Personal Privacy and Security in an On-Line World


by Michael Chesbro - Date: 2007-07-01 - Word Count: 3459

Recognizing The Risks

The world-wide-web is literally a world-wide community offering numerous advantages, such as international commerce and communication, vast amounts of stored information, and the ability to have almost instant contact with people in every corner of the developed world. But with all the benefits and advantages offered by the Internet and the world-wide-web, there are also some significant threats and vulnerabilities of which everyone should be aware.

While you're surfing the web, exchanging e-mail with your friends and business associates, downloading games, music, and video files, shopping on-line, and generally enjoying your computer and Internet connection, there is a world of attackers just waiting to take over your system. Hackers are scanning for computers connected to the Internet so they can snoop through their content or simply take over the computer for their own purposes. Disreputable businesses are installing "ad-ware" and "spy-ware" on your computer to track your on-line habits and purchases, all without your knowledge or permission. Criminals are releasing computer viruses, worms, and Trojan horses to disrupt and destroy computer systems, while other criminals are flooding your e-mail inbox with unsolicited bulk e-mail (commonly called SPAM) or attempting to trick you into providing them with your personal and financial information so they can steal your identity and plunder your bank account.

These threats to our on-line security and privacy are certainly real and should be a serious concern to anyone who uses a computer and accesses the Internet. Just as we take certain security precautions in the physical world (such as locking our doors) to keep ourselves safe from criminals, there are security precautions that should be taken in the "cyber-world" to protect ourselves from criminals there as well.

Computer Viruses, Worms, and Trojan Horses

Regardless of the type of computer you use or what you use your computer for, the first step in ensuring your privacy on-line is to protect your computer from computer viruses, worms, and Trojan horses.

Virus - A computer virus is a self-replicating program that attaches itself to other programs on a computer system. The virus spreads to other nodes in a network when the host program is transferred to an unaffected computer. One of the first viruses was "Elk Cloner" written and released in 1982 by Richard Skrenta. Elk Cloner affected "Apple DOS 3.3". Although Skrenta claimed that the virus was released as a joke, it was a malicious program that disrupted game software to which it was attached. One of the first viruses to affect personal computers (PC) was "Brain", created by Basit and Amjad Farooq Alvi in Lahore, Pakistan. "Brain" disrupted the boot sector of floppy disks and displayed a message giving contact information in Pakistan where one could pay to receive a program to remove the virus.

Worm - A worm is a self-replicating program that sends copies of itself to other nodes in the network. Unlike computer viruses, a worm does not need to attach itself to another program or application to spread. One of the first computer worms to spread by the Internet was the "Morris Worm" created by Robert Morris at Cornell University and released onto the Internet on 2 November 1988. The worm continually replicated itself, often infecting a single computer multiple times, slowing the system down and consuming bandwidth and system resources.

Trojan Horse - A Trojan horse is a program that contains a separate hidden program or function that installs a program onto your computer, without the knowledge or intent of the operator. An example of a Trojan horse would be a game which you want to install on your computer, which hides a separate program to copy your address book and e-mail a message to everyone contained therein.

Computer viruses, worms, and Trojan horses all have a potentially critical effect on any computer or network they infect. Protecting yourself from these threats requires that you install the latest version of a quality anti-virus program, and that thereafter you keep the program updated. There are various anti-virus programs available, and which one you use is somewhat a matter of personal preference. My personal preference is for Symantec Corporation's Norton Anti-Virus (http://www.symantec.com/home_homeoffice/products/index.jsp), which I believe to be the best anti-virus currently available. Another major anti-virus program is provided by McAfee Corporation (http://us.mcafee.com/root/store.asp). If you are strapped for cash you can still get anti-virus protection by downloading a freeware anti-virus program from AVG Anti-Virus (http://www.grisoft.com/doc/products-avg-anti-virus-free-edition/ww/crp/0). Microsoft Corporation also offers a free on-line scan at: http://www.microsoft.com/athome/security/default.mspx. Another source for a free on-line scan of your system and the purchase of anti-virus software is from "Stop Sign" and http://www.stop-sign.com/.

No matter which anti-virus program you choose, this is the first and perhaps most important step in protecting your computer from attackers.

When it comes to defending against computer viruses, worms, and Trojan horses, any of the above listed products, along with many other reputable and quality anti-virus programs, will protect your computer from becoming infected. Once you have installed anti-virus software on your system, the protection is fairly automated, but you must be certain to keep the software updated, to run it frequently, and to respond to any warnings it gives of a potential infection of your system. With most anti-virus software you can set it to run checks on a pre-programmed schedule and respond automatically to detected threats. At an absolute minimum you should update your anti-virus definitions and run a full-system scan at least weekly. Scanning your system every day of course simply improves your security.

Spyware & Adware

Having taken steps to protect our computer system against viruses, worms, and Trojan horses by installing quality anti-virus software, one might assume that the majority of the on-line threat has been mitigated, but that assumption overlooks the threat of spyware and adware.

Spyware is a program that is installed on a computer, usually without the knowledge or permission of the computer owner, which gathers personal information about the user of the computer. This personal information ranges from tracking what web-sites are visited, to attempts to record passwords, credit card numbers and similar information to be used for criminal purposes.

Adware is a program which displays advertising of some type whether or not the computer user has consented to the display of the advertisement. Adware may be installed surreptitiously, or may be consented to by the computer user as a condition of obtaining some other product (i.e. ad supported software).

Spyware and surreptitiously installed adware are a problem not just for the information they gather, but because spyware and adware programs use computer resources and degrade the function of the computer on which they reside. Spyware and adware programs can also frequently cause operating errors or complete system crashes. According to the Webroot Software Spyware Education Center (http://www.webroot.com/resources/spywareinfo/) and quoted in Wikipedia "As of 2006, spyware has become one of the preeminent security threats to computer systems running Microsoft Windows operating systems. In an estimate based on customer-sent scan logs, Webroot Software, makers of Spy Sweeper, said that 9 out of 10 computers connected to the Internet are infected." (http://en.wikipedia.org/wiki/Spyware). The Webroot Software Spyware Education Center further reports that some form of spyware can be found on 87% of corporate PCs, and that 86% of U.S. adult Internet users believe that spyware on their computers has caused them to suffer a monetary loss (2005).

Just as you scan your computer for viruses, you should also scan your computer for adware and spyware. By using programs such as Ad-Aware (http://www.lavasoftusa.com/) or Spybot Search and Destroy (http://www.safer-networking.org/) you can scan your computer for these programs and remove them from your system.

E-mail Privacy - Digital Certificates & Encryption

When sending an e-mail many people assume that they have some degree of privacy in their communication, perhaps equating an e-mail as similar to a pen and paper letter sent through the postal service. Unfortunately an e-mail is much more like a postcard than a letter, its content being visible to everyone who handles it. Worse yet in the case of e-mail is that copies of e-mail are made and stored as the message travels from sender to recipient.

To secure your e-mail from prying eyes it is necessary to ensure that it is only intelligible to the sender and the intended recipient. This method of ensuring that a message can only be read by its intended recipient is called encryption, and we will look at various ways to accomplish this.

Digital Certificates - Digital certificates can do many things, but for our purposes we will look at them for the purpose of signing and encrypting our e-mail communications. For a digital certificate to work there must be a "root key certificate" and your personal digital certificate stored on the computer you are using. To encrypt a message to another person you must also have a copy of the "public key" portion of their digital certificate on your computer.

Root key certificates for major certificate authorities may already be stored on your computer. To see what digital certificates are on your system (assuming you are using IE and MS Outlook / Express): open your email and click on the "Tools" menu and then on the "Options" menu. Then click on the "Security" tab, and the "Digital IDs..." button. This will let you see what digital certificates are stored on your computer.

If you don't have a digital certificate listed under "Personal" certificates you will need to get one. One of the major certificate authorities is Thawte. Thawte offers a free personal digital certificate, which will allow you to sign and encrypt your e-mail at: http://www.thawte.com/secure-email/personal-email-certificates/index.html

Another source for a free personal digital certificate is from WildID.com at http://www.wildid.com/. While WildID is a much smaller company than Thawte, the certificates work in the same manner. The only difference is that WildID certificates expire every 30 days while Thawte certificates expire annually. For securing your e-mail communication among a small group of friends and associates, the WildID certificate is a good place to start, while Thawte gives the recognition of a well established and trusted certificate authority.

Once you and those with whom you wish to communicate have digital certificates installed on your computers, securing your e-mail is as simple as clicking the "encrypt" button. You can even set your e-mail to automatically encrypt all of your out-going messages. This default setting to always encrypt works well if everyone (or at least almost everyone) you send e-mail to has a digital certificate. If you try to send encrypted e-mail to someone who does not have a digital certificate you will receive a warning that the message cannot be encrypted and you will be given the option to send the e-mail unencrypted.

To obtain a copy of someone else's certificate so that you can send them encrypted e-mail they only need send you a message signed by their own digital certificate. This will provide you with the public key portion of their certificate and allow you to encrypt messages using their digital certificate thereafter.

Encryption Software - To keep your e-mail private it should be encrypted. The unofficial standard for e-mail security on the Internet has been PGP (Pretty Good Privacy), a security and encryption program created by Phil Zimmermann and released to the public back in 1991. You can download your free copy of PGP from the PGP International site at (http://www.pgpi.org/). The commercial version of PGP is available from PGP.Com (http://www.pgp.com).

To use PGP you and everyone you want to communicate securely with must have PGP software installed on their computers. Once PGP is installed, you next exchange public key certificates with those you want to communicate securely with (much like exchanging keys with a digital certificate) and then you can encrypt and decrypt messages to and from that person. As an example of PGP encryption, the above paragraph encrypted with PGP looks like this:

-----BEGIN PGP MESSAGE-----
Version: PGP 8.0qANQR1DDDQQJAwKXTDltvGx3RGDJwCyT7QWWQYdVz1DmMaQ3ND665+Li9MZvdhxuUSwK88UbuhygUzfDG46lQFW0Zg1UAV7woAjxswapWkbsPK/soC+ZqvabnjYAUUCLAC84/TG/VlhMNcRsIzhGzRC/pYBiCit4abb1rvpK6fpng1m4Zeod5x369HtZAIci4ENosyUrDr68pGqmX/By5q25lfhuKigTPmenDpGSrQJA0pRZqulQiCe0uGp1ajYflOMliOHKCZDeHCptoUnRyUG2E/2y7Qm+PRbUEefshmHtW0itFvxfTY84lSt2+fYo3uL2RZGgw0QJ/u7tcVPApzmB9g===DoAs
-----END PGP MESSAGE-----

A more portable method of encryption is available in the public domain from Fourmilab Switzerland at http://www.fourmilab.ch/javascrypt/. This encryption program implements AES (the advanced encryption standard) through JavaScript, thereby making it functional on most any platform and operating system.

The JavaScript encryption can be run easily from a CD, Flash-Drive, or Floppy Disk, making it portable and able to be run from any computer that is capable of running JavaScript - which means just about any current personal computer. Unlike the asymmetric (or public-key) encryption used in PGP, the JavaScript encryption program uses symmetric encryption which means that you must arrange a password with the recipient of your messages in advance of sending them.
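
The point about arranging a password in advance can be seen in the following added example, which is not part of the original article and is not the Fourmilab program's own code or message format. It assumes Node.js and its built-in crypto module, with scrypt key derivation and AES-256-GCM chosen here for illustration; the function names, envelope layout and sample message are constructed.

```javascript
// Added example: password-based symmetric encryption. Both parties must
// already know the same password; nothing else is exchanged in advance.
const crypto = require('crypto');

// Derive a 256-bit AES key from the shared password. The random salt
// travels with the message so the recipient can derive the same key.
function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}

// Envelope layout (constructed for this example):
//   16-byte salt | 12-byte IV | 16-byte GCM tag | ciphertext, base64-encoded
function encryptMessage(password, plaintext) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), body]).toString('base64');
}

function decryptMessage(password, envelope) {
  const raw = Buffer.from(envelope, 'base64');
  if (raw.length < 44) throw new Error('envelope too short');
  const salt = raw.subarray(0, 16);
  const iv = raw.subarray(16, 28);
  const tag = raw.subarray(28, 44);
  const body = raw.subarray(44);
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  decipher.setAuthTag(tag);
  // final() throws if the password is wrong or the message was altered.
  return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
}

// Returns the plaintext, or null when the password is wrong or the
// envelope has been modified in transit.
function tryDecrypt(password, envelope) {
  try {
    return decryptMessage(password, envelope);
  } catch (e) {
    return null;
  }
}

// Constructed sample exchange.
const demoEnvelope = encryptMessage('agreed-in-person-passphrase', 'Meet at noon on Friday.');
console.log('sent over e-mail :', demoEnvelope);
console.log('right password   :', tryDecrypt('agreed-in-person-passphrase', demoEnvelope));
console.log('wrong password   :', tryDecrypt('guess', demoEnvelope));
```
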

Spam, Phishing, and Internet Hoaxes

Spam - Spam is unsolicited bulk e-mail. It is all the junk e-mail that seems to flood your inbox. It is important to understand that in almost all cases spam is an offer for substandard or overpriced products, an offer for illegal products (i.e. prescription drugs provided without a physician's prescription), links to pornographic material, or outright scams seeking payment for an item you will never receive.

The spammer sends out millions of e-mails, knowing that only a small portion of these emails will actually make it to the inbox of a potential victim. Of the e-mail that ends up in an inbox, only a small portion of those will receive a response. But in the words of P.T. Barnum "There's a sucker born every minute".

Let's look at a hypothetical example of why spam continues to plague the Internet. A spammer sends out 1,000,000 (one million) spam e-mails over a month offering some item for $29.95. Of the 1,000,000 e-mails sent, we will assume that only 10% (100,000) of them actually make it to the inbox of a potential victim. Of our 100,000 e-mails that made it to an inbox, we will again assume that only 10% (10,000) of those actually are opened and read, and of that only 10% (1000) receive a response where someone sends in $29.95 for whatever was offered in the spam. The spammer still potentially receives $29,950.00 for his spamming efforts that month.

The spammer's ability to send 1-million e-mail messages is based on stolen accounts and fraudulent header and subject lines, and bulk e-mailing software that automatically searches for e-mail addresses and sends spam e-mail to the collected addresses. Because the spammer often uses a hijacked or stolen account, it costs him nothing to flood the Internet with his 1-million e-mails.

Phishing - According to the Anti-Phishing Working Group (http://www.antiphishing.org/) "Phishing attacks use both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials. Social-engineering schemes use 'spoofed' e-mails to lead consumers to counterfeit websites designed to trick recipients into divulging financial data such as credit card numbers, account usernames, passwords and social security numbers. Hijacking brand names of banks, e-retailers and credit card companies, phishers often convince recipients to respond."

Like the spammer, in a phishing attack, the criminal sends out tens-of-thousands, or even millions of e-mail messages warning individuals that, for example, there is a problem with their credit card account and asking that customers verify their information by going to the credit card company's web-site and entering their personal and credit information. The phishing criminal will then include a link in the e-mail that takes the victim to a web-site that looks exactly like the credit card company's legitimate web-site. The unsuspecting victim, believing that he is logging into his account or validating his credit or banking information, has in actuality just provided this information to a criminal who will use it to run up fraudulent credit charges, steal money from a bank account, or engage in the crime of identity theft, stealing the victim's complete identity.
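
A counterfeit link of the kind described above can often be recognized because the address displayed in the message is not the address the link actually opens. The following JavaScript (Node.js) is an added example, not part of the original article; the sample message, the examplebank.com domain and all function names are constructed for illustration, and the check is a heuristic rather than a complete filter.

```javascript
// Added example: flag links whose visible text names one site while the
// underlying href points somewhere else, or points at a bare numeric address.

// Constructed sample message body (not a real e-mail).
const SAMPLE_HTML = `
<p>Dear customer, there is a problem with your credit card account.</p>
<p>Please verify your information at
<a href="http://examplebank.com.account-verify.example.net/login">www.examplebank.com</a></p>
<p>Questions? See <a href="https://help.examplebank.com/contact">examplebank.com/contact</a></p>
<p><a href="http://198.51.100.7/verify">Click here to verify</a></p>
`;

// Pull out every <a href="...">text</a> pair, stripping nested tags from the text.
function extractLinks(html) {
  const links = [];
  const re = /<a\b[^>]*\bhref\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const text = m[2].replace(/<[^>]*>/g, '').replace(/\s+/g, ' ').trim();
    links.push({ href: m[1], text });
  }
  return links;
}

// If the visible text looks like a web address, return its host without "www.".
function shownHost(text) {
  const m = /(?:https?:\/\/)?((?:[a-z0-9-]+\.)+[a-z]{2,})/i.exec(text);
  return m ? m[1].toLowerCase().replace(/^www\./, '') : null;
}

// The real host must be the shown host itself or a subdomain of it.
function sameSite(actualHost, shown) {
  return actualHost === shown || actualHost.endsWith('.' + shown);
}

function checkLinks(html) {
  const findings = [];
  for (const { href, text } of extractLinks(html)) {
    let actual;
    try {
      actual = new URL(href).hostname.toLowerCase();
    } catch (e) {
      continue; // relative or malformed href: nothing to compare
    }
    const shown = shownHost(text);
    if (/^\d{1,3}(\.\d{1,3}){3}$/.test(actual)) {
      findings.push({ href, text, reason: 'numeric-address' });
    } else if (shown && !sameSite(actual.replace(/^www\./, ''), shown)) {
      findings.push({ href, text, reason: 'text-host-mismatch' });
    }
  }
  return findings;
}

for (const f of checkLinks(SAMPLE_HTML)) {
  console.log(`${f.reason}: "${f.text}" actually opens ${f.href}`);
}
```
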

According to the U.S. Treasury the following tips will help you protect yourself from the crime of phishing: (http://www.occ.treas.gov/consumer/phishing.htm)

- 1. Never provide your personal information in response to an unsolicited request, whether it is over the phone or over the Internet. E-mails and Internet pages created by phishers may look exactly like the real thing. They may even have a fake padlock icon that ordinarily is used to denote a secure site. If you did not initiate the communication, you should not provide any information.

- 2. If you believe the contact may be legitimate, contact the financial institution yourself. You can find phone numbers and Web sites on the monthly statements you receive from your financial institution, or you can look the company up in a phone book or on the Internet. The key is that you should be the one to initiate the contact, using contact information that you have verified yourself.

- 3. Never provide your password over the phone or in response to an unsolicited Internet request. A financial institution would never ask you to verify your account information online. Thieves armed with this information and your account number can help themselves to your savings.

- 4. Review account statements regularly to ensure all charges are correct. If your account statement is late in arriving, call your financial institution to find out why. If your financial institution offers electronic account access, periodically review activity online to catch suspicious activity.

Internet Hoaxes - Internet hoaxes can be little more than a wide scale practical joke and a bit of fun, or they can be malicious rumors intended to ruin the reputation of a person or company. In the case of malicious rumors there is no legitimate reason to be forwarding this type of material in e-mail, any more than it is acceptable to spread rumors by word of mouth.

In the case of jokes, it may be OK to pass them along to friends, but it is important to be aware that these things are jokes intended to amuse, and to pass them along in the form of a joke, not something to be taken seriously. As an example of a joke or spoof photo that began circulating through e-mail in February 2007, let's look at "The Amazing Logging Moose". (http://urbanlegends.about.com/library/bl_work_moose_in_harness.htm)

The photograph of "The Amazing Logging Moose" was received in an e-mail (sent to many recipients), along with a story claiming that the photograph was legitimate, and that the moose really was being used in a logging camp in the state of Maine.

Now, while this is a fun photograph, it is not real. To check whether something is real or an Internet hoax, the first and simplest step is to take any substantive portion of the questioned item (in this case the words "logging moose") and enter them into a search engine (such as Google) together with the word "hoax". This will usually identify whether something is a known hoax or not.

Additionally, before passing along a story or photograph it is always a good idea to check the hoax and scam debunking web-sites, such as Snopes: http://www.snopes.com, or Urban Legends and Folklore: http://urbanlegends.about.com/.

There are many reasons to confirm the veracity of information before passing it along, not the least of which is to avoid making yourself look like a complete idiot when it is discovered that what you sent out as legitimate is in fact a hoax!

Computer Security & Awareness Training

As with any technical subject, computer security is something that must be reviewed on a regular basis. The U.S. Army provides an on-line computer security training course for computer users. This course is an annual requirement for anyone who uses an Army owned/controlled computer, but is available for free to anyone who wants to sign up and work through the course.

Computer Security Training (for Computer Users) - https://ia.gordon.army.mil/iss/default.htm

I recommend that anyone who uses a computer on a regular basis take advantage of this free on-line training.

Conclusion

The on-line world is not an evil and dangerous place, but like the physical world it does have its own threats, vulnerabilities and its own criminal element. The thing that makes the on-line world dangerous is that the average computer user isn't as familiar with the potential problems as he or she is with similar problems in the physical world.

However, by applying the simple privacy and security recommendations in this paper, you will have greater on-line privacy and security than most computer users. Having this additional security can offer you greater peace of mind, and allow you to get a greater benefit for your time in cyber-space.


References

Web-sites and Internet Resources Listed in the Text

Norton Anti-Virus - http://www.symantec.com/home_homeoffice/products/index.jsp

McAfee Corporation - http://us.mcafee.com/root/store.asp

AVG Anti-Virus - http://www.grisoft.com/doc/products-avg-anti-virus-free-edition/ww/crp/0

Microsoft Corporation On-line Scan - http://www.microsoft.com/athome/security/default.mspx

Stop Sign Anti-Virus - http://www.stop-sign.com/

Webroot Software Spyware Education Center - http://www.webroot.com/resources/spywareinfo/

Spyware definition at Wikipedia - http://en.wikipedia.org/wiki/Spyware

Ad-Aware - http://www.lavasoftusa.com/

Spybot Search and Destroy - http://www.safer-networking.org/

Thawte Corporation (Digital Certificates) - http://www.thawte.com/secure-email/personal-email-certificates/index.html

WildID Digital Certificates - http://www.wildid.com/

PGP International - http://www.pgpi.org/

PGP Corporation - http://www.pgp.com

Fourmilab Switzerland - http://www.fourmilab.ch/javascrypt/

Anti-Phishing Working Group - http://www.antiphishing.org/

U.S. Treasury (anti-phishing) - http://www.occ.treas.gov/consumer/phishing.htm

Snopes - http://www.snopes.com

Urban Legends and Folklore - http://urbanlegends.about.com/

U.S. Army Computer Security Training (for Computer Users) - https://ia.gordon.army.mil/iss/default.htm


Non-Internet References

Chesbro, Michael 2000, The Complete Guide to E-Security: Protect Your Privacy on the Internet, Citadel Press, New York, NY

Chesbro, Michael 2001, Freeware Encryption and Security Programs: Protecting Your Computer and Your Privacy, Paladin Press, Boulder, CO




Michael Chesbro is a Security Analyst, Security Technologist, and Specialist in Anti-Terrorism and Protective Intelligence. He is a Board Certified Forensic Examiner, a Fellow of the American College of Forensic Examiners and a diplomate of the American Board of Forensic Examiners and the American Board of Law Enforcement Experts. He holds degrees in criminal justice, security management, and paralegal studies, is a graduate of the Federal Law Enforcement Training Center, and professionally certified as a Protection Officer and Security Supervisor by the International Foundation for Protection Officers, Certified In Homeland Security-III by the American Board for Certification in Homeland Security, and certified as an Anti-Terrorism Specialist by the Anti-Terrorism Accreditation Board. Following his retirement as a Senior Counterintelligence Agent with the U.S. Department of Defense Special Operations (last serving with the 1st Special Forces Group (Airborne)), Michael now works as a private contractor supporting U.S. Military Operations, and devotes his time to writing, technical research and security consulting. He is the author of several books covering a wide range of topics from personal privacy to computer security to wilderness survival and radio communications. Michael is a nationally registered Emergency Medical Technician (EMT), an amateur radio operator - call sign: KD7KLA, and a military MARS Radio Station operator - call sign: AAR0MR. Michael is also a leading advocate for Second Amendment Rights, a Life Member of the National Rifle Association, the Second Amendment Foundation, and the Citizens Committee for the Right to Keep and Bear Arms. An advocate of concealed carry and the use of firearms for personal protection, Michael also recognizes the value of training in unarmed self-defense. He holds ranking in both karate and jujutsu, but specializes in military combatives.

© The article above is copyrighted by its author. You're allowed to distribute this work according to the Creative Commons Attribution-NoDerivs license.
 
