KUAS Engineering

Week 15 — Safety and security

This week's topic is about using computers and networks safely and securely.

Evaluation

Up to 10 points can be gained towards your final score by completing the in-class exercises on Friday.

What you will learn from this class

  • The ways in which various media are unreliable and why backups are important.
  • What online safety is and some things you can do to improve it.
  • What Internet security is and some ways you can ensure it.
  • What Internet privacy is and some ways you can protect it.
  • What kinds of cyberattack exist including malware, viruses, and man-in-the-middle attacks.
  • How to create a strong password.
  • How to protect your computer against attack using firewalls and anti-virus software.
  • How to identify and avoid e-mail phishing attacks.
  • What a VPN is and how it improves your security and privacy.
  • What network neutrality is.
  • What Tor is and how it protects your privacy and anonymity.

Preparation

This week's preparation is to watch three short videos about safety, security, and privacy when using the Internet. You can also watch several more (optional) videos to learn about geoblocking and online anonymity.

Videos

The following three videos describe several topics related to Internet safety, security, and privacy. A short summary of the important content follows each video URL.

What is cyber security: how it works 7:06 https://www.youtube.com/watch?v=inWWhr5tnEA
  • phishing e-mails ask you for personal information (e.g., online account or banking details)
  • they try to convince you that there is a good reason to give them that information
  • the information is instead used to steal your identity and/or property
  • cyberattacks are crimes committed using the Internet or Web
  • malware is any kind of software that can cause harm
    • a 'trojan' (from 'trojan horse') is software that allows an external hacker to control your computer
    • 'adware' generates money for the attacker by causing you to see advertisements that you would normally not see
    • 'spyware' gathers information about you and sends it to the cybercriminal who can (for example) sell it
    • 'viruses' are programs that replicate themselves and then spread over the Internet, and that can damage machines, networks, and data
  • man-in-the-middle attacks occur when cybercriminals intercept or monitor your Internet communications
    • if they record your communication with an online service, they can replay the recording later and pretend to be you
  • password attacks attempt to guess your password, allowing the cybercriminal to pretend to be you
  • cybersecurity is a range of techniques and technologies you use to try to avoid cyberattacks
  • a firewall filters communication between you and the Internet and only allows authorised communications to pass
    • e.g., you might not allow incoming connections to your secure shell (ssh) port
  • a honey pot lures attackers away from real services
    • e.g., you might arrange for incoming connections to the standard ssh port to time out, very slowly, wasting a lot of the cybercriminals' time
    • the real ssh that you actually use can be running on a non-standard port
  • passwords should be difficult to guess
  • anti-virus software protects you against viruses and malware
  • a good junk e-mail filter can eliminate a lot of phishing attacks
  • cyberattacks against institutions can cause serious loss of data or even money
  • an advanced persistent threat is a cybercriminal who gains access to a system and then steals data or money slowly over a long period of time
  • a denial of service attack floods a service with many false connections, preventing legitimate users from connecting
    • the false connections often come from thousands of PCs distributed across the world that have been infected by a criminal's trojan malware
  • ethical hackers try to break into their employer's own computer systems, thereby identifying weaknesses in the security
  • security architects design strategies and apply technologies to remove those weaknesses
How to make a strong password 1:37 https://www.youtube.com/watch?v=q5DYkzOrz_I
  • often a good password is your only defence against having your personal or financial information stolen
  • using a common or simple password is like leaving the door of your house open while you go on holiday: anyone can gain access
    • avoid weak passwords: like this (1.9 seconds to crack, using freely available software on a typical 2020 computer)
  • a strong password is easy to create if you know what precautions to take
    • mix capital and small letters: LiKe tHiS (6 minutes to crack)
    • replace letters with similar-looking digits: L1k3 tHiS (2 minutes 15 seconds to crack)
    • add special or punctuation characters: L1k3 tH15!? (8 hours to crack)
    • use longer passwords, e.g., by using a pass phrase instead of a single word: m0r3 L1K3 th15! P3RH4P5? (3 million years to crack)
What is a VPN and how does it work? 3:22 https://www.youtube.com/watch?v=lh-72JCv0rg
  • VPN = virtual private network
  • a VPN connects your computer to a remote (trusted) network over an (untrusted) Internet connection
    • your computer appears to be part of the remote trusted network, not the local untrusted network
  • all communication between your machine and the remote network is encrypted, which stops cybercriminals from intercepting it
    • even on a public WiFi (e.g., in a coffee shop) nobody can intercept or spy on your VPN communications
  • a VPN makes you part of your institution's network, even when you are working at home or in a hotel
    • or the other way around; e.g: when at KUAS I often use a VPN to connect my laptop to my home network, giving me much better access to Internet services
  • at your institution, other computers and devices think that you are physically present on their network
    • printers, file shares, etc., on the remote (trusted) network are all available to you
  • you can also use a VPN to stop your ISP from spying on your Internet or Web activity and selling or logging that information
  • there are dedicated VPN companies that you can use just for this purpose, but make sure they are trustworthy before using them
  • a geoblocked website is one that is only accessible from certain parts of the world
    • your IP address is used to determine where, approximately, you are located
    • video streaming services, and some online games, use geoblocking to control which countries can access their servers
  • you can use a VPN to get around geoblocking by appearing to be located in a different country
    • when connected to the VPN, you appear to be accessing the Internet from the physical location of the remote network
    • E.g: I use VPNs in other countries to access online banking, because the banks use geoblocking to prevent 'foreigners' from trying to access the service
    • E.g: I use a VPN to watch English movies on streaming services (such as Amazon) that are geoblocked in Japan because of distribution/licensing restrictions
  • some ISPs throttle communication (make it artificially slow) when downloading files, using peer-to-peer networks, or transferring other specific kinds of data
  • a VPN can be used to hide the nature of your communications and avoid the throttling, ensuring 'network neutrality'
  • people living in countries that censor Internet services (China, USSR, etc.) can use a VPN to 'tunnel' out from their country to the open Internet
  • the secure, encrypted communication channel that a VPN creates between your computer and a remote (trusted) network is called a 'tunnel'
  • a VPN service is only as safe and trustworthy as the people who run it (and the remote network it connects you to)
    • maybe the VPN operator is logging all your activity to analyse and sell!
    • one way to avoid this is to set up your own VPN, on your own rented server in another country
      • you then know that the communication is secure, and that your activity is not being logged and analysed or sold
      • such a server can cost as little as a few hundred yen per month
      • software such as 'openvpn' makes setting up your own VPN quite easy to do (especially if you have been studying this Information Literacy course!)
  • there are also other high-tech ways to track your Internet use, even over a VPN
    • systems such as Tor can protect you from this by hiding your true location and the content of your communication

