Continue reading »]]> Over a billion people visited social networking sites such as Facebook and Twitter last month so it’s not surprising that hackers have these sites in their cross-hairs.

The attacks come in many forms: spreading Trojan viruses including key loggers, phishing for passwords and sniffing out packets of sensitive information.

In fact, according to recent research from Breach Security Labs, social networks were the most targeted category in 2009, accounting for 19% of all malicious attacks last year.

The media reports evidence of these attacks seemingly every day.

For instance, in late January Twitter announced that they had once again fallen victim to hackers who were using torrent-based phishing attacks to steal usernames and passwords and hack into user accounts.

This is not the first time the popular social network has been hacked.

In late 2009, some Twitter users fell victim to a phishing attack when they received email notifications from their “new followers,” with a link that lead them to a fake Twitter site where they were prompted to enter their usernames and passwords.

Facebook has had its share of malicious attacks as well.

Most recently, in January there were widespread reports of users receiving direct messages from their “friends” within the network that included a link to a website that was suspected to infect the user’s computer with spyware.

Other widely reported incidents involve offers for a free iPod touch or gift cards, when in fact the only gift these unsuspecting users received was to have their usernames and passwords sold as part of a phishing list readily available for would-be cyber criminals to purchase online.

It’s no shock that these sites are being targeted considering that the time American’s spent on social networks increased 82% in 2009 from the previous year, accounting for over 17% of the total time spent online. *

Many of the more prominent networks have taken measures to increase security and privacy settings.

For example, Facebook has begun to closely monitor the number of postings from each account to detect abnormal behavior that can indicate an account has been compromised.

If a user who normally posts once or twice a day begins to send out hundreds of messages, the account is flagged within the system and attempts are made to contact the user and alert them to change their password and advise friends not click though on links from their recent postings.

In addition to setting robust social network passwords, setting personal reminders to change your passwords monthly and taking advantage of the privacy settings afforded by each individual network, consumers can also take advantage of simple and cost effective data encryption solutions designed to lock down your personal info and passwords.

The more advanced encryption software solutions available today enable the user to securely log into websites by using specialized tools like password managers that retain all of the data regarding each account in an encrypted vault or folder.

The data entered into password managers is encrypted in case of theft or loss of the computer or USB flash drive it is stored on.

These types of password protection features are also capable of creating, storing and managing strong secure passwords so you can maintain unique IDs for each website, without having to remember them each time you log on to do online banking, surf social networks or check your email.

By utilizing tools like password managers, users eliminate the risk of exposing themselves when using computers that they do not own.

Finally, there is another very simple tool that needs to be used when on any type of social networking site: common sense.

Only put info on your walls, blogs, tweets or posts that you would feel comfortable with strangers knowing. For example, you may not want everyone to know when you will be out for the night.

This opens a door for someone to be watching and break into your home knowing you are not around.

Exercising some simple common sense in terms of what information is made public could have prevented many of the social network related horror stories we hear about every week.

With the rapid growth in social networking and the increasing instances cyber criminals targeting these online destinations, it’s imperative that we all understand the potential threats of identity theft and harm to our personal reputations.

By using simple data encryption and password protection tools, you can ensure that your personal information and online identities remain secure and private.

Nielson Research Study

Continue reading »]]> We’re well into the new year now, and we’re beginning to see trends emerging on the security front. Some of the threats we’ll see this year will be similar to those in years past (after all, many of the basic con games now being perpetuated online were around long before the advent of computers and the Internet). However, attackers are becoming much more sophisticated in their methods to circumvent the increased levels of security built into operating systems and applications. Here are 10 security threats that are likely to become more prominent in 2009.

1: Social networking as an avenue of attack

Social networking has experienced a boom in popularity over the last few years. It’s now finding its way from the home into the workplace and up the generational ladder from the young folks into the mainstream. It’s a great way to stay in touch in a mobile society, and it can be a good tool for making business contacts and disseminating information to groups. However, popular social networking sites have been the target of attacks and scammers. Many people let their hair down when posting on these sites and share much more personal data (and even company data) than they should.

