Guidelines for Publishing Information Online

Why is it important to remember that the Internet public?

Because the Internet is so accessible and contains a wealth of information, it has become a popular resource for communicating, for researching topics, and for finding information about people. It may seem less intimidating than actually interacting with other people because there is a sense of anonymity. However, you are not really anonymous when you are online, and it is just as easy for people to find information about you as it is for you to find information about them. Unfortunately, many people have become so familiar and comfortable with the Internet that they may adopt practices that make them vulnerable. For example, although people are typically wary of sharing personal information with strangers they meet on the street, they may not hesitate to post that same information online. Once it is online, it can be accessed by a world of strangers, and you have no idea what they might do with that information.

What guidelines can you follow when publishing information on the Internet?

  • View the Internet as a novel, not a diary – Make sure you are comfortable with anyone seeing the information you put online. Expect that people you have never met will find your page; even if you are keeping an online journal or blog, write it with the expectation that it is available for public consumption. Some sites may use passwords or other security restrictions to protect the information, but these methods are not usually used for most websites. If you want the information to be private or restricted to a small, select group of people, the Internet is probably not the best forum.
  • Be careful what you advertise – In the past, it was difficult to find information about people other than their phone numbers or address. Now, an increasing amount of personal information is available online, especially because people are creating personal web pages with information about themselves. When deciding how much information to reveal, realize that you are broadcasting it to the world. Supplying your email address may increase the amount of spam you receive (see Reducing Spam for more information). Providing details about your hobbies, your job, your family and friends, and your past may give attackers enough information to perform a successful social engineering attack (see Avoiding Social Engineering and Phishing Attacks for more information).
  • Realize that you can’t take it back – Once you publish something online, it is available to other people and to search engines. You can change or remove information after something has been published, but it is possible that someone has already seen the original version. Even if you try to remove the page(s) from the Internet, someone may have saved a copy of the page or used excerpts in another source. Some search engines “cache” copies of web pages; these cached copies may be available after a web page has been deleted or altered. Some web browsers may also maintain a cache of the web pages a user has visited, so the original version may be stored in a temporary file on the user’s computer. Think about these implications before publishing information—once something is out there, you can’t guarantee that you can completely remove it.

As a general practice, let your common sense guide your decisions about what to post online. Before you publish something on the Internet, determine what value it provides and consider the implications of having the information available to the public. Identity theft is an increasing problem, and the more information an attacker can gather about you, the easier it is to pretend to be you. Behave online the way you would behave in your daily life, especially when it involves taking precautions to protect yourself.

Authors

Mindi McDowell, Matt Lytle, and Jason Rafail

Posted in Computer Security, Cyber Security, G7 Security, Information Security, isecurity, Risk Management Strategies, Software Security Risks, Technology | Tagged , , , , , , , , , , , , | Leave a comment

Protecting Your Privacy

How do you know if your privacy is being protected?

  • Privacy policy – Before submitting your name, email address, or other personal information on a website, look for the site’s privacy policy. This policy should state how the information will be used and whether or not the information will be distributed to other organizations. Companies sometimes share information with partner vendors who offer related products or may offer options to subscribe to particular mailing lists. Look for indications that you are being added to mailing lists by default—failing to deselect those options may lead to unwanted spam. If you cannot find a privacy policy on a website, consider contacting the company to inquire about the policy before you submit personal information, or find an alternate site. Privacy policies sometimes change, so you may want to review them periodically.
  • Evidence that your information is being encrypted – To protect attackers from hijacking your information, any personal information submitted online should be encrypted so that it can only be read by the appropriate recipient. Many sites use SSL, or secure sockets layer, to encrypt information. Indications that your information will be encrypted include a URL that begins with “https:” instead of “http:” and a lock icon in the bottom right corner of the window (see Understanding Web Site Certificates for more information). Some sites also indicate whether the data is encrypted when it is stored. If data is encrypted in transit but stored insecurely, an attacker who is able to break into the vendor’s system could access your personal information.

What additional steps can you take to protect your privacy?

