1. Personal Information Security and Malware Awareness Workshop
Bard College at Simon’s Rock
Information Technology Services (ITS)
Summer 2012
Version 5, Revised 25 Sept 2012
(Please sign in on the attendance sheet so we know you’ve been here!)

2. What are we doing here?
Brief intro to (some of) the information protection laws that apply to Simon’s Rock
Especially the 2010 “Mass. Privacy Law”, which is the reason you have to attend this session.
Strategies for protecting the private data we work with.
Needs to be a college-wide effort.
Reduce the amount of private data we store, Restrict access to what we do store, and Encrypt any that leaves campus.
Defenses against individual attacks on our personal accounts and computers.
Unique passwords, required to wake system
Software updates
Recognizing fraudulent s and websites
A road map for this presentation.

3. Warm Up: If Nothing Else, Remember This:
Legitimate online service providers, including ITS staff and your bank, will never, ever ask you for your password by . (Watch out for fake login links by , too.)
These days it is more likely to be s with links to bogus sites. In general, assume any asking you to login is fraudulent.
Also, we can’t quite really say “ITS will never ask for your password” – if you leave me you laptop to repair, I’ll ask for your computer password.

4. What is Protected Personal Information?
Depends which law is defining it!
(We have to comply with lots of ‘em!)
Assume financial, academic, and health data need to be protected.
FERPA — Family Education Right to Privacy Act
PCI — Payment Card Industry regulations
HIPAA — Health Insurance Portability and Accountability Act
MA CMR — “Standards for the Protection of Personal Information of Residents of the Commonwealth” (aka the “Massachusetts Privacy Law”) This is the big one…
Hopefully this presentation will make you aware of the sorts of regulations that may apply, and suggests the types of data we need to protect.
In general, be careful of academic, financial, and health records.
Lots of acronyms, e.g. PPI for Protected Personal Information; PHI for Personal Health Information, etc. Bleah.
For any tricky questions, as someone who knows more, e.g. Registrar's Office for FERPA, Business Office for financial stuff, Health Services for, um, Health, etc.
Also lots of info on line (some of which may be true.)
IANAL — I Am Not A Lawyer : This is a very brief overview, and I don’t really know what I’m talking about.

5. FERPA*
FERPA covers living students and alumni, and protects their academic records.
Also, each institution defines “student directory information” (Ours is in our Student Handbook)
Everything else is “non-directory information”
Simon’s Rock may release directory information
We may not release non-directory information without prior consent of the student, except in specific circumstances (such as a subpoena)
A student may request that even their directory information not be published
Family Education Right to Privacy Act
FERPA is the rule that means we can not release a student’s grades or course information, even to their parents, unless the student or alumnus/a has given you prior permission to share the data.
You cannot even share course registration information with other students.
*(ask Heidi and Moira if you desire more details)

6. FERPA (more)
In general, faculty and staff have access to personally identifiable, non-directory information about students as long as they have a legitimate educational interest in it, in other words a "need to know."
Releasing personally identifiable non-directory information to others without prior permission from the student or alumnus/a is illegal.
Directory Simon’s Rock
student’s name;
addresses (home, campus, and );
telephone numbers (home and campus);
major or field of study;
date and place of birth;
full- or part-time status;
enrollment dates;
date of graduation (past or anticipated);
current grade level (first-year, sophomore, junior, or senior);
graduation information as published in the commencement program.
“legitimate educational interest” can include students seeing other student’s records, e.g. students on a discipline hearing committee or something.

7. PCI*: Credit Card Transactions
Any entity which collects payments with credit cards is contractually bound to follow the Payment Card Industry (PCI) Standard to protect information related to credit-card transactions.
The PCI standard provides very specific guidelines on how to protect such information in both paper and electronic formats.
Failure to comply can result in withholding of credit card revenue to pay fines & penalties.
See
Payment Card Industry.
If you are involved with credit cards, you should read up on this.
If you put credit cards in your computer, make sure your software vendor claims compliance. Don’t just put them in a spread sheet.
*I’m not sure if we have a resident expert on PCI. (I’m not it.)

