20,000 Zombie PCs -- $3000
Saint Aardvark writes "From F-Secure blog comes these links to two USA Today articles on spamming. The first gives an example of how a grandmother ended up becoming a security expert after Comcast cut her connection for spamming. The second quotes spammers advertising networks of Zombie PCs for sale. The price? $3000 for 20,000 machines."
GTRacer
- Things to do
Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
How many % are running Microsoft Windows ?
Zombie Macs and Zombie Linux boxes are about as common as snowcones in hell, it would seem.
I, for one, welcome our new security grandmother overlord. All bow to thee.
I wonder how the processing power would compare to WETA's supercomputer cluster and their pricing. It would be slower to communicate data among the computers and ensure data quality, but I wonder how it compares.
Heather Hall can trace the start of her online banking nightmare to the day she received what she thought was a legitimate e-mail request from Bank of America asking her to click a link to a bank Web page. The 27-year-old health services worker typed in her login, password and account number. ...
Bank of America agreed to reimburse the money stolen from Hall's account, but only after she badgered them. "They wanted me to believe it was my fault," says Hall.
Yes, it's her fault. She did something foolish.
What is the percentage of OS broken down? Is it consistent with the OS spread, such as 90% Windows, 7% Linux, 3% Mac? Anybody know of a breakdown? What does everybody think it is?
Zombie victim Carty took matters into her own hands: She did research on how to clean up and protect her PC and diligently updates programs that scan her computer for various types of malicious code. Her PC now runs clean. "I had no clue at Christmas that I would become a security expert," she says.
So that's all it takes to be a security expert these days? No f'ing wonder there are so many security problems these days
Also, it lightens my heart and makes me feel all warm and fuzzy that it only took "as many as 70,000 pieces of mail" in a day to get Comcast to shut her down.
"When I pay my water bill, I expect my water to be drinkable out of the tap. Today, when you pay your Internet bill, the data you get is not consumable."
Not without some kind of sauce or dressing. Plain 1's and 0's taste like cardboard.
Last fall, a small Internet service provider asked cybersleuth Don Bowman to find out which of its 70,000 subscribers were broadcasting spam.
I didn't know that an ISP with >70,000 subscribers was considered small.
Let's buy a whole bunch of these zombified PCs, and launch a DDoS attack against the ISPs of known spammers! It may force some action, and I think it would be worth the cost.
That's unbelievable.... mine calls me all the time to say "my computer won't work". When I ask what was the last thing she did when she used it last, she says "well.... I turned it off". When I ask how, she says "by pulling the plug out, it won't shut down when I click shutdown". When I ask about that she says "well I click it.... and then nothing happens after for a while", then I'm told about how she pulls the plug after ten seconds.... Next time I'm there I turn it on and shut it down, takes about 30. These are the people who need to be banned from the internet.
Zombie victim Carty took matters into her own hands: She did research on how to clean up and protect her PC and diligently updates programs that scan her computer for various types of malicious code. Her PC now runs clean. "I had no clue at Christmas that I would become a security expert," she says.
It is quite sad that a person who just updates their computer and runs a virus scanner is now considered a "security expert."
I didn't realize the zombies of voodoo legend were online.
Telenor takes down 'massive' botnet (From the story, they didn't really take down the botnet, just rendered it headless for a little while.)
One line blog. I hear that they're called Twitters now.
I have to say, I don't understand how people get into so much trouble.
Maybe I've been lucky, but I've run a Windows XP system for about a year now (and a Windows 98SE system for about 2 years prior under the same conditions), doing the occasional patches from Windows Update, without a virus scanner or firewall. If I do something stupid that makes me suspect that I've contracted something, I'll drop over to http://housecall.antivirus.com/ and do a quick scan. This generally only happens when I'm trying to find a crack for something on a P2P network and the bastards have embedded a keystroke logger or some other little nasty in a trojan crack package.
Otherwise, I do an occasional glance-over at the list of processes running, and if my modem is lighting up like a Christmas tree I might fire up Sygate Personal Firewall or something just to see what's happening with the traffic, but I've never seen it give me real cause for concern. I still get some port traffic for the old Code Red worms and what not, but nothing that seems to have been really problematic.
As I said, maybe I'm just lucky. Then again, maybe I don't use Internet Explorer or Outlook Express, and maybe that helps a lot. Who knows.:-)
It's interesting that articles like this don't blame Microsoft. One wonders how Microsoft arranges that.
Very few people realise that deploying a cheap effective reverse firewall will save them from being unwitting spam zombies (kinda sounds like sex slaves don't it? It sure is as demeaning!).
Granny had the right ideas.
Home users, please note - a. You need a firewall
b. You need a reverse firewall
c. You need to dump IE and use Firefox
d. You need to try dumping windoze and move on - that puppy is probably crapping all over your machine.
--
See that long UID - that's what you get for lurking too long
Are these Scooby Doo type zombies? They aren't all that bad, it's just some guy with a mask. As long as it's not the new "Dawn of the Dead" uberzombies I think we'll all be ok, just walk around them.
Actually, according to my spammeter the amount of spam has been slightly declining over the past few months. I'm still at around 400/day level though...
...the ability to DoS SCO for the rest of the century...priceless.
There are some things money can't buy. For the rest, there's my Zombie Army of Evil.
adam b.
Why would a spammer want to deal with the increased complexity and labor involved in infecting and managing a heterogeneous zombie herd when it would increase its size by less than 10%? It's a waste of time and money.
Imagine a beowulf cluster of these :)
Instead of brain, they crave spam?
-Randy
Zombie victim Carty took matters into her own hands: She did research on how to clean up and protect her PC
So which distro is she running, then?
We have more to fear from the bungling of the incompetent than from the machinations of the wicked.
"It is quite sad that a person who just updates their computer and runs a virus scanner is now considered a 'security expert.'"
Just because she states "security expert" doesn't literally mean that she has in fact become a "security expert" and is now working for the NSA or something. It does, however, mean that she is much more cautious about security than your (or the average) SPAM-assisting mother/grandmother/dog/etc.
It's funny you should mention computer problems.
Whenever I view this it.slashdot.org site, everything on my screen is all washed-out.
Is this a symptom of being a zombie PC?
suwain_2
The first article states, Cyberintrusions traditionally have been the domain of socially inept males launching electronic attacks for fun and bragging rights...
Sorry maybe it's just me, but aren't nerds by definition socially inept. Let's be honest, it's the socially inept who keep the world running.
- a list of machines that need to be cleaned up
- a bank account or other information that can be used to track down the spammers/crackers
I guarantee $3k is cheaper than what it would actually cost taxpayers if the authorities did their job with normal investigative work. From the article:
"We have a large population that is easily tricked"
Yes we do. Especially into thinking posting on Slashdot makes you cool.
I'm no Trekkie (nor am I an accountant), but we are getting closer to BORG style control every day. Pretty soon, our cell phones will start giving us cancer. Oh wait....
Let's see...$3000 for 20,000 windows boxen works out to 15 cents per machine. Yeah boy, that's about what one is worth.
Thank you, Microsoft, you're helping to spawn new industries all over the place!
** Zombie Machines
** Anti-Virus Software
** Anti-Spam Software
** Anti-Spyware Software
And the best "industry" of all:
** Open Source Software
Thanks, Bill, we couldn't have done it without you...
I've done some of the overhyped generic end user PC support stuff this year, and I am appalled by the ignorance and lack of responsibility of the typical end luser running a mass-market computer.
Firewall? "Duuuh, why should I want that, it costs, duhhh." Anti-virus? "Oh, they wanted me to pay money to update it so I just shut it off." Popups? "Sometimes I click on them to make them go away."
Also: stupid asshole arrogant teenagers who decide that they're oh so fucking brilliant and decide to disable the AV or firewall, or who "repair" the computer by going in and ignorantly deleting system DLLs, are also my pocketbook's friends.
Ownership and online use of an internet-connected PC should require a license. Just like ham radio, driving a car, or connecting a house to the public sewer. Really.
what a big ... mailbox you have.
I mean, with all the taxes I'm paying for all those federal agencies including local police departments, how come nobody is even trying to track these people down? Spamming is illegal, right? And hijacking computers is most likely not exactly something the average computer user would want to be exposed to? So, how come we all have to set up a friggin' fortress including the proverbial moat in order to keep one's computer clean? Another example of how inefficient those federal agencies are out there. And the companies who are condoning all this spam and pertinent IP traffic are not exactly innocent either. All this is really disgusting; if I wasn't a software engineer, I would probably just pull the plug and start reading books. Sorry for letting off steam here, but I just get disgusted reading articles like this...
Does anybody make a cheap, simple software (or better, standalone) reverse firewall that would be handy for deploying on the networks of friends and family? It's all well and good for you, the least likely type of person to be zombied in the first place, to be reverse firewalled, but it is much more effective when placed where trouble is more likely to occur.
Just start monitoring for bursts of spam from their clients, and simply *pick up the phone* and *call them.* "Sir, we've detected mass spam coming from your connection. Please clean up your computer. You have one week."
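One way an ISP could do that monitoring, as an added example that is not from the thread: flag any subscriber address that opens many outbound port-25 connections to many distinct mail servers inside a short window, which is the pattern of a zombie fanning mail out to MX hosts rather than a PC sending through the ISP relay. The flow-log format, the addresses and the thresholds are all constructed for this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Flow is one outbound connection record of the kind an ISP can export
// from its edge routers. The text format used here is constructed.
type Flow struct {
	When     time.Time
	Src, Dst string
	Dport    int
}

// ParseFlows reads lines like
//   2004-07-08T10:00:01Z src=10.0.5.17 dst=mx001.example.net dport=25
// and silently skips anything that does not match that shape.
func ParseFlows(log string) []Flow {
	var flows []Flow
	for _, line := range strings.Split(log, "\n") {
		var tsRaw string
		var fl Flow
		n, _ := fmt.Sscanf(line, "%s src=%s dst=%s dport=%d", &tsRaw, &fl.Src, &fl.Dst, &fl.Dport)
		ts, err := time.Parse(time.RFC3339, tsRaw)
		if n != 4 || err != nil {
			continue
		}
		fl.When = ts
		flows = append(flows, fl)
	}
	return flows
}

// SpamBursts returns, sorted, every subscriber address that opened at least
// minConns outbound SMTP connections to at least minHosts distinct mail
// servers within some window of the given length. A home PC sending mail
// normally talks to one relay; a spam zombie fans out to hundreds of MXes.
func SpamBursts(flows []Flow, window time.Duration, minConns, minHosts int) []string {
	bySrc := map[string][]Flow{}
	for _, f := range flows {
		if f.Dport == 25 {
			bySrc[f.Src] = append(bySrc[f.Src], f)
		}
	}
	var flagged []string
	for src, fs := range bySrc {
		sort.Slice(fs, func(i, j int) bool { return fs[i].When.Before(fs[j].When) })
		hosts := map[string]int{} // distinct destinations inside the current window
		start := 0
		for end := range fs {
			hosts[fs[end].Dst]++
			// Advance the window start until the window spans at most `window`.
			for fs[end].When.Sub(fs[start].When) > window {
				hosts[fs[start].Dst]--
				if hosts[fs[start].Dst] == 0 {
					delete(hosts, fs[start].Dst)
				}
				start++
			}
			if end-start+1 >= minConns && len(hosts) >= minHosts {
				flagged = append(flagged, src)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged
}

// SampleLog builds a constructed log: one subscriber hitting 300 different
// mail servers in ten minutes, and one sending five messages via the ISP relay.
func SampleLog() string {
	var b strings.Builder
	t0 := time.Date(2004, 7, 8, 10, 0, 0, 0, time.UTC)
	for i := 0; i < 300; i++ {
		fmt.Fprintf(&b, "%s src=10.0.5.17 dst=mx%03d.example.net dport=25\n",
			t0.Add(time.Duration(i)*2*time.Second).Format(time.RFC3339), i)
	}
	for i := 0; i < 5; i++ {
		fmt.Fprintf(&b, "%s src=10.0.5.18 dst=relay.isp.example dport=25\n",
			t0.Add(time.Duration(i)*10*time.Minute).Format(time.RFC3339))
	}
	return b.String()
}

func main() {
	flows := ParseFlows(SampleLog())
	// Only 10.0.5.17 is flagged; the relay user never reaches 50 distinct hosts.
	fmt.Println("subscribers to call:", SpamBursts(flows, 10*time.Minute, 100, 50))
}
```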
"People" using "unnecessary" quotes should be "shot".
- The perpetrator (a spammer) is almost universally hated.
- Spammers do real damage.
- They are doing this damage for a pure profit motive.
- They are operating out in the open, making for an easy arrest.
So why are these bozos still in business?
===== Murphy's Law is recursive. =====
In Soviet Russia, zombie PCs own you!
We get Linux boxes in labs we don't manage hacked all the time. They usually aren't used for SPAM, they are instead used for warez, eggdrops or shells, but they get hacked all the same. Reason is the same too: someone fails to patch their system, and it gets exploited.
Linux needs patching as well because OSS is not immune to security holes. SSH, BIND and even PNG are three off the top of my head that have had security problems in the past. If you run a Linux box that has an SSH server, and you don't patch it when an SSH vulnerability comes out, someone WILL hack it.
MS, AOL, Yahoo, and the other majors ISPs actually sell spamming service to the large spammers. In particular, MS, AOL, and Yahoo will sell your address (those that do not belong to them), