One Step Ahead: Privacy and Security Tips
September 12, 2006, Volume 53, No. 3	Print Issue

A series of tips provided by the Offices of Information Systems & Computing and Audit, Compliance & Privacy.

Managing Passwords

How many of you forget which passwords you use when?  In today’s world of increasing password use, here’s some advice. Create distinctive passwords according to four categories:  1. PennKey; 2. Other Penn Systems; 3. Personal (Most Critical); 4. Personal (Other).

1. PennKey. For many Penn systems, you will be required to create a strong password with the PennKey application.  Never share your PennKey password and use it ONLY on Penn systems.  Your PennKey password can be abused to access institutional data—and even your own sensitive data—so keep it to yourself.  If you have shared your PennKey password, create a new one immediately by visiting www.upenn.edu/computing/pennkey/setreset/#change. If you need to have someone else access PennKey-authenticated systems on your behalf, talk to your Local Support Provider about getting proxy access for that person. 

2. Other Penn Systems. Establish a second password for Penn systems that are not accessed via PennKey and password. 

3. Personal (Most Critical). For your life outside of Penn, consider creating one or two long and complex passwords for your most sensitive systems, such as online banking and other financial systems or home or car alarm systems.

4. Personal (Other). Take as the remaining category your e-commerce activities and select one or two passwords for those activities.

Security and Working at Home

Your Penn LSP probably goes to great lengths to keep your office computer free from viruses, worms, and other network nasties.  But what happens when you lug a Penn laptop home or use your own home computer to stretch your workweek? 

If you have young kids at home, chances are they know more about computers than you do.  They may spend more time online than you, and they probably take technology for granted.  But there could be problems if you let them use your Penn-provided computer.

Many kids’ recreational style of computing is incompatible with keeping computers secure.  Some don’t think twice about clicking on email attachments or installing untrusted, free software that opens up dangerous vulnerabilities.  Others are too trusting.  When faced with a popup window that screams “Your computer has been hacked.  Click here!”, they go ahead and click, installing spyware that will eventually bring the computer to a grinding halt.

If you are the only person using a Penn Windows computer at home and are careful about what you click on and what programs you install, there’s a good chance it is secure.  But if you allow kids to share your work computer, your computer may very well be infected with viruses, spyware, worms, and more.  And, if you bring that computer back to campus, there’s a good chance it will spread security problems to other Penn computers.

It’s best not to allow your kids, or anyone else, to use the same computer that you use for Penn-related work, particularly if you store, or have access to, sensitive data.  One alternative is to give your kids a separate, unprivileged account to use.  That could help limit any unintentional harm they might cause.

Your PennKey—and all the Reasons to keep it Private

You have often heard the strong caution, “don’t share your PennKey,” but you may not know why. Here are some important reasons.

First, your PennKey and your PennKey password protect your information. PennKey is the authentication system for logging on to self-service websites at Penn, including U@Penn, and viewing your own personnel data. Anyone with your PennKey and password can look up your pay, your dependents, and other information that you probably want to keep private!

Second, the PennKey system protects institutional data. Your PennKey is assigned to you and used to provide access to sometimes numerous systems based on your legitimate needs. Access is granted to you—and not to others. If you need to give an assistant access to a particular system, for example, to your e-mail, contact your Local Support Provider to open a proxy account for your assistant for that e-mail account only. That way, you will achieve what you need without opening up other systems and data to someone who is not authorized for access.

Finally, asking another individual to take training or certify compliance using your PennKey is dishonest—it does not qualify as compliance for you or for Penn. Do not ask someone else to electronically “sign” for you using PennKey, and if you are asked to use someone else’s PennKey, just say “no”!  Call 1-888-BEN-TIPS if you have questions or concerns.

Create Strong, “Uncrackable” Passwords to Foil Hackers

You may not realize it, but the number one reason computers get hacked is weak passwords. To protect against hackers, who use automated password-cracking dictionaries to gain access to online accounts and individual computers, be sure to use strong, hard-to-guess passwords with the following characteristics:

• Are at least 8 characters long

• Contain no words found in English or foreign language dictionaries

• Contain no words found in specialized dictionaries, including those used by hackers, which include names, proper nouns, and popular words from non-standard sources such a music, movies, and video games

• Contain a mixture of at least three of the following: uppercase and lower case letters, digits (0-9), and special characters (%*!, etc.)

• Contain no personal information such as your birth date.

To create a strong password, think of a phrase that has meaning only to you; for example, “My son Charlie Jones goes to school in Bryn Mawr, PA.” Take the first letter from each word to create a password that is nearly uncrackable yet not hard to remember: “MsCJgtsiBMPA.” To make it even tougher to crack, use digits and special characters: “MsCJg2siBM,PA.” If you find it necessary to write down your password, don't leave it in an accessible spot or share it with anyone.

While much data at Penn is absolutely necessary to our everyday operations and mission, most people retain sensitive data longer than they need to. This is true for paper documents as well as computer files, e-mails, and so on. And keeping unnecessary data creates unnecessary risks both to the individuals whose data is kept and to Penn.  The best way to protect data is to simply not have it. 

Paper Files.  Review your paper files containing confidential data and shred them when allowed (see below).  To arrange for shredding, contact the University Records Center at (215) 898-9432.  You can have any number of shredding bins placed and picked up based on your office’s needs. 

Electronic Files.  To securely destroy electronic files that are appropriate for destruction, contact your LSP for options.  For example, individual files can be securely destroyed using the PGP Shred function. See www.upenn.edu/computing/provider/recycle.html for more information.

Records Cleanup Day. Spread good practices by hosting your own Records Cleanup Day. For information and tools to help, see www.upenn.edu/privacy.

(Note that we must not shred or delete information that is an original and still within the University’s records retention requirements.  Nor should we destroy any information if there is an actual or likely claim, lawsuit, government investigation, subpoena, summons or other ongoing matter involving such records. When in doubt, retain the information and keep it secure.)

In his 1993 book, The Panoptic Sort, Annenberg Emeritus Professor Oscar Gandy warned about the threat to privacy that panoptic technology poses. Gandy describes panopticism as continuous, automatic surveillance, and describes efforts to monitor the spread of plague in cities in the 17th century by asking individuals to stand in front of their windows to be inspected for pox, and the design of prisons that permit a few guards to monitor hundreds of inmates.

Classic examples of panopticism today are web search engines such as Google, Yahoo! and AltaVista. Search engines run programs called “spiders” that scour billions of the world’s computers and index literally every single word. Google has two spiders, one that follows every link in the world once a month, and another that indexes frequently updated sites like newspapers and magazines. Wikipedia reports that in 2006, Google indexes were stored on 450,000 computers spread around the world. Google receives about a billion requests a day. In 2005, Google claimed that they indexed over 8 billion web pages, but experts claim that it is closer to 24 billion and expect that the short term goal is to be able to index 100 billion. Yahoo! claims to have indexed over 19 billion documents.

Although it would be impossible to find information on the web without indexing, it’s important to take steps to ensure that private information doesn’t get indexed. Read the tips in the next two issues of Almanac to find out what steps you can take.

Keep Your Private Data From Showing Up On Google

If you are careless, Google and similar search engines will index private files on your computer, making them available to the whole world. Here’s how you can prevent this from happening:

• Beware of Google Desktop. For details, see a previous One Step Ahead tip: www.upenn.edu/almanac/volumes/v52/n33/osa.html.

• Ask your web administrator if directory index listings have been disabled. (This has been done for www.upenn.edu.)

• Be careful what folders you store sensitive files in. When you use "Save As …" it's easy to save a file to the wrong folder. Web publishers have sometimes accidentally saved a sensitive file in the public web folder.

• If you lack experience developing web-based databases, get help from your Local Support Provider.

• Even properly protected web pages with sensitive data should be taken offline when no longer needed. It's too easy, unfortunately, for applications with one wrong setting to end up in the public domain.

• Google doesn’t have a PennKey! If only members of the University community should have access to sensitive data, use PennKey authentication to protect those parts of your website. See www.upenn.edu/computing/web-security/websec/  for more information.

• If you run a web server, prevent search engines from indexing selected directories using a robots.txt file.

If you have questions, please contact Information Security at security@isc.upenn.edu.

See next week’s tip (below) to find out how to detect if you’ve been indexed.