8. PCI (more) : Credit Cards at Simon’s Rock
Kilpatrick Athletic Center
Admissions
Development and Alumni Relations
Phone-a-thons?
Business Office
Chartwells and Bookstore
Others?
I fear that PCI compliance is an area where we probably do not meet the letter of the regulations.

9. HIPAA* Protect Personal Health Information
Personal Health Information (PHI) must be protected, including information about:
Health Status
Provision of Health Care
Payment for Health Care
In general, any information about a patient’s medical record or medical payment history is protected.
HIPAA defines administrative, physical, and technical safeguards for protecting PHI
HIPAA applies to faculty, staff, and student information
(FERPA also covers student health information, since it is non-directory information)
Health Insurance Portability and Accountability Act
Our student electronic health records database is off-site (aka “in the cloud”) and is HIPAA compliant software.
HIPAA is why you have to sign that seemingly pointless and generic privacy policy form when you first see any medical practitioner.
If you have any question about if you are allowed to discuss a student’s treatment or health, I suggest punting your questions to Health Services quite quickly.
*We pretty much depend on Health Services staff to deal with HIPAA.

10. MA CMR 201 17* (Mass Privacy Law)
Protects Personal Financial Information (PFI)
Mass. definition: A person’s name with their:
Social Security Number (SSN)
Driver’s License or State-issued ID Number
Financial Account Number
Credit Card Number
Information in any format: paper or digital
Protection applies to all Mass. residents:
Students, Alumni, Employees, Guest speakers, contractors,…and everybody else.
“Name” here means “First and Last names” or “First Initial and Last name”. Note that most common IDs have both the name and number, so your credit card or driver’s license is protected.
“PFI” – more acronyms.
Companies in other states that have data on MA residents also need to comply
*Janice is probably our best resource on this, plus there is lots of data on-line, because it is a recent law and all MA businesses have been scrambling to comply.

11. MA CMR (more)
Mass. businesses must develop, implement and maintain a comprehensive Written Information Security Program (WISP) to…
Designate “one or more employees to design, implement and coordinate” the program
Put in place processes for “Inventorying paper, electronic and other records, computing systems, and storage media, including laptops and portable devices used to store personal information, to identify those records containing personal information.”
Put in place “administrative, technical, and physical safeguards to ensure the security and confidentiality of such records”
That first point means that this needs to be supported from the top, and we can’t just ignore it.

12. MA CMR (still more)
WISP requirements continued…
“Verify that third-party service providers with access to personal information have the capacity to protect such personal information”
Provide “Education and training of employees on the proper use of the computer security system and the importance of personal information security”
But, having the WISP written down is one thing, making it work to actually protect data depends on all of us.
WISP: Need to check (non-Mass) vendors. (MA vendors already have to comply.)
e.g. All the our records at Bard need to be compliant.
Also, these meetings 
Last point is key: This is not something ITS can do in a centralized way. (See following data breach examples.)

13. MA CMR (omg, more)
The law has regulations about Information Security Breaches, defined as unauthorized use or acquisition of personal information that “creates a substantial risk of identity theft or fraud.”
So, a breach means the release (or potential release) of either:
Unencrypted personal financial information
Unencrypted data capable of compromising personal financial information (e.g. usernames & passwords)
E.g. Mass AG fined Belmont Savings Bank (Belmont is a Boston suburb) a civil penalty of $7,500
May 2011 breach: employee left a computer backup tape on a desk overnight, rather than in a storage vault. A surveillance camera showed that the backup tape was inadvertently discarded by the evening cleaning crew and, according to the Attorney General's Office, was likely incinerated by the bank's waste disposal company. [THUS, VERY LIKELY NO ACTUAL EXPOSEURE OF DATA]
Fined because they did not properly implement their WISP, which said the tapes would be in the vault and that employees would be trained to put them there.
(Retrieved from )

14. Information Security Breach
MA CMR (more, more, more!)
Information Security Breach
If a breach or possible breach occurs in Massachusetts:
Business and other organizations in MA must notify
MA Office of Consumer Affairs and Business Regulation
The Massachusetts Attorney General
The individuals whose information is at risk
The notification to the State must include:
The nature and circumstances of the breach
The number of Mass residents involved
Steps that have been taken to deal with the breach
The notification to involved individuals must include
Consumers’ right to obtain a police report
Instructions for requesting a credit report security freeze
BUT, should not include the nature of the breach or number of MA residents involved.
Note that this seems like it would be a large hassle to deal with. This is in fact correct… we have a real life example from Williams College coming up

15. Williams Breach: October, 2009
Data loss occurred when a college-owned laptop computer was stolen from user’s car.
Steps necessary to respond to this breach:
Interviewed laptop owner about information on laptop
Scanned laptop backup files for protected financial information and health data
Protected data was found (Names w/ SSN’s), so laws in 39 states and many foreign countries probably apply, depending on residency of leaked individuals
Williams obtained legal assistance and contracted for breach counseling services
The residency bit can be interesting for college students. Most likely, their home address is still their residency, so MA laws and their home state laws both apply.
Also, with old data, the address that was leaked may be a different state than the resident’s current address. Oof.

16. Where did the Williams’ SSN’s come from?
Excel files of pre-2006 class rosters from the old Student System (SIS)
messages related to paying individuals such as guest speakers, performers, referees
Unsolicited messages that contained protected personal data.
Note that this was all old data that probably did not need to be saved. (If you really need a class list from a few years back, the registrar can get you one!)
Be careful of s or attachments with SSNs from students, or for payment info for guest lectures, independent contractor’s invoices, etc.

17. Williams Breach: Cleanup Process
Compiled list of residential and addresses for approximately 750 potential victims
Notified potential victims by mail and by , sent all-campus notice
Responded to phone calls and s
Financial costs to handle this breach included staff time, legal assistance and breach counseling services. Costs exceeded $50,000.
Note: If the laptop had been encrypted, the only loss would have been the cost of the laptop. (Hint: Do not store Simon’s Rock PPI on an unencrypted portable device!)
The loss of an encrypted device does not count as a data breach, because the data is un-readable.

18. (Aside) Fun Fact: if your personal data is involved in a data breach, you get a Free Credit Report Security Freeze
Any consumer in Massachusetts, New York, or Vermont may place a security freeze on his or her credit report by sending a request in writing, by mail, to all 3 consumer reporting agencies (EquiFax, Experian, TransUnion).
There’s no fee for victims or their spouses for placing or removing a security freeze on a credit report. You can prove you’re a victim by sending a copy of a police report. All other consumers must pay a $5-$10 fee.
See the Consumers Union web site for more information:
Good to know if you ever wind up in this situation

19. Discussion break (pop quiz?)
You are the advisor to a first-year student. Their parent s you and is concerned that the student is not doing well in classes, and asks if you can check with the student’s professors and let the parent know.
Can you do this? What regulations might apply?
Done with the law overview, here’s a practical case.
All student’s sign a FERPA form saying what we can disclose, so if the student okayed their parents, all set.

20. Here’s the FERPA form that all students fill out:
Note that this form suggests that we encourage close communication with parents, and also explains the dependent clause. Advisors get a printed copy of this, and the permissions are copied to the student’s course schedule.

