Online Protection

Professional Development Goal: Learn how your online security can be compromised and take practical steps to strengthen school (and personal) security.

Common Types of Scams:


Many phishers go right for the money, and that pattern is reflected in the continued heavy targeting of online commerce sites like eBay & PayPal. Even though we’re still seeing some of the same techniques we first saw 5+ years ago, since they unfortunately still catch victims, phishing attacks are also getting more creative and sophisticated. As they evolve, we improve our system to catch more and newer attacks (Chart 1). Modern attacks are:

  • Faster - Many phishing web pages (URLs) remain online for less than an hour in an attempt to avoid detection.
  • More diverse - Targeted “spear phishing” attacks have become increasingly common. Additionally, phishing attacks are now targeting companies, banks, and merchants globally (Chart 2).
  • Used to distribute malware - Phishing sites commonly use the look and feel of popular sites and social networks to trick users into installing malware. For example, these rogue sites may ask to install a binary or browser extension to enable certain fake content.
  • Help Google find bad sites. Chrome users can select the check box on the red warning page. The data sent to us helps us find bad sites more quickly and helps protect other users.


During the 1990s, the term "hacker" originally denoted a skilled programmer proficient in machine code and computer operating systems. In particular, these individuals could always hack on an unsatisfactory system to solve problems and engage in a little software company espionage by interpreting a competitor's code.
Unfortunately, some of these hackers also became experts at accessing password-protected computers, files, and networks and came to be known as "crackers." Of course, an effective and dangerous "cracker" must be a good hacker, and the terms became intertwined. "Hacker" won out in popular use and in the media and today refers to anyone who performs some form of computer sabotage. (see:

  • For broader and quite interesting reading about the morals of hacking, go to the following website:

Lottery Scams:

You may receive an email/letter/fax that claims that you have won a great deal of money in an international lottery even though you have never bought a ticket. The email may claim that your email address was randomly chosen out of a large pool of addresses as a "winning entry". Such emails are almost certainly fraudulent. In some cases, the emails claim to be endorsed by well-known companies such as Microsoft or include links to legitimate lottery organization websites. Any relationships implied by these endorsements and links will be completely bogus.

There is no lottery and no prize. Those who initiate a dialogue with the scammers by replying to the messages will be first asked to provide a great deal of personal information. Eventually, they will be asked to send money, ostensibly to cover expenses associated with delivery of the supposed "winnings". They may also become the victims of identity theft. DO NOT respond to these messages. DO NOT supply any personal information whatsoever to the scammers.

PayPal Fraud

In a collection-in-person PayPal scheme, the scammer targets eBay auctions that allow the purchaser to personally collect the item from the seller, rather than having the item shipped, and where the seller accepts PayPal as a means of payment.

The fraudster uses a fake address with a post office box when making their bids, as PayPal will allow such an unconfirmed address. Such transactions are not covered by PayPal's seller protection policy. The fraudster buys the item, pays for it via PayPal, and then collects the item from the victim. The fraudster then challenges the sale, claiming a refund from PayPal and stating that they did not receive the item. PayPal's policy is that it will reverse a purchase transaction unless the seller can provide a shipment tracking number as proof of delivery; PayPal will not accept video evidence, a signed document, or any form of proof other than a tracking number as valid proof of delivery.
This form of fraud can be avoided by only accepting cash from buyers who wish to collect goods in person.

Protecting yourself!

Right Here at KIS:

Case 1: Student accesses teachers' email accounts and PowerSchool to change grades...
We often think of scamming and whatnot as alien and far away, but in fact, it happened right here at KIS. During the holiday, several teachers received an email from a Gmail account claiming to be a Korean staff member. The email claimed that there was a problem with the PowerSchool server and that teachers needed to follow the link. The link went to a page that looked similar to the PowerSchool login page. Teachers were instructed to enter their username and password. The student in question was then able to enter those teachers’ gradebooks and manipulate his/her grades. It is important to be vigilant against these types of attacks. One teacher who received the email noticed that the email address wasn’t from a KIS account and thought it was odd; he called it to our attention. Because of this person’s suspicion, we were able to catch the student.
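The two signals in Case 1 (a sender outside the school's own domain, and a link that leads somewhere other than the real login page) can be checked mechanically. The following is an added example, not code from KIS or PowerSchool; `STAFF_DOMAIN`, `TRUSTED_LOGIN_HOSTS` and the sample message are placeholders constructed for illustration, and only HTML message parts are inspected.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions: placeholder values, not the school's real domain or login host.
STAFF_DOMAIN = "school.example"
TRUSTED_LOGIN_HOSTS = {"powerschool.school.example"}

class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def review_message(raw):
    """Return the reasons a message deserves a second look (empty if none)."""
    msg = message_from_string(raw)
    reasons = []
    _, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    if domain != STAFF_DOMAIN:
        reasons.append(f"sender domain '{domain}' is not {STAFF_DOMAIN}")
    collector = LinkCollector()
    for part in msg.walk():  # handles single-part and multipart messages
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True) or b""
            collector.feed(body.decode("utf-8", "replace"))
    for href in collector.hrefs:
        host = (urlsplit(href).hostname or "").lower()
        if host not in TRUSTED_LOGIN_HOSTS:
            reasons.append(f"link host '{host}' is not a trusted login host")
    return reasons

# Constructed sample modelled on Case 1; every name and address is made up.
SAMPLE = """\
From: "Staff Member" <staff.member.school@gmail.com>
To: teacher@school.example
Subject: Problem with the PowerSchool server
Content-Type: text/html

<p>There is a problem with the PowerSchool server. Please
<a href="http://powerschool-login.example.net/teachers">log in here</a>.</p>
"""

if __name__ == "__main__":
    for reason in review_message(SAMPLE):
        print("FLAG:", reason)
```

A message that passes both checks can still be malicious (for example, one sent from a compromised staff account), so the checks support the teacher's judgement rather than replace it.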

Case 2: Elementary Computer Hijacking
Referred to excitedly as 'hacking' by seemingly all students, a situation arose recently whereby ES students were having their computers hijacked. Applications would get shut down, messages (sometimes quite explicit) were sent, and in worse cases, whole files and folders would get Trashed.
This was NOT hacking though...
The persons responsible were using 1 of 3 methods.
1. ARD: Yes, it is 'dead'. This is because it cannot be configured for our current network infrastructure. As teachers we cannot reliably find our own students to be able to use it effectively.
But if you're a student looking to interfere with someone random, then ARD does the job.
ARD was tested by MacSquare extensively on the ES computers because KIS owns them, and they are available out of school hours. Unfortunately, the 'gate' was left open on most of these computers. This of course has been fixed now!
2. 'Sharing' using a native Mac feature: being able to share screens is at times a very handy feature of the Mac, but when a computer has poor username and password protection (and these usernames and passwords are shared quite freely among students), then hijacking is easy.
3. Google Docs:

Increased security for all Teacher and Administration Accounts has been activated (effective 1/13/13).

Summary of changes:

  • Password complexity has changed from a minimum of 1 character to 6
  • Passwords must contain at least 1 uppercase letter, 1 lowercase letter, 1 special character, and 1 numeric character
  • Passwords expire every 100 days
  • Passwords can be 'recycled' after 3 cycles
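The password rules summarised above, written out as a checker. This is an added example, not PowerSchool's own code. It assumes that "special character" means ASCII punctuation and that "recycled after 3 cycles" means the three most recent passwords are blocked; all sample passwords are constructed.

```python
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

MIN_LENGTH = 6        # minimum length from the summary above
MAX_AGE_DAYS = 100    # passwords expire every 100 days
HISTORY_DEPTH = 3     # assumption: the 3 most recent passwords cannot be reused

def policy_violations(password):
    """Return the complexity rules the candidate password breaks."""
    checks = [
        (len(password) >= MIN_LENGTH, f"shorter than {MIN_LENGTH} characters"),
        (any(c.isupper() for c in password), "no uppercase letter"),
        (any(c.islower() for c in password), "no lowercase letter"),
        (any(c.isdigit() for c in password), "no numeric character"),
        # assumption: "special" means ASCII punctuation
        (any(c in string.punctuation for c in password), "no special character"),
    ]
    return [reason for ok, reason in checks if not ok]

def _digest(password, salt):
    # Salted PBKDF2, so the history never holds a readable password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def remember(password, history):
    """Append a (salt, digest) record for a newly set password."""
    salt = os.urandom(16)
    history.append((salt, _digest(password, salt)))

def is_reused(password, history):
    """True if the candidate matches one of the HISTORY_DEPTH newest records."""
    return any(hmac.compare_digest(_digest(password, salt), stored)
               for salt, stored in history[-HISTORY_DEPTH:])

def is_expired(last_changed, today):
    """True once more than MAX_AGE_DAYS have passed since the last change."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)

if __name__ == "__main__":
    history = []
    for old in ["Winter#2012a", "Spring#2013b"]:   # constructed sample values
        remember(old, history)
    print(policy_violations("teacher1"))
    print(is_reused("Spring#2013b", history))
    print(is_expired(date(2013, 1, 13), date(2013, 4, 24)))
```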

Again, the biggest threat to security in PowerSchool is if students actually observe you logging in. Currently, the only authorised people who should be issuing instructions about PowerSchool are Ben Summerton, Chris Bernhardi, and Andrew Cho. Treat all other emails with caution and contact EdTech if in any doubt.

Evernote: Account Details and Password Encryption

1. Create a Note called: _ (whatever reminds you that this is your Accounts note)
2. Type in the body of the Note the name of the Account: i.e.

u: port
p: port78

3. Highlight the password

4. Right mouse select, or select ‘Edit’ from the Menu at top of screen, and then ‘Encrypt Selected Text’.

Effective Password Creation

1. Come up with a password that has absolutely no significance. I call this the “root password.” Use at least six characters. More is better. So is a variety of letters, numbers, & symbols. Example: k5$3b4. Suggest using this to create something a little easier to remember:

2. Memorize it. (You can write it down somewhere without worrying about it. Read on.)

3. For whatever site you need a password for, take two characters from that site’s name and then add them to the root password. Use the same system for all sites.

For example, you can use the first two letters of a site’s name: Facebook = fa, YouTube = yo. Add them to the beginning of your root password and your password for Facebook becomes fak5$3b4, YouTube is yok5$3b4.

Security and Privacy on the Mac

If you do not have a password (i.e. you never set one up when you received your computer back from re-imaging this year), you need to pause for a moment and first go to System Preferences > Users and Groups > Change Password before proceeding any further.

Install a VPN

Your Internet Service Provider (ISP), or owner of a network you’re connecting through, issues you something called an IP address. This is a unique identifier, sort of like a phone number.
Not only can it be quite easy to match up an IP address with its owner, it also reveals your general location and other information about you. Every single website you visit using this IP address is recorded by the website owner, your Internet Service Provider, and others with the knowledge to do so. This information may be stored for years and years.
A VPN acts as a go-between. You connect to websites via the VPN servers that you have subscribed to.
Do your research: read reviews from multiple sources. Use reputable sources. You often get what you pay for (some free ones include adverts, which can be eliminated by upgrading to a pay version...).
VPNs are used by individuals most commonly for:
1. Personal Banking
Your ISP (Internet Service Provider) issues you with an IP (Internet Protocol) address. If you are using open Wi-Fi, this makes you particularly vulnerable to being hacked because it is not all that difficult for an ‘observer’ to match unencrypted data transfers to an owner (opening the gate to access to all manner of other data).
2. Wi-Fi Hotspots
Although most don’t realize it, Wi-Fi Hotspots, whether paid or free, are horrifically insecure. You are literally broadcasting all of your data “in the clear” with typically no security whatsoever. This can include your e-mail, IM messages, web searches, and any other data sent or received over the wireless network.
It is shockingly easy for anyone to “sniff” and capture your data without your knowledge. Due to the ease of the crime, and the fact Wi-Fi Hotspots are typically frequented by folks with a little change in their pocket, a Wi-Fi Hotspot is a tantalising place for bad guys to lurk.
One common tactic is something called the “evil twin” attack where the evildoer sets up a laptop as a seemingly legitimate Wi-Fi Hotspot. You connect to the Internet through “FREE Airport Wi-Fi” — or anything the bad guy wishes to name it — and although all seems fine you are actually sending all of your data through a hacker’s laptop.
Honestly, we’re not sure how often this happens, and it may even be pretty rare. Nevertheless, with data crimes, it usually only takes once to cause some pretty serious havoc in your life.
With a VPN service though, you could even connect through the hacker’s laptop and all they would be able to capture is a lot of encrypted gibberish they will never be able to crack.
This same advice applies to hotels. Do you really want to be potentially sharing a data stream with a potential hacker, who with a little know-how, can capture what you are sending/receiving? Once again, a VPN can protect you.
Articles about VPNs:
The Five Best VPNs

Posting things to Facebook or other Social Media:

Facebook looks to help protect you.

Information on your profile that is “public”, or visible to “friends of friends”, can be used against you. For example, a person who really wants to go and see a concert might show the tickets on their profile. A scalper can use the image to create fake tickets with your ticket's barcode. See here

Take the Quiz

Can you spot a fake email?

Printable Brochure

More information