Documente Academic
Documente Profesional
Documente Cultură
Table of Contents
1. Introduction..................................................................................................................5 1.1 Cyber Security Awareness..................................................................................5 1.2 Importance of Cyber Security...........................................................................5 2. Computer Ethics..........................................................................................................6 2.1 Definition of Computer Ethics............................................................................6 2.2 Internet Ethics for everyone................................................................................6 2.3 Ethical rules for computer users.........................................................................8 2.4 Scenarios................................................................................................................8 3. Understanding Internet..............................................................................................9 3.1 World Wide Web (WWW)....................................................................................9 3.2 Usage of Internet................................................................................................10 3.3 Features of Internet ...........................................................................................10 3.4 Benefits of Internet ............................................................................................11 3.5 Privacy Issues.......................................................................................................12 3.6 Peer To Peer (P2P) Networking........................................................................13 4. Search Engines and Web Browsers........................................................................17 4.1 Usage of search engines..................................................................................17 4.2 Internet Browser(s) Security .............................................................................17 4.3. Risks towards web browser..............................................................................19 4.4 How to secure your web browser?.................................................................20 5. Filtering services.........................................................................................................27 5.1 Filtering Services in web browser.....................................................................27 5.2 Parental Control Bars.........................................................................................28 5.3 Procedure for installing Parental control toolbar.........................................30 5.4 Changing the parental control settings in the parental control toolbar 37
5.5 k9 web protection..............................................................................................40 K9 also offers:.............................................................................................................40 5.6 Spam filter............................................................................................................42 6. Internet Mediated Communication......................................................................43 6.1 e-Mail Security ....................................................................................................43 6.2 Instant Messaging..............................................................................................47 7. Social Networking.....................................................................................................49 7.1 Tips to avoid risks by social networking .........................................................49 8. Social Engineering.....................................................................................................51 8.1 What is Social Engineering?.............................................................................51 8.2 How do they do this?.........................................................................................51 8.3 Social Engineering can be done in many ways..........................................52 8.4 How do you avoid being a victim?................................................................54 8.5 What do you do if you think you are a victim?............................................55 9. Online Games and Computer Games.................................................................56 9.1 About online games..........................................................................................56 9.2. Things to be noted while downloading the games...................................56 9.3. Risks Involved......................................................................................................56 9.4 Guidelines............................................................................................................57 10. Safe Downloading..................................................................................................59 10.1 Safe Downloading and uploading...............................................................59 10.2 Risks by insecure downloads.........................................................................59 10.3 Tips for Safety downloads...............................................................................60 11. Blogging....................................................................................................................62 11.1Types of blogs....................................................................................................62 11.2 Risks involved in blogging ..............................................................................63
11.3 Tips to avoid risks by blogging ......................................................................63 11.4 Guidance for Parents on Blogging...............................................................63 12. Cyber Bullying..........................................................................................................65 12.1 Harassment and bullying................................................................................65 12.2 Cyber bullying can be done in the following ways..................................65 12.3 Tips and guidelines...........................................................................................66 13. Online Threats and Tips .........................................................................................68 13.1 Protect children from online threats.............................................................68 13.2 Most common online Threats.........................................................................69 13.3 Online Banking..................................................................................................71 13. 4 Online Shopping..............................................................................................73 13.5 Identity Theft......................................................................................................74 13.6 Tab napping......................................................................................................74 13.7 Clickjacking ......................................................................................................76 14. Wireless Network......................................................................................................79 14.1 What is a Wireless Network?...........................................................................79 14.2 Risks of using Unsecured Wi-Fi Network........................................................80 14.3 Tips for Wireless Home Network Security......................................................80 15. Mobile Security........................................................................................................85 15.1 Security Concerns............................................................................................85 15.2 Guidelines for securing mobile devices.......................................................87 16. Data Security............................................................................................................89 16.1 Importance of securing data........................................................................89 16.2 Securing data by disposal..............................................................................91 17. Physical Security......................................................................................................92 17.1 Computer locks................................................................................................92
17.2 BIOS Security......................................................................................................92 17.3 In Organizations................................................................................................93 18. Safe Practices..........................................................................................................95 18.1 Operating System Security.............................................................................95 18.1.2 Guidelines for securing the operating System........................................95 18.2 Password Security Policy ................................................................................97 19. Virus Protection and Cleaner Tools....................................................................102 19.1 Windows Based Tools....................................................................................102 19.2 Linux Based Tools............................................................................................104 20 . Lockdown, Auditing and Intrusion Detection Tools.......................................105 20.1 OS Lockdown Tools........................................................................................105 20.2 URL Scan Based Tools....................................................................................106 20.3 Web Server Lockdown Tools........................................................................108 21.Security Assessment Tools.....................................................................................111 21.1 Assessment Of OS Security Levels...............................................................111 21.2 Assessment Of Database Security Levels..................................................117 21.3 Assessment of Application Security............................................................118 22.1 Security Update Solution Tools (Windows)................................................120 22.2 Windows Desktop Firewall Settings.............................................................120 23. Security Update Detection Tools.......................................................................126 23.1 MBSA.................................................................................................................126 23.2 Microsoft Office Visio 2007 Connector......................................................126 24. IT ACT 127 24.1 Salient Feature of IT Act 2000 127 24.2 IT Act Section 67 (A,B,C) .. 128 24.3 IT (Amendment Act) 2008 Act Section 66 (A,B,C,D,E,F). 129
1. Introduction
1.1 Cyber Security Awareness
Cyber Security needs have to be addressed at all levels, from the individual user to an organization and beyond that to the government and the nation. Cyber Security is becoming synonymous with National Security as Computer Networking, which is vulnerable to Cyber attack and forms the backbone of critical infrastructure of the country's banking, power, communication network, etc... It is, therefore, important to have secure Computer Systems and Networks. Also, increased focus on outsourcing of IT and other services from developed countries is bringing the issue of data security to the fore. Furthermore, owing to the massive Internet boom, a lot of home users with little or no prior knowledge of the threats and their countermeasures are exposed to the Internet. This, the attackers, can exploit to expand their base of malicious activity and use innocent people for their schemes. Consequently, we aim to spread the education to school children, teachers, parents and senior citizens and equip them with the knowledge needed to mitigate the threat. Looking at the growing importance of the Cyber Security, Department of Electronics and Information Technology, Ministry of Communications and Information Technology, Government of India has formulated and initiated the Information Security Education and Awareness (ISEA) programme. One of the activities under this programme is to widely generate information security awareness to children, home users and non-IT professionals in a planned manner.
