URDANETA CITY

UNIVERSITY COLLEGE OF ENGINEERING

AND ARCHITECTURE
Owned and operated by the City Government of Urdaneta

MODULE 3
INFORMARTION AS RESOURCE WITH CONTROL AND PRIVACY

INTRODUCTION:
This module presents the physical, conceptual and information
resourcesthat an organization need to operate. You will gain awareness of
the pros and cons in the internet world. It talks about the importance of
Intellectual Property rights and Data Privacy of the Philippines.

LEARNING OBJECTIVES:
After studying the module, you should be able to:

1. Distinguish a physical resource from a conceptual resource.

2. Analyze the phenomenon of information overload brought by
high internet penetration.
3. Familiarize yourself with the threats and privacy in the
cyberspace.
4. Explain the major points of the revised Intellectual Property
Code of the Philippines (Republic Act No. 10372) and Data Privacy
(Republic Act No. 10173)

DIRECTIONS/MODULE ORGANIZER:

There are three lessons in the module. Read each lesson carefully
then answer the activities. For instructions about submission, you will be
guided by your instructor.

In case you encounter any difficulty, discuss this with your

instructor. Donot hesitate to contact your instructor for any concerns and
problems regardingyour lessons.

Bright future starts here Module 1: Fundamentals of Information Technology

 URDANETA CITY
UNIVERSITY COLLEGE OF ENGINEERING
AND ARCHITECTURE
Owned and operated by the City Government of Urdaneta

LESSON 2

ONLINE SECURITY, PRIVACY THREATS

AND PRACTICES

In this lesson we are going to learn about the threats to our online
security, privacy and information and become aware so that we can minimize
the threats brought by misuse and unwanted behaviors. We will also learn
about the proponents involved in breaking our security and privacy.

Information Security

We have learned from previous lesson about the value of information.

What makes it valuable is it can meet the characteristics described such as
accuracy, reliability, completeness, and others. Anything that could alter the
characteristics of information can be considered as a threat. Security is one of
those characteristics of information. Information security is a broad term in
the sense that it can encompass the protection of the information from
accidental or intentional misuse by persons inside or outside an organization.
When it comes to information security, hackers and viruses are the two most
known threats.

Hackers
We defined hackers in our previous lesson as people who use
Information Technology in unconventional or unusual way. As a threat,
hackers are labeled as bad people with bad intentions. However, not all
hackers are consideredbad. To show us what this means, we will learn more
about the different types of hackers.

• Black-hat hackers break into other people’s computer systems and

may just look around or may steal and destroy information.
• Crackers have criminal intent when hacking.
• Cyberterrorists seek to cause harm to people or to destroy critical
systems or information and use the Internet as a weapon of mass
destruction.
• Hacktivists have philosophical and political reasons for breaking

Bright future starts here Module 1: Fundamentals of Information Technology

 URDANETA CITY
UNIVERSITY COLLEGE OF ENGINEERING
AND ARCHITECTURE
Owned and operated by the City Government of Urdaneta

into systems and will often deface the website as a protest. They
usually hack into government websites.
• Script kiddies or script bunnies find hacking code on the Internet
and click-and-point their way into systems to cause damage or
spread viruses.
• White-hat hackers work at the request of the system owners to find
system vulnerabilities and plug the holes. Sometimes they are
given other titles such as penetration testers and ethical hackers.

Viruses
One of the most common forms of computer vulnerabilities is a virus.
• A virus is software written with malicious intent to cause
annoyance or damage. Some hackers create and leave viruses,
causing massive computer damage.
• A Malware (malicious software) is a software that is intended to
damage or disable computers and computer systems.
• A worm spreads itself not only from file to file but also from
computerto computer.

The primary difference between a

virus and a worm is that a virus must
attach to something, such as an
executable file, to spread. Worms do
not need to attach to anything to
spread and can tunnel themselves
into computers.

• Adware is not actually avirus,

because it serves as an outlet
for advertising,
However, it allows internet
advertisers to annoyingly display ads without the consent of the user.
Sometimes, these ads contain malicious contents like pornography or
spam ads.
• Spyware programs collect specific data about the user, ranging from
general demographics such as name, address, and browsing habits, to

