices, why a mobile device standard is needed, and how you can stay safe on the go.
This video is also available from the Mobile Computing Device Standards website at http://www.rochester.edu/it/policy/MobileDevice.html.
Back to top...

Protect Yourself

Create a Strong Password You Can Remember

Click here for a PDF version of this tip that can be printed as a poster.

Strong passwords are important protections to help you have safer online transactions. An ideal password is long (14+ characters) and complex, containing letters, punctuation, symbols, and numbers.

There are many ways to create a long, complex password. Here is one way that may make it easier to remember:

What to do	Example
Start with a sentence or two (about 10 words total).	I hate snow. I'd much rather be at the beach. (10 words)
Turn your sentences into a row of letters.	ihsimrbatb (10 characters)
Add complexity with upper and lower case letters.	IHSimrbATb (10 characters)
Add length with numbers.	IHS75imrbATb (12 characters)
Add length with punctuation.	!IHS75imrbATb (13 characters)
Add length with symbols.	!IHS75imrbATb#(14 characters)

Test Your Password Strength
If you aren’t sure about how strong your password is, use a secure password checker.

Things to keep in mind when creating a password:

Use the entire keyboard, not just the most common characters. - Symbols typed by holding down the "Shift" key and typing a number are very common in passwords. Your password will be much stronger if you choose from all the symbols on the keyboard, including punctuation marks not on the upper row of the keyboard, and any symbols unique to your language.
Avoid using any personal information - Any novice hacker can easily find out your full name, the names of your spouse or children, your pets, or your favorite sports teams. Never choose a password that has anything to do with you personally.
Don’t use real words - You shouldn't use any actual word that can be found in a dictionary as well as words spelled backwards, common misspellings, and abbreviations. Passwords like that can be easily cracked by password software.
Avoid common sequences or repeated characters - Examples: 12345678, 222222, abcdefg, or adjacent letters on your keyboard (qwerty).
Use a password management tool – The main reason that users choose passwords that are easy to crack is that they want to choose passwords that are easy to remember. If you have many passwords that you have a hard time remembering, using a password management tool you only have to remember one password.
Keep your passwords safe – Learn how here.

Read an article about common passwords that hackers love here.

National Consumer Protection Week
March 1 - 7, 2009 is the 11th Annual National Consumer Protection Week. This year's campaign is Nuts and Bolts: Tools for Today's Economy, which is intended to highlight consumer education efforts across the nation. Information can help people get the most for their money, whether they are trying to stretch their paychecks, find a quick fix for a spotty credit history, or tell the difference between a real deal and a potentially fraudulent product or service.
Visit the National Consumer Protection Week website (http://www.consumer.gov/ncpw/) to get the information needed to make informed decisions in today’s marketplace.
Back to top...

Physical Safety
Click here for a PDF version of this tip that can be used as a poster.
Do you know how to contact UR Security? Who to call in the event of an emergency? Report a crime, parking lot incident, or strange occurrence?
Look to the back of your ID badge!
Important University Emergency Phone Numbers: This will connect you to a University Security Emergency Dispatcher
- Dial x13 From Any University Phone
- Dial #413 From Any AT&T or Verizon Cell Phone. Program your AT&T or Verizon cell phone to call #413 for University emergencies. It works anywhere in Monroe County.
- Use x13 or #413 to report University emergencies - dialing 9-1-1 will not provide your exact location and may hinder assistance.
Not Inside or Without Your Cell Phone? Pick up a Blue Light Emergency Phone:
- Pick up a Blue Light Emergency Phone receiver and to be connected to an emergency dispatcher. No dialing is required. If you are being followed, simply drop the receiver and walk toward another blue light emergency phone, repeat and keep walking – the emergency dispatcher will know your direction of travel and dispatch assistance.
- Picture of a Blue Light Emergency Phone: http://security.rochester.edu/emerg.html
- Using x13, #413 and the Blue Light Emergency Phones will provide emergency services, including UR Security, Rochester Police, Ambulance and Fire Department.
Important Non-Emergency Phone Numbers:
- Call UR Security: Dial 275-3333 for non-emergency issues.
- Call University Operators: Dial “0” from any University phone, or dial 275-2121 or 275-2100 from any non-University external phone
For more information, see UR Security’s http://www.security.rochester.edu/
Back to top...

10 Scams to Screen from Your Email
Click here for a PDF version of this tip that can be used as a poster.
Email users have lost money to bogus offers that arrived as spam in their inbox. Con artists are very cunning; they know how to make their claims seem legitimate. Some spam messages ask for your business, others invite you to a website with a detailed pitch.
To help minimize your risk:
- Protect your personal information. Only provide your credit card or other personal information when you're buying from a company you know and trust.
- Know who you're dealing with. Don't do business with any company that won't provide its name, street address, and telephone number.
- Never give confidential information to an unknown person over the phone, no matter what they seem to know about you. Even if the call seems legitimate, tell the caller that you will call them back via a telephone number that you can verify independently, such as a number listed in a telephone directory
- Take your time. Resist any urge to "act now" despite the offer and the terms. Once you turn over your money, you may never get it back.
- Read the small print. Get all promises in writing and review them carefully before you make a payment or sign a contract.
- Never send money for a "free" gift. Disregard any offer that asks you to pay a fee for a gift or prize. Free means free.
Some of the more common scams include:
1. The "Nigerian" Email Scam
2. Phishing
3. Work-at-Home Scams
4. Weight Loss Claims
5. Foreign Lotteries
6. Cure-All products
7. Check Overpayment Scams
8. Pay-in-Advance Credit Offers
9. Debt Relief
10. Investment Schemes
Visit http://onguardonline.gov/spam.html for more information about these scams, or http://www.rochester.edu/uit/security/data/e-mail.html for more information concerning email safety.
Back to top...

Five Safe Email Practices
Click here for a PDF version of this tip that can be used as a poster.
Although many people think of email as being an "electronic letter," it's actually more like a postcard that can be read by any number of people along the route between sender and recipient. It can be easily forged and does not afford privacy. Because email is not secure, here are important tips to keep in mind when emailing:
1. Confidential Information
- Never put anything in an internet-based email you're not willing to share with the world.
- Beware of emails that attempt to lure you into divulging personal information.
- Never click links in a message that request personal or financial information.
For more information about phishing, visit http://www.rochester.edu/it/security/yourself/phishing.html.
2. Attachments
Attachments require special attention since even ones coming from friends' computers could contain viruses. Following these tips can help lower the chance of infecting your computer:
- Minimize the use of attachments as much as possible.
- Question unsolicited file attachments.
- Never open attachments from unknown sources or even from trusted senders if you weren't expecting them.
- Question executable (.EXE) programs received via email.
3. Strange Messages
- Examine your list of new messages carefully before you open them.
- Don't reply to unsolicited "spam" mail, or other harassing or offensive email.
- Disable the preview feature in email programs such as Outlook Express. This feature can allow you to unknowingly execute the code in an infected email. To turn off the Preview Pane in Outlook Express, go to the top menu bar > View > Reading Pane > Off.
4. Infected Files
If you receive an infected file from a friend, you should notify them as soon as possible. Do this if you know the person and are certain that the originating email address is accurate. This helps the sender correct the problem within their system before passing the virus on to others.
5. Antivirus Software
Having up-to-date antivirus software installed on your computer is critical. This will help protect your machine and the machines of others on the internet.
For more information about antivirus protection for your computer, visit http://www.rochester.edu/it/security/computer/antivirus.html.
Back to top...

11 Ways to Prevent Email Spam
Click here for a PDF version of this tip that can be used as a poster.
1. Use more than one email address: one for personal email and the other for mandatory fields in online forms and access areas.
2. Never post your real email address anywhere online, especially in newsgroups, online chat rooms and online profiles.
3. Always check the privacy policy of any website that requests personal details, such as email addresses. Do not submit your information if the website does not allow you to opt out or does not have a privacy policy.
4. When you are responding via website form, read it thoroughly. Some websites that include an opt-out option usually require you to check a box that you agree to be sent email (either from them or their associates). However, some of them ask that you uncheck a pre-checked box not to be sent email and many consumers have gotten burned by that.
5. Never open email and/or download attachments from anyone if you are not expecting them and always virus scan attachments first.
6. Block future messages from unknown users, if your email client allows it.
7. Never reply to a spam email, not even to “unsubscribe."
8. Keep your operating system, anti-virus, anti-spyware and firewall software up-to-date.
9. Use any spam filters available by default from your ISP.
10. Use anti-virus software and/or firewalls on every computer you own/use. Remember that children are easy prey to the “just click here” tactic so remind them not to click.
11. Stay up to date with current scams and always report suspicious activity.
Back to top...

