Managing passwords is a delicate matter. Anyone who does not handle their passwords carefully risks becoming a victim of online scammers. Fortunately, there are a few simple rules that can secure your passwords and their use.

Rule No. 1: Use Appropriate Passwords

When it comes to quality, there are significant differences. Full words or names, for example, in any language, offer insufficient protection. You should avoid including parts of your username in your password. A password made up of only numbers is also a no-go. It is better to choose an arbitrary combination of uppercase and lowercase letters, numbers, and special characters. A password should be at least six characters long. On the Internet, there are numerous generators that can help you find a strong password.

Rule No. 2: Keep Your Passwords Safe

The complex passwords described above are unfortunately difficult to remember. However, it is not recommended to write them down. They should be stored in a secure place. Additionally, you should avoid saving these passwords and other security details on your computer. When the browser asks if it should save your username and password, you should decline.

Rule No. 3: Use Different Passwords

Even if it involves a bit more effort, you should have different passwords. If one of your passwords falls into the wrong hands, the damage remains limited. Moreover, passwords should be changed regularly. If you have trouble keeping track of your passwords, consider writing them down and keeping them in a safe place.

Rule No. 4: Never Disclose Your Passwords

Passwords should never be mentioned, whether in an email, by fax, or over the phone. If you ever receive a request to provide your password, it is likely a phishing attempt. Never respond to these requests.

Rule No. 5: Only Enter Your Password on an Encrypted Connection

If you are working with sensitive data on the Internet, make sure that the information flow is encrypted. This generally prevents hackers from reading and using the data. An encrypted connection is indicated by https:// at the beginning of the URL instead of http://. The “s” stands for “secure.” Additionally, with a secure connection, a small lock icon appears at the bottom of the window.

Rule No. 6: Never Leave Your Computer in Someone Else’s Hands

Another risk is leaving your computer unattended and accessible to others without security measures. In such cases, you should lock your computer, even for short absences, as otherwise all your electronic security measures are useless.

Alex Hämmerli (Swisscontent Corp, trad. m.r) / 05.09.2008

Anyone browsing the Internet needs protection against various dangers. An updated and secure browser is essential for safe Internet surfing.

The Internet harbors many dangers. Hackers are increasingly able to cause significant damage to states, companies, and private individuals. So far, cybercriminals mainly targeted pornographic and illegal download pages. They used dubious offers to download dangerous software onto the visitor’s computer. According to security experts, a PC can even get infected on legitimate websites. For instance, a Flash banner ad was discovered that, simply by visiting the blick.ch website, installed Trojans on the user’s computer, causing considerable damage.

The More Up-to-Date, the Better

The browser, which displays websites, often serves as a gateway for these malwares, especially if you browse the Internet with an outdated browser. That’s why a browser should always be up to date. To do this, enable the automatic update features. Currently, secure free programs include Microsoft’s “Internet Explorer” (minimum version 6.0 with Service Pack 1) or the competing “Firefox” by Mozilla (minimum version 1.5). For Mac users, “Safari” from version 1.3 or “Firefox” from version 1.5 are relatively secure. Experts disagree on which program offers the most security, and study results vary depending on the sponsor.

Install Browser Updates

Extended browser functions such as JavaScript, Java, ActiveX, and others require the installation of external code on the visitor’s PC. While there are various protective mechanisms to prevent such program code from causing harm, security gaps are repeatedly found that eliminate these restrictions. Many of these gaps are due to programming errors and can be addressed by installing the latest automated browser patches. Some risks can only be avoided by disabling the corresponding options in the Internet browser settings.

Is My Browser Secure?

The best defense against browser malware is knowledge and a healthy skepticism towards everything from the Web. Anyone who clicks on anything will eventually end up with malware, regardless of how new the browser or operating system is.

Security Tips

• Always work with the latest browser version. Browsers have automatic update features that are easy to find in the help menu. This allows security gaps to be quickly patched.
• Modern Internet browsers can detect unsafe websites. When a user visits such a site, they receive a warning.
• Users not dependent on Windows have the option to switch to Mac or Linux, as these systems have a structure that is much harder to attack.
• Limit the installation of Java scripts (Active Scripting) as much as possible through browser settings or only allow access to trusted sites.
• Limit the installation of ActiveX controls as much as possible through browser settings. Set the Internet Explorer security settings to “high.”

