Storage

12:00 PM
Connect Directly
RSS
E-Mail
50%
50%

Loss of Innocence

Hackers are on the road, in your browser - and getting Grandma's attention

8:00 AM -- It was comforting, even reassuring, that there was a world out there where everyday folk were mostly insulated from the security worries that we on the front lines obsess and debate about every day. Sure, we've gotten Grandma to update and run her antivirus regularly and watch her credit-card bills for anomalies, and we've educated the kids about the risks of social networking and downloading music off Limewire. They may still be fresh meat for botnet herders, but they aren't losing sleep at night over cross-site scripting (XSS) and data leakage.

So what's this world coming to when even truck drivers -- as in their 18-wheelers -- can get hacked? These guys are sleep-deprived enough without having to worry about their RFID-based electronic product code (EPC)-based load of plasma TVs getting hacked in a drive-by, which researchers have shown is easily doable with off-the-shelf, standard EPC Generation 2 readers and antennas. (See Hacking Truckers.) It could make them an easy mark for criminals as well as for a competitor sniffing around for shipping intelligence.

Consumers are getting savvier about detecting phishing emails, but there's not much they can do if there's a "man in the browser," where an attacker intercepts and manipulates an online banking customer's transactions, to hijack their accounts or identities. (See Killing That 'Man in the Browser'.)

And the so-called sleeping giant vulnerability, cross-site request forgery (CSRF), is slowly emerging from his slumber. The bug has been detected in the products of eight security vendors, including Check Point, which this week patched the bug in its Safe@Office Unified Threat Management device. (See CSRF Bug Runs Rampant.) Seven more vendors have CSRF-vulnerable products, but thanks to responsible disclosure, they remain anonymous until they decide to patch.

Besides the fact that the bug is in security products, which we rely on to protect us, even more scary is it's in most everything with a Web-based interface, including your home printer, firewall, DSL router, and IP phone. Plus it's tough to detect, much less mitigate.

Meanwhile, enterprises are questioning the old standby, encryption. U.S. Trust's business information security officer says encryption can be overkill in some situations because criminals are more likely to go after the low-hanging fruit, the endpoint, by sliding in a keylogger, or sending out a phishing email -- rather than going after an encrypted file. (See Users: Encryption No Silver Bullet.) An employee gone bad could lift an encrypted file merely by taking a digital photo of it, pointed out another speaker on a user panel on enterprise data protection, which was held in New York this week.

Then there's Grandma, who's now attending Black Hat USA, the famous hacker conference held in Las Vegas. And she's not there to play the one-armed bandits, either: Researcher Dan Kaminsky, who is best known for his Black Ops talks at Black Hat and his work on Microsoft Windows Vista security, proudly notes that his 80-something grandmother -- who basically bankrolled his first Black Hat trip to Vegas after his college graduation -- regularly goes to the hacker show because "it's interesting." And she likes listening to her grandson chat about his latest research, especially when he uses "pretty" graphics in his presentations. (See Black Ops & Grandma.)

What happened to getting away from it all, over the river and through the woods to grandmother's house? Blame it on the man who jumped between Grandma's browser and her online bank account.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • Check Point Software Technologies Ltd. (Nasdaq: CHKP)

    Comment  | 
    Print  | 
    More Insights
  • Cartoon
    Slideshows
    Audio Interviews
    Archived Audio Interviews
    Jeremy Schulman, founder of Schprockits, a network automation startup operating in stealth mode, joins us to explore whether networking professionals all need to learn programming in order to remain employed.
    White Papers
    Register for Network Computing Newsletters
    Current Issue
    Video
    Twitter Feed