Security alerts come and go with the tide, and even the most leisurely of activities is marred by new vigilance. Unfortunately, the Internet offers little escape. Every day, hackers determine new ways to relieve unwitting users of their passwords, credit card information, and other key credentials. Identity theft might seem hard to pull off to common folk like you and me, but the reality is that it usually begins with a single online password being guessed or stolen.
Firefox is determined to give you the smoothest possible online experience, and security is no exception. Still, your security online ultimately rests in your hands. This chapter outlines the safeguards Firefox includes and offers recommendations for how you can protect yourself best.
Perhaps more frustrating than the online attacks themselves is that each one has its own technical alias. You don't have to know the lingo to stay safe, but it's helpful to speak the same language as the security organizations that are working on your behalf.
One of the most popular types of attacks today falls under a category known as phishing. Phishers bait unsuspecting users into divulging their passwords by creating perfect replicas (known as spoofs) of popular Web sites. One of the most common victims of phishing, for example, is eBay (see Figures 15-1 and 15-2). Every year, hundreds of phishers set up fake versions of the renowned auction site and notify customers that, for whatever reason, they need to click a link (that loads a fake replica of eBay) and enter their eBay login information. As soon as a customer does, his username and password are sent to the owner of the fake eBay, who can then use it on the real eBay.
Figure 15-1: The real eBay. Can you tell the difference between this and the Web page shown in Figure 15-2?
Figure 15-2: A recent phishing eBay replica. Notice the eBay logo, the login form, and even the Trust button have been faithfully replicated.
Phishing scams are prevalent because they're successful, and they're successful because they're nearly impossible to detect. Some phishers are plain lazy and create error-ridden pages that no professional company would churn out, but sophisticated phishers can create look-alikes that mimic legitimate Web sites down to the pixel. The e-mails they send appear to come from respected addresses such as firstname.lastname@example.org or email@example.com. There are, however, a few precious aspects of legitimate Web sites that fakes can't duplicate. Phishers aren't expecting you to recognize these aspects, but these so-called untouchables are your window to safety, as I outline in the next few sections.
Even the most experienced computer users fall prey to well-crafted phishing scams. Keep these tips in mind while surfing and be sure to review your bank statements regularly for unusual charges, just in case a hacker gets past your guard.
Most identity thefts begin with a phishing scam, and most phishing scams begin with an e-mail or an instant message that appears to come from a reputable source (see Figure 15-3). These messages exist to convince you that you absolutely, positively must click a link and enter in your personal information immediately. Phishers have concocted a dizzying array of explanations: Your information was lost; you might have won a contest; you need to verify that your information is current; your account will be closed; and so on. Although the messages often look professional and seem to come from legitimate addresses, the links they contain take you to the hacker's replica.
Figure 15-3: A typical phishing e-mail.
Most legitimate Web sites never ask you for your personal information by e-mail or instant message. After all, why would they need to? They already have your information. Powerhouses like eBay don't take chances on losing user information: They back it up several times over in their own databases. And, I'm sorry, but you probably didn't win a contest. (Did you even enter one?)
I spend most of this chapter — and most of my programming career — examining the technical ways in which your online security can be violated. However, studies have shown that hackers often don't need complex algorithms and supercomputers; all they need is a telephone and a friendly voice. In an increasingly popular attack called social engineering, hackers call up their would-be victims and cajole the needed information out of them. Sometimes they say they're from your Internet Service Provider (ISP) and that they need your password or your Internet will be disconnected. Other times they claim they're calling on behalf of the bank or a popular site such as eBay. Whatever the guise, the end game is always the same: Convince you to divulge your personal information to a stranger who sounds friendly and authoritative.
What makes social engineering scary is that the best computer tools aren't going to protect you. What makes it scarier is that even if you are aware of this attack and know not to fall for it, your private information can still be socially engineered out of those you entrust to protect your information. That's because hackers don't just play the ISP or the bank in this sick charade; sometimes they call your ISP or bank and play you. In this scenario, the hacker doesn't play the friendly, authoritative company official. He plays the angry, exasperated user whose password is being rejected online. The hope is that if he acts frustrated enough, the company will divulge or reset your password even though the hacker can't properly verify his (your!) identity.
The best way to protect yourself against social engineering is to be aware of the scheme and to ensure that the companies who hold the keys to your identity, such as your ISP and your bank, are also aware. Confirm that your ISP's and bank's policies forbid employees from divulging your information over the phone or by e-mail to people who can't authenticate themselves, no matter how frustrated or angry they get.
If you get an e-mail asking for your personal information, delete it. If you want to be sure you're doing the right thing, contact the company by using the contact information you find in Table 15-1 or on its Web site. (And get there by typing in the company address, of course — don't click the e-mail link!)
Table 15-1: Contact Info to Report a Scam
America Online (AOL)
When you read about all the devious schemes I describe in this chapter, it's easy to believe that it's you and your computer against a sea of brilliant hackers. The truth is that in the fight against hackers, you have some very powerful allies. The world's largest corporations — and not just those in the computer industry — have some very good reasons to win the war. First of all, these schemes cost some companies tens of millions of dollars every year. When a thief splurges with your credit card, for example, your bank typically foots the bill. And that's just the direct monetary cost. What about the harm done to a company's brand and reputation when a phisher posing as a company official steals your password?
Many companies have set up e-mail addresses or phone numbers you can use to report hacker solicitations. For example, if you receive an e-mail that appears to be from eBay and directs you to a Web site that asks for your password, forward it to firstname.lastname@example.org. Table 15-1 lists the companies that are most often targeted by phishers, as well as the e-mail address to use when you receive a phishing scam.
It's important (and comforting) to realize that companies like eBay aren't kidding around. If the company catches a hacker, it doesn't send him a warning notice; it sends him to jail, in collaboration with local authorities.
The links in phishing e-mails and instant messages rarely display an address such as http://www.ebay.com. Rather, they generally offer enticing text like Billing Information, or simply eBay. That's because the Web site address is the one fundamental aspect of a legitimate site that phishers cannot copy. There is exactly one http://www.ebay.com in the world, and it's the real eBay. The hope, then, is that when you click the link and Firefox opens it automatically, you'll forget to check the Location Bar. So that's an important step:
Always verify that you're really at the Web site you think you're at by checking the address in the Location Bar.
Unfortunately, protecting yourself isn't that simple. As you can tell by now, phishers are nothing if not persistent. They've devised a number of clever ways to disguise or obfuscate the addresses of their fake replicas so that even people who know to check are fooled! Here are some indicators to watch out for:
Most legitimate Web site addresses don't contain the at sign (@). This symbol has special meaning when contained within a Web address: The phrase before it is considered to be login information, and the phrase after it is interpreted as the Web site to which you wish to log in. For example, an address of email@example.com is interpreted as user http://www.ebay.com logging in to the Web site http://blakeross.com and will actually navigate to http://blakeross.com, even though it might appear to point to eBay at first glance. If all that didn't make much sense, that's okay — it's a technical detail you don't need to worry about. When you visit these kinds of addresses, Firefox automatically asks you to confirm the decision, as shown in Figure 15-4. (I use my Web site for demo purposes.)
Figure 15-4: Firefox asks you to confirm going to suspicious Web sites.
Practically no legitimate Web sites use this kind of addressing scheme, so if you ever encounter a window like this, the right answer is almost certainly No.
Be wary of numerical addresses. Reputable Web sites use words or phrases in their addresses so you can return to them easily. Malicious sites often sport numerical addresses, such as http://22.214.171.124, to make them more difficult to trace.
Follow the yellow brick road, er, Location Bar. Legitimate Web sites that ask you for highly sensitive information, such as banks, always use a security technology such as SSL (Secure Sockets Layer). Firefox makes it easy to tell whether you are at a secure Web site: The entire Location Bar turns yellow and is punctuated by a lock icon, as shown in Figure 15-5. Note that if you aren't using the default theme, the Location Bar might be shaded with another color, such as green. Although the other developers and I don't encourage it, some themes change the color to better match their design. (See Chapter 17 for more information about the themes feature.)
Figure 15-5: The Location Bar turns yellow, and a lock appears at the end of it, when you view a secure Web site.
If you ever find yourself entering critical information into a Web site whose address is not enshrouded in yellow, something is wrong. If you attempt to submit information at a non-secure Web site, Firefox displays the warning shown in Figure 15-6.
Figure 15-6: If you attempt to submit information at a non-secure Web site, Firefox displays this warning.
If you aren't entering sensitive information, you don't need to concern yourself with this warning. It isn't unusual for Web sites to transmit nonsensitive data in an unencrypted (non-secure) fashion. In fact, it's so common that by default, Firefox doesn't show this confirmation again unless you specifically request it by selecting the Alert Me check box. If you leave the confirmation off, you can continue to detect suspicious activity by observing the Location Bar, as I describe earlier in this section.
Likewise, when you leave a secure Web site through a link on its page, Firefox warns you that you're venturing back out into non-secure territory (see Figure 15-7). Again, this should be a concern only if you expected to remain in secure territory — that is to say, if you intended to enter sensitive information into the newly loaded Web site.
Figure 15-7: Firefox warns you when you leave secure territory.
Firefox always displays the actual address of any secure Web site you view in the bottom-right corner of the window, regardless of whatever tricks a phisher uses to try to disguise it. Note that a secure Web site is simply one that transfers your information securely over the Internet; whether it's transferring that information to a reputable source is another matter. See the following section, "Phending off pharming," for more information.
Get in the habit of asking yourself "Where am I typing this?" each and every time you enter your password. Some phishers try to deceive you by opening browser windows that replicate not other Web sites, but other programs on your computer. For instance, a phisher might design a Web site that looks like an AOL Instant Messenger (AIM) window and asks you to verify your password. If you're an AIM user and are currently logged on to AIM, you might be fooled into thinking this is an AIM window.
Remember this simple rule: If the title bar of the window begins with "Mozilla Firefox," it is a Web site masquerading as a program, not another program, because another program on your computer would have its own name in its title bar or something even more descriptive. The AIM Buddy List window, for example, contains your instant messaging screen name (such as Johnny 123's Buddy List Window). A phisher can't replicate that part of the window in his spoof Web site because he doesn't know your screen name, just as he can't prevent Mozilla Firefox from appearing in the title bar.
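The two address-level indicators above (the at sign and numerical addresses) can be checked mechanically, which makes a good way to see why they work. The following is an added example, not code from the book or from Firefox: it parses a link the way a browser does and reports the host that will actually be contacted. The sample links are constructed for the example; blakeross.com is the author's site used in the chapter's own demonstration, and 192.0.2.1 is a documentation-only address (RFC 5737) standing in for a scammer's numerical address.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed sample links for this example.
SAMPLE_LINKS = [
    "https://www.ebay.com/signin",
    "http://www.ebay.com@blakeross.com/",
    "http://192.0.2.1/ebay/login",
    "www.ebay.com",
]

def inspect_link(url):
    """Return (real_host, warnings): the host the browser will actually connect to,
    plus the address-level indicators from the chapter that this link trips."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    warnings = []
    if not host:
        return host, ["no scheme/host: the browser would treat this as a relative path"]
    if parts.username is not None:
        # Everything before the '@' is login information, not the site name.
        warnings.append(
            f"'@' in address: {parts.username!r} is a username, the real site is {host!r}"
        )
    try:
        ipaddress.ip_address(host)
        warnings.append(f"numerical address {host!r}: reputable sites use names")
    except ValueError:
        pass  # a normal host name
    if parts.scheme != "https":
        warnings.append("not https: the Location Bar will not turn yellow for this site")
    return host, warnings

def suspicious(url):
    """True when the link trips any indicator and so deserves a look at the Location Bar."""
    return bool(inspect_link(url)[1])

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        host, warnings = inspect_link(link)
        print(f"{link}\n  connects to: {host or '(none)'}")
        for w in warnings:
            print(f"  ! {w}")
```

Run the block and the second sample prints blakeross.com as the real destination, which is exactly what the Location Bar would show after Firefox's confirmation dialog. The https check is the same signal as the yellow Location Bar: no https, no padlock.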
A new crop of attacks is on the horizon, and it's even more insidious than phishing — and more poorly named. Pharming is a new way of luring you to fake Web sites with the same old goal: stealing your identity. Instead of setting up a convincing replica of a popular site, hackers attack the site itself and set up a site redirect that takes effect when you and others try to visit it. In other words, even if you type the correct address yourself, you can still end up at a fraudulent Web site. Because the Location Bar actually reflects the correct address and because the scammer didn't interact with you in any other fashion, none of the phishing tests can help you detect pharmers!
Imagine that you have to call a friend for directions to his house. Now imagine that someone posing as your friend answers the phone and, with a voice just like your friend's, directs you to his house instead so he can rob you. Now you can begin to understand why pharming is so sinister.
The good news here is that pharming is a very difficult attack to pull off because hackers need to successfully break into the Web site itself. Technical details aside, they essentially need to update the table of information that says, "when the user types http://www.ebay.com, load the information off this computer." Furthermore, if a hacker does manage to successfully pharm a major Web site, the company that operates it can notice and correct the problem very quickly.
The rarity of pharming is a saving grace, but you should still take steps to prevent being pharmed. Doing so requires a little knowledge of browser certificates. These aren't gift certificates; instead, they're more like the documents certifying that your doctor is trained to perform an operation. Browser certificates help you verify that you're interacting with the desired site, which cuts to the very heart of pharming.
In the phishing section, I discuss the concept of secure Web sites that use SSL technology and mention that all reputable sites asking for sensitive information should use this technology. Certificates are the next layer of security. Whereas SSL technology ensures that your information is being securely transferred, certificates ensure that your information is being securely transferred to the organization you intend to entrust with it. Trusted third parties such as VeriSign issue certificates to consummate your transactions with secure Web sites, just as an independent public notary would preside over the dealings of two strangers. These companies issue certificates only to reputable companies.
Keep in mind that certificates are built atop the SSL technology. Therefore, if the malicious Web site the pharmer is secretly redirecting to doesn't support SSL (which it might want to do as a ruse), Firefox won't be expecting a certificate and therefore won't warn of a mismatch. This is intentional because SSL should be considered the first hurdle that any legitimate Web site should pass. In other words, if the Web site doesn't support SSL — if that Location Bar doesn't turn bright yellow — something is already suspect before you even begin worrying about certificates.
The bottom line is that it's impossible — as far as I know today — for any hacker to replicate the combination of SSL technology (which displays the bright yellow Location Bar!) and a legitimate, matching certificate.
Your password is the prize most hackers are seeking. It is often the key to your credit card and Social Security numbers, to your home address and other private data, and you should guard it with the same vigilance as you do the key to your home.
Besides using tricks like fake e-mail and fake Web sites to steal your passwords, there are hackers working on an entirely different approach: Rather than persuade you to give them your password, they'll just guess it themselves! Yes, that's right: guess it.
TECHNICAL STUFF
When you go to a secure site today, Firefox asks the site for the certificate issued to it by VeriSign or another trusted third party. If it's a legitimate site, it can do so without concern. If the site has been pharmed and is thus secretly redirecting to a different site, the new, illegitimate site has no access to the authentic certificate. Firefox smells something fishy, and — here's the important part — warns you that the provided certificate does not match and asks whether you want to continue. You should say no in all cases. There are very few cases where legitimate sites would cause this error — usually when they forgot to renew their certificates — and in those rare instances, you should say no and wait for the company to get its act together.
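The mismatch test described in the pharming section and in this sidebar comes down to one question: does any name in the certificate cover the site the user typed? The following is an added example, not Firefox's code: it implements that name check over two constructed certificate records in the dictionary shape Python's ssl.getpeercert() returns. LEGIT_CERT is what the real site would present; PHARMED_CERT stands in for whatever certificate a redirect target can actually obtain, and login.example.net is a made-up name.

```python
# Constructed certificate records in the shape of ssl.getpeercert().
LEGIT_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "www.ebay.com"),)),
    "subjectAltName": (("DNS", "www.ebay.com"), ("DNS", "ebay.com")),
}
# A pharmed connection presents some other site's certificate, because a trusted
# issuer would never have issued one for www.ebay.com to the redirect target.
PHARMED_CERT = {
    "subject": ((("commonName", "login.example.net"),),),
    "subjectAltName": (("DNS", "login.example.net"),),
}

def name_matches(pattern, hostname):
    """Match one certificate name against the typed hostname: case-insensitive,
    exact, or a single leading '*.' wildcard that covers exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # '*.ebay.com' -> '.ebay.com'
        if hostname.endswith(suffix):
            rest = hostname[: -len(suffix)]
            return bool(rest) and "." not in rest  # one label only, never 'a.b'
    return False

def certificate_names(cert):
    """DNS names the certificate claims: subjectAltName entries, else the CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [value for rdn in cert.get("subject", ())
                 for key, value in rdn if key == "commonName"]
    return names

def certificate_matches(cert, typed_hostname):
    """The mismatch test: does any certificate name cover the site the user typed?"""
    return any(name_matches(n, typed_hostname) for n in certificate_names(cert))

def location_bar_verdict(cert, typed_hostname):
    """What the browser should tell the user about this connection."""
    if certificate_matches(cert, typed_hostname):
        return f"certificate matches {typed_hostname}"
    claimed = ", ".join(certificate_names(cert)) or "(no name)"
    return f"WARNING: certificate is for {claimed}, not {typed_hostname}; do not continue"

if __name__ == "__main__":
    print(location_bar_verdict(LEGIT_CERT, "www.ebay.com"))
    print(location_bar_verdict(PHARMED_CERT, "www.ebay.com"))
```

This is only the name check. A browser also verifies that the certificate chains to a trusted issuer and is within its validity dates, so a self-signed certificate that simply claims www.ebay.com fails too; that combination is why the chapter calls it so hard to forge. Python's own ssl module performs the same check for you when SSLContext.check_hostname is enabled.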
The unfortunate fact of security is that it often comes at the expense of convenience. Although computing power isn't yet to the point where hackers can quickly guess any combination of letters and numbers, they can realistically try every password in the dictionary and then some. And if the idea of a hacker slaving away at home entering passwords gives you some consolation, think again: Hackers today use sophisticated networks of computers that work together to guess passwords automatically (see the "How they do it" sidebar). That means that using your favorite color or even your mother's maiden name as your password just isn't going to cut it anymore. Here are some tips for keeping your password safe from prying eyes:
Throw convenience to the wind. If you're using a password that has any kind of recognizable personal significance (such as your mother's maiden name or your birth town), you're putting yourself at risk. Hackers have assembled vast collections of words far beyond those found in the dictionary, including slang and names of people, streets, and pets. The safest route is to choose a random combination of letters and numbers, such as y94pJ332k. Mix the letters and numbers together and use both upper- and lowercase. If the Web site allows it, include special characters such as ! or $.
Write your password down on paper until you remember it. It's going to take you awhile to remember Iw2ih4smpw as easily as you remember your mother's maiden name. However, saving passwords on your computer is a bad idea because if someone is able to gain access to your computer, she can retrieve it. Instead, write it down on paper and store it in a safe location in your home. Throw it out as soon as you're comfortable with your new password.
You can also try using a mnemonic device to remember a seemingly nonsensical password. For example, Iw2ih4smpw looks like complete gibberish, but I remember it as "I want to (2) imprison hackers for (4) stealing my password."
Never give your password or other private information to anyone. Anyone. This tip is just common sense. Employees of reputable companies will never contact you out of the blue to request your password or other private information.
Make your password as long as possible. Different sites allow different length ranges. The longer you make your password, the harder it is for hacking technology to guess it.
Use different passwords for different sites. Yes, it's much more convenient to remember a single password. But using the same password at multiple places weakens your overall security because your security is only as strong as the weakest link. If a hacker steals your password at a low-security site, you can bet he's going to see whether it also works at your bank.
Be careful where you log in. Sites you're liable to visit frequently — such as your Web mail site, if you use a Web-based e-mail service — often remember who you are automatically so you don't have to keep entering your login information (see Figure 15-8). This is great when you're at home, but it's dangerous at a public computer where the very next person might also use your Web mail provider. Many Web sites offer a check box that says something to the effect of Remember Me on This Computer. Select this check box only if you're on your home computer. Alternatively, some Web sites remember you by default and offer an I Am on a Public Computer check box to bypass it, and you should select this whenever you are not on your home computer. If you can't tell whether a particular Web site will remember you, I recommend using that site only on computers that belong to you.
Figure 15-8: The Google Gmail service allows you to specify whether your login information should be remembered.
Limit access to your computer. The Firefox Password Manager remembers your login information for you so you don't have to keep entering it when you return to Web sites. Although this is convenient, it might be undesirable if you share a single computer with other people, such as family members or co-workers. Unless you trust the other people who have access to your computer, you might want to disable the Password Manager or use its Master Password feature, as I describe in Chapter 8.
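The tips above about wordlists, mixing character types and password length all come down to arithmetic: a guesser must try every combination in the alphabet your password uses, raised to the power of its length, unless the password is on a wordlist, in which case it is found in the first pass. The following is an added example (not from the book) that puts numbers on the chapter's own sample passwords. WORDLIST is a constructed stand-in for the collections the chapter mentions, and the rate of one billion guesses per second is an assumed figure for a network of machines, not a measurement.

```python
import math
import string

# Constructed mini wordlist; real collections run to millions of entries.
WORDLIST = {"password", "letmein", "rover", "fluffy", "smith", "springfield"}

def charset_size(password):
    """Size of the alphabet a guesser must cover, judged from the character kinds used."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)   # 32 symbols such as ! and $
    return size

def entropy_bits(password):
    """Bits of guessing work for a random password drawn from that alphabet."""
    n = charset_size(password)
    return len(password) * math.log2(n) if n else 0.0

def wordlist_hit(password, words=WORDLIST):
    """The dictionary check: lowercase and strip trailing digits ('Rover1' -> 'rover')."""
    return password.lower().rstrip(string.digits) in words

def years_to_exhaust(password, guesses_per_second=1e9):
    """Worst-case time to try every password of this length and alphabet
    at the assumed rate (one billion guesses per second by default)."""
    total = charset_size(password) ** len(password)
    return total / guesses_per_second / (365 * 24 * 3600)

def assess(password, guesses_per_second=1e9):
    """Summarise one password: on a wordlist or not, and if not, the search-space size."""
    return {
        "on_wordlist": wordlist_hit(password),
        "bits": round(entropy_bits(password), 1),
        "years": years_to_exhaust(password, guesses_per_second),
    }

if __name__ == "__main__":
    # Constructed samples: a pet name, the chapter's two examples, and a longer one.
    for pw in ["Rover1", "y94pJ332k", "Iw2ih4smpw", "y94pJ332kQ7m!x"]:
        r = assess(pw)
        print(f"{pw:16} wordlist={r['on_wordlist']!s:5} bits={r['bits']:5}  "
              f"years to exhaust={r['years']:,.2f}")
```

The output shows the chapter's point about length: adding a single character to y94pJ332k multiplies the guesser's work by 62, and a fourteen-character password with a symbol is out of reach by many orders of magnitude, while a pet name with a digit tacked on is found immediately regardless of its arithmetic.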
TECHNICAL STUFF
While your computer takes its sweet time booting up, hackers are guessing thousands and thousands of letter combinations to crack a victim's password. How do they do it? And better yet, where can we common folk get such fast computers?
The truth is that hackers use the same kinds of computers that you and I use, but with a few differences. One is that hackers aren't actually using the computer interactively; they're using the computer only to try passwords endlessly until the correct one is found. This means they don't care to see a helpful error message or click an OK button when the wrong password is tried. Their programs run automatically and very quickly without any human interaction until the correct password is found.
The second and most important difference is that hackers aren't limited to a single computer. Instead, they can network multiple computers together and have them work in parallel to multiply the processing power and reduce the length of the operation. For example, while one computer is trying all the words beginning with A, another computer could try all the B words, and so forth.
The worst part comes when you ask that burning question: Where do those additional computers come from? Unfortunately, one way or another, the computer supplier is typically you or someone like you. Either the hacker purchases additional computers with the money he obtains by stealing a victim's banking information, or he is actually using a victim's computer directly because he stole the victim's password. Yes, you read that correctly: Many hackers take control of victims' computers and put them to work guessing other would-be victims' passwords. In this way, hacking is a viciously self-supporting endeavor.
Most modern Web sites try to counter or slow a hacker's ability to guess a user's password by pausing a second or two before revealing whether a guessed password is correct or not, or by preventing users who use an incorrect password three times from logging in. These measures have been fairly successful at staving off hackers.
Another silver lining is that the same networking technique (called distributed computing) used by hackers to guess passwords is also used by leading scientists and researchers worldwide for the benefit of mankind. Many researchers who require enormous amounts of computing power to solve the problem they're working on distribute a program you can download to "donate" your computer's processing power to the research effort. When you aren't using your computer, these programs use your computer to work on complex mathematical calculations and submit the results back to the researchers. Although your computer is only solving a minuscule portion of the overall problem, researchers can aggregate all the data they receive to figure out the larger picture. Two of the most famous projects to use this method are Stanford's Folding@Home (http://folding.stanford.edu), which seeks to understand protein folding and cure related diseases such as Alzheimer's, and Berkeley's Seti@Home (http://setiathome.ssl.berkeley.edu), which analyzes radio telescope data in the hopes of discovering extraterrestrial communication.
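The two countermeasures the sidebar credits with staving off automated guessing, a pause before answering and a lockout after three wrong passwords, are simple to build on the server side. The following is an added example and not any real site's code: a small login gate that imposes a fixed delay on every failure and locks the account for fifteen minutes after the third one. The account record, the lockout length, the delay and the sample guesses are all assumptions made for the example; the clock and sleep functions are injectable so the behaviour can be exercised without actually waiting.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 3              # the third wrong password locks the account
LOCKOUT_SECONDS = 15 * 60     # assumed lockout length
FAILURE_DELAY_SECONDS = 2.0   # the "pause a second or two" before answering

def make_account(password):
    """Constructed account record: a salted PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "digest": digest, "failures": 0, "locked_until": 0.0}

def password_ok(account, password):
    """Recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), account["salt"], 100_000)
    return hmac.compare_digest(candidate, account["digest"])

class LoginThrottle:
    """Server-side login gate: fixed delay on every failure, lockout after MAX_FAILURES."""

    def __init__(self, accounts, clock=time.monotonic, sleep=time.sleep):
        self.accounts = accounts
        self.clock = clock
        self.sleep = sleep

    def attempt(self, username, password):
        now = self.clock()
        account = self.accounts.get(username)
        if account is None:
            # Same delay as a wrong password, so timing doesn't reveal which names exist.
            self.sleep(FAILURE_DELAY_SECONDS)
            return "denied"
        if now < account["locked_until"]:
            return "locked"            # answer at once; no work is done for a locked account
        if account["locked_until"]:
            # Lockout has expired: start counting afresh.
            account["locked_until"] = 0.0
            account["failures"] = 0
        if password_ok(account, password):
            account["failures"] = 0
            return "ok"
        account["failures"] += 1
        self.sleep(FAILURE_DELAY_SECONDS)
        if account["failures"] >= MAX_FAILURES:
            account["locked_until"] = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"

def simulate_guessing(throttle, username, guesses):
    """Run a list of guesses (a constructed mini dictionary) through the gate
    and return the outcome of each, to show how quickly the gate shuts."""
    return [throttle.attempt(username, g) for g in guesses]

if __name__ == "__main__":
    accounts = {"alice": make_account("Iw2ih4smpw")}
    delays = []
    gate = LoginThrottle(accounts, clock=lambda: 0.0, sleep=delays.append)
    print(simulate_guessing(gate, "alice", ["password", "rover", "fluffy", "Iw2ih4smpw"]))
    print("seconds of delay imposed:", sum(delays))
```

Run as written, the gate answers denied, denied, locked, locked: the correct password is refused on the fourth try because the lockout is already in force, which is the trade-off the chapter mentions between security and convenience. The delay on unknown usernames is deliberate, so that a guesser cannot learn which names exist from how fast the answer comes back.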