2. Computer Ethics
2.1 Definition of Computer Ethics
Ethics are a set of moral principles that govern an individual or a group on what is acceptable behaviour while using a computer. Computer ethics is a set of moral principles that govern the usage of computers. One of the common issues of computer ethics is violation of copyright issues. Duplicating copyrighted content without the authors approval, accessing personal information of others are some of the examples that violate ethical principles.
2.2.1 Acceptance
One has to accept that Internet is not a value free-zone.It means World Wide Web is not a waste wild web it is a place where values are considered in the broadest sense so we must take care while shaping content and services and we should recognize that Internet is not apart from universal society but it is a primary component of it.
2.2.7 Supervision
You should know what children are doing on the Internet and the sites they visit on the Internet and should check with whom they are communicating.Restrict them browsing inappropriate sites. Parental involvement is essential when a child is using the Internet in order to make him follow the rules.
requirements of writing for different audiences, the purpose of particular content, identifying and judging accuracy and reliability. Since many sites adopt particular views about issues, the Internet is a useful tool for developing the skills of distinguishing fact from opinion and exploring subjectivity and objectivity.
2.4 Scenarios
2.4.1 Scene 1
Ravi asked kishore if he could look at the essay written by him, He said sure and didnt think much about it. After some days their essays were verified by the class teacher who asked kishore to stay after class. The teacher pointed out that their essays were similar and asked for an explanation. So always teach and guide children not to copy content or information from Internet or from classmates.
2.4.2 Scene 2
Vicky has stepped out from the computer lab without logging off. Bob sits on Vickys computer, logs-in as Vicky, sends false e-mail messages to a number of students and posts similar messages on the class newsgroup. So teach children that they must never misuse others computers and e-mail IDs to harm others and defame them.
3. Understanding Internet
There are different definitions for Internet but the meaning is the same as shown below Def 1: The series of interconnected network allowing communication of data surrounded by millions of computers worldwide. Def 2: A global communication network that allows computers worldwide to connect and exchange information. Def 3: A worldwide system of computer network, a network of networks in which users at any one computer can get information from any other computer. The word Internet exactly means network of networks. The Internet consists of thousands of smaller regional networks spread throughout the world. It connects approximately 80 million users in Asian countries on any given day. The Internet is referred as a physical part of the global network. It is a giant collection of cables and computers. No one owns the Internet, though there are companies that help out to manage different parts of the networks that tie everything together, there is no single governing body that controls what happens on the Internet. The networks within different countries sponsor the finance and manage according to the local procedure.
10
3.3.2 Architecture
The architecture of Internet is most ever communication network designed. The failure of individual computers or networks will not affect its overall reliability. The information will not change or destroy over time or while transferring in between sites.
11
12
In todays Internet communications scenario, the personal data is valuable and protecting the same has become a skill that the children need to understand and learn. The privacy of children can be compromised in certain online activities: Filling forms for various surveys, contests, downloading games on commercial or free web sites. Giving details about personal information when registering for e-mail access, Chat access. Providing information when registering for free game downloads. Providing information when registering for social networking web sites.
3.5.1 Privacy
Some websites prompt students to complete a form revealing their name, e-Mail address, age and gender, and sometimes even their telephone number and postal address, in order to access information. Some requests are legitimate: much depends on the nature of the website requesting the information. Providing personal information online can result in a student being targeted for spam (unsolicited e-Mail), advertising materials and/or viruses. Privacy issues also apply to students developing personal websites and publishing online. Personal details, including photographs of themselves or other students, may lead to the information being captured and reused by others for illicit purposes.
13
Moreover, these P2P programs may also contain viruses and worms, which prevent users computers from functioning properly.
The main advantage of peer to peer network is that it is easier to set up In peer-to-peer networks all nodes are act as server as well as client therefore no need of dedicated server. The peer to peer network is less expensive. Peer to peer network is easier to set up and use this means that you can spend less time in the configuration and implementation of peer to peer network. It is not require for the peer to peer network to use the dedicated server computer. Any computer on the network can function as both a network server and a user workstation.
14
Disadvantages: A computer can be accessed anytime. Network security has to be applied to each computer separately. Backup has to be performed on each computer separately. No centralized server is available to manage and control the access of data. Users have to use separate passwords on each computer in the network. As with most network systems, unsecure and unsigned codes may allow remote access to files on a victim's computer or even compromise the entire network Example of Peer to peer networks is torrents There are a LOT of risks involved with torrent downloads. The most dangerous being: Virus, Trojan, Worm, Keylogger program attachments. IP signature tattlers Torrents have become an increasingly popular way to download files. No matter what you are looking for, from audio to video to applications, torrents are an easy way to find and download. However, most torrents are illegal and nature and you are breaking the law by downloading them. Peer-to-peer file sharing pretty much began with torrents. They are a type of file sharing protocol specializing in larger file downloads. The way torrents are encoded make it easier to download a large file, and even reputable resources are beginning to use them to make downloading files easier for users. Torrent downloads are basically downloading from multiple personal computer systems, simultaneously, and combining data at the end to form the file you were looking for. Problem is, that it's WAY too easy to attach things to these files, and they just get swept into this whirlwind of information, broken apart and can easily invade your system after they're reconstructed INSIDE YOUR COMPUTER, behind your firewall. After that it's just whether or not you have a good virus scanner that can detect it. IP tattlers are a pain too, in that once you download something and activate it for the first time, it sends information to the watcher program containing the IP address of the computer you were using and where it was downloaded from. These watchers are paid by software development companies to bust people downloading non-free-to-play software. 3 things you should always do before opening ANYTHING you download from torrent: 1) Download from a remote source. Like a cyber cafe or another free wifi zone. Watchers can't find you if you download remotely, it will only send information of the place you downloaded from.
