The following is a comprehensive list of “do’s and don’ts,” a guideline for safe online behavior written with the non-technical internet user in mind. We discuss tips for safe use of the internet, whether you are emailing, shopping or using social networks, and how to avoid unwanted exposure for you, your family and friends. We review the tracks you leave online that criminals and harassers use to exploit, manipulate and even attack a user. We explain your digital identity, the footprints left behind whenever you use the internet, and how these traces can be used to gather intelligence on you.
Some of the suggestions concern our behavior and online habits. Others are technical and could be passed on to your IT support person. The bottom line is that in this day and age we need to educate ourselves and act proactively to be cyber secure.
First, why should you be concerned?
There is a direct correlation between the explosion of internet use across the globe and criminal attempts to exploit it. And the good guys are having a hard time keeping up with the bad guys, who are funded by organized crime, supported by nation states, creative, technologically savvy and unfettered by legal concerns.
Malware (malicious software) is epidemic, rising from under 200,000 unique samples in 2004 to almost 6,000,000 unique samples in 2008. Google claims that 1.3% of its search queries return malicious content. Examples of malicious software include viruses, worms, trojans, rootkits, spyware, adware and other rogue applications. A botnet (robot network) consists of many hijacked home computers under a criminal’s remote control; spammers use them to send email, and they are also used to generate bogus traffic to web sites, ad clicks and blog comments. Forty percent of spam is sent via botnets. Vinton Cerf, one of the fathers of the internet, claims that one quarter of all PCs are part of a botnet, which translates to hundreds of millions of computers. And yours may be one of them.
With all these bad guys out to get us, it’s reasonable to adopt a mildly paranoid attitude informed by the knowledge of how the adversary operates. Thinking a bit like a criminal or hacker results in a healthy, defensive behavior online.
Malware
Malware is malicious software designed to infiltrate or damage a computer system without the owner’s knowledge or consent. Methods of infection include:
- Unknown attachments
- Fake e-cards
- Random popups (on malicious websites)
- Fake patches
- Joke programs
- Freeware utilities
- Unknown links
- P2P programs
For example, a Trojan called URLzone was recently reported. It runs on a botnet of about 6,000 infected systems, watches the victim’s browsing for bank web addresses, conducts transactions from the victim’s own computer once they have logged in, and rewrites the balances and transaction records shown in the browser so that the theft fades into the background. The gang using it stole between $4,000 and $15,000 from each hacked account, picking amounts at random to evade the banks’ anti-fraud systems. These attackers worked mostly in Europe and made about €300,000 in three weeks, but the same scheme would work on any continent.
One basic rule of thumb for avoiding infection is not to open an attachment if you are unfamiliar with the sender, and certainly not if the file extension is .exe (indicating an executable program). Be aware that the icon and the visible name can mislead you: a file called “invoice.pdf.exe” is a program, not a document. Likewise, don’t click on pop-ups or install programs about which you can’t be certain. Think before you click.
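The check behind that rule of thumb, written out as an added example (this is not code from the original page). It looks past the usual disguises an attachment name carries: a harmless-looking double extension, trailing spaces or dots that Windows ignores, upper case, and invisible Unicode formatting characters that make the name render backwards. The extension lists are constructed for the example and are not exhaustive.

```python
import unicodedata

# Constructed lists for this example; extend them to match your own environment.
# Extensions Windows executes directly, or that run a script when double-clicked.
EXECUTABLE_EXTENSIONS = {
    "exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "ps1", "msi", "hta", "cpl", "jar", "lnk",
}
# Office formats that can carry macros.
MACRO_EXTENSIONS = {"docm", "xlsm", "pptm"}
# Archives: harmless themselves, but they can wrap any of the above.
ARCHIVE_EXTENSIONS = {"zip", "rar", "7z", "iso"}


def effective_extension(filename: str) -> str:
    """Return the extension the operating system will actually act on.

    Defeats the usual disguises: a 'double extension' (invoice.pdf.exe),
    trailing spaces or dots, upper case, and invisible Unicode formatting
    characters such as the right-to-left override U+202E, which makes
    'report' + U+202E + 'fdp.exe' display as 'reportexe.pdf'.
    """
    # Strip formatting characters first: they change only how the name is
    # rendered, never which program opens the file.
    name = "".join(c for c in filename if unicodedata.category(c) != "Cf")
    # Windows silently drops trailing spaces and dots when resolving the type.
    name = name.strip().rstrip(". ")
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].lower()


def classify_attachment(filename: str) -> tuple[str, str]:
    """Return ('block' | 'warn' | 'allow', reason) for an attachment name."""
    ext = effective_extension(filename)
    if ext in EXECUTABLE_EXTENSIONS:
        return "block", f"'.{ext}' runs as a program when opened"
    if ext in MACRO_EXTENSIONS:
        return "warn", f"'.{ext}' can contain macros; open only if you expected it"
    if ext in ARCHIVE_EXTENSIONS:
        return "warn", f"'.{ext}' is an archive that may hide an executable"
    if ext == "":
        return "warn", "no extension, so it is unclear what will open it"
    return "allow", f"'.{ext}' is an ordinary data file"


if __name__ == "__main__":
    for name in ["photo.jpg", "invoice.pdf.exe", "SETUP.EXE ",
                 "annual_report\u202efdp.exe", "budget.xlsm", "README"]:
        verdict, why = classify_attachment(name)
        print(f"{name!r:34} -> {verdict:5} ({why})")
```

The point of the right-to-left override case is that what your mail client displays and what the operating system will run are decided by different rules; the check strips the rendering tricks before looking at the name.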
P2P or Filesharing
Peer to Peer (P2P) networks were first popularized by Napster as an MP3 sharing environment. File sharing connects your computer to an informal network of computers all sharing the same data, potentially linking millions of users at any time. There’s a wealth of games, music and software out there to share, and if you have teenagers at home it’s likely they are using one. BitTorrent and FastTrack are examples of P2P networks where you can share music, DVDs, video games and the like. But the risks of file sharing absolutely require that you check the client’s sharing settings to prevent sharing personal files: account numbers, tax returns, photos and personal documents. Many clients share an entire folder by default, so confirm that only the folder you intend is shared. Also, if you decide to use file-sharing software, carefully read the End User License Agreement terms and conditions to make sure you understand the risks, not only to your own data but also the consequences of downloading materials.
Here’s a link explaining how exposed you can be via P2P:
Phishing
Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords or credit card details by masquerading as a trustworthy entity in an electronic communication. Criminals phish using emails, pop-ups and websites that look like they represent legitimate agencies or businesses. Some of these messages look very legitimate, especially at a glance.
So keep in mind that you shouldn’t reply to an email or pop-up message, or click on links or open attachments, that ask for personal or financial information. Instead, go directly to the company’s (for example the bank’s or agency’s) legitimate web address, or call them. Hovering over a link usually shows where it really leads; if the address is not the company’s own domain, don’t click. If you receive an email message that asks you to call a phone number to update your account or give personal information, do not call that number. Always call the number that appears in a legitimate directory or on a statement.
Some criminals bombard businesses with targeted messages that look and feel like internal email from the company’s Human Resources or IT department. Whether you are being phished at home or at the office, the criminal’s general idea is to dupe people into revealing credentials that let the attackers walk in easily.
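Hovering over a link tells you where it leads; deciding whether that address is really the bank’s is the harder part. The following is an added example (not code from the original page) that inspects a link against the domain you expected and reports the common deceptions: a plain http address, a “user@host” prefix that hides the real host, a bare IP address, a punycode label, the expected name buried inside a different domain, and digits substituted for letters. The domain names and the digit-substitution table are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Digits that look-alike domains commonly use in place of letters (constructed list).
LOOKALIKE_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def inspect_link(href: str, expected_domain: str) -> list[str]:
    """Return the reasons a link does not belong to expected_domain.

    An empty list means the link uses https and points at expected_domain
    or one of its subdomains. Each entry is a human-readable warning.
    """
    findings = []
    parts = urlsplit(href.strip())
    expected = expected_domain.lower().strip(".")

    if parts.scheme.lower() != "https":
        findings.append(f"not https (scheme is '{parts.scheme or 'missing'}')")

    # 'https://bank.example.com@evil.net/': browsers treat the part before
    # the '@' as a user name; the real host is whatever follows it.
    if "@" in parts.netloc:
        findings.append("'@' in the address; the real host is what follows it")

    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        findings.append("no host name at all")
        return findings

    try:
        ipaddress.ip_address(host)
        findings.append("bare IP address instead of a domain name")
        return findings
    except ValueError:
        pass  # an ordinary name, carry on

    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("internationalised (punycode) label; characters may imitate Latin letters")

    if host == expected or host.endswith("." + expected):
        return findings  # genuinely the expected site or one of its subdomains

    findings.append(f"host '{host}' is not {expected} or a subdomain of it")

    # Two common deceptions once the domain does not match outright.
    swapped = host.translate(LOOKALIKE_MAP)
    if swapped == expected or swapped.endswith("." + expected):
        findings.append("host imitates the expected domain with digits in place of letters")
    elif expected.split(".")[0] in host:
        findings.append("the expected name is buried inside a different domain")
    return findings


if __name__ == "__main__":
    bank = "bank.example.com"
    for link in ["https://secure.bank.example.com/login",
                 "http://bank.example.com.evil.net/login",
                 "https://bank.example.com@198.51.100.7/",
                 "https://bank.examp1e.com/"]:
        print(link, "->", inspect_link(link, bank) or ["looks genuine"])
```

The subdomain test is the important one: “secure.bank.example.com” belongs to the bank, while “bank.example.com.evil.net” belongs to whoever owns evil.net, and the two read almost identically in a hurry.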
Laptops
Treat a laptop as though it were cash. Never leave a laptop in a car, unattended, or on the floor in a public place. Keep it locked and physically separate from your passwords. Encrypt its disk, so that a thief gets the hardware but not your data. When traveling, consider a case that doesn’t look like a laptop bag. Be especially vigilant passing through airport security, where laptops are easily stolen in the confusion of the checkpoint. Use the hotel safe if you must leave it behind. Consider tracking software that reports the machine’s location as stolen the next time it connects to the internet, or an alarm that sounds if the laptop moves outside a set perimeter.
If you use a BlackBerry or an equivalent smartphone, which is after all a mini laptop, make sure you set a password or lock code on it, in addition to following the precautions listed above.
Many of us, on a business trip or over coffee at Starbucks, use public Wi-Fi to connect to the internet. Be aware of a ploy used to phish critically sensitive financial information from you as you finish your double tall nonfat latte. The criminals simply set up their own Wi-Fi network on a laptop in, for example, a hotel lobby, often with a name resembling the hotel’s own. Others in close proximity are lured into logging in to the bogus network and divulge information in the process. Always know what you are connecting to. Ask the hotel staff directly for the network name and login instructions. Even on the legitimate network, anyone nearby may be able to read traffic that isn’t encrypted, so stick to “https:” addresses for anything sensitive. And if in doubt, plug in to a wired network rather than using wireless.
Working and Shopping Online
Whether you are working or playing online, be aware of how you browse. As you move from site to site, know that malicious code is often found in parts of a site not controlled by the site’s owner, such as banner ads and widgets (a portable chunk of code, for example an on-screen clock).
Many online retailers are prepared to take your credit card and purchase information over the phone. For shoppers who would rather not type card details into a website, this is one way to shop more securely. For those who would rather not pick up the phone, there are some simple rules of thumb. Don’t share personal or financial information through a company’s website until you have checked its security. Is there, for example, a lock icon near the address bar, and does the address read “https:”, where the ‘s’ means the connection is encrypted? Bear in mind that the lock only tells you the connection is private and that the site holds a certificate for that address; it says nothing about whether the company behind it is honest. Also read the company’s privacy policy to understand what information they collect, how they use it and with what third parties, if any, your information is shared. What measures do they take to secure your information, and is it their policy to let you see what information they are holding? Sometimes it is better to pass on a company than to take the risk.
When dealing with an online seller for the first time, check that they are who they say they are. Call their number to confirm the company is real. Google the company name for unfavorable reviews. Consider toolbar software that shows ratings and warnings for sites from experts and other users, like MyIdentityDefender.
Social Networks
How many of us, our families and friends use Facebook, Myspace, LinkedIn, Twitter, Second Life and other social networks? It seems like everyone these days is on at least one. A danger inherent in these virtual communities is the false sense of anonymity we feel when online. Our natural defenses are lower because there is no physical contact. The combination can lead us to disclose information we surely would not share if we met these people in person at a social gathering.
Things to Avoid:
- Over-sharing information about your company’s activities and its intellectual property.
- Mixing the personal with business in what is a very public domain.
- Posting or ranting out of anger.
- Accepting a contact request without verifying it. There’s no prize for having the most friends or contacts, so think quality over quantity.
- Using the same password for a social network that you use for a bank account or other sensitive account.
- Getting click happy. Think before you click, to avoid drive-by downloads and zero-day attacks.
- Divulging personal information like a birth date or details about family or children on a social site; it’s an invitation to ID theft and worse.
Many social networking sites have privacy settings. Use them.
Once you’ve posted a document, message, video or photo online, there’s no way to undo it. Even if you delete the item, a version could already reside on another computer, or have been copied or forwarded. Think before you post.
Take a look at this video about social networking scams:
Social engineering is another component of successful exploitation. Often it’s a lot easier to talk a password out of a human being than it is to hack or phish it. The characteristics of an adept social engineer are the same the world over. Here’s an interesting talk by one of the best:
Reporting
If you discover that you’ve been a victim of online fraud, here are some U.S. agencies and organizations you can contact:
- Federal Trade Commission, for e-commerce fraud or if you suspect you’ve divulged personal information that could result in identity theft: www.ftc.gov
- Anti-Phishing Working Group (an industry body, not a government agency), for phishing messages: reportphishing@antiphishing.org
- Deceptive spam: spam@uce.gov
- Hacking: the FBI’s Internet Crime Complaint Center, www.ic3.gov
- Computer viruses: contact your ISP
Public Information
Be aware that a good deal of information is available about you online simply as a matter of public record. Property transactions, legal cases and campaign contributions are available online. Addresses and participation in community and alumni activities are also out there in abundance. So start by googling yourself, to find out what information is publicly available. Intelius is an example of a company that maintains a large database of public information about people for the purpose of background checks. In many cases you can request that contact information be deleted from a given database. Here are the instructions for doing so with Intelius:
In order for Intelius to “opt out” your public information from being viewable on the Intelius website, they require faxed proof of identity. Proof of identity can be a state issued ID card or driver’s license. If you are faxing a copy of your driver’s license, obscure the photo and the driver’s license number. They only need to see the name, address and date of birth. Please allow 2 to 3 weeks to process your request.
Please fax your information to their customer service department at (425) 974-6194.
If you are not comfortable faxing them the information, you can send a notarized form proving your identity.
Please note that removing the data in this way does not prevent public record sources from sending Intelius new information in the future. To have your records permanently sealed, you will need to contact your county’s records department.
As for public transactions, one way to limit exposure is to operate under a company or DBA (“doing business as”) name, or under the name of a family member. Likewise, property transactions conducted under a company or trust whose name does not mimic your own help shield you from public scrutiny. Political donations are a public record as well, and under federal law they cannot be anonymous. It is difficult, but not impossible, to limit your appearance in things like alumni newsletters or charity announcements, but it usually means choosing not to be involved at the level you would have been before the onset of the internet.
Passwords
Here are some commonsense rules of thumb for protecting your passwords:
- The longer the password, the harder it is to break; a passphrase of several unrelated words beats a short jumble of symbols.
- Don’t use common words or number sequences, your name or your login.
- Don’t leave your passwords in plain sight.
- Don’t share your password(s) by email or over the phone.
- Change your passwords regularly, no less than every 90 days, and immediately if you suspect one has been exposed.
- Don’t use the same password for multiple online accounts. A password manager makes a unique, random password for every site practical.
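To see why length matters more than cleverness, here is an added example (not part of the original page) that estimates a password’s entropy from its length and the character classes it uses, converts that to an expected brute-force time, and checks the rules above. The guess rate of ten billion per second is an assumption standing in for one modern GPU against a fast, unsalted hash; the common-word list is a constructed stand-in for the real leaked-password lists an attacker would use.

```python
import math
import string

# A few of the entries that top every leaked-password list (constructed, not exhaustive).
COMMON_WORDS = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}


def charset_size(pw: str) -> int:
    """Size of the smallest character set an attacker must try for this password."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c not in string.ascii_letters + string.digits for c in pw):
        size += len(string.punctuation) + 1  # 32 symbols plus the space
    return size


def entropy_bits(pw: str) -> float:
    """Bits of entropy if every character were chosen at random from its set.

    This is an upper bound: a dictionary word or keyboard walk is far weaker
    than its length suggests, which is why check_password also looks for those.
    """
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def crack_time_seconds(pw: str, guesses_per_second: float = 1e10) -> float:
    """Expected brute-force time; 1e10 guesses/s is an assumed single-GPU rate."""
    return (2 ** entropy_bits(pw)) / 2 / guesses_per_second  # half the space on average


def check_password(pw: str, username: str = "") -> list[str]:
    """Return the rules from the list above that the password breaks."""
    problems = []
    lowered = pw.lower()
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("built on a common word or sequence")
    if username and username.lower() in lowered:
        problems.append("contains the login name")
    if entropy_bits(pw) < 60:
        problems.append("fewer than 60 bits of entropy")
    return problems


if __name__ == "__main__":
    for pw in ["password", "password123", "Tr0ub4dor&3", "correct horse battery staple"]:
        years = crack_time_seconds(pw) / (3600 * 24 * 365)
        print(f"{pw!r:32} {entropy_bits(pw):6.1f} bits  ~{years:.3g} years  {check_password(pw, 'tom')}")
```

The four-word passphrase has more than twice the entropy of the eleven-character symbol soup, because each extra character multiplies the search space rather than adding to it. The estimate assumes random characters; a password manager’s generated passwords meet that assumption, a human’s favourite word does not.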
Emailing
Despite legal protections and the daunting amount of email being sent at any moment (which gives a false sense of protection through numbers), our email privacy is not guaranteed. It could be as simple as a recipient forwarding a message, intentionally or unintentionally, that includes sensitive information, contact emails, names and the like.
In the United States, email sent over a company’s system is generally treated as the company’s property and may be read by its management.
Email travels through multiple routers and mail servers, usually without encryption, and a hacker with access to any less protected hop along the way can read it.
Mail servers are backed up automatically, and those backups, if unprotected, hold copies of your messages that can be read at a later date.
When you open an email message that contains an embedded image, that image is downloaded from the sender’s server. In the process the sender learns that your email address is legitimate and active, your IP address (and so roughly where you are), and that and when you opened that particular message. Most email clients can be set to block remote images until you ask for them; turn that setting on. You could also read your email offline, which is effective but inconvenient, especially at the office, or forgo the HTML-enabled client and work in text only.
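What a “remote image” looks like inside a message, as an added example (not code from the original page): a small parser that lists every image a mail client would fetch from the network and flags the ones that exist only to log the open, either because they are one pixel square or hidden, or because their address carries a long per-recipient token. The sample message body and the server names in it are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample message body, not a real mailing.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Hello Tom, your statement is ready.</p>
<img src="https://cdn.example.net/logo.png" width="120" height="40" alt="logo">
<p>Regards, The Team</p>
<img src="https://track.example.net/open?id=8f3a9c2d1b7e4f60aa1c" width="1" height="1" alt="">
<img src="cid:part1.inline@example.net" alt="inline attachment">
</body></html>
"""


class RemoteImageFinder(HTMLParser):
    """Collect every <img> whose source would be fetched from a remote server."""

    def __init__(self) -> None:
        super().__init__()
        self.images: list[dict] = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        # cid: and data: sources are part of the message itself and leak nothing.
        if src.lower().startswith(("http://", "https://")):
            self.images.append({"src": src,
                                "width": a.get("width", ""),
                                "height": a.get("height", ""),
                                "style": a.get("style", "")})


def find_remote_images(html: str) -> list[dict]:
    parser = RemoteImageFinder()
    parser.feed(html)
    return parser.images


def looks_like_tracker(img: dict) -> bool:
    """Tiny or hidden images, or a URL carrying a per-recipient token, exist to log the open."""
    tiny = img["width"] in ("0", "1") and img["height"] in ("0", "1")
    hidden = "display:none" in img["style"].replace(" ", "").lower()
    query = parse_qs(urlsplit(img["src"]).query)
    tokenised = any(len(values[0]) >= 16 for values in query.values() if values)
    return tiny or hidden or tokenised


def report(html: str) -> list[tuple[str, bool]]:
    """(src, is_tracker) for each remote image; any fetch at all reveals your IP and read time."""
    return [(img["src"], looks_like_tracker(img)) for img in find_remote_images(html)]


if __name__ == "__main__":
    for src, tracker in report(SAMPLE_EMAIL_HTML):
        print(("TRACKER " if tracker else "image   ") + src)
```

Note that even the innocent-looking logo reveals your address is live when it is fetched; the tracker merely adds a token that ties the fetch to you personally. That is why the sensible client setting blocks all remote images, not just suspicious ones.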
There are also ways to configure your particular email system (Outlook, Gmail, Hotmail, Yahoo, etc.) for optimal protection. Your email provider can supply specific information. Under their help section, look for tips related to Privacy and Security. Here are links for Gmail and Yahoo security information.
If you want to play it very safe indeed, you could consider using disposable email addresses. When you use a different alias for each entity to whom you give an email address, you can easily track who is spamming you. For example, you sign up for membership at ABC Widgets Online with an alias like tomsmith.abcwidget@disposablemail.com; any mail arriving at that alias, wanted or not, can only have come from them. One recommended site is www.guerrillamail.com. Keep in mind that addresses at such services are often public and temporary, so never use them for accounts you care about.
Infection Symptoms
Given the surreptitious nature of malware, you may not know or may not be sure whether or not you have a problem.
- Computer runs noticeably slower than normal.
- Computer stops responding or freezes up, often.
- You notice unusual network traffic.
- Computer crashes and restarts suddenly.
- Unusual error messages pop up.
- You suddenly see distorted menus and dialog boxes.
- You notice the presence of unknown toolbars in the browser.
- Task manager, registry editors, folder options are disabled.
- Browsers are redirected to unknown websites.
Security Software
Make sure that your security software package runs automatically and updates at least daily. The lag between a new virus appearing, a fix being written and that fix reaching users makes it impossible to stay entirely safe, but keeping your security software updated surely helps.
Anti-Virus – Defends your computer against viruses that can corrupt or delete data, interfere with the performance of your computer or even let spam be sent from your computer.
Anti-Spyware – Spyware is installed without your consent and monitors or controls your use of your computer. It can record your keystrokes, which can lead to the theft of passwords and other personal information. Signs of spyware include: your computer won’t shut down or restart, it is slow, it repeats error messages, or it displays pop-ups when you are not surfing the web.
Firewalls – A firewall is part of a computer or network whose purpose is to block unauthorized traffic while permitting allowed communications to pass. Like anything, an improperly configured firewall can be worthless, and it’s important to make sure yours is set up correctly. A home router should block all unsolicited inbound connections by default; check that no port-forwarding or “DMZ” rules are enabled that you didn’t create.
Miscellaneous – Keep your operating system (OS) and web browser up to date. Software companies publish security patches regularly. Turn on automatic updating to ensure you have the latest patches in place.
You can also upgrade your browser security by changing the default security and privacy settings which are located under the options and tools menu tabs.
And if you won’t be using your computer for an extended period, disconnect it from the internet or turn it off.
Create a Backup
It seems so obvious, yet many of us don’t bother maintaining a current backup. Clearly it’s a good idea to back up your data to an external hard drive or other media and keep it in a safe place, disconnected from the computer so that malware or a thief cannot take the backup along with the original. Test restoring a file from it occasionally; a backup you have never restored from is a hope, not a plan. The time it takes to keep current backups is well worth the effort.
You present good information and it is appreciated.
Thank you for your info, very much needed, someone is spoofing my e-mail account and causing havoc, I didn’t even think it was possible.
Thank you