Internet Security For Home Users
Basic Attacks Malware, Social Engineering, Password Guessing, Physical Theft, Improper Disposal
Malware Malicious software: computer programs designed to break into and create havoc on computers. Viruses, Worms, Trojans
Viruses A program that secretly attaches itself to a document or another program and executes when that document or program is opened. Like its biological equivalent, viruses require a host to carry them from one system to another.
Viruses A virus might corrupt or delete data on your computer, use your e-mail program to spread itself to other computers, or even erase everything on your hard disk.
Viruses Can be disguised as attachments of funny images, greeting cards, or audio and video files. They can be hidden in illicit software or other files or programs you might download.
Symptoms of a Virus Computer runs very slowly. New programs don't install properly. New icons appear on the desktop. A program suddenly disappears from the computer.
Symptoms of a Virus An email message appears that has an unexpected attachment, or an attachment has a double file extension such as PICTURE.JPG.VPS. After opening the attachment, dialog boxes appear or the computer slows significantly.
Symptoms of a Virus Out-of-memory error messages appear. Programs that used to function normally stop responding. Windows restarts unexpectedly. Windows error messages appear listing critical system files that are missing and refuse to load.
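The double file extension symptom above (PICTURE.JPG.VPS) can be checked mechanically. The following is an added example, not part of the original slides; the extension lists and the sample file names are constructed assumptions.

```python
import os

# Constructed, non-exhaustive lists (assumptions); tune them for your own mail filter.
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".txt", ".mp3", ".avi"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js"}

# Constructed sample attachment names.
SAMPLE = ["PICTURE.JPG.VPS", "holiday.jpg", "greeting-card.jpg.exe", "backup.tar.gz", "setup.exe"]

def check_attachment(filename):
    """Return the reasons an attachment name looks suspicious (empty list if none)."""
    name = os.path.basename(filename.strip()).lower()
    stem, last = os.path.splitext(name)   # "picture.jpg", ".vps"
    prev = os.path.splitext(stem)[1]      # ".jpg", or "" if there is only one extension
    reasons = []
    # A harmless-looking extension followed by a different one is the classic disguise.
    if prev in DECOY_EXTS and last and last != prev:
        reasons.append("double extension %s%s" % (prev, last))
    # The final extension decides how the file is opened.
    if last in EXECUTABLE_EXTS:
        reasons.append("executable type %s" % last)
    return reasons

def flag_suspicious(filenames):
    """Map each suspicious name to its reasons, skipping clean names."""
    flagged = {}
    for name in filenames:
        reasons = check_attachment(name)
        if reasons:
            flagged[name] = reasons
    return flagged

if __name__ == "__main__":
    for name, reasons in flag_suspicious(SAMPLE).items():
        print(name, "->", "; ".join(reasons))
```

Multi-part archive names such as backup.tar.gz are not flagged, because the check only fires when the inner extension is one a user would expect to be a harmless document or media file.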
Worms Like a virus but not dependent on a host; a worm can spread by itself. Unlike a virus, which requires a trigger such as opening an email attachment, a worm does not need a user action to begin to spread.
Worms Worms usually replicate until they clog all available resources. A typical symptom of a worm-infected computer is running slowly and rebooting unexpectedly.
Trojan Horses Trojan horses disguise themselves as valuable and useful software available for download on the internet. Most people are fooled by this ploy and end up downloading malware disguised as some other application.
Social Engineering Tricking or deceiving someone to gain access to a system. Phishing, Dumpster Diving, Password Peeking
Phishing Phishing e-mail messages or phone calls are designed to steal your identity. They ask for personal data, or direct you to Web sites or phone numbers to call where they ask you to provide personal data.
Forms of Phishing They might appear to come from your bank or financial institution, a company you regularly do business with, or from your social networking site.
Phishing Sample
Forms of Phishing They might appear to be from someone you know. Spear phishing is a targeted form of phishing in which an e-mail message might look like it comes from your employer, friend or family member.
Forms of Phishing Phone phishing scams direct you to call a customer support phone number. A person or an audio response unit waits to take your account number, personal identification number, password, or other valuable personal data. The phone phisher might claim that your account will be closed or other problems could occur if you don't respond.
Forms of Phishing They might include official-looking logos and other identifying information taken directly from legitimate Web sites, and they might include convincing details about your personal information that scammers found on your social networking pages.
Phishing Sample
Forms of Phishing They might include links to spoofed Web sites where you are asked to enter personal information.
Dumpster Diving Low-tech method to steal your personal information by digging through your discarded trash for credit card offers, medical statements, bills and other sensitive papers.
Password Peeking Visual peeking to obtain passwords or user codes.
Password Guessing Brute force, Dictionary attack, Rainbow tables
Brute Force Creating every possible combination by systematically changing one character at a time in a password. Programs are widely available on the internet that use brute force. L0phtCrack http://www.l0phtcrack.com/index.html
Dictionary attack Trying the words in an electronic dictionary as passwords. Generally more efficient than a brute force attack, because users typically choose poor passwords.
Rainbow Tables Contains a large pregenerated data set of nearly every possible password combination. Freely available online. Ophcrack http://ophcrack.sourceforge.net/
Physical Theft 60% of stolen data is due to laptop theft. Many mobile devices simply get left behind in places like cabs, subways, and airplanes. 10 to 15 percent of all handheld computers, PDAs, mobile phones, and pagers are eventually lost by their owners.
Improper Disposal Two MIT graduates published a study in which, over two years, they bought 158 used hard drives at second-hand computer stores and on eBay; on 69 drives they found recoverable files, including medical correspondence, credit card numbers and a year's worth of transactions from an Illinois ATM.
How to Prevent Attacks What you can and should do to protect your personal information and system integrity.
Malware Patch software: security updates designed to fix vulnerabilities. Computers can be configured to automatically receive patches.
Patch software Security updates. A broadly released fix for a product-specific security-related vulnerability. Security vulnerabilities are rated based on their severity, as critical, important, moderate, or low. Critical updates. A broadly released fix for a specific problem addressing a critical, non-security related bug.
Patch software Service Packs - A tested, cumulative set of hotfixes, security updates, critical updates, and updates, as well as additional fixes for problems found internally since the release of the product. Service Packs might also contain a limited number of customer-requested design changes or features.
Windows Update Settings
Malware Anti-virus software Must be continuously updated to recognize new viruses. Scan system weekly. Consider an internet security suite, which may include additional layers of defense: spam filters, firewall, pop-up blockers, phishing detectors, real-time threat alerts.
Kaspersky
Malware Removal Many applications are available to detect and remove malware that has infected your system. I recommend Malwarebytes, free version. It must be updated manually but is very effective.
Malwarebytes
Phishing Don't click on links within emails that ask for your personal information. No legitimate business would place links within emails. To check whether the message is really from the company or agency, call it directly or go to its Web site (use a search engine to find it).
Spoofing Do not rely on the text in the address bar as an indication that you are at the site you think you are. There are several ways to get the address bar in a browser to display something other than the site you are on.
Pop-ups Never enter your personal information in a pop-up screen. Legitimate companies, agencies and organizations don't ask for personal information via pop-up screens. Install pop-up blocking software to help prevent this type of phishing attack.
Attachments Only open email attachments if you're expecting them and know what they contain. Even if the messages look like they came from people you know, they could be from scammers and contain programs that will steal your personal information.
Verify If someone contacts you and says you've been a victim of fraud, verify the person's identity before you provide any personal information. Ask for the name of the person, agency or company, phone number, and the address. Get the main number from the phone book or the Internet, then call to find out if the person is legitimate.
Shop Securely Industry has developed technology that can scramble sensitive information, such as your credit card number, so that it can be read only by the merchant you are dealing with and your credit card issuer. This ensures that your payment information cannot be read by anyone else or changed along the way.
Online Payments There are several ways to determine if you have that protection when you are sending payment information on the web.
Online Payments Look for the picture of the unbroken key or closed lock in your browser window. Either one indicates that the security is operative. A broken key or any open lock indicates it is not.
https Look to see if the web address on the page that asks for your credit card information begins with "https:" instead of "http."
SSL Some web sites use the words "Secure Sockets Layer (SSL)" or a pop up box that says you are entering a secure area.
SSL Credentials SSL Certificates are credentials for the online world, uniquely issued to a specific domain and Web server and authenticated by the SSL Certificate provider. When a browser connects to a server, the server sends the identification information to the browser.
View Credentials Click the closed padlock in a browser window.
View Credentials Click the trust mark
Strong Passwords Must be at least 8 characters. Must contain a combination of letters, numbers, special characters, upper and lowercase. Don't reuse passwords. Use unique passwords for each application.
Passphrases Take a common phrase such as "Four score and seven years ago" and replace the spaces with numbers: Four1score2and3seven4years5ago. Use your favorite song title or poem.
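The Strong Passwords rules above can be checked together with the two guessing methods from the Brute Force and Dictionary attack slides. The following is an added example, not part of the original slides; the word list is a constructed assumption and the function names are hypothetical.

```python
import math
import string

# Constructed mini word list (assumption); real cracking dictionaries hold millions of entries.
COMMON_WORDS = {"password", "letmein", "qwerty", "dragon", "welcome", "123456"}

CLASSES = [
    ("lowercase letter", string.ascii_lowercase),
    ("uppercase letter", string.ascii_uppercase),
    ("number", string.digits),
    ("special character", string.punctuation),
]

def charset_size(pw):
    """Alphabet size a brute-force search must cover for this password."""
    return sum(len(chars) for _, chars in CLASSES if any(c in chars for c in pw))

def brute_force_bits(pw):
    """log2 of the candidate count for this length and alphabet (brute force only)."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0

def in_dictionary(pw):
    """True if the password is a listed word plus optional trailing digits or symbols."""
    lowered = pw.lower()
    core = lowered.rstrip(string.digits + string.punctuation)
    return lowered in COMMON_WORDS or core in COMMON_WORDS

def audit(pw, already_used=()):
    """Return the list of problems found; an empty list means every check passed."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    for label, chars in CLASSES:
        if not any(c in chars for c in pw):
            problems.append("no " + label)
    if in_dictionary(pw):
        problems.append("dictionary word")
    if pw in already_used:
        problems.append("reused")
    return problems

if __name__ == "__main__":
    for pw in ["Password1!", "qwerty", "Four1score2and3seven4years5ago"]:
        print(pw, round(brute_force_bits(pw), 1), audit(pw, already_used=["qwerty"]))
```

"Password1!" satisfies every composition rule yet is still flagged as a dictionary word, which is why the dictionary check is run separately from the length and character-class rules. The bit count measures the brute-force search space only and says nothing about how guessable a well-known phrase is.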
Password Safes KeePass is a free password manager. Put all your passwords in one database, which is locked with one master key. The databases are encrypted and you only have to remember one master password. http://keepass.info/
Keepass
Password Generators KeePass also contains an excellent password generator. Online programs are also available, such as: http://www.pctools.com/guides/password/ http://strongpasswordgenerator.com/
Keepass
Physical Theft Record serial numbers. Use ID tags. Never leave your laptop unguarded in a hotel or conference room. Never leave a laptop bag on a car seat in plain view. Lock it!
Recovery Services Simple software application: displays a lost message on the login screen; locks the device remotely; shreds data on your hard drive. May include GPS feature. http://yougetitback.com/laptop_superhero
Erasing Hard Drive Even reformatting a drive may not be enough to erase data. Darik's Boot and Nuke ("DBAN") is a self-contained boot disk that securely wipes the hard disks of most computers. Free. http://www.dban.org/about
Physically Destroy HD Smash your hard disk with a hammer. Pour paint on the hard disk platters. Drill holes through the drive case and shatter the hard drive platters inside it. Use a radial arm saw to cut the hard disk in two pieces. Put a few nails through the drive.
Software Downloads Download only from companies that are known to be malware-free and do not have a hidden motive for providing software.
The End Take Control. Be proactive! Plenty of free applications to protect your system online. If you need help (you are not alone!), ask experts or research online. Beware! It is getting worse, not better. If you do become a victim, report it.