21. Part II: Okay, so what do we do?
How do we comply with all these laws?
We need to determine what “Protected” data we really need to have, and then figure out how to actually protect it.
(Disclaimer: This data protection is not something ITS can magically make happen!)
Has to be a distributed effort

22. Data Security Guiding Principles
Reduce!
Don’t collect personal data you don’t need
Don’t store data you won’t need again
Restrict!
Keep protected data in secure locations
Paper docs in locked drawers or closets
Electronic docs stay on central servers
Password required to see your screen!
Encrypt!
Protected electronic data that leaves Simon’s Rock must be encrypted. (Also: Why is it leaving? Is it going to someone with a legitimate need for it?)
(Loosely inspired by Reduce, Reuse, Recycle. Get it?)
Obvious trade off between convenience and security – takes more time to lock and unlock stuff, or to enter your password.

23. Shared Responsibility for Data Security
Responsibility of Staff Departments
Each department head is responsible for ensuring the appropriate protection of information within his or her area. Every employee is responsible for protecting the data they use and store, both electronic and on paper.
Responsibility of Faculty
Every faculty member is responsible for ensuring the confidentiality of any information they collect or use, both electronic and on paper. The Dean of Academic Affairs and Division heads should be aware of protected information handled by their divisions.
A distributed solution is required. Remember that the Mass Privacy Law requires us to inventory all of our PPI, paper and electronic. In general, this needs to be done by every employee.
Staff: Bosses, make sure you are aware of the protected data in your area, which means, audit your work flows and old stored data. Minimize what you need to keep, and keep it protected.
Faculty: You are each pretty much on your own, because your department chairs generally don’t know in detail what you are up to. Still, division chairs can nag everyone about this at faculty meetings.

24. What about your office?
Goal: Minimize the potential risks from information leaks
If you don’t need it, get rid of it (use a shredder if it’s paper)
Be skeptical of requests for information
Don’t disclose protected information to just anyone!
Be careful of post-its with credit card info and other temporary documents

25. What about your office?
Does your office handle legally-protected or confidential information?
Do you know what protected data you have?
Workgroups should audit their stored data to confirm that old confidential docs are still required.
If you’re not sure what’s protected, ask!
Photocopies of checks?
Credit card info on scrap paper until it is processed?
Does your office or department have policies and procedures for protecting confidential information?
More about information usage policy in a couple slides.
ITS has an example of paper checks. We used to photocopy phone bill payments, just because that was the process. We decided to stop copying checks, and just record them paid and get them to the business office. We shredded our older copies. (No real need for us to have them: If someone disputes that they paid, they can present a copy of a cancelled check.)

26. What about your office?
Does your office send or receive confidential information via ?
Encrypt them when you send (details later)
Delete them from when you receive them
Does your office use a shredder?
Or the secure document disposal can at Business Office.
Do you lock up your files when the office is closed?
Does your computer need a password to wake from sleep?
Do you lock the screen when you are away from your desk?
Again, the trade off between ease and security.
It is very handy when I stop to update a computer and can just sit down and use it, but in terms of data security it is not good. (Also, even if there is a password screen, it is often on a post it somewhere handy…)

27. Goal: Each department that handles PPI has an Information Usage Policy
An information usage policy explains
What information is confidential
How to protect confidential information
How to handle requests for information, both internal and external
When and how to dispose of confidential information
What the consequences are if the policy isn’t followed
We should have one!
This is a goal for all groups that handle private data on campus.
I will buy donuts for any office that already has such a policy about confidential data!

28. ITS can help (somewhat)
Locate data with PPI (part of your office audit!)
We have software called Identity Finder which will search documents (Word, Excel, pdfs) and for things that look like PPI
Often finds SS#s, Credit Card #s, Bank Account #s and passwords in clear text.
Such data should be removed from your computer:
Delete if not needed
Store only on the server if possible.
Install Full-Disk encryption on all college laptops
Truecrypt on Windows, File Vault on Macs
Requires extra password to decrypt for boot
Hard disk unreadable without decryption
If you must store PPI on your computer (e.g. Audrey) then your system should be encrypted.
Encryption is again a trade off of security vs. convenience, but it is not too bad. (Mostly have laptop just go to sleep; only need to decrypt on restart or wake from hibernation.)
ITS is also plans to meet with all employees about privacy law and protecting data. (You are at such a meeting now!)
ITS is not going to help write your Information Usage Policy. Sorry.

