The Internet is an extremely useful source of information and an environment that facilitates many of the day-to-day transactions that we perform. However, some individuals who develop web content have malicious intent and hope to lure unsuspecting individuals into accessing their site where they may be tricked into providing personal information or inadvertently retrieve malicious software. Malicious web sites could appear just as official as any corporate, non-profit or government site - it all depends on the effort that the content developer wishes to expend.
Fortunately, when someone stumbles across a malicious site, there are clues that can alert the person browsing the site that something may be amiss. For example, the Internet is designed in a manner that provides each participating organization with one or more registered domain names that can confirm that the system you are accessing belongs to the intended institution (e.g., uhcl.edu is the domain name for our campus). When you visit the UHCL web site, you should expect that each page's web address or "URL":
- Contains the UHCL domain name "uhcl.edu"
- The UHCL domain name is positioned either
  - Immediately before the first slash ( / ) character after the "http://" or the "https://" (e.g., http://mycomputer.uhcl.edu/mysite/mysubpage)
  - If there is no slash character ( / ) in the URL after the "http://" or the "https://", then the UHCL domain name should be at the end of the URL (e.g., http://www.uhcl.edu).
It is certainly easier to feel comfortable accessing a well-known, reputable site (e.g., financial institutions, travel sites, universities, major vendors) than one whose source is not obvious. But even reputable sites have been hacked at one time or another - some sites more than others. For example, there was a time when pop culture sites, particularly dealing with the media stars who appeal to teenagers, were a major source of web-based malware activity.
While one cannot protect oneself completely against the "perfect hack on the web," there are things we all can do to reduce our risk -
- Avoid web sites of organizations or individuals of an unknown or questionable reputation
- Shun web sites that have a history of spreading malicious software, such as pop culture sites
- Before clicking a link, view the web site’s address by passing the cursor over the link (but not clicking). The web site address or URL that displays should point to the registered domain name of the site that you expect.
Beware of unsolicited web warnings and popups
Unsolicited Web popups, messages, warnings and free service announcements that appear while you are surfing the web can be designed to compromise your system or lead you to malicious sites. Responding to these unsolicited messages, warnings and popups, especially ones promising free services, such as “We’ve detected a virus on your system!!” and “Click here for faster Internet!”, may download malicious software onto your system or expose your Web traffic to unauthorized individuals, even if it is encrypted. When it comes to these types of messages, the wise choice is to ignore their content, not click on anything in the popup, and close the popup using your browser menu or system task bar.
Ensure that your computers and mobile devices encrypt sensitive information when transmitting it over a network
Information that is not encrypted can be viewed by anyone who has access to any piece of network equipment through which the information travels from the UHCL network to the network hosting the web site. Additionally, information transmitted via an unsecured wireless network can also be viewed by anyone using an inexpensive retail device that can capture information traveling through the air. It is important to note that most wireless networks designed for use by the general public are not set up to be secure for practical reasons. Nonetheless, information traveling across insecure, open networks can be transmitted securely as long as encryption technology is set up between your workstation's browser and the web server with which you are communicating.
When you need to submit sensitive information (e.g., online banking, tax information) into any web site with which you have a business relationship, ensure that the site is valid and your information is transmitted in an encrypted manner by confirming the following -
- The target URL, i.e., the true URL, not necessarily the one printed on the web page, begins with “https://”
- The target URL has the expected domain name immediately before the first slash ( / ) character after the "https://" OR, if there is no additional slash following the "https://", then the expected domain name should be at the end of the URL. For example, if the page asking for sensitive information has a URL in one of the following forms: https://www.uhcl.edu/information-security/procedures/ or https://www.uhcl.edu, it is a page that is being hosted by a system in the "uhcl.edu" domain.
- A lock icon is displayed on your browser window
- Modern browsers also highlight the URL with a green background if the web server's identity is appropriately validated
Note - If the URL background is highlighted in red, the web site may be counterfeit. Contact the appropriate web site administrator to ensure that the site is legitimate.
Do not enter any sensitive information (e.g., passwords, social security numbers, account numbers, other information deemed confidential) into a web site unless all of the above conditions are met.
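The "https://" and domain-position checks above, together with the same domain rule from the start of this page, can be written as a short program. The JavaScript below is an added example, not part of the original page; the function name checkTarget and the example.net sample URLs are constructed for illustration.

```javascript
// Added example: applies the page's two URL rules to a link target.
// "uhcl.edu" comes from the page; the failing sample URLs are constructed.
const EXPECTED_DOMAIN = "uhcl.edu";

function checkTarget(rawUrl, expectedDomain = EXPECTED_DOMAIN) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG URL parser, the same rules browsers apply
  } catch (e) {
    return { ok: false, reason: "not a valid absolute URL" };
  }
  // Rule 1: the target must begin with "https://".
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not https" };
  }
  // hostname is the text before the first slash, lower-cased, with any
  // "user@" prefix and ":port" suffix already removed by the parser.
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing root dot
  const domain = expectedDomain.toLowerCase();
  // Rule 2: the host is the domain itself or ends with "." + domain.
  // The leading dot matters: "notuhcl.edu" ends with "uhcl.edu" but is
  // a different registered domain.
  if (host !== domain && !host.endsWith("." + domain)) {
    return { ok: false, reason: `host "${host}" is not in ${domain}` };
  }
  return { ok: true, reason: `host "${host}" is in ${domain}` };
}

// Constructed sample links; the first two are the forms shown on the page.
const samples = [
  "https://www.uhcl.edu/information-security/procedures/",
  "https://www.uhcl.edu",
  "http://www.uhcl.edu",                    // right domain, no encryption
  "https://www.uhcl.edu.example.net/login", // name is not at the end of the host
  "https://notuhcl.edu/",                   // suffix match without the dot
  "https://www.uhcl.edu@example.net/",      // name before "@" is not the host
  "https://example.net/www.uhcl.edu/",      // name appears after the first slash
];
for (const s of samples) {
  const r = checkTarget(s);
  console.log(`${r.ok ? "PASS" : "FAIL"}  ${s}  (${r.reason})`);
}
```

Only the first two samples pass; each of the others contains "uhcl.edu" somewhere in the address but fails one of the two rules.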
If a UHCL-based application or web site that you need to access does not have an encryption capability, you may still access the site securely if you use the University's Virtual Private Network (VPN) technology. VPN technology encrypts all network traffic between your computer and the University's campus network. Please contact the OIT Support Center at extension 2828 or firstname.lastname@example.org for information about setting up VPN on your system.
Protect your web browsing cookies
“Cookies” are small files that web sites send to your browser to facilitate your interaction with the site. If you’ve entered sensitive data into a web site, it may be held in a cookie on your computer, but how well the cookies are protected is up to the web site.
To ensure that one site does not obtain sensitive data by reading another site’s cookies, perform the following:
- Configure your browser to delete all cookies when you exit. Please contact the OIT Support Center at extension 2828 or email@example.com for information about configuring your browser to handle cookies appropriately.
- If you have submitted sensitive information to a web site and wish to browse to another site, first close ALL of the browser's open windows to delete all of its cookies. The cookies will not be deleted if even one browser window is open. Then, you can safely reopen your browser and access the other site.