Sunday, March 27, 2011

Trust Me, I am a Security Pro

Everyone you talk to seems to have their own special advice on how to avoid having your game account hacked. Unfortunately, there is both good and bad advice given. While I normally blog about the good advice, I decided to take some time and dispel some of the common IT security myths out there.



Myth: You can't get hacked by simply visiting a web site

People often claim that you can't be hacked by just visiting a web site and that you need to download and install something by clicking on it.

This is false. You can indeed pick up a trojan/keylogger simply by browsing to a web site that has malicious content which takes advantage of a vulnerability and, depending on the vulnerability, you may not even know that you have been infected.

Vulnerabilities can be found in the operating system, your browser, your flash player, your media player and in any piece of software that runs on your machine. Many of these vulnerabilities, if exploited, allow remote code execution which can be used to automatically download malicious software without your interaction or knowledge.

Myth: Running Firefox/Mozilla means I am safe

Internet Explorer has traditionally been one of the most exploited browsers, mainly because of its historical prevalence. These days, Firefox is the most popular browser amongst WoW users (44%), with IE (22%) and Chrome (21%) coming next... and the hackers have followed. Many vulnerabilities and exploits have been discovered with Firefox.

Other browsers are not perfect either. For example, a competition at a security conference found that most browsers could be easily compromised with Google's Chrome being the last one standing.

Myth: Run 'noscript' and you will be fine

Noscript is an addon for firefox that allows you to block flash and javascript on web pages. It helps alleviate issues such as flash vulnerabilities that are often announced. 

Noscript is a very good idea in concept but it breaks most web sites, especially modern web sites that require flash and javascript (which is nearly all of them).  This is the traditional trade-off you get with security.  Noscript provides some excellent protection but you will not get the full functionality from web sites without extensive whitelisting.

Myth: I run a Mac and Macs don't get malware

Yes they do - just not as much malware as what Windows users can expect.

However, you can still get phished.  Given that many of the account hacks are a result of phishing attacks, Mac users need to remember that they are just as vulnerable to these as any other user.

Myth: Pick up free anti-virus software and you will be right

Honestly, you get what you pay for.  As someone that comes from the anti-virus industry, I know the investment required to produce a top-quality anti-virus solution.  Free AV is good, but paid-for AV is better. It ultimately comes down to your tolerance of risk and whether you are prepared to pay for better protection. You can see a list of AV products and their ratings at avtest.org.

Myth: I have an Authenticator therefore I am protected 100%

No security will provide 100% protection. Whenever you hear someone say that something is 100% secure then don't believe a word of it.

The authenticator recently fell victim to some malware that intercepted the authenticator's code and sent it off to the hacker. But don't despair - the authenticator is still one of the best prevention mechanisms you can buy.

I don't have an authenticator, I don't run AV, I don't have a firewall and I have never been hacked.

You should go and buy yourself a lottery ticket. Seriously, you are very lucky.

As discussed earlier, you can get infected simply by surfing a page that features some malformed objects designed to exploit a vulnerability in some piece of software on your PC.

But you avoid bad sites such as hack sites or porn sites, right? 

Well, even the good sites get hacked to become a source of malware. This is becoming a much more common method of malware propagation.

Visit our 10 Easy WoW Security Steps post to learn more about securing your WoW account.