Top 10 Scams and Rip-Offs of 2009
The Better Business Bureau has released the top 10 Scams and Rip-offs of 2009. These include:
1. Acai Supplements and Other “Free” Trial Offers
2. Stimulus/Government Grant Scams
3. Robocalls
4. Lottery/Sweepstakes Scam
5. Job Hunter Scams
6. Google Work from Home Scam
7. Mortgage Foreclosure Rescue/Debt Assistance
8. Mystery Shopping
9. Over-Payment Scams
10. Phishing e-mails/H1N1 spam
Further information about each of these scams can be found by clicking here.
Remember - consumers or small business owners victimized by a scam can contact their local Better Business Bureau or file a complaint at www.bbb.org. Always research a business with the Better Business Bureau before you sign any contracts or hand over any money.
Back to top...

Four Steps to Take if Your Identity is Stolen
Click here for a PDF version of this tip that can be used as a poster.
If you are a victim of identity theft, take the following four steps as soon as possible, and keep a record with the details of your conversations and copies of all correspondence.

1. Place a fraud alert on your credit reports, and review your credit reports.
Fraud alerts can help prevent an identity thief from opening any more accounts in your name. Contact the toll-free fraud number of one of the three consumer reporting companies on www.annualcreditreport.com to place a fraud alert on your credit report. The company you call is required to contact the other two, which will place an alert on their versions of your report, too. The Fair Credit Reporting Act guarantees you access to a free credit report from each of the three nationwide reporting agencies every twelve months.
2. Close the accounts that you know, or believe, have been tampered with or opened fraudulently.
Call and speak with someone in the security or fraud department of each company. Follow up in writing, and include copies (NOT originals) of supporting documents. Send your letters by certified mail, return receipt requested, so you can document what the company received and when.

Once you have resolved your identity theft dispute with the company, ask for a letter stating that the company has closed the disputed accounts and has discharged the fraudulent debts to have proof if errors relating to this account reappear on your credit report.

3. File a complaint with the Federal Trade Commission.
This will provide important information that can help law enforcement officials across the nation track down identity thieves and stop them.

You can file a complaint with the FTC using the online complaint form; or call the FTC's Identity Theft Hotline, toll-free: 1-877-ID-THEFT (438-4338); TTY: 1-866-653-4261; or write Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580. Be sure to call the Hotline to update your complaint if you have any additional information or problems.

4. File a report with your local police or the police in the community where the identity theft took place.
Call your local police department and tell them that you want to file a report about your identity theft. Ask them if you can file the report in person. If you cannot, ask if you can file a report over the Internet or telephone.
Visit the FTC's Defend site for more information.
Back to top...

Identity Protection
Click here for a PDF version of this tip that can be used as a poster.
Awareness is an effective weapon against identity theft.
- Become aware by learning how information is stolen and what you can do to protect yourself.
- Monitor your personal information to uncover problems quickly and know what to do when you suspect your identity has been stolen.
- Your Social Security Number is a prime target for identity thieves. Only give out your Social Security Number and other personal identifying information when absolutely necessary.
- Many places use Social Security Numbers for user identification. Ask to use an alternate number if possible.
- Do not print your Social Security Number on personal checks.
- Do not carry your Social Security card with you.
Make identity thieves' jobs more difficult by arming yourself with knowledge on how to protect your identity and take action.
Visit http://www.rochester.edu/it/security/yourself/id_theft2.html for more information about Identity Theft and Protection.
Back to top...

Facebook Privacy Settings
Click here for a PDF version of this tip that can be printed and used as a poster.
Facebook's frequent policy changes and unclear privacy settings can be confusing. Privacy Defender can help manage this confusion by automatically configuring your Facebook privacy settings. Not only is it easy to use, but it is FREE!
To access this application, go to http://apps.facebook.com/privacydefender/. Select your desired level of privacy protection and Privacy Defender does the rest.
Privacy Defender is made available by Reputation Defender, a leading comprehensive online reputation management and privacy company.
Faculty and Staff please follow your department's guidelines regarding use of social networking sites.
Back to top...

Social Security Number and Personal Identifying Information
In January, 2009, the University adopted a formal policy on the collection, maintenance and distribution of Social Security numbers (SSN) and Personal Identifying Information (PII). The policy specifies how to protect Social Security Number and employee Personal Identifying Information, which includes such things as employee home address and home telephone number, as well as employee SSN.
- The policy applies to any medium – paper, microfiche, electronic, etc.
- The first protection step is to reduce the number of places sensitive data is stored. By being thoughtful about what really needs to be retained, and then consolidating storage locations from individual offices to a departmental office or to the University’s Official Repository for that data (see new Data Retention Policy), the risk of exposure can be greatly reduced.
- Leverage the "Clean and Go Green" initiative as a way to clear out unnecessary collections of SSN and PII.
- As you dispose of unneeded copies of SSN and PII, you must do so in a manner that makes the data unreadable and unrecoverable.
- If you decide that you need to retain a particular data collection containing SSN, you must register the collection with a Privacy Officer of the University. This registration is to be completed by June 30, 2009.
Where can I get help?
Information concerning the SSN and PII policy is located at http://www.rochester.edu/its/policy/SSN-PII/
If you still have questions, or would like a University Privacy Officer to attend one of your staff meetings to discuss this topic, please call:
University-wide
273-1804
Medical Center specific
275-7059
Back to top...

Phishing is not just for email!
Click here for a PDF version of this tip that can be printed and used as a poster.
Cybercriminals are expanding upon the traditional email phishing campaigns to also target social networks. Here, they can easily use social engineering attacks, such as putting up fake web applications or other means, to steal confidential data.
Some tips to help protect yourself when using social networks includes:
1. Use caution when you click links
2. Know what you've posted about yourself
3. Don't trust a message is really from who it says it's from
4. To avoid giving away email addresses of your friends, do not allow social networking services to scan your email address book.
5. Type the address of your social networking site directly into your browser or use your personal bookmarks
6. Be selective about who you accept as a friend on a social network
7. Choose your social network carefully
8. Assume everything you put on a social networking site is permanent
9. Be careful about installing extras on your site
10. Think twice before you use social networking sites at work
11. Talk to your kids about social networking
Further information about these tips can be found at http://www.microsoft.com/protect/parents/social/socialnet.aspx
Back to top...

Log Out of Public Computers
Click here for a PDF version of this tip that can be used as a poster.
To help protect yourself, and your data, please remember to log all the way out of your accounts on public computers or kiosks when you are finished using them. You are responsible for what happens on a computer system while you are logged into that system.
If the person before you forgot to log out, be courteous and log out for them. To log out of the Public Kiosks, follow the directions on the kiosks’ desktop.

The University of Rochester has taken the necessary steps to make each of the public stations safe for your use. It is up to you to take other precautionary measures to stay safe when using public computers.
- Don’t save any of your login information including usernames and passwords.
- Be aware of potential over-the-shoulder snoops.
- Don’t leave the computer unattended with sensitive information on the screen.
- Don’t enter sensitive information into a public computer like your social security number or any banking information.
- Delete browser history before leaving a public station.
Back to top...

12 Scams of Christmas
A leading security technology company is providing some helpful tips when it comes to online usage this holiday season:
1. Charitable phishing scams. Be wary of e-mails that appear to be from legitimate charities. Not only will they take your money and deprive charities of needed funds, but they will also steal your credit card information and identity.
2. Fake invoices from delivery services. Scammers are sending out fake invoices and delivery notifications appearing to come from Federal Express, UPS, the US Postal Service or even the U.S. Customs Service saying that they were unable to deliver a package to your address. They ask you to confirm your address and give them credit card information to pay for delivery.
3. Social networking friend requests. Beware of authentic looking friend requests via e-mail. Don't click on the links within e-mail, but instead log into Facebook and other services and look for friend requests from the site itself. Clicking on a link could install malware on your computer or trick you into revealing your password.
4. Holiday e-cards. These can be used to deliver malware, pop-ups, and other forms of unwanted advertising. Some fake e-cards will look like they come from Hallmark or other legitimate companies, so pay close attention and make sure it's from someone you know.
5. Fake "luxury" jewelry. If you see an offer for luxury gifts from companies like Cartier, Gucci, and Tag Heuer at a price that's too good to be true, it probably isn't true. These links could lead you to malware and take your money for merchandise that will probably never arrive (or be fake if it does).
6. Practice safe holiday shopping. Make sure your wireless network is secure, and be sure you're shopping on sites that are secure. Though it isn't an iron clad guarantee, you should look for the lock icon in the lower right corner of your browser and make sure the Web page starts with https.
7. Christmas carol lyrics can be dangerous. Bad guys know that people are searching for holiday related sites for music, holiday graphics, and other festive media. During this time, they create fraudulent holiday related sites.
8. Job search related scams. Beware of online offers for high paying jobs or at-home money making schemes. Some of these sites ask for money up front, which is a good way for criminals not only to steal your "set up fee" but misuse your credit card too.
9. Auction site fraud. There is a rise in fake auction sites during the holidays. Make sure you're actually going to eBay or whatever site you plan to deal with if you are making purchases through an auction site.
10. Password stealing scam. Criminals use low-cost tools to uncover passwords, in some cases planting key logger software to record keystrokes. Once they get your passwords, they gain access to bank accounts and credit card accounts and send spam from your e-mail accounts.
11. E-mail banking scams. A common type of phishing scam is sending out official looking e-mails that appear to come from your bank. Don't click on any links but type in your bank's web address manually if you need to access your account.
12. Files for ransom. Hackers use malware to gain control of your computer and lock your data files. To access your own data, you have to pay them ransom.
Back to top...