15
2) Download the file to a safe area of your computer, something not highly active, or into a quarantine file monitored by your antivirus program. 3) Wait 48hrs before opening any program you download from torrent, and run antivirus software scans on it before you do. Most viruses are discovered within the first 48hrs of it's release, and you need to wait till your antivirus program receives definition updates, so that you can combat it before it attacks you. Better to let it happen to someone else first. Source: http://hubpages.com/hub/torrent-sites-overview https://torrentprivacy.com/ http://www.techfuels.com/general-networking/10266-advantages-peer-peernetworks.html http://www.ucertify.com/article/what-are-the-advantages-and-disadvantages-of-apeer-to-peer-network.html http://www.techsoup.org/learningcenter/networks/page4774.cfm
16
The URL represents http://www.infosecawareness.in Each URL is divided into different sections as shown below http:// In short, http means the hypertext transfer protocol and the file is a web page and every time you dont need to type the http, it is automatically inserted by the browser.
17
www World Wide Web infosecawareness site name .in It is one of the domains name, which is basically a country name. Other domain names are .com (commercial organization), .net (network domain) etc. (The organization address and location of the organization address are known as the domain name). co.in suffix or global domain name shows the type of organization address and the origin of the country like the suffix co.in indicates a company in India. Generally a web browser connects to the web server and retrieves the information.Each web server contains the IP address, and once you are connected to the web server by using http, it reads the hyper text mark-up language (HTML) which is a language used to create document on World Wide Web in which the same document is displayed in the web browser . In short, a browser is an application that provides a way to look at and interact with all the information on the World Wide Web.
18
19
There is an increased fear of threat from software attacks which may take advantage of vulnerable web browsers. Some softwares of a web browser like Javascript, Active X, etc may also cause vulnerabilities to the computer system. So it is important to enable security features in the web browser you use which will minimize the risk to the computer. Web browsers are frequently updated. Depending upon the software, features and options may change. It is therefore recommended to use the updated web browser.
20
Tracking Protection: which limits the browser's communication with certain websitesdetermined by a Tracking Protection Listto help keep your information private. SmartScreen Filter: It can help protect you from online phishing attacks, fraud, and spoofed or malicious websites. It also scans download, and then warns you about possible malware (malicious software). InPrivate Browsing: You can use to browse the web without saving related data, such as cookies and temporary Internet files. ActiveX Filtering option of Internet Explorer 9 I used to protect your computer from risky and unreliable ActiveX Control. Report unsafe website: A reported unsafe website has been confirmed by reputable sources as fraudulent or linking to malicious software and has been reported to Microsoft. Microsoft recommends you do not give any information to such websites. Cross site scripting (XSS) filter: It can help to prevent attacks from fraudulent websites that might attempt to steal your personal and financial information. To block all cookies 1. In Internet Explorer, click the Tools button, click Internet Options, and then click the Privacy tab. 2. Move the slider up to Block All Cookies. On this setting, websites will not be able to store cookies on your computer.
21
From the tools menu of the firefox browser select the options and then click on the security tab. Under security tab enable the options like warn me when sites try to install the add-ons in and to add or remove the sites click on the exception tab and add or remove the sites you want. Enable the option tell me if the site Im visiting is a suspected attack site. Enable the option tell me if the site I am using is a suspected forgery Firefox gets a fresh update of web forgery sites 48 times in a day, so if you try to visit a fraudulent site thats pretending to be a site you trust a browser prompts you message and will stop you. Disable the option remember passwords for sites Firefox integrated the feature into your surfing experience. Choose to remember site passwords without intrusive pop-ups. Now youll see the remember password notification integrated into your view at the top of the site page and if you choose the never remember passwords for sites it will not show any notification. In Firefox web browser select Tools options select content enable Block pop-up windows as shown below
Anti-Virus Software Firefox integrates elegantly with your Windows anti-virus software. When you download a file, your computers antivirus program automatically checks it to protect you against viruses and other malware, which could otherwise attack your computer. The other feature is automated updates this lets us to find the security
Cyber Security HandBook CDAC Hyderabad & NIELIT 22
issues and fix updates and make the safe surfing and receive automatic notification or wait until you are ready. Firefox protects you from viruses, worms, trojan horses, and spyware delivered over the Web. If you accidentally access an attack site, it will warn you away from the site and tell you why it isnt safe to use. Site Identity Button: The Site Identity Button is in the Location bar to the left of the web address. When viewing a website, the Site Identity Button will display in one of three colors - gray, blue, or green. Clicking on the Site Identity Button will display security information about the website, with a matching gray, blue, or green "Passport Officer" icon. Gray: No Identity Information Blue: Basic Identity Information Green: Complete Identity Information Privacy settings in a firefox control the level of examination youd like Firefox to give a site and enter exceptionssites that dont need the third degree. Customize settings for, cookies, Remembering passwords, downloads and History storage as shown below
23
any traces like cookies after you close the incognito window any files you download or bookmarks will be preserved. Chrome there is a new feature that it has an own Task Manager that shows you how much memory and CPU usage each tab and plugin is using. You can open it by clicking Shift-Esc from within Chrome or place the cursor on window and right click and select the Task Manager. You can get more details by clicking the Stats for nerds link which is on the Task Manager and it will open a page with full details of memory and CPU usage for each process within the browser. It is used to close a bad process in one tab and wont kill your whole browser session. The one of the feature of chrome is dynamic tabs here you can drag tabs out of the browser to create new windows, gather multiple tabs into one window or arrange your tabs however you wish and it becomes quickly and easily to login into the desired sites i.e. reopen the closed sites. The safe browsing feature in the Google Chrome displays the warning if the web address listed in the certificate doesn't match the address of the website .The following are the steps for a safe browsing setting in a Google Chorme.
From the settings tab select the options and click on the under the hood. Under privacy enable the option show suggestions for navigation error.
24
Enable the option use a suggestion service to help complete searches and URLS typed in the address bar. Enable DNS pre-fetching to improve page load performance. Enable the phishing and malware protection. In Google Chrome web browser Select Tools options Select under the hood Under cookies select the Restrict how third party cookies can be used only first-party cookie information is sent to the website. Third-party cookie information isn't sent back to the websites that originally set the third-party cookies as shown below
Under minor tweaks enable the enable the never save passwords. Under computer wide SSL settings enable the option use SSL 2.0 From the page menu select the create application shortcuts, this is used if you want some websites to be viewed regularly and you may want to create applications shortcuts for the desired web sites that can be placed on your desktop, start menu or quick launch menu so you can choose any one of these options after creating if you double click on the shortcut icon on the desktop or start menu, the websites opens in a special window that doesnt display tabs, buttons, address bar or menus. Many of the browser functions are available instead in the dropdown menu that appears when you click the page logo in the upperright corner of the window. If you click a link that takes you to a different website, the link opens in a standard Google Chrome window so you won't lose track of your website.
25
26
5. Filtering services
5.1 Filtering Services in web browser
The content filtering over the Internet sometimes called parental controls, these are used to block any access to offensive websites. It is not guaranteed but it can be very helpful.
27
In Google search engine there is option for a safe search filtering Click on preference or search preferences Safe search filtering Select desired option
In Yahoo search engine there is option for a safe search filtering Click on Advanced Select desired option
Remember none of these filtering features are 100 % accurate- and some unsuitable content may still slip through. It is important to teach your children to surf the web safely and take time to explore the Internet with them.
28
Enforce time limits to child Internet activity set by parent. Block access to materials (pictures) identified as inappropriate for kids. Monitor your childs activity on the Internet by storing names of sites and/or snapshots of material seen by your child on the computer for you to view later. Set different restrictions for each family member. Limit results of an Internet search to content appropriate for kids.
5.2.1.2 Firefox Browser in Windows There are many Firefox addons or extensions, which we can download from
https://addons.mozilla.org/en-US/firefox/search?q=parental+control&cat=all
Some of the products/addons for Firefox 5.2.1.3 Glubble for Families Glubble allows you to create a private family page where you can monitor and support your childrens online activities. Glubble provides games, chat, safe surfing, and a Family Photo Timeline service for uploading, storing, and sharing your photos online. Glubble integrates Ask for Kids, a safe search engine for children.
29
https://addons.mozilla.org/firefox/addon/5881
5.2.1.4 ProCon filters Web page content by using a list of inappropriate words and replacing them with asterisks (***). Note that the bad word filter does not block websites containing the words; you must add the website to a Blacklist. ProCon can also block all traffic, making sure that only desired websites (set in the Whitelist) can be accessed. You can manage "white" and "black" lists of sites and pages. ProCon also has password protection in order to keep others from changing the settings 5.2.1.5 ProCon Latte In addition to Firefox extensions, there are many third-party software packages that can filter content through your operating system or at the point where your network connects to the Internet. Available: https://addons.mozilla.org/firefox/addon/1803
2. After double clicking, it will ask to close any other browser windows. Click OK button.
30
4. The wizard asks for the parental control password which will be used to manage parental control settings.
5. Type the password and enter a question which will be used as a hint when you forget the password typed earlier. Be sure that your child doesnt know the answer for the question.
31
6. Type the e-Mail address, to which the parental password will be sent and click Next.
7. Next the installation starts by taking appropriate files from the website and completes with in a few minutes.
32
8. The parental control bar will be added to the Internet Explorer browser as shown above
9. Below shows the parent button showing that the browser is acting in parent mode.
10. Type the website that you want to block for children and click the button Block this site.
33
12. After entering the password and clicking OK. A window opens telling that the site is blocked.
34
13. Whenever child wants to browse the website, the browser should be in child mode. So click parent mode button, so that the browser is changed to child mode. Then the parent control toolbar appears as shown below telling that child safe mode is now active.
14. Click ok. 15. When the child wants to browse the blocked site, it asks for the password to open the site which is shown as below.
35
16. Now if the child wants to view the website without entering password, an error occurs like this.
36
5.4 Changing the parental control settings in the parental control toolbar
1. To change settings for allowing and blocking websites, click the 'change parental settings'.
2. After clicking change parental settings, a window opens and asks for the parent control password.
3. Type the password and click ok. After that a window opens like this.
4. You can add sites in the allowed list by clicking the allowed site list tab.
37
5. Type the website that you want to allow and click allow button as shown below.
6. You can also add sites in the blocked list by clicking blocked site list.
7. Type the website that you want to block and click block button as shown in the below figure.
8. You can also filter some type of contents by clicking basic site filters tab.
38
9. The following window appears after click the Basic site filters tab.
39
11. You can also block other types of sites by checking the block button.
K9 also offers:
Real-time malware protection Blue Coat WebFilter helps identify and block illegal or undesirable content in real time, including malware-infected sites. You also benefit from the WebPulse cloud service, a growing community of more than 62 million users who provide more than six billion real-time Web content ratings per day. Automatic content ratings New Web sites and pages are created every
40
minute, and no one person can possibly rate or categorize all of them. To ensure protection against new or previously unrated Web sites, Blue Coats patentpending Dynamic Real-Time Rating (DRTR) technology automatically determines the category of an unrated Web page, and allows or blocks it according to your specifications. Continuous protection that wont slow down your computer Caching is the method your Web browser uses to save frequently used data, which increases efficiency by reducing the amount of information requested over the Internet. K9 uses Blue Coats unique caching technology, so your Internet experience is always as fast as possible.
