Student Aid on the Web

FSAfety News

October 2009


It's time to refresh our memories about IT security and its importance to you, the student.


How do hackers get your personal data? Primarily by tricking ordinary users such as you into freely giving it to them. The technique is called "social engineering." Online social engineering used to garner personal information is called "phishing."


Social engineering is the process of convincing you, the victim, that he, the hacker, is legitimate and that you should give him your personal information — everything from login IDs and passwords for online systems to SSNs and credit card information is stolen in this manner. Social engineers use everything from the phone ("Hi, I'm a network technician and there's a problem with your node. Can you give me your ID and password?") to emails ("FROM: Security Dept., YourBank, Inc.; SUBJECT: Problems with your account") to falsified web pages (http://Myspace.ru — the real URL is http://myspace.com). And, the unwary Internet user — that's you, remember — doesn't notice until it's too late. This kind of activity is big business! It's not just something computer geeks do for fun, and it can cause you a lot of trouble, time, headaches, effort, and money.


One of the most difficult-to-deal-with methods of stealing information is through what's called a "keylogger." A keylogger is a small piece of code — a program, actually — surreptitiously inserted onto your computer's hard drive and loaded with all the other bits of code when the computer starts up. Once in memory, the code captures each keystroke on the machine and saves it to a hidden file. Then, periodically, that file is sent over the network to a holding area on the hacker's drive, where it's examined for personal data. Anything that helps steal an identity is extracted and made available for use or for sale to other scammers who need a credit card number to buy something with your money.


How are keyloggers added to users' computers? There's that social engineering thing again. You get asked to load it ("Free! Download this free Michael Jackson screen-saver") or you get inveigled into visiting a dodgy Web site where it's done without asking, while you're doing something else. Increasingly, hackers/scammers are using social-networking Web sites such as MySpace, Facebook, and Twitter. Here's an example of a Twitter scam just discovered by security researchers: http://www.theregister.co.uk/2009/09/24/twitter_phishing_worm/


So, I hear you ask, how do I protect myself? And the answer is, sometimes you can't avoid a scammer Web site, sometimes you can't avoid hidden programs, but you can always remember to keep your virus/spyware scanner programs up to date, and, if your school network allows them, use a personal firewall program on your workstation. Ask your network administrators about these programs, and always scan your PC if you've used it off the school network (to avoid spreading the keylogger you accidentally "caught" on vacation). Watch where you're going on the Internet, too, and don't be fooled by social engineers.


If your school network doesn't have virus/spyware scanner software, see about installing some on your own machine anyway. But be careful to use legitimate scanning software — there are several fake scanners "out there" that install their own keyloggers and other malware. A "free virus scanner" is worth every penny you pay for it, and may hide a bonus you don't want.


Here's a Web site with good advice for avoiding phishing and social engineering traps: http://www.antiphishing.org/consumer_recs.html


Last updated/reviewed October 5, 2009
