
Warren County Serves as a Sober Warning

by Laura Yecies

Do you wonder what we mean when we say a legitimate Web site can be compromised to attack you?

Here’s a great example. You would never, ever expect your local county Web site to give you a virus…but that’s just what some unlucky folks got when they visited an emergency incident Web page offered by Warren County, New Jersey. A server at the site’s hosting company was hacked, and the perpetrators used the Web page to distribute malware to unsuspecting people who browsed to it.
 

The county had to take the page down, and now they are working to find a company that can host the content more securely. It’s a tough, real-world lesson for the site’s administrators, but further proof to all Web surfers that proactive browser security like ZoneAlarm ForceField is an essential part of your overall security strategy.
 

More info on the Warren County incident:

Security worries prompt end to postings on Web
http://www.nj.com/news/expresstimes/nj/index.ssf?/base/news-8/121073798312270.xml&coll=2

Want to know more about how some of these attacks work, from a technical perspective? Here’s a good story from Gregg Keizer at Computerworld on a current SQL Injection attack using botnets:

Phishing botnet expands by hacking legit sites
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9085564

A Wicked Web They Weave

by Laura Yecies

Today, I’m very excited to announce the launch of ZoneAlarm ForceField. We first released ZAFF into beta last fall, and it’s now ready for primetime. On behalf of the entire ZoneAlarm team, I’d like to extend a very sincere thank you to everyone in the ZA community for your valuable insight and testing help…this is a major milestone not only for our company but in the fight against cybercrime. We look forward to your feedback.

As tempting as it is to delve into all the product details of this new virtualized browser/Web security solution, I think I’d rather talk to you today about a few of the reasons why we built ForceField.

In the past year or so, we’ve seen the consumer threat environment shift rather dramatically. Like the evolution of viruses and spyware, attack vectors have also evolved. The prime target used to be your operating system. So a good firewall, combined with antivirus and anti-spyware, was pretty sufficient protection against hackers looking for vulnerable PCs.

Now, armed with a new arsenal of Web-based attack strategies, hackers no longer need to seek you out. You’ll find them all on your own.

It’s rather easy to accidentally compromise your PC while innocently surfing the Web. Here’s how:

Search Portals: When you search for something on your favorite search engine, like Google or Yahoo, do you automatically assume that all the results are legitimate, safe Web sites? Hackers have found ways to seed search engines with malicious Web sites, or dummy pages that automatically redirect you to a Web site that can automatically download hundreds of pieces of malware without your knowledge. One of the strategies behind ZoneAlarm ForceField was to create an environment where you can make mistakes. You can accidentally click one of these links, and the malware will be contained in your virtualized, ForceField protected browser (and unable to harm your PC).

Random Web sites: Your favorite Web site, yes, the one you visit every day, could send malware your way next time you drop in. And they may not even know it. You see, these perfectly legitimate and responsible sites can become hacked themselves. A vulnerability in an ad server or database can allow a hacker to use the Web site as an otherwise trusted conduit to deliver a malicious payload onto your PC. As I write this, one such SQL Injection attack, using the worm “winzipices.cn,” is believed to have compromised over 4,000 Web sites around the world.

We’re also receiving reports of demographic attacks: hackers compromising specific Web sites that cater to a desirable audience…for example wealthy or older surfers. Like with the search engine attacks, by using ForceField you can confidently surf as usual. Even if your favorite Web site has been hijacked, you stay safe.

Social networking/Web 2.0: Social networking sites, by their very viral nature, are an irresistible attack vector for hackers. Alicia Keys’ fans learned that the hard way last year when her MySpace page was infected. Facebook, with all its fun apps, proved compelling to adware distributor Zango. Not only can these communities be exploited to spread malware, but they can also fall prey to what we call “man in the middle” attacks. This is where a hacker basically inserts himself in the middle of your upload or other file sharing to steal your password or other sensitive personal information.

Social networking is a great way to stay connected with friends and family and build online communities, but always take precautions and be careful what you share. It’s a lot harder to delete personal information off the ‘Net than to post it.

Gaming/Virtual Worlds: Virtual worlds and games like Second Life and World of Warcraft are a blast. My kids love them. But one security researcher recently claimed that he could compromise your PC if your avatar wandered into his “realm.” If he could see you, he could take over your PC remotely. While we haven’t seen real world reports of this type of breach, we believe it can be done.

So what’s a security-minded Netizen to do? Besides using a comprehensive Web security solution like ForceField (in tandem with your PC security), make sure *all* your applications are patched regularly. Don’t forget your Java, IE, Flash, QuickTime, etc. They’re easy to overlook but crucial to an overall Web security strategy. We’ll be posting more tips in the coming days, but in the meantime, we’re interested in hearing your experiences on Web-based attacks. Have you fallen victim? What steps do you take to avoid falling into a hacker trap on the Web?
