{"id":278,"date":"2018-06-14T19:04:57","date_gmt":"2018-06-14T19:04:57","guid":{"rendered":"https:\/\/pressbooks.ccconline.org\/bus3060\/chapter\/ch13-3\/"},"modified":"2026-02-03T23:17:32","modified_gmt":"2026-02-03T23:17:32","slug":"ch13-3","status":"publish","type":"chapter","link":"https:\/\/pressbooks.ccconline.org\/bus3060\/chapter\/ch13-3\/","title":{"raw":"13.3 Where Are Vulnerabilities? Understanding the Weaknesses","rendered":"13.3 Where Are Vulnerabilities? Understanding the Weaknesses"},"content":{"raw":"<div id=\"slug-13-3-where-are-vulnerabilities-understanding-the-weaknesses\" class=\"chapter standard\">\r\n<div class=\"ugc chapter-ugc\">\r\n<div id=\"fwk-38086-ch13_s03_n01\" class=\"bcc-box bcc-highlight\">\r\n<div class=\"textbox textbox--learning-objectives\"><header class=\"textbox__header\">\r\n<p class=\"textbox__title\"><span style=\"font-family: 'Cormorant Garamond', serif; font-size: 1em; font-style: normal; font-weight: bold;\">Learning Objectives<\/span><\/p>\r\n\r\n<\/header>\r\n<div class=\"textbox__content\">\r\n<p id=\"fwk-38086-ch13_s03_p01\" class=\"nonindent para\">After studying this section you should be able to do the following:<\/p>\r\n\r\n<ol id=\"fwk-38086-ch13_s03_l01\" class=\"orderedlist\">\r\n \t<li>Recognize the potential entry points for security compromise.<\/li>\r\n \t<li>Understand infiltration techniques such as social engineering, phishing, malware, Web site compromises (such as SQL injection), and more.<\/li>\r\n \t<li>Identify various methods and techniques to thwart infiltration.<\/li>\r\n<\/ol>\r\n<\/div>\r\n<\/div>\r\n&nbsp;\r\n\r\n<\/div>\r\n<div style=\"text-align: center; font-size: .8em; max-width: 497px;\">\r\n<p class=\"nonindent title\"><span class=\"title-prefix\">Figure 13.1<\/span><\/p>\r\n<p class=\"indent\"><a>\r\n<img class=\"aligncenter size-medium wp-image-1285\" src=\"https:\/\/pressbooks.ccconline.org\/wp-content\/uploads\/sites\/324\/2018\/06\/figure13-3.png\" alt=\"This diagram shows only 
some of the potential weaknesses that can compromise the security of an organization\u2019s information systems. Every physical or network \u201ctouch point\u201d is a potential vulnerability. Understanding where weaknesses may exist is a vital step toward improved security.\" \/>\r\n<\/a><\/p>\r\n<p class=\"indent para\">This diagram shows only some of the potential weaknesses that can compromise the security of an organization\u2019s information systems. Every physical or network \u201ctouch point\u201d is a potential vulnerability. Understanding where weaknesses may exist is a vital step toward improved security.<\/p>\r\n\r\n<\/div>\r\n&nbsp;\r\n<p id=\"fwk-38086-ch13_s03_p02\" class=\"indent para editable block\">Modern information systems have lots of interrelated components and if one of these components fails, there might be a way in to the goodies. This creates a large attack surface for potential infiltration and compromise, as well as one that is simply vulnerable to unintentional damage and disruption.<\/p>\r\n\r\n<div id=\"fwk-38086-ch13_s03_s01\" class=\"section\">\r\n<h2 class=\"title editable block\">User and Administrator Threats<\/h2>\r\n<div id=\"fwk-38086-ch13_s03_s01_s01\" class=\"section\">\r\n<h2 class=\"title editable block\">Bad Apples<\/h2>\r\n<p id=\"fwk-38086-ch13_s03_s01_s01_p01\" class=\"nonindent para editable block\">While some of the more sensational exploits involve criminal gangs, research firm Gartner estimates that 70 percent of loss-causing security incidents involve insiders (Mardesich, 2009). Rogue employees can steal secrets, install malware, or hold a firm hostage. Check processing firm Fidelity National Information Services was betrayed when one of its database administrators lifted personal records on 2.3 million of the firm\u2019s customers and illegally sold them to direct marketers.<\/p>\r\n<p id=\"fwk-38086-ch13_s03_s01_s01_p02\" class=\"indent para editable block\">And it\u2019s not just firm employees. 
Many firms hire temporary staffers, contract employees, or outsource key components of their infrastructure. Other firms have been compromised by members of their cleaning or security staff. A contract employee working at Sentry Insurance stole information on 110,000 of the firm\u2019s clients (Vijayan, 2007).<\/p>\r\n\r\n<\/div>\r\n<div id=\"fwk-38086-ch13_s03_s01_s02\" class=\"section\">\r\n<h2 class=\"title editable block\">Social Engineering<\/h2>\r\n<p id=\"fwk-38086-ch13_s03_s01_s02_p01\" class=\"nonindent para editable block\">As P. T. Barnum is reported to have said, \u201cThere\u2019s a sucker born every minute.\u201d Con games that trick employees into revealing information or performing other tasks that compromise a firm are known as <em class=\"emphasis\">social engineering<\/em> in security circles. In some ways, crooks have never had easier access to background information that might be used to craft a scam. It\u2019s likely that a directory of a firm\u2019s employees, their titles, and other personal details is online right now via social networks like LinkedIn and Facebook. 
With just a few moments of searching, a skilled con artist can piece together a convincing and compelling story.<\/p>\r\n\r\n<div id=\"fwk-38086-ch13_s03_s01_s02_n01\" class=\"bcc-box bcc-highlight\">\r\n<div class=\"textbox shaded\">\r\n<h4 class=\"title\">A Sampling of Methods Employed in Social Engineering<\/h4>\r\n<ul id=\"fwk-38086-ch13_s03_s01_s02_l01\" class=\"itemizedlist\">\r\n \t<li>Impersonating senior management, a current or new end user needing help with access to systems, investigators, or staff (fake uniforms, badges)<\/li>\r\n \t<li>Identifying a key individual by name or title as a supposed friend or acquaintance<\/li>\r\n \t<li>Making claims with confidence and authority (\u201cOf course I belong at this White House dinner.\u201d)<\/li>\r\n \t<li>Baiting someone to add, deny, or clarify information that can help an attacker<\/li>\r\n \t<li>Using harassment, guilt, or intimidation<\/li>\r\n \t<li>Using an attractive individual to charm others into gaining information, favors, or access<\/li>\r\n \t<li>Setting off a series of false alarms that cause the victim to disable alarm systems<\/li>\r\n \t<li>Answering bogus surveys (e.g., \u201cWin a free trip to Hawaii\u2014just answer three questions about your network.\u201d)<\/li>\r\n<\/ul>\r\n<\/div>\r\n&nbsp;\r\n\r\n<\/div>\r\n<p id=\"fwk-38086-ch13_s03_s01_s02_p02\" class=\"indent para editable block\">Data aggregator ChoicePoint sold private information to criminals who posed as legitimate clients, compromising the names, addresses, and Social Security numbers of some 145,000 individuals. In this breach, not a single computer was compromised. Employees were simply duped into turning data over to crooks. Gaffes like that can be painful. 
ChoicePoint paid $15 million in a settlement with the Federal Trade Commission, suffered customer loss, and ended up abandoning once lucrative businesses (Anthes, 2008).<\/p>\r\n\r\n<\/div>\r\n<div id=\"fwk-38086-ch13_s03_s01_s03\" class=\"section\">\r\n<h2 class=\"title editable block\">Phishing<\/h2>\r\n<p id=\"fwk-38086-ch13_s03_s01_s03_p01\" class=\"nonindent para editable block\"><span class=\"margin_term\"><a class=\"glossterm\">Phishing<\/a><\/span> refers to cons executed through technology. The goal of phishing is to leverage the reputation of a trusted firm or friend to trick the victim into performing an action or revealing information. The cons are crafty. Many have masqueraded as a security alert from a bank or e-commerce site (\u201cOur Web site has been compromised, click to log in and reset your password.\u201d), a message from an employer, or even a notice from the government (\u201cClick here to update needed information to receive your tax refund transfer.\u201d). Sophisticated con artists will lift logos, mimic standard layouts, and copy official language from legitimate Web sites or prior e-mails. Gartner estimates that these sorts of phishing attacks cost consumers $3.2 billion in 2007 (Avivah, 2007).<\/p>\r\n<p id=\"fwk-38086-ch13_s03_s01_s03_p02\" class=\"indent para editable block\">Other phishing attempts might dupe a user into unwittingly downloading dangerous software (malware) that can do things like record passwords and keystrokes, provide hackers with deeper access to your corporate network, or enlist your PC as part of a botnet. One attempt masqueraded as a message from a Facebook friend, inviting the recipient to view a video. Victims clicking the link were then told they needed to install an updated version of the Adobe Flash plug-in to view the clip. The plug-in was really a malware program that gave phishers control of the infected user\u2019s computer (Krebs, 2009). 
Other attempts have populated P2P networks (peer-to-peer file distribution systems such as BitTorrent) with malware-installing files masquerading as video games or other software, movies, songs, and pornography.<\/p>\r\n<p id=\"fwk-38086-ch13_s03_s01_s03_p03\" class=\"indent para editable block\">So-called spear phishing attacks specifically target a given organization or group of users. In one incident, employees of a medical center received e-mails purportedly from the center itself, indicating that the recipient was being laid off and offering a link to job counseling resources. The link really offered a software payload that recorded and forwarded any keystrokes on the victim\u2019s PC (Garretson, 2006). And with this type of phishing, the more you know about a user, the more convincing it is to con them. Phishers using pilfered r\u00e9sum\u00e9 information from Monster.com crafted targeted and personalized e-mails. The request, seemingly from the job site, advised users to download the \u201cMonster Job Seeker Tool\u201d; this \u201ctool\u201d installed malware that encrypted files on the victim\u2019s PC, leaving a ransom note demanding payment to liberate a victim\u2019s hard disk (Wilson, 2007).<\/p>\r\n\r\n<div id=\"fwk-38086-ch13_s03_s01_s03_n01\" class=\"bcc-box bcc-highlight\">\r\n<div class=\"textbox shaded\">\r\n<h4 class=\"title\">Don\u2019t Take the Bait: Recognizing the \u201cPhish Hooks\u201d<\/h4>\r\n<p id=\"fwk-38086-ch13_s03_s01_s03_p04\" class=\"nonindent para\">Web browser developers, e-mail providers, search engines, and other firms are actively working to curtail phishing attempts. Many firms create blacklists that block access to harmful Web sites and increasingly robust tools screen for common phishing tactics. But it\u2019s still important to have your guard up. 
Some exploits may be so new that they haven\u2019t made it into screening systems (so-called zero-day exploits).<\/p>\r\n<p id=\"fwk-38086-ch13_s03_s01_s03_p05\" class=\"indent para\">Never click on a link or download a suspicious, unexpected enclosure without verifying the authenticity of the sender. If something looks suspicious, don\u2019t implicitly trust the \u201cfrom\u201d link in an e-mail. It\u2019s possible that the e-mail address has been <span class=\"margin_term\"><a class=\"glossterm\">spoofed<\/a><\/span> (faked) or that it was sent via a colleague\u2019s compromised account. If unsure, contact the sender or your security staff.<\/p>\r\n<p id=\"fwk-38086-ch13_s03_s01_s03_p06\" class=\"indent para\">Also know how to read the complete URL to look for tricks. Some firms misspell Web address names (http:\/\/wwwyourbank.com\u2014note the missing period), set up subdomains to trick the eye (http:\/\/yourbank.com.sneakysite.com\u2014which is hosted at sneakysite.com even though a quick glance looks like yourbank.com), or hijack brands by registering a legitimate firm\u2019s name via foreign top-level domains (http:\/\/yourbank.cn).<\/p>\r\n<p id=\"fwk-38086-ch13_s03_s01_s03_p07\" class=\"indent para\">A legitimate URL might also appear in a phishing message, but an HTML coding trick might make something that looks like http:\/\/yourbank.com\/login actually link to http:\/\/sneakysite.com. 
Hovering your cursor over the URL or an image connected to a link should reveal the actual URL as a tool tip (just don\u2019t click it, or you\u2019ll go to that site).<\/p>\r\n\r\n<\/div>\r\n&nbsp;\r\n\r\n<\/div>\r\n<div style=\"text-align: center; font-size: .8em; max-width: 497px;\">\r\n<div id=\"fwk-38086-ch13_s03_s01_s03_f01\" class=\"figure large\">\r\n<p class=\"nonindent title\"><span class=\"title-prefix\">Figure 13.2<\/span><\/p>\r\n<p class=\"indent\"><a>\r\n<img style=\"max-width: 497px;\" src=\"https:\/\/pressbooks.ccconline.org\/wp-content\/uploads\/sites\/324\/2018\/06\/807a212d0b60af5d9b7ea8fda4e26c51.jpg\" alt=\"This e-mail message looks like it\u2019s from Bank of America. However, hovering the cursor above the \u201cContinue to Log In\u201d button reveals the URL without clicking through to the site. Note how the actual URL associated with the link is not associated with Bank of America.\" \/>\r\n<\/a><\/p>\r\n<p class=\"indent para\">This e-mail message looks like it\u2019s from Bank of America. However, hovering the cursor above the \u201cContinue to Log In\u201d button reveals the URL without clicking through to the site. Note how the actual URL associated with the link is not associated with Bank of America.<\/p>\r\n\r\n<\/div>\r\n<\/div>\r\n<div style=\"text-align: center; font-size: .8em; max-width: 497px;\">\r\n<div id=\"fwk-38086-ch13_s03_s01_s03_f02\" class=\"figure large\">\r\n<p class=\"nonindent title\"><span class=\"title-prefix\">Figure 13.3<\/span><\/p>\r\n<p class=\"indent\"><a>\r\n<img style=\"max-width: 497px;\" src=\"https:\/\/pressbooks.ccconline.org\/wp-content\/uploads\/sites\/324\/2026\/01\/da91ad19bed13a62403b3e33bb0f8900.jpg\" alt=\"This image is from a phishing scheme masquerading as an eBay message. 
The real destination is a compromised .org domain unassociated with eBay, but the phishers have created a directory at this domain named \u201csignin.ebay.com\u201d in hopes that users will focus on that part of the URL and not recognize they\u2019re really headed to a non-eBay site.\" \/>\r\n<\/a><\/p>\r\n<p class=\"indent para\">This image is from a phishing scheme masquerading as an eBay message. The real destination is a compromised .org domain unassociated with eBay, but the phishers have created a directory at this domain named \u201csignin.ebay.com\u201d in hopes that users will focus on that part of the URL and not recognize they\u2019re really headed to a non-eBay site.<\/p>\r\n\r\n<\/div>\r\n<\/div>\r\n<\/div>\r\n<div id=\"fwk-38086-ch13_s03_s01_s03_n02\" class=\"bcc-box bcc-highlight\">\r\n<div class=\"textbox shaded\">\r\n<h4 class=\"title\">Web 2.0: The Rising Security Threat<\/h4>\r\n<p id=\"fwk-38086-ch13_s03_s01_s03_p08\" class=\"nonindent para\">Social networks and other Web 2.0 tools are a potential gold mine for crooks seeking to pull off phishing scams. Malware can send messages that seem to come from trusted \u201cfriends.\u201d Messages such as status updates and tweets are short, and with limited background information, there are fewer contexts to question a post\u2019s validity. Many users leverage bit.ly or other URL-shortening services that don\u2019t reveal the Web site they link to in their URL, making it easier to hide a malicious link. While the most popular URL-shortening services maintain a blacklist, early victims are threatened by <span class=\"margin_term\"><a class=\"glossterm\">zero-day exploits<\/a><\/span>. 
