This article appeared in the July/August 2010 issue of Writer’s Journal.
Dateline: January 12, 2010. Google announces that it, along with 34 other companies, was on the receiving end of a Chinese government-backed hack attack. Dateline: February 18, 2010. Herndon-based NetWitness reports that more than 75,000 computers in 2,500 companies have been infiltrated by the Kneber bot, a cyber attack by an Eastern European private ring that compromised log-in credentials, credit card information, emails, and proprietary corporate data.
You might be thinking, “Well that’s between the large corporations and the Chinese government and what does that have to do with me?”
Well, now is a good time to talk about your own cyber security because this hack does affect you. One of those 34 companies was Adobe, the company responsible for Acrobat PDF reader, and for all those Flash movies you know and love. Google reported that the Chinese government stole intellectual property while it tried to get access to Gmail accounts. Adobe didn’t say what was stolen, but it’s a good bet that China was interested in the code that drives Acrobat and Flash. Access to this would allow them to discover vulnerabilities in both those popular programs.
Add to that, the attacks exploited a vulnerability in Internet Explorer along with a lot of social engineering. For those of you who aren’t familiar with the term, “social engineering” is the science of getting human beings to give you information that will allow you to access their sensitive data. Let me illustrate this with a story about what happened to Google.
Social Engineering and Operation Aurora
Google has offices in China and also has a hate-hate relationship with the Chinese authorities over censorship. Operation Aurora had inside help from Chinese employees at Google. What they did was create a website that, when visited using Internet Explorer, would install a little program (called a “Trojan”) on the visitor’s computer. This little program would run in the background and allow the bad guys to remotely take control of the infected system. The way they got people to go to the website was to send out an email to the administrators at Google with a link and instructions that the company had business with the site in question. That last bit is the social engineering part. Kneber bot also relied heavily on tricking people into clicking on email links and opening email attachments.
China’s been cyber attacking the world ever since it was just a little cyber. Until recently, the primary focus has been on military and government systems, or those with potentially sensitive information from a national security standpoint. This latest attack differed in that it was aimed at business instead of government.
Now before you write this off and say that your personal system is not of any interest to the Chinese or to Eastern European underworld rings and therefore you’re immune, let me mention that the hack vulnerabilities used by Operation Aurora and Kneber bot are now a part of the general hacking tools—which means that anyone, anywhere, for any reason can attempt to exploit them. Trojans have been around as long as computers, and there’s a good chance you’ve picked up one at some time in your email or Internet browsing tenure. The lesson from Google is that even people who are aware of the possibilities and are in the habit of questioning the email links and attachments they receive can be fooled. In this case, they trusted the email sender enough to click on the link.
It’s a Matter of Trust
The processes that the Internet draws its functionality from date back to 1960s universities. As frightened as everyone was of imminent nuclear destruction, the general population, and universities in particular, still believed in honesty and honor. As foolish as this may sound, the Internet and all its components (email included) function on a 50-year-old system of trust. It’s trust that makes SPAM possible and trust that has created the need for “blacklists” and “whitelists” and “firewalls” and CAN-SPAM legislation.
Social engineering includes everything from clandestine breaking and entering (to steal passwords, credit card numbers, social security card numbers, etc. from people’s desks or even the garbage) to pretty PowerPoint presentations that deliver entertainment while robbing you blind. I have a working theory that the bulk of those Viagra or golf ball SPAM emails with links that we all get were actually tests to see what people would click on so the messages could be refined into fake Bank of America or eBay account termination notices.
Before you unplug your computer and throw your hands up at the entire Internet mess, take a step back and consider that there are a great many things you can and should do to make your Internet experience a pleasant one.
Minimally, you should update your Internet Explorer to the latest version (8) and keep it up to date so all the latest security patches are applied.
You can also install an anti-malware program like McAfee, which will run in the background and ask you sensible questions like, “Do you really want to open that?” You can also do an active run of the software to detect corrupt files on your system and neutralize them.
Ultimately, it’s a good time to remember the basics:
- Change your passwords regularly and use strong passwords. Do not use your pet’s name, street address, God, Jesus, or any variation of your own or your child’s/grandchild’s name. Choose something memorable to you, but not traceable to you. Here’s an example of a good password: LiteratureLover!66. This is a good password because it includes both upper and lower case letters, a symbol and a number. Do not use the same password for everything.
- Backup, backup, backup. Make CD, external hard drive, or flash drive back-ups of your data and keep these in a fireproof safe. If you have a trusted relative, leave a copy with them.
- If it’s important to you, treat it as important! This may mean not making it available on the Internet at all. Perhaps your sensitive data will be handled on a separate computer from your email and Internet browsing.
- Let your technical help know about “odd” behavior. Sometimes it points to security issues that need to be addressed.
When selecting IT help or a web designer/developer, choose the person or company carefully. In order for them to do their job, you have to trust them with the username and password to your web registrar and host. This might also mean the password to your email account as well. This gives them the power to install anything they want onto your website, or even hijack it completely. Make sure that your credit card is billed for the domain name and hosting services. Ideally, you’ll set up the account yourself. If you need shopping cart features, you’ll also end up trusting this person with your credit card number and even your bank account number. Get references.
Mac People, Don’t Get Cocky
Just because you only comprise 10% of the computer-using population and government and military systems are on PCs doesn’t mean that you’re immune to Trojans and malware. Mac’s proprietary software makes crafting hacks harder, but there are approved Mac coders in the private sector (think of all those iPhone apps). Practice safe Internet at all times.
Email Social Engineering
We’ve talked about SPAM and tricky emails sent to you by the bad guys, or by bad guys posing as friends, but there is one more place Trojans can come from and that is your friends themselves. I’m not accusing your friends of malicious intent. The friends that I’m warning you about are the ones that constantly forward you links or attachments with cute or entertaining content.
Rule #1: Never click on any link they forward to you. If you feel the sender is a discriminating individual and careful about the things they forward, copy and paste the link into a web browser. The reason is that the link you see displayed in the email might be coded to take you someplace else entirely.
Rule #2: Never open a file with a .exe ending. A .exe is an executable file which means it’s going to run a program when you double-click on it. You’d better intimately trust the sender and call them first to make sure they really sent it to you before you open one.
Rule #3: Never open an unsolicited PowerPoint attachment. Like .exe files, PowerPoint allows people to program in scripts that run upon opening the program.
Rule #4: Come to think of it, don’t open anything you don’t know the source of.
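For readers with a technical helper on call, here is Rule #1 as an added example (not part of the original article): a short Python check that reads the HTML body of an email and reports links whose displayed address names a different site than the one the link actually opens. The sample message, the host names, and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body of a forwarded HTML email (hosts are documentation placeholders).
SAMPLE_HTML = """
<p>Too cute! <a href="http://203.0.113.9/view">http://www.example.com/kittens</a></p>
<p>Also <a href="http://www.example.org/story">www.example.org/story</a>
and <a href="http://www.example.net/">read more</a>.</p>
"""

def host_of(value):
    """Return the lowercase host if value looks like a URL, else None."""
    value = value.strip()
    if value.lower().startswith("www."):
        value = "http://" + value  # bare "www.site/path" text, as mail clients show it
    return urlparse(value).hostname if "://" in value else None

class LinkAuditor(HTMLParser):
    """Records links whose displayed text names a different host than the href."""

    def __init__(self):
        super().__init__()
        self.href, self.text, self.mismatches = None, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            shown = "".join(self.text).strip()
            shown_host, real_host = host_of(shown), host_of(self.href)
            # Plain wording such as "read more" hides the target but claims no host,
            # so only text that itself looks like a URL is compared.
            if shown_host and real_host and shown_host != real_host:
                self.mismatches.append((shown, self.href))
            self.href = None

def disguised_links(html):
    """Return (displayed text, real destination) pairs for disguised links."""
    auditor = LinkAuditor()
    auditor.feed(html)
    return auditor.mismatches
```

Calling `disguised_links(SAMPLE_HTML)` reports only the first link, the one that shows www.example.com but opens 203.0.113.9; the comparison is by exact host name, so it errs on the side of flagging.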
Privacy and the Internet
I’ve mentioned in previous articles the importance of keeping the personal information you share on the Internet to a minimum. However, there are sneaky-insidious ways companies are tracking you right now. Pleaserobme.com gives a good demonstration of how the GPS in your phone or car is giving out TMI (too much information) about you.
Companies like Google, Twitter, and Facebook have looked into offering fully targeted coupons delivered to your phone from businesses near where you’re located—now. Real-time, personally targeted advertising.
On the subject of Facebook, they’re in the process of making huge changes in what they offer up to whom, so check your security settings often to make sure only what you want to share is available. Do the same with all of your Social Networking efforts.
Now, take a deep breath and exhale slowly. This is not a panic situation. This is a reminder to stay sharp and practice basic safety measures. You wouldn’t jog alone in the woods at night, and you wouldn’t light a candle and set it next to the drapes. Your parents didn’t know about Internet safety so they couldn’t drill it into you like they did, “don’t talk to strangers,” or “don’t lick the car.” Luckily, Internet security measures aren’t rocket science. Take a few precautions and remain vigilant and you’ll be fine.
- McAfee on Operation Aurora
- Microsoft Security Advisory (979352) Vulnerability in Internet Explorer Could Allow Remote Code Execution
- More than 75,000 computer systems hacked in one of largest cyber attacks, security firm says (Washington Post, February 18, 2010)
- Internet Explorer 8
Angela Render is an author who has been designing and developing websites for over a decade. With free-lance editor Ally Peltier, she is offering her first ever one-day seminar: Self Publishing Success Intensive.