Khan Academy unit

When a computer wants to use public key cryptography to send data securely to another computer, those computers need to start a multi-step exchange of information.

The two computers send their public keys to each other.

Which statements are true about multi-factor authentication?

MFA requires evidence from at least two authentication factors. MFA adds an additional level of security to the authentication process.

Which of these combinations of evidence would count as two-factor authentication?

1. A number generated by a user's mobile application 2. The name of the user's first grade teacher

Dax is a customer of the payment company BeanMo and typically logs on to "beanmo.com". He receives an email that claims to be from BeanMo and contains a link to a webpage. Screenshot of an email with sender "BeanMo [email protected]" and body text "Hi Dax, Your transaction history for January 2020 is now available." followed by a button "View history on BeanMo.com" He clicks the link but then starts to wonder if the email may be a phishing attack, as it looks different from their usual emails. Once the webpage loads, he checks the URL in the browser to see if it's really a BeanMo URL. Which of these URLs is most likely a legitimate BeanMo domain?

account.beanmo.com

Multi-factor authentication (MFA) is typically used in computing systems. However, we could imagine how MFA could be used in non-digital settings. If we were to protect the door to a castle with MFA, which of these would be considered multi-factor?

An outer door which requires a key and an inner door that requires a pin code.

Which of the following best describes symmetric encryption?

An encryption scheme where the sender and receiver use the same shared key for encrypting and decrypting data.

Which of these describes a multi-factor authentication system?

An enterprise website asks the user to enter a code generated by an application on their mobile phone. They then ask the user for their password.

ZeuS is malware that is typically used to steal banking data from a computer's users by installing a key logger and sending the logged data to the attackers. What best describes how antivirus software can protect against ZeuS?

Antivirus software can scan the files on the drive and notify users of files that look like the ZeuS malware.

Madden connected securely with HTTPS to this website: https://www.football-gamers.com/teams/tigers His browser validated the digital certificate of the website before loading the page. The digital certificate contained this encryption key:

It's the public key of football-gamers.com

Which of the following situations is made possible thanks to public key encryption?

A customer enters their credit card number on a website, and the server securely receives the number without the possibility of cybercriminals seeing the credit card number.

The following snippet is from a 2017 article on an information security news site. "A Virginia man pleaded guilty on Friday to charges of aiding and abetting computer intrusion, accused of writing a keylogger that sold to over 3,000 people and infected 16,000 victims." In what way does a keylogger aid computer intrusion?

A keylogger records everything a user types and uploads the data to a server

Kadijah is concerned about her geolocation getting tracked and stored in a database. To avoid her geolocation being tracked, which computing devices should she avoid using? I. Devices on a wired Internet connection II. Devices on a wireless Internet connection III. Devices with a GPS receiver

I, II, and III

A website is setting up a multi-factor authentication system and considering which evidence to ask for. They've narrowed the list down to these four: I. The user's voice saying "Hello" II. The user's favorite song III. A code sent to the user's cell phone IIII. A password set by the user

II & IIII

On September 11, 2017, the Google Chrome security team announced a plan to stop trusting certificates issued from the Symantec certificate authority. The Chrome team announced the plan after reports that some of Symantec's certificate issuing organizations were issuing certificates to domains that weren't properly verified.

If a cybercriminal acquires a certificate for a domain they don't own, they can use that to secretly steal private data from that domain's website users.

A search engine collects the following search records for a user: Each record contains four pieces of information: The query typed into the search engine by the user A unique ID that identifies the user The date when the user typed the query The URL of the first result clicked by the user In what way could the search engine personalize future search results based on this history?

If the user searches for anything educational, the search engine could prioritize content from Khan Academy. The search engine could show an advertisement next to the search results for "Game of Thrones", a fantasy drama TV series.

Rin doesn't want her parents to read her letters to her sister, so she uses a Vigenère cipher to make the letters secret. Her process: Rin shares the key ("BANANA") with her sister. Using the key, Rin turns the message "Ice cream time" into "Jcr ceebm gize". Rin sends a letter with "Jcr ceebm gize" to her sister. Using the key, her sister turns the message "Jcr ceebm gize" back into "Ice cream time".

Key-sharing Encryption Communication Decryption

Kimberly is trying to understand which of her devices and apps can collect information about her location. Which of the following statements is true?

None of the above

Nisa receives this security alert about her Google account: Screenshot of email that says: Subject: ⚠️We've Detected Unusual Activity on Your Account ! ⚠️ From: Security Alert [email protected] Body: Connecting to a new device A user has just signed in to your Google Account from a new device. We are sending you this email to verify that it is you. Location : india mumbai Two buttons at bottom say "Yes me !" and "Not me !" She suspects that it's a phishing email, so she decides not to click the buttons at the bottom. Which aspect of the email is least indicative of a phishing attack?

The email includes a company logo

Femke went to a computer lab and connected her laptop to the WiFi network. She later received an email from the lab administrator warning that the WiFi network was in fact a rogue access point. Which of the following could have occurred while she was connected to the rogue access point?

When she used her laptop to submit an online form, the rogue access point could have modified her form submission on its way to the server.

An advertisement company builds a profile of a user based on their browsing history across many websites and uses that profile to create more targeted advertisements.

Cookies

A company develops a mobile app designed for parents to monitor what their children are doing. The parents install the app on the phone, and it can record details like who the child is conversing with and what apps they're using. It can also record and store the geolocation of the child. Which of these questions from parents could not be answered by the recorded geolocation data?

Did my child hang out in the park in a group of more than 20 people?

What is the difference between malware and a software bug?

Malware is designed to intentionally inflict damage on a computer; a software bug is an accident.

Agatha received an email from her bank that asked for verification of her account details. She clicked the link in the email, and entered her username and password into a form. Screenshot of webpage with heading of "Verify account" and a form with 2 input fields. First field is labeled "Username" and second field is labeled "Password". Button says "Submit". At that point, she realized the email was a phishing scam, and she had just revealed her password to the cyber criminals behind the scam. What are the effects of revealing her bank account password to cyber criminals? 👁️Note that there are 2 answers to this question.

They can use the password to login to the real bank website. They can try the password on other websites where she has a login.

In what way is multi-factor authentication (MFA) more secure than a password?

MFA adds an additional level of security for an attacker to break through.

A user complains that their anti-virus software claimed to have eliminated a virus, but it popped up again the next day. What's the most likely explanation for why a computer virus may be hard to eliminate?

A virus can copy itself into multiple files on the operating system.

Horacio is new to the Web and is concerned about his privacy while using a web browser. Which of these steps would NOT increase his privacy?

Disabling auto-play of video and audio files in the browser's settings

Rolando is using a browser that's owned by a major Internet company and is concerned about the company having access to his browsing history. Which of these next steps would be the least helpful in addressing his concerns?

Disabling cookies in the browser's privacy preferences

Madden connected securely with HTTPS to this website: https://www.football-gamers.com/teams/tigers His browser validated the digital certificate of the website before loading the page.

It's the public key of football-gamers.com

Tatsuki receives an urgent email from his bank: Screenshot of email that says: Subject: Urgent: Barclay's Bank Tax Documents From: Bank Support [email protected] Body: Dear Bank Customer, The federal government requires us to have up-to-date account information for all accounts. You must download, fill out, and send back the attached form. If we do not have form by next week, your account will be frozen! The bottom shows an attached document named "form.html" He thinks it might be a phishing scam, so he decides to ignore it. Which aspect of the email is least indicative of a phishing attack? Choose 1 answer:

The email references the federal government.

When connecting securely to a website, what information must be in their digital certificate? 👁️Note that there are 2 answers to this question.

The website's domain name The website's public key

Secure web browsing relies on a trust model to verify the authenticity of digital certificates. Which of these best describe the trust model involved?

User → Browser → Certificate Authority → Website

Sümeyye is buying a subscription from an Internet Service Provider (ISP) for her new apartment so that she can have wireless Internet access in each room. She already has a laptop that can connect to WiFi networks. Does Sümeyye need to purchase any additional hardware to have wireless Internet access?

Yes, she needs a wireless router that will send and receive packets from the apartment's wired Internet connection.

A privacy-concerned citizen wants to introduce local regulations to restrict companies that collect the geolocation data of their users. They would like every company to present users with a warning and explanation before collecting the data. Which table identifies the types of companies that would be affected by those regulations?

yes, yes, yes, yes

In 2016, the ACLU reported that a company called Geofeedia analyzed data from social media websites like Twitter and Instagram to find users involved in local protests and sold that data to police forces. The data included usernames and their approximate geographic locations. Geofeedia claims the data was all publicly available data. In response to the news, many users were eager to find ways to keep their geolocation private. Which of these actions is least likely to help a user keep their geolocation private?

Disabling third-party cookies in their browser

Annalee is setting up a research lab. She wants to be able to search the Web from her laptop anywhere in the lab but doesn't want to drag an Ethernet cable around the lab. Annalee starts browsing online for products. Which of the following products should she buy?

NetGear Wireless Access Point

If a website wants to track which pages a user visits on their website, what is required technically?

None of the above

The administration of a high school decides to install antivirus software on all of the school computers. What can the antivirus software protect the computers from?

The antivirus software can protect the computers from any malware that it is able to successfully detect.

Public key encryption was invented in the 1970s, and since its discovery, it's enabled a wide range of secure transactions on the Internet.

A teenager looks up information on a medical website in incognito mode, and won't have to see advertisements related to that medical condition in the future.

Problem Daxton reads the privacy policy of his browser and realizes he is uncomfortable with the browser's default privacy practices. What would be a good next step?

He can switch browsers to a browser that has different privacy practices. He can change the privacy settings in the browser to a level he is comfortable with.

A software engineer is developing a chatbot that can discuss political issues with a human. The engineer is concerned that people might try to break into the database to discover the political opinions of the users, so they do not want to store any PII in the database at all.

Timezone

Gael visited the website http://toast-lovers.com several times over the course of a few months. He used a browser with cookies disabled and did not log in to a user account on the site. Based on Gael's actions, what data could the website store in its database about his visits?

URL, Date, Time, IP address

Joaquin needs to use online banking to transfer large amounts of money and is concerned about an attacker using a rogue access point to intercept his bank transfer. What's the best way for him to avoid the risks of a rogue access point?

Use a wired connection instead of a wireless connection.

Each of these users has a different strategy to manage their passwords across websites.

Pablo uses a password manager to generate strong passwords for each site. Their master password is an initialism, "iw2bacsMjrw1g2c!", based on their life goal ("I want to be a CS major when I go to college").

An IT manager for a company wants to make sure that the corporate computers are secure, so they install antivirus software on every machine. In what way does the antivirus software protect the computers?

The antivirus software checks for known malware and takes action to remove or repair affected files.

Paula is creating a journalism organization to do investigative reporting. She registers the domain "whistleblowerz.org" and signs up with a hosting company to provide an email server, so that the journalists can easily communicate with each other.

The certificate for "whistleblowerz.org" would associate a public key with the domain, and enable the server to use TLS for secure email sending.

If public key encryption was never invented, what wouldn't be possible today? Choose 1 answer:

A customer logging into their bank website, with their password and secure code, without the risk of cybercriminals stealing their login information.

Which of the following algorithms is most likely to be found in a computer virus?

An algorithm that copies the virus program into a different file

Which of these statements about malware are true? 👁️Note that there are 2 answers to this question.

Malware can affect desktops, laptops, phones, and servers. A virus is a type of computer malware, but there are other types of malware

Emilia arrived to work at her company's office at 9 AM. She connected her laptop to the WiFi hotspot labeled "OfficeWiFi5thFl". After a meeting ended at 10:30 AM, she connected to a different hotspot labeled "OfficeSpace5thFl". After lunch ended at 12 PM, her laptop lost that signal and reconnected to "OfficeWiFi5thFl". If "OfficeSpace5thFl" was actually a rogue access point, which website visits could it have intercepted?

A visit to a tax software website at 10:45 AM where she filled out part of her tax form for this year.

The recent rise in popularity of smart home products (such as smart home assistants or smart thermostats) has led to an increase in concerns about their security. In June 2019, security researchers discovered an openly accessible database from a smart home products company. Anyone could potentially access that database, without a username or password, and see all the data. The database records included these details: Email addresses Passwords Username Precise geolocation IP address Family name Family ID Smart device name Which of the following are immediate risks of malicious access to that database?

A cybercriminal could log into a user's account on the smart home product website and change the behavior of one of their smart devices. A burglar could break into a user's home and steal the smart home devices.

The following snippet is from a 2020 news article: "On March 18, we uncovered an email campaign that pushed victims into unwittingly downloading an invasive keylogger called Agent Tesla." What is the primary danger of accidentally downloading a keylogger?

A keylogger will record every key stroke and upload the data to an attacker.

Aliza visited a website over HTTPS and saw a lock icon in the URL bar, indicating a secure connection with a valid digital certificate.

Aliza trusts the browser, the browser trusts the certificate authority, and the certificate authority trusts the website.

Jairo is shopping for a new pair of shoes online and has found four online stores that sell the shoes. He opens them all up in different browser tabs and begins the checkout process so that he can find out what the final price (with shipping and taxes) will be and decide if any of the websites aren't legitimate.

The store that asks for his name, drivers license number, credit card number, and address in the checkout form.

In symmetric encryption, how many keys are needed to encrypt the data between a sender to a receiver?

One key: the same key is used for encryption and decryption, and that key is shared between the sender and receiver

Which of the following could not occur if your computer is connected to the Internet over a rogue access point?

The rogue access point could read the files on your device.

A search engine collects the following search records for a user: QueryUserIDDateURL "basketball"Y2X37AT01/29/19www.nba.com "kobe bryant"Y2X37AT12/07/18www.imdb.com/title/tt6794476 "video games"Y2X37AT03/11/19www.amazon.com/Video-Games Each record contains four pieces of information: The query typed into the search engine by the user A unique ID that identifies the user The date when the user typed the query The URL of the first result clicked by the user In what way could the search engine personalize future search results based on this history?

When the user searches for any products, the search engine could prioritize search results from Amazon. The search engine could show an advertisement next to the search results for "Pop-a-shot", an electronic basketball game.

At 9:30 AM, Thato went to a local coworking space and connected to the usual WiFi network ("COWIFI") and started browsing the morning news. At 10 AM, he noticed that webpages were slow to load and connected to a different free network ("COFFEE-FI") instead. However, a coworker walked by at 10:25 and warned him that the "COFFEE-FI" network was actually a rogue access point, so he disconnected from it and reconnected to "COWIFI". Here is his browsing history from that morning: DomainTimecnn.com9:42theverge.com9:56desmoinesregister.com10:07sltrib.com10:22espn.com10:28bbc.com10:34 Which requests would the rogue access point have seen? 👁️Note that there are 2 answers to this question.

desmoinesregister.com @ 10:07 sltrib.com @ 10:22

Lana visits a news website she's never visited before. She notices a section called "Recommended for you" with a list of articles that are related to articles she'd been reading on other news sites. Which technology was most likely responsible for the recommended articles?

web cookies

For a long time, mathematicians weren't sure that asymmetric encryption was possible. Fortunately, cryptographers discovered the necessary mathematical innovation in the 1970s and invented public key encryption.

A customer logging into their bank website, with their password and secure code, without the risk of cybercriminals stealing their login information.

In 2018, more than a thousand data breaches were reported and over 500 million data records were exposed in those breaches. In one particular breach, a video making website discovered unauthorized access to their database. The attackers were able to access the following user details: first name, last name, username, geolocation, gender, and date of birth. Which of the following is an immediate risk of that data breach?

A stalker could go to the house of one of the website users

Why is a computer virus more dangerous than other types of malware?

A virus can make copies of itself, including copying itself into an existing file.

Ayah wants to watch Khan Academy videos in the backyard, but there is no Internet connection in her yard. Since it rains frequently, Ayah doesn't want to place a cable on the ground. What device could Ayah install in order to access the Web in the backyard?

A wireless router, because it uses an access point to interpret wireless signals and route packets through the Internet

Jaime received an email from his favorite movie streaming service. The email stated that all customers were being asked to reset their passwords (due to a security breach) and linked to a webpage with a password reset form. The webpage asks him to confirm his old password and then enter a new password. Screenshot of webpage that has a form with 2 input fields. First field is labeled "Old password" and second field is labeled "New password". Button says "Reset password". At that point, Jaime wonders if the email and webpage are part of a phishing scam. He searches the Web and finds other reports of the scam, so he closes the webpage and marks the email as spam. What could have happened if he had filled out the form? 👁️Note that there are 2 answers to this question.

The attackers could try using the "old password" and "new password" to login to Jaime's accounts on other sites. The attackers could use Jaime's "old password" to login to the actual movie streaming website.

Paula is creating a journalism organization to do investigative reporting. She registers the domain "whistleblowerz.org" and signs up with a hosting company to provide an email server, so that the journalists can easily communicate with each other. She's debating whether to acquire a digital certificate for her domain from a certificate authority.

The certificate for "whistleblowerz.org" would associate a public key with the domain, and enable the server to use TLS for secure email sending.

Nombeko is creating a social messaging app to use with her friends. She registers the domain "friendzers.com" to host the backend for the app. She then signs up for a digital certificate from a certificate authority and installs the certificate on the domain.

The certificate proves that "friendzers.com" and the associated public key are owned by the same entity.

Mr. Jones bought a server where his students can upload homework assignments and mapped the domain "writing302.org" to it. He then acquired a digital certificate for "writing302.org" from a certificate authority and installed it on the server.

The certificate proves that "writing302.org" and its associated encryption key are both owned by the same entity.

BBC News wrote an article with this headline: "HP laptops found to have hidden keylogger" After reading that headline, what should HP laptop owners be most concerned about?

The keylogger could be recording what they type and sending the logs to a server.

When connecting securely to a website, what information must be in their digital certificate?

The website's domain name The website's public key

In symmetric encryption, what key does the receiver need in order to decrypt data from a sender?

They need the key that was used for encrypting the data

In 2019, a security research firm discovered that it was possible to monitor the geographic location of users in four dating apps. All they needed to know was their username and they could map the most recent location of the user.

A stalker could find a user that rejected them and follow them around.

Computer A wants to send data securely to Computer B using public key encryption.

Computer B's public key

Addison visits a café while visiting a friend in another city. The café offers three options for Internet connection: A public WiFi hotspot An Ethernet cable along the wall A password-protected WiFi hotspot (food purchase required) Which of those could be a rogue access point?

Either of the WiFi hotspots

Melodie connected securely with HTTPS to this website: https://www.farm-fresh-csa.com/customize Her browser validated the digital certificate of the website before loading the page. Which table is most representative of the contents of the digital certificate?

Field: name*.farm-fresh-csa.com *Public* key: MIGeMA0GCSqGSIb3DQEBAQUAA Certificate authority: DST Root CA X3

A software architect is designing the database for the Department of Motor Vehicles in their state. They need to carefully consider which information in each user account should be considered PII, so that they can better protect those fields in the database.

Hair color

Mason receives an email from a law firm called "Baker & McKenzie". The email states that they are scheduled to appear in court and includes a link to view the court notice. Mason is suspicious that this may be a phishing attack, since this is the first they've heard about a court appearance. What would be the safest next step?

They can look in a phone directory for a number to the listed court and call the court to see if they have record of the notice.

Apple, the producer of iPhones, includes a feature called Location Services that can be used by apps. The following snippet is from their article on the feature: Location Services allows Apple and third-party apps and websites to gather and use information based on the current location of your iPhone or Apple Watch to provide a variety of location-based services. For example, an app might use your location data and location search query to help you find nearby coffee shops or theaters, or your device may set its time zone automatically based on your current location. To use features such as these, you must enable Location Services on your iPhone and give your permission to each app or website before it can use your location data. Apps may request limited access to your location data (only when you are using the app) or full access (even when you are not using the app). A user installs an app that requests full access to Location Services and grants the requested permissions. What location-related data can be stored by the app?

The app can store all the locations visited by the user while they have their phone with them

In 2017, the credit report company Equifax suffered a data breach that exposed the PII of more than 100 million Americans to attackers. The exposed data included names, home addresses, phone numbers, dates of birth, Social Security numbers, and driver's license numbers. With access to only that information, which of these actions could not be taken by an attacker?

An attacker could send an email to an affected person that contained their PII and a threat to reveal them.

A teacher receives an email to his school address. The email claims to be from their school's learning management system and asks him to verify his account credentials. He follows a link in the email to a website with a username and password box. The website doesn't look quite right, so he suspects it might be a phishing scam. What would be the safest next step?

Follow his bookmarked link to the LMS website, and email their official support address to see if the email is real.

Problem An IT administrator for a company discovers that someone set up a rogue access point in the office and that several employees are connected to it. The administrator is concerned about an attacker gaining access to company data. Which of these attacks are possible over the rogue access point?

Intercepting requests sent over the Internet and copying their contents

Karlee receives this email that claims to be from Instagram, the social media site: Screenshot of email that says: Subject: !! New login to your Instagram account !! From: I-nstagram [email protected] Body: We noticed a new login from a device you don't usually use: Chrome Mobile, in Oslo, Norway, on Thu Feb 28 2:55PM If this was you, you can disregard this email. If this wasn't you, Click here to protect your account. © Instagram. Facebook Inc. 1601 Willow Road, Menlo Park, CA 94025 Which aspect of the email is least indicative of a phishing attack?

The email footer includes the company's mailing address.

An analytics website offers web developers a script that can track where users are navigating and clicking on their website. The analytics script places a third-party cookie on each website that uses it.

They can record all the webpages that the individual has visited that have their cookie embedded.

Secure web browsing relies on a trust model to verify the authenticity of digital certificates.

User → Browser → Certificate Authority → Website

An investigative journalist connects to the Internet over a wired Ethernet connection in a government building. They don't want anyone else to see which websites they're visiting. Which entities might be able to see the websites visited in that browsing session? \text{I}Istart text, I, end text. A rogue access point \text{II}IIstart text, I, I, end text. The building's Internet Service Provider (ISP) \text{III}IIIstart text, I, I, I, end text. Their computer's web browser

II and III only

How can attackers access a user account protected by two-factor authentication (2FA)?

It's possible for an attacker to break into an account secured with two-factor authentication, but only if they have access to both factors.

Kamdyn is at a cafe and sees an unsecured network called "Free WiFi". As soon as he connects to the network, someone near him warns him that it's probably a rogue access point. He's concerned now about an attacker having seen his Internet requests. Which of his Internet requests could have been seen by the rogue access point?

The rogue access point could have seen all the Internet requests sent by his laptop after the connection was made.

In 2011, the Dutch certificate authority DigiNotar was infiltrated by a cybercriminal. The attacker managed to create hundreds of false certificates, including ones for popular domains like google.com and facebook.com. When the attack was publicized, companies like Apple and Microsoft blacklisted Diginotar in their lists of trusted certificate authorities.

The attacker could launch a DNS spoofing attack on the certificates' domains and then intercept private data from the domains' users.

A search engine collects the following search records for a user: Query User IDDateURL "board games"XE3AL0801/07/20boardgamegeek.com "seafood recipes" XE3AL0802/23/20www.seafoodwatch.org/consumers/sustainable-recipes "news without ads"XE3AL0802/27/20npr.org Each record contains four pieces of information: The query typed into the search engine by the user A unique ID that identifies the user The date when the user typed the query The URL of the first result clicked by the user In what way could the search engine personalize future search results based on this history?

The search engine could show an advertisement next to the search results for "Terra Mystica", a strategy board game. If the search results includes news articles, the search engine could give higher ranking to articles from the news site NPR.

Sigourney has an account on the social media website InstaTag and typically logs on to the domain name "instatag.com". She receives an email that claims to be from InstaTag and contains a link to a webpage. Screenshot of an email from "Instatag [email protected]" with the text "Hi SigSpider, Sorry to hear you're having trouble logging into InstaTag. We can help you get straight back into your account." It contains a button that says "Log in as SigSpider" and a link "You can also reset your InstaTag password." She clicks the link but then realizes that the email may be a phishing attack, as she hasn't had any recent trouble logging into InstaTag. Once the webpage loads, she checks the URL in the browser to see if it's really an InstaTag URL. Which of these URLs is most likely owned by InstaTag?

user.instatag.com

A user doesn't want a website to know which of the website's webpages they visit. Which action(s) can the user take to prevent the website from recording their browsing history along with any form of user identifier? I. Logging out of their account on the site II. Disabling cookies in their browser III. Restarting the browser for each page visit

No combination of those actions is completely sufficient.

Bailey uploads a video of their neighborhood to YouTube. In what way could the uploaded video be used as PII?

