Introduction



COMPSEC
Dr. Gerry Santoro – Founding Associate Professor
Module 10 – Safe Web Surfing

Introduction

Developed in the early part of the 1990s, the World Wide Web became the “killer application” that made the Internet relevant for millions of people who never before had any reason to use a computer. The Web gave birth to e-commerce, online education, streaming media, and social networking. It also gave a boost to misinformation, ranting, scams, and drive-by malware attacks.

On one hand, the Web is a very powerful tool for shopping, learning, and socializing. On the other hand, it is an unmanaged wild frontier. Back around the year 2000, when giving a short introductory public lecture on use of the Web, I had a number of adult students lamenting that there was no authority designated to ensure that everything found online was truthful. That’s nothing! Some Web sites use a technique called “cross-site scripting” (CSS) to deliver malware to your computer, without your knowledge, when you simply visit the site. With a CSS attack, malware is downloaded to your computer through the scripting capabilities of your browser. (Note that use of a least-privilege account can stop many CSS methods.) Other sites promote scams, rumors, or misinformation for the unwary.

Being Safe on the Web

If you have followed the tips provided in earlier modules of this course—using anti-malware and anti-spyware software, establishing a least-privilege account, enabling firewall protection, and ensuring that your operating system and applications have current patches—then you are mostly there. You have done everything you can do locally to reduce the possibility of infection.

The remaining task is to ensure that you only browse to Web sites with a good reputation. “How do I do that?” you are probably asking. Some anti-malware suites come with browser add-ons that automatically alert you when you are about to browse to a site with a poor reputation.
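
How a reputation check of this kind can work, as an added example (it is not from the original handout and is not the code of any product named in this module). The host names, scores, cut-off value, and function names are all hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample data: hypothetical hosts scored from 0 (bad) to 100 (good).
REPUTATION = {
    "shop.example": 90,
    "downloads.shop.example": 15,  # a poorly rated subdomain of a well-rated site
    "freestuff.example": 10,
}
GOOD_AT_LEAST = 60  # assumed cut-off between "good" and "poor"


def normalize_host(url):
    """Return the host the browser would really contact, or None if unusable."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # .hostname is already lower-cased and excludes any "user@" prefix and port.
    return parts.hostname.rstrip(".")


def lookup_names(host):
    """Yield the host, then each parent domain, stopping before the bare TLD."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def check_url(url, accept_risk=False):
    """Return (rating, proceed) for one navigation attempt."""
    host = normalize_host(url)
    if host is not None:
        for name in lookup_names(host):  # the most specific entry wins
            if name in REPUTATION:
                if REPUTATION[name] >= GOOD_AT_LEAST:
                    return ("good", True)
                # Poor reputation: warn, and continue only if the user insists.
                return ("poor", accept_risk)
    # No entry at all: the site is unranked, which is not the same as safe.
    return ("unranked", True)


if __name__ == "__main__":
    for u in ("https://shop.example/cart", "https://shop.example@freestuff.example/"):
        print(u, check_url(u))
```

The second sample URL shows why the check must be made on the parsed host rather than on the start of the address: the text before the “@” is only a user name, and the browser connects to the host after it.
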

There are also free add-ons and extensions that can provide this capability, such as Web of Trust. This is a free browser plug-in, available for IE, Firefox and Chrome. It consults a crowd-sourced database of Web sites and provides a ranking of likelihood of safety. Many other security suites also provide this capability – such as Avast Pro – although these typically require a subscription.

Examine the following screenshot from a Google search of ‘malware.’ Since I use Avast Pro, many of the returned sites have a ranking (green bars) of potential reliability. Some sites are unranked. A site with 3 bright green bars is more likely to be malware-free.

These applications will check the URL of the Web site to which you are connecting against a database of sites with known (or suspected) trust issues. You are then given the option to either cancel your navigation to the site, or—if you are willing to take the risk—to decline the warning and proceed. These applications are not foolproof, but when used in addition to the other protections, they can add a level of reliability to your browsing.

While these applications may reduce certain risks on the Internet, they do not verify that all information found on a site is correct. For example, no software can detect if a site claiming that a specific political candidate is honest and trustworthy is factual. On the other hand, a site that routinely provides false information, such as “The World is flat,” might be flagged by users and detected as potentially untrustworthy. Ultimately, the user must exercise critical thinking skills in evaluating whatever information is provided.

Sharing Personal Information

Social media is everywhere. It is vital that you exercise restraint in sharing personal information through online services, including those that are recognized as reliable. Facebook may be a reliable site, but that doesn’t mean people can’t take your information and do unacceptable things with it.
Social media sites have made it tempting to share everything about who we are, where we work, our life history, our preferences, our families and friends, and more. However, when you share this information, how do you really know who is viewing it or what they intend to do with it?

Again, some critical judgment is in order. For example, if you are planning an extended vacation and your home will be left untended, it is probably not a good idea to advertise the fact online. Sure, it is tempting to post pictures while you are on vacation in Europe, but by doing so you are alerting people that your home is potentially ripe for the picking. In February of 2010, a Web site named “Please Rob Me” was launched to bring attention to the numbers of people posting information regarding their whereabouts online. The authors shut down the site after they decided that they had made their point.

When you do share information, you should limit the amount of personal information you share. For example, nobody would post their social security number online, yet few people realize that their date and location of birth could be used to determine their SSN with frightening accuracy. Other biographical information might be used to correctly answer a security question such as “What was your maternal grandmother’s first name?”

It is tempting to rely on privacy controls in these sites, but how do you really know that they are working? Most users do not even read the fine print terms when creating an account on these services. Many agreements give permission for the sharing of information with business partners. If the service itself becomes a victim of a hacking attack, all privacy controls and agreements go out the window.

So, by far the safest approach is to strictly limit the amount of information you share. If you are going to say that your birthday is June 1, that is probably okay. Just don’t share the year.
If you are going to post that you take a yoga class, don’t mention the exact times or location.

A good rule of thumb for anything posted on the Web is to assume that it is publicly available to everyone, even if you have set security controls on the site. Employers and others routinely search for personal information online. It is better to be safe now rather than sorry later.

Protecting Children Online

Children face an even greater risk on the Web. By their nature, children are curious. Although we do our best to protect them, we cannot always be there to watch over their shoulders and screen what they are doing. Of course, one solution would be to simply never, ever allow them to access the Web, but this is not realistic. Many educational and safe Web sites do exist and we want our children to be prepared for the challenges of the future.

Many operating systems and browsers contain parental controls that can be used to limit a child’s access to potentially dangerous Web sites. Specific Internet filter applications, such as Net-Nanny, may be used to prevent a child from accessing certain Web sites or Web content.

These protections are not sufficient. Parents need to start by having frank discussions with their children about what is allowed and what is appropriate for their age group. Children up to about age 14 (and this varies with the child) should not have private access in their rooms. A computer can be set up in the family room, facing a wall, so the child has access, but that access can be easily monitored. Periodic audits should be done, with the parent checking the browser history, and the child on notice that the history is not to be erased. Make it clear that the intent is to protect the child and family—not to punish the child.

In general, children should not use the same computer as their parents.
This will help to reduce the chance that the parent’s private information will be compromised if the child mistakenly becomes a victim of drive-by malware or unknowingly allows malware to infect the computer. It is also generally a bad idea to allow children to use social networking sites, unless they are being supervised during such use by an adult. Bullying and other inappropriate behavior are quite common, and often the children do not understand the consequences of their actions. As children get older and acquire better judgment and social skills, you should be able to allow them more autonomous online access, such as access in their room or access to limited social networking. It is important that access be provided gradually. At age 18, children will have complete legal rights and will need to be prepared to navigate the Internet safely.

Some common approaches parents may wish to follow include:

- Not allowing children to have computers in private areas such as bedrooms, but rather having a family computer in an open location such as a TV room
- Periodically checking the browser history information and advising the child that browser settings may not be altered
- Use of a child-safety filter such as Net Nanny. A filter like this will provide parental controls and block access to Web sites of potential harm. Some also provide alerts, monitor instant messaging and mask profanity.

Search Engines

It should come as no surprise that many search engines keep log files that record what you search for. In most cases this is used to tailor your search results and deliver targeted ads. However, it is possible for these log files to be compromised, or subpoenaed, resulting in a breach of privacy.

There are a number of search engines that do not keep log files, or that erase them after a period of time.
An example is Ixquick, which does not store any log information and which allows for anonymous viewing of search results.

You could also use a personal VPN (see Topic 11) to encrypt your searches and prevent the search engine from knowing your identity. Be aware that your browser may maintain a history of your searches, and Web pages you have visited, so the history list in your browser should be periodically erased.

System Cleaners

Your computer will also maintain other information regarding your Internet usage. This includes registry entries, cached versions of Web pages, and cookies. Cookies are short text strings that give your browser a ‘memory’ of previous activity and are often used to develop ‘shopping carts’ for electronic commerce, as well as to target advertisements to your interests based on previous browsing history.

Programs known as ‘system cleaners’ may be used to selectively erase these files. This can lessen your risk if a hacker does gain access to your computer. They are also often used to help your computer run faster by removing unneeded temporary files and broken registry entries. See the resources section of this topic for links to popular system cleaners for Windows and Mac.

Sidebar for small businesses

Many businesses use a combination of policy and firewall rules to address the problem of secure Web surfing. Policies can explain which Web sites may, and may not, be used by an employee using company resources. Firewall rules and the periodic auditing of firewall logs can be used to enforce these policies.

For small businesses that allow employees fairly wide use of the Web, it would be useful to have a security suite installed that provides browsing protection. This is, of course, in addition to good anti-malware, anti-spyware, and use of least-privilege accounts.

Be aware that, for policies to be effective, they must be clearly understood by the employee.
Be sure that employees receive security awareness training that includes the policies and explains why the policies were enacted. Allow users to become stakeholders in the security of company resources and they will work to support policy, not to circumvent it.

Resources

Web of Trust
Nanny
tips for safe Web browsing
Safety Project
Please Rob Me
New Algorithm Guesses SSNs using Date and Place of Birth
News
Safe Web Browsing for Kids
Your Computera
Complete Guide for Child-Proofing Your Mac
to Child-Proof Your iPad
of Search Engines
private search
private search
private search
list of system cleaners
Mac system cleaners comparison