  • Do business with credible companies – Before supplying any information online, consider the answers to the following questions: do you trust the business? is it an established organization with a credible reputation? does the information on the site suggest that there is a concern for the privacy of user information? is there legitimate contact information provided?
  • Do not use your primary email address in online submissions – Submitting your email address could result in spam. If you do not want your primary email account flooded with unwanted messages, consider opening an additional email account for use online (see Reducing Spam for more information). Make sure to log in to the account on a regular basis in case the vendor sends information about changes to policies.
  • Avoid submitting credit card information online – Some companies offer a phone number you can use to provide your credit card information. Although this does not guarantee that the information will not be compromised, it eliminates the possibility that attackers will be able to hijack it during the submission process.
  • Devote one credit card to online purchases – To minimize the potential damage of an attacker gaining access to your credit card information, consider opening a credit card account for use only online. Keep a minimum credit line on the account to limit the amount of charges an attacker can accumulate.
  • Avoid using debit cards for online purchases – Credit cards usually offer some protection against identity theft and may limit the monetary amount you will be responsible for paying. Debit cards, however, do not offer that protection. Because the charges are immediately deducted from your account, an attacker who obtains your account information may empty your bank account before you even realize it.
  • Take advantage of options to limit exposure of private information – Default options on certain websites may be chosen for convenience, not for security. For example, avoid allowing a website to remember your password. If your password is stored, your profile and any account information you have provided on that site is readily available if an attacker gains access to your computer. Also, evaluate your settings on websites used for social networking. The nature of those sites is to share information, but you can restrict access to certain information so that you limit who can see what (see Staying Safe on Social Network Sites for more information).

Author

US-CERT Publications

Posted in Computer Security, Cyber Security, G7 Security, isecurity, Uncategorized | Tagged , , , , | Leave a comment

Understanding Your Computer: Operating Systems

What is an operating system?

An operating system (OS) is the main program on a computer. It performs a variety of functions, including

  • determining what types of software you can install
  • coordinating the applications running on the computer at any given time
  • making sure that individual pieces of hardware, such as printers, keyboards, and disk drives, all communicate properly
  • allowing applications such as word processors, email clients, and web browsers to perform tasks on the system (e.g., drawing windows on the screen, opening files, communicating on a network) and use other system resources (e.g., printers, disk drives)
  • reporting error messages

The OS also determines how you see information and perform tasks. Most operating systems use a graphical user interface (GUI), which presents information through pictures (icons, buttons, dialog boxes, etc.) as well as words. Some operating systems can rely more heavily on textual interfaces than others.

How do you choose an operating system?

In very simplistic terms, when you choose to buy a computer, you are usually also choosing an operating system. Although you may change it, vendors typically ship computers with a particular operating system. There are multiple operating systems, each with different features and benefits, but the following three are the most common:

  • Windows – Windows, with versions including Windows XP, Windows Vista, and Windows 7, is the most common operating system for home users. It is produced by Microsoft and is typically included on machines purchased in electronics stores or from vendors such as Dell or Gateway. The Windows OS uses a GUI, which many users find more appealing and easier to use than text-based interfaces.
  • Mac OS X – Produced by Apple, Mac OS X is the operating system used on Macintosh computers. Although it uses a different GUI, it is conceptually similar to the Windows interface in the way it operates.
  • Linux and other UNIX-derived operating systems – Linux and other systems derived from the UNIX operating system are frequently used for specialized workstations and servers, such as web and email servers. Because they are often more difficult for general users or require specialized knowledge and skills to operate, they are less popular with home users than the other options. However, as they continue to develop and become easier to use, they may become more popular on typical home user systems.

Authors

Mindi McDowell and Chad Dougherty

Posted in Computer Security, Cyber Security, G7 Security, Information Security, isecurity, Network Security | Tagged , , , , | Leave a comment

Risks of File-Sharing Technology

What is file sharing?

File sharing involves using technology that allows internet users to share files that are housed on their individual computers. Peer-to-peer (P2P) applications, such as those used to share music files, are some of the most common forms of file-sharing technology. However, P2P applications introduce security risks that may put your information or your computer in jeopardy.

What risks does file-sharing technology introduce?

