Our online self defense course is designed to teach online security to everyday users. It starts with basics like anti-virus and good passwords and progresses all the way to using the TOR browser. We are currently working on getting all of the information from our classes online.
Online Self Defense
Online Self Defense - White Belt Level
Basics of protecting yourself
Slides for this class can be found here.
Malware is a generic term for MALicious softWARE. There are many different terms for malware. Here are a few terms that you may hear:
- Virus - self replicating program that can be spread from one computer to another
- Adware - advertising software that installs itself onto your computer
- Spyware - software designed to send information about you to a company
- Scareware - a program that causes threatening messages to pop up designed to get you to buy a product
- Ransomware - software that encrypts your files and threatens to delete them unless you pay a ransom
So how do you get malware?
Some common sources of infections are downloading items from the internet, opening email attachments, and programs including unwanted add-ons when you install, or update them. By only downloading things from trusted sources, having good anti-virus that scans attachments, and being cautious about email attachments you can avoid most malware. There are many sneaky types of malware though, so we'll talk about cleaning a malware infection below.
How is hacking a threat to you? Companies are vulnerable to data breaches which puts your data at risk. Services that you use such as email and Facebook are also vulnerable to hacking. This is especially true if you do not have good passwords or reuse passwords. Finally, you make your computer vulnerable by failing to install security updates for you operating system and programs.
Phishing is a scan using email to get you to click on a malicious link, open an attachment, or provide information. For example, an attacker may send an email that appears to be from your bank that contains a link. Clicking the link will take you to a site that appears to be your bank, but isn't. When you enter your password and account number, you have just given you bank information to an attacker. Spear phishing is like normal phishing, but it uses personal information about you to gain your trust. This information could come from another hacked site, public records, or a data breach of a company that had information about you.
Although there are many threats on the internet, there are things that you can do which will greatly reduce your vulnerability.
Do your updates! As software companies learn about vulnerabilities, they send out fixes. By not doing updates, you are making an attackers job easy by letting them use known exploits against you. Any software that is on your computer needs to be kept up to date. For example:
- Your operating system.
- For windows, use windows update. You can go to http://windows.microsoft.com/en-us/windows/windows-update for more information.
- For a Mac, you can access updates through the app store. For more information go to https://support.apple.com/en-us/HT201541
- Java - https://www.java.com/en/download/help/java_update.xml
- Flash - https://helpx.adobe.com/flash-player.html
- Antivirus - If your antivirus isn't up to date, it can't find all of the viruses out there.
- Web browsers - These directly interact with the internet and must be kept up to date.
This isn't a complete list by any means. Every piece of software on your computer needs to be kept up to date or it may turn into an exploitable vulnerability. By using a applications auto-update features, you get the protection without the effort.
If your computer is connected to the internet at all, you need antivirus. Antivirus programs aren't magic pills that eliminate any threat, but they are a powerful tool for ensuring your safety. When looking at Antivirus programs consider the following factors:
- Features - does it provide features like scanning all downloads? What about email attachments?
- Ease of use - are you comfortable with the design and do you find it easy to navigate?
- System resources - especially for older computers, antivirus programs can be resource hogs. Your computer only has so much processing power and memory available. If your antivirus program is taking it all, it can really impact your computers speed.
- Cost - Antivirus programs range from free to hundereds of dollars. Choose one that fits your budget, but don't overlook free offering just because they are free. Sometimes they perform better than expensive alternatives.
To help pick out an anti-virus program, check out the following sites:
These organizations test antivirus programs and rank them based on their performance and are extremely helpful for finding the best product for you.
The most important thing that you can do to avoid being a victim of a phishing scam are learn to identify phishing emails. Here are some things to look for:
- Emails asking for personal information - These will often appear to be from organizations that you do business with. They may say that they need to verify your information for security purposes or use other scary language.
- Emails with links to click on - Scammers often will include links that say they go to one place but actually go to another. For example if you click on the following link www.google.com you will find it doesn't take you where you expect it to. Scammers use this to direct you to their websites to harvest any information (username, password, account number, etc) that they can get you to type in.
- Emails that contain attachments are VERY dangerous - Attachments on emails can contain all kinds of malware and viruses. Simply opening the file can be enough to infect your system. This is the number one source of infection for a new type of virus called cryptolocker which encrypts all your files and threatens to delete them if you don't pay them a ransom.
So what can you do if you think an email is phishy?
- Never give out personal information in response to an email. If your bank emails you and says that they need to verify your information, call your bank to be sure that the email is legitimate, or go directly to their website using a web browser. Do not respond to the email at all.
- If an email asks you to click on a link, do not do it. Even if it is from someone that you know. It is possible that their email has been compromised and scammers are using it to infect other people. If you want to visit the link, go to a web browser and navigate to the site. This ensures that you are going to the site that you think you are.
- Do not download an open attachments unless they are from someone that you know and you are expecting the email. Even then make sure that you run a virus scan on the file before opening it.
