Security for everyone
Download
1 / 114

Security For Everyone - PowerPoint PPT Presentation


  • 62 Views
  • Uploaded on

Security For Everyone. “A guide to what every one needs to know about security.”. Source: Kentucky Information Technology Center www.kitcenter.org. Security Threats. Viruses and worms cost billions of dollars each year.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Security For Everyone' - gavril


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Security for everyone

Security ForEveryone

“A guide to what every one needs to know about security.”

Source: Kentucky Information Technology Center

www.kitcenter.org


Security threats
Security Threats

  • Viruses and worms cost billions of dollars each year.

  • Industrial/business espionage has always been a big business and now has new avenues of attack.

  • Thousands of people have their personal information (their identity) stolen each year. This information is used to obtain online loans and credit cards.

2


Security threats continued
Security Threats (continued)

  • Online businesses are attacked in such a way that prospective customers can’t access their web site (a “Denial of Service” attack). This costs businesses millions in lost revenue and reputation.

  • Thousands of people fall victim to various scams that are communicated electronically and lose millions of dollars (and often their personal information).

3


Hackers vs crackers
Hackers vs. Crackers

  • Hacker - (Originally, someone who makes furniture with an axe) 1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary. 2. One who programs enthusiastically (even obsessively) or who enjoys programming rather than just theorizing about programming. 3. One who enjoys the intellectual challenge of creatively overcoming or circumventing limitations. 4. One who

  • Cracker - An individual who attempts to gain unauthorized access to a computer system. These individuals are often malicious and have many means at their disposal for breaking into a system. The term was coined ca. 1985 by hackers in defense against journalistic misuse of "hacker".

4


  • Contrary to widespread myth, cracking does not usually involve some mysterious leap of hackerly brilliance, but rather persistence and the dogged repetition of a handful of fairly well-known tricks that exploit common weaknesses in the security of target systems. Accordingly, most crackers are only mediocre hackers

5


A potential scenario

A Potential Scenario

  • You go on vacation and use the “auto-reply” in Outlook. You are telling anyone who emails you that you are out of town, possibly for several days. This includes spammers.

6


What could a bad guy do
What could a bad guy do? days in July. What could I do with the information in the auto-replies?

  • A bad guy could call the help desk, say I’m so-and-so, I’ve been on vacation and I’ve forgotten my password ….

  • A bad guy could also determine where you live, drop by some night, and help himself to your “toys” (remember, you are on vacation)

7


How easy is it
How Easy Is it? days in July. What could I do with the information in the auto-replies?

  • Go to Google.com in your browser.

  • Type in your phone number.

  • Click Google Search.

8


Why would a cracker want access to your computer? days in July. What could I do with the information in the auto-replies?

9


A cracker could
A cracker could; days in July. What could I do with the information in the auto-replies?

  • The cracker wants to “own” as many computers as possible. It’s a status thing.

  • The cracker might trade your computer to another cracker in exchange for something else (more valuable computer, social security numbers, etc).

10


Why my computer
Why days in July. What could I do with the information in the auto-replies?MY computer?

  • The cracker might be looking for credit card numbers, social security numbers, banking information, etc. The cracker might install a key logger to record the details of your transactions.

11


Why my computer1
Why days in July. What could I do with the information in the auto-replies?MY computer?

  • cracker might want your computer to use to attack your company’s network over a dial-up or other type of connection.

  • cracker might want your computer to use as a repository for mp3s, porn, etc.

  • The cracker might want as many computers as possible to use to attack another computer or web site.

12


My computer used in an attack
My computer used in an attack? days in July. What could I do with the information in the auto-replies?

  • Your computer could be one of many sending traffic to a specific computer or web site in a denial-of-service (DoS) attack. This happened to amazon.com and e-bay.com. It takes about 200 computers to completely DoS a web server. DoS attacks also consume network bandwidth.

13


My computer used in an attack1
My computer used in an attack? days in July. What could I do with the information in the auto-replies?

  • Your computer could be used as a relay in an attack, to hide the true identity of the attacker in case someone tries to trace the attack back to it’s source. Crackers usually relay their attacks through 8 to 10 computers to hide their tracks. Anyone investigating would have to go to all those ISPs to check their log files.

14


My computer used in an attack2
My computer used in an attack? days in July. What could I do with the information in the auto-replies?

  • If your computer is compromised and you use it to connect to your company’s network, your computer could then be used to attack your company’s network.

15


How is this possible
How is this possible? days in July. What could I do with the information in the auto-replies?

