Nine Paranoid Internet Security Tips
In its must-read whitepaper, Websense Security Labs State of Internet Security, Q1-Q2, 2009, Websense reveals several frightening internet trends. It seems no website is safe.
For example, Websense reveals a 233% growth in the number of malicious websites in the last 6 months. Seventy-seven percent of sites spewing malicious code are legitimate sites that have been compromised. Even scarier, "61% of the top 100 sites either hosted malicious content or contained a masked redirect to lure unsuspecting victims from legitimate sites to malicious sites."
In 2009 the web community has experienced a sharp increase in spam, cross-site scripting, web redirects, identity theft and a myriad of other schemes, cons and self-induced security flaws. The problems are at times subtle but often glaring. As a case in point, this past week we assisted in an investigation of hackers stealing the identity of an entire company.
In this case, a Nigerian-style cyber-criminal gang was able to develop impressive credit credentials by stealing very basic financial info from a company based in Atlanta, Georgia. The cyber-criminals then used a mass email script to contact thousands of companies in the United States to either make purchases or offer to act as a dealer for these companies. In the ruse they would email a PDF version of credit documents, including financials, banking information, company location and other data used to form a credit decision. The documents were all on the letterhead of the legitimate company, but included phony (800) numbers. They also listed a website address hosted on Google. The domain was nearly identical to the valid domain, with the exception of a hyphen in the center.
The criminal gang used several proxies in Nigeria, Israel and elsewhere to make the contacts. In some cases the proxies were chained, making it nearly impossible to track the gang. In all cases the email headers were either malformed or otherwise engineered to hamper tracking the original sender.
Within two weeks several companies had sold and shipped product on credit to the identity thieves.
Individuals and companies engaging in business on the internet need to do so with a heightened sense of awareness and extreme caution.
Hacking a website can be fairly easy to accomplish. Just ask Google. Do a search query on "how to hack." Depending on the day of the week you may get close to 200 million results. Two hundred million may also represent the current number of hacked websites and home computers.
If 61% of the top 100 websites have been hacked, chances are good your website can be hacked as well. Hack attacks can be simple or complex. But, more importantly, they are inexpensive to perpetrate, anonymous, often invisible and nearly impossible to prosecute.
Hacking groups, script-kiddies and professional cyber-criminals are always on the lookout for systems and programs to exploit. Malware is available for free through many websites. Cyber-criminals can afford to hire professional programmers to target specific exploits. Regardless of the cost to the crime-gangs, it is relatively cheap to develop criminal code because the code is available to use against millions and millions of systems all at the same time. A small percentage of success reaps exponential financial rewards.
It is time to get paranoid. Assume you have been, will be, or are being hacked. Take your paranoia and do something about it.
Here are 9 Security Tips to Keep Your Paranoia Under Control