Top 20 Internet Security Risks

SANS is an organisation that does a lot of security research as well as other things, and they have a good reputation for their work. They’ve just published a report showing the top 20 internet security risks. They point out that social engineering is one of the biggest risks at the moment. Social engineering is the term used to describe how people effectively trick (or otherwise convince) others to provide sensitive details.

There’s a lot of detail in this report and it’s well worth reading. Below are a few bits of information from the report and it’s just not possible to summarise it all here. Have a read through it if you have time.

  • Web applications are vulnerable to being hacked and information misused or stolen.
  • People can be manipulated
  • The following applications are the most vulnerable:
    • Web Browsers
    • Office Software
    • Email Clients
    • Media Players
  • Unencrypted laptops are a risk to losing large amounts of data
  • Instant messaging and peer-to-peer programs are a risk to businesses

The full report is here. It’s long and very detailed, and well worth your time in reading it.

Bluetooth Headsets

Most Bluetooth headsets are not secure. I encourage everyone to watch the video linked below to see how easy they are to hack.

In this demonstration by Joshua Wright he connects to a stranger’s bluetooth headset and is able to eavesdrop on the random stranger. He also briefly shows how audio can also be sent to the headset. Anyone with a Bluetooth headset that’s currently on is at risk of something like this. The biggest part of the risk is that almost all Bluetooth headsets use a default PIN (usually 0000).

Watch the video here.

Suspicious Websites

It's a trapWith apologies to all those who conduct legitimate activties on the following sites I’d like to warn you on the current trend of malicious sites.

At the moment a lot of sites hosted on Geocities contain various bits of malware. So if you see a link anywhere (in an email, in a chat window, on another web page) that begins with geocities.com be very suspicious.

And secondly there’s been so much malware coming from Chinese web sites. So be cautious of any link that has .cn in the address.

A plug-in must be installed

In order to view the photos a plug-in must be installed.”

Binoculars These dreadful words have been appearing in some spam emails, in Dutch. And on top of that the emails, at first glance, appear to be a legitimate news article. Interested readers might be tempted to click on the link, install the suggested plug-in, and hope to view photos of whatever the email is about.

You should never install anything an unsolicited email tells you to. You shouldn’t have to install anything to view photos. These particular spam emails will provide a link to a file called iPIX-install.exewhich is in fact a trojan that spies on your computer.

Another point worth mentioning is that spam and malicious emails are now being sent in languages other than English in the hope of catching out people who live in non English speaking countries (by trying to win their trust).

Collecting Passwords

This statement from Bruce Schneier is interesting,

How to harvest passwords: Just put up a password strength meter and encourage people to submit their passwords for testing. You might want to collect names and e-mail addresses, too.

It points out how easy it is for someone to collect passwords. A couple of human weaknesses are at play here:

  • People tend to trust programs they come across on the internet (and websites and services) . More-so if it looks new and shiny.
  • People tend to use the same password on multiple sites.

The internet’s a very dynamic environment, and with the rise of Web 2.0 we have lots of interesting new sites appearing daily. Most of them ask us to register, to provide a username and a password.

And behind every interesting new site are people (the programmers). Most of the time their intentions are honourable, providing an application online (and often for free). But what if a website’s intentions are more devious? What happens when you register an account and type in a (new) password? Usually it gets encrypted and stored in a database. It would be a simple task for the programmer to change the code and get it to store your password in some other way. And if people continue to use one or two password for all sites this information becomes a little more valuable.

In other words it would be easy for the programmer of any new and interesting web site to collect user names, email addresses, and your favourite passwords.

So always be cautious of where you type your password, it can be a valuable thing.

Don’t always trust websites. There are a few exceptions – Google for example does an excellent job with their users’ security.

And whenever possible don’t reuse important passwords on websites you don’t trust.

Keep critical software up to date

Some programs you use are critical to the safe use of your computer, and it’s important to keep these patched.

In this article critical software is the collection of programs (both visible and those that run in the background) that transport information from a web server to your screen. It’s the chain of data flow that you use the most often when using the internet.

You have your operating system (e.g. Windows, MacOS, Linux), a web browser, and a stack of drivers that basically make the internet work for you. This is a simplified model, most people’s computers will be unique and full of all sorts of programs.

Because information is flowing along this chain of programs, data being handed off from the operating system to the web browser, every link in the chain is critical. And like the old mantra, the price of security is eternal vigilance. In this case we’re looking at the eternal task of patching your software.

Patches are released by software vendors, whether it’s a free open source program or from a commercial software company. Patches are written because the programmers are always fixing bugs, in particular they’re always fixing security vulnerabilities as they are discovered. It’s a way of strengthening each of the links in your data chain.

The point of this article is that you should always update the following:

  • Patch your operating system (Windows, Mac OS, Linux, etc). Yes there’s a risk in being the first to install a patch, it might break something. Large companies have long complicated procedures to test patches before installing them. Small companies and home users need to take the risk and apply the patch blindly, trusting the vendor. It’s a choice between having the most secure computer possible or waiting to see if a patch is released by mistake. My advice is to take the secure option and make regular backups of all your data (backups would be a good topic for a future article). Most operating systems these days have automated patching systems in place making this simple and often a transparent process.
  • Patch your web browser. All web browsers need to be patched – Microsoft Internet Explorer (IE), FireFox, Opera, Safari, etc. Apply patches as soon as they’re released. Today a web browser is the most vulnerable program on a computer, it gets used to run code that other people write. Code that comes from all corners of the world and is almost always not certified in any way and there’s almost no way of trusting the code. Your web browser will execute it blindly, trusting that it’s safe and you trust that all other programs on your computer (including the operating system) will handle the attacks in a graceful way. Web browsers will be attacked, this is almost a certainty these days. So you need to very latest version that hopefully has had every known vulnerability fixed.
  • Patch your antivirus software. This is often automatic, and it’s often a paid service. Antivirus companies spend a lot of time and money keeping their tools up to date and it’s in your best interest to use their technology. Consider it a good investment, it could cost you thousands of dollars if your system is compromised.
  • Sometimes routers will have to be patched as well. This is a little more advanced and you should only do it if you’re comfortable working with your router.
  • Personal firewalls should also be patched. If your antivirus software includes a [personal] firewall then it’ll be patched automatically, otherwise it’s a separate process.

Chain and padlockAll software that uses the internet in any way, including the various video and music players, needs to be kept up to date. Web browsers and operating systems are the most critical and should be patched the most often. The time and effort you spend is the price you pay for having a safe computer.

When A Government Office Loses Disks.

As well as the usual advice on staying safe online it’s often useful to hear about security incidents that have made the media. And this time I’d like to point out what happens when a government loses disks containing personal data on 25 million individuals.

The two disks that were lost contained names, addresses, insurance numbers and bank account details of 25 million people. This is personal data that could be used to commit fraud or identity theft. This hasn’t been the case so far but it could still happen. Nobody seems to know where the disks are now.

How can this happen? The people handing the transport of the disks didn’t follow proper procedures. They’re human and they made mistakes. The disks were not encrypted before being shipped. The courier company lost them and have no records of where the disks might be. Then the police were involved only about 3 weeks after the incident occurred.

These kinds of accidents can and do happen every now and then. Your personal details can easily end up where you least expect it. One solution would be to make the agencies pay heavy fines for such security breaches, making it worth their time to ensure all procedures are followed.

The other lesson to be learnt here is that when you fill out a form these days you just have to assume it could one day end up in the wrong place. These days some of your personal details are no longer private. It’s just something that’s been happening slowing over the past couple of decades.

Some detailed articles can be found here.

The Popularity of Videos

Online videos are popular these days and as with anything popular scams are everywhere. The following two items take advantage of this popularity.

1. A movie called ” Lust, Caution” has been attracting some attention lately. Some websites have been setup (in China) that promise the ability to download a bootleg copy of the movie. What the websites don’t point out is that the download is infected with a virus that steals your passwords.

So don’t try illegally obtaining copyrighted movies, and especially not this one.

2. YouTube Scams – An email has been doing the rounds containing an ad for a video supposedly hosted on YouTube. The email goes on to explain how the video is about two lovers, includes comments and reviews.

If someone was to click on the link in this email (a link that at first sight appears to point to YouTube) they’ll be taken to a fake website made to look a little like YouTube. Then a message comes up saying that a new Flash player is required. Don’t install this player, it’s a virus. Pay close attention to links (URL’s) in emails.

Laos Airlines Website

It used to be that your computer could become infected if you went to a pornographic or warez website (warez sites are where people can illegally obtain software cracks). While this is still true, “normal” websites can also be vulnerable these days.

The Laos Airlines website was hacked and some code was added at the bottom – malicious code that isn’t visible to the average person. If you were to visit their website (whether to look up travel information or to book a flight) your web browser will also try to load a web page (being hosted in China) that then will try to install malware onto your computer.

The airline itself was a victim, and now that it’s been discovered and made public they’ll no doubt fix it. It’s certainly no reason not to travel to Laos or to use their airline. And the fact that the malicious code was hosted in China is an indicator that a lot of (black hat)hackers are setting up shop over there (until recently Russia was their country of choice to hide their malicious activities).

A couple of tips to avoid being a victim of crimes like this:

  • Use alternative web browsers whenever possible. Use FireFox or Opera instead of Internet Explorer.
  • Use a good antivirus program that monitors web browsing, and that constantly updates itself (these are usually not free, and it’s well worth paying their fee to keep you safe).

And keep reading as much as possible about online security. Education can only help you.