Who doesn't have a social networking account these days? Whether it's because of emotional ties, business, work, or fun, most of us connects with family, friends, or colleagues across the web. However, with their hundreds of millions of users, social networking sites are in constant hacker focus. They look for personal details and login credentials to steal, so identity theft is one of the main privacy issues social web users might have to face sooner or later. The recent attack by Pony, a malware with unknown origin, compromised 2 million social networking accounts in total on Facebook, Google+, Yahoo, Twitter, and LinkedIn.
This time, the attack wasn't made possible by unplugged holes in those companies' security systems. No, it was the result of individual users installing the malware on their PCs somehow or other, and once there, it stole their usernames and passwords. And the most scary part is that those details got stolen directly from users' web browsers, claimed a Facebook spokesperson.
With so much sensitive details at stake, it is simply too risky to keep trusting our antivirus for full protection against id theft. I'm quite sure most of the victims had had an antivirus installed on their PCs, yet, Pony managed to jump over the protective fence and there it was, right in the browser of 2 million users. It's high time we looked for complementary solutions to protect our privacy on social networking sites.
In order to increase our chances to prevent our IDs to be stolen, let's take a look at how Pony "works", how it managed to steal login details straight from users' browsers. According to Trustwave, the security company that tracked the malware down, Pony
First scans through stored passwords in a user's browsers, email clients and other software. It also monitors web traffic to identify when a user is logging into a website and then attempts to steal the password.
So the two vulnerable areas are:
- Saved passwords in your browser, and
- Your web traffic, which is reflected in your browsing data, with particular focus on history of visited websites where you use your passwords.
Let's see what we can do about those two issues.
Let's start with the problem of saved passwords: as it is plain to see from the above example, no matter how convenient it may be, it's simply too risky to trust your browser when it comes to securely storing your passwords. When a malware, like Pony comes along, it scans your browser's database for saved passwords it can steal. Unfortunately, some of the most popular browsers don't make it too hard for hackers to grab what they want. Google Chrome has recently been criticized heavily for its password management policy, because it stores your saved passwords in plain text format. If an unauthorized party has access to your PC (whether physical, or remote), he can easily reveal your passwords with a few simple clicks, without having to crack, or steal a master password first. Mozilla Firefox at least offers users the option of setting a master password to protect saved passwords in the browser, although that's a feature most users aren't aware of. But if the master password gets cracked, all saved passwords can be easily viewed in plain text format in that browser too.
Problem number two: The data your browser records while interacting with a site's server. If you have passwords saved in your browser, and hackers manage to steal them from there, items of your browser data can help them track down on what pages the stolen passwords and usernames have corresponding accounts. For that they check your history to see the list of pages you regularly visit. Browser cookies, cache, form data and auto complete can reveal further sensitive data about you, such as, your name, email address, auto-filled username, credit card numbers, downloaded files, physical address and so on.
Have you noticed that if you clear your browsing data, your saved login details are gone at once? Then, even if you visit a page where your login details were previously saved, you will be asked to enter your username and password manually again. This is part of the solution: you need to regularly clear your browsing data so that previously saved, or used passwords as well as traces pointing to it, won't show in your browser data. Here I have to note that simply clearing your browsing data isn't sufficient though. It is due to a little-known vulnerability in Windows: When you attempt to delete files, for instance, your browsing data, that data doesn't actually get removed from your hard drive; only its index gets deleted. The data remains on the hard drive until it gets overwritten, and in the meantime it can be restored by third parties. So the ultimate solution is to permanently and regularly erase those sensitive traces with east-tec Eraser that seeks out and destructs them.
Now, back to the "need for convenience" issue. Is there a secure, yet handy way to manage those long, carefully crafted passwords for the dozens of accounts you regularly use?
east-tec InvisibleSecrets offers you an easy-to-use, practical and safe password management feature. You can save all your web password in it (protected by an encrypted master password), and they get encrypted on-the-fly, employing the most advanced government and industry standard algorithms. It even offers you the option of entering your passwords using a virtual keyboard, so even if a keylogger malware happens to be on your system, your login details can still be kept secure. Anytime you want to access a web account, you can simply look up and click the site's URL saved in the program's directory and the corresponding username and password will be entered securely by the software real time. You can even get a random password generated for your accounts each time you want to access them to make privacy security even tighter.
Implementing these security practices will surely minimize the chances of your social networking activities compromising your identity and data privacy.