Social networks and smartphones are being increasingly targeted by malware designers, while botnets are now available, ready to use, for a few thousand dollars.
Those were the major items of interest for ordinary consumers at the recent RSA 2010 security conference held in San Francisco. The conference tends to be more concerned with business-level computer security, but some of the discussion topics also have an impact on home computer users.
NetGuide has written extensively about the risks of posting too much information about yourself on social networks like Facebook and MySpace; after all, the point of social networking is ‘me, me, me’ – not to mention ‘my heaps of cool friends’.
But writers of malware are able to target people via their network pages, analysing their habits and preferences, and sending them all sorts of ‘fabulous offers’ that exploit their favourite pastimes and interests, to steal information or use their computers to push spam and other nasties.
Author and security researcher Nitesh Dhanjani introduced a new term to the RSA conference: ‘hacking the psyche’. He said that by analysing commonly posted information on networking pages, malware distributors could gain some useful – and potentially risky – information. For instance, they could hazard a fairly reasonable guess about keywords you might use in the event of losing a password. Once they learn a password (for your email account, or even your bank account), they’ve got information they can use themselves, or sell to others.
The answer here is simple: don’t share personal information in social networks, and if pressured to do so by someone you don’t know, lie through your teeth. And remember too that even trusted friends can have their accounts hacked. If you get a message from the address of a friend that seems unusual, treat it with caution. It may not be from them at all. For more about privacy in social networks, see last month’s issue, page 44.
As more people start using smartphones, malware writers are getting better at creating products specifically aimed at these devices. Smart users don’t do anything sensitive over wi-fi networks. Doing a quick financial transaction with your mobile may seem handy, but it should never be done over anything but your 3G or 2G network. If you’re not certain that all such data is encrypted, don’t use it. And be very careful about downloading applications. You should only do this from official sources; Apple is generally thought to be pretty careful about iPhone apps, but Android remains under a bit of a cloud, as do Symbian and Windows Mobile. All those platforms were hacked in demonstrations at the RSA conference.
Botnets remain the biggest single source of concern for security experts worldwide, and a piece of malware known as Zeus is the current bête noire. A botnet running Zeus can now be built for around $NZ4500. Latest versions of the malware can be bought online for around $NZ1200, while some of the older versions are available for free.
Zeus gathers data and allows remote control of infected computers, but worse, it directly injects content into web pages and intercepts credentials before they are sent to legitimate sites. Web pages can thus be turned into phishing sites. Criminals can even launder money gained in this way through hacked online bank accounts. Infection is often spread through spam or by getting users to click on infected sites (pharmaceuticals, adult material and job searches are commonly used as lures).
An easy way to tell if your online banking site has been hacked is if you get unusual requests for information. You should only be asked for your username and password. If you get asked for your account number or PIN, get out and alert your bank immediately.
Delegates to RSA 2010 tried to be upbeat about security as a whole, but even producers of security software conceded that around 20% of malware attacks aren’t being picked up by the latest anti-virus software.
The onus, therefore, still rests heavily on the user to be sensible: not to click on seemingly tempting offers, and to be sure they know just where they are when they’re online. Keep an eye on the address bar: a long URL where it should normally be fairly simple is an indicator that you may have been diverted – especially if various invitations start popping up.