The University of Arizona
Internet Use, Internet Security
and Safe Web Browsing
Kelley Bogart
UA Information Security Office
Co-Chair EDUCAUSE Security Awareness Task Force
Opportunities for Abuse…
To break into a safe, the safe cracker needs to
know something about safes (one to one vs. one to
many).
To break into your computer, the computer cracker
only needs to know where to download a program
written by someone else who knows something
about computers.
Identity Theft is the fastest growing crime in the
U.S. and it accounts for more than 750,000
victims a year and losses exceeded 2 Billion
dollars.
How Can the Situation Affect You?
 A compromised computer provides access to
all accounts, keystrokes, and data. Account
and keystroke information can be used to
access other resources
– Email and documents
– Financial transactions
– Identity theft
 Other reasons for compromise
– Use of your computer computer (DOS Attacks, to
hide their identity, etc.)
– Operational difficulties
– Because they can!
What is Security Awareness?
Security awareness is recognizing what types of
security issues and incidents may arise and knowing
which actions to take in the event of a security breach.
An Awareness Mindset is understanding that
there is the potential for some people to deliberately or
accidentally steal, damage or misuse data stored on
your computer and doing what you can to prevent that.
Most security incidents can be prevented.
Microsoft’s definition of Computer Security
The discipline, techniques, and tools designed
to help protect the confidentiality, integrity, and
availability of data and systems.
Technology alone will not keep you secure!
More core concepts, technologies, and
products associated with computer security
available at
http://www.microsoft.com/security/glossary/glossary_a_z.asp
What is “Information Security”?
To decide whether a computer system is “secure”,
you must first decide what “secure” means to you,
then identify the threats you care about.
Confidentiality
Email
Virus
Integrity
Identity
Theft
Safeguarding
identity and
password
Reputation
Availability
Copyright
So Where Do We Start?

Be aware or beware
–
Know how to identify a potential issue
–
Use sound judgment
 Learn and practice good security habits
– Incorporate secure practices into your everyday
routine
– Encourage others to do so as well

Report anything unusual
– Notify the appropriate contacts if you become
aware of a suspected security incident
In the World of the Internet, Some
of the Most Popular Features







World Wide Web
E-mail
Usenet newsgroups
Chat rooms Instant messaging
Listservs
Video-conferencing
Multiple User Dungeons (MUDs)
Where Do Intruders Come From?
Anywhere - at any time - intruders can attack, often
hiding their identity. Ironically, the Internet, which was
originally designed to promote unrestricted sharing of
academic information, has become a global
communications system where sensitive data is
potentially available to anyone with a connection.
So who are these threat agents?





