
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cyber Security Tip ST04-024
Understanding ISPs
ISPs offer services like email and internet access. Compare factors
like security, services, and cost so that you find an ISP that
supports all of your needs.
What is an ISP?
An ISP, or internet service provider, is a company that provides its
customers access to the internet and other web services. In addition
to maintaining a direct line to the internet, the company usually
maintains web servers. By supplying necessary software, a
password-protected user account, and a phone number to dial into the
internet connection, ISPs offer their customers the capability to
browse the web and exchange email with other people. Some ISPs also
offer additional services.
ISPs can vary in size--some are operated by one individual, while
others are large corporations. They may also vary in scope--some only
support users in a particular city, while others have regional or
national capabilities.
What services do ISPs provide?
Almost all ISPs offer email and web browsing capabilities. They also
offer varying degrees of user support, usually in the form of an email
address or customer support hotline. Most ISPs also offer web hosting
capabilities, allowing users to create and maintain personal web
pages; and some may even offer the service of developing the pages for
you. Many ISPs offer the option of high-speed access through DSL or
cable modems, while others may just rely on dial-up connections.
As part of normal operation, most ISPs perform backups of email and
web files. If the ability to recover email and web files is important
to you, check with your ISP to see if they back up the data; it might
not be advertised as a service. Additionally, some ISPs may implement
firewalls to block some incoming traffic, although you should consider
this a supplement to your own security precautions, not a replacement.
How do you choose an ISP?
There are thousands of ISPs, and it's often difficult to decide which
one best suits your needs. Some factors to consider include
* security - Do you feel that the ISP is concerned about security?
Does it use encryption and SSL (see Protecting Your Privacy for
more information) to protect any information you submit (e.g.,
user name, password)?
* privacy - Does the ISP have a published privacy policy? Are you
comfortable with who has access to your information and how it is
being handled and used?
* services - Does your ISP offer the services you want? Do they meet
your requirements? Is there adequate support for the services?
* cost - Are the ISP's costs affordable? Are they reasonable for the
number of services you receive, as well as the level of those
services? Are you sacrificing quality and security to get the
lowest price?
* reliability - Are the services your ISP provides reliable, or are
they frequently unavailable due to maintenance, security problems,
a high volume of users, or other reasons? If the ISP knows that
services will be unavailable for a particular reason, does it
adequately communicate that information?
* user support - Are there published methods for contacting customer
support? Do you receive prompt and friendly service? Do their
hours of availability accommodate your needs? Do the consultants
have the appropriate level of knowledge?
* speed - How fast is your ISP's connection? Is it sufficient for
accessing your email or navigating the internet?
* recommendations - Have you heard or seen positive reviews about
the ISP? Were they from trusted sources? Does the ISP serve your
geographic area? If you've uncovered negative points, are they
factors you are concerned about?
_________________________________________________________________
Author: Mindi McDowell
_________________________________________________________________
This document can also be found at
<http://www.us-cert.gov/cas/tips/ST04-024.html>
Copyright 2004 Carnegie Mellon University
Terms of use
<http://www.us-cert.gov/legal.html>
Cyber Security Tip ST04-023
Understanding Your Computer: Email Clients
The main difference between email clients is the user interface.
Regardless of which software you decide to use, follow good security
practices when reading or sending email.
How do email clients work?
Every email address has two basic parts: the user name and the domain
name. When you are sending email to someone else, your domain's server
has to communicate with your recipient's domain server.
For example, let's assume that your email address is
johndoe@example.com, and the person you are contacting is at
janesmith@anotherexample.org. In very basic terms, after you hit send,
the server hosting your domain (example.com) looks at the email
address and then contacts the server hosting the recipient's domain
(anotherexample.org) to let it know that it has a message for someone
at that domain. Once the connection has been established, the server
hosting the recipient's domain (anotherexample.org) then looks at the
user name of the email address and routes the message to that account.
How many email clients are there?
There are many different email clients and services, each with its own
interface. Some are web-based, some are stand-alone graphics-based,
and some are text-based. The following are some well-known email
programs:
Web-based
* Hotmail
* Yahoo! Mail
Stand-alone graphics-based
* Eudora
* Mulberry
* Outlook and Outlook Express
* Pegasus
* Thunderbird
Text-based
* Pine
How do you choose an email client?
There is usually an email client included with the installation of
your operating system, but many other alternatives are available. Be
wary of "home-brewed" software, because it may not be as secure or
reliable as software that is tested and actively maintained. Some of
the factors to consider when deciding which email client best suits
your needs include
* security - Do you feel that your email program offers you the
level of security you want for sending, receiving, and reading
email messages? How does it handle attachments? If you are dealing
with sensitive information, do you have the option of sending and
receiving signed and/or encrypted messages?
* privacy - If you are using a web-based service, have you read its
privacy policy? Do you know what information is being collected
and who has access to it? Are there options for filtering spam?
* functionality - Does the software send, receive, and interpret
email messages appropriately?
* reliability - For web-based services, is the server reliable, or
is your email frequently unavailable due to maintenance, security
problems, a high volume of users, or other reasons?
* availability - Do you need to be able to access your account from
any computer?
* ease of use - Are the menus and options easy to understand and
use?
* visual appeal - Do you find the interface appealing?
Each email client may have a different way of organizing drafted,
sent, saved, and deleted mail. Familiarize yourself with the software
so that you can find and store messages easily, and so that you don't
unintentionally lose messages. Once you have chosen the software you
want to use for your email, protect yourself and your contacts by
following good security practices.
Can you use more than one email client?
You can have more than one email client, although you may have issues
with compatibility. Some email accounts, such as those issued through
your internet service provider (ISP) or place of employment, are only
accessible from a computer that has appropriate privileges and
settings for you to access that account. You can use any stand-alone
email client to read those messages, but if you have more than one
client installed on your machine, you should choose one as your
default. When you click an email link in a browser or email message,
your computer will open that default email client that you chose.
Most vendors give you the option to download their email software
directly from their web sites. Make sure to verify the authenticity of
the site before downloading any files, and follow other good security
practices, like keeping anti-virus software up to date, to further
minimize risk.
You can also maintain free email accounts through browser-based email
clients (e.g., Yahoo!, Hotmail) that you can access from any computer.
Because these accounts are maintained directly on the vendors'
servers, they don't interfere with other email accounts.
_________________________________________________________________
Author: Mindi McDowell
_________________________________________________________________
This document can also be found at
<http://www.us-cert.gov/cas/tips/ST04-023.html>
Cyber Security Tip ST04-022
Understanding Your Computer: Web Browsers
Web browsers allow you to navigate the internet. There are a variety
of options available, so you can choose the one that best suits your
needs.
How do web browsers work?
A web browser is an application that finds and displays web pages. It
coordinates communication between your computer and the web server
where a particular web site "lives."
When you open your browser and type in a web address (URL) for a web
site, the browser contacts that server, requests the web page you
asked for, and displays the page on your computer. The browser
translates the code (written in a language such as HTML or XML) for
the different elements of the page (text, images, sounds) into the
appropriate format and displays the resulting page.
How many browsers are there?
There are many different browsers. Most users are familiar with
graphical browsers, which display both text and graphics and may also
display multimedia elements such as sound or video clips. However,
there are also text-based browsers. The following are some well-known
browsers:
* Internet Explorer
* Mozilla
* Firefox
* AOL
* Opera
* Safari - a browser specifically designed for Macintosh computers
* Lynx - a text-based browser desirable for vision-impaired users
because of the availability of special devices that read the text
How do you choose a browser?
A browser is usually included with the installation of your operating
system, but you are not restricted to that choice. Some of the factors
to consider when deciding which browser best suits your needs include
* compatibility - Does the browser work with your operating system?
* security - Do you feel that your browser offers you the level of
security you want?
* ease of use - Are the menus and options easy to understand and
use?
* functionality - Does the browser interpret web content correctly?
If you need to install other plug-ins or devices to translate
certain types of content, do they work?
* appeal - Do you find the interface and way the browser interprets
web content visually appealing?
Can you have more than one browser installed at the same time?
If you decide to change your browser or add another one, you don't
have to uninstall the browser that's currently on your computer--you
can have more than one browser on your computer at once. However, you
will be prompted to choose one as your default browser. Anytime you
follow a link in an email message or document, or you double-click a
shortcut to a web page on your desktop, the page will open using your
default browser. You can manually open the page in another browser.
Most vendors give you the option to download their browsers directly
from their web sites. Make sure to verify the authenticity of the site
before downloading any files, and follow other good security
practices, like keeping anti-virus software up to date, to further
minimize risk.
_________________________________________________________________
Author: Mindi McDowell
_________________________________________________________________
This document can also be found at
<http://www.us-cert.gov/cas/tips/ST04-022.html>
Cyber Security Tip ST04-021
Understanding Your Computer: Operating Systems
The operating system is the most fundamental program that runs on your
computer. It serves as the basis for how everything else works.
What is an operating system?
An operating system (OS) is the main program on a computer. It
performs a variety of functions, including
* determining what types of software you can install
* coordinating the applications running on the computer at any given
time
* making sure that individual pieces of hardware, such as printers,
keyboards, and disk drives, all communicate properly
* allowing applications such as word processors, email clients, and
web browsers, to perform tasks on the system (e.g., drawing
windows on the screen, opening files, communicating on a network)
and utilize other system resources (e.g., printers, disk drives)
* reporting error messages
The OS also determines how you see information and perform tasks. Some
operating systems utilize a graphical user interface (GUI), which
presents information through pictures (icons, buttons, dialog boxes,
etc.) as well as words. Other operating systems can rely solely on
text.
How do you choose an operating system?
In very simplistic terms, when you choose to buy a computer, you are
usually also choosing an operating system. Although you may change it,
vendors typically ship computers with a particular operating system.
There are multiple operating systems, each with different features and
benefits, but the following three are the most common:
* Windows - Windows, with versions including Windows Me, Windows
2000, and Windows XP, is the most common operating system for home
users. It is produced by Microsoft and is typically included on
machines purchased in electronics stores or from vendors such as
Dell or Gateway. The Windows OS uses a GUI, which many users find
more appealing and easier to use than text-based interfaces.
* Mac OS X - Produced by Apple, Mac OS X is the operating system
used on Macintosh computers. With the exception of a different
GUI, it is similar to the Windows interface in the way it
operates.
* Linux and other UNIX-derived operating systems - Linux and other
systems derived from the UNIX operating system are frequently
utilized for specialized workstations and servers, such as web and
email servers. Because they are often more difficult for general
users or require specialized knowledge and skills to operate, they
are not very popular with home users. However, as they continue to
develop and become easier to use, they may become more popular on
typical home user systems.
_________________________________________________________________
Authors: Mindi McDowell, Chad Dougherty
_________________________________________________________________
This document can also be found at
<http://www.us-cert.gov/cas/tips/ST04-021.html>
Protecting Portable Devices: Data Security
In addition to taking precautions to protect your portable devices, it
is important to add another layer of security by protecting the data
itself.
Why do you need another layer of protection?
Although there are ways to physically protect your laptop, PDA, or
other portable device (see Protecting Portable Devices: Physical
Security for more information), there is no guarantee that it won't be
stolen. After all, as the name suggests, portable devices are designed
to be easily transported. The theft itself is, at the very least,
frustrating, inconvenient, and unnerving, but the exposure of
information on the device could have serious consequences. Also,
remember that any devices that are connected to the internet,
especially if it is a wireless connection, are also susceptible to
network attacks.
What can you do?
* Use passwords correctly - In the process of getting to the
information on your portable device, you probably encounter
multiple prompts for passwords. Take advantage of this security.
Don't choose options that allow your computer to remember
passwords, don't choose passwords that thieves could easily guess,
and use different passwords for different programs (see Choosing
and Protecting Passwords for more information).
* Consider storing important data separately - There are many forms
of storage media, including floppy disks, zip disks, CDs, DVDs,
and removable flash drives (also known as USB drives or thumb
drives). By saving your data on removable media and keeping it in
a different location (e.g., in your suitcase instead of your
laptop bag), you can protect your data even if your laptop is
stolen. You should make sure to secure the location where you keep
your data to prevent easy access.
* Encrypt files - By encrypting files, you ensure that unauthorized
people can't view data even if they can physically access it. You
may also want to consider options for full disk encryption, which
prevents a thief from even starting your laptop without a
passphrase. When you use encryption, it is important to remember
your passwords and passphrases; if you forget or lose them, you
may lose your data.
* Install and maintain anti-virus software - Protect laptops and
PDAs from viruses the same way you protect your desktop computer.
Make sure to keep your virus definitions up to date (see
Understanding Anti-Virus Software for more information).
* Install and maintain a firewall - While always important for
restricting traffic coming into and leaving your computer,
firewalls are especially important if you are traveling and
utilizing different networks. Firewalls can help prevent outsiders
from gaining unwanted access (see Understanding Firewalls for more
information).
* Back up your data - Make sure to back up any data you have on your
computer onto a CD-ROM, DVD-ROM, or network. Not only will this
ensure that you will still have access to the information if your
device is stolen, but it could help you identify exactly which
information a thief may be able to access. You may be able to take
measures to reduce the amount of damage that exposure could cause.
_________________________________________________________________
Authors: Mindi McDowell, Matt Lytle
_________________________________________________________________
This document is available at:
<http://www.us-cert.gov/cas/tips/ST04-020.html>
Cyber Security Tip ST04-019
Understanding Encryption
Encrypting data is a good way to protect sensitive information. It
ensures that the data can only be read by the person who is authorized
to have access to it.
What is encryption?
In very basic terms, encryption is a way to send a message in code.
The only person who can decode the message is the person with the
correct key; to anyone else, the message looks like a random series of
letters, numbers, and characters.
Encryption is especially important if you are trying to send sensitive
information that other people should not be able to access. Because
email messages are sent over the internet and might be intercepted by
an attacker, it is important to add an additional layer of security to
sensitive information.
How is it different from digital signatures?
Like digital signatures, public-key encryption utilizes software such
as PGP, converts information with mathematical algorithms, and relies
on public and private keys, but there are differences:
* The purpose of encryption is confidentiality--concealing the
content of the message by translating it into a code. The purpose
of digital signatures is integrity and authenticity--verifying the
sender of a message and indicating that the content has not been
changed. Although encryption and digital signatures can be used
independently, you can also sign an encrypted message.
* When you sign a message, you use your private key, and anybody who
has your public key can verify that the signature is valid (see
Understanding Digital Signatures for more information). When you
encrypt a message, you use the public key for the person you're
sending it to, and his or her private key is used to decrypt the
message. Because people should keep their private keys
confidential and should protect them with passwords, the intended
recipient should be the only one who is able to view the
information.
How does encryption work?
1. Obtain the public key for the person you want to be able to read
the information. If you get the key from a public key ring,
contact the person directly to confirm the fingerprint.
2. Encrypt the email message using their public key. Most email
clients have a feature to easily perform this task.
3. When the person receives the message, he or she will be able to
decrypt it.
_________________________________________________________________
Author: Mindi McDowell
_________________________________________________________________
This document can also be found at
<http://www.us-cert.gov/cas/tips/ST04-019.html>
Understanding Digital Signatures
Digital signatures are a way to verify that an email message is really
from the person who supposedly sent it and that it hasn't been
changed.
What is a digital signature?
You may have received emails that have a block of letters and numbers
at the bottom of the message. Although it may look like useless text
or some kind of error, this information is actually a digital
signature. To generate a signature, a mathematical algorithm is used
to combine the information in a key with the information in the
message. The result is a random-looking string of letters and numbers.
So, the signature doesn't just tell you that this person wrote a
message, it tells you that this person wrote this message.
Why would you use one?
Because it is so easy for attackers and viruses to "spoof" email
addresses (see Using Caution with Email Attachments for more
information), it is sometimes difficult to identify legitimate
messages. Authenticity may be especially important for business
correspondence--if you are relying on someone to provide or verify
information, you want to be sure that the information is coming from
the correct source. A signed message also indicates that changes have
not been made to the content since it was sent; any changes would
cause the signature to break.
How does it work?
Before you can understand how a digital signature works, there are
some terms you should know:
* Keys - Keys are used to create digital signatures. For every
signature, there is a public key and a private key.
+ Private key - The private key is the portion of the key you
use to actually sign an email message. The private key is
protected by a password, and you should never give your
private key to anyone.
+ Public key - The public key is the portion of the key that is
available to other people. Whether you upload it to a public
key ring or send it to someone, this is the key other people
can use to check your signature. A list of other people who
have signed your key is also included with your public key.
You will only be able to see their identity if you already
have their public keys on your key ring.
* Key ring - A key ring contains public keys. You have a key ring
that contains the keys of people who have sent you their keys or
whose keys you have gotten from a public key server. A public key
server contains keys of people who have chosen to upload their
keys.
* Fingerprint - When confirming a key, you will actually be
confirming the unique series of letters and numbers that comprise
the fingerprint of the key. The fingerprint is a different series
of letters and numbers than the chunk of information that appears
at the bottom of a signed email message.
* Key certificates - When you select a key on a key ring, you will
usually see the key certificate, which contains information about
the key, such as the key owner, the date the key was created, and
the date the key will expire. You can see an example of the
information included in a key certificate by looking at Sending
Sensitive Information to US-CERT.
* "Web of trust" - When someone signs your key, they are confirming
that the key actually belongs to you. The more signatures you
collect, the stronger your key becomes. If someone sees that your
key has been signed by other people that he or she trusts, he or
she is more inclined to trust your key. Note: Just because someone
else has trusted a key or you find it on a public key ring does
not mean you should automatically trust it. You should always
verify the fingerprint yourself.
The process for creating, obtaining, and using keys is fairly
straightforward:
1. Generate a key using software such as PGP, which stands for Pretty
Good Privacy, or GnuPG, which stands for GNU Privacy Guard.
2. Increase the authenticity of your key by having your key signed by
co-workers or other associates who also have keys. In the process
of signing your key, they will confirm that the fingerprint on the
key you sent them belongs to you. By doing this, they verify your
identity and indicate trust in your key.
3. Upload your signed key to a public key ring so that if someone
gets a message with your signature, they can verify the digital
signature.
4. Digitally sign your outgoing email messages. Most email clients
have a feature to easily add your digital signature to your
message.
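The sign/verify steps listed above, together with the encrypt/decrypt steps from the Understanding Encryption tip's "How does encryption work?" list, as an added worked example in Python that is not part of the US-CERT tips: textbook RSA on small constructed primes with no padding, with hypothetical parties Alice and Bob, which shows why signing uses the sender's private key while encrypting uses the recipient's public key, why a changed message "breaks" the signature, and what a fingerprint check compares. Real tools such as PGP or GnuPG use large random keys, padding and key certificates that this toy omits.

```python
"""Toy demonstration of signing vs. encrypting with public/private key pairs.

Textbook RSA on small constructed primes, no padding: for illustrating the
two operations described in the tips, not for real use.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int


@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int


def make_keypair(p: int, q: int, e: int = 65537) -> tuple[PublicKey, PrivateKey]:
    """Derive a key pair from two primes (constructed here; real tools pick large random ones)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse of e (Python 3.8+)
    return PublicKey(n, e), PrivateKey(n, d)


def fingerprint(pub: PublicKey) -> str:
    """Hash of the public key material: the short string you confirm with the owner directly."""
    return hashlib.sha1(f"{pub.n}:{pub.e}".encode()).hexdigest()


def fingerprint_matches(pub: PublicKey, expected: str) -> bool:
    """Compare a downloaded key's fingerprint with the one its owner told you out of band."""
    return hmac.compare_digest(fingerprint(pub), expected.lower())


def _digest_int(msg: bytes, n: int) -> int:
    """Hash the message and reduce it into the key's range; the signature covers this value."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(msg: bytes, priv: PrivateKey) -> int:
    """Signing uses the sender's PRIVATE key over a hash of the message."""
    return pow(_digest_int(msg, priv.n), priv.d, priv.n)


def verify(msg: bytes, sig: int, pub: PublicKey) -> bool:
    """Anyone holding the sender's PUBLIC key can check the signature."""
    return pow(sig, pub.e, pub.n) == _digest_int(msg, pub.n)


def encrypt(msg: bytes, pub: PublicKey) -> list[int]:
    """Encryption uses the RECIPIENT's public key (one byte per block in this toy)."""
    return [pow(b, pub.e, pub.n) for b in msg]


def decrypt(blocks: list[int], priv: PrivateKey) -> bytes:
    """Only the matching private key recovers the plaintext bytes."""
    plain = [pow(c, priv.d, priv.n) for c in blocks]
    if any(v > 255 for v in plain):
        raise ValueError("wrong key or corrupted ciphertext")
    return bytes(plain)


def send_signed_encrypted(msg: bytes, sender_priv: PrivateKey,
                          recipient_pub: PublicKey) -> tuple[list[int], int]:
    """Encrypt for the recipient, then sign the ciphertext (the tips note both can be combined)."""
    ct = encrypt(msg, recipient_pub)
    sig = sign(repr(ct).encode(), sender_priv)
    return ct, sig


def receive_signed_encrypted(ct: list[int], sig: int, sender_pub: PublicKey,
                             recipient_priv: PrivateKey) -> bytes:
    """Check the signature first; any change to the ciphertext makes it fail."""
    if not verify(repr(ct).encode(), sig, sender_pub):
        raise ValueError("signature does not verify: altered or not from the claimed sender")
    return decrypt(ct, recipient_priv)


# Constructed key pairs for two hypothetical parties (small primes, illustration only).
ALICE_PUB, ALICE_PRIV = make_keypair(104729, 1299709)
BOB_PUB, BOB_PRIV = make_keypair(1000003, 1000033)

if __name__ == "__main__":
    ct, sig = send_signed_encrypted(b"meet at noon", ALICE_PRIV, BOB_PUB)
    print("Alice fingerprint:", fingerprint(ALICE_PUB))
    print("Bob reads:", receive_signed_encrypted(ct, sig, ALICE_PUB, BOB_PRIV))
```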
_________________________________________________________________
Authors: Mindi McDowell, Allen Householder
_________________________________________________________________
9/8/04
Cyber Security Tip ST04-017
Protecting Portable Devices: Physical Security
Many computer users, especially those who travel for business, rely on
laptops and PDAs because they are small and easily transported. But
while these characteristics make them popular and convenient, they
also make them an ideal target for thieves. Make sure to secure your
portable devices to protect both the machine and the information it
contains.
What is at risk?
Only you can determine what is actually at risk. If a thief steals
your laptop or PDA, the most obvious loss is the machine itself.
However, if the thief is able to access the information on the
computer or PDA, all of the information stored on the device is at
risk, as well as any additional information that could be accessed as
a result of the data stored on the device itself.
Sensitive corporate information or customer account information should
not be accessed by unauthorized people. You've probably heard news
stories about organizations panicking because laptops with
confidential information on them have been lost or stolen. But even if
there isn't any sensitive corporate information on your laptop or PDA,
think of the other information at risk: information about
appointments, passwords, email addresses and other contact
information, personal information for online accounts, etc.
How can you protect your laptop or PDA?
* Password-protect your computer - Make sure that you have to enter
a password to log in to your computer (see Choosing and Protecting
Passwords for more information).
* Keep your laptop or PDA with you at all times - When traveling,
keep your laptop with you. Meal times are optimum times for
thieves to check hotel rooms for unattended laptops. If you are
attending a conference or trade show, be especially wary--these
venues offer thieves a wider selection of devices that are likely
to contain sensitive information, and the conference sessions
offer more opportunities for thieves to access guest rooms.
* Downplay your laptop or PDA - There is no need to advertise to
thieves that you have a laptop or PDA. Avoid using your portable
device in public areas, and consider non-traditional bags for
carrying your laptop.
* Consider an alarm or lock - Many companies sell alarms or locks
that you can use to protect or secure your laptop. If you travel
often or will be in a heavily populated area, you may want to
consider investing in an alarm for your laptop bag or a lock to
secure your laptop to a piece of furniture.
* Back up your files - If your portable device is stolen, it's bad
enough that someone else may be able to access your information.
To avoid losing all of the information, make backups of important
information and store the backups in a separate location (see Good
Security Habits for more information). Not only will you still be
able to access the information, but you'll be able to identify and
report exactly what information is at risk.
What can you do if your laptop or PDA is lost or stolen?
Report the loss or theft to the appropriate authorities. These parties
may include representatives from law enforcement agencies, as well as
hotel or conference staff. If your device contained sensitive
corporate or customer account information, immediately report the loss
or theft to your organization so that they can act quickly.
_________________________________________________________________
Author: Mindi McDowell
_________________________________________________________________
This document can also be found at
<http://www.us-cert.gov/cas/tips/ST04-017.html>
Copyright 2004 Carnegie Mellon University
Terms of use
<http://www.us-cert.gov/legal.html>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQFBP1xvXlvNRxAkFWARArFgAKCWpURrQ52/3xGdUMiWAeXQ95QT0wCggo6z
JBg2gV9JLPwqPREz6dyRPq8=
=OY91
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Recognizing and Avoiding Spyware
Because of its popularity, the internet has become an ideal target for
advertising. As a result, spyware, or adware, has become increasingly
prevalent. When troubleshooting problems with your computer, you may
discover that the source of the problem is spyware software that has
been installed on your machine without your knowledge.
What is spyware?
Despite its name, the term "spyware" doesn't refer to something used
by undercover operatives, but rather by the advertising industry. In
fact, spyware is also known as "adware." It refers to a category of
software that, when installed on your computer, may send you pop-up
ads, redirect your browser to certain web sites, or monitor the web
sites that you visit. Some extreme, invasive versions of spyware may
track exactly what keys you type.
Because of the extra processing, spyware may cause your computer to
become slow or sluggish. There are also privacy implications:
* What information is being gathered?
* Who is receiving it?
* How is it being used?
How do you know if there is spyware on your computer?
The following symptoms may indicate that spyware is installed on your
computer:
* you are subject to endless pop-up windows
* you are redirected to web sites other than the one you typed into
your browser
* new, unexpected toolbars appear in your web browser
* new, unexpected icons appear in the task tray at the bottom of
your screen
* your browser's home page suddenly changed
* the search engine your browser opens when you click "search" has
been changed
* certain keys fail to work in your browser (e.g., the tab key
doesn't work when you are moving to the next field within a form)
* random Windows error messages begin to appear
* your computer suddenly seems very slow when opening programs or
processing tasks (saving files, etc.)
How can you prevent spyware from installing on your computer?
To avoid unintentionally installing it yourself, follow these good
security practices:
* Don't click on links within pop-up windows - Because pop-up
windows are often a product of spyware, clicking on the window may
install spyware software on your computer. To close the pop-up
window, click on the "X" icon in the titlebar instead of a "close"
link within the window.
* Choose "no" when asked unexpected questions - Be wary of
unexpected dialog boxes asking whether you want to run a
particular program or perform another type of task. Always select
"no" or "cancel," or close the dialog box by clicking the "X" icon
in the titlebar.
* Be wary of free downloadable software - There are many sites that
offer customized toolbars or other features that appeal to users.
Don't download programs from sites you don't trust, and realize
that you may be exposing your computer to spyware by downloading
some of these programs.
* Don't follow email links claiming to offer anti-spyware software -
Like email viruses, the links may serve the opposite purpose and
actually install the spyware they claim to be eliminating.
As an additional good security practice, especially if you are
concerned that you might have spyware on your machine and want to
minimize the impact, consider taking the following action:
* Adjust your browser preferences to limit pop-up windows and
cookies - Pop-up windows are often generated by some kind of
scripting or active content. Adjusting the settings within your
browser to reduce or prevent scripting or active content may
reduce the number of pop-up windows that appear. Some browsers
offer a specific option to block or limit pop-up windows. Certain
types of cookies are sometimes considered spyware because they
reveal what web pages you have visited. You can adjust your
privacy settings to only allow cookies for the web site you are
visiting (see Browsing Safely: Understanding Active Content and
Cookies for more information).
How do you remove spyware?
* Run a full scan on your computer with your anti-virus software -
Some anti-virus software will find and remove spyware, but it may
not find the spyware when it is monitoring your computer in real
time. Set your anti-virus software to prompt you to run a full
scan periodically (see Understanding Anti-Virus Software for more
information).
* Run a legitimate product specifically designed to remove spyware -
Many vendors offer products that will scan your computer for
spyware and remove any spyware software. Popular products include
LavaSoft's Adaware, Webroot's SpySweeper, PestPatrol, and Spybot
Search and Destroy.
_________________________________________________________________
Authors: Mindi McDowell, Matt Lytle
_________________________________________________________________
This document can also be found at
<http://www.us-cert.gov/cas/tips/ST04-016.html>
Copyright 2004 Carnegie Mellon University
Terms of use
<http://www.us-cert.gov/legal.html>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD4DBQFBLN06XlvNRxAkFWARAusaAJd4ASwlSNxTIimC2sfrlZWXvAO7AJ9xa67i
phq/IujlxCes3jK/BP3DvA==
=YdoZ
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cyber Security Tip ST04-015
Understanding Denial-of-Service Attacks
You may have heard of denial-of-service attacks launched against web
sites, but you can also be a victim of these attacks.
Denial-of-service attacks can be difficult to distinguish from common
network activity, but there are some indications that an attack is in
progress.
What is a denial-of-service (DoS) attack?
In a denial-of-service (DoS) attack, an attacker attempts to prevent
legitimate users from accessing information or services. By targeting
your computer and its network connection, or the computers and network
of the sites you are trying to use, an attacker may be able to prevent
you from accessing email, web sites, online accounts (banking, etc.),
or other services that rely on the affected computer.
The most common and obvious type of DoS attack occurs when an attacker
"floods" a network with information. When you type a URL for a
particular web site into your browser, you are sending a request to
that site's computer server to view the page. The server can only
process a certain number of requests at once, so if an attacker
overloads the server with requests, it can't process your request.
This is a "denial of service" because you can't access that site.
An attacker can use spam email messages to launch a similar attack on
your email account. Whether you have an email account supplied by your
employer or one available through a free service such as Yahoo or
Hotmail, you are assigned a specific quota, which limits the amount of
data you can have in your account at any given time. By sending many,
or large, email messages to the account, an attacker can consume your
quota, preventing you from receiving legitimate messages.
What is a distributed denial-of-service (DDoS) attack?
In a distributed denial-of-service (DDoS) attack, an attacker may use
your computer to attack another computer. By taking advantage of
security vulnerabilities or weaknesses, an attacker could take control
of your computer. He or she could then force your computer to send
huge amounts of data to a web site or send spam to particular email
addresses. The attack is "distributed" because the attacker is using
multiple computers, including yours, to launch the denial-of-service
attack.
How do you avoid being part of the problem?
Unfortunately, there are no effective ways to prevent being the victim
of a DoS or DDoS attack, but there are steps you can take to reduce
the likelihood that an attacker will use your computer to attack other
computers:
* Install and maintain anti-virus software (see Understanding
Anti-Virus Software for more information).
* Install a firewall, and configure it to restrict traffic coming
into and leaving your computer (see Understanding Firewalls for
more information).
* Follow good security practices for distributing your email address
(see Reducing Spam for more information). Applying email filters
may help you manage unwanted traffic.
How do you know if an attack is happening?
Not all disruptions to service are the result of a denial-of-service
attack. There may be technical problems with a particular network, or
system administrators may be performing maintenance. However, the
following symptoms could indicate a DoS or DDoS attack:
* unusually slow network performance (opening files or accessing web
sites)
* unavailability of a particular web site
* inability to access any web site
* dramatic increase in the amount of spam you receive in your
account
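The symptoms above are what a user sees; the administrator who gets the report looks for the "flood" described earlier in the server's own logs. The following is an added Python example, not part of the US-CERT tip: it counts requests per source in fixed windows and flags both a single noisy host and a high total volume spread across many hosts. The log lines are constructed with RFC 5737 documentation addresses, and the thresholds are placeholders to be tuned from your own baseline traffic.

```python
"""Spot request floods in a web server log.

Added example, not part of the US-CERT tip. The log lines are constructed
(RFC 5737 documentation addresses) and the thresholds are placeholders.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: host ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return (source ip, timestamp) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")


def analyze(lines, window_seconds=10, per_source_limit=20, total_limit=50):
    """Count requests per source in fixed windows and flag two flood shapes.

    Returns (window_start_epoch, kind, source, count) tuples.
    """
    windows = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed lines are skipped, not fatal
        ip, ts = parsed
        bucket = int(ts.timestamp()) // window_seconds * window_seconds
        windows[bucket][ip] += 1

    findings = []
    for bucket, counts in sorted(windows.items()):
        # one host hammering the server: the "flood" the tip describes
        for ip, n in counts.items():
            if n > per_source_limit:
                findings.append((bucket, "single-source flood", ip, n))
        # many hosts, each under the per-source limit, but far above normal
        # total volume: what a distributed (DDoS) flood looks like in logs
        total = sum(counts.values())
        if total > total_limit and max(counts.values()) <= per_source_limit:
            findings.append((bucket, "distributed flood", f"{len(counts)} sources", total))
    return findings


def sample_log():
    """Constructed log: a quiet window, then one noisy host, then many hosts."""
    base = datetime(2004, 8, 11, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "GET /index.html HTTP/1.0" 200 2326'

    lines = [line(f"203.0.113.{i}", i) for i in range(1, 6)]              # 0-5 s: normal
    lines += [line("192.0.2.10", 10 + i % 10) for i in range(30)]          # 10-19 s: one host, 30 requests
    lines += [line(f"198.51.100.{i}", 20 + i % 10) for i in range(1, 61)]  # 20-29 s: 60 hosts, one each
    return lines


if __name__ == "__main__":
    for bucket, kind, source, count in analyze(sample_log()):
        print(datetime.fromtimestamp(bucket, timezone.utc).isoformat(), kind, source, count)
```

The two findings it reports on the sample are the two cases the tip distinguishes: a single computer sending far more than anyone else, and a flood that no single source stands out in, which is why the distributed check looks at the total rather than any one address.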
What do you do if you think you are experiencing an attack?
Even if you do correctly identify a DoS or DDoS attack, it is unlikely
that you will be able to determine the actual target or source of the
attack. Contact the appropriate technical professionals for
assistance.
* If you notice that you cannot access your own files or reach any
external web sites from your work computer, contact your network
administrators. This may indicate that your computer or your
organization's network is being attacked.
* If you are having a similar experience on your home computer,
consider contacting your Internet service provider (ISP). If there
is a problem, the ISP might be able to advise you of an
appropriate course of action.
_________________________________________________________________
Author: Mindi McDowell
_________________________________________________________________
This document can also be found at
<http://www.us-cert.gov/cas/tips/ST04-015.html>
Copyright 2004 Carnegie Mellon University
Terms of use
<http://www.us-cert.gov/legal.html>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQFBGmrhXlvNRxAkFWARAlSKAJ9+ylpmp3MCNZ60IY0GH6rpHugmKQCgqWUM
14EnTDomBrdxQ90QtjLRD94=
=8t8G
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cyber Security Tip ST04-014
Avoiding Social Engineering and Phishing Attacks
Do not give sensitive information to anyone unless you are sure that
they are indeed who they claim to be and that they should have access
to the information.
What is a social engineering attack?
To launch a social engineering attack, an attacker uses human
interaction (social skills) to obtain or compromise information about
an organization or its computer systems. An attacker may seem
unassuming and respectable, possibly claiming to be a new employee,
repair person, or researcher and even offering credentials to support
that identity. However, by asking questions, he or she may be able to
piece together enough information to infiltrate an organization's
network. If an attacker is not able to gather enough information from
one source, he or she may contact another source within the same
organization and rely on the information from the first source to add
to his or her credibility.
What is a phishing attack?
Phishing is a form of social engineering. Phishing attacks use email
or malicious web sites to solicit personal, often financial,
information. Attackers may send email seemingly from a reputable
credit card company or financial institution that requests account
information, often suggesting that there is a problem. When users
respond with the requested information, attackers can use it to gain
access to the accounts.
How do you avoid being a victim?
* Be suspicious of unsolicited phone calls, visits, or email
messages from individuals asking about employees or other internal
information. If an unknown individual claims to be from a
legitimate organization, try to verify his or her identity
directly with the company.
* Do not provide personal information or information about your
organization, including its structure or networks, unless you are
certain of a person's authority to have the information.
* Do not reveal personal or financial information in email, and do
not respond to email solicitations for this information. This
includes following links sent in email.
* Don't send sensitive information over the Internet before checking
a web site's security (see Protecting Your Privacy for more
information).
* Pay attention to the URL of a web site. Malicious web sites may
look identical to a legitimate site, but the URL may use a
variation in spelling or a different domain (e.g., .com vs. .net).
* If you are unsure whether an email request is legitimate, try to
verify it by contacting the company directly. Do not use contact
information provided on a web site connected to the request;
instead, check previous statements for contact information.
Information about known phishing attacks is also available online
from groups such as the Anti-Phishing Working Group
(http://www.antiphishing.org/phishing_archive.html).
* Install and maintain anti-virus software, firewalls, and email
filters to reduce some of this traffic (see Understanding
Firewalls, Understanding Anti-Virus Software, and Reducing Spam
for more information).
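The URL advice above (check the scheme, watch for misspellings and a different top-level domain, compare against contact information from previous statements) worked as an added Python example. This is not code from the US-CERT tip; the two trusted domain names are constructed placeholders standing in for the addresses printed on your own statements, and the spelling check uses a simple edit distance rather than any published lookalike list.

```python
"""Screen a link against the domains you already know.

Added example, not part of the US-CERT tip. TRUSTED_DOMAINS holds
constructed placeholder names; in practice the list comes from previous
statements, never from the message that carries the link.
"""
from urllib.parse import urlsplit

TRUSTED_DOMAINS = frozenset({"examplebank.com", "example-cards.net"})


def registrable_domain(host):
    """Last two labels of a host name (example.com style).

    Multi-label public suffixes such as co.uk would need a suffix list,
    which is out of scope here.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url, trusted=TRUSTED_DOMAINS):
    """Return the reasons a URL looks suspicious; an empty list means none found."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        findings.append(f"not https: scheme is {parts.scheme!r}")
    if not host:
        findings.append("no host name in URL")
        return findings
    if "@" in parts.netloc:
        findings.append("userinfo (user@) before the host hides the real domain")
    if host.replace(".", "").isdigit():
        findings.append(f"bare IP address instead of a domain name: {host}")
        return findings

    reg = registrable_domain(host)
    if reg in trusted:
        return findings  # exact match with a domain you know

    before = len(findings)
    name, _, tld = reg.rpartition(".")
    for known in sorted(trusted):
        known_name, _, known_tld = known.rpartition(".")
        if known in host:
            # e.g. examplebank.com.secure-login.example
            findings.append(f"trusted name {known} embedded in untrusted host {host}")
        elif name == known_name and tld != known_tld:
            findings.append(f"same name, different TLD: {reg} vs {known}")
        elif edit_distance(reg, known) <= 2:
            findings.append(f"lookalike spelling: {reg} vs {known}")
    if len(findings) == before:
        findings.append(f"domain not on the trusted list: {reg}")
    return findings
```

An empty result only means the link points at a domain you already trust over https; it says nothing about the page behind it, so the tip's advice to contact the company directly still applies when the request itself is unexpected.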
What do you do if you think you are a victim?
* If you believe you might have revealed sensitive information about
your organization, report it to the appropriate people within the
organization, including network administrators. They can be alert
for any suspicious or unusual activity.
* If you believe your financial accounts may be compromised, contact
your financial institution immediately and close any accounts that
may have been compromised. Watch for any unexplainable charges to
your account.
* Consider reporting the attack to the police, and file a report
with the Federal Trade Commission (http://www.ftc.gov/).
_________________________________________________________________
Author: Mindi McDowell
_________________________________________________________________
This document can also be found at
<http://www.us-cert.gov/cas/tips/ST04-014.html>
Copyright 2004 Carnegie Mellon University
Terms of use
<http://www.us-cert.gov/legal.html>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQFBB/IXXlvNRxAkFWARAoXFAJ9h5v5fRYA92eINrprC859pAmDuPgCdFdAn
K+kdzWarEjwxNUS/xCh4vbc=
=ayUq
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Protecting Your Privacy
Before submitting your email address or other personal information
online, you need to be sure that the privacy of that information will
be protected. To protect your identity and prevent an attacker from
easily accessing additional information about you, avoid providing
certain personal information such as your birth date and social
security number online.
How do you know if your privacy is being protected?
* Privacy policy
Before submitting your name, email address, or other personal
information on a web site, look for the site's privacy
policy. This policy should state how the information will be
used and whether or not the information will be distributed to
other organizations. Companies sometimes share information with
partner vendors who offer related products or may offer options
to subscribe to particular mailing lists. Look for indications
that you are being added to mailing lists by default -- failing
to deselect those options may lead to unwanted spam. If you
cannot find a privacy policy on a web site, consider contacting
the company to inquire about the policy before you submit
personal information, or find an alternate site. Privacy
policies sometimes change, so you may want to review them
periodically.
* Evidence that your information is being encrypted
To prevent attackers from hijacking your information, any
personal information submitted online should be encrypted so
that it can only be read by the appropriate recipient. Many
sites use SSL, or secure sockets layer, to encrypt
information. Indications that your information will be
encrypted include a URL that begins with "https:" instead of
"http:" and a lock icon in the bottom right corner of the
window. Some sites also indicate whether the data is encrypted
when it is stored. If data is encrypted in transit but stored
insecurely, an attacker who is able to break into the vendor's
system could access your personal information.
What additional steps can you take to protect your privacy?
* Do business with credible companies
Before supplying any information online, consider the answers
to the following questions: Do you trust the business? Is it an
established organization with a credible reputation? Does the
information on the site suggest that there is a concern for the
privacy of user information? Is there legitimate contact
information provided?
* Do not use your primary email address in online submissions
Submitting your email address could result in spam. If you do
not want your primary email account flooded with unwanted
messages, consider opening an additional email account for use
online (see "Reducing Spam" for more information
<http://www.us-cert.gov/cas/tips/ST04-007.html>). Make sure to
log in to the account on a regular basis in case the vendor
sends information about changes to policies.
* Avoid submitting credit card information online
Some companies offer a phone number you can use to provide your
credit card information. Although this does not guarantee that
the information will not be compromised, it eliminates the
possibility that attackers will be able to hijack it during the
submission process.
* Devote one credit card to online purchases
To minimize the potential damage of an attacker gaining access
to your credit card information, consider opening a credit card
account for use only online. Keep a minimum credit line on the
account to limit the amount of charges an attacker can
accumulate.
* Avoid using debit cards for online purchases
Credit cards usually offer some protection against identity
theft and may limit the monetary amount you will be responsible
for paying. Debit cards, however, do not offer that
protection. Because the charges are immediately deducted from
your account, an attacker who obtains your account information
may empty your bank account before you even realize it.
___________________________________________________________________
Author: Mindi McDowell
___________________________________________________________________
This document can also be found at
<http://www.us-cert.gov/cas/tips/ST04-013.html>
Copyright 2004 Carnegie Mellon University
Terms of use
<http://www.us-cert.gov/legal.html>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQFA9XGuXlvNRxAkFWARAmsRAJ4zH4FKY5nJ/IqijmTarhBVQgiW0gCff6Cz
VbGlmKYFuOzhoNFyxxsyd/s=
=Fl15
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Browsing Safely: Understanding Active Content and Cookies
Many people browse the Internet without much thought to what is
happening behind the scenes. Active content and cookies are common
elements that may pose hidden risks when viewed in a browser or email
client.
What is active content?
To increase functionality or add design embellishments, web sites
often rely on scripts that execute programs within the web browser.
This active content can be used to create "splash pages" or options
like drop-down menus. Unfortunately, these scripts are often a way for
attackers to download or execute malicious code on a user's computer.
* JavaScript - JavaScript is just one of many web scripts (other
examples are VBScript, ECMAScript, and JScript) and is probably
the most recognized. Used on almost every web site now, JavaScript
and other scripts are popular because users expect the
functionality and "look" that they provide, and it's easy to
incorporate (many common software programs for building web sites
have the capability to add JavaScript features with little effort
or knowledge required of the user). However, because of these
reasons, attackers can manipulate it to their own purposes. A
popular type of attack that relies on JavaScript involves
redirecting users from a legitimate web site to a malicious one
that may download viruses or collect personal information.
* Java and ActiveX controls - Different from JavaScript, Java and
ActiveX controls are actual programs that reside on your computer
or are downloaded over the network into your browser. If executed
by attackers, untrustworthy ActiveX controls may be able to do
anything on your computer that you can do (such as running spyware
and collecting personal information, connecting to other
computers, and potentially doing other damage). Java applets
usually run in a more restricted environment, but if that
environment isn't secure, then malicious Java applets may create
opportunities for attack as well.
JavaScript and other forms of active content are not always dangerous,
but they are common tools for attackers. You can prevent active
content from running in most browsers, but realize that the added
security may limit functionality and break features of some sites you
visit. Before clicking on a link to a web site that you are not
familiar with or do not trust, take the precaution of disabling active
content.
These same risks may also apply to the email program you use. Many
email clients use the same programs as web browsers to display HTML,
so vulnerabilities that affect active content like JavaScript and
ActiveX often apply to email. Viewing messages as plain text may
resolve this problem.
What are cookies?
When you browse the Internet, information about your computer may be
collected and stored. This information might be general information
about your computer (such as IP address, the domain you used to
connect (e.g., .edu, .com, .net), and the type of browser you used).
It might also be more specific information about your browsing habits
(such as the last time you visited a particular web site or your
personal preferences for viewing that site).
Cookies can be saved for varying lengths of time:
* Session cookies - Session cookies store information only as long
as you're using the browser; once you close the browser, the
information is erased. The primary purpose of session cookies is
to help with navigation, such as by indicating whether or not
you've already visited a particular page and retaining information
about your preferences once you've visited a page.
* Persistent cookies - Persistent cookies are stored on your
computer so that your personal preferences can be retained. In
most browsers, you can adjust the length of time that persistent
cookies are stored. It is because of these cookies that your email
address appears by default when you open your Yahoo or Hotmail
email account, or your personalized home page appears when you
visit your favorite online merchant. If an attacker gains access
to your computer, he or she may be able to gather personal
information about you through these files.
To increase your level of security, consider adjusting your privacy
and security settings to block or limit cookies in your web browser.
To make sure that other sites are not collecting personal information
about you without your knowledge, choose to only allow cookies for the
web site you are visiting, and block or limit third-party cookies.
If you are using a public computer, you should make sure that cookies
are disabled to prevent other people from accessing or using your
personal information.
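The distinctions this section draws (session versus persistent cookies, and cookies from the site you are visiting versus third-party ones) are all visible in the Set-Cookie header a server sends. The following is an added Python example, not part of the US-CERT tip: it parses a few constructed Set-Cookie headers and classifies each one. The host names, header values and the fixed reference time are all constructed for the sample.

```python
"""Classify Set-Cookie headers: session vs. persistent, first- vs. third-party.

Added example, not part of the US-CERT tip. The host names, header values
and reference time are constructed samples.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

SITE_HOST = "shop.example"  # the site the user actually typed into the browser (constructed)
REFERENCE_TIME = datetime(2021, 1, 1, tzinfo=timezone.utc)  # "now" for the samples

# Constructed samples: (host that sent the response, Set-Cookie header value)
SAMPLE_HEADERS = [
    ("shop.example", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("shop.example", "prefs=lang%3Den; Max-Age=31536000; Path=/"),
    ("ads.tracker-example.net",
     "uid=42; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Domain=.tracker-example.net"),
    ("shop.example", "remember=1; Expires=Fri, 31 Dec 1999 23:59:59 GMT"),
]


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attributes); attribute keys are lowercased."""
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        if piece:
            key, _, val = piece.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def classify(request_host, header, site_host=SITE_HOST, now=None):
    """Describe one cookie: who set it, how long it lives, and its protection flags."""
    now = now or datetime.now(timezone.utc)
    name, _, attrs = parse_set_cookie(header)

    # Party: a Domain attribute widens the scope; without one the cookie
    # belongs to the responding host. Anything outside the site you typed
    # in (or its subdomains) is third-party.
    scope = attrs.get("domain", request_host).lstrip(".").lower()
    first_party = (scope == site_host or scope.endswith("." + site_host)
                   or site_host.endswith("." + scope))

    # Lifetime: Max-Age wins over Expires (RFC 6265); neither means a session cookie.
    if "max-age" in attrs:
        lifetime = "persistent" if int(attrs["max-age"]) > 0 else "expired"
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        lifetime = "persistent" if expires > now else "expired"
    else:
        lifetime = "session"

    return {
        "name": name,
        "party": "first" if first_party else "third",
        "lifetime": lifetime,
        "secure": "secure" in attrs,      # only sent over https
        "httponly": "httponly" in attrs,  # not readable by page scripts
    }


def report(headers=SAMPLE_HEADERS, now=REFERENCE_TIME):
    """Classify every sampled header; returns one dict per cookie."""
    return [classify(host, header, now=now) for host, header in headers]


if __name__ == "__main__":
    for entry in report():
        print(entry)
```

The third sample is the case the section warns about: a response from an advertising host sets a persistent cookie scoped to its own domain, which is exactly what a "block third-party cookies" setting refuses to store.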
_________________________________________________________________
Author: Mindi McDowell
_________________________________________________________________
<http://www.us-cert.gov/cas/tips/ST04-012.html>
Copyright 2004 Carnegie Mellon University.
Terms of use: <http://www.us-cert.gov/legal.html>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQFA4w7nXlvNRxAkFWARApMaAKCYftnyE7oxu669giL79XPcwU03hgCfcTCx
/5k1pZ5UZ0F2oACSjghUSRY=
=bTjT
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cyber Security Tip ST04-011
Using Instant Messaging and Chat Rooms Safely
Although they offer a convenient way to communicate with other people,
there are dangers associated with tools that allow real-time
communication.
What are the differences between some of the tools used for real-time
communication?
* Instant messaging (IM) - Commonly used for recreation, instant
messaging is also becoming more widely used within corporations
for communication between employees. IM, regardless of the
specific software you choose, provides an interface for
individuals to communicate one-on-one.
* Chat rooms - Whether public or private, chat rooms are forums for
particular groups of people to interact. Many chat rooms are based
upon a shared characteristic; for example, there are chat rooms
for people of particular age groups or interests. Although most IM
clients support "chats" among multiple users, IM is traditionally
one-to-one while chats are traditionally many-to-many.
* Bots - A "chat robot," or "bot," is software that can interact
with users through chat mechanisms, whether in IM or chat rooms.
In some cases, users may be able to obtain current weather
reports, stock status, or movie listings. In these instances,
users are often aware that they are not interacting with an actual
human. However, some users may be fooled by more sophisticated
bots into thinking the responses they are receiving are from
another person.
There are many software packages that incorporate one or more of these
capabilities. A number of different technologies might be supported,
including IM, Internet Relay Chat (IRC), or Jabber.
What are the dangers?
* Identities can be elusive or ambiguous - Not only is it sometimes
difficult to identify whether the "person" you are talking to is
human, but human nature and behavior aren't predictable. People may
lie about their identity, accounts may be compromised, users may
forget to log out, or an account may be shared by multiple people.
All of these things make it difficult to know who you're really
talking to during a conversation.
* Users are especially susceptible to certain types of attack -
Trying to convince someone to run a program or click on a link is
a common attack method, but it can be especially effective through
IM and chat rooms. In a setting where a user feels comfortable
with the "person" he or she is talking to, a malicious piece of
software or an attacker has a better chance of convincing someone
to fall into the trap.
* You don't know who else might be seeing the conversation - Online
interactions are easily saved, and if you're using a free
commercial service the exchanges may be archived on a server. You
have no control over what happens to those logs. You also don't
know if there's someone looking over the shoulder of the person
you're talking to, or if an attacker might be "sniffing" your
conversation.
* The software you're using may contain vulnerabilities - Like any
other software, chat software may have vulnerabilities that
attackers can exploit.
* Default security settings may be inappropriate - The default
security settings in chat software tend to be relatively
permissive to make it more open and "usable," and this can make
you more susceptible to attacks.
How can you use these tools safely?
* Evaluate your security settings - Check the default settings in
your software and adjust them if they are too permissive. Make
sure to disable automatic downloads. Some chat software offers the
ability to limit interactions to only certain users, and you may
want to take advantage of these restrictions.
* Be conscious of what information you reveal - Be wary of revealing
personal information unless you know who you are really talking
to. You should also be careful about discussing anything you or
your employer might consider sensitive business information over
public IM or chat services (even if you are talking to someone you
know in a one-to-one conversation).
* Try to verify the identity of the person you are talking to, if it
matters - In some forums and situations, the identity of the
"person" you are talking to may not matter. However, if you need
to have a degree of trust in that person, either because you are
sharing certain types of information or being asked to take some
action like following a link or running a program, make sure the
"person" you are talking to is actually that person.
* Don't believe everything you read - The information or advice you
receive in a chat room or by IM may be false or, worse, malicious.
Try to verify the information or instructions from outside sources
before taking any action.
* Keep software up to date - This includes the chat software, your
browser, your operating system, your mail client, and, especially,
your anti-virus software.
_________________________________________________________________
Authors: Mindi McDowell, Allen Householder
_________________________________________________________________
This document is also available online:
<http://www.us-cert.gov/cas/tips/ST04-011.html>
_________________________________________________________________
Copyright 2004 Carnegie Mellon University.
Terms of use:
<http://www.us-cert.gov/legal.html>
_________________________________________________________________
Last updated June 16, 2004
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQFA0KINXlvNRxAkFWARAtGRAJ94qy2hCoOmiIksjPdFLJeeK7LH0wCfT/Jb
+8Nf+mEUURKaaDbVWKg2+1c=
=bCgy
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cyber Security Tip ST04-010
Using Caution with Email Attachments
While email attachments are a popular and convenient way to send
documents, they are also a common source of viruses. Use caution when
opening attachments, even if they appear to have been sent by someone
you know.
Why can email attachments be dangerous?
Some of the characteristics that make email attachments convenient and
popular are also the ones that make them a common tool for attackers:
* email is easily circulated - Forwarding email is so simple that
viruses can quickly infect many machines. Most viruses don't even
require users to forward the email--they scan a user's computer
for email addresses and automatically send the infected message to
all of the addresses they find. Attackers take advantage of the
reality that most users will automatically trust and open any
message that comes from someone they know.
* email programs try to address all users' needs - Almost any type
of file can be attached to an email message, so attackers have
more freedom with the types of viruses they can send.
* email programs offer many "user-friendly" features - Some email
programs have the option to automatically download email
attachments, which immediately exposes your computer to any
viruses within the attachments.
What steps can you take to protect yourself and others in your address book?
* Be wary of unsolicited attachments, even from people you know -
Just because an email message looks like it came from your mom,
grandma, or boss doesn't mean that it did. Many viruses can
"spoof" the return address, making it look like the message came
from someone else. If you can, check with the person who
supposedly sent the message to make sure it's legitimate before
opening any attachments. This includes email messages that appear
to be from your ISP or software vendor and claim to include
patches or anti-virus software. ISPs and software vendors do not
send patches or software in email.
* Save and scan any attachments before opening them - If you have to
open an attachment before you can verify the source, take the
following steps:
1. be sure the signatures in your anti-virus software are up to
date (see Understanding Anti-Virus Software for more
information)
2. save the file to your computer or a disk
3. manually scan the file using your anti-virus software
4. open the file
* Turn off the option to automatically download attachments - To
simplify the process of reading email, many email programs offer
the feature to automatically download attachments. Check your
settings to see if your software offers the option, and make sure
to disable it.
* Consider additional security practices - You may be able to filter
certain types of attachments through your email software (see
Reducing Spam) or a firewall (see Understanding Firewalls).
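The "save and scan" steps and the attachment-filtering advice above can
be automated before anyone double-clicks. The following is an added
example, not code from the original tip: it parses a constructed sample
message (the sender, subject and attachments are invented for the
example), sanitizes each sender-supplied filename so it cannot escape
the save directory, records the extension chain and SHA-256 for a
scanner lookup, flags executable types, double extensions such as
patch.pdf.exe, and files that begin with a Windows executable header
whatever they are named, and writes the attachments to disk unopened.
The list of risky extensions is an assumption for the example.

```python
import email
import hashlib
import os
import re
import tempfile
from email import policy

# Extensions Windows or its script hosts execute directly. This set is an
# assumption for the example; a deployed filter would be longer and tuned.
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs",
                    ".js", ".jse", ".wsf", ".hta", ".lnk", ".msi", ".ps1", ".jar"}

# Constructed sample, not a real capture: a "patch" claiming to come from an
# ISP support desk, with a double-extension executable and a second part
# whose filename tries to climb out of the save directory.
SAMPLE_EMAIL = b"""\
From: "Support" <support@example-isp.invalid>
To: user@example.invalid
Subject: Important security patch
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

Please install the attached patch immediately.

--XYZ
Content-Type: application/octet-stream; name="patch.pdf.exe"
Content-Disposition: attachment; filename="patch.pdf.exe"
Content-Transfer-Encoding: base64

TVpQRQ==
--XYZ
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="../../notes.txt"
Content-Transfer-Encoding: 7bit

hello
--XYZ--
"""


def safe_filename(name):
    """Reduce a sender-controlled filename to one safe path component."""
    name = name.replace("\\", "/").rsplit("/", 1)[-1]   # drop directory parts
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name)         # no shell or odd characters
    name = name.lstrip(".")                              # no hidden files, no ".."
    return name or "attachment"


def extensions(name):
    """Every suffix in lower case: 'patch.pdf.exe' -> ['.pdf', '.exe']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]]


def triage(raw):
    """Parse a raw message and report on each attachment before it is opened:
    sanitized name, content type, size, SHA-256 for scanner lookups, flags."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    addresses = msg["From"].addresses if msg["From"] else ()
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content() if body else ""
    report = {
        "sender": addresses[0].addr_spec if addresses else None,
        # ISPs and vendors do not email patches; a message that says it carries
        # one deserves a phone call to the supposed sender first.
        "claims_patch": bool(re.search(r"\b(patch|anti-?virus)\b",
                                       str(msg["Subject"] or "") + " " + body_text,
                                       re.I)),
        "attachments": [],
    }
    for part in msg.iter_attachments():
        raw_name = part.get_filename() or "attachment"
        normalized = raw_name.replace("\\", "/")
        data = part.get_payload(decode=True) or b""
        exts = extensions(normalized.rsplit("/", 1)[-1])
        flags = []
        if exts and exts[-1] in RISKY_EXTENSIONS:
            flags.append("executable-extension")
            if len(exts) > 1:
                flags.append("double-extension")         # e.g. patch.pdf.exe
        if data.startswith(b"MZ"):
            flags.append("windows-executable-header")    # PE file, whatever the name
        if "/" in normalized or normalized.startswith("."):
            flags.append("path-in-filename")             # would escape the save dir
        report["attachments"].append({
            "filename": safe_filename(raw_name),
            "content_type": part.get_content_type(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "flags": flags,
        })
    return report


def save_for_scanning(raw, directory):
    """Step 2 of the tip: write each attachment under a sanitized name without
    executing anything, so a scanner can be run over the directory (step 3)
    before any file is opened (step 4)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    written = []
    for index, part in enumerate(msg.iter_attachments(), 1):
        name = safe_filename(part.get_filename() or "attachment")
        path = os.path.join(directory, name)
        if os.path.exists(path):                         # keep same-named parts apart
            path = os.path.join(directory, "%d-%s" % (index, name))
        with open(path, "wb") as fh:
            fh.write(part.get_payload(decode=True) or b"")
        written.append(path)
    return written


def save_to_temp(raw):
    """Save into a fresh temporary directory and return the paths written."""
    return save_for_scanning(raw, tempfile.mkdtemp(prefix="attachments-"))


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EMAIL), indent=2))
    print(save_to_temp(SAMPLE_EMAIL))
```

The sanitized name is what gets written to disk; the flags are what a
user (or a mail gateway) acts on, and the hash lets the file be checked
against a scanner or reputation service without opening it.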
_________________________________________________________________
Both the National Cyber Security Alliance and US-CERT have identified
this topic as one of the top ten for home users.
_________________________________________________________________
Authors: Mindi McDowell, Allen Householder
_________________________________________________________________
This document is also available online:
<http://www.us-cert.gov/cas/tips/ST04-010.html>
_________________________________________________________________
Copyright 2004 Carnegie Mellon University.
Terms of use:
<http://www.us-cert.gov/legal.html>
_________________________________________________________________
Last updated June 02, 2004
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQFAvhffXlvNRxAkFWARAt9EAKC949DE6Engkn3bW8z+Nn5Hi5ttfgCgk/7m
3zQuoM2kBKRdYu21ERaXA2o=
=blo1
-----END PGP SIGNATURE-----
5/19/04
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cyber Security Tip ST04-009
Identifying Hoaxes and Urban Legends
Chain letters are familiar to anyone with an email account, whether
they are sent by strangers or well-intentioned friends or family
members. Try to verify the information before following any
instructions or passing the message along.
Why are chain letters a problem?
The most serious problem is from chain letters that mask viruses or
other malicious activity. But even the ones that seem harmless may
have negative repercussions if you forward them:
* they consume bandwidth or space within the recipient's inbox
* you force people you know to waste time sifting through the
messages and possibly taking time to verify the information
* you are spreading hype and, often, unnecessary fear and paranoia
What are some types of chain letters?
There are two main types of chain letters:
* Hoaxes - Hoaxes attempt to trick or defraud users. A hoax could be
malicious, instructing users to delete a file necessary to the
operating system by claiming it is a virus. It could also be a
scam that convinces users to send money or personal information.
* Urban legends - Urban legends are designed to be redistributed and
usually warn users of a threat or claim to be notifying them of
important or urgent information. Another common form is the email
that promises users monetary rewards for forwarding the message or
suggests that they are signing something that will be submitted to a
particular group. Urban legends usually have no
negative effect aside from wasted bandwidth and time.
How can you tell if the email is a hoax or urban legend?
Some messages are more suspicious than others, but be especially
cautious if the message has any of the characteristics listed below.
These characteristics are just guidelines--not every hoax or urban
legend has these attributes, and some legitimate messages may have
some of these characteristics:
* it suggests tragic consequences for not performing some action
* it promises money or gift certificates for performing some action
* it offers instructions or attachments claiming to protect you from
a virus that is undetected by anti-virus software
* it claims it's not a hoax
* there are multiple spelling or grammatical errors, or the logic is
contradictory
* there is a statement urging you to forward the message
* it has already been forwarded multiple times (evident from the
trail of email headers in the body of the message)
If you want to check the validity of an email, there are some web
sites that provide information about hoaxes and urban legends:
* Urban Legends and Folklore - http://urbanlegends.about.com/
* Urban Legends Reference Pages - http://www.snopes.com/
* Hoaxbusters - http://hoaxbusters.ciac.org/
* Stiller Research Virus Hoax News -
http://www.stiller.com/hoaxes.htm
* TruthOrFiction.com - http://www.truthorfiction.com/
* Symantec Security Response Hoaxes -
http://www.symantec.com/avcenter/hoax.html
* McAfee Security Virus Hoaxes - http://vil.mcafee.com/hoax.asp
_________________________________________________________________
Authors: Mindi McDowell, Allen Householder
_________________________________________________________________
This document is also available online:
<http://www.us-cert.gov/cas/tips/ST04-006.html>
_________________________________________________________________
Copyright 2004 Carnegie Mellon University.
Terms of use:
<http://www.us-cert.gov/legal.html>
_________________________________________________________________
Last updated May 19, 2004
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQFAq7mUXlvNRxAkFWARAuUqAJ94RkpvVgGcKDx2JDFDFpBdCR5dSwCdH6/W
9Sj6EQO7YJPYIYDCTQpP4yU=
=rUa0
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Benefits of BCC
Although in many situations it may be appropriate to list email
recipients in the To: or CC: fields, sometimes using the BCC: field
may be the most desirable option.
What is BCC?
BCC, which stands for blind carbon copy, allows you to hide recipients
in email messages. Unlike addresses in the To: field or the CC:
(carbon copy) field, addresses in the BCC: field cannot be seen by
the other recipients.
Why would you want to use BCC?
There are a few main reasons for using BCC:
* Privacy - Sometimes it's beneficial, even necessary, for you to
let recipients know who else is receiving your email message.
However, there may be instances when you want to send the same
message to multiple recipients without letting them know who else
is receiving the message. If you are sending email on behalf of a
business or organization, it may be especially important to keep
lists of clients, members, or associates confidential. You may
also want to avoid listing an internal email address on a message
being sent to external recipients.
Another point to remember is that if you use the To: or CC: fields
to list all of your recipients, these same recipients will also
receive any replies to your message unless the person replying
removes them. If there is potential for a response that is not
appropriate for all recipients, consider using BCC.
* Tracking - Maybe you want to access or archive the email message
you are sending at another email account. Or maybe you want to
make someone, such as a supervisor or team member, aware of the
email without actually involving them in the exchange. BCC allows
you to accomplish these goals without advertising that you are
doing it.
* Respect for your recipients - Forwarded email messages frequently
contain long lists of email addresses that were CC'd by previous
senders. These addresses are highly likely to be active and valid,
so they are highly valuable to spammers. Furthermore, many
email-borne viruses harvest email addresses contained in messages
you've already received (not just the To: and From: fields, but
from the body, too), so those long lists in forwarded messages
pose a risk to all the accounts they point to if you get infected.
Many people frequently forward messages to their entire address
books using CC. Encourage people who forward messages to you to
use BCC so that your email address is less likely to appear in
other people's inboxes and be susceptible to being harvested. To
avoid becoming part of the problem, in addition to using BCC if
you forward messages, take time to remove all existing email
addresses within the message. The additional benefit is that the
people you're sending the message to will appreciate not having to
scroll through large sections of irrelevant information to get to
the actual message.
How do you BCC an email message?
Most email clients have the BCC: option listed a few lines below the
To: field. However, sometimes it is a separate option that is not
shown by default. If you cannot locate it, check the help menu or the
software's documentation.
If you want to BCC all recipients and your email client will not send
a message without something in the To: field, consider using your own
email address in that field. In addition to hiding the identity of
other recipients, this option will enable you to confirm that the
message was sent successfully.
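What "BCC" actually means on the wire is that the hidden recipients
appear only in the SMTP envelope, never in a header of the delivered
message. The following is an added example, not code from the original
tip: it builds a message with the sender's own address in To:, keeps
the hidden list out of the headers entirely, refuses to hand a message
to the SMTP client if any header would expose a recipient, and also
implements the advice above about forwarding by scrubbing the address
trails out of a constructed forwarded body. The sample addresses and
body are invented for the example; the SMTP object is only stubbed,
and sending for real is left as a comment.

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample of a many-times-forwarded body, not a real capture.
FORWARDED_BODY = """\
FYI, see below.

-----Original Message-----
From: alice@example.invalid
To: bob@example.invalid; carol@example.invalid; dave@example.invalid
Cc: erin@example.invalid, frank@example.invalid
Subject: Fw: Fw: Fw: free gift certificates

Forward this to everyone you know!
"""

ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def build_hidden_list_message(sender, hidden_recipients, subject, body):
    """Return (message, envelope_recipients) for a send in which no recipient
    can see the others. The hidden list goes only into the SMTP envelope (the
    RCPT TO commands), never into a header; To: carries the sender's own
    address, which also delivers a copy confirming the send worked."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    # Deliberately no msg["Bcc"]: smtplib's sendmail() transmits the headers
    # exactly as given, so a Bcc: header would arrive in every mailbox.
    envelope = [sender] + [r for r in dict.fromkeys(hidden_recipients)
                           if r != sender]
    return msg, envelope


def visible_recipients(msg):
    """Addresses any recipient could read out of the headers. For a hidden-list
    send this must be exactly {sender}; check it before calling sendmail()."""
    values = [str(v) for name in ("To", "Cc", "Bcc") for v in msg.get_all(name, [])]
    return {addr.lower() for _, addr in getaddresses(values) if addr}


def deliver(msg, envelope, smtp):
    """Hand the message to an smtplib.SMTP-like object, refusing if the headers
    would expose anyone beyond the From: address. Returns the envelope used."""
    sender = str(msg["From"])
    if visible_recipients(msg) - {sender.lower()}:
        raise ValueError("recipient list would be visible in headers")
    smtp.sendmail(sender, envelope, msg.as_bytes())
    return envelope


def scrub_forwarded_addresses(text, keep=()):
    """Replace every address in a forwarded body (the To:/Cc: trails left by
    earlier hops) with a placeholder. Returns (cleaned_text, count_removed)."""
    keep_lower = {k.lower() for k in keep}
    removed = 0

    def replace(match):
        nonlocal removed
        if match.group(0).lower() in keep_lower:
            return match.group(0)
        removed += 1
        return "[address removed]"

    return ADDRESS_RE.sub(replace, text), removed


if __name__ == "__main__":
    msg, rcpts = build_hidden_list_message(
        "me@example.invalid", ["a@example.invalid", "b@example.invalid"],
        "Meeting moved", "See you at 3pm.")
    print(rcpts, visible_recipients(msg))
    # To send for real: import smtplib; deliver(msg, rcpts, smtplib.SMTP("localhost"))
    print(scrub_forwarded_addresses(FORWARDED_BODY)[0])
```

The check in deliver() is the one worth keeping: a client that builds
the message itself and calls sendmail() with a Bcc: header still set
will leak the whole list, and nothing on the receiving side can undo
that.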
_________________________________________________________________
Authors: Mindi McDowell, Allen Householder
_________________________________________________________________
Copyright 2004 Carnegie Mellon University.
Terms of use:
<http://www.us-cert.gov/legal.html>
This document can also be found online at
<http://www.us-cert.gov/cas/tips/ST04-008.html>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQFAmTh/XlvNRxAkFWARAq1qAKDKf+ZC/6+GjR0ZEket4i5R/HB6jwCgt29G
D658P4gQJ1K+kfXcZwvsLuM=
=pi5/
-----END PGP SIGNATURE-----
4/21/04
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Reducing Spam
Spam is a common, and often frustrating, side effect to having an
email account. Although you will probably not be able to eliminate it,