Computer Security

Computer Security. What is Information Security? The protection of the information assets stored within your computer, against unauthorized access


What is Information Security?

• The protection of the information assets stored within your computer, against unauthorized access.


Personal Computer Security

• Theft – The illegal taking of someone’s property.

• Physical – laptop, desktop
  – Remedies: LoJack, LaptopCop, and STOP.

• Electronic (hard to trace)
  – Password protection, anti-virus, spyware, firewall

• Intellectual – “social engineering”
  – Never disclose information to an unknown party

Electronic Theft

• Unauthorized Access – when a person who does not have permission to connect to or use a computer gains entry in a manner unintended by the computer owner.


Responsibility of Users

Maintain Operating System
– Stay current on security updates and patches

Check your system for viruses
– Scan your system every day, and stay current on updates

Block Spyware and Identity Theft
– Keep your information private!

“Security holes are discovered daily in operating systems and programs. A secure system today may not be a secure system tomorrow.”


Responsibility of Users (cont.)

Use a correctly configured firewall
– A poorly configured firewall is almost worse than having nothing.

Practice safe computing
– Make sure that if you’re sending sensitive personal information, your connection is secure (SSL); a closed padlock icon appears on the status bar and the address will start with https:// rather than http://
– Use passwords to protect access to your PC and do change them regularly.
– Make frequent back-up copies of your data and store them in a safe place.
– DON’T open e-mail attachments if you don't know what's in the attachment.

Stay involved in protecting your system!!!


Identity Theft

• Failure to be responsible about protecting your PC could result in horrible loss.

• One online transaction using a debit card is all an attacker needs.
  – Use only credit cards to purchase online.
  – ShopSafe® is a free service that allows you to create a temporary card number each time you make an online purchase. (Bank of America)

• Always sign out of any online account after use and always delete the “cookies” before exiting the web browser.


Wi-Fi SideJacking

• This technique proves that attackers can not only sniff, but grab, a victim's online account. i.e.

• The attacker can exploit the victim's previously established access to the site to change passwords, post mail messages, download files, or take any other action offered by that website.

Protection - HotSpotVPN

SideJacking - the process of sniffing session cookies (which store user credentials), then replaying them to clone another user's web session.


SideJacking (cont.)

• SideJacking works only if a non-SSL (non-secure) cookie is caught, so any Web site that uses SSL exclusively would be safe from SideJackers… or so we think.

is still vulnerable to SideJacking despite SSL (being a secure site with a lock in the bottom corner of the page and begins with https://)

Best Protection

Despite the possibility of still being SideJacked, enabling the HTTPS setting in Gmail is your best option. Directions are provided in Handout
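Whether a site that shows the padlock can still leak a session cookie comes down to whether each cookie carries the Secure attribute; without it, the browser also sends the cookie on any plain http:// request to that site. The following is an added example, not part of the original slides, that audits Set-Cookie headers; the sample response, cookie names and function names are assumptions constructed for illustration.

```python
# Added example: audit Set-Cookie headers for cookies a sniffer could capture.
# The response headers below are constructed sample data, not from a real site.

SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: SESSIONID=abc123; Path=/
Set-Cookie: prefs=dark; Path=/; Secure
Set-Cookie: AUTH=xyz789; Path=/; Secure; HttpOnly
"""


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, set of lowercase attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_cookies(raw_headers):
    """Return {cookie name: [findings]} for every Set-Cookie header."""
    report = {}
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        findings = []
        if "secure" not in attrs:
            # Without Secure the browser also sends the cookie over http://,
            # where anyone on the same Wi-Fi network can read it.
            findings.append("missing Secure: sent in cleartext over HTTP")
        if "httponly" not in attrs:
            findings.append("missing HttpOnly: readable by page scripts")
        report[name] = findings
    return report


def sidejackable(raw_headers):
    """Names of cookies that would travel unencrypted, sorted."""
    return sorted(n for n, f in audit_cookies(raw_headers).items()
                  if any(x.startswith("missing Secure") for x in f))


if __name__ == "__main__":
    for name, findings in audit_cookies(SAMPLE_HEADERS).items():
        print(name, "->", findings or "ok")
```

A site owner can run the same check against their own login response; any session cookie reported by `sidejackable` should be reissued with the Secure attribute.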


Malicious Code

• Deliberate software attacks that occur when an individual or group designs software to attack a system

• They are designed to damage, destroy, or deny service to the systems.


Email Hazards

• Email and attachments have become a popular way of gaining entry into one’s network/computer.

• There are many different methods of obtaining this access.


Spyware

• Any technology that aids in gathering information about a person or organization without their knowledge

• It is placed on a computer, gathers the information, and transfers it back to the offender

• Examples include a tracking cookie, which is placed on the user’s computer to track their activity on different Web sites and create a detailed profile of them


Viruses

• A computer virus attaches itself to a program or file enabling it to spread from one computer to another, leaving infections as it travels

• Like a human virus, a computer virus can range in severity; it can damage software or files

• Almost all viruses are attached to an executable file, which means the virus may exist on your computer but it actually cannot infect your computer unless you run or open the malicious program.


Viruses through Attachments

• The most common method of virus transmission

• Opening e-mail attachment files

• Once opened it can replicate itself and damage the entire operating system


Worms

• Similar to a virus by design, and considered to be a sub-class of a virus

• A worm spreads from computer to computer, but unlike a virus, it has the capability to travel without any human action

• The biggest danger with a worm is its capability to replicate itself on your system. So it could send thousands of copies of itself throughout your system.


Spam

• Unsolicited commercial email.

• More of a nuisance than an attack

• The worst consequences are waste of the computer and human resources.


Trojan Horse

• The Trojan Horse, at first glance, will appear to be useful software but will actually do damage once installed or run on your computer

• The results can vary
  • Known to create a backdoor on your computer that gives someone access to your system.
  • Can allow access to personal information.


Back doors

• Use a known or previously unknown and newly discovered access mechanism to gain access to a system or network resource.

• Very difficult to detect

• It can be a program installed on a computer.

• It can be an entrance obtained by a previous attack such as a worm.


Sniffers

• A program or device that can monitor data traveling over a network.

• Can be used to steal information such as passwords, the data inside files, and screens full of sensitive data from applications such as bank information.


Information Extortion

• Occurs when an attacker or trusted insider steals information from a computer system and demands something in return for it so they do not disclose the information.

• Common with Credit Card theft


Password Attacks

• Attempting to reverse-calculate a password is often called cracking.

• Completed when a copy of the Security Account Manager data file can be obtained

• Brute force attack is the application of computing and network resources to try every possible combination of options of a password.


Password Power


Password Power (cont.)


Do you recognize this picture?


You Should


Going Phishing…

Phishing - The attempt to fraudulently acquire sensitive information by masquerading as a trustworthy person in a seemingly official communication.

• Each one of these people accepted “Jimmy” as their friend and yet had no idea who Jimmy was. Nor did they ask questions.


Incriminating Photos/Info

While this photo looks innocent enough it tells a lot about the individual. A predator now knows that Emily is a cheerleader for Eldorado and has better insight on how to find her.

“Dad not going to lie to you. Some of us are drunk today.”

“DAWSON: To be the best at every possible thing. Including sex.”

“You know, get a couple of cocktails in me, start a fire in someone's kitchen. Maybe go to SeaWorld, take my pants off.”


Information Gathering

We now know that Emily and Whitney are best friends, and that they both like to sing in Geissler’s… Let's hear it!


Public Information


Watch Yourself

• When you provide personal information to the public (Internet), any person can maliciously use that content against you, whether for personal gain (identity theft) or with intent to act upon it (sexual predator).

• MySpace revealed that 90,000 registered sex offenders have been kicked off its site in the past two years. Evidence suggests that a portion of them are now on Facebook.

• Nearly 10 million Americans a year are victims of identity theft.

http://www.techcrunch.com/2009/02/03/thousands-of-myspace-sex-offender-refugees-found-on-facebook/


Keep Watching Yourself

• Employers look at Myspace and Facebook profiles for potential employees.

1) Identifying potential job candidates. Employers may use these social electronic databases to search for individuals with a certain level of education, work experience, personal interests, and/or anything else that might be a company asset.

2) Background checking, where "disqualifying information" may be available, such as proof of illegal drug use or behavior the company would consider undesirable in an employee.

http://hubpages.com/hub/How_employers_look_at_Myspace_and_Facebook_pages


Final Thought

• THINK before you ACT.

– Information that is posted about you on the Internet becomes public, even if this information is stored on a private profile.

– Become aware of your activity on the Internet and check for suspicious activity within your accounts. i.e. Jimmy Smith

– Become a RESPONSIBLE USER!


Resources

• Whitman, Michael E., and Herbert J. Mattord. Principles of Information Security, 3rd Edition. Printed in Canada, 2009.
• http://profile.myspace.com/index.cfm?fuseaction=user.viewProfile&friendID=430629858
• http://profile.myspace.com/index.cfm?fuseaction=user.viewProfile&friendID=81714953
• http://www.helium.com/items/948377-basic-principles-of-computer-security?page=3
• http://www.sysmod.com/free-home-computer-security.htm
• http://news.cnet.com/8301-1009_3-10019710-83.html
• http://www.washingtonpost.com/wp-dyn/content/article/2007/08/03/AR2007080301956.html
• http://www.derkeiler.com/Mailing-Lists/securityfocus/pen-test/2009-02/msg00086.html
• http://itmanagement.earthweb.com/secu/article.php/3694671
• http://www.techcrunch.com/2009/02/03/thousands-of-myspace-sex-offender-refugees-found-on-facebook/
• http://www.spamlaws.com/id-theft-statistics.html
• http://hubpages.com/hub/How_employers_look_at_Myspace_and_Facebook_pages
• http://arstechnica.com/business/news/2008/02/report-google-mail-vulnerable-to-sidejacking-despite-ssl.ars


Resources (cont.)

• http://www.anchorfree.com/downloads/hotspot-shield/
• http://www.hotspotvpn.com/
• http://uk.trendmicro-europe.com/consumer/products/housecall_launch.php
• http://free.grisoft.com/freeweb.php
• http://www.avast.com/eng/free_virus_protectio.html
• http://www.lavasoftusa.com/software/adaware/
• http://www.stoptheft.com/site/index.php
• http://www.laptopcopsoftware.com/
• http://www.lojackforlaptops.com/
• http://us.trendmicro.com/us/home/