Cyber Security

Presentation Transcript


1. The i-SAFE mission is to educate and empower youth to safely take control of their Internet experiences. As part of that mission, I am here today to increase awareness and knowledge of Internet safety. As our children's primary teachers, it is our responsibility to know how to recognize and avoid dangerous, destructive, inappropriate, or unlawful online behavior. Armed with this knowledge, not only can we teach our children about Internet safety, but we can also show them how to respond and be safe. Partnering with other parents, your child's school, and your community ensures that Internet safety reaches into more homes. That is what the i-Parent Campaign is all about.

2. In addition to exposing students to inappropriate material, the Internet can expose them to fraud, harassment, and hardware infection. Whether a student is the victim or the perpetrator, each of these cyber security issues can have serious consequences.

3. In this area, we discuss spam, identity theft, malicious code, and steganography, creating a baseline of knowledge for teaching the Cyber Security lesson. The lesson focuses on the following general student learning objectives:
• Develop vocabulary associated with e-mail and e-mail protocol.
• Identify and understand the critical attributes of malicious code and prevent computer infection.
• Understand the consequences of malicious online behavior.
We will also review homeland security issues to prepare instructors interested in teaching the supplemental lesson. The Homeland Security lesson addresses the potential for danger stemming from a cyber attack, as well as how to be a proactive cyber citizen in protecting the national infrastructure.

4. As previously discussed, students who open or respond to spam are often exposed to sexually explicit or otherwise inappropriate graphic images or messages. Spam causes additional harm by clogging the Internet and e-mail systems, spreading viruses, and serving as a means for fraud. Unsolicited bulk messages now account for roughly 83% of all e-mail traffic.22 Howard Carmack of Buffalo, New York, was sentenced in June 2004 to seven years in prison for sending out 850 million junk e-mails through accounts he opened with stolen identities. He was convicted of forgery, identity theft, and falsifying business records. Carmack ran 343 illegal e-mail accounts under false names, using them to send unsolicited e-mail ads for things like get-rich-quick schemes and sexual enhancers.23 Worldwide, more than 13 billion spam e-mails are sent daily. It is estimated that in the United States alone, spam costs more than $10 billion annually in anti-spam equipment, software, manpower, and lost productivity.24 In addition to e-mail, spammers also use instant messaging; this is commonly referred to as "spim". Yahoo reported that over 11 million spim messages were sent out in 2003 (which equates to 2% of all IMs sent worldwide).2

5. In December 2003, President Bush signed the first legislation designed to protect consumers against unwanted spam e-mails. The Can-Spam Act does not ban spam outright but requires that spammers follow certain guidelines, including honoring unsubscribe requests and clearly indicating in the subject line that the message is an advertisement or is pornographic in nature. It also required the Federal Trade Commission (FTC) to establish a do-not-spam list, similar to its do-not-call list. Those transmitting spam can be sentenced to up to five years in prison.26 On June 14, 2004, the Wall Street Journal summarized a 60-page FTC report indicating that a "do-not-e-mail" registry simply wasn't feasible and could actually encourage more spam. Congress had asked the FTC, as part of the Can-Spam Act, to determine whether such a registry would work. The FTC's three-month study revealed current technology's inability to track the specific identity of spammers. E-mail technology doesn't "stamp" a sender's address on an e-mail, making it difficult to trace the origin. Without that "authentication" ability, spammers might actually use the registry to verify e-mail addresses and send more! It would take years to develop the no-spam registry, and we are "spammed if we do, and spammed if we don't." As of June 2004, not one illegal spammer had been charged under the Can-Spam Act, despite the fact that half of all staffers in the FTC's marketing-practices division were investigating spam. The FBI is currently targeting 50 of the 100 worst spammers in the USA for prosecution.27 Due to the ineffectiveness of the Can-Spam Act, many states, beginning with Maryland and Florida, are enacting their own anti-spam legislation with stiff penalties. Virginia's prosecution of a brother-and-sister team in November 2004 resulted in the nation's first-ever felony spam convictions. Under Virginia's new anti-spam law, which took effect last year, the two were convicted of falsifying transmission or routing information and sending an excessive volume of e-mails (10,000 per 24 hours).28

6. But there are things we can do to reduce the amount of spam received:
• Choose a non-obvious e-mail address; for example, john@yahoo.com will receive more spam than kpzxry54@yahoo.com.
• Limit where you enter your e-mail address.
• Use spam-blocking software.
• Do not open spam. Spam often incorporates an automatic response to the sender, notifying them that your e-mail address is valid because the message has been opened. (Ensure your e-mail program does not automatically open your e-mail in a "Preview Pane" or through another feature.)
• Do not respond to spam. Again, you would be confirming a valid e-mail address.
• Report spam to your ISP.
• The most effective action? Contact the spammer's ISP. Many ISPs have Terms of Service or Acceptable Use Policies that forbid spamming. If you advise the ISP that the policy was violated, the account will be canceled. The difficulty is locating the spammer's ISP, since the header of the e-mail is almost always forged. Your ability to access e-mail headers depends on your system.
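The slide says the hard part of reporting spam is that the header is almost always forged. The one part of a header a spammer cannot rewrite is the Received lines added by the mail servers after the message left their hands, and those are read from the bottom up. The following Python example is added here for practitioners; it is not part of the i-SAFE presentation. The message, host names and IP addresses are constructed samples, and the set of "trusted" servers is an assumption you would replace with your own provider's mail hosts.

```python
import re
from email import message_from_string

# Constructed sample message (not a real e-mail). Each relaying server
# prepends its own Received line, so the bottom Received line is the oldest.
SAMPLE_RAW = """Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTP id 12345
\tfor <me@example.org>; Tue, 15 Jun 2004 10:00:02 -0400
Received: from bulkhost.example.com (unknown [198.51.100.77])
\tby mx.example.net with SMTP id 67890;
\tTue, 15 Jun 2004 10:00:01 -0400
From: "Friendly Bank" <alerts@bank.example>
To: me@example.org
Subject: Get rich quick!!!

Click here.
"""

# "from <claimed name> (<what the receiving server observed>) by <receiver>"
HOP_RE = re.compile(
    r"from\s+(?P<claimed>\S+)(?:\s+\((?P<seen>[^)]*)\))?\s+by\s+(?P<by>\S+)"
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw):
    """Return the Received hops oldest-first, one dict per hop.

    'claimed_from' is what the sending side announced (freely forgeable);
    'observed' and 'ip' are what the receiving server actually saw.
    """
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):  # bottom line first
        flat = re.sub(r"\s+", " ", value).strip()         # unfold the header
        m = HOP_RE.search(flat)
        ip = IP_RE.search(flat)
        hops.append({
            "claimed_from": m.group("claimed") if m else None,
            "observed": (m.group("seen") or "") if m else "",
            "ip": ip.group(1) if ip else None,
            "by": m.group("by") if m else None,
        })
    return hops


def first_untrusted_ip(hops, trusted_hosts):
    """Walk from the newest hop backwards while the recording server is one
    we trust. The last such hop is the earliest reliable observation; its IP
    is the best evidence of where the message really entered our mail path.
    Anything below it in the header may have been written by the sender."""
    best = None
    for hop in reversed(hops):  # newest first
        if hop["by"] not in trusted_hosts:
            break
        best = hop["ip"]
    return best


if __name__ == "__main__":
    chain = received_chain(SAMPLE_RAW)
    for hop in chain:
        print(hop)
    # Assumed: both relays in the sample belong to our own provider.
    print("report this IP to its ISP:",
          first_untrusted_ip(chain, {"mail.example.org", "mx.example.net"}))
```

The point for the reporting step on the slide: look up the owner of the IP returned by `first_untrusted_ip`, not the address in the From line or the name after `from`, since those are the parts the sender controls.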

7. Unsolicited e-mail can be sent for a variety of reasons, including identity theft. Identity theft is the fastest-growing crime in the United States, with close to 10 million people victimized each year.29 Within those 10 million, an increasing number are being victimized through online means. The Federal Trade Commission defines identity theft as the theft of personal identifying information (name, address, credit card or social security number) and the use of that data to open new charge accounts, order merchandise, or borrow money.30 To help combat identity theft, President Bush signed the Identity Theft Penalty Enhancement Act on July 15, 2004, which established the federal offense of aggravated identity theft.31 To minimize their risk of identity theft, students need to examine the company's privacy policy when shopping online. They should only use secure sites, looking for the padlock in the lower right-hand corner of the screen, or "https" in the URL; the "s" indicates that the site is secure. Keep in mind that this is not a catch-all, but a starting point for students to evaluate the security of a site. While the FTC has defined identity theft with regard to bank accounts and purchases made in another person's name, it can actually encompass additional circumstances. For example, a 15-year-old boy in Los Angeles, California assumed the identity of a girl he had gone to school with, using her name and personal information to participate in acts of cyber-sex. The boy created a profile in her name, which included a description of the sex acts she was willing to perform and her actual home phone number in an easily deciphered code. He used the same account to send and receive pornography. After engaging in sexually explicit online conversations with strangers, he encouraged them to phone the girl for sexual favors. Several men called the girl, each beginning the conversation with a code phrase indicating she wanted to be raped. Through caller ID, police tracked down the men, and the boy subsequently pleaded guilty to identity theft.3

8. Online identity theft can happen through responding to scams such as "phishing" and by accidentally downloading spyware and adware programs. Phishing is the term coined for hackers who imitate legitimate companies in e-mails or pop-ups written to entice people into sharing passwords or credit-card numbers. There are increasing instances of e-mail appearing to come from one's bank, credit-card company, or other business seeking personal information. Many tech-savvy criminals send out millions of very sophisticated forged e-mails asking recipients to update their account information or verify passwords through provided links. The cyber criminals use the data to withdraw funds from the victim's accounts or apply for credit cards in their name.33

9. At first glance, the e-mail may appear to be a legitimate Citibank official notice. However, students should be aware of some of the warning signs indicating that it is a phishing e-mail.
• The e-mail prompts an update of data. Most financial institutions take security seriously; they already have this information and have no need to seek it via e-mail. Most companies say so in the security or privacy sections of their website.34
• The e-mail provides a link. Close the e-mail, launch your browser, and go to the company or bank's website yourself. If they need information from you, they will indicate that when you log into your account.
• When in doubt, call the company or bank to verify the request.
• The e-mail contains grammatical errors. Grammar and spelling mistakes are definite red flags and characteristic of forged e-mails.

10. Discussion: What steps can be taken for protection from phishing? Students should know to:
• Be wary of any e-mail asking for personal information.
• Avoid hyperlinks to a fraudulent site.
• Report phishing to local criminal authorities or financial institutions.
• Save all correspondence that may serve as evidence.
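The warning signs from slide 9 (a request to update data, a link to follow, a sender that does not match the link) can be checked mechanically, which is how mail filters and security teams triage reports like the ones slide 10 asks students to make. The Python example below is added for that purpose and is not part of the i-SAFE material; the two messages, the sender addresses and every host name in them are constructed samples, and the phrase list is an assumption, not a standard. It deliberately does not try to score grammar, which the slides leave to the reader.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed phrase list; a real filter would use a much larger, tuned set.
UPDATE_PHRASES = (
    "update your account", "verify your password",
    "confirm your details", "verify your account",
)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Host name of a URL or of bare text such as www.bank.example/hours."""
    p = urlparse(value if "://" in value else "http://" + value)
    return (p.hostname or "").lower()


def _same_org(host, domain):
    return host == domain or host.endswith("." + domain)


def phishing_indicators(sender, subject, html_body):
    """Return the names of the slide-9 warning signs present in a message."""
    found = []
    text = re.sub(r"<[^>]+>", " ", subject + " " + html_body).lower()
    if any(p in text for p in UPDATE_PHRASES):
        found.append("asks_to_update_data")
    parser = _LinkCollector()
    parser.feed(html_body)
    if parser.links:
        found.append("contains_link")
    sender_domain = sender.split("@")[-1].strip("> ").lower()
    if any(_host(h) and not _same_org(_host(h), sender_domain)
           for h, _ in parser.links):
        found.append("link_domain_differs_from_sender")
    # Visible text that looks like a URL but points somewhere else.
    for href, visible in parser.links:
        if re.match(r"(https?://|www\.)", visible) and _host(visible) != _host(href):
            found.append("visible_url_differs_from_target")
            break
    return found


# Constructed samples: one forged notice, one ordinary newsletter.
PHISH = (
    '"Friendly Bank" <alerts@bank.example>',
    "Action required",
    '<p>Dear customer, please <a href="http://198.51.100.23/login">update your '
    'account</a> or visit <a href="http://login.bank.example.attacker.test/">'
    'www.bank.example</a>.</p>',
)
LEGIT = (
    "newsletter@bank.example",
    "New branch hours",
    '<p>See our new hours at <a href="https://www.bank.example/hours">'
    'www.bank.example/hours</a>.</p>',
)

if __name__ == "__main__":
    print("phish:", phishing_indicators(*PHISH))
    print("legit:", phishing_indicators(*LEGIT))
```

Note that the legitimate newsletter still trips `contains_link`; on its own a link is weak evidence, which is why the slide's advice is to type the bank's address yourself rather than to treat every link as fraud.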

11. While phishing and spam typically require that the user actively provide information or participate in some way, there are other ways users can be victimized online without their knowledge. "Spyware" is a general term for programs hiding on the computer to steal information such as credit card numbers, e-mail addresses, home addresses, surfing habits (e.g. sites visited, time online, etc.), and more.35 Most spyware programs are adware programs. Adware is a marketing tool companies use to track frequented sites. The user receives pop-up advertisements directing them to particular sites based on their surfing habits, finds new icons on their desktop or taskbar, and receives search results skewed with advertisements. Spyware and adware are often bundled with free programs that you download, such as peer-to-peer programs. They can also be installed through a "drive-by download", i.e., simply by clicking on a webpage. An April 2004 study of 1 million Internet-connected computers found an average of 28 spyware programs on each computer.36 Legislation has been proposed to ban spyware, though Utah is the only state to have banned it as of June 2004. Careful examination of the free download's policy reveals an agreement to allow some tracking programs. Companies employing spyware argue that users are informed they are downloading the programs, and therefore it is a legal practice.

12. Students should be aware if:
• There are more pop-ups than usual, some even appearing while the computer is idle.
• The computer runs slowly.
• Icons appear on the desktop or taskbar.
• The default browser is changed.
• Programs can be heard running even when the computer is not in use.
The best precautions are to:
• Install anti-spyware software.
• Read companies' policies carefully before downloading.

13. Not all spyware is even arguably legal. In fact, some spyware programs are associated with malicious code, so that the perpetrator can infect your computer, access documents, and record keystrokes. Malicious code is any software created to cause damage, steal information, or use up resources on a computer or network. Within the category of malicious code, there are three key terms: viruses, worms, and Trojan horses. Discussion: What is the difference between viruses, worms, and Trojan horses?

14. According to Symantec:37
• A computer virus is a small program written to alter the way a computer operates, without the permission or knowledge of the user. A virus must meet two criteria:
  • It must execute itself. It will often place its own code in the path of execution of another program.
  • It must replicate itself. For example, it may replace other executable files with a copy of the virus-infected file. Viruses can infect desktop computers and network servers alike.
• Worms are programs that replicate themselves from system to system without the use of a host file.
  • This is in contrast to viruses, which require the spreading of an infected host file. Although worms generally exist inside other files, often Word or Excel documents, there is a difference in how worms and viruses use the host file. Usually the worm releases a document that already has the "worm" macro inside it. The entire document travels from computer to computer, so the entire document should be considered the worm.
• Trojan horses are impostors: files that claim to be something desirable but are in fact malicious.
  • A very important distinction between Trojan horse programs and true viruses is that Trojans do not replicate themselves.
  • Trojans contain malicious code that, when triggered, causes loss, or even theft, of data.
  • For a Trojan horse to spread, you must invite the program onto your computer, for example by opening an e-mail attachment or downloading and running a file from the Internet.

15. Show attendees a portion of the high school webcast, Security: Malicious Code. This lesson incorporates:
• A webcast delivered via streaming video at www.isafe.org.
• Three directed student discussion breaks during the webcast, facilitated by the classroom instructor, regarding Internet security issues inherent to Internet usage, such as viruses, worms, Trojan horses, and identity theft.
• Cooperative group exercises at the conclusion of the webcast, which include implementation of a Youth Empowerment activity.
(For details, please refer participants to the Curriculum Sample Section of the CD and/or the handout copies you made.)

17. Sometimes forwarding e-mail can also unintentionally aid a criminal act if the e-mail contains steganography. "Stego" is Greek for "covered writing." Digital steganography replaces bits of unused space in an image, video, or audio file with text or pictures. This allows people to embed messages in any digitized media. Steganography is used as an alternative to encryption because it is undetectable. It must be encoded with software that is legal and can be downloaded from many software websites. Without the software to reveal the message on the receiver's end, it is undetectable to the naked eye. Modern steganography dates back to the microdot of WWII. The microdot was a photograph reduced to the size of a period and used at the end of a sentence. The person receiving the message enlarged the dot to reveal the secret information.
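To make "replaces bits of unused space in an image" concrete, the Python example below hides a short message in the least significant bit of each sample of a cover, recovers it, and then applies a simple statistic to show why "undetectable to the naked eye" is not the same as undetectable to a program. It is added here for practitioners and is not part of the i-SAFE presentation or any steganography tool; the cover is a constructed grayscale-style gradient rather than a real image file, the length-prefix layout is this example's own choice, and the neighbour-agreement statistic is a deliberately simple illustration of the kind of check steganalysis tools perform, not a production detector.

```python
# Constructed cover: a smooth 8-bit gradient standing in for image pixels.
# Its least significant bits alternate 0,1,0,1,... with perfect regularity.
COVER = bytes(i % 256 for i in range(4096))
PAYLOAD = b"meet at the usual place"   # constructed sample message


def embed_lsb(cover, payload):
    """Write a 4-byte length prefix plus payload into the LSB of each sample.

    Each cover byte changes by at most 1, which is the 'unused space' the
    slide refers to: invisible to the eye, but still a change in the data.
    """
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for payload")
    stego = bytearray(cover)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit   # clear LSB, then set it
    return bytes(stego)


def extract_lsb(stego):
    """Read the length prefix, then that many bytes, from the LSB plane."""
    bits = [sample & 1 for sample in stego]

    def take(n_bytes, offset):
        out = bytearray()
        for k in range(n_bytes):
            value = 0
            for i in range(8):
                value = (value << 1) | bits[offset + k * 8 + i]
            out.append(value)
        return bytes(out)

    length = int.from_bytes(take(4, 0), "big")
    return take(length, 32)


def lsb_neighbour_agreement(samples):
    """Fraction of adjacent samples whose LSBs agree.

    Smooth cover data has a highly structured LSB plane (here every pair
    disagrees, so the value is 0.0). Embedded text looks random in that
    plane and pushes the statistic toward 0.5 over the region it occupies.
    """
    lsb = [s & 1 for s in samples]
    agree = sum(1 for a, b in zip(lsb, lsb[1:]) if a == b)
    return agree / (len(lsb) - 1)


def payload_region_agreement(stego, payload_len):
    """Same statistic restricted to the samples that carry the payload."""
    return lsb_neighbour_agreement(stego[: (4 + payload_len) * 8])


if __name__ == "__main__":
    stego = embed_lsb(COVER, PAYLOAD)
    print("recovered:", extract_lsb(stego))
    print("cover agreement:", lsb_neighbour_agreement(COVER))
    print("stego agreement (payload region):",
          payload_region_agreement(stego, len(PAYLOAD)))
```

The recovered message shows how little the carrier needs to change; the two agreement figures show why a forwarded file can still be examined. On real images the cover statistic is not a clean 0.0, and practical steganalysis uses stronger tests, but the principle is the same: hidden data disturbs the statistics of the bits it overwrites.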

21. Review: What are the most important cyber security tips discussed?
• Don't open or respond to e-mail from people you do not know.
• Don't forward e-mail to people you do not know.
• Install a firewall, spyware protection, and virus protection software, and keep them updated.
• Read all disclaimers before downloading from a site or before making an online purchase.
• Only make online purchases from secure sites that you trust.