Continue reading »]]> from https://www.us-cert.gov

How can you minimize the access other people have to your information?

You may be able to easily identify people who could, legitimately or not, gain physical access to your computer—family members, roommates, co-workers, members of a cleaning crew, and maybe others. Identifying the people who could gain remote access to your computer becomes much more difficult. As long as you have a computer and connect it to a network, you are vulnerable to someone or something else accessing or corrupting your information; however, you can develop habits that make it more difficult.

• Lock your computer when you are away from it. Even if you only step away from your computer for a few minutes, it’s enough time for someone else to destroy or corrupt your information. Locking your computer prevents another person from being able to simply sit down at your computer and access all of your information.
• Disconnect your computer from the Internet when you aren’t using it. The development of technologies such as DSL and cable modems have made it possible for users to be online all the time, but this convenience comes with risks. The likelihood that attackers or viruses scanning the network for available computers will target your computer becomes much higher if your computer is always connected. Depending on what method you use to connect to the Internet, disconnecting may mean disabling a wireless connection, turning off your computer or modem, or disconnecting cables. When you are connected, make sure that you have a firewall enabled (see Understanding Firewalls for more information).
• Evaluate your security settings. Most software, including browsers and email programs, offers a variety of features that you can tailor to meet your needs and requirements. Enabling certain features to increase convenience or functionality may leave you more vulnerable to being attacked. It is important to examine the settings, particularly the security settings, and select options that meet your needs without putting you at increased risk. If you install a patch or a new version of the software, or if you hear of something that might affect your settings, reevaluate your settings to make sure they are still appropriate (see Understanding Patches, Safeguarding Your Data, and Evaluating Your Web Browser’s Security Settings for more information).

What other steps can you take?

Sometimes the threats to your information aren’t from other people but from natural or technological causes. Although there is no way to control or prevent these problems, you can prepare for them and try to minimize the damage.

• Protect your computer against power surges and brief outages. Aside from providing outlets to plug in your computer and all of its peripherals, some power strips protect your computer against power surges. Many power strips now advertise compensation if they do not effectively protect your computer. Power strips alone will not protect you from power outages, but there are products that do offer an uninterruptible power supply when there are power surges or outages. During a lightning storm or construction work that increases the odds of power surges, consider shutting your computer down and unplugging it from all power sources.
• Back up all of your data. Whether or not you take steps to protect yourself, there will always be a possibility that something will happen to destroy your data. You have probably already experienced this at least once— losing one or more files due to an accident, a virus or worm, a natural event, or a problem with your equipment. Regularly backing up your data on a CD or network reduces the stress and other negative consequences that result from losing important information (see Real-World Warnings Keep You Safe Online for more information). Determining how often to back up your data is a personal decision. If you are constantly adding or changing data, you may find weekly backups to be the best alternative; if your content rarely changes, you may decide that your backups do not need to be as frequent. You don’t need to back up software that you own on CD-ROM or DVD-ROM—you can reinstall the software from the original media if necessary.

Both the National Cyber Security Alliance and US-CERT have identified this topic as one of the top tips for home users.

Authors: Mindi McDowell, Allen Householder

Continue reading »]]> from https://www.us-cert.gov

sn’t it better to have more protection?

Spyware and viruses can interfere with your computer’s ability to process information or can modify or destroy data. You may feel that the more anti-virus and anti-spyware programs you install on your computer, the safer you will be. It is true that not all programs are equally effective, and they will not all detect the same malicious code. However, by installing multiple programs in an attempt to catch everything, you may introduce problems.

How can anti-virus or anti-spyware software cause problems?

It is important to use anti-virus and anti-spyware software (see Understanding Anti-Virus Software and Recognizing and Avoiding Spyware for more information). But too much or the wrong kind can affect the performance of your computer and the effectiveness of the software itself.

Scanning your computer for viruses and spyware uses some of the available memory on your computer. If you have multiple programs trying to scan at the same time, you may limit the amount of resources left to perform your tasks. Essentially, you have created a denial of service against yourself (see Understanding Denial-of-Service Attacks for more information). It is also possible that in the process of scanning for viruses and spyware, anti-virus or anti-spyware software may misinterpret the virus definitions of other programs. Instead of recognizing them as definitions, the software may interpret the definitions as actual malicious code. Not only could this result in false positives for the presence of viruses or spyware, but the anti-virus or anti-spyware software may actually quarantine or delete the other software.

How can you avoid these problems?

• Investigate your options in advance - Research available anti-virus and anti-spyware software to determine the best choice for you. Consider the amount of malicious code the software recognizes, and try to find out how frequently the virus definitions are updated. Also check for known compatibility issues with other software you may be running on your computer.
• Limit the number of programs you install - Many vendors are now releasing packages that incorporate both anti-virus and anti-spyware capabilities together. However, if you decide to choose separate programs, you really only need one anti-virus program and one anti-spyware program. If you install more, you increase your risk for problems.
• Install the software in phases - Install the anti-virus software first and test it for a few days before installing anti-spyware software. If problems develop, you have a better chance at isolating the source and then determining if it is an issue with the software itself or with compatibility.
• Watch for problems - If your computer starts processing requests more slowly, you are seeing error messages when updating your virus definitions, your software does not seem to be recognizing malicious code, or other issues develop that cannot be easily explained, check your anti-virus and anti-spyware software.

