~~NOTOC~~ ~~NOCACHE~~ {{page>css&nodate&noeditbtn&nofooter}} ===== Week 15 — Safety and security ===== This week's topic is about using computers and networks safely and securely. ==== Evaluation ==== Up to 10 points can be gained towards your final score by completing the **in-class exercises** on Friday. ==== What you will learn from this class ==== * The ways in which various media are unreliable and why backups are important. * What online safety is and some things you can do to improve it. * What Internet security is and some ways you can ensure it. * What Internet privacy is and some ways you can protect it. * What kinds of cyberattack exist including malware, viruses, and man-in-the-middle attacks. * How to create a strong password. * How to protect your computer against attack using firewalls and anti-virus software. * How to identify and avoid e-mail phishing attacks. * What a VPN is and how it improves your security and privacy. * What network neutrality is. * What Tor is and how it protects your privacy and anonymity. ==== Preparation === This week's preparation is to watch three short videos about safety, security, and privacy when using the Internet. You can also watch several more (optional) videos to learn about geoblocking and online anonymity. === Videos ==== The following three videos describe several topics related to Internet safety, security, and privacy. A short summary of the important content follows each video URL. | What is cyber security: how it works | 7:06 | https://www.youtube.com/watch?v=inWWhr5tnEA | * phishing e-mails ask you for personal information (e.g., online account or banking details) * they try to convince you that there is a good reason to give them that information * the information is instead used to steal your identity and/or property * cyberattacks are crimes committed using the Internet or Web * malware is any kind of software that can cause harm * a 'trojan' (from '[[https://en.wikipedia.org/wiki/Trojan_Horse|trojan horse]]') is software that allows an external hacker to control your computer * 'adware' generates money for the attacker by causing you to see advertisements that you would normally not see * 'spyware' gathers information about you and sends it to the cybercriminal who can (for example) sell it * 'viruses' are programs that replicate themselves and then spread over the Internet, and that can damage machines, networks, and data * man-in-the-middle attacks occur when cybercriminals intercept or monitor your Internet communications * if they record your communication with an online service, they can replay the recording later and pretend to be you * password attacks attempt to guess your password, allowing the cybercriminal to pretend to be you * cybersecurity is a range of techniques and technologies you use to try to avoid cyberattacks * a firewall filters communication between you and the Internet and only allows authorised communications to pass * e.g., you might not allow incoming connections to your secure shell (ssh) port * a honey pot lures attackers away from real services * e.g., you might arrange for incoming connections to the standard ssh port to time out, very slowly, wasting a lot of the cybercriminals' time * the real ssh that you actually use can be running on a non-standard port * passwords should be difficult to guess * anti-virus software protects you against viruses and malware * a good junk e-mail filter can eliminate a lot of phishing attacks * cyberattacks against institutions can cause serious loss of data or even money * an advanced persistent threat is a cybercriminal who gains access to a system and then steals data or money slowly over a long period of time * a denial of service attack floods a service with many false connections, preventing legitimate users from connecting * the false connections often come from thousands of PCs distributed across the world that have been infected by a criminal's trojan malware * ethical hackers try to break into their employer's own computer systems, thereby identifying weaknesses in the security * security architects design strategies and apply technologies to remove those weaknesses | How to make a strong password | 1:37 | https://www.youtube.com/watch?v=q5DYkzOrz_I | * often a good password is your only defence against having your personal or financial information stolen * using a common or simple password is like leaving the door of your house open while you go on holiday: anyone can gain access * avoid weak passwords: ''like this'' (1.9 seconds to crack, using freely available software on a typical 2020 computer) * a strong password is easy to create if you know what precautions to take * mix capital and small letters: ''LiKe tHiS'' (6 minutes to crack) * replace letters with similar-looking digits: ''L1k3 tHiS'' (2 minutes 15 seconds to crack) * add special or punctuation characters: ''L1k3 tH15!?'' (8 hours to crack) * use longer passwords, e.g., by using a pass //phrase// instead of a single word: ''m0r3 L1K3 th15! P3RH4P5?'' (3 million years to crack) | What is a VPN and how does it work? | 3:22 | https://www.youtube.com/watch?v=lh-72JCv0rg | * VPN = virtual private network * a VPN connects your computer to a remote (trusted) network over an (untrusted) Internet connection * your computer appears to be part of the remote trusted network, not the local untrusted network * all communication between your