Your computer encrypts the new key with Amazon’s public key and sends it back toAmazon remember is that encryption is just a way of scrambling a message so that nobody but theperson with
Trang 2free ebooks ==> www.ebook777.comFinally! A Human-Readable Guide to Cybersecurity
This knowledge is valuable for anyone who uses a computer Whether you use your
computer primarily for personal reasons, or you are a businessman wanting to make surethat important company information on your computer remains secure, this book containsinvaluable information that can help you maintain privacy It is a concise explanation ofsecurity topics written in plain English, so that anyone can understand what it takes tokeep computers secure I’ll also guide you on what to do if you find that your computerhas already been compromised I’ve tried to keep this book as short and concise as
possible so that it will be as easy as possible for you to soak up this information
These tips that I will give you come from a number of places - many I have learned fromtalented programmers, and some from my my own sweat and blood I’ve tried to include
a lot of real world examples of hacking schemes to keep this interesting Then I’ll tell youpro-tips that repair shops and security personnel normally sell you for hundreds of dollars I’ll tell you how to get the same things done for free or at comparatively little cost,
potentially saving you hundreds I’ll point you to free programs that work nearly as well
as commercial ones And for those of you who are willing to invest a little more in
computer security, I ’ ll give you my professional opinion on the best commercial
software Read this book, and you’ll be saved from the legwork of comparing programs,and then trying to change when you realize you picked the wrong one No more searchingGoogle and sifting through internet to find out what you need - you’ll find it right here
By reading and applying the principles in this book could save you from a destructivehacking attempt
Trang 3
to make smart choices even in areas this book doesn’t cover Sometimes when we firststart learning about something new, we don’t really have our bearings and can get lost, or
we waste our time on things that do not really matter It’s also easy to miss an importantarea In the world of digital security, just one omission can leave a computer vulnerable
In this book, I’ll give you a holistic view of how security works, so that you can be bestprepared to meet the number of attacks that are coming today, and the new ones devisedtomorrow Unfortunately, the more the digital world grows, the more incentive hackershave to break into it For those of us us who do honest work, it is frustrating that we have
to deal with this problem That said, the consequences of not doing so can be
catastrophic By reading and implementing the security measures in this book, you will beproviding yourself with a first line of defense that could be the difference between
productive computing, and an incredibly destructive security breach
As a final note, while this book is designed to be a help to you in implementing digitalsecurity, please be aware that it is impossible to cover every attack New ones are
invented every day Even if you follow every tip written in this book, there invariably will
be other attacks and viruses out there that can cause problems It is impossible to cover allaspects of security in one book That said, this book contains valuable information thatwill get you on the right track So without further ado, lets get started
Trang 4free ebooks ==> www.ebook777.com
people who swiped their cards in the store As data was sent from the credit card readers
to where it was stored and processed, the hackers listened in on the wires and intercepted
it If Home Depot had been using the technology that I am about to show you, they wouldhave been safe from harm As it is, however, they did not, and massive damage ensued
At the end of this section, I’ll show you a bit of a report on their website which discusseshow they implemented this critical security technology called encryption
Encryption is in many ways the backbone of any secure system Basically, it is a system ofscrambling the contents of a message so that nobody can tell what it says unless they havethe right password The whole point of it is to enable people to transmit confidential
information through an insecure route Here’s an example of how simple encryption
might work:
If I want to disguise the word “cat” with extremely basic encryption, I could change everyletter in the word to the next one in the alphabet - so “c” becomes “d”, “a” becomes “b”,and “t” becomes “u” The resulting “encrypted” form of the word “cat” would be “dbu”
I could do the same to a whole sentence and get a result that looks completely differentthan the original If someone were to look at our sentence without first undoing the
encryption, it would have absolutely no meaning Of course, this encryption algorithmwouldn’t be very difficult for anyone to unravel, so far more complex ones have beendevised
In encryption formulas created today, there are two parts - the formula, called the cipher,and a secret password called the key In the example above, we could change it up so thatinstead of replacing each letter with the one after it in the alphabet, we would replace eachletter with the third letter after it We could replace it with the tenth letter after it (andwrap around back to “a” for letters near the end of the alphabet) In this example, theencryption formula would be quite simple:
Trang 5Usually these formulas to scramble and unscramble the message are freely available sothat anyone can use them protect their information The key, however, is always keptsecret As long as that secret code is protected, the message is safe, and it is virtuallyimpossible to unscramble the message In fact, many of the algorithms used today are sosecure that today the most powerful supercomputers on earth couldn’t decode the
scrambled message, even if given thousands of years
The use for such a system is pretty clear - you can send a sensitive message through aninsecure route, confident that if anyone were to intercept it they still would not be able tofind out the contents of your message This is particularly useful in online transactions,where sensitive data is commonly sent across the internet Let’s say for example, you arebuying this book from Amazon with your credit card (and of course that you don’t have itsaved) When you enter your credit card number and click the “Buy” button, your
computer sends your credit card number through your internet connection to your internetservice provider (like AT&T, Verizon, your cable company, etc.) Then your internet
service provider sends your credit card number many miles, possibly hundreds of miles toAmazon’s internet service provider, and then to Amazon’s own computers Once theyhave the card, they have to send the number to your credit card provider (like Visa orMasterCard) and make the charge In one online transaction, your credit card may be senthundreds, or even thousands of miles
Sending your credit card number many miles across internet wires is dangerous As thedistance a message is sent increases, the chances of it getting intercepted likely increase aswell If your message was not encrypted at all, someone could hook into your internetwires or wifi connection and see everything that you were doing They could see intercept
Trang 6free ebooks ==> www.ebook777.com
were clever, they would listen in right outside of Amazon’s location, and intercept all theconnections Amazon had with their customers and steal every single credit card number! Obviously that would be a huge, huge problem, that would make online shopping utterlyinfeasible By encrypting the credit card number, however, companies ensure that no onebut the intended recipient can read them
The way this is implemented in real life is brilliant, but also nearly invisible to the enduser Your web browser almost always takes care of it behind the scenes Occasionallysomething goes wrong in the encryption process, however, and when it does, you need toknow what to do I’ll go over that in a minute Right now I’m going to explain in greaterdetail what your browser is doing under the hood Knowing this will better equip you tounderstand what can go wrong I will warn you, however, that this will get a bit technical;since its not absolutely essential to keeping secure, its an ok section to skip If you canread it, though, you may find it quite interesting
To transfer information securely over the internet, both the sending computer and the
receiving computer need to know the same secret key One computer could come up with
a randomly generated key, and send it to the other, then for the rest of the time, they couldcommunicate securely using the secret key they both share But how can that key be
securely exchanged?