Teenage pranksters
Hacker junkies
Disgruntled former employees
Terrorists or criminals
Foreign intelligence agents
The Intruders Toolkit
How easy is it to hack?
The unsophisticated hacker can search the
Internet, find and download exploitable tools,
and then "point and click" to start a hack.
According to NIST (National Institute of
Standards and Technology), hackers post 30-40
new tools to Internet hacking sites every month.
Tools Intruders Use for Access &
Exploitation of Your Computer
Vulnerability Scanning: Internet hackers constantly
scan networks to try and identify where systems are
vulnerable.
Pre-Attack Probes is another name for this type of
scanning.
Password Cracker: Intruders use a program that
automatically keeps trying to log in to a system using
a series of easily Guessed passwords, or using a
dictionary as a source of guesses.
Tools Intruders Use for Access &
Exploitation of Your Computer
Network Spoofing: Intruders set up a program that
impersonates the sign-on routine for another system.
When you attempt to log in to the system, the
intruder's program collects your password, and then
returns a message that the system is unavailable.
These programs can collect hundreds of valid
passwords.
Virus: A program that "infects" computer files, usually
executable programs, by inserting a copy of itself into
the file. Copies are usually executed when the
"infected" file is loaded into memory, allowing the virus
to infect other files.
Tools Intruders Use for Access &
Exploitation of Your Computer
Worms: An independent computer program that
reproduces by copying itself from one system to
another across a network. Often triggered when
someone opens an infected email attachment, the
worm program can send replicas to everyone listed in
the person's mail directory. Worm infections clog
network traffic and may eventually shut down email
servers and can also damage your files.
Logic bombs: A form of sabotage in which a
programmer inserts code that causes the program to
perform a destructive action when some triggering
event occurs.
Tools Intruders Use for Access &
Exploitation of Your Computer
Sniffer: A program that intercepts routed data and
examines each Packet (information is transmitted in
chunks called 'packets') in Search of specified
information such as passwords or credit card
Numbers transmitted in clear text.
Trojan horse: A Trojan horse usually masquerades as
a useful program that a user would wish to execute,
like a game or screen saver. However the program
conceals a harmful code. The Trojan horse program
may actually collect information such as passwords.
How Do You Know If Your Computer
Is Infected or Is Under Attack?
You May Experience..
 A long delay starting up your computer or decline in
system performance.
 You have corrupted, inaccessible, or missing files.
 You can't access your hard drive or data disks.
 Your computer has suddenly run out of memory.
 You have lost control of your computer.
You May See...
 a blue screen, strange items like graphics, odd
messages, unexplained files or system error
messages on your monitor.
On the other hand... you might not experience any symptoms and
be totally unaware that your machine has been compromised
The Consequences of
Letting Your Guard Down
Case Study
Dr. Porter installed a powerful new operating
system on his computer and connected it to
the Internet before applying the necessary
patches. His machine was hacked within 30
minutes. The hacker inserted software that
corrupted his hard disk. He lost years of
scientific work, his historical email archives,
and a research manuscript.
How much of his life and institutional data was on that computer?
When was the last time I backed-up my data?
The Consequences of
Letting Your Guard Down
Someone is running up your credit card account.
It's the same card you used to set up automatic
billing for that slightly questionable Internet
company.
 Where have I been on the Internet and what type of
personal information have I given out?
 Was it O.K. to give my Social Security Number and
my credit card number?
 Am I at risk for identity theft?
The Consequences of
Letting Your Guard Down
You downloaded a the latest really cool
screensaver from a random web page you came
across and later found out that simultaneously a
second devious program installed itself on
YOUR computer for the purpose of collecting
YOUR passwords.
 What have they got access to, and what have they
done?
 When and how this program get installed on my
computer?
 Will I be able to recognize what has been done?
Anyone Can Become Prey
Be aware that there are hackers out there that
don’t care who you are or what you are doing,
you are simply a target to them.
Be mindful that some people will use ploys to
lure you to their sites in order to compromise
your systems or to get credit card numbers to
steal your money.
Visiting Internet Sites
Web surfing feels both safe and anonymous.
It's not!
Be cautious, careful and aware
about installing screen savers, games, or programs from
questionable Internet sources is risky. You don't know
what software code might be hidden within them.
about providing personal, sensitive information to an
Internet site. Find out what the organization's security
and privacy policies are, they could be collecting your
information, sharing, or selling it to other sources.
Be cautious, careful and aware (continued)
 using the auto complete function on browsers
(usernames and associated passwords).
 about using public access computers. You have no
idea how they are secured, who used it before you
and what they might have done or installed on it.
 you can get viruses from Internet Relay Chat and
Instant Messenger-type services.
Be cautious, careful and aware (continued)
 active content, such as ActiveX controls and Java
applets, introduces the possibility that Web browsing
will introduce viruses or other malicious software into
the user's system.
 A variety of security risks in the PC and MAC
versions of Internet Explorer and Netscape browsers
that involve the JavaScript, Java and ActiveX
subsystems.
- These risks can be removed by turning off those
features.
Tips For Safeguarding Your
Privacy Online
Practice Heads Up Computing
Refers to an attitude you bring to
computer use.
Your Account Is Only As
Secure As It’s Password

Create passwords with nonsensical
combinations of upper and lower case letters,
numbers and symbols, for example tY8%uX.

Use the first or last letters in a favorite line of
poetry. Intermingle these letters with numbers
and punctuation marks.
"Mary had a little lamb" becomes m*ha2ll
Your Account Is Only As
Secure As Its Password

Change your password often.

Don't let others watch you log in.

