Malware

Malware is short for “malicious software” and is any software employed to bring damage to computing devices (computers, smartphones, etc.) or the stored content (data or applications). Malware corruption can manifest in different ways, such as formatting your hard disk, deleting or corrupting files, stealing saved login information, gathering sensitive information (your files and private photos), or simply displaying unwanted advertisements on your screen. Many malware variants are stealthy and operate silently without the user’s knowledge or awareness. Malware is a term used to refer to many types of malicious software such as computer viruses, worms, Trojan horses, spyware, ransomware, scareware, and adware.

Hacking

Hacking is the process of invading your privacy by gaining unauthorized access to your computing device. Hackers usually scan your machines for vulnerabilities (such as unpatched Windows updates) and gain access through them. After gaining access, they may install a keylogger or a Trojan horse to maintain their access, to begin stealing information, or to spy on user activities.

Pharming

Pharming is a cyber-attack intended to redirect users from a legitimate web site to a fraudulent site without their knowledge. Pharming can be conducted either by changing the hosts file on a victim’s computer or by poisoning the Domain Name System (DNS) server records with false information to lead users to unwanted destinations. DNS servers are computers responsible for resolving Internet names into their real Internet Protocol (IP) addresses.

If the Windows hosts file gets infected with malware, it can change its contents and insert redirects, so when the user types the legitimate URL, the browser may then redirect to a malicious web site that has the same look and feel. When the user enters his or her username and password, the malicious web site will receive them instead of the original one, thus resulting in a compromised user account and credentials.

To mitigate such attacks, you can prevent hosts file modifications by following these steps:

1. Navigate to the %SYSTEMDRIVE%WindowsSsystem32driversetc folder (SYSTEMDRIVE is where you installed Windows, usually at C:).

2. Right-click the hosts file, select Properties, and select the Read-only attribute; finally click OK (see Figure 2-1).

   

   Figure 2-1. Changing hosts file attributes to Read-only to avoid pharming attacks on Windows machines

Phishing

Phishing messages come in different shapes, such as SMS messages, e-mails, and web site links (URLs), all of which are designed to look genuine and use the same format as the legitimate company. Phishing aims to collect user-sensitive details (such as banking information, passwords, and credit card details) by tricking the end user into handing the information to the attacker. Phishing is covered in detail later in this chapter.

Ransomware

Ransomware is computer malware that installs silently on the user machine. Its objective is to deny access to user files, sometimes encrypting the entire hard disk drive and even all the attached external disk drives. It then demands that the user pay a ransom to get the malware creator to remove the restriction so the user can regain access to the system and stored assets.

Most ransomware hits devices through phishing e-mails and pop-up advertisements. There are three major types of ransomware.

• The first one locks the system in a way that is not difficult for a technical person to reverse; it displays a message requesting payment to unlock it.

• The second type encrypts the whole disk drive, including any removable storage, and demand a ransom to decrypt it (but there’s no guarantee of getting any data back).

• The third is a variant that pretends to be ransomware but is actually trickware, which can easily be removed. Figure 2-2 shows an example that was mounted against the iPad and iPhone.

  

  Figure 2-2. Sample trickware mounted against Apple devices

Victims of ransomware usually pay the ransom through the bitcoin digital currency (more on bitcoins in Chapter 4).

Ransomware usually comes hidden in a legitimate file. When the user installs the legitimate program, the ransomware gets installed as well without the user’s knowledge.

Ransomware is now the number-one security concern for organizations. As the number of attacks increase, it has become a global problem that threatens both individuals and companies. According to CNN, cyber-criminals collected $209 million in the first three months of 2016, meaning that at the end of 2016 this number may reach $1 billion. This number may be even bigger than that, though, because some victims may choose to pay and not report the crime. ¹

Adware and Spyware

Adware is used to collect information about you and your machine. It usually comes with free software or useful plug-ins or search bars for web browsers; once installed, it begins tracking your online activities and may then send it to outside parties. Many free games and free system utilities contain adware. As we already said in Chapter 1, few users read the end-user license agreements (EULAs) and simply click the “I agree” button without knowing that the freeware may contain adware (which is clearly stated in their EULAs).

Spyware in the form of a keylogger will seek to steal everything you type on your keyboard (usernames and passwords) and send it to its operator. Some spyware can facilitate installing a virus on your operating system, rendering it inoperable. Other forms can do this via the in-house/in-home Wi-Fi connection, communicating any acquired credentials and information into the hands of an awaiting actor.

Trojan

This type of malware can infect computer silently. It usually installs itself as part of a legitimate software installation. In fact, many Trojans work stealthily in the background and are undetectable by antivirus programs. Most of the popular banking threats come from a Trojan family like Zeus and SpyEye. Trojans can potentially gain access to all your system functions including the camera and microphone . They also have the ability to delete files and monitor your online activities and keystrokes or even to detect other Trojans that may be installed by other criminals and then to remove them, making the new resident Trojan the only active variant on the target system.

Virus

Computer viruses have been around now for at least two decades and are one of the oldest traditional risks known since the early days of personal computers. They have morphed through many variations of dangerous profiles. A virus is a malicious program that infects a target PC or its content with the objective to make the computer inoperable, thus possibly forcing drastic action like a reformat to return to its normal state. Some viruses cause more damage such as stealing your contact list and credentials and facilitating unauthorized access to your machine. Nowadays, viruses are not widely used because they have been replaced with other types of malware that enable attackers to generate revenue from their attacks such as ransomware.

Worms

The Morris worm, or Internet worm, was one of the first to be seen in the wild. In November 1988, it was distributed via the Internet and caused significant damage to the infected systems. This is now another type of old-school attack that is still widely used. However, unlike viruses, which aim to destroy or compromise the OS, the worm works to spread from one machine to another through internal networks or the Internet. Many types of worms attack the e-mail client (e.g., Microsoft Outlook or Thunderbird) and copy themselves to all contacts in the address book to further distribute their infection to new locations. Worms can make computers run slowly because they can consume your disk space and Internet bandwidth. Worm propagations can cause tremendous lost in revenue for companies when spread inside a company’s intranet.

Wi-Fi Eavesdropping

No matter whether you are at home, at work, or at a public access point, hackers can intercept communication communicated through unprotected wireless networks and access points. Such attacks can result in intercepting all your online communications, including your usernames and passwords, and of course may provide access to your online banking details.

Scareware

Scareware is a form of malicious software that uses social engineering to cause shock, anxiety, or the perception of a threat in order to manipulate users into buying unwanted software. ² For example, scareware can report to a user that his or her machine is full of spyware and other infections and he or she must act promptly and purchase an anti-malware solution (which is fake!). The idea here is to trick the user into purchasing something unnecessarily in order to take his or her money.

Distributed Denial-of-Service Attacks

A distributed denial-of-service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. Attackers build networks of infected computers, which could be millions of machines, known as botnets, by spreading malicious software through e-mails, web sites, and social media . Once infected, these machines can be controlled remotely by a bot master, without their owners’ knowledge, and used like an army to launch an attack against any target.

Botnets can generate huge floods of traffic to overwhelm a target. These floods can be generated in multiple ways, such as sending more connection requests than a server can handle, manipulating the TCP flags (like the well-known Christmas Tree attack did), or having computers send the victim huge amounts of random data to use up the target’s bandwidth.

Cyber-criminals don’t have to make their own malware these days; they can purchase ready-made malware in the form of crime wave as a service (CaaS) that is ready to launch DDoS attacks against any web site they choose. An underground black market (we will talk about this later in the book) offers the Bot Malware Kit, which can be used to infect a large number of computers, create a botnet, and launch a DDoS attack for only $200. ³

Rootkits

A rootkit is a dangerous type of malware; it can potentially gain full access (administrative access) over the system and has the ability to prevent normal detection programs (antivirus and anti-rootkit programs) from noticing its presence. Some dangerous rootkits attack at the hardware level (firmware rootkit ), and removal may require hardware replacement or specialized intervention.

Juice Jacking

In this attack, an intruder will steal your private data through the USB charging port of your smartphone, tablet, or laptop when you connect your device to a public power-charging station such as the ones available in airports, conferences, and restaurants. Malware can also get installed using this technique. To counter such risks, do not charge your computing device in public charging stations; use personal power bank units instead.

How to Select Your Antivirus Program

Antivirus software usually uses three basic methods for detecting, blocking, and removing viruses.

• Signature-based detection

• Heuristics detection

• Rootkit detection

Most personal antivirus solutions use a combination of signature-based detection and heuristic technology. Although most antivirus programs have a similar approach for detecting malicious software, some are better than others. To help you select the best one, we have created a number of criteria that should be met by your future antivirus solution.

