It remains uncertain what broader fallout there will be due to current geopolitical turmoil. Whether initiated by Russia, or by third parties who use the Ukraine invasion as a distraction, one thing is certain: We should continue to focus on the fundamentals to protect ourselves at home and at ODU.
- This is the number one way credentials are stolen. Pause before you click. If you receive a message that doesn't look 100% right, call or text the sender to confirm the message's legitimacy.
- Update your privacy settings in social media. StaySafeOnline has compiled a list of many online service providers and shows you exactly how to check your privacy settings in each one. Adjust your settings so you only share what you intend to share.
- Be choosy about who you friend.
- Photos can be a privacy risk in two ways: One is the geo-tag that may be attached to the photo when it's taken. The other risk is the background of your photo. The backgrounds in your vacation photos, for example, tell the world that you are away from your home for an extended period.
- Don't reuse passwords on multiple sites, and use stronger passwords for sites with highly sensitive personal information (like banks).
- Protect your Social Security Number and other information that can be used to open an account or start a company.
- Consider getting credit monitoring service, or credit lock or freeze, to protect your financial identity.
- Don't give out your Social Security number to anyone but the Social Security Administration, your bank, and your employer. Others who ask can find another way to identify you.
- Don't share your entire birth date on social media. Keep the year discreet, so that it is not known to the general population.
Mobile Device Security
- Set a PIN, passcode or password on your mobile device, and allow your device to erase your data after 10 failed password attempts.
- Enable Find My Device.
- Enable encryption.
- Don't jailbreak your device.
- Download from trusted sites only.
Follow basic computer hygiene
- Install anti-virus or other malware protection on your device.
- Download from trusted sites only.
Scammers are getting increasingly good at making their email messages look legit. It can be difficult to distinguish a real message from a dangerous fake. Here are some simple things you can do to protect yourself from phishers who are out to steal your identity, your money or your security:
- Never click on unknown email links. Even when an email appears to be legitimate, mouse over the link to verify that the URL address is one you recognize and trust.
- Pay attention to the 'Reply To' address, even in emails that seem to be from someone you know.
- Never click on links to website logins, as they may redirect to fake login pages. If you need to, manually type the company's address into your browser so you know you're logging in to a page you trust.
- Never give out personally identifiable information like user IDs, passwords, birthdates, SSNs, addresses or password recovery information.
- Be wary of untrusted email attachments, and scan all attachments before opening them.
- Never respond to offensive messages or spam.
- Beware of scare tactics informing you of account revalidation processes or quota limits. Most online services will never ask for your username and password.
- Don't fall for enticing 'Prize Winnings,' 'Purchase Order' or 'Work Opportunity' scams. You are not the 999,999th visitor.
Faculty/Staff Email Security
- ODU faculty/staff email is protected by Microsoft Advanced Threat Protection (ATP), which automatically analyzes all links and attachments for malicious content. While this provides an additional level of protection, you should still exercise caution with all email links and attachments. Learn more about what ATP means for the security of your ODU email.
QR Code Safety
QR codes (quick response codes) are those square matrix barcodes that allow us to access coupons and promotional websites, receive exclusive offers, or learn about products. Most smartphones have QR code readers installed that allow us to point our camera at the square to open the promotional website.
Why are QR codes used?
QR codes save us the hassle of typing in a web address or URL. They can be placed in magazines, on posters, packaging, menus, or on billboards, anywhere a smartphone camera can be pointed. They are easy and helpful for consumers, and they are beneficial for companies or organizations.
What is the risk of using a QR code?
Like many conveniences that are enabled by technology, QR codes can be used in malicious ways. Understanding how this technology works and how it can be used maliciously can help us avoid being a victim of fraud or cyber-attack.
- Cyber attackers can print their own QR code and tape or glue the code on top of a legitimate QR code. An unsuspecting recipient will use the code, thinking it is taking them to a legitimate site, only to be directed to a malicious site.
- A malicious QR code can send the device to a compromised website that downloads and installs malware.
- A malicious QR code can send the device to a fake login page, where supplied credentials are gleaned, then used to attempt unauthorized access to online services.
- Cyber attackers can pose as a legitimate cause or service and print posters with a QR code to attract well-meaning passersby. Scanning any QR code from an untrusted source is a risk.
- Over time, a domain name used by a company may become available to be purchased because it is no longer used by the company. If a company has existing QR codes or other promotions using an old domain name URL, and a malicious actor has purchased the domain, they can use the domain for malicious purposes instead of the original use. When a customer scans the old QR code, their device is taken to the new location.
- As with any program, there is the potential of a bug in the QR code reader software. A malicious site that the device is directed to can leverage bugs in the software on the device to compromise the camera, sensors, or data on the device.