Top 10 Scams and Rip-Offs of 2010
The Better Business Bureau has released the top 10 Scams and Rip-offs of 2010. Those looking for jobs, and those struggling to make money and get out of debt were common targets in this tough economy.
The Better Business Bureau saw approximately a 30 percent increase in 2010 of complaints about debt relief and settlement services. Complaints about the timeshare industry - including deceptive resellers - increased by over 40 percent. Another large increase of roughly 40 percent was with itinerant home repair and roofers.
The top ten items include:
1. Job Hunter Scams
2. Debt Relief and Settlement Services
3. Work from Home Schemes
4. Timeshare Resellers
5. Not So "Free" Trial Offers
6. Itinerant Home Repair/Roofers
7. Lottery and Sweepstakes Scams
8. Identity Theft
9. Advance Fee Loan Scams
10. Over-Payment Scams
Further information about each of these scams can be found by clicking here.
Remember - consumers or small business owners victimized by a scam can contact their local Better Business Bureau or file a complaint at www.bbb.org. Always research a business with the Better Business Bureau before you sign any contracts or hand over any money.
Back to top...

6 Mistakes To Help Your Identity Thief
You are at the center of secURing your data
Six common mistakes that help identity thieves get access to your data are:
- Exposing your social security number
- Being careless with mail
- Not securing sensitive information
- Not checking your credit reports
- Not scrutinizing bills and bank statements
- Entering sensitive information on public computers
Helpful tips to prevent each of these mistakes can be found by clicking here.
As a reminder, we are providing a chance for you to win a $25 iTunes Gift Card or even an iPod Nano by participating in our Security Awareness quizzes this month. This week's quiz is on Identity Theft, and can be accessed by clicking here.
Back to top...

Copyright and File Sharing
Did you know the University receives hundreds of copyright infringement notifications for students, faculty and staff? These notifications can lead to disconnection from the Internet and fines for students. Notifications pertaining to staff members are passed to their managers for the first offense, and Human Resources for subsequent offenses. Staff members have been dismissed for copyright infringement violations. Faculty members have the first notification passed to their department chair, second notifications are passed to the department chair and the Dean’s Office.
Do not utilize University networks to download or share illegally obtained copyrighted materials. There are many alternatives to illegal file sharing. Please visit http://www.rochester.edu/its/security/yourself/file-sharing.html for more information concerning copyright and file sharing and to explore links for legal music and movies.
When you connect to the University using VPN, for example from home or coffee shop or conference site, your computer is subject to the same rules and regulations as a computer located at work.
As a reminder, we are providing a chance for you to win a $25 iTunes Gift Card or even an iPod Nano by participating in our Security Awareness quizzes this month. This week's quiz is on Copyright and File Sharing and can be accessed by clicking here.
Back to top...

Don't Get Hooked by a Phishing Expedition
Click here for a PDF version of this tip that can be used as a poster.
If you are ever asked to click on an email link to provide security or personal information, use extreme caution! Most of these request types are actually "phishing scams" to obtain your secure information. Lenders, brokerages, and banks would never ask for confidential information via e-mail as it is not a secure method.
If you ever have a question as to whether a request is valid, call the business entity and ask. They can confirm appropriate information requests.
Visit http://www.rochester.edu/it/security/yourself/phishing.html for more information about Phishing.
As a reminder, we are providing a chance for you to win a $25 iTunes Gift Card or even an iPod Nano by participating in our Security Awareness quizzes this month. This week's quiz is on Phishing and can be accessed by clicking here.
Back to top...

Beware of Japan Earthquake Relief Scams and Malware
We are seeing reports of scams and malware associated with the tragedy in Japan. Be on the alert!
Every time there is a natural disaster involving human suffering, scammers set up fake charity sites. We're seeing reports of scams involving charitable donations and malware disguised as video of the events in Japan. Responding to these scams could lead to compromised accounts, identity theft and loss of money from your bank accounts. The scammers' use of social media increases the likelihood that you'll be exposed to these scams.
FBI Recommendations (further information)
- Do not respond to any unsolicited (spam) incoming e-mails, including clicking links contained within those messages.
- Be skeptical of individuals representing themselves as surviving victims or officials asking for donations via e-mail or social networking sites.
- Verify the legitimacy of nonprofit organizations by utilizing various Internet-based resources that may assist in confirming the group's existence and its nonprofit status rather than following a purported link to the site.
- Be cautious of e-mails that claim to show pictures of the disaster areas in attached files because the files may contain viruses. Only open attachments from known senders.
- Make contributions directly to known organizations rather than relying on others to make the donation on your behalf to ensure contributions are received and used for intended purposes.
- Do not give your personal or financial information to anyone who solicits contributions: Providing such information may compromise your identity and make you vulnerable to identity theft.
What To Do If You Suspect You Are a Victim
- If you are the recipient or victim of an online scam the FBI recommends you report any suspected online scams to the Internet Crime Complaint Center at http://www.ic3.gov
- If you believe your password may have been compromised, contact the appropriate Help Desk by calling 275-2000 for University departments or 275-3200 for Medical Center departments.
If You Want To Help
The following agencies are responding to the crisis:
- Red Cross: www.redcross.org
- CARE: www.care.org
For More Information
- Sophos recommends "Don't fall for Japanese Tsunami charity scams"
- Internet Storm Center provides "Japan Earthquake: Possible scams/malware"
- Better Business Bureau "Tips for Giving to Earthquake Relief Efforts in Japan"
- SC Magazine "Japan earthquake unleashes web scams, malware"
- lifehacker.com provides "How to Give to Japanese Recovery Efforts Without Getting Scammed"
Back to top...

Staying Safe with Skype
Click here for a PDF version of this tip that can be printed as a poster.
You are at the center of secURity.
Skype is a software application which allows users to instant message, voice chat, and share files with other Skype users.
- Never use Skype to transfer University files, including documents and data files, and never accept documents from others.
- Skype cannot be used for University conversations that contain confidential information.
- University IT does not condone the use of Skype.
Services like Skype open unsuspecting users to viruses, hackers, and identity thieves. To stay safe while using Skype do the following:
- Read Skype’s Privacy Policy to understand Skype and what you can or cannot do
- Read Skype's Online Safety Web Page
  - Create a strong and unique password
  - Always use antivirus software
  - Keep Skype up-to-date
  - Update Skype’s privacy settings
  - Do not authorize people whom you do not know and/or do not want to talk to
  - Remember:
    - The public parts of your profile can be seen by everyone on Skype
    - Don’t put things in your profile that you wouldn't’t normally share with strangers
    - You don’t have to complete your profile and can modify it at any time
  - Never respond to emails that request your credit card details
  - Know how to protect yourself against:
    - online fraud, spam and viruses
    - phishing
  - If you think your account has been compromised, change your password immediately
Visit http://www.rochester.edu/it/security/yourself/passwords.html for more information about strong passwords, and to try the password checker to test the strength of your password.
Back to top...

Epsilon Data Breach - How Can You Protect Yourself?

Many of you likely received emails from Epsilon earlier this month notifying you of a data security breach. With this particular breach, names and email addresses were taken.
Be Very Careful
With this type of breach, you should be on the alert for potential "phishing" schemes. "Phishing" is a scam where internet fraudsters send spam or pop-up messages to lure personal and financial information from unsuspecting victims.
There have been reports of scammers taking advantage of the Epsilon data breach. Some references include:
BBB Warns of Phishing Email Received from Epsilon Data Breach from Better Business Bureau
Scammers take advantage of Epsilon data breach, in Virus Bulletin
What Can You Do?
OnGuardOnline.gov provides the following tips to help avoid being caught by a "phishing" scheme:
- If you get an email or pop-up message that asks for personal or financial information, do not reply. And don't click on the link in the message, either.
- Area codes can mislead.
- Use anti-virus and anti-spyware software, as well as a firewall, and update them all regularly.
- Don't email personal or financial information.
- Review credit card and bank account statements as soon as you receive them.
- Be cautious about opening any attachment or downloading any files from emails you receive, regardless of who sent them.
- Forward phishing emails to spam@uce.gov.
- If you believe you've been scammed, file a complaint with the Federal Trade Commission at www.ftc.gov/complaint.
You can also receive additional information at http://www.rochester.edu/it/security/yourself/phishing.html.
Back to top...