machine and the remote network is encrypted, which stops cybercriminals from intercepting it * even on a public WiFi (e.g., in a coffee shop) nobody can intercept or spy on your VPN communications * a VPN makes you part of your institution's network, even when you are working at home or in a hotel * or the other way around; e.g: when at KUAS I often use a VPN to connect my laptop to my home network, giving me much better access to Internet services * at your institution, other computers and devices think that you are physically present on their network * printers, file shares, etc., on the remote (trusted) network are all available to you * you can also use a VPN to stop your ISP from spying on your Internet or Web activity and selling or logging that information * there are dedicated VPN companies that you can use just for this purpose, but make sure they are trustworthy before using them * a //geoblocked// website is one that is only accessible from certain parts of the world * your IP address is used to determine where, approximately, you are located * video streaming services, and some online games, use geoblocking to control which countries can access their servers * you can use a VPN to get around geoblocking by appearing to be located in a different country * when connected to the VPN, you appear to be accessing the Internet from the physical location of the remote network * E.g: I use VPNs in other countries to access online banking, because the banks use geoblocking to prevent 'foreigners' from trying to access the service * E.g: I use a VPN to watch English movies on streaming services (such as Amazon) that are geoblocked in Japan because of distribution/licensing restrictions * some ISPs //throttle// communication (make it artificially slow) when downloading files, using peer-to-peer networks, or transferring other specific kinds of data * a VPN can be used to hide the nature of your communications and avoid the throttling, ensuring 'network neutrality' * people living in countries that censor Internet services (China, USSR, etc.) can use a VPN to 'tunnel' out from their country to the open Internet * the secure, encrypted communication channel that a VPN creates between your computer and a remote (trusted) network is called a 'tunnel' * a VPN service is only as safe and trustworthy as the people who run it (and the remote network it connects you to) * maybe the VPN operator is logging all your activity to analyse and sell! * one way to avoid this is to set up your own VPN, on your own rented server in another country * you then //know// that the communication is secure, and that your activity is not being logged and analysed or sold * such a server can cost as little as a few hundred yen per month * software such as 'openvpn' makes setting up your own VPN quite easy to do (especially if you have been studying this Information Literacy course!) * there are also other high-tech ways to track your Internet use, even over a VPN * systems such as Tor can protect you from this by hiding your true location and the content of your communication Note that there are now two common uses of the term 'VPN', which can usually be distinguished by context. - the original, technical definition: a VPN extends a remote, trusted, network and allows computers located outside that network to become virtually part of that network - the new, commercial definition: a service (often paid) that allows you to to connect to a remote VPN server and its network (usually in a country of your choice) to avoid geoblocking or other censorship. The following videos are optional but you can watch them if you are interested to learn more about security, privacy, and anonymity. {{what-is-geoblocking.mp4?335x189|local copy}} Note that the first of these videos, about geoblocking, has been censored by YouTube. YouTube forces you to log in to 'prove' that you are over 18 (a violation of your privacy) before they will allow you to watch the video. The video contains nothing that is inappropriate for young people, so their censorship is really about limiting access to the knowledge it contains. Presumably Google (who own YouTube) believe your knowing about geoblocking, and how to circumvent it, is not in their financial and/or business and/or political interests. (Google, Facebook, Twitter, etc., engage in //massive// amounts of censorship to restrict or remove content from their platforms that criticises or contradicts their favoured political narratives and long-term socio-economic agendas.) I have fixed their unethical overreach by downloading the video and making a local copy available for you to view from this Web page. | What is geoblocking? | 4:54 | https://www.youtube.com/watch?v=AkALEDV2Exk (censored: view the local copy above) | | Using the Tor browser for online anonymity | 7:15 | https://www.youtube.com/watch?v=xCXOSRsirR8 | | Is Tor or VPN better for privacy, security, anonymity? | 12:31 | https://www.youtube.com/watch?v=6ohvf03NiIA | | How to make your own VPN | 25:53 | https://www.youtube.com/watch?v=gxpX_mubz2A | ==== Notes ==== /* https://us.norton.com/internetsecurity-kids-safety-stop-stressing-10-internet-safety-rules-to-help-keep-your-family-safe-online.html */ What is security? The term //security// refers to the protection of individuals, organisations, and property against external threats and criminal activities. Security is focused on preventing