RIT Information Security
585.475.4122
infosec@rit.edu
digital self defense
2
Copyright and Reuse
• The Digital Self Defense logo is the property of the Rochester
Institute of Technology and is lice...
3
What we’ll talk about today
• Basic information and computer
security
• Identity Theft, Phishing and Scams
• Safe social...
4/10 Symantec Internet Threat Report
How Bad is it?
In 2009:
• The education sector accounted for 20 percent of
data breac...
General Trends
• Malicious activity has become Web-
based and is shifting to developing
countries
– Malicious PDFs 49% of ...
6
Everyone is a target
• You have access to financial resources
– Lines of credit
– Bank accounts
• You have access to inf...
7
How Could I Become a Victim?
Attacks are complex
• Software vulnerabilities/configuration errors
– 4,392 ―easily exploit...
Malware
• Keyloggers
– Steal usernames, passwords, etc.
• Rootkits and bot software
– Attackers can remotely control compu...
9
Botnets & Zombie PCs
Large number of ―zombie‖ computers
infected with remote control software
• Send out spam, phishing,...
Avert Labs Malware Research
10
Retrieved July 24, 2009 from:
http://www.avertlabs.com/research/blog/index.php/2009/07/22/m...
Social Engineering
Aside from malware, people may also try
to steal your private information using:
• E-mails
• Instant me...
12
A Layered Defense
• Strong Passwords
• Patching
• Anti-Virus Protection
• Firewall
• Anti-Spyware Protection
• Physical...
Passwords
• Weak passwords can be guessed
– Automated programs
– Personal details
• Use different passwords
– How many acc...
14
Passphrases
• Series of words or
a sentence
• Examples
– MyT1gerIs0range
– Ritch1eTh3Tiger
Advantages:
• Easier to reme...
15
RIT Desktop Standard
Desktop and Portable Computer Standard
requires:
• Patching/Updating (automatic)
• Anti-Virus (aut...
But I own a Mac…
In 2008:
• Mac OS X had more disclosed
vulnerabilities than any other OS*
• Apple Safari web browser had ...
Patching
*4/08 Symantec Internet Threat Report
• 2,134 vulnerabilities in the second half
of 2007.*
– 73% were ―easily exp...
18
Patching/Updating
Patching:
• Fixes ―vulnerabilities‖ in software
You need to:
• Turn on auto-updating (Windows, Mac OS...
Anti-Virus Software
• Use an anti-virus software such as
McAfee, Norton, Avast, AVG, etc.
• Check with your ISP. They may ...
What Anti-Virus Protects Against
• Viruses
– Self-replicating software that attaches itself to
other programs and files
– ...
21
Firewalls
Firewalls
• Monitor and protect network ports
• Prevent unauthorized connections
You must use a firewall
• Wi...
Choosing a Firewall
• Windows XP Firewall
– Default with SP2
– Does not block outgoing connections
• ZoneAlarm Personal Fi...
23
Anti-Spyware
Spyware is:
―tracking software deployed without adequate
notice, consent or control for the user.‖
You nee...
24
How do You Get Spyware?
• Browser Vulnerabilities
– Links to malicious sites
– Following common search
terms
• Bundled ...
Limited User Accounts
Administrative/root user accounts
• Unnecessary level of access
Limited user accounts can prevent:
•...
26
Physical Protection
• Never leave your computer or
mobile device unattended
• Lock or log out
– Set a screensaver passw...
27
Know Your Computer!
Has your computer been acting different
than usual?
• Run anti-virus and antispyware
• Ask for help
28
Paranoia and Common Sense
Identity Theft
• What’s the problem with this picture?
29
30
Phishing
• Purpose
– ―verify/confirm/authorize‖ account or
personal information
• Source
– Appear to come from PayPal, ...
31
Targeted Phishing
• Sent to a specific community
• May include personal details
• Appears official
– Identical logos,
g...
32
How to Spot and Avoid Phishing
• Does it seem credible?
– Misspellings, bad grammar,
formatting errors
• File attachmen...
Phishing
33
34
Phishing Samples (APWG)
35
Phishing Website Tricks
• Similar names
– www.eday.com, www.ebay-secure.com,
www.paipall.com, www.yafoo.com
• Use of @ ...
