...b sites and increasingly robust tools screen for common phishing tactics. But it's still important to have your guard up. Some exploits may be so new that they haven't made it into screening systems (so-called zero-day exploits). Never click on a link or download a suspicious, unexpected enclosure without verifying the authenticity of the sender. If something looks suspicious, don't implicitly trust the "from" link in an e-mail. It's possible that the e-mail address has been spoofed (faked) or that it was sent via a colleague's compromised account. If unsure, contact the sender or your security staff. Also know how to read the complete URL to look for tricks. Some firms misspell Web address names (http://wwwyourbank.com—note the missing period), set up subdomains to trick the eye (http://yourbank.com.sneakysite.com—which is hosted at sneakysite.com even though a quick glance looks like yourbank.com), or hijack brands by registering a legitimate firm's name via foreign top-level domains (http://yourbank.cn). A legitimate URL might also appear in a phishing message, but an HTML coding trick might make something that looks like http://yourbank.com/login actually link to http://sneakysite.com. Hovering your cursor over the URL or an image connected to a link should reveal the actual URL as a tool tip (just don't click it, or you'll go to that site).

Figure 13.2 This e-mail message looks like it's from Bank of America. However, hovering the cursor above the "Continue to Log In" button reveals the URL without clicking through to the site. Note how the actual URL associated with the link is not associated with Bank of America.

Figure 13.3 This image is from a phishing scheme masquerading as an eBay message. The real destination is a compromised .org domain unassociated with eBay, but the phishers have created a directory at this domain named "signin.ebay.com" in hopes that users will focus on that part of the URL and not recognize they're really headed to a non-eBay site.

Web 2.0: The Rising Security Threat

Social networks and other Web 2.0 tools are a potential gold mine for crooks seeking to pull off phishing scams. Malware can send messages that seem to come from trusted "friends." Messages such as status updates and tweets are short, and with limited background information, there are fewer contexts to question a post's validity. Many users leverage bit.ly or other URL-shortening services that don't reveal the Web site they link to in their URL, making it easier to hide a malicious link. While the most popular URL-shortening services maintain a blacklist, early victims are threatened by zero-day exploits. Criminals have also been using a variety of techniques to spread malware across sites or otherwise make them difficult to track and catch. The technical openness of many Web 2.0 efforts can also create problems if schemes aren't implemented properly. For example, Mark Zuckerberg's Facebook page fell victim to hackers who used a hole in a Facebook API that allowed unauthorized status update posts to public Facebook fan pages. [G. Cluley, "Mark Zuckerberg Fan Page Hacked on Facebook: What Really Happened?" NakedSecurity, January 27, 2011.] APIs can allow firms to share services, collaborate, and enable mash-ups, but if code is poorly implemented it can also be an open back door where the bad guys can sneak in. Some botnets have even used Twitter to communicate by sending out coded tweets to instruct compromised machines. [UnsafeBits, "Botnets Go Public by Tweeting on Twitter," Technology Review, August 17, 2009.]
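The URL-reading advice above (the missing period, the look-alike subdomain, the brand under a foreign top-level domain, the anchor text that says one thing while the link goes elsewhere, the brand name buried in a path as in the eBay example) and the point about shorteners hiding a link's destination can all be turned into a small checker. The following is an added example written for this page, not code from the textbook or its publisher; the trusted-domain set, the shortener list, the placeholder host compromised-site.example and every sample input are constructed, and the "registrable domain" logic is a deliberate simplification.

```python
"""Added example (not from the textbook): a defender's checker for the
phishing-URL tricks the chapter describes.

inspect_link(href, text) reports why a link deserves suspicion: the brand
used as a look-alike subdomain, the brand under another top-level domain,
a misspelled/missing-period host, the brand name appearing only in the
path, anchor text that names a different site than the real target, or an
opaque URL shortener. All sets and sample inputs are constructed."""
import re
from urllib.parse import urlparse

# Hypothetical shortener hosts; bit.ly is the one the text names.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}
# Anchor text that itself looks like a URL or a bare hostname.
URL_LIKE_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)")


def registrable_domain(host):
    """Last two DNS labels: 'yourbank.com.sneakysite.com' -> 'sneakysite.com'.
    Assumption: no multi-part public suffixes (co.uk etc.); production code
    would consult the Public Suffix List instead."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def inspect_link(href, text=None, trusted=frozenset({"yourbank.com"})):
    """Return a list of warning strings; an empty list means the link's real
    target is a trusted domain and the anchor text (if any) does not lie."""
    warnings = []
    parsed = urlparse(href)                 # href must be an absolute URL
    host = (parsed.hostname or "").lower()
    if not host:
        return ["link has no host"]
    labels = host.split(".")
    domain = registrable_domain(host)
    path = parsed.path.lower()

    if domain not in trusted:
        for td in trusted:
            brand = td.split(".")[0]        # "yourbank" from "yourbank.com"
            if "." + td + "." in "." + host + ".":
                # http://yourbank.com.sneakysite.com is hosted at sneakysite.com
                warnings.append(f"look-alike subdomain: really hosted at {domain}")
            elif len(labels) >= 2 and labels[-2] == brand:
                # http://yourbank.cn: same name, different top-level domain
                warnings.append(f"brand registered under another TLD: {domain}")
            elif any(brand in lab and lab != brand for lab in labels):
                # http://wwwyourbank.com: missing period or misspelling
                warnings.append(f"look-alike host label in {host}")
            elif td in path or ("/" + brand) in path:
                # http://<compromised host>/signin.ebay.com/: brand only in path
                warnings.append(f"brand appears only in the path; host is {domain}")
        if domain in SHORTENER_HOSTS:
            warnings.append(f"{domain} is a URL shortener; destination is hidden")
        if not warnings:
            warnings.append(f"hosted at {domain}, which is not a trusted domain")

    # The HTML trick: visible text names one site, the href goes to another.
    if text:
        m = URL_LIKE_TEXT.search(text.strip().lower())
        if m and registrable_domain(m.group(1)) != domain:
            warnings.append(f"anchor text shows {m.group(1)} but link goes to {host}")
    return warnings


if __name__ == "__main__":
    # Constructed samples mirroring the chapter's examples.
    samples = [
        ("http://yourbank.com/login", None),
        ("http://wwwyourbank.com", None),
        ("http://yourbank.com.sneakysite.com/login", None),
        ("http://yourbank.cn", None),
        ("http://sneakysite.com", "http://yourbank.com/login"),
        ("http://bit.ly/abc123", "Continue to Log In"),
    ]
    for href, text in samples:
        print(href, "->", inspect_link(href, text) or ["looks genuine"])
```

The check keys on the registrable domain (the part of the host that was actually registered) rather than on whether the brand name appears anywhere, which is exactly the distinction the tricks above exploit. The two-label shortcut is good enough for .com and .cn but would misjudge hosts under suffixes like co.uk, which is why a real deployment should use the Public Suffix List.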
Social media can also be a megaphone for loose lips, enabling a careless user to broadcast proprietary information to the public domain. A 2009 Congressional delegation to Iraq was supposed to have been secret. But Rep. Peter Hoekstra tweeted his final arrival into Baghdad for all to see, apparently unable to contain his excitement at receiving BlackBerry service in Iraq. Hoekstra tweeted, "Just landed in Baghdad. I believe it may be first time I've had bb service in Iraq. 11th trip here." You'd think he would have known better. At the time, Hoekstra was a ranking member of the House Intelligence Committee!

Figure 13.4 A member of the House Intelligence Committee uses Twitter and reveals his locale on a secret trip.

Passwords

Many valuable assets are kept secure via just one thin layer of protection—the password. And if you're like most users, your password system is a mess. [F. Manjoo, "Fix Your Terrible, Insecure Passwords in Five Minutes," Slate, November 12, 2009.] With so many destinations asking for passwords, chanc...