Understanding Internationalized Domain Names

What are internationalized domain names?

To decrease the amount of confusion surrounding different languages, there is a standard for domain names within web browsers. Domain names are included in the URL (or web address) of web site. This standard is based on the Roman alphabet (which is used by the English language), and computers convert the various letters into numerical equivalents. This code is known as ASCII (American Standard Code for Information Interchange). However, other languages include characters that do not translate into this code, which is why internationalized domain names were introduced.

To compensate for languages that incorporate special characters (such as Spanish, French or German) or rely completely on character representation (such as Asian or Arabic languages), a new system had to be developed. In this new system, the base URL (which is usually the address for the home page) is dissected and converted into a format that is compatible with ASCII. The resulting URL (which contains the string “xn--” as well as a combination of letters and numbers) will appear in your browser’s status bar. In newer versions of many browsers, it will also appear in the address bar.

What are some security concerns?

Attackers may be able to take advantage of internationalized domain names to initiate phishing attacks (see Avoiding Social Engineering and Phishing Attacks for more information). Because there are certain characters that may appear to be the same but have different ASCII codes (for example, the Cyrillic “a” and the Latin “a”), an attacker may be able to “spoof” a web page URL. Instead of going to a legitimate site, you may be directed to a malicious site, which could look identical to the real one. If you submit personal or financial information while on the malicious site, the attacker could collect that information and then use and/or sell it.

How can you protect yourself?

  • Type a URL instead of following a link – Typing a URL into a browser rather than clicking a link within a web page or email message will minimize your risk. By doing this, you are more likely to visit the legitimate site rather than a malicious site that substitutes similar-looking characters.
  • Keep your browser up to date – Older versions of browsers made it easier for attackers to spoof URLs, but most newer browsers incorporate certain protections. Instead of displaying the URL that you “think” you are visiting, most browsers now display the converted URL with the “xn--” string.
  • Check your browser’s status bar – If you move your mouse over a link on a web page, the status bar of your browser will usually display the URL that the link references. If you see a URL that has an unexpected domain name (such as one with the “xn--” string mentioned above), you have likely encountered an internationalized domain name. If you were not expecting an internationalized domain name or know that the legitimate site should not need one, you may want to reconsider visiting the site. Browsers such as Mozilla and Firefox include an option in their security settings about whether to allow the status bar text to be modified. To prevent attackers from taking advantage of JavaScript to make it appear that you are on a legitimate site, you may want to make sure this option is not enabled.

Authors

Mindi McDowell, Will Dormann, and Jason McCormick

Advertisements
Posted in Computer Security, Cyber Security, G7 Security, Information Security, Software Security Risks, Uncategorized | Tagged , , , , , , | Leave a comment

Understanding Your Computer: Web Browsers

How do web browsers work?

A web browser is an application that finds and displays web pages. It coordinates communication between your computer and the web server where a particular website “lives.”

When you open your browser and type in a web address (URL) for a website, the browser submits a request to the server, or servers, that provide the content for that page. The browser then processes the code from the server (written in a language such as HTML, JavaScript, or XML) and loads any other elements (such as Flash, Java, or ActiveX) that are necessary to generate content for the page. After the browser has gathered and processed all of the components, it displays the complete, formatted web page. Every time you perform an action on the page, such as clicking buttons and following links, the browser continues the process of requesting, processing, and presenting content.

How many browsers are there?

There are many different browsers. Most users are familiar with graphical browsers, which display both text and graphics and may also display multimedia elements such as sound or video clips. However, there are also text-based browsers. The following are some well-known browsers:

  • Internet Explorer
  • Firefox
  • AOL
  • Opera
  • Safari – a browser specifically designed for Macintosh computers
  • Lynx – a text-based browser desirable for vision-impaired users because of the availability of special devices that read the text

How do you choose a browser?

A browser is usually included with the installation of your operating system, but you are not restricted to that choice. Some of the factors to consider when deciding which browser best suits your needs include

  • compatibility – Does the browser work with your operating system?
  • security – Do you feel that your browser offers you the level of security you want?
  • ease of use – Are the menus and options easy to understand and use?
  • functionality – Does the browser interpret web content correctly? If you need to install other plug-ins or devices to translate certain types of content, do they work?
  • appeal – Do you find the interface and way the browser interprets web content visually appealing?

Can you have more than one browser installed at the same time?

If you decide to change your browser or add another one, you don’t have to uninstall the browser that’s currently on your computer—you can have more than one browser on your computer at once. However, you will be prompted to choose one as your default browser. Anytime you follow a link in an email message or document, or you double-click a shortcut to a web page on your desktop, the page will open using your default browser. You can manually open the page in another browser.

Most vendors give you the option to download their browsers directly from their websites. Make sure to verify the authenticity of the site before downloading any files. To further minimize risk, follow other good security practices, like using a firewall and keeping anti-virus software up to date (see Understanding Firewalls,Understanding Anti-Virus Software, and other US-CERT Tips for more information).

Author

Mindi McDowell

Posted in Computer Security, Cyber Security, G7 Security, Information Security, Software Security Risks, Uncategorized | Tagged , , , | Leave a comment

Understanding Web Site Certificates

What are web site certificates?

If an organization wants to have a secure web site that uses encryption, it needs to obtain a site, or host, certificate. There are two elements that indicate that a site uses encryption (seeProtecting Your Privacy for more information):

  • a closed padlock, which, depending on your browser, may be located in the status bar at the bottom of your browser window or at the top of the browser window between the address and search fields
  • a URL that begins with “https:” rather than “http:”

By making sure a web site encrypts your information and has a valid certificate, you can help protect yourself against attackers who create malicious sites to gather your information. You want to make sure you know where your information is going before you submit anything (see Avoiding Social Engineering and Phishing Attacks for more information).

If a web site has a valid certificate, it means that a certificate authority has taken steps to verify that the web address actually belongs to that organization. When you type a URL or follow a link to a secure web site, your browser will check the certificate for the following characteristics:

  1. the web site address matches the address on the certificate
  2. the certificate is signed by a certificate authority that the browser recognizes as a “trusted” authority

If the browser senses a problem, it may present you with a dialog box that claims that there is an error with the site certificate. This may happen if the name the certificate is registered to does not match the site name, if you have chosen not to trust the company who issued the certificate, or if the certificate has expired. You will usually be presented with the option to examine the certificate, after which you can accept the certificate forever, accept it only for that particular visit, or choose not to accept it. The confusion is sometimes easy to resolve (perhaps the certificate was issued to a particular department within the organization rather than the name on file). If you are unsure whether the certificate is valid or question the security of the site, do not submit personal information. Even if the information is encrypted, make sure to read the organization’s privacy policy first so that you know what is being done with that information (see Protecting Your Privacy for more information).

Can you trust a certificate?

The level of trust you put in a certificate is connected to how much you trust the organization and the certificate authority. If the web address matches the address on the certificate, the certificate is signed by a trusted certificate authority, and the date is valid, you can be more confident that the site you want to visit is actually the site that you are visiting. However, unless you personally verify that certificate’s unique fingerprint by calling the organization directly, there is no way to be absolutely sure.

When you trust a certificate, you are essentially trusting the certificate authority to verify the organization’s identity for you. However, it is important to realize that certificate authorities vary in how strict they are about validating all of the information in the requests and about making sure that their data is secure. By default, your browser contains a list of more than 100 trusted certificate authorities. That means that, by extension, you are trusting all of those certificate authorities to properly verify and validate the information. Before submitting any personal information, you may want to look at the certificate.

How do you check a certificate?

There are two ways to verify a web site’s certificate in Internet Explorer or Firefox. One option is to click on the padlock icon. However, your browser settings may not be configured to display the status bar that contains the icon. Also, attackers may be able to create malicious web sites that fake a padlock icon and display a false dialog window if you click that icon. A more secure way to find information about the certificate is to look for the certificate feature in the menu options. This information may be under the file properties or the security option within the page information. You will get a dialog box with information about the certificate, including the following:

  • who issued the certificate – You should make sure that the issuer is a legitimate, trusted certificate authority (you may see names like VeriSign, thawte, or Entrust). Some organizations also have their own certificate authorities that they use to issue certificates to internal sites such as intranets.
  • who the certificate is issued to – The certificate should be issued to the organization who owns the web site. Do not trust the certificate if the name on the certificate does not match the name of the organization or person you expect.
  • expiration date – Most certificates are issued for one or two years. One exception is the certificate for the certificate authority itself, which, because of the amount of involvement necessary to distribute the information to all of the organizations who hold its certificates, may be ten years. Be wary of organizations with certificates that are valid for longer than two years or with certificates that have expired.

Authors

Mindi McDowell and Matt Lytle

Posted in Computer Security, Cyber Security, G7 Security, Hacked, Information Security, isecurity, Software Security Risks, Uncategorized | Tagged , , , , , , | Leave a comment

Understanding Bluetooth Technology

What is Bluetooth?