Solutions
• Education and awareness
– Because social engineering such as
phishing relies on tricking consumers,
awareness ...
Solutions
• Safe computing practices provide a strong
defense against phishing:
– Never click on links directly from an em...
Solutions
• Software
– Although avoiding phishing attempts is typically
a matter of following safe practices, there are a
...
Browser extensions
• Netcraft Anti-Phishing toolbar (for IE & FF)
• Firefox extensions
– Adblock
– Noscript (only trusted ...
Netcraft
http://toolbar.netcraft.com/
• Giant neighborhood watch
scheme
– Blocks reported URLs, it is blocked for communit...
41
42
Other Phish/Scams
• Disaster events
– Hurricane Katrina
– Va. Tech shootings
• Celebrity/popular events
– Michael Jacks...
43
Student Identity Theft
The 18-29 age group reports more
identity theft than any other
• Shred sensitive documents
• Thi...
44
If You Think You’re a Victim…
Reporting identity theft:
• Law enforcement
• Your financial institutions
• Credit bureau...
45
Safer Social Networking
Do you use any social networking or blogging
websites such as Facebook or MySpace?
46
It’s Harmless, Right?
What kinds of things do people typically
post?
• Class schedule
• New cell phone number
• Details...
47
Who Else Uses Social Networking?
• Employers
– Estimated that up to 75% of employers
regularly ―google‖ or ―facebook‖ a...
48
What You Post Can Be Used To…
• Make judgments about your character
• Impersonate you to financial institutions
• Monit...
49
Not YourSpace
Would I be comfortable if this
were posted on a billboard?
The Internet is public space!
• Search results...
50
Use Social Networks Safely
Do:
• Make friends
• Use privacy settings
• Be conscious of the
image you project
Don’t:
• P...
51
Paranoia or Common Sense?
Guard your personal information!
– Even less sensitive information can
be exploited by an att...
Phishing on Social Network Sites
http://www.markmonitor.com/download/bji/BrandjackingIndex-Spring2009.pdf
52
Is this really your friend?
When ―friends‖ ask for money online
• Do they speak/write like your friend?
• Do they know any...
The First Line of Defense
Stay alert—you will be the first to know if
something goes wrong
– Are you receiving odd communi...
For more information
• Information Security web page
http://security.rit.edu
• RIT Information Security Facebook page
• St...
Online Phishing Quiz
• http://www.sonicwall.com/phishing/
56
Questions & Comments
infosec@rit.edu
http://security.rit.edu
Upcoming SlideShare
Loading in...5
×

Digital Self Defense (RRLC version)

1,659

Published on

Digital Self Defense workshop presented to Rochester Regional Library Conference on 10/25/10

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,659
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
0
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

Transcript of "Digital Self Defense (RRLC version)"

  1. 1. RIT Information Security 585.475.4122 infosec@rit.edu digital self defense
  2. 2. 2 Copyright and Reuse • The Digital Self Defense logo is the property of the Rochester Institute of Technology and is licensed under the Creative Commons Attribution-Non-Commercial-No Derivative Works 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-nd/3.0/us/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California 94105, USA. To request permission for other purposes, contact infosec@rit.edu. • The course materials are the property of the Rochester Institute of Technology and are licensed under the Creative Commons Attribution-Non-Commercial-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/us/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California 94105, USA. To request permission for other purposes, contact infosec@rit.edu.
  3. 3. 3 What we’ll talk about today • Basic information and computer security • Identity Theft, Phishing and Scams • Safe social networking
  4. 4. 4/10 Symantec Internet Threat Report How Bad is it? In 2009: • The education sector accounted for 20 percent of data breaches that could lead to identity theft during this period, more than any other sector • Financial was the top sector for identities exposed, accounting for 60 percent of the total • Theft or loss of computer or other data-storage medium was the cause of 20% of data breaches • Hacking was the cause of 60% • 2,895,802 new malicious code signatures, 51% of all- time total.