Find Out If Google’s Got Your Data Before the Bad Guys Do

Hackers use Google extensively to find private data on the web. You can preempt theft of your data by using the same tools the bad guys use.

Use search engines regularly to search for any private data that might have been mistakenly exposed. Because you’ll be searching computers throughout the world, you’ll need to limit your search somehow to avoid getting a lot of “false positives.”  To limit your search to just Penn, type the following in front of your search terms: site:upenn.edu

Or to limit your search to a particular server, such as the Penn Humanities web server, type: site:humanities.sas.upenn.edu 

Search for terms like “confidential,” “private,” “meeting minutes,” employee names or cell phone numbers.  Before searching for especially sensitive data like Social Security or credit card numbers, consider that any search terms you type will go out over the open Internet, and are subject to snooping, so use good judgment.  For an excellent article on Googling yourself to protect your privacy, see: http://review.zdnet.com/AnchorDesk/4520-7297_16-5153622.html

If you are unlucky enough to have sensitive data indexed, simply removing it from your computer is often not enough. Google, the Internet Archive, and other sites often keep a cache, or copy, of your data on their sites, and you will need to work with them to get it removed.  For help removing cached data, contact security@isc.upenn.edu.  

Finally, if you should find another Penn organization’s private data, please contact Penn Information Security at security@isc.upenn.edu.

Carelessness with Consequences

Don’t let this happen to you; it could. Dave, a business administrator, discovered that dozens of his department’s employees’ salaries, SSNs, and performance appraisal ratings were publicly available on the Internet.

Dave was computer savvy and had been given responsibility for the department’s web accessible database. Though not an expert, he thought he knew enough to get the job done. However, in today’s complex web environment, he didn’t know enough about how to protect data. Thinking a database set up on a widely used database application would be accessible only to three of his colleagues, he was shocked to find some of the data accessible by Internet-based search engines. He assumed a hacker had stolen the data. 

In fact, no one had broken into the computer. Rather, while setting up the database, Dave had accidentally placed the private file in a public folder, available to anyone on the Internet. The entire file was indexed by two of the major search engines.

Two critical lessons can be learned from this situation:

• If you aren't knowledgeable about security-related practices and techniques in building web-based databases, then ask for help from your local computing support provider or consult with ISC Security (security@isc.upenn.edu).

• Do NOT store Social Security Numbers unless there is no alternative. Use the PennID instead. If you wish to convert your SSNs to PennIDs, please contact Vicki Fullam in ISC's Data Administration Group at (215) 746-6376 to get information about a new tool scheduled for pilot testing in December.

Who Has Access to Systems? Think about it!

Many—maybe most—people at Penn have a need for access to information systems with some sort of confidential data.  But think about who, in most cases, doesn’t need and shouldn’t have that access:

• Terminated employees
• Employees who haven’t used the system in a very long time
• Employees who have changed job functions and no longer need access for their new role

Shutting down an account that is no longer needed goes very far in protecting the privacy of the data in that system. 

System owners should periodically—at least quarterly—review access privileges and eliminate unnecessary accounts. In addition, supervisors should ensure that as employees leave the University or change jobs, system access for those employees is reviewed and, where appropriate, terminated. 

For assistance, contact:

Data Administration, Amy Miller at milleraa@isc.upenn.edu
Human Resources, Gary Truhlar at truhlar@hr.upenn.edu

About Keystroke Loggers

Security experts often warn against “shoulder surfers” who peek at your screen and watch your fingers as you type in order to steal passwords and other sensitive information, but those prying eyes aren’t necessarily right behind you—they can be almost literally “inside” your computer. Keystroke loggers can record everything you type, as well as your mouse movements and clicks, and transmit them secretly to one or more spies anywhere on the Internet.

These are sometimes physical devices installed on your computer while you’re away from it, sometimes they are software programs, and in some cases a combination of both. Physical keystroke loggers often are devices inserted inline between your keyboard connector and computer, while software-based loggers are often installed by viruses, “spyware,” “adware,” and various “free” software packages like toolbars, “accelerators,”etc.

What to do? The use of personal firewalls, anti-virus software (available via site license to most Penn users at www.upenn.edu/computing/product/) and spyware removal tools helps detect and protect against unwanted loggers, and of course, don’t open unknown and/or unsolicited e-mail attachments. Be very careful about the software you download and install and the source it comes from, especially in the case of “free” programs. Also, take some time to familiarize yourself with the devices connected to your computer, what functions they perform, and be alert to any unexplained changes or additions.

Beware of “Social Engineers”

Though it sounds like something that might be a four-year degree program at Penn, “social engineering” is a term that refers to the practice of leveraging and manipulating human nature to gather sensitive and confidential information the “old fashioned way” by means of deceit, guile, subterfuge and fraud. In short, “social engineer” is a euphemism for “con artist”.

Rather than spend hours stealing and cracking encrypted passwords, social engineers understand that the best way to get someone to reveal their password is to ask them for it. By posing on the phone as someone “from the Help Desk” who needs the username and password to “fix a problem with your account”, the experienced social engineer can count on reaching more than a few people who will willingly divulge that information. In some cases, he may show up in person posing as a service representative or vendor and walk around looking for things like passwords affixed to screens with post-it notes. “Dumpster divers” are social engineers who comb through trash bins in search of confidential documents and printouts that have not been properly disposed of (i.e, shredded).

To foil social engineers, take the time to verify the identity of any person asking you for sensitive or confidential information, whether yours or anybody else’s, and verify as much as possible the legitimacy of the request. Likewise, verify the identity of visitors and monitor their activity, especially if it involves access  to computers. Where possible, orient monitors so passers-by cannot read what is on the screen. Keep confidential printouts away from prying eyes, store them securely when not in use and shred them when no longer needed. All the electronic security measures in the world are useless if the information ends up being unwittingly given away.

More and more Penn faculty and staff are working from home and more and more resources are available to make it easy. But several data protection issues arise with work-from-home activities. 

The safest way to work from home is to use a Penn laptop, managed by a Local Support Provider, that is protected by a strong password, up-to-date patches, and antivirus software.  Data should not be kept on the laptop.  Instead, use the laptop – and secure remote access – to log onto Penn’s secure servers to access data.

If you must keep sensitive data on the laptop, talk to your Local Support Provider about using an encrypted file system, which would make the data unavailable to others if the laptop were lost or stolen.  Always use a strong password for access to the laptop.  Also, purchase and install Computrace software, available from the Office of Software Licensing (www.business-services.upenn.edu/softwarelicenses/).  If a computer is lost or stolen, this software will identify its location as soon as it is connected to the Internet, and can securely delete the data from a remote location. 

If you are using a home computer instead of a Penn laptop, keep in mind that the Penn data you are working with is only as secure as the machine you are working on.  In most cases, Penn does not support home machines.  As a result, you must yourself maintain and update antivirus software and security patches, and ideally utilize a firewall, to protect your machine and the data that you access from that machine, including Penn data.

Finally, if you choose to use storage media for data, such as USB drives, these are easily “loseable”, creating risk of loss or theft of data.  Again, encrypt data on any external storage media and/or use a strong password to access the data. 

Talk to your Local Support Provider or contact ISC Information Security (security@isc.upenn.edu) for more information on these important security controls for work-at-home activities.

Security Patches/Updates—Usually Automatic, but “Restart” Weekly to be Sure

A critical aspect of keeping your computer secure is to regularly download and install operating system (OS) updates, patches and service packs. Many updates can be downloaded and installed “on the fly” with little or no impact on the computer’s operation. In some cases, however, rebooting is required for an update to take effect, and you may be presented with a dialogue box giving you the option of restarting immediately or canceling the restart. If restarting is impractical or inconvenient at the time, it’s very important to remember that a reboot is needed. If you tend to leave your computer on most of the time, be sure to restart it weekly to make sure any recently installed updates can take effect.

Your LSP has probably set your office computer up for automatic updating, but your home machine should be configured for auto-updates as well. See “Six Steps to Stronger Security” at www.upenn.edu/computing/security.

