Joel Durham Jr. – ExtremeTech
If you don’t subscribe to the free PCMag.com Security Watch newsletter, perhaps you should. 2005 was a fantastic year for phishing schemes, viruses, Trojan horses, Web attacks, e-mail attacks, Wi-Fi vulnerabilities, browser vulnerabilities, Windows exploits, spyware invasions, and other things that give PC users nightmares and make Mac users laugh at us.
Just as security firms, security software developers, and even the governments of the world research and push for new ways to protect PCs and networks, the nefarious nincompoops with nothing better to do continue to invent new ways to exploit users.
They discover new vulnerabilities in Windows and Internet Explorer and even Mozilla Firefox 1.5; they set up Web sites for the sole purpose of taking control of your computer or stealing your identity; they spam millions of computer users daily; they orchestrate DDoS (distributed denial-of-service) attacks against major Web sites, ISPs and Internet backbones.
It’s not just the basement-dwelling, socially isolated hackers who have it in for you. Major companies pack spyware and foistware with their products. Such subapplications install themselves without your knowledge and hide deep within the file system, collecting information or altering the way you use, or can use, your computer.
A glaring example is the rootkit that Sony thoughtfully included with a bunch of its music CDs, as reported in Security Watch: Sony CDs Make Your PC Play the Blues.
Before the offending CDs were recalled, you could buy one, pop it into the optical drive of your Windows machine, and find your computer altered to Sony’s whims (for example, you could only play that CD with the media player that it installed without your permission).
If you tried to remove the rootkit without Sony’s special uninstaller, it could cause your computer to stop working completely.
Such were the efforts of a supposedly legitimate company. On the illegitimate side, hackers and identity thieves have begun to band together to form their own conglomerates, sharing resources and strategies. This can only result in a more dangerous world for casual–and even experienced–computer users.
Everything Old Is New Again
As we meander through the first month of 2006, you’ll find all of the old threats still intact. Many, in fact, are becoming more sophisticated, as their propagators become aware of the PC industry’s efforts to foil them. In fact, one spyware manufacturer used the paranoia that Internet threats create to push its own products. Read all about the notorious WinFixer here.
Then there’s identity harvesting. Last year, security experts became aware of a dangerous new offshoot of phishing.
A phishing scheme tries to fool you into giving up personal information and credit card data, usually via e-mail, by presenting a bogus retail offer or by trying to fool you into thinking that your eBay, online bank, PayPal or other Web-accessed account needs to be “updated.”
Click on the link in the e-mail and it’ll take you to a legitimate-looking Web site with fields for your name, address, credit card information, bank account numbers, social security number and/or other data that you shouldn’t regularly share.
Someone then uses that data to buy stuff on your tab or, worse, steal your identity and live a life as you. Phishing isn’t efficient enough for data wholesalers, however, so they invented pharming. That involves tricks, such as installing Trojan horse-like software, to steal account information as you try to legitimately surf the Web.
2005 had its share of viruses, worms and Trojan horses, and more are most certainly on the way, targeting everything from Windows PCs to wireless devices like mobile phones, reported in Security Watch: A Dangerous Mobile Phone Virus Calls In.
Speaking of wireless, the IEEE (Institute of Electrical and Electronics Engineers) is still working on beefing up security for Wi-Fi, as hackers find ways to sniff their way into WEP (Wired Equivalent Privacy)- and WPA (Wi-Fi Protected Access)-protected networks.
What’s new this year? Plenty, considering that this is being written the weekend of Jan. 14. For starters, Wi-Fi-equipped notebook computers aren’t even safe 30,000 feet in the air.
When you fire up a Wi-Fi-equipped PC, it looks through the air for a wireless network. If it finds one, it tries to join it, and if it’s allowed (or if the network isn’t secure) it gains access to the network’s shares and Internet connection.
However, if it doesn’t find one, it sets itself up for an “ad-hoc” network: a Wi-Fi network without a router or access point. Should a computer lacking a firewall do this, someone else with a Wi-Fi device within radio range could “join” the ad-hoc network and thus have access to the vulnerable computer’s hard drive shares and, for a crafty hacker, the entire file system.
