Skip to main content
Sign In

University of Colorado Denver

 

Quick Help

Security


Viruses, worms and trojan-horse programs (aka "Malware")

Computer viruses, "worms" and "trojan horse" programs are a constant source of risk for computer uses. It only takes one infected computer to bring malware onto an entire network, thus endangering the safety of all other computers and computer users on that network. Every computer that connects to the campus network has the ability to affect systems on the entire network. We therefore must all be diligent in maintaining our computers against viruses, worms, and Trojan horses.

To help prevent malware from infecting your computer system, it is vital that you install and use a high-quality antivirus program, keeping it updated regularly These updates instruct the antivirus program on how to detect, block and remove new malware. The university provides and automatically installs McAfee VirusScan antivirus free of charge to all SSPPS faculty and staff. Students must purchase their own antivirus software. Contact the SSPPS IT Services office for assistance. It is a requirement of the School of Pharmacy that you have effective antivirus protection on any computer you connect to the university network.

The most effective step you can take to reduce the chance that your computer will be infected is to just be very cautious about opening attachments to email messages that you are not expecting and in downloading files from web sites. Emails and web sites are the most common way malware spreads. Be very suspicious of emails you don't expect and web sites that are not run by trustworthy companies or organizations.

Spyware

Spyware often arrives attached to other software you intentionally install. "Freeware" and "shareware" programs you download over the Internet may include at least one, but up to several, parasite programs that will silently install themselves on your computer as you install the software that you actually wanted. Some may also arrive in e-mail messages. Unlike viruses, these pieces of spyware usually announce themselves. Clicking on and opening the attachment then serves to download this software onto your computer.

Spyware can be installed on your system by simply visiting a web site. In this case, the web site might ask you to allow the software. In some malicious cases, the web site will take advantage of flaws in your web browser to install the software with out your permission. If you surf the web, particularly with older versions of Microsoft Internet Explorer, even if you are careful, you can pick up adware and other forms of spyware.

Your chances for picking up spyware also rise when you install software applications (especially if you don't full read the license agreements - i.e. the "fine print.") Voluntary downloads account for a large portion of the privacy-infringing software. You may not realize a free screensaver or computer game or toolbar also reports back your private information.

What are some of the symptoms of spyware? If your computer is exhibiting any of the following symptoms, it is very likely that it has become infected with spyware.

  • Unusually slow performance and/or Internet connection
  • You get endless pop-up advertisements, even when you're not on the web
  • Strange hard drive behavior
  • Your web browser's homepage or settings have changed, seemingly on their own
  • There is a new toolbar in your web browser that is difficult to get rid of
  • New, unexpected icons appear in the task tray at the bottom of your screen
  • Frequent computer crashes
  • You are redirected to web sites other than the one you requested
  • The search engine your browser opens to when you click "search" has been changed
  • Certain sites fail to work in your browser.
  • Random Windows error messages begin to appear

How do you remove spyware?

The first step is to not contract spyware in the first place. Prevention is a lot easier than removal. Avoid downloading software from sites other than the software developer, and resist the tempation to install "free" software that checks weather, puts up photo slide shows, and other such gadgets without checking an independent source to make sure that the software you wish to run is free from spyware. When it doubt, don't install it.

McAfee VirusScan made available to all faculty and staff includes some spyware protection. There are also additional tools you can and should run; no single solution can find all the spyware that exists. The SSPPS IT Services office has links to a number of freeware tools that you can use to sweep your system for spyware on our Downloads page. If you believe your system may have spyware, the freeware spyware tools can in many cases identify and remove the problem, but if you continue to have problems, contact the SSPPS IT Services Office for assistance.

Phishing

“Phishing” is the attempt by some crook to entice you to provide confidential data by sending you a message that purports to be from a company or organization with which you do business. Making some false claim designed to panic you into action, such as the claim that an account needs verifying and will be cut off if you don’t take instant action, an email will ask that you go to a web site by clicking on a link in the email. The sender may address you by name and may include specific information related to you or your institution or department. When you go to the web site, you are asked to "update" or "confirm" personal information such as account numbers and passwords. The web sites may look just like a legitimate page from the company or institution the message purports to be and may be extremely realistic, but in reality the link leads to some other web site, often in another country, designed to mimic the real web site but intended solely to steal confidential information from you so that the perpetrators can fraudulently access your accounts.