Pharming
Click here for a PDF version of this tip that can be used as a poster.
You are the center of secURity.
What is pharming?
Pharming is a hacker's attack to redirect a legitimate website's traffic to a bogus website where a user can be fooled into entering sensitive data such as a password, bank account or credit card number. Once personal information has been entered at a fraudulent website, criminals have the information they need for identity theft. Pharming can be conducted either by changing the host’s file on a victim’s computer or by exploiting a vulnerability in domain name server (DNS) software.
Take these simple precautions to protect yourself from pharming:
- Before clicking on a link in a browser window, place your mouse over the link and check the link's address that's displayed in the bar at the bottom left of the window
- Confirm that a website has a valid certificate of authority, from a service such as VeriSign, which matches the site's name before you enter any personal data.
- Only use a secure web site when submitting credit card or other sensitive information via the web browser. The beginning of a secure web site address should read “https”. The ‘s’ on the end of http signifies it is a secure site.
- Avoid completing forms in email messages that ask for personal financial information.
- Change the default password that came with your wireless router to your own unique, strong password.
- Make sure your browser is up to date and security patches are applied.
- Regularly check bank, credit card, and debit card statements to ensure all transactions are legitimate.
If you believe that you have been a victim of pharming, notify the Internet Crime Complaint Center (IC3) by filing a complaint on the IC3's web site: www.ic3.gov.
Back to top...

Mobile Device Safety
You are at the center of secURity.
Mobile devices can perform a variety of tasks: take pictures, send text messages, surf the Web, and more. Be sure to take the same precautions on mobile devices as you would with your computer in regard to messaging and online safety.
Click here to access the University's Mobile Computing Device Security Standards.
Here are some tips to keep you safe on the go:
- Do not use your mobile phone to communicate with strangers. Never reply to text messages from people you don't know. Only give your number to people you know and trust, and do not give out anyone else's number without their permission.
- Know how to block others from calling your phone. Using caller ID, you can block all incoming calls or block individual names and numbers.
- Make a record of your Electronic Serial Number (ESN) and/or your International Mobile Equipment Identity (IMEI) number. You can get your IMEI number by pressing *#06# on your mobile phone's keypad. It will display a 15 digit number - that is your IMEI number. The IMEI number is used to identify a valid device, and can be used for stopping a stolen phone from accessing the network.
- If your phone is lost or stolen, report it to your local police station and your network operator immediately.
- Encrypt your mobile device if it contains PHI (Protected Health Information) or PII (Personally Identifiable Information).
- Think about how a text message might be read or interpreted before you send it.
- You should never take pictures or videos of anyone with your phone if you do not have their permission.
- Do not allow others to take pictures or videos of you without your permission. Remember - these pictures and videos can be posted to the Internet.
- Be careful if you meet someone in real life who you only "know" through text messaging. Even though text messaging is often the "next step" after online chatting, that does not mean that it is safer.
Back to top...

Password Protection - Comic and Quiz for Prizes!
We thought you might enjoy the following comic to go along with this month's emphasis on choosing strong passwords to help protect yourself and your data.

Quiz -- Win Prizes!!
To wrap up this month's campaign, we want to provide you with an opportunity to be entered for a random drawing to win one of three $25 gift cards to University IT Computer Sales by successfully completing our quiz. You can get to the quiz by clicking here.
Back to top...

12 Scams of Christmas 2011
‘Tis the season for consumers to spend more time online - shopping for gifts, looking for great holiday deals on new digital gadgets, e-planning family get-togethers and of course, using online or mobile banking to make sure they can afford it all. But before logging on from a PC, Mac, or mobile device, consumers should look out for the “12 Scams of Christmas,” the dozen most dangerous online scams this holiday season, provided by a leading security technology company.
Things to look out for include:
1. Mobile Malware
2. Malicious Mobile Applications
3. Phony Facebook Promotions and Contests
4. Scareware, or Fake Antivirus software
5. Holiday Screensavers
6. Mac Malware
7. Holiday Phishing Scams
8. Online Coupon Scams
9. Mystery Shopper Scams
10. Hotel "Wrong Transaction" Malware Emails
11. "It" Gift Scams
12. "I'm away from home" Scammers
Further information about each of these can be found by clicking here.
How To Protect Yourself
You can protect yourself from these cybercrimes by following these tips:
- Only download mobile apps from official app stores, such as iTunes and the Android Market, and read user reviews before downloading them.
- Be extra vigilant when reviewing and responding to emails.
- Watch out for too-good-to-be-true offers on social networks (like free airline tickets). Never agree to reveal your personal information just to participate in a promotion.
- Don’t accept requests on social networks from people you don’t know in real life. Wait to post pictures and comments about your vacation until you’ve already returned home.
Back to top...

Mobile Device Protection - Mobile Device Reminders and Safety Tips
You are at the center of secURity.
Mobile Device Reminders
With this being a busy time of year for gift-giving and receiving, we want to remind you to take all necessary steps to secure any mobile devices that you are using, and to dispose of any old mobile devices properly.
- All mobile devices should maintain minimum security requirements related to physical protection, password protection, encryption, and inactivity time out protection. Please review the University's Mobile Computing Device Security Standards website by clicking here.
- If you are disposing of an old device, be sure to remove or wipe any residual settings, data, and applications before either disposing of it or giving it to someone else to use.
- If a mobile device containing University of Rochester information is lost or stolen, report the loss immediately to University of Rochester Security, the University or Medical Center Chief Information Security Officer, and a Privacy Officer (if it was used to access or store Medical Center information).
Tips to Keep you Safe on the Go
Mobile devices can perform a variety of tasks: take pictures, send text messages, surf the Web, and more. Be sure to take the same precautions on mobile devices as you would with your computer in regard to messaging and online safety.
- Do not use your mobile phone to communicate with strangers. Never reply to text messages from people you don't know. Only give your number to people you know and trust, and do not give out anyone else's number without their permission.
- Know how to block others from calling your phone. Using caller ID, you can block all incoming calls or block individual names and numbers.
- Make a record of your Electronic Serial Number (ESN) and/or your International Mobile Equipment Identity (IMEI) number. On most phones, you can get your IMEI number by pressing *#06# on your mobile phone's keypad. It will display a 15 digit number - that is your IMEI number. The IMEI number is used to identify a valid device, and can be used for stopping a stolen phone from accessing the network.
- If your phone is lost or stolen, report it to your local police station and your network operator immediately. If the phone contains University data, report the loss immediately to University of Rochester Security, the University or Medical Center Chief Information Officer, and a Privacy Officer (if it was used to access or store Medical Center information).
- Encrypt your mobile device if it contains PHI (Protected Health Information) or PII (Personally Identifiable Information).
- Think about how a text message might be read or interpreted before you send it.
- You should never take pictures or videos of anyone with your phone if you do not have their permission.
- Do not allow others to take pictures or videos of you without your permission. Remember - these pictures and videos can be posted to the Internet.
- Be careful if you meet someone in real life who you only "know" through text messaging. Even though text messaging is often the "next step" after online chatting, that does not mean that it is safer.
Back to top...

Illegal Downloading - How Can You Avoid Digital Piracy?
You are at the center of secURity.
Click here for a version of this tip that can be used as a poster.
The Motion Picture Association of America, Inc. provides a web site that has helpful information to Respect Copyrights. It provides detail as to what to do if you receive a notice from the MPAA, and a listing of where you can get movies and TV shows legally.
They realize you have many choices when it comes to purchasing and viewing your favorite movies and TV shows online. They provide the following tips to help you make the right choices:
1. Watch for titles that are "Too New to be True"
Movies that have yet to be released in theaters, or which are still out in theaters, are not legally available online. If very recent titles are being sold or traded online, they are almost invariably illegal copies.
2. Trust Your Eyes and Ears
In many cases, the quality of illegal copies is inferior with poor sound and can appear blurry or shaky.
3. Be Cautious When Websites Make Offers that are Too Good to be True
Be wary of "too good to be true" offers, such as those for "free" content when searching for and purchasing downloads from unfamiliar sites; they typically indicate pirated product. Look-out for terms like "Unlimited Movie Downloads," "100% legal," and "Millions of Files Shared." Offers for one-time or yearly fees with no details and no contact information should also alert you that you have entered an illegal site. If the site avoids disclosing its location (for example, if there is no address in its contact information), this can also be a sign of an illegal website.
You can access this website by clicking here.
Back to top...

