What a Hacked PC Can Be Used For 364
An anonymous reader points out that the Security Fix blog is running a feature looking at the different ways hacked/cracked computers can be abused by cyber scammers. "Computer users often dismiss Internet security best practices because they find them inconvenient, or because they think the rules don't apply to them. Many cling to the misguided belief that because they don't bank or shop online, that bad guys won't target them. The next time you hear this claim, please refer the misguided person to this blog post, which attempts to examine some of the more common — yet often overlooked — ways that cyber crooks can put your PC to criminal use."
Don't be a patsy! (Score:5, Interesting)
Users won't care (Score:5, Interesting)
Having read over the list I can tell you with absolute certainty that the common user will not care for one specific reason:
None of the items listed affects them directly.
Computer security for the common goo does not interest the average user one bit, ultimately the responsibility falls of the developers of the compromised software for not designing the software in a safe and secure way. In my home I run ALL PC's on limited user accounts, this should have been made standard 8 years ago when the push for security came about. The unwillingness to enforce this of most fundamental security provision highlights that:
As well as the average user, developers don't care about security either.
Re:Child porno? (Score:4, Interesting)
Hello, I'm "misguided" (Score:2, Interesting)
Until recently, I played the tin-folied-hat, security/privacy paranoid nutjob, being very careful when visiting unkown or shady sites (always using FF or Netscape back then), stacked under layers upon layers of AV, firewall, NAT router, anti-spyware/malware, anti-trojan, and whatever other crap Symantec and McAffee could sell me. I couldn't buy/download/update enough secuity software.
And yes, I've been doing trouble-free banking and shopping online since 1995. And who says money can't buy security??
One day I decided I had enough!! Partly due to a period of unemployment (03-04), partly due to a slow PC (Pentium with 64 MB of RAM), I decided to shun most of that security stuff little by little. The free AV (resource-hog Avast) was the last to go.
Fast-forward to 2008, 3 PCs later. The only security feature I have is my NAT router, and best of all I'M STILL DOING TROUBLE-FREE ONLINE BANKING AND SHOPPING!! No virii, no malware, no nothing!!!! I scan my PC once a year, just to be safe, and still nothing!!
As it turns out, unlike Symantec, McAffeee et al would have you beliveve, COMMON SENSE goes a very long towards keeping your PC safe. Best of all it's free!!!!
And yes, I've been using Windows all this time, and my PC stays online almost 24/7.
Re:They don't care (Score:5, Interesting)
I wonder why people would use a computer as an appliance. Could it be that the OEMs, software companies, and retailers are selling the computer as an appliance for online shopping, banking, and entertainment?
I wonder why they don't care when they are repeatedly told by the software companies that their brand of OS is very secure and it even has a "red, yellow, green" warning system to show how secure it is.
I wonder why users (who are told their computer is so simple to use properly, that there is no training required) don't train themselves?
From the time people are old enough to use a lock, they are told by parents, teachers, police, media, etc. to lock their doors.
There is no comparison for the average person regarding computer security. If the software companies cannot provide the level of security, without training, that they promise, then there should be a warning constantly flashing on the screen telling the person that anything and everything on that computer is likely to be stolen or used to commit a crime.
Re:They don't care (Score:5, Interesting)
There is a point at which people want an 'appliance'. Be it your car, computer, yard, HVAC, water conditioner or toaster.
There are people who never clean their toaster. And when it dies they toss it and get a new one. This is no different than someone who buys a new computer everytime they get a big malware hit.
Everyone is guilty of neglecting SOMETHING. It's not just that it's human nature but the time you spend keeping your computer up to date your grandparents may have spent keeping their guns polished. And I'm sure your grandpa knows someone who treated their guns like appliances. Tossed them in the dirt, never cleaned them, let them rust, etc.
Re:Hello, I'm "misguided" (Score:3, Interesting)
I was reinstalling a PC at work, started it downloading/installing the 50+ updates it needed, after SP1 was installed ....got called away ....
Next day remembered I had not finished it ... had an error on the screen, and the System32 folder had only *6* files in it!
The error was two viruses fighting each other for control and one losing .... ...all this while logged in as a default user, and behind a NAT and firewall .....
Needless to say the machine was wiped to the bare metal and reinstalled .....
Re:Child porno? (Score:5, Interesting)
What are the odds that a hack0r is also a pedo that would do this?
Even if a pedo paid a hack0r what are the odds he would report him?
A friend of mine is a network admin at a local university. As such, part of his duties include network security. He knows of several anonymous FTP servers on "his" network that are routinely tagged and used as drop-points for illicit data. Attempts to fix the situation have been stone-walled or outright ignored. So he just watches what goes on with these servers. It's amazing what shows up on them. There's a pretty good trade of warez that goes on - he doesn't have to hunt down torrents. There's often interesting malware examples to poke around with. And there's often more porn covering a wide array of kinks than you can get googling for "fetish". Child porn included. On a side note - that's based on what data he can see. There's also a large number of encrypted archive files that show up. It's a mystery what's in those. But often they're found in directory structures created by the illicit data peddlers so one can make a guess that if a given directory structure includes unencrypted kiddie porn, the encrypted archives found in that directory structure are probably more of the same. Of course, this is all very old-school. Hijacking servers? How very 1990's. Today we hijack small workstations often with just as many resources as a dedicated server - without the hassle of the occasional alert sysadmin.
Now define "openly malicious" (Score:5, Interesting)
Any ISP relaying openly malicious traffic needs to face consequences for it
Now define "openly malicious". Here are some minimal pairs to consider when legislating what traffic will invoke consequences:
Re:They don't care (Score:5, Interesting)
They do not feel responsible for malware running on their computer.
There is one exception ... one thing that scares the bejeezus out of most people ... and that's when you tell them their computer is being used as part of a kiddie porn ring. Somehow, when people learn that their machine is being used to host images of 8-year-olds being sexually abused, they suddenly take the concept of computer security a lot more seriously.
Not that I'm advocating anybody should tell a devious lie to a friend in order to make him/her smarten the hell up ... I'm just saying is all.
Re:Hello, I'm "misguided" (Score:3, Interesting)
Re:Sadly, no, they don't (Score:4, Interesting)
I tell them that they're actually clicking "Yes please, install this virus on my computer" over and over again, every time they want a new free, useless desktop widget or application or game produced by a company no one's heard of
What company that you've heard of publishes applications like Pidgin [pidgin.im] or games like Lockjaw [pineight.com]? But because these are free software, it's more likely that someone has looked over the source code for you.
Re:They don't care (Score:3, Interesting)
My problem with that reasoning is that you knew they were lying. When you buy Microsoft stuff, and they say, "this works," BOTH parties are grinning and winking at each other. If you pretend that you thought it was ok to hook that computer up to the internet, then you're just as dishonest as Microsoft. So take at least some of the responsibility, dammit.
Re:Now define "openly malicious" (Score:3, Interesting)
"Openly malicious" is really tricky - I'll grant you that. But before going for the borderline cases, I'd start at the ones that are more "open".
E.g.
* E-mail with 1000s of recipients that are readily identifiable by postini-style filters as spam.
* Packets containing known exploit strings that are currently "popular" for compromising PCs
Now, ideally I'd like a system that didn't require these kind of measures. Short of that, I'd like a system where I could at least have a warning from my ISP so that I could respond and say, "That traffic was only directed at systems that I own or at systems from which I had consent from the owner" so that they had deniability and I could pen-test my computers or hack my phones without risking consequences. But I acknowledge that it's messy... I'd love a cleaner solution.
Re:They don't care (Score:5, Interesting)
Holding users responsible probably opens a legal can of worms, but I think that is coming too. Once users are held responsible, ISPs will be held responsible - not only for the damage their users do, but also by users for letting malicious traffic to the user's computer. Software manufacturers will probably also end up fighting class action suits over security weaknesses.
But when some crime group blackmails a web site with a DoS attack, it's all the compromised computers that do the heavy lifting. There should be some responsibility there. Acting as repositories for stolen files and such should also carry responsibility.
