Computer Security Session 3: Phishing and Other Everyday Threats

version 0.1

This session will attempt to focus on the most common security problems that regular home users run into.

Phishing and Scamming and Spamming

Phishing

Phishing is the process of fooling users into thinking an illegitimate website is legitimate. For example, a scammer might send you an e-mail pretending to be from your bank, a social media platform, or a shopping service. Sometimes these fraudulent messages are threatening (“reply or your account will be shut down”) and sometimes they seem innocent (“J. Random Person wants to join your LinkedIn network”).

Often the goal of phishing is to trick people into giving up their login information. This can be blatant (“please respond to this e-mail with your account name and password”) or subtle (“please click this link to log into your account”).

Spear phishing is when the scammer has specific information about you that they use to tailor their communication.

Some general rules for dealing with phishing and other scams include:

  • Be wary of communications from strangers. Sometimes these are legitimate, but often not.
  • Be wary of spelling and grammatical mistakes in communications from supposedly-reputable websites. (But be careful: scammers have improved their grammar.)
  • Be wary of e-mail attachments, especially unexpected ones.
  • Be wary of links in e-mails. If you are being admonished to log into a website, do so by navigating to the website independently, not by clicking the link.
  • Inspect links and website URLs for suspicious properties.
  • Never ever ever give your password information to anybody. Ever.

OpenDNS published a pretty good quiz on phishing: http://www.opendns.com/phishing-quiz/

Spam and Reliability

Spam is any kind of unwanted and unsolicited communication. Small amounts of spam are an annoyance; large amounts render the communications platform unusable.

As people have moved away from e-mail, spammers have moved to new platforms: Facebook, Twitter, blog comments…

Unfortunately, e-mail has become an unreliable means of communication, largely thanks to spam:

  • Spam filters can trap legitimate e-mail
  • Spammers try to fool you into thinking that legitimate mail is illegitimate
  • Mail servers can blacklist (block) e-mail senders unexpectedly

Spam has other effects as well:

  • Website comment spam can get your website blacklisted by search engines

How should you deal with spam?

  • Avoid giving out your contact information on the Internet.
  • Don’t feed the spammers. Never be tempted to purchase goods or services that are advertised via spam.
  • Use spam filters, but be judicious; you have to scan your spam pile once in a while for legitimate e-mail. Some spam filters are trainable — you can tell them what is spam and what is not, and they learn to distinguish your legitimate communication better. (This can have a privacy cost.)
  • Be wary of accepting friend requests/follow requests arbitrarily.

E-mail Privacy

Many people do not realize that it is possible to snoop on e-mail communications. By default, e-mail is not encrypted.

Viruses and Botnets

There are many different kinds of threats labelled as “viruses” by the general public: spyware, trojans, bots, and many others. A general description of such software is malware.

What damage can malware do?

  • Some malware is used for surveillance, and in the worst case can track your login information as you browse the web.
  • Some malware pops up warnings and redirects websites to their products.
  • An especially worrying form of malware turns your computer into a member of a botnet — a computer that obeys the commands of an outside source. Botnets are rented out for all kinds of shady purposes like breaking into websites, cracking passwords, and infecting other computers.

How does malware infect your computer?

  • You might browse a malicious website that downloads something bad onto your computer. Often such websites exploit security vulnerabilities in your software.
  • You might install a program that contains malware. This often happens with fake antivirus programs that “warn” you of your computer being infected. Sketchier programs (pirated material, cracking programs, some freeware) are also sources of this material.
  • You might install such a program through your e-mail, especially by opening a malicious attachment.
  • You might use a USB key in a computer that is infected, and transmit the infection to your own computer.

Some ways to protect yourself against malware include:

  • Use the principle of least privilege. If you surf the web with an administrator account, it is easier for bad things to install themselves on your system. Keep separate accounts for daily tasks (e-mail, web surfing, games) and administration tasks (running software updates, installing programs).
  • Be careful about what you install. Be especially careful about fake antivirus programs that pop up in your web browser, screaming that you have a virus. If you install them then you will be installing malware, not getting rid of it.
  • Keep your software legal and up to date. Some malware exploits flaws in your software to gain access to your computer.
  • Antivirus and antispyware programs can help, but do not put all your faith in them. There are free and legal programs available for personal use: Avast (http://www.avast.com/free-antivirus-download), Microsoft Security Essentials (http://windows.microsoft.com/en-US/windows/products/security-essentials).

Wireless Security

There are a few threats to wireless networking:

  • People might use your wireless and download large amounts of material, resulting in overage charges.
  • People might use your wireless with infected computers, or they might use your wireless for nefarious purposes. This can get you in trouble with your Internet Service Provider (or, in the worst case, the police).
  • People might snoop into communications conducted over your wireless. One notorious program that illustrated such threats was Firesheep (http://codebutler.com/firesheep), which allowed attackers to access websites you had logged into.

Some people deliberately leave their wireless (or parts of their wireless networks) open for other people to use. That is fine, as long as it is intentional and as long as you are aware of the risks.

If you want to protect your wireless networks, here are some (possibly inadequate) tips:

  • Use WPA2 security on your devices with a long (and preferably random) passphrase. Be careful about giving this passphrase to others. “WPA2-Enterprise” security is better than “WPA2-PSK”, but harder to set up.
  • If it is impossible for you to use WPA2 security, you may have to drop down to WPA security. Do not drop down any further.
  • Change the network name (SSID) of your wireless to something uncommon, and preferably something not directly identifiable as you. Using common SSIDs can make attacks easier. For example, see http://www.renderlab.net/projects/WPA-tables/ and http://www.wigle.net/gps/gps/Stat.
  • Since passphrases are cached in computers, change the passphrase if any computer is stolen or compromised.
  • When using wireless, surf using HTTPS websites as much as possible. Browser plugins such as HTTPS Everywhere (https://www.eff.org/https-everywhere) can make this easier.
  • Some routers allow remote access to the configuration screens. Turn this off. If possible, turn off access to the configuration screens from the wireless interface as well.
  • If you use a laptop in public networks such as the library or coffee shops, you may want to activate a firewall on your laptop.
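The passphrase and SSID tips above are connected: WPA2-PSK derives its 256-bit key from the passphrase with PBKDF2-HMAC-SHA1, using the SSID as the salt. The following added example (not part of the original handout; the function names and sample SSIDs are made up here) generates a random passphrase and shows that the same passphrase yields unrelated keys under different SSIDs, so work precomputed against a common SSID does not carry over to an uncommon one.

```python
import hashlib
import math
import secrets
import string

# WPA2-PSK passphrases are 8 to 63 printable ASCII characters.
# Letters and digits only: 62 symbols that are easy to type on any device.
ALPHABET = string.ascii_letters + string.digits


def random_passphrase(length=24):
    """Generate a passphrase from the operating system's secure random source."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters long")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy in a uniformly random passphrase of this length."""
    return length * math.log2(alphabet_size)


def wpa2_pmk(passphrase, ssid):
    """WPA2-PSK master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def key_depends_on_ssid(passphrase, ssid_a, ssid_b):
    """True when the same passphrase gives different keys on the two networks."""
    return wpa2_pmk(passphrase, ssid_a) != wpa2_pmk(passphrase, ssid_b)


if __name__ == "__main__":
    phrase = random_passphrase()
    print("passphrase:", phrase)
    print("entropy   : %.0f bits" % entropy_bits(len(phrase)))
    # Constructed SSIDs: one factory-default style, one uncommon.
    for ssid in ("default", "maple-relay-7431"):
        print("%-17s %s" % (ssid, wpa2_pmk(phrase, ssid).hex()))
```

An uncommon SSID only removes the precomputation shortcut; a short or guessable passphrase is still weak, which is why the length and randomness matter more.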

Here are some things that people sometimes advise, but which are now considered next to useless:

  • WEP encryption is an old wireless encryption standard. It is easily broken.
  • Hiding your network identifier (SSID) by not broadcasting it does not help since your SSID is encoded in traffic you send to your wireless router.
  • Filtering by MAC address (a unique identifier on network cards) is not helpful because MAC addresses are easy to spoof.

Data Theft and Loss

It is easy to get carried away thinking about hackers and viruses. There are many mundane ways in which your data could be under threat:

  • Lightning strikes could destroy your hard drives
  • Your computer or hard drives could crash or fail
  • Your computer could be lost or stolen, especially if it is portable
  • Your computer could be confiscated by the police or another authority
  • You could accidentally delete files that you still care about

The damage that can be done varies as well:

  • You could lose access to your data
  • Other people could access your data

Losing data is usually a bigger threat. Everybody knows that they are supposed to do backups, but do you actually perform them?

Ideally, you would like your backups to be:

  • Automated so you don’t have to remember to do them
  • Frequent so if your system does go down then you will not lose much data you care about
  • Stored offsite so that if your computer gets damaged your backups will not be damaged at the same time
  • Robust so that a small error in your backup does not mean you lose all your data
  • Secure so that data you would like to keep confidential will not be “leaked” via your backups
  • Historically thorough so that you can restore files created long ago
  • Recoverable even if you lose your computer system. Ideally you should be able to restore files on a completely different system.

These ideals often conflict with each other.

For a longer discussion of backups, refer to Session 7 of the Linux Literacy course.

Creative Commons Licence
This work by KW Freeskool is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.