Bright future starts here Module 1: Fundamentals of Information Technology

 URDANETA CITY
UNIVERSITY COLLEGE OF ENGINEERING
AND ARCHITECTURE
Owned and operated by the City Government of Urdaneta

credit card numbers, Social Security numbers, and usernames and

passwords. An example of this is a keylogger that records everything
you type on your keyboard including passwords.
• Ransomware is a form of malicious software that infects your computer
and asks for money, hence, the word “ransom”. Ransomware encrypts
your personal files and demands payment for the files’ decryption keys.
Encrypted files will not be readable unless decrypted. Ransomware is
malware for data kidnapping, an exploit in which the attacker encrypts
the victim’s data and demands payment for the decryption key.
Ransomware spreads through e-mail attachments, infected
programs, and compromised websites. A ransomware malware
program may also becalled a cryptovirus, cryptotrojan, or cryptoworm.
Attackers may useone of several different approaches to extort money
from their victims: After a victim discovers he cannot open a file; he
receives an email ransom note demanding a relatively small amount of
money in exchange for a private key. The attacker warns that if the
ransom is not paid by a certain date, the private key will be destroyed,
and the data will be lost forever.
• Trojan horse are malicious programs that are built (usually without the
manufacturer/programmer knowing) into legitimate applications. They
appear to be a legitimate software but internally it has an intentional
threat.

Hacker Weapons

Going online makes everything easy, but with it comes online security
threats. Some of these threats employed by hackers are the following.

1. Phishing. This method is a trick used by criminals to deceive you into

revealing personal information, passwords, and other credentials. They
implement these through fake emails or SMS messages, fake websites.

Watch this video about phishing: https://bit.ly/3l2X4kl

2. Pharming is a method cybercriminal might use to improve their odds

of tricking online users with phishing websites. Unlike phishing, pharming

Bright future starts here Module 1: Fundamentals of Information Technology

 URDANETA CITY
UNIVERSITY COLLEGE OF ENGINEERING
AND ARCHITECTURE
Owned and operated by the City Government of Urdaneta

doesn’t rely so much on fake messages. Instead, cybercriminals attempt

to directly redirect user connection requests to malicious websites.

Watch this video about pharming: https://bit.ly/3mXgsA1

3. Application Vulnerabilities
Application vulnerabilities are usually bugs and errors found in the code of a
specific program which can be taken advantage of by cybercriminals or
hackers to access and steal user data. These are what hackers try to exploit to
gain access to private data. These issues are normally solved with a software
update.
Bugs are part of apps that were problems not resolved or seen by the app
creators which hackers use to gain access to private data.

4. Scams
Scammers have been preying on people before the Internet was a
thing. Now, they’re more active and successful than ever since scamming
people out of their money and personal information is much easier.
Usually, scammers will employ all sorts of tactics to deceive online users and
trick them into revealing sensitive information (like their Social Security
Number, credit card details, bank account details, email login credentials,
etc.) so that they can either steal their money or their identity.

Online scams will usually involve phishing attempts, but they can also
involveother methods:
• Ponzi schemes
• Pyramid schemes
• Catfishing (Fake Profiles)

Watch videos
Pyramid Scheme: https://bit.ly/2TZQgZ6
Ponzi Scheme: https://bit.ly/2I3lADv

1. Man-in-the-Middle Attack
Man-in-the-Middle (MITM) attacks involve a cybercriminal intercepting or
altering communications between two parties.

Bright future starts here Module 1: Fundamentals of Information Technology

 URDANETA CITY
UNIVERSITY COLLEGE OF ENGINEERING
AND ARCHITECTURE
Owned and operated by the City Government of Urdaneta

A good example of that is a hacker who intercepts the communications

between your device and a website. The cybercriminal could intercept your
connection request, alter it to suit their needs, forward it to the website, and
then intercept the response. This way, they could steal valuable information
from you, such as your login details, credit card info, or bank account
credentials.

2. Spamming
Spamming can be defined as the mass distribution of unsolicited messages
on the Internet. The messages can contain anything from simple ads to
pornography. The messages can be sent through email, on social media, blog
comments, or messaging apps.

3. WiFi Eavesdropping
WiFi eavesdropping normally takes place on unsecured WiFi networks
(usually the free ones you see in public), and it involves cybercriminals taking
advantage of the lack of encryption to spy on your online connections and
communications. They could see what websites you access, what email
messages you send, or what you type into a messaging application.

4. Social Engineering
Hackers don’t only resort to exploiting computers. They also exploit social
trust. Hackers cannot hack into computers that are not connected to the
internet, so one way to hack into it is to hack into people’s minds. Phishing is
aform of social engineering because its primary method is to exploit social
trust.Dumpster diving, or looking through people’s trash, is another way for
hackers obtain information. Pretexting is a form of social engineering in
which one individual lies to obtain confidential data about another individual.

Watch this video about social engineering: https://bit.ly/3n1TCHz

What does online security involve?