  • Users choose easy-to-guess passwords.

  • Poorly written software contains vulnerabilities that the cracker can exploit.

  • Users install software from unknown sources (viruses, spyware, malware).

  • Users are easily fooled (social engineering, hoaxes, scams).

16


How good are the crackers
How good are the crackers? days in July. What could I do with the information in the auto-replies?

  • Crackers have tools (programs, utilities) that will scan a network looking for computers.

  • Crackers have tools that can identify what operating system a computer is running (from across the network – the hacker could be in Japan).

17


How good are the crackers1
How good are the crackers? days in July. What could I do with the information in the auto-replies?

  • Crackers have tools that will probe a computer for specific vulnerabilities.

  • Crackers have tools that will perform the exploit against these vulnerabilities.

  • There are scripts that can do these things automatically – allowing crackers with few skills to attack computers (script kiddies).

18


The good news
The “good” news days in July. What could I do with the information in the auto-replies?

  • A cracker will often patch your computer for you.

  • After the cracker “owns” your box, he/she doesn’t want someone else to be able to successfully attack it.

19


The bad news
The “bad” news days in July. What could I do with the information in the auto-replies?

  • Currently operating systems and applications are riddled with vulnerabilities.

  • crackers have really good tools.

  • The public is not very aware of the problem, and that helps the crackers.

20


What can we do

NEED TO BE MORE PARANOID! days in July. What could I do with the information in the auto-replies?

What can we do?

  • Change your attitude about security:

    • Educate yourself.

    • Pay attention (don’t click on just anything).

    • Assume the worst at all times.

    • Change your bad habits.

    • Think like a cracker.

    • Assume responsibility – we all have a stake in effective security.

21


Security is a way of thinking

STOP days in July. What could I do with the information in the auto-replies?

Think how much of your personal information is already out there!!

Security is a Way of Thinking

  • Security is not just something you do (especially something you only have to do once and then forget). Security is an on-going process.

  • Security is also a state of mind, or an attitude. We have to start thinking of everything in the context of security.

22


Convenience vs security
Convenience vs. Security days in July. What could I do with the information in the auto-replies?

  • Computer and software companies have gone to great lengths to make things easy.

  • Problem is, we’ve made things easy for the bad guys, too.

  • In general, anything that improves security does so at the expense of convenience.

  • As users, we have to realize that the loss of convenience is necessary, to improve security.

23


Remember
Remember! days in July. What could I do with the information in the auto-replies?

  • Don’t unnecessarily give out information in any form.

  • Don’t assume that everybody has honorable intentions.

  • Don’t assume that something secure today will be secure tomorrow.

  • Don’t assume you have nothing of interest to anyone else.

24


Areas you have to be concerned with
Areas you have to be concerned with days in July. What could I do with the information in the auto-replies?

  • Physical security

  • Authentication/Passwords

  • Social Engineering

  • Software issues

  • Viruses, Worms, Trojan Horses

  • Identity Theft and Scams

  • Email issues

25


Physical security
Physical Security days in July. What could I do with the information in the auto-replies?

  • All bets are off if the bad guy is able to sit down at your computer, so physical security is absolutely vital.

  • All computers with sensitive information should be behind locked doors.

    • Problem  any computer in the company may be connected to these physically secured computers.

26


Physical security what can you do
Physical Security: What can you do? days in July. What could I do with the information in the auto-replies?

  • Require a username and password to log in to your computer.

  • Lock your workstation when you leave your desk.

  • Use a screensaver with a password. Set it to come on in a short period of time.

  • If you travel with a laptop, never let it leave your sight.

27


Physical security what can you do1
Physical Security: What can you do? days in July. What could I do with the information in the auto-replies?

  • Don’t let your kids use the company computer.

  • Don’t let outside service people wander un-escorted inside your company.

  • Check the ID of anyone you let inside.

  • Don’t throw away things that a Dumpster Diver can use!

29


Dumpster diving
Dumpster Diving days in July. What could I do with the information in the auto-replies?

  • Dumpster diving – the bad guys go through your trash.

  • What are they looking for?

    • Written passwords

    • Company phone directories

    • Network diagrams

    • Personal information

    • Any information that can be used against you or your company

30


Areas you have to be concerned with1
Areas you have to be concerned with days in July. What could I do with the information in the auto-replies?

