We explore the pinterest security
problem and reveals how to check if you’ve been Pwned.
Check Point, the firm behind ZoneAlarm,
published a report revealing interesting variations in how security is
perceived and applied by different age groups. This "generation gap in
computer security" report looked at attitudes of "Generation Y"
(18 to 25-year-olds) versus "Baby Boomers" (56 to 65-year-olds) and
its results were surprising. Generation Y users were surer of themselves
concerning IT security than Baby Boomers, but had experienced more security
problems over the past couple of years than the latter. In fact, the research
suggests 78% of younger users don't follow best practices when it comes to
computer security, while Baby Boomers are twice as likely to install and use
security software. This could prove more problematic for the UK than the other
regions covered, since it was there that reported security breaches over the
past two years peaked at 67%, compared to 57% in Australia and 50% in Canada,
Germany and the USA.
Perhaps the problems for Generation Y users
are due to poor prioritisation, since they value entertainment and community
above security - only 31% of them placed security at the top of their list
compared to 58% of 56 to 65-year-olds. Combine this with overconfidence when it
comes to their perception of risk, and you're asking for trouble, especially if
you throw in cost. Some 45% of Generation Y users think security software is
too expensive, and are far less likely to use antivirus and third-party
firewalls, for example.
Of course, there are free security suites
available that perform very well in a domestic setting, and would almost
certainly lead to a lowering of those infection rates were these people to use
them. Assuming a Windows 7 platform - more specifically Windows 7 64-bit, which
is pretty well the norm in both the domestic and small-business circles I
frequent nowadays - it's easy enough to ward off malware and phishing attacks
by installing Microsoft Security Essentials and Windows Defender, together with
keeping everything you use properly patched and updated. That goes a long way
towards mitigating most threats and it costs nothing. Using Gmail as a spam
filter helps keep most of the archived malware attachments off your PC as well.
It's even possible to defend against
oft-used DNS redirects that send your browser off to a drive-by exploit site,
should something nasty sneak past your initial defences. Both OpenDNS (www.opendns.com) and Google Public DNS are
free DNS services that can bolster your security. For example, OpenDNS offers a
phishing filter and domain blocking with typo correction. This kind of secured
DNS, with free options that are fine for most users, simply requires you to
type the relevant DNS server addresses (208.67.222.222 and 8.8.8.8
respectively) into the DHCP server settings of your router and let it deal with
everything on the network.
Have you been owned?
What a month for database breaches June
was, with membership database leaks confirmed by Linkedln, eHarmony and
TechRadar to name but three. Usually, individual members know about the
potential risk they've been exposed to only once the news story breaks, or they
receive an email telling them to change their passwords due to a security
problem. The latter will often be ignored because people are wary of any email
that asks them to "click here to change your password", which
nowadays is perceived as potentially phishy. If you're among the masses that
still reuse the same password across multiple sites, despite constant warnings
to the contrary, this can be a major issue.
What
a month for database breaches June was, with membership database leaks
confirmed by Linkedln, eHarmony and TechRadar to name but three
The bad guys know the value of trying a
cracked password against webmail accounts in order to scrape useful personal
data and perpetrate further scams, but they have to do this before the victim
has a chance to change the password in question. Luckily for them and unluckily
for you all too often this is easily achieved, since official notifications go
unnoticed and media stories unread. In the case of the Linkedln compromise, it
was easy to check whether your password was among those affected by the breach,
since a list of six-and- a-half million or so unsalted SHA-1 password hashes
had been posted online in a bid to get help from other hackers in decrypting them.
One web developer who was on the list of leaked passwords made an app that
compared your password - using a SHA-1 hash generator to the published list and
reported whether it had been compromised or not.
Of course, the professional advice is never
to give your password to anyone, so an app such as this could all too easily
have been a scam designed to collect yet more passwords. As it turns out, this
wasn't the case, and Leakedln (great name) employs JavaScript to hash your
password so that the password itself never need leave the confines of your
computer. Whether or not your password was on the list, however, my advice
would still be to change it, having used Leakedln or any other such resource
just as a matter of sense.
The best advice when it comes to passwords
is to not reuse them - it's really asking for trouble. Invest in a password
management solution such as LastPass or IPassword, which not only generates
truly "strong" passwords, but also stores them safely in an encrypted
format on your home computer, external drive, USB memory stick or smartphone.
This way, you only have to remember one super-strong password in order to
access all the others, and memorising a single complex string isn't beyond the
ability of most folk. With a product such as this in place, it becomes easy to
establish a rotation routine where you change all your passwords on a regular
basis, adding to the security layers already in place.
