Understanding Encryption

Cyber Security Tip ST04-019
Understanding Encryption

Encrypting data is a good way to protect sensitive information. It ensures that the data can only be read by the person who is authorized to have access to it.

What is encryption? In very basic terms, encryption is a way to send a message in code. The only person who can decode the message is the person with the correct key; to anyone else, the message looks like a random series of letters, numbers, and characters.

Encryption is especially important if you are trying to send sensitive information that other people should not be able to access. Because email messages are sent over the internet and might be intercepted by an attacker, it is important to add an additional layer of security to sensitive information.

How is it different from digital signatures? Like digital signatures, public-key encryption utilizes software such as PGP, converts information with mathematical algorithms, and relies on public and private keys, but there are differences:
• The purpose of encryption is confidentiality—concealing the content of the message by translating it into a code. The purpose of digital signatures is integrity and authenticity—verifying the sender of a message and indicating that the content has not been changed. Although encryption and digital signatures can be used independently, you can also sign an encrypted message.
• When you sign a message, you use your private key, and anybody who has your public key can verify that the signature is valid (see Understanding Digital Signatures for more information). When you encrypt a message, you use the public key for the person you’re sending it to, and his or her private key is used to decrypt the message. Because people should keep their private keys confidential and should protect them with passwords, the intended recipient should be the only one who is able to view the information.
How does encryption work?
• Obtain the public key for the person you want to be able to read the information. If you get the key from a public key ring, contact the person directly to confirm that the series of letters and numbers associated with the key is the correct fingerprint.
• Encrypt the email message using their public key. Most email clients have a feature to easily perform this task.
• When the person receives the message, he or she will be able to decrypt it.

Authors: Mindi McDowell Copyright 2004 Carnegie Mellon University. Terms of use

Understanding ISPs

Cyber Security Tip ST04-024
Understanding ISPs

ISPs offer services like email and internet access. Compare factors like security, services, and cost so that you find an ISP that supports all of your needs.

What is an ISP?
An ISP, or internet service provider, is a company that provides its customers access to the internet and other web services. In addition to maintaining a direct line to the internet, the company usually maintains web servers. By supplying necessary software, a password-protected user account, and a way to connect to the internet (e.g., modem, phone number), ISPs offer their customers the capability to browse the web and exchange email with other people. Some ISPs also offer additional services.

ISPs can vary in size—some are operated by one individual, while others are large corporations. They may also vary in scope—some only support users in a particular city, while others have regional or national capabilities.

What services do ISPs provide?
Almost all ISPs offer email and web browsing capabilities. They also offer varying degrees of user support, usually in the form of an email address or customer support hotline. Most ISPs also offer web hosting capabilities, allowing users to create and maintain personal web pages; and some may even offer the service of developing the pages for you. Many ISPs offer the option of high-speed access through DSL or cable modems, and some still offer dial-up connections.

As part of normal operation, most ISPs perform backups of email and web files. If the ability to recover email and web files is important to you, check with your ISP to see if they back up the data; it might not be advertised as a service. Additionally, some ISPs may implement firewalls to block some incoming traffic, although you should consider this a supplement to your own security precautions, not a replacement.

How do you choose an ISP?
There are thousands of ISPs, and it’s often difficult to decide which one best suits your needs. Some factors to consider include

• security – Do you feel that the ISP is concerned about security? Does it use encryption and SSL (see Protecting Your Privacy for more information) to protect any information you submit (e.g., user name, password)?

