Slashdot Log In
The NYT on the Proliferation of Botnets
Posted by
Zonk
on Sat Jan 06, 2007 08:40 PM
from the we-live-in-interesting-times dept.
from the we-live-in-interesting-times dept.
ThinkComp writes "The New York Times has a up a story on the proliferation of botnets. The article cites a number of security researchers who paint a depressing picture of the state of internet security, and concludes with the suggestion that for home users, buying a new 'updated' PC may be the only real solution. Unfortunately, as most of us know, given the number of outstanding flaws in software and the ingenuity of malicious software authors, that might not even help."
Related Stories
[+]
NYT Security Tip - Choose Non-Microsoft Products 298 comments
Giorgio Maone writes "The New York Times article 'Tips for Protecting the Home Computer' follows a story we recently discussed about the proliferation of botnets, and contains some statements which may sound quite unusual from mainstream press, especially if targeted to home users: 'Using a non-Windows-based PC may be one defense against these programs, known as malware ... Alternative browsers, like Firefox and Opera, may insulate users ... NoScript, a plug-in utility, can limit the ability of remote programs to run potentially damaging programs on your PC'."
This discussion has been archived.
No new comments can be posted.
The NYT on the Proliferation of Botnets
|
Log In/Create an Account
| Top
| 244 comments
| Search Discussion
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Not a flaw, but a feature (Score:1, Funny)
Good for them.
Welchia (Score:4, Interesting)
(Last Journal: Wednesday January 31 2007, @02:25AM)
I want a big red button (Score:1)
If something sneaks in that I don't want, then I press the big green button on the front of my computer, and select which program listing I want restored.
Well, that's sorta backwards (Score:3, Insightful)
(http://www.oreilly.com/catalog/samba/author.html | Last Journal: Wednesday August 24 2005, @03:32PM)
running under Linux (win4lin) and behind a paranoid
firewall is safer than XP or Vista.
Alas, not as safe as an unpached RH9, mind you,
but still safer than Vista (;-))
--dave
Re:Well, that's sorta backwards (Score:4, Insightful)
(http://www.underachievement.org/ | Last Journal: Sunday January 21 2007, @10:58PM)
but still safer than Vista (;-))
You say this with what evidence?
Vista hasn't even been released to the public yet and the only versions people have seen are unfinished betas and a very few corporate users who have started playing with the new RTM Enterprise. You know you're on Slashdot when a product that isn't even out yet has already been relegated to the insecure/unsafe/junk software category.
However, I see you have that little winky smiley thing at the end of your post. Does that mean you're just kidding and it's all a joke? Or are you serious, but going under the guise of joking so if somebody calls you out on your statement you can just say "whoosh!"? Emoticons are stupid--better for people to say what they mean and stick with that.
Re:Well, that's sorta backwards (Score:5, Interesting)
Re:Well, that's sorta backwards (Score:4)
(http://enharmonix.blogspot.com/)
I bet most slashdotters aren't even aware of DEP or using Run As to actually take away rights from a process in XP, so if a bunch IT geeks like /. don't know how to keep XP secure, then neither will users. XP has its share of security problems, but by and large the majority of them are caused by ignorance. The only way to really combat ignorance is to remind them "This is dangerous!" every time they do something risky. I would rather Vista err on the side of caution w/ UAC. The time lost clicking "Allow" all the time is less than the time lost having to restore a compromised machine.
As for the rest of your comment, I agree completely. Cheers.
Look at it logically and focus your efforts. (Score:5, Insightful)
#1. Worms - if you don't have any open ports, then you're pretty much immune to worms (unless they can crack basic TCP/IP operations). Ubuntu ships BY DEFAULT with no open ports. Windows ships with lots of open ports. Change that behaviour and you've solved an entire CLASS of attacks.
#2. Viruses - an infected program infects other programs, but does not otherwise change those programs. This is not very common now.
#3. Trojans - this is the biggest current threat. And there is no real way to remove it 100%, but it CAN be limited (again, look at Ubuntu). This is primarily a social engineering attack. You have to convince the user to run an app or open a message that will exploit a flaw in their email app (and so forth).
