Top 5 most common security oversights

Advances in IT security tools haven't stopped users from putting themselves at risk, unwittingly or otherwise. Security experts highlight the five most common risky habits they still see today.

Despite the wide availability of security tools and advice on safe online usage, incidents of data theft and hacking attacks still make the headlines on a regular basis.

ZDNet Asia spoke to security experts to find out the top five bad habits IT users cannot seem to relinquish, even today.

1. Poor password practices
Reminders about the importance of strong passwords appear to have fallen on deaf ears as many users today resort to using the same password across all their online accounts.

Paul Ducklin, head of technology at Sophos Asia-Pacific, pointed to Sophos research from March 2009 that found one third of respondents use the same password for every site with which they have an account.

Using the same password for all sites is risky because if the password for any one site is hacked, keylogged or "sniffed" by a cybercriminal, all of the user's accounts will then be at risk, Ducklin said in an e-mail interview.

However, consumers seem more savvy when it comes to payment card security. A study commissioned by credit card company Visa found that shoppers in the Asia-Pacific region use a variety of passwords for their cards and change their PINs every quarter.

Ducklin noted that many users also pick simple passwords that can be found in dictionaries. He explained that while words such as "contranym" and "passe-partout" may be unusual and hard to guess, they are included in most dictionary word lists and can be cross-checked by a computer in a tiny fraction of a second.

Nor does a simple password become safe just because it cannot be found in a dictionary--though that has not stopped some users from choosing one. An analysis of passwords stolen last year found that the most common password was "123456", followed by "12345678".
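A defender-side screening check for the two weaknesses Ducklin describes, added here as an example that is not part of the original article: it rejects the most common passwords and any password whose base form is a dictionary word (however obscure), and it times the lookup to show why a dictionary check costs a cracker next to nothing. The word lists are small constructed samples.

```python
import time

# Constructed sample lists. A real deployment would load full dictionary and
# leaked-password lists from files; these few entries are placeholders.
DICTIONARY_WORDS = {"contranym", "passe-partout", "badminton", "password", "welcome"}
COMMON_PASSWORDS = {"123456", "12345678", "qwerty", "abc123", "letmein"}

# Substitutions a cracker's rule set undoes, so the screening check undoes them too.
LEET_TABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "@": "a", "$": "s"})


def candidate_forms(password):
    """Variants a dictionary attack would test: lowercased, with trailing
    digits/punctuation removed, and with leetspeak substitutions reversed."""
    base = password.lower()
    stripped = base.rstrip("0123456789!?.")
    return {base, stripped, base.translate(LEET_TABLE), stripped.translate(LEET_TABLE)}


def screen_password(password, dictionary=DICTIONARY_WORDS, common=COMMON_PASSWORDS):
    """Return (accepted, reason). Common passwords and dictionary-based
    passwords are rejected before the length rule is applied."""
    forms = candidate_forms(password)
    if forms & common:
        return False, "common password"
    if forms & dictionary:
        return False, "dictionary word"
    if len(password) < 12:
        return False, "too short"
    return True, "ok"


def dictionary_lookup_seconds(password, dictionary=DICTIONARY_WORDS):
    """Time one set-membership check: testing a password against an entire
    word list is effectively instantaneous for the attacker as well."""
    start = time.perf_counter()
    any(form in dictionary for form in candidate_forms(password))
    return time.perf_counter() - start


if __name__ == "__main__":
    for pw in ["123456", "Contranym1!", "P4sse-Partout1!", "short",
               "badminton-win-NeeSoon-2009"]:
        print(pw, screen_password(pw))
    print("lookup seconds:", dictionary_lookup_seconds("contranym"))
```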

2. Over-sharing on social networks
Users are also "over-sharing" personal data on their social network profiles, allowing cybercriminals to easily glean this information for use in more targeted attacks, said Ducklin.

"Imagine if I want to send you a booby-trapped e-mail and trick you into opening it. How successful do you think I will be if I claim to be from a bank you haven't ever even heard of? Not very.

"But what if I know that you are a keen badminton player, that you recently played in a local tournament and I know how pleased you were to win against that guy who beat you at the Nee Soon South Community Club last year. Now you'll probably be much more likely to trust me," he explained.

In an e-mail interview, Vincent Goh, managing director for Southeast Asia at EMC's security division RSA, added that social networks are vulnerable to phishing attacks as some users add strangers--who might actually be phishers--into their networks.

Users are also vulnerable to identity theft, especially if they include personal information such as their full names, birthdates, addresses, phone numbers and names of relatives in their social network profiles.

3. Placing too much trust in Web sites and search results
"In today's Web, there is no such thing as a 'reputable site'--all content should be treated as untrusted and be inspected," said Michael Sutton, vice president of security research at Web security vendor Zscaler, adding that even search engine results cannot be trusted.

"[Cybercriminals] have successfully automated the process of combing the Web for sites with vulnerabilities that permit content injection," Sutton noted in an e-mail interview. "When a vulnerable site is found, malicious content is injected that will then attack users who visit the page."

He added that cybercriminals are also employing search engine optimization (SEO) in their attacks to target search results on popular search engines.

Cybercriminals have developed tools that can automatically identify popular search terms, deploy SEO-optimized content and host malicious content, he explained. This tactic is used particularly when there is breaking news, he said.

Users need to be alert to such attacks, Sutton warned, noting that search engines fail to identify and remove such content from their databases.

4. Casually clicking on links
Sometimes, even tech-savvy users such as employees from search giant Google can fall prey to malicious links posing as instant messages from friends.

Ducklin said users should be wary of e-mail messages from people they do not know, that they were not expecting, or that deal with a subject they have no interest in.

However, many users still needlessly click on links included in these messages simply out of curiosity, he said.

Sutton noted that users also often fall for social engineering tactics convincing them to download and install malicious software.

"We regularly encounter sites displaying fake warnings which inform users that malware has been detected on their machines, and requesting users to install either an antivirus program or an antivirus update," he said.

Unfortunately, he added, many users still fail to identify such attacks and these exploits have seen a high success rate.

5. Trading convenience for safety
RSA's Goh referred to a recent company survey which found that Generation Y users are highly susceptible to threats because of risky online behavior. According to the study, 75 percent of respondents were willing to accept more risk when purchasing items online in return for lower prices.

The survey also found that more than 50 percent admitted to both using the same passwords for all Web accounts and choosing to stay logged into the site to avoid the hassle of having to log in again.

The RSA study further found that Gen Y users participated in file-sharing activities such as downloading illegal content from the Internet. Not only is this against the law, but users are also putting themselves at risk because the files may harm their computers, Goh said.