Criminals have also been using a variety of techniques to spread malware across sites or otherwise make them difficult to track and catch.<\/p>\r\n<p id=\"fwk-38086-ch13_s03_s01_s03_p09\" class=\"indent para\">Some botnets have even used Twitter to communicate by sending out coded tweets to instruct compromised machines<sup>1<\/sup>. Social media can also be a megaphone for loose lips, enabling a careless user to broadcast proprietary information to the public domain. A 2009 Congressional delegation to Iraq led by House Minority Leader John Boehner was supposed to have been secret. But Rep. Peter Hoekstra tweeted his final arrival into Baghdad for all to see, apparently unable to contain his excitement at receiving BlackBerry service in Iraq. Hoekstra tweeted, \u201cJust landed in Baghdad. I believe it may be first time I\u2019ve had bb service in Iraq. 11th trip here.\u201d You\u2019d think he would have known better. At the time, Hoekstra was a ranking member of the House Intelligence Committee!<\/p>\r\n<p class=\"indent para\"><span class=\"title-prefix\">Figure 13.4<\/span>\r\n<img style=\"max-width: 497px;\" src=\"https:\/\/pressbooks.ccconline.org\/wp-content\/uploads\/sites\/324\/2026\/01\/3ef08ba025847404b26c05ec0bf901ad.jpg\" alt=\"A member of the House Intelligence Committee uses Twitter and reveals his locale on a secret trip. 
Pete Hoekstra:\" \/>\r\n<span style=\"text-align: initial; text-indent: 2em; font-size: 0.8em; background-color: initial;\">A member of the House Intelligence Committee uses Twitter and reveals his locale on a secret trip.<\/span><\/p>\r\n\r\n<\/div>\r\n<div style=\"text-align: center; font-size: .8em; max-width: 497px;\">\r\n<div id=\"fwk-38086-ch13_s03_s01_s03_f03\" class=\"figure large\">\r\n<p class=\"indent\"><\/p>\r\n\r\n<\/div>\r\n<\/div>\r\n<\/div>\r\n<\/div>\r\n<div id=\"fwk-38086-ch13_s03_s01_s04\" class=\"section\">\r\n<h2 class=\"title editable block\">Passwords<\/h2>\r\n<p id=\"fwk-38086-ch13_s03_s01_s04_p01\" class=\"nonindent para editable block\">Many valuable assets are kept secure via just one thin layer of protection\u2014the password. And if you\u2019re like most users, your password system is a mess (Manjoo, 2009). With so many destinations asking for passwords, chances are you\u2019re using the same password (or easily guessed variants) in a way that means getting just one \u201ckey\u201d would open many \u201cdoors.\u201d The typical Web user has 6.5 passwords, each of which is used at four sites, on average (Summers, 2009). Some sites force users to change passwords regularly, but this often results in insecure compromises. Users make only minor tweaks (e.g., appending the month or year); they write passwords down (in an unlocked drawer or Post-it note attached to the monitor); or they save passwords in personal e-mail accounts or on unencrypted hard drives.<\/p>\r\n<p id=\"fwk-38086-ch13_s03_s01_s04_p02\" class=\"indent para editable block\">The challenge questions offered by many sites to automate password distribution and reset are often pitifully insecure. What\u2019s your mother\u2019s maiden name? What elementary school did you attend? Where were you born? All are pretty easy to guess. 
One IEEE study found acquaintances could correctly answer colleagues\u2019 secret questions 28 percent of the time, and those who did not know the person still guessed right at a rate of 17 percent. Plus, within three to six months, 16 percent of study participants forgot answers to <em class=\"emphasis\">their own<\/em> security questions (Lemos, 2009). In many cases, answers to these questions can be easily uncovered online. Chances are, if you\u2019ve got an account at a site like Ancestry.com, classmates.com, or Facebook, then some of your secret answers have already been exposed\u2014by you! A Tennessee teen hacked into Sarah Palin\u2019s personal Yahoo! account (gov.palin@yahoo.com) in part by correctly guessing where she met her husband. A similar attack hit staffers at Twitter, resulting in the theft of hundreds of internal documents, including strategy memos, e-mails, and financial forecasts, many of which ended up embarrassingly posted online (Summers, 2009).<\/p>\r\n<p id=\"fwk-38086-ch13_s03_s01_s04_p03\" class=\"indent para editable block\">Related to the password problem are issues with system setup and configuration. Many vendors sell software with a common default password. For example, for years, leading database products came with the default account and password combination \u201cscott\/tiger.\u201d Any firm not changing default accounts and passwords risks having an open door. Other firms are left vulnerable if users set systems for open access\u2014say turning on file sharing permission for their PC. Programmers, take note: well-designed products come with secure default settings, require users to reset passwords at setup, and also offer strong warnings when security settings are made weaker. 
But unfortunately, there are a lot of legacy products out there, and not all vendors have the insight to design for out-of-the-box security.<\/p>\r\n\r\n<div id=\"fwk-38086-ch13_s03_s01_s04_n01\" class=\"bcc-box bcc-highlight\">\r\n<div class=\"textbox shaded\">\r\n<h4 class=\"title\">Building a Better Password<\/h4>\r\n<p id=\"fwk-38086-ch13_s03_s01_s04_p04\" class=\"nonindent para\">There\u2019s no simple answer for the password problem. <span class=\"margin_term\"><a class=\"glossterm\">Biometrics<\/a><\/span> are often thought of as a solution, but technologies that replace conventionally typed passwords with things like fingerprint readers, facial recognition, or iris scans are still rarely used, and PCs that include such technologies are widely viewed as novelties. Says Carnegie Mellon University CyLab fellow Richard Power, \u201cBiometrics never caught on and it never will\u201d (Summers, 2009).<\/p>\r\n<p id=\"fwk-38086-ch13_s03_s01_s04_p05\" class=\"indent para\">Other approaches leverage technology that distributes single use passwords. These might arrive via external devices like an electronic wallet card, key chain fob, or cell phone. Security firm RSA has even built the technology into BlackBerrys. Enter a user name and receive a phone message with a temporary password. Even if a system was compromised by keystroke capture malware, the password is only good for one session. Lost device? A central command can disable it. This may be a good solution for situations that demand a high level of security, and Wells Fargo and PayPal are among the firms offering these types of services as an option. However, for most consumer applications, slowing down users with a two-tier authentication system would be an impractical mandate.<\/p>\r\n<p id=\"fwk-38086-ch13_s03_s01_s04_p06\" class=\"indent para\">While you await technical fixes, you can at least work to be part of the solution rather than part of the problem. 
It\u2019s unlikely you\u2019ve got the memory or discipline to create separate unique passwords for all of your sites, but at least make it a priority to create separate, hard-to-guess passwords for each of your highest priority accounts (e.g., e-mail, financial Web sites, corporate network, and PC). Remember, the integrity of a password shared across Web sites isn\u2019t just up to you. That hot start-up Web service may not have the security resources or experience to protect your special code, and if that Web site\u2019s account is hacked, your user name and password are now in the hands of hackers that can try out those \u201ckeys\u201d across the Web\u2019s most popular destinations.<\/p>\r\n<p id=\"fwk-38086-ch13_s03_s01_s04_p07\" class=\"indent para\">Web sites are increasingly demanding more \u201csecure\u201d passwords, requiring users to create passwords at least eight characters in length and that include at least one number and other nonalphabet character. Beware of using seemingly clever techniques to disguise common words. Many commonly available brute-force password cracking tools run through dictionary guesses of common words or phrases, substituting symbols or numbers for common characters (e.g., \u201c@\u201d for \u201ca,\u201d \u201c+\u201d for \u201ct\u201d). For stronger security, experts often advise basing passwords on a phrase, where each letter makes up a letter in an acronym. For example, the phrase \u201cMy first Cadillac was a real lemon so I bought a Toyota\u201d becomes \u201cM1stCwarlsIbaT\u201d (Manjoo, 2009). Be careful to choose an original phrase that\u2019s known only by you and that\u2019s easy for you to remember. Studies have shown that acronym-based passwords using song lyrics, common quotes, or movie lines are still susceptible to dictionary-style hacks that build passwords from pop-culture references (in one test, two of 144 participants made password phrases from an acronym of the Oscar Meyer wiener jingle) (Summers, 2009). 
Finding that balance between something tough for others to guess yet easy for you to remember will require some thought\u2014but it will make you more secure. Do it now!<\/p>\r\n\r\n<\/div>\r\n&nbsp;\r\n\r\n<\/div>\r\n<\/div>\r\n<div id=\"fwk-38086-ch13_s03_s02\" class=\"section\">\r\n<h2 class=\"title editable block\">Technology Threats (Client and Server Software, Hardware, and Networking)<\/h2>\r\n<div id=\"fwk-38086-ch13_s03_s02_s01\" class=\"section\">\r\n<h2 class=\"title editable block\">Malware<\/h2>\r\n<p id=\"fwk-38086-ch13_s03_s02_s01_p01\" class=\"nonindent para editable block\">Any accessible computing device is a potential target for infiltration by malware. <em class=\"emphasis\">Malware<\/em> (for malicious software) seeks to compromise a computing system without permission. Client PCs and a firm\u2019s servers are primary targets, but as computing has spread, malware now threatens nearly any connected system running software, including mobile phones, embedded devices, and a firm\u2019s networking equipment.<\/p>\r\n<p id=\"fwk-38086-ch13_s03_s02_s01_p02\" class=\"indent para editable block\">Some hackers will try to sneak malware onto a system via techniques like phishing. In another high-profile hacking example, infected USB drives were purposely left lying around government offices. Those seemingly abandoned office supplies really contained code that attempted to infiltrate government PCs when inserted by unwitting employees.<\/p>\r\n<p id=\"fwk-38086-ch13_s03_s02_s01_p03\" class=\"indent para editable block\">Machines are constantly under attack. Microsoft\u2019s Internet Safety Enforcement Team claims that the mean time to infection for an unprotected PC is less than five minutes (Markoff, 2008). 
Oftentimes malware attempts to compromise weaknesses in software\u2014either bugs, poor design, or poor configuration.<\/p>\r\n<p id=\"fwk-38086-ch13_s03_s02_s01_p04\" class=\"indent para editable block\">Years ago, most attacks centered on weaknesses in the operating system, but now malware exploits have expanded to other targets, including browsers, plug-ins, and scripting languages used by software. <em class=\"emphasis\">BusinessWeek<\/em> reports that Adobe has replaced Microsoft as the primary means by which hackers try to infect or take control of PCs. Even trusted Web sites have become a conduit to deliver malware payloads. More than a dozen sites, including those of the <em class=\"emphasis\">New York Times<\/em>, <em class=\"emphasis\">USA Today<\/em>, and <em class=\"emphasis\">Nature<\/em>, were compromised when seemingly honest advertising clients switched on fake ads that exploit Adobe software (Ricadela, 2009). Some attacks were delivered through Flash animations that direct computers to sites that scan PCs, installing malware payloads through whatever vulnerabilities are discovered. Others circulated via e-mail through PDF triggered payloads deployed when a file was loaded via Acrobat Reader. Adobe is a particularly tempting target, as Flash and Acrobat Reader are now installed on nearly every PC, including Mac and Linux machines.<\/p>\r\n<p id=\"fwk-38086-ch13_s03_s02_s01_p05\" class=\"indent para editable block\">Malware goes by many names. Here are a few of the more common terms you\u2019re likely to encounter<sup>2<\/sup>.<\/p>\r\n<p id=\"fwk-38086-ch13_s03_s02_s01_p06\" class=\"indent para editable block\">Methods of infection are as follows:<\/p>\r\n\r\n<ul id=\"fwk-38086-ch13_s03_s02_s01_l01\" class=\"itemizedlist editable block\">\r\n \t<li><em class=\"emphasis\">Viruses.<\/em> Programs that infect other software or files. They require an executable (a running program) to spread, attaching to other executables. 
Viruses can spread via operating systems, programs, or the boot sector or auto-run feature of media such as DVDs or USB drives. Some applications have executable languages (macros) that can also host viruses that run and spread when a file is opened.<\/li>\r\n \t<li><em class=\"emphasis\">Worms.<\/em> Programs that take advantage of a security vulnerability to automatically spread, but unlike viruses, worms do not require an executable. Some worms scan for and install themselves on vulnerable systems with stunning speed (in an extreme example, the SQL Slammer worm infected 90 percent of vulnerable software worldwide within just ten minutes) (Broersma, 2003).<\/li>\r\n \t<li><em class=\"emphasis\">Trojans.<\/em> Exploits that, like the mythical Trojan horse, try to sneak in by masquerading as something they\u2019re not. The payload is released when the user is duped into downloading and installing the malware cargo, oftentimes via phishing exploits.<\/li>\r\n<\/ul>\r\n<p id=\"fwk-38086-ch13_s03_s02_s01_p07\" class=\"indent para editable block\">While the terms above cover methods for infection, the terms below address the goal of the malware:<\/p>\r\n\r\n<ul id=\"fwk-38086-ch13_s03_s02_s01_l02\" class=\"itemizedlist editable block\">\r\n \t<li><em class=\"emphasis\">Botnets or zombie networks.<\/em> Hordes of surreptitiously infected computers linked and controlled remotely by a central command. 
Botnets are used in crimes where controlling many difficult-to-identify PCs is useful, such as when perpetrating click fraud, sending spam, registering accounts that use <span class=\"margin_term\"><a class=\"glossterm\">CAPTCHAs<\/a><\/span> (those scrambled character images meant to thwart things like automated account setup or ticket buying), executing \u201cdictionary\u201d password cracking attempts, or launching denial-of-service attacks.<\/li>\r\n \t<li><em class=\"emphasis\">Malicious adware.<\/em> Programs installed without full user consent or knowledge that later serve unwanted advertisements.<\/li>\r\n \t<li><em class=\"emphasis\">Spyware.<\/em> Software that surreptitiously monitors user actions, network traffic, or scans for files.<\/li>\r\n \t<li><em class=\"emphasis\">Keylogger.<\/em> Type of spyware that records user keystrokes. Keyloggers can be either software-based or hardware, such as a recording \u201cdongle\u201d that is plugged in between a keyboard and a PC.<\/li>\r\n \t<li><em class=\"emphasis\">Screen capture.<\/em> Variant of the keylogger approach. This category of software records the pixels that appear on a user\u2019s screen for later playback in hopes of identifying proprietary information.<\/li>\r\n \t<li><em class=\"emphasis\">Blended threats.<\/em> Attacks combining multiple malware or hacking exploits.<\/li>\r\n<\/ul>\r\n<div id=\"fwk-38086-ch13_s03_s02_s01_n01\" class=\"bcc-box bcc-highlight\">\r\n<div class=\"textbox shaded\">\r\n<h4 class=\"title\">All the News Fit to Print (Brought to You by Scam Artists)<\/h4>\r\n<p id=\"fwk-38086-ch13_s03_s02_s01_p08\" class=\"nonindent para\">In fall 2009, bad guys posing as the telecom firm Vonage signed up to distribute ads through the <em class=\"emphasis\">New York Times<\/em> Web site. 
