Your brain is the most powerful defense against Internet threats
The BBC reports that users of the popular video streaming website Twitch.tv are attacked on the site which can lead to the buying, selling or trading of virtual user items on the gaming platform Steam.
Attacks are carried out via links that get posted in chat on the site according to F-Secure which reported about it first. The messages invites users to participate in weekly raffles for a chance to win virtual items for the game Counter-Strike Global Offensive, the most recent version of the popular Steam game.
Users who click on those links load a Java program which asks them for information. While it is unclear if those information are processed at all, it is clear that the program drops malicious software on the user system which allows the attacker to perform a series of commands including adding new friends on Steam, buying items with user money, sending trade offers, selling items on the market and accepting trade transactions.
Virtual items can be bought, sold and traded on Steam with some items being sold for thousands of Dollars. While the average amount is lower than that, most games have rare items that are offered for one hundred or even more Dollars.
The problem
These types of attacks, and Twitch is just an example of one attack on one site, can be addressed in several ways:
- The site that is bombarded with them could add security checks or notifications, just like Valve has done on Steam recently. These would warn users to click on links posted by unknown parties.
- The browser/operating system manufacturer could improve security.
- User education.
If a user cannot distinguish between a legitimate link and a malicious one (click on this link and a Nigerian prince will send you $10 million US Dollars for safe keeping), then this is without doubt the biggest problem.
While companies can improve security on their end, there will always be ways for attackers to exploit the naivety of Internet users.
Raffles, quizzes, surveys, phishing emails and others are used for a long time by attackers and nothing seems to have changed in that time. Users still fall pray to those scams even though magazines and sites report about them all the time.
System and program security has improved as well in that time but that does not seem to keep users safe on its own. While it may help somewhat, attackers are ingenious enough to find new attack forms or variations of existing ones to exploit.
The only thing that will help in the long run is user education. This does not have to be in form of an hour-long session either as there are only a few rules that users need to follow to improve their security on the Internet significantly:
- Use your brain. If something seems too good to be true, it usually is.
- Don't click on links in emails or chats if you don't know the sender. Even then, think about it first before you click.
- Don't click "next" or "ok" when prompts appear without knowing what this is about.
Now You: Have something to add? Feel free to share it with all of us in the comment section below.
“Your brain is the most powerful defense against Internet threats.”
If that’s true, then I might as well throw in the towel here and now. ;-)
Seriously, though, I’m having a really tough time keeping an older relative reasonably safe online. He’s the stereotypical absent-minded professor who has a hard time paying attention to anything other than his work. Briefings about safe Internet practices don’t just go in one ear and out the other — I’m not sure they go in one ear in the first place. (In fairness, though, after around a dozen explanations of how to spot and avoid phishing attacks, *that* lesson seems to have registered.) He can’t use Linux because of work requirements, and switching to a Mac would, in his case, be a prolonged and unwelcome learning curve. Seeing as how the “best defense” (his brain) is only marginally available, I do my best to install real-time security apps that require minimal attentiveness or action on his part: Avast, EMET, Unchecky, NoScript — regretfully set to “Allow Scripts Globally” by user necessity — HTTPS Everywhere, HitmanPro.Alert 2, Credit Card Nanny, and the like. Gmail has gotten pretty good at screening out English-language (most definitely not French) phishing emails … but his university’s email system is hopeless in that regard. It’s an ongoing battle.
My perspective on this is that the world will always have an ever-replenished supply of absent-minded or careless people, young, inexperienced people, aging people with diminishing mental acuity, and people who simply don’t want to have to become tech wizards in order to use the Net. Smarter, sharper, tech-savvier sociopaths will always find a way to victimize some of them unless prevented by technical and legal measures. My money for the future is on improved technical measures first and more vigorous policing second. I’m all for educating as many people as possible as well as possible, but if you’re betting on the average user’s brain to beat the bad guys in this context, you’re making a questionable bet.
Isn’t it an unwritten rule of the internet never to buy into these sorts of promotions
no matter how good they sound(?)
