Avoiding the Dark Alleys of the Internet

Extension in the Connected Age

NC Cooperative Extension March 24, 2009

Presented by Greg ParmerAlabama Cooperative Extension System

Security is kind of like air. It is easy to take for granted until

it goes missing.

Security TopicsUpdates/Patches

PasswordsE-MailSurfing

Router/Firewall

Updates/PatchesWhy “if it ain’t broke, don’t fix it” doesn’t apply here!

Updates/PatchesOperating System

Anti-virusApplications

@Risk ExampleWidely Deployed Software(1) CRITICAL: Adobe Acrobat and Reader

JavaScript Method Buffer Overflow Vulnerability (APSB09-04)

(2) CRITICAL: Autonomy KeyView SDK "wp6sr.dll" Buffer Overflow Vulnerability

(3) MODERATE: GNOME glib Base64 Functions Mutiple Integer Overflow Vulnerabilities

(4) MODERATE: PPLive Multiple URI Handlers Code Execution Vulnerabilities

MS Windows Security• Install virus protection software• Turn on the Windows firewall• Turn on Windows updates• Use Windows Security Center• Use limited accounts• Use password for every account

Virus Protection Software

Install & routinely update virus protection software• Sophos• McAfee• AVG• ClamAV

Windows FirewallChoose “On” Only unblock programs

that you trust

Windows Updates

Select “Automatic (recommended)”

Select “Everyday”Choose an

appropriate timeLeave computer on!

(check sleep/ hibernate)

Security CenterEnsures:

• Firewall is on• Automatic

updates are installed

• Virus protection installed & up-to-date

Security Center

You don’t want the RED or Yellow shield

Click on the shield to fix the problem

Limited AccountsProhibited from installing software

• Prevents installation of malware/viruses• User has access to currently installed

softwareProhibited from accessing Administrator’s

documents & settings• Prevents changes to administrator

password• Prevents access to Administrator’s

Documents, Desktop, etc.Create/modify system accounts under

“Control Panel/User Accounts”

Limited Accounts

Easily switch between accounts

Leave programs running while others login (windows-L)

Passwords?How to stop the sharing

madness

PasswordsHR system controls your $$Banks control your $$No reason to share passwords because

you can use:• Network file shares• Shared files/folders• Remote Desktop• E-mail Proxy• Web 2.0 products

Managing PasswordsTrade-offs

• Different passwords for different systems• Require passwords to change

Password Managers• Password Safe

http://passwordsafe.sourceforge.net• Others

http://www.lifehack.org/articles/technology/10-free-ways-to-track-all-your-passwords.html

Choosing a good passphrase• “1wbiDCH” (I was born in Dale County Hospital)http://www.aces.edu/extconnections/2006/10/

Safely Using EmailAvoid hoaxes and phishing

attempts

HoaxesTrickery

Please forwardUsually harmless

Waste time and resources

Phishing Clues Return address appears to be legitimateWarns of consequences unless urgent action is takenNo personal info or account name/number in messageName of link doesn’t match destination

• Name of link: https://www.firstnational.com• Destination of link:

http://www.sargonas.con/firstnational/login.htm

http://www.wikipedia.org/wiki/Phishinghttp://jdorner.blogspot.com/2007/03/every-now-and-then-i-

come-across.htmlhttp://www.aces.edu/extconnections/2006/12

Viruses & TrojansWhen you receive an attachment via e-

mail, think about it before you click to open. Is there ANYTHING suspicious about the message?

Just because you know the “sender” doesn’t mean the message is legitimate.

Don’t Become A Victim“Google” a sentence from the message

to see if it’s a hoax or phishing attempt – add snopes to the search terms

Be wary of any web links you get via e-mail

SurfingRead the Warnings

S is for securePasswords deserve

• “https”Check the SSL box

• “imaps”• “pops”

Read & Heed

Plain-text Protocols

Secure Protocol

Home RoutersInsurance that works for you!

Home RoutersOne internet connection,

multiple computersFirewall protectionAccess restrictions

One Internet Connection

Firewall ProtectionOne-way valve that lets you out, but

doesn’t let intruders in• Prevents unauthorized access to your

computer(s)• Hides your computer(s) from the internet

while still allowing access to the internet

Access Restrictions

Control when a computer can access the internet

• Deny/Allow by website or keyword

Multiple configurations

• Everyday or only on school days etc.

• All the time, or only between 4p.m. & 10p.m, etc.

Secure WirelessDisable wireless, if you’re not using itMost routers can be configured w/a CDWhat can be done manually?

• Change the SSID (wireless network name)• Disable SSID Broadcast (make it invisible)• Require a password to join the wireless

network• Restrict by MAC address

Other ReferencesSANS

https://www.sans.org/newsletters/The National Institute on Media and the

Familyhttp://www.mediafamily.org/

network_guides.shtmlBruce Schneier

“Beyond Fear”http://www.schneier.com

Thank You

Greg Parmergparmer @ auburn.edu