What can we do to protect against malicious QR Codes?
- Never scan a QR code from an untrusted source. If the code is in a questionable email or on a physical poster of uncertain origin, then it is untrusted.
- If a QR code is on a poster, check to see if there is a sticker over the original QR code.
- Use a trusted QR code reader that is automatically patched. Some readers offer security features, such as previewing the content of a website before taking the device to that site or checking for known malicious sites to warn the customer.
- If you find a potentially malicious QR code, report it to the owner of the business or to the information security office of your organization.
A QR code should not automatically be trusted just because it appears on a poster with a compelling message. Do some research before scanning the code. A little prevention can save you from becoming an unsuspecting victim.
- Use a longer passphrase rather than the minimum (MIDAS passwords can have up to 24 characters).
- Change passwords occasionally, or whenever there is a security concern.
- Never share your password with others.
- Never write down your password.
- Don't reuse passwords for multiple sites (bank, school, email, social media).
- Consider using a password manager (see below).
- Never enter passwords on untrusted web pages (look for a green padlock, or other indication of encryption security, in the address field).
- Be wary of using the "save password" option.
- Use two-factor options when available.
Why does my MIDAS password have to be so complex?
Your MIDAS credentials give you access to a wide range of web services, including MyODU portal, email and dozens of other ODU services. This reduces the number of accounts and passwords you must remember, increases the security of your personal and private information, and makes it easier to access ODU resources.
However, because it gives you access to so many systems, the MIDAS password rules and complexity must meet a lot of requirements. ODU's password practices (MIDAS password length, complexity, and rotation frequency) all blend together to adhere to industry standards and meet the requirements for identity assurance certification.
ODU takes the security and privacy of our students' information seriously. In order to have a less complex password that is still secure, the length of the password would have to increase or passwords would have to be changed more often. We strive to balance these aspects and ultimately deliver a secure yet user-friendly computing environment.
ITS Acceptable Usage Policy prohibits sharing your MIDAS password with anyone else.
The best passwords are complex and unique. And for added security, you shouldn't write them down or duplicate them. So how do you remember all of those different passwords?
One option is to use a password manager. Password managers digitally store all of your passwords in one place, and in many cases can generate random secure passwords for you. You only have to remember one master password that unlocks them all.
Here are some password managers:
- 1Password - A password manager that protects a variety of data behind one master password. Store anything from passwords to account numbers, and search easily on any device. There is an annual subscription ($2.99/month, billed annually), but the first six months are free.
- LastPass - A browser-based, cross-platform password manager with broad support for desktop and mobile devices. There is a free version, but if you want to sync your passwords across all of your devices, you'll need a premium account ($12/year).
- DashLane - A password manager and digital wallet that can keep track of many types of secure information. The free version works on any one device, but to access passwords in multiple places, you'll have to go premium ($39.99/year).
- KeePass - A free and open-source password manager. KeePass only runs on Windows, but there is a product called KeePassX which will run on Mac OS X and Linux.
These days, browsers will offer to remember your passwords for you. However, browsers are frequently targeted for attacks. It's better to use a password manager, whose sole purpose is to encrypt and protect your data.
The possibility exists that your computer could be compromised by an online attacker or virus. We offer this information as a guide to protecting your computer and your data. You are responsible for updating your computer.
The first thing you should do is install a good anti-virus program. (There are some free options listed below.) Remember, anti-virus software is only effective if it is always running and up-to-date. Whichever program you use, make sure it updates virus definitions automatically so it recognizes new threats.
Windows 8 and 10
There is no need to download or install any other anti-virus software; just make sure you have Windows Defender turned on.
It is extremely important to keep your operating system (Windows and Mac) patched with the latest critical updates. Updates are released frequently to close vulnerability holes in your computer and help minimize security risks.
You can set your operating system to automatically install updates as they become available. You can also check for updates manually and install any recommended patches that are listed. Always install the critical updates.
A firewall is like a fence between neighbors. You can use the gate to go back and forth, but things you don't want on your side (dogs, cats, small children) can't get through without access to that gate.
When your computer is connected to the Internet, it uses specific ports to transfer data through; a firewall can control access to the ports, allowing only specific programs to pass information through the firewall to and from the Internet.
A firewall prevents others on the Internet from scanning your computer for open ports to exploit. Critical updates help close these vulnerabilities, but a firewall will block all ports except the ones you authorize. As programs need to use the Internet, the firewall will ask you for permission to let them through the "gate."
