2009/11/13

Three Persistent Security Myths

I have this cousin, and you probably have someone like this in your family too—the one that is always sending forwards even though you asked them to stop 10 years ago, and even though you’ve told them that forwarded messages can present safety risks online.
Besides the fact that netiquette has been well established and widely understood for years, and these relatives (or friends) are being impolite by spamming you, the more important fact is the messages also present a security risk, for individuals as well as organizations.
After the most recent forwarded link, I mentioned to my cousin that I hoped she had good security software. Her response: “My friend sent this to me. It’s a valid clip/link and virus free.”
And I just had to shake my head at the security fallacies in those brief statements. I hate to be the smart-ass of the family who tries to lecture or educate the less tech-savvy, but I also don’t want to see my relatives fall victim to dumb social engineering scams. Now, this particular link probably was virus-free and safe enough, but when someone continually sends links and forwards, I start to worry they don’t know how to stay safe online.

So, what’s a conscientious security professional or blogger to do?
Clearly my relatives don’t read my blog, so I’m mentioning it here! I’d love to hear your approaches and comments on this topic. For now, I’m going to try breaking down the myths that seem to persist, and see if I can think of a way to quietly explain the issue.

1. “My friend sent this to me.”
Of course you trust your friend, but that doesn’t make it safe to always trust the links they send out. First, the link could contain a virus or malware that your friend doesn’t know about either. Say your friend’s coming down with a cold, but doesn’t know it yet. You both share a drink at a café—two days later, you both get sick because your friend passed the cold on to you. Same idea.
In computers, it’s even more dangerous, because you may never know you’re sick. Spyware, for example, is designed to watch what you do and send information to the hackers about your online behavior, or even about your passwords. Malware can install itself on your computer without your even knowing. Many people get infected with software that forms a network with other computers, called a botnet. When the hacker contacts all those computers, they can be activated and do whatever he wants—like send messages from your computer to your friends.
These hackers don’t want you or your friends to know you’ve been hacked. Your computer might just slow down a few hours a day…because it’s being used secretly by someone else. They can change your security settings, see your passwords, or even corrupt your files and shut down your computer without your permission.
If your password information is stolen, hackers can access your accounts and send forwarded links and emails to your friends without your even knowing. Those messages can contain more malware that installs on your friends’ computers, or spreads through your accounts.
Of course we trust our friends. But that doesn’t mean that our friends won’t have problems online, or that they won’t get infected.

2. “It’s a valid clip/link.”
Images, documents, and all sorts of valid files are used to send viruses and malware to users. Lately the most popular are PDFs and Microsoft Office documents, but picture and video files can also be suspect, and for many years images were the most dangerous of all. The link might contain something useful, entertaining, or even work-related. Just because the link works and does what you expect it to doesn’t mean that it’s safe. It could also contain other problematic files: while you’re being entertained or even learning a fun factoid, something bad might be happening in the background…

3. “And it’s virus-free.”
Again, just because it works and your friend sent it, you can’t assume it’s virus free.
First, did you scan it for viruses? If your scanner says it’s virus-free, how well do you trust your scanner? Many well-known and popular anti-virus programs, even if they’re mostly reliable, can’t pick up every infection. Additionally, viruses aren’t the only problems you have to worry about online.
Everyone—hey, even Mac users—should get themselves a good anti-virus/malware program and check regularly for updates. But it’s also good to keep in mind that even the best program won’t always protect you. The best defense is being careful about what you click, and what the source is.

Source: Spamzy