So, why aren't we seeing a focus on the biggest security issue?
Why hasn't Microsoft released a bootable CD so you can run the anti-virus/spyware/adware stuff easier? Clean up the junk AND patch the vulnerabilities in Outlook. Even if it means turning off some of the functionality.
If you cannot do it securely, then you should not do it.
Firewalling them is not the same as closing them. (Score:5, Insightful)
Nope. There are still lots of ports open, it's just that Microsoft put a firewall on the system, too.
The problem still exists. But now there is a wrapper obscuring it that you have to get through. That isn't solving the problem. That's just attempting to hide it.
And exploits have been found for Microsoft's firewall. Which demonstrates the problem with not solving it at the lowest level.
I can put an Ubuntu machine with a default install onto the Internet without any firewall and still be safe from worms.
I cannot do that with WinXP (or Win2K or Win9x or WinNT). If you aren't solving the problem at the lowest level, you're not really solving it. You're just hiding it.
Re:Firewalling them is not the same as closing the (Score:4, Informative)
Capitol Punishment (Score:5, Funny)
(http://www.subgenius.com/ | Last Journal: Wednesday April 16 2003, @05:39PM)
O.K.,O.K. maybe just corporal punishment
Rootkits (Score:1)
There's was so much crap and adware on someone's new Dell (I heard about), it took an hour to get it all off so I could install my pirated version of Microsoft Office. (err... at least, that's what my friend told me.)
Make Microsoft liable (Score:5, Insightful)
(http://www.thetao.info/tao/whitecloud1.htm)
If you sell me a chain saw, and I ignore the instructions and cut off my hand, it's my own damn fault. If I ignore morality and criminality and cut off my spouse's head, it's still my own damn fault. But if the chainsaw goes off on its own power, while I'm sleeping, and slices and dices the whole damn town, it's your fault for selling me such a product, especially if you manufactured it with the knowledge that it could, in certain not-uncommon circumstances, do exactly that.
Re:Make Microsoft liable (Score:5, Insightful)
(http://aqpeag.blogspot.com/ | Last Journal: Saturday April 21 2007, @05:39AM)
Ever been part of the warez scene on IRC?
I'm assuming you haven't, so I'll explain. That system is entirely trust based, and self-regulating. If a file ever comes from anyone which has a virus or anything else suspect included, the source of the file immediately gets ostracised, at least as a source, and most likely in terms of download access as well, since the system is based on reciprocal trade. Wrong, I hear you say...what about cracks coming from warez *web* sites or p2p nets which have malware? Said malware would likely be put into the archives by the webmasters of those sites themselves...the upstream cracking groups would NOT be doing it, because there are a lot of people in the warez food chain who are not going to want to receive/propogate known malicious files. ANY group which includes files for compromising a system with a release has just destroyed its' ability to subsequently release files that people will trust at any point in the future. Ditto for eMule files that have nasties in them...they get intercepted/recreated downstream. That is part of the entire reason why nets like eMule use the sorts of file hashing systems that they do; if you know the hash of a particular group's release, you can download said release and get entirely clean warez.
Ditto with any moron who was going to be dumb enough to try and write GPL licensed malware...they'd gain a horrible reputation very, very quickly. The other thing is, anyone who is sufficiently interested in doing the wrong thing as to be writing malware in the first place is not going to care about licensing it unless they are exceptionally stupid...which malware authors generally aren't. Sociopathic and deserving of being used as live shark bait, yes. Stupid, no.
Accidental bugs which lead to buffer overflows and such are different. They are unavoidable, and people know that...despite the best of developer intentions, occasionally they happen. As such, although the author of said bug will not risk ostracision for authoring it, in most cases (at least if the program in question has more than half a dozen or so users) it gets patched very quickly.
Re:Make Microsoft liable (Score:5, Funny)
(http://trolltalk.com/ | Last Journal: Saturday November 03, @08:45PM)
Hans Reiser, is that you?
