INFOCOMM SEC_RITY is INCOMPLETE WITHOUT U. Be aware, responsible and secure!




Smack that HACKER! What you can do with these five online security measures: Firewall, Anti-virus, Scams, Update, Password

FASTEN UP!

The world is highly connected through the widespread use of infocomm technologies. Many activities can be performed over the Internet, such as conducting business, keeping in touch with family and friends, pursuing an education and shopping for goods and services. To fully enjoy the benefits and convenience of the Internet, we should be aware of the potential security threats that may affect us and take the necessary precautions to protect ourselves when we go online. This is because our computers can be compromised and used for malicious purposes, for example, to propagate viruses and worms or to commit cyber fraud. We not only lose our personal information but may become targets for organised crime.

FASTEN UP! is a set of essential security practices you can follow to protect yourself when you go online. Besides adopting these essential practices, we should also be aware of the latest techniques that hackers are using so as to protect our computers and personal information.

- Firewall: Install a personal firewall and use it correctly
- Anti-virus: Install anti-virus software and update its signature regularly
- Scams & Spam: Beware of emails and websites with great offers that sound too good to be true
- Update: Update operating systems and application software regularly
- Password: Create strong passwords and keep them safe

Remember to FASTEN UP! before you surf the Internet. More details regarding these tips can be found at www.singcert.org.sg/awareness

Bad freebie

Beware of Drive-by Downloads

Drive-by download refers to the automatic download of malicious software or malware like viruses, worms or Trojan horses. Drive-by downloads can happen by visiting a website, viewing an email message or by clicking on a pop-up window. One type of drive-by download uses legitimate websites which have been infected to propagate malware. If a website has weak security features, a hacker can append or inject malware to the website so that subsequent visitors who view or "drive by" the website will have the malware automatically downloaded to their computer.

SECURITY TIPS

- Keep your browser and operating system updated with the latest software patches.
- Do not allow the download and installation of dynamic or interactive content (Active Content) from unknown websites.
- Do not click on links in emails, instant messages or notifications that you receive in a social networking site unless you can verify their authenticity.
- When unsure about the authenticity (content, attachments, links), always check with the sender even when it appears to be from someone you know.

Plug and slay Blue screen of death

Prevent Autorun Attacks

Malicious software like viruses, worms and spyware may be automatically downloaded or executed when portable devices (e.g. external hard drives, flash drives, memory cards, MP3 players and digital photo frames) are connected to the computer. To achieve this, hackers exploit the auto run feature of computers. This feature prompts the computer to automatically launch installers and other software found in the portable devices connected to it. Hence, if a thumb drive containing malicious software is connected to a computer, the software may be automatically executed if the auto run feature is enabled.

SECURITY TIPS

- Do not use external devices from unknown or untrusted sources.
- Use anti-virus software to scan USB devices for malicious software before use.
- To reduce the risk of infection, disable the auto run feature. Click on files and installers manually to launch them.

Zombie PC

Protect Your Computer From Becoming A Zombie

A botnet is a group of computers that are remotely controlled via the Internet by a hacker and used for malicious purposes, without the knowledge of their owners. Each compromised computer (known as a zombie) is set up to exploit and infect other computers and turn them into zombies, further enlarging the botnet.

Botnets can be used to perform distributed denial-of-service (DDoS) attacks against governments or private organisations, bringing down their online services (e.g. Government websites, Internet banking and media websites). This is accomplished by directing the vast number of zombies to simultaneously make requests to a particular online service, thereby crippling its ability to handle legitimate requests. The service thus becomes inaccessible.

Botnets may also be used for other nefarious activities like sending out spam, phishing emails or stealing information like login credentials (e.g. user ID and password) and sensitive corporate or personal information.

SECURITY TIPS

- Do not click on links or download attachments in emails, instant messages or notifications that you receive in a social networking site unless you can verify their authenticity. This reduces the risk of inadvertently downloading malicious software (e.g. virus, worm and Trojan) into your computer.
- When unsure about the authenticity (content, attachments, links), always check with the sender even when it appears to be from someone you know.
- Turn off your computer and Internet connection when they are not in use. A computer that has an always-on Internet connection has a higher risk of getting infected by malicious software.

Duped SEND AMOUNT LEFT IN BANK ACCOUNT: $0.00

Beware of Social Engineering Attacks

Hackers may employ different social engineering techniques to manipulate victims into performing activities that they would not normally do, like clicking on links in spam emails or divulging confidential information via online forms.

A social engineering attack may come in the form of a scam email or an instant message that contains a link to a fake e-card site. This type of attack usually takes advantage of festive seasons and the fact that users may be expecting e-cards from friends or relatives. Similarly, the attack may also be in the form of links to the latest terrorist attack news video from a seemingly legitimate news network. By exploiting significant events such as festive seasons and national disasters, hackers attempt to lure users into clicking and downloading malicious software to their computers.

Another emerging trend is to use the popularity of social networking sites and instant messaging tools to propagate malicious software by attempting to exploit the trust that users have in their friends.

SECURITY TIPS

- Do not click on links or download attachments in emails, instant messages or notifications that you receive in a social networking site unless you can verify their authenticity.
- When unsure about the authenticity (content, attachments, links), always check with the sender even when it appears to be from someone you know.

Fear factor

Beware of Scareware

Scareware refers to the use of unethical marketing practices to trick victims into downloading and purchasing useless and potentially dangerous security software. By instilling fear, uncertainty or doubt into their victims, hackers trick these users into buying fake security software to fix a non-existent problem.

A scareware scam may come in the form of web browser pop-ups that appear while the user is surfing a legitimate website. The pop-up, which resembles a Windows system message, usually warns of viruses or critical problems detected on the user's computer. It may also offer the user an option to purchase fake security software that supposedly removes the virus or problem. Hence, fearing the loss of invaluable data, the victim proceeds to provide personal and credit card information to purchase and download the fake security software.

SECURITY TIPS

- When closing pop-ups, use <Alt> <F4>; do not click the X, OK or Cancel buttons.
- Do not allow the download and installation of dynamic or interactive content (Active Content) from unknown websites.
- Do not install software from unknown or untrusted sources; always verify the source and reputation of the vendor.

Hooked

Beware of Spear Phishing Attacks

Spear phishing is a more sophisticated form of social engineering attack where hackers send customised scam emails targeting a select group of people, such as employees or members within a certain organisation or government agency. The emails aim to trick the potential victims into revealing confidential information or getting them to download malicious software (malware).

To make these scam emails even more deceptive, they often have forged sender email addresses that appear to have come from organisations or individuals that the potential victims are familiar with, e.g. emails seemingly from your employer or IT support colleague. To customise the attack, hackers often obtain information on their targets through websites, blogs and social networking sites.

SECURITY TIPS

- Use a phishing filter, which is built into many email programs and web browsers.
- Look for possible errors in the sender's email address (e.g. john_tan@b4nk.com.sg).
- Limit the amount of personal information you put online (e.g. in social networking sites).
- Do not visit unknown or untrusted websites or follow links provided by unknown or untrusted sources; enter the website address manually in your browser.
- When unsure about the authenticity (content, attachments, links), always check with the sender through phone or other means even when it appears to be from someone you know. Do not reply directly to the email. Do not rely on the contact information provided in the questionable email.

2 Become 1

Protect Your Online Identity From Theft

Social networking sites like Facebook, Twitter, LinkedIn and many other similar sites provide a convenient way to keep in touch with friends and business associates. These social networking sites encourage users to provide personal information such as name, relationship status, birth date, workplace information, schools attended and personal interests. Such information can be shared with friends or with the public at large.

Unfortunately, social networking sites also provide hackers with an easy way to harvest personal information for nefarious purposes. If you are not careful about whom you choose to share information with, a hacker could learn enough about you to impersonate you to scam your friends or commit fraud. Your online profile information may also give hackers clues to a potential username and password that you may use for other online accounts like email and Internet banking.

