National Cybersecurity Awareness Month is an annual opportunity for folks like us to encourage folks like you to adopt a simple, three-point approach to keeping yourself and your information safe online:
STOP. THINK. CONNECT?
With each phishing campaign that’s conducted against UVM’s students, faculty, and staff, the Information Security Office receives dozens of notifications from astute members of the community who recognize the email messages for what they are: a scam aimed at co-opting someone’s legitimate access to UVM’s information resources.
Occasionally, these notifications include a comment like, “I knew the email was a phish, and clicked the link. Wow, was that ever a poor excuse for a website!” (or “…Wow, the site looked exactly like myUVM!”). While we appreciate the heads-up and certainly understand folks’ curiosity, the sad fact is that even the simple act of visiting one of these websites can cause trouble by forcing your browser to make unauthorized requests, instigating malware downloads, or even by commandeering your web browser for control by nefarious puppeteers.
What’s the astute-yet-curious Internet citizen to do?
In short: Leave it alone, unless you’re willing to undertake a fair amount of work. Seriously: The Bad Guys have gone out of their way to take Everything That’s Nice About the Internet and turn it against us.
You’re still here? OK, there are a few techniques that someone willing to go the extra mile (well, frankly, a few extra miles) can use to investigate suspicious sites in relative safety. But even all of these are only a hedge, and not a guarantee that nothing Bad will happen to your computer/mobile device/information. Caveat lector/Lasciate ogni speranza/Here be dragons, etc.:
The “one-time experiment” approach: A separate user account on your computer.
The easiest entrée into Fearless Acts of Internet Investigation involves becoming someone else…sort of. Modern computer operating systems (including Windows, OS X, and Linux) leverage the concept of the user account. Whether you know it or not, each time you use your own computer, you log in as a particular user (even if you don’t use a password). In most “consumer computing” cases, that user is also an administrator of the machine’s operating system, meaning that it is capable of doing just about anything to that computer including installing malware like viruses and keyloggers.
The trick to safely investigating suspicious Internet sites is to NOT have that capability. Here’s how to do it:
- Be certain your OS, web browser, and anti-virus/malware protections are fully up-to-date. It would be sad to do all this work only to be nailed by something that’s already been addressed, no?
- Copy the suspect link to a piece of paper. Seriously? Yes: Where we’re going, you won’t be able to copy/paste between “here” and “there”…
- Create a non-administrator user account. On both Windows and OS X computers, this is called a “Standard” user.
- Switch to this newly-created user account. The process differs between Windows and OS X.
- Visit the site. (You’ve been so patient!)
- STOP if you are presented with prompts that request Administrator privileges or the installation of browser plugins. (We’re specifically trying to rob the website of these capabilities, remember? :-))
The “dedicated” approach: A virtual machine.
A “virtual machine” is basically a second computer running inside your computer’s operating system. The great thing about virtual machines is that they can generally be copied. So you can, say, create a very basic virtual Windows or Linux machine template on your Windows, Mac, or Linux computer, make a copy of it to use when visiting unsavory websites, and then throw it away when you’re done. The next time you find yourself itching to check out another questionable site, make another copy, use that, throw it away when done. A lot like a disposable hazmat suit!
Popular virtualization technologies for desktop computers include VMware products for Windows computers and Macs, VirtualBox for both, Parallels Desktop for Macs, and KVM and Xen for Linux. You could even try out one of the free cloud offerings from the likes of Amazon if you just want to dip your toe in the water without installing software on your own computer. (Please note that UVM doesn’t formally endorse or support any of these products, even though they may be in use by various units. Caveat emptor/your mileage may vary.)
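The copy, use, throw-away cycle described above, scripted for VirtualBox as an added example (it is not part of the original post). It assumes VirtualBox 6.1 or later on a Mac or Linux host; the template name `browse-template` and the snapshot name `clean` are hypothetical.

```bash
#!/usr/bin/env bash
# Disposable VirtualBox clone: copy the template, use it, throw it away.
# Assumed (hypothetical) names: a powered-off template VM "browse-template"
# with a snapshot "clean" taken right after patching the guest.
# Flags are those of VirtualBox 6.1 or later.

VBOX="${VBOX:-VBoxManage}"              # replaceable, e.g. for a dry run
TEMPLATE="${TEMPLATE:-browse-template}"
SNAPSHOT="${SNAPSHOT:-clean}"

# Unique throwaway name, so an old clone is never reused by accident.
new_name() { printf 'throwaway-%s-%s\n' "$(date +%Y%m%d%H%M%S)" "$$"; }

# Power off (ignoring "not running"), then delete the clone and its disk.
destroy_disposable() {
    local name="$1" try
    $VBOX controlvm "$name" poweroff >/dev/null 2>&1
    for try in 1 2 3 4 5; do
        $VBOX unregistervm "$name" --delete && return 0
        sleep 2    # the VM session can take a moment to release its lock
    done
    echo "could not delete $name; remove it by hand" >&2
    return 1
}

# Linked clone of the clean snapshot with host/guest sharing switched off.
create_disposable() {
    local name="$1"
    $VBOX clonevm "$TEMPLATE" --snapshot "$SNAPSHOT" --options link \
        --name "$name" --register || return 1
    $VBOX modifyvm "$name" --clipboard-mode disabled --draganddrop disabled ||
        { destroy_disposable "$name"; return 1; }
}

# One session: create, start, wait for the user, always clean up on exit.
session() {
    local name reply
    name="$(new_name)"
    create_disposable "$name" || return 1
    trap "destroy_disposable '$name'" EXIT
    trap 'exit 130' INT TERM
    $VBOX startvm "$name" --type gui
    printf 'Press Enter when finished to destroy %s... ' "$name"
    read -r reply
}

# Run with:  ./disposable-vm.sh run
if [ "${1:-}" = "run" ]; then session; fi
```

Because the clone is linked to the snapshot, deleting it removes only the clone's own differencing disk and leaves the template untouched for the next copy.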
Wait: What about my phone/tablet?
Sadly, there aren’t a lot of great options here for mobile devices. For better or for worse, most mobile device operating systems (like Android, iOS, and Windows RT) only support one all-powerful user account, so the “create a non-administrator user” option is out. (Notable exception: Windows Surface tablets running Windows 8.) And while there are some “sandboxing” options that mimic running virtual machines on these devices, they’re generally part of expensive enterprise mobile device management packages. Certainly it’s possible to remotely control a virtual machine using special apps on your mobile device, but you still have to have a virtual machine to control.
So, as of this writing: Stick to a laptop or desktop computer. (But look for that to change in the future. Maybe.)
That’s pretty involved.
Is it possible to do this? Yes, if you’re committed to taking appropriate precautions. Is it for everyone? We leave that up to you.
So, in conclusion…
We encourage you to STOP before clicking the link in that scam email.
Then THINK about what information you might be putting at risk by visiting that website on the device you’re currently using (your phone? tablet? laptop?) — How many passwords are saved on there? What’s in the files contained in its local storage? Have you logged into your bank using this device? Did you ever log off?
Finally, CONNECT only if you’ve taken the extensive precautions required in order to do so safely.
Questions or comments? Get in touch with us: firstname.lastname@example.org
Sam Hooker, for the Information Security Operations Team