Arun Marballi

In my previous column, I had suggested schemes for setting up "strong" passwords so that they are not easily broken - after all most often this is all that stands between a malicious hacker and his access to valuable, confidential data. Yet, even the most strong and secret passwords are susceptible to being compromised by crooks using techniques such as password sniffing, keystroke logging and social engineering.

We are quite familiar with Social Engineering - a technique that manifests itself in multiple forms - from phishing e-mails and convincing-looking fake Web sites to simple phone calls from shady doppelgangers posing as persons of authority soliciting your confidential information. In prior columns, we have addressed at length that we can thwart social engineering tactics by not following links in unsolicited e-mails and also not giving out passwords and such information on phone calls that we did not initiate. Keystroke loggers, on the other hand, usually find their way onto our computers in the form of Trojan spyware from compromised Web sites that we may inadvertently visit.

And perhaps the most widespread exposure is password sniffing on open unencrypted Wi-Fi networks, such as the ones we find at airports and hotels. To make matters worse, we don't even have to go that far - consider the wireless network that most folks have at home - how many of us have activated the security settings on our wireless router? Research has shown that a large majority use the router straight out of the box using the default settings - which leaves it unsecured. It is easy to check this out, go to your computer's wireless network settings and look for the wireless networks available in your neighborhood and you will be able to see the one's that are not secured.

Ideally, you should secure your wireless network using at least the 128-bit WPA2 encryption setting - additionally use a sentence-based pass phrase to secure the encryption.

What would the Internet be if not a large ubiquitous marketing mechanism? Aiding marketers are software objects called cookies that a Web site will place on your computer to carry out many innocuous and sometimes not so innocuous information-gathering tasks.

The browsers are equipped to provide us with control over how we want to deal with these cookies and we also could use Anti-Spyware products to control the cookie infestations - so all was reasonably well with this scenario - until now. Marketers frequently stifled by "cookie tossing" or removal have resorted to what are called "Local shared objects" or "Flash Cookies."

As the term Flash indicates, these cookies use the Macromedia Flash Player (which allows us to see embedded movie clips on Web pages) to install themselves; and the Anti-Spyware programs in use today do not eliminate them. Most users are unaware of these cookies and they can potentially remain on your computer indefinitely collecting the information they have been programmed to gather. As marketing companies increase their use of Flash Cookies (that will persist) as redundant backups of normal cookies (which could be removed by the user), the question that should be asked is - should these marketing agencies not recognize the fact that by deleting the normal cookies users are sending a strong message that they do not wish to be tracked and hence stop attempting to subvert this user desire by not resorting to the use of Flash Cookies?

The rise of Social Networking has not only created a new culture of friendly collaboration but it also has spawned a new vector for distribution of malware. The recent discovery of a Twitter profile being used to tweet botnet updates and links is another indication that cyber-crooks are using the same tools that we are and it shows how effective Social Networking sites can be in spreading malicious content.

New data research shows that most tweets are meaningless and the large percentage of "blabber" provides a perfect place for hiding in plain sight - almost akin to the "Where's Waldo?" picture puzzles. This then leads us to the next chilling question. Besides cyber-crooks, who else is sending hidden messages in the largely meaningless current of Social Networking traffic?

And then there is the "too little too late" news from Redmond that Microsoft plans to ship free security software as a replacement for the former Windows Live OneCare, a for-a-fee security suite that was retired in June 2009. The question that comes to mind is if Microsoft knew how to compensate for its operating system security gaps with a separate product - one wonders why it just didn't build it into the operating system in the first place?

Arun Marballi has worked in the Information Technology arena for more than 20 years with extensive experience in software development, process design and network/workstation management. For comments, questions, tips or suggestions, e-mail [email protected].

Home