{"id":251,"date":"2014-11-10T13:16:34","date_gmt":"2014-11-10T17:16:34","guid":{"rendered":"http:\/\/blog.uvm.edu\/whysecurity\/?p=251"},"modified":"2014-11-10T15:01:55","modified_gmt":"2014-11-10T19:01:55","slug":"visiting-questionable-websites-or-using-your-internet-hazmat-suit","status":"publish","type":"post","link":"https:\/\/blog.uvm.edu\/whysecurity\/2014\/11\/10\/visiting-questionable-websites-or-using-your-internet-hazmat-suit\/","title":{"rendered":"Visiting Questionable Websites (or, Using Your &#8220;Internet Hazmat Suit&#8221;)"},"content":{"rendered":"<p style=\"color: #000000\"><em><span style=\"color: #454545\">National Cybersecurity Awareness Month is an annual opportunity for folks like us to encourage folks like you to adopt a simple, three-point approach to keeping yourself and your information safe online:<\/span><\/em><\/p>\n<h2 style=\"color: #000000\" align=\"center\"><span style=\"color: #527ea3\">STOP.\u00a0THINK.\u00a0CONNECT?<\/span><\/h2>\n<p>With each <a title=\"Wikipedia article on phishing\" href=\"http:\/\/en.wikipedia.org\/wiki\/Phishing\" target=\"_blank\">phishing<\/a> campaign that&#8217;s conducted against UVM&#8217;s students, faculty, and staff, the\u00a0Information Security Office receives dozens of notifications from astute members of the community who recognize the email messages for what they are: a scam aimed at co-opting someone&#8217;s legitimate\u00a0access to UVM&#8217;s information\u00a0resources.<\/p>\n<p>Occasionally, these notifications include a comment\u00a0like, &#8220;I knew the email\u00a0was a phish, and clicked the link. Wow, was that ever a poor excuse for a website!&#8221; (or &#8220;&#8230;Wow, the site looked exactly like myUVM!&#8221;). 
While we appreciate the heads-up and certainly understand folks&#8217; curiosity, the sad fact is that even the simple act of <em>visiting<\/em> one of these websites can cause trouble by forcing your browser to make <a title=\"Wikipedia article on cross-site request forgery\" href=\"http:\/\/en.wikipedia.org\/wiki\/Cross-site_request_forgery\">unauthorized\u00a0requests,<\/a> instigating\u00a0<a title=\"Wikipedia article on drive-by downloads\" href=\"http:\/\/en.wikipedia.org\/wiki\/Drive-by_download\" target=\"_blank\">malware downloads<\/a>, or even by\u00a0commandeering your web browser for control by nefarious puppeteers.<\/p>\n<p>What&#8217;s the astute-yet-curious Internet citizen to do?<\/p>\n<p><strong>In short: Leave it alone, unless you&#8217;re willing to undertake a fair amount of work. Seriously: The Bad Guys have gone out of their way to take Everything That&#8217;s Nice About the Internet and turn it against us.<\/strong><\/p>\n<p>You&#8217;re still here? OK, there <em>are<\/em> a few techniques that someone\u00a0willing to go the extra mile (well, frankly, a few extra miles) can use to investigate suspicious sites in relative safety. But even all of these are only a hedge, and not a guarantee that nothing Bad will happen to your computer\/mobile device\/information. Caveat lector\/Lasciate ogni speranza\/Here be dragons, etc.:<\/p>\n<h3>The &#8220;one-time experiment&#8221; approach: A separate user account on your computer.<\/h3>\n<p>The easiest entr\u00e9e into Fearless Acts of Internet Investigation involves becoming someone else&#8230;sort of. Modern computer operating systems (including Windows, OS X, and Linux) leverage the concept of the <em>user account<\/em>. Whether you know it or not, each time you use your own computer, you log in as a particular user (even if you don&#8217;t use a password). 