  • Installation of malicious code – When you use P2P applications, it is difficult, if not impossible, to verify that the source of the files is trustworthy. These applications are often used by attackers to transmit malicious code. Attackers may incorporate spyware, viruses, Trojan horses, or worms into the files. When you download the files, your computer becomes infected (see Recognizing and Avoiding Spyware and Recovering from Viruses, Worms, and Trojan Horses for more information).
  • Exposure of sensitive or personal information – By using P2P applications, you may be giving other users access to personal information. Whether it’s because certain directories are accessible or because you provide personal information to what you believe to be a trusted person or organization, unauthorized people may be able to access your financial or medical data, personal documents, sensitive corporate information, or other personal information. Once information has been exposed to unauthorized people, it’s difficult to know how many people have accessed it. The availability of this information may increase your risk of identity theft (see Protecting Your Privacy and Avoiding Social Engineering and Phishing Attacks for more information).
  • Susceptibility to attack – Some P2P applications may ask you to open certain ports on your firewall to transmit the files. However, opening some of these ports may give attackers access to your computer or enable them to attack your computer by taking advantage of any vulnerabilities that may exist in the P2P application. There are some P2P applications that can modify and penetrate firewalls themselves, without your knowledge.
  • Denial of service – Downloading files causes a significant amount of traffic over the network. This activity may reduce the availability of certain programs on your computer or may limit your access to the internet (see Understanding Denial-of-Service Attacks for more information).
  • Prosecution – Files shared through P2P applications may include pirated software, copyrighted material, or pornography. If you download these, even unknowingly, you may be faced with fines or other legal action. If your computer is on a company network and exposes customer information, both you and your company may be liable.

How can you minimize these risks?

The best way to eliminate these risks is to avoid using P2P applications. However, if you choose to use this technology, you can follow some good security practices to minimize your risk:

  • use and maintain anti-virus software – Anti-virus software recognizes and protects your computer against most known viruses. However, attackers are continually writing new viruses, so it is important to keep your anti-virus software current (see Understanding Anti-Virus Software for more information).
  • install or enable a firewall – Firewalls may be able to prevent some types of infection by blocking malicious traffic before it can enter your computer (seeUnderstanding Firewalls for more information). Some operating systems actually include a firewall, but you need to make sure it is enabled.

Authors

Mindi McDowell, Brent Wrisley, and Will Dormann

Posted in Computer Security, Cyber Security, G7 Security, Information Security, isecurity, Network Security, Risk Management Strategies, Software Security Risks, Technology | Tagged , , , , , , , | Leave a comment

Understanding Voice over Internet Protocol (VoIP)

What is voice over Internet protocol (VoIP)?

Voice over Internet protocol (VoIP), also known as IP telephony, allows you to use your Internet connection to make telephone calls. Instead of relying on an analog line like traditional telephones, VoIP uses digital technology and requires a high-speed broadband connection such as DSL or cable. There are a variety of providers who offer VoIP, and they offer different services. The most common application of VoIP for personal or home use is Internet-based phone services that rely on a telephone switch. With this application, you will still have a phone number, will still dial phone numbers, and will usually have an adapter that allows you to use a regular telephone. The person you are calling will not likely notice a difference from a traditional phone call. Some service providers also offer the ability to use your VoIP adapter any place you have a high-speed Internet connection, allowing you to take it with you when you travel.

What are the security implications of VoIP?

Because VoIP relies on your Internet connection, it may be vulnerable to many of the same problems that face your computer and even some that are specific to VoIP technology. Attackers may be able to perform activities such as intercepting your communications, eavesdropping, taking control of your phone, making fraudulent calls from your account, conducting effective phishing attacks by manipulating your caller ID, and causing your service to crash (see Avoiding Social Engineering and Phishing Attacks and Understanding Denial-of-Service Attacks for more information). Activities that consume a large amount of network resources, like large file downloads, online gaming, and streaming multimedia, may affect your VoIP service.

There are also inherent problems to routing your telephone over your broadband connection. Unlike traditional telephone lines, which operate despite an electrical outage, if you lose power, your VoIP may be unavailable. VoIP services may also introduce problems for location-dependent systems such as home security systems or emergency numbers such as 911.

How can you protect yourself?

  • Keep software up to date – If the vendor releases updates for the software operating your device, install them as soon as possible. Installing them will prevent attackers from being able to take advantage of known problems or vulnerabilities (see Understanding Patches for more information).
  • Use and maintain anti-virus software – Anti-virus software recognizes and protects your computer against most known viruses. However, attackers are continually writing new viruses, so it is important to keep your anti-virus software current (see Understanding Anti-Virus Software for more information).
  • Take advantage of security options – Some service providers may offer encryption as one of their services. If you are concerned about privacy and confidentiality, you may want to consider this and other available options.
  • Install or enable a firewall – Firewalls may be able to prevent some types of infection by blocking malicious traffic before it can enter your computer (seeUnderstanding Firewalls for more information). Some operating systems actually include a firewall, but you need to make sure it is enabled.
  • Evaluate your security settings – Both your computer and your VoIP equipment/software offer a variety of features that you can tailor to meet your needs and requirements. However, enabling certain features may leave you more vulnerable to being attacked, so disable any unnecessary features. Examine your settings, particularly the security settings, and select options that meet your needs without putting you at increased risk.

