Even today, many web users don’t pay enough attention to internet security. That should change, so in this article we have collected the top ten issues that every ordinary internet user should know about. Some of the following tips are discussed all over the web in discussion boards, but many readers miss the point of the problem. The next few paragraphs should give you an easy introduction to the most common web threats.
1. One password for all your web application accounts
Passwords in web applications are certainly one of the most discussed topics. Using a single password for all web application accounts is common among web users. That is no surprise, since one person may use tens of accounts, and remembering so many unique passwords is a challenge. But this approach has a serious drawback that many people overlook: if somebody obtains the password to any one of your web accounts, they have the password to all of them.
Simple passwords can be cracked in a few seconds
Take a look at any discussion board on the web. To register, you usually need to provide an e-mail address to which the activation details are sent. The problem arises if an attacker gets a dump of the board’s database with user credentials. A simple script can extract all the e-mail addresses, which can be sold to spammers, and the attacker can also try to crack all the user passwords in the database. If that succeeds, nothing stops them from logging in to the e-mail accounts with those passwords: if a user chose the same (and simple) password for both the e-mail account and the discussion board account, the attacker now has the user’s e-mail account. Every step in this process is, of course, automated with simple scripts. At the beginning of 2009 something similar happened to phpBB.com, when a hacker obtained the database with over 400 000 registered users.
Useful information:
http://www.wikihow.com/Choose-a-Secure-Password
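The paragraph above describes why a dumped credential table is so valuable: with a fast, unsalted hash every user who picked the same simple password gets the same hash, so one cracked entry unlocks all of them. The following Python example is added here to illustrate that point; it is not code from the original article or from phpBB. It contrasts the legacy unsalted MD5 storage with salted PBKDF2 from the Python standard library, using a small constructed user table (the names and passwords are hypothetical), and shows that the salted scheme yields no duplicate hashes even when two users share a password.

```python
import hashlib
import hmac
import os

# Constructed user table for the demonstration: two users happen to share
# the same weak password. (Hypothetical names and passwords.)
USERS = [
    ("alice", "password123"),
    ("bob", "password123"),
    ("carol", "correct horse battery staple"),
]


def legacy_hash(password: str) -> str:
    """Unsalted MD5, the way many older boards stored passwords.

    Identical passwords always produce identical hashes, so a leaked table can
    be attacked with one precomputed lookup for every user at once.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = 200_000) -> str:
    """Salted, slow hash (PBKDF2-HMAC-SHA256 from the standard library).

    The random per-user salt makes equal passwords hash differently, and the
    iteration count makes each guess expensive for whoever holds the dump.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def legacy_rows():
    """The user table as a board with unsalted MD5 would store it."""
    return [(user, legacy_hash(pw)) for user, pw in USERS]


def salted_rows():
    """The same table stored with per-user salts."""
    return [(user, hash_password(pw)) for user, pw in USERS]


def duplicate_hash_groups(rows):
    """Return groups of users whose stored hash is identical.

    In a leaked dump every such group falls to a single cracked entry. With
    per-user salts the function returns no groups even when passwords repeat.
    """
    by_hash = {}
    for user, stored in rows:
        by_hash.setdefault(stored, []).append(user)
    return [users for users in by_hash.values() if len(users) > 1]


if __name__ == "__main__":
    print("unsalted MD5, shared hashes:", duplicate_hash_groups(legacy_rows()))
    print("salted PBKDF2, shared hashes:", duplicate_hash_groups(salted_rows()))
    stored = hash_password("password123")
    print("correct password verifies:", verify_password("password123", stored))
    print("wrong password verifies:", verify_password("Password123", stored))
```

Note that salting only removes the "crack once, own everyone" shortcut; a single simple password is still guessable on its own, which is why the board and the e-mail account should never share one.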
2. Phishing and typosquatting
Although many people think of phishing as a hacker attack aimed at grabbing credentials to bank accounts, many other web accounts face phishing attacks too: e-mail services, auction sites, discussion boards, social networks and any other subscribed web service. Protecting against phishing isn’t trivial, mainly because there are many attack vectors that can be combined into a new, uncommon attack. Everybody probably knows the old, well-known attack in which users receive an e-mail instructing them to fill in a form and send it back. You may think nobody falls for this old trick any more, but unfortunately a lot of people are not educated in web security, and one or two percent of all sent e-mails are successful (from the spammer’s point of view). There are people who, believing they are doing the right thing, follow the steps in the e-mail and send their information (credit card details, login credentials etc.) to the spammers.
But the attack vectors are not always just fake e-mails. Users are very often tricked simply because they made a typo while typing a web address into the browser, which makes them victims of typosquatting. The user sees a web page very similar or identical to the genuine one, but it is the attacker’s website.
You can defend against phishing with the advanced JavaScript settings in the web browser
If you access your web accounts from an internet cafe or any other public computer, you should also watch out for a fake home page. Attackers often set their crafted website as the browser’s default home page to capture the user’s login and password. When a user tries to log in, the fake web page saves the login and password, redirects the user to the genuine website and logs in with the provided credentials. The attacker has the login name and password, and the user keeps working without noticing anything.
Many web applications provide one of the best protections against typosquatting: a history log of the latest account visits, with the IP address of the computer used. This type of protection helps users find out that their account has been compromised. Every web application should implement this kind of account protection.
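As an added illustration of the account-history protection described above (this is example code written for this article, not taken from any particular web application), the following Python snippet keeps a per-account log of recent logins with timestamp, IP address and browser, renders it the way a "last account activity" page would, and flags a login from an address the account has never used before so the application can notify the owner. The login events and addresses are constructed for the demonstration and use documentation address ranges, not real hosts.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class LoginEvent:
    """One successful login, as a web application would record it."""
    username: str
    when: datetime
    ip: str
    user_agent: str


class LoginHistory:
    """Per-account log of recent logins, plus a check for unfamiliar source IPs."""

    def __init__(self, keep: int = 10):
        self.keep = keep               # how many recent logins to retain per user
        self._events = defaultdict(list)

    def record(self, event: LoginEvent) -> bool:
        """Store the event and return True when its IP has never been seen for
        this account (among the retained entries). The very first login sets the
        baseline and is not flagged. A True result is the moment to notify the
        account owner."""
        previous = self._events[event.username]
        unfamiliar = bool(previous) and all(e.ip != event.ip for e in previous)
        previous.append(event)
        del previous[:-self.keep]      # keep only the newest entries
        return unfamiliar

    def recent(self, username: str) -> list:
        """Newest login first, as the account page would show it."""
        return list(reversed(self._events[username]))

    def render(self, username: str) -> list:
        """Plain-text lines for the 'last account activity' page."""
        return [
            f"{e.when:%Y-%m-%d %H:%M} UTC  {e.ip:<15}  {e.user_agent}"
            for e in self.recent(username)
        ]


def _ts(day: int, hour: int) -> datetime:
    return datetime(2009, 3, day, hour, 0, tzinfo=timezone.utc)


# Constructed sample: three logins from the user's home connection, one from an
# internet cafe, then one from an address the user has never used. Addresses are
# from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_EVENTS = [
    LoginEvent("alice", _ts(1, 8), "203.0.113.10", "Firefox/3.0"),
    LoginEvent("alice", _ts(2, 9), "203.0.113.10", "Firefox/3.0"),
    LoginEvent("alice", _ts(3, 8), "203.0.113.10", "Firefox/3.0"),
    LoginEvent("alice", _ts(4, 14), "198.51.100.7", "MSIE 7.0"),   # internet cafe
    LoginEvent("alice", _ts(4, 23), "192.0.2.44", "MSIE 6.0"),     # unknown to the user
]


def replay(history: LoginHistory, events) -> list:
    """Feed events through the history and return those flagged as unfamiliar."""
    return [e for e in events if history.record(e)]


if __name__ == "__main__":
    history = LoginHistory()
    for e in replay(history, SAMPLE_EVENTS):
        print(f"notify alice: new login from {e.ip} ({e.user_agent})")
    print("\n".join(history.render("alice")))
```

The user who logged in at the cafe will recognise that entry; the later login from a third address is the one that tells them their credentials have been captured. Rendering the log on the account page matters as much as the notification, since a user may not read e-mail that has itself been compromised.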
Useful information:
http://en.wikipedia.org/wiki/Typosquatting
http://en.wikipedia.org/wiki/Phishing
http://www.microsoft.com/protect/yourself/phishing/identify.mspx
Top 10 threats on the web 1 of 5