• The antivirus program should detect and remove malware of all kinds (including ransomware or any other financial malware).

• It should be able to detect phishing attacks and dangerous web sites and deny access to them.

• It should be able to integrate with major e-mail clients (such as Microsoft Outlook and Thunderbird) to scan incoming and outgoing e-mails automatically in addition to filtering spam e-mails.

• It should be compatible with the currently installed operating system and programs.

• It should come equipped with a personal firewall.

• It should update itself automatically.

• It should be efficient in terms of discovering zero-day malware and updating its virus signature database instantly.

• If the antivirus has the ability to detect rootkits, this is an excellent extended feature.

• It should have a lower number of false positive alerts or false alarms (this happens when antivirus software recognizes legitimate software as malware).

• It should be able to protect your browser from outside attacks.

• It should have a DNS protection feature (more about DNS in Chapter 4).

• It should be lightweight and not consume high computing resources when scanning files or working in the background.

• It should not renew its license automatically without explicit approval.

• It should be affordable to you.

Microsoft has a free antivirus solution that provides protection against different types of computer malware called Microsoft Security Essentials (MSE). MSE has received generally positive reviews for its simple user interface, low resource usage, and freeware license. MSE can be installed on Windows 7; however, modern versions of Windows (Windows 8, Windows RT, Windows 8.1, Windows RT 8.1, and Windows 10) have Windows Defender built into Windows that helps guard your PC against viruses and other malware. Windows Defender surpasses MSE for having enhanced protection against rootkits and bootkits. If you’re looking to protect an older PC running Windows 7, you can use Microsoft Security Essentials ( http://windows.microsoft.com/mse/ ).

The main disadvantage of both MSE and the modern Windows Defender is the lack of a personal firewall. Despite this fact, these products are excellent choices for Windows. With regard to the firewall issue, you can install a separate solution from Comodo, as you are going to see later.

Other free antivirus solutions offer good basic protection for your Windows PC, as shown in Table 2-1.

If you want to purchase a paid antivirus solution (always recommended as they offer more comprehensive protection), you can always check the Independent IT-Security Institute web site at https://www.av-test.org/en/ , which conducts regular tests to find the best antivirus solution for different operating systems (including smartphones) according to specific technical and security criteria.

Anti-exploit

An antivirus program by itself is no longer an adequate security measure on its own. Emerging threats require you to install additional solutions for full protection. Anti-exploit programs help you survive against sophisticated attacks such as Flash and Silverlight exploits and Browser vulnerabilities. Anti-exploit tools also provide protection against zero-day malware.

The Enhanced Mitigation Experience Toolkit (EMET), available at https://www.microsoft.com/en-us/download/details.aspx?id=50766 , is a free product from Microsoft. EMET anticipates the most common techniques that adversaries might use in compromising a computer and helps protect by diverting, terminating, blocking, and invalidating those actions. EMET helps protect your computer systems even before new and undiscovered threats are formally addressed by security updates and anti-malware software.

Anti-spyware

Running anti-spyware software for computer safety is considered to be just as important as having antivirus software. Spyware is a kind of malware that tracks your online activities and sends it to third parties. The more dangerous spyware can steal everything you type on your keyboard and send it to its creator. Antivirus solutions have the ability to detect different kinds of spyware; however, it is advisable that you have a dedicated solution for spyware removal for maximum protection.

Spybot S&D ( https://www.safer-networking.org ) is a popular free program used to detect and remove different kinds of adware, malware, and spyware from your computer system. Spybot S&D (the free edition) is not an antivirus tool. It can, however, run alongside antivirus software to enhance the security of your PC. The paid edition comes supplied with antivirus functionality.

Anti-malware

As we said previously, malware includes all types of malicious software that can damage your operating system and stored files. Every day a large number of malware programs are launched online. The security solutions we already talked about can stop many types of malware, but it is recommended that you have a dedicated solution to stop malware attacks only. Spybot S&D (the free edition) comes with an anti-malware functionality, but there is another famous program for detecting malware called Malwarebytes ( https://www.malwarebytes.com ). The free edition can detect and remove malware and advanced threats in addition to removing rootkits and repairing the files they damage. Malwarebytes doesn’t require advanced configuration. Install it and you are ready to go, making it a preferable solution for beginners.

Firewalls

A firewall monitors and controls the incoming and outgoing network traffic and helps you to screen out hackers, viruses, and worms that try to reach your computer over the Internet. All Windows versions, beginning from Windows XP SP2, have a firewall built in and turned on by default. However, this firewall has some limitations compared with third-party firewalls. (For example, it monitors incoming traffic only, while letting outgoing traffic flow freely; also it does not offer an easy-to-use interface for its advanced features.) You can access Windows Firewall (in all Windows versions) from Control Panel ➤ Windows Firewall.

The primary function of a firewall is to block unrequested incoming and outgoing connections. It allows you to set access permissions for each program on your computer. When one of these programs tries to connect to the Internet, your firewall will block it and launch a warning message unless it recognizes the program and verifies that you have given it permission to make that sort of connection. By doing this, your firewall prevents any currently installed malware from connecting to the outside world to spread viruses or to communicate with hackers to invade your machine.

The majority of the paid versions of antivirus solutions come equipped with a personal firewall, but if you opt to install a free edition, then you need to have a dedicated personal firewall installed on your machine. There are many free firewall solutions for Windows; however, configuring a firewall could be a daunting task for beginners, so it is better to install one that is easy to configure and provides maximum protection. The free Comodo firewall has such characteristics.

Because of the importance of a robust firewall on every computer accessing the Internet, we will describe how to set up and configure the Comodo firewall in some detail. Before beginning the installation of Comodo firewall , though, make sure that your current antivirus software doesn’t have its own firewall activated as part of it. Also, make sure to deactivate the built-in Windows Firewall.

Install the Comodo firewall by following these steps:

1. Download the Comodo firewall from https://www.comodo.com/home/internet-security/firewall.php . The current version of the Comodo firewall is 10. After downloading the program, execute the installer to begin the installation wizard. The first screen in the wizard asks you to select your installation language. In our case, we are selecting English. Then click the I AGREE button to move to the next step.

2. Comodo may ask you to set Yahoo as your default home page and search engine. In our case, we are unchecking this option. Click Next to continue.

3. The next wizard has two tabs. The first one asks whether you want to send anonymous program usage information and whether you want to use cloud-based behavior analysis. Uncheck both options.

4. The next tab asks you whether you want to install the additional components, which are Comodo GeekBuddy (for technical support) and Comodo Dragon Web Browser. In this case, we are unchecking both. Now click the Install button to begin installing the firewall (107MB). This may take some time depending on your Internet connection speed.

5. Upon finishing, the final wizard window will ask you to enter your e-mail if you want to receive offers and news from Comodo. In our case, we are selecting not to receive anything. Click the Finish button. Restart your computer to finish the installation.

6. After Windows restarts, Comodo will detect your current network connection and ask you about your location. In this case, select “I am at Home.”

7. The Comodo firewall desktop icon appears in the system tray. To access the firewall settings, double-click this icon.

   Note  The default settings of Comodo are suitable for most users; however, we prefer to use custom rules in order for interactive protection to investigate all incoming and outgoing connections.

8. Once Comodo’s main interface appears, click Settings (see Figure 2-4).

   

   Figure 2-4. Comodo program main interface

9. Go to Firewall ➤ Firewall Settings and check Enable Firewall (Recommended). From the drop-down menu, select Custom Ruleset. Finally, click the OK button to accept the new settings (see Figure 2-5).

   

   Figure 2-5. Modifying the firewall settings to become a custom ruleset for interactive protection

10. After implementing the new setting, every time the Comodo firewall receives a connection request, it activates a pop-up firewall alert prompting you to either allow or block access to your system to and from the Internet (see Figure 2-6).

    

    Figure 2-6. Example of Comodo firewall alert when trying to access the Internet using Mozilla Firefox

It is advisable to be strict in allowing programs to connect to the Internet. Do not hesitate to stop any suspicious program from connecting to the Internet. If you suspect any program, you can simply click its icon to open the Properties window and learn more about the process or program requesting access (see Figure 2-7).

Figure 2-7. Investigating iexplore.exe by clicking its process name in the Comodo alert message

You can further configure application rules and change the rules for previously running applications by going to Settings ➤ Firewall ➤ Application Rules. From here you can see the list of firewall application rules currently activated on this system. Select any one (by selecting its check box) and then click Edit to further customize its online behavior (e.g., allowing outbound traffic while denying inbound traffic) (see Figure 2-8).