This sort of scam is now very common, but it’s easy to avoid being fooled. Simply put, you should never provide private information in response to an unsolicited message, even one that appears to come from a known source that appears to be a legitimate message. The same applies to phone calls as well; someone may call you purporting to be from an official source and ask for confidential information. Do not give them any!

If you receive an email asking for confidential information, never click on any included link. No responsible company or organization will include a clickable link in an email asking for personal information since web links can be “faked” to actually connect you to some other unknown web site. Type the URL (website address) of the site directly into your web browser. If you have doubts about the legitimacy of any email you receive, contact the company by phone using a phone number listed directly on the web site of the company or organization (again, type the company’s web link; don’t click on any link in the email), not any phone number provided in the email - and ask if the issue is legitimate. The University of Colorado Denver Office of Information Technology (OIT) will NEVER ask for your password.

The same basic precautions apply to telephone calls. If you receive an unsolicited phone call from someone requesting personal or confidential information, unless you have caller ID that clearly shows the inquirer as being from a known phone number whose owner would be likely to ask for such information, get the caller’s name and phone number, hang up, and contact the organization directly via a known-valid phone number to verify the identity of the person and their need to know the information being requested. Then call the person back. If the person who the caller claimed to be is listed at a different phone number, call that phone number and verify that the person did indeed call you.

For more information and additional suggestions for protecting yourself, see:

http://www.ucdenver.edu/about/departments/ITS/NetworkSecurity/Pages/Phishing-Information.aspx

http://www.microsoft.com/protect/fraud/phishing/symptoms.aspx

Passwords

Keeping your personal passwords private, secure, and unbreakable is one of the most important steps you can take for safer computing. If your passwords slip into the wrong hands, your identity, finances, and personal information could be in jeopardy. Using well-chosen passwords are important steps in ensuring privacy and security on the computers you use everyday, at home and at work. Unfortunately, many of the passwords people use are simple or have been in use for a long period of time and for a lot of accounts. Simple passwords can be easily guessed by people who know you, or can readily be cracked by people with experience. Consider these findings...

  • Studies have shown that more than 40 percent of all individually-chosen passwords are readily guessed by someone who knows you.
  • In a recent survey of password use, more than 3,000 account passwords were cracked out of a test sample of more than 13,000 using readily-available tools.
  • Because many people use the same or similar passwords for different computers and multiple accounts, gaining access to one password often provides access to other systems and accounts.

Dictionary programs are one of many tools frequently used to crack passwords. A hacker will launch a dictionary attack by passing every word through a dictionary, which can contain foreign languages in addition to the entire English language, to a login program hoping that a word will eventually match the correct password. Even worms and viruses will attempt to guess passwords.

Ways in which passwords are vulnerable:

  • Many people do not change the default password that comes with some computer security systems. Lists of default passwords are available on the Internet.
  • A password may be guessable if someone chooses a piece of personal information as their password. Such items include a student ID number, boyfriend or girlfriend's name, birth date, telephone number, or license plate number. Personal data is now available from various sources, many online, and can often be obtained by someone using social engineering techniques such as posing as an opinion surveyor.
  • A password is vulnerable if it can be found in a list of commonly-chosen passwords. Dictionaries, often in computer-readable form, are available for many languages, and lists of passwords are easy to get a hold of. In tests on live systems, dictionary attacks are so routinely successful that software implementing this kind of attack is readily available.
  • A password that is too short, perhaps chosen for ease of typing, is vulnerable if an attacker can obtain the cryptographic hash (mathematical function which maps values from a large domain into a smaller range) of the password. For example, computers are now fast enough to try all alphabetic passwords shorter than seven characters.

Here are some helpful tips for having strong password security:

  • DON'T use your login name in any form; as-is, reversed, capitalized, doubled, etc.
  • DON’T use your employee/student ID or social security number
  • DON'T use consecutive or adjacent keys (e.g. "1234" or "abcd".
  • DON’T use a word based on personal information that may be easy to look up on the Internet such as the name of your spouse, child or pet, or your birthdate or that of your spouse or children.
  • DO use a password that you can type quickly without having to look at the keyboard. This makes it harder for someone to steal your password by watching over your shoulder.
  • DO change your password regularly.
Panicware