One could meet in person with the party in question, or one could even speak over thephone and communicate the secret key Clearly if one were to simply send the key andthen the message right after it, the security of the message would be compromised If Isend Amazon the key to decrypt my credit card information, and then immediately sendthe encrypted information right after that, anyone listening in could just intercept the
Trang 7Here’s how this plays out in an example scenario
Amazon generates a private and public key pair, and sends their public key to anyone whovisits their site, but they keep the private key highly secure When you visit their site,your computer generates another key (unrelated to Amazon’s keys), encrypts this key withAmazon’s public key, and sends it to Amazon Amazon decrypts the key that your
computer generated, and for the rest of the time you are connected, your computers use thekey your computer generated to keep your messages secure
1 Amazon sends you their public key
2 Your computer generates another completely unrelated key
3 Your computer encrypts the new key with Amazon’s public key and sends it back toAmazon
remember is that encryption is just a way of scrambling a message so that nobody but theperson with the password can read it Home Depot posted the following as their solution
to the credit card scam:
The company has implemented enhanced encryption of payment data in all U.S stores The new security protection locks down payment card data, taking raw
payment card information and scrambling it to make it unreadable and virtually useless to hackers Home Depot’s encryption technology, provided by Voltage
Security, Inc., has been tested and validated by two independent IT security firms.
Trang 8
free ebooks ==> www.ebook777.com
https://corporate.homedepot.com/MediaCenter/Documents/Press%20Release.pdf
From what I can tell, they were using encryption any time a credit card left their internalnetwork Amazingly, the hackers found a way to break into their internal network wherecredits cards were not encrypted Home Depot had to step up their security measures,encrypting the cards immediately after people swiped them in the store
Now that you know how online encryption works, here’s how you can recognize if yourconnection is encrypted In most browsers today, there is a little lock in the url bar thatshows that your site is encrypted Here’s what it looks like in Internet Explorer 11,
Trang 9
The text to the right of the first green lock icon states that the identity of the site has beenverified I’ll go over how that works later on For now, I want to focus on how encryptionworks
If you look at the text next to the second green lock, you’ll notice that in this instance theconnection is secured with a 256 bit encryption Usually encryption today is either 128 bit
or 256 bit All that refers to is the length of the secret key used to encrypt your
connection A longer 256 bit key is more secure than a shorter 128 bit key The longer thekey, the more complex the encryption is, and the more difficult it is to undo As of todayboth are sufficiently long to be considered secure
The next item in the security information box is the name of the protocol that governs howthe connection is initiated and encrypted It says “The connection uses TLS 1.2.” Here,the name of the protocol used is TLS 1.2 Right now TLS 1.2 is widely believed to be themost secure mainstream protocol for transmitting information in a web browser TLS 1.1and TLS 1.0 are older versions that are less secure Another, older method of encryption
is SSL 3.0 Both TLS 1.0 and SSL 3.0 have widely known vulnerabilities that make them
Trang 10free ebooks ==> www.ebook777.com
easier to break into If you are using a site with very important information, like a banking
or investing site, you should think twice before you enter your information if the
connection is not using TLS 1.2, or at least 1.1 It may just be that they have not updatedtheir software, but for financial institutions, this is unlikely If you see a bank websitewith a TLS 1.0 connection, your browser may be out of date If you have an up-to-datebrowser, it is possible that there is a third party hacker interfering with the connection,causing the connection to be governed by a less secure protocol
The next item in the list states the actual encryption algorithm used to secure messagestransmitted The TLS protocol simply governs how the connection is formed, not whatspecific algorithm is used to encrypt messages Computers today support a number ofdifferent encryption algorithms (called ciphers), and any of a number of them can be
used The TLS protocol determines how your browser and the site you are accessing willdecide on a cipher Not all computers have the same ciphers, and they must find one thatboth have in common In this case, the cipher used is CHACHA20_POLY1305, which isconsidered a secure encryption algorithm Here are the other ciphers that are commonlyconsidered secure when used with either TLS 1.1 or 1.2
connection Now that you know more about encryption, however, you have the tools todetermine if a site is using the latest, most secure protocol, or an older less secure one
This is a picture of the security profile for a stock trading company I found when writingthis book Note that it uses TLS 1.0, a protocol with known security holes (Disclaimer -TradeStation may have updated their site since the writing of this book Please checkthere to see the status)
Trang 11to be encrypted with a secure algorithm and key Both sides need to have the same key Onecomputer generates the key, and sends it to theother The key exchange mechanism describeshow the key is securely transmitted once it hasbeen generated I covered how this worksconceptually earlier, but there are a number ofdifferent ways this can be implemented Mybrowser here is telling me exactly whatimplementation is being used If you are usingTLS 1.2, your browser should take care ofchoosing a secure key exchange mechanism
In addition to making sure that you have good encryption when visiting a website, yourbrowser also needs to verify that you are actually connecting to the site you want to
connect to Digital cryptography is used to verify identity online Using public and
private key cryptography, the identity of a remote server can be verified with a trustedthird party We’ll go over how this works in a later section on phishing
It is worth noting that if you see a yellow triangle over the lock in Chrome, it means thatonly part of the page is secured Often times web pages are split up into different partsand each part is loaded separately If one of those parts is not being loaded over an
encrypted connection, your browser should alert you If this is happening, it really is asecurity risk If all the information is not encrypted, it is much easier for someone toinject malicious code into the site If you are accessing a sensitive site and receive a
warning that part of the page is not encrypted, then you should proceed with caution If it
is a site with important information like a bank account, it would not be unwise to contactthem about it If the page does not contain sensitive information, however, it shouldn’t be
Trang 12free ebooks ==> www.ebook777.com
In this case, by using an older version of Internet Explorer, you are putting your system atneedless risk For other browsers like Firefox and Chrome, updates are installed
automatically, which means that unless you alter the settings, your browser should be up
to date If you have an older version of Firefox, you may need to update it manually,however, as older versions of Firefox do not automatically update
B Protecting Files on Your Personal Computer With Encryption
Keeping files safe on your computer involves the same technology that is used to keepyour information safe while being sent across the internet You probably have a password
on your computer, and you may think that such a precaution is enough to secure your files
Unfortunately its not quite that easy If I had physical access to your computer, I couldprobably break in and read all your files in a matter of minutes (assuming, of course, that Ihad your permission to do so) Your password is a good tool for keeping benevolent usersfrom administrative control on your machine, but unless you have a new computer withWindows 8.1, your files will be unprotected from anyone who really want your
Trang 13
The reason is because by default, your files are stored unencrypted on your hard drive Ahacker could easily plug in a flash drive with Linux on it, and start your computer up
using a completely different operating system They can completely bypass the Windowsuser account system altogether, and access all the information on the hard drive If yourcomputer is stolen, your information is likely unprotected and could be accessed by
recommend one to you as well If you don’t want to encrypt your computer at all, or arenot interested right now, feel free to just skip the rest of this section, and we’ll see you atthe beginning of the next what is the next section?
