There is no such thing as a completely secure computer, or IT network. The number of threats we face from pranksters, all the way to organized crime is growing all the time. In fact, the threats themselves are increasing in both seriousness and sophistication.
It’s not just a matter of viruses, Trojans or worms that might come attached to an email and then infect your machine. If you are on the internet, then you are open to attacks of many different kinds, from hackers trying to gain direct access to your computer, malicious web sites tricking you into parting with money, tricks to get personal details such as credit card information or passwords, software slipped onto your PC that will do any number of things without detection — the list is always growing. As computers, software and the internet become more feature-rich and complex, the number of ways in which attacks can occur also inevitably increases. Everybody needs to be vigilant, particularly where online transactions involving banking or online shopping are concerned.
The language used in security circles describes computer systems as having some kind of vulnerability that is then exploited by an attacker. However, the most important vulnerability is human gullibility and lack of understanding. Conversely, the most important form of defense is a reasonable understanding of security issues combined with care and vigilance.
If you received an email from some unknown source, telling you to click on a link to “See Britney Spears naked”, would you click on that link? Most people nowadays know the danger involved and that clicking on such a link is likely to lead to computer infection of some kind. Unfortunately, there are still some who do not.
But what if the email at least appeared to be from a known source, and one that you knew had your email address? What if it appeared to be from your own bank, and included all the right graphics, logos and everything? You may be much more likely to click on the link in order to reset your PIN or password, as suggested. What if the link led you to a web page, apparently with the correct URL, that looked exactly like your bank’s correct page, complete with VeriSign security certificate logo (the little lock in the bottom right of the window frame)? Would you then enter your existing user name and password, thereby allowing the attacker to empty your bank account, or purchase goods online and send them to Africa?
Such attacks are rarer than offers of naked Britneys, but the attackers are getting this sophisticated, and are making increasing efforts to make money from such attacks. They continue to do so only because previous and less sophisticated attacks have proved successful. People have clicked on the links, entered personal information, and lost money as a result.
In the following pages, we will describe the most likely types of security problems that you will encounter and give you some advice on how to behave on the internet — what to do and what not to do. Software can also of course help considerably, as long as you do not allow yourself to become complacent — you may have the best known antivirus and anti-spyware software installed, but you still need to take care.
Dangers on the internet
The method of attack we described earlier, of an email purporting to come from your bank and asking for personal information, is known as phishing. Basically, phishing is a form of con-trick, and any such trick stands a better chance of working the more believable it is. The simplistic attacks seem to be falling in number, presumably because people are increasingly aware of the problem, and so attackers are becoming more sophisticated.
This partial screenshot is from a phishing email, pretending to come from PayPal. Notice that the actual link that would be followed — in the window frame — is very different from the one in the email text. This would for certain lead to a spoofed site of some kind, with a request to enter personal data. Always check the actual link when following a link in an email, and if it is for a site involving financial transactions, never click on such a link.
Perhaps the most common form of attack used in phishing is known as cross-site scripting (XSS). In this method an attacker will insert code in the embedded link — not the link that you will necessarily see — that will attempt to manipulate a web application, usually so that some code is inserted into the page that will be displayed in your browser. This doesn’t change anything on the server, but your browser will receive an amended form of the page, and will execute the malicious code as if it had come from that server. What you see will be the correct page of, say, your bank, but it will behave and perhaps appear differently — usually it will send you to another page that will have been crafted by the attacker.
In an extended form of this attack, known as persistent XSS, the manipulated URL is stored on a server in some form or another — in a database, forum content, and so forth — and is then accessed by unsuspecting users. In this case, you do not have to click on a manipulated URL in a phishing email, but it exists in some other source that you might stumble upon innocently.
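The following is an added example, not code from the original article: a hypothetical search page that echoes a URL parameter back into its HTML, shown once with the parameter pasted in verbatim (the reflected XSS just described) and once with it HTML-escaped so the visitor's browser displays the text instead of running it. The link, function names and page content are all constructed for the illustration.

```python
import html
from urllib.parse import parse_qs, urlparse

# Hypothetical server-side script of the kind a manipulated link would target.

def render_search_vulnerable(url: str) -> str:
    """Echo the "q" parameter into the page unchanged (reflected XSS)."""
    query = parse_qs(urlparse(url).query).get("q", [""])[0]
    # The parameter value becomes part of the page's markup as-is, so any
    # HTML or script it carries is interpreted by the visitor's browser.
    return f"<p>Results for: {query}</p>"


def render_search_hardened(url: str) -> str:
    """Same page, but the parameter is HTML-escaped before being embedded."""
    query = parse_qs(urlparse(url).query).get("q", [""])[0]
    # html.escape turns <, >, &, " and ' into entities, so the browser shows
    # the text literally instead of treating it as markup or script.
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def contains_script_tag(page: str) -> bool:
    """Crude check used here to show whether markup survived into the page."""
    return "<script" in page.lower()


# Constructed manipulated link of the kind a phishing email might carry:
# the "q" value is a percent-encoded script tag rather than a search term.
MANIPULATED_LINK = "https://bank.example/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"

if __name__ == "__main__":
    print(render_search_vulnerable(MANIPULATED_LINK))  # script tag reaches the page
    print(render_search_hardened(MANIPULATED_LINK))    # shown as harmless text
```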
Another variant on this kind of attack is known as frame-spoofing, which can also be triggered by a manipulated URL in an email. Frames have long been considered to be insecure by security experts, and their use is slowly fading away, but there are still a great number out there. In frame spoofing — first recognized by Microsoft back in the days of Windows 3.1 — an attacker is able to insert their own window as a frame within the window of a legitimate website. This means that, again, the page you are viewing is the correct one, with the correct URL and with the security icon visible, if relevant. But part of it has been replaced for a malicious purpose. This can be very difficult to spot.
In these types of attack, the malicious code is inserted in such a way that it runs in your browser — the server of the bank or other service has not been compromised. However, there is a form of attack known as remote code execution in which the web application is itself tricked into executing the attacker’s code. Very often, this results from weaknesses in PHP, one of the most common scripting languages used for creating web sites. Again, the relevant scripts can be triggered from within manipulated URLs. Many programmers have simply assumed that their program will always receive valid input data, and perform insufficient validation of such data: URLs, form data, and so on.
Many, if not all, of the websites with which we are likely to have online transactions are backed by large SQL databases. Again, problems occur when data that a user might input is not filtered and checked properly by the web site. If this data has been manipulated in some way, a skilled attacker can make use of special SQL characters (typically, the comment and end-of-command characters) and infiltrate his own commands in order to execute an attack. With this kind of attack, it is the web service that is the target, rather than the user directly. However, there have been instances where attackers have been able to compromise an SQL database and access customers’ credit card and transaction details.
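As an added example that is not part of the original article, here is the input-handling flaw just described in miniature: a constructed in-memory customer table queried once by pasting the user's input into the SQL text (where the quote and comment characters the text mentions change the meaning of the query) and once with the input passed as a bound parameter, which the database never interprets as SQL. Table, column and function names are all hypothetical.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the database behind a shopping or banking site."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [("alice", "4242"), ("bob", "1881")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Build the query by pasting the user's input into the SQL text."""
    # The input is treated as SQL, not as data: a quote character closes the
    # string literal and the comment characters (--) discard the rest.
    sql = f"SELECT username, card_last4 FROM customers WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Send the input as a bound parameter; it is only ever compared as text."""
    sql = "SELECT username, card_last4 FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed malicious input using the quote and comment characters:
# in the pasted-in query it turns the WHERE clause into one matching every row.
MALICIOUS_INPUT = "x' OR '1'='1' --"


def compare(username: str) -> tuple:
    """Return (rows from the vulnerable query, rows from the hardened one)."""
    conn = make_db()
    return len(lookup_vulnerable(conn, username)), len(lookup_hardened(conn, username))


if __name__ == "__main__":
    print(compare("alice"))           # (1, 1): an ordinary name behaves the same
    print(compare(MALICIOUS_INPUT))   # (2, 0): only the pasted-in query leaks rows
```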
Another component in online transactions that is supposed to safeguard such details, and that has attracted attention in the last year, is security certification. If you are online to an e-commerce site and are about to enter your credit card information, the window you are working in should have a little lock icon in the bottom right corner of the frame. This is the security certificate, and strictly speaking, you should click on the icon, and check that the certificate is genuine and was issued to the right organization. This is a pain, and there must be very few people who actually bother to do this, or even know that it might be a wise thing to do. Such checks are being introduced into browsers, but this has been very slow in coming.
You may think these security certificates are rock solid and reliable, but earlier this year, the commonly used OpenSSL package in Debian — used to generate the keys for this kind of encrypted communication — was found to have contained a bug since 2006. This resulted in the creation of weak keys. Such keys are more predictable, leaving the communication open to attack; and that is the communication over which your credit card or other details might be passed.
This partial screenshot is of a phishing email saying that it comes from The Royal Bank of Scotland, presenting a link allowing the user to pay a bill. The link is of a known and correct URL, and the actual link that would be followed — which is displayed in the window frame at bottom — matches correctly the link in the text. Even though this is clearly correct, it is better practice never to use such a link, but to use your bookmarked link to your utility company in order to pay such a bill. Even a small difference in the actual link might take you to a spoofed site.
Finally, although our list of security vulnerabilities is going to be far from comprehensive, we should mention keyloggers, which are a particularly pernicious form of infiltrated software. You might pick up a keylogger in much the same way as a virus, Trojan or worm. Once it is inside your system, it will do nothing to give away its presence, but it will sit there noting the keystrokes that are made and sending these off across the internet to the attacker. Of course, it will be looking for the tell-tale signs of credit card or banking information and the relevant PINs and passwords. It is because of attacks such as these that some banks have started supplying virtual keyboards when you enter your password. With these, instead of using your physical keyboard to enter the password, you use the keyboard on screen, pressing keys with the mouse. The keylogger is blind to this activity — at least up until now!
It should be clear by now that the complexity of modern computer systems carries with it a vast number of possibilities for attackers to infiltrate systems and gain access to confidential data. The increasing trend towards such concepts as cloud computing and Web 2.0, involving more private data being hosted on the internet and ever more code and transactions being passed across the internet, is only likely to make the situation worse. In the following pages we describe the steps you can take to protect yourself in that dangerous online world, and the software that can help you on the way.