Hook, Line and Sinker: Beware of 'Phishing' and Other Computer Security Risks

October 16, 2008 — E-mail phishing, computer malware and identity theft are "more threatening than the economy," IT security analyst Karen McDowell said last Tuesday, calling on University of Virginia faculty and staff to protect personally identifying information during a computer security presentation.

The session was one of several events to highlight IT security awareness throughout the University and the region during October for National Cyber Security Awareness Month.

McDowell described a recent event that illustrated the danger of phishing e-mails. On Aug. 22, a phishing e-mail was reported that attempted to capture passwords by persuading University users to log in to a replica of the University’s login page.

“ITC blocked the fake Web page before anyone visited it,” she said.

Malware was highlighted as another dangerous threat. Downloading unsolicited computer programs can result in malicious software also being installed. “Malware is not just computer viruses,” McDowell warned.

Bots, Trojans, viruses, key loggers, rootkits and worms attempt to gather personally identifying information that can be used to steal a computer user’s identity or, worse, other identities stored on the computer.

For example, recent reports indicate that a replica of YouTube installs malware that appears to be coming from a known Web site.

McDowell recommended these tips:

•    Avoid giving personally identifying information to anyone not authorized to have it. That also includes sensitive information about people affiliated with the University.

•    Avoid opening or accessing attachments and Web sites in unsolicited e-mail messages.

•    Avoid posting personally identifying information on blogs and social networking sites.

•    Install and update anti-spyware and anti-virus software.

•    Use strong passwords. McDowell recommended constructing a password by “taking a sentence you know, take the initial letter from each word and add numbers and special characters.”

•    Use Identity Finder software on University-owned computers to find highly sensitive data used for identity theft, such as Social Security numbers, birth dates and financial information.

She demonstrated Identity Finder during the presentation. After finding highly sensitive data that needs to be deleted, another software product, Secure Deletion Shredder, permanently deletes files to Department of Defense specifications.

"Secure Deletion Shredder is not a recycle bin," she said. "When you put something in this, it is gone forever."

University policy requires each employee to justify the need to store highly sensitive data on computers.

According to the policy, "Highly sensitive data can only reside on individual-use devices and media with the approval of the responsible vice president or dean." Individual-use devices are fingered specifically because of the high risk of theft. Strict security measures must be taken.

"If you are authorized, you must encrypt the data," McDowell said. "And use VPN technology for Off-Grounds access."

Jay Darmstadter, local support partner of the Weldon Cooper Center for Public Service, noted that Macintosh users should also be wary.

"A lot of IT Security information is directed toward PC users, but Macs aren't invulnerable to attacks either," he said.

Joby Giacalone, director of programming and systems development for the Health System Development Office, said sessions like the one Tuesday are important.

“Most people think computers are just fun machines and don't realize the dangers that are out there,” he said.

Other upcoming events:

At the Local Support Partners conference on Oct. 21 at 10 a.m. in Newcomb Hall South Meeting Room, Tim Tolson and Brian Davis from the IT Security and Policy Office will present more information and answer IT security questions.

On Oct. 22 at 2 p.m. in the Newcomb Hall South Meeting Room, Marty Peterman, also from the IT Security and Policy Office, will discuss IT security. Refreshments will be provided.

Another opportunity to see an IT Security and Policy Office presentation will be on Oct. 29 in Newcomb Hall for the Fall 2008 Office Technology Conference.

Finally, McDowell will repeat her presentation at 1 p.m. on Oct. 30 in the Newcomb Hall South Meeting Room.

Until then, you may see her walking around Newcomb Hall during lunch dressed as a phish to warn people about the dangers of phishing e-mails.

— By Dale Castle