Cyber Security Awareness Handbook
CDAC Hyderabad & NIELIT

Table of Contents

1. Introduction
   1.1 Cyber Security Awareness
   1.2 Importance of Cyber Security
2. Computer Ethics
   2.1 Definition of Computer Ethics
   2.2 Internet Ethics for everyone
   2.3 Ethical rules for computer users
   2.4 Scenarios
3. Understanding Internet
   3.1 World Wide Web (WWW)
   3.2 Usage of Internet
   3.3 Features of Internet
   3.4 Benefits of Internet
   3.5 Privacy Issues
   3.6 Peer To Peer (P2P) Networking
4. Search Engines and Web Browsers
   4.1 Usage of search engines
   4.2 Internet Browser(s) Security
   4.3 Risks towards web browser
   4.4 How to secure your web browser?
5. Filtering services
   5.1 Filtering Services in web browser
   5.2 Parental Control Bars
   5.3 Procedure for installing Parental control toolbar
   5.4 Changing the parental control settings in the parental control toolbar
   5.5 k9 web protection
       K9 also offers:
   5.6 Spam filter
6. Internet Mediated Communication
   6.1 e-Mail Security
   6.2 Instant Messaging
7. Social Networking
   7.1 Tips to avoid risks by social networking
8. Social Engineering
   8.1 What is Social Engineering?
   8.2 How do they do this?
   8.3 Social Engineering can be done in many ways
   8.4 How do you avoid being a victim?
   8.5 What do you do if you think you are a victim?
9. Online Games and Computer Games
   9.1 About online games
   9.2 Things to be noted while downloading the games
   9.3 Risks Involved
   9.4 Guidelines
10. Safe Downloading
   10.1 Safe Downloading and uploading
   10.2 Risks by insecure downloads
   10.3 Tips for Safety downloads
11. Blogging
   11.1 Types of blogs
   11.2 Risks involved in blogging
   11.3 Tips to avoid risks by blogging
   11.4 Guidance for Parents on Blogging
12. Cyber Bullying
   12.1 Harassment and bullying
   12.2 Cyber bullying can be done in the following ways
   12.3 Tips and guidelines
13. Online Threats and Tips
   13.1 Protect children from online threats
   13.2 Most common online Threats
   13.3 Online Banking
   13.4 Online Shopping
   13.5 Identity Theft
   13.6 Tab napping
   13.7 Clickjacking
14. Wireless Network
   14.1 What is a Wireless Network?
   14.2 Risks of using Unsecured Wi-Fi Network
   14.3 Tips for Wireless Home Network Security
15. Mobile Security
   15.1 Security Concerns
   15.2 Guidelines for securing mobile devices
16. Data Security
   16.1 Importance of securing data
   16.2 Securing data by disposal
17. Physical Security
   17.1 Computer locks
   17.2 BIOS Security
   17.3 In Organizations
18. Safe Practices
   18.1 Operating System Security
   18.1.2 Guidelines for securing the operating System
   18.2 Password Security Policy
19. Virus Protection and Cleaner Tools
   19.1 Windows Based Tools
   19.2 Linux Based Tools
20. Lockdown, Auditing and Intrusion Detection Tools
   20.1 OS Lockdown Tools
   20.2 URL Scan Based Tools
   20.3 Web Server Lockdown Tools
21. Security Assessment Tools
   21.1 Assessment Of OS Security Levels
   21.2 Assessment Of Database Security Levels
   21.3 Assessment of Application Security
   22.1 Security Update Solution Tools (Windows)
   22.2 Windows Desktop Firewall Settings
23. Security Update Detection Tools
   23.1 MBSA
   23.2 Microsoft Office Visio 2007 Connector
24. IT ACT
   24.1 Salient Feature of IT Act 2000
   24.2 IT Act Section 67 (A,B,C)
   24.3 IT (Amendment Act) 2008 Act Section 66 (A,B,C,D,E,F)
1. Introduction

1.1 Cyber Security Awareness

Cyber security needs have to be addressed at all levels, from the individual user to the organization and beyond that to the government and the nation. Cyber security is becoming synonymous with national security because computer networks, which are vulnerable to cyber attack, form the backbone of the country's critical infrastructure: banking, power, communication networks, etc. It is, therefore, important to have secure computer systems and networks. Also, the increased focus on outsourcing of IT and other services from developed countries is bringing the issue of data security to the fore.

Furthermore, owing to the massive Internet boom, many home users with little or no prior knowledge of the threats and their countermeasures are exposed to the Internet. Attackers can exploit this to expand their base of malicious activity and use innocent people for their schemes. Consequently, we aim to spread this education to school children, teachers, parents and senior citizens and equip them with the knowledge needed to mitigate the threat.

Looking at the growing importance of cyber security, the Department of Electronics and Information Technology, Ministry of Communications and Information Technology, Government of India has formulated and initiated the Information Security Education and Awareness (ISEA) programme. One of the activities under this programme is to widely generate information security awareness among children, home users and non-IT professionals in a planned manner.
1.2 Importance of Cyber Security

Cyber security is important for users because they have to protect themselves against identity theft. Organizations, including government, also need this security to protect their trade secrets, financial information, and other sensitive or critical data. Since most sensitive information is stored on computers that are connected to the Internet, there is a need for information assurance and security. So, in order to have cyber security, everyone should follow the cyber security standards that enable us to protect against various malware threats. Poor cyber security practice arises for reasons such as the following: poor administrative guidelines for applications, poor software coding that may leave software vulnerable, and improper use of cyber security practices.
2. Computer Ethics

2.1 Definition of Computer Ethics

Ethics are a set of moral principles that guide an individual or a group on what is acceptable behaviour while using a computer. Computer ethics is a set of moral principles that govern the usage of computers. One of the common issues of computer ethics is violation of copyright. Duplicating copyrighted content without the author’s approval and accessing the personal information of others are examples of violations of ethical principles.
2.2 Internet Ethics for everyone

Internet ethics means acceptable behaviour when using the Internet. We should be honest and respect the rights and property of others on the Internet.
2.2.1 Acceptance

One has to accept that the Internet is not a value-free zone. It means the World Wide Web is not a "waste wild web"; it is a place where values are considered in the broadest sense, so we must take care while shaping content and services, and we should recognize that the Internet is not apart from universal society but is a primary component of it.
2.2.2 Sensitivity to National and Local cultures

The Internet belongs to all and there is no barrier of national or local cultures. It cannot be subject to one set of values like a local TV channel or a local newspaper. We have to accommodate a multiplicity of usage.
2.2.3 While using e-Mail and chatting

The Internet must be used for communication with family and friends. Avoid chatting with strangers and forwarding e-mails from unknown people or strangers. We must also teach children about the risks involved in chatting and forwarding e-mails to strangers.
2.2.4 Pretending to be someone else

We must not use the Internet to fool others by pretending to be someone else. Hiding our own identity to fool others in the Internet world is a crime and may also be a risk to others. It is our responsibility to teach children the same.
2.2.5 Avoid Bad language

We must not use rude or bad language while using e-Mail, chatting, blogging and social networking. We need to respect the views of others and should not criticize anyone on the Internet, and the same should be taught to children.
2.2.5 Hide personal information

We should teach children not to give out personal details like home address, phone numbers, interests or passwords. No photographs should be sent to strangers, and children should be asked to hide their personal details from strangers because the details might be misused and shared with others without their knowledge.
2.2.6 While Downloading

The Internet is used to listen to and learn about music. It is also used to watch videos and play games. We must not use it to download or share copyrighted material. The same should be taught to children, and they must be aware of the importance of copyright and of copyright issues.
2.2.7 Supervision

You should know what children are doing on the Internet and which sites they visit, and should check with whom they are communicating. Restrict them from browsing inappropriate sites. Parental involvement is essential when a child is using the Internet in order to make the child follow the rules.
2.2.8 Encourage children to use Internet

We must encourage children, students and others to gain knowledge from the Internet and use it wisely. The Internet is a great tool with which we can gather information that can be used for learning.
2.2.9 Access to Internet

The Internet is a time-efficient tool for everyone that enlarges the possibilities for curriculum growth. Learning depends on the ability to find relevant and reliable information quickly and easily, and to select, understand and assess that information. Searching for information on the Internet can help to develop these skills. Classroom exercises and take-home assessment tasks, where students are required to compare website content, are ideal for alerting students to the requirements of writing for different audiences, the purpose of particular content, identifying and judging accuracy and reliability. Since many sites adopt particular views about issues, the Internet is a useful tool for developing the skills of distinguishing fact from opinion and exploring subjectivity and objectivity.
2.3 Ethical rules for computer users

Some of the rules that individuals should follow while using a computer are listed below:
- Do not use computers to harm other users.
- Do not use computers to steal others' information.
- Do not access files without the permission of the owner.
- Do not copy copyrighted software without the author’s permission.
- Always respect copyright laws and policies.
- Respect the privacy of others, just as you expect the same from others.
- Do not use other users' computer resources without their permission.
- Use the Internet ethically.
- Complain about illegal communication and activities, if found, to Internet service providers and local law enforcement authorities.
- Users are responsible for safeguarding their user IDs and passwords. They should not write them on paper or anywhere else for remembrance.
- Users should not intentionally use computers to retrieve or modify the information of others, which may include password information, files, etc.
2.4 Scenarios

2.4.1 Scene 1

Ravi asked Kishore if he could look at the essay Kishore had written. Kishore said sure and didn’t think much about it. After some days their essays were checked by the class teacher, who asked Kishore to stay after class. The teacher pointed out that their essays were similar and asked for an explanation. So always teach and guide children not to copy content or information from the Internet or from classmates.
2.4.2 Scene 2

Vicky has stepped out of the computer lab without logging off. Bob sits at Vicky’s computer, logs in as Vicky, sends false e-mail messages to a number of students and posts similar messages on the class newsgroup. So teach children that they must never misuse others' computers and e-mail IDs to harm or defame others.
3. Understanding Internet

There are different definitions of the Internet, but the meaning is the same, as shown below:

Def 1: A series of interconnected networks allowing communication of data among millions of computers worldwide.
Def 2: A global communication network that allows computers worldwide to connect and exchange information.
Def 3: A worldwide system of computer networks, a network of networks in which users at any one computer can get information from any other computer.

The word “Internet” exactly means “network of networks”. The Internet consists of thousands of smaller regional networks spread throughout the world. It connects approximately 80 million users in Asian countries on any given day. The Internet is referred to as a physical part of the global network. It is a giant collection of cables and computers. No one “owns” the Internet. Though there are companies that help to manage different parts of the networks that tie everything together, there is no single governing body that controls what happens on the Internet. The networks within different countries are financed and managed according to local procedures.
3.1 World Wide Web (WWW)

Many people think that the Internet and the web are the same, but they are not. The web is a software application or service that runs on the Internet. It is a collection of documents and resources. It is one of the fastest growing parts of the Internet. It provides easy access to a huge range of information that is stored on computers around the world.
3.1.1 What is Web site?

A web site contains from one to millions of interconnected pages, with hyperlinks that connect them and help you find your way around the web site. You can find different kinds of information on the web, like games, health matters, holiday destinations, train timetables, weather forecasts and many more. There are millions of web sites available on the Internet, and you can find anything that interests you.
3.1.2 A Web Address

Each web site has its own unique address, which is called a Uniform Resource Locator or URL. To visit a site, you need to type its address in the address bar of your web browser.
3.2 Usage of Internet

The Internet is used mainly for communication, gathering information, education, entertainment, current affairs, online learning, commerce, publishing, etc. Publishing on the Internet is not just for organizations or businesses: anyone can create their own web site and publish their information or files on the World Wide Web. Through the Internet, thousands of people around the world are able to access information from their homes, schools, Internet cafes and workplaces.

The Internet is a global collection of computer networks that help in exchanging data using a common software standard. Internet users can share information in a variety of forms. Users can connect easily through ordinary personal computers and share knowledge and thoughts by using the Internet.
- We can send electronic mail (e-Mail) to family members and friends with accounts on the Internet, which is similar to sending letters by post. The e-Mail can be sent within minutes, no matter where they are, without postal stamps etc.
- We can post information that can be accessed by others and can update it frequently.
- We can access multimedia information that includes video, audio, and images.
- We can learn through Web-Based Training and Distance Learning on the Internet.
3.3 Features of Internet

3.3.1 Geographic sharing

The geographic sharing of the Internet continues to spread, around the world and even beyond. A main feature of the Internet is that once you have connected to any part of it, you can communicate with all of it.
3.3.2 Architecture

In its architecture, the Internet is the most reliable communication network ever designed. The failure of individual computers or networks will not affect its overall reliability. Information is not altered or destroyed over time or while being transferred between sites.
3.3.3 Universal Access

It is easy to access information such as text, audio and video, and to make it accessible to people worldwide at a very low price. Access to the Internet is the same for everyone, no matter where they are. You can connect to any computer in the world and visit many exciting places without leaving your chair.
3.4 Benefits of Internet

There are many advantages of the Internet:
- The Internet is loaded with data and information in a range of media.
- The search engines available online are fast and powerful.
- The Internet is easy to use.
- Students can become researchers because of easier access to data.
- Students are motivated to share their work online with the world.
- The Internet appeals to different learning styles.
- Unlike paper, the web can present dynamic data sources which change over time.
- The characters in an e-Mail don't get transposed or mixed up when they are sent over long distances.
- Students can access libraries around the world.

The Internet is a very big storeroom of learning material. As a result, it significantly expands the resources available to students beyond the standard print materials found in school libraries. Students can access the latest reports on government and non-government websites, including research results, scientific and artistic resources in museums and art galleries, and other organizations with information applicable to student learning. At secondary schooling levels, the Internet can be used for undertaking reasonably tricky research projects.

As the Internet is a powerful resource for learning and an efficient means of communication, it is very useful in education and provides a number of learning benefits. These include the development of independent learning and research skills by improving access to specific subject learning across a wide range of learning areas, as well as in integrated or cross-curricular studies, and communication and collaboration, such as the ability to use learning technologies to access resources, create resources and communicate with others.
3.4.1 Access to Internet

The Internet is a time-efficient tool for teachers that enlarges the possibilities for curriculum growth. Learning depends on the ability to find relevant and reliable information quickly and easily, and to select, understand and assess that information. Searching for information on the Internet can help to develop these skills. Classroom exercises and take-home assessment tasks, where students are required to compare website content, are ideal for alerting students to the requirements of writing for different audiences, the purpose of particular content, identifying and judging accuracy and reliability. Since many sites adopt particular views about issues, the Internet is a useful tool for developing the skills of distinguishing fact from opinion and exploring subjectivity and objectivity.

The Internet is a great tool for developing the communication and collaboration skills of students and children. Above all, the Internet is an effective means of building language skills. Through e-Mail, chat rooms and discussion groups, students learn the basic principles of communication in the written form. This gives teachers the opportunity to incorporate Internet-based activities into normal literacy programs and bring variety to their teaching strategies.

Collaborative projects can be intended to improve students’ literacy skills, generally through e-Mail messaging with their peers from other schools or even other countries. Collaborative projects are also useful for engaging students and providing significant learning experiences. In this way, the Internet becomes an effective means of advancing intercultural understanding. Moderated chat rooms and group projects can also provide students with opportunities for collaborative learning.
3.5 Privacy Issues

Many children are skilled navigators of the Internet. They are comfortable using computers and are fascinated by the information and images that can be explored at the click of a mouse. Recent figures show that 90% of school-age children have access to computers either at home or at school. The ability to interact and communicate with others is one of the biggest attractions of the Internet for children. Spending time with people in chat rooms, instant messaging through mobiles, playing games, entering contests and filling in forms are popular online activities. Unfortunately, most parents don't really understand how such activities can put their children's privacy at risk or even threaten their safety. Surprisingly, in India most parents never know about some of the activities that their child is participating in on the Internet.
In today’s Internet communications scenario, personal data is valuable, and protecting it has become a skill that children need to understand and learn. The privacy of children can be compromised in certain online activities:
- Filling in forms for various surveys and contests, and downloading games on commercial or free web sites.
- Giving personal information when registering for e-mail access or chat access.
- Providing information when registering for free game downloads.
- Providing information when registering for social networking web sites.
3.5.1 Privacy

Some websites prompt students to complete a form revealing their name, e-Mail address, age and gender, and sometimes even their telephone number and postal address, in order to access information. Some requests are legitimate: much depends on the nature of the website requesting the information. Providing personal information online can result in a student being targeted for spam (unsolicited e-Mail), advertising materials and/or viruses. Privacy issues also apply to students developing personal websites and publishing online. Personal details, including photographs of themselves or other students, may lead to the information being captured and reused by others for illicit purposes.
3.6 Peer To Peer (P2P) Networking

A peer-to-peer (or P2P) computer network uses diverse connectivity between participants in a network and the cumulative bandwidth of network participants, rather than conventional centralized resources where a relatively low number of servers provide the core services. Content such as audio, video, data or any other form of digital data is shared by connecting the nodes via largely ad hoc networks. The risk in peer-to-peer networking is that, because the networks are unstructured and you share with unknown computers or persons, your computers may be affected or infected with viruses and spam.
3.6.1 Exposing your Computer to Unwanted Software

Many peer-to-peer file sharing programs do not employ good security or access control. If users are not familiar with the programs, or if the settings are improperly configured, all the contents stored on the user's hard disk may be exposed to other users, which is dangerous.
3.6.2 Contracting Computer Viruses

The computers of P2P software users can easily contract computer viruses, especially when the downloaded file is from an unknown source. Moreover, the P2P programs themselves may also contain viruses and worms, which prevent users’ computers from functioning properly.
3.6.3 Infringing Copyright

Many copyright-infringing copies of entertainment files (e.g. MP3 music files, VCD video files) and software are often shared through P2P software. The act of unauthorized uploading of a copyright work for others to download may attract civil or even criminal sanctions. Unauthorized downloading of copyright works entails civil liability.
3.6.4 Slowing down your School Internet Speed

Last but not least, if you host a large number of files for other people to download through P2P software via the school campus network, the network traffic thus created can slow down the entire campus network.
3.6.5. Tips for P2P Networks Use filtering software you trust to filter the data communication from your system. Use file sharing program controls and adjust the P2P program to run whenever required. Disable automatic starting. Always update Operating System, Anti virus and Anti Spyware packages. Do not use an administrative account. It may expose the whole system to other users in P2P networks. Create separate account for normal operations. Treat all download files with suspicion. Take back up of important files. This will help you in recovering the files. Delete any pirated software, files, etc. Alternatively, do not download them at all.
The main advantage of peer to peer network is that it is easier to set up In peer-to-peer networks all nodes are act as server as well as client therefore no need of dedicated server. The peer to peer network is less expensive. Peer to peer network is easier to set up and use this means that you can spend less time in the configuration and implementation of peer to peer network. It is not require for the peer to peer network to use the dedicated server computer. Any computer on the network can function as both a network server and a user workstation.
Disadvantages:

- A computer can be accessed anytime.
- Network security has to be applied to each computer separately.
- Backup has to be performed on each computer separately.
- No centralized server is available to manage and control the access of data.
- Users have to use separate passwords on each computer in the network.
- As with most network systems, unsecure and unsigned code may allow remote access to files on a victim's computer or even compromise the entire network.

An example of a peer to peer network is torrents. There are a LOT of risks involved with torrent downloads. The most dangerous are:

- Virus, Trojan, Worm and Keylogger program attachments.
- IP signature tattlers.

Torrents have become an increasingly popular way to download files. No matter what you are looking for, from audio to video to applications, torrents are an easy way to find and download it. However, most torrents are illegal in nature and you are breaking the law by downloading them.

Peer-to-peer file sharing pretty much began with torrents. They are a type of file sharing protocol specializing in larger file downloads. The way torrents are encoded makes it easier to download a large file, and even reputable resources are beginning to use them to make downloading files easier for users. Torrent downloads basically download from multiple personal computer systems simultaneously and combine the data at the end to form the file you were looking for. The problem is that it's WAY too easy to attach things to these files, and they just get swept into this whirlwind of information, broken apart, and can easily invade your system after they're reconstructed INSIDE YOUR COMPUTER, behind your firewall. After that it's just a question of whether or not you have a good virus scanner that can detect it.
IP tattlers are a pain too, in that once you download something and activate it for the first time, it sends information to the watcher program containing the IP address of the computer you were using and where it was downloaded from. These watchers are paid by software development companies to bust people downloading non-free-to-play software.

3 things you should always do before opening ANYTHING you download from torrent:

1) Download from a remote source, like a cyber cafe or another free wifi zone. Watchers can't find you if you download remotely; it will only send information of the place you downloaded from.
2) Download the file to a safe area of your computer, something not highly active, or into a quarantine file monitored by your antivirus program.
3) Wait 48hrs before opening any program you download from torrent, and run antivirus software scans on it before you do. Most viruses are discovered within the first 48hrs of their release, and you need to wait till your antivirus program receives definition updates, so that you can combat it before it attacks you. Better to let it happen to someone else first.

Source:
http://hubpages.com/hub/torrent-sites-overview
https://torrentprivacy.com/
http://www.techfuels.com/general-networking/10266-advantages-peer-peernetworks.html
http://www.ucertify.com/article/what-are-the-advantages-and-disadvantages-of-apeer-to-peer-network.html
http://www.techsoup.org/learningcenter/networks/page4774.cfm
4. Search Engines and Web Browsers

Search engines can provide fast, easy access to any kind of material on the Internet. Most search engines allow you to block search results that are unsuitable for children. Blocking inappropriate search results greatly reduces the chance that your children will stumble across dangerous or objectionable material on the Internet. These search result filters are not foolproof. Some unwanted content may still appear in the search results.

4.1 Usage of search engines

You can search any individual web page using the CTRL-F command. Many websites also offer search boxes that let you search all the pages in the site, or records in its database. Searching is usually the most efficient way to find information. Words entered in a search command are searched for in any order. Use spaces to separate keywords in simple keyword searching. To search for keywords exactly as keyed, enclose them in "double quotation marks"; this forms a phrase in most search engines. Sometimes a phrase is called a "character string."

4.1.1 Use +REQUIRE or -REJECT A TERM OR PHRASE

Insert + immediately before a term, with no space, to limit the search to documents containing the term.
Insert - immediately before a term, with no space, to exclude documents containing the term.
4.2 Internet Browser(s) Security

A web browser is used to gain access to information and resources on the World Wide Web. It is a software application used to trace and display web pages. The main purpose of a web browser is to bring information resources to the user. The process begins with a uniform resource identifier (URI) or uniform resource locator (URL).
4.2.1 Uniform Resource Locator (URL)
Take the URL http://www.infosecawareness.in as an example. Each URL is divided into different sections, as shown below:

- http:// : In short, http means the hypertext transfer protocol and indicates that the file is a web page. You don't need to type the http every time; it is automatically inserted by the browser.
- www : World Wide Web
- infosecawareness : site name
- .in : One of the domain names, which is basically a country name. Other domain names are .com (commercial organization), .net (network domain) etc. (The organization address and location of the organization address are known as the domain name.)
- co.in : Suffix or global domain name, which shows the type of organization address and the country of origin; for example, the suffix co.in indicates a company in India.

Generally a web browser connects to the web server and retrieves the information. Each web server has an IP address, and once you are connected to the web server using http, the browser reads the hypertext mark-up language (HTML), the language used to create documents on the World Wide Web, and displays that document. In short, a browser is an application that provides a way to look at and interact with all the information on the World Wide Web.
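The breakdown above can be reproduced in code, which also shows which part of a long address is the actual site. This is an added example, not part of the original handbook; the function name `split_url` and the small suffix table are assumptions made for the illustration, and the sample addresses are constructed.

```python
from urllib.parse import urlsplit

# Constructed suffix table covering only the suffixes named in the text.
# (Assumption for this example; real software consults the Public Suffix List.)
KNOWN_SUFFIXES = {
    "in": "country domain (India)",
    "co.in": "company in India",
    "com": "commercial organization",
    "net": "network domain",
}


def split_url(url):
    """Break a URL into the sections described in 4.2.1 (hypothetical helper)."""
    # The browser inserts http:// when it is not typed, so do the same here.
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    labels = [label for label in host.split(".") if label]

    # Default: treat the last label as the suffix when there is more than one.
    suffix_len = 1 if len(labels) > 1 else 0
    # Try the longest known suffix first so that "co.in" wins over plain "in".
    for size in (2, 1):
        if len(labels) > size and ".".join(labels[-size:]) in KNOWN_SUFFIXES:
            suffix_len = size
            break

    suffix = ".".join(labels[len(labels) - suffix_len:]) if suffix_len else ""
    rest = labels[:len(labels) - suffix_len]
    site_name = rest[-1] if rest else ""
    return {
        "scheme": parts.scheme,
        "prefix": ".".join(rest[:-1]),          # e.g. "www"
        "site_name": site_name,
        "suffix": suffix,
        "suffix_meaning": KNOWN_SUFFIXES.get(suffix, "not in the sample table"),
        # The site name plus suffix is the part that identifies who runs the site.
        "registered_domain": ".".join(p for p in (site_name, suffix) if p),
    }


if __name__ == "__main__":
    for sample in (
        "http://www.infosecawareness.in",
        "www.example.co.in",
        # A familiar name placed in front of a different site name:
        "http://www.infosecawareness.in.example.com/login",
    ):
        print(sample, "->", split_url(sample))
```

In the third sample the familiar name is only a prefix; the site that would actually be contacted is example.com.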
4.2.2. Understanding usage of Web browsers

A Web browser is a software application that runs on the Internet and allows viewing web pages, as well as content, technologies, videos, music, graphics, animations and many more. In other words, a browser is an application that offers a method to look at and interact with the entire information on the World Wide Web.

4.2.3 Types of web browsers

There are different types of web browsers available with different features. A web browser is a tool used not only on personal computers, but also on mobile phones to access information. There are different technologies that support web browsers, like Java, frames, XHTML and many more. Web browsers are also available in different languages like English, German, Chinese, Arabic and many more. Knowing the web browsers and their uses makes it easier to improve Internet usage.

4.2.4 Some of the popular web browsers

4.2.4.1 Internet Explorer

It is known as Microsoft Internet Explorer, in short IE. It is one of the most popular web browsers. The latest edition of IE is available with some of the Windows operating systems like Windows XP, Windows 2003 and Windows Vista.

4.2.4.2 Mozilla Firefox

It is a free, open source web browser developed by Mozilla Corporation. The browser can be used on different operating systems like Windows, MAC, Linux, etc.

4.2.4.3 Google Chrome

It is a web browser designed for the Windows operating system. This browser works on Windows XP and Windows Vista.

4.2.4.4 Safari

It is a web browser developed by Apple Corporation. It is the default web browser of MAC OS X. This browser also works on Windows XP and Windows Vista.
4.3. Risks towards web browser

There are increased threats from software attacks taking advantage of vulnerable web browsers. The vulnerabilities are exploited and directed at web browsers with the help of compromised or malicious websites. Exploiting vulnerabilities in web browsers has become a popular way for attackers to compromise computer systems, as many users do not know how to configure their web browser securely or are unwilling to enable or disable functionality as required to secure their web browsers.

4.3.1. Secure web browser

By default, a web browser comes with an operating system and is set up with a default configuration, which does not have all secure features enabled. Many web browsers, like Internet Explorer, Mozilla, Google Chrome, etc., are installed on computers and used frequently. Not securing a web browser leads to problems caused by spyware, malware, viruses, worms, etc. being installed on the computer, which may allow intruders to take control of your computer.

There is an increased threat from software attacks which may take advantage of vulnerable web browsers. Some software used by a web browser, like JavaScript, ActiveX, etc., may also introduce vulnerabilities to the computer system. So it is important to enable the security features in the web browser you use, which will minimize the risk to the computer. Web browsers are frequently updated, and features and options may change depending on the software. It is therefore recommended to use an updated web browser.

4.3.2 Security zone

The security zone in an Internet web browser lets you secure the browser and choose which people and companies on the Internet to trust. It helps you decide which sites are allowed to run applications, scripts and add-ons or install a plug-in on your computer. The security zone also contains other features, like adding the address of a web site under restricted sites. This feature is available in Internet Explorer, where it blocks untrusted sites or attack sites. A similar feature is available in Firefox; it varies between web browsers.

4.3.3 Trusted site

The Internet is a network of people, with all kinds of content and different kinds of people. Generally, you don't trust everyone around you, so why should all websites be trusted? Moreover, why do you allow everyone to come into your computer without your authorization? So use the trusted sites feature in your web browser to decide whom to trust.
4.4 How to secure your web browser?

4.4.1 Internet explorer (IE Version 9)

The following are some of the features and their settings of Internet Explorer. From the settings/tools tab, under Safety, you will find the following options:

- Tracking Protection
- SmartScreen Filter
- InPrivate Browsing
- ActiveX Filtering
- Report unsafe website
- Cross Site Scripting

Tracking Protection: Limits the browser's communication with certain websites, determined by a Tracking Protection List, to help keep your information private.

SmartScreen Filter: It can help protect you from online phishing attacks, fraud, and spoofed or malicious websites. It also scans downloads, and then warns you about possible malware (malicious software).

InPrivate Browsing: You can use it to browse the web without saving related data, such as cookies and temporary Internet files.

ActiveX Filtering: This option of Internet Explorer 9 is used to protect your computer from risky and unreliable ActiveX controls.

Report unsafe website: A reported unsafe website has been confirmed by reputable sources as fraudulent or linking to malicious software and has been reported to Microsoft. Microsoft recommends you do not give any information to such websites.

Cross site scripting (XSS) filter: It can help to prevent attacks from fraudulent websites that might attempt to steal your personal and financial information.

To block all cookies:

1. In Internet Explorer, click the Tools button, click Internet Options, and then click the Privacy tab.
2. Move the slider up to Block All Cookies. On this setting, websites will not be able to store cookies on your computer.

4.4.2 Firefox 6.0.2 Browser

The following are the features and their settings of the Mozilla Firefox web browser.

Anti-Phishing: Shop and do business safely on the Internet. Firefox gets a fresh update of forgery sites a whopping 48 times a day, so if you try to visit a fraudulent site that's pretending to be someone you trust (like your bank), a warning message will stop you before any harm is done.

Security settings in Firefox control the level of examination you'd like Firefox to give a site and let you enter exceptions (sites that don't need the third degree). Customize settings for passwords, cookies, loading images and installing add-ons for a fully empowered Web experience, as shown below.
- From the Tools menu of the Firefox browser, select Options and then click on the Security tab.
- Under the Security tab, enable the option "warn me when sites try to install add-ons". To add or remove sites, click on the Exceptions tab and add or remove the sites you want.
- Enable the option "tell me if the site I'm visiting is a suspected attack site".
- Enable the option "tell me if the site I am using is a suspected forgery". Firefox gets a fresh update of web forgery sites 48 times a day, so if you try to visit a fraudulent site that's pretending to be a site you trust, the browser prompts you with a message and stops you.
- Disable the option "remember passwords for sites". Firefox integrated this feature into your surfing experience: you can choose to "remember" site passwords without intrusive pop-ups. You'll see the "remember password" notification integrated into your view at the top of the site page, and if you choose never to remember passwords for sites, it will not show any notification.
- In the Firefox web browser, select Tools, then Options, select Content and enable "Block pop-up windows", as shown below.

Anti-Virus Software: Firefox integrates elegantly with your Windows anti-virus software. When you download a file, your computer's antivirus program automatically checks it to protect you against viruses and other malware, which could otherwise attack your computer. The other feature is automated updates, which let us find security issues, fix them through updates and surf safely; you can receive automatic notification or wait until you are ready. Firefox protects you from viruses, worms, trojan horses, and spyware delivered over the Web. If you accidentally access an attack site, it will warn you away from the site and tell you why it isn't safe to use.

Site Identity Button: The Site Identity Button is in the Location bar to the left of the web address. When viewing a website, the Site Identity Button will display in one of three colors: gray, blue, or green. Clicking on the Site Identity Button will display security information about the website, with a matching gray, blue, or green "Passport Officer" icon.

- Gray: No Identity Information
- Blue: Basic Identity Information
- Green: Complete Identity Information

Privacy settings in Firefox control the level of examination you'd like Firefox to give a site and let you enter exceptions (sites that don't need the third degree). Customize settings for cookies, remembering passwords, downloads and history storage, as shown below.
4.4.3 Google Chrome

The following are the features and security settings of the Google Chrome web browser.

From the settings menu, select the Incognito window. A new window appears; pages you view from this window won't appear in your web browser history or search history, and they won't leave any traces like cookies after you close the incognito window. Any files you download or bookmarks you create will be preserved.

Chrome has a new feature: its own Task Manager, which shows you how much memory and CPU each tab and plugin is using. You can open it by pressing Shift-Esc from within Chrome, or by placing the cursor on the window, right clicking and selecting Task Manager. You can get more details by clicking the "Stats for nerds" link in the Task Manager, which opens a page with full details of memory and CPU usage for each process within the browser. It can be used to close a bad process in one tab without killing your whole browser session.

Another feature of Chrome is dynamic tabs: you can drag tabs out of the browser to create new windows, gather multiple tabs into one window or arrange your tabs however you wish, and it becomes quick and easy to get back to the desired sites, i.e. to reopen closed sites.

The safe browsing feature in Google Chrome displays a warning if the web address listed in the certificate doesn't match the address of the website. The following are the steps for the safe browsing settings in Google Chrome:

- From the settings tab, select Options and click on Under the Hood.
- Under Privacy, enable the option "show suggestions for navigation errors".
- Enable the option "use a suggestion service to help complete searches and URLs typed in the address bar".
- Enable DNS pre-fetching to improve page load performance.
- Enable the phishing and malware protection.
- In the Google Chrome web browser, select Tools, then Options, select Under the Hood, and under Cookies select "Restrict how third party cookies can be used". Only first-party cookie information is sent to the website; third-party cookie information isn't sent back to the websites that originally set the third-party cookies, as shown below.
- Under Minor Tweaks, enable the option never save passwords.
- Under Computer-wide SSL settings, enable the option use SSL 2.0.

From the Page menu, select Create application shortcuts. This is used if you view some websites regularly: you can create application shortcuts for the desired web sites and place them on your desktop, start menu or quick launch menu. After creating a shortcut, if you double click the shortcut icon on the desktop or start menu, the website opens in a special window that doesn't display tabs, buttons, address bar or menus. Many of the browser functions are available instead in the dropdown menu that appears when you click the page logo in the upper-right corner of the window. If you click a link that takes you to a different website, the link opens in a standard Google Chrome window so you won't lose track of your website.
4.4.4 Safari 5 Browser

The following are the features of the Safari secure web browser.

Phishing Protection: Safari protects you from fraudulent Internet sites. When you visit a suspicious site, Safari warns you about its suspect nature and prevents the page from loading.

Malware Protection: Safari recognizes websites that harbor malware before you visit them. If Safari identifies a dangerous page, it warns you about the suspect nature of the site.

Antivirus Integration: Safari notifies your antivirus software whenever you download a file, image, application, or other item. This allows the antivirus software to scan each download for viruses and malware.

Secure Encryption: To prevent eavesdropping, forgery, and digital tampering, Safari uses encryption technology to secure your web communications. Safari supports the very latest security standards, including SSL versions 2 and 3, Transport Layer Security (TLS), 40- and 128-bit SSL encryption, and signed Java applications.

Automatic Updates: Get quick, easy access to the latest security updates. Safari takes advantage of Apple Software Update, which checks for the latest versions of Safari when you're on the Internet.

Pop-Up Blocking: By default, Safari intelligently blocks all unprompted pop-up and pop-under windows, so you can avoid distracting advertisements while you browse.

Cookie Blocking: Some companies track the cookies generated by the websites you visit, so they can gather and sell information about your web activity. Safari is the first browser that blocks these tracking cookies by default, better protecting your privacy. Safari accepts cookies only from the current domain.
5. Filtering services

5.1 Filtering Services in web browser

Content filtering over the Internet, sometimes called parental controls, is used to block access to offensive websites. It is not guaranteed, but it can be very helpful.

5.1.1 What is content filtering?

People find some inappropriate content, like images of sex, violence or strong language, on the Internet. As the Internet is a free zone, anyone can post anything, and there is no effective restriction on the Internet itself. As a result, many people use content filtering software and set browser settings to block offensive websites.
5.1.2 How to enable content filtering?

In Internet Explorer, there is an option to restrict web sites and allow access only to those web sites set by a user. In the Internet Explorer web browser, select Tools, then Internet Options, select Content and click Enable.

In the Google search engine there is an option for safe search filtering: click on Preferences or Search Preferences, go to Safe search filtering and select the desired option.

In the Yahoo search engine there is an option for safe search filtering: click on Advanced and select the desired option.
Remember, none of these filtering features is 100% accurate, and some unsuitable content may still slip through. It is important to teach your children to surf the web safely and to take time to explore the Internet with them.

5.2 Parental Control Bars

Parental Control Bar is a simple, powerful tool to help shield your children from explicit websites. Simply activate Child-Mode while your children surf the Internet, and the toolbar will block access to adult-oriented websites. Ensure that your child is safe while using the Internet. Parental controls give you the advantage of being able to do the following:

- Enforce time limits, set by the parent, on the child's Internet activity.
- Block access to materials (pictures) identified as inappropriate for kids.
- Monitor your child's activity on the Internet by storing names of sites and/or snapshots of material seen by your child on the computer for you to view later.
- Set different restrictions for each family member.
- Limit results of an Internet search to content appropriate for kids.
5.2.1 Parental control Bars in Web Browsers

5.2.1.1 Internet Explorer 8

The Parental Control Bar in the Windows Vista OS supports Internet Explorer by default. To set up parental controls in Windows Vista, open Parental Controls by clicking the Start button, clicking Control Panel and, under User Accounts, clicking Set up Parental Controls. If you are prompted for an administrator password or confirmation, type the password or provide confirmation. Then click the standard user account for which to set Parental Controls. Under Parental Controls, click On. Once you've turned on Parental Controls for your child's standard user account, you can adjust the individual settings that you want to control. You can control areas like web restrictions, time limits and games, and you can block specific programs.

Third party parental control bar tools can be downloaded from the following website: http://www.ieaddons.com/en/details/Security/ParentalControl_Bar/

5.2.1.2 Firefox Browser in Windows

There are many Firefox addons or extensions, which we can download from https://addons.mozilla.org/en-US/firefox/search?q=parental+control&cat=all
Some of the products/addons for Firefox:

5.2.1.3 Glubble for Families

Glubble allows you to create a private family page where you can monitor and support your children's online activities. Glubble provides games, chat, safe surfing, and a Family Photo Timeline service for uploading, storing, and sharing your photos online. Glubble integrates Ask for Kids, a safe search engine for children.

https://addons.mozilla.org/firefox/addon/5881

5.2.1.4 ProCon filters Web page content by using a list of inappropriate words and replacing them with asterisks (***). Note that the bad word filter does not block websites containing the words; you must add the website to a Blacklist. ProCon can also block all traffic, making sure that only desired websites (set in the Whitelist) can be accessed. You can manage "white" and "black" lists of sites and pages. ProCon also has password protection in order to keep others from changing the settings.

5.2.1.5 ProCon Latte

In addition to Firefox extensions, there are many third-party software packages that can filter content through your operating system or at the point where your network connects to the Internet.

Available: https://addons.mozilla.org/firefox/addon/1803
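The difference between the word filter, the Blacklist and the Whitelist-only mode described for ProCon is easiest to see side by side. The following is an added example, not ProCon's own code; the class `PageFilter`, its method names, the rule that a whitelisted site overrides the blacklist, and all sample words and sites are assumptions constructed for the illustration.

```python
import re
from urllib.parse import urlsplit


class PageFilter:
    """Toy model of the three controls described above (hypothetical class)."""

    def __init__(self, bad_words, blacklist=(), whitelist=(), whitelist_only=False):
        self.blacklist = {site.lower() for site in blacklist}
        self.whitelist = {site.lower() for site in whitelist}
        self.whitelist_only = whitelist_only
        words = sorted((re.escape(w) for w in bad_words if w), key=len, reverse=True)
        # Whole-word, case-insensitive match; None when the word list is empty.
        self.pattern = (
            re.compile(r"\b(?:" + "|".join(words) + r")\b", re.IGNORECASE)
            if words else None
        )

    @staticmethod
    def _listed(host, sites):
        # A list entry covers the site itself and its subdomains.
        return any(host == site or host.endswith("." + site) for site in sites)

    def site_allowed(self, url):
        if "://" not in url:
            url = "http://" + url
        host = (urlsplit(url).hostname or "").lower()
        if self.whitelist_only:
            # "Block all traffic" mode: only whitelisted sites get through.
            return self._listed(host, self.whitelist)
        if self._listed(host, self.whitelist):
            return True  # assumption: an explicit allow wins over the blacklist
        return not self._listed(host, self.blacklist)

    def mask_words(self, text):
        # The word filter only rewrites text; it never blocks the page.
        if self.pattern is None:
            return text
        return self.pattern.sub("***", text)

    def render(self, url, text):
        """Return the text the child would see, or None if the site is blocked."""
        if not self.site_allowed(url):
            return None
        return self.mask_words(text)


if __name__ == "__main__":
    normal = PageFilter(["casino"], blacklist=["blocked.example"])
    # A listed word on an unlisted site is masked, but the page still loads.
    print(normal.render("http://news.example/story", "New Casino opens downtown"))
    # Only the Blacklist actually blocks a site.
    print(normal.render("http://www.blocked.example/", "anything"))
    strict = PageFilter(["casino"], whitelist=["school.example"], whitelist_only=True)
    print(strict.render("http://news.example/story", "Homework help"))
    print(strict.render("http://school.example/maths", "Homework help"))
```
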
5.3 Procedure for installing Parental control toolbar

1. Double click the parental control setup downloaded from the website.
2. After double clicking, it will ask you to close any other browser windows. Click the ‘OK’ button.
3. Click the ‘I agree’ button to accept the license agreement.
4. The wizard asks for the parental control password, which will be used to manage parental control settings.
5. Type the password and enter a question which will be used as a hint if you forget the password typed earlier. Be sure that your child doesn’t know the answer to the question.
6. Type the e-Mail address to which the parental password will be sent and click ‘Next’.
7. Next, the installation starts by taking the appropriate files from the website and completes within a few minutes.
8. The parental control bar will be added to the Internet Explorer browser as shown above.
9. Below shows the ‘parent’ button showing that the browser is acting in ‘parent’ mode.
10. Type the website that you want to block for children and click the button ‘Block this site’.
11. To block this site, the parental control bar asks for the password.
12. After you enter the password and click OK, a window opens telling you that the site is blocked.
13. Whenever the child wants to browse the website, the browser should be in child mode. So click the ‘parent mode’ button, so that the browser is changed to child mode. Then the parent control toolbar appears as shown below, telling you that child safe mode is now active.
14. Click ‘ok’.
15. When the child wants to browse the blocked site, it asks for the password to open the site, as shown below.
16. Now if the child wants to view the website without entering the password, an error occurs like this.
5.4 Changing the parental control settings in the parental control toolbar

1. To change settings for allowing and blocking websites, click ‘change parental settings’.
2. After clicking change parental settings, a window opens and asks for the ‘parent control password’.
3. Type the password and click ‘ok’. After that a window opens like this.
4. You can add sites to the allowed list by clicking the ‘allowed site list’ tab.
5. Type the website that you want to allow and click the ‘allow’ button as shown below.
6. You can also add sites to the blocked list by clicking ‘blocked site list’.
7. Type the website that you want to block and click the ‘block’ button as shown in the figure below.
8. You can also filter some types of content by clicking the ‘basic site filters’ tab.
9. The following window appears after clicking the ‘Basic site filters’ tab.
10. By default, the following types of sites are filtered.
11. You can also block other types of sites by checking the ‘block’ button.
5.5 k9 web protection

It is free, enterprise-class security software designed for home computers. To protect your home computer from online threats of all kinds, you need a robust security solution that’s updated in real time. With Blue Coat K9 Web Protection, you don’t have to wait for the latest security patch or upgrade, which can leave your computer vulnerable to new and evolving Web threats. K9 delivers the comprehensive protection you need automatically. With K9, you get the same advanced Web filtering technology used by enterprise and government institutions worldwide, all with a user-friendly interface that allows you to control Internet use in your home.

K9 also offers:

- Real-time malware protection: Blue Coat WebFilter helps identify and block illegal or undesirable content in real time, including malware-infected sites. You also benefit from the WebPulse cloud service, a growing community of more than 62 million users who provide more than six billion real-time Web content ratings per day.
- Automatic content ratings: New Web sites and pages are created every minute, and no one person can possibly rate or categorize all of them. To ensure protection against new or previously unrated Web sites, Blue Coat’s patent-pending Dynamic Real-Time Rating™ (DRTR) technology automatically determines the category of an unrated Web page, and allows or blocks it according to your specifications.
- Continuous protection that won’t slow down your computer: Caching is the method your Web browser uses to save frequently used data, which increases efficiency by reducing the amount of information requested over the Internet. K9 uses Blue Coat’s unique caching technology, so your Internet experience is always as fast as possible.
More on: http://www1.k9webprotection.com/
5.6 Spam filter

Along with the content filter and website filter, nowadays all e-Mail service providers come with a built-in spam filter. Click on the spam filter option and add any e-Mail ID which you feel is not a trusted ID, or the e-Mail ID of an unknown user. An example is shown below.
6. Internet Mediated Communication 6.1 e-Mail Security e-Mail is a short form of electronic mail. It is one of the widely used services on the Internet. e-Mail is used for transmission of messages in a text format over the Internet. The message can be sent by using the receiver e-Mail address and vice versa. e-Mail can be sent to any number of users at a time it takes only few minutes to reach the destination. e-Mail consists of two components, the message header contains control information, an originator's e-Mail address and one or more recipient addresses and message body, which is the e-mail content. Some e-Mail systems are confined to a single computer system or to a small network, and they are connected to the other e-Mail systems through the gateway, which enables the users to connect to anywhere in the world. Though different electronic mail systems have different formats, there are some emerging standards like MAPI, X.400 that enables the users to send messages in between different electronic mail systems. MAPI is a Mail Application Programming Interface, system built in Windows, which allow different mail applications working together for distributing mails. Until MAPI is enabled on both the application’s the users can share mails with each other. X.400 is the universal protocol that provides a standard format for all e-Mail messages. X.500 is an extension to X.400 standard, which provides standard addressing formats for sending e-Mails so that all e-Mail systems are linked to one another.
6.1.1 How an e-Mail works?
The working of e-Mail is as shown in the figure below. Each mail server consists of two different servers running on a single machine. One is the POP3 (Post Office Protocol) or IMAP (Internet Mail Access Protocol) server, which holds the incoming mails, and the other is the SMTP (Simple Message Transfer Protocol) server, which holds the outgoing mails. SMTP works on port number 25, POP on port number 110 and IMAP on port number 143.
In the figure shown above, Client 1 has an account on mail server 1 and Client 2 has an account on mail server 2. When Client 1 sends a mail to Client 2, the mail first goes to the SMTP server of mail server 1. Here the SMTP server divides the receiver's address into two parts, the username and the domain name. For example, if the SMTP server receives user1@example.com as the receiver's address, it will separate it into user1, which is a mail account on the destination mail server, and example.com, which is the domain name of the destination mail server. Now, with the help of the domain name, it will request the IP address of the recipient's mail server, and then it will send the message to mail server 2 by connecting to its SMTP server. Then the SMTP server of mail server 2 stores the message in Client 2's mailbox with the help of POP3 in mail server 2. When Client 2 opens his mailbox, he can view the mail sent by Client 1.
6.1.2 POP3 Server
A POP3 server contains a collection of text files, one for each mail account. When a message arrives for a particular user, the server appends that message at the bottom of that user's account text file. When a user connects to the mail server to check his mails, he connects to the POP3 server of that mail server through port 110. A username and password are required to view his mailbox on the mail server.
IMAP is also similar to the POP3 protocol.
6.1.3 Possible threats through e-Mail and guidelines for handling e-Mails safely
e-Mails are just like postcards, from which the information can be viewed by anyone. When a mail is transferred from one mail server to another, there are various stops at which unauthorized users may try to view the information or modify it. Since a backup is maintained for an e-Mail server, all the messages will be stored in the form of clear text even though they have been deleted from your mailbox. Hence there is a chance of the information being viewed by the people who maintain the backups. So it is not advisable to send personal information through e-Mails.
Say you receive a mail telling you that you have won a lottery of a million dollars. Receiving such a mail seems a great and happy thing. However, these mails may not be true. By responding to such mails, many people have lost huge amounts of money. So ignore such e-Mails, do not participate, and consider them a scam. Sometimes e-Mails offering free gifts and asking for personal information are received from unknown addresses. This is one way to trap your personal information.
One way of stealing a password is standing behind an individual and looking over their shoulder while they type it, or searching for the papers where they have written the password. Another way of stealing a password is by guessing. Hackers try all possible combinations with the help of an individual's personal information. When there is a large number of password combinations, the hackers use fast processors and software tools to crack the password. This method of cracking a password is known as a “brute force attack”. Hackers also try all the possible words in a dictionary to crack the password with the help of software tools. This is called a “dictionary attack”.
Generally spammers or hackers try to steal e-Mail addresses and send malicious software or code through attachments, fake e-Mails and spam, and also try to collect your personal information.

6.1.3.1 Attachments
Sometimes attachments come with e-Mails and may contain executable code, like macros, .EXE files and ZIPPED files. Sometimes attachments come with double extensions like “attachment.exe.doc”. By opening or executing such attachments, malicious code may be downloaded into your system and can infect it.
Tip: Always scan the attachments before you open them.
6.1.3.2 Fake e-Mails
Sometimes e-Mails are received from a fake e-Mail address, with an attachment named “Facebook_Password_4cf91.zip” that includes the file “Facebook_Password_4cf91.exe” which, the e-Mail claims, contains the user's new Facebook password. When a user downloads the file, it could cause a mess on their computer, which can be infected with malicious software.
Tip: Always check and confirm from where the e-Mail has been received; generally, service people will never ask for your password or provide one for you to change.

6.1.3.3 Spam e-Mails
Spam messages may trouble you by filling your inbox or your e-Mail database. Spam involves identical messages sent to various recipients by e-Mail. Sometimes spam e-Mails come with advertisements and may contain a virus. By opening such e-Mails, your system can be infected and your e-Mail ID is added to the spammers' list.
Tip: It is always recommended to ignore or delete spam e-Mails.

6.1.3.4 e-Mails offering free gifts
Sometimes e-Mails from unknown users are targeted at you, offering gifts, lottery winnings or prizes that are supposedly free of cost. They may ask for your personal information to accept the free gift, or ask for money to claim the lottery or prize. It is one way to trap your personal information.
Tip: Always ignore free gifts offered by unknown users.

6.1.3.5 Hoaxes
A hoax is an attempt to make a person believe that something false is true. It is also defined as an attempt to deliberately spread fear and doubt among users.
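The attachment warnings in 6.1.3.1 and 6.1.3.2 can be applied as a check before a message is opened. The following Python example is added here and is not part of the handbook: it parses a constructed message and flags double extensions, executable or macro-capable file names, and ZIP archives that contain an executable. The extension lists, the function names and every sample file name other than “attachment.exe.doc” are assumptions made for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Illustrative extension sets (assumptions, not a complete list).
EXECUTABLE = {"exe", "scr", "bat", "cmd", "pif", "vbs"}
MACRO_CAPABLE = {"doc", "docm", "xls", "xlsm", "ppt", "pptm"}
ARCHIVE = {"zip"}
KNOWN = EXECUTABLE | MACRO_CAPABLE | ARCHIVE | {"rtf", "txt", "pdf", "jpg", "png"}


def name_findings(filename):
    """Return the reasons a file name alone looks risky (heuristic)."""
    # Only the last two dot-separated suffixes are inspected, so a version
    # string such as "v1.2" in the middle of a name is ignored.
    exts = [e for e in filename.lower().split(".")[1:] if e][-2:]
    known = [e for e in exts if e in KNOWN]
    findings = []
    if any(e in EXECUTABLE for e in exts):
        findings.append("executable")
        if len(known) >= 2:
            findings.append("double-extension")
    if exts and exts[-1] in MACRO_CAPABLE:
        findings.append("macro-capable")
    if exts and exts[-1] in ARCHIVE:
        findings.append("archive")
    return findings


def archive_findings(data):
    """List executable members of a ZIP attachment without extracting it."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
    except zipfile.BadZipFile:
        return ["unreadable-archive"]
    return [f"contains-executable:{m}" for m in members
            if "executable" in name_findings(m)]


def scan_message(raw):
    """Map each attachment name in a raw message to its list of findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        findings = name_findings(name)
        if "archive" in findings:
            findings += archive_findings(part.get_payload(decode=True))
        report[name] = findings
    return report


def build_sample():
    """Constructed sample: a text body plus three harmless attachments."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("new_password.exe", b"constructed placeholder, not a program")
    msg = EmailMessage()
    msg["From"] = "support@service.example"
    msg["To"] = "user1@example.com"
    msg["Subject"] = "Your new password"
    msg.set_content("Your password was reset. See the attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="new_password.zip")
    msg.add_attachment(b"constructed", maintype="application",
                       subtype="msword", filename="attachment.exe.doc")
    msg.add_attachment(b"{\\rtf1 hello}", maintype="application",
                       subtype="rtf", filename="notes.rtf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, findings in scan_message(build_sample()).items():
        print(f"{name}: {', '.join(findings) or 'no findings'}")
```

A clean result from a name check like this does not replace the antivirus scan the tip above recommends; it only catches what the file names and archive listing reveal.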
6.1.4 How to prevent?

6.1.4.1 Using filtering software
Use e-Mail filtering software to avoid spam so that only messages from authorized users are received. Most e-Mail providers offer filtering services.
6.1.4.2 Ignore e-Mails from strangers
Avoid opening attachments coming from strangers, since they may contain a virus along with the received message. Be careful while downloading attachments from e-Mails into your hard disk. Scan the attachment with updated antivirus software before saving it.
6.1.5 Guidelines for using e-Mail safely
Since e-Mail messages are transferred in clear text, it is advisable to use encryption software like PGP (Pretty Good Privacy) to encrypt e-Mail messages before sending, so that they can be decrypted only by the specified recipient.
Use e-Mail filtering software to avoid spam so that only messages from authorized users are received. Most e-Mail providers offer filtering services.
Do not open attachments coming from strangers, since they may contain a virus along with the received message.
Be careful while downloading attachments from e-Mails into your hard disk. Scan the attachment with updated antivirus software before saving it.
Do not send messages with attachments that contain executable code, like Word documents with macros, .EXE files and ZIPPED files. You can use Rich Text Format (RTF) instead of the standard .DOC format. RTF will keep your formatting but will not include any macros. This may prevent you from sending a virus to others if you are already infected by it.
Avoid sending personal information through e-Mails.
Avoid filling in forms that come via e-Mail asking for your personal information, and do not click on links that come via e-Mail.
Do not click on e-Mails that you receive from untrusted users, as clicking itself may execute malicious code that spreads into your system.
6.2 Instant Messaging
Instant messaging (IM) is real-time, text-based communication between two or more people connected over a network like the Internet. Instant messaging has become very popular: with it you can interact with people in real time, keep a list of family and friends in your contact list, and communicate with a person as long as that person is online. There are many instant messaging service providers, like AOL, Yahoo Messenger, Google Talk and many more.
6.2.1 Risks involved in IM
Hackers constantly access instant messages and try to deliver malicious code through them. The code may contain a virus, Trojan or spyware, and if you click on the file, the code will enter your system and infect it within seconds.

6.2.1.1 Spim
Spim is short for spam over instant messaging; it uses IM platforms to send spam messages. Like e-Mail spam, a spim message also contains advertisements. It generally contains web links, and by clicking on those links malicious code enters your PC. Spim generally arrives in real time, so you need to stop your work and deal with it as the IM window pops up. With e-Mail you have time: you can delete all spam at once, or scan attachments before opening them. This cannot be done in IM.
Tip: Avoid opening attachments and links in IM.
7. Social Networking
Social networking means the grouping of individuals into specific groups, like small communities. Social networking is used to meet Internet users, to gather and share information or experiences about any number of topics, to develop friendships, or to start a professional relationship. Put simply, a social networking site is a place where different people keep different information related to a particular thing in one place, for example Orkut, Facebook, etc.
Social networking has many advantages: you can join any kind of group based on your hobbies, business, school and much more, and it is a different communication tool for keeping in touch with friends and colleagues. Apart from these advantages there are disadvantages: these communication tools and sites can be exploited by scammers or hackers, so it is very important to protect yourself.
These social networking sites are very popular with young people. They expose them to risks they have always faced online but in a new forum: online bullying, disclosure of private information, cyberstalking, access to age-inappropriate content and, at the most extreme, online grooming and child abuse. For adults, who are also using these sites in greater numbers, there are serious risks too. They include loss of privacy and identity theft. Adults too can be victims of cyber-bullying and stalking.
7.1 Tips to avoid risks by social networking
Be careful about the information you put online. If you post your photo, video or account details, they will stay online for a long time and whoever is connected will see them. Generally, business people look at these sites as part of the hiring process to learn about a person's views and interests. However, hackers will use these sites to collect personal information and may misuse it.
Remember not to post anything personal, like sensitive information about your family, addresses or personal photographs.
Most sites and services provide privacy settings; use them to prevent attackers from viewing your information. You can also set the privacy settings according to whom you want to allow to see your information.
Be careful if you want to meet social networking friends in person; the identity posted on a web site may not be true. Think before you meet. If you are going to meet, do it in a public place during the day.
8. Social Engineering

8.1 What is Social Engineering?
Social engineering is an approach to gaining access to information through misrepresentation. It is the conscious manipulation of people to obtain information without their realizing that a security breach is occurring. It may take the form of impersonation via telephone, in person or through e-Mail. Some e-Mails entice the recipient into opening an attachment that activates a virus or malicious program on the computer.
Careless talking is one of the causes of social engineering. Talking carelessly about business, the office, home, personal matters and people, and discussing them with those who are not authorized, indirectly gives sensitive information to someone who may use it for a specific purpose, such as breaking into your computer or obtaining your organization's details.
8.2 How do they do this?
A social engineer may approach you by telephone or e-Mail, pose as a person from your Information Technology department or help desk, and ask for your user ID, password and other details like system and network information.
A social engineer may meet you outside your workplace or organization and ask you about your work or how your organization does things.
A social engineer may come to your organization to present business needs and ask for network connectivity, in order to learn about the network or any sensitive information.
A social engineer may ask for your identity card to learn personal information about you, your school, your organization, etc.
The basic goals of social engineering are the same as those of hacking in general: to gain unauthorized access to systems or information in order to commit fraud, network intrusion or identity theft, or simply to disrupt the system and network.
8.3 Social Engineering can be done in many ways

8.3.1 Non-Technical
Public Places
Social engineering can be done in public places like cafes, pubs and movie theatres. You may release some sensitive information to the public or to a social engineer, or someone may overhear you.
Gossips
You may gossip with a colleague and give some information to another colleague who might be a social engineer.
Personal Pride or Confidence
You may give sensitive information about your family or organization to unknown persons while boasting of your achievements, pride and confidence.
Online
Social engineers may obtain information online by pretending to be the network administrator, sending e-Mail through the network and asking indirectly for a user's password or any sensitive information.
8.3.2 Technical
Vishing
Vishing is a method of social engineering over the telephone system, most often using features facilitated by Voice over IP (VoIP), to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and "phishing".
Tip: Don’t give any financial information to unknown people over the phone. Confirm to whom you are speaking and cross-check with the concerned company or bank before giving any information.
Phishing
Phishing is a type of deception designed to steal your valuable personal data, such as credit card numbers, passwords, account data or other information. The attackers have become more sophisticated, and so have their phishing e-Mail messages and pop-up windows. They often include official-looking logos from real organizations and other identifying information taken directly from legitimate Web sites.
Tip: If you think you've received a phishing e-Mail message, do not respond to it, and do not click on links received from unknown users.
8.3.3 Other Techniques
Baiting
Baiting is a method of social engineering that uses physical media and relies on the curiosity or greed of the victim. Here the attacker leaves a malware-infected USB or pen drive or CD/DVD-ROM in a location where it is sure to be found, gives it a legitimate look that arouses the victim's curiosity, and waits for the victim to use the device.
Tip: Don’t be tempted to access devices that are left unattended or found on a sidewalk, in an elevator, in a parking lot, etc.
Persuasion
Persuasion means influencing someone to give you confidential information, either by convincing them you are someone who can be trusted or by just asking for it.
Tip: Be suspicious. Don’t be influenced by an unknown person and don’t give away confidential information to them.
8.3.4 Non-Technical
Dumpster diving
Dumpster diving, also known as trashing, is another popular method of social engineering. A huge amount of information can be collected from company dumpsters or household waste.
Tip: Don’t dump any confidential papers into the trash. Before dumping anything, make sure it does not contain any important information.
Hoaxing
A hoax is an attempt to trap people into believing that something false is real. It is usually aimed at a single victim and is made for illicit financial or material gain. A hoax is often perpetrated as a practical joke, to cause embarrassment.
Tip: Beware. Don’t believe e-Mails received from unknown senders and never give out financial information.
Pretexting
Pretexting is the act of creating and using an imaginary scenario to engage a targeted victim in a manner that increases the chance the victim will reveal information or perform actions that would be unlikely in ordinary circumstances. It is more than a simple lie.
Tip: Be cautious, because strangers try to fool you by creating a false situation and making you believe it in order to collect confidential information.
8.4 How do you avoid being a victim?
Be suspicious of unsolicited phone calls, visits, or e-Mail messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.
Do not reveal personal or financial information in e-Mail, and do not respond to e-Mail solicitations for this information. This includes following links sent in e-Mail.
Don't send sensitive information over the Internet before checking a website's security.
Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
If you are unsure whether an e-Mail request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group.
Install and maintain anti-virus software, firewalls, and e-Mail filters to reduce some of this traffic.
Take advantage of any anti-phishing features offered by your e-Mail client and web browser.
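The URL advice above (a variation in spelling, or a different domain such as .com vs. .net) can be checked mechanically against a list of sites you already trust. This Python example is added here and is not part of the handbook; the trusted host mybank.example, the sample links, the distance threshold and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: hosts the user has verified through another channel.
TRUSTED = {"mybank.example"}


def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_link(url, trusted=TRUSTED, max_distance=2):
    """Return (verdict, nearest_trusted_host, uses_https) for a link.

    verdict is one of:
      "match"            host is exactly a trusted host
      "different-suffix" same name, different final label (.com vs .net case)
      "look-alike"       spelling within max_distance edits of a trusted host
      "unknown"          no relation to the allowlist
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    secure = parts.scheme == "https"

    if host in trusted:
        return ("match", host, secure)

    name, _, suffix = host.rpartition(".")
    for good in sorted(trusted):
        good_name, _, good_suffix = good.rpartition(".")
        if name and name == good_name and suffix != good_suffix:
            return ("different-suffix", good, secure)

    for good in sorted(trusted):
        if 0 < edit_distance(host, good) <= max_distance:
            return ("look-alike", good, secure)

    return ("unknown", None, secure)


if __name__ == "__main__":
    # Constructed sample links, as they might appear in an e-Mail.
    for link in ("https://www.mybank.example/login",
                 "http://mybank.test/login",
                 "https://rnybank.example/",
                 "https://weather.example/"):
        print(link, "->", check_link(link))
```

A "match" over plain http still deserves caution, which is why the scheme is reported separately from the host verdict.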
8.5 What do you do if you think you are a victim?
If you believe you might have revealed sensitive information about your organization, report it to the appropriate people within the organization, including network administrators. They can be alert for any suspicious or unusual activity.
If you believe your financial accounts may be compromised, contact your financial institution immediately and close any accounts that may have been compromised. Watch for any unexplainable charges to your account.
Immediately change any passwords you might have revealed. If you used the same password for multiple resources, make sure to change it for each account, and do not use that password in the future.
Watch for other signs of identity theft.
Consider reporting the attack to the police, and file a report with the Federal Trade Commission.
9. Online Games and Computer Games

9.1 About online games
An online game is a game played over a computer network via the Internet. Online games range from simple text-based games to graphical games. Players can play the same game simultaneously. The main advantage of online games is the ability to connect to multiple games even though a single player is online. As technology has advanced, games have also become more complex, and technology-related games like Flash games and Java games have become more popular. There are free online games and commercial games. Most of the popular games come with end user license agreements and access is limited by the creators of the games; the consequences of breaking the agreement range from a warning to termination. There are massively multi-player online games like real-time strategy games, role-playing games, first-person shooter games and many more.
9.2. Things to be noted while downloading the games
Carefully study the rating of an online game; it will frequently let you know whether the game is suitable for your age.
Read the terms and conditions of the sites that you use and check whether there are special safety features for children.
Make sure that the game vendor is reputable and download the game from trusted web sites.
Sometimes free download games conceal malicious software. This includes plug-ins required to run a game, or a requirement to open the game in administrative mode, which is not advisable: by doing this you open yourself to the risk that an attacker could gain complete control of your computer. It is always safer to play in user mode rather than administrative mode.
When playing an online game it is best to play it at the game site; this may reduce the risk of ending up at a malicious web site.
9.3. Risks Involved
Online games involve technology risks to your computer system or to the systems of the gamers with whom you interact.
If the software on the game server has been compromised, computers that connect to it are also compromised.
Exploited vulnerabilities in game code let attackers get into your system, read files from a gamer's computer, and crash games during online play in order to get full control of the exploited computer.
Viruses and worms may enter a system when you try to download or install a game on your computer. These viruses or worms may be hidden in the files you download.
Malicious software takes advantage of the websites associated with online games that rely on chat and e-Mail to entice you to visit bogus web sites, which install malicious software on your computer; the attackers then use the software for various criminal purposes.
Sometimes, because of insecure game coding, the game software causes buggy behaviour on your computer and introduces unknown vulnerabilities.
Sometimes strangers try to gain access to unprotected computers connected to the Internet during online play, and contact children by pretending to be another child in order to trap them into giving personal information.
Malicious individuals may try to trick you into installing or downloading games from bogus web sites, or offer software patches for game downloads that in reality are malicious software.
Malicious individuals can gather information about you from the profiles you create in online games and other gaming web sites. They may be able to use it to establish accounts in your name, resell it, or use it to access your existing accounts.
Game accounts were created in their name without their knowledge. There was speculation that people were trying to make money selling virtual weapons and abilities used in the game.
9.4 Guidelines
Create a family e-Mail address for signing up for online games.
Screenshots: If anything bad happens while playing online games, take a screenshot of what is displayed on the screen using the "print screen" button on the keyboard, report it to the concerned web site, and use the screenshot as evidence.
Use antivirus and antispyware programs.
Be cautious about opening files attached to e-Mail messages or instant messages.
Verify the authenticity and security of downloaded files and new software.
Configure your web browsers securely.
Use a firewall.
Set up your user profile to include appropriate language and game content for someone your age.
Set time limits for children.
Never download software and games from unknown websites.
Beware of clicking links, images and pop-ups on web sites, as they may contain a virus and harm the computer.
Never give personal information over the Internet while downloading games.
Some free games may contain a virus, so be cautious while downloading them.
Create and use strong passwords.
Patch and update your application software.
10. Safe Downloading

10.1 Safe Downloading and uploading

10.1.1 About Downloading
The term download is used to describe the process of copying a file from an online service, that is, via the Internet, to one's own computer. Downloading also refers to copying a file from a network server to a computer on the network. To download means to receive data, i.e. whatever is offered for downloading can be downloaded. You can download any kind of file from the Internet, like documents, music, videos, images, software and many more.
10.1.2 About uploading
The opposite of downloading is uploading, which means copying a file from your computer to another computer over the network. Uploading means to transmit data. Whatever is transferred can be uploaded. In short, “Uploading means sending a file to a computer that is set up to receive it”. You can upload any kind of file, like documents, music, videos, images, software and many more.
10.2 Risks by insecure downloads
Downloading from the Internet includes installing a program, opening pictures or links from different websites or from e-Mails, and downloading music files and many other files onto a computer. These files could be exactly what they claim to be, but they can also carry malicious software that can harm your computer, including viruses, worms and many other destructive programs.
A virus can destroy data, give someone access to all the information on your computer, and destroy all the confidential information on your PC.
Another threat is spyware. Spyware often changes your computer's behaviour: the PC becomes slow, and it can even cause a computer crash. Spyware can be used to track browsing history, steal passwords and allow an attacker to grab complete information about your system.
Malicious software can be installed without your knowledge, or it can be bundled with a program, link or software you would like to download. For example, if you download a game from an untrusted website, malicious software can be downloaded without your knowledge.
Sometimes malware spreads itself by sending e-Mail from an infected computer to every e-Mail address it finds. Mostly, such malware spreads through e-Mails.
10.3 Tips for Safety downloads
While downloading any file, close all the applications that are running on your computer, and let only one set-up file run at a time. Close all the important applications in order to be safe if something goes wrong while downloading.
Set up firewalls, and set your antivirus to actively scan all the files you download.
Scan all the files after you download them, whether from websites or from links received in e-Mails.
Always use an updated antivirus, spam filter and anti-spyware to help detect and remove viruses and spyware from the application you want to download.
Never download any files like music, video, games and many more from untrusted sites, and don’t go by recommendations given by your friends or made in comments on any random website.
Check that the URLs are the same, and always download games, music or videos from secure websites, that is, websites which use HTTPS instead of HTTP. In the web address, “https” replaces “http”. HTTPS stands for Hypertext Transfer Protocol Secure.
Download anything only from trustworthy websites. Don’t click links to download anything you see on unauthorized sites.
If any dirty words appear on the website, just close the window no matter how important it is, because spyware may be installed on your PC from such websites.
Check the size of the file before you download. Sometimes it shows a very small size, but after you click, the size of the file increases.
Never believe anything which says that by clicking on a link your computer settings will be changed, your PC can be turned into an XBOX, and you can play unlimited games on your computer.
Don’t accept anything that offers you a free download, because it may contain malicious software.
Don’t click a link or file and let it start downloading automatically. Download the file, save it where you want to, and then run the application.
Set secure browser settings before you download anything.
Read carefully before you click on install or run an application. That means reading the terms and conditions. Don’t download anything until you have complete information about the website and know whether it is the original site of the original company.
Never download from links that offer free antivirus or anti-spyware software; always download from trusted sites. If you are not sure about the site you are downloading from, enter the site into your favourite search engine to see whether anyone has posted or reported that it contains unwanted technologies.
11. Blogging
A web blog is a Web site that consists of a series of entries arranged in reverse chronological order, updated frequently with new information about particular topics. The information can be written by the site owner, gathered from other Web sites or other sources, or contributed by users. A web blog may consist of the recorded ideas of an individual (a sort of diary)
11.1 Types of blogs
There are many different types of blogs, differing in content and in the way the content is delivered or written:
Personal blogs
Corporate and organizational blogs
Genre blogs
Media type blogs
By Device blogs
Different blog sites are used for different purposes of communication.
11.1.1 Personal blog is an ongoing diary or commentary by an individual. A site such as Twitter allows bloggers to share thoughts and feelings instantaneously with friends and family, and is much faster than e-mailing.
11.1.2 Corporate and organizational blogs (business, marketing) are used by the employees who are working in the companies. They are internally used to enhance the communication in a corporation or externally for marketing, branding or public relations.
11.1.3 Genre blogs (causes, education, political, travel) are focused on a particular subject like education, fashion, music, travel, political, personal (home) blogs …etc.
11.1.4 Media type blogs (vlog, linklog, photoblog) are used for sharing the videos called vlogs, for sharing the links called linklogs and for sharing the photos called photoblog.
11.1.5 By the device (mobile phone, PDA, wearable wireless webcam): blogs written through a mobile device like a mobile phone or PDA are called moblogs.
11.2 Risks involved in blogging
If you give personal information like your name, location, address, phone numbers or credit card details on blogging sites, your information may be stolen by others (identity theft), because everyone who has a login account on the site you are using can access your profile.
The profile you create will be visible to everyone on the blog site. Strangers can access your profile and view all your details.
For example, if you give your credit card number on the site, they may use that number for their own business or shopping, and the bill will be sent to you.
Another example: if your children give their school name or location addresses on the site, strangers who access that data may take advantage of it and may kidnap your children.
11.3 Tips to avoid risks by blogging Never give away your personal information into the blogging sites Put reliable information as it reaches entire world and assume what you publish on the web is permanent. Avoid competition with other bloggers. State the terms of use, copy right in blog properly to viewers to protect your blogs. Guide them with other positive examples such as the children are posting their related information.
11.4 Guidance for Parents on Blogging Establish Rules for online use with children. Monitor what your children plan to post before they post it. Evaluate Blogging Service and their features like a password protected secured blogs etc. Review your children blogs regularly. Guide them with other positive example such as reference to the students who are posting their related information.
11.5 Scenario
Like many of her friends, Alice has a blog. However, unlike her friends, she keeps its location secret. She doesn’t link to anyone else’s blog, and she doesn’t comment on other blogs using her blog identity. Somehow, though, Bob finds out the URL for Alice’s blog and adds it to the “friends” list on his blog. Word spreads, and soon everyone has read Alice’s blog. Unfortunately, she has used her blog to criticize most everyone she knows, including other students, teachers, and her parents. Everyone is furious with her. So always guide your children not to blog any personal information about the family, show them how to use blogs and what the advantages of blogs are, and make them understand that blogs are not to be used to criticize others.
12. Cyber Bullying
12.1 Harassment and bullying
Cyber bullying can be carried out through Internet services such as e-mail, chat rooms, discussion groups, instant messaging or web pages. It can also include bullying through mobile phone technologies such as SMS. Cyber bullying can include teasing and being made fun of, spreading rumours online, sending unwanted messages and defamation.
12.2 Cyber bullying can be done in the following ways
12.2.1 Forwarding a private IM communication to others
A kid/teen may create a screen name that is very similar to another kid's name. The name may have an additional "i" or one less "e". They may use this name to say inappropriate things to other users while posing as the other person. Children may forward the above private communication to others to spread it.
12.2.2 Impersonating to spread rumours
Forwarding gossip mails or spoofed mails to spread rumours or hurt another kid or teen. They may post a provocative message in a hate group's chat room posing as the victim, inviting an attack against the victim, often giving the name, address and telephone number of the victim to make the hate group's job easier.
12.2.3 Posting embarrassing photos or video
A picture or video of someone in a locker room, bathroom or dressing room may be taken and posted online or sent to others on cell phones.
12.2.4 By using web sites or blogs
Children used to tease each other in the playground; now they do it on web sites. Kids sometimes create web sites or blogs which may insult or endanger another child. They create pages specifically designed to insult another kid or group of people.
12.2.5 Humiliating text sent over cell phones
Text wars or text attacks are when kids gang up on the victim, sending thousands of hateful text messages to the victim’s cell phone or other mobile phones.
12.2.6 Sending threatening e-mails and pictures through e-mail or mobile to hurt another
Children may send hateful or threatening messages to other kids, without realizing that, while not said in real life, unkind or threatening messages are hurtful and very serious.
12.2.7 Insulting other users in interactive online games
Kids/teens verbally abuse other kids/teens, using threats and foul language while playing online or interactive games.
12.2.8 Stealing passwords
A kid may steal another child's password and begin to chat with other people, pretending to be the other kid, or may change the actual user's profile.
12.3 Tips and guidelines
- Use parental control bars, desktop firewalls and browser filters to prevent children from cyber bullying others or accessing inappropriate content.
- Make sure your child's school has Internet safety education programming. You may request school authorities to teach or guide students on how to prevent and respond to online peer harassment, interact wisely through social networking sites and be responsible online users.
- Form the rules of computer labs and Internet labs. Specify clear rules, guidelines and policies regarding the use of the Internet, computers and other devices such as USB and CD-ROM at school with respect to cyber bullying.
- Teach students the impact of cyber bullying. Teach students that all types of bullying are unacceptable and that such behaviour is subject to discipline.
- Mentor the students and establish peer monitoring. Teachers need to mentor, or establish mentorship with, senior students to guide information security awareness and monitoring through peer students.
- Implement blocking/filtering software on lab PCs in school. Use desktop firewalls and browser filters to prevent children from cyber bullying others or accessing inappropriate content. In addition, use monitoring software tools for students' online activity.
- Educate your students. Educate students by conducting various workshops with an internal or external expert to discuss related issues in cyber bullying, good online behaviour and other information security issues. Moreover, keep related posters in school.
13. Online Threats and Tips
13.1 Protect children from online threats
Children may face different security risks when they use a computer or when they are online. Not only do you have to keep them safe, you also have to protect the data on your computer. By taking some simple steps, you can reduce the risks.
13.1.1 What are the risks?
- Exposure to inappropriate images or content.
- Solicitation by sexual predators in chat rooms and by e-mail.
- Online bullying or harassment.
- Piracy of software, music or video.
- Disclosure of personal information.
- Spyware and viruses.
- Excessive commercialism: advertising and product-related websites.
- Illegal downloads, such as copyright-protected music files.
13.1.2 General safety tips
- If you suspect a pedophile may be grooming or trying to befriend your child, or your child is being stalked or harassed, contact your local police.
- Set ground rules for children.
- Use Internet content filtering and spam filters to reduce the risk of accidental exposure to unwanted content.
- Set up shared computers properly to restrict what children can do.
- Consider setting up a family e-mail account which can be used specifically to register for websites, competitions, etc.
- Be careful about peer-to-peer file sharing.
13.1.3 Monitor children’s use of the Internet
All web browsers keep a record of recently visited sites and also make temporary copies of web pages. To see recently visited sites, click on the History button or press Ctrl and the H key. To see temporary files, open Internet Explorer, select Internet Options, and on the General tab under Temporary Internet Files click the Settings button and then click View Files.
- Understand the risks yourself and plan ahead before monitoring and allowing children access to the Internet.
- Discuss with children what they can and cannot do online.
- Make a signed contract with children on the usage of the computer.
- Work out how you are going to monitor their Internet use.
The boundaries you set and the kind of conversations you have with your children will depend on their age and technical ability as well as your judgement as parents. These factors will change as they grow up and should be reconsidered regularly.
13.1.4 Monitoring children’s behavior online
- If a child is too young to use a computer alone, always sit with them while they are online.
- Ask your children to share all their online user names and passwords with you.
- Set browser settings to limit access to inappropriate content.
- Put the computer in an open area in the home.
- Consider installing Internet monitoring software to track what they do online.
13.1.5 Create a user account for each user
Set up a separate user account with limited permissions for your child, so that they have only limited control over the computer. For example, they won’t be allowed to install new programs or change settings without your permission. It also helps you monitor and control what they do online.
13.2 Most common online threats
13.2.1 Online Scam
An online scam is an attempt to trap you in order to obtain money. There are many types of online scams, including obtaining money with fake names, fake photos, fake e-mails, forged documents, fake job offers and many more. Generally, it happens through fake e-mails asking for your personal details such as online banking details or credit card details. Sometimes e-mails are sent from lottery companies with a fake notice, or arrive when you participate in an online auction, or offer fake gifts.

Phishing scam
Online scammers send you an e-mail asking for your account information or credit card details, along with a link where you are to provide the information. Generally, the link sent will look similar to your bank's. Whenever you enter your details through the link, they are received by the scammers and your money is misused.

Lottery scam
Sometimes you receive an e-mail like “you won a lottery of million dollars”. Receiving such a mail seems like a great and happy thing, but by responding to such mails a huge amount of money can be lost. These e-mails are not true; scammers try to fool and trap you to obtain money.

Online Auction
If you bid for a product, you may never get the product promised, or it may not match, and the description given to you may be incomplete, wrong, or fake. The scammer accepts the bid from one person and goes to some other site where they can get the product for less than the winning bid, so the scammer may not send the product you wanted.

Forwarding Product or Shipping Scam
This happens when you answer an online advertisement for a letter or e-mail manager, for example from some US-based corporation which lacks an address or bank details and needs someone to take goods and send them to their address or ship them overseas, and you are asked to accept transfers into your bank account. Generally, it involves products that are purchased using stolen credit cards and shipped to your address; you are then fooled and asked to reship the product to others they might have deceived, who reship the product overseas. The stolen money will be transferred to your account.

E-Mail Scam Like -- Congratulations you have won Webcam, Digital Camera, etc.
Sometimes you get an e-mail with a message like -- you have won something special such as a digital camera or webcam; all you need to do is visit our web site by clicking the link given below and provide your debit or credit card details to cover shipping and managing costs. However, the item never arrives, and after some days the charges will be shown on your bank account and you will lose money.

By e-mails
Generally, fraudsters send you an e-mail with tempting offers of easy access to a large sum of money, ask you to send scanned copies of personal documents such as your address proof and passport details, and ask you to deposit an advance fee for a bank account. Once you deposit the funds, they take the money and stop further communication, leaving you with nothing in return.

Unscrupulous Websites for Income Tax Refund
Generally, these websites look like official websites and seek the credit card details, CVV, ATM PIN and other personal details of taxpayers in the name of crediting an income tax refund through electronic mode.
13.2.2 Tips to prevent online scams

Confirm whether the e-mail is received from the bank or not
Be cautious while providing bank details online; before proceeding further, confirm with the bank about the e-mail you received. Ask yourself: if something is important or urgent, why doesn’t the bank call me instead of sending an e-mail?

Confirm the shipping
Beware of shipping scams. Make sure you get an authorized signed document via fax before proceeding further, and make sure you received it from an authorized company.

Be cautious during online auctions
Don’t be trapped by discounts, and think wisely before you proceed with an online auction. Think why a $200 product would be $20.

Be aware about the product you received via e-mail
Be wary of products offered at a discounted price. Think why you received an e-mail about products when you never entered any online shopping or contest.

Don’t be trapped by lottery scams
Don’t get trapped by scammers and e-mails with a subject line saying you won some $10000; just think why only you received the e-mail without your participation.
13.3 Online Banking
Online banking can also be referred to as Internet banking. It is the practice of making bank transactions or paying bills through the Internet. We can do all financial transactions while sitting at home or in the office. Online banking can be used for making deposits and withdrawals, and we can even use it for paying bills online. Its benefit is the convenience for customers of doing banking transactions. Customers need not wait for bank statements, which arrive by e-mail, to check their account balance. They can check their balance each and every day by just logging into their account. They can catch discrepancies in the account and act on them immediately.

Link Manipulation
Most methods of phishing use some form of technical deception designed to make a link in an e-mail (and the spoofed website it leads to) appear to belong to the spoofed organization. Misspelled URLs or the use of sub domains are common tricks used by phishers. In the following example URL, http://www.yourbank.example.com/, it appears as though the URL will take you to the Attacker Database section of the yourbank website; actually this URL points to the "yourbank" (i.e. phishing) section of the Attacker Database website.

Filter Evasion
Phishers have used images instead of text to make it harder for anti-phishing filters to detect text commonly used in phishing e-mails.

Malware attacks
Example: Clampi Virus Targets Users at Banks and Credit Card Sites
Keeping up with the latest Web security threats is a daunting task, because viruses and Trojans emerge, evolve, and spread at an alarming rate. While some infections like Nine Ball, Conficker, and Gumblar have hit the scene and immediately become the scourge of the cyber security world, others take their time -- quietly infiltrating more and more computers before revealing the true depth of the danger they pose. One such slow grower is Clampi, a Trojan that made its debut as early as 2007 (depending on who you ask) but is only now raising hairs outside professional security circles. Clampi primarily spreads via malicious sites designed to dispense malware, but it's also been spotted on legitimate sites that have been hacked to host malicious links and ads. Using these methods, Clampi has infected as many as half a million computers, Joe Stewart, of Secure Works, told a crowd at the Black Hat Security Conference in July, USA Today reports. Once installed on a PC, the Trojan quietly waits for you to visit a credit card or banking Web site.
When it detects you're on one of the roughly 4,600 financial Web sites it's trained to watch, it records your username and password, and feeds that information back to the criminals. Clampi can even watch for network login information, allowing it to spread quickly through networked PCs (e.g., those in an office). In fact, it seems that businesses have been the primary target of Clampi so far. According to the Times Online, in July, an auto parts shop in Georgia was robbed of $75,000 when criminals stole online banking information using Clampi. The Trojan was also used to infiltrate computers for a public school district in Oklahoma and submit $150,000 in fake payroll payments.
13.4 Online Shopping
Online shopping has become a very popular way to purchase things without leaving your home, and it is a convenient way to buy things like electronic appliances, furniture, cosmetics, and many more. We can avoid the traffic and crowds. There is no particular time to buy things; we can buy at any time instead of waiting for the store to open. Apart from all these advantages, there are risks involved, including risks unique to the Internet, so it is very important to take some safety measures before you go online shopping.
13.4.1 Tips for safe online shopping
- Before you go online shopping, make sure your PC is secured with all core protections: an antivirus, anti-spyware, a firewall, a system updated with all patches, and web browser security set with trusted sites and the security level at high.
- Before you buy things online, research the web site that you want to buy from, since attackers try to trap you with websites that appear to be legitimate but are not. Make a note of the telephone number and physical address of the vendor and confirm that the website is a trusted site. Search different web sites and compare the prices. Check the consumer and media reviews of that particular web site or merchant.
- When you are ready to buy something online, check whether the site is secure (https, or a padlock on the browser address bar or status bar) and only then proceed with financial transactions.
- After finishing the transaction, take a print or screenshot of the transaction records and the details of the product such as price, confirmation receipt, and terms and conditions of the sale.
- Check your credit card statements as soon as you finish to confirm that the charges are the same as what you paid, and if you find any differences, immediately report them to the concerned authorities.
- After finishing your online shopping, clear all the web browser cookies and turn off your PC, since spammers and phishers will be looking for systems connected to the Internet and will try to send spam e-mails and install malicious software that may collect your personal information.
- Beware of e-mails like “please confirm of your payment, purchase and account detail for the product.” Remember, legitimate business people never send such e-mails. If you receive such e-mails, immediately call the merchant and inform them of the same.
13.5 Identity Theft
Identity theft occurs when someone, without your knowledge, acquires a piece of your personal information and uses it to commit fraud. Identity theft is a crime used to refer to fraud that involves someone pretending to be someone else in order to steal money or get other benefits. The term is relatively new and is actually a misnomer, since it is not inherently possible to steal an identity, only to use it. The person whose identity is used can suffer various consequences when he or she is held responsible for the perpetrator's actions. In many countries specific laws make it a crime to use another person's identity for personal gain. Identity theft is somewhat different from identity fraud, which is related to the usage of a false identity to commit fraud. Identity theft can be divided into two broad categories:
- Application fraud
- Account takeover
Application fraud happens when a criminal uses stolen or fake documents to open an account in someone else's name. Criminals may try to steal documents such as utility bills and bank statements to build up useful personal information. On the other hand, they may create counterfeit documents.
Account takeover happens when a criminal tries to take over another person's account, first by gathering information about the intended victim, then contacting their card issuer masquerading as the genuine cardholder, and asking for mail to be redirected to a new address. The criminal then reports the card lost and asks for a replacement to be sent.
13.6 Tab napping
Tab napping is a new online phishing scam to attack your computer and your finances. As internet users we’re all vulnerable to online scams. Unluckily for us, as soon as we become pretty good at spotting one type of attack, another more sophisticated version comes along in its place.
Until now phishing has involved sending hoax emails in an attempt to steal your usernames, passwords and bank details. Often the sender will claim to be from your bank and will ask you to verify your bank details by clicking on a link contained in the email. The link actually directs you to a fake website which looks just like your bank's own website. Once you have typed in your login details they can be accessed by the criminals who set the fake site up. But we’re beginning to wise up to phishing attacks like this, and many of us know we should be very wary of clicking URLs even if they appear to be in a legitimate email. With awareness of phishing on the up, making it more difficult for scammers to succeed, tab napping could be the scam to watch out for next. Tab napping is more sophisticated than the phishing scams we’ve seen so far, and it no longer relies on persuading you to click on a dodgy link. Instead it targets internet users who open lots of tabs on their browser at the same time (for example, by pressing CTRL + T).
13.6.1 How does it work?
By replacing an inactive browser tab with a fake page set up specifically to obtain your personal data - without you even realizing it has happened. Believe it or not, fraudsters can actually detect when a tab has been left inactive for a while, and spy on your browser history to find out which websites you regularly visit, and therefore which pages to fake. So don't assume that after you have opened a new tab and visited a webpage, that web page will stay the same even if you don’t return to it for a time while you use other windows and tabs. Malicious code can replace the web page you opened with a fake version which looks virtually identical to the legitimate page you originally visited.
13.6.2 How might tab napping work in practice?
Imagine you open the login page for your online bank account, but then you open a new tab to visit another website for a few minutes, leaving the first tab unattended. When you return to your bank’s site the login page looks exactly how you left it. What you haven’t realised is that a fake page has taken its place, so when you type in your username and password, you have inadvertently given the fraudster easy access to your account.
Even if you have already logged into your bank account before opening another tab, when you return you might find you’re being asked to log in again. This may not necessarily rouse any suspicion, since you might simply assume your bank has logged you out because you left your account inactive for too long. You probably won’t even think twice before logging in for a second time. But this time round you have accidentally entered your security details into a fraudster’s fake page, and they have been sent back to the fraudster’s server. Once you have done so, you can then be easily redirected to your bank’s genuine website, since you never actually logged out in the first place, giving you the impression that all is well.
13.6.3 Tips to protect you against tab napping
- Make sure you always check that the URL in the browser address bar is correct before you enter any login details. A fake tabbed page will have a different URL to the website you think you’re using.
- Always check the URL has a secure https:// address even if you don’t have tabs open on the browser.
- If the URL looks suspicious in any way, close the tab and reopen it by entering the correct URL again.
- Avoid leaving tabs open which require you to type in secure login details. Don't open any tabs while doing online banking - open new windows instead (CTRL + N).
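The address checks described under Link Manipulation (misspelled URLs, the bank's name used as a sub-domain) and in the tab napping tips above (correct URL, https://) can be written as one function. This is an added example, not part of the handbook; the domain yourbank.com, the function names and the finding labels are assumptions made for illustration.

```javascript
// Added example. "yourbank.com" is a hypothetical domain standing in for
// the address the user already knows to be their bank's.

// Plain Levenshtein distance, used to spot misspelled look-alike names.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Compare the address actually shown with the domain the user expects.
function checkLoginUrl(rawUrl, expectedDomain) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (err) {
    return { host: null, trusted: false, findings: ["invalid-url"] };
  }
  const findings = [];
  if (url.protocol !== "https:") findings.push("not-https");

  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  const expected = expectedDomain.toLowerCase();
  const brand = expected.split(".")[0];

  // The host belongs to the bank only if the expected domain is its suffix.
  const belongs = host === expected || host.endsWith("." + expected);
  if (!belongs) {
    const labels = host.split(".");
    if (labels.includes(brand)) {
      // e.g. www.yourbank.example.com: the name is only a sub-domain label
      findings.push("brand-in-subdomain");
    } else if (labels.some((l) => editDistance(l, brand) <= 2)) {
      // e.g. yourbnak.com: one or two characters away from the real name
      findings.push("misspelled-host");
    } else {
      findings.push("unrelated-host");
    }
  }
  return { host, trusted: findings.length === 0, findings };
}

// The handbook's own example URL fails on two counts.
console.log(checkLoginUrl("http://www.yourbank.example.com/", "yourbank.com"));
```

The distance threshold of 2 is a choice made for this example; very short names would need a stricter one.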
13.7 Clickjacking
Clickjacking is a malicious technique of tricking Web users into revealing confidential information, or of taking control of their computer, while they click on seemingly innocuous Web pages. A vulnerability across a variety of browsers and platforms, clickjacking takes the form of embedded code or script that can execute without the user's knowledge, for example when the user clicks on a button that appears to perform another function. Clickjacking is possible because seemingly harmless features of HTML Web pages can be employed to perform unexpected actions.
A clickjacked page tricks a user into performing undesired actions by clicking on a concealed link. On a clickjacked page, the attackers show a set of dummy buttons, then load another page over it in a transparent layer. The users think that they are clicking the visible buttons, while they are actually performing actions on the hidden page. The hidden page may be an authentic page, and therefore the attackers can trick users into performing actions which the users never intended to do, and there is no way of tracing such actions later, as the user was genuinely authenticated on the other page.
More on: http://en.wikipedia.org/wiki/Clickjacking
13.7.1 Some of the ISSUES
Issue #1 STATUS: Clickjacking allows attackers to subvert clicks and send the victim’s clicks to web pages that allow themselves to be framed, with or without JavaScript. One-click submission buttons or links are the most vulnerable. It has been known since at least 2002 and has seen at least three different PoC exploits (Google Desktop MITM attack, Google Gadgets auto-add and click fraud). All major browsers appear to be affected.
Issue #2 STATUS: ActiveX controls are potentially susceptible to clickjacking if they don’t use traditional modal dialogs, but rather rely on on-page prompting. This requires no cross domain access, necessarily, which means iframes/frames are not a prerequisite on an attacker controlled page.
More on: http://ha.ckers.org/blog/20081007/clickjacking-details/
13.7.2 Tips:
Never click on links received from unknown users. If necessary, cross check the target of the link by placing the mouse over the given link and checking the details at the bottom left corner before clicking. Take the help of the picture below to understand.
Always type URL in browser
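Issue #1 above turns on whether a page allows itself to be framed. A site owner controls that with the X-Frame-Options and Content-Security-Policy frame-ancestors response headers, which the handbook does not mention; the following added example (not from the handbook, with a hypothetical function name and constructed sample headers) reports who may frame a page given its response headers.

```javascript
// Added example: decide from a page's response headers who may load it
// inside a frame, which is what a clickjacking overlay depends on.
function framingPolicy(headers) {
  // Header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value).trim();
  }

  // CSP frame-ancestors, when present, is enforced instead of X-Frame-Options.
  const csp = h["content-security-policy"] || "";
  for (const directive of csp.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() !== "frame-ancestors") continue;
    const via = "csp-frame-ancestors";
    if (sources.length === 0 || sources.every((s) => s === "'none'")) {
      return { protected: true, framableBy: "nobody", via };
    }
    if (sources.includes("*")) {
      return { protected: false, framableBy: "any-site", via };
    }
    if (sources.every((s) => s === "'self'")) {
      return { protected: true, framableBy: "same-origin", via };
    }
    return { protected: true, framableBy: "listed-origins", via };
  }

  const xfo = (h["x-frame-options"] || "").toUpperCase();
  if (xfo === "DENY") {
    return { protected: true, framableBy: "nobody", via: "x-frame-options" };
  }
  if (xfo === "SAMEORIGIN") {
    return { protected: true, framableBy: "same-origin", via: "x-frame-options" };
  }
  // No header at all, or the obsolete ALLOW-FROM form that current
  // browsers ignore: any site can place this page in a transparent frame.
  return { protected: false, framableBy: "any-site", via: null };
}

// Constructed sample headers for a login page.
console.log(framingPolicy({ "Content-Type": "text/html" }));
console.log(framingPolicy({ "X-Frame-Options": "DENY" }));
```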
14. Wireless Network
14.1 What is a Wireless Network?
A wireless network is any type of computer network that is not connected by cables of any kind. It is a method by which telecommunications networks and enterprise (business) installations avoid the costly process of introducing cables into a building, or as a connection between various equipment locations. Wireless networks are generally implemented and administered using a transmission system called radio waves to provide wireless high speed Internet and network connections.

What is Wi-Fi?
Wi-Fi is a branded standard for wirelessly connecting electronic devices. "Wi-Fi" is a trademark of the Wi-Fi Alliance and the brand name for products using the IEEE 802.11 family of standards. Wi-Fi is used by over 700 million people, there are over 4 million hot-spots (places with Wi-Fi Internet connectivity) around the world, and about 800 million new Wi-Fi devices every year. Wi-Fi products that complete the Wi-Fi Alliance interoperability certification testing successfully can use the Wi-Fi CERTIFIED designation and trademark.
The radios used for Wi-Fi communication are very similar to the radios used for walkie-talkies, cell phones and other devices. They can transmit and receive radio waves, and they can convert 1s and 0s into radio waves and convert the radio waves back into 1s and 0s. They transmit at frequencies of 2.4 GHz or 5 GHz. This frequency is considerably higher than the frequencies used for cell phones, walkie-talkies and televisions. The higher frequency allows the signal to carry more data.
They use 802.11 networking standards, which come in several flavors:
- 802.11a transmits at 5 GHz and can move up to 54 megabits of data per second.
- 802.11b is the slowest and least expensive standard. 802.11b transmits in the 2.4 GHz frequency band of the radio spectrum.
- 802.11g transmits at 2.4 GHz like 802.11b, but it's a lot faster -- it can handle up to 54 megabits of data per second.
- 802.11n is the newest standard that is widely available. This standard significantly improves speed and range.
14.2 Risks of using Unsecured Wi-Fi Network
Anyone within the geographical network range of an open, unencrypted wireless network can sniff, capture or record the traffic, gain unauthorized access to internal network resources as well as to the Internet, and then possibly send spam or do other illegal actions using the wireless network's IP address.
One of the risks in wireless security is that an intruder can use the victim's broadband connection to get online without paying, just to surf the web or to download pirated music or software. There may be no direct harm, but it can slow down the Internet or network access of the legitimate user of the network.
An intruder can use the victim's connection for malicious purposes like distributing illegal material, launching a DoS attack or hacking. The intruder remains anonymous, as the connection used by the intruder is the victim's connection. If any criminal activity is discovered and investigated, the origin will be traced back to the victim's connection.
A wireless network could also be an indirect backdoor into a corporate network. An employee or a company can be a target for obtaining confidential information.
There is a risk involved in using unsecured wireless networks, and most people and organizations still use them. Meanwhile, the knowledge required to attack a wireless network is becoming easier to obtain. One needs to secure the unsecured wireless network and protect it from unauthorized usage.
14.3 Tips for Wireless Home Network Security
1. Change Default Administrator Passwords (and Usernames)
The access point or router is the core of most Wi-Fi networks. To set up these devices, manufacturers provide web pages for configuring the settings, which allow owners to enter their network address and account information. So that only the rightful owner can configure these settings, the web pages are protected and require authentication with a username and password. All manufacturers provide a default username and password combination with the wireless router or access point. These default usernames and passwords are available on the Internet, and it is easy to get these credentials from there. Most users do not change the username and password combination. As an alert user, you need to change these settings.
2. Turn on (Compatible) WPA / WEP En-cryption All Wi-Fi equipment supports some form of encryption. Encryption is the conversion of data into a scrambled form that cannot be easily understood by unauthorized people. Several encryption technologies exist for Wi-Fi today. Wired Equivalent Encryption (WEP), an old encryption standard is claimed to be broken within few seconds, even using a complex passphrase. It is a weak encryption means that it can be easily broken within manage-able time i.e., few seconds or minutes.
Enabling Wires Equivalent Privacy (WEP)
Since there are security issues in using WEP, the Wi-Fi Alliance introduced a standard for network authentication and encryption. WPA (Wi-Fi Protected Access) is one of several popular standards for wireless security. WPA delivers a higher level of security that goes well beyond anything WEP can offer.
Enabling Wi-Fi Protected Access (WPA)
3. Disable SSID Broadcast
In Wi-Fi networking, the SSID is broadcast by wireless access points or routers at regular intervals. This feature was designed for businesses and mobile devices, where Wi-Fi clients may roam from one place to another. The SSID broadcast feature is not very useful in a home Wi-Fi network. To improve security, the SSID broadcast feature should be disabled. Once the wireless clients have been configured manually with the right SSID for the access point, they no longer require these broadcast messages.
4. Change the Default SSID
The Service Set Identifier (SSID) is a network name used by access points and routers. Manufacturers ship their products with the same default SSID. For example, the SSID for Linksys devices in general is “Linksys”. Knowing the SSID may not by itself allow someone to hack into the network, but a default SSID suggests that the network is poorly configured and makes an attack on it much more likely. When configuring wireless network security, change the default SSID.
5. Enable MAC Address Filtering
Every Wi-Fi device possesses a unique identifier known as the Media Access Control (MAC) address or physical address. Routers and access points maintain the MAC addresses of all devices that connect to them. Many products let the administrator of the access point or router store the MAC addresses of their own devices, so that network access is restricted to connections from those devices only. But this is not as powerful as it sounds, because hackers and their software programs can fake MAC addresses.
6. Enable Firewalls on Each Computer and the Router
Make sure that the router’s firewall is turned on. Most network routers have built-in firewall capability, which can be enabled or disabled as an option. Along with the firewall on the router, also install and configure personal firewall software on each computer connected to the router. The security features of a firewall include blocking anonymous Internet requests and the browsing of unwanted websites, and protecting from malware and spyware. Also define security policies so that unwanted and anonymous connections are restricted.
7. Turn off the Network during Extended Periods of Non-Use
An access point or a router keeps emitting signals as long as it is powered on. The ultimate wireless security measure, which restricts the network to the full extent, is to shut down the access point or router. While it is impractical to turn the devices off and on frequently, at least consider doing so during travel or extended periods offline. Computer disk drives have been known to suffer from power cycle wear-and-tear, but this is a secondary concern for broadband modems and routers.
8. Position the Router or Access Point Safely
Wireless signals are not bound by physical boundaries. The signals from a wireless router can go beyond the office building, or cross the gate of one's house and enter a neighbor's house. Most wireless routers have a signal range of 100 feet. If this signal range is imagined as a sphere with the wireless router at its center, the signal can be accessed from any direction up to 100 feet away. This makes it easier for others to find the wireless network and attempt to access it.
When installing a wireless home network, the position of the access point or router determines its reach. Try to position these devices near the center of the home rather than near windows to minimize leakage. The signal becomes weaker depending on the distance it travels and the material it passes through, such as walls, metal, etc. Aluminum foil can also be used at the windows or doors to reduce the strength of the signal.
9. Do Not Auto-Connect to Open Wi-Fi Networks
Most computers and devices provide a setting that connects them automatically to any available open wireless network without any notification. The risk involved is that there may be dummy access points designed to catch unsuspecting users and hack the connected computers. Configuring the access point to require credentials is also a must; otherwise any unauthorized person can access the access point without a username and password.
10. Assign Static IP Addresses to Devices
DHCP (Dynamic Host Configuration Protocol) is used to assign network configuration information dynamically to connecting devices. Because of DHCP there is no need to configure the network settings manually, which is convenient. But at the same time, attackers can use this feature to connect to the network automatically, obtaining the network settings readily configured, and then access the network. To avoid this, assign static IP addresses to the devices that connect to the wireless network.
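The checklist above can be applied mechanically to a router's settings. The following Python audit is an added example, not part of the original handbook; the configuration field names, the short list of factory logins and both sample configurations are constructed for illustration, and it covers tips 1 to 6 only.

```python
# Added example: audits a router configuration against tips 1-6 above.
# All field names and sample values are constructed for illustration.
import re

# Constructed sample of well-known factory logins; real lists are much longer.
DEFAULT_LOGINS = {("admin", "admin"), ("admin", "password"), ("admin", "")}
# Vendor-style default network names ("Linksys" is the handbook's own example).
DEFAULT_SSID = re.compile(r"^(linksys|netgear|dlink|default|wireless)[-_ ]?\w*$", re.I)
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)

def audit_router(cfg):
    """Return a list of (severity, tip_number, message), most severe first."""
    findings = []
    if (cfg.get("admin_user", ""), cfg.get("admin_password", "")) in DEFAULT_LOGINS:
        findings.append(("high", 1, "default administrator login still set"))
    enc = cfg.get("encryption", "none").lower()
    if enc in ("none", "open", ""):
        findings.append(("high", 2, "no encryption: traffic can be captured"))
    elif enc == "wep":
        findings.append(("high", 2, "WEP is weak; switch to WPA"))
    if cfg.get("ssid_broadcast", True):
        findings.append(("low", 3, "SSID broadcast is enabled"))
    if DEFAULT_SSID.match(cfg.get("ssid", "")):
        findings.append(("medium", 4, "SSID looks like a factory default"))
    allow = cfg.get("mac_allowlist", [])
    bad = [m for m in allow if not MAC_RE.match(m)]
    if not allow:
        findings.append(("low", 5, "MAC address filtering is not configured"))
    elif bad:
        findings.append(("low", 5, "malformed MAC entries: " + ", ".join(bad)))
    if not cfg.get("firewall", False):
        findings.append(("medium", 6, "router firewall is turned off"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))

# Constructed sample configurations: factory state and a hardened setup.
FACTORY = {"admin_user": "admin", "admin_password": "admin", "ssid": "Linksys",
           "encryption": "WEP", "ssid_broadcast": True, "mac_allowlist": [],
           "firewall": False}
HARDENED = {"admin_user": "homeadmin", "admin_password": "c0rrect-h0rse-9",
            "ssid": "maple-street-7", "encryption": "WPA", "ssid_broadcast": False,
            "mac_allowlist": ["a4:5e:60:12:34:56"], "firewall": True}

if __name__ == "__main__":
    for name, cfg in (("factory", FACTORY), ("hardened", HARDENED)):
        print(name)
        for sev, tip, msg in audit_router(cfg):
            print(f"  [{sev}] tip {tip}: {msg}")
```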
15. Mobile Security
Providing mobile PCs or mobile phones with Internet access for official purposes, including remote access to all business applications, may put a person's or an organization’s vital information at risk. For professionals and individual users, a mobile phone or mobile PC offers plenty of benefits, such as working from anywhere. Mobile devices have their own characteristics, but they also come with security concerns, such as access to sensitive information from mobiles. There are various threats that can affect mobile users in several ways, for example sending multimedia messages and text messages to toll free numbers, or unknowingly clicking on a message received through the mobile phone. Nowadays there are many malicious programs that try to gain access to mobile phones and laptops and steal the personal information stored on them.
15.1 Security Concerns
15.1.1 Exposure of critical information
Even small amounts of WLAN signal can travel a significant distance, and it is possible to eavesdrop on these signals using a wireless sniffer. A wireless intruder could expose critical information if sufficient security isn’t implemented.
15.1.2 Lost or Stolen devices
Even if sufficient security is implemented in wireless Virtual Private Networks (VPNs), a lost or stolen device could threaten the entire corporate intranet if it isn’t protected by a password and other user-level security measures.
15.1.3 Mobile Viruses
Mobile viruses can be a major threat, particularly on devices that have significant computational capabilities. Mobile devices in general are susceptible to viruses in several ways. Viruses can take advantage of security holes in applications or in the underlying operating system and cause damage. Applications downloaded to a mobile device can be as virus-prone as desktop applications. In some mobile operating systems, malformed SMS messages can crash the device.