[2.1 Taking Charge] [2.2 AUPs] - Acceptable use policy outlines appropriate use of the Internet, enforced by system administrators. - OIT has one, your ISP has one. - Sometimes called Terms of Service (TOS). [2.3 Password Security] - Protect your passwords from other people to prevent them using your accounts. - In most cases, passwords are stored using special techniques so that nobody, not even the sysadmins, can retrieve your password. If needed, they can manually bypass the password, but they cannot retrieve it for you. So if you forget it, you have to change it. - If you receive an email asking for your password, it's a trick. (Social engineering) - Choosing a good password: 6+ chars (8 is better), both uppercase and lowercase, at least one number. Also can use symbols. - Change them often, don't use the same one for more than one account. [2.4 Phishing and Identity Theft] - Phishing: unsolicited email from what appears to be a trustworthy source that requests that you "confirm" or "resubmit" personal info (CC#, bank account #, SSN, PINs, passwords, etc) - Most reputable businesses will never ask for this in an unsolicited email. - Spear phishing: phishing attacks targetted to specific groups of people (e.g. users of a certain bank) - Look for: references an account you don't have, generic greeting, phone the company to verify, grammatical/spelling mistakes, examine the URL to see if it's really going where it's supposed to. - Protect yourself: don't give out personal info over the phone/net unless you initiated the contact and know/can verify the other party. - Never click on links in unsolicited email (type in the homepage for the company) - When submitting personal info, look for https and padlock/key icon. - Smishing: phishing over SMS text messages. - Pharming: redirecting valid URLs to a bogus site that mimics the real site (done through changing the way DNS addresses are resolved into IPs) - Identity theft: illegal use of someone's mean of ID (includes CC) - Thieves capture SSN, phone#, addresses, date/place of birth, drivers lic#, mother's maiden name, etc, then open accounts in your name or make fraudulent purchases. - Can occur through no fault of yours - information can be stolen from records (online or through physically stealing a computer) - Signs of ID theft: missing or late bills, receiving CCs you didn't ask for, being denied credit or offered less favorable terms for no reason, debt collectors calling - Pretexting: acquiring personal information under false pretenses, usually by phone. Usually involves some background research (DOB, SSN, etc) to set up a false sense of security in the mind of the target to get them to release some information or perform some action. (Ex: Pretexter gets someone's DOB/SSN from public records, calls their bank, gets their bank account #, or I take your student IDs, call OIT and ask to have your password reset [won't work]) [2.5 Viruses, Trojan Horses, and Worms] - Virus: computer program with the ability to replicate itself via files that move from one computer to another. Range from benign to destructive. - Trojan Horse: program that slips into a computer system under the guise of another program. Must do something undocumented the user wouldn't approve of. Keyloggers are usually Trojan horses. - Worm: Spreads through open network connections, not through files. Exploit weaknesses in operating systems and other software to get in. - Protect yourself: Use antivirus software, update it regularly. [2.6 Email Viruses] - Very easy to get a virus through an email attachment. Some attachments aren't documents, but are regular programs that can be viruses (sometimes they pretend to look like documents through clever naming and the text in the body). - You can setup your AV software to automatically scan incoming emails for viruses - if you can't do this, then usually "SAVE" rather than "OPEN" will help - your virus scanner can then scan the saved file before you open it. - Don't open attachments from people you don't know. - Macro Viruses: computer virus written in a macro language built into another program that is attached to a document, not the program itself. - MS Word macro viruses used to be incredibly common, due to the fact that almost everyone uses Word, and MS included an incredibly powerful programming language built into Word and allowed for these macros to be embedded into documents. - Melissa virus (macro Word virus) didn't do anything malicious but shut down email systems that just got clogged with email from the virus. It attached an infected document to an email and sent it to people in your address book in Outlook. - Illustrates how you can get a virus from even a "trusted" source. - Newer versions of Word prompt you whenever you open a doc with a macro. - Some email clients allow for sending email that looks like a webpage. These can include embedded programs called scripts that can be used to write viruses. - At the time, AV software didn't usually scan these scripts. Now they do, and most email clients won't run scripts in email now anyway. - ILOVEYOU Worm (love bug) spread through VBScript and used the address book trick again. - Now possible to have combination attacks from blends of scripts, worms, Trojans, and viruses. (Nimda [9/2001], Klez [late 2001]) - Beware of scams (get rich quick, advance fee fraud [nigerian letter]), pyramid schemes, anything too good to be true) [2.7 Hacker Attacks and Intrusions] - Hackers can break into vulnerable computers remotely and take control of them. Illegal under state and federal laws, punishable by fines and jail sentences. - Now is easier to do than ever -- some hacking software even has point and click interfaces. - hacker attacks - they look for easy targets (don't care about who the victims are). Looking for CC#, personal info, etc. - download patches for windows - do not download software you don't trust or didn't explicitly ask for [2.8 Firewalls] - Install a firewall to protect you from hackers -- most newer operating systems come with one built in. (WinXP/Vista, Mac OS X) - Firewall: hardware or software that can permit or deny transfer of data in a computer network. A personal firewall for your computer monitors all attempts to move bits over the net in either direction and can restrict or prevent the action if desired. Acts as a protective boundary btw your computer and the rest of the net. [2.9 Protecting Your Privacy] - privacy of your personal information - sites usually have a privacy policy - describes whether or not they let other people see your personal info - webpages can be programmed to collect info about when you visited the page and what links you clicked on the site [2.10 Libel and Lawsuits] - libel and lawsuits - libel = any written or pictorial statement that damages a person or org. - libel is not a criminal offense, so you can't go to jail for it - but you can be sued, especially by companies if they think the info is "harmful." - if the statements are true (the libel), the lawsuit will fail - once info gets on the internet, it can be hard to remove - digital info is easily copied and reproduced [2.11 Threats and Harassment] - threats - don't do it - flame = email or NG or bulletin board msg in which the writer attacks someone person with uninhibited hostility - flame wars = exchange of flames between 2 or more people - hard to tell when you're being serious [2.12 Software Piracy and Copyright Infringements] - software piracy, copyright infringement - piracy = willful reproduction/distribution of computer programs that disallow such reproductions/distributions - when you purchase commercial software, you are purchasing a license, which is just the right to run the software, not give it to others, you don't OWN it. - distributing music online became very popular - RIAA doesn't like it because most of it is illegal - you can't download copyrighted music (unless you pay for it) - audio home recording act of 1992 lets people copy music for personal use [2.13 Pornography and Other Lapses in Good Taste] [2.14 Hoaxes and Legends] [2.15 Laptops and Wireless Networks] - Unsecured networks in wireless hotspots. - Wireless communications can be intercepted and decoded by a packet sniffer. - Wifi Protected Access (WPA), Wired Equivalent Privacy (WEP) - WPA is stronger: these ask for a password to access the network and encrypt all traffic.