Back when I used to use the internet as a teen you would see all sorts of warnings on website
tell you to never share personally identifying information on the net, it seems like this ethos
has gone out the windows ever since those social network started to become the norm.
Even back when I was at school I received a 101 lecture on what and what not to do on the net.
OK, the post and the responses to it are very much on-target. A measure of wariness and care goes a long way toward neutralizing internet threats.
I do think, though, that attacks are becoming more sophisticated. For instance, a lot of software should be updated periodically. Most of us have figured out that the “Your Flash player needs updating, click to install” popup is a *bad bad thing*, but my pessimistic side tells me that the cleverness of the malware designers is increasing faster than the awareness of average users.
A report by Checkpoint Security, quoted on FierceRetailIT in May, 2014, claimed:
“Malware activity has grown dramatically year-over-year, according to the report. The research found malicious software within 84 percent of the organizations, and this malware was downloaded at an average rate of one every ten minutes. It’s a big increase from 2012, when the same study found just 14 percent of organizations experienced a user downloading malware every two hours or less.”
I don’t think the increase in malware is because users are getting stupider — I think users are, in fact, getting smarter and more wary. I think it’s because malware designers are getting cleverer *faster* than users. And malware designers are beating software defense systems more often too. One article quoted a RAND study as saying whereas in 2006 cybercriminals had 1 exploit kit available, they now have 33 different software kits to use.
Not meaning to spread FUD. Smart browsing can defeat a lot, as mentioned. There are more tools now than ever before for selectively disabling attack vectors like Javascript. And native system-wide sandboxing — see Qubes OS — may offset the malware increase, at least for awhile.
What ya think? Is what I’ve written in any way accurate, or am I just speaking from relative ignorance?
The biggest threat to personal computer security is the lump of flesh facing the screen.
I suppose it’s a twist on that old motoring joke that did the rounds when I was a lad…
“What part of a car is most prone to to failure?”
— “The nut holding the steering wheel !”
NullPointerException found in brain.exe … would you like to restart? :D
I imagine many of us here have suffered trying to help neighbours who just don’t want to be helped. Whatever you tell them, they have some mate down the pub who’s told them differently.
Of 2 dozen routers in my immediate neighbourhood, half are totally unsecured (unless you count ‘admin’ and ‘password’ as security.) More than half my neighbours’ computers have no adequate online security – about a quarter have none at all. “You don’t need all that stuff mate! Just a con to get you to buy security software! (Says my mate down the pub.)”
One neighbour had his router hacked – previously non-existent password changed so he was locked out. All he had to do was reset his router with a pin. But he ‘sorted’ his problem by replacing the router with a more expensive one – also totally unsecured. If anyone hacks this one he’s going to sue the manufacturers – so there.
I’ve put one or other of the free security suites on a dozen neighbours’ machines (usually after pointing out that their ‘free’ month’s McAfee or Norton was now years out of date.) Only to check a few months later to find it’s simply been overwhelmed by insane browsing habits and multiple browser toolbars. In a couple of cases the security had vanished altogether (“That AVG thing? Bloody nuisance – always nagging me! I chucked it!”)
As for spotting frauds – we’re none of us infallible, but the gullibility of some people often leaves me breathless.
“How was I supposed to know that email asking me to confirm my bank details wasn’t kosher?”
“But he said he was calling from Microsoft! Are they allowed to tell lies?”
“He told me if he could use my bank account, I could make a lot of money!” (Yes – REALLY!!! – twice in my locality in the last 4 years!)
And IMHO the best cop-out of them all – and a direct quote…
“The guy asked me to allow him access to my computer – it MUST be all right, surely, or it wouldn’t be allowed!”
There is a tool that puts most malware onto a computer, it’s the one sitting behind the keyboard.
I haven’t had a virus or malware in many years thanks to following your three rules. While there is much more that could be said, I try hard to make your three points to my friends and relatives. It’s an uphill battle to convince some people, even when they have been severely burned by not permanently practicing these three gems.