ITS 4050 - Internet and Web Security


Chapter 3, Security Considerations for Home and Personal Online Use

This lesson presents some material from chapter 3. Objectives important to this lesson:

  1. Common terms and threats
  2. Securing common activities
  3. Email scams
  4. OWASP Risks Project
Concepts:
Chapter 3

Chapter 3 begins with some concerns about social engineering, which can occur anywhere, so it is a reasonable place to begin. Social engineering is a label applied to any attempt to convince someone to do something that benefits the person asking. Think about that. That definition includes a lot of things that are neither immoral nor illegal. However, in the context of IT security, a social engineer is usually a con artist who asks, fools, convinces, or otherwise manipulates people into revealing secrets or granting access to systems. The text discusses some methods:

  • Shoulder surfing - An attacker observes what a user is doing, typically trying to watch the user enter ID and password information. In an office environment, a user ID is pretty easy for a coworker, or someone who appears to be one, to pick up by other means. The password is the real goal, in that case. In a public setting, the hacker needs the ID as well as the password, and information about what site, application, or network the login information works for. That is a lot to gather in what needs to be a moment's observation. The text points out that hidden cameras can help the hacker get the desired information. A talented hacker might use a cell phone to seemingly take pictures of a partner, while actually shooting video of the intended victim.
  • Dumpster diving - This category covers searching trash for information, harvesting data from discarded technology, and actual theft of technical information and devices while posing as a trash collector.
  • Make a friend - Friends tend to confide in friends, do favors for them, and show off what they know or can do. A hacker may try to become a friend to someone with the next level of access to harvest information from them.
  • Pretext - A pretext is a pretense, a lie of some sort. A pretexting attacker might pretend to be from the IT department, or he/she might instead pretend to be a new user, an assistant to a high level executive, or any other role that seems to fit the situation. Think of Leonardo DiCaprio in Catch Me If You Can, interviewing an airline official to get the information he needed to impersonate a pilot. He was pretexting with the airline official when he pretended to be a reporter for a student newspaper. He then pretended to be a pilot in order to pass bad checks at banks, hotels, and airline counters, which we could say was the real exploit that his initial pretexting led to.
  • Ask for information - Imagine a social engineer asking a user to log in to a "test page", which in reality has the purpose of collecting the user's ID and password. This is similar to phishing, sending email to users that ask them to do the same or similar things.

The text puts particular emphasis on phishing attacks, which can happen to us anywhere because they come through our email accounts. A phishing email often appears to be a real message from someone or some entity that you should know, asking you to provide information, to follow a link, or to make a payment on an account. There is often an element of urgency in the message, which is there to make the reader comply with the request without taking time to think about it or to determine whether the request is legitimate, which it never is. The text presents a list of common scams found in phishing email. Note that this list is always evolving:

  • the message appears to be from an administrator of a network you use
  • the message seems to be from a commonly used web vendor or payment agent, asking you to enter your payment card/bank account information
  • the message pretends to be from your bank or credit card company, and it asks you to verify personal and account information (This one may appear to be from a bank you do not even use. The scammer is playing the odds, hoping that you will be a customer of the large bank/credit card company that is being spoofed.)
  • the message may seem to be from any other company that has a reputation that the reader may trust

The text offers basic advice about any such suspicious email you receive. (You are suspicious, aren't you?)

  • Check the validity of email that asks for personal or financial information
  • Do not follow links in emails that ask for such information. If they appear to be from a reputable source, contact that source by standard means. The link in the email may be a trap.
  • Do not enter personal information in a pop-up. A pop-up can be generated by any running program, not necessarily the one you think it came from.
  • Use protective programs: spam filters, antivirus programs, antispyware, antimalware, and firewalls.
  • The list ends with another standard admonition that I will disagree with. It says "open email attachments only from trusted sources". The problem is that you may not know that the email address of the sender was spoofed by an attacker. Scan all attachments before opening them. Suspect all of them. Most protective software can be configured to scan files before you open them.
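The indicators in the two lists above (a sender you do not actually deal with, a Reply-To that goes somewhere else, pressure language, and a link whose visible text does not match where it really points) can be checked mechanically. The following is an added example written for these notes, not code from the textbook; the two messages, the domains, and the word list are constructed for the demonstration, and the "known domains" set stands in for whatever the reader's real contacts are.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages for this example; addresses and domains are made up.
SUSPICIOUS_EMAIL = """\
From: "First National Bank Security" <alerts@fn-bank-verify.example>
Reply-To: recovery@mailbox.example
To: customer@example.org
Subject: URGENT: verify your account within 24 hours

Your account will be suspended unless you confirm your details immediately.
Click here: <a href="http://fn-bank-verify.example/login">https://www.firstnational.example/secure</a>
"""

LEGITIMATE_EMAIL = """\
From: "First National Bank" <notices@firstnational.example>
To: customer@example.org
Subject: Your monthly statement is available

Your statement for March is ready. Log in at https://www.firstnational.example/ as usual.
"""

# Domains the reader actually does business with (an assumption for this example).
KNOWN_DOMAINS = {"firstnational.example"}

# Pressure phrases typical of the "act now, don't think" element described above.
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended", "verify")


def registered_domain(host: str) -> str:
    """Crude approximation of the registrable domain: the last two labels."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def phishing_indicators(raw_message: str) -> list:
    """Return human-readable warnings; an empty list means no indicator fired."""
    msg = message_from_string(raw_message)
    findings = []

    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    if from_domain and registered_domain(from_domain) not in KNOWN_DOMAINS:
        findings.append(f"sender domain {from_domain!r} is not one you normally deal with")

    # A Reply-To that points elsewhere routes your answer away from the claimed sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply_addr)
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")

    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if len(hits) >= 2:
        findings.append(f"pressure language: {', '.join(hits)}")

    # Compare where a link really goes with where its visible text claims it goes.
    for href, label in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        target = urlparse(href)
        if target.scheme.lower() != "https":
            findings.append(f"link {href!r} does not use HTTPS")
        label = label.strip()
        if "://" in label or label.startswith("www."):
            shown = urlparse(label if "://" in label else "http://" + label)
            if registered_domain(shown.hostname or "") != registered_domain(target.hostname or ""):
                findings.append(f"link text shows {shown.hostname!r} but points to {target.hostname!r}")
    return findings


if __name__ == "__main__":
    for name, mail in (("suspicious", SUSPICIOUS_EMAIL), ("legitimate", LEGITIMATE_EMAIL)):
        print(name, phishing_indicators(mail) or ["no indicators"])
```

None of these checks proves a message is a scam on its own; the point is that several of them firing together is the pattern the text describes, and that the link mismatch in particular is invisible to someone who only reads the visible text.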

If you are having trouble believing that people can get away with this kind of thing, watch this video of a smooth operator using some phone, people, and IT skills.


On page 56, the text discusses identity theft, which is the goal of many attacks on computer systems. The text presents a list of personally identifying information (PII) that can be used to impersonate someone. As we saw in the video above, the hacker had little trouble getting more information and more access to an account just by telling a believable story and presenting a little information that the vendor already had on file.

On page 57, the text offers a list of good practices to follow regarding personal information and online habits. Here are a few of them:

  • Use strong passwords and change them regularly. A stolen password is of little use to the thief if you have changed it.
  • The text says to restrict data sent over public wireless access points. We should go a bit further: never send personal or identifying data over an unencrypted channel.
  • Clear a computer's browser cache after each session, especially if it is a shared computer. You might be surprised how many security students find information on classroom computers belonging to students who used those computers earlier in the day. Sign out of accounts when you are done with a session, rather than just closing the browser.
  • The text presents a topic box on page 59 about wi-fi eavesdropping. Are you aware that there is no actual law against eavesdropping on signals sent to an unencrypted public access point? This seems strange when you first learn about it, and it seems like a terrible mistake when you think about it for a minute. Use encrypted channels, or don't use wireless.
  • Make regular backups. Be ready to wipe your computer and restore from a backup if necessary. The text references cases in which ransomware encrypted a system and the only choices were to wipe and restore or to pay the ransom to the attacker. The problem with paying the ransom is that you have no guarantee that your system will be decrypted or that the attacker will not repeat the attack in the future. Wiping and restoring, however, presumes that you have a backup, and that it was made before the ransomware was placed in the system. If it was not, the backup will be of no use.

The text turns to discussions of common Internet activities that can be done more safely:

  • Connect to web sites with HTTPS instead of HTTP. The secure version of the protocol avoids sending data in plaintext. However, this does not guarantee that you are connected to a legitimate site. See this article on Krebs on Security about an increasing number of phishing sites using HTTPS.
  • Learn to recognize phishing scams. Do not be a phish.
  • Read the URL in the address line when you go to a web site. Make sure you are on the intended site, not one with a similar name that is being run by someone harvesting personal information.
  • Update your antivirus and antimalware programs regularly, and use them. It is much better to pay a fee for the versions that provide automatic updates and automatic scanning. The ones that require a manual update and manual scans depend on you doing something you are usually in too much of a hurry to do.
  • The text presents a long list of shopping site scams. The short version of the warning is that there is probably a false version of any site you could imagine, whether it is for shopping, donating money, or any other activity that collects money from a customer/user. Don't be a victim. Suspect any site that promotes a product that is too good to be true.
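Two of the items above, using HTTPS and reading the address line to make sure you are on the intended site rather than a similarly named one, can be turned into a concrete check. The following is an added example for these notes, not code from the textbook or from OWASP; the trusted domain list is an assumption standing in for the sites the reader actually uses, and the `.example` names are reserved test domains. It flags the common look-alike tricks: a familiar brand used only as a subdomain of some other domain, a brand name embedded in a longer registered name, a name one or two characters away from the real one, and user information placed before the real host.

```python
from urllib.parse import urlparse

# Sites the reader actually intends to visit (an assumption for this example).
TRUSTED_DOMAINS = {"mybank.example", "paypal.example", "shopmart.example"}


def registrable(host: str) -> str:
    """Crude 'last two labels' approximation of the domain somebody actually registered."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance between domain names suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect_url(url: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return warnings about a URL; an empty list means HTTPS to a trusted registrable domain."""
    p = urlparse(url)
    warnings = []
    if p.scheme.lower() != "https":
        warnings.append(f"scheme is {p.scheme or 'missing'}, not https")
    if p.username is not None:
        # In https://paypal.example@evil.example/ the browser ignores everything before '@'.
        warnings.append(f"text before '@' ({p.username!r}) is not the host; the host is {p.hostname!r}")
    host = (p.hostname or "").lower()
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        warnings.append("internationalised host name: check for look-alike characters")
    reg = registrable(host)
    if reg in trusted:
        return warnings
    lookalike = False
    for t in sorted(trusted):
        brand = t.split(".")[0]
        if brand in labels[:-2]:
            warnings.append(f"{brand!r} is only a subdomain; the site you would reach is {reg!r}")
            lookalike = True
        elif brand in reg:
            warnings.append(f"{reg!r} contains {brand!r} but is not {t!r}")
            lookalike = True
        elif levenshtein(reg, t) <= 2:
            warnings.append(f"{reg!r} is within 2 edits of {t!r} (possible typosquat)")
            lookalike = True
    if not lookalike:
        warnings.append(f"{reg!r} is not on your trusted list")
    return warnings


if __name__ == "__main__":
    for u in ("https://www.paypal.example/signin",
              "http://www.paypal.example/signin",
              "https://paypal.example.evil.example/login",
              "https://paypa1.example/",
              "https://paypal.example@evil.example/"):
        print(u, "->", inspect_url(u) or ["looks fine"])
```

The "last two labels" rule is deliberately simple; real software uses the Public Suffix List so that names such as `example.co.uk` are handled correctly. The useful habit the example reinforces is reading from the right-hand end of the host name, because that is the part that decides where you really are.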

The text spends a few pages on social networking. As you may have heard, social network sites are valuable resources for people doing research on both companies and individuals. Many people provide more information about themselves than is healthy, and invest more faith in such sites than they deserve. I will let two associates make a valid point about this topic.



The text offers a list of categories of criminal activities that people may use social networking sites to enable. The truth is that you will find those people in other online venues and in real life, not just on social networking sites. People seem to have less incentive to behave themselves in online worlds, so we hear more stories about them. There are opportunities for people to do bad things online (like cyberbullying) that they might not be able to get away with in real life. People who take their bad actions into the real world as well (like potential sex offenders looking for victims) are using what was meant to be a good invention for bad purposes. Be aware of the categories on pages 64 and 65 for your own protection, and as a caution to make your own behavior better than it might be in situations where you think there may be nothing to control it.

The rest of the chapter offers more ways things can go wrong online, but does not offer many thoughts about dealing with those things. Some email advice, for example, must be implemented by the administrator running the email server (e.g. virus filtering).

One thing that is mentioned often is a buffer overflow. Since this topic is rarely explained, and a student recently mentioned the topic to me, I will offer this video from Computerphile, which has the best discussion I have seen about why a buffer overflow could cause code to actually be executed.

Let's move on to the last section of the chapter about the Open Web Application Security Project (OWASP). The link in the last sentence will take you to their web site, which I find a bit hard to navigate. How hard? I could not find the document the author used with their internal search tool. I used Google to locate their Top 10 Web Application Security Risks for 2017. I will upload a copy of the PDF of that document to Module 3 for this class in Canvas. Oddly, the lists for 2017, 2013, and 2010 all differ from the list presented by our author on pages 70 through 72. I searched again with Google, and this time found a document about Privacy Risks. This link will take you to a supplementary document that covers countermeasures for the named risks. A quick reference to the ten intended categories seems called for:

  1. Web application vulnerabilities - This is addressed by their Top 10 Web Application Security Risks list, which is updated periodically.
  2. Operator-sided data leakage - This is a slightly formal way of saying to be careful what you upload, post, and share.
  3. Insufficient data breach response - It seems like every company that suffers a data breach takes longer to announce it, and does less to help the customers whose data was stolen.
  4. Insufficient deletion of personal data - This refers to people not guarding their own data, and not removing it from their own devices and from online services.
  5. Non-transparent policies, terms, and conditions - The entities who want our online business should make it clear to us what they will do with our data. We should be able to make choices about vendors based on their practices.
  6. Collection of data not required for the primary purpose - It is a basic policy in database design NOT to collect data we are not going to use. Deviation from this principle makes the motives of the collector suspect.
  7. Sharing of data with third party - Published data policies often state that an entity will share our data with partner entities. This sounds better than selling our data to anyone who wants it, which seems to happen frequently as well.
  8. Outdated personal data - The bottom line is that there ought to be a way to have incorrect and outdated information about ourselves removed from stored profiles about us. There does not appear to be a way in most cases.
  9. Missing or insufficient session expiration - There needs to be a simple way to assure that a user/customer is logged out when the session is intended to end.
  10. Insecure data transfer - Most data travels in cleartext. This should not be so.
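Item 9, session expiration, is the one in this list that a developer can implement directly, so here is an added example for these notes (not code from the textbook, OWASP, or any particular framework) of what "a simple way to assure that a user is logged out when the session is intended to end" looks like on the server side. The timeout values are assumptions chosen for the demonstration; the clock is injectable so that expiry can be exercised without waiting hours.

```python
import secrets
import time
from dataclasses import dataclass

# Timeouts chosen for this example; real values depend on how sensitive the application is.
IDLE_TIMEOUT = 15 * 60           # seconds without activity before the session dies
ABSOLUTE_LIFETIME = 8 * 60 * 60  # seconds after login before the session dies regardless


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """Server-side session table with idle expiry, absolute expiry, and explicit logout."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested without waiting
        self._sessions = {}

    def create(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # unguessable identifier, never derived from user data
        now = self._clock()
        self._sessions[token] = Session(user, now, now)
        return token

    def lookup(self, token: str):
        """Return the user for a live session, or None; expired sessions are removed on sight."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_LIFETIME:
            del self._sessions[token]
            return None
        s.last_seen = now
        return s.user

    def logout(self, token: str) -> None:
        """Explicit logout removes the server-side record, so a copied cookie is useless afterwards."""
        self._sessions.pop(token, None)

    def purge_expired(self) -> int:
        """Housekeeping for sessions nobody touched again; returns how many were dropped."""
        now = self._clock()
        dead = [t for t, s in self._sessions.items()
                if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_LIFETIME]
        for t in dead:
            del self._sessions[t]
        return len(dead)


class FakeClock:
    """Manually advanced clock for the demonstration below."""

    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo() -> dict:
    clock = FakeClock()
    store = SessionStore(clock=clock)
    results = {}
    tok = store.create("alice")
    clock.advance(14 * 60)
    results["alive_after_14_min_idle"] = store.lookup(tok) == "alice"
    clock.advance(16 * 60)
    results["dead_after_16_min_idle"] = store.lookup(tok) is None
    tok = store.create("bob")
    for _ in range(34):                  # 34 x 14 min = 476 min of steady activity
        clock.advance(14 * 60)
        assert store.lookup(tok) == "bob"
    clock.advance(14 * 60)               # now 490 min since login: absolute limit exceeded
    results["dead_after_absolute_lifetime"] = store.lookup(tok) is None
    tok = store.create("carol")
    store.logout(tok)
    results["dead_after_logout"] = store.lookup(tok) is None
    return results


if __name__ == "__main__":
    print(demo())
```

The absolute lifetime is the part most often missing: an idle timeout alone lets a session that is kept busy live forever, which is exactly the "insufficient expiration" the OWASP item is about. The "Sign out of accounts when you are done" advice earlier in these notes depends on the logout call removing the server-side record, not merely deleting the cookie in the browser.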


Assignments

  1. Continue the reading assignments for the course.
  2. Download the handout files for this module. There are two that pertain to OWASP this week.
  3. Complete the assignment and class discussion in this module.