Computer Security Awareness at Home Presented By Gavin Worden
Agenda
What is Computer Security?
What is at Risk?
What can be done to protect your computer?
Overview of the Internet and World Wide Web
Protecting your Home Network
Protecting your Home Computer
General On-Line Security Strategies
Social Networking Security
Privacy and the Internet
Smart Phone Security
From the News
The IC³, which is a partnership between the FBI and the National White Collar Crime Center (NW3C), received an average of 25,317 cybercrime complaints per month last year, noted the 2010 Internet Crime Report.
A sophisticated data mining virus (Zeus Trojan) that has emptied bank accounts in the United Kingdom was found to have infected a computer in the Virginia Tech controller's office. About 370 people were affected.
Botnets used in banking credential theft and other criminal enterprises made huge gains in 2010, claiming more than seven times as many victims as the previous year, according to a report issued by a security firm that follows the large networks of infected machines.
From the News
Security experts are warning of a new Facebook phishing scam designed to harvest log-in credentials. The scam promises a @facebook.com email address to those who register, but is actually a trap to gather log-ins and passwords for the site.
A new IRS scam e-mail looks convincing. With a subject line declaring "TAX EXEMPTION NOTIFICATION," the message told the recipient to fill out and fax an attached form that asked for personal information so he would not miss out on a special tax immunity.
In New York, scam callers have been indicating that they are from the Bureau of Criminal Investigations or the Cyber Crime Unit of the New York State Police and requesting money for a bad debt or an unpaid loan, according to a press release from the New York State
What is Computer Security?
What is Computer Security? According to the Computer Emergency Response Team (CERT) at Carnegie Mellon University: Computer security is the process of preventing and detecting unauthorized use of your computer. Prevention measures help you to stop unauthorized users (also known as "intruders") from accessing any part of your computer system. Detection helps you to determine whether or not someone attempted to break into your system, if they were successful, and what they may have done.
Why should you care about Computer Security?
Why should you care about Computer Security? Once again, according to CERT: We use computers for everything from banking and investing to shopping and communicating with others through email or chat programs. Although you may not consider your communications "top secret," you probably do not want strangers reading your email, using your computer to attack other systems, sending forged email from your computer, or examining personal information stored on your computer (such as financial statements).
How easy is it to break into your computer? Unfortunately, intruders are always discovering new vulnerabilities (informally called "holes") to exploit in computer software. The complexity of software makes it increasingly difficult to thoroughly test the security of computer systems. There is no such thing as a 100% secure computer. - CERT Coordination Center Home Network Security, (2001), http://www.cert.org/tech_tips/home_networks.html
Why would someone break into your computer? Intruders often want to gain control of your computer so they can use it to launch attacks on other computer systems. Having control of your computer gives them the ability to hide their true location as they launch attacks, often against high-profile computer systems such as government or financial systems. Intruders may be able to watch all of your actions on the computer, or cause damage to your computer by reformatting your hard drive or changing your data. - CERT Coordination Center Home Network Security, (2001), http://www.cert.org/tech_tips/home_networks.html
What is at risk?
Your Personal Information
Your Financial Assets
Your computer being used to attack others
And more
What can be done to protect your computer? Use the strategy of Defense in Depth: utilize multiple security layers and methods to reduce the likelihood that you will fall victim to an intruder. Examples include:
Use a network firewall and a software firewall on your PC.
Perform regular software updates on your operating system and installed applications.
Install anti-malware software and keep it up to date.
Overview of the Internet and the World Wide Web
Overview of the Internet and the World Wide Web The History of the Internet: In the 1960s, basic networking technologies were being developed in support of the telephone systems. In 1969, the Advanced Research Projects Agency (ARPA) launched ARPAnet, the foundation for the modern Internet. ARPAnet connected to a number of other networks, resulting in a Network of Networks. Between 1972 and 1980, ARPAnet and its partner networks grew from 15 interconnected computers to over 100,000. - Kurose, J., & Ross, K. (2008). Computer Networking, 4th Edition. Boston, MA: Pearson Education.
Overview of the Internet and the World Wide Web Video The History of the Internet (YouTube) http://www.youtube.com/watch?v=9hiqjrmhtv4
Overview of the Internet and the World Wide Web The History of the World Wide Web: The Internet is a network that data travels over, while the World Wide Web is a graphical user interface that we interact with directly through web pages. The Web was invented at the European Council for Nuclear Research (CERN) by Tim Berners-Lee between 1989 and 1991. Berners-Lee and his associates developed the initial versions of Hypertext Markup Language (HTML), Hypertext Transfer Protocol (HTTP), a web server, and a web browser: the four key components of the Web. - Kurose, J., & Ross, K. (2008). Computer Networking, 4th Edition. Boston, MA: Pearson Education.
Protecting your home network
Protecting your home network Use a hardware firewall on your home network. Never directly connect your computer to your Internet Service Provider (ISP). Hardware firewalls are often bundled with inexpensive consumer Internet share devices like cable modems, gateways, or wireless routers.
Protecting your home network Wireless Security Wireless Security Basics:
1. Change the default password on your wireless router per the manufacturer's instructions. The DEFAULT password is openly published on the Internet, allowing anyone within range to access your wireless network and make security configuration changes.
2. Hide the name of your wireless network. The technical name of your wireless network is the SSID. Change the default SSID name and select the option DO NOT BROADCAST SSID. This means people cannot easily locate and connect to your wireless network without knowing your new SSID.
Protecting your home network Wireless Security Wireless Security Basics Continued:
3. Be sure to enable wireless encryption (WPA2 is recommended) per the manufacturer's instructions. Enabling WPA2 will also require that you set a passphrase for access to your wireless network. This means that only computers that are configured with your WPA2 passphrase will be able to connect to your wireless network. This will reduce the likelihood of someone stealing your bandwidth or trying to hack your wireless network.
Protecting your Computer (Laptop, Tablet, etc.)
Protecting your Computer (Laptop, Tablet, etc.) Be sure to install a security software suite that includes at least the following security components:
A software firewall
Intrusion Prevention
Anti-malware (anti-virus, anti-spyware, etc.)
Protecting your Computer (Laptop, Tablet, etc.) Schedule automatic updates for your computer's operating system. This reduces the number of security holes that an attacker can use to gain access to your computer. Routinely update the applications installed on your computer. Many software applications now include software update utilities that notify you when new software updates are available.
General On-Line Security Strategies
General On-Line Security Strategies Be sure to use STRONG PASSWORDS on websites that store personal or otherwise sensitive information. What makes a strong password? Make it lengthy. Each character that you add to your password increases the protection that it provides many times over. Your passwords should be 8 or more characters in length; 14 characters or longer is ideal. Many systems also support use of the space bar in passwords, so you can create a phrase made of many words (a "pass phrase"). A pass phrase is often easier to remember than a simple password, as well as longer and harder to guess. Combine letters, numbers, and symbols. The greater variety of characters that you have in your password, the harder it is to guess. - How to Create and Use Strong Passwords, Microsoft, http://www.microsoft.com/nz/digitallife/security/create-strong-passwords.mspx
General On-Line Security Strategies What makes a strong password? (continued) Use words and phrases that are easy for you to remember, but difficult for others to guess. The easiest way to remember your passwords and pass phrases is to write them down. Contrary to popular belief, there is nothing wrong with writing passwords down, but they need to be adequately protected in order to remain secure and effective. In general, passwords written on a piece of paper are more difficult to compromise across the Internet than a password manager, Web site, or other software-based storage tool. - How to Create and Use Strong Passwords, Microsoft, http://www.microsoft.com/nz/digitallife/security/create-strong-passwords.mspx
General On-Line Security Strategies
Examples of WEAK Passwords:
george (someone's name)
11171965 (someone's birthdate)
1234 (simple number strings)
Examples of STRONG Passwords:
des*3r!9 (completely random)
LO0k@m3! (approximates a word or phrase using special characters)
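The rules on the last three slides (8 or more characters, ideally 14; mixed letters, numbers and symbols; nothing a stranger could look up such as a name or birthdate; pass phrases allowed) can be turned into a small checker. The script below is an added illustration, not part of the presentation; its list of common words is a constructed stand-in for a real dictionary, and the bit count is a plain brute-force estimate that shows why each added character multiplies an attacker's work.

```python
import math
import re

# Constructed stand-in for a real dictionary of names and common words; a production
# checker would use a large breached-password list instead.
COMMON_WORDS = {"george", "john", "mary", "password", "admin", "letmein", "welcome"}
CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")   # lower, upper, digit, symbol

def charset_size(pw):
    """Smallest alphabet containing every character: this is why 'combine letters,
    numbers, and symbols' matters (33 covers printable ASCII symbols incl. space)."""
    sizes = (26, 26, 10, 33)
    return sum(size for pat, size in zip(CLASSES, sizes) if re.search(pat, pw))

def guess_space_bits(pw):
    """log2 of the brute-force search space: each extra character multiplies the
    attacker's work 'many times over', as the Microsoft guidance above puts it."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0

def looks_like_date(pw):
    """MMDDYYYY or DDMMYYYY birthdates such as 11171965."""
    if not re.fullmatch(r"\d{8}", pw):
        return False
    a, b, year = int(pw[:2]), int(pw[2:4]), int(pw[4:])
    day_month = (1 <= a <= 12 and 1 <= b <= 31) or (1 <= b <= 12 and 1 <= a <= 31)
    return day_month and 1900 <= year <= 2100

def is_simple_sequence(pw):
    """'1234', 'dcba', 'aaaa': every step between neighbouring characters is the same."""
    steps = {ord(y) - ord(x) for x, y in zip(pw, pw[1:])}
    return len(pw) >= 3 and len(steps) == 1 and steps <= {-1, 0, 1}

def assess(pw):
    """Return (verdict, reasons) using the presentation's criteria: 8+ characters
    (14+ ideal), mixed character classes, nothing a stranger could look up or guess."""
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if pw.lower() in COMMON_WORDS:
        reasons.append("a name or common word")
    if looks_like_date(pw):
        reasons.append("looks like a birthdate")
    if is_simple_sequence(pw):
        reasons.append("a simple sequence")
    classes = sum(bool(re.search(pat, pw)) for pat in CLASSES)
    if classes < 3 and len(pw) < 14:              # long pass phrases may stay all letters
        reasons.append("fewer than three character classes")
    if reasons:
        return "WEAK", reasons
    note = "" if len(pw) >= 14 else " (14 or more characters would be better)"
    return "STRONG" + note, [f"about {guess_space_bits(pw):.0f} bits of search space"]

if __name__ == "__main__":
    # The slide's own examples plus a constructed pass phrase.
    for candidate in ("george", "11171965", "1234", "des*3r!9", "LO0k@m3!",
                      "correct horse battery staple"):
        print(f"{candidate!r:32} {assess(candidate)}")
```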
General On-Line Security Strategies How do you securely store all of your passwords? Most if not all of the major consumer security software vendors offer some sort of secure password vault. Secure Password Vault = Encrypted application to securely store usernames and passwords. Many smart phones include secure password vault applications for access to your passwords on the go. IMPORTANT! Only use secure password storage applications from companies you trust! Also, avoid on-line password managers; they are only as secure as the company and applications storing your information.
General On-Line Security Strategies What is Social Engineering? Social engineering is the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques.
General On-Line Security Strategies Three important Social Engineering concepts:
Pretexting
Phishing
E-mail Spoofing
General On-Line Security Strategies Pretexting is the act of creating and using an invented scenario (the pretext) to engage a targeted victim in a manner that increases the chance the victim will divulge information or perform actions that would be unlikely in ordinary circumstances. Involves prior research for impersonation (e.g., information about you, your agency, our organization, etc.) to establish legitimacy in the mind of the target.
General On-Line Security Strategies Phishing is a technique of fraudulently obtaining private information. The phisher sends an e-mail that appears to come from a legitimate source like a government agency requesting information and warning of some dire consequence if it is not provided. The e-mail may contain links to a fraudulent web page that seems legitimate with agency logos and content and may initiate a download that is ultimately malware.
General On-Line Security Strategies E-mail spoofing is a term used to describe e-mail activity in which the sender address and other parts of the e-mail header are altered to appear as though the e-mail originated from a different source.
General On-Line Security Strategies Pretexting, E-mail Spoofing, & Phishing are often used together. Spear Phishing is a targeted phishing attack in which specific organizations or individuals are targeted.
General On-Line Security Strategies Phishing Examples:
Security experts are warning of a new Facebook phishing scam designed to harvest log-in credentials. The scam promises a @facebook.com email address to those who register, but is actually a trap to gather log-ins and passwords for the site.
IRS scam e-mail looks convincing. With a subject line declaring "TAX EXEMPTION NOTIFICATION," the message told the recipient to fill out and fax an attached form that asked for personal information so he would not miss out on a special tax immunity.
In New York, scam callers have been indicating that they are from the Bureau of Criminal Investigations or the Cyber Crime Unit of the New York State Police and requesting money for a bad debt or an unpaid loan, according to a press release from the New York State
General On-Line Security Strategies Important tips for avoiding Phishing scams:
Never open an e-mail attachment if you have not first verified that both the sender and the attachment are legitimate.
Never click on a hyperlink in an e-mail until you have verified the sender and know that the link is legitimate.
Do not assume that an e-mail is legitimate solely based on the sender's address.
Social Networking Security
Social Networking Security What are some examples of social networking sites that you are aware of?
Social Networking Security Social Networking site examples include:
Classmates
Facebook
Flickr
Friendster
LinkedIn
MySpace
Twitter
Yelp
And the list goes on and on
Social Networking Security Be careful about what information you post on Social Media Sites! Why??
Social Networking Security Information that you post on Social Media sites can potentially reveal sensitive information, including:
Your full name
Date of birth
Address
Family members (Mother's Maiden Name)
Work and/or work location
Your schedule (when you are away from home)
Social Networking Security When aggregated, these pieces of information can increase your risk of identity theft. Information commonly posted on social networking sites can be used for password retrieval on other sites. Information about your location or schedule can aid burglars and other criminals.
Social Networking Security Be sure to use social networking site security features to their maximum potential!
Limit who can see your information on-line.
Think twice about posting or tweeting information about your location or schedule.
Do not post information or pictures that reveal your address.
Do not post your full date of birth.
Avoid posting information that can be aggregated for use with a password recovery program: High School, Place of Birth, Maiden Name, Etc.
Social Networking Security Do YOU know of any examples of Social Networking security mistakes? Let's hear them!
Privacy and the Internet
Privacy and the Internet Be careful about making personal information available on the Internet. The Internet is a public medium accessible by people all over the world. Think beyond traditional social networking applications. Consider blogs, news articles, school work, business marketing material, etc.
Privacy and the Internet Even on protected sites, your information is only as secure as the web application or company that stores your information. Information you put on the Internet may still be available long after you delete it. Information about you can be gathered from all over the Internet into a single report for use by the good guys, or the bad guys.
Privacy and the Internet Information Aggregators What are Personal Information Aggregators? Personal information aggregators aggregate and display personal information collected from a variety of public sources (such as social network accounts, blog posts, phone book listings, customer-submitted reviews, real estate listings, and databases of other aggregators) and sell detailed reports on individuals to anyone who pays for them (free reports are often available as well). - Spokeo. Snopes.com. (2011). Retrieved from http://www.snopes.com/computer/internet/spokeo.asp
Privacy and the Internet Information Aggregators What are personal information aggregators used for? Personal Information Aggregators operate in much the same way as other data aggregators (financial, topical, social). They use automated processes and custom algorithms to gather and correlate related data from across the Internet. The idea is to create a convenient centralized location to access data that normally resides in multiple locations.
Privacy and the Internet Information Aggregators Examples of Personal Information Aggregators:
Spokeo.com
Pipl.com
Zabasearch.com
There are many more
Privacy and the Internet Information Aggregators Oftentimes, personal information aggregators contain more personal information than a person is comfortable with. Identity thieves, or others with bad intentions, can use this information in support of their criminal pursuits.
Privacy and the Internet Information Aggregators Threat Mitigation Strategies:
Many of these aggregators offer a way to Opt Out for free (you still need to deal with the source data).
Limit the personal information that you put on the Internet.
Limit the personal information that you supply to retailers.
Conduct regular personal reconnaissance and damage control by researching your personal information that is available on search engines and aggregator sites.
Smart Phone Security
Smart Phone Security Today's Smart Phones are essentially fully functional handheld computers. Smart Phones can:
Browse the web.
Provide e-mail access.
Take and send pictures or video to anyone, anywhere.
Support numerous applications that take advantage of state-of-the-art technology like the Internet and global positioning systems (GPS).
Smart Phone Security Location-Based Services Location-Based Services: Use internet-connected mobile devices' geolocation capabilities to let users notify others of their locations by checking in to that location. Some of these geosocial services emphasize social networking functions, and can notify friends on the service when the user is nearby. Other services take a gaming approach, in which check-ins are used to unlock levels or badges, or can be used to earn a certain title when the user has checked in to that location more than any other user. - Zickuhr, K., and Smith, A. 4% of online Americans use location-based services. Pew Internet. November 4, 2010.
Smart Phone Security Location-Based Services
Foursquare: A web and mobile application that allows registered users to connect with friends and update their location. Points are awarded for "checking in" at venues. Users can choose to have their check-ins posted on their accounts on Twitter, Facebook, or both.
Facebook Places: Like existing location-based apps, Facebook Places uses GPS so people can "check in" on their mobile phones, letting friends know where they are and what they're up to.
Gowalla: Primarily a mobile web application that allows users to check in to locations that they visit using their mobile device. Upon checking in, users may receive items as a bonus, and these can be swapped or dropped at Spots.
- Wikipedia.org
Smart Phone Security Geotagging Geotagging is the process of adding geographical identification information to various media such as photographs, video, websites, SMS messages, or RSS feeds. It is commonly used for photographs. Some cell phones like the iPhone and Motorola Backflip utilize a GPS chip along with built-in cameras to allow users to automatically geotag photos. Geographic coordinates can also be added to a photograph after the photograph is taken by attaching the photograph to a map using programs such as Flickr and Panoramio. - Geotagging. Wikipedia. Retrieved from http://en.wikipedia.org/wiki/geotagging.
Smart Phone Security Geotagging In August of 2010, Adam Savage, of MythBusters, took a photo of his vehicle using his smartphone. He then posted the photo to his Twitter account, including the phrase "off to work." Since the photo was taken by his smartphone, the image contained metadata revealing the exact geographical location where the photo was taken. So by simply taking and posting a photo, Savage revealed the exact location of his home, the vehicle he drives, and the time he leaves for work. Read the full story here: http://nyti.ms/917hrh - U.S. Army Social Media Roundup. Geotags and Location-Based Social Networking. Retrieved from http://www.slideshare.net/usarmysocialmedia
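The metadata that gave away Adam Savage's home is the EXIF GPS block inside the photo file. As an added illustration that is not part of the presentation, the Python script below builds a constructed minimal EXIF block, reads the coordinates out of it the way any photo site or stranger could, and then neutralises them before the picture is shared. It assumes the standard TIFF/EXIF layout (IFD0 tag 0x8825 pointing at a GPS IFD whose tags 1 to 4 hold the latitude and longitude as degree/minute/second rationals); a real JPEG wraps this block in an APP1 segment, which is not parsed here, and the coordinates are made up.

```python
import struct

GPS_INFO_TAG = 0x8825                              # IFD0 entry pointing at the GPS IFD
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 1, 2, 3, 4   # GPS IFD tags used here

def build_sample_exif(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed sample: a minimal little-endian TIFF block (the body of a JPEG
    APP1 'Exif' segment) whose IFD0 points at a GPS IFD holding lat/lon."""
    ifd0_off = 8                                   # right after the 8-byte TIFF header
    gps_off = ifd0_off + 2 + 12 * 1 + 4            # IFD0 has one 12-byte entry
    data_off = gps_off + 2 + 12 * 4 + 4            # GPS IFD has four entries
    header = struct.pack("<2sHI", b"II", 42, ifd0_off)
    ifd0 = struct.pack("<HHHII", 1, GPS_INFO_TAG, 4, 1, gps_off) + struct.pack("<I", 0)
    def ascii_entry(tag, s):                       # 'N\0' fits in the 4-byte value field
        return struct.pack("<HHI4s", tag, 2, len(s) + 1, s.encode())
    def rational_entry(tag, off):                  # 3 RATIONALs (deg, min, sec) at off
        return struct.pack("<HHII", tag, 5, 3, off)
    gps = (struct.pack("<H", 4) + ascii_entry(TAG_LAT_REF, lat_ref)
           + rational_entry(TAG_LAT, data_off) + ascii_entry(TAG_LON_REF, lon_ref)
           + rational_entry(TAG_LON, data_off + 24) + struct.pack("<I", 0))
    rationals = b"".join(struct.pack("<II", n, d) for n, d in lat_dms + lon_dms)
    return header + ifd0 + gps + rationals

def _read_ifd(buf, end, off):
    """Map tag -> (type, count, raw 4-byte value-or-offset field) for the IFD at off."""
    (n,) = struct.unpack_from(end + "H", buf, off)
    return {tag: (typ, cnt, raw) for tag, typ, cnt, raw in
            (struct.unpack_from(end + "HHI4s", buf, off + 2 + 12 * i) for i in range(n))}

def _dms_to_decimal(buf, end, off, ref):
    d, m, s = (n / den for n, den in struct.iter_unpack(end + "II", buf[off:off + 24]))
    deg = d + m / 60 + s / 3600
    return -deg if ref in ("S", "W") else deg      # south / west are negative

def _gps_ifd_offset(exif, end):
    (ifd0_off,) = struct.unpack_from(end + "I", exif, 4)
    ifd0 = _read_ifd(exif, end, ifd0_off)
    if GPS_INFO_TAG not in ifd0:
        return None
    return struct.unpack(end + "I", ifd0[GPS_INFO_TAG][2])[0]

def extract_gps(exif):
    """Return (lat, lon) in decimal degrees, or None when no location is stored."""
    end = "<" if exif[:2] == b"II" else ">"        # byte order from the TIFF header
    gps_off = _gps_ifd_offset(exif, end)
    if gps_off is None:
        return None
    gps = _read_ifd(exif, end, gps_off)
    if not all(t in gps for t in (TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON)):
        return None
    lat_ref, lon_ref = gps[TAG_LAT_REF][2][:1].decode(), gps[TAG_LON_REF][2][:1].decode()
    (lat_off,), (lon_off,) = (struct.unpack(end + "I", gps[t][2]) for t in (TAG_LAT, TAG_LON))
    return (_dms_to_decimal(exif, end, lat_off, lat_ref),
            _dms_to_decimal(exif, end, lon_off, lon_ref))

def strip_gps(exif):
    """Neutralise the location: wipe the coordinate rationals and set the GPS IFD's
    entry count to zero, leaving a structurally valid TIFF block of the same size."""
    end = "<" if exif[:2] == b"II" else ">"
    buf = bytearray(exif)
    gps_off = _gps_ifd_offset(buf, end)
    if gps_off is None:
        return bytes(buf)
    for typ, cnt, raw in _read_ifd(buf, end, gps_off).values():
        if typ == 5:                               # RATIONAL data lives outside the entry
            (off,) = struct.unpack(end + "I", raw)
            buf[off:off + 8 * cnt] = bytes(8 * cnt)
    struct.pack_into(end + "H", buf, gps_off, 0)
    return bytes(buf)
```

Running `extract_gps` on `build_sample_exif(((37, 1), (46, 1), (2950, 100)), "N", ((122, 1), (25, 1), (950, 100)), "W")` returns the decimal coordinates, and the same call on `strip_gps(...)` of that block returns None.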
Smart Phone Security Risks of using Location-Based Services and geotagging:
Establishing patterns of where you go and when.
Could be used to determine when you are not home.
Could be used to determine the location of your home and/or work.
These pieces of information can be used by criminals or other ill-intentioned individuals.
Conclusion Review:
What is Computer Security?
What is at Risk?
What can be done to protect your computer?
Overview of the Internet and World Wide Web
Protecting your Home Network
Protecting your Home Computer
General On-Line Security Strategies
Social Networking Security
Privacy and the Internet
Smart Phone Security
Conclusion
1. Be aware of basic computer security concepts.
2. Protect your personal information.
3. Protect your home network (Wireless Security!)
4. Protect your home computers.
5. Be SMART when you are on-line!
6. Avoid publicly sharing personal information.
7. Be aware of the security risks with mobile computing devices (Smart Phones).
QUESTIONS??
Computer Security at Home Presented By Gavin Worden