Many firms that display online ads on their Web sites simply create placeholders on their Web pages, with the actual ad content served by the advertisers themselves (see the Google chapter for details). In this particular case, the scam artists posing as Vonage switched off the legitimate-looking ads and switched on code that, according to the <em class=\"emphasis\">New York Times<\/em>, \u201ctook over the browsers of many people visiting the site, as their screens filled with an image that seemed to show a scan for computer viruses. The visitors were then told that they needed to buy antivirus software to fix a problem, but the software was more snake oil than a useful program\u201d (Vance, 2009). Sites ranging from Fox News, the <em class=\"emphasis\">San Francisco Chronicle<\/em>, and British tech site The Register have also been hit with ad scams in the past. In the <em class=\"emphasis\">Times<\/em> case, malware wasn\u2019t distributed directly to user PCs, but by passing through ads from third parties to consumers, the <em class=\"emphasis\">Times<\/em> became a conduit for a scam. In the same way that manufacturers need to audit their supply chain to ensure that partners aren\u2019t engaged in sweatshop labor or disgraceful pollution, sites that host ads need to audit their partners to ensure they are legitimate and behaving with integrity.<\/p>\r\n\r\n<\/div>\r\n&nbsp;\r\n\r\n<\/div>\r\n<div id=\"fwk-38086-ch13_s03_s02_s01_n02\" class=\"bcc-box bcc-highlight\">\r\n<div class=\"textbox shaded\">\r\n<h4 class=\"title\">The Virus in Your Pocket<\/h4>\r\n<p id=\"fwk-38086-ch13_s03_s02_s01_p09\" class=\"nonindent para\">Most mobile phones are really pocket computers, so it\u2019s not surprising that these devices have become malware targets. And there are a lot of pathways to exploit. Malware might infiltrate a smartphone via e-mail, Internet surfing, MMS attachments, or even Bluetooth. 
The \u201ccommwarrior\u201d mobile virus spread to at least eight countries, propagating via a combination of MMS messages and Bluetooth (Charney, 2005).<\/p>\r\n<p id=\"fwk-38086-ch13_s03_s02_s01_p10\" class=\"indent para\">Most smartphones have layers of security to block the spread of malware, so hackers typically hunt for the weakest victims. Easy marks include \u201cjail-broken\u201d iPhones, devices with warranty-voiding modifications in which security restrictions are overridden to allow the phone to be used off network and to install unsanctioned applications. Estimates suggest some 10 percent of iPhones are jail-broken, and early viruses exploiting the compromised devices ranged from a \u201cRick roll\u201d that replaced the home screen image with a photo of 1980s crooner Rick Astley (Steade, 2009) to the more nefarious Ikee.B, which scanned text messages and hunted out banking codes, forwarding the nabbed data to a server in Lithuania (Lemos, 2009).<\/p>\r\n<p id=\"fwk-38086-ch13_s03_s02_s01_p11\" class=\"indent para\">The upside? Those smart devices are sometimes crime fighters themselves. 
A Pittsburgh mugging victim turned on Apple\u2019s \u201cFind My iPhone\u201d feature within its MobileMe service, mapping the perpetrator\u2019s path, then sending the law to bust the bad guys while they ate at a local restaurant (Murrell, 2009).<\/p>\r\n\r\n<div style=\"text-align: center; font-size: .8em; max-width: 497px;\">\r\n<div id=\"fwk-38086-ch13_s03_s02_s01_f01\" class=\"figure medium\">\r\n<p class=\"nonindent title\"><span class=\"title-prefix\">Figure 13.5<\/span><\/p>\r\n<p class=\"indent\"><a>\r\n<img style=\"max-width: 300px;\" src=\"https:\/\/pressbooks.ccconline.org\/wp-content\/uploads\/sites\/324\/2026\/01\/bae80f7601e3121ddbcef6490faa2f7f.jpg\" alt=\"A\" \/>\r\n<\/a><\/p>\r\n<p class=\"indent para\">A \u201cjail-broken\u201d iPhone gets \u201cRick rolled\u201d by malware.<\/p>\r\n\r\n<\/div>\r\n<\/div>\r\n<\/div>\r\n&nbsp;\r\n\r\n<\/div>\r\n<\/div>\r\n<div id=\"fwk-38086-ch13_s03_s02_s02\" class=\"section\">\r\n<h2 class=\"title editable block\">Compromising Web Sites<\/h2>\r\n<p id=\"fwk-38086-ch13_s03_s02_s02_p01\" class=\"nonindent para editable block\">Some exploits directly target poorly designed and programmed Web sites. Consider the SQL injection technique. It zeros in on a sloppy programming practice where software developers don\u2019t validate user input.<\/p>\r\n<p id=\"fwk-38086-ch13_s03_s02_s02_p02\" class=\"indent para editable block\">It works like this. Imagine that you visit a Web site and are asked to enter your user ID in a field on a Web page (say your user ID is smith). A Web site may be programmed to take the data you enter from the Web page\u2019s user ID field (smith), then add it to a database command (creating the equivalent of a command that says \u201cfind the account for \u2018smith\u2019\u201d). 
The database then executes that command.<\/p>\r\n<p id=\"fwk-38086-ch13_s03_s02_s02_p03\" class=\"indent para editable block\">But Web sites that don\u2019t verify user entries and instead just blindly pass along entered data are vulnerable to attack. Hackers with just a rudimentary knowledge of SQL could type actual code fragments into the user ID field, appending this code to statements executed by the site (see sidebar for a more detailed description). Such modified instructions could instruct the Web site\u2019s database software to drop (delete) tables, insert additional data, return all records in a database, or even redirect users to another Web site that will scan clients for weaknesses, then launch further attacks. Security expert Ben Schneier noted a particularly ghastly SQL injection vulnerability in the publicly facing database for the Oklahoma Department of Corrections, where \u201canyone with basic SQL knowledge could have registered anyone he wanted as a sex offender\u201d (Schneier, 2008).<\/p>\r\n<p id=\"fwk-38086-ch13_s03_s02_s02_p04\" class=\"indent para editable block\">Not trusting user input is a cardinal rule of programming, and most well-trained programmers know to validate user input. But there\u2019s a lot of sloppy code out there, which hackers are all too eager to exploit. IBM identifies SQL injection as the fastest growing security threat, with over half a million attack attempts recorded each day (Wittmann, 2009). Some vulnerable systems started life as quickly developed proofs of concepts, and programmers never went back to add the needed code to validate input and block these exploits. Other Web sites may have been designed by poorly trained developers who have moved on to other projects, by staff that have since left the firm, or where development was outsourced to another firm. 
As such, many firms don\u2019t even know if they suffer from this vulnerability.<\/p>\r\n<p id=\"fwk-38086-ch13_s03_s02_s02_p05\" class=\"indent para editable block\">SQL injection and other application weaknesses are particularly problematic because there is no commercial software patch or easily deployed piece of security software that can protect a firm. Instead, firms have to meticulously examine the integrity of their Web sites to see if they are vulnerable<sup>3<\/sup>.<\/p>\r\n\r\n<div id=\"fwk-38086-ch13_s03_s02_s02_n01\" class=\"bcc-box bcc-highlight\">\r\n<div class=\"textbox shaded\">\r\n<h4 class=\"title\">How SQL Injection Works<\/h4>\r\n<p id=\"fwk-38086-ch13_s03_s02_s02_p06\" class=\"nonindent para\">For those who want to get into some of the geekier details of a SQL injection attack, consider a Web site that executes the code below to verify that an entered user ID is in a database table of usernames. The code executed by the Web site might look something like this:<\/p>\r\n\r\n<div id=\"fwk-38086-ch13_s03_s02_s02_bl01\" class=\"blockquote\">\r\n\r\n\"SELECT * FROM users WHERE userName = '\" + userID + \"';\"\r\n<p id=\"fwk-38086-ch13_s03_s02_s02_p08\" class=\"nonindent para\">The statement above tells the database to SELECT (find and return) all columns (that\u2019s what the \u201c*\u201d means) from a table named users where the database\u2019s userName field equals the text you just entered in the userID field. If the Web site\u2019s visitor entered smith, that text is added to the statement above, and it\u2019s executed as:<\/p>\r\n\r\n<div id=\"fwk-38086-ch13_s03_s02_s02_bl02\" class=\"blockquote\">\r\n\r\nSELECT * FROM users WHERE userName = 'smith';\r\n<p id=\"fwk-38086-ch13_s03_s02_s02_p10\" class=\"nonindent para\">No problem. 
But now imagine a hacker gets sneaky and instead of just typing smith into the Web site\u2019s userID field, they also add some <em class=\"emphasis\">additional<\/em> SQL code like this:<\/p>\r\n\r\n<div id=\"fwk-38086-ch13_s03_s02_s02_bl03\" class=\"blockquote\">\r\n\r\nsmith'; DELETE FROM users WHERE 't' = 't\r\n<p id=\"fwk-38086-ch13_s03_s02_s02_p12\" class=\"nonindent para\">If the text above is entered into the user ID field, the Web site adds it to its own programming to create a statement that is executed as:<\/p>\r\n\r\n<div id=\"fwk-38086-ch13_s03_s02_s02_bl04\" class=\"blockquote\">\r\n\r\nSELECT * FROM users WHERE userName = 'smith'; DELETE FROM users WHERE 't' = 't';\r\n<p id=\"fwk-38086-ch13_s03_s02_s02_p14\" class=\"nonindent para\">The semicolons separate SQL statements. That second statement says delete all data in the users table for records where 't' = 't' (this last part, 't' = 't', is always true, so all records will be deleted). Yikes! In this case, someone entering the kind of code you\u2019d learn in the first chapter of <em class=\"emphasis\">SQL for Dummies<\/em> could annihilate a site\u2019s entire user ID file using one of the site\u2019s own Web pages as the attack vehicle (Schneier, 2008).<\/p>\r\n\r\n<\/div>\r\n<p id=\"fwk-38086-ch13_s03_s02_s02_p15\" class=\"indent para editable block\">Related programming exploits go by names such as cross-site scripting attacks and HTTP header injection. We\u2019ll spare you the technical details, but what this means for both the manager and the programmer is that all systems must be designed and tested with security in mind. This includes testing new applications, existing and legacy applications, partner offerings, and SaaS (software as a service) applications\u2014everything. 
Visa and MasterCard are among the firms requiring partners to rigorously apply testing standards. Firms that aren\u2019t testing their applications will find they\u2019re locked out of business; if caught with unacceptable breaches, such firms may be forced to pay big fines and absorb any costs associated with their weak practices<sup>4<\/sup>.<\/p>\r\n\r\n<\/div>\r\n<\/div>\r\n<div id=\"fwk-38086-ch13_s03_s03\" class=\"section\">\r\n<h2 class=\"title editable block\">Push-Button Hacking<\/h2>\r\n<p id=\"fwk-38086-ch13_s03_s03_p01\" class=\"nonindent para editable block\">Not only is the list of technical vulnerabilities well known; hackers have also created tools to make it easy for the criminally inclined to automate attacks. <a class=\"xref\" href=\"part-014-chapter-14-google-search-online-advertising-and-beyond.html\">Chapter 14 \u201cGoogle: Search, Online Advertising, and Beyond\u201d<\/a> outlines how Web sites can interrogate a system to find out more about the software and hardware used by visitors. Hacking toolkits can do the same thing. While you won\u2019t find this sort of software for sale on Amazon, a casual surfing of the online underworld (not recommended or advocated) will surface scores of tools that probe systems for the latest vulnerabilities, then launch appropriate attacks. In one example, a $700 toolkit (MPack v. 86) was used to infiltrate a host of Italian Web sites, launching Trojans that infested 15,000 users in just a six-day period<sup>5<\/sup>. As an industry executive in <em class=\"emphasis\">BusinessWeek<\/em> has stated, \u201cThe barrier of entry is becoming so low that literally anyone can carry out these attacks\u201d (Schectman, 2009).<\/p>\r\n\r\n<div id=\"fwk-38086-ch13_s03_s03_s01\" class=\"section\">\r\n<h2 class=\"title editable block\">Network Threats<\/h2>\r\n<p id=\"fwk-38086-ch13_s03_s03_s01_p01\" class=\"nonindent para editable block\">The network itself may also be a source of compromise. 
Recall that the TJX hack happened when a Wi-Fi access point was left open and undetected. A hacker just drove up and performed the digital equivalent of crawling through an open window. The problem is made more challenging since wireless access points are so inexpensive and easy to install. For less than $100, a user (well intentioned or not) could plug in an access point that provides entry for anyone. If a firm doesn\u2019t regularly monitor its premises, its network, and its network traffic, it may fall victim.<\/p>\r\n<p id=\"fwk-38086-ch13_s03_s03_s01_p02\" class=\"indent para editable block\">Other troubling exploits have targeted the very underpinning of the Internet itself. This is the case with so-called DNS cache poisoning. The DNS, or domain name service, is a collection of software that maps an Internet address, such as (<a class=\"link\" href=\"http:\/\/www.bc.edu\" target=\"_blank\" rel=\"noopener\">http:\/\/www.bc.edu<\/a>), to an IP address, such as 136.167.2.220 (see <a class=\"xref\" href=\"part-012-chapter-12-a-managers-guide-to-the-internet-and-telecommunications.html\">Chapter 12 \u201cA Manager\u2019s Guide to the Internet and Telecommunications\u201d<\/a> for more detail). DNS cache poisoning exploits can redirect this mapping, and the consequences are huge. Imagine thinking that you\u2019re visiting your bank\u2019s Web site, but instead your network\u2019s DNS server has been poisoned so that you really visit a carefully crafted replica that hackers use to steal your log-in credentials and drain your bank account. 
A DNS cache poisoning attack launched against one of China\u2019s largest ISPs redirected users to sites that launched malware exploits, targeting weaknesses in RealPlayer, Adobe Flash, and Microsoft\u2019s ActiveX technology, commonly used in browsers (London, 2008).<\/p>\r\n\r\n<\/div>\r\n<div id=\"fwk-38086-ch13_s03_s03_s02\" class=\"section\">\r\n<h2 class=\"title editable block\">Physical Threats<\/h2>\r\n<p id=\"fwk-38086-ch13_s03_s03_s02_p01\" class=\"nonindent para editable block\">A firm doesn\u2019t just have to watch out for insiders or compromised software and hardware; a host of other physical threats can grease the skids to fraud, theft, and damage. Most large firms have disaster-recovery plans in place. These often include provisions to back up systems and data to off-site locales, to protect operations and provide a fallback in the case of disaster. Such plans increasingly take into account the potential impact of physical security threats such as terrorism or vandalism as well.<\/p>\r\n<p id=\"fwk-38086-ch13_s03_s03_s02_p02\" class=\"indent para editable block\">Anything valuable that reaches the trash in a recoverable state is also a potential security breach. Hackers and spies sometimes practice <span class=\"margin_term\"><a class=\"glossterm\">dumpster diving<\/a><\/span>, sifting through trash in an effort to uncover valuable data or insights that can be stolen or used to launch a security attack. 