  5. 5. General Trends • Malicious activity has become Web- based and is shifting to developing countries – Malicious PDFs 49% of web-based attacks • Attackers targeting end users instead of computers • Underground economy consolidates and matures • Lowered barriers to entry—crimeware kits
  6. 6. 6 Everyone is a target • You have access to financial resources – Lines of credit – Bank accounts • You have access to information resources – Personal confidential information – Employer confidential information • You have access to network resources – High-bandwidth connections – Computing power
  7. 7. 7 How Could I Become a Victim? Attacks are complex • Software vulnerabilities/configuration errors – 4,392 ―easily exploitable‖ vulnerabilities in 2008* • Malicious Software/Malware – Viruses, worms, spyware, etc. • Social Engineering Attacks – Phishing scams – Target sensitive private information *4/09 Symantec Internet Threat Report
  8. 8. Malware • Keyloggers – Steal usernames, passwords, etc. • Rootkits and bot software – Attackers can remotely control computers – Botnets used to send out spam and phishing • Spyware and adware – Monitor your web activity 8 Copyright 2003 D. Seah Bigger than Cheese
  9. 9. 9 Botnets & Zombie PCs Large number of ―zombie‖ computers infected with remote control software • Send out spam, phishing, malware, in extremely large volumes • 75,158 active bot-infected computers daily High-volume attacks • Target insecure computers • ―Low-hanging fruit‖ Botnet illustration. Retrieved 18 July 2007. www.symantec.com *4/09 Symantec Internet Threat Report
  10. 10. Avert Labs Malware Research 10 Retrieved July 24, 2009 from: http://www.avertlabs.com/research/blog/index.php/2009/07/22/malware-is-their-businessand-business-is-good/
  11. 11. Social Engineering Aside from malware, people may also try to steal your private information using: • E-mails • Instant messages • Fake websites • Phone calls • Text messages • Face-to-face 11
  12. 12. 12 A Layered Defense • Strong Passwords • Patching • Anti-Virus Protection • Firewall • Anti-Spyware Protection • Physical Security • Paranoia & Common sense
  13. 13. Passwords • Weak passwords can be guessed – Automated programs – Personal details • Use different passwords – How many accounts can be accessed with just one of your passwords? – Password vaults 13
  14. 14. 14 Passphrases • Series of words or a sentence • Examples – MyT1gerIs0range – Ritch1eTh3Tiger Advantages: • Easier to remember • More secure than short complex passwords
  15. 15. 15 RIT Desktop Standard Desktop and Portable Computer Standard requires: • Patching/Updating (automatic) • Anti-Virus (automatic) • Firewall • Anti-Spyware Lock on keyboard graphic. Retrieved 18 July 2007. http://images.jupiterimages.com/common/detail/43/73/22847343.jpg
  16. 16. But I own a Mac… In 2008: • Mac OS X had more disclosed vulnerabilities than any other OS* • Apple Safari web browser had the longest wait for updates out of all major browsers** • Macs are not immune to online threats 16 *IBM Internet Security Systems X-Force 2008 Trend & Risk Report **Symantec Internet Security Threat Report
  17. 17. Patching *4/08 Symantec Internet Threat Report • 2,134 vulnerabilities in the second half of 2007.* – 73% were ―easily exploitable‖ • Patches close these vulnerabilities,
  18. 18. 18 Patching/Updating Patching: • Fixes ―vulnerabilities‖ in software You need to: • Turn on auto-updating (Windows, Mac OS X) • Check regularly for application updates (Adobe, Microsoft Office, etc.)
  19. 19. Anti-Virus Software • Use an anti-virus software such as McAfee, Norton, Avast, AVG, etc. • Check with your ISP. They may provide security software, including anti-virus.
