1. Cyber Security for Everybody
simple steps for defensive surfing
Vahe Amirbekyan
2. Plans for today
• Introduction
• Internet ‘101’
• Steps to prevent cyber crime
• Keep your PC clean (OS, Browser, security updates)
• Know about Browser security
• Never Trust Emails
• Manage your Passwords Wisely
• Defensive Online Shopping
• Mind Open Access Points
• Resources
3. Introduction
• Cyber security is much like real life security, the same rules apply, e.g.:
• Lock the doors
• Don’t give away your keys
• Stay away from dangerous places
• Don’t talk to strangers
• Don’t give your contact information to random acquaintances
4. Internet “plumbing” – quick 101
[Diagram: browser → DNS server (1: www.google.com, 2: 74.125.19.103) → Web server (3: HTTP request(s), 4: HTTP response(s)) → browser plugins (5)]
6. Protect your PC!
Data source: McAfee; NCSA
Regularly check OS and S/W patches
Install anti-virus/spyware/phishing/spam S/W
Enable Firewalls
Change H/W default passwords
Download software only from trusted sources
Update software on a regular basis!
7. Be aware of Browser (in)security
! Browser is on the ‘frontline’ of our Internet adventure
! The HTML pages are not static documents anymore
! Browser scripting is very powerful but also poses a serious security threat
It is possible to stay secure and get maximum features via:
tuning your browser’s security settings
regularly clearing up browser’s file caches and cookies
explicitly logging off your (bank, retail etc.) account as soon as you are done
using a different browser for ‘adventurous surfing’
8. Don’t trust Emails (and phone calls, too)
! Emails are another ‘door’ to your computer – just like web sites – with the exception that you don’t even have to initiate the action
! Emails are easily faked – including the sender’s name and the reply-to address
! Most emails are easily ‘sniffed’
! Malicious emails are widely used to:
! make you give away sensitive information (passwords, bank account numbers, SSN etc.)
! infect your computer with viruses
! SPAM you
12. Email: reducing the threat
Never send sensitive information (e.g.: passwords, SSN, credit card number) via email
Never open an email attachment if you are not sure about the email’s origin
Never click on links directly from emails
(if you clicked) Always pay attention to the address bar to see the real address of the site you are redirected to
Use anti-phishing tools – toolbars or IE7
Use a different account name and password for your email address
Keep a low profile – use your email address judiciously; use ‘lightweight’ email providers as a substitute
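An added example, not from the slides, of the address-bar check above in code: it takes the real host from a link the way the browser's address bar shows it and flags anything that is not one of the user's own sites over HTTPS. The trusted site names are constructed for the demo.

```python
from urllib.parse import urlsplit

# Constructed sample: the sites the user actually banks/shops with
# (hypothetical names, not from the original slides).
TRUSTED_SITES = {"bank.example", "shop.example"}


def registered_domain(host):
    """Last two labels of a hostname: 'login.bank.example' -> 'bank.example'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url):
    """Classify a link the way a careful reader of the address bar would.

    Returns (verdict, reason). 'ok' only if the real host belongs to a
    trusted site and the connection is HTTPS; everything else is flagged.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https"):
        return "suspicious", "unexpected scheme %r" % parts.scheme
    if parts.username is not None:
        # 'https://bank.example@evil.test/': the real host is what follows '@'
        return "suspicious", "user-info before '@' hides the real host %r" % host
    if registered_domain(host) not in TRUSTED_SITES:
        # 'bank.example.evil.test' is registered under evil.test, not bank.example
        return "suspicious", "real host %r is not one of your sites" % host
    if parts.scheme != "https":
        return "insecure", "sensitive data would travel in clear text to %r" % host
    return "ok", "host %r belongs to a trusted site over HTTPS" % host
```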
13. Manage your Passwords wisely
! Passwords are often the only way of identifying us
! Passwords can be ‘phished’, stolen, guessed…
! By taking over your password the fraudsters take over your cyber-identity
Minimize the risk by following these rules:
Avoid simple passwords (never a single word from the dictionary!); use special signs, digits, both upper and lower case
Use passwords at least 6-10 characters long
Don’t use a password that is a super- or sub-string of your login name
Come up with your own password policy
Don’t use the same password on multiple accounts
Change your passwords regularly (at least once in 3 months)
Whenever possible use two-factor authentication
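The rules above as a checker, added here as an example rather than taken from the slides: each rule that a candidate password breaks is reported by name. The word list is a constructed stand-in for a real dictionary, and the 10-character minimum takes the stricter end of the slide's 6-10 range.

```python
import string

# Constructed mini word list standing in for a real dictionary (hypothetical).
DICTIONARY = {"password", "welcome", "dragon", "monkey", "letmein", "sunshine"}
MIN_LENGTH = 10  # the slide says 6-10 characters; this takes the stricter end


def check_password(password, login, previous=()):
    """Return the list of rules the password violates (empty list = acceptable).

    `previous` is the set of passwords already used on other accounts, so the
    'never reuse' rule can be checked too.
    """
    problems = []
    low = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if low in DICTIONARY:
        problems.append("is a single dictionary word")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special sign")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("not mixed case")
    lg = login.lower()
    if lg and (lg in low or low in lg):
        problems.append("is a sub- or super-string of the login name")
    if password in previous:
        problems.append("already used on another account")
    return problems
```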
14. Two-factor authentication
There are three universally recognized factors for authenticating individuals:
‘Something you know’ (e.g.: password, PIN)
‘Something you have’ (e.g.: physical credit card, mobile phone, security token)
‘Something you are’ (e.g.: fingerprint, a retinal scan)
A system is said to leverage Two-factor authentication when it requires at least two of the authentication form factors
Two-factor authentication is virtually bullet-proof
15. Defensive Online Shopping
Poorly secured online stores may lose your credit card/financial data!
Know your online merchant
Check if the URL you post the sensitive data into uses a secure connection
Don’t provide more information than needed for a transaction
Keep good records
Use one-time generated credit card numbers whenever possible
Some online stores may be fake – temporary sites set up to collect your valuable data
16. Defensive Online Shopping on
Check the feedback - any feedback lower than 98% is a risk
Carefully read the item's description
Contact the seller if you have any doubts
Prefer items under eBay/PayPal cash back protection
Always prefer paying by PayPal - avoid Instant Cash Transfer Services
If you receive a Second Chance Offer in your mailbox - always check its validity by logging into your eBay account's inbox
Be careful with 'unusual' requests coming from other users - most probably it's a fraud
Completely avoid off-eBay transactions
17. Mind Open Access Points
! Web traffic going via a non-secure connection is easily readable by anybody else who shares the connection
When setting up your own wireless network at home be sure to turn on the encryption (WPA, not WEP)
When using public access points use VPN (Virtual Private Network) services to encrypt all the traffic –
19. Final words…
The Internet is a cyber-jungle!
You are responsible for your own protection!
You can achieve reasonable security by following simple rules!
Any questions?
Editor's Notes
We are ultimately responsible for our own security
Never forget that the Internet is like any big city: Much of it is safe and relatively secure, but there are definitely places you don't want to go at all. When surfing around the Internet it's very easy to end up in a dark corner with a single click. Always be careful.
HTTPS (Hyper Text Transfer Protocol Secure) is HTTP over SSL (Secure Sockets Layer): the server presents a digital certificate and the session is encrypted. It can be used by Web browsers and other HTTPS-capable client programs. So if the website address begins with https:// instead of http://, the site is secure in terms of eavesdropping, tampering, or message forgery.
Spyware
Any software using someone's Internet connection in the background without their knowledge or explicit permission. Spyware applications are typically bundled as a hidden component of freeware or shareware programs that can be downloaded from the Internet; however, it should be noted that the majority of shareware and freeware applications do not come with spyware. Once installed, the spyware monitors user activity on the Internet and transmits that information in the background to someone else. Spyware can also gather information about e-mail addresses and even passwords and credit card numbers.
Spam
To indiscriminately send unsolicited, unwanted, irrelevant, or inappropriate messages, especially commercial advertising in mass quantities. Noun: electronic "junk mail". Spam can contain worms, viruses and other malicious code.
Adware:
Any software application which displays advertising banners while the program is running. The authors include additional code, which can be viewed through pop-up windows or through a bar that appears on the computer screen. Adware has been criticized because it usually includes code that tracks a user's personal information and passes it on to third parties, without the user's authorization or knowledge.
Virus-scan all downloaded software
Browser is on the ‘frontline’ – whenever you click a link, it’s taking the first hit of loading an unknown program to your PC and running it
The HTML pages are not static documents anymore; instead they may run sophisticated scripts on top of your browser
Some web sites will not work, or will work in less capacity, if you block scripting – e.g. windows updater
How many sites do you regularly use? (wikipedia, facebook, amazon, cnn, espn, email, ebay…) How many new sites do you visit?
ActiveX is much more dangerous than other scripting languages (JavaScript, Flash etc.) – but it works on IE only
Microsoft puts the responsibility of security on the end user via ‘security zones’
There is much less malware targeting Macintoshes than Windows, and much less for non-IE (Internet Explorer) browsers than for IE.
User-generated content… XSS – Mention the risk!
By “most emails” I mean the ones which are not transmitted via a secure connection
Malicious email which looks like a valid email from one of your online service providers (bank, shop, phone company)
Typically includes a link to ‘log on’ to your online account, redirects you to a fake website which looks exactly like the legitimate site
Once you type in your login/pwd or other sensitive data, fraudsters get hold of it and can use it freely to get access to your money, do an identity theft etc.
PHISHING IS NOT NECESSARILY TIED TO EMAILS, YOU CAN ALSO BE REDIRECTED TO A PHISHING SITE THROUGH OTHER MEANS
One of the major banks came out with a nice anti-phishing solution… DIDN’T WORK. Was vulnerable to a Man-in-the-middle attack.
If email is claimed to be coming from online service providers, don’t click on the link; instead login to your account directly
Passwords are often symbolized as keys – and they really are – so we should protect them appropriately
The old pwd practice was: “Don’t write passwords down (and post-it on your monitor)” – but now it has caused people to choose really dumb dictionary passwords in order to remember them; nowadays it’s rather DO WRITE your passwords down (and keep the notes in your wallet);
The best approach is to come up with your own password policy, e.g. have a constant prefix, add the domain name to it and append a constant postfix. Or have several levels of passwords; for the ones you don’t care about you can use the same easily typable password
Two-factor authentication is a system wherein two different methods are used to authenticate. Using two factors as opposed to one delivers a higher level of authentication assurance. There are three universally recognized factors for authenticating individuals. A system is said to leverage Two-factor authentication (T-FA) (or multi factor authentication) when it requires at least two of the authentication form factors mentioned above.
Protect your privacy. Know what information the merchant is collecting about you, how it will be used, and if they share it with or sell it to others.
Make sure to print or save electronically any records related to your online transactions
Trust your instincts – the more "too-good-to-be-true" is the deal, the more suspicious it should be (there's a good chance that the site is both legitimate and reliable. But as with most things online or off, if you get a bad feeling about a store, skip it and shop somewhere else)
Q: How many people shop on eBay?
Q: How many of you use open wi-fi spots – such as internet cafes?
How many have wireless internet setup at home? How many have it encrypted?
In addition, public access points are vulnerable to DNS spoofing
A virtual private network typically provides you with a private connection to your end destination. You use the public connection to connect to the internet, the client on your machine creates a secure connection (IPSec) to the service provider server, then all the traffic is tunneled through that connection.