Saturday, April 4, 2015

Email and Internet Safety

The use of email and the Internet has become such a key part of daily life that I wanted to write an additional post with more tips on how to safely browse through emails and the web. Although the following suggestions apply mainly to emails, links are presented on web pages in very much the same way, so the same safety principles outlined here can also be applied while browsing the web.

1. An Introduction to Attacker Tactics
First, it's important to be aware of the motives and tactics of attackers. One of the most prevalent motives of attackers is to obtain your personal information and/or gain access to your accounts. This type of attack, known as "phishing," usually attempts to appeal to your emotion in order to get you to click on a malicious link and provide sensitive, personal information, such as your account username and password. Attackers will often craft the link and its corresponding webpage to appear legitimate. I will provide an example of a phishing attack later in this blog post.

This attack is sometimes taken a step further in a tactic known as "spear phishing." Spear phishing is aimed at a particular organization or individual and draws on details gathered about the target beforehand. For example, the attacker may gather from your Facebook page that you work for a particular organization or have an account with an online retailer such as Amazon. The attacker will then include some of these details in the spear phishing email so that it appears legitimate. Remember that attackers will attempt to use any information they can glean from your Twitter, Facebook, Instagram, blog, etc. against you. Never post anything personal or that could in any way be considered sensitive.

Another common attacker tactic is to attach a virus (or other malware) to the email, hoping that you will download and run it on your computer. The malware may then steal your information, destroy your files, and/or attempt to spread to other devices on your network. This is especially dangerous in organizational settings, where one infected computer can spread the infection across the whole organizational network.

2. Before You Open The Email
The best way to avoid damage from a malicious email is to never open it in the first place. Here are a few questions I ask myself before ever opening a suspicious email:
  • Is there anything in the subject line that looks fishy?
    One of the first indicators of a malicious email is the subject line. Malicious emails often contain obscene subject content and/or spelling/grammatical errors. I list this step before checking the sender because even legitimate sender email addresses can be compromised by attackers and then used to send malicious emails to the contacts of the compromised email account. If the subject looks fishy, delete it--even if it appears to be from someone you know. That person's email account may have been compromised.
  • Does the sender appear legitimate?
    Be aware that just because the sender appears to be someone you know doesn't mean that the email is actually from that individual. Besides a legitimate email account being compromised (see above), attackers can craft emails to appear to be from a particular name, even if that name does not belong to the attacker: the sender name and address shown in an email are just text that the sender typed in, much like the return address on an envelope. For example, an attacker could check your Facebook account to identify one of your friends, then craft an email to appear to be from that person. If you are able to determine the actual source email address before opening the email, do so.

    For example, the following image shows an email from "Nintendo." In Gmail, mousing over the sender's name shows a box with the email address from the message's From header, "nintendo@em-news.nintendo.com." This address appears to be legitimate. It is always a good idea to verify that emails are actually from who they say they are from. Keep in mind, though, that the From address is part of the message and is written by whoever sent it, so it can be forged unless the receiving mail service checks it; an attacker could also create an address that merely looks legitimate, or compromise a trusted contact's account (as described above). In Gmail, opening the details below the sender's name shows "mailed-by" and "signed-by" lines that come from Gmail's own checks rather than from the sender, which is a stronger signal than the address alone. Even so, I have often found that malicious emails come from obviously suspicious addresses.
  • Is opening the email really worth the risk?
    Lastly, before opening the suspicious email, think one more time about whether it's really worth the risk. Remember that most organizations, including banks, should never contact you through email to ask for personal information. Many emails telling you that you need to log in immediately in order to stay protected or retain benefits are actually phishing attempts. This is also true of emails telling you that you've won a prize. If there is really an important, legitimate need for an organization to contact you, the organization will find a way to contact you.

3. If You Open the Email
If you choose to open the email, here are a few things you should be aware of before doing anything else:
  • Again assess the legitimacy of the email.
    You should again assess the legitimacy of the email, this time focusing on the email's body (make sure to hold off on downloading any attachments). Follow steps similar to those you followed before opening the email. Many attackers are based in countries where English is not the native language. As such, malicious emails often have poor grammar/spelling. Seeing any typos and/or grammatical errors should raise some very prominent red flags.
  • Be very cautious about downloading any attachments.
    Be aware that email attachments are a common way to deliver viruses and other malware. If you have any doubts at all about an attachment, don't download it. Remember that malware can spread via files other than just executables: office documents with macros, PDFs, script files and zipped archives can all carry it, and a file name can be disguised with a misleading extension. Be very cautious before downloading anything from an email.
  • Assess any links/buttons in the email.
    Be very wary before complying with any actions the email asks you to take. Attackers are very good at making phishing emails appear legitimate. The text in the email can appear legitimate, the link in the email can appear legitimate, and even the website that the link/button takes you to can appear to be legitimate. One of the best ways to assess the true legitimacy of the email is to inspect the link/button before clicking it.

    For example, the following image shows a phishing message. As you can see from the text, it appeals to your emotions: it tells you that you are not safe and pushes you to act quickly and click the link before thinking (people are less careful when they act out of urgency). This is a very common tactic in phishing emails. You'll also notice that, at first glance, the link appears to go to www.google.com. However, we can and should inspect the link more closely before clicking it.

    Web pages and HTML emails are written in a way that lets the displayed text of a link differ from the address the link actually takes you to. Most browsers and email clients show the actual address in the bottom left corner of the window when you mouse over the link (on a phone or tablet, where there is no mouse-over, press and hold the link to see its address instead of tapping it). The image below shows an example of this. As you can see, the actual link takes you to www.google.stealyourinfo.com.

    Herein lies another tactic that attackers often use. Someone performing only a quick scan of this address may see the "www.google" at the beginning and immediately proceed, believing that the link is legitimately from Google. However, upon closer inspection, you'll notice that the "google" portion of the address is merely a sub-domain (sub-section) of the website. The real base website that the address will take you to is stealyourinfo.com. If you clicked the link, this fraudulent website would likely look very similar to a Google website, and may even have some of the Google logos on it, but it would steal your account username and password when you entered them.

    Therefore, when inspecting addresses, first find the right-most domain name (the name that comes just before the .com, .edu, .net, etc.). This is the website that the link will really take you to, because it is the name its owner had to register; anything preceding it is simply a sub-domain of that website, and the owner of stealyourinfo.com can create as many sub-domains as they like, including one named "google". Be aware that some endings have two parts, such as .co.uk, so for an address like accounts.example.co.uk the real website is example.co.uk. This same practice can also be used to inspect links found on websites.
Of course, a real malicious address will usually be something much less obvious than stealyourinfo.com. Attackers often choose a name that appears at least somewhat legitimate. However, if it doesn't look exactly right and/or doesn't exactly match what you know the website should be, don't click the link. If possible, avoid using links/buttons provided in emails altogether. Instead, go to the website directly by typing the address you know and find the corresponding page yourself. If you can't find anything about the email's requests on the legitimate website, the email is likely a scam.
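As an added example that is not part of the original post, here is a small Python script that performs the two checks described in sections 2 and 3 on a constructed phishing message: it reads the name and address the From header claims, and for every link in the body it finds the right-most registered domain and compares it with what the link's visible text suggests. The message, its sender and its links are made up for the demo, and the public-suffix set is a hand-written stand-in; a real checker should load the full Public Suffix List from publicsuffix.org, since endings such as .co.uk have two parts.

```python
"""Inspect an email the way the post describes: what the From header claims
and where each link in the body really points. Added example; the message,
its sender and its links are constructed for the demo."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample phishing message (hypothetical sender and links).
RAW_MESSAGE = """\
From: "Google Accounts" <security@google.stealyourinfo.com>
To: you@example.com
Subject: Your account is not safe - act now
Content-Type: text/html; charset=utf-8

<p>Your account is at risk. Log in now or lose access:</p>
<a href="http://www.google.stealyourinfo.com/login">www.google.com</a>
<a href="https://www.google.com/account">Google account help</a>
<a href="https://accounts.google.co.uk/">accounts.google.co.uk</a>
"""

# Stand-in for the Public Suffix List (assumption: real code loads the full
# list from publicsuffix.org). Needed because endings like "co.uk" are two labels.
PUBLIC_SUFFIXES = {"com", "net", "org", "edu", "uk", "co.uk", "org.uk"}


def registrable_domain(host):
    """Return the right-most domain someone had to register (eTLD+1): the
    label just before the public suffix plus the suffix. Everything to its
    left is a sub-domain that the owner of that domain controls."""
    labels = host.lower().rstrip(".").split(".")
    for n in range(len(labels) - 1, 0, -1):      # longest suffix first
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def inspect_message(raw):
    """Report the claimed sender and the real destination of every link."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]   # just text the sender wrote; forgeable
    collector = LinkCollector()
    collector.feed(msg.get_body(preferencelist=("html",)).get_content())
    links = []
    for text, href in collector.links:
        real = registrable_domain(urlsplit(href).hostname or "")
        # If the visible text itself looks like an address, compare its domain
        # with the real one: "www.google.com" leading to stealyourinfo.com is a lie.
        text_is_address = "." in text and not any(c in text for c in " /")
        shown = registrable_domain(text) if text_is_address else None
        links.append({"text": text, "href": href, "real_domain": real,
                      "mismatch": shown is not None and shown != real})
    return {"display_name": sender.display_name, "address": sender.addr_spec,
            "sender_domain": registrable_domain(sender.domain), "links": links}


if __name__ == "__main__":
    report = inspect_message(RAW_MESSAGE)
    print("From %r <%s> (registered domain: %s)" % (
        report["display_name"], report["address"], report["sender_domain"]))
    for link in report["links"]:
        warn = "  <-- text and destination differ" if link["mismatch"] else ""
        print("%-24s really goes to %s%s" % (link["text"], link["real_domain"], warn))
```

Running it flags the first link (text says www.google.com, destination is stealyourinfo.com) and leaves the other two alone; note that the third link is correctly resolved to google.co.uk, not co.uk, which is why the suffix list matters. The From address is reported as what the message claims, not as a verified fact; a mail service's SPF/DKIM checks are what would confirm it.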

I hope these simple tips will help keep your email and internet browsing experience safe. Remember, one action can cause a lot of damage. "Think twice before you click."

Monday, December 1, 2014

Internet Safety and Sanity

I've recently been asked by some friends about some of the ways to help prevent unwanted images or search results from appearing when browsing the Internet (especially when children are using the computer). The Internet has become, in my opinion, one of the most trying challenges regarding the gospel principle of living in the world, but not of the world. We need the Internet almost daily now for school, email, gospel research, and many other worthy causes. However, concealed within the hosts of incredible resources the Internet has to offer, lie multitudes of mines, waiting to devastate the users who happen to wander onto them.

The Lord prayed for us in His magnificent Intercessory Prayer, not that Heavenly Father "shouldest take [us] out of the world", but that He "shouldest keep [us] from the evil." (John 17:15). But what tools has Heavenly Father inspired men to create in order to help keep us from this "evil"? Although there are far too many to list, here are a few of the things that I have found most helpful.

1. Be Smart and Be Clean:
Although obvious, the most important thing to do is to remember to be smart when using the Internet. This means ensuring that children are aware of the dangers of the Internet and know exactly what to do when (not if) they come across explicit content. It's only a matter of time before children are exposed to this filth, but if children are taught early to close the window or tab containing the explicit content immediately without dwelling on it, this pattern will become an invaluable standard for them to follow throughout their lives. My parents were great examples of following this pattern, and I still admire and feel gratitude to them for teaching it to me at such a young age. Encourage your children to come talk to you about it if they come across this explicit content. This will give you the opportunity to reassure them of your love and support--helping to invite the Spirit back into their lives. This will also give you the opportunity to compliment them on their decision to keep the commandments, which will encourage them to follow the same process the next time.

Use passwords on computers to make sure that children are only able to browse the Internet at appropriate times, when others are around and can easily see the display.

Also, be wary of mobile devices. Desktop and laptop computers are no longer the only devices capable of accessing the filth of the Internet. Set rules concerning when and where these mobile devices are used and which websites are appropriate to visit on them. Google Safe Search (see below) can also be enabled on many mobile devices (see https://support.google.com/websearch/answer/1636666?hl=en).

2. Google Safe Search:
Google has become one of the staples of the Internet. I can honestly say that very few days go by that I don't use Google to search for at least one thing. Thankfully, this useful tool has a setting, called Google Safe Search, to help prevent explicit content from showing up in the search results. This is especially useful to help prevent children from seeing unwanted content while doing research for school. There are a few ways to enable Google Safe Search:

The easiest way is to simply use the website http://www.safesearchkids.com/ to browse the web instead of google.com. The SafeSearchKids website uses a customized version of the Google search engine with Google Safe Search turned on at all times. This allows you to get the same results you expect from Google, without the garbage.

The other way to enable Google Safe Search is to turn it on within Google's own settings. This allows you to use google.com as well as Google's other services (such as images.google.com to search for images) with Google Safe Search. Please be warned that although Google Safe Search will help, some unwanted content, especially images, may still show up. To enable it, follow these steps:

  • First, visit https://www.google.com.
  • Next, click on the "Settings" link at the bottom right of the screen, then click the "Search settings" link:
Click the "Settings" link, then click "Search settings"
  • Next, check the "Filter explicit results." checkbox under the "SafeSearch filters" section:
Check the "Filter explicit results." checkbox
  • Finally, scroll down to the bottom of the page and click the "Save" button:
Scroll down and click the "Save" button


Please be aware that this setting is stored in the browser itself (as a cookie), so the above steps must be completed in each browser on each computer you use, and repeated if you ever clear your browser's cookies or settings. Anyone using the browser can also turn it off again from the same settings page, so treat it as a speed bump rather than a lock. If you manage a home network, Google's Search help also documents a way to force Safe Search for every device on the network, which holds up better in a home with several computers.

Again, remember that although Google Safe Search does help prevent explicit content from showing up, it is NOT PERFECT. Some unwanted content may still show up, and as such, it is still very important to be on your guard at all times and to always follow all of the principles I mentioned in item 1, above.

3. AdBlock:
Finally, the fountain of youth for browsers: AdBlock. AdBlock is a completely free extension (add-on) for Internet browsers that automatically blocks advertisements on the websites you visit without blocking the content you actually care about. Not only are these advertisements annoying and a waste of bandwidth, but they also often contain offensive and obscene content (think of the commercials you see today on TV), and advertising networks have been used to deliver malicious code as well, so blocking ads reduces that exposure too. I primarily use Google Chrome, which has AdBlock available, for everyday web browsing; separate extensions with the same purpose, such as Adblock Plus, are available for other browsers such as Mozilla Firefox. Below are the steps to install and enable AdBlock on Google Chrome:
  • Open the Chrome Web Store, search for "adblock", and click to add the AdBlock extension:
Search for "adblock" and click to add the AdBlock extension
  • A box will likely come up, prompting you to confirm that you want to add the extension, click the "Add" button.
  • After a brief progress screen, you should be able to start browsing without ads!
  • Initially you'll see the AdBlock button at the top right of the screen, which will tell you how many ads it is blocking for the site you are currently visiting, but you can hide this button by right-clicking on it and clicking "Hide button" if you wish:
Hiding the AdBlock button

Hopefully these tips will help protect you from the filth of the Internet while still allowing you to utilize the Internet to bring about good in the world.

Sunday, April 13, 2014

Creating Secure Passwords

Here are some fascinating statistics concerning users' passwords, according to xato.net:
  • 4.7% of users have the password password;
  • 8.5% have the password password or 123456;
  • 9.8% have the password password, 123456 or 12345678;
  • 14% have a password from the top 10 passwords;
  • 40% have a password from the top 100 passwords;
  • 79% have a password from the top 500 passwords;
  • 91% have a password from the top 1000 passwords.
With frightening statistics like that, there are a plethora of recommendations concerning creating safe passwords. While I can't list them all, here are a few general rules concerning what I feel are some of the most important things to consider when creating a password.

1. Don't do the Obvious:
How tempted have you been to use your own name, your child's name, your birthday, your username, "password", or "1234" as your password? Don't. Just don't. These are among the first passwords hackers try. I can't tell you how many computers and phones of friends and family I have been able to get into just by guessing combinations of the things above. With so much personal information available on social websites, such as Facebook, you should never assume that people won't know information like the things listed above.

2. Don't Write Your Passwords Down in an Unsecured Location: 
I can't tell you how many times I've been at work, helping someone with his or her computer, and seen the person's username and password on a post-it note stuck to his or her monitor. Never assume that no one will look for your password in your desk drawer or in your notebook. It's best to use a password you can remember without ever writing it down. If you end up with more unique passwords than you can remember (see the next item), a password manager that keeps them encrypted behind one strong master password is far safer than a post-it note or a notebook.

3. Use Unique Passwords for Each Sensitive Site:
If a hacker does obtain one of your passwords, whether by cracking it or by taking it from a website that was breached, one of the first things they'll likely do is try that same password with your username on a site where they can really do some damage, like a banking website or Amazon.com. That's why it is very important to use unique passwords on each sensitive site. Your password for Amazon.com should be different from your other websites; the same goes for your banking website. I know that you'll be tempted to use the same password for everything because it will be much easier to remember, but the more unique passwords you use across your online accounts, the better protected you will be.

4. Don't Use Passwords Found in the Dictionary:
Attacks by hackers known as "dictionary attacks" are becoming more and more common. In such an attack the hacker's program tries words found in the dictionary, along with lists of the most common passwords and simple variations of them (capitalizing the first letter, adding a digit or "!" at the end), since these are what users most often choose. To combat these attacks, use combinations of words or throw random characters into the middle of words. I've also heard the recommendation of using a line from a hymn as your password. This makes the password easy to remember and provides a nice reminder of a gospel message each time you log in to your account. Phrases can also be used as good passwords. For example, the phrase "We believe in God the Eternal Father, and in His Son, Jesus Christ, and in the Holy Ghost" would translate into the password "WbiGtEF,aiHS,JC,aitHG." While that password may be a little long, the first letters of a slightly shorter phrase will be easy for you to remember and very difficult for a computer to guess. One caution: well-known lines from scripture, hymns and songs get collected into attackers' word lists too, so a phrase that is personal to you is safer than a famous one. Just make sure to use a password that is AT LEAST 8 characters long; longer is better, because every extra character multiplies the number of guesses a computer has to make.

If you are interested in seeing just how secure your password is, try putting something similar to it into the following website. I don't recommend using your actual password, as you never know whether that information could be intercepted or stored somewhere, but typing in a password with the same mix of letters, digits and special characters as your own should yield a similar result. This site will tell you approximately how long it would take a computer to guess your password:

https://howsecureismypassword.net/
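As an added example that is not from the original post, the following Python script shows offline what items 4 and the password-strength note above describe: a dictionary attack against a salted password hash, the phrase-to-initials rule, and a checker you can run on your own machine instead of typing a password into someone else's website. The ten-word list, the sample passwords and the low PBKDF2 iteration count are assumptions made for the demo; real word lists run to millions of entries and real sites should use far more iterations.

```python
"""Dictionary attack vs. an initialism passphrase, entirely offline.
Added example; the word list and passwords are constructed for the demo."""
import hashlib
import os

# Constructed stand-in for a cracker's word list: a few top passwords plus
# ordinary dictionary words. Real lists hold millions of entries.
WORDLIST = ["123456", "password", "12345678", "qwerty", "abc123",
            "letmein", "sunshine", "eternal", "father", "believe"]

ITERATIONS = 10_000  # lowered for speed (assumption); real systems use far more


def variants(word):
    """Mangling rules crackers apply to every word (tiny subset for the demo)."""
    yield word
    yield word.capitalize()
    yield word + "1"
    yield word.capitalize() + "1"
    yield word + "!"


def hash_password(password, salt, iterations=ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256: the slow, salted hash a site should store
    instead of the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def dictionary_attack(stored_hash, salt, wordlist=WORDLIST):
    """Hash every word and variant with the same salt and compare.
    Returns the recovered password, or None when the list is exhausted."""
    for word in wordlist:
        for candidate in variants(word):
            if hash_password(candidate, salt) == stored_hash:
                return candidate
    return None


def initialism(phrase):
    """The post's rule: first letter of each word, keeping punctuation that
    trails a word, so the phrase in item 4 becomes WbiGtEF,aiHS,JC,aitHG."""
    out = []
    for word in phrase.split():
        core = word.rstrip(".,;:!?")
        if core:
            out.append(core[0] + word[len(core):])
    return "".join(out)


def check_password(password, wordlist=WORDLIST, min_length=8):
    """Apply the post's rules locally. Returns a list of problems; an empty
    list means none of these checks fired, which is necessary, not sufficient."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    lowered = password.lower()
    if lowered in wordlist or lowered.rstrip("0123456789!") in wordlist:
        problems.append("a dictionary word or top password, possibly with a suffix")
    if password.isalpha() or password.isdigit():
        problems.append("only letters or only digits")
    return problems


def demo():
    """Crack a mangled dictionary word; fail to crack the initialism."""
    salt = os.urandom(16)                       # per-user random salt
    weak_hash = hash_password("Sunshine1", salt)
    phrase = ("We believe in God the Eternal Father, and in His Son, "
              "Jesus Christ, and in the Holy Ghost")
    strong_pw = initialism(phrase)
    strong_hash = hash_password(strong_pw, salt)
    return dictionary_attack(weak_hash, salt), dictionary_attack(strong_hash, salt), strong_pw


if __name__ == "__main__":
    cracked_weak, cracked_strong, strong_pw = demo()
    print("Sunshine1 recovered as:", cracked_weak)
    print("%s recovered as: %s" % (strong_pw, cracked_strong))
    print("Problems with 'Password1':", check_password("Password1"))
    print("Problems with %s:" % strong_pw, check_password(strong_pw))
```

"Sunshine1" falls to the list because it is a dictionary word with the two most common mangling rules applied, while the initialism survives only because no phrase list in this demo contains it; an attacker who collects famous quotations and hymn lines would add their initialisms too, which is why a personal phrase beats a well-known one. The checker deliberately reports reasons rather than a score, and its results stay on your machine.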