For Home Users
Basic Attacks
• Malware
• Social Engineering
• Password Guessing
• Physical Theft
• Improper Disposal
Malware
Malicious software: computer programs designed to break into and create havoc on computers.
• Virus
• Worms
• Trojans
Viruses
A program that secretly attaches itself to a document or another program and executes when that document or program is opened. Like its biological equivalent, viruses require a host to carry them from one
A virus might corrupt or delete data on your computer, use your e-mail program to spread itself to other computers, or even erase everything on your hard disk.
Can be disguised as attachments of funny images, greeting cards, or audio and video files.
They can be hidden in illicit software or other files or programs you might
Symptoms of a Virus
Computer runs very slowly.
New programs don’t install properly.
New icons appear on the desktop.
A program suddenly disappears from the computer.
An email message appears that has an unexpected attachment, or an attachment has a double file extension such as PICTURE.JPG.VPS. After opening the attachment, dialog boxes appear or the computer slows significantly.
Out-of-memory error messages appear.
Programs that used to function normally stop responding.
Windows restarts unexpectedly.
Windows error messages appear listing “critical system files” that are missing and refuse to load.
Worms
Like a virus but not dependent on a host – can spread by itself. Unlike a virus, which requires a trigger such as opening an email attachment, a worm does not need a user action to begin to spread.
Worms usually replicate until they clog all available resources. A typical symptom of a worm-infected computer is running slowly and
Trojan Horse
Trojan horses disguise themselves as valuable and useful software available for download on the internet. Most people are fooled by this ploy and end up downloading the virus disguised as some other
Social Engineering
Tricking or deceiving someone to access a system.
• Phishing
• Dumpster Diving
• Password Peeking
Phishing
Phishing e-mail messages or phone calls are designed to steal your identity. They ask for personal data, or direct you to Web sites or phone numbers to call where they ask you to provide personal data.
Forms of Phishing
They might appear to come from your bank or financial institution, a company you regularly do business with, or from your social
They might appear to be from someone you know. Spear phishing is a targeted form of phishing in which an e-mail message might look like it comes from your
Phone phishing scams direct you to call a customer support phone number. A person or an audio response unit waits to take your account number, personal identification number, password, or other valuable personal data. The phone phisher might claim that your account will be closed or other problems could occur if you don't respond.
They might include official-looking logos and other identifying information taken directly from legitimate Web sites, and they might include convincing details about your personal information that scammers found on your social networking
They might include links to spoofed Web sites where you are asked to enter personal information.
Dumpster Diving
Low-tech method to steal your personal information by digging through your discarded trash for credit card offers, medical statements, bills and other sensitive papers.
Password Peeking
Visual “peeking” to obtain passwords or user codes.
Password Guessing
• Brute force
• Dictionary attack
• Rainbow tables
Brute Force
Creating every possible combination by systematically changing one character at a time in a password. Programs are widely available on the internet that use brute force. Example: L0phtCrack.
Dictionary attack
Using an electronic dictionary of words to use as passwords. Generally more efficient than a brute force attack, because users typically choose poor passwords.
Rainbow Tables
Contains a large pregenerated data set of nearly every possible password combination. Freely available online. Example: Ophcrack.
Physical Theft
60% of stolen data is due to laptop theft
Many mobile devices simply get left behind in places like cabs, subways, and airplanes. 10 to 15 percent of all handheld computers, PDAs, mobile phones, and pagers are eventually lost by their owners.
Improper Disposal
Two MIT graduates published a study in which, over two years, they bought 158 used hard drives at second-hand computer stores and on eBay; on 69 drives they found recoverable files, including medical correspondence, credit card numbers and a year's worth of transactions from an Illinois ATM.
How to Prevent Attacks
What you can and should do to protect your personal information and system integrity.
Malware
Patch software – security updates designed to fix vulnerabilities. Computers can be configured to automatically receive patches.
Patch software
Security updates – a broadly released fix for a product-specific security-related vulnerability. Security vulnerabilities are rated based on their severity as critical, important, moderate, or low.
Critical updates – a broadly released fix for a specific problem addressing a critical, non-security related bug.
Service Packs – a tested, cumulative set of hotfixes, security updates, critical updates, and updates, as well as additional fixes for problems found internally since the release of the product. Service Packs might also contain a limited number of customer-requested design
Malware
Anti-virus software – must be continuously updated to recognize new viruses. Scan the system weekly. Consider an internet security suite, which may include additional layers of defense – spam filters, firewall, pop-up blockers, phishing detectors, real-time threat alerts.
Malware Removal
Many applications are available to detect and remove malware that has infected your system.
I recommend Malwarebytes, free version. It must be updated manually, but it is very effective.
Phishing
Don’t click on links within emails that ask for your personal information. No legitimate business would place links within emails.
To check whether the message is really from the company or agency, call it directly or go to its Web site (use a search engine to find it).
Spoofing
Do not rely on the text in the address bar as an indication that you are at the site you think you are. There are several ways to get the address bar in a browser to display something other than the site you are on.
Pop-ups
Never enter your personal information in a pop-up screen.
Legitimate companies, agencies and organizations don’t ask for personal information via pop-up screens.
Install pop-up blocking software to help prevent this type of phishing attack.
Attachments
Only open email attachments if you’re expecting them and know what they contain. Even if the messages look like they came from people you
know, they could be from scammers and contain programs that will steal your personal information.
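The double-extension symptom from the “Symptoms of a Virus” slides and the attachment advice above can be turned into a simple check on the attachment name before anything is opened. The following Python is an added example, not part of the deck: the attachment names are constructed, and the list of program-type extensions is an assumption (representative, not complete).

```python
# Constructed sample of attachment names as they might appear in an inbox.
SAMPLE_ATTACHMENTS = [
    "holiday.jpg",
    "PICTURE.JPG.VPS",    # the double-extension example from the deck
    "invoice.pdf.exe",
    "report.docx",
    "greeting_card.scr",
    "notes.tar.gz",
]

# Final extensions that run as a program when opened.
# Assumption: a representative list, not an exhaustive one.
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "com", "bat", "cmd", "pif", "vbs", "js", "jse",
    "wsf", "hta", "msi", "ps1",
}

# Extension pairs that legitimately stack (compressed archives).
KNOWN_COMPOUND = {("tar", "gz"), ("tar", "bz2"), ("tar", "xz")}


def extensions(name):
    """All extensions of a file name, lower-cased, in order (empty if none)."""
    parts = name.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def assess_attachment(name):
    """Return the reasons an attachment name looks suspicious (empty if none):
    a double extension (PICTURE.JPG.VPS style) or a program-type final extension."""
    exts = extensions(name)
    reasons = []
    if len(exts) >= 2 and tuple(exts[-2:]) not in KNOWN_COMPOUND:
        reasons.append("double file extension")
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append(f"runs as a program (.{exts[-1]})")
    return reasons


def suspicious_attachments(names):
    """Map each flagged attachment name to its reasons; clean names are omitted."""
    result = {}
    for name in names:
        reasons = assess_attachment(name)
        if reasons:
            result[name] = reasons
    return result


if __name__ == "__main__":
    for name, reasons in suspicious_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{name}: {', '.join(reasons)}")
```

The deck's own example name is flagged on the double extension alone; the check does not need to recognise the final extension to do that. The check looks at the complete file name, because a mail client or file manager that hides known extensions may show only the innocent-looking middle part.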
Verify
If someone contacts you and says you’ve
been a victim of fraud, verify the person’s identity before you provide any personal information.
Ask for the name of the person, agency or company, phone number, and the
address. Get the main number from the phone book, or Internet, then call to find out if the person is legitimate.
Shop Securely
Industry has developed technology that
can scramble sensitive information, such as your credit card number, so that it
can be read only by the merchant you are dealing with and your credit card issuer. This ensures that your payment information cannot be read by anyone else or changed along the way.
Online Payments
There are several ways to determine if you have that protection when you are sending payment information on the web.
Look for the picture of the unbroken key or closed lock in your browser
window. Either one indicates that the security is operative. A broken key or any open lock indicates it is not.
https
Look to see if the web address on the page that asks for your credit card information begins with "https:"
SSL
Some web sites use the words "Secure Sockets Layer (SSL)" or a pop up box that says you are entering a secure area.
SSL Credentials
SSL Certificates are credentials for the online world, uniquely issued to a
specific domain and Web server and authenticated by the SSL Certificate provider. When a browser connects to a server, the server sends the
identification information to the browser.
View Credentials
Click the closed padlock in a browser window.
Strong Passwords
Must be at least 8 characters
Must contain a combination of letters,
numbers, special characters, upper and lowercase.
Don’t reuse passwords.
Passphrases
Take a common phrase such as “Four score and seven years ago” and replace the spaces with numbers: “Four1score2and3seven4years5ago”. Use your favorite song title or poem.
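As an added example (not from the deck) covering both the Password Guessing slides and the Strong Passwords and Passphrases rules above, this Python applies the deck's password rules, estimates how many candidates a brute-force attack would have to try for a password of that shape, flags words a dictionary attack would try first, and builds a passphrase by the space-to-number method. The wordlist is a constructed six-entry stand-in; a real one has millions of entries.

```python
import string

# Constructed sample standing in for the electronic dictionary a dictionary
# attack uses; a real wordlist has millions of entries.
COMMON_WORDS = {"password", "letmein", "qwerty", "dragon", "sunshine", "welcome"}

# Character classes the deck asks for, with the characters each one adds
# to the alphabet a brute-force search has to cover.
CLASSES = [
    ("lowercase letters", set(string.ascii_lowercase)),
    ("uppercase letters", set(string.ascii_uppercase)),
    ("digits", set(string.digits)),
    ("special characters", set(string.punctuation)),
]


def classes_present(password):
    """Names of the character classes that occur in the password."""
    return [name for name, chars in CLASSES if any(c in chars for c in password)]


def brute_force_candidates(password):
    """Number of strings a brute-force attack must try to exhaust every
    password of the same length built from the character classes used."""
    present = classes_present(password)
    alphabet = sum(len(chars) for name, chars in CLASSES if name in present)
    return alphabet ** len(password)


def check_password(password):
    """Apply the deck's rules (8+ characters; upper, lower, digits, special)
    plus a wordlist check. Returns a list of problems, empty if it passes."""
    present = set(classes_present(password))
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    for name, _ in CLASSES:
        if name not in present:
            problems.append(f"no {name}")
    if password.lower() in COMMON_WORDS:
        problems.append("in the wordlist, so a dictionary attack finds it almost immediately")
    return problems


def make_passphrase(phrase):
    """Replace each space in the phrase with 1, 2, 3, ... as the deck describes."""
    words = phrase.split()
    return "".join(word if i == 0 else f"{i}{word}" for i, word in enumerate(words))


if __name__ == "__main__":
    samples = ["password", "Home!Users2024", make_passphrase("Four score and seven years ago")]
    for pw in samples:
        print(f"{pw}: {check_password(pw) or 'passes'}; "
              f"{brute_force_candidates(pw):,} brute-force candidates")
```

Note that the deck's own passphrase, “Four1score2and3seven4years5ago”, contains upper and lower case letters and digits but no special character, so by the deck's rule list the checker reports exactly that one gap. The brute-force figure is an upper bound for an attacker who already knows which character classes were used; the wordlist check is why the deck calls a dictionary attack more efficient: a password that appears in the list is found after a handful of tries, however large the theoretical search space looks.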
Password Safes
KeePass is a free password manager. Put all your passwords in one
database, which is locked with one master key. The databases are
encrypted and you only have to remember one master password. http://keepass.info/
Password Generators
Keepass also contains an excellent password generator.
Or online programs such as:
http://www.pctools.com/guides/password/
http://strongpasswordgenerator.com/
Physical Theft
• Record serial numbers
• Use ID tags
• Never leave your laptop unguarded in a hotel or conference room.
• Never leave a laptop bag on a car seat in plain view.
Recovery Services
Simple software application:
• displays a lost message on the log-in screen
• locks the device remotely
• shreds data on your hard drive
• may include a GPS feature
Erasing Hard Drive
Even reformatting a drive may not be enough to erase data.
Darik's Boot and Nuke ("DBAN") is a
self-contained boot disk that securely wipes the hard disks of most
computers. Free.
Physically Destroy HD
• Smash your hard disk with a hammer
• Pour paint on the hard disk platters
• Drill holes through the drive case and shatter the hard drive platters inside it
• Use a radial arm saw to cut the hard disk in two pieces
Software Downloads
Download only from companies that are known to be malware-free and do not have a hidden motive for providing software.
The End
Take Control. Be proactive!
Plenty of free applications to protect your system online.
If you need help (you are not alone!), ask experts or research online.
Beware! It is getting worse, not better. If you do become a victim, report it.