Guidelines for Publishing Information Online

Why is it important to remember that the Internet public?

Because the Internet is so accessible and contains a wealth of information, it has become a popular resource for communicating, for researching topics, and for finding information about people. It may seem less intimidating than actually interacting with other people because there is a sense of anonymity. However, you are not really anonymous when you are online, and it is just as easy for people to find information about you as it is for you to find information about them. Unfortunately, many people have become so familiar and comfortable with the Internet that they may adopt practices that make them vulnerable. For example, although people are typically wary of sharing personal information with strangers they meet on the street, they may not hesitate to post that same information online. Once it is online, it can be accessed by a world of strangers, and you have no idea what they might do with that information.

What guidelines can you follow when publishing information on the Internet?

  • View the Internet as a novel, not a diary – Make sure you are comfortable with anyone seeing the information you put online. Expect that people you have never met will find your page; even if you are keeping an online journal or blog, write it with the expectation that it is available for public consumption. Some sites may use passwords or other security restrictions to protect the information, but these methods are not usually used for most websites. If you want the information to be private or restricted to a small, select group of people, the Internet is probably not the best forum.
  • Be careful what you advertise – In the past, it was difficult to find information about people other than their phone numbers or address. Now, an increasing amount of personal information is available online, especially because people are creating personal web pages with information about themselves. When deciding how much information to reveal, realize that you are broadcasting it to the world. Supplying your email address may increase the amount of spam you receive (see Reducing Spam for more information). Providing details about your hobbies, your job, your family and friends, and your past may give attackers enough information to perform a successful social engineering attack (see Avoiding Social Engineering and Phishing Attacks for more information).
  • Realize that you can’t take it back – Once you publish something online, it is available to other people and to search engines. You can change or remove information after something has been published, but it is possible that someone has already seen the original version. Even if you try to remove the page(s) from the Internet, someone may have saved a copy of the page or used excerpts in another source. Some search engines “cache” copies of web pages; these cached copies may be available after a web page has been deleted or altered. Some web browsers may also maintain a cache of the web pages a user has visited, so the original version may be stored in a temporary file on the user’s computer. Think about these implications before publishing information—once something is out there, you can’t guarantee that you can completely remove it.

As a general practice, let your common sense guide your decisions about what to post online. Before you publish something on the Internet, determine what value it provides and consider the implications of having the information available to the public. Identity theft is an increasing problem, and the more information an attacker can gather about you, the easier it is to pretend to be you. Behave online the way you would behave in your daily life, especially when it involves taking precautions to protect yourself.

Authors

Mindi McDowell, Matt Lytle, and Jason Rafail

Posted in Computer Security, Cyber Security, G7 Security, Information Security, isecurity, Risk Management Strategies, Software Security Risks, Technology | Tagged , , , , , , , , , , , , | Leave a comment

Protecting Your Privacy

How do you know if your privacy is being protected?

  • Privacy policy – Before submitting your name, email address, or other personal information on a website, look for the site’s privacy policy. This policy should state how the information will be used and whether or not the information will be distributed to other organizations. Companies sometimes share information with partner vendors who offer related products or may offer options to subscribe to particular mailing lists. Look for indications that you are being added to mailing lists by default—failing to deselect those options may lead to unwanted spam. If you cannot find a privacy policy on a website, consider contacting the company to inquire about the policy before you submit personal information, or find an alternate site. Privacy policies sometimes change, so you may want to review them periodically.
  • Evidence that your information is being encrypted – To protect attackers from hijacking your information, any personal information submitted online should be encrypted so that it can only be read by the appropriate recipient. Many sites use SSL, or secure sockets layer, to encrypt information. Indications that your information will be encrypted include a URL that begins with “https:” instead of “http:” and a lock icon in the bottom right corner of the window (see Understanding Web Site Certificates for more information). Some sites also indicate whether the data is encrypted when it is stored. If data is encrypted in transit but stored insecurely, an attacker who is able to break into the vendor’s system could access your personal information.

What additional steps can you take to protect your privacy?

