Internet Explorer is broken, and the bad guys know it. As you type, criminal hackers could be recording your bank login and password information. Robert offers some tips for staying safe online.Microsoft's Internet Explorer is broken, and criminal hackers (crackers) know it. Within the last few weeks, these evildoers have staged several well-orchestrated Internet Explorer attacks designed to steal your banking and credit card information. The result has been that you can't trust Internet Explorer -- how will you know if a secure site is truly safe? Here's a look at what's wrong with Internet Explorer and what you can do to keep your data under lock and key.
At issue are not one, but several flaws within Internet Explorer, some well known and some not so well known (so-called zero day attacks). All of the serious attacks also use tiny apps called keystroke-logging Trojan horses, which capture IDs, passwords, and credit card information as you type them. And all of the attacks so far happen without users even suspecting there's anything wrong. Note: Only Windows users are at risk; Mac and Linux folks, you're safe for now.
Two weeks ago, elements of the Russian mafia coordinated a brilliant attack that turned the Internet into millions of points of digital infection. First, the Russians (or their hired crackers) managed to secure malicious code on vulnerable Microsoft IIS Web servers worldwide. Then, using flaws within Internet Explorer, malicious JavaScript automatically downloaded whenever a user visited an infected site (which included popular search and auction destinations). That JavaScript in turn downloaded a keystroke-logging Trojan horse from another server located in Russia. The attack ended once the Russian server was taken offline.
Last week, a second attack targeted accounts with major financial institutions, such as Citibank and Deutsche Bank. Spread by pop-up advertising, which in turn loaded malicious code, this attack uses a Browser Helper Object (BHO), a type of file that developers frequently use to monitor Internet Explorer sessions. In this case, whenever a user visits a banking site, just before the encrypted secure socket layer (SSL) session starts between user and bank, the Trojan records all the POST and GET information before it is encrypted. The Trojan then starts its own encrypted session, sending your personal banking data to a remote server.
How could this happen? Blame monopolies. When Microsoft launched its browser war against Netscape a few years ago, we all lost. By encouraging Web site developers to "optimise for Internet Explorer," Microsoft killed off the competition by offering Web surfers flashing images and pretty sounds. Internet Explorer now holds a commanding 95 percent of the Internet browser market. Because of that market dominance, however, Internet Explorer engineers have been lax about browser innovations and battening down its hatches.
In the wake of these serious security events, the software giant posted instructions to secure your Internet Explorer.
In a nutshell, the instructions say to increase the security settings within Internet Explorer, turn off JavaScript and ActiveX, and start reading e-mail in plain text (because Outlook uses Internet Explorer to render HTML). In other words, we should turn off everything Web developers have been told to optimise for. No more flashing images, no more cute sounds, just bland old, flat Web pages. And if you do follow these instructions, many Web sites you use every day simply will not work properly. Thanks a lot, Microsoft.
Here's the best part: there's one flaw that Microsoft fixed six years ago in Internet Explorer 3.0 and 4.0 that has resurfaced in versions 5.01, 5.5, and 6.0. And there are a few new bugaboos within Internet Explorer that even the software giant in Redmond, Washington, didn't know existed, despite its own efforts, a.k.a. Microsoft's Trustworthy Computing campaign. To its credit, Microsoft has since posted a patch for one of the new Internet Explorer flaws, but it waited a week to do so, and this patch still doesn't resolve all the problems.
The crisis with Internet Explorer is so bad that the U.S. Computer Emergency Response Team (US-CERT) now recommends that you move away from Microsoft Internet Explorer. You have Netscape 7.1, Mozilla 1.7, and Opera 7.5 to choose from, however, there is much excitement surrounding Mozilla's new Firefox browser, currently in beta, if only because Firefox reunites several original Netscape developers.
Short of bailing from Internet Explorer, you can also stop remote-access Trojan horses with a good personal desktop firewall such as ZoneAlarm or those included within Norton Internet Security and McAfee Internet Security. Finally, several of the banking Trojans can be removed with apps such as Spybot Search and Destroy and Ad-aware, as well as your favourite antivirus app. If you aren't currently checking for spyware, you should be. And if you aren't running antivirus protection, well, now's a really good time, don't you think?
What do you think? Do these security problems make you rethink your use of IE? Or have you already switched? TalkBack to me below!
Linkedin 
RSS Feeds 
Newsletters 
Alerts
I am a Business Dev Manager (BMECHENG GRADDIPINFOSYS) for a small Network Services Integrator with several customers with e-commerce sites (5-500 users). We have deployed Spy Sweeper (www.webroot.com) and BHODemon (www.definitivesolutions.com) to cover Cisco Pix Firewall/Sophos Enterprise Small Business Server 2003 or Windows Server 2003 to protect ourselves, and we are evaluating enterprise versions of Spy Sweeper and Pest Patrol for customers. It is clear, that standards have sufferred at the expense of "it looks cool" and this is unacceptable. If the industry doesn't regulate itself now, governments will surely do so shortly re consumer affairs.
This biggest problem is that Microsoft covered itself by asking users to select the High setting which includes the line - "less secure features disabled", and most good websites only permit the user to enter at medium or with certain custom settings (the fact that IE allows the security settings to be reset by websites with lower security is ludicrous - especially when it allows the same in trusted sites). So apart from the expected Active X issues see if you can get a response on what other custom settings are secure, and what the less secure features are, once and for all.
As there is now a known vunerability in Mozilla, will the industry protect itself, or are we headed for a Royal Commision here in Australia? There is very little running in the major media here, despite attempts by myself (and no doubt others) to provide background information - it's all too complicated for the public, they've decided.