41
42
43
In the figure shown above, Client 1 has an account in the mail server 1 and Client 2 has an account in mail server 2. When Client 1 sends a mail to Client 2, first the mail goes to the SMTP server of mail server 1. Here the SMTP server divides the receiver address into two parts username and domain name. For example, if SMTP server receives user1@example.com as the receivers address.It will separate into user1, which is a mail account in destination mail server and example.com which is the domain name of destination mail server. Now with the help of the domain name it will request particular IP address of the recipients mail server, and then it will send the message to mail server 2 by connecting to its SMTP server. Than SMTP server of Mail Server 2 stores the message in Client2 mailbox with the help of POP3 in mail server 2. When the client 2 opens his mailbox, he can view the mail sent by client 1.
44
6.1.3 Possible threats through e-Mail and guidelines for handling eMails safely
e-Mails are just like postcards from which the information can be viewed by anyone. When a mail is transferred from one mail server to another mail server there are various stops at which there is a possibility of unauthorized users trying to view the information or modify it. Since a backup is maintained for an e-Mail server all the messages will be stored in the form of clear text though it has been deleted from your mailbox. Hence there is a chance of viewing the information by the people who are maintaining backups. So it is not advisable to send personal information through e-Mails. Say you have won a lottery of million dollars, Getting or receiving such kind of mails is a great thing, and really its the happiest thing. However these mails may not be true.By responding to such a kind of mails many people lost huge amount of money. So ignore such kind of e-Mails, do not participate in it and consider it as a scam. Sometimes e-Mails offering free gifts and asking personal informa are received from unknown addresses.This is one way to trap your personal information. One way of stealing the password is standing behind an individual and looking over their password while they are typing it or searching for the papers where they have written the password. Another way of stealing the password is by guessing. Hackers try all possible combinations with the help of personal information of an individual. When there are large numbers of combinations of passwords the hackers use fast processors and some software tools to crack the password. This method of cracking password is known as Brute force attack. Hackers also try all the possible words in a dictionary to crack the password with the help of some software tools. This is called a dictionary attack. Generally spammers or hackers try to steal e-Mail address and send malicious software or code through attachments, fake e-Mails, and spam and also try to collect your personal information. 6.1.3.1 Attachments Sometimes attachments come with e-mails and may contain executable code like macros, .EXE files and ZIPPED files. Sometimes attachments come with double extensions like attachment.exe.doc.By opening or executing such attachments malicious code may downloaded into your system and can infect your system. Tip: Always scan the attachments before you open them.
Cyber Security HandBook CDAC Hyderabad & NIELIT 45
6.1.3.2 Fake e-Mails Sometimes e-Mails are received with fake e-mail services@facebook.com by an attachment named, Facebook_Password_4cf91.zip and includes the file Facebook_Password_4cf91exe" that, the e-mail claims, contains the user's new Facebook password. When a user downloads the file, it could cause a mess on their computer and which can be infected with malicious software. address like
Tip: Always check and confirm from where the e-mail has been received, generally service people will never ask or provide your password to change. 6.1.3.3 Spam e-Mails Spam messages may trouble you by filling your inbox or your e-mail database. Spam involves identical messages sent to various recipients by e-Mail. Sometimes spam e-mails come with advertisements and may contain a virus. By opening such e-Mails, your system can be infected and your e-Mail ID is listed in spammers list. Tip: It is always recommended to ignore or delete spam e-mails. 6.1.3.4 e-Mails offering free gifts Sometimes e-Mails are targeted at you by; unknown users by offering gifts, lottery, prizes, which might be free of cost, and this may ask your personal information for accepting the free gift or may ask money to claim lottery and prizes it is one way to trap your personal information. Tip: Always ignore free gifts offered from unknown users. 6.1.3.5 Hoaxes Hoax is an attempt to make the person believe something which is false as true. It is also defined as an attempt to deliberately spread fear, doubt among the users.
46
6.1.4.2 Ignore e-mails from strangers Avoid opening attachments coming from strangers, since they may contain a virus along with the received message. Be careful while downloading attachments from e-Mails into your hard disk. Scan the attachment with updated antivirus software before saving it.
your contact list and can communicate until the person is online .There are many instant service providers like AOL, Yahoo messenger, Google Talk and many more.
48
7. Social Networking
Social networking means grouping of individuals into specific groups, like small communities. Social networking is used to meet Internet users, to gather and share information or experiences about any number of topics, developing friendships, or to start a professional relationship. (Or)A simple Social Networking site is where different people keeping different information related to any particular thing at one place.For example Orkut, Facebook, etc. Through social networking there are many advantages like we can get into any kind of groups based on our hobbies, business, schools and many more, it is a different communication tool to keep in touch with friends and colleagues. Apart from all these advantages there are disadvantages like based on these communication tools, sites can be trapped by scammers or any hackers so it is very important to protect yourself. These social networking sites are very popular with young people. They expose them to risks they have always faced online but in a new forum: online bullying, disclosure of private information, cyberstalking, access to age-inappropriate content and, at the most extreme, online grooming and child abuse. For adults, who are also using these sites in greater numbers, there are serious risks too. They include loss of privacy and identity theft. Adults too can be victims of cyber-bullying and stalking.
49
privacy settings according to whom you want to allow seeing your information. Be careful if you want to meet social networking friends in person, it may not be true identity posted on a web site. Think before you meet. If you are going to meet then do it in a public place during the day.
