Protect your system with software, but factor in human weakness, too
It’s shockingly easy to get many computer users to part with vital secrets such as their passwords and personal details. Time after time, when security professionals test how easy it is to penetrate a corporate system, they demonstrate that the easiest portal is to trick a user into revealing how to access their account. Humans are invariably the weakest link, and no end of smart hardware and sophisticated software can compensate.
Good cybercriminals know this well. Although you may think you can spot phishing from genuine email and a bogus website from the original, every day thousands get it wrong and fall into the clutches of crooks. Sometimes they’re protected from themselves by security or antivirus software, but all too often such measures kick in too late. Other users assume that the obstructive security policies of their network will protect them from all ills, only to discover how a cunning intruder can sneak through, exploiting that confidence.
The effective cybercriminal understands your motives and desires, so as to see where they can be exploited. Many people can’t resist the temptation to make money, particularly if they think they can do so with minimal effort and without paying tax. Although you may think that you can resist invitations to profit from a huge legacy or ill-gotten gains in the Middle East, the crafty criminal is unlikely to offer anything so obvious. They may offer modest discounts, desirable software products at massive reductions or PDF versions of key books for which you’re searching.
Like a pickpocket, they catch you when you’re concentrating on something else. On the occasion when my charge card details were stolen online, I was frantically trying to book accommodation for quite a large group in London to enable us to catch an early Eurostar train to France. One hotel looked ideally situated, but I could only discover whether it had vacancies by providing full booking details, including payment information. Within 48 hours, in a series of transactions handled through weird businesses in Australia, my account was debited over 10,000 Australian dollars before its fraud detection service blocked the card.
Sometimes you have to work close to danger. Recently, I’ve been studying Georgian, purchasing books and other items from their only sources in Georgia. Rather than using my charge card, with its invitingly high credit limit, I have instead used a card with a low limit and consequently lower capacity for criminal abuse. I’m also fastidious about selecting the online shops with which I trade, creating accounts and sounding them out before providing any card details. If you travel in such countries or need to do more extensive business, consider using local banking and payment services that limit your liability even more, or discuss safe solutions with your card provider.
Forging emails is remarkably easy and it can be difficult to see clues to their real nature. Here, you need to understand the system of domain names and the contents of internet headers, which all good mail clients can display as an option. Many of us have recently received highly plausible emails purporting to offer an Apple discount card. Its subtle giveaway lies in its origin, from apple@store.com, rather than an address within Apple’s domain of apple.com. If in doubt, check the location of the servers that it has passed through and compare these with known locations using the Lookup and Traceroute tabs in Network Utility.
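The header check described above can be scripted. The following is an added example, not part of the original article: the function names `check_sender` and `in_domain` are hypothetical, and the sample message is constructed (only the apple@store.com address comes from the text; hosts and IP addresses are reserved documentation values).

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; not a real email.
SAMPLE = """\
Received: from mail.store.com (mail.store.com [203.0.113.25])
\tby mx.example.net with ESMTP; Mon, 01 Jan 2024 10:00:02 +0000
Received: from bulk-sender.example.org (unknown [198.51.100.7])
\tby mail.store.com with SMTP; Mon, 01 Jan 2024 10:00:00 +0000
From: "Apple Store" <apple@store.com>
Reply-To: offers@bulk-sender.example.org
To: reader@example.net
Subject: Your Apple discount card

Claim your discount today.
"""

def in_domain(host, domain):
    """True only if host is the domain itself or a subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def check_sender(raw, brand, brand_domain):
    """Flag a message that uses a brand name but is sent from another domain."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    local, _, from_domain = addr.rpartition("@")
    findings = []
    # The brand appears in the display name or mailbox, so the domain should match it.
    if brand.lower() in f"{display} {local}".lower() and not in_domain(from_domain, brand_domain):
        findings.append(f"From claims {brand} but domain is {from_domain}, not {brand_domain}")
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2]
    if reply_domain and not in_domain(reply_domain, from_domain):
        findings.append(f"Reply-To goes to a different domain: {reply_domain}")
    # Each server prepends its Received line, so reverse for oldest-first order.
    # Lines below your own mail server's entry are sender-supplied and can be forged.
    hops = [" ".join(h.split()).split(";")[0] for h in reversed(msg.get_all("Received", []))]
    return {"from_domain": from_domain, "findings": findings, "hops": hops}

if __name__ == "__main__":
    report = check_sender(SAMPLE, "Apple", "apple.com")
    for finding in report["findings"]:
        print("WARNING:", finding)
    for number, hop in enumerate(report["hops"], 1):
        print(f"hop {number}: {hop}")
```

The suffix comparison in `in_domain` is what catches lookalikes: a host such as `apple.com.evil.example` contains the brand's domain but does not end with it.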
Downloading software from untrusted sites is another excellent way of getting into trouble. Still images and movies can contain malware, and when you search for them using apparently reputable engines such as Google, some of those hits will contain malicious material. Watch carefully for the address shown for each item and avoid those looking suspicious, with unusual domain names and countries such as .ru (Russia) and .cn (China): see the listing at iana.org/domains/root/db. Insist on obtaining software updates from trusted sources, anthologies like Download.com or checked vendor sites. Even these may become forged or diverted, so be alert for fakes.
Not on my watch – Check all downloaded files, including saved images and movies, with antivirus software before opening, using watched folders to do this automatically
You must understand the goals of those who are trying to catch you out: to get you to surrender card, bank or personal details, or to get malware onto your Mac. By and large, this is now accomplished via HTML, sometimes by exploiting security flaws in other file types such as Office documents or PDF. They’re trying to trick you into opening their mail enclosure or web page, which then uses JavaScript, Java, Flash or similar to do the dirty to you.
Keeping OS X, ancillaries such as Java, plug-ins and your applications up to date is essential. Although there’s usually a time-lag between exploitation of a vulnerability and release of a patch to address it, if you’re still using OS X 10.4 with its multitude of known vulnerabilities, you’re a sitting duck every minute that you’re online. Gone are the days when the wise would let early adopters find the flaws in updates over a couple of weeks before deciding to upgrade themselves. That fortnight is now an unacceptable period at risk; 14 days of unnecessary exposure.
If you do decide to install security or antivirus software, you must keep it completely up to date, and it must augment rather than replace your human security. If you need an update subscription to keep your protection current, budget for that and keep the subscription up. If you can’t, uninstall the product, as it may cause system problems as well as becoming increasingly useless. Beware of risk compensation – the ‘Volvo syndrome’ – whereby increasing your absolute margin of safety induces you to compensate by behaving more dangerously.