6.1 Data Security

Specification

  • Explain the difference between the terms security, privacy and integrity of data

  • Show appreciation of the need for both the security of data and the security of the computer system

  • Describe security measures designed to protect computer systems, ranging from the stand-alone PC to a network of computers

    • including user accounts, passwords, authentication techniques such as digital signatures, firewall, anti-virus software, anti-spyware, encryption

  • Show understanding of the threats to computer and data security posed by networks and the internet

    • including malware (virus, spyware), hackers, phishing, pharming

  • Describe methods that can be used to restrict the risks posed by threats

  • Describe security methods designed to protect the security of data

    • including encryption, access rights

There is a sub page describing how encryption works in further detail, should you be interested.

The Value of Data

Introduction

Think for a moment about the different kinds of data that is held by a company. It could include, for example, information about who your customers are, who owes you money, who you owe money to, current orders, information about orders you are trying to win, details about your staff, how much they're paid, meetings that have been arranged and so on. Imagine if it disappeared! What would the consequences be?

Why is data valuable?

Data is valuable for a number of reasons. It takes time to compile, a long time! It takes time to input the data into the computer. To recompile data or re-enter it into a computer is expensive because you have to pay someone to do it, when they could be doing something far more productive for your company. You need information about an order placed with your company so that you can process the order and then be paid for it - that's how your company makes a profit! You need to know when to pay your bills and taxes so that you don't get taken to court. You need to be able to chase up people who haven't paid you so that you can pay your bills and keep trading.

Commercial data is valuable

If you were running a supermarket and you lost the data in your stock control system, you wouldn't know what you had on the shelves. You wouldn't know when you needed to re-order stock and you would lose money while you sorted out the problem. If you kept historical data on your supermarket's computer and you lost that, you would lose valuable information about product trends, for example what sells well and at what times, and what doesn't sell very well. This would have an effect on your business's potential to maximise its profits. If you were in the business of offering loans to people, you would want to be able to check their financial background before you handed over any money to them, in case they had a criminal record for fraud, for example! If credit agencies suddenly lost all of their data, then loan companies wouldn't be able to ask them about individuals who have applied for loans. Imagine if credit companies lost all of their data! They wouldn't know who owed them money. If you were in the business of data warehousing or data mining (see later in this section) then losing your data would be catastrophic. Your whole business is based on having historical data to work with! Take this opportunity to review a backup strategy that a company might employ to protect their data. Remind yourself about the need for a written procedure, about what information would go in a procedure and what hardware might be used in a backup regime.

What might cause a company to lose its valuable data?

This could happen in a number of ways, including hardware failure, software failure, losing data because of a virus, hacker or espionage, or having the equipment that data was on stolen. Data could be accidentally deleted by an employee, or deliberately stolen by them. There might be a natural disaster like an earthquake, or a terrorist incident.

Security, privacy and integrity of data

Security, privacy and integrity of data

With so much data now held in digital form, it is possible to copy and distribute it via the Internet within seconds to anywhere in the world. This has serious implications. Nobody, for example, wants their medical records or financial dealings to be freely available to anyone. We all expect organisations that hold our details to keep them private and to take effective and proactive steps to ensure they do. Organisations have both a moral duty and a legal obligation to keep our details safe. The Data Protection Act 1998 in the UK and various pieces of legislation in Europe and in other individual countries try to ensure this. We also expect organisations to ensure that the data they do keep about us is up-to-date and accurate so that when it is used, it leads to decisions being made based on good data, not out-of-date data.

One form of attack you hope a company has worked to prevent is a SQL injection hack. If you are not sure what SQL is, it is covered in 1.8 Databases.

Security of data

This term relates to protecting data from unauthorised users. It is concerned with the steps that are taken to ensure that only those people with the need and right to view data can actually do so. It covers protecting access to data, picking up accidental or malicious changes to data that compromise data integrity and also the steps taken to protect the systems that data is held on. Through these aims, security of data also covers the need to ensure adequate steps are taken, through backups, so that data can be recovered if lost or corrupted.

Privacy of data

This term relates to our expectation that our data belongs to us and nobody else. We can give permission for our data to be used by somebody else, and if an organisation is collecting data about us, we should be made aware in advance of what they will do with it. Ultimately, though, we own our own data and expect it to be protected from viewing by unauthorised viewers. We expect organisations to have systems in place that reduce the chance of unauthorised access to our private data.

Integrity of data

This term relates to our expectation that organisations that keep data about us take proactive steps to ensure that the data is accurate and up-to-date. When data is collected and processed, we expect that data to be correct. Organisations should have procedures to ensure that any accidental or malicious changes to data are detected and corrected in a timely fashion.

Security measures to protect systems and data

An organisation can take a number of practical steps to keep information private and confidential:

  1. It can ensure that a named person is responsible for ensuring that the organisation's Data Protection Act (DPA) policy is enforced efficiently. This would ensure that employees are very clear about their responsibilities.

  2. The Data Protection Act should be followed to the letter. This means, for example, that data should be deleted when it isn't needed any more and shouldn't be sent to countries that don’t have legislation comparable to the DPA 1998.

  3. The organisation should ensure that access to the hardware that holds the data is restricted. This could be done by ensuring the hardware is in locked, secure rooms that can only be accessed by authorised users.

  4. The organisation could ensure that data files are password-protected, to ensure that unauthorised people who gain access to the files can't open them.

  5. Data could be encrypted using a software encryption tool such as PGP (Pretty Good Privacy). This means that even if the data is accessed or intercepted whilst being emailed, it can't actually be read.

  6. The organisation can ensure that the back-up policy in the organisation is being followed and that the back-up copies of data are themselves held securely and in encrypted form.

  7. Regular checks on computers for spyware, for example, should take place.

Maintaining the privacy of data

The Data Protection Act 1998 requires that an organisation take steps to keep data secure. Any computer system that is accessible to people, either physically or over a network, has a problem - how does it make sure that only those people who should have access to data or resources on a network can do so and everyone else is excluded? How can it ensure that it keeps data secure? There are a number of ways to do this:

  • Logins and passwords

  • Firewalls, proxy servers and authorisation.

  • Firewalls and authorising a user from outside a LAN.

  • Encryption techniques.

  • Authentication techniques using digital signatures and digital certificates.

Logins and passwords and 'views of data'

Computer systems which hold data should not be accessed by just anyone. Only an authorised user should be able to log on to the system. This means that they should have their own login and password. In addition, just because somebody can log in to a computer system, doesn't mean they should be able to access all of the data on it. When somebody sets up a new login and password for a new employee, they also have to set up what folders and files that person can view and what they can do with them, that is, what rights they have, e.g. to view a file, delete a file, amend a file and so on. This is known as the 'view of data' somebody has. Although everyone in an organisation can access the same computer system with all of the data, each employee sees their own personal view of that data, depending on what job role they perform and what data they need to carry out that job. They cannot see any data that has nothing to do with their job role. Teachers, for example, can get access to a student's academic records and details about how to contact home, but they have no access to any medical records that the school may have about you on its system. On the other hand, the school nurse will be able to access your medical records but not your academic ones. The Head may be able to access all data.
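The login step and the 'view of data' described above can be sketched in a few lines of Python. This is an added example, not code from the original page: the account names, passwords, the student record and the exact rights given to each role are constructed for illustration, and storing passwords as salted hashes is an assumption about how the logins are kept.

```python
import hashlib
import hmac
import os

# Rights per job role: which categories of a student record a role may act
# on, and how. Anything not listed is refused (default deny).
# The exact rights are constructed for this example.
RIGHTS = {
    "teacher": {"academic": {"view", "amend"}, "contact": {"view"}},
    "nurse": {"medical": {"view", "amend"}},
    "head": {
        "academic": {"view", "amend", "delete"},
        "contact": {"view", "amend", "delete"},
        "medical": {"view", "amend", "delete"},
    },
}


def _hash(password, salt):
    # The system stores a salted hash, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(role, password):
    salt = os.urandom(16)
    return {"role": role, "salt": salt, "hash": _hash(password, salt)}


# Constructed logins for the three job roles in the text.
ACCOUNTS = {
    "mrs_patel": make_account("teacher", "Tr1angle-kettle"),
    "nurse_jones": make_account("nurse", "plaster-Box-42"),
    "the_head": make_account("head", "assembly-9am-Hall"),
}

# Constructed student record, split into the categories the text mentions.
STUDENT = {
    "academic": {"maths": "B", "computing": "A"},
    "contact": {"home_phone": "01632 960000"},
    "medical": {"allergies": "penicillin"},
}


def login(username, password):
    """Return the user's role, or None if the login or password is wrong."""
    account = ACCOUNTS.get(username)
    if account is None:
        return None
    attempt = _hash(password, account["salt"])
    # compare_digest takes the same time whether or not the hashes match.
    if not hmac.compare_digest(attempt, account["hash"]):
        return None
    return account["role"]


def allowed(role, category, action):
    """True only if this role has been given this right on this category."""
    return action in RIGHTS.get(role, {}).get(category, set())


def view_of(role, record):
    """Return the part of the record this role is allowed to see."""
    return {cat: data for cat, data in record.items()
            if allowed(role, cat, "view")}


if __name__ == "__main__":
    for user, pw in [("mrs_patel", "Tr1angle-kettle"),
                     ("nurse_jones", "plaster-Box-42"),
                     ("mrs_patel", "guess")]:
        role = login(user, pw)
        print(user, role, sorted(view_of(role, STUDENT)))
```

A failed login returns no role, and a missing role has no rights, so the view it gets is empty.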

Firewalls, proxy servers and authorisation

A firewall is a network security system that monitors and controls the incoming and outgoing network traffic based on predetermined security rules. A Firewall, according to the British Computing Society's 'A Glossary of Computing Terms', "is a computing program used in a large computing system to prevent external users (even if authorised) getting access to the rest of the system. Network users' access is restricted to a small part of the system and the firewall software prevents a user (including unauthorised users) accessing data or executing any programs in the rest of the system". When a user on a network wants to access data or applications held in a main server, it sends a request for the information. The request is intercepted by the firewall (often sitting in a proxy server). A proxy server is simply a server that has been set up to control access to the main server. The firewall program will look at the request and the information about the user that is automatically attached to it. It then checks both that the user is valid and that they have the right to the information they are requesting. It is able to do this because it holds a database of all the users and their associated rights - it just needs to look up its database! If the request is valid, then the firewall will send a message to a proxy server to retrieve the requested data. The proxy server will then access the data from the main server and pass it out through the firewall to the user. The user cannot access the main server directly but must go through the firewall and proxy server. Firewalls can exist outside of proxy servers, but the combination of the two together is often enough to ensure only authorised access from an untrusted network.

Firewalls and authorising a user from outside a LAN

Many computer networks are set up so that users can dial into them to retrieve files and use their resources. To ensure that only authorised users can dial into the network, a firewall program on a proxy server can be used. A user dials in to the network with a user ID and password. The firewall looks at these and also looks at the other information automatically attached to the request, such as the individual's IP address. Using all of this information, it attempts to authorise the user. If the user can be validated, then access is granted. The user, however, will continue to work through this firewall and proxy server and will not have direct access to the network itself.

Encryption

As a last line of defence, sensitive data should be encrypted. Encryption is a technique that takes data and scrambles it so that it doesn't make any sense until you decrypt the message. Users may want to encrypt data for various reasons. For example, data may be encrypted as part of a company's procedures to comply with the Data Protection Act (to keep data secure). It may be that sensitive emails are being sent, for example holding medical, financial, national security or legal information. Remember, emails are sent across the Internet using packet switching. There are programs that hackers can use to 'grab' packets on a network. Since email is simple text, it would be easy to read a packet. It is also possible that you could send information to the wrong address or that messages end up in the wrong place by accident.

Encryption using PGP

Pretty Good Privacy, or PGP, is a very secure method of encrypting data. It takes a message and applies some complex maths to it to scramble the data. PGP is freeware so you can download a copy of PGP from http://www.tucows.com/ and try it out. There are lots of people interested in PGP - if you do a search for it on the Internet, you will find a lot of information about PGP.

How does a pupil called Max use PGP to send secure messages to his friend Alfred?

If Alfred wants to return a secure message, he must ask Max to send him his Public Key first.

There is a section further down with more information on encryption.

Authentication and digital signatures

When someone sends you an email, how can you be sure that it comes from whom you think it comes from? You can achieve this by using digital signatures. PGP can be used to sign an email digitally, with a special signature. It works like this.

  1. Alfred writes an email to Max.

  2. He digitally signs it. By that, we mean that the PGP program takes the message and Alfred’s Private Key and then generates a signature (a mixture of characters from the keyboard). The signature is attached to the email.

  3. Alfred then sends it.

  4. When Max receives it, he opens his PGP program and uses Alfred's Public Key to check the signature. If there is any change in the message or Alfred's Private Key hasn't been used, then Max will be told by the computer that authentication has failed and he should consider that the message is not from Alfred or has been compromised.

Digitally signing emails is a very good way of letting your users check communications received. You do not want anyone pretending that they are you and your users need a way of being confident that an email is from who it says it's from. It can be used to help businesses as well because if a business sends you a communication that has been digitally signed, then there is no way they can say that they didn't send the communication in the future, perhaps when there is a disagreement about the details of a contract.

Digital certificates

A digital certificate is another way of proving who you are when you do business on the Internet. Suppose somebody wants to buy something from an online shop. How do they know that the shop is a genuine shop? What is stopping a con artist from setting up a shop online, supposedly ‘selling’ bargains, collecting credit card numbers from unsuspecting buyers and then using them for illegal activities? What is to stop somebody setting themselves up as a virus-protection company and then getting you to download viruses? The answer is very little, which is where digital certificates come in. If a web site has been issued with a digital certificate it means that it is connected to a real person with a real address and a real phone number. Certificates are only issued by special companies after a series of stringent security checks. If someone goes to a web site to buy something and the web site has a genuine digital certificate, it increases the confidence of that buyer to do business with the web site. Remember that there are still a lot of people out there who are not happy using their credit cards online because of the very real problem of fraud. Digital certificates have been designed to help overcome that fear.

A Certification Authority issues the certificate. They will carry out a number of checks on a business before issuing a certificate to them. Once the web site owner has the certificate, they can display and use it on their web site. The certificate contains the name of the business, their Public Key and digital signature, a reference number, an expiry date for the signature and the digital signature of the Certification Authority. The digital signature of the Certification Authority is included so that someone can check that the actual certificate is a genuine one.
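The signing steps in 'Authentication and digital signatures' and the certificate check described above can be followed in code. This is an added example, not part of the original page and not how PGP itself is implemented: it uses simplified textbook RSA with constructed teaching keys built from well-known primes, and it assumes Alfred's Public Key reaches Max inside a certificate signed by a Certification Authority.

```python
import hashlib
from datetime import date

E = 65537  # public exponent shared by every key below


def mersenne(k):
    return 2**k - 1


def make_keypair(p, q):
    """Build (public_key, private_key) from two primes: (n, e) and (n, d)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)


# Constructed teaching keys. The primes are famous Mersenne primes, so anyone
# could rebuild the private keys: never use keys like these for real data.
ALFRED_PUBLIC, ALFRED_PRIVATE = make_keypair(mersenne(521), mersenne(607))
CA_PUBLIC, CA_PRIVATE = make_keypair(mersenne(607), mersenne(1279))
IMPOSTOR_PUBLIC, IMPOSTOR_PRIVATE = make_keypair(mersenne(127), mersenne(521))


def digest(data, n):
    """Hash the data down to a number smaller than the key's modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data, private_key):
    """Step 2: combine the message hash with the sender's Private Key."""
    n, d = private_key
    return pow(digest(data, n), d, n)


def verify(data, signature, public_key):
    """Step 4: undo the signature with the Public Key and compare hashes."""
    n, e = public_key
    return pow(signature, e, n) == digest(data, n)


def certificate_body(cert):
    n, e = cert["public_key"]
    return f"{cert['name']}|{n}|{e}|{cert['expires'].isoformat()}".encode()


def issue_certificate(name, public_key, expires, ca_private):
    """The Certification Authority signs the name, key and expiry date."""
    cert = {"name": name, "public_key": public_key, "expires": expires}
    cert["ca_signature"] = sign(certificate_body(cert), ca_private)
    return cert


def check_email(message, signature, cert, ca_public, today):
    """Max's checks, in order. Returns a verdict string."""
    if not verify(certificate_body(cert), cert["ca_signature"], ca_public):
        return "certificate not genuine"
    if today > cert["expires"]:
        return "certificate expired"
    if not verify(message, signature, cert["public_key"]):
        return "authentication failed"
    return f"signed by {cert['name']}"


# Constructed sample data.
TODAY = date(2024, 6, 1)
ALFRED_CERT = issue_certificate("Alfred", ALFRED_PUBLIC, date(2025, 1, 1),
                                CA_PRIVATE)
MESSAGE = b"Max, meet me at the library at 4pm. Alfred"
SIGNATURE = sign(MESSAGE, ALFRED_PRIVATE)

if __name__ == "__main__":
    print(check_email(MESSAGE, SIGNATURE, ALFRED_CERT, CA_PUBLIC, TODAY))
    changed = MESSAGE.replace(b"4pm", b"9pm")
    print(check_email(changed, SIGNATURE, ALFRED_CERT, CA_PUBLIC, TODAY))
```

Changing one character of the message, signing with a different Private Key, or altering any field of the certificate each produces a failure verdict rather than "signed by Alfred".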

Backing up data

Have you ever lost work you have done on the computer? Do you backup your work onto a pen drive every time you do some work on the computer? If you don't, you should! Given the amount of coursework you probably have to do, it is a wise approach keeping up-to-date backup copies of work that goes towards your final course grades! Your teacher would have told you to do this many times and you will get little sympathy from anyone if you lose work! Companies must also back up their work. If you lose your work, you can start again - not much fun but possible. If a company loses files they could go out of business. People could lose livelihoods. Data is valuable to an organisation. It takes companies years to build up a customer base. Getting data into a computer takes time. Businesses today are run on computers.

Operating systems usually come with utility programs to allow you to take back-ups. Typical options include the ability to take an entire 'snapshot' of your hard drive (called a 'system image') so that if your hard drive fails, you simply replace it, and then run a recovery program on a pen drive or CD that loads the system image onto your new hard drive. Another option is to schedule back-ups so that back-ups happen automatically at a particular time of day. You can also tell your computer to do a full back-up (all of your data files), only back-up files that have been added or altered since the last time you did a back-up (called an 'incremental back-up') or only back-up files from certain folders. Most people used to back-up to an external hard drive but it is becoming more common to back-up to cloud storage now.

The last point about back-ups to make is that an untested back-up should not be depended upon. You should periodically test files being backed up to see if the process has been working correctly. Unfortunately, some people do not do this and find out that their system has not been backing things up correctly only when their hard drive fails! This can be a disaster, of course.
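An incremental back-up and a test of that back-up can be sketched as follows. This is an added example, not from the original page: the folder and file names are constructed, and changed files are detected by comparing SHA-256 hashes rather than by the file dates a real back-up utility might use.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def file_hash(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(folder):
    """Map each file's path (relative to folder) to the hash of its contents."""
    folder = Path(folder)
    return {p.relative_to(folder).as_posix(): file_hash(p)
            for p in sorted(folder.rglob("*")) if p.is_file()}


def incremental_backup(source, backup, last_snapshot):
    """Copy only files added or altered since last_snapshot.

    Passing an empty snapshot gives a full back-up.
    Returns (list of files copied, new snapshot of the source).
    """
    current = snapshot(source)
    copied = []
    for rel, digest in current.items():
        if last_snapshot.get(rel) != digest:
            target = Path(backup) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(Path(source) / rel, target)
            copied.append(rel)
    return copied, current


def check_backup(backup, expected_snapshot):
    """Test the back-up: report files that are missing or whose contents differ."""
    actual = snapshot(backup)
    problems = []
    for rel, digest in expected_snapshot.items():
        if rel not in actual:
            problems.append((rel, "missing"))
        elif actual[rel] != digest:
            problems.append((rel, "corrupted"))
    return problems


def demo():
    """Run a full back-up, an incremental one, then test a damaged back-up."""
    with tempfile.TemporaryDirectory() as tmp:
        source, backup = Path(tmp, "work"), Path(tmp, "backup")
        source.mkdir()
        backup.mkdir()
        (source / "essay.txt").write_text("draft 1")
        (source / "notes.txt").write_text("revision notes")
        full, snap = incremental_backup(source, backup, {})

        # One file altered and one added since the full back-up.
        (source / "essay.txt").write_text("draft 2")
        (source / "project").mkdir()
        (source / "project" / "plan.txt").write_text("plan")
        changed, snap = incremental_backup(source, backup, snap)
        clean = check_backup(backup, snap)

        # Simulate a back-up drive that has silently gone wrong.
        (backup / "notes.txt").write_text("rev")
        (backup / "essay.txt").unlink()
        damaged = check_backup(backup, snap)
        return full, changed, clean, damaged


if __name__ == "__main__":
    for label, result in zip(("full", "incremental", "test", "test after damage"),
                             demo()):
        print(label, result)
```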

For more on backup, see the section on failover below.

Current legislation

As computers have become more widespread, so the need for legislation has grown. There now exists legislation that seeks to protect our health and safety while working with computers, to protect our privacy, to ensure that those who seek to carry out criminal acts using computer technology are punished and to ensure that intellectual rights to material are protected. One major problem with any country's legislation, however, is that it is difficult to enforce those laws if the 'crime' is carried out in another country. The Internet is a worldwide phenomenon that crosses the boundary of every country. What is illegal in one country may be perfectly legal in another country, or may simply be impossible to enforce. There are lots of good sources that deal with this issue on the Internet. Search Google using keywords like privacy, legislation, Data Protection Act, European privacy legislation, SPAM, junk mail, cookies and so on.

Disk mirroring strategies and failover

Introduction

If an organisation's network or key pieces of hardware fail for whatever reason, it might have serious implications for the organisation. They would lose all of their employees' records. They would lose all of the data about the products they sell. They wouldn't know who has paid them for products and services and who still owes them money, and they wouldn't know what bills need to be paid. They would lose all the information about past and present customers and all the information about marketing and advertising. Losing data could be so serious that they might even go out of business. If some of the network hardware failed on your school or college network, you might lose all of your controlled assessments or other project work. The school might lose all of its information it needs to run the school and information about you, for example, contact information in case you have an accident. The data must be kept secure. Another way to achieve this is called disk mirroring, or 'failover'.

Failover

All equipment will fail eventually. Moving parts wear out. Dust gets into equipment and stops them working properly. There are other reasons, too. So that a business can continue as normal in the event of a serious hardware failure, organisations often use 'failover'. Failover is the term used when you have a second, identical piece of equipment that can start working automatically if the first main piece of equipment fails.

For example, one key piece of equipment on a client-server network is the server. This manages the entire network of personal computers, printers and other hardware on the network. If the server fails, the whole network will not be available for anyone to use.

Network designers often include a second, back-up server on a network. This second server has a mirror image of the software and files on the main server, and is constantly updated. If the main server fails, then this second server starts up automatically so that users on the network can carry on as normal. They won’t even know that there has been a major hardware problem. The network manager can then arrange to get the main server fixed.

You could ask your Network Manager if they have a back-up server that kicks in automatically in case the first one fails. You could also ask about the back-up system in place. Are magnetic tapes used? How is the back-up system organised? How often are back-ups taken? Have they considered using cloud storage for automatic back-ups if they don't? Why do they / don't they use cloud storage?

Network security and potential threats

Introduction

There are many threats to security on a network. In this section, we will detail the most common ones and how to deal with them.

Viruses, worms and trojan horses

A virus is a program that has been written by someone. It can replicate itself, be attached to files and applications and can cause a lot of damage because it can change the contents of your hard disk as well as use up your memory. They can spread very quickly, usually by shared storage devices or email attachments. Ideally, you should never share storage devices. You should never open an email attachment unless you know and can trust where it comes from (by checking a digital certificate, for example). Attachments to be especially careful of include file names ending in .exe .bat .pif .scr and .vbs. Other types of viruses include ‘Worms’ and ‘Trojan horses’. Worms are programs that can spread themselves via vulnerable network connections. They are standalone programs, unlike viruses, which ‘piggyback’ on other programs. In addition to unauthorised use of systems and causing damage, they can take up a lot of bandwidth as they spread and slow networks right down. A particularly nasty one called MSBlaster affected computers worldwide in August 2003. It spread very quickly, hunting for computers on the Internet without a firewall. When it found one, it jumped into the computer through the open communication port and infected it without the user knowing - until their PC closed down every time an Internet connection was made!! Another one, W32.Sobig.F@mm mails itself to all the email addresses it can find on an infected computer. Trojan horses are viruses hidden inside seemingly innocent programs. They, too, can cause major problems for your computer.

You should always have an anti-virus program on your computer and you need to ensure that the virus patterns are always up-to-date. Updating virus patterns typically happens at least once a day. An up-to-date anti-virus program will catch most viruses, worms and trojan horses most of the time.

Spyware and adware

These are both types of malicious software (called 'malware' for short). Spyware is the name given to software that gets access to your computer without you knowing, often because you have downloaded and installed free software from the Internet. Spyware can change the settings on your computer and interfere with or slow down your internet experience. Spyware can also gather information silently about your computer habits and personal information and transmit them to unauthorised people. Adware is software that gets access to your computer, again usually because you have downloaded free software from the Internet or you have downloaded legitimate software but it came bundled with adware. You often have the option to not install adware when installing any software so be careful about just clicking OK - OK - OK when installing new software! Always check to see if there is a screen that is asking if you want to install extra software that has nothing to do with the main software. Adware can cause adverts to pop up on your screen, can add adverts to whatever browser you are using and can be very annoying.

You should frequently run software designed specifically to identify and destroy spyware and adware. Two such programs are:

https://www.malwarebytes.org/

and Adaware from

http://www.lavasoft.com/

Phishing

This is a term used to describe when criminals try to get hold of your credit card details or other personal information by pretending to be someone they are not over the Internet. They do this by sending out bogus emails, e.g. pretending to be from a bank and asking you to confirm passwords for security reasons, or by setting up a web site that looks like it is a legitimate business and luring you into entering personal data, perhaps by advertising very cheap prices for goods. Despite numerous warnings that organisations never ask for personal details by email, and reminders that if an offer is too good to be true, it probably is, people fall victim to Phishing attacks regularly and can suffer huge financial losses.

Cookies

A cookie is a text file deposited onto your computer by a website that you have been to. When you next visit the website, the cookie detects that you have been there before and can display content based on what has been accessed previously or can retrieve information entered last time, such as personal details or account details. It's not a threat to your computer as such but many people block cookies on their computer because they don’t like the idea that information is being collected about their surfing habits and, potentially, being sent back to the websites that they visit. Websites are now legally required to ask your permission to put a cookie on your computer.

Hackers and hacking

Hackers try to get unauthorised access to your computer by 'hacking' into it (breaking in to it). Firewalls, described later, are an excellent way of preventing hackers from getting into a network and most companies and individuals set one up on their system.

http and https

When you request a website from a web browser, it is sent to your computer using a set of standards known as http. This is not secure so somebody potentially could intercept this communication and see what has been requested. If you are sending, for example, your personal details or a password across the Internet using a web page, or requesting a web page with your personal finances on, then there is a serious risk these details could be intercepted and used for criminal activities, such as stealing from your bank or identity theft. To prevent this, companies use the https protocol rather than the http one. https stands for Hyper Text Transfer Protocol Secure and is the secure version of http. If you are using an https website then you can reasonably expect that you are communicating with the website you were intending to communicate with and that any communications are encrypted automatically so can't be intercepted and used by criminals.

Free hotspots and https

You should assume that at all times on a public network, someone else is watching what you have on your screen and can see all of your communications. When you use a free local hotspot with WI-FI on a phone, tablet or laptop, your communications are especially vulnerable. Anyone on these types of unencrypted networks, with the right freely available software, can capture the packets of data that make up communications across networks and can steal any information you send or receive. It is also perfectly possible for an unscrupulous criminal to set up what appears to be a free local hotspot for you to use, which you unwittingly connect to. They can then easily see everything you are doing on your computer. It is very important to only use encrypted communications across any public network and to use https at all times for anything sensitive. However, the best course of action is to not use public networks for anything at all that is sensitive.

Virtual Private Networks (VPNs)

Many people go on holiday, go travelling or go on business these days and they need constant access to the Internet. We know that this presents a serious security risk, so what can people do? The best solution by far is to ensure that all communications between you and whatever websites you are using on a public network or a network that you cannot trust are encrypted. The best solution is to rent a Virtual Private Network service. This can cost just a few pounds a month. What happens when you sign up is that you download and install some client software. When you go to a public hotspot and log on, the client software makes contact with the VPN service and your computer and the VPN exchange security keys, to verify to each other that you are authentic. Once this has been done, all of your communications are encrypted and go via the VPN service. Apart from encrypting everything, the VPN service masks your IP address. This can be useful if you want to watch your favourite program on catch-up TV via the Internet whilst on holiday but you can only do so if you are in the UK.

No system is 100% secure

Of course, it is possible for the VPN service to intercept your communications if they wanted to. Companies and individuals who are concerned about this check carefully in the Terms and Conditions whether a VPN company logs communications. Most don't, but the weak link in any 'secure' system is the employees, who could do something unauthorised or illegal if given an opportunity and reason!

Virus Protection Software

A virus is a software program written by someone on a computer in a programming language and then sent across the Internet by email or spread by people sharing storage devices. They are sometimes designed to do nothing more than annoy (like making your keys beep each time you press one on your keyboard) but they often do a lot of damage such as wiping your hard drive clean or allowing your computer to be accessed by a hacker remotely or allowing a hacker to control your webcam!

You often hear people advising you not to open or double-click attachments sent with an email unless you are absolutely sure where the email came from. If you do, you might install a virus on your computer. If you are lucky, your computer will be set up to check all of your emails and any attachments you open, but a virus might still get through your computer's defences. Microsoft have identified the file extensions in the table to be a potential threat to your computer. A file extension consists of the three letters that you can see after each file name, e.g. myHoliday.doc or NotVirus.exe. If you can't see the file extension in an email or in your file manager, it is because that feature has been switched off and you need to switch it on. In Windows, you usually have to go to My Computer - Folder Options and, on the View tab, remove the tick next to 'Hide file extensions for known file types' and then click on OK. It does vary between Windows operating systems but the process is similar for all of them.

There are all kinds of tricks that hackers use to try and get you to open an email attachment.

1. An email arrives telling you that your computer is infected with the latest virus in the news, and offers to remove it - all you have to do is click on the removal program attached! When you open the attachment, it disables your antivirus program and firewall. Then it installs a virus and reports to you that your computer is virus-free. The virus can then get to work.

2. Your friend sends you a file called "greatGame.exe". Your friend says they've played it and it's great, so you open the attachment by double-clicking on it. The problem is, it contains a delayed action virus along with the game. You might get to play the game but now your computer has a virus. And all because you thought your friend knew what they were doing!

3. An email arrives that seems to come from Microsoft. The Microsoft heading and icons are correct and it looks real. The email tells you to patch your copy of Windows immediately as there is a security threat to your computer. The patch is attached to the message and as soon as you double-click it, you've disabled your firewall and anti-virus programs and installed a virus! It was a 'spoof' email, not from Microsoft.

4. Attackers can hide malicious attachments by using double extensions, e.g. "answers.txt.lnk" or "great_picture.gif.vbe". The extensions .lnk, .vbe and several others are usually hidden, so the file names you see are "answers.txt" or "great_picture.gif". When you double-click on them, you install a virus because .lnk and .vbe files can be used to do just that.
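The double-extension trick in point 4 can be checked for automatically before an attachment is opened. The following is an added example, not part of the original notes: the function names and the two extension lists are assumptions made for illustration (an illustrative subset, not Microsoft's table), and the file names are the ones quoted above plus constructed samples.

```python
import os

# Extensions Windows can run or interpret directly.
# Illustrative subset chosen for this example (an assumption), not a complete list.
RISKY = {".exe", ".lnk", ".vbe", ".vbs", ".scr", ".bat", ".cmd", ".js", ".pif", ".com"}
# Harmless-looking extensions that make a good disguise (also an assumption).
DECOY = {".txt", ".gif", ".jpg", ".png", ".doc", ".pdf"}

def classify_attachment(filename):
    """Return (verdict, shown_name).

    verdict is 'double-extension', 'risky' or 'ok'. shown_name is what the
    user would see if the final extension were hidden.
    """
    name = filename.strip()
    stem, last = os.path.splitext(name.lower())   # real (final) extension
    _, inner = os.path.splitext(stem)             # extension the user is shown
    if last in RISKY and inner in DECOY:
        return "double-extension", name[: len(name) - len(last)]
    if last in RISKY:
        return "risky", name
    return "ok", name

# Sample attachment names: the ones from the text plus constructed ones.
SAMPLES = ["answers.txt.lnk", "great_picture.gif.vbe", "greatGame.exe",
           "myHoliday.doc", "report.final.pdf"]

def scan(names):
    """Classify every attachment name in a list."""
    return {n: classify_attachment(n) for n in names}

if __name__ == "__main__":
    for name, (verdict, shown) in scan(SAMPLES).items():
        print(f"{name:24} {verdict:17} shown as: {shown}")
```

A mail filter or a careful user applies the same rule: judge a file by its last extension, never by the one in the middle of the name.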

The other main way of catching a virus is by sharing back-up devices like a pen drive. When you plug someone else's pen drive into your machine, if it has a virus, it could jump from their pen drive to your computer and infect your computer. When you plug a pen drive into your computer, the virus then jumps to it. If you take it to your friend's house, for example, and then plug it into their computer, the virus will jump to their computer, and so it spreads very quickly. Again, if you are lucky, your computer might stop the virus but on the other hand, it might not.

Anti-virus software is used to help protect your computer against viruses. It does this by checking potential viruses, e.g. a file that you have double-clicked on from an email, against patterns of known viruses that it keeps in its database. If it finds a match, it quarantines the virus or deletes it and then tells you. As thousands of new viruses are written every week, it is important to ensure that virus patterns are kept up-to-date. This can usually be done automatically. There are free versions of anti-virus software and there are also many paid-for versions. These often come with many additional features and support if there is a problem.

More on Hotspots

A hotspot is a place where you can get Internet access using wifi. Just as described in the section on setting up a home network, you connect to a wireless router, which has been set up by someone or a company who has paid an Internet Service Provider (ISP) for access to the Internet.

Unsecured hotspots

Hotspots come in various flavours. They can be 'open' or 'unsecured'. You just need to be within range of the wireless router (typically within 20-30 metres), select it from the list of available networks and you get connected without knowing a password. This might sound great - free access - but it comes with a serious set of security risks. The reason is that any data you send over an unsecured network (a network where you don't have to enter a password) is easily available for anyone with the right software to grab, and the software to do this is widely available on the Internet. So, for example, any photos you send or any email accounts you use can be easily seen by others. If you don't have some software called a Firewall set up properly on your connecting device, and you have 'file sharing' still turned on in your settings, it is also possible for someone to gain access to your hard disk. Just by connecting to an open network, you are opening yourself up to anyone else on that network! In addition, if you use someone's network without their permission, you may also be breaking the law.

Secured hotspots

Hotspots can be free but password protected. You have to be in range of the router and you need to know the password. Sometimes in a cafe, these are simply stuck to a wall for everyone to see and at other times, you have to ask the owner for the name of the network and the password. You then select the name of the network from the list that appears on your phone, tablet or laptop, for example, enter the password and you are connected. Sometimes, access is free but you have to set up an account, often using a mobile phone number to verify the account. You then get login and password details. Finally, there are hotspots where you have to pay. You pay a company a fee, usually by credit card, for so much access time. When you are within range of the company's router, you open up a browser, enter a login and password and you are connected, until your time runs out! With all public networks, there is a risk that your sensitive information can be grabbed by someone else. The same advice applies here as for unsecured networks. You should always use a Firewall and check that file sharing is disabled. Many people advise never to do any sensitive transactions over public networks, e.g. never do banking transactions. Browsing using a secure browser is also recommended.

Tethering

If you have two devices, one with 3G Internet access, e.g. a phone, and one without, e.g. a tablet with just wifi, it is possible with many phones to set up a hotspot. This is called 'tethering'. Typically, you have to find a box to tick in your phone's settings that tells the phone to turn tethering on. You have to give your temporary hotspot a name and sometimes a password or passcode, although this is also sometimes automatically generated for you. Anyone within range of your phone can then see the name of your hotspot in their list of available wireless networks. As long as they have the password or passcode, they can get access to the Internet using your phone! You need to be careful, though. For one, they might use up your bandwidth very quickly and you will have to pay for more. You might also be breaking your phone provider's terms and conditions. For example, you may have a package that allows unlimited Internet access but they will state that tethering is not allowed to protect themselves from excessive downloads. Your phone company may suspend your account if it detects a sudden surge of data being downloaded.

More on Encryption

Introduction to encryption

Encryption is the term used to describe how a message or indeed any data file is 'hidden' by scrambling its contents using a 'key', which is just a simple Maths formula applied to the data. If the data file has been intercepted by an unauthorised person, they will only be able to read the file if they have a key that can decrypt it. Lots of different types of data files need to be encrypted. For example, information on credit cards being used on the Internet needs to be encrypted to stop someone getting the details and going on a buying spree at your expense. Companies need to keep sensitive data away from prying eyes, banks need to keep financial and personal information private, armies need to be able to send secure communications on the battlefield and criminals try to hide their footsteps by encrypting things they don't want others to see. Although encrypting data might seem like a rock-solid way of hiding information, there are problems. Sometimes, a weak key is chosen and the files can be broken into easily. Sometimes, the key is hacked across the Internet or via insecure email, or someone in an organisation steals the key and uses it for their own reasons.

Introduction to symmetric encryption

This kind of encryption uses the same key to encrypt a file as to decrypt it. If you know the key, you can decrypt any encrypted file and this is one of the main problems with this kind of encryption. There is a distinct possibility that the key can be stolen or intercepted in transit as it is being shared.

Keys can be very simple. For example, you might have a key for a text file that says, 'Replace each letter with the one two positions further along in the alphabet'. So DAVID becomes FCXKF. To decrypt the message, you just need to know the key (the rule that describes how the file was encrypted originally). If a key is as simple as the one above, and you have enough data to work with, it wouldn't take you very long to work out how to break the code and find out what the key was. In practice, therefore, symmetric encryption uses codes that are a little more sophisticated than the one in this example. However, because of the fantastic processing power of computers, many codes that use symmetric encryption can still be cracked eventually using brute force – trying out every possible combination of a key until you find the correct one.

The most important early symmetric algorithm was called the Data Encryption Standard (DES) and was developed in the 1970s. This uses a 56-bit key, giving 70,000,000,000,000,000 (70 quadrillion) possible combinations. This is now considered inadequate as modern computers can find the key for the reasons just given. AES uses keys of up to 256 bits, giving far more combinations, and is considered far more secure (at the moment).
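The 'two positions along' key and the brute-force attack described above can be tried out directly. This is an added example, not part of the original notes: the function names, the small word list used to recognise English and the sample message are all constructed for illustration.

```python
import string

ALPHABET = string.ascii_uppercase
# Small word list used to recognise English; an assumption of this example.
COMMON_WORDS = {"THE", "AND", "AT", "ME", "TO", "OF", "IS", "IN"}

def shift(text, key):
    """Replace each letter with the one `key` positions further along (wrapping at Z)."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)          # spaces and punctuation pass through unchanged
    return "".join(out)

def encrypt(plain, key):
    return shift(plain, key)

def decrypt(cipher, key):
    return shift(cipher, -key)      # same key, applied in reverse: symmetric

def brute_force(cipher):
    """Try every possible key and keep the one whose output looks most like English."""
    def score(key):
        return sum(word in COMMON_WORDS for word in decrypt(cipher, key).split())
    best = max(range(26), key=score)
    return best, decrypt(cipher, best)

def keyspace(bits):
    """Number of different keys that exist for a key of the given length."""
    return 2 ** bits

# Constructed sample message, encrypted with the key from the text (2).
SAMPLE = encrypt("MEET ME AT THE STATION AT NOON", 2)

if __name__ == "__main__":
    print(encrypt("DAVID", 2))                          # the example from the text
    print(SAMPLE, "->", brute_force(SAMPLE))
    print("DES keys (56-bit): ", f"{keyspace(56):,}")
    print("AES keys (256-bit):", f"{keyspace(256):.3e}")
```

The shift rule has only 26 possible keys, so the search finishes instantly. A 56-bit key has about 72 quadrillion, and every extra bit doubles the work.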

Asymmetric encryption (public-key cryptography)

Asymmetric encryption is a very secure method of encrypting data. It takes a message and applies some complex maths to it to scramble the data. A digital signature uses this method to digitally sign emails, secure traffic, etc.

An analogy to public-key encryption is that of a locked mail box with a mail slot. The mail slot is exposed and accessible to the public – its location (the street address) is, in essence, the public key. Anyone knowing the street address can go to the door and drop a written message through the slot. However, only the person who possesses the key can open the mailbox and read the message.

An analogy for digital signatures is the sealing of an envelope with a personal wax seal. The message can be opened by anyone, but the presence of the unique seal authenticates the sender.
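The mail box and the wax seal can both be shown with a small key pair. This is an added example, not part of the original notes: it uses textbook RSA (one well-known public-key method) with no padding and a key far too short for real use, and every name in it is an assumption made for illustration.

```python
import hashlib

# Two well-known prime numbers. Real keys use primes hundreds of digits long.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
E = 65537                                   # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent (needs Python 3.8+)

PUBLIC_KEY = (N, E)     # the 'street address': safe to give to anyone
PRIVATE_KEY = (N, D)    # the 'mail box key': never leaves its owner

def encrypt(number, public_key):
    """Drop a message through the slot: anyone with the public key can do this."""
    n, e = public_key
    if not 0 <= number < n:
        raise ValueError("message too large for this toy key")
    return pow(number, e, n)

def decrypt(cipher, private_key):
    """Open the mail box: only the private key holder can do this."""
    n, d = private_key
    return pow(cipher, d, n)

def digest(message, n):
    """Turn a message (bytes) into a number smaller than n using SHA-256."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private_key):
    """Press the wax seal: made with the private key."""
    n, d = private_key
    return pow(digest(message, n), d, n)

def verify(message, signature, public_key):
    """Check the seal: anyone with the public key can do this."""
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)

if __name__ == "__main__":
    secret = int.from_bytes(b"HELLO", "big")            # constructed sample message
    cipher = encrypt(secret, PUBLIC_KEY)
    print(decrypt(cipher, PRIVATE_KEY).to_bytes(5, "big"))
    seal = sign(b"Pay Sam 10 pounds", PRIVATE_KEY)      # constructed sample message
    print(verify(b"Pay Sam 10 pounds", seal, PUBLIC_KEY))
    print(verify(b"Pay Sam 90 pounds", seal, PUBLIC_KEY))
```

Changing a single character of the signed message makes the check fail, which is how a digital signature shows both who sent a message and that it has not been altered.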

The above illustrates that the advice about never opening an attachment unless you really know where it came from and who sent it to you is very good advice!