Buying a new computer won't help you (Score:2, Insightful)
(http://jjjiii.livejournal.com/)
The people offering this "advice" have got to be idiots. True, it might cost more to pay someone else to de-own your PC and train you on how to avoid problems in the future than the cost of replacing the hardware. That doesn't mean that educating yourself isn't the right answer though. What does buying a new machine do to make you more secure? Buy a $400 brand spankin' new bottom of the line Dell, throw it up on the net, and get owned in under 20 minutes. Does anyone make the $1200/hr it would take to keep a steady supply of new bottom of the line bot-to-be PC's flowing into the households of idiot users who can't be bothered with learning fundamental literacy?
Being proficient with a computer is not optional if you want to own and use a computer. Learn about TCP/IP. Learn about NAT. Learn about not trusting everything. Learn about understanding how things work at least a little bit before you try to run. You don't need to be a security guru, but you can't get by thinking you can just use a computer and never have to learn anything more about it than that. Casual users on the internet are presently walking through the worst parts of town with $100 bills sticking out of their pockets, and until they can figure out that this isn't smart and why and what to do better, they're going to continue to get themselves in trouble and drag down the community by feeding the predators that eat away at it.
Not quite.... (Score:5, Insightful)
Ummm, most Mac OS X users don't have to know anything about TCP/IP or NAT, etc. Of course, they have an OS that has security built in at a very low level, not tacked on as an after thought. Windows, at least through XP, is still based on the notion that it wants to make it easy to connect to everything and everyone. As such, it's pretty open and malware takes advantage of that. OS X and the various *nix distros start at the other end of the spectrum where things are locked down unless you open them up (although OS X has more opened up than, say Ubuntu and various other linii).
As others have posted, if Windows shipped with all ports closed except those that were really needed, then the user wouldn't need to worry about all these things. They wouldn't be opening a port until they needed it for some specific application and then that application could explain the dangers, if any to having the port open. It's basically a compromise between ease of use and security. Microsoft chose to maintain it's ease of use model from the pre-internet days, when everything was local and has tried to add security on top. It just doesn't work that well.
So, the real choice is, it seems, that if you want a Windows pc, then you need to learn about TCP/IP, NAT, firewalls, etc. On the otherhand, if you just want to use your computer, either buy a Mac or put a secure Linux, like Ubuntu, on your pc. (I just use Ubuntu as an example, there are others, too)
Re:Not quite.... (Score:4, Interesting)
(http://plan99.net/~mike/)
I cannot believe people are still saying this. How many stories about botnets do we have to have on Slashdot before people realise that UNIX is not secure either.
Look. The vast majority of this crap comes in via browser exploits these days. Running malicious attachments etc is not such a favoured technique anymore. There is nothing in UNIX that stops applications from being written in an insecure fashion, there is nothing in UNIX that stops apps hooking each other to hell and back (which is largely what these bots are doing when they steal data), there is nothing in UNIX that even makes it hard to install a rootkit. Just phish the password out of the user, or wait until an authentication dialog appears and overlay your own, or wait until a privilege escalation attack is found (new ones appear all the time). But as you don't need root to steal data, send spam, display popup ads or any of the other things bots do this is really just a nice-to-have bonus, it's not essential.
The fundamental architecture of Windows NT is no different to UNIX these days. They are both seriously flawed because they are based on a threat model from the 70s, when the world of computing was totally different. Having an administrator user and also a "regular" user who are really the same person is a nasty hack that doesn't solve the problems at all. Apple don't have the answers ... have you seen how easy it is to suck SSL protected form data out of Safari? Neither does the Linux community. SELinux has gone down the route of totally static policy, which is fine for servers but worthless for desktops.
MacOS and Linux are statistically insignificant, but if people keep recommending them as a "solution" then soon they won't be and then we'll find, oh look, it's just as easy to create Mac botnets as it is Windows botnets. What little trust is left in computer security people will then be gone.