Figure 2-8. Configuring specific application firewall rules (Firefox in this case)

The Comodo firewall comes with a default host intrusion prevention system (HIPS ) ruleset that works “out of the box,” providing extremely high levels of protection without any user intervention. For example, HIPS automatically protects system-critical files, folders, and registry keys to prevent unauthorized modifications by malicious programs. Advanced users looking to take a firmer grip on their security posture can quickly create custom policies and rulesets using the powerful rules interface.

We will not delve more into how to configure the Comodo firewall. We cover its basic usage here to impress upon you the importance of having a firewall on your computer. You can find everything you want to know about the Comodo firewall in the help section of the product online page ( http://help.comodo.com ). We highly encourage you to have a firewall installed on your PC before going online because there are many threats that cannot be stopped by regular antivirus/anti-malware software.

Tips to Use Antivirus Software Efficiently

Here are some tips to follow in order to achieve the maximum efficiency when using your antivirus software:

• Do not install two antivirus programs at the same time. They may be in conflict, slow down your machine, or cause instability problems in your computer.

• Make sure your antivirus program is updating itself automatically. If you are suddenly disconnected from the Internet, make sure to update it manually when you have your connection back.

• Perform or schedule a full scan for the entire system. Antivirus programs usually perform automatic scans; however, this scan doesn’t cover all system areas (only critical locations), so it is advisable to run a full system scan each week for maximum protection.

• Be cautious before executing any software downloaded from the Internet. It is better to execute such programs on an isolated virtual machine before installing them on your work PC.

• Do not open e-mail attachments before scanning them using your antivirus program. Executable programs and scripts should not be opened at all when sent through e-mails.

• Do not insert removable media (such as USB stick drives, DVDs, CDs, external hard disks, and SD cards) from unknown sources into your computer. Many viruses reside on such removable media and can infect your computer even when you have an antivirus program installed.

Create Secure Passwords

Here are some tips to create secure passwords:

• The password should be at least 15 characters in length for maximum security.

• The password should contain at least one lowercase letter, one uppercase letter, one number, and one symbol (e.g., # % &).

• The password shouldn’t be your username or even part of it.

• Do not use your spouse’s, family member names (including your name), or pet’s name as part of your password.

• Do not share the same password between your spouse or friends (have two e-mails with the same password).

• Do not use your gender or birth date/place as part of your password.

• Do not use places names for your password (country, city, street name, school, or university name).

• Do not use famous people’s names as your password (e.g., famous movie actors, political leaders, public figures, singers).

• Avoid sequences when creating passwords (consecutive letters, numbers, or keys on the keyboard such as 123456 or asdfghjkl).

• Do not use the same passwords for two different accounts (e.g., your bank account password and your private e-mail password should not be the same).

• Change your password once every three months.

• Do not use the same password again (e.g., when you change your e-mail password, do not return and use any password you were using during the last year).

• Do not use dictionary words as your password or part of it.

• Do not use real words from foreign languages as your password.

• Use a password manager to organize and protect passwords, generate random passwords, and automatically log into web sites.

• Don’t store your passwords in an unencrypted text file or Microsoft Excel spreadsheet or any other file type that is not encrypted. Also, never write down your password on paper. If you want to take your password with you and you are afraid that you may forget it (because it is complex), then use a portable password manager and keep it on your smartphone or on your USB stick drive.

• Do not let your web browser save your entered passwords.

• Do not use tools to automatically generate your password for top important accounts (e.g., bank accounts and medical record accounts). For such important accounts, follow the rules already mentioned and create something from your mind.

• Do not send your password if someone requests it from you. Many social engineering attacks involve making users trust the attacker and getting them to share their passwords.

• Whenever you hear about a data breach in press, instantly change your affected account password.

• Do not ever type your password on a computer that does not belong to you.

Password Generation Tools

Obviously, it is important to change your passwords continually and to use strong, complex passwords that can be difficult or impossible to crack using brute-force , dictionary, or guessing attacks. Many users may fail to create such complex passwords or may simply repeat and use a portion of the old password to create the new one, which is considered an insecure practice. In this section, we will give you some tools and services that can help you to generate strong and complex passwords.

• Free Password Generator ( https://www.securesafepro.com/pasgen.html ) is a free, lightweight tool for generating secure and complex passwords. It has a portable version and can run on all Windows versions.

• PWGen ( http://pwgen-win.sourceforge.net ) is an open source professional password generator capable of generating large numbers of cryptographically secure “classical” passwords, pronounceable passwords, pattern-based passwords, and passphrases consisting of words from word lists. It uses a “random pool” technique based on strong cryptography to generate random data from indeterministic user inputs (keystrokes , mouse handling) and volatile system parameters. It also has some interesting features because it can encrypt, decrypt, and clear the clipboard so that no information is intercepted when copying passwords out of this program.

Many web sites offer online password generation services. However, we prefer not to use such services because your password can be intercepted while traveling to your PC (even though some of these services encrypt the password before sending it to you or simply use a script to run locally on the user’s client machine).

Now you may wonder that after you have successfully created your strong passwords, how can you keep them all in a safe location? The next section will answer this.

Password Managers

As you already saw, the majority of users use weak passwords and repeat using them across different web sites. This bad practice happens because humans have difficulty remembering long, complex passwords, especially if they have many accounts with different passwords. The solution for this problem is to use a password manager.

A password manager allows you to store all your online accounts’ login details in one place. When you want to log in to any service/web site, all you have to do is copy the username/password to the login form. A password manager encrypts the database that contains your login information and protects it with a master password. This is the only password you have to remember.

Warning! Avoid using Browsers’ Built-in Password Manager

Major web browsers have their own built-in password manager; however, they can’t compete with a dedicated program specialized for this purpose. Internet Explorer, Chrome, and Opera store their saved passwords in unencrypted form, meaning that anyone can crack them (see Figure 2-9) unless the entire disk drive has been encrypted.

Figure 2-9. Saved passwords in major web browsers can be extracted using portable tools. WebBrowserPassView from NirSoft reveals saved passwords in the Chrome and Opera browsers.

One exception is Mozilla Firefox , which allows you to encrypt your saved passwords using a master password. However, the Firefox password manager lacks many functionalities found in a traditional password manager program.

It is always preferable to use open source tools, especially when dealing with security software. Open source tools can be audited for backdoors , thus providing confidence to its users. The following sections highlight open source password managers that also have a password generation feature.

Master Password

Master Password ( https://ssl.masterpasswordapp.com ) has a unique approach to generating user passwords. Its passwords aren’t stored in an encrypted database or uploaded to a secure cloud service. Instead, they are generated on the fly using the following parameters: your name, the site you are going to use the password for, and your master password (which is the main password used to log in to the Master Password program). This unique approach to password creation/management guarantees that your passwords will not get intercepted as you synchronize your account between devices (for example, your smartphone and PC). In addition, you do not need any repository to store these passwords. All you need to do is install the Master Password tool on each device you want to use and then enter your name and site names and you are ready to go (see Figure 2-10).

Figure 2-10. Sample password generated using the Master Password tool

Turn On Private Browsing

Most modern web browsers have a privacy feature called private browsing that lets you browse web sites without your history being tracked locally on your computer. When this is enabled in Firefox, Firefox will not record your visited pages, cookies , temporary files, and searches. Firefox will also activate tracking protection , which will block parts of web sites that try to track your browsing history across multiple sites.

To enable private browsing in Firefox, go to the Firefox menu at the top-right corner of your browser window and then click New Private Window (see Figure 2-11). You can also use the Ctrl+Shift+P keyboard shortcut to access it directly.

Figure 2-11. Setting New Private Window in the Firefox browser

A new Firefox window will appear showing you what is saved and what is not saved while browsing in this mode.

As we said, Firefox will also enable tracking protection, which blocks common advertising trackers , social sharing trackers, and analytics trackers. If you want Firefox to be more aggressive in blocking all trackers, you can enable this feature from the Firefox menu (see Figure 2-11). Select Options, go to the Privacy tab, click the Change Block List button, and select “Disconnect.me strict protection. Blocks known trackers. Some sites may not function properly.” Finally, click Save Changes (see Figure 2-12).

Figure 2-12. Enabling aggressive tracking protection to block all online trackers using Mozilla Firefox

Keep in mind that activating strict protection may break the functionality of some web sites, so if this happens and you want to disable protection for a specific web site, click the little shield icon in the address bar and then click “Disable protection for this session” (see Figure 2-13).

Figure 2-13. Disabling tracking for a specific web site when you are in private mode

Read Web Site Privacy Policies

When you join a social networking web site or buy something online, you are asked to agree to the terms of use and to read and agree to the privacy policy agreement before proceeding. Such policy agreements will usually contain information on how the web site will collect data from your computer and how the web site will share it. Because the privacy policy agreement is long and full of legal terms, people tend not to read it at all.

Another misconception about privacy policies is that users assume having a privacy policy on a web site means that their personal information is protected. In truth, many privacy policy agreements contain terms that violate users’ rights to privacy.

We always encourage you to read the privacy policy agreement in full (for critical services and software) or at least the important sections of it to be aware of any violation against your personal data. To make things simpler for you, just look out for these key items while reading:

• What type of information will the site/software collect about you?

• Will your personally identifiable information (PII) or anonymous information be shared with third-party affiliates?

• Will your information will be disclosed overseas?

• Can you opt out from this agreement later?

• Where will your information be stored ?

• Who has access to your information (check all possible parties, including law enforcement and security services)?

• Can you access the service later to update or delete your personal information ?

• Can you make a privacy complaint?

• When will your information be discarded or deleted? Some sites store information for specific periods of time, while some store your information indefinitely.

• What kind of security measures will protect your information?

• Focus on everything written in capital letters.

• Use Ctrl+F to conduct a search for the following keywords in the agreement: third party, affiliate, opt out, arbitration, contents, advertisers. When finding any of these words, read the corresponding section carefully.

• When signing your agreement, make sure that https:// appears in the browser bar to indicate a secure connection.

These tips will help you read the privacy policy agreement quickly, but they may not prevent you from signing a bad agreement; nevertheless, it’s still better than signing an agreement without reading it!

Disable Location Information

Sure, it sounds like a great idea to check into your favorite bar or restaurant on Facebook, Yelp, Google+, and more, but a simple click with your smartphone could unknowingly put you in trouble. Major social networking web sites give you the ability to “check in” and reveal your current location on a map. For example, many people “check in” with their Facebook account at home to announce some events (e.g., a birthday party), which will reveal the user address publicly. The same person can later announce he or she is at a restaurant or going on a vacation; for thieves, this means an empty home ready for robbery.

Robbery is not the only danger of revealing your location through the check-in feature; your child’s safety can be at risk. If your child also performs regular check-ins, this will reveal the current location of your family members and will simplify attacking them if you or they become a target someday. It is highly advisable to deactivate location services in your social networking app, teach your children to do the same, and ask them not to reveal their location using written status updates either.

To disable the location service in the Facebook app (on Android ), open the Facebook app, tap the menu button, and select Account Settings ➤ Location ➤ Location Services ➤ Turn it OFF.

Each version of Android, iOS, and Windows Phone has its own settings to disable location services. As a rule of thumb, you can search for disable location services X (substitute your operating system version or phone model for the X) to find a detailed guide on how to disable it on your phone/tablet.

Another important feature that must be turned off on your smartphone is recording geotagging information, which contains the GPS coordination of your current location when a photo has been taken. This feature is sometimes useful, but, for instance, it could reveal your address information if you take pictures in your home or work office.

The GPS information stored with your shots is part of the Exchangeable Image File (EXIF) data. This is metadata about the image file itself and does not appears to the naked eye; it contains different technical metadata information such as the time and date of each photo and the camera used to take it (see Figure 2-14).

Figure 2-14. Metadata of a JPEG image showing mobile phone and camera type that took the shot

You can disable the “location tag ” on your smartphone, thus preventing it from recording your current geolocation on all future shots. To do this on an Android phone, turn on the camera, go to Settings ➤ Location tags, and turn it off (see Figure 2-15).

Figure 2-15. Disabling “Location tags” on Android smartphones

On iOS, go into Settings, tap Privacy, and then tap Location Services; toggle the Camera option to off. If you cannot find the specified setting on your smartphone, search for disable location tags in X (with your smartphone or OS type instead of the X).

Some social networking web sites strip out geolocation information and other metadata automatically before publishing it online. Twitter and Facebook do so, but some web sites do not. So, to stay in the safe zone, always turn location tags off and read the next section to learn how to remove metadata of different digital file types.

Remove Metadata from Digital Files

Metadata is a data about data. In technical terms, it contains hidden descriptive information about the file it belongs to. For example, some metadata included in a document file might include author name, date/time created, and comments.

From a privacy perspective, users are mainly concerned about the metadata that exists in digital images, but keep in mind that metadata exists in almost all digital files such as documents, video and audio files, and web pages. Metadata usually comes stored in the digital file; however, some file types store it in a separate file.

There are three types of image metadata.

• Technical metadata: This data is usually generated by the capturing camera. It contains information such as camera type and brand name, date/time when the photo was captured, geolocation information (if enabled) of the captured image, and the ID number of the device.

• Descriptive metadata : This data is added by the user using a specific software program to add details about the captured images. For example, the user can add the photographer name, comments, title, and caption, among other things.

• Administrative data: This data is added manually by the image creator to protect the photo; such data may contain copyright information and the contact address for licensing.

EXIF is a standard that specifies the format for images, sound, and ancillary tags used by digital cameras (including smartphones), scanners, and other systems handling image and sound files recorded by digital cameras. ⁴

EXIF data is embedded within the image file and works with JPEG images only. EXIF metadata can contain geolocation metadata in addition to a wide array of technical information.

Other metadata standards include the Extensible Metadata Platform (XMP) and the International Press Telecommunications Council (IPTC). XMP is a metadata standard developed by Adobe Systems. It’s based on XML and was designed to allow the exchange of standardized and custom metadata for digital documents and data sets. Hence, it’s a format that can be used to describe any kind of asset, not limited to pictures (e.g., support video, audio, and PDF files).

IPTC is an older meta-information format, which is slowly being phased out in favor of XMP . The newer IPTCCore specification uses the XMP format. IPTC information can be found in JPEG, TIFF, PNG, MIFF, PS, PDF, PSD, XCF, and DNG images. ⁵

It is advisable to check the metadata of all images before uploading it to the Internet to avoid leaking private information about yourself and the device. There are many freeware tools that can view and edit a digital file’s metadata; we’ll begin with digital images.

Exif Pilot ( www.colorpilot.com/exif.html ) is a free EXIF editor that allows you to view, edit, and remove EXIF, EXIF GPS, IPTC, and XMP data in addition to adding new tags and importing and exporting EXIF and IPTC to/from text and Microsoft Excel files (see Figure 2-16).

Figure 2-16. Using Exif Pilot to view and edit EXIF/IPTC tags

Other free tools that can be used to remove image metadata are GIMP ( https://www.gimp.org ) and XnView ( www.xnview.com/en/ ).

Windows comes supplied with a built-in function that allows you to view and remove some metadata associated with documents and digital images. However, keep in mind that Windows may not be able to remove all EXIF tags, so if you intend on sharing important files, always use the suggested third-party tools already mentioned.

To remove EXIF using Windows, right-click the image, select Properties, and go to the Details tab. At the bottom, click Remove Properties and Personal Information to open the EXIF removal tool. The tool lets you either create a copy of the image with all metadata removed or pick and choose which properties to erase from the selected file (see Figure 2-17).

Figure 2-17. Removing EXIF metadata using the Windows built-in function

As we already said, Microsoft Office documents, PDF files, and audio and video files all have metadata associated with them. We will cover how to remove them quickly in a moment.

To clear metadata from PDF files, Adobe has a feature called Sanitize Document. After clicking it, you can remove all hidden metadata from the intended PDF file (see Figure 2-18).

Figure 2-18. Clearing PDF file metadata

Please note that not all versions of Adobe Reader support the sanitization feature. If your currently installed version does not support it, you can use a third-party tool for this purpose such as ImageMagick ( https://www.imagemagick.org/script/index.php ) or Pdf Metadata Editor ( http://broken-by.me/pdf-metadata-editor/ ).

To view/edit and remove audio file metadata, use Mp3tag ( www.mp3tag.de/en/ ). This is a powerful and easy-to-use tool to edit the metadata of audio files. It supports batch tag-editing of ID3v1, ID3v2.3, ID3v2.4, iTunes MP4, WMA, Vorbis Comments, and APE tags for multiple files at once, covering a variety of audio formats.

To remove a video file’s metadata, use MediaInfo ( https://mediaarea.net/en/MediaInfo ).

To remove metadata from Microsoft Office documents, do the following: for Microsoft Office 2010, 2013, and 2016, you can check the document metadata by selecting File and then going to the Info tab. The Properties panel will be on the right side; from here you can remove document metadata by clicking the Properties button and selecting Advanced Properties (see Figure 2-19).

Figure 2-19. Removing Microsoft Office document metadata

In Microsoft Office 2007, you need to click the Microsoft Office button and then select Prepare ➤ Properties to edit the document metadata.

