Friday, October 05, 2007

The Interweb is a Dangerous Place

You think it's dorky to still say Interweb? Anyway, I know it's been a while, but the busier I am the more motivating the news has to be for me to report on it, and there's just been kind of a drought recently. I think it'll be easier after this semester since 15 hours and football is tanking me.

Anyhow, the good news is that Amazon has cut down my job search with a full time offer, and it's a big deal to me to finally get this opportunity. I feel blessed to have such a great offer in front of me, and it's really a product of everyone who has helped me over the past 20 years, so thanks to all you guys. Whenever I give Amazon good press here, it's because I'm honestly impressed by the product, and that's what really excites me about potentially going there full time. They never had to brainwash me to like them or believe in them as a company.

What I really wanted to talk about today though was security. I'm still trucking along in my Network Security and Privacy class, and it's been a lot of fun though there's so much material that I wonder if our first exam will swallow me whole. Our first project is actually to steal fake sensitive data from a fake site they set up by impersonating the user or getting them to "accidentally" send it to me, except that it's not so fake. Yes, it was created solely for this project, but the ideas it's based on are, frighteningly enough, actually used for authentication.

I think what this course has done for me most of all is make me more afraid of the state of online security. I just wanted to share my fear in an effort to help you guys protect yourselves better. I used to think that the people who got viruses and other bad things were just way too naive and opened spam e-mail or went to shady sites or something. In actuality, it's so much easier than that to be compromised. A botnet searches for unpatched holes in your system's security to make it a zombie and use it to send spam and mount distributed denial of service attacks (a fancy way of saying that it'd make you an accessory to illicitly taking down web sites and, likely, extortion), and you may not even know.

There's much worse though. If you don't have a password set up on your router, someone could plant a one pixel (unnoticeably small) applet on a web page that would maliciously change your router's firmware and make it so that legitimate sites (like PayPal or banking sites) redirect to phishing sites (sites engineered to steal your credentials without you knowing). So you would go to their malicious site, though the URL wouldn't change and it'd look exactly like the real thing. Scary, huh? It's called drive-by pharming, which is actually a pretty cool name.

If you're worried about phishing, you should keep your web browser patched, and your OS for that matter, and maybe try out PwdHash. There's much more I can say about phishing, but I want to move on to something else that PwdHash helps with (slightly): user authentication. This process is largely dependent on the server authenticating you being smart, but it also relies on you choosing a good password. If you must use the same password at multiple sites, use PwdHash. It fights against phishing (though not drive-by pharming) and it gives you a different, seemingly random password everywhere. If you can find your password that you use at any site in a dictionary, that means it's pretty easily crackable. Please, include numbers and symbols in your passwords!
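To make the "different password everywhere" idea concrete, here is an added sketch (not PwdHash's own code or exact algorithm) that derives a per-site password from one master password and the site's domain. It assumes HMAC-SHA256 as the keyed hash and a naive "last two labels" rule for the domain; the function names and sample URLs are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

SYMBOLS = "!@#$%^&*"


def site_domain(url: str) -> str:
    """Reduce a URL to the last two labels of its host name.

    Assumption: a naive rule. A real tool needs the public suffix list
    so that hosts under suffixes like co.uk are handled correctly.
    """
    host = urlsplit(url).hostname  # lower-cased, port stripped
    if not host:
        raise ValueError("URL has no host: %r" % url)
    return ".".join(host.split(".")[-2:])


def site_password(master: str, url: str, length: int = 16) -> str:
    """Derive a deterministic password bound to the URL's domain."""
    domain = site_domain(url)
    digest = hmac.new(master.encode(), domain.encode(), hashlib.sha256).digest()
    body = base64.b64encode(digest).decode().rstrip("=")[: length - 2]
    # Always end with one digit and one symbol so the result satisfies
    # the usual "numbers and symbols" password rules.
    digit = str(digest[-1] % 10)
    symbol = SYMBOLS[digest[-2] % len(SYMBOLS)]
    return body + digit + symbol


if __name__ == "__main__":
    master = "one master password"  # constructed sample value
    for url in (
        "https://www.paypal.com/signin",          # the real site
        "https://paypal.com.login.example/",      # constructed look-alike
    ):
        print(site_domain(url), "->", site_password(master, url))
    # The look-alike domain gets a different password, so typing the
    # master password there does not reveal the PayPal one. Under
    # drive-by pharming the browser still shows the real domain name,
    # so the derived password is the real one: no protection there.
```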

Of course, even if you set up a firewall, change your router's password, use random passwords, and don't go to shady sites (or trust phishy e-mails), you're still in danger. Crazy, huh? There's always the threat of cross site scripting (XSS) attacks, whereby a hacker basically injects code into a web page or a URL and uses it to take cookies from you or just does generally bad stuff to your machine or uses you to inflict damage on other sites. Speaking of cookies, they're not quite as bad and insecure as you may think (as I once thought): only the site and server that created them can read and edit them, but unfortunately there are ways around this for a smart hacker dealing with a naive user.

You could blame the creator of cookies for not designing it well enough, but the rule that he established would sound pretty good to me if I didn't know any better. You could blame the creators of TCP/IP for not having stronger security protocols, but how long until someone finds a loophole? What I've come to learn more than anything is that when it comes to technology, there's always a way to get screwed. If it's hard enough to get screwed over, then you'll likely be fine because hackers prey on things that are computationally less greedy. But still, your system is only as secure as the least secure part of it (and for a network, the same goes for the weakest computer on it), and how you authenticate is only as safe as the most vulnerable part of the process. It's scary, very scary, but there's definitely hope.

There's plenty of public knowledge out there about these issues to protect yourself. For the most part, the little things count (like what I cited above). Just don't be too trusting when you're out there on the web, and keep a progressive back-up of your data. Live every day like it's your computer's last. No matter how careful you are, it's still possible for you to lose everything, if not to a hacker then to hardware failures.