50
8. Social Engineering
8.1 What is Social Engineering?
Social Engineering is an approach to gain access to information through misrepresentation. It is the conscious manipulation of people to obtain information without realizing that a security breach is occurring. It may take the form of impersonation via telephone or in person and through email. Some emails entice the recipient into opening an attachment that activates a virus or malicious program in to your computer. Careless talking is one of the reasons for social engineering Careless talking about business, the office, home, personal and the people and discussing with those who not authorized to talk, and also gives the sensitive information indirectly to someone who may use it for a specific reason such as breaking into your computer, your organization details etc.
51
8.3.2 Technical
Vishing It is one of the methods of social engineering over the telephone system, most often using features facilitated by Voice over IP (VoIP), to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and phishing. Tip: Dont give any financial information to unknown people over phone, confirm to whom you are speaking and cross check with the concern company or bank before giving any information Phishing Phishing is a type of deception designed to steal your valuable personal data, such as credit card numbers, passwords, account data and or other information. The attackers have become more sophisticated and also their phishing e-mail
52
messages and pop-up windows. They often include official looking logos from real organizations and other identifying information taken directly from legitimate Web sites. Tip: If you think you've received a phishing email message, do not respond to it. And dont even click on the links you received from the unknown users.
53
Hoaxing A Hoax is an attempt to trap people into believing that something false is real. This is usually aimed at a single victim and is made for illicit financial or material gain a hoax is often perpetrated as a practical joke, to cause embarrassment. Tip: Beware dont believe the e-mails received from unknown and dont ever give the financial information. Pretexting Pretexting is the act of creating and using an imaginary scenario to engage a targeted victim in a manner that increases the chance the victim will reveal information or do actions that would be unlikely in ordinary circumstances. It is more than a simple lie. Tip: Be cautious because strangers try to fool you by creating false situation and make you to believe in order to collect the confidential information.
54
Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic. Take advantage of any anti-phishing features offered by your email client and web browser.
55
56
Virus and worms may enter a system when you try to download or install a game on your computer. These viruses or worms may be hidden in the files you download. Malicious software takes advantage of the websites associated with online games that rely on chat, e-mail to entice you to visit the bogus web sites that contain malicious software installs in your computer, then they use the software for various criminal purpose. Some times because of the insecure game coding, the game software causes buggy behaviour on your computer and introduces unknown vulnerabilities. Sometimes strangers try to gain access to unprotected computers connected to Internet while online play and contact the children by pretending to be another child and trap to gather the personal information . Malicious individuals may try to trick you installing or downloading the games that might be bogus web sites and offer software patches for game downloading, in reality they are malicious software. Malicious individual can gather information about you from the profiles you create in online games and other gaming web sites, they may be able to use it to establish accounts in your name, resell it, or use it to access your existing accounts. Game accounts were created in their name without their knowledge. There was speculation that people were trying to make money selling virtual weapons and abilities used in the game.
9.4 Guidelines
Create a family e-Mail address for signing up for online games. Screenshots: If anything bad happens while playing online games, take a screen shot using the "print screen" button on the keyboard of those displayed things on the screen and report it to the concerned web site ad use the screen shot as evidence. Use antivirus and antispyware programs. Be cautious about opening files attached to e-Mail messages or instant messages. Verify the authenticity and security of downloaded files and new software. Configure your web browsers securely. Use a firewall.
57
Set up your user profile to include appropriate language and game content for someone your age. Set time limits for children. Never download software and games from unknown websites. Beware of clicking links, images and pop ups in the web sites as they may contain a virus and harm the computer. Never give personal information over the Internet while downloading games. Some free games may contain a virus, so be cautious and refer while downloading them. Create and use strong passwords. Patch and update your application software
58
59
Malicious software can be installed without your knowledge, or it can be bundled with a program, link or software you would like to download. For example, you would like to download a game from the untrusted website then with out your knowledge malicious software can be downloaded. Some time malware spreads itself by sending e-mail from an infected computer to every e-mail address it finds. Mostly these malware spread through e-mails
Never download any files like music, video, games and many more from untrusted sites and dont go by the recommendations given by your friends or made by any random website's comments. Check that the URLs are same and always download games, music or videos from the secure websites like which use HTTPS websites instead of HTTP. In the web address, it replaces http to https. The https refers to the hypertext transfer protocol secure. Download anything only from thrust worthy websites. Dont click links to download anything you see on unauthorized sites.
60
If any dirty words appear on the website just close the window no matter how important it is, because spyware may be installed on your PC from such websites. Check the size of the file before you download, sometimes it shows a very small size but after you click it increases the size of the file. Never believe anything which says click on this link and your computer settings will be changed and your PC can be turned into XBOX and can play unlimited games on your computer. Dont accept anything that offers you free download because that may contain malicious software. Dont click the link or file and let it start download automatically, download the file and save where you want save and then run on the application. Set secure browser settings before you download anything.
Read carefully before you click on install or run application. That means read terms and conditions. Dont download anything until you know complete information of the website and know whether it is an original site of an original company.
Never download from the links that offer free antivirus or anti spyware software, always download from trusted sites, if you are not sure about the site you are downloading, enter the site into favourite search engine to see anyone posted or reported that it contains unwanted technologies.
61
11. Blogging
A web blog is a Web site that consists of a series of entries arranged in reverse chronological order, often updated on frequently with new information about particular topics. The information can be written by the site owner, gathered from other Web sites or other sources, or contributed by users. A web blog may consist of the recorded ideas of an individual (a sort of diary)
11.1Types of blogs
There are many different types in content and the way content is delivered or written
Personal blogs Corporate and organizational blogs Genre blogs Media type blogs By Device blogs Different blog sites are used for a different purpose of communication.
11.1.4 Media type blogs (vlog, linklog, photoblog) are used for sharing the
videos called vlogs, for sharing the links called linklogs and for sharing the photos called photoblog.
11.1.5 By the device (mobile phone, PDA, wearable wireless webcam) are
used to write the blogs through the mobile device like mobile phones or PDA called moblog.
