<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">

<channel>
	<title>SecurityNowBlog - By Blue Ridge Networks</title>
	
	<link>http://www.blueridgenetworks.com/securitynowblog</link>
	<description>Security News and Information - From the enterprise to the edge.</description>
	<pubDate>Fri, 10 Jul 2009 18:39:25 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.7.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/securitynowblog" type="application/rss+xml" /><feedburner:emailServiceId>securitynowblog</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><item>
		<title>Is a PC Using a Limited User Account (LUA) Safe from Drive-by Download Attacks?</title>
		<link>http://feedproxy.google.com/~r/securitynowblog/~3/O1B9DAPKXY4/limited-user-account-does-not-protect-from-drive-by-download-attack</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/endpoint_security/limited-user-account-does-not-protect-from-drive-by-download-attack#comments</comments>
		<pubDate>Fri, 10 Jul 2009 18:39:25 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
		
		<category><![CDATA[Endpoint Security]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=131</guid>
		<description><![CDATA[No, LUA still leaves computers vulnerable to drive-by download attacks that steal passwords and credentials, copy data records and documents, destroy files, ransom user content, serve as an attack platform inside an enterprise firewall, or join thousands of other computers in a botnet.  LUA just makes it more difficult for [...]]]></description>
			<content:encoded><![CDATA[<p>No, LUA still leaves computers vulnerable to drive-by download attacks that steal passwords and credentials, copy data records and documents, destroy files, ransom user content, serve as an attack platform inside an enterprise firewall, or join thousands of other computers in a botnet.  LUA just makes it more difficult for attackers to burrow their malware so deep into a computer (i.e., a rootkit) that it may never be detected.<span id="more-131"></span></p>
<p><strong>What is a Drive-by Download Attack?</strong></p>
<p>As someone recently said, “you can’t have an exploit without a vulnerability”.  For a PC to be successfully attacked via a virus, worm, or other malware, there must be a vulnerability in some software application in use on it.  The vulnerability is a programming mistake by the vendor that made the software, and it lets an attacker coerce that software into doing something harmful to the endpoint.</p>
<p>In the case of a drive-by download attack, the INITIAL  harmful action is forcing the attacked software application to:</p>
<ol>
<li>Download another software application from the Internet</li>
<li>Place it somewhere in user-space (defined below)</li>
<li>Launch this other software application</li>
</ol>
<p>This other software application is often the first of many different software applications that ultimately land on an attacked machine.  The security community calls this a “drive-by download attack” when it can be implemented without tricking the end-user into doing something to enable it.  Sloppy drive-by download attacks are noticed by end-users.  Good ones are perfectly invisible to the ordinary end-user; the end-user has no idea how it occurred.</p>
<p><strong>What is a Limited User Account (LUA)?</strong></p>
<p>Before defining LUA, let’s clear something up.  When a person has to enter a password to use their computer, there is a user name that is either explicitly visible (it may have to be entered or selected) or implied (as a convenience, one might choose not to enter or choose a user ID each time).  Each user name and password combination is an account.  There may be many user accounts per computer: different accounts for different people, each with its own login name and password, or different accounts with different privileges, such as one account for administering the computer (installing and updating software, configuring it, and defining user accounts) and one or more for just using it.</p>
<p><span style="text-decoration: underline;">A limited user account has fewer privileges than an account with local admin rights</span>.  This is a good thing!  Any software launched by the user inherits the privileges of the account used for login.  So, when Internet Explorer is running for a LUA user, the operating system does not allow Internet Explorer to write to critical parts of the operating system.  However, when Internet Explorer is running for a user with local admin rights, Internet Explorer may add or alter files anywhere on the endpoint, including critical parts of the operating system.  Newer operating systems try to discourage home users from doing their daily work under an administrative account in order to reduce security risks.  Enterprises are advised to do likewise, but many don’t (another blog post perhaps).</p>
<p><strong>What is User-Space?</strong></p>
<p>I didn’t want to define user-space before defining LUA.  User-space consists of all of the folders (i.e., directories) on a computer where a LUA end-user and her software applications may add or modify files.  In Windows, these include “My Documents”, “Desktop”, the rest of the user’s profile (including its Application Data and Temp folders), extra hard drives/partitions, and some others.  With LUA in Windows, nothing may be added to or modified within “Program Files” and “Windows”, for example.</p>
<p>The term user-space is important.  For cyber criminals to infest a computer, they must coerce a software application with programming flaws into adding or modifying files on the target computer.  Most commonly, this means placing at least one software application somewhere on the hard drive.</p>
<p>With anywhere from one-third to two-thirds of computers today running under a limited user account, the hijacked software application would be unable to place files into “Program Files” or “Windows”.  So, the attacker’s first choice for the initial malicious application is somewhere in user-space, where the write operation is certain to succeed.  After that malicious application starts running from user-space, it might check whether it can write into “Program Files” or “Windows” and adjust accordingly.  Regardless, <span style="text-decoration: underline;">user-space is usually the initial landing place for the attacker’s malicious software</span>.  Consequently, security software and users should be very vigilant about any executable residing there, because most legitimate software resides in “Program Files” (Google Chrome is one of quite a few exceptions).</p>
<p><strong>Are Computers Running via LUA Safe from a Drive-by Download Attack?</strong></p>
<p>No.  For example, if a programming mistake in Internet Explorer is exploited, such as the Microsoft Video ActiveX control vulnerability under attack in the summer of 2009, LUA does NOT prevent the “hijacked” Internet Explorer from downloading an attacker’s malicious software application, placing it into “My Documents”, and launching it.</p>
<p>If this software is allowed to launch, it can eavesdrop on all mouse-clicks and keyboard entries, steal user IDs and passwords, copy credit card numbers and valuable documents such as tax returns, and more.  The &#8216;more&#8217; gets pretty awful pretty fast.  LUA would also allow Internet Explorer or the attacker’s malicious software to add an entry to the Windows Registry under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, a key a limited user can write to, that causes the malicious software to be launched automatically every time that user logs on to Windows.</p>
<p>There’s far too much to enumerate in this blog entry.  Suffice it to say, if the malicious software is allowed to run in user-space, it will continue to do so, and it will try to do even more harmful things.  LUA just makes it more difficult for the attacker to burrow so deep into the computer that it becomes practically invisible.</p>
<p><strong>AppGuard and EdgeGuard Snuff-Out Drive-by Download Attacks</strong></p>
<p>Quite simply, <a title="AppGuard Kills Drive-by Download Attacks" href="http://www.blueridgenetworks.com/products/appguard.php">AppGuard </a>and <a title="EdgeGuard Suppresses Drive-by Download Attacks" href="http://www.blueridgenetworks.com/products/edgeguard.php">EdgeGuard </a>client security software do not trust the applications that run on computers.  Consequently, they &#8220;Guard&#8221; the applications legitimately installed in &#8220;Program Files&#8221;, and they prevent any executable located in user-space from launching at all.  &#8220;Guarding&#8221; an application means that it is not allowed to do harmful things but is otherwise left alone.</p>
<p>As noted earlier, some legitimate applications run from user-space, such as Google Chrome and GoToMeeting.  AppGuard and EdgeGuard will not let them run at all unless they are added to the &#8220;Guard List&#8221;.  In effect, this means that unknown software is not allowed to run from user-space.</p>
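<p>The two points above, that user-space is the usual landing place for a drive-by payload (and for its HKCU Run-key persistence entry) and that a deny-by-default policy for user-space executables with a Guard List of exceptions closes that door, can be made concrete in code.  The following Python is an added example written for this edit; it is not code from the original post and not Blue Ridge&#8217;s AppGuard or EdgeGuard.  It triages a constructed set of Run-key entries for a hypothetical user &#8220;alice&#8221; (the paths, environment variables, vendor folder and Guard List are all assumptions) by resolving each command line to its executable, classifying the path as user-space or system, and applying the policy.  No registry is read, so it runs anywhere.</p>

```python
"""Triage Windows autorun entries by whether the executable lives in user-space,
and apply a deny-by-default execution policy for user-space binaries.

Added example; not code from the original post or from Blue Ridge's products.
All paths, registry values and the environment below are constructed samples
for a hypothetical user 'alice'; adapt the roots and guard list to your fleet.
"""
import ntpath
import re

# Constructed environment for the hypothetical user; on a live host you would
# read these from the user's actual environment block.
ENV = {
    "USERPROFILE": r"C:\Users\alice",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
    "PROGRAMFILES": r"C:\Program Files",
    "SYSTEMROOT": r"C:\Windows",
}

# Folders a limited user can write to (the post's "user-space"), and the
# protected system roots a limited user cannot write to.
USER_SPACE_ROOTS = [r"C:\Users\alice", r"C:\Documents and Settings\alice", "D:\\"]
SYSTEM_ROOTS = [r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows"]

# Legitimate applications allowed to run from user-space (the post's "Guard
# List"). Per-user Chrome installs live under %LOCALAPPDATA%.
GUARD_LIST = [r"C:\Users\alice\AppData\Local\Google\Chrome\Application\chrome.exe"]

EXECUTABLE_EXTS = (".exe", ".com", ".scr", ".bat", ".cmd", ".pif")

# Constructed HKCU\Software\Microsoft\Windows\CurrentVersion\Run contents:
# value name -> command line, as a persistence scan would read them.
# "Vendor" is a placeholder, not a real product.
RUN_ENTRIES = {
    "Chrome": r'"%LOCALAPPDATA%\Google\Chrome\Application\chrome.exe" --no-startup-window',
    "Reader": r'C:\Program Files\Vendor\Reader\reader_sl.exe',
    "ctfmon.exe": r'C:\Windows\system32\ctfmon.exe',
    "svchost": r'%USERPROFILE%\My Documents\svchost.exe',
    "Updater": r'%TEMP%\updater.exe -silent',
}


def expand_env(command, env=ENV):
    """Expand %VAR% references using the supplied environment (case-insensitive)."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)), command)


def executable_from_command(command):
    """Recover the executable path from a Run-key command line.

    Quoted paths are taken verbatim. For unquoted paths Windows tries
    progressively longer space-delimited prefixes, so we do the same and
    stop at the first prefix that carries an executable extension.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    tokens = command.split(" ")
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if candidate.lower().endswith(EXECUTABLE_EXTS):
            return candidate
    return tokens[0]


def _norm(path):
    # Lower-case, backslash-separated, dot-segments collapsed: works off-Windows too.
    return ntpath.normcase(ntpath.normpath(path))


def is_under(path, root):
    """True if path is root itself or lies beneath it (case-insensitive)."""
    np_, nr = _norm(path), _norm(root).rstrip("\\")
    return np_ == nr or np_.startswith(nr + "\\")


def classify(path):
    """'user-space', 'system', or 'unknown' for a fully expanded path."""
    if any(is_under(path, r) for r in USER_SPACE_ROOTS):
        return "user-space"
    if any(is_under(path, r) for r in SYSTEM_ROOTS):
        return "system"
    return "unknown"


def allow_execution(path, guard_list=GUARD_LIST):
    """Deny-by-default for user-space: a binary may launch from user-space only
    if it is on the guard list. System-root binaries are allowed; anything the
    roots do not cover is denied rather than guessed at."""
    where = classify(path)
    if where == "system":
        return True
    if where == "user-space":
        return any(_norm(path) == _norm(g) for g in guard_list)
    return False


def triage_run_entries(entries=RUN_ENTRIES, env=ENV):
    """Return [(value_name, resolved_path, classification, allowed)]; every
    autorun pointing into user-space that is not guard-listed comes back denied."""
    report = []
    for name, command in entries.items():
        path = executable_from_command(expand_env(command, env))
        report.append((name, path, classify(path), allow_execution(path)))
    return report


if __name__ == "__main__":
    for name, path, where, allowed in triage_run_entries():
        print(f"{'OK  ' if allowed else 'DENY'} {where:<10} {name:<12} {path}")
```

<p>On a live host the same functions can be fed a registry read of that Run key.  The thing to notice is that the classification is by location, not by name: an &#8220;svchost.exe&#8221; dropped into My Documents is flagged exactly like any other unknown user-space binary, while the genuine one under the Windows folder is left alone.</p>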
<p>These protections and more defeat the vast majority of malware attacks but at a fraction of the effort of other security products.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/endpoint_security/limited-user-account-does-not-protect-from-drive-by-download-attack/feed</wfw:commentRss>
		<feedburner:origLink>http://www.blueridgenetworks.com/securitynowblog/endpoint_security/limited-user-account-does-not-protect-from-drive-by-download-attack</feedburner:origLink></item>
		<item>
		<title>Attackers Exploiting Internet Explorer Video ActiveX Against Windows XP Users Everywhere</title>
		<link>http://feedproxy.google.com/~r/securitynowblog/~3/C5NhnYBzmhg/attack-exploit-internet-explorer-video-activex-windows-xp-antivirus-fails</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/endpoint_security/attack-exploit-internet-explorer-video-activex-windows-xp-antivirus-fails#comments</comments>
		<pubDate>Wed, 08 Jul 2009 17:09:29 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
		
		<category><![CDATA[Endpoint Security]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=123</guid>
		<description><![CDATA[You&#8217;re surfing the web now and avoiding risqué websites. All seems well. However, this week&#8217;s highly critical, as-yet-unpatched vulnerability means all is not well. Months from now, if ever, your bank, a friend, your employer, your ISP, or a law enforcement agency may request that your computer be examined for malware because financial [...]]]></description>
			<content:encoded><![CDATA[<p>You&#8217;re surfing the web now and avoiding risqué websites. All seems well. However, this week&#8217;s highly critical, as-yet-unpatched vulnerability means all is not well. Months from now, if ever, your bank, a friend, your employer, your ISP, or a law enforcement agency may request that your computer be examined for malware, because financial horrors have visited many people and your infected computer was the cause. Tragically, this scenario is quite avoidable.<span id="more-123"></span></p>
<p>Let me point out to folks who missed my blog post on Beladen last month that there are hundreds of thousands of legitimate websites that have been secretly seeded with attack code without the knowledge of the website owners. This is why simply avoiding &#8220;bad neighborhoods&#8221; is inadequate.</p>
<p>Here&#8217;s something you may not have read elsewhere: other applications can also be used to activate this particular ActiveX control and so to exploit it. Microsoft noted that Outlook and Outlook Express users who click on a link in an HTML-based email could trigger the attack. Similarly, other applications capable of hosting ActiveX controls could be used to facilitate an attack that exploits this Microsoft Video Control object. It will be morbidly interesting to see in the weeks to come what other applications are found to be vulnerable or actually targeted in these attacks.</p>
<p>Next, I must point out that this Video ActiveX control vulnerability is NOT the only one attackers might exploit to invade your computer. Microsoft hasn&#8217;t yet created and distributed a security patch for another recently announced vulnerability that involves how DirectX handles QuickTime files. There are others; and there will be yet more. Software application vulnerabilities are like politicians. No matter how many are chased out of office for various reasons, there will be more, and soon.</p>
<p>Regular readers of this blog know that anti-virus/spyware security software found on typical computers stand less than a fifty-fifty chance of stopping one of these attacks. If this assertion is new to you, please look at one or more other posts in this blog.</p>
<p><strong>How Can Windows XP Users Protect Themselves?</strong></p>
<p>They can follow Microsoft&#8217;s recommended workaround, which disables the affected control (setting its &#8220;kill bit&#8221; so that Internet Explorer refuses to load it). Or, they can get some additional security software that is designed to stop the kinds of attacks that antivirus software misses. I&#8217;ve got another post on the way that answers the question: do limited user accounts (LUA) deter these attacks?</p>
<p><strong>AppGuard and EdgeGuard Protect Windows XP Computers from Microsoft Video Control ActiveX Attacks</strong></p>
<p>If <a title="AppGuard Protect Computer from ActiveX Virus Worm Attacks" href="http://www.blueridgenetworks.com/products/appguard.php">AppGuard </a>is installed and guarding your computer, there&#8217;s only one thing you should do, and this is really a moral thing: get those you know to install something like AppGuard. Anyone can <a title="AppGuard Trial Protect Compters from ActiveX Virus Worm Attacks" href="http://download.cnet.com/AppGuard/3000-2239_4-10912598.html">trial all of its features for 30 days for free</a>. If you or others wonder what&#8217;s so great about AppGuard, the answer is that it provides the most protection for the least amount of effort and disruption. There are other security software products that can stop a higher percentage of possible attacks. However, they are considerably more difficult to fully set up and tend to be quite annoying with their frequent pedantic chatter.</p>
<p><a title="EdgeGuard Protection from ActiveX Zero Day Attacks" href="http://www.blueridgenetworks.com/products/edgeguard.php">EdgeGuard </a>protects enterprise computers from this Microsoft Video ActiveX attack, practically all other ActiveX attacks, attacks on the DirectShow vulnerability, and nearly every other attack you&#8217;re likely to encounter. The difference between AppGuard and EdgeGuard is simple: AppGuard is a subset of EdgeGuard. EdgeGuard will protect, control, and audit enterprise computers located anywhere, in near-real time, providing total operational awareness.  Most enterprise security software intended to stop zero-day attacks is severely underutilized or dormant because it&#8217;s too complex to set up and maintain.  EdgeGuard can be deployed by any person who can install a web browser.</p>
<p>Neither AppGuard users nor EdgeGuard administrators need to implement the Microsoft workaround that disables the Microsoft Video ActiveX control.  Generally speaking, when these security software products are guarding a PC, ActiveX controls do not have to be disabled.  Additionally, if one wishes to open a malware-infested Microsoft Word document, for example, one can safely do so when guarded; exceptions are extremely rare but possible.  No security solution offers 100% protection.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/endpoint_security/attack-exploit-internet-explorer-video-activex-windows-xp-antivirus-fails/feed</wfw:commentRss>
		<feedburner:origLink>http://www.blueridgenetworks.com/securitynowblog/endpoint_security/attack-exploit-internet-explorer-video-activex-windows-xp-antivirus-fails</feedburner:origLink></item>
		<item>
		<title>5 Reasons to Replace Your Retail Data Network Provider</title>
		<link>http://feedproxy.google.com/~r/securitynowblog/~3/z3K14FGG_Cw/5-reasons-to-replace-your-retail-data-network-provider</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/network_security/5-reasons-to-replace-your-retail-data-network-provider#comments</comments>
		<pubDate>Thu, 02 Jul 2009 13:28:54 +0000</pubDate>
		<dc:creator>Jim Byrd, Director, Product Marketing</dc:creator>
		
		<category><![CDATA[Network Security]]></category>

		<category><![CDATA[Security Applications]]></category>

		<category><![CDATA[Heartland Breach]]></category>

		<category><![CDATA[Managed Network Service]]></category>

		<category><![CDATA[MPLS]]></category>

		<category><![CDATA[PCI-DSS]]></category>

		<category><![CDATA[Retail Data Network]]></category>

		<category><![CDATA[Retail Technology]]></category>

		<category><![CDATA[Retail VPN]]></category>

		<category><![CDATA[TJX Breach]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=109</guid>
		<description><![CDATA[1. You are paying more than $120 per month per site to connect your retail stores. Legacy networks such as Frame Relay and ATM can cost retailers as much as $500 per month per site, not including the additional charges for MACDs and technical support calls. Even the &#8220;new&#8221; generation of MPLS networks are burdened [...]]]></description>
			<content:encoded><![CDATA[<p>1. <strong>You are paying more than $120 per month per site to connect your retail stores</strong>. Legacy networks such as Frame Relay and ATM can cost retailers as much as $500 per month per site, not including the additional charges for MACDs and technical support calls. Even the &#8220;new&#8221; generation of MPLS networks are burdened with infrastructure costs they must pass along. Excessive charges like these can significantly impact profitability. Control these costs and you could increase your quarterly profit by as much as 5%.</p>
<p>2. <strong>Your vendor will not sign up to a security SLA</strong>. Security breaches are a common occurrence these days. There are many well-publicized breaches that have cost millions of dollars to clean up and untold dollars in customer confidence. Yet, for you to compete effectively requires real-time access to store and customer data to make sure shelves are stocked and customers can fly through the checkout lanes. However, the constant movement of data increases your exposure to the risk of data loss. A security SLA will ensure your network provider keeps up with the latest PCI-DSS requirements and will help you sleep better at night. </p>
<p>3. <strong>The quality of vendor support declines as your contract ages</strong>. All vendors promise good customer service, but few can deliver. How long does it take to make a change to your network configuration? How responsive is your support representative? When was the last time you received a call from your vendor just to &#8216;check in&#8217;? Is 24x7x365 Level 1 support included in your contract? Retailers are constantly challenged to deliver outstanding customer service. You should receive nothing less from your network provider.</p>
<p>4. <strong>Your network prevents you from rolling out innovative revenue-generating programs</strong>. With consumers spending less during these lean economic times, retailers must get creative in how they capture and maintain the customer relationship. Inevitably this means developing loyalty programs that require customer data during an in-store transaction. If your network is incapable of rapidly delivering data, you will likely be unable to introduce the types of programs that differentiate you from the competition. A next-generation fast, low-cost data network will provide the foundation for deploying data-intensive programs that increase sales and keep customers.</p>
<p>5. <strong>You are constantly hit with unexpected charges and expenses</strong>. Running on tight margins, retailers especially need to have a handle on their network costs. Providers that win your business with a low monthly bid and then &#8220;nickel and dime&#8221; you throughout the term of the contract make the budgeting and reporting processes difficult at best and create an environment of distrust. Look for data network providers that charge a fixed monthly fee, regardless of the number of network changes or helpdesk calls. Also negotiate with the provider to deploy your network with no up-front capital expenses.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/network_security/5-reasons-to-replace-your-retail-data-network-provider/feed</wfw:commentRss>
		<feedburner:origLink>http://www.blueridgenetworks.com/securitynowblog/network_security/5-reasons-to-replace-your-retail-data-network-provider</feedburner:origLink></item>
		<item>
		<title>Why Should UnPatched PC Software Concern You?</title>
		<link>http://feedproxy.google.com/~r/securitynowblog/~3/qgStzyI7r9A/unpatched-pc-software-targets-malware-attacks</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/endpoint_security/unpatched-pc-software-targets-malware-attacks#comments</comments>
		<pubDate>Tue, 30 Jun 2009 16:46:04 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
		
		<category><![CDATA[Endpoint Security]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=103</guid>
		<description><![CDATA[Failing to apply software patches on your computer is comparable to leaving windows and doors open at home.  Whatever is inside the home or computer may be stolen, destroyed, or ransomed.  But patching your computer isn’t enough either!
The Zen of Malware and UnPatched Software
The end result of a malware attack is that some malicious software [...]]]></description>
			<content:encoded><![CDATA[<p>Failing to apply software patches on your computer is comparable to leaving windows and doors open at home.  Whatever is inside the home or computer may be stolen, destroyed, or ransomed.  But patching your computer isn’t enough either!<span id="more-103"></span></p>
<p><strong>The Zen of Malware and UnPatched Software</strong></p>
<p>The end result of a malware attack is that some malicious software runs continuously and indefinitely on a computer to steal anything of value, such as credit card numbers, passwords, or insider information within a corporation.  That software was almost certainly installed by some other software, whose purpose is to penetrate the PC and install the malicious software that then remains operational indefinitely.  That ‘other’ software is the virus, worm, or other malware that your anti-virus/spyware software strives to detect upon entry.  It might arrive within a document, media file, web page, communication, or something else.</p>
<p>Let’s look at a virus; the same will apply to a worm and other malware.  In the organic world of people, a virus can only harm a person that is susceptible to the virus.  Similarly, a cyber virus can only harm a computer with a software application or component that is susceptible to that virus.  That susceptibility is called a vulnerability, which is a programming mistake by its vendor.  Ideally, software patches fix programming mistakes such that one or more vulnerabilities to malware attacks are permanently eliminated.</p>
<p><strong>A Perfectly Patched Computer is Safe from Virus, Worm, and other Zero-Day Malware Attacks</strong></p>
<p>If all theoretically possible software patches were applied to a computer, there would be no need for anti-virus/spyware security software to catch exploits, because there would be no programming mistakes left to be exploited (malware that a user is tricked into installing himself is a separate problem that patching does not address).  This “theoretically possible” qualifier is absolutely unrealistic in this era.</p>
<p><strong>Average Computer Has a Dozen Unpatched Pieces of Software</strong></p>
<p>Our good friends from Secunia, a security intelligence firm, report that the average computer in North America has a dozen unpatched software vulnerabilities.  If your computer handles a maliciously crafted file or communication designed for one of those unpatched software components or applications, your computer would be compromised, as well as everything within it and to some extent everything it interacts with.</p>
<p><strong>With Anti-Virus/Spyware Alone, Resistance is Futile</strong></p>
<p>There are two major reasons why your anti-virus/spyware security software offers you less than a 50% chance of protection from an attack.</p>
<p>First, anti-virus/spyware products rely mostly on signatures, which are like fingerprints or photographs.  Signature-based technology fails to stop UNKNOWN viruses and worms.  Unknown malware is considered zero-day malware.  It takes weeks to months to discover and disseminate new signatures for new malware in the wild; attackers create new variants in minutes.  Do the math: protecting a PC from today’s malware attacks with signatures alone is like protecting your city from tanks and bombers with slings and arrows.</p>
<p>The second reason for their weakness is just as terrifying.  Anti-virus/spyware is useless for protecting a PC from attacks on software vulnerabilities known only to the attackers.</p>
<p><strong>Protection from Attacks on Unpatched Software Vulnerabilities</strong></p>
<p>Businesses, governments, and home computers can be used almost worry-free.  Blue Ridge offers two software security solutions that employ what we call AppGuard Technology.  It prevents attackers from using programming mistakes in software to infest your computer with malware, even in zero-day attacks.  Read this white paper on how <a title="AppGuard Technology Protects Computers from Zero-Day Malware Attacks" href="http://www.blueridgenetworks.com/docs/AppGuard-wp.pdf">AppGuard Technology protects computers from virus, worm, Trojan, and other zero-day malware attacks</a>.</p>
<p><a title="AppGuard PC Protection" href="http://www.blueridgenetworks.com/products/appguard.php">AppGuard</a> protects home and enterprise computers.  <a title="AppGuard PC Protection" href="http://www.blueridgenetworks.com/products/appguard.php">AppGuard </a>is available for a <a title="AppGuard Security Software Free Trial Download" href="http://download.cnet.com/AppGuard/3000-2239_4-10912598.html?part=dl-10046293&amp;subj=dl&amp;tag=button">free 30 day trial, fully featured</a>. <a title="EdgeGuard PC Protect Control Audit" href="http://www.blueridgenetworks.com/products/edgeguard.php"> EdgeGuard </a>protects enterprise computers.  However, <a title="EdgeGuard PC Protect Control Audit" href="http://www.blueridgenetworks.com/products/edgeguard.php">EdgeGuard </a>is available as both a product and a managed service.  A <a title="Managed EdgeGuard PC Protect Control Audit" href="http://www.blueridgenetworks.com/products/managed-edgeguard.php">Managed EdgeGuard</a> pilot can be launched in less than a week.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/endpoint_security/unpatched-pc-software-targets-malware-attacks/feed</wfw:commentRss>
		<feedburner:origLink>http://www.blueridgenetworks.com/securitynowblog/endpoint_security/unpatched-pc-software-targets-malware-attacks</feedburner:origLink></item>
		<item>
		<title>Today’s Spear Phishing Attacks Can Wipe Out Small Businesses in One Click</title>
		<link>http://feedproxy.google.com/~r/securitynowblog/~3/4iSdD872b0Q/spear-phishing-attacks-can-bankrupt-small-business</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/endpoint_security/spear-phishing-attacks-can-bankrupt-small-business#comments</comments>
		<pubDate>Wed, 17 Jun 2009 15:33:31 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
		
		<category><![CDATA[Endpoint Security]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=96</guid>
		<description><![CDATA[For years, spear phishing attacks relied on the foolishness and naiveté of computer users to trick them into revealing passwords and other sensitive information to individuals posing as legitimate parties via spoofed emails or fake websites. Today’s spear phishing attacks effortlessly rob even cautious cynics with expensive name-brand security software. Small business owners can literally [...]]]></description>
			<content:encoded><![CDATA[<p>For years, spear phishing attacks relied on the foolishness and naiveté of computer users to trick them into revealing passwords and other sensitive information to individuals posing as legitimate parties via spoofed emails or fake websites. Today’s spear phishing attacks effortlessly rob even cautious cynics with expensive name-brand security software. Small business owners can literally be wiped out with a single email!<span id="more-96"></span></p>
<p><strong>What Are Phishing Attacks?</strong></p>
<p>Phishing attacks are launched by cybercriminals upon consumers primarily to gain a few pieces of important data that can be used for financial gain, such as a person’s user ID and password to their online bank account. Typically, consumers receive emails that appear to be from their bank or some other legitimate organization that trick the recipient into literally telling the criminals their user ID and password, for example. One class of phishing attacks increasingly prevalent today no longer relies on tricking end-users but instead employs what security practitioners call a ‘man-in-the-browser’ attack.</p>
<p>Basically, ‘man-in-the-browser’ attacks exist because the security within a web browser is alarmingly flawed when it comes to keeping one website’s content and code isolated from another’s. So, that other tab in your browser, or that web page you visited prior to your online bank website, might leave malicious code inside your web browser that allows cybercriminals to eavesdrop on or insert financial transactions, such as a bank payment to an overseas account.</p>
<p>This is why I strongly recommend that all computer users <a title="Using Two or More Different Web Browsers Protects Your Money" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/dual-web-browsers-can-avoid-information-disclosures" target="_blank">utilize two or more different web browsers</a>, not separate web browser windows or tabs from the same web browser software, but use Internet Explorer, Firefox, or whatever all at the same time but for different types of websites. BTW, the web browser that you use for financial activities should not be the one that renders a web page after you’ve clicked on a link in your email, instant messenger, or PDF reader!</p>
<p><strong>What Are Spear Phishing Attacks?</strong></p>
<p>Phishing Attacks sound pretty scary. Fortunately, using two or more different web browsers radically reduces your risks from phishing attacks. There are additional risks when web browsing from a hotel room or public Wi-Fi that I’d have to address in another post if anyone is interested (let me know).</p>
<p>Spear Phishing Attacks are phishing attacks that target a specific person or organization. For the most part, spear phishing attacks are carried out via email, though instant messengers and social networks such as Facebook, MySpace, and LinkedIn can be used also. These attacks exploit the trust that we all have with our familiars: friends, family, and business associates. We’ll read an email or some other kind of message from a familiar. More importantly, we’re quite likely to accommodate a request or recommendation from a familiar to:</p>
<ul>
<li>Open a document</li>
<li>Play a multimedia file</li>
<li>Click on a hyperlink</li>
<li>Install software</li>
<li>Add a Facebook app</li>
</ul>
<p>Any one of these actions is intended to install malicious software onto the targeted user’s PC. Attacks do so by exploiting programming mistakes in the PC software that we use every day. Once this malware has infested a PC, it systematically steals anything of value. Computer users do not have to be tricked into revealing their bank account number, user ID, and password to be robbed.</p>
<p><strong>Small Businesses Are “Out of Luck”</strong></p>
<p>As Brian Krebs of The Washington Post wrote in a <a title="Spear-Phishing Gang Resurfaces, Nets Big Catch" href="http://voices.washingtonpost.com/securityfix/2009/06/spear-phishing_gang_resurfaces.html?wprss=securityfix" target="_blank">recent article on Spear Phishing Attacks</a>, American consumers who bank online are covered by a statute called “Regulation E”, which “generally holds the consumer harmless for money stolen from their accounts via cyber crime”. However, business owners that are victims of Spear Phishing Attacks would “more than likely be out of luck if a scammer empties their business account”.</p>
<p>I strongly recommend that business owners talk to their banks immediately! If your business seldom involves payments to overseas accounts, see if you can require such payments get verbal or other approval prior to processing.</p>
<p><strong>Ineffective Protection from Today’s Spear Phishing Attacks</strong></p>
<p>Those of you with up-to-date anti-virus/spyware software from Symantec, McAfee, or other well known vendors have less than 50-50 odds of deflecting a Spear Phishing Attack. That is because they rely on malware detection technology invented over a decade ago that utilizes signatures, which are like electronic fingerprints. Cyber criminals effectively alter the fingerprints of their Spear Phishing Attack instruments (malicious PDF or PowerPoint document, spiked JPEG or AVI, etc.) in minutes, orders of magnitude faster than vendors add new fingerprints to the ‘most wanted list’.</p>
<p><strong>AppGuard and EdgeGuard Block Spear Phishing Attacks</strong></p>
<p>Adding <a title="AppGuard AntiVirus Anti-Malware Security Software" href="http://www.blueridgenetworks.com/products/appguard.php" target="_self">AppGuard</a> or <a title="EdgeGuard Protects Controls and Audits Enterprise PCs" href="http://www.blueridgenetworks.com/products/edgeguard.php" target="_self">EdgeGuard</a> to a computer with any anti-virus/spyware security software boosts protection to 90%. Without AppGuard or EdgeGuard, anti-virus/spyware software, which stops only OLD malware, blocks only about 45% of attacks, Spear Phishing Attacks included.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/endpoint_security/spear-phishing-attacks-can-bankrupt-small-business/feed</wfw:commentRss>
		<feedburner:origLink>http://www.blueridgenetworks.com/securitynowblog/endpoint_security/spear-phishing-attacks-can-bankrupt-small-business</feedburner:origLink></item>
		<item>
		<title>Retail MPLS Data Networks at Risk</title>
		<link>http://feedproxy.google.com/~r/securitynowblog/~3/EST53dW5qbA/retail-mpls-data-networks-at-risk</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/network_security/retail-mpls-data-networks-at-risk#comments</comments>
		<pubDate>Tue, 16 Jun 2009 15:30:45 +0000</pubDate>
		<dc:creator>Jim Byrd, Director, Product Marketing</dc:creator>
		
		<category><![CDATA[Network Security]]></category>

		<category><![CDATA[Security Applications]]></category>

		<category><![CDATA[Authentication]]></category>

		<category><![CDATA[Blue Ridge Networks]]></category>

		<category><![CDATA[Dark Reading]]></category>

		<category><![CDATA[Integrity]]></category>

		<category><![CDATA[MPLS]]></category>

		<category><![CDATA[MPLS Networks]]></category>

		<category><![CDATA[MPLS Security]]></category>

		<category><![CDATA[PKI]]></category>

		<category><![CDATA[Retail Data Networks]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=87</guid>
		<description><![CDATA[Although the inherent flaws in MPLS security have been known for sometime, only in the last few months has there been a concerted effort to deliver hacking tools designed specifically to exploit MPLS security vulnerabilities, putting retail data networks at risk of attack.

At a Black Hat Europe Conference last April a team of researchers released [...]]]></description>
			<content:encoded><![CDATA[<p>Although the <a title="MPLS Flaws" href="http://www.scmagazineus.com/For-managed-MPLS-based-network-migrations-to-be-truly-successful-enterprises-must-apply-due-diligence/article/34912/" target="_blank">inherent flaws in MPLS security</a> have been known for some time, only in the last few months has there been a concerted effort to deliver hacking tools designed specifically to exploit MPLS security vulnerabilities, putting retail data networks at risk of attack.</p>
<p><span id="more-87"></span></p>
<p>At a <a title="Dark Reading Article" href="http://www.darkreading.com/securityservices/services/data/showArticle.jhtml?articleID=216403220" target="_blank">Black Hat Europe Conference last April</a> a team of researchers released tools that can automate attacks on MPLS and Ethernet backbone technologies. According to one of the researchers, &#8220;These technologies do not provide any security themselves, but just rely on the assumption that the underlying network is secure.&#8221;</p>
<p>As MPLS VPNs evolved from proprietary networks to supporting internet-based services, their risk of attack increased as well. German researcher Ray says, &#8220;Enterprises that use these VPN services should be aware they are vulnerable. Perform risk analysis and encrypt your traffic. Just because it&#8217;s called MPLS VPN [doesn't mean] you should [automatically] trust it.&#8221;</p>
<p>Many retailers followed their service providers&#8217; advice and simply migrated from Frame Relay and ATM networks to MPLS. However, over time the majority of the problems MPLS was meant to solve have ceased to exist, while holes in the technology are being exploited.</p>
<p>Total information security for retail data networks is possible. Solutions using PKI technology, unique digital certificates with mutual mandatory authentication between security appliances, end-to-end data encryption and data integrity checking can provide a standalone data network solution or act as the security layer for an existing MPLS VPN network.</p>
<p>Retailers need to <a title="Retail Data Network Page" href="http://www.blueridgenetworks.com/solutions/retail.php" target="_blank">re-examine wide area networking technologies and topologies </a>as they seek to optimize the security, reliability and cost of their current data network.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/network_security/retail-mpls-data-networks-at-risk/feed</wfw:commentRss>
		<feedburner:origLink>http://www.blueridgenetworks.com/securitynowblog/network_security/retail-mpls-data-networks-at-risk</feedburner:origLink></item>
		<item>
		<title>(Beladen) Websites Unknowingly Attacking PCs</title>
		<link>http://feedproxy.google.com/~r/securitynowblog/~3/YNmNKcNxgVk/beladen-websites-attack-pc-malware</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/endpoint_security/beladen-websites-attack-pc-malware#comments</comments>
		<pubDate>Fri, 05 Jun 2009 20:59:58 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
		
		<category><![CDATA[Endpoint Security]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=70</guid>
		<description><![CDATA[Any website that a PC in your organization visits may unleash a world of hurt. It’s not just the sordid websites that pose great risk. Clever cybercriminals have been systematically compromising legitimate websites to covertly infest the PCs that visit them with malware that eludes anti-virus/spyware software. Beladen is a direct challenge to blacklisting services [...]]]></description>
			<content:encoded><![CDATA[<p>Any website that a PC in your organization visits may unleash a world of hurt. It’s not just the sordid websites that pose great risk. Clever cybercriminals have been systematically compromising legitimate websites to covertly infest the PCs that visit them with malware that eludes anti-virus/spyware software. Beladen is a direct challenge to blacklisting services too. Protect your endpoints with something not based on technology developed over a decade ago!<span id="more-70"></span></p>
<p>Last week, Websense estimated that 30,000 websites were infected. Earlier this week, they estimated that this had grown to 40,000, supposedly a one-third growth in 72 hours. Nothing but speculation exists as to how the integrity of these websites is compromised: keyloggers on website administrator PCs, intercepted FTP credentials, who knows? If the malicious JavaScript added to the bottom of compromised web pages cannot be discovered via search engines, I’m curious how Websense and others are deriving their estimates. Nonetheless, I suspect they have a credible means for generating their estimates.</p>
<p>An unsuspecting PC user visits one of these compromised sites. The pages they view have malicious JavaScript added to them that exploits vulnerabilities in client software on the PC without the end-user having to do anything. They simply visit the page and they become infected. These web pages can be updated with even newer zero-day exploits that attack the same or other client software. Beladen has not yet been reported to attack unpatched Acrobat Reader software, but if it is not doing so already, expect it to.</p>
<p>The consequences of these compromised websites are impressive. If each of the compromised websites receives an average of only 100 visits per day, 90% of the visiting PCs are Windows, 95% of them do not have JavaScript disabled, and 50% of them (a very conservative figure) have just one of the targeted client software applications unpatched (Firefox, Internet Explorer, Quicktime), then that equates to 1.7 million infected PCs per day. Beladen may be approaching a Conficker-like magnitude of PC infections.</p>
<p>What should you do? First thing, patch Firefox, Internet Explorer, Quicktime, and while you’re at it, Acrobat Reader. For organizations, if you don’t have a centralized means to do so, write instructions for all of your personnel to do so manually. After they’re done, insist that each individual estimate how long it took them to do so. You may find the results useful in justifying the acquisition of new endpoint security tools.</p>
<p>Speaking of tools, I’m sure regular readers of this blog see it coming: get something to supplement your anti-virus/spyware software. Peruse the many articles here and you’ll find plenty of rationale to move beyond the past and not rely on technologies invented over a decade ago, when feeble-minded junkies with user-friendly software can create, in minutes, malware that evades those venerable relics. And one more thing, yes, the regulars are probably anticipating this next point: worry less about what percentage of attack vectors a particular system stops and focus more on the usability and operational burden of such systems.</p>
<p>The usability of a protection product is directly proportional to its effectiveness. The most potentially capable protection products are also the least utilized products because they are so complicated. Consequently, their effectiveness is severely compromised in practice and overrated in reviews.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/endpoint_security/beladen-websites-attack-pc-malware/feed</wfw:commentRss>
		<feedburner:origLink>http://www.blueridgenetworks.com/securitynowblog/endpoint_security/beladen-websites-attack-pc-malware</feedburner:origLink></item>
		<item>
		<title>Opening PowerPoint Documents Poses Heavy Risk to Businesses</title>
		<link>http://feedproxy.google.com/~r/securitynowblog/~3/sSeP25C-j_Y/powerpoint-documents-pose-heavy-risk-zero-day-malware</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/endpoint_security/powerpoint-documents-pose-heavy-risk-zero-day-malware#comments</comments>
		<pubDate>Fri, 03 Apr 2009 13:10:45 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
		
		<category><![CDATA[Endpoint Security]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=62</guid>
		<description><![CDATA[The instruments may have changed but the melody is the same.  Last month Excel, this month PowerPoint, next month, who knows?  The next document you open from someone you know may infect your computer without your ever knowing it.  It may steal information you cannot afford to lose and do the same [...]]]></description>
			<content:encoded><![CDATA[<p>The instruments may have changed but the melody is the same.  Last month Excel, this month PowerPoint, next month, who knows?  The next document you open from someone you know may infect your computer without your ever knowing it.  It may steal information you cannot afford to lose and do the same to people that you know.  It may do worse!<span id="more-62"></span></p>
<p>We <a title="Your Software Applications Cannot be Trusted" href="http://www.securitynowblog.com/endpoint_security/computer-software-hijacked-malware-attack-steal" target="_blank">cannot trust the software that runs on our computers</a>. <a title="Traditional Protections Failing" href="http://www.securitynowblog.com/endpoint_security/secunia_report_signature-based_antivirus_misses_most_unknown_malware" target="_blank">We cannot rely solely on traditional PC protection software</a> that relies on signatures. This means that we cannot trust the documents we receive from people we know.</p>
<p>Most malware seeks to infest computers by exploiting a programmer mistake in a piece of software that runs on our computers.  When the software consumes a malicious file or communication, it becomes hijacked and compelled to do things, such as:</p>
<ul>
<li>Download a malicious executable that permanently implants malware</li>
<li>Download an executable that launches from user-space (e.g., desktop, My Documents, etc.)</li>
<li>Use the hijacked application itself to permanently install malware</li>
</ul>
<p>Today’s malware makers do so to make money.  Therefore, they do not want their malware to be noticed.  If they can, they’ll root the malware in places that make detection practically impossible.  They want to steal any valuable information, user names and passwords, and use your computer to penetrate other resources.</p>
<p><strong>So, next time you see a PowerPoint from a friend or colleague, ask yourself one question: do you feel lucky?  Well, do ya?</strong></p>
<p>You do not know that your friend’s or colleague’s computer hasn’t already been infested without anyone knowing it. If it has, Excel or PowerPoint documents, or others, could have been tainted. And, just as Botnets change the disguise of their malware every 10 minutes to elude detection, your tried and true anti-virus/spyware software probably will not see the harm in your opening your colleague’s PowerPoint document, because it does a very poor job of intercepting zero-day (i.e., unknown) malware.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/endpoint_security/powerpoint-documents-pose-heavy-risk-zero-day-malware/feed</wfw:commentRss>
		<feedburner:origLink>http://www.blueridgenetworks.com/securitynowblog/endpoint_security/powerpoint-documents-pose-heavy-risk-zero-day-malware</feedburner:origLink></item>
		<item>
		<title>PC Malware Driven Security Breach Disclosures—A Case of Worms</title>
		<link>http://feedproxy.google.com/~r/securitynowblog/~3/l5DxQiPXvsE/pc-malware-costly-security-breach-disclosures</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/endpoint_security/pc-malware-costly-security-breach-disclosures#comments</comments>
		<pubDate>Mon, 16 Mar 2009 19:43:08 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
		
		<category><![CDATA[Endpoint Security]]></category>

		<guid isPermaLink="false">http://www.securitynowblog.com/?p=57</guid>
		<description><![CDATA[When malware on a client PC is the cause of a security breach, the possibilities for what might have been compromised are mind numbing.  What data and what data systems might the malware have compromised while the PC was infected?  In other words, who came into contact with Typhoid Mary and what did [...]]]></description>
			<content:encoded><![CDATA[<p>When malware on a client PC is the cause of a security breach, the possibilities for what might have been compromised are mind numbing.  What data and what data systems might the malware have compromised while the PC was infected?  In other words, who came into contact with Typhoid Mary and what did they have in their pockets when they did?  Imagine the work required to satisfy full disclosure requirements in good faith.  The consequences must scare the hell out of profit-driven businesses.<span id="more-57"></span></p>
<p>Before I elaborate on my opening, I must say that people have a right to know if they are at risk due to a security breach. Few places exist within developed economies where legislation does not mandate disclosure of security breaches. Second-generation regulation is rapidly following first-generation legislation to close loopholes and increase penalties for non-compliance. It’s becoming ever cheaper to invest in prevention and incident response planning than to react to incidents.</p>
<p>Okay now, let’s start from the point where a malware infestation on a client PC has been discovered.  The malware found is the kind that communicates its booty to a BotNet.  Setting prevention and proliferation aside for the moment, what matters from here on out is what did the attackers get?</p>
<p>Before assessing the damage, IT personnel should change the PC user’s credentials on the machine as well as every other networked resource the user is authorized to access.  This should be done in hours not days!  This activity also identifies every networked resource the user is authorized to access.</p>
<p>Again, who came into contact with Typhoid Mary and what did they have in their pockets when they did?  </p>
<p>When did the malware infection begin?  Sophisticated malware will frustrate forensic investigations, provided the organization has any or hires any such resources to do so.  In addition to what can be found in the PC, much success comes from data mining all relevant logs: firewalls, DHCP servers, DNS servers, etc.  One hopes to find likely BotNet communications to and from the infected PC.  I would love to know what percentage of forensic investigations establish a 90% confidence in the malware infestation date.</p>
<p>While investigating the infestation date, the team should conduct an assessment of what data assets were on the PC: documents, databases, cached credentials, etc.  </p>
<p>With an information inventory of the PC, and an information inventory of the PC user’s networked resources, the team has a broad idea of what data might have been compromised.  </p>
<p>Next, one has to determine whether the malware was sophisticated enough to steal and spoof other user credentials and access other networked resources. Was there sufficient exposure to facilitate secondary breaches? This is not fantasy.</p>
<p>Today’s malware routinely consists of a downloader that can plug in a number of modules as needed. One of these could be a widget that sniffs Ethernet traffic, intercepts Windows domain and other hashed credentials, and sends them off to the BotNet to be dictionary attacked and classified; other modules are then loaded to access the discovered and cracked resources.</p>
<p>Obviously, this begs the question, were other PCs infected and controlled by the BotNet?  If so, the potential breach inventory is broadened further.</p>
<p>Good news: server logs and other data can rule out data that might have been compromised. For example, if the PC user never actually accessed one or more of the networked resources, and if those credentials were not cached in the PC, the team can rule out the data from these resources.</p>
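<p>The log-mining and scoping steps described above, as an added example that is not part of the original post: a Python script that attributes firewall events to the infected PC by DHCP lease window (so an address re-leased to another PC is not blamed on it), flags destinations contacted at a near-constant interval as likely BotNet check-ins to bound the infestation date, and then splits the user’s authorized resources into those potentially compromised (accessed after that date, or with credentials cached on the PC) and those ruled out. Every host name, address, resource name and log line is a constructed sample.</p>

```python
"""Correlate DHCP, firewall and server access logs for one infected PC.
All hosts, addresses, resource names and log lines are constructed samples."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed DHCP lease log (time, action, ip, hostname). 10.0.5.23 is
# re-leased to another PC on 03-06, so its later traffic is not ws-jdoe's.
DHCP_LOG = """\
2009-03-02T08:01:10 LEASE 10.0.5.23 ws-jdoe
2009-03-06T08:00:05 LEASE 10.0.5.41 ws-jdoe
2009-03-06T08:02:11 LEASE 10.0.5.23 ws-asmith
"""
# Constructed firewall log (time, action, src -> dst:port). The 10-minute
# cadence to 203.0.113.9, resuming after the PC was off, is the tell.
FIREWALL_LOG = """\
2009-03-03T14:00:00 ACCEPT 10.0.5.23 -> 203.0.113.9:443
2009-03-03T14:10:01 ACCEPT 10.0.5.23 -> 203.0.113.9:443
2009-03-03T14:19:58 ACCEPT 10.0.5.23 -> 203.0.113.9:443
2009-03-03T14:30:03 ACCEPT 10.0.5.23 -> 203.0.113.9:443
2009-03-06T09:00:00 ACCEPT 10.0.5.41 -> 203.0.113.9:443
2009-03-06T09:10:00 ACCEPT 10.0.5.41 -> 203.0.113.9:443
2009-03-06T09:20:00 ACCEPT 10.0.5.41 -> 203.0.113.9:443
2009-03-06T09:30:00 ACCEPT 10.0.5.41 -> 203.0.113.9:443
2009-03-06T10:05:00 ACCEPT 10.0.5.23 -> 198.51.100.7:80
"""
# Constructed server access log (time, user, resource).
ACCESS_LOG = """\
2009-03-01T10:00:00 jdoe fileserver-hr
2009-03-03T16:05:12 jdoe fileserver-finance
2009-03-05T09:30:00 jdoe crm-db
"""
AUTHORIZED = {"fileserver-hr", "fileserver-finance", "crm-db", "payroll-app", "vpn-gateway"}
CACHED_CREDS = {"vpn-gateway"}  # credentials found cached on the PC image


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def lease_events(dhcp_log):
    """[(time, ip, host)] in time order, one entry per DHCP lease."""
    rows = (line.split() for line in dhcp_log.splitlines())
    return sorted((parse_ts(ts), ip, host) for ts, _, ip, host in rows)


def host_for(events, ip, t):
    """PC holding ip at time t: the most recent lease of ip at or before t."""
    holders = [host for start, lease_ip, host in events if lease_ip == ip and start <= t]
    return holders[-1] if holders else None


def attribute_connections(firewall_log, events):
    """host -> dst -> [timestamps] of accepted outbound connections."""
    conns = defaultdict(lambda: defaultdict(list))
    for line in firewall_log.splitlines():
        ts, action, src, _, dst = line.split()
        t = parse_ts(ts)
        host = host_for(events, src, t)
        if action == "ACCEPT" and host:
            conns[host][dst].append(t)
    return conns


def beacon_candidates(conns, min_count=4, tolerance=0.1, min_fraction=0.75):
    """{(host, dst): (first_seen, period_s)} for destinations contacted at a
    near-constant interval, the BotNet check-in pattern. Judging each gap
    against the median interval tolerates a PC that was powered off."""
    found = {}
    for host, dsts in conns.items():
        for dst, times in dsts.items():
            times.sort()
            if len(times) < min_count:
                continue
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            period = median(gaps)
            regular = sum(1 for g in gaps if abs(g - period) <= tolerance * period)
            if period > 0 and regular / len(gaps) >= min_fraction:
                found[(host, dst)] = (times[0], period)
    return found


def scope_exposure(user, infected_at, access_log, authorized, cached):
    """Potentially compromised: authorized resources used on or after the first
    beacon, or whose credentials were cached on the PC. Ruled out: the rest."""
    rows = (line.split() for line in access_log.splitlines())
    used = {res for ts, who, res in rows if who == user and parse_ts(ts) >= infected_at}
    exposed = (used | cached) & authorized
    return {"potentially_compromised": sorted(exposed),
            "ruled_out": sorted(authorized - exposed)}


def investigate(host, user):
    """Full pass; the first beacon is an upper bound on the infestation date."""
    events = lease_events(DHCP_LOG)
    beacons = beacon_candidates(attribute_connections(FIREWALL_LOG, events))
    mine = {(h, d): v for (h, d), v in beacons.items() if h == host}
    if not mine:
        return None  # no beaconing attributable to this PC in the logs
    first = min(t for t, _ in mine.values())
    report = scope_exposure(user, first, ACCESS_LOG, AUTHORIZED, CACHED_CREDS)
    report["first_beacon"] = first
    report["beacons"] = {f"{h} -> {d}": p for (h, d), (_, p) in mine.items()}
    return report
```

Calling investigate("ws-jdoe", "jdoe") bounds the infestation at the first 203.0.113.9 check-in and lists fileserver-hr and payroll-app as ruled out, while ws-asmith’s later traffic from the re-leased address is never attributed to ws-jdoe.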
<p>I’m not a forensics expert, and I haven’t played one on TV either.  My intent here was to illustrate how pervasive a data leak can be with just one malware infestation on one PC.  I also wanted to show yet another good reason for maintaining a practical inventory of one’s information assets.  </p>
<p>With the tremendous uncertainty of what data might have been compromised by a single PC infested with malware, it’s no wonder there’s so little data on infected PC security breaches.  As few as 20% are reported.  Reporting one leads to many questions that are difficult to answer.  If not already, the new disclosure laws will make locking down and protecting PCs much cheaper than reacting to incidents.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/endpoint_security/pc-malware-costly-security-breach-disclosures/feed</wfw:commentRss>
		<feedburner:origLink>http://www.blueridgenetworks.com/securitynowblog/endpoint_security/pc-malware-costly-security-breach-disclosures</feedburner:origLink></item>
		<item>
		<title>Cybercriminals Robbing Social Network Users</title>
		<link>http://feedproxy.google.com/~r/securitynowblog/~3/S2oGfVYG9vI/worms-virus-trojan-rob-facebook-myspace-social-network-users</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/endpoint_security/worms-virus-trojan-rob-facebook-myspace-social-network-users#comments</comments>
		<pubDate>Thu, 12 Mar 2009 18:05:21 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
		
		<category><![CDATA[Endpoint Security]]></category>

		<guid isPermaLink="false">http://www.securitynowblog.com/?p=53</guid>
		<description><![CDATA[Users of Facebook, MySpace, Bebo, MyYearbook, and other social networks are being targeted with malware attacks that exploit the trust among social network “friends”.  As a result, they are losing money, personal and corporate confidential information, login credentials, and their PCs are secretly serving in BotNets.  Will fear slow down or shrink the [...]]]></description>
			<content:encoded><![CDATA[<p>Users of Facebook, MySpace, Bebo, MyYearbook, and other social networks are being targeted with malware attacks that exploit the trust among social network “friends”.  As a result, they are losing money, personal and corporate confidential information, login credentials, and their PCs are secretly serving in BotNets.  Will fear slow down or shrink the use of popular social networks?<span id="more-53"></span></p>
<p>Attackers are impersonating the “friends” of the victims, who trust that the files, documents, photos, and hyperlinks their “friends” send are not malicious.  When victims open these items or visit the web pages behind the sent hyperlinks, they are assaulted.  Some are confronted with phony security software prompts declaring massive infections: ‘click here to clean your PC’.  The result is a relatively clumsy malware infestation.  More sophisticated malware in the wild is far more difficult to detect.  That malware is sure to follow soon.</p>
<p>As if this weren’t enough to fear, these popular social networks feature browser applets such as “Facebook Applications” that enhance the user experience with specialized functionality such as games, movie preference comparisons with friends, ancestry, cities friends have visited or will visit, and numerous others.  These applets dynamically load into one’s web browser after the user subscribes to them.  They are designed to motivate users to invite their “friends” to use the applications too.</p>
<p>What’s wrong with these applets?  Plenty!  The advertising-revenue-seeking social networks distribute them, lending an air of legitimacy without testing them for malicious functionality.  The social network providers rely on EULAs.  When an outbreak is detected, the social network revokes the developer’s license and takes aggressive measures to eradicate the applets.  With thousands of these applets arriving and updating each month, the profit margins of these providers would suffer greatly if each version of each applet were thoroughly evaluated.  What should we reasonably expect of them?</p>
<p>Personally, these applications scare me more than spoofed messages among “friends” that lead victims to malicious content.</p>
<p>First, highly critical web browser vulnerabilities come and go every month like the new moon.  These applets can reside on user machines doing whatever fun thing they were designed to do until their developers get their hands on new exploit code for the web browser vulnerability of the month.</p>
<p>Second, there’s no background check on the developers and little to no consequence for their applets being identified as malicious.  If identified, the malware makers merely need to create a new email address and apply again for a developer’s account.</p>
<p>Will the threat from malware attacks kill social networks?  I very much doubt that!</p>
<p><strong>What do I recommend Facebook, MySpace, Bebo, MyYearbook, and other social networks do to protect themselves?</strong></p>
<p>First, they should use two or more different web browsers.  Using multiple windows and/or tabs of the same web browser application is a major part of the problem, not the solution.  So, use Firefox for Facebook and MySpace, and use Internet Explorer for online banking and shopping.  It’s also a good idea to do one sensitive thing, like online banking, at a time.  Other browsers users should consider having on their PC include Google Chrome, Opera, and Apple Safari.</p>
<p>Second, there will seemingly always be some programming flaw in any of these web browsers that can be exploited by cybercriminals to rob users and shanghai their PCs into botnets.  So, you need some security software that guards these browsers and prevents them from doing harm should they be hijacked.  Your typical antivirus or anti-spyware won’t be enough.  Regular readers of this blog will know why.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/endpoint_security/worms-virus-trojan-rob-facebook-myspace-social-network-users/feed</wfw:commentRss>
		<feedburner:origLink>http://www.blueridgenetworks.com/securitynowblog/endpoint_security/worms-virus-trojan-rob-facebook-myspace-social-network-users</feedburner:origLink></item>
	</channel>
</rss>
