Five Common Myths About Computer Security

Having a strong password, running a good anti-virus program and using a firewall are all good security measures. Unfortunately, there are a number of common myths surrounding these basic security measures.

Myth: I'm secure because I have a personal firewall.

Using a personal firewall is an important security step; however, a firewall will not prevent you from opening an infected Email attachment, visiting a malicious web site, or sending private and confidential data over instant messaging. A firewall only prevents other computers from making a network connection to your computer without your permission; it's like locking the door to your house.

Myth: I'm secure because I have anti-virus.

Running an anti-virus program is a good thing, and it does stop a lot of malicious software from being installed. Unfortunately, the anti-virus makers are losing the battle against malicious software. Most spyware and spam bots are encrypted, and encrypting the malicious software makes it invisible to your anti-virus program. Most malicious software is automatically downloaded and installed by your Web browser when you visit an infected web site, without you even knowing it. Email and instant messaging are other common avenues for malicious software to get onto your computer.

Myth: This Web site is secure because it uses https.

HTTPS (SSL/TLS) encrypts the network connection between your computer and the Web site, but that's all it does. How secure a Web site is depends on how well its software is written, how well the Web server is maintained and on the business practices of the Web site operator. A Web site whose software is vulnerable to buffer overflows, SQL injection, or cross-site scripting is not a secure Web site regardless of SSL. A Web site that sells or trades your information is not a secure Web site regardless of SSL.

Myth: My account is secure because it has a password.

Requiring a username and password to log into your account provides some degree of security. However, usernames and passwords alone are no longer good enough. There are too many ways to intercept passwords or trick people into giving out their password, and password cracking has become very quick and easy to do. People continue to choose weak passwords and share their passwords. A username and password is no longer a secure or reliable way of verifying the identity of the person logging into the account. Some computer systems are starting to augment the standard username and password with an additional form of authentication (2-factor), such as a swipe card or USB token, when verifying the identity of the user. Until strong 2-factor authentication becomes widely available, we will need to continue to use strong, complex passwords and keep them secret.

Myth: Neither my computer nor my cell phone can be attacked because they use wireless.

It is nearly impossible to have a truly secure wireless network connection. Bluetooth wireless is particularly vulnerable. While Bluetooth does use encryption, it uses a 4-digit PIN called an association key. The factory default value is usually 0000. This 4-digit association key can be cracked in less than 30 seconds using freely available software from the Internet. Once cracked, the attacker is able to listen in on your conversations and, in some cases, may even be able to join your conversation. Other forms of wireless are also vulnerable to attack. Wireless access points that do not have some type of encryption enabled are not at all secure; most wireless cafes and other wireless hot spots provide open, unencrypted, unsecured wireless access. Ad hoc peer-to-peer wireless is also a high security risk. Even when encrypted, wireless access can be attacked using techniques such as "Monkey in the middle". When used, wireless access should be augmented with additional network security such as VPN, SSH, or SSL tunneling. Bluetooth and other wireless connections should be turned off when not in use.

The Internet is a dangerous place. No single security technology can provide complete protection. The best we can do is use our computers wisely and build up layers of defense: keep your computer software up to date, use a personal firewall, run a good anti-virus program, choose strong, complex passwords, and be cautious when opening Email attachments, surfing the web or using messaging applications.