Another major Windows threat this year concerned infected image files. At least two worms, and possibly more, took advantage of an exploit concerning WMF (Windows Metafile) handling of images.
Worms, distributed by e-mail, contained either images or links to Web sites with images that, when loaded, assaulted Windows computers with malicious code. The genius of this exploit was that every version of Windows, all the way back to Windows 3.0, was (or is) vulnerable. Microsoft coders worked tirelessly to release a patch to plug the WMF hole.
Look for a new trend in spyware: targeted attacks. Most anti-virus and anti-spyware programs work by checking files for lines of code that appear within known viruses and spyware—for a signature, so to speak.
What if, however, you wanted to infiltrate the network of a specific company or even a specific computer? The answer some criminals have found is to write customized “assaultware.”
Suddenly, the installed anti-virus and anti-spyware programs are defenseless, because they have yet to see the signature of the new, customized code. Infected e-mail attachments don’t get flagged; infected software executables are allowed to run. A company’s network gets overrun by programs designed to bring it down, or to send company secrets to a spy or an ambitious freeloader, which could be worse.
Casual users are worried about what to do to keep their computers safe in a time when cyber-thugs are constantly finding vulnerabilities in operating systems, browsers and protection software. A great deal of protection comes from programs, such as firewalls, anti-virus software and anti-spyware applications. However, an informed, careful user is the hacker’s worst enemy. Follow these hints to keep your computer safe:
• No matter how tempting it is, don’t open e-mail attachments from unknown addresses. In fact, if you get something that seems odd from a known address, you might want to reply with, “Did you just send me an attachment? What is it?” If the other party turns out to be unaware of the message, it was probably initiated by a virus or worm.
• Learn to recognize phishing attempts. Your inbox may be clogged with Amazing Special Offers, security warnings for major banks, account update requests from online retailers, and so on. Don’t follow links in such e-mail. If you want to update your PayPal or eBay account, open a browser and type in the URL manually.
• Keep Windows up to date. Use Automatic Updates if it’s available. If not, run Windows Update at least once each week, if not every day.
• Use a firewall, an anti-virus program, and an anti-spyware program. See the sidebar Protect Your PC for Free for some suggestions that won’t cost you a dime.
• Keep all of your security software and browsers up to date. This is very important, as browser security patches, anti-virus updates, and other updates protect your computer from emerging threats. Almost all such software has built-in automated updating capability; make sure it’s turned on and set to check for updates every day.
• Don’t download warez. Warez are illegal copies of commercial software programs and games. You should avoid them and get your software through legitimate means. Besides breaking the law, warez users expose their computers to all kinds of security threats. Warez-kiddies are idiots. Don’t encourage them.
• Don’t run an executable file you’ve downloaded without scanning it for viruses. Most anti-virus programs have shell extensions that let you right-click on a file in your file system and scan it from there. Even files from trustworthy sources can be infected if a hacker gets in or a disgruntled employee acts out.
• Consider switching to Firefox. Firefox isn’t the be-all and end-all of Internet security–it, too, has been vulnerable to exploits–but it might be more secure than Internet Explorer. Some extensions, such as NoScript, offer fantastic security.
• Lock down your Wi-Fi network. Use the latest supported protection for your wireless network, be it WEP, WPA, or WPA2. Change the default SSID, and don’t broadcast it. Consider using MAC (media access control) address filtering as well.
• Read computer news regularly.
• Most importantly, use common sense. If an offer seems too good to be true, it probably is. If your bank sends you an e-mail asking you to click a link that, when you mouse over it, you discover leads to an unfamiliar URL, don’t click it. If someone offers you a free file copy of copyrighted material, turn it down.
Peter Parker, aka Spider-Man, learned it the hard way: With great power comes great responsibility. The Internet is a source of great power, and it’s up to you to use it responsibly. Protect your identity and your computer in any way that you can, short of pulling the plug. 2006 will undoubtedly bring with it a whole host of new and innovative security threats, but if you educate and prepare yourself, you, your PC and your company won’t fall victim to them.
Joel Durham Jr. is a freelance technology writer and author of “PC Modding for Dummies” (Wiley, 2005).