Bernhard Bircher-Suits (Swisscontent Corp., trad. m.r) / 05.09.2008

Almost every day, both at work and at home, we are bombarded with suspicious emails that, when opened, can cause serious problems. To protect yourself from this threat, it is important to know your enemies.

Malware (the “mal-” from “malicious” and “-ware” from “software”) is classified into three types of malicious software: Trojans (see special report), viruses, and worms.

Viruses

Computer viruses are the oldest form of malware: they replicate by self-copying and infiltrating healthy programs, documents, and data storage devices. Viruses come in many forms and cause uncontrollable changes in the operating system, some software, and hardware, for instance by manipulating connections or the graphics card. As a result, viruses can compromise the security of data and programs on the PC, causing interference and data loss.

Worms

Today, computer worms have almost replaced viruses. Worms are similar to viruses but spread through networks independently, for example by sending infected emails, instant messaging, or peer-to-peer programs like “Kazaa,” “Morpheus,” or BitTorrent systems. Worms do not need a host to spread. They use existing distribution lists. Since almost all computers are networked, worms spread incredibly fast.

How Can I Protect Myself?

Generally, worms activate automatically when downloaded to the hard drive. So, be especially cautious when opening attachments: only open files that you are sure are safe, and especially avoid “.exe” files. The file extension indicates that it is a program. Even known senders do not guarantee safe attachments. Worms spread due to users’ careless behavior, excessive comfort, and ignorance. Use instant messaging, email, and peer-to-peer programs cautiously.

Never forget: worms are masters of disguise. Pay particular attention to file name extensions such as “.jpg.exe” and long file names that obscure the true nature of the file. It is also risky to download files whose purpose remains unknown to laypeople. Here are some examples: .dll, .ax, .ini, .com, .pif, or .bat.

Use an Antivirus Program

Before opening a file from the Internet, have it checked by an antivirus program. Many virus scanners do this automatically today. However, the program must always be up to date; otherwise, new malware could slip through. Antivirus programs are particularly essential for Microsoft Windows: there are numerous viruses for this operating system, and new ones are added almost daily. For Macs, security has also become necessary as more viruses are targeting them.

Alex Hämmerli (Swisscontent Corp, trad. m.r) / 05.09.2008

Anyone who occasionally surfs the Internet and sometimes installs programs must protect their computer from viruses, Trojans, and other malware. In this regard, free downloadable protection programs are generally as effective as often very expensive paid programs.

There is a moment in the life of every new PC or laptop, freshly configured, that all viruses, worms, and other spyware programs eagerly await: the moment when the computer first connects to the Internet. Without effective protection, malware can invade an Internet-connected PC in as little as 20 minutes, according to the American Internet Storm Center (ISC).

Access Points and Remedies

How does an infected program reach a PC? It’s quite simple: to access the Internet, the device is assigned an IP address that allows every PC to be identified on the Web. Sophisticated piracy software constantly tries to find IP addresses on the Internet. When found, a virus, worm, or Trojan horse can be launched onto the computer in a targeted way. Another access point is email. When a worm transmitted by email is introduced and installed without notice, it bypasses the system’s security measures and spreads. Attacks on PCs are increasingly sophisticated and happen at shorter intervals. That’s why security service providers must frequently perfect their protective mechanisms at breakneck speed. To ensure a high level of protection, each PC should have three different protection tools: a firewall against IP attacks on the Web, antivirus software, and spyware software against spy programs. It is also advisable to get software that allows anonymous browsing on the Internet.

Similar and Less Expensive Alternatives

Those who don’t want to spend a fortune on protection software each year can rely on free programs. According to various studies, they are generally no less effective than paid alternatives from well-known manufacturers. In the antivirus field, Avira Antivir (www.free-av.de) and Avast Home (www.avast.com) are convincing options. However, the application is only free for private users. In the realm of free software, sophisticated complete security packages are not yet available. This means that typically, for each type of threat, a specific protection software must be installed.

