Thursday, January 24, 2008

Fakin' Care of Business

OK, you already know you can get infected with malware by visiting web sites in the Internet's red light district or by foolishly clicking on links in e-mails promising to decrease your mortgage payments or increase the size of various body parts. So you should be fairly safe, right?

Wrong.

It turns out that avoiding obviously shady web sites isn't enough. According to Websense's Second Half of 2007 review the majority (51%) of malware attacks in the last half of 2007 came from legitimate web sites that had been hacked.

How is this possible? Here's what Websense's vice president of security research, Don Hubbard, had to say in a January 23rd, 2008 article in Computerworld:

Sites are hacked in a variety of ways, said Hubbard, who noted that there is no one method that stands out. "[Compromises are] all over the place, unfortunately, [including] miss-configurations, no patches and so on."

In other words, the companies responsible for the compromised sites aren't taking security seriously. That's because making web sites and applications secure costs money without making any obvious contribution towards profits. Given the choice between making a web site more secure and sticking more bells and whistles on it, corporate America's empty suits will inevitably choose the latter.

And it's not just web sites you have to worry about. The Websense report also notes that 87% of email messages are spam and that 67% of those unwanted emails include links to malicious or spam-producing sites.

In fact, thanks to the proliferation of digital add-on devices, you can get infected without even opening an email or starting up your web browser. As reported in a January 19th product alert, digital picture frames made by Insignia (and sold at Best Buy) "were contaminated with  a computer virus during the manufacturing process." When you use the frame's USB connector to download an image from your PC, the frame reciprocates by uploading an (unspecified) virus.

Insignia doesn't say where the infected frames were made, but given the low prices of their products and some comments in on-line forums, it seems likely that they're made in that hotbed of high product quality, China.

The fact that China is actively engaged in cyberwar with the USA is, of course, just a coincidence.

No comments: