Recommended
More Related Content
What's hot
Viewers also liked
Viewers also liked (20)
Similar to Cyber Security for Everybody
Similar to Cyber Security for Everybody (20)
Recently uploaded
Recently uploaded (20)
Cyber Security for Everybody
- 1. Cyber Security for Everybody simple steps for defensive surfing Vahe Amirbekyan
- 2. Plans for today • Introduction • Internet ‘101’ • Steps to prevent cyber crime • Keep your PC clean (OS, Browser, security updates) • Know about Browser security • Never Trust Emails • Manage your Passwords Wisely • Defensive Online Shopping • Mind Open Access Points • Resources
- 3. Introduction • Cyber security is much like real life security, the same rules apply, e.g.: • Lock the doors • Don’t give away your keys • Stay away from dangerous places • Don’t talk to strangers • Don’t give your contact information to random acquaintances
- 4. Internet “plumbing” – quick 101 browser DNS Server www.google.com 1 74.125.19.103 2 Web Server HTTP request(s) 3 HTTP response(s) 4 plugins 5
- 6. Protect your PC! Data source: McAfee; NCSA Regularly check OS and S/W patches Install anti-virus/spyware/phishing/spam S/W Enable Firewalls Change H/W default passwords Download software only from trusted sources Update software on a regular basis!
- 7. Be aware of Browser (in)security browser plugins ! Browser is on the ‘frontline’ of our Internet adventure ! The HTML pages are not static documents anymore ! Browser scripting is very powerful but also poses a serious security threat It is possible to stay secure and get maximum features via: tuning your browser’s security settings regular clearing up browser’s file caches and cookies explicitly logoff your (bank, retail etc.) account as soon as you are done using a different browser for ‘adventurous surfing’
- 8. Don’t trust Emails (and phone calls, too) ! Emails are another ‘door’ to you computer – just like web sites – with the exception that you don’t even have to initiate the action ! Emails are easily faked – including the sender’s name and the reply-to address ! Most emails are easily ‘sniffed’ ! Malicious emails are widely used to: ! make you give away sensitive information (passwords, bank account numbers, SSN etc.) ! infect your computer with viruses ! SPAM you
- 9. ‘Phishing’ – the most popular way to steal your valuable data
- 12. Email: reducing the threat Never send sensitive information (e.g.: passwords, SSN, credit card number) via email Never open an email attachment if you are not sure about the email’s origin Never click on links directly from emails (if you clicked) Always pay attention to the address bar to see the real address of the site you are redirected to Use anti-phishing tools – toolbars or IE7 Use different account name and password for your email address Keep low profile – use your email address judiciously; use ‘lightweight’ email providers as a substitute
- 13. Manage your Passwords wisely ! Passwords are often the only way of identifying us ! Passwords can be ‘phished’, stolen, guessed… ! By taking over your password the fraudsters take over your cyber-identity Minimize the risk by following: Avoid simple passwords (never a single word from dictionary!), use special signs, digits, both upper and lower cases Use at least 6-10 characters long passwords Don’t use password as a super/sub-string of your login name Come out with your own password policy Don’t use the same password on multiple accounts Change your passwords regularly (at least once in 3 months) Whenever possible use two-factor authentication
- 14. Two-factor authentication There are three universally recognized factors for authenticating individuals: 'Something you know‘ (e.g.: password, PIN). 'Something you have‘ (e.g.: physical credit card, mobile phone, security token) 'Something you are‘ (e.g.: fingerprint, a retinal scan) A system is said to leverage Two-factor authentication when it requires at least two of the authentication form factors Two-factor authentication is virtually bullet-proof
- 15. Defensive Online Shopping Poorly secured online stores may lose your credit card/financial data! Know your online merchant Check if the URL you post the sensitive data into uses secure connection Don’t provide more information than needed for a transaction Keep good records Use one-time generated credit card numbers whenever possible Some online stores may be fake – temporary sites setup to collect your valuable data
- 16. Defensive Online Shopping on Check the feedback - any feedback lower than 98% is a risk Carefully read the item's description Contact the seller if you have any doubts Prefer items under eBay/PayPal cash back protection Always prefer paying by PayPal - avoid Instant Cash Transfer Services If received Second Chance Offer in the mailbox - always check its validity by logging into your eBay account's inbox Be careful with 'unusual' requests coming from other users - most probably it's a fraud Completely avoid off-eBay transactions
- 17. Mind Open Access Points ! Web traffic going via non-secure connection is easily readable by anybody else who shares the connection When setting up your own wireless network at home be sure to turn on the encryption (WPA, not WEP) When using public access points use VPN (Virtual Private Network) services to encrypt all the traffic –
- 18. Resources Cyber Security Glossary http://www.staysafeonline .org/basics/glossary.html Browsers: IE7 http://microsoft.com/windows/downloads/ie/getitnow.mspx Firefox http://www.mozilla.com/en-US/ Safari http://www.apple.com/safari/download/ Opera http://www.opera.com/ Tuning security zones on IE: http://www.spywarewarrior.com/uiuc/btw/ie/ie-opts.htm#security Trusted software download site: http://www.download.com/ Lightweight e-mailbox provider - http://mailinator.com/ PayPal/eBay security key http://ebay.com/securitykey or http://paypal.com/securitykey PayPal plugin https://www.paypal.com/us/cgi-bin/webscr?cmd=_vdc-hub eBay security tips http://pages.ebay.com/securitycenter/mrkt_safety.html VPN solutions http://anonymizer.com/, http://hotspotvpn.com, http://publicvpn.com/
- 19. Final words… Internet is a cyber-jungle! You are responsible for your own protection! You can achieve reasonable security by following simple rules! Any questions?
Editor's Notes
- We are ultimately responsible for our own security Never forget that the Internet is like any big city: Much of it is safe and relatively secure, but there are definitely places you don't want to go at all. When surfing around the Internet it's very easy to end up in a dark corner with a single click. Always be careful.
- HTTPS (Hyper Text Transfer Protocol Secure) encrypts the session with a digital certificate i.e., HTTP over SSL (Secure Sockets Layer) which can be used by Web browsers and HTTPS - capable client programs. So if the website begins with https:// instead of http://, it is a secure site (in terms of eavesdropping, tampering, or message forgery).
- Spyware Any software using someone's Internet connection in the background without their knowledge or explicit permission. Spyware applications are typically bundled as a hidden component of freeware or shareware programs that can be downloaded from the Internet; however, it should be noted that the majority of shareware and freeware applications do not come with spyware. Once installed, the spyware monitors user activity on the Internet and transmits that information in the background to someone else. Spyware can also gather information about e-mail addresses and even passwords and credit card numbers. Spam To indiscriminately send unsolicited, unwanted, irrelevant, or inappropriate messages, especially commercial advertising in mass quantities. Noun: electronic "junk mail". Spam can contain worms, viruses and other malicious code. Adware: Any software application which displays advertising banners while the program is running. The authors include additional code, which can be viewed through pop-up windows or through a bar that appears on the computer screen. Adware has been criticized because it usually includes code that tracks a user's personal information and passes it on to third parties, without the user's authorization or knowledge. Virus-scan all downloaded software
- Browser is on the ‘frontline’ – whenever you click a link, it’s taking the first hit of loading an unknown program to your PC and running it The HTML pages are not static documents anymore, instead they may run sophisticated scripts on the top of your browser Some web sites will not work, or will work in less capacity, if you block scripting – e.g. windows updater How many sites you regularly use? (wikipedia, facebook, amazon, cnn, espn, email, ebay…) How many new sites you visit? ActiveX is much more dangerous than other scripting languages (JavaScript, Flash etc.) – but it’s working on IE only Microsoft puts the responsibility of security on the end user via ‘security zones’ There is much less malware targeting Macintoshes than Windows, and much less for non-IE (Internet Explorer) browsers than for IE. User-generated contents… XSS – Mention the risk!
- by “most emails” I mean the ones which are not transmitted via secure connection
- Malicious email which looks like a valid email from one of your online service providers (bank, shop, phone company) Typically includes a link to ‘log on’ to your online account, redirects you to a fake website which looks exactly like the legitimate site Once you type in your login/pwd or other sensitive data, fraudsters get hold of it and can use it freely to get access to your money, do an identity theft etc. PHISHING IS NOT NECESSARILY TIED TO EMAILS, YOU CAN ALSO BE REDIRECTED TO A PHISHING SITE THROUGH OTHER MEANS
- Malicious email which looks like a valid email from one of your online service providers (bank, shop, phone company) Typically includes a link to ‘log on’ to your online account, redirects you to a fake website which looks exactly like the legitimate site Once you type in your login/pwd or other sensitive data, fraudsters get hold of it and can use it freely to get access to your money, do an identity theft etc.
- One of major banks came out with a nice anti-phishing solution… DID’T WORK. Was vulnerable to Man-in-the-middle attack.
- If email is claimed to be coming from online service providers, don’t click on the link; instead login to your account directly
- Passwords are often symbolized as keys – and they really are – so we should protect them appropriately The old pwd practice was: “Don’t write passwords down (and post-it on your monitor)” – but now it caused people choosing really dump dictionary passwords in order to remember them; nowadays it’s rather DO WRITE your passwords down (and keep the notes in your wallet); The best approach is to come out with your own password policy, e.g. have a constant prefix, add domain name to it and append constant postfix. Or have several level of passwords, for ones you don’t care you can use the same easily typable password
- Two-factor authentication is a system wherein two different methods are used to authenticate. Using two factors as opposed to one delivers a higher level of authentication assurance. There are three universally recognized factors for authenticating individuals. A system is said to leverage Two-factor authentication (T-FA) (or multi factor authentication) when it requires at least two of the authentication form factors mentioned above.
- Protect your privacy. Know what information the merchant is collecting about you, how it will be used, and if they share it with or sell it to others. Make sure to print or save electronically any records related to your online transactions Trust your instincts – the more "too-good-to-be-true" is the deal, the more suspicious it should be (there's a good chance that the site is both legitimate and reliable. But as with most things online or off, if you get a bad feeling about a store, skip it and shop somewhere else)
- Q: How many people shop on eBay?
- Q: how many of you use open wi-fi spots – such as internet cafes? How many have wireless internet setup at home? How many have it encrypted? In addition, public access points are vulnerable to DNS spoofing A virtual private network typically provides you with a private connection to your end destination. You use the public connection to connect to the internet, the client on your machine creates a secure connection (IPSec) to the service provider server, then all the traffic is tunneled through that connection.