The fact is, residential computing is fucked. Utterly, utterly fucked. The guy quoted by the NYT is right, the war was already lost a long time ago, and people keep pretending it wasn't. The war was lost when the computing community decided that user based DAC security models could stop malicious software. They can't, they don't, and they never will so please stop saying MacOS or Linux are somehow inherantly better, when they aren't! They are at best temporary band-aids.
Re:Not quite.... (Score:4, Informative)
Really? Every XP box has hidden files shares turned on automatically. There isn't anyway to turn them off without resorting to executing a batch file after Windows starts. If you are relying on the Window's firewall for security, it is only providing a false sense of security, at best. There have been numerous tech articles against it (yes, it is better than nothing, but it isn't a full firewall).
Many malware rely on open ports to do their dirty work (connecting to IRC is just such an example). Several Linux distros have all ports disabled, other than those needed for actual use. OS X has most ports disabled. Even with the Windows firewall, there are many ports that are open, because otherwise, all the "neat" things Microsoft has touted you can do won't work. The problem is, that they are open whether you do those neat things or not and they don't show as an open threat because Microsoft wants them to be open.
Try it for yourself. There are many security websites that you can hit that will "test" your pc and tell you what is at risk with the default Windows settings. In short, the default Microsoft security settings may stop the kid down the block, but they won't stop the real hacker any more than copy protection does on CDs. At best, it just makes it a little less convenient.
An easy answer (Score:5, Insightful)
(Last Journal: Thursday December 09 2004, @09:25AM)
Any traffic that isn't specifically requested by the user is blocked. You manually open and close ports as you need them.
Oh, right, that would break most authenticity checks to combat "piracy", and totally botch most advertising on the net, and set us back to the early 90s. BTW - sign me up.
New PC (Score:5, Insightful)
The root of the problem is responsibility (Score:5, Insightful)
(http://www.silverglass.org/)
The core of the problem is responsibility, or a lack thereof.
Vendors aren't responsible for the results of the flaws in their programs. Worse, they aren't responsible for deliberate design decisions that make it impossible to secure systems. I make an analogy to automobiles. Auto makers aren't generally liable for defects in cars, unless the source of the defect goes beyond a simple mistake or defective part, but they are responsible for repairing those defects and can be sued if they refuse to do so. And they're liable for design decisions they make. Witness the Ford Pinto. The current state of software liability is akin to Ford claiming that, because they had a valid business reason for building the gas tank on the Pinto the way they did (it was cheaper, thus let them price the car cheaper), they cannot be held liable for the fires that happened as a direct result of their decision. The courts slapped Ford around for making that claim, why are software vendors not treated the same? I can live without strict liability for software flaws, but lack of liability for design decisions that directly lead to security problems is probably the biggest reason we still have problems.
And users aren't held responsible for their use of a computer. They treat it as some sort of plug-and-play device like a television or a radio: plug it in, turn it on and stop thinking about it. A computer isn't an appliance, you can't just ignore it after initial set-up. Again, cars make a good analogy. You can't just ignore a car's maintenance after you buy it, you need to put new tires, new brakes and such on it regularly. And car owners get held liable if they don't. If you wore your brakes out so they don't work anymore and didn't get them serviced, when you rear-end someone because you don't have any brakes you will be held responsible by the courts and the insurance. If you're running on bald tires because you don't think you should have to check and change anything, you're going to get ticketed by the cops at some point for unsafe mechanical condition and the car's registration will get suspended until you fix the problem. Sure it's a hassle and expense to keep maintaining all those things about a car that need maintained, but we don't accept that as an excuse for someone not maintaining them and causing damage or injury to others as a result. So why do we let computer users off the hook when they say "But I don't know anything about computers!".
Software vendors and computer users need to grow up. They've been both acting like spoiled 5-year-olds who were running in the house after being told not to, knocked over the china cabinet and broke everything in it, and now that Mom and Dad are standing there they're whining that they shouldn't have to own up to it and take their punishment. No dice.
Yes! Buy a new PC... (Score:3, Insightful)
(http://jlarocco.com/)
and sell your old one cheap.
