Document Actions

 

security practices

On your own computer you should always login with a password. Don't share that password with anyone. If someone else wants to borrow your computer, create a guest account for that person to use instead of telling her/him your password. If you don't know how to do this, ask someone for help (or use google).

If you ever need to share your password(s) with someone legitimately (such as a service technician working on your computer) you should reset any password immediately afterwards. It's also a good idea to change your password after you've used it on someone else's computer (just in case they had a virus infections or a keylogger installed).

Don't use the same password everywhere. It's always good practice to use different passwords for different applications. This way if one password gets found out or stolen, you haven't given away the keys to the entire castle.

Keep the software on your computer up to date. Using old crufty versions of applications (or operating systems) leaves one open to malware and also theft of credentials/identity.

Be aware of whether or not wireless connections are encrypted. When connected to an open (unencrypted) wireless connection, don't login to any websites unless they are secured with SSL (https).

If you have a laptop, make sure SSL (or TLS) is enabled for both sending and receiving of email. This is also highly recommended on a desktop machine.

If you use your computer in a location that is accessible to others, set it so that the screen will lock after a few minutes of inactivity.

Understanding URLs

While this discussion is somewhat technical in nature, it is useful to understand basic concepts about Uniform Resource Locators (URLs, sometimes also referred to as Uniform Resource Identifiers (URIs)). For purposes of our discussion, we'll only be talking about "web" addresses which all start with http:// or https:// -- as mentioned above, the S in https:// refers to SSL and provides an encrypted connection between your computer/device and the "server" that is hosting the content you're accessing. The URL of a "link" isn't necessarily the text that you're clicking on. If you hover your mouse over the link, the URL will usually show up. To be 100% certain, you can right click your mouse on a link, select "Copy link location" from the popup menu and then paste the text into your favorite editor, like notepad, textedit or emacs.

Order is important. The really important thing to pay attention to (when analyzing a URL to try to determine if it is "safe" or "legitimate") is what's called the "domain name" of the site. This is the portion immediately to the left of the first single forward slash / that occurs in the URL. Or if there are no single slashes in the URL, the domain name is the part all the way at the right of the URL. Once you understand how this works, it's quite easy to be able to reliably identify the domain name (each domain name has one period in it, like google.com, yahoo.com, gmail.com, simons-rock.edu, etc...). And I should also mention that sometimes a numeric "IP address" is used instead of a domain name, like 10.10.10.10 (in this case there will be 4 numbers separated by 3 periods). So let's look at some examples:

  • http://google.example.com/some/file/lives/here.php
  • https://yahoo.gmail.aol.example.com/index.html
  • http://confusion.reigns.distracted.be.not.says.yoda.example.com/google.com/gmail/login/page
  • https://example.com/yahoo.com/google.com.really.this.is.not.the.domain/index.php
  • https://a.b.c.d.example.com/distracting/text/goes/here/f/g/h/i/j/k.asp
  • http://french.english.spanish.russian.loop-de-loop.example.com

So in all of the above URLs in that list, the domain name is example.com -- I tried to make the examples as confusing as I possibly could, though the one thing you'll find in real life examples is that the URLs often get much much longer than the ones I created above.

At this point you may be asking yourself "Why do I need to know what a domain name is?" which is a perfectly valid question. The basic answer is that it's always a good idea to know what server you are interacting with and the domain name component of the URL is how one knows this information.

More specifically we are interested in whether we can "trust" the server. If you have a gmail or google+ account, you should only be logging in on pages that have a domain name of gmail.com or google.com (and to again repeat the obvious, make sure that the URL is an encrypted one, i.e. https://). Likewise if you have a yahoo email account, you should only ever login to a server for which the domain is yahoo.com. And you should only ever login with your simons-rock.edu account at domain names that start with https:// and end with simons-rock.edu of course.

There's another case where URL analysis can be handy. At this point in time, it's possible for malware to be hosted on a webpage that is capable of infecting your browser, computer, phone, or other device. That is, all that's necessary is that you visit the page (so there's a danger even before you consider whether or not to enter any personal data in a webform). If you ever have any question about whether it's safe to visit a particular URL, you are welcome to send an email its@simons-rock.edu including the full URL and asking us to check it first.

For more detailed information, please see the wikipedia entry on URLs

Some rules for using public use computers follow.

Technically speaking, any computer where the login you use is (ever) used by someone other than yourself should be considered a public use computer.

If a public use computer does not have the latest up to date versions of software on it, you should consider not using it to login to any personal accounts. It would also be good form to report this to the owner(s) of the machine, as malware often spreads due to lack of timely updates on common desktop software (browsers, pdf-viewers, etc...).

There is another calculus that one should probably make on any public machine. Unless one knows the owner/administrator very well, it's always probably safer to be cynical. For instance I would never consider logging into my bank from a machine in any internet cafe. I might login to facebook though. Your decision might be different depending on how important the sanctity of your facebook account is to you.

Make sure you explicitly ask for SSL enabled sites. That is to say, type in the extra s after the http directly, don't just type gmail.com or facebook.com, instead type https://gmail.com or https://facebook.com. If you're logging in somewhere that https:// doesn't work.

Understand the different behavior of Apple (Mac) computers versus Windows (PC) computers. When you are using a Mac (Apple) the application doesn't shut down when you close the last open window like it does on Windows. This is also important to understand if you are using a friend's Mac. If you want to close an application completely, you should use Apple-Q (or select "Quit" from the applications menu, just to the right of the apple symbol at the top left of your screen).

Always click on the logout/signout links explicitly when you're done. Additionally, shut down the computer completely (if you can). If you can't shut down the computer, at least try to logout of the user account (so that the next user has to login before they can use the computer. Many public use computers are configured to additionally purge data when a logout or shutdown has occurred.