by Erik Larkin
When the Web was young and blink tags abounded, it wasn’t hard to avoid the bad stuff online. You could generally tell by looking at a site if it was unsavoury or even dangerous, and if you were careful with your surfing and your e-mail, you could generally have gone without antivirus.
Not anymore. These days crooks like nothing more than to find a security flaw in a benign but vulnerable site and use the flaw to insert hidden attack code. Once in place, that hidden snippet will scan for security flaws on your PC any time you view the page. If it finds one, it will attempt a “drive-by-download,” which surreptitiously downloads and installs malware onto your computer.
Sites large and small, from personal pages to big-name company sites, have been hacked in this way. You won’t notice anything out of place if you view a hacked page, though if you know what to look for you might recognize an inserted ‘iframe’ if you view the page’s source code.
The same theme holds for e-mail as well. Your trained eye can likely spot the majority of e-mail attacks, and you may even get a good chuckle out of some of the clumsy grammar and spelling. But not every attack e-mail is easy to spot. The targeted attacks mentioned for myth #2 in particular are difficult to catch, and even wide-net blasts can often use good social engineering hooks.
This iron man myth needs to go the way of those god-awful blink tags for two reasons: First, so you’ll know to keep your PC secure so that if you’re unlucky enough to happen across a hacked site, or accidentally open that well-crafted e-mail, the drive-by-download or e-mail payload won’t snare you. Second, if you run your own site, you’ll know to keep an eye on it to make sure it hasn’t been hacked to attack your visitors. In particular, make sure you keep blogs and any other Web applications up to date.
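For site owners, one way to keep that eye on your own pages is to list every iframe that is invisible to visitors or that loads from a host you never embedded. The sketch below is an added example, not part of the original article; the allowlist, the host names and the sample page are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Style fragments that make a frame invisible to a visitor.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?<![\w-])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)

class IframeAuditor(HTMLParser):
    """Collects every <iframe> that looks out of place, with the reasons."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        # An empty host means a relative URL, i.e. the site's own content.
        if host and host not in self.allowed_hosts:
            reasons.append("off-site host: " + host)
        if a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1"):
            reasons.append("zero or one pixel size")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden by style")
        if reasons:
            self.findings.append((src, reasons))

def audit_page(html, allowed_hosts):
    """Return a list of (src, reasons) for iframes worth a manual look."""
    auditor = IframeAuditor(allowed_hosts)
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample page: one expected video embed, one injected-looking frame.
SAMPLE = """<html><body><h1>My blog</h1>
<iframe src="https://video.example.com/embed/42" width="560" height="315"></iframe>
<iframe src="http://unknown-host.example.net/in.php" width="1" height="1"
        style="visibility: hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in audit_page(SAMPLE, {"video.example.com"}):
        print(src, "->", "; ".join(reasons))
```

Run it against a saved copy of each page and compare the output with the embeds you know you added; a finding is a prompt to inspect the page, not proof of compromise.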
If you read the previous security myth-buster, you know antivirus by itself isn’t enough. And now, you know that your good sense, while critical, isn’t enough either. So sayonara, myth three. Move on to #4…
Wrong. A good security program will help a good deal, but no program can catch everything. Antivirus companies are locked into a constant battle with the bad guys, who put all their effort into staying one step ahead of antivirus detection with a flood of new techniques and programs. Security software can often deflect those threats. But sometimes, the bad guys get the upper hand.
Antivirus apps have to scramble most when faced with highly customized ‘targeted attacks.’ Crooks put a good deal more time into crafting these attacks, with smooth social engineering (i.e., con-job techniques) to fool the recipient into opening an e-mail attachment, for instance, and careful prep work to ensure the payload can evade antivirus protection. These targeted attacks aren’t common, but they represent a major challenge to security apps.
And then you have the vast numbers of non-targeted, run-of-the-mill malware. The bad guys spew out ridiculous numbers of variants, sometimes on the fly, to try to stay ahead of antivirus signatures. Security companies have an easier time squaring off against this technique with proactive protections that don’t require a full signature, and also (for some) with new features that can send signatures of suspicious files to online servers with larger, and more up-to-date, signature databases than can be stored on your PC. But this flood also represents a challenge to antivirus.
So don’t let your guard down just because you have a good antivirus app installed. You still need a layered defense, where the most important layer consists of knowing the threats–and dispelling the five most dangerous myths.
Next: Myth No. 3 — You can tell a fake or hacked Web site or phishing e-mail by looks alone.
by Erik Larkin
Note: This is the first of five parts. For the next part, click on the link at the bottom.
Still think that today’s computer viruses and other malware come from some maladjusted teen out to vandalize your PC to make a name for himself? Think again. The persistent myth is a holdover from days long gone, and it’s important to dispel it if you want to know what you’re up against – and how to protect yourself.
The splashy worms and malicious viruses that clogged entire networks and indiscriminately wiped hard drives are essentially gone. Today, it’s all about cash – and lots of it. If there’s a way to use evil software to make money, whether it means taking over a PC to send pharmacy-advertising spam, or stealing financial logins and credit card info, or even hacking game accounts, it’s out there in some form.
There’s even a thriving online black market that sells everything from software kits to roll-your-own malware to spam services using infected PCs to reams and reams of credit card data stolen by keylogger malware.
It’s most important to get rid of this myth in order to get rid of the idea that you can usually tell whether you’re infected by obvious signs like big pop-ups or suddenly missing files. Malware writers today work to keep infections as quiet as possible for as long as possible so that they can continue to make money.
But it’s also important to keep in mind that today’s online crooks have become very creative in figuring out how to make money with their malware. Stolen Webmail accounts have been used to send messages to the account’s contact list asking for money transfers. Popular online games such as World of Warcraft are a huge target, with thieves raiding hacked accounts to sell the items or in-game currency for real money. So don’t assume that there’s no risk using an untrusted PC as long as you don’t log onto your bank.
Now that we’ve banished the first myth, the 2nd myth will follow shortly…
“A committee is best composed of three people, with one who is always sick and another who is always absent.”
“A committee is composed of people who individually can do nothing, who come together to conclude that nothing can be done.”
As someone who has spent a career working in and with membership organizations, and with committees, I laughed pretty hard when I heard these wisecracks. And yet, there is a rather sad truth to the indictments they make. Committees are often so indecisive and willing to split the difference that it would almost be better to leave important choices to a single leader. Committees are often convened to give the appearance of action when, in fact, there is no real intention to act. And yet committees are structures we use frequently to manage work in our organizations, so we can’t get away from them.
It is unfortunate, but in my experience, committees are not catalysts for innovation. Indeed they are frequently among the biggest barriers to innovation, and sometimes that is by design. If your job requires you to work with committees, I encourage you to challenge the committee’s members to avoid ignoring obvious problems and avoid becoming obstacles to progress. You should issue this challenge regardless of your role: committee chairman, member or staff liaison. Committees can be important contributors to the work of innovation, if only they are willing to violate the conventional wisdom embodied in the jokes we tell about them.
There are many groups of scholars and academics who have attempted to define the concept of Visual Literacy, but as with any group of individuals there is little general consensus so far. This is certainly due to the fact that those representing the different disciplines and archetypes each want to interpret Visual Literacy in a way that reflects and supports their own contribution or way of thinking. The tragic result is that a theoretical concept was created with seemingly little practical value, and cannot be used productively until an agreed definition is established.
It should be self-evident that if a concept does not have a broadly accepted framework, if the theory behind it is confusing, and if it is a matter of continuing controversy with every individual trying to force their will on the collective, then the only reasonable way to cope with it is to abandon it. Nevertheless, with the exception of a very few cases of minor importance, no serious attempt has ever been made towards discarding Visual Literacy altogether.
According to Wikipedia, “visual literacy” is defined as: “the ability to interpret, negotiate, and make meaning from information presented in the form of an image. Visual literacy is based on the idea that pictures can be ‘read’ and that meaning can be communicated through a process of reading.”
Pay Visual-Literacy.org a visit and see what they are attempting…