US urges 'cyber hygiene' effort

http://news.bbc.co.uk/go/rss/-/1/hi/technology/8279867.stm

The US government has urged all internet users to play their part in protecting the network from attack.

The call comes at the start of National Cyber Security Awareness month.

The Homeland Security Department said "all computer users, not just industry and government, have a responsibility to practice good 'cyber hygiene'".

Security experts agree and have said users need to think before they click as part of an effort to highlight how vulnerable e-mail is to cyber scams.

A recent report claimed e-mail spam is on the rise and accounted for 87% of all e-mail sent in August.

"E-mail is a critical application so users need to think before opening that mail," said Rohyt Belani, the founder and chief executive of Intrepidus Group, a security consultancy.

"Our studies have shown that within the first hour of someone receiving a phishing e-mail, 60% of people click on them. That is not enough time for the security folks to act."

Phishing attacks are specifically aimed at getting people to divulge personal information like social security numbers or bank details.

Attackers may send an e-mail that appears to legitimately come from a credit card company or a financial institution requesting information that is then used to steal the users' identity.

The theme for this year's national cybersecurity awareness month, which is sponsored by the Homeland Security Department, is "our shared responsibility".

The campaign, now in its sixth year, was given a boost Wednesday when the Senate passed resolution 285 to support its goal to make U.S. citizens more aware of how to secure the internet.

'Keys to the kingdom'

Intrepidus said the attacks it is increasingly seeing are more targeted than ever before at key players in an organisation.

Over 20,000 new sources of malware are detected every day

"We are seeing the random scattergun attack fading away to some degree and attackers not so much focusing on sending out spam e-mail for Viagra in the hope two people will click on the link," Mr Belani told BBC News.

"They are more focused on let's say a system administrator at organisation X because the hackers know if they break into that computer, they will have the keys to the kingdom. Or someone high up in organisation Y where they might see all the M&A (mergers and acquisition) information."

Mr Belani also said his company had noticed that with the increasing popularity of social networks it is all too easy for the bad guys to get valuable personal information to make a spoof e-mail look like the real thing.

"These attackers mine a trove of information from Twitter, MySpace, Facebook and the like to try and compromise the systems of targeted victims.

"Once they have enough information about a person, it is relatively simple to draft an e-mail that looks legit. This scary trend with social networking comes with a real security risk that most consumers just don't seem to be aware of," added Mr Belani.

This week, Facebook revealed in its official blog that there has been an increase in what it terms 419 scams. These occur when cyber-criminals log into someone's account and pose as that person to ask everyone who is a friend for money.

"While the total number of people who have been impacted is small, we take any threat to security seriously and are redoubling our efforts to combat the scam," said Facebook engineer Alok Menghrajani in a blog post.

Safety online

In the future, Intrepidus said it believes smart phones will become more vulnerable because of the applications users download and also as the workforce becomes more and more mobile.

The President has likened threats to the internet to that of a nuclear attack

"Developers are churning these apps out as quickly as they can and the goal is mass adoption. This often means security takes a back seat," warned Mr Belani.

"Everyone now has a mobile device in their hand and each employee has e-mail on it with sensitive and perhaps confidential information. There has to be a huge paradigm shift to make employees understand they are an integral part of an organisation's security," added Mr Belani.

Security vendors throughout the industry advise on a number of ways to stay safe online or practice what the government has dubbed cyber hygiene.

These steps include not opening e-mail attachments from people you do not know, or from people you are not expecting to send anything, and making sure operating systems are up to date with the latest security updates.

Other pointers include unsubscribing from legitimate mailings you no longer want to receive and typing web addresses directly into a browser rather than relying on links within a message.