How to use Personal and Home Use Internet devices in a secure manner?

In the modern IT era there are many personal and home-use Internet-enabled devices, including smartphones, smart watches, home routers, game consoles and a variety of smart home devices. While they bring convenience to life, they may also bring information security risks. We would therefore like to offer some security tips to ensure that the devices you use are assets rather than burdens.

  • Make sure your computer programs are up to date. Keep the device’s system and software programs updated regularly. If an anti-malware program is installed, keep it updated as well to avoid damage or infection by malware;
  • Secure your network. Protect your wireless network with WPA2 encryption and a complex password, and update the software of your home Wi-Fi router regularly;
  • Learn more about your device. Have a solid understanding of how the device works, how it connects to the Internet, and the type of information it stores and transmits;
  • Understand how to keep devices up to date. Read the instructions carefully to learn all the necessary safe-use methods and precautions, including changing the default password;
  • Understand what data is being collected. Some smart devices collect data. Take some time to understand what information your connected devices collect and how that information is managed and used;
  • Know how your data is stored. Smart devices send the collected data to the cloud and store it there, so be aware of where the data is stored and what security measures protect your personal data;
  • Do more research. Before adopting a new smart device, study other users’ evaluations of the security and privacy of the device and its service provider.

Are you always ready to protect important data?

With more and more data stored on computing devices, and especially with the popularity of mobile devices such as smartphones, tablets and notebook computers, their intrinsic value and portability make them likely targets for criminals. The tips below help protect your information to a certain extent in case your mobile device is stolen or lost.

  • Encrypt sensitive information. Add a layer of protection to your files by using the built-in encryption tools included in your computer’s operating system (e.g. BitLocker or FileVault).
  • Protect your mobile devices and back up your data! Make sure that the data on each device is backed up and that you can safely lock the device or wipe all its data remotely whenever necessary. A backup is useful not only for restoring data but also for identifying exactly which data was lost, which makes reporting and taking appropriate action for data at risk easier.
  • Never leave your devices unattended in a public place or office. If a device has to be left in a car, do not leave it in view; put it inside a closed compartment. Also be aware that the high temperature inside a parked car may damage your device.
  • Protect your devices with a password. By enabling passwords, PINs, fingerprint scans or other forms of authentication, you gain time to remotely wipe your device if it is stolen or lost. Also, do not enable options that let your computer remember your passwords.
  • Put that shredder to work! Shred documents containing personal, medical, financial or other sensitive data before throwing them away.
  • Be smart about recycling or disposing of old computers and mobile devices. Destroy the data on your computer’s hard drive properly before disposing of an old computer. Use the factory reset option on your mobile devices and erase or remove SIM and storage cards.
  • Verify app permissions. Don’t forget to review an app’s specifications and privacy permissions before installing it!
  • Be cautious about public Wi-Fi hot spots. Avoid performing financial or other sensitive transactions while connected to public Wi-Fi hot spots.
  • Keep your software up to date. If the vendor releases updates for the software running your device, install them as soon as possible so that attackers cannot take advantage of known problems or vulnerabilities.

If your laptop or mobile device is lost or stolen, consider reporting it to the police and keep the police report. If the lost device contained sensitive information of the University, or staff or student information, report the loss to the University immediately so that the related action can be taken as soon as possible.

2FA – Account Security under Your Control

If someone steals your account password, is there a way to stop worrying about the account being taken over? There is, and it is easy: two-factor authentication (2FA) lets you control logins to your account. Without your authorization, nobody can log in. Setup takes only a few minutes and it is easy to use, making it a simple and effective measure.

  • How does it work? Once two-factor authentication is activated on your account, whenever a login with your password comes from a device other than one you have already permitted, an authorization check is sent to your registered smartphone. Without your approval, a password thief can never get into your account.
  • Is it difficult to set up? 2FA is widely supported and easy to use nowadays. Typically, you only need to install the 2FA app on your mobile phone and complete a simple registration process; you can then authorize account logins when necessary.
  • Can I adjust how often it checks? Some accounts require an authorization step every time you log in or perform a specific operation, but in many cases 2FA provides convenience features. For example, with the default authorization feature you are usually not asked to authorize again when logging in from the same browser on the same computer within a preset time after the first authorization. However, DO NOT enable any default authorization feature on a public computer.
  • Which accounts should I protect with 2FA? It is recommended to enable 2FA on as many accounts as possible, and to protect the following accounts first:
    • User accounts for work purposes; of course, you must also comply with applicable data protection laws and your organization’s data protection policies, guidelines and procedures.
    • Financial accounts: Protect your money!
    • Online shopping accounts: Protect the credit card information stored in your account!
    • Social media accounts and email accounts: Protect your personal reputation in case your identity is compromised!

Are you always ready to protect your mobile devices?

Mobile phones, tablets and notebook computers give us the convenience of working anywhere, anytime, but they also bring additional security risks. They make storing and accessing information easy, yet they are easily lost or stolen. Do you know what to do if your device is lost or stolen? Here are some information security tips for you:

  • Secure your devices. Use a password or fingerprint to secure your device and prevent unauthorized access;
  • Turn on the “Find Me” function. If your device has a “Find Me” feature as well as remote deactivation and wipe features, make sure they are enabled so that data on a lost device is not stolen.
  • Protect your data. Back up your data regularly and consider enabling your device’s encryption feature (please refer to “Data loss happens all the time. Do you have a data backup plan?”);
  • Update any software, including anti-virus protection, to make sure you are running the most secure version available. Avoid downloading and installing software from unknown sites;
  • Do not ignore the physical security of your devices:
    • Cover the camera of your laptop or mobile device to protect your privacy if necessary;
    • Label your devices with basic contact information in case they are lost;
    • Write it down! Record the manufacturer, model and serial numbers of your mobile devices, and the contact information of those who can provide support;
    • If your device is stolen, consider reporting it to the police and keep the police report as well.

Beware of Phishing Trap

“Phishing” is a trick in social engineering. Cybercriminals use phishing to trick the victim into some kind of expected behavior. Social engineering is the core of all phishing attacks, especially those carried out via email. Advances in information technology have made phishing simple: setting up and operating a phishing attack is fast, inexpensive and low-risk, and any cybercriminal can launch one.

Before replying to any email, you must confirm the identity of the sender, and pay special attention if the email involves sensitive content such as money, personal information or account passwords. A phishing email usually shows one or more of the characteristics below:

1. Be aware of non-official email address domains. For example, a notice from the ICTO Help Desk is unlikely to come from the following email addresses. Note that when an email address is shown with a display name, the display name cannot be used to verify the sender’s identity; in that case you need to check the sender’s actual email address shown in “< >” or “[ ]”;

  • @ — Official email is unlikely to come from a third-party email service;
  • @ — @connect.um.edu.mo is used for student and alumni services and is not an official staff email address.

2. Beware of attachments — Email attachments are the most common platform for malicious software. When you get a message with an attachment, DO NOT open it unless you are expecting it and are absolutely certain that it is legitimate;

3. Urging you to do something is a typical phishing characteristic; an urgent call to action makes you more likely to cooperate, e.g. urging you to verify an account, purchase prepaid cards, transfer money, etc. If a message states that you must act immediately or you will lose access, deal with it calmly. Cybercriminals often use intimidation and hope you will act without thinking;

4. Incorrect URL links — They take the recipient to a fraudulent website instead of the genuine one;

5. Fake email signatures — Hackers may obtain a real email signature from somewhere. Even if it looks real, do not rely on the email signature to judge the authenticity of an email. However, if the sender’s email signature is unusual, pay special attention;

6. Do not trust the sender’s photo — Hackers may obtain someone’s photo from somewhere, e.g. a social media website;

7. Use a different communication channel — For any suspicious request, use a different communication channel, such as an instant messaging app or a voice call, to confirm the authenticity of the email sender.
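As an added example (not code from the original page), the following Python applies the check from point 1 above: it separates the display name from the real address shown in “< >” or “[ ]” in a From header and judges only the real address’s domain. It assumes um.edu.mo is the official staff domain (the page names only connect.um.edu.mo, as the student/alumni domain); the other domains in the constructed samples are placeholders.

```python
import re

# The page names only connect.um.edu.mo (student/alumni). The official staff
# domain is an assumption here: substitute your organization's real domain.
OFFICIAL_STAFF_DOMAINS = {"um.edu.mo"}
STUDENT_ALUMNI_DOMAINS = {"connect.um.edu.mo"}

# Address inside "< >" (RFC 5322 style) or "[ ]" (as some mail clients show it).
_BRACKETED = re.compile(r"[<\[]\s*([^\s<>\[\]]+@[^\s<>\[\]]+)\s*[>\]]")
# A bare address with no display name at all.
_BARE = re.compile(r'^\s*"?([^\s<>\[\]"]+@[^\s<>\[\]"]+)"?\s*$')


def split_from_header(from_header: str):
    """Return (display_name, real_address), real_address lower-cased.
    The display name is free text chosen by the sender and proves nothing."""
    m = _BRACKETED.search(from_header)
    if m:
        return from_header[:m.start()].strip().strip('"'), m.group(1).lower()
    m = _BARE.match(from_header)
    if m:
        return "", m.group(1).lower()
    return from_header.strip(), ""


def classify_sender(from_header: str) -> str:
    """Judge the real address, never the display name."""
    display_name, addr = split_from_header(from_header)
    if "@" not in addr:
        return "invalid"
    domain = addr.rsplit("@", 1)[1]
    # A display name that itself looks like an address, with a domain different
    # from the real one, is a classic lure: "helpdesk@um.edu.mo" <x@elsewhere>.
    if "@" in display_name:
        shown_domain = display_name.rsplit("@", 1)[1].strip().lower()
        if shown_domain != domain:
            return "display-name-lure"
    if domain in STUDENT_ALUMNI_DOMAINS:
        return "student-or-alumni"   # real account, but not a staff address
    if domain in OFFICIAL_STAFF_DOMAINS:
        return "official"
    return "unofficial"              # third-party service or lookalike domain


def triage(from_headers):
    """Return one (header, verdict) pair per header, e.g. for a mail filter."""
    return [(h, classify_sender(h)) for h in from_headers]


if __name__ == "__main__":
    # Constructed sample headers; the non-UM domains are placeholders.
    samples = [
        "ICTO Help Desk <helpdesk@um.edu.mo>",
        "ICTO Help Desk [helpdesk@connect.um.edu.mo]",
        "ICTO Help Desk <icto.helpdesk@webmail.example>",
        '"helpdesk@um.edu.mo" <notify@webmail.example>',
        "ICTO Help Desk <helpdesk@um.edu.mo.example>",
        "ICTO Help Desk",
    ]
    for header, verdict in triage(samples):
        print(f"{verdict:18} {header}")
```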

Data Privacy and Skills in Using Email

In today’s information age, email has become an indispensable tool in daily work and one of the major communication tools, so email security is becoming more and more important. Users’ awareness of external attacks such as telecommunications fraud and malware is increasing, but the problems that can arise from how email itself is used cannot be ignored. In particular, any job that involves personal data must be handled with special care. To further enhance users’ skills in using email securely, here are some security tips:

  • Before sending an email, review the content, the attachments and the recipients’ email addresses;
  • Before replying to an email, confirm the identity of the sender. Do not reply casually. Pay special attention to emails that involve sensitive content such as money, personal information or account passwords;
  • Before forwarding an email, make sure that the whole content, including attachments and the reply history, is suitable for forwarding. You can also consider extracting only the necessary content instead of forwarding the entire email. Do not forward unconfirmed content arbitrarily, so as not to spread rumors;
  • Consider carefully whether mass emailing is necessary, and make good use of email system resources. For more details, please refer to the “Guidelines for Mass Email and E-mail Groups”;
  • Be careful with “Reply to all”. It may cause unnecessary disturbance, so consider carefully whether it is necessary;
  • Make good use of Bcc so that recipients cannot see each other’s email addresses, protecting the privacy of each recipient;
  • Mind the email content and attachments. Do not send more content or attachments than necessary, especially personal information. If an email contains sensitive content, consider whether it is suitable for transmission via email at all. In addition, the use of email must comply with the policies of the University and local laws and regulations, as well as laws that may apply in other jurisdictions (please refer to the reference information);
  • Do not rely on “email recall”! Recall is only a convenience function that can reduce the impact of a mistake; it cannot guarantee that an email you have sent is recalled successfully.

In addition, get into the habit of writing the email before filling in the recipients’ email addresses, so that an unfinished email is not sent by mistake. When selecting an email address from your contacts, be careful, as some email addresses may look similar.

* Reference information

  1. Office for Personal Data Protection, Macao
  2. Personal Data Protection Act, Macao
  3. Privacy Policy, UM
  4. Guidelines for Handling Confidential Information, UM
  5. Acceptable Use Policy on ICTO Computing Facilities Campus Network and Internet
  6. Guidelines for Mass Email and E-mail Groups
  7. How can I identify a phishing, fake email and websites?
  8. What you need to know about EU General Data Protection Regulation?
  9. Data Privacy in an Era of Compliance
  10. Other Information Security Tips

Data Privacy in an Era of Compliance

“Compliance” means conforming to laws, regulations, standards and other requirements.

Nowadays the Internet is essential to everyday life. But do you know that the Internet holds a large amount of data about you? Whenever you play a game, shop online, browse websites or use any of numerous apps, your activity and some of your personal information may be collected and shared.

Similarly, our daily work may require us to collect, process and store other people’s personal information. Whenever we handle such information, we should think about how we want our own information treated and treat other people’s data with the same care and respect.

Tips for protecting your personal data:

  • Know what you are sharing. Check the privacy settings on all of your social media accounts; some include a wizard that walks you through the settings. Always be cautious about what you post publicly;
  • Guard your date of birth and telephone number. These are key pieces of information used for identity and account verification, and you should not share them publicly. If an online service or site asks you for this critical information, consider whether it is really necessary and how secure the site is;
  • Be aware of phishing emails and fake websites. Your personal information may be phished! *6

Tips for protecting the information, identity, and privacy of others:

  • Know what laws, policies and guidelines are applicable. They govern how the personal data of constituents is collected, processed, stored and deleted; *1,2,3,4,5
  • Use the data only for its intended purpose. If you need to use data for another reason, always check the above policies and guidelines first;
  • Keep constituents’ personal information confidential and limit access to the data;
  • Destroy or de-identify private information when you no longer need it.

* Reference

  1. Office for Personal Data Protection, Macao
  2. Personal Data Protection Act, Macao
  3. Privacy Policy, UM
  4. Guidelines for Handling Confidential Information, UM
  5. What you need to know about EU General Data Protection Regulation?
  6. How can I identify a phishing, fake email and websites?

How to Protect Your Data and Devices While Traveling

Traveling today is so much easier with technology. You can stay productive, entertained, and in touch. For many, having a cell phone or other electronic device is a critical part of having a great travel experience and an integral part of daily life. Unfortunately, traveling with devices can mean increased risks for keeping your personal data private as well as the potential for device theft.

Here are some steps you can take to help secure your devices and your privacy.

  • Travel only with the data that you need. That may mean leaving some of your devices at home, using temporary devices, removing personal data from your devices, or moving your data to secure storage;
  • Protect your data. Perform a full backup of the data that you leave at home and consider enabling your device’s encryption feature;
  • Update any software, including anti-virus protection, to make sure you are running the most secure version available;
  • Turn off Wi-Fi and Bluetooth to avoid unexpected automatic connections;
  • Turn on “Find My [Device Name]” tracking and/or remote wiping options in case the device is lost or stolen;
  • Be well prepared. In particular, charge your devices before you go;
  • Be aware of the risk of committing an offense. Clear your devices of any content that may be considered illegal or questionable in other countries, and verify whether the location you are traveling to has restrictions on encrypted digital content;
  • Don’t overlook low-tech solutions:
    • Tape over the camera of your laptop or mobile device for privacy;
    • Be aware of people “shoulder surfing” for personal information;
    • Keep your devices on you whenever possible, or use a hotel safe;
    • Label all devices in case they get left behind!

Shop Safe Online Tips!

The holiday season is the perfect time for cybercriminals to take advantage of unsuspecting online shoppers. When you go to the grocery store or local shop, it’s habit to grab your reusable bags, and make sure you’ve safely put away your credit card or cash before heading home with the day’s purchases. Similar precautions need to be taken when you’re shopping online from the comfort of your own home. If you make these simple precautions regular online shopping habits, you’ll be protecting your purchases and personal information.

Follow these basic steps so you’ll be ready to shop online safely and securely (including online ticketing, airline booking, hotel reservation, etc.):

  • Keep your machines updated. Before searching for that perfect gift, be sure that all connected devices, including PCs, smartphones and tablets, are free from malware and infections by running only the most current versions of software and apps.
  • Shop on reliable websites. Use the sites of retailers you trust. If it sounds too good to be true, it probably is!
  • Conduct research. When using a new website for your online shopping, read reviews and see whether other customers have had a positive or negative experience with the site.
  • Personal information is like money: value it and protect it. When making a purchase online, be alert to the kinds of information being collected to complete the transaction. Ask yourself whether the vendor really needs that information. Remember that you only need to fill out the required fields at checkout.
  • Check the address bar. Look for the padlock icon and https:// in the URL before using your credit card online. If using a mobile app, make sure it is the official app.

Don’t Let a Phishing Scam Reel You In

Cybercriminals use phishing—a type of social engineering—to manipulate people into doing what they want. Social engineering is at the heart of all phishing attacks, especially those conducted via email. Technology makes phishing easy. Setting up and operating a phishing attack is fast, inexpensive, and low risk: any cybercriminal with an email address can launch one.
According to Verizon’s 2018 Data Breach Investigations Report, the education sector saw a rise in social engineering–based attacks. Students, staff, and faculty all suffered losses when personal data and research were disclosed to unauthorized parties. Phishing played a part in more than 40% of these breaches. Knowing what you’re up against can help you be more secure. Here are a few things you can do to guard against phishing attacks:

  • Limit what you share online. The less you share about yourself, the smaller the target you are for a phishing attack. Cybercriminals use information you post online to learn how to gain your trust.
  • Protect your credentials. No legitimate organization or department will ask for your user ID and password or other personal information via email. ICTO definitely won’t. Still not sure whether the email is a phish? Contact the ICTO Help Desk.
  • Beware of attachments. Email attachments are the most common vector for malicious software. When you get a message with an attachment, don’t open it—unless you are expecting it and are absolutely certain it is legitimate.
  • Confirm identities. Phishing messages can look official. Cybercriminals steal organization and company identities, including logos and URLs that are close to the links they’re trying to imitate. There’s nothing to stop them from impersonating the University, financial institutions, retailers, and a wide range of other service providers. If you get a suspicious message that claims to be from an organization, use your browser to manually locate the organization online and contact them via their website, email, or telephone number.
  • Check the sender. Check the sender’s email address. Any correspondence from an organization should come from an organizational email address. A notice from your college or university is unlikely to come from @.
  • Take your time. If a message states that you must act immediately or lose access, do not comply. Phishing attempts frequently threaten a loss of service unless you do something. Cybercriminals want you to react without thinking; an urgent call to action makes you more likely to cooperate.
  • Don’t click links in suspicious messages. If you don’t trust the email (or text message), don’t trust the links in it either. Beware of links that are hidden by unknown URL shorteners or text like “Click Here.” They may link to a phishing site or a form designed to steal your user ID and password.

Reference

How can I identify a phishing, fake email and websites?