Sometimes, programs on your computer may ask for permission to act as a server, providing data to someone else. If you're not sure whether or not to allow this, do a quick internet search for the specific .exe program that wants permission to open a port. You don't want to accidentally allow spyware programs to act as servers and send data from your computer to someone else's.
Windows and Mac both come with built-in firewalls that you can turn on and use. Third party firewall programs are also available, if you prefer something more powerful.
All computers should have a password for access. Use as many of the password guidelines in the following section as you can to create the strongest password possible. And, as with any password, don't write it down or share it with anyone.
The University network provides high speed access to the Internet. But that same network provides the Internet high speed access to your computer.
The Windows operating system -- especially the default installation -- is not the most secure. In order to harden your system against attacks and illicit activities, you should address a few simple things during or immediately after a new OS installation. For example, don't install unnecessary services, and change default passwords for service accounts, guest access and remote access.
If you administer your own computer, please follow these recommended guidelines to "harden" a new machine:
For Windows 10 systems, Microsoft has developed a security configuration framework with guidelines for securing your computer. We recommend following the Enterprise Basic Security configuration for Productivity Devices at the very least, unless you decide a higher level of security is necessary for the work you do.
For Mac OS X systems, please download the OSX Hardening Guide and follow the guidance provided in the document.
For more in-depth information, LinkedIn Learning offers a course called Computer Security and Internet Safety. Log in with your MIDAS ID and password to view the course for free.
Wireless Network Security
Wireless internet (WiFi) networks in public places may be convenient, but they're not always safe. Many public WiFi spots are not secured, leaving users at risk of exposing sensitive information and data. The information you send over an unsecured WiFi network is not encrypted. Keep that in mind when deciding what information you access in public.
(Side note: MonarchODU is encrypted. AccessODU is not.)
You should always know what network you are joining. In an Evil Twin attack, a user is tricked into joining an imposter network that mimics the authentic public access network. Once the user joins, the attacker can easily intercept sensitive information.
- First and foremost, reduce your computer's vulnerability by ensuring that your operating system and firewall software are up-to-date before connecting to any wireless network.
- Be aware that data sent through an unsecured WiFi network is sent in the clear and can be intercepted.
- Wireless data is not limited to just the range of your computer. Hackers can increase their range by using amplified antennas to intercept the signal from greater distances.
- Be cautious about the wireless network you join. Wireless networks that require a network security key or password encrypt the information sent over them, which protects it.
- Be careful about what information you are sending. Never send personal information such as a user ID, password, banking information or credit card numbers.
- Disable shared folders while you're using public WiFi; file and printer sharing enables computers on the same network to access resources on your laptop, leaving you vulnerable to hackers.
These general practices are your first line of defense for staying safe while you are connected to the internet.
- Avoid questionable websites.
- Use caution with free software and file-sharing applications. There are many legitimate free and open-source applications that are quite useful, but there are also a lot of shady or downright malicious titles out there. Do your research before downloading anything free.
- Increase your browser security settings to a medium or high level.
- Type in a trusted URL for a company's site into the address bar of your browser instead of clicking on links in an email or instant message.
- Avoid clicking on pop-ups, even to close them. Instead, close pop-ups from the system tray area with a right mouse click.
Spotting a fake website
A scammer recently tried to gain access to MIDAS IDs and passwords by imitating the Monarch-Key web login page. Depending on your role at ODU, you may see this page several times a day and think nothing of entering your credentials. But in this case, there were some clues that indicated this was not a legitimate ODU login page. You should always pay close attention to your online surroundings to keep from entering important personal information on fake pages.
Mobile Device Security
Mobile devices are convenient and almost necessary in today's connected society. But if your smartphone or tablet is ever lost or stolen, or if you share data over networks that aren't secure, your personal information could be exposed. Take the following precautions to protect yourself and your data.
Protect your device
- Set a device password. This is your first line of defense if your device falls into the wrong hands. This password should be at least 8 characters long, complex and unique. Change your password every 30 days, or whenever anyone else learns what it is.
- Enable inactivity time out. Set your device to turn itself off after no more than five minutes of inactivity.
- Enable Erase Data to automatically erase the device after ten failed passcode attempts.
- Don't leave your device unattended. Be extra careful when travelling. One in twenty mobile devices is lost or stolen.
- Do not jailbreak. Only download apps from reputable developers in your device's app store.
- Keep your OS and all apps up-to-date. When your device is no longer supported with new updates, consider upgrading. And when your device has reached the end of its life with you, make sure it is erased or wiped before reassigning, replacing or returning it.
Protect corporate data
- Do not use cloud services to back up company data. And do not store any regulated data (HIPAA, FERPA, etc.) on your mobile device at all.
- Do not send work-related email to personal email accounts.
