Mobile Devices and Wireless

Para ver la informacion de esta pagina en Español seleciona Español en el menú debajo.

INTRODUCTION

Why should mobile devices be protected?

Every day, mobile devices are lost, stolen, and infected. Assume for a moment that your mobile device has been stolen. What would you do?

What stored data was stolen? (think about both work and non-work)
What stored passwords were stolen?
Do they have your 2-step authentication (MFA) codes?
What other accounts and services might have been compromised? (Dropbox, shopping, credit cards, bank accounts, work accounts, Facebook, ...)
Did you lose your only copy of anything important?

Mobile devices are computers, too.

Mobile devices can store important business and personal information, and are often be used to access University systems, email, banking information, work and personal accounts. Where this is the case, they need to be protected like any other computer.

(Back to "How to Stay Secure" page)

Lost or stolen devices used for work:

Important: Report the loss or theft of devices used for work to the ITS Support Center so they can help identify and address potential compromised accounts or data, including compromised P3 or P4 sensitive data , which requires additional action on the part of the University. See the lost/stolen device checklist below for additional steps to take.

Protecting mobile devices:

A good rule of thumb is not to store anything you're not willing to lose or share with the world on a mobile device. This said, following are some steps you can take to help protect information on these devices. Some of these steps may require additional configuration/setting changes:

Password-protect your mobile device with a complex password, and be sure your device requires a password to start up or resume activity -- but still don't store anything you're not willing to lose.
Set it to automatically lock after a short period of inactivity.
Keep it with you or lock it up securely before you step away -- even just for a second. See Physical Security for more information.
Don't store sensitive information. Encrypt your device or sensitive contents if you do.
Store passwords only in a secure password safe.
Run current, up-to-date versions of the operating system and applications. Remember to sync often so you get available updates. Always install updates when your carrier tells you they are available.
Beware of phishing: Don't open files, click links, or call numbers in unsolicited emails, text messages or IMs (instant messages).
- Be suspicious of links that arrive via text or email.
- To be even safer, don't click on emailed links on your phone. It's difficult to tell where they will actually take you. If your phone has a link preview feature, use it.
Don't jail break your phone or tablet. This defeats built-in software safety features, so it's risky.
If your mobile device has built-in firewall or access control functionality, activate them. Default settings are typically acceptable for most people.
Avoid using auto-complete features that remember user names or passwords.
Turn off unnecessary services:
- Disable or remove applications (apps) and plug-ins that you don't actively use
- Disable Bluetooth, wireless & IrDA (infrared) when you're not actively using them
- Turn off GPS and geotagging when you're not actively using them. These can allow your location to be tracked without your knowledge.
Set devices to “ask” before joining new wireless networks (see below for more information about wireless).
- Periodically go through your device's list of known wireless networks and delete ones no longer needed (usually found under network, wireless, or airport settings)
If your device has a web browser, set the browser to block pop-ups. For added privacy, also set the browser to limit the cookies it accepts. For example, some devices let you set the browser to accept cookies only from sites you visit.
- Also disable JavaScript in your phone's web browser to help thwart malicious links and websites. This will affect the functionality of some non-malicious websites, too, so there's a trade-off with this one.
- Additional browser security recommendations are available at Web Browser Secure Settings, though not all features are available on mobile browsers.
Securely delete all contents before discarding, exchanging, selling or donating the device.
All devices connecting to UCSC’s network or services must meet UC & UCSC security requirements.

Prevention in case of theft or loss:

Back up or sync your data regularly.
Set your device to erase itself after repeated failed log-on attempts.
Enable remote wipe.
Enable location tracking, keeping in mind the privacy implications.
Related articles (older articles but still relevant):
- Your smartphone is tracking you, and you said it was okay (BGR Media)
- Your Phone Logs Everywhere You Go. Here's How to Turn It Off
Set the device to display a "call if found" phone number.