Worried About Identity Theft? Ways to Monitor Your Credit Report

Most identity theft involves abuses of credit. Identity thieves may use your data to open up new credit card accounts or use your existing account to charge purchases for themselves. One of the best protective measures is to keep a close watch on—or actually control—your credit report. You can do this in a variety of ways:

• Credit Freeze. The best preventative measure is to put a freeze on your credit file, as allowed by Pennsylvania law beginning January 1, 2007. A credit freeze effectively prevents anyone else from getting credit in your name. It also, however, prevents you from getting instant credit, for example, when you are offered a discount for opening a credit card on the spot. A credit freeze costs $10, and an additional $10 to lift the freeze when you want to apply for credit or a loan.

• Fraud Alerts. You can also place a fraud alert on your credit report to let potential lenders know that they should verify that it is actually you applying for credit before extending credit. There are two types of fraud alerts: a 90-day alert and an extended fraud alert, which stays on your credit report for seven years (you must provide an identity theft report to qualify for a seven year alert). 

• Credit Monitoring.  Each of the three credit reporting agencies sells a credit monitoring service. For about $100 annually, this service will let you know when there is new activity on your credit report, such as a new account, a closed account, an extension on credit line, and so on. The information comes to you when it is relevant, rather than you having to check your credit report yourself.

• Free Credit Report.  If you don’t want to spend money to stay on top of what is happening to your credit report, federal law requires each of the three credit bureaus to provide you a free credit report on request each year. See www.annualcreditreport.com to exercise this right. This puts more of an onus on you to do the work to get the information, but it is free and an important, minimum step to detect identity theft.

For more information on ID theft, please visit www.consumer.gov/idtheft.

What Keeps You Up at Night?

If the answer is:  I have a lot of personal, sensitive data in a database or application and I’m not sure I’m protecting it appropriately, you are not alone, and unfortunately, your concerns may very well be valid! 

Many faculty and staff at Penn are now learning different ways of building databases and applications to run administrative and academic functions -- but many have not had the security training to minimize the risks of hackers accessing data, physical theft, web crawlers like Google picking up the data and making it publicly searchable, and other risks that are all too real in today’s world.

A new tool is now available to help you identify the top privacy and security risks, and more importantly, identify strategies that help to minimize those risks.  It is called the Security and Privacy Impact Assessment (SPIA) and was developed jointly by Information Systems and Computing and the Office of Audit, Compliance, and Privacy.  The process is described and the tool available by visiting www.upenn.edu/privacy and clicking on “Conduct Your Own Security and Privacy Impact Assessment.” We are all much better off finding security holes and plugging them through our own proactive activities rather than hearing about them from others once the damage has already been done.

If you have questions about the SPIA process or tool, please write to spia@pobox.upenn.edu.  An ounce of prevention . . . still makes sense.

Phishing: eBay and PayPal

Although “phishing” was the subject of a previous security tip, it’s worth revisiting and focusing on the two most frequently “phished” companies: eBay and PayPal. PayPal was acquired by eBay in 2002 to facilitate online payments for its buyers and sellers. In recent years many other businesses have adopted PayPal as a payment method to the point where today untold millions of people worldwide have accounts with eBay, PayPal or both. These provide one of the single biggest “ponds” for “phishers”, and from the earliest days of the scam, by far the most common examples have revolved around eBay and PayPal.

To refresh your memory, “phishing” is a fraud that arrives in your e-mail inbox as a message purporting to be from a major business or financial institution that attempts to induce you to visit a phony web site and enter sensitive information about yourself and your account(s). This information is then sold or used for identity theft and/or outright theft of your financial assets. Given that PayPal is so frequently “impersonated” in this way, it’s no surprise that its website offers particularly good advice on how to spot the tipoffs of a “phishing” scam, such as generic greetings (“Dear PayPal Member”), false urgency (“act immediately, without delay”) and pop-up boxes (never used by PayPal, as they are not secure). These and more tips can be found on PayPal’s site at www.paypal.com/cgi-bin/webscr?cmd=_vdc-security-spoof-outside, and they’re just as useful in spotting the scam from other sources.

Student Records – Knowing the Basics

Have you asked yourself any of the following questions?

• May I discuss a student’s academic performance with his/her advisor?
• May I share a student’s grades with his/her parents?
• May I ask students for their Social Security Number?
• May I leave graded exams outside my door for students to pick up?
• May I post class lists and student photos on the web?
• May I destroy copies of my old grade sheets?

If you have asked any of these questions, then you have recognized that student data is often sensitive and private and that there are “dos” and “don’ts” involved in the handling of such data.

Student records are protected by the federal FERPA law.  They may be shared with school officials with “legitimate educational interests,” in other words, where the information would be helpful in the performance of official duties or in an enterprise sanctioned by Penn.  In many other situations, such as photos on the web or graded exams outside a door, student records may not be shared without the student’s specific and affirmative consent.

Wipe Cell Phones and Other Wireless Devices Securely Before Disposal

As we all know, cell phones today are not just for having telephone conversations. You can surf the Internet, send and receive e-mail and text messages, keep your calendar, manage contacts, shoot photos and videos and even listen to music. Along with all of those great features comes a potential risk that personal information could be available to strangers after your phone is sold or donated.

With the average life of a cell phone at about 1 1/2 years, most of us will go through several different phones a decade, so it is important to learn how to dispose of them properly, while protecting our personal privacy and avoiding other data breaches.  The exact steps to securely wipe clean your old phone depend upon the model that you have. Wirelessrecycling.com offers instructions for many different phones, PDAs, and smart phones. Palm has a unique method for their products that will allow you to overwrite your data with 1’s and O’s, ensuring your privacy. More information about Palm’s “zero-out” method can be found on their website www.palm.com. Contact your cell service provider for more information about your particular model and assistance.

Cell phones can have a productive second life after we’re finished with them, but making sure they are clean should be a priority before sending them out the door.

New Back-IT-UP Service for Secure Backups

Even though backing up the data on your computer gets less attention these days than issues like identity theft, it’s still a critical security procedure. ISC now has available a new for-fee service called Back-IT-UP, for backing up desktops, laptops, and servers. This easy-to-use service lets you define exactly what you want to back up and determine a convenient schedule for running your backups. All data are compressed and encrypted before being sent to the Back-IT-UP repository, which maintains copies of the backups both locally at Penn and at a remote, high-availability site off campus.

For more information about Back-IT-UP, please contact Nicole Werner, nwerner@isc.upenn.edu.

Unprotected Computers Can  Be “Stashes” for Illegal Material

One of the “hot button” topics in computing over the last several years has been the widespread downloading and sharing of digital media - music, movies, television, games, application software and more. At Penn, as at our peer institutions, there are incidents of copyrighted material being made publicly available on Penn computers, intentionally violating the Digital Millenium Copyright Act (DMCA) and University policy. As a research  institution that creates new  knowledge, we are especially sensitive to the obligations of honoring all intellectual property rights. Penn students and employees found to be violating copyright are subject to disciplinary measures in addition to the possibility of legal action by the copyright holders.

There are occasions, however, when the computer in question has been compromised by means of virus infection or other exploit and is being used to “stash” the infringing and/or illegal material without the knowledge of the computer’s owner. If you receive a notice of copyright violation relating to a computer that you use that is attached to PennNet, and you believe that you are not intentionally sharing copyrighted material, you should contact your Local Support Provider (LSP) immediately and request that your computer be evaluated for signs of compromise or other security-related issues. The vast majority of Penn users do, of course, respect copyrights and do not illegally download and share material, but avoiding this situation is yet another reason to make sure that your computer is running anti-virus software that is regularly updated, has a personal firewall installed and in use, and that all operating system patches and upgrades are applied in a timely fashion. For information on how to do this, contact your LSP.

Securing Data on your Handheld Computer

Handheld computers comprise a broad class of devices including BlackBerry, Windows Mobile, and Palm Smartphone, as well as traditional PDAs (Personal Digital Assistants). As these devices can contain lots of personally sensitive information, it is a good idea to make sure that they are protected from prying eyes as much as possible. In the event one of these devices is lost or stolen, the following short list of recommendations will help ensure that your data is protected, and is accessible by you:

• If your device has a power-on password feature, you should use it. This basic security is more intrusive on some devices than others.  Our recommendation is to try the built-in password screen on your device and see if it is usable for your specific needs.  Make sure that you use a strong password that is hard to guess.  For password creation tips, please see: www.upenn.edu/computing/security/footprints/index.html#strongpswd.

