The document summarizes the most dangerous places on the web according to threat levels. It discusses email inboxes, video download sites, websites using Flash, social networks, ad-supported sites, Twitter, search engines, downloaded PDF files, hacked legitimate sites, fake anti-virus programs, torrent sites, and provides tips for staying safe online such as keeping software updated, using passwords wisely, and backing up data regularly. The overall message is to be cautious of links, attachments, and downloads from untrusted sources that could enable malware infections or data theft.
4. Your E mail Inbox
• Moderately Dangerous
• Email attachments carrying malware are the most
common way attackers get into your computer.
– Viruses
– Worms
– Trojan Horses
– Rootkits
• Phishing: The act of sending an email to a user
falsely claiming to be an established legitimate
enterprise in an attempt to scam the user into
surrendering private information that will be used
for identity theft.
5. Your E mail Inbox
If you have to go there:
• Delete suspicious emails with attachments
• Be sure that your anti-virus software is
configured to scan incoming email
• Update your virus definitions files “regularly”
• Look for spelling and grammar errors
• Look for faked or numerical URLs
– www.warstaw.ly/www.citibank.com
– http://200.215.16.194/
• Call the company that sent you the message, but
don’t use the phone number in the email
6.
7.
8.
9.
10. Video Download S ites
• Moderately Dangerous
• Hackers exploit flaws in video players like
QuickTime and Windows Media Player
• These can trigger bugs that let attackers in to
spy on your computer activity, plant other
malware, and more
• Or you may be prompted to install an additional
codec which could be infected
11. Video Download S ites
If you have to go there:
• Keep your player software up to date
• Avoid downloading videos at random
• Stick to well-known video sites such as YouTube
or to download services like iTunes
12. Webs ites that Us e Flas h
• Moderately Dangerous
• Adobe’s Flash is widely used to display video
• Flash cookies can track the sites you visit
• When you delete your browser cookies, Flash
cookies get left behind
13. Webs ites that Us e Flas h
If you have to go there:
• Keep your Flash browser plug-ins up to date
with get.adobe.com/flashplayer/
14. Webs ites that Us e Flas h
If you have to go there:
• If you use Firefox as your browser, download
Better Privacy at
www.pcworld.com/downloads/file/fid,80462/description
• If not, go to
www.macromedia.com/support/documentation/en/flashp
and follow the instructions there
15. S oc ial Networks
• Moderately Dangerous
• Way too much sharing of information
• Information stays on the Web
permanently
16. S oc ial Networks
If you have to go there:
• This threat is easy to avoid with just a
little common sense
• Be mindful of what you post
• Be certain to check your privacy settings
17. J us t A bout A ny A d-S upported S ite
• Moderately Dangerous
• Cybercriminals have taken out ads on popular
web sites to lure in victims
• Even the NY Times web site has been affected
• As has Google’s Sponsored Link ad program
• Ads that look like links to major companies’
websites redirect you to sites containing
malware
18. J us t A bout A ny A d-S upported S ite
If you have to go there:
• Move your mouse pointer to the link and hover
over it. In the lower right corner of the
screen you will see the URL of the site to
which a click would take you
• Inspect it carefully, and if it looks suspicious,
don’t go there
19.
20. Twitter
• Very Dangerous
• Because of the 140 word limit on a “tweet,”
Twitter relies heavily on shortened URLs
• It is very simple to hide malware or scams
behind shortened URLs
21. Twitter
If you have to go there:
• Simply don’t click on shortened links
(but that takes all the fun out of it!)
• Use a Twitter client app. Tweet Deck (
http://www.tweetdeck.com/desktop/) has a preview
feature that lets you see the full URL
• Another alternative is http://www.expandmyurl.com/
22. S earc h E ngines
• Very Dangerous
• “Search engine poisoning” is the practice of
building tainted sites that are designed to rank
high in a search for a given topic
• Breaking news topics, facebook, and female
rock, tv and movie stars are frequent examples
23. S earc h E ngines
If you have to go there (and you do)
• Pick and choose which search results to click on
• Check each URL first to make sure that it
really leads you to the site you want
• Use tools like
AVG’s Link Scanner (linkscanner.avg.com),
McAfee’s SiteAdvisor (www.siteadvisor.com),
or Web of Trust (www.mywot.com)
to help identify malicious sites
24.