Think you’ll solve the problem just by blocking social networking sites on your company network? Not so fast. As Steve Riley pointed out in his recent talk on attack progressions at the 2009 MVP Summit, today’s young professionals are growing up with social networking, and they expect to have it available to them at work just as older employees expect to be able to use their office telephones for reasonable, limited personal calls. In addition, you lose the business benefits of social networking if you shut it down completely. After all, companies didn’t shut down e-mail because it could present a security threat. A better approach is to educate your workers about social networking practices and develop policies governing social media use. As an example, take a look at Intel’s Social Media Guidelines.

2: More attacks on the integrity of the data

Another point Steve made in his presentation is that “First they came for bandwidth; now they want to make a difference.” In the past, many attackers were looking for a free ride on your Internet connection (for example, by connecting to your wireless network and using it to access the Web, send e-mail, etc.). Then the nature of attacks progressed. Instead of the network being the target, it was the data. The next step was stealing data, but step after that is even more insidious: the malicious modification of data (making a difference).

This can result in catastrophic consequences: personal, financial, or even physical. If a hacker changed the information in a message to your spouse, it could harm your marriage. If the change were to a message to your boss, you might lose your job. Changing information on a reputable Web site regarding a company’s financial state could cause its stock prices to drop. A change to electronic medication orders on a hospital network could result in a patient’s death.

3: Attacks on mobile devices

Laptop computers have presented a known security risk for many years. Today, we are more mobile than ever, carrying important data around with us not just when we go on business trips but every day, everywhere we go, on smart phones that are really just small handheld computers. These devices have important business and personal e-mail, text messages, documents, contact information and personal information stored on them. Many of them have 8 or 16 GB of internal storage and you can add another 32 GB on a micro SD card. That’s much more storage space than the typical desktop computer had in the 1990s.

People lose their phones all the time, but many of these devices aren’t configured to require a password to start the system, the data on them isn’t encrypted, and very few protective measures have been taken. They are security disasters waiting to happen. Businesses should develop policies regarding the storage of company information on smartphones and require encryption of data on internal storage and on flash cards, strong passwords, use of phones that can be remotely wiped when lost, etc. Of course, you don’t have to lose the phone to have its data stolen. Attention should also be paid to the potential for attacks using Bluetooth and Wi-fi.

4: Virtualization

Virtualized environments are becoming commonplace in the business world. Server consolidation is a popular use of virtualization technologies. Desktop virtualization, application virtualization, presentation virtualization — all of these provide ways to save money, save space, and increase convenience for users and IT administrators alike. If it’s properly deployed, virtualization can even increase security — but that’s a big “if.” Virtualization makes security more complicated because it introduces another layer that must be secured. In essence, you now have to worry about two attack surfaces: the virtual machine and the physical machine on which it runs. And when you have multiple VMs running on a hypervisor, a compromise of the hypervisor could compromise all of those machines.

Another virtualization-related threat was demonstrated by the infamous Blue Pill VM rootkit. Hyperjacking is a form of attack by which the attacker installs a rogue hypervisor to take complete control of a server, and VM jumping/Guest hopping exploits hypervisor vulnerabilities to gain access to one host from another.

The easy portability of virtual images also presents a security issue. With modern virtualization technology, VMs can be easily cloned and installed to a different physical machine. The ability to go back to “snapshots” of past images can inadvertently wreak havoc with patch management.

5: Cloud computing

If virtualization was last year’s buzzword, this year it’s all about “the Cloud.” The uncertain economy and tight budgets have companies looking for ways to lower operating costs, and outsourcing e-mail, data storage, application delivery, and more to cloud providers can present some attractive potential savings. Microsoft, IBM, Google, Amazon, and other major companies are investing millions in cloud services.

Cloud advocates envision a day when we’ll all use inexpensive terminals to access our resources that are located someplace “out there.” But when your data is “out there,” how can you be sure that it’s protected from everyone else “out there?” In fact, the biggest obstacle to moving to the cloud, for many companies and individuals, is the security question. IDC recently surveyed 244 IT executives and CIOs about their attitudes toward cloud services, and 74.6% said security is the biggest challenge for the cloud computing model.

