Persona - Russ Haynal


Security and Privacy Issues for Internet Users
Russ Haynal
Internet Instructor, Speaker, and Paradigm Shaker
Ensure the Internet is an asset, not a liability for your organization
[email protected]
703-729-1757
http://navigators.com
Revision 05/2015
Note: If you send me an email, put “internet training” in the e-mail's subject
Copyright © Information Navigators
Russ Haynal
Internet Instructor & Speaker
Related page: http://navigators.com/issues.html
Course Topics
(The slide is a diagram of the course topics, numbered to match the agenda that follows; the labels and numbers that survive are listed here.)
1. Background, statistics
2. Persona
3. Network connection
4. Your PC: firewall (hardware), firewall (software), anti-virus, security testers (online and local)
5. Web server (web server logs, web bugs/trackers); web browser (cookies)
6. Email (spam, attachments)
7. Authored content (web pages, social media)
8. User actions (parental controls, encryption, passwords, offline media)
9. Updating software; Internet of Things (Smart TV, Blu-ray, thermostat)
10. Critical advice
Page 2
Security and Privacy Issues
1. Background and Statistics
2. “Persona” issues and options
3. Network connections (at work and home)
4. Firewalls, Anti-Virus, spyware
5. Web browsing issues such as cookies
6. Other applications: Email, phishing
7. Authored content and social media
8. Local options (storage, encryption, parent controls)
9. Managing all software and devices
10. Summary and Critical Advice
Online web page = http://navigators.com/issues.html
Page 3
Disclaimer
• This session illustrates a wide variety of search tools, techniques and research methods
• Consult your organization’s policies to verify if these methods are approved for your types of Internet connections
Page 4
An Opening Survey
• What type of Internet connection(s) do you have:
  - attributable (agency.gov, yourcompany.com), mis-attributable, home
• Have you researched work-related topics via your home account?
• Is there a WIFI network at work?
• Is there a WIFI network at home?
• Do you access the Internet at home without a firewall?
• Do you, or anyone in your extended family, use a genealogy program (e.g. Family Tree Maker)?
• Do you, or anyone in your family, use Facebook? LinkedIn?
• Do you receive spam email daily?
• Received phishing? (= fake request to verify your account)
• Do you know which apps in your smart phone can access your GPS?
Page 5
Why this Course…
• This course covers a variety of security and privacy issues
• Many issues apply directly to work-related Internet usage
• Some issues apply strictly to home-based Internet usage
• These issues are important from a counter-intelligence perspective
  – Minimize “leaking” of your research interests
  – Protection of your personal information and identity
• If the security of your home Internet devices is breached, you could be in a compromised/vulnerable situation
Remember: Internet = Passport to interact with foreign resources and people
Page 6
Some Statistics
Related page: http://navigators.com/privacy.html

Privacy Practices of Web Domains               Random Sample   Top 100 Popular
Collect Personally Identifiable Information          90%             96%
Places Third Party Cookies                           28%             48%
Posts Privacy Statement                              88%             98%
Displays Privacy Seal (i.e. TRUSTe, BBB)             12%             44%

Sources: www.cert.org/stats; http://www.pff.org/publications/privacyonlinefinalael.pdf; webroot.com
Page 7
Identity theft
Related page: http://navigators.com/privacy.html
15 million victims annually in the U.S.
Average loss = $3,500
100 million user records stolen (Target, Home Depot, Anthem, etc.)
• Identity theft occurs when someone has collected enough personal information about you that they can “impersonate” you
• They access your existing financial accounts, investment accounts
• They establish new accounts (checking, credit card, loans)
• They collect your personal information through traditional means – dumpster diving, scam solicitations, corrupt employee.
• Hacker gains access to your PC: account #’s, investment software, cookies, auto-complete password, and family genealogy
• Hacker gains access to your relative’s PC which has a genealogy program
• Researches Facebook and public databases
Free credit report every 12 months from each of the 3 credit bureaus.
Official site: Annualcreditreport.com or call 1-877-322-8228
Page 8
Page 9
Backbones Connecting
Related page: http://navigators.com/traceroute.html
Your Internet traffic flows through several Internet Providers
(Diagram: Client (PC) on an Enterprise LAN/WAN → regional ISP #1 → Backbone ISP-A → Exchange Point → Backbone ISP-B → regional ISP #2 → Web hosting center → Destination server. Legend: Backbone ISP, Regional ISP, Exchange Point, Large organization, Server, Client (PC).)
Page 10
Introduction to “Persona”
Related page: http://navigators.com/persona.html
As you surf the Internet, you give off a certain persona
(Diagram: the analyst’s browser goes from URL1 to URL2 across the Internet; the web server writes access logs, and the webmaster turns those logs into reports.)
• While viewing a web page (URL1), you click on a hyperlink to another web page (URL2)
• Your web browser sends “environment variables” to the web server
• Webmasters use this information to determine information about you and your organization (physical location, your interests, software)
You should always know what websites know about you
Page 11
Persona Details
Related page: http://navigators.com/persona.html
• Your persona is communicated to every web server that you visit
• You should be explicitly aware of your persona before you visit any website. For example, should you visit:
  – badguy.com from agency.gov?
Your persona is communicated via “environment variables” such as:
• REMOTE_HOST = This is the name associated with your IP number.
• REMOTE_ADDR = This is the IP number of your computer, or proxy. A webmaster could do a traceroute to see how you are connected.
• HTTP_REFERER = This is the URL of the page you were previously viewing. Be careful on how you create web pages. For example, do you want to reveal the following?:
  – http://badguy.com is listed on http://intranet.agency.gov/joe_smith/investigation_targets.html?
• Your persona may also be transmitted via embedded scripts such as ga.js and urchin.js (Google Analytics)
Page 12
A Typical Scenario...
Related page: http://navigators.com/persona.html
(Diagram: the analyst, with persona agency.gov OR town.ninja.com, hits http://searchtool.com/query=searchterms, then follows a result to a destination.com page. Both the searchtool.com webmaster and the destination.com webmaster see the visit.)
searchtool.com webmaster knows your “search terms”
destination.com webmaster knows what “search terms” you used to find them
Page 13
Always check your Persona
Related page: http://navigators.com/persona.html
Important note: This test page is most accurate when you click on a link to arrive at this page.
This is a key paragraph to look for… If this is missing, then no referring URL is being passed via http_referer.
• Several persona testers are listed at navigators.com/persona.html
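A minimal “check your persona” page of the kind these slides describe, added here as an example (it is not the tester on navigators.com): a WSGI app that echoes the request variables named above and, like the destination.com webmaster in the scenario, pulls the search terms out of a referring URL. The query-string keys in SEARCH_TERM_KEYS and the sample values in the comments are assumptions.

```python
"""Persona tester: report what a web server learns from one request.

Added example. REMOTE_ADDR, REMOTE_HOST, HTTP_REFERER and HTTP_USER_AGENT
are the standard CGI/WSGI environment names; no network lookups are made.
"""
from urllib.parse import urlsplit, parse_qs
from wsgiref.simple_server import make_server

# Query-string keys that common search tools use for the search terms
# (assumption: a real report would keep a longer, per-engine list).
SEARCH_TERM_KEYS = ("q", "query", "p", "search")


def search_terms_from_referer(referer):
    """Return the search terms embedded in a referring URL, or None.

    This is the destination.com webmaster's view from the scenario slide:
    the referrer names the search tool and carries what the visitor typed.
    """
    if not referer:
        return None
    params = parse_qs(urlsplit(referer).query)
    for key in SEARCH_TERM_KEYS:
        if params.get(key):
            return params[key][0]
    return None


def describe_persona(environ):
    """Build the persona report a web server can derive from one request."""
    referer = environ.get("HTTP_REFERER", "")
    return {
        "remote_addr": environ.get("REMOTE_ADDR", "unknown"),
        # REMOTE_HOST is only set when the server does a reverse DNS lookup;
        # a name such as "proxy7.agency.gov" would reveal the organization.
        "remote_host": environ.get("REMOTE_HOST") or "(not resolved)",
        "software": environ.get("HTTP_USER_AGENT", "unknown"),
        "referer": referer or None,
        "referer_host": urlsplit(referer).hostname if referer else None,
        "referer_passed": bool(referer),
        "search_terms": search_terms_from_referer(referer),
    }


def render_report(report):
    """Plain-text report; the 'key paragraph' appears only when a referrer arrived."""
    lines = []
    if report["referer_passed"]:
        lines.append(f"Referring URL: {report['referer']}")
        if report["search_terms"]:
            lines.append(f"  ... which contains search terms: {report['search_terms']!r}")
    else:
        lines.append("No referring URL is being passed via HTTP_REFERER.")
    lines.append(f"Your IP number (REMOTE_ADDR): {report['remote_addr']}")
    lines.append(f"Name for that IP (REMOTE_HOST): {report['remote_host']}")
    lines.append(f"Your software (User-Agent): {report['software']}")
    return "\n".join(lines)


def persona_app(environ, start_response):
    """WSGI entry point returning the report as text/plain."""
    body = render_report(describe_persona(environ)).encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8"),
                              ("Content-Length", str(len(body)))])
    return [body]


if __name__ == "__main__":
    # Run locally, then follow a link to http://127.0.0.1:8000/ from another page
    # to see the referrer arrive (open the URL directly and the key paragraph is absent).
    with make_server("127.0.0.1", 8000, persona_app) as httpd:
        httpd.serve_forever()
```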
Page 14
Think before you click...
Related page: http://navigators.com/persona.html
• Does your connection transmit a referring URL?
• IF IT DOES... do NOT “click” on your search results
(Screenshot: a search result page, http://www.google.com/query=terrorist_&start=110, labelled “Referring URL”; hover over the link to see its URL.)
• Clicking on this link will tell orgnet.com’s webmaster that you found them while searching for “terrorist”
Page 15
Google’s Cached Issues…
Related page: http://navigators.com/cached.html
Google stores the text of a cached webpage. The graphics, videos, etc. are still downloaded by your browser from the live website (the cached copy leads your browser to the live website).
To view a “text only” version of Google’s cache…
1) Cut and paste this text into your browser address bar:
   http://webcache.googleusercontent.com/search?strip=1&q=cache:
2) Add your desired address onto the end of the above string (no space), for example:
   webcache.googleusercontent.com/search?strip=1&q=cache:navigators.com/isp.html
Page 16
Anonymizers
Related page: http://navigators.com/anonymizer.html
• Anonymizers replace your persona with their persona
• Anonymizer now “knows your business”
• Webmasters may recognize anonymizer traffic
Page 17
Web Site Log Analysis
Related page: http://navigators.com/persona_connection.html
There are many standard reports that a webmaster can run
Page 18
Exposing a “less recognizable” persona
Related page: http://navigators.com/persona.html
Analyst #1: uses agency.gov persona to visit “targets”
Analyst #2: uses “ninja.com” persona to visit “targets”
Result: “ninja” persona may be recognized as “agency.gov” visitor
The “parallel visit” Problem...
(Diagram: Analyst #1 (agency.gov) and Analyst #2 (ninja.com) both visit target.com.)
Even with no http_referer, a webmaster can still make the association due to high volume hits, usage patterns, software footprint, etc.
The “portal” Problem...
(Diagram: both analysts start from agency_portal.com/page_names and follow links to target.com.)
Persona = agency.gov + referrer = portal
Persona = ninja.com + referrer = portal
Page 19
Internet Accounts, Policies, & Procedures
• There may be several different types of Internet accounts
with their own intended use, and strengths/limitations
• Some Internet usage policies always apply
• There may also be unique policies associated with each
type of account
• Policies are probably in a state of flux, as organizations
try to keep up with the ever-changing Internet and legal
environment
• Clarify these issues from within your organization
• Make sure ALL Internet users are kept aware of the latest
internet usage policies. Mistakes by a handful of users
could jeopardize your connection’s privacy, and cause
unwanted publicity for your organization
Page 20
Page 21
Internet Connection Definitions
Related page: http://navigators.com/getting_connected.html
• IP # - Internet Protocol number is allocated to you from your ISP
• Fixed IP # - the same IP number remains permanently assigned
• Dynamically assigned IP number – During a log-in/connect sequence,
an IP number is assigned to the user for the duration of that session.
Such IP numbers may be assigned from a “DHCP” Host
(Dynamic Host Configuration Protocol)
• Dial-up – only connected part-time. Dial-up accounts receive
dynamically assigned IP #’s
• Broadband – Cable/DSL/FIOS. Connected 24 X 7.
A broadband account may receive a fixed or dynamic IP #.
A dynamic IP # may persist for a very long time.
Page 22
Network Address Translation
Related page: http://navigators.com/getting_connected.html
• NAT is the translation of an IP number from one network segment into an IP number that is used on another network segment
• NAT is often used where a private network touches a public network (e.g. Internet → broadband modem → internal network)
• There are certain IP numbers reserved for use on private networks (reference: RFCs 1918, 1631)
  10.0.0.0 - 10.255.255.255
  172.16.0.0 - 172.31.255.255
  192.168.0.0 - 192.168.255.255
(Diagram: internal PCs 192.168.0.5 and 192.168.0.83 sit behind the NAT device, whose internal address is 192.168.0.1 and whose “external” address is 68.70.164.89.)
• To see your “external” IP number: “check your persona” on my web site
• To see your computer’s “local” IP number: DOS prompt → ipconfig /all
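A simulation of the NAT device in this diagram, added as an example (not code from the slides): it checks an address against the three RFC 1918 blocks and shows that two internal PCs appear to a destination server as the one external address 68.70.164.89, while an unsolicited inbound packet has no mapping and is dropped. The port numbers are constructed.

```python
"""Port-translating NAT (NAPT) as found in a home gateway router.

Added example. Addresses 192.168.0.x / 68.70.164.89 come from the slide;
ports are constructed. A real device also keys mappings on the remote
endpoint and expires them; this model keeps only the essentials.
"""
import ipaddress

# The three RFC 1918 private blocks listed on the slide.
RFC1918_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(address):
    """True if the address falls in one of the RFC 1918 blocks."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in RFC1918_NETWORKS)


class NatDevice:
    """Outbound: (inside ip, inside port) -> (external ip, mapped port).

    Inbound: only packets that match an existing mapping are forwarded;
    anything else has no inside destination and is dropped. This is why
    the slide says a gateway can protect other devices behind it.
    """

    def __init__(self, external_ip, first_port=40000):
        self.external_ip = external_ip
        self._next_port = first_port
        self._outbound = {}   # (inside_ip, inside_port) -> mapped_port
        self._inbound = {}    # mapped_port -> (inside_ip, inside_port)

    def translate_outbound(self, src_ip, src_port):
        """Return the (ip, port) a destination server will record."""
        if not is_rfc1918(src_ip):
            raise ValueError(f"{src_ip} is not a private address")
        key = (src_ip, src_port)
        if key not in self._outbound:
            mapped = self._next_port
            self._next_port += 1
            self._outbound[key] = mapped
            self._inbound[mapped] = key
        return self.external_ip, self._outbound[key]

    def translate_inbound(self, dst_port):
        """Return the inside (ip, port) for a reply, or None if unsolicited."""
        return self._inbound.get(dst_port)


def demo():
    """Two PCs from the diagram browse the same site: what does it record?"""
    nat = NatDevice("68.70.164.89")
    seen_by_server = [
        nat.translate_outbound("192.168.0.5", 51000),
        nat.translate_outbound("192.168.0.83", 51000),
    ]
    # A probe arriving at a port with no mapping is silently dropped.
    unsolicited = nat.translate_inbound(23)
    return seen_by_server, unsolicited
```

Both hits reach the server from 68.70.164.89, which is the "modem's IP number = Internet persona" point on the next slide; the web server cannot tell the two PCs apart by address alone.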
Page 23
Getting Online…
Related page: http://navigators.com/getting_connected.html
At work: Employee PCs → local routers → high speed router → ISP / Internet. Wide variety of implementations including firewalls.
Home options:
• Dial-up modem with a single PC (phone modem → ISP / Internet)
  - Temporary connection
  - Dynamically assigned IP number
• Broadband (Cable/DSL/fiber) with a single PC (broadband modem → ISP / Internet)
  - Persistent connection
  - IP number remains constant throughout “session”
• Broadband modem with multiple PCs (broadband modem → gateway router → PCs)
  - “Internet gateway router” includes extra features: DHCP and NAT to assign additional IP #’s to all computers; firewall, print server, wireless
  - Modem’s IP number = Internet persona
Page 24
A special note about wireless networks
(are you sure you can’t install a wire?)
Related page: http://navigators.com/getting_connected.html
• Remote “guests” may be able to connect into your local network
• Wireless networking standards are always evolving: 802.11b, 802.11g, 802.11n, 802.11ac
• WEP (Wired Equivalent Privacy) has a weakness in its algorithm. It can be easily compromised using free shareware. WPA/WPA2 (Wi-Fi Protected Access) adds additional security
(Diagram: broadband modem → wireless router → your PCs; the neighbor’s computer / smartphone is also within range of the wireless router.)
Comcast modems are now public WIFI hotspots!
Read the manual for your router and UPDATE the firmware
Page 25
Page 26
Personal Firewalls
Related page: http://navigators.com/firewall.html
• A firewall should monitor incoming and outgoing traffic (the Windows XP firewall was incoming only)
• Some firewalls are more secure than others
(stateful packet inspection, ICSA Certified, etc)
• Most firewalls do not protect against viruses
• All firewalls require administration (set-up configuration,
updates, granting permissions for applications)
• Change the default administrative
password included in the firewall
• Event logs – learn how to read these
• Many “alerts” come from infected
machines doing random scanning
• You can traceroute IP#’s and search
for info on port numbers
Page 27
Firewall Options
Related page: http://navigators.com/firewall.html
Firewall (hardware): broadband modem → hardware firewall → router → PCs
• Cost: <$100 to ~$500
• Additional functions available
• NAT, DHCP, email notification
• Easier for computers to locally share folders / printers
• Can protect other devices
Firewall (software): broadband modem → router → PCs, each running its own software firewall
• Cost: free to ~$50 per computer
• Each machine needs to be configured
• Firewalls may interfere with local network sharing
• What about other Internet devices?
Page 28
Testing Security / firewall
Related page: http://navigators.com/firewall.html
• There are several online websites that will scan your personal computer, looking for openings. Do not try these scanners at work.
• Some online scanners only test the well known vulnerabilities, while other test sites are more comprehensive. (There are over 65,000 different ports supported by the TCP/IP protocol)
• Most of these sites will educate you on how to close any open ports
• There are also software tools that can be installed locally into your machine to scan for problems (packet sniffers such as Wireshark).
• Do NOT assume that you are 100% invincible
Page 29
Anti-Virus Software
Related page: http://navigators.com/virus.html
• Every machine should have updated anti-virus software installed, and running
• AV software should automatically examine every incoming file (email attachment, web download, peer-to-peer download)
• AV software will occasionally scan every file on your machine for viruses
• The heart of most AV programs is a “dictionary” of pre-defined viruses which is compared to your files. The dictionary may have over 100,000 definitions.
• AV programs will also monitor certain sensitive system resources for any changes
Important: the virus definition dictionary must be updated frequently. There may be 100 new virus definitions added to the dictionary in one week.
Page 30
Security Suite ratings from PCmag.com
Related page: http://navigators.com/firewall.html
• The full table of ratings at pcmag.com contains an additional dozen programs that rated worse than those shown here
Page 31
Page 32
Web Surfing Risks
Related page: http://navigators.com/privacy_browser.html
• There are numerous concerns with web surfing
• Cookies / web bugs – track your individual movements
• Java / Active X – Executable code downloaded and
running on your machine
• Web site registrations- collect personal info, credit cards
• Social networking – sharing your information
• Pop-ups, pop-unders, fake ads
• Browser leaks – persona, referrer, plug-ins, Clipboard
• Numerous web browser settings and third party software
options, toolbars, advertisement blockers
Page 33
Cookies (= barcode on forehead)
Related page: http://navigators.com/cookies.html
(Diagram: one browser holding ad_cookies set through xyz.com, abc.com and def.com; caption: “I am not a piece of your inventory”.)
• A cookie is a piece of text stored on your computer
• Helps the web site to “recognize you” (username_greetings) and “remember” your interactions within the web site (shopping cart)
• Web site may repeatedly refer/update your cookie and its internal database on your movements
• 3rd parties may also place cookies through many web sites (advertisers, Facebook, etc)
Page 34
Are you visiting just one site?
Related page: http://navigators.com/privacy_browser.html
(Diagram: Page1.html links to Page2.html; Page2.html pulls in Logo.gif (cookies, scripts, etc.), Ad_banner.gif (cookies, etc.), Tiny_dot.gif (cookies, etc.) and facebook.gif (cookies, etc.), each from a different server.)
• Viewing a single page may cause your browser to interact with many different web servers
• Even with cookies turned off, you still make footprints on third-party web servers while retrieving their graphics
Page 35
Third Party Cookies
Related page: http://navigators.com/cookies.html
Web pages can include graphics/cookies/javascripts from “third parties”
(Diagram, reconstructed as text:)
Your cookies:
  Jokes.com    ID#_201
  loan.com     ID#_4873
  badplace.com ID#_539
  3p.com       ID#_435349
What each first-party site knows about you:
  Jokes.com: Joe_nobody, [email protected], your viewing history
  loan.com: Real_Name, [email protected], Address_phone, your viewing history
  badplace.com: Fake Name, [email protected], your viewing history
What 3p.com, embedded in all three sites, collects: all of the identities above tied together by its one cookie, plus the viewing history from every site. 3p.com buys/sells your data with its “partners”.
The “third party site” can compile an extensive profile on you, and sell this information to companies that are online and offline.
Google Analytics is embedded in 50% of the top 1 million websites
Page 36
Web Bugs and Beacons
Related page: http://navigators.com/cookies.html
• Web bugs are “hidden” graphics
• The graphic is usually a 1 x 1 pixel and is the same color as the background
• Some web privacy policies refer to web bugs as “beacons”
• www.bugnosis.org offered a free plug-in which highlighted all web bugs, showed you its cookie value, and other parameters
• Try the Firefox plug-in Ghostery
Each tiny graphic = item to be downloaded
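A simulation of the third-party cookie diagram on the previous slide and the tiny graphic described above, added as an example (not code from the slides): three first-party sites each embed tiny_dot.gif from 3p.com, and 3p.com's single cookie links the visits into one profile; with third-party cookies blocked, 3p.com still logs each hit by client address and referring page. Site names and cookie IDs are those on the slide; the client address and page paths are constructed.

```python
"""Third-party tracking through an embedded 1x1 graphic.

Added example. Each Site sees only the requests sent to it; the tracker
is special only in that it is embedded everywhere, so its one cookie
(or, failing that, the client address plus Referer) stitches visits together.
"""
from collections import defaultdict
from urllib.parse import urlsplit


class Site:
    """A web server with its own visitor log, keyed by the cookie it set."""

    def __init__(self, domain, next_id):
        self.domain = domain
        self._next_id = next_id
        self.log = defaultdict(list)   # key -> list of (referer_host, path)

    def handle(self, browser, path, referer, send_cookies=True):
        """Serve one request: set a cookie on first contact, then log the hit.

        With cookies disabled the server still records the hit under the
        client address (the 'footprints' the earlier slide mentions).
        """
        cookie = browser.cookies.get(self.domain) if send_cookies else None
        if send_cookies and cookie is None:
            cookie = f"ID#_{self._next_id}"
            self._next_id += 1
            browser.cookies[self.domain] = cookie
        key = cookie or f"addr={browser.address}"
        ref_host = urlsplit(referer).hostname if referer else None
        self.log[key].append((ref_host, path))


class Browser:
    def __init__(self, address):
        self.address = address
        self.cookies = {}             # domain -> cookie value
        self.third_party_cookies = True

    def visit(self, site, path, embedded):
        """Load a page, then fetch each embedded third-party element."""
        page_url = f"http://{site.domain}{path}"
        site.handle(self, path, referer=None)
        for third_party, element in embedded:
            # The Referer header tells the third party which page embedded it.
            third_party.handle(self, element, referer=page_url,
                               send_cookies=self.third_party_cookies)


def run_scenario(block_third_party_cookies=False):
    """Visit the three sites from the slide, each carrying 3p.com's web bug."""
    jokes = Site("jokes.com", 201)
    loan = Site("loan.com", 4873)
    bad = Site("badplace.com", 539)
    tracker = Site("3p.com", 435349)
    me = Browser("198.51.100.7")          # constructed client address
    me.third_party_cookies = not block_third_party_cookies
    me.visit(jokes, "/daily.html", [(tracker, "/tiny_dot.gif")])
    me.visit(loan, "/apply.html", [(tracker, "/tiny_dot.gif")])
    me.visit(bad, "/index.html", [(tracker, "/tiny_dot.gif")])
    return me, jokes, tracker


def profile(site, key):
    """Referring hosts a site can tie to one cookie (or one client address)."""
    return [host for host, _ in site.log.get(key, [])]
```

Blocking third-party cookies removes the persistent identifier but not the hit itself: 3p.com still learns the referring page and the client address, which for a home user behind NAT is the whole household's persona.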
Page 37
Managing Cookies
Related page: http://navigators.com/cookies.html
Browsers have several settings to control cookies: Tools → Options (or Internet options)
You can allow cookies from specific web sites, while blocking most other sites.
There are other types of cookies such as Adobe “flash cookies”.
See my web page for links: navigators.com/cookies.html
Page 38
Explore Your Web Browser Settings
Related page: http://navigators.com/privacy.html
• Internet Explorer = Tools → Internet Options
• Firefox = Tools → Options
(Screenshots: cookie settings; settings for Active X, scripts, etc.)
Page 39
Secure Web Pages
Related page: http://navigators.com/privacy_browser.html
(Screenshots: an address bar for a page that is not encrypted beside one for a page that is encrypted.)
• Webserver invokes encryption with browser on a page by page basis
• Watch for encryption whenever personal information is being transferred (username/password, credit card #, financial info, etc)
• Encryption protects the contents of page information as it is transferred between your web browser and the remote web server
• Encryption does NOT protect your data from a local keystroke logger
• Encryption does NOT protect your data after it arrives at the remote web server
• Encryption does NOT guarantee that the vendor is reputable
Page 40
Page 41
What about the other applications?
Related page: http://navigators.com/privacy_other_apps.html
• Many applications you use are “internet enabled”
• These applications carry your connection persona, and have their own set of privacy and security settings
Page 42
Email issues
Related page: http://navigators.com/privacy_other_apps.html
• Default email program settings may leave you vulnerable
• Viruses are often transmitted via address books (don’t trust any attachment – even from your friends)
• Spam – Do not reply to get “removed”
• Scams – Nigeria money scam – Give us your bank account number
• Hoaxes – $300 cookie recipe, boy brain tumor, modem tax, etc.
• Social engineering – One virus hoax email told you to search for a file and delete it... Unfortunately the file in question is a normal system file
• If it says “tell everyone you know”, it IS a hoax. To confirm if it is a hoax, simply search for part of the email using Google.
• Microsoft Outlook – Look for updates, patches and learn about settings
Page 43
Spam and Phishing
Related page: http://navigators.com/privacy_other_apps.html
Source: www.junk-o-meter.com
• For every email you receive, dozens of spam messages have been blocked by your ISP
• “Phishing” is sent to random users to get them infected or to reveal sensitive data
• “Spear-Phishing” is targeted and customized to you
• “Whaling” is targeted to your leadership
Page 44
Reading Email = Web Surfing!
Related page: http://navigators.com/privacy_other_apps.html
• Most graphics are downloaded from an online server as you view email
• The spammer now knows that you have read his email
• Ways to avoid this:
  – Disable HTML, preview options
  – Block Internet while browsing downloaded email
• Try it yourself: www.readnotify.com
Page 45
Email Architecture
Related page: http://navigators.com/email_details.html
(Diagram: Email Clients A, B and C send through Mail Servers #1 and #2 with SMTP (port 25) and retrieve with POP3 (port 110); the mail servers relay to each other with SMTP (port 25); Web Browser D reaches Web-Based Email #3 over HTTP (port 80).)
• A sent email may include the following information in its “headers”
  – IP # of YOUR PC as you send the email
  – IP # of the email server that handles your email (your ISP’s server)
  – IP # of the recipient's email server (their ISP’s server)
Page 46
Email Details
Related page: http://navigators.com/persona_email.html
(Diagram: the part of an email you normally look at:
  To: [email protected]
  From: [email protected]
  Subject: meeting agenda
  here is the body of the message. Stuff, stuff, stuff, etc.
Above it sit the headers – the mail server to mail server communications. Look at the headers too.)
• The “from” of a message is absolutely unreliable. The sender can put anything they want here.
• To see the headers, look under viewing options in your email software or web-based email
• Anti-spam web sites contain good information for identifying email
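Reading the Received: trail instead of trusting From:, as an added example (not from the slides): the relay path is rebuilt from a constructed phishing-style message (RFC 5737 documentation addresses, .example domains), and the From: domain is compared with the hosts that actually handled the message.

```python
"""Walk the Received: headers of a message to recover its relay path.

Added example. RAW_MESSAGE is constructed. Each mail server prepends its
own Received: line, so the topmost line is the hop your own server added
(trustworthy) and the bottom lines were written by servers closer to the
sender (a forger can fabricate those, but not the hops above them).
"""
import re
from email import message_from_string
from email.utils import parseaddr

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample: claims to be from bank.example, but was injected from a
# home PC (198.51.100.77) through the relay mail.freemail.example.
RAW_MESSAGE = """\
Received: from mail.freemail.example (mail.freemail.example [203.0.113.20])
    by mx.agency.example (Postfix) with ESMTP id 7F3A2
    for <joe@agency.example>; Mon, 04 May 2015 09:13:02 -0400
Received: from user-pc (c-198-51-100-77.isp.example [198.51.100.77])
    by mail.freemail.example with SMTP id 19k2
    for <joe@agency.example>; Mon, 04 May 2015 09:12:58 -0400
From: "Account Services" <security@bank.example>
To: joe@agency.example
Subject: Verify your account

Your account has been locked. Click here to verify.
"""


def relay_path(raw):
    """Return [(from_host, by_host, ip), ...] with the oldest hop first.

    The first tuple is the sender's PC and its IP number, the last is your
    own mail server: the three addresses the architecture slide lists.
    """
    msg = message_from_string(raw)
    hops = []
    for received in reversed(msg.get_all("Received", [])):
        flat = " ".join(received.split())          # unfold continuation lines
        m = re.match(r"from (\S+) .*?\bby (\S+)", flat)
        if not m:
            continue
        ip = IPV4.search(flat)
        hops.append((m.group(1), m.group(2), ip.group(1) if ip else None))
    return hops


def from_header_matches_path(raw):
    """Does the From: domain appear anywhere among the relaying hosts?

    A mismatch is not proof of forgery (legitimate mail is relayed by ISPs
    and list servers), but it is the first check to make when the From:
    line is the only reason you would trust the message.
    """
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    hosts = " ".join(h for hop in relay_path(raw) for h in hop[:2]).lower()
    return bool(domain) and domain in hosts
```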
Page 47
Other applications
Related page: http://navigators.com/privacy_other_apps.html
• Most forms of peer- to - peer programs may reveal your
specific IP number (file sharing, chat rooms, Instant
messenger, etc)
• Peer- to- peer programs can be configured to share the
contents of your hard disk
• Some free programs include piggy-back programs
• Some programs include spyware, which monitor your
usage of their product
• Trojans , viruses – Once they are in your system, they can
be used to collect personal information
(This is why you want a 2-way firewall)
Page 48
Look for the options / settings
Related page: http://navigators.com/privacy_other_apps.html
• Homework: Examine every application on your PC which is “internet aware”; you need to explore through every preference / option menu
• Your firewall settings are WORTHLESS if your 12-year-old enables your entire hard disk to be shared with everyone who also uses that chat program, music swapper, etc.
Page 49
Piggy Back Applications (Spyware, Adware)
Related page: http://navigators.com/privacy_other_apps.html
• Some free programs include piggy-back programs (they provide revenue to the free program)
• For example: a stealth p2p network application is bundled with Kazaa
  – Buried in the user agreement:
  – "You hereby grant “Brilliant” the right to access and use the unused computing power and storage space on your computer/s and/or Internet access or bandwidth for the aggregation of content and use in distributed computing,"
• “Brilliant” now has the keys to your computer
• 150 million copies of Kazaa had been downloaded
• How hard would it be for a hacker to also access these capabilities?
• Programs such as Spyware Doctor, Ad-Aware, “Spybot Search and Destroy”, can be used to identify & remove such programs.
Page 50
Page 51
Authoring issues
If you author any content, here are some concerns:
• Mailing lists – If you post a message to a mailing list… Do you know who else is on that list? Is there an archive of that list’s messages?
• Blogs such as Facebook – Assume that your content will be archived and shared with a very large audience
• Web pages – Your HTML authoring program may embed your full name into an HTML meta-tag. The software “knows” your name from the first day when you installed the program. (This is also true of most other programs such as Word, PowerPoint)
• Web-based email – includes IP number of workstation
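A pre-publication check for the meta-tag leak described above, added as an example (not from the slides): it lists, and then removes, `<meta>` tags whose names authoring programs fill in from the installed user's identity or the product name. The SAMPLE_HTML document and the IDENTITY_META list are constructed assumptions.

```python
"""Find and strip identity-revealing <meta> tags before a page goes online.

Added example. SAMPLE_HTML imitates the head that an office suite's
"Save as Web Page" writes; the tag names in IDENTITY_META are an
assumption and not an exhaustive list.
"""
from html.parser import HTMLParser

# Meta names that authoring tools fill in from the registered user or product.
IDENTITY_META = {"author", "generator", "progid", "originator",
                 "dc.creator", "company"}

SAMPLE_HTML = """\
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name=Generator content="Microsoft Word 15 (constructed sample)">
<meta name=Author content="Joe Smith">
<meta name=ProgId content=Word.Document>
<title>Investigation notes</title>
</head><body><p>Hello</p></body></html>
"""


class MetaAudit(HTMLParser):
    """Collect <meta> tags whose name is in IDENTITY_META."""

    def __init__(self):
        super().__init__()
        self.findings = []   # list of (meta name, content)

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        name = a.get("name", "").lower()
        if name in IDENTITY_META:
            self.findings.append((name, a.get("content", "").strip()))


def audit_html(text):
    """Return [(meta name, content), ...] for the tags that should be reviewed."""
    parser = MetaAudit()
    parser.feed(text)
    parser.close()
    return parser.findings


def strip_identity_meta(text):
    """Return the HTML with every flagged <meta> tag removed.

    Generated documents put each <meta> tag on its own line (assumption),
    so dropping the lines that audit positive is enough here.
    """
    kept = [line for line in text.splitlines(keepends=True) if not audit_html(line)]
    return "".join(kept)
```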
Page 52
Facebook must be managed…
• Information you (or your kids) post can assist with identity theft: (birthdate, home town, name of high school, dog’s name, etc)
• Are your co-workers also Facebook friends? 8 of your friends have college degrees in “International Relations” and their kids go to Langley High School…
• Facebook privacy controls are splintered into many different sections and layers. New features are usually defaulted to “everyone”. You have to keep changing them to “friends only”
• Try these tests:
  – Make a new “fake person” at Facebook, and see how much of your information (and your kid’s) can be seen by “everyone”
  – Make “fake person #2” at Facebook, make them a friend to one of your friends/relatives, and see how much of your information (and your kid’s) can be seen by this “friend of friend”
Facebook tracks you across many websites
Facebook has been “experimenting” on users
Page 53
Archive copies
Related page: http://navigators.com/persona_example.html
(Diagram: the web.archive.org robot collects copies of pages from web servers; the user PC browses the archive’s user interface and retrieves a recent copy or an older copied web page.)
• Archive.org robot collects web pages like other search engines
• Previous web page copies are not deleted
• Surf through previous copies of a web site
• Deleting sensitive information from today’s web server does not remove it from archive.org
• “document not found”? – Paste the address into archive.org
• Viewing archived web pages will cause hits to live target website
Page 54
Local Set-up options
Related page: http://navigators.com/privacy.html
• Consider using encryption at home to protect personal data. For example, encrypted file systems are now standard in Windows.
• Some applications offer encryption schemes for files (quicken),
but these are not very secure. There are numerous “cracker”
programs which will easily break these open.
• Require passwords for access to computers or internet access
• Create multiple user accounts (even for yourself)
• Physical security of computer
Page 55
Consider Offline Storage
Related page: http://navigators.com/privacy.html
$400+ : A second PC without a network connection. You can use a KVM switch to run this PC to your existing keyboard/monitor
$350 : an extra notebook computer
~$100 : Second hard disk – can be external, or internal with a lock key to switch disks
Removable media – optical or magnetic storage
USB flash drive – some include encryption
Where will you store the offline media?
Page 56
Consider Alternatives
• Switch away from Microsoft products
• Alternative products may be more secure, or less
targeted by hackers.
• Browsers
• Email Clients
• Operating Systems
Page 57
If it connects to the Internet, it must be updated
Related page: http://navigators.com/update.html
All Programs → Windows Update
• Computers / laptops: Windows Vista, 7, 8; Mac OS X
• Microsoft Office
• Browser (Firefox, Chrome) plug-ins, Java, Flash, PDF Acrobat
• Other software: security suite, Skype
• Tablet / cell phone: Android, Apple iOS, apps
• Network devices – modem (yours or ISP’s)
• Router updates. Printer, network attached storage.
• “Internet of Things” – Xbox, Wii, PlayStation, DVR, Roku, Smart TV, Blu-ray/DVD player, stereo, alarm system, fitness devices, cameras, smart watch, home automation – thermostat, switches, refrigerator, car, kids’ toys.
Page 58
Worst case considerations
• Read through your cookies - what if a clever website
were able to copy all of your cookies?
• Look at the content of your hard drive - what if a clever
website were able to copy a directory listing, or
individual files?
• If your research requires you to visit “exotic places” you
should use a “sacrificial machine” - which has a very
“bland identity”
• On the “sacrificial machine”, never use personalized
sites (gmail, amazon, local restaurant, etc)
Page 59
Public Terminals
• Public terminals = Library, Kinkos, Hotel Lobby, Cyber
Café, etc
• Is there any kind of consistent “administration” to
guarantee the integrity of these computers?
For a public terminal, you should always
assume that the machine has been
compromised, and that a “keystroke logger”
is quietly capturing all keystrokes
( usernames, passwords, credit cards, etc)
Page 60
Future
Related page: http://navigators.com/privacy.html
• Biometric scanner – finger, face recognition, voice, eye
• Other devices leaking information – cell phone/GPS…
• Much personal information is in databases: phone number, map, county taxes, DMV, court records, supermarket purchases, credit card company, phone company records, etc.
• Proposed law would give copyright owners the right to hack into your PC
• Patent filed by Verizon to use microphone and cameras in your house to customize ads sent to your TV/phone/tablet
(Photo: fingerprint scanner as USB accessory or built into a notebook)
Page 61
Final Advice
Related page: http://navigators.com/advice.html
• Always be self-aware of your persona
• Know what policies apply to you
• Email = attack path to your organization
• Go HOME – make backups (just in case)
• Update operating system
• Update security suite software
• Update all other software from modem → smart watch
• Explore “options” menus in all programs
• Keep notes of all changes
Page 62
Parent Options
Related page: http://navigators.com/parentguide.html
Your Options:
• Do nothing…
• Separate computers / user accounts
• Time constraints on when access is available
• Move computer screen to a visible location
• Cell phone charger in kitchen overnight
• Install parent control software
  – Blacklists, vs. logs
  – Monitoring web vs monitoring everything (key logger)
• Know what applications are being installed and how they are configured (bit torrent, hotmail – email filter options, etc)
• Talk to child – show them how they can be tracked
  – email articles to them about online predator cases.
• Next, what about the neighbor’s computer where your child goes instead?
• What happens when the child moves out? Have they learned how to take care of themselves online?
Page 63