Before encrypting your computer, you need to remember one thing - if you forget yourpassword, and don’t have it saved anywhere else, your files are lost permanently Thewhole point of encryption is to lock out anyone without the password If you lose it, yourfiles won’t remember you and will be lost forever For that reason, you MUST backupyour encryption key and store multiple copies of it in safe places
A new Windows 8.1 PC offers the easiest way to encrypt your files, so I’ll cover this casefirst All you have to do is sign in with a Microsoft account with administrator rights toyour machine, and your computer will automatically encrypt your files! Pretty easy,
right? Microsoft seems to have recognized the security hole in their setup, and has donesomething to improve the security of your machine For those of you who have a newWindows 8.1 computer, your account is safe, as long as you log in with a Microsoft onlineaccount It is important to note that if you log in to your computer with a local Windowsaccount instead of an online Microsoft account, encryption will not take place The reason
Trang 14free ebooks ==> www.ebook777.com
out permanently If you forget your password on your computer, you can reset it throughtheir online service
If you upgraded to Windows 8.1, the encryption may not work, because it requires certainhardware that many computers don’t currently have If your computer has been aroundfor a few years, it likely does not have the right hardware If you upgraded to Windows8.1 and want to enable encryption, I’ll point you to Microsoft’s guide at the link below:
http://windows.microsoft.com/en-us/windows-8/using-device-encryption
For those not using a new Windows 8.1 computer (most of us), there are a number ofprograms out there that do the same thing, and well Just remember to keep your
encryption key in a secure place
For Windows Users who have a Professional or Enterprise edition, you have a built inutility called BitLocker If you don’t have BitLocker, you’ll need to upgrade to a proversion of the operating system you are using, or use another freeware program I’ll coverlater To use BitLocker, search for BitLocker from the start menu, and you should seesomething like “Manage BitLocker” When you click on that, you’ll be taken to the
BitLocker page in the Control Panel From there you can easily enable encryption byclicking on the text to turn on BitLocker, and following the steps in the wizard that
appears BitLocker will allow you to encrypt your whole drive, even if your processordoes not support the encryption that comes with new Windows 8.1 PCs
If you have a Mac, there is a built in utility called FileVault that you can use to encryptyour data Just go to system preferences => File Vault There you can select what foldersyou want encrypted Some users may want their whole drive encrypted Oftentimes,however, you really just need your important documents encrypted The Mac computergives you the built-in ability to easily encrypt your computer, no need for any upgrade Apple doesn’t back up your key, so make sure to store your key in multiple other places soyou won’t forget it
Trang 15
Open source means that the developer of the program has made all the code used to create
a program freely available to the public Most commercial software contains license
agreements that strictly prohibit anyone from even trying to see how the program wasmade Open source software is just the opposite - anyone and everyone can look at justhow the program was made, and even tweak a personal copy of it if they know what theyare doing
Open source cryptography programs like DiskCryptor are said to be more secure thanproprietary ones because any programmer can look at how the program was written toverify that it is secure Some people have concerns that the governments could compelcompanies to implement secret weaknesses in encryption so that they can access the
encrypted files Whether this occurs or not is not in the realm of this book to discuss Themain point is just that some people consider open source programs more secure than
closed source ones, and thus opt for open source programs like DiskCryptor Here arelinks to the homepage and downloads:
encryption It is faster and easier, and if there are any security holes in it, none have beendiscovered yet, as far as I can tell
As this section on encryption comes to a close, I want to remind you of a few things
regarding the security of your data First, remember to choose a good, strong password
No matter how amazing your encryption program is, if you have a poor password,
Trang 16free ebooks ==> www.ebook777.com
and may be able to find yours in a “brute force” hacking attempt Remember to keep yourbrowser up to date too And lastly, I want to remind you once again to always back upyour encryption key or password If you lose it, your files are irrevocably lost
C Physical Security
Sometimes its easy to forget that everything in the digital world, or “the cloud”, as theysay, is actually man-made hardware, and is just as susceptible to physical theft as anythingelse People often think that the internet is something that just mysteriously exists “incyberspace” The reality is, however that “cyberspace” is nothing more than a bunch ofcomputers and wires that connect them together Really, that’s all that cyberspace is There are no ghosts, no ethereal clouds There are just computers and wires There arebig computers and small computers, short wires and long Copper wires and fiber opticcables But that’s really all the internet is
When you store information in an online storage service like DropBox, or iCloud, you’reactually sending it to a massive warehouse filled with computers, called a server farm When someone sends an email to your email account, it is also stored in a server farmsomewhere Whether email or a backup from your computer, your data is saved to one ormore computers in the server farm Whenever you want it back, that computer will
retrieve your data, and send it across the internet to your computer The computers inserver farms stay on 24/7 so you can access your data whenever you want, and they haveinternet connections that go unbelievably fast so they can send and receive data frommillions of people at once
Google has put together a pretty cool website showing how their server farms work It has
a lot of cool pictures and explains some of the technology required to build it If you havethe time, I would encourage you to take a look:
http://www.google.com/about/datacenters/gallery/#/
This aggregation of digital information is potentially very dangerous These server farmscontain important information belonging to countless people A single computer couldcontain the emails or personal files of hundreds, or even thousands of people, or could
Trang 17As you can see, “the cloud” which is in many ways the future of computing, comes withserious risk To ensure safety, tech companies like Apple and Google usually have 24/7security guards and strong walls to protect their facilities They also encrypt their data aswell, so that if any computers are stolen, sensitive information is not compromised
Usually they have backups of information stored in different data centers, so users can stillaccess their data If just one copy is stolen, however, the consumer data is compromised
In your situation, you are not likely to be hiring a guard to watch your computer 24/7 That said, people really do physically steal computers to get the data stored in them, andyou need to take precautions to prevent data from getting into the wrong hands I was apart of a nonprofit organization, years ago, whose computer was stolen My guess is thatthe criminals were trying to access personal data from the members of the organization.They were likely hoping to find important information that can be used to break into bankaccounts and such, like social security numbers, dates of birth, and other personally
identifiable information Fortunately, only contact information was stored on the
computer, and no worse harm occurred