• privacy – Does the ISP have a published privacy policy? Are you comfortable with who has access to your information and how it is being handled and used?
• services – Does your ISP offer the services you want? Do they meet your requirements? Is there adequate support for the services?
• cost – Are the ISP’s costs affordable? Are they reasonable for the number of services you receive, as well as the level of those services? Are you sacrificing quality and security to get the lowest price?
• reliability – Are the services your ISP provides reliable, or are they frequently unavailable due to maintenance, security problems, a high volume of users, or other reasons? If the ISP knows that services will be unavailable for a particular reason, does it adequately communicate that information?
• user support – Are there published methods for contacting customer support? Do you receive prompt and friendly service? Do their hours of availability accommodate your needs? Do the consultants have the appropriate level of knowledge?
• speed – How fast is your ISP’s connection? Is it sufficient for accessing your email or navigating the internet?
• recommendations – Have you heard or seen positive reviews about the ISP? Were they from trusted sources? Does the ISP serve your geographic area? If you’ve uncovered negative points, are they factors you are concerned about?

Author: Mindi McDowell Copyright 2004 Carnegie Mellon University. Terms of use

Browsing Safely: Understanding Active Content and Cookies

Cyber Security Tip ST04-012
Browsing Safely: Understanding Active Content and Cookies

Many people browse the Internet without much thought to what is happening behind the scenes. Active content and cookies are common elements that may pose hidden risks when viewed in a browser or email client.

Mac user’s note – while the information here is important, the specifics of the article assumes one is using Internet Explorer on Windows. Feel free to contact us if you need more specific Mac based support.

What is active content?
To increase functionality or add design embellishments, web sites often rely on scripts that execute programs within the web browser. This active content can be used to create “splash pages” or options like drop-down menus. Unfortunately, these scripts are often a way for attackers to download or execute malicious code on a user’s computer.
• JavaScript – JavaScript is just one of many web scripts (other examples are VBScript, ECMAScript, and JScript) and is probably the most recognized. Used on almost every web site now, JavaScript and other scripts are popular because users expect the functionality and “look” that it provides, and it’s easy to incorporate (many common software programs for building web sites have the capability to add JavaScript features with little effort or knowledge required of the user). However, because of these reasons, attackers can manipulate it to their own purposes. A popular type of attack that relies on JavaScript involves redirecting users from a legitimate web site to a malicious one that may download viruses or collect personal information.
• Java and ActiveX controls – Different from JavaScript, Java and ActiveX controls are actual programs that reside on your computer or can be downloaded over the network into your browser. If executed by attackers, untrustworthy ActiveX controls may be able to do anything on your computer that you can do (such as running spyware and collecting personal information, connecting to other computers, and potentially doing other damage). Java applets usually run in a more restricted environment, but if that environment isn’t secure, then malicious Java applets may create opportunities for attack as well.
JavaScript and other forms of active content are not always dangerous, but they are common tools for attackers. You can prevent active content from running in most browsers, but realize that the added security may limit functionality and break features of some sites you visit. Before clicking on a link to a web site that you are not familiar with or do not trust, take the precaution of disabling active content.
These same risks may also apply to the email program you use. Many email clients use the same programs as web browsers to display HTML, so vulnerabilities that affect active content like JavaScript and ActiveX often apply to email. Viewing messages as plain text may resolve this problem.

What are cookies?
When you browse the Internet, information about your computer may be collected and stored. This information might be general information about your computer (such as IP address, the domain you used to connect (e.g., .edu, .com, .net), and the type of browser you used). It might also be more specific information about your browsing habits (such as the last time you visited a particular web site or your personal preferences for viewing that site).
Cookies can be saved for varying lengths of time:

• Session cookies – Session cookies store information only as long as you’re using the browser; once you close the browser, the information is erased. The primary purpose of session cookies is to help with navigation, such as by indicating whether or not you’ve already visited a particular page and retaining information about your preferences once you’ve visited a page.

• Persistent cookies – Persistent cookies are stored on your computer so that your personal preferences can be retained. In most browsers, you can adjust the length of time that persistent cookies are stored. It is because of these cookies that your email address appears by default when you open your Yahoo! or Hotmail email account, or your personalized home page appears when you visit your favorite online merchant. If an attacker gains access to your computer, he or she may be able to gather personal information about you through these files.
To increase your level of security, consider adjusting your privacy and security settings to block or limit cookies in your web browser (see Evaluating Your Web Browser’s Security Settings for more information). To make sure that other sites are not collecting personal information about you without your knowledge, choose to only allow cookies for the web site you are visiting; block or limit cookies from a third-party. If you are using a public computer, you should make sure that cookies are disabled to prevent other people from accessing or using your personal information.