This might include hunting for discarded passwords written on Post-it notes, recovering unshredded printed user account listings, scanning e-mails or program printouts for system clues, recovering tape backups, resurrecting files from discarded hard drives, and more.<\/p>\r\n<p id=\"fwk-38086-ch13_s03_s03_s02_p03\" class=\"indent para editable block\">Other compromises might take place via <span class=\"margin_term\"><a class=\"glossterm\">shoulder surfing<\/a><\/span>, simply looking over someone\u2019s shoulder to glean a password or see other proprietary information that might be displayed on a worker\u2019s screen.<\/p>\r\n<p id=\"fwk-38086-ch13_s03_s03_s02_p04\" class=\"indent para editable block\">Firms might also fall victim to various forms of eavesdropping, such as efforts to listen in on or record conversations, transmissions, or keystrokes. A device hidden inside a package might sit inside a mailroom or a worker\u2019s physical inbox, scanning for open wireless connections, or recording and forwarding conversations (Robertson, 2008). 
Other forms of eavesdropping can be accomplished via compromised wireless or other network connections, keylogger or screen capture malware, as well as hardware devices such as replacement keyboards with keyloggers embedded inside, microphones to capture the subtly distinct and identifiable sound of each key being pressed, programs that turn on the built-in microphones or cameras that are now standard on many PCs, or even James Bond-style devices using Van Eck techniques that attempt to read monitors from afar by detecting their electromagnetic emissions.<\/p>\r\n\r\n<\/div>\r\n<\/div>\r\n<\/div>\r\n<\/div>\r\n&nbsp;\r\n\r\n<\/div>\r\n<\/div>\r\n<div id=\"fwk-38086-ch13_s03_s03_s02_n01\" class=\"bcc-box bcc-highlight\">\r\n<div class=\"textbox shaded\">\r\n<h4 class=\"title\">The Encryption Prescription<\/h4>\r\n<p id=\"fwk-38086-ch13_s03_s03_s02_p05\" class=\"nonindent para\">During a routine physical transfer of backup media, Bank of America lost tapes containing the private information\u2014including Social Security and credit card numbers\u2014of hundreds of thousands of customers (Mardesich, 2009). This was potentially devastating fodder for identity thieves. But who cares if someone steals your files if they still can\u2019t read the data? That\u2019s the goal of encryption!<\/p>\r\n<p id=\"fwk-38086-ch13_s03_s03_s02_p06\" class=\"indent para\"><span class=\"margin_term\"><a class=\"glossterm\">Encryption<\/a><\/span> scrambles data, making it essentially unreadable to any program that doesn\u2019t have the descrambling password, known as a <span class=\"margin_term\"><a class=\"glossterm\">key<\/a><\/span>. Simply put, the larger the key, the more difficult it is for a brute-force attack to exhaust all available combinations and crack the code. When well implemented, encryption can be the equivalent of a rock solid vault. 
To date, the largest known <span class=\"margin_term\"><a class=\"glossterm\">brute-force attacks<\/a><\/span>, demonstration hacks launched by grids of simultaneous code-cracking computers working in unison, haven\u2019t come close to breaking the type of encryption used to scramble transmissions that most browsers use when communicating with banks and shopping sites. The problem occurs when data is nabbed before encryption or after decrypting, or in rare cases, if the encrypting key itself is compromised.<\/p>\r\n<p id=\"fwk-38086-ch13_s03_s03_s02_p07\" class=\"indent para\">Extremely sensitive data\u2014trade secrets, passwords, credit card numbers, and employee and customer information\u2014should be encrypted before being sent or stored (Mardesich, 2009). Deploying encryption dramatically lowers the potential damage from lost or stolen laptops, or from hardware recovered from dumpster diving. It is vital for any laptops carrying sensitive information.<\/p>\r\n<p id=\"fwk-38086-ch13_s03_s03_s02_p08\" class=\"indent para\">Encryption is also employed in virtual private network (VPN) technology, which scrambles data passed across a network. Public wireless connections pose significant security threats\u2014they may be set up by hackers that pose as service providers, while really launching attacks on or monitoring the transmissions of unwitting users. The use of VPN software can make any passed-through packets unreadable. Contact your firm or school to find out how to set up VPN software.<\/p>\r\n<p id=\"fwk-38086-ch13_s03_s03_s02_p09\" class=\"indent para\">In the Bank of America example above, the bank was burned. It couldn\u2019t verify that the lost tapes were encrypted, so it had to notify customers and incur the cost associated with assuming data had been breached (Mardesich, 2009).<\/p>\r\n<p id=\"fwk-38086-ch13_s03_s03_s02_p10\" class=\"indent para\">Encryption is not without its downsides. 
Key management is a potentially costly procedural challenge for most firms. If your keys aren\u2019t secure, it\u2019s the equivalent of leaving the keys to a safe out in public. Encryption also requires additional processing to scramble and descramble data\u2014drawing more power and slowing computing tasks. Moore\u2019s Law will speed things along, but it also puts more computing power in the hands of attackers. With hacking threats on the rise, expect to see laws and compliance requirements that mandate encrypted data, standardize encryption regimes, and simplify management.<\/p>\r\n\r\n<\/div>\r\n&nbsp;\r\n\r\n<\/div>\r\n<div id=\"fwk-38086-ch13_s03_s03_s02_n02\" class=\"bcc-box bcc-highlight\">\r\n<div class=\"textbox shaded\">\r\n<h4 class=\"title\">How Do Web Sites Encrypt Transmissions?<\/h4>\r\n<p id=\"fwk-38086-ch13_s03_s03_s02_p11\" class=\"nonindent para\">Most Web sites that deal with financial transactions (e.g., banks, online stores) secure transmissions using a method called <span class=\"margin_term\"><a class=\"glossterm\">public key encryption<\/a><\/span>. The system works with two keys\u2014a public key and a private key. The public key can \u201clock\u201d or encrypt data, but it can\u2019t unlock it: that can only be performed by the private key. So a Web site that wants you to transmit secure information will send you a public key\u2014you use this to lock the data, and no one that intercepts that transmission can break in unless they\u2019ve got the private key. If the Web site does its job, it will keep the private key out of reach of all potentially prying eyes.<\/p>\r\n<p id=\"fwk-38086-ch13_s03_s03_s02_p12\" class=\"indent para\">Wondering if a Web site\u2019s transmissions are encrypted? Look at the Web address. If it begins with \u201chttps\u201d instead of \u201chttp\u201d, it should be secure. Also, look for the padlock icon in the corner of your Web browser to be closed (locked). 
Finally, you can double-click the padlock to bring up a verification of the Web site\u2019s identity (verified by a trusted third-party firm, known as a <span class=\"margin_term\"><a class=\"glossterm\">certificate authority<\/a><\/span>). If this matches your URL and indicates the firm you\u2019re doing business with, then you can be reasonably confident that you are communicating over an encrypted connection with the firm you intend to do business with.<\/p>\r\n\r\n<div style=\"text-align: center; font-size: .8em; max-width: 497px;\">\r\n<div id=\"fwk-38086-ch13_s03_s03_s02_f01\" class=\"figure large\">\r\n<p class=\"nonindent title\"><span class=\"title-prefix\">Figure 13.6<\/span><\/p>\r\n<p class=\"indent\"><a>\r\n<img style=\"max-width: 497px;\" src=\"https:\/\/pressbooks.ccconline.org\/wp-content\/uploads\/sites\/324\/2026\/01\/d13b00964f8c01a55206a11f3b870ae4.jpg\" alt=\"In this screenshot, a Firefox browser is visiting Bank of America. The padlock icon was clicked to bring up digital certificate information. Note how the Web site\u2019s name matches the URL. The verifying certificate authority is the firm VeriSign.\" \/>\r\n<\/a><\/p>\r\n<p class=\"indent para\">In this screenshot, a Firefox browser is visiting Bank of America. The padlock icon was clicked to bring up digital certificate information. Note how the Web site\u2019s name matches the URL. 
The verifying certificate authority is the firm VeriSign.<\/p>\r\n\r\n<\/div>\r\n<\/div>\r\n<\/div>\r\n&nbsp;\r\n\r\n<\/div>\r\n<div id=\"fwk-38086-ch13_s03_s03_s02_n03\" class=\"bcc-box bcc-success\">\r\n<div class=\"textbox textbox--key-takeaways\"><header class=\"textbox__header\">\r\n<p class=\"textbox__title\"><span style=\"font-family: 'Cormorant Garamond', serif; font-size: 1em; font-style: normal; font-weight: bold;\">Key Takeaways<\/span><\/p>\r\n\r\n<\/header>\r\n<div class=\"textbox__content\">\r\n<ul id=\"fwk-38086-ch13_s03_s03_s02_l01\" class=\"itemizedlist\">\r\n \t<li>An organization\u2019s information assets are vulnerable to attack from several points of weakness, including users and administrators, its hardware and software, its networking systems, and various physical threats.<\/li>\r\n \t<li>Social engineering attempts to trick or con individuals into providing information, while phishing techniques are cons conducted through technology.<\/li>\r\n \t<li>While dangerous, a number of tools and techniques can be used to identify phishing scams, limiting their likelihood of success.<\/li>\r\n \t<li>Social media sites may assist hackers in crafting phishing or social engineering threats, provide information to password crackers, and act as conduits for unwanted dissemination of proprietary information.<\/li>\r\n \t<li>Most users employ inefficient and insecure password systems; however, techniques were offered to improve one\u2019s individual password regime.<\/li>\r\n \t<li>Viruses, worms, and Trojans are types of infecting malware. 
Other types of malware might spy on users, enlist the use of computing assets for committing crimes, steal assets, destroy property, serve unwanted ads, and more.<\/li>\r\n \t<li>Examples of attacks and scams launched through advertising on legitimate Web pages highlight the need for end-user caution, as well as for firms to ensure the integrity of their participating online partners.<\/li>\r\n \t<li>SQL injection and related techniques show the perils of poor programming. Software developers must design for security from the start\u2014considering potential security weaknesses, and methods that improve end-user security (e.g., in areas such as installation and configuration).<\/li>\r\n \t<li>Encryption can render a firm\u2019s data assets unreadable, even if copied or stolen. While potentially complex to administer and resource intensive, encryption is a critical tool for securing an organization\u2019s electronic assets.<\/li>\r\n<\/ul>\r\n<\/div>\r\n<\/div>\r\n&nbsp;\r\n\r\n<\/div>\r\n<div id=\"fwk-38086-ch13_s03_s03_s02_n04\" class=\"bcc-box bcc-info\">\r\n<div class=\"textbox textbox--exercises\"><header class=\"textbox__header\">\r\n<p class=\"textbox__title\"><span style=\"font-family: 'Cormorant Garamond', serif; font-size: 1em; font-style: normal; font-weight: bold;\">Questions and Exercises<\/span><\/p>\r\n\r\n<\/header>\r\n<div class=\"textbox__content\">\r\n<ol id=\"fwk-38086-ch13_s03_s03_s02_l02\" class=\"orderedlist\">\r\n \t<li>Consider your own personal password regime and correct any weaknesses. Share any additional password management tips and techniques with your class.<\/li>\r\n \t<li>Why is it a bad idea to use variants of existing passwords when registering for new Web sites?<\/li>\r\n \t<li>Relate an example of social engineering that you\u2019ve experienced or heard of. How might the victim have avoided being compromised?<\/li>\r\n \t<li>Have you ever seen phishing exploits? Have you fallen for one? 
Why did you take the bait, or what alerted you to the scam? How can you identify phishing scams?<\/li>\r\n \t<li>Have you or has anyone you know fallen victim to malware? Relate the experience\u2014how do you suppose it happened? What damage was done? What, if anything, could be done to recover from the situation?<\/li>\r\n \t<li>Why are social media sites such a threat to information security? Give various potential scenarios where social media use might create personal or organizational security compromises.<\/li>\r\n \t<li>Some users regularly update their passwords by adding a number (say month or year) to their code. Why is this bad practice?<\/li>\r\n \t<li>What kind of features should a programmer build into systems in order to design for security? Think about the products that you use. Are there products that you feel did a good job of ensuring security during setup? Are there products you use that have demonstrated bad security design? How?<\/li>\r\n \t<li>Why are SQL injection attacks more difficult to address than the latest virus threat?<\/li>\r\n \t<li>How should individuals and firms leverage encryption?<\/li>\r\n \t<li>Investigate how you might use a VPN if traveling with your laptop. Be prepared to share your findings with your class and your instructor.<\/li>\r\n<\/ol>\r\n<\/div>\r\n<\/div>\r\n&nbsp;\r\n\r\n<\/div>\r\n<p class=\"indent\"><sup>1<\/sup>UnsafeBits, \u201cBotnets Go Public by Tweeting on Twitter,\u201d <em class=\"emphasis\">Technology Review<\/em>, August 17, 2009.<\/p>\r\n<p class=\"indent\"><sup>2<\/sup>Portions adapted from G. 
