Benjamin Computer Services, Inc.
dba Safe Data Central
Since 1990!
DISASTER PLANNING AND RECOVERY WITH OFFSITE REMOTE BACKUP SERVICE
Celebrating our 16th year in business!

PROVIDING REMOTE BACKUP SERVICES SINCE 1990!

REMOTE DATA BACKUP, DATA RECOVERY, VIRUS, SPYWARE, ADWARE REMOVED, MOBILE COMPUTER REPAIR, WE COME TO YOU. SERVING ALL OF WESTERN NORTH CAROLINA AND UPSTATE SOUTH CAROLINA. CALL TOLL FREE 1-866-890-5125. SAME DAY SERVICE IS AVAILABLE!

REMOTE BACKUP SERVICE STARTING AT ONLY $19.99 PER MONTH

NEWSLETTER

National Cyber Alert System
Cyber Security Tip ST05-002 archive

Keeping Children Safe Online

Children present unique security risks when they use a computer—not only do you have to keep them safe, you have to protect the data on your computer. By taking some simple steps, you can dramatically reduce the threats.

What unique risks are associated with children?

When a child is using your computer, normal safeguards and security practices may not be sufficient. Children present additional challenges because of their natural characteristics: innocence, curiosity, desire for independence, and fear of punishment. You need to consider these characteristics when determining how to protect your data and the child.

You may think that because the child is only playing a game, or researching a term paper, or typing a homework assignment, he or she can't cause any harm. But what if, when saving her paper, the child deletes a necessary program file? Or what if she unintentionally visits a malicious web page that infects your computer with a virus? These are just two possible scenarios. Mistakes happen, but the child may not realize what she's done or may not tell you what happened because she's afraid of getting punished.

Online predators present another significant threat, particularly to children. Because the nature of the internet is so anonymous, it is easy for people to misrepresent themselves and manipulate or trick other users (see Avoiding Social Engineering and Phishing Attacks for some examples). Adults often fall victim to these ploys, and children, who are usually much more open and trusting, are even easier targets. The threat is even greater if a child has access to email or instant messaging programs, visits chat rooms, and/or uses social networking sites (see Using Instant Messaging and Chat Rooms Safely and Staying Safe on Social Network Sites for more information).

What can you do?

  • Be involved - Consider activities you can work on together, whether it be playing a game, researching a topic you had been talking about (e.g., family vacation spots, a particular hobby, a historical figure), or putting together a family newsletter. This will allow you to supervise your child's online activities while teaching her good computer habits.

  • Keep your computer in an open area - If your computer is in a high-traffic area, you will be able to easily monitor the computer activity. Not only does this accessibility deter a child from doing something she knows she's not allowed to do, it also gives you the opportunity to intervene if you notice a behavior that could have negative consequences.

  • Set rules and warn about dangers - Make sure your child knows the boundaries of what she is allowed to do on the computer. These boundaries should be appropriate for the child's age, knowledge, and maturity, but they may include rules about how long she is allowed to be on the computer, what sites she is allowed to visit, what software programs she can use, and what tasks or activities she is allowed to do. You should also talk to children about the dangers of the internet so that they recognize suspicious behavior or activity. The goal isn't to scare them; it's to make them more aware.

  • Monitor computer activity - Be aware of what your child is doing on the computer, including which web sites she is visiting. If she is using email, instant messaging, or chat rooms, try to get a sense of who she is corresponding with and whether she actually knows them.

  • Keep lines of communication open - Let your child know that she can approach you with any questions or concerns about behaviors or problems she may have encountered on the computer.

  • Consider partitioning your computer into separate accounts - Most operating systems (including Windows XP, Mac OS X, and Linux) give you the option of creating a different user account for each user. If you're worried that your child may accidentally access, modify, and/or delete your files, you can give her a separate account and decrease the amount of access and number of privileges she has.

    If you don't have separate accounts, you need to be especially careful about your security settings. In addition to limiting functionality within your browser (see Evaluating Your Web Browser's Security Settings for more information), avoid letting your browser remember passwords and other personal information (see Browsing Safely: Understanding Active Content and Cookies). Also, it is always important to keep your virus definitions up to date (see Understanding Anti-Virus Software).

  • Consider implementing parental controls - You may be able to set some parental controls within your browser. For example, Internet Explorer allows you to restrict or allow certain web sites to be viewed on your computer, and you can protect these settings with a password. To find those options, click Tools on your menu bar, select Internet Options..., choose the Content tab, and click the Enable... button under Content Advisor.

    There are other resources you can use to control and/or monitor your child's online activity. Some ISPs offer services designed to protect children online. Contact your ISP to see if any of these services are available. There are also special software programs you can install on your computer. Different programs offer different features and capabilities, so you can find one that best suits your needs. The following web sites offer lists of software, as well as other useful information about protecting children online:

    • GetNetWise - http://kids.getnetwise.org/ - Click Tools for Families to reach a page that allows you to search for software based on characteristics like what the tool does and what operating system you have on your computer.

    • Yahooligans! Parents' Guide - http://yahooligans.yahoo.com/parents/ - Click Blocking and Filtering under Related Websites on the left sidebar to reach a list of software.

Authors: Mindi McDowell, Allen Householder
Copyright 2005 Carnegie Mellon University. Terms of use
US-CERT
Last updated January 17, 2008

National Cyber Alert System
Cyber Security Tip ST04-024 archive

Understanding ISPs

ISPs offer services like email and internet access. Compare factors like security, services, and cost so that you find an ISP that supports all of your needs.

What is an ISP?

An ISP, or internet service provider, is a company that provides its customers access to the internet and other web services. In addition to maintaining a direct line to the internet, the company usually maintains web servers. By supplying necessary software, a password-protected user account, and a way to connect to the internet (e.g., modem, phone number), ISPs offer their customers the capability to browse the web and exchange email with other people. Some ISPs also offer additional services.

ISPs can vary in size—some are operated by one individual, while others are large corporations. They may also vary in scope—some only support users in a particular city, while others have regional or national capabilities.

What services do ISPs provide?

Almost all ISPs offer email and web browsing capabilities. They also offer varying degrees of user support, usually in the form of an email address or customer support hotline. Most ISPs also offer web hosting capabilities, allowing users to create and maintain personal web pages; and some may even offer the service of developing the pages for you. Many ISPs offer the option of high-speed access through DSL or cable modems, and some still offer dial-up connections.

As part of normal operation, most ISPs perform backups of email and web files. If the ability to recover email and web files is important to you, check with your ISP to see if they back up the data; it might not be advertised as a service. Additionally, some ISPs may implement firewalls to block some incoming traffic, although you should consider this a supplement to your own security precautions, not a replacement.

How do you choose an ISP?

There are thousands of ISPs, and it's often difficult to decide which one best suits your needs. Some factors to consider include

  • security - Do you feel that the ISP is concerned about security? Does it use encryption and SSL (see Protecting Your Privacy for more information) to protect any information you submit (e.g., user name, password)?

  • privacy - Does the ISP have a published privacy policy? Are you comfortable with who has access to your information and how it is being handled and used?

  • services - Does your ISP offer the services you want? Do they meet your requirements? Is there adequate support for the services?

  • cost - Are the ISP's costs affordable? Are they reasonable for the number of services you receive, as well as the level of those services? Are you sacrificing quality and security to get the lowest price?

  • reliability - Are the services your ISP provides reliable, or are they frequently unavailable due to maintenance, security problems, a high volume of users, or other reasons? If the ISP knows that services will be unavailable for a particular reason, does it adequately communicate that information?

  • user support - Are there published methods for contacting customer support? Do you receive prompt and friendly service? Do their hours of availability accommodate your needs? Do the consultants have the appropriate level of knowledge?

  • speed - How fast is your ISP's connection? Is it sufficient for accessing your email or navigating the internet?

  • recommendations - Have you heard or seen positive reviews about the ISP? Were they from trusted sources? Does the ISP serve your geographic area? If you've uncovered negative points, are they factors you are concerned about?

Author: Mindi McDowell
Copyright 2004 Carnegie Mellon University. Terms of use
US-CERT
Last updated December 26, 2007

National Cyber Alert System
Cyber Security Tip ST07-001 archive

Shopping Safely Online

Online shopping has become a popular way to purchase items without the hassles of traffic and crowds. However, the Internet has unique risks, so it is important to take steps to protect yourself when shopping online.

Why do online shoppers have to take special precautions?

The Internet offers a convenience that is not available from any other shopping outlet. From the comfort of your home, you can search for items from countless vendors, compare prices with a few simple mouse clicks, and make purchases without waiting in line. However, the Internet is also convenient for attackers, giving them multiple ways to access the personal and financial information of unsuspecting shoppers. Attackers who are able to obtain this information may use it for their own financial gain, either by making purchases themselves or by selling the information to someone else.

How do attackers target online shoppers?

There are three common ways that attackers can take advantage of online shoppers:

  • Targeting vulnerable computers - If you do not take steps to protect your computer from viruses or other malicious code, an attacker may be able to gain access to your computer and all of the information on it. It is also important for vendors to protect their computers to prevent attackers from accessing customer databases.

  • Creating fraudulent sites and email messages - Unlike traditional shopping, where you know that a store is actually the store it claims to be, attackers can create malicious web sites that mimic legitimate ones or create email messages that appear to have been sent from a legitimate source. Charities may also be misrepresented in this way, especially after natural disasters or during holiday seasons. Attackers create these malicious sites and email messages to try to convince you to supply personal and financial information.

  • Intercepting insecure transactions - If a vendor does not use encryption, an attacker may be able to intercept your information as it is being transmitted.

How can you protect yourself?

  • Use and maintain anti-virus software, a firewall, and anti-spyware software - Protect yourself against viruses and Trojan horses that may steal or modify the data on your own computer and leave you vulnerable by using anti-virus software and a firewall (see Understanding Anti-Virus Software and Understanding Firewalls for more information). Make sure to keep your virus definitions up to date. Spyware or adware hidden in software programs may also give attackers access to your data, so use a legitimate anti-spyware program to scan your computer and remove any of these files (see Recognizing and Avoiding Spyware for more information).

  • Keep software, particularly your web browser, up to date - Install software patches so that attackers cannot take advantage of known problems or vulnerabilities (see Understanding Patches for more information). Many operating systems offer automatic updates. If this option is available, you should enable it.

  • Evaluate your software's settings - The default settings of most software enable all available functionality. However, attackers may be able to take advantage of this functionality to access your computer (see Evaluating Your Web Browser's Security Settings for more information). It is especially important to check the settings for software that connects to the Internet (browsers, email clients, etc.). Apply the highest level of security available that still gives you the functionality you need.

  • Do business with reputable vendors - Before providing any personal or financial information, make sure that you are interacting with a reputable, established vendor. Some attackers may try to trick you by creating malicious web sites that appear to be legitimate, so you should verify the legitimacy before supplying any information (see Avoiding Social Engineering and Phishing Attacks and Understanding Web Site Certificates for more information). Locate and note phone numbers and physical addresses of vendors in case there is a problem with your transaction or your bill.

  • Take advantage of security features - Passwords and other security features add layers of protection if used appropriately (see Choosing and Protecting Passwords and Supplementing Passwords for more information).

  • Be wary of emails requesting information - Attackers may attempt to gather information by sending emails requesting that you confirm purchase or account information (see Avoiding Social Engineering and Phishing Attacks for more information). Legitimate businesses will not solicit this type of information through email.

  • Check privacy policies - Before providing personal or financial information, check the web site's privacy policy. Make sure you understand how your information will be stored and used (see Protecting Your Privacy for more information).

  • Make sure your information is being encrypted - Many sites use SSL, or secure sockets layer, to encrypt information. Indications that your information will be encrypted include a URL that begins with "https:" instead of "http:" and a lock icon in the bottom right corner of the window.

  • Use a credit card - Unlike debit cards, credit cards may have a limit on the monetary amount you will be responsible for paying if your information is stolen and used by someone else. You can further minimize damage by using a single credit card with a low credit line for all of your online purchases.

  • Check your statements - Keep a record of your purchases and copies of confirmation pages, and compare them to your bank statements. If there is a discrepancy, report it immediately (see Preventing and Responding to Identity Theft for more information).

Authors: Mindi McDowell, Monica Maher
Produced 2007 by US-CERT, a government organization. Terms of use
US-CERT
Last updated December 12, 2007

National Cyber Alert System
Cyber Security Tip ST04-023

Understanding Your Computer: Email Clients

The main difference between email clients is the user interface. Regardless of which software you decide to use, follow good security practices when reading or sending email.

How do email clients work?

Every email address has two basic parts: the user name and the domain name. When you are sending email to someone else, your domain's server has to communicate with your recipient's domain server.

For example, let's assume that your email address is johndoe@example.com, and the person you are contacting is at janesmith@anotherexample.org. In very basic terms, after you hit send, the server hosting your domain (example.com) looks at the email address and then contacts the server hosting the recipient's domain (anotherexample.org) to let it know that it has a message for someone at that domain. Once the connection has been established, the server hosting the recipient's domain (anotherexample.org) then looks at the user name of the email address and routes the message to that account.

How many email clients are there?

There are many different email clients and services, each with its own interface. Some are web-based, some are stand-alone graphics-based, and some are text-based. The following are some well-known email programs:

    Web-based

    • Hotmail
    • Yahoo! Mail
    • Gmail

    Stand-alone graphics-based

    • Outlook and Outlook Express
    • Thunderbird
    • Pegasus

    Text-based

    • Pine

How do you choose an email client?

There is usually an email client included with the installation of your operating system, but many other alternatives are available. Be wary of "home-brewed" software, because it may not be as secure or reliable as software that is tested and actively maintained. Some of the factors to consider when deciding which email client best suits your needs include

  • security - Do you feel that your email program offers you the level of security you want for sending, receiving, and reading email messages? How does it handle attachments (see Using Caution with Email Attachments for more information)? If you are dealing with sensitive information, do you have the option of sending and receiving signed and/or encrypted messages (see Understanding Digital Signatures and Understanding Encryption for more information)?

  • privacy - If you are using a web-based service, have you read its privacy policy (see Protecting Your Privacy for more information)? Do you know what information is being collected and who has access to it? Are there options for filtering spam (see Reducing Spam for more information)?

  • functionality - Does the software send, receive, and interpret email messages appropriately?

  • reliability - For web-based services, is the server reliable, or is your email frequently unavailable due to maintenance, security problems, a high volume of users, or other reasons?

  • availability - Do you need to be able to access your account from any computer?

  • ease of use - Are the menus and options easy to understand and use?

  • visual appeal - Do you find the interface appealing?

Each email client may have a different way of organizing drafted, sent, saved, and deleted mail. Familiarize yourself with the software so that you can find and store messages easily, and so that you don't unintentionally lose messages. Once you have chosen the software you want to use for your email, protect yourself and your contacts by following good security practices (see US-CERT Cyber Security Tips for more information).

Can you use more than one email client?

You can have more than one email client, although you may have issues with compatibility. Some email accounts, such as those issued through your internet service provider (ISP) or place of employment, are only accessible from a computer that has appropriate privileges and settings for you to access that account. You can use any stand-alone email client to read those messages, but if you have more than one client installed on your machine, you should choose one as your default. When you click an email link in a browser or email message, your computer will open that default email client that you chose.

Most vendors give you the option to download their email software directly from their web sites. Make sure to verify the authenticity of the site before downloading any files, and follow other good security practices, like using a firewall and keeping anti-virus software up to date, to further minimize risk (see Understanding Firewalls, Understanding Anti-Virus Software, and other US-CERT Cyber Security Tips for more information).

You can also maintain free email accounts through browser-based email clients (e.g., Yahoo!, Hotmail, Gmail) that you can access from any computer. Because these accounts are maintained directly on the vendors' servers, they don't interfere with other email accounts.

Author: Mindi McDowell
Copyright 2004 Carnegie Mellon University. Terms of use
Last updated November 16, 2007

Good Security Habits

There are some simple habits you can adopt that, if performed consistently, may dramatically reduce the chances that the information on your computer will be lost or corrupted.

How can you minimize the access other people have to your information?

You may be able to easily identify people who could, legitimately or not, gain physical access to your computer—family members, roommates, co-workers, members of a cleaning crew, and maybe others. Identifying the people who could gain remote access to your computer becomes much more difficult. As long as you have a computer and connect it to a network, you are vulnerable to someone or something else accessing or corrupting your information; however, you can develop habits that make it more difficult.

  • Lock your computer when you are away from it. Even if you only step away from your computer for a few minutes, it's enough time for someone else to destroy or corrupt your information. Locking your computer prevents another person from being able to simply sit down at your computer and access all of your information.

  • Disconnect your computer from the Internet when you aren't using it. The development of technologies such as DSL and cable modems has made it possible for users to be online all the time, but this convenience comes with risks. The likelihood that attackers or viruses scanning the network for available computers will target your computer becomes much higher if your computer is always connected. Depending on what method you use to connect to the Internet, disconnecting may mean ending a dial-up connection, turning off your computer or modem, or disconnecting cables.

  • Evaluate your security settings. Most software, including browsers and email programs, offers a variety of features that you can tailor to meet your needs and requirements. Enabling certain features to increase convenience or functionality may leave you more vulnerable to being attacked. It is important to examine the settings, particularly the security settings, and select options that meet your needs without putting you at increased risk. If you install a patch or a new version of the software, or if you hear of something that might affect your settings, reevaluate your settings to make sure they are still appropriate (see Understanding Patches, Safeguarding Your Data, and Evaluating Your Web Browser's Security Settings for more information).

What other steps can you take?

Sometimes the threats to your information aren't from other people but from natural or technological causes. Although there is no way to control or prevent these problems, you can prepare for them and try to minimize the damage.

  • Protect your computer against power surges. Aside from providing outlets to plug in your computer and all of its peripherals, some power strips protect your computer against power surges. Many power strips now advertise compensation if they do not effectively protect your computer. During a lightning storm or construction work that increases the odds of power surges, consider shutting your computer down and unplugging it from all power sources. Power strips alone will not protect you from power outages, but there are products that do offer an uninterruptible power supply when there are power surges or outages.

  • Back up all of your data. Whether or not you take steps to protect yourself, there will always be a possibility that something will happen to destroy your data. You have probably already experienced this at least once—losing one or more files due to an accident, a virus or worm, a natural event, or a problem with your equipment. Regularly backing up your data on a CD or network reduces the stress and other negative consequences that result from losing important information (see Real-World Warnings Keep You Safe Online for more information). Determining how often to back up your data is a personal decision. If you are constantly adding or changing data, you may find weekly backups to be the best alternative; if your content rarely changes, you may decide that your backups do not need to be as frequent. You don't need to back up software that you own on CD-ROM or DVD-ROM—you can reinstall the software from the original media if necessary.

Both the National Cyber Security Alliance and US-CERT have identified this topic as one of the top tips for home users.
Authors: Mindi McDowell, Allen Householder
Copyright 2004 Carnegie Mellon University. Terms of use

Safeguarding Your Data

When there are multiple people using your computer and/or you store sensitive personal and work-related data on your computer, it is especially important to take extra security precautions.

Why isn't "more" better?

Maybe there is an extra software program included with a program you bought. Or perhaps you found a free download online. You may be tempted to install the programs just because you can, or because you think you might use them later. However, even if the source and the software are legitimate, there may be hidden risks. And if other people use your computer, there are additional risks.

These risks become especially important if you use your computer to manage your personal finances (banking, taxes, online bill payment, etc.), store sensitive personal data, or perform work-related activities away from the office. However, there are steps you can take to protect yourself.

How can you protect both your personal and work-related data?

  • Use and maintain anti-virus software and a firewall - Protect yourself against viruses and Trojan horses that may steal or modify the data on your own computer and leave you vulnerable by using anti-virus software and a firewall (see Understanding Anti-Virus Software and Understanding Firewalls for more information). Make sure to keep your virus definitions up to date.

  • Regularly scan your computer for spyware - Spyware or adware hidden in software programs may affect the performance of your computer and give attackers access to your data. Use a legitimate anti-spyware program to scan your computer and remove any of these files (see Recognizing and Avoiding Spyware for more information).

  • Keep software up to date - Install software patches so that attackers cannot take advantage of known problems or vulnerabilities (see Understanding Patches for more information). Many operating systems offer automatic updates. If this option is available, you should turn it on.

  • Evaluate your software's settings - The default settings of most software enable all available functionality. However, attackers may be able to take advantage of this functionality to access your computer. It is especially important to check the settings for software that connects to the internet (browsers, email clients, etc.). Apply the highest level of security available that still gives you the functionality you need.

  • Avoid unused software programs - Do not clutter your computer with unnecessary software programs. If you have programs on your computer that you do not use, consider uninstalling them.

  • Consider creating separate user accounts - If there are other people using your computer, you may be worried that someone else may accidentally access, modify, and/or delete your files. Most operating systems (including Windows XP, Mac OS X, and Linux) give you the option of creating a different user account for each user, and you can set the amount of access and privileges for each account. You may also choose to have separate accounts for your work and personal purposes. While this approach will not completely isolate each area, it does offer some additional protection.

  • Establish guidelines for computer use - If there are multiple people using your computer, especially children, make sure they understand how to use the computer and internet safely. Setting boundaries and guidelines will help to protect your data (see Keeping Children Safe Online for more information).

  • Use passwords and encrypt sensitive files - Passwords and other security features add layers of protection if used appropriately (see Choosing and Protecting Passwords and Supplementing Passwords for more information). By encrypting files, you ensure that unauthorized people can't view data even if they can physically access it. You may also want to consider options for full disk encryption, which prevents a thief from even starting your laptop without a passphrase. When you use encryption, it is important to remember your passwords and passphrases; if you forget or lose them, you may lose your data.

  • Follow corporate policies for handling and storing work-related information - If you use your computer for work-related purposes, make sure to follow any corporate policies for handling and storing the information. These policies were likely established to protect proprietary information and customer data, as well as to protect you and the company from liability.

  • Dispose of sensitive information properly - Simply deleting a file does not completely erase it. To ensure that an attacker cannot access these files, make sure that you adequately erase sensitive files (see Effectively Erasing Files for more information).

  • Follow good security habits - Review other security tips for ways to protect yourself and your data.

Author: Mindi McDowell
Produced 2006 by US-CERT, a government organization. Terms of use

Understanding Hidden Threats: Corrupted Software Files

Malicious code is not always hidden in web page scripts or unusual file formats. Attackers may corrupt types of files that you would recognize and typically consider safe, so you should take precautions when opening files from other people.

What types of files can attackers corrupt?

An attacker may be able to insert malicious code into any file, including common file types that you would normally consider safe. These files may include documents created with word processing software, spreadsheets, or image files. After corrupting the file, an attacker may distribute it through email or post it to a web site. Depending on the type of malicious code, you may infect your computer by just opening the file.

When corrupting files, attackers often take advantage of vulnerabilities that they discover in the software. These vulnerabilities may allow attackers to insert and execute malicious scripts or code, sometimes without being detected. Sometimes the vulnerability involves a combination of certain files (such as a particular piece of software running on a particular operating system) or only affects certain versions of a software program.

What problems can malicious files cause?

There are various types of malicious code, including viruses, worms, and Trojan horses (see Why is Cyber Security a Problem? for more information). However, the range of consequences varies even within these categories. The malicious code may be designed to perform one or more functions, including

  • interfering with your computer's ability to process information by consuming memory or bandwidth (causing your computer to become significantly slower or even "freeze")
  • installing, altering, or deleting files on your computer
  • giving the attacker access to your computer
  • using your computer to attack other computers (see Understanding Denial-of-Service Attacks for more information)

How can you protect yourself?

  • Use and maintain anti-virus software - Anti-virus software recognizes and protects your computer against most known viruses, so you may be able to detect and remove the virus before it can do any damage (see Understanding Anti-Virus Software for more information). Because attackers are continually writing new viruses, it is important to keep your definitions up to date.
  • Use caution with email attachments - Do not open email attachments that you were not expecting, especially if they are from people you do not know. If you decide to open an email attachment, scan it for viruses first (see Using Caution with Email Attachments for more information). Not only is it possible for attackers to "spoof" the source of an email message, your legitimate contacts may unknowingly send you an infected file.
  • Be wary of downloadable files on web sites - Avoid downloading files from sites that you do not trust. If you are getting the files from a supposedly secure site, look for a web site certificate (see Understanding Web Site Certificates for more information). If you do download a file from a web site, consider saving it to your desktop and manually scanning it for viruses before opening it.
  • Keep software up to date - Install software patches so that attackers cannot take advantage of known problems or vulnerabilities (see Understanding Patches for more information). Many operating systems offer automatic updates. If this option is available, you should enable it.
  • Take advantage of security settings - Check the security settings of your email client and your web browser (see Evaluating Your Web Browser's Security Settings for more information). Apply the highest level of security available that still gives you the functionality you need. In email clients, turn off the option to automatically download attachments.

Related information


Author: Mindi McDowell
Produced 2006 by US-CERT, a government organization. Terms of use

 

Dealing with Cyberbullies

Bullies are now taking advantage of technology to intimidate and harass their victims. Dealing with cyberbullying can be difficult, but there are steps you can take.

 

What is cyberbullying?

Cyberbullying refers to the new, and growing, practice of using technology to harass, or bully, someone else. Bullies used to be restricted to methods such as physical intimidation, postal mail, or the telephone. Now, developments in electronic media offer forums such as email, instant messaging, web pages, and digital photos to add to the arsenal. Computers, cell phones, and PDAs are new tools that can be applied to an old practice.

Forms of cyberbullying can range in severity from cruel or embarrassing rumors to threats, harassment, or stalking. It can affect any age group; however, teenagers and young adults are common victims, and cyberbullying is a growing problem in schools.

Why has cyberbullying become such a problem?

The relative anonymity of the internet is appealing for bullies because it enhances the intimidation and makes tracing the activity more difficult. Some bullies also find it easier to be more vicious because there is no personal contact. Unfortunately, the internet and email can also increase the visibility of the activity. Information or pictures posted online or forwarded in mass emails can reach a larger audience faster than more traditional methods, causing more damage to the victims. And because of the amount of personal information available online, bullies may be able to arbitrarily choose their victims.

Cyberbullying may also indicate a tendency toward more serious behavior. While bullying has always been an unfortunate reality, most bullies grow out of it. Cyberbullying has not existed long enough to have solid research, but there is evidence that it may be an early warning for more violent behavior.

How can you protect yourself?

  • Be careful where you post personal information - By limiting the number of people who have access to your contact information or details about your interests, habits, or employment, you reduce your exposure to bullies that you do not know. This may limit your risk of becoming a victim and may make it easier to identify the bully if you are victimized.
  • Avoid escalating the situation - Responding with hostility is likely to provoke a bully and escalate the situation. Depending on the circumstances, consider ignoring the issue. Often, bullies thrive on the reaction of their victims. Other options include subtle actions. For example, if you are receiving unwanted email messages, consider changing your email address. If the bully does not have access to the new address, the problem may stop. If you continue to get messages at your new account, you may have a stronger case for legal action.
  • Document the activity - Keep a record of any online activity (emails, web pages, instant messages, etc.), including relevant dates and times. In addition to archiving an electronic version, consider printing a copy.
  • Report cyberbullying to the appropriate authorities - If you are being harassed or threatened, report the activity to the local authorities. Law enforcement agencies have different policies, but your local police department or FBI branch are good starting points. Unfortunately, there is a distinction between free speech and punishable offenses, but the legal implications should be decided by the law enforcement officials and the prosecutors. Depending on the activity, it may also be appropriate to report it to school officials who may have separate policies for dealing with activity that involves students.

Protect your children by teaching them good online habits (see Keeping Children Safe Online for more information). Keep lines of communication open with your children so that they feel comfortable telling you if they are being victimized online. Reduce their risk of becoming cyberbullies by setting guidelines for and monitoring their use of the internet and other electronic media (cell phones, PDAs, etc.).


Author: Mindi McDowell
Produced 2006 by US-CERT, a government organization. Terms of use



Scripts in eBay Postings May Enable Phishing Attacks

Original release date: April 27, 2006
Last revised: --
Source: US-CERT

 

Systems Affected

The eBay web site may contain pages that affect various web browsers.


 

Overview

A vulnerability in the eBay web site may allow an attacker to steal personal information from eBay customers.


 

Solution

Verify the legitimacy of eBay web pages

Attackers may use the vulnerability to perform a phishing attack. Make sure that the URL is accurate, and check the web site certificate to make sure that you are visiting an authentic eBay web page.


 

Description

eBay allows users to incorporate a type of code, also known as scripting, into the auction descriptions on its web site. An attacker can use this code to modify pages on eBay's web site or redirect you to a malicious web page. These may appear to be legitimate eBay web pages that request personal information. Using these techniques, an attacker may be able to collect your passwords, credit card numbers, or other personal information.

Please see US-CERT Vulnerability note VU#808921 for details and additional workarounds.
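The weakness described above is user-supplied scripting inside listing descriptions. As an added, defender-side illustration that is not eBay's code and not part of the advisory, the following allowlist sanitizer rebuilds such a description from scratch and drops every construct that can carry script; the tag/attribute allowlist, the class and function names, and the hostile sample description are assumptions constructed for this example.

```python
"""Allowlist sanitizer for user-supplied listing HTML (added example, not eBay's code).

Anything that can carry script is removed: <script>/<style>/<iframe>/<object>
elements together with their contents, every attribute that is not explicitly
allowed (so all on* event handlers and style=), and href/src values whose
scheme is not http(s). The allowlist below is an assumption chosen for illustration.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"b", "i", "u", "p", "br", "ul", "ol", "li", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
VOID_TAGS = {"br", "img"}
# Elements whose entire content is discarded, not just the tags.
DROP_CONTENT = {"script", "style", "iframe", "object"}


def safe_url(value: str) -> bool:
    """True for relative paths and absolute http(s) URLs; False for javascript:, data:, etc.

    Control characters and spaces are stripped before parsing because browsers
    ignore them, so a value such as "java\\tscript:" must not slip past the check.
    """
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    return urlparse(cleaned).scheme.lower() in ("", "http", "https")


class ListingSanitizer(HTMLParser):
    """Rebuilds the document from scratch, emitting only allowlisted markup."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.drop_depth = 0  # > 0 while inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.drop_depth += 1  # an unclosed one swallows the rest: fail closed
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: its text is kept, the tag itself is dropped
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onmouseover=, onerror=, style=, ...
            if name in URL_ATTRS and not safe_url(value):
                continue  # drops javascript:/data: links and image sources
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.drop_depth = max(0, self.drop_depth - 1)
        elif not self.drop_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))  # text can never become markup


def sanitize(html: str) -> str:
    parser = ListingSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed hostile description (not a real listing); every hostile part is stripped.
SAMPLE = (
    '<p onmouseover="bad()">Vintage camera, <b>mint</b> condition</p>'
    '<script>window.location = "http://phish.example/";</script>'
    '<a href="javascript:bad()">Sign in to bid</a>'
    '<a href="https://www.ebay.com/">Item page</a>'
    '<img src="http://img.example/cam.jpg" onerror="bad()" alt="camera">'
    '<iframe src="http://phish.example/"></iframe>'
)

if __name__ == "__main__":
    print(sanitize(SAMPLE))
```

Note that the page text itself survives untouched while the redirecting script, the javascript: link, the event handlers and the iframe are gone; a site that rebuilds output this way, rather than trying to blacklist known-bad strings, is what removes the phishing vector.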


 

References


 

Feedback can be directed to the US-CERT Technical Staff.


Produced 2006 by US-CERT, a government organization. Terms of use

Revision History

April 27, 2006: Initial release

Avoiding the Pitfalls of Online Trading

Online trading can be an easy, cost-effective way to manage investments. However, online investors are often targets of scams, so take precautions to ensure that you do not become a victim.

 

What is online trading?

Online trading allows you to conduct investment transactions over the internet. The accessibility of the internet makes it possible for you to research and invest in opportunities from any location at any time. It also reduces the amount of resources (time, effort, and money) you have to devote to managing these accounts and transactions.

What are the risks?

Recognizing the importance of safeguarding your money, legitimate brokerages take steps to ensure that their transactions are secure. However, online brokerages and the investors who use them are appealing targets for attackers. The amount of financial information in a brokerage's database makes it valuable; this information can be traded or sold for personal profit. Also, because money is regularly transferred through these accounts, malicious activity may not be noticed immediately. To gain access to these databases, attackers may use Trojan horses or other types of malicious code (see Why is Cyber Security a Problem? for more information).

Attackers may also attempt to collect financial information by targeting the current or potential investors directly. These attempts may take the form of social engineering or phishing attacks (see Avoiding Social Engineering and Phishing Attacks for more information). With methods that include setting up fraudulent investment opportunities or redirecting users to malicious sites that appear to be legitimate, attackers try to convince you to provide them with financial information that they can then use or sell. If you have been victimized, both your money and your identity may be at risk (see Preventing and Responding to Identity Theft for more information).

How can you protect yourself?

  • Research your investment opportunities - Take advantage of resources such as the U.S. Securities and Exchange Commission's EDGAR database and your state's securities commission (found through the North American Securities Administrators Association) to investigate companies.
  • Be wary of online information - Anyone can publish information on the internet, so try to verify any online research through other methods before investing any money. Also be cautious of "hot" investment opportunities advertised online or in email.
  • Check privacy policies - Before providing personal or financial information, check the web site's privacy policy. Make sure you understand how your information will be stored and used (see Protecting Your Privacy for more information).
  • Make sure that your transactions are encrypted - When information is sent over the internet, attackers may be able to intercept it. Encryption prevents the attackers from being able to view the information.
  • Verify that the web site is legitimate - Attackers may redirect you to a malicious web site that looks identical to a legitimate one. They then convince you to submit your personal and financial information, which they use for their own gain. Check the web site's certificate to make sure it is legitimate (see Understanding Web Site Certificates for more information).
  • Monitor your investments - Regularly check your accounts for any unusual activity. Report unauthorized transactions immediately.
  • Use and maintain anti-virus software - Anti-virus software recognizes and protects your computer against most known viruses. However, because attackers are continually writing new viruses, it is important to keep your virus definitions current (see Understanding Anti-Virus Software for more information).
  • Use anti-spyware tools - Spyware is a common source of viruses, and attackers may use it to access information on your computer. You can minimize the number of infections by using a legitimate program that identifies and removes spyware (see Recognizing and Avoiding Spyware for more information).
  • Keep software up to date - Install software patches so that attackers can't take advantage of known problems or vulnerabilities (see Understanding Patches for more information). Enable automatic updates if the option is available.
  • Evaluate your security settings - By adjusting the security settings in your browser, you may limit your risk of certain attacks (see Evaluating Your Web Browser's Security Settings for more information).

The following sites offer additional information and guidance:

Author: Mindi McDowell
Produced 2006 by US-CERT, a government organization. Terms of use

US-CERT National Cyber Alert System

TA06-062A-Apple Mac Products are Affected by Multiple Vulnerabilities

Original release date: March 3, 2006
Last revised: --
Source: US-CERT

Systems Affected

 

  • Apple Mac OS X version 10.3.9 (Panther) and version 10.4.5 (Tiger)
  • Apple Mac OS X Server version 10.3.9 and version 10.4.5
  • Apple Safari web browser
Previous versions of Mac OS X may also be affected. Please see Apple Security Update 2006-001 for further information.

 


Overview

Apple has released Security Update 2006-001 to correct multiple vulnerabilities affecting Mac OS X, Mac OS X Server, Safari web browser, and other products. The most serious of these vulnerabilities may allow a remote attacker to execute arbitrary code. Impacts of other vulnerabilities include bypassing security restrictions and denial of service.


I. Description

Apple Security Update 2006-001 resolves a number of vulnerabilities affecting Mac OS X, OS X Server, Safari web browser, and other products. Further details are available in the following Vulnerability Notes:

VU#999708 - Apple Safari automatically executes arbitrary shell commands or code

Apple Safari fails to properly determine file safety, allowing a remote unauthenticated attacker to execute arbitrary commands or code.
(CVE-2006-0848)

VU#351217 - Apple Safari WebKit component vulnerable to buffer overflow

Apple Safari WebKit component is vulnerable to buffer overflow. This vulnerability may allow a remote attacker to execute arbitrary code or cause a denial-of-service condition.
(CVE-2005-4504)

VU#176732 - Apple Safari vulnerable to buffer overflow

Apple Safari is vulnerable to a stack-based buffer overflow. This vulnerability may allow a remote attacker to execute arbitrary code on a vulnerable system.
(CVE-2006-0387)

Please note that Apple Security Update 2006-001 addresses additional vulnerabilities not described above. As further information becomes available, we will publish individual Vulnerability Notes. In addition, more information about VU#999708 is available in US-CERT Technical Cyber Security Alert TA06-053A.


II. Impact

The impacts of these vulnerabilities vary. For information about specific impacts, please see the Vulnerability Notes. Potential consequences include remote execution of arbitrary code or commands, bypass of security restrictions, and denial of service.


III. Solution

Install an update

Install the update as described in Apple Security Update 2006-001. In addition, this update is available via Apple Update.


Appendix A. References

US-CERT Vulnerability Note VU#999708 - <http://www.kb.cert.org/vuls/id/999708>

US-CERT Vulnerability Note VU#351217 - <http://www.kb.cert.org/vuls/id/351217>


 

These vulnerabilities were reported in Apple Security Update 2006-001. Please see the Vulnerability Notes for individual reporter acknowledgements.


Feedback can be directed to the authors: US-CERT Technical Staff.


Produced 2006 by US-CERT, a government organization. Terms of use

Revision History

March 3, 2006: Initial release

US-CERT National Cyber Alert System

SA06-053A-Apple Mac OS X Safari Command Execution Vulnerability

Original release date: February 22, 2006
Last revised: --
Source: US-CERT

 

Systems Affected

  • Apple Safari running on Mac OS X

 

Overview

A vulnerability in the Apple Safari web browser could allow an attacker to place and run malicious code on your computer.


 

Solution

Turn off "Open safe files after downloading" feature

To turn off "Open safe files after downloading" feature in Safari, first choose "Preferences" from the Safari menu. Next, uncheck the option "Open 'safe' files after downloading."

More information about this solution is available in the document "Securing Your Web Browser."


 

Description

Apple Safari is a web browser that comes with Apple Mac OS X. Safari contains a vulnerability that could allow an attacker to run malicious programs on your computer.

For more technical information, see US-CERT Technical Alert TA06-053A.


 

References


 

Feedback can be directed to US-CERT.


Produced 2006 by US-CERT, a government organization. Terms of use

Revision History

February 22, 2006: Initial release

Cybersecurity for Electronic Devices

When you think about cybersecurity, remember that electronics such as cell phones and PDAs may also be vulnerable to attack. Take appropriate precautions to limit your risk.

 

Why does cybersecurity extend beyond computers?

Actually, the issue is not that cybersecurity extends beyond computers; it is that computers extend beyond traditional laptops and desktops. Many electronic devices are computers—from cell phones and PDAs to video games and car navigation systems. While computers provide increased features and functionality, they also introduce new risks. Attackers may be able to take advantage of these technological advancements to target devices previously considered "safe." For example, an attacker may be able to infect your cell phone with a virus, steal your phone or wireless service, or access the records on your PDA. Not only do these activities have implications for your personal information, but they could also have serious consequences if you store corporate information on the device.

What types of electronics are vulnerable?

Any piece of electronic equipment that uses some kind of computerized component is vulnerable to software imperfections and vulnerabilities. The risks increase if the device is connected to the internet or a network that an attacker may be able to access. Remember that a wireless connection also introduces these risks (see Securing Wireless Networks for more information). The outside connection provides a way for an attacker to send information to or extract information from your device.

How can you protect yourself?

  • Remember physical security - Having physical access to a device makes it easier for an attacker to extract or corrupt information. Do not leave your device unattended in public or easily accessible areas (see Protecting Portable Devices: Physical Security for more information).
  • Keep software up to date - If the vendor releases patches for the software operating your device, install them as soon as possible. These patches may be called firmware updates. Installing them will prevent attackers from being able to take advantage of known problems or vulnerabilities (see Understanding Patches for more information).
  • Use good passwords - Choose devices that allow you to protect your information with passwords. Select passwords that will be difficult for thieves to guess, and use different passwords for different programs and devices (see Choosing and Protecting Passwords for more information). Do not choose options that allow your computer to remember your passwords.
  • Disable remote connectivity - Some PDAs and phones are equipped with wireless technologies, such as Bluetooth, that can be used to connect to other devices or computers. You should disable these features when they are not in use (see Understanding Bluetooth Technology for more information).
  • Encrypt files - Although most devices do not offer you an option to encrypt files, you may have encryption software on your PDA. If you are storing personal or corporate information, see if you have the option to encrypt the files. By encrypting files, you ensure that unauthorized people can't view data even if they can physically access it. When you use encryption, it is important to remember your passwords and passphrases; if you forget or lose them, you may lose your data.

Authors: Mindi McDowell, Matt Lytle
Produced 2005 by US-CERT, a government organization. Terms of use


Understanding Bluetooth Technology

Many electronic devices are now incorporating Bluetooth technology to allow wireless communication with other Bluetooth devices. Before using Bluetooth, it is important to understand what it is, what security risks it presents, and how to protect yourself.

 

What is Bluetooth?

Bluetooth is a technology that allows devices to communicate with each other without cables or wires. It is an electronics "standard," which means that manufacturers that want to include this feature have to incorporate specific requirements into their electronic devices. These specifications ensure that the devices can recognize and interact with other devices that use the Bluetooth technology.

Many popular manufacturers are making devices that use Bluetooth technology. These devices include mobile phones, computers, and personal digital assistants (PDAs). The Bluetooth technology relies on short-range radio frequency, and any device that incorporates the technology can communicate as long as it is within the required distance. The technology is often used to allow two different types of devices to communicate with each other. For example, you may be able to operate your computer with a wireless keyboard, use a wireless headset to talk on your mobile phone, or add an appointment to your friend's PDA calendar from your own PDA.

What are some security concerns?

Depending upon how it is configured, Bluetooth technology can be fairly secure. You can take advantage of its use of key authentication (see Understanding Digital Signatures for more information) and encryption (see Understanding Encryption for more information). Unfortunately, many Bluetooth devices rely on short numeric PIN numbers instead of more secure passwords or passphrases (see Choosing and Protecting Passwords for more information).

If someone can "discover" your Bluetooth device, he or she may be able to send you unsolicited messages or abuse your Bluetooth service, which could cause you to be charged extra fees. Worse, an attacker may be able to find a way to access or corrupt your data. One example of this type of activity is "bluesnarfing," which refers to attackers using a Bluetooth connection to steal information off of your Bluetooth device. Also, viruses or other malicious code can take advantage of Bluetooth technology to infect other devices. If you are infected, your data may be corrupted, compromised, stolen, or lost. You should also be aware of attempts to convince you to send information to someone you do not trust over a Bluetooth connection (see Avoiding Social Engineering and Phishing Attacks for more information).

How can you protect yourself?

  • Disable Bluetooth when you are not using it - Unless you are actively transferring information from one device to another, disable the technology to prevent unauthorized people from accessing it.
  • Use Bluetooth in "hidden" mode - When you do have Bluetooth enabled, make sure it is "hidden," not "discoverable." The hidden mode prevents other Bluetooth devices from recognizing your device. This does not prevent you from using your Bluetooth devices together. You can "pair" devices so that they can find each other even if they are in hidden mode. Although the devices (for example, a mobile phone and a headset) will need to be in discoverable mode to initially locate each other, once they are "paired" they will always recognize each other without needing to rediscover the connection.
  • Be careful where you use Bluetooth - Be aware of your environment when pairing devices or operating in discoverable mode. For example, if you are in a public wireless "hotspot," there is a greater risk that someone else may be able to intercept the connection (see Securing Wireless Networks for more information) than if you are in your home or your car.
  • Evaluate your security settings - Most devices offer a variety of features that you can tailor to meet your needs and requirements. However, enabling certain features may leave you more vulnerable to being attacked, so disable any unnecessary features or Bluetooth connections. Examine your settings, particularly the security settings, and select options that meet your needs without putting you at increased risk. Make sure that all of your Bluetooth connections are configured to require a secure connection.
  • Take advantage of security options - Learn what security options your Bluetooth device offers, and take advantage of features like authentication and encryption.

Authors: Mindi McDowell, Matt Lytle
Produced 2005 by US-CERT, a government organization. Terms of use


Understanding Your Computer: Operating Systems

The operating system is the most fundamental program that runs on your computer. It serves as the basis for how everything else works.

 

What is an operating system?

An operating system (OS) is the main program on a computer. It performs a variety of functions, including

  • determining what types of software you can install
  • coordinating the applications running on the computer at any given time
  • making sure that individual pieces of hardware, such as printers, keyboards, and disk drives, all communicate properly
  • allowing applications such as word processors, email clients, and web browsers, to perform tasks on the system (e.g., drawing windows on the screen, opening files, communicating on a network) and utilize other system resources (e.g., printers, disk drives)
  • reporting error messages

 

The OS also determines how you see information and perform tasks. Some operating systems utilize a graphical user interface (GUI), which presents information through pictures (icons, buttons, dialog boxes, etc.) as well as words. Other operating systems can rely solely on text.

How do you choose an operating system?

In very simplistic terms, when you choose to buy a computer, you are usually also choosing an operating system. Although you may change it, vendors typically ship computers with a particular operating system. There are multiple operating systems, each with different features and benefits, but the following three are the most common:

  • Windows - Windows, with versions including Windows Me, Windows 2000, and Windows XP, is the most common operating system for home users. It is produced by Microsoft and is typically included on machines purchased in electronics stores or from vendors such as Dell or Gateway. The Windows OS uses a GUI, which many users find more appealing and easier to use than text-based interfaces.
  • Mac OS X - Produced by Apple, Mac OS X is the operating system used on Macintosh computers. With the exception of a different GUI, it is similar to the Windows interface in the way it operates.
  • Linux and other UNIX-derived operating systems - Linux and other systems derived from the UNIX operating system are frequently utilized for specialized workstations and servers, such as web and email servers. Because they are often more difficult for general users or require specialized knowledge and skills to operate, they are not very popular with home users. However, as they continue to develop and become easier to use, they may become more popular on typical home user systems.

Authors: Mindi McDowell, Chad Dougherty
Copyright 2004 Carnegie Mellon University. Terms of use


Supplementing Passwords

Passwords are a common form of protecting information, but passwords alone may not provide adequate security. For the best protection, look for sites that have additional ways to verify your identity.

 

Why aren't passwords sufficient?

Passwords are beneficial as a first layer of protection, but they are susceptible to being guessed or intercepted by attackers. You can increase the effectiveness of your passwords by using tactics such as avoiding passwords that are based on personal information or words found in the dictionary; using a combination of numbers, special characters, and lowercase and capital letters; and not sharing your passwords with anyone else (see Choosing and Protecting Passwords for more information). However, despite your best attempts, an attacker may be able to obtain your password. If there are no additional security measures in place, the attacker may be able to access your personal, financial, or medical information.

What additional levels of security are being used?

Many organizations are beginning to use other forms of verification in addition to passwords. The following practices are becoming more and more common:

  • two-factor authentication - With two-factor authentication, you use your password in conjunction with an additional piece of information. An attacker who has managed to obtain your password can't do anything without the second component. The theory is similar to requiring two forms of identification or two keys to open a safe deposit box. However, in this case, the second component is commonly a "one use" password that is voided as soon as you use it. Even if an attacker is able to intercept the exchange, he or she will still not be able to gain access because that specific combination will not be valid again.
  • personal web certificates - Unlike the certificates used to identify web sites (see Understanding Web Site Certificates for more information), personal web certificates are used to identify individual users. A web site that uses personal web certificates relies on these certificates and the authentication process of the corresponding public/private keys to verify that you are who you claim to be (see Understanding Digital Signatures and Understanding Encryption for more information). Because information identifying you is embedded within the certificate, an additional password is unnecessary. However, you should have a password to protect your private key so that attackers can't gain access to your key and represent themselves as you. This process is similar to two-factor authentication, but it differs because the password protecting your private key is used to decrypt the information on your computer and is never sent over the network.
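The "one use" second component described under two-factor authentication above, as an added worked example that is not part of the original tip: a counter-based one-time password (HOTP, RFC 4226) with a verifier that voids a code the moment it is accepted, so a code an attacker intercepts is rejected when replayed. The Token and Verifier classes and the look-ahead window are assumptions made for this illustration; the secret is the RFC 4226 test key, not a real credential.

```python
"""Counter-based one-time password (HOTP, RFC 4226) with replay rejection.

Added example, not the tip's own code. hotp() follows the RFC; Token
(what the user carries) and Verifier (the server side) are illustrative.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return f"{code:0{digits}d}"


class Token:
    """Client side: generates the next code and advances its own counter."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0

    def next_code(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class Verifier:
    """Server side: remembers the next expected counter so a used code is never valid again."""

    def __init__(self, secret: bytes, look_ahead: int = 3) -> None:
        self.secret = secret
        self.counter = 0            # lowest counter value still acceptable
        self.look_ahead = look_ahead  # tolerate a few codes generated but never submitted

    def verify(self, password_ok: bool, code: str) -> bool:
        if not password_ok:
            return False  # first factor failed; the second is not even evaluated
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # void this code and every earlier one
                return True
        return False


SECRET = b"12345678901234567890"  # RFC 4226 Appendix D test secret (not a real credential)


def demo() -> dict:
    """Walk through one login, an attacker's replay of the same code, and a wrong password."""
    token, server = Token(SECRET), Verifier(SECRET)
    first = token.next_code()
    return {
        "first_use": server.verify(True, first),            # accepted
        "replay": server.verify(True, first),               # rejected: code is void
        "next": server.verify(True, token.next_code()),     # fresh code accepted
        "wrong_password": server.verify(False, token.next_code()),  # rejected
    }


if __name__ == "__main__":
    for step, accepted in demo().items():
        print(f"{step:15s} -> {'accepted' if accepted else 'rejected'}")
```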

What if you lose your password or certificate?

You may find yourself in a situation where you've forgotten your password or you've reformatted your computer and lost your personal web certificate. Most organizations have specific procedures for giving you access to your information in these situations. In the case of certificates, you may need to request that the organization issue you a new one. In the case of passwords, you may just need a reminder. No matter what happened, the organization needs a way to verify your identity. To do this, many organizations rely on "secret questions."

When you open a new account (email, credit card, etc.), some organizations will prompt you to provide them with the answer to a question. They may ask you this question if you contact them about forgetting your password or you request information about your account over the phone. If your answer matches the answer they have on file, they will assume that they are actually communicating with you. While the theory behind the secret question has merit, the questions commonly used ask for personal information such as mother's maiden name, social security number, date of birth, or pet's name. Because so much personal information is now available online or through other public sources, attackers may be able to discover the answers to these questions without much effort.

Realize that the secret question is really just an additional password—when setting it up, you don't have to supply the actual information as your answer. In fact, when you are asked in advance to provide an answer to this type of question that will be used to confirm your identity, dishonesty may be the best policy. Choose your answer as you would choose any other good password, store it in a secure location, and don't share it with other people (see Choosing and Protecting Passwords for more information).
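Since the tip treats the secret answer as just another password, this added example (not part of the original tip) stores the answer the way a password should be stored: normalized, salted and hashed with PBKDF2, compared in constant time, and locked after a few failed guesses because the answers are often discoverable. The `SecretQuestionGate` class, the iteration count and the attempt limit are assumptions of this example.

```python
import hashlib
import hmac
import os
import secrets
import unicodedata

ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256 work factor (assumed value for this example)


def normalize(answer: str) -> str:
    """Same canonical form at enrolment and verification: NFKC, trimmed, case-folded."""
    return unicodedata.normalize("NFKC", answer).strip().casefold()


def generate_answer(nbytes: int = 16) -> str:
    """A random answer, chosen like a password rather than a real fact about you."""
    return secrets.token_urlsafe(nbytes)


def enroll_answer(answer: str, salt: bytes = b"") -> tuple:
    """Keep only a salted hash of the answer, never the answer itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, ITERATIONS)
    return salt, digest


def verify_answer(answer: str, salt: bytes, stored: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


class SecretQuestionGate:
    """Rate-limited check: guessable answers must not be brute-forceable."""

    def __init__(self, answer: str, max_attempts: int = 3):
        self.salt, self.digest = enroll_answer(answer)
        self.failures = 0
        self.max_attempts = max_attempts

    def check(self, answer: str) -> bool:
        if self.failures >= self.max_attempts:
            return False  # locked: fall back to a stronger out-of-band identity check
        if verify_answer(answer, self.salt, self.digest):
            self.failures = 0
            return True
        self.failures += 1
        return False
```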

While the additional security practices do offer you more protection than a password alone, there is no guarantee that they are completely effective. Attackers may still be able to access your information, but increasing the level of security does make it more difficult. Be aware of these practices when choosing a bank, credit card company, or other organization that will have access to your personal information. Don't be afraid to ask what kind of security practices the organization uses.


Authors: Mindi McDowell, Chad Dougherty, Jason Rafail
Copyright 2005 Carnegie Mellon University. Terms of use

Understanding Web Site Certificates

You may have been exposed to web site, or host, certificates if you have ever clicked on the padlock in your browser or, when visiting a web site, have been presented with a dialog box claiming that there is an error with the name or date on the certificate. Understanding what these certificates are may help you protect your privacy.


What are web site certificates?

If an organization wants to have a secure web site that uses encryption, it needs to obtain a site, or host, certificate. Some steps you can take to help determine if a site uses encryption are to look for a closed padlock in the status bar at the bottom of your browser window and to look for "https:" rather than "http:" in the URL (see Protecting Your Privacy for more information). By making sure a web site encrypts your information and has a valid certificate, you can help protect yourself against attackers who create malicious sites to gather your information. You want to make sure you know where your information is going before you submit anything (see Avoiding Social Engineering and Phishing Attacks for more information).

If a web site has a valid certificate, it means that a certificate authority has taken steps to verify that the web address actually belongs to that organization. When you type a URL or follow a link to a secure web site, your browser will check the certificate for the following characteristics:

  1. the web site address matches the address on the certificate
  2. the certificate is signed by a certificate authority that the browser recognizes as a "trusted" authority


Can you trust a certificate?

The level of trust you put in a certificate is connected to how much you trust the organization and the certificate authority. If the web address matches the address on the certificate, the certificate is signed by a trusted certificate authority, and the date is valid, you can be more confident that the site you want to visit is actually the site that you are visiting. However, unless you personally verify that certificate's unique fingerprint by calling the organization directly, there is no way to be absolutely sure.

By trusting a certificate, you have trusted the certificate authority to perform this verification for you. However, it is important to realize that certificate authorities vary in how strict they are about validating all of the information in the requests and about making sure that their data is secure. By default, your browser contains a list of more than 100 trusted certificate authorities. That means that, by extension, you are trusting all of those certificate authorities to properly verify and validate the information. Before submitting any personal information, you may want to look at the certificate.

How do you check a certificate?

There are two ways to verify a web site's certificate in Internet Explorer or Mozilla. One option is to click on the padlock in the status bar of your browser window. However, your browser may not display the status bar by default. Also, attackers may be able to create malicious web sites that fake a padlock icon and display a false dialog window if you click that icon. A more secure way to find information about the certificate is to look for the certificate feature in the menu options. This information may be under the file properties or the security option within the page information. You will get a dialog box with information about the certificate, including the following:

  • who issued the certificate - You should make sure that the issuer is a legitimate, trusted certificate authority (you may see names like VeriSign, thawte, or Entrust). Some organizations also have their own certificate authorities that they use to issue certificates to internal sites such as intranets.

  • who the certificate is issued to - The certificate should be issued to the organization that owns the web site. Do not trust the certificate if the name on the certificate does not match the name of the organization or person you expect.


  • expiration date - Most certificates are issued for one or two years. One exception is the certificate for the certificate authority itself, which, because of the amount of involvement necessary to distribute the information to all of the organizations that hold its certificates, may be ten years. Be wary of organizations with certificates that are valid for longer than two years or with certificates that have expired.
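The checks a browser performs (address matches the certificate, trusted issuer) and the fields the tip says to inspect in the certificate dialog (issuer, subject, expiration, validity longer than two years), gathered into one added example that is not part of the original tip. It works on a certificate in the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns; the `check_certificate` function, the sample certificate and the trusted-issuer set are constructed here, and matching the issuer by name is a simplification of the signature-chain verification a real browser does.

```python
import ssl
import time

TWO_YEARS = 2 * 365 * 86400  # the tip's "valid for longer than two years" threshold

# Constructed sample certificate, shaped like ssl.SSLSocket.getpeercert() output.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan 10 00:00:00 2005 GMT",
    "notAfter": "Jan 10 00:00:00 2006 GMT",
}


def _hostname_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive name match; '*' may stand in for the leftmost label only."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    labels = hostname.split(".")
    return len(labels) > 2 and ".".join(labels[1:]) == pattern[2:]


def check_certificate(cert: dict, hostname: str, trusted_issuers: set, now: float = None) -> list:
    """Return the problems a browser dialog would flag; an empty list means no complaint."""
    now = time.time() if now is None else now
    problems = []
    # 1. The web site address must match a name on the certificate (SAN, else subject CN).
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]
    if not any(_hostname_matches(n, hostname) for n in names):
        problems.append("name mismatch")
    # 2. The issuer must be an authority we trust (simplified: matched by organization name).
    issuer = {k: v for rdn in cert["issuer"] for k, v in rdn}
    if issuer.get("organizationName") not in trusted_issuers:
        problems.append("issuer not trusted")
    # 3. The date must be valid, and a very long validity period is itself a warning sign.
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before or now > not_after:
        problems.append("expired or not yet valid")
    if not_after - not_before > TWO_YEARS:
        problems.append("validity period longer than two years")
    return problems
```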


When visiting a web site, you may have been presented with a dialog box that claims that there is an error with the site certificate. This may happen if the name the certificate is registered to does not match the site name, you have chosen not to trust the company who issued the certificate, or the certificate has expired. You will usually be presented with the option to examine the certificate, after which you can accept the certificate forever, accept it only for that particular visit, or choose not to accept it. The confusion is sometimes easy to resolve (perhaps the certificate was issued to a particular department within the organization rather than the name on file). If you are unsure whether the certificate is valid or question the security of the site, do not submit personal information. Even if the information is encrypted, make sure to read the organization's privacy policy first so that you know what is being done with that information (see Protecting Your Privacy for more information).


Authors: Mindi McDowell, Matt Lytle
Copyright 2005 Carnegie Mellon University. Terms of use



Benefits and Risks of Free Email Services

Although free email services are convenient for sending personal correspondence, you should not use them to send messages containing sensitive information.


What is the appeal of free email services?

Many service providers offer free email accounts (e.g., Yahoo!, Hotmail, Gmail). These email services typically provide you with a browser interface to access your mail. In addition to the monetary savings, these services often offer other benefits:

  • accessibility - Because you can access your account(s) from any computer, these services are useful if you cannot be near your computer or are in the process of relocating and do not have an ISP. Even if you are able to access your ISP-based email account remotely, being able to rely on a free email account is ideal if you are using a public computer or shared wireless hot spot and are concerned about exposing the details of your primary account.