There is a responsibility in owning a computer and putting it on the net. Everyone has sidestepped that issue for far too long. If someone's computer does me harm, then why shouldn't they be held responsible?
I think with all of the attention that cyber crime is now getting, holding people responsible to at least some extent will be inevitable. And I know there are lots of ways to hide which computers are contributing to DDoS attacks, but if a computer is discovered with lots of stolen data on it, attributing responsibility gets a lot easier.
Re:Don't be a patsy! (Score:5, Interesting)
I'm a former signal corps officer who once held the electronic security officer position in a S-2 shop (that's military intelligence), and I personally know of three cases where a military computer intrusion resulted in serving a warrant at some person's home. One of them was on post and was served by MPs - the other two at civilian addresses. In ALL cases, persons bearing M-16s were present (MPs, FBI or SWAT). In ALL cases, all computer and related equipment in the home was impounded and held at least until trial.
In one of the three cases, a firearm was actually pointed by police in my presence, and the civilian policeman informed the suspect (a 16 year old kid), "Step away from the computer NOW! Or I will splatter your dumbass fucking head all over the fucking wall". fortunately he complied at that point, although later, one of the police told me it was probably because a non-cop was present that his buddy didn't bang the kid against said wall 'just a little' before handcuffing him. Even though I was only along as a witness to identify presence of the suspected software on his machine, since this was a civilian related case, I ended up having to testify at the trial that the kid appeared to be trying to destroy evidence, because he argued at first that the language and being cuffed constituted excessive force.
So yes, if that something is intrusion in a military system, someone may very well point a gun at you. I think the police were reasonably professional in the cases I was connected to, and I recommend that people don't rely on that. I got to where I really feared having a case come up in some areas where I would expect the police to get overexcited about it. We always had to assume a cases such as this might be espionage by foreign agent, but the police typically reacted like they never heard the word 'might' in that - to them it simply was spying and sabotage, and I also heard the word 'treason' thrown around a lot when we briefed the local DAs that the suspects were believed to be U.S. citizens. Many cops damned well may go a lot farther than pointing, and you are giving out very, very bad advice.
Re:They don't care (Score:4, Interesting)
Some time back, a Danish bank blocked the access of 8.000 internet bank users, as the bank could link their computers to ip adresses that might be infected by a trojan. They suspected that the trojan could be used to get access to the bank accounts of the 8.000 users. Thus, they sent (snail)mail to the customers in question that told them that they had to reinstall Windows before they could do their banking online again.
Re:Don't be a patsy! (Score:3, Interesting)
One thing is hacking and another being part of a botnet of 300.000 units.
Re:They don't care (Score:3, Interesting)
If we, the technorati, keep insisting that computers and networks are somehow special and require special handling, then all we are doing is turning a blind eye to avoid seeing our own failures. Notice the trend to more appliance-like devices in both the desktop and mobile realms that run their OS out of firmware.
Customers are trying to tell us something. Are we listening?
But... computers are special and require special handling. Is there any other device in modern or ancient life that's used for more things? I might say the wheel or the knife, but beyond that, I can't think of anything. The wheel's pretty innocuous unless you put them on a big metal thing that moves fast. Knives, however, require special training. You probably don't remember it, but your parents were constantly guiding you and watching you while you used knives for the first time. Even as adults, people make stupid mistakes with knives: grabbing at a falling knife out of reflex, cutting themselves while peeling fruit, threatening someone who has a concealed-carry license. And computers can do a lot more stuff (some that seems to have no relation to computing) than any wheel or knife.
Customers are trying to tell us that they like GPS computers: it only does GPS. They like set-back thermostats: it only regulates temperature. They like Tivo: it only records shows. They like their car's computer: it computes gas mileage for them. They like their Wii: it plays games. But you had better not mess with their Office 2007 machine, because it has all their unencrypted income tax data on it, and little Billy likes to use it to play the latest FPS which requires quite a few open ports, and to be run as Administrator.