Bluetooth is a technology that allows devices to communicate with each other without cables or wires. It is an electronics “standard,” which means that manufacturers that want to include this feature have to incorporate specific requirements into their electronic devices. These specifications ensure that the devices can recognize and interact with other devices that use the Bluetooth technology.

Many popular manufacturers are making devices that use Bluetooth technology. These devices include mobile phones, computers, and personal digital assistants (PDAs). The Bluetooth technology relies on short-range radio frequency, and any device that incorporates the technology can communicate as long as it is within the required distance. The technology is often used to allow two different types of devices to communicate with each other. For example, you may be able to operate your computer with a wireless keyboard, use a wireless headset to talk on your mobile phone, or add an appointment to your friend’s PDA calendar from your own PDA.

What are some security concerns?

Depending upon how it is configured, Bluetooth technology can be fairly secure. You can take advantage of its use of key authentication (see Understanding Digital Signatures for more information) and encryption (see Understanding Encryption for more information). Unfortunately, many Bluetooth devices rely on short numeric PIN numbers instead of more secure passwords or passphrases (see Choosing and Protecting Passwords for more information).

If someone can “discover” your Bluetooth device, he or she may be able to send you unsolicited messages or abuse your Bluetooth service, which could cause you to be charged extra fees. Worse, an attacker may be able to find a way to access or corrupt your data. One example of this type of activity is “bluesnarfing,” which refers to attackers using a Bluetooth connection to steal information off of your Bluetooth device. Also, viruses or other malicious code can take advantage of Bluetooth technology to infect other devices. If you are infected, your data may be corrupted, compromised, stolen, or lost. You should also be aware of attempts to convince you to send information to someone you do not trust over a Bluetooth connection (see Avoiding Social Engineering and Phishing Attacks for more information).

How can you protect yourself?

  • Disable Bluetooth when you are not using it – Unless you are actively transferring information from one device to another, disable the technology to prevent unauthorized people from accessing it.
  • Use Bluetooth in “hidden” mode – When you do have Bluetooth enabled, make sure it is “hidden,” not “discoverable.” The hidden mode prevents other Bluetooth devices from recognizing your device. This does not prevent you from using your Bluetooth devices together. You can “pair” devices so that they can find each other even if they are in hidden mode. Although the devices (for example, a mobile phone and a headset) will need to be in discoverable mode to initially locate each other, once they are “paired” they will always recognize each other without needing to rediscover the connection.
  • Be careful where you use Bluetooth – Be aware of your environment when pairing devices or operating in discoverable mode. For example, if you are in a public wireless “hotspot,” there is a greater risk that someone else may be able to intercept the connection (see Securing Wireless Networks for more information) than if you are in your home or your car.
  • Evaluate your security settings – Most devices offer a variety of features that you can tailor to meet your needs and requirements. However, enabling certain features may leave you more vulnerable to being attacked, so disable any unnecessary features or Bluetooth connections. Examine your settings, particularly the security settings, and select options that meet your needs without putting you at increased risk. Make sure that all of your Bluetooth connections are configured to require a secure connection.
  • Take advantage of security options – Learn what security options your Bluetooth device offers, and take advantage of features like authentication and encryption.

Authors

Mindi McDowell and Matt Lytle

Posted in Computer Security, Cyber Security, G7 Security, Information Security, Software Security Risks, Technology | Tagged , , , , | Leave a comment

Shopping Safely Online

Why do online shoppers have to take special precautions?

The Internet offers convenience not available from other shopping outlets. From the comfort of your home, you can search for items from multiple vendors, compare prices with a few mouse clicks, and make purchases without waiting in line. However, the Internet is also convenient for attackers, giving them multiple ways to access the personal and financial information of unsuspecting shoppers. Attackers who are able to obtain this information may use it for their own financial gain, either by making purchases themselves or by selling the information to someone else.

How do attackers target online shoppers?

There are three common ways that attackers can take advantage of online shoppers:

  • Creating fraudulent sites and email messages – Unlike traditional shopping, where you know that a store is actually the store it claims to be, attackers can create malicious websites or email messages that appear to be legitimate. Attackers may also misrepresent themselves as charities, especially after natural disasters or during holiday seasons. Attackers create these malicious sites and email messages to try to convince you to supply personal and financial information.
  • Intercepting insecure transactions – If a vendor does not use encryption, an attacker may be able to intercept your information as it is transmitted.
  • Targeting vulnerable computers – If you do not take steps to protect your computer from viruses or other malicious code, an attacker may be able to gain access to your computer and all of the information on it. It is also important for vendors to protect their computers to prevent attackers from accessing customer databases.