When considering your overall security strategy, don’t forget that someone breaking inand stealing a computer, especially at work, is a real security concern System admins,and anyone else who stores sensitive data must be careful to keep critical systems lockedbehind doors, or sensitive data could be compromised If you run or work at a small
company or organization, developing a strategy to keep your computers safe is a verygood use of time
D Managing User Permissions
This is a concept that I think most people already understand All it really means is
managing who can do what on your computer Computers today come with a built-in set
of access controls that allow certain users to do certain things Just like its important togive out information only on a need-to-know basis, it’s critical that in digital security,
Trang 18free ebooks ==> www.ebook777.com
you give out access to people in your company Don’t give anyone you do not trust access
to things they don’t need Even if you do trust them, its still probably better not to givethem access Why? First, because no matter who they are, they may deal with your datamaliciously Second, even though they may have absolutely good intentions, they may nothave the skill or knowledge to deal with it in a secure way They could accidentally
damage your information, or even compromise your system I’ve seen it happen beforewhere an inexperienced person was given administrator access to a system and
accidentally downloaded a piece of malware on an organization’s computer The personmay not be trying to share company secrets, but they may accidentally lose a sticky notewith their username and password If their account gets hacked and they have
administrator permissions, you could be in serious danger
have-access basis is wise Computer programmers take this to heart, restricting not onlyhow people, but how programs can access sensitive information For example, securitymeasures are used to try to prevent any unauthorized programs from running on yourcomputer If you have Windows 7 or 8, you are probably familiar with the somewhatannoying alerts that Windows sets off when you try to install software The reason forthose alerts is because Windows limits the abilities that the installer has on your computer
In general, by restricting access to anything that could be used destructively to a need-to-so that it can’t install anything you do not permit It actually considers that installer adifferent “user” of the computer, and requires you, the administrator to authorize the
program to install By requiring you to explicitly OK the installation of programs,
Microsoft is trying to protect you from malware and other programs that you don’t wantinstalled on your computer
Implementing a secure user access policy is pretty easy on today’s computers There arealmost always two main groups - standard users and administrators Sometimes there areother account types like guest accounts, and sometimes you can define your own accounttypes Standard and administrator accounts are really the only two you need for day-to-day purposes
they can add and remove programs, change system files, or whatever else they like Users
Trang 19contain malware
It can also be a good idea for you to have two different accounts for yourself on yourcomputer - an administrative account and a standard account If you are using the
standard account and download a piece of malware on your computer, it is less likely toactually infect your computer Because standard accounts can’t install most software orchange system files, malware that may be trying to install itself will likely be blocked aswell
One excellent example of critical system files that need protection are startup files
Malicious programmers usually want their viruses to run automatically at startup Theywant their programs and spyware to be running every time you turn your computer on Ifyou accidentally run some malicious software while logged in to an administrative
account, a piece of malware can easily inject itself into your startup files If you run it on
a standard account, however, the program will have more difficulty getting into thoseimportant startup files
One other important aspect of user permissions is that standard accounts do not haveaccess to most files created by another user This is important because it keeps standardusers from accidentally or maliciously deleting files on a computer If your kids use thesame computer you do, its probably a good idea to give them a different, standard useraccount so they can’t accidentally delete your files
To change user permissions on a Windows computer, just search for “User Accounts” atthe start menu, and you should see something with that name and a picture of two people
If that doesn’t work, or if you are still running Windows XP, go to start => control panel,and then click on user accounts Here’s what it looks like in Windows 8.1:
Trang 20free ebooks ==> www.ebook777.com
From there you can manage the accounts on your computer As you can see, it offers youthe option of changing your account type, or if you click “Manage another account”, youcan see all the accounts on the computer When you click on any of them, you’ll see theoption to change the user account type There you can switch users from administrator tostandard permissions and visa versa If you have a different version of Windows, it maylook a bit different, but the same basic functionality is there
On a Mac, click the Apple icon in the top left of the screen, then select system
preferences, then choose Users & Groups From there you can easily change and manageuser permissions
By limiting administrator access to your computer, you are protecting your system frombeing damaged by an unthinking user By using a standard account on a day-to-day basis,you are further protecting your computer from unintended harm And by restricting
people who may not have the best interests of your company at heart, you can preventthem from destroying important files or installing dangerous malware
E Login Security: How to Keep Hackers Out of Your Accounts
Keeping logins confidential is a critical aspect of computer security If you don’t have agood strategy for keeping people out of your online accounts, hackers can steal passwords
Trang 21So how do you choose a good password? Well first, it’s probably better if you know whatthreat you are up against The greater the ability of the hacker, the more complex yourpassword needs to be to avoid a hack To crack passwords, hackers use powerful
computers that can test sometimes billions of passwords per second Because they gothrough a huge number of records per second, common passwords will be easily guessed
To make a strong password, don’t use any combination of words in the dictionary
Hackers have their own dictionaries of passwords that contain all sorts of combinations ofdictionary words to crack passwords The programs they use are powerful and quiteclever If you use anything that has any sort of meaning, they can usually crack it prettyeasily Sometimes people think that if they use a clever placement of numbers or specialcharacters they can be secure However passwords like “passw0rd” or “s3cr3t” are easilyunderstood by password cracking programs and are highly insecure
Using easy-to-find personal information in a password is another common mistake peoplemake For example, including a zip code, or a name of someone close in the password Skilled hackers sometimes do background checks on their targets, and can feed suchpersonal information into the password cracking program, thus making that kind of
password insecure It’s not too hard for a criminal to do a background check on you,especially with the advent of social networking sites like Facebook; so, it is not unlikelyeven if you are not a high profile target Furthermore, someone who knows you anddoesn’t like you will find it easier to guess your password And while we are talkingabout unsecured personal information, it is also worth mentioning that you should choosevery obscure security questions so that someone close who does not like you cannot resetyour password on you In that same line, if you find someone asking you what your
mother’s maiden name is for no apparent reason, take note, and don’t give it to them.Another good practice in password security is to keep your password at least 8 letterslong, and use an assortment of lowercase and capital letters, and perhaps some