Perera, \u201cYour Guide to Understanding Malware,\u201d <em class=\"emphasis\">LaptopLogic.com<\/em>, May 17, 2009.<\/p>\r\n<p class=\"indent\"><sup>3<\/sup>While some tools exist to automate testing, this is by no means as easy a fix as installing a commercial software patch or virus protection software.<\/p>\r\n<p class=\"indent\"><sup>4<\/sup>Knowledge@Wharton, \u201cInformation Security: Why Cybercriminals Are Smiling,\u201d August 19, 2009.<\/p>\r\n<p class=\"indent\"><sup>5<\/sup>Trend Micro, \u201cWeb Threats Whitepaper,\u201d March 2008.<\/p>\r\n\r\n<h2>References<\/h2>\r\n<p class=\"nonindent\">Anthes, G., \u201cThe Grill: Security Guru Ira Winkler Takes the Hot Seat,\u201d <em class=\"emphasis\">Computerworld<\/em>, July 28, 2008.<\/p>\r\n<p class=\"indent\">Avivah, L., \u201cPhishing Attacks Escalate, Morph, and Cause Considerable Damage,\u201d <em class=\"emphasis\">Gartner<\/em>, December 12, 2007.<\/p>\r\n<p class=\"indent\">Broersma, M., \u201cSlammer\u2014the First \u2018Warhol\u2019 Worm?\u201d <em class=\"emphasis\">CNET<\/em>, February 3, 2003.<\/p>\r\n<p class=\"indent\">Charney, J., \u201cCommwarrior Cell Phone Virus Marches On,\u201d <em class=\"emphasis\">CNET<\/em>, June 5, 2005.<\/p>\r\n<p class=\"indent\">Garretson, C., \u201cSpam that Delivers a Pink Slip,\u201d <em class=\"emphasis\">NetworkWorld<\/em>, November 1, 2006.<\/p>\r\n<p class=\"indent\">Keizer, G., \u201cBotnet Busts Newest Hotmail CAPTCHA,\u201d <em class=\"emphasis\">Computerworld<\/em>, February 19, 2009.<\/p>\r\n<p class=\"indent\">Krebs, B., \u201c\u2018Koobface\u2019 Worm Resurfaces on Facebook, MySpace,\u201d <em class=\"emphasis\">Washington Post<\/em>, March 2, 2009.<\/p>\r\n<p class=\"indent\">Lemos, R., \u201cAre Your \u2018Secret Questions\u2019 Too Easily Answered?\u201d <em class=\"emphasis\">Technology Review<\/em>, May 18, 2009.<\/p>\r\n<p class=\"indent\">Lemos, R., \u201cNasty iPhone Worm Hints at the Future,\u201d <em class=\"emphasis\">Technology 
Review<\/em>, November 29, 2009.<\/p>\r\n<p class=\"indent\">London, J., \u201cChina Netcom Falls Prey to DNS Cache Poisoning,\u201d <em class=\"emphasis\">Computerworld<\/em>, August 22, 2008.<\/p>\r\n<p class=\"indent\">Manjoo, F., \u201cFix Your Terrible, Insecure Passwords in Five Minutes,\u201d <em class=\"emphasis\">Slate<\/em>, November 12, 2009.<\/p>\r\n<p class=\"indent\">Mardesich, J., \u201cEnsuring the Security of Stored Data,\u201d CIO Strategy Center, 2009.<\/p>\r\n<p class=\"indent\">Markoff, J., \u201cA Robot Network Seeks to Enlist Your Computer,\u201d <em class=\"emphasis\">New York Times<\/em>, October 20, 2008.<\/p>\r\n<p class=\"indent\">Murrell, J., \u201cThe iWitness News Roundup: Crime-fighting iPhone,\u201d <em class=\"emphasis\">Good Morning Silicon Valley<\/em>, August 31, 2009.<\/p>\r\n<p class=\"indent\">Ricadela, A., \u201cCan Adobe Beat Back the Hackers?\u201d <em class=\"emphasis\">BusinessWeek<\/em>, November 19, 2009.<\/p>\r\n<p class=\"indent\">Robertson, J., \u201cHackers Mull Physical Attacks on a Networked World,\u201d <em class=\"emphasis\">San Francisco Chronicle<\/em>, August 8, 2008.<\/p>\r\n<p class=\"indent\">Schectman, J., \u201cComputer Hacking Made Easy,\u201d <em class=\"emphasis\">BusinessWeek<\/em>, August 13, 2009.<\/p>\r\n<p class=\"indent\">Schneier, B., \u201cOklahoma Data Leak,\u201d <em class=\"emphasis\">Schneier on Security<\/em>, April 18, 2008.<\/p>\r\n<p class=\"indent\">Steade, S., \u201cIt\u2019s Shameless How They Flirt,\u201d <em class=\"emphasis\">Good Morning Silicon Valley<\/em>, November 9, 2009.<\/p>\r\n<p class=\"indent\">Summers, N., \u201cBuilding a Better Password,\u201d <em class=\"emphasis\">Newsweek<\/em>, October 19, 2009.<\/p>\r\n<p class=\"indent\">Vance, A., \u201cTimes Web Ads Show Security Breach,\u201d <em class=\"emphasis\">New York Times<\/em>, September 14, 2009.<\/p>\r\n<p class=\"indent\">Vijayan, J., \u201cSoftware Consultant Who Stole Data on 110,000 People Gets Five-Year 
Sentence,\u201d <em class=\"emphasis\">Computerworld<\/em>, July 10, 2007.<\/p>\r\n<p class=\"indent\">Wilson, T., \u201cTrojan On Monster.com Steals Personal Data,\u201d <em class=\"emphasis\">Forbes<\/em>, August 20, 2007.<\/p>\r\n<p class=\"indent\">Wittmann, A., \u201cThe Fastest-Growing Security Threat,\u201d <em class=\"emphasis\">InformationWeek<\/em>, November 9, 2009.<\/p>\r\n\r\n<\/div>\r\n<\/div>\r\n<\/div>"}}
false alarms that cause the victim to disable alarm systems<\/li>\n<li>Answering bogus surveys (e.g., \u201cWin a free trip to Hawaii\u2014just answer three questions about your network.\u201d)<\/li>\n<\/ul>\n<\/div>\n<p>&nbsp;<\/p>\n<\/div>\n<p id=\"fwk-38086-ch13_s03_s01_s02_p02\" class=\"indent para editable block\">Data aggregator ChoicePoint sold private information to criminals who posed as legitimate clients, compromising the names, addresses, and Social Security numbers of some 145,000 individuals. In this breach, not a single computer was compromised. Employees were simply duped into turning data over to crooks. Gaffes like that can be painful. ChoicePoint paid $15 million in a settlement with the Federal Trade Commission, suffered customer loss, and ended up abandoning once lucrative businesses (Anthes, 2008).<\/p>\n<\/div>\n<div id=\"fwk-38086-ch13_s03_s01_s03\" class=\"section\">\n<h2 class=\"title editable block\">Phishing<\/h2>\n<p id=\"fwk-38086-ch13_s03_s01_s03_p01\" class=\"nonindent para editable block\"><span class=\"margin_term\"><a class=\"glossterm\">Phishing<\/a><\/span> refers to cons executed through technology. The goal of phishing is to leverage the reputation of a trusted firm or friend to trick the victim into performing an action or revealing information. The cons are crafty. Many have masqueraded as a security alert from a bank or e-commerce site (\u201cOur Web site has been compromised, click to log in and reset your password.\u201d), a message from an employer, or even a notice from the government (\u201cClick here to update needed information to receive your tax refund transfer.\u201d). Sophisticated con artists will lift logos, mimic standard layouts, and copy official language from legitimate Web sites or prior e-mails. 
Gartner estimates that these sorts of phishing attacks cost consumers $3.2 billion in 2007 (Avivah, 2007).<\/p>\n<p id=\"fwk-38086-ch13_s03_s01_s03_p02\" class=\"indent para editable block\">Other phishing attempts might dupe a user into unwittingly downloading dangerous software (malware) that can do things like record passwords and keystrokes, provide hackers with deeper access to your corporate network, or enlist your PC as part of a botnet. One attempt masqueraded as a message from a Facebook friend, inviting the recipient to view a video. Victims clicking the link were then told they needed to install an updated version of the Adobe Flash plug-in to view the clip. The plug-in was really a malware program that gave phishers control of the infected user\u2019s computer (Krebs, 2009). Other attempts have populated P2P networks (peer-to-peer file distribution systems such as BitTorrent) with malware-installing files masquerading as video games or other software, movies, songs, and pornography.<\/p>\n<p id=\"fwk-38086-ch13_s03_s01_s03_p03\" class=\"indent para editable block\">So-called spear phishing attacks specifically target a given organization or group of users. In one incident, employees of a medical center received e-mails purportedly from the center itself, indicating that the recipient was being laid off and offering a link to job counseling resources. The link really offered a software payload that recorded and forwarded any keystrokes on the victim\u2019s PC (Garretson, 2006). And with this type of phishing, the more you know about a user, the more convincing it is to con them. Phishers using pilfered r\u00e9sum\u00e9 information from Monster.com crafted targeted and personalized e-mails. 
The request, seemingly from the job site, advised users to download the \u201cMonster Job Seeker Tool\u201d; this \u201ctool\u201d installed malware that encrypted files on the victim\u2019s PC, leaving a ransom note demanding payment to liberate a victim\u2019s hard disk (Wilson, 2007).<\/p>\n<div id=\"fwk-38086-ch13_s03_s01_s03_n01\" class=\"bcc-box bcc-highlight\">\n<div class=\"textbox shaded\">\n<h4 class=\"title\">Don\u2019t Take the Bait: Recognizing the \u201cPhish Hooks\u201d<\/h4>\n<p id=\"fwk-38086-ch13_s03_s01_s03_p04\" class=\"nonindent para\">Web browser developers, e-mail providers, search engines, and other firms are actively working to curtail phishing attempts. Many firms create blacklists that block access to harmful Web sites and increasingly robust tools screen for common phishing tactics. But it\u2019s still important to have your guard up. Some exploits may be so new that they haven\u2019t made it into screening systems (so-called zero-day exploits).<\/p>\n<p id=\"fwk-38086-ch13_s03_s01_s03_p05\" class=\"indent para\">Never click on a link or download a suspicious, unexpected enclosure without verifying the authenticity of the sender. If something looks suspicious, don\u2019t implicitly trust the \u201cfrom\u201d link in an e-mail. It\u2019s possible that the e-mail address has been <span class=\"margin_term\"><a class=\"glossterm\">spoofed<\/a><\/span> (faked) or that it was sent via a colleague\u2019s compromised account. If unsure, contact the sender or your security staff.<\/p>\n<p id=\"fwk-38086-ch13_s03_s01_s03_p06\" class=\"indent para\">Also know how to read the complete URL to look for tricks. 
Some firms misspell Web address names (http:\/\/wwwyourbank.com\u2014note the missing period), set up subdomains to trick the eye (http:\/\/yourbank.com.sneakysite.com\u2014which is hosted at sneakysite.com even though a quick glance looks like yourbank.com), or hijack brands by registering a legitimate firm\u2019s name via foreign top-level domains (http:\/\/yourbank.cn).<\/p>\n<p id=\"fwk-38086-ch13_s03_s01_s03_p07\" class=\"indent para\">A legitimate URL might also appear in a phishing message, but an HTML coding trick might make something that looks like http:\/\/yourbank.com\/login actually link to http:\/\/sneakysite.com. Hovering your cursor over the URL or an image connected to a link should reveal the actual URL as a tool tip (just don\u2019t click it, or you\u2019ll go to that site).<\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<\/div>\n<div style=\"text-align: center; font-size: .8em; max-width: 497px;\">\n<div id=\"fwk-38086-ch13_s03_s01_s03_f01\" class=\"figure large\">\n<p class=\"nonindent title\"><span class=\"title-prefix\">Figure 13.2<\/span><\/p>\n<p class=\"indent\"><a><br \/>\n<img decoding=\"async\" style=\"max-width: 497px;\" src=\"https:\/\/pressbooks.ccconline.org\/wp-content\/uploads\/sites\/324\/2018\/06\/807a212d0b60af5d9b7ea8fda4e26c51.jpg\" alt=\"This e-mail message looks like it\u2019s from Bank of America. However, hovering the cursor above the \u201cContinue to Log In\u201d button reveals the URL without clicking through to the site. Note how the actual URL associated with the link is not associated with Bank of America.\" \/><br \/>\n<\/a><\/p>\n<p class=\"indent para\">This e-mail message looks like it\u2019s from Bank of America. However, hovering the cursor above the \u201cContinue to Log In\u201d button reveals the URL without clicking through to the site. 
Note how the actual URL associated with the link is not associated with Bank of America.<\/p>\n<\/div>\n<\/div>\n<div style=\"text-align: center; font-size: .8em; max-width: 497px;\">\n<div id=\"fwk-38086-ch13_s03_s01_s03_f02\" class=\"figure large\">\n<p class=\"nonindent title\"><span class=\"title-prefix\">Figure 13.3<\/span><\/p>\n<p class=\"indent\"><a><br \/>\n<img decoding=\"async\" style=\"max-width: 497px;\" src=\"https:\/\/pressbooks.ccconline.org\/wp-content\/uploads\/sites\/324\/2026\/01\/da91ad19bed13a62403b3e33bb0f8900.jpg\" alt=\"This image is from a phishing scheme masquerading as an eBay message. The real destination is a compromised .org domain unassociated with eBay, but the phishers have created a directory at this domain named \u201csignin.ebay.com\u201d in hopes that users will focus on that part of the URL and not recognize they\u2019re really headed to a non-eBay site.\" \/><br \/>\n<\/a><\/p>\n<p class=\"indent para\">This image is from a phishing scheme masquerading as an eBay message. The real destination is a compromised .org domain unassociated with eBay, but the phishers have created a directory at this domain named \u201csignin.ebay.com\u201d in hopes that users will focus on that part of the URL and not recognize they\u2019re really headed to a non-eBay site.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<div id=\"fwk-38086-ch13_s03_s01_s03_n02\" class=\"bcc-box bcc-highlight\">\n<div class=\"textbox shaded\">\n<h4 class=\"title\">Web 2.0: The Rising Security Threat<\/h4>\n<p id=\"fwk-38086-ch13_s03_s01_s03_p08\" class=\"nonindent para\">Social networks and other Web 2.0 tools are a potential gold mine for crooks seeking to pull off phishing scams. Malware can send messages that seem to come from trusted \u201cfriends.\u201d Messages such as status updates and tweets are short, and with limited background information, there are fewer contexts to question a post\u2019s validity. 
Many users leverage bit.ly or other URL-shortening services that don\u2019t reveal the Web site they link to in their URL, making it easier to hide a malicious link. While the most popular URL-shortening services maintain a blacklist, early victims are threatened by <span class=\"margin_term\"><a class=\"glossterm\">zero-day exploits<\/a><\/span>. Criminals have also been using a variety of techniques to spread malware across sites or otherwise make them difficult to track and catch.<\/p>\n<p id=\"fwk-38086-ch13_s03_s01_s03_p09\" class=\"indent para\">Some botnets have even used Twitter to communicate by sending out coded tweets to instruct compromised machines<sup>1<\/sup>. Social media can also be a megaphone for loose lips, enabling a careless user to broadcast proprietary information to the public domain. A 2009 Congressional delegation to Iraq led by House Minority Leader John Boehner was supposed to have been secret. But Rep. Peter Hoekstra tweeted his final arrival into Baghdad for all to see, apparently unable to contain his excitement at receiving BlackBerry service in Iraq. Hoekstra tweeted, \u201cJust landed in Baghdad. I believe it may be first time I\u2019ve had bb service in Iraq. 11th trip here.\u201d You\u2019d think he would have known better. At the time, Hoekstra was a ranking member of the House Intelligence Committee!<\/p>\n<p class=\"indent para\"><span class=\"title-prefix\">Figure 13.4<\/span><br \/>\n<img decoding=\"async\" style=\"max-width: 497px;\" src=\"https:\/\/pressbooks.ccconline.org\/wp-content\/uploads\/sites\/324\/2026\/01\/3ef08ba025847404b26c05ec0bf901ad.jpg\" alt=\"A member of the House Intelligence Committee uses Twitter and reveals his locale on a secret trip. 
Pete Hoekstra:\" \/><br \/>\n<span style=\"text-align: initial; text-indent: 2em; font-size: 0.8em; background-color: initial;\">A member of the House Intelligence Committee uses Twitter and reveals his locale on a secret trip.<\/span><\/p>\n<\/div>\n<div style=\"text-align: center; font-size: .8em; max-width: 497px;\">\n<div id=\"fwk-38086-ch13_s03_s01_s03_f03\" class=\"figure large\">\n<p class=\"indent\">\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div id=\"fwk-38086-ch13_s03_s01_s04\" class=\"section\">\n<h2 class=\"title editable block\">Passwords<\/h2>\n<p id=\"fwk-38086-ch13_s03_s01_s04_p01\" class=\"nonindent para editable block\">Many valuable assets are kept secure via just one thin layer of protection\u2014the password. And if you\u2019re like most users, your password system is a mess (Manjoo, 2009). With so many destinations asking for passwords, chances are you\u2019re using the same password (or easily guessed variants) in a way that means getting just one \u201ckey\u201d would open many \u201cdoors.\u201d The typical Web user has 6.5 passwords, each of which is used at four sites, on average (Summers, 2009). Some sites force users to change passwords regularly, but this often results in insecure compromises. Users make only minor tweaks (e.g., appending the month or year); they write passwords down (in an unlocked drawer or Post-it note attached to the monitor); or they save passwords in personal e-mail accounts or on unencrypted hard drives.<\/p>\n<p id=\"fwk-38086-ch13_s03_s01_s04_p02\" class=\"indent para editable block\">The challenge questions offered by many sites to automate password distribution and reset are often pitifully insecure. What\u2019s your mother\u2019s maiden name? What elementary school did you attend? Where were you born? All are pretty easy to guess. 
