Online Data Security

Billy receives a message from a stranger on a social media website that simply says "I know where you live." Billy tried to think about his online activities, and whether or not those activities could have revealed his location. Which of these online activities is least likely to have revealed his location to the stranger?

Reading news sites in a browser with third-party cookies enabled.

A search engine collects the following search records for a user: functional fitness"A9C941509/15/19www.crossfit.com"chemistry"A9C941511/01/19khanacademy.org/science/chemistry"fantasy author"A9C941506/07/19www.ursulakleguin.com

The search engine could show an advertisement next to the search results for "Game of Thrones", a fantasy drama TV series. If the user searches for anything educational, the search engine could prioritize content from Khan Academy.

Mason receives an email from a law firm called "Baker & McKenzie". The email states that they are scheduled to appear in court and includes a link to view the court notice. Mason is suspicious that this may be a phishing attack, since this is the first they've heard about a court appearance. What would be the safest next step?

They can look in a phone directory for a number to the listed court and call the court to see if they have record of the notice.

Amos decides to use a password manager to store their passwords, and is currently coming up with a master password. Which of these is the strongest master password?

"aiwwdts1d&dd,Icub&m2md", an initialism based on song lyrics ("As I was walking down the street one dark and dreary day, I came upon a billboard and much to my dismay..")

Tatsuki receives an urgent email from his bank: He thinks it might be a phishing scam, so he decides to ignore it. Which aspect of the email is least indicative of a phishing attack?

(I forgot to write this one down but its something about using the name of Federal information)

Which of the following is the best description of the process of decryption?

Decoding data to reveal the original message

A company develops a mobile app designed for parents to monitor what their children are doing. The parents install the app on the phone, and it can record details like who the child is conversing with and what apps they're using. It can also record and store the geolocation of the child. Which of these questions from parents could not be answered by the recorded geolocation data?

Did my child hang out in the park in a group of more than 20 people?

Annalee is setting up a research lab. She wants to be able to search the Web from her laptop anywhere in the lab but doesn't want to drag an Ethernet cable around the lab. Annalee starts browsing online for products. Which of the following products should she buy?

NetGear Wireless Access Point

Kimberly is trying to understand which of her devices and apps can collect information about her location.

None of the above

Each of these users has a different strategy to manage their passwords across websites. Which user's strategy is the strongest?

Pablo uses a password manager to generate strong passwords for each site. Their master password is an initialism, "iw2bacsMjrw1g2c!", based on their life goal ("I want to be a CS major when I go to college").

Which of these statements about malware are true? 👁️Note that there are 2 answers to this question.

Malware can affect desktops, laptops, phones, and servers. A virus is a type of computer malware, but there are other types of malware.

Secure web browsing relies on a trust model to verify the authenticity of digital certificates. Which of these best describe the trust model involved? An arrow from one entity to another signifies that the first entity trusts the second.

User → Browser → Certificate Authority → Website

Why is a computer virus more dangerous than other types of malware?

A virus can make copies of itself, including copying itself into an existing file.

In 2018, the housewares company OXO discovered that attackers installed malware on their online store to steal customer information. The malware had access to the customer's name, billing and shipping addresses, and credit card information. With access to that information, which of the following actions could not be taken by an attacker?

An attacker could login to the customer's OXO account and change account details

How can attackers access a user account protected by two-factor authentication (2FA)?

It's possible for an attacker to break into an account secured with two-factor authentication, but only if they have access to both factors.

In symmetric encryption, what key does the receiver need in order to decrypt data from a sender?

They need the key that was used for encrypting the data.

A software engineer is developing a chatbot that can discuss political issues with a human. The engineer is concerned that people might try to break into the database to discover the political opinions of the users, so they do not want to store any PII in the database at all. Which of these pieces of information is least likely to be PII?

Timezone

Mr. Jones bought a server where his students can upload homework assignments and mapped the domain "writing302.org" to it. He then acquired a digital certificate for "writing302.org" from a certificate authority and installed it on the server. What does the certificate prove?

The certificate proves that "writing302.org" and its associated encryption key are both owned by the same entity.

At 9:30 AM, Thato went to a local coworking space and connected to the usual WiFi network ("COWIFI") and started browsing the morning news. At 10 AM, he noticed that webpages were slow to load and connected to a different free network ("COFFEE-FI") instead. However, a coworker walked by at 10:25 and warned him that the "COFFEE-FI" network was actually a rogue access point, so he disconnected from it and reconnected to "COWIFI". Here is his browsing history from that morning

desmoinesregister.com @ 10:07 sltrib.com @ 10:22

Karlee receives this email that claims to be from Instagram, the social media site: Which aspect of the email is least indicative of a phishing attack?