• PDAs are particularly vulnerable to damage or loss and should be backed up regularly. The definition of an appropriate backup depends heavily on the workflow of the user; there is no global recommendation to be made here. For some users the vendor-supplied desktop sync package will be sufficient. Other users may require whole-device backup packages such as SPBBackup or BackupBuddy.

• When performing backups to a flash memory card in your device, remember that these backups only protect you against damage to the device; if the device is lost or stolen, the memory card, along with the backups, goes with it.

For additional information on handheld computers in general, please visit www.upenn.edu/computing/provider/pda.

Secure Web Browsing: Three Important Signs

The chances are good that you conduct sensitive transactions online. Whether you’re buying a book, submitting sensitive customer data at work, or doing online banking at home, the web is an essential part of doing business.  Here are three things to look for when transmitting sensitive data online:

1) Check for the “S”:  Look for https:// in the address bar of your web browser and a picture of a lock in one corner of your browser window when doing online transactions (credit card purchases, banking, submitting sensitive data, etc.).  These indicate that the session is encrypted. If you are doing an online transaction and the “https” and lock aren’t there, your data may be at risk.

2) Don’t ignore the signs:  When confronted with an error page or pop-up box that warns you of a problem, don’t be in such a hurry to skip it. More often than not, the error or caution message is letting you know about a legitimate problem.  Before you click “Ignore” or “Continue to this website,” stop and reconsider. Have you ever visited this site before?  Are you sure the site is what it claims to be?  Do you have to do this transaction immediately, or can you wait 24 hours and try again?

3)  A picture is worth a 1000 words:  Many financial institutions are putting more stringent authentication practices in place, including having a personalized image, phrase, or both displayed to a user at login.  If you have an account that uses this technique, be on the look out for it every time you log in.  If something changes, stop the transaction and contact the institution.

Want More Control Over Info? Look for Opportunities

Whether at Penn or elsewhere, you may be looking for opportunities to take control in areas affecting your privacy.

Penn’s Privacy website has a “Manage Your Information” tab that identifies steps you can take to address many privacy concerns. Check your credit report for free, get on the national do-not-call list, or stop receiving pre-approved credit offers–all using resources described on the Penn Privacy website. You can also find out about privacy options at Penn, such as how to manage your spam filters, how to opt out of having certain information appear in your online directory listings, and more.

Visit www.upenn.edu/privacy for these and other resources.

Many other opportunities exist online and offline to exercise privacy choices. Look for default settings about marketing offers on websites you visit. Ask questions at retail and other establishments that ask for more information than you’re comfortable giving. Tell individual telemarketers that you wish to be placed on their “do-not-call list.” 

Ask questions, stay vigilant, protect yourself.

A Home Wireless Network

The affordability and ease of use of basic wireless access points (WAPs) has prompted many Penn users to set up “hot spots” at home. If you choose to set up your own wireless network, be aware of the following security issues and guidelines to prevent others from accessing your network and your data.

• Change the default passwords on all WAPs you use on your wireless network to strong passwords of your own choosing. This prevents intruders from taking control of your network by using published lists of manufacturers' default account names and passwords or by simply guessing frequently used ones. Being in control of your own network is just as important as being in control of your own computer.

• Change the default  SSID, or “name,” of each WAP to a unique name of your own  choosing.

• Disable  broadcasting of your network name (SSID) to make your network less visible  to unauthorized users.

• Enable and require the strongest encryption that your WAPs offer in order to encrypt traffic traveling across your wireless network. In many cases this will be 128-bit Wireless Encryption Protocol (WEP), but many units now offer a superior alternative, Wi-Fi Protected Access (WPA).

• Regularly check  for, and install, updated versions of the firmware for your WAPs and  software drivers for your wireless Ethernet adapters.

• Enable and require  MAC (Media Access Control) address filtering on each WAP. This will let you specify which individual computers may access the WAP, identified by  the unique MAC addresses associated with their Ethernet adapters.

For more information about securing home wireless networks, read the Guide to Information Security at www.upenn.edu/computing/security/brochure/brochure_current.html.

Resetting your PennKey Password

You just realized that you wrote down your PennKey password and left it on your desk overnight.  Did someone see it?  Should you change it?

While working on a sensitive project, you gave your PennKey password to a colleague so you could both get access to the information to complete the project.  You now realize that you shouldn’t have shared this information and want to change your password - but how do you change it?

Your PennKey password gives you access to sensitive institutional data and, in many cases, your own personal data. It is extremely important that you protect your password, and the examples above are just a few instances of when you might want or need to reset it.  Fortunately, this can be easily done by following the instructions on the Setting, Resetting, or Changing Your PennKey Password web page at www.upenn.edu/computing/pennkey/setreset/.  Here you will be guided through the steps to resetting your password whether it be known or unknown.  You will also find useful links to other PennKey web pages that can help you set strong, uncrackable passwords as well as familiarize you with best practices to safeguard your password.

When is a PC File Truly Deleted?

So, you dragged that sensitive file to the Recycle Bin, emptied the bin, and now the file is gone forever, right? Not so fast.

Like cats, deleted files seemingly have nine lives. When you delete a file, the operating system simply changes the first character of the filename and marks the space the file occupies as being free. The filename and data remain on the drive until overwritten and are easily retrievable using widely available recovery and forensic tools.

But wait, there’s more. For speed and efficiency, Windows creates temporary files for storing file data while the file is open, and these temporary files often remain even after deletion. Windows also uses page- and swapfiles to create “virtual memory” for faster operation, and deleted files can often remain in these as well. And what about copies on backup tapes, CDs, or other media.

Windows XP has a “Disk Cleanup” utility that can be accessed via the Start/Programs/Accessories/System Tools/Disk Cleanup menu sequence. For secure file deletion, security experts recommend using one or more disk-wiping or “shredding” utility programs that are available from many sources, some for free or minimal cost. These programs will overwrite the space occupied by a deleted file with 0’s, 1’s, or random data and can be set to make multiple passes. Opinion varies on how many passes are needed, but three is considered sufficient in most instances.

A more thorough, not overly technical discussion of file deletion can be found at www.sans.org/reading_room/whitepapers/incident/631.php.

Run a Security/Privacy Check on New and Upgraded Systems and Applications

• You just built a great new database to improve administrative efficiency in your department. 
• You’ve launched a new application collecting personal data of participants as part of a research study.  
• You’ve upgraded an older system to a new version and are delighted by the better features. 

Are you thinking about the security and privacy implications in any of these scenarios?   If you aren’t, you should be. 

Penn has developed an easy-to-use tool—the “Security and Privacy Impact Assessment” or “SPIA” tool—that can be used to evaluate any individual database or application. The tool is already being used by many Schools and Centers to inventory and evaluate systems in general. 

To use the tool on an individual system, go to the SPIA site at www.upenn.edu/computing/security/spia/ and, using the blank tool (an Excel spreadsheet), follow steps 2 through 5 in the SPIA instructions. Sample evaluations are also available. If you need assistance or have questions, write to spia@pobox.upenn.edu.

Sleep better at night—find your security and privacy vulnerabilities before the bad guys do.

Cleaning Up Home Computers

As many of us look forward to the fresh start that spring cleaning brings to our homes, it’s worth taking a moment to think about how a regular “cleanout” of our home computers can be beneficial as well. As with paper files, receipts, etc., we all tend to accumulate and retain computer files longer than we really need to in most cases. Many old files can simply be deleted, while others that still have some value don’t necessarily have to stay on your hard drive and can be archived to CD or other media for safe storage. While this has the obvious benefit of freeing up drive space, there’s also a security benefit. Many of these files may contain correspondence, data and other information relating to personal matters, such as a dispute with your bank over a charge on your monthly statement. The files may include account numbers, Social Security Numbers and other sensitive information that could expose you to identity theft if left on a hard drive that is stolen or compromised.

Of course, sitting down to clean out years of old files can be a daunting and time-consuming chore, but it’s a worthwhile task and there are some ways to make the job go easier. For starters, as you look through your folders and directories, sort them by date and look at the oldest files first. It can also be helpful to sort them by file type, especially when looking through a directory containing e-mail attachments that have been downloaded over time. And, don’t forget to look for old e-mail messages that are no longer needed.

