
Have you received the latest email "alert" about protecting your old hotel key-cards from identity thieves? If so, you’re not alone. This urban legend resurfaces fairly regularly. I suspect that this one is popping up again as people begin making their holiday travel plans.

According to this legend, hotel key-cards have all sorts of private information encoded in the magnetic strip on the back of the card: your name, home address, hotel room number, check-in and check-out dates, credit card number, expiration date, and so on. The email usually claims to be based on an alert from the Pasadena Police Department.

While you certainly could fit all that information on a magnetic strip, no hotel actually does. For one thing, why would they bother? They already have all that data in their database. Why would they pay to write it onto the card as well, and then deal with re-encoding cards every time a mistake has to be corrected? The card only needs a serial number that the door lock recognizes. No personal information is recorded on the card.

These hoax emails end by encouraging you to "cut up the card". Don’t waste your time. Leave it for the hotel staff to reissue to the next guest.

For more information, see Snopes.com.

If it sounds too good to be true, it is.
Regardless of what the email claims, there are no wealthy strangers desperate to send you money. Beware of grand promises – they are spam, hoaxes or phishing schemes. Remember that anyone can publish information online so before accepting a statement as fact, verify that the source is reliable. It is also easy for attackers to "spoof" email addresses, so verify that an email is legitimate before opening an unexpected email attachment or responding to a request for personal information.

Don’t take candy from strangers.
Finding something on the internet does not mean that it is true or safe. Be wary of advertisements for free software downloads – they may be disguising spyware. Check out the reputation of the provider and of the website hosting the download before you act.

Close the door behind you.
Your personal information is only private if you work to keep it so. Lock your computer when you step away (on Windows, press the Windows key and L, or Ctrl-Alt-Del and then choose Lock). Pick strong passwords and keep them safe. Put a firewall, anti-virus and anti-spyware programs on your computer and keep them all current. Be smart when browsing or using email.

Don’t tell everyone when you’ll be away from home.
The email "Out of Office" function lets you create an "away" message that is automatically sent to anyone who emails you while the autoresponder is enabled. This is helpful especially in business because it lets people know that you will not be able to respond right away. Be careful how you phrase your message. You do not want to let potential attackers know that you are not home, or, worse, give specific details about your location and itinerary. (Also, if your away message replies to spam, it confirms that your email account is active and will increase the volume of spam you receive.) If possible, restrict the recipients of the message to people within your organization or in your address book.
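The two precautions above, not replying to spam and restricting who receives the notice, can be enforced by the autoresponder itself rather than left to phrasing. The following is an added example in Python, not code from the original post or from any mail product; it applies the suppression rules of RFC 3834 (never answer mail marked Auto-Submitted, Precedence: bulk/list, or carrying mailing-list headers), replies only to the organisation's own domain or to an explicit address book, and stamps its own reply so that other autoresponders will not answer it in turn. The sample messages, the example.com domain, the address book and the notice wording are constructed for the example.

```python
from __future__ import annotations

from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed sample messages (not real traffic). Header values are what a
# mail server would hand to the autoresponder.
INTERNAL = """From: Alice Example <alice@example.com>
To: bob@example.com
Subject: Quarterly numbers
Message-ID: <1001@example.com>

Can you send the Q3 figures?
"""

KNOWN_EXTERNAL = """From: Carol Partner <carol@partner.test>
To: bob@example.com
Subject: Contract draft
Message-ID: <1002@partner.test>

Draft attached for review.
"""

UNKNOWN_EXTERNAL = """From: Someone <stranger@elsewhere.test>
To: bob@example.com
Subject: Hello

Are you there?
"""

SPAM = """From: Deals <deals@bulkmailer.test>
To: bob@example.com
Subject: You have won!
Precedence: bulk
List-Unsubscribe: <mailto:unsub@bulkmailer.test>

Claim your prize.
"""

BOUNCE = """Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@example.com>
To: bob@example.com
Subject: Undelivered Mail Returned to Sender
Auto-Submitted: auto-replied

Your message could not be delivered.
"""

# Hypothetical address book of outside correspondents who may receive the notice.
ADDRESS_BOOK = {"carol@partner.test"}

# A safe notice: says only that replies will be delayed, with no dates or locations.
SAFE_BODY = ("I am away from the office and will reply when I return. "
             "For urgent matters, please contact the main office.")


def should_autoreply(raw: str, org_domain: str, address_book: set[str]) -> tuple[bool, str]:
    """Return (reply?, reason) for one incoming message.

    Suppression follows RFC 3834: automatic and bulk mail is never answered, so
    the notice neither confirms the mailbox to spammers nor loops with another
    autoresponder. A reply goes only to the organisation's own domain or to
    addresses in the address book.
    """
    msg = message_from_string(raw)

    auto = str(msg.get("Auto-Submitted", "no")).strip().lower()
    if auto != "no":
        return False, "auto-submitted"
    if str(msg.get("Precedence", "")).strip().lower() in {"bulk", "list", "junk"}:
        return False, "bulk precedence"
    if msg.get("List-Id") or msg.get("List-Unsubscribe"):
        return False, "mailing list"

    # Prefer the envelope sender; an empty one (<>) marks a bounce.
    sender = parseaddr(str(msg.get("Return-Path") or msg.get("From", "")))[1].lower()
    if not sender or sender.startswith("mailer-daemon@"):
        return False, "no usable sender"

    domain = sender.rsplit("@", 1)[-1]
    if domain == org_domain.lower():
        return True, "internal sender"
    if sender in address_book:
        return True, "address book"
    return False, "outside organisation"


def build_reply(raw: str, my_address: str, body: str) -> EmailMessage:
    """Compose the notice with the headers that keep other autoresponders quiet."""
    original = message_from_string(raw)
    reply = EmailMessage()
    reply["From"] = my_address
    reply["To"] = parseaddr(str(original.get("From", "")))[1]
    reply["Subject"] = "Auto: " + str(original.get("Subject", ""))
    reply["Auto-Submitted"] = "auto-replied"  # RFC 3834: marks this message as automatic
    reply["Precedence"] = "bulk"              # hint to other autoresponders not to answer
    if original.get("Message-ID"):
        reply["In-Reply-To"] = str(original["Message-ID"])
    reply.set_content(body)
    return reply
```

Run `should_autoreply` over each sample with `"example.com"` and `ADDRESS_BOOK`: the colleague and the address-book contact get the notice, the stranger, the bulk mailing and the bounce do not, and a notice produced by `build_reply` is itself refused by `should_autoreply`, which is the loop protection the headers exist for.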

Always tell the truth.
What you write in email you may have to live with forever. Be honest, be trustworthy, be tactful, and think twice about what you wrote before you hit send. Never write anything that you’d be embarrassed to see on the front page of tomorrow’s newspaper.

Hold hands when crossing the street.
We’re all in this together. What affects you affects me, too. If you see something suspicious or if a caller strikes you as a bit fishy, ask a co-worker or supervisor for help. Help each other be safe.

based in part on CERT Cyber Security Tip ST05-014
From westfieldinsurance.com

Okay, that’s a bit of an overstatement, but it is a security professional’s nightmare.

Google Desktop is a popular free program that can be downloaded onto a personal computer to allow the indexing and searching of files on your computer. It operates much like the internet-based Google search engine and can find content from a wide variety of file types and formats including emails, instant message logs, web history, MS Office and Adobe documents, videos, music files, images, etc.

Given enough time, Google Desktop will index every drive to which your computer is connected. If you are connected to your office’s systems, the indexer will work through their files as well, whether or not that was your intent, and whatever it indexes is exposed to anyone with access to the index. Because web history is indexed by default, cached copies of pages that were only viewable after logging in become searchable: a user can read confidential information without ever entering a username and password, including information that was supposed to be protected by someone else’s password.

Google Desktop allows users to “share across computers”. In theory, this increases your ability to find content since you can search multiple locations at once. In practice, it exposes your documents and private information to outsiders: even if the documents themselves sit in protected folders, the index (and all the confidential content captured in it) is available to everyone. The research company Gartner considers this an “unacceptable security risk”, an assessment with which even Google agreed. If you have any private information on your computer, or if you are covered by any privacy regulation (and in the insurance industry, we all are), you should never allow the installation of the “share across computers” feature.

Google Desktop is also one more piece of software that must be kept fully patched and up to date. Unpatched software gives an attacker an avenue into your computer. Read this article about a recent vulnerability in this software.

Unless you have a dedicated security expert who can make sure that your configuration is exactly correct, Google Desktop should not be allowed on any corporate computer holding confidential information.

Thursday, 30 November is International Computer Security Day.

This year’s theme is "Working Together" and emphasizes that we each have important roles in protecting our customers’, employees’ and other stakeholders’ private information.

Some of your specific responsibilities include:

  • Selecting strong passwords and changing them regularly.
  • Controlling who has access to your buildings and politely challenging strangers.
  • Staying alert for fraudulent phone calls and other forms of social engineering.
  • Using your computer resources appropriately.
    • Never disable the antivirus, firewall and other protections installed by IT.
    • Be especially professional in your use of email and IM. Remember – never write anything that you’d be embarrassed to see on the front of tomorrow’s newspaper.
  • Making sure that all paper documents end their lives in a shred bin and that electronic documents are purged in accordance with your Retention/Destruction Guide.
  • Helping your co-workers to remember and live up to their obligations to your customers’ privacy.

Go to www.computersecurityday.org for some other thoughts on Computer Security Day.