Geoph Essex
SecurityNewsDaily
Strong anti-virus software and firewalls do a great job of protecting our computer systems. But even when virus definitions are fully updated and firewalls properly configured, there are still insidious threats that can worm their ways in, stealing your data or hijacking your PC and leaving you none the wiser.
The security and IT specialists upon whom we all rely can only do so much. At the end of the day, if the average user isn’t vigilant, the strongest security precautions in the world won’t stop some of the more dangerous digital intruders, with potentially disastrous consequences.
To keep you on your toes (or shivering in your boots), here are 10 schemes and scams that might have slipped under your radar. Click “next” in the upper right to proceed.
Fake Tech-Support Calls
You might get an unsolicited phone call from a tech-support representative claiming to be from Microsoft or another big-name IT corporation. But the caller won’t be who he claims to be. After warning you that “suspicious activity” has been detected on your computer, he’ll offer to help — once you give him the personal information he requires to get his job done.
That job isn’t fixing your computer. In fact, he’s really just after your personal information.
If you receive a call like this, hang up, call the company the bogus technician claimed to be from, and report the incident to a legitimate representative. If there really is a problem, they’ll be able to tell you; if not, you just thwarted a data thief.
DNS Redirection
Internet service providers (ISPs) such as Time Warner Cable and Optimum Online claim they’re trying to help with DNS redirection, but the reality seems to come down to money. Domain Name System (DNS) redirection overrides your browser’s normal behavior when you can’t reach a webpage. Instead of displaying the normal 404 “File Not Found” error, the ISP sends you to a page of the ISP’s choosing — usually a page full of paid advertising and links.
Innocent though that practice may be, computer viruses can do the same thing, redirecting your browser to a hostile page the first time you misspell a domain. With ISPs, you can opt out of their DNS redirection (you’ll find links below all the ads); with viruses, stay on your toes. Make sure you know what your browser’s default 404 page looks like, and take action if you see anything different.
Open DNS Resolvers
Another danger lies in the way some DNS servers are configured. An “open resolver” can offer information it isn’t authorized to provide. Not only are open resolvers exploited in distributed denial-of-service (DDoS) attacks, but an attacker can “poison” the DNS cache, providing false information and incorrect resolutions that must be detected to be corrected.
If your browser trips over a case of cache poisoning, the agents in charge of a hostile server can glean detailed information about your system — especially if you’re in the middle of an important transaction. How can typical users solve this dilemma? The chilling answer: They can’t. It’s up to Internet service providers to address the problem.
Fraudulent SSL Certificates
A Secure Sockets Layer (SSL) certificate reassures your browser that the site you’ve connected to is what it says it is. If you’re looking at “HTTPS” instead of plain old “HTTP,” you know there’s security involved, such as when you log in to your bank account or pay your phone bill. The most trusted SSL certificates are issued by designated Certification Authorities worldwide.
But what happens if that trust between browser and website is exploited? Acquiring or creating fake SSL certificates is unlawful, but happens often enough that we need to be aware of it. On multiple occasions in 2011, the discovery of false certificates suggested an attempt to spy on Iranian citizens as they used Gmail and Google Docs. According to the website of computer security firm F-Secure, “It’s likely the government of Iran is using these techniques to monitor local dissidents.”
Session Hijacking
If you spend afternoons using your laptop in a café with an open Wi-Fi network, you might not be the only person logged into your Facebook or eBay account. Firesheep, an add-on for Mozilla’s Firefox browser, lets its users sneak a peek at other people’s browser activity if they’re all on the same wireless network.
While the illicit observers can’t get a glimpse of secured pages, many sites secure only their login pages; once you’re logged in, your presence is maintained purely through cookies, packets of data that your browser stores to keep track of your browsing needs. But Firesheep lets its users copy your cookies, and after that happens the site you’re logged into can’t tell the difference between you and them.
Though it can be used for darker purposes, Firesheep should serve more as a warning to websites with private user accounts: They need to take security seriously. Guarding the main gate isn’t the limit of their responsibilities; attackers don’t need to storm the castle when a guest leaves the door open.
Man-in-the-Middle Attacks
While you’re still sipping your latte on that unsecured network, even your encrypted messages may not be all that safe. A Man-in-the-Middle (MTM) attack occurs when an attacker intercepts communications and proceeds to “relay” messages back and forth between the lawful parties.
While the messaging parties believe their two-way conversation is private, and might even use a private encryption key, every message is re-routed through the attacker, who can alter the content before sending it on to the intended recipient. The encryption key itself can be swapped out for one the attacker controls, and the original parties remain unaware of the eavesdropper the entire time.
SQL Injection
Databases using structured query language (SQL) rely on specially formatted queries to locate and return requested data. Human or automated attackers can send requests that exploit the database’s internal codes to alter the query as it’s processed. This year alone, SQL injection was the culprit behind a number of notorious security breaches, such as hacker group LulzSec’s alleged theft of data from the Sony Pictures server.
Once again, the solution to this problem isn’t in the user’s hands.
“Well-designed software avoids the problem by weeding out any queries that don’t meet strict standards,” said Beth Paley, a software training consultant and co-founder of Acrotrex Medical Business Systems in northern New Jersey.
Paley advises those who create and maintain database apps to “use whitelisting, not blacklisting,” letting only specific data through instead of keeping only specific data out. That way previously unseen SQL injections won’t get through.
Disguised Filenames
Modern operating systems accommodate speakers of languages such as Arabic and Hebrew by featuring codes which can reverse the direction of type to display such languages correctly: written right-to-left instead of left-to-right.
Unfortunately, these “RTL” and “LTR” commands are special Unicode characters that can be included in any text, including filenames and extensions. Exploiting this fact, a malware purveyor can disguise “.exe” files as other files with different extensions. Your operating system will display the “disguised” name, though it still treats the file as an executable — launching it will run the program and infect your computer. Practice caution with any and all files from unknown sources.
Banking Trojans
A Trojan is malicious software that disguises itself as innocent program, counting on you to download or install it into your system so it can secretly accomplish its malicious tasks. The infamous ZeuS Trojan and its rival SpyEye take advantage of security holes in your Internet browser to “piggyback” on your session when you log in to your bank’s website.
These monsters are in the Ivy League of computer malware; they avoid fraud detection using caution, calculating inconspicuous amounts of money to transfer out of your account based on your balance and transaction history.
While financial institutions continue to increase the layers of security involved in large transactions, such as requiring confirmation through “out-of-band” communications — such as your mobile device — digital crooks have lost no time adapting to the changes, with banking Trojans able to change the mobile number tied to your account and intercept that confirmation request. If you’re a tempting target, fear is an understandable response. It’s just another part of a digital arms race that shows no signs of slowing down.
Facebook Everywhere
It’s hard to find an individual who or a corporation that isn’t on Facebook. The social networking site has become an ever-present hub for everything online. For some less savvy users, Facebook is the Internet.
With developments like Facebook Connect and Open Graph, Facebook is virtually opening its doors to any third party that wants in on the action. You may have already noticed that Facebook displays ads targeting your specific demographic information, based on the personal information you’ve posted and activities you’ve participated in.
What you might not have noticed is that other sites have started targeting your Facebook demographics as well. Any time you browse the Web without first logging out of Facebook, other sites can get access to any profile information you’ve marked as fit for public consumption.
Don’t want every site on the Internet to see you coming a mile away? Just remember to log out of Facebook every time.