One special case deserves particular mention: because the tax laws change each year, the software produced by companies like Turbo Tax and H & R Block differs as well. Once you have finished using the software to file your returns, it’s generally a good idea to uninstall the program. However, the uninstall routines for most tax programs will leave the file containing that year’s return information on the drive in order to be referenced by the next year’s software. If you’re unaware of this, or forget, you may end up with several previous years worth of your tax information sitting on your drive that doesn’t really need to be there.

Cleaning out your home computer may not be any more fun than cleaning your house, but the rewards are similar, and you will just feel better about everything.

SSN Clean Up Tools–Use Them & Protect the Penn Community

You’ve read about the hundreds of colleges, universities, retailers, banks and others that have had data security breaches– hacked systems, lost laptops, stolen backup tapes and the like–involving Social Security Numbers. You worry about this type of problem because:

• You can’t be sure whether you still have old SSNs in any of your desktop or server files, OR

• You think you need full SSNs to interface with other systems on campus, OR

• You need some type of identifier to make sure you’ve got the right “John Smith” and SSN is the best one out there, OR

• You don’t need to use SSNs, and you know you have some old ones, but you don’t know how to truly delete them.

• You actually do need to work with SSNs (legally required or necessary for certain third party transactions for example), but want to handle them responsibly.

Know the following:

• Finding SSNs. Your local support provider can assist you in using automated tools to determine if a file containing SSNs is still on your desktop, laptop, or server. Contact your LSP.

• Keeping SSNs to Interface with Other Systems?  Check Again. Many systems at Penn have been reconfigured to accept PennID in lieu of the SSN as a unique identifier (also sometimes a “key”). Contact the relevant system owner, or data administration at da-staff@isc.upenn.edu.

• Converting SSNs to PennID. A new, free tool exists to convert files containing full SSNs to PennIDs. Contact the Office of Audit, Compliance, and Privacy at (215) 573-4492.

• Deleting Unnecessary SSNs. Talk to your LSP for options.

• Truncate/Restrict View Wherever Possible. If all else fails and you must continue to work with SSNs, truncate to show only the last four digits in as many “views” as possible. Truncating SSNs and limiting access to only those people with a need-to-know are important ways to minimize risk.

Spoofed PennKey Sites Can Steal Your Password

A shadowy website in Chicago might have collected passwords from thousands of universities and businesses earlier this year. The site has been taken down, and there is no evidence that PennKey passwords were compromised, but similar rogue websites could pop up elsewhere in the future, so it’s important to be alert for this scam.

 The rogue Chicago website spoofed login webpages. The spoofed PennKey site looked and functioned almost exactly like authentic PennKey login pages, with only two exceptions:

• The web browser was clearly pointed at a non-Penn website,  with  following URL appearing in the browser’s address field: https://c67176154155.hsd1.il.comcast.net...

• Anyone using the spoofed Chicago site was presented with, and had to have acknowledged, a warning about a possible security problem.

To protect your PennKey password, be alert:

1. Only enter your PennKey and password when your web browser is pointed at Penn websites such as rosetta.upenn.edu, library.upenn.edu, galaxy.isc-seo.upenn.edu. If you have any doubt about the authenticity of the site, contact your Local Support Provider before entering your password.

2. Never enter your PennKey and password if your web browser displays warning messages about the site certificate. Example warning messages include:

“Website certified by an unknown authority.”

“There is a problem with the site’s security certificate.”

“It is possible, though unlikely, that someone may be trying to intercept communication with this website.”

3. Be alert for email scams that try to trick you into visiting spoofed PennKey sites. They could come in the form of an official-looking announcement forged from a Penn office, warning you of a problem with your account. Such a scam would instruct you to click on a weblink to correct the alleged problem, but the link would take your web browser to a spoofed PennKey website and your password, if you entered it, would be stolen.

Bogus Warnings About Viruses & Spyware

In a December, 2006 report, Microsoft warned about an increase in offers for “rogue security software” that tries to trick unsuspecting victims into downloading harmful, malicious software. The offers come in the form of website popup windows with false warning messages like:

Warning!  1 Threat Found
Your Computer is Infected!
Security Warning! Serious Security Threat Detected
Windows has detected spyware infection!

At the bottom of the window are buttons to click with labels like:

Click here to protect your computer

When the user clicks to accept the offer, malicious software is installed that allows stealth, unauthorized access to your computer.

Some of the popup windows include a button labeled “Cancel” or “Continue unprotected.” Others display an “X” in an upper corner.  Ordinarily, clicking either “Cancel” or the “X” on a popup window would close it. However, it is best not to click anywhere on these malicious popup windows. Instead, just quit and restart your web browser.

If your computer becomes infected with a known computer virus, your anti-virus (A/V) software will display an appropriate notification. If you use Penn’s licensed A/V software, the window will be labeled either “Norton Antivirus Notification” (Mac) or “Symantec Antivirus Notification” (PC), and will contain information about the virus name, type, file location, and an indication of whether the virus was removed or quarantined. If you believe your computer may have been infected with a virus, or some other malicious software, contact your local computing support provider.

Legal Requirements for Penn Data

Many faculty and staff at Penn work with personal information of Penn constituents as part of their job responsibilities. Indeed, personal data drives many critical functions at Penn—from assigning grades to students, to managing and paying staff, to performing life-saving medical research on human subjects. 

Taking steps to protect confidential data from falling into the wrong hands is critical— someone else’s private information may literally be in your hands. 

In addition to protecting data out of concern for others, it is critical to bear in mind the legal and industry requirements that apply to much of the data on the Penn campus.
Examples of significant requirements are:

• The federal HIPAA law protects identifiable health information for Schools and Centers providing care or health plan functions.

• The federal FERPA law protects the privacy of education (i.e., student) records.

• The federal Gramm-Leach-Bliley law requires reasonable safeguards of certain financial information about customers.

• CAN SPAM, a federal law, requires that certain bulk e-mail with primarily commercial messages be properly labeled and provide an opt-out.

• The credit card industry's PCI DSS standards impose strict security protections for credit card data.

• And Penn procedures put limits on the collection, retention, and disclosure of Social Security numbers.

If you have questions about the applicability of these rules or other requirements to protect confidential data, please write to privacy@pobox.upenn.edu or security@isc.upenn.edu.

Peer-to-peer file-sharing software (“file-sharing software”) is often used illegally to download music or movies for free from other computers running the software.  Are you running file-sharing software on your work or home computer?  Or, has someone in your household installed it on your computer?  If so, there is even more to be concerned about than the possibility of illegally downloading or sharing copyrighted audio and video files. 

Increasingly, criminals are using peer-to-peer file-sharing networks to expose sensitive data and commit identity theft.  If you participate in such networks any files on your computer that contain sensitive information can potentially be accessed by these individuals. 

A former employee of a pharmaceutical firm learned about the dangers of file-sharing software the hard way.  A family member installed peer-to-peer file-sharing software on her work laptop, inadvertently leaking Social Security Numbers of over 17,000 employees to the Internet. 

What can you do to protect yourself?

• Do not install or run file-sharing software on any computer that you own or use. 
• Do not store sensitive information on your machine. If you need sensitive files, copy them to a CD or other external media and store the media in a safe place.
• If you do need to run file-sharing software, speak to someone in your IT department who can help you choose and install file-sharing software appropriately.
• Be aware that uninstalling file-sharing software may not completely rid your computer of the problem; most of these programs install spyware that will stay on your machine long after you uninstall the program.  You should, at a minimum, also periodically run a spyware removal tool such as Ad-Aware or Spybot.  To ensure complete removal, rebuilding your machine is the most reliable solution; consult your local computing support provider (LSP) to discuss the advisability of this step in your particular situation.

For additional tips, see the One Step Ahead link on the Information Security website: www.upenn.edu/computing/security/.

The online world gives us unprecedented opportunities to chat with people around the globe about current issues, to network professionally and socially, and generally to express ourselves. These are amazing and positive developments.

But think about privacy risks when posting to blogs and similar services, and uploading to video-sharing sites. Electronic postings may be permanent and may define you now or at any future point. Statements and pictures posted online now, in jest or to convey a message to a defined group, may come back to haunt you in the future. Employers commonly use search engines to gather background information on job applicants. Consider who else may search the web on your name and what they may find. 

Online networking sites raise similar privacy issues. Once you post data about yourself, you may never be able to take it back. Do you want the world to know your street address or your winter break plans? Maybe you’re comfortable sharing only your email address and only with a designated group of people. Check for privacy options available through most online services and make choices that are right for you about what you share with whom. Be aware, however, that choosing the right privacy options does not provide any guarantee against potential hackers who may gain access to all site data.