Author: Mindi McDowell Copyright 2004 Carnegie Mellon University. Terms of use

Staying Safe on Social Network Sites

Cyber Security Tip ST06-003
Staying Safe on Social Network Sites

The popularity of social networking sites continues to increase, especially among teenagers and young adults. The nature of these sites introduces security risks, so you should take certain precautions.

What are social networking sites?
Social networking sites, sometimes referred to as “friend-of-a-friend” sites, build upon the concept of traditional social networks where you are connected to new people through people you already know. The purpose of some networking sites may be purely social, allowing users to establish friendships or romantic relationships, while others may focus on establishing business connections.

Although the features of social networking sites differ, they all allow you to provide information about yourself and offer some type of communication mechanism (forums, chat rooms, email, instant messenger) that enables you to connect with other users. On some sites, you can browse for people based on certain criteria, while other sites require that you be “introduced” to new people through a connection you share. Many of the sites have communities or subgroups that may be based on a particular interest.

What security implications do these sites present?Social networking sites rely on connections and communication, so they encourage you to provide a certain amount of personal information. When deciding how much information to reveal, people may not exercise the same amount of caution as they would when meeting someone in person because
• the internet provides a sense of anonymity
• the lack of physical interaction provides a false sense of security
• they tailor the information for their friends to read, forgetting that others may see it
• they want to offer insights to impress potential friends or associates

While the majority of people using these sites do not pose a threat, malicious people may be drawn to them because of the accessibility and amount of personal information that’s available. The more information malicious people have about you, the easier it is for them to take advantage of you. Predators may form relationships online and then convince unsuspecting individuals to meet them in person. That could lead to a dangerous situation. The personal information can also be used to conduct a social engineering attack (see Avoiding Social Engineering and Phishing Attacks for more information). Using information that you provide about your location, hobbies, interests, and friends, a malicious person could impersonate a trusted friend or convince you that they have the authority to access other personal or financial data.

Additionally, because of the popularity of these sites, attackers may use them to distribute malicious code. Sites that offer applications developed by third parties are particularly susceptible. Attackers may be able to create customized applications that appear to be innocent while infecting your computer without your knowledge.

How can you protect yourself?
• Limit the amount of personal information you post – Do not post information that would make you vulnerable, such as your address or information about your schedule or routine. If your connections post information about you, make sure the combined information is not more than you would be comfortable with strangers knowing. Also be considerate when posting information, including photos, about your connections.
• Remember that the internet is a public resource – Only post information you are comfortable with anyone seeing. This includes information and photos in your profile and in blogs and other forums. Also, once you post information online, you can’t retract it. Even if you remove the information from a site, saved or cached versions may still exist on other people’s machines (see Guidelines for Publishing Information Online for more information).
• Be wary of strangers – The internet makes it easy for people to misrepresent their identities and motives (see Using Instant Messaging and Chat Rooms Safely for more information). Consider limiting the people who are allowed to contact you on these sites. If you interact with people you do not know, be cautious about the amount of information you reveal or agreeing to meet them in person.
• Be skeptical – Don’t believe everything you read online. People may post false or misleading information about various topics, including their own identities. This is not necessarily done with malicious intent; it could be unintentional, an exaggeration, or a joke. Take appropriate precautions, though, and try to verify the authenticity of any information before taking any action.
• Evaluate your settings – Take advantage of a site’s privacy settings. The default settings for some sites may allow anyone to see your profile. You can customize your settings to restrict access to only certain people. However, there is a risk that even this private information could be exposed, so don’t post anything that you wouldn’t want the public to see. Also, be cautious when deciding which applications to enable, and check your settings to see what information the applications will be able to access.
• Use strong passwords – Protect your account with passwords that cannot easily be guessed (see Choosing and Protecting Passwords for more information). If your password is compromised, someone else may be able to access your account and pretend to be you.
• Check privacy policies – Some sites may share information such as email addresses or user preferences with other companies. This may lead to an increase in spam (see Reducing Spam for more information). Also, try to locate the policy for handling referrals to make sure that you do not unintentionally sign your friends up for spam. Some sites will continue to send email messages to anyone you refer until they join.
• Use and maintain anti-virus software – Anti-virus software recognizes most known viruses and protects your computer against them, so you may be able to detect and remove the virus before it can do any damage (see Understanding Anti-Virus Software for more information). Because attackers are continually writing new viruses, it is important to keep your definitions up to date.
Children are especially susceptible to the threats that social networking sites present. Although many of these sites have age restrictions, children may misrepresent their ages so that they can join. By teaching children about internet safety, being aware of their online habits, and guiding them to appropriate sites, parents can make sure that the children become safe and responsible users (see Keeping Children Safe Online for more information).