I'd seriously recommend doing this if you're
one of our hobbyist or small business readers. Take the opportunity to change
all your passwords: you may as well get off to the best start, and it will be a
worthwhile investment of your time. In the meantime, you may want to make use
of a neat tool called PwnedList (https://pwnedlist.com),
which will check whether your email address has appeared in any of the hacker
dumps from corporate data breaches that appear online. If it has, then you're
at an increased risk of falling victim to fraud, and should set a password changing
strategy in motion immediately.
PwnedList
and Leakedln identify at-risk accounts, but a secure password strategy is the
best protection.
PwnedList started when security researchers
wondered how many compromised accounts could be harvested automatically by a
scraping routine - the answer was 30,000 within two hours, complete with logins
and passwords attached. They decided to create a one-click service to allow
people to check if their email was in any of these account dumps, and to do so
for free. At the time of writing, the number of "pwned" emails
harvested and compiled in this way is almost 15 million. It should be noted
that PwnedList only scrapes the emails, and the accompanying password and login
data is discarded. The emails are put through a one-way hash and the clear text
is then destroyed, and when you enter your email address in the checker it
isn't stored in any form.
Forget BYOD, what about BYOB?
While Bring Your Own Device (BYOD)
continues to soak up headlines and hyperbole in equal measure, I'm willing to
gamble that you probably haven't yet heard about BYOB. Bring Your Own Browser
is the name applied to a security threat that enables a potential hacker to
make the leap from a compromised home PC to a work PC, in much the same way
that BYOD opens up a consumer-to-workplace threat channel, but without any
physical device being involved. The key, according to the Imperva Application
Defense Center researchers who uncovered the threat, is the tab-syncing feature
introduced in recent versions of the Google Chrome browser. It looks like a
great feature, syncing your browser tabs across multiple computers so whatever
pages were open when you left your office will still be open when you fire up
Chrome at home, and vice versa.
Many
of us know to “bring your own bottle” (BYOB) to parties and like BYOB in social
circles, “bring your own device” (BYOD) is an extremely popular trend in the
workplace.
Where's the risk in this? According to Rob
Rachwald, director of security at Imperva, it's a pretty straightforward one:
sign in to your sync account at home and work to enable the tab synchronisation
to be utilised; if the home PC is compromised by a malware infection then the
data you sync from your work PC is also compromised. Now you might still think
that this is no big deal, that even if a hacker were able to see what internal
corporate URLs you've been accessing, this information alone isn't necessarily
going to lead to a breach. But it isn't only data about which tabs are open
that's synced to Chrome when you sign in. In fact, to enable a "personal
Chrome experience" across all devices, pretty well all browser settings
are synced, including apps installed, bookmarks, extensions and browsing
history, for example.
Now the threat surface has just expanded
considerably, and all of a sudden the value of that kind of information to a
potential hacker is far greater, especially when you consider that the Chrome
default for syncing is to include everything. Remember, unlike BYOD scenarios,
where there's the opportunity to implement security measures to manage what
data can flow between devices when you connect your home laptop or smartphone
to the company network, managing what you do with your home web browser or the
one that lives in your pocket is impossible for enterprise IT bods.
Malware detection will spot and stop most
infections, but "most" isn't good enough. What if a home PC, by
virtue of the corporate acceptable use policy not stretching into the domestic
environment, became infected by malware that does the drive-by thing and
redirects an open URL to an infected page distributing a zero-day exploit? If
the same settings are synced to the work computer, then that browser is at risk
from the same infection as soon as it's opened - and this being a zero-day
means the chances are high that the company network will be compromised even if
there are methods in place to mitigate the zero-day risk.
Malware
detection will spot and stop most infections, but "most" isn't good
enough
How so? Because the home PC will remain
infected even though the corporate one has detected the exploit and disinfected
itself, leaving the bad guys (should they be of the advanced, persistent threat
variety) to tweak and morph the malware that would get a fresh chance at
antivirus avoidance every day. Then there's the small matter of apps and
extensions, which are also synced between devices by default. I'm sure you
don't need me to remind you of the dangers of rogue extensions, especially in
terms of JavaScript injection attacks. Now think back to the no AUP at home
dilemma, and while an AUP may guard against the installation of non-trusted
apps and extensions in the workplace, it can't reach into the home, where
defences are likely to be lower and users more relaxed when it comes to the
nature of the extensions they install, and the provenance of the developers who
create them.