Temporary Postings are Easily Made Permanent: You may think that what you’re posting is temporary or limited in view. Bear in mind that websites like Internet Archives capture snapshots of the entire web and preserve data–even data taken down locally—for the world to see perhaps for decades.

For additional tips, see the One Step Ahead link on the Information Security website: www.upenn.edu/computing/security/.

Website visitors—including members of the Penn community—who access information and services online are increasingly paying attention to online privacy and security issues. Their concerns are well-founded, since identity theft and other misuses of personal data are not uncommon in today’s wired world. Recognizing these rising concerns, it is important to consider the expectations of website users and post a privacy statement when appropriate.

New guidance on when and where to post website privacy statements, and what to include in them, is available on the Privacy Office website (www.upenn.edu/privacy; click under “What’s New.”). The guidance describes the value of posting privacy statements, as well as the need for caution about what is included in them.  

In addition, the new guidance includes a link to a template document that provides a starting point in drafting, or improving, a website privacy statement. The template suggests potential topics to cover in the statement, such as:

•            what data is collected and why,
•            whether cookies are used, and
•            what security measures are in place.

The template also provides language that may be appropriate to use for these topics and others, depending upon your particular circumstances.

It is crucial to review your draft website privacy statement before posting, to confirm that everything in it is accurate.  Leave out any statements in which you do not have complete confidence. Failure to comply with a posted statement erodes the trust of website visitors and can potentially create liability for the University.

If you have questions about website privacy statements, or would like to have your draft statement reviewed, write to privacy@pobox.upenn.edu.

For additional tips, see the One Step Ahead link on the Information Security website: www.upenn.edu/computing/security/.

A widespread computer worm named “Storm,” circulating since January 2007, has many guises.

The worm arrives in your email inbox as spam.  A recent version warns that the Recording Industry is tracking you if you download free movies or music. You are pointed to a link to download Tor, a popular anonymous internet routing implementation. But if you follow the instructions, you infect your machine with the Storm worm. Your machine is then drafted into a network of hacked machines used to crash popular websites and carry out identity theft attacks. Other versions of the scam send the Storm worm as an email attachment rather than send you to the website.

Other Storm worm bait that has hooked victims includes:

• Bogus email warning that your face is all over YouTube. If you click on the purported YouTube link, you’re asked to first install specialized video viewing software (which, in truth, is the Storm worm).
• Bogus email informing you that an account has been created for a free music/movie service.  The email includes an account name and a password and instructs you to log on, but first you need to install a (bogus) media player.  Same result: Storm worm infection.
• Bogus email forged to look like it’s from Amazon (or eBay, or PayPal, or many large banks) warning you that you have unpaid fees (or that your purchase is (in)complete, or that your information is out of date). If you click on the bogus link and follow the instructions: Storm worm.
• Bogus email announcing that you have an electronic greeting card. Same result as above.
• Bogus email with news announcing “Chinese missile shot down by Russian satellite”.
• Bogus email announcing, “Saddam Hussein is alive”.

In general, be wary of unsolicited email asking you to click on links or to install software. If you think it might be legitimate, type the URL into your browser rather than click on the link. Or check it out by calling the organization using a phone number from a service like switchboard.com. Electronic greeting cards are  highly suspect these days.  If you don’t recognize the sender, hit “delete”. (If it’s a secret admirer, don’t worry, they’ll eventually find you.) If you receive email claims about outlandish news stories, don’t click on those links either, but simply point your browser at your favorite online newspaper.

For additional tips, see the One Step Ahead link on the Information Security website: www.upenn.edu/computing/security/.

Working at home and while traveling are becoming common phenomena in our society—including the Penn community. “Virtual offices” can be created almost anywhere using current technology, and flexible work scheduling is expanding in large part because of technology’s impact. The convenience that these developments make possible is accompanied, however, by increased risks to data privacy and security.

For example, assume for a moment that you are working with confidential University data on your home desktop or your laptop. Is the machine properly protected with updated anti-virus software and a firewall? Without these you are running an unnecessary risk of having confidential Penn data hacked. Has a family member perhaps downloaded file-sharing software to your computer?  If so, another machine running that software could potentially access all of the data—including the University information—on your hard drive, not just the files that your family member intended to share. 

It is critical to be aware that working with confidential Penn data on personal desktops and laptops gives rise to significant new privacy and security risks. To help address these risks, the following steps are recommended:

• Minimize—and if possible avoid—use of personally-owned machines to access confidential University data such as SSNs, health information, credit card data, student records, and financial information.

• Be especially cautious regarding computers used by others who may have downloaded dangerous software such as file-sharing tools.

• Protect your machine with a Penn-recommended security suite. 

• Encrypt any confidential data that is stored locally on your computer.

It is also crucial not to use computers whose security level is unknown—such as public machines in libraries and Internet cafes—to gain access to confidential University data. 

For some basic tips on protecting your computer’s security visit the Hot Links listed at www.upenn.edu/computing/index.html.

For additional tips, see the One Step Ahead link on the Information Security website: www.upenn.edu/computing/security/.

What is the right thing to do with documents and data of faculty or staff members when they leave Penn? In most cases, one can involve the individual in the decisions before they leave. They will often on their own, or at the request of their supervisor, help map out what is appropriate to share with colleagues, to securely delete, or for more personal items, what they wish to take with them.

In some cases the handling of this issue is more difficult. Consider a staff member who is terminated for cause and asked to leave immediately. Consider also an individual who is unexpectedly taken seriously ill. And, how does one handle the situation of a faculty or staff member who has passed away?

Guidance has recently been written to help Schools, Centers and Departments address these types of more difficult scenarios, with several recommended components for handling them, for example:

• It is important to have a person who coordinates decisions and actions regarding the documents and data.

• Immediate consideration should be given to the individual’s activities, to help identify potential data locations for further review. A high-level inventory of the relevant data and documents should then be developed.

• It is also important to identify the types of interests that may exist in the data, for example:

* Business continuity
* Research
* Academic collaboration
* Potential litigation
* Intellectual property
* Institutional history, and
* Personal data.

In the case of deceased individuals, these issues should be handled with great sensitivity, particularly to the difficulties faced by loved ones.

For information, including useful links, visit the Penn Privacy website, www.upenn.edu/privacy. If you have questions, contact the Privacy Office at privacy@pobox.upenn.edu.

For additional tips, see the One Step Ahead link on the Information Security website: www.upenn.edu/computing/security/.

Higher Risk for Security Breaches

Your home computer from 2001 may seem to be chugging along fine, doing everything you need it to do, but saving a few bucks by keeping an outdated computer in service could cost you in the long run. Older computers connected to the Internet are at a higher risk for security and privacy breaches than newer systems. It is a violation of University policy to put confidential research or administrative data onto a computer that cannot be properly secured.

Here are a few ways in which older computers are vulnerable:

• Manufacturers like Apple and Microsoft routinely retire operating systems (OSs). After a specific date, they stop releasing security updates for older products, leaving the computers they run on and the data stored on them exposed. Microsoft officially supports, and supplies patches for, Windows XP and Vista; Apple only supports OSs newer than 10.2. Older OSs like Windows 2000, Windows Me, Windows NT, and Windows 98 cannot be patched and are vulnerable to attack. Older versions of applications such as MS Office could pose risks as well.

• Modern OSs have built-in firewall software, which plays an integral part in protecting your computer and data. Firewalls are activated by default by the manufacturer. A few years ago the technology wasn’t available.

• More secure versions of web browsers like Firefox and Internet Explorer 7.0 require processor speeds and RAM not available in older computers. They also include pop-up blockers and trusted site lists to keep your web traffic secure.

For additional tips, see the One Step Ahead link on the Information Security website: www.upenn.edu/computing/security/.

In the past, hackers operated mostly for the glory of seeing their viruses distributed to millions of computers.  Nowadays, they are more interested in financial gain and are increasingly writing viruses and worms targeted to particular groups to steal passwords and credit card numbers. By narrowing their focus, they also more easily evade anti-virus and spam filtering software.