  20. 20. What Anti-Virus Protects Against • Viruses – Self-replicating software that attaches itself to other programs and files – Moves from program to program, replacing each one with an infected version • Worms – Self-replicating software that does not need to attach itself to other programs and files – Moves from computer to computer over a network, searching for vulnerable hosts • Trojans – Software that appears to be something harmless (like a game or screen saver), but actually contains malicious code
  21. 21. 21 Firewalls Firewalls • Monitor and protect network ports • Prevent unauthorized connections You must use a firewall • Windows XP and Mac OS built-in firewalls • Third-party products Graphic of fire. Retrieved 18 July 2007. http://www.adrenalin.bc.ca/lazer/pix/firewall_2.jpg
  22. 22. Choosing a Firewall • Windows XP Firewall – Default with SP2 – Does not block outgoing connections • ZoneAlarm Personal Firewall – A little more sophisticated – Free license for personal use only • Router/Wireless Router – Does not block outgoing connections – Must change wireless router settings to make it secure
  23. 23. 23 Anti-Spyware Spyware is: ―tracking software deployed without adequate notice, consent or control for the user.‖ You need to: • Update and scan weekly – Automatic-updating and scheduling • Use multiple programs – http://security.rit.edu/students.html Computer ‘Spy’. Retrieved 18 July 2007. http://www.afcea.org/signal/articles/articlefiles/248- HSK_Spyware_computer-spy.jpg
  24. 24. 24 How do You Get Spyware? • Browser Vulnerabilities – Links to malicious sites – Following common search terms • Bundled with software • Malware – Disguised as anti-spyware programs or other popular freeware Stressed woman photo. Retrieved 18 July 2007. http://www.computermediconcall.com/images/computer-frustration.jpg
  25. 25. Limited User Accounts Administrative/root user accounts • Unnecessary level of access Limited user accounts can prevent: • Many types of malware and spyware/adware • Configuration changes – Malicious or accidental 25 Recommended
  26. 26. 26 Physical Protection • Never leave your computer or mobile device unattended • Lock or log out – Set a screensaver password • Don’t let others use without supervision – Know what devices are registered to your name Computer protection image. Retrieved 18 July 2007. http://www.allsquareinc.com/downloads/Love%20My%20Computer.jpg
  27. 27. 27 Know Your Computer! Has your computer been acting different than usual? • Run anti-virus and antispyware • Ask for help
  28. 28. 28 Paranoia and Common Sense
  29. 29. Identity Theft • What’s the problem with this picture? 29
  30. 30. 30 Phishing • Purpose – ―verify/confirm/authorize‖ account or personal information • Source – Appear to come from PayPal, banks, ISPs, IT departments, other official or authoritative sources • Tone – Appeals to fear, greed, urgency, sympathy
  31. 31. 31 Targeted Phishing • Sent to a specific community • May include personal details • Appears official – Identical logos, graphics, layout, content, etc.
  32. 32. 32 How to Spot and Avoid Phishing • Does it seem credible? – Misspellings, bad grammar, formatting errors • File attachments – Is it expected? If not, ignore it! • Never respond directly to e-mail requests for private information – Verify with company – Don’t click on links • Type in the web address as you normally would
  33. 33. Phishing 33
  34. 34. 34 Phishing Samples (APWG)
  35. 35. 35 Phishing Website Tricks • Similar names – www.eday.com, www.ebay-secure.com, www.paipall.com, www.yafoo.com • Use of @ in URLs – www.ebay.com/upd@aw-confirm.us/upd • Masked URLs – http://www.myspace.com/
  36. 36. Solutions • Education and awareness – Because social engineering such as phishing relies on tricking consumers, awareness education is a key component in reducing consumer losses to phishing. – A number of government and private entities have created web sites designed to educate consumers about the threats of phishing. These sites include • FTC OnGuard Online. • Anti-Phishing Working Group • MillerSmiles 36
  37. 37. Solutions • Safe computing practices provide a strong defense against phishing: – Never click on links directly from an email. – Use File/Properties to find out which website you are really on. – Look for the proper symbol to indicate you’re on a secure web site. • Secure web sites use a technique called SSL (Secure Socket Layer) that ensures the connection between you and the web site is private. • This is indicated by “https://” instead of “http://” at the beginning of the address AND by a padlock icon which must be found either at the right end of the address bar or in the bottom right-hand corner of your browser window. • A padlock appearing anywhere else on the page does not represent a secure site. 37
