Don't Lose Yourself on the Internet

Authors:
  • Eric Goldman

27 Apr 2009   ::   Security   ::   #security awareness #Internet safety #phishing #identity theft

 

Security Awareness is really important to me. I believe that creative and long lasting reminders, slogans, and images can really do a lot to help reduce IT security threats. The goal is to keep these ideas and concepts fresh in people’s minds. They may not really understand what the slogan means, but they will be more conscious of what they are doing.

I created this poster for a Security Awareness Competition sponsored by Educase (contest info and past winners). The target placement was for university computer labs, in order to remind users to stay safe on the Internet. One of the big issues in user-space security right now is Phishing and Identity Theft. I decided to tackle this topic in a simple to digest format.

Here is a scaled-down for the Internet version of my poster:

Poster - Don't lose yourself on the Internet

Creative Common License Icon Don’t Lose Yourself on the Internet by Eric Goldman is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.

The title and main slogan for the poster is “Don’t lose yourself on the Internet”. It is very easy to quickly run through account setup on most websites. It is also a fairly understandable and mundane activity for most users. However, you really need to take the time and consider what information you are giving to whom. In general, you want to give the LEAST amount of information possible. Does a video game forum really need to know my home address and phone number? You should always take the time to check out any website before you give them any information. Some of the most important things to look out for are there privacy policy and any obvious signs they will not protect your data.

First, take the time to read the small print. What will they use your information for, and how will they protect it? In the EU, omnibus privacy laws provide a lot of protection and if they collect your information, they must provide a lot of detail on how it will be used, who will see it, and when it will be removed. That is great for if you are dealing with legitimate companies in the EU, and to some extent most US and International companies that do business in the EU and countries with similar laws; however, in reality this is hard to enforce on the Internet, with people just starting websites and business, scammers, and people who are simply ignorant of such laws or even good technical security practices. Don.t just sign up, unless you really trust the company or website. Better to miss out than to lose out later in respect to your identity and other personal information.

When you visit a website, what should you look out for to help ease your security fears? First, do they even claim to protect your security? What are their account-lockout and password retrieval policies? Will you be like Sarah Palin and have your account hijacked-via-research? Whenever possible, I personally do not use security questions and if I do I either use some quazi-code or alternate answer which cannot easily be researched or found. Another thing which often worries me is when I receive an email confirmation after my account is setup that includes my e-mail address in plain text! First, this means they are storing it without strong encryption and furthermore you sent it to me over email which is not secured at all. Be really careful if you go to sign up for a site and the password field is not even encrypted or hidden when you type. Definitely use a different password here; they will likely be emailing it to you anyway. It.s really hard to know if a site is safe ahead of time. If it.s not a big name, do some research first. Even the big names can be unsafe. Usually, I like sites that offer OpenID or Live login because these are services focused solely on authentication and have a much better chance of being secured, also its less information I am giving out to another party, thus reducing the possible attack surface (less information stored on less websites).

An interesting project would be to start a wiki where people can comment and post on the security quality of various websites. Users could post their security concerns, and hopefully site owners could respond and improve their websites. This really sounds like one of the Internet community and activist things that should be done and popular. Services such as Web of Trust (WOT) are good, but they are not looking at the technical security aspect which most users will not understand; the site may not be scamming you, but they may not know how to protect your data. Cross referencing and linking between two such resources would really be useful for end users.e

Other ways to stay safe are to use services like BugMeNot.com, where people create shared accounts so they don.t have to sign up themselves, or MyTrashMail.com, which lets you create a temporary anonymous email address for suspicious sign-ups.

There are some more hints in the poster itself. These tips are very high level and will help people think before they act. It is very hard to influence specific actions under specific situations, but the broad approach will help ensure people are at least aware and making a semi-informed decision.

The poster you see above is a low resolution image. If you want to actually use this poster in your own computer labs, library, Internet café, etc, please let me know. I may be able to provide you with the full resolution image to use for printing. Alternatively, you can buy copies of the poster direct from CafePress.com by visiting http://www.cafepress.com/secaware1. The poster is released under the Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License. If you require different usage terms (commercial usage or modification), please contact me for permission.