Checklist for lost or stolen mobile devices:

Immediately report lost or stolen devices to the police: Report to UCSC police for campus incidents and local police for off-campus incidents (phone is best)
- If you used the device for work, notify your supervisor and also report it to the ITS Support Center so they can help identify and address potential compromised accounts or data
- Additional reporting information
For phones, notify your cellular carrier -- see if they can deactivate the device.
Change all passwords stored or used on the device, including email, Dropbox, banking, etc.
Un-register your device from any service that uses it for 2-step authentication (MFA).
Notify credit card companies and banks if you used the device for shopping or banking.
Try to track its location, if possible.
Try remote wipe if sensitive information, passwords, or credit cards were stored.

A special note about sensitive information:

Don’t work with sensitive UCSC information on a mobile device unless you can ensure the device meets UCSC’s security requirements.
P3 or P4 sensitive data stored on mobile devices must be encrypted. This includes email, text messages, instant messages, documents, removable storage cards/devices, etc.
- NOTE: Electronic protected health information (ePHI or "HIPAA data") MUST be encrypted on portable devices and may not be stored at all on non-University devices.
Keep all stored passwords in an encrypted password safe.
Make sure you have a secure (encrypted) connection before working with sensitive data.
- Use known, encrypted networks, such as UCSC’s EDUROAM SECURE WIRELESS and CAMPUS VIRTUAL PRIVATE NETWORK (VPN), available to UCSC students, researchers, faculty, and staff (also see below for more about eduroam, Campus VPN, and wireless).
- Make sure web pages have https (not http) in the web address (URL). The “s” stands for “secure" and tells you that the information you enter is being encrypted as it is sent. Look for this before logging into anything.
- Coffee shop/hotel/airport-type wireless, including UCSC-Guest is not encrypted.
- If you’re not sure, assume it’s not secure.

A special note about wireless, eduroam, and Campus VPN:

Wireless:
Information sent via standard wireless, including UCSC-Guest and public hotspots, is especially easy to intercept. To protect yourself:

See the guidance above about sensitive information.
Don’t connect to insecure or unknown wireless hot spots/access points if you’re concerned about security or privacy (or your passwords).
As mentioned under "Protecting mobile devices" above, set devices to “ask” before joining new wireless networks.
If you use UCSC-Guest or other public wireless to connect to Facebook, Snapchat, Instagram, Twitter, etc., use a different password for those sites than for banking, shopping, or UCSC.
For additional information about home wireless security, see the Home Wireless Security page at onguardonline.gov

eduroam:
eduroam (education roaming) is a secure, encrypted, world-wide roaming wireless service developed for the international research and education community. It is available on the UCSC campus and allows UCSC students, researchers, faculty, and staff to obtain secure Internet connectivity across campus and when visiting other participating institutions with their laptop or supported mobile devices. See Wireless Services for information and set-up instructions. Follow the instructions and do a full eduroam installation including installing the UCSC self-signed certificate.

Note: You should only have to enter your CruzID Blue password into eduroam when you initially set it up. If your device asks for it again later, don't do it. It could be that you are too far from the network to do anything useful and that is causing login failures. Or it could be that you are being offered a rogue login to a device masquerading as UCSC that is attempting to steal your password. Either way, you shouldn't have to re-enter your password for eduroam to work once it has been set up.

Campus Virtual Private Network (VPN):
UCSC's Campus VPN (virtual private network) encrypts your Internet traffic and provides a secure (encrypted) connection to the UCSC network from off campus. The Campus VPN is available to all campus members with a CruzId and Gold password. See VPN Client Installation for information and set-up instructions.

Related Resources:

Use of Third Party and Cloud Services:
"Non-UC technology services" are computer-related services that you can sign up for online, often for free or nearly-free. more...

Smartphone Security Checker from the Federal Communications Commission (FCC):
10 customized steps to secure your mobile device! website...

How Do I Protect the Information on My Smartphone?
Eight ways to safeguard your smartphone from BullGuard Internet Security: Eight ways to keep your smartphone safe

How Do I Securely Erase My Phone Before I Sell It?