Additional information

Author

Mindi McDowell

Posted in Computer Security, Cyber Security, G7 Security, Information Security, isecurity, Network Security, Software Security Risks | Tagged , , , , , , | Leave a comment

Browsing Safely: Understanding Active Content and Cookies

What is active content?

To increase functionality or add design embellishments, web sites often rely on scripts that execute programs within the web browser. This active content can be used to create “splash pages” or options like drop-down menus. Unfortunately, these scripts are often a way for attackers to download or execute malicious code on a user’s computer.

  • JavaScript – JavaScript is just one of many web scripts (other examples are VBScript, ECMAScript, and JScript) and is probably the most recognized. Used on almost every web site now, JavaScript and other scripts are popular because users expect the functionality and “look” that it provides, and it’s easy to incorporate (many common software programs for building web sites have the capability to add JavaScript features with little effort or knowledge required of the user). However, because of these reasons, attackers can manipulate it to their own purposes. A popular type of attack that relies on JavaScript involves redirecting users from a legitimate web site to a malicious one that may download viruses or collect personal information.
  • Java and ActiveX controls – Different from JavaScript, Java and ActiveX controls are actual programs that reside on your computer or can be downloaded over the network into your browser. If executed by attackers, untrustworthy ActiveX controls may be able to do anything on your computer that you can do (such as running spyware and collecting personal information, connecting to other computers, and potentially doing other damage). Java applets usually run in a more restricted environment, but if that environment isn’t secure, then malicious Java applets may create opportunities for attack as well.

JavaScript and other forms of active content are not always dangerous, but they are common tools for attackers. You can prevent active content from running in most browsers, but realize that the added security may limit functionality and break features of some sites you visit. Before clicking on a link to a web site that you are not familiar with or do not trust, take the precaution of disabling active content.

These same risks may also apply to the email program you use. Many email clients use the same programs as web browsers to display HTML, so vulnerabilities that affect active content like JavaScript and ActiveX often apply to email. Viewing messages as plain text may resolve this problem.

What are cookies?

When you browse the Internet, information about your computer may be collected and stored. This information might be general information about your computer (such as IP address, the domain you used to connect (e.g., .edu, .com, .net), and the type of browser you used). It might also be more specific information about your browsing habits (such as the last time you visited a particular web site or your personal preferences for viewing that site).

Cookies can be saved for varying lengths of time:

  • Session cookies – Session cookies store information only as long as you’re using the browser; once you close the browser, the information is erased. The primary purpose of session cookies is to help with navigation, such as by indicating whether or not you’ve already visited a particular page and retaining information about your preferences once you’ve visited a page.
  • Persistent cookies – Persistent cookies are stored on your computer so that your personal preferences can be retained. In most browsers, you can adjust the length of time that persistent cookies are stored. It is because of these cookies that your email address appears by default when you open your Yahoo! or Hotmail email account, or your personalized home page appears when you visit your favorite online merchant. If an attacker gains access to your computer, he or she may be able to gather personal information about you through these files.

To increase your level of security, consider adjusting your privacy and security settings to block or limit cookies in your web browser (see Evaluating Your Web Browser’s Security Settings for more information). To make sure that other sites are not collecting personal information about you without your knowledge, choose to only allow cookies for the web site you are visiting; block or limit cookies from a third-party. If you are using a public computer, you should make sure that cookies are disabled to prevent other people from accessing or using your personal information.

Author

Mindi McDowell

Posted in Computer Security, Cyber Security, G7 Security, Information Security, Network Security, Software Security Risks | Tagged , , , , , , , | Leave a comment

Evaluating Your Web Browser’s Security Settings

Why are security settings for web browsers important?

Your web browser is your primary connection to the rest of the internet, and multiple applications may rely on your browser, or elements within your browser, to function. This makes the security settings within your browser even more important. Many web applications try to enhance your browsing experience by enabling different types of functionality, but this functionality might be unnecessary and may leave you susceptible to being attacked. The safest policy is to disable the majority of those features unless you decide they are necessary. If you determine that a site is trustworthy, you can choose to enable the functionality temporarily and then disable it once you are finished visiting the site.