Another issue you need to consider when sending Microsoft Office documents to outside parties is deleting other hidden metadata. Fortunately, Microsoft Office provides a functionality for deleting hidden metadata. You can access this feature in Microsoft Word 2013/2010/2016 from File ➤ Info ➤ Check for Issues ➤ Inspect Document. In Microsoft Word 2007, you can access this feature by clicking the Office button and selecting ➤ Prepare ➤ Inspect Document.

Make Sure to Log Out

Whenever log in to your social networking account, your e-mail, or an online retail account, make sure to log out when finished. Web sites usually put the login/logout links at the top of the web site. If you are using Firefox in private mode, it will log you out automatically when you close it. Giant companies like Facebook and Google can track your online activities and link them back to your real identity (on Facebook or Google ID ) easily when you remain logged in while you browse the Internet or conduct regular searches. The same thing happens to smartphone applications; the majority of users remain logged in to their Facebook app while browsing the Internet on their mobile device. This practice is bad and will reveal much about your personality and online habits, as we mentioned in Chapter 1.

How to Know Whether a Web Site Is Secure

Millions of dollars are spent daily on web sites such as Google, Amazon, and eBay. These giant companies use the latest technology to protect their assets and customers from cyber-criminals , but when comes to new web sites and online stores, you should be careful that the web site is secure before giving any information or making any purchase. The following are some quick tips that you can use to tell whether a site is secure.

Check the Web Site SSL Certificate

SSL certificates are small data files that digitally bind a cryptographic key to web site details. When installed on a web server, the certificate activates a padlock and the Hypertext Transfer Protocol Secure (HTTPS) and allows a secure connection between the company server and the client machines. Upon installing the SSL certificate, the URL of the web site will begin with https:// instead of http:// (the s stands for “secure”).

To get an SSL certificate, a company must undergo a validation process. There are different levels of validation. Some require only a valid domain name; others require more information about the company behind the certificate. The lowest validation level requires that you prove that you have the right to use the domain name that you are trying to secure (usually done through checking the Whois record of your domain). This type of validation is not secure because an attacker could buy an SSL certificate and bind it to a web site dedicated to conducting phishing attacks.

A more stringent validation will require (in addition to domain validation) you to submit official documents about your company such as a business license/certificate, public records filing for a new business entity, certificate of payment of business tax, or any official documents that can validate your business legitimately. This kind of validation is called extended validation (EV) and uses the highest level of authentication and a rigorous verification process. You can tell when a site is using an EV certificate because the address bar will be green, and the security status bar will reveal detailed information about the company operating the web site when you hover the mouse over it (see Figure 2-20). EV certificates incorporate some of the highest standards for identity assurance to establish the legitimacy of online entities.

Figure 2-20. Sample web site protected with EV SSL certificate

Do Not Install Pirated Software

As software prices increase, many users illegally download pirated software from the Internet to save costs. Such software usually comes with an executable program named Crack or Patch to unlock the pirated program trial version and make it work like the paid one. Running executable programs to unlock legitimate software is dangerous, especially because many pirated program instructions ask the user to turn off antivirus software to avoid any conflict while installing. The pirated software might be disguised malware that will install silently upon executing it. This will effectively jeopardize your personal security.

Another risk is disabling updates . Users are forced to stop automatic updates of pirated software to avoid being discovered by the developer company. For example, when you install a cracked version of Windows or any security solution (e.g., an antivirus solution), you may not be able to update it regularly like the original version. This will leave your software or OS vulnerable to different risks.

If you prefer to use freeware programs downloaded from the Internet, it is highly advisable to use your antivirus solution to scan them before executing them. To become more confident, you can scan the downloaded program with free scan services, which comes in handy when you want to scan a specific file/program using multiple antivirus engines.

VirusTotal ( https://www.virustotal.com ) is a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, Trojans, and all kinds of malware. All you need to do is enter the web site URL you want to check or to upload the file/program to see whether it is clear from malware threats.

Update Everything

Be careful to configure Windows to install automatic updates ; your web browser and antivirus should both update automatically.

To configure Windows (applicable to Windows 7 and 8) to install updates automatically, go to Control Panel ➤ System. On the bottom left, click Windows Update. On the left side, click “Change settings,” and from the drop-down menu, select “Install updates automatically (recommended)” (see Figure 2-21).

Figure 2-21. Configuring Windows 8 to install updates automatically

In Windows 10, automatic updates are enabled by default.

Phishing

The United States Computer Emergency Readiness Team (US-CERT) defines phishing as follows:

“…an attempt by an individual or group to solicit personal information from unsuspecting users by employing social engineering techniques. Phishing emails are crafted to appear as if they have been sent from a legitimate organization or known individual. These emails often attempt to entice users to click on a link that will take the user to a fraudulent website that appears legitimate. The user then may be asked to provide personal information, such as account usernames and passwords, that can further expose them to future compromises. Additionally, these fraudulent websites may contain malicious code.” ⁶

What Does a Phishing E-mail Message Look Like?

Certain characteristics distinguish phishing e-mails from legitimate ones. Here is a list of the main ones:

• Many phishing e-mails use urgent or threatening language in the subject line (e.g., they threaten you about account closure if you do not act promptly). Such e-mails ask you to send your details, fill in online forms, or click a link to renew your subscription or to update your personal details. This could be for your e-mail service, bank account, or any of your social networking accounts.

• They make job offers or talk about work-from-home opportunities with high salary and simple requirements.

• They offer prizes, like a lottery. Some phishing e-mails say that your e-mail won the lottery and you must send your personal details, including bank account, to receive the funds or tax repayment.

• They offer business deals with promises of great profits.

• They are business e-mails with programs or executable code attached to them. Businesses usually do not send programs to execute on client machines.

• Some immigration firms claim an ability to give you a U.S. visa or other country’s visa and request your personal details or ask for a tiny payment to submit the application for you.

• Phishing e-mails usually contain grammatical errors and seem unprofessionally written.

• Phishing e-mail addresses come from a different domain name than the company presents. For example, an e-mail sent from a free service (Google or Outlook) asking you to update your PayPal account details is a phishing scam.

• They contain links that take you to web sites other than the company they are pretending to represent.

Whenever you suspect an e-mail to be a scam , do not reply to it. To check whether it is a phishing e-mail, rest your mouse (but don’t click) on the links contained in the e-mail to see whether the address matches the link that was typed in the message or the sender domain name.

Some attackers may use short URL services to mask the real phishing URL sent to the user. Services like Bitly ( https://bitly.com ) and TinyURL ( https://tinyurl.com ) allow users to shorten any URL. If you suspect that a short URL could be a scam, you can expand it using a free online service like the one at http://checkshorturl.com to see the destination.

You can also check whether the link is safe before clicking it by using free online services such as Norton Web Safe ( https://safeweb.norton.com ) and ScanURL ( http://scanurl.net ).

Phishing is not only limited to e-mails or a digital medium; many phishing attacks are done through phone calls. Phishers will say anything to cheat people out of money. They seem friendly and usually have some previous information about you. They call you by your first name and ask about your life and family to gain your trust. Many of them claim to work for companies you already deal with; others may first send you an e-mail asking you to call them later on their free phone line.

Phishing attacks can also target employees in giant companies. A good example is when an attacker tries to gain some sensitive information about a specific person. If the attacker knows the targeted person’s phone number, he or she can pretend to be that person and call the targeted user’s mobile phone operator technical support and ask for an account reset because he or she forgot the online password. If the trick is successful, the attacker can access the targeted user’s online account and gain sensitive information about him or her that can be used to impersonate him or her or to launch further attacks.

Here are some countermeasure steps against phishing attacks:

• Do not give your credit card , bank details, or other sensitive personal information over phone calls or through e-mails. Some phishers may have part of your personal information and ask you to confirm it; beware of this trick and do not give any information or confirm your details.

• Refuse to answer calls from telemarketing people. Some of them could be genuine; however, it is preferable to avoid them for security purposes.

• Do not give information to charity organizations that you do not know. Some attackers may pretend to be working in a charity to steal your money or to gain more information about you.

• Do not give information about the company you work for. This also includes revealing information about it online (e.g., on social networking sites ).

• Pay attention to the URL of a web site. A phishing web site may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (.com becomes .org or .info).

• Do not click hyperlinks or links attached in the suspected phishing e-mail, especially when you want to check your bank account. Always type the bank URL directly in the web browser address bar.

• Check your bank account regularly to make sure it is safe and no illegal transactions have been made.

• If you suspect that a phishing e-mail could be a legitimate one, try to contact the company behind the e-mail directly using its web site’s Contact Us page. Do not use the Contact Us e-mail or link supplied as part of the suspected e-mail because it could be false and part of the phishing attack.

