Safe Web Surfing and Social Engineering
Tip 9 -- Safe Web Surfing
We all love to surf the Web. However, the Web is filled with all kinds of dangers. I will mention 3 dangers in this tip and ways to manage them.
Avoiding Dangerous Web Sites:
There are a number of services that rate Web sites and provide some kind of ranking to let you know when you are possibly about to connect to a dangerous site. These are not foolproof, but they can provide something of a shield.
One service that I often use is Web Of Trust (WOT); it provides a simple browser add-on that gives a simple ranking to any web site you attempt to connect to, or that comes back in a Google search. Unless I have privileged knowledge, I always trust the WOT ratings.
Another great service is the AT&T Privacy Bird; it identifies sites that have published a privacy policy. In this way you can avoid sites that are likely to share your information with others. Of course, you should always be careful not to share any information unless you are absolutely sure the site is reputable.
Norton/Symantec also provides a Web-surfing protection program, in addition to its complete suite of anti-malware and anti-spyware programs. Of course, the service is commercial, so you will be paying, but the protection is rated among the best available.
Managing Cookies
Cookies were originally developed as a way of allowing Web connections to have a memory (i.e., a 'state'). They hold information in a small text file on your computer that the site reads back later to remember what you were doing. One of the first applications of the cookie was to build a 'shopping cart' for online e-commerce sites. When used properly, cookies can be a major convenience.
However, tracking cookies are intended to be read across multiple sites, such as the ones used by the DoubleClick ad banner system. The problem here is that it is possible to build a profile of the online behavior of the user. Add to this session cookies, which may hold user IDs and passwords, and it is then possible to establish the identity of a user.
Of course, the issue here is one of privacy. Currently, in the United States, you have a right to privacy in many situations. In these situations, defined by law, you may choose to hold information private whether or not anyone else likes it. So, I recommend that all users learn about cookies and how to manage them.
Every web browser has the capability to erase cookies or turn them off. However, many shopping sites will not work if cookies are not enabled. I like to periodically erase cookies from my browser. But beware: there are many kinds of cookies (Flash cookies are another example) and it is often not practical to erase them all manually. So, there are many programs, both free and commercial, for cookie management and removal.
One popular commercial program is UltraSentry; a free alternative is 12 Ghosts.
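The cookie mechanics described above (a session cookie versus a persistent one, and a first-party cookie versus a third-party tracking cookie) can be seen directly in the Set-Cookie headers a browser receives. The following is an added example, not code from this page or from any of the programs it names: it parses a few constructed Set-Cookie headers and classifies each one the way a cookie-management tool might. The host names, cookie values and the two-label "registrable domain" shortcut are all assumptions made for the example.

```python
"""Added example: classify Set-Cookie headers as a cookie-management tool might.

Distinguishes session cookies (cleared when the browser closes) from
persistent ones, and first-party cookies from third-party ones that can
follow a user across sites. Sample headers and host names are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class CookieReport:
    name: str
    persistent: bool          # has Expires or Max-Age: survives a browser restart
    third_party: bool         # belongs to a site other than the one being viewed
    secure: bool              # only sent over HTTPS
    httponly: bool            # hidden from page scripts
    samesite: Optional[str]   # Lax/Strict/None if declared
    verdict: str


def site_of(host: str) -> str:
    """Approximate a host's registrable domain by its last two labels.
    Assumption made for the example; a real tool would consult the
    Public Suffix List (co.uk, for instance, needs three labels)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split 'name=value; Attr=val; Flag' into (name, value, {attr: val}).
    Attribute names are lowercased; bare flags such as Secure map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def classify_cookie(header: str, response_host: str, page_host: str) -> CookieReport:
    """response_host: the server that sent the header.
    page_host: the site shown in the address bar when it arrived."""
    name, _value, attrs = parse_set_cookie(header)
    persistent = "expires" in attrs or "max-age" in attrs
    # Without a Domain attribute the cookie belongs to the responding host.
    cookie_domain = attrs.get("domain") or response_host
    third_party = site_of(cookie_domain) != site_of(page_host)
    secure = "secure" in attrs
    httponly = "httponly" in attrs
    samesite = attrs.get("samesite")

    if third_party and persistent:
        verdict = "tracking candidate: persistent cookie from another site"
    elif third_party:
        verdict = "third-party session cookie"
    elif not persistent:
        verdict = "first-party session cookie"
        if not (secure and httponly):
            verdict += " (missing Secure/HttpOnly)"
    else:
        verdict = "first-party persistent cookie"
    return CookieReport(name, persistent, third_party, secure, httponly, samesite, verdict)


# Constructed sample: three Set-Cookie headers seen while viewing shop.example.com,
# paired with the host that sent each one.
SAMPLE_COOKIES = [
    ("cart=abc123; Path=/; HttpOnly; Secure", "shop.example.com"),
    ("login=tok; Path=/", "shop.example.com"),
    ("id=xyz; Domain=.ads-tracker.example; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/",
     "ads-tracker.example"),
]


def tracking_candidates(page_host: str = "shop.example.com"):
    """Names of sample cookies that belong to a site other than the one viewed."""
    reports = [classify_cookie(h, host, page_host) for h, host in SAMPLE_COOKIES]
    return [r.name for r in reports if r.third_party]


if __name__ == "__main__":
    for header, host in SAMPLE_COOKIES:
        print(classify_cookie(header, host, "shop.example.com"))
```

Run as a script it prints one report per sample header; the `id` cookie from `ads-tracker.example` is the only one flagged as a cross-site tracker, and the `login` cookie is reported as a session cookie sent without Secure/HttpOnly, the kind of cookie that can carry a user ID as the text above warns.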
History and Web Tracks
When we browse the Web, our browser keeps a history list of the sites we visit. Copies of files and pictures are also kept in the browser cache until that space is either erased or needed for other uses. Programs like those mentioned above will often clean these history lists and tracks as well, but you can also do it manually from your Web browser.
Some people use Web anonymizer services such as those listed at http://www.thefreecountry.com/security/anonymous.shtml -- I do not necessarily trust services like this, although it really depends on what you are doing. If you simply want privacy (which is your right), go right ahead. But please do not be tempted to break the law, harass people, or worse using such services; in the case of terrorism I would expect, and hope, that they can be broken.
Tip 10 -- WiFi Safety
Wireless networks are one of the coolest evolving information technologies of the past 2 decades. Where, in the 1990s, home computer users typically had a single desktop computer and a telephone modem, today many homes have cable or DSL connections and wireless routers supporting many desktops, laptops and handheld devices. My home network has 9 nodes (currently).
The problem is that most wireless network routers come with factory settings and no security. In a recent project, some of my students surveyed 9,000 networks in State College and found almost 1/3 to be completely insecure. This means anyone with a laptop or handheld computer can use your network. If they use it to break the law, guess where the police will come?
At a minimum, I recommend setting up WEP or WPA encryption on your network. This will keep out 98% of all users, although not *my* students. Businesses should use WPA2 with VPN as a minimum. This is probably overkill, though, for the average home network, where you just want to keep the 10-year-old from next door from using your WiFi network to get to porno.
There are many tutorials online for setting up WEP and WPA encryption. Many of these are specific to the kind of WiFi router you have, so it is best to do a Google search or go to the home page for your WiFi router and look for instructions there.
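The ladder this tip describes (factory default with no security, then WEP, WPA, and WPA2) corresponds to a handful of settings in an access point's configuration. The following is an added example, not code from this page or from any router vendor: it parses hostapd-style `key=value` configuration text (hostapd is the access-point daemon used on Linux and on many OpenWrt-based routers) and grades it on that ladder, flagging the factory-default signs the survey above found so often. The three sample configurations, the list of default-looking SSIDs and the 12-character passphrase threshold are constructed assumptions for the example.

```python
"""Added example: grade a hostapd-style access-point configuration on the
ladder the tip describes (open, WEP, WPA, WPA2, WPA3) and flag signs of a
router that was never configured. Sample configs are constructed."""
from typing import Dict, List, Tuple

# Constructed: what an unconfigured router's settings amount to.
FACTORY_DEFAULT_CONF = """
interface=wlan0
driver=nl80211
ssid=linksys
channel=6
"""

# Constructed: WEP with a static key, the first rung of the ladder.
WEP_CONF = """
interface=wlan0
ssid=HomeNet
channel=6
wep_default_key=0
wep_key0=0123456789
"""

# Constructed: WPA2-PSK with the AES cipher (CCMP) only. Replace the placeholder passphrase.
HARDENED_CONF = """
interface=wlan0
ssid=HomeNet
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=CHANGE-ME-to-a-long-unique-passphrase
"""

# Assumed for the example: SSIDs that suggest the owner never changed anything.
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default"}


def parse_hostapd(text: str) -> Dict[str, str]:
    """hostapd uses one key=value per line; '#' starts a comment."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit(cfg: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return (grade, findings); grades from weakest to strongest are
    open, wep, wpa, wpa2, wpa3."""
    findings: List[str] = []
    wpa = int(cfg.get("wpa", "0"))          # 0 = none, 1 = WPA, 2 = WPA2, 3 = both
    key_mgmt = cfg.get("wpa_key_mgmt", "")
    pairwise = cfg.get("rsn_pairwise", "") + " " + cfg.get("wpa_pairwise", "")
    has_wep = any(k.startswith("wep_key") for k in cfg)

    if wpa == 0 and not has_wep:
        grade = "open"
        findings.append("no encryption: anyone in range can join and use the connection")
    elif wpa == 0:
        grade = "wep"
        findings.append("WEP is a static-key scheme that is long broken; move to WPA2")
    elif "SAE" in key_mgmt:
        grade = "wpa3"
    elif wpa == 1:
        grade = "wpa"
        findings.append("wpa=1 allows only the original WPA; set wpa=2 for WPA2")
    else:
        grade = "wpa2"
        if wpa == 3:
            findings.append("wpa=3 lets old clients fall back to WPA; use wpa=2 unless needed")
        if "TKIP" in pairwise:
            findings.append("TKIP cipher enabled; use CCMP (AES) only")
        if len(cfg.get("wpa_passphrase", "")) < 12:   # threshold assumed for the example
            findings.append("passphrase shorter than 12 characters")

    if cfg.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append("SSID looks like a factory default; the router may never have been configured")
    return grade, findings


def audit_text(text: str) -> Tuple[str, List[str]]:
    return audit(parse_hostapd(text))


if __name__ == "__main__":
    for label, conf in (("factory", FACTORY_DEFAULT_CONF), ("wep", WEP_CONF),
                        ("hardened", HARDENED_CONF)):
        grade, findings = audit_text(conf)
        print(f"{label}: {grade} {findings}")
```

The factory-default sample grades as `open` with two findings, the WEP sample as `wep`, and the hardened sample as `wpa2` with nothing to report. The keys used (`wpa`, `wpa_key_mgmt`, `rsn_pairwise`, `wpa_pairwise`, `wpa_passphrase`, `wep_key0`) are real hostapd options; consumer routers expose the same choices under different names in their web interface.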
Tip 11 -- Social Engineering
As I like to tell my students, the least secure part of any system is the wet-ware (i.e., the human). Humans can be fooled, led and deceived. They often want to be helpful, and because most people are basically honest they want to believe other people are basically honest. As P.T. Barnum once observed, 'A sucker is born every minute.'
Social engineering is increasingly employed by malware developers to trick users into infecting their own systems or giving away information. I will mention two major methods here: the trick and the carrot.
The trick:
Just today I received an email that claimed to be from Facebook, claiming that they are concerned that I have not been able to get into my account, and asking me to click on a link to resolve the problem. What they did not know was that I was already logged into Facebook in a different browser. The link went to a malware site and I would have become a malware victim (or not, as I use an LPA). A few minutes later I received another email, supposedly from FedEx, claiming that they could not make a delivery to my home and asking that I open an attachment and call their office with the tracking number. Again, this was a fake message, and had I opened the attachment I would have become infected.
These are examples of the social engineering 'trick': a ruse to get you to do something, such as open an attachment or click on a Web link. When you do that, the action executes with the privileges you have at the moment. (An LPA will prevent many of these, but not all.) The best rule of thumb is to NEVER open an attachment that you did not request and NEVER click on a link sent to you via email. If someone wants to send you an attachment, have them send a SECOND email telling you that they are sending the attachment and what it contains. The added verification will help you know it is real.
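The two messages described above share signals a reader (or a mail filter) can check for before clicking or opening anything: a sender whose display name claims a brand that its address domain does not belong to, a link whose visible text shows one site while it really points at another, and an attachment nobody asked for. The following is an added example, not code from this page: it builds a constructed look-alike of such a message with Python's standard `email` library and runs those three checks over it. The brand list, sender addresses, host names and attachment are all constructed for the example, and the two-label "registrable domain" shortcut is an assumption.

```python
"""Added example: screen an incoming e-mail for the 'trick' signals in the tip.

Checks: (1) display name claims a brand the address domain does not belong to,
(2) a link's visible text shows one site while its href leads to another,
(3) the message carries an attachment the reader did not ask for.
Sample messages, brand list and host names are constructed."""
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Brands impersonated in the tip above; a real filter would carry a larger list.
WATCHED_BRANDS = ("facebook", "fedex")


def site_of(host: str) -> str:
    """Last two labels of a host (assumption for the example; a real tool
    would use the Public Suffix List)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_in_text(text: str) -> Optional[str]:
    """If the anchor text itself looks like a URL or host name, return that host."""
    if " " in text or "." not in text:
        return None
    return urlsplit(text if "://" in text else "//" + text).hostname


def analyze(msg: EmailMessage) -> List[str]:
    findings: List[str] = []

    # 1. Display name versus address domain.
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    for brand in WATCHED_BRANDS:
        if brand in name.lower() and brand not in site_of(domain):
            findings.append(f"sender claims '{name}' but address domain is {domain}")

    # 2. Link text versus link target (HTML bodies only).
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        collector = LinkCollector()
        collector.feed(html_part.get_content())
        for href, text in collector.links:
            target = urlsplit(href).hostname or ""
            shown = host_in_text(text)
            if shown and site_of(shown) != site_of(target):
                findings.append(f"link shows {shown} but points to {target}")
            elif not shown and any(b in text.lower() and b not in site_of(target)
                                   for b in WATCHED_BRANDS):
                findings.append(f"link labelled '{text}' points to {target}")

    # 3. Attachments: the tip's rule is never to open one you did not request.
    for part in msg.iter_attachments():
        findings.append(f"unrequested attachment '{part.get_filename()}'")
    return findings


def build_sample_phish() -> EmailMessage:
    """Constructed look-alike of the Facebook/FedEx messages in the tip."""
    msg = EmailMessage()
    msg["From"] = '"Facebook" <security@fb-login-help.example>'
    msg["To"] = "reader@example.org"
    msg["Subject"] = "We could not sign you in"
    msg.set_content("Please use the link to recover your account.")
    msg.add_alternative(
        '<p>We could not sign you in. Recover here: '
        '<a href="http://fb-login-help.example/recover">https://www.facebook.com/recover</a>'
        '</p>', subtype="html")
    msg.add_attachment(b"PK\x03\x04 constructed placeholder, not a real archive",
                       maintype="application", subtype="zip", filename="tracking.zip")
    return msg


def build_sample_benign() -> EmailMessage:
    """Constructed ordinary message that should produce no findings."""
    msg = EmailMessage()
    msg["From"] = "Alice <alice@example.org>"
    msg["To"] = "reader@example.org"
    msg["Subject"] = "Lunch?"
    msg.set_content("Same place at noon?")
    return msg


if __name__ == "__main__":
    for finding in analyze(build_sample_phish()):
        print("-", finding)
```

On the constructed message all three checks fire; the plain-text note from Alice produces none. The second check is the one worth remembering when reading mail by hand: the address the link text shows is not necessarily where the link goes, and hovering over it (or checking the message source) reveals the real destination.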
The carrot:
The problem with most social networking sites is that they encourage you to reveal private information about yourself, information you would never reveal if you did not feel as if you were with friends. I am not singling out any particular social networking site; they all have this problem. We are social creatures, and we want to know others and be known by others. I am no different; I probably check Facebook 2-3 times each day. I keep up with my kids, most of my friends, and even my wife that way.
But sometimes we give away information without understanding the risk. An example is the location-based add-ons that automatically say where you are located. They are also, unintentionally, saying where you are NOT located (i.e., at home). This could alert a criminal that your home is unattended and vulnerable to theft. People have also been known to post pictures, however innocently, that get themselves or others into trouble with present or future employers. As an old guy (57), I find that many of the dumb things I did as a teen are long forgotten; teens today do not have that luxury.
So, a good rule is not to post anything on any online site (regardless of their privacy policy) that you would not want your parents, wife/husband, employer or a stranger to know. Law enforcement agencies and the IRS are routinely data-mining social networking sites.
This page created and made available for educational purposes by Dr. Gerry Santoro - [email protected]