In most &#8220;consumer computing&#8221; cases, that user is also an\u00a0<em>administrator<\/em> of the machine&#8217;s\u00a0operating system, meaning that it\u00a0is capable of doing just about anything to that computer <em>including installing <a title=\"Wikipedia article on malware\" href=\"http:\/\/en.wikipedia.org\/wiki\/Malware\" target=\"_blank\">malware<\/a> like viruses and <a title=\"Wikipedia article on keyloggers\" href=\"http:\/\/en.wikipedia.org\/wiki\/Keystroke_logging\" target=\"_blank\">keyloggers<\/a><\/em>.<\/p>\n<p>The trick to safely investigating suspicious Internet sites is to <em>NOT<\/em> have that capability. Here&#8217;s how to do it:<\/p>\n<ul>\n<li><strong>Be certain your OS, web browser, and anti-virus\/malware protections are fully up-to-date.<\/strong>\u00a0It would be sad to do all this work only to be nailed by something that&#8217;s already been addressed, no?<\/li>\n<li><strong>Copy the suspect link to a piece of paper.<\/strong>\u00a0Seriously? Yes: Where we&#8217;re going, you won&#8217;t be able to copy\/paste between &#8220;here&#8221; and &#8220;there&#8221;&#8230;<\/li>\n<li><strong>Create a non-administrator user account.<\/strong> On both Windows and OS X computers, this is called a &#8220;Standard&#8221; user.<\/li>\n<li><strong>Switch to this newly-created user account.<\/strong> The process differs between\u00a0<a title=\"How to switch users under Windows\" href=\"http:\/\/windows.microsoft.com\/en-us\/windows\/switch-users-without-logging-off#1TC=windows-7\" target=\"_blank\">Windows<\/a> and <a title=\"How to switch users under OS X\" href=\"http:\/\/support.apple.com\/kb\/PH6983?viewlocale=en_US&amp;locale=en_US\" target=\"_blank\">OS X<\/a>.<\/li>\n<li><strong>Disable JavaScript, Java, Flash, and ActiveX in your web browser.<\/strong>\u00a0This will address common avenues for &#8220;silent&#8221; delivery of downloads and remote control of your browser. 
Again, different processes for different browsers like Firefox, Chrome, Internet Explorer, and Safari. Search engines like Google, Bing, and company\u00a0are your friend, here.<\/li>\n<li><strong>Visit the site.<\/strong> (You&#8217;ve been so patient!)<\/li>\n<li><strong>STOP if you are presented with\u00a0prompts that request Administrator privileges or the installation of browser plugins.<\/strong> (We&#8217;re specifically trying to rob the website of these capabilities, remember? :-))<\/li>\n<\/ul>\n<p>It&#8217;s important to note something here: In disabling all those browser capabilities\/plugins (JavaScript, Flash, etc.), we&#8217;ve traded &#8220;fidelity&#8221; for &#8220;safety&#8221;. In other words, the site you visit may not look as intended without those bells and whistles enabled, so it could be difficult to tell whether it&#8217;s a clone of myuvm.uvm.edu, or trying to do something sneaky like turn your browser into a zombie. The antidote to this is the next\u00a0method, below.<\/p>\n<h3>The &#8220;dedicated&#8221; approach: A\u00a0virtual machine.<\/h3>\n<p>A &#8220;virtual machine&#8221; is basically a second\u00a0computer running inside your computer&#8217;s operating system. The great thing about virtual machines is that they can generally be copied. So you can, say, create a very basic virtual Windows or Linux machine <em>template<\/em> on your Windows, Mac, or Linux computer, make a copy of it to use when visiting unsavory websites, and then throw it away when you&#8217;re done. The next time you find yourself itching to check out another questionable site, make another copy, use that, throw it away when done. 
A lot like a disposable <a title=\"Wikipedia article on hazardous material protective garments\" href=\"http:\/\/en.wikipedia.org\/wiki\/Hazmat_suit\" target=\"_blank\">hazmat suit<\/a>!<\/p>\n<p>Popular virtualization technologies for desktop computers include VMware products for <a href=\"http:\/\/www.vmware.com\/products\/workstation\/\" target=\"_blank\">Windows<\/a> computers and <a href=\"http:\/\/www.vmware.com\/products\/fusion\/\" target=\"_blank\">Macs<\/a>, <a href=\"https:\/\/www.virtualbox.org\" target=\"_blank\">VirtualBox<\/a> for both, <a href=\"http:\/\/www.parallels.com\/products\/desktop\/\" target=\"_blank\">Parallels Desktop<\/a> for Macs, and <a href=\"http:\/\/www.linux-kvm.org\/page\/Main_Page\" target=\"_blank\">KVM<\/a> and <a href=\"http:\/\/www.xenproject.org\" target=\"_blank\">Xen<\/a> for Linux. You could even try out one of the free cloud offerings from the likes of <a href=\"http:\/\/aws.amazon.com\/ec2\/\" target=\"_blank\">Amazon<\/a> if you just want to dip your toe in the water without installing software on your own computer. <em>(Please note that UVM doesn&#8217;t formally\u00a0endorse or support any of these products, even though\u00a0they may be in use by various units. Caveat emptor\/your mileage may vary.)<\/em><\/p>\n<p>The advantage of this method\u00a0over the &#8220;separate user account&#8221; approach is that the isolation from your everyday operating system (known as the &#8220;host OS&#8221; in virtualization lingo) is more complete, so you can let\u00a0the browser run active content (JavaScript, Flash,\u00a0etc.) and get the &#8220;full website experience&#8221; with more confidence. <em>This does make it important that you destroy the virtual machine when you&#8217;re done,<\/em> since it&#8217;s basically a full-fledged computer which you&#8217;ve just exposed to a bunch of Internet contagion. 