• Do not install programs or download files sent as attachments in e-mails from unknown senders.

• Do not access your important accounts on public computers , and use a virtual keyboard where applicable.

• Always discard pop-up screens and never enter information using them.

• Make sure the web site you deal with to enter your personal information is protected by an SSL certificate (HTTPS).

• Phishing is not limited to one avenue. Although most phishing attacks target bank accounts, there are many that target social networking sites and other companies such as eBay and PayPal.

• Consider the anti-phishing working group at www.antiphishing.org for a list of previously recorded phishing attacks. ISIT Phishing ( http://isitphishing.org ) checks phishing URLs using heuristic technology coupled with machine learning.

• Enhance the security of your computer by keeping your antivirus software up-to-date, update your Windows machine continuously, and do not ignore any warning raised by your web browser or e-mail service provider about any a suspected phishing e-mail/web site.

• Organizations should invest in educating their employees about cyber-security attacks. If employees learn how to protect their data and the company’s confidential data, they’ll be able to recognize a social engineering attempt and mitigate its consequences.

• Business organizations should have a data classification policy, where only the employees who really need to access sensitive data are given access to it.

If you suspect that you are a victim of a phishing attack, contact the Federal Trade Commission and raise a complaint at https://www.ftc.gov/complaint . You can report identity theft at the same page if you suspect that someone or a company is misusing your private data. You can also file a complaint on the FBI web site at https://www.ic3.gov/complaint/default.aspx .

Note! Authentication Icon for Verified Senders

Spammers can “spoof” a message to make it look like it’s sent by a real web site or company that you might trust. To help protect you from such messages, Google tries to verify the real sender using e-mail authentication . As an additional security measure, you can enable the “Authentication icon for verified senders” option. After enabling it, you will see a key icon next to authenticated messages (see Figure 2-23) from trusted senders, such as Google Wallet, eBay, and PayPal.

Figure 2-23. Activating “Authentication icon for verified senders” to distinguish original senders from spoofing e-mails

To enable this feature in a Gmail account, do the following:

1. Access your Gmail e-mail at https://mail.google.com .

2. Access the Gmail Settings in the top right.

3. Click the Lab tab.

4. In the “Authentication icon for verified senders” section, select Enable.

5. At the bottom of the page, click Save Changes.

Other Social Engineering Attack Types

Social engineering attacks are a preferred method to gain access to sensitive information in a relatively easy way compared with technical attacks such as brute-force or man-in-the-middle attacks. Phishing is the most common technique currently used to trick users into handing over their sensitive information; however, there are other techniques used to perform social engineering attacks. The following are the most popular:

• Shoulder surfing : This is trying to gain sensitive information from users while they perform their regular tasks. For example, it means capturing user passwords by watching them type them on the keyboard.

• Dumpster diving : This attack tries to gain sensitive information from materials thrown in the trash. Many organizations discard different types of papers without proper shredding (e.g., calendar of meetings, users list, system usage manuals). In fact, some organizations get rid of old computers without properly destroying them or securely wiping data on the hard disk. An attacker can gain important information by looking in the garbage or recovering data from old computers’ hard disks.

• Role-playing : In this kind of attack, an attacker will impersonate technical support staff at some company and try to take sensitive information from users to gain illegal access to their accounts.

• Keyloggers/Trojan horses: Here, an attacker tricks the user into installing malicious software on his or her machine (e.g., through an e-mail attachment or freeware downloaded from the Internet). The installed tool will record everything the user types on the keyboard and send it back to its operator.

• OSINT: Open source intelligence (OSINT) is where attackers investigate publicly published information about a specific company or person to gain intelligence. Different tools exist to perform these attacks such as Maltego ( https://www.paterva.com/web7/ ) and Social-Engineer Toolkit (SET) ( https://github.com/trustedsec/social-engineer-toolkit ).

As you can see, there are different kinds of social engineering (SE) attacks, and all try to gain unauthorized access through exploiting the “human factor,” which remains the weakest element in computer security. Educating users about SE risks is still the best countermeasure technique against such attacks.

Change the Network SSID Name

Each router comes with a default name (SSD or wireless network name ), which is usually the name of the manufacturer (e.g., D-Link). Changing this name to something else (don’t use your personal information; use something ordinary and not related to you personally) will help you to prevent outsiders from knowing which router belongs to you.

You can also hide your Wi-Fi SSID completely. (Router settings allow you to hide your Wi-Fi network from prying outsiders. Note that once you do this, you’ll stop seeing the network pop up in your own devices’ Wi-Fi lists, and you’ll need to type the SSID into each device you want to connect to.)

Enable Wi-Fi Encryption

When you are at your router’s settings page, go to Wireless setup ➤ Wireless security and select a strong encryption standard to secure your Wi-Fi transmission. For instance, WPA2 is the most secure one (see Figure 2-25). Finally, enter a passphrase to protect your Wi-Fi connection (this passphrase is used by all devices that want to use your Wi-Fi connection; it is different from the first password used to secure your router’s settings area).

Figure 2-25. Enabling strong encryption standard for Wi-Fi connection using D-Link router

Filter MAC Addresses

All computing devices (laptops, tablets, desktops, and smartphones) have a MAC address . This is a unique address hard-coded on the network interface card of each device capable of interacting with the Internet. You can go into your router settings (usually the MAC filter area) and type in the MAC addresses of only those devices you want to allow on the network. This will effectively help you to restrict access to your local network.

Update Firmware

Make sure to update your router firmware continually. Manufacturers release updates to counter future vulnerabilities, and leaving your router without an update is a security hole.

Security Section

The Login Alerts setting allows you to get an alert (e-mail or SMS) when anyone logs into your account from an unrecognized device or browser.

The Two-Factor Authentication setting enables two-factor authentication (you need a security code generated automatically) when logging in to your Facebook account using a new browser. You have the following options to receive this security code:

• You can receive an SMS message on your cell phone.

• You can use a Universal 2nd Factor (U2F) security key to log in through USB or NFC.

• You can use Code Generator in your Facebook mobile app to reset your password or to generate Login Approval security codes.

• You can use recovery code (pregenerated security codes; you can keep them with you on paper) to access your account when you do not have your mobile phone with you.

The Where You’re Logged In setting allows you to see all the places where you are currently logged in. You can also terminate the session of any device currently logged into your account that you do not recognize.

The Deactivate Your Account setting will disable your profile and remove your name and photo from most things you’ve shared on Facebook. Some information may still be visible to others, such as your name in their friends list and messages you sent. You can reactivate the account at any time you want.

There are other settings, but they are all self-explanatory.

Privacy Section

The next section that you should access and configure properly is the Privacy settings (which resides below the Security section on the left side of the Settings page). This section shows you the basic privacy settings and helps you make sure that your profile and the content you share are viewable only by the audience you select (see Figure 2-27).

Figure 2-27. Accessing the Privacy section in the Facebook settings

The “Who can see my stuff?” group of settings lets you edit who can see your future posts. It is recommended that you set the default sharing option to Friends.

The “Who can look me up?” group of settings allows other people to look you up using your e-mail address and phone number. It also determines whether search engines from outside Facebook can link to your Facebook profile directly. This setting is important because it will determine how outsiders can find you online; select the best privacy setting commensurate to your needs.

The next important section is Timeline and Tagging Settings. It contains the following settings:

• The “Who can add things to my Timeline?” group has two settings. The first one is “Who can post on your Timeline?” The recommended setting is “Only me.” The next one is “Review posts friends tag you in before they appear on your Timeline?” The recommended setting is Enabled.

• “Who can see things on my Timeline?” has three settings. The first one is “Review what other people see on your Timeline.” This tool lets you see what your Timeline looks like to the public or a specific friend. The second setting is “Who can see posts you’ve been tagged in on your Timeline?” The recommended setting is Friends. The third one is “Who can see what others post on your Timeline?” The recommended setting is Friends.

• “How can I manage tags people add and tagging suggestions?” has three settings. The first one is “Review tags people add to your own posts before the tags appear on Facebook?” The recommended setting is Enabled. This is an important privacy option because if someone adds a tag to one of your posts, his or her entire list of friends will see the post and not just the friends you’ve selected. Enabling this option will allow you to review the tag first. The recommended option for the next two settings is Friends.

The last groups of settings we are going to cover is the Mobile section; click it on the left side of the Settings page.

Enter a mobile phone and verify it. This setting is important to protect your account from theft attempts. If your browser is not recognized, you will receive a confirmation code via text message to log in to your Facebook account.