Don’t print your password on a post-it note
and attach it to your video monitor. If you
must write down or record your password,
take steps to secure or disguise the
information.
Check Your Web Browsers
Settings
 We’ve come a long way from the days when
browsers hid their cookie activity and gave
users no options. Now you may accept or
reject all cookies, or you may allow only
those cookies generated by the website you
are visiting.
– Be aware that when you use cookie management
options, you might delete cookies for websites
you trust. You may want to set a security level for
trusted websites while blocking cookie activity for
all others.
Shop Around
Investigate new services before using
them.
 Post a question about a new service in a
dependable forum or newsgroup.
 Use a search engine such as
http://groups.google.com to find archived
discussions and newsgroup postings
about the service that you are
considering. Bad reputations get around
quickly in cyberspace. If others have had
negative experiences with a service, you
should get the message.
Start Up Software
Be cautious of "start-up" software that registers
you as a product user and makes an initial
connection to the service for you. Typically,
these programs require you to provide financial
account data or other personal information,
and then upload This information automatically
to the service. These programs may be able to
access records in your computer without your
knowledge.
– Contact the service for alternative
subscription methods
Public Postings
Public postings made on the Internet are often
archived and saved for posterity. It is possible to
search and discover the postings an individual has
made to Usenet newsgroups. (See
http://groups.google.com.) Ask yourself if you want
an employer, family member, or a marketer to be
able to link you to your public postings.
–Use a pseudonym and a nondescriptive e-mail
address when you participate in public forums.
–Consider obtaining an e-mail address from one of
the free web-based e-mail services.
–Create a non- identifying e-mail address and use
it when you participate in newsgroups and other
public forums.
Your online biography, if you create one, maybe
searched system-wide or remotely "fingered" by
anyone.
– If for any reason you need to safeguard your
identity, don't create an online "bio."
– Ask your ISP to remove you from its online
directory.
If you publish information on a personal web
page, note that marketers and others may
collect your address, phone number, e-mail
address and other information that you provide.
– If you are concerned about your personal privacy,
be discreet in your personal web site.
Be aware of the possible social dangers of being
online: harassment, stalking, being "flamed“
(emotional verbal attacks), or "spamming" (being
sent unsolicited messages). Women can be
vulnerable if their e-mail addresses are
recognizable as women's names.
–Consider using gender-neutral e-mail
addresses and pseudonyms.
If your children are online users,
–teach them about appropriate online privacy
behavior.
–Caution them against revealing information
about themselves and your family.
Safe Web Browsers for Family
• BOUNCE http://www.bouncefilterware.com
• KiddoNet http://www.kiddonet.com
Delete?????
The "delete" command does not make your email
messages disappear. They can still be retrieved
from back-up systems. Software utility programs
can retrieve deleted messages from your hard
drive.
– Use a file erasing program such as the freeware
program at http://cleanup.stevengould.org or the
cleanup features of general utility software such as
Norton's CleanSweep
(http://www.symantec.com/sabu/ncs/)
– Refer to the U of A Procedure, Disposal of
Computer Hard Drives at
http://security.arizona.edu/guidelinesetc.html
Use only secure web sites when you transmit
sensitive personal information over the
Internet. When you provide your credit card
account number to a shopping site, for
example, be sure that the transmission is
secure.
– Look for the locked padlock at the bottom right of
the screen.
– Also make sure the web address has the letter ‘s’
after http in the address bar at the top of the page
or “shtml” at the end of the URL. For additional
online shopping tips, read the Privacy
RightsClearinghouse’s e-commerce guide at
www.privacyrights.org/fs/fs23-shopping.htm
Privileges and Responsibilities
 Use of you U of A computer account is a
privilege granted by the University so you
can do academic work, communicate with
faculty and students, and take advantage of
both University of Arizona's online resources
and the Internet at large.
 Along with the freedom of using U of A’s
network resources come some
responsibilities.
Privilege and Responsibilities
 You are responsible to comply with University
of Arizona’s policies and State and Federal
law when using U of A’s resources.
 It is also your responsibility to read and
understand UA’s policy on Acceptable Use of
computer and network, which you can find at
http://security.arizona.edu/uaacceptableuse.html
 Many university services have their own
policies that you will be responsible for if you
are to use them, so be sure to read all
policies!
Summary
 Common sense, some simple rules and a
few pieces of technology can help protect
your computer systems from
unauthorized use
 Important to remember that by protecting
your own computer system, you're also
doing your part to protect computers
throughout the university
Resources at the
University of Arizona
 Kerio Firewall
https://sitelicense.arizona.edu/kerio/kerio.shtml
 Sophos Anti Virus
https://sitelicense.arizona.edu/sophos/sophos.html
 VPN client software
https://sitelicense.arizona.edu/vpn/vpn.shtml
 Policies, Procedures and Guidelines
http://security.arizona.edu/guidelinesetc.html
 Security Awareness
http://security.arizona.edu/awareness.html
University Information Security Office
Bob Lancaster




University Information Security Officer
Co-Director – CCIT, Telecommunications
Lancaster@arizona.edu
621-4482
Security Incident Response Team (SIRT)


sirt@arizona.edu
626-0100
Kelley Bogart



Information Security Office Coordinator
Bogartk@u.arizona.edu
626-8232