Here’s more great advice from the computer security gurus at SANS. This time in the form of the top ten security myths, complete with the SANS sense of humor.
[SANS Editor’s Note: (Wyman) What you don’t know can hurt you, and there’s even greater danger in believing things that aren’t true. This month we bust the Top Ten Computer Myths, and offer some security tips that won’t cost you a lot or take much of your time. And you don’t have to be a tech guru to use them.]
#10. Viruses and worms are created by sociopathic teenagers.
In days of yore, geeks sometimes went bad and vandalized computers to make a name for themselves. But in those days, if your system got infected it would act wonky, and you knew something was wrong. Today, well-financed, tech-savvy participants in international criminal conspiracies craft malware that keeps infections as quiet as possible for as long as possible so that they can continue making money and taking your money. They build botnets–armies of innocent computers, like yours, that have been hijacked and made to spew out spam or launch denial-of-service attacks. They steal usernames and passwords and credit card numbers by the score and sell them in lots on the black market.
#9. The Internet isn’t safe. It’s smart to use it as little as possible.
Does the potential for getting the flu prevent you from leaving your house? Have you stopped driving your car because of all the accidents lately? Did you give up hamburgers when Mad Cow Disease was discovered? Not likely. Yes, you can get into trouble using the Internet. The key is to be aware of the real risks and prepare for them so you can enjoy what the Web has to offer. While you can’t eliminate all risk in the online world, any more than you can guarantee your safety in the real world, there are steps you can take to shift the odds in your favor.
#8. If it ain’t broke, don’t fix it.
What if it is broken, only you can’t tell it is? Tales of woe abound about computer users who’ve been bitten in the past by applying a recommended patch to a piece of software, only to see that software break[s] or foul[s] up something else on their computers. Sounds like a good argument for skipping patches. There’s just one problem. Today, a recommended patch is often, even usually, meant to close a security hole. Not installing it is tantamount to parking your car in a bad neighborhood at 2 a.m. with the windows rolled down.
#7. If my browser displays the locked padlock, the website is secure.
Chances are you’ve been hearing for years about how that padlock in your browser will keep you safe. But it won’t. In fact, it never did. The padlock has to do with securing the connection between your computer and the website. Data sent via a secured connection is encrypted in both directions, but that does not mean the website or your computer is secure.
#6. I can tell a shady website by looking at it.
Not any more. Even websites that look professional and belong to established companies are not immune to the machinations of cybercrooks who hunt for security flaws and insert hidden code that attacks visitors surreptitiously. Case in point: The New York Times website was invaded last September by Bad Guys who smuggled in pop-up ads promoting bogus antivirus software. More insidious is malware implanted on websites that [scan] your computer quietly for security flaws while you are viewing a page. When it finds one, it dumps malicious software onto your system. This kind of “drive-by-download” can be rigged up on any website–big or small, slick or homely, official or unofficial-at anytime, anywhere in the world.
#5. If I go to a website, and don’t do anything while I’m there, I’ll be OK, right?
No! If a site or page has been rigged with the right malware, all you have to do is browse to it. If your computer is not protected, that is all a Trojan Downloader needs to get a foothold on your system. A cascade of crud can follow, as that Trojan goes about silently infecting your computer with more malware.
#4. If a friend on Facebook or Twitter posts a link, it’s safe.
As Facebook and Twitter have grown in popularity, a swarm of attackers [have] come along for the ride. These are the same people who have been sending spam and spinning online scams for years. Today, they target social networks because, like con-artists and pickpockets, they follow the crowds. Standard in their bag of dirty tricks are ways to post messages that look like they are from your friends.
#3. If I just view an email message without clicking on any attachments or links, I’ll be safe.
Sometimes emails don’t pass the “sniff” test, but we figure there’s no harm in viewing them just to be sure. Bad idea. There are ways an attacker can launch an email attack that [doesn’t] require you to click on a link, and these techniques can be just as dangerous as clicking on an infected attachment. Simply opening the email may be enough to confirm that your account is active and that makes your email address more valuable to sell to spammers.
#2. This email sure looks authentic.
Deception in cyberspace is as common as camouflage in nature. Has the Bank of America really placed a hold on your account? The email looks official. It even has the BofA logo. But stop and think. Doesn’t your bank call you when there’s been suspicious activity on your account? So, call the bank and find out what’s up. Have you really overpaid your federal income tax? That email sounds like you are in line to get a gift, but only if you don’t know that the IRS never communicates with taxpayers by email. Is that Amazon email cancellation notice legitimate? The embedded link promises a quick way to find out. The far safer way is to log into your account as you usually do and check the status of your order. Never use any of the contact information that’s provided in the same message. Refer back to trusted information you already have or can get independently.
#1. This email is from someone I know.
How did Aunt Jennifer get stranded in London without any way to get home? Odds are she didn’t. Spammers send out emails with forged “From” addresses because they know that a familiar name or address will make you give them a second look. That’s the nibble. You may even open it just to make sure it’s not real. Another nibble. Now, what if Aunt Jennifer just happens to be traveling in Europe at the time? The coincidence may prompt you to read the message, perhaps take it seriously, and worst of all, act on it. You’ve taken the bait. Email messages, like envelopes, can be made to display any “From” address the sender chooses to use.
1. Remember, crooks are out for money, and they can make money by stealing anything from files to credit card numbers to passwords.
2. To ward off drive-by-downloads and other attacks that exploit hidden software flaws, keep your software up-to-date.
3. Be on guard against con jobs (a.k.a. social engineering). Double-check any email attachment or download you are not 100% sure about.
4. Protect your passwords. If you have to enter one on a risky computer, like at an Internet caf[e] or other public place, change it as quickly as possible using a computer you can trust.
5. Use a good-quality security suite and keep it updated.
Copyright 2010, SANS Institute (http://www.sans.org) Editorial Board: Bill Wyman, Walt Scrivens, Phil Hoffman, Alicia Beard, Alan Paller
OUCH! Security Information Service: http://www.sans.org/newsletters/ouch/updates/
Download the formatted version of the OUCH!: https://www.sans.org/newsletters/ouch
Permission is hereby granted for any person to redistribute this in whole or in part to any other persons as long as the distribution is not being made as part of any commercial service or as part of a promotion or marketing effort for any commercial service or product. We request that redistributions include attribution for the source of the material.