Don't Pass On Chain Messages Or Send Warnings To Everyone You Know
You are at the center of secURity.
Click here for a PDF version of this security tip that can be used as a poster.
Chain messages are a burden on email systems and to the vast majority of the people who receive them. The simple response is to not pass them on.
You may get messages from friends, warning you about a new virus, health scare, charity appeal or con trick. These are very likely to be hoaxes or just plain wrong.
Be very suspicious of messages that ask you to pass them to "everyone you know". That leads to an endless chain of forwarded messages that go on long past any real or imagined threat.
If it is really convincing, pass it to your IT Helpdesk for them to consider.
Back to top...

Password Protection - Passwords That Work

You are at the center of secURity.
Click here for a version of this tip that can be printed and used as a poster.
A good password has a system for creating codes that are easy to remember but hard to crack. Here are guidelines for creating effective and memorable passwords:
- Choose a phrase that's at least five words long. It could be a book, a song title or quote. Draw your core password from that, perhaps by using the first letter of each word. For example, the first letters of the book title The Cat in the Hat Comes Back are: tcithcb. This step protects you from an attack where someone tries to crack your phrase using known words and proper names.
- Now alter some of it. Replace some lowercase letters with capital letters, numbers or symbols. For example: Tc!tHc6 capitalizes the first and fifth letter, replaces the "i" with an exclamation point, and replaces the "b" with the number 6.
- Customize the password for each use. Add a character or three to the core password to ensure that every pass phrase is at least seven characters long and includes a number. Generate an extra letter and number based on the name of the program you're accessing. For example: o5Tc!tHc6 could be a password for a Yahoo Web mail account, adding an "o" for the last letter of Yahoo, and a 5, for the number of letters in Yahoo.
- Write down your hint. Now you can write down a mnemonic device that will jog your memory without being obvious to anyone else. Hide this piece of paper or keep it in your wallet. For example, you could write down "basic: cat" to recall the Dr. Seuss title.
- Establish different levels of passwords. Use different core phrases to develop passwords for online banking, for accounts that use your credit card and for those that don't involve financial information. If you can't change your password every 90 days, do so whenever daylight-saving time starts and stops.
Back to top...

Password Protection - Check the Strength of Your Password
You are at the center of secURity.
Click here for a version of this tip that can be printed and used as a poster.
Your online accounts, computer files, and personal information are more secure when you use strong passwords to help protect them. Passwords are the first line of defense for all users. If someone knows your password, all other security is useless!
Reminders:
- At no time and under no circumstances should you share your password or login using someone else's password.
- If someone contacts you and asks you for your password on behalf of The University of Rochester, please contact your appropriate Helpdesk so we can investigate.
- Do not use the "Remember Password" feature of applications (e.g., web browser).
- Do not store passwords in a file on ANY computer system (including smart phones, thumb drives or any similar device) without encryption.
Check Your Password Strength
The strength of a password depends on the different types of characters that you use, the overall length of the password, and whether the password can be found in a dictionary.
You can check the strength of your password by using the following secure password checker.
Back to top...

Illegal Downloading - Video
You are at the center of secURity.
Sharing or downloading copyrighted files without permission over the UR network is illegal and a violation of University policy.
Check out our video that shows some of the effects of downloading illegal music.
Back to top...

Identity Protection - Five Ways to Protect Against Identity Theft
You are at the center of secURity.
Click here for a PDF version of this tip that can be printed and used as a poster.
Identity theft occurs when someone uses your name, Social Security number, credit card number, or some other piece of your personal information for financial gain. Thieves often use this information to apply for a credit card, make unauthorized purchases, gain access to your bank accounts, or obtain loans under your name.
Five tips to help protect your identity:
1. When you order checks, instead of your first name, have only your initials and last name put on them. If someone takes your checkbook, they will not know how you sign your checks. But your bank will know.
2. Do not sign the back of your credit cards. Instead put "PHOTO ID REQUIRED".
3. When writing checks to pay on your credit card accounts, DO NOT put the complete account number on the "For" line. Instead, just put the last four digits.
4. Don't list any telephone number on your checks. You can always write it on the check at the time of the transaction. If you have a PO Box, use that instead of your home or work address.
5. Place the contents of your wallet on a photocopy machine. Copy both sides of each license, credit card, etc. If your wallet is ever stolen, you will have a record of all the account numbers and phone numbers when you call to cancel your cards. Store in a secure place and update the copies when you change cards.
More information about Identity Theft can be found at http://www.rochester.edu/it/security/yourself/id_theft2.html.
Back to top...

Identity Protection - Awareness Video
You are at the center of secURity.
Please watch our Identity Theft awareness video to hear about the personal experiences of one of our team members who was a victim of Identity Theft.
Back to top...

Identity Protection - Zombie Survival Game
You are at the center of secURity.
Please try our Identity Protection "Zombie Survival Game" for a fun way to check your identity protection knowledge. You can access the game by clicking here.
Back to top...

Phishing Protection - Don't Fall for Phishing Schemes
Click here for a PDF version of this tip that can be printed and used as a poster.
You are at the center of secURity.
We have seen a large increase in the number of phishing emails that are being circulated. Several news sources are cautioning people to beware of charity scams in wake of Hurricane Sandy.
Could you tell if an email message requesting personal information was legitimate? In most cases you can trust your instincts, if an email message looks suspicious, it probably is. However there are some messages that look like the real thing but aren't.
Even for legitimate emails from places you do business with, you should always ignore the links in the emails and go directly to the business's website. For example, if you get an email that refers to your account at your bank or here at the University of Rochester, you should go to your browser and type in the url that you normally use to log into your bank or the University of Rochester myidentity system (http://myidentity.rochester.edu).
Do you know how to spot a phishing email?
It could be a phishing email if...
- There are misspelled words in the e-mail or it contains poor grammar.
- The sender's name doesn't seem related to the sender email address.
- The message is making you an offer that is too good to be true.
- The message is asking for personally identifiable information, such as credit card numbers, account numbers, passwords, PINs or Social Security Numbers.
- There are "threats" or alarming statements that create a sense of urgency. For example: "Your account will be locked until we hear from you" or "We have noticed activity on your account from a foreign IP address."
- The domain name in the message isn't the one you're used to seeing. It's usually close to the real domain name but not exact. For example:
  - Phishing website: www.regionsbanking.com
  - Real website: www.regions.com
- Beware that some phishing emails use attachments (coupons, etc) which can house malware.
How good are you at spotting phishing emails? Test your knowledge with these quizzes.
- http://www.onguardonline.gov/games/phishing-scams.aspx
- http://www.washingtonpost.com/wp-srv/technology/articles/phishingtest.html
- http://www.sonicwall.com/phishing/
Back to top...

Social Networking - Safety Tips
You are at the center of secURity.
Click here for a PDF version of this tip that can be used as a poster.
As the popularity of social networking sites such as MySpace, Facebook, Twitter, and LinkedIn grow, so do the risks of using them. Hackers, spammers, virus writers, identity thieves, and other criminals follow the traffic.
Protect yourself and your privacy online by being…

…proactive:
- Understand the privacy policy for any social networking site you plan to use.
- Customize your privacy settings to restrict access to only certain people; the default settings for some sites may allow anyone to see your profile.
- Limit the amount of personal information you post, especially information that would make you vulnerable, such as your address or information about your schedule or routine.
- Be considerate when posting information, including photos, about your friends.
- Accept ‘friends’ on a social network selectively; identity thieves create fake profiles in order to get information from you.
- Protect your account with passwords that cannot easily be guessed.
…aware:
- You are personally responsible for the information that you post. Once you post information online, you can't delete it. Only post information you are comfortable with anyone seeing. This includes information and photos in your profile and in blogs and other forums.
- Don't trust that a message is really from who it says it's from. Hackers can break into accounts and send messages that look like they're from your friends, but aren't. If you suspect a message is fraudulent, don’t open it.
- Don't believe everything you read online. People may post false or misleading information. Take appropriate precautions and verify the authenticity of any information before taking action. Treat links in messages on these sites as you would links in email messages.
- Be careful about installing extras on your site. Many social networking sites allow you to download third-party applications that let you do more with your personal page. Criminals sometimes use these applications to steal your personal information.
…responsible:
- When at work, follow your department's guidelines regarding the use of social networking sites. Many areas do not allow the use of social networking sites while at work.
- Never post business related information - especially photos or anything that includes Legally Restricted Information such as Social Security Numbers (SSN) or Protected Health Information (PHI).
- Talk to your kids about social networking. If you are a parent of a child who uses social networking sites explain what information is private, what pictures are okay to post, and how to decline requests to meet people.
- Use and maintain anti-virus software. Antivirus software recognizes most known viruses and protects your computer against them, so you may be able to detect and remove the virus before it can do any damage.
Back to top...

