UK PC Users Hit By Huge Fake Antivirus Attack 75
An anonymous reader writes "UK Internet users were on the receiving end of a large drive-by web attack at the end of February, which attempted to push fake antivirus at least 750,000 times on a single day alone, security company AVG has said. According to a company analysis, on Sunday 27 February, detection levels for the previously obscure Russian 'Blackhole' exploit kit suddenly spiked to 900,000 globally from a few tens of thousands that would be typical for such kits, before dropping back again. Unusually, almost 750,000 of these detections were for UK PCs, which offers a baseline for what must have been a sustained attack several times that size against mainstream web servers frequented by users in the country."
Re:Computers not fun anymore? (Score:4, Insightful)
1) You try exploiting a system that has MANY documented holes and that its users are more than likely less security conscientious than other tighter systems; ergo, unlikely to cancel credit cards in time or change passwords.
2) You try exploiting a system where it's generally harder to implement a successful exploit and where its users are more likely to reset their security in a blink of an eye if they smell foul play.
Hint: "The Bad Guys" are lazy by nature...
Re:Computers not fun anymore? (Score:1, Insightful)
Non-creative types? What shit is this?
Are you really suggesting that creative types, by definition, will want to take their PC's apart? Really?
Hollywood Hackulture (Score:3, Insightful)
Had a typical midwesterner conversation this morning in college. It wasn't over exactly this antivirus fakeout, but it led up to the flaws behind the antivirus system, namely the symbiotic relationship between virus/antivirus. But the reason the antivirus companies make so much money, and the reason why fake virus attacks work, and so on, is because people are educated from the wrong directions.
This morning, after somebody realised I was a computer programmer they asked if I could hack into computer systems. Once we got past my incredulous phase where I can't believe somebody would ask something like that out in the open in front of other people, it came down to, "no, I can't, or if I can I don't want to".
Do you walk up to people and say "could you jack a car?" "Could you murder somebody?" Just right out in the open, not even meeting them? Try it out like this: do you tell them, "yeah, oh yeah!" You know how much federal time that is, right out the gate? By the time you affirm something like that, it's not the other person's liable time, either, it's yours. Even if it's also illegal to ask in the first place, seeking to conspire over these things and soliciting such skill through such a line of questioning.
But if it's computer hacking, well everybody feels that's a great thing. Everybody wants to know a hacker, see a hack going on. This is why it's very lucrative to make games where a person believes they are hacking a computer system, but never to make it very complex: they wouldn't know a hack if they were one, but they love the idea of trumping all this new-fangled computer nonsense that puts knots in their brains and makes them feel inferior. Oh, if only they could hack the machine and get it out of the damn way and just get down to brass tacks and business.
So I had to weather wave after wave of this guy begging for the reality of the grey-hat market. That maybe it's okay to commit computer crimes because if you get caught, you won't go to jail, the NSA will show up with the men in black and hire you into the upper, upper, uppity echelon of secret dream, top-level, wish fulfillment and instant gratification the real world won't let you have.
He promoted himself as some kind of brilliant business person, because he's spending money to go to college for business. He didn't even know to bring cash with him to do the printing he needed for this uppity business class trip of his, and wasn't independent minded enough to put it together on his own. I explained to him how to put the scanner and the printer together through the computer and pay for it off his printing account instead. I didn't even get a thanks, just a frankly indifferent, self-scolded, urban-culture "yeah that'll work that's cool".
So, when he got on me about where's all the grey hat money money, I told him, it's not supposed to be like that. The systems should be installed properly and used properly the first time. You don't go around giving your housekey away to strangers all in order to sustain the police records filing level industry, do you? You keep your shit secure because you want it. You do that because that's what your instincts want, is security. That's exactly what an employer is thinking, too. They aren't saying, hey, I want holes in my security to hire a grey-hat, so I'm going to go buy a security system, have it installed properly, and then have a mad hatter at the front desk surfing the web from an admin level unpatched windows desktop and taking bathroom breaks with the system password post-it noted over the keyboard numerical pad. That way I can hire a cool-sounded thing, like, the rugged individualist down on his luck who got caught stealing my wife's credit card number and now has been hand-picked by the NSA to come to me to charge me twice for my security: once to point out how I screwed it up and again to install the whole new system.
When I put it to him like that, he said, well, ha-ha, it's obvious you don't know biz-niss. I explained as well as I could that, in fact, he doesn't know bu
Re:Computers not fun anymore? (Score:4, Insightful)
I like to fiddle with computers as much as anyone else, but oddly enjoy having an iPhone that just does and is locked down. So perhaps the way forward is to ship products that are, by default, locked up tighter than an iPhone but with the option to incrementally relax restrictions. This way the average user who couldn't care less about what is going on under the hood and is susceptible to drive-by attacks is fairly safe. But then those who would like to fiddle and are probably a lot more security conscious have the freedom they need.
That's much like Andriod behaves together with the Google store. The Google store provides the safety catch and you can get around that if you want to. A difference is that it does not rely on code inspection, so there is more chance of bad programs getting through. It also does not protect as much against programs that are just badly designed or are careless regarding security/privacy. The access conditions make sure that applications cannot just access any API even if you use another store or direct download. E.g. a game would require me to allow it to use phone functions.
I also think that continual updates don't help much. The average user does just want a machine that they can use to browse the internet, type the odd letter, and so on. Continually pushing new versions of this and that gets them into the habit of updating and installing stuff they don't understand. It might be better to encourage these people to take their machine in for a regular service to someone who knows what they are doing, same as a car.
I'm sorry, but that's a very bad idea. Even applications that are not susceptible to buffer overflows and other low level memory management related attacks are vulnerable to other kinds of attacks. If I would have a banking application on my mobile, I would like to make sure that it is up to date. Hey, maybe there is a bug in the SSL handling where they allow third party certs to be accepted.
The trick is to let the OS handle the updates, and make applications resistant against these updates. Again, with Android you get continuous messages that your application update won't harm your user data (and configuration, most of the time). That said, Android 2.1 has only been given auto-update functionality some time ago, and users need to activate it themselves. It would be a good idea to make that a access condition/setting as well for security relevant applications.
The problem with updates is that many people associate it with the (old) windows way of doing updates. Some kind of application specific updater (within the app itself or as a service/tray icon) indicates that there is an update. The user then has to go through X steps for the update to take place, shutting down all the required applications. Then the user may even be asked to do a restart, and should pray that the update went successfully. It's just so stupid if you have an operating system that does not even reliably let you manage your applications, it's just beyond belief.
AVG is past tense (Score:4, Insightful)
I don't give credence to anything AVG says, since I caught its version 9.0 product red-handed denying me the ability to format any of my disk drives so long as it was installed. It maintained continually open files/folders on every drive, such that Windows would refuse to allow formatting any of them, and not just the boot drive. I uninstalled it and never looked back. The day an AV product denies me the ability to use a fundamental feature of the operating system is the day that product gets the boot.