
Could you embrace insecurity?

By Laura Yecies

What would you do if the Internet simply couldn’t be secured?

If you believe all the threat reports/analysis/discoveries/warnings frenetically crossing the wires on an almost daily basis, it may seem like the hackers are winning despite over a decade of security innovation. The latest headlines have been enough to make even the most security-conscious second-guess their security strategy.

Not that I agree with those gloom-and-doom reports, but I got to thinking…what if someday they were right? What if things deteriorated so badly that security was rendered totally ineffective against the bad guys?

What would you do?

The easy answer…you could unplug altogether. Extreme, but effective I guess.

More likely, you’d have to adapt. Just like people living in rough neighborhoods can’t simply hide indoors with gang wars raging on outside, you’d still probably use the Internet. But in a world with no online security, much of what you do on the ‘Net every day would have to change. You’d have to be extremely wary all the time.

First, you’d have to severely limit your activities to mitigate the risk of exposure.

You’d have to assume that as soon as you plug in that squeaky clean brand-new PC, it would be compromised by hackers within seconds (true even today...port scans to random IP addresses can find a firewall-less PC in less than 8 seconds in our testing). So no personal files could be kept on the PC. Ever. You’d probably end up having two: a disposable PC for the Internet and a disconnected PC for any personal computing or for storing anything remotely sensitive.

Once surfing with the “dirty” PC, you’d have to take extra care to remain totally anonymous. No credit cards, no online banking, no stock trading etc. You couldn’t do anything involving information that could lead back to you in real life. Why is anonymity so critical?

Because the information you transmit over the Internet to bank, shop or conduct other sensitive transactions is the same information that makes identity thieves thrive. Either they steal your credit card for immediate purchases, or hack into your stock/bank account with your keylogger-captured username and password and transfer out all your funds, or they build a more complete profile of you and sell it in aggregate form on the Internet’s black market for as little as 50 cents. At that point, some unscrupulous identity thief has free rein over your life…s/he can open up new credit in your name, redirect your mail, turn off your utilities, travel in your name etc.

E-mail would remain possible, assuming you were willing to wade through thousands of spam mails a day, but you’d have to set up online e-mail accounts using fake registration information (i.e., address, phone, etc.) and a pseudonym. Content would be limited to social and benign topics, because you’d have to assume everything you typed or sent was being read by someone. Same with gaming, social networking etc. You’d have to pretend to be someone else.

Your PC may even be rendered useless, riddled with spyware, adware (remember those pesky pop-ups you so rarely see these days??) and viruses. Hackers may even hold it for ransom. Bandwidth on the Net would be sucked up and traffic would slow to a crawl under the weight of all the DDoS attacks, spam, malicious downloads etc.

And this is just how insecurity on the ‘Net would affect your personal ‘Net life. The implications for corporations would be devastating, potentially grinding the economy to a standstill. Business communications over the Internet would have to be halted, so all of the productivity gains made in the past two decades would disappear overnight. Remember when your credit card was carbon-copy-swiped? The only way to know what hit your account was through the mailed monthly statements. You’d have to go to the bank to deposit your paycheck…no more direct deposit (and it would take days and days to access the money). Phone calls would cost dollars-per-minute instead of pennies, because VoIP networks would be rendered useless. Just the tip of the iceberg.

So, when you put it all into perspective, maybe things aren’t as bad today as some would have you think. Of course, everything isn’t so hunky-dory that you can run around ‘naked’ on the ‘Net, but with a few basic precautions, i.e., a little ‘Net smarts, a tough firewall, effective A/V+anti-spyware, and browser security, you can stay safe online.

Search Strikes Back…Part 2

By Laura Yecies

(Search Strikes Back, Part #1 here)

Search continues to be a major avenue for hacker attacks. This time, existing and potential customers of the uber-exclusive Citadel Investment Group were duped into visiting a cloned site hosted somewhere in China. It’s akin to a phishing attack, except instead of tricking people through e-mail, the hackers used Google…

“If you typed "Citadel," "hedge" and "fund" into Google in December, a curious site called "citadel-group.net" popped up. It bore the hedge fund's turreted logo, but the site contained some unique alterations, such as contact information written in Chinese.”

Full story: http://news.postbulletin.com/newsmanager/templates/localnews_story.asp?z=20&a=348547

This tactic is one that worries those of us in security, because it takes more than just one product or idea to have a fully effective defense strategy:

- It takes the vendors, with innovations like ZoneAlarm ForceField to warn you about potentially fake or cloned Web sites appearing on search engines before you fall victim;

- It takes extra diligence on your part and a healthy dose of skepticism when linking to any site that exposes you to financial risk (type the URL yourself instead);

- It takes extreme vigilance from search engines to prevent them from being exploited as a platform for hackers (the days of simply cataloguing any and all Web sites must end…legitimacy must be determined);

- And it requires financial and shopping sites to make security the highest consideration (instead of “managing risk” with ROI calculators).

Search engines are useful and necessary tools of your Internet experience. Armed with a little knowledge and a little technological help, you can have a safe searching experience too…

School’s Out for Summer, but Social Networks Stay Popular

by Laura Yecies

Back when I was in school (you know…when we had to walk to school in six feet of snow *uphill both ways*, and microwave ovens were the new electronic novelty), the only way to stay in touch with your friends over the summer was the home phone, and in person. That basically meant that you only ever spoke to your closest friends, and perhaps the neighborhood bully.

Nowadays, my 4 kids are using social networks to keep close tabs on each other during the summer months, sharing videos, gossip and twittering away the long sunny days. Posting videos on YouTube, sharing their current mood on Facebook, blogging on MySpace, and sharing every random thought to Twitter friends. They even build and inhabit virtual meeting places in Second Life. This doesn’t even count Instant Messaging, e-mail, chat rooms, and all the other ways kids communicate nowadays.

You can’t lock them in a closet until the fall or disconnect the Internet (as tempting as that may be), but even with a kid that may be light-years more Internet-savvy than you, there are a few simple steps you can take to mitigate the danger and keep tabs on your kids.

1. Link to your kids. Know what social networking sites they frequent, and become a “friend”. That way, you can see what they are posting, and keep an eye on their other friends. Yeah, they probably won’t thank you for it and say it makes them look uncool, but it’s an easy way to keep tabs without looking over their shoulder. Just don’t try to participate. That *is* uncool.

2. Move the PC. It’s not good for kids to be holed up in their room all summer anyway. So put the PC in the dining room or living room. It may not stop them from visiting social networks, but it will make it uncomfortable to push boundaries.

3. Security software. You can protect your kids from many social networking dangers, such as drive-by spyware, video viruses and more, with a core security suite and browser security. If your kids are younger, you may want to set some specific parameters with parental control features (for example, banning file-sharing or gambling sites).

4. Teach them. As parents of hyper-tech-savvy children, it can be daunting to assert a leadership position and teach them how to avoid danger when your own expertise may be limited. But a few old familiar lessons may be more valid than you think: don’t talk to strangers, look both ways, and stay away from bad neighborhoods.

And in the meantime, let them teach you a thing or two as well. Social networks are also great fun for adults. Maybe this summer you’ll reconnect with your best friend from high school, and you can reminisce over lunch about how easy kids have it today.

Keeping to the Code

by Laura Yecies

More and more, security companies are irresponsibly creating unnecessary publicity around new attacks, misguidedly seeking credibility for their products by showing off their security expertise to establish a “cutting edge” reputation. Honeypots are dispatched, threat reports sternly issued, and zero-day vulnerabilities frantically announced. The world is ending, or so some would have you believe.

Much of the noise is just that, noise. In a bid to outdo one another, companies often rush to publish a new “discovery” before it’s been properly vetted or disclosed (e.g., the recent Adobe Flash non-vulnerability). Old threats are re-dressed in a new package (e.g., LinkedIn instead of MySpace as the ‘new’ social networking threat), or simply pulled out of the closet and dusted off.

Part of this new publicity battle stems from the general lack of interest from the major media. Gone are the days of new virus attacks headlining CNN, the cover of Time or the front page of the Wall Street Journal. Hackers went underground, retooling their attacks to *avoid* massive new coverage. So the dangers still lurk, but it’s now up to us as an industry to use creativity to alert the public and offer advice on how to stay protected.

Most critically, we, as an industry, must maintain the code of advanced, responsible disclosure. If your researcher discovers a new vulnerability, you must notify the affected company(ies) and give them time to patch it before releasing the details to the public.

If researchers skip this step, they must be held accountable, because a cottage industry has sprung up whereby people do nothing but search for vulnerabilities and use them to generate publicity for a product or brand. Some self-styled security experts appear to do little besides check their spam folder and write press releases. A few “independent” firms even sell the “research” with the threat of media exposure if the affected company doesn’t purchase it (not referring to legit bounty programs). All of these behaviors are undermining the legitimacy of the industry as a whole, leaving reporters and consumers/businesses unsure of who to believe, and ultimately creating more insecurity.

Yes, there is PR value in establishing security expertise, but the trend of competitive threat reporting is out of control. More restraint is needed. Security PR should revolve around educating the public about threats and offering protection tips, highlighting product differentiators (for example, if a new exploit is discovered, tell your customers if/why they are protected) and new product releases. It should not revolve around creating hysteria, tapping into “hot” Internet news trends, or exploiting another company’s misfortune.

Maintaining the proper disclosure protocol is a responsibility that all security companies must take seriously. While we are all businesses and have a bottom line to consider, we aren’t selling ringtones. The public is counting on us to keep them informed, educated, and protected, without faking it.

Search Strikes Back

by Laura Yecies

With hackers increasingly sneaking their malicious Web sites into search results, search engines are seeking ways to counsel you before you accidentally click a bad link. For example, Yahoo recently announced a deal to integrate McAfee SiteAdvisor to warn you of possibly nefarious sites. We’re glad to see Yahoo taking this threat seriously, and a little advance notice is certainly helpful. But what if you make a mistake? What if, despite a warning (or a lack thereof), you still choose to surf to a malware-infested Web site? Or what if the site is legit but it’s been hacked? (See the Warren County example below.) You still want to be protected, right?