25. Downloaded PDF Files
• Very Dangerous
• PDF files can be crafted so that they trigger bugs in
Adobe Reader and Adobe Acrobat
• Downloaded, they can let an attacker commandeer
your PC and access your files and personal
information
• A newer variant can take an otherwise innocent PDF
and insert malware into it
• According to security firm Symantec, in 2009
attacks using malicious PDFs made up 49% of all
Web-based attacks
26. Downloaded PDF Files
If you have to go there:
• Make sure you always have the latest version of
Adobe Reader
• Better still, use a different PDF reader
– Foxit
(http://www.foxitsoftware.com/pdf/reader/)
– Sumatra (
http://blog.kowalczyk.info/software/sumatrapdf/free-pdf-re
)
– Nuance
(
http://www.nuance.com/for-business/by-product/pdf/pdfread
)
27.
28. Hacked Legitimate S ites
• Downright Unsafe
• In a common attack method, criminals will hack
a Web page, often on a legitimate site, and
insert code that will download malware to your
computer
29. Hacked Legitimate S ites
If you have to go there:
• Keep your security software up to date
• Run regular malware scans
• Try a program like WinPatrol that takes snapshot of
your critical system resources and alerts you to any
changes that may occur without your knowledge. (
http://www.winpatrol.com/)
30. Fake A nti-Virus Programs
• Downright Unsafe
• Fake anti-virus programs are contained in pop-
up windows on legitimate web sites
• They typically report finding a virus, even
though your computer is actually clean.
• The software might also fail to report viruses
when your computer is infected.
• Sometimes, when you download rogue security
software, it will install a virus or other
malicious software on your computer so that the
software has something to detect
31. Fake A nti-Virus Programs
• Downright Unsafe
• Once downloaded, the trial version will nag you
for a purchase
• When you buy, the criminals will steal your
credit information
32. Fake A nti-Virus Programs
• Downright Unsafe
• Rogue security software might also:
– Lure you into a fraudulent transaction (for
example, upgrading to a non-existent paid version
of a program).
– Install malware that can go undetected as it steals
your data.
– Launch pop-up windows with false or misleading
alerts.
– Slow your computer or corrupt files.
– Disable Windows updates or disable updates to
legitimate antivirus software.
– Prevent you from visiting antivirus vendor websites.
33. Fake A nti-Virus Programs
If you have to go there:
• If you get an alert saying you’re infected with
malware, but it didn’t come from software you
knowingly installed:
– Immediately stop what you are doing
– Close the browser (end the task) using Task
Manager. Don’t click on the close button!
– Try booting into Safe Mode and running a scan
– In no case should you download the suggested
software or run the suggested system check
34. Torrent S ites
• Downright Unsafe
• Most often used for sharing pirated music,
videos, or software
• Which can easily contain malware
• By comparison, many porn sites are
deemed trustworthy
35. Torrent S ites
If you have to go there:
• Don’t use your primary computer
• Use anti-virus software and keep it updated
• Scan downloaded files
• Wait a couple of days before opening them;
scan again before opening
37. Tip #1
• Ensure that you have antivirus software
installed and that it is updated at least
once a week, either manually or
automatically. Check occasionally to
ensure that it really is up to date. If
your antivirus software subscription has
expired, renew it as a matter of
urgency.
38. Tip #2
• Never click on a link within an email
message, or download an attachment
linked to an email message, unless you
are 100% confident that the source can
be trusted. If in doubt, just delete the
message. Remember, banks never email
you to ask you to log in to your account.
39. Tip #3
• If you haven't turned on the firewall in
Windows, do so. To learn how to do this,
click on Start, then Help and Support.
