2013-10-29

Get Safe Online

By: Stuart Waddington

We recommend the website Get Safe Online.

In today’s cybercrime-inclined world, it is full of good and useful advice:

Do you have a PIN on your phone?

Do you know when a web page is secure?

Can you spot a phishing email?

Your passwords are the most common way to prove your identity when using websites, email accounts and your computer itself (via User Accounts). The use of strong passwords is therefore essential in order to protect your security and identity. The best security in the world is useless if a malicious person has a legitimate user name and password.

Get started…

Always use a password.

Ensure you use strong passwords, and do not disclose them to anyone else.

Passwords are commonly used in conjunction with your username. However, on secure sites they may also be used alongside other methods of identification such as a separate PIN and/or memorable information. In some cases you will also be asked to enter only certain characters of your password, for additional security.

The Risk of Using Weak Passwords

People impersonating you to commit fraud and other crimes, including

Accessing your bank account

Purchasing items online with your money

Impersonating you on social networking and dating sites

Sending emails in your name

Accessing the private information held on your computer

Choosing the Best Passwords

Do:

Always use a password.

Choose a password with a combination of upper and lower case letters, numbers and keyboard symbols such as @ # $ % ^ & * ( ) _ + (for example SP1D3Rm@n – a variation of spiderman, with letters, numbers, upper and lower case). However, be aware that some of these punctuation marks may be difficult to enter on foreign keyboards.

Choose a password containing at least eight characters. However, longer passwords are harder for criminals to guess or break.

Don’t:

Use the following as passwords:

Your username, actual name or business name.

Family members’ or pets’ names.

Your or family birthdays.

Favourite football or F1 team or other words easy to work out with a little background knowledge.

The word ‘password’.

Numerical sequences.

A commonplace dictionary word, which could be cracked by common hacking programs.

When choosing numerical passcodes or PINs, do not use ascending or descending numbers (for example 4321 or 12345), duplicated numbers (such as 1111) or easily recognisable keypad patterns (such as 14789 or 2580).
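The Do/Don’t rules above can be turned into a mechanical check. The following is an added example, not code from Get Safe Online: `check_password` applies the length, character-mix, dictionary-word and personal-information rules, and `check_pin` rejects the PIN patterns the page names (identical digits, ascending or descending runs, and neighbouring-key paths on a phone keypad). The `COMMON_WORDS` list is a constructed stand-in for a real dictionary or breached-password list, and the keypad layout and messages are my own choices.

```python
"""Password and PIN checks based on the Do/Don't rules above (added example)."""
import string

# Constructed mini "dictionary"; a real check would use a full word list.
COMMON_WORDS = {"password", "spiderman", "football", "liverpool", "letmein", "welcome"}

# Phone keypad layout as (row, column), so neighbouring keys can be detected.
KEYPAD = {
    "1": (0, 0), "2": (0, 1), "3": (0, 2),
    "4": (1, 0), "5": (1, 1), "6": (1, 2),
    "7": (2, 0), "8": (2, 1), "9": (2, 2),
                 "0": (3, 1),
}


def is_numeric_sequence(digits: str) -> bool:
    """True for runs of ascending or descending digits such as 12345 or 4321."""
    steps = {int(b) - int(a) for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1})


def is_keypad_pattern(digits: str) -> bool:
    """True when every consecutive pair of digits is adjacent on the keypad
    (including diagonals), e.g. 14789 or 2580."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    for a, b in zip(digits, digits[1:]):
        (r1, c1), (r2, c2) = KEYPAD[a], KEYPAD[b]
        if max(abs(r1 - r2), abs(c1 - c2)) != 1:
            return False
    return True


def check_pin(pin: str) -> list:
    """Return the reasons a numeric PIN is weak; an empty list means it passed."""
    problems = []
    if not pin.isdigit():
        return ["PIN must contain digits only"]
    if len(set(pin)) == 1:
        problems.append("all digits identical (e.g. 1111)")
    if is_numeric_sequence(pin):
        problems.append("ascending or descending sequence (e.g. 4321, 12345)")
    if is_keypad_pattern(pin):
        problems.append("keypad pattern (e.g. 14789, 2580)")
    return problems


def check_password(password: str, personal_terms=()) -> list:
    """Return the reasons a password breaks the Do/Don't rules; empty means it passed.

    personal_terms: username, names, birthdays, team names and similar facts
    that someone could work out with a little background knowledge.
    """
    if not password:
        return ["no password set"]
    problems = []
    lowered = password.lower()
    if len(password) < 8:
        problems.append("shorter than eight characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        problems.append("needs a mix of upper case, lower case, digits and symbols")
    if lowered in COMMON_WORDS:
        problems.append("commonplace dictionary word")
    if password.isdigit() and (is_numeric_sequence(password) or len(set(password)) == 1):
        problems.append("numerical sequence")
    for term in personal_terms:
        if term and term.lower() in lowered:
            problems.append(f"contains personal information: {term!r}")
    return problems


if __name__ == "__main__":
    for pw in ["password", "SP1D3Rm@n", "Liverpool1985", "Tr4v3l!ng_Mugs"]:
        print(pw, "->", check_password(pw, personal_terms=["liverpool", "1985"]) or "ok")
    for pin in ["1111", "4321", "2580", "14789", "7391"]:
        print(pin, "->", check_pin(pin) or "ok")
```

The keypad check deliberately treats diagonal neighbours as adjacent, so swipe-style paths are caught as well as straight lines; passing `personal_terms` is what lets the check enforce the “Don’t” list, since a program cannot otherwise know your pet’s name.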

Looking After Your Passwords

Never disclose your passwords to anyone else. If you think that someone else knows your password, change it immediately.

Don’t enter your password when others can see what you are typing.

Change your passwords regularly.

Use a different password for every website. If you have only one password, a criminal simply has to break it to gain access to everything.

Don’t recycle passwords (for example password2, password3).

If you must write passwords down in order to remember them, make sure they are meaningless to, and unusable by other people by writing them in code (substituting the characters in your password with others that you can remember, or easily work out).

Do not send your password by email. No reputable firm will ask you to do this.

Controlling User Accounts

Everybody who uses a computer should be assigned their own user account so that only they can access their files and programs. Each user account should be accessible only by entering a username and password, in order to safeguard users’ privacy. Other features, including parental controls (Windows Vista and Windows 7 only), can also be set up per user account.

Do not use an account with administrator privileges for everyday use, as malware could assume administrator rights. Even if you are the only user, set up an administrator account to use when you need to carry out tasks such as installing programs or changing the system configuration, and another ‘standard user’ account as your regular account. If you are not logged in as administrator, you will be prompted to enter an administrator password when you install a new device driver or program. You can manage user accounts in Windows Control Panel.

Safe Internet Use

The internet has revolutionised the way we live our lives – enabling us to read the news, enjoy entertainment, carry out research, book our holidays, buy and sell, shop, network, learn, bank and carry out many other everyday tasks.

However, there are a number of risks associated with going online. These result from either visiting malicious websites or inadvertent disclosure of personal information.

The Risks

Get started…

Always be vigilant when supplying personal or financial details.

Ensure your browser is up to date.

The risks of visiting malicious, criminal or inappropriate websites include:

Viruses and spyware (collectively known as malware).

Phishing, designed to obtain your personal and/or financial information and possibly steal your identity.

Fraud, from fake shopping, banking, charity, dating, social networking, gaming, gambling and other websites.

Copyright infringement – copying or downloading copyright protected software, videos, music, photos or documents.

Exposure to unexpected inappropriate content.

When you use the internet, your browser (for example Internet Explorer, Opera, Chrome, Safari or Firefox) keeps a record of which sites you have visited in its ‘history’.

When you use the internet, the websites you visit are visible to your Internet Service Provider and browser provider, and it is possible that records are kept.

Use the Internet Safely

It is very easy to clone a real website, and it does not take a skilled developer long to produce a very professional-looking but malicious site.

Being wary of malicious, criminal or inappropriate websites:

Use your instincts and common sense.

Check for presence of an address, phone number and/or email contact – often indications that the website is genuine. If in doubt, send an email or call to establish authenticity.

Check that the website’s address seems to be genuine by looking for misspellings, extra words, characters or numbers or a completely different name from that you would expect the business to have.

Roll your mouse pointer over a link to reveal its true destination, displayed in the bottom left corner of your browser. Beware if this is different from what is displayed in the text of the link from either another website or an email.

If there is NO padlock in the browser window or ‘https://’ at the beginning of the web address to signify that it is using a secure link, do not enter personal information on the site.

Websites which request more personal information than you would normally expect to give, such as user name, password or other security details IN FULL, are probably malicious.

Avoid ‘pharming’ by checking the address in your browser’s address bar after you arrive at a website to make sure it matches the address you typed. This will avoid ending up at a fake site even though you entered the address for the authentic one – for example ‘eebay’ instead of ‘ebay’.

Always get professional advice before making investment decisions. Sites that hype investments for fast or high return – whether in shares or alleged rarities like old wine, whisky or property – are often fraudulent.

Be wary of websites which promote schemes that involve the recruitment of others, receiving money for other people or advance payments.

If you are suspicious of a website, carry out a web search to see if you can find out whether or not it is fraudulent.

Be wary of websites that are advertised in unsolicited emails from strangers.
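The two address checks above (looking for misspellings, extra words or characters in the web address, and comparing the address you typed with the one you arrived at) can be automated against a list of the domains you know to be genuine. This is an added example, not Get Safe Online’s code: `classify_address` accepts a site only if its host is one of the known domains or a subdomain of one, flags hosts that embed the brand name or sit within a small edit distance of it as lookalikes, and calls everything else unrelated. The `KNOWN_EBAY_DOMAINS` list and all the sample addresses are constructed for illustration.

```python
"""Lookalike-domain check for the 'is this address genuine?' advice (added example)."""
from urllib.parse import urlsplit

# Constructed list of domains the user knows to be the real site.
KNOWN_EBAY_DOMAINS = ("ebay.co.uk", "ebay.com")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def host_of(url: str) -> str:
    """Hostname of a URL or bare address, lower-cased and without a leading 'www.'."""
    if "://" not in url:
        url = "//" + url          # lets urlsplit treat a bare 'ebay.co.uk/x' as a host
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def classify_address(url: str, known_domains) -> str:
    """Return 'genuine', 'lookalike' or 'unrelated' for the address the browser shows."""
    host = host_of(url)
    known = [d.lower() for d in known_domains]
    if any(host == d or host.endswith("." + d) for d in known):
        return "genuine"
    brand = known[0].split(".")[0]                 # e.g. 'ebay' from 'ebay.co.uk'
    if brand in host:                              # extra words/characters: ebay.co.uk.login.example
        return "lookalike"
    # Misspellings: any label within a small edit distance of the brand (eebay, ebsy).
    tolerance = max(1, len(brand) // 4)
    if min(levenshtein(label, brand) for label in host.split(".")) <= tolerance:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for addr in ["https://signin.ebay.co.uk/signin",
                 "https://www.eebay.co.uk/signin",
                 "http://ebay.co.uk.secure-login.example/",
                 "https://ebsy.com/",
                 "https://www.example.org/"]:
        print(addr, "->", classify_address(addr, KNOWN_EBAY_DOMAINS))
```

The subdomain test uses `endswith("." + d)` rather than a substring match, which is exactly what separates the genuine `signin.ebay.co.uk` from the lookalike `ebay.co.uk.secure-login.example`: in the second case the brand appears, but not as the registered domain at the end of the host.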

Secure Websites

Before entering private information such as passwords or credit card details on a website, you can ensure that the link is secure in two ways:

There should be a padlock symbol in the browser window frame, which appears when you attempt to log in or register. Be sure that the padlock is in the browser frame and not on the page itself: a padlock drawn on the page probably indicates a fraudulent site.

The web address should begin with ‘https://’. The ‘s’ stands for ‘secure’.

The above indicate that the website owners have a digital certificate that has been issued by a trusted third party, such as VeriSign or Thawte, which indicates that the information transmitted online from that website has been encrypted and protected from being intercepted and stolen by third parties.

When using websites that you do not know, look for an Extended Validation (or EV-SSL) certificate, which indicates that the issuing authority has conducted thorough checks into the website owner. The type of certificate held can be determined by clicking the padlock symbol in the browser frame which will launch a pop-up containing the details.

Do also note that the padlock symbol does not indicate the merchant’s business ethics or IT security.

Cookies

Cookies are files on your computer, smartphone or tablet that websites use to store information about you between sessions. Most of the time they are innocuous – carrying out tasks such as keeping track of your username so that you don’t have to log into a website every time you visit it, and storing your usage preferences. However, some are used to track your browsing habits so that they can target advertising at you, or by criminals to build a profile of your interests and activities with a view to fraud.

Set your browser to warn you when a cookie is installed. Note that some sites will not work if you block cookies completely.

Some browsers will let you enable and disable cookies on a site by site basis so you can allow them on sites you trust.

Use an anti-spyware program that scans for so-called tracker cookies.

There are also cookie management programs that can delete old cookies and help manage them. In addition you can use settings in some browsers to delete unwanted cookies.

Use a plain text email display instead of HTML email so that tracking files and cookies cannot be included in email files.

UK websites must gain your permission to enable cookies.

Safe Use of Browsers

The most common internet browsers enable you to manage your settings such as allowing and blocking selected websites, blocking pop ups and browsing in private. Respective browsers will tell you to do this in slightly different ways, so we recommend that you visit the security and privacy section of their websites, or the help area of the browsers themselves:

Internet Explorer

Opera

Chrome

Safari

Firefox

Some browsers also have the ability to identify fraudulent websites by default.

Always ensure that you are running the latest version of your chosen browser that your operating system will support. Also, be sure to download and install the latest updates.

It is important to remember that turning on the private browsing setting or deleting your browsing history will only prevent other people using your computer from seeing which sites you have visited. Your internet service provider, search engine, law enforcement agencies and possibly (if browsing at work) your employer, will still be able to see which sites you have visited or keywords you have searched for.

Always remember to log out of a secure website when you have completed your transaction, and before you close the browser. Closing the browser does not necessarily log you out.

Ensure you have effective and updated antivirus/antispyware software and firewall running before you go online.

What to do if you Encounter Illegal Material 

If you come across content that you consider to be illegal such as child abuse images or criminally obscene adult material, you should report this to the IWF: www.iwf.org.uk.

If you come across content that you consider illegal such as racist or terrorist content, you should report this to the Police.

Wireless Networks and hotspots

Wireless networks have revolutionised the way we can use computers and mobile devices, both in the home and office – and when we are out and about. Home and office wireless networks make it easier to use the internet and send and receive email in any room in the building and even outside… and enable visitors to do likewise. ‘Public’ wireless networks or hotspots mean that we can do the same in places like cafés, hotels and pubs. And plug-in mobile broadband devices, or ‘dongles,’ provide even more flexibility, allowing you to work online where there is cellular 3G or 4G coverage.

Get started…

Ensure your wireless hub/router/dongle has security turned on.

Unless you are using a secure web page, do not send or receive private information when using public WiFi.

Home/office/mobile and public WiFi (as wireless connections are commonly known) use the same technology (802.11). They share some potential issues, whilst each also has its own particular risks. You can protect yourself easily with a few simple precautions.

Home/Office Wireless Networks

The Risks

If your wireless hub/router/dongle is not secured, other people can easily gain access to it if they are within range. This can result in unauthorised people doing the following:

Taking up your bandwidth – affecting the online speed of your own computers and other devices.

Using your download allowance, for which you have paid your Internet Service Provider (ISP).

Downloading inappropriate material, which would be traced to your address and not their computer.

Accessing sensitive information that you may be sending or receiving online.

Safe Wireless Networking

All of the above risks can be avoided simply by ensuring that the wireless hub/router/dongle that you wish to connect to is secured. To check that this is the case, simply search for available wireless networks; those that are secured will be indicated with a padlock symbol.

When you first connect a computer, smartphone, tablet, printer or any other wireless-enabled device to any wireless hub/router/dongle, you will be prompted to enter a password/key, provided the network is in secure mode. This will enable the device to connect on this occasion and, normally, for future use. The password/key will be supplied with the hub/router/dongle, but you may be given the opportunity to change it to one of your own choice.

If you are setting up a new hub/router/dongle, it will probably have been supplied with security turned on as the default. There are three main encryption levels available (WEP, WPA and WPA2), WPA2 being the highest. Most hubs/routers give you the option of selecting a higher level, but remember that some older devices may not be compatible with higher levels.

If for any reason a home/office/mobile wireless hub/router/dongle you wish to connect to is not secured, consult the user manual.

Ensure you have effective and updated antivirus/antispyware software and firewall running before you connect to a wireless network.

Keep WiFi codes safe so that others cannot access or use them.

Public WiFi

The Risks

The security risk associated with using public WiFi is that unauthorised people can intercept anything you are doing online. This could include capturing your passwords and reading private emails. This can happen if the connection between your device and the WiFi is not encrypted, or if someone creates a spoof hotspot which fools you into thinking that it is the legitimate one.

With an encrypted connection, you will be required to enter a ‘key’, which may look something like: 1A648C9FE2.

Alternatively, you may simply be prompted to log in to enable internet access. This will tell the operator that you are online in their café, hotel or pub. There is almost certainly no security through encryption.

Safe Public WiFi

Unless you are using a secure web page, do not send or receive private information when using public WiFi.

Wherever possible, use well-known, commercial hotspot providers such as BT OpenZone or T-Mobile.

Businesspeople wishing to access their corporate network should use a secure, encrypted Virtual Private Network (VPN).

Ensure you have effective and updated antivirus/antispyware software and firewall running before you use public WiFi.

Other Advice

Don’t leave your computer, smartphone or tablet unattended.

Be aware of who is around you and may be watching what you are doing online.

Privacy

Maintaining privacy whilst online is essential in avoiding identity theft and fraud. Apart from these risks, however, there is personal information about you which you undoubtedly do not want to reveal to certain other people.

It is surprisingly easy to inadvertently give away your personal information online, especially when prompted to do so by an email, on social networking sites or on company websites requesting information which they do not necessarily need to do business with you.

Get started…

Don’t give away personal information.

In addition, certain organisations hold information about you which enables you to carry out transactions with them. These include government departments such as HMRC, financial institutions such as banks, building societies and insurance companies, retailers, search engines … the list is virtually endless. They are all subject to the Data Protection Act, but you still need to be vigilant about their use of your data.

The Risks

Identity theft

Blackmail/extortion

Defamation of character

Unsolicited selling and marketing

People using awareness of your activities and movements to act against you

Employers using the information to exploit you

How Your Privacy can be Compromised

Unencrypted email and most website interactions can be monitored, including by your employer and your ISP.

Via phishing – where an illicit email prompts you to click on a link to a bogus website which will collect your private or financial information.

Via vishing (short for ‘voice phishing’), where fraudsters call you either on the phone or in person, to collect your private or financial information.

Using unsecured WiFi networks – both in the home/office and when out and about.

Using unencrypted links for sensitive communications (for example not using a VPN to connect to the office).

Not using secure websites when banking or making online payments, including those for purchases.

Not using strong passwords, not regularly changing passwords, not using passwords at all or revealing passwords to other people.

Not using a secure email or webmail account.

Using a work email account for personal email.

Staying logged in to a website or email account when the computer/smartphone/tablet is going to be used by somebody else.

Via spyware and viruses, including those that log your keystrokes to determine your online activity.

Via physical keystroke loggers attached to the keyboard cable.

Not storing personal or financial documents securely.

Not shredding unwanted personal or financial documents.

Being taken into people’s confidence too easily.

Maintaining Your Privacy

Ensure you always have effective and updated antivirus/antispyware software running.

In a public or work environment, check your computer physically for any unusual devices that may be plugged in, especially on the keyboard cable.

Use secure websites when shopping or banking online.

Log out of secure websites when you have finished your transaction, as closing the window may not automatically log you out of the site.

Use strong passwords, change your passwords regularly and never reveal them to other people.

Avoid using a work email address for personal use. Instead, have a separate, private email address for private business.

Make sure your home/office WiFi network is secured.

Store personal and financial documents securely.

Shred unwanted personal or financial documents.

Be careful to whom you disclose personal information.

Where possible, avoid using your real name online.

Be cautious about who is trying to befriend you online including via email and social networks/dating sites.

Be wary of disclosing personal information on a work or personal web site.

Use a disposable, anonymous webmail account for websites that demand an email address to register.

Set clear guidelines for children about when and how they can reveal information.

Additional Information

You are legally entitled to request a copy of all the personal data that an organisation holds on you, known as a subject access request. The organisation is obliged to deliver the data within 40 calendar days, and may charge a fee of up to £10 to do so.

Click here to access the Information Commissioner’s Office

Spam and Scam email

Email is both an excellent communication tool and also a way that companies can inform you about their latest products and services. However, email is frequently used to deliver unwanted material which is at best annoying and at worst malicious – causing considerable harm to your computer and yourself.

These include the following:

Spam (or Junk) email

Get started…

Always be vigilant when receiving or responding to emails.

Make sure your spam filter is always switched on to minimise the risks.

The vast majority of email sent every day is unsolicited junk mail. Examples include:

Advertising, for example online pharmacies, pornography, dating, gambling.

Get rich quick and work from home schemes.

Hoax virus warnings.

Hoax charity appeals.

Chain emails which encourage you to forward them to multiple contacts (often to bring ‘good luck’).

How spammers obtain your email address

Using automated software to generate addresses.

Enticing people to enter their details on fraudulent websites.

Hacking into legitimate websites to gather users’ details.

Buying email lists from other spammers.

Inviting people to click through to fraudulent websites posing as spam email cancellation services.

From names/addresses in the cc line, or in the body of emails which have been forwarded and the previous participants have not been deleted.

The very act of replying to a spam email confirms to spammers that your email address exists.

How to spot spam

Spam emails may feature some of the following warning signs:

You don’t know the sender.

Contains misspellings (for example ‘p0rn’ with a zero) designed to fool spam filters.

Makes an offer that seems too good to be true.

The subject line and contents do not match.

Contains an urgent offer end date (for example “Buy now and get 50% off”).

Contains a request to forward an email to multiple people, and may offer money for doing so.

Contains a virus warning.

Contains attachments, which could include .exe files.

The risks

It can contain viruses and spyware.

It can be a vehicle for online fraud, such as phishing.

Unwanted email can contain offensive images.

Manual filtering and deleting is very time-consuming.

It takes up space in your inbox.

Email Scams

Scams are generally delivered in the form of a spam email (but remember, not all spam emails contain scams). Scams are designed to trick you into disclosing information that will lead to defrauding you or stealing your identity.

Examples of email scams include:

Emails offering financial, physical or emotional benefits, which are in reality linked to a wide variety of frauds.

These include emails posing as being from ‘trusted’ sources such as your bank, the Inland Revenue or anywhere else that you have an online account. They ask you to click on a link and then disclose personal information.

Phishing emails

Phishing is a scam where criminals typically send emails to thousands of people. These emails pretend to come from banks, credit card companies, online shops and auction sites as well as other trusted organisations. They usually try to trick you into going to the site, for example to update your password to avoid your account being suspended. The embedded link in the email itself goes to a website that looks exactly like the real thing but is actually a fake designed to trick victims into entering personal information.

The email itself can also look as if it comes from a genuine source. Fake emails often (but not always) display some of the following characteristics:

The sender’s email address is different from the trusted organisation’s website address.

The email is sent from a completely different address or a free webmail address.

The email does not use your proper name, but uses a non-specific greeting such as “Dear customer.”

A sense of urgency; for example the threat that unless you act immediately your account may be closed.

A prominent website link. These can be forged or seem very similar to the proper address, but even a single character’s difference means a different website.

A request for personal information such as username, password or bank details.

You weren’t expecting to get an email from the organisation that appears to have sent it.

The entire text of the email is contained within an image rather than the usual text format. The image contains an embedded link to a bogus site.

Use email safely

Do not open emails which you suspect of being spam.

Do not forward emails which you suspect of being spam.

Do not open attachments from unknown sources.

Do not readily click on links in emails from unknown sources. Instead, roll your mouse pointer over the link to reveal its true destination, displayed in the bottom left corner of your screen. Beware if this is different from what is displayed in the text of the link from the email.

Do not respond to emails from unknown sources.

Do not make purchases or charity donations in response to spam email.

Don’t click on ‘remove’ or reply to unwanted email.

Check junk mail folders regularly in case a legitimate email gets through by mistake.

When sending emails to multiple recipients, list their addresses in the ‘BCC’ (blind copy) box instead of in the ‘To’ box. In this way, no recipient will see the names of the others, and if their addresses fall into the wrong hands there will be less chance of you or anybody else receiving phishing or spam emails.

Similarly, delete all addresses of previous parties in the email string, before forwarding or replying.

If you are suspicious of an email, you can check if it is on a list of known spam and scam emails that some internet security vendors such as McAfee and Symantec feature on their websites.

Most Microsoft and other email clients come with spam filtering as standard. Ensure yours is switched on.

Most spam and junk filters can be set to allow email to be received from trusted sources, and blocked from untrusted sources.

When choosing a webmail account such as gmail, Hotmail and Yahoo! Mail, make sure you select one that includes spam filtering and that it remains switched on.

Most internet security packages include spam blocking. Ensure that yours is up to date and has this feature switched on.
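The advice to roll the mouse pointer over a link and compare its true destination with the displayed text, given above for emails and earlier for websites, together with the warning about emails whose entire content is an image carrying a link, describes two checks that a mail filter can perform on the HTML itself. The following is an added example and not Get Safe Online’s code: it parses an HTML message with Python’s standard `html.parser`, and reports any link whose visible text looks like a web address but points at a different host, and any link that wraps an image with no visible text. `SAMPLE_EMAIL_HTML` is a constructed phishing-style message, and the `.example` hosts in it are placeholders.

```python
"""Flag links whose shown address differs from the real destination (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message, not a real email; the hosts are placeholders.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Dear customer, your account will be suspended unless you act immediately.</p>
<p>Log in at <a href="http://login.acc0unt-verify.example/ebay">https://www.ebay.co.uk/signin</a></p>
<p>Or <a href="https://www.ebay.co.uk/help">visit our help pages</a>.</p>
<p><a href="http://tracker.example/click?id=42"><img src="cid:offer.png" alt=""></a></p>
</body></html>
"""

# Visible link text that reads like a web address: optional scheme, a dotted host, optional path.
DOMAIN_LIKE = re.compile(r"^(https?://)?(www\.)?[a-z0-9-]+(\.[a-z0-9-]+)+(/\S*)?$", re.I)


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL or bare address, without a leading 'www.'."""
    if "://" not in url:
        url = "//" + url
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


class LinkCollector(HTMLParser):
    """Collects every <a> with its href, its visible text and whether it wraps an <img>."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = {"href": dict(attrs).get("href", ""), "text": "", "has_img": False}
        elif tag == "img" and self._current is not None:
            self._current["has_img"] = True

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self._current["text"] = " ".join(self._current["text"].split())
            self.links.append(self._current)
            self._current = None


def suspicious_links(html: str) -> list:
    """Return (reason, shown_text, real_href) tuples for links a reader should distrust."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for link in parser.links:
        text, href = link["text"], link["href"]
        if text and DOMAIN_LIKE.match(text) and host_of(text) != host_of(href):
            findings.append(("displayed address differs from real destination", text, href))
        elif not text and link["has_img"]:
            findings.append(("image-only link with no visible text", "", href))
    return findings


if __name__ == "__main__":
    for reason, shown, real in suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"{reason}: shown={shown!r} real={real!r}")
```

Only link text that itself looks like an address is compared, because ordinary wording such as “visit our help pages” carries no claim about where the link goes; that is the same distinction a reader makes when hovering over a link. The image-only rule is deliberately coarse and will also flag harmless logo links, so in practice it is a prompt to look closer rather than a verdict.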

Social Networking

Social networking is a global revolution, enabling around a billion people worldwide to stay in touch with their friends, share experiences and photographs and exchange personal content. In many ways it has replaced the telephone and email. For many users, it has become a way of life.

Get started…

Never disclose private information when social networking.

Be wary about who you invite or accept invitations from.

Be careful about clicking on links in an email or social networking post.

Various social networking sites are also valuable tools used by many companies and individuals to extend their contacts and deliver marketing messages.

The nature of social networking – having such a massive base of users who are unknown to you – means that using it carries a degree of risk including becoming a target for cyber-criminals.

The Risks

Disclosure of private information by either yourself or friends/contacts.

Bullying.

Cyber-stalking.

Access to age-inappropriate content.

Online grooming and child abuse.

Prosecution or recrimination from posting offensive or inappropriate comments.

Phishing emails allegedly from social networking sites, but actually encouraging you to visit fraudulent or inappropriate websites.

Friends’, other people’s and companies’ posts encouraging you to link to fraudulent or inappropriate websites.

People hacking into or hijacking your account or page.

Viruses or spyware contained within message attachments or photographs.

Safe Social Networking

You can avoid these risks and enjoy using social networking sites by following a few sensible guidelines:

Do not let peer pressure or what other people are doing on these sites convince you to do something you are not comfortable with.

Be wary of publishing any identifying information about yourself – either in your profile or in your posts – such as phone numbers, pictures of your home, workplace or school, your address or birthday.

Pick a user name that does not include any personal information. For example, “joe_glasgow” or “jane_liverpool” would be bad choices.

Set up a separate email account to register and receive mail from the site. That way if you want to close down your account/page, you can simply stop using that mail account. Setting up a new email account is very simple and quick to do using such providers as Hotmail, Yahoo! Mail or gmail.

Use strong passwords.

Keep your profile closed and allow only your friends to view your profile.

What goes online stays online. Do not say anything or publish pictures that might later cause you or someone else embarrassment.

Never post comments that are abusive or may cause offence to either individuals or groups of society.

Be aware of what friends post about you, or reply to your posts, particularly about your personal details and activities.

Remember that many companies rout
