Cyber Security Tip ST05-019
Preventing and Responding to Identity Theft

Identity theft, or identity fraud, is a crime that can have
substantial financial and emotional consequences. Take precautions
with personal information; and if you become a victim, act immediately
to minimize the damage.

Is identity theft just a problem for people who submit information online?

You can be a victim of identity theft even if you never use a
computer. Malicious people may be able to obtain personal information
(such as credit card numbers, phone numbers, account numbers, and
addresses) by stealing your wallet, overhearing a phone conversation,
rummaging through your trash (a practice known as dumpster diving), or
picking up a receipt at a restaurant that has your account number on
it. If a thief has enough information, he or she may be able to
impersonate you to purchase items, open new accounts, or apply for
loans.

The internet has made it easier for thieves to obtain personal and
financial data. Most companies and other institutions store
information about their clients in databases; if a thief can access
that database, he or she can obtain information about many people at
once rather than focus on one person at a time. The internet has also
made it easier for thieves to sell or trade the information, making it
more difficult for law enforcement to identify and apprehend the
criminals.

How are victims of online identity theft chosen?

Identity theft is usually a crime of opportunity, so you may be
victimized simply because your information is available. Thieves may
target customers of certain companies for a variety of reasons: a
company database is easily accessible, the demographics of the
customers are appealing, there is a market for specific information,
etc. If your information is stored in a database that is compromised,
you may become a victim of identity theft.

Are there ways to avoid being a victim?

Unfortunately, there is no way to guarantee that you will not be a
victim of online identity theft. However, there are ways to minimize
your risk:
* Do business with reputable companies - Before providing any
personal or financial information, make sure that you are
interacting with a reputable, established company. Some attackers
may try to trick you by creating malicious web sites that appear
to be legitimate, so you should verify the legitimacy before
supplying any information (see Avoiding Social Engineering and
Phishing Attacks and Understanding Web Site Certificates for more
information).
* Take advantage of security features - Passwords and other security
features add layers of protection if used appropriately (see
Choosing and Protecting Passwords and Supplementing Passwords for
more information).
* Check privacy policies - Take precautions when providing
information, and make sure to check published privacy policies to
see how a company will use or distribute your information (see
Protecting Your Privacy and How Anonymous Are You? for more
information). Many companies allow customers to request that their
information not be shared with other companies; you should be able
to locate the details in your account literature or by contacting
the company directly.
* Be careful what information you publicize - Attackers may be able
to piece together information from a variety of sources. Avoid
posting personal data in public forums (see Guidelines for
Publishing Information Online for more information).
* Use and maintain anti-virus software and a firewall - Protect
yourself against viruses and Trojan horses that may steal or
modify the data on your own computer and leave you vulnerable by
using anti-virus software and a firewall (see Understanding
Anti-Virus Software and Understanding Firewalls for more
information). Make sure to keep your virus definitions up to date.
* Be aware of your account activity - Pay attention to your
statements, and request copies of your credit reports from the
main credit reporting companies on a yearly basis.

How do you know if your identity has been stolen?

Companies have different policies for notifying customers when they
discover that someone has accessed a customer database. However, you
should be aware of changes in your normal account activity. The
following are examples of changes that could indicate that someone has
accessed your information:
* unusual or unexplainable charges on your bills
* phone calls or bills for accounts, products, or services that you
do not have
* failure to receive regular bills or mail
* new, strange accounts appearing on your credit report
* unexpected denial of your credit card

What can you do if you think, or know, that your identity has been stolen?

Recovering from identity theft can be a long, stressful, and
potentially costly process. Many credit card companies have adopted
policies that try to minimize the amount of money you are liable for,
but the implications can extend beyond your existing accounts. To
minimize the extent of the damage, take action as soon as possible:
* Contact companies, including banks, where you have accounts -
Inform the companies where you have accounts that someone may be
using your identity, and find out if there have been any
unauthorized transactions. Close accounts so that future charges
are denied. In addition to calling the company, send a letter so
there is a record of the problem.
* Contact the main credit reporting companies (Equifax, Experian,
TransUnion) - Check your credit report to see if there has been
unexpected or unauthorized activity. Have fraud alerts placed on
your credit reports to prevent new accounts being opened without
verification.
* File a report - File a report with the local police so there is an
official record of the incident. You can also file a complaint
with the Federal Trade Commission.
* Consider other information that may be at risk - Depending on what
information was stolen, you may need to contact other agencies;
for example, if a thief has access to your Social Security number,
contact the Social Security Administration. You should also
contact the Department of Motor Vehicles if your driver's license
or car registration has been stolen.

The following sites offer additional information and guidance for
recovering from identity theft:
* Federal Trade Commission -
http://www.ftc.gov/bcp/conline/pubs/credit/idtheft.htm and
http://www.consumer.gov/idtheft/
* United States Department of Justice -
http://www.usdoj.gov/criminal/fraud/idtheft.html
* Social Security Administration -
http://www.ssa.gov/pubs/idtheft.htm
_________________________________________________________________

Author: Mindi McDowell
_________________________________________________________________

Produced 2005 by US-CERT, a government organization.

Terms of use

<http://www.us-cert.gov/legal.html>

This document can also be found at

<http://www.us-cert.gov/cas/tips/ST05-019.html>

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.



Cyber Security Tip ST05-018
Understanding Voice over Internet Protocol (VoIP)

With the introduction of VoIP, you can use the internet to make
telephone calls instead of relying on a separate telephone line.
However, the technology does present security risks.

What is voice over internet protocol (VoIP)?

Voice over internet protocol (VoIP), also known as IP telephony,
allows you to use your internet connection to make telephone calls.
Instead of relying on an analog line like traditional telephones, VoIP
uses digital technology and requires a high-speed broadband connection
such as DSL or cable. There are a variety of providers who offer VoIP,
and they offer different services. The most common application of VoIP
for personal or home use is internet-based phone services that rely on
a telephone switch. With this application, you will still have a phone
number, will still dial phone numbers, and will likely have an adapter
that allows you to use a regular telephone. The person you are calling
will not likely notice a difference from a traditional phone call.
Some service providers also offer the ability to use your VoIP adapter
any place you have a high-speed internet connection, allowing you to
take it with you when you travel.

What are the security implications of VoIP?

Because VoIP relies on your internet connection, it may be vulnerable
to any threats and problems that face your computer. The technology is
still new, so there is some controversy about the potential for
attack, but VoIP could make your telephone vulnerable to viruses and
other malicious code. Attackers may be able to perform activities such
as intercepting your communications, eavesdropping, conducting
effective phishing attacks by manipulating your caller ID, and causing
your service to crash (see Avoiding Social Engineering and Phishing
Attacks and Understanding Denial-of-Service Attacks for more
information). Activities that consume a large amount of network
resources, like large file downloads, online gaming, and streaming
multimedia, will also affect your VoIP service.

There are also inherent problems with routing your telephone over your
broadband connection. Unlike traditional telephone lines, which
operate despite an electrical outage, if you lose power, your VoIP may
be unavailable. There are also concerns that home security systems or
emergency numbers such as 911 may not work properly.

How can you protect yourself?

* Keep software up to date - If the vendor releases patches for the
software operating your device, install them as soon as possible.
These patches may be called firmware updates. Installing them will
prevent attackers from being able to take advantage of known
problems or vulnerabilities (see Understanding Patches for more
information).
* Use and maintain anti-virus software - Anti-virus software
recognizes and protects your computer against most known viruses.
However, attackers are continually writing new viruses, so it is
important to keep your anti-virus software current (see
Understanding Anti-Virus Software for more information).
* Take advantage of security options - Some service providers may
offer encryption as one of their services. If you are concerned
about privacy and confidentiality, you may want to consider this
and other available options.
* Install or enable a firewall - Firewalls may be able to prevent
some types of infection by blocking malicious traffic before it
can enter your computer (see Understanding Firewalls for more
information). Some operating systems actually include a firewall,
but you need to make sure it is enabled.
* Evaluate your security settings - Both your computer and your VoIP
equipment/software offer a variety of features that you can tailor
to meet your needs and requirements. However, enabling certain
features may leave you more vulnerable to being attacked, so
disable any unnecessary features. Examine your settings,
particularly the security settings, and select options that meet
your needs without putting you at increased risk.
_________________________________________________________________

Author: Mindi McDowell
_________________________________________________________________

Produced 2005 by US-CERT, a government organization.

This document can also be found at

<http://www.us-cert.gov/cas/tips/ST05-018.html>


Cyber Security Tip ST05-017
Cybersecurity for Electronic Devices

When you think about cybersecurity, remember that electronics such as
cell phones and PDAs may also be vulnerable to attack. Take
appropriate precautions to limit your risk.

Why does cybersecurity extend beyond computers?

Actually, the issue is not that cybersecurity extends beyond
computers; it is that computers extend beyond traditional laptops and
desktops. Many electronic devices are computers--from cell phones and
PDAs to video games and car navigation systems. While computers
provide increased features and functionality, they also introduce new
risks. Attackers may be able to take advantage of these technological
advancements to target devices previously considered "safe." For
example, an attacker may be able to infect your cell phone with a
virus, steal your phone or wireless service, or access the records on
your PDA. Not only do these activities have implications for your
personal information, but they could also have serious consequences if
you store corporate information on the device.

What types of electronics are vulnerable?

Any piece of electronic equipment that uses some kind of computerized
component is vulnerable to software imperfections and vulnerabilities.
The risks increase if the device is connected to the internet or a
network that an attacker may be able to access. Remember that a
wireless connection also introduces these risks (see Securing Wireless
Networks for more information). The outside connection provides a way
for an attacker to send information to or extract information from
your device.

How can you protect yourself?

* Remember physical security - Having physical access to a device
makes it easier for an attacker to extract or corrupt information.
Do not leave your device unattended in public or easily accessible
areas (see Protecting Portable Devices: Physical Security for more
information).
* Keep software up to date - If the vendor releases patches for the
software operating your device, install them as soon as possible.
These patches may be called firmware updates. Installing them will
prevent attackers from being able to take advantage of known
problems or vulnerabilities (see Understanding Patches for more
information).
* Use good passwords - Choose devices that allow you to protect your
information with passwords. Select passwords that will be
difficult for thieves to guess, and use different passwords for
different programs and devices (see Choosing and Protecting
Passwords for more information). Do not choose options that allow
your computer to remember your passwords.
* Disable remote connectivity - Some PDAs and phones are equipped
with wireless technologies, such as Bluetooth, that can be used to
connect to other devices or computers. You should disable these
features when they are not in use (see Understanding Bluetooth
Technology for more information).
* Encrypt files - Although most devices do not offer you an option
to encrypt files, you may have encryption software on your PDA. If
you are storing personal or corporate information, see if you have
the option to encrypt the files. By encrypting files, you ensure
that unauthorized people can't view data even if they can
physically access it. When you use encryption, it is important to
remember your passwords and passphrases; if you forget or lose
them, you may lose your data.
_________________________________________________________________

Authors: Mindi McDowell, Matt Lytle
_________________________________________________________________

Produced 2005 by US-CERT, a government organization.

This document can also be found at

<http://www.us-cert.gov/cas/tips/ST05-017.html>

Cyber Security Tip ST05-016
Understanding Internationalized Domain Names

You may have been exposed to internationalized domain names (IDNs)
without realizing it. While they typically do not affect your browsing
activity, IDNs may give attackers an opportunity to redirect you to a
malicious web page.

What are internationalized domain names?

To decrease the amount of confusion surrounding different languages,
there is a standard for domain names within web browsers. Domain names
are included in the URL (or web address) of a web site. This standard is
based on the Roman alphabet (which is used by the English language),
and computers convert the various letters into numerical equivalents.
This code is known as ASCII (American Standard Code for Information
Interchange). However, other languages include characters that do not
translate into this code, which is why internationalized domain names
were introduced.

To compensate for languages that incorporate special characters (such
as Spanish, French or German) or rely completely on character
representation (such as Asian or Arabic languages), a new system had
to be developed. In this new system, the base URL (which is usually
the address for the home page) is dissected and converted into a
format that is compatible with ASCII. The resulting URL (which
contains the string "xn--" as well as a combination of letters and
numbers) will appear in your browser's status bar. In newer versions
of many browsers, it will also appear in the address bar.

What are some security concerns?

Attackers may be able to take advantage of internationalized domain
names to initiate phishing attacks (see Avoiding Social Engineering
and Phishing Attacks for more information). Because there are certain
characters that may appear to be the same but have different ASCII
codes (for example, the Cyrillic "a" and the Latin "a"), an attacker
may be able to "spoof" a web page URL. Instead of going to a
legitimate site, you may be directed to a malicious site, which could
look identical to the real one. If you submit personal or financial
information while on the malicious site, the attacker could collect
that information and then use and/or sell it.
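
A defender-side check for the spoofing described above, added here as an example and not part of the original US-CERT tip: it converts a hostname between its Unicode and "xn--" forms with Python's built-in idna codec and flags names that mix scripts or reduce to plain ASCII once look-alike letters are replaced. The LOOKALIKES table, the function names, and the sample hostnames are constructed for illustration.

```python
import unicodedata

# Constructed, deliberately small table of Cyrillic letters that render like
# ASCII letters; a production checker would use the full Unicode confusables data.
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u0458": "j",
}


def script_of(ch):
    """Approximate a character's script from the first word of its Unicode name."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"  # digits and "-" fit any script
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def inspect_hostname(host):
    """Return the Unicode and "xn--" forms of a hostname plus a verdict."""
    host = host.strip().rstrip(".").lower()
    try:
        # ASCII-compatible form: what is sent to DNS and shown by newer browsers.
        ascii_form = host.encode("idna").decode("ascii")
        # Unicode form: what an older browser or an email client may display.
        unicode_form = ascii_form.encode("ascii").decode("idna")
    except UnicodeError:
        return {"input": host, "verdict": "invalid"}

    mixed_labels = []
    skeleton_labels = []
    for label in unicode_form.split("."):
        scripts = {script_of(c) for c in label} - {"COMMON"}
        if len(scripts) > 1:
            mixed_labels.append((label, sorted(scripts)))
        # Replace known look-alikes to see which ASCII name the label imitates.
        skeleton_labels.append("".join(LOOKALIKES.get(c, c) for c in label))
    skeleton = ".".join(skeleton_labels)

    is_idn = ascii_form != unicode_form
    lookalike_of = skeleton if is_idn and skeleton.isascii() else None
    if not is_idn:
        verdict = "ascii"
    elif lookalike_of:
        verdict = "lookalike"       # reads like an ordinary ASCII hostname
    elif mixed_labels:
        verdict = "mixed-script"    # unusual for a legitimate name
    else:
        verdict = "idn"             # internationalized, nothing suspicious found
    return {
        "input": host,
        "ascii": ascii_form,
        "unicode": unicode_form,
        "mixed_labels": mixed_labels,
        "lookalike_of": lookalike_of,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Constructed sample hostnames, not taken from any real incident.
    samples = [
        "example.com",                                  # plain ASCII
        "m\u00fcnchen.de",                              # Latin letter with umlaut
        "ex\u0430mple.com",                             # Cyrillic "a" inside a Latin label
        "\u043f\u043e\u0447\u0442\u0430.\u0440\u0444",  # all-Cyrillic name
        "te\u0434st.com",                               # mixed scripts, no ASCII twin
        "a..b",                                         # empty label
    ]
    for name in samples:
        result = inspect_hostname(name)
        print(result["verdict"].ljust(13), result.get("ascii", "-"),
              "imitates", result.get("lookalike_of"))
```

Python's built-in codec follows the older IDNA 2003 rules, so treat the verdict as a triage signal for links in mail or proxy logs rather than as a registry-grade check.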

How can you protect yourself?

* Type a URL instead of following a link - Typing a URL into a
browser rather than clicking a link within a web page or email
message will minimize your risk. By doing this, you are more
likely to visit the legitimate site rather than a malicious site
that substitutes similar-looking characters.
* Keep your browser up to date - Older versions of browsers made it
easier for attackers to spoof URLs, but most newer browsers
incorporate certain protections. Instead of displaying the URL
that you "think" you are visiting, most browsers now display the
converted URL with the "xn--" string. Internet Explorer does not
currently support IDNs, so you will see an error message if you
try to visit a URL that includes non-ASCII characters.
* Check your browser's status bar - If you move your mouse over a
link on a web page, the status bar of your browser will usually
display the URL that the link references. If you see a URL that
has an unexpected domain name (such as one with the "xn--" string
mentioned above), you have likely encountered an internationalized
domain name. If you were not expecting an internationalized domain
name or know that the legitimate site should not need one, you may
want to reconsider visiting the site. Browsers such as Mozilla and
Firefox include an option in their security settings about whether
to allow the status bar text to be modified. To prevent attackers
from taking advantage of JavaScript to make it appear that you are
on a legitimate site, you may want to make sure this option is not
enabled.
_________________________________________________________________

Authors: Mindi McDowell, Will Dormann, Jason McCormick
_________________________________________________________________

Produced 2005 by US-CERT, a government organization.

This document can also be found at

<http://www.us-cert.gov/cas/tips/STYY-XXX.html>



Cyber Security Tip ST05-015
Understanding Bluetooth Technology

Many electronic devices are now incorporating Bluetooth technology to
allow wireless communication with other Bluetooth devices. Before
using Bluetooth, it is important to understand what it is, what
security risks it presents, and how to protect yourself.

What is Bluetooth?

Bluetooth is a technology that allows devices to communicate with each
other without cables or wires. It is an electronics "standard," which
means that manufacturers that want to include this feature have to
incorporate specific requirements into their electronic devices. These
specifications ensure that the devices can recognize and interact with
other devices that use the Bluetooth technology.

Many popular manufacturers are making devices that use Bluetooth
technology. These devices include mobile phones, computers, and
personal digital assistants (PDAs). The Bluetooth technology relies on
short-range radio frequency, and any device that incorporates the
technology can communicate as long as it is within the required
distance. The technology is often used to allow two different types of
devices to communicate with each other. For example, you may be able
to operate your computer with a wireless keyboard, use a wireless
headset to talk on your mobile phone, or add an appointment to your
friend's PDA calendar from your own PDA.

What are some security concerns?

Depending upon how it is configured, Bluetooth technology can be
fairly secure. You can take advantage of its use of key authentication
(see Understanding Digital Signatures for more information) and
encryption (see Understanding Encryption for more information).
Unfortunately, many Bluetooth devices rely on short numeric PIN
numbers instead of more secure passwords or passphrases (see Choosing
and Protecting Passwords for more information).

If someone can "discover" your Bluetooth device, he or she may be able
to send you unsolicited messages or abuse your Bluetooth service,
which could cause you to be charged extra fees. Worse, an attacker may
be able to find a way to access or corrupt your data. One example of
this type of activity is "bluesnarfing," which refers to attackers
using a Bluetooth connection to steal information off of your
Bluetooth device. Also, viruses or other malicious code can take
advantage of Bluetooth technology to infect other devices. If you are
infected, your data may be corrupted, compromised, stolen, or lost.
You should also be aware of attempts to convince you to send
information to someone you do not trust over a Bluetooth connection
(see Avoiding Social Engineering and Phishing Attacks for more
information).

How can you protect yourself?

* Disable Bluetooth when you are not using it - Unless you are
actively transferring information from one device to another,
disable the technology to prevent unauthorized people from
accessing it.
* Use Bluetooth in "hidden" mode - When you do have Bluetooth
enabled, make sure it is "hidden," not "discoverable." The hidden
mode prevents other Bluetooth devices from recognizing your
device. This does not prevent you from using your Bluetooth
devices together. You can "pair" devices so that they can find
each other even if they are in hidden mode. Although the devices
(for example, a mobile phone and a headset) will need to be in
discoverable mode to initially locate each other, once they are
"paired" they will always recognize each other without needing to
rediscover the connection.
* Be careful where you use Bluetooth - Be aware of your environment
when pairing devices or operating in discoverable mode. For
example, if you are in a public wireless "hotspot," there is a
greater risk that someone else may be able to intercept the
connection (see Securing Wireless Networks for more information)
than if you are in your home or your car.
* Evaluate your security settings - Most devices offer a variety of
features that you can tailor to meet your needs and requirements.
However, enabling certain features may leave you more vulnerable
to being attacked, so disable any unnecessary features or
Bluetooth connections. Examine your settings, particularly the
security settings, and select options that meet your needs without
putting you at increased risk. Make sure that all of your
Bluetooth connections are configured to require a secure
connection.
* Take advantage of security options - Learn what security options
your Bluetooth device offers, and take advantage of features like
authentication and encryption.
_________________________________________________________________

Authors: Mindi McDowell, Matt Lytle
_________________________________________________________________

Produced 2005 by US-CERT, a government organization.

This document can also be found at

<http://www.us-cert.gov/cas/tips/ST05-015.html>



Cyber Security Tip ST05-014
Real-World Warnings Keep You Safe Online

Many of the warning phrases you probably heard from your parents and
teachers are also applicable to using computers and the internet.

Why are these warnings important?

Like the real world, technology and the internet present dangers as
well as benefits. Equipment fails, attackers may target you, and
mistakes and poor judgment happen. Just as you take precautions to
protect yourself in the real world, you need to take precautions to
protect yourself online. For many users, computers and the internet
are unfamiliar and intimidating, so it is appropriate to approach them
the same way we urge children to approach the real world.

What are some warnings to remember?

* Don't trust candy from strangers - Finding something on the
internet does not guarantee that it is true. Anyone can publish
information online, so before accepting a statement as fact or
taking action, verify that the source is reliable. It is also easy
for attackers to "spoof" email addresses, so verify that an email
is legitimate before opening an unexpected email attachment or
responding to a request for personal information (see Using
Caution with Email Attachments and Avoiding Social Engineering and
Phishing Attacks for more information).
* If it sounds too good to be true, it probably is - You have
probably seen many emails promising fantastic rewards or monetary
gifts. However, regardless of what the email claims, there are not
any wealthy strangers desperate to send you money. Beware of grand
promises--they are most likely spam, hoaxes, or phishing schemes
(see Reducing Spam, Identifying Hoaxes and Urban Legends, and
Avoiding Social Engineering and Phishing Attacks for more
information). Also be wary of pop-up windows and advertisements
for free downloadable software--they may be disguising spyware
(see Recognizing and Avoiding Spyware for more information).
* Don't advertise that you are away from home - Some email accounts,
especially within an organization, offer a feature (called an
autoresponder) that allows you to create an "away" message if you
are going to be away from your email for an extended period of
time. The message is automatically sent to anyone who emails you
while the autoresponder is enabled. While this is a helpful
feature for letting your contacts know that you will not be able
to respond right away, be careful how you phrase your message. You
do not want to let potential attackers know that you are not home,
or, worse, give specific details about your location and
itinerary. Safer options include phrases such as "I will not have
access to email between [date] and [date]." If possible, also
restrict the recipients of the message to people within your
organization or in your address book. If your away message replies
to spam, it only confirms that your email account is active. This
may increase the amount of spam you receive (see Reducing Spam for
more information).
* Lock up your valuables - If an attacker is able to access your
personal data, he or she may be able to compromise or steal the
information. Take steps to protect this information by following
good security practices (see the Cyber Security Tips index page
for a list of relevant documents). Some of the most basic
precautions include locking your computer when you step away;
using firewalls, anti-virus software, and strong passwords;
installing appropriate patches; and taking precautions when
browsing or using email.
* Have a backup plan - Since your information could be lost or
compromised (due to an equipment malfunction, an error, or an
attack), make regular backups of your information so that you
still have clean, complete copies (see Good Security Habits for
more information). Backups also help you identify what has been
changed or lost. If your computer has been infected, it is
important to remove the infection before resuming your work (see
Recovering from Viruses, Worms, and Trojan Horses for more
information). Keep in mind that if you did not realize that your
computer was infected, your backups may also be compromised.
_________________________________________________________________

Authors: Mindi McDowell, Matt Lytle
_________________________________________________________________

This document can also be found at

<http://www.us-cert.gov/cas/tips/ST04-021.html>

Copyright 2005 Carnegie Mellon University

Terms of use

<http://www.us-cert.gov/legal.html>



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cyber Security Tip ST05-013
Guidelines for Publishing Information Online

Remember that the internet is a public resource. Avoid putting
anything online that you don't want the public to see or that you may
want to retract.

Why is it important to remember that the internet is public?

Because the internet is so accessible and contains a wealth of
information, it has become a popular resource for communicating, for
researching topics, and for finding information about people. It may
seem less intimidating than actually interacting with other people
because there is a sense of anonymity. However, you are not really
anonymous when you are online, and it is just as easy for people to
find information about you as it is for you to find information about
them. Unfortunately, many people have become so familiar and
comfortable with the internet that they may adopt practices that make
them vulnerable. For example, although people are typically wary of
sharing personal information with strangers they meet on the street,
they may not hesitate to post that same information online. Once it is
online, it can be accessed by a world of strangers, and you have no
idea what they might do with that information.

What guidelines can you follow when publishing information on the internet?

* View the internet as a novel, not a diary - Make sure you are
comfortable with anyone seeing the information you put online.
Expect that people you have never met will find your page; even if
you are keeping an online journal or blog, write it with the
expectation that it is available for public consumption. Some
sites may use passwords or other security restrictions to protect
the information, but these methods are not usually used for most
web sites. If you want the information to be private or restricted
to a small, select group of people, the internet is probably not
the best forum.
* Be careful what you advertise - In the past, it was difficult to
find information about people other than their phone numbers or
addresses. Now, an increasing amount of personal information is
available online, especially because people are creating personal
web pages with information about themselves. When deciding how
much information to reveal, realize that you are broadcasting it
to the world. Supplying your email address may increase the amount
of spam you receive (see Avoiding Social Engineering and Phishing
Attacks for more information).
* Realize that you can't take it back - Once you publish something
online, it is available to other people and to search engines. You
can change or remove information after something has been
published, but it is possible that someone has already seen the
original version. Even if you try to remove the page(s) from the
internet, someone may have saved a copy of the page or used
excerpts in another source. Some search engines "cache" copies of
web pages so that they open faster; these cached copies may be
available after a web page has been deleted or altered. Some web
browsers may also maintain a cache of the web pages a user has
visited, so the original version may be stored in a temporary file
on the user's computer. Think about these implications before
publishing information--once something is out there, you can't
guarantee that you can completely remove it.

As a general practice, let your common sense guide your decisions
about what to post online. Before you publish something on the
internet, determine what value it provides and consider the
implications of having the information available to the public.
Identity theft is an increasing problem, and the more information an
attacker can gather about you, the easier it is to pretend to be you.
Behave online the way you would behave in your daily life, especially
when it involves taking precautions to protect yourself.
_________________________________________________________________

Authors: Mindi McDowell, Matt Lytle, Jason Rafail
_________________________________________________________________

This document can also be found at

<http://www.us-cert.gov/cas/tips/ST05-013.html>

Copyright 2005 Carnegie Mellon University

Terms of use

<http://www.us-cert.gov/legal.html>



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

-----END PGP SIGNATURE-----


 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Cyber Security Tip ST05-012
Supplementing Passwords

Passwords are a common form of protecting information, but passwords
alone may not provide adequate security. For the best protection, look
for sites that have additional ways to verify your identity.

Why aren't passwords sufficient?

Passwords are beneficial as a first layer of protection, but they are
susceptible to being guessed or intercepted by attackers. You can
increase the effectiveness of your passwords by using tactics such as
avoiding passwords that are based on personal information or words
found in the dictionary; using a combination of numbers, special
characters, and lowercase and capital letters; and not sharing your
passwords with anyone else (see Choosing and Protecting Passwords for
more information). However, despite your best attempts, an attacker
may be able to obtain your password. If there are no additional
security measures in place, the attacker may be able to access your
personal, financial, or medical information.

What additional levels of security are being used?

Many organizations are beginning to use other forms of verification in
addition to passwords. The following practices are becoming more and
more common:
* two-factor authentication - With two-factor authentication, you
use your password in conjunction with an additional piece of
information. An attacker who has managed to obtain your password
can't do anything without the second component. The theory is
similar to requiring two forms of identification or two keys to
open a safe deposit box. However, in this case, the second
component is commonly a "one use" password that is voided as soon
as you use it. Even if an attacker is able to intercept the
exchange, he or she will still not be able to gain access because
that specific combination will not be valid again.
* personal web certificates - Unlike the certificates used to
identify web sites (see Understanding Web Site Certificates for
more information), personal web certificates are used to identify
individual users. A web site that uses personal web certificates
relies on these certificates and the authentication process of the
corresponding public/private keys to verify that you are who you
claim to be (see Understanding Digital Signatures and
Understanding Encryption for more information). Because
information identifying you is embedded within the certificate, an
additional password is unnecessary. However, you should have a
password to protect your private key so that attackers can't gain
access to your key and represent themselves as you. This process
is similar to two-factor authentication, but it differs because
the password protecting your private key is used to decrypt the
information on your computer and is never sent over the network.
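
The "one use" password described under two-factor authentication above, shown as an added example that is not part of the original tip. The tip does not name a scheme; this sketch uses HOTP (RFC 4226) as one standard way to produce such codes, and the class name, look-ahead window and sample secret are assumptions made for illustration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time code for a given counter value (HOTP, RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class SecondFactorVerifier:
    """Hypothetical server-side record for one account."""

    def __init__(self, secret: bytes, look_ahead: int = 3):
        self.secret = secret
        self.next_counter = 0         # lowest counter value not yet used
        self.look_ahead = look_ahead  # tolerate codes generated but never sent

    def login(self, password_ok: bool, code: str) -> bool:
        """Both factors must pass; an accepted code is voided immediately."""
        if not password_ok:
            return False
        submitted = code.encode("utf-8")
        last = self.next_counter + self.look_ahead
        for counter in range(self.next_counter, last + 1):
            expected = hotp(self.secret, counter).encode("ascii")
            if hmac.compare_digest(expected, submitted):
                # Move past the matched counter so this code, and every
                # earlier one, can never be accepted again.
                self.next_counter = counter + 1
                return True
        return False


def demo() -> list:
    # Constructed sample secret (the RFC 4226 test key), not a real credential.
    account = SecondFactorVerifier(b"12345678901234567890")
    first = hotp(account.secret, 0)
    second = hotp(account.secret, 1)
    return [
        account.login(True, first),    # fresh code with the correct password
        account.login(True, first),    # the same code replayed after interception
        account.login(False, second),  # valid code but wrong password
        account.login(True, second),   # next code with the correct password
    ]


if __name__ == "__main__":
    print(demo())
```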

What if you lose your password or certificate?

You may find yourself in a situation where you've forgotten your
password or you've reformatted your computer and lost your personal
web certificate. Most organizations have specific procedures for
giving you access to your information in these situations. In the case
of certificates, you may need to request that the organization issue
you a new one. In the case of passwords, you may just need a reminder.
No matter what happened, the organization needs a way to verify your
identity. To do this, many organizations rely on "secret questions."

When you open a new account (email, credit card, etc.), some
organizations will prompt you to provide them with the answer to a
question. They may ask you this question if you contact them about
forgetting your password or you request information about your account
over the phone. If your answer matches the answer they have on file,
they will assume that they are actually communicating with you. While
the theory behind the secret question has merit, the questions
commonly used ask for personal information such as mother's maiden
name, social security number, date of birth, or pet's name. Because so
much personal information is now available online or through other
public sources, attackers may be able to discover the answers to these
questions without much effort.

Realize that the secret question is really just an additional
password--when setting it up, you don't have to supply the actual
information as your answer. In fact, when you are asked in advance to
provide an answer to this type of question that will be used to
confirm your identity, dishonesty may be the best policy. Choose your
answer as you would choose any other good password, store it in a
secure location, and don't share it with other people (see Choosing
and Protecting Passwords for more information).

While these practices do offer you more protection, there is no
guarantee that they are completely effective. Attackers may still be
able to access your information, but increasing the level of security
does make it more difficult. Be aware of these practices when choosing
a bank, credit card company, or other organization that will have
access to your personal information. Don't be afraid to ask what kind
of security practices the organization uses.
_________________________________________________________________

Authors: Mindi McDowell, Chad Dougherty, Jason Rafail
_________________________________________________________________

This document can also be found at

<http://www.us-cert.gov/cas/tips/ST05-012.html>

Copyright 2005 Carnegie Mellon University

Terms of use

<http://www.us-cert.gov/legal.html>



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

-----END PGP SIGNATURE-----



 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Cyber Security Tip ST05-011
Effectively Erasing Files

Before selling or discarding an old computer, or throwing away a disk
or CD, you naturally make sure that you've copied all of the files you
need. You've probably also attempted to delete your personal files so
that other people aren't able to access them. However, unless you have
taken the proper steps to make sure the hard drive, disk, or CD is
erased, people may still be able to resurrect those files.

Where do deleted files go?

When you delete a file, depending on your operating system and your
settings, it may be transferred to your trash or recycle bin. This
"holding area" essentially protects you from yourself--if you
accidentally delete a file, you can easily restore it. However, you
may have experienced the panic that results from emptying the trash
bin prematurely or having a file seem to disappear on its own. The
good news is that even though it may be difficult to locate, the file
is probably still somewhere on your machine. The bad news is that even
though you think you've deleted a file, an attacker or other
unauthorized person may be able to retrieve it.

What are the risks?

Think of the information you have saved on your computer. Is there
banking or credit card account information? Tax returns? Passwords?
Medical or other personal data? Personal photos? Sensitive corporate
information? How much would someone be able to find out about you or
your company by looking through your computer files?

Depending on what kind of information an attacker can find, he or she
may be able to use it maliciously. You may become a victim of identity
theft. Another possibility is that the information could be used in a
social engineering attack. Attackers may use information they find
about you or an organization you're affiliated with to appear to be
legitimate and gain access to sensitive data (see Avoiding Social
Engineering and Phishing Attacks for more information).

Can you erase files by reformatting?

Reformatting your hard drive or CD may superficially delete the files,
but the information is still buried somewhere. Unless those areas of
the disk are effectively overwritten with new content, it is still
possible that knowledgeable attackers may be able to access the
information.

How can you be sure that your information is completely erased?

Some people use extreme measures to make sure their information is
destroyed, but these measures can be dangerous and may not be
completely successful. Your best option is to investigate software
programs and hardware devices that claim to erase your hard drive or
CD. Even so, these programs and devices have varying levels of
effectiveness. When choosing a software program to perform this task,
look for the following characteristics:
* data is written multiple times - It is important to make sure that
not only is the information erased, but new data is written over
it. By adding multiple layers of data, the program makes it
difficult for an attacker to "peel away" the new layer. Three to
seven passes is fairly standard and should be sufficient.
* use of random data - Using random data instead of easily
identifiable patterns makes it harder for attackers to determine
the pattern and discover the original information underneath.
* use of zeros in the final layer - Regardless of how many times the
program overwrites the data, look for programs that use all zeros
in the last layer. This adds an additional level of security.

While many of these programs assume that you want to erase an entire
disk, there are programs that give you the option to erase and
overwrite individual files.
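
The three characteristics listed above (multiple passes, random data, zeros in the final pass) applied to a single file, as an added example that is not part of the original tip. The function names and the sample file are constructed, and the code assumes storage that overwrites data in place: on flash drives with wear levelling, on journaling or copy-on-write filesystems, and wherever backups or snapshots exist, earlier copies can survive an overwrite like this.

```python
import os
import secrets
import tempfile

CHUNK = 1 << 20  # write in 1 MiB pieces so large files do not fill memory


def _write_pass(fd: int, size: int, make_bytes) -> None:
    """Overwrite the first `size` bytes behind fd with make_bytes(n) data."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        data = make_bytes(min(CHUNK, remaining))
        written = 0
        while written < len(data):
            written += os.write(fd, data[written:])
        remaining -= len(data)
    os.fsync(fd)  # push this pass to the device before starting the next


def overwrite_file(path: str, random_passes: int = 3) -> int:
    """Overwrite a regular file in place; returns the number of passes."""
    if random_passes < 1:
        raise ValueError("at least one random pass is required")
    if os.path.islink(path) or not os.path.isfile(path):
        raise ValueError("only regular files are overwritten")
    size = os.path.getsize(path)
    # No O_TRUNC: truncating first would release the blocks holding the old
    # data instead of writing over them. O_BINARY matters only on Windows.
    fd = os.open(path, os.O_WRONLY | getattr(os, "O_BINARY", 0))
    try:
        for _ in range(random_passes):
            _write_pass(fd, size, secrets.token_bytes)  # random data
        _write_pass(fd, size, bytes)                    # final pass: zeros
    finally:
        os.close(fd)
    return random_passes + 1


def erase_file(path: str, random_passes: int = 3) -> int:
    """Overwrite, then remove the directory entry."""
    passes = overwrite_file(path, random_passes)
    os.remove(path)
    return passes


def demo() -> dict:
    with tempfile.TemporaryDirectory() as folder:
        path = os.path.join(folder, "tax-return.txt")
        with open(path, "wb") as handle:  # constructed sample content
            handle.write(b"account 0000-constructed-sample\n" * 1000)
        size = os.path.getsize(path)
        passes = overwrite_file(path)
        with open(path, "rb") as handle:
            after = handle.read()
        erase_file(path, random_passes=1)
        return {
            "passes": passes,
            "same_size": len(after) == size,
            "all_zero": after == bytes(size),
            "deleted": not os.path.exists(path),
        }


if __name__ == "__main__":
    print(demo())
```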

An effective way to ruin a CD or DVD is to wrap it in a paper towel
and shatter it. However, there are also hardware devices that erase
CDs or DVDs by destroying their surface. Some of these devices
actually shred the media itself, while others puncture the writable
surface with a pattern of holes. If you decide to use one of these
devices, compare the various features and prices to determine which
option best suits your needs.
_________________________________________________________________

Authors: Mindi McDowell, Matt Lytle
_________________________________________________________________

This document can also be found at

<http://www.us-cert.gov/cas/tips/ST05-011.html>

Copyright 2005 Carnegie Mellon University

Terms of use

<http://www.us-cert.gov/legal.html>




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

-----END PGP SIGNATURE-----



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Cyber Security Tip ST05-010
Understanding Web Site Certificates

You may have been exposed to web site, or host, certificates if you
have ever clicked on the padlock in your browser or, when visiting a
web site, have been presented with a dialog box claiming that there is
an error with the name or date on the certificate. Understanding what
these certificates are may help you protect your privacy.

What are web site certificates?

If an organization wants to have a secure web site that uses
encryption, it needs to obtain a site, or host, certificate. Some
steps you can take to help determine if a site uses encryption are to
look for a closed padlock in the status bar at the bottom of your
browser window and to look for "https:" rather than "http:" in the URL
(see Protecting Your Privacy for more information). By making sure a
web site encrypts your information and has a valid certificate, you
can help protect yourself against attackers who create malicious sites
to gather your information. You want to make sure you know where your
information is going before you submit anything (see Avoiding Social
Engineering and Phishing Attacks for more information).

If a web site has a valid certificate, it means that a certificate
authority has taken steps to verify that the web address actually
belongs to that organization. When you type a URL or follow a link to
a secure web site, your browser will check the certificate for the
following characteristics:
1. the web site address matches the address on the certificate
2. the certificate is signed by a certificate authority that the
browser recognizes as a "trusted" authority

Can you trust a certificate?

The level of trust you put in a certificate is connected to how much
you trust the organization and the certificate authority. If the web
address matches the address on the certificate, the certificate is
signed by a trusted certificate authority, and the date is valid, you
can be more confident that the site you want to visit is actually the
site that you are visiting. However, unless you personally verify that
certificate's unique fingerprint by calling the organization directly,
there is no way to be absolutely sure.

By trusting a certificate, you have trusted the certificate authority
to perform this verification for you. However, it is important to
realize that certificate authorities vary in how strict they are about
validating all of the information in the requests and about making
sure that their data is secure. By default, your browser contains a
list of more than 100 trusted certificate authorities. That means
that, by extension, you are trusting all of those certificate
authorities to properly verify and validate the information. Before
submitting any personal information, you may want to look at the
certificate.

How do you check a certificate?

There are two ways to verify a web site's certificate in Internet
Explorer or Mozilla. One option is to click on the padlock in the
status bar of your browser window. However, your browser may not
display the status bar by default. Also, attackers may be able to
create malicious web sites that fake a padlock icon and display a
false dialog window if you click that icon. A more secure way to find
information about the certificate is to look for the certificate
feature in the menu options. This information may be under the file
properties or the security option within the page information. You
will get a dialog box with information about the certificate,
including the following:
* who issued the certificate - You should make sure that the issuer
is a legitimate, trusted certificate authority (you may see names
like VeriSign, thawte, or Entrust). Some organizations also have
their own certificate authorities that they use to issue
certificates to internal sites such as intranets.
* who the certificate is issued to - The certificate should be
issued to the organization who owns the web site. Do not trust the
certificate if the name on the certificate does not match the name
of the organization or person you expect.
* expiration date - Most certificates are issued for one or two
years. One exception is the certificate for the certificate
authority itself, which, because of the amount of involvement
necessary to distribute the information to all of the
organizations who hold its certificates, may be ten years. Be wary
of organizations with certificates that are valid for longer than
two years or with certificates that have expired.

When visiting a web site, you may have been presented with a dialog
box that claims that there is an error with the site certificate. This
may happen if the name the certificate is registered to does not match
the site name, you have chosen not to trust the company who issued the
certificate, or the certificate has expired. You will usually be
presented with the option to examine the certificate, after which you
can accept the certificate forever, accept it only for that particular
visit, or choose not to accept it. The confusion is sometimes easy to
resolve (perhaps the certificate was issued to a particular department
within the organization rather than the name on file). If you are
unsure whether the certificate is valid or question the security of
the site, do not submit personal information. Even if the information
is encrypted, make sure to read the organization's privacy policy
first so that you know what is being done with that information (see
Protecting Your Privacy for more information).
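
The certificate details listed above (who issued it, who it is issued to, and the expiration date), read programmatically, as an added example that is not part of the original tip. It works on a dictionary in the shape Python's ssl.SSLSocket.getpeercert() returns; the two sample certificates, the host names and the simplified wildcard rule are constructed for illustration.

```python
import ssl

# "Be wary of ... certificates that are valid for longer than two years":
# two calendar years, allowing for leap days.
MAX_VALIDITY_DAYS = 2 * 366


def _attributes(cert: dict, field: str) -> dict:
    """Flatten getpeercert()'s nested name tuples into {attribute: value}."""
    return {key: value for rdn in cert.get(field, ()) for key, value in rdn}


def hostname_matches(hostname: str, pattern: str) -> bool:
    """Exact match, or a '*' standing for exactly the left-most label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*" and len(pat) > 2:
        return host[1:] == pat[1:]
    return host == pat


def review_certificate(cert: dict, hostname: str, now: float) -> dict:
    """Report issuer, subject, expiry and anything the tip says to be wary of.

    Whether the issuer is a trusted authority is decided by the TLS library
    while it validates the chain; getpeercert() returns an empty dict when
    the certificate was not validated, so this only reviews the fields.
    """
    subject = _attributes(cert, "subject")
    issuer = _attributes(cert, "issuer")
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names and "commonName" in subject:
        names = [subject["commonName"]]  # older certificates: name only in CN
    findings = []
    if not any(hostname_matches(hostname, name) for name in names):
        findings.append("name mismatch")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        findings.append("not yet valid")
    if now > not_after:
        findings.append("expired")
    if (not_after - not_before) / 86400 > MAX_VALIDITY_DAYS:
        findings.append("valid for longer than two years")
    return {
        "issued_by": issuer.get("organizationName") or issuer.get("commonName"),
        "issued_to": subject.get("organizationName") or subject.get("commonName"),
        "expires": cert["notAfter"],
        "findings": findings,
    }


# Constructed sample data in the shape getpeercert() returns.
GOOD = {
    "subject": ((("organizationName", "Example Bank"),),
                (("commonName", "www.example.com"),)),
    "issuer": ((("organizationName", "Example Trust CA"),),),
    "notBefore": "Mar 10 00:00:00 2005 GMT",
    "notAfter": "Mar 10 00:00:00 2006 GMT",
    "subjectAltName": (("DNS", "www.example.com"),),
}
SUSPECT = {
    "subject": ((("organizationName", "Example Intranet"),),
                (("commonName", "intranet.example.net"),)),
    "issuer": ((("organizationName", "Example Intranet"),),),
    "notBefore": "Jan 15 00:00:00 1995 GMT",
    "notAfter": "Jan 15 00:00:00 2005 GMT",
}
NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2005 GMT")

if __name__ == "__main__":
    for sample in (GOOD, SUSPECT):
        print(review_certificate(sample, "www.example.com", NOW))
```
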
_________________________________________________________________

Authors: Mindi McDowell, Matt Lytle
_________________________________________________________________

This document can also be found at

<http://www.us-cert.gov/cas/tips/ST05-010.html>

Copyright 2005 Carnegie Mellon University

Terms of use

<http://www.us-cert.gov/legal.html>



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

-----END PGP SIGNATURE-----


 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Cyber Security Tip ST05-009
Benefits and Risks of Free Email Services

Although free email services are convenient for sending personal
correspondence, you should not use them to send messages containing
sensitive information.

What is the appeal of free email services?

Many service providers offer free email accounts (e.g., Yahoo!,
Hotmail, Gmail). These email services typically provide you with a
browser interface to access your mail. In addition to the monetary
savings, these services often offer other benefits:
* accessibility - Because you can access your account(s) from any
computer, these services are useful if you cannot be near your
computer or are in the process of relocating and do not have an
ISP. Even if you are able to access your ISP-based email account
remotely, being able to rely on a free email account is ideal if
you are using a public computer or shared wireless hot spot and
are concerned about exposing the details of your primary account.
* competitive features - With so many of these service providers
competing for users, they now offer additional features such as
large amounts of storage, spam filtering, virus protection, and
enhanced fonts and graphics.
* additional capabilities - It is becoming more common for service
providers to package additional software or services (e.g.,
instant messaging) with their free email accounts to attract
customers.

Free email accounts are also effective tools for reducing the amount
of spam you receive at your primary email address. Instead of
submitting your primary address when shopping online, requesting
services, or participating in online forums, you can set up a free
secondary address to use (see Reducing Spam for more information).

What risks are associated with free email services?

Although free email services have many benefits, you should not use
them to send sensitive information. Because you are not paying for the
account, the organization may not have a strong commitment to
protecting you from various threats or offering you the best service.
Some of the elements you risk are
* security - If your login, password, or messages are sent in plain
text, they may easily be intercepted. If a service provider offers
SSL encryption, you should use it. You can find out whether this
is available by looking for a "secure mode" or by replacing the
"http:" in the URL with "https:" (see Protecting Your Privacy for
more information).
* privacy - You aren't paying for your email account, but the
service provider has to find some way to recover the costs of
providing the service. One way of generating revenue is to sell
advertising space, but another is to sell or trade information.
Make sure to read the service provider's privacy policy or terms
of use to see if your name, your email address, the email
addresses in your address book, or any of the information in your
profile has the potential of being given to other organizations
(see Protecting Your Privacy for more information). If you are
considering forwarding your work email to a free email account,
check with your employer first. You do not want to violate any
established security policies.
* reliability - Although you may be able to access your account from
any computer, you need to make sure that the account is going to
be available when you want to access it. Familiarize yourself with
the service provider's terms of service so that you know exactly
what they have committed to providing you. For example, if the
service ends or your account disappears, can you retrieve your
messages? Does the service provider give you the ability to
download messages that you want to archive onto your machine?
Also, if you happen to be in a different time zone than the
provider, you may find that their server maintenance interferes
with your normal email routine.
_________________________________________________________________

Authors: Mindi McDowell, Allen Householder
_________________________________________________________________

This document can also be found at

<http://www.us-cert.gov/cas/tips/ST05-009.html>

Copyright 2005 Carnegie Mellon University

Terms of use

<http://www.us-cert.gov/legal.html>



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

-----END PGP SIGNATURE-----



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Cyber Security Tip ST05-008
How Anonymous Are You?

You may think that you are anonymous as you browse web sites, but
pieces of information about you are always left behind. You can reduce
the amount of information revealed about you by visiting legitimate
sites, checking privacy policies, and minimizing the amount of
personal information you provide.

What information is collected?

When you visit a web site, a certain amount of information is
automatically sent to the site. This information may include the
following:
* IP address - Each computer on the internet is assigned a specific,
unique IP (internet protocol) address. Your computer may have a
static IP address or a dynamic IP address. If you have a static IP
address, it never changes. However, some ISPs own a block of
addresses and assign an open one each time you connect to the
internet--this is a dynamic IP address. You can determine your
computer's IP address at any given time by visiting
www.showmyip.com.
* domain name - The internet is divided into domains, and every
user's account is associated with one of those domains. You can
identify the domain by looking at the end of the URL; for example,
.edu indicates an educational institution, .gov indicates a US
government agency, .org refers to organizations, and .com is for
commercial use. Many countries also have specific domain names.
The list of active domain names is available at
http://www.iana.org/domain-names.htm or
http://www.norid.no/domenenavnbaser/domreg.html.
* software details - It may be possible for an organization to
determine which browser, including the version, that you used to
access its site. The organization may also be able to determine
what operating system your computer is running.
* page visits - Information about which pages you visited, how long
you stayed on a given page, and whether you came to the site from
a search engine is often available to the organization operating
the web site.

If a web site uses cookies, the organization may be able to collect
even more information, such as your browsing patterns, which include
other sites you've visited. If the site you're visiting is malicious,
files on your computer, as well as passwords stored in the temporary
memory, may be at risk.
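
What a site operator can reconstruct from the automatically sent items listed above (IP address, software details, page visits), as an added example that is not part of the original tip. It parses web server entries in the common "combined" access-log layout; the log lines, addresses and host names are constructed, and treating a "q" parameter in the referring URL as the search terms is an assumption.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# "Combined" access-log layout: client, time, request, status, size,
# referring page, browser identification string.
LOG_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"\S+ (?P<path>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample entries (documentation addresses and host names).
SAMPLE_LOG = [
    '192.0.2.44 - - [12/Jul/2005:10:15:02 +0000] '
    '"GET /loans/apply.html HTTP/1.1" 200 5120 '
    '"http://search.example/search?q=low+interest+loans" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '192.0.2.44 - - [12/Jul/2005:10:17:40 +0000] '
    '"GET /loans/rates.html HTTP/1.1" 200 2048 '
    '"http://www.example.com/loans/apply.html" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '198.51.100.7 - - [12/Jul/2005:10:18:05 +0000] '
    '"GET /index.html HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Firefox/1.0.4"',
]


def profile_visitors(lines, site_host="www.example.com") -> dict:
    """Group log entries by client address into a per-visitor summary.

    Entries are assumed to be in time order, as a server writes them.
    """
    visitors, last_seen = {}, {}
    for line in lines:
        m = LOG_LINE.match(line)
        if m is None:
            continue  # not a combined-format entry
        ip = m["ip"]
        when = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
        visitor = visitors.setdefault(ip, {
            "software": m["agent"],   # browser and operating system string
            "arrived_from": None,     # external site that linked here
            "search_terms": None,
            "pages": [],
        })
        if visitor["pages"]:
            # Time on the previous page is the gap until the next request.
            gap = when - last_seen[ip]
            visitor["pages"][-1]["seconds"] = int(gap.total_seconds())
        last_seen[ip] = when
        visitor["pages"].append({"path": m["path"], "seconds": None})
        referrer = urlparse(m["referrer"])
        external = referrer.hostname and referrer.hostname != site_host
        if external and visitor["arrived_from"] is None:
            visitor["arrived_from"] = referrer.hostname
            terms = parse_qs(referrer.query).get("q")  # assumed parameter name
            visitor["search_terms"] = terms[0] if terms else None
    return visitors


if __name__ == "__main__":
    for address, profile in profile_visitors(SAMPLE_LOG).items():
        print(address, profile)
```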

How is this information used?

Generally, organizations use the information that is gathered
automatically for legitimate purposes, such as generating statistics
about their sites. By analyzing the statistics, the organizations can
better understand the popularity of the site and which areas of
content are being accessed the most. They may be able to use this
information to modify the site to better support the behavior of the
people visiting it.

Another way to apply information gathered about users is marketing. If
the site uses cookies to determine other sites or pages you have
visited, it may use this information to advertise certain products.
The products may be on the same site or may be offered by partner
sites.

However, some sites may collect your information for malicious
purposes. If attackers are able to access files, passwords, or
personal information on your computer, they may be able to use this
data to their advantage. The attackers may be able to steal your
identity, using and abusing your personal information for financial
gain. A common practice is for attackers to use this type of
information once or twice, then sell or trade it to other people. The
attackers profit from the sale or trade, and increasing the number of
transactions makes it more difficult to trace any activity back to
them. The attackers may also alter the security settings on your
computer so that they can access and use your computer for other
malicious activity.

Are you exposing any other personal information?

While using cookies may be one method for gathering information, the
easiest way for attackers to get access to personal information is to
ask for it. By representing a malicious site as a legitimate one,
attackers may be able to convince you to give them your address,
credit card information, social security number, or other personal
data (see Avoiding Social Engineering and Phishing Attacks for more
information).

How can you limit the amount of information collected about you?

* Be careful supplying personal information - Unless you trust a
site, don't give your address, password, or credit card
information. Look for indications that the site uses SSL to
encrypt your information (see Protecting Your Privacy for more
information). Although some sites require you to supply your
social security number (e.g., sites associated with financial
transactions such as loans or credit cards), be especially wary of
providing this information online.
* Limit cookies - If an attacker can access your computer, he or she
may be able to find personal data stored in cookies. You may not
realize the extent of the information stored on your computer
until it is too late. However, you can limit the use of cookies
(see Browsing Safely: Understanding Active Content and Cookies for
more information).
* Browse safely - Be careful which web sites you visit; if it seems
suspicious, leave the site. Also make sure to take precautions by
increasing your security settings (see Evaluating Your Web
Browser's Security Settings for more information), keeping your
virus definitions up to date (see Understanding Anti-Virus
Software for more information), and scanning your computer for
spyware (see Recognizing and Avoiding Spyware for more
information).
_________________________________________________________________

Author: Mindi McDowell
_________________________________________________________________

This document can also be found at

<http://www.us-cert.gov/cas/tips/ST05-008.html>

Copyright 2005 Carnegie Mellon University

Terms of use

<http://www.us-cert.gov/legal.html>








-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cyber Security Tip ST05-007
Risks of File-Sharing Technology

File-sharing technology is a popular way for users to exchange, or
"share," files. However, using this technology makes you susceptible
to risks such as infection, attack, or exposure of personal
information.

What is file sharing?

File sharing involves using technology that allows internet users to
share files that are housed on their individual computers.
Peer-to-peer (P2P) applications, such as those used to share music
files, are some of the most common forms of file-sharing technology.
However, P2P applications introduce security risks that may put your
information or your computer in jeopardy.

What risks does file-sharing technology introduce?

* Installation of malicious code - When you use P2P applications, it
is difficult, if not impossible, to verify that the source of the
files is trustworthy. These applications are often used by
attackers to transmit malicious code. Attackers may incorporate
spyware, viruses, Trojan horses, or worms into the files. When you
download the files, your computer becomes infected (see
Recognizing and Avoiding Spyware and Recovering from Viruses,
Worms, and Trojan Horses for more information).
* Exposure of sensitive or personal information - By using P2P
applications, you may be giving other users access to personal
information. Whether it's because certain directories are
accessible or because you provide personal information to what you
believe to be a trusted person or organization, unauthorized
people may be able to access your financial or medical data,
personal documents, sensitive corporate information, or other
personal information. Once information has been exposed to
unauthorized people, it's difficult to know how many people have
accessed it. The availability of this information may increase
your risk of identity theft (see Protecting Your Privacy and
Avoiding Social Engineering and Phishing Attacks for more
information).
* Susceptibility to attack - Some P2P applications may ask you to
open certain ports on your firewall to transmit the files.
However, opening some of these ports may give attackers access to
your computer or enable them to attack your computer by taking
advantage of any vulnerabilities that may exist in the P2P
application.
* Denial of service - Downloading files causes a significant amount
of traffic over the network and relies on certain processes on
your computer. This activity may reduce the availability of
certain programs on your computer or may limit your access to the
internet.
* Prosecution - Files shared through P2P applications may include
pirated software, copyrighted material, or pornography. If you
download these, even unknowingly, you may be faced with fines or
other legal action. If your computer is on a company network and
exposes customer information, both you and your company may be
liable.

How can you minimize these risks?

The best way to eliminate these risks is to avoid using P2P
applications. However, if you choose to use this technology, you can
follow some good security practices to minimize your risk:
* use and maintain anti-virus software - Anti-virus software
recognizes and protects your computer against most known viruses.
However, attackers are continually writing new viruses, so it is
important to keep your anti-virus software current (see
Understanding Anti-Virus Software for more information).
* install or enable a firewall - Firewalls may be able to prevent
some types of infection by blocking malicious traffic before it
can enter your computer (see Understanding Firewalls for more
information). Some operating systems actually include a firewall,
but you need to make sure it is enabled.
_________________________________________________________________

Author: Mindi McDowell. Some content contributed by Brent Wrisley
and Will Dormann.
_________________________________________________________________

This document can also be found at

<http://www.us-cert.gov/cas/tips/ST05-007.html>

Copyright 2005 Carnegie Mellon University

Terms of use

<http://www.us-cert.gov/legal.html>






-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Cyber Security Tip ST05-006
Recovering from Viruses, Worms and Trojan Horses

Unfortunately, many users are victims of viruses, worms, or Trojan
horses. If your computer gets infected with malicious code, there are
steps you can take to recover.

How do you know your computer is infected?

Unfortunately, there is no particular way to identify that your
computer has been infected with malicious code. Some infections may
completely destroy files and shut down your computer, while others may
only subtly affect your computer's normal operations. Be aware of any
unusual or unexpected behaviors. If you are running anti-virus
software, it may alert you that it has found malicious code on your
computer. The anti-virus software may be able to clean the malicious
code automatically, but if it can't, you will need to take additional
steps.

What can you do if you are infected?

1. Minimize the damage - If you are at work and have access to an IT
department, contact them immediately. The sooner they can
investigate and clean your computer, the less damage to your
computer and other computers on the network. If you are on your
home computer or a laptop, disconnect your computer from the
internet. By removing the internet connection, you prevent an
attacker or virus from being able to access your computer and
perform tasks such as locating personal data, manipulating or
deleting files, or using your computer to attack other computers.
2. Remove the malicious code - If you have anti-virus software
installed on your computer, update the virus definitions (if
possible), and perform a manual scan of your entire system. If you
do not have anti-virus software, you can purchase it at a local
computer store (see Understanding Anti-Virus Software for more
information). If the software can't locate and remove the
infection, you may need to reinstall your operating system,
usually with a system restore disk that is often supplied with a
new computer. Note that reinstalling or restoring the operating
system typically erases all of your files and any additional
software that you have installed on your computer.

How can you reduce the risk of another infection?

Dealing with the presence of malicious code on your computer can be a
frustrating experience that can cost you time, money, and data. The
following recommendations will build your defense against future
infections:
* use and maintain anti-virus software - Anti-virus software
recognizes and protects your computer against most known viruses.
However, attackers are continually writing new viruses, so it is
important to keep your anti-virus software current (see
Understanding Anti-Virus Software for more information).
* change your passwords - Your original passwords may have been
compromised during the infection, so you should change them. This
includes passwords for web sites that may have been cached in your
browser. Make the passwords difficult for attackers to guess (see
Choosing and Protecting Passwords for more information).
* keep software up to date - Install software patches so that
attackers can't take advantage of known problems or
vulnerabilities (see Understanding Patches for more information).
Many operating systems offer automatic updates. If this option is
available, you should enable it.
* install or enable a firewall - Firewalls may be able to prevent
some types of infection by blocking malicious traffic before it
can enter your computer (see Understanding Firewalls for more
information). Some operating systems actually include a firewall,
but you need to make sure it is enabled.
* use anti-spyware tools - Spyware is a common source of viruses,
but you can minimize the number of infections by using a
legitimate program that identifies and removes spyware (see
Recognizing and Avoiding Spyware for more information).
* follow good security practices - Take appropriate precautions when
using email and web browsers so that you reduce the risk that your
actions will trigger an infection (see other US-CERT security tips
for more information).

As a precaution, maintain backups of your files on CDs or DVDs so that
you have saved copies if you do get infected again.

_________________________________________________________________

Author: Mindi McDowell
_________________________________________________________________

This document can also be found at

<http://www.us-cert.gov/cas/tips/ST05-006.html>

Copyright 2005 Carnegie Mellon University

Terms of use

<http://www.us-cert.gov/legal.html>



 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Cyber Security Tip ST05-005
Reviewing End-User License Agreements

Before accepting an end-user license agreement, make sure you
understand and are comfortable with the terms of the agreement.

What is an end-user license agreement?

An end-user license agreement (EULA) is a contract between you and the
software's vendor or developer. Some software packages state that by
simply removing the shrink-wrap on the package, you agree to the
contract. However, you may be more familiar with the type of EULA that
is presented as a dialog box that appears the first time you open the
software. It usually requires you to accept the conditions of the
contract before you can proceed. Some EULAs only apply to certain
features of the software, so you may only encounter them when you
attempt to use those features.

Unfortunately, many users don't read EULAs before accepting them. The
terms of each contract differ, and you may be agreeing to conditions
that you later consider unfair or that expose you to security risks
you didn't expect.

What terms may be included?

EULAs are legal contracts, and the vendor or developer may include
almost any conditions. These conditions are often designed to protect
the developer or vendor against liability, but they may also include
additional terms that give the vendor some control over your computer.
The following topics are often covered in EULAs:
* Distribution - There are often limitations placed on the number of
times you are allowed to install the software and restrictions
about reproducing the software for distribution (see Avoiding
Copyright Infringement for more information about copyright
issues).
* Warranty - Developers or vendors often include disclaimers that
they are not liable for any problem that results from the software
being used incorrectly. They may also protect themselves from
liability for software flaws, software failure, or incompatibility
with other programs on your computer.

The following topics, while not standard, are examples of other
conditions that have been included in EULAs. They present security
implications that you should consider before accepting the agreement.
* Monitoring - Agreeing to the EULA may give the vendor permission
to monitor your computer activity and communicate the information
back to the vendor or to another third party. Depending on what
information is being collected, this type of monitoring could have
both security and privacy implications.
* Software installation - Some agreements allow the vendor to
install additional software on your computer. This may include
updated versions of the software program you installed (the
determination of which version you are running may be a result of
the monitoring described above). Vendors may also incorporate
statements that allow them or other third parties to install
additional software programs on your computer. This software may
be unnecessary, may affect the functionality of other programs on
your computer, and may introduce security risks.
_________________________________________________________________

Author: Mindi McDowell
_________________________________________________________________

This document can also be found at

<http://www.us-cert.gov/cas/tips/ST05-005.html>

Copyright 2005 Carnegie Mellon University

Terms of use

<http://www.us-cert.gov/legal.html>






-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Cyber Security Tip ST05-004
Avoiding Copyright Infringement

Although copyright may seem to be a purely legal issue, using
unauthorized files could have security implications. To avoid
prosecution and minimize the risks to your computer, make sure you
have permission to use any copyrighted information, and only download
authorized files.

How does copyright infringement apply to the internet?

Copyright infringement occurs when you use or distribute information
without permission from the person or organization that owns the legal
rights to the information. Including an image or cartoon on your web
site or in a document, illegally downloading music, and pirating
software are all common copyright violations. While these activities
may seem harmless, they could have serious legal and security
implications.

How do you know if you have permission to use something?

If you find something on a web site that you'd like to use (e.g., a
document, a chart, an application), search for information about
permissions to use, download, redistribute, or reproduce. Most web
sites have a "terms of use" page that explains how you are allowed to
use information from the site (see US-CERT's terms of use for an
example). You can often find a link to this page in the site's contact
information or privacy policy, or at the bottom of the page that
contains the information you are interested in using.

There may be restrictions based on the purpose, method, and audience.
You may also have to adhere to specific conditions about how much
information you are allowed to use or how the information is presented
and attributed. Consider whether the individual or organization that
operates the web site has the legal authority to give you permission
to use the item--if they did not produce the item, they can't give you
permission to use it because they don't hold the copyright. If you
can't locate the terms of use, or if it seems unclear, contact the
individual or organization that holds the copyright to ask permission.

What consequences could you face?

* Prosecution - When you illegally download, reproduce, or
distribute information, you risk legal action. Penalties may range
from warnings and mandatory removal of all references to costly
fines. Depending on the severity of the crime, jail time may also
be a possibility. To offset their own court costs and the money
they feel they lose because of pirated software, vendors may
increase the prices of their products.
* Malicious copies - Some users knowingly violate copyright by using
sites or networks that allow them to illegally download music and
movies or by making or installing unauthorized copies of software
applications. Attackers could take advantage of these outlets by
embedding code in a music or movie file or a pirated copy of
software that would infect your computer once it was installed.
Because you wouldn't know the source or identity of the infection
(or maybe that it was even there), you might not be able to easily
identify or remove it. Pirated software with hidden Trojan horses
(see Why is Cyber Security a Problem? for more information) is
often advertised as discounted software in spam email messages
(see Reducing Spam for more information).

_________________________________________________________________

Author: Mindi McDowell
_________________________________________________________________


This document can also be found at

<http://www.us-cert.gov/cas/tips/ST05-004.html>

Copyright 2005 Carnegie Mellon University

Terms of use

<http://www.us-cert.gov/legal.html>






-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Cyber Security Tip ST05-003
Securing Wireless Networks

Wireless networks are becoming increasingly popular, but they
introduce additional security risks. If you have a wireless network,
make sure to take appropriate precautions to protect your information.

How do wireless networks work?

As the name suggests, wireless networks, sometimes called WiFi, allow
you to connect to the internet without relying on wires. If your home,
office, airport, or even local coffee shop has a wireless connection,
you can access the network from anywhere that is within that wireless
area.

Wireless networks rely on radio waves rather than wires to connect
computers to the internet. A transmitter, known as a wireless access
point or gateway, is wired into an internet connection. This provides
a "hotspot" that transmits the connectivity over radio waves. Hotspots
have identifying information, including an item called an SSID
(service set identifier), that allows computers to locate them.
Computers that have a wireless card and have permission to access the
wireless frequency can take advantage of the network connection. Some
computers may automatically identify open wireless networks in a given
area, while others may require that you locate and manually enter
information such as the SSID.

What security threats are associated with wireless networks?

Because wireless networks do not require a wire between a computer and
the internet connection, it is possible for attackers who are within
range to hijack or intercept an unprotected connection. A practice
known as wardriving involves individuals equipped with a computer, a
wireless card, and a GPS device driving through areas in search of
wireless networks and identifying the specific coordinates of a
network location. This information is then usually posted online. Some
individuals who participate in or take advantage of wardriving have
malicious intent and could use this information to hijack your home
wireless network or intercept the connection between your computer and
a particular hotspot.

What can you do to minimize the risks to your wireless network?

* Change default passwords - Most network devices, including
wireless access points, are pre-configured with default
administrator passwords to simplify setup. These default passwords
are easily found online, so they don't provide any protection.
Changing default passwords makes it harder for attackers to take
control of the device (see Choosing and Protecting Passwords for
more information).
* Restrict access - Only allow authorized users to access your
network. Each piece of hardware connected to a network has a MAC
(media access control) address. You can restrict or allow access
to your network by filtering MAC addresses. Consult your user
documentation to get specific information about enabling these
features. There are also several technologies available that
require wireless users to authenticate before accessing the
network.
* Encrypt the data on your network - WEP (Wired Equivalent Privacy)
and WPA (Wi-Fi Protected Access) both encrypt information on
wireless devices. However, WEP has a number of security issues
that make it less effective than WPA, so you should specifically
look for gear that supports encryption via WPA. Encrypting the
data would prevent anyone who might be able to access your network
from viewing your data (see Understanding Encryption for more
information).
* Protect your SSID - To avoid outsiders easily accessing your
network, avoid publicizing your SSID. Consult your user
documentation to see if you can change the default SSID to make it
more difficult to guess.
* Install a firewall - While it is a good security practice to
install a firewall on your network, you should also install a
firewall directly on your wireless devices (a host-based
firewall). Attackers who can directly tap into your wireless
network may be able to circumvent your network firewall--a
host-based firewall will add a layer of protection to the data on
your computer (see Understanding Firewalls for more information).
* Maintain anti-virus software - You can reduce the damage attackers
may be able to inflict on your network and wireless computer by
installing anti-virus software and keeping your virus definitions
up to date (see Understanding Anti-Virus Software for more
information). Many of these programs also have additional features
that may protect against or detect spyware and Trojan horses (see
Recognizing and Avoiding Spyware and Why is Cyber Security a
Problem? for more information).
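
Several of the recommendations above correspond to individual access point settings that can be checked mechanically. The following is an added example, not part of the original tip: it audits a key=value configuration in the style used by the hostapd access point software, an assumption chosen because its settings are plain text. Both sample configurations, the passphrase placeholder, and the list of factory-default network names are constructed for illustration.

```python
# Constructed sample configurations (hostapd-style key=value), not from the tip.
WEAK_CONF = """
interface=wlan0
ssid=linksys
auth_algs=1
wep_default_key=0
wep_key0=1234567890
macaddr_acl=0
ignore_broadcast_ssid=0
"""

HARDENED_CONF = """
interface=wlan0
ssid=maple-street-42
auth_algs=1
# wpa is a bit field: 1 = WPA, 2 = WPA2 (the successor to WPA), 3 = both
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=CONSTRUCTED-PLACEHOLDER-PASSPHRASE
# 1 = refuse stations whose MAC address is not in the accept list
macaddr_acl=1
accept_mac_file=/etc/hostapd.accept
ignore_broadcast_ssid=1
"""

# Illustrative list of network names that devices ship with (assumption).
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink", "wireless"}


def parse_conf(text):
    """Read key=value lines, skipping blanks and # comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit(text):
    """Return (tip, detail) pairs for each recommendation the config misses."""
    conf = parse_conf(text)
    findings = []

    # Encrypt the data on your network: require WPA; WEP alone does not count.
    wpa_mode = int(conf.get("wpa", "0") or 0)
    has_wep_key = any(key.startswith("wep_key") for key in conf)
    if wpa_mode == 0:
        detail = "WEP is the only encryption" if has_wep_key else "no encryption"
        findings.append(("Encrypt the data on your network", detail))

    # Restrict access: 1 = accept-list only, 2 = external RADIUS decides.
    if conf.get("macaddr_acl", "0") not in ("1", "2"):
        findings.append(("Restrict access", "any MAC address may associate"))

    # Protect your SSID: do not broadcast it, and do not keep a factory name.
    if conf.get("ignore_broadcast_ssid", "0") == "0":
        findings.append(("Protect your SSID", "SSID is broadcast in beacons"))
    if conf.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append(("Protect your SSID", "SSID is a factory default"))

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name)
        for tip, detail in audit(text) or [("ok", "no findings")]:
            print(f"  {tip}: {detail}")
```

The administrator password, firewall, and anti-virus recommendations are not visible in this kind of file and still need to be checked on the device and on each computer.
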
_________________________________________________________________

Authors: Mindi McDowell, Allen Householder, Matt Lytle
_________________________________________________________________

This document can also be found at

<http://www.us-cert.gov/cas/tips/ST05-003.html>

Copyright 2005 Carnegie Mellon University

Terms of use

<http://www.us-cert.gov/legal.html>







-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Cyber Security Tip ST05-002
Keeping Children Safe Online

Children present unique security risks when they use a computer--not
only do you have to keep them safe, you have to protect the data on
your computer. By taking some simple steps, you can dramatically
reduce the threats.

What unique risks are associated with children?

When a child is using your computer, normal safeguards and security
practices may not be sufficient. Children present additional
challenges because of their natural characteristics: innocence,
curiosity, desire for independence, and fear of punishment. You need
to consider these characteristics when determining how to protect your
data and the child.

You may think that because the child is only playing a game, or
researching a term paper, or typing a homework assignment, he or she
can't cause any harm. But what if, when saving her paper, the child
deletes a necessary program file? Or what if she unintentionally
visits a malicious web page that infects your computer with a virus?
These are just two possible scenarios. Mistakes happen, but the child
may not realize what she's done or may not tell you what happened
because she's afraid of getting punished.

Online predators present another significant threat, particularly to
children. Because the nature of the internet is so anonymous, it is
easy for people to misrepresent themselves and manipulate or trick
other users (see Avoiding Social Engineering and Phishing Attacks for
some examples). Adults often fall victim to these ploys, and children,
who are usually much more open and trusting, are even easier targets.
The threat is even greater if a child has access to email or instant
messaging programs and/or visits chat rooms (see Using Instant
Messaging and Chat Rooms Safely for more information).

What can you do?

* Be involved - Consider activities you can work on together,
whether it be playing a game, researching a topic you had been
talking about (e.g., family vacation spots, a particular hobby, a
historical figure), or putting together a family newsletter. This
will allow you to supervise your child's online activities while
teaching her good computer habits.
* Keep your computer in an open area - If your computer is in a
high-traffic area, you will be able to easily monitor the computer
activity. Not only does this accessibility deter a child from
doing something she knows she's not allowed to do, it also gives
you the opportunity to intervene if you notice a behavior that
could have negative consequences.
* Set rules and warn about dangers - Make sure your child knows the
boundaries of what she is allowed to do on the computer. These
boundaries should be appropriate for the child's age, knowledge,
and maturity, but they may include rules about how long she is
allowed to be on the computer, what sites she is allowed to visit,
what software programs she can use, and what tasks or activities
she is allowed to do. You should also talk to children about the
dangers of the internet so that they recognize suspicious behavior
or activity. The goal isn't to scare them; it's to make them more
aware.
* Monitor computer activity - Be aware of what your child is doing
on the computer, including which web sites she is visiting. If she
is using email, instant messaging, or chat rooms, try to get a
sense of who she is corresponding with and whether she actually
knows them.
* Keep lines of communication open - Let your child know that she
can approach you with any questions or concerns about behaviors or
problems she may have encountered on the computer.
* Consider partitioning your computer into separate accounts - Most
operating systems (including Windows XP, Mac OS X, and Linux) give
you the option of creating a different user account for each user.
If you're worried that your child may accidentally access, modify,
and/or delete your files, you can give her a separate account and
decrease the amount of access and number of privileges she has.
If you don't have separate accounts, you need to be especially
careful about your security settings. In addition to limiting
functionality within your browser (see Evaluating Your Web
Browser's Security Settings for more information), avoid letting
your browser remember passwords and other personal information
(see Browsing Safely: Understanding Active Content and Cookies).
Also, it is always important to keep your virus definitions up to
date (see Understanding Anti-Virus Software).
* Consider implementing parental controls - You may be able to set
some parental controls within your browser. For example, Internet
Explorer allows you to restrict or allow certain web sites to be
viewed on your computer, and you can protect these settings with a
password. To find those options, click Tools on your menu bar,
select Internet Options..., choose the Content tab, and click the
Enable... button under Content Advisor.
There are other resources you can use to control and/or monitor
your child's online activity. Some ISPs offer services designed to
protect children online. Contact your ISP to see if any of these
services are available. There are also special software programs
you can install on your computer. Different programs offer
different features and capabilities, so you can find one that best
suits your needs. The following web sites offer lists of software,
as well as other useful information about protecting children
online:

+ GetNetWise - http://kids.getnetwise.org/ - Click Tools for
Families to reach a page that allows you to search for software
based on characteristics like what the tool does and what
operating system you have on your computer.
+ Yahooligans! Parents' Guide -
http://yahooligans.yahoo.com/parents/ - Click Blocking and
Filtering under Related Websites on the left sidebar to reach a
list of software.
_________________________________________________________________

Authors: Mindi McDowell, Allen Householder
_________________________________________________________________

This document can also be found at

<http://www.us-cert.gov/cas/tips/ST05-002.html>

Copyright 2005 Carnegie Mellon University

Terms of use

<http://www.us-cert.gov/legal.html>





 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cyber Security Tip ST05-001
Evaluating Your Web Browser's Security Settings

Check the security settings in your web browser to make sure they are
at an appropriate level. While increasing your security may affect the
functionality of some web sites, it could prevent you from being
attacked.

Why are security settings for web browsers important?

Your web browser is your primary connection to the rest of the
internet, and multiple applications may rely on your browser, or
elements within your browser, to function. This makes the security
settings within your browser even more important. Many web
applications try to enhance your browsing experience by enabling
different types of functionality, but this functionality might be
unnecessary and may leave you susceptible to being attacked. The
safest policy is to disable the majority of those features unless you
decide they are necessary. If you determine that a site is
trustworthy, you can choose to enable the functionality temporarily
and then disable it once you are finished visiting the site.

Where can you find the settings?

Each web browser is different, so you may have to look around. For
example, in Internet Explorer, you can find them by clicking Tools on
your menu bar, selecting Internet Options..., choosing the Security
tab, and clicking the Custom Level... button. However, in Mozilla, you
click Edit on the menu bar, select Preferences..., and click the +
next to Privacy & Security to explore the various options. Browsers
have different security options and configurations, so familiarize
yourself with the menu options, check the help feature, or refer to
the vendor's web site.

While every application has settings that are selected by default, you
may discover that your browser also has predefined security levels
that you can select. For example, Internet Explorer offers custom
settings that allow you to select a particular level of security;
features are enabled or disabled based on your selection. Even with
these guides, it is helpful to have an understanding of what the
different terms mean so that you can evaluate the features to
determine which settings are appropriate for you.

How do you know what your settings should be?

Ideally, you would set your security for the highest level possible.
However, restricting certain features may limit some web pages from
loading or functioning properly. The best approach is to adopt the
highest level of security and only enable features when you require
their functionality.

What do the different terms mean?

Different browsers use different terms, but here are some terms and
options you may find:
* Zones - Your browser may give you the option of putting web sites
into different segments, or zones, and allow you to define
different security restrictions for each zone.
For example, Internet Explorer identifies the following zones:
+ Internet - This is the general zone for all public web sites.
When you browse the internet, the settings for this zone are
automatically applied to the sites you visit. To give you the
best protection as you browse, you should set the security to
the highest level; at the very least, you should maintain a
medium level.
+ Local intranet - If you are in an office setting that has its
own intranet, this zone contains those internal pages.
Because the web content is maintained on an internal web
server, it is usually safe to have less restrictive settings
for these pages. However, some viruses have tapped into this
zone, so be aware of what sites are listed and what
privileges they are being given.
+ Trusted sites - If you believe that certain sites are
designed with security in mind, and you feel that content
from the site can be trusted not to contain malicious
materials, you can add them to your trusted sites and apply
settings accordingly. You may also require that only sites
that implement Secure Sockets Layer (SSL) can be active in
this zone. This permits you to verify that the site you are
visiting is the site that it claims to be (see Protecting
Your Privacy for more information). This is an optional zone
but may be useful if you personally maintain multiple web
sites or if your organization has multiple sites. Even if you
trust them, avoid applying low security levels to external
sites--if they are attacked, you might also become a victim.
+ Restricted sites - If there are particular sites you think
might not be safe, you can identify them and define
heightened security settings. Because the security settings
may not be enough to protect you, the best precaution is to
avoid navigating to any sites that make you question whether
or not they're safe.
* JavaScript - Some web sites rely on web scripts such as JavaScript
to achieve a certain appearance or functionality, but these
scripts may be used in attacks (see Browsing Safely: Understanding
Active Content and Cookies for more information).
* Java and ActiveX controls - These programs are used to develop or
execute active content that provides some functionality, but they
may put you at risk (see Browsing Safely: Understanding Active
Content and Cookies for more information).
* Plug-ins - Sometimes browsers require the installation of
additional software known as plug-ins to provide additional
functionality. Like Java and ActiveX controls, plug-ins may be
used in an attack, so before installing them, make sure that they
are necessary and that the site you have to download them from is
trustworthy.
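
The zone guidance above can be checked mechanically. The following Python code is an added example, not part of the original US-CERT tip: it audits a constructed snapshot of Internet Explorer zone settings against that guidance. The zone numbers, level codes and Flags bit follow Microsoft's documented registry encoding for the zones; the snapshot, the site names and the audit() function are assumptions made for illustration.

```python
# Added example: audit Internet Explorer zone settings against this tip's advice.
# Zone numbers, level codes and the Flags bit follow Microsoft's documented
# registry encoding; SNAPSHOT is constructed sample data, not a real export.
ZONES = {1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}
LEVELS = {0x10000: "low", 0x10500: "medium-low", 0x11000: "medium", 0x12000: "high"}
LOW, MEDIUM, HIGH = 0x10000, 0x11000, 0x12000
REQUIRE_HTTPS = 0x4  # Flags bit: "Require server verification (https:)"

SNAPSHOT = {  # constructed: hypothetical per-user zone values and site lists
    1: {"CurrentLevel": 0x10500, "Flags": 0x0, "sites": ["http://wiki.corp.example"]},
    2: {"CurrentLevel": 0x10000, "Flags": 0x0, "sites": ["http://shop.example.com"]},
    3: {"CurrentLevel": 0x10500, "Flags": 0x0, "sites": []},
    4: {"CurrentLevel": 0x12000, "Flags": 0x0, "sites": ["http://ads.example.net"]},
}


def audit(snapshot):
    """Return (zone, finding) pairs where a setting contradicts the tip."""
    findings = []
    for zone_id, cfg in sorted(snapshot.items()):
        zone = ZONES.get(zone_id, f"zone {zone_id}")
        level, sites = cfg["CurrentLevel"], cfg["sites"]
        if level not in LEVELS:
            # A custom level has no name; its individual options need review.
            findings.append((zone, "custom level: review each option by hand"))
        elif zone == "Internet" and level < MEDIUM:
            findings.append((zone, f"level is {LEVELS[level]}; keep at least medium"))
        elif zone == "Restricted sites" and level != HIGH:
            findings.append((zone, f"level is {LEVELS[level]}; use high"))
        if zone == "Trusted sites":
            if not cfg["Flags"] & REQUIRE_HTTPS:
                findings.append((zone, "SSL is not required for sites in this zone"))
            if level == LOW and sites:
                findings.append((zone, f"low security applies to {len(sites)} listed site(s)"))
            findings += [(zone, f"{s} is not an https: site")
                         for s in sites if not s.lower().startswith("https://")]
        if zone == "Local intranet" and sites:
            findings.append((zone, f"{len(sites)} listed site(s) to review"))
    return findings


if __name__ == "__main__":
    for zone, finding in audit(SNAPSHOT):
        print(f"{zone}: {finding}")
```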

You may also find options that allow you to take the following
security measures:
* Manage cookies - You can disable, restrict, or allow cookies as
appropriate. Generally, it is best to disable cookies and then
enable them if you visit a site you trust that requires them (see
Browsing Safely: Understanding Active Content and Cookies for more
information).
* Block pop-up windows - Although turning this feature on could
restrict the functionality of certain web sites, it will also
minimize the number of pop-up ads you receive, some of which may
be malicious (see Recognizing and Avoiding Spyware for more
information).
_________________________________________________________________

Authors: Mindi McDowell, Jason Rafail
_________________________________________________________________

Copyright 2004 Carnegie Mellon University. Terms of use US-CERT

Last updated January 05, 2005

