
Provided by PPG Corporate IT Security. Questions? Email: *IT Security

TIPS AND TECHNIQUES TO PROTECT YOUR INFORMATION

Private Is Not So Private in Social Media


Anna (we've simplified her Twitter name so it's not identifiable) tweeted some details of the difficulty of being a young, single mother on welfare. When unfriendly, judgmental remarks by an acquaintance she only knew slightly turned up on view for the friends and family she's linked to on Facebook, it wasn't something she'd expected. "I don't make a secret of my situation," she tweeted (still at it, apparently), but she was clearly surprised, unhappy, and with one fewer friend on Facebook.

Millions of people now use Facebook, Twitter, LinkedIn and other social networking sites to communicate with friends, family, and colleagues. This can be a wonderful way to stay in touch, but along with their ease of use comes the risk of sharing too much information. It's easy to believe that you are sharing your thoughts and photos with just your friends, but the services you use can reveal more about you than you realize. The wider your network becomes, the more people have access to your information. When you post something online, you're not just talking to one other person; you're potentially talking to hundreds or even thousands of people. Co-workers, customers, bosses, prospects and competitors could all be reading your posts and tweets or searching your LinkedIn profile.

While you may think that your information is protected, things you share on social media sites are not confidential. Plus, you have little control over what happens once it is out there. It's a simple process for someone to find, copy, and post your content somewhere else without you even knowing it. You might believe that what you post will go away if you just delete the files. However, the reality is that your content and photos may be out there forever and can come back to haunt you. Beyond the embarrassment of your daughter's 948 friends seeing your profile, comments and photos, the consequences of oversharing or poor social media habits can be serious.

Cyber criminals mine personal information hoping to crack the passwords to your bank and email accounts. They also monitor activity and take note of your actions. People who have posted photos and comments while on vacation have returned home only to find their houses burglarized. On the employment front, employees have been terminated due to social media instances ranging from revealing confidential or proprietary information to surfing Facebook while calling in sick.

In response to rising privacy concerns, social networking sites have added strong privacy settings that can help you protect the information you share online. Facebook, for example, has privacy settings that let you control who can see what type of information. Settings often change, so make sure your profile can only be viewed by friends you have approved. Twitter allows you to protect your tweets, and LinkedIn lets you control the visibility of certain information. But privacy settings don't trump common sense:

- Be selective about whom you friend or connect with.
- Know your privacy settings and use the strictest settings available for personal pages and photos.
- Use good judgment. Consider how your comments will reflect on you and your organization.
- Change your passwords often and use a different password for each social networking site.
- Untag yourself from embarrassing photos.
- Think twice about any personal information you make available in your profiles.
- Err on the side of caution and refrain from discussions about anything work related.

INSIDE

Passwords
What's Wrong With Qwerty?

Security Savvy
Test your knowledge after reading.

Special Tactics
Watch what you say in emails.

Closer Look
A DroidDream nightmare.

Global Warnings
Cybercrime headlines from around the world.

PPG
Safe email tips from PPG IT Security.

FRONTLINE

2011 by COMPUTER SECURITY INSTITUTE

Security Savvy

Test your knowledge after reading this issue.

1. True or False: Content posted on social media sites will go away if you just delete the files.

2. A strong password should be:
   a. Reused on all Web sites and applications, so there's only one password to remember
   b. Written somewhere on your desk because a strong password is too hard to remember
   c. Made by combining names of cartoon characters
   d. None of the above

3. Which statement about emails is false?
   a. Hackers are leaking emails.
   b. Deleting an email ensures that no one will see it.
   c. Companies can legally monitor emails.
   d. Every email leaves a trace.

4. What are some ways to protect yourself when using social media?
   a. Know and use privacy settings.
   b. Be selective about personal information you post.
   c. Change passwords often.
   d. All of the above.

PASSWORDS
What's Wrong with QWERTY?


Passwords are a first line of defense in keeping attackers out of a company's network, but all too often they are viewed as a nuisance or more trouble than they're worth. The result is terrible security.

A hacker group called Gnosis, for example, recently compromised Gawker.com's database and posted the usernames and passwords of 1.3 million users. An analysis of the 188,279 different passwords shows the list to be full of security no-nos. Over 3,000 users chose "123456" and 2,000 people used "password". Coming in third place was "12345678" with 1,000 users. Also, a study of more than 30 million passwords exposed when Rockyou.com was hacked found that almost half used common dictionary words, names, or sequential characters on the keyboard, such as "qwerty" from the top row of English-language keyboards.

In addition to choosing weak passwords, many people use the same password for numerous accounts, placing both their organizations and themselves at risk. Once a hacker cracks a password, it's a simple matter to go after other networks that contain sensitive data as well as personal email and bank accounts.

Fortunately, it's fairly simple to create a good, memorable password. Check your company's policy on passwords and follow its recommendations.

Password Dos and Don'ts


You can make it difficult for hackers by following some password best practices:

- Keep a different password for all of your accounts. Every time you're asked to create a password, make it a brand new one.
- Change your passwords periodically.
- Keep your password a secret; don't share it even with a trusted coworker.
- Be sure no one is looking over your shoulder when you type your password.
- Keep your password reminders in a secret place that isn't easily visible. Never write your password on a sticky note and put it on your monitor or under your keyboard.

Here are some things to avoid in choosing a password:

- Avoid sequences or repeated characters, such as 22222, 12345, qwerty or asdfg.
- Never use the word "password".
- Do not use your first name, last name or username.
- Skip all dictionary words, even those with an added number or character in front or back, or a number substitution.
- Avoid names of family members, friends or pets.
- Don't use personal information about yourself or family members in passwords.
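The don'ts above are mechanical enough to check automatically. The script below is an added example, not part of the newsletter or PPG's tooling: it flags the rule(s) a candidate password breaks (keyboard sequences and repeated characters, the word "password", dictionary words with added digits or number substitutions, and personal names or usernames). The word list and the `personal` names are constructed stand-ins; a real deployment would load a full dictionary.

```python
import re

# Constructed stand-in word list; a real check would load a full dictionary file.
DICTIONARY = {"password", "welcome", "dragon", "monkey", "letmein", "football", "summer"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
# Number/symbol substitutions that, per the newsletter, do not make a dictionary word safe.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

def has_run(s, n=4):
    """True if s holds n identical characters, or n consecutive ascending/descending ones."""
    for i in range(len(s) - n + 1):
        w = s[i:i + n]
        if len(set(w)) == 1:
            return True
        steps = {ord(b) - ord(a) for a, b in zip(w, w[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False

def has_keyboard_walk(s, n=4):
    """True if s holds n adjacent keys from one keyboard row, in either direction."""
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - n + 1):
            frag = row[i:i + n]
            if frag in s or frag[::-1] in s:
                return True
    return False

def core_word(pw):
    """Strip digits/symbols added in front or back and undo substitutions: 'Dr@g0n!' -> 'dragon'."""
    stripped = re.sub(r"^[^a-zA-Z]+|[^a-zA-Z]+$", "", pw)
    return stripped.translate(LEET).lower()

def check_password(pw, personal=()):
    """Return the newsletter rules the password breaks; an empty list means it passed them all.

    personal: hypothetical list of the user's own, family, friend or pet names and usernames."""
    low = pw.lower()
    core = core_word(pw)
    problems = []
    if has_run(low) or has_keyboard_walk(low):
        problems.append("sequence or repeated characters")
    if "password" in core:
        problems.append("contains the word 'password'")
    elif core in DICTIONARY:
        problems.append("dictionary word with added characters or substitutions")
    if any(t.lower() in low or t.lower() in core for t in personal if t):
        problems.append("personal name or username")
    return problems
```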

SPECIAL TACTICS
Watch What You Say in Emails

Imagine having your emails published by hackers for the entire world to see. A number of recent news stories (Wikileaks is only one) have made it clear that email databases are sometimes hacked and the contents of the emails made public. This can occur whether or not the breach is widely known; you may not even be aware that your emails are being read by unintended recipients.

Because email is a simple, convenient way of communicating, it's easy to forget that emails are company documents that can cause a lot of damage if they fall into the wrong hands. Whether it's accidentally leaked or stolen by hackers, email can be used to place organizations at risk, damage reputations, and lay the groundwork for other criminal acts by people posing as the sender.

More and more, emailing has replaced chatting with coworkers around the water cooler. The trouble is that around this new version of the water cooler, all of the conversation is being written down, and every email you write could wind up on the Internet or in court. Whether it's sharing sensitive information, complaining about the boss, or forwarding a joke, it's easy to write something in an email that you may later regret.

Nowadays, you shouldn't expect any email that you write at work to remain private. Emails can be forwarded without your knowing it. If you're a high-level employee, they can get reported to public newsgroups and made public at a later date. It's never a bad idea to write your emails with the idea that they could wind up on the front page of a newspaper.

Many companies also monitor email to protect their proprietary information and make sure employees aren't using email for non-work-related activities. In most jurisdictions, emails can be read legally by your supervisor and serve as evidence for termination. Employees who assume their messages are gone when they delete them are often wrong. Every email leaves an electronic trace as it passes through the system. Even if you clear your inbox, draft, trash, and sent folders regularly, there may be a permanent record of your emails in the company system.

Here are some tips for keeping safe:

- Be careful what you write; treat all emails as though they are being monitored.
- Only send messages that you would be comfortable seeing in the newspaper.
- Limit your communications with family and friends.
- Don't send inappropriate material. If you're thinking of adding "Delete this as soon as you read it," you shouldn't be sending that email.
- Be careful when using humor; without face-to-face communication, your joke may not be received in the spirit intended.
- Guard your email password to keep others from posing as you.

CLOSER LOOK
A DroidDream Nightmare

A recent malware attack on Android phones broke new ground for mobile viruses. Known as DroidDream, this Trojan horse is the first piece of Android malware to appear in Google's official Android App Market. It is also the most sophisticated piece of Android malware seen to date. DroidDream is also the first instance of Android malware that exploits two vulnerabilities in the Android phone operating system. It was able to bypass security features within the Android operating system and gain access to the phone's system code. While the vulnerabilities were patched by Google last year, the majority of phones lacked the patch, allowing the attack to compromise more than 260,000 phones.

In the attack, hackers pirated copies of 58 popular apps, inserted the Trojan, and posted the apps with slightly different names back on the Android Market. The hackers then used the malicious apps to gain substantial control of the affected phones. Once in place, the program forwarded phone-specific information (including model, software version, and user identifiers) to the hackers' command-and-control server. A further phase served to maintain a connection to the server with the purpose of silently downloading additional programs and installing them as system applications on any infected device.

Google removed 58 applications from the Android Marketplace and immediately took action to identify affected users and remotely remove the malicious applications from their smartphones. Google also developed a security update to push to affected phones, which should mitigate further information leaks or access by the malware-laden applications.

If there was any claim that mobile malware isn't a serious threat, the appearance of DroidDream shattered it. A close look at DroidDream shows that criminal hackers are coming up with more ways to attack mobile devices. Users, while generally aware of cyber attacks that are prevalent on the PC, may have a good chance of being caught by surprise on the phone.

GLOBAL WARNINGS

If you find yourself wondering why today's managers and security departments are concerned about employee security behaviors, take a look at today's headlines. These selected stories from around the globe make it clear that there are lots of good reasons to be careful.

PLAY.COM CUSTOMER EMAILS LOST IN DATA BREACH


Online retailer Play.com named its marketing partner Silverpop as the guilty party behind the disclosure of customer names and email addresses. The breach led to distribution of spam to email addresses only registered with the online retailer on Sunday. These emails offered supposed software updates from Adobe but actually linked to sites serving up malware. The Register, 3/22

HEALTH NET BREACH EXPOSES 1.9 MILLION RECORDS


Nine server drives containing names, addresses, health information, Social Security numbers and/or financial information of former and current Health Net members, employees and health care providers were lost by IBM, Health Net's IT infrastructure vendor, during a move to a new data center. Dark Reading, 3/16

Safe Email Tips from PPG IT Security

On the Internet today, SPAM and Phishing attempts can come from anywhere. Email scams have been around almost as long as the Internet itself and are still widely used today. We all have seen email scams come into our mailbox. Sometimes they are disguised as an email from a bank, credit card company, long-lost relative or foreign dignitary, asking you to verify account information or provide financial assistance. These messages are attempts to gain access to your personal information or infect your PC with harmful malware.

Built-in SPAM blocking software does a good job at blocking most of these emails from our mailboxes, but some will avoid detection and be delivered. Users should be cautious about all email that they receive and open. Practicing safe email habits can help to protect users from SPAM and Phishing attacks. Here are a few simple rules that all users should follow regarding email:

1. Never open emails from unknown senders. If a suspicious email is opened by accident, never download or open any attachments from these suspicious messages. Suspicious messages can often be identified by spelling errors and poor grammar.

2. Be cautious when clicking web links in email. SPAM and Phishing attempts will often hide the true address in a provided link. A quick check can be performed by placing the mouse cursor over the link, which will display the true address of the link. If the link looks suspicious or different than what is displayed in the email, it may lead to a malicious site.

3. Never reply to an email with your username and password or any other personal information. Most reputable companies will not ask for your credentials via email or via links to websites contained in email. If you want to log into a site, type the site's address into your Internet browser instead of using the link in the email.

Ultimately, all employees make up one of the layers of security for the PPG network, and it is important to be cautious when checking email. Following these few simple rules can greatly reduce the risk that SPAM and Phishing emails pose to PPG.
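Rule 2, the hover check, can also be run by a mail filter: compare the address a link displays with the host its href actually points to. The script below is an added example, not PPG's or the newsletter's own code; the sample message is constructed and uses reserved example domains only.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:  # only text inside an open <a> is link text
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def host_of(text):
    """Lower-case host of a URL or bare domain ('' if it has none)."""
    t = text.strip()
    if "://" not in t:
        t = "http://" + t
    return (urlparse(t).hostname or "").lower()

def looks_like_address(text):
    """True when the visible link text itself reads as a web address."""
    return re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text.strip(), re.I) is not None

def suspicious_links(html):
    """(displayed address, real href) for links whose shown address does not match the href host."""
    parser = LinkCollector()
    parser.feed(html)
    return [(text, href) for href, text in parser.links
            if looks_like_address(text) and host_of(text) != host_of(href)]

# Constructed sample message; every domain is a reserved example name.
SAMPLE_EMAIL = """
<p>Your account needs verification. Visit
<a href="http://update-check.example.net/login">www.example-bank.com</a> now.</p>
<p>Get the update at <a href="https://downloads.example.org/update">downloads.example.org</a>.</p>
<p>Or <a href="https://www.example-bank.com/help">click here</a> for help.</p>
"""
```

Only the first link is reported: it shows one bank's address but leads to a different host, which is exactly what hovering would reveal. Links whose text is not an address (such as "click here") cannot be judged this way and still need the rule 3 habit of typing the site's address yourself.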

LOST MEMORY STICK PLACES ELDERLY AT RISK


Leicester City Council lost a memory stick containing security codes of 2,000 homes and medical details on 4,000 people looked after by the LeicesterCare support service. The memory stick, used to back up information on council computers, was supposed to be locked in a safe every night. UK Daily Mail Reporter, 3/22

GLOBAL OFFENSIVE SNAGGED CORPORATE, PERSONAL DATA


Hackers in Europe and China successfully broke into computers at nearly 2,500 companies and government agencies over an 18-month period in a coordinated global attack that exposed vast amounts of personal and corporate secrets to theft. Besides Merck and Cardinal Health, people familiar with the attack named several other companies infiltrated, including Paramount Pictures and software company Juniper Networks Inc. Wall Street Journal, 2/18

11.6 HOURS SCAM SPREADING ON TWITTER


A new Twitter scam is spreading through accounts of unsuspecting users who have been duped into clicking on a link that claims to reveal how many hours they've spent on Twitter. The scam spreads through a message that reads "I have spent 11.6 hours on Twitter. How much have you? Find out here." A link takes the user to a page that will attempt to connect an application called "Time on Tweeter", which, if installed, will spread the message further through the user's Twitter account without their consent. Mashable, 3/2

TSUNAMI WHALE FACEBOOK SCAM


Facebook criminals are spreading a likejacking scam called "Japanese Tsunami Launches Whale Into Building". Spread via crazytsunamivid.info on wall posts, the link takes users to FouTube.com. When users click on what they think is the video, they immediately and silently "like" the fake video and spread it via wall posts to their friends. And after all that work, there is no video. SecurityNewsDaily, 3/14
