Stop making it so easy to be attacked online
Simplifying, beautifying, and streamlining our lives leads to significant security risk.
For most of us, having pictures come up automatically when browsing the Web is standard. Getting e-mail in HTML format is normal, and setting our phones to automatically sync up with Wi-Fi and Bluetooth is natural. After all, these are technical innovations that allow our electronic lives to be beautified and streamlined so we'd be crazy not to use them. Or would we?
Many of the most potent cyber attacks reach us through these modern conveniences, such as HTML formatted mail, auto-sync wireless connections, and default passwords. While it's very hard to stop all of these attacks from getting in, one of the most effective methods of defense is to step back from some of these conveniences and insert yourself back into many of these processes.
If a hacker website asked you to open up an image to initiate Cross Site Request Forgery (CSRF) attacks and start sending information out on your behalf, would you open it? Of course not. But if your Facebook page displayed an image that was a disguise for a CSRF attack, and you have your settings set to auto-display pictures -- you have just launched this attack! This fall a piece of malicious code with a picture of a scantily clad woman spread through Facebook, known as the 'Bikini malware.' This scam could potentially work the same way on any web site that displays images.

How does your e-mail look these days? Is it pretty, with all the right formatting, fonts, and graphics? If so, you are seeing what they want you to see, not what's really in the e-mail. By setting your e-mail client to display HTML formatted messages, you are in effect telling your computer that all the e-mail you receive is 'safe', which is never the case with spam and other malware these days. While HTML will display pictures in many formats (usually chosen to put you at ease or convince you of something), the raw text can be a URL linking directly back to a malicious site -- even a known .ru (Russian) or .cn (Chinese) malware server farm.
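The two points above (an image tag that silently fires a request on your behalf, and an HTML mail whose pretty rendering hides where its links really go) can be checked by reading the raw HTML instead of the rendered view. The following added example, not code from the original article, does that: it lists every image source and link target in a message, and flags image requests that leave the sender's site or carry parameters, and links whose visible text names a different host than the real target. The sample message and the domain names in it are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkExtractor(HTMLParser):
    """Collect <img src> values and <a href> targets with their visible text."""

    def __init__(self):
        super().__init__()
        self.images, self.links = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.images.append(a["src"])
        elif tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []

    def handle_data(self, data):
        if self._href is not None:          # text shown inside the current <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _same_site(host, domain):
    return host == domain or host.endswith("." + domain)


def audit_html_mail(body, sender_domain):
    """Return (finding, detail) pairs describing where the rendered mail really points."""
    p = _LinkExtractor()
    p.feed(body)
    findings = []
    for src in p.images:
        u = urlparse(src)
        host = u.hostname or ""
        if host and not _same_site(host, sender_domain):
            findings.append(("image-offsite", src))
        if u.query:                          # an image URL with parameters may be an action, not a picture
            findings.append(("image-with-parameters", src))
    for href, text in p.links:
        host = urlparse(href).hostname or ""
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if host and not _same_site(host, sender_domain):
            findings.append(("link-offsite", href))
        if "." in shown and shown != host:   # visible text names one host, href goes to another
            findings.append(("link-text-mismatch", f"{text} -> {href}"))
    return findings


# Constructed sample message claiming to come from bank.example.com (a made-up domain).
SAMPLE = """<html><body><p>Your statement is ready.</p>
<img src="http://tracker.example.net/open?u=4711">
<a href="http://login.example.net/">https://bank.example.com/login</a>
<a href="https://bank.example.com/help">Help</a></body></html>"""

if __name__ == "__main__":
    for finding, detail in audit_html_mail(SAMPLE, "bank.example.com"):
        print(f"{finding}: {detail}")
```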
It's not just your computer that's at risk either. When you set up your smart phone to automatically sync with 'known' Wi-Fi SSIDs, you will then automatically sync with any network called 'Linksys' or 'D-Link' or 'Free Wireless', and these connections can be used to inject hostile code into your phone. Also, most users never bother to change the default Bluetooth access code from '0000', meaning that most hackers don't even have to guess anymore to listen in. And don't think iPhones are immune anymore either. For any of you who have 'jailbroken' your iPhone to allow it to work more efficiently and run more programs, there is now a fast-spreading exploit that attacks through your Wi-Fi port, as long as you have turned off key security features by jailbreaking your phone.
We are often our own worst enemies when it comes to protecting our cyber infrastructure. Choosing simple passwords, automatically displaying pictures from unknowns, automatically running HTML code from unknown e-mailers, and jailbreaking our phones open us up to widespread attacks. So you might want to think about choosing more complex passwords (beyond 0000), turning off the switch in your browser that auto-loads images (it runs faster, and you can always open any pictures that you really trust and want to see), turning off the HTML format switch in your e-mail program (it's kind of interesting to see all the blatant malware you receive without its dangerous cover), and turning off the auto-discover switch for wireless connections (it won't kill you to ask for a connection when you really want one).
By stepping back a bit, I suspect you'll find that the benefits of being much more secure significantly outweigh the costs of the few extra steps you take to surf the web.
Tom Patterson is the Chief Security Officer for MagTek, the leading secure transaction technology provider to the global financial community, and is leading the Campaign to Wipe Out Counterfeit Card Fraud (http://www.nocardfraud.com/).
