[LINK] Security

stephen at melbpc.org.au stephen at melbpc.org.au
Fri Jul 6 01:13:37 AEST 2012

Here's a recent 101 update on security. I'd add advice about passwords, 
but, still, this could be of assistance for co-workers. Any additions?

Eg, "Any time you browse the Web, without first logging out of Facebook, 
other sites can get access to (your) profile .."


Strong anti-virus software and firewalls do a good job of protecting our 
computer systems. But even when virus definitions are fully updated and 
firewalls properly configured, there are still insidious threats that can 
worm their ways in, stealing your data or hijacking your PC and leaving 
you none the wiser.

The security and IT specialists upon whom we all rely can only do so 
much. At the end of the day, if the average user isn't vigilant, the 
strongest security precautions in the world won't stop some of the more 
dangerous digital intruders, with potentially disastrous consequences.

To keep you on your toes, here are 10 schemes and scams that might have 
slipped under your radar ..

Fake Tech-Support Calls

You might get an unsolicited phone (or mobile) call from a tech-support 
representative claiming to be from Microsoft or big-name IT corporation. 
But the caller won't be who he claims to be. After warning you 
that  "suspicious activity" has been detected on your computer, he'll 
offer to help — once you give him the personal information he requires to 
get his job done.

That job isn't fixing your computer. In fact, he's really just after your 
personal information.

If you receive a call like this, hang up, call the company the bogus 
technician claimed to be from, and report the incident to a legitimate 
representative. If there really is a problem, they'll be able to tell 
you; if not, you just thwarted a data thief.

DNS Redirection

Internet service providers (ISPs) claim they're trying to help with DNS 
redirection, but the reality seems to come down to money. Domain Name 
System (DNS) redirection overrides your browser's normal behavior when 
you can't reach a webpage. Instead of displaying the normal 404 "File Not 
Found" error, the ISP sends you to a page of the ISP's choosing — usually 
a page full of paid advertising and links.

Innocent though that practice may be, computer viruses can do the same 
thing, redirecting your browser to a hostile page the first time you 
misspell a domain. With ISPs, you can opt out of their DNS redirection; 
with viruses, stay on your toes. Make sure you know what your browser's 
default 404 page looks like, and take action if you see anything 

Open DNS Resolvers

Another danger lies in the way some DNS servers are configured. An "open 
resolver" can offer information it isn't authorized to provide. Not only 
are open resolvers exploited in distributed denial-of-service (DDoS) 
attacks, but an attacker can "poison" the DNS cache, providing false 
information and incorrect resolutions that must be detected to be 

If your browser trips over a case of cache poisoning, the agents in 
charge of a hostile server can glean detailed information about your 
system — especially if you're in the middle of an important transaction. 
How can typical users solve this dilemma? The chilling answer: They 
can't. It's up to Internet service providers to address the problem.

Fraudulent SSL Certificates

A Secure Sockets Layer (SSL) certificate reassures your browser that the 
site you've connected to is what it says it is. If you're looking 
at "HTTPS" instead of plain old "HTTP," you know there's security 
involved, such as when you log in to your bank account or pay your phone 
bill. The most trusted SSL certificates are issued by designated 
Certification Authorities worldwide.

But what happens if that trust between browser and website is exploited? 
Acquiring or creating fake SSL certificates is unlawful, but happens 
often enough that we need to be aware of it. On multiple occasions in 
2011, the discovery of false certificates suggested an attempt to spy on 
Iranian citizens as they used Gmail and Google Docs. According to the 
website of computer security firm F-Secure, "It's likely the government 
of Iran is using these techniques to monitor local dissidents."

Session Hijacking

If you spend afternoons using your laptop in a café with an open Wi-Fi 
network, you might not be the only person logged into your Facebook or 
eBay account. Firesheep, an add-on for Mozilla's Firefox browser, lets 
its users sneak a peek at other people's browser activity if they're all 
on the same wireless network.

While the illicit observers can't get a glimpse of secured pages, many 
sites secure only their login pages; once you're logged in, your presence 
is maintained purely through cookies, packets of data that your browser 
stores to keep track of your browsing needs. But Firesheep lets its users 
copy your cookies, and after that happens the site you're logged into 
can't tell the difference between you and them.

Though it can be used for darker purposes, Firesheep should serve more as 
a warning to websites with private user accounts: They need to take 
security seriously. Guarding the main gate isn't the limit of their 
responsibilities; attackers don't need to storm the castle when a guest 
leaves the door open.

Man-in-the-Middle Attacks

While you're still sipping your latte on that unsecured network, even 
your encrypted messages may not be all that safe. A Man-in-the-Middle 
(MTM) attack occurs when an attacker intercepts communications and 
proceeds to "relay" messages back and forth between the lawful parties.

While the messaging parties believe their two-way conversation is 
private, and might even use a private encryption key, every message is re-
routed through the attacker, who can alter the content before sending it 
on to the intended recipient. The encryption key itself can be swapped 
out for one the attacker controls, and the original parties remain 
unaware of the eavesdropper the entire time.

SQL Injection

Databases using structured query language (SQL) rely on specially 
formatted queries to locate and return requested data. Human or automated 
attackers can send requests that exploit the database's internal codes to 
alter the query as it's processed. This year alone, SQL injection was the 
culprit behind a number of notorious security breaches, such as hacker 
group LulzSec's alleged theft of data from the Sony Pictures server.

Once again, the solution to this problem isn't in the user's hands.

"Well-designed software avoids the problem by weeding out any queries 
that don't meet strict standards," said Beth Paley, a software training 
consultant and co-founder of Acrotrex Medical Business Systems in 
northern New Jersey.

Paley advises those who create and maintain database apps to "use 
whitelisting, not blacklisting," letting only specific data through 
instead of keeping only specific data out. That way previously unseen SQL 
injections won't get through.

Disguised Filenames

Modern operating systems accommodate speakers of languages such as Arabic 
and Hebrew by featuring codes which can reverse the direction of type to 
display such languages correctly: written right-to-left instead of left-

Unfortunately, these "RTL" and "LTR" commands are special Unicode 
characters that can be included in any text, including filenames and 
extensions. Exploiting this fact, a malware purveyor can disguise ".exe" 
files as other files with different extensions. Your operating system 
will display the "disguised" name, though it still treats the file as an 
executable — launching it will run the program and infect your computer. 
Practice caution with any and all files from unknown sources.

Banking Trojans

A Trojan is malicious software that disguises itself as an innocent program, 
counting on you to download or install it into your system so it can 
secretly accomplish its malicious tasks. The infamous ZeuS Trojan and its 
rival SpyEye take advantage of security holes in your Internet browser 
to "piggyback" on your session when you log in to your bank's website.

These monsters are in the Ivy League of computer malware; they avoid 
fraud detection using caution, calculating inconspicuous amounts of money 
to transfer out of your account based on your balance and transaction 

While financial institutions continue to increase the layers of security 
involved in large transactions, such as requiring confirmation 
through "out-of-band" communications — such as your mobile device — 
digital crooks have lost no time adapting to the changes, with banking 
Trojans able to change the mobile number tied to your account and 
intercept that confirmation request. If you're a tempting target, fear is 
an understandable response. It's just another part of a digital arms race 
that shows no signs of slowing down.

Facebook Everywhere

It's hard to find an individual who or a corporation that isn't on 
Facebook. The social networking site has become an ever-present hub for 
everything online. For some less savvy users, Facebook is the Internet.

With developments like Facebook Connect and Open Graph, Facebook is 
virtually opening its doors to any third party that wants in on the 
action. You may have already noticed that Facebook displays ads targeting 
your specific demographic information, based on the personal information 
you've posted and activities you've participated in.

What you might not have noticed is that other sites have started 
targeting your Facebook demographics as well. Any time you browse the Web 
without first logging out of Facebook, other sites can get access to any 
profile information you've marked as fit for public consumption.

Don't want every site on the Internet to see you coming a mile away? Just 
remember to log out of Facebook every time.
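
The "Disguised Filenames" item above is easy to check for programmatically. The following is an added example, not part of the original post: a small Python routine that detects Unicode bidirectional control characters in a filename, reports the extension the operating system will really act on, and gives a rough rendering of what the RLO trick makes a user see. The list of executable extensions is an assumption; adjust it for your environment.

```python
# Unicode bidirectional control characters. They change how a name is
# displayed but not the bytes the OS uses to decide how to open the file.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI", "\u200e": "LRM", "\u200f": "RLM",
}
RLO, PDF = "\u202e", "\u202c"

# Assumed set of extensions to treat as executable; adjust to the environment.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".js", ".vbs"}


def strip_bidi(name):
    """Return the name with every bidi control character removed."""
    return "".join(c for c in name if c not in BIDI_CONTROLS)


def real_extension(name):
    """Extension the OS actually uses: text after the last dot of the raw name."""
    _, dot, ext = strip_bidi(name).rpartition(".")
    return "." + ext.lower() if dot else ""


def approximate_display(name):
    """Rough rendering of the RLO trick: text between an RLO and the next PDF
    (or the end of the name) is shown reversed. Only the RLO case is modelled."""
    if RLO not in name:
        return strip_bidi(name)
    before, _, after = name.partition(RLO)
    reversed_part, _, rest = after.partition(PDF)
    return strip_bidi(before) + strip_bidi(reversed_part)[::-1] + strip_bidi(rest)


def analyze_filename(name):
    """Summarise a filename: bidi codes present, what it looks like, what it is."""
    controls = [BIDI_CONTROLS[c] for c in name if c in BIDI_CONTROLS]
    ext = real_extension(name)
    return {
        "raw": name,
        "bidi_controls": controls,
        "approx_display": approximate_display(name),
        "real_extension": ext,
        "is_executable": ext in EXECUTABLE_EXTENSIONS,
        # Disguised: an executable whose name carries direction-override codes.
        "suspicious": bool(controls) and ext in EXECUTABLE_EXTENSIONS,
    }


if __name__ == "__main__":
    # Constructed sample: shows roughly as "holidayexe.png" but is really an .exe.
    for n in ("holiday\u202egnp.exe", "notes.txt"):
        r = analyze_filename(n)
        print(r["approx_display"], r["real_extension"], r["suspicious"])
```

A mail gateway or download scanner can apply the same check to attachment names and quarantine anything flagged as suspicious.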
