Netsikkercomputer 2013
- 1. Netsikker Computer Kursusleder: Ewan Andreasen (ea@vejlebib.dk)
- 2. Dagens program • Lidt om truslen • Hacking: det tekniske angreb • Phishing • Identitetstyveri: det personlige angreb • Computerprogrammer og beskyttelse • E-mail (og anden kommunikation på nettet) • Kodeord: dine nøgler på nettet • E-handel: Trygt og sikkert
- 4. • Gener i forbindelse med brug af computeren (reklamer, langsom net, langsom PC, ..) • Beskadigelse af: – Dit udstyr (computer, mobiltlf., ..) – Dine data – Dine finanser • Indtrængen i dit privatliv • Blotlæggelse af dine personlige oplysninger
- 5. Hacking: det tekniske angreb
- 6. • Hvad er cracking/black hat hacking? • Indgang ad ubeskyttede porte på PC’en • Programmer installeres, som går på nettet • en 2-vejs firewall er bedst (eks. ZoneAlarm) • Konsekvenser • Informationer om dig sendes ud på nettet • Din PC bliver ”slave” • Installation af ”bagdør” for andre crackere og virus
- 7. Phishing
- 9. • Spiller på godtroenhed • Ikke nyt fænomen – fandtes før e-mail – Klassikeren kaldes Nigeria Scam/419 Scam • Tegn på phishing-mail: – Stavning – Links i e-mailen – Trusler – Afsendt fra kendt firma – Læs mere: https://www.paypal.com/dk/cgi-bin/webscr?cmd=xpt/ • Du lokkes ud i et kostbart forløb eller franarres personlige oplysninger
- 11. • ”Identitetstyveri er, når en person udgiver sig for at være en anden og misbruger vedkommendes oplysninger, fx cpr- nummeret eller bankkontoen. ” (Kilde: http://taenk.dk/tema/pas-på-dit-cpr-nummer/sådan-foregår-ident ) • Hvad skal jeg gøre? – Pas på hvad du smider i skraldet – Vær nærig med dit CPR-nr og personlige oplysninger – Flere råd: http://www.dr.dk/DR1/kontant/Gode/2012/01/31171946.htm • Test: Søg dit navn på Google • Test: Søg dit CPR-nr. på Google • Test: ID-tyveri-testen på http://idtyveri.info/selvtesten/Index.html
- 12. Computerprogrammer og beskyttelse
- 13. • Firewall – kontrollerer trafik til/fra din computer – Windows Firewall (indbygget i Windows) – ZoneAlarm: http://www.zonealarm.com/security/en-us/zonealarm-free-ant • Antivirus, anti-spyware og anti-malware – finder og uskadeliggør skadelige programmer – Windows Defender (indbygget i Windows) – Microsoft Security Essentials (Antivirus - DANSK): http://windows.microsoft.com/da-DK/windows/products/secur – Avast! (Antivirus): – http://www.avast.com/en-dk/index – Ad-Aware (Anti-spyware): – http://www.lavasoft.com/products/ad_aware_free.php
- 14. - MEN: • Programmers prøveversioner udløber og du bør sikre at PC’en fortsat er beskyttet – en ubeskyttet PC holder kun få minutter • Sikkerhedshuller opdages i gamle programmer – Slet programmer du ikke bruger – Opdatér de programmer du bruger • Mobiltelefonen: det næste mål – Antivirus til telefonen (AVG, Lookout) – Programmer til at lokalisere en stjålen telefon (Prey: http://preyproject.com/
- 15. - TEST: • Tjek ”skjoldet” med en kunstig virus – http://www.rexswain.com/eicar.html • Se om Windows på din PC er opdateret – http://update.microsoft.com • Se om dit internetprogram er sikkert • https://browsercheck.qualys.com • Se om øvrige programmer på din PC er opdaterede – http://secunia.com/vulnerability_scanning/online/?lang=dk
- 16. E-mail ..