  • Physical security

  • Authentication/Passwords

  • Social Engineering

  • Software issues

  • Viruses, Worms, Trojan Horses

  • Identity Theft and Scams

  • Email issues

31


Authentication
Authentication days in July. What could I do with the information in the auto-replies?

  • A central concept of security is that data should be kept from the wrong people, but those that legitimately need access should be given access after their identity is verified.

  • This process of verification is called authentication.

  • The most popular method of authentication is currently a username and a password.

32


Authentication1
Authentication days in July. What could I do with the information in the auto-replies?

  • Authentication is making sure you are who you say you are.

  • Methods are:

    • Something you know (password)

    • Something you have (smart card or token, used with a PIN number)

    • Something you are (some biometric measure, such as fingerprint, retinal scan, voiceprint)

33


Authentication cont
Authentication (cont.) days in July. What could I do with the information in the auto-replies?

  • Passwords are cheap, but have serious problems.

  • Smart cards/tokens have a cost (configuration is labor-intensive), require readers, can be lost (and the user cannot authenticate until replaced).

  • Biometrics require readers, take time to authenticate, give both false positives and false negatives. (very expensive)

34


False positives negatives
False Positives/Negatives days in July. What could I do with the information in the auto-replies?

  • A false positive is when something is found to be true, but isn’t really. In biometrics this means someone is authenticated who shouldn’t be (a security breach)

  • A false negative is when something is found to be false, but isn’t really. In biometrics this means that someone is not authenticated, but should have been (a hassle)

35


The problems with passwords
The Problems with Passwords days in July. What could I do with the information in the auto-replies?

  • People use short passwords

  • People use common words as passwords

  • People use their name, or the name of their spouse, or children, or pet

  • People write their password down and place in near their keyboard

  • People use the same password on multiple systems

36


Password crackers
Password “Crackers” days in July. What could I do with the information in the auto-replies?

  • Programs exist that can eventually “crack” any password.

  • One way they do this by trying each word in a list (a dictionary attack).

  • Another way is to try each possible combination of letters, numbers, etc. (brute-force attack).

37


Short passwords
Short Passwords days in July. What could I do with the information in the auto-replies?

  • A short password is not a good password because there are not many combinations that need to be tried before the password is cracked.

  • A short password will be cracked by a brute-force attack in a shorter time than a longer password.

  • Although any password can eventually be cracked, the goal is to make it take so long as to be pointless (you will change the password before someone cracks it).

38


The problem with common words
The Problem with Common Words days in July. What could I do with the information in the auto-replies?

  • People like to choose common words for passwords, because these are easy to remember. These are vulnerable using a “dictionary” attack.

  • In a dictionary attack the cracker uses a password cracker and a file of common words (dictionary words) to try to match your password.

39


The problem with using a name
The Problem With Using a Name days in July. What could I do with the information in the auto-replies?

  • Another way to remember your password is to use your name (or some variation), your spouse’s name, your child’s name, etc.

  • Sometimes this information is readily available to the bad guy (maybe it’s in the phone book – Thomas & Amanda Smith, or it’s on the picture frame on your desk – “Fluffy the Cat”).

40


Writing your password down
Writing Your Password Down days in July. What could I do with the information in the auto-replies?

  • Believe it or not, the bad guy knows to look under the keyboard for your password.

  • It’s also pretty obvious when you stick it to your monitor.

  • Most know to look under your mouse or mouse pad.

41


Using the same password over and over
Using the Same Password Over and Over days in July. What could I do with the information in the auto-replies?

  • Most of us have to log in to more than one system, so we use the same password over and over.

  • If a cracker cracks your password for any of these systems, he/she will certainly try the same password on other systems.

  • This technique is often used: crack an unimportant machine, then use the same password on an important machine.

42


How to make a better password
How to Make a Better Password days in July. What could I do with the information in the auto-replies?

  • Upper-case alpha, lower-case alpha, numbers, and punctuation add to the “complexity”, this tends to nullify the dictionary attack, and makes the brute-force take much longer. (Microsoft’s definition of complexity is 3 of 4 of these)

  • Using a passphrase or a password based on a phrase is better, both from the standpoint of being harder to “guess” and being easier for you to remember.

43


Pass phrase example
Pass-phrase Example days in July. What could I do with the information in the auto-replies?

  • “I’m Fixing a Hole” (from the Beatles Sgt. Pepper’s Lonely Hearts Club album) becomes !’mFxng@H0l&

  • “I’m a Believer” becomes 1m@B3l13v3r

  • You get the idea ….

44


Password policies
Password Policies days in July. What could I do with the information in the auto-replies?

  • The company you work for probably has a password policy. Some of the things covered in this policy could be:

    • Length – longer passwords are harder to crack

    • Complexity – passwords using a combination of uppercase, lowercase, numbers, and/or punctuation are harder to crack

    • Maximum age – how long a user is allowed to use a particular password

45


Password policies1
Password Policies days in July. What could I do with the information in the auto-replies?

  • Minimum age – length of time a user must use a particular password before they can change it. This (along with “history”) prevents a user from changing a password when required, then changing it back to a favorite.

  • History – the number of passwords the operating system remembers. A user can’t use a password that the OS remembers.

46


Why are you telling me this
Why are you telling me this? days in July. What could I do with the information in the auto-replies?

  • So you will understand the importance of using long and complex passwords, of not writing your password down, of changing your password regularly, etc.

  • We are not asking you to do all this to annoy you. There are valid, important reasons you should do these things.

47


Areas you have to be concerned with2
Areas you have to be concerned with days in July. What could I do with the information in the auto-replies?

  • Physical security

  • Authentication/Passwords

  • Social Engineering

  • Software issues

  • Viruses, Worms, Trojan Horses

  • Identity Theft and Scams

  • Email issues

48


Social engineering
Social Engineering days in July. What could I do with the information in the auto-replies?

  • Humans are acknowledged as the weakest link in any security design/implementation.

  • Since most of the technical ways of hacking a system are hard, numerous ways of exploiting this human factor have been developed by the bad guys.

  • These are called “social engineering.”

49


Social engineering1
Social Engineering days in July. What could I do with the information in the auto-replies?

  • Social engineering uses weaknesses in people instead of in software.

  • Classic social engineering – a cracker calls up the help desk and says “I’m so-and-so and I’ve just been hired as a consultant to do so-and-so and the IT guy said call you and have an account set up, and I’m in a hurry. . . . .” ----help desk person gives the password over the phone

50


Social engineering2
Social Engineering days in July. What could I do with the information in the auto-replies?

  • Social engineering relies on the desire to be “helpful” or the desire to “stay out of trouble.”

  • Social engineering is so effective it is usually the first thing a serious cracker will try.

51


How to neutralize social engineering attacks
How to Neutralize days in July. What could I do with the information in the auto-replies?Social Engineering Attacks

  • Education – we all have to learn not to trust just anyone.

  • Policies – your company needs a policy to cover these types of situation. For example, instead of changing a password over the phone, the help desk personnel will email the password to the person’s supervisor, or leave the new password on the person’s voice mail.

52


Areas you have to be concerned with3
Areas you have to be concerned with days in July. What could I do with the information in the auto-replies?

  • Physical security

  • Authentication/Passwords

  • Social Engineering

  • Software issues

  • Viruses, Worms, Trojan Horses

  • Identity Theft and Scams

  • Email issues

53


Software issues terminology
Software Issues - Terminology days in July. What could I do with the information in the auto-replies?

  • A vulnerability is a weakness, either in how a program was written, or how it is configured on a computer.

  • An exploit is computer code (a small program) written to take advantage of a vulnerability.

  • The goal of the bad guy here is to obtain administrator level access to the computer.

54


Software issues
Software Issues days in July. What could I do with the information in the auto-replies?

  • Operating systems are large complex computer programs that may contain poorly written sections (vulnerabilities) that can be exploited by a cracker, usually leading to the cracker being able to run whatever programs he/she wants on the computer.

  • A cracker usually copies a complete set of attack tools to the compromised machine.

55


More software issues
More Software Issues days in July. What could I do with the information in the auto-replies?

  • Computer applications, such as Internet Explorer and Internet Information Server, are also programs, and also have poorly written sections.

  • Applications can therefore be exploited just like operating systems.

  • Good advice - Don’t install any application or service that you don’t absolutely need.

56


What can go wrong here
What can go wrong here? days in July. What could I do with the information in the auto-replies?

  • Suppose the person(s) discovering the vulnerability are bad guys – do you think they are going to tell the producer of the software?

  • Suppose the discoverer(s) are good guys, but the software producer just ignores them (so they decide to release the vulnerability without a patch being produced).

57


What else can go wrong here
What else can go wrong here? days in July. What could I do with the information in the auto-replies?

  • The vulnerability and the patch is released. Now the bad guys rush to produce an exploit and launch it in a virus or a worm.

    • Have you patched all your computers, or did you think this would just go away?Or were you not paying attention, and didn’t know anything was going on?

58


Mitigating software issues
Mitigating Software Issues days in July. What could I do with the information in the auto-replies?

  • Be aware of newly discovered vulnerabilities: www.cert.org

  • Install patches as soon as they are available.

  • Use virus protection, and keep the signature file up-to-date (to detect the tools a cracker might copy to your computer).

  • Use a personal firewall: www.zonelabs.com

59


Patches
Patches days in July. What could I do with the information in the auto-replies?

  • A patch is code that fixes a vulnerability in an operating system or application.

  • Patches are written and made available by software vendors.

  • Patches must be downloaded and installed.

  • The computer must often be re-booted before the patch takes effect.

60


More on patches
More on Patches days in July. What could I do with the information in the auto-replies?

  • Patches sometime break other parts of your operating system or applications, so things may not work the same as they did before.

  • Keeping up with the latest patches is hard work.

  • Microsoft’s Windows Update is an attempt to automate this process: http://windowsupdate.microsoft.com

61


Even more on patches
Even More on Patches days in July. What could I do with the information in the auto-replies?

  • Microsoft has introduced the Software Update Services (SUS) to facilitate patch distribution within companies (SUS allows local administrators to verify the patches before allowing other computers access to them).

  • Microsoft XP can be set to automatically download and install necessary patches.

62


Start days in July. What could I do with the information in the auto-replies?

Control Panel

Performance & Maintenance

System

63


Microsoft s baseline security analyzer
Microsoft’s Baseline Security Analyzer days in July. What could I do with the information in the auto-replies?

  • Microsoft has a tool (MBSA) that you can install and use to check for critical updates, a number of password issues, a number of file system issues, whether the computer is running unnecessary services, whether there are files shared, etc.

  • MBSA checks the computer against a list at microsoft.com to determine any missing updates (patches).

64


65 days in July. What could I do with the information in the auto-replies?


Personal firewalls
Personal Firewalls days in July. What could I do with the information in the auto-replies?

  • A personal firewall is installed directly on your computer.

  • It monitors traffic into and out of your computer. Let’s you know when there is something going on.

  • Free versions exist, but a little money can buy you added functionality.

66


Even more software issues
Even More Software Issues days in July. What could I do with the information in the auto-replies?

  • Don’t install any software that you don’t absolutely need, and know where that software came from.

  • Don’t install the really cool, free game or the spiffy screensavers – nowadays such things often contain other software you didn’t bargain for: adware, spyware, malware, etc.

67


Free software
Free Software days in July. What could I do with the information in the auto-replies?

  • “Free” software must be paid for somehow – it usually has hidden components that are installed at the same time as the thing you wanted.

  • These hidden components can do a number of things without your knowledge – although you technically gave your permission when you clicked “Install”.

68


What to do if your computer is acting strangely
What to do if your computer is acting strangely days in July. What could I do with the information in the auto-replies?

  • Go to http://www.lavasoftusa.comand download and install Ad-aware.

  • Ad-aware will search through your hard drive looking for software thatdoes such things as tracks your Internet surfing habits, profiles your shopping habits, or otherwise invade your privacy.

  • It will also flag your browser cookies.

69


Cookies
Cookies days in July. What could I do with the information in the auto-replies?

  • Cookies are small files stored on your computer by web servers.

  • Cookies contain information that helps sustain your interactions with web sites.

  • The presence of a cookie from a web site indicates that you have been to the site.

  • Looking at your cookies tells a lot about you.

70


Software issues summary
Software Issues - Summary days in July. What could I do with the information in the auto-replies?

  • Vulnerabilities in operating systems (Windows) and applications are being discovered every day.

  • If you don’t keep your machine patched, your machine will fall victim to exploits based on these vulnerabilities.

  • “Free” software usually includes things you didn’t bargain on, so be very careful about anything you install on your computer.

71


Areas you have to be concerned with4
Areas you have to be concerned with days in July. What could I do with the information in the auto-replies?

  • Physical security

  • Authentication/Passwords

  • Social Engineering

  • Software issues

  • Viruses, Worms, Trojan Horses

  • Identity Theft and Scams

  • Email issues

72


Viruses worms trojan horses
Viruses, Worms, Trojan Horses days in July. What could I do with the information in the auto-replies?

  • A virus is code that needs the user to do something to initiate it: such as opening it.

  • A worm is code that can spread itself.

  • A Trojan horse is code that is hidden inside another, useful looking program.

73


Cost of viruses
Cost of Viruses days in July. What could I do with the information in the auto-replies?

  • “Computer virus attacks cost global businesses an estimated $55 billion in damages in 2003, a sum that would rise this year.” - Trend Micro Inc. (the world's third-largest antivirus software maker).

  • Companies lost roughly $20 billion to $30 billion in 2002 from the virus attacks, up from about $13 billion in 2001, according to various industry estimates.

74


What to do about viruses worms etc
What To Do About Viruses, Worms, etc days in July. What could I do with the information in the auto-replies?.

  • Use virus protection software. Configure the software to automatically download the latest signature file frequently.

  • Use virus protection software that also scans email. Don’t open an attachment unless you are expecting it and know who sent it to you.

  • Don’t install software from an untrusted source.

75


Virus protection software is not enough
Virus Protection Software Is Not Enough days in July. What could I do with the information in the auto-replies?

  • Virus protection software has a serious problem – it works by comparing the “signature” of the virus or worm to the files on your computer.

  • Until someone “catches” any new virus or worm and adds it’s “signature” to the signature file (and you download the new file), there is no protection against the new virus or worm.

76


The new viruses and worms
The New Viruses and Worms days in July. What could I do with the information in the auto-replies?

  • The creators of the newest viruses and worms have learned much from the past:

    • The new viruses and worms spread much more rapidly, before the signature files can be updated and downloaded.

    • The new email viruses look so convincing that many people open them.

77


Areas you have to be concerned with5
Areas you have to be concerned with days in July. What could I do with the information in the auto-replies?

  • Physical security

  • Authentication/Passwords

  • Social Engineering

  • Software issues

  • Viruses, Worms, Trojan Horses

  • Identity Theft and Scams

  • Email issues

78


Scams
Scams days in July. What could I do with the information in the auto-replies?

  • Con artists have expanded their methods online.

  • For example:

    • The Nigerian email scam

    • The Pay Pal scam (phishing scam)

    • The Citibank scam (also phishing)

79


Phishing
Phishing days in July. What could I do with the information in the auto-replies?

  • Phishing refers to a particular type of Internet scam in which a user is tricked into giving up personal information, like bank account information. Also known as carding.

  • Often, these are official looking emails containing links to official looking web sites.

80


What to do about scams
What to do about scams? days in July. What could I do with the information in the auto-replies?

  • Use your head – if it sounds too good to be true, it probably is.

  • Arm yourself with knowledge:

    • http://www.snopes.com/

    • http://www. truthorfiction.com

  • Know the policy of the company who sent you the message – for example, Microsoft never sends security patches via email.

81


The ftc s advice on scams
The FTC’s advice on scams days in July. What could I do with the information in the auto-replies?

  • If you get an email that warns you, with little or no notice, that an account of yours will be shut down unless you reconfirm your billing information, do not reply or click on the link in the email. Instead, contact the company cited in the email using a telephone number or Web site address you know to be genuine.

82


The ftc s advice on scams cont
The FTC’s advice on scams days in July. What could I do with the information in the auto-replies?(cont.)

  • Avoid emailing personal and financial information. Before submitting financial information through a Web site, look for the "lock" icon on the browser's status bar. It signals that your information is secure during transmission.

83


The ftc s advice on scams cont1
The FTC’s advice on scams days in July. What could I do with the information in the auto-replies?(cont.)

  • Review credit card and bank account statements as soon as you receive them to determine whether there are any unauthorized charges. If your statement is late by more than a couple of days, call your credit card company or bank to confirm your billing address and account balances.

84


The ftc s advice on scams cont2
The FTC’s advice on scams days in July. What could I do with the information in the auto-replies?(cont.)

  • Report suspicious activity to the FTC.

    • If you believe you've been scammed, file your complaint at www.ftc.gov, and then visit the FTC's Identity Theft Web site www.ftc.gov/idtheft to learn how to minimize your risk of damage from identity theft.

85


Identity theft info from ftc
Identity Theft (info from FTC) days in July. What could I do with the information in the auto-replies?

How do the bad guys steal your identity?

  • They get information from businesses or other institutions by:

    • stealing records from their employer,

    • bribing an employee who has access to these records, or

    • hacking into the organization’s computers.

  • They rummage through your trash, or the trash of businesses or dumps in a practice known as “dumpster diving.”

86


Identity theft info from ftc1
Identity Theft (info from FTC) days in July. What could I do with the information in the auto-replies?

  • They obtain credit reports by abusing their employer’s authorized access to credit reports or by posing as a landlord, employer, or someone else who may have a legal right to the information.

  • They steal credit and debit card numbers as your card is processed by using a special information storage device in a practice known as “skimming.”

  • They steal wallets and purses containing identification and credit and bank cards.

87


Identity theft info from ftc2
Identity Theft (info from FTC) days in July. What could I do with the information in the auto-replies?

  • They steal mail, including bank and credit card statements, pre-approved credit offers, new checks, or tax information.

  • They complete a “change of address form” to divert your mail to another location.

  • They steal personal information from your home.

  • They scam information from you by posing as a legitimate business person or government official.

88


Computer issues of identity theft also from ftc
Computer issues of identity theft days in July. What could I do with the information in the auto-replies?(also from FTC)

  • Update your virus protection software regularly. Computer viruses can have damaging effects, including introducing program code that causes your computer to send out files or other stored information.

  • Look for security repairs and patches you can download from your operating system’s Web site. Do this regularly.

89


Computer issues of identity theft also from ftc1
Computer issues of identity theft days in July. What could I do with the information in the auto-replies?(also from FTC)

  • Don’t download files from strangers or click on hyperlinks in emails from people you don’t know. Opening a file or clicking on a link could expose your system to a computer virus or a program that could compromise your computer and give someone else complete control.

90


Computer issues of identity theft also from ftc2
Computer issues of identity theft days in July. What could I do with the information in the auto-replies?(also from FTC)

  • Use a firewall, especially if you have a high-speed or “always on” connection to the Internet. The firewall allows you to limit uninvited access to your computer. Without a firewall, hackers can take over your computer and access sensitive information.

91


Computer issues of identity theft also from ftc3
Computer issues of identity theft days in July. What could I do with the information in the auto-replies?(also from FTC)

  • Use a secure browser — software that encrypts or scrambles information you send over the Internet — to guard the safety of your online transactions (this only works if the site you are accessing is a secure site).

  • When you’re submitting information, look for the “lock” icon on the status bar. It’s a symbol that your information is secure during transmission.

92


Computer issues of identity theft also from ftc4
Computer issues of identity theft days in July. What could I do with the information in the auto-replies?(also from FTC)

  • Try not to store financial information on your laptop (or any computer) unless absolutely necessary. If you do, use a “strong” password — that is, a combination of letters (upper and lower case), numbers, and symbols.

  • Avoid using an automatic log-in feature that saves your user name and password; and always log off when you’re finished. If your laptop gets stolen, the thief will have a harder time accessing sensitive information.

93


Computer issues of identity theft also from ftc5
Computer issues of identity theft days in July. What could I do with the information in the auto-replies?(also from FTC)

  • Delete any personal information stored on your computer before you dispose of it. Use a “wipe” utility program, which overwrites the entire hard drive and makes the files unrecoverable.

  • Read Web site privacy policies.

94


Areas you have to be concerned with6
Areas you have to be concerned with days in July. What could I do with the information in the auto-replies?

  • Physical security

  • Authentication/Passwords

  • Social Engineering

  • Software issues

  • Viruses, Worms, Trojan Horses

  • Identity Theft and Scams

  • Email issues

95


Email security
Email Security days in July. What could I do with the information in the auto-replies?

  • Email is a common vector for the delivery of viruses.

  • The virus are in attachments, such as coolpic.jpg

  • Since Windows by default doesn’t show you filename extensions, this attachment could really be coolpic.jpg.exe

  • Instead of a graphic, you have an executable file that could do anything.

96


Steps you can take
Steps you can take days in July. What could I do with the information in the auto-replies?

  • For whatever email software (Outlook, Outlook Express, Eudora) you are using, make sure you have the latest version or have installed any patches available.

  • Change the default setting of the OS so that filename extensions are displayed.

  • Don’t open an attachment unless you are expecting it.

  • Don’t just click on anything you see ….

97


Don t just click on anything
Don’t just click on anything … days in July. What could I do with the information in the auto-replies?

  • Did you ever get an email that said click here (on a web address) to get a really cool game, or to see a cute picture, or ….?

  • Do you realize that there could be a different link behind what looks like the link you are clicking on?

98


99 days in July. What could I do with the information in the auto-replies?


100 days in July. What could I do with the information in the auto-replies?


Email hoaxes
Email Hoaxes days in July. What could I do with the information in the auto-replies?

  • A hoax (in email terms) is a message that is simply untrue.