Authors: Mindi McDowell, Matt Lytle

Continue reading »]]> from https://www.us-cert.gov

Why do you need a password?

Think about the number of personal identification numbers (PINs), passwords, or passphrases you use every day: getting money from the ATM or using your debit card in a store, logging on to your computer or email, signing in to an online bank account or shopping cart…the list seems to just keep getting longer. Keeping track of all of the number, letter, and word combinations may be frustrating at times, and maybe you’ve wondered if all of the fuss is worth it. After all, what attacker cares about your personal email account, right? Or why would someone bother with your practically empty bank account when there are others with much more money? Often, an attack is not specifically about your account but about using the access to your information to launch a larger attack. And while having someone gain access to your personal email might not seem like much more than an inconvenience and threat to your privacy, think of the implications of an attacker gaining access to your social security number or your medical records.

One of the best ways to protect information or physical property is to ensure that only authorized people have access to it. Verifying that someone is the person they claim to be is the next step, and this authentication process is even more important, and more difficult, in the cyber world. Passwords are the most common means of authentication, but if you don’t choose good passwords or keep them confidential, they’re almost as ineffective as not having any password at all. Many systems and services have been successfully broken into due to the use of insecure and inadequate passwords, and some viruses and worms have exploited systems by guessing weak passwords.

How do you choose a good password?

Most people use passwords that are based on personal information and are easy to remember. However, that also makes it easier for an attacker to guess or “crack” them. Consider a four-digit PIN number. Is yours a combination of the month, day, or year of your birthday? Or the last four digits of your social security number? Or your address or phone number? Think about how easily it is to find this information out about somebody. What about your email password—is it a word that can be found in the dictionary? If so, it may be susceptible to “dictionary” attacks, which attempt to guess passwords based on words in the dictionary.

Although intentionally misspelling a word (“daytt” instead of “date”) may offer some protection against dictionary attacks, an even better method is to rely on a series of words and use memory techniques, or mnemonics, to help you remember how to decode it. For example, instead of the password “hoops,” use “IlTpbb” for “[I] [l]ike [T]o [p]lay [b]asket[b]all.” Using both lowercase and capital letters adds another layer of obscurity. Your best defense, though, is to use a combination of numbers, special characters, and both lowercase and capital letters. Change the same example we used above to “Il!2pBb.” and see how much more complicated it has become just by adding numbers and special characters.

Longer passwords are more secure than shorter ones because there are more characters to guess, so consider using passphrases when you can. For example, “This passwd is 4 my email!” would be a strong password because it has many characters and includes lowercase and capital letters, numbers, and special characters. You may need to try different variations of a passphrase—many applications limit the length of passwords, and some do not accept spaces. Avoid common phrases, famous quotations, and song lyrics.

Don’t assume that now that you’ve developed a strong password you should use it for every system or program you log into. If an attacker does guess it, he would have access to all of your accounts. You should use these techniques to develop unique passwords for each of your accounts.

Here is a review of tactics to use when choosing a password:

• Don’t use passwords that are based on personal information that can be easily accessed or guessed.
• Don’t use words that can be found in any dictionary of any language.
• Develop a mnemonic for remembering complex passwords.
• Use both lowercase and capital letters.
• Use a combination of letters, numbers, and special characters.
• Use passphrases when you can.
• Use different passwords on different systems.

How can you protect your password?

Now that you’ve chosen a password that’s difficult to guess, you have to make sure not to leave it someplace for people to find. Writing it down and leaving it in your desk, next to your computer, or, worse, taped to your computer, is just making it easy for someone who has physical access to your office. Don’t tell anyone your passwords, and watch for attackers trying to trick you through phone calls or email messages requesting that you reveal your passwords (see Avoiding Social Engineering and Phishing Attacks for more information).

If your internet service provider (ISP) offers choices of authentication systems, look for ones that use Kerberos, challenge/response, or public key encryption rather than simple passwords (see Understanding ISPs and Supplementing Passwords for more information). Consider challenging service providers that only use passwords to adopt more secure methods.

Also, many programs offer the option of “remembering” your password, but these programs have varying degrees of security protecting that information. Some programs, such as email clients, store the information in clear text in a file on your computer. This means that anyone with access to your computer can discover all of your passwords and can gain access to your information. For this reason, always remember to log out when you are using a public computer (at the library, an internet cafe, or even a shared computer at your office). Other programs, such as Apple’s Keychain and Palm’s Secure Desktop, use strong encryption to protect the information. These types of programs may be viable options for managing your passwords if you find you have too many to remember.