  • Do business with credible companies – Before supplying any information online, consider the answers to the following questions: do you trust the business? is it an established organization with a credible reputation? does the information on the site suggest that there is a concern for the privacy of user information? is there legitimate contact information provided?
  • Do not use your primary email address in online submissions – Submitting your email address could result in spam. If you do not want your primary email account flooded with unwanted messages, consider opening an additional email account for use online (see Reducing Spam for more information). Make sure to log in to the account on a regular basis in case the vendor sends information about changes to policies.
  • Avoid submitting credit card information online – Some companies offer a phone number you can use to provide your credit card information. Although this does not guarantee that the information will not be compromised, it eliminates the possibility that attackers will be able to hijack it during the submission process.
  • Devote one credit card to online purchases – To minimize the potential damage of an attacker gaining access to your credit card information, consider opening a credit card account for use only online. Keep a minimum credit line on the account to limit the amount of charges an attacker can accumulate.
  • Avoid using debit cards for online purchases – Credit cards usually offer some protection against identity theft and may limit the monetary amount you will be responsible for paying. Debit cards, however, do not offer that protection. Because the charges are immediately deducted from your account, an attacker who obtains your account information may empty your bank account before you even realize it.
  • Take advantage of options to limit exposure of private information – Default options on certain websites may be chosen for convenience, not for security. For example, avoid allowing a website to remember your password. If your password is stored, your profile and any account information you have provided on that site is readily available if an attacker gains access to your computer. Also, evaluate your settings on websites used for social networking. The nature of those sites is to share information, but you can restrict access to certain information so that you limit who can see what (see Staying Safe on Social Network Sites for more information).

Author

US-CERT Publications

Posted in Computer Security, Cyber Security, G7 Security, isecurity, Uncategorized | Tagged , , , , | Leave a comment

Understanding Your Computer: Operating Systems

What is an operating system?

An operating system (OS) is the main program on a computer. It performs a variety of functions, including

  • determining what types of software you can install
  • coordinating the applications running on the computer at any given time
  • making sure that individual pieces of hardware, such as printers, keyboards, and disk drives, all communicate properly
  • allowing applications such as word processors, email clients, and web browsers to perform tasks on the system (e.g., drawing windows on the screen, opening files, communicating on a network) and use other system resources (e.g., printers, disk drives)
  • reporting error messages

The OS also determines how you see information and perform tasks. Most operating systems use a graphical user interface (GUI), which presents information through pictures (icons, buttons, dialog boxes, etc.) as well as words. Some operating systems can rely more heavily on textual interfaces than others.

How do you choose an operating system?

In very simplistic terms, when you choose to buy a computer, you are usually also choosing an operating system. Although you may change it, vendors typically ship computers with a particular operating system. There are multiple operating systems, each with different features and benefits, but the following three are the most common:

  • Windows – Windows, with versions including Windows XP, Windows Vista, and Windows 7, is the most common operating system for home users. It is produced by Microsoft and is typically included on machines purchased in electronics stores or from vendors such as Dell or Gateway. The Windows OS uses a GUI, which many users find more appealing and easier to use than text-based interfaces.
  • Mac OS X – Produced by Apple, Mac OS X is the operating system used on Macintosh computers. Although it uses a different GUI, it is conceptually similar to the Windows interface in the way it operates.
  • Linux and other UNIX-derived operating systems – Linux and other systems derived from the UNIX operating system are frequently used for specialized workstations and servers, such as web and email servers. Because they are often more difficult for general users or require specialized knowledge and skills to operate, they are less popular with home users than the other options. However, as they continue to develop and become easier to use, they may become more popular on typical home user systems.

Authors

Mindi McDowell and Chad Dougherty

Posted in Computer Security, Cyber Security, G7 Security, Information Security, isecurity, Network Security | Tagged , , , , | Leave a comment

Risks of File-Sharing Technology

What is file sharing?

File sharing involves using technology that allows internet users to share files that are housed on their individual computers. Peer-to-peer (P2P) applications, such as those used to share music files, are some of the most common forms of file-sharing technology. However, P2P applications introduce security risks that may put your information or your computer in jeopardy.

What risks does file-sharing technology introduce?

