Thursday, January 22, 2009

Where Did All the Nice Web Sites Go?

There is a new report out from Websense that summarizes their research into the status of web-based malicious code in the second half of 2008. The major takeaway for me was: there are no safe web sites anymore. By "safe" I mean not likely to contain malicious code that will infect your browser or your computer.

Here are a some snippets from the report:

77 percent of Web sites with malicious code are legitimate sites that have been compromised.
By "legitimate sites" they mean web sites that Internet users would not expect to be hosting malicious code. Sites like the New York Times, Business Week, and CNET. It's remarkable that Websense numbers show there are more legitimate websites distributing malware than there are malicious websites set up by the bad guys!

70 percent of the top 100 sites either hosted malicious content or contained a masked redirect to lure unsuspecting victims from legitimate sites to malicious sites.
A large majority of the most-visited web sites on the Internet either had malicious content on them or had links to malicious sites posted by users who exploit social networking features like comments and messages.

39 percent of malicious Web attacks included data-stealing code.
If you regularly visit web sites in the top 100 most-visited sites, chances are you were exposed to malware. You could still be safe if your operating system, web browser and plug-ins like Adobe Viewer and Flash were all the latest versions AND you did not encounter an exploit for an unpatched vulnerability. Secunia's statistics show that less than 2% of computers are fully patched, and over 45% have 11 or more insecure programs.

These numbers show the shocking truth: there is a very high chance an average Internet user will get infected with data stealing malware even if they stay on the well-lit, well-traveled portions of the web.

Dedicate a Computer for Banking and Shopping
My advice is to keep a dedicated computer for banking and shopping. Here is a checklist for this "safe computer:"

  • Make sure Windows Updates are set to automatic.
  • Always keep Adobe and Flash plugins up-to-date (make sure you don't click on fake update windows).
  • On this dedicated computer, never visit any social networking site like MySpace or Facebook.
  • Do not view any videos.
  • Do not check your email.
  • Do not read news sites.
  • Do not install any programs other than a web browser like Firefox or Safari.
  • Do not use Internet Explorer.
  • Wipe the disk and re-install Windows once every three months (more frequently if it starts behaving erratically)
  • If you are up to it, use Linux rather than Windows

I know this is a large list and it may be easier to lose weight and quit smoking than abide by its rules. I hope you're not reading this list on your dedicated safe computer, because you will have just broken a rule!

Another thing you can do is install SafeCentral and use its secure browser for banking, shopping and financial services. We built SafeCentral knowing that there are too many hoops a user needs to jump through to keep their identity and their money safe online.