Where can you find the settings?

Each web browser is different, so you may have to look around. For example, in Internet Explorer, you can find them by clicking Tools on your menu bar, selecting Internet Options…, choosing the Security tab, and clicking the Custom Level… button. However, in Firefox, you click Tools on the menu bar and select Options…. Click the Content, Privacy, and Security tabs to explore the basic security options. Browsers have different security options and configurations, so familiarize yourself with the menu options, check the help feature, or refer to the vendor’s web site.

While every application has settings that are selected by default, you may discover that your browser also has predefined security levels that you can select. For example, Internet Explorer offers custom settings that allow you to select a particular level of security; features are enabled or disabled based on your selection. Even with these guides, it is helpful to have an understanding of what the different terms mean so that you can evaluate the features to determine which settings are appropriate for you.

How do you know what your settings should be?

Ideally, you would set your security for the highest level possible. However, restricting certain features may limit some web pages from loading or functioning properly. The best approach is to adopt the highest level of security and only enable features when you require their functionality.

What do the different terms mean?

Different browsers use different terms, but here are some terms and options you may find:

  • Zones – Your browser may give you the option of putting web sites into different segments, or zones, and allow you to define different security restrictions for each zone.For example, Internet Explorer identifies the following zones:
    • Internet – This is the general zone for all public web sites. When you browse the internet, the settings for this zone are automatically applied to the sites you visit. To give you the best protection as you browse, you should set the security to the highest level; at the very least, you should maintain a medium level.
    • Local intranet – If you are in an office setting that has its own intranet, this zone contains those internal pages. Because the web content is maintained on an internal web server, it is usually safe to have less restrictive settings for these pages. However, some viruses have tapped into this zone, so be aware of what sites are listed and what privileges they are being given.
    • Trusted sites – If you believe that certain sites are designed with security in mind, and you feel that content from the site can be trusted not to contain malicious materials, you can add them to your trusted sites and apply settings accordingly. You may also require that only sites that implement Secure Sockets Layer (SSL) can be active in this zone. This permits you to verify that the site you are visiting is the site that it claims to be (see Protecting Your Privacy and Understanding Web Site Certificates for more information). This is an optional zone but may be useful if you personally maintain multiple web sites or if your organization has multiple sites. Even if you trust them, avoid applying low security levels to external sites—if they are attacked, you might also become a victim.
    • Restricted sites – If there are particular sites you think might not be safe, you can identify them and define heightened security settings. Because the security settings may not be enough to protect you, the best precaution is to avoid navigating to any sites that make you question whether or not they’re safe.
  • JavaScript – Some web sites rely on web scripts such as JavaScript to achieve a certain appearance or functionality, but these scripts may be used in attacks (see Browsing Safely: Understanding Active Content and Cookies for more information).
  • Java and ActiveX controls – These programs are used to develop or execute active content that provides some functionality, but they may put you at risk (see Browsing Safely: Understanding Active Content and Cookies for more information).
  • Plug-ins – Sometimes browsers require the installation of additional software known as plug-ins to provide additional functionality. Like Java and ActiveX controls, plug-ins may be used in an attack, so before installing them, make sure that they are necessary and that the site you have to download them from is trustworthy.

You may also find options that allow you to take the following security measures:

  • Manage cookies – You can disable, restrict, or allow cookies as appropriate. Generally, it is best to disable cookies and then enable them if you visit a site you trust that requires them (see Browsing Safely: Understanding Active Content and Cookies for more information).
  • Block pop-up windows – Although turning this feature on could restrict the functionality of certain web sites, it will also minimize the number of pop-up ads you receive, some of which may be malicious (see Recognizing and Avoiding Spyware for more information).

Authors

Mindi McDowell and Jason Rafail

Posted in Computer Security, Cyber Security, G7 Security, Information Security, Software Security Risks, Uncategorized | Tagged , , , , , , , | Leave a comment

Understanding Internationalized Domain Names

What are internationalized domain names?

To decrease the amount of confusion surrounding different languages, there is a standard for domain names within web browsers. Domain names are included in the URL (or web address) of web site. This standard is based on the Roman alphabet (which is used by the English language), and computers convert the various letters into numerical equivalents. This code is known as ASCII (American Standard Code for Information Interchange). However, other languages include characters that do not translate into this code, which is why internationalized domain names were introduced.

