Cyber Security Tip ST04-019
Understanding Encryption

Encrypting data is a good way to protect sensitive information. It ensures that the data can only be read by the person who is authorized to have access to it.

What is encryption?
In very basic terms, encryption is a way to send a message in code. The only person who can decode the message is the person with the correct key; to anyone else, the message looks like a random series of letters, numbers, and characters.

Encryption is especially important if you are trying to send sensitive information that other people should not be able to access. Because email messages are sent over the internet and might be intercepted by an attacker, it is important to add an additional layer of security to sensitive information.

How is it different from digital signatures?
Like digital signatures, public-key encryption uses software such as PGP, converts information with mathematical algorithms, and relies on public and private keys, but there are differences:
• The purpose of encryption is confidentiality—concealing the content of the message by translating it into a code. The purpose of digital signatures is integrity and authenticity—verifying the sender of a message and indicating that the content has not been changed. Although encryption and digital signatures can be used independently, you can also sign an encrypted message.
• When you sign a message, you use your private key, and anybody who has your public key can verify that the signature is valid (see Understanding Digital Signatures for more information). When you encrypt a message, you use the public key for the person you’re sending it to, and his or her private key is used to decrypt the message. Because people should keep their private keys confidential and should protect them with passwords, the intended recipient should be the only one who is able to view the information.
How does encryption work?
• Obtain the public key for the person you want to be able to read the information. If you get the key from a public key ring, contact the person directly to confirm that the series of letters and numbers associated with the key is the correct fingerprint.
• Encrypt the email message using their public key. Most email clients have a feature to easily perform this task.
• When the person receives the message, he or she will be able to decrypt it.
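The steps above, and the sign-versus-encrypt distinction in the previous section, carried out in code. This is an added example written for this page, not code from US-CERT or from PGP: it uses Go's standard library RSA instead of a PGP implementation, it encrypts the short message directly with RSA-OAEP (real PGP encrypts a random session key this way and the message body with a symmetric cipher), and it takes the SHA-256 of the public key as the fingerprint to read back to the key's owner. The names Alice, Bob and Eve and the message text are constructed for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Fingerprint is the hex SHA-256 of the DER-encoded public key: the series of
// letters and numbers you confirm with the key's owner directly before trusting
// a key fetched from a key ring or key server. (Assumed scheme for this demo.)
func Fingerprint(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:]), nil
}

// FingerprintMatches compares a fingerprint as a person might read it aloud
// (any case, spaces or colons between groups) with the key actually obtained.
func FingerprintMatches(pub *rsa.PublicKey, spoken string) (bool, error) {
	fp, err := Fingerprint(pub)
	if err != nil {
		return false, err
	}
	norm := strings.NewReplacer(" ", "", ":", "").Replace(strings.ToLower(spoken))
	return norm == fp, nil
}

// Seal signs msg with the sender's PRIVATE key (authenticity, integrity) and
// encrypts it with the recipient's PUBLIC key (confidentiality).
// msg must fit in one RSA-OAEP block (190 bytes for a 2048-bit key).
func Seal(msg []byte, senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey) (ct, sig []byte, err error) {
	digest := sha256.Sum256(msg)
	if sig, err = rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil); err != nil {
		return nil, nil, err
	}
	if ct, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, msg, nil); err != nil {
		return nil, nil, err
	}
	return ct, sig, nil
}

// Open decrypts with the recipient's private key and checks the signature with
// the sender's public key. Only the holder of recipientPriv can recover msg, and
// only the holder of the sender's private key could have produced sig.
func Open(ct, sig []byte, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), nil, recipientPriv, ct, nil)
	if err != nil {
		return nil, errors.New("decryption failed: not encrypted to this private key")
	}
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, errors.New("bad signature: message altered or not from the claimed sender")
	}
	return msg, nil
}

func main() {
	// Constructed demo keys; in practice each party generates their own pair once.
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)
	eve, _ := rsa.GenerateKey(rand.Reader, 2048)

	fp, _ := Fingerprint(&bob.PublicKey)
	fmt.Println("Bob's fingerprint (confirm with Bob directly):", fp)

	ct, sig, err := Seal([]byte("the contract draft is attached"), alice, &bob.PublicKey)
	if err != nil {
		panic(err)
	}
	msg, err := Open(ct, sig, bob, &alice.PublicKey)
	fmt.Printf("Bob reads: %q (err=%v)\n", msg, err)

	_, err = Open(ct, sig, eve, &alice.PublicKey)
	fmt.Println("Eve tries her own private key:", err)
}
```

Run it with go run; the last line shows that a third party's private key, even a valid one, cannot decrypt a message encrypted to Bob's public key, and the Open function also rejects a message whose signature does not verify under the claimed sender's public key.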

Author: Mindi McDowell. Copyright 2004 Carnegie Mellon University.

Cyber Security Tip ST04-024
Understanding ISPs

ISPs offer services like email and internet access. Compare factors like security, services, and cost so that you find an ISP that supports all of your needs.

What is an ISP?
An ISP, or internet service provider, is a company that provides its customers access to the internet and other web services. In addition to maintaining a direct line to the internet, the company usually maintains web servers. By supplying necessary software, a password-protected user account, and a way to connect to the internet (e.g., modem, phone number), ISPs offer their customers the capability to browse the web and exchange email with other people. Some ISPs also offer additional services.

ISPs can vary in size—some are operated by one individual, while others are large corporations. They may also vary in scope—some only support users in a particular city, while others have regional or national capabilities.

What services do ISPs provide?
Almost all ISPs offer email and web browsing capabilities. They also offer varying degrees of user support, usually in the form of an email address or customer support hotline. Most ISPs also offer web hosting capabilities, allowing users to create and maintain personal web pages; and some may even offer the service of developing the pages for you. Many ISPs offer the option of high-speed access through DSL or cable modems, and some still offer dial-up connections.

As part of normal operation, most ISPs perform backups of email and web files. If the ability to recover email and web files is important to you, check with your ISP to see if they back up the data; it might not be advertised as a service. Additionally, some ISPs may implement firewalls to block some incoming traffic, although you should consider this a supplement to your own security precautions, not a replacement.

How do you choose an ISP?
There are thousands of ISPs, and it’s often difficult to decide which one best suits your needs. Some factors to consider include

• security – Do you feel that the ISP is concerned about security? Does it use encryption and SSL (see Protecting Your Privacy for more information) to protect any information you submit (e.g., user name, password)?
• privacy – Does the ISP have a published privacy policy? Are you comfortable with who has access to your information and how it is being handled and used?
• services – Does your ISP offer the services you want? Do they meet your requirements? Is there adequate support for the services?
• cost – Are the ISP’s costs affordable? Are they reasonable for the number of services you receive, as well as the level of those services? Are you sacrificing quality and security to get the lowest price?
• reliability – Are the services your ISP provides reliable, or are they frequently unavailable due to maintenance, security problems, a high volume of users, or other reasons? If the ISP knows that services will be unavailable for a particular reason, does it adequately communicate that information?
• user support – Are there published methods for contacting customer support? Do you receive prompt and friendly service? Do their hours of availability accommodate your needs? Do the consultants have the appropriate level of knowledge?
• speed – How fast is your ISP’s connection? Is it sufficient for accessing your email or navigating the internet?
• recommendations – Have you heard or seen positive reviews about the ISP? Were they from trusted sources? Does the ISP serve your geographic area? If you’ve uncovered negative points, are they factors you are concerned about?

Author: Mindi McDowell. Copyright 2004 Carnegie Mellon University.

Cyber Security Tip ST04-012
Browsing Safely: Understanding Active Content and Cookies

Many people browse the Internet without much thought to what is happening behind the scenes. Active content and cookies are common elements that may pose hidden risks when viewed in a browser or email client.

Mac user’s note – While the information here is important, the specifics of this article assume that you are using Internet Explorer on Windows. Feel free to contact us if you need more specific Mac-based support.

What is active content?
To increase functionality or add design embellishments, web sites often rely on scripts that execute programs within the web browser. This active content can be used to create “splash pages” or options like drop-down menus. Unfortunately, these scripts are often a way for attackers to download or execute malicious code on a user’s computer.
• JavaScript – JavaScript is just one of many web scripts (other examples are VBScript, ECMAScript, and JScript) and is probably the most recognized. Used on almost every web site now, JavaScript and other scripts are popular because users expect the functionality and “look” that they provide, and they are easy to incorporate (many common software programs for building web sites can add JavaScript features with little effort or knowledge required of the user). For these same reasons, however, attackers can manipulate it to their own purposes. A popular type of attack that relies on JavaScript involves redirecting users from a legitimate web site to a malicious one that may download viruses or collect personal information.
• Java and ActiveX controls – Different from JavaScript, Java and ActiveX controls are actual programs that reside on your computer or can be downloaded over the network into your browser. If executed by attackers, untrustworthy ActiveX controls may be able to do anything on your computer that you can do (such as running spyware and collecting personal information, connecting to other computers, and potentially doing other damage). Java applets usually run in a more restricted environment, but if that environment isn’t secure, then malicious Java applets may create opportunities for attack as well.
JavaScript and other forms of active content are not always dangerous, but they are common tools for attackers. You can prevent active content from running in most browsers, but realize that the added security may limit functionality and break features of some sites you visit. Before clicking on a link to a web site that you are not familiar with or do not trust, take the precaution of disabling active content.
These same risks may also apply to the email program you use. Many email clients use the same programs as web browsers to display HTML, so vulnerabilities that affect active content like JavaScript and ActiveX often apply to email. Viewing messages as plain text may resolve this problem.

What are cookies?
When you browse the Internet, information about your computer may be collected and stored. This information might be general information about your computer (such as IP address, the domain you used to connect (e.g., .edu, .com, .net), and the type of browser you used). It might also be more specific information about your browsing habits (such as the last time you visited a particular web site or your personal preferences for viewing that site).
Cookies can be saved for varying lengths of time:

• Session cookies – Session cookies store information only as long as you’re using the browser; once you close the browser, the information is erased. The primary purpose of session cookies is to help with navigation, such as by indicating whether or not you’ve already visited a particular page and retaining information about your preferences once you’ve visited a page.
• Persistent cookies – Persistent cookies are stored on your computer so that your personal preferences can be retained. In most browsers, you can adjust the length of time that persistent cookies are stored. It is because of these cookies that your email address appears by default when you open your Yahoo! or Hotmail email account, or your personalized home page appears when you visit your favorite online merchant. If an attacker gains access to your computer, he or she may be able to gather personal information about you through these files.
To increase your level of security, consider adjusting your privacy and security settings to block or limit cookies in your web browser (see Evaluating Your Web Browser’s Security Settings for more information). To make sure that other sites are not collecting personal information about you without your knowledge, choose to allow cookies only for the web site you are visiting, and block or limit cookies from third parties. If you are using a public computer, you should make sure that cookies are disabled to prevent other people from accessing or using your personal information.
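What a browser actually sees when the session, persistent and third-party cookies described above arrive, as an added example written for this page rather than anything from US-CERT or a browser vendor. It runs raw Set-Cookie headers through Go's standard net/http cookie parser and classifies each one: session (no Expires or Max-Age), persistent (either attribute set), or a deletion instruction; a cookie counts as third-party when the host whose response set it is a different site from the page being viewed. The sample headers, the host names (example.com and example.net are reserved names) and the two-label "site" shortcut in place of the public suffix list are all constructed assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
	"time"
)

// Observed is one Set-Cookie header plus the host whose response carried it.
// The host matters: a cookie set by an advertiser's server while you look at
// another site is a third-party cookie, whatever its Domain attribute says.
type Observed struct {
	FromHost  string
	SetCookie string
}

// CookieReport is the classification of a single cookie.
type CookieReport struct {
	Name       string
	Kind       string // "session", "persistent" or "deleted"
	ThirdParty bool   // set by a site other than the one you are visiting
	HttpOnly   bool   // not readable by scripts running in the page
	Secure     bool   // only sent back over HTTPS
}

// site reduces a host to its last two labels ("ads.example.net" -> "example.net").
// Browsers use the public suffix list for this; two labels is a simplification.
func site(host string) string {
	l := strings.Split(strings.ToLower(host), ".")
	if len(l) < 2 {
		return strings.ToLower(host)
	}
	return strings.Join(l[len(l)-2:], ".")
}

// ClassifyCookies feeds each Set-Cookie header through net/http's own parser
// (the same logic a Go HTTP client uses) and reports lifetime and origin.
func ClassifyCookies(pageHost string, observed []Observed, now time.Time) []CookieReport {
	var out []CookieReport
	for _, o := range observed {
		resp := &http.Response{Header: http.Header{"Set-Cookie": {o.SetCookie}}}
		for _, c := range resp.Cookies() {
			r := CookieReport{
				Name:       c.Name,
				ThirdParty: site(o.FromHost) != site(pageHost),
				HttpOnly:   c.HttpOnly,
				Secure:     c.Secure,
			}
			switch {
			// Max-Age=0 (net/http reports it as -1) or an Expires in the past
			// tells the browser to delete the cookie.
			case c.MaxAge < 0 || (!c.Expires.IsZero() && !c.Expires.After(now)):
				r.Kind = "deleted"
			// A positive Max-Age or a future Expires survives closing the browser.
			case c.MaxAge > 0 || !c.Expires.IsZero():
				r.Kind = "persistent"
			// Neither attribute: kept only until the browser closes.
			default:
				r.Kind = "session"
			}
			out = append(out, r)
		}
	}
	return out
}

func main() {
	// Constructed sample headers, as if captured while viewing www.example.com.
	observed := []Observed{
		{"www.example.com", "sid=abc123; Path=/; HttpOnly; Secure"},
		{"www.example.com", "prefs=dark; Max-Age=31536000"},
		{"ads.example.net", "track=xyz; Expires=Tue, 01 Jan 2030 00:00:00 GMT"},
		{"www.example.com", "old=; Max-Age=0"},
	}
	for _, r := range ClassifyCookies("www.example.com", observed, time.Now()) {
		fmt.Printf("%-6s %-10s third-party=%-5t httponly=%-5t secure=%t\n",
			r.Name, r.Kind, r.ThirdParty, r.HttpOnly, r.Secure)
	}
}
```

The "track" cookie is the one a "block third-party cookies" setting would refuse: it is persistent and was set by a site other than the one being viewed. The HttpOnly and Secure flags are reported because they are what limits a cookie's exposure to page scripts and to unencrypted connections.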

Author: Mindi McDowell. Copyright 2004 Carnegie Mellon University.

Cyber Security Tip ST06-003
Staying Safe on Social Network Sites

The popularity of social networking sites continues to increase, especially among teenagers and young adults. The nature of these sites introduces security risks, so you should take certain precautions.

What are social networking sites?
Social networking sites, sometimes referred to as “friend-of-a-friend” sites, build upon the concept of traditional social networks where you are connected to new people through people you already know. The purpose of some networking sites may be purely social, allowing users to establish friendships or romantic relationships, while others may focus on establishing business connections.

Although the features of social networking sites differ, they all allow you to provide information about yourself and offer some type of communication mechanism (forums, chat rooms, email, instant messenger) that enables you to connect with other users. On some sites, you can browse for people based on certain criteria, while other sites require that you be “introduced” to new people through a connection you share. Many of the sites have communities or subgroups that may be based on a particular interest.

What security implications do these sites present?
Social networking sites rely on connections and communication, so they encourage you to provide a certain amount of personal information. When deciding how much information to reveal, people may not exercise the same amount of caution as they would when meeting someone in person because
• the internet provides a sense of anonymity
• the lack of physical interaction provides a false sense of security
• they tailor the information for their friends to read, forgetting that others may see it
• they want to offer insights to impress potential friends or associates

While the majority of people using these sites do not pose a threat, malicious people may be drawn to them because of the accessibility and amount of personal information that’s available. The more information malicious people have about you, the easier it is for them to take advantage of you. Predators may form relationships online and then convince unsuspecting individuals to meet them in person. That could lead to a dangerous situation. The personal information can also be used to conduct a social engineering attack (see Avoiding Social Engineering and Phishing Attacks for more information). Using information that you provide about your location, hobbies, interests, and friends, a malicious person could impersonate a trusted friend or convince you that they have the authority to access other personal or financial data.

Additionally, because of the popularity of these sites, attackers may use them to distribute malicious code. Sites that offer applications developed by third parties are particularly susceptible. Attackers may be able to create customized applications that appear to be innocent while infecting your computer without your knowledge.

How can you protect yourself?
• Limit the amount of personal information you post – Do not post information that would make you vulnerable, such as your address or information about your schedule or routine. If your connections post information about you, make sure the combined information is not more than you would be comfortable with strangers knowing. Also be considerate when posting information, including photos, about your connections.
• Remember that the internet is a public resource – Only post information you are comfortable with anyone seeing. This includes information and photos in your profile and in blogs and other forums. Also, once you post information online, you can’t retract it. Even if you remove the information from a site, saved or cached versions may still exist on other people’s machines (see Guidelines for Publishing Information Online for more information).
• Be wary of strangers – The internet makes it easy for people to misrepresent their identities and motives (see Using Instant Messaging and Chat Rooms Safely for more information). Consider limiting the people who are allowed to contact you on these sites. If you interact with people you do not know, be cautious about the amount of information you reveal and about agreeing to meet them in person.
• Be skeptical – Don’t believe everything you read online. People may post false or misleading information about various topics, including their own identities. This is not necessarily done with malicious intent; it could be unintentional, an exaggeration, or a joke. Take appropriate precautions, though, and try to verify the authenticity of any information before taking any action.
• Evaluate your settings – Take advantage of a site’s privacy settings. The default settings for some sites may allow anyone to see your profile. You can customize your settings to restrict access to only certain people. However, there is a risk that even this private information could be exposed, so don’t post anything that you wouldn’t want the public to see. Also, be cautious when deciding which applications to enable, and check your settings to see what information the applications will be able to access.
• Use strong passwords – Protect your account with passwords that cannot easily be guessed (see Choosing and Protecting Passwords for more information). If your password is compromised, someone else may be able to access your account and pretend to be you.
• Check privacy policies – Some sites may share information such as email addresses or user preferences with other companies. This may lead to an increase in spam (see Reducing Spam for more information). Also, try to locate the policy for handling referrals to make sure that you do not unintentionally sign your friends up for spam. Some sites will continue to send email messages to anyone you refer until they join.
• Use and maintain anti-virus software – Anti-virus software recognizes most known viruses and protects your computer against them, so you may be able to detect and remove the virus before it can do any damage (see Understanding Anti-Virus Software for more information). Because attackers are continually writing new viruses, it is important to keep your definitions up to date.
Children are especially susceptible to the threats that social networking sites present. Although many of these sites have age restrictions, children may misrepresent their ages so that they can join. By teaching children about internet safety, being aware of their online habits, and guiding them to appropriate sites, parents can make sure that the children become safe and responsible users (see Keeping Children Safe Online for more information).

Author: Mindi McDowell. Produced 2006, 2009 by US-CERT, a government organization.

Cyber Security Tip ST04-014
Avoiding Social Engineering and Phishing Attacks

Do not give sensitive information to anyone unless you are sure that they are indeed who they claim to be and that they should have access to the information.

What is a social engineering attack?
To launch a social engineering attack, an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity. However, by asking questions, he or she may be able to piece together enough information to infiltrate an organization’s network. If an attacker is not able to gather enough information from one source, he or she may contact another source within the same organization and rely on the information from the first source to add to his or her credibility.

What is a phishing attack?
Phishing is a form of social engineering. Phishing attacks use email or malicious web sites to solicit personal, often financial, information. Attackers may send email seemingly from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem. When users respond with the requested information, attackers can use it to gain access to the accounts.

How do you avoid being a victim?
• Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
• Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information.
• Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
• Don’t send sensitive information over the Internet before checking a web site’s security (see Protecting Your Privacy for more information).
• Pay attention to the URL of a web site. Malicious web sites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
• If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a web site connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org/phishing_archive.html).
• Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic (see Understanding Firewalls, Understanding Anti-Virus Software, and Reducing Spam for more information).
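The "pay attention to the URL" advice above, turned into a check a mail filter or a cautious reader can run before following a link. This is an added example written for this page, not a US-CERT tool: given the host you expect for the organization, it parses the link with Go's net/url and reports whether the host is that site, the same name under a different domain (.com vs. .net), a spelling variation within two edits, or something unrelated. It goes a little beyond the page by also flagging the trusted name appearing as a subdomain of some other domain. It never fetches the link. The sample links and the expected host are constructed; example.com, example.net and .test are reserved names and do not belong to any real organization.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// LinkCheck is the outcome of comparing a link's host against the host you expect.
type LinkCheck struct {
	Host  string
	Kind  string // "match", "name-in-subdomain", "different-tld", "lookalike" or "unrelated"
	HTTPS bool   // a legitimate login or account page should be served over HTTPS
}

// labels splits a host into DNS labels, lower-cased, trailing dot removed.
func labels(host string) []string {
	return strings.Split(strings.TrimSuffix(strings.ToLower(host), "."), ".")
}

func least(a, b, c int) int {
	if b < a {
		a = b
	}
	if c < a {
		a = c
	}
	return a
}

// editDistance is the Levenshtein distance: the number of single-character
// insertions, deletions or substitutions that turn a into b.
func editDistance(a, b string) int {
	prev := make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		cur := make([]int, len(b)+1)
		cur[0] = i
		for j := 1; j <= len(b); j++ {
			cost := 1
			if a[i-1] == b[j-1] {
				cost = 0
			}
			cur[j] = least(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev = cur
	}
	return prev[len(b)]
}

// CheckLink classifies the host in rawURL relative to trustedHost (e.g. "example.com").
// Only the second-level label is compared for spelling; the public suffix list is
// not consulted, which is a simplification assumed for this example.
func CheckLink(rawURL, trustedHost string) (LinkCheck, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return LinkCheck{}, err
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return LinkCheck{}, fmt.Errorf("no host in %q", rawURL)
	}
	trusted := strings.ToLower(trustedHost)
	res := LinkCheck{Host: host, HTTPS: u.Scheme == "https"}
	tl, hl := labels(trusted), labels(host)
	switch {
	case host == trusted || strings.HasSuffix(host, "."+trusted):
		res.Kind = "match" // the expected site or one of its own subdomains
	case strings.Contains(host, trusted+"."):
		res.Kind = "name-in-subdomain" // real name present, but under another domain
	case len(tl) >= 2 && len(hl) >= 2 && hl[len(hl)-2] == tl[len(tl)-2]:
		res.Kind = "different-tld" // same name, different top-level domain
	case len(tl) >= 2 && len(hl) >= 2 && editDistance(hl[len(hl)-2], tl[len(tl)-2]) <= 2:
		res.Kind = "lookalike" // a spelling variation of the expected name
	default:
		res.Kind = "unrelated"
	}
	return res, nil
}

func main() {
	// Constructed links; none of these hosts is a real organization.
	for _, raw := range []string{
		"https://www.example.com/login",
		"https://example.net/login",
		"https://exarnple.com/login",
		"https://example.com.example.net/login",
		"http://www.example.com/login",
	} {
		r, err := CheckLink(raw, "example.com")
		if err != nil {
			fmt.Println(raw, "->", err)
			continue
		}
		fmt.Printf("%-40s %-18s https=%t\n", raw, r.Kind, r.HTTPS)
	}
}
```

Anything other than "match" over HTTPS is a reason to stop and verify through contact information from a previous statement, as the list above says, rather than through the link itself.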
What do you do if you think you are a victim?
• If you believe you might have revealed sensitive information about your organization, report it to the appropriate people within the organization, including network administrators. They can be alert for any suspicious or unusual activity.
• If you believe your financial accounts may be compromised, contact your financial institution immediately and close any accounts that may have been compromised. Watch for any unexplainable charges to your account.
• Consider reporting the attack to the police, and file a report with the Federal Trade Commission (http://www.ftc.gov/).

Author: Mindi McDowell. Copyright 2004 Carnegie Mellon University.