62
63
11.5 Scenario
Like many of her friends, Alice has a blog. However, unlike her friends, she keeps its location secret. She doesnt link to anyone elses blog, and she doesnt comment on other blogs using her blog identity. Somehow, though, Bob finds out the URL for Alices blog and adds it to the friends list on his blog. Word spreads, and soon everyone has read Alices blog. Unfortunately, she has used her blog to criticize most everyone she knows, including other students, teachers, and her parents. Everyone is furious with her. So always guide your children not to blog anything related personal information about family and guide them how to use the blogs and advantages of blogs and make them understand that blogs are not used to criticize others.
64
65
12.2.6 Sending threatening e-mails and pictures through e-mail or mobile to hurt another
Children may send hateful or threatening messages to other kids, without realizing that while not said in real life, unkind or threatening messages are hurtful and very serious.
66
Educate students by conducting various workshops from an internal or external expert to discuss related issues in cyber bullying, good online behaviour and other information security issues. Moreover keep related posters in school.
67
68
The boundaries you set and the kind of conversations you have with your children will depend on their age and technical ability as well as your judgement as parents. These factors will change as they grow up and should be reconsidered regularly.
69
Sometimes you receive an e-Mail like you won a lottery of million dollars receiving such a kind of mails is a great thing, and really its a happiest thing. By responding to such a kind of mails huge amount of money will be lost. Because these e-Mails are not true, scammers try to fool and trap you to obtain money. Online Auction If you bid for a product you never get the product promised or dont match the product, and the description given to you may be incomplete, wrong, or fake. The scammer accepts the bid from one person and goes for some other sites where they can get less than the winning bid so scammers may not send the product you wanted. Forwarding Product or Shipping Scam When ever you answer an online advertisement for a letter or e-mail manager like some US based corporation which lacks address or bank details and needs someone to take goods and sent to their address or ship overseas, and you are asked to accept the transfers into your bank. Generally, it happens for products that are purchased using stolen credit cards and shipped to your address and then you will be fooled and asked to reship the product to others they might have deceived who reship the product overseas. The stolen money will be transferred to your account. E-Mail Scam Like --Congratulations you have won Webcam, Digital Camera, etc. Sometimes you get an e-mail with a message like -- you have won something special like digital camera webcam , all you need to do is just visit our web site by clicking the link given below and provide your debit or credit card details to cover shipping and managing costs. However the item never arrives but after some days the charges will be shown on your bank account and you will lose money. By e-mails Generally, fraudsters send you an e-mail with tempting offers of easy access to a large sum of money and ask you to send scanned copies of personal documents like your address proof, passport details and ask you to deposit an advance fee for a bank account. So once you deposit the funds, they take money and stop further communication, leaving you with nothing in return.
70
Unscrupulous Websites for Income Tax Refund Generally, websites feel like official websites and seek the details of credit card, CVV PIN of ATM and other personal details of the taxpayers in the name of crediting income tax refund through electronic mode.
71
check their balance each and every day by just logging into their account. They can catch the discrepancies in the account and can act on it immediately. Link Manipulation Most methods of phishing use some form of technical deception designed to make a link in an e-mail (and the spoofed website it leads to) appear to belong to the spoofed organization. Misspelled URLs or the use of sub domains are common tricks used by phishers. In the following example URL, http://www.yourbank.example.com/, it appears as though the URL will take you to the Attacker Database of the your bank website; actually this URL points to the "yourbank" (i.e. phishing) section of the Attacker Database website. Filter Evasion Phishers have used images instead of text to make it harder for anti-phishing filters to detect text commonly used in phishing e-mails. Malware attacks Example: Clampi Virus Targets Users at Banks and Credit Card Sites Keeping up with the latest Web security threats is a daunting task, because viruses and Trojans emerge, evolve, and spread at an alarming rate. While some infections like Nine Ball, Conficker, and Gumblar have hit the scene and immediately become the scourge of the cyber security world, others take their time -- quietly infiltrating more and more computers before revealing the true depth of the danger they pose. One such slow grower is Clampi, a Trojan that made its debut as early as 2007 (depending on who you ask) but is only now raising hairs outside professional security circles. Clampi primarily spreads via malicious sites designed to dispense malware, but it's also been spotted on legitimate sites that have been hacked to host malicious links and ads. Using these methods, Clampi has infected as many as half a million computers, Joe Stewart, of Secure Works, told a crowd at the Black Hat Security Conference in July, USA Today reports. Once installed on a PC, the Trojan quietly waits for you to visit a credit card or banking Web site. When it detects you're on one of the roughly 4,600 financial Web sites it's trained to watch, it records your username and password, and feeds that information back to the criminals. Clampi can even watch for network login information, allowing it to spread quickly through networked PCs (e.g.,
72
those in an office). In fact, it seems that businesses have been the primary target of Clampi so far. According to the Times Online, in July, an auto parts shop in Georgia was robbed of $75,000 when criminals stole online banking information using Clampi. The Trojan was also used to infiltrate computers for a public school district in Oklahoma and submit $150,000 in fake payroll payments.
73
people never send such e-Mails. If you receive such immediately call the merchant and inform the same.
e-Mails
74
Until now phishing has involved sending hoax emails in an attempt to steal your usernames, passwords and bank details. Often the sender will claim to be from your bank and will ask you to verify your bank details by clicking on a link contained in the email. The link actually directs you to a fake website which looks just like your bank's own website. Once you have typed in your login details they can be accessed by the criminals who set the fake site up. But were beginning to wise up to phishing attacks like this, and many of us know we should be very wary of clicking URLs even if they appear to be in a legitimate email. With awareness of phishing on the up, making it more difficult for scammers to succeed, tab napping could be the scam to watch out for next. Tab napping is more sophisticated than the phishing scams weve seen so far, and it no longer relies on persuading you to click on a dodgy link. Instead it targets internet users who open lots of tabs on their browser at the same time (for example, by pressing CTRL + T).