deliberate actions that are intended to inflict harm to an individual, organisation, or property. (Bank security includes having serious locks to prevent unauthorised access to the underground vault where the big pile of gold that used to give actual value to your paper money was stored until about 50 years ago when [[https://en.wikipedia.org/wiki/Gold_standard#Bretton_Woods|paper money was made worthless]], taking away your financial security in an activity that certainly should be considered criminal.) What is safety? The term //safety// means being protected from anything that might cause harm. The harm might come from known dangers or from unintended accidents. (Astronaut safety includes protection from the extreme temperatures in outer space. Building site safety includes wearing a hard hat to protect against accidentally dropped objects.) What is privacy? The term //privacy// relates to the rights you have to control your personal information, who can access it, and how it is used. The personal information might be explicitly collected or implied from your behaviour. (When downloading a smartphone app you agree to what personal information it can collect from your e-mails, camera, location, etc. You might also take steps to actively prevent anyone from knowing which Web sites you browse, or which products you are buying for how much from which vendors. In the case of 'free' services, you often pay by giving up your privacy: until recently, Google scanned all your gmail communications to help them decide what advertisements you should see. In 2017 they said they were going to stop doing that. Maybe they did, but even so: whenever any corporation provides an online service for 'free' then it is always the service's users who are that corporation's commercial product and source of profit, almost always at the expense of the users' privacy.) What is network neutrality? The term //network neutrality// refers to the principle that Internet Service Providers (ISPs) must not discriminate against particular uses of the Internet. Discrimination could be in the form of a slower (or capped) service, or additional fees. (If Rakuten ran the Internet in Japan then they could violate net neutrality to favour their own business by making it harder for you to choose alternatives. For example they could provide slower Internet service, or charge additional usage fees, whenever you access Amazon to make an online purchase. Geoblocking can be considered a kind of violation of net neutrality. Some countries have laws that require net neutrality from ISPs, and some content distributors such as Netflix try to license content in ways that do not require them to implement any geoblocking.) /***** == Learn to detect and avoid phishing scams == URLs in e-mails that appear to be from your bank, a friend, etc., but are designed to steal personal information. == Understand the importance of data backup == Ransomware is popular among cybercriminals who can lock your computer so you can’t access your valuable files, like your private photos or tax information. One of the best ways to combat the threat of ransomware is to back up your data on a regular basis. == Realize cybersecurity is a moving target == Cybercriminals are constantly coming up with new threats. That means you need to be mindful about downloading the latest security updates and patches. Keep yourself and your family informed about new ways cybercriminals are doing business. Stay current and follow the news for any breaking threats. Don’t share more information than necessary It’s important for children and family members to know how much information is too much information. In their excitement to share their milestones, children may sometimes post their personal information online. For example, a driver’s license or a travel itinerary shared online could be valuable information for identity thieves and burglars. Identify other vulnerabilities in your home Your home Wi-Fi network is another entry point for hackers. Cybercriminals can hack home routers and gain access to various internet-connected devices like home security systems and smart doorbells. Make sure your home Wi-Fi system has a hard-to-crack password and consider security software that identifies “intruders” on the network. Go private on public Wi-Fi Stress the importance of avoiding public Wi-Fi networks. Kids may not think about hackers and cybercriminals when they connect to public Wi-Fi in malls and coffee shops. Always use a VPN, like Norton Secure VPN, when connecting to public Wi-Fi. https://usa.kaspersky.com/resource-center/preemptive-safety/top-10-internet-safety-rules-and-what-not-to-do-online 1. Keep Personal Information Professional and Limited Potential employers or customers don't need to know your personal relationship status or your home address. They do need to know about your expertise and professional background, and how to get in touch with you. You wouldn't hand purely personal information out to strangers individually—don't hand it out to millions of people online. 2. Keep Your Privacy Settings On Marketers love to know all about you, and so do hackers. Both can learn a lot from your browsing and social media usage. But you can take charge of your information. As noted by Lifehacker, both web browsers and mobile operating systems have settings available to protect your privacy online. Major websites like Facebook also have privacy-enhancing settings available. These settings are sometimes (deliberately) hard to find because companies want your personal information for its marketing value. Make sure you have enabled these privacy safeguards, and keep them enabled. 