Computer Vulnerabilities 1. Overview 2. Threats to Computer Systems 3. How Hackers Work 4. Using the Internet Securely 5. How We Make It Easy for the Hackers 6. “Cookies” 7. Weak Passwords 8. E-Mail Pitfalls 9. “Social Engineering” 10. Viruses & Other “Infections” 11. P2P 12. Insecure Modems 13. Security of Hard Drives 14. Security of Laptops

Apr 01, 2015


Kiley Conway
Transcript
Page 1

Computer Vulnerabilities

1. Overview

2. Threats to Computer Systems

3. How Hackers Work

4. Using the Internet Securely

5. How We Make It Easy for the Hackers

6. “Cookies”

7. Weak Passwords

8. E-Mail Pitfalls

9. “Social Engineering”

10. Viruses & Other “Infections”

11. P2P

12. Insecure Modems

13. Security of Hard Drives

14. Security of Laptops

Page 2

Overview

Computers concentrate tremendous amounts of data in one location where it is vulnerable to unauthorized disclosure, modification, or destruction. The greater the concentration, the greater the consequences of any security breach.

The dramatic increase in interconnections between computer networks, and the popularity of the Internet, have made it easier for countries, groups, or individuals with malicious intentions to intrude into inadequately protected systems. They can use that access to steal or make unauthorized changes in sensitive information, commit fraud, or disrupt operations.

Threats to Computer Systems describes the changing face of computer crime. The ego-oriented and attention-seeking adolescents who steal information as trophies to demonstrate their prowess are still common. However, the field is becoming dominated by professionals who steal information for sale and disgruntled employees who damage systems or steal information for revenge or profit.

The common saying that "security is everyone's responsibility" is especially true with computer security. It is essential that you understand the vulnerabilities of this new medium that is changing the world because YOU -- unknowingly -- can endanger your entire computer network. Your network is only as secure as its weakest link. The people who use the computers can be just as damaging as weaknesses in the software or hardware.

Page 3

Threats to Computer Systems

The nature of computer crime has changed over the years as the technology has changed and the opportunities for crime have changed. Although thrill-seeking adolescent hackers are still common, the field is increasingly dominated by professionals who steal information for sale and disgruntled employees who damage systems or steal information for revenge or profit.

When Willie Sutton was asked why he robbed banks, he replied, "because that's where the money is." People attack computers because that's where the information is, and in our hyper-competitive, hi-tech business and international environment, information increasingly has great value. Some alienated individuals also gain a sense of power, control, and self-importance through successful penetration of computer systems to steal or destroy information or disrupt an organization's activities.

A common view of computer security is that the threat comes from a vast group of malicious hackers "out there." The focus of many computer security efforts is on keeping the outsiders out -- through physical and technical measures such as gates, guards, locks, firewalls, passwords, etc.

Yet, while the threat from outsiders is indeed as great as generally believed, the malicious insider with approved access to the system is an even greater threat! This discussion treats the insider threat and the outsider threat separately.

Page 4

Insider Threat to Computer Security

Survey after survey has shown that most damage is done by insiders -- people with authorized access to a computer network. Many insiders have the access and knowledge to compromise or shut down entire systems and networks.

The Computer Security Institute and FBI cooperate to conduct an annual CSI/FBI Computer Crime and Security Survey of U.S. corporations, government agencies, financial institutions, and universities.[1] Of the information security professionals who responded to this survey, 80% cited disgruntled and dishonest employees as the most likely source of attack on their computer system.

Fifty-five percent of respondents reported unauthorized access by insiders, as compared with 30% reporting system penetration by outsiders. Many companies reported multiple instances of unauthorized access or system penetration.

As discussed in Reporting Improper, Unreliable, and Suspicious Behavior, you are expected to report potentially significant, factual information that comes to your attention and that raises potential concerns about computer security. Reportable behaviors include the following:

– Unauthorized entry into any compartmented computer system.
– Unauthorized searching/browsing through classified computer libraries.
– Unauthorized modification, destruction, manipulation, or denial of access to information residing on a computer system.
– Storing or processing classified information on any system not explicitly approved for classified processing.
– Attempting to circumvent or defeat security or auditing systems, without prior authorization from the system administrator, other than as part of legitimate system testing or security research.
– Any other willful violation of rules for the secure operation of your computer network.

Page 5

Outsider Threat to Computer Security

The Internet has become a boon to intelligence collectors worldwide. Your computer network is at risk from many types of outsiders.

– Freelance information brokers.
– Foreign or domestic competitors.
– Military services from adversary nations who are developing the capability to use the Internet as a military weapon.
– Terrorist organizations for which organized hacking offers the potential for low cost, low risk, but high gain actions.
– Crime syndicates and drug cartels.
– Hobbyist hackers who penetrate your system for sport or to do malicious damage.
– Common thieves who specialize in stealing and reselling laptop computers.

Break-ins occur at an alarming rate because the Internet provides an especially comfortable and interesting place for hackers. The Internet was not designed with security in mind. It is a large, intricate network with many software flaws. It is easy to remain anonymous on the net. Because everything is interconnected, everything is vulnerable, and an expert intruder can cover his or her tracks by weaving a trail through a dozen systems in several different countries. Many hacker tools that required in-depth knowledge a few years ago have been automated and have become easier to use.

Page 6

How Hackers Work

When linked to the Internet, you are linked to computers throughout the world – and, more important, they are linked to you. It’s not apparent to the computer user, but any link to a site on the Internet is a potential two-way street!

Expert hackers create and pass on to others sophisticated software tools to exploit both human and technical weaknesses in the security of computer systems -- password crackers, war dialers, vulnerability scanners, sniffers, IP spoofers, and others. Because many of these tools are available on the Internet, relative newcomers can download and use them, raising the level of sophistication of hackers of all types.

The hacker’s first goal is to get access to your network in order to read your files. Ineffective passwords, insecure modems, and what the hackers call “Social Engineering” often provide the first opening to a system.

Page 7

How Hackers Work Cont.

Once inside the system, the hacker’s second goal is to get what is called "root" access. That usually requires finding a technical weakness. Root access means the hacker has unrestricted access to the inner workings of the system. With root access the hacker can:

– Copy, change or delete any files.
– Authorize new users.
– Change the system to conceal the hacker’s presence.
– Install a "back door" to allow regular future access without going through log-in procedures.
– Add a "sniffer" to capture the User IDs and passwords of everyone who accesses the system.
– Use the captured User IDs and passwords to attack the networks of other organizations to which the captured User IDs and passwords provide approved access.

The initial foothold into the system is the toughest part. Often, the hacker will be working via the Internet, which is open to everyone, and will be trying to penetrate a network that is protected by a "firewall." A firewall is a series of programs and devices intended to protect a network from outside intruders. A strong firewall will identify and authenticate users trying to access the network from outside, thus limiting access to authorized persons. Sometimes the hacker is an insider, an employee already behind the firewall who has authorized access to one part of the system and then hacks his or her way into other protected files within the system.

The hacker’s success in breaching the firewall often comes from some form of human failure -- especially weaknesses caused inadvertently by lack of computer security education, carelessness, or gullibility of computer users. Technical weaknesses in the system obviously play a role, but even those may be traceable to some form of human error, such as employee susceptibility to “Social Engineering” or a systems administrator’s failure to update the firewall software promptly each time the hackers expose a weakness and the manufacturer makes a patch available to plug the hole.

Page 8

How We Make It Easy for the Hackers

Too many computer users assume their system administrator and the software developers do everything necessary to keep their network safe. They don’t think they need to worry about security. THEY ARE WRONG. A network, and every computer on it, is only as secure as its weakest link. You need to make certain that your network's weakest link is not YOU.

A review of how hackers work shows that uninformed or careless actions by well-intentioned computer users can undermine the security of your entire network.

Here are some of the mistakes that computer users make too often, and which the hackers and other computer criminals exploit. Each of these is discussed in a separate topic.

– Using a weak or ineffective password. You need to understand how to select a strong password and why PASSWORDS ARE IMPORTANT.

– Using an unauthorized or insecure modem. A password and a modem phone number is often all it takes for a hacker to penetrate your company's firewall. Hackers use a tool called a "war-dialer" to identify modems.

– Responding to people who ask apparently innocent questions about you or your computer. Hackers often use a plausible pretext to elicit key information from well-meaning but naive employees – a technique that hackers call “Social Engineering”.

– Exposing your system to viruses.

The goal is that you understand your role in protecting the security of the network as a whole. Protecting the network is not just the job of the technical people. Security is everyone's responsibility.

Page 9

Using the Internet Securely

You can do many interesting and useful things on the Internet, both in the office and at home, and you can do them securely -- if you understand and avoid certain risks. The two main security risks are drawing attention to yourself as a potential target for intelligence exploitation and unintentional compromise of sensitive information.

The greatest risk is probably downloading files, as discussed in Viruses and Other "Infections". The wealth of free software available for downloading from the Internet is exciting but does pose risks. Many organizations explicitly prohibit downloading and running software from the Internet. If you want to download a program, check with your system administrator.

When logging in to an Internet site that requires a password and user ID, do not use the same password that you use to log on to your office network. The password for your office network requires the utmost protection, while the password used to log in to an external web site is vulnerable to interception unless it is encrypted. Compromise of the one should not compromise the other.

The rapid growth of Internet commerce is driving the development of additional security measures. Protection mechanisms such as Secure Sockets Layer (SSL) and Secure Electronic Transaction (SET) are growing rapidly. SSL sits "between" your web browser and the web server you are communicating with. It can exchange verification of both parties to the communication. It then encrypts sensitive information such as credit card data when making a purchase or personal information filled in on a form to register with a site. SET uses digital signatures to ensure that Internet credit card users and merchants are who they say they are. With SET, your credit card number is never stored on the merchant's computer.

Most browsers have a padlock or key symbol in the lower left corner of the screen to show the security status of the connection. When the padlock is open or the key is broken, no special security precautions are in effect. When the padlock is closed or the key is unbroken, information is being encrypted. The number of teeth in the key signifies the level of encryption. One tooth signifies a 40-bit key; two teeth means a 128-bit key.
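The padlock and key-strength check described above can also be done programmatically. The following is an added example, not part of the original slides: it uses Python's standard `ssl` module to classify a negotiated connection and to sort cipher suites by effective key strength. The function names and the sample cipher entries are constructed for illustration.

```python
import ssl

# Threshold taken from the slide: 128-bit keys ("two teeth") are the
# strong case; 40-bit keys ("one tooth") fall well below it.
STRONG_BITS = 128


def padlock_status(negotiated):
    """Map a negotiated cipher to the padlock states described in the slide.

    `negotiated` is the (name, protocol, secret_bits) tuple returned by
    ssl.SSLSocket.cipher(), or None when no encrypted session exists.
    """
    if negotiated is None:
        return "open padlock: not encrypted"
    name, protocol, bits = negotiated
    if bits >= STRONG_BITS:
        return f"closed padlock: {bits}-bit {name} over {protocol}"
    return f"closed padlock, weak key: {bits}-bit {name} over {protocol}"


def audit_ciphers(ciphers, min_bits=STRONG_BITS):
    """Split cipher entries (shape of SSLContext.get_ciphers()) by strength."""
    report = {"strong": [], "weak": []}
    for entry in ciphers:
        bucket = "strong" if entry["strength_bits"] >= min_bits else "weak"
        report[bucket].append((entry["name"], entry["strength_bits"]))
    return report


def hardened_client_context():
    """Client context that verifies the server and refuses legacy protocols."""
    ctx = ssl.create_default_context()            # certificate and hostname checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no SSLv3, TLS 1.0 or TLS 1.1
    return ctx


# Constructed sample in the shape get_ciphers() returns, mixing legacy
# export-grade and single-DES suites with modern ones.
SAMPLE_CIPHERS = [
    {"name": "EXP-RC4-MD5", "protocol": "SSLv3", "strength_bits": 40},
    {"name": "DES-CBC-SHA", "protocol": "SSLv3", "strength_bits": 56},
    {"name": "AES128-SHA", "protocol": "TLSv1.2", "strength_bits": 128},
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "protocol": "TLSv1.2",
     "strength_bits": 256},
]


if __name__ == "__main__":
    # Audit the constructed sample, then the suites this machine would offer.
    print("sample weak suites:", audit_ciphers(SAMPLE_CIPHERS)["weak"])
    local = audit_ciphers(hardened_client_context().get_ciphers())
    print("local strong suites:", len(local["strong"]))
    print("local weak suites:  ", local["weak"])
    print(padlock_status(("EXP-RC4-MD5", "SSLv3", 40)))
    print(padlock_status(None))
```

On a live connection, pass the result of `SSLSocket.cipher()` to `padlock_status` after the handshake completes.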

Page 10

Using the Internet Securely Cont.

Chat Rooms, News Groups, Bulletin Boards

Chatting on the Internet or posting messages to news groups or bulletin boards might seem like a private pastime, but it is in fact a very public activity. Messages sent to "Usenet" discussion groups are broadcast to anyone, anywhere in the world, who wants to receive them. These messages are archived so that they are readily searchable by the public. The Deja.com archive contains messages going back to March 1995.

Foreign intelligence collectors and investigators collecting competitive intelligence regularly troll bulletin board, chat room and newsgroup postings to identify individuals or information of potential interest. If someone on the Internet finds that, because of the information you offer, you could be a good "source," he or she will have no problem finding out more about you.

A knowledgeable information collector can identify a great deal of information about you with little more than your e-mail address and a newsgroup or chat room posting. One can probably obtain from online sources your address, phone number, vehicle license plate number, social security number, date of birth, name of employer, eye color, weight, credit report, real estate ownership records, and the names, addresses, and phone numbers of nine to fourteen of your neighbors who may then be called for additional information about you.

Once you are identified as a potential target, a knowledgeable information collector may search for and read your newsgroup, bulletin board, and chat room postings.

– Do not post any information on the Internet that calls attention to yourself as a person with access to proprietary or classified information. This could cause you to become a target.

Page 11: Computer Vulnerabilities 1. 1.Overview 2. 2.Threats to Computer Systems 3. 3.How Hackers Work 4. 4.Using the Internet Securely 5. 5.How We Make It Easy.

Using the Internet Securely Cont.Using the Internet Securely Cont. Chat Rooms, News Groups, Bulletin BoardsChat Rooms, News Groups, Bulletin Boards

– Do not try to impress others with how much you know. Specifically: Do not try to impress others with how much you know. Specifically:

Do not express any opinion in a way that implies you have insider information, and therefore that Do not express any opinion in a way that implies you have insider information, and therefore that your opinion merits greater credence than the opinions of others. your opinion merits greater credence than the opinions of others.

Do not imply or state outright that you have access to proprietary or classified information. A statement such as "I can't say any more, because I have a clearance" is an example of security consciousness gone awry. It targets you as a holder of classified information.

Do not provide information about your work, your employer, or job location.

– The greatest risk on the Internet is when you "chat" in real time with other users, using typed input that is relayed back and forth. There are several reasons why this can be dangerous:

Live chat does not allow you time to think carefully before you respond. Once the message is sent, it's gone forever.

What starts out as a casual information exchange can quickly lead to much more.

Your message on the Internet may be read by tens of thousands of people worldwide.

When chatting online or exchanging e-mail, remember that the people you are communicating with are not always who they seem to be. You don't even know what country they are in. Although there are country codes for Internet addresses, they are not always used. For example, America Online is international, and you don't know the home country of a person with an aol.com e-mail address.

Some messages are sent anonymously. Unfortunately, it is not always possible to know which are and which are not. Reputable "remailers" who forward mail anonymously make it clear that their messages are anonymous. Less responsible remailers, however, substitute phony names and addresses, but do not so indicate. Because messages can be forwarded from anywhere to anywhere, you cannot assume anything about message origins. Be wary of responding to messages from anyone whom you do not know personally.

“Cookies”

Cookie is the deceptively sweet name for a small file that may be placed on your computer’s hard drive, often without your knowledge, when you visit a web site. The cookie is a unique identifier that enables the site to which you are linked to recognize that you have been there before. It enables the site to which you are linked to keep track of you as you go to different pages on that site, or to other sites, and to retrieve from its database any record of your previous visit or visits to the site.

Cookies are a reminder that surfing the web is not an anonymous activity. Your movements in cyberspace can be and often are tracked.

Privacy Issues

– Cookies are controversial because they raise privacy issues. They are put on your computer without your explicit approval and are used to track where you go on the Internet. Most sites track your movements only within their site, but online advertising agencies with multiple clients track your movements among all their clients’ sites. When you register to use many sites and services you are required to provide demographic information about yourself, often including your name, or an e-mail address that can lead to identification of your name.

– There is concern that dossiers of personal information on individuals and their behavior in cyberspace could be compiled, sold to advertisers or insurance companies, and used in ways that violate one’s right to privacy. Privacy advocates argue that online marketers should be kept out of the "cookie jar," and they urge Internet surfers to "toss their cookies" to protect themselves from the "Cookie Monster."

– There is no question that cookies, and the information they enable others to collect, could be misused. The open questions are: How often is this information actually being misused? And how much of a threat does this represent? Most advertisers comply with the Direct Marketing Association’s Marketing Online Privacy Principles. At least one major advertising agency specializing in Internet advertising has voluntarily opened its practices and systems for third-party auditing.

“Cookies” Cont.

Options for Dealing with Cookies

Because cookies are controversial, both Netscape and Microsoft browsers offer users options for dealing with cookies. Depending upon which browser you are using and how current it is, the controls for dealing with cookies will usually be found on the Edit or View menu, under Options or Preferences. You may then have to click on a tab called Advanced, Security, or Protocols. There are four possible options, although not all options are offered by all browsers.

– Accept All: This is usually the default setting and means that all cookies are accepted.

– Accept only cookies that get sent back to the originating server: This means you accept only temporary cookies that are deleted as soon as you exit a site. They help the site keep track of your activities only while you are connected to it. For example, such temporary cookies are needed if you want to be able to put multiple purchases into a "shopping basket" as discussed above.

– Disable Cookies: Your computer will not accept any cookies under any circumstances. You will need to turn cookies back on if you want to use any online services that require them.

– Warn me before accepting a cookie: Whenever a site to which you are connected tries to put a cookie on your hard drive, you are warned and given the option of accepting or rejecting it. The down side of this is that responding to all the warnings at a busy shopping site can become very tedious.

If you want to look at your cookies, the most common place for them to be located is in a directory subordinate to the directory where your browser is located. However, they may be in several different locations, so the most efficient way to find them is to use the Find command and type in cookies. Cookies are ordinary txt files, so they need to be read with a program such as Wordpad or Notepad.

You may delete all cookies from your computer if you wish, but be sure to close your browser first. Cookies are held in memory while the browser is open, so deletion while the browser is open will be ineffective. Remember, however, that deleting all your cookies will cause you to start from scratch with every web site you normally visit. It may be preferable to delete only those cookies you don’t want or don’t think you need.
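The selective clean-up described above can be scripted. The following is an added example, not part of the original presentation: it assumes the cookies are stored in the Netscape-style tab-separated cookies.txt layout, and the sample file, domains and function names are constructed for illustration.

```python
# Constructed sample in the Netscape-style cookies.txt layout (tab-separated):
# domain, subdomain flag, path, secure flag, expiry (Unix time), name, value.
SAMPLE_COOKIES = "\n".join([
    "# Netscape HTTP Cookie File",
    ".shop.example\tTRUE\t/\tFALSE\t1893456000\tbasket\tb-1017",
    "www.news.example\tFALSE\t/\tFALSE\t0\tsession\ts-55",
    ".ads.example\tTRUE\t/\tFALSE\t2208988800\tuid\t7f3a9c",
    "this line is damaged",
])


def parse_cookie_file(text):
    """Parse cookies.txt text; return (cookies, numbers of skipped lines)."""
    cookies, skipped = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue  # blank line or comment
        fields = line.split("\t")
        if len(fields) != 7 or not fields[4].isdigit():
            skipped.append(number)  # malformed entry: report it, do not guess
            continue
        domain, _flag, path, secure, expiry, name, value = fields
        cookies.append({
            "domain": domain,
            "path": path,
            "secure": secure == "TRUE",
            "expiry": int(expiry),
            # Expiry 0 marks a temporary cookie that ends with the session.
            "persistent": int(expiry) != 0,
            "name": name,
            "value": value,
            "raw": line,
        })
    return cookies, skipped


def belongs_to(domain, site):
    """True if the cookie domain is the site itself or one of its subdomains."""
    host = domain.lstrip(".").lower()
    site = site.lower()
    return host == site or host.endswith("." + site)


def review(cookies, sites_you_use):
    """Split cookies into (keep, delete) by the sites the user wants to keep."""
    keep, delete = [], []
    for cookie in cookies:
        wanted = any(belongs_to(cookie["domain"], s) for s in sites_you_use)
        (keep if wanted else delete).append(cookie)
    return keep, delete


def render(cookies):
    """Rebuild cookies.txt text containing only the given cookies."""
    lines = ["# Netscape HTTP Cookie File"] + [c["raw"] for c in cookies]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed, bad_lines = parse_cookie_file(SAMPLE_COOKIES)
    keep, delete = review(parsed, ["shop.example", "news.example"])
    for c in delete:
        kind = "persistent" if c["persistent"] else "session"
        print(f"delete {c['name']} from {c['domain']} ({kind})")
    print("skipped lines:", bad_lines)
    print(render(keep), end="")
```

Write the filtered text back only while the browser is closed, for the reason given above.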

Weak Passwords

Your password is the key to your computer -- a key much sought-after by hackers as a means of getting a foothold into your system. A weak password may give a hacker access not only to your computer, but to the entire network to which your computer is connected. Treat your password like the key to your home. Would you leave your home or office unlocked in a high crime area?

Too many passwords are easily guessed, especially if the intruder knows something about their target’s background. It's not unusual, for example, for office workers to use the word "password" to enter their office networks. Other commonly used passwords are the computer user's first, last or child's name, Secret, names of sports teams or sports terms, and repeated characters such as AAAAAA or bbbbbb.

Your computer password is the foundation of your computer security, and it needs to stand up against the tools that hackers have for cracking it. There are 308 million possible letter combinations for a six letter password using all upper case or all lower case letters. A readily available password cracker can check all of them in only 2 minutes 40 seconds. With some combination of both upper and lower case letters, a six letter password has 19 billion possible combinations. If you increase the password to eight letters and use both upper and lower case letters, there are 53 trillion possible combinations. Substitute a number for one of the letters, and there are 218 trillion possible combinations.

Here are some simple guidelines for strong passwords.

– It should contain at least eight characters.

– It should contain a mix of four different types of characters -- upper case letters, lower case letters, numbers, and special characters such as !@#$%^&*,;" If there is only one letter or special character, it should not be either the first or last character in the password.

– It should not be a name, a slang word, or any word in the dictionary. It should not include any part of your name or your e-mail address.

– You should be able to type it quickly, so that someone looking over your shoulder cannot readily see what you have typed.

– It should be changed at least every 90 days to keep undetected intruders from continuing to use it.

– Almost all computer operating system software programs on the market today that store passwords in encrypted format store the last character in the clear. All password cracking programs know this, so that means one less character for them to crack. This is one of several reasons why numbers and special characters should be toward the middle of your password, not at the beginning or end.
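The combination counts and the composition guidelines above can be checked mechanically. The following is an added example, not part of the original presentation: the function names, the sample word list and the personal terms are constructed, the guess rate is the one implied by the page's "2 minutes 40 seconds" figure, and the first-or-last rule is applied to a lone letter, number or special character as a reading of the guidelines.

```python
import string

# Character groups named in the guidelines, with their sizes.
GROUPS = {
    "upper": string.ascii_uppercase,   # 26
    "lower": string.ascii_lowercase,   # 26
    "digit": string.digits,            # 10
    "special": string.punctuation,     # 32 ASCII punctuation marks
}

# Guess rate implied by the page: all 26**6 six-letter passwords in 160 s.
PAGE_GUESSES_PER_SECOND = 26 ** 6 / 160


def classes_in(password):
    """Return the names of the character groups that occur in password."""
    return {name for name, chars in GROUPS.items()
            if any(ch in chars for ch in password)}


def keyspace(length, classes):
    """Number of candidate passwords of this length over the given groups."""
    alphabet = sum(len(GROUPS[name]) for name in classes)
    return alphabet ** length


def seconds_to_exhaust(space, rate=PAGE_GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at the given guess rate."""
    return space / rate


def lone_edge_violations(password):
    """Flag a lone letter, number or special character in first or last place."""
    kinds = {
        "letter": string.ascii_letters,
        "number": string.digits,
        "special character": string.punctuation,
    }
    problems = []
    for label, chars in kinds.items():
        positions = [i for i, ch in enumerate(password) if ch in chars]
        if len(positions) == 1 and positions[0] in (0, len(password) - 1):
            problems.append(f"the only {label} is the first or last character")
    return problems


def check_password(password, personal_terms=(), wordlist=()):
    """Return the list of guideline violations (empty list means it passes)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    missing = set(GROUPS) - classes_in(password)
    if missing:
        problems.append("missing character types: " + ", ".join(sorted(missing)))
    problems.extend(lone_edge_violations(password))
    lowered = password.lower()
    if lowered in {word.lower() for word in wordlist}:
        problems.append("is a dictionary word or name")
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains personal term '{term}'")
    return problems


# Constructed sample inputs; the user and the word list are made up.
SAMPLE_WORDS = ["password", "secret", "yankees"]
SAMPLE_PERSONAL = ["kim", "lee", "kim.lee"]  # name parts, e-mail local part

if __name__ == "__main__":
    for length, classes in [(6, {"lower"}), (6, {"upper", "lower"}),
                            (8, {"upper", "lower"}),
                            (8, {"upper", "lower", "digit"})]:
        space = keyspace(length, classes)
        hours = seconds_to_exhaust(space) / 3600
        print(f"{length} chars, {sorted(classes)}: {space:,} ({hours:,.2f} h)")
    for pw in ["password", "AAAAAA", "Kimlee1999!", "tr7&Qm#vLe2x"]:
        print(pw, "->", check_password(pw, SAMPLE_PERSONAL, SAMPLE_WORDS) or "ok")
```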

Weak Passwords Cont.

The password used for logging on to your office computer should be different from the password you use to log in to a web site on the Internet. The password used to log in to a web site is far more exposed to potential compromise. Any time you log in over an external network, your password is vulnerable to being stolen unless it is encrypted. Using a separate and unique password for your office computer helps protect the security of the office network.

Once you have selected an effective password, protect it. Resist the temptation to write your password down. If you do, keep it with you until you remember it, then shred it! NEVER leave a password taped onto a terminal or written on a whiteboard. You wouldn't write your PIN code on your automated teller machine (ATM) card, would you? You should have different passwords for different accounts, but not so many passwords that you can't remember them. Do not allow anyone to observe your password as you enter it during the logon process.

Do not disclose your password to anyone, not even to your systems administrator or maintenance technician. They have no need to know it. They have their own password with system privileges that will allow them to work on your account without the need for you to reveal your password. If a system administrator or maintenance technician asks you for your password, be suspicious (for reasons discussed under “Social Engineering”).

Use a password-locked screensaver to make certain no one can perform any activity under your User ID while you are away from your desk. These can be set up so that they activate after the computer has been idle for a while. Strange as it may seem, someone coming around to erase or sabotage your work is not uncommon. Or imagine the trouble you could have if nasty e-mail messages were sent to your boss or anyone else from your computer, or your account were used to transfer illegal pornography.

E-Mail Pitfalls

E-mail has several vulnerabilities, each of which is discussed in greater detail below:

Lack of Privacy

– Sending e-mail is like sending a postcard through the mail. Just as the mailman and others have an opportunity to read a postcard, network eavesdroppers can read your e-mail as it passes through the Internet from computer to computer. E-mail is transmitted over a public network where you have no right to expect privacy. It is not like a telephone call, where privacy rights are protected by law.

– The courts have repeatedly sided with employers who monitor their employees' e-mail or Internet use. In an American Management Association poll, 47% of major companies reported that they store and review their employees' e-mail. Organizations do this to protect themselves against lawsuits, because the organization can be held liable for abusive, harassing, or otherwise inappropriate messages sent over its computer network. In the same poll, 25% of companies reported that they have fired employees for misuse of the Internet or office e-mail. 5

In the past couple of years, The New York Times fired 23 employees for exchanging off-color e-mail. Xerox fired 40 people for inappropriate Internet use. Dow Chemical fired 24 employees and disciplined another 230 for sending or storing pornographic or violent material by e-mail. 1

Several years ago, Chevron Corp. had to pay $2.2 million to plaintiffs who successfully brought a suit of sexual harassment, in part because an employee sent an e-mail to coworkers listing the reasons why beer is better than women. 2

E-Mail Pitfalls Cont.

Inability to Fully Erase

– The seemingly informal and temporary aspect of e-mail encourages people to use it to say things they would never commit to paper. But e-mail is like a cat with nine lives. It keeps coming back. It is almost impossible to eliminate all traces of an e-mail message.

– Most e-mail messages remain retrievable on your hard drive and the recipient’s hard drive long after you think they have been "deleted," as discussed under Security of Hard Drives.

– The recipient may have archived the message or transmitted it to others.

– Computer servers routinely make back-ups of user accounts. One of the top priorities for any computer-system manager is to make sure he or she never loses any important information on the computer network. They archive backup tapes that record everything.

– In short, e-mail messages sent years ago may live on in taped storage or on a hard drive beyond the reach of your delete key. You never know when an impulsive or ill-advised e-mail message will come back to haunt you. Three- and four-year-old e-mail messages have played key roles as evidence in several high profile court cases.

Remote Access

– If you can gain access to your e-mail from afar via the Internet, while traveling, others may be able to do the same thing without your knowledge. An eavesdropper would only have to know the modem phone number and then also know, guess, or be able to crack your password. The vulnerability is similar to that discussed under Voice Mail. See Weak Passwords to learn how easy it is to guess or crack weak passwords.

Uncertain Origin

– It is easy to forge an e-mail message so that it appears to come from someone else or from some other location. Incoming e-mail from someone you do not know is always questionable, as the sender may not be who he or she claims to be. For example, a marketing survey that purports to come from a U.S. company may actually originate overseas and be part of a foreign intelligence collection operation. See Obtaining Information under False Pretenses.

E-Mail Pitfalls Cont.

Ease of Accidental Compromise

When you exchange e-mail with a colleague, it may seem like a cozy, private conversation. "Legally and technologically, however, you are as exposed as dummies in a department store window." 3 Classified information must never be sent via e-mail. Sensitive but unclassified information should be encrypted prior to sending by e-mail whenever practical. Any inappropriate language of any type must be avoided.

E-mail is so easy to use that it is also easy to thoughtlessly or accidentally send others information they shouldn’t have. E-mail is a frequent source of security compromise. Here are two examples. In the first case, the e-mail writer put classified information into what he mistakenly thought was a private message to a few colleagues with security clearances. The second is a situation that often arises in offices that have both classified and unclassified networks.

A few hours after participating in the successful rescue of an F-16 fighter pilot downed in Bosnia, an excited U.S. Air Force pilot sat down at his computer and banged out a first hand account of the mission. He hooked up to the Internet and sent the account by e-mail to Air Force friends at other bases, scooping the media coverage of the rescue. Friends passed it on to their friends until it was seen by thousands of people and posted on an America Online bulletin board accessible to millions. The account contained classified radio frequencies, pilot code names, exact times and weapons loads for the mission, etc. The pilot explained that he had intended the account to be a personal communication to other cleared officers and not for public review. But he was badly wrong on two counts. First, you don't put classified information in an unclassified e-mail message under any circumstances. Second, nothing that goes on the Internet is personal or private. 4


E-Mail Pitfalls Cont.

Transmission of Viruses

Mail programs generally allow files to be included as attachments to mail messages. The files that come by mail are files like any other. Any way in which a file can find its way onto a computer is potentially dangerous. If the attached file is only a text message, the risk is limited. If the attached file is a program, an executable script, or a data file which contains a macro, extreme caution should be applied before running it, as this is the means by which many viruses and other types of malicious logic are spread.

One of the more dangerous types of malicious logic spread in this manner is a "Trojan Horse" that allows a remote user to access and control your computer via the Internet without your knowledge. One of these Trojan Horses was originally developed as a means of playing pranks on friends. When installed on another person's computer, you can control that computer via the Internet. For example, you can make the CD-ROM tray on that person's computer pop out repeatedly for no discoverable reason, or reverse the functions of the left and right buttons on the person's mouse. However, you can also read, change, or copy all the person's files without his or her knowledge. This Trojan Horse can be snuck onto someone's computer by burying it in a game program or other executable script sent by e-mail.

Happily, all known versions of this Trojan Horse are caught by any good virus checker. However, about 200 to 300 new viruses are being created each month, so your virus checker is rarely capable of detecting all malicious logic.
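The attachment risk classes described above (text only, program, executable script, macro-capable data file) can be checked mechanically before anyone opens a file. The following is an added example, not part of the original slides; the extension lists, function names, and the sample message are assumptions constructed for illustration, and the lists are not a complete blocklist.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Illustrative, incomplete extension lists (assumptions for this example).
BY_EXTENSION = {
    "program": {".exe", ".com", ".scr", ".pif", ".msi", ".dll"},
    "script": {".bat", ".cmd", ".vbs", ".js", ".ps1", ".sh", ".hta"},
    "macro-capable": {".doc", ".xls", ".ppt", ".docm", ".xlsm", ".pptm"},
    "text": {".txt", ".csv", ".log"},
}
# Leading bytes that identify content regardless of the file name.
BY_MAGIC = [
    (b"MZ", "program"),                      # DOS/Windows executable
    (b"\x7fELF", "program"),                 # Unix ELF executable
    (b"#!", "script"),                       # interpreter line
    (b"\xd0\xcf\x11\xe0", "macro-capable"),  # OLE2 container (legacy Office)
]
RISKY = ("program", "script", "macro-capable")


def _is_plain_text(payload):
    """True if the bytes contain no NULs and decode cleanly as UTF-8."""
    if b"\x00" in payload:
        return False
    try:
        payload.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def classify(filename, payload):
    """Return (risk_class, reason) for one attachment."""
    ext = PurePosixPath((filename or "").lower()).suffix
    by_name = next((c for c, exts in BY_EXTENSION.items() if ext in exts), None)
    by_content = next((c for m, c in BY_MAGIC if payload.startswith(m)), None)

    if by_content in RISKY and by_name not in RISKY:
        # The name looks harmless (or is missing) but the bytes say otherwise.
        return by_content, (
            f"content is {by_content}, name suggests {by_name or 'nothing'}"
        )
    if by_name in RISKY:
        return by_name, f"extension {ext}"
    if by_name == "text" and _is_plain_text(payload):
        return "text", "text extension and text-only content"
    return "unknown", "cannot confirm it is only text"


def triage(raw_message):
    """Parse a raw RFC 5322 message; return [(filename, risk_class, reason)]."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        results.append((name, *classify(name, payload)))
    return results


def build_sample():
    """Constructed sample message; payloads are inert header bytes only."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment("meeting at 10\n", filename="notes.txt")
    binary = dict(maintype="application", subtype="octet-stream")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, filename="game.exe", **binary)
    # Executable header hiding behind a text file name.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, filename="readme.txt", **binary)
    msg.add_attachment(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16,
                       filename="report.doc", **binary)
    msg.add_attachment(b"@echo off\r\n", filename="setup.bat", **binary)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, risk, reason in triage(build_sample()):
        print(f"{name:12} {risk:14} {reason}")
```

Only the `text` class corresponds to the slide's "risk is limited" case; everything else, including `unknown`, warrants the caution the slide calls for.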


“Social Engineering”

"Social engineering" is hacker-speak for conning legitimate computer users into providing useful information that helps the hacker gain unauthorized access to their computer system.

The attacker using social engineering usually poses as a legitimate person in the organization and tricks computer users into giving useful information. This is usually done by telephone, but it may also be done by forged e-mail messages or even an in-person visit.

Most people think computer break-ins are purely technical, the result of technical flaws in computer systems that the intruders are able to exploit. The truth is, however, that social engineering often plays a big part in helping an attacker slip through the initial security barriers. Lack of security awareness or gullibility of computer users often provides an easy stepping stone into the protected system in cases when the attacker has no authorized access to the system at all.

In testimony before Congress after he was released from jail, our country's most notorious computer hacker, Kevin Mitnick, told the lawmakers that the weakest element in computer security is the human element. "I was so successful in [social engineering] that I rarely had to resort to a technical attack," Mitnick explained. He added that "employee training to recognize sophisticated social engineering attacks is of paramount importance."1


“Social Engineering” Cont.

As an example of how it is done, here is a quick summary of Case 2, a successful hacking operation based almost entirely on social engineering:

Posing as someone from the public relations department, the hackers called an executive's secretary and succeeded in obtaining the executive's employee number. A second call exploited the knowledge of the executive's employee number in order to obtain the executive's cost center number, which was then used to receive overnight courier service delivery of the company’s internal phone directory.

The hackers called the office in charge of new employees and were able to obtain a list of new employees.

Posing as information systems employees, the hackers told the new employees that they wanted to give them a computer security awareness briefing over the phone. During this process, the hackers obtained "basic" information including the types of computer systems used, the software applications used, the employee number, the employee's computer ID, and their password.

Using a "war dialer" together with a call to the company's computer help desk, the hackers obtained the phone numbers of the company modems.

They then called the modems and used the compromised computer IDs and passwords to gain access to the system.


“Social Engineering” Cont.

Common “Social Engineering” scenarios

The attacker pretends to be a legitimate end-user who is new to the system or is simply not very good with computers. The attacker may call systems administrators or other end-users for help. This "user" may have lost his password, or simply can't get logged into the system and needs to access the system urgently. The attacker may sound really lost so as to make the systems administrator feel that he is, for example, helping a damsel in distress. This often makes people go way out of their way to help.

The attacker pretends to be a VIP in the company, screaming at administrators to get what he wants. In such cases, the administrator (or it could be an end-user) may feel threatened by the caller's authority and give in to the demands.

The attacker takes advantage of a system problem that has come to his attention, such as a recently publicized security vulnerability in new software. The attacker gains the user's trust by posing as a system administrator or maintenance technician offering help. Most computer users are under the mistaken impression that it is okay to reveal their password to computer technicians.

The attacker posing as a system administrator or maintenance technician can sometimes persuade a computer user to type in computer commands that the user does not understand. Such commands may damage the system or create a hole in the security system that allows the attacker to enter the system at a later time.


“Social Engineering” Cont.

Recommendations

Computer security experts recommend the following measures to outsmart a hacker:

– If you cannot personally identify a caller who asks for personal information about you or anyone else (including badge number or employee number), for information about your computer system, or for any other sensitive information, do not provide the information. Insist on verifying the caller’s identity by calling them back at their proper telephone number as listed in your organization’s telephone directory. This procedure creates minimal inconvenience to legitimate activity when compared with the scope of potential losses.

– Remember that passwords are sensitive. A password for your personal account should be known ONLY to you. Systems administrators or maintenance technicians who need to do something to your account will not require your password. They have their own password with system privileges that will allow them to work on your account without the need for you to reveal your password. If a system administrator or maintenance technician asks you for your password, be suspicious.

– Systems maintenance technicians from outside vendors who come on site should be accompanied by the local site administrator (who should be known to you). If the site administrator is not familiar to you, or if the technician comes alone, it is wise to give a call to your known site administrator to check if the technician should be there. Unfortunately, many people are reluctant to do this because it makes them look paranoid, and it is embarrassing to show that they do not trust a visitor.

– If you feel you have thwarted or perhaps been victimized by an attempt at social engineering, report the incident to your manager and to security personnel immediately.


Viruses & Other "Infections"

A virus is a small, self-contained piece of computer code hidden within another computer program. Like a real virus, it can reproduce, infect other computers, and then lie dormant for months or years before it strikes. A virus is only one of several types of "malicious logic" that can harm your computer or your entire network.

Worms, logic bombs, and Trojan Horses are similar "infections" commonly grouped with computer viruses. A computer worm spreads like a virus but is an independent program rather than hidden inside another program. A logic bomb is a program normally hidden deep in the main computer and set to activate at some point in the future, destroying data. A Trojan Horse masquerades as a legitimate software program. It waits until triggered by some pre-set event or date and then delivers a payload that may include destroying files or disks.

Some viruses are high-tech pranks not intended to cause damage. For example, a virus may be designed to conceal itself until a predetermined date, then flash a message on all network computers. Even pranks, however, are not benign. They steal computer memory, storage, and processing time.

Of greatest concern, of course, are viruses and other devices that are deliberately malicious. They are intended to cause serious damage such as deleting files, providing access for an outsider to copy your files, or disrupting the operation of an entire computer network or organization.

From an information security point of view, one of the more dangerous types of malicious logic is a Trojan Horse that allows a remote user to access and control your computer without your knowledge whenever you are on the Internet. One of these Trojan Horses was originally developed as a means of playing pranks on friends. When installed on another person's computer, you can control that computer via the Internet. For example, you can make the CD-ROM tray on that person's computer pop out repeatedly for no discoverable reason, or reverse the functions of the left and right buttons on the person's mouse. However, you can also read, change, or copy all the person's files without his or her knowledge. This Trojan Horse can be snuck onto someone's computer by burying it in a game program or other executable script sent by e-mail. Happily, known versions of the program will be caught by a good virus checker.


Viruses & Other "Infections" Cont.

The virus threat is increasing for several reasons:

– Creation of viruses is getting easier. The same technology that makes it easier to create legitimate software is also making it easier to create viruses, and virus construction kits are now available on the Internet. About 200 to 300 new viruses are being created each month, while the old ones continue to spread.1

– The increased use of portable computers, e-mail, remote link-ups to servers, and growing links within networks and between networks mean that any computer that has a virus is more likely to communicate with -- and infect -- other computers and servers than would have been true a few years ago.

– You can catch a virus by launching an infected application or starting up your computer from a disk that has infected system files. Once a virus is in memory, it usually infects any application you run, including network applications (if you have write access to network folders or disks). A properly configured network is less susceptible to viruses than a stand-alone computer.

– When you interact with another computer, the virus may automatically reproduce itself in the other computer. Once a virus infects a single networked computer, the average time required to infect another workstation in the same network is from 10 to 20 minutes -- meaning a virus can paralyze an entire organization in a few hours. 3

– Not all viruses, worms, logic bombs, and Trojan Horses are transmitted through infected software brought in from outside the organization. Some of the most damaging are implanted by disaffected insiders. For example:

A computer programmer at a Fort Worth, Texas, insurance firm was convicted of computer sabotage for planting malicious software code that wiped out 168,000 payroll records two days after he was fired.


Viruses & Other "Infections" Cont.

Countermeasures

Your organization has policies and tools for countering the threat of viruses. In order to avoid security or system maintenance problems, many organizations require that all software be installed by a system administrator. Some organizations require that any diskette you bring into the building be tested for viruses before being used. Others do not. Consult your system administrator to learn the correct procedures in your organization.

Be sure you know how your virus detection software works. If it indicates your system has a virus problem, report it immediately to your system administrator and then to the person you believe may have passed the virus to you. It is important to remain calm. There are many virus hoaxes as well as real viruses, and a virus scare can cause as much delay and confusion as an actual virus outbreak. Before announcing the virus widely, make sure you verify its presence using a virus detection tool, if possible, with the assistance of technically competent personnel.

The following procedures will help lower the risk of infection or amount of damage if the worst does happen.

– Don't be promiscuous. Most risk of infection by viruses can be eliminated if you are cautious about what programs are installed on your computer. If you are unaware of or unsure of the origin of a program, it is wise not to run it. Do not execute programs or reboot using old diskettes unless you have reformatted them, especially if the old diskettes have been used to bring software home from a trade show or another security-vulnerable place.

– Excellent virus-checking and security audit tools are available. Use them and, if possible, set them to run automatically and regularly. Update your virus checker regularly, as many new viruses are created each month.

– Notice the unusual. Be familiar with the way your system works. If there is an unexplainable change (for instance, files you believe should exist are gone, or strange new files are appearing and disk space is "vanishing"), you should check for the presence of viruses.

– Back up your files. If worst comes to worst, you can restore your system to its state before it was infected.


Viruses & Other "Infections" Cont.

Spyware

Is a program monitoring your computer activity while you are online without your permission? Is your name being stripped from these findings and compiled with the statistics of many other users? Is a summary of your Net activity being sold to Net advertisers so they may more effectively profile users in order to better target their advertising?

The answers to these questions and the questions themselves are the subject of a current moral and ethical debate. Some users find it intrusive or just plain sneaky to discover that they have unwittingly installed a program/applet/cookie that feeds information about their usage back to a third party. While it cannot be said that spyware or adware is currently illegal, there has been legislation proposed in the United States about this ethical dilemma.

If your computer starts to behave strangely or displays any of the symptoms listed below, you may have spyware or other unwanted software installed on your computer.

– I see pop-up advertisements all the time. Some unwanted software will bombard you with pop-up ads that aren't related to a particular Web site you're visiting. These ads are often for adult or other Web sites you may find objectionable. If you see pop-up ads as soon as you turn on your computer or when you're not even browsing the Web, you may have spyware or other unwanted software on your computer.

– My settings have changed. Some unwanted software has the ability to change your home page or search page settings. My settings have changed. Some unwanted software has the ability to change your home page or search page settings. This means that the page that opens first when you start your Internet browser or the page that appears when you select This means that the page that opens first when you start your Internet browser or the page that appears when you select "search" may be pages that you do not recognize. Even if you know how to adjust these settings, you may find that they "search" may be pages that you do not recognize. Even if you know how to adjust these settings, you may find that they revert back every time you restart your computer.revert back every time you restart your computer.

– My Web browser contains additional components that I didn’t download. Spyware and other unwanted software can add My Web browser contains additional components that I didn’t download. Spyware and other unwanted software can add additional toolbars to your Web browser that you don't want or need. Even if you know how to remove these toolbars, additional toolbars to your Web browser that you don't want or need. Even if you know how to remove these toolbars, they may return each time you restart your computer.they may return each time you restart your computer.

– My computer seems sluggish. The resources Spyware and other unwanted software use to track your activities and My computer seems sluggish. The resources Spyware and other unwanted software use to track your activities and deliver advertisements can slow down your computer and errors in the software can make your computer crash. If you deliver advertisements can slow down your computer and errors in the software can make your computer crash. If you notice a sudden increase in the number of times a certain program crashes, or if your computer is slower than normal at notice a sudden increase in the number of times a certain program crashes, or if your computer is slower than normal at performing routine tasks, you may have spyware or other unwanted software on your machine.performing routine tasks, you may have spyware or other unwanted software on your machine.


P2P

Peer-to-Peer (P2P) file-sharing is now an unavoidable part of Internet life. Because of its large user base, P2P networks can offer any ordinary user literally billions of files that are available for download with a simple click of the mouse. Anyone connected to one of these networks can share and download virtually any file in existence, from the latest hot music track and Hollywood blockbuster, to obscure textbooks and rare foreign texts. Best of all, most P2P networks as well as much of their contents are accessible at no cost!

Yet the downside to P2P file sharing is that it is inherently insecure and lives on the fringes of legality. Badly-coded clients, viruses and Trojans and potential lawsuits are just some of the many threats that users must face when they venture into the untamed wilderness of the P2P world.

Some serious issues facing P2P users include:

1 - Worms, Trojans, Backdoors and Viruses

– The biggest viral threat comes from the sharing, unintended or not, of infected files. Some users do not know that they have been infected and they put up their file collection for the world to download, thus putting other users at risk. Others intentionally distribute malware, ranging from the casual script kiddie who wants to feel empowered, to a hacker who shares a Trojan to allow him full control over another computer. Harmful files often carry filenames of popular files, masquerading as a benign object to increase their chance at being downloaded, and waiting for an unsuspecting user to trigger their nefarious charge.

– Recently, some viruses were specifically made for P2P distribution. Their effects include installing backdoors on victims' machines for easy access by remote attackers, putting up entire drives for sharing, and mass-mailing. These worms make copies of themselves in the P2P client's shared folder, posing as popular files that will entice others to download and run them.

– Even more worrisome is the fact that some P2P clients might be harbouring backdoors for questionable purposes. In the past, a backdoor from Brilliant Digital Entertainment was bundled with KaZaA. This exploit can be turned on remotely to create an entirely new network unbeknownst to the user. The company intended to use this backdoor to commandeer and resell unused computing resources like disk space, bandwidth and CPU time, across the whole network, all without compensating the users. Another example is EarthStation 5 (ES5 or ESV), in which users discovered a hidden feature that enabled the remote deletion of their files on their computers. Though the developers of ES5 claimed that this was the remnant of an abandoned automatic update feature, many from the P2P community are still suspicious of the makers' true intentions.


P2P Cont.

2 - Fake files

– Because anyone can share anything, it is very hard sometimes to tell whether the files one is downloading are indeed the authentic files. Media giants offer apparently popular music or films to sniff out copyright violators in an effort to try to protect their products from being distributed illegally online. Anyone who has recently downloaded popular music tracks from KaZaA and the like can tell you just how many bogus files are out there. More of an annoyance than harm, this practice is mostly perpetrated by large record labels trying to curb the sharing of copyrighted material and to track which users attempted to copy them. As well, by flooding the network with useless material they hope to decrease the popularity of P2P.

– On a darker note, this trend might encourage some companies with questionable business practices, in the name of protecting their products from piracy, to go beyond simply releasing decoys and distribute programs posing as working versions of their products but that secretly sabotage a user's machine.

– Most P2P clients boast that they can tell whether a file is authentic or not by generating a unique hash for each file and using this fingerprint to identify files, but some clients like KaZaA only implement this scheme halfway. The hashes these clients generate are based on only certain parts of the files, thus many corrupt downloads would have the same fingerprint as their real counterparts.
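The weakness in the last bullet, shown as an added example that is not part of the original slides and is not KaZaA's actual algorithm: a hypothetical fingerprint that hashes only sampled windows (the window size and offsets are assumptions) is compared with a full-file SHA-256 over a constructed 1 MiB file.

```python
import hashlib
import io

WINDOW = 4096           # bytes read per sampled window (assumed value)
FIRST_STEP = 64 * 1024  # offset of the first sample after the header (assumed)


def sample_offsets(size):
    """Start offsets of the only windows the partial fingerprint reads."""
    offsets = [0]
    step = FIRST_STEP
    while step + WINDOW <= size:
        offsets.append(step)
        step *= 2                      # samples get sparser as the file grows
    tail = max(size - WINDOW, 0)
    if tail not in offsets:
        offsets.append(tail)           # always include the end of the file
    return offsets


def coverage(size):
    """Fraction of the file's bytes that the partial fingerprint depends on."""
    covered, prev_end = 0, 0
    for off in sorted(sample_offsets(size)):
        start, end = max(off, prev_end), min(off + WINDOW, size)
        if end > start:
            covered += end - start
            prev_end = end
    return covered / size if size else 1.0


def partial_fingerprint(stream, size):
    """Hypothetical 'halfway' fingerprint: file size plus the sampled windows."""
    h = hashlib.sha256(size.to_bytes(8, "big"))
    for off in sample_offsets(size):
        stream.seek(off)
        h.update(stream.read(WINDOW))
    return h.hexdigest()


def full_digest(stream):
    """SHA-256 over every byte, read in blocks so large files are not loaded whole."""
    stream.seek(0)
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(1 << 16), b""):
        h.update(block)
    return h.hexdigest()


def verify_download(data, trusted_partial, trusted_full):
    """Check a downloaded byte string against both kinds of published fingerprint."""
    stream = io.BytesIO(data)
    return {
        "partial_ok": partial_fingerprint(stream, len(data)) == trusted_partial,
        "full_ok": full_digest(stream) == trusted_full,
    }


def demo():
    size = 1 << 20
    original = bytes(i % 251 for i in range(size))   # constructed sample file
    src = io.BytesIO(original)
    trusted_partial = partial_fingerprint(src, size)
    trusted_full = full_digest(src)

    # Damage 100 bytes in a region that no sampled window covers.
    unsampled = bytearray(original)
    unsampled[300_000:300_100] = b"\x00" * 100

    # Damage one byte inside the first sampled window.
    sampled = bytearray(original)
    sampled[10] ^= 0xFF

    return {
        "coverage": coverage(size),
        "intact": verify_download(original, trusted_partial, trusted_full),
        "corrupt_unsampled": verify_download(bytes(unsampled), trusted_partial, trusted_full),
        "corrupt_sampled": verify_download(bytes(sampled), trusted_partial, trusted_full),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Only the full-file digest rejects the download that was damaged outside the sampled windows, so a download should be checked against a digest of the whole file obtained from a trusted source.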

3 - Spyware/Adware

– Many P2P clients claim to be free of charge - but are they? To subsidize the development cost, some developers partnered up with advertising companies to include spyware and adware in the P2P program. In exchange for a share of the marketing revenue, the marketers can have access to a large pool of potential consumers that they can track, analyze, and target with customized advertising. Besides the annoyance of targeted ads, the ability to track a user's online activity and send reports back to an online monitor virtually removes the anonymity of the Internet. While some argue that tracking is harmless since the common user has no covert activity to hide from anyone, it still is a serious violation of privacy rights.

– One of the more notorious examples is KaZaA. Bundled with the P2P client is Cydoor, a hidden application that tracks a user's Internet-related activities. Like many other programs with spyware/adware, KaZaA would no longer run if Cydoor is removed, forcing users to trade away their privacy in exchange for access to the FastTrack network.


P2P Cont.

4 - Buggy or improperly configured software

– Not all P2P clients are made the same. Some are developed by ragtag teams following ad-hoc plans, resulting in barely functional, extremely buggy clients that are prone to security breaches. Even popular software is not immune; in the past, various FastTrack network clients like KaZaA had vulnerabilities that enabled someone to remotely crash the client. Recently, a security leak was found in eMule, an eDonkey client, which permitted a remote attacker to execute arbitrary code on the victim's machine.

– In the hands of an inexperienced user, even a well-written P2P client could be doomed to disaster. A P2P novice can accidentally mark a whole hard drive as shared, enabling any fellow file sharers to gaze at the user's private, perhaps highly confidential, documents, be they personal information or business data. A user may also enable features that could potentially compromise system security. For example, a KaZaA user could set his/her computer as a Supernode, a feature known to be vulnerable to buffer overflows.

5 - Copyright issues

– With all the media hype surrounding reports of P2P users being sued by big record companies, one cannot ignore the issue of copyright violations. Once again, due to the decentralized nature of the network and the fact that no one single entity has de-facto control of what gets shared, an enormous number of copyrighted works are being illegally distributed without the consent of their creators or rightful owners. Because true online anonymity does not exist yet, users who inadvertently share copyrighted work can expose themselves to expensive litigation.

– In the USA, one of the fiercest battles pitting P2P users against copyright holders is music sharing. The Recording Industry Association of America and its associates are actively prosecuting American file sharers for copyright infringement because the trade group alleges that music sharing is the principal cause of flagging sales. Though Canada's RIAA counterpart, SOCAN, was dealt a series of setbacks by various court rulings that prevent it from using U.S. tactics, some of these decisions are currently being appealed. It should be noted that as of January 2004 it has been deemed legal for users to download music in Canada provided it is for their own use and not for redistribution or sale.

– Music is not the only problematic issue when it comes to filesharing. Peer-to-peer networks are teeming with pirated software and bootlegged movies. Some observers predict that other industry trade groups might follow suit by launching their own lawsuits against online copyright infringers.


Insecure Modems

A computer presents very little risk if it's by itself. The problem arises when it's hooked up to a modem. A modem is a communications device that allows your computer to talk with another computer. Modem is short for modulator/demodulator. It is, basically, a telephone for your computer. It converts the computer's output to a format that can be sent over telephone lines.

If your computer has a modem connected to the Internet, it is like you are living in a high-crime neighborhood. You must take appropriate precautions. The modem connection can be a significant vulnerability. Any unauthorized modem is a serious security concern.

Hackers commonly use a tool known as a "war-dialer" to identify the modems at a target organization. A war-dialer is a computer program that automatically dials phone numbers within a specified range of numbers. Most organizations have a block of sequential phone numbers. If you have one number for the organization, it is usually correct to assume that most other numbers are within a limited range of numbers either higher or lower than that number.

By dialing all numbers within the targeted range, the war-dialer identifies which numbers are for computer modems and determines certain characteristics of those modems. The hacker then uses other tools to attack the modem to gain access to the computer network. Effective war-dialers can be downloaded from the Internet at no cost.

In one test of corporate security, a computer dialed a block of 1,500 numbers in the space of 16 hours and identified 55 modems.[1] As a countermeasure to war-dialers, many organizations have equipment that detects rapid sequential dialing and shuts it down. On the other hand, some war-dialers are designed to avoid this type of detection.
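The countermeasure described above, sketched as an added example that is not part of the original slides: two detection rules run over constructed call records, one for rapid sequential dialing into the organization's number block and one order-independent count of distinct numbers reached per caller per day. The number block, caller labels and thresholds are assumptions.

```python
from collections import defaultdict, deque

# Assumed values for the example: the organization's number block and thresholds.
BLOCK_START, BLOCK_END = 5550100, 5550199
BURST_WINDOW_S = 600      # look-back window for the burst rule, in seconds
BURST_MIN_CALLS = 8       # calls inside the window before the rule evaluates
SEQ_RATIO = 0.7           # share of consecutive calls that step by exactly 1
DAILY_DISTINCT = 20       # distinct block numbers per caller per day


def in_block(number):
    return BLOCK_START <= number <= BLOCK_END


def detect_rapid_sequential(records):
    """Return {caller: first alert time} for bursts of sequential dialing.

    records: iterable of (epoch_seconds, caller, dialed_number), sorted by time.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ts, caller, dialed in records:
        if not in_block(dialed):
            continue
        window = recent[caller]
        window.append((ts, dialed))
        while window and ts - window[0][0] > BURST_WINDOW_S:
            window.popleft()
        if len(window) >= BURST_MIN_CALLS:
            numbers = [n for _, n in window]
            steps = sum(1 for a, b in zip(numbers, numbers[1:]) if abs(b - a) == 1)
            if steps / (len(numbers) - 1) >= SEQ_RATIO:
                alerts.setdefault(caller, ts)
    return alerts


def detect_breadth(records, day_s=86400):
    """Return callers that reached many distinct block numbers in one day."""
    reached = defaultdict(set)
    for ts, caller, dialed in records:
        if in_block(dialed):
            reached[(caller, ts // day_s)].add(dialed)
    return {caller for (caller, _), nums in reached.items()
            if len(nums) >= DAILY_DISTINCT}


def constructed_records():
    """Constructed call records (not real data) for three callers."""
    records = []
    # caller-A: 20 consecutive numbers, one call every 30 seconds.
    for i in range(20):
        records.append((1000 + 30 * i, "caller-A", BLOCK_START + i))
    # caller-B: an ordinary caller reaching two numbers a few times.
    for ts, number in [(2000, 5550150), (2100, 5550150),
                       (40000, 5550150), (41000, 5550151)]:
        records.append((ts, "caller-B", number))
    # caller-C: 25 distinct numbers across the day, out of numeric order.
    for i in range(25):
        records.append((500 + 3000 * i, "caller-C", BLOCK_START + (i * 37) % 100))
    return sorted(records)


if __name__ == "__main__":
    calls = constructed_records()
    print("rapid sequential:", detect_rapid_sequential(calls))
    print("daily breadth:   ", sorted(detect_breadth(calls)))
```

Real call-detail records would need the same three fields (time, calling number, dialed number), and the thresholds have to be tuned against normal call volume for the block.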

The problem is that a modem is a means of bypassing the "firewall" that protects your network from outside intruders. A hacker using a "war-dialer" to identify the modem telephone number and a password cracker to break one weak password can gain access to the system. Due to the nature of computer networking, once a hacker connects to that one computer, the hacker can often connect to just about any other computer in the network.[2]

It is possible to have a secure connection to the Internet, but it must meet certain requirements. The connection must be configured properly with the latest security equipment, and all employees who are authorized to access their office computers via the Internet from home or while traveling must use strong passwords. Too often, however, these conditions are not met.


Security of Hard Drives and Laptops

Secrets in the computer require the same protection as secrets on paper. Information can usually be recovered from a computer hard drive even after the file has been deleted or erased by the computer user. It has been estimated that about a third of the average hard drive contains information that has been "deleted" but is still recoverable.[1]

Computers on which classified information is prepared must be kept in facilities that meet specified physical security requirements for processing classified information. If necessary to prepare classified information in a non-secure environment, use a typewriter or a removable hard drive or laptop that is secured in a safe when not in use.

Laptop computers are a particular concern owing to their vulnerability to theft.

– Laptop computers are a prime target for theft from your office, your home, or at airports, hotels, railroad terminals and on trains while you are traveling. They are an extremely attractive target for all types of thieves, as they are small, can be carried away without attracting attention, and are easily sold for a good price. They are also a favorite target for intelligence collectors, as they concentrate so much valuable information in one accessible place.

– Safeware, the largest insurer of personal computers in the United States, paid claims for the theft of 319,000 laptop computers during 1999.[1] Of course, most laptops are not insured, so this is only a small fraction of the total number of laptop computers that were stolen during that year.

– When a laptop is stolen, you don't know whether it was taken for the value of the information on the computer or for the value of the computer itself. This makes it difficult to assess the damage caused by the loss.

– This topic offers guidelines for keeping your laptop from being stolen, discusses technical measures for protecting information on the laptop if it is stolen or entered surreptitiously, and notes special problems relating to traveling overseas with your laptop.


Security of Laptops Cont.

Protection of Laptops

The basic rule for protecting your laptop is to treat it like your wallet or purse. Your laptop is a more attractive target for thieves than your wallet or purse, and if you lose your laptop, the cost to you in money and inconvenience is probably greater than if you lose your wallet or purse. If your laptop has sensitive government, commercial, or scientific data on it, the loss may be valued in the millions.

Even in your office, unless it is a controlled secure area, it is advisable to keep your laptop out of sight when not in use, preferably in a locked drawer or cabinet. The Washington, DC police recently formed a task force to fight a surge in thefts from downtown offices; laptops were the thieves' preferred target.[2]

Your laptop is especially vulnerable while you are traveling. Here is a summary of basic precautions during travel.

Disguise your laptop. The distinctive size and shape of a laptop computer make it an easily spotted target for thieves. Carry it in a briefcase or other, preferably grungy-looking, case.

Never let a laptop out of your sight in an airport or other public area. If you set it down while checking in at the airport counter or hotel registration desk, lean it against your leg so that you can feel its presence, or hold it between your feet.

When going through the airport security check, don't place your laptop on the conveyor belt until you are sure no one in front of you is being delayed. If you are delayed while passing through the checkpoint, keep your eye on your laptop. See Theft While Traveling for discussion of techniques used to steal laptops at airports.

When traveling by plane or rail, do not ever place the computer (or other valuables) in checked baggage. If your aircraft departure is delayed and you are directed or invited to deplane and wait in the terminal, take your computer and other valuables with you. Don't leave them unattended at your seat or in the overhead.


Security of Laptops Cont.
Protection of Laptops

Never store a computer in an airport or train station locker. If you must leave it in a car, lock it in the trunk out of sight.

Avoid leaving your computer in a hotel room, but if you must do so, at least lower the risk of theft by keeping it out of sight. Lock it securely in another piece of luggage. Placing the computer in a hotel vault or room safe should make it secure from theft, but in some foreign countries it may not be secure from access by local intelligence or security personnel.

Never keep passwords or access phone numbers on the machine or in the case. Do not program your computer's function keys with sign-on sequences, passwords, access phone numbers, or phone credit card numbers. If the machine is stolen or lost, these would be valuable prizes.

Back up all files before traveling.

While in any public place, such as an airplane or hotel lobby, don't have up on your laptop screen anything you don't want the public to know about. A survey of 600 American travelers found that over one-third admitted looking at someone else's laptop while flying. Younger travelers were the worst offenders, with 49 percent of the men and 40 percent of the women under 40 admitting they look at what their seatmate is working on. Most are checking to see what their fellow passenger is doing, while others are more interested in who they are working for. [3]

Be prepared for the airport security check. You may be directed by airport security personnel to open and turn on your laptop to demonstrate that it is actually a functioning computer. Be sure the battery is charged or have the power cord handy. If you can't turn your laptop on, you may not be permitted to take it on board the aircraft. The airport security X-ray machines will usually not affect hard drives. Floppy diskettes, having less shielding, may be affected. If possible, pass these to the attendant for hand examination.

It is even more difficult to protect your laptop, and the information on it, when traveling in foreign countries where your laptop may be targeted as a treasure trove of information.


Security of Laptops Cont.
Technology for Protecting Information on Your Laptop

Due to the very high risk and high cost of laptop theft, many products are being developed to protect the security of information in your laptop if it is stolen, prevent the surreptitious entry into files on your laptop, make it more difficult to steal a laptop, or make it easier to find a stolen laptop. Specific products are not discussed here, as the technology is changing so rapidly. The following general types of products are now available.

Encryption software. Storing all data files in encrypted form will prevent disclosure of the data even if your computer is stolen.

Software that hides information on your hard drive, so that it is not found by the average thief who steals your laptop or, for example, by an intelligence collector who gains surreptitious access to your laptop in your hotel room.

Various types of locks, keys, and biometric identification devices designed to prevent anyone but you from using the computer, and perhaps to alert you to any unauthorized attempt to use your computer.

Software utilities that wipe the hard disk clean when deleting sensitive data files. These overwrite the deleted data making it totally unrecoverable, as opposed to the normal Delete command that only deletes the "pointer" that allows the computer to find the file on your hard drive. The file itself is not deleted until it is overwritten by another file. See Security of Hard Drives.

Tracers that identify the location of a stolen laptop. When the stolen laptop is linked to the Internet, it transmits a signal to a monitoring station that identifies the user's telephone number or Internet account.

Proximity alarms that go off if the laptop gets too far away from its owner or user.

Ask your system administrator or computer security specialist to evaluate which of the available alternatives best meet your needs.
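The difference between the normal Delete command and a wiping utility, described in the list above, can be seen in a small model. This is an added example, not part of the original slides: `ToyDisk`, its block size and the sample file contents are all constructed for illustration and do not model any real file system. On real hardware, solid-state drives and journaling file systems may keep extra copies that an in-place overwrite does not reach.

```python
BLOCK = 16  # bytes per block in this toy disk (constructed value)

class ToyDisk:
    """Constructed model: raw blocks plus a directory of name -> block numbers."""
    def __init__(self, nblocks=32):
        self.blocks = [bytes(BLOCK)] * nblocks
        self.free = list(range(nblocks))
        self.directory = {}  # the "pointers" that the Delete command removes

    def write(self, name, data):
        chunks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)] or [b""]
        if len(chunks) > len(self.free):
            raise OSError("disk full")
        used = [self.free.pop(0) for _ in chunks]
        for n, chunk in zip(used, chunks):
            self.blocks[n] = chunk.ljust(BLOCK, b"\0")
        self.directory[name] = used

    def delete(self, name):
        # Normal delete: drop the pointer, mark blocks reusable, leave the bytes.
        self.free.extend(self.directory.pop(name))

    def wipe(self, name):
        # Wiping utility: overwrite every block of the file, then delete it.
        for n in self.directory[name]:
            self.blocks[n] = bytes(BLOCK)
        self.delete(name)

    def raw_scan(self, needle):
        # What a recovery tool does: ignore the directory, read the raw blocks.
        return needle in b"".join(self.blocks)


def demo():
    """Return {case: (file still listed?, secret still on disk?)}."""
    secret = b"ACCT 4417 PIN 0000 (constructed sample)"
    results = {}
    for method in ("delete", "wipe"):
        disk = ToyDisk()
        disk.write("notes.txt", secret)
        getattr(disk, method)("notes.txt")
        results[method] = ("notes.txt" in disk.directory, disk.raw_scan(b"PIN 0000"))
    # Deleted data survives only until another file overwrites its blocks.
    disk = ToyDisk(nblocks=3)
    disk.write("notes.txt", secret)
    disk.delete("notes.txt")
    disk.write("new.txt", b"X" * (3 * BLOCK))
    results["reused"] = ("notes.txt" in disk.directory, disk.raw_scan(b"PIN 0000"))
    return results
```

After a plain delete the file is no longer listed but the raw scan still finds its contents; after a wipe, or once another file has reused the blocks, the scan finds nothing.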