An increasing problem that computer users are encountering is known colloquially as "panicware". Panicware rears it's ugly head when you encounter a web site created or hijacked by unethical software developers who attempt to fool you into thinking that your system has viruses or has some other problem and that you need some software or service to fix the problem. Here's what actually is happening, though:

The software developer either lures you to their web site or manages to hook to some other legitimate web site. When you innocently trigger the developer's hack, you get a window pop up that looks like an antivirus or problem scan and claiming that your system is infected by a virus or other malware or that reports some other sort of problem. The popup offers you a "free download" of an tool that purports to be able to remove the malware or correct the problem. If you accept, this software will download and install on your system, and then claim to have scanned your system and found multiple additional malware infections. They kindly then tell you that their for-purchase software can remove these infections. Other scams may ask you to download a tool that will let a "technican" from the scammer access your computer to "fix" the "problems".

In reality, though, these claims of infection or problem are fake, and their "free" software is actually malware of its own that either will plague you with false messages of infections unless and until you buy the developer's software, or that will allow the scammer full access to your computer allowing them to steal your personal information.

All systems owned or provided by the School of Pharmacy should already have McAfee Antivirus installed. So if you get any sort of warning that your system is infected with any sort of malware, check to see if the warning is coming from McAfee. If it's not clearly coming from McAfee or an antivirus package that you know you have legitimately purchased and installed, do not agree to any sort of action.

ABSOLUTELY DO NOT agree to ANY sort of popup or warning that offers to download something to scan your system or to fix the problem or that directs you to call some number for support. It will almost certainly be a fake which will cause problems, not fix them, and in some cases the problems will be so massive that your system will have to be erased and the software rebuilt from scratch. Your information may also be stolen.

If you have any doubts about whether any warning about malware is legitimate, contact the SSPPS Information Technology Services office. We'll be happy to investigate and let you know if your system has a legitimate problem or if you're encountering a scam.

Securing Your Laptop

Every year a few unlucky users have their laptops stolen. There are some simple things you can do to reduce the chance that you’ll join this unfortunate group:

  • Avoid leaving laptops unattended, unsecured and out in the open. Most laptops are stolen due to the owner just leaving the laptop sitting out unattended, on a desk or sitting in a case. Lock the laptop in a desk, cupboard,laptop cart or other secure area when not in use. If the laptop must be left in a vehicle, it should be covered up or locked in the trunk. Above all, do not leave your laptop unattended and unwatched even if it's close by. It only takes seconds for someone to pick up an unattended, unsecured laptop and abscond with it.
  • Use visual deterrents. If you’re placing your laptop on a desk or table and can’t conveniently put it away, a cable lock or other locking mechanism can act as a deterrent to would-be criminals. Although such locks can often be ripped off the plastic exterior of a laptop with a strong tug, they do force some criminals to think twice before taking the risk.
  • Keep laptops inconspicuous. Laptops should be carried in inconspicuous carrying cases, such as backpacks or tote bags, instead of obvious laptop bags.

And to protect your data in the event your laptop is lost or stolen:

  • Use 'complex' passwords and change them regularly. Don't use simple passwords that can be guessed easily. See the above notes for tips on password protection.. Password-protect your screensaver and lock your screen to avoid unwanted access to your computer if you've stepped away.
  • Use encryption software to encrypt the data on your hard drive. This makes it very difficult for a thief to get access to your data should your laptop be stolen. All laptops owned by the University of Colorado Denver and used to store any sensitive informaton must have their hard drives encrypted.
  • Leverage anti-virus software, encryption solutions, anti-spyware and firewalls. Prevent unauthorized access and spyware from invading your computer and protect valuable information with data encryption software. Make sure your anti-malware utilities are properly installed and kept up-to-date.
  • Back up valuable data on a scheduled basis. Data backup needs to happen as frequently as possible to minimize the risk to you and the university in the event of theft or loss of your laptop. The information that is stored on the computer is more valuable than the computer itself. Make sure, though, that any backups containing sensitive data are protected; encrypted, locked in a secure location, etc.
  • Understand the dangers of pirated software and file sharing. Not only is it illegal, but pirated software can increase susceptibility to viruses, trojans and other attacks, many of which are used to steal data from your computer.
  • Stay informed. Continue to educate yourself on the tools and techniques used today by cyber criminals as well as the latest scams and other security risks to university data.
  • Don't rely on laptop recovery software/services to protect your data. Though such software and services do have success stories, there are too many ways around such systems for you to depend on them.