29. Part III: Getting Personal — Securing PCs (including home PCs)
Some elements are software based, e.g. system updates, secure password storage.
Mostly human based: Learn to recognize fake s and bogus websites
BUT: The bad guys are getting better and better. Malware and web-based attacks get more sophisticated and more effective.
Millions of computers world-wide remotely controlled via malware, used to send spam, or merely to harvest financial info from the computer’s owners. So, the issue is already very wide spread
New sophisticated “weapons-grade” malware used to attack foreign government facilities; code may leak into the wild.

30. How is data is lost or stolen?
Via Physical Access:
Theft of computer, external drives, flash drives, CDs, smartphones
Carelessness with passwords: Written in obvious places, passwords or hints too simple, home wifi router passwords left at default value.
It just takes seconds to read saved Firefox passwords, or to install monitoring software.
Via the Network:
phishing scams – users reply with passwords
Server hacks: Password files stolen and decrypted via “brute force”, then any recovered usernames/passwords are tried on other services.
Viruses / spyware used to install key-loggers or other monitoring software remotely
Includes “Drive by” web hacks. Malware code hacked into legit website infects your computer when you visit.
Wireless data sniffing
Password carelessness: Once I was working on a user’s computer when they were out of the office, and I had not asked for the password before they left. But after I tried blank and “letmein”, the system showed the password hint: “dirt dessert”. Any guesses? Yep, “mudpie”
Our campus wifi networks are encrypted against sniffing, but public places with open or shared password networks are vulnerable. Use HTTPS (more later)

31. Install ALL updates to key software
Updates come out so frequently, because new exploits of bugs & security flaws are discovered all the time.
(Can you get the fixes installed before you get hacked by the new malware?)
Important Software to Update:
Windows or Mac OS
AntiVirus definitions
Java
Pretty much every staff Windows system I visit has one or more icons by the clock informing of updates waiting to be installed.
Note that AV updates are an exception, as they are not to patch bugs, but to recognize new malware.
With auto-updaters, may get messages at boot, or icons by the click. Still usually need to click through to install. Ninite gives you an installer that will update without all those clicks.
Adobe Reader
Adobe Flash player
Firefox (and all browsers)
Or: : Select, install, and update software

32. Simple computer security
Don’t use post-its to manage your passwords
Use a program with strong encryption to store passwords
Don’t store passwords in Firefox (no encryption)
If you must write passwords down, keep them in your wallet.
If you have your own office: keep the door locked when away
If you work in a public area, lock your screen when you leave
Windows: Press Windows-key + L to lock without logging out.
Macintosh: Apple Menu > Sleep. (Also, see next point!)
Require a password when your computer wakes from sleep
Laptop security cable: Cheap, prevents opportunistic theft.
If others have access to your office, private data needs to be locked up in drawers as well
Passwords not on post-its on monitor or top drawer. Keep in wallet, don’t label what they go to, change all passwords if you lose the wallet.
Firefox passwords available as clear text to anyone who sits at your computer.
HOME: Set a password to configure your wifi router. (There has been at least one major instance of malware that checked router logins, and took over the ones it could log into, (DNS Changer) so this code is out there.

33. and PPI
& files sent over the Internet containing PPI must be encrypted.
may pass through many servers en-route to its destination
Our users often read on small devices that are not encrypted and that can be easily lost.
Most computer clients keep local copies of s that can be read by anyone with access to the system
For these reasons, any un-encrypted PPI in an counts as a potential data breach.
Both sending and receiving are a problem!

34. Received email with PPI
Some bozo un-aware parent sends you an with an unencrypted PDF of their tax return attached. What do you?
Get this document out of your box!
Download the document if you need it
Delete the message, and Empty your trash.
If you need to forward it to another staff member, encrypt the file you downloaded, the encrypted version, and delete the file.
(Next slide talks about encryption. Note that you will need to share the encryption password with the recipient.)
In general, ing to an other SR staff member is not a data breach, because it stays on campus on our server. However, the recipient may read their from anywhere, so the data may in fact leave campus. Thus encryption is required even for staff-to-staff messages.

