Home Columns The State of Security

The State of Security


by Jeremy Lesniak

It seems that I’m always writing about technology security. My articles are often full of advice about backups and infections. Unfortunately, as time has passed, we’ve seen a dramatic rise in the frequency and severity of infections. The attacks are becoming more sophisticated and creative as users are becoming savvier. Let’s look into a few of the items causing problems in our technology world today.

A Web with Holes

While infections are most common on Windows-based computers, we’re seeing growth in infections targeting Apple computers and various smart phones, too. Back in the spring I talked about Heartbleed, a security vulnerability affecting many web servers. At the time, some considered this the most catastrophic vulnerability ever discovered. Now we’re facing another, potentially more disastrous security hole: Shellshock.

While Heartbleed only allowed attackers to extract information from the compromised computer, Shellshock enables one to control the compromised system. This new threat exists because of a vulnerability in a piece of code first written in 1989. This code exists in a great number of computers, including web servers, and has been vulnerable since a revision to it was introduced in 1992. While the vulnerability was only discovered in mid-September of this year, updates for the code have been released, but they don’t address all the major problems. Only time will tell how much impact Shellshock has.

Attack by Phone

Over the last few years I’ve witnessed a rise in a complicated and confusing type of computer threat: the malicious phone call. Yes, people are receiving a number of computer-centric phone call scams. These vary in their details, but seem to follow a similar pattern. First, the caller will claim to be from Microsoft and inform the person answering that his or her computer is infected. The phony Microsoft representative will offer help for a small fee—around $50.

If you agree to the offer of help, the con artist will take your credit card information and then talk you through the installation of some software. That software will give the “representative” access to your computer, something that more people are becoming comfortable with. Once the fake tech-support person has access, he or she will pretend to discover something that seems terrible.

At this juncture the stories diverge. Some people say that the fake representative will claim that the problem is too severe to be handled at that moment, and that another representative will call back. Others say that the caller in this case requests more money. Either way, these calls are fraudulent. Microsoft probably doesn’t have your phone number. Even if it does, the software giant will never call you. In fact, you should never provide your credit card number to someone over the phone unless you’ve initiated the call. This is sound advice in all realms, not just technology. If you think the call might be legitimate, tell the person you’ll have to call back. Contact the company the caller claims to be from and see if things are on the up and up.

If you’ve been on the receiving end of one of these tech-support scams, I hope you didn’t accept the scammer’s offer. If you’ve given the caller your credit card number, contact your bank immediately and cancel the card, even if you haven’t seen any fraudulent charges. If you let such a person into your computer, shut it down immediately and have a knowledgeable person or firm inspect it.

Even Your Thumbdrive Is Vulnerable

These last few months we’ve seen multiple researchers release proof that any USB device—hard drive, flash drive, printer and so forth—can be compromised. Connecting a compromised USB device to a computer can yield a wide variety of results, and the severity can be dramatic. Anything is possible, from someone accessing your information to someone assuming remote control of your computer.

It’s important to note that no cases of thumbdrive-mediated system compromise have actually been documented. To date, the only examples have come from research firms. However, it’s now a race between the companies involved in producing USB devices and the malicious types that would do nasty things with them. The easiest way to stay safe is to purchase only new USB devices, and only from reputable retailers.

Final Thoughts

True, this piece makes the world seem awfully bleak. And with even bleaker topics unrelated to internet security flooding the news of late, it’s easy to get discouraged. Technology, though, is one place where you do have a bit of control. You know the things you should do—use good passwords, pay attention, don’t click things you shouldn’t, and so on. By exercising some patience and awareness, you’re far better off. And no, there’s no strain of Ebola that can jump between computer and human. At least not yet.