Personal Information Security Workshop Williams College Office for Information Technology (OIT)...


Page 1: Personal Information Security Workshop Williams College Office for Information Technology (OIT) Winter 2010.

Personal Information Security Workshop

Williams College Office for Information Technology (OIT)

Winter 2010

Page 2:

What is Personal Information?

Page 3:

If Nothing Else, Remember This:

• Legitimate online service providers, including OIT staff, will never, ever ask you for your password over the phone or by e-mail.

Page 4:

It’s the Law

• Protect Student Educational Records
– Family Educational Rights and Privacy Act (FERPA), enacted in 1974

Page 5:

It’s the Law: Protect Student Information

– FERPA covers living students and former students (in other words, alumni)
– Each educational institution defines “student directory information”
– Everything else is “non-directory information”
– Williams may release directory information
– Williams may not release non-directory information without prior consent of the student, except in specific circumstances (such as a subpoena)
– A student may request that their directory information not be published

Page 6:

It’s the Law: Protect Student Information

• Directory Information @Williams College
– Name
– Permanent and College addresses
– Campus electronic mail address
– Permanent and Campus telephone numbers
– Date and place of birth
– Country of citizenship
– Major field
– Extra-curricular activities
– Height and weight of members of athletic teams
– Dates of attendance
– Degrees, honors and awards
– Other schools attended

Page 7:

It’s the Law: Protect Student Information

In general, faculty and staff have access to personally identifiable, non-directory information about students as long as they have a legitimate educational interest in it, in other words a "need to know."

Releasing personally identifiable non-directory information to others without prior permission from the student or alumnus/a is illegal. You cannot, for instance, provide information about grades to others, even parents, unless the student or alumnus/a has given you prior permission to share the data. You cannot even share course registration information with other students.

Page 8:

It’s the Law

• Protect Personal Health Information
– Regulated by the Health Insurance Portability and Accountability Act (HIPAA) and other laws
– Personal Health Information (PHI) must be protected, including
  • Health Status
  • Provision of Health Care
  • Payment for Health Care
  • In general, any information about a patient’s medical record or payment history
– Defines administrative, physical, and technical safeguards for protecting PHI
– Some states require notification in case of a breach

Page 9:

It’s the Law: Protect Health Information

• HIPAA applies to faculty and staff information

• HIPAA does not apply to student health information at Williams, but FERPA does cover it as non-directory information, and so do some state laws

Page 10:

Credit Card Transactions

• Any entity which collects payments with credit cards is contractually bound to follow the Payment Card Industry (PCI) Standard to protect information related to credit-card transactions.

• The PCI standard provides very specific guidelines on how to protect such information in both paper and electronic formats.

• Failure to comply can result in withholding of credit card revenue to pay fines & penalties.

• See https://www.pcisecuritystandards.org

Page 11:

Credit Card Transactions

• Credit Cards at Williams
– Dining Services facilities (on-site)
– WTF Box Office (on-site)
– WCMA Museum Shop (on-site)
– Alumni Donations (off-site)
– PaperCut Printing (off-site)
– Student Bus Travel (future)
– Others?

Page 12:

It’s the Law

• Protect Personal Financial Information
– Gramm Leach Bliley Act (GLBA)
– FTC Red Flag Rules
– Massachusetts General Law
– 38 other state identity theft laws

Page 13:

It’s the Law: Protect Personal Financial Information

• What is Personal Financial Information?
– Massachusetts definition: A person’s name in combination with their
  • Social Security Number (SSN)
  • Driver’s License or State-issued ID Number
  • Financial Account Number
  • Credit Card Number

Page 14:

It’s the Law: Protect Personal Financial Information

• “Protect” means preserve
– Confidentiality
– Integrity
– Availability

• Information in any format: paper or digital

• Protection applies to all Massachusetts residents
  • Students
  • Employees
  • Alumni
  • Guest speakers, contractors… and everybody else

Page 15:

It’s the Law: Protect Personal Financial Information – MA WISP

Per MA CMR 201 17.00, Massachusetts businesses must develop, implement and maintain a comprehensive Written Information Security Program (WISP) to…

– Put in place “administrative, technical, and physical safeguards to ensure the security and confidentiality of such records”

– Designate “one or more employees to design, implement and coordinate” the program

– “Verify that third-party service providers with access to personal information have the capacity to protect such personal information”

Page 16:

It’s the Law: Protect Personal Financial Information – MA WISP…

– Put in place processes for “Inventorying paper, electronic and other records, computing systems, and storage media, including laptops and portable devices used to store personal information, to identify those records containing personal information.”

– Provide “Education and training of employees on the proper use of the computer security system and the importance of personal information security”

Page 17:

It’s the Law: Protect Personal Financial Information – MA WISP…

• Information on the Internet
– E-mail & files sent over the Internet containing personal financial information must be encrypted

• Information on portable devices
– By March 1st, 2010, all laptops and other portable information devices (Smart Phones, PDA’s, USB Drives) that store personal financial information or store information that may give access to it must be encrypted.

Page 18:

What is an Information Security Breach?

The unauthorized use or acquisition of personal information that “creates a substantial risk of identity theft or fraud”

In Massachusetts, a breach means the (potential) release of either
- Unencrypted personal financial information
- Unencrypted data capable of compromising personal financial information
- In other words, usernames & passwords

Page 19:

Information Security Breach

If a breach or possible breach occurs (at least in Massachusetts):

Business must notify
- MA Office of Consumer Affairs and Business Regulation
- The Massachusetts Attorney General
- The individual(s) whose information is at risk

The notification must include:
– The date or approximate date of the breach
– Steps that have been taken to deal with the breach
– Consumers’ right to obtain a police report
– Instructions for requesting a credit report security freeze

The notification may not include:
– The number of MA residents affected

Page 20:

Credit Report Security Freeze

Any consumer in Massachusetts, New York, or Vermont may place a security freeze on his or her credit report by sending a request in writing, by mail, to all 3 consumer reporting agencies (EquiFax, Experian, TransUnion).

There’s no fee for victims or their spouses for placing or removing a security freeze on a credit report. You can prove you’re a victim by sending a copy of a police report. All other consumers must pay a $5-$10 fee.

See the Consumers Union web site for more information: www.consumersunion.org

Page 21:

Williams Breach: October, 2009

Cause was a stolen laptop computer (3 college laptops have been stolen in past 8 months)

• Interviewed laptop owner about information on laptop

• Scanned laptop backup files for protected financial information and health data

• Protected data found (SSN’s), so laws in 39 states and many foreign countries might apply, depending on residency

• Obtained legal assistance and contracted for breach counseling services

Page 22:

Williams Breach: October, 2009

• Compiled list of residential and e-mail addresses for approximately 750 potential victims

• Notified potential victims by mail and by e-mail

• Sent all-campus e-mail notice

• Responded to phone calls and e-mails

• Financial costs to handle a breach included staff time, legal assistance and breach counseling services. Final cost has exceeded $50,000.

Page 23:

Where did the SSN’s come from?

• Excel files of pre-2006 class rosters from the old Student System (SIS)

• E-mail messages related to paying individuals such as guest speakers, performers, referees

• Unsolicited e-mail messages

Page 24:

College Confidentiality Policy

• Published January, 2010

• Find it at http://wiki.williams.edu/display/handbooks/Confidentiality

(you can also search for confidentiality policy on the Williams web

Page 25:

College Confidentiality Policy

Responsibility of Administrative Departments

“Each department head is responsible for ensuring the appropriate protection of information within his or her office.”

Responsibility of Faculty

“Each faculty member is responsible for ensuring the confidentiality of any information s/he collects or uses, both electronic and on paper.”

Page 26:

What about your office?

• Does your office handle legally-protected or confidential information?
– What kind?
– If you’re not sure what’s confidential, ask!

• Does your office or department have policies and procedures for protecting confidential information?

Page 27:

What about your office?

• An information usage policy explains
– What information is confidential
– How to protect confidential information
– How to handle requests for information, both internal and external
– When and how to dispose of confidential information
– What the consequences are if the policy isn’t followed

Page 28:

What about your office?

• Goal: Minimize the potential risks from information leaks

• If you don’t need it, get rid of it (use a shredder if it’s paper)

• Be skeptical of requests for information

• Again: If you don’t need it, get rid of it!

Page 29:

What about your office?

• Does your office send or receive confidential information via e-mail?

• Does your office use a shredder?

• Do you lock up your files when the office is closed and turn off your computers at the end of the day?

• What if your paper files were damaged due to fire or flood?

Page 30:

Methods by which data is lost or stolen

Physical:
• Theft of computer, external drives, USB flash drives, CDs, smartphones
• Carelessness with passwords (written in obvious places) or passwords that are too simple

Electronic:
• E-mail (phishing scams – replying with passwords)
• Web (phishing scams, website hijack)
• Viruses / spyware (from email, web sites or downloads)
• Rogue software (fake antivirus)
• Wireless data sniffing

Page 31:

Simple computer security at work

• Don’t use post-its to manage your passwords (if you need to have a file that stores your various passwords, keep it up on the network or use an Excel file that is locked with a password).

• If you have your own office: keep your door locked when away

• If you work in a public area: consider a privacy screen

• Require a password when your computer wakes from sleep

• Laptop security cable? Cheap, prevents opportunistic theft. OIT will give you one for free.

Page 32:

Traveling with a computer

Before you leave, think about what it would mean if your laptop were stolen or lost – are you sure you need it on your trip?

Consider checking out a Library loaner – there should be no personal data on those

If you just need to check email you can use a smart phone

Do not EVER leave a laptop in a parked car in a city – this is by far the most common way that laptops are stolen

Don’t check your laptop when flying – in general don’t let your computer out of your sight

If using a foreign wireless network, run the VPN client to prevent data sniffing

If your laptop is stolen, contact OIT immediately and change your password (consider it compromised)

Page 33:

OIT initiatives for 2009 - 2010

To protect against data loss due to computer or device theft OIT is starting initiatives for:

• Full disk encryption (TrueCrypt) on laptops

• Full data backup (Atempo Livebackup or USB external drive)

• Remediation and removal of PII from college computers*

* SS#s, Credit Card #s, Bank Account #s and passwords in clear text are some of the many things we commonly find

We have software called Identity Finder which will search documents (Word, Excel, PowerPoint, PDFs) and e-mail for this type of information
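An added example of the kind of scan described above; it is not the Identity Finder product or any OIT tooling, and the sample lines, names and functions are my own. It looks through constructed text for SSN-shaped strings and for card numbers that pass the Luhn check digit, and reports only the last four digits so that the findings list is not itself sensitive data.

```python
import re

# Constructed sample lines (not real records): the kinds of text the
# stolen-laptop review found, an old roster export and a payment e-mail.
SAMPLE_LINES = [
    "Smith, Jane, 078-05-1120, ECON 101, Fall 2004",
    "Please charge the honorarium to Visa 4111 1111 1111 1111, exp 12/09",
    "Campus switchboard 413-597-2000, fax 413-597-0000",
    "Order ref 4111 1111 1111 1112 (mistyped, so it fails the check digit)",
    "Placeholder SSN 000-00-0000 copied from a form template",
]

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13 to 16 digits, optionally separated by single spaces or hyphens
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test used by the major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def plausible_ssn(ssn: str) -> bool:
    """Reject SSN-shaped strings the SSA never issues (area 000/666/9xx,
    group 00, serial 0000), which cuts down on false positives."""
    area, group, serial = ssn.split("-")
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def mask(digits: str) -> str:
    """Keep only the last four digits so the report is not itself PII."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_lines(lines):
    """Return (line number, kind, masked value) for each probable SSN or
    card number found in the given lines."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for m in SSN_RE.finditer(line):
            if plausible_ssn(m.group()):
                findings.append((n, "ssn", "***-**-" + m.group()[-4:]))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 16 and luhn_ok(digits):
                findings.append((n, "card", mask(digits)))
    return findings


if __name__ == "__main__":
    for n, kind, value in scan_lines(SAMPLE_LINES):
        print(f"line {n}: {kind} {value}")
```

Only the roster SSN and the Luhn-valid card number are reported; the phone numbers, the mistyped card and the all-zero placeholder are ignored.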

Page 34:

Email Security + Phishing

• NEVER FORGET: It is easy to spoof the From: address in an email.

• Does the From: address match the Reply-to: address? (If not, beware.)

• Phishing emails often start out “your account has been used to send spam” or “we are doing maintenance on our webmail system” – then they ask that you reply with your username and password

• There will never be a reason to give anyone your password by email – honestly.

• Note: E-mail notifications to the community from Williams OIT will always have a subject line beginning with: “OIT Eph Notice {mm/dd/yy}”

Phishing is the fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.

Page 35:

Find the “phishing” clues

From: "Williams College" <[email protected]>
Date: February 13, 2009 11:25:45 AM EST
Subject: Webmail Subscriber
Reply-To: [email protected]

Attn. Webmail User,

We regret to announce to you that we will be making some vital maintainance on our webmail. During this process you might have login problems in signing into your Online account, but to prevent this you have to confirm your account immediately after you receive this notification.

Your williams.edu Account Confirmation

Name:
E-mail ID:
E-mail Password:
Date of birth:

Your account shall remain active after you have successfully confirmed your account details.

Thanks

Williams College
Webmail Support Team
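The clues the slide asks you to find, checked automatically, as an added example that is not part of the workshop material: it parses a constructed message modelled on the one above (the addresses, the second sample and the function names are my own placeholders) and reports the Reply-To mismatch, the request for a password, and the missing “OIT Eph Notice” subject prefix from the previous slide.

```python
import email
from email.utils import parseaddr

TRUSTED_DOMAIN = "williams.edu"
OIT_SUBJECT_PREFIX = "OIT Eph Notice"
# Phrases typical of credential-harvesting mail, taken from the slides
CREDENTIAL_CUES = ("password", "confirm your account", "login problems")

# Constructed message modelled on the slide's phishing e-mail; the addresses
# are placeholders, not those of the original message.
SAMPLE_PHISH = """\
From: "Williams College" <webmaster@williams.edu>
Reply-To: webmail.support@example-freemail.invalid
Date: Fri, 13 Feb 2009 11:25:45 -0500
Subject: Webmail Subscriber

Attn. Webmail User,
We regret to announce that we will be making some vital maintainance on our
webmail. During this process you might have login problems, but to prevent
this you have to confirm your account immediately.
Name:
E-mail ID:
E-mail Password:
Date of birth:
"""

# Constructed example of a genuine OIT notice carrying the advertised prefix
SAMPLE_NOTICE = """\
From: "Williams OIT" <oit@williams.edu>
Date: Mon, 01 Feb 2010 09:00:00 -0500
Subject: OIT Eph Notice {02/01/10} Webmail maintenance Saturday

Webmail will be unavailable from 6 to 8 AM on Saturday. No action is needed.
"""


def domain_of(header_value):
    """Lower-cased domain part of an address header ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def phishing_clues(raw_message: str) -> list:
    """Return a list of clue strings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw_message)
    clues = []
    from_domain = domain_of(msg["From"])
    # A reply goes to Reply-To when it is present, so that is the address
    # that actually receives whatever the victim types in.
    reply_domain = domain_of(msg["Reply-To"]) if msg["Reply-To"] else from_domain
    if reply_domain != from_domain:
        clues.append(f"Reply-To domain {reply_domain!r} differs from "
                     f"From domain {from_domain!r}")
    body = msg.get_payload().lower()
    for cue in CREDENTIAL_CUES:
        if cue in body:
            clues.append(f"body mentions {cue!r}")
    subject = msg["Subject"] or ""
    if from_domain == TRUSTED_DOMAIN and not subject.startswith(OIT_SUBJECT_PREFIX):
        clues.append("claims a williams.edu sender but lacks the "
                     "'OIT Eph Notice' subject prefix real OIT notices carry")
    return clues


if __name__ == "__main__":
    for clue in phishing_clues(SAMPLE_PHISH):
        print("clue:", clue)
    print("genuine notice clues:", phishing_clues(SAMPLE_NOTICE))
```

The From: check alone proves nothing, since the slide's first bullet says that header is trivially spoofed; the value of this check is in the combination of clues.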

Page 36:

Web Security

We are often required to log into web sites. How can you tell if the site is legitimate?

Check the “domain” – which of these could be a real Williams site?

http://www.williamsrewards.com/

http://williams.edu.technical-supports.com/

http://technical-supports.williams.edu/

Page 37:

Web Security

We are often required to log into web sites. How can you tell if the site is legitimate?

Check the “domain” – which of these could be a real Williams site:

http://www.williamsrewards.com/

http://williams.edu.technical-supports.com/

http://technical-supports.williams.edu/

The domain is the last two words between the http:// and the first /

Same format as email addresses: xyz@williams.edu or xyz@americanexpress.com

Any Williams site will be //xyz.williams.edu/

Any American Express site will be //xyz.americanexpress.com/

http://www.williams.edu/go/x is legitimate because the domain is correct

Page 38: Personal Information Security Workshop Williams College Office for Information Technology (OIT) Winter 2010.

Website copy

• On Monday Sept. 29, a bogus email was sent with the subject line “Read Email Security Message” to many hundreds of college employees and students. The email had an attachment with a link to a bogus Williams webmail site.

• The email itself was not particularly believable, but the fake webmail site was a perfect copy of our real site. The only way to tell it was fake was to look at the domain information:

• http://www.jctaiwan.com/~jctaiwan/webmail.williams.edu/

Page 39: Personal Information Security Workshop Williams College Office for Information Technology (OIT) Winter 2010.

Preventing Viruses

Common ways to get viruses:

• An e-card (Hallmark greeting, etc.) – Don’t follow the link unless you are sure. If you are asked to download or install something, quit your browser or ask OIT to check it out.

• Email attachment – Don’t open it unless you are sure. Check with the sender. This includes Word documents and PDFs.

• Web link in an email – Don’t follow it unless you know for sure where it goes.

• General browsing and downloading of things not work-related is the cause of nearly all infections.

AT HOME:

Keep your Anti-virus up to date – it’s worthwhile to know what you use.

Keep your computer up to date with Windows patches.

Page 40: Personal Information Security Workshop Williams College Office for Information Technology (OIT) Winter 2010.

Preventing Spyware

• What is Spyware? The simplest explanation is that it is like a virus specifically designed to steal information.

• Follow the same rules you follow when avoiding viruses.

• Don’t download “cool” applications: Bonzi Buddy, Weather Bug, Kazaa, Limewire, CoolWebSearch (this one is bad), Comet Cursor

• For your home computer install Windows Defender from www.microsoft.com (Vista has it built in)

Malware, short for malicious software, is software designed to infiltrate or damage a computer system without the owner's informed consent. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code covering viruses, spyware, trojan horses, worms, rogues, etc.

Page 41: Personal Information Security Workshop Williams College Office for Information Technology (OIT) Winter 2010.

Rogue Security Software

• Rogue security software is software that misleads users into paying for the fake removal of malware.

• Typically you get a pop-up window while on the web alerting you that you have viruses or spyware on the computer and offering to clean it up. If you accept the offer the program installs itself, then will continuously try to get you to pay for a “professional version” – which does nothing, except maybe remove itself.

• Generally these rogue programs will not be picked up by real anti-virus software because you agreed to install the software.

• One program that does very well at removing this type of software is called Malwarebytes.

A partial list of known rogue software. Just the A’s!!

Advanced Cleaner, AlfaCleaner, Alpha AntiVirus, AntiSpyCheck 2.1, AntiSpyStorm, AntiSpyware 2009, AntiSpyware Bot, AntiSpywareExpert, AntiSpywareMaster, AntiSpywareSuite, AntiSpyware Shield, Antivermins, Antivirus 2008, Antivirus 2009, Antivirus 2010, Antivirus 360, Antivirus Pro 2009, AntiVirus Gold, Antivirus Master, Antivirus XP 2008, Antivirus Pro 2010, Antivirus System PRO, Avatod Antispyware 8.0, Awola

Page 42: Personal Information Security Workshop Williams College Office for Information Technology (OIT) Winter 2010.

Security recap

1. Physical security can usually be attained by applying common sense and a little care – treat your computer like a passport or your wallet or purse.

2. Avoiding viruses and spyware can usually be achieved by following a simple rule: Your office computer is a business tool – don’t use it like a home entertainment system.

3. Wireless is everywhere and incredibly convenient, but anyone can sniff traffic (traffic generally meaning whatever you are typing). If you are doing anything off-campus that requires a username and password, or requires entry of confidential information, run the VPN software.

4. Your username and password protect a lot more than just YOUR personal info – you probably have access to many people’s personal info.

Page 43: Personal Information Security Workshop Williams College Office for Information Technology (OIT) Winter 2010.

Quick Quizzes

You’re travelling without a computer and want to see if you were paid on time. You find an internet café, pay for access, and log in to your online banking web site. You note that the username/password page in the web browser on the computer you’re using is encrypted (using https://). Should you log in?

Page 44: Personal Information Security Workshop Williams College Office for Information Technology (OIT) Winter 2010.

Quick Quizzes

Which of these web addresses (URLs) are legitimate Williams College addresses?

http://williamscollege.techno.com/index.html

http://collegeinfo.williams.edu/about.html

http://system1.rewards.williams.edu.x.com/

https://webmail.williams.edu/

https://webmail.williams.collegebound.net/
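As an added example (my own code, not part of the workshop or of OIT's material), the domain rule from Page 37 applied to the addresses on that slide, the Page 38 phishing copy and this quiz; the function names are mine, the URLs are the slides' own, and the two-label rule is the slide's simplification rather than a general one.

```python
from urllib.parse import urlsplit

# The slide's rule: the "domain" is the last two dot-separated labels of the
# host name, i.e. the last two words between the scheme's "//" and the first
# "/". This two-label rule is the workshop's simplification: it does not hold
# for suffixes such as co.uk, where the Public Suffix List is the right tool.
def domain_of(url: str) -> str:
    # urlsplit().hostname strips the scheme, the port and any user@ prefix,
    # so "http://webmail.williams.edu@example.com/" resolves to example.com.
    host = urlsplit(url).hostname or ""
    labels = [part for part in host.lower().split(".") if part]
    return ".".join(labels[-2:])

def is_williams_site(url: str) -> bool:
    """True only when the domain is exactly williams.edu. Neither https, nor a
    williams.edu label earlier in the host, nor williams.edu in the path (the
    jctaiwan copy on Page 38) makes an address legitimate."""
    return domain_of(url) == "williams.edu"

# Addresses taken from the workshop slides and the quiz (no new URLs).
SLIDE_URLS = [
    "http://www.williamsrewards.com/",
    "http://williams.edu.technical-supports.com/",
    "http://technical-supports.williams.edu/",
    "http://www.williams.edu/go/x",
    "http://www.jctaiwan.com/~jctaiwan/webmail.williams.edu/",
    "http://williamscollege.techno.com/index.html",
    "http://collegeinfo.williams.edu/about.html",
    "http://system1.rewards.williams.edu.x.com/",
    "https://webmail.williams.edu/",
    "https://webmail.williams.collegebound.net/",
]

def classify(urls):
    """Map each URL to (domain, legitimate?) using the slide's rule."""
    return {u: (domain_of(u), is_williams_site(u)) for u in urls}

if __name__ == "__main__":
    for url, (dom, ok) in classify(SLIDE_URLS).items():
        print(f"{'Williams' if ok else 'NOT     '}  {dom:<24} {url}")
```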

Page 45: Personal Information Security Workshop Williams College Office for Information Technology (OIT) Winter 2010.

Quick Quizzes

You get an e-mail from the HR Benefits Coordinator telling you about a new Williams employee benefits program called WilliamsRewards. The e-mail directs you to www.williamsrewards.com. The web site has the look of a typical Williams web page and instructs you to sign up for the program by logging in with your Williams username & password.

What do you do?

Page 46: Personal Information Security Workshop Williams College Office for Information Technology (OIT) Winter 2010.

How to check on links in e-mail (Outlook)

Page 47: Personal Information Security Workshop Williams College Office for Information Technology (OIT) Winter 2010.

How to check on links in e-mail (WebMail)

Page 48: Personal Information Security Workshop Williams College Office for Information Technology (OIT) Winter 2010.

If Nothing Else, What should you remember?

?

Page 49: Personal Information Security Workshop Williams College Office for Information Technology (OIT) Winter 2010.

Questions?

Thanks to Dennis Devlin and Brandeis University for their assistance

WWII Posters from American Merchant Marine at War,

www.usmm.org