The email footer includes the company's mailing address.

In 2016, the ACLU reported that a company called Geofeedia analyzed data from social media websites like Twitter and Instagram to find users involved in local protests and sold that data to police forces. The data included usernames and their approximate geographic locations. Geofeedia claims the data was all publicly available data. In response to the news, many users were eager to find ways to keep their geolocation private. Which of these actions is least likely to help a user keep their geolocation private?

Disabling third-party cookies in their browser

A company gives phones for business use to all of its salespeople. The IT department installs a suite of security software on each phone that includes a monitoring program that sends the phone's current location back to company headquarters. Assuming the employees always have their phone near them, which of these questions could not be answered by the location data?

How many customers did the employee go to lunch with?

An IT administrator for a company discovers that someone set up a rogue access point in the office and that several employees are connected to it. The administrator is concerned about an attacker gaining access to company data. Which of these attacks are possible over the rogue access point?

Intercepting requests sent over the Internet and copying their contents

Nisa receives this security alert about her Google account: She suspects that it's a phishing email, so she decides not to click the buttons at the bottom. Which aspect of the email is least indicative of a phishing attack?

The email includes a company logo.

When a computer wants to use public key cryptography to send data securely to another computer, those computers need to start a multi-step exchange of information. What is the first information exchanged?

The two computers send their public keys to each other.

Mariana gives a social media website access to her geolocation so that she can quickly see local events happening around her. Which is NOT a risk of granting geolocation access?

The website could begin tracking Mariana's browsing history as well.

Gael visited the website http://toast-lovers.com several times over the course of a few months. He used a browser with cookies disabled and did not log in to a user account on the site. Based on Gael's actions, what data could the website store in its database about his visits?

1/11/20 9:00 AM 206.169.107.195 2/15/20 10:13 AM 206.169.107.195 3/24/20 7:37 AM 206.169.107.195

For a long time, mathematicians weren't sure that asymmetric encryption was possible. Fortunately, cryptographers discovered the necessary mathematical innovation in the 1970s and invented public key encryption. If public key encryption was never invented, what wouldn't be possible today?

A customer logging into their bank website, with their password and secure code, without the risk of cybercriminals stealing their login information.

In 2018, more than a thousand data breaches were reported and over 500 million data records were exposed in those breaches. In one particular breach, a video making website discovered unauthorized access to their database. The attackers were able to access the following user details: first name, last name, username, geolocation, gender, and date of birth. Which of the following is an immediate risk of that data breach?

A stalker could go to the house of one of the website users.

A user complains that their anti-virus software claimed to have eliminated a virus, but it popped up again the next day. What's the most likely explanation for why a computer virus may be hard to eliminate?

A virus can copy itself into multiple files on the operating system.

Ayah wants to watch Khan Academy videos in the backyard, but there is no Internet connection in her yard. Since it rains frequently, Ayah doesn't want to place a cable on the ground. What device could Ayah install in order to access the Web in the backyard?

A wireless router, because it uses an access point to interpret wireless signals and route packets through the Internet

Which of these describes a multi-factor authentication system?

An enterprise website asks the user to enter a code generated by an application on their mobile phone. They then ask the user for their password.

Addison visits a café while visiting a friend in another city. The café offers three options for Internet connection: A public WiFi hotspot An Ethernet cable along the wall A password-protected WiFi hotspot (food purchase required) Which of those could be a rogue access point?

Either of the WiFi hotspots

A teacher receives an email to his school address. The email claims to be from their school's learning management system and asks him to verify his account credentials. He follows a link in the email to a website with a username and password box. The website doesn't look quite right, so he suspects it might be a phishing scam. What would be the safest next step?

Follow his bookmarked link to the LMS website, and email their official support address to see if the email is real.

Daxton reads the privacy policy of his browser and realizes he is uncomfortable with the browser's default privacy practices. What would be a good next step?

He can switch browsers to a browser that has different privacy practices He can change the privacy settings in the browser to a level he is comfortable with.

A popular vlogger is worried about their video streaming account being broken into by attackers. The video streaming site offers them two options for authentication: a password or multi-factor authentication (with a password and SMS code). Which of these pieces of advice is accurate?

MFA will offer more security than a password, but they still need to be vigilant to protect their account from attackers.

In 2011, the Dutch certificate authority DigiNotar was infiltrated by a cybercriminal. The attacker managed to create hundreds of false certificates, including ones for popular domains like google.com and facebook.com. When the attack was publicized, companies like Apple and Microsoft blacklisted Diginotar in their lists of trusted certificate authorities. Why was it important for the Diginotar certificates to be blacklisted?

The attacker could launch a DNS spoofing attack on the certificates' domains and then intercept private data from the domains' users.

Joaquin needs to use online banking to transfer large amounts of money and is concerned about an attacker using a rogue access point to intercept his bank transfer. What's the best way for him to avoid the risks of a rogue access point?

Use a wired connection instead of a wireless connection.

Sümeyye is buying a subscription from an Internet Service Provider (ISP) for her new apartment so that she can have wireless Internet access in each room. She already has a laptop that can connect to WiFi networks. Does Sümeyye need to purchase any additional hardware to have wireless Internet access?

Yes, she needs a wireless router that will send and receive packets from the apartment's wired Internet connection.

Sigourney has an account on the social media website InstaTag and typically logs on to the domain name "instatag.com". She receives an email that claims to be from InstaTag and contains a link to a webpage.

user.instatag.com

Horacio is new to the Web and is concerned about his privacy while using a web browser. Which of these steps would NOT increase his privacy?

Disabling auto-play of video and audio files in the browser's settings

Rolando is using a browser that's owned by a major Internet company and is concerned about the company having access to his browsing history. Which of these next steps would be the least helpful in addressing his concerns?

Disabling cookies in the browser's privacy preferences

Lana visits a news website she's never visited before. She notices a section called "Recommended for you" with a list of articles that are related to articles she'd been reading on other news sites. Which technology was most likely responsible for the recommended articles?

Web cookies

Femke went to a computer lab and connected her laptop to the WiFi network. She later received an email from the lab administrator warning that the WiFi network was in fact a rogue access point. Which of the following could have occurred while she was connected to the rogue access point?

When she used her laptop to submit an online form, the rogue access point could have modified her form submission on its way to the server.

A teacher in a computer science classroom is writing guidelines for her classes. She would like to explicitly forbid the creation of malware. Which of these rules bans the creation of malware?

"Don't create a program that intentionally damages a computing system or takes unauthorized control of it."

An advertisement company builds a profile of a user based on their browsing history across many websites and uses that profile to create more targeted advertisements.

Cookies

Evelyn receives an email that claims to be from the IRS, the United States Internal Revenue Service. The email states that their tax refund is ready and includes an attachment labeled "taxrefund.doc". Evelyn is eager for their refund but worried the email is a phishing scam. What is the safest next step?

Evelyn can find the official IRS website by searching the Web, and contact IRS through a listed email address to inquire about the email.

A search engine collects the following search records for a user: "functional fitness" chemistry "fantasy author"

If the user searches for anything educational, the search engine could prioritize content from Khan Academy. The search engine could show an advertisement next to the search results for "Game of Thrones", a fantasy drama TV series.

Leanne decides to use the Caesar Cipher encryption scheme to send a secret message to her classmate. Her process: Leanne shares the key (the number 13) with her classmate. Using the key, Leanne turns the message "Underground" into "Haqretebhaq". Leanne sends a letter with "Haqretebhaq" to her classmate. Using the key, her classmate turns the message "Haqretebhaq" back into "Underground". Which of the steps could be labeled the "decryption" step?

Step 4

Paula is creating a journalism organization to do investigative reporting. She registers the domain "whistleblowerz.org" and signs up with a hosting company to provide an email server, so that the journalists can easily communicate with each other. She's debating whether to acquire a digital certificate for her domain from a certificate authority. What benefit would the certificate bring?

The certificate for "whistleblowerz.org" would associate a public key with the domain, and enable the server to use TLS for secure email sending.

A user doesn't want a website to know which of the website's webpages they visit. Which action(s) can the user take to prevent the website from recording their browsing history along with any form of user identifier? Logging out of their account on the site Disabling cookies in their browser Restarting the browser for each page visit

No combination of those actions is completely sufficient.

If a website wants to track which pages a user visits on their website, what is required technically?

None of the above

The administration of a high school decides to install antivirus software on all of the school computers. What can the antivirus software protect the computers from?

The antivirus software can protect the computers from any malware that it is able to successfully detect.

Sahed works for admissions at a university. One day, she receives an email about a new admissions tool that she needs to start using ASAP. The email links to a webpage with a registration form.

The cyber criminals can sell her email and password combination to other attackers. The cyber criminals can try that password on the actual admissions tool and successfully gain access.

BBC News wrote an article with this headline: "HP laptops found to have hidden keylogger" After reading that headline, what should HP laptop owners be most concerned about?

The keylogger could be recording what they type and sending the logs to a server.

A privacy-concerned citizen wants to introduce local regulations to restrict companies that collect the geolocation data of their users. They would like every company to present users with a warning and explanation before collecting the data. Which table identifies the types of companies that would be affected by those regulations?

