Think you can hide behind the privacy of an "unlisted" cell phone number? Think again. Maybe you believe you don't need security software on a Mac or iPad. You'd swear that Firefox is the safest browser in town. Wrong on both counts.
Most of us don't think about security for our digital devices until something goes wrong, or it's time to renew an antivirus subscription. But what the security experts like to call the threat landscape changes all the time, and keeping up is hard to do. So we'll save you some time. Here are five current facts that you probably don't know about digital security, but should.
1. Your cell phone is not a juicy hacking target
How's this for a loss of privacy: Your suspicious spouse's detective hacks into your voice mail, figures out who belongs to the private numbers you've been calling, tracks their whereabouts and then listens to their voice mail messages. That's a real possibility, according to two young security researchers who have found a way to exploit weaknesses in mobile telecom networks.
The researchers, Don Bailey, of iSec Partners, and independent security researcher Nick DePetrillo, presented a paper called "We Found Carmen San Diego," at the Source security conference last month.
The title of the talk was funny, but what the researchers found "scared us as well," Bailey, 31, said in an interview. "Anyone with some basic knowledge is capable of building the attack tool we developed." Let's hope Bailey was being a bit modest, but the threats he and DePetrillo, 27, found are being taken quite seriously by wireless providers, they said.
Bailey and DePetrillo are "white hats" with no interest in publicising detailed hacking techniques, but they did give me a glimpse into how they do what they do. With my permission, the researchers did a bit of searching on my personal information and found enough to convince me that they are for real.
First and foremost, they have learned how to enter the various caller ID databases, a collection of phone numbers matched to subscriber names by providers for use in caller ID service. Like you, I never suspected that wireless numbers are also entered in those databases. But a number of major wireless providers have begun doing so. The researchers won't say which companies have and which companies have not.
Caller ID information can be matched with other data culled from the global SS7 telecommunications network, including information from the Home Location Record database, and mobile switching centers.
The good news here: the providers are working hard to plug the holes found by Bailey and DePetrillo. However, some of the weaknesses that allow that type of hacking are based on the fundamental design of the cellular network, so the fix is not an easy one.
2. Virus writers ignore Apple Macs and iPads
The iPad has only been on the market for a month, but hackers have already found a way around its security features, at least for those using the tablet in tandem with a Windows PC.
According to the BitDefender, (an antivirus maker) "This particular threat comes in the form of an unsolicited email, promising to keep iPad software updated 'for best performance, newer performance, newer features and security.' Via a conveniently provided link, the email instructs iPad users to download the latest version of iTunes to their PCs. The download page to which users are directed is a perfect imitation of the one they would use for legitimate iTunes software downloads."
Once downloaded, the code opens a backdoor into the system and attempts to read the keys and serial numbers of the software installed on the affected computer, while also logging the passwords to the victim's ICQ, Messenger, POP3 mail accounts and protected storage.
This threat does not target Mac computers, but don't get smug, Apple fans. Macs are vulnerable to other threats. The main reason you hear less about attacks on Macs, is that hackers prefer to go for systems that have the widest possible distribution, and that means Windows. At this year's CanSecWest conference, security researcher Charlie Miller used a flaw in Safari to break into a MacBook in under 10 seconds.
3. The amount of malware is waning
In fact, the threat is growing exponentially. McAfee got an ugly black eye in April when a so-called false positive by its antivirus software crashed machines running Windows XP. But even the company's competitors were quick to acknowledge that the mishap could have happened to any of them.
The big reason: The exponential growth in malware and infected web sites. "We're identifying 20,000 or more signatures every day," says Zulfikar Ramzan, technology director of Symantec's security response group.
By signature, he means the footprint of a newly discovered bit of malware. Ideally, each signature goes through a quality assurance procedure that makes sure it is, in fact, malicious. In the McAfee case, the automated procedure slipped up, and wrongly identified a Windows system file as malware. And that's why XP-based PCs with that particular update crashed.
"The explosion of signatures means humans can't analyse them, so we automate," says Ramzan. "But as we add more automation, the risk of false positives increases, and so does the performance hit to machines."
Symantec, for one, has been utilising new methods for identifying malware (including poisoned websites) including the use of crowdsourcing, or what the company calls reputation-based screening. Millions of Symantec customers allow their machines to send data on infected files and websites to the company's servers. Once the data is scrubbed of identifying information, it's used to build a database of known malware.
There's more to the method than tracking bad actors. Symantec also examines harmless code found on many computers, and in effect, whitelists it. "We look at the attributes of a file. If, for example, we see that it's on 1 million machines and has been around for a year and there are no reports that it is malicious, it's likely safe," explains Ramzan. If a file is known to be harmless, it won't be scanned, and the user's computer won't work as hard.
4. Free security software is wimpy
Spending money on a good security suite is generally a good investment, but if you're on a budget, or simply don't like the idea of forking over yet more money on another piece of software, there are free security programs that do a good job detecting and isolating computer viruses. Free software from companies such as Avast, McAfee, and Microsoft can offer very good protection against viruses, spyware, Trojan horses and the other kinds of malicious programs lurking out there in cyberspace.
No, I haven't tried all of them out, but an Austrian company called AV-Comparatives does, rating products by the percentage of malware a program fails to detect, the number of applications a program falsely identifies as malware and the speed at which the program scans your computer. At the end of each year, the independent testing outfit publishes a summary of tests it has conducted over the previous 12 months comparing antivirus products. All three of the free products I mentioned did well.
But the overall winners for 2009 were, in order, Symantec, Kaspersky and ESET. And remember, while the free programs are good at bashing viruses, they don't do everything the larger suites do, such as offering spam filters and parental controls.
5. Firefox is much safer than Internet Explorer
Microsoft's Internet Explorer gets a lot of bad press, and you might think it's got more security holes than a chunk of Swiss cheese. Not exactly.
According to a recent report by Symantec, Mozilla Firefox had the most new vulnerabilities in 2009, with 169, while Internet Explorer had just 45. However, Internet Explorer was still the most attacked browser for the reason we mentioned earlier: Hackers, like advertisers, go for market share and despite big gains by Firefox, IE is still number one.
Looking at browsers with a smaller market share, Symantec found that Safari (remember what we said Apple products being vulnerable?) had 94 new vulnerabilities, Opera had 25, and Chrome 41. All of the browsers had an average window of exposure, the time between when exploit code affecting vulnerability is made public and when it is patched, of less than 1 day, on average, except for Chrome (2 days) and Safari (13 days), according to the report.