The Five Most Dangerous Security Myths: Myth #3


When the Web was young and blink tags abounded, it wasn't hard to avoid the bad stuff online. You could generally tell by looking at a site if it was unsavory or even dangerous, and if you were careful with your surfing and your e-mail, you could generally have gone without antivirus.

Not anymore. These days crooks like nothing more than to find a security flaw in a benign but vulnerable site and use the flaw to insert hidden attack code. Once in place, that hidden snippet will scan for security flaws on your PC any time you view the page. If it finds one, it will attempt a "drive-by-download," which surreptitiously downloads and installs malware onto your computer.

Sites large and small, from personal pages to big-name company sites, have been hacked in this way. You won't notice anything out of place if you view a hacked page, though if you know what to look for you might recognize an inserted 'iframe' if you view the page's source code.

The same theme holds for e-mail as well. Your trained eye can likely spot the majority of e-mail attacks, and you may even get a good chuckle out of some of the clumsy grammar and spelling. But not every attack e-mail is easy to spot. The targeted attacks mentioned for myth #2 in particular are difficult to catch, and even net-cast-wide blasts can often use good social engineering hooks.

This iron man myth needs to go the way of those godawful blink tags for two reasons: First, so you'll know to keep your PC secure so that if you're unlucky enough to happen across a hacked site, or accidentally open that well-crafted e-mail, the drive-by-download or e-mail payload won't snare you. Second, if you run your own site, you'll know to keep an eye on it to make sure it hasn't been hacked to attack your visitors. In particular, make sure you keep blogs and any other Web application up-to-date.

If you read the previous security myth-buster, you know antivirus by itself isn't enough. And now, you know that your good sense, while critical, isn't enough either. So sayonara, myth three. Move on to #4.

Subscribe to the Security Watch Newsletter

Comments