Friday, April 11, 2008
Some useful online security advice
Last week I spoke at the Massive Tech show on a security panel. During the talk, I quickly realized how far in the dark many consumers are as to the dangers of online behavior. Many people, via sheer ignorance, expose themselves to unnecessary risks. The following are some quick tips I want to share to help raise awareness.
1. Always log out. When you log into an online application (such as your online banking or brokerage account), a session is created. If you simply close the browser without logging out, the session may remain open for a short time leaving it vulnerable to replay style attacks. In these types of attacks, someone could send a request or hit the back button on your own browser and be able to access your account as if they were you. Closing the session properly by logging out removes a huge amount of risk.
2. Use at least 3 different passwords for all your online activities. I use 3 - one for low value logins (such as a user group), one for medium risk and one password for high risk, high value applications such as online banking, paypal and our corporate network. NEVER use your highest value password for low risk accounts. It is very conceivable that someone could socially engineer an attack against you by finding out your interest and sending you an offer you cannot refuse (free iPod Touch with each new account on "someAttractiveWebsite.com"). A clever webmaster and hacker could spoof a password text field and trick you into providing your high value password for some offer when you set up a new account. USE MORE THAN ONE PASSWORD!!!
3. Be very suspicious of emails at work asking you to log in to a remote site to do something work related using your intranet credentials. I recently got an email purporting to be from our legal department telling me that I had to take some training to comply with US laws and to use my normal credentials. The URL was a remote site. While this one was real, this could have very easily been a trick (spoofed email, fake site) to compromise my corporate credentials.
4. ALWAYS check the certificate of a site and that HTTPS is working properly. Most newer browsers have technology to help alert unsuspecting consumers of fraud however it is still possible that a CRL has not yet picked up an expired certificate or the webmasters themselves have made mistakes with secure and non-secure items on the same page.
5. Set your email to not automatically download pictures from HTML email. This is an attack that a person can use to get your IP address. If you load up the HTML email and any referenced image, a trickster could easily send you an email with a unique file name and use the incoming HTTP Request envelope to get your actual IP Address. Being behind a firewall helps.
6. When logging in to high value sites, type the URL manually. Some clever tricksters have used the International Domain Name (IDN) support in Konqueror 3.2.1 on KDE 3.2.1, which allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks. These are very hard to detect unless you know exactly what to look for.
7. DO NOT BUY PIRATED SOFTWARE ONLINE! The email ads you get advertising "special web deals" on top software brands are 100% pure fiction. If you try to buy the software, you will accomplish nothing other than giving a criminal your credit card information. Think about it - the criminals are already breaking the law by selling pirated software. Why would they comply and give you software? All they do is capture your Credit Card information leaving you wondering when your download key is coming. By the time you wise up, they have compromised your credit card. These types of attacks are often not reported as the victims themselves are often reluctant to make statements they broke the law. This can lead to further confidence tricks such as.....
8. Do not answer questions on the phone. Here is a scam that is difficult to detect. You get a call from your "credit card company". They ask you if you are the owner of credit card #
and ask you to confirm. Since they already have given you your own card number, you might be satisfied that they are the bank (after all - who else would call you and be able to give you your own CC number). They ask you if it has the same expiry date as your real expiry date. Then they tell you that your card has some suspicious activity on it and they are monitoring it and want to capture the thief in the act. At this point, you are 100% convinced they are the bank but what they are really after you will give to them willingly. The next thing they do is state that they need to verify you are in fact in possession of your card. They tell you that they need the three digit special ID number on the back of the card. If you do not suspect anything, you read it back to them.
What to do? When someone calls you telling you they are your bank or some other organization of trust, tell them you'd like to call them back to validate this. If it really is your bank calling, they will probably appreciated your vigilance. If they balk, it is probably not your bank.
9. If a deal is too good to be true it is. This rule is so old and should be the guiding principle for every person. New cons are being thought up every day. Confidence games, ID gambits and other tricks are invented to take something from you. Even if a company is borderline legitimate, ask yourself "why?". Why will someone give me a free iPod for simply looking at online ads?
10. Share your experiences. If you do get conned, tell others to save them from the same fate.
I hope this helps at least one person. If anyone reading this has any others to add, please drop a comment below to help spread the word.