The Internet Storm Center has an insightful response to the statement, “There is nothing on my computer that a hacker would be interested in.” Let’s leave aside the question of your personal data for the moment. Just the fact that you’ve got a computer with an internet connection could prove very useful to someone who wants to cover their tracks or just add more power to their own distributed system.

Beware the unexpected attack vector – The Register (not that one)

Your enemy may not come at you from the direction you expect. Set up sentries around the beach, they’ll get you through the ocean. Set up a firewall, they’ll get you through web browsers. It’s mainly about computer/network security, but it has an interesting story explaining why there’s only one major newspaper in Los Angeles. (TL;DR: the LA Times bought up all the independent distributors and sabotaged their rivals’ deliveries.)

I’ve got to start reading BBspot more often. I wandered in there via Mozillazine and found this post about Microsoft’s new antispyware program removing Internet Explorer.

“It shows how powerful our AntiSpyware program is,” said Weatherbee. “Not only is it able to remove spyware from the system, but also the source of most spyware. Our competitors can’t match that.”

Ah, techie satire!

Last month I finally got around to installing antivirus software on the one Windows computer we have at home. While I’ve found Norton Anti-Virus has worked well on my system at work, I ended up choosing McAfee Internet Security Suite for two reasons: (1) unlike Symantec, they don’t use a product activation scheme, and (2) since McAfee bought Deersoft, purchasing a McAfee-related anti-spam product should help fund SpamAssassin development.

Big mistake.

Since installing McAfee, this computer has crashed at least once each time I’ve turned it on (usually with a McAfee dialog box visible). The privacy service adds another login prompt, whether you want it or not. It tends to pop up dialogs when you’re in the middle of, say, running ScanDisk to make sure the system survived the crash McAfee caused five minutes earlier. And, ridiculously, the software and virus definition update runs through Internet Explorer.

By this I don’t mean that it expects you to go to the website and download an installer. That would be inconvenient, but acceptable (since you could choose what web browser to use). No, it pops up a “Check for updates” dialog box which then opens Internet Explorer, goes through a set of redirects until it opens a pop-up that looks like a download manager (but is clearly done using HTML), and then downloads and installs the update.

Now forget any issues you might have with buggy rendering, feature parity, monopoly abuse, antitrust, etc. Just look at IE’s track record on security.

Why would you want a security system to rely on something so notoriously insecure?

Symantec has its own update program that calls out, checks for updates, downloads them and installs. You can run it manually, or you can set it to grab and install virus updates automatically. Nowhere in this whole process does Internet Explorer come into the picture – or if it does, it’s hidden away where the power user won’t see it and say “What the hell do they think they’re doing?”

My dad forwarded me an opinion piece from the eWeek newsletter called Idiocy Imperils the Web. Jim Rapoza argues that – especially by now – people should really have figured out not to click on unknown attachments. My favorite quote: “Most people figure out that if they keep grabbing the electric fence, they’ll get a shock every time.”

I’ve thought along these lines for several years now. [Update: Not anymore (see below)] Once the first two waves of high-profile email viruses hit, it was time for people to wise up. Instead we have a variation on the classic joke:

Three guys walk into a bar. You’d think the third one would have ducked.

Except it’s more like “Ten guys walk into a bar. You’d think the third, fourth, fifth…”

Although I’m also reminded of a quote from Jakob Nielsen’s “Alertbox” usability column from April 1996:

The fact that the Internet doubles every year implies that at any time half of the users will have been on the net for less than a year. In other words, we are doomed to have 50 percent novice users for the foreseeable future.

This has, of course, slowed down since 1996 – recent statistics show Internet growth in the US has dropped to 5% – but it seems very unlikely that newbies can account for all – or even most – of the virus spreaders.

Yes, the responsibility rests ultimately on the jerks who write these things – but they wouldn’t be able to get anywhere without the idiots who click on them.

Update March 2023: In the 20(!) years since I wrote this, I’ve come around to agree with Bruce Schneier’s remarks on the subject from 2011:

People get USB sticks all the time. The problem isn’t that people are idiots, that they should know that a USB stick found on the street is automatically bad and a USB stick given away at a trade show is automatically good. The problem is that the OS trusts random USB sticks. The problem is that the OS will automatically run a program that can install malware from a USB stick. The problem is that it isn’t safe to plug a USB stick into a computer. (emphasis added)

Yes, people absolutely need to be careful with storage they plug in, with files they download, with apps they install. Of course they do. But that only gets you so far. In addition to unintended security vulnerabilities, the software and hardware makers need to do better at not building glaring holes like auto-running malware.

I mean, just yesterday the YouTube channel for Linus Tech Tips — a channel that’s all about the tech — was taken over through malware that installed itself from a malicious PDF file and collected the session tokens from the computer’s web browsers, enabling the hackers to clone their login session and replace the channel with one promoting cryptocurrency. If YouTube — owned by Google, one of the biggest tech companies in the world — had flagged the IP-hopping or region-hopping of the login session, it could have at the very least thrown up some roadblocks.

(The number of things I just typed that wouldn’t have made any sense back in 2003…)

Admittedly, it’s hard to blame Microsoft or Google for exploding USB sticks, but I certainly wouldn’t blame the victim for it either.
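
The kind of check suggested above for the hijacked login session, flagging a session token that turns up from a second region or network while it is still in use, sketched as an added example (not code from the original post, and not how YouTube or Google actually handle sessions). The event format, the one-hour window and the /24 grouping are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample events: (ISO time, session id, client IP, GeoIP country).
# IPs are from documentation ranges; the country codes are illustrative.
EVENTS = [
    ("2023-03-23T09:00:00", "sess-A", "192.0.2.10", "CA"),
    ("2023-03-23T09:00:00", "sess-C", "198.51.100.5", "US"),
    ("2023-03-23T09:05:00", "sess-B", "198.51.100.7", "US"),
    ("2023-03-23T09:20:00", "sess-A", "192.0.2.44", "CA"),      # same /24: fine
    ("2023-03-23T09:30:00", "sess-A", "203.0.113.9", "BR"),     # second country
    ("2023-03-23T09:40:00", "sess-B", "198.51.100.200", "US"),
    ("2023-03-23T09:41:00", "sess-A", "192.0.2.10", "CA"),      # owner still active
    ("2023-03-23T10:10:00", "sess-B", "203.0.113.77", "US"),    # second network
    ("2023-03-23T12:00:00", "sess-C", "203.0.113.150", "US"),   # hours later: fine
]

WINDOW = timedelta(hours=1)  # assumed threshold; tune per service


def net24(ip):
    """Collapse an IPv4 address to its /24 so ordinary DHCP churn is ignored."""
    return ip_network(f"{ip}/24", strict=False)


def find_session_hops(events, window=WINDOW):
    """Return (session, time, reason) for each request where a session is
    reused from another country or another /24 within `window` of prior use."""
    seen = {}    # session id -> [(time, network, country)] still inside the window
    alerts = []
    for ts, sid, ip, country in sorted(events):
        now = datetime.fromisoformat(ts)
        recent = [r for r in seen.get(sid, []) if now - r[0] <= window]
        if any(r[2] != country for r in recent):
            alerts.append((sid, ts, "region-hop"))
        elif any(r[1] != net24(ip) for r in recent):
            alerts.append((sid, ts, "ip-hop"))
        recent.append((now, net24(ip), country))
        seen[sid] = recent
    return alerts


if __name__ == "__main__":
    for alert in find_session_hops(EVENTS):
        print(alert)
```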