punctuation Ten characters is even better Obviously the shorter the password, the easier
it is to guess, or crack by a massive brute-force hacking attempt Furthermore, by adding
in just capital letters you exponentially decrease the probability of your password beingguessed
Trang 22free ebooks ==> www.ebook777.com
Those are the major guidelines for choosing a password Unfortunately, in addition tomaking a password hard to guess, following these criteria can also make it difficult toremember your password So how can you choose a memorable password that is stillsecure? One popular technique today is to come up with a memorable sentence and takethe first letter and punctuation of each word in it For example, “My best friend, John,read a book on cyber security” Taking the first word and punctuation yields a password
“Mbf,J,rabocs” It’s a lot easier to remember the sentence “My best friend, John, read abook on cyber security” than it is to remember “Mbf,J,rabocs” And a password like that
is random enough that a computer will have a very difficult time finding it To recap, hereare the rules for secure password generation:
Ok, so now you know about choosing a good password But one good password isn’tenough You need to have a different password for the most important logins you have,like email and bank accounts Why? Because if any of your accounts that use the samepassword are compromised, all are at risk There are a number of ways this can happen,and each is quite problematic
One way hackers can get ahold of your password is by physically stealing a login serverfrom a website you use (A server, by the way, is just a computer with special softwarethat allows it to run a website.) Alternatively, they could also create a virus that coulddigitally steal the files from the site as well Either way, the hacker gets ahold of a list ofusers, along with their email addresses and passwords used for logging in Usually thepasswords will be encrypted, but if anyone is using a weak password, the encryption willlikely be broken, and the password discovered Unfortunately, these same people withweak passwords probably are not very security conscious, and so likely use the same
password on other sites as well The hacker then tries to log into the person’s email
Trang 23
Another reason to make sure you don’t reuse the same password across multiple sites isbecause you don’t know what the website will do with your information They may
immediately encrypt it as they should, never looking at your password, or they may store
it in their own personal database and promptly try and log in to your email with it It mayseem like a reputable site, but it is quite possible that it is simply a scam to get your log-ininformation
Having a hacked email account is a really bad problem because so many other accountsare usually linked to it If they hack your email, they can 1) Browse through your email tosee what services you use, and 2) reset the passwords on other sites and quickly break intomultiple accounts you have They can read important documents you have, impersonateyou, and more If they have any personally identifiable information, they may be able tocorrectly answer security questions and get into even more accounts To prevent this fromhappening, NEVER use the same password for at least your email and financial accounts Doing so could have disastrous results Using two-factor authentication is another way toprotect your email account which we will cover later
Another critical way to keep your online logins secure is to password protect your
computer not only on login, but also whenever your computer comes out of sleep or
screensaver This may seem seem like an inconvenience, but can be very worthwhile
This is clearly important to protect the encryption of any documents and files stored onyour computer If you haven’t specifically enabled encryption, it is nevertheless important
to protect the login information for your online accounts Even if you don’t have
encryption enabled, the login information to websites is nearly always encrypted usingyour login password by default on your computer If you have saved any passwords inyour browser, and yet don’t have your computer password protected, anyone who stealsyour computer will be able to easily log into your accounts If you do have a passwordpresent, it will be much more difficult for intruders to see them
Trang 24free ebooks ==> www.ebook777.com
Encrypting your login information is good, but the best way to prevent people from
stealing your online passwords is to never store them in your browser For less importantlogins, storing them may be fine, but for your most important logins, such as email andbank accounts, I would strongly caution you against storing any important logins in yourbrowser Yes, it may be encrypted with your login password, but still, for something asimportant as a bank account, its really not a good idea
There are a number of more advanced password management tools out there LastPass isone of the most popular When you create an account on a new website, it will generate avery secure password for you, and then remember it You only need to remember yourLastPass Password, and LastPass will remember the rest Furthermore it encrypts yourpasswords and stores them on their servers so that you can access them from any computeranywhere
The convenience of such a system is obvious, and there are real security benefits to using
it Because it generates and remembers secure passwords, you will have very strong,unique passwords for all your sites The problem is, however, all someone has to do to getall your passwords is guess the one you use for LastPass The fact that all your passwordsare stored on a server somewhere is further cause for concern If one of those serverswere compromised, then your data would be at risk Now I can’t imagine that the
passwords aren’t encrypted like crazy on their servers, so you’d probably be fine using theservice That said, if you do, I’d recommend that you do not have it remember your mostimportant passwords just to be safe
By generating long, random passwords, and hiding them behind one master password,LastPass attempts to make up for common security issues associated with passwords Unfortunately, it is still subject to the same weakness that any other password-protectedsystem is — you can lose the password, and all your information is compromised Tocombat this weakness, engineers have devised another way to authenticate users Thatway even if the password is lost, there is still some protection for the account This iscalled two-factor authentication, and is most often accomplished via texting
Here’s how it works Once you visit a site and enter in the correct username and
Trang 25in, the website may remember the computer or phone you are using so that you don’t have
to get any more secret codes via text when logging in from that device
This method of securing logins is an excellent way to help maintain online security Inorder to hack your account, hackers must have access to both your phone and your
password Getting both of those is significantly more difficult than getting just one, andadds in an extra layer of security If your email provider offers this, I would highly
recommend you take advantage of it It is a small hassle now, but really could save you inthe long run
relatively weak
To have the best chance of securing your wifi network, choose a good, strong passwordlike we have discussed Seriously, if you don’t your wifi password could be cracked inminutes For critical locations, choose an even longer, more complex password
For wifi security, the standard WEP (Wired Equivalent Privacy) encryption protocol iswidely known to be easy to crack, and is officially deprecated The only reason you see it
on your router today is for legacy reasons WPA (Wi-Fi protected Access), was the nextsecurity mode invented to address the problems with WEP, but was also found to have
Trang 26free ebooks ==> www.ebook777.com
WPA2 WPA2 is the most secure algorithm yet, and is the standard for wifi today Youshould always use it That said, if you choose a weak password, it doesn’t matter whatsecurity algorithm is being used, your wifi network will still be easy to break into Choose
