Module 6 - Free Home Page

Module 6: Internet Security, Privacy, and Legal Issues
Overview
In this module, we will discuss basic Internet security, privacy, and the legal issues involved in communicating
over the Internet and publishing to the World Wide Web.
We will explore major Internet security threats and the tools used to mitigate them, including antivirus software,
firewalls, and basic encryption tools. We will also discuss Internet privacy and identity theft. Specific topics will
include cookies, spyware, spam, browser privacy, identity theft, and identity-theft prevention.
We will conclude this module by looking at the legal implications of using Web resources, including copyright
limitations, documentation of online resources, and understanding the legal terms of usage for online content.
Copyright © by University of Maryland University College .
Objectives
After completing this module, you should be able to:
- describe critical Internet security issues
- contrast types of Internet security threats
- discuss ways of mitigating Internet security threats
- describe the function of firewalls
- explain the purpose of virus-protection software and why it is important
- explain and be able to manage cookies, cache, and history files
- summarize the key areas encompassing Internet privacy issues
- outline the legal responsibilities involved in communicating and publishing on the Internet
Commentary
Topics
1. Internet Security
2. Who Is Using the Internet?
3. What Should We Secure?
4. How Should We Secure It?
5. Virus Protection
6. Encryption
7. Privacy
8. Identity Theft
9. Online Content and Legal Use
10. Online Content and Citations
Internet Security
Historically, the Internet did not have security designed into its protocols. Today, however, there are many
Internet security protocols and products to provide secure data transmission over the Internet. These security
systems try to address the additional security problems inherent in the Internet.
Even so, there is no absolute guarantee that your data will be secure on the Internet. As with life in general,
there are trade-offs. Because we want the information to be available when we need it, we must have access to
it, but this access gives us security vulnerability. The security measures we implement should balance
availability with protection of the information. Implementing good Internet security means running protocols on
top of other protocols, which can add to the processing and transmission time of your data. In addition, if you
need high-end security, configuration and administration costs can be high.
The best thing you can do to make your Internet experience more secure is to understand that each security
system has its weaknesses. Therefore, you should categorize your data based on the level of protection it needs.
Types of Internet Security Threats
Internet security threats are directed toward computers connected to the Internet, the Internet itself, and the
data and resources on the Internet. Crackers are responsible for most of the threats on the Internet. You should
not confuse a cracker with a hacker. Hackers are "good guys," but the news media have misrepresented them
in recent years.
Some of the more common categories of threats crackers have launched are:
- data corruption and disclosure
- intrusion
- denial of service
- IP spoofing
Data Corruption and Disclosure
If your data is important, you must protect and safeguard it; otherwise an intruder could destroy, compromise,
or copy it. The integrity of your data could also be suspect because you cannot be sure if an intruder has
tampered with it, edited it, or changed it.
Intrusion
An intruder could gain access to your computer and do such things as view your data or run programs, and you
may not even be aware of it. He may simply be curious and leave everything untouched, or he may delete files,
corrupt files, crash the computer, leave a back door open for future visits, tamper with user accounts, send email in your name, deface your Web site, or use your computer to attack other computers on the Internet.
Denial of Service
There are many types of denial-of-service attacks. Examples are reformatting hard drives, deleting system-critical
files, cutting power or network cables, filling up available disk space, and overloading a server by
continually sending packets to it so it cannot respond to valid requests.
IP Spoofing
Spoofing is impersonating a computer or a person. IP spoofing is the most common type of spoof. An intruder
can gain access to your computer by sending messages with an IP address indicating that the message is
coming from a computer or server that you trust.
Internet Vulnerability
At the macro level, the Internet itself currently is not very secure. Internet access on an individual basis,
however, is as secure as you make it. You should implement security options such as virus protection,
encryption, and firewalls to protect your data and your computer.
Even if you believe that you are storing no data on your computer that needs protection, you still must protect
your computer with antivirus software and a firewall to keep your computer functioning efficiently. Aside from
that, computer users connected to the Internet also have a civic responsibility. Without updated antivirus
protection or an active firewall, your system can be compromised and used in more serious attacks. Imagine,
for example, 10,000 people who believe they do not have to bother with antivirus software or a firewall.
Someone can then easily compromise these 10,000 computers and turn them into zombies with the intention of
launching a denial-of-service attack to crash the Federal Aviation Administration or Amtrak's systems. Because
you saw no need to maintain your computer's antivirus software and a firewall, you are now part of the problem.
There is yet another option if you do not wish to bother with virus protection. The requirements would be to
never use storage devices that have been used on other computer stations, to never let anyone else use your
computer, and to keep your computer permanently removed from any Internet connection. If this isn't an
option for you, then antivirus software and a firewall should be.
So what kind of information is being gathered about us on the Internet? Do people know our home addresses?
Our salaries? Do they have access to our personal files? What can we do to protect ourselves? What about the
material on the Web and the content of all that easily accessible information? These issues should be of concern
to anyone who currently uses or plans to use the Internet; and according to the numbers below, a lot of people
are online.
Who Is Using the Internet?
Figure 6.1: Worldwide Internet Usage (Miniwatts Marketing Group, 2006). Panels: Internet Usage Data; Percent Population (Penetration).
According to the Internet Crime Complaint Center (IC3), Internet auction fraud was the most-reported Internet
offense in 2004, with 71.2 percent of the total complaints.
This represents a 16.7 percent increase from the 2003 levels of auction fraud reported. In addition,
during 2004, the non-delivery of merchandise and/or payment represented 15.8 percent of
complaints (down 24.4 percent from 2003), and credit- and debit-card fraud made up an
additional 5.4 percent of complaints (down 21.7 percent from 2003). Identity theft, computer
fraud, Nigerian letter fraud, and financial institutions fraud complaints represented less than 0.8
percent of all complaints combined (NWC3, 2005).
According to the Federal Trade Commission, however, identity theft continues to be the top fraud-related
complaint, accounting for 39 percent of all complaints filed in 2004. The FTC's report, National and State Trends
in Fraud and Identity Theft, did note that the other top fraud-related complaint was Internet auctions, "which
made up 16 percent of all complaints registered last year" (2005).
Whatever the most accurate statistics are, we cannot argue that online vulnerabilities have multiplied as the
number of networks, hosts, and users on the Internet has dramatically increased. The Computer Emergency
Response Team (CERT), an Internet security watchdog organization, calculates that the number of security
vulnerabilities has risen from 1,090 in 2000 to more than 5,900 in 2005. In other words, security breaches,
which occurred at the rate of nearly three per day in 2000, exploded to more than 16 per day in 2005 (Carnegie
Mellon University, 2006).
Even with this increase, if we consider the amount of information exchanged every day on the Internet and
compare that to the volume of fraudulent activity that occurs everywhere else, we would find that the statistics
are relatively low. Most security breaches attributed to the Internet take place at the client and server levels,
which are controlled and managed by humans. The Internet could be considered just as secure as any other
means of communication, such as the Public Switched Telephone Network (PSTN) or the United States Postal
Service (USPS).
If we compared the security of mailing a letter via the USPS, making a telephone call on the PSTN, or using
mobile telephone systems with the security of e-mailing the same information using Internet encryption, we
would find that the Internet is actually more secure. However, some people will not transmit a credit card
number over the Internet, citing security concerns.
When thinking about security, we should also consider these situations:
- When we go to a restaurant and give our credit card to a waiter, he takes the credit card and proceeds
  to another room (out of sight), records the transaction, and returns the credit card to us. While the
  waiter was out of our sight, did he make copies of our credit card number? What is stopping any
  employee of the restaurant who has access to customer information from getting our credit card
  number?
- The telephone rings. It is a convincing telemarketer and you decide to make a purchase, so you provide
  your credit card number over the phone. How do you know that your phone or the telemarketer's phone
  is not tapped? If you are using a cordless or mobile phone, how do you know that someone is not using
  a receiver to monitor your conversation? How do you know the telemarketer is reputable or representing
  a legitimate business?
- How about going to your local supermarket, gas station, or shopping mall and using your credit card to
  make purchases? To verify your credit card, telecommunication lines transmit the numbers, usually
  using the same lines you use to access the Internet from your home. Is this really any different from
  making a purchase online?
Breaches of Internet security are generally the result of the same types of mistakes made in other situations in
which security is important, such as trusting friends, relatives, and neighbors too much, leaving the keys in the
ignition, leaving your door unlocked, or being overconfident, thinking "this will never happen to me."
Similarly, choosing a password that can be cracked easily, letting someone know your password, failing to
protect your data, and accessing the Internet without using a firewall are common computer security mistakes.
Someone can take advantage of these weaknesses.
In addition, individuals can use social engineering techniques to get confidential information, such as user IDs
and passwords. For example, someone could call a company's help desk, claim she is an employee, and say she
needs to know her password because she forgot it.
As more and more financial and personal information is being stored on computers, and more and more
computers are connected to the truly worldwide Internet, Internet security becomes increasingly important.
With a few basic precautionary measures, however, security threats can be substantially reduced.
What Should We Secure?
As we discussed in module 1, the Internet operates using the client/server model. This model has three
components:
1. the client
2. the network
3. the server
Internet security has a similar model, consisting of securing your local system, securing the data in transit, and
securing and authenticating the remote server.
The relationship between the models is illustrated below.
Internet Security Model | Client/Server Model
securing your local system | the client
securing the data in transit | the network
securing and authenticating the remote server | the server
How Should We Secure It?
The most obvious problem with Internet security is that as soon as you connect your network to the Internet,
you are effectively opening a data pipeline to the outside world. Doing so is necessary to provide your
connection but is just as likely to allow unwelcome intruders to wander around your personal data if you are not
careful. To prevent this intrusion, effective hardware and software barriers—in the form of firewalls and
password/authentication schemes—can be put in place.
Firewalls
Essentially, a firewall is a gap between two networks that allows only selected forms of traffic to pass through.
You should place a firewall between your computer and the Internet because just as with regular mail, not
every packet that arrives at your computer is one you want to open. A firewall is software, hardware, or a
combination of both that can restrict access to the Internet from your computer; but more important, it restricts
the access to your computer from the Internet. Firewalls can also hide your identity while you access the
Internet.
A firewall examines each packet and determines whether to send it to its destination. All Internet packets
arriving at your computer from outside your network must pass through the firewall. Similarly, all Internet
packets going out onto the Internet must also pass through the firewall. You configure the firewall to check all
traffic in both directions, and the firewall then selectively passes or blocks the packets, based on the
configuration.
The criteria a firewall uses for passing packets along depend on the kind of firewall you use. A personal firewall
is the most common type found in the home. It acts as a guard checking passes at a building; anything you
send or receive first stops at the firewall, which filters or screens packets based on IP addresses, the contents of
the data, what an application does, or all of these.
Figure 6.2: A Firewall at Work
For example, a firewall could allow the user to upload and download files with FTP while preventing someone
else from using FTP to compromise the user's computer. You could also configure the firewall to ignore all
packets for FTP services but allow all HTTP packets to pass when browsing the Web.
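The two FTP and HTTP configurations described above, as an added example that is not part of the original module: a toy stateful packet filter in Python. The addresses, ports, class names and sample packets are constructed for illustration, and FTP's separate data connection is left out to keep the model small.

```python
from dataclasses import dataclass
from typing import Optional

HOME = "192.168.1.10"      # constructed address of the protected computer
FTP, HTTP = 21, 80         # well-known ports for FTP control and HTTP


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    direction: str         # "out" (leaving HOME) or "in" (arriving at HOME)
    dport: Optional[int]   # destination port; None matches any port
    action: str            # "allow" or "block"


class Firewall:
    """Checks traffic in both directions; first matching rule wins."""

    def __init__(self, rules, home=HOME):
        self.rules = list(rules)
        self.home = home
        self.connections = set()   # connections that were opened from inside

    def decide(self, pkt):
        direction = "out" if pkt.src == self.home else "in"
        # A reply to a connection the user opened is let back in.
        if direction == "in" and \
                (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections:
            return "allow"
        for rule in self.rules:
            if rule.direction == direction and rule.dport in (None, pkt.dport):
                if rule.action == "allow" and direction == "out":
                    self.connections.add(
                        (pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return rule.action
        return "block"             # nothing matched: default deny


# Configuration 1: the user may use FTP and the Web; nothing unsolicited gets in.
FTP_CLIENT_POLICY = [Rule("out", FTP, "allow"), Rule("out", HTTP, "allow")]
# Configuration 2: ignore FTP entirely, allow Web browsing.
WEB_ONLY_POLICY = [Rule("out", FTP, "block"), Rule("out", HTTP, "allow")]

# Constructed sample traffic.
TRAFFIC = [
    Packet(HOME, 50000, "203.0.113.5", FTP),      # user opens an FTP session
    Packet("203.0.113.5", FTP, HOME, 50000),      # FTP server replies
    Packet("198.51.100.7", 40000, HOME, FTP),     # stranger probes the user's FTP port
    Packet(HOME, 50001, "203.0.113.5", HTTP),     # user requests a Web page
    Packet("203.0.113.5", HTTP, HOME, 50001),     # Web server replies
]


def run(policy, packets=TRAFFIC):
    """Return the firewall's decision for each packet, in order."""
    firewall = Firewall(policy)
    return [firewall.decide(pkt) for pkt in packets]


if __name__ == "__main__":
    for name, policy in (("FTP client", FTP_CLIENT_POLICY),
                         ("Web only", WEB_ONLY_POLICY)):
        print(name, run(policy))
```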
Although firewalls significantly improve Internet security when properly configured, they are not a cure-all. After
you install a firewall, you must not let your guard down and neglect to monitor your ongoing security
environment.
Many companies make firewall products, and some are available free of charge. Some examples of open-source
firewalls are ZoneAlarm, Tiny Personal Firewall, and Astaro; for-purchase firewalls include McAfee, Norton
(Symantec), and Black Ice.
Password/Authentication Schemes
Passwords have long been the first line of defense in protecting computer systems and networks. Choosing an
appropriate password takes some thought. We suggest the following guidelines for doing so:
- Make passwords difficult to guess. In other words, don't use your name or relative's name; don't use
  your birthday or easily guessed dates that would have meaning to you. Don't use dictionary words or
  names. Instead, use a combination of letters and numbers. Use the maximum number of characters
  allowed when creating your password, but never have a password with fewer than eight characters.
- Change your password often.
- Use different passwords for different accounts. Using the same password for multiple accounts makes
  accessing your materials that much easier for an intruder.
- Store your passwords securely. If you absolutely can't memorize your passwords, keep them in a
  securely locked place. Never leave your password on a Post-it note next to your computer or in your
  desk drawer.
Here are some examples of well-chosen passwords:
- Use lines from a childhood verse:
  Verse: Do you know the muffin man?
  Password: DYn0theMM?
  (making the 0 in n0 a zero rather than the letter o)
- City expression:
  Expression: Chicago is my kind of town
  Password: C1mYKot
- Foods disliked during childhood:
  Food: spinach and beans
  Password: sPiNaB3ans
  (making the e in beans a number three)
  Food: boiled broccoli
  Password: boipercentBrocc
- Technique: Transliteration
  Illustrative expression: photographic
  Password: foT0grafik
  (making the 0 in foT0 a zero rather than the letter o)
- Technique: Interweaving of characters in successive words
  Illustrative expression: crazy train
  Password: crZy7rn
NOTE: Obviously, you shouldn't use any of the above passwords! Treat these examples as guidelines only.
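One way to turn the guidelines and the note above into an automatic check, as an added example that is not part of the original module. The word list is a small constructed stand-in for a real dictionary, and the function and parameter names are illustrative assumptions.

```python
import re

MIN_LENGTH = 8   # the module's floor: never fewer than eight characters

# The sample passwords printed in this module. Anything published is guessable.
PUBLISHED_EXAMPLES = {
    "DYn0theMM?", "C1mYKot", "sPiNaB3ans",
    "boipercentBrocc", "foT0grafik", "crZy7rn",
}

# Constructed stand-in for a dictionary of common words.
WORDLIST = {"password", "dragon", "monkey", "welcome", "letmein",
            "sunshine", "chicago", "spinach"}

# Undo common look-alike substitutions so "Passw0rd" is seen as "password".
LEET = str.maketrans("0134@5$7", "oieaasst")


def personal_tokens(personal):
    """Split names and dates into lowercase pieces worth searching for."""
    tokens = set()
    for item in personal:
        parts = re.findall(r"[a-z]+|\d+", item.lower())
        tokens.update(p for p in parts if len(p) >= 3)
        digits = "".join(p for p in parts if p.isdigit())
        if len(digits) >= 3:
            tokens.add(digits)          # e.g. 1984-04-12 -> 19840412
    return tokens


def check_password(candidate, personal=(), other_accounts=()):
    """Return the list of guideline violations; an empty list means none found."""
    problems = []
    folded = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append("fewer than eight characters")
    if not (re.search(r"[a-z]", folded) and re.search(r"\d", candidate)):
        problems.append("does not combine letters and numbers")
    if candidate in PUBLISHED_EXAMPLES:
        problems.append("is a published example password")
    # Strip leading/trailing digits and symbols, then reverse substitutions.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", folded).translate(LEET)
    if core in WORDLIST:
        problems.append("is a dictionary word with simple substitutions")
    unleeted = folded.translate(LEET)
    if any(tok in folded or tok in unleeted
           for tok in personal_tokens(personal)):
        problems.append("contains a name or date tied to the user")
    if candidate in other_accounts:
        problems.append("is already used for another account")
    return problems


if __name__ == "__main__":
    owner = ("Alice Example", "1984-04-12")     # constructed user details
    for pw in ("DYn0theMM?", "Passw0rd1", "4l1c3-1984", "muffin", "t7Rw9kLq2Vx"):
        print(pw, "->", check_password(pw, personal=owner) or "no problems found")
```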
As necessary as passwords are, they unfortunately are usually the first thing a cracker will try to "break" to gain
access to your system, and even well-composed passwords are vulnerable to being intercepted and "stolen" by
today's more sophisticated system attackers.
More detailed security techniques for password security on the server level are covered in more advanced
computer security classes, but see this module's relevant URLs for online resources.
Browser Cache: Cookies and History Files
In addition to security while you are online, you must be aware of others using your system. If you share your
computer with other users, your browser cache (pronounced "cash") and history files can be potential security
risks. A later user can take advantage of these features to find out where you've been on the Internet and
possibly even view private information.
To clean your browser cache, open your browser and select Tools from the menu toolbar. In Internet Explorer,
select Internet Options (as shown below), and Delete Files and Clear History.
In Netscape, open the Edit menu and choose Preferences. Under the Advanced category, click Cache. Choose
Clear Cache. To clear the history, under the same Preferences menu, choose History and then click on Clear
History.
To clear the cache when using Firefox, select Tools from the menu toolbar, select Options, and then select the
Privacy button on the left toolbar. Click on the Clear button to the right of the word Cache. You can clear your
history at the same screen by choosing the option Clear to the right of the word History.
Cookies
A cookie is a small file that resides on your hard drive and enables you to personalize the Web pages you visit.
For example, when you place an order with an online retailer, a cookie file is created that "saves" the
information you entered, such as your name and shipping address, so that you do not have to reenter this
information the next time you visit.
Cookies are also used to customize Web pages. For example, you may have set your default homepage to be
one of the many portal sites such as Yahoo. When you log on each day, you're given customized news, weather,
and stock quotes based on choices you have made. Cookie files are the technology behind this service.
So, what's bad about cookies? Some people believe that cookies are an invasion of privacy. Advertisers can
gather information about your browsing habits by using cookies to track where you go on the Web and which of
the ads (if any) you've clicked. All current browsers allow you the option of turning off cookies.
To turn off cookies, open your browser and select Tools from the menu toolbar. In Internet Explorer, select
Internet Options and then select the Privacy tab (as shown below).
In Netscape, open the Edit menu and choose Preferences. Under the Privacy & Security category, click Cookies.
Set your cookies preferences.
In Firefox, select Tools from the menu toolbar, select Options, and then select the Privacy button on the left
toolbar.
Be aware that blocking cookies may prohibit you from visiting certain sites. For example, Microsoft E-Learning
uses cookies to ensure the privacy of its users' accounts when they enter secure parts of its site. Microsoft
argues that the cookies allow users to log in, participate in sessions, and access chat areas. When users exit the
browser, the cookie is erased from memory. Users who do not have cookies turned on, however, are denied
access to this site.
Pop-Ups
Pop-ups usually contain an advertisement. Overloading a system with pop-up advertisements can cause a
computer to crash. This is a common symptom of a computer attack that could be avoided with proper antivirus
software and maintenance. You can obtain software to block pop-ups. In addition, some ISPs install pop-up
blocking software on their servers. The latest versions of Internet Explorer and other browsers such as Netscape
and Firefox have pop-up protection built into the program. You should always allow the browser to help protect
your computer against pop-ups; however, do realize that some sites, such as Web Tycho, use pop-ups. You will
have to allow the pop-ups from these sites to let you use the site as it is meant to be used.
Java Applets
Web developers often use Java to create Java applets, which perform such things as calculations and interactive
animations. Applets do not generally pose a security threat to your computer because the specification for the
Java programming language limits what they can do on your computer. For example, applets cannot write to
your hard drive. In addition, they can make a network connection back only to the domain from which they
came. Because Java is a programming language, a programmer can write malicious code for a Web site that will
activate when the user enters the site. Luckily, very few programmers have chosen to write malicious code that
uses Java or ActiveX. Your chances of running into this type of problem will be minimal if you make sure that
you install the latest version of the browser you use and stick to sites you consider trustworthy. A site called
Fred's Web Site of Hacking would not be considered trustworthy.
ActiveX Controls
ActiveX controls can be very dangerous unless you trust the site from which they came. This is because, once
downloaded to your computer, unlike Java Applets, an ActiveX control has access to your entire computer
system. Therefore, among other things, it can modify or delete files, change configuration settings, reformat
your hard drive, or contact a remote server. You can manage ActiveX controls with your browser settings.
Network Shares
Sometimes, you connect your computer to a shared network, even at home. You use these networks to share
resources such as files, disk space, and printers. When you access the Internet, the rest of the world can see
and access these shared resources, including your login name, computer name, and other information.
In addition, any computer connected to the Internet is vulnerable to viruses if file sharing is turned on and you
do not set your file and folder permissions. If this functionality is available, you can control whether files can be
read, deleted, created, or modified.
In general, you should not turn on file sharing unless you need it. Then, be sure the files being shared do not
include private information such as credit card numbers or passwords. Make sure you turn off file sharing when
you've finished sharing your files.
Virus Protection
In the initial days of online viruses, the riskiest action you could take on the Internet was to download and run
an executable file. Executable files have the extension .exe and should never be run if you are unsure what the
program is or who sent it to you. Executable files can contain viruses that can wreak havoc with or even disable
your computer. Today, however, the threat is even greater and expands past executable files. Microsoft Word
and Excel are particularly susceptible to macro viruses, and you should be wary even of files sent to you from
people you know. You can't be certain of the origins of these files.
Without antivirus software on your system, you are deliberately setting up your computer for a virus that can
significantly slow your computer operations, lock it up completely, or even destroy the data, software, or
hardware. Two leading virus-protection software packages are McAfee VirusScan and Norton AntiVirus.
Before the Internet, in the days of stand-alone computers, viruses were transmitted from computer to computer
mainly by sharing diskettes. Today, e-mail is the main vehicle for transmitting viruses.
Viruses usually hide in a program and activate when the program runs. To protect your computer from viruses,
you should have antivirus software installed and update its data file regularly.
Most virus-scanning programs actually consist of two components: the main program and a data file. The data
file contains virus signatures. To protect your computer from viruses, you must install antivirus software on
your computer or subscribe to an online service, and you must keep the software and data files used by this
program up to date. This does not mean that you should stop backing up the important files on your computer,
but it does give you another level of defense while using the Internet.
Many antivirus programs can:
- scan your computer for viruses
- inoculate your computer against known viruses
- repair damage caused by a virus
To get the benefit of the program, make sure you run it as recommended. You should scan all your computer
hard drives for viruses regularly and update your virus data files at least once a week. Most antivirus programs
allow you to automatically schedule both the scan and the update and to receive new information about viruses.
Consider your virus-protection coverage part of your computer purchase. Without it, your computer may not
work for very long.
Although you can buy antivirus software, freeware and shareware programs are available. In addition, most
major antivirus vendors offer free online virus scans. If you represent an organization, these vendors offer virus
scans for a fee.
E-Mail and Viruses
E-mail messages are essentially text-only and cannot transmit a virus on their own. However, many e-mail
programs use HTML to format documents, enabling someone to hide viruses in e-mail messages by using
technologies such as Microsoft's ActiveX controls.
In addition, most e-mail programs allow you to add an attachment. Because this attachment can be almost any
file type, it could contain a virus. Attachments that can contain viruses include executable programs (.exe
and .com), word processing (.doc), spreadsheets (.xls), and zip (.zip) files, which can contain any of the above.
This is not an exhaustive list; many other file types can contain viruses.
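The attachment types listed above and the signature data file described under Virus Protection, combined in one added example that is not part of the original module. The data-file format, the signature names and byte patterns, and the sample attachment are all constructed and harmless; no real antivirus product uses this format.

```python
import io
import os
import zipfile

# File types the module names as able to carry a virus (.zip is unpacked instead).
RISKY_EXTENSIONS = {".exe", ".com", ".doc", ".xls"}
MAX_DEPTH = 3   # stop unpacking archives nested deeper than this

# Constructed data files: a version line, then name=hex-pattern signatures.
DATA_FILE_V1 = """\
version=1
Demo.Alpha=44454d4f2d414c504841    # bytes of "DEMO-ALPHA"
"""
DATA_FILE_V2 = """\
version=2
Demo.Alpha=44454d4f2d414c504841
Demo.Beta=44454d4f2d42455441       # bytes of "DEMO-BETA", added by the update
"""


def load_data_file(text):
    """Parse a signature data file into (version, {name: byte pattern})."""
    version, signatures = None, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        if key.strip() == "version":
            version = int(value)
        else:
            signatures[key.strip()] = bytes.fromhex(value.strip())
    if version is None:
        raise ValueError("data file has no version line")
    return version, signatures


def inspect_attachment(name, data, signatures, depth=0):
    """Return (path, kind, detail) findings, unpacking zip files recursively."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_DEPTH:
            return [(name, "nested-too-deep", str(depth))]
        findings = []
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.namelist():
                findings += inspect_attachment(
                    f"{name}/{member}", archive.read(member),
                    signatures, depth + 1)
        return findings           # an archive is judged by what it contains
    findings = []
    ext = os.path.splitext(name)[1].lower()
    if ext in RISKY_EXTENSIONS:
        findings.append((name, "risky-type", ext))
    for sig_name, pattern in signatures.items():
        if pattern in data:
            findings.append((name, "signature", sig_name))
    return findings


def make_zip(members):
    """Build an in-memory zip from {member name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for member, data in members.items():
            archive.writestr(member, data)
    return buf.getvalue()


def build_sample_attachment():
    """Constructed attachment: a zip holding a .doc and a second zip."""
    inner = make_zip({"notes.txt": b"meeting notes DEMO-BETA end"})
    return make_zip({
        "readme.txt": b"photos from the trip",
        "invoice.doc": b"harmless constructed document body",
        "inner.zip": inner,
    })


if __name__ == "__main__":
    attachment = build_sample_attachment()
    for data_file in (DATA_FILE_V1, DATA_FILE_V2):
        version, sigs = load_data_file(data_file)
        print("data file version", version)
        for finding in inspect_attachment("holiday.zip", attachment, sigs):
            print("  ", finding)
```

With the version 1 data file the scan reports only the `.doc` by its type; the pattern hidden two archives deep is reported only after the version 2 data file is loaded.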
One of the key things you can do to protect your computer is to avoid downloading files from sources you do
not trust. If you have your browser configured properly, when you are about to download a type of file that
could contain a virus, your browser will display a warning and ask whether you want to open the file or save it
to disk.
If you are certain the file came from a trusted source, you may want to open it. Alternatively, to be extra safe,
you may want to save it to your hard drive, scan it for viruses, and then open it. If unsure, you should cancel
your download.
You should be careful when you open your e-mail and download files. Do not, however, believe every virus
warning you receive via e-mail. There are almost as many virus hoaxes as there are actual viruses. Hoaxes are
considered worse than viruses to many companies for two reasons: (1) hoax messages have been discovered
that actually contain viruses, and (2) the amount of bandwidth used to send the hoax messages to your
hundred closest friends can shut down a company's network.
A special type of hoax message is known as phishing (pronounced "fishing"). A phish is a message that looks
like it comes from a company that you have dealings with and that asks you to respond or click on a link within
the message. The main purpose of a phish is to collect sensitive information about you so that your identity can
be stolen. If you ever receive a message from a company that asks you to click on a link, do not do it. Instead,
go directly to that company's Web site and log in to see if there really is a message for you. One hint that the
message you have received is a phish is that the message does not use your name in the greeting; instead, you
will see something like "Dear Pay Pal Customer."
Because of the risk of viruses, e-mail messages regularly circulate around the Internet regarding new virus
threats. You should always try to verify these new threats before forwarding virus warnings. Many of these
messages are hoaxes, as are the messages regarding free stock or other products, offers of money, and
warnings about safety. Such messages are known as urban legends. You can check the validity of virus
warnings at the McAfee and Norton sites listed above or by checking the Web site of any major news source.
You can check urban legends at the AFU and Urban Legends Archive.
What Is Not a Virus?
Sometimes people incorrectly use the term virus when referring to other types of attacks that are launched
against the Internet, computers connected to the Internet, or data and resources stored on the Internet. Below
is a brief definition of these attacks. (You will get more in-depth coverage of this topic in the advanced Internet
course.)
Attack | Definition
Bomb | A bomb executes when a specific date, time, action, or event occurs. It then sets off some other malicious action, such as executing a virus or a worm.
Trap door | A trap door, also known as a back door, is a hidden entrance or access point built into a computer system that allows later unauthorized access to the computer.
Trojan horse | A Trojan horse disguises itself behind some other program. It may appear to be a useful program, but after the program executes it does something malicious, such as deleting your files.
Worm | A worm is a stand-alone program that copies itself from computer to computer. Its main purpose is to fill up a computer's memory or disk drive or to consume other resources.
Timing attack | Timing attacks explore the contents of a Web browser's cache. These attacks allow a Web designer to create a malicious form of cookie that is stored on the client's system. The cookie could allow the designer to collect information on how to access password-protected sites. Another attack by the same name involves attempting to intercept cryptographic elements to determine keys and encryption algorithms.
Spyware
Spyware is installed on your computer by "hiding" behind another software package, by a virus, through pop-up
windows, or simply by visiting a Web site. Once the information is collected, it can be sent to advertisers and
other interested parties via the Internet.
Spyware can:
- reconfigure your browser by changing your homepage, search pages, or favorites folder
- cause your computer to run more slowly
- be used to collect sensitive data or personal information from your computer
Anti-spyware software works almost like antivirus software. Each spyware installation has a unique signature or
fingerprint. Anti-spyware software will look for evidence of these signatures, identify them to you, and give you
the option to delete them. Free anti-spyware software such as Ad-Aware is available on the Internet.
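The signature matching described above can be sketched as follows. This is an added example, not code from the course or from any anti-spyware product; the signature names, byte patterns, and sample files are all constructed for illustration.

```python
import hashlib

# Constructed signature database. The names and byte patterns are invented
# for this example and do not identify any real program.
BYTE_SIGNATURES = {
    "Example.HomepageChanger": b"SET_HOMEPAGE=http://ads.example/",
    "Example.KeyLogger": b"KLOG\x00\x01upload",
}

# A whole-file signature: the SHA-256 hash of one exact known-bad file.
KNOWN_BAD_FILE = b"toolbar-installer-v1\x00tracking-module"
HASH_SIGNATURES = {
    hashlib.sha256(KNOWN_BAD_FILE).hexdigest(): "Example.TrackingToolbar",
}


def scan_bytes(data):
    """Return sorted (signature name, offset) matches for one file's content.

    The offset is the position of a byte pattern inside the file, or -1 when
    the whole file matched a hash signature.
    """
    findings = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        findings.append((HASH_SIGNATURES[digest], -1))
    for name, pattern in BYTE_SIGNATURES.items():
        offset = data.find(pattern)
        while offset != -1:  # report every occurrence, not just the first
            findings.append((name, offset))
            offset = data.find(pattern, offset + 1)
    return sorted(findings)


def scan_files(files):
    """files maps path -> content. Return only the files with findings."""
    report = {}
    for path, data in files.items():
        findings = scan_bytes(data)
        if findings:
            report[path] = findings
    return report


# Constructed sample "disk": two clean files and two that carry a signature.
SAMPLE_FILES = {
    "C:/Games/FreeGame/game.exe": b"MZ\x90\x00 ordinary game code",
    "C:/Games/FreeGame/helper.dll":
        b"MZ\x90\x00" + b"\x00" * 12 + b"SET_HOMEPAGE=http://ads.example/start",
    "C:/Temp/setup.tmp": KNOWN_BAD_FILE,
    "C:/Docs/notes.txt": b"shopping list: milk, eggs",
}

if __name__ == "__main__":
    # Identify each match to the user, who then decides whether to delete it.
    for path, findings in scan_files(SAMPLE_FILES).items():
        for name, offset in findings:
            where = "whole file" if offset == -1 else f"offset {offset}"
            print(f"{path}: {name} ({where})")
```

A scanner of this kind recognizes only what is in its signature database, which is why such software has to be updated regularly.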
Spam
Spam is a big issue today. In fact, it has become such a big issue that the U.S. Congress has passed laws to
deal with it. Most of the time, the spam contains an offer for you to buy something.
You should never respond to spam. If you do, the sender will know he has a legitimate e-mail address. Similarly,
you should never try to unsubscribe from spam. If you do, either it will not work or, again, the spammer
will know he has a legitimate e-mail address and, as a result, you will get many more e-mails.
Most legitimate marketers do not use spam because they know it angers recipients. Therefore, if you receive
spam, the offer is probably unreliable anyway.
A spammer can obtain your e-mail address in a number of ways, including those listed below.
Method: Comment
Web spiders: Search engines send these.
Chat room: Your screen name is the first part of your e-mail address.
Random address generation: Computer programs guess e-mail addresses and automatically send the spam.
Businesses: Some businesses sell your e-mail address without telling you.
Other entities or people: A person compiles e-mail addresses from other spammers, people, or businesses by virtue of past associations.
You can do a number of things to slow down spamming, such as:
Use more than one e-mail address. Reserve one address for situations in which you have high assurance that
giving it out will not lead to spam. For example, you can use this address for e-mailing your
friends (after you tell them not to give out your e-mail address) or to sign up with a trustworthy
business that has a very good e-mail privacy policy. You should never use this e-mail address on the
Web. Instead, get a free address to use on the Web.
Before you hit the Submit button on a form on the Web, make sure you understand the entire form and
what will happen to your information. Read the privacy policy.
Use your e-mail client's filter, which allows you to block or automatically delete specific e-mail addresses
and domains.
Report spam to the U.S. Federal Trade Commission.
As a last resort, change your screen name or open a new e-mail account. After you do this, make sure
you protect your e-mail address.
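The filter step in the list above (blocking specific e-mail addresses and domains) works roughly as shown here. This is an added example, not the code of any particular e-mail client; the block lists, sample messages, and function names are constructed, and sending messages with no usable sender to "review" is an assumption of this sketch.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed block lists. The .example names are reserved for documentation.
BLOCKED_ADDRESSES = {"deals@shop.example"}
BLOCKED_DOMAINS = {"bulkmail.example"}


def sender_address(raw_message):
    """Return the lower-cased address from the From header, or "" if unusable."""
    header = message_from_string(raw_message).get("From", "")
    # parseaddr separates the display name from the real address, so a
    # friendly-looking display name cannot hide the true sender.
    _display_name, address = parseaddr(header)
    address = address.strip().lower()
    local, sep, domain = address.rpartition("@")
    return address if sep and local and domain else ""


def domain_is_blocked(domain):
    """Match a blocked domain and its subdomains, but not look-alike suffixes."""
    return any(domain == d or domain.endswith("." + d) for d in BLOCKED_DOMAINS)


def classify(raw_message):
    """Return "delete", "inbox", or "review" (no usable sender address)."""
    address = sender_address(raw_message)
    if not address:
        return "review"
    if address in BLOCKED_ADDRESSES:
        return "delete"
    if domain_is_blocked(address.rpartition("@")[2]):
        return "delete"
    return "inbox"


# Constructed sample messages.
SAMPLE_MESSAGES = {
    "friend": "From: Alice <alice@mail.example>\nSubject: Lunch?\n\nNoon?\n",
    "blocked_address": "From: DEALS@Shop.Example\nSubject: Buy now\n\nOffer\n",
    "spoofed_name": 'From: "alice@mail.example" <promo@news.bulkmail.example>\n'
                    "Subject: Hi\n\nOffer\n",
    "lookalike": "From: info@notbulkmail.example\nSubject: Invoice\n\nText\n",
    "no_sender": "Subject: hello\n\nNo From header at all\n",
}


def classify_all(messages=SAMPLE_MESSAGES):
    """Apply the filter to every sample and return label -> decision."""
    return {label: classify(raw) for label, raw in messages.items()}


if __name__ == "__main__":
    for label, decision in classify_all().items():
        print(f"{label}: {decision}")
```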
Encryption
Two of the most popular technologies available for securing your data are Secure Sockets Layer (SSL) and
Pretty Good Privacy (PGP), both of which use encryption techniques. Usually, SSL encrypts HTTP traffic (Web
browser to Web server communications), and PGP encrypts e-mail and other files.
Secure Sockets Layer (SSL)
When you access a server on the Internet, or when you receive data from the Internet, what you do could be
monitored. With more than 200,000 Web sites worldwide set up to accept e-commerce transactions, the need
for security is immense. The Secure Sockets Layer (SSL) protocol is designed to make it difficult, if not
impossible, for anyone to understand the data sent or received without expending a lot of resources. SSL uses
public-key technology.
A Web browser that understands SSL uses encryption to scramble the data you send to a Web site. That means
the Web site must also understand SSL. When the Web site receives this scrambled data, the server's SSL
software converts it back into the original data. With SSL, your Web interactions are very private.
To be certain you are using a secure Web site before making a transaction, look for the padlock symbol on your
task bar.
In addition to providing privacy, SSL makes sure you are communicating with the Web site with which you
intended to communicate. To identify a safe and secure Web site, the browser and server exchange digital
certificates. The digital certificate portion of SSL is a file that states a company or person is who they say they are.
SSL uses digital certificates to authenticate Web sites and Web browsers. Third-party companies known as certification
authorities (CAs) issue these certificates. Once a Web site has registered with a CA, the browser can
determine whether the site is legitimate. Although there are currently an estimated quarter of a million Web
sites with their own public keys, there are only about 40 commercial certificate authorities.
To offer a secure Web site, the site operator has its public key certified by one of these established certificate
authorities. A browser that accesses the site may not know whether it can trust the site itself, but it can trust
the certificate authority that has signed the site's public key certificate.
When your browser receives a certificate, it checks its list of CAs. If it finds a match, it allows your activity to
continue. However, if your browser software warns you that something is not right, you should cancel whatever
you are doing.
SSL was originally developed by Netscape Communications. Although Netscape always promoted
open use of the protocol, it was and still is proprietary. Indeed, during the height of the browser
wars, Microsoft promoted a different, though very similar, protocol known as Private
Communications Technology.
To fully promote SSL as a true open standard, its developers, along with others in the security
community, decided to hand off responsibility for the protocol to a true international standard
organization known as the Internet Engineering Task Force. The IETF renamed the protocol TLS,
but otherwise made very few changes. Note that TLS version 1.0 is SSL version 3.1 (Thomas
2006).
Encryption and Pretty Good Privacy (PGP)
When you send information over the Internet, your message goes through several computers on the way to and
from its destination. How can you be sure that the information you send is secure? Three issues are involved
here:
1. Eavesdropping: Other computers overhear information you transmit.
2. Manipulation: Third parties somehow alter information you transmit.
3. Impersonation: You may not be sending the information to the entity you think you are; an entity (person or organization) is impersonating another.
To secure information, encryption is used. Encryption is the process of translating your data into a type of
"secret code." There are two types of encryption:
1. Asymmetric encryption (also called public key) is most often used to preclude the exchange of keys among many users, particularly in situations in which the users are unknown to each other.
2. Symmetric encryption is most often used where key distribution is limited to an exchange among a few users (e.g., in banks).
Pretty Good Privacy (PGP) is software that lets you send and receive e-mail and other files using encryption.
Using PGP, you will know:
if the sender of information is who he or she claims to be (authentication)
if the information has been altered in transit (integrity)
that only the intended recipient can read the message (confidentiality)
PGP is the most popular security and privacy program used by private individuals. You can download it from the
Internet free of charge, or you can buy a commercial version. You can also use PGP to encrypt files stored on
your hard drive or another storage medium so that other people or intruders cannot read the files.
PGP is based on the public-key encryption method, which uses two keys: (1) a public key that you give out to
anyone with whom you wish to communicate and (2) a private or secret key that is known only to you. For
example, when James wants to send a secure message to Alice, he uses Alice's public key to encrypt the
message. Alice then uses her private key to decrypt it. To encrypt a message using PGP, you need the PGP
software, which is available free of charge from a number of different online sources and vendors. See
additional resources for PGP in your Relevant URLs section.
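The James-and-Alice exchange above, extended with a signature so that confidentiality, authentication, and integrity can all be seen at work. This is an added illustration, not PGP's code or message format: it uses textbook RSA with small fixed primes and no padding, which is insecure outside a demonstration, and every function and key name is invented here.

```python
import hashlib
from math import gcd


def make_keypair(p, q, e=65537):
    """Build a textbook-RSA key pair from two primes (toy sizes, no padding)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)            # private exponent: e*d = 1 (mod phi)
    return (n, e), (n, d)          # (public key, private key)


def encrypt(message, public_key):
    """Anyone holding the public key can do this."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy key")
    return pow(m, e, n)


def decrypt(ciphertext, private_key):
    """Only the holder of the matching private key gets the message back."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest(message, n):
    # Hash of the message, reduced so it fits under the toy modulus.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, private_key):
    """The sender signs the message hash with his own private key."""
    n, d = private_key
    return pow(_digest(message, n), d, n)


def verify(message, signature, public_key):
    """True only if the signer's key made the signature over this exact message."""
    n, e = public_key
    return pow(signature, e, n) == _digest(message, n)


# Toy keys built from well-known Mersenne primes. Never use such keys for real.
ALICE_PUBLIC, ALICE_PRIVATE = make_keypair(2**61 - 1, 2**89 - 1)
JAMES_PUBLIC, JAMES_PRIVATE = make_keypair(2**107 - 1, 2**127 - 1)


def send_secure(message):
    """James encrypts for Alice and signs as himself; returns what travels."""
    return encrypt(message, ALICE_PUBLIC), sign(message, JAMES_PRIVATE)


def receive(ciphertext, signature):
    """Alice decrypts with her private key and checks James's signature."""
    plaintext = decrypt(ciphertext, ALICE_PRIVATE)
    return plaintext, verify(plaintext, signature, JAMES_PUBLIC)


if __name__ == "__main__":
    c, s = send_secure(b"Meet at noon")
    print(receive(c, s))           # message recovered, signature valid
    print(receive(c + 1, s)[1])    # altered in transit: signature check fails
```

Real PGP encrypts the message itself with a one-time symmetric session key and uses the recipient's public key only to encrypt that session key.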
Blocking Web Sites
A concern for many people, particularly parents, is blocking potentially offensive content. There have been
many cases in recent years in which public institutions, such as libraries, have installed blocking or filtering
software, or the community has asked that it be installed. Although anyone is free to install such software on
his or her personal computer, First Amendment issues are raised when it is installed on public machines. Much
has been written about efforts to control content on the Web, as you will see at the following sites:
Citizens' Internet Empowerment Coalition
Platform for Internet Content Selection (PICS)
The Net Labelling Delusion (Australia)
Electronic Frontier Foundation Archives
The World Wide Web Consortium (W3C, the organization that maintains HTML standards) has developed the
Platform for Internet Content Selection (PICS) protocol to enable ratings of Web sites to be transferred across
the Internet. A handful of organizations have made the effort to view and rate the millions of pages on the
Internet. PICS maintains a list of these raters.
Software is available for filtering or blocking Web sites according to criteria set by the user. Three of the leading
filtering software packages are:
1. Cyber Patrol
2. Net Nanny
3. Cybersitter
Privacy
Because users of the Internet enter information about themselves at many different sites, there is a real fear
that this aggregate information could be collected and become greater than the sum of its parts. Congress has
passed laws to help protect the privacy of Internet users.
The Privacy of Customer Information Section of the common carrier regulation specifies that any proprietary
information shall be used explicitly for providing services and not for any marketing purposes. It also stipulates
that carriers cannot disclose this information except when necessary to provide their services. The only other
exception is when a customer requests the disclosure of information, and then the disclosure is restricted to
that customer's information only.
The privacy standards of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) severely
restrict the dissemination and distribution of private health information without documented consent. The
standards give patients the right to know who has access to their information and who has accessed it. The
standards also restrict the uses of health information to the minimum necessary for the health-care services
required (Whitman & Mattord, 2005).
Identity Theft
Identity theft is a very big issue today. Seemingly ordinary transactions, such as placing mail in your mailbox,
writing a check, making a credit card purchase, applying for a credit card, using your cell phone, mailing your
tax returns, or putting out your garbage, can put you at risk.
Without your knowledge, the thief can use your personal information to open accounts, obtain services from
utility companies, purchase vehicles, rent apartments, and apply for Social Security and other benefits, loans,
and credit cards in your name.
Online shopping allows you to purchase almost anything via the Internet. These and other transactions require
you to share personal information. The identity thief takes some piece of your information and then shares the
information while pretending to be you. He then uses it to commit fraud or theft, in your name.
Identity Theft Methods
Although identity theft cannot be completely prevented, you can minimize your risk by managing your personal
information better. Some of the ways an identity thief can use your information are:
using counterfeit checks or debit cards or both and stealing money from your bank account
calling your credit card issuer, pretending to be you, and giving a change of address for your credit card
account
opening new credit card accounts in your name, using your name, birth date, and Social Security
number
opening a bank account in your name, writing bad checks on the account, and then leaving you to
rectify the problem
establishing mobile phone service in your name
buying vehicles by using your name and taking out a loan
using phishing to get you to respond with personal information
Preventing Identity Theft
Steps you can take to reduce your chances of being a victim of identity theft include:
checking your credit report at the major credit reporting companies at least once a year, or better yet,
once every six months; and making sure you check to see who else is looking at your report
securing your Social Security number by not giving it out unless absolutely necessary and by not
carrying it in your wallet
avoiding having your home telephone number, driver's license number, or Social Security number
printed on your checks
shopping online only at secure Web sites with a customer-centered privacy policy
destroying or shredding information and papers that include any of your personal information before you
put them in the trash
making sure you know your credit accounts' billing cycles and watching your account statements for any
abnormal activity
The Federal Trade Commission (FTC) added a section to the Fair Credit Reporting Act stating that all Americans
are entitled to receive a free credit report from each of the three credit-reporting agencies—Equifax, Experian,
and TransUnion. Alternatively, you may visit the FTC's Web site for information about obtaining your free report.
Online Content and Legal Use
A common misconception is that if material is published on the Web, it is in the public domain and is available
to anyone. This is not true. Items published on the Web are available to anyone to view, but the material is not
available for anyone to take or "borrow." Copyright laws protect online content just as they protect printed
materials.
You should assume that all works available on the Web, including images, text, logos, software, sounds, movie
clips, e-mail, and postings to newsgroups, are copyrighted. Under copyright law, unless you have obtained
permission to use or copy a work for a particular purpose, you may not copy it, even though it is as easy as a
right-click to do so. The instant a Web document is placed on the Internet, its content and images are
copyrighted. Absence of a copyright notice does not mean that the document is not copyrighted.
In some cases, permission statements are included with the work, and you may use the work for the purposes
stated without any further permission or license. Always look for the "terms of use" link on a site that is offering
"free" graphics, backgrounds, and so forth. Although many of the items may be available, they are available
with limitations. For example, the Animation Factory Web site offers great graphics for free use, but it still
requires a link back to its homepage on any site that borrows its free graphics. Also, these graphics cannot be
resold or made available for free on your site, among other limitations. For an example, look at Animation
Factory's Terms of Use page.
Online Content and Citations
Just as you would have to cite your source if you quoted or paraphrased information from a book or magazine
article, you must also cite information quoted or paraphrased from a Web site. Again, copyright limitations
begin the moment an item is published without regard to the posting of a copyright registration. Copyright
limitations cover both content and images.
Guidelines for citing online resources can be found at UMUC's Information and Library Services citation
resources page. Always cite your resources for any academic project. If you took material directly from another
Web site, be sure to place that information in quotation marks and cite the original source. Even if you
paraphrase information from another source, you must still cite the original source, though the paraphrased
text (your words) would not be in quotation marks.
See the following guidelines from the U.S. Copyright Office (2005) Web site's frequently asked questions:
How much of someone else's work can I use without getting permission? Under the fair
use doctrine of the U.S. copyright statute, it is permissible to use limited portions of a work
including quotes, for purposes such as commentary, criticism, news reporting, and scholarly
reports. There are no legal rules permitting the use of a specific number of words, a certain
number of musical notes, or percentage of a work. Whether a particular use qualifies as fair use
depends on all the circumstances. See FL 102, Fair Use, and Circular 21, Reproductions of
Copyrighted Works by Educators and Librarians.
How much do I have to change in order to claim copyright in someone else's work? Only
the owner of copyright in a work has the right to prepare, or to authorize someone else to create,
a new version of that work. Accordingly, you cannot claim copyright to another's work, no matter
how much you change it, unless you have the owner's consent. See Circular 14, Copyright
Registration for Derivative Works.
References
Carnegie Mellon University. (2006). CERT/CC statistics 1988–2005. Retrieved January 9, 2006, from
http://www.cert.org/stats/cert_stats.html
Federal Trade Commission. (2005, February 1). National and state trends in fraud and identity theft. Retrieved
January 8, 2006, from http://www.consumer.gov/idtheft/pdf/clearinghouse_2004.pdf
National White Collar Crime Center (NWC3). (2005). IC3 2004 Internet fraud—Crime report. Retrieved January
10, 2006, from http://www.nw3c.org/research_topics.html
Miniwatts Marketing Group. (2006). Internet usage statistics—the big picture. Internet World Stats. Retrieved
January 11, 2006, from http://www.internetworldstats.com/stats.htm
Thomas, Stephen A. (2006). SSL and TLS essentials: Securing the Web. TechOnLine. Retrieved January 9, 2006,
from http://www.techonline.com/community/tech_topic/14730
U.S. Copyright Office. (2005). Can I use someone else's work? Can someone else use mine? Retrieved January
11, 2006, from http://www.copyright.gov/help/faq/faq-fairuse.html
Whitman, Michael E., & Mattord, Herbert J. (2005). Principles of information security (2nd ed.). Boston:
Thomson Course Technology.
These are the popups for this section, in order of their appearance.
Popup 1:
Cracker—Someone who intentionally breaks into computers or networks for malicious and illegal reasons.
Popup 2:
Hackers—Exceptionally proficient programmers who enjoy finding solutions to computer-related problems and
challenges.
Popup 3:
Denial of service—A denial-of-service attack happens when an intruder consumes so much of a computer or
network resource that no one can use any of the resources on the computer or network.
Popup 5:
Zombie—A computer under the control of a malicious hacker.
Popup 6:
Encryption—A process that scrambles data as it is being transferred from one place on the Internet to another
so that no one can make sense of it until it reaches its destination. It is also used to scramble data that resides
on storage media.
Popup 8:
http://www.zonelabs.com/store/content/home.jsp
Popup 9:
http://www.tinysoftware.com/home/tiny2?la=EN
Popup 10:
http://www.astaro.com/
Popup 11:
http://us.mcafee.com/root/package.asp?pkgid=103&cid=16260
Popup 12:
http://www.symantec.com/home_homeoffice/products/internet_security/npf2006/index.html
Popup 13:
http://www.digitalriver.com/dr/v2/ec_dynamic.main?SP=1&PN=10&sid=26412
Popup 14:
http://www.junkbusters.com/ht/en/cookies.html
Popup 15:
https://www.microsoftelearning.com/
Popup 17:
Java—A computer programming language.
Popup 18:
Java applets—Small Java programs that are downloaded from a Web site and executed on your computer.
Popup 20:
Virus—A computer virus, designed to go undetected, is a self-replicating computer program that interferes with
the operation of your computer or damages your files.
Popup 21:
http://www.mcafee.com/centers/anti-virus/
Popup 22:
http://www.symantec.com/home_homeoffice/products/virus_protection/nav2006/index.html
Popup 23:
Virus signature—A unique string of bits that uniquely identifies a particular virus and is like a fingerprint.
Popup 24:
Hoax—A virus hoax, usually sent via e-mail, is a false warning about a virus.
Popup 25:
http://tafkac.org/
Popup 26:
http://www.webopedia.com/DidYouKnow/Internet/2004/virus.asp
Popup 27:
Spyware—Software secretly installed on your system that keeps a record of information about you without your
knowledge, such as the products you buy, the files you download, or the Web pages you visit.
Popup 28:
http://www.download.com/3000-2144-10045910.html
Popup 29:
Spam—Also known as junk mail, spam is unsolicited, mostly commercial, e-mail.
Popup 30:
http://www.ftc.gov/index.html
Popup 33:
Digital certification—A digital certification informs you who is responsible for a specific Web site and verifies that
it is free of malicious components, such as viruses, and that it has not been tampered with since being certified.
Popup 34:
http://webopedia.internet.com/TERM/p/public_key_cryptography.html
Popup 35:
http://webopedia.internet.com/TERM/s/symmetric_encryption.html
Popup 36:
http://www.pgpi.org/
Popup 37:
http://www.ciec.org/
Popup 38:
http://www.w3.org/pub/WWW/PICS/
Popup 39:
http://libertus.net/liberty/label.html
Popup 40:
http://www.eff.org/Censorship/
Popup 41:
http://www.w3.org/PICS
Popup 42:
http://www.w3.org/PICS/raters
Popup 43:
http://www.microsys.com/
Popup 44:
http://www.netnanny.com/
Popup 45:
http://www.cybersitter.com/
Popup 46:
Identity theft—Identity theft occurs when someone steals your personal information and uses it to commit fraud
and/or other crimes without your knowledge.
Popup 47:
https://www.annualcreditreport.com/cra/index.jsp
Popup 48:
http://www.ftc.gov/bcp/conline/pubs/credit/freereports.htm
Popup 49:
Public domain—The "public domain" includes all inventions, creations, and so forth that are not protected by any
intellectual property rights. Such information is not owned by anyone, so everyone can use or copy it however
they like.
Popup 50:
http://www.animationfactory.com/
Popup 51:
http://www.animationfactory.com/company/terms_of_use.html
Popup 52:
http://www.umuc.edu/library/citationguides.html
Popup 53:
http://www.copyright.gov/help/faq/faq-fairuse.html
Popup 54:
http://www.copyright.gov/fls/fl102.html
Popup 55:
http://www.copyright.gov/circs/circ21.pdf
Popup 56:
http://www.copyright.gov/circs/circ14.html
Self-Assessment
There is no self-assessment for module 6.
Due dates for the following assignments and directions for submitting assignments are listed in the course
syllabus.
Tasks
1. Find a cookie file on your computer and count the number of cookies set. How many are there? If you have already turned cookies off, ask the browser to prompt you each time a site wishes to set a cookie. How often is this happening?
2. Explain what an Internet firewall is and evaluate its usefulness.
3. Does the computer you use have virus-protection software installed? If so, which program? Is the program regularly updated?
4. Locate your browser cache and history files. How would you empty or change the preferences for these files in the browser you are using? (Be sure to specify which browser you use.)
5. What is the security policy of your computer? Do you believe it should be changed? Why or why not?
6. What was the intent of the Communications Decency Act (CDA), and what were its key provisions? What was the U.S. Supreme Court decision, and what were the opinions expressed?
7. Examine the access and censorship situations with three major U.S. trading partners or allies or both. Write a summary of what you find.
8. Compare at least two filtering software packages. If you were considering purchasing such a package for your home computer to keep children from viewing offensive content, which package would you choose, and why?