NEW AND EXCITING websites of the Web 2.0 genre are popping up almost every day, offering different ways to interact with our information and the rest of the digital world. But as the number of more interactive web applications grows, so does the number of vulnerabilities attackers can exploit.
Ivor Rankin, senior security specialist at Symantec, says in the second half of 2007 the company identified around 11 000 websites that were seriously vulnerable with regard to security, but only 4% took any action to resolve the issue.
Web 2.0 refers to types of web technologies that make sites and Internet-based applications more interactive and use more active content. Rankin says while most of the attention in this field is focused on social networking and other similar services, the same underlying technology is being used in numerous business services.
He says a hacker's strategy is to conduct what's known as multi-stage attacks, starting with a small program that can slip past anti-virus software before it builds itself into a more dangerous state capable of capturing private data and compromising corporate IT systems.
While the focus of such attacks remains obtaining personal information, Rankin says in the second half of 2007 Symantec began to observe more concerted attacks on specific industries, such as the vehicle manufacturing industry.
More pressing is the problem the security industry faces with PC users eager to access information and services with the least possible hassle. The problem facing security experts, says Jack Martin, vice-president for worldwide field operations at security vendor TriCipher, is that you can't trust consumers to do the right thing. He says even his daughter, who should know better, will use an insecure PC to access websites, giving potential identity thieves her personal information.
Rankin adds that while it's possible to remedy identity theft in the real world through the legal route, trying to prevent impersonation in the virtual world is much more difficult.
Rankin says: "On the web it's easy to impersonate someone. What happens is that fraudsters create profiles of their victims on a number of social networking sites and then use their control of those profiles to encourage friends and colleagues to join up to the site. After that they use the information that friends and colleagues of the victim post to the site to gather information needed to commit fraudulent transactions, such as opening credit card accounts."
However, Martin says that much of the responsibility for security in the Web 2.0 world needs to be laid at the door of those companies offering such services.
He says because consumers will always put convenience above security, there's a desperate need for better security to be built into applications themselves.
That means the user name and password we use to log on to many websites need to be strengthened by another level of security. Martin says most people tend to use the same user name and password on multiple sites, so if one of those sites is compromised, it's possible to use it as the thin end of the wedge to access other, more personal information. Better authentication could include additional security questions or even locking entry to sites if the consumer isn't accessing them from his main computer.
Rankin commends the call for web applications to be designed with better security in mind and adds it's equally important for those people administering systems to keep their technology updated to eliminate vulnerable security applications as quickly as possible.
He adds that while consumers should be vigilant - especially on sites they haven't visited before - the basic principles of Internet security still apply, including installing up-to-date anti-virus systems, a desktop firewall and using a browser that has some anti-phishing capabilities built in. Anti-phishing capabilities notify you when the link you click on isn't sending you to the site it says it is.
Although the Internet can provide hours of distraction from serious work, it's important to remain vigilant when surfing.