a good strong password, use WPA2 encryption, and you will have the best chances ofstaying secure
If you are using public Wifi, you are probably already familiar with the fact that yourinternet usage could be tracked by others on the network You may not know, though, that
if the site you are visiting is encrypted (like most email and banking sites), you technicallystill can browse securely How? Because the encryption takes place right on your
computer, so any traffic to or from your computer will be protected with strong
encryption If you are about to complete a multibillion dollar transaction, you still mightwant to use private Wifi In fact, you always want to use private Wifi if you can becauseyou never know what security threats may arise But if you are in a pinch, if your
information on everyone’s computer Would you be able to get your files back withoutpaying? If you don’t backup your computer, you might try to turn it on tomorrow andrealize that you have something just about as bad as CryptoLocker - a dead computer Thefact of the matter is, if you don’t backup your data on a regular basis, you may be in for avery unwelcome surprise
Right now, there are two major forms of data backup for the consumer - using your ownbackup device, or backing up to “the cloud.” Most people are at least somewhat familiar
Trang 27
If you don’t have many critical files, this way works all right If you are trying to storemore information, or even a backup of your whole computer, it has a few issues For one,
it can be inconvenient to have to manually back up all your files Second, if you try tobackup your whole computer like this at various intervals, you can quickly run out ofspace on your external hard drive
Considering that you can buy an external hard drive for less than a hundred dollars todaythat can backup your entire computer, the simple method of dragging and dropping filesfrom your computer to your backup hard drive works, if you don’t have many files Youcan just store a new copy of each file or folder you want to save If you are trying tobackup your whole hard drive, however, you would quickly run out of space if you copiedits entire contents to your backup drive every time you made a backup Furthermore,copying all that information would take a long time To alleviate this problem, there are anumber of backup solutions available that create incremental backups Incremental
backups store an initial copy of what is on the hard drive, and then only store changesthereafter Incremental backups are great not only because they save space, but also
because they track the history of changes, oftentimes allowing you to recover a file at anygiven point in time
If you have a Mac, you have an excellent backup utility built in Time Machine, as it iscalled, is a program that works at set intervals to backup all your data to a connected harddrive It creates an incremental backup of your hard drive, which allows to recreate avirtual snapshot of your computer at each time it has run a backup This comes in handyeven if your hard drive didn’t crash If you make changes to a file at some point and thenwant to revert back to an earlier version you had, by using time machine, you can go backand find a copy of the file at a former date
Time Machine on the Mac currently has one other cool feature, if you are willing to pay Apple has a device called the Airport Time Capsule that is basically a wireless backup
Trang 28free ebooks ==> www.ebook777.com
backup your data to it, instead of to a usb-connected hard drive For $299, you can have abackup solution that serves as a wifi hotspot, and automatically takes care of Time
Machine functionality as well If you have the money, it is a nifty device, and saves youfrom the hassle of plugging in an external hard drive Using Time Machine with a
standard hard drive works just as well, however, and is a good solution if you don’t want
to pay
On Windows, there is no one built-in tool that does all of what Time Machine does WithWindows 8, however, Microsoft has added a new feature that does a good job of backing
up files The program, called File History, can be accessed just by searching for it fromthe home screen Once you plug in an external drive and configure it, File History willautomatically check every hour to see if your important files have been changed If theyhave, it saves a copy to the external device
File history keeps old backups for some time after a new backup has been stored Thisallows you to recover not only the latest copy, but also previous versions you have savedbefore that To save space, this backup only saves files from commonly used locations,that is, Libraries, Contacts, Favorites, and your Desktop The Libraries folder containsyour My Documents folder, and most of the other places you will be storing your data
Unfortunately, File History doesn’t backup all the programs you have installed, or
Windows itself, because both of those take up a lot of space Even if your computer
crashes, you can still just reinstall Windows, and reinstall all the programs you have Since File History saves your most important files, a computer crash isn’t the worst thingthat could happen Restoring your files is still a hassle, but its not catastrophic like losingall your files would be As long as you have your personal files backed up, the damage isnot irreparable That said, anything short of a full system backup is still risky Sure itbacks up everything in certain locations, but sometimes we accidentally save things instrange locations In the event of a system crash, all those files would be lost For thatreason, I would recommend implementing a full system backup I’ll explain how to dothat on Windows in just a second As for File History, overall it is a nice new feature thatMicrosoft has added that gives you a convenient way to backup commonly used folders But it may not be quite enough
Trang 29If you don’t have Windows 8, or you just want to have a more fully featured backup
system for your PC, you’ll want to download a separate backup and restore application One of the best free programs available for this today is Cobian backup It is not as
polished as some of the paid software, but as far as a free backup program goes, it does thejob well The reason Cobian backup is what we want is because it does everything weneed, and for free Here are the features great backup software needs to have:
1 Incremental Backup - as I said earlier, instead of copying your entire computer’s
contents on every backup, an incremental backup system only saves the changes - thisdrastically reduces the amount of space that a backup takes up
2 Full System Backup - as we discussed earlier, you don’t want to miss a single file on
your backup If you have limited hard drive space on your backup drive, then of courseyou won’t be using this, but if you have the free space, then this is an important thing tohave
3 Backup Encryption - you may password protect your computer and encrypt everything
on it, but if your backup isn’t encrypted, you are just one forgetful moment away fromdata theft
4 Automatic Backup - the program should backup your files automatically on a schedule,
or even in real time as you save changes
Cobian backup takes care of all of these, and so for most people it will work well Youcan find it at:
http://www.cobiansoft.com/cobianbackup.htm
Another alternative to Cobian backup is CrashPlan’s free backup plan Unlike Cobianbackup, CrashPlan is a commercially supported piece of software, and so it has a niceruser interface It does the same three things that Cobian backup does, with only minorlimitations The backup is encrypted, automatic, and incremental, but you are limited to amaximum of one automatic backup per day if you don’t upgrade to premium For most
Trang 30free ebooks ==> www.ebook777.com
people, the free version of CrashPlan is a good security option CrashPlan also has a
cloud backup capability, which I will cover in a moment
One thing to remember though, is this: backup utilities can only make backups when yourexternal hard drive is plugged in Don’t forget to plug it in!