Paid Programs with User Interface

Paid security packages protect private computers quite effectively and can easily be replaced thanks to a consistent user interface. However, they are not complete, contrary to what manufacturers like to claim. The German computer magazine “c’t” compared various Internet security software packages and found that in every case, at least one protection component was weak. In the worst cases, the antivirus entirely cuts off the Internet connection or gives the user a false sense of security. No program tested by this magazine constitutes real, comprehensive protection, according to “c’t.” Nonetheless, installing security software is essential. As cybercriminals are highly imaginative, it is advisable to maintain a certain level of caution in all online activities, in addition to using protection software, especially when it involves sharing personal data.

Bernhard Bircher-Suits (Swisscontent Corp., trans. m.r) / 05.09.2008

If you regularly install supposedly useful free software on your computer from the Internet, you must protect your PC against email attachments and dangerous Trojan horses.

A Trojan horse, or simply “Trojan,” refers to a program that appears legitimate but is designed to surreptitiously carry out harmful actions on the user’s computer. Often, free programs downloaded from the Internet or download sites are infected with these malicious programs. Trojans belong to the family of unwanted or harmful programs called “malware.” Most of the time, they infiltrate the victim’s computer in a targeted and clandestine manner, though they can also arrive by chance. Generally, they disguise themselves as a useful program by, for example, using the name of a beneficial file, or offering a useful feature in addition to their concealed harmful function.

Transport Means for Criminal Purposes

Many Trojan horses are used to surreptitiously install harmful programs on the user’s computer. These malicious programs operate autonomously on the computer, meaning they cannot be disabled simply by closing or even deleting the Trojan. The actual function of the installed file can be of any type. Thus, spyware programs like “Keylogger” may infiltrate the computer. These programs track keystrokes on the keyboard and send the collected data to criminals. The clandestine installation of programs with backdoors is also possible. Such software allows for remote control of the computer over the Internet, enabling malicious actions without the user being able to control it.
Access Points

Trojan horses can reach a computer through the same access points used for electronic data transmission, including all data storage media or network connections like the Internet. File-sharing networks, manipulated “Drive-by-Download” sites, as well as file or email attachments, are the most frequently used entry points for trojans. From the user’s unsuspecting PC, they can spread to other computers. Hackers often use a computer worm as a vector to carry the Trojan.

Protection with Antivirus Programs

To protect yourself effectively from trojans, avoid using programs from unknown or unreliable sources. Providers of programs or services on the edge of legality are particularly dangerous. Another protective measure is installing antivirus software. Numerous antivirus programs are available on the market to combat malicious intruders, such as Panda Internet Security (www.pandasoftware.ch), Norton Internet Security (www.symantec.com/de/ch/index.jsp), or Eset Smart Security (www.eset.com/smartsecurity). If a trojan is detected by antivirus software before the user distributes it, this antivirus program provides effective protection. However, once a trojan has begun its destructive mission, antivirus programs can only remove it from the system to a certain extent. If a previously installed trojan is detected, it’s highly recommended to clean the PC by restoring the last “clean” disk image. A virus scanner tends to carry out this task reliably. Generally, a healthy degree of caution is advised when downloading software from the Internet or installing programs from data storage on your computer.

Bernhard Bircher-Suits (Swisscontent Corp., trans. mfp) / 05.09.2008

Caution and skepticism on the Internet: if you receive an email asking for confidential information about your bank account, delete it immediately.

The goal of phishing is to obtain personal information from unsuspecting internet users by using fraudulent web addresses. For example, this might include information about your online auction account (e.g., eBay or Ricardo) or login data for e-banking. Scammers exploit their victims’ trust by sending emails with fake sender addresses. These messages might state, for example, that account information or login data (username and password) is no longer secure or up to date and should be changed or confirmed through a link provided in the email. The link does not lead to the original service provider’s website (e.g., the bank) but to a counterfeit site created by the scammer. With the fraudulently obtained data, a scammer can, for instance, conduct banking transactions on behalf of the victim (internet user) or place bids on an auction site.