The street addresses could help locate where Bailey lives.

An account is protected by multi-factor authentication with these two-factors: An alphanumeric password A code generated by a hardware device

The password and the hardware device

Computer A is sending data securely to Computer B using public key encryption. In order for Computer A to encrypt the data, they need to use information from Computer B in a mathematical operation. What information from Computer B is used in that operation?

Computer B´s public key

Which of the following is the best description of the process of decryption? Choose 1 answer:

Decoding data to reveal the original message

Evelyn receives an email that claims to be from the IRS, the United States Internal Revenue Service. The email states that their tax refund is ready and includes an attachment labeled "taxrefund.doc". Evelyn is eager for their refund but worried the email is a phishing scam. What is the safest next step?

Evelyn can find the official IRS website by searching the Web, and contact IRS through a listed email address to inquire about the email.

A company gives phones for business use to all of its salespeople. The IT department installs a suite of security software on each phone that includes a monitoring program that sends the phone's current location back to company headquarters. Assuming the employees always have their phone near them, which of these questions could not be answered by the location data?

How many customers did the employee go to lunch with?

Billy receives a message from a stranger on a social media website that simply says "I know where you live." Billy tried to think about his online activities, and whether or not those activities could have revealed his location.

Reading news sites in a browser with third-party cookies enabled.

A teacher in a computer science classroom is writing guidelines for her classes. She would like to explicitly forbid the creation of malware. Which of these rules bans the creation of malware? Choose 1 answer:

"Don't create a program that intentionally damages a computing system or takes unauthorized control of it."

Johannes learns about certificate authorities and is concerned that he doesn't know which authorities to trust when browsing the web.

"If you trust your browser, then you don't need to worry about exactly which certificate authorities to trust."

Amos decides to use a password manager to store their passwords, and is currently coming up with a master password.

"aiwwdts1d&dd,Icub&m2md", an initialism based on song lyrics ("As I was walking down the street one dark and dreary day, I came upon a billboard and much to my dismay..")

A popular vlogger is worried about their video streaming account being broken into by attackers. The video streaming site offers them two options for authentication: a password or multi-factor authentication (with a password and SMS code). Which of these pieces of advice is accurate?

MFA will offer more security than a password, but they still need to be vigilant to protect their account from attackers.

Which of these users has the strongest password?

Marijorie

Sacha uses a payment app called CircleCash and typically logs on to his merchant account at "circle.com". He receives an email that claims to be from CircleCash and contains a link to a webpage. Screenshot of an email from "Circle [email protected]" with the heading "Reset your CircleCash password", the text "We received a request to change your CircleCash account password. To reset your password, press the Reset Password button below within 24 hours.", and a button labeled "Reset Password". He clicks the link but then realizes that the email may be a phishing attack, as he didn't request a password reset recently. Once the webpage loads, he checks the URL in the browser to see if it's a legitimate CircleCash URL. Which of these URLs is most likely owned by CircleCash?

io.circle.com

Sahed works for admissions at a university. One day, she receives an email about a new admissions tool that she needs to start using ASAP. The email links to a webpage with a registration form. Screenshot of webpage with heading of "Create account" and a form with 2 input fields. First field is labeled "Email" and second field is labeled "Password". Button says "Register". She decides to re-use her password from the old administration tool, and signs up with her email and that password. Unfortunately, she then receives a message from her manager that the email is a phishing scam targeting everyone in their department, and that she should ignore it. What are the effects of revealing that password to the cyber criminals?

The cyber criminals can sell her email and password combination to other attackers. The cyber criminals can try that password on the actual admissions tool and successfully gain access.

In 2011, the certificate authority GlobalSign reported that a cybercriminal managed to hack into their user-facing website. Upon discovery, GlobalSign stopped issuing new certificates and asked a security company to investigate whether the cybercriminal had infiltrated their certificate issuing infrastructure as well. They needed to make sure the cybercriminal did not make any false certificates during the attack.

The cybercriminal could create false certificates linking other organization's domains to their own private key, and then use those certificates during DNS spoofing attacks.

Mariana gives a social media website access to her geolocation so that she can quickly see local events happening around her. Which is NOT a risk of granting geolocation access?

The website could begin tracking Mariana's browsing history as well