This summer, fraudsters sent targeted email to thousands of HR professionals who use the monster.com recruiting service. The email attachment carried a keystroke logger that was used to steal the recipient’s Monster password. The attackers then used the stolen passwords to send email to job applicants forged to look like it came from HR hiring professionals, with email attachments that carried keystroke loggers.

Earlier this month, IT managers at universities across the country (including Penn) received email offering technical training at a price too good to be true, from an organization purporting to be associated with Educause, a higher education IT professional association.  Recipients were invited to visit a website and create an account and password.  Presumably the attackers were banking on the fact that people often choose the same password for many accounts.

Attackers will often mine social networking sites like Facebook for personal information and relationships in order to further personalize scams.  The common denominator in the IT training scam was that most recipients had personal profiles on the Educause web site.

Be prepared for personalized email scams:

• Don't automatically trust email from colleagues or friends.  If the content of the email is out of character with the sender, consider the possibility of fraud.

• Be suspicious of offers that are too good to be true.

• Don't click on links or attachments in email if you suspect fraud.

For additional tips, see the One Step Ahead link on the Information Security website: www.upenn.edu/computing/security/.

Though much progress has been made in recent years in providing more secure methods of gaining access to computing resources, the primary authentication method remains the combination of a username and password. Of course, as we continue to open new accounts on websites like amazon.com, do our banking online, and perform other useful but confidential work, the number of account names and passwords multiplies as well, and it’s difficult for the average human being to remember all of them.

“Password vault” programs are one solution to this problem. These programs are essentially a database for all your usernames, passwords, and other similarly sensitive information that is encrypted and protected by a single, strong “master” password of your choosing. Simply open the database with the master password to decrypt and look up the account info you need–much safer than post-it notes on your monitor! If you are using Mac OS X, you already have one called Keychain. A Google search on “password vault” will yield a wide assortment of Windows-based vault programs, such as PowerKeeper (by Symark) and PasswordVault (by Lava Software), though you should compare features and check consumer ratings before buying.

A final caution: Don’t use the “Remember My Password” checkboxes often found on websites and in applications–they are risky for many reasons. If “password proliferation” is giving you a headache, a vault program is a much safer alternative.

For additional tips, see the One Step Ahead link on the Information Security website: www.upenn.edu/computing/security/.

Penn has established standards of stewardship and ethical behavior that affect all areas of the University.  These basic expectations for the Penn community have been articulated in ten Principles of Responsible Conduct, which can be viewed at www.upenn.edu/audit/oacp_principles.htm.

The Principles include, for example, maintaining confidentiality, respecting others in the work place, complying with laws, regulations and policies, and avoiding conflict of interest. If you become aware of behavior that you think may violate established standards of conduct, what should you do? 

The answer to this question is simple.  Penn’s Office of Audit, Compliance and Privacy has established a Confidential Reporting and Help Line:  1-888-BEN-TIPS.  The Reporting and Help Line is a resource for all University staff, students and faculty to call anytime for assistance with questions, policies or procedures, or to report suspected incidents of non-compliance.  Individuals are permitted to make reports anonymously, or they may identify themselves and request confidentiality about their identity as the inquiry goes forward.  In most cases, requests for confidentiality can be honored; a compliance specialist can explain the limits on confidentiality for callers who are concerned.

Using the Ben Tips Confidential Reporting and Help Line is also simple.  A compliance specialist will answer the Line between 8:30 a.m. and 5 p.m., Monday through Friday. At any other time, callers are invited to leave a message. Your name is not required, as noted above, and the Reporting and Help Line does not have a caller ID feature. All questions and concerns are welcome, and no action will be taken against anyone for reporting information in good faith to the Reporting and Help Line.  The Office of Audit, Compliance and Privacy will respond to all questions and will facilitate any required action. 

For additional information about Penn’s Office of Audit, Compliance and Privacy visit www.upenn.edu/audit.

Is it Safe to Visit This Website?

Google reported in May, 2007, that ten percent of websites are infected with malicious software that could result in a user’s personal information being stolen. Sometimes, simply visiting an infected site, without even clicking links, will compromise your computer.  How can you tell a safe site from an unsafe site?

For starters, avoid sites that offer celebrity photos, screensaver wallpaper, adult photos or movies, or free or pirated computer games, movies, or music.  A 2005 study by researchers at the University of Washington found that between 7% and 20% of such sites will infect visitors’ computers with harmful malicious software.

Don’t click on website ads. Antivirus software vendor McAfee reports that in 2007, 6.9% of sponsored links on the web point to malicious software. Most large website operators sub-syndicate their advertising space to ad agencies who in turn syndicate the space to still other agencies. So website operators often have little or no control over whether malicious software finds its way into ads that they host. In the past two years Google, MySpace, and, more recently, websites of The Economist, the National Hockey League and Major League Baseball hosted ads harboring malicious software.

Next week: Facebook, MySpace and YouTube Raise New Computer Security Risks

To receive weekly OneStepAhead  tips via email, send email to listserv@lists.upenn.edu with the following text in the body of the message:  sub one-step-ahead <your name>.

For additional information about Penn’s Office of Audit, Compliance and Privacy visit www.upenn.edu/audit.

Be wary of sites like MySpace, Facebook and YouTube where practically anyone can provide content. These sites are designed to allow you and your friends, or even strangers, to post text, images, movies and, in some cases, programs. Bad guys have found ways to circumvent security controls and plant malicious software on such sites. In November, 2007, hackers infected Alicia Keys’ MySpace page. Many people who visited the site had their computers infected with software that stole credit card numbers.

There are two primary risks with sites where users provide the content. If you use an older web browser or media player that lacks the latest security patches, simply viewing a hacked site can infect your computer. If this attack fails, the attacker entices you into clicking on a link and installing a malicious program on your computer. Intruders make this seem plausible by implying that you need the program to get the desired content.  

If you must use such sites, be certain that your computer, web browser and media players (Quicktime, RealPlayer, Windows Media Player, Flash, Flip4Mac) have all of the current patches. Recommended versions of web browsers and media players are available at: www.upenn.edu/computing/product/. If you are prompted at a website to install a media player, never install it by following links from the website. Either go to the Penn site above or ask your Local Support Provider for help. Any prompts encountered on Facebook or the like to install programs or codecs (digital media encoders) should be declined.

To receive weekly OneStepAhead  tips via email, send email to listserv@lists.upenn.edu with the following text in the body of the message:  sub one-step-ahead <your name>.

For additional tips, see the One Step Ahead link on the Information Security website: www.upenn.edu/computing/security/.

One of the most popular features of e-mail is the ability to send the same message to a group of individuals with a single mouse click. For example, you can create a group of addresses with your mail program (such as Outlook), give the group a name, or “alias,” and substitute the alias for the underlying address list when sending a message. You can also initiate a list management service, or listserv, which allows you to send messages to list subscribers without entering a series of addresses. Although such “group emails” can be convenient, there are also several potential privacy risks to consider.

For example, when you send a message to an alias, do you first check to confirm that it is appropriate for everyone on the underlying address list to receive the message? Do you avoid using listserv names and e-mail aliases (as well as subject lines) that could reveal sensitive information if the message is seen by someone other than the intended recipient? Suppose, for example, that the e-mail alias for your message is “Cancer Support Group”—this in itself could potentially reveal, to office staff or others who inadvertently see the message, that the recipient has a health concern.

You can reduce the risk of revealing confidential information by routinely choosing neutral names for listservs and other e-mail address groups—for example, “student group A” rather than “academic probation group”. (Also, e-mail programs typically allow you to use the “bcc” field to enter the actual recipient addresses; you can enter your own address in the “to” field, keeping the identities of the actual recipients private.) When you initiate a listserv, select options that enable you to control who can see and use the subscriber list.

For further information about e-mail group mailing lists at Penn see www.upenn.edu/computing/list/.

To receive weekly OneStepAhead  tips via email, send email to listserv@lists.upenn.edu with the following text in the body of the message:  sub one-step-ahead <your name>.

For additional tips, see the One Step Ahead link on the Information Security website: www.upenn.edu/computing/security/.

Be Careful About “Free” Wireless Networks

The availability of wireless networking on the Penn campus has expanded greatly over the last couple of years, and members of the Penn community have the luxury of using PennKey-authenticated and encrypted wireless sessions for secure networking over PennNet. Of course, more and more businesses—especially coffee shops, bookstores and airports—are also offering wireless “hot spots” for their customers to use, and even when it’s a major company or chain, it can be difficult to know how secure the network is. How can you be sure the person at the table next to you isn’t “sniffing” all the traffic going across the network, including yours?

