[AI] 2010 WEB THREATS REVEALED
ilovecold at gmail.com
Tue Jul 20 03:42:15 EDT 2010
Crimes of convenience
Don't fear scareware
Lost laptops & exposed data
Data theft in public & private
Antivirus software and a firewall alone can't guarantee your safety. Tony
Bradley explains how to foil the latest crop of sneaky attacks and nefarious
attempts to steal your data
If there's one technology-related story that's caught your attention this
it's probably the one about Google pulling out of China (see
grams ). Leaving aside the issues of human rights and web filtering, the
this story is that Google was attacked because the browser its employees were
using to perform web searches was insecure. Internet Explorer (IE) was so
riddled with holes that Microsoft was forced to issue an emergency patch.
the damage had already been done: Chinese hackers were able to target
and an international dispute was ignited.
When the government urges you to seriously consider switching allegiance
to Mozilla Firefox or Google Chrome (as happened in France and Italy), you know
there's some pretty bad stuff going on behind the scenes.
Unfortunately, IE vulnerabilities aren't all you need to worry about. Many of
the web threats out there are avoidable: in most cases, you simply need to
to spot the signs or recognise that the information you're sharing may leave you
open to attack.
Scareware, for instance, has proved one of the biggest security headaches of the
past two years, trading on your fear that your PC and the data stored on it
might be at risk. Sometimes, such malware will also try to dupe you into
believing it's there to help.
Do you know how to guard against scareware? How about Trojan horse text
messages? Or social-network data harvesting? Malicious hackers are a
resourceful bunch and their methods continually evolve to target the
ways we use our computers. New attack techniques allow bad guys to stay one
step ahead of security software and to get the better of even cautious and
well-informed PC users.
Don't let that happen to you. Read on for descriptions of the most recent and
most malignant security threats, as well as our advice on how to stop them
Make a few sensible changes to the way you behave and you'll avoid almost all
the threats with ease. But with more - and more sophisticated - threats out
there than ever before, it's worth casting your eyes over the following and
checking you're not at risk.
CRIMES OF CONVENIENCE
One of the biggest hidden threats on the web today has come about through our
desire to get where we want faster and with less fuss. The problem is
URLs, which offer a shorthand link to a website without you having to type
You'll find shortened URLs in newspapers, magazines and online, particularly if
you use Twitter. Bit.ly, TinyURL, Tr.im and Goo.gl are all common examples. We
use such links to point to longer reviews or in-depth news stories to which
we've alluded in print. They break up the narrative less and are easier and
quicker to type in than the original web address. In short, they're
The trouble is, it's not immediately clear where those links will take you.
Short URLs give no hint of the destination, which means attackers can
them to send you to malicious sites.
AVOID SHORT URL PITFALLS
If you're keen to continue using shortened URLs, use a preview tool to see where
that seemingly innocent link intends to take you.
Twitter users should try TweetDeck ( tweetdeck.com), which includes an option in
the Settings menu to display previews of shortened URLs. With this enabled,
clicking a shortened URL within a tweet brings up a screen that shows the
destination page's title, as well as its full-length URL and a tally of how many
other people have clicked that link. With this information at your
you can make an informed decision about whether to click through and visit t
You can use similar methods on other short links you come across. Several
browser plug-ins and services offer a preview function. When you create a
shortened address at TinyURL.com, for instance, the service provides both a
shortened URL and a preview version that will show readers where it goes
they click on it. Conversely, if you're considering visiting a TinyURL
you can enable its preview service ( tinyurl.com/preview.php) to see the
complete URL. Note that you must have cookies enabled in your browser.
Both ExpandMyURL.com and LongURLPlease.com provide web-browser plug-ins or
applets that will verify the safety of the full URLs behind abbreviated
from all the major URL-shortening services. Rather than changing the
links to their full URLs, however, ExpandMyURL checks destination sites in
background and marks the URLs green if they are safe.
Goo.gl, Google's URL-shortening service, provides security by automatically
scanning the destination web address to detect and identify malicious
It also warns you when the shortened URL might be a security concern.
Unfortunately, Goo.gl has limited usefulness because it works only with
Google products and services.
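
The preview idea described above can be done by hand: ask each hop for its
headers only and read the Location header, so the destination page is never
loaded. The following is an added example, not part of the original article;
the function names, the report format and every host in the sample table are
assumptions made for illustration.

```python
import http.client
import ipaddress
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed redirect table standing in for the network. Every host here is
# hypothetical; 192.0.2.10 is a documentation-only address.
SAMPLE_HOPS = {
    "http://sho.rt.example/abc": (301, "http://tracker.example/r?id=7"),
    "http://tracker.example/r?id=7": (302, "https://news.example/story/42"),
    "https://news.example/story/42": (200, None),
    "http://sho.rt.example/ip": (301, "http://192.0.2.10/login"),
    "http://192.0.2.10/login": (200, None),
    "https://sho.rt.example/d": (302, "http://plain.example/"),
    "http://plain.example/": (200, None),
    "http://sho.rt.example/loop": (302, "http://sho.rt.example/loop2"),
    "http://sho.rt.example/loop2": (302, "/loop"),
}


def sample_fetch(url):
    """Offline stand-in for head_request(), backed by SAMPLE_HOPS."""
    return SAMPLE_HOPS[url]


def head_request(url, timeout=5.0):
    """Send one HEAD request and return (status, Location header or None)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("unsupported URL: %r" % url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", target)
        response = conn.getresponse()
        return response.status, response.getheader("Location")
    finally:
        conn.close()


def expand(url, fetch=head_request, max_hops=10):
    """Follow the redirect chain of a short link; no page body is downloaded."""
    chain, verdict, warnings = [url], "resolved", []
    while True:
        current = chain[-1]
        status, location = fetch(current)
        if status not in REDIRECT_CODES or not location:
            break                               # reached the destination
        target = urljoin(current, location)     # Location may be relative
        scheme = urlsplit(target).scheme
        if scheme not in ("http", "https"):
            verdict = "stopped: non-HTTP redirect target"
            break
        if target in chain:
            verdict = "stopped: redirect loop"
            break
        if len(chain) - 1 >= max_hops:
            verdict = "stopped: too many redirects"
            break
        if urlsplit(current).scheme == "https" and scheme == "http":
            warnings.append("HTTPS to HTTP downgrade at hop %d" % len(chain))
        chain.append(target)
    host = urlsplit(chain[-1]).hostname or ""
    try:
        ipaddress.ip_address(host)
        warnings.append("final host is a bare IP address")
    except ValueError:
        pass                                    # an ordinary host name
    return {"chain": chain, "final_url": chain[-1], "final_host": host,
            "hops": len(chain) - 1, "verdict": verdict, "warnings": warnings}


if __name__ == "__main__":
    for short in ("http://sho.rt.example/abc", "http://sho.rt.example/ip",
                  "https://sho.rt.example/d", "http://sho.rt.example/loop"):
        report = expand(short, fetch=sample_fetch)
        print(short, "->", report["final_url"], "|", report["verdict"],
              "|", "; ".join(report["warnings"]) or "no warnings")
```

Called without the fetch argument, expand() sends real HEAD requests to each
hop; the sample table is only there so the example runs offline.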
DON'T LEAVE CLUES ON SOCIAL NETWORKS
Some of the personal details you might share on social networks, such as the
name of your secondary school, your place of birth or your birthday, are
'secret' security questions requested by online banking and other websites. Be
careless and you'll leave digital clues that could be combined to piece together
your personal profile and exploit or steal it.
It's all too easy to do. Listing your maiden name as well as your married name,
identifying yourself as someone's mother or joining a 'family' group and
friends with other relatives on Facebook could leave you open to a
data-harvesting attack. An attacker who collects enough details may be able to
access your secure accounts.
FACEBOOK PRIVACY SETTINGS
After signing into your Facebook account, click Settings on the menu bar and
select Privacy Settings. From here, you can choose who is allowed to see
various personal details. You can hide your details from everyone but your
Facebook friends (our recommendation), allow members of your networks to see
your details as well, or open the floodgates and permit everyone to see your
You probably wouldn't set things up for everyone to view, but be cautious of
Network setting too - especially if that network happens to be London or
Manchester. That's an awful lot of people who can see your current status, what
you look like and, perhaps, when you were born and where you work. Be
You can also set the privacy level for each component of your profile, so you
might share your birthday but not the year, and hide your religious and
political views, the photos you post and your status updates.
Don't accept any friend requests from strangers. Some such requests will be
perfectly legitimate, but others will be from hackers who are keen to see what
information other people in your circle of Facebook friends are privy to. If
you're serious about protecting your personal information, you shouldn't accept
such requests. If the person knows you, they'll have other means of getting in
touch and will probably also be Facebook friends with other people you have
Consider removing valuable information such as your birth date and home town
from your profile. You should also think twice before participating in
quizzes and chain lists. Although it seems innocent and fun to share your
favourite breakfast cereal, your pet's name, the names of your children, the
first concert you attended or where you met your spouse, an attacker armed with
enough of these titbits can assume your identity.
SOCIAL NETWORK IMPOSTORS
If you're connected with someone on Facebook, LinkedIn, Twitter or another
social network, it's probably because you know and trust the person.
however, can take control of your friend's online persona and then exploit
trust. It's another important growth area for hackers and a more invidious
approach that calls for extra vigilance.
One of the most established tactics is the scam sent from a 'friend'.
can hijack one of your friend's social-networking accounts using malware,
phishing scams and other techniques. They then use the stolen accounts to
you, steal your personal data or even con you out of cash.
Once the thieves have locked your friend out of the account, they may send
note saying, Help! I'm in Milan and my wallet was stolen. Can you transfer
some money to me for a plane ticket? Or they may recommend that you click
dodgy links that allow them to infect your PC or compromise your own
suggesting you watch a funny video is a popular method of doing so.
Now that so much entertainment, shopping and socialising is conducted
every web user leaves a rich digital trail of preferences. The books you
the films you rent, the people you interact with, the items you buy and
details constitute a gold mine of demographic data for search engines,
advertisers and anyone who might want to snoop around.
Stick with the companies you trust. Despite reassuring messages displayed
some sites, privacy policies can be vague. Make yourself aware of the
policies of the websites and services you interact with and restrict your
dealings to those that you trust to guard your sensitive information. For
on the ins and outs of which sites are able to track your web trails and how
prevent it, see below.
USE PRIVATE BROWSING
The latest versions of IE, Firefox, Safari and Chrome include private-browsing
modes that remove all traces of your web session when you shut down the browser.
By deleting your site history, form data, searches, passwords and other
these features can help you foil nosy colleagues or relatives.
I don't have anything an attacker would want
Many users believe the data stored on their PCs is valuable only to them or has
no intrinsic value at all, and that they have nothing to protect and
no need to worry about PC security. There are three problems with this.
First, instead of pilfering data, attackers often want to take control of
computer itself, as they can employ a compromised PC to host malware or to
Secondly, you may not think that your PC has any sensitive information, but
attacker can use trivial information such as your name, address and birth date
to steal your identity.
And third, most attacks are automated and simply seek out and attempt to
compromise all vulnerable systems; they don't discriminate based on a
DON'T FEAR SCAREWARE
You're probably familiar with the garden-variety phishing attack. Like a
weekend angler, a phisher uses bait, such as an email message designed to look
as if it came from a bank or other financial institution, to hook a victim.
Scareware is a twist on the standard phishing attack that tricks you into
installing rogue antivirus software by warning you that your PC may be
Scareware works by making you doubt yourself and your security setup. Don't
take the bait. If you don't have any security software installed on your PC,
how did the alert magically appear? And if you have got a security utility that
identifies and blocks malicious software, why would it tell you to buy or
download more software to clean the supposed infection? Become familiar with
what your security software's alerts look like so you can recognise fake
You should already have antimalware protection installed on your PC. If you
haven't, and you're concerned that it may be infected, use a free online
such as Trend Micro's HouseCall to give your machine the once-over (
housecall.trendmicro.com). Another option is Microsoft's Malicious Software
Removal Tool ( tinyurl.com/lh23mw). Then install a reputable antimalware
protect your PC in the future. For additional resources, see below.
UPDATE YOUR BROWSER
If you haven't updated your web browser recently, do so immediately.
fake messages will prompt you to visit the scammer's website, which may
your PC further, but current versions of most browsers and many
internet-security suites have phishing protection to alert you to dodgy
While the databases these filters use are updated frequently to identify
sites, they aren't fail-safe, so you should still pay attention to every
To make this easier, both IE 8.0 and Chrome highlight the real, or root,
of the URL in bold so that you can easily tell whether you're visiting, say,
genuine pcadvisor.co.uk or a spoofed site such as pcadvisor.co.uk.
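
What the browser highlights is the registrable domain: the public suffix plus
one label to its left. The following added example (not part of the original
article) works that part out for a few constructed links; the suffix set is a
small constructed subset of the Public Suffix List, and the function names and
spoofed host names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed subset of public suffixes for the demo; a real check should load
# the full Public Suffix List. ".example" is a reserved documentation TLD.
SAMPLE_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk", "example"}

# Constructed links that all claim, at a glance, to be pcadvisor.co.uk.
SAMPLE_LINKS = [
    "https://www.pcadvisor.co.uk/news",
    "http://pcadvisor.co.uk.account-check.example/login",
    "http://pcadvisor.co.uk@198.51.100.7/login",
    "http://pcadvis\u043er.co.uk/",          # Cyrillic 'o' in place of Latin 'o'
]


def registrable_domain(host, suffixes=SAMPLE_SUFFIXES):
    """Return the public suffix plus one label, or None if no suffix matches."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):                # longest candidate suffix first
        if ".".join(labels[i:]) in suffixes:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None                                 # IP literal or unlisted TLD


def check_link(url, expected="pcadvisor.co.uk", suffixes=SAMPLE_SUFFIXES):
    """Return (root, verdict, reasons) for a link that claims to be `expected`."""
    parts = urlsplit(url)
    host, reasons = parts.hostname or "", []
    if "@" in parts.netloc:
        reasons.append("text before '@' is user-info, not the site name")
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return None, "mismatch", reasons + ["host name is not valid IDNA"]
    if any(label.startswith("xn--") for label in ascii_host.split(".")):
        reasons.append("internationalised label, possible look-alike letters")
    root = registrable_domain(ascii_host, suffixes)
    if root is None:
        reasons.append("no registrable domain (IP address or unlisted suffix)")
    elif root != expected:
        reasons.append("registrable domain is %s" % root)
        if expected in ascii_host:
            reasons.append("expected name appears only as a subdomain prefix")
    verdict = "match" if root == expected and not reasons else "mismatch"
    return root, verdict, reasons


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        root, verdict, reasons = check_link(link)
        print("%-8s %-40s %s" % (verdict, root, "; ".join(reasons)))
```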
TROJAN HORSE TEXTS
Some attackers will send spam text messages to your mobile phone that appear to
be from your network provider or financial institution. Known as Trojan horse
text messages, they may direct you to a malicious site or request permission to
install an update that will allow hackers to capture usernames, passwords and
other sensitive information from your device.
Go to the source for updates and news. If you receive a text message that
appears to be from a trustworthy source, but it directs you to install or
software, or if it initiates the installation and requests permission to
continue, immediately exit the message and verify the legitimacy of the
with your service provider.
You may receive unsolicited emails from companies that you do business with, but
reputable firms won't send you unsolicited links and updates via email.
Similarly, such companies won't send you unsolicited text messages that
you to install an update or download new software.
Attackers prey on your tendency to trust your network provider or financial
institution. Don't blindly accept software updates or download apps to your
phone simply because the text message looks official. If in any doubt,
up with your network provider.
I have antivirus software installed, so I'm safe
Antivirus software is a necessity and a great start, but installing it won't
protect against everything. Some antivirus products are just that - they
and block viruses, but not spam, phishing attempts, spyware or other
Even if you have a comprehensive product that protects against more than
viruses, you still need to update it regularly. New threats are discovered
daily, and antimalware protection is only as good as its last update.
Also bear in mind that security-software vendors need time to add protection
against emerging threats, so your antimalware software won't guard you from
zero-day or newly launched attacks.
LOST LAPTOPS & EXPOSED DATA
The portability of laptops and mobile phones is convenient, but it also means
that such devices are easily lost or stolen. If your laptop, netbook or
falls into the wrong hands, unauthorised users may access the sensitive data
stored on it.
Encrypt your data using a utility such as BitLocker. If you're using the
Ultimate or Enterprise versions of Windows Vista or Windows 7, you'll find it
built in. BitLocker is also available in Windows Server 2008 but you won't find
it in the consumer versions of Vista and Windows 7. For these operating systems
(OSes), instead use the free, open-source program TrueCrypt (
Encrypting your data isn't without a pitfall or two, however. First, you
ensure that you always possess the key. If you lose your encryption key, you'll
quickly discover just how good encryption is at keeping out unauthorised
USE STRONGER PASSWORDS
If encrypting seems to be more of a hassle than it's worth, at least use strong
passwords to protect your PC. Longer passwords are better, with more characters
taking longer to crack. You should also mix things up by using numbers and
special characters in place of letters. For example, instead of
PCAdvisorMagazine, you could use PCAdvi$0rM@g@zin3.
You should have a secure password to log into your user account even if you're
the only person who uses your computer.
Note, however, that while strong passwords are a great deterrent, they aren't
impervious to attack. An invader who has physical possession of your
can find ways to get around that protection.
LOCK DOWN YOUR BIOS
By implementing a Bios password or a hard-drive password (or both), you can
ensure no one else can even boot the computer.
Getting into the Bios varies from system to system. The initial splash screen
that your PC displays at startup usually tells you which key to press to
the Bios. Once inside, find the security settings. Again, these vary from
vendor to vendor, but the Bios settings are fairly rudimentary. Boot into the
Bios, enter an eight-character password and navigate to the menu to apply
password on every boot up. Press the Save & Exit option.
You can set a master password that prevents other people from booting your
computer or altering the Bios settings. This option goes by different names,
but it's often called an administrator or supervisor password. If you wish, you
can also set a hard-drive password. This will prevent access to the hard drive
until this is successfully entered.
Methods for circumventing these passwords exist (removing the Bios battery is
one method), but having the passwords in place creates another layer of
USE A RECOVERY SERVICE
If your equipment gets lost or stolen and can't be recovered, you'll at least
want to erase the data it holds. Some vendors, such as HP and Dell, offer
services that promise to do both for certain laptop models.
Both HP's Notebook Tracking and Recovery Service ( tinyurl.com/y98ml22)
and Dell's Laptop Tracking and Recovery are based on Absolute
Software's Computrace. When you report that a laptop protected by one of these
services has been lost or stolen, a small application on the PC contacts the
monitoring centre with news of its whereabouts once it's connected to the
If a laptop can't be retrieved or the data stored on it is highly sensitive,
these services allow you to erase all the data stored on it.
Less comprehensive but free utilities such as the FireFound add-on for Firefox (
firefound.com) provide similar capabilities. You can configure FireFound to
automatically delete your passwords, browsing history and cookies following a
failed login attempt.
Security is a concern only if I use Windows
Windows has had its share of security issues over the years, but that doesn't
mean that other platforms or applications are immune from attack. While
Microsoft's products are the biggest target, Linux and Mac OS X have
vulnerabilities and flaws too. As alternative OSes and web browsers gain
so they become more attractive targets to malware writers. Increasingly,
attackers are targeting widely used third-party products that span OSes,
HP's laptop-tracking service lets you delete sensitive data from a laptop
can't be retrieved, while FIREFOUND, an add-on for Firefox, can delete your
passwords, history and cookies following a failed login attempt.
DATA THEFT IN PUBLIC & PRIVATE
Like laptops, mobile phones can hold a significant amount of sensitive data.
You can protect yourself using services such as Find My iPhone, part of Apple's
$99 (£61)-per-year MobileMe service, and Mobile Defense for Android-based
smartphones; these perform location tracking and remote data-wiping. Both
use the built-in GPS capabilities of your smartphone to pinpoint the current
location of the device and relay that information back to you.
AVOID ROGUE WI-FI HOTSPOTS
Free Wi-Fi networks are available almost everywhere you go. Attackers
set up a malicious open Wi-Fi network to lure unsuspecting users into
connecting. Once you've connected to a rogue network, the attacker can
your PC's traffic and gather any sensitive information you send, such as
usernames and passwords.
If you want to get online at a coffee shop or in another public place, find
the service set identifier (SSID) of the establishment's network. The SSID is
the name of the wireless network that appears in your list of available
connections. The SSID for a network at a McDonald's restaurant, for
might be 'mickeyds'.
An attacker could set up a rogue wireless router in the vicinity of the
McDonald's location and set its SSID to 'mcdwifi' or 'mickeyds2'. Your
would then display both names on the list of available networks. The rogue
wireless network might even have a stronger signal and appear higher on the
list. Make sure that you connect to the official network.
When in doubt, don't trust any open network. Most free wireless networks are
unencrypted and therefore unprotected. That means that the data travelling
between your computer and the wireless router can be intercepted and viewed by
other parties that happen to be within range of the wireless network.
Unless you have your own secure connection, such as a virtual private network
(VPN), you should avoid using public Wi-Fi for logging into sensitive
Limit your web usage here to reading the news and checking weather updates.
WEAK WI-FI SECURITY
If you're cautious, you've already secured your wireless network with a password
to keep outsiders from accessing it or using your internet connection. But
password protection alone may not be sufficient.
Use stronger encryption: several types are available and there are some
important differences between them. Wired equivalent privacy (WEP)
is the most common variety found on wireless networks. If you have a WEP
password in place on your Wi-Fi network already, you've taken a significant step
towards protecting it from intruders.
But WEP can be cracked easily: tools are available that allow even unskilled
attackers to crack the code and access your network in a matter of minutes.
is still helpful, since most aspiring wireless network hijackers aren't
dedicated enough to take the time to break in, but to be safe you should use
Wi-Fi protected access (WPA) or its successor, WPA2. These encryption types
resolve the weaknesses of WEP and provide much stronger protection.
Log into your router's web interface and find the wireless security
There, enable encryption and select either WPA or WPA2. Enter a password, save
the settings, and restart your router - and you'll start surfing more
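
The two Wi-Fi sections above come down to two checks on a list of nearby
networks: is this exactly the network the venue confirmed, and is its
encryption weak. The following added example (not part of the original article)
applies both to a constructed scan that uses the article's 'mickeyds' names; the
record format, the BSSIDs and the assumption that staff confirmed WPA2 are all
hypothetical.

```python
from difflib import SequenceMatcher

WEAK_SECURITY = {
    "open": "unencrypted: anyone in range can read the traffic",
    "wep": "WEP: crackable in minutes, use WPA or WPA2",
}

# Constructed scan results. BSSIDs are hypothetical; signal is in dBm, so a
# value closer to zero is stronger and is listed higher by most clients.
SAMPLE_SCAN = [
    {"ssid": "mickeyds", "bssid": "02:00:00:00:00:01",
     "security": "wpa2", "signal": -61},
    {"ssid": "mickeyds2", "bssid": "02:00:00:00:00:02",
     "security": "open", "signal": -38},
    {"ssid": "mcdwifi", "bssid": "02:00:00:00:00:03",
     "security": "open", "signal": -50},
    {"ssid": "mickeyds", "bssid": "02:00:00:00:00:04",
     "security": "open", "signal": -45},
    {"ssid": "corner-office", "bssid": "02:00:00:00:00:05",
     "security": "wep", "signal": -70},
]


def classify(net, ssid, security, threshold=0.8):
    """Compare one scanned network with the name and security staff confirmed."""
    if net["ssid"] == ssid:
        if net["security"] == security:
            return "confirmed"
        return "same name, different security"
    ratio = SequenceMatcher(None, net["ssid"].lower(), ssid.lower()).ratio()
    # Similarity is only a hint: 'mickeyds2' scores high, 'mcdwifi' does not,
    # yet neither is the confirmed network.
    return "look-alike name" if ratio >= threshold else "unconfirmed"


def triage(scan, ssid, security):
    """Return one row per network, strongest signal first, as a client lists them."""
    rows = []
    for net in sorted(scan, key=lambda n: n["signal"], reverse=True):
        verdict = classify(net, ssid, security)
        weakness = WEAK_SECURITY.get(net["security"])
        rows.append({
            "ssid": net["ssid"],
            "bssid": net["bssid"],
            "verdict": verdict,
            "weakness": weakness,
            # Join only the exact confirmed name with the confirmed, strong security.
            "join": verdict == "confirmed" and weakness is None,
        })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_SCAN, ssid="mickeyds", security="wpa2"):
        print("%-14s %-18s %-30s %s" % (row["ssid"], row["bssid"],
                                        row["verdict"], row["weakness"] or "-"))
```

In the constructed scan the strongest signal belongs to a look-alike, which is
why position in the list says nothing about which network is the official one.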
ENDANGERED DATA BACKUPS
You know that you should regularly back up your data, especially files of
irreplaceable items such as family photos. Storing backups on an external
drive or burning them to blank CDs or DVDs and keeping them in a cupboard
enable you to restore files easily if your hard drive crashes or corrupts. But
that approach also creates a portable and thus easily stolen archive of your
Be sure to use a backup utility that allows you to protect your data with
encryption, or at least a password, to prevent unauthorised access. If you want
to take things a step further, you can put your backup files on an encrypted
external USB drive such as the Seagate Maxtor BlackArmor. You can also find
external drives with biometric fingerprint scanners, such as the Apricorn
Bio or the LaCie d2 Safe. See page 80 for hard-drive buying advice and
If you prefer, you can use an online storage service such as Windows Live
SkyDrive ( skydrive.live.com), which provides 25GB of free storage and a
measure of security by requiring a username and password for access.
Unfortunately, copying 25GB of data and keeping it updated via SkyDrive can be a
time-consuming and cumbersome process. For a small fee, you can use a service
such as Mozy ( mozy.com), which includes tools to automate the process and
ensure that your data is backed up regularly.
KEEP SOFTWARE UP TO DATE
Microsoft's products have long been favourite targets for malware, but the
company has stepped up its game, forcing attackers to seek other weak links in
the security chain. These days, third-party products such as Adobe Reader
provide attackers with alternative options for hitting your PC.
You should have both a firewall and an antimalware utility protecting your
system. However, one of the simplest and most effective ways to guard against
attack is to make sure your OS and applications are kept up to date.
Attackers have discovered that a considerable number of third-party
such as Adobe Reader and Adobe Flash are present on virtually every computer and
contain exploitable weaknesses. To guard against threats, you can use a
such as the Secunia Personal Software Inspector ( secunia.com) to scan your
system, identify applications that have known vulnerabilities and install
Do your best to stay informed of existing flaws for the various applications you
use, and apply appropriate patches as soon as possible. The About.com
Software site ( antivirus.about.com) is a good resource to use in collecting
such information. You can also check sites such as McAfee's Avert Labs
Library ( vil.nai.com/vil/default.aspx) for the latest news on emerging
While attacking third-party products may be the path of least resistance,
guys haven't given up entirely on Microsoft products. Windows users should have
Automatic Updates enabled and set to download and install important security
updates automatically. Automatic Updates will keep the Windows OS and other
Microsoft software patched and current.
My router has a firewall, so my PC is protected
A firewall is great for blocking random, unauthorised access to your
and it will protect your computer from a variety of threats. But attackers
worked out long ago that the quickest way through the firewall is to attack
via ports that commonly allow data to pass freely.
By default your firewall won't block normal traffic such as web data and
and few users are comfortable reviewing firewall settings and determining
traffic to permit or block. In addition, many attacks today are web-based
originate from a phishing attack that lures you into visiting a malicious
your firewall can't protect against such threats.
We won't share your information with third parties. You've no doubt seen
phrase in privacy policies many times. You might think that means the site in
question won't divulge details about your visit to other companies or
organisations. But, according to a study conducted last year by privacy
researchers at the University of California, websites have a huge amount of
wiggle room with that promise (see bit.ly/P7NVK).
The in-depth study dug into the privacy policies and tracking practices of the
50 most visited websites as listed by Quantcast. Researchers discovered that
loopholes such as affiliate sharing and tracking code allowed for more data
sharing than you might expect.
Websites often reserve the right to share your data with affiliates,
entities owned by the same parent company or even outside contractors. But you
probably don't know how many affiliates a site has. News Corporation (the
parent company of MySpace and Photobucket) has 1,578 affiliates, for
CBS (the parent company of download.com) has 637. Likewise, a site may not
actively share data with an unrelated company, but it might let that company
place a 'web bug' image or code on a site that can effectively track you.
Many sites try to protect data such as email addresses and personal
and some restrict the data web bugs can collect. For example, the report's
authors were careful to note that Google doesn't automatically aggregate the
data that its many Google Analytics trackers gather, although it does offer
incentives to share that information.
All that aside, the fundamental issue is that many users don't want digital
bloodhounds sniffing their tracks, even if those tracks are tied only to an IP
address or some other numerical code. Right now, you have little say in what
information is collected and what it can be used for.
PROTECT YOUR PRIVACY
While there's no one simple solution, you can take some steps with browser
settings and add-ons to help retain your privacy. For once, these steps don't
require deleting all your cookies (including those that you want) after
IE 8.0's InPrivate Filtering monitors content from third parties that
appears on other sites (something that often, but not always, indicates the
presence of a tracker) and either blocks such content by default or allows you
to select it for blocking. Click on Safety, InPrivate Filtering to enable it.
You'll need to enable InPrivate Filtering each time you start the browser.
Firefox has a range of privacy-protecting add-ons. BetterPrivacy (
tinyurl.com/6g76na) gets rid of Flash cookies, which some advertisers
and normally can't be deleted. Taco ( taco.dubfire.net) creates behavioural
advertising opt-out cookies (the good kind) that will stick around even if you
get rid of your other cookies. And CookieSafe ( tinyurl.com/2qrvd6) offers
fine-grained management of all cookies.
The Ghostery ( ghostery.com) add-on alerts you to hidden trackers but
noscript.net). Bear in mind that while the other add-ons mentioned here
significantly change your browsing habits, NoScript will; it prevents many
from working properly until you manually approve them.
reports a tracker, right-click on the NoScript icon to set the tracker
but it means far less hassle in your day-to-day browsing. You can also go
the advanced options for untrusted sites and click a box to forbid web bugs.
The GHOSTERY add-on can alert you to hidden tracking devices but doesn't
I visit reputable sites, so I've got nothing to worry about
You increase your PC's odds of being infected or compromised when you visit the
shady side of the web, but even well-known websites are occasionally
infiltrated. Sites such as those for Apple, CNN, eBay, Microsoft, Yahoo and
even the FBI have been compromised by attackers running cross-site scripting
attacks to gather information about users or to install malicious software
Many online sites and services can help you learn more about PC security
threats, or can analyse your machine to make sure it's clean and safe
The About.com Antivirus site has a comprehensive database of email and virus
hoax messages. Before you forward the next 'urgent' alert to your friends,
check for it on this list. tinyurl.com/e32cp
MICROSOFT MALICIOUS SOFTWARE REMOVAL TOOL (MSRT)
This tool is designed to scan for and remove current, pervasive threats. The
scan is smaller and faster than a complete antimalware scan, but it
only a handful of threats. Microsoft releases a new version of the tool
with security fixes on the second Tuesday of each month. tinyurl.com/lh23mw
MICROSOFT CONSUMER SECURITY SUPPORT CENTER
On this page you can find solutions to common security problems, as well as
links to other information and resources for Microsoft's security products.
MCAFEE VIRUS INFORMATION LIBRARY
McAfee maintains a complete listing of malware threats, including details on how
they spread and how you can protect your computer against them.
A community project, PhishTank is a database of known phishing sites. You can
search the database to identify phishing sites, and you can add any new
you've encountered to the list. phishtank.com
MICROSOFT SECURITY ESSENTIALS
This free antivirus application provides real-time protection for Windows
against viruses, worms, spyware and other malicious software.
Content filtering offers another means of protecting a home or small
network. It works by comparing sites and web apps against a constantly
database of threats and white-listing sites that are legitimate and pose no
threat. Available with Draytek routers (among others), GlobalView costs
per year and helps prevent unauthorised access at the point of entry,
guest PCs on a network are checked too. tinyurl.com/yhvrwtw
TREND MICRO HOUSECALL
Trend Micro's free HouseCall service scans your computer online to discover and
remove any viruses, worms or other malware that may be residing on it.
Technical telepathy: 09969636745
Saints are not always saints; sinners are not always sinners.