Surfing Safely: Security for the Masses

Nov 2, 2013

Kevin W. Wall, CISSP
kwwall@acm.org
http://www.wideopenwest.com/~kwwall/presentations/security/safe-surfing.ppt

Copyright © Kevin W. Wall. Some Rights Reserved.

This work is licensed under the Creative Commons® Attribution-NonCommercial-ShareAlike 2.5 License.
To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/2.5/

Overview

- What this talk is and is not
- Some security statistics
- Fundamental security tips
- Basic security ideas
- Fighting common problems
- Combating identity theft
- Worms and viruses
- Spyware / adware
- Common Internet scams

What This Talk Is… and Is Not

What it is…
- An attempt to give back to the community
- Make my job easier by having a smarter populace
- Focuses on Windows (specifically XP Home)
- Focuses on common problems

What it is not…
- An endorsement of particular products
- An attempt to sell services or consulting
- An offer to fix your computer (that’s why the others are here ;-)
- Comprehensive

Some Security Statistics

- One in four people see at least one scam e-mail a month (usually phishing).
- 23% of Americans affected by online identity theft.
- 70% of consumers thought fraudulent e-mails they received were from a legitimate company.
- 80% of PCs lack up-to-date anti-virus, spyware protection, or firewall.
- Most people surveyed believed their PCs were safe online.
- 4 minutes: Average amount of time a default install, unpatched Windows XP SP1 system lasted on the Internet before being compromised.

Fundamental Security Tips

Jeff Richards’ Laws of Data Security:
1. Don’t buy a computer.
2. If you buy a computer, don’t turn it on.

To which Matt Bishop added:
3. If you’ve already turned on your computer, don’t connect it to the Internet.

Kevin Wall’s Corollary:
4. If you do connect to the Internet, use nothing faster than a 300 baud modem, as this will slow down the rate your PC is infected with viruses, worms, and spyware.

Fundamental Security Tips (The Real Ones)

1. Regularly back up your PC.
2. Enable auto-updates.
   Minimally for Windows, your anti-virus software, your anti-spyware software, and your browser.
3. Log in using a “limited” account for normal work.
4. Install and configure a firewall.
5. Install and configure anti-virus and anti-spyware software so they are always active.
6. If possible, switch to less “targeted” software.
7. Don’t surf to “seedy” sites.
8. Don’t open unexpected e-mail attachments.
9. Secure your WiFi connections at home.
10. Pick strong passwords and use software to manage them.

Strong Passwords: An Example

Example: TLhdgt4u,&wafwj.

Mnemonic: The LORD has done great things for us, and we are filled with joy. (Psalm 126:3 NIV)

Letters taken from each word: T(he) L(ORD) h(as) d(one) g(reat) t(hings) 4(for) u(s), &(and) w(e) a(re) f(illed) w(ith) j(oy).

Technique: Use the first letter of each word, include punctuation, and change some words to digits or symbols.

(Shameless plug) more techniques and examples at:
http://www.wideopenwest.com/~kwwall/presentations/security/good-passwords.html
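As an added illustration (not part of the talk and not the author's code), the mnemonic technique above written out as a small Python function: the first letter of each word is kept with its case, punctuation is kept verbatim, and a few words are swapped for digits or symbols. The substitution table, the `mnemonic_password` and `strength_report` names, and the length/character-class thresholds are assumptions for this example; with this table the talk's own sentence produces the talk's own password.

```python
import re
import string

# Word-to-symbol substitutions. "for" -> "4" and "and" -> "&" reproduce the
# talk's example; the remaining entries are constructed additions for this
# example. Any table works as long as it is applied consistently.
SUBSTITUTIONS = {
    "for": "4",
    "and": "&",
    "to": "2",
    "at": "@",
    "you": "u",
}

# A token is either a word (letters and apostrophes) or one punctuation mark.
_TOKEN = re.compile(r"[A-Za-z']+|[^\sA-Za-z']")


def mnemonic_password(phrase: str) -> str:
    """Derive a password from a memorable sentence.

    Rule from the talk: first letter of each word (case preserved),
    punctuation kept as-is, some words replaced by digits or symbols.
    """
    out = []
    for tok in _TOKEN.findall(phrase):
        if tok[0] in string.ascii_letters:
            word = tok.lower().strip("'")
            out.append(SUBSTITUTIONS.get(word, tok[0]))
        else:
            out.append(tok)  # punctuation is kept verbatim
    return "".join(out)


def strength_report(password: str) -> dict:
    """Cheap structural check: length and number of character classes present.

    Thresholds (12+ characters, 3+ classes) are an assumption for this example,
    not a rule from the talk.
    """
    classes = {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    n_classes = sum(classes.values())
    return {
        "length": len(password),
        "classes": n_classes,
        "ok": len(password) >= 12 and n_classes >= 3,
    }


if __name__ == "__main__":
    # The talk's mnemonic sentence (Psalm 126:3 NIV).
    phrase = "The LORD has done great things for us, and we are filled with joy."
    pw = mnemonic_password(phrase)
    print(pw)                  # TLhdgt4u,&wafwj.
    print(strength_report(pw))
```

The check in `strength_report` only measures structure; the real strength of a mnemonic password comes from the sentence not being a well-known quotation that a guessing tool could try first, which is why the talk pairs this technique with a password manager.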

Basic Security Ideas

Security is about:
- Managing risk
- Ensuring trust

Avoiding Identity Theft: Phishing, Pharming, and other Phunny Sounding Security Words

- Phishing
- Pharming
- Miscellaneous phiendishly clever spam scams
- Tips for avoiding

Phishing

Definition: Phishing is a form of Internet fraud whereby a criminal attempts to trick a victim into accepting a false identity presented by the criminal in order to trick the victim into providing them with valuable confidential information.

Typical bait: A phony e-mail.

Typical hook: A phony web site that captures your password, SSN, credit card information, etc.

Identity Theft: Avoiding

- Order your free credit report yearly. Call 1-877-322-8228 or visit: http://www.annualcreditreport.com/
- Regularly check your credit card / bank statements for unauthorized spending.

Pharming

Definition: An attack that redirects the user to a phony web site by “poisoning” the local Domain Name System (DNS) server(s).

Typical victim: User using the Internet via an open WiFi hotspot.

Security issue: Allows an attacker to use a “man-in-the-middle” attack to capture everything you send to the phony web site.

Defeating Pharmers

- If you need to do something that you are not willing to have everyone see, then use a virtual private network (VPN).
  That includes e-mail, web surfing, IM, watching podcasts, etc. What software tool is used is irrelevant.
- Otherwise, do not enter that type of information while accessing the Internet via a WiFi hotspot.
- Change the default router password on your home router to avoid “drive-by” pharming.

Identity Theft: Avoiding

- Remove your name from the marketing lists of the three credit reporting bureaus, to limit pre-approved offers for credit or insurance. Those offers contain sensitive information that can be retrieved by identity thieves. Call toll-free 1-888-567-8688 or go to https://www.optoutprescreen.com/

Identity Theft: Avoiding

- Reduce the number of credit cards you actively use.
  - Carry only one or two of them in your wallet.
  - Consider canceling unused accounts.
  - Use temporary cards online.
- Never give out your Social Security number, credit card number or other personal information over the phone, by mail or on the Internet unless you initiated the call and have a trusted business relationship with the company.

Identity Theft: Avoiding

- Always take your credit card receipts with you and shred them whenever possible.
- Keep all security patches of your operating system and applications up-to-date.
  - Use automated updates if supported.
- Install a separate firewall at your router.
  - Many decent, cheap router / firewall combinations.
  - Be sure to disable remote access.
- Keep anti-virus and spyware protection up-to-date and run regularly.

Signs of Malware Infection

1. Browser homepage changed
2. Extra toolbars installed on browser that you didn’t install
3. Firewall keeps warning you of programs attempting to connect to the Internet
4. Firewall or AV software keeps getting disabled
5. Your PC becomes inexplicably slow at times when you aren’t really doing anything on it
6. Excessive pop-up windows that continually pop up and you can’t close while surfing the web
7. Your PC takes much longer in booting than it used to.
8. You get a lot of e-mail “bounces” addressed to people you don’t know or a substantial increase in spam.

Two Common Internet Scams

- 419 (a.k.a., “Nigerian”) scam
- Fake stock broker forecasting stock scam

Wk #   # left       Wk #   # left
1      4,000,000    7      62,500
2      2,000,000    8      31,250
3      1,000,000    9      15,625
4      500,000      10     7812
5      250,000      11     3906
6      125,000      12     1953

Avoiding Common Internet Scams

- Remember what your parents taught you: “If it sounds too good to be true, then it probably is.”
- Beware of general fraud indicators:
  - Promise you money, jobs or prizes
  - Ask for donations
  - Propose lucrative business deals
  - Ask you to provide sensitive personal information
  - Ask you to follow a link to a website and log on to an account.
- Two good sites:
  - http://www.hoax-slayer.com/common-internet-scams.html
  - http://www.fbi.gov/majcases/fraud/internetschemes.htm

Useful References

- Qwest’s Incredible Internet site; in particular, http://www.incredibleinternet.com/index.php?do=protect_your_identity
- David Wheeler’s “Securing Microsoft Windows (for Home and Small Business Users)”, http://www.dwheeler.com/essays/securing-windows.html
- Internet Scambusters: http://www.scambusters.org/