InfoWorld.com had a good, short article on hacking here by Roger A. Grimes. Roger makes the point that security losses are not usually due to smart criminals breaking in by unpredictable means, but rather that
Malicious hackers are using pretty much the same old tools and exploiting the same old weaknesses. However, companies and end-users aren’t doing what they need to defend themselves. Anyone who promotes today’s attackers and their tools as near-invincible is doing a serious public disservice.
The techniques used for breaking and entering are not new and usually do not require much technical expertise; they are the same techniques that have been in use for the last two decades:
1. Login information is harvested in bulk from some negligent corporate server through SQL injection, well-known but unpatched software defects, keyloggers on the victims’ computers, botnets, Trojan/phishing emails, or some other means.
2. The harvested 1,000s or 1,000,000s of login/password combos are reviewed to see if any interesting-looking logins are in the list — logins that might belong to high-value victims such as celebrities or politicians.
3. People are usually too lazy to use a different password for each web site, so a rainbow table is used to recover the harvested password from its hash, and then
4. the criminal tries the login/password on other high-profile sites, such as Facebook, Google, and Yahoo. And shazammm. The criminal now has all of someone’s private and embarrassing emails, teen nudie pictures, or whatever.
There are very simple rules to protect oneself.
A. Use unique passwords on high-visibility web sites such as Yahoo, Google, or Facebook. If you reuse passwords on trivial junk sites it probably doesn’t matter, but if you use the same password on Sony as on Google, better change the Google password to something else.
B. Make your passwords more than eight characters long. Using funny junk in the password doesn’t matter — having anything longer than eight characters does — it makes it a lot harder to create a rainbow table big enough to reverse engineer the password. ‘MickeyMouse’ is every bit as safe a password as ‘M!ck3yM0u53’. The weirdness in the second one only makes it harder for you to remember the password and more likely that you will have to write it down where someone unintended can read it.
C. Keep your personal computer’s OS software up to date, if possible use a Mac or Linux, and install and keep up to date some antivirus software such as Microsoft Security Essentials, KlamAV, McAfee, Norton, F-Prot, Kaspersky, or AVG (formerly Grisoft Anti Virus Guard).
D. If possible, always use Google Chrome as your web browser, or, failing that, Firefox. Microsoft Internet Explorer has many nice automatic features for your convenience; however, criminals can use these features to break into your computer and steal information.
E. Turn off JavaScript (instructions here and here) by default in your web browser so that you must manually approve a web site to run JavaScript the first time — this stops cross-site scripting (XSS) attacks such as those common on Facebook dead in their tracks — even if you click the link, they can’t run because the malicious web site does not yet have JavaScript privileges in your browser.
It really is that easy.
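Rules A and B are easy to check mechanically. The script below is an added example written for this post, not Roger’s or InfoWorld’s code: given a list of (site, password) pairs, it reports every password shared between a high-visibility site and any other site (rule A: reuse on junk sites alone is not flagged, matching the post’s advice) and every password of eight characters or fewer (rule B). The high-value site list and the sample credentials are constructed for the demonstration.

```python
"""Password-hygiene audit for the two password rules above (A and B).

The site list and the sample credentials are constructed for this example.
"""
from collections import defaultdict

# Sites where a reused password hands over someone's whole online life.
# Assumption: the post's three examples; extend to whatever matters to you.
HIGH_VALUE_SITES = {"google", "facebook", "yahoo"}
MIN_LENGTH = 9  # rule B: "more than eight characters"

# Constructed sample input: made-up sites and passwords.
SAMPLE_CREDENTIALS = [
    ("Google", "MickeyMouse"),
    ("Sony", "MickeyMouse"),            # same password as Google -> rule A
    ("Facebook", "correct horse battery"),
    ("junkforum", "hunter2"),           # reuse between junk sites only: not flagged
    ("otherforum", "hunter2"),
    ("Yahoo", "Donald1"),               # seven characters -> rule B
]


def audit(credentials):
    """Return {'reused': [...], 'short': [...]} for a list of (site, password).

    'reused' holds sorted lists of sites that share one password, but only
    where at least one of them is a high-value site (rule A).
    'short' holds the sites whose password is eight characters or fewer (rule B).
    """
    sites_by_password = defaultdict(set)
    short = []
    for site, password in credentials:
        name = site.lower()
        sites_by_password[password].add(name)
        if len(password) < MIN_LENGTH:
            short.append(name)

    reused = []
    for sites in sites_by_password.values():
        if len(sites) > 1 and sites & HIGH_VALUE_SITES:
            reused.append(sorted(sites))

    return {"reused": sorted(reused), "short": sorted(short)}


def report(credentials):
    """Human-readable summary of audit(); returns the lines it prints."""
    findings = audit(credentials)
    lines = []
    for group in findings["reused"]:
        lines.append("Rule A: same password used on " + ", ".join(group))
    for site in findings["short"]:
        lines.append("Rule B: password on %s is eight characters or fewer" % site)
    if not lines:
        lines.append("No findings.")
    for line in lines:
        print(line)
    return lines


if __name__ == "__main__":
    report(SAMPLE_CREDENTIALS)
```

Only the length of each password is examined, never its characters: the post’s position is that length, not symbol soup, is what makes a rainbow table impractical, so the audit flags nothing about character choice.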