On Websites and Web Surfing:
Beware of surfing the web for personal reasons on company computers. A new web attack has surfaced called “water-holing.” Attackers acquire prior knowledge of the websites employees visit most frequently, such as hobby, sports or news sites. They then bribe and lure employees to similar, yet malicious websites that host malware. This type of attack can lead to the breach of a corporate network.
Be cautious when accessing social networks on the same computer used for financial transactions. Recent cases of online fraud have been traced to unsecured computers and inadequately secured web browser configurations. Since not everyone owns multiple computers, another web safety tip is to “Log out” whenever possible.
Beware of shortened URLs like “hxxp://tinyurl.com/ycctrzf” as these may contain alpha-encoded exploits. Shortened URLs may also be used to serve spam. A familiar example is the shortened URL “hxxp://goo.gl/Xb1VM” which distributed spam onto Facebook profiles.
Do not rely solely on web mail providers (Gmail, Hotmail, etc.) for the detection of malicious PDF files, images and links within the body of email messages. If an email attachment or hyperlink looks suspicious, it is likely malicious in nature. Be certain all suspicious attachments or links are scanned by the security software installed on your computer. If no security software exists, install one right away. Files and links can also be manually scanned on the VirusTotal website.
For more advanced web users, beware of interchanging the use of VPN (Virtual Private Network) and TOR (The Onion Router) for web surfing. VPN provides privacy, thus protecting your data. TOR provides anonymity, thus protecting you, not the other way around. Use TOR first over VPN.
On Web Browsers:
A victim’s browser can be exploited to attack others and can lead to the compromise of a local network. Realize that malware attacks do not strictly occur from visiting malicious websites; they are most often due to exploited browser vulnerabilities. Two common types of browser attacks and the appropriate security countermeasures follow.
Drive-by downloads are web attacks designed to escape the browser walls and infect the computer’s operating system. Sandboxing, software security updates, and scanners can help quarantine these. Check if your security software offers these protection services.
Attacks that remain within the browser walls and can compromise cloud-based data, such as Twitter and Facebook accounts, are another common type. Secure cookies and content policies are used to control these types of attacks. However, website owners may choose whether or not to implement these security measures. As a result, users may not be able to fend for themselves.
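Because these protections are opt-in on the site's side, a site owner or tester can check whether a response actually sets them. The following Python sketch is an added example, not part of the original article; the header lists are constructed sample data and the function names are hypothetical.

```python
# Added example: audit a response's cookie flags and content policy.
# The header lists below are constructed sample data, not captured traffic.

def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie_name, {attribute: value})."""
    first, *rest = [part.strip() for part in value.split(";")]
    name = first.split("=", 1)[0]
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_headers(headers):
    """Return a list of findings for a list of (header_name, value) pairs."""
    findings = []
    csp = None
    for header, value in headers:
        h = header.lower()
        if h == "set-cookie":
            name, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                findings.append(f"cookie {name}: missing Secure (can travel over plain HTTP)")
            if "httponly" not in attrs:
                findings.append(f"cookie {name}: missing HttpOnly (readable by page scripts)")
            if attrs.get("samesite", "").lower() not in ("lax", "strict"):
                findings.append(f"cookie {name}: SameSite is not Lax or Strict")
        elif h == "content-security-policy":
            csp = value
    if csp is None:
        findings.append("no Content-Security-Policy header")
    elif "'unsafe-inline'" in csp:
        findings.append("Content-Security-Policy allows 'unsafe-inline'")
    return findings

# Constructed responses: one site that opted in, one that did not.
HARDENED = [
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
]
WEAK = [
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Set-Cookie", "prefs=dark; Secure; SameSite=None"),
]

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_headers(hdrs) or "no findings")
```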
Web browser reaction times to patch vulnerabilities can vary significantly. Much also depends on how often users run updates. It is best not to ignore update notifications from Chrome, Firefox, Internet Explorer, Safari, or other web browsers.
On Facebook and Twitter Attacks:
Attacks on Facebook and Twitter are serious, and users quite commonly fall prey to them, even with the ongoing security enhancements deployed by each entity. Two of the newer types of web attacks include:
- Website login detection – attackers are able to detect and identify the websites a user is logged into, in addition to the dates and times of active sessions. Attackers then spam users when they appear online.
- Deanonymization – attackers insert images near “Like” or “Share” buttons in hopes that users will accidentally click on them. Doing so redirects users to third-party websites. On the server side, when users click on these devious images, the attacker can obtain the user’s name and scrape other public profile information.
The use of mobile apps over desktop apps is recommended. Mobile apps act like custom mini-browsers that isolate browsing sessions. Log-in detection and deanonymization are less of a risk. From an online privacy standpoint, however, mobile apps may collect far more personal information than any website.
“Unless you’ve taken very particular precautions, assume every website you visit knows exactly who you are, where you’re from, etc.” – Jeremiah Grossman
On the Types of Attackers:
There are three main sources of cyber-attacks: criminals, hacktivists and governments.
The most troubling are the criminals. They target anyone and everyone. Their motive is to get rich quick by deploying spam campaigns, botnets, and conducting phishing and fraud attacks. Unlike viruses and exploits, these attacks are very hard to detect, track and contain.
The motives of hacktivists are mostly self-gratification and fun. They hack because they can, and aren’t afraid to leave their mark. Anonymous is one of the most popular hacktivist organizations and typically defaces websites or breaches networks in parallel with political or social causes or events. Interestingly enough, companies like Microsoft and Google encourage such hacktivists to find and report bugs in their products or systems through contests. Some may be rewarded or even offered a job.
Certain governments are notoriously linked to cyber espionage. The biggest attacks have arguably been Stuxnet and Duqu. Huge resources are allocated for these types of sophisticated attacks, which tend to target government security defenses and big company infrastructures.