  • Installation of malicious code – When you use P2P applications, it is difficult, if not impossible, to verify that the source of the files is trustworthy. These applications are often used by attackers to transmit malicious code. Attackers may incorporate spyware, viruses, Trojan horses, or worms into the files. When you download the files, your computer becomes infected (see Recognizing and Avoiding Spyware and Recovering from Viruses, Worms, and Trojan Horses for more information).
  • Exposure of sensitive or personal information – By using P2P applications, you may be giving other users access to personal information. Whether it’s because certain directories are accessible or because you provide personal information to what you believe to be a trusted person or organization, unauthorized people may be able to access your financial or medical data, personal documents, sensitive corporate information, or other personal information. Once information has been exposed to unauthorized people, it’s difficult to know how many people have accessed it. The availability of this information may increase your risk of identity theft (see Protecting Your Privacy and Avoiding Social Engineering and Phishing Attacks for more information).
  • Susceptibility to attack – Some P2P applications may ask you to open certain ports on your firewall to transmit the files. However, opening some of these ports may give attackers access to your computer or enable them to attack your computer by taking advantage of any vulnerabilities that may exist in the P2P application. There are some P2P applications that can modify and penetrate firewalls themselves, without your knowledge.
  • Denial of service – Downloading files causes a significant amount of traffic over the network. This activity may reduce the availability of certain programs on your computer or may limit your access to the internet (see Understanding Denial-of-Service Attacks for more information).
  • Prosecution – Files shared through P2P applications may include pirated software, copyrighted material, or pornography. If you download these, even unknowingly, you may be faced with fines or other legal action. If your computer is on a company network and exposes customer information, both you and your company may be liable.

How can you minimize these risks?

The best way to eliminate these risks is to avoid using P2P applications. However, if you choose to use this technology, you can follow some good security practices to minimize your risk:

  • use and maintain anti-virus software – Anti-virus software recognizes and protects your computer against most known viruses. However, attackers are continually writing new viruses, so it is important to keep your anti-virus software current (see Understanding Anti-Virus Software for more information).
  • install or enable a firewall – Firewalls may be able to prevent some types of infection by blocking malicious traffic before it can enter your computer (seeUnderstanding Firewalls for more information). Some operating systems actually include a firewall, but you need to make sure it is enabled.

Authors

Mindi McDowell, Brent Wrisley, and Will Dormann

Posted in Computer Security, Cyber Security, G7 Security, Information Security, isecurity, Network Security, Risk Management Strategies, Software Security Risks, Technology | Tagged , , , , , , , | Leave a comment

Understanding Voice over Internet Protocol (VoIP)

What is voice over Internet protocol (VoIP)?

Voice over Internet protocol (VoIP), also known as IP telephony, allows you to use your Internet connection to make telephone calls. Instead of relying on an analog line like traditional telephones, VoIP uses digital technology and requires a high-speed broadband connection such as DSL or cable. There are a variety of providers who offer VoIP, and they offer different services. The most common application of VoIP for personal or home use is Internet-based phone services that rely on a telephone switch. With this application, you will still have a phone number, will still dial phone numbers, and will usually have an adapter that allows you to use a regular telephone. The person you are calling will not likely notice a difference from a traditional phone call. Some service providers also offer the ability to use your VoIP adapter any place you have a high-speed Internet connection, allowing you to take it with you when you travel.

What are the security implications of VoIP?

Because VoIP relies on your Internet connection, it may be vulnerable to many of the same problems that face your computer and even some that are specific to VoIP technology. Attackers may be able to perform activities such as intercepting your communications, eavesdropping, taking control of your phone, making fraudulent calls from your account, conducting effective phishing attacks by manipulating your caller ID, and causing your service to crash (see Avoiding Social Engineering and Phishing Attacks and Understanding Denial-of-Service Attacks for more information). Activities that consume a large amount of network resources, like large file downloads, online gaming, and streaming multimedia, may affect your VoIP service.

There are also inherent problems to routing your telephone over your broadband connection. Unlike traditional telephone lines, which operate despite an electrical outage, if you lose power, your VoIP may be unavailable. VoIP services may also introduce problems for location-dependent systems such as home security systems or emergency numbers such as 911.

How can you protect yourself?