One IEEE study found acquaintances could correctly answer colleagues\u2019 secret questions 28 percent of the time, and those who did not know the person still guessed right at a rate of 17 percent. Plus, within three to six months, 16 percent of study participants forgot answers to <em class=\"emphasis\">their own<\/em> security questions (Lemos, 2009). In many cases, answers to these questions can be easily uncovered online. Chances are, if you\u2019ve got an account at a site like Ancestry.com, classmates.com, or Facebook, then some of your secret answers have already been exposed\u2014by you! A Tennessee teen hacked into Sarah Palin\u2019s personal Yahoo! account (gov.palin@yahoo.com) in part by correctly guessing where she met her husband. A similar attack hit staffers at Twitter, resulting in the theft of hundreds of internal documents, including strategy memos, e-mails, and financial forecasts, many of which ended up embarrassingly posted online (Summers, 2009).<\/p>\n<p id=\"fwk-38086-ch13_s03_s01_s04_p03\" class=\"indent para editable block\">Related to the password problem are issues with system setup and configuration. Many vendors sell software with a common default password. For example, for years, leading database products came with the default account and password combination \u201cscott\/tiger.\u201d Any firm not changing default accounts and passwords risks having an open door. Other firms are left vulnerable if users set systems for open access\u2014say turning on file sharing permission for their PC. Programmers, take note: well-designed products come with secure default settings, require users to reset passwords at setup, and also offer strong warnings when security settings are made weaker. 
But unfortunately, there are a lot of legacy products out there, and not all vendors have the insight to design for out-of-the-box security.<\/p>\n<div id=\"fwk-38086-ch13_s03_s01_s04_n01\" class=\"bcc-box bcc-highlight\">\n<div class=\"textbox shaded\">\n<h4 class=\"title\">Building a Better Password<\/h4>\n<p id=\"fwk-38086-ch13_s03_s01_s04_p04\" class=\"nonindent para\">There\u2019s no simple answer for the password problem. <span class=\"margin_term\"><a class=\"glossterm\">Biometrics<\/a><\/span> are often thought of as a solution, but technologies that replace conventionally typed passwords with things like fingerprint readers, facial recognition, or iris scans are still rarely used, and PCs that include such technologies are widely viewed as novelties. Says Carnegie Mellon University CyLab fellow Richard Power, \u201cBiometrics never caught on and it never will\u201d (Summers, 2009).<\/p>\n<p id=\"fwk-38086-ch13_s03_s01_s04_p05\" class=\"indent para\">Other approaches leverage technology that distributes single use passwords. These might arrive via external devices like an electronic wallet card, key chain fob, or cell phone. Security firm RSA has even built the technology into BlackBerrys. Enter a user name and receive a phone message with a temporary password. Even if a system was compromised by keystroke capture malware, the password is only good for one session. Lost device? A central command can disable it. This may be a good solution for situations that demand a high level of security, and Wells Fargo and PayPal are among the firms offering these types of services as an option. However, for most consumer applications, slowing down users with a two-tier authentication system would be an impractical mandate.<\/p>\n<p id=\"fwk-38086-ch13_s03_s01_s04_p06\" class=\"indent para\">While you await technical fixes, you can at least work to be part of the solution rather than part of the problem. 
It\u2019s unlikely you\u2019ve got the memory or discipline to create separate unique passwords for all of your sites, but at least make it a priority to create separate, hard-to-guess passwords for each of your highest priority accounts (e.g., e-mail, financial Web sites, corporate network, and PC). Remember, the integrity of a password shared across Web sites isn\u2019t just up to you. That hot start-up Web service may not have the security resources or experience to protect your special code, and if that Web site\u2019s account is hacked, your user name and password are now in the hands of hackers that can try out those \u201ckeys\u201d across the Web\u2019s most popular destinations.<\/p>\n<p id=\"fwk-38086-ch13_s03_s01_s04_p07\" class=\"indent para\">Web sites are increasingly demanding more \u201csecure\u201d passwords, requiring users to create passwords at least eight characters in length and that include at least one number and other nonalphabet character. Beware of using seemingly clever techniques to disguise common words. Many commonly available brute-force password cracking tools run through dictionary guesses of common words or phrases, substituting symbols or numbers for common characters (e.g., \u201c@\u201d for \u201ca,\u201d \u201c+\u201d for \u201ct\u201d). For stronger security, experts often advise basing passwords on a phrase, where each letter makes up a letter in an acronym. For example, the phrase \u201cMy first Cadillac was a real lemon so I bought a Toyota\u201d becomes \u201cM1stCwarlsIbaT\u201d (Manjoo, 2009). Be careful to choose an original phrase that\u2019s known only by you and that\u2019s easy for you to remember. Studies have shown that acronym-based passwords using song lyrics, common quotes, or movie lines are still susceptible to dictionary-style hacks that build passwords from pop-culture references (in one test, two of 144 participants made password phrases from an acronym of the Oscar Meyer wiener jingle) (Summers, 2009). 
Finding that balance between something tough for others to guess yet easy for you to remember will require some thought\u2014but it will make you more secure. Do it now!<\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<\/div>\n<\/div>\n<div id=\"fwk-38086-ch13_s03_s02\" class=\"section\">\n<h2 class=\"title editable block\">Technology Threats (Client and Server Software, Hardware, and Networking)<\/h2>\n<div id=\"fwk-38086-ch13_s03_s02_s01\" class=\"section\">\n<h2 class=\"title editable block\">Malware<\/h2>\n<p id=\"fwk-38086-ch13_s03_s02_s01_p01\" class=\"nonindent para editable block\">Any accessible computing device is a potential target for infiltration by malware. <em class=\"emphasis\">Malware<\/em> (for malicious software) seeks to compromise a computing system without permission. Client PCs and a firm\u2019s servers are primary targets, but as computing has spread, malware now threatens nearly any connected system running software, including mobile phones, embedded devices, and a firm\u2019s networking equipment.<\/p>\n<p id=\"fwk-38086-ch13_s03_s02_s01_p02\" class=\"indent para editable block\">Some hackers will try to sneak malware onto a system via techniques like phishing. In another high-profile hacking example, infected USB drives were purposely left lying around government offices. Those seemingly abandoned office supplies really contained code that attempted to infiltrate government PCs when inserted by unwitting employees.<\/p>\n<p id=\"fwk-38086-ch13_s03_s02_s01_p03\" class=\"indent para editable block\">Machines are constantly under attack. Microsoft\u2019s Internet Safety Enforcement Team claims that the mean time to infection for an unprotected PC is less than five minutes (Markoff, 2008). 
Oftentimes malware attempts to compromise weaknesses in software\u2014either bugs, poor design, or poor configuration.<\/p>\n<p id=\"fwk-38086-ch13_s03_s02_s01_p04\" class=\"indent para editable block\">Years ago, most attacks centered on weaknesses in the operating system, but now malware exploits have expanded to other targets, including browsers, plug-ins, and scripting languages used by software. <em class=\"emphasis\">BusinessWeek<\/em> reports that Adobe has replaced Microsoft as the primary means by which hackers try to infect or take control of PCs. Even trusted Web sites have become a conduit to deliver malware payloads. More than a dozen sites, including those of the <em class=\"emphasis\">New York Times<\/em>, <em class=\"emphasis\">USA Today<\/em>, and <em class=\"emphasis\">Nature<\/em>, were compromised when seemingly honest advertising clients switched on fake ads that exploit Adobe software (Ricadela, 2009). Some attacks were delivered through Flash animations that direct computers to sites that scan PCs, installing malware payloads through whatever vulnerabilities are discovered. Others circulated via e-mail through PDF triggered payloads deployed when a file was loaded via Acrobat Reader. Adobe is a particularly tempting target, as Flash and Acrobat Reader are now installed on nearly every PC, including Mac and Linux machines.<\/p>\n<p id=\"fwk-38086-ch13_s03_s02_s01_p05\" class=\"indent para editable block\">Malware goes by many names. Here are a few of the more common terms you\u2019re likely to encounter<sup>2<\/sup>.<\/p>\n<p id=\"fwk-38086-ch13_s03_s02_s01_p06\" class=\"indent para editable block\">Methods of infection are as follows:<\/p>\n<ul id=\"fwk-38086-ch13_s03_s02_s01_l01\" class=\"itemizedlist editable block\">\n<li><em class=\"emphasis\">Viruses.<\/em> Programs that infect other software or files. They require an executable (a running program) to spread, attaching to other executables. 
Viruses can spread via operating systems, programs, or the boot sector or auto-run feature of media such as DVDs or USB drives. Some applications have executable languages (macros) that can also host viruses that run and spread when a file is opened.<\/li>\n<li><em class=\"emphasis\">Worms.<\/em> Programs that take advantage of security vulnerabilities to automatically spread, but unlike viruses, worms do not require an executable. Some worms scan for and install themselves on vulnerable systems with stunning speed (in an extreme example, the SQL Slammer worm infected 90 percent of vulnerable software worldwide within just ten minutes) (Broersma, 2003).<\/li>\n<li><em class=\"emphasis\">Trojans.<\/em> Exploits that, like the mythical Trojan horse, try to sneak in by masquerading as something they\u2019re not. The payload is released when the user is duped into downloading and installing the malware cargo, oftentimes via phishing exploits.<\/li>\n<\/ul>\n<p id=\"fwk-38086-ch13_s03_s02_s01_p07\" class=\"indent para editable block\">While the terms above cover methods for infection, the terms below address the goal of the malware:<\/p>\n<ul id=\"fwk-38086-ch13_s03_s02_s01_l02\" class=\"itemizedlist editable block\">\n<li><em class=\"emphasis\">Botnets or zombie networks.<\/em> Hordes of surreptitiously infected computers linked and controlled remotely by a central command. 
Botnets are used in crimes where controlling many difficult-to-identify PCs is useful, such as when perpetrating click fraud, sending spam, registering accounts that use <span class=\"margin_term\"><a class=\"glossterm\">CAPTCHAs<\/a><\/span> (those scrambled character images meant to thwart things like automated account setup or ticket buying), executing \u201cdictionary\u201d password cracking attempts, or launching denial-of-service attacks.<\/li>\n<li><em class=\"emphasis\">Malicious adware.<\/em> Programs installed without full user consent or knowledge that later serve unwanted advertisements.<\/li>\n<li><em class=\"emphasis\">Spyware.<\/em> Software that surreptitiously monitors user actions, network traffic, or scans for files.<\/li>\n<li><em class=\"emphasis\">Keylogger.<\/em> Type of spyware that records user keystrokes. Keyloggers can be either software-based or hardware, such as a recording \u201cdongle\u201d that is plugged in between a keyboard and a PC.<\/li>\n<li><em class=\"emphasis\">Screen capture.<\/em> Variant of the keylogger approach. This category of software records the pixels that appear on a user\u2019s screen for later playback in hopes of identifying proprietary information.<\/li>\n<li><em class=\"emphasis\">Blended threats.<\/em> Attacks combining multiple malware or hacking exploits.<\/li>\n<\/ul>\n<div id=\"fwk-38086-ch13_s03_s02_s01_n01\" class=\"bcc-box bcc-highlight\">\n<div class=\"textbox shaded\">\n<h4 class=\"title\">All the News Fit to Print (Brought to You by Scam Artists)<\/h4>\n<p id=\"fwk-38086-ch13_s03_s02_s01_p08\" class=\"nonindent para\">In fall 2009, bad guys posing as the telecom firm Vonage signed up to distribute ads through the <em class=\"emphasis\">New York Times<\/em> Web site. Many firms that display online ads on their Web sites simply create placeholders on their Web pages, with the actual ad content served by the advertisers themselves (see the Google chapter for details). 
In this particular case, the scam artists posing as Vonage switched off the legitimate-looking ads and switched on code that, according to the <em class=\"emphasis\">New York Times<\/em>, \u201ctook over the browsers of many people visiting the site, as their screens filled with an image that seemed to show a scan for computer viruses. The visitors were then told that they needed to buy antivirus software to fix a problem, but the software was more snake oil than a useful program\u201d (Vance, 2009). Sites ranging from Fox News, the <em class=\"emphasis\">San Francisco Chronicle<\/em>, and British tech site The Register have also been hit with ad scams in the past. In the <em class=\"emphasis\">Times<\/em> case, malware wasn\u2019t distributed directly to user PCs, but by passing through ads from third parties to consumers, the <em class=\"emphasis\">Times<\/em> became a conduit for a scam. In the same way that manufacturers need to audit their supply chain to ensure that partners aren\u2019t engaged in sweatshop labor or disgraceful pollution, sites that host ads need to audit their partners to ensure they are legitimate and behaving with integrity.<\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<\/div>\n<div id=\"fwk-38086-ch13_s03_s02_s01_n02\" class=\"bcc-box bcc-highlight\">\n<div class=\"textbox shaded\">\n<h4 class=\"title\">The Virus in Your Pocket<\/h4>\n<p id=\"fwk-38086-ch13_s03_s02_s01_p09\" class=\"nonindent para\">Most mobile phones are really pocket computers, so it\u2019s not surprising that these devices have become malware targets. And there are a lot of pathways to exploit. Malware might infiltrate a smartphone via e-mail, Internet surfing, MMS attachments, or even Bluetooth. 
The \u201ccommwarrior\u201d mobile virus spread to at least eight countries, propagating from a combination of MMS messages and Bluetooth (Charney, 2005).<\/p>\n<p id=\"fwk-38086-ch13_s03_s02_s01_p10\" class=\"indent para\">Most smartphones have layers of security to block the spread of malware, so hackers typically hunt for the weakest victims. Easy marks include \u201cjail-broken\u201d iPhones, devices with warranty-voiding modifications in which security restrictions are overridden to allow phones to be used off network, and for the installation of unsanctioned applications. Estimates suggest some 10 percent of iPhones are jail-broken, and early viruses exploiting the compromised devices ranged from a \u201cRick roll\u201d that replaced the home screen image with a photo of 1980s crooner Rick Astley (Steade, 2009) to the more nefarious Ikee.B, which scanned text messages and hunted out banking codes, forwarding the nabbed data to a server in Lithuania (Lemos, 2009).<\/p>\n<p id=\"fwk-38086-ch13_s03_s02_s01_p11\" class=\"indent para\">The upside? Those smart devices are sometimes crime fighters themselves. 
A Pittsburgh mugging victim turned on Apple\u2019s \u201cFind My iPhone\u201d feature within its MobileMe service, mapping the perpetrator\u2019s path, then sending the law to bust the bad guys while they ate at a local restaurant (Murrell, 2009).<\/p>\n<div style=\"text-align: center; font-size: .8em; max-width: 497px;\">\n<div id=\"fwk-38086-ch13_s03_s02_s01_f01\" class=\"figure medium\">\n<p class=\"nonindent title\"><span class=\"title-prefix\">Figure 13.5<\/span><\/p>\n<p class=\"indent\"><a><br \/>\n<img decoding=\"async\" style=\"max-width: 300px;\" src=\"https:\/\/pressbooks.ccconline.org\/wp-content\/uploads\/sites\/324\/2026\/01\/bae80f7601e3121ddbcef6490faa2f7f.jpg\" alt=\"A\" \/><br \/>\n<\/a><\/p>\n<p class=\"indent para\">A \u201cjail-broken\u201d iPhone gets \u201cRick rolled\u201d by malware.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<p>&nbsp;<\/p>\n<\/div>\n<\/div>\n<div id=\"fwk-38086-ch13_s03_s02_s02\" class=\"section\">\n<h2 class=\"title editable block\">Compromising Web Sites<\/h2>\n<p id=\"fwk-38086-ch13_s03_s02_s02_p01\" class=\"nonindent para editable block\">Some exploits directly target poorly designed and programmed Web sites. Consider the SQL injection technique. It zeros in on a sloppy programming practice where software developers don\u2019t validate user input.<\/p>\n<p id=\"fwk-38086-ch13_s03_s02_s02_p02\" class=\"indent para editable block\">It works like this. Imagine that you visit a Web site and are asked to enter your user ID in a field on a Web page (say your user ID is smith). A Web site may be programmed to take the data you enter from the Web page\u2019s user ID field (smith), then add it to a database command (creating the equivalent of a command that says \u201cfind the account for \u2018smith\u2019\u201d). 
