Sunday, April 21, 2013

Week 8 Security Issues

This lesson should be the first lesson for this Educational Technology course.  If students and staff are not operating in a safe virtual environment, then not much else is going to matter.  

We have looked at several web tools that allow for users to edit someone's work, enable chat room applications, have whiteboard applications, offer free email, and permit uploading and downloading without bias.  All of these tools allow users to interact with each other either in a synchronous or asynchronous manner.  These interactions make us vulnerable.  We need to keep our home computers safe, personal mobile devices safe, school networks safe, and students safe.  This begs the question: how do we keep ourselves safe in the rapidly evolving tech world?  Let's try to answer that question.  Once we have answered this question, I want you to reflect on your own life.  Are you modeling safe internet conduct?  We have to practice these guidelines ourselves before we can prove their effectiveness to our kids, students, and administrators.

First, let's look at the threats we face.

MALICIOUS SOFTWARE
This article explains malicious software in easy-to-understand terms.  How Stuff Works- Viruses, Worms, Trojans.
Basically, malicious software damages your files and programs.  Depending on how the malware is written, it can send itself to your contacts in your email address book.  It has the potential to infect the masses in mere minutes.  The malware damage results in loss of functionality and may completely shut down your computer.

HACKERS
Hackers are people that deliberately breach security barriers and leak sensitive information contained therein.  They usually aren't interested in deleting or modifying files as much as making them public.

PHISHING
This attack comes in two forms.  The first form is the phishing website and/or ad banner (a.k.a. pop-up.)  This website is actually a portal to a criminal's database.  The criminal waits for you to enter your personal information and send it to them via typing in the fields provided and clicking "submit."  The second form is a phishing email.  This email seems like it is from a real person or company.  The email asks for you to send some kind of sensitive information in a reply. Either way, scam artists want your personal information and will stop at nothing trying to get it.  Some want a thrill; some want bragging rights.  Others are simply in it for the money.  Why buy a gun and forcibly rob you when they can create a simple website and you hand them your bank account information willingly (albeit unknowingly)?  The why is irrelevant though.  These guys are sneaky and growing in number.

CYBERBULLYING
This PBS link is actually a documentary that examines how people are constantly wired up, tuned in, and powered on.  Cyberbullying is not specifically mentioned but other equally disturbing issues are.

PBS Reports on Our Digital Nation and the Detriment of Being Connected 24/7
The days of "leaving work at work" are gone.  Bullying used to be an evil person in your face when you walked into the school building or got on the bus.  Those jerks would have to use their own time and effort to physically seek you out.  Now, students can slip in the side entrance, have their parents drive them everywhere, and change their schedules but bullies still find them.  While students and parents may be putting physical effort into protecting students, bullies have changed the location of the battlefield.  Brandishing their cowardice like a war medal, they hide in the shadows of the intangible, virtual world of social networking, phone messaging, and victim gullibility.  With mobile devices increasing their presence in schools, it's easy to snap a picture of the "fat girl" changing in the locker room and post it on Facebook/Twitter for all the high school population to see.  Facebook also allows people to privately message each other without permission from the recipient.  What kids were saying in gym class is then PM'd to the "fat girl's" Facebook account.  She makes the connection between the muffled laughter and her classmates' stares.

As I write this, I cannot stop thinking about one of the most grotesque exercises of cyberbullying- The Rape of 15 Year Old Steubenville, Ohio Jane Doe in August 2012.  She didn't die but her captors thought she had. . .


Jane started that evening at a school volleyball pizza party at 7 p.m.  The high school volleyball team was celebrating in the gym.  Jane got text messages from a girl she knew and trusted while attending the party.  The texting girl was dating a football player.  The football player was friends with Jane's ex-boyfriend, another football player.  The ex-boyfriend wanted revenge on Jane for dumping him.  He convinced his friend's girlfriend to text Jane and invite her to a "party with all the cool kids."  The girl promised to pick Jane up from school and no one would know.  Jane's girlfriend (and a posse) picked Jane up from school and gave Jane a drugged glass of champagne.  After the ruffies set in, the male passengers in the SUV starting raping her... and snapping pictures of her bent over the seat, unconscious, half-naked. She was heavily drugged and raped multiple times by multiple boys in multiple ways at multiple locations that night.  Rape is the ultimate form of bullying- someone overpowering someone else just because he (or she) can.  The rapists then posted pictures of Jane and themselves online via Twitter and Facebook.  Jane is unconscious in all of them.  Several followers of the graphic posts left nasty comments like "I have no respect for whores."  Cyberbullying at its best...

The girl was unceremoniously dropped onto her own front lawn at approximately 3 a.m.  The story continues though.  When her parents found her, they immediately took her to the hospital as she was unresponsive, bloody, and barely clothed.  Her ex-boyfriend and his football friends started texting her, threatening her!  More bullying from the shadows!!  They realized that between social media snippets, the rape kit from the hospital, and Jane's text message logs that she was piecing together what happened.  They didn't want her to go forward.  Needless to say, all the records that I just mentioned were examined as damning evidence in the convictions of only two of the rapists.

I said all that to say this- we are fighting an unknown enemy in foreign territory.  We must learn about our enemy and arm ourselves.