Just the other day I bought an older Dell that "wouldn't boot" for $15, sans hard drive. An hour of hacking around inside, and I was able to get it going. It's a little old, but it'll make a nice LiveCD tester.
Consumers are getting raped by MS and Dell, but they're not going to learn, so might as well take advantage.
Doesn't advise getting a new PC for everyone (Score:2)
Did anyone really expect a middle-aged, non-techie to think "Gosh, I should finally install Linux with a lightweight window manager!"
New PC isn't going to help... (Score:2, Insightful)
Use Macs (Score:1, Insightful)
(http://www.delifisek.net/)
Case Closed
Retail Youngsters (Score:1)
Ubuntu (Score:2)
(http://www.bigattichouse.com/)
Push for Windows CDs (Score:5, Insightful)
(Last Journal: Friday March 26 2004, @04:22PM)
Heck, a 700MB USB flash drive isn't expensive now. They should build read only flash drives with windows into the box, and put an option to run a reinstall in the bios. Solder it in so no one will steal it.
It's the least they could do, considering. I mean, Windows compes preinstalled on almost every PC sold, and there are a zillion pirate copies of Windows floating around on the net, so hardly anyone needs to steal it, and anyone who wants to steal it can. But legitimate users are screwed when they have problems because they don't get CDs, because giving them CDs would encourage piracy. And, I suspect, because it's good for business if people trapped in a monopoly have to buy extra computers to solve this problem.
A new PC will help for what, a month? (Score:1)
A Simple Solution: power off when not using a PC (Score:1, Interesting)
I work with a Cisco VPN concentrator at a Medical/Dental/Nursing school, and every day a co-worker comes in early and forces off the users that have been connected all night and more. Usually it is 30-40 people but over weekends and holidays the number climbs to 70-80. Why stay connected, why leave your computer on all the time?
I'll leave the M$ bashing to others, the "open any email you get" bashing to others. I run an OpenBSD firewall on an old Dell at home, and I tell my kids to turn off the computer when they are done. I'm doing my part.
Printed Article (Score:2)
(http://aqfl.net/ | Last Journal: Wednesday July 09 2003, @01:16AM)
January 7, 2007
Attack of the Zombie Computers Is Growing Threat
By JOHN MARKOFF
In their persistent quest to breach the Internet's defenses, the bad guys are honing their weapons and increasing their firepower.
With growing sophistication, they are taking advantage of programs that secretly install themselves on thousands or even millions of personal computers, band these computers together into an unwitting army of zombies, and use the collective power of the dragooned network to commit Internet crimes.
These systems, called botnets, are being blamed for the huge spike in spam that bedeviled the Internet in recent months, as well as fraud and data theft.
Security researchers have been concerned about botnets for some time because they automate and amplify the effects of viruses and other malicious programs.
What is new is the vastly escalating scale of the problem -- and the precision with which some of the programs can scan computers for specific information, like corporate and personal data, to drain money from online bank accounts and stock brokerages.
"It's the perfect crime, both low-risk and high-profit," said Gadi Evron, a computer security researcher for an Israeli-based firm, Beyond Security, who coordinates an international volunteer effort to fight botnets. "The war to make the Internet safe was lost long ago, and we need to figure out what to do now."
Last spring, a program was discovered at a foreign coast guard agency that systematically searched for documents that had shipping schedules, then forwarded them to an e-mail address in China, according to David Rand, chief technology officer of Trend Micro, a Tokyo-based computer security firm. He declined to identify the agency because it is a customer.
Although there is a wide range of estimates of the overall infection rate, the scale and the power of the botnet programs have clearly become immense. David Dagon, a Georgia Institute of Technology researcher who is a co-founder of Damballa, a start-up company focusing on controlling botnets, said the consensus among scientists is that botnet programs are present on about 11 percent of the more than 650 million computers attached to the Internet.
Plagues of viruses and other malicious programs have periodically swept through the Internet since 1988, when there were only 60,000 computers online. Each time, computer security managers and users have cleaned up the damage and patched holes in systems.