We covered the Facebook security settings in some detail because of Facebook’s widespread usage, but keep in mind that social media sites exist to simplify sharing and making connections between people online. It is essential to use such services wisely and avoid releasing your personal information or work details online. Make sure to activate Two-Factor Authentication and have some sort of second authentication (e.g., your mobile phone and password) for maximum security. It is also advisable to keep your browser, antivirus, and anti-malware programs up-to-date. Do not use the same password twice on Facebook and remember to log out when you’re done.

Remember what we said in Chapter 1: anything that goes online will remain there, even after deleting it. Be cautious before posting anything online, especially your personal pictures and private data.

Internet Dangers for Kids

Here’s a list of possible Internet dangers for kids:

• Pornography: Viewing porn pictures and movies by kids may affect their look on life and will change their sexual attitudes and beliefs. This can have a huge negative impact on your child’s social life and health .

• Cyber-criminals/cyber-bullying: People may trick your children in giving sensitive information about their family to conduct different crimes later.

• Gaming: Many online games involve playing with other unknown people online. In addition, these games can include sexual content, violence, and crude language. You can see the same dangers in public chat rooms.

• Social media sites: Most kids have social media accounts (especially on Facebook), and posting personal pictures and revealing geolocation positions online can pose a great danger to kids and their entire family. Social media sites facilitate making friends online, but you cannot trust all people online in today’s digital age, and your kids may easily fall victim to cyber-criminals.

• Health effects: Using a computer for long hours will affect a kid’s health. The risk of eye strain, wrist strain, and other injuries increases when using computers for long hours. It is crucial to limit the amount of time your kids spend on computing devices.

• Internet addiction: This has become a modern heath problem. Spending long hours online will heavily affect your kid’s personal life (offline life).

This does not mean your child may encounter these threats when going online. However, knowing about the dangers can help you and your kids make smart decisions online.

Now, we’ll give some countermeasures to protect your kids online.

Teach Your Kid About Internet Dangers

It is important to have a discussion with your kids and teach them about Internet safety. Your kids certainly do not know what is waiting them when going online; it is your responsibility to educate them well on how to use the Internet following safety rules.

Here is a list of rules that your children should understand and agree to follow when using the Internet:

• They will not post personal information about their parents or any family members online without clear consent from their parent. This includes home address, parents’ work address and contact information, geolocation information, and anything else that is considered private.

• If they come across something inappropriate online, they should immediately inform their parents or guardian and close the page (e.g., seeing porn material).

• They should not make friends online or chat with strangers without their parental consent.

• They will not post pictures/videos about family to social media sites without parents’ consent.

• They will not respond to e-mails or chat messages that pop up from unknown people; they always must inform an adult to check such issues.

• They will not install games or freeware on their computing device.

• They should understand that anything that goes online will remain there, even after deleting it.

• They will not use the Internet extensively and must follow their parents’ advice on the amount of time they can spend online daily.

• They should not share their passwords with others, even their close friends, and must store these passwords in a location that their parents can access (e.g., a password manager).

Written rules and discussions are effective means to communicate with your kids; however, some technical measures will also help you enforce these rules.

Parental Control Software

Parental control software helps parents to monitor and track their children’s online activity. You should block dangerous sites and protect kids from online bullying or even the potential of an approach from a pedophile. There is software already available for this purpose; many of them are free and have excellent features. The following are the most popular ones.

Set Up a Family-Safe DNS

Another technical method to prevent viewing porn and malicious web sites is to use a safe DNS service. DNS works transparently in the background to convert human-readable web site names into computer-readable numerical IP addresses. By setting a safe DNS on your Windows PC, you can assure, to a large extent, that bad web sites will not open when your kids use the Internet.

There are many family-safe DNS providers; we will demonstrate how to use a popular free service called OpenDNS Family Shield, which comes preconfigured to block adult content without user intervention. Later we will show you how to use a simple program that can change between different safe DNS providers.

To configure your Windows to use OpenDNS Family Shield, follow these steps:

1. Go to Control Panel ➤ Network and Sharing Center and click “Change adapter settings” on the left side. Right-click the network connection you’re using and select Properties.

2. Highlight Internet Protocol Version 4 (TCP/IPv4) and click Properties.

3. Select “Use the following DNS server addresses” and type the OpenDNS addresses 208.67.222.222 and 208.67.220.220 in the “Preferred DNS server” and “Alternate DNS server” fields (see Figure 2-32).

   

   Figure 2-32. Using a custom DNS server for your current connection

4. Click OK, then Close, and then Close again. Finally, close the Network Connections window.

Note! Ensure that Your New DNS Configuration Settings take Effect Immediately

Open the command prompt as the administrator (right-click it and select Run as Administrator).

Run the following command at the command line and hit Enter (see Figure 2-33):

Figure 2-33. Flushing DNS on Windows to force new DNS settings to take effect immediately

ipconfig /flushdns

There are other family-safe DNS providers that offer similar services in blocking adult content and fraudulent web sites. Examples include Yandex.DNS ( https://dns.yandex.com ) and Norton ConnectSafe ( https://dns.norton.com ). Configuring Windows to use the DNS of these services is like what you already did previously. However, there is a tool that can simplify this process and change between different DNS services automatically.

DNS Angel (see Figure 2-34) is a portable freeware application for changing the DNS setting automatically in Windows. You can download it from www.sordum.org/8127/dns-angel-v1-4/ .

Figure 2-34. DNS Angel used to change between different DNS services automatically on Windows

Google Alerts

Google Alerts is a notification service offered by Google; it works by sending an e-mail to the user when it finds new results such as web pages, newspaper articles, blogs, or scientific research that matches the user’s entered search terms . You must be logged into your Google account to create a new alert.

You can set up a new alert at https://www.google.com/alerts . In the box at the top, enter a topic you want to follow. You can create as many alerts as you like and adjust the settings to be notified on a daily, weekly, or “as it happens” basis (see Figure 2-35).

Figure 2-35. Setting up Google Alerts to get notified when your search terms are mentioned online

The free people search engine at https://pipl.com is another web site to search about yourself and other people online. It allows you to search by name, address, or e-mail and has the most comprehensive database of people profiles online.

Auditing Facebook Profile

Many users have been using Facebook for a long time. Some people have thousands of likes and posts on their Timelines. Humans have a tendency to forget their previous online actions, though. For instance, any person who previously posted his or her political opinion or comment (aggressively) may find that it will be more suitable to hide previous online actions for many reasons. Performing a check on every post and action conducted on Facebook is a daunting task, especially if the user has been active on Facebook for a long time.

Stalkscan ( http://stalkscan.com/en/ ) is a free online service that allows anyone to look up any Facebook user’s public information. It is a great auditing tool for Facebook profiles and allows any person to see previously posted images, comments, events attended in the past in addition to future events planning to attend, places where they “checked in,” and everything they “like” online (posts, video, pictures, etc.).

This tool shows you just how easy it is to find any public information on Facebook, so be careful before posting anything publicly online.

Check Whether Someone Has Taken Your Personal Picture

Sometimes you may encounter a case where someone took your personal pictures (or your child’s pictures) from your Facebook profile and used them on a profile or blog without your consent or even used them for the wrong reasons. Reverse Image Search helps you to find any photo you have uploaded to the Internet along with a list of all other web sites where this photo appears.

TinEye ( https://www.tineye.com ) is a reverse search engine with more than 17.4 billion images indexed (at the time of writing). You can upload the image you want to search for online or simply enter its URL, and TinEye will find all the locations and web sites where this image is located.

Google has a similar service to search for images online. To use it, follow these steps:

1. Go to https://images.google.com .

2. In the search bar, click the camera icon (see Figure 2-36).

   

   Figure 2-36. Using a Google image search to find all instances of a selected picture online

3. You can either upload a picture from your computer or enter its URL to search for it.

4. Google will return every instance of that image it can find.

Another free service to conduct an image search is https://www.imageraider.com . This web site allows you to search popular search engines like Google, Bing, and Yandex to find all web sites using your photos.

A good practice when publishing personal photos online is to watermark them. This allows you to prove ownership of your photos. There are many tools and online services that offer watermarking for free. https://www.watermarquee.com offers free online watermarking, as does Picasa (retired but available) at http://filehippo.com/download_picasa .

Check Your Data Breach Status

Almost every week the press announces a data breach that hit a major web site. To tighten your security, it is essential to check whether your account was among the ones that got breached. Fortunately, there are many free services to check whether your account was compromised.

https://haveibeenpwned.com is a free resource for anyone to quickly assess whether they may have been put at risk because of an online account being compromised or “pwned” in a data breach. It is run by security researcher Troy Hunt, who tracks data breaches. To use this web site, enter the e-mail address or username in the search box to check whether you have an account that has been compromised in a data breach.