Protecting Yourself with Vigilance

It’s essential to stay cautious when browsing the Internet. Only heightened vigilance can prevent the worst. A legitimate bank will never ask to change passwords or other sensitive data via email. Often, the recipient will be addressed with a general phrase like “Dear customer” rather than by name—another sign of forgery, as a legitimate bank would know the customer’s name. Poor grammar or spelling can also indicate a phishing attempt. These emails should be deleted immediately. Using a unique password for each application is a wise practice.

It’s also advisable to manually enter the bank’s web address each time. Under no circumstances should links in emails or on third-party websites be clicked to reach the desired website. If you do end up on “your bank’s” site via a hyperlink, you must verify the site’s authenticity by checking its security certificate. Encryption of the connection should also be checked by double-clicking the “closed padlock” symbol at the bottom of the browser window, where the certificate details should appear. It should be in the bank’s name. If the certificate’s “Fingerprint” matches that published on the bank’s homepage, it’s a secure, encrypted connection to the correct site.

Protecting Yourself with Software

Aside from required caution, software can also contribute to online security. Depending on the installed software, an antivirus program’s email filter can detect phishing emails, block them, and delete them, provided the antivirus software is continuously updated. Browsers like Internet Explorer or Mozilla Firefox also warn against phishing sites. Browsers and email filters relying on blacklists published online depend on their updates. This is a significant drawback with new forms of phishing attacks, as neither the method nor the defense is yet known.

Dajan Roman (Swisscontent Corp., trans. mfp) / 05.09.2008

To protect a computer from malicious incoming connections, a NAT router offers at least partial protection. A router essentially separates the global network from your personal computer. A router with a built-in firewall allows for setting the authorized Internet services.

When connected to the Internet, there’s a risk that programs or people might access your computer through weak points or security gaps, enabling them to read, manipulate, or delete files. Besides typical antivirus software and firewall software, there’s another method that offers initial protection before an intruder can access your computer.

Connection Between the Computer and the Internet

Most operators’ routers are equipped with NAT. NAT stands for “Network Address Translation.” The NAT process connects the local private network computer to the Internet. In theory, every computer connected to the Internet needs a unique identification number, the IP address. This address is generally assigned to a single computer by the Internet service provider. When installing a router, it remains the IP address holder. Computers connected to the home local network receive independent addresses separately from the Internet service provider.

Invisible Private Network from the Outside

With a router, multiple computers can share a single Internet connection. From a security strategy perspective, this system also has the advantage of separating the international network from the local network. Indeed, the router’s private IP addresses are not visible on the Web, making malicious access to the computer difficult.

Limiting Data Flow

If the router has an integrated firewall, you can also define the Internet services for which data traffic is allowed. In the corresponding list within the router’s user interface, select only the applications you really need, blocking unwanted data flows from outside the router. If an application does not work on the computer due to the firewall, the issue can be resolved by unblocking the port. This is possible with the “Port-Forwarding,” “Virtual Server,” or “Static Routing” options, generally found in the router configuration tool’s advanced settings. The manual or the software producer’s website will indicate the port of each application.

No Substitute for Firewall Software

However, this overall limitation on external access should not be overestimated. It cannot replace effective firewall software. A good firewall also provides adequate protection for outbound data flows and includes additional options for regulating specific access points that a router does not offer. To optimize security, it’s recommended to install firewall software on the computer in addition to using a router. If you are using a simple USB modem, firewall software is essential. This also applies to any user with an Internet connection from a cable operator without a connected router. Since Windows XP, a firewall with some basic functions has been built into the system.

Routers/modems from different Internet providers (Example from Switzerland)

Source: data from selected Internet providers

Christian Iten (Swisscontent Corp., trans. mfp) / 09.05.2008

By following a few basic security measures, you can perform online payments without issues. The key is to secure your computer and stay vigilant during e-banking sessions.

Many people remain skeptical about e-banking. Fearing their account may be emptied, they have little trust in the systems and prefer to conduct banking operations via paper and mail. However, anyone can tamper with a mailbox, whereas accessing a PC requires a minimum level of computer knowledge. The risk can also be minimized quite simply by following some advice (www.melani.admin.ch).