Google, a prominent player in the cloud space, is the subject of a recent complaint to the Federal Trade Commission (FTC) by the Electronic Privacy Information Center (EPIC), which seeks a suspension of Google’s cloud computing services until verifiable safeguards are established.

6: More targeted attacks on non-Windows operating systems

Although Windows still has 91% of the desktop OS market, there has been a big push in some quarters to deploy Linux or Macintosh as a supposedly more secure alternative. But are they really? One reason the non-Windows operating systems have enjoyed fewer attacks is the simple fact that the Windows installed base presents a much bigger target for attackers. Just as terrorists prefer to attack large gatherings of people where they can do the most damage, so do hackers prefer to write malware that will spread to the greatest number of computers — and that means Windows.

However, as other systems get more publicity and become more popular, they also become more attractive to the bad guys. Malware has been becoming less Windows-centric for the last few years; the 2007 Open Office worm, for example, infected Linux and Mac OS X systems as well as Windows. And Charlie Miller, a security researcher who won a recent hacking contest by breaking into a fully patched MacBook in a few seconds, said, “Hacking into Macs is so much easier. You don’t have to jump through hoops and deal with all the anti-exploit mitigations you’d find in Windows.”

Whatever the reality, the perception is that non-Windows operating systems are becoming more popular as Apple steps up its advertising campaign and vendors offer more netbooks preinstalled with Linux. As they become more high profile, look for hackers to spend more time and energy creating attacks that target non-Windows systems.

7: Third-party applications

Microsoft has put tremendous effort into securing the Windows operating system and its popular productivity applications, such as Microsoft Office. Linux and Mac receive regular security updates. As operating systems become more and more secure, attackers will focus less on OS exploits and more on application exploits. The major Web browsers are routinely updated to patch security vulnerabilities. But the vendors of many third-party applications are less security-aware. This is especially true of freeware applications written by independent developers. These programs, which may not have been written with security in mind to begin with and which do not automatically check for and download security updates, present an opportunity that we can expect attackers to take advantage of.

8: Side effects of green computing

Green computing is all the rage today, and saving energy is certainly a good thing — but as with beneficial medications, there can be unexpected and unwanted side effects. Recycling computer components, for instance, can expose sensitive data to strangers if you don’t ensure that hard drives have really been wiped cleaning. (Hint: Deleting files or even formatting disks doesn’t guarantee that the data is gone.)

On the other hand, such green initiatives as powering down systems that aren’t in use can actually enhance security, since a computer that’s turned off isn’t exposed to the network and isn’t accessible 24/7.

9: IP convergence

Convergence is the name of the game today, and we are seeing a melding of different technologies on the IP network. With our phones, cable TV boxes, Blu-ray players, game consoles, and even our washing machines connected to the network, we’re able to do things we never even imagined a decade ago. But all of those devices on an Internet-connected network present myriad “ways in” for an attacker that didn’t exist when only our computers used IP.

We can only hope that the manufacturers of all these devices put security at the forefront; otherwise, we may see a rash of new malware targeting vulnerabilities in our entertainment devices and household appliances.

10: Overconfidence

Perhaps the greatest threat to the security of our networks, whether at work or at home, is overconfidence in our security solutions. Many home users believe that as long as they have a firewall and antivirus installed, they don’t have to worry about security. Businesses tend to put too much faith in the latest and greatest security solutions. For example, there is an assumption that biometric authentication is infallible and undefeatable — but it can be compromised in various ways, and when it is, the legitimate user it was meant to protect becomes the victim. If the system shows that your fingerprint was used to log on, you may be presumed guilty, and an investigation might not even be deemed necessary.

Another type of overconfidence is common among home users and in the business environment, especially with small companies. That’s the idea that “We don’t have anything worth hacking into so we don’t need to worry about security.” In today’s interconnected world, neglecting security doesn’t just put you at risk; it also puts others at risk. Your systems could be used as zombies to attack a whole different network.

End users on a business network often think of security as somebody else’s problem and operate on the assumption that the IT department is taking care of them, so they don’t have to do anything about security.

Overconfidence of any type is a dangerous security threat — but it’s one that you can most easily do something about because it doesn’t require expensive technology or sophisticated technical skills — just a change in attitude. We all have a responsibility to keep our own systems as secure as possible.