
10 technologies that cybercriminals love to exploit

Cybercriminals can go after your users in any number of ways, and the results can be devastating. Share this list with them to help them stay on their toes in this increasingly risky online world.


New technologies make it easier for all of us to get our work done online, communicate with others, and take advantage of all the Internet-based entertainment that's available today. But many of those same technologies have also made it easier for cybercriminals -- the bad guys who use the ‘Net for illegal purposes -- to do their dirty deeds. We're talking about hackers, attackers, spammers, scammers, phishers, and other criminal types.

In this article, we'll take a look at the top 10 online technologies that they love to exploit and see how you can protect yourself, both at home and at your business, when using those technologies.

Note: This information is also available as a PDF download.

#1: Broadband connectivity

Broadband has come to most of the United States, with almost 73 million subscribers as of the end of 2007. That's more than 50% of U.S. households and more than 70% of all home Internet subscribers. Experts predict that by 2012, more than 70% of households will have broadband access.

Broadband has many advantages for users, including high speed at relatively low cost and the "always-on" nature that eliminates the need to log onto the ISP each time you want to access Internet resources. But those same characteristics also make it the perfect technology for exploitation by hackers and attackers. Having your computer connected to the ‘Net 24/7 means the cybercriminals have a much wider window of opportunity to gain access and steal your data, crash your computer, or otherwise do you harm. And the high speed of new access technologies (for example, Verizon now offers 50Mbps plans and predicts speeds up to 100Mbps or more in the near future) means a "drive-by download" can put even a large malicious file on your machine in just seconds.

#2: Wi-fi networking

Another technology that has become incredibly popular is wi-fi, or 802.11 wireless networking. With increasing frequency, both home and business networks are connected by wireless technologies instead of Ethernet cables, and wi-fi hotspots proliferate in public places such as coffee shops, airports, hotels, and city parks. Wi-fi offers maximum convenience because you can move around and stay connected, but it also makes it more convenient for a criminal to get onto your network and into your system without your even knowing, since anyone with a wireless-enabled laptop within range can intercept the signals.

Unlike their older counterparts, new wireless access devices use encryption by default -- but you need to check and ensure that yours uses the more secure encryption, such as WPA/WPA2/802.11i rather than WEP, which is easy to crack. You should also use strong encryption for the applications you run over a wireless network (for example, SSH and TLS/HTTPS). You can use a VPN (virtual private network) or IPsec to encrypt traffic traveling over a wireless LAN, and you should create a separate network segment for your wireless communications if you also have a wired LAN. For more information about wi-fi security, see http://www.wardrive.net/.

#3: Removable media

Floppy drives have been almost entirely replaced by CD/DVD readers/writers, flash card readers, and USB drives, but whatever the form, cybercriminals love removable media. If they can get physical access to a computer, they can quickly and easily copy files and remove them, often with no one the wiser. Removable media also pose a security risk because it's easy to lose discs, thumb drives, flash cards, and the like.

You can use Group Policy in Vista or edit the registry in XP to disable use of USB devices. You can also get third-party software that will block the use of any I/O devices through USB and IEEE 1394 ports or over Bluetooth wireless connections. For an example, see http://www.lumension.com/usb_security.jsp

If you're concerned about removable drives or cards being lost or stolen and the data on them accessed, you can encrypt the data on flash cards, CDs, and DVDs so that you can still work with them on different computers but a thief can't. For example, see http://www.dekart.com/howto/howto_disk_encryption/encrypt_flash_drive_cd_dvd/.

#4: The Web

The Web is hardly a "new" technology now, but it's still a favorite of cybercriminals because almost everyone who connects to the Internet uses a Web browser. Back when the Web was text-based, browsing was a pretty safe activity, but today's Web pages are expected to do much more, and many of them run programs -- such as JavaScript and ActiveX controls -- to give users a much richer multimedia experience. The problem is that attackers can use these browser capabilities to run their own malicious programs on your computer.

Don't be fooled into thinking that because you use a particular browser, you're safe. All popular browsers have vulnerabilities and can be exploited. More important are the browser's settings. If you disable JavaScript and ActiveX for most sites, you'll make it more difficult for attackers to get to your computer through your browser (but you may also not be able to properly view some sites). It's also important to install security updates for your browser as they're released.

#5: E-mail and instant messaging

E-mail is becoming ubiquitous. Almost everybody has one or more e-mail addresses, and it's one of the most convenient ways to communicate. It has almost the same immediacy as a phone call or instant message without the pressure to answer in real time unless you want to.

Unfortunately, e-mail also has some characteristics that make it attractive to criminals. They can send mail with spoofed return addresses so that it's difficult or impossible to discover the true origin of the messages. Thus, they can get away with sending spam, phishing messages, threats, child pornography, and other types of illegal correspondence.

Instant messaging programs can also present a threat. As with e-mail, IMers can pretend to be someone else, and most IM programs now support file transfer, which provides a way for criminals to download malicious software to your machine.

Technologies to authenticate the identity of e-mail senders, such as Microsoft's Sender ID and the more generic SPF, can solve the spoofing problem -- but only if all e-mail domain owners use them. Meanwhile, you can protect yourself with spam filtering software that allows you to create a whitelist or safe senders list and by following best practices such as not clicking on hyperlinks in e-mail, viewing your mail in text format only (no HTML mail), and not engaging in IM conversations or file exchange with people you don't know.
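As an added example (not part of the original article), the sketch below shows how a receiving mail server evaluates SPF: it compares the connecting IP address with the list the sender's domain publishes, and returns `none` when the domain publishes nothing. It handles only the `ip4`, `ip6`, `include` and `all` mechanisms; the domains, addresses and the `SAMPLE_TXT` table are constructed stand-ins for real DNS lookups.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (documentation domains and address
# ranges only); a real receiver would query DNS for these records.
SAMPLE_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"],
    "_spf.example.net": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
    "example.org": ["site-verification=constructed"],  # publishes no SPF
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # assumption: simple stand-in for SPF's DNS lookup limit


def check_spf(client_ip, domain, txt=SAMPLE_TXT, depth=0):
    """Return the SPF result for client_ip sending as <anything>@domain."""
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    records = [r for r in txt.get(domain.lower(), [])
               if r.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"          # domain owner has not deployed SPF
    if len(records) > 1:
        return "permerror"     # more than one SPF record is invalid
    addr = ipaddress.ip_address(client_ip)

    for term in records[0].split()[1:]:
        qualifier, mech = ("+", term)
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, value = mech.partition(":")
        name = name.lower()

        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            wanted = 4 if name == "ip4" else 6
            if net.version == wanted == addr.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            inner = check_spf(client_ip, value, txt, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"   # broken include breaks the whole record
            # fail / softfail / neutral from the include means "no match"
        else:
            # a, mx, exists, ptr, redirect= and exp= need more DNS handling
            raise NotImplementedError(f"unsupported SPF term: {term}")
    return "neutral"  # no mechanism matched and the record has no "all"


if __name__ == "__main__":
    for ip, dom in [("192.0.2.55", "example.com"),
                    ("203.0.113.7", "example.com"),
                    ("203.0.113.7", "example.org")]:
        print(f"{ip:15} as @{dom:12} -> {check_spf(ip, dom)}")
```

The `none` result for example.org is the gap described above: when a domain owner publishes no record, the receiver has nothing to check a spoofed sender against.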

#6: Unified communications

Unified communications (UC) is a popular trend in the enterprise space, and companies are finding many advantages in combining their e-mail, telephony, IM, and conferencing applications so that these programs can interact with each other. With voice over IP (VoIP) slowly replacing traditional telephone services, all these communications technologies can be run over the same network.

However, this also means that now your phone calls are subject to some of the same threats to which your data has always been vulnerable: VoIP packets can be intercepted or even modified in transit just as other data traffic can. For more about UC security threats, see http://www.techrepublic.com/blog/security/?p=406.

To protect yourself in a unified world, use encryption to keep important data confidential -- whether it's text, voice, or other. Also make sure UC software is updated regularly (along with the underlying operating system) and use authentication to verify the origin of messages and to ensure that messages haven't been tampered with.

#7: Peer-to-Peer (P2P) programs

The most popular means of exchanging large files quickly across the Internet is through the use of P2P software and networks, such as BitTorrent, KaZaA, Gnutella, and Napster. People use them to share music and movies in violation of copyright laws, but also for legitimate purposes, such as distributing their own home movies and pictures. The number of songs swapped via P2P networks is estimated to be in the billions per year.

Criminals love P2P networks because they can mislabel the files they share and cause you to download malware (such as a program that will allow the criminal to take over your computer) when you think you're downloading a song. Since most of these networks also strive to protect the anonymity of users, the bad guys have little risk of getting caught.

The best way to protect yourself from the dangers of using P2P applications is not to use them at all.

#8: E-commerce and online banking

More and more of us are conducting more and more of our business over the Internet. It's convenient to buy what we need from home and have it delivered to our doorsteps and to pay our bills and transfer money between our accounts without a trip to the bank. Criminals love this trend, because it gives them additional opportunities to get hold of your money. They can intercept information as it travels across the network, break into the databases of online businesses or financial institutions to steal information, or set up their own fake e-commerce sites and lure you into giving them your credit card number and other information under the pretense of selling you something.

To protect yourself when buying or banking online, do business only with well-known sites and ensure that your Web traffic is encrypted (your browser will indicate when a site is secure). Navigate to those sites directly. (Don't click a link in e-mail to get there.) Don't save your credit card information on the Web sites, either -- type it in each time. Keep a close watch on your credit card statements and bank statements and immediately report any suspicious or unauthorized activity.

#9: Mobile computing

Computing has become increasingly mobile and devices ranging from small PDA phones to full-size laptops are being used to store important data and connect to home and company networks. Because of their mobility, however, these devices can easily be lost or stolen -- and the data goes with them. If the device contains your personal information, you could be subject to identity theft. If it contains client information for your company, you could put those clients at risk and possibly put your company in violation of regulatory compliance requirements. Luckily, there are a number of ways to protect yourself from these threats.

Many portable computers today come with built-in TPMs (Trusted Platform Modules), which are hardware-based cryptography chips that work with software technologies such as Microsoft's BitLocker (included in some editions of Vista and Server 2008) to encrypt the drive and prevent a thief from being able to log on or access any of the files. More and more laptops also include fingerprint recognition software and other extra security measures. You can also install tracking software that will cause the laptop to "phone home" when connected to the Internet if you fail to enter the correct password.

Many PDA phones provide for password protection and you can buy third-party programs to encrypt data on the phone. The latest versions of Windows Mobile allow you to encrypt the information on the storage card without a third-party program, and you can also remotely wipe the device and card.

#10: Universal connectivity

Closely related to mobility is universal connectivity. We are putting not just our computers but our entire lives online. There are now kitchen appliances and laundry machines that can connect to the Internet, pool and spa equipment that can be accessed online, and so forth. Many of us have security surveillance cameras with built-in Web servers, which we can monitor from anywhere in the world as long as we have an Internet connection. All of this connectivity is great, but it opens up avenues by which criminals can invade our homes without ever setting foot inside.

We also put ourselves online in another way. We have personal Web sites, MySpace or Facebook accounts, Second Lives, and other venues where we reveal much more about ourselves than we might realize. Criminals love these social networking tools because they make it easy for them to pick victims and get to know them, sight unseen.

Reasonable precautions

What's the solution, then? Should we disconnect from the global network, erase our presences from the Web, and go hide in our rooms? Even if that were possible (and it's not), the cure would be worse than the disease. In today's world, functioning without the technology is becoming increasingly difficult, and once you've taken the technological plunge, the information is "out there" -- there's no going back.

The key is increased awareness and constant vigilance. Use common sense, as you do in the real world. Don't automatically trust strangers. Don't wander into places (virtual or physical) where you're unfamiliar with the terrain. Don't divulge sensitive information, such as credit card and bank account numbers, social security numbers, and birthdates, that can be used to steal your identity.

Most cybercriminals are like most other predators: They go for the easy marks. By taking some precautions, you can still use the technologies that they exploit -- so long as you use them wisely -- without becoming a victim.


More on cybercrime

You may also want to check out this sample chapter from Scene of the Cybercrime, 2nd Edition. In it, Deb Shinder and coauthor Michael Cross discuss cybercrime definitions and categories, jurisdictional issues, prioritizing cybercrime enforcement, educating criminal justice professionals and the IT community, and strategies for fighting cybercrime.

About

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...

22 comments
reisen55

My former manager was at an internet cafe in New York City, checking email and such. He is now a certified Business Continuity / Disaster Recovery planning and extremely worried about security issues. Decided to see where his wireless was coming from. NOT THE INTERNET CAFE...NOPE. MORGAN STANLEY office just across the street. No kidding. Wide open.

wsmith

Anyone have name of company with good endpoint protection? I have looked at GFI and Symantec but still looking. Thanks.

The Scummy One

Some Key Items "We're talking about hackers, attackers, spammers, scammers, phishers, and other criminal types." Hackers are people who alter code, for good/bad/or special needs. Crackers are hackers with malicious intent. You offer solutions for each of these (to help secure) however nothing is mentioned about Broadband. If the computer is sitting on the net, all one needs to do is have a batch file to disable the network card, or turn off the computer when not in use. e-Mail and IM are 2 different technologies. Aside from that, good article

Tony Hopkinson

Would that include windows networking by any chance ? Seeing as the best way to protect yourself is to not have I'll ju Oh small technical difficulty. Yes there's a lot of bad stuff available over P2P, most of it is offered by way of a hook. Such as NoCD, keygens, hacked programs. ie getting people right where it counts, in the greed. Up-to-date virus checker is the real solution. The chances of you getting hit by a new virus delivered over P2P, if you take elementary precautions are minimal. The bad guys' favourite weapons are ignorance and greed.

NotSoChiGuy

Address the security concerns with this 'technology', and you'll see a drastic reduction in cyber-crime. In seriousness, I am still surprised to see/hear how little regard computing security/best practices are given at major organizations. Companies mandate training seminars to employees on not harassing other employees in order to mitigate the risks associated with a lawsuit. I can't fathom why a similar precaution isn't taken with regards to computing. My 2 cents, though.

martian

Malicious dolts out there are referred to as "crackers", NOT "hackers". Please get it right. You'd think a tech column writer would know better...

astro01

We use device lock with Group Policy, great product.

s31064

Take a look at Sophos EndPoint Security package. Not many people know about Sophos, but every now and then someone remembers to include Sophos in a test or review and they wind up blowing everyone else away. We've been using it on our machines for more than five years, and we've never had a problem in all that time. http://www.sophos.com

Neon Samurai

The best description I've heard: "I am a Hackers. That means I belong to a community that values high quality programming. Hackers are simply people who [legally] explore technology in a playful and creative way." "Cracker" is the term given to mass media so they could differentiate but scare marketing and modern boogiemen sell more articles. Crackers are not members of the community or culture though many members may have gone through a cracker period when maturing. "Black Hat" was another attempt to offer differentiation. Really, I'd just love to see computer aided crime referred to as crime rather than buzzword-crime or "Hackers done this"; why differentiate because of the tool used, fraud is fraud. As someone else pointed out though, the biggest problem remains the apathy intake valve in the PE-BKAC interface. Users who don't care will continue to be herded.

Neon Samurai

In all my years from Napster to the latest name, I've never seen a successful hit from P2P. I've seen buggy and mistitled files but between the AV and my delete button, they don't last long. Granted, my Windows machines used to be locked down well enough to hit some of the dark and scary alleys of the Internet without anything getting through. Either way, I think P2P's threat is overrated. Users do have to be smart and realize that the "allggw.zip" 135kb file is not the complete works of girls gone wild packaged with really, really good compression. It's just that too much focus is put on the technology as if it's magically turning everything transferred into a malicious payload. "The bad guys' favourite weapons are ignorance and greed." So very true. Play the person across the table from you, not the cards.

Locrian_Lyric

Very laid back, but firm. You don't 'get in trouble' for security breaches, but you might find that you have to go to security to pick up your laptop that you left in your unlocked desk. But it goes no further than that. You don't go on report, you don't get harassed by security, and you don't feel like you are in a prison.

Neon Samurai

The rest of popular media will use whatever term generates the most fear to drive viewer numbers. You'd think a technology website would at least get it right but the number of TR writers let alone readers that can not distinguish is amazing. Worse still, some of the writers covering security topics have to include "hacker" in the purely pejorative as if the article content itself won't get viewers without scaring people into looking. To all written and broadcast mass media; please use the title in its correct context and find a new cool sounding buzzword for modern day boogieman. At minimum, those who claim a technology background and regularly write technology pieces. I'd go so far as to even point out "cyber-criminal"; why the F do we need to preface it with "cyber". Criminal is criminal and does not need a trendy preface. Why do we even distinguish between criminal acts just because a B&E uses a computer instead of a crowbar? My pages long rants on both topics have been repeated often enough so I digress.

Tony Hopkinson

you really shouldn't like warez sites, ring tones, free mp3s Far more dangerous places than P2P Anyone who downloads cracked.exe and runs it even with an up to date AV deserves everything they get, or don't as the case may be.

The Scummy One

desk drawers, cabinets, etc.. I am surprised that nobody has filed a lawsuit by now.

luc_andre

Just wanted to illustrate that while all people committing crimes are criminals they do have labels for those who commit specific crimes. Examples are: Crimes of Death/Murder - Murderers Theft - Thieves or Robbers etc.

Neon Samurai

I used to use astala-you-know-where for testing. If I can take a Windows box there, do a search and hit a few of the pages in the results; I know the machine has taken some good hits. If I get very few popups (unclicked; I'm not crazy, just a little nuts) and/or still scan clean afterwards; I know the system good or it was something new and interesting that got through. (Then I restore the clean VM image and make the successful changes to the production system. ;) )

Neon Samurai

My background includes some work on military bases so my view of personal privacy is a bit skewed towards having issued gear. It's one of the few places I'm less paranoid; if you issued the gear, you can look it over any time you like. That's a fantastic policy. We did similar with recycling bins here (I got a few notes from the cleaning staff initially) so the practice is not hard to implement event and it would at least give staff a superficial reason to care. I've actually considered plugging in a wireless router; not to the network, only the power outlet. The risk of explaining myself to security is not worth satisfying my curiosity by confirming if we actually do rogue router scanning. While fun, screwing with inhouse security is too far outside my job description to be a remote consideration.

NotSoChiGuy

...to catch a criminal. We (place I was working at the time) were suffering a string of thefts of equipment (laptops, PDAs, you name it, it was gone...DURING THE DAY). So, we set up a honeypot; an unsecured laptop in a fairly open spot. Next, we used one of those adjustable size ballcaps (that result in having a hole in the back) to hide a webcam. Voila...instant end to office theft, and criminal charges being filed. It was like a scene from Law & Order or something. When we were reviewing the footage...we were all 'turn to the camera...turn to the camera....ooooh...gotcha'. :)

Locrian_Lyric

People get huge green or red notes notifying if they passed or failed. NO administrative action is taken.

Neon Samurai

It's probably a strange point of view but I tend to view the work issues desktop, notebook, phone, desk and drawers as work property. People become so attached and protective of their little cubicles. Work issues me the desk, if security wants to rummage through; be my guest. Another staffer needs a pen; top drawer on the right. But there is a limit; want to rummage through my personal bag or my coworker's purse, now you'll need just cause and some documents. Granted, you'd want to tell new hires upfront but I don't see why it should be a problem.

Neon Samurai

There are horse thieves and car thieves. I mostly just find "cyber" as a preface overused especially "cybercriminal" as of recent. It seems to be the hip thing to do when one needs to pump a little fear or cool sounding jargon into their news blurb. Fraud by email seems no different than fraud by phone or in person but I see your point when used in context.