Author: Mindi McDowell Produced 2006, 2009 by US-CERT, a government organization. Terms of use

Avoiding Social Engineering and Phishing Attacks

Cyber Security Tip ST04-014
Avoiding Social Engineering and Phishing Attacks

Do not give sensitive information to anyone unless you are sure that they are indeed who they claim to be and that they should have access to the information.

What is a social engineering attack? To launch a social engineering attack, an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity. However, by asking questions, he or she may be able to piece together enough information to infiltrate an organization’s network. If an attacker is not able to gather enough information from one source, he or she may contact another source within the same organization and rely on the information from the first source to add to his or her credibility. What is a phishing attack? Phishing is a form of social engineering. Phishing attacks use email or malicious web sites to solicit personal, often financial, information. Attackers may send email seemingly from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem. When users respond with the requested information, attackers can use it to gain access to the accounts.

How do you avoid being a victim?
• Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
• Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information.
• Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
• Don’t send sensitive information over the Internet before checking a web site’s security (see Protecting Your Privacy for more information).
• Pay attention to the URL of a web site. Malicious web sites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
• If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a web site connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org/phishing_archive.html).
• Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic (see Understanding Firewalls, Understanding Anti-Virus Software, and Reducing Spam for more information).
What do you do if you think you are a victim?
• If you believe you might have revealed sensitive information about your organization, report it to the appropriate people within the organization, including network administrators. They can be alert for any suspicious or unusual activity.
• If you believe your financial accounts may be compromised, contact your financial institution immediately and close any accounts that may have been compromised. Watch for any unexplainable charges to your account.
• Consider reporting the attack to the police, and file a report with the Federal Trade Commission (http://www.ftc.gov/).

Author: Mindi McDowell Copyright 2004 Carnegie Mellon University. Terms of use

Keeping Children Safe Online

Cyber Security Tip ST05-002
Keeping Children Safe Online

Children present unique security risks when they use a computer—not only do you have to keep them safe, you have to protect the data on your computer. By taking some simple steps, you can dramatically reduce the threats.

Mac user’s note – while the information here is important, the specifics of the article assumes one is using Internet Explorer on Windows. Feel free to contact us if you need more specific Mac based support.

What unique risks are associated with children?
When a child is using your computer, normal safeguards and security practices may not be sufficient. Children present additional challenges because of their natural characteristics: innocence, curiosity, desire for independence, and fear of punishment. You need to consider these characteristics when determining how to protect your data and the child.

You may think that because the child is only playing a game, or researching a term paper, or typing a homework assignment, he or she can’t cause any harm. But what if, when saving her paper, the child deletes a necessary program file? Or what if she unintentionally visits a malicious web page that infects your computer with a virus? These are just two possible scenarios. Mistakes happen, but the child may not realize what she’s done or may not tell you what happened because she’s afraid of getting punished.