Which means, if it does catch some Exotic Internet Flu, it will be an infected computer with access to other computers on your home network\/UVM&#8217;s network\/the Internet.<\/p>\n<h3>Wait: What about my phone\/tablet?<\/h3>\n<p>Sadly, there aren&#8217;t a lot of great options here for mobile devices. For better or for worse, most mobile device operating systems (like Android, iOS, and Windows RT) only support one all-powerful user account, so the &#8220;create a non-administrator user&#8221; option is out. (Notable exception: Windows Surface tablets running Windows 8.) And while there are some &#8220;sandboxing&#8221; options that mimic running virtual machines on these devices, they&#8217;re generally part of expensive enterprise mobile device management packages. Certainly it&#8217;s possible to remotely control a virtual machine using special apps on your mobile device, but you still have to have a virtual machine to control.<\/p>\n<p>So, as of this writing: Stick to a laptop or desktop computer. (But look for that to change in the future. Maybe.)<\/p>\n<h3>That&#8217;s pretty involved.<\/h3>\n<p>If both of those approaches seem like a bunch of work, it&#8217;s because they are. Over the last two decades, computer operating systems and\u00a0web browsers have developed capabilities for the rapid acquisition (read: download)\u00a0of content, convenient installation of software (easy-to-use administrator accounts), and a rich interactive experience (JavaScript and friends), and\u00a0hacking techniques have evolved to take advantage of those capabilities for nefarious purposes. So, in order to have a truly safe experience when visiting potentially-dangerous websites, one really needs to short-circuit a whole bunch of features that the modern Internet user takes for granted.<\/p>\n<p>Is it possible to do this? Yes, if you&#8217;re committed to taking appropriate precautions. Is it for everyone? 
We leave that up to you.<\/p>\n<h3>So, in conclusion&#8230;<\/h3>\n<p><strong>We encourage you to STOP<\/strong> before clicking the link in that scam email.<\/p>\n<p><strong>Then THINK<\/strong> about what information you might be putting at risk by visiting that website on\u00a0the device you&#8217;re currently using (your phone? tablet? laptop?) \u2014 How many passwords are saved on there? What&#8217;s in the files contained in\u00a0its local storage? Have\u00a0you logged into your bank using this device? <em>Did you ever log off?<\/em><\/p>\n<p><strong>Finally, CONNECT <em>only if you&#8217;ve taken the extensive\u00a0precautions required in order to do so safely<\/em>.<\/strong><\/p>\n<p>Questions or comments? Get in touch with us: iso@uvm.edu<\/p>\n<p>&nbsp;<\/p>\n<p>Safe surfing,<\/p>\n<p>Sam Hooker, for the Information Security Operations Team<\/p>\n","protected":false},"excerpt":{"rendered":"<p>National Cybersecurity Awareness Month is an annual opportunity for folks like us to encourage folks like you to adopt a simple, three-point approach to keeping yourself and your information safe online: STOP.\u00a0THINK.\u00a0CONNECT? 
With each phishing campaign that&#8217;s conducted against UVM&#8217;s students, faculty, and staff, the\u00a0Information Security Office receives dozens of notifications from astute members of &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/blog.uvm.edu\/whysecurity\/2014\/11\/10\/visiting-questionable-websites-or-using-your-internet-hazmat-suit\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Visiting Questionable Websites (or, Using Your &#8220;Internet Hazmat Suit&#8221;)&#8221;<\/span><\/a><\/p>\n","protected":false},"author":16,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-251","post","type-post","status-publish","format-standard","hentry","category-uncategorized","entry"],"featured_image_src":null,"featured_image_src_square":null,"author_info":{"display_name":"Sam","author_link":"https:\/\/blog.uvm.edu\/whysecurity\/author\/sthooker\/"},"_links":{"self":[{"href":"https:\/\/blog.uvm.edu\/whysecurity\/wp-json\/wp\/v2\/posts\/251","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.uvm.edu\/whysecurity\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.uvm.edu\/whysecurity\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.uvm.edu\/whysecurity\/wp-json\/wp\/v2\/users\/16"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.uvm.edu\/whysecurity\/wp-json\/wp\/v2\/comments?post=251"}],"version-history":[{"count":23,"href":"https:\/\/blog.uvm.edu\/whysecurity\/wp-json\/wp\/v2\/posts\/251\/revisions"}],"predecessor-version":[{"id":276,"href":"https:\/\/blog.uvm.edu\/whysecurity\/wp-json\/wp\/v2\/posts\/251\/revisions\/276"}],"wp:attachment":[{"href":"https:\/\/blog.uvm.edu\/whysecurity\/wp-json\/wp\/v2\/media?parent=251"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.uvm.edu\/whysecurity\/wp
-json\/wp\/v2\/categories?post=251"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.uvm.edu\/whysecurity\/wp-json\/wp\/v2\/tags?post=251"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}