User:Lania Elderfire/Rant/Passwords
Having unique passwords and secure account policies may not be enough
Having strong passwords, using unique passwords, and never sharing your account with anyone is still a good policy to follow. However, the trend right now is that even when people follow all of those secure account policies, more and more of them are getting their accounts stolen. This may be partially explained by a change in how online accounts and identities are being stolen in the corporate world. According to Symantec [1], in 2008 about 48% of stolen identities came from insecure account practices like weak passwords, shared passwords etc. Only 22% of stolen identities came from hacking, while the rest came from physical theft and other causes. In 2009 the rate of hacking-based identity theft increased dramatically to 60%, while theft from insecure account policies dropped to 37%. Recently published 2010 statistics from the Symantec/OSF DataLoss DB indicate that in 2010 over 60% of stolen identities occurred through hacking (similar to 2009), while theft due to insecure account policies dropped precipitously to just over 7%. Physical loss or theft of data accounts for 15% of stolen identities, and another 15% occur through insider leaks. It now seems that most internet users and corporations are fairly aware of what constitutes "secure account practices", while awareness of how to prevent hacking is severely lagging.
Why are there so many more successful hackings now?
Previously, when someone wanted to hack something, the hacker needed extensive knowledge of programming languages and of the target systems in order to write the tools, hacks, and cracks needed to break in. This limited such hacks to a select few people with the prerequisite skills. The growing market for "attack kits" sold on the online black market now allows a programming novice, or someone with no background in computer science at all, to use simple tools to hack into sophisticated systems. These types of attack kits also affect MMO accounts, because selling online gold, items, and stolen accounts has become an increasingly lucrative business.
What are these attack kits?
Starting in 2006, program packs with documentation started being sold on the online black market. The early kits were fairly rudimentary and had a limited number of exploits they could use, but they established the model of a dedicated, select group of very talented hackers building a tool kit of a sophistication the world had never seen. The advent of the Zeus attack kit in 2007 changed the entire attack kit landscape: it was a package of very sophisticated tools that allowed a novice hacker to obtain online identities and financial information on a massive scale across the internet. There are different packs you can buy, some of which include regular updates that allow a hacker to circumvent even a recently patched machine. The price of these kits ranges from $15 for a very limited set of tools to over $8000 for an automatically updating set of tools with extensive documentation. With competitors to the Zeus attack kit surfacing in 2010, such as spy eye and golod, identity thieves now have more options and an even wider range of kits to choose from. The next version of the Zeus toolkit was also released in 2010 and includes even more sophisticated tools, in an attempt to maintain its dominance in the underground attack kit market. Gone are the days of lone hackers working alone and in isolation... now hackers work in teams, groups and even large organizations to steal information from even the most hardened targets. In 2010 more than 2/3 of web-based attacks were attributable to attack kits.
How do they work?
Most of these attack kits exploit weaknesses in web browsers so that the hacker can create "attack websites" that install programs on unsuspecting victims' computers. About 95% of the time, a successful injection of malicious code into a victim's computer did not arouse suspicion, and the code will usually run for a long time without the computer owner's knowledge. The compromised computers can be used by the hackers in different ways to do their bidding: they can record what the user types on the keyboard, intercept packets that might contain personal information, take part in a DDoS attack, act as a platform for further hacking attempts, etc. Generally, the information thieves don't carry out the theft of money or items themselves; they sell account information on the online black market, and the actual account thieves buy it to strip accounts of money, gold, items, etc.
How do you protect yourself?
The most important thing you can do is update your browser, operating system, antivirus, and firewall as soon as an update is available. Attack tool kit programmers are becoming ever more sophisticated and will update their kits in response to security patches, but keeping your system updated renders older exploits ineffective. Even a fully updated computer is still not as secure as it could be. Be suspicious about clicking on links to websites. Many of these attack sites look normal and are no longer confined to "porn" websites. Some of them are compromised legitimate sites, or duplicates of real sites.
Also, use your computer with limited account privileges, either by using User Account Control on Vista and Windows 7 or by using a non-administrator account. Windows XP users should seriously consider either upgrading to Windows 7 or limiting their account privileges. There are a lot of step-by-step tutorials available on how to set up a limited account. Always using an unlimited administrator account, which most Windows users do, allows malicious code to install programs and access sensitive parts of the operating system. Using a limited account can prevent a large portion of malicious code from affecting your system.
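As an added check that is not part of the original page or the linked Support FAQ, the PowerShell snippet below reports whether the current Windows session is running with full administrator rights, whether UAC is switched on, and whether the user is a member of the local Administrators group. The function name Test-LimitedAccount is chosen here; it assumes Windows Vista or later (on XP the UAC registry value simply does not exist and is reported as off).

```powershell
# Added example (not from the wiki page): is this session a "limited" one?
# Assumes Windows Vista or later with PowerShell 2.0 or newer.
function Test-LimitedAccount {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

    # True only if the token in use actually carries administrator rights.
    # Under UAC an Administrators member still gets a filtered standard-user
    # token until a program is elevated, so this answers "is this window elevated?".
    $isElevated = $principal.IsInRole($adminRole)

    # UAC is governed by the EnableLUA value: 1 = on, 0 = off (missing on XP).
    $uacKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $enableLua = (Get-ItemProperty -Path $uacKey -Name EnableLUA `
                  -ErrorAction SilentlyContinue).EnableLUA
    $uacOn = ($enableLua -eq 1)

    # Group membership via the legacy tool that exists on XP, Vista and 7 alike.
    $members   = net localgroup Administrators 2>$null
    $shortName = ($identity.Name -split '\\')[-1]
    $inAdmins  = ($members -contains $shortName) -or ($members -contains $identity.Name)

    New-Object PSObject -Property @{
        User          = $identity.Name
        Elevated      = $isElevated
        UacEnabled    = $uacOn
        InAdminsGroup = $inAdmins
    }
}

$result = Test-LimitedAccount
$result | Format-List

if ($result.Elevated) {
    Write-Warning 'This session has full administrator rights; use a limited account for day-to-day work.'
} elseif ($result.InAdminsGroup -and -not $result.UacEnabled) {
    Write-Warning 'UAC is off and this user is an Administrator: every program you run gets full rights.'
} else {
    Write-Output 'This session runs as a standard user; system-wide changes require elevation.'
}
```

Run it from an ordinary (non-elevated) PowerShell window to see what rights programs launched from that window, including a malicious one, would actually get.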
Also follow the guidelines at User:Gaile Gray/Support FAQs/Account Security.
Emerging Threat
Since smartphones were introduced years ago, it has been speculated that these devices would be targeted by malware to steal personal information. Many proof-of-concept viruses and trojans were created in the period between 2007 and 2009, and none of these threats became widespread. As smartphones become more sophisticated and allow a larger variety of programs to run, the number of potential vulnerabilities increases. In August 2010 the first trojan to target the Android platform was discovered, but it never posed much of a threat. While the threat of account and identity theft via smartphones is very low in comparison to PC-based attacks, it is predicted to grow fairly rapidly in the coming years. As smartphones gain the ability to replace credit cards, and as more people use their smartphones for banking and financial transactions, more hackers will be attracted to the mobile platform. To keep trojans off your smartphone, only download apps from regulated, well-trusted marketplaces, and pay attention to comments and ratings, which can also help spot malicious apps. Also be wary of apps that ask for more permissions than they should need. New smartphone threats are changing rapidly, which may indicate that most of them are tests to see what works and what doesn't, and what kinds of methods could yield profitable theft of information.