Chapter 3, Security Considerations for Home and Personal Online Use
This lesson presents some material from chapter 3. Objectives important to this lesson:
Common terms and threats
Securing common activities
Email scams
OWASP Risks Project
Concepts:
Chapter 3
Chapter 3 begins with some concerns about social engineering,
which can occur anywhere, so it is a reasonable place to begin. Social engineering is a label
that is applied to any attempt to convince someone to do something
that is to your benefit. Think about that. That definition
includes a lot of things that are neither immoral nor illegal.
However, in the context of IT security, a social engineer is often
a con artist who is asking, fooling, convincing, or otherwise
manipulating people into revealing secrets or granting access to
systems. The text discusses some methods:
Shoulder surfing - An attacker observes what a user is doing, typically trying to watch the user enter ID and password information. In an office environment, a user ID is pretty easy for a coworker, or someone who appears to be one, to pick up by other means. The password is the real goal, in that case. In a public setting, the hacker needs the ID as well as the password, and information about what site, application, or network the login information works for. That is a lot to gather in what needs to be a moment's observation. The text points out that hidden cameras can help the hacker get the desired information. A talented hacker might use a cell phone to seemingly take pictures of a partner, while actually shooting video of the intended victim.
Dumpster diving - This category covers searching trash for information, harvesting data from discarded technology, and actual theft of technical information and devices while posing as a trash collector.
Make a friend - Friends tend to confide in friends, do favors for them, and show off what they know or can do. A hacker may try to become a friend to someone with the next level of access to harvest information from them.
Pretext - A pretext is a pretense, a lie of some sort. A pretexting attacker might pretend to be from the IT department, or he/she might instead pretend to be a new user, an assistant to a high level executive, or any other role that seems to fit the situation. Think of Leonardo DiCaprio in Catch Me If You Can, interviewing an airline official to get the information he needed to impersonate a pilot. He was pretexting with the airline official when he pretended to be a reporter for a student newspaper. He then pretended to be a pilot in order to pass bad checks at banks, hotels, and airline counters, which we could say was the real exploit that his initial pretexting led to.
Ask for information - Imagine a social engineer asking a user to log in to a "test page", which in reality has the purpose of collecting the user's ID and password. This is similar to phishing, sending users email that asks them to do the same or similar things.
The text puts particular emphasis on phishing
attacks, which can happen to us anywhere because they come through
our email accounts. A phishing email often appears to be a real
message from someone or some entity that you should know, asking
you to provide information, to follow a link, or to make a payment
on an account. There is often an element of urgency in the
message, which is there to make the reader comply with the request
without taking time to think about it or to determine whether the
request is legitimate, which it never is. The text presents a list
of common scams found in phishing email. Note that this list is
always evolving:
the message appears to be from an administrator of a network you use
the message seems to be from a commonly used web vendor or payment agent, asking you to enter your payment card/bank account information
the message pretends to be from your bank or credit card company, and it asks you to verify personal and account information (This one may appear to be from a bank you do not even use. The scammer is playing the odds, hoping that you will be a customer of the large bank/credit card company that is being spoofed.)
the message may seem to be from any other company that has a reputation that the reader may trust
The text offers basic advice about any such suspicious email you
receive. (You are suspicious, aren't you?)
Check the validity of email that asks for personal or financial information.
Do not follow links in emails that ask for such information. If they appear to be from a reputable source, contact that source by standard means. The link in the email may be a trap.
Do not enter personal information in a pop-up. A pop-up can be generated by any running program, not necessarily the one you think it came from.
Use protective programs: spam filters, antivirus programs, antispyware, antimalware, and firewalls.
The list ends with another standard admonition that I will
disagree with. It says "open email attachments only from trusted
sources". The problem is that you may not know that the email
address of the sender was spoofed
by an attacker. Scan all attachments before opening them.
Suspect all of them. Most protective software can be configured
to scan files before you open them.
If you are having trouble believing that people can get away with
this kind of thing, watch this video of a smooth operator using
some phone, people, and IT skills.
On page 56, the text discusses identity theft, which is the goal
of many attacks on computer systems. The text presents a list of
personally identifying information (PII) that can be used to
impersonate someone. As we saw in the video above, the hacker had
little trouble getting more information and more access to an
account just by telling a believable story and presenting a little
information that the vendor already had on file.
On page 57, the text offers a list of good practices to follow
regarding personal information and online habits. Here are a few
of them:
Use strong passwords and change them regularly. A stolen password is of little use to the thief if you have changed it.
The text says to restrict data sent over public wireless access points. We should go a bit further: never send personal or identifying data over an unencrypted channel.
Clear a computer's browser cache after each session, especially if it is a shared computer. You might be surprised how many security students find information on classroom computers belonging to students who used those computers earlier in the day. Sign out of accounts when you are done with a session, don't just close the browser.
The text presents a topic box on page 59 about wi-fi
eavesdropping. Are you aware that there is no actual law
against eavesdropping on signals sent to an unencrypted
public access point? This seems strange when you first
learn about it, and it seems like a terrible mistake when you
think about it for a minute. Use encrypted channels, or don't
use wireless.
Make regular backups. Be ready to wipe your computer and restore from a backup if necessary. The text references cases in which systems were encrypted by ransomware and the only choices were to wipe and restore or to pay the ransom to the attacker. The problem with paying the ransom is that you have no guarantee that your system will be decrypted or that the attacker will not repeat the attack in the future. Wiping and restoring, however, presumes that you have a backup, and that it was made before the ransomware was placed in the system. If it was not, the backup will be of no use.
The text turns to discussions of common Internet activities that
can be done more safely:
Connect to web sites with HTTPS instead of HTTP. The secure version of the protocol avoids sending data in plaintext. However, this does not guarantee that you are connected to a legitimate site. See this article on Krebs on Security about an increasing number of phishing sites using HTTPS.
Learn to recognize phishing scams. Do not be a phish.
Read the URL in the address line when you go to a web site. Make sure you are on the intended site, not one with a similar name that is being run by someone harvesting personal information.
Update your antivirus and antimalware programs regularly, and use them. It is much better to pay a fee for the versions that provide automatic updates and automatic scanning. The ones that require a manual update and manual scans depend on you doing something you are usually in too much of a hurry to do.
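As an added example (not from the text or its author), here is a small Python check that applies two of the points above, using HTTPS and reading the address: it flags a link that is not HTTPS, a trusted name that appears in a subdomain or before an "@" while the link really goes elsewhere, and a registered name that differs from the expected one only by swapped characters. The allowlist, the domain names and the swap table are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed sample allowlist: the registrable domains the user actually intends to visit.
EXPECTED_DOMAINS = {"examplebank.com", "shop.example"}
# Digit/letter swaps commonly used to register a lookalike name (illustrative, not exhaustive).
LOOKALIKE_SWAPS = (("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("rn", "m"), ("vv", "w"))

def registrable_domain(host: str) -> str:
    """'login.examplebank.com' -> 'examplebank.com'. Simplified to the last two labels;
    real code should consult the Public Suffix List so 'example.co.uk' works too."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def normalize_lookalike(domain: str) -> str:
    """Collapse common substitutions so 'examp1ebank.com' compares equal to 'examplebank.com'."""
    for fake, real in LOOKALIKE_SWAPS:
        domain = domain.replace(fake, real)
    return domain

def check_link(url: str) -> list:
    """Return a list of warnings for a link; an empty list means HTTPS to an expected site."""
    warnings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        warnings.append("not HTTPS (scheme is %r)" % parts.scheme)
    if parts.username is not None:
        # 'https://examplebank.com@evil.example/' displays the bank's name but goes to evil.example
        warnings.append("user-info before '@' hides the real host %r" % host)
    if not host:
        warnings.append("no host in link")
        return warnings
    domain = registrable_domain(host)
    if domain in EXPECTED_DOMAINS:
        return warnings
    warnings.append("host %r is not an expected site" % host)
    for expected in EXPECTED_DOMAINS:
        brand = expected.split(".")[0]
        if brand in host or brand in parts.path.lower():
            # 'examplebank.com.evil.example' puts the trusted name left of the real domain
            warnings.append("%r appears in a link that really goes to %r" % (brand, domain))
        elif normalize_lookalike(domain) == normalize_lookalike(expected):
            warnings.append("%r is a lookalike of %r with swapped characters" % (domain, expected))
    return warnings

if __name__ == "__main__":
    for link in ("https://login.examplebank.com/account", "http://examplebank.com.evil.example/login"):
        print(link, "->", check_link(link) or "looks fine")
```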
The text presents a long list of shopping site scams. The short version of the warning is that there is probably a false version of any site you could imagine, whether it is for shopping, donating money, or any other activity that collects money from a customer/user. Don't be a victim. Suspect any site that promotes a product that is too good to be true.
The text spends a few pages on social networking. As you may have
heard, social network sites are valuable resources for people
doing research on both companies and individuals. Many people
provide more information about themselves than is healthy, and
invest more faith in such sites than they deserve. I will let two
associates make a valid point about this topic.
The text offers a list of categories of criminal activities
that people may use social networking sites to enable. The truth is
that you will find those people in other online venues and in real
life, not just on social networking sites. People seem to have less
incentive to behave themselves in the online worlds, so we hear more
stories about them. There are opportunities for people to do bad
things online (like cyber bullying) that they might not be able to
get away with in real life. People who take their bad actions into
the real world as well (like potential sex offenders looking for
victims) are using what was meant to be a good invention for bad
purposes. Be aware of the categories on pages 64 and 65 for your own
protection and as a caution to make your own behavior better than it
might be in situations where you think there may be nothing to
control it.
The rest of the chapter offers more ways things can go wrong
online, but does not offer many thoughts about dealing with those
things. Some email advice, for example, must be implemented by the
administrator running the email server (e.g. virus filtering).
One thing that is mentioned often is a buffer overflow. Since this topic is rarely explained, and a student recently mentioned the topic to me, I will offer this video from Computerphile, which has the best discussion I have seen about why a buffer overflow could cause code to actually be executed.
Let's move on to the last section of the chapter about the Open
Web Application Security Project (OWASP). The
link in the last sentence will take you to their web site, which I
find a bit hard to navigate. How hard? I could not find the
document the author used with their internal search tool. I used
Google to locate their Top 10 Web Application Security Risks for 2017.
I will upload a copy of the PDF of that document to Module 3 for
this class in Canvas. Oddly, the lists for 2017, 2013, and 2010
all differ from the list presented by our author on pages 70 through
72. I searched again with Google, and this time found a document
about Privacy Risks. This link will take you to a supplementary document that covers countermeasures
for the named risks. A quick reference to the ten intended
categories seems called for:
Web application vulnerabilities - This is addressed in their list of web application security risks, which is updated periodically.
Operator-sided data leakage - This is a slightly formal way of saying to be careful what you upload, post, and share.
Insufficient data breach response - It seems like every
company that suffers a data breach takes longer to announce it,
and does less to help the customers whose data was stolen.
Insufficient deletion of personal data - This refers to people not guarding their own data, and not removing it from their own devices and online devices.
Non-transparent policies, terms, and conditions - The entities
who want our online business should make it clear to us what
they will do with our data. We should be able to make choices
about vendors based on their practices.
Collection of data not required for the primary purpose - It
is a basic policy in database design NOT to collect data we are
not going to use. Deviation from this principle makes the
motives of the collector suspect.
Sharing of data with third party - Published data policies
often state that an entity will share our data with partner
entities. This sounds better than selling our data to anyone who
wants it, which seems to happen frequently as well.
Outdated personal data - The bottom line is that there ought
to be a way to have incorrect and outdated information about
ourselves removed from stored profiles about us. There does not
appear to be a way in most cases.
Missing or insufficient session expiration - There needs to be
a simple way to assure that a user/customer is logged out when
the session is intended to end.
Unsecure data transfer - Most data travels in cleartext. This
should not be so.
Assignments
Continue the reading assignments for the course.
Download the handout files for this module. There are two that pertain to OWASP this week.
Complete the assignment and class discussion in this
module.