Online predators present another significant threat, particularly to children. Because the nature of the internet is so anonymous, it is easy for people to misrepresent themselves and manipulate or trick other users (see Avoiding Social Engineering and Phishing Attacks for some examples). Adults often fall victim to these ploys, and children, who are usually much more open and trusting, are even easier targets. The threat is even greater if a child has access to email or instant messaging programs, visits chat rooms, and/or uses social networking sites (see Using Instant Messaging and Chat Rooms Safely and Staying Safe on Social Network Sites for more information).

What can you do?
• Be involved – Consider activities you can work on together, whether it be playing a game, researching a topic you had been talking about (e.g., family vacation spots, a particular hobby, a historical figure), or putting together a family newsletter. This will allow you to supervise your child’s online activities while teaching her good computer habits.
• Keep your computer in an open area – If your computer is in a high-traffic area, you will be able to easily monitor the computer activity. Not only does this accessibility deter a child from doing something she knows she’s not allowed to do, it also gives you the opportunity to intervene if you notice a behavior that could have negative consequences.
• Set rules and warn about dangers – Make sure your child knows the boundaries of what she is allowed to do on the computer. These boundaries should be appropriate for the child’s age, knowledge, and maturity, but they may include rules about how long she is allowed to be on the computer, what sites she is allowed to visit, what software programs she can use, and what tasks or activities she is allowed to do. You should also talk to children about the dangers of the internet so that they recognize suspicious behavior or activity. The goal isn’t to scare them, it’s to make them more aware.
• Monitor computer activity – Be aware of what your child is doing on the computer, including which web sites she is visiting. If she is using email, instant messaging, or chat rooms, try to get a sense of who she is corresponding with and whether she actually knows them.
• Keep lines of communication open – Let your child know that she can approach you with any questions or concerns about behaviors or problems she may have encountered on the computer.
• Consider partitioning your computer into separate accounts – Most operating systems (including Windows XP, Mac OS X, and Linux) give you the option of creating a different user account for each user. If you’re worried that your child may accidentally access, modify, and/or delete your files, you can give her a separate account and decrease the amount of access and number of privileges she has.
If you don’t have separate accounts, you need to be especially careful about your security settings. In addition to limiting functionality within your browser (see Evaluating Your Web Browser’s Security Settings for more information), avoid letting your browser remember passwords and other personal information (see Browsing Safely: Understanding Active Content and Cookies). Also, it is always important to keep your virus definitions up to date (see Understanding Anti-Virus Software).
• Consider implementing parental controls – You may be able to set some parental controls within your browser. For example, Internet Explorer allows you to restrict or allow certain web sites to be viewed on your computer, and you can protect these settings with a password. To find those options, click Tools on your menu bar, select Internet Options…, choose the Content tab, and click the Enable… button under Content Advisor.
There are other resources you can use to control and/or monitor your child’s online activity. Some ISPs offer services designed to protect children online. Contact your ISP to see if any of these services are available. There are also special software programs you can install on your computer. Different programs offer different features and capabilities, so you can find one that best suits your needs. The following web sites offer lists of software, as well as other useful information about protecting children online:

• GetNetWise – http://kids.getnetwise.org/ – Click Tools for Families to reach a page that allows you to search for software based on characteristics like what the tool does and what operating system you have on your computer.
• Yahooligans! Parents’ Guide – http://yahooligans.yahoo.com/parents/ – Click Blocking and Filtering under Related Websites on the left sidebar to reach a list of software.

Recognizing and Avoiding Spyware

Cyber Security Tip ST04-016
Recognizing and Avoiding Spyware

Mac user’s note – while the information here is important, the specifics of the article assumes one is using Internet Explorer on Windows. Feel free to contact us if you need more specific Mac based support.

