Everybody talks about cyber security. But quite frankly,
most computer users are woefully uninformed about what it takes to make sure
their systems are secure.
Good security requires more than anti-virus (AV) software.
It means taking action to protect yourself from cyber criminals who try to
access your information when you make an online purchase or when you do your
banking. It's about making sure no one can get a peek at the sensitive data you
have stored on your computer.
Update and patch
Everyone needs to get into the habit of installing all updates and patches,
especially for applications such as Windows Media Player, Oracle's Java
Runtime Engine and Adobe Flash Player, all of which have seen a number of
vulnerabilities recently.
But all updates and patches, no matter what software is
involved, are there for a reason and shouldn't be ignored.
Don't send personal information over public Wi-Fi
Data sent over a wireless network can be easily intercepted. If you want to
access your bank while sitting at the coffee shop, you may be better off using
your 3G carrier on your mobile device.
Install a good Internet-security software package
Who wants to spend
money for something that’s free? A lot of companies offer a free version of
their security software package, but in most cases it provides the barest
minimum coverage.
Understand how social engineering works
Social engineering is
one of the top tools used by cyber criminals, and every computer user should be
familiar with how it might be used to trick him or her.
Social engineering often uses popular events to lure users
to fake sites laden with malware, or uses techniques like spear phishing and
specially targeted email with malicious links. Sometimes it's just a good
old-fashioned confidence trick in digital form.
Learning how cyber criminals are trying to trick you can go a
long way toward protecting yourself.
Don't trust everyone online
Going hand in hand with advice about social engineering is a warning
not to trust everyone you meet online.
"Keep your mind switched on while dealing with people,"
"Don’t trust everyone in your social media networks, especially people you
don't know well."
This is especially important to remember when using a
service like Twitter, where you follow someone, or someone follows you, based
on shared interests rather than an actual relationship.
Strong anti-virus software and firewalls do a great job of
protecting our computer systems. But even when virus definitions are fully
updated and firewalls properly configured, there are still insidious threats
that can worm their ways in, stealing your data or hijacking your PC and
leaving you none the wiser.
The security and IT specialists upon whom we all rely can
only do so much. At the end of the day, if the average user isn't vigilant,
the strongest security precautions in the world won't stop some of the more
dangerous digital intruders, with potentially disastrous consequences.
To keep you on your toes (or shivering in your boots), here
are 10 schemes and scams that might have slipped under your radar.
You might get an unsolicited phone call from a tech-support
representative claiming to be from Microsoft or another big-name IT
corporation. But the caller won't be who he claims to be. After warning you
that "suspicious activity" has been detected on your computer, he'll
offer to help — once you give him the personal information he requires to get
his job done.
That job isn't fixing your computer. In fact, he's really
just after your personal information.
If you receive a call like this, hang up, call the company
the bogus technician claimed to be from, and report the incident to a
legitimate representative. If there really is a problem, they'll be able to
tell you; if not, you just thwarted a data thief.
DNS Redirection
Internet service providers (ISPs) such as Time Warner Cable
and Optimum Online claim they're trying to help with DNS redirection, but the
reality seems to come down to money. Domain Name System (DNS) redirection
overrides your browser's normal behavior when you can't reach a webpage.
Instead of displaying the normal 404 "File Not Found" error, the ISP
sends you to a page of the ISP's choosing — usually a page full of paid
advertising and links.
Innocent though that practice may be, computer viruses can
do the same thing, redirecting your browser to a hostile page the first time
you misspell a domain. With ISPs, you can opt out of their DNS redirection
(you'll find links below all the ads); with viruses, stay on your toes. Make
sure you know what your browser's default 404 page looks like, and take action
if you see anything different.
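One way to check at the DNS level whether nonexistent names are being rewritten is shown below. This is an added example, not part of the original article: it asks the resolver for several random names that should not exist and reports a rewrite only if all of them come back with an address. The function names and the injectable `resolve` parameter are assumptions made for illustration.

```python
import secrets
import socket

def random_probe_names(count=3, suffix="com"):
    """Random 20-hex-character labels: overwhelmingly unlikely to be registered."""
    return [f"{secrets.token_hex(10)}.{suffix}" for _ in range(count)]

def system_resolve(name):
    """Resolve with the OS resolver; None means the name did not resolve."""
    try:
        return socket.gethostbyname(name)
    except OSError:  # socket.gaierror is a subclass of OSError
        return None

def detect_nxdomain_rewriting(resolve=system_resolve, names=None):
    """Probe names that should not exist and summarise what came back.

    A well-behaved resolver fails every probe. If every probe resolves,
    something on the path (ISP resolver, local malware, tampered router
    settings) is substituting its own answer for "no such domain".
    """
    names = names or random_probe_names()
    answers = {n: resolve(n) for n in names}
    resolved = {n: ip for n, ip in answers.items() if ip is not None}
    return {
        # Require all probes to resolve so one freak hit is not a false alarm.
        "rewriting": len(resolved) == len(names),
        # The landing addresses are what to compare against the ISP's known pages.
        "landing_ips": sorted(set(resolved.values())),
        "answers": answers,
    }

if __name__ == "__main__":
    result = detect_nxdomain_rewriting()
    print("rewriting detected:", result["rewriting"])
    print("landing addresses:", result["landing_ips"])
```

A positive result says only that answers are being substituted; whether the landing address belongs to the ISP's advertised redirect service or to something else has to be checked separately.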
Open DNS Resolvers
Another danger lies in the way some DNS servers are
configured. An "open resolver" can offer information it isn't
authorized to provide. Not only are open resolvers exploited in distributed
denial-of-service (DDoS) attacks, but an attacker can "poison" the
DNS cache, providing false information and incorrect resolutions that must be
detected to be corrected.
If your browser trips over a case of cache poisoning, the
agents in charge of a hostile server can glean detailed information about your
system — especially if you're in the middle of an important transaction. How
can typical users solve this dilemma? The chilling answer: They can't. It's up
to Internet service providers to address the problem.
Fraudulent SSL Certificates
A Secure Sockets Layer (SSL) certificate reassures your
browser that the site you've connected to is what it says it is. If you're
looking at "HTTPS" instead of plain old "HTTP," you know
there's security involved, such as when you log in to your bank account or pay
your phone bill. The most trusted SSL certificates are issued by designated
Certification Authorities worldwide.
But what happens if that trust between browser and website
is exploited? Acquiring or creating fake SSL certificates is unlawful, but
happens often enough that we need to be aware of it. On multiple occasions in
2011, the discovery of false certificates suggested an attempt to spy on
Iranian citizens as they used Gmail and Google Docs. According to the website
of computer security firm F-Secure, "It's likely the government of Iran is
using these techniques to monitor local dissidents."
Session Hijacking
If you spend afternoons using your laptop in a café with an
open Wi-Fi network, you might not be the only person logged into your Facebook
or eBay account. Firesheep, an add-on for Mozilla's Firefox browser, lets its
users sneak a peek at other people's browser activity if they're all on the
same wireless network.
While the illicit observers can't get a glimpse of secured
pages, many sites secure only their login pages; once you're logged in, your
presence is maintained purely through cookies, packets of data that your
browser stores to keep track of your browsing needs.
Though it can be used for darker purposes, Firesheep should serve more
as a warning to websites with private user accounts: They need to take security
seriously. Guarding the main gate isn't the limit of their responsibilities;
attackers don't need to storm the castle when a guest leaves the door open.
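The site-side check implied above can be automated. The following is an added example, not part of the original article: it audits Set-Cookie header values and reports session cookies that lack the Secure attribute, which is what lets a browser send them over plain HTTP after an HTTPS login. The cookie names treated as session identifiers and the sample responses are constructed assumptions.

```python
from http.cookies import SimpleCookie

# Assumption: cookie names treated as session identifiers (adjust per application).
SESSION_COOKIE_NAMES = {"sid", "sessionid", "session", "auth"}

def audit_set_cookie(header_value):
    """Return (cookie_name, missing_attribute) pairs for one Set-Cookie value."""
    jar = SimpleCookie()
    jar.load(header_value)
    findings = []
    for name, morsel in jar.items():
        if name.lower() not in SESSION_COOKIE_NAMES:
            continue  # preference cookies and the like are not the concern here
        if not morsel["secure"]:
            # Without Secure the browser attaches the cookie to http:// requests,
            # where anyone on the same open Wi-Fi network can read it.
            findings.append((name, "Secure"))
        if not morsel["httponly"]:
            # Without HttpOnly the cookie is also readable by page scripts.
            findings.append((name, "HttpOnly"))
    return findings

def exposed_on_plain_http(responses):
    """Names of session cookies a browser would also send over http://."""
    exposed = set()
    for _url, set_cookie_values in responses:
        for value in set_cookie_values:
            exposed.update(n for n, attr in audit_set_cookie(value) if attr == "Secure")
    return sorted(exposed)

# Constructed sample: both logins use HTTPS, but only one protects the cookie.
SAMPLE_RESPONSES = [
    ("https://shop.example/login", ["sid=3f9a1c; Path=/; HttpOnly"]),
    ("https://bank.example/login", ["sessionid=77be02; Path=/; Secure; HttpOnly"]),
    ("https://shop.example/", ["theme=dark; Path=/"]),
]

if __name__ == "__main__":
    print("session cookies exposed over plain HTTP:",
          exposed_on_plain_http(SAMPLE_RESPONSES))
```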
Man-in-the-Middle Attacks
While you're still sipping your latte on that unsecured
network, even your encrypted messages may not be all that safe. A
Man-in-the-Middle (MTM) attack occurs when an attacker intercepts
communications and proceeds to "relay" messages back and forth between
the lawful parties.
While the messaging parties believe their two-way
conversation is private, and might even use a private encryption key, every
message is re-routed through the attacker, who can alter the content before
sending it on to the intended recipient. The encryption key itself can be
swapped out for one the attacker controls, and the original parties remain
unaware of the eavesdropper the entire time.
Disguised Filenames
Modern operating systems accommodate speakers of languages
such as Arabic and Hebrew by featuring codes which can reverse the direction of
type to display such languages correctly: written right-to-left instead of
left-to-right.
Unfortunately, these "RTL" and "LTR"
commands are special Unicode characters that can be included in any text,
including filenames and extensions. Exploiting this fact, a malware purveyor
can disguise ".exe" files as other files with different extensions.
Your operating system will display the "disguised" name, though it
still treats the file as an executable — launching it will run the program and
infect your computer. Practice caution with any and all files from unknown
sources.
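A mail filter or download scanner can catch this disguise before a user ever sees the name. The following is an added example, not part of the original article: it lists the bidirectional control characters in a filename and compares the extension the operating system will act on with the one a user is likely to see. The display logic is a deliberate simplification of the Unicode bidirectional algorithm, and the sample filename is constructed.

```python
import os

# Unicode bidirectional formatting characters (invisible when displayed).
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM",
}

def displayed_name(name):
    """Approximate what a file manager shows: text after a right-to-left
    override (RLO) is drawn reversed until a PDF control or the end.
    Simplified on purpose; this is not the full bidirectional algorithm."""
    out, buf, reversing = [], [], False
    for ch in name:
        if ch == "\u202e":
            reversing = True
        elif ch == "\u202c" and reversing:
            out.extend(reversed(buf))
            buf, reversing = [], False
        elif ch in BIDI_CONTROLS:
            continue  # the remaining controls are simply invisible
        elif reversing:
            buf.append(ch)
        else:
            out.append(ch)
    out.extend(reversed(buf))
    return "".join(out)

def inspect_filename(name):
    """Report bidi controls and whether the visible extension is misleading."""
    controls = [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]
    real_ext = os.path.splitext(name)[1].lower()
    shown_ext = os.path.splitext(displayed_name(name))[1].lower()
    return {
        "controls": controls,
        "real_extension": real_ext,    # what the operating system acts on
        "shown_extension": shown_ext,  # what the user is likely to see
        # Legitimate right-to-left names keep the same extension, so flag
        # only names where the controls change the apparent file type.
        "suspicious": bool(controls) and real_ext != shown_ext,
    }

if __name__ == "__main__":
    sample = "invoice\u202efdp.exe"  # constructed sample name
    print(repr(displayed_name(sample)), inspect_filename(sample))
```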
Banking Trojans
A Trojan is malicious software that disguises itself as an
innocent program, counting on you to download or install it into your system so
it can secretly accomplish its malicious tasks. The infamous ZeuS Trojan and
its rival SpyEye take advantage of security holes in your Internet browser to
"piggyback" on your session when you log in to your bank's website.
These monsters are in the Ivy League of computer malware;
they avoid fraud detection using caution, calculating inconspicuous amounts of
money to transfer out of your account based on your balance and transaction
history.
While financial institutions continue to increase the layers
of security involved in large transactions, such as requiring confirmation
through "out-of-band" communications — such as your mobile device —
digital crooks have lost no time adapting to the changes, with banking Trojans
able to change the mobile number tied to your account and intercept that
confirmation request. If you're a tempting target, fear is an understandable
response. It's just another part of a digital arms race that shows no signs of
slowing down.
Facebook Everywhere
It's hard to find an individual or a corporation that
isn't on Facebook. The social networking site has become an ever-present hub
for everything online. For some less savvy users, Facebook is the Internet.
With developments like Facebook Connect and Open Graph,
Facebook is virtually opening its doors to any third party that wants in on the
action. You may have already noticed that Facebook displays ads targeting your
specific demographic information, based on the personal information you've
posted and activities you've participated in.
What you might not have noticed is that other sites have
started targeting your Facebook demographics as well. Any time you browse the
Web without first logging out of Facebook, other sites can get access to any
profile information you've marked as fit for public consumption.
Don't want every site on the Internet to see you coming a
mile away? Just remember to log out of Facebook every time.