To compensate for languages that incorporate special characters (such as Spanish, French or German) or rely completely on character representation (such as Asian or Arabic languages), a new system had to be developed. In this new system, the base URL (which is usually the address for the home page) is dissected and converted into a format that is compatible with ASCII. The resulting URL (which contains the string “xn--” as well as a combination of letters and numbers) will appear in your browser’s status bar. In newer versions of many browsers, it will also appear in the address bar.

What are some security concerns?

Attackers may be able to take advantage of internationalized domain names to initiate phishing attacks (see Avoiding Social Engineering and Phishing Attacks for more information). Because there are certain characters that may appear to be the same but have different ASCII codes (for example, the Cyrillic “a” and the Latin “a”), an attacker may be able to “spoof” a web page URL. Instead of going to a legitimate site, you may be directed to a malicious site, which could look identical to the real one. If you submit personal or financial information while on the malicious site, the attacker could collect that information and then use and/or sell it.

How can you protect yourself?

  • Type a URL instead of following a link – Typing a URL into a browser rather than clicking a link within a web page or email message will minimize your risk. By doing this, you are more likely to visit the legitimate site rather than a malicious site that substitutes similar-looking characters.
  • Keep your browser up to date – Older versions of browsers made it easier for attackers to spoof URLs, but most newer browsers incorporate certain protections. Instead of displaying the URL that you “think” you are visiting, most browsers now display the converted URL with the “xn--” string.
  • Check your browser’s status bar – If you move your mouse over a link on a web page, the status bar of your browser will usually display the URL that the link references. If you see a URL that has an unexpected domain name (such as one with the “xn--” string mentioned above), you have likely encountered an internationalized domain name. If you were not expecting an internationalized domain name or know that the legitimate site should not need one, you may want to reconsider visiting the site. Browsers such as Mozilla and Firefox include an option in their security settings about whether to allow the status bar text to be modified. To prevent attackers from taking advantage of JavaScript to make it appear that you are on a legitimate site, you may want to make sure this option is not enabled.

Authors

Mindi McDowell, Will Dormann, and Jason McCormick

Posted in Computer Security, Cyber Security, G7 Security, Information Security, Software Security Risks, Uncategorized | Tagged , , , , , , | Leave a comment

Understanding Your Computer: Web Browsers

How do web browsers work?

A web browser is an application that finds and displays web pages. It coordinates communication between your computer and the web server where a particular website “lives.”

When you open your browser and type in a web address (URL) for a website, the browser submits a request to the server, or servers, that provide the content for that page. The browser then processes the code from the server (written in a language such as HTML, JavaScript, or XML) and loads any other elements (such as Flash, Java, or ActiveX) that are necessary to generate content for the page. After the browser has gathered and processed all of the components, it displays the complete, formatted web page. Every time you perform an action on the page, such as clicking buttons and following links, the browser continues the process of requesting, processing, and presenting content.

How many browsers are there?

There are many different browsers. Most users are familiar with graphical browsers, which display both text and graphics and may also display multimedia elements such as sound or video clips. However, there are also text-based browsers. The following are some well-known browsers:

  • Internet Explorer
  • Firefox
  • AOL
  • Opera
  • Safari – a browser specifically designed for Macintosh computers
  • Lynx – a text-based browser desirable for vision-impaired users because of the availability of special devices that read the text

How do you choose a browser?

A browser is usually included with the installation of your operating system, but you are not restricted to that choice. Some of the factors to consider when deciding which browser best suits your needs include

  • compatibility – Does the browser work with your operating system?
  • security – Do you feel that your browser offers you the level of security you want?
  • ease of use – Are the menus and options easy to understand and use?
  • functionality – Does the browser interpret web content correctly? If you need to install other plug-ins or devices to translate certain types of content, do they work?
  • appeal – Do you find the interface and way the browser interprets web content visually appealing?

Can you have more than one browser installed at the same time?

If you decide to change your browser or add another one, you don’t have to uninstall the browser that’s currently on your computer—you can have more than one browser on your computer at once. However, you will be prompted to choose one as your default browser. Anytime you follow a link in an email message or document, or you double-click a shortcut to a web page on your desktop, the page will open using your default browser. You can manually open the page in another browser.