3. Practice Safe Browsing You wouldn't choose to walk through a dangerous neighborhood—don't visit dangerous neighborhoods online. Cybercriminals use lurid content as bait. They know people are sometimes tempted by dubious content and may let their guard down when searching for it. The Internet's demimonde is filled with hard-to-see pitfalls, where one careless click could expose personal data or infect your device with malware. By resisting the urge, you don't even give the hackers a chance. 4. Make Sure Your Internet Connection is Secure. Use a Secure VPN Connection When you go online in a public place, for example by using a public Wi-Fi connection, PCMag notes you have no direct control over its security. Corporate cybersecurity experts worry about "endpoints"—the places where a private network connects to the outside world. Your vulnerable endpoint is your local Internet connection. Make sure your device is secure, and when in doubt, wait for a better time (i.e., until you're able to connect to a secure Wi-Fi network) before providing information such as your bank account number. To further improve your Internet browsing safety, use secure VPN connection (virtual private network). VPN enables you to have a secure connection between your device and an Internet server that no one can monitor or access the data that you’re exchanging. Read more about What is VPN 5. Be Careful What You Download A top goal of cybercriminals is to trick you into downloading malware—programs or apps that carry malware or try to steal information. This malware can be disguised as an app: anything from a popular game to something that checks traffic or the weather. As PCWorld advises, don't download apps that look suspicious or come from a site you don't trust. 6. Choose Strong Passwords Passwords are one of the biggest weak spots in the whole Internet security structure, but there's currently no way around them. And the problem with passwords is that people tend to choose easy ones to remember (such as "password" and "123456"), which are also easy for cyber thieves to guess. Select strong passwords that are harder for cybercriminals to demystify. Password manager software can help you to manage multiple passwords so that you don't forget them. A strong password is one that is unique and complex—at least 15 characters long, mixing letters, numbers and special characters. 7. Make Online Purchases From Secure Sites Any time you make a purchase online, you need to provide credit card or bank account information—just what cybercriminals are most eager to get their hands on. Only supply this information to sites that provide secure, encrypted connections. As Boston University notes, you can identify secure sites by looking for an address that starts with https: (the S stands for secure) rather than simply http: They may also be marked by a padlock icon next to the address bar. 8. Be Careful What You Post The Internet does not have a delete key, as that young candidate in New Hampshire found out. Any comment or image you post online may stay online forever because removing the original (say, from Twitter) does not remove any copies that other people made. There is no way for you to "take back" a remark you wish you hadn't made, or get rid of that embarrassing selfie you took at a party. Don't put anything online that you wouldn't want your mom or a prospective employer to see. 9. Be Careful Who You Meet Online People you meet online are not always who they claim to be. Indeed, they may not even be real. As InfoWorld reports, fake social media profiles are a popular way for hackers to cozy up to unwary Web users and pick their cyber pockets. Be as cautious and sensible in your online social life as you are in your in-person social life. 10. Keep Your Antivirus Program Up To Date Internet security software cannot protect against every threat, but it will detect and remove most malware—though you should make sure it's to date. Be sure to stay current with your operating system's updates and updates to applications you use. They provide a vital layer of security. https://clario.co/blog/top-internet-safety-rules/ https://www.pbs.org/wgbh/nova/labs/lab/cyber/ == Safety == make user acct no root login backups == Security == keyloggers vpn cookies and tracking dns lookups snooping phishing emails encrypted files and archives pgp emails passwords in plaintext good passwords = phrases password strength test: https://www.my1login.com/resources/password-strength-test/ https == Privacy == govt surveillance https://www.vpnmentor.com/blog/understanding-five-eyes-concept browse anonymous: tor www.torproject.org https://www.youtube.com/watch?v=xCXOSRsirR8 tor vs vpn https://www.youtube.com/watch?v=6ohvf03NiIA darkweb host (web site, p2p file ecchange) and collaborate (email) completely encrypted and anonymised on dark web: i2p geti2p.net == Liberty: net neutrality and censorship == geoblocking https://www.youtube.com/watch?v=AkALEDV2Exk CENSORED don't believe msm google: duckduckgo *****/ /* syllabus */ /* * Local Variables: * eval: (flyspell-mode) * eval: (ispell-change-dictionary "british") * eval: (flyspell-buffer) * End: */