11 hidden security threats and how to stop them
- — 26 January, 2010 02:45
Trojan Horse Texts
Some attackers will send spam text messages to your mobile phone that appear to be from your network provider or financial institution. These Trojan horse text messages may direct you to a malicious site or request permission to install an update that will change the settings on your cell phone to allow the attackers to capture usernames, passwords, and other sensitive information from your device.
Go to the source for updates and news: If you receive a text message that appears to be from a trustworthy source, but it directs you to install or update software, or if it initiates the installation and requests permission to continue, immediately exit the text-messaging app and contact the customer service department for the wireless provider or business in question to verify whether the software is legitimate.
You may receive a lot of unsolicited e-mail from companies that you do business with--e-mail that you might even regard as spam--but reputable companies will not send you unsolicited links and updates via e-mail. Similarly, reputable companies will not send unsolicited text messages to your mobile device directing you to install an update or download new software.
Attackers prey on your tendency to trust your wireless provider or financial institution. Do not blindly accept software updates or download applications to your mobile phone simply because the text message appears to be official. If in any doubt, follow up with your wireless provider or with the business.
Lost Laptops, Exposed Data
The portability of laptops and cell phones is convenient, of course, but that same portability means that such devices are easily lost or stolen. If your laptop, netbook, phone, or other device falls into the wrong hands, unauthorized users may access the sensitive data that you've stored there.
Encrypt your data: You can use a utility such as Microsoft's BitLocker to encrypt data. Unfortunately, BitLocker is available only for Windows Vista and Windows 7, and even then it's exclusive to the Ultimate and Enterprise editions of those OSs (and is also available in Windows Server 2008); you won't find the tool in the consumer versions of Vista and Windows 7.
Fortunately, BitLocker isn't the only game in town. You can use another encryption program, such as TrueCrypt (available for free under open-source licensing), to protect your data from unauthorized access.
Encrypting your data is not without a pitfall or two, however. The biggest issue is to ensure that you always possess the key. If you lose your encryption key, you will quickly discover just how good encryption is at keeping out unauthorized users.
Use stronger passwords: If encrypting seems to be more of a hassle than it's worth, at least use strong passwords to protect your PC. Longer passwords are better; more characters take longer to crack. You should also mix things up by substituting numbers and special characters for letters. For example, instead of using the plain "PCWorldMagazine", you could use "PCW0r1dM@g@zin3". Though that's still a phrase you can easily remember, the character diversity makes it significantly harder to guess or crack.
You should have a secure password to log in to your user account even if you're the only person who uses your computer. Note, however, that while strong passwords are a great deterrent, they aren't impervious to attack: An invader who has physical possession of your computer can find ways to get around that protection.
Lock down your BIOS: By implementing a BIOS password or a hard-drive password (or both), you can ensure that no one else can even boot the computer. Getting into the BIOS varies from system to system. The initial splash screen that your PC displays usually tells you which key to press to access the BIOS settings; watch as the computer is booting, and press Del, Esc, F10, or whichever key it specifies.
Once inside, find the security settings. Again, these settings vary from vendor to vendor, but the BIOS settings are fairly rudimentary. Learn more about accessing and navigating your system's BIOS in "Tweak Your PC's BIOS Settings the Safe Way."
You can set a master password that prevents other people from booting your computer or altering the BIOS settings. This option goes by different names, but it is often called an administrator password or supervisor password. If you wish, you can also set a hard-drive password, which prevents any access to the hard disk until the password is entered correctly.
Methods for circumventing these passwords exist, but having the passwords in place creates another layer of security that can help to deter all but the most dedicated attackers.
Use a recovery service: If your equipment gets lost or stolen, you'd like to recover it; but if you can't get your hardware back, you'll at least want to erase the data it holds. Some vendors, such as HP and Dell, offer services that try to do both for select laptop models.
Both HP's Notebook Tracking and Recovery Service and Dell's Laptop Tracking and Recovery are based on Computrace from Absolute Software. When you report that a laptop protected with one of these services has been lost or stolen, a small application running in the background on the PC waits for the computer to connect to the Internet and then contacts the monitoring center to relay location information for finding the machine. If a protected lost or stolen laptop cannot be retrieved, or if the data on a system is highly sensitive, these services allow you to remotely erase all of the data stored on it.
Though less comprehensive, free utilities such as the FireFound add-on for Firefox provide similar capabilities. You can configure FireFound to automatically delete your passwords, browsing history, and cookies following a failed login attempt.
Mobile phones can hold a significant amount of sensitive data, too. Fortunately, services such as Find My iPhone, part of Apple's MobileMe service, and Mobile Defense for Android-based smartphones perform similar feats of location tracking and remote data wiping for smartphones. Both MobileMe and Mobile Defense can use the built-in GPS capabilities of your smartphone to pinpoint the current location of the device and relay that information back to you.