WEAPONS AT OUR DISPOSAL


CONTACT A CREDIT BUREAU FOR A FREE 90 DAY IDENTITY WATCH
You can contact any of the three credit bureaus and put a free 90 day alert on your credit report.  If any new accounts or strange activity are detected within those 90 days, one of the bureaus will contact you to authenticate it.  I have had to do this.  After my last divorce, my crazy ex-husband and his even crazier girlfriend had all my personal information.  Here is a link for more information
Equifax 90 Credit Fraud Alert 
Having said that, you should read over your credit report at least once a year to check for accuracy.  I have personally had to dispute items that were wrong- credit card lines I had open but was told I was initially declined for, addresses I haven't lived at, and strange inquiries from third party companies.
ONLY free annual credit report site

OPERATING SYSTEMS
The operating system you choose for your PC and mobile device can lower your chances of picking up malware.  As Marshall Brain and Wesley Fenlon explain in "How Stuff Works- Viruses, Trojans, and Worms", if you're truly worried about traditional (as opposed to e-mail) viruses, you should be running a more secure operating system like Linux and, to a lesser extent, Apple's Mac OS X. You never hear about viruses on these operating systems because they represent such a small part of the market they're targeted by far fewer viruses than the Windows operating system. Apple's OS X has seen its share, but viruses are still predominately a Windows problem.

Cell Phone Viruses 
Julie Layton recommends these ways to protect your cell phone in her article "How Stuff Works- How Cell-phone Viruses Work":
  • Turn off Bluetooth discoverable mode. Set your phone to "hidden" so other phones can't detect it and send it the virus. You can do this on the Bluetooth options screen.
  • Check security updates to learn about filenames you should keep an eye out for. It's not fool-proof -- the Commwarrior program generates random names for the infected files it sends out, so users can't be warned not to open specific filenames -- but many viruses can be easily identified by the filenames they carry. Security sites with detailed virus information include: F-Secure, McAfee and  Symantec.
  • Some of these sites will send you e-mail updates with new virus information as it gets posted.
  • Install some type of security software on your phone. Numerous companies are developing security software for cell phones, some for free download, some for user purchase and some intended for cell-phone service providers. The software may simply detect and then remove the virus once it's received and installed, or it may protect your phone from getting certain viruses in the first place. Symbian has developed an anti-virus version of its operating system that only allows the phone's Bluetooth connection to accept secure files.


ANTI-VIRUS SOFTWARE
Options: Free or Commercial
Whether it's your home computer or a school network, everyone needs anti-virus software.  There are anti-virus programs for free and for a fee.  PC Magazine voted Bitdefender AV as the best commercial anti-virus program.  They also voted AVG Free Anti-virus program the best free AV program.
PC Magazine Reviews Best AV programs 
Scan everything!  You should be running anti-virus scans on your computer at regular intervals (at least once a week) to detect and address problems as soon as they arise.
Updates! Enable automatic updating and actually download the updates.

REMOTE ACCESS 
LogMeIn.com  
Most schools have remote access programs in place.  Parents can also do this for their children's computers.  LogMeIn is an application designed for business people who work out of multiple locations.  This program allows you to remotely log into a specific computer and access its files.  If you are trying to be covert, be advised.  When the overseer moves the mouse, the mouse moves on the remote computer screen as well.  Follow this hypothetical example.  I am on PC#1 and remotely logged into my son's PC #2.  If he is playing a game and I move his mouse to the exit button, he will see the mouse on his screen move to the exit button.  If I click exit, he will see the mouse click and the window closing.

AD/POP-UP BLOCKERS, INTERNET CONTROLS
Internet settings can also be used to aid in security.  You can block cookies or allow cookies from certain sites.  You can also make cookies downloadable with your permission only.  This last setting is taxing time-wise but can be worth it.  Along with cookies, block pop-up windows.  Often, they are ads.  Sometimes applications that launch in a separate window are filtered and blocked as a pop-up.  Be sure to allow yourself the permission to see both instances.  Of course parents can use safe search and password controls as well.  Schools generally have website genre restrictions in place.  Most of these options are located in the "Tool" tab in the Menu bar of your browser.

ACCEPTABLE USE POLICIES
Most schools and businesses have an acceptable use policy in place.  Examples of such policies would be no email unless it's school server email and you can't open attachments.  In the Army, we had to take classes on information awareness.  We had to be aware of the risks of everyday computer use while on a government network.  The Army didn't allow external storage devices to be used on government computers.  We had plastic ID cards with magnetic strips.  The strips carried our credentials.  Without an ID card, you couldn't log in.  Without the right credentials, you couldn't go onto certain sites.  Sensitive information had to be labeled, sent on a secured network, and opened by someone with an appropriate security clearance.

HACKERS AS EMPLOYEES
Have you ever seen the Discovery Channel series "It Takes a Thief"?  The show has two former felons as the hosts.  They used to be professional robbers.  Now, they use their expertise to educate homeowners about faulty home security.  Discovery would put surveillance cameras in a home one of the hosts had decided to rob.  Said host would conduct a robbery.  The second host would watch the live action camera footage with the homeowners. After the robbery, the hosts would score the homeowners based on the following criteria: did anyone in the neighborhood react to the robbery, did the police respond, how long did it take for the police to arrive, the total value of the merchandise stolen, and damage to the property.  The second host would then give suggestions on how to fix the home's security issues.

This link has an interview with the anonymous hacking group SpexSec.  SpexSec hacked the Clarksville Montgomery County School System and leaked 14,500 names, SSNs, and email passwords to the internet.  The group pointed to CMCSS complacency as the main reason for the hacking.
SpexSec says why they hacked CMCSS 
If people want to make a living doing this type of work, organizations need to hire the hackers.  Businesses shouldn't be investing in security measures with the promise that they will work.  These security measures should be tested regularly.  Last year's efforts won't stop this year's hackers.  We need to pay these guys to do their jobs and see how we fare.