H Cloud Backup
Having to remember to plug in your computer can be a pain sometimes What if youcould just back up your computer over the internet, and not have to worry about plugging
in a hard drive ever again? That’s where cloud backup companies come into play Theyoffer cloud based services that usually back up your files in real time That means thatevery time you hit save on your computer, your changes are immediately sent to the
backup server The main cons to this type of service are the monthly fees for continuingservice, and privacy concerns if your data is not properly encrypted Prices for onlinebackup have dropped significantly over the past few years, so you can get a good onlinebackup for less than $5 per month, which is absolutely affordable for the value it delivers
As far as privacy concerns go, you need to be careful who you choose
There are a huge number of companies that sell online backup services For them, setting
up an online backup system is easy! Just hook up a few hard drives to the internet, andboom, they have an online backup! Just kidding It certainly is not that easy becausethey have to implement systems that can scale for millions of users, encrypt users’ data,replicate it several times in case one of their servers goes down, make sure that it staysseparate from everyone else’s data, and more Still, it’s a competitive field, and prices arerapidly decreasing
In the online backup world, there are two different competing models One isn’t really
“backup” I’m talking about the DropBox model DropBox is just like a folder that syncsonline You put things in the DropBox folder on your computer or on the DropBox
website, and it syncs with the DropBox servers and with any other connected devices This is a great feature for sharing data, and syncing it across multiple devices, but don’t be
Trang 31
The other model is what we have been talking about - a true system backup Currentlythere are a number of providers who do this, all for varying costs When it comes todeciding whether you should backup to the cloud, and if so, where, there are two of
critical things to consider when it comes to security
1 Encryption method used - most large cloud backup providers encrypt your data in thecloud (remember, encryption means scrambling your data using a special formula and apassword) Without at least some encryption, they would have trouble getting business,and may even have legal trouble Just because your data is encrypted, however, doesn’tmean it is secure If the company has the password to decrypt your backup, someonecould steal that key and access your files If a rotten employee gets a hold of that
information, he could sneakily use it to view your files If the US Government decidesthat they want to look at your files, they can force the storage company to reveal yourinformation, all without telling you If hackers break into the system and steal the keys,your data could be compromised The bottom line is, if the backup storage provider hasyour encryption password, your backup is not completely secure Some backup solutionskeep the encryption key stored on your computer so that no one can access your data Forgreatest security, you should use a service like this On the other hand, this also preventsthe use of a password reset mechanism, so if you use a backup like this, be sure to storeyour encrypted password in a different place NOT on your computer After all, if yourcomputer crashes, you won’t be able to get the key if the only place you have it stored isyour computer
2 Redundancy - you pay them to back up your data, but what if their hard drive breaks? That wouldn’t be a very good backup The more the cloud provider backs up the data, themore secure it will be At bare minimum, a backup provider will store the data in twoplaces, and a good backup provider should store it in three different places That way youcan be confident that your data will be safe
Trang 32
free ebooks ==> www.ebook777.com
They offer 5gb of free online backup While not much, that may be enough to store yourmost important documents in the cloud Unlike Google Drive, and Dropbox, iDrive
actually backs up folders on your computer, instead of just enabling you to access onefolder connected to the cloud
If you are willing to pay a little more for online backup security, CrashPlan’s online
backup service may be for you At a cost of just about $5 per month, it’s about the lowestprice you can get today As far as privacy is concerned, you can set it so that your privateencryption key is always secured by your password Currently, that doesn’t seem to be thedefault configuration, so it looks like you may need to go into the settings to make sure it
is that way The system is set up so that it actually has two passwords for your data One
is the password you make, and the second is a “key” The key is a 56 character long string
of letters that is a super-secure password they generate for you If you want maximumsecurity, you can generate this on your computer, and never upload it This is the mostsecure option for keeping anyone and everyone out of your account At the time of thiswriting, they offer an individual plan for just $3.96 per month, making it one of the mostcost-effective options When combined with its ability to store local backups, I can
Government is pretty active in demanding to see people’s information If that is
something that you don’t like, please be aware and act accordingly Only services thatencrypt information before it is sent to the backup provider can offer you the confidencethat your system has not been hacked
Trang 33
Section 2 Types of Malware - The Ingenious Ways Hackers Can Ruin Your
Computer
Here I’ll present to you several different types of malware, and more importantly, how toavoid getting them in your system As the name suggests, malware is a general name formalicious software - programs that try to steal your data, track your activity, damage yourfiles, or perform other unwanted activities Malware is created by programmers, calledhackers, who unfortunately do not use their skill for good This is a critical section toread, so don’t skip it unless you really have an understanding of how to defend againstthese types of attacks Even if you do know about these viruses, its still worth reading, asI’ll relate some stories about security attacks that may give you deeper understanding ofwhat we are facing
A Trojan Horses
A Trojan Horse attack is the name given for any malicious program that is initially
disguised as a legitimate program The name is a reference to the story of the Greek siege
of Troy Just like the Greeks were able to convince the Trojans to bring them into theircity, a Trojan Horse piece of malware tries to gain access to your computer by pretending
it is something you want Instead of trying to break through all the security features onyour computer that prevent unauthorized access, Trojan Horse attacks attempt to trick youinto authorizing them to run on your computer They pose as beneficial programs that youwant on your computer so that you will run them Once you give them full access to yourcomputer, they can work nearly limitless harm They can take over your system, injectmany malicious files, and even paralyze it Here’s an example of a Trojan horse that costthe world a whole lot of money It’s called CryptoLocker