You can also sign up for alerts tied to your e-mail address so you can be notified as soon as another breach is detected by clicking “Notify me” at the top of the page.

https://breachalarm.com offers a similar service; it allows you to check anonymously if your password has been posted online and sign up for e-mail notifications about future password hacks that affect you.

It is highly advisable whenever you hear about a data breach in the press and you have accounts at a company that has been breached that you change your affected account’s password. Checking the previously mentioned sites to see whether your account was stolen is a good thing, but it is important to act promptly and change your affected account’s password. Remember, do not use the same password on two different accounts.

Delete All Your Online Profiles

If you decide to delete your online presence from the Internet and return to the “offline age,” there is a free service that can help you achieve this. Deseat.​me is a service that lets you see all the web sites you’re signed up for and asks if you’d like to delete them or unsubscribe . It asks for your e-mail address and password so it can scan for the sites you’re signed up to. The sign-in must done using a Google account (using Google’s OAuth protocol); this makes this service limited because it requires users to have a Google e-mail address that is used for all their online accounts. This will result in discarding online accounts where the user registered using a non-Google e-mail account like Microsoft or AOL account.

Another value-add security service that can help you to find all major web sites that you may have accounts at is http://backgroundchecks.org/justdeleteme/ . It is not like Deseat.​me in terms of searching for online accounts automatically. This service is a directory of direct links to delete your account from web services. It offers a direct link and some information on how to disable your account for each listed online service.

Remove the Offending Content

Sometimes your personal information is made available to the public without your consent, or it may happen that someone writes something inappropriate or false about you that may affect your reputation and you want to remove it. Removing the offending content or even personal data is not an easy task online. The nature of the Internet allows the information to be replicated quickly. (For example, posting a photo to your Facebook Timeline will make it appear on all your friends’ feeds, and if some of your friends share it using the public state, it can replicate and appears in the timeline of millions of people.)

Removing yourself completely from the Internet is extremely difficult, and no one can guarantee 100 percent successful removal. However, you can minimize your online footprint in many ways and remove offending content.

We already covered how to delete yourself from major social media sites, but remember, you may have been using some less famous sites in the past and forgotten about it. The same thing applies to shopping web sites (e.g., Amazon and eBay). Your information is still available and must be deleted to minimize your online footprint.

To delete old accounts, you need to handle each one separately. Each one should have an option in the settings area to cancel, remove, and deactivate your current account. If you have problems deleting it, you can search the Internet for information on how to remove it using how to remove my X account (replace the X with your account provider name). For example, use how to remove my Reddit account and Google will return detailed instructions accordingly.

If you cannot delete your account or the account providers don’t supply such an option, change your real information to something fake or random.

Data collection sites are another threat to your online privacy. These web sites gather your information from primary sources, such as public records from government entities, social media sites , Whois records of registered domain names, and any source that is publicly available. They sell this information to interested third parties and to advertisement companies. There are plenty of data collection web sites (Intelius, LexisNexis, PeopleFinders, Spoke, WhitePages, BeenVerified, DOBSearch, Pipl, Radaris, Mylife, Wink, LookUp, PeekYou, and Waatp, to name a few!), and removing yourself from them is a daunting task. This is why we always emphasize thinking twice before posting personal information about yourself online. For instance, we will give an example of how to remove yourself from one of these web sites. Unfortunately, not all data collection sites have similar removal procedures. You need to check each one’s privacy policy agreement to see how you can remove yourself from it.

To remove your record from the Intelius database, go to https://www.intelius.com/optout.php . Fill in the form and submit your details (you need to provide an acceptable ID to validate your ownership of the data you want to remove).

There are some companies that will offer to delete your personal information from the Internet for a price. We will not endorse anyone for this task; you can always search online about such companies and compare their features and prices.

If someone has written something bad or offensive about you and you want to remove it, you need to follow different procedures than what you have already learned about. For instance, if you encounter a blog post about you and it contains inaccurate information that may damage your personal or business reputation, you can ask the web site that publishes it to remove it. Here is a list of methods you can use to remove false, unlawful, and damaging information from the Internet:

• Most web sites that allow its users to post their opinions or to make online reviews about products and services have set guidelines (often called community and review guidelines) that must be followed by all users when posting content. If someone violates their policies, you can “flag” or “report” the content to the site moderator, who will act to see whether this content is violating the site’s terms of use. For example, Amazon allows its users to report abuse about any item review if you find it inappropriate (see Figure 2-37).

  

  Figure 2-37. Users can report abuse about any customer review posted on Amazon.com if inappropriate

• If you have images or other copyright content that has been copied and used elsewhere without your consent, you can ask the web sites that host this content to remove it. If they do not respond, you can file a complaint according to the Digital Millennium Copyright Act, which preserves your rights when it comes to content that belongs to you.

• You can make direct contact with the web site owner asking to remove the damaging content. Of course, you should have a legal reason for this. It is advisable to contact the people in charge, not the person who wrote the damaging post. You can find out who is responsible for a web site by going to its About Us and Contact Us page. If you do not find the proper contact you are searching for, you can send your e-mail to the site webmaster (check to get the webmaster contact information at www.whois.com/whois/ ).

Note! Who is Hosting this?

If you can’t contact the person responsible for the web site that published the damaging content about you, you can try to contact the web site hosting service that hosts the site. Their contact information can be obtained by going to www.whoishostingthis.com/ and entering the URL of the web site. The hosting provider name will appear along with the URL (see Figure 2-38). Try to contact them directly because the hosting providers are more efficient in removing illegal content from their networks than web site owners.

Figure 2-38. Using whoishostingthis​.​com to find the name of the hosting provider of a specific web site

• If the content contains your sensitive information , you have the right to get it removed. Google allows users to remove their personal content from its search results. To see the Google removal policy, check this page: https://support.google.com/websearch/answer/2744324 . To remove information from Google, go to https://support.google.com/legal/troubleshooter/1114905 . You can check what Google accepts you to remove (see Figure 2-39). To remove nude pictures of yourself from Google search results, visit https://support.google.com/websearch/troubleshooter/3111061#ts=2889054%2C2889099%2C2889064%2C3143868%2C6256340%2C6256363 .

  

  Figure 2-39. Information that can be removed by Google

• If you have personal old information published online and you successfully manage to remove it but it still appears in Google search results (because Google cached it), you can ask Google to remove this old content by filling out the form at https://www.google.com/webmasters/tools/removals?pli=1 .

• The final method to lower the impact of offending content about you is to push such content from Google’s first-page results. You can achieve this by posting content online and optimizing it with proper search engine optimization techniques to make it appear in the first Google result page.

Disposing of Old Computers

There is a large amount of computer equipment that is simply thrown away because people don’t have the time to get it ready to donate or the equipment is no longer desirable to any consumers. You should make sure that your computing device’s hard disk is wiped securely and does not contain any sensitive data that can be recovered later using forensic analysis techniques.

Most ordinary computer users do not know that deleting files from a hard disk, emptying the Recycle Bin, and even formatting the hard disk drive will not erase the data completely. There are many recovery tools that can be employed to recover this data. For instance, use these tips before selling or throwing away your old computing device:

• Ensure you destroy data stored on a disk completely using specialized software (also known as disk wiping). Data on the disk includes your main visible data and remnants of data left after deleting old files. Both should be cleaned completely.

• For Windows machines, you can turn on BitLocker encryption of all disk partitions, set a complex password, and then format the disk. This will make recovering data near impossible. We will show you how to use encryption techniques in Chapter 5.

• Use physical destruction techniques to destroy the hard disk drive/solid-state drive when you want to achieve the maximum security possible.

The security risks of recovering sensitive data from disk drives are applicable to more than just computers because there is a lot of IT office equipment that stores and processes data; recovering such data can impose great security risk on companies if it falls into the wrong hands. An example is an office copier or multifunction printer; whenever documents are copied or sent to the printer, they are backed up to a hard drive inside the copier. This isn’t a problem, but if the printer suffers from a technical problem and needs to be sent for maintenance (or simply resold or sent for parts) and if the data stored (or remnants of it) in the printer’s hard drive is not erased securely, this will effectively expose your sensitive documents that were previously printed to danger.

Mobile phones also store a considerable amount of sensitive information about their users. When getting rid of your old device, it’s important to take steps to help ensure that no sensitive data is left for recovery.

All smartphones have a setting that allows you to return the device to its factory reset. This will wipe all data stored on your device. To know how to do this for your device, search for the topic on the device manufacturer’s web site or consult the device manual.

The second thing you need to erase in your smartphone is the SD card; you can remove the SD card from the phone, attach it to your computer, and erase it securely using one of the tools already mentioned to erase data on a computer’s hard drive.