In today’s Web 2.0 world, information sharing, online shopping and remote working are just a few examples of the many benefits the Internet and Web 2.0 technologies offer us. Blogs and social networks such as Facebook, Twitter and MySpace are becoming increasingly popular, with individual users and enterprises blogging, tweeting and uploading content on a daily basis. But where users go, cyber-criminals are quick to follow. Do-it-yourself crimeware toolkits that incorporate multiple vulnerability exploits lower the entry barrier for cyber-criminals, making it harder for users to keep up with adequate Web security.
Cyber-criminals are constantly looking for new opportunities and more efficient ways to spread their data-stealing malware or scareware to generate illicit earnings; duping users into purchasing fake software such as bogus antivirus is a popular method. Cyber-criminals know how to capitalize on the latest consumer interest on social networks and news Websites. They exploit consumer interest in natural disasters, celebrity doings and other major news (such as President Obama’s election and Michael Jackson’s death). By using crimeware to booby-trap Web pages built around these keywords on popular news sites, social sites and fan pages, cyber-criminals reach millions of potential victims.
It has been estimated that a new Web page is infected with malware every 4.5 seconds, putting home users’ computers as well as corporate computers at risk. According to the Anti-Phishing Working Group (APWG), the number of sites infecting PCs with password-stealing crimeware reached an all-time high of 31,173 in December 2008, an 827 percent increase from January 1 of that same year. Furthermore, one in five online consumers in the United States has fallen victim to cyber-crime in the last two years.
Cyber-criminals maximize their profits by turning unsuspecting users who visit infected Websites into business assets. The victims’ computers are stealthily infected with malicious code designed to steal data and take control of the machine. In a common scenario, the compromised PC becomes part of a botnet. The infected machine can then be traded again and again on a botnet trading platform, adding more “masters” that control it, all without the owner’s knowledge.
Resulting Damage From Data Breaches
The results and damages of a successful data breach are far reaching for the victims and for society as a whole. For example, stolen medical and patient data can be used for illegal and/or bogus treatments, setting up fake clinics, facilitating the purchase of addictive drugs and obtaining prescription drugs for the purpose of selling them.
Stolen medical and patient data can also result in the loss of health coverage for victimized patients, as well as inaccurate medical records, which could lead to incorrect and potentially harmful treatments.
Stolen Social Security numbers can be used for a variety of illegal activities such as opening new credit card accounts in the victim’s name, which results in the criminal’s payment history appearing on the victim’s credit report. Other illegal activities include opening phone accounts in the victim’s name, running up charges on the victim’s existing account, getting utility services in the victim’s name, taking loans out in the victim’s name, and getting a driver’s license or official ID card issued in the victim’s name using the criminal’s picture.
Criminals who steal Social Security numbers can also try to use them to fraudulently receive government benefits, land a job, file a fraudulent tax return, rent a house or obtain medical services, all in the victim’s name. Thieves can even try to give a stolen Social Security number during police questioning to avoid prosecution or arrest.
How Web 2.0 Users Can Stay Safe
Educate yourself. Humans are still the weakest Web security link. Social engineering (for example, phishing) is still a popular and successful tactic used by cyber-criminals. Michael Stawasz, senior counsel for the Department of Justice’s Computer Crime and Intellectual Property Section (CCIPS), preaches a simple rule: “Skepticism is your best defense.”
Before transferring money or giving out Social Security numbers or passwords, make sure that the request you received is legitimate. When shopping online, only do so from a secure PC and at sites you know and trust and that have a Secure Sockets Layer (SSL) certificate. Keep in mind what the certificate does and does not prove: it shows that the connection is encrypted to the domain shown in the address bar, not that the site itself is honest, and phishing sites can obtain certificates too. Check that the domain is the one you intended before entering any credentials or card details.
Laptops and USB sticks are popular targets for thieves, so their users must take steps to limit the damage of loss or theft. The data they contain should be useless to any unauthorized user, and full-device or full-disk encryption is highly effective at achieving this. The annual 2009 U.S. Encryption Trends Report by The Ponemon Institute shows that 59 percent of respondents rate encryption of mobile devices as very important and/or critical.
Unintentional leakage of data is a growing concern for all of us, since information shared on social networks can be abused by criminals, including sex offenders, stalkers and pedophiles. An innocent Facebook posting can have dire consequences. Sir John Sawers, the new head of the MI6 foreign intelligence service, found this out the hard way. His wife Shelley published details of his new position on her Facebook profile, which resulted in calls for a governmental investigation. Up-to-date information on Sir John’s address, as well as photos of numerous family members, would not only put the new head at personal risk but also pose a potential threat to national security.
Companies Need to Educate Customers and Clients
To protect online shoppers and users of online banking and payment services, companies must comply with the applicable rules and regulations; the Payment Card Industry Data Security Standard (PCI DSS) for card payments is one example. Companies not only have to tell their customers whether they are compliant but also instruct them on how to conduct their transactions as safely as possible. If they suffer a data breach, they should inform their customers, immediately take measures to limit the damage and, of course, compensate the victims.
Pay Attention to Your Own Web Security
True Web security starts at home. Every PC and every laptop needs an up-to-date anti-malware solution in place. Operating system and application providers regularly issue patches to fix vulnerabilities and keep their users as safe as possible, and those patches only help if they are applied promptly. Individuals need to protect themselves first and foremost. To avoid becoming a victim, be on the alert for social engineering (phishing) tactics and make sure you have the latest version of your anti-malware software installed to prevent data-stealing Trojans and other malware from infecting your PC.
A browser add-on that rates links can warn a Web 2.0 user about potentially malicious links, including on social Websites. Shortened URLs are especially troublesome: the user cannot tell from the link itself whether it leads to legitimate content or to an undesirable or infected Web page, and the shortener may hop through several intermediate redirects before arriving at the real destination. Such an add-on resolves the link and raises a security alert before the page is loaded, warning about malicious content lurking behind the URL.
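The following script is an added illustration of the check described above, not code from Finjan or from any add-on. It follows a shortened URL’s redirect chain one hop at a time without fetching the final page, then rates the destination against a blocklist. The redirect table, the blocklist and the host names in it are constructed for the example so that it runs offline; the `live_head` function shows how the same logic would be fed by real HEAD requests.

```python
"""Resolve a shortened URL's redirect chain without loading the final page,
then rate the destination.  Added illustration; all hosts, the redirect
table and the blocklist below are constructed sample data, not real sites."""
from urllib.parse import urljoin, urlparse

# Constructed sample responses: url -> (HTTP status, Location header or None).
FAKE_RESPONSES = {
    "http://sho.rt/abc": (301, "http://tracker.example/r?u=http://bank-login.example.net/"),
    "http://tracker.example/r?u=http://bank-login.example.net/": (302, "http://bank-login.example.net/"),
    "http://bank-login.example.net/": (200, None),
    "http://sho.rt/loop1": (301, "/loop2"),          # relative Location header
    "http://sho.rt/loop2": (301, "http://sho.rt/loop1"),
    "http://sho.rt/news": (301, "https://news.example.com/story/123"),
    "https://news.example.com/story/123": (200, None),
}
BLOCKLIST = {"bank-login.example.net"}   # constructed; an add-on would use a vendor feed
SHORTENERS = {"sho.rt"}                  # constructed shortener domain
REDIRECT_CODES = {301, 302, 303, 307, 308}


def fake_head(url):
    """Offline stand-in for a HEAD request."""
    return FAKE_RESPONSES.get(url, (404, None))


def live_head(url, timeout=5):
    """Real fetcher: one HEAD request with redirects NOT followed, so that every
    hop is inspected here instead of silently inside the HTTP library."""
    import urllib.error
    import urllib.request

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None   # returning None makes urllib raise HTTPError on 3xx

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def expand(url, fetch=fake_head, max_hops=10):
    """Follow Location headers manually.  Returns (chain, stop_reason); the
    reason is None when the chain ended on a non-redirect response."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain, None
        nxt = urljoin(chain[-1], location)   # Location may be relative
        chain.append(nxt)
        if nxt in seen:
            return chain, "redirect loop"
        seen.add(nxt)
    return chain, "too many redirects"


def assess(url, fetch=fake_head):
    """Rate a link: 'block' if any hop lands on a blocklisted host, 'warn' if the
    chain is abnormal, otherwise 'allow'.  Returns a dict the caller can show."""
    chain, stop_reason = expand(url, fetch)
    hosts = [urlparse(u).hostname or "" for u in chain]
    reasons = []
    blocked = [h for h in hosts if h in BLOCKLIST]
    if blocked:
        reasons.append(f"host on blocklist: {blocked[0]}")
    if stop_reason:
        reasons.append(stop_reason)
    if hosts[0] in SHORTENERS and len(chain) > 2:
        reasons.append(f"shortener passes through {len(chain) - 2} intermediate hop(s)")
    verdict = "block" if blocked else ("warn" if reasons else "allow")
    return {"chain": chain, "final": chain[-1], "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for link in ("http://sho.rt/abc", "http://sho.rt/loop1", "http://sho.rt/news"):
        result = assess(link)
        print(f"{link} -> {result['verdict']}: {result['final']}")
        for reason in result["reasons"]:
            print("   ", reason)
```

Two design points matter for a link checker. Redirects are followed manually rather than by the HTTP library, so a tracking hop that sits between the shortener and the destination is visible and can be rated on its own, and a loop or an unusually long chain is reported instead of hanging the browser. Only HEAD requests are issued, so the final page, and any exploit kit on it, is never downloaded during the check.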
Web security vendors are waging a war against cyber-crime. They run their own labs and research centers where the latest malware trends, developments in cyber-crime and malicious code are analyzed. They also work with law enforcement to try to catch cyber-crooks, and they publish their latest findings on threats and trends on their Websites and blogs. Subscribing to newsletters, bulletins and RSS feeds from security blogs is a good way to keep up with the latest developments. Forewarned is forearmed!
Yuval Ben-Itzhak is Chief Technology Officer at Finjan. A security industry veteran, Yuval brings strong technology leadership capabilities to Finjan, as gained in over 15 years of high-level management positions. Prior to joining Finjan, Yuval was the founder and CTO of KaVaDo Inc., a leader in Web application security (acquired by Protegrity). Prior to KaVaDo, Yuval was CTO at Ness Technologies, a global provider of end-to-end IT solutions and services. As a senior project manager at Intel Corp., Yuval was in charge of the design and development of multimillion dollar software projects. He began his professional career as a member of an elite intelligence unit of the Israeli Defense Forces, where he was responsible for the design and development of security systems for mission-critical projects. Yuval earned a Bachelor of Science in Information Systems and Engineering, cum laude, from Ben-Gurion University, Israel. He can be reached at ybitzhak@finjan.com.