Computer Protection

For secure e-banking, it is highly recommended to use only a computer with firewall software and antivirus software. Regularly update all software and use the latest versions of the browser and other programs. If available, enable the automatic update function, especially for antivirus software. When the firewall is active, it blocks unwanted Internet connections. Never open emails from unknown sources or install unreliable programs.

Before Logging In

Before logging onto the e-banking platform, close all browser windows. To start an e-banking session, reopen the browser and always manually enter the address. During the session, keep all other connections closed, and do not visit other websites. Password rules must also be followed. Financial institutions require multi-level authentication for online clients (e.g., contract number, tick-off list, and password or similar). Most of the time, the client can choose their password freely. Choose a hard-to-guess password with letters, numbers, and special characters (at least 8 characters), and change it regularly. Do not share this or any other passwords with anyone, not even with the bank. The bank will never ask you to provide your password. Never write down your password or save it on your computer.

During the E-Banking Session

Verify the authenticity of the website with the authenticity certificate and check the encryption of the connection (see article on “phishing”). Take any error or warning messages seriously. If in doubt, contact your bank immediately.

Ending the E-Banking Session

It is important to log out and properly end the e-banking session. All banking interfaces have a dedicated function for this, called “end,” “logout,” or “quit.” Usually, a new page will confirm the session has ended correctly. After leaving the e-banking session, it is advisable to delete temporary Internet files stored in the browser’s cache to clear the “memory” of your session from your computer.

• Internet Explorer: Extras/Internet Options/delete cookies/OK.
• and: Extras/Internet Options/delete files/delete all offline content/OK
• Firefox: Extras/settings/privacy/delete everything
• Safari: Safari/empty cache

Dajan Roman (Swisscontent Corp., trans. mfp) / 09.05.2008

Internet users who surf wirelessly or exchange data via a wireless network risk encountering unscrupulous hackers in the network. A few simple W-LAN router settings are enough to enhance security.

Surfing the Internet wirelessly on a PC or laptop, or exchanging data between devices in a wireless network, is very convenient. However, when using W-LAN (Wireless Local Area Network), often referred to in advertising by the technical term Wi-Fi, caution is advised. If the wireless network is not secured well enough, intruders could use the Internet connection for illegal activities or even spy on the data saved on the computer. A few simple W-LAN router settings can minimize the risk.

Protect Router Access with a Password

To keep the router installation private, it’s best to connect the computer by cable. The first rule is to choose a personal password for router access. But be careful: if you forget the password, you will not be able to reconfigure the setup and must reset the computer manually, losing all previous settings!

Encryption, the Essential Measure

The most important measure for W-LAN security is encryption. Several methods are generally available in the configuration interfaces. The safest method is called Wi-Fi Protected Access (WPA or WPA2). All current routers support this method. Older W-LAN components may not yet support WPA2. It’s also worth checking the router provider’s website. A software update might be available for download and installation on the router.

Allow Only Known Devices

To enhance the security of your W-LAN network, you can enable MAC filtering: if you input the MAC addresses of authorized devices into the router’s corresponding list, only these devices will have access to the W-LAN network. The MAC address, represented by 12 digits, is unique and allows identification. It cannot be modified. However, security is not 100% guaranteed. Skilled hackers can forge MAC addresses. By systematically trying random addresses, they could access the W-LAN network.

Enable the Firewall and Change the Network Name

Generally, a W-LAN router has a built-in firewall. If your computer has this option in the settings menu, it is worth enabling it. Another protection measure is to change the default SSID set in the router to a general description for Wi-Fi access, without associating it with the owner or location of the wireless network. This SSID is simply the name of the W-LAN network.

Christian Iten (Swisscontent Corp., trans. mfp) / 09.05.2008

Social engineering is one of the most dangerous and effective forms of cybercrime. The biggest risk is the human factor.

“Social engineering” is a technique designed to extract information, confidential data, or unauthorized services from people by exploiting their trust. Security measures are manipulated. Social engineering can be divided into three areas: based on personal approach, based on computer systems, and reverse social engineering.