  • A hoax is harmful because it takes time to read and then delete. A few seconds multiplied by a lot of users equals a lot of time lost in a company.

  • Forwarding a hoax can make you look bad.

    • Example – “Bill Gates wants to give you money ….”

101


Other email issues
Other email issues days in July. What could I do with the information in the auto-replies?

  • Email is sent in a form that’s directly readable (cleartext or plaintext).

  • Anyone between you and the recipient could listen to (sniff) your message and read it.

  • It’s also possible to send an email pretending to be someone else (spoofing).

102


Encrypting your email
Encrypting your email days in July. What could I do with the information in the auto-replies?

  • You can use either PGP (Pretty Good Privacy) or S/MIME (Secure/Multipurpose Internet Mail Extensions) to encrypt your email.

  • This will keep your messages safe from prying eyes, and also give you a defense against someone pretending to be you when sending a message.

103


Cable and dsl
Cable and DSL days in July. What could I do with the information in the auto-replies?

  • Cable and DSL are “always-on” connections.

  • Crackers love always-on connections, because they have a lot of bandwidth and the computers are usually not patched and so are vulnerable to a number of exploits.

  • The computer’s owner often doesn’t know when something unusual is happening.

104


What to do about that
What to do about that …. days in July. What could I do with the information in the auto-replies?

  • Buy and install a Cable/DSL router. This will help to hide your home computer(s) from probes from the crackers.

  • Buy and install a personal firewall for all your computers. Be careful what traffic you let into and out of your computer.

105


Another problem
Another Problem days in July. What could I do with the information in the auto-replies?

  • Many people connect to their company’s network from their home computer. The same computer that everybody in the family uses to surf to who-knows-where and to download all kinds of nifty programs.

  • So when you connect to your company, what are you exposing your company’s computers to?

106


Solution
Solution days in July. What could I do with the information in the auto-replies?

  • You should have a dedicated computer for connecting to work.

  • Computers are relatively cheap now – why not get one for your kids?

  • Put all the computers behind the cable/DSL router.

  • Install virus protection and personal firewalls on everything.

107


Instant messaging
Instant Messaging days in July. What could I do with the information in the auto-replies?

  • Instant messaging is the latest step in the evolution of communications.

  • With instant messaging, you enter friends, co-workers, etc. into a contact list, and you are informed when they are online.

  • For any contact that’s online, you can communicate “instantly”, through a small window on the computer screen.

108


Instant messaging software
Instant Messaging Software days in July. What could I do with the information in the auto-replies?

  • There are a number of IM utilities – AOL Instant Messenger (AIM), ICQ, Microsoft MSN Messenger, Yahoo! Messenger.

  • These typically pass your messages through an external server while on-route to their destination.

  • A variation of this are “chat” rooms, where a number of people can communicate with each other - Internet Relay Chat (IRC), for example.

109


Instant messaging problems
Instant Messaging Problems days in July. What could I do with the information in the auto-replies?

  • The immediacy of IM often leads to quick responses that give away too much information.

  • Do you really know who you are “talking” to?

  • Files can be transferred through IM, and you don’t know what’s in the files.

110


Things to remember
Things to remember days in July. What could I do with the information in the auto-replies?

  • Good passwords are important.

  • Keep your computer patched.

  • Use virus-protection and keep your signature file up-to-date.

  • Don’t open any file unless you are sure of what it is and where it came from.

  • Don’t click on just anything.

111


Things to remember cont
Things to remember (cont.) days in July. What could I do with the information in the auto-replies?

  • Physical security is very important.

  • Don’t give out any information you don’t have to.

  • Back up all important data.

  • Use a firewall.

  • Don’t run unnecessary services.

  • Remember security is an ongoing process.

112


Things to remember cont1
Things to remember (cont.) days in July. What could I do with the information in the auto-replies?

  • Look at the privacy polices on web sites.

  • Get a separate account for your personal e-mail.

  • Teach your kids that giving out personal information online means giving it out to strangers.

  • Clear your memory cache after browsing.

113


114 days in July. What could I do with the information in the auto-replies?


Things to remember cont2
Things to remember (cont.) days in July. What could I do with the information in the auto-replies?

  • Make sure online forms are secure. Look for the lock in the corner of the browser screen.

  • Use anonymous remailers

    • Created to protect privacy

  • Keep your e-mail private, use encryption (some email programs have encryption)

  • Use anonymizers while browsing.

    • www.freedom.net

    • www.anonymizer.com

115


ad