How Secure Are You On The Internet?
Malware on the web has exploded in recent years. Malicious organizations and users have moved from the Windows operating system to the web as their main target, and with great success. When you look at the operating system in past years, you will notice that Microsoft has improved its security considerably, thanks to automatic updates and additional free security tools.
There are two main attack vectors on today's Internet: first, the programs that users rely on to connect to websites, and second, user ignorance, carelessness and a lack of security sense.
Inexperienced users fall prey to attacks at a much higher rate than experienced users. Even commonly known security best practices, like making sure that an Internet browser is updated when the developer releases a new security patch, are often applied so late that attackers have ample time to exploit issues that have already been fixed.
But it is not only the technology that is making attacks successful. It is also the users. Phishing, for instance, has been a problem on the Internet for more than a decade. One would think that users would have learned to identify phishing emails by now, but that's not the reality. People fall for phishing attacks on a daily basis. Looking at the root causes would go beyond the scope of this article, but it is likely that ignorance plays a large part in this.
Let's go back to the browser for a moment. Most users know that they have to upgrade the browser when a new version comes out. Most browsers come with automatic update checks and installations these days. Only Google Chrome updates without user interaction; the other browsers, at least for now, display the update notification and give the user the option to run the update. If users opt out, they leave their browser insecure if the update fixed security issues.
Do you want to know how your browser compares to others? Sites like Browserscope allow you to run tests and compare the results with other versions of the same browser and Internet browsers from other companies.
Let's assume you have updated your browser to the latest version, and that you generally update the application immediately when a new version comes out.
You are secure now, right? Nope, you are not. Why? Because it is not only about the browser software. Browsers make automatic use of other applications, commonly called plugins. Popular plugins like Adobe Flash, Microsoft Silverlight or Java are attack vectors as well, and successful ones too.
If you fail to update the plug-ins that are enabled in the browser, you are still prone to attacks. That's why companies like Mozilla have started to integrate plug-in checks into the browser to inform the user about updates.
But you are secure when you update your operating system, browser and plugins whenever they are updated, right? Wrong again. Two attack vectors remain: first, the user, and second, software vulnerabilities that have not been discovered or fixed yet. (There are actually more if you consider the local network as well. The computer could have a virus, for instance, that could render all browser security pointless. Local area network attacks are another vector.)
A browser cannot help a user who enters a credit card number, verification code and social security number in a web form on a site like paypal.com.sxrixxree.cn. Browsers could block the web address if it has previously been identified as a phishing website. If it has not, it is up to the user to come to that conclusion.
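The check the user has to make for an address like the one above can be written down as code. The following is an added example, not part of the original article: it reads a hostname from right to left to find who actually owns it and flags a protected brand that appears only in the subdomain labels. The suffix set, the protected list and the function names are assumptions made for this illustration; a real checker would load the full Public Suffix List.

```javascript
// ASSUMPTION: tiny constructed subset of the Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "cn", "org", "net", "co.uk", "com.cn"]);
// ASSUMPTION: constructed list of domains the checker protects.
const PROTECTED_DOMAINS = ["paypal.com"];

// Return the registrable domain (public suffix plus one label), or null
// when the host is itself a public suffix or uses an unknown suffix.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  // Try the longest candidate suffix first so "co.uk" wins over "uk".
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// Classify a URL as genuine, deceptive, unrelated, unknown or invalid.
function classifyUrl(urlString) {
  let host;
  try {
    host = new URL(urlString).hostname; // lowercased by the URL parser
  } catch {
    return { verdict: "invalid" };
  }
  const owner = registrableDomain(host);
  if (owner === null) return { verdict: "unknown", host };
  if (PROTECTED_DOMAINS.includes(owner)) return { verdict: "genuine", host, owner };
  // The owner is someone else: does a protected domain appear as a run
  // of whole labels anywhere in the host name?
  const dotted = "." + host + ".";
  const imitated = PROTECTED_DOMAINS.find((d) => dotted.includes("." + d + "."));
  return imitated
    ? { verdict: "deceptive", host, owner, imitated }
    : { verdict: "unrelated", host, owner };
}

// Constructed sample inputs; the first host is the one from the article.
for (const u of ["https://paypal.com.sxrixxree.cn/login",
                 "https://www.paypal.com/signin",
                 "https://example.org/"]) {
  console.log(u, JSON.stringify(classifyUrl(u)));
}
```

For the article's address the owner comes out as sxrixxree.cn, with paypal.com only a pair of subdomain labels in front of it.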
Browser developers are trying to automate security as much as possible, especially for users who do not know a thing about it. But even with all that automation, it boils down to the individual user in the end. Tech savvy users know that everyone should have at least a basic understanding of security to avoid the dangers on today's Internet. The reality on the other hand looks grim, and it does not look like it is going to change anytime soon.
How do you cope with the dangers on today's Internet? Do you try to educate family and friends, or have you given up on that?
I know you don’t agree Martin, but I am opposed to constantly updating everything.
Not only do I think that it is not necessary if you are reasonably experienced and careful on the internet, but you also spare yourself a lot of hassle, as often those updates secretly install some unwanted elements (Java, .NET, …) that I always waste lots of time to kick out again.
Secunia is a very useful tool that I recommend highly. It monitors installed programs and plugins and can auto-update if you desire.
Unfortunately no browser is immune from vulnerabilities that can be potential exploits, so it is always for the best to keep up to date with not only your browser but all your applications and the underlying OS as well. I highly recommend FileHippo Update Checker to keep watch on latest updates.
Or else just run your browser inside Sandboxie, Geswall, Buffer Zone Pro, etc. and be worry free, yes it's as simple as that. Other things I highly recommend for protecting login credentials in the browser are to always use sites over HTTPS and to use something like Trusteer Rapport, Bitdefender Traffic light, etc.
Safe surfing and
Even if you run it sandboxed, it is still possible to exploit the user directly.
Ah I see what you are trying to mean here Martin, Social engineering right!
Well didn’t they say something about human stupidity ;)
Fake AV’s peddlers are making a killing (talking about billions of dollars) all thanks to that crucial human element.
I was basically talking about browser security, not the complete Internet Security as a whole, since browsers are what most malware, exploits, et al. make use of as one of the standard entry points.
Personally I don’t trust the network at all.
Between us we both (I’m sure you as well) know how to use a layered (many) security approach properly ;)
I try to steer friends and family away from using Windows. For simple tasks such as browsing, emails, music, video... I recommend using iPads. For more intensive usage I recommend Linux.
“The reality on the other hand looks grim, and it does not look like it is going to change anytime soon.” Totally agree Martin, the problem is many people just don’t care two hoots about security – even if it hits them in the pocket after they have been hacked/infected/phished.
I deal with home users daily and still try to educate them but it seems a losing battle – if it means not being able to do what they like (torrents/dodgy sites etc) or lifting a finger to update their computer or ban their kids from installing rubbish I may as well be whistling in the wind…
Some people seem to almost take pride in knowing nothing about computers – and not wanting to. Still, keeps me in a job!
I have long given up on the majority of users. I try my best to keep my family’s computer systems safe but that’s as far as I go these days. It is funny that you can get them to use better software easily as long as it works the way they want it. Then again, I’m lucky that all my parents do for instance is emailing, research and some light shopping.