Re:They don't care (Score:4, Interesting)
Happened years ago. Didn't make a peep of difference.
Re:They don't care (Score:3, Interesting)
Whether they admit it or not, they resent finally encountering something that requires them to think, that cannot be reduced to a short list of simple steps that they can execute mechanically.
People resent having to think about SOMETHING BORING. It's not that people won't think, they just think computers are boring. It's kind of like the tax code. I resent my thinking being wasted on something so inane, but I find lots of other kinds of thinking interesting. You and I happen to think that computers are not boring, but this does not put us above everyone else. E.g. the steoreotype is that the average Slashdotter resents having to really think about how to best interact with other people... so the average Slashdotter doesn't like thinking? It's just not so.
I'm sorry, because it gives me no pleasure to say this, but the mentality you just described belongs to a bunch of overgrown children who call themselves adults. That's the real reason why technical advances alone have not made this problem go away.
It's a package deal. That "something boring" is inseparable from the things they really want to do. It takes a lot of immaturity to fail to recognize this and to be unwilling to deal with it even if that unwillingness causes you or others to suffer, which insecurity certainly does. I'll put that another way. You may resent the tax code, and I'd agree you have lots of valid reasons for doing so. But you still handle it, you still pay your taxes, you still file you return. Why? Because you have a responsibility. Because you know bad things will happen (i.e. the IRS coming after you) if you don't. I know bad things will happen if I fail to secure the machines I put on the public Internet. That has been proven again and again with the examples provided by those people who didn't think security was important. I would have no excuse for failing to take reasonable measures to take care of it and my personal feelings about this reality are quite irrelevant.
"Boring" versus "exciting" is valid when you're talking about preferences. It might determine what movies you want to watch or which books you want to read, because with movies and books generally all of your choices are morally equivalent, so it really is just a matter of taste. The failure to recognize when you are dealing with something that is not simply a matter of taste, where one choice really is morally and pragmatically superior to all other choices, is a personal shortcoming. That's why I spoke about this in terms of a character weakness. You seem to think you are explaining something to me that I didn't already know. I am well familiar with what you are saying, I just think it's completely invalid and unworthy of the "excuse" status you seem to want to give to it.
The thing is, right now there is so much low-hanging fruit that you hardly need to be an expert to avoid the vast majority of attacks. The respectable decision-making would be that if you don't want to deal with learning a few new things and don't want to become familiar with the basic steps needed to make yourself a much harder target, then maybe connecting a machine to the Internet isn't for you. There are things I don't get involved in that would be nice, except that I know I don't want to take the time and effort to do them properly. There's nothing wrong with that. If you think being on the Internet IS for you, and you really want to be there, that's good too. Ideally, lots more people would use and enjoy it. Just do it right and don't make the network a worse place for everyone else because of your negligence.
I don't think this concept is hard to understand at all. I think you just don't like it and want an easy way out of it. The funny thing about that, is that if all of the effort spent coming up with excuses and defending personal negligence were put towards securing systems and networks, we'd have already made tremendous progress. I make only one assumption there: that the most average people can astound you with what they can accomplish if they really want to. They just need to get over the ways in which they are their own worst enemies, and that mentality you described is one of the biggest.
Re:If you can't get people to wear seat-belts (Score:3, Interesting)
which save their lives, what chance is there to voluntarily inconvenience themselves, to stop bad things happening to others.
Regarding seatbelts: I've had better luck explaining to people that in a crash, seatbelts aren't there just to save their lives, but also that of their passengers. In a side-collision, if the driver is not wearing a seat belt, but the passenger is (or vice-versa), the one without a seatbelt becomes a bouncing projectile, injuring or killing the "safe" person in the seatbelt.
This argument appeals to the same people that never tried to quit smoking until they had kids ("I'm only hurting myself. A baby? Time to quit.")
Re:They don't care (Score:2, Interesting)
And I'm sure your grandpa knows someone who treated their guns like appliances. Tossed them in the dirt, never cleaned them, let them rust, etc.
etc = left them loaded and sitting out in the open?