Interesting to see some of the results of CanSecWest. Within “seconds” Safari/MacBook fell, and the others were soon to follow. The Safari attack was, of course, planned beforehand to execute flawlessly.
I have heard it said that ‘obscurity does not equal security.’ There are two sides to that. One (obviously) is that you can’t assume you’re secure simply because you’re obscure. But the flip side of that is this: while no system is truly secure, many systems are ignored by ‘street security analysts’ (in part) due to a low ROI.
So what’s the point? I think part of the point is that every system can be exploited – even ones that aren’t market giants. And while this is true, most security/obscurity concepts are very basic. So be safe out there. Here’s a brief list for starters (add more in the comments, readers!)
– Keep A/V software installed and updated (especially on a Windows system). Use only one A/V system. Geeks disagree as to the best A/V program, but I personally recommend Kaspersky or AVG. If you need a free system, try AVG or Avast!, but Kaspersky is worth the money.
– Don’t use cracked software. I’m not saying I think it’s ethical to exploit users by overcharging them for a piece of software (nor will I say that it’s ethical to pay nothing for the same software). I’m just saying that many people who are willing to exploit a major software company by cracking their software are also willing to exploit you. There are plenty of totally legal and reputable downloads out there (Linux distros, freeware, music released under the Creative Commons License, etc). But be prepared to suffer if you download the shady stuff.
– Secure your wireless network (that one’s for my neighbors). It’s not really that hard. Or pay me $50 to do it for you. It’s worth it.
– Keep all your software patched. This is basic stuff, but it’s important.
– Stay off of questionable Web sites. Think before you click.
– Don’t click links in dubious emails that read like they were written by a fourth grader. Don’t even bother responding to them. If you need to get to an important Web site, make sure you know what the official URL is, and use only that URL. Don’t be afraid to contact a company directly to verify the authenticity of any communication you receive which claims to be from them.
– Remember that your bank/credit card lender/PayPal/MySpace won’t ever ask for any kind of account information, including your PIN, SSN, or password, via email. Along that line, most businesses which require you to have an important financial account will almost always contact you via regular mail if your account status is in jeopardy. If you receive an email stating that your account is in bad standing or requires an update to your information, DON’T use the contact information in the email. Contact the company, but use contact information you KNOW is good (like through their official website or literature), and ask about the email. 99% of the time, these emails are false, but know how to contact the company in the other 1% of instances.
– Just maybe, consider one of the less pervasive OSes out there. Ubuntu is a good one for former Windows users, and it runs pretty well on the x86 (Pentium-type computer – your typical PC). Mark and I have both posted (he more than I) about how relatively simple Ubuntu is to install and run, even as a second operating system. Look through the archives for some of those posts about Wubi and the like.
Something else you might consider is running Ubuntu as a second OS to use mainly when you’re on the Web, especially if you do financial transactions on the Web. Many of the exploits out there are based on drive-by downloads (as in the ones used in CanSecWest), and you’re less likely to be exploited on the Web if you’re running Linux/Firefox. Not necessarily less ABLE to be exploited, just less likely. Because even though obscurity doesn’t equal security, obscurity does equal … well, obscurity – you aren’t an easy target if you’re obscure. Sounds lame, but it’s true.