Basic Computer Security for Higher Education Outline
Basic Computer Security for Higher Education
Dr. Kara L. Nance
ASSERT Center
University of Alaska Fairbanks

Outline
– Introduction
– Overview of Computer Security
– Email Security
– Password Safety
– What You Can Do

University of Alaska – Computer Science
– ABET Accredited Computer Science Program. B.S., M.S., M.S.E.
– Diverse faculty research expertise with emphasis on
  – Information Assurance
  – Computer Graphics
– Advanced System Security Education, Research, and Training (ASSERT) Lab
  – Computer Forensics
  – Information Assurance
  – Computer Security
  – Authentication
  – Networks
  – Honeypots
  – Virus and Worm Behavior
  – Social Engineering
  – Critical Infrastructure
  – Sensor Webs
  – Education/Outreach
  www.assert.uaf.edu

Outline
– Introduction
– Overview of Computer Security
– Email Security
– Password Safety
– What You Can Do

What does secure mean?
When we have a valuable asset, we want to protect it so that:
– Those who should have access to the asset are actually able to access it.
– Those who should not have access to the asset are unable to access it.

What does secure mean?
For example, consider your bank account.
– You want to be able to withdraw money from your account.
– You don’t want anyone else to be able to withdraw money from your account.

What does secure mean?
We have similar concerns in the computing realm:
– You want to be able to create, read, and modify your files on the institution’s file server.
– You want your co-worker, Bob, to be able to read your files on the institution’s file server.
– You don’t want anyone else to be able to create, read, or modify your files on the institution’s file server.

What does secure mean?
For computer systems, we may want to secure assets such as:
– Resources including equipment, network bandwidth, CPU cycles, disk space, etc.
– Data such as database contents, files, email messages, etc.

What does secure mean?
Computer systems tend to be:
– Complex – lots of components, including hardware, software, users, and data.
– Dynamic – frequently changing, due to upgrades, patches, adding and removing users, and changing data.
The result is that securing computer systems is a difficult problem, and any solution must be continually re-evaluated as the system changes.

10 Immutable Laws of Security
Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore
Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more
Law #5: Weak passwords trump strong security
Law #6: A computer is only as secure as the administrator is trustworthy
Law #7: Encrypted data is only as secure as the decryption key
Law #8: An out of date virus scanner is only marginally better than no virus scanner at all
Law #9: Absolute anonymity isn't practical, in real life or on the Web
Law #10: Technology is not a panacea
LOOKAT: http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx

Attacks – Poorly Designed Programs
13 year old deletes files; none of his actions were unauthorized
March 2004 [North Ridgefield, OH] – A 13 year old deleted numerous files from a district’s electronic reading program. He was suspended and the case was referred to the police. Although he was accused of hacking, several people pointed out that the program was poorly designed and allowed the deletions to take place without any unauthorized intrusions. They also pointed out that the district was negligent for not having backup copies of the files on a separate server.
LOOKAT: http://securedistrict.cosn.org/admin/stories.html#2004Dartmouth (CyberSecurity for the Digital District)

Attacks – Poor Password “Placement”
Stolen Password Used To Change Grades
April 2004 [Broward County, FL] – Two students were suspended after admitting to using a password stolen from a teacher’s computer to break into the school server and run a small business charging $5 to change students’ grades.
LOOKAT: http://securedistrict.cosn.org/admin/stories.html#2004Dartmouth (CyberSecurity for the Digital District)

Attacks – Equipment
KeyKatcher Used On School Machines
January 2004 [Saratoga, CA] – A group of high school students installed “KeyKatcher” devices on several school computers and captured teacher passwords, which they used to access school systems to steal tests and answers. The device costs less than $100 and is about the size of a AA battery. It is installed between the keyboard and the computer. It went unnoticed in teachers' classrooms. “We've only found one KeyKatcher on campus,” Principal Kevin Skelly said. “But we know there's more out there.” The KeyKatcher exploit was accidentally discovered in the process of investigating two other incidents: a math student who broke into a school computer and tried to change a grade, and two students who stole a printed test and saved electronic copies.
LOOKAT: http://securedistrict.cosn.org/admin/stories.html#2004Dartmouth (CyberSecurity for the Digital District)

Attacks – Social Engineering and Poor Password Choice
Scam to change grades: So simple, so effective ... so stupid
Nick Farrell, vnunet.com, 17 Jul 2002
A student at the University of Delaware has appeared in court charged with breaking into the university's computer systems to change her grades. Darielle Insler made phone calls to the technical support teams in which she impersonated her teachers and requested a new password. She used the password to get into her personal files and change her grades.
She also was able to guess at least one professor’s password. Campus police say she allegedly changed her grades in math and science classes from Fs to As. And police say she changed an 'incomplete' to a passing grade in an education class. Police stated that the plan was simple and very effective at gaining access to key systems. "It's the easier way, because you don't really need the computer expertise or know-how; instead of handling the computer, you're handling the people."
LOOKUP: http://cnnstudentnews.cnn.com/2002/fyi/teachers.ednews/07/17/university.hacker.ap/

Types of Threats
– Interception – For example, a final exam is read by a student as the instructor emails it from his home computer to his office account.
– Interruption – For example, students cannot register because the registration website’s servers are experiencing a Denial-of-Service attack.

Types of Threats
– Modification – For example, messages between “select” senior faculty members are changed by Bob during transmission (“Bob’s tenure evaluation meeting begins at 8:00” becomes “Bob’s tenure evaluation meeting begins at 10:00”).
– Fabrication – For example, an ‘A’ student receives a fake message from a professor that an exam has been cancelled.

Method, Opportunity, and Motive
An attacker needs a method, an opportunity, and a motive.
Methods are increasingly widely available to even unskilled computer users. Scripts and programs that can be used to exploit vulnerabilities are widely available on the Internet, so that an attacker need only download and run a program to perform an attack.

Method, Opportunity, and Motive
Opportunities are far more widely available. Since almost all computer systems have some kind of network connection, physical access to the computer system is rarely needed.
Motives are many and widely varied, and include profit, intellectual curiosity, challenge, revenge, personal advancement, etc.

Computer Security Goals
– Confidentiality – Student exam results can only be read by Professor X and the student.
– Integrity – Grades can only be changed by Staff Member A.
– Availability – Student B’s Unofficial Transcript is available to (and can be accessed by) Advisor X and Student B at all times.

Vulnerabilities
Hardware
– Includes damage to hardware, caused deliberately or accidentally.
– Theft and alteration of the hardware is also a major problem – installation of a keystroke logger, for example.

Vulnerabilities – Hardware
The brazen airport computer theft that has Australia's anti-terror fighters up in arms
By Philip Cornford, September 5, 2003
On the night of Wednesday, August 27, two men dressed as computer technicians and carrying tool bags entered the cargo processing and intelligence centre at Sydney International Airport. The men, described as being of Pakistani-Indian-Arabic appearance, took a lift to the third floor of the Charles Ulm building on Link Road, next to the customs handling depot and the Qantas Jet Base. They presented themselves to the security desk as technicians sent by Electronic Data Systems, the outsourced customs computer services provider which regularly sends people to work on computers after normal office hours. After supplying false names and signatures, they were given access to the top-security mainframe room. They knew the room's location and no directions were needed. Inside, they spent two hours disconnecting two computers, which they put on trolleys and wheeled out of the room, past the security desk, into the lift and out of the building.
LOOKAT: http://www.smh.com.au/articles/2003/09/04/1062548967124.html

Vulnerabilities
Software
– Includes the addition, modification, deletion, or misplacement of software on a system, and again may be caused deliberately or accidentally.
– For example, an attacker may attempt to add FTP server software to a computer, in order to provide a location for illegal files to be traded anonymously online.

Vulnerabilities
Data
– Data can be deleted, modified, or revealed to unauthorized users, and again the cause may be deliberate or accidental.
– For example, email can typically be intercepted, modified, or deleted with ease by a malicious user with access to the network.

Methods of Defense
Remember that attackers are often successful when they do the unexpected – don’t expect them to behave like typical users, or to attack where your defenses are strongest!

Outline
– Introduction
– Overview of Computer Security
– Email Security
– Password Safety
– What You Can Do

Basic Email
Email has become an incredibly popular method of communication, but it was not designed with security in mind.

Basic Email
In its most basic form, email suffers from at least two very basic drawbacks:
– The content is usually not encrypted, thus anyone who intercepts the message as it travels from the sender to the recipient(s) can read/modify the message.
– The sender is not authenticated. This means that when a recipient receives a message, he/she cannot be sure who sent it.

Basic Email
A postcard is a much better analogy for email than a letter in an envelope.

Basic Email – Unencrypted
An email message is unencrypted, so anyone who can intercept the message can read/modify the contents.

Basic Email – Unencrypted
As an email travels from sender to recipient, it may pass through many computers, such as routers and mail forwarders. Any of these computers (or their administrators) can intercept (and read/modify/discard) the email without the knowledge of the sender or recipient.
Basic Email – Unencrypted
Any attacker monitoring network traffic on a network segment through which the email travels can also intercept and read/modify the email without the knowledge of the sender or recipient.

Basic Email – Unauthenticated
The email header contains information about the sender and recipient of the email. Most individuals never read the header. Most individuals trust that the contents of this header accurately reflect the true sender of the email. Most email software has an option that displays these headers to the user.

Basic Email – Unauthenticated
I have created an email account, csmn681@hotmail.com, for this demonstration. We can see that the inbox contains a message claiming to be from one of my CSMN 681 students. The sender’s email address shown is correct, but Rob did not send the message. Thanks to Rob for allowing me to use his address for this demonstration. You should NOT assume that you can perform a similar email demonstration without the written consent of the owner of any email address and email server that you intend to use.

Basic Email – Unauthenticated
We can view the email header in Hotmail by clicking ‘Options’, then clicking on ‘Mail Display Settings’. Select the ‘Advanced’ radio button in the Message Headers section, then click the ‘OK’ button.

Basic Email – Unauthenticated
Now when you read an email message in Hotmail, the message header should be displayed. Similar settings exist in other email readers (various webmail systems, Netscape, Outlook, Evolution, etc.) that allow the email header to be viewed.
Basic Email – Unauthenticated
If we look at the message header, we see the following:

Received: from smtp.uaf.edu ([137.229.18.90]) by mc6-f20.hotmail.com with Microsoft SMTPSVC(5.0.2195.6713); Sat, 17 Jul 2004 17:01:49 -0700
Received: from smtp3.suscom.net (cprg-4200-1.cs.uaf.edu [137.229.25.234]) by smtp.uaf.edu (8.12.11/8.12.11/uaf3) with SMTP id i6HNw6Cl482859 for <csmn681@hotmail.com>; Sat, 17 Jul 2004 15:58:42 -0800 (AKDT)
X-Message-Info: 6sSXyD95QpXKnszpKxcpTToexYIlP8dC
Message-Id: <200407172358.i6HNw6Cl482859@smtp.uaf.edu>
Return-Path: rramos@suscom.net
X-OriginalArrivalTime: 18 Jul 2004 00:01:50.0062 (UTC) FILETIME=[6CC060E0:01C46C5A]

If we look closely enough, we may notice that some parts of the header don’t look quite right (the part highlighted in yellow on the slide, for example), but for almost all users, this would be accepted as having been sent by Rob.

Secure Servers
This problem of reverting to insecure methods when the secure method fails is common, as the user trades convenience for security. As an example, amazon.com allows users the option of signing into their account using a “standard server” if the SSL-based “secure server” login fails. amazon.com is just used here as an example, and is certainly not the only example of this “fail to insecure mode” issue – you should be able to think of several other situations where an insecure method is used in the event of a failure in the secure method.

Phishing?
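As an added example (not part of the original slides), the Python below automates two of the checks a careful reader makes on a header like the one above, or on the LaSalle phishing header shown a few slides later: whether the name each relay announced in a Received: hop belongs to the same domain the receiving server resolved for its address, and whether the Date: the sender wrote is later than the first receiving server's own timestamp. Both header transcriptions are embedded as sample input; the "last two labels" rule for comparing domains is a simplification assumed here.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Headers transcribed from the two slides (one header field per line); only
# the fields used by the checks below are kept.
FORGED_HEADER = (
    "Received: from smtp.uaf.edu ([137.229.18.90]) by mc6-f20.hotmail.com"
    " with Microsoft SMTPSVC(5.0.2195.6713); Sat, 17 Jul 2004 17:01:49 -0700\n"
    "Received: from smtp3.suscom.net (cprg-4200-1.cs.uaf.edu [137.229.25.234])"
    " by smtp.uaf.edu (8.12.11/8.12.11/uaf3) with SMTP id i6HNw6Cl482859"
    " for <csmn681@hotmail.com>; Sat, 17 Jul 2004 15:58:42 -0800 (AKDT)\n"
    "Message-Id: <200407172358.i6HNw6Cl482859@smtp.uaf.edu>\n"
    "Return-Path: rramos@suscom.net\n"
)
PHISHING_HEADER = (
    "Return-Path: <frakdirect@lasalle.com>\n"
    "Received: from mx.uaf.edu (mx.uaf.edu [137.229.34.31]) by mail1.uaf.edu"
    " (8.12.11/8.12.11/uaf4) with ESMTP id j1NCxSqR030409;"
    " Wed, 23 Feb 2005 03:59:28 -0900\n"
    "Received: from LaSalle.com (gege-germany.de [217.160.143.178]) by mx.uaf.edu"
    " (8.12.11/8.12.11/uaf5) with SMTP id j1NCwslS021301;"
    " Wed, 23 Feb 2005 03:58:59 -0900\n"
    'From: "LaSalle Bank" <frakdirect@lasalle.com>\n'
    "Subject: LaSalleOnline - Protect your private information\n"
    "Date: Thu, 24 Feb 2005 07:00:42 -0700\n"
)

# "from <announced name> (<reverse-DNS name> [<ip>])"; the reverse-DNS name
# is absent when the receiving server logged only the address.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([\d.]+)\]\)")


def registrable(name: str) -> str:
    """Last two labels of a host name (assumed simplification: a production
    check would consult the public-suffix list for names like co.uk)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def check_received_chain(raw_header: str) -> list[str]:
    """Flag hops whose announced (HELO) name is not in the domain the
    receiving server resolved for the connecting address."""
    msg = message_from_string(raw_header)
    findings = []
    for hop in msg.get_all("Received", []):
        m = RECEIVED_RE.search(hop)
        if not m:
            continue
        announced, rdns, ip = m.groups()
        if rdns and registrable(announced) != registrable(rdns):
            findings.append(
                f"hop from {ip}: announced itself as {announced} but resolves to {rdns}"
            )
    return findings


def check_date(raw_header: str):
    """Return a finding if the sender-written Date: is later than the stamp
    of the first server that received the message; None if absent/consistent."""
    msg = message_from_string(raw_header)
    if msg["Date"] is None:
        return None
    sent = parsedate_to_datetime(msg["Date"])
    # The last Received: line is the earliest hop; its timestamp follows ';'.
    first_hop = msg.get_all("Received")[-1]
    stamp = re.sub(r"\(.*?\)", "", first_hop.rsplit(";", 1)[1]).strip()
    received = parsedate_to_datetime(stamp)
    if sent > received:
        hours = (sent - received).total_seconds() / 3600
        return (f"Date: is {hours:.1f} h after first receipt "
                f"({sent:%Y-%m-%d %H:%M %z} vs {received:%Y-%m-%d %H:%M %z})")
    return None


if __name__ == "__main__":
    for label, hdr in (("forged student mail", FORGED_HEADER),
                       ("LaSalle phish", PHISHING_HEADER)):
        print(label)
        for finding in check_received_chain(hdr) + [f for f in [check_date(hdr)] if f]:
            print("  ", finding)
```

Neither check proves forgery on its own (legitimate relays sometimes announce odd names), but both are cheap signals a mail gateway can score alongside the Proofpoint-style spam score seen in the phishing header.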
Phishing
[Slide images of example phishing messages not captured in the transcription.]

Phishing Header
Return-Path: <frakdirect@lasalle.com>
Received: from mx.uaf.edu (mx.uaf.edu [137.229.34.31]) by mail1.uaf.edu (8.12.11/8.12.11/uaf4) with ESMTP id j1NCxSqR030409; Wed, 23 Feb 2005 03:59:28 -0900
Received: from LaSalle.com (gege-germany.de [217.160.143.178]) by mx.uaf.edu (8.12.11/8.12.11/uaf5) with SMTP id j1NCwslS021301; Wed, 23 Feb 2005 03:58:59 -0900
Message-Id: <200502231258.j1NCwslS021301@mx.uaf.edu>
From: "LaSalle Bank" <frakdirect@lasalle.com>
Subject: LaSalleOnline - Protect your private information
Date: Thu, 24 Feb 2005 07:00:42 -0700
MIME-Version: 1.0
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2800.1081
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1081
X-Proofpoint-Spam-Details: rule=notspam policy= score=18 mlx=18 adultscore=0 adjust=0 engine=2.5.0-05022200 definitions=2.5.0-05022202
X-Proofpoint-Spam-Score: 18
X-Proofpoint-Spam-Bar: **

Viruses, Worms, and Trojans
Viruses, worms, and trojans have many purposes:
– Steal, modify or delete data.
– Allow unauthorized access to the computer, which is called a backdoor.
– Provide a temporary server, such as a mail server for spam, or an FTP server.
– Create a botnet (a usually large group of compromised computers which can be used to perform some additional tasks, such as a Distributed Denial of Service attack).
– Patch a security problem (not as good as it may sound).

Malicious Code
Virus scanners are now a common piece of software on many computers, and are relatively good at catching known viruses, worms, and trojans provided they are used and updated regularly.
Virus scanners are still not very good at catching new viruses (e.g. on the so-called zero-day of an exploit).

Malicious Code
Computer users are becoming less susceptible to some types of malicious code (e.g. email attachments), so attackers often utilize a level of social engineering in the attack. For example, people often will not open attachments from people they don’t know.
– This is a good start.
– However, malicious code in an email attachment often appears to be from someone you do know, since the email is sent from someone you know who is already infected by the virus.
Britney Spears, Bill Gates, Jennifer Lopez, Shakira, Osama Bin Laden, Michael Jackson, Bill Clinton, Anna Kournikova, Paris Hilton, Pamela Anderson

Hoaxes (Social Engineering)
Virus Hoaxes: Not Just Harmless Pranks
There are a lot of viruses out there. And then there are some viruses that aren't really out there at all. Hoax virus warning messages are more than mere annoyances. After repeatedly becoming alarmed, only to learn that there was no real virus, computer users may get into the habit of ignoring all virus warning messages, leaving them especially vulnerable to the next real, and truly destructive, virus.
LOOKAT: http://vil.nai.com/VIL/hoaxes.asp

Hoaxes
Commentary: The so-called "Teddy Bear" virus hoax is not one of the latest email hoaxes but, as email hoaxes go, this one is proving to be quite resilient. It regularly pops up on forums and news groups and still finds its way to my inbox. Unfortunately, this one is a little more harmful than your average email hoax in that it can trick unwary computer users into deleting "jdbgmgr.exe", a legitimate Windows file. One of the reasons that this email hoax has been so successful is that the file in question (jdbgmgr.exe) really does have a cute little teddy bear icon.
Such an icon may look out of place for a Windows file, so people are perhaps that little bit more willing to believe the warning in the email. Of course, if nothing else, the teddy bear icon proves that computer programmers actually do have a sense of humor (grin).
[Image: Teddy bear icon for jdbgmgr.exe]
LOOKAT: http://www.hoax-slayer.com/teddy-bear-virus-hoax.html

Nigerian 419 Scam
SUBJECT: TSUNAMI DONATIONS
Dear Friend
As you read this, I don't want you to feel sorry for me, because, I believe everyone will die someday. My name is Andrew Adams a merchant in PHILIPPINES, I have been diagnosed with Esophageal cancer. It has defiled all forms of medical treatment, and right now I have only about a few months to live, according to medical experts. I have not particularly lived my life so well, as I never really cared for anyone (not even myself) but my business. Though I am very rich, I was never generous, I was always hostile to people and only focused on my business as that was the only thing I cared for. But now i regret all this as I now know that there is more to life than just wanting to have or make all the money in the world. I believe when God gives me a second chance to come to this world I would live my life a different way from how I have lived it. Now that God has called me, I have willed and given most of my property and assets to my immediate and extended family members as well as a few close friends. I want God to be merciful to me and accept my soul so, I have decided to give alms to charity organizations, as I want this to be one of the last good deeds I do on earth. So far, I have distributed money to some charity organizations in the U.A.E, Algeria and Malaysia, Indian and Pakistan. Now that my health has deteriorated so badly, I cannot do this myself anymore.
I once asked members of my family to close one of my accounts in Switzerland and distribute the money which I have there to charity organization in Bulgaria and Pakistan, they refused and kept the money to themselves. Hence, I do not trust them anymore, as they seem not to be contended with what I have left for them. Now I want you to assist me in getting some cash deposit claim and distribute to charity and people of the tsunami disaster. The last of my money which no one knows of is the huge Cash deposit of $36,000.000.00 million united states dollars that I have with a finance/Security Company abroad. I will want you to help me collect this deposit and dispatched it to charity organizations. I have set aside twenty percent for you and for your time. My email address is: [removed]
regards,
Andrew Adam
LOOKAT: http://www.hoax-slayer.com/tsunami-nigerian-scam.html

Money From Microsoft
Subject: FW: PLEEEEEASE READ!!!! It was on the news!
Dear friends, Something to share with all of u. Would u believe if this is true? Read on.....
For those who need money badly and this is one opportunity to try it! I'm an attorney, and I know the law. This thing is for real. Rest assured AOL and Intel will follow through with their promises for fear of facing a multimillion-dollar class action suit similar to the one filed by PepsiCo against General Electric not too long ago.
Dear Friends, Please do not take this for a junk letter. Bill Gates is sharing his fortune. If you ignore this you will repent later. Microsoft and AOL are now the largest Internet companies and in an effort to make sure that Internet Explorer remains the most widely used program, Microsoft and AOL are running an e-mail beta test. When you forward this e-mail to friends, Microsoft can and will track it (if you are a Microsoft Windows user) for a two week time period.
For every person that you forward this e-mail to, Microsoft will pay you $245.00, for every person that you sent it to that forwards it on, Microsoft will pay you $243.00 and for every third person that receives it, you will be paid $241.00. Within two weeks, Microsoft will contact you for your address and then send you a cheque.
Regards.
Charles S. Bailey
General Manager Field Operations
[CONTACT DETAILS REMOVED]
I thought this was a scam myself, but two weeks after receiving this e-mail and forwarding it on, Microsoft contacted me for my address and within days, I received a cheque for US$24,800.00. You need to respond before the beta testing is over. If anyone can afford this Bill Gates is the man. It's all marketing expense to him. Please forward this to as many people as possible. You are bound to get at least US$10,000.00. We're not going to help them out with their e-mail beta test without getting a little something for our time. My brother's girlfriend got in on this a few months ago. When I went to visit him for the Baylor/UT game. She showed me her check. It was for the sum of $4,324.44 and was stamped "Paid In Full". Like I said before, I know the law, and this is for real Intel and AOL are now discussing a merger which would make them the largest Internet company and in an effort make sure that AOL remains the most widely used program, Intel and AOL are running an e-mail beta test.
LOOKAT: http://www.hoax-slayer.com/tsunami-nigerian-scam.html

Life Is Beautiful
This information arrived this morning, from Microsoft and Norton. Please send it to everybody you know who accesses the Internet. You may receive an apparently harmless email with a PowerPoint presentation called "Life is beautiful.pps." If you receive it DO NOT OPEN THE FILE UNDER ANY CIRCUMSTANCES, and delete it immediately.
If you open this file, a message will appear on your screen saying: "It is too late now, your life is no longer beautiful", subsequently you will LOSE EVERYTHING IN YOUR PC and the person who sent it to you will gain access to your name, email and password. This is a new virus which started to circulate on Saturday afternoon. WE NEED TO DO EVERYTHING POSSIBLE TO STOP THIS VIRUS. UOL has already confirmed its dangerousness, and the antivirus Softs are not capable of destroying it. The virus has been created by a hacker who calls himself "life owner", and who aims to destroying domestic PCs and who also fights Microsoft in court! That's why it comes disguised with extension pps. He fights in court for the Windows-XP patent. MAKE A COPY OF THIS EMAIL TO ALL YOUR FRIENDS
LOOKAT: http://www.hoax-slayer.com/life-is-beautiful-virus-hoax.html

Charity Hoax
Hi, my name is Amy Bruce. I am 7 years old, and I have severe lung cancer from second hand smoke. I also have a large tumor in my brain, from repeated beatings. doctors say I will die soon if this isn't fixed, and my family can't pay the bills. The Make A Wish Foundation, has agreed to donate 7 cents for every time this message is sent on. For those of you who send this along, I thank you so much, but for those who don't send it, what goes around comes around. Have a Heart, please send this. Please, if you are a kind person, send this on. PLEASE HIT FORWARD BUTTON "NOT REPLY BUTTON".
LOOKAT: http://www.hoax-slayer.com/amy-bruce-charity-hoax.html

Outline
– Introduction
– Overview of Computer Security
– Email Security
– Password Safety
– What You Can Do

Access Control
You can control access based on:
– Who you are (e.g. fingerprint)
– Where you are (e.g. at a certain terminal)
– What you have (e.g. ATM card)
– What you know (e.g. password)

Policy Issues
System administrators can establish and enforce password policies including the following:
– Password strength
  – Length
  – Contents
– Password change
  – Timed
  – First time
– Account lockouts
– How the password is stored
– What to do when someone forgets their password

Encryption
– Passwords are usually encrypted using a one-way encryption
– Encrypted version is stored
– User entry is encrypted and compared with stored version

UNIX Password
adelia:gDlE1lfHj06vE:1311:100:adelia maples:/usr/home/adelia:/bin/tcsh
josefa:.lZJON/EqHGvA:2783:100:josefa bedard:/usr/home/josefa:/bin/tcsh
ashli:ynuN69Od91kOo:1529:100:ashli blocker:/usr/home/ashli:/bin/tcsh
Fields, in order: Username : Encrypted Password : User Identification Number (UID) : User Group Identification Number (GID) : User Name : User Home Directory : User Shell

Unencrypted Data
Google (http://www.google.com) uses a database to quickly retrieve information.
– This allows users to quickly find pages related to their search criteria.
– It also allows searches based on a number range, for example using 1...50 as the search criteria generates a list of all pages that include the numbers 1 through 50.
– We can use this feature to search for credit card numbers, for example, using a search criteria such as 4111000000000000...4111999999999999
– This is not a bug, but it does demonstrate the power of a well designed database (whether the results are then used for good or bad is another issue).

Unencrypted Passwords
If a system administrator can tell you (or send you) your password, then your password is most likely stored in plain text on their machine.
Unencrypted Passwords
Unencrypted passwords are VERY vulnerable to:
– Sniffing
– Social engineering
– Shoulder surfing
– Hacking
– Printing

Unencrypted Passwords
[Slide images not captured in the transcription.]

Encrypted Password – Dictionary Attack
– Word set is identified
– Word set is encrypted
– Compared with password list

Common Passwords
23% child's name
19% partner's name
12% birthdays
9% football team
9% celebrities and bands
9% favorite places
8% own name
8% pet's name

Common Passwords lists
7.4% common names
4.0% user/account name
2.7% phrases and patterns
1.8% women's names
1.2% men's names
1.0% machine names
1.0%

– I keep forgetting my password
– I have too many passwords
– I use the same password for everything
– I can’t remember the website address for my journal subscription.
… a word about password safes

Outline
– Introduction
– Overview of Computer Security
– Email Security
– Password Safety
– What You Can Do

What Can You Do?
Deans and Directors Security Page
http://rusecure.rutgers.edu/people/deans_n_dir.php
Faculty/Staff Development
Policy Development
– Passwords
– Plagiarism
– Computer Use
– Website Credibility
– Surplus Equipment
Students
– Modules in courses
– Courses
– Internet references vs technical journals

What Can You Do?
Develop courses, certificates, and programs
– Business – Security Management
– Engineering – Networks, Wireless Security, RFID...
– Legal – FERPA, HIPAA, Cyberethics...
– Computer Science – Millions of things
– Physics/EE – Power Systems, Critical Infrastructure
– Communication/Sociology – Social Engineering
– Library Science – Internet Resources
– Education – Preservice and Inservice Teacher Training
– Mathematics – Cryptography
– Statistics – Combinatorics (passwords)

What Can You Do?
Opportunities
– Funding
  – Research
  – Education
  – Outreach
– New student populations

Questions?
This presentation will be available at the ASSERT website: assert.uaf.edu