Consumer Protection - Online Shopping
Click here for a PDF version of this tip that can be used as a poster.
You are at the center of secURity.
Shopping on the Internet can be economical, convenient, and as safe as shopping in a store or by mail, especially if you follow the tips listed below. Remember to not use your work PC or work email address when shopping online as stated in the University's IT Policy at www.rochester.edu/it/policy.
- Know who you're dealing with.
  - Be sure the company has a physical address and phone number.
  - If the company is new to you, research them at the Better Business Bureau online (http://www.bbbonline.org).
  - Check the company's website for customer feedback.
- Know exactly what you're buying.
  - Read the seller's description of the product closely, especially the fine print.
  - Determine if the company has a return policy, and how easy the process is to follow, in case the product is not what you expected.
- Know what it will cost.
  - Factor shipping and handling — along with your needs and budget — into the total cost of the order.
- Pay by credit or charge card, for maximum consumer protection.
  - The safest way to shop on the Internet is with a credit card. In the event something goes wrong, you are protected under the federal Fair Credit Billing Act. You have the right to dispute charges on your credit card, and you can withhold payments during a creditor investigation. When it has been determined that your credit was used without authorization, you are only responsible for the first $50 in charges.
  - Obtain one credit card that you use only for online payments to make it easier to detect wrongful credit charges.
  - For more information on credit card consumer protections, see http://www.privacyrights.org/fs/fs32-paperplastic.htm#3
  - Always read the privacy statement before you fill in the blanks.
- Use secure web sites
  - Always verify that the site is using encryption before you submit any information — look for https in the web address and for a padlock or key on the web page. Never enter a password, or other personal information, into a site that does not show https.
- Don't send personal information (Social Security number, credit card number, etc.) in an email or through instant messaging.
- If you are required to set up an account, do not use a password that you are using elsewhere.
- Check out the terms of the deal, including refund policies and delivery dates.
- Print and save records of your online transactions.
- Consider using an escrow service, such as http://escrow.com.
  - This can reduce the potential risk of fraud by acting as a trusted third party that collects, holds and disburses funds according to Buyer and Seller instructions. There is generally a fee associated with using a service such as this.
More information about safe online shopping can be found at http://www.onguardonline.gov/topics/online-shopping.aspx.
Back to top...

12 Scams of Christmas 2012
The holidays are just around the corner and amid the hustle and bustle many of us will fire up our devices to go online, order gifts, and plan travel. But while we’re getting festive, the cybercriminals are getting ready to take advantage of the influx of your good cheer to spread scams and malware.
With online holiday shopping expected to grow 12.1% in the US alone this year, to as much as $96 billion, and more people than ever using social media and mobile devices to connect, the cybercriminals have a lot of opportunities to spoil our fun. Using multiple devices provides the bad guys with more ways to access your valuable “digital assets,” such as personal information and files, especially if the devices are under-protected.
According to a McAfee global study commissioned by MSI International last year, consumers place an average value of $37,438 on the “digital assets” they own across multiple digital devices, yet more than a third lack protection across all of those devices.
So, as you head online this holiday season, stay on guard and stay aware. Get familiar with the “12 Scams of Christmas” to ensure a safe and happy holiday season:
1. Social Media Scams
2. Malicious Mobile Applications
3. Travel Scams
4. Holiday Spam/Phishing
5. The new iPad, iPhone 5, and other hot holiday gift scams
6. Skype Message Scare
7. Bogus Gift Cards
8. Holiday SMiShing
9. Phony E-tailers
10. Fake Charities
11. Dangerous e-cards
12. Phony classifieds
Further information about each of these can be found by going to http://blogs.mcafee.com/consumer/12-scams-of-christmas-2012.
How To Protect Yourself
You can help protect yourself from these cybercrimes by following these tips:
- Stay suspicious - be wary of any offer that sounds too good to be true, and always look for telltale signs that an email or website may not be legitimate, such as low resolution images, misspellings, poor grammar, or odd links.
- Practice safe shopping - Stick to reputable e-commerce sites. Look for a lock symbol and "https" at the beginning of the web address (as opposed to just "http") to see if the site uses encryption to protect your data.
- Use strong passwords - Make sure your passwords are at least eight characters long and contain a variety of letters, numbers and characters that don't spell anything. Avoid using the same password for your important accounts, and never share your passwords with anyone.
- Be careful when clicking - Don't click on any links in messages from people you don't know.
- Computer security - make sure that your computer is kept current with patches, and has updated anti-virus software
Back to top...

Phishing Protection - Phishing Bells
Phishing is an e-mail fraud method in which the sender uses legitimate-looking email in an attempt to gather personal and financial information from recipients. Typically, the messages appear to come from well known and trustworthy Web sites.
For additional tips to help avoid Phishing, including a link to our newly created awareness video, you can visit https://www.rochester.edu/it/security/yourself/phishing.html.
We hope you enjoy our rendition of "Phishing Bells" to help remind you to be careful when clicking links found within your email.
Back to top...

Phishing Protection - Awareness Video
The University is experiencing a dramatic increase in targeted phishing and spam attacks. Faculty, staff, and students have been receiving emails that are created to look as if they came from University Information Technology, Information Systems Division, the IT Help Desk, or other support locations. The emails look remarkably like valid University communications - using the University logo, department names, and official branding or formatting.
Please view our video to gain some important tips regarding phishing.
Back to top...

Phishing Protection - Phishing Quiz - Can You Spot a Phish?
Test your phishing knowledge by trying this online quiz to see if you can identify a phishing attempt. The quiz is located at https://www.opendns.com/phishing-quiz/.
Back to top...

Better Business Bureau (BBB) Cautions Consumers to Watch Out for Scammers in Wake of the Boston Marathon Attack
You are at the center of secURity.
Often when there is an event involving human suffering, scammers set up fake charity sites. We're seeing reports of scams involving charitable donations emerging in the wake of the explosions at the finish line of the Boston Marathon.
BBB Wise Giving Alliance, which is an affiliate of the Council of Better Business Bureaus, urges donors to give thoughtfully and avoid those seeking to take advantage of the generosity of others:
BBB Wise Giving Alliance: Ten Tips for Giving with Confidence
1. Thoughtful Giving
Take the time to check out the charity to avoid wasting your generosity by donating to a questionable or poorly managed effort.
2. Help Spread the Wise Giving Word
Remind your friends and family to be cautious about giving requests in the wake of such a tragedy and ask them to spread the word as well.
3. State Government Registration
About 40 of the 50 states require charities to register with a state government agency (usually a division of the State Attorney General’s office) before they solicit for charitable gifts. If the charity is not registered, that may be a significant red flag.
4. Respecting Victims and Their Families
Organizations raising funds should get permission from the families to use either the names of the victims and/or any photographs of them.
5. How Will Donations Be Used?
Watch out for vague appeals that don’t identify the intended use of funds.
6. What if a Family Sets Up Its Own Assistance Fund?
Some families may decide to set up their own assistance funds. Be mindful that such funds may not be set up as charities. Also, make sure that collected monies are received and administered by a third party such as a bank, CPA or lawyer.
7. Online Cautions
Never click on links to charities on unfamiliar websites or in texts or emails.
8. Financial Transparency
After funds are raised for a tragedy, it is even more important for organizations to provide an accounting of how funds were spent.
9. Newly Created or Established Organizations
This is a personal giving choice, but an established charity will more likely have the experience to quickly address the circumstances and have a track record that can be evaluated.
10. Tax Deductibility
Not all organizations collecting funds to assist this tragedy are tax exempt as charities under section 501(c)(3) of the Internal Revenue Code. Donors can support these other entities but keep this in mind if they want to take a deduction for federal income tax purposes.
Further information about these items is located at http://www.bbb.org/us/article/bbb-warns-of-charity-scams-offers-giving-tips-in-wake-of-boston-marathon-bombing-41366

Back to top...

Clean and Go Green - Your Facebook Friends List
You are at the center of secURity.
Do you know who all your friends are?
There is a wealth of information available on your Facebook account that can be used for identity theft. Go through your friends list and ask yourself, “Do I really know this person? Would I trust them with my personal information?”
If the answer is “no”, consider unfriending them. If you are not willing to unfriend them, take a look at what you are sharing in your facebook profile and consider cleaning up your profile so you are sharing less personal information.
Since Facebook continually adds new sharing features, it is also a good idea to occasionally check your privacy settings to make sure you are only sharing what you want to share.

