Unwelcome to IT
Online Security
We use the Internet all the time, but unfortunately so do criminals: they're after your computer, your bandwidth, your money, and your identity. However, you can take some simple steps to reduce their chances of success.
Password Security
One of the simplest examples of computer security is the password. Passwords are often the first and last line of defence used by typical users for almost all secure operations, yet many people can be relatively flippant in how they deal with them.
If your password is easily guessable, a criminal will have a much better chance of getting into your accounts. As more and more systems are linked to each other, a single breach could enable criminals to get all kinds of information about you, or to impersonate you.
When creating a password, it is important to make it easy for you to remember, but not easy for others to guess.
You should avoid using:
- The accompanying username (whether identical, reversed or rearranged)
- Your first or last name or date of birth
- Names or dates of birth of your nearest and dearest
- Your house name or your home street
- Dictionary words
Generally, do not use anything that someone intent on 'hacking' into your secure feature could easily find out or guess.
A good password includes a mixture of upper-case (A-Z) and lower-case (a-z) letters, digits and, if permitted, other printable characters (e.g. ,;:?%^*[]{}+-).
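The checks listed above can be applied mechanically before a password is accepted. The following is an added example, not part of the original guide; the function name, the reason strings and the small word list are assumptions made for illustration, and a real check would load a full dictionary file.

```python
import re

# Constructed sample word list; stands in for a real dictionary file.
SAMPLE_DICTIONARY = {"password", "summer", "dragon", "welcome", "oxford"}


def _alnum(text):
    """Lower-case the text and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def password_problems(password, username, personal_facts,
                      dictionary=SAMPLE_DICTIONARY):
    """Return the reasons a candidate password breaks the advice above."""
    problems = []
    pw = password.lower()
    user = username.lower()

    # Username identical, reversed, or rearranged (same characters, any order).
    if user and (user in pw or user[::-1] in pw):
        problems.append("contains username or its reverse")
    elif user and sorted(pw) == sorted(user):
        problems.append("is a rearrangement of the username")

    # Names, dates of birth, house or street names supplied by the caller.
    pw_alnum = _alnum(password)
    for fact in personal_facts:
        token = _alnum(fact)
        if len(token) >= 3 and token in pw_alnum:
            problems.append(f"contains personal detail: {fact}")

    # Dictionary word, even with digits or punctuation added around it.
    if re.sub(r"[^a-z]", "", pw) in dictionary:
        problems.append("is a dictionary word")

    # Mixture of upper-case letters, lower-case letters and digits.
    if not all(re.search(c, password) for c in (r"[A-Z]", r"[a-z]", r"[0-9]")):
        problems.append("lacks a mix of upper case, lower case and digits")
    return problems


if __name__ == "__main__":
    # Constructed candidates for a hypothetical user "jsmith".
    for candidate in ("jsmith1", "Summer2009!", "Rover12x"):
        print(candidate, password_problems(candidate, "jsmith", ["Rover"]))
```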
Devise a system for choosing passwords that are memorable to you but difficult for others to guess. For example, you could choose the initial letters of words in a line from a favourite song or poem (e.g. ‘Shall I compare thee to a summer's day?’ becomes ‘SIctta5d?’ But don't use this one!).
Never share your password with anyone. OUCS and your local IT support staff will never ask for your password, and if you are asked, you should not divulge it. If others do obtain your password it should be changed immediately (either via the registration web site, by OUCS directly, or by your local IT support staff). Such an event could not only cause you harm, but could discredit your College, department, or the University, or cause potential damage to other people's computers.
If your memory lets you down and you have to keep a note of your passwords, don't leave it lying around or store it in a folder or document called Passwords.
When using a communal computer in a public place, be aware that someone else may be recording all your keystrokes!
Don't use the Administrator account
Just like legitimate software, most malware requires Administrator privileges to be able to run on your computer. If you are using Windows try, where possible, to use a limited account for your day-to-day activities.
How:
- Windows XP: Go to [Start]->[Settings]->[Control Panel]. Select [User accounts]->[Create a new account] and when you choose the account type select Limited. For operations which can't be done from a limited account, use 'Run as': hold down Shift; right-click on the relevant program; select '[Run as...]' from the resulting list of options; and then enter administrator logon details so that you can run the program as administrator.
- Mac OS X or Linux users: Do not log in as admin or root. Instead, use a command like sudo to perform command-line operations requiring root access.
Avoid being fooled by spoof emails, sites, or scams
Criminals commonly try to ‘phish’ for personal information: i.e. trick you into revealing confidential information about yourself.
For example:
- They may send you a spoof email purporting to come from your bank or your email provider, informing you of a problem and asking you to send details about your account in reply (e.g. username and password). Never reply to these emails.
- They may set up a web site that looks like the standard log-in screen to your bank, but is actually an impostor and is intended solely to collect your information (e.g. username and password).
You can take a number of simple measures to avoid being caught by phishers:
- Is the Web address (the URL which appears at the top of your web browser) the one that you normally use for this service? If no, then avoid the site.
- Most sites that require confidential information now have built-in security mechanisms. Look for https:// in the URL and the padlock icon in your web browser. If these aren't present, criminals may be able to read the information you send over the Internet. However, the mere presence of a padlock does not guarantee that your information will be secure.
- How did you get to the site in the first place? Did you click a link in an unsolicited email message purporting to come from your email provider, bank, credit card company? If yes, steer clear of the site! Instead, type the site name yourself.
- Click on the padlock and check the site's certificate. For more information on secure sites see the Get Safe Online web pages.
- Beware of sites that start with all numbers such as http://147.46.235.54/ebay.com
- Make sure that your web browser is up to date (see the advice on updating your software).
- If you are shopping online, look for clear signs that you are buying from a reputable company (e.g. does it have a physical address? Does a search for the company reveal user comments and reviews?).
- If you are using eBay or a similar site, make sure that you read the basic help guides. If possible, check that the seller has a good reputation.
- Use safe ways to pay, such as PayPal or credit cards that insure you against theft.
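The address checks in the list above (https, a numeric host, and whether the host is the one you normally use) can be expressed as a short script. This is an added example, not part of the original guide; the function name and warning labels are assumptions, and the lookalike address under example.net is constructed.

```python
import ipaddress
from urllib.parse import urlsplit


def url_warnings(url, expected_host, brand=None):
    """Return the warning signs from the checklist that apply to a URL.

    expected_host is the host you normally use for the service;
    brand is an optional familiar name to look for outside that host.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    expected = expected_host.lower()
    found = []

    # No https:// means others may read what you send.
    if parts.scheme != "https":
        found.append("no-https")

    # "Sites that start with all numbers": the host is a raw IP address.
    try:
        ipaddress.ip_address(host)
        found.append("numeric-host")
    except ValueError:
        pass

    # Is this the address you normally use? Accept it or its subdomains only.
    trusted = host == expected or host.endswith("." + expected)
    if not trusted:
        found.append("unexpected-host")
        # A familiar name in the path, or to the left of another domain,
        # says nothing about who runs the site.
        if brand and brand.lower() in url.lower():
            found.append("lookalike-name")
    return found


if __name__ == "__main__":
    samples = [
        "http://147.46.235.54/ebay.com",        # example from the list above
        "https://www.ebay.com/itm/1",           # host matches
        "https://ebay.com.example.net/signin",  # constructed lookalike
    ]
    for sample in samples:
        print(sample, url_warnings(sample, "ebay.com", brand="ebay"))
```

The third sample uses https and would show a padlock, yet its host is not the expected one, which is why the padlock alone is not enough.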
If you receive a phishing attack that asks for University credentials, report it to phishing@oucs.ox.ac.uk. For more information on this, and for guidance on how to secure your email in general, see http://www.oucs.ox.ac.uk/email/
Mobile devices (such as phones) are computers as well: protect them!
Most mobile devices (e.g. phones) allow you to access all kinds of services and store your usernames and passwords. If yours is lost or stolen then someone may be able to access all your information.
Password/passcode protect your device on start-up. Follow all the advice on updating applications and encryption given above for desktop/laptop computers.
Don't give away too much information about yourself
Restricting what others can find out about you online both reduces the risk of identity theft and prevents other people finding out things about your social life that you'd rather keep discreet.
If you need to use an out-of-office email message when you're away, tell people only the bare essentials (i.e. when you'll be back and whether you'll be checking messages during your absence).
On social networks e.g. Facebook:
- Use the privacy settings to restrict how much data others can see, especially people who aren't already your friends in the physical world (e.g. see http://www.facebook.com/safety/).
- Don't post compromising photos of yourself or of your friends. Prospective employers use Facebook too.
- If someone else tags you in a photo, have a look at it and remove the tag if you don't want others to know you're in it. (Or ask your friend to remove the photo itself.)
- When posting to a discussion board, remember that contributions are often saved and can be read a long time after they've been made. An ill-advised comment may come back to haunt you!
Be aware of your surroundings
The physical environment in which you use a computer is extremely important. Remember, if you are using public computers, or open wireless networks, there is a greater chance that criminals are recording everything you do.
If you have to use a communal computer -- e.g. in an internet cafe, library, or open computing room -- only do simple activities that don't involve typing confidential information.
However, if you do have to use a communal computer for a financial or other confidential transaction, make sure that you don't leave any information about yourself on the computer when you have finished.
You can remove traces of your passwords and the Web sites you've visited as follows:
- Safari: Before you start, select [Safari]->[Private Browsing]. When you finish, select [Safari]->[Reset Safari]. If the computer won't let you do this, then select [Safari]->[Empty Cache] and [History]->[Clear History].
- Microsoft Internet Explorer: Before you log off, select [Tools]->[Delete Browsing History].
- Firefox: If you have version 3.5 or above, select [Tools]->[Start Private Browsing] before you start. When you finish, select [Tools]->[Clear Private Data] (version 3.0.x) or [Tools]->[Clear Recent History] (version 3.5 and above).
You might also consider changing your password (or other login details) when you return home to a computer that you trust.
Be very wary of using open wireless networks. If you have a wireless network at home, make sure WPA security is enabled and use a strong password (see above). If you have control over your wireless network, consider allowing only designated computers to access it.
Consider setting up a separate email account (e.g. on Google Mail or Yahoo) to use when you are travelling.
If you have to leave your computer for any length of time (even if it's in your office), make sure that the computer locks the screen when it activates the screen saver or goes to sleep. The screen can only be unlocked when the username and/or password are entered. To instruct the computer to lock its screen:
- On a computer running Windows XP: Select [Start]->[Control Panel]->[Performance and Maintenance]->[Power Options]. Go to the [Advanced] tab and tick [Prompt for password when computer resumes from standby].
- On a computer running Windows Vista: Select [Start]->[Control Panel]->[System and Maintenance]->[Power Options]. Go to the [Require a password on wakeup] option on the left side of the screen. Click on Change settings that are currently unavailable and then select Require a password.
- On a Mac: Open [System Preferences] and select [Security]. Make sure that there is a tick beside each of the boxes labelled Require password to wake this computer from sleep or screen saver and Disable automatic login.
- On a computer running Ubuntu Linux: Open [System]->[Preferences]->[Screensaver] and tick [Lock screen when screensaver is active].
University and College Systems
At Oxford, OUCS handles security on central systems, and monitors the use of its services to prevent illegal, or potentially harmful use. Within individual Colleges and departments, the local IT support staff will generally handle internal IT security matters. OxCERT, the University's IT Security Team, handles Computer and Network Security issues across the University.
Personal Firewalls
There is a range of Open Source and Commercial products which provide basic protection against malicious attacks directed at your computer from the internet, including some that block all common attempts to access your computer in the hope of hacking into it and causing harm. A computer firewall acts as a virtual wall against intrusion from the internet. Microsoft Vista, XP and some other systems are supplied with a firewall as standard - check the firewall is active.