To secure your account on a website, a method called authentication and

authorization is required. Authentication is simply a method of verifying who
the person or user is before it can gain access to a set of information. Most
implemented authentication online is the combination of username and

Bright future starts here Module 1: Fundamentals of Information Technology

 URDANETA CITY
UNIVERSITY COLLEGE OF ENGINEERING
AND ARCHITECTURE
Owned and operated by the City Government of Urdaneta

password. You can login to your account through authentication by means of

entering your username and password. Authorization, on the other hand, is
the level of access that a user is permitted to do (What certain things can they
able to see, change or do).
To put it simply, authentication determines whether users are who they claim
to be, and authorization determines what users can do and access.
Authentication and authorization techniques fall into three categories; the
most secure procedures combine all three:

1. Something the user knows, such as a user ID and password.

2. Something the user has, such as a smart card or token. Tokens are
small electronic devices that change user passwords automatically. A
smart card is a device about the size of a credit card containing
embedded technologies that can store information and small amounts of
software to perform some limited processing. Today we have our phones
which has our unique contact numbers to be used as an authenticator. If
you have experienced using OTP (One-time Pin / One-time Password),
that is an example of this. For example, when sending money through
mobile banking, the banks send an OTP to your phone which you can
enter to the mobile banking app to authenticate whether it is really you
who is doing the transaction. OTPs usually are in the form of 4 to 6- digit
numbers.
3. Something that is part of the user, such as a fingerprint or voice
signature. This is by far the best and most effective way to manage
authentication. Biometrics are devices that are used for this type of
authentication. It recognizes one or more of your physical features such
as fingerprints, face, iris, voice, and others which are unique to every
person.

Single-factor authentication is
the traditional process which
requires a username and
password. Some websites have
only this level of authentication.

Bright future starts here Module 1: Fundamentals of Information Technology

 URDANETA CITY
UNIVERSITY COLLEGE OF ENGINEERING
AND ARCHITECTURE
Owned and operated by the City Government of Urdaneta

Two-factor authentication requires the user to provide two means of

authentication.

As in the case of Facebook, it allows its users to enable two-factor

authentication or 2FA for short. What happens in a 2FA is when a user logs in
to Facebook with a username and password, they will be prompted for an
OTP/pin/code sent to their phone or email. After receiving that code as SMS,
they type them on Facebook to be logged in to their account.

Video about 2-Factor Authentication: https://bit.ly/3691UXd

Multifactor authentication or MFA requires more than two means of

authentication such as what the user knows (password), what the user has
(security token), and what the user is (biometric verification).
With 2FA and MFA it is harder for unauthorized users to access your account.

Things You Can Do to Boost Your Online Security

1. Install an antivirus. Especially, if you are using a desktop computer with
Windows installed in it you must have this protection to protect the
integrity of your files.
2. Backup your files/data. Copy your files from one device to another or
duplicate your files in an external storage such as USB flash drives. This
will save you from a lot of headaches when you deal with lost or
corrupted files. It is highly recommended that you backup your files
into a cloud storage such as Google Drive, Dropbox, and SkyDrive.
3. Always beware of emails and SMS that you receive. Don’t believe
everythingto avoid phishing attempts.
4. Use strong password. Kevin Mitnick, a convicted hacker, now a
computer security consultant suggests the following properties in
creating a password.
▪ Passphrase usage instead of a standard password
▪ Contains upper and lowercase letters
▪ Contains numbers and symbols
▪ Contains spaces

A passphrase contains multiple words or structured as a sentence. For

Bright future starts here Module 1: Fundamentals of Information Technology

 URDANETA CITY
UNIVERSITY COLLEGE OF ENGINEERING
AND ARCHITECTURE
Owned and operated by the City Government of Urdaneta

example,“eating a banana daily is better than smoking” Who would dare to

guess this kind of password, right? If you are not satisfied with this password,
you may take it further by applying uppercase letters, numbers and symbols
on the same passphrase and we could change it to: Eating @ Banana Da!ly i$
be++er than Sm0king

5. Enable 2FA (Two Factor Authentication) on your online accounts if

provided.
6. Update your apps. Updates are usually bug fixes that removes
applicationvulnerabilities.
7. As much as possible, avoid connecting to free public Wi-Fi (those that
do notrequire password to connect).
8. Investigate before investing on something to avoid scams.
9. Be cautious on visiting websites with http:// or with open padlock
symbol.Go to sites with https:// or websites with a closed padlock
symbol.