Click here for information on how to unfriend someone on Facebook.
Back to top...

Mobile Computing Device Reminders and Safety Tips
You are at the center of secURity.
Click here for a version of this tip that can be printed and used as a poster.
Mobile Device Reminders
We want to remind you to take all necessary steps to secure any mobile devices that you are using, and to dispose of any old mobile devices properly.
- All mobile devices should maintain minimum security requirements related to physical protection, password protection, encryption, and inactivity time out protection.
  - All University Departments should review the University's Mobile Computing Device Security Standard at http://www.rochester.edu/it/policy/MobileDevice.html
  - URMC Departments should review the URMC standard at https://intranet.urmc-sh.rochester.edu/infosystems/mobile/mobile_devices.asp
- If you are disposing of an old device, be sure to remove or wipe any residual settings, data, and applications before either disposing of it or giving it to someone else to use.
- If a mobile device containing University of Rochester information is lost or stolen, report the loss immediately to University of Rochester Security, the University or Medical Center Chief Information Security Officer, and a Privacy Officer (if it was used to access or store Medical Center information).
Tips to Keep you Safe on the Go
Mobile devices can perform a variety of tasks: take pictures, send text messages, surf the Web, and more. Be sure to take the same precautions on mobile devices as you would with your computer in regard to messaging and online safety.
- Do not use your mobile phone to communicate with strangers. Never reply to text messages from people you don't know.
- Only give your number to people you know and trust, and do not give out anyone else's number without their permission.
- Encrypt your mobile device if it contains PHI (Protected Health Information) or PII (Personally Identifiable Information). Information about what is considered PHI or PII can be found in the Data Classification document.
- Think about how a text message might be read or interpreted before you send it.
- You should never take pictures or videos of anyone with your mobile device if you do not have their permission. To all URMC workforce members, you cannot take pictures of patients, non-public areas of the Med Center, etc. without specific written authorization from the patient.
- Do not allow others to take pictures or videos of you without your permission. Remember - these pictures and videos can be posted to the Internet.
- Be careful if you meet someone in real life who you only "know" through text messaging. Even though text messaging is often the "next step" after online chatting, that does not mean that it is safer.
Back to top...

Did You Know?

Backscatter
If you’ve got questions, we’ll find the answers. Once a month, the University Security & Policy team will answer your information security questions in a new Security Tip of the Week feature called Did You Know? Please email your questions to UnivIT_SP@ur.rochester.edu.
Have you ever received an email informing you that a message was not delivered, but you never sent the message in the first place?
These “bounce back messages” fall under the category of unwanted email called backscatter and are the result of your email address being forged as the sender of spam messages.
Unfortunately, there is no way to avoid receiving these messages and no way to prevent your email address from being forged. However, by limiting where you post your email address online and giving it only to people and businesses you trust, you can reduce the risk that your address will be harvested by someone looking to use it for malicious purposes.
For more information, see our page on forged email.
Back to top...

Finding more security information on Facebook
You can get the latest news, tips, and computer store promotions from University Information Technology by becoming a fan on Facebook at http://www.facebook.com/UR.Technology.
Our weekly security tips will continue to be posted to http://www.rochester.edu/it/security/securitytipofweek.html as well as to our Facebook page.
Back to top...

March 7-13 is National Consumer Protection Week 2010
The theme for this year's campaign is "Dollars and Sense"
Visit http://consumer.gov/ncpw to get helpful information about topics such as
Banking
Credit and Debt
Health
Identity Theft and Privacy
Investing
Money
Mortgages
Rights and Responsibilities
Scam Watch
Back to top...

Facebook Users Targeted by Password-Stealing Virus
Facebook users should be on alert for any suspicious emails claiming to be from Facebook.
A recent email spam attack targeted towards the users of Facebook. This email tells recipients that the passwords on their accounts have been reset and to click on the attachment to get their new login credentials.
If the attachment is opened it downloads malware that steals passwords stored on your computer.
Read the full article here.
Remember: Only open an email attachment if you are POSITIVE about the source.
More information:
- Antivirus
- Malware
Back to top...

Enter to Win an iPod Nano - Help Us Get to 1,000 Fans
Win an iPod Nano...
…by becoming a “fan” of University IT on Facebook.
Become a fan of University of Rochester – Get Technology on Facebook for valuable tips on keeping your computer safe and secure, campus technology updates, and Computer Store promotions and specials. We're here to help you be in the know when it comes to technology at the University and staying secure online!
If we get to 1,000 fans by October 29, 2010, we will enter everyone into a drawing for a chance to win one of the new iPod Nanos. Join us today!
*Faculty and Staff please follow your department's guidelines regarding use of social networking sites.
Contest ends 12:00 Noon on October 29, 2010.
Back to top...

Stop. Think. Connect.
As part of National Cyber Security Awareness month, please remember to always
Stop: Before you use the Internet, take time to understand the risks and learn how to spot potential problems.
Think: Take a moment to be certain the path is clear ahead. Watch for warning signs and consider how your actions online could impact your safety, or your family's.
Connect: Enjoy the Internet with greater confidence, knowing you've taken the right steps to safeguard yourself and your computer.
STOP. THINK. CONNECT. Protect yourself and help keep the web a safer place for everyone.
So how cyber savvy are you? Try these interactive quizzes to see just how savvy you are:
Online Safety
Identity Theft
Laptop Security
Phishing Scams
Email Scams
Peer-to-peer file sharing
Remember to become our fan on Facebook (University of Rochester - Get Technology). If we reach 1,000 fans by October 29, 2010, we will put everyone's name in for a chance to win a new iPod Nano.
Back to top...

Gadgets May Come Preloaded with Viruses
Did you know some of today's hottest gadgets may be preloaded with viruses?
Apple iPods , flash/thumb drives, digital picture frames, and TomTom navigation gear have all been guilty of harboring viruses fresh out of the package in the past. The viruses on these devices can steal passwords, open doors for hackers or make computers targets for spam attacks.
How to protect your computer:
- Keep your antivirus software up to date
- Scan It! - Any time you plug in a new device, like a memory card, digital picture frame, mp3 player or navigation device, into your computer be sure to perform a virus scan on it before you run any programs associated with it
- Disable AutoRun - AutoRun allows executable files on a drive to be run automatically when that drive is accessed. By disabling t AutoRun you can decrease the chances of infecting your computer.
Learn how to disable AutoRun on your Windows system here.
Back to top...

Test Your Security Awareness - Your Chance to Win an iTunes Gift Card or an iPod Nano
Over the next month we will run a series of Information Technology security-based quizzes. Answer the questions correctly and you will be entered for a chance to win one of four iTunes gift cards. At the end of 4 weeks, all those that entered at least one quiz, and answered it successfully, will be entered for a chance to win an 8GB iPod Nano.
Click here to get to this week's quiz.
To stay up to date on what University IT has in store become a fan of us on Facebook, and look for the Security Tip of the Week every week in the Weekly Buzz and @Rochester.
Back to top...

Acceptable Use Policy
You are at the center of secURity.
The University of Rochester's Policy on Acceptable Use of Information Technology and Resources was recently updated. This new version is intended to consolidate several separate Acceptable Use policies (Wireless, Resnet, Remote Access, and NetID) into one document that encompasses all Information Technology and Resources.
The policy establishes specific requirements for the use of all computing and network resources at the University of Rochester.
Please review this updated policy to understand what you can and cannot do when using University of Rochester computing resources.
Back to top...

The Case of the Cyber Criminal
What type of free software may include spyware?
Do you know the answer? Test your knowledge by playing The Case of the Cyber Criminal from OnGuard Online. Here you can test your cyber smarts with any of the interactive quizzes on everything from spam and spyware to phishing and file-sharing.
Back to top...

Regulatory Compliance - Digital Millennium Copyright Act
You are at the center of secURity.
How many DMCA notices is the University receiving?
For the 2010-2011 academic year, the University received 412 illegal file sharing notifications from copyright holders. The University sent out 249 first time notifications and 84 second time notifications resulting in network disconnections.
DMCA (Digital Millennium Copyright Act) was passed by Congress in October 1998 to provide legal protection of copyrighted material. The purpose of copyright is to protect the rights of the creators of intellectual property. Copyright holders have the sole right to copy, modify, and distribute their works. Therefore copyright helps to prevent the unauthorized use or sale of these works.
If the University receives a complaint against you from the Recording Industry Association of America (RIAA), the Motion Picture Association of America (MPAA), or other copyright holding associations, you will be notified by email. For each complaint filed against you, there will be escalating consequences:
- 1st complaint-
  - Employee's supervisor will be notified of the violation.
  - Students will receive a warning from University IT and an informal letter of warning from the Dean of Students Office.
- 2nd complaint-
  - Employee's Human Resources representative and their supervisor will be notified and appropriate actions will be taken.
  - Students will have their NetID account suspended and will incur a $150 reconnection fee. In addition, there will be official disciplinary action from the Dean of Students' Office (e.g. disciplinary probation and community service).
After the second complaint, there may be other actions taken.
Here are a few court cases that have made the news.
- Court orders Jammie Thomas to pay RIAA $1.92 million
- BU student ordered to pay $675,000 in downloading case
Back to top...

