• Resources
• Academic Resources
• Jobs & Announcements
• Policies
• Computing
• Facilities
• On-Line Services
• Help Pages
• Knowledge Base

Resources

Laptop/Wireless Security

Lightweight portable computers and PDAs make mobile computing easier all the time, especially with the increased availability of Wireless Internet access. Security is not inherently strong with Wireless, but there are steps you can take to make your connections more secure.

Secure your traffic

• Avoid sending data in the clear (i.e., unencrypted). Use WPA (Wi-Fi Protected Access) or WEP (Wired Equivalency Privacy) whenever possible. Although WEP is relatively easy to break, it provides some protection. Most wireless networks -- especially public hotspots (e.g., Starbucks) don't use WEP so you need to use other encryption methods to ensure privacy. Remember: wireless traffic can be intercepted by anyone out of thin air - there is no wire that has to be tapped.
  
• email - use secure protocols. Most email clients now support secure IMAP (IMAP over SSL). Some support secure POP3, but we recommend IMAP. In the Thunderbird client, this is selected via a checkbox on the Server Settings configuration page.
  
• web mail - use secure (SSL) connections. Sites that offer mail access via browsers generally offer secure logons: for Yahoo, select Secure mode instead of Standard; Hotmail automatically uses SSL for logon.
  

(Note: browsers indicate encrypted (SSL) connections with a locked padlock in the lower right corner of the browser window. Unencrypted connections show an unlocked padlock or no padlock at all.)

• ssh/sftp - avoid telnet and ftp since they send usernames, passwords, and data without encryption. ssh and sftp use SSL, so they are secure.
  
• web browsing - normal browsing (i.e.,reading) is safe, but be aware that unencrypted traffic can be "sniffed" so someone can know what sites you're going to and what you're reading. You should avoid sending personal information - usernames, passwords, account numbers, credit card numbers, social security numbers, etc. If you must send personal data, be sure you're using SSL connections -- look for URLs that begin with https instead of just http (and the locked padlock icon in the lower right corner).
  
• VPN - UITS's VPN (Virtual Private Network) provides a security umbrella by creating an encrypted link between your machine and the UofA network. You can use this for access to any Internet service (not just UofA resources). The VPN is ideal for public hotspots. See http://uits.arizona.edu/services/vpn for more information.
  

Protect your computer and data

• Patches - keep operating system and applications current with critical patches.
  
• Anti-Virus - install and keep anti-virus signature files current. Sophos is free to UofA Faculty, Staff, and Students and can easily be kept up-to-date. See Sophos Anti-Virus Software.
  

Public Hotspots

Public locations that provide wireless Internet access offer other security risks. In these areas, you should:

• Turn off file sharing from your laptop. This prevents other wireless users on the network from accessing local files on your laptop.
  
• Remove or disable your wireless card if you are working offline.
  
• Watch for over the shoulder viewing of your login, credit card, or other personal information.
  
• Properly log out of web sites by clicking log out instead of just closing your browser or typing in a new web address.
  
• Avoid using instant messaging (IM). Most instant messaging services transmit clear (unencrypted) text, so it could be sniffed by other wireless users.
  

General Practices

• Don't leave your computer unattended
  
• Don't loan your computer to someone unfamiliar to you
  
• Choose strong passwords (combination of letters, numbers, and special characters)
  
• Keep passwords and account numbers secure - don't store them on your computer or share them with anyone
  
• Change your passwords frequently
  
• Avoid file-sharing software (Kazaa, eDonkey, etc.). Distributions tend to install spyware on your machine.
  
• Never open attachments you are not expecting or that are from people you don't know.
  

For more information, google wireless security.

FAQ

Q. Is it safe to use pine?
A.Once you ssh to a CS machine, all traffic is encrypted so pine is completely safe.

Q. I'm confused about setting SSL on in my Thunderbird mail client.
A. UofA email should be set to use SSL/TLS for IMAP and SMTP. For other mail servers, try SSL. If that doesn't work, try TLS options.

Q. What about HotMail or Yahoo! Mail?
A. When signing-in to Hotmail, SSL is used automatically to encrypt your email address and password. When signing-in to Yahoo!, select Secure mode instead of Standard to use SSL.
However, be aware that reading and writing emails does not use SSL. Your password is protected, but the emails are downloaded and sent in the open.

Q. I don't use Windows. Should I worry about patches?
A.Yes. Windows vulnerabilities are widely publicized and exploited, but other operating systems (Mac, Linux) have their own security issues.

For Macs, read about security at http://www.info.apple.com/usen/security/index.html or http://www.securemac.com/.

See http://www.info.apple.com/ to download updates.

For Linux, see the website for your particular flavor, e.g., for RedHat: http://www.redhat.com/solutions/security/.

For general Linux security, see http://www.linuxsecurity.com/.

Q. What is spyware?
A.As defined on http://searchcio.com:

In general, spyware is any technology that aids in gathering information about a person or organization without their knowledge. On the Internet, spyware is programming that is put in someone's computer to secretly gather information about the user and relay it to advertisers or other interested parties. Spyware can get in a computer as a software virus or as the result of installing a new program.

There are several tools available to find and eliminate spyware, including Sophos and Spybot.

Other Spyware Removal Tools: http://www.spyware-removal-tools.com/

Q. Is the UITS VPN all I need?
A.The VPN encrypts all your traffic so it can't be sniffed by other wireless users. However, it's no panacea. It won't (by itself) protect your machine from viruses or other OS/protocol exploits.

Q. Do I have to worry about security in CS or just in other places (like public hotspots)?
A.Security is a concern everywhere. On CS department machines (labs/office desktop), we have facilities in place to limit exposure to security threats. Any other access is outside of our control. You may have no idea what protections are in place or what risks are present--so be conservative and follow the guidelines of this document.

• patch your operating system
  
• install and keep anti-virus signature files current (for now, Windows only)
  
• use SSL for email
  
• use ssh/sftp
  
• use a spyware removal tool (for now, Windows only) and keep it current
  
• follow General Practices (above)
  
  

Q. Overall, what should I not do (or avoid) for better security?
A. A lot of what to avoid is common sense (e.g., leaving your laptop unattended). Follow the guidelines in this document. The biggest mistake you can make is to ignore security and hope that you won't be affected. You will--it's only a matter of time.

Last updated August 26, 2013
Send questions about this page to

© 2014 The Arizona Board of Regents.