The database then executes that command.<\/p>\n<p id=\"fwk-38086-ch13_s03_s02_s02_p03\" class=\"indent para editable block\">But Web sites that don\u2019t verify user entries and instead just blindly pass along entered data are vulnerable to attack. Hackers with just a rudimentary knowledge of SQL could type actual code fragments into the user ID field, appending this code to statements executed by the site (see sidebar for a more detailed description). Such modified instructions could instruct the Web site\u2019s database software to drop (delete) tables, insert additional data, return all records in a database, or even redirect users to another Web site that will scan clients for weaknesses, then launch further attacks. Security expert Ben Schneier noted a particularly ghastly SQL injection vulnerability in the publicly facing database for the Oklahoma Department of Corrections, where \u201canyone with basic SQL knowledge could have registered anyone he wanted as a sex offender\u201d (Schneier, 2008).<\/p>\n<p id=\"fwk-38086-ch13_s03_s02_s02_p04\" class=\"indent para editable block\">Not trusting user input is a cardinal rule of programming, and most well-trained programmers know to validate user input. But there\u2019s a lot of sloppy code out there, which hackers are all too eager to exploit. IBM identifies SQL injection as the fastest growing security threat, with over half a million attack attempts recorded each day (Wittmann, 2009). Some vulnerable systems started life as quickly developed proofs of concepts, and programmers never went back to add the needed code to validate input and block these exploits. Other Web sites may have been designed by poorly trained developers who have moved on to other projects, by staff that have since left the firm, or where development was outsourced to another firm. 
As such, many firms don\u2019t even know if they suffer from this vulnerability.<\/p>\n<p id=\"fwk-38086-ch13_s03_s02_s02_p05\" class=\"indent para editable block\">SQL injection and other application weaknesses are particularly problematic because there\u2019s not a commercial software patch or easily deployed piece of security software that can protect a firm. Instead, firms have to meticulously examine the integrity of their Web sites to see if they are vulnerable<sup>3<\/sup>.<\/p>\n<div id=\"fwk-38086-ch13_s03_s02_s02_n01\" class=\"bcc-box bcc-highlight\">\n<div class=\"textbox shaded\">\n<h4 class=\"title\">How SQL Injection Works<\/h4>\n<p id=\"fwk-38086-ch13_s03_s02_s02_p06\" class=\"nonindent para\">For those who want to get into some of the geekier details of a SQL injection attack, consider a Web site that executes the code below to verify that an entered user ID is in a database table of usernames. The code executed by the Web site might look something like this:<\/p>\n<div id=\"fwk-38086-ch13_s03_s02_s02_bl01\" class=\"blockquote\">\n<p>\u201cSELECT * FROM users WHERE userName = \u2018\u201d + userID + \u201c\u2018;\u201d<\/p>\n<p id=\"fwk-38086-ch13_s03_s02_s02_p08\" class=\"nonindent para\">The statement above tells the database to SELECT (find and return) all columns (that\u2019s what the \u201c*\u201d means) from a table named users where the database\u2019s userName field equals the text you just entered in the userID field. If the Web site\u2019s visitor entered smith, that text is added to the statement above, and it\u2019s executed as:<\/p>\n<div id=\"fwk-38086-ch13_s03_s02_s02_bl02\" class=\"blockquote\">\n<p>\u201cSELECT * FROM users WHERE userName = \u2018smith\u2019;\u201d<\/p>\n<p id=\"fwk-38086-ch13_s03_s02_s02_p10\" class=\"nonindent para\">No problem. 
But now imagine a hacker gets sneaky and instead of just typing smith into the Web site\u2019s userID field, they also add some <em class=\"emphasis\">additional<\/em> SQL code like this:<\/p>\n<div id=\"fwk-38086-ch13_s03_s02_s02_bl03\" class=\"blockquote\">\n<p>smith\u2019; DELETE FROM users WHERE \u2018t\u2019 = \u2018t<\/p>\n<p id=\"fwk-38086-ch13_s03_s02_s02_p12\" class=\"nonindent para\">If the text above is entered into the user ID field, the Web site adds it to its own programming to create a statement that is executed as:<\/p>\n<div id=\"fwk-38086-ch13_s03_s02_s02_bl04\" class=\"blockquote\">\n<p>SELECT * FROM users WHERE userName = \u2018smith\u2019; DELETE FROM users WHERE \u2018t\u2019 = \u2018t\u2019;<\/p>\n<p id=\"fwk-38086-ch13_s03_s02_s02_p14\" class=\"nonindent para\">The semicolons separate SQL statements. That second statement says delete all data in the users table for records where \u2018t\u2019 = \u2018t\u2019 (this last part, \u2018t\u2019 = \u2018t\u2019, is always true, so all records will be deleted). Yikes! In this case, someone entering the kind of code you\u2019d learn in the first chapter of <em class=\"emphasis\">SQL for Dummies<\/em> could annihilate a site\u2019s entire user ID file using one of the site\u2019s own Web pages as the attack vehicle (Schneier, 2008).<\/p>\n<\/div>\n<p id=\"fwk-38086-ch13_s03_s02_s02_p15\" class=\"indent para editable block\">Related programming exploits go by names such as cross-site scripting attacks and HTTP header injection. We\u2019ll spare you the technical details, but what this means for both the manager and the programmer is that all systems must be designed and tested with security in mind. This includes testing new applications, existing and legacy applications, partner offerings, and SaaS (software as a service) applications\u2014everything. Visa and MasterCard are among the firms requiring partners to rigorously apply testing standards. 
Firms that aren\u2019t testing their applications will find they\u2019re locked out of business; if caught with unacceptable breaches, such firms may be forced to pay big fines and absorb any costs associated with their weak practices<sup>4<\/sup>.<\/p>\n<\/div>\n<\/div>\n<div id=\"fwk-38086-ch13_s03_s03\" class=\"section\">\n<h2 class=\"title editable block\">Push-Button Hacking<\/h2>\n<p id=\"fwk-38086-ch13_s03_s03_p01\" class=\"nonindent para editable block\">Not only is the list of technical vulnerabilities well known, but hackers have also created tools to make it easy for the criminally inclined to automate attacks. <a class=\"xref\" href=\"part-014-chapter-14-google-search-online-advertising-and-beyond.html\">Chapter 14 \u201cGoogle: Search, Online Advertising, and Beyond\u201d<\/a> outlines how Web sites can interrogate a system to find out more about the software and hardware used by visitors. Hacking toolkits can do the same thing. While you won\u2019t find this sort of software for sale on Amazon, a casual surfing of the online underworld (not recommended or advocated) will surface scores of tools that probe systems for the latest vulnerabilities, then launch appropriate attacks. In one example, a $700 toolkit (MPack v. 86) was used to infiltrate a host of Italian Web sites, launching Trojans that infested 15,000 users in just a six-day period<sup>5<\/sup>. As an industry executive in <em class=\"emphasis\">BusinessWeek<\/em> has stated, \u201cThe barrier of entry is becoming so low that literally anyone can carry out these attacks\u201d (Schectman, 2009).<\/p>\n<div id=\"fwk-38086-ch13_s03_s03_s01\" class=\"section\">\n<h2 class=\"title editable block\">Network Threats<\/h2>\n<p id=\"fwk-38086-ch13_s03_s03_s01_p01\" class=\"nonindent para editable block\">The network itself may also be a source of compromise. Recall that the TJX hack happened when a Wi-Fi access point was left open and undetected. 
A hacker just drove up and performed the digital equivalent of crawling through an open window. The problem is made more challenging since wireless access points are so inexpensive and easy to install. For less than $100, a user (well-intentioned or not) could plug in an access point that could provide entry for anyone. If a firm doesn\u2019t regularly monitor its premises, its network, and its network traffic, it may fall victim.<\/p>\n<p id=\"fwk-38086-ch13_s03_s03_s01_p02\" class=\"indent para editable block\">Other troubling exploits have targeted the very underpinning of the Internet itself. This is the case with so-called DNS cache poisoning. The DNS, or domain name service, is a collection of software that maps an Internet address, such as (<a class=\"link\" href=\"http:\/\/www.bc.edu\" target=\"_blank\" rel=\"noopener\">http:\/\/www.bc.edu<\/a>), to an IP address, such as 136.167.2.220 (see <a class=\"xref\" href=\"part-012-chapter-12-a-managers-guide-to-the-internet-and-telecommunications.html\">Chapter 12 \u201cA Manager\u2019s Guide to the Internet and Telecommunications\u201d<\/a> for more detail). DNS cache poisoning exploits can redirect this mapping, and the consequences are huge. Imagine thinking that you\u2019re visiting your bank\u2019s Web site, but instead your network\u2019s DNS server has been poisoned so that you really visit a carefully crafted replica that hackers use to steal your log-in credentials and drain your bank account. 
A DNS cache poisoning attack launched against one of China\u2019s largest ISPs redirected users to sites that launched malware exploits, targeting weaknesses in RealPlayer, Adobe Flash, and Microsoft\u2019s ActiveX technology, commonly used in browsers (London, 2008).<\/p>\n<\/div>\n<div id=\"fwk-38086-ch13_s03_s03_s02\" class=\"section\">\n<h2 class=\"title editable block\">Physical Threats<\/h2>\n<p id=\"fwk-38086-ch13_s03_s03_s02_p01\" class=\"nonindent para editable block\">A firm doesn\u2019t just have to watch out for insiders or compromised software and hardware; a host of other physical threats can grease the skids to fraud, theft, and damage. Most large firms have disaster-recovery plans in place. These often include provisions to back up systems and data to off-site locales, to protect operations and provide a fallback in the case of disaster. Such plans increasingly take into account the potential impact of physical security threats such as terrorism or vandalism as well.<\/p>\n<p id=\"fwk-38086-ch13_s03_s03_s02_p02\" class=\"indent para editable block\">Anything valuable that reaches the trash in a recoverable state is also a potential security breach. Hackers and spies sometimes practice <span class=\"margin_term\"><a class=\"glossterm\">dumpster diving<\/a><\/span>, sifting through trash in an effort to uncover valuable data or insights that can be stolen or used to launch a security attack. 
This might include hunting for discarded passwords written on Post-it notes, recovering unshredded printed user account listings, scanning e-mails or program printouts for system clues, recovering tape backups, resurrecting files from discarded hard drives, and more.<\/p>\n<p id=\"fwk-38086-ch13_s03_s03_s02_p03\" class=\"indent para editable block\">Other compromises might take place via <span class=\"margin_term\"><a class=\"glossterm\">shoulder surfing<\/a><\/span>, simply looking over someone\u2019s shoulder to glean a password or see other proprietary information that might be displayed on a worker\u2019s screen.<\/p>\n<p id=\"fwk-38086-ch13_s03_s03_s02_p04\" class=\"indent para editable block\">Firms might also fall victim to various forms of eavesdropping, such as efforts to listen into or record conversations, transmissions, or keystrokes. A device hidden inside a package might sit inside a mailroom or a worker\u2019s physical inbox, scanning for open wireless connections, or recording and forwarding conversations (Robertson, 2008). 
Other forms of eavesdropping can be accomplished via compromised wireless or other network connections, keylogger or screen-capture malware, as well as hardware devices such as replacement keyboards with keyloggers embedded inside, microphones to capture the subtly distinct and identifiable sound of each key being pressed, programs that turn on the built-in microphones or cameras that are now standard on many PCs, or even James Bond-style devices using Van Eck techniques that attempt to read monitors from afar by detecting their electromagnetic emissions.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>&nbsp;<\/p>\n<\/div>\n<\/div>\n<div id=\"fwk-38086-ch13_s03_s03_s02_n01\" class=\"bcc-box bcc-highlight\">\n<div class=\"textbox shaded\">\n<h4 class=\"title\">The Encryption Prescription<\/h4>\n<p id=\"fwk-38086-ch13_s03_s03_s02_p05\" class=\"nonindent para\">During a routine physical transfer of backup media, Bank of America lost tapes containing the private information\u2014including Social Security and credit card numbers\u2014of hundreds of thousands of customers (Mardesich, 2009). This was potentially devastating fodder for identity thieves. But who cares if someone steals your files if they still can\u2019t read the data? That\u2019s the goal of encryption!<\/p>\n<p id=\"fwk-38086-ch13_s03_s03_s02_p06\" class=\"indent para\"><span class=\"margin_term\"><a class=\"glossterm\">Encryption<\/a><\/span> scrambles data, making it essentially unreadable to any program that doesn\u2019t have the descrambling password, known as a <span class=\"margin_term\"><a class=\"glossterm\">key<\/a><\/span>. Simply put, the larger the key, the more difficult it is for a brute-force attack to exhaust all available combinations and crack the code. When well implemented, encryption can be the equivalent of a rock-solid vault. 
To date, the largest known <span class=\"margin_term\"><a class=\"glossterm\">brute-force attacks<\/a><\/span>, demonstration hacks launched by grids of simultaneous code-cracking computers working in unison, haven\u2019t come close to breaking the type of encryption used to scramble transmissions that most browsers use when communicating with banks and shopping sites. The problem occurs when data is nabbed before encryption or after decrypting, or in rare cases, if the encrypting key itself is compromised.<\/p>\n<p id=\"fwk-38086-ch13_s03_s03_s02_p07\" class=\"indent para\">Extremely sensitive data\u2014trade secrets, passwords, credit card numbers, and employee and customer information\u2014should be encrypted before being sent or stored (Mardesich, 2009). Deploying encryption dramatically lowers the potential damage from lost or stolen laptops, or from hardware recovered from dumpster diving. It is vital for any laptops carrying sensitive information.<\/p>\n<p id=\"fwk-38086-ch13_s03_s03_s02_p08\" class=\"indent para\">Encryption is also employed in virtual private network (VPN) technology, which scrambles data passed across a network. Public wireless connections pose significant security threats\u2014they may be set up by hackers that pose as service providers, while really launching attacks on or monitoring the transmissions of unwitting users. The use of VPN software can make any passed-through packets unreadable. Contact your firm or school to find out how to set up VPN software.<\/p>\n<p id=\"fwk-38086-ch13_s03_s03_s02_p09\" class=\"indent para\">In the Bank of America example above, the bank was burned. It couldn\u2019t verify that the lost tapes were encrypted, so it had to notify customers and incur the cost associated with assuming data had been breached (Mardesich, 2009).<\/p>\n<p id=\"fwk-38086-ch13_s03_s03_s02_p10\" class=\"indent para\">Encryption is not without its downsides. 