  • Keep software up to date – If the vendor releases updates for the software operating your device, install them as soon as possible. Installing them will prevent attackers from being able to take advantage of known problems or vulnerabilities (see Understanding Patches for more information).
  • Use and maintain anti-virus software – Anti-virus software recognizes and protects your computer against most known viruses. However, attackers are continually writing new viruses, so it is important to keep your anti-virus software current (see Understanding Anti-Virus Software for more information).
  • Take advantage of security options – Some service providers may offer encryption as one of their services. If you are concerned about privacy and confidentiality, you may want to consider this and other available options.
  • Install or enable a firewall – Firewalls may be able to prevent some types of infection by blocking malicious traffic before it can enter your computer (seeUnderstanding Firewalls for more information). Some operating systems actually include a firewall, but you need to make sure it is enabled.
  • Evaluate your security settings – Both your computer and your VoIP equipment/software offer a variety of features that you can tailor to meet your needs and requirements. However, enabling certain features may leave you more vulnerable to being attacked, so disable any unnecessary features. Examine your settings, particularly the security settings, and select options that meet your needs without putting you at increased risk.

Additional information

Author

Mindi McDowell

Posted in Computer Security, Cyber Security, G7 Security, Information Security, isecurity, Network Security, Software Security Risks | Tagged , , , , , , | Leave a comment

Browsing Safely: Understanding Active Content and Cookies

What is active content?

To increase functionality or add design embellishments, web sites often rely on scripts that execute programs within the web browser. This active content can be used to create “splash pages” or options like drop-down menus. Unfortunately, these scripts are often a way for attackers to download or execute malicious code on a user’s computer.

  • JavaScript – JavaScript is just one of many web scripts (other examples are VBScript, ECMAScript, and JScript) and is probably the most recognized. Used on almost every web site now, JavaScript and other scripts are popular because users expect the functionality and “look” that it provides, and it’s easy to incorporate (many common software programs for building web sites have the capability to add JavaScript features with little effort or knowledge required of the user). However, because of these reasons, attackers can manipulate it to their own purposes. A popular type of attack that relies on JavaScript involves redirecting users from a legitimate web site to a malicious one that may download viruses or collect personal information.
  • Java and ActiveX controls – Different from JavaScript, Java and ActiveX controls are actual programs that reside on your computer or can be downloaded over the network into your browser. If executed by attackers, untrustworthy ActiveX controls may be able to do anything on your computer that you can do (such as running spyware and collecting personal information, connecting to other computers, and potentially doing other damage). Java applets usually run in a more restricted environment, but if that environment isn’t secure, then malicious Java applets may create opportunities for attack as well.

JavaScript and other forms of active content are not always dangerous, but they are common tools for attackers. You can prevent active content from running in most browsers, but realize that the added security may limit functionality and break features of some sites you visit. Before clicking on a link to a web site that you are not familiar with or do not trust, take the precaution of disabling active content.

These same risks may also apply to the email program you use. Many email clients use the same programs as web browsers to display HTML, so vulnerabilities that affect active content like JavaScript and ActiveX often apply to email. Viewing messages as plain text may resolve this problem.

What are cookies?

When you browse the Internet, information about your computer may be collected and stored. This information might be general information about your computer (such as IP address, the domain you used to connect (e.g., .edu, .com, .net), and the type of browser you used). It might also be more specific information about your browsing habits (such as the last time you visited a particular web site or your personal preferences for viewing that site).

Cookies can be saved for varying lengths of time:

  • Session cookies – Session cookies store information only as long as you’re using the browser; once you close the browser, the information is erased. The primary purpose of session cookies is to help with navigation, such as by indicating whether or not you’ve already visited a particular page and retaining information about your preferences once you’ve visited a page.
  • Persistent cookies – Persistent cookies are stored on your computer so that your personal preferences can be retained. In most browsers, you can adjust the length of time that persistent cookies are stored. It is because of these cookies that your email address appears by default when you open your Yahoo! or Hotmail email account, or your personalized home page appears when you visit your favorite online merchant. If an attacker gains access to your computer, he or she may be able to gather personal information about you through these files.

To increase your level of security, consider adjusting your privacy and security settings to block or limit cookies in your web browser (see Evaluating Your Web Browser’s Security Settings for more information). To make sure that other sites are not collecting personal information about you without your knowledge, choose to only allow cookies for the web site you are visiting; block or limit cookies from a third-party. If you are using a public computer, you should make sure that cookies are disabled to prevent other people from accessing or using your personal information.

Author

Mindi McDowell

Posted in Computer Security, Cyber Security, G7 Security, Information Security, Network Security, Software Security Risks | Tagged , , , , , , , | Leave a comment

Evaluating Your Web Browser’s Security Settings

Why are security settings for web browsers important?