Identity Protection - ID Theft FaceOff Game
As part of National Cyber Security Awareness month, please remember to always
Stop: Before you use the Internet, take time to understand the risks and learn how to spot potential problems.
Think: Take a moment to be certain the path is clear ahead. Watch for warning signs and consider how your actions online could impact your safety, or your family's.
Connect: Enjoy the Internet with greater confidence, knowing you've taken the right steps to safeguard yourself and your computer.
STOP. THINK. CONNECT. Protect yourself and help keep the web a safer place for everyone.
As part of our focus on Identity Protection this month, try this fun, interactive game to see how you would handle your identity getting stolen.
Back to top...

Email Use Policy
You are at the center of secURity.
The University has adopted and published a new policy related to the proper use of email.
The Email Use Policy is intended to describe the permitted use of University email. This is an overarching policy, and does not replace more specific policies on specific email use (such as emailing of Legally Restricted data such as PHI).
All University faculty and visiting faculty, physicians, staff, students, contractors, volunteers, and guests who are provided email services managed by or for the University of Rochester are to follow this new policy.
Please review this policy for information related to the proper use of email, official email addresses, email forwarding, confidentiality and security, misuse, local policies permitted, retention and disposal, and sanctions.
The Email Use Policy is located on the IT Policy website, and can be accessed by clicking here.
Back to top...

Illegal Downloading - Digital Millennium Copyright Act
You are at the center of secURity.
Click here for a version of this tip that can be used as a poster.
Click here for a different version of this tip that can be used as a poster.
How many DMCA notices is the University receiving?
For the 2010-2011 academic year, the University received 490 illegal file sharing notifications from copyright holders. The University sent out 249 first time notifications and 84 second time notifications resulting in network disconnections.
For this portion of the 2011-2012 academic year, the University has received 206 notices from September 2011 - January 2012. The University has sent out 114 first time notifications and 10 second time notifications resulting in network disconnections.
What is Digital Millennium Copyright Act?
DMCA (Digital Millennium Copyright Act) was passed by Congress in October 1998 to provide legal protection of copyrighted material. The purpose of copyright is to protect the rights of the creators of intellectual property. Copyright holders have the sole right to copy, modify, and distribute their works. Therefore copyright helps to prevent the unauthorized use or sale of these works.
The University's Acceptable Use Policy prohibits illegal downloading of copyrighted music, movies, books, images, etc.
If the University receives a complaint against you from the Recording Industry Association of America (RIAA), the Motion Picture Association of America (MPAA), or other copyright holding associations, you will be notified by email. For each complaint filed against you, there will be escalating consequences:
- 1st complaint-
  - Employee's supervisor will be notified of the violation.
  - Students will receive a warning from University IT and an informal letter of warning from the Dean of Students Office.
- 2nd complaint-
  - Employee's Human Resources representative and their supervisor will be notified and appropriate actions will be taken.
  - Students will have their NetID account suspended and will incur a $150 reconnection fee. In addition, there will be official disciplinary action from the Dean of Students' Office (e.g. disciplinary probation and community service).
After the second complaint, there may be other actions taken.
Here Are A Few Court Cases That Have Made The News
- 50,000 Bit Torrent users sued for alleged illegal downloads
- Music Fan Owes $675,000 for Illegal Downloads, Court Rules
- Court orders Jammie Thomas to pay RIAA $1.92 million
- BU student ordered to pay $675,000 in downloading case
- Boston appeals court reinstates $675,000 judgment in illegal music downloading case
Back to top...

Students Talk About Social Network Safety
You are at the center of secURity.
Hear what some of our students have to say about social network safety.
Back to top...

Mobile Computing Device - Safety Video
You are at the center of secURity.
We've developed a video to show some of the things you should do to keep your mobile computing devices safe. Please click on the link below to view the video.

Back to top...

Students Talk About Password Security
You are at the center of secURity.
Hear what some of our students have to say about password security at the University of Rochester.
Back to top...

National Cyber Security Awareness Month - Identity Protection

You are at the center of secURity.
Click here to access the National Cyber Security Awareness 2012 poster that can be printed and hung within your area.
October marks the ninth annual National Cyber Security Awareness Month sponsored by the Department of Homeland Security. The theme for National Cyber Security Awareness Month 2012 is "Our Shared Responsibility."
Our Shared Responsibility means each of us must do our part. The actions we take may differ based on our personal and professional responsibilities. However, if each of us does our part - whether it's implementing stronger security practices in our day-to-day online activities, making sure the right tools are in place, raising awareness in the community, educating young people or training employees - together we will be more resistant and resilient, protecting ourselves, our neighbors and our country.
At the University of Rochester, we will be focusing on keeping your Identity Safe throughout this month. You can help to protect your identity by keeping your online accounts secure by making it difficult for someone to gain access to them.
Back to top...

Students Talk About Identity Theft
You are at the center of secURity.
You can find useful information about Identity Theft at http://www.rochester.edu/it/security/yourself/id_theft2.html.
Hear what some of our students have to say about Identity Theft.
Back to top...

Security Awareness at the University of Rochester
You are at the center of secURity.
Check out our video to see what some of our students have to say about information security at the University of Rochester.
Back to top...

Security Tip Highlights
You are at the center of secURity.
In case you missed our weekly security tips over the past school year, we wanted to highlight some of the important messages that will help keep you and your information safe.
Phishing
The University is experiencing a dramatic increase in targeted phishing and spam attacks. We created a video, which can be seen from this tip, to provide some important tips regarding phishing.
http://www.rochester.edu/it/security/securitytipofweek_archive.html#yourself42

Strong Passwords
Passwords are the first line of defense for all users. If someone knows your password, all other security is useless. Check this tip for some reminders on creating secure passwords, and to access a tool to check your password strength.
http://www.rochester.edu/it/security/securitytipofweek_archive.html#yourself32

Anti-virus
Did you know that anti-virus software is the most important security software that you can have on your computer? Did you know that it is also provided FREE to all University faculty, staff, and students? Check this tip for additional information on anti-virus software:
http://www.rochester.edu/it/security/securitytipofweek_archive.html#computer18

Keeping Your Computer up to Date
Keeping your computer updated with the latest patches, including security patches, is important to keeping your computer protected and your information secure. We provided the following tip that shows some ways to make your computer more attack resistant.
http://www.rochester.edu/it/security/securitytipofweek_archive.html#computer17

Further information
We have been maintaining an archive of all of the security tips that we have been using. If you would like to review any more of the tips, you can access the archive at:
http://www.rochester.edu/it/security/securitytipofweek_archive.html
Back to top...

Security Terms Dictionary
You are at the center of secURity.
Do you know the difference between "phishing", "vishing" and "smishing"? Impress your friends with your knowledge of the following information security terms…
Phishing
On the Internet, "Phishing" refers to criminal activity that attempts to fraudulently obtain sensitive information via email.
Vishing
The attempt from scammers to acquire your personal information via the phone.
Smishing
Uses cell phone text messages to lure consumers in.
Pharming
A scam where a hacker installs malicious code on a personal computer or server. This code then redirects clicks you make on a Web site to another fraudulent Web site without your consent or knowledge
Botnet
A network of private computers infected with malicious software and controlled as a group without the owners' knowledge, e.g., to send spam
Malware
A generic term for a number of different types of malicious code.
Spam
Unsolicited bulk messages, especially for advertising and usually delivered via email.
Worm
Malware computer program which replicates itself in order to spread to other computers
Drive-by Download
Software which is downloaded without a person's knowledge or consent. These are often a computer virus, spyware, or malware.
Keylogger
A program used to capture/record key strokes performed on a keyboard. This is usually done in a manner unknown to the user. Many times these are installed via malware to capture passwords or to bypass local security measures.
Spyware
Software which aids in gathering information about a person or organization without their knowledge and may send this information elsewhere without the user's consent.
Vulnerability
A weakness in a computer which allows an attacker to make unauthorized changes. These include unpatched operating systems, applications, and poor configurations of both.

If you are looking for more terms, the SANS organization, which is the leading organization in computer security training, has compiled a dictionary of security terms that you can use for reference. It is located at: http://www.sans.org/security-resources/glossary-of-terms/.

Back to top...