How can you protect yourself?

  • Do business with reputable vendors – Before providing any personal or financial information, make sure that you are interacting with a reputable, established vendor. Some attackers may try to trick you by creating malicious websites that appear to be legitimate, so you should verify the legitimacy before supplying any information. (See Avoiding Social Engineering and Phishing Attacks and Understanding Web Site Certificates for more information.) Attackers may obtain a site certificate for a malicious website to appear more authentic, so review the certificate information, particularly the “issued to” information. Locate and note phone numbers and physical addresses of vendors in case there is a problem with your transaction or your bill.
  • Make sure your information is being encrypted – Many sites use secure sockets layer (SSL) to encrypt information. Indications that your information will be encrypted include a URL that begins with “https:” instead of “http:” and a padlock icon. If the padlock is closed, the information is encrypted. The location of the icon varies by browser; for example, it may be to the right of the address bar or at the bottom of the window. Some attackers try to trick users by adding a fake padlock icon, so make sure that the icon is in the appropriate location for your browser.
  • Be wary of emails requesting information – Attackers may attempt to gather information by sending emails requesting that you confirm purchase or account information. (See Avoiding Social Engineering and Phishing Attacks.) Legitimate businesses will not solicit this type of information through email. Do not provide sensitive information through email. If you receive an unsolicited email from a business, instead of clicking on the provided link, directly log on to the authentic website by typing the address yourself. (See Recognizing and Avoiding Email Scams.)
  • Use a credit card – There are laws to limit your liability for fraudulent credit card charges, but you may not have the same level of protection for your debit cards. Additionally, because a debit card draws money directly from your bank account, unauthorized charges could leave you with insufficient funds to pay other bills. You can minimize potential damage by using a single, low-limit credit card to making all of your online purchases. Also use a credit card when using a payment gateway such as PayPal, Google Wallet, or Apple Pay.
  • Check your shopping app settings – Look for apps that tell you what they do with your data and how they keep it secure. Keep in mind that there is no legal limit on your liability with money stored in a shopping app (or on a gift card). Unless otherwise stated under the terms of service, you are responsible for all charges made through your shopping app.
  • Check your statements – Keep a record of your purchases and copies of confirmation pages, and compare them to your bank statements. If there is a discrepancy, report it immediately. (See Preventing and Responding to Identity Theft.)
  • Check privacy policies – Before providing personal or financial information, check the website’s privacy policy. Make sure you understand how your information will be stored and used. (See Protecting Your Privacy.)

Author

US-CERT Publications

Posted in Computer Security, Cyber Security, G7 Security, Information Security, Software Security Risks, Technology | Tagged , , , , , | Leave a comment

Protecting Portable Devices: Data Security

Why do you need another layer of protection?

Although there are ways to physically protect your laptop, PDA, or other portable device (seeProtecting Portable Devices: Physical Security for more information), there is no guarantee that it won’t be stolen. After all, as the name suggests, portable devices are designed to be easily transported. The theft itself is, at the very least, frustrating, inconvenient, and unnerving, but the exposure of information on the device could have serious consequences. Also, remember that any devices that are connected to the internet, especially if it is a wireless connection, are also susceptible to network attacks (see Securing Wireless Networksfor more information).

What can you do?

  • Use passwords correctly – In the process of getting to the information on your portable device, you probably encounter multiple prompts for passwords. Take advantage of this security. Don’t choose options that allow your computer to remember passwords, don’t choose passwords that thieves could easily guess, use different passwords for different programs, and take advantage of additional authentication methods (see Choosing and Protecting Passwordsand Supplementing Passwords for more information).
  • Consider storing important data separately – There are many forms of storage media, including CDs, DVDs, and removable flash drives (also known as USB drives or thumb drives). By saving your data on removable media and keeping it in a different location (e.g., in your suitcase instead of your laptop bag), you can protect your data even if your laptop is stolen. You should make sure to secure the location where you keep your data to prevent easy access. It may be helpful to carry storage media with other valuables that you keep with you at all times and that you naturally protect, such as a wallet or keys.
  • Encrypt files – By encrypting files, you ensure that unauthorized people can’t view data even if they can physically access it. You may also want to consider options for full disk encryption, which prevents a thief from even starting your laptop without a passphrase. When you use encryption, it is important to remember your passwords and passphrases; if you forget or lose them, you may lose your data.
  • Install and maintain anti-virus software – Protect laptops and PDAs from viruses the same way you protect your desktop computer. Make sure to keep your virus definitions up to date (see Understanding Anti-Virus Software for more information). If your anti-virus software doesn’t include anti-spyware software, consider installing separate software to protect against that threat (see Recognizing and Avoiding Spyware and Coordinating Virus and Spyware Defense for more information).
  • Install and maintain a firewall – While always important for restricting traffic coming into and leaving your computer, firewalls are especially important if you are traveling and using different networks. Firewalls can help prevent outsiders from gaining unwanted access (see Understanding Firewalls for more information).
  • Back up your data – Make sure to back up any data you have on your computer onto a CD-ROM, DVD-ROM, or network (see Good Security Habits andReal-World Warnings Keep You Safe Online for more information). Not only will this ensure that you will still have access to the information if your device is stolen, but it could help you identify exactly which information a thief may be able to access. You may be able to take measures to reduce the amount of damage that exposure could cause.

Authors

Mindi McDowell and Matt Lytle

Posted in Computer Security, Cyber Security, G7 Security, Information Security, Software Security Risks, Uncategorized | Tagged , , , , , | Leave a comment

Securing Wireless Networks

How do wireless networks work?

As the name suggests, wireless networks, sometimes called WiFi, allow you to connect to the internet without relying on wires. If your home, office, airport, or even local coffee shop has a wireless connection, you can access the network from anywhere that is within that wireless area.

Wireless networks rely on radio waves rather than wires to connect computers to the internet. A transmitter, known as a wireless access point or gateway, is wired into an internet connection. This provides a “hotspot” that transmits the connectivity over radio waves. Hotspots have identifying information, including an item called an SSID (service set identifier), that allow computers to locate them. Computers that have a wireless card and have permission to access the wireless frequency can take advantage of the network connection. Some computers may automatically identify open wireless networks in a given area, while others may require that you locate and manually enter information such as the SSID.

What security threats are associated with wireless networks?

Because wireless networks do not require a wire between a computer and the internet connection, it is possible for attackers who are within range to hijack or intercept an unprotected connection. A practice known as wardriving involves individuals equipped with a computer, a wireless card, and a GPS device driving through areas in search of wireless networks and identifying the specific coordinates of a network location. This information is then usually posted online. Some individuals who participate in or take advantage of wardriving have malicious intent and could use this information to hijack your home wireless network or intercept the connection between your computer and a particular hotspot.

What can you do to minimize the risks to your wireless network?

  • Change default passwords – Most network devices, including wireless access points, are pre-configured with default administrator passwords to simplify setup. These default passwords are easily found online, so they don’t provide any protection. Changing default passwords makes it harder for attackers to take control of the device (see Choosing and Protecting Passwords for more information).
  • Restrict access – Only allow authorized users to access your network. Each piece of hardware connected to a network has a MAC (media access control) address. You can restrict or allow access to your network by filtering MAC addresses. Consult your user documentation to get specific information about enabling these features. There are also several technologies available that require wireless users to authenticate before accessing the network.
  • Encrypt the data on your network – WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access) both encrypt information on wireless devices. However, WEP has a number of security issues that make it less effective than WPA, so you should specifically look for gear that supports encryption via WPA. Encrypting the data would prevent anyone who might be able to access your network from viewing your data (see Understanding Encryption for more information).
  • Protect your SSID – To avoid outsiders easily accessing your network, avoid publicizing your SSID. Consult your user documentation to see if you can change the default SSID to make it more difficult to guess.
  • Install a firewall – While it is a good security practice to install a firewall on your network, you should also install a firewall directly on your wireless devices (a host-based firewall). Attackers who can directly tap into your wireless network may be able to circumvent your network firewall—a host-based firewall will add a layer of protection to the data on your computer (see Understanding Firewalls for more information).
  • Maintain anti-virus software – You can reduce the damage attackers may be able to inflict on your network and wireless computer by installing anti-virus software and keeping your virus definitions up to date (see Understanding Anti-Virus Software for more information). Many of these programs also have additional features that may protect against or detect spyware and Trojan horses (see Recognizing and Avoiding Spyware and Why is Cyber Security a Problem? for more information).

Authors

Mindi McDowell, Allen Householder, and Matt Lytle

Posted in Computer Security, Cyber Security, G7 Security, Information Security, Network Security, Software Security Risks, Uncategorized | Tagged , , , , , | Leave a comment