10. Educate yourself and the people around you about online security

LEARNING ACTIVITY 8

Give a long answer. Your answers can be short and direct to the point.
Article was excerpted from Wired.com:
https://www.wired.com/story/facebook-security-breach-50-million-
accounts/

Everything We Know About Facebook’s Massive Security Breach

Up to 50 million Facebook users were affected—and possibly 40 million
more—when hackers compromised the social network's systems.

Facebook’s privacy problems severely escalated Friday when the social

network disclosed that an unprecedented security issue, discovered
September 25, impacted almost 50 million user accounts. Unlike the

Bright future starts here Module 1: Fundamentals of Information Technology

 URDANETA CITY
UNIVERSITY COLLEGE OF ENGINEERING
AND ARCHITECTURE
Owned and operated by the City Government of Urdaneta

Cambridge Analytica scandal, in which a third-party company erroneously

accessed data that a then- legitimate quiz app had siphoned up, this
vulnerability allowed attackers to directly take over user accounts.

The bugs that enabled the attack to have since been patched, according to
Facebook. The company says that the attackers could see everything in a
victim's profile, although it's still unclear if that includes private messages or if
any of that data was misused. As part of that fix, Facebook automatically
logged out 90 million Facebook users from their accounts Friday morning,
accounting both for the 50 million that facebook knows were affected, and an
additional 40 million that potentially could have been. Later Friday, Facebook
also confirmed that third-party sites that those users logged into with their
Facebook accounts could also be affected.

Facebook has yet to identify the hackers, or where they may have originated.
“We may never know,” Guy Rosen, Facebook’s vice president of product, said
on a call with reporters Friday. The company is now working with the Federal
Bureau of Investigation to identify the attackers. A Taiwanese hacker named
Chang Chi-yuan had earlier this week promised to live-stream the deletion of
Mark Zuckerberg's Facebook account, but Rosen said Facebook was "not
aware that that person was related to this attack."

“If the attacker exploited custom and isolated vulnerabilities, and the attack
was a highly targeted one, there simply might be no suitable trace or
intelligence allowing investigators to connect the dots,” says Lukasz Olejnik, a
security and privacy researcher and member of the W3C Technical
ArchitectureGroup.

On the same call, Facebook CEO Mark Zuckerberg reiterated

previous statements he has made about security being an “arms race.”

“This is a really serious security issue, and we’re taking it really seriously,” he
said. “I’m glad that we found this, and we were able to fix the vulnerability
and secure the accounts, but it definitely is an issue that it happened in the

Bright future starts here Module 1: Fundamentals of Information Technology

 URDANETA CITY
UNIVERSITY COLLEGE OF ENGINEERING
AND ARCHITECTURE
Owned and operated by the City Government of Urdaneta

first place.”

The social network says its investigation into the breach began on September
16, when it saw an unusual spike in users accessing Facebook. On September
25, the company’s engineering team discovered that hackers appear to have
exploited a series of bugs related to a Facebook feature that lets people see
what their own profile looks like to someone else. The "View As" feature is
designed to allow users to experience how their privacy settings look to
another person.

The first bug prompted Facebook's video upload tool to mistakenly show up
on the "View As" page. The second one caused the uploader to generate an
access token—what allows you to remain logged into your Facebook account
on a device, without having to sign in every time you visit—that had the same
sign-in permissions as the Facebook mobile app. Finally, when the video
uploader did appear in "View As" mode, it triggered an access code for
whoever the hacker was searching for.

“This is a complex interaction of multiple bugs,” Rosen said, adding that

the
hackers likely required some level of sophistication.

That also explains Friday morning's logouts; they served to reset the access
tokens of both those directly affected and any additional accounts “that have
been subject to a View As look-up” in the last year, Rosen said. Facebook has
temporarily turned off "View As," as it continues to investigate the issue.

“It’s easy to say that security testing should have caught this, but these types
of security vulnerabilities can be extremely difficult to spot or catch since they
rely on having to dynamically test the site itself as it’s running,” says David
Kennedy, the CEO of the cybersecurity firm TrustedSec.
…

1. What was the security breach all about?

2. What was the problem identified that caused this security breach?
3. What type of online security threat happened?

Bright future starts here Module 1: Fundamentals of Information Technology

 URDANETA CITY
UNIVERSITY COLLEGE OF ENGINEERING
AND ARCHITECTURE
Owned and operated by the City Government of Urdaneta

4. What was the action taken by Facebook against this breach?

5. If you found out that you were affected by this attack, what would you
havedone?

Prepared by:

REYNANTE M. PASCUA, CpE

Faculty, College of Engineering and Architecture

Bright future starts here Module 1: Fundamentals of Information Technology