In recent years, however, such attacks have increasingly become endemic, forcing increasingly stringent security responses. And the emergence of botnets has alarmed not just computer security experts, but also specialists who created the early Internet infrastructure.
"It represents a threat but it's one that is hard to explain," said David J. Farber, a Carnegie Mellon computer scientist who was an Internet pioneer. "It's an insidious threat, and what worries me is that the scope of the problem is still not clear to most people." Referring to Windows computers, he added, "The popular machines are so easy to penetrate, and that's scary."
So far botnets have predominantly infected Windows-based computers, although there have been scattered reports of botnet-related attacks on computers running the Linux and Macintosh operating systems. The programs are often created by small groups of code writers in Eastern Europe and elsewhere and distributed in a variety of ways, including e-mail attachments and downloads by users who do not know they are getting something malicious. They can even be present in pirated software sold on online auction sites. Once installed on Internet-connected PCs, they can be controlled using a widely available communications system called Internet Relay Chat, or I.R.C.
ShadowServer, a voluntary organization of computer security experts that monitors botnet activity, is now tracking more than 400,000 infected machines and a
What about the ISP? (Score:2)
Bullshit: Just turn off services. (Score:4, Informative)
I really, really don't get it. It's not that hard to keep a Windows box safe. I do understand how grandma can screw up, but I just do not buy the rubbish that every Windows machine gets compromised in five minutes.
People talk about "open ports." To me, that's right up there with "oh no! My IP address is visible!" paranoia. It's just not how computers work! Worms don't somehow jump into your computer through magic holes called "ports:" They exploit bugs in services.
So, disable all the services you don't need. Get rid of the blasted Windows filesharing cruft. Shoot the scripting host. Turn off the remote desktop crap. Look through all the services, and just clean all that junk out. If you don't have idiot programs running that worms can fool into executing arbitrary code or otherwise misbehaving, you're ok! Then connect to the 'net and install the latest updates. In the time it takes you to do that, nobody will jump up through your NIC and give your computer gonorrea.
A firewall is a safety net, and it makes perfect sense in, say, a production IT department to have as many safety nets and backups as you can. But a properly-configured machine, without exploitable crap running, shouldn't strictly need it, and I really think that a competent personal user can easily stay safe.
As for the "security software" the article speaks of: Though an up-to-date antivirus is a decent idea, most software firewalls and other pieces of security software really just operate something like modern-day politicians, keeping users alarmed so as to justify their own existance. "Someone is trying to HACK you!" they scream, as an innocent ICMP ping request arrives at your computer. Pfft. Save your CPU cycles and just don't be a fool!
And without a single use of "hacker" (Score:3, Insightful)
It's not the PC's being targeted... (Score:1)
IRC control (Score:1)
Couldn't the OS block access to IRC by default?
It seems to me anyone naive enough to install a trojan would not be using IRC anyway, and conversely, anyone who uses IRC would probably be computer savvy enough to avoid trojans.
how come no mention of DDOS? (Score:3, Insightful)
(http://circletimessquare.com/)
is it because the issue is outside the scope of the article or am i hopelessly behind the times and that's not really a problem anymore for some reason i'm not aware of?
It is not a hardware or software Problem! (Score:1)
Guiding the users to more responsibility is the only thing which can help - in all security affairs.
WTF is this? (Score:1)
Since When? Cites, Markoff, Please! (Score:2)
I have NEVER heard of ANY "botnets" on Linux OR MacIntosh.
"botnet-related"? Meaning somebody TRIED to create a botnet virus or trojan for Linux? Make that clear, please.
As far as I know, the number of viruses (almost none "in the wild") on Linux is something less than 20 (not counting variants). And almost all of them only infect the local user. Without being able to exploit a privileges-escalation loophole to gain root, Linux and Mac are nearly invulnerable to viruses.
Yes, it's bad that a virus can infect the local user. For a home user, that is VERY bad. For a business server, that is very good - which is why you see very few viruses on Linux and Mac.
Re:Woot (Score:1, Offtopic)
(http://slashdot.org/)
Re:Consumerism (Score:2)