35. Sending PPI (Encryption basics)
Encryption is scrambling a file using complex mathematics and a password.
Without the password, the file is random gibberish.
The password allows the file to be decrypted back to the original readable form, using similar complex math
Some encryption schemes are “weak” and can’t be used.
Choose a password, encrypt the file of PPI, and attach the encrypted version to an
Don’t send the password via ! (Call or skype or something to get it to the recipient)
Don’t use your regular system password!
If you send many files to this recipient, you can use the same password for all of them
Colleen often has to send SSNs and other sorts of PPI to e.g. our insurance vendors. She must encrypt these files.

36. Encrypting Microsoft Office files
MS Office (since 2007) has strong encryption. So, password protect Word and Excel files of PPI directly in Office.
Must use the new .docx or .xlsx file fomats —encryption of the older .DOC or .XLS versions is weak, and there are free websites that can decrypt these files without the password.
(Recipient must have Office 2007 or later to read such files.)
To encrypt: File menu > Info. Click “Protect…” button, then select “Encrypt with password.”
Show demo of Word if time.

37. Encryption for other files (PDF, etc.)
Zip files have adequate encryption. So, put the file or files you need to send into a zip file, and then add a password.
Use a long passphrase, as zip encryption is weaker with short passwords.
Older Macs will not open password-protected zip files without additional (free) software.
The password scheme built-in to PDF files is very weak. Use password protected zip files instead
Show demo of Word if time.

38. Traveling with a computer
Before you leave, think about what it would mean if your laptop were stolen or lost – are you sure you need it on your trip?
Consider a loaner with no personal data.
If you just need to check you can use a smart phone.
Do not EVER leave a laptop in a parked car in a city – this is by far the most common way that laptops are stolen
Don’t check your laptop when flying – in general don’t let your computer out of your sight.
If using a public wireless network, use https sites to prevent data sniffing
Several years ago a travelling staff member checked her laptop, and it was stolen from her bag. (That laptop was not encrypted. Today, that loss would count as a data breech that would need to be reported.)
If your laptop is stolen, contact ITS immediately and change your Simon’s Rock password (consider it compromised)

39. Web Security
We are often required to log into web sites. How can you tell if the site is legitimate? First, any site with a login must be not
Next, check the “domain” – which of these could be Simon’s Rock sites:
The domain is the last two words between the “ or “ and the next “/”
Same format as addresses: or
Any Simon’s Rock site will be //xyz.simons-rock.edu/
Any American Express site will be //xyz.americanexpress.com/
is legitimate because the domain is correct
Note that some browers hide the plain “ so that “ sites stand out more.”
A leading “ is often optional.
https means that all data is encrypted between your browser and the web server.
Some non-US sites have additional items after the domain, e.g. Domain.com.uk rather than just .com

40. Email Security + Phishing
Phishing is the fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.
NEVER FORGET: It is easy to spoof the From: address in an .
Does the From: address match the Reply-to: address (if not, beware)
Phishing s often start out “your account has been used to send spam” or “we are doing maintenance on our webmail system” – then they ask that you reply with your username and password
There will never be a reason to give anyone your password by – honestly. (Also, be careful of links to login sites.)
Note: notifications to the community from Simon’s Rock ITS will always be from an individual listed at ITS in the campus staff directory, not from a generic name like “Help Desk”. (But, the directory is on-line, so a smart spammer could use it to find a good from address.)
Portal alerts look more spammy. Sorry.