There’s no guarantee that these techniques will prevent an attacker from learning your password, but they will make it more difficult.

Authors: Mindi McDowell, Jason Rafail, Shawn Hernan

Continue reading »]]> By Kimberly Palmer | U.S.News & World Report LP

The record number of online shoppers this year means fraudsters will be looking to take advantage of people prone to making novice errors. Common mistakes that leave people vulnerable include shopping on websites that aren’t secure, giving out too much personal information, and leaving computers open to viruses.

Here are 10 ways to stay safe while shopping online:

Stay away from fishy-looking sites. You can’t always tell when a website isn’t legitimate, but red flags include poor design, a strange or nonsensical Web address, and multiple pop-up windows that you can’t close. If you notice any of these suspicious signs, stop shopping and close your browser windows.

Avoid clicking on hyperlinks embedded in emails. The Better Business Bureau warns that legitimate businesses don’t send emails asking for follow-up financial information. If an email, even one that claims to be from a familiar retailer, asks you to visit an outside site, don’t do it–it could be redirecting you to a scam site. Instead of clicking on a hyperlink, type in the Web address that you want to visit into your browser manually.

Shop on secure websites only. Adam Levin, founder of Credit.com and Identity Theft 911, suggests looking for “https” instead of just “http” in the address bar. Also, he adds, be sure your computer’s anti-virus software is up to date, since you can come across some unwanted viruses when surfing online for deals and good buys.

Never, ever give your Social Security number to anyone online. If a site asks for it during the checkout process, it’s probably a scam site, says Levin.

Take advantage of the automatic identity-theft protection that comes with many credit cards. That’s one reason to use your credit card instead of debit cards or cash for your holiday shopping. If you see erroneous charges on your statement, you can call your credit card company, which should investigate on your behalf.

The Better Business Bureau points out that credit card companies are required to allow shoppers to dispute charges, and many companies cover charges made on stolen cards. Don’t forget to check your credit card statements frequently (don’t just wait until you get your monthly bill) because many card companies have time limits on when customers can dispute charges.

Change up your passwords. With consumers asked to remember dozens of passwords for various retailers, banks, and accounts, it’s almost impossible to remember them all, especially since they often include mixes of numbers and letters. Either keep careful track in a secure document, rely on mnemonic devices to boost your memory, or come up with some other clever strategy–but don’t stick with simple passwords that are easy for strangers to guess.

Review your rights. The Better Business Bureau reminds shoppers that if products aren’t shipping on time, consumers have the right to cancel the order and get a refund. They can also reject merchandise they deem defective or misrepresented.

Wield that cell phone carefully. Security firm BitDefender reports that shopping with mobile devices–as 6 in 10 shoppers plan to do this year–can come with its own set of security challenges, since shortened URLs can more easily trick shoppers into visiting harmful sites. Also, public Wi-Fi access is convenient, but it can also leave your personal information accessible to hackers, so avoid entering passwords and credit card numbers while in public hotspots.

Avoid strangers on social media. While this rule applies the rest of the year, too, it’s especially important around the holidays, when many retailers use social media to drum up business. Fraudsters also send malicious messages through social networks. BitDefender recommends treating messages from strangers as spam–just ignore them.

Don’t click on fake holiday eCards. Festive e-greetings are ubiquitous this time of year, but the security firm AppRiver says fake cards can spread viruses. At the risk of being Scrooge, the firm recommends that consumers just delete cards that come from unknown addresses.

Continue reading »]]>

from http://www.us-cert.gov

Continue reading »]]> from www.fbi.gov

Internet Fraud

Listed below are tips to protect yourself and your family from various forms of Internet fraud.

For information on the most common complaints and scams, see the annual reports of the Internet Crime Complaint Center, or IC3, a partnership of the FBI and the National White Collar Crime Center. Also see its information on Internet Crime Schemes and its Internet Crime Prevention Tips.

Use our online tips form or the IC3 website to report potential cases of cyber fraud.

Tips for Avoiding Internet Auction Fraud:

• Understand as much as possible about how the auction works, what your obligations are as a buyer, and what the seller’s obligations are before you bid.
• Find out what actions the website/company takes if a problem occurs and consider insuring the transaction and shipment.
• Learn as much as possible about the seller, especially if the only information you have is an e-mail address. If it is a business, check the Better Business Bureau where the seller/business is located.
• Examine the feedback on the seller.
• Determine what method of payment the seller is asking from the buyer and where he/she is asking to send payment.
• If possible, purchase items online using your credit card, because you can often dispute the charges if something goes wrong.
• Be cautious when dealing with sellers outside the United States. If a problem occurs with the auction transaction, it could be much more difficult to rectify.
• Ask the seller about when delivery can be expected and whether the merchandise is covered by a warranty or can be exchanged if there is a problem.
• Make sure there are no unexpected costs, including whether shipping and handling is included in the auction price.
• There should be no reason to give out your social security number or driver’s license number to the seller.