10/2 Online safety

Our agenda today:

Review from last time (email)

Presentation:  Note the handout and the web material contain more than what we will view in the lesson.  So use all sources to become proficient in online safety!

Homework:

Recording

Miss the class or want to learn more?  View the recording of Tuesday's class.

Online Safety Webinar

San Diego County Credit Union is hosting a webinar on October 11 from noon to 1.  It will feature hints on how to keep your accounts safe.  You need to pre-register.

Here is the link to register for this event.

Introduction to online safety

Today’s class is all about online safety.  We will discuss different types of malware, and how that malware gets onto your system.  We will learn how to minimize your chances of downloading malware, and will discuss what to do when you think you have it on your system.  In addition, we will discuss anti-virus programs, passwords and apps, how to stay safe and a list of resources to help if you are a victim of a breach or identity theft.   Lots of information in today’s lesson!

Malware

Malware is any software installed on your machine which performs unwanted tasks, often for another party’s benefit.  It can be merely annoying (popups) or serious (stealing passwords or data, or infecting other computers on the network).  Malware gets through by bundling (attached to other software), email attachments or links, or finding security holes in your browser.  If you get a note saying that software is needed to view a site, this may be malware.  Or, a site may say that clicking on certificate verification will make it safer.  Not the case!  Once installed, malware can be very difficult to remove.

How malware is spread


Malware is spread using different methods including:

Smartphones: Your smartphone is not immune to malware.


Social networks are also vulnerable.  

You receive a notice in Messenger that a friend has mentioned you, and you click on it.  You are taken outside Facebook to download malware.  The attacker adds the post to your timeline so others can click on it.  The malware takes over (hijacks) your browser, which is disguised to look like the real one.  The attacker captures traffic and hijacks accounts.  In the background, other scripts download which protect the malicious code from analysis and make it invisible to antivirus software.  The attacker now owns the Facebook account (and anything associated with the hijacked browser, such as Google Drive or Microsoft OneNote).

Malicious email:  

If malware is software that performs unwanted tasks, email is the vehicle that delivers it to your device.  Emails can be harmful to your computer, causing you to click on sites that can leave malware on your system, or tricking you into providing some personal information.  You may find yourself in an email scam by responding to a questionable email.  Some of these include the old-fashioned fraud emails (business opportunities, health and diet, cable descrambler kits), discount software, advance fee fraud (like the Nigerian Prince), phishing emails (looking for information) or Trojan Horse emails (which entice you into installing software that then turns on you).

Malicious email attachments:  

According to a 2017 Verizon report, 66% of malware was installed via a malicious email attachment.  With a malicious email attachment, the attacker will fool the user into downloading malware or other things, which can include invoice fraud.  Downloading the attachment alone can release the malware and do damage.

Malicious attachments look like legitimate file attachments, usually an invoice, software update, or other file that seems urgent in nature.  These attachments can infect your device with malware that can spread to other systems.  Some attachments will take you to a website which asks you to enter your credentials to access the file.  However, the file is bogus, and your credentials are now in the hands of the attacker.

Websites:  

Sometimes a fairly innocuous site may contain links to sites which are not to be trusted.  One way is through clickbait.  Clickbait is when you see a headline on a website, but you can’t reveal the answer until you click on it.  Clicking on the image will not give you malware, but it will send you to yet another web page, which may contain additional links which are not reputable.  Clickbait is attractive because we don’t like ambiguity, and we find it difficult to leave a site after having our interest piqued.  


Examples of malware: (not in class)

Botnet: 

A hacker sends out a virus or worm to infect vulnerable home computers.  This creates a slave network called a botnet.  In the next stage, the hacker sells or hires out the botnet to other criminals, who use it for fraud, spamming, DDoS attacks and other cybercrimes.

Ad blockers: 

We don’t like those ads.  But sometimes, the ad blocker can be fake and might have the ability to remotely inject malicious code into the browsers of its unsuspecting users.  Some browsers, such as Google Chrome, now have built-in ad blocking, which blocks intrusive ads such as popups, auto-playing video ads with sound, ads with a countdown and large sticky ads.  If the browser suspects a website is running these ads, it may choose not to load any ads on that website.

Virus

Virus:  A self-replicating code.  It must be opened or executed to run it.  It looks for programs to infect.  It can live in the system (resident), which would mean it could strike again.  Or it can only be activated when clicked (non-resident).  Computers can become infected with a virus in a number of ways including:

·         Accepting software or download without reading the fine print (Trojan Horse)

·         Downloading infected software from a bad source

·         Opening email attachments containing a virus

·         Using an infected disc or thumb drive

·         Visiting a malicious site

·         Not running updates on browser, programs and operating system

·         Using a file distribution network for pirated movies/software

Signs you may have a virus:

·         Clicking on an icon or program does not work

·         Your device is crashing, freezing or rebooting by itself

·         Your antivirus and/or firewall is suddenly disabled

·         You see unexpected advertisement windows

·         You cannot print

·         You no longer have the icons on the desktop, and/or program files in your folder

·         You have major problems installing or downloading software

·         You can’t access your disk drive or hard drive

If you think a file is suspicious, you should first scan the file for viruses.  Using your antivirus program, right click on the file and select “scan for viruses”. 

If you are concerned that you are infected, use your antivirus program to run a full scan.  Open the program and select full system scan.

If a virus is found, a prompt will be given to move the virus or delete the files.  Both are ok.

If you don’t have an antivirus program installed, find a free one online by a reputable company such as Bitdefender, ESET, Trend Micro, Kaspersky or Symantec.

Clickbait

Clickbait is a technique used in websites which is designed to have you click on links that look interesting.  In fact, the goal of clickbait is for you to click on the link.  It really doesn’t care if clicking on the link provides you with a satisfactory answer.  They get paid either way!  Clickbait is not in itself malware but could direct you to a bad website. 

Adware: 

Software that provides unwanted advertising.  Includes pop-up ads, banners and in-text links.  May redirect to another website, install third party software, track or affect system performance.  May even prevent you from using ad removal software.

Spyware: 

A script which collects information about your device and transmits it to other sites.  These sites then know where you have visited and will sometimes present fake websites that would interest you.

Keyloggers:

Software that captures anything that you type.  It is dangerous not only on your own devices (think passwords) but also on terminals at gas stations and ATM machines (known as POS or point of service terminals).

RAM scraping malware

RAM scraping malware is also used for POS interactions, where data is stored unencrypted for just a couple of milliseconds.  RAM scrapers use this window of time to grab card data and save it as a .txt file.

Browser hijacking software: 

Advertising software that modifies your browser settings.  Although installing a program may result in a new default browser (not too bad), this new browser can have malicious links in it (that is bad).  When installing new software, always check which permissions it asks for.

Ransomware: 

A particularly malicious kind of software which blocks access to your computer until a sum of money is paid, usually in bitcoin or gift cards.  The ransomware encrypts your data in such a way that only the attacker can decrypt it.  It is not recommended, though, that you pay the ransom.  Instead, contact a professional if this happens to you.

Hacking

Hacking is unauthorized intrusion into a computer or network.  The hacker uses scripts or code and gains access through methods such as passwords, bundled software or email.  Hackers find scripts, learn about hacking opportunities and share what they find on the dark web using special browsers like Tor (a private browser).  They use it to set up botnets, break a network's security or share sensitive documents.  There are also forums on the dark web where sensitive information is shared.  There is a site on the dark web called FreeHacks, which gives tips on how to hack and examples of hacks to try.

Malicious email attachments: 

Do not open any attachments that you were not expecting.  Documents, PDFs, images and other attachments might be dangerous.  When in doubt, contact the sender and ask.  But don’t contact them by replying to the email, as it might be malicious.  Call and ask if they did indeed send you an attachment.

There is no sure way to tell if it is malicious.  Still, here are some things to consider:

·         Your email provider should be scanning for malicious attachments.  If a virus is included in the attachment that you are trying to send, you will see a “Virus detected” error message.  You can choose to send without an attachment.  If the virus is attached to an email sent to you, the provider should reject the message and let the sender know.  If the virus is found in an attachment in your inbox, you won’t be able to download the attachment.  This is true in theory, but things can still get through.  So, keep reading!

·         Filenames:  avoid bizarre filenames and misspelled words.  Spreadsheets are usually not named a random string of symbols (this would be suspicious as well)

·         EXE files:  These are executable files.  Only open if you have downloaded them from a reputable source.  Do not open an EXE file in an email attachment.

·         Zipped files:  If you have any doubt, confirm by phone or email (but not by replying to this email, because you are not sure it is legitimate).

·         Office documents:  These can contain hidden macros or scripts.  You may be asked to “allow macros” without knowing what you are allowing to run.  Macros can then enable malware to be installed.
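The checklist above can also be applied automatically before anyone opens a file. The Python example below is an added illustration, not part of the original lesson materials; it parses a constructed email and reports which attachments deserve caution. The extension lists (which go slightly beyond .exe and .zip), the double-extension check and the random-filename heuristic are assumptions of this example.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extension lists are this example's assumptions, not an exhaustive catalogue.
EXECUTABLE = {".exe", ".scr", ".com", ".bat", ".cmd", ".msi"}
ARCHIVE = {".zip", ".7z", ".rar"}
MACRO_CAPABLE = {".docm", ".xlsm", ".pptm", ".doc", ".xls", ".ppt"}


def looks_random(stem: str) -> bool:
    """Rough heuristic for a 'random string' name: mostly non-letters,
    or letters with no vowel at all. It will misjudge some honest names."""
    if len(stem) < 6:
        return False
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < len(stem) / 2:
        return True
    return not re.search(r"[aeiouAEIOU]", stem)


def triage(raw: bytes) -> dict[str, list[str]]:
    """Return {attachment filename: [reasons to be cautious]} for one message."""
    msg = message_from_bytes(raw)
    findings = {}
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # message body or multipart container, not an attachment
        path = PurePosixPath(name)
        ext = path.suffix.lower()
        reasons = []
        if ext in EXECUTABLE:
            reasons.append("executable: do not open from email")
            if len(path.suffixes) > 1:
                reasons.append("double extension hides the real file type")
        elif ext in ARCHIVE:
            reasons.append("archive: confirm with the sender by phone first")
        elif ext in MACRO_CAPABLE:
            reasons.append("Office file that can carry macros: do not enable macros")
        if looks_random(path.stem):
            reasons.append("filename looks like a random string")
        findings[name] = reasons
    return findings


def build_sample() -> bytes:
    """Constructed message; attachment names are made up and contents are harmless."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "student@example.org"
    msg["Subject"] = "URGENT: overdue invoice"
    msg.set_content("Please see the attached invoice.")
    for name in ("invoice.pdf.exe", "xk7q9z2w4v.xlsm", "photos.zip", "agenda.pdf"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reasons in triage(build_sample()).items():
        print(filename, "->", "; ".join(reasons) or "no flags (still verify the sender)")
```

An attachment with no flags is not proven safe; as the lesson says, there is no sure way to tell, so the advice to confirm with the sender still applies.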

Focus on Phishing

What is Phishing


Phishing is a cyberattack where attackers attempt to deceive individuals into revealing sensitive information, such as usernames, passwords, credit card numbers, or other personal details, by masquerading as a trustworthy entity.

"Phishing" is a play on the word "fishing," as attackers "fish" for information from unsuspecting victims.


Things to know about phishing:

Methods: Phishing attacks often occur via email, but they can also be carried out through phone calls (vishing), text messages (smishing), or fake websites.


Deceptive Emails: In a typical phishing email, the attacker might pretend to be from a well-known company, bank, or service provider. The email may contain logos, formatting, and language that make it look legitimate.


Urgent or Threatening Language: Many phishing attempts create a sense of urgency, prompting the recipient to act quickly. For example, an email might claim that the user's account will be suspended unless they click a link and update their details.


Malicious Links: Phishing emails often contain links that lead to fake websites designed to look like legitimate ones. Once on these sites, users might be prompted to enter personal information, which is then captured by the attacker.


Attachments: Some phishing emails contain malicious attachments that, when opened, can infect the user's device with malware.


Targeted Attacks: While many phishing attempts are broad and sent to a large number of potential victims, some are highly targeted. "Spear phishing" targets specific individuals or organizations, often using personalized information to make the attack more convincing.


Types of phishing


Phishing is spread by

 

 

Spotting phishing emails

More on Digital Certificates

• They are a cryptographic way to authenticate data (emails, documents, software), based on public and private keys.

• Purpose in emails:  Verifies identity and integrity

• Should be seen in businesses, government agencies, banks, healthcare and any other service where sensitive data is exchanged

• Digital signatures only provide authenticity; they do not encrypt emails

• View the digital signature on the address bar (padlock, checkmark, certificate), or in the email header (DKIM Signature or S/MIME) or on attachments (“.p7s” extension)

• You may also use digital signatures for important documents (loans, banking)

Finding the digital certificate:

Super challenge:

This quiz has 14 screens.  You look at the screen and decide whether it is Phish or Real.  When you are done, you can see the things that indicate that something was phishing.  

Tools to help determine if something is legitimate

How to spot phishing

There are ways to spot possible phishing attempts.  They include:

How can you tell if an email is malicious?

How to tell if an email attachment is legitimate


How to tell if a website is malicious

A scamming website performs its work in 3 steps:

1.    Bait:  Draw users in via email, social media, texts, messaging, other websites

2.    Compromise:  Users do something to expose information or devices to attackers

3.    Execute:  Attackers exploit the users to misuse their private information

Look for these clues:

How to identify an imposter scam:

Occasionally, you will be contacted by a specific person or representative of a business (such as bank) or government (such as IRS).  They might call, send a text or email.  Here are some warning signs that this may not be legitimate:

·         Money needed immediately

·         You need to pay a fee to get something for “free”

·         You won a prize, but they need more information

·         Something is wrong with your computer

·         A friend or relative needs to borrow money

·         A person or business requests money in the form of a gift card, wire transfer or prepaid debit

Other examples of scams

·         Social security scam calls

·         Parcel tracking text scam

·         Amazon Prime Renewal phone scams

·         Gift card scams

·         Navy Federal Credit Union scams through email

·         TSA Precheck Renewal

·         Email asking to validate your COVID-19 status

·         Scammers promoting local police support

·         Letter from a law firm telling you that you have inherited money

·         Note from company (Netflix) saying you need to update your billing information

·         Phone call from tech support saying your device is not working properly

·         Message from Publishers Clearing House claiming you are a winner



Activity:

Can you spot an online scam?  Try this short quiz to find out.

Apps: 

Can you get a virus from an app?

No, but you can get other forms of malware which may steal money, steal credit card information, steal contacts and sensitive photos, track your location, read text messages, save passwords, send SMS messages, and spend your money.

Can you get malware from an App from the Apple App store?

Unlikely, although it has happened.  To be sure, only install apps from the Apple App store.  These apps go through thorough testing and verification prior to release.  Your iPhone is protected as long as you did not jailbreak it or use third party apps. Apps outside the Apple App store require that you jailbreak the phone.

Can they be trusted? Short answer no!

·         Not necessarily safe if in the Google or Apple App store

·         Definitely can be unsafe if not on the Google or Apple App store

·         Who makes the app?  Special caution for beauty apps, VPN apps, and antivirus apps

Tips on how to tell if an app is safe:

·         Find out how the app uses your personal information.  If it is sharing with others, it could be malicious. How do you know?  First, if it is free, they are not obligated to disclose their advertising and tracking service, so it is probable they are tracking you.

·         Permissions:  The app may require permission for certain features.  For example, a heart rate workout tracker would want access to your health data, and you might have to enable certain aspects of that health data.  Once set up, the permissions are granted and the data will be exchanged.  Make sure it makes sense.  A flashlight app will need access to the camera flash, but nothing else.  A book app does not need access to the camera.  On an Android device, app permissions are included in settings.  On the iPhone, clicking on the app in settings will show you what it has access to.  Beware of apps which ask for lots of permissions (such as managing files, using contact information from friends, or the camera).

·         Understand when and why the app will track your location.  This information would be part of the license agreement that we often scroll past.

·         More research on the app:

o   Look at the developer’s name right under the app’s name.  You can do a Google search to find more information about the developer such as a website.  If they have created a number of apps (well-reviewed), then it is probably safe.

o   Look how many times it has been downloaded.  The more downloads, the safer it may be (to an extent of course!)

o   Look for an app that has been around for a while, but has been recently updated.  In the Google Play store, you can find this information under “read more”. 

o   Read reviews.   There should be lots of reviews, and they should have some positive and some negative points in them.

o   Spelling and grammar errors:  Since often apps are created in other countries, the grammar or spelling may be incorrect.  This is a red flag.

o   Unbelievable discounts:  If it seems too good to be true, it probably is!

·         Avoid third-party apps:  These are ones which are found outside the App Store or the Google Play Store.  Third party apps bypass security measures making it easier for a hacker to infect your device with a bad app. 

·         NOTE:  If you suddenly have lots of ads after downloading an app, you may be a victim of “targeted advertising”.  Although not malicious, they can be annoying and might slow down the phone.  Delete any apps which seem to get these ads. 

What to do if...

You are contacted by a scammer:

You are a victim of an imposter scam:


You are hacked

If your computer is acting differently (can’t turn it off, running slowly, opening pages you didn’t select, popups) then you may have been hacked.  Steps to take:

You are the victim of a data breach

A breach typically exposes personal information and not passwords, but if there is a concern, change your password.  If you have used the password in other places, change it there too.  If your account has been hacked as well, you will need to confirm or repair all recovery information.  Consider two-factor authentication.  Additionally, if your accounts are breached, you can:

•          Freeze your credit.  Make sure to include all three credit bureaus

•          If it was your phone account, change your cell phone account password and PIN numbers.

•          Consider multifactor authentication

•          Follow the advice of data breach letters and take advantage of free monitoring if offered

•          Be on the lookout for phishing.  They may want to exploit what they know already.

•          Monitor your financial accounts (credit cards, banking, utilities)

•          Contact the DMV if your license has been exposed


Resources when your identity is breached:


What can you do for a safer you?

Use a good antivirus program

There are many antivirus programs available.  Some are free, others have costs involved.  Unfortunately, you may find that the antivirus program you downloaded is actually malware!  And, when googling antivirus programs, you may end up with malicious sources as well.  The go-to site for the best antivirus programs is AV-Test, which is an independent IT-security institution.  On this site, you choose your device (mobile Android, Windows, Mac or Business) and you can see the operating systems which were tested during that period.  Programs are tested for protection, performance, and usability.  Some will receive top billing.  For example, the top-rated antivirus programs for Windows 10 are:  Avira, Bitdefender, Kaspersky, Quick Heal and Trend Micro.  Unfortunately, among the lowest scoring for protection is Microsoft Windows Defender.  You can learn more about this by visiting their website at:  av-test.org

Use a safer browser, and look for certain features:

·         Web of trust (https://www.mywot.com/):  Uses community input to verify the safety of a site.  Needs to be installed on each browser.

·         Web address:  HTTPS should begin the web address if you are putting in sensitive information like address, birthday and credit card information

·         Security symbol:  Besides HTTPS, you should also see a lock somewhere in the browser’s address bar.

·         Update your browser regularly.  Each browser has its own way of doing this, so become familiar with your browser.  (Google Chrome:  Settings > About.  It will tell you if it is up to date.)

Use a strong password:

·         Strong (over 8 characters, including letters, numbers and symbols).  Mix letters and numbers.

·         Do not use personal information in a password

·         Use a password generator to set one up, and to store passwords.  Examples include LastPass (https://lastpass.com/) or Dashlane (https://www.dashlane.com).

·         Do not share with others

·         Don’t store them on your device.  If you must, hide and encode.

Consider using a VPN:

A VPN (virtual private network) is a method used to add security and privacy to public and private networks.  It allows the user to send and receive data across public networks, using a private network instead of the public network.  There are many types of VPNs.  Some are free, and others cost money.  It is better to pay for your VPN, as the free ones may often violate privacy standards.  Remember if you are using your own Wi-Fi or a cellular connection, you probably do not also need a VPN.  Also, if your surfing on public Wi-Fi systems is pretty basic (web searches, basic websites), then a VPN is not necessary.  

A VPN protects your online identity and the data you send online.  It does not protect you from malware or phishing scams, nor does it protect the data on your devices.  Some possible suggestions from various sources:

·         ExpressVPN (https://www.expressvpn.com/)

·         NordVPN (https://nordvpn.com/)

·         Mullvad (https://mullvad.net/en/)

·         TunnelBear (https://www.tunnelbear.com/)

The website whatismyipaddress.com lists a number of VPNs and includes some specifics about them.  While you are there, learn more about IP addresses, checking who sent you that email, and whether you are blacklisted.  Someday, we will do more on this interesting topic!

Consider using your cellular hot spot or purchasing a hot spot:

Many cell phones offer the capability of using your cellular connection as a portable Wi-Fi network.  This is especially useful when you are away from home and want to access a sensitive site.  The process involves setting up your phone for this, which will include a password, then opening your other device and looking for your phone's network.  You will have to enter the password from your phone on the other device.  A purchased hot spot will be set up in a similar fashion.

Additional resources

Website:  What are some common email scams and what can you do to avoid them?  This is an interesting assortment of them.  Particularly intrigued by Swatting...

Activity:  How good are you at spotting Email scams?  BTW, I took these quizzes and did miss a few.  Fun way to see how much you learned!

Website:  All about Email scams.  Includes activities and lots of examples.  

Resource: Have you been a victim of Identity Theft? Visit the Identity Theft Government site to learn more. 

Resource: Hacking is a problem that seems to affect all of us at one point or another. Here is a great informational site on hacking. 

Interesting web article:  How does the information used by hackers become available?  Follow this story as the author goes onto the dark web to discover more about Russian hackers.  

Adware:  Learn more about adware, and then learn how to clear your browsers of adware.  

RAM scraping:  How do they do it?  This article outlines how RAM scraping is done.  Maybe a little technical, but eye-opening!

Website:  The FDA offers some tips on preventing skimmers at the pump.  Very informative!

Online presentation:  At a 2018 conference, information was presented on some prominent Russian hackers.  This presentation shows what they did, how much money they made, and what was used.  Very fascinating!

Video: Street Smarts for Seniors, a presentation by the Brooklyn Police Department.  It is about 30 minutes long, but easy to follow and very useful.  

Tutorial: Avoiding Malware from GCFLearnFree

Flyer: Basic tips for online safety

News article: Sure, a VPN offers secure connections. But they are not all the same. And some are worse than public Wi-Fi! 

News article: Here are some of the more reputable VPNs (includes more information on VPNs)


Video:

Miss the class?  Or want to hear it again?  View the video taken from Tuesday's class.

After completing the lesson, do this on your own: