Thursday, November 22, 2007

Internet Security Issue

The Internet is convenient and useful. It opens a wide door to the world, and for most people it is an important part of their lives. However, Internet security is a problem for most people who use the Internet, especially those who use it for email, banking and even personal matters on their local computer. Most people don't know about the problem and don't know how to protect their private information.

As a programmer, I realized this, and I found it easy to obtain personal private information, for example a login ID and password, by writing a simple program. For Windows users, there are Windows API functions that can be used to monitor processes and the keyboard. They are part of Windows' core and available on all Windows platforms. A programmer can easily write a program that uses those APIs to log keyboard and mouse activity in the background, without the user noticing.

For example, I wrote a program purely as a personal test and as a demo to show my friends. It is a console application. When you start it in a console, it starts monitoring keyboard and mouse activity and prints the keys and mouse clicks to the console. I tried it when logging in to many secured programs and web sites. I could see the login IDs and passwords!

The following is a snapshot of one case, logging in to a bank's web site:



You can see that the login ID is "watchme", followed by a tab to the password text box and then "password".

You can imagine that this feature could be enhanced to work with process monitors, watching a specified process in order to steal your personal information (I also verified that Windows APIs are available to check the current processes and their titles, such as browser changes). A virus or unknown program carrying this kind of spy can easily be installed on one's machine.
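From the defender's side, a program that uses such APIs usually lists them by name in its import table, which gives a quick triage check. The following is an added example, not code from the original post: it searches a binary's bytes for the names of documented user32.dll functions and flags files that reference both an input-capture function and a foreground-window function. The watchlist, its categories and the sample bytes are assumptions chosen for illustration.

```python
# Documented user32.dll functions that can observe keyboard input or the
# active window. The selection and category labels are this example's own.
WATCHLIST = {
    "SetWindowsHookExA": "input hook",
    "SetWindowsHookExW": "input hook",
    "GetAsyncKeyState": "key state polling",
    "GetKeyboardState": "key state polling",
    "RegisterRawInputDevices": "raw input",
    "GetForegroundWindow": "foreground window",
    "GetWindowTextA": "window title",
    "GetWindowTextW": "window title",
}
CAPTURE = {"input hook", "key state polling", "raw input"}
CONTEXT = {"foreground window", "window title"}


def triage(image: bytes) -> dict:
    """Return {category: sorted API names} for watchlisted names in image."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    found = {}
    for name, category in WATCHLIST.items():
        # Import names are stored as NUL-terminated ASCII; requiring the
        # terminator keeps GetWindowTextW from matching longer names.
        if name.encode("ascii") + b"\x00" in image:
            found.setdefault(category, []).append(name)
    return {cat: sorted(names) for cat, names in found.items()}


def needs_review(hits: dict) -> bool:
    """True when a file can both capture input and see the active window."""
    return bool(hits.keys() & CAPTURE) and bool(hits.keys() & CONTEXT)


def _sample(names):
    # Constructed bytes standing in for an executable; not a real program.
    return b"MZ\x90\x00" + b"".join(n + b"\x00" for n in names)


SUSPECT = _sample([b"USER32.dll", b"SetWindowsHookExW",
                   b"GetForegroundWindow", b"GetWindowTextW"])
BENIGN = _sample([b"KERNEL32.dll", b"CreateFileW", b"GetWindowTextW"])

if __name__ == "__main__":
    for label, blob in (("suspect", SUSPECT), ("benign", BENIGN)):
        hits = triage(blob)
        print(label, hits, "REVIEW" if needs_review(hits) else "ok")
```

Packed binaries and programs that resolve functions at run time will not show these names, while legitimate hotkey or accessibility software will, so a hit is a prompt for closer inspection rather than a verdict.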

How can you protect yourself? As the demo above shows, I always advise people not to type their personal information in the regular, habitual order: login ID, tab or mouse click, and then password! You can fool these monitoring programs. Don't type your login and password continuously and correctly! You may purposely type wrong or partial ones. Jump around between the login and password fields, and even between browser tabs. Type something on the page. Make it hard for spy programs to get your personal information! As well, change your login password regularly.

Some web sites provide more security options for users. For example, in the demo above, there is an optional description field where you can type anything. After you log in, the site may ask you additional questions that you set previously if you are logging in from a new location (which may be inconvenient for many users). All these efforts are made to protect you.