Note that there are now two common uses of the term 'VPN', which can usually be distinguished by context.

  1. the original, technical definition: a VPN extends a remote, trusted, network and allows computers located outside that network to become virtually part of that network
  2. the new, commercial definition: a service (often paid) that allows you to to connect to a remote VPN server and its network (usually in a country of your choice) to avoid geoblocking or other censorship.

The following videos are optional but you can watch them if you are interested to learn more about security, privacy, and anonymity.

Note that the first of these videos, about geoblocking, has been censored by YouTube. YouTube forces you to log in to 'prove' that you are over 18 (a violation of your privacy) before they will allow you to watch the video. The video contains nothing that is inappropriate for young people, so their censorship is really about limiting access to the knowledge it contains. Presumably Google (who own YouTube) believe your knowing about geoblocking, and how to circumvent it, is not in their financial and/or business and/or political interests. (Google, Facebook, Twitter, etc., engage in massive amounts of censorship to restrict or remove content from their platforms that criticises or contradicts their favoured political narratives and long-term socio-economic agendas.) I have fixed their unethical overreach by downloading the video and making a local copy available for you to view from this Web page.

What is geoblocking? 4:54 https://www.youtube.com/watch?v=AkALEDV2Exk (censored: view the local copy above)
Using the Tor browser for online anonymity 7:15 https://www.youtube.com/watch?v=xCXOSRsirR8
Is Tor or VPN better for privacy, security, anonymity? 12:31 https://www.youtube.com/watch?v=6ohvf03NiIA
How to make your own VPN 25:53 https://www.youtube.com/watch?v=gxpX_mubz2A

Notes

What is security?

The term security refers to the protection of individuals, organisations, and property against external threats and criminal activities. Security is focused on preventing deliberate actions that are intended to inflict harm to an individual, organisation, or property. (Bank security includes having serious locks to prevent unauthorised access to the underground vault where the big pile of gold that used to give actual value to your paper money was stored until about 50 years ago when paper money was made worthless, taking away your financial security in an activity that certainly should be considered criminal.)

What is safety?

The term safety means being protected from anything that might cause harm. The harm might come from known dangers or from unintended accidents. (Astronaut safety includes protection from the extreme temperatures in outer space. Building site safety includes wearing a hard hat to protect against accidentally dropped objects.)

What is privacy?

The term privacy relates to the rights you have to control your personal information, who can access it, and how it is used. The personal information might be explicitly collected or implied from your behaviour. (When downloading a smartphone app you agree to what personal information it can collect from your e-mails, camera, location, etc. You might also take steps to actively prevent anyone from knowing which Web sites you browse, or which products you are buying for how much from which vendors. In the case of 'free' services, you often pay by giving up your privacy: until recently, Google scanned all your gmail communications to help them decide what advertisements you should see. In 2017 they said they were going to stop doing that. Maybe they did, but even so: whenever any corporation provides an online service for 'free' then it is always the service's users who are that corporation's commercial product and source of profit, almost always at the expense of the users' privacy.)

What is network neutrality?

The term network neutrality refers to the principle that Internet Service Providers (ISPs) must not discriminate against particular uses of the Internet. Discrimination could be in the form of a slower (or capped) service, or additional fees. (If Rakuten ran the Internet in Japan then they could violate net neutrality to favour their own business by making it harder for you to choose alternatives. For example they could provide slower Internet service, or charge additional usage fees, whenever you access Amazon to make an online purchase. Geoblocking can be considered a kind of violation of net neutrality. Some countries have laws that require net neutrality from ISPs, and some content distributors such as Netflix try to license content in ways that do not require them to implement any geoblocking.)

Last modified: 2021/01/06 17:17