SECURITY TIPS

- Limit the amount of personal information you put online (e.g. phone number, physical address or full date of birth).
- Ensure your online account passwords do not contain personal information that could be easily guessed from contextual information found on your social networking profile (e.g. spouse's name, anniversary dates, favourite soccer team).
- Read and understand the privacy policies of the social networking sites you frequent and be aware of how they use your information.

Cheap Thrill

Beware Of Online Shopping Fraud

With a click of the mouse, shoppers can buy nearly any product online, from groceries and household goods to books and jewellery. Electronic commerce (or e-commerce) enables consumers to shop at any online store and pay for their purchases without leaving the comforts of home. On the flipside, this rapid growth of e-commerce has made online shopping fraud a profitable business for hackers.

Hackers may set up fraudulent online stores using hijacked brands like Amazon.com or put up products for sale on auction sites like eBay. Products on such sites are often sold at a discount, bundled with freebies or offered in "too good to be true" deals to entice buyers. In many instances, the purchased products are not delivered or are grossly misrepresented. Often, the consumer's credit card and personal data entered into the website are stolen by hackers. The captured information is then used to make purchases elsewhere or sold in the underground economy.

SECURITY TIPS

- Make online purchases from a secured computer. Avoid transacting from public internet cafes.
- Do not make purchases from online shops whose website addresses were received via suspicious emails, instant messages or social networking sites.
- Purchase only through a secured website. (e.g. website bearing the seal.)
- Check your bank statements regularly, especially after making purchases over the Internet, to ensure all transactions are valid. Contact your bank immediately should there be any payments you cannot identify.

Close Call

Protect Your Smart Phone & Data

Streaming video and music, accessing the Internet, emails and social networking sites on the move are some of the benefits provided by smart phones like BlackBerry and iPhone. Smart phones are no longer spared from viruses, phishing attacks and other information security threats. Their popularity, increasing computing power and always-on nature have made these mobile devices an obvious target for hackers.

Hackers may exploit your smart phone to install malware that steals the business contacts, business data and SMS stored on your phone. Some malware even allows hackers to listen in on your phone conversations and track your location using the phone's in-built GPS.

SECURITY TIPS

- Install security software for your smart phone. Some of the security features provided by smart phone security software include:
  - Anti-virus that prevents viruses and Trojan horses from infecting your smart phone.
  - Anti-snoopware to prevent malware from turning on your camera without your consent.
  - Firewall that blocks hackers from accessing your personal and business information.
  - SMS anti-spam that blocks SMS text and multimedia from unknown senders.
  - Remote data wipe feature to delete data on lost or stolen devices.
- Enable password protection on sensitive documents.
- Turn on the Bluetooth connection only when needed.

Heart-stopper HARD DISK ERASED!

Report Virus Infections & Hacking Incidents

Your computer may behave abnormally when it has been infected by malicious software. Computers that suddenly run at an exceptionally slow speed, hard disks starting up when you are not working at your computer and unexpected connections by your computer to the Internet are some examples of abnormal behaviour.

Perform a thorough check of your computer when you suspect it has been infected. If your computer has been hacked or infected, you should contact SingCERT to report the incident and for further advice on what to do.

SingCERT's contact details
Hotline: (65) 6211 0911
Email: cert@singcert.org.sg
Website: www.singcert.org.sg
Operating Hours: Mon-Thurs 8:30am - 6:00pm, Fri 8:30am - 5:30pm

BE AWARE, RESPONSIBLE AND SECURE!

IDA shall not be liable for any inaccuracy, error or omission in this publication or for any loss of income, arising or resulting from the contents of this publication or the use thereof for any purpose whatsoever.

COPYRIGHT March 2010 Infocomm Development Authority of Singapore. All rights reserved. Reproduction without permission is prohibited.