Because of its popularity, the internet has become an ideal target for advertising. As a result, spyware, or adware, has become increasingly prevalent. When troubleshooting problems with your computer, you may discover that the source of the problem is spyware software that has been installed on your machine without your knowledge.

What is spyware? Despite its name, the term “spyware” doesn’t refer to something used by undercover operatives, but rather by the advertising industry. In fact, spyware is also known as “adware.” It refers to a category of software that, when installed on your computer, may send you pop-up ads, redirect your browser to certain web sites, or monitor the web sites that you visit. Some extreme, invasive versions of spyware may track exactly what keys you type. Attackers may also use spyware for malicious purposes.
Because of the extra processing, spyware may cause your computer to become slow or sluggish. There are also privacy implications:

• What information is being gathered?
• Who is receiving it?
• How is it being used?

How do you know if there is spyware on your computer?The following symptoms may indicate that spyware is installed on your computer:
• you are subjected to endless pop-up windows
• you are redirected to web sites other than the one you typed into your browser
• new, unexpected toolbars appear in your web browser
• new, unexpected icons appear in the task tray at the bottom of your screen
• your browser’s home page suddenly changed
• the search engine your browser opens when you click “search” has been changed
• certain keys fail to work in your browser (e.g., the tab key doesn’t work when you are moving to the next field within a form)
• random Windows error messages begin to appear
• your computer suddenly seems very slow when opening programs or processing tasks (saving files, etc.)

How can you prevent spyware from installing on your computer?To avoid unintentionally installing it yourself, follow these good security practices:
• Don’t click on links within pop-up windows – Because pop-up windows are often a product of spyware, clicking on the window may install spyware software on your computer. To close the pop-up window, click on the “X” icon in the titlebar instead of a “close” link within the window.
• Choose “no” when asked unexpected questions – Be wary of unexpected dialog boxes asking whether you want to run a particular program or perform another type of task. Always select “no” or “cancel,” or close the dialog box by clicking the “X” icon in the titlebar.
• Be wary of free downloadable software – There are many sites that offer customized toolbars or other features that appeal to users. Don’t download programs from sites you don’t trust, and realize that you may be exposing your computer to spyware by downloading some of these programs.
• Don’t follow email links claiming to offer anti-spyware software – Like email viruses, the links may serve the opposite purpose and actually install the spyware it claims to be eliminating.
As an additional good security practice, especially if you are concerned that you might have spyware on your machine and want to minimize the impact, consider taking the following action:
• Adjust your browser preferences to limit pop-up windows and cookies – Pop-up windows are often generated by some kind of scripting or active content. Adjusting the settings within your browser to reduce or prevent scripting or active content may reduce the number of pop-up windows that appear. Some browsers offer a specific option to block or limit pop-up windows. Certain types of cookies are sometimes considered spyware because they reveal what web pages you have visited. You can adjust your privacy settings to only allow cookies for the web site you are visiting (see Browsing Safely: Understanding Active Content and Cookies and Evaluating Your Web Browser’s Security Settings for more information).

How do you remove spyware?
• Run a full scan on your computer with your anti-virus software – Some anti-virus software will find and remove spyware, but it may not find the spyware when it is monitoring your computer in real time. Set your anti-virus software to prompt you to run a full scan periodically (see Understanding Anti-Virus Software for more information).
• Run a legitimate product specifically designed to remove spyware – Many vendors offer products that will scan your computer for spyware and remove any spyware software. Popular products include Lavasoft’s Ad-Aware, Webroot’s SpySweeper, PestPatrol, and Spybot Search and Destroy.
• Make sure that your anti-virus and anti-spyware software are compatible – Take a phased approach to installing the software to ensure that you don’t unintentionally introduce problems (see Coordinating Virus and Spyware Defense for more information).

Authors: Mindi McDowell, Matt Lytle Copyright 2004 Carnegie Mellon University. Terms of use