Transcript
Ignorance Is Not Bliss: We Reveal 10 Web Application Security Myths

By Stefanie Hoffman

Electronically reprinted from Tuesday, August 24, 2010

Even in the Web 2.0 day and age, there remain myriad Web application security myths. They range from the oldies but goodies that persist (e.g., users will know when there's a virus or Trojan on their computer) to newer myths developed around Google search, social networking and Web browsers. With the preponderance of information about Web 2.0 security, it's easy to become overwhelmed. Here is our attempt to address some of the biggest lingering misconceptions about Web application security.

Myth No. 1: I Would Know If My Computer Got A Virus Or Malware

How do you know? Once upon a time, hackers wrote viruses to wreak as much havoc as possible—freezing computers, obliterating files and delivering the fateful "blue screen of death." Not so anymore. Nowadays, attacks are designed to quietly sit on a user's computer and stealthily steal sensitive data and passwords without a user's knowledge. Once infected, the computer becomes part of a malicious network of computers controlled by a remote command and control center. And more sophisticated attacks are designed to evade antivirus engines and spam filters. The only way to know that you're infected is to do a comprehensive scan of the computer. And you might be surprised by what you find.

Myth No. 2: A Web Page Is Safe If It's At The Top Of Google Search

Sadly, no. Google's algorithms rank the pages by keywords and a variety of other factors, depending on the search topic. But Google has no way to determine if a site is malicious or has been compromised. Meanwhile, hackers are becoming more adept at search engine optimization techniques, which rocket malicious sites to the top of the search pages, banking on the fact that users will naturally gravitate toward the first few pages listed.

It might be a tad unsettling to know that not all Google searches can be trusted. However, there are a few signs that indicate if a search engine's page rankings are legitimate. Pay close attention to the domain (if a site is registered to India or China, be wary). Also, pay attention to the URL, and treat unknown or unfamiliar sites with a healthy dose of skepticism. When in doubt, go directly to a known site.

Myth No. 3: Users Can't Get Around Company Web Policies

Wanna bet? More and more users are circumventing an organization's security policies by anonymizing proxies, which make it easy for employees to get around Web filtering.

Users often set up their own private proxies at home that enable them to surf the Web freely without fear of reprisal, while also making it easy for them to circumvent Web filtering policies and visit any site they like.

Meanwhile, hundreds of anonymizing proxies are being published daily in an attempt to keep ahead of Web security companies and corporate IT policies. All users have to do is simply Google "bypass Web filter" and take their pick from the more than 1.8 million ways to do this.

Meanwhile, unlike years past, many organizations can't simply crack down on social networking and other sites. More and more organizations are relying upon social networking and other Web services as business-critical applications. In fact, many organizations view social networking as a business accelerator. While a few years ago companies could easily pull the plug on the use of these sites, to do so now could potentially mean forfeiting opportunities to competitors.

Unfortunately, this fact is not lost on hackers. And along with the benefits of social networking comes copious risk, as hackers are increasingly taking advantage of these sites to distribute spam and malicious links designed to infect users with malware. Subsequently, most organizations will likely have to make a choice regarding the level of access their users will have to social networking sites and the level of acceptable risk they are willing to swallow to placate social networking users.

Myth No. 4: Only Porn, Gambling And Other Sketchy Sites Distribute Malware

If only that were so. But it's not so easy anymore. Hackers are continuing to hijack trusted, legitimate sites and infect them with malware in what are known as "drive-by download" attacks. Users have only to visit the site to become infected. Hackers take advantage of popular high-traffic sites to distribute malware to as many users as possible. Malware authors inject malicious code into popular sites and then take advantage of the high volumes of traffic to distribute malware and, not surprisingly, the majority of infected sites are ones that users trust and visit daily.

Predictably, attackers continue to take advantage of high-profile world events and other news to entice users to click on a link or visit an infected site. And as usual, most users will have no idea that they have been infected.

Myth No. 5: Apple Apps Are Much Safer From Security Threats Than Others

Not so much. Apple App malware is on the rise as the use of iPhones, iPod and iPad devices increases. In addition, security experts predict that Apple attacks will increase in the next few years as consumer devices, such as the iPhone 4, are more frequently used in the workplace.

Essentially, any malware exploiting a browser-based vulnerability on the iPhone or iPod Touch will work equally as well on the iPad, given that all three devices share a practically identical OS. And as with the iPhone, one of the most vulnerable attack vectors in the new iPad will be browser-based, which will likely subject the device to numerous WebKit vulnerabilities. In addition, security experts contend that they have seen malicious apps make their way into Apple's App Store.

Meanwhile, Apple prohibits any third-party software, including security software, from being installed on its mobile devices, which doesn't bode well for the iPad, considering its anticipated mass consumer appeal, security experts say.

Myth No. 6: Users Can Only Become Infected If They Download Files

Remember that thing we talked about—a "drive-by download?" These days, users only have to visit a malicious site to become infected. During the attack, hackers inject malicious code into the Web page content, which is automatically downloaded and executed within the browser once a user opens the page. Drive-by attacks are becoming more common in light of the fact that hackers have increasing access to exploit kits that leverage known exploits in the browser, operating system or plug-ins, designed to infect the computer and download more malware.

Attackers routinely lure users to these sites via social engineering schemes delivered via e-mail. Then they entice users to click on infected links. There are an unlimited number of ways users can become infected, without any intervention except viewing a Web page.
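A defender-side illustration of the injected content that Myths 4 and 6 describe, added here as an example and not part of the original CRN article: a small heuristic scanner that flags hidden iframes and off-site script tags in a page's HTML, the two elements most often planted on a hijacked legitimate site. The scanner class, its rules and the sample page (with `.invalid` placeholder hosts) are all constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Added example (not from the CRN article): heuristic scanner for the injected
# hidden iframes and off-site scripts that drive-by download attacks rely on.
HIDDEN_STYLES = ("display:none", "visibility:hidden")

class InjectedContentScanner(HTMLParser):
    """Collects suspicious iframe/script tags seen while parsing a page."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            # Zero/one-pixel or CSS-hidden frames are how injected exploit-kit landing pages hide.
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if tiny or any(h in style for h in HIDDEN_STYLES):
                self.findings.append(("hidden-iframe", src))
        elif tag == "script" and src:
            # An off-site script is not proof of injection, but it is what a reviewer wants flagged.
            host = urlparse(src).hostname
            if host and host.lower() != self.page_host:
                self.findings.append(("offsite-script", src))

def scan_page(html, page_host):
    """Return a list of (finding_type, src) tuples for the given page HTML."""
    scanner = InjectedContentScanner(page_host)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page: a trusted news site with two injected elements.
# The .invalid hostnames are placeholders, not real indicators.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="http://cdn.attacker.invalid/x.js"></script>
</head><body><h1>Daily News</h1>
<iframe src="http://exploit.invalid/kit" width="0" height="0"></iframe>
<iframe src="https://video.example.com/embed" width="640" height="360"></iframe>
</body></html>"""
```

Running `scan_page(SAMPLE_HTML, "news.example.com")` reports the off-site script and the zero-size iframe while leaving the site's own script and the visible video embed alone; the rules are a starting point for review, not a replacement for a real web malware scanner.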

Myth No. 7: Firefox Is More Secure Than Internet Explorer

Well, not quite. Surprise, but all browsers are equally at risk of attack. Why? Because all browsers provide a wide-open playing field for JavaScript execution, the programming language of the Web. Subsequently, all Web browsers are susceptible to malware attacks exploiting JavaScript vulnerabilities. In addition, many exploits leverage third-party browser plug-ins such as Adobe Acrobat Reader software, which is applied to all browsers. As the more popular Web browser, IE is likely a bigger target by hackers wanting to get the biggest bang for their buck and is also subject to more publicity about security vulnerabilities.

However, it's the unpublicized exploits users should be most concerned about, primarily because they're more likely to fly under the radar and less likely to be addressed or repaired in a timely manner. The fact is, there is no safe browser. And according to security research firm Secunia, Firefox was actually significantly less secure when compared to other browsers, receiving the highest number of browser exploits in 2008.

Myth No. 8: A Web App Is Secure If It Has That Lock Icon In The Corner

The lock icon indicates there is an SSL encrypted connection between the browser and the server to protect personal sensitive information from interception by external threats. The lock icon is often used by sites transmitting sensitive financial or personal information to verify that it is legitimate. However, that little symbol does not necessarily indicate the absence of information-stealing malware.

Meanwhile, some malware can exploit vulnerabilities to spoof SSL certificates, impersonate legitimate sites and trick the user into submitting sensitive information to a malicious site. Hackers spoof the SSL symbol in elaborate phishing schemes that replicate bank, credit card or PayPal sites, which are challenging, if not impossible, for the average user to identify as fraudulent. As such, the infamous padlock icon could potentially provide a false sense of security, representing one more way for hackers to take advantage of users.

Myth No. 9: Links Sent From Facebook 'Friends' Are Safe

Did that message from your best Facebook friend seem a little weird the other day? It read something like, "Hey, I caught you in a video. Check it out," along with an embedded link. It was impossible to resist, so of course you clicked. But when you did, it linked you to a weird landing page where nothing happened.

Chances are your real Facebook friend had nothing to do with this. These kinds of attacks—called spoofing attacks—are becoming more common on popular social networking sites. Hackers will hijack a user's social networking account and then gain entry to their contact list to distribute spam or malware. Which means that sometimes, you can't even trust that your friends are your friends.

In general, view all links delivered on social networking sites with skepticism, and avoid clicking if there's even a shadow of doubt it wasn't sent by your friends.

Myth No. 10: Social Networking Sites Are Safe Because Only 'Friends' Are Included

In recent years, social networking sites such as Facebook and Twitter have exploded in popularity. But security levels have failed to keep pace with their rocketlike success. All you have to do is read the news to find out about the latest worm or security threat on Facebook.

True to form, hackers are capitalizing on the explosion of social networking use, leveraging the trust that users have on the network to launch malicious attacks. In fact, hackers are routinely launching spoofing attacks—impersonating a user's profile—to entice other users to click on malicious links and download malware onto their computers. And while users might have developed a healthy amount of skepticism when opening attachments and links delivered via e-mail, that same skepticism has yet to translate to social networking sites.

As such, Facebook and other social networking users should exercise caution when clicking on links and opening videos on these sites—even if they're sent from someone the user knows and trusts on their network.

No. 1 rule of thumb—don't put anything on social networking sites that you wouldn't want exposed to the world, because chances are one day it will be.


Posted with permission from August 24, 2010. CRN, United Business Media LLC. Copyright 2010. All rights reserved.

