THREE REAL ONLINE DANGERS YOU NEED TO WORRY ABOUT
STATE-SPONSORED CYBERTERRORISM MAY GRAB
HEADLINES, BUT MUNDANE ATTACKS—DUE TO POOR COMPUTER HYGIENE—CAUSE THE MOST
DAMAGE.
There's no shortage of
panic-inducing security news, such as flaws in web encryption that could allow
attackers to slurp up your banking information. Then there are the
proof-of-concept attacks. Security researchers seem to find hacks for every new
Apple product within days, such as making a cast of
someone's fingerprint with glue to fool the iPhone's Touch ID sensor.
But sensational
attacks require a lot of work, and luck. Hackers save them for giant
corporations and governments, not individuals or small companies. "It's
interesting to read the stories, but you don't really need to worry abut an
elite squad of cyber soldiers going after your machine," says Patrick
Nielsen, senior security researcher at antivirus company Kaspersky, and one of
four security experts I spoke with to sort the media hype from the real dangers
out there.
All four had similar
answers when I asked them to name the main security threats. The biggest
dangers I culled from their input are data breaches, unsafe Wi-Fi networks, and
mass-distributed malware that takes over a computer.
In December 2013,
hackers stole credit and debit card numbers of about 40 million customers from
Target. In February 2015, health insurer Anthem revealed that attackers had
gained personal information for about 80 million customers. This month, hackers
stole records from up to 37 million members of AshleyMadison, an online dating site for cheating spouses.
There's no point
breaking into someone's personal computer when the data of millions of people
are stored on servers owned by a mega-corporation like Home Depot or a
government agency like the Office of Personnel Management.
Individuals and
businesses can't do anything to keep a big target with their data from getting
hacked, but they can limit how much information is in there. Volunteering
information about turn-ons and affairs to an online database is not a good
idea. And don't pay by debit card, says Robert Hansen, VP of White Hat
Security. "When you lose your credit card, you lose the ability to
transact with that credit card, nothing else," he says. "When you
lose your debit card, you lose control of your banking assets."
Even a breach at a
minor site can be dangerous, because it provides access to usernames and
passwords that people re-use for more important sites, like their bank. A 2014
study by the University of Illinois, Princeton University, and Indiana
University called "The Tangled Web Of Password Reuse," estimates that about half of people
recycle passwords. That seems conservative. "Nearly everyone uses the same
passwords on different services," says Nielsen.
It's not an easy
problem to solve, according to a study called "Password Portfolios And The Finite-Effort User" by Microsoft Research and Canada's
Carlton University. "Mandating exclusively strong passwords with no re-use
gives users an impossible task as portfolio size grows," said the report.
More realistic, it said, is to develop strong, unique passwords for important
sites, and weaker, reused ones for the others.
One of the meanest
things someone can get on their own computer is ransomware that locks the
machine until the owner pays up. "That's where the cybercriminal community
get the most of their money," says Chase Cunningham, threat intelligence
lead at security firm FireHost. Ransomware has also evolved into blackmailware.
Cybercrooks can find juicy material on the computer, like incriminating photos,
then demand payment or favors to keep it secret.
"Ransom ware
combined with blackmail is . . . a great way to get access to corporate
environments," says Cunningham. "I’ve seen a case in the past in
which [crooks] say, If you don't want your wife to know what you were doing in
Vegas, you’d better give us access to your VPN."
Ransomware or other
malware often gets on to computers the old-fashioned way: Fifteen years after
the ILoveYou worm,
people are still clicking on infected attachments in emails. And bogus links in
emails go to sites riddled with malware that automatically infects a system in
what's called a drive-by download. Even legit sites host malware that slips in
through the automatically placed ads that are becoming the lifeblood of online
revenue. A massive infection in late 2014 hit about two dozen sites, including
Yahoo, AOL, and The Atlantic. "It's very easy to sneak stuff
into ads. The advertising industry is not very good about filtering that stuff
out," Cunningham says.
Ad-blocking software
can fix the "malvertising" problem, but that's an uncomfortable topic
for any company that makes its money through advertising—from news sites to
mighty Google and Facebook.
Banking trojans infect
people's web browsers as drive-by downloads and take over their bank accounts,
performing transactions without the user knowing, Jerome Segura, senior
researcher at security software maker Malwarebytes, told me in an email. Mass
infections from email attachments and drive-by downloads are also turning
computers into nodes in botnets—tens of thousands of machines commandeered for
jobs like churning out spam email or launching distributed denial of service
attacks on websites. "If you did a pretty in-depth analysis [of any
computer], chances are good you’d see some kind of botnet that’s been there in
the past," says Cunningham.
Antivirus or
anti-malware has a good chance of stopping trojans from infecting computers, or
eventually removing them once anti-virus companies learn how to recognize a new
threat, said Nielsen.
Public Wi-Fi networks
are the public toilets of the Internet—conveniently located, but likely to
cause infections. One danger is that you don't know who else is on the network.
"A lot of hackers visit coffee shops," says Hansen. They might just find
it fun to poke around.
A bigger danger is
that the network is not what you think it is. "For $50, I can grab a
system that mimics any Wi-Fi network around," says Cunningham. Instead of
expending effort to snare one person sharing the real café network, hackers can
get trick the whole café into logging onto the bogus network.
And it's not just free
Wi-Fi. Many hotel networks can be managed remotely from a cloud interface, a
vulnerability which hackers can leverage, even if they are miles away. A common
trick is to push out alerts for bogus software updates, like the constant Adobe
Flash player notifications. "We actually recommend updating [all your
software] at home and then not updating when you're away from home or on any
public network," says Nielsen.
If you have to use
public Wi-Fi, connect through a virtual private network (VPN), says Cunningham.
Many companies provide and even require employees to use their VPN connection,
and VPN services cost less than $10 a month for individuals to sign up with.
There's also the option of using a smartphone as a personal Wi-Fi hotspot,
though that may require upping your monthly data plan.
Internet security, for
most of us, is pretty dull—centered on routine attacks that utilize infected
attachments, dubious links, lousy passwords or compromised Wi-Fi. But those
boring threats fund a multibillion-dollar industry that can ruin individual
lives, and even companies, through theft, extortion and espionage.
Even as sensational
hacking stories grab the headlines, keeping safe is about sweating the small
stuff. "The drama is on this new advanced tech," says Nielsen.
"But where you should be putting attention is all the boring stuff . . .
making sure your software is up to date, running security software, trusting
your instincts when you get an email."
BY SEAN CAPTAIN
http://www.fastcompany.com/3048458/elasticity/three-real-online-dangers-you-need-to-worry-about?utm_source=mailchimp&utm_medium=email&utm_campaign=fast-company-daily-newsletter&position=6&partner=newsletter&campaign_date=07222015
No comments:
Post a Comment