While the SiteAdvisor announcement is a positive step, it’s unreasonable to think that a warning is sufficient. It’s like mom repeatedly warning you against the perils of riding your bike after dark…you probably would have been better off if she’d just given you a flashlight. And what about those perils that can’t be detected in advance, or false-positives?

The idea of proactive protection, long a mantra of ZA developers, was one of the main reasons we anchored the new ZoneAlarm ForceField with virtualization technology. If you make a mistake, you’re safe because your surfing session is compartmentalized away from the rest of your PC. The malware thinks it’s infecting your PC, but it’s kept in a bubble. To take it a step further, even if you invite a bad program onto your PC (say a hacker has cleverly hidden a virus in a free game program), ForceField can still catch it with a dangerous download detector. ForceField continues where other solutions stop.

That protection goes way beyond advice or warnings. It enables you to surf the Web freely and without inhibition. Because whether a site is clean, malicious, or legitimate-but-hacked, you’re safe.

So why are hackers targeting search engines? I think there are several reasons, but one big one is trust. We (users) inherently trust that search results only contain legitimate sites. But with billions and billions of pages on the Web, there currently is no easy way to ensure that every site is clean. Or even that most sites are clean.

Hackers have also been fairly well stymied by many of the old malware delivery techniques. Anti-virus and anti-spam technologies have combined to reduce the desirability of e-mail based attacks. Firewalls (especially the ZA two-way firewall and OS Firewall) protect your raw connection to the Internet and monitor the security of your programs, managing the communications to and from your PC and between programs to detect stealth invaders.

The new frontier is the Web…and what are the main portals to the Web? Search engines. Hackers know this, and they’ve even studied up on search engine optimization techniques to improve their chances of snagging you in their net. But as this threat continues to evolve, we’ll continue to develop ForceField to protect you against new tricks on the Web. More coming soon…

Info Out of Control

by Laura Yecies

Doesn’t it seem like every Web site wants a plethora of personal information from you today? It’s getting out of hand. “Register now,” they say, and then proceed to ask everything from your favorite color to your mother’s maiden name so you can buy that rare antique tea set, connect with old friends or simply read a news story. Beyond the sheer annoyance factor, do you really want so much info about you floating around out of your control?

(FYI…I understand why Web sites want the info, to better understand customer desires and in some cases target advertising…and in the interest of full disclosure, we do ask for some information but only require a valid e-mail for the free firewall. I’m not questioning their goal or intentions, just the risks of the practice.)

Because of all this data, your PC may no longer be the holy grail for hackers. That’s because there are far more valuable assets to target…consumer databases. Every form you fill out results in data stored in some data center somewhere in the world. Since 2005, Privacyrights.org has been maintaining a list of all the reported cases of data breaches (link to list: http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP). I’m not going to pick on any specific companies in this forum, but I encourage you to scroll through the list. It’s pretty shocking just how many companies and organizations have lost data on people like you.

How it works: 
Hackers can use any number of attack techniques to gain entry into a customer database, including something as simple as stealing a laptop containing customer data. More elaborate attacks may include employee password theft, a backdoor Trojan, a compromised Web server, and more.

Once they have access to the database, a hacker can look up (or download) customer records such as a transaction history, credit card numbers, date of birth, passwords, and on occasion even your social security number.

That personal profile data, depending upon how complete, can fetch up to $100+ on black market Web sites frequented by identity thieves. According to our researchers, the most active ID theft markets are China and Russia.

When an identity thief or hacker has an adequate profile of you, they can institute any number of different attacks, depending upon the information at hand. For example:

- Without ever attacking your PC directly, an ID thief can open up credit cards in your name and run up the bill. When you fail to pay it, your credit can be damaged.

- A hacker can use a little bit of personal knowledge to trick you into downloading malware onto your PC, thereby allowing him to steal the password to your online bank or stock brokerage account (and drain it), or steal your credit card and spend freely without consequence.

- Hackers are also morphing bits of data from multiple people to create a new fictitious person, thereby often escaping the notice of credit bureaus and watch groups.

What to do?

For one, try to limit the kind of information you give out online. If a Web site requires registration for non-transactional purposes (i.e., reading a story, joining a message board, etc.), consider using an alias, a “disposable” e-mail address, and/or a birth month that’s off by a month. Restrict the number of sites that know all about you. For hackers, it’s a numbers game, and the fewer sites that know who you really are, the better. If you do any sort of shopping or banking online, you can’t totally prevent this, but it’s about risk mitigation.

Sign up for a credit watch program. YES, we’ve heard all about the recent challenges at LifeLock (link to: http://blogs.pcworld.com/staffblog/archives/007008.html). But we maintain that it’s important to have a credible service keep an eye on your credit (unless you plan to do so yourself). It’s an integral part of your Internet Security, which is why we offer it as an option with your ZA suite.

Opt out of junk mail. If you opt out of physical junk mail, an ID thief can’t steal credit applications out of your mailbox and sign up in your name.

We have more general ID Theft tips here (link to the ID Theft Protection center).