- 17. • Pas på hvad du skriver i indholdet - skriv aldrig: – CPR-nr. – konto-nr. – Kodeord af nogen art – andre fortrolige oplysninger • E-mail, du ikke bør besvare – Reklamer der generer dig – ”Personlige” henvendelser fra personer du ikke kender – Mail fra folk du kender, men mystisk formuleret og med underlige vedhæftninger – SPAM generelt • Strategier mod uønskede mails – SPAM-filtre, såsom • SPAMFighter ( http://www.spamfighter.com/SPAMfighter/Lang_DA/Product_Info.asp ) • eller internetudbyders eget filter – Brug af ekstra mailadresse for tilmelding til konkurrencer m.m. (”Honningkrukke”)
- 18. ..og anden kommunikation på nettet
- 19. • Privatlivsindstillinger på sociale netværk – Hvert site har deres indstillinger (Facebook, Picasa, Google+, LinkedIn, ..) – Facebook: en god guide på dansk • http://komfo.com/da/ressourcer/guide-styr-dit-privatliv-paa – Google+: engelsk guide • http://www.ghacks.net/2011/07/03/google-privacy-notificat
- 20. Kodeord – dine nøgler på nettet
- 21. • Desværre ingen gode alternativer til kodeord • Hvad er et godt kodeord? – Ikke et kendt ord – Blanding af tal, tegn, store og små bogstaver – Langt (mindst 7 tegn) – Læs: http://www.it.life.ku.dk/vejledninger/kodeord.aspx • Tips: – Brug evt. lange sætninger i stedet for ord – skift så ofte som muligt – Brug mange forskellige kodeord – Brug krypteret USB-pen med kodeords-program Test dit kodeord: http://www.passwordmeter.com
- 22. E-handel: trygt og sikkert
- 23. • Sikkert at handle på nettet – I Danmark hæfter din bank for evt. tab • Tjek butikken – Se efter e-mærket – Se at betalingssiden viser ”hængelås” og ”https://” i internetadressen – Slå butikken op på • Trustpilot: http://www.trustpilot.dk • Forbrugerklagenævnets firmatjek: http://www.forbrug.dk/Forbrug/forside/Dine %20klagemuligheder/Naar%20du%20har %20klaget/Firmatjek • Test: Slå en butik op i trustpilot og firmatjek
- 24. Gode links & ressourcer • http://opdaterdinpc.tdc.dk/ • http://komputer.dk/netsikker (fra 2010) • https://www.cert.dk/vejled/ • http://www.forbrug.dk/Test-og-raad-foer-du- koeber/Ehandel/Inden-du-handler-paa-nettet
- 25. Tak for i dag!
Editor's Notes
- #12: http://www.smartplanet.com/blog/thinking-tech/how-to-steal-an-identity-in-seven-easy-steps/9487: The victim: He knew her name was Kim, where she was from, where she worked and roughly her age. He also knew the name of her bank and her username although as Thompson says, this was easy to guess—it was her first initial and last name. (Note: Change your username to something a bit less obvious.) Seven Steps: 1) Google search. He googles her. Finds a blog and a resume. (Thompson called her blog a “goldmine.”) He gets information about grandparents, pets, hometown. Most important he gets her college email address and current gmail address. 2) Next stop: Password recovery feature on her bank’s web site. He attempts to reset her bank password. But the bank sends a reset link to her email, which he does not have access to. So he needs to get access to her gmail. 3) Gmail access. He attempts to reset her gmail password but gmail sends this to her college email address. Gmail tells you this address’ domain (at least it did in 2008 when Thompson conducted the experiments) so he knew he had to get access to that specific address. 4) College email account page. Thompson clicks the “forgot password” link on this page and winds up facing a few questions. Home address, home zip code and home country? No problem, Thompson has it all from her resume. The same resume found from the simple google search done earlier. Then came a stumbling block: the college wanted her birthday. But he only had a rough idea of her age, no actual birth date. 5) State traffic court web site. Apparently you can search for violations and court appearances by name! And such records include a birth date. (Facebook also makes this piece of data very easy to get even if people do not note their birth year…remember Thompson knew roughly how old Kim was.) But he had no luck with the Department of Motor Vehicles. 6) Thompson goes back to the blog and does a search for “birthday.” He gets a date but no year. 7) Finally, Thompson attempts the college reset password again. He fills in her birth date, and simply guesses the year. He gets it wrong. But the site gives him five chances, and tells him which field has the error. So he continues to guess. He gets access in under five guesses. He changes her college password. This gives him access to her gmail password reset email. Google requires some personal information which he is able to get easily from her blog (e.g., father’s middle name.) Thompson changes the gmail password and that gives him access to the bank account reset password email. Here again he is asked for personal information but nothing that he could not glean from Kim’s blog (e.g., pet name and phone number.) He resets the bank password and bingo, has immediate access to all her records and money. From Thompson: Needless to say, Kim was disturbed. Her whole digital identity sat precariously on the foundation of her college e-mail account; once I had access to it, the rest of the security defenses fell like a row of dominoes. What’s striking about Kim’s case is how common it is. For many of us, the abundance of personal information we put online combined with the popular model of sending a password reset e-mail has our online security resting unsteadily on the shoulders of one or two e-mail accounts. Yes in this case the personal information came from her blog but it could have easily come from a Facebook page or other online community pages.
- #14: Vis hvordan siderne ser ud, hvorfra man henter programmerne – at man skal undgå at klikke PRO versioner, hvis det skal være gratis
- #15: Problemer med apps til mobilen/tabletten – telefonen skal være tændt. Du skal tænke: aktiver tracker og wipe telefonen. Der findes programmer, som kan installeres remotely selvom du har glemt det.. ”Plan B” på Play store. Husk at tyveri af mobilen er guf mht. identitetstyveri – hvad hvis facebook er tændt på den? Andre programmer, hvor du er logget ind?
- #22: Evt. alternative til passwordmeter: http://howsecureismypassword.net/ eller http://password-checker.online-domain-tools.com/