BOOT CAMP 312 (13/02/04)
HIDDEN PERILS
I don’t want to alarm you but… If you’ve followed the many Boot Camp features on computer security over the past few years then your PC should now be well protected against viruses and hackers with a regularly updated virus scanner and a Firewall. Hopefully you will also have installed software to purge your computer of spyware, adware, Trojans and hidden log files tracking your web surfing activities, and don’t forget the Spam filter and pop-up stopper. If you are using Windows XP, you should have switched off the Messenger Service and you never, ever, open unexpected and unsolicited email attachments, so you should be fairly safe, right?
Needless to say you are not, and here are two new words to add to your growing vocabulary of computer security threats: ‘Phishing’ and ‘Spoofing’. Phishing – pronounced fishing (and no, I don’t know why it is spelt with a P…) – is the practice of luring unsuspecting Internet users to phoney or ‘spoof’ web sites to obtain PIN numbers, passwords, credit card details etc. Spoofing, or to give it its full name Internet Protocol or IP Spoofing, exploits a loophole in Internet Explorer so that a fake or spoofed site displays an authentic-looking web address.
Spoofing is now reaching epidemic proportions and you may already have received emails purporting to come from PayPal, American Express, Visa, Barclays and other well known Banks, Building Societies and credit card companies. The email may have all the hallmarks of a genuine message, with a logo, official-sounding wording, contact details and web addresses. The message usually says that your account is about to expire, or that the company is introducing new security measures and needs to renew your password or check a statement, and you are invited to click on the link to take you to the company’s web site.
Hopefully by now most Internet users know that legitimate organisations never ask their customers for PINs and passwords except in a secure and encrypted login window, but how do you tell? The trouble is that anyone fooled by a phoney email into clicking on the link to take them to the company web site may be further tricked by IP spoofing into believing they are on a genuine web site.
Normally when you visit a web site the address is clearly displayed, which, until recently, has provided a quick and easy check for a site’s authenticity. However, if the address has been spoofed all you will see is the genuine-looking part, e.g. www.visa.com, but what you won’t see is the rest of the address that directed your browser to the fraudster’s web site. By inserting combinations of characters and symbols after ‘.com’ the rest of the address is hidden. The full address could look something like this: www.visa.com%01@inickyourcash.com, but all you see is www.visa.com.
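As an added illustration (not code from the original column), here is a small Python check that pulls the real destination out of a link of the kind described above and reports why it should not be trusted. It uses only the standard library; the column’s own sample address is included as input, and the other two sample links are constructed for the example.

```python
"""Added example: find the host a browser will really connect to and flag
the user@host address trick described in the column.

In a URL, anything between '://' and an '@' is 'userinfo' (a user name and
optional password), not the site. The familiar name in the column's sample
address sits in that userinfo part; the browser connects to what follows
the '@'.
"""
from urllib.parse import urlsplit, unquote


def _with_scheme(url: str) -> str:
    """urlsplit() only recognises a host when a scheme is present."""
    return url if "://" in url else "http://" + url


def real_host(url: str) -> str:
    """Host the browser actually connects to (lower-cased, without port)."""
    return urlsplit(_with_scheme(url)).hostname or ""


def spoof_indicators(url: str) -> list[str]:
    """Reasons to distrust a link; an empty list means nothing suspicious."""
    parts = urlsplit(_with_scheme(url))
    userinfo, at, _ = parts.netloc.rpartition("@")
    findings: list[str] = []
    if not at:
        return findings
    decoded = unquote(userinfo)  # turn %01 into the control byte it encodes
    findings.append(
        f"'@' in address: browser connects to {parts.hostname!r}, "
        f"not to the {userinfo!r} shown first"
    )
    if "." in decoded:
        findings.append("userinfo is shaped like a domain name (lookalike)")
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in decoded):
        findings.append(
            "userinfo contains control characters that can truncate "
            "what the address bar displays"
        )
    return findings


# Constructed samples: the column's own spoofed address plus two
# addresses that carry no lookalike trick, for comparison.
SAMPLE_LINKS = [
    "www.visa.com%01@inickyourcash.com",
    "https://www.visa.com/",
    "https://user:secret@example.net/login",  # userinfo, but not a lookalike
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", real_host(link))
        for reason in spoof_indicators(link):
            print("   ", reason)
```

Run as a script it prints each link with its real host and the reasons it was flagged; the column’s example resolves to inickyourcash.com and trips all three indicators, while the genuine Visa address trips none.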
Providing you keep your wits about you the chances of being caught by a spoof web site are small. The con is obvious if you have no dealings with the company since, like Spam, these messages are sent indiscriminately. Nevertheless, some of them can be very convincing and it’s easy to absent-mindedly click on a link. One simple way to avoid the more obvious spoofs is to display all emails in plain text. You won’t be fooled by logos, and web address links will be displayed in full, showing the hidden portion. To do that in Outlook Express go to Tools > Options, select the Read tab and check the item ‘Read all messages in plain text’.
If you find yourself on a website asking for a PIN or password – even if you are visiting the site intentionally and typed in the address – always carry out a couple of basic security checks before you enter any information.
Look for the SSL Secure Login symbol, which appears on the Status bar at the bottom of an Internet Explorer browser window (and most other browsers). There you will see a small yellow padlock icon. If the padlock is open the site is non-secure and you should not divulge any sensitive information. If the lock is closed the site should be secure and any data you key in will be encrypted, but before doing so double-click the padlock to display the site’s security certificate. The address or domain the certificate was issued to should match the name shown in the browser’s Address box.
The moment you visit a web site the address is entered into the browser History. If you open the History list and hover the mouse pointer over the entry the full web address will be displayed, and this should match the one showing in the browser address window. If a web page you have linked to fails any of these tests, leave straight away. If for any reason you want to visit the site, enter the address manually.
Finally, see Tip of the Week to check your browser’s vulnerability to spoofing.
Next week – Spring Clean & Upgrade
JARGON FILTER
FIREWALL
Program that monitors an Internet connection, preventing unauthorised access by hackers and stopping programs sending data from your PC
SSL
Secure Sockets Layer, a powerful encryption system used to send data and information, like credit card details, over the Internet
SPYWARE
Program, usually put onto your PC after visiting a web site, that makes use of your internet connection – without your knowledge or permission – to send data back to its parent site
TIP OF THE WEEK
There’s a quick and easy to use spoof ‘tester’ at: http://www.secunia.com/internet_explorer_address_bar_spoofing_test/
You will probably find that Internet Explorer fails the test miserably and, at the time of writing, Microsoft had yet to release a patch. There are several third-party fixes floating around the Internet but at least one of them contains adware components. My preferred solution is to change to a spoof-proof browser, like Avant Browser. It is freeware and has many useful extras, including a built-in pop-up stopper and tabbed windows; it can be downloaded from: http://www.avantbrowser.com/