Chapter 3, Security Considerations for Home and Personal Online Use
This lesson presents some material from chapter 3. Objectives important to this lesson:
Common terms and threats
Securing common activities
Email scams
OWASP Risks Project
Concepts:
Chapter 3
Chapter 3 begins with some concerns about social engineering, which can
occur anywhere, so it is a reasonable place to begin. Social
engineering is a label that is applied to any attempt to convince
someone to do something that is to your benefit. Think about that. That
definition includes a lot of things that are neither immoral nor illegal.
However, in the context of IT security, a social engineer is often a con
artist who is asking, fooling, convincing, or otherwise manipulating people
into revealing secrets or granting access to systems. The text discusses
some methods:
Shoulder surfing - An attacker observes what a user is doing, typically
trying to watch the user enter ID and password information. In an office
environment, a user ID is pretty easy for a coworker, or someone who
appears to be one, to pick up by other means. The password is the real
goal, in that case. In a public setting, the hacker needs the ID as well
as the password, and information about what site, application, or network
the login information works for. That is a lot to gather in what needs
to be a moment's observation. The text points out that hidden cameras
can help the hacker get the desired information. A talented hacker might
use a cell phone to seemingly take pictures of a partner, while actually
shooting video of the intended victim.
Dumpster diving - This category
covers searching trash for information, harvesting data from discarded
technology, and actual theft of technical information and devices while
posing as a trash collector.
Make a friend - Friends tend
to confide in friends, do favors for them, and show off what they know
or can do. A hacker may try to become a friend to someone with the next
level of access to harvest information from them.
Pretext - A pretext is a pretense,
a lie of some sort. A pretexting attacker might pretend to be from the
IT department, or he/she might instead pretend to be a new user, an
assistant to a high level executive, or any other role that seems to
fit the situation. Think of Leonardo DiCaprio in Catch
Me If You Can, interviewing an airline official to get the information
he needed to impersonate a pilot. He was pretexting with the airline
official when he pretended to be a reporter for a student newspaper.
He then pretended to be a pilot in order to pass bad checks at banks,
hotels, and airline counters, which we could say was the real exploit
that his initial pretexting led to.
Ask for information - Imagine
a social engineer asking a user to log in to a "test page", which in
reality has the purpose of collecting the user's ID and password. This
is similar to phishing: sending email that asks users to do the same or
similar things.
The text puts particular emphasis on phishing
attacks, which can happen to us anywhere because they come through our
email accounts. A phishing email often appears to be a real message from
someone or some entity that you should know, asking you to provide information,
to follow a link, or to make a payment on an account. There is often an
element of urgency in the message, which is there to make the reader comply
with the request without taking time to think about it or to determine
whether the request is legitimate, which it never is. The text presents
a list of common scams found in phishing email. Note that this list is
always evolving:
the message appears to be from an administrator of a network you use
the message seems to be from a commonly used web vendor or payment agent,
asking you to enter your payment card/bank account information
the message pretends to be from your bank or credit card company, and it
asks you to verify personal and account information (This one may appear
to be from a bank you do not even use. The scammer is playing the odds,
hoping that you will be a customer of the large bank/credit card company
that is being spoofed.)
the message may seem to be from any other company that has a reputation
that the reader may trust
The text offers basic advice about any such suspicious email you receive.
(You are suspicious, aren't you?)
Check the validity of email that asks for personal or financial information
Do not follow links in emails that ask for such information. If they
appear to be from a reputable source, contact that source by standard
means. The link in the email may be a trap.
Do not enter personal information in a pop-up. A pop-up can be generated
by any running program, not necessarily the one you think it came from.
Use protective programs: spam filters, antivirus programs, antispyware,
antimalware, and firewalls.
The list ends with another standard admonition that I will disagree
with. It says "open email attachments only from trusted sources". The
problem is that you may not know that the email address of the sender
was spoofed by an attacker.
Scan all attachments before opening them. Suspect all of them. Most
protective software can be configured to scan files before you open
them.
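To make the advice about links concrete, here is an added example (my own illustration, not code from the textbook or from anything the chapter cites) that reads an HTML email body, pairs each link's visible text with the address it really points to, and flags the two things the text warns about: a link whose displayed address names a different host than its real target, and a link that uses plain http, so anything you type on the resulting page travels unencrypted. It also counts the urgency phrases the text says are a hallmark of these messages. The sample message, the host names (all under the reserved .test domain) and the urgency-word list are constructed for the example.

```python
"""Flag suspicious links in an HTML email body.

Added example, not from the textbook or this lesson: the email body, the
host names and the keyword list below are all constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the visible link text names one host while the
# underlying href points somewhere else entirely.
SAMPLE_EMAIL = """
<p>Your account will be suspended in 24 hours unless you verify it now.</p>
<p>Visit <a href="http://login.example-bank.verify-now.test/">
https://www.example-bank.test/account</a> immediately.</p>
<p>Questions? See <a href="https://www.example-bank.test/help">our help page</a>.</p>
"""

URGENCY_WORDS = ("immediately", "suspended", "within 24 hours", "verify now", "urgent")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every anchor tag."""

    def __init__(self):
        super().__init__()
        self.links = []        # finished (href, text) pairs
        self._current = None   # [href, text] of the anchor being read

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def audit_links(html_body):
    """Return one finding per link that deserves suspicion.

    A link is flagged when its visible text looks like a URL but names a
    different host than the real href (link spoofing), and separately when
    the href is plain http, so data entered on that page is sent in clear.
    """
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        real_host = host_of(href)
        shown_host = host_of(text) if text.startswith(("http://", "https://")) else ""
        if shown_host and shown_host != real_host:
            findings.append(("host mismatch", text, href))
        if urlparse(href).scheme == "http":
            findings.append(("plain http link", text, href))
    return findings


def urgency_score(html_body):
    """Count urgency phrases; a high count is one more reason to slow down."""
    lowered = html_body.lower()
    return sum(lowered.count(word) for word in URGENCY_WORDS)


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL):
        print(*finding)
    print("urgency phrases:", urgency_score(SAMPLE_EMAIL))
```

Run it and the first link is reported twice (host mismatch and plain http) while the genuine help link passes; the point is that the displayed text of a link proves nothing, only the href does.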
If you are having trouble believing that people can get away with this
kind of thing, watch this video of a smooth operator using some phone,
people, and IT skills.
On page 56, the text discusses identity theft, which is the goal of
many attacks on computer systems. The text presents a list of personally
identifying information (PII) that can be used to impersonate someone.
As we saw in the video above, the hacker had little trouble getting more
information and more access to an account just by telling a believable
story and presenting a little information that the vendor already had
on file.
On page 57, the text offers a list of good practices to follow regarding
personal information and online habits. Here are a few of them:
Use strong passwords and change them regularly. A stolen
password is of little use to the thief if you have changed it.
The text says to restrict data sent over public wireless access points.
We should go a bit further: never send personal or identifying
data over an unencrypted channel.
Clear a computer's browser cache after each session, especially
if it is a shared computer. You might be surprised how many security
students find information on classroom computers belonging to students
who used those computers earlier in the day. Sign out of accounts
when you are done with a session, don't just close the browser.
The text presents a topic box on page 59 about wi-fi eavesdropping.
Are you aware that there is no actual law against eavesdropping
on signals sent to an unencrypted public access point? This seems
strange when you first learn about it, and it seems like a terrible
mistake when you think about it for a minute. Use encrypted channels,
or don't use wireless.
Make regular backups. Be ready to wipe your computer
and restore from a backup if necessary. The text references cases
in which systems have been encrypted by ransomware in which the
only choices were to wipe and restore or pay the ransom to the attacker.
The problem with paying the ransom is that you have no guarantee that
your system will be decrypted or that the attacker will not repeat the
attack in the future. Wiping and restoring, however, presumes that you
have a backup, and that it was made before the ransomware was placed
in the system. If it was not, the backup will be of no use.
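Here is an added example (my own, not from the textbook) of the two checks that decide whether a backup is any use after ransomware: the copy must still match the hashes recorded when it was taken, and it must have been taken before the compromise. The snapshots, file contents and timestamps are constructed in memory so the script runs without touching a disk.

```python
"""Choose a restore point that predates a compromise, and verify it first.

Added example, not from the textbook: the snapshots, file contents and
timestamps are constructed in memory so the script runs without a disk.
"""
import hashlib
from datetime import datetime


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def make_snapshot(taken_at, files):
    """A backup snapshot: when it was taken, a hash manifest recorded at
    that time, and the file bytes the backup media holds now."""
    manifest = {name: sha256(data) for name, data in files.items()}
    return {"taken_at": taken_at, "manifest": manifest, "files": dict(files)}


# Constructed user data before and after a (constructed) ransomware run.
ORIGINAL = {"thesis.docx": b"chapter one ...",
            "photos/cat.jpg": b"\xff\xd8\xff\xe0 jpeg bytes"}
ENCRYPTED = {"thesis.docx.locked": b"\x8e\x11\x42 ciphertext",
             "photos/cat.jpg.locked": b"\x03\x9a ciphertext"}

COMPROMISE_TIME = datetime(2024, 3, 12)   # when the ransomware ran (constructed)

SNAPSHOTS = [
    make_snapshot(datetime(2024, 3, 1), ORIGINAL),
    make_snapshot(datetime(2024, 3, 8), ORIGINAL),
    make_snapshot(datetime(2024, 3, 15), ENCRYPTED),   # taken after the infection
]
# Simulate damaged backup media for the 8 March snapshot (constructed).
SNAPSHOTS[1]["files"]["thesis.docx"] = b"bit rot"


def verify(snapshot):
    """True when every file on the media still matches the hash recorded
    when the backup was taken; otherwise a restore would be incomplete."""
    files = snapshot["files"]
    return all(name in files and sha256(files[name]) == digest
               for name, digest in snapshot["manifest"].items())


def choose_restore_point(snapshots, compromise_time):
    """Newest snapshot that both verifies and was taken strictly before the
    compromise. The 15 March snapshot verifies perfectly, because it
    faithfully backed up the encrypted files; that is why the time check
    matters as much as the integrity check."""
    candidates = [s for s in snapshots
                  if s["taken_at"] < compromise_time and verify(s)]
    return max(candidates, key=lambda s: s["taken_at"], default=None)


if __name__ == "__main__":
    chosen = choose_restore_point(SNAPSHOTS, COMPROMISE_TIME)
    print("restore from:", chosen["taken_at"].date() if chosen else "no usable backup")
```

With the constructed data the 8 March copy fails verification and the 15 March copy is after the compromise, so the 1 March snapshot is the one to restore; with no snapshot older than the compromise the function returns None, which is the "backup will be of no use" case from the text.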
The text turns to discussions of common Internet activities that can
be done more safely:
Connect to web sites with HTTPS instead of HTTP. The secure
version of the protocol avoids sending data in plaintext. However, this
does not guarantee that you are connected to a legitimate site. See
this article on Krebs on Security about an increasing number of phishing
sites using HTTPS.
Learn to recognize phishing scams. Do not be a phish.
Read the URL in the address line when you go to a web site.
Make sure you are on the intended site, not one with a similar
name that is being run by someone harvesting personal information.
Update your antivirus and antimalware programs
regularly, and use them. It is much better to pay a fee
for the versions that provide automatic updates and automatic scanning.
The ones that require a manual update and manual scans depend on you
doing something you are usually in too much of a hurry to do.
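To show what "read the URL in the address line" means in practice, here is an added example (my own illustration, not from the textbook or the Krebs article) that takes the address a browser shows and decides whether it is the intended site, a plain-http connection, or a look-alike. It treats only an exact host match as acceptable, and it catches the two common tricks: a real name buried inside a longer host name, and a name that differs by a swapped character or a single edit. The intended-site list and the sample addresses are constructed, all under the reserved .test domain.

```python
"""Check that an address-bar URL is really the site you intended to visit.

Added example, not from the textbook: the intended-site list, the
confusable table and the sample URLs are constructed for illustration.
"""
from urllib.parse import urlparse

# Sites the user actually means to visit (constructed).
INTENDED_SITES = {"www.example-bank.test", "shop.example-store.test"}

# Characters commonly swapped for look-alikes in spoofed host names.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(host):
    """Fold look-alike characters so 'examp1e' compares equal to 'example'."""
    host = host.lower()
    for fake, real in CONFUSABLES.items():
        host = host.replace(fake, real)
    return host


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-letter typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url, intended=INTENDED_SITES):
    """Return (verdict, reason) for the address shown in the browser.

    'insecure'   : plain http, so everything sent is readable on the network
    'ok'         : https and the host is exactly one of the intended sites
    'suspicious' : the host contains or closely resembles an intended name
    'unknown'    : https, but not a site on the list
    """
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        return "insecure", "not HTTPS"
    if host in intended:
        return "ok", "exact match"
    for site in intended:
        if site in host:   # e.g. www.example-bank.test.evil.test
            return "suspicious", "contains '%s' but is not it" % site
        if normalize(host) == normalize(site) or edit_distance(host, site) <= 1:
            return "suspicious", "looks like '%s'" % site
    return "unknown", "not an intended site"


if __name__ == "__main__":
    for url in ("https://www.example-bank.test/login",
                "http://www.example-bank.test/",
                "https://www.examp1e-bank.test/",
                "https://www.example-bank.test.evil.test/",
                "https://www.example-banc.test/",
                "https://www.unrelated.test/"):
        print(url, "->", *check_url(url))
```

Note that HTTPS alone moves a site only from "insecure" to one of the other three verdicts; the host comparison is what answers the question of whether you are where you meant to be.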
The text presents a long list of shopping site scams. The short
version of the warning is that there is probably a false version of
any site you could imagine, whether it is for shopping, donating money,
or any other activity that collects money from a customer/user. Don't
be a victim. Suspect any site that promotes a product or offer that seems
too good to be true.
The text spends a few pages on social networking. As you may have heard,
social network sites are valuable resources for people doing research
on both companies and individuals. Many people provide more information
about themselves than is healthy, and invest more faith in such sites
than they deserve. I will let two associates make a valid point about
this topic.
The text offers a list of categories of criminal activities that
people may use social networking sites to enable. The truth is that you
will find those people in other online venues and in real life, not just
on social networking sites. People seem to have less incentive to behave
themselves in the online worlds, so we hear more stories about them. There
are opportunities for people to do bad things online (like cyber bullying)
that they might not be able to get away with in real life. People who take
their bad actions into the real world as well (like potential sex offenders
looking for victims) are using what was meant to be a good invention for
bad purposes. Be aware of the categories on pages 64 and 65 for your own
protection and as a caution to make your own behavior better than it might
be in situations where you think there may be nothing to control it.
The rest of the chapter offers more ways things can go wrong online,
but does not offer many thoughts about dealing with those things. Some
email advice, for example, must be implemented by the administrator running
the email server (e.g. virus filtering).
One thing that is mentioned often is a buffer overflow. Since this topic
is rarely explained, and a student recently mentioned the topic to me,
I will offer this video from Computerphile, which has the best discussion
I have seen about why a buffer overflow could cause code to actually be
executed.
Let's move on to the last section of the chapter about the Open
Web Application Security Project (OWASP). The link in the
last sentence will take you to their web site, which I find a bit hard
to navigate. How hard? I could not find the document the author used with
their internal search tool. I used Google to locate their Top
10 Web Application Security Risks for 2017. I will upload a copy of
the PDF of that document to Module 3 for this class in Canvas. Oddly,
the lists for 2017, 2013, and 2010 all differ from the list presented by our
author on pages 70 through 72. I searched again with Google, and this
time found a document about Privacy Risks. This link will take you to
a supplementary document
that covers countermeasures for the named risks. A quick reference
to the ten intended categories seems called for:
Web application vulnerabilities - This is addressed in their web application
security risks, which seems to be updated periodically.
Operator-sided data leakage - This is a slightly formal way of saying
to be careful what you upload, post, and share.
Insufficient data breach response - It seems like every company that
suffers a data breach takes longer to announce it, and does less to
help the customers whose data was stolen.
Insufficient deletion of personal data - This refers to people not
guarding their own data, and not removing it from their own devices
and from the online services they use.
Non-transparent policies, terms, and conditions - The entities who
want our online business should make it clear to us what they will do
with our data. We should be able to make choices about vendors based
on their practices.
Collection of data not required for the primary purpose - It is a
basic policy in database design NOT to collect data we are not going
to use. Deviation from this principle makes the motives of the collector
suspect.
Sharing of data with third parties - Published data policies often state
that an entity will share our data with partner entities. This sounds
better than selling our data to anyone who wants it, which seems to
happen frequently as well.
Outdated personal data - The bottom line is that there ought to be
a way to have incorrect and outdated information about ourselves removed
from stored profiles about us. There does not appear to be a way in
most cases.
Missing or insufficient session expiration - There needs to be a simple
way to assure that a user/customer is logged out when the session is
intended to end.
Unsecure data transfer - Most data travels in cleartext. This should
not be so.
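The session expiration item is the one in this list that a developer can implement directly, so here is an added example (my own, not from OWASP or the textbook) of how a server ends sessions on its own schedule rather than trusting the user to log out: each request is validated and refreshed, a session dies after a period of inactivity, it dies after a fixed lifetime even when it is busy, and an explicit logout destroys it immediately. The timeout values and the timeline of requests are constructed for the example.

```python
"""Enforce idle and absolute session timeouts on the server side.

Added example, not from OWASP or the textbook: the timeout values and the
request timeline are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=15)    # end the session after no activity
ABSOLUTE_TIMEOUT = timedelta(hours=8)   # end it regardless of activity


@dataclass
class Session:
    user: str
    created_at: datetime
    last_seen: datetime
    ended: bool = False   # set by an explicit logout

    def is_valid(self, now):
        if self.ended:
            return False
        if now - self.last_seen > IDLE_TIMEOUT:
            return False
        if now - self.created_at > ABSOLUTE_TIMEOUT:
            return False
        return True


class SessionStore:
    """Server-side session table keyed by the opaque token sent to the browser."""

    def __init__(self):
        self._sessions = {}

    def login(self, token, user, now):
        self._sessions[token] = Session(user, now, now)

    def touch(self, token, now):
        """Validate and refresh a session on each request; return the user or None."""
        s = self._sessions.get(token)
        if s is None or not s.is_valid(now):
            self._sessions.pop(token, None)   # purge; never keep stale tokens around
            return None
        s.last_seen = now
        return s.user

    def logout(self, token):
        s = self._sessions.pop(token, None)
        if s is not None:
            s.ended = True


def demo_timeline():
    """Walk a constructed timeline; return which requests were accepted."""
    store = SessionStore()
    t0 = datetime(2024, 1, 1, 9, 0)
    results = {}

    store.login("tok-1", "alice", t0)
    results["active after 10 min"] = store.touch("tok-1", t0 + timedelta(minutes=10))
    # Nothing for 20 minutes: the idle timeout ends the session.
    results["idle 20 min"] = store.touch("tok-1", t0 + timedelta(minutes=30))

    t1 = t0 + timedelta(minutes=30)
    store.login("tok-2", "alice", t1)
    # Steady activity every 10 minutes keeps it alive only up to the absolute limit.
    for k in range(1, 48):
        store.touch("tok-2", t1 + timedelta(minutes=10 * k))
    results["active at absolute limit"] = store.touch("tok-2", t1 + timedelta(hours=8))
    results["active past absolute limit"] = store.touch("tok-2", t1 + timedelta(hours=8, minutes=5))

    store.login("tok-3", "bob", t1)
    store.logout("tok-3")
    results["after logout"] = store.touch("tok-3", t1 + timedelta(minutes=1))
    return results


if __name__ == "__main__":
    for label, user in demo_timeline().items():
        print("%-28s %s" % (label, user or "rejected"))
```

The absolute limit is the part most sites skip: without it, a session that stays busy (or that a script keeps poking) never ends, which is exactly the "missing or insufficient session expiration" condition.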
Assignments
Continue the reading assignments for the course.
Download the handouts files for this module. There are two that
pertain to OWASP this week.
Complete the assignment and class discussion in this module.