Yes Yes Yes Yes

The recent rise in popularity of smart home products (such as smart home assistants or smart thermostats) has led to an increase in concerns about their security. In June 2019, security researchers discovered an openly accessible database from a smart home products company. Anyone could potentially access that database, without a username or password, and see all the data. The database records included these details: Email addresses Passwords Username Precise geolocation IP address Family name Family ID Smart device name Which of the following are immediate risks of malicious access to that database?

A cybercriminal could log into a user's account on the smart home product website and change the behavior of one of their smart devices. A burglar could break into a user's home and steal the smart home devices.

The following snippet is from a 2017 article on an information security news site. "A Virginia man pleaded guilty on Friday to charges of aiding and abetting computer intrusion, accused of writing a keylogger that sold to over 3,000 people and infected 16,000 victims." In what way does a keylogger aid computer intrusion?

A keylogger records everything a user types and uploads the data to a server.

In 2019, a security research firm discovered that it was possible to monitor the geographic location of users in four dating apps. All they needed to know was their username and they could map the most recent location of the user. Which of the following risk becomes possible due to the accessibility of the geolocation data?

A stalker could find a user that rejected them and follow them around.

Multi-factor authentication (MFA) is typically used in computing systems. However, we could imagine how MFA could be used in non-digital settings. If we were to protect the door to a castle with MFA, which of these would be considered multi-factor?

An outer door which requires a key and an inner door that requires a pin code.

ZeuS is malware that is typically used to steal banking data from a computer's users by installing a key logger and sending the logged data to the attackers. What best describes how antivirus software can protect against ZeuS?

Antivirus software can scan the files on the drive and notify users of files that look like the ZeuS malware.

Madden connected securely with HTTPS to this website: https://www.football-gamers.com/teams/tigers His browser validated the digital certificate of the website before loading the page. The digital certificate contained this encryption key:

It's the public key of football-gamers.com

What is the difference between malware and a software bug?

Malware is designed to intentionally inflict damage on a computer; a software bug is an accident.

An IT manager for a company wants to make sure that the corporate computers are secure, so they install antivirus software on every machine. In what way does the antivirus software protect the computers?

The antivirus software checks for known malware and takes action to remove or repair affected files.

Apple, the producer of iPhones, includes a feature called Location Services that can be used by apps. The following snippet is from their article on the feature: Location Services allows Apple and third-party apps and websites to gather and use information based on the current location of your iPhone or Apple Watch to provide a variety of location-based services. For example, an app might use your location data and location search query to help you find nearby coffee shops or theaters, or your device may set its time zone automatically based on your current location. To use features such as these, you must enable Location Services on your iPhone and give your permission to each app or website before it can use your location data. Apps may request limited access to your location data (only when you are using the app) or full access (even when you are not using the app). A user installs an app that requests full access to Location Services and grants the requested permissions. What location-related data can be stored by the app?

The app can store all the locations visited by the user while they have their phone with them.

Jaime received an email from his favorite movie streaming service. The email stated that all customers were being asked to reset their passwords (due to a security breach) and linked to a webpage with a password reset form. The webpage asks him to confirm his old password and then enter a new password.

The attackers could try using the "old password" and "new password" to login to Jaime's accounts on other sites. The attackers could use Jaime's "old password" to login to the actual movie streaming website.

Kamdyn is at a cafe and sees an unsecured network called "Free WiFi". As soon as he connects to the network, someone near him warns him that it's probably a rogue access point. He's concerned now about an attacker having seen his Internet requests. Which of his Internet requests could have been seen by the rogue access point?

The rogue access point could have seen all the Internet requests sent by his laptop after the connection was made.

Which of the following could not occur if your computer is connected to the Internet over a rogue access point?

The rogue access point could read the files on your device.

A search engine collects the following search records for a user: Basketball Kobe Bryant Video games

The search engine could show an advertisement next to the search results for "Pop-a-shot", an electronic basketball game. When the user searches for any products, the search engine could prioritize search results from Amazon.

A search engine collects the following search records for a user: Board Games Seafood Recipes News without ads

The search engine could show an advertisement next to the search results for "Terra Mystica", a strategy board game. If the search results includes news articles, the search engine could give higher ranking to articles from the news site NPR.

When connecting securely to a website, what information must be in their digital certificate?

The website's domain name The website's public key

Agatha received an email from her bank that asked for verification of her account details. She clicked the link in the email, and entered her username and password into a form.

They can try the password on other websites where she has a login. They can use the password to login to the real bank website.

Dax is a customer of the payment company BeanMo and typically logs on to "beanmo.com". He receives an email that claims to be from BeanMo and contains a link to a webpage.

account.beanmo.com

Sacha uses a payment app called CircleCash and typically logs on to his merchant account at "circle.com". He receives an email that claims to be from CircleCash and contains a link to a webpage.

io.circle.com