2. Copyright and Reuse
• The Digital Self Defense logo is the property of the Rochester Institute of Technology and is licensed under the Creative Commons Attribution-Non-Commercial-No Derivative Works 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-nd/3.0/us/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California 94105, USA. To request permission for other purposes, contact infosec@rit.edu.
• The course materials are the property of the Rochester Institute of Technology and are licensed under the Creative Commons Attribution-Non-Commercial-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/us/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California 94105, USA. To request permission for other purposes, contact infosec@rit.edu.
3. What we’ll talk about today
• Basic information and computer security
• Identity Theft, Phishing and Scams
• Safe social networking
4. How Bad is it?
Source: 4/10 Symantec Internet Security Threat Report (data for 2009)
In 2009:
• The education sector accounted for 20 percent of data breaches that could lead to identity theft, more than any other sector
• The financial sector accounted for 60 percent of all identities exposed, the most of any sector
• Theft or loss of a computer or other data-storage medium was the cause of 20% of data breaches
• Hacking was the cause of 60%
• Symantec created 2,895,802 new malicious code signatures, 51% of the all-time total
5. General Trends
• Malicious activity has become web-based and is shifting to developing countries
– Malicious PDFs accounted for 49% of web-based attacks
• Attackers are targeting end users instead of computers
• The underground economy is consolidating and maturing
• Lowered barriers to entry: crimeware kits
6. Everyone is a target
• You have access to financial resources
– Lines of credit
– Bank accounts
• You have access to information resources
– Personal confidential information
– Employer confidential information
• You have access to network resources
– High-bandwidth connections
– Computing power
7. How Could I Become a Victim?
Attacks are complex
• Software vulnerabilities/configuration errors
– 4,392 "easily exploitable" vulnerabilities in 2008*
• Malicious software/malware
– Viruses, worms, spyware, etc.
• Social engineering attacks
– Phishing scams
– Target sensitive private information
*4/09 Symantec Internet Security Threat Report
8. Malware
• Keyloggers
– Steal usernames, passwords, etc.
• Rootkits and bot software
– Attackers can remotely control computers
– Botnets are used to send out spam and phishing
• Spyware and adware
– Monitor your web activity
Image: Copyright 2003 D. Seah, Bigger than Cheese
9. Botnets & Zombie PCs
Large numbers of "zombie" computers infected with remote control software
• Send out spam, phishing and malware in extremely large volumes
• 75,158 active bot-infected computers daily*
High-volume attacks
• Target insecure computers
• "Low-hanging fruit"
Botnet illustration. Retrieved 18 July 2007. www.symantec.com
*4/09 Symantec Internet Security Threat Report
10. Avert Labs Malware Research
Retrieved July 24, 2009 from:
http://www.avertlabs.com/research/blog/index.php/2009/07/22/malware-is-their-businessand-business-is-good/
11. Social Engineering
Aside from malware, people may also try to steal your private information using:
• E-mails
• Instant messages
• Fake websites
• Phone calls
• Text messages
• Face-to-face contact
12. A Layered Defense
• Strong Passwords
• Patching
• Anti-Virus Protection
• Firewall
• Anti-Spyware Protection
• Physical Security
• Paranoia & Common sense
13. Passwords
• Weak passwords can be guessed
– Automated programs (dictionary and brute-force attacks)
– Personal details (names, birthdays, pets, favorite teams)
• Use different passwords
– How many accounts can be accessed with just one of your passwords?
– A password vault (password manager) lets you keep a unique password for every account
14. Passphrases
• A series of words or a sentence
• Examples
– MyT1gerIs0range
– Ritch1eTh3Tiger
Advantages:
• Easier to remember
• More secure than short complex passwords
Caveat: length is what makes a passphrase strong. Swapping letters for look-alike digits (1 for i, 0 for o, 3 for e) adds little, because password-cracking tools apply exactly those substitutions to every dictionary word, and a word tied to you (Ritchie, the RIT mascot) is one an attacker targeting RIT accounts will try. Prefer four or more unrelated words.
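As an added example (not part of the RIT slides), the following Python script does what an attacker's cracking tool does with the two example passphrases above: it undoes common letter-for-digit substitutions, splits the result into dictionary words, and estimates the number of guesses needed. The word list, the assumed 10,000-word attacker dictionary and the four variants tried per word are assumptions chosen for illustration, not figures from the slides.

```python
import itertools

# Constructed dictionary for this example. A real cracker uses wordlists of
# 10^4 to 10^6 entries plus names tied to the target (here: "ritchie").
DICTIONARY = {"my", "tiger", "is", "orange", "the", "ritchie", "password",
              "love", "cat", "summer", "secure"}

# Look-alike substitutions, read in reverse. Cracking tools apply the same
# table as a "rule" to every dictionary word, so it buys the user little.
UNLEET = {"1": "il", "0": "o", "3": "e", "4": "a", "5": "s", "7": "t",
          "@": "a", "$": "s", "!": "i"}

# Assumed attacker model for the guess estimate (not from the slide):
# a 10,000-word list and about 4 case/leet variants tried per word.
DICT_SIZE = 10_000
VARIANTS_PER_WORD = 4
CHARSET = 72  # letters, digits and common symbols


def unleet_candidates(pw):
    """Yield every lowercase spelling obtained by undoing the substitutions."""
    options = [UNLEET.get(ch, ch.lower()) for ch in pw]
    for combo in itertools.product(*options):
        yield "".join(combo)


def segment(text, words=DICTIONARY):
    """Split text into the fewest dictionary words, or return None."""
    best = [None] * (len(text) + 1)
    best[0] = []
    for end in range(1, len(text) + 1):
        for start in range(end):
            if best[start] is not None and text[start:end] in words:
                candidate = best[start] + [text[start:end]]
                if best[end] is None or len(candidate) < len(best[end]):
                    best[end] = candidate
    return best[len(text)]


def dictionary_words(pw):
    """Dictionary words the passphrase is built from, or None if it is not."""
    for candidate in unleet_candidates(pw):
        words = segment(candidate)
        if words:
            return words
    return None


def guess_estimate(pw):
    """Return (words, guesses): roughly how many guesses an attacker needs.

    A passphrase built from dictionary words costs about
    DICT_SIZE * VARIANTS_PER_WORD per word, not CHARSET per character;
    anything that does not decompose is charged the full character space.
    """
    words = dictionary_words(pw)
    if words:
        return words, (DICT_SIZE * VARIANTS_PER_WORD) ** len(words)
    return None, CHARSET ** len(pw)


if __name__ == "__main__":
    for pw in ("MyT1gerIs0range", "Ritch1eTh3Tiger", "xq7!vv9"):
        words, guesses = guess_estimate(pw)
        print(f"{pw}: words={words} guesses~{guesses:.1e} "
              f"(naive {CHARSET ** len(pw):.1e}, 8-char complex {CHARSET ** 8:.1e})")
```

Both slide examples decompose into three or four common words, so the attacker's cost is about (dictionary size x variants) to the power of the word count: far below what fifteen mixed characters suggest, yet still well above an eight-character complex password, which is the slide's point.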
15. RIT Desktop Standard
The Desktop and Portable Computer Standard requires:
• Patching/Updating (automatic)
• Anti-Virus (automatic)
• Firewall
• Anti-Spyware
Lock on keyboard graphic. Retrieved 18 July 2007.
http://images.jupiterimages.com/common/detail/43/73/22847343.jpg
16. But I own a Mac…
In 2008:
• Mac OS X had more disclosed vulnerabilities than any other OS*
• Apple's Safari web browser had the longest wait for updates of all major browsers**
• Macs are not immune to online threats
*IBM Internet Security Systems X-Force 2008 Trend & Risk Report
**Symantec Internet Security Threat Report
17. Patching
• 2,134 vulnerabilities in the second half of 2007*
– 73% were "easily exploitable"
• Patches close these vulnerabilities,
*4/08 Symantec Internet Security Threat Report
19. Anti-Virus Software
• Use anti-virus software such as McAfee, Norton, Avast, AVG, etc.
• Check with your ISP. They may provide security software, including anti-virus.
20. What Anti-Virus Protects Against
• Viruses
– Self-replicating software that attaches itself to other programs and files
– Spreads from program to program, inserting a copy of itself into each file it infects
• Worms
– Self-replicating software that does not need to attach itself to other programs and files
– Moves from computer to computer over a network, searching for vulnerable hosts
• Trojans
– Software that appears to be something harmless (like a game or screen saver) but actually contains malicious code
21. Firewalls
Firewalls
• Monitor and protect network ports
• Prevent unauthorized connections
You must use a firewall
• Windows XP and Mac OS built-in firewalls
• Third-party products
Graphic of fire. Retrieved 18 July 2007. http://www.adrenalin.bc.ca/lazer/pix/firewall_2.jpg
22. Choosing a Firewall
• Windows XP Firewall
– On by default with SP2
– Does not block outgoing connections, so it will not stop malware already on the machine from connecting out
• ZoneAlarm Personal Firewall
– A little more sophisticated (can block outgoing connections per program)
– Free license for personal use only
• Router/Wireless Router
– Blocks unsolicited inbound connections but does not block outgoing connections
– You must change the wireless router's settings (default administrator password, encryption) to make it secure
23. Anti-Spyware
Spyware is:
"tracking software deployed without adequate notice, consent or control for the user."
You need to:
• Update and scan weekly
– Use automatic updating and scheduling
• Use multiple programs
– On-demand scanners from different vendors catch different things; run only one real-time scanner at a time
– http://security.rit.edu/students.html
Computer ‘Spy’. Retrieved 18 July 2007. http://www.afcea.org/signal/articles/articlefiles/248-HSK_Spyware_computer-spy.jpg
24. How do You Get Spyware?
• Browser vulnerabilities
– Links to malicious sites
– Poisoned results for common search terms
• Bundled with software
• Malware
– Disguised as anti-spyware programs or other popular freeware
Stressed woman photo. Retrieved 18 July 2007. http://www.computermediconcall.com/images/computer-frustration.jpg
25. Limited User Accounts (Recommended)
Administrative/root user accounts
• Give an unnecessary level of access for day-to-day use
Limited user accounts can prevent:
• Many types of malware and spyware/adware from installing system-wide
• Configuration changes
– Malicious or accidental
26. Physical Protection
• Never leave your computer or mobile device unattended
• Lock or log out
– Set a screensaver password
• Don’t let others use it without supervision
– Know what devices are registered to your name
Computer protection image. Retrieved 18 July 2007. http://www.allsquareinc.com/downloads/Love%20My%20Computer.jpg
27. Know Your Computer!
Has your computer been acting differently than usual?
• Run anti-virus and anti-spyware scans
• Ask for help
30. Phishing
• Purpose
– "verify/confirm/authorize" account or personal information
• Source
– Appears to come from PayPal, banks, ISPs, IT departments, or other official or authoritative sources
• Tone
– Appeals to fear, greed, urgency, sympathy
31. Targeted Phishing
• Sent to a specific community
• May include personal details
• Appears official
– Identical logos, graphics, layout, content, etc.
32. How to Spot and Avoid Phishing
• Does it seem credible?
– Misspellings, bad grammar, formatting errors
• File attachments
– Is it expected? If not, ignore it!
• Never respond directly to e-mail requests for private information
– Verify with the company
– Don’t click on links
• Type in the web address as you normally would
35. Phishing Website Tricks
• Similar names
– www.eday.com, www.ebay-secure.com, www.paipall.com, www.yafoo.com
• Use of @ in URLs
– http://www.ebay.com@aw-confirm.us/upd
– Everything before the @ in the host part of a URL is a username, which most sites ignore; the browser actually connects to aw-confirm.us
• Masked URLs
– The visible text of a link (http://www.myspace.com/) can say one thing while the link itself points somewhere else
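The three tricks above can be checked mechanically. The following Python is an added example, not code from the slides or from RIT, and the TRUSTED brand list is an assumption: it reports the host a browser will really connect to, flags typo-squats and brand-plus-hyphen names against that list, and catches a link whose visible text names one site while its href goes to another. The "last two labels" rule for the registrable domain is a simplification; real code uses the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed allow-list of brands the user holds accounts with (assumed input;
# a deployment would derive it from the user's saved logins or a brand list).
TRUSTED = {"ebay.com", "paypal.com", "yahoo.com", "myspace.com"}


def _split(url):
    """urlsplit, defaulting to http:// so bare 'www.example.com/x' parses as a host."""
    return urlsplit(url if "://" in url else "http://" + url)


def real_host(url):
    """The host a browser actually connects to.

    In 'http://www.ebay.com@aw-confirm.us/upd' everything before the '@' in the
    authority is a username; the connection goes to aw-confirm.us.
    """
    return (_split(url).hostname or "").lower()


def registrable_domain(host):
    """Naive 'last two labels' (assumption: no Public Suffix List available)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a, b):
    """Levenshtein distance, used to catch typo-squats like eday.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED):
    """Trusted domain this one imitates (typo within 2 edits, or the brand with a
    hyphenated suffix/prefix such as ebay-secure), or None. Short brand names
    can collide with unrelated short domains, so treat a hit as a warning."""
    if domain in trusted:
        return None
    name = domain.split(".")[0]
    for t in sorted(trusted):
        brand = t.split(".")[0]
        if (edit_distance(name, brand) <= 2
                or name.startswith(brand + "-") or name.endswith("-" + brand)):
            return t
    return None


def assess(url, link_text=None):
    """Warnings for a link as found in an e-mail: its href plus its visible text."""
    warnings = []
    authority = _split(url).netloc
    host = real_host(url)
    if "@" in authority:
        shown = authority.split("@")[0]
        warnings.append(f"userinfo trick: connects to {host}, not {shown}")
    domain = registrable_domain(host)
    target = lookalike_of(domain)
    if target:
        warnings.append(f"lookalike: {domain} resembles {target}")
    if link_text and "." in link_text:
        shown_host = real_host(link_text)
        if shown_host and registrable_domain(shown_host) != domain:
            warnings.append(f"masked link: text shows {shown_host} but href goes to {host}")
    return warnings


if __name__ == "__main__":
    # Constructed links mirroring the slide's examples.
    samples = [
        ("http://www.ebay.com@aw-confirm.us/upd", None),
        ("http://www.ebay.com/upd@aw-confirm.us/upd", None),  # '@' in the path is harmless
        ("http://www.paipall.com/login", None),
        ("http://aw-confirm.us/login", "http://www.myspace.com/"),
    ]
    for url, text in samples:
        print(url, "->", assess(url, text) or "no warnings")
```

Note the second sample: an @ that comes after the first slash is part of the path, not a username, so only an @ inside the authority changes where the browser goes.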
36. Solutions
• Education and awareness
– Because social engineering such as phishing relies on tricking consumers, awareness education is a key component in reducing consumer losses to phishing.
– A number of government and private entities have created websites designed to educate consumers about the threats of phishing. These sites include:
• FTC OnGuard Online
• Anti-Phishing Working Group
• MillerSmiles
37. Solutions
• Safe computing practices provide a strong defense against phishing:
– Never click on links directly from an e-mail.
– Use the browser's page information dialog (File > Properties in Internet Explorer) to find out which website you are really on.
– Look for the proper indicators that you are on a secure website.
• Secure websites use SSL (Secure Sockets Layer), which encrypts the connection between you and the website so that it is private.
• This is indicated by "https://" instead of "http://" at the beginning of the address AND by a padlock icon, which must be found either at the right end of the address bar or in the bottom right-hand corner of your browser window.
• A padlock appearing anywhere else on the page does not represent a secure site.
• The padlock only means the connection to the site named in the address bar is encrypted; it does not mean that site is the one you intended. Check the domain name as well, because a phishing site can also use https.
38. Solutions
• Software
– Although avoiding phishing attempts is typically a matter of following safe practices, there are a number of browser helpers available to warn you of suspicious websites.
– Browser helpers normally work as another toolbar in your browser. Use one or more for your protection.
– Internet Explorer 8 and Firefox 3 also provide limited protection by denying access to many known phishing sites.
– Spam filters may also intercept many phishing attempts.
40. Netcraft
http://toolbar.netcraft.com/
• A giant neighborhood watch scheme
– Once a phishing URL has been reported, it is blocked for community members who subsequently access it.
– Widely disseminated attacks (people constructing phishing attacks send literally millions of e-mails in the expectation that some will reach customers of the bank) simply mean that the phishing attack will be reported and blocked sooner.
• The toolbar also:
– Traps suspicious URLs containing characters which have no common purpose other than to deceive.
– Enforces display of browser navigational controls (toolbar & address bar) in all windows, to defend against pop-up windows which attempt to hide the navigational controls.
– Clearly displays sites' hosting location, including country, helping you to evaluate fraudulent URLs (e.g. the real citibank.com or barclays.co.uk sites are unlikely to be hosted in the former Soviet Union).
43. Student Identity Theft
The 18-29 age group reports more identity theft than any other
• Shred sensitive documents
• Thieves want credit, not cash
• Check your credit rating
– www.ftc.gov/freereports
– www.annualcreditreport.com
• www.ed.gov/misused
44. If You Think You’re a Victim…
Reporting identity theft:
• Law enforcement
• Your financial institutions
• Credit bureaus
• FTC Web site
– www.idtheft.gov
46. It’s Harmless, Right?
What kinds of things do people typically post?
• Class schedule
• New cell phone number
• Details of an upcoming vacation
• Complaints about a co-worker or manager
• Story about last weekend’s party
47. Who Else Uses Social Networking?
• Employers
– Estimated that up to 75% of employers regularly "google" or "facebook" applicants
• Identity thieves
– Names, birthdays, phone numbers, addresses, etc.
• Online predators
– Schedules, whereabouts, weekend/vacation plans, etc.
• Facebook Stalker (http://www.youtube.com/watch?v=wCh9bmg0zGg)
48. What You Post Can Be Used To…
• Make judgments about your character
• Impersonate you to financial institutions
• Monitor what you do and where you go
– Theft
– Harassment
– Assault
49. Not YourSpace
Would I be comfortable if this were posted on a billboard?
The Internet is public space!
• Search results
• Photo "tagging"
50. Use Social Networks Safely
Do:
• Make friends
• Use privacy settings
• Be conscious of the image you project
Don’t:
• Post personal information
• Post schedules or whereabouts
• Post inappropriate photos
51. Paranoia or Common Sense?
Guard your personal information!
– Even less sensitive information can be exploited by an attacker!
– Don’t post it in public places
– Know to whom you’re giving it
• Watch out for Facebook applications!
– A 2008 study found that 90.7% of apps had access to private user data (only 9.3% actually used the data)
Macbook. Retrieved 18 July 2007. http://s7v1.scene7.com/is/image/JohnLewis/230407880?$product$
52. Phishing on Social Network Sites
http://www.markmonitor.com/download/bji/BrandjackingIndex-Spring2009.pdf
53. Is this really your friend?
When "friends" ask for money online:
• Do they speak/write like your friend?
• Do they know any details about you or themselves that do NOT appear on Facebook profile pages?
• Do they refuse other forms of help, phone call requests, etc.?
Just because it is your friend’s account does not mean that it’s your friend!
54. The First Line of Defense
Stay alert: you will be the first to know if something goes wrong
– Are you receiving odd communications from someone?
– Is your computer sounding strange or running slower than normal?
– Has there been some kind of incident or warning in the news?
Do something about it!
– Run a scan
– Ask for help
55. For more information
• Information Security web page
http://security.rit.edu
• RIT Information Security Facebook page
• Staysafeonline.info