Type “firewall” (no quotes) in the search
box and press Enter.
40. Tip #4
• Ensure that you have enabled the
Automatic Updates feature in Windows.
To learn how to do this, click on Start,
then Help and Support. Type “windows
updates” (no quotes) in the search box
and press Enter.
41. Tip #5
• If you have a broadband or cable router
that is providing wifi access, you must
enable encryption. Without encryption,
neighbours and strangers can access your
internet connection and, possibly, the
files on your PC. WEP encryption is an
older standard and is not as strong as
WPA, but is better than nothing if your
router doesn't support WPA.
42. Tip #6
• If you are using your computer for online
shopping, always buy from sites run by
reputable companies that you trust.
• If you use online banking, or other online
services where security is paramount,
always use a different password for each
bank or site.
43. Tip #7
• Before entering personal information such
as a password or your credit card
number into a web site, check that the
address of the site starts with https
(sometimes accompanied by a picture of
a padlock).
• An example:
44.
45. Tip #8
• If you have confidential documents
stored on your PC you should therefore
consider the use of an encryption
program, or look up details on how to use
the EFS (Encrypting File System) feature
built into Windows.
• (I use lockdir.exe available at
http://www.filecluster.com/downloads/KaKa-Fo
)
46. Tip #9
• Make copies of all the important files
that are on your computer, such as
documents, emails, photographs, music
tracks, video clips, and so on. The most
convenient way to do this is to use an
external USB hard drive or a “flash
drive", depending on how much data you
have. Never keep your backup near your
computer.
47. Keeping S oftware Up to Date
Secunia is a FREE security tool designed to
detect vulnerable and out-dated programs and
plug-ins which expose your PC to attacks.
http://secunia.com/vulnerability_scanning/online
http://secunia.com/vulnerability_scanning/personal/
48. S ummary
• Keep up on patches and version updates
• Be password smart
• Use security software
• Back up your data regularly
• If it sounds too good to be true. . .well, you
know the rest
• Assume that everyone is out to get you
Stay up-to-date, Stay paranoid, Stay protected
49. S ome S ites that Make it Worthwhile
• YouTube (www.youtube.com)
• The Drudge Report (www.drudgereport.com)
• The Art Project (www.googleartproject.com)
• Government Made Easy (www.usa.gov)
• US1 Events Search (princetoninfo.com/index.php?option
=com_us1event&Itemid=2)
50. This presentation is available on the Web at
www.joelmay.org/presentations
The E nd
Editor's Notes
Antivirus software stops viruses and trojans getting onto your computer. Such "malware" could allow remote hackers to access your files and see what you're typing. Obsolete software won't protect you from new viruses, or new strains of existing viruses.
Viruses, trojans, password stealers and other types of "malware" often spread by automatically emailing themselves to potential victims. Clicking on an untrustworthy attachment is like inviting a burglar through your front door - it bypasses any protection offered by your firewall.
It will help to protect you from hackers on the internet. It will also help to prevent any rogue software which finds its way onto your PC from making contact with outside hackers.
. This will ensure that security patches issued by Microsoft will be downloaded and installed automatically on your computer.
If you provide your credit card details to a company that you haven't heard of, there's a chance that the company might be fraudulent and might misuse your information. If someone discovers or guesses your password, that password is only valid for one site rather than multiple sites.
The https prefix and the closed padlock symbol means that all the information which you type into the web site will be encrypted before being sent to the site, thus ensuring that hackers can't intercept it. Also, companies which use https sites are easier to trace should anything go wrong.
If someone were to steal your computer, they could read all the files stored on it, even if you have configured Windows to ask for a username and password for each user. Encrypting the files prevents this.
If your computer breaks, or is lost or stolen, you risk losing all of the information stored on it. If you have backup copies of that information you can easily copy it to your new machine. By ensuring that you don't keep the backups near the computer, disasters such as a fire or a burglary won't result in you losing both the computer and the backup.