Most vendors give you the option to download their browsers directly from their websites. Make sure to verify the authenticity of the site before downloading any files. To further minimize risk, follow other good security practices, like using a firewall and keeping anti-virus software up to date (see Understanding Firewalls,Understanding Anti-Virus Software, and other US-CERT Tips for more information).

Author

Mindi McDowell

Posted in Computer Security, Cyber Security, G7 Security, Information Security, Software Security Risks, Uncategorized | Tagged , , , | Leave a comment

Understanding Web Site Certificates

What are web site certificates?

If an organization wants to have a secure web site that uses encryption, it needs to obtain a site, or host, certificate. There are two elements that indicate that a site uses encryption (seeProtecting Your Privacy for more information):

  • a closed padlock, which, depending on your browser, may be located in the status bar at the bottom of your browser window or at the top of the browser window between the address and search fields
  • a URL that begins with “https:” rather than “http:”

By making sure a web site encrypts your information and has a valid certificate, you can help protect yourself against attackers who create malicious sites to gather your information. You want to make sure you know where your information is going before you submit anything (see Avoiding Social Engineering and Phishing Attacks for more information).

If a web site has a valid certificate, it means that a certificate authority has taken steps to verify that the web address actually belongs to that organization. When you type a URL or follow a link to a secure web site, your browser will check the certificate for the following characteristics:

  1. the web site address matches the address on the certificate
  2. the certificate is signed by a certificate authority that the browser recognizes as a “trusted” authority

If the browser senses a problem, it may present you with a dialog box that claims that there is an error with the site certificate. This may happen if the name the certificate is registered to does not match the site name, if you have chosen not to trust the company who issued the certificate, or if the certificate has expired. You will usually be presented with the option to examine the certificate, after which you can accept the certificate forever, accept it only for that particular visit, or choose not to accept it. The confusion is sometimes easy to resolve (perhaps the certificate was issued to a particular department within the organization rather than the name on file). If you are unsure whether the certificate is valid or question the security of the site, do not submit personal information. Even if the information is encrypted, make sure to read the organization’s privacy policy first so that you know what is being done with that information (see Protecting Your Privacy for more information).

Can you trust a certificate?

The level of trust you put in a certificate is connected to how much you trust the organization and the certificate authority. If the web address matches the address on the certificate, the certificate is signed by a trusted certificate authority, and the date is valid, you can be more confident that the site you want to visit is actually the site that you are visiting. However, unless you personally verify that certificate’s unique fingerprint by calling the organization directly, there is no way to be absolutely sure.

When you trust a certificate, you are essentially trusting the certificate authority to verify the organization’s identity for you. However, it is important to realize that certificate authorities vary in how strict they are about validating all of the information in the requests and about making sure that their data is secure. By default, your browser contains a list of more than 100 trusted certificate authorities. That means that, by extension, you are trusting all of those certificate authorities to properly verify and validate the information. Before submitting any personal information, you may want to look at the certificate.

How do you check a certificate?

There are two ways to verify a web site’s certificate in Internet Explorer or Firefox. One option is to click on the padlock icon. However, your browser settings may not be configured to display the status bar that contains the icon. Also, attackers may be able to create malicious web sites that fake a padlock icon and display a false dialog window if you click that icon. A more secure way to find information about the certificate is to look for the certificate feature in the menu options. This information may be under the file properties or the security option within the page information. You will get a dialog box with information about the certificate, including the following:

  • who issued the certificate – You should make sure that the issuer is a legitimate, trusted certificate authority (you may see names like VeriSign, thawte, or Entrust). Some organizations also have their own certificate authorities that they use to issue certificates to internal sites such as intranets.
  • who the certificate is issued to – The certificate should be issued to the organization who owns the web site. Do not trust the certificate if the name on the certificate does not match the name of the organization or person you expect.
  • expiration date – Most certificates are issued for one or two years. One exception is the certificate for the certificate authority itself, which, because of the amount of involvement necessary to distribute the information to all of the organizations who hold its certificates, may be ten years. Be wary of organizations with certificates that are valid for longer than two years or with certificates that have expired.

Authors

Mindi McDowell and Matt Lytle

Posted in Computer Security, Cyber Security, G7 Security, Hacked, Information Security, isecurity, Software Security Risks, Uncategorized | Tagged , , , , , , | Leave a comment