Cybersecurity's twitter-fast shifts
Twitter, despite its chirpy logo and its endorsement from Oprah, isn't as harmless as it seems.
Throughout April, worms have ripped through the "microblogging" platform, infecting user accounts with malicious code that spread from profile to profile as Twitterers visited one another's compromised pages. Every time Twitter's administrators declared that they had cleaned up the infection, a new strain of malicious code would begin propagating through thousands of accounts, week after week.
So far, that string of 140-character epidemics has seemed to be nothing more than an experiment in hacking Twitter, designed by a 17-year-old Brooklynite named Mikey Mooney. But the warnings for the microblogging platform and its explosively growing user base are clear enough: Next time, the same sort of worm could be designed to steal users' passwords or hijack their PCs with malicious software.
Cybersecurity researchers may not be surprised that novel attacks follow every new digital medium that becomes popular. But for everyone else, the recognition that cybercriminal exploits are changing almost as rapidly as Twitter's real-time updates presents a daunting problem: How do we practice safe online behavior when the Web's safety code is constantly in flux?
"The rules are always changing as the threat landscape changes," says Jeremiah Grossman, a Web security researcher with White Hat Security. "It's like you're told not to shake hands with the guy who's coughing and whose nose is running. But then it turns out that someone who looks healthy can infect you just as easily."
One of those new rules, Grossman says, is that generic messages from "friends" on social sites like Twitter and Facebook can no longer be completely trusted, given that both sites have been repeatedly hijacked by hackers.
But the erosion of trust online goes further: Simply visiting a site that's been infected with malicious software can download password-stealing software to a user's PC, a technique known as a "drive-by download." An evolving breed of attack known as DNS (Domain Name System) redirection can send users to invisible look-alike sites when they type an address directly into a browser. And hacker tricks like Cross-Site Scripting and Cross-Site Request Forgery allow some sites to steal the "cookie" files downloaded to your browser, giving hackers access to any past site you've visited.
"Our security practices have become paranoid to the point that we have to assume that practically everything is compromised," says Grossman.
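The two defences that matter most against the profile-page worms and cookie theft described above are both on the site's side: user-supplied text must be escaped before it is placed into a page, and the session cookie must be flagged so page scripts cannot read it. The Node.js code below is an added example, not code from the article, from Twitter, or from White Hat Security; the function names, the sample user and the `cookieFlags` deployment check are constructed for illustration. The `SameSite` attribute is a browser feature that arrived after this article and is included here as a modern addition that also blunts Cross-Site Request Forgery.

```javascript
// Added example (not from the article): server-side defences against the
// profile-page XSS worms and cookie theft the article describes.
// Function names, sample data and the cookieFlags helper are constructed.

// 1. Escape user-supplied text before it is placed into HTML. A profile "bio"
//    is rendered as text, so any markup it carries must become inert characters.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function renderProfile(user) {
  // Every interpolated value passes through escapeHtml; nothing is inserted raw.
  return `<h1>${escapeHtml(user.name)}</h1><p class="bio">${escapeHtml(user.bio)}</p>`;
}

// 2. Issue the session cookie with HttpOnly, so page scripts cannot read it
//    through document.cookie, and Secure, so it only travels over HTTPS.
//    SameSite (added to browsers after the article was written) stops the
//    cookie from being sent on most cross-site requests, which blunts CSRF.
function sessionCookieHeader(sessionId, { maxAgeSeconds = 3600 } = {}) {
  // The session id is an opaque token; reject anything else so the header
  // cannot be shaped by attacker-controlled text.
  if (!/^[A-Za-z0-9_-]+$/.test(sessionId)) {
    throw new Error('session id must be an opaque token, not arbitrary text');
  }
  return [
    `session=${sessionId}`,
    `Max-Age=${maxAgeSeconds}`,
    'Path=/',
    'HttpOnly',
    'Secure',
    'SameSite=Lax',
  ].join('; ');
}

// Parse a Set-Cookie header back into its attributes so a deployment check
// can confirm the protective flags are really present (constructed helper).
function cookieFlags(header) {
  const parts = header.split(';').map((p) => p.trim());
  const sameSitePart = parts.find((p) => p.toLowerCase().startsWith('samesite='));
  return {
    httpOnly: parts.some((p) => p.toLowerCase() === 'httponly'),
    secure: parts.some((p) => p.toLowerCase() === 'secure'),
    sameSite: sameSitePart ? sameSitePart.split('=')[1] : null,
  };
}

// Constructed sample: a bio carrying a script tag. After escaping, the rendered
// page contains no tag at all, only the literal characters of the text.
const sampleUser = {
  name: 'alice',
  bio: '<script>stealCookies()</script>',
};

console.log(renderProfile(sampleUser));
console.log(sessionCookieHeader('abc123'));
console.log(cookieFlags(sessionCookieHeader('abc123')));
```

The escaping step is what stops a worm from spreading: markup stored in one profile is shown to the next visitor as text rather than executed. The cookie flags limit the damage if escaping is ever missed, because a script that does run still cannot read the session cookie.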
Rise in phishing victims
That growing paranoia is at least partly justified. According to Gartner Research, more than 5 million Web users lost money to phishing attacks over the 12 months ending in September 2008, a 40 per cent increase in the number of victims during the same period the year before.
That increase marks a shift in strategy among cybercriminals. Thanks in part to fraud-detection systems that prevent identity thieves from withdrawing more than a few hundred dollars from compromised bank accounts, cybercriminals are expanding their tricks to draw in a higher volume of credit card numbers than ever before.
But a few simple measures can cut off most of those attacks. Preventing a compromised Web site from infecting your computer with malware, for instance, is often as simple as using a secure, well-updated browser, says Dan Holden, a Web security researcher with IBM's Internet Security Systems. "The browser is still the lowest common denominator, the universal application that attackers will look at first," he says.
Keeping your browser updated helps to ensure that any recently discovered vulnerabilities in the software won't be exploited by cybercriminals. And not all browsers are created equal. In the Pwn2Own hacking contest last March, only Google's Chrome browser couldn't be hacked by contestants, thanks in part to its "sandboxing" feature that keeps Web sites from accessing a user's PC resources. Apple's Safari browser, by contrast, was compromised in minutes.
Just as important as browser security, says Holden, is updating plug-ins, the programs that run within a browser to enable functions like animation or video, such as Adobe Flash or Microsoft's ActiveX. Cybercriminals often design their infections to exploit vulnerabilities in embedded programs as well as in browser software, so every plug-in requires constant patching to avoid malware downloads. In fact, four out of five of the Web attacks recorded by IBM in the last year exploited weaknesses in ActiveX, Holden says.
Less common new attacks like DNS hijacking have solutions too. Those attacks exploit the Domain Name System, a kind of digital directory hosted by broadband carriers, to redirect users to look-alike phishing sites when they type an address into their browser. But users who want to be sure that their DNS isn't being compromised can check their connection at Doxpara.com. Those who are still vulnerable can protect their browsing by switching to a private, free DNS service like OpenDNS.
Still, the truly security conscious take more serious measures. White Hat's Jeremiah Grossman, for instance, uses two browsers — one is for normal browsing, while the other is for accessing secure sites like banking and e-commerce.
By splitting his Web time between the two, Grossman argues it's less likely that an insecure site could use a trick like Cross-Site Scripting or Cross-Site Request Forgery to steal the "cookie" files that would allow access to the secure sites. "That way I compartmentalize my risks," says Grossman.
Call it cyber paranoia. Or, given the Web's roiling landscape of risk, you could also call it common sense.