75
Even if you have already logged into your bank account before opening another tab, when you return you might find youre being asked to login again. This may not necessarily rouse any suspicion since you might simply assume your bank has logged you out because you left your account inactive for too long. You probably wont even think twice before logging in for a second time. But this time round you have accidently inputted your security details into a fraudsters fake page which have been sent back to their server. Once you have done so, you can then be easily redirected to your banks genuine website since you never actually logged out in the first place,giving you the impression that all is well.
13.7 Clickjacking
Clickjacking is a malicious technique of tricking Web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous Web pages. A vulnerability across a variety of browsers and platforms, a clickjacking takes the form of embedded code or script that can execute without the user's knowledge, such as clicking on a button that appears to perform another function. Clickjacking is possible because seemingly harmless features of HTML Web pages can be employed to perform unexpected actions.
76
A clickjacked page tricks a user into performing undesired actions by clicking on a concealed link. On a clickjacked page, the attackers show a set of dummy buttons, then load another page over it in a transparent layer. The users think that they are clicking the visible buttons, while they are actually performing actions on the hidden page. The hidden page may be an authentic page, and therefore the attackers can trick users into performing actions which the users never intended to do and there is no way of tracing such actions later, as the user was genuinely authenticated on the other page. More on : http://en.wikipedia.org/wiki/Clickjacking
77
78
They use 802.11 networking standards, which come in several flavors: 802.11a transmits at 5 GHz and can move up to 54 megabits of data per second. 802.11b is the slowest and least expen-sive standard. 802.11b transmits in the 2.4 GHz frequency band of the radio spectrum. 802.11g transmits at 2.4 GHz like 802.11b, but it's a lot faster -- it can handle up to 54 megabits of data per second. 802.11n is the newest standard that is widely available. This standard signifi-cantly improves speed and range.
79
80
2. Turn on (Compatible) WPA / WEP En-cryption All Wi-Fi equipment supports some form of encryption. Encryption is the conversion of data into a scrambled form that cannot be easily understood by unauthorized people. Several encryption technologies exist for Wi-Fi today. Wired Equivalent Encryption (WEP), an old encryption standard is claimed to be broken within few seconds, even using a complex passphrase. It is a weak encryption means that it can be easily broken within manage-able time i.e., few seconds or minutes.
Since there are security issues in using WEP, Wi-Fi Alliance introduced a standard for network authentication and encryption. WPA (Wi-Fi protected Access) is one of the several popular standards for wireless security. WPA delivers a higher level of security that further beyond anything that WEP can offer.
81
3. Disable SSID Broadcast In Wi-Fi networking, the SSID is broadcasted by the wireless access points or routers at regular intervals. This feature was designed for businesses and mobile devices where Wi-Fi clients may roam from one place to other. SSID broadcast feature is not so useful in home Wi-Fi network. To improve the security, SSID broadcast security feature should be disabled. Configuring the wireless clients manually to the access point with right SSID, they no longer require these broadcast messages.
4. Change the Default SSID Service Set Identifier (SSID) is a network name that is used by access point and routers. The same SSID set is used by the manufacturers for shipping their products. For example, the SSID for Linksys devices in general is Linksys. Knowing the SSID may not be the cause to hack into network, but the default SSID suggests that the network is poorly configured and much more likely to attack it. When configuring wireless network security, change the default SSID.
82
Every Wi-Fi device possesses a unique identifier known as Media Access Control (MAC) Address or physical address. Routers or Access points maintains MAC addresses of all devices that connect to them. To restrict the network access to allow only connections from the devices, many of the products offer the administrator of the access point or router to store the MAC addresses of their devices. But this is not as powerful as hackers and their software programs can fake MAC addresses.
6. Enable Firewalls on Each Computer and the Router Make sure that the routers firewall is turned on. Most of the network routers have built in firewall capability. It is an option to enable or disable the feature. Along with the firewall at the router side, also install and configure personal firewall software on each computer connected to the router. The security features in the firewall include blocking anonymous internet requests, browsing unwanted websites, protecting from malware and spyware. And also define the security policies so that the unwanted and anonymous connections are restricted. 7. Turn off the Network during Extended Periods of Non-Use An access point or a router keeps on emitting signals if it powered on. To restrict the network to full extent, the ultimate in wireless security measures is to shut down the access point or router. While impractical to turn off and on the devices frequently, at least consider doing so during travel or extended periods offline. Computer disk drives have been known to suffer from power cycle wear-and-tear, but this is a secondary concern for broadband modems and routers. 8. Position the Router or Access Point Safely Wireless signals are not bound to physical boundaries. The signals from the wireless router can go beyond office building or cross the gate of one's house and can enter into neighbor's house. Most wireless routers have a signal range of 100 feet. If this signal range can be imagined as a sphere with wireless router as center, the signal can be accessed form any direction up to 100 feet. It becomes easier to others to find the wireless network and attempt to access it.
83
When installing a wireless home network, the position of the access point or router determines its reach. Try to position these devices near the center of the home rather than near windows to minimize leakage. Signal becomes weak depending upon the distance it travels and the material it passes through such as walls, metal, etc. Aluminum foil can also be used at the windows or doors to reduce the strength of signal. 9. Do Not Auto-Connect to Open Wi-Fi Networks To automatically connect a computer to any available open wireless network without any notification, most computers or devices provide a setting that will connect a computer automatically. But the risk involved is that there may be some dummy access points designed to catch unsuspected users and hack the connected computers. And configuring access point to accept credentials are must, otherwise any unauthorized persons can access access-point without username and password. 10. Assign Static IP Addresses to Devices DHCP (Dynamic Host Configuration Protocol) is used to assign network configuration information to the connecting devices dynamically. So there is no need to configure the networks settings manually because of DHCP. This is used for convenience as the manual configuration of the network settings is reduced. But at the same time, the attackers can use this feature to automatically connect to the network by getting the network settings readily configured and can access the network. To avoid this use the static IP addresses to the devices to connect to the wireless network.
84
85