41. Find the “phishing” clues
From: ”Bard College at Simon’s Rock" Date: February 13, :25:45 AM EST Subject: Webmail Subscriber Reply-To: Attn. Webmail User, We regret to announce to you that we will be making some vital maintainance on our webmail. During this process you might have login problems in signing into your Online account, but to prevent this you have to confirm your account immediately after you receive this notification. Your simons-rock.edu Account Confirmation Name: ID: Password: Date of birth: Your account shall remain active after you have successfully confirmed your account details. Thanks Bard College at Simon’s Rock Webmail Support Team

42. “Phishing” clues shown in yellow
From: ”Bard College at Simon’s Rock" Date: February 13, :25:45 AM EST Subject: Webmail Subscriber (Missing list “tag”, e.g [Faculty] ) Reply-To: Attn. Webmail User, We regret to announce to you that we will be making some vital maintainance on our webmail. During this process you might have login problems in signing into your Online account, but to prevent this you have to confirm your account immediately after you receive this notification. Your simons-rock.edu Account Confirmation Name: ID: Password: Date of birth: Your account shall remain active after you have successfully confirmed your account details. Thanks Bard College at Simon’s Rock Webmail Support Team
But, the second item with the list tags ([Staff], [Faculty]) is not true for portal alerts.

43. Phishing Detection: Check the links!
HTML format s let the sender “hide” the target URL address of a link behind descriptive text, which can be set to look like a different URL.
Hold the cursor over the link text to see the actual link address. (Mac Mail shown.)
Note that it is simple to copy graphics from the web…
These sorts of fake s are getting better and better.
Clever ones use fake shipment confirmation notices, hoping you will reply to say, “Wait, I didn’t order that!” and then they will send you a link to a fake site to login and cancel the bogus order, and they get your Amazon login.

44. More Check the Links!
With Webmail (and Thunderbird), the actual link is shown in the “Status Bar” at the bottom of the window.
Where the actual link text appears varies based on the browser or mail client, but the idea is the same.

45. A Phish that Worked at Simon’s Rock
The following spam went to some faculty and staff:
This is not a particularly strong effort: ? ?!
Undisclosed recipients?!?
Helpdesk.4-all.org ??!!
But, it did the trick!
Aside: Sophos missed this. Forward it as an attachment to:
False positives to:
Note that portal alerts send with “undisclosed recipients”, but would not be used for something that should be only to specific individuals.

46. Here’s the Web Site linked to in that spam:
I love that they warn about fake password solicitation by , even as they steal your password!
Although this page does not seem much like a Simon’s Rock website, one employee logged in to this site. The attackers used the stolen credentials to send spam via our webmail server, a few per second. Unhappily, it was the 4th of July weekend…

47. Another successful attack: Williams Webmail site copy
On Monday Sept. 29, 2009, a bogus was sent with the subject line “Read Security Message” to many hundreds of Williams employees and students.  The had an attachment with a link to a bogus Williams webmail site.
The itself was not particularly believable, but the fake webmail site was a perfect copy of Williams’ real site.  The only way to tell it was fake was to look at the domain information, which was:
Again, every graphic on the web is totally simple to copy, and there is software that can copy an entire site.

48. Preventing Malware, Viruses, Spyware
Malware, short for malicious software, is designed to infiltrate or damage a computer system without the owner's informed consent. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code covering viruses, spyware, trojan horses, worms, rogues, etc.
Spyware is like a virus specifically designed to steal information.
Worst-case Malware allows attacker to remotely control your computer:
Send spam from hosts with no direct link to actual source
Use clusters of compromised hosts for mass attacks on other web targets
Record keystrokes and web traffic to obtain user’s financial account logins, etc.
Keep up to date with AV, OS, Browser, Java, and Adobe patches.
Tools for home use:
Microsoft Security Essentials : Simple, lightweight AV free from Microsoft.
Malwarebytes.org : Free removal tool – MalwareBytes AntiMalware (MBAM) Run if you have a problem. (Download file is mbam-setup-versionnumber.exe : Be careful of the ads for other stuff on the download page. You want only the mbam-setup… file)
Search Microsoft to find their free Security Essentials antivirus. They update it based on the malware that Windows systems encounter world wide (you can opt out if it reporting home, but it seems a useful idea.)
The free version of MBAM does not prevent malware; you run it manually to clean it up if you have gotten a problem. Note that since it is a free give-away, rather than hosting it directly at they link to download sites that pay them for advertising. Thus, when you try to download it, there will be many ads on the page trying to get you to click them. Make sure you only click for the mbam-setup.exe download (the file name includes the current version number as well.)

