CenturyLink.net | CenturyLink RescueITSM

Operating System and Security Software

Every online experience is a collaboration between several applications on a user's PC and those on a remote computer or collection of computers, generally completely unnoticed by the individual visiting the website or online service. Unfortunately, every layer of software contributing to this experience provides an opportunity for an attacker. Most reputable websites and service providers go to great lengths to maintain a safe and stable environment on their end of the experience. Exploits and vulnerabilities are constantly being identified and exploited in Internet applications. All too often, it is the end user’s computer and software where the exploits are perpetrated. Users can limit their chances of exploitation by closely monitoring their systems and updating software regularly.

  • The most common threats can be avoided by simply keeping your computer operating system and software up to date. Reputable software vendors frequently patch their software to fix known security flaws and provide updates to their software via their website or with automatic updates within the application itself.
  • It is important to install and regularly update real-time security software on your PC. CenturyLink provides and supports industry-leading security software at no charge to our users. This software is easy to install and will update itself daily.

Operating System Updates

The computer’s Operating System is the heart and soul of its function. If this most central aspect of a PC is compromised, a remote attacker can perpetrate his or her malicious intent on thousands of PCs around the Internet without ever drawing suspicion to themselves. In fact, this is exactly how a lot of spam and “phishing” websites are powered on the Internet today. An unprotected PC will be infected with malicious code causing it to spew out thousands of spam messages or host a fake website to solicit information from unknowing individuals. The entire time this is occurring, the PC owner could be completely oblivious to what is occurring on their own PC. These same exploits can be used to aggregate personal information, log your keystrokes, or even host inappropriate or illegal content.

One of the easiest ways to prevent such compromises is to ensure that the operating system is regularly updated with security patches from the vendor. Users of Microsoft Windows operating systems should confirm that their systems are set to accept these updates automatically and regularly. Macintosh users, who have historically been targeted less frequently, have recently become more subject to these attacks.

The links below provide information on setting up automatic updates for common operating systems:

Browser Plugins

The World Wide Web has evolved from a small collection of static pages into a collaboration of many types of code and technologies that allow users a more fulfilling experience than ever before. All of this content and plethora of features and capabilities is partly due to the browser getting assistance from plugins or “helper” applications. When your browser needs to display Java, Flash, Shockwave, or certain media content, it calls for help from an application or “interpreter” to process these files that it cannot understand on its own. Just like your Operating System, these plugins sometimes present security risks of their own. All of these plug-in and helper applications should be updated regularly as well.

Many of these common helper applications are available on centurylink.net. Click on My Account > Settings > Downloads in the directory. Once in the Downloads area, you will see a list of software available to enhance your online experience.

Security Software

CenturyLink makes its award-winning software available to all CenturyLink High Speed Data users. Simply log into your personal homepage at centurylink.net (or create an account to do so), and click on CenturyLink Online Security from the My Services section of the left hand navigation menu to access this software.

This software is integral to the safest online experience. CenturyLink provides this software at no additional cost (a $70 retail value) on up to 8 PCs in your home. This software updates itself regularly with minimal interaction required from the end user. CenturyLink Online Security helps even the most novice Internet user to protect their online identity, personal information, and home PC investment.

CenturyLink Online Security includes the following protection modules:

  • Virus and Spy Protection – Real-time and scheduled system scans for malicious code on your PC.
  • Spam Control – Allows additional control over the network based spam control that CenturyLink provides to HSI users.
  • Internet Shield – Firewall, application control, Intrusion Prevention, and even a Dialup Control option for users who need dialup modems when they travel.
  • Content Controls – Allows parents to determine what content and time limitations are appropriate for their children or other users on their PCs.

Email Security

Important Email Security Tips:

  1. Never respond to an email asking for personal or financial information such as your email address, password, Social Security Number, etc. (CenturyLink, PayPal, and your bank are examples of companies that would never ask for personal information in an email.)
  2. Don’t open an email or attachment from someone you do not know or trust.
  3. Never click on a link or executable file within an email from a company or organization that you do not trust.
  4. Do report “suspicious” email by forwarding it to phishing@centurylink.net.
  5. Do keep security software and operating systems up to date.

Email has become an integral part of most of our lives. For many of us, it may be the most common way we communicate with others. Long gone are the days when email was simple text transactions between two users looking at black and white terminals. Today’s users expect crisp fonts, colors, inline images, background patterns, HTML and other browser-specific formatting as well as the ability to attach moderately sized files to their messages. The evolution of email technology that allows all of these new features has greatly enhanced the experience of email users, but has brought along with it some very common and serious security concerns. Email has historically been the most common method for attackers to get malicious code to unsuspecting users, and while many new and creative tactics are being employed, this method is still frequently used to propagate malicious code.

Email Attachments

Throughout the evolution of email and all the resulting additional features, it is likely that the most prominent would be the ability to “attach” files to email messages. While these changes certainly make the transport of such files simpler and email more useful, they also introduce some technical and security concerns. Email was not designed with these large attachments in mind and actually handles them quite inefficiently. In addition to the inefficiencies of transmitting files this way, it is a huge security risk for users to allow files of unknown origins onto their PC. As many email applications continue to allow more and more “web functionality” directly within the email program, more options are available to attackers. Users should be very cautious when opening email attachments, even from trusted sources. As a best practice, email users should only download or open attachments from a sender that they know and trust, and should confirm they know what the attachment is before opening it. Opening any unknown email attachment (even from a trusted sender) can immediately infect your PC with malicious code. Some infected machines will further utilize their host’s mail application to spread the infection by emailing individuals in that machine’s address book.

CenturyLink’s feature-rich webmail gives its users additional protection against storing possibly infectious code on their PCs. Our email network spam filtration will keep the majority of spam and malicious emails from ever reaching the inbox. Any suspicious email that may reach the mailbox can be deleted on our servers before it ever reaches your PC’s hard drive.

Loading Web-Content Inside of Email Messages

Some email messages contain images and web content directly in the body of the email. By default, CenturyLink Webmail will not load these external pages.

This content, if loaded, can validate the existence of an email address to an attacker. A common technique used by spammers is to send out messages blindly to “guessed” email addresses (which are generated from “dictionary” lists or purchased from old spam lists). Once a spammer confirms that an address is valid, it gets moved to an even higher value list in the spam community and will be targeted for even more spam.

Many recent Internet attacks have been based on browser or web code exploits. Once attackers find these exploits, they can quickly spread across the Internet and will often take users completely by surprise by loading pages inside innocent looking emails. Disallowing the auto loading of external content within email messages provides an additional layer of protection to users.
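
How a mail client can withhold remote content, shown as an added example (this is not CenturyLink Webmail's code): it parses a constructed sample message, strips every attribute that would trigger an automatic fetch, and reports what was blocked. The names `block_remote_content` and `RemoteContentBlocker` and the attribute list are assumptions made for illustration.

```python
from email import message_from_string, policy
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes a renderer fetches on its own (assumed list for this example;
# CSS url(...) and srcset are out of scope here).
AUTO_LOAD_ATTRS = {"src", "background", "poster"}

# Constructed sample message: a remote background, a 1x1 remote image whose
# URL carries the recipient address, an inline cid: image, and a normal link.
SAMPLE = """\
From: newsletter@example.invalid
To: someuser@example.invalid
Subject: Constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body background="http://img.example.invalid/bg.png">
<p>Hello &amp; welcome</p>
<img src="https://track.example.invalid/open.gif?id=someuser%40example.invalid" width="1" height="1">
<img src="cid:logo" alt="logo">
<a href="https://www.example.invalid/offers">Offers</a>
</body></html>
"""

def is_remote(url):
    """True if loading this URL causes a network request (http, https, //host)."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return True  # unparseable URL: fail closed and block it
    return parts.scheme in ("http", "https") or (not parts.scheme and bool(parts.netloc))

class RemoteContentBlocker(HTMLParser):
    """Re-emits the HTML with remote auto-load attributes dropped.
    Comments and doctype declarations are not re-emitted."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.blocked = [], []

    def _tag(self, tag, attrs, closer):
        kept = []
        for name, value in attrs:
            # <link href> is fetched automatically; <a href> only on a click.
            auto = name in AUTO_LOAD_ATTRS or (name == "href" and tag == "link")
            if auto and value and is_remote(value):
                self.blocked.append((tag, value))  # record it, do not emit it
                continue
            kept.append(f" {name}" if value is None else f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}{closer}>")

    def handle_starttag(self, tag, attrs):
        self._tag(tag, attrs, "")

    def handle_startendtag(self, tag, attrs):
        self._tag(tag, attrs, " /")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def block_remote_content(raw_message):
    """Return (safe_html, blocked) for the HTML body of an RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    if part is None:
        return None, []
    blocker = RemoteContentBlocker()
    blocker.feed(part.get_content())
    blocker.close()
    return "".join(blocker.out), blocker.blocked

if __name__ == "__main__":
    safe_html, blocked = block_remote_content(SAMPLE)
    for tag, url in blocked:
        print(f"blocked <{tag}> fetch: {url}")
```

The inline `cid:` image and the clickable link survive because neither causes a request when the message is merely opened; only the two automatic fetches are withheld.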

Clicking on Links or Executable Files Within Emails

Many spam or other malicious messages contain links to websites or even executable files. If you get an email from someone you don’t know or a company or organization that you did not subscribe to content from, do not click on links within the body of the message. In the best case scenario, these links may lead to a site and drive up advertising revenue for a site that could use this income to propagate even more malicious behavior. In an even worse scenario, the site this link leads you to may contain code that can compromise your PC.

It is never a good idea to run an executable file sent via email. Most respectable vendors will send software with a proper installer for your operating system that is digitally signed by that company. Any time a user elects to run an executable file, that application has access to the PC and could be executing malicious code or installing other code that may run silently in the background.

Mailing Lists and Electronic Advertisements

CenturyLink strongly enforces responsible business and personal email practices requiring that all electronic mailings be CAN-SPAM compliant. The guidelines described in this law are minimum guidelines for individuals who wish to send advertisements or any other customer communications. Businesses or civic organizations wishing to conduct business via email are strongly encouraged to maintain their business’s online reputation by adhering to even higher standards by utilizing effective software that requires their recipients to “double opt-in” to their email lists and providing timely responses to unsubscribe requests. There are many companies that provide these types of services to businesses and organizations at low cost, as well as providing access to software or online tools to manage these activities. Any users found to be in violation of these practices can have their email services and/or DSL service suspended immediately. To protect email service for all of its users and to maintain a reputation as a responsible ISP within the Internet community, CenturyLink will enforce all aspects of its Acceptable Use Policy.

Interacting with businesses via email can be very convenient and provide timely updates about products that you are specifically interested in. Be sure to thoroughly evaluate a company’s privacy policy before providing them with your email address. Additionally, you want to ensure that information will only be used by that company for communications that you elect to receive. Less than reputable companies may sell your information to other vendors or attempt to send you communications you do not wish to receive. If you are interacting with a company that you no longer wish to receive communications from, be sure to utilize their unsubscribe option. Simply marking messages that you no longer wish to receive as spam can harm a company’s online reputation and cause problems for other customers who are interested in their communications.

Note: Do not attempt to unsubscribe from email communications that you did not sign up for. This can validate that your address is valid and cause you to be targeted for more spam.

Response to Spam or Phishing Emails

Despite the exhaustive efforts that CenturyLink employs to limit spam, there will likely be occasions where every user will receive some sort of Spam message or Phishing email (a fraudulent attempt to elicit personal information by misrepresenting a reputable agency). Often users unfamiliar with these threats are not sure how to handle these communications. Please reference the list at the bottom of this document for valid addresses to report such emails. Most importantly, never respond to such an email. No good will ever come of validating your existence or a successful delivery of unsolicited emails.

CenturyLink Webmail users can simply select the message and click on the SPAM button on the webmail toolbar to report a message as spam.

Reporting Suspicious Email Communications

If you receive a phishing email which is asking for your personal information such as any account information or passwords DO NOT RESPOND TO IT. Please forward it to phishing@centurylink.net. CenturyLink will never ask for personal information via email and strongly recommends that our users do not relay such information to any company via any insecure methods.

If you are a webmail user and receive a spam email in your inbox, please click the “SPAM” button to report it as spam. If you receive an email in your SPAM folder that is not spam or junk, click the “Not SPAM” button.

If you are using a third party email client such as Microsoft Outlook or Outlook Express and you receive an email that is spam, please forward that particular email to spam@centurylink.net.

Gaming and Associated Applications

Online console games, interactive games and MMORPGs (Massively Multiplayer Online Role-Playing Games) all provide players the ability to interact with others in their favorite games. The addition of real-time multi-player interaction takes gaming to the next level and allows players to interact with others of similar interests. Most of the popular gaming companies go to great measures to provide players with a safe and comfortable environment. Players and parents should be aware of the possibility of scams, inappropriate player behavior, and PC security threats associated with game add-ons and player collaboration.

  • Parents or guardians should closely evaluate the content and activities of children and minors participating within gaming communities. These communities can pose the same threats as other social networking environments. Online predators, inappropriate language/content, and “cyber-bullying” could all be relevant concerns.
  • Online scams, cheats, and game currency scams are common in the online gaming environment. Many game providers closely monitor this type of activity and cancel or revoke memberships for inappropriate behavior. Closely monitor any type of “add-ons” or online purchases made for games and check the game vendor’s Acceptable Use Policy before purchasing 3rd party “helper” applications. Purchasing game currency, trading accounts, or installing cheats violates most of these companies’ policies and companies that provide such services should not be provided with personal or banking information. Any third-party gaming software poses the same threat of containing malicious code as other software downloads. Check with other users who may have downloaded this content before installing on your PC.
  • Many gaming clans or guilds offer online user forums, instant messaging, and even voice chat (through services such as TeamSpeak or Ventrilo). If minors are utilizing such services, supervision may be appropriate until a level of comfort is established with the clan/guild in question.

Social News, Blogging, and Discussion Forums

Social news sites (more formally known as social bookmarking) until fairly recently have been the playground of techies and “geeks”. Several sites have expanded their subject matter or extended these offerings to more common interests. Many find some of these “bookmarking” sites quite useful and profitable. Digg, Slashdot, or Reddit would be examples of some of the larger, older sites that tailor to more technical users, while sites like Propeller and Newsvine would cater to more common interests. Most of these sites are relatively safe and provide some anonymity; however, many do allow the creation of user profiles, for which consideration should be given as to how much information is appropriate. Some users may find the tone of conversation, content, or responses inappropriate for their tastes or for their children. Most of these services provide “user policing” for content and abuse, which may not be in alignment with some users’ personal preferences.

There are blogs for every imaginable interest. Companies or hosts providing such services often let the user base decide limitations of morality and other rules (if any) applied to the blog. It is each user’s responsibility to decide, for themselves and for the children they are responsible for, what content is appropriate. The same guidelines for protection of personal data apply to these types of sites.

Discussion forums share some similarities to the previously mentioned platforms, but are often a bit more “intimate” in nature. It is very common for MMORPG “guilds”, hobbyists, and even churches or civic organizations to have personal discussion forums. Again, users should be very aware of the type of content that may be discussed or posted in these forums, as well as closely investigating the Privacy Policy of the host and what information is requested in the registration. It is not uncommon for these services to request information such as home addresses, birth dates, IM and email information.

The three platforms mentioned above are very commonly used to harvest email addresses for spammers. If you feel the need to post your personal or business email contacts to such forums, it is a good idea to either post it as an image (see if the site allows this) or spell it out like someuser(at)centurylink(dot)net or similar. This makes it at least somewhat more difficult for applications used by spammers to farm addresses from these sites with the “web crawling” scripts they commonly use for this purpose.

More commonly found in discussion forums than the other two, users should also be careful of “spamvertisements” on these sites as well. While blogs and social bookmarking sites generally have a little more traffic and user policing, some forums have a hard time or limited resources to track down spam posts. Users should not click on any links or respond to any thread that appears to be spam. Some forums create “spam trap” threads to try and isolate these posts. Do not peruse these threads or open any of the links. The same dangers exist here as in email or IM spam content.

Real-time Communication Platforms

Even if you don’t personally utilize Instant Messaging, Video Chat services, or some sort of chat applications on the web, you likely will not need to look far to find someone who does. If you have middle-school or above aged children in your home, it’s highly likely that such services are used in your home.

Some instant messaging platforms include AOL Instant Messenger, ICQ, Yahoo IM, MSN IM, Google chat, Skype, Jabber, and IRC just to name a few of the larger ones. Many of these also incorporate the ability for users to take advantage of video and voice chat as well.

With an always-on, high speed data connection, what is there not to like about the ability to chat, talk, or share content with friends, family, and loved ones any time of the day? Such tools provide a great way for us to easily keep in touch and share with those we care about. Prior to setting up your account and installing the service, there are several considerations you may want to make.

  • Protect your identity – While the vast majority of these services are free, you are typically required to register and build a “profile”. Be sure to carefully read the terms of service and privacy policy on whatever platforms you choose. Also make sure you know what information is visible and available for reference to others. While you may be comfortable with family or close friends knowing certain things about you or your personal life, the “stranger” that you exchange IM names with in-game, on a forum, or elsewhere may not be someone you are comfortable with having access to the same information.
  • Incoming files – Most of the IM platforms and several “group chat” platforms like IRC (Internet Relay Chat) provide mechanisms for transferring files. This is extremely handy if you want to exchange photos of a recent event with a family member or maybe even pass a large spreadsheet or presentation document to a co-worker. The same precautions taken with files received via email or the web should be exercised in this medium. Be sure you know and trust the sender. Only open files if you know what they contain, and it’s never a good idea to exchange or run executable files from others.
  • IM “Spam” – Just like in email, instant message clients are also targeted for unsolicited communications. These contacts are harvested and perpetrated in much the same way as email spam targets (aggregated from websites, “randomly” generated dictionary attacks, etc.). As such, the best response is to just close any window from an unknown sender and report the username to that service’s abuse contact. Often these messages will contain links to a website. No matter how tempting, do not open these links. Often the sites will contain malicious code that will infect your machine, or at a minimum you may be generating advertisement revenue for the individual or group perpetrating this behavior.
  • Online predators – Unfortunately, the same “anonymity” that a well educated and careful user is afforded in many social mediums is also extended to those with less honorable or innocent intentions. This anonymity allows predators to project whatever image they want to a victim and often allows them to gain trust and possibly get more personal information than that victim would normally give out. Children or teens are very susceptible to these types of ploys and parents should be very cautious about their “buddy list” and provide constant scrutiny to their children’s online activities. Make sure that any minors that use your PC are educated as to what information is and is not safe to provide, make attempts to monitor and restrict their contact lists, and if you do find that your child’s safety appears to have been compromised online, do not hesitate to contact the site’s abuse department and even local law enforcement if you feel there may be an imminent threat to you or your child.

P2P Threeplay

Dare you take on the Great and Powerful P2P Master? A game of tic-tac-toe awaits anyone willing to test their peer-to-peer file-sharing smarts. Courtesy of OnGuardOnline.gov.
