Sunday, January 4, 2009

I can't believe I have to say this...

I assume everyone around me has the same thoughts, background, and experiences as myself, buzzing around in their heads. I'm always amazed when I discover this isn't true. Note the sarcasm. I just noticed something disturbing in a demographic I wouldn't have expected to see it in: Twitter. Twitter is a niche marketplace with tech savvy users (or at least it used to be). However, evidence of Twitter going mainstream just hit me in the face. Twitter just blasted a front-page service warning to users about a phishing scam some of their users have seen, and fallen victim to. I was taken aback to my days at AOL when corporate communications felt it prudent to internally educate employees about phishing scams. I knew I was in trouble when I saw one of the Internet's supposed powerhouses having to educate its employees about such a topic.

I can't believe I have to say this, but... dear latest-web-generation, understand the risks around you, as well as how to avoid falling victim to scams, while reading email and web browsing.

Here are my general safety/security rules of thumb that apply to surfing anything running in a browser (webmail, shopping, browsing, whatever). I should disclose that my world view is confined to Mozilla based derivative technologies such as Firefox and Thunderbird, though there are generally equivalents to these tips/techniques for IE.
  1. Pay attention. There's no super secret amazing technology that lets a wrongdoer steal your information magically. Computers, the Internet, and email are surprisingly secure. 99 times out of 100, if someone lost information, it was because they weren't paying attention: they clicked a link they weren't supposed to and exposed themselves to some form of phishing or a bug exploit, or they downloaded software they shouldn't have.
  2. Use a decent password. Something like 2/3's of all MySpace account passwords are the word "password." You can guess the quality of the remaining 1/3rd.
  3. Clicking on links, even "evil" ones, is ok; it's what you do once you've arrived at the final destination that can get you into trouble. Every now and then someone exploits a browser security hole and gets you to go to the webpage that does the exploiting, but these are very rare. Related to #1, pay attention on every page you're on.
  4. Never give a web page information if something (e.g. an email from your "bank") directed you to the page to do so. The old-world equivalent of this rule is "never give your social security number to someone who calls you on the phone." There is never a legitimate email or web-page that asks you for personal information of any kind if it initiated the exchange; 99 times out of 100 it's a scam. Giving web-pages your information is perfectly secure, as long as you initiated the exchange. For example, if you get an email suggesting your account information is out of date, guess what: it's not, and someone's trying to scam you. If your account information is out of date, you'll find out on your own terms; only update account information under those circumstances. Legitimate services' privacy policies and terms of service clarify that they will never ask for your personal information, under any circumstances; that's all you need to know.
  5. Always notice the fully-qualified-domain-name of a web-page you're about to enter information into. If it's not where you think you should be entering information; don't. Just pay attention to the domain name; 99 times out of 100, that's enough. For example, http://paypal.services.com is bogus. http://services.paypal.com is valid.
  6. Always ignore graphics and text in a web-page that say things like "this page is secure." The only thing that guarantees encrypted security of data transmission is an https URL (e.g. https://your-bank.com). Be aware of your browser's encryption/security UI elements and features, and look out for those. I have never seen a browser exploit that fooled the base-level ssl certificate UI; trust your browser.
  7. Hover over a link to determine where clicking it will take you. If the hovered link isn't where you want to go, don't bother clicking on it. I suspect there are some cute DOM tricks to obfuscate where clicking a link will take you, so to be really sure about where clicking a link will take you, select the link text (note, that's different from a click), right-click it, then select "view selection source" from the context menu. From there, you'll see the actual href that will be navigated to upon click.
  8. If you're generally suspicious/interested, install Live HTTP Headers for Firefox based browsers, or HTTP Watch for IE, and watch/block the traffic you don't want. Firefox 3.1 (finally!) supports native HTTP header interrogation as well. Just view the page info (Tools->Page Info) and click the "Headers" tab.
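Rules 5 and 6 boil down to two mechanical checks on the URL in the address bar: is it https, and does the fully-qualified host actually belong to the domain you meant to visit? The following Python is an added example (mine, not from the post) that makes those two checks explicit; the domain names in it are constructed samples, and the "last two labels" rule is a deliberate simplification of what a browser does with the Public Suffix List.

```python
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Approximate the 'site' a host belongs to as its last two labels.

    Simplification (assumption): a real check consults the Public Suffix
    List so that, e.g., a host under co.uk is not reduced to 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def safe_to_enter_data(url: str, expected_domain: str) -> tuple[bool, str]:
    """Rule 6: the page must be served over https.
    Rule 5: the host must belong to the domain you intended to visit.

    Returns (verdict, reason) so the caller can see which rule failed.
    """
    parts = urlsplit(url)
    # .hostname strips any user:pass@ prefix and :port suffix and lowercases,
    # which defeats the classic "https://trusted.example@attacker" lookalike.
    host = parts.hostname
    if host is None:
        return False, "no host in URL"
    if parts.scheme != "https":
        return False, f"not https (scheme is {parts.scheme!r})"
    site = registrable_domain(host)
    if site != expected_domain.lower():
        return False, f"host {host!r} belongs to {site!r}, not {expected_domain!r}"
    return True, f"ok: https page on {host}"


if __name__ == "__main__":
    # Constructed sample URLs; the paypal.com pair mirrors the post's own example.
    samples = [
        ("https://services.paypal.com/login", "paypal.com"),
        ("http://paypal.services.com/login", "paypal.com"),
        ("https://paypal.services.com/login", "paypal.com"),
        ("https://www.paypal.com@phish.example/login", "paypal.com"),
        ("https://paypal.com.example:8443/", "paypal.com"),
    ]
    for url, domain in samples:
        ok, why = safe_to_enter_data(url, domain)
        print("OK " if ok else "NO ", url, "->", why)
```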
Good luck.