Protect your connections
- Ask to join WiFi networks. Make sure your device isn't automatically connecting to open networks without your knowledge.
- Be smart about WiFi connections. Do not use untrustworthy hotspots. When using open WiFi hotspots, make sure that the data you are transferring is encrypted. Check site certificates on any web authentication page before entering your credentials.
- Turn off unused connection services. If you're not using Bluetooth, WiFi, VPN or Location Services, turn them off to prevent unauthorized connections.
Social Network Security
Facebook, Twitter, and Instagram are great for connecting and sharing with each other. But an increasing number of people are falling victim to online harassment, identity theft or legal action because of things they share on social media. Here are some things to keep in mind while using these sites:
Minimize your exposure to phishing attacks on social media.
- Limit interactions to users you're sure you can trust. Make sure that you've either met them in person or that you have mutual connections and their profile seems credible. Don't interact with profiles if they don't know you or are contacting you for suspicious reasons.
- Avoid clicking on links or downloading file attachments sent to you through social media, especially if the links seem suspicious or if the users seem unfamiliar. On LinkedIn, it's common to share attachments like cover letters, resumes and letters of recommendation. When in doubt, pass the link or attachment in question to an open source malware detector.
- Ensure two-factor authentication is enabled on all of your social accounts. This provides another barrier of protection should an attacker ever steal your credentials. Many social networks can now require a code be sent to your phone or via email when they detect a new browser or device attempting to access your account, so be on the lookout for any sort of suspicious activity.
If you wouldn't post it on a resume, don't post it on the net.
Don't get fired before you get hired. Employers have Internet access too, and they scour social networking sites to learn about potential employees. Inappropriate content or behavior will immediately lower your reputation and reduce your odds of employment. Keep your page appropriate, because you never know who is looking at it.
Sensitive information is for your eyes only.
A rising number of people are exposing sensitive information on social networking sites. Many don't realize that what they post can be read by people they don't know, and that information can be used maliciously and for identity theft. Do not share information that could help somebody guess your security questions, PIN numbers, address or social security numbers.
Security is essential.
While most social networking services allow you to block strangers from accessing your profile, people you don't know could still gain access to your page. Following these practices will help prevent such intrusions.
- Always log out of online services, especially if you are using them on public access computers.
- Avoid the use of automatic login as well, as it creates multiple avenues for hackers to gain access.
- Use different passwords for every online account, and reset your password whenever you feel your account may have been compromised.
- Finally, remember that just because you deleted something from your page doesn't mean it's gone; someone could have downloaded or kept your information somewhere else.
Options for greater security vary from site to site. Facebook, for example, allows users to set up log-in notifications, to allow you to ensure that you are the only person with access to your account. Many sites (banking in particular) will also use 2-factor authentication: Users are given a personalized key that the website displays to prove you're at the actual website. If you can enable 2-factor authentication, do so.
If you manage an ODU social media account, you need to be even more mindful of Internet security. Remember, you are contributing to ODU's reputation while you use the ODU name.
- Use a different strong password for each account. Change those passwords whenever a member of your team leaves the University, or any time you feel the account may have been compromised.
- Use 2-factor authentication whenever possible.
- If the social media channel allows it, have it notify you when the account is accessed from unauthorized devices.
- Do not use auto-login options.
- Log out of your accounts on all devices after each use.
- Use social media management platforms like Hootsuite that can help with management and prevent sharing of accounts.
International Security: Safe Computing While Abroad
Traveling overseas with a laptop can be risky for your equipment, your data and your privacy. Because you can't always count on networks to be secure, you should assume that your device could be compromised at any time. There are some things you can do, however, to reduce your risks while traveling:
- Change your passwords before you leave and after you get back.
- Do not leave your device unattended.
- Any information on your computer could be exposed to unauthorized access. Take only the presentation you intend to give, and no other electronic personal or business information. Consider traveling with a loaner laptop that can be reimaged when you return.
- Don't conduct any sensitive business over public WiFi. Instead, use the ODU VPN every time you connect to an open network or a network outside of the United States. This will encrypt your communication while on the internet (subject to export control input from the Office of Research). Always use the ODU VPN any time you:
  - access files on ODU's servers or cloud storage services
  - communicate with ODU
  - access any ODU resources
- To prevent any cross-network malware infection, DO NOT connect the device to your home or ODU's network when you return. Have the device rebuilt before connecting to the wired network at ODU or in your home.
The Travel Channel has some additional tips for protecting your personal data while traveling.
For more information about protecting your research and data while overseas, read the FBI's Best Practices for Academics Traveling Abroad.
Learn how to recognize scams so you don't become a victim.