Key management is a potentially costly procedural challenge for most firms. If your keys aren\u2019t secure, it\u2019s the equivalent of leaving the keys to a safe out in public. Encryption also requires additional processing to scramble and descramble data\u2014drawing more power and slowing computing tasks. Moore\u2019s Law will speed things along, but it also puts more computing power in the hands of attackers. With hacking threats on the rise, expect to see laws and compliance requirements that mandate encrypted data, standardize encryption regimes, and simplify management.<\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<\/div>\n<div id=\"fwk-38086-ch13_s03_s03_s02_n02\" class=\"bcc-box bcc-highlight\">\n<div class=\"textbox shaded\">\n<h4 class=\"title\">How Do Web Sites Encrypt Transmissions?<\/h4>\n<p id=\"fwk-38086-ch13_s03_s03_s02_p11\" class=\"nonindent para\">Most Web sites that deal with financial transactions (e.g., banks, online stores) secure transmissions using a method called <span class=\"margin_term\"><a class=\"glossterm\">public key encryption<\/a><\/span>. The system works with two keys\u2014a public key and a private key. The public key can \u201clock\u201d or encrypt data, but it can\u2019t unlock it: that can only be performed by the private key. So a Web site that wants you to transmit secure information will send you a public key\u2014you use this to lock the data, and no one that intercepts that transmission can break in unless they\u2019ve got the private key. If the Web site does its job, it will keep the private key out of reach of all potentially prying eyes.<\/p>\n<p id=\"fwk-38086-ch13_s03_s03_s02_p12\" class=\"indent para\">Wondering if a Web site\u2019s transmissions are encrypted? Look at the Web address. If it begins with \u201chttps\u201d instead of \u201chttp\u201d, it should be secure. Also, look for the padlock icon in the corner of your Web browser to be closed (locked). 
Finally, you can double click the padlock to bring up a verification of the Web site\u2019s identity (verified by a trusted third party firm, known as a <span class=\"margin_term\"><a class=\"glossterm\">certificate authority<\/a><\/span>). If this matches your URL and indicates the firm you\u2019re doing business with, then you can be pretty sure verified encryption is being used by the firm that you intend to do business with.<\/p>\n<div style=\"text-align: center; font-size: .8em; max-width: 497px;\">\n<div id=\"fwk-38086-ch13_s03_s03_s02_f01\" class=\"figure large\">\n<p class=\"nonindent title\"><span class=\"title-prefix\">Figure 13.6<\/span><\/p>\n<p class=\"indent\"><a><br \/>\n<img decoding=\"async\" style=\"max-width: 497px;\" src=\"https:\/\/pressbooks.ccconline.org\/wp-content\/uploads\/sites\/324\/2026\/01\/d13b00964f8c01a55206a11f3b870ae4.jpg\" alt=\"In this screenshot, a Firefox browser is visiting Bank of America. The padlock icon was clicked to bring up digital certificate information. Note how the Web site\u2019s name matches the URL. The verifying certificate authority is the firm VeriSign.\" \/><br \/>\n<\/a><\/p>\n<p class=\"indent para\">In this screenshot, a Firefox browser is visiting Bank of America. The padlock icon was clicked to bring up digital certificate information. Note how the Web site\u2019s name matches the URL. 
The verifying certificate authority is the firm VeriSign.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<p>&nbsp;<\/p>\n<\/div>\n<div id=\"fwk-38086-ch13_s03_s03_s02_n03\" class=\"bcc-box bcc-success\">\n<div class=\"textbox textbox--key-takeaways\">\n<header class=\"textbox__header\">\n<p class=\"textbox__title\"><span style=\"font-family: 'Cormorant Garamond', serif; font-size: 1em; font-style: normal; font-weight: bold;\">Key Takeaways<\/span><\/p>\n<\/header>\n<div class=\"textbox__content\">\n<ul id=\"fwk-38086-ch13_s03_s03_s02_l01\" class=\"itemizedlist\">\n<li>An organization\u2019s information assets are vulnerable to attack from several points of weakness, including users and administrators, its hardware and software, its networking systems, and various physical threats.<\/li>\n<li>Social engineering attempts to trick or con individuals into providing information, while phishing techniques are cons conducted through technology.<\/li>\n<li>While dangerous, a number of tools and techniques can be used to identify phishing scams, limiting their likelihood of success.<\/li>\n<li>Social media sites may assist hackers in crafting phishing or social engineering threats, provide information to password crackers, and act as conduits for unwanted dissemination of proprietary information.<\/li>\n<li>Most users employ inefficient and insecure password systems; however, techniques were offered to improve one\u2019s individual password regime.<\/li>\n<li>Viruses, worms, and Trojans are types of infecting malware. Other types of malware might spy on users, enlist the use of computing assets for committing crimes, steal assets, destroy property, serve unwanted ads, and more.<\/li>\n<li>Examples of attacks and scams launched through advertising on legitimate Web pages highlight the need for end-user caution, as well as for firms to ensure the integrity of their participating online partners.<\/li>\n<li>SQL injection and related techniques show the perils of poor programming. 
Software developers must design for security from the start\u2014considering potential security weaknesses, and methods that improve end-user security (e.g., in areas such as installation and configuration).<\/li>\n<li>Encryption can render a firm\u2019s data assets unreadable, even if copied or stolen. While potentially complex to administer and resource intensive, encryption is a critical tool for securing an organization\u2019s electronic assets.<\/li>\n<\/ul>\n<\/div>\n<\/div>\n<p>&nbsp;<\/p>\n<\/div>\n<div id=\"fwk-38086-ch13_s03_s03_s02_n04\" class=\"bcc-box bcc-info\">\n<div class=\"textbox textbox--exercises\">\n<header class=\"textbox__header\">\n<p class=\"textbox__title\"><span style=\"font-family: 'Cormorant Garamond', serif; font-size: 1em; font-style: normal; font-weight: bold;\">Questions and Exercises<\/span><\/p>\n<\/header>\n<div class=\"textbox__content\">\n<ol id=\"fwk-38086-ch13_s03_s03_s02_l02\" class=\"orderedlist\">\n<li>Consider your own personal password regime and correct any weaknesses. Share any additional password management tips and techniques with your class.<\/li>\n<li>Why is it a bad idea to use variants of existing passwords when registering for new Web sites?<\/li>\n<li>Relate an example of social engineering that you\u2019ve experienced or heard of. How might the victim have avoided being compromised?<\/li>\n<li>Have you ever seen phishing exploits? Have you fallen for one? Why did you take the bait, or what alerted you to the scam? How can you identify phishing scams?<\/li>\n<li>Have you or has anyone you know fallen victim to malware? Relate the experience\u2014how do you suppose it happened? What damage was done? What, if anything, could be done to recover from the situation?<\/li>\n<li>Why are social media sites such a threat to information security? 
Give various potential scenarios where social media use might create personal or organizational security compromises.<\/li>\n<li>Some users regularly update their passwords by adding a number (say month or year) to their code. Why is this bad practice?<\/li>\n<li>What kind of features should a programmer build into systems in order to design for security? Think about the products that you use. Are there products that you feel did a good job of ensuring security during setup? Are there products you use that have demonstrated bad security design? How?<\/li>\n<li>Why are SQL injection attacks more difficult to address than the latest virus threat?<\/li>\n<li>How should individuals and firms leverage encryption?<\/li>\n<li>Investigate how you might use a VPN if traveling with your laptop. Be prepared to share your findings with your class and your instructor.<\/li>\n<\/ol>\n<\/div>\n<\/div>\n<p>&nbsp;<\/p>\n<\/div>\n<p class=\"indent\"><sup>1<\/sup>UnsafeBits, \u201cBotnets Go Public by Tweeting on Twitter,\u201d <em class=\"emphasis\">Technology Review<\/em>, August 17, 2009.<\/p>\n<p class=\"indent\"><sup>2<\/sup>Portions adapted from G. 
Perera, \u201cYour Guide to Understanding Malware,\u201d <em class=\"emphasis\">LaptopLogic.com<\/em>, May 17, 2009.<\/p>\n<p class=\"indent\"><sup>3<\/sup>While some tools exist to automate testing, this is by no means as easy a fix as installing a commercial software patch or virus protection software.<\/p>\n<p class=\"indent\"><sup>4<\/sup>Knowledge@Wharton, \u201cInformation Security: Why Cybercriminals Are Smiling,\u201d August 19, 2009.<\/p>\n<p class=\"indent\"><sup>5<\/sup>Trend Micro, \u201cWeb Threats Whitepaper,\u201d March 2008.<\/p>\n<h2>References<\/h2>\n<p class=\"nonindent\">Anthes, G., \u201cThe Grill: Security Guru Ira Winkler Takes the Hot Seat,\u201d <em class=\"emphasis\">Computerworld<\/em>, July 28, 2008.<\/p>\n<p class=\"indent\">Avivah, L., \u201cPhishing Attacks Escalate, Morph, and Cause Considerable Damage,\u201d <em class=\"emphasis\">Gartner<\/em>, December 12, 2007.<\/p>\n<p class=\"indent\">Broersma, M., \u201cSlammer\u2014the First \u2018Warhol\u2019 Worm?\u201d <em class=\"emphasis\">CNET<\/em>, February 3, 2003.<\/p>\n<p class=\"indent\">Charney, J., \u201cCommwarrior Cell Phone Virus Marches On,\u201d <em class=\"emphasis\">CNET<\/em>, June 5, 2005.<\/p>\n<p class=\"indent\">Garretson, C., \u201cSpam that Delivers a Pink Slip,\u201d <em class=\"emphasis\">NetworkWorld<\/em>, November 1, 2006.<\/p>\n<p class=\"indent\">Keizer, G., \u201cBotnet Busts Newest Hotmail CAPTCHA,\u201d <em class=\"emphasis\">Computerworld<\/em>, February 19, 2009.<\/p>\n<p class=\"indent\">Krebs, B., \u201c\u2018Koobface\u2019 Worm Resurfaces on Facebook, MySpace,\u201d <em class=\"emphasis\">Washington Post<\/em>, March 2, 2009.<\/p>\n<p class=\"indent\">Lemos, R., \u201cAre Your \u2018Secret Questions\u2019 Too Easily Answered?\u201d <em class=\"emphasis\">Technology Review<\/em>, May 18, 2009.<\/p>\n<p class=\"indent\">Lemos, R., \u201cNasty iPhone Worm Hints at the Future,\u201d <em class=\"emphasis\">Technology Review<\/em>, November 29, 
2009.<\/p>\n<p class=\"indent\">London, J., \u201cChina Netcom Falls Prey to DNS Cache Poisoning,\u201d <em class=\"emphasis\">Computerworld<\/em>, August 22, 2008.<\/p>\n<p class=\"indent\">Manjoo, F., \u201cFix Your Terrible, Insecure Passwords in Five Minutes,\u201d <em class=\"emphasis\">Slate<\/em>, November 12, 2009.<\/p>\n<p class=\"indent\">Mardesich, J., \u201cEnsuring the Security of Stored Data,\u201d CIO Strategy Center, 2009.<\/p>\n<p class=\"indent\">Markoff, J., \u201cA Robot Network Seeks to Enlist Your Computer,\u201d <em class=\"emphasis\">New York Times<\/em>, October 20, 2008.<\/p>\n<p class=\"indent\">Murrell, J., \u201cThe iWitness News Roundup: Crime-fighting iPhone,\u201d <em class=\"emphasis\">Good Morning Silicon Valley<\/em>, August 31, 2009.<\/p>\n<p class=\"indent\">Ricadela, A., \u201cCan Adobe Beat Back the Hackers?\u201d <em class=\"emphasis\">BusinessWeek<\/em>, November 19, 2009.<\/p>\n<p class=\"indent\">Robertson, J., \u201cHackers Mull Physical Attacks on a Networked World,\u201d <em class=\"emphasis\">San Francisco Chronicle<\/em>, August 8, 2008.<\/p>\n<p class=\"indent\">Schectman, J., \u201cComputer Hacking Made Easy,\u201d <em class=\"emphasis\">BusinessWeek<\/em>, August 13, 2009.<\/p>\n<p class=\"indent\">Schneier, B., \u201cOklahoma Data Leak,\u201d <em class=\"emphasis\">Schneier on Security<\/em>, April 18, 2008.<\/p>\n<p class=\"indent\">Steade, S., \u201cIt\u2019s Shameless How They Flirt,\u201d <em class=\"emphasis\">Good Morning Silicon Valley<\/em>, November 9, 2009.<\/p>\n<p class=\"indent\">Summers, N., \u201cBuilding a Better Password,\u201d <em class=\"emphasis\">Newsweek<\/em>, October 19, 2009.<\/p>\n<p class=\"indent\">Vance, A., \u201cTimes Web Ads Show Security Breach,\u201d <em class=\"emphasis\">New York Times<\/em>, September 14, 2009.<\/p>\n<p class=\"indent\">Vijayan, J., \u201cSoftware Consultant Who Stole Data on 110,000 People Gets Five-Year Sentence,\u201d <em 
class=\"emphasis\">Computerworld<\/em>, July 10, 2007.<\/p>\n<p class=\"indent\">Wilson, T., \u201cTrojan On Monster.com Steals Personal Data,\u201d <em class=\"emphasis\">Forbes<\/em>, August 20, 2007.<\/p>\n<p class=\"indent\">Wittmann, A., \u201cThe Fastest-Growing Security Threat,\u201d <em class=\"emphasis\">InformationWeek<\/em>, November 9, 2009.<\/p>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"author":217,"menu_order":3,"template":"","meta":{"pb_show_title":"on","pb_short_title":"","pb_subtitle":"","pb_authors":[],"pb_section_license":""},"chapter-type":[49],"contributor":[],"license":[],"class_list":["post-278","chapter","type-chapter","status-publish","hentry","chapter-type-numberless"],"part":267,"_links":{"self":[{"href":"https:\/\/pressbooks.ccconline.org\/bus3060\/wp-json\/pressbooks\/v2\/chapters\/278","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pressbooks.ccconline.org\/bus3060\/wp-json\/pressbooks\/v2\/chapters"}],"about":[{"href":"https:\/\/pressbooks.ccconline.org\/bus3060\/wp-json\/wp\/v2\/types\/chapter"}],"author":[{"embeddable":true,"href":"https:\/\/pressbooks.ccconline.org\/bus3060\/wp-json\/wp\/v2\/users\/217"}],"version-history":[{"count":2,"href":"https:\/\/pressbooks.ccconline.org\/bus3060\/wp-json\/pressbooks\/v2\/chapters\/278\/revisions"}],"predecessor-version":[{"id":417,"href":"https:\/\/pressbooks.ccconline.org\/bus3060\/wp-json\/pressbooks\/v2\/chapters\/278\/revisions\/417"}],"part":[{"href":"https:\/\/pressbooks.ccconline.org\/bus3060\/wp-json\/pressbooks\/v2\/parts\/267"}],"metadata":[{"href":"https:\/\/pressbooks.ccconline.org\/bus3060\/wp-json\/pressbooks\/v2\/chapters\/278\/metadata\/"}],"wp:attachment":[{"href":"https:\/\/pressbooks.ccconline.org\/bus3060\/wp-json\/wp\/v2\/media?parent=278"}],"wp:term":[{"taxonomy":"chapter-type","embeddable":true,"href":"https:\/\/pressbooks.ccconline.org\/bus3060\/wp-json\/pressbooks\/v2\/chapter-type?post=278"},{"taxonomy":"contributor","embeddable":true,"hre
f":"https:\/\/pressbooks.ccconline.org\/bus3060\/wp-json\/wp\/v2\/contributor?post=278"},{"taxonomy":"license","embeddable":true,"href":"https:\/\/pressbooks.ccconline.org\/bus3060\/wp-json\/wp\/v2\/license?post=278"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}