Personal Approach-Based Social Engineering

In this form of social engineering, criminals try to directly access information by posing as authorities or trusted individuals. Disguised in this way, they fraudulently obtain sensitive data. Dumpster diving is also a tactic used in social engineering. Company or private trash bins are searched for passwords, files, photos, and other information. This data can be used directly, for instance, as leverage in cases of blackmail, or indirectly, by providing the attacker with information to create a false identity.

Computer-Based Social Engineering

In this form of social engineering, identities are impersonated through technical means such as emails or websites to obtain desired data. “Phishing” is the prime example of this type of fraud. Read more on this topic in other articles within this dossier. Many sweepstakes or prize games also fall into this category of social engineering. The goal is to collect personal data, which is later misused for advertising purposes.

Reverse Social Engineering

The objective of reverse social engineering is to deceive the victim by posing as a supposed emergency rescuer, prompting them to disclose sensitive information or engage in harmful actions. Most often, this type of attack creates a problematic situation that causes stress or anxiety for the victim. Reverse social engineering hackers may simulate, for example, a computer attack or system failure that immediately requires access to the user account of a supposed technician.

Protection Against Social Engineering

Protection against social engineering can hardly be guaranteed by a technical solution, as such defenses are circumvented. Thus, only the victim can contribute the most to security by ensuring the true identity and legitimacy of the person they are dealing with, and only then should they provide sensitive data. In case of doubt, it is essential to ask for the name, phone number, and location of the caller to verify all these details afterward. Seemingly harmless information, such as an out-of-office message, should not be freely shared, as it could help an attacker create a false identity. It is particularly important to prevent the attacker from obtaining the desired information through skillful questioning and cross-referencing. Additionally, old files, papers, hard drives, and other sensitive documents should be carefully destroyed.

Alex Hämmerli (Swisscontent Corp., trans. mfp) / 09.05.2008

The Internet harbors numerous dangers: visitors to legitimate websites can also infect their PCs, as cybercriminals may distribute malicious software through dubious online offers. However, PC users are not defenseless against these cyber attacks. By knowing potential intrusions and following a few simple tips, Internet users can easily protect themselves.

To safeguard your computer, your online behavior is crucial. This starts with the proper use of passwords, which should be appropriate, securely stored, varied, and encrypted. Passwords should also be entered only on encrypted network connections to ensure the encrypted transmission of sensitive information. A running computer should not be left unattended unless secured with a password; otherwise, intruders could access confidential data without control.

If you browse the Internet, your browser should always be secure and kept up to date. Outdated Internet browsers that display websites often become entry points for malicious software. A few simple tips can help you improve your browser’s security.

If you surf wirelessly or exchange data over a wireless network, you risk malicious hackers breaking in. A few simple settings on the W-LAN router are enough to enhance security.

When securing your computer against potential malicious external attacks, a NAT router provides at least partial protection, as it separates the global network from the home computer. With a router equipped with a built-in firewall, you can also define the Internet services you want to allow access to.

Security programs are also essential. Without these software programs, virtual threats can quickly compromise an unsecured computer. For complete protection, four security tools should be installed on every PC: a firewall against network attacks, antivirus software against malware, spyware protection, and a reliable browser.

Viruses, worms, and trojans are dangerous. Viruses and worms are often spread via dubious emails that users open unsuspectingly. Trojans are software disguised as useful applications but perform other functions in the background without the user’s knowledge. Free software from the Internet or download sites is often infected with these malicious programs. You can protect yourself from malware by not opening files whose contents are unclear or by refusing to use programs from unknown or unreliable sources.

Another risk for Internet users is “phishing.” Its goal is to obtain confidential data from unsuspecting users through falsified addresses. To avoid this, caution and vigilance are essential.

One of the most dangerous and effective forms of cybercrime is certainly social engineering. The greatest risk factor is the human element. This technique aims to extract information, confidential data, or unauthorized services from individuals by exploiting their trust. Security measures are manipulated. Therefore, only the victim can significantly contribute to security by ensuring the true identity and legitimacy of the contact.

Jeannette Schläpfer (Swisscontent Corp., trans. mfp) / 09.05.2008