  38. 38. Solutions • Software – Although avoiding phishing attempts is typically a matter of following safe practices, there are a number of browser helpers available to help warn you of suspicious web sites. – Browser helpers normally work as another toolbar in your browser. Use one or more for your protection. – Internet Explorer 8 and Firefox 3 also provide limited protection by denying access to many known phishing sites. – Spam filters may also intercept many phishing attempts. 38
  39. 39. Browser extensions • Netcraft Anti-Phishing toolbar (for IE & FF) • Firefox extensions – Adblock – Noscript (only trusted domains) 39
  40. 40. Netcraft http://toolbar.netcraft.com/ • Giant neighborhood watch scheme – Blocks reported URLs, it is blocked for community members as they subsequently access the URL. – Widely disseminated attacks (people constructing phishing attacks send literally millions of electronic mails in the expectation that some will reach customers of the bank) simply mean that the phishing attack will be reported and blocked sooner. • The toolbar also: – Traps suspicious URLs containing characters which have no common purpose other than to deceive. – Enforces display of browser navigational controls (toolbar & address bar) in all windows, to defend against pop up windows which attempt to hide the navigational controls. – Clearly displays sites' hosting location, including country, helping you to evaluate fraudulent URLs (e.g. the real citibank.com or barclays.co.uk sites are unlikely to be hosted in the former Soviet Union). 40
  41. 41. 41
  42. 42. 42 Other Phish/Scams • Disaster events – Hurricane Katrina – Va. Tech shootings • Celebrity/popular events – Michael Jackson funeral • Nigerian 419 Schemes (Advance Fee Fraud) – Mutually beneficial business transactions – Unclaimed funds – Craigslist – Lottery schemes
  43. 43. 43 Student Identity Theft The 18-29 age group reports more identity theft than any other • Shred sensitive documents • Thieves want credit, not cash • Check your credit rating – www.ftc.gov/freereports – www.annualcreditreport.com • www.ed.gov/misused
  44. 44. 44 If You Think You’re a Victim… Reporting identity theft: • Law enforcement • Your financial institutions • Credit bureaus • FTC Web site – www.idtheft.gov
  45. 45. 45 Safer Social Networking Do you use any social networking or blogging websites such as Facebook or MySpace?
  46. 46. 46 It’s Harmless, Right? What kinds of things do people typically post? • Class schedule • New cell phone number • Details of upcoming vacation • Complaints about a co-worker or manager • Story about last weekend’s party
  47. 47. 47 Who Else Uses Social Networking? • Employers – Estimated that up to 75% of employers regularly ―google‖ or ―facebook‖ applicants • Identity Thieves – Names, birthdays, phone #’s, addresses, etc. • Online Predators – Schedules, whereabouts, weekend/vacation plans, etc. •Facebook Stalker (http://www.youtube.com/watch?v=wCh9bmg0zGg)
  48. 48. 48 What You Post Can Be Used To… • Make judgments about your character • Impersonate you to financial institutions • Monitor what you do and where you go – Theft – Harassment – Assault
  49. 49. 49 Not YourSpace Would I be comfortable if this were posted on a billboard? The Internet is public space! • Search results • Photo ―tagging‖
  50. 50. 50 Use Social Networks Safely Do: • Make friends • Use privacy settings • Be conscious of the image you project Don’t: • Post personal information • Post schedules or whereabouts • Post inappropriate photos
  51. 51. 51 Paranoia or Common Sense? Guard your personal information! – Even less sensitive information can be exploited by an attacker! – Don’t post it in public places – Know to whom you’re giving it • Watch out for Facebook Applications!! – A 2008 study found that 90.7% of apps had access to private user data (only 9.3% actually used the data) Macbook. Retrieved 18 July 2007. http://s7v1.scene7.com/is/image/JohnLewis/230407880?$product$
  52. 52. Phishing on Social Network Sites http://www.markmonitor.com/download/bji/BrandjackingIndex-Spring2009.pdf 52
  53. 53. Is this really your friend? When ―friends‖ ask for money online • Do they speak/write like your friend? • Do they know any details about you or themselves that do NOT appear on Facebook profile pages? • Do they refuse other forms of help, phone call requests, etc.? Just because it is your friend’s account does not mean that it’s your friend! 53
  54. 54. The First Line of Defense Stay alert—you will be the first to know if something goes wrong – Are you receiving odd communications from someone? – Is your computer sounding strange or slower than normal? – Has there been some kind of incident or warning in the news? Do something about it! – Run a scan – Ask for help
  55. 55. For more information • Information Security web page http://security.rit.edu • RIT Information Security Facebook page • Staysafeonline.info
  56. 56. Online Phishing Quiz • http://www.sonicwall.com/phishing/ 56
  57. 57. Questions & Comments infosec@rit.edu http://security.rit.edu

×