You’re now aware that networks, including the Internet, can be a rough place. And you know enough of the rules so you can keep out of trouble. Here are some actions you can take to protect yourself and your data even further.
A basic premise of computer security is that there’s no way to be 100% safe from all risks, but if you make yourself as secure as you possibly can, a cracker or con man or even a piece of malware will simply move on to an easier target.
In The Risks, we talked about social engineering. These con men (and women) are simply after information that will help them steal your identity and your assets. Knowing what sort of information they typically look for--and not giving them access to it--is all that it takes to defeat them.
Always be hesitant to give your social security number, even partially, to anyone and don’t be afraid to ask why they need it. Never give it in response to an e-mail, and don’t store social security numbers on your computer.
For more information about when it is appropriate to give your social security number to someone, please follow the Social Security link in our links section to the left.
There are other things like social security numbers you need to protect, such as driver’s license numbers, other government-issued I.D. numbers and bank account numbers--including credit card information. Keep those items secret: do not store them on your computer or give them to someone who calls you on the phone or sends you an e-mail.
And never give a password to anyone. Ever. Not even to your support personnel, a co-worker, or even your boss.
If you’re not sure an e-mail or a website is legitimate, ask your computer support personnel, such as the Computer Helpdesk or the staff at a computer lab. You won’t bother them--in fact, most enjoy finding bad websites and phishing e-mails so they can put a stop to them.
You can help us stop phishing at Oregon State University. While we block thousands of these attempts daily, some new ones always manage to get through. Information on how to safely get the right information from a phishing e-mail and provide it to the appropriate individuals so they can block it is provided in our links to the left under “Report an Incident.”
Stopping malware requires several actions on your part.
Always run an antivirus program on your computer. That includes you too, Mac and Linux users. Everyone is susceptible to malware. Oregon State University provides everyone, employees and students, with a high quality antivirus program. Click on the Free Stuff link on the left to get a copy and install it on your computer.
You’ll recall that some malware programs take advantage of flaws in programs to get onto a computer. To overcome this risk, it is vital that you keep all the programs on your system up-to-date.
One of the most common ways to get infected is to do a search and, clicking through the search results, visit a website that is either malicious or contains an infected advertisement. Sometimes it is obvious--the URL just looks wrong--but most of the time, at a glance, you’d never know there was anything wrong with the site. There are tools to help you with this. One such tool, called Web-of-Trust, marks good sites with a green circle and bad sites with a red one in your search results. A link is provided in our Free Stuff section.
Now we have to be brutally honest with you here. Even if you do everything that we’ve suggested so far to stop malware, chances are that eventually you will still get infected. There’s simply too much malware out there, and some of it is very, very cleverly designed.
There is another thing you can do to prevent malware from getting onto your computer. It is, by far, the best single thing you can do to prevent your computer from being compromised. What is it?
If you do use an account that has administrative rights, it is time to start a discussion about getting rid of those rights and adding a second account that has those rights instead. You can then use this second account when you need to install programs.
Ah. It may have just dawned on you why this is so important. You need to be an administrator to install certain types of programs, including the worst kinds of malware.
If you happen to use information classified as Protected, you do not have a choice. University policy requires that you do not use an account that has administrative rights for daily activities on your system. Please check with your computer support personnel to make sure you are in compliance with the policy.
We’d encourage everyone to do this. Students—and employees, for your personal machines—do this too. It makes a big difference.
Aside from using a social engineering technique, or a piece of malware like a keylogger that records everything you type on your computer, one of the first things a cracker will try to do to gain access to your data is to break your password. You can already count on them having your account name--that is really easy to get.
Your password is stored on your computer in a known location. It is encrypted--it is hidden from easy view by using a mathematical algorithm to transform that series of letters, numbers and special characters into gibberish. But it can be guessed. And it can be broken by using software tools.
A good password that you don’t share with anyone makes guessing difficult. Using a software tool requires a powerful computer (or a group of computers working together) but it will, eventually, break even the toughest password.
But how long will it take? That’s where having a longer password helps.
Let’s say you have a fairly complex password, that is, a password that contains both upper and lower case letters, numbers and punctuation characters. If that password is 5 characters in length, a cracking program running on one average computer will take 74 minutes to crack.
Take that up to 6 characters, and the program will take 4 days. That’s still not very long.
8 characters however, will take one computer 58 years.
So you’re probably feeling pretty smug right now. That 8 character password will take you all the way through school and retirement, and then some.
But your average cracker doesn’t just use one computer. He’s been infecting machines all over the world with malware that lets him control them. He has what is known as an army of bots--several hundred, or even thousands of computers, waiting to do his bidding. So while those computers’ owners are all snug in their beds asleep at night, our nefarious cracker is using those systems to crack your 8 character password.
If he’s just getting started, and only has 500 computers available, it will take him only a month and a half to break your password. At 1000 computers, it is only 21 days.
According to a 2006 article in the Washington Post, the average size army of bots available to a cracker is 20,000 computers. Your 8 character password might last a day, if it is really complex. If you're lucky.
To beat that, you need to add length. A 15 character password would take that cracker with his 20,000 computers 35 million years to break.
The thing is, a 15 character password--or even a 20 character password--is actually easy to type and remember--if you think of it not as a single word, but as a passphrase.
I like to use nonsense phrases:
That, including spaces (which count) is 30 characters long (there’s a punctuation mark at the end in case you’re counting). I can make it even tougher to crack by adding a special character or a number in the middle of a word. It is easy to remember--and very quick to type--once you get used to it.
Try a passphrase--it is an easy way to defeat a password-stealing cracker.
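The arithmetic behind the cracking times above, as an added example that is not part of the original page. It calibrates a per-computer guess rate from the page's "8 characters, one computer, 58 years" figure and then scales by number of computers and by length. The 94-character alphabet and the 7776-word list are assumptions, so results for other lengths depend on them and will not match the page's figures exactly.

```python
# Added example: brute-force time model calibrated to the page's 8-character figure.
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Assumption: upper/lower case letters, digits and punctuation = 94 symbols.
ALPHABET = len(string.ascii_letters + string.digits + string.punctuation)

def implied_rate(length=8, years=58.0, alphabet=ALPHABET):
    """Guesses per second one computer needs to exhaust `length` chars in `years`."""
    return alphabet ** length / (years * SECONDS_PER_YEAR)

def char_search_seconds(length, machines, rate, alphabet=ALPHABET):
    """Worst-case time to try every string of exactly `length` characters."""
    return alphabet ** length / (rate * machines)

def word_search_seconds(words, machines, rate, wordlist=7776):
    """Worst case when whole words are guessed from a known list instead of
    single characters (7776 is the Diceware list size, used as an assumption)."""
    return wordlist ** words / (rate * machines)

def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400), ("hours", 3600)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"

def report():
    """Rows of (scenario, estimated worst-case time)."""
    rate = implied_rate()
    rows = [(f"8 chars, {m} computers", humanize(char_search_seconds(8, m, rate)))
            for m in (1, 500, 1000, 20000)]
    rows.append(("15 chars, 20000 computers",
                 humanize(char_search_seconds(15, 20000, rate))))
    # A passphrase of common words is only as strong as the word count allows.
    rows.append(("5 random words, 20000 computers",
                 humanize(word_search_seconds(5, 20000, rate))))
    return rows

if __name__ == "__main__":
    for label, value in report():
        print(f"{label:34s} {value}")
```

The last row shows why length alone is not the whole story for a passphrase: if the words come from a list a cracker also has, strength grows with the number of words, which is a reason to use more words or the mid-word character described above.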
Another tool you can use to defeat crackers is to enable the built-in firewall on your computer. If you’re an OSU employee, it is very likely that your departmental computing administrator has already enabled this for you. You may also be behind a hardware firewall.
If you’re a student, or an employee at home, instructions on how to enable the built-in firewall on your computer can be found in our links section to the left.
If you’re being bullied by another student at Oregon State University, contact the Student Conduct and Community Standards Office. A link to their web page is on our Additional Information page.
Cyber threats and cyber predators should be treated seriously. Should you become aware of this activity, or if you are a victim of a cyber threat or predator, please contact the Oregon State Police at the Department of Public Safety. Their contact information is included in our Incident Response section.
These are just a few tips to protect yourself, your computer and your data. We’ll be providing more ideas in our Respond section of this website in the near future--be sure to check back with us. If you have any ideas for responding to these types of risks, please share them with us through the “contact us” section of the site.
Thanks and have a safe time on the network.