CryptoLocker was usually first transmitted to a potential victim as an attachment from anemail disguised to look like it was from Fedex or UPS It might, for example, say that itwas from Fedex announcing that a package had not been delivered, and instruct the user todownload an attachment for more details That attachment, however, had been engineered
to exploit a security hole in the computer, and as soon as it was opened, would quicklyinfect the computer Once the virus was on the computer, it would set to work encrypting
Trang 34free ebooks ==> www.ebook777.com
user’s computer, making it impossible to retrieve without the right key The programwould then send the key back to the hackers who would hold it for ransom, usually forsomething between $200 and $700
As you can imagine, this would be a terrible virus to get, especially if you didn’t backupyour computer I use my computer pretty much all day, every day, so if I got this virus, itcould devastate my work Fortunately I keep my work backed up on a regular basis, but if
I didn’t the results would be disastrous And how could I get this virus? Just by carelesslyopening an attachment from an email that looks like it was sent from UPS or Fedex
Should it be that way? No - you shouldn’t be able to get malware through opening a PDF,
or a Microsoft Word document Unfortunately the creators of pdf reading software
oftentimes leave security holes in their software that hackers can exploit PDF readers arenotorious for weaknesses that allow malware in, and you need to be able to protect
yourself
Adobe Reader is the most common PDF reader, and as a result bears the brunt of mostattacks Hackers usually concentrate their attacks on the most popular programs becausethey have the most potential victims Hacks often come through exploiting a weakness
in a particular piece of software, and thus for hackers, time is most efficiently spent
developing viruses for the most common software Furthermore, Adobe Reader is thestandard program for reading PDFs, and that means that the non-tech savvy people aremost likely to use it, further increasing the chances that their malware will successfullyinfiltrate their victims’ computers
If you don’t have Google Chrome, it is worth at least looking into Google pours a lot ofmoney into developing a browser that is fast, stable, and secure Its built-in PDF reader is
Trang 35“Sandboxing”, which basically means that it isolates the PDF and everything related to itfrom the rest of your system Sandboxing, in addition to the fact that it is less commonlyused than Adobe Reader makes it a wise choice to use You can set it to be the defaultreader for all your PDFs as an additional security measure To do this in Windows, rightclick on any PDF, move your mouse to “Open With” in the context menu that pops up,then choose Google Chrome For more detailed information, here is a link to a paperdescribing the security features in Chromium, the development name of Google Chrome:
http://seclab.stanford.edu/websec/chromium/chromium-security-architecture.pdf
The other main way to avoid becoming a victim of a PDF-borne attack is by following thissimple rule: Don’t open any attachment unless you are sure you know where it is from Ifyou get an email you are not expecting , from someone you don’t know that has an
attachment, you should assume its a virus and immediately delete it Do NOT even thinkabout downloading the attachment In fact, you should not even open up the email,
because they may still find a way to exploit your browser when you look at it In the case
of an email that seems like it is from someone or an organization that you trust, how couldyou know that this was a faked email?
First, is there a good reason for the email? Did you recently send a package? Second,why does it have an attachment Think about emails you have gotten from UPS or Fedex How often do they ask you to download an attachment? Why would they want you todownload one? They generally only have a few things they say - “Your package wasdelivered”, “Your package was not delivered because…”, or some other basic message What reason would they have for you to need to download a pdf? The answer is theyusually don’t If they do need to send you so much information that it needs to be
contained in an attachment, you probably will have specifically requested it from them Ifyou didn’t request extra information, that’s a pretty good clue that you are looking at afaked email
Just like PDFs can be specially modified to compromise your computer, Microsoft Word
Trang 36free ebooks ==> www.ebook777.com
computer Just like Adobe Reader is a common piece of software, Microsoft Word isinstalled on a huge number of PCs across the globe Because Word is such an extensivelyused program, it is difficult to ensure that there are no security vulnerabilities Recentversions of Word have stepped-up security measures with documents downloaded fromthe internet, but they are still a vulnerability You should be careful when opening docfiles, just like with PDFs Additionally, since most informative documents are transmittedvia PDF, you should be very suspicious of a Word Document file from any location youdon’t expect Don’t open the email, and don’t even think about downloading the
attachment
There are many other file types that can be sent across the internet, but few are so
common as the PDF Occasionally you may get a picture, a video or even an executablefile that contains a virus Executable files on Windows have a exe extension, and are themost deadly type of attachment you can run Unlike PDFs, executable files are actualprograms like the ones you install on your computer, so they can do far more than justexploit the weakness in another program on your system Once you run an executable file,the attacker immediately has access to your system Never run such a file Even a
seemingly harmless picture can be malware in disguise Really, to avoid a hack you must
be suspicious of any and all attachments that come from unexpected sources, now matterhow innocent they look
In sum, attachments are one of the most effective ways for hackers to gain access to yourcomputer, because they look like things you want But the reality is, they can be
dangerous Trojan Horses, one of the most effective forms of malware, and they can wreakhavoc on your computer If you are not expecting an attachment, don’t open it, no matterwho it is from Even if it is from one of your friends, if you are not expecting it, be
careful A hacker may have hijacked your friend’s email account, and now is using it tosend malware-filled emails to everyone in your friend’s contact list These threats are real,and people’s computers frequently are compromised through these means One of myown relatives’ email got hacked Fortunately, the only thing the hacker used it for wassending out advertisements and spam They could have used it to send out malware filledattachments The account had a weak password that was easy to crack, so after I
recovered the account, I put in a real password that would be very difficult to crack