Safe Surfing

Home

Presentations

Wayne McKinnon's
Security Resource Center

Safe Surfing - Frequently Asked Questions (FAQ)

What can happen if I am hacked?
I'm an executive, why should I care?
What precautions should I take?

Click here to return to "The ITcoach" Home page | or click here to go back to the list of other resources

System Crashing is often blamed on a flaky operating system or software, but it is very likely that many problems you can experience are actually caused by hackers intentionally crashing your system. On example is a utility called "the ping of death." It is a simple program that anyone can run with little knowledge of computers. All that is needed is the TCP/IP address of the computer you want to hit, and if you don't know of a specific one, why not just hit a range of numbers, perhaps yours.

System crashes are sometimes no more than an annoyance, but if you are working on a document that has not been saved, it is lost when the system "hangs" or crashes.

Many vulnerabilities like the one that the ping of death exploits are fixed by installing service packs supplied by the operating system vendor. Newer operating systems should have already been fixed, but they may be susceptible to other unexpected attacks.

Hard drive crashing is much worse than a system crash since restarting your machine does not correct the problem. Hopefully you have a backup of your lost data, as well as the time to reconfigure your hard drive and reinstall all of your applications.

Identity theft is not new, but it is becoming easier to find information electronically. There may be enough personal information on your computer for a hacker to use to successfully apply for a credit card or loan.

If you think that identity theft is strictly in the electronic world, consider the case where a man rented a car. Upon returning from his trip he received a phone call from someone claiming to be the car rental company doing quality control survey. For participating, he was awarded a free upgrade on his next trip. He was told that the company had all his information from his rental agreement, and all that was needed was his Canadian Social Insurance Number in order to award this to him. The company confirmed his information, and received his number. He received a huge debt from the person who had impersonated the car company on the phone. Apparently his rental agreement along with his number was enough information to fill out a credit loan application.

Credit card theft involves gathering your credit card information from your hard drive, or even capturing it off your screen when you are making an on-line purchase.

Although your credit card information could be intercepted when it is sent over the internet, typically these transactions are already secure. They occur over a secure Internet connection that is established between your web browser software and the web server you are connected to. It is then the responsibility of the vendor to ensure that their computer is not hacked, and your responsibility to ensure that yours is also secure.

Tunneling occurs when a hacker connects to your computer that already has a remote connection to a another computer (perhaps your office).

Your employer has hopefully taken precautions to ensure that you are an authorized user before they allow you in to their system, but have you taken precautions to ensure that you do not bring anyone in with you?

Extortion - is there any information on your computer that is sensitive or valuable enough that it would cause you problems if it was made public?

zombies are computers who have been recruited as unwitting accomplices in an attack on another system. If you have a security vulnerability that a hacker can exploit, the zombie software can be planted on your hard drive.

If hackers has managed to plant a program on your hard drive that will allow them to take over your system, they may then cause it to crash so that their new system software is automatically loaded when the system starts.

A second method is to send you a "Trojan Horse" by e-mail. This e-mail attachment might be look like a game, but actually installs a service that the hacker can use to command your computer to attack someone else.

I'm an executive, why should I care?

Do you connect to the office remotely?
do you have critical or sensitive files on your laptop?
Are you sure that your employees are well protected?

What precautions should I take?

For home computer users, the process for system hardening is very similar to the process used by businesses to secure their servers, and is worth looking at (click here).

Here is a condensed list that pertains to you

If you are on the internet, especially if it is a high speed connection, install personal firewall software. Not only will this prevent unauthorized access to your computer, but if you are infected with a Trojan horse program, it can also prevent it from accessing the Internet.

Install virus protection software, and keep it up to date. New viruses are being discovered constantly. Virus protection software looks for specific files or programming code to identify a virus.

Your protection is only as good as the virus signatures that your virus protection software has to work with. Look for virus protection software that also scans your incoming e-mail as well as your hard disk.

Maintain good passwords. Passwords should not be regular words. Software exists that will attempt to break in using every word in a hacker's dictionary.

Ideally use a separate password for every system that you log in to, but as a minimum, keep at least two different passwords (one for secure transactions such as banking, and one for non-secure activities such as logging in to a members only area on a web site).

The longer the password is, the more combinations of letters and numbers the hacker would have to try before being successful. A minimum of 8 characters is considered good practice. If you make these characters a combination of upper and lower case, plus letters AND numbers, the password is exponentially stronger. Add in some special keyboard $ymbol$ (symbols) and you have made it even stronger.

You can set up filtering on your e-mail program, or through our service provider in order to block who can send e-mail to your children.

Avoid surfing the internet while logged on as someone with administrative rights (a privileged user). If you were to open an e-mail message containing a virus, or access a web page and launch a malicious script, since this account has full access to your system and all of your hard drive, so does the script or virus.

Reprints, links or forwarding these articles is encouraged providing that the following credit line is used: © Copyright 2002, Wayne McKinnon, ITcoach.com. For more information contact us at ITcoach.com, Suite 531, 900 Greenbank rd., Ottawa, Ontario, Canada K2J 4P6, (613) 860-1384, 1-888-712-6224, FAX (613) 825-4895, info@ITcoach.com

A copy of the publication in which the article appears would be appreciated.