Cyber Security Tip ST07-001
Shopping Safely Online

Online shopping has become a popular way to purchase items without the
hassles of traffic and crowds. However, the Internet has unique risks,
so it is important to take steps to protect yourself when shopping
online.

Why do online shoppers have to take special precautions?

The Internet offers a convenience that is not available from any other
shopping outlet. From the comfort of your home, you can search for
items from countless vendors, compare prices with a few simple mouse
clicks, and make purchases without waiting in line. However, the
Internet is also convenient for attackers, giving them multiple ways
to access the personal and financial information of unsuspecting
shoppers. Attackers who are able to obtain this information may use it
for their own financial gain, either by making purchases themselves or
by selling the information to someone else.

How do attackers target online shoppers?

There are three common ways that attackers can take advantage of
online shoppers:
* Targeting vulnerable computers - If you do not take steps to
protect your computer from viruses or other malicious code, an
attacker may be able to gain access to your computer and all of
the information on it. It is also important for vendors to protect
their computers to prevent attackers from accessing customer
databases.
* Creating fraudulent sites and email messages - Unlike traditional
shopping, where you know that a store is actually the store it
claims to be, attackers can create malicious web sites that mimic
legitimate ones or create email messages that appear to have been
sent from a legitimate source. Charities may also be
misrepresented in this way, especially after natural disasters or
during holiday seasons. Attackers create these malicious sites and
email messages to try to convince you to supply personal and
financial information.
* Intercepting insecure transactions - If a vendor does not use
encryption, an attacker may be able to intercept your information
as it is being transmitted.

How can you protect yourself?

* Use and maintain anti-virus software, a firewall, and anti-spyware
software - Protect yourself against viruses and Trojan horses that
may steal or modify the data on your own computer and leave you
vulnerable by using anti-virus software and a firewall (see
Understanding Anti-Virus Software and Understanding Firewalls for
more information). Make sure to keep your virus definitions up to
date. Spyware or adware hidden in software programs may also give
attackers access to your data, so use a legitimate anti-spyware
program to scan your computer and remove any of these files (see
Recognizing and Avoiding Spyware for more information).
* Keep software, particularly your web browser, up to date - Install
software patches so that attackers cannot take advantage of known
problems or vulnerabilities (see Understanding Patches for more
information). Many operating systems offer automatic updates. If
this option is available, you should enable it.
* Evaluate your software's settings - The default settings of most
software enable all available functionality. However, attackers
may be able to take advantage of this functionality to access your
computer (see Evaluating Your Web Browser's Security Settings for
more information). It is especially important to check the
settings for software that connects to the Internet (browsers,
email clients, etc.). Apply the highest level of security
available that still gives you the functionality you need.
* Do business with reputable vendors - Before providing any personal
or financial information, make sure that you are interacting with
a reputable, established vendor. Some attackers may try to trick
you by creating malicious web sites that appear to be legitimate,
so you should verify the legitimacy before supplying any
information (see Avoiding Social Engineering and Phishing Attacks
and Understanding Web Site Certificates for more information).
Locate and note phone numbers and physical addresses of vendors in
case there is a problem with your transaction or your bill.
* Take advantage of security features - Passwords and other security
features add layers of protection if used appropriately (see
Choosing and Protecting Passwords and Supplementing Passwords for
more information).
* Be wary of emails requesting information - Attackers may attempt
to gather information by sending emails requesting that you
confirm purchase or account information (see Avoiding Social
Engineering and Phishing Attacks for more information). Legitimate
businesses will not solicit this type of information through
email.
* Check privacy policies - Before providing personal or financial
information, check the web site's privacy policy. Make sure you
understand how your information will be stored and used (see
Protecting Your Privacy for more information).
* Make sure your information is being encrypted - Many sites use
SSL, or secure sockets layer, to encrypt information. Indications
that your information will be encrypted include a URL that begins
with "https:" instead of "http:" and a lock icon in the bottom
right corner of the window.
* Use a credit card - Unlike debit cards, credit cards may have a
limit on the monetary amount you will be responsible for paying if
your information is stolen and used by someone else. You can
further minimize damage by using a single credit card with a low
credit line for all of your online purchases.
* Check your statements - Keep a record of your purchases and copies
of confirmation pages, and compare them to your bank statements.
If there is a discrepancy, report it immediately (see Preventing
and Responding to Identity Theft for more information).
_________________________________________________________________

Authors: Mindi McDowell, Monica Maher
_________________________________________________________________

Produced 2007 by US-CERT, a government organization.

Terms of use

<http://www.us-cert.gov/legal.html>

This document can also be found at

<http://www.us-cert.gov/cas/tips/ST07-001.html>

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.

National Cyber Alert System
Cyber Security Tip ST04-022

Understanding Your Computer: Web Browsers

Web browsers allow you to navigate the internet. There are a variety
of options available, so you can choose the one that best suits your
needs.

How do web browsers work?

A web browser is an application that finds and displays web pages. It
coordinates communication between your computer and the web server
where a particular web site "lives."

When you open your browser and type in a web address (URL) for a web
site, the browser contacts that server, requests the web page you
asked for, and displays the page on your computer. The browser
translates the code (written in a language such as HTML or XML) for
the different elements of the page (text, images, sounds) into the
appropriate format and displays the resulting page.

How many browsers are there?

There are many different browsers. Most users are familiar with
graphical browsers, which display both text and graphics and may also
display multimedia elements such as sound or video clips. However,
there are also text-based browsers. The following are some well-known
browsers:
* Internet Explorer
* Firefox
* AOL
* Opera
* Safari - a browser specifically designed for Macintosh computers
* Lynx - a text-based browser desirable for vision-impaired users
because of the availability of special devices that read the text

How do you choose a browser?

A browser is usually included with the installation of your operating
system, but you are not restricted to that choice. Some of the factors
to consider when deciding which browser best suits your needs include
* compatibility - Does the browser work with your operating system?
* security - Do you feel that your browser offers you the level of
security you want?
* ease of use - Are the menus and options easy to understand and
use?
* functionality - Does the browser interpret web content correctly?
If you need to install other plug-ins or devices to translate
certain types of content, do they work?
* appeal - Do you find the interface and way the browser interprets
web content visually appealing?

Can you have more than one browser installed at the same time?

If you decide to change your browser or add another one, you don't
have to uninstall the browser that's currently on your computer--you
can have more than one browser on your computer at once. However, you
will be prompted to choose one as your default browser. Anytime you
follow a link in an email message or document, or you double-click a
shortcut to a web page on your desktop, the page will open using your
default browser. You can manually open the page in another browser.

Most vendors give you the option to download their browsers directly
from their web sites. Make sure to verify the authenticity of the site
before downloading any files. To further minimize risk, follow other
good security practices, like using a firewall and keeping anti-virus
software up to date (see Understanding Firewalls, Understanding
Anti-Virus Software, and other US-CERT Cyber Security Tips for more
information).
_________________________________________________________________

Author: Mindi McDowell
_________________________________________________________________

Produced 2004 by US-CERT, a government organization.

Note: This tip was previously published and is being re-distributed
to increase awareness.

This document can also be found at

<http://www.us-cert.gov/cas/tips/ST04-022.html>


Cyber Security Tip ST04-021
Understanding Your Computer: Operating Systems

The operating system is the most fundamental program that runs on your
computer. It serves as the basis for how everything else works.

What is an operating system?

An operating system (OS) is the main program on a computer. It
performs a variety of functions, including
* determining what types of software you can install
* coordinating the applications running on the computer at any given
time
* making sure that individual pieces of hardware, such as printers,
keyboards, and disk drives, all communicate properly
* allowing applications such as word processors, email clients, and
web browsers to perform tasks on the system (e.g., drawing windows
on the screen, opening files, communicating on a network) and
utilize other system resources (e.g., printers, disk drives)
* reporting error messages

The OS also determines how you see information and perform tasks. Some
operating systems use a graphical user interface (GUI), which presents
information through pictures (icons, buttons, dialog boxes, etc.) as
well as words. Other operating systems can rely solely on text.

How do you choose an operating system?

In very simplistic terms, when you choose to buy a computer, you are
usually also choosing an operating system. Although you may change it,
vendors typically ship computers with a particular operating system.
There are multiple operating systems, each with different features and
benefits, but the following three are the most common:
* Windows - Windows, with versions including Windows Me, Windows
2000, and Windows XP, is the most common operating system for home
users. It is produced by Microsoft and is typically included on
machines purchased in electronics stores or from vendors such as
Dell or Gateway. The Windows OS uses a GUI, which many users find
more appealing and easier to use than text-based interfaces.
* Mac OS X - Produced by Apple, Mac OS X is the operating system
used on Macintosh computers. With the exception of a different
GUI, it is similar to the Windows interface in the way it
operates.
* Linux and other UNIX-derived operating systems - Linux and other
systems derived from the UNIX operating system are frequently used
for specialized workstations and servers, such as web and email
servers. Because they are often more difficult for general users
to use or require specialized knowledge and skills to operate, they are
not very popular with home users. However, as they continue to
develop and become easier to use, they may become more popular on
typical home user systems.
_________________________________________________________________

Authors: Mindi McDowell, Chad Dougherty
_________________________________________________________________

Produced 2004 by US-CERT, a government organization.

Note: This tip was previously published and is being re-distributed
to increase awareness.

This document can also be found at

<http://www.us-cert.gov/cas/tips/ST04-021.html>


National Cyber Alert System
Cyber Security Tip ST04-020

Protecting Portable Devices: Data Security

In addition to taking precautions to protect your portable devices, it
is important to add another layer of security by protecting the data
itself.

Why do you need another layer of protection?

Although there are ways to physically protect your laptop, PDA, or
other portable device (see Protecting Portable Devices: Physical
Security for more information), there is no guarantee that it won't be
stolen. After all, as the name suggests, portable devices are designed
to be easily transported. The theft itself is, at the very least,
frustrating, inconvenient, and unnerving, but the exposure of
information on the device could have serious consequences. Also,
remember that any devices that are connected to the internet,
especially if it is a wireless connection, are also susceptible to
network attacks (see Securing Wireless Networks for more information).

What can you do?

* Use passwords correctly - In the process of getting to the
information on your portable device, you probably encounter
multiple prompts for passwords. Take advantage of this security.
Don't choose options that allow your computer to remember
passwords, don't choose passwords that thieves could easily guess,
use different passwords for different programs, and take advantage
of additional authentication methods (see Choosing and Protecting
Passwords and Supplementing Passwords for more information).
* Consider storing important data separately - There are many forms
of storage media, including floppy disks, zip disks, CDs, DVDs,
and removable flash drives (also known as USB drives or thumb
drives). By saving your data on removable media and keeping it in
a different location (e.g., in your suitcase instead of your
laptop bag), you can protect your data even if your laptop is
stolen. You should make sure to secure the location where you keep
your data to prevent easy access.
* Encrypt files - By encrypting files, you ensure that unauthorized
people can't view data even if they can physically access it. You
may also want to consider options for full disk encryption, which
prevents a thief from even starting your laptop without a
passphrase. When you use encryption, it is important to remember
your passwords and passphrases; if you forget or lose them, you
may lose your data.
* Install and maintain anti-virus software - Protect laptops and
PDAs from viruses the same way you protect your desktop computer.
Make sure to keep your virus definitions up to date (see
Understanding Anti-Virus Software for more information).
* Install and maintain a firewall - While always important for
restricting traffic coming into and leaving your computer,
firewalls are especially important if you are traveling and
utilizing different networks. Firewalls can help prevent outsiders
from gaining unwanted access (see Understanding Firewalls for more
information).
* Back up your data - Make sure to back up any data you have on your
computer onto a CD-ROM, DVD-ROM, or network (see Good Security
Habits and Real-World Warnings Keep You Safe Online for more
information). Not only will this ensure that you will still have
access to the information if your device is stolen, but it could
help you identify exactly which information a thief may be able to
access. You may be able to take measures to reduce the amount of
damage that exposure could cause.
_________________________________________________________________

Authors: Mindi McDowell, Matt Lytle
_________________________________________________________________

Produced 2007 by US-CERT, a government organization.

Note: This tip was previously published and is being re-distributed
to increase awareness.

This document can also be found at

<http://www.us-cert.gov/cas/tips/ST04-020.html>


National Cyber Alert System
Cyber Security Tip ST04-019

Understanding Encryption

Encrypting data is a good way to protect sensitive information. It
ensures that the data can only be read by the person who is authorized
to have access to it.

What is encryption?

In very basic terms, encryption is a way to send a message in code.
The only person who can decode the message is the person with the
correct key; to anyone else, the message looks like a random series of
letters, numbers, and characters.

Encryption is especially important if you are trying to send sensitive
information that other people should not be able to access. Because
email messages are sent over the internet and might be intercepted by
an attacker, it is important to add an additional layer of security to
sensitive information.

How is it different from digital signatures?

Like digital signatures, public-key encryption utilizes software such
as PGP, converts information with mathematical algorithms, and relies
on public and private keys, but there are differences:
* The purpose of encryption is confidentiality--concealing the
content of the message by translating it into a code. The purpose
of digital signatures is integrity and authenticity--verifying the
sender of a message and indicating that the content has not been
changed. Although encryption and digital signatures can be used
independently, you can also sign an encrypted message.
* When you sign a message, you use your private key, and anybody who
has your public key can verify that the signature is valid (see
Understanding Digital Signatures for more information). When you
encrypt a message, you use the public key for the person you're
sending it to, and his or her private key is used to decrypt the
message. Because people should keep their private keys
confidential and should protect them with passwords, the intended
recipient should be the only one who is able to view the
information.

How does encryption work?

1. Obtain the public key for the person you want to be able to read
the information. If you get the key from a public key ring,
contact the person directly to confirm that the series of letters
and numbers associated with the key is the correct fingerprint.
2. Encrypt the email message using their public key. Most email
clients have a feature to easily perform this task.
3. When the person receives the message, he or she will be able to
decrypt it.
_________________________________________________________________

Author: Mindi McDowell
_________________________________________________________________

Produced 2007 by US-CERT, a government organization.

Note: This tip was previously published and is being re-distributed
to increase awareness.

This document can also be found at

<http://www.us-cert.gov/cas/tips/ST04-019.html>


National Cyber Alert System
Cyber Security Tip ST04-018

Understanding Digital Signatures

Digital signatures are a way to verify that an email message is really
from the person who supposedly sent it and that it hasn't been
changed.

What is a digital signature?

You may have received emails that have a block of letters and numbers
at the bottom of the message. Although it may look like useless text
or some kind of error, this information is actually a digital
signature. To generate a signature, a mathematical algorithm is used
to combine the information in a key with the information in the
message. The result is a random-looking string of letters and numbers.
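
What the block at the bottom of a signed message contains, as an added example (not US-CERT's or GnuPG's code): a Python parser for the clearsigned layout that reads the signature type, algorithms, creation time and signer key ID from OpenPGP version 3 and version 4 signature packets. The sample packet, its key ID and all function names are constructed for illustration, and the code does not check the signature value itself, which requires the signer's public key.

```python
import base64

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"
HASHES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 10: "SHA512"}
PUBKEYS = {1: "RSA", 16: "Elgamal", 17: "DSA"}


def crc24(data):
    """Armor checksum (RFC 4880): detects transmission damage, not forgery."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor_signature(packet):
    """Encode raw packet bytes as the text block that ends a signed message."""
    b64 = base64.b64encode(packet).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    check = "=" + base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN_SIG, "", *rows, check, END_SIG])


def clearsign_layout(text, packet, hash_name):
    """Lay out a clearsigned message; "-" lines get "- " so none can pose as armor."""
    escaped = ["- " + l if l.startswith("-") else l for l in text.split("\n")]
    return "\n".join([BEGIN_MSG, "Hash: " + hash_name, "", *escaped,
                      armor_signature(packet)])


def subpackets(area):
    """Yield (type, data) pairs from a version 4 subpacket area."""
    pos = 0
    while pos < len(area):
        size = area[pos]
        pos += 1
        if size == 255:
            size = int.from_bytes(area[pos:pos + 4], "big")
            pos += 4
        elif size >= 192:
            size = ((size - 192) << 8) + area[pos] + 192
            pos += 1
        yield area[pos] & 0x7F, area[pos + 1:pos + size]
        pos += size


def parse_signature_packet(packet):
    """Pull out what a verifier needs: type, algorithms, time, signer key ID."""
    first = packet[0]
    if first & 0xC0 != 0x80 or (first >> 2) & 0x0F != 2 or first & 3 == 3:
        raise ValueError("expected an old-format signature packet (tag 2)")
    width = 1 << (first & 3)  # 1, 2 or 4 length octets
    body = packet[1 + width:]
    if len(body) != int.from_bytes(packet[1:1 + width], "big"):
        raise ValueError("packet length does not match its header")
    if body[0] == 3:    # version, 5, type, created(4), key ID(8), pubkey, hash
        kind, created, key_id = body[2], body[3:7], body[7:15]
        pubkey, digest = body[15], body[16]
    elif body[0] == 4:  # version, type, pubkey, hash, hashed + unhashed areas
        kind, pubkey, digest = body[1:4]
        hashed = int.from_bytes(body[4:6], "big")
        unhashed = int.from_bytes(body[6 + hashed:8 + hashed], "big")
        areas = body[6:6 + hashed] + body[8 + hashed:8 + hashed + unhashed]
        found = dict(subpackets(areas))
        created, key_id = found.get(2, b""), found.get(16, b"")
    else:
        raise ValueError("unsupported signature version %d" % body[0])
    return {"version": body[0], "type": kind, "created": int.from_bytes(created, "big"),
            "pubkey": PUBKEYS.get(pubkey, pubkey), "hash": HASHES.get(digest, digest),
            "key_id": key_id.hex().upper()}


def parse_clearsigned(message):
    """Split a clearsigned message into headers, signed text and signature."""
    lines = message.splitlines()
    top, sig, end = (lines.index(m) for m in (BEGIN_MSG, BEGIN_SIG, END_SIG))
    gap = lines.index("", top)  # blank line that ends the "Hash:" headers
    headers = dict(l.split(": ", 1) for l in lines[top + 1:gap])
    text = [l[2:] if l.startswith("- ") else l for l in lines[gap + 1:sig]]
    *rows, check = lines[lines.index("", sig) + 1:end]
    packet = base64.b64decode("".join(rows))
    crc_ok = base64.b64decode(check[1:]) == crc24(packet).to_bytes(3, "big")
    # A failed checksum means the block was damaged; do not interpret it.
    fields = parse_signature_packet(packet) if crc_ok else None
    return dict(headers=headers, text="\n".join(text), crc_ok=crc_ok, signature=fields)


def constructed_v3_packet():
    """Constructed sample: v3 text signature, filler where the RSA value goes."""
    body = bytes([3, 5, 0x01]) + (1190000000).to_bytes(4, "big")
    body += bytes.fromhex("0123456789ABCDEF") + bytes([1, 2]) + b"\xAB\xCD"
    body += (64).to_bytes(2, "big") + bytes(range(0x80, 0x88))
    return bytes([0x89]) + len(body).to_bytes(2, "big") + body
```

Editing the message text leaves crc_ok true, because the armor checksum covers only the signature block; only verification against the signer's public key detects a changed message.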

Why would you use one?

Because it is so easy for attackers and viruses to "spoof" email
addresses (see Using Caution with Email Attachments for more
information), it is sometimes difficult to identify legitimate
messages. Authenticity may be especially important for business
correspondence--if you are relying on someone to provide or verify
information, you want to be sure that the information is coming from
the correct source. A signed message also indicates that changes have
not been made to the content since it was sent; any changes would
cause the signature to break.

How does it work?

Before you can understand how a digital signature works, there are
some terms you should know:
* Keys - Keys are used to create digital signatures. For every
signature, there is a public key and a private key.
+ Private key - The private key is the portion of the key you
use to actually sign an email message. The private key is
protected by a password, and you should never give your
private key to anyone.
+ Public key - The public key is the portion of the key that is
available to other people. Whether you upload it to a public
key ring or send it to someone, this is the key other people
can use to check your signature. A list of other people who
have signed your key is also included with your public key.
You will only be able to see their identities if you already
have their public keys on your key ring.
* Key ring - A key ring contains public keys. You have a key ring
that contains the keys of people who have sent you their keys or
whose keys you have gotten from a public key server. A public key
server contains keys of people who have chosen to upload their
keys.
* Fingerprint - When confirming a key, you will actually be
confirming the unique series of letters and numbers that comprise
the fingerprint of the key. The fingerprint is a different series
of letters and numbers than the chunk of information that appears
at the bottom of a signed email message.
* Key certificates - When you select a key on a key ring, you will
usually see the key certificate, which contains information about
the key, such as the key owner, the date the key was created, and
the date the key will expire.
* "Web of trust" - When someone signs your key, they are confirming
that the key actually belongs to you. The more signatures you
collect, the stronger your key becomes. If someone sees that your
key has been signed by other people that he or she trusts, he or
she is more inclined to trust your key. Note: Just because someone
else has trusted a key or you find it on a public key ring does
not mean you should automatically trust it. You should always
verify the fingerprint yourself.

The process for creating, obtaining, and using keys is fairly
straightforward:
1. Generate a key using software such as PGP, which stands for Pretty
Good Privacy, or GnuPG, which stands for GNU Privacy Guard.
2. Increase the authenticity of your key by having your key signed by
co-workers or other associates who also have keys. In the process
of signing your key, they will confirm that the fingerprint on the
key you sent them belongs to you. By doing this, they verify your
identity and indicate trust in your key.
3. Upload your signed key to a public key ring so that if someone
gets a message with your signature, they can verify the digital
signature.
4. Digitally sign your outgoing email messages. Most email clients
have a feature to easily add your digital signature to your
message.
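
The key operations described in this tip and in Understanding Encryption, as an added Python example that is not US-CERT's or any PGP implementation's code: signing with a private key, verifying with the public key, encrypting to a recipient's public key, and comparing fingerprints before trusting a downloaded key. It assumes textbook RSA without padding and constructed keys made from well-known Mersenne primes, which show the mechanics but provide no security; Alice, the impostor key and all function names are illustrative.

```python
import hashlib

E = 65537  # widely used RSA public exponent


def make_keypair(p, q):
    """Return (public, private) for primes p and q: (n, e) and (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


# Constructed keys built from well-known Mersenne primes. They show the
# mechanics only: anyone can factor n, so they protect nothing.
ALICE_PUB, ALICE_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
IMPOSTOR_PUB, IMPOSTOR_PRIV = make_keypair(2**89 - 1, 2**1279 - 1)


def fingerprint(public):
    """Digest of the public key, short enough to read aloud and compare.
    Stand-in for a PGP fingerprint, which is computed over the key packet."""
    n, e = public
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") + e.to_bytes(4, "big")
    digest = hashlib.sha256(raw).hexdigest().upper()[:40]
    return " ".join(digest[i:i + 4] for i in range(0, 40, 4))


def digest_as_int(message, n):
    """Hash the message; the signature is computed over this value."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, private):
    """The signer combines the message digest with the private key."""
    n, d = private
    return pow(digest_as_int(message, n), d, n)


def verify(message, signature, public):
    """Anyone holding the public key can check that text and signature agree."""
    n, e = public
    return pow(signature, e, n) == digest_as_int(message, n)


def encrypt(plaintext, public):
    """The sender uses the recipient's public key."""
    n, e = public
    value = int.from_bytes(plaintext, "big")
    if value >= n:
        raise ValueError("plaintext too long for this key")
    return pow(value, e, n)


def decrypt(ciphertext, private):
    """Only the matching private key recovers the plaintext."""
    n, d = private
    value = pow(ciphertext, d, n)
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def walkthrough():
    """Alice signs a notice; a correspondent checks it and replies encrypted."""
    notice = b"Invoice 1042 is approved for payment."
    signature = sign(notice, ALICE_PRIV)
    forged = sign(notice, IMPOSTOR_PRIV)
    # Fingerprint Alice confirmed directly, e.g. read over the phone.
    confirmed = fingerprint(ALICE_PUB)
    reply = b"Payment scheduled."
    sealed = encrypt(reply, ALICE_PUB)
    return {
        "genuine signature verifies": verify(notice, signature, ALICE_PUB),
        "edited text verifies": verify(notice.replace(b"1042", b"9999"),
                                       signature, ALICE_PUB),
        "forgery verifies under Alice's key": verify(notice, forged, ALICE_PUB),
        # A signature proves only which key signed, so a key server entry
        # labelled "Alice" must still pass the fingerprint comparison.
        "forgery verifies under impostor key": verify(notice, forged, IMPOSTOR_PUB),
        "impostor key matches confirmed fingerprint":
            fingerprint(IMPOSTOR_PUB) == confirmed,
        "Alice reads the reply": decrypt(sealed, ALICE_PRIV) == reply,
        "impostor reads the reply": decrypt(sealed, IMPOSTOR_PRIV) == reply,
    }


if __name__ == "__main__":
    for outcome, value in walkthrough().items():
        print(f"{outcome}: {value}")
```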
_________________________________________________________________

Authors: Mindi McDowell, Allen Householder
_________________________________________________________________

Produced 2007 by US-CERT, a government organization.

Note: This tip was previously published and is being re-distributed
to increase awareness.

This document can also be found at

<http://www.us-cert.gov/cas/tips/ST04-018.html>


National Cyber Alert System
Cyber Security Tip ST04-017

Protecting Portable Devices: Physical Security

Many computer users, especially those who travel for business, rely on
laptops and PDAs because they are small and easily transported. But
while these characteristics make them popular and convenient, they
also make them an ideal target for thieves. Make sure to secure your
portable devices to protect both the machine and the information it
contains.

What is at risk?

Only you can determine what is actually at risk. If a thief steals
your laptop or PDA, the most obvious loss is the machine itself.
However, if the thief is able to access the information on the
computer or PDA, all of the information stored on the device is at
risk, as well as any additional information that could be accessed as
a result of the data stored on the device itself.

Sensitive corporate information or customer account information should
not be accessed by unauthorized people. You've probably heard news
stories about organizations panicking because laptops with
confidential information on them have been lost or stolen. But even if
there isn't any sensitive corporate information on your laptop or PDA,
think of the other information at risk: information about
appointments, passwords, email addresses and other contact
information, personal information for online accounts, etc.

How can you protect your laptop or PDA?

* Password-protect your computer - Make sure that you have to enter
a password to log in to your computer (see Choosing and Protecting
Passwords for more information).
* Keep your laptop or PDA with you at all times - When traveling,
keep your laptop with you. Meal times are optimum times for
thieves to check hotel rooms for unattended laptops. If you are
attending a conference or trade show, be especially wary--these
venues offer thieves a wider selection of devices that are likely
to contain sensitive information, and the conference sessions
offer more opportunities for thieves to access guest rooms.
* Downplay your laptop or PDA - There is no need to advertise to
thieves that you have a laptop or PDA. Avoid using your portable
device in public areas, and consider non-traditional bags for
carrying your laptop.
* Consider an alarm or lock - Many companies sell alarms or locks
that you can use to protect or secure your laptop. If you travel
often or will be in a heavily populated area, you may want to
consider investing in an alarm for your laptop bag or a lock to
secure your laptop to a piece of furniture.
* Back up your files - If your portable device is stolen, it's bad
enough that someone else may be able to access your information.
To avoid losing all of the information, make backups of important
information and store the backups in a separate location (see Good
Security Habits for more information). Not only will you still be
able to access the information, but you'll be able to identify and
report exactly what information is at risk.

What can you do if your laptop or PDA is lost or stolen?

Report the loss or theft to the appropriate authorities. These parties
may include representatives from law enforcement agencies, as well as
hotel or conference staff. If your device contained sensitive
corporate or customer account information, immediately report the loss
or theft to your organization so that they can act quickly.
_________________________________________________________________

Author: Mindi McDowell
_________________________________________________________________

Produced 2007 by US-CERT, a government organization.

Note: This tip was previously published and is being re-distributed
to increase awareness.

Terms of use

<http://www.us-cert.gov/legal.html>

This document can also be found at

<http://www.us-cert.gov/cas/tips/ST04-017.html>

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.

National Cyber Alert System
Cyber Security Tip ST04-016

Recognizing and Avoiding Spyware

Because of its popularity, the internet has become an ideal target for
advertising. As a result, spyware, or adware, has become increasingly
prevalent. When troubleshooting problems with your computer, you may
discover that the source of the problem is spyware software that has
been installed on your machine without your knowledge.

What is spyware?

Despite its name, the term "spyware" doesn't refer to something used
by undercover operatives, but rather by the advertising industry. In
fact, spyware is also known as "adware." It refers to a category of
software that, when installed on your computer, may send you pop-up
ads, redirect your browser to certain web sites, or monitor the web
sites that you visit. Some extreme, invasive versions of spyware may
track exactly what keys you type. Attackers may also use spyware for
malicious purposes.

Because of the extra processing, spyware may cause your computer to
become slow or sluggish. There are also privacy implications:
* What information is being gathered?
* Who is receiving it?
* How is it being used?

How do you know if there is spyware on your computer?

The following symptoms may indicate that spyware is installed on your
computer:
* you are subjected to endless pop-up windows
* you are redirected to web sites other than the one you typed into
your browser
* new, unexpected toolbars appear in your web browser
* new, unexpected icons appear in the task tray at the bottom of
your screen
* your browser's home page suddenly changed
* the search engine your browser opens when you click "search" has
been changed
* certain keys fail to work in your browser (e.g., the tab key
doesn't work when you are moving to the next field within a form)
* random Windows error messages begin to appear
* your computer suddenly seems very slow when opening programs or
processing tasks (saving files, etc.)

How can you prevent spyware from installing on your computer?

To avoid unintentionally installing it yourself, follow these good
security practices:
* Don't click on links within pop-up windows - Because pop-up
windows are often a product of spyware, clicking on the window may
install spyware software on your computer. To close the pop-up
window, click on the "X" icon in the titlebar instead of a "close"
link within the window.
* Choose "no" when asked unexpected questions - Be wary of
unexpected dialog boxes asking whether you want to run a
particular program or perform another type of task. Always select
"no" or "cancel," or close the dialog box by clicking the "X" icon
in the titlebar.
* Be wary of free downloadable software - There are many sites that
offer customized toolbars or other features that appeal to users.
Don't download programs from sites you don't trust, and realize
that you may be exposing your computer to spyware by downloading
some of these programs.
* Don't follow email links claiming to offer anti-spyware software -
Like email viruses, the links may serve the opposite purpose and
actually install the spyware they claim to be eliminating.

As an additional good security practice, especially if you are
concerned that you might have spyware on your machine and want to
minimize the impact, consider taking the following action:
* Adjust your browser preferences to limit pop-up windows and
cookies - Pop-up windows are often generated by some kind of
scripting or active content. Adjusting the settings within your
browser to reduce or prevent scripting or active content may
reduce the number of pop-up windows that appear. Some browsers
offer a specific option to block or limit pop-up windows. Certain
types of cookies are sometimes considered spyware because they
reveal what web pages you have visited. You can adjust your
privacy settings to only allow cookies for the web site you are
visiting (see Browsing Safely: Understanding Active Content and
Cookies and Evaluating Your Web Browser's Security Settings for
more information).

How do you remove spyware?

* Run a full scan on your computer with your anti-virus software -
Some anti-virus software will find and remove spyware, but it may
not find the spyware when it is monitoring your computer in real
time. Set your anti-virus software to prompt you to run a full
scan periodically (see Understanding Anti-Virus Software for more
information).
* Run a legitimate product specifically designed to remove spyware -
Many vendors offer products that will scan your computer for
spyware and remove any spyware software. Popular products include
Lavasoft's Ad-Aware, Webroot's SpySweeper, PestPatrol, and Spybot
Search and Destroy.
* Make sure that your anti-virus and anti-spyware software are
compatible - Take a phased approach to installing the software to
ensure that you don't unintentionally introduce problems (see
Coordinating Virus and Spyware Defense for more information).
_________________________________________________________________

Authors: Mindi McDowell, Matt Lytle
_________________________________________________________________

Produced 2007 by US-CERT, a government organization.

Note: This tip was previously published and is being re-distributed
to increase awareness.

This document can also be found at

<http://www.us-cert.gov/cas/tips/ST04-016.html>


National Cyber Alert System

Cyber Security Tip ST04-015

Understanding Denial-of-Service Attacks

You may have heard of denial-of-service attacks launched against web
sites, but you can also be a victim of these attacks.
Denial-of-service attacks can be difficult to distinguish from common
network activity, but there are some indications that an attack is in
progress.

What is a denial-of-service (DoS) attack?

In a denial-of-service (DoS) attack, an attacker attempts to prevent
legitimate users from accessing information or services. By targeting
your computer and its network connection, or the computers and network
of the sites you are trying to use, an attacker may be able to prevent
you from accessing email, web sites, online accounts (banking, etc.),
or other services that rely on the affected computer.

The most common and obvious type of DoS attack occurs when an attacker
"floods" a network with information. When you type a URL for a
particular web site into your browser, you are sending a request to
that site's computer server to view the page. The server can only
process a certain number of requests at once, so if an attacker
overloads the server with requests, it can't process your request.
This is a "denial of service" because you can't access that site.

An attacker can use spam email messages to launch a similar attack on
your email account. Whether you have an email account supplied by your
employer or one available through a free service such as Yahoo! or
Hotmail, you are assigned a specific quota, which limits the amount of
data you can have in your account at any given time. By sending many,
or large, email messages to the account, an attacker can consume your
quota, preventing you from receiving legitimate messages.

What is a distributed denial-of-service (DDoS) attack?

In a distributed denial-of-service (DDoS) attack, an attacker may use
your computer to attack another computer. By taking advantage of
security vulnerabilities or weaknesses, an attacker could take control
of your computer. He or she could then force your computer to send
huge amounts of data to a web site or send spam to particular email
addresses. The attack is "distributed" because the attacker is using
multiple computers, including yours, to launch the denial-of-service
attack.

How do you avoid being part of the problem?

Unfortunately, there are no effective ways to prevent being the victim
of a DoS or DDoS attack, but there are steps you can take to reduce
the likelihood that an attacker will use your computer to attack other
computers:
* Install and maintain anti-virus software (see Understanding
Anti-Virus Software for more information).
* Install a firewall, and configure it to restrict traffic coming
into and leaving your computer (see Understanding Firewalls for
more information).
* Follow good security practices for distributing your email address
(see Reducing Spam for more information). Applying email filters
may help you manage unwanted traffic.

How do you know if an attack is happening?

Not all disruptions to service are the result of a denial-of-service
attack. There may be technical problems with a particular network, or
system administrators may be performing maintenance. However, the
following symptoms could indicate a DoS or DDoS attack:
* unusually slow network performance (opening files or accessing web
sites)
* unavailability of a particular web site
* inability to access any web site
* dramatic increase in the amount of spam you receive in your
account

What do you do if you think you are experiencing an attack?

Even if you do correctly identify a DoS or DDoS attack, it is unlikely
that you will be able to determine the actual target or source of the
attack. Contact the appropriate technical professionals for
assistance.
* If you notice that you cannot access your own files or reach any
external web sites from your work computer, contact your network
administrators. This may indicate that your computer or your
organization's network is being attacked.
* If you are having a similar experience on your home computer,
consider contacting your Internet service provider (ISP). If there
is a problem, the ISP might be able to advise you of an
appropriate course of action.
_________________________________________________________________

Author: Mindi McDowell
_________________________________________________________________

Produced 2004 by US-CERT, a government organization.

Note: This tip was previously published and is being re-distributed
to increase awareness.

This document can also be found at

<http://www.us-cert.gov/cas/tips/ST04-015.html>


National Cyber Alert System
Cyber Security Tip ST04-014

Avoiding Social Engineering and Phishing Attacks

Do not give sensitive information to anyone unless you are sure that they are indeed who they claim to be and that they should have access to the information.

What is a social engineering attack?

To launch a social engineering attack, an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity. However, by asking questions, he or she may be able to piece together enough information to infiltrate an organization's network. If an attacker is not able to gather enough information from one source, he or she may contact another source within the same organization and rely on the information from the first source to add to his or her credibility.

What is a phishing attack?

Phishing is a form of social engineering. Phishing attacks use email or malicious web sites to solicit personal, often financial, information. Attackers may send email seemingly from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem. When users respond with the requested information, attackers can use it to gain access to the accounts.

How do you avoid being a victim?

* Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
* Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.
* Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
* Don't send sensitive information over the Internet before checking a web site's security policy or looking for evidence that the information is being encrypted (see Protecting Your Privacy and Understanding Web Site Certificates for more information).
* Pay attention to the URL of a web site. Malicious web sites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
* If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a web site connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org/phishing_archive.html).
* Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic (see Understanding Firewalls, Understanding Anti-Virus Software, and Reducing Spam for more information).
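
The URL check described above (a variation in spelling, or a different domain such as .com vs. .net) can be automated. The following is an added example, not part of the original tip; the allow-list, the sample URLs and the two-label shortcut for finding the registered domain are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the sites the reader really does business with.
TRUSTED_DOMAINS = ("example.com",)


def hostname(url):
    """Return the lower-cased host a browser would contact, or ''."""
    if "://" not in url:
        url = "http://" + url  # bare "www.example.com/login" style links
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:  # malformed authority, e.g. an unclosed "["
        return ""
    return host.rstrip(".").lower()


def registrable(host):
    """Assumption: the last two labels are the registered domain.

    Production tooling should consult the Public Suffix List, because
    this shortcut is wrong for suffixes such as "co.uk".
    """
    return ".".join(host.split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_url(url, trusted=TRUSTED_DOMAINS, max_typos=2):
    """Classify a link as (verdict, trusted domain it resembles or None).

    Verdicts: "trusted", "different-domain" (same name, other suffix),
    "spelling-variation", "unknown", "unparseable".
    """
    host = hostname(url)
    if not host:
        return ("unparseable", None)
    domain = registrable(host)
    if domain in trusted:
        return ("trusted", domain)
    name, _, suffix = domain.rpartition(".")
    for good in trusted:
        good_name, _, good_suffix = good.rpartition(".")
        if name == good_name and suffix != good_suffix:
            return ("different-domain", good)
        # A fixed threshold is crude: very short names need a lower one.
        if 0 < edit_distance(name, good_name) <= max_typos:
            return ("spelling-variation", good)
    return ("unknown", None)


if __name__ == "__main__":
    for link in ("https://www.example.com/login",   # constructed samples
                 "http://www.example.net/login",
                 "http://examp1e.com/login",
                 "https://www.iana.org/"):
        print(link, check_url(link))
```

An "unknown" verdict only means the host does not resemble anything on the allow-list; it says nothing about whether the site is safe.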

What do you do if you think you are a victim?

* If you believe you might have revealed sensitive information about your organization, report it to the appropriate people within the organization, including network administrators. They can be alert for any suspicious or unusual activity.
* If you believe your financial accounts may be compromised, contact your financial institution immediately and close any accounts that may have been compromised. Watch for any unexplainable charges to your account (see Preventing and Responding to Identity Theft for more information).
* Consider reporting the attack to the police, and file a report with the Federal Trade Commission (http://www.ftc.gov/).
_________________________________________________________________

Author: Mindi McDowell
_________________________________________________________________

Produced 2007 by US-CERT, a government organization.

Note: This tip was previously published and is being re-distributed to increase awareness.

This document can also be found at

<http://www.us-cert.gov/cas/tips/ST04-014.html>


National Cyber Alert System
Cyber Security Tip ST04-013

Protecting Your Privacy

Before submitting your email address or other personal information
online, you need to be sure that the privacy of that information will
be protected. To protect your identity and prevent an attacker from
easily accessing additional information about you, avoid providing
certain personal information such as your birth date and social
security number online.

How do you know if your privacy is being protected?

* Privacy policy - Before submitting your name, email address, or
other personal information on a web site, look for the site's
privacy policy. This policy should state how the information will
be used and whether or not the information will be distributed to
other organizations. Companies sometimes share information with
partner vendors who offer related products or may offer options to
subscribe to particular mailing lists. Look for indications that
you are being added to mailing lists by default--failing to
deselect those options may lead to unwanted spam. If you cannot
find a privacy policy on a web site, consider contacting the
company to inquire about the policy before you submit personal
information, or find an alternate site. Privacy policies sometimes
change, so you may want to review them periodically.
* Evidence that your information is being encrypted - To prevent
attackers from hijacking your information, any personal
information submitted online should be encrypted so that it can
only be read by the appropriate recipient. Many sites use SSL, or
secure sockets layer, to encrypt information. Indications that
your information will be encrypted include a URL that begins with
"https:" instead of "http:" and a lock icon in the bottom right
corner of the window (see Understanding Web Site Certificates for
more information). Some sites also indicate whether the data is
encrypted when it is stored. If data is encrypted in transit but
stored insecurely, an attacker who is able to break into the
vendor's system could access your personal information.

What additional steps can you take to protect your privacy?

* Do business with credible companies - Before supplying any
information online, consider the answers to the following
questions: do you trust the business? is it an established
organization with a credible reputation? does the information on
the site suggest that there is a concern for the privacy of user
information? is there legitimate contact information provided?
* Do not use your primary email address in online submissions -
Submitting your email address could result in spam. If you do not
want your primary email account flooded with unwanted messages,
consider opening an additional email account for use online (see
Reducing Spam for more information). Make sure to log in to the
account on a regular basis in case the vendor sends information
about changes to policies.
* Avoid submitting credit card information online - Some companies
offer a phone number you can use to provide your credit card
information. Although this does not guarantee that the information
will not be compromised, it eliminates the possibility that
attackers will be able to hijack it during the submission process.
* Devote one credit card to online purchases - To minimize the
potential damage of an attacker gaining access to your credit card
information, consider opening a credit card account for use only
online. Keep a minimum credit line on the account to limit the
amount of charges an attacker can accumulate.
* Avoid using debit cards for online purchases - Credit cards
usually offer some protection against identity theft and may limit
the monetary amount you will be responsible for paying. Debit
cards, however, do not offer that protection. Because the charges
are immediately deducted from your account, an attacker who
obtains your account information may empty your bank account
before you even realize it.
_________________________________________________________________

Author: Mindi McDowell
_________________________________________________________________

Produced 2007 by US-CERT, a government organization.

Note: This tip was previously published and is being re-distributed
to increase awareness.

This document can also be found at

<http://www.us-cert.gov/cas/tips/ST04-013.html>


Cyber Security Tip ST04-012

Browsing Safely: Understanding Active Content and Cookies

Many people browse the Internet without much thought to what is
happening behind the scenes. Active content and cookies are common
elements that may pose hidden risks when viewed in a browser or email
client.

What is active content?

To increase functionality or add design embellishments, web sites
often rely on scripts that execute programs within the web browser.
This active content can be used to create "splash pages" or options
like drop-down menus. Unfortunately, these scripts are often a way for
attackers to download or execute malicious code on a user's computer.
* JavaScript - JavaScript is just one of many web scripts (other
examples are VBScript, ECMAScript, and JScript) and is probably
the most recognized. Used on almost every web site now, JavaScript
and other scripts are popular because users expect the
functionality and "look" that they provide, and they are easy to
incorporate (many common software programs for building web sites
have the capability to add JavaScript features with little effort
or knowledge required of the user). However, for these same
reasons, attackers can manipulate them for their own purposes. A
popular type of attack that relies on JavaScript involves
redirecting users from a legitimate web site to a malicious one
that may download viruses or collect personal information.
* Java and ActiveX controls - Different from JavaScript, Java and
ActiveX controls are actual programs that reside on your computer
or can be downloaded over the network into your browser. If
executed by attackers, untrustworthy ActiveX controls may be able
to do anything on your computer that you can do (such as running
spyware and collecting personal information, connecting to other
computers, and potentially doing other damage). Java applets
usually run in a more restricted environment, but if that
environment isn't secure, then malicious Java applets may create
opportunities for attack as well.

JavaScript and other forms of active content are not always dangerous,
but they are common tools for attackers. You can prevent active
content from running in most browsers, but realize that the added
security may limit functionality and break features of some sites you
visit. Before clicking on a link to a web site that you are not
familiar with or do not trust, take the precaution of disabling active
content.

These same risks may also apply to the email program you use. Many
email clients use the same programs as web browsers to display HTML,
so vulnerabilities that affect active content like JavaScript and
ActiveX often apply to email. Viewing messages as plain text may
resolve this problem.
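
What "viewing messages as plain text" amounts to can be shown in code. The following is an added example, not part of the original tip: it keeps only the readable text of an HTML message and lists the active content (scripts, ActiveX objects, Java applets, script handlers) that a plain-text view never runs. The sample message and all names are constructed for illustration.

```python
from html.parser import HTMLParser

# Elements the tip names as active content, and how each is reported.
ACTIVE_TAGS = {
    "script": "script element",
    "object": "object element (ActiveX control or plug-in)",
    "applet": "Java applet",
    "embed": "embedded plug-in content",
}
SCRIPT_SCHEMES = ("javascript:", "vbscript:")
BLOCK_TAGS = {"p", "br", "div", "li", "tr", "h1", "h2", "h3"}

# Constructed sample message body.
SAMPLE_HTML = """\
<html><body onload="init()">
<p>Your statement is ready.</p>
<script type="text/javascript">var shown = true;</script>
<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>
<applet code="Viewer.class"></applet>
<a href="javascript:void(0)" onclick="openStatement()">View statement</a>
</body></html>
"""


class PlainTextView(HTMLParser):
    """Collect visible text and record every piece of active content."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.chunks = []    # text a plain-text view would show
        self.findings = []  # active content that was dropped
        self.hidden = 0     # depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(ACTIVE_TAGS[tag])
        if tag in ("script", "style"):
            self.hidden += 1
        for name, value in attrs:
            value = (value or "").strip().lower()
            if name.startswith("on"):  # onclick, onload, ...
                self.findings.append(f"{name} handler on <{tag}>")
            elif value.startswith(SCRIPT_SCHEMES):
                self.findings.append(f"script URL in {name} of <{tag}>")
        if tag in BLOCK_TAGS:
            self.chunks.append("\n")

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.hidden:
            self.hidden -= 1
        if tag in BLOCK_TAGS:
            self.chunks.append("\n")

    def handle_data(self, data):
        if not self.hidden:  # never show script or style source as text
            self.chunks.append(data)


def view_as_plain_text(html):
    """Return (plain text, list of active-content findings)."""
    parser = PlainTextView()
    parser.feed(html)
    parser.close()
    lines = (" ".join(line.split()) for line in "".join(parser.chunks).splitlines())
    return "\n".join(line for line in lines if line), parser.findings


if __name__ == "__main__":
    text, findings = view_as_plain_text(SAMPLE_HTML)
    print(text)
    for item in findings:
        print("dropped:", item)
```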

What are cookies?

When you browse the Internet, information about your computer may be
collected and stored. This information might be general information
about your computer (such as IP address, the domain you used to
connect (e.g., .edu, .com, .net), and the type of browser you used).
It might also be more specific information about your browsing habits
(such as the last time you visited a particular web site or your
personal preferences for viewing that site).

Cookies can be saved for varying lengths of time:
* Session cookies - Session cookies store information only as long
as you're using the browser; once you close the browser, the
information is erased. The primary purpose of session cookies is
to help with navigation, such as by indicating whether or not
you've already visited a particular page and retaining information
about your preferences once you've visited a page.
* Persistent cookies - Persistent cookies are stored on your
computer so that your personal preferences can be retained. In
most browsers, you can adjust the length of time that persistent
cookies are stored. It is because of these cookies that your email
address appears by default when you open your Yahoo! or Hotmail
email account, or your personalized home page appears when you
visit your favorite online merchant. If an attacker gains access
to your computer, he or she may be able to gather personal
information about you through these files.

To increase your level of security, consider adjusting your privacy
and security settings to block or limit cookies in your web browser
(see Evaluating Your Web Browser's Security Settings for more
information). To make sure that other sites are not collecting
personal information about you without your knowledge, choose to only
allow cookies for the web site you are visiting; block or limit
cookies from a third party. If you are using a public computer, you
should make sure that cookies are disabled to prevent other people
from accessing or using your personal information.
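
The distinctions drawn above (session vs. persistent cookies, and cookies from the site you are visiting vs. a third party) are visible in the Set-Cookie headers a browser receives. The following is an added example, not part of the original tip: it classifies a few constructed headers and applies the two settings the tip recommends. Host names, cookie values, the fixed clock and the two-label shortcut for "same site" are assumptions.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

NOW = datetime(2007, 1, 1, tzinfo=timezone.utc)  # fixed clock for the sample

# Constructed capture: (host of the page being visited,
#                       host that sent the response, Set-Cookie value)
SAMPLE = [
    ("www.shop.example", "www.shop.example",
     "session_id=abc123; Path=/; HttpOnly"),
    ("www.shop.example", "www.shop.example",
     "prefs=lang-en; Domain=.shop.example; Expires=Tue, 01 Jan 2008 00:00:00 GMT"),
    ("www.shop.example", "ads.tracker.example",
     "uid=9f3c; Max-Age=63072000; Path=/"),
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def site(host):
    """Assumption: the last two labels identify the site."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def seconds_to_live(attrs, now):
    """None for a session cookie, else seconds until expiry."""
    try:
        return int(attrs["max-age"])  # Max-Age takes precedence over Expires
    except (KeyError, ValueError):
        pass
    if "expires" not in attrs:
        return None
    try:
        when = parsedate_to_datetime(attrs["expires"])
    except (TypeError, ValueError):
        return None  # unparseable date: treat as a session cookie
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return int((when - now).total_seconds())


def classify(page_host, response_host, header, now=NOW, policy="first-party-only"):
    """Describe one cookie and say whether the chosen policy accepts it.

    policy "first-party-only": accept only cookies for the site being visited.
    policy "disabled": accept nothing (the public-computer setting).
    """
    name, _value, attrs = parse_set_cookie(header)
    cookie_site = site(attrs.get("domain") or response_host)
    party = "first-party" if cookie_site == site(page_host) else "third-party"
    ttl = seconds_to_live(attrs, now)
    if ttl is None:
        lifetime, days = "session", None
    elif ttl <= 0:
        lifetime, days = "expired", 0
    else:
        lifetime, days = "persistent", ttl // 86400
    allowed = policy == "first-party-only" and party == "first-party"
    return {"name": name, "party": party, "lifetime": lifetime,
            "days": days, "allowed": allowed}


def report(policy="first-party-only"):
    """Classify every cookie in the constructed capture."""
    return [classify(page, sender, header, policy=policy)
            for page, sender, header in SAMPLE]


if __name__ == "__main__":
    for row in report():
        print(row)
```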
_________________________________________________________________

Author: Mindi McDowell
_________________________________________________________________

Produced 2004 by US-CERT, a government organization.

Note: This tip was previously published and is being re-distributed
to increase awareness.

This document can also be found at

<http://www.us-cert.gov/cas/tips/ST04-012.html>


National Cyber Alert System

Cyber Security Tip ST04-011

Using Instant Messaging and Chat Rooms Safely

Although they offer a convenient way to communicate with other people,
there are dangers associated with tools that allow real-time
communication.

What are the differences between some of the tools used for real-time
communication?

* Instant messaging (IM) - Commonly used for recreation, instant
messaging is also becoming more widely used within corporations
for communication between employees. IM, regardless of the
specific software you choose, provides an interface for
individuals to communicate one-on-one.
* Chat rooms - Whether public or private, chat rooms are forums for
particular groups of people to interact. Many chat rooms are based
upon a shared characteristic; for example, there are chat rooms
for people of particular age groups or interests. Although most IM
clients support "chats" among multiple users, IM is traditionally
one-to-one while chats are traditionally many-to-many.
* Bots - A "chat robot," or "bot," is software that can interact
with users through chat mechanisms, whether in IM or chat rooms.
In some cases, users may be able to obtain current weather
reports, stock status, or movie listings. In these instances,
users are often aware that they are not interacting with an actual
human. However, some users may be fooled by more sophisticated
bots into thinking the responses they are receiving are from
another person.

There are many software packages that incorporate one or more of these
capabilities. A number of different technologies might be supported,
including IM, Internet Relay Chat (IRC), or Jabber.

What are the dangers?

* Identities can be elusive or ambiguous - Not only is it sometimes
difficult to identify whether the "person" you are talking to is
human, but human nature and behavior aren't predictable. People may
lie about their identity, accounts may be compromised, users may
forget to log out, or an account may be shared by multiple people.
All of these things make it difficult to know who you're really
talking to during a conversation.
* Users are especially susceptible to certain types of attack -
Trying to convince someone to run a program or click on a link is
a common attack method, but it can be especially effective through
IM and chat rooms. In a setting where a user feels comfortable
with the "person" he or she is talking to, a malicious piece of
software or an attacker has a better chance of convincing someone
to fall into the trap (see Avoiding Social Engineering and
Phishing Attacks for more information).
* You don't know who else might be seeing the conversation - Online
interactions are easily saved, and if you're using a free
commercial service the exchanges may be archived on a server. You
have no control over what happens to those logs. You also don't
know if there's someone looking over the shoulder of the person
you're talking to, or if an attacker might be "sniffing" your
conversation.
* The software you're using may contain vulnerabilities - Like any
other software, chat software may have vulnerabilities that
attackers can exploit.
* Default security settings may be inappropriate - The default
security settings in chat software tend to be relatively
permissive to make it more open and "usable," and this can make
you more susceptible to attacks.

How can you use these tools safely?

* Evaluate your security settings - Check the default settings in
your software and adjust them if they are too permissive. Make
sure to disable automatic downloads. Some chat software offers the
ability to limit interactions to only certain users, and you may
want to take advantage of these restrictions.
* Be conscious of what information you reveal - Be wary of revealing
personal information unless you know who you are really talking
to. You should also be careful about discussing anything you or
your employer might consider sensitive business information over
public IM or chat services (even if you are talking to someone you
know in a one-to-one conversation).
* Try to verify the identity of the person you are talking to, if it
matters - In some forums and situations, the identity of the
"person" you are talking to may not matter. However, if you need
to have a degree of trust in that person, either because you are
sharing certain types of information or being asked to take some
action like following a link or running a program, make sure the
"person" you are talking to is actually that person.
* Don't believe everything you read - The information or advice you
receive in a chat room or by IM may be false or, worse, malicious.
Try to verify the information or instructions from outside sources
before taking any action.
* Keep software up to date - This includes the chat software, your
browser, your operating system, your mail client, and, especially,
your anti-virus software (see Understanding Patches and
Understanding Anti-Virus Software for more information).
_________________________________________________________________

Authors: Mindi McDowell, Allen Householder
_________________________________________________________________

Produced 2004 by US-CERT, a government organization.

Note: This tip was previously published and is being re-distributed
to increase awareness.

Terms of use

<http://www.us-cert.gov/legal.html>

This document can also be found at

<http://www.us-cert.gov/cas/tips/ST04-011.html>

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System
Cyber Security Tip ST04-010

Using Caution with Email Attachments

While email attachments are a popular and convenient way to send
documents, they are also a common source of viruses. Use caution when
opening attachments, even if they appear to have been sent by someone
you know.

Why can email attachments be dangerous?

Some of the characteristics that make email attachments convenient and
popular are also the ones that make them a common tool for attackers:
* Email is easily circulated - Forwarding email is so simple that
viruses can quickly infect many machines. Most viruses don't even
require users to forward the email--they scan a user's computer
for email addresses and automatically send the infected message to
all of the addresses they find. Attackers take advantage of the
reality that most users will automatically trust and open any
message that comes from someone they know.
* Email programs try to address all users' needs - Almost any type
of file can be attached to an email message, so attackers have
more freedom with the types of viruses they can send.
* Email programs offer many "user-friendly" features - Some email
programs have the option to automatically download email
attachments, which immediately exposes your computer to any
viruses within the attachments.

What steps can you take to protect yourself and others in your address book?

* Be wary of unsolicited attachments, even from people you know -
Just because an email message looks like it came from your mom,
grandma, or boss doesn't mean that it did. Many viruses can
"spoof" the return address, making it look like the message came
from someone else. If you can, check with the person who
supposedly sent the message to make sure it's legitimate before
opening any attachments. This includes email messages that appear
to be from your ISP or software vendor and claim to include
patches or anti-virus software. ISPs and software vendors do not
send patches or software in email.
* Save and scan any attachments before opening them - If you have to
open an attachment before you can verify the source, take the
following steps:
1. Be sure the signatures in your anti-virus software are up to
date (see Understanding Anti-Virus Software for more
information)
2. Save the file to your computer or a disk
3. Manually scan the file using your anti-virus software
4. Open the file
* Turn off the option to automatically download attachments - To
simplify the process of reading email, many email programs offer
the feature to automatically download attachments. Check your
settings to see if your software offers the option, and make sure
to disable it.
* Consider additional security practices - You may be able to filter
certain types of attachments through your email software (see
Reducing Spam) or a firewall (see Understanding Firewalls).
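
The attachment filtering mentioned in the last item can be sketched in Python. This is an added example, not part of the US-CERT tip; the extension list, the sample message, and the function name are assumptions made for illustration.

```python
import os
from email import message_from_string, policy

# Assumption: a short illustrative list of Windows file types that run code.
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".cmd", ".com", ".vbs", ".js"}

# Constructed sample message (addresses and file names are made up).
SAMPLE_MESSAGE = """\
From: "ISP Support" <support@isp.example>
To: user@home.example
Subject: Important security patch
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Please install the attached patch.
--XX
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="patch.txt.exe"
Content-Transfer-Encoding: base64

TVo=
--XX
Content-Type: image/jpeg
Content-Disposition: attachment; filename="photo.jpg"
Content-Transfer-Encoding: base64

TVo=
--XX
Content-Type: text/plain
Content-Disposition: attachment; filename="notes.txt"

Agenda for Friday.
--XX--
"""


def triage_attachments(raw_message):
    """Return [(filename, [reasons])] for every named part of the message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # message body or multipart container, not a file
        stem, ext = os.path.splitext(name.lower())
        content = part.get_payload(decode=True) or b""
        reasons = []
        if ext in RISKY_EXTENSIONS:
            reasons.append("file type can run code")
            if os.path.splitext(stem)[1]:
                # e.g. "patch.txt.exe" shows as "patch.txt" when extensions are hidden
                reasons.append("double extension hides the real type")
        elif content.startswith(b"MZ"):
            # "MZ" is the first two bytes of a Windows executable file.
            reasons.append("executable content under a harmless-looking name")
        findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for filename, reasons in triage_attachments(SAMPLE_MESSAGE):
        print(filename, "->", "; ".join(reasons) or "no flags (still scan before opening)")
```

An attachment with no flags is not thereby safe; the save-and-scan steps above still apply.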
_________________________________________________________________

Both the National Cyber Security Alliance and US-CERT have identified
this topic as one of the top tips for home users.
_________________________________________________________________

Authors: Mindi McDowell, Allen Householder
_________________________________________________________________

Produced 2004 by US-CERT, a government organization.

Note: This tip was previously published and is being re-distributed
to increase awareness.

This document can also be found at

<http://www.us-cert.gov/cas/tips/ST04-010.html>



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System
Cyber Security Tip ST04-009

Identifying Hoaxes and Urban Legends

Chain letters are familiar to anyone with an email account, whether
they are sent by strangers or well-intentioned friends or family
members. Try to verify the information before following any
instructions or passing the message along.

Why are chain letters a problem?

The most serious problem is from chain letters that mask viruses or
other malicious activity. But even the ones that seem harmless may
have negative repercussions if you forward them:
* they consume bandwidth or space within the recipient's inbox
* you force people you know to waste time sifting through the
messages and possibly taking time to verify the information
* you are spreading hype and, often, unnecessary fear and paranoia

What are some types of chain letters?

There are two main types of chain letters:
* Hoaxes - Hoaxes attempt to trick or defraud users. A hoax could be
malicious, instructing users to delete a file necessary to the
operating system by claiming it is a virus. It could also be a
scam that convinces users to send money or personal information.
Phishing attacks could fall into this category (see Avoiding
Social Engineering and Phishing Attacks for more information).
* Urban legends - Urban legends are designed to be redistributed and
usually warn users of a threat or claim to be notifying them of
important or urgent information. Another common form is the
email that promises users monetary rewards for forwarding the
message or suggests that they are signing something that will be
submitted to a particular group. Urban legends usually have no
negative effect aside from wasted bandwidth and time.

How can you tell if the email is a hoax or urban legend?

Some messages are more suspicious than others, but be especially
cautious if the message has any of the characteristics listed below.
These characteristics are just guidelines--not every hoax or urban
legend has these attributes, and some legitimate messages may have
some of these characteristics:
* it suggests tragic consequences for not performing some action
* it promises money or gift certificates for performing some action
* it offers instructions or attachments claiming to protect you from
a virus that is undetected by anti-virus software
* it claims it's not a hoax
* there are multiple spelling or grammatical errors, or the logic is
contradictory
* there is a statement urging you to forward the message
* it has already been forwarded multiple times (evident from the
trail of email headers in the body of the message)

If you want to check the validity of an email, there are some web
sites that provide information about hoaxes and urban legends:
* Urban Legends and Folklore - http://urbanlegends.about.com/
* Urban Legends Reference Pages - http://www.snopes.com/
* Hoaxbusters - http://hoaxbusters.ciac.org/
* TruthOrFiction.com - http://www.truthorfiction.com/
* Symantec Security Response Hoaxes -
http://www.symantec.com/avcenter/hoax.html
* McAfee Security Virus Hoaxes - http://vil.mcafee.com/hoax.asp
_________________________________________________________________

Authors: Mindi McDowell, Allen Householder
_________________________________________________________________

Produced 2007 by US-CERT, a government organization.

Note: This tip was previously published and is being re-distributed
to increase awareness.

This document can also be found at

<http://www.us-cert.gov/cas/tips/ST04-009.html>



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System
Cyber Security Tip ST04-008

Benefits of BCC

Although in many situations it may be appropriate to list email
recipients in the To: or CC: fields, sometimes using the BCC: field
may be the most desirable option.

What is BCC?

BCC, which stands for blind carbon copy, allows you to hide recipients
in email messages. Unlike addresses in the To: field or the CC:
(carbon copy) field, addresses in the BCC: field cannot be seen by
other users.

Why would you want to use BCC?

There are a few main reasons for using BCC:
* Privacy - Sometimes it's beneficial, even necessary, for you to
let recipients know who else is receiving your email message.
However, there may be instances when you want to send the same
message to multiple recipients without letting them know who else
is receiving the message. If you are sending email on behalf of a
business or organization, it may be especially important to keep
lists of clients, members, or associates confidential. You may
also want to avoid listing an internal email address on a message
being sent to external recipients.
Another point to remember is that if you use the To: or CC: fields
to list all of your recipients, these same recipients will also
receive any replies to your message unless the sender removes
them. If there is potential for a response that is not appropriate
for all recipients, consider using BCC.
* Tracking - Maybe you want to access or archive the email message
you are sending at another email account. Or maybe you want to
make someone, such as a supervisor or team member, aware of the
email without actually involving them in the exchange. BCC allows
you to accomplish these goals without advertising that you are
doing it.
* Respect for your recipients - Forwarded email messages frequently
contain long lists of email addresses that were CC'd by previous
senders. These addresses are highly likely to be active and valid,
so they are very valuable to spammers. Furthermore, many
email-borne viruses harvest email addresses contained in messages
you've already received (not just the To: and From: fields, but
from the body, too), so those long lists in forwarded messages
pose a risk to all the accounts they point to if you get infected.
Many people frequently forward messages to their entire address
books using CC. Encourage people who forward messages to you to
use BCC so that your email address is less likely to appear in
other people's inboxes and be susceptible to being harvested. To
avoid becoming part of the problem, in addition to using BCC if
you forward messages, take time to remove all existing email
addresses within the message. The additional benefit is that the
people you're sending the message to will appreciate not having to
scroll through large sections of irrelevant information to get to
the actual message.

How do you BCC an email message?

Most email clients have the option to BCC listed a few lines below the
To: field. However, sometimes it is a separate option that is not
listed by default. If you cannot locate it, check the help menu or the
software's documentation.

If you want to BCC all recipients and your email client will not send
a message without something in the To: field, consider using your own
email address in that field. In addition to hiding the identity of
other recipients, this option will enable you to confirm that the
message was sent successfully.
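
Why BCC recipients stay hidden, as an added Python example that is not part of the US-CERT tip and goes one step beyond it: mail software delivers to the BCC addresses but leaves the Bcc: line out of the copy it transmits. The addresses, the sample forwarded text, and the function names are constructed for illustration; the block also shows the removal of old addresses from a forwarded body.

```python
import copy
import re
from email.message import EmailMessage
from email.utils import getaddresses

ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample: body of a forwarded message that still lists earlier recipients.
FORWARDED_BODY = (
    "---- Forwarded message ----\n"
    "From: Pat <pat@friends.example>\n"
    "Cc: lee@club.example, sam@work.example\n"
    "\n"
    "Meeting moved to Friday.\n"
)


def scrub_addresses(text):
    """Replace every email address in a forwarded body with a placeholder."""
    return ADDRESS_RE.sub("[address removed]", text)


def build_message(sender, bcc, body):
    """Compose a message that puts the sender in To: and everyone else in Bcc:."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # own address in To:, as suggested above
    msg["Bcc"] = ", ".join(bcc)
    msg["Subject"] = "Fwd: meeting"
    msg.set_content(scrub_addresses(body))
    return msg


def prepare_for_sending(msg):
    """Return (delivery list, text each recipient receives).

    The delivery list is built from To:, Cc: and Bcc:, but the Bcc: header is
    dropped from the transmitted copy. Python's smtplib.send_message() handles
    Bcc the same way.
    """
    fields = [str(v) for name in ("To", "Cc", "Bcc") for v in msg.get_all(name, [])]
    delivery_list = sorted({addr for _, addr in getaddresses(fields) if addr})
    wire_copy = copy.copy(msg)
    del wire_copy["Bcc"]
    return delivery_list, wire_copy.as_string()


if __name__ == "__main__":
    message = build_message(
        "me@home.example", ["a@one.example", "b@two.example"], FORWARDED_BODY
    )
    recipients, wire_text = prepare_for_sending(message)
    print("Delivered to:", recipients)
    print(wire_text)
```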
_________________________________________________________________

Authors: Mindi McDowell, Allen Householder
_________________________________________________________________

Produced 2007 by US-CERT, a government organization.

Note: This tip was previously published and is being re-distributed
to increase awareness.

This document can also be found at

<http://www.us-cert.gov/cas/tips/ST04-008.html>



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System
Cyber Security Tip ST04-007

Reducing Spam

Spam is a common, and often frustrating, side effect of having an
email account. Although you will probably not be able to eliminate it,
there are ways to reduce it.

What is spam?

Spam is the electronic version of "junk mail." The term spam refers to
unsolicited, often unwanted, email messages. Spam does not necessarily
contain viruses--valid messages from legitimate sources could fall
into this category.

How can you reduce the amount of spam?

There are some steps you can take to significantly reduce the amount
of spam you receive:
* Don't give your email address out arbitrarily - Email addresses
have become so common that a space for them is often included on
any form that asks for your address--even comment cards at
restaurants. It seems harmless, so many people write them in the
space provided without realizing what could happen to that
information. For example, companies often enter the addresses into
a database so that they can keep track of their customers and the
customers' preferences. Sometimes these lists are sold to or
shared with other companies, and suddenly you are receiving email
that you didn't request.
* Check privacy policies - Before submitting your email address
online, look for a privacy policy. Most reputable sites will have
a link to their privacy policy from any form where you're asked to
submit personal data. You should read this policy before
submitting your email address or any other personal information so
that you know what the owners of the site plan to do with the
information.
* Be aware of options selected by default - When you sign up for
some online accounts or services, there may be a section that
provides you with the option to receive email about other products
and services. Sometimes there are options selected by default, so
if you do not deselect them, you could begin to receive email from
those lists as well.
* Use filters - Many email programs offer filtering capabilities
that allow you to block certain addresses or to only allow email
from addresses on your contact list. Some ISPs offer spam
"tagging" or filtering services, but legitimate messages
misclassified as spam might be dropped before reaching your inbox.
However, many ISPs that offer filtering services also provide
options for tagging suspected spam messages so the end user can
more easily identify them. This can be useful in conjunction with
filtering capabilities provided by many email programs.
* Don't follow links in spam messages - Some spam relies on
generators that try variations of email addresses at certain
domains. If you click a link within an email message or reply to a
certain address, you are just confirming that your email address
is valid. Unwanted messages that offer an "unsubscribe" option are
particularly tempting, but this is often just a method for
collecting valid addresses that are then sent other spam.
* Disable the automatic downloading of graphics in HTML mail - Many
spammers send HTML mail with a linked graphic file that is then
used to track who opens the mail message--when your mail client
downloads the graphic from their web server, they know you've
opened the message. Disabling HTML mail entirely and viewing
messages in plain text also prevents this problem.
* Consider opening an additional email account - Many domains offer
free email accounts. If you frequently submit your email address
(for online shopping, signing up for services, or including it on
something like a comment card), you may want to have a secondary
email account to protect your primary email account from any spam
that could be generated. You should also use a secondary account
when posting to online bulletin boards, chat rooms, public mailing
lists, or USENET so that you can get rid of it when it starts filling
up with spam.
* Don't spam other people - Be a responsible and considerate user.
Some people consider email forwards a type of spam, so be
selective with the messages you redistribute. Don't forward every
message to everyone in your address book, and if someone asks that
you not forward messages to them, respect their request.
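
What disabling automatic graphic downloads amounts to, as an added Python example that is not part of the US-CERT tip: the code finds images in an HTML message that would be fetched from a web server and returns a copy of the HTML with them replaced by a placeholder. The sample HTML, host names, and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a 1x1 image whose URL carries a per-recipient value, an
# ordinary remote logo, and an image embedded in the message itself (cid:).
SAMPLE_HTML = (
    "<html><body><p>Big savings &amp; more!</p>"
    '<img src="http://mailer.example/open.gif?id=user%40home.example" width="1" height="1">'
    '<img src="https://shop.example/logo.png" alt="logo">'
    '<img src="cid:part1.banner" alt="banner">'
    "</body></html>"
)


def is_remote(src):
    """True when displaying the image would contact a server outside the message."""
    src = (src or "").strip()
    return src.startswith("//") or urlsplit(src).scheme.lower() in ("http", "https")


class RemoteImageBlocker(HTMLParser):
    """Re-emits the HTML unchanged except that remote <img> tags are replaced."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.blocked = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img" and is_remote(attrs.get("src")):
            parts = urlsplit(attrs["src"].strip())
            self.blocked.append({
                "host": parts.netloc,
                # A 0- or 1-pixel image is invisible and exists only to be fetched.
                "tiny": attrs.get("width") in ("0", "1")
                and attrs.get("height") in ("0", "1"),
                # A query string can identify the individual recipient.
                "has_query": bool(parts.query),
            })
            self.out.append("[remote image blocked]")
        else:
            self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <img ... /> is emitted once

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def block_remote_images(html):
    """Return (html with remote images replaced, details of each blocked image)."""
    parser = RemoteImageBlocker()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.blocked


if __name__ == "__main__":
    cleaned, blocked = block_remote_images(SAMPLE_HTML)
    print(cleaned)
    for item in blocked:
        print(item)
```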
_________________________________________________________________

Authors: Mindi McDowell, Allen Householder
_________________________________________________________________

Produced 2007 by US-CERT, a government organization.

Note: This tip was previously published and is being re-distributed
to increase awareness.

This document can also be found at

<http://www.us-cert.gov/cas/tips/ST04-007.html>



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Cyber Security Tip ST04-006
Understanding Patches

When vendors become aware of vulnerabilities in their products, they
often issue patches to fix the problem. Make sure to apply relevant
patches to your computer as soon as possible so that your system is
protected.

What are patches?

Similar to the way fabric patches are used to repair holes in
clothing, software patches repair holes in software programs. Patches
are updates that fix a particular problem or vulnerability within a
program. Sometimes, instead of just releasing a patch, vendors will
release an upgraded version of their software, although they may refer
to the upgrade as a patch.

How do you find out what patches you need to install?

When patches are available, vendors usually put them on their web
sites for users to download. It is important to install a patch as
soon as possible to protect your computer from attackers who would
take advantage of the vulnerability. Some software will automatically
check for updates, and many vendors offer users the option to receive
automatic notification of updates through a mailing list. If these
automatic options are available, we recommend that you take advantage
of them. If they are not available, check your vendors' web sites
periodically for updates.

Make sure that you only download software or patches from web sites
that you trust. Do not trust a link in an email message--attackers
have used email messages to direct users to malicious web sites where
users install viruses disguised as patches. Also, beware of email
messages that claim that they have attached the patch to the
message--these attachments are often viruses.
_________________________________________________________________

Both the National Cyber Security Alliance and US-CERT have identified
this topic as one of the top tips for home users.
_________________________________________________________________

Author: Mindi McDowell
_________________________________________________________________

Produced 2004 by US-CERT, a government organization.

Note: This tip was previously published and is being re-distributed
to increase awareness.

This document can also be found at

<http://www.us-cert.gov/cas/tips/ST04-004.html>



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cyber Security Tip ST04-005
Understanding Anti-Virus Software

Anti-virus software can identify and block many viruses before they
can infect your computer. Once you install anti-virus software, it is
important to keep it up to date.

What does anti-virus software do?

Although details may vary between packages, anti-virus software scans
files or your computer's memory for certain patterns that may indicate
an infection. The patterns it looks for are based on the signatures,
or definitions, of known viruses. Virus authors are continually
releasing new and updated viruses, so it is important that you have
the latest definitions installed on your computer.

Once you have installed an anti-virus package, you should scan your
entire computer periodically.
* Automatic scans - Depending on what software you choose, you may be
able to configure it to automatically scan specific files or
directories and prompt you at set intervals to perform complete
scans.
* Manual scans - It is also a good idea to manually scan files you
receive from an outside source before opening them. This includes
  * saving and scanning email attachments or web downloads rather than
    selecting the option to open them directly from the source
  * scanning media, including CDs and DVDs, for viruses before opening
    any of the files

What happens if the software finds a virus?

Each package has its own method of response when it locates a virus,
and the response may differ according to whether the software locates
the virus during an automatic or a manual scan. Sometimes the software
will produce a dialog box alerting you that it has found a virus and
asking whether you want it to "clean" the file (to remove the virus).
In other cases, the software may attempt to remove the virus without
asking you first. When you select an anti-virus package, familiarize
yourself with its features so you know what to expect.

Which software should you use?

There are many vendors who produce anti-virus software, and deciding
which one to choose can be confusing. All anti-virus software performs
the same function, so your decision may be driven by recommendations,
particular features, availability, or price. See the references
section for a link to a list of some anti-virus vendors.

Installing any anti-virus software, regardless of which package you
choose, increases your level of protection. Be careful, though, of
email messages claiming to include anti-virus software. Some recent
viruses arrive as an email supposedly from your ISP's technical
support department, containing an attachment that claims to be
anti-virus software. However, the attachment itself is in fact a
virus, so you could become infected by opening it (see Using Caution
with Email Attachments for more information).

How do you get the current virus information?

This process may differ depending on what product you choose, so find out
what your anti-virus software requires. Many anti-virus packages
include an option to automatically receive updated virus definitions.
Because new information is added frequently, it is a good idea to take
advantage of this option. Resist believing email chain letters that
claim that a well-known anti-virus vendor has recently detected the
"worst virus in history" that will destroy your computer's hard drive.
These emails are usually hoaxes (see Identifying Hoaxes and Urban
Legends for more information). You can confirm virus information
through your anti-virus vendor or through resources offered by other
anti-virus vendors. See the references section for a link to some of
these resources.

While installing anti-virus software is one of the easiest and most
effective ways to protect your computer, it has its limitations.
Because it relies on signatures, anti-virus software can only detect
viruses that have signatures installed on your computer, so it is
important to keep these signatures up to date. You will still be
susceptible to viruses that circulate before the anti-virus vendors
add their signatures, so continue to take other safety precautions as
well.
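
Signature matching and its limitation, as an added Python example that is not part of the US-CERT tip and is far simpler than any real anti-virus product: a file is flagged only if it contains a byte pattern that is already in the installed definitions. The definition names, byte patterns, and sample files are constructed for illustration.

```python
import io

# Constructed definitions: the names and byte patterns are made up for this example.
DEFINITIONS_OLD = {"Example.Worm.A": b"EXAMPLE-WORM-A-MARKER"}
DEFINITIONS_UPDATED = {**DEFINITIONS_OLD, "Example.Worm.B": b"EXAMPLE-WORM-B-MARKER"}

# Constructed sample files: harmless bytes that merely contain the markers.
FILE_A = b"." * 10 + b"EXAMPLE-WORM-A-MARKER" + b"." * 10
FILE_B = b"." * 9 + b"EXAMPLE-WORM-B-MARKER" + b"." * 9
CLEAN_FILE = b"Minutes of the Friday meeting.\n"


def scan_stream(stream, definitions, chunk_size=16):
    """Return the sorted names of all signatures whose pattern occurs in stream.

    The data is read in chunks, as a scanner does with a large file. The end of
    each window is carried over so that a pattern split across two chunks is
    still found. The chunk size is tiny here so the sample files span several
    chunks; a real scanner reads much larger blocks.
    """
    longest = max((len(p) for p in definitions.values()), default=0)
    overlap = max(longest - 1, 0)
    tail = b""
    hits = set()
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        window = tail + chunk
        for name, pattern in definitions.items():
            if pattern in window:
                hits.add(name)
        tail = window[-overlap:] if overlap else b""
    return sorted(hits)


def scan_bytes(data, definitions, chunk_size=16):
    """Convenience wrapper: scan an in-memory byte string."""
    return scan_stream(io.BytesIO(data), definitions, chunk_size)


if __name__ == "__main__":
    for label, data in (("FILE_A", FILE_A), ("FILE_B", FILE_B), ("CLEAN_FILE", CLEAN_FILE)):
        print(label, "old definitions:", scan_bytes(data, DEFINITIONS_OLD))
        print(label, "updated definitions:", scan_bytes(data, DEFINITIONS_UPDATED))
```

FILE_B passes cleanly under the old definitions and is flagged only after the update, which is the gap the paragraph above describes.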

References

* CERT Coordination Center Computer Virus Resources -
<http://www.cert.org/other_sources/viruses.html#VI>
* Computer Security Division: Computer Security Resource Center
(CSRC) Virus Information - <http://csrc.nist.gov/virus/>
_________________________________________________________________

Both the National Cyber Security Alliance and US-CERT have identified
this topic as one of the top tips for home users.
_________________________________________________________________

Authors: Mindi McDowell, Allen Householder
_________________________________________________________________

Produced 2004 by US-CERT, a government organization.

Note: This tip was previously published and is being re-distributed
to increase awareness.

This document can also be found at

<http://www.us-cert.gov/cas/tips/ST04-005.html>



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cyber Security Tip ST04-004
Understanding Firewalls

When anyone or anything can access your computer at any time, your
computer is more susceptible to being attacked. You can restrict
outside access to your computer and the information on it with a
firewall.

What do firewalls do?

Firewalls provide protection against outside attackers by shielding
your computer or network from malicious or unnecessary Internet
traffic. Firewalls can be configured to block data from certain
locations while allowing the relevant and necessary data through (see
Understanding Denial-of-Service Attacks and Understanding Hidden
Threats: Rootkits and Botnets for more information). They are
especially important for users who rely on "always on" connections
such as cable or DSL modems.

What type of firewall is best?

Firewalls are offered in two forms: hardware (external) and software
(internal). While both have their advantages and disadvantages, the
decision to use a firewall is far more important than deciding which
type you use.
* Hardware - Typically called network firewalls, these external
devices are positioned between your computer or network and your
cable or DSL modem. Many vendors and some Internet Service
Providers (ISPs) offer devices called "routers" that also include
firewall features. Hardware-based firewalls are particularly
useful for protecting multiple computers but also offer a high
degree of protection for a single computer. If you only have one
computer behind the firewall, or if you are certain that all of
the other computers on the network are up to date on patches and are
free from viruses, worms, or other malicious code, you may not
need the extra protection of a software firewall. Hardware-based
firewalls have the advantage of being separate devices running
their own operating systems, so they provide an additional line of
defense against attacks. Their major drawback is cost, but many
products are available for less than $100 (and there are even some
for less than $50).
* Software - Some operating systems include a built-in firewall; if
yours does, consider enabling it to add another layer of
protection even if you have an external firewall. If you don't
have a built-in firewall, you can obtain a software firewall for
relatively little or no cost from your local computer store,
software vendors, or ISP. Because of the risks asso