Your web browser is your primary connection to the rest of the internet, and multiple applications may rely on your browser, or elements within your browser, to function. This makes the security settings within your browser even more important. Many web applications try to enhance your browsing experience by enabling different types of functionality, but this functionality might be unnecessary and may leave you susceptible to being attacked. The safest policy is to disable the majority of those features unless you decide they are necessary. If you determine that a site is trustworthy, you can choose to enable the functionality temporarily and then disable it once you are finished visiting the site.

Where can you find the settings?

Each web browser is different, so you may have to look around. For example, in Internet Explorer, you can find them by clicking Tools on your menu bar, selecting Internet Options…, choosing the Security tab, and clicking the Custom Level… button. However, in Firefox, you click Tools on the menu bar and select Options…. Click the Content, Privacy, and Security tabs to explore the basic security options. Browsers have different security options and configurations, so familiarize yourself with the menu options, check the help feature, or refer to the vendor’s web site.

While every application has settings that are selected by default, you may discover that your browser also has predefined security levels that you can select. For example, Internet Explorer offers custom settings that allow you to select a particular level of security; features are enabled or disabled based on your selection. Even with these guides, it is helpful to have an understanding of what the different terms mean so that you can evaluate the features to determine which settings are appropriate for you.

How do you know what your settings should be?

Ideally, you would set your security for the highest level possible. However, restricting certain features may limit some web pages from loading or functioning properly. The best approach is to adopt the highest level of security and only enable features when you require their functionality.

What do the different terms mean?

Different browsers use different terms, but here are some terms and options you may find:

  • Zones – Your browser may give you the option of putting web sites into different segments, or zones, and allow you to define different security restrictions for each zone.For example, Internet Explorer identifies the following zones:
    • Internet – This is the general zone for all public web sites. When you browse the internet, the settings for this zone are automatically applied to the sites you visit. To give you the best protection as you browse, you should set the security to the highest level; at the very least, you should maintain a medium level.
    • Local intranet – If you are in an office setting that has its own intranet, this zone contains those internal pages. Because the web content is maintained on an internal web server, it is usually safe to have less restrictive settings for these pages. However, some viruses have tapped into this zone, so be aware of what sites are listed and what privileges they are being given.
    • Trusted sites – If you believe that certain sites are designed with security in mind, and you feel that content from the site can be trusted not to contain malicious materials, you can add them to your trusted sites and apply settings accordingly. You may also require that only sites that implement Secure Sockets Layer (SSL) can be active in this zone. This permits you to verify that the site you are visiting is the site that it claims to be (see Protecting Your Privacy and Understanding Web Site Certificates for more information). This is an optional zone but may be useful if you personally maintain multiple web sites or if your organization has multiple sites. Even if you trust them, avoid applying low security levels to external sites—if they are attacked, you might also become a victim.
    • Restricted sites – If there are particular sites you think might not be safe, you can identify them and define heightened security settings. Because the security settings may not be enough to protect you, the best precaution is to avoid navigating to any sites that make you question whether or not they’re safe.
  • JavaScript – Some web sites rely on web scripts such as JavaScript to achieve a certain appearance or functionality, but these scripts may be used in attacks (see Browsing Safely: Understanding Active Content and Cookies for more information).
  • Java and ActiveX controls – These programs are used to develop or execute active content that provides some functionality, but they may put you at risk (see Browsing Safely: Understanding Active Content and Cookies for more information).
  • Plug-ins – Sometimes browsers require the installation of additional software known as plug-ins to provide additional functionality. Like Java and ActiveX controls, plug-ins may be used in an attack, so before installing them, make sure that they are necessary and that the site you have to download them from is trustworthy.

You may also find options that allow you to take the following security measures:

  • Manage cookies – You can disable, restrict, or allow cookies as appropriate. Generally, it is best to disable cookies and then enable them if you visit a site you trust that requires them (see Browsing Safely: Understanding Active Content and Cookies for more information).
  • Block pop-up windows – Although turning this feature on could restrict the functionality of certain web sites, it will also minimize the number of pop-up ads you receive, some of which may be malicious (see Recognizing and Avoiding Spyware for more information).

Authors

Mindi McDowell and Jason Rafail

Posted in Computer Security, Cyber Security, G7 Security, Information Security, Software Security Risks, Uncategorized | Tagged , , , , , , , | Leave a comment