When turning on wireless networking these days, it is increasingly common to see a half-dozen or more available networks to join. Some of them will be “free,” even though there may be no indication of who is providing the service. Just as clicking a link in a “phishing” message may take you to a malicious website, joining an unknown wireless network may lead to compromise of your data.

Whenever possible (even on a secure wireless network), use applications that provide their own level of encryption. Because virtually all legitimate commercial websites use SSL encryption (“https://”), it’s generally safe to shop online. Check with your e-mail provider to see if they encrypt messages in transit—if not, be cautious about using e-mail. If you regularly use a wireless network provided by a reputable business, check their website for information about how they provide security for wireless sessions. Don’t join “free” and/or anonymous networks just because you can—they may not be as “free” as they appear.

For more information on Penn’s wireless networking offerings, visit www.upenn.edu/computing/wireless/.

__________________________________________

Another tip in a series provided by the Offices of Information Systems & Computing and Audit, Compliance & Privacy.

If a computer security incident happens to you, don’t panic.  Penn has established a policy and infrastructure to support the appropriate response to security incidents.  Penn’s policy, the Information Systems Security Incident Response Policy, contains several components to ensure that computer security incidents are handled responsibly and that appropriate internal and external communication takes place. 

The most important point to remember is that the policy requires that all Penn faculty, staff, consultants, contractors and students (and their respective agents) report “computer security incidents” to their local IT management, who in turn must notify ISC Information Security. A “computer security incident” is defined as any event that threatens the confidentiality, integrity, or availability of University systems, applications, data, or networks.  This definition is intended to cover, at a minimum, compromised machines, lost or stolen computing or storage devices, and outright theft or abuse of data. 

Under the policy, an immediate response team is assembled in cases involving “confidential University data.”  The immediate response team investigates, contains, mitigates, and shares learning from computer security incidents.   In certain cases, a senior response team is convened as well to address the need for any additional communications and actions. 

The full text of the Information Systems Security Incident Response Policy can be viewed at www.net.isc.upenn.edu/policy/approved/20070103-secincidentresp.pdf.

__________________________________________

Cyberbullying—when children or teens use the Internet, cell phones or other digital technologies to threaten, harass or intimidate another child or teen—is a growing problem, affecting almost half of US teens and children. Studies have shown that difficulty making friends, loneliness, low self-esteem, depression, poor academic achievement, truancy and suicide are all associated with being bullied. The pervasive, and sometimes invasive nature of some communication technologies can create intense stress for victims as attacks swell and spread to large numbers of peers. Many adults are often unaware of the problem due to lack of technical knowledge or youths’ tendency to not discuss online activities openly.

The following tips are given to help adults in the Penn community support children facing the threats of cyber-bullying:

            •  Make sure that the child knows that if she ever has a problem on-line, that you are there to help.

            •  Advise your child or teen not to respond to bullying. Rather, ask for adult help.

            •  Advise your child or teen not to trust that people on the Internet are who they say they are. It is very easy for a bully to fake messages that look like they come from your friends.

            •  Print everything out. For serious cases, you may want to contact school officials or police, and it will help to have documentation.

_________________________________________

Before sending an e-mail message, be sure to look beyond the body of the message. More and more privacy intrusions are occurring based on improperly addressed e-mail messages. The problem can often be exacerbated by e-mail programs that “recognize” the recipient after only a few letters of the name are typed and e-mail listservs that have similar names to one another. And, it is often too easy to hit the “Reply to All” button when you actually meant to reply only to the sender.

A recent example makes the point quite clearly. The news that highly confidential settlement talks were taking place between Eli Lilly Co. and the federal government was not “leaked” but rather unwittingly disclosed to a New York Times reporter whose name was similar to the name of an attorney working on the case. The New York Times reporter received an e-mail spelling out the details of the settlement from an attorney from a firm representing Eli Lilly—that message was intended for co-counsel at another law firm.

This problem and related ones can be avoided by taking an extra few seconds to “QA” or quality assure that your e-mail is being directed to the individual(s) you intend it for. A little extra caution can help avoid a lot of grief.

_________________________________________

To receive weekly OneStepAhead  tips via email, send email to listserv@lists.upenn.edu with the following text in the body of the message:  sub one-step-ahead <your name>.

For additional tips, see the One Step Ahead link on the Information Security website: www.upenn.edu/computing/security/.

In today’s wired society, it is virtually impossible to wholly eliminate your risk of being a victim of identity theft. But, there are many important and often effective ways to significantly lower your risk of falling victim to this crime.
For example:

• Do not give out personal information unless you’ve initiated the contact or are sure you know with whom you are dealing.

• Guard your mail and trash from theft. Tear or shred documents containing your personal information.

• Place hard-to-guess passwords on your credit card, bank and phone accounts when possible. 

• Do not provide your personal information in response to e-mails or phone calls unless you are absolutely certain about the legitimacy of the organization and the legitimacy of the request.

• Do not leave your wallet, briefcase, laptop or other property unattended as such property will often provide thieves with most or all of what they need to open up credit accounts in your name. 

• Get off pre-approved credit offer lists. Don’t let “dumpster divers” get these offers and sign up for them in your name (but at a different address!) Penn’s Privacy website – www.upenn.edu/privacy—describes how to “opt out” of receiving such offers under the “Manage Your Information” tab.

• Secure your computer with anti-virus software, strong passwords, promptly- applied security patches and a personal firewall.

• Check your personal credit report regularly, or at least once a year, to see if your identity has been compromised. A free credit report is available at www.annualcreditreport.com

• For more information, visit www.ftc.gov and click on “Avoid ID Theft, under Hot Topics.”

_________________________________________

It is estimated that in 2005, in the US, there were 2.75 million professional programmers and 55 million end user software developers, i.e., people who had taught themselves to program. The trend began in the 1980s with spreadsheet software and continued with the advent of easy-to-use tools like FileMaker, PageMaker, and Visual Basic, to mention just a few.

End user software development tends to be cheaper and faster. Often, however, a downside is that it does not conform to the types of policies, rules, and standards professional programmers observe. The editor of IEEE (Institute of Electrical and Electronics Engineers) Software puts it this way:

“... we now have systems on the Web that dilettantes built in their spare time while holding down a job in marketing, accounting, hardware repair, or even medicine. They’ve given little if any thought to systematic testing, maintainability, design, and yes, security. These systems are available to the entire Internet community—geography and international borders no longer buffer our data from programming mistakes.”

If you are an end user software developer, consider getting a second opinion from your IT professional. There may very well be serious risks that you can’t see that experienced IT staff can help you identify and mitigate.

_______________________________________

Do you currently use Social Security Number (SSN) to identify people in your IT systems or in day-to-day procedures? Did you know there is a tool available to help you switch from SSN to PennID? Using PennID as the identifier ensures that SSNs will not be stolen and used to commit identity theft.

The 8-digit PennID number is a unique identifier for individuals associated with the University or the Health System.  It can therefore replace the SSN as a key in databases, or to uniquely identify an individual in e-mails or phone conversations.  Using PennID can eliminate the need to encrypt data, ease report handling, and improve the security and privacy of communication between administrative offices.

The Penn ConvertID application converts SSNs to PennIDs.  There are two options: direct lookup of a single PennID using certain data, and a batch tool for converting entire files with SSNs to use PennID instead. Usage is strictly monitored to ensure the highest standards of security and privacy, and lockout safeguards are built in to prevent misuse of the application.  ISC Data Administration directly monitors results of batch conversion requests, forwards results to requesters, investigates lockouts, and is available for support and any questions.

For further information on the ConvertID application, contact Data Administration at penncommda@isc.upenn.edu

or the Office of Audit, Compliance, and Privacy at (215) 573-4492. The form to request access to the ConvertID application is available at www.upenn.edu/computing/group/penncommunity/authorization/documents/convert_id_ access form.doc.

_______________________________________

To receive weekly OneStepAhead  tips via email, send email to listserv@lists.upenn.edu with the following text in the body of the message:  sub one-step-ahead <your name>.

For additional tips, see the One Step Ahead link on the Information Security website: www.upenn.edu/computing/security/.