Saturday, October 31, 2009

Online Safety - National Cyber Security Awareness Month - Tips 1-31 (Plus Bonus Tips)

Today ends the 2009 edition of National Cyber Security Awareness Month (NCSAM). Throughout the month, I and many others have been posting guides, tips and advice on how to stay safe online and how to keep the online experience a secure and enjoyable one for you and your family. For my part, each day I tweeted a daily tip via my Twitter account @BurgessCT and attached the hash-tags #onlinesafety and #NSCAM for ease of compilation by others.

I was heartened that throughout the month so many asked, "Will you expound on these daily tips?" Yes, I've already begun (see Online Safety – UserID’s and Passwords [October 25, 2009]) and I plan to continue. Others have asked, "Will you provide all of the daily tips in one comprehensive list?" Yes, I provide these below (and I have tossed in a few bonus items).

Keep in mind that none of these are highly technical; some are behavioral, and all are easy to implement.

National Cyber Security Awareness Month Tips 1-31:
  1. Passwords: Practice good cyber-hygiene – Passwords are like toothbrushes – you don’t share them with others and you change them often.
  2. Passwords: Passwords should be used for one site only. For strong passwords, use symbols, numbers and letters – never a word from any language dictionary.
  3. WI-FI: Home or business wireless networks (WI-FI) – Enable WPA2 encryption with strong passwords. If your router does not support WPA2 encryption, it is time to upgrade that router to new technology.
  4. WI-FI: Configure your router to suppress the broadcast of your Service Set Identifier (SSID).
  5. Guidance & Direction: Guide your young. The internet is to receive information only and not to be used to share information. Only Mom & Dad share information over the internet.
  6. Browser Settings: For web-based email (e.g. Gmail, Hotmail, etc.), configure your browser log-in to use HTTPS (the S stands for secure) and avoid having your password sniffed and grabbed when connecting via an open (not secure) network connection.
  7. Software Settings: Does your family use Peer-to-Peer (P2P) file sharing? Know your settings. Tips from the FTC’s OnGuard OnLine.
  8. Computer Settings: Disable Auto-Run and scan all USB/CD/DVD media even if you received it from a trusted source; their USB/CD/DVD may have been infected by a machine carrying malware/crimeware before it reached yours.
  9. Software Settings: Software auto updates – DO IT. It may be inconvenient, but updates close previously unknown vulnerabilities.
  10. Email: Phishing Scams – Do not reply to, or click links in, emails asking for personal or financial information.
  11. Computer Settings: Administrator control? Who has control of your computer? Take control: set a unique password so that the computer settings can only be changed by the administrator – you.
  12. Anti-Virus Software: Have it and use it! Auto update both the engine and the data. Don’t ignore warnings. Train your family to call out and alert you when a warning presents itself.
  13. Anti-Spyware Software: Have it and use it! As with Anti-Virus, don’t ignore the warnings – Spyware can capture your data at the point of entry or harvest it from your hard drive.
  14. Data Backup: Regular data backup(s) should be a part of your security regime. Data includes, but is not limited to, photos, videos, music, documents, etc. If your device (laptop, PDA, etc.) goes down, your data is safe.
  15. Malware/Crimeware: Be wary of ‘scareware’ pop-ups which announce your computer’s compromise and offer you “free” software to remove it – a tried and true technique to get you to install malware. (NB: FTC v. Innovative Marketing, Inc., et al – the FTC's Complaint taking down a purveyor of "scareware" is an excellent read.)
  16. E-mail: If a retailer or vendor asks you to “email your credit or debit card data” – Say “Absolutely Not” and don’t do it.
  17. Browser Settings: Do enable the “Pop-up Blocker” and “Redirect Disable” settings on your browser – this puts you in control of your internet experience.
  18. Firewalls: Have it and use it! Think of the firewall as your computer’s guard force – blocking attempts to communicate with your computer which you haven’t authorized.
  19. System Scans: Security checks for your computer – a list of free scan software from reputable vendors, courtesy of http://www.staysafeonline.org/
  20. Public Computers: Use an internet connection at the library, airport, etc.? Clear the browser’s history and caches when you are finished to remove “easy” access to the websites you visited.
  21. Electronic Media: Recycling or discarding media? Reformat or degauss your electronic media prior to recycling or discarding it. This will prevent inadvertent sharing of your personal or business data.
  22. Computer Settings: Do visitors use your computer? Create a guest account with a separate log-in for your guests so they have their own environment on the computer without access to your personal data, browser history or cookies.
  23. Computer Location: For families, PCs should be used in a central place – not behind closed doors. All can keep an eye on activities.
  24. Online Friends: Talk to your children about the need to talk to Mom or Dad prior to meeting online friends face-to-face.
  25. Parents Online: Go where your children go online. Browser history will guide you; if history doesn’t exist or has been selectively deleted – time to pay attention.
  26. Chat rooms: Chat rooms are great for learning and sharing; children should obtain Mom or Dad’s permission and review first.
  27. Data Security: Consider encryption, with a robustly strong key phrase, for your important data (e.g., medical, personal, financial and private). Extend this protection to your data backups.
  28. Chat rooms: Select user-ids which are age and gender neutral, as filtering user-ids is a method used by online predators: “Pineneedle” not “Seattle1084”.
  29. Laptop Security: Do you travel with your laptop? Protect it; it may be the gateway to your online presence and accounts, and hosts your data – see the FTC's Onguard Online, which has some great laptop tips.
  30. Internet Connectivity: Know how your children are getting online – home, school, mobile phone, friends, library – and craft rules/boundaries.
  31. Reporting: If you believe you have passed your personal identifying information (PII) to a criminal, do file a complaint with the FTC (http://www.ftc.gov/).
Bonus: Think of online safety and security practices as a basic extension of your family security plan – no less important than smoke detectors, alarm systems, and how to interact with strangers.

Bonus: Do your children wear their Name & Address on the back of their jacket? Then why post it on a website’s profile?

Bonus: Some good advice on how to avoid being hooked by phish, from the FTC’s Onguard Online.

Bonus: Do you know where your data is stored? Knowing allows protecting. It is important to clear your temporary files and caches as you save and store your data.

Bonus: You, the individual, may not have the resources of a company to protect yourself; don’t let that deter you. Select your ISP with care – some ISPs leverage their access to security vendors to provide you with:
  • SPAM filters for your email;
  • CONTENT filters for your browsing;
  • ANTI-VIRUS and ANTI-SPYWARE scanning for all the data passing through their pipe; and
  • WEB PAGE scanning for malware, crimeware, pop-up and redirect protection.
You can then focus your individual budget on those areas where you need “enhanced” coverage and capability.

I hope the above are of use and you and your family will continue to be safe online.

Thank you for your time.
All the best,
Christopher

Sunday, October 25, 2009

Online Safety - UserID's and Passwords


As we approach the end of National Cyber Security Awareness Month (#NCSAM), I thought it appropriate to begin expanding upon the tips I've been providing through my daily Tweets.

Today's topic will be user identification (USERID) (Tip #25) and passwords (Tip #1 & #2), and how judicious selection of both can serve to protect you and your family online.

Let’s start with the USERID. A USERID is the means by which a service provider, website or account identifies you. Some service providers use your email address as a USERID, while others may ask you to create one for use with their service. On Twitter for example, you are asked to create a USERID. My USERID on Twitter is BurgessCT, clearly associating me to my name.

Pretty straightforward? Well, not exactly. You see, while in my example my USERID clearly identifies me, it does so by design. My Tweets on Twitter are my responsibility and I should be and am held accountable for them, therefore, I chose to make a clear association between me and my USERID. I intended for those seeing the USERID to be able to identify me, and distinguish me from others with a similar name.

Your decision chain on your USERID should be your own. If you have children in your family or are assisting an elder member of our community, I advocate the creation of a USERID which does not identify the user by name or location and is gender and age neutral.

It is unfortunate, but there exists an ugly underbelly of society which preys on our youth and elderly. They glide through chat rooms and harvest lists in an attempt to identify the name, location, gender and age of a potential target so that they may begin to engage the individual to the individual’s detriment and the perpetrator’s benefit. You can make it harder for the miscreant to get started by neutralizing your USERID.

• Examples of USERIDs which tend toward identification of name, location, gender and age, and which I advocate shying away from: Sally1995 or SeattleJames1995 or Fishing-Lady

• Examples of USERIDs which are name, location, gender and age neutral: Wheat5419 or B8dHRt or Pinecone. Anyone reviewing these user-ids could not harvest them as male or female, a minor or adult, or in Seattle or Omaha, nor identify the name, gender or age of the user.

Now, accompanying those USERIDs are PASSWORDs.

The password is the key to the front door of the service provider, website or account. The service provider may ask you to create a password, or they will provide one to you for your initial engagement (then, when you enter their domain, you're directed to a page to change it to one of your own choosing).

Passwords can either be weak or strong. A weak password is a word found in the dictionary; or if the USERID is identifiable then a family name, birth date, pet’s name, street address, or the like. Sadly, the most common password is “123456” with “QWERTYU” not far behind.

I advocate the creation of strong passwords. A strong password is not a word found in any dictionary, of any language. The password is case sensitive, with both upper and lower case, and includes numbers and symbols. This stops dictionary attacks and brute force compromise of your password dead in their tracks.

Though inconvenient, I also strongly suggest that a different password be used for different environments and sites. My recommendation is based on the fact that you can’t protect yourself from the service provider, account provider or website accidentally losing your password. If they do, and it is associated with your USERID, then that password, if common across environments, opens up all the doors, not just the compromised account.
  • An example of a strong password: L)ngsh0rem3n (this uses upper case, symbols and numbers and is not a word in any dictionary)
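As an added example (mine, not Christopher's), here is a small Python checker that applies the rules above: mixed case, numbers, symbols, not a dictionary word, not a commonly used password, and one password per site. It also undoes common look-alike substitutions before the dictionary check, because “P@ssw0rd” is still “password” to a cracking tool. The word lists, the 12-character minimum and the sample account list are constructed for this example; the post itself sets no minimum length.

```python
import re

# Constructed sample lists standing in for a real dictionary and a real
# breached-password list; a deployment would load full lists instead.
SAMPLE_DICTIONARY = {
    "longshoremen", "password", "wheat", "pinecone", "seattle", "letmein",
}
COMMON_PASSWORDS = {"123456", "qwertyu", "password", "12345678", "abc123"}

# Common look-alike substitutions people use to disguise a dictionary word.
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

# Minimum length is an assumption made for this example; the post sets none.
MIN_LENGTH = 12


def normalize(password: str) -> str:
    """Lower-case, undo look-alike substitutions, and keep letters only."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET_MAP))


def check_password(password: str, userid: str = "") -> list[str]:
    """Return the rules a password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    # Dictionary check runs on the normalized form, so "P@ssw0rd" is caught.
    if normalize(password) in SAMPLE_DICTIONARY:
        problems.append("dictionary word")
    if userid and userid.lower() in password.lower():
        problems.append("contains user-id")
    return problems


def find_reused(credentials: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Map each password used on more than one site to the sites sharing it."""
    by_password: dict[str, list[str]] = {}
    for site, password in credentials:
        by_password.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    for candidate in ["L)ngsh0rem3n", "P@ssw0rd", "123456", "Sally1995!x"]:
        print(candidate, "->", check_password(candidate) or "passes")
    # Constructed sample of a family's accounts, with one password reused.
    sample = [("bank", "L)ngsh0rem3n"), ("email", "L)ngsh0rem3n"),
              ("forum", "Wh3at$5419ab")]
    print("reused:", find_reused(sample))
```

The post's own example, L)ngsh0rem3n, passes every rule because the substitutions it uses are not the common ones a cracking wordlist expands; a password built from a dictionary word with only the usual 0-for-o and 3-for-e swaps does not.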
Now that you have your USERID and strong password, don’t render them moot by writing them down and sticking them to your computer. If you must write them down, either use a mnemonic device to assist you in remembering or create two lists. List A has numbers 1-x and the service provider; List B has numbers 1-x and the passwords. Store list A in a separate area from list B, and neither in proximity to the computer.

To conclude:

Practice good cyber-hygiene: Treat your passwords like your toothbrush. You don’t share them with others and you change them often.

Passwords should be used for one site and one site only. For strong passwords, use symbols, numbers and letters. NEVER use a word found in a dictionary of any language.

USERIDs: make sure you select USERIDs which are name, location, age and gender neutral.

Thank you for your time.
All the best,
Christopher

Tuesday, October 20, 2009

Cyberstalking - A New Phenomenon?

Cyberstalking - does it really exist? Yes, it exists. Is it a new phenomenon? Lamentably, no.

Cyberstalking has been a factor for more than 10 years and is the unfortunate natural extension of physical stalking; in some cases it has supplanted physical stalking, as it presents less risk of discovery to the perpetrator. It truly is a travesty, as there isn't a state within the United States which doesn't recognize the crime of physical stalking. Each state has a process, legislation or statute and procedures in place to protect the victims and forestall the individual doing the stalking with restraining orders and the like. Electronic harassment or cyberstalking is another story.

In 1999, then Vice President Gore received a report from the Department of Justice, "Cyberstalking: A New Challenge for Law Enforcement and Industry." The report discusses at length the challenge, the victims, the breadth of the issue and makes recommendations. Upon reading the report, Vice President Gore got it right when he firmly stated, "Make no mistake: this kind of harassment can be as frightening and as real as being followed and watched in your neighborhood or in your home." Accurate words in 1999, accurate words in 2009. Please take the time to read the report; sadly, your mind will quickly forget it was presented in 1999 and traverse forward ten years to 2009, noting how little has changed. The threat remains, and the technologies continue to provide challenges to both individuals and law enforcement alike in thwarting this insidious crime.

What has changed, fortunately, as noted in my prior post: the National Council of State Legislatures has identified 46 of 50 US states as having passed legislation addressing the particulars of the electronic world, as an adjunct to existing legislation used to protect individuals within the physical world (Kentucky, Nebraska, New Jersey and New Mexico still lack specific legislation). These are great steps toward bringing a stop to the crime, but it still isn't enough.

What worries me is the chasm in our society in recognizing the crime of stalking, even in the physical world. In August 2009 the Department of Justice reported that during a recent 12-month period, 3.4 million people ages 18 or older were victims of stalking. The US Census Bureau estimated the population of the United States aged 18-64 in 2008 at 191,250,000; therefore 1.7% of the population demographic has been stalked. Astounding.

Thus, with 3.4 million persons having experienced stalking, I find it hard to believe there are still individuals who ascribe culpability to the victims. Let me touch on a recent high profile stalking case, that of Ms. Erin Andrews. My stomach literally did a somersault when I learned some were attempting to rationalize away the victim's complete innocence and ascribing culpability to Ms. Andrews. While I was nauseated, I found I wasn't alone. Tracee Hamilton, a reporter from the Washington Post, articulated with perfection in her opinion piece, "Columnist Reflects on Stalking Case," the realities, and hopefully snapped to attention those who "just don't get it" with respect to the fact that victims don't ask to be stalked.

So during National Cyber Security Awareness Month, October 2009, have there been any instances in the news of cyberstalking? Unfortunately, yes.
Resources do exist:
We can all do a little to make it harder for stalkers, and to be both sympathetic and helpful to those who are victims.

Thank you for your time.
All the best,
Christopher

Sunday, October 18, 2009

Electronic Harassment - The insidious ills of our online society

This is the first blog from within the veritate et virtute domain.

It is fitting, therefore, that this particular post revolve around a topic which continues to provide challenges to legislators both in the United States and elsewhere around this small world we share - "Electronic Harassment."

Electronic Harassment is a polite term for many of the insidious ills which have regrettably transitioned to the electronic world from the physical world. Lamentably, the physical world's ills continue apace, and are now magnified by the ubiquitous global online presence, which is only growing exponentially. The most common and well known forms of electronic harassment come to us as "cyberstalking" and "cyberbullying."

In the United States, 46 of the 50 states have passed legislation addressing the particulars of the electronic world, largely as an adjunct to existing legislation used to protect individuals within the physical world. A good beginning, with much work remaining to be concluded. Only four states have centralized digital evidence laboratories (Arizona, Colorado, Massachusetts, and New Hampshire). Thus none would be surprised to see the backlog of cases involving digital evidence growing, as this evidence oftentimes crosses physical jurisdictions and thus raises issues of jurisdictional control of data, inter-state and intra-state.

The National Council of State Legislatures has identified only 19 of 50 states as having legislation which specifically addresses "cyberbullying" within the context of their educational systems. These states (and their appropriate legislative acts) are:
These states, I believe, have indicated an appropriate starting point: the school environment must be a safe learning environment. Where are the other states? I must, unfortunately, temper my approval of the 19 state legislatures' actions with the admonishment that we must do more than legislate. If we are adjudicating, haven't we actually failed to prevent the act from occurring in the first place?

Therefore, I advocate and urge you to engage your elected officials at the state level to make appropriate resources available to the education systems; or be creative and leverage the talents within their constituency to educate the populace on the ills of harassment and bullying. Sometimes the answers lie within reach, just waiting to be leveraged and harvested. We must take action, before one more child, youth, or adult becomes the next victim and before a child, youth or adult on the cusp of engaging in such behavior initiates the actions of harassment.

To that end, I would like to commend to your attention the work of some very fine individuals who have taken it upon themselves to engage the aforementioned populace. Through their engagements they are educating whole communities, so that we will not be able to say, "We didn't know" or "What was I to do?"

Thank you for your time.
All the best,
Christopher