- Forward any phishing emails to firstname.lastname@example.org to report it. Also, contact whatever organization the email claims to be from to alert them of the scam. This will allow them to let others know about the scam.
- After this, delete the email. Do not respond to it.
If you follow these steps, you should be much better protected against phishing scams. Keep in mind that these emails can be extremely convincing.
Passwords are absolutely essential to good computer security. Using weak passwords and reusing passwords are some of the most common mistakes that people make. Unfortunately, these mistakes make any potential breach, such as hacking someone's email, much more serious. If you reuse passwords, and there is a VERY good chance you do, then getting your password for one thing often means they have your password for a lot of other things too.
Img Credit: https://xkcd.com/936/
Here are two points to remember about passwords.
- Long passwords are strong passwords. Adding length to a password makes it much harder to guess than adding complexity. The only caveat here is that choosing a very long dictionary word doesn't help at all. Hackers have files with millions of words and variations on words that their computers can try very quickly to crack a password. This brings us to our second point.
- Passphrases are better than passwords. Choose three to four unrelated (Important!) words and put them together. Make up a story using these words to help yourself remember them. If the site you are setting up a password for doesn't let you use spaces, use dashes or underscores or cram allthewordstogether into one long non-dictionary word. This strategy exponentially increases the difficulty of cracking a password while making it much easier to remember than what we might normally think of as a secure password.
Coming up with a good passphrase
It is important to come up with random words for your passphrase. Here are a couple of ways to accomplish that.
- XKpasswd.net - This site is based on the above XKCD comic. It will generate passphrases for you and has a lot of customization options. However, you are trusting a third party to come up with passphrases for you. The site also includes the perl code, so if you are technically inclined you can audit the code and run it on your own computer. This is a more secure way to do things.
- Diceware - Diceware is an analog way to generate secure passphrases. Basically it includes a huge list of words, all of which have a 5 digit number assigned. You simply roll a dice 5 times to get a five digit number to get your first word and repeat however many times you would like. This site also contains a ton of good information about strong passwords.
Safely Storing Passwords
The reason that people reuse passwords is that there are simply so many passwords required in modern daily life. It is completely impractical to remember them all. Here are a some methods for remembering passwords so that you do not have to reuse them.
Write it down
Sounds crazy right? How insecure is that? Well, it is actually better than just using the same password for everything.
The advantages of this are:
- Simplicity - Everyone has access to a pencil and paper
- Secure from hackers - I have never heard of anyone hacking a notebook yet
However, there are som real disadvantages too:
- Hard to keep up to date - If you try to keep it up to date, you can quickly end up with a jumbled mess
- Must be kept phyically secure - Keeping passwords in your wallet or purse means that if you leave it on the bus or at a resteraunt, whoever ends up with it now has access to everything. If you keep your passwords at your computer or someone easily visible, casual observation can get your password.
- Not very convenient - To always have your passwords with you means that you have to risk losing them. To keep them physically secure means that you may not have them when needed.
This is definitely not an ideal method. It has significant drawbacks, but will at least allow you to not reuse passwords.
A password Vault is a computer program that saves your passwords for you in an encrypted format. You use a strong master password to unlock the vault. Examples are KeePassX and LastPass. Many password vaults have other nice features like password generators and browser plugins which allow them to automatically type in your username and password. Some even have mobile apps and work on smartphones. A note of caution. If you are choosing a password vault that offers a cloud sync option to keep your passwords synced between devices, make sure that it offers "zero knowledge" storage. This means that you are the only one who can decrypt your passwords. Employees at the company can't, and hackers who manage to break into the company's database can't.
- Very convenient
- Very secure (security varies by which program you are using, read reviews and pick a good one)
- Often have nice added features such as password generators
- Requires a program to be downloaded onto your computer (or tablet or smartphone)
- Keeping databases synced between devices can be challenging
- Can be challenging on mobile devices
Password Vaults are a great tool and I highly recommend them. They take a little getting used to, and may seem a bit inconvenient at first, but you will quickly get used to them and there are huge security benefits to being able to have strong, unique passwords for every account you have.
Two Factor Authentication
When authenticating your identity (which is really what passwords are all about) there are a number of ways (factors) that can be used. You can rely on something you know (a password, pin number, secret question, etc), something you have (texting a code to your cell phone or emailing you a code, requiring a hardware key such as a yubikey, etc) or something you are (facial recognition, thumbprint, etc). Most account use passwords as a single factor for authentication. However, many sites are now moving to using two factor authentication. This typically means texting you a code when you try to sign in, or in the case of google, having a smart phone app that generates codes that are needed to login. This ensures that even if someone steals your password, they can't get into your account without also having your cell phone.
- Extremely secure
- Normally very convenient
- Many sites don't support two factor authentication
- Normally requires a smart phone although there are other types of two factor authentication
If it is available, two factor authentication is by far the best and most secure way to set up your accounts