49. Common ways to get Malware:
Beware of online pop-up ads pretending to be a malware scanner.
Beware of online videos that claim you need to install special software to play the video.
attachments – Don’t open it unless you are sure. Check with the sender. This includes e-cards, Word documents and PDFs.
Web links in – Don’t follow it unless you know for sure where it goes. (Check the actual link address, not the “pretty” version.)
Don’t download hacked versions of expensive software — who knows what else the hacker might have added?
Don’t add random software to your system if you can live without it
E.g. WeatherBug, popup Smiley-face tools, fancy screen savers, etc.
However, some malware can get you if you merely visit an infected website. Sorry.
The last category refers to soffware known as “drive-by malware” The infected site could be a totally reputable one that has been hacked with the malware installing link. (Patched up-to-date browsers and software are some defense against these.)
Basically, the sites may have links that open in “invisible” windows and “display” files that will break your browser plug ins and lead to an exploit.

50. Rogue Security Software
Rogue security software (“Fake Anti-Virus”) is software that misleads users into paying for the fake removal of malware.
Typically you get a pop-up window while on the web alerting you that you have viruses or spyware on the computer and offering to clean it up. If you accept the offer the program installs itself, then will continuously try to get you to pay for a “professional version” – which does nothing, except maybe remove itself.
Sometimes these rogue programs will not be picked up by real anti-virus software because you agreed to install the software.
One program that does very well at removing this type of software is Malwarebytes AntiMalware (MBAM) from malwarebytes.org.
This has been a big fad in malware for a while. Apparently they really make money at this!
A partial list of know rogue security software. Just the a’s!!
Advanced Cleaner, AlfaCleaner, Alpha AntiVirus, AntiSpyCheck 2.1, AntiSpyStorm, AntiSpyware 2009, AntiSpyware Bot, AntiSpywareExpert, AntiSpywareMaster, AntiSpywareSuite, AntiSpyware Shield, Antivermins, Antivirus 2008, Antivirus 2009, Antivirus 2010, Antivirus 360, Antivirus Pro 2009, AntiVirus Gold, Antivirus Master, Antivirus XP 2008, Antivirus Pro 2010, Antivirus System PRO, Avatod Antispyware 8.0, Awola

51. Security recap
Physical security can usually be attained by applying common sense and a little care – treat your computer like a passport or your wallet or purse.
Apply important software updates as soon as you are prompted.
Your office computer is a business tool – don’t use it like a home entertainment system. This may help avoid some malware
Wireless is everywhere and incredibly convenient, but anyone can receive your traffic (traffic generally meaning whatever you are typing in a web browser). If you are doing anything off-campus that requires a username and password, or requires entry of confidential information make sure the website is
Your username and password protect a lot more than just YOUR personal info – they may give access to many people’s PPI on college systems.

52. Quick Quizzes
You’re traveling without a computer and want to see if you were paid on time. You find an internet café, pay for access, and log in to your online banking web site. You note that the username/password page in the web browser on the computer you’re using is encrypted (using Should you log in?

53. Quick Quizzes
Which of these web addresses (URL’s) are legitimate Simon’s Rock addresses?

54. If Nothing Else, What should you remember?

55. WWII Posters from American Merchant Marine at War, www.usmm.org
Questions?
Many thanks to Williams College OIT for use of their PowerPoint presentation and for sharing their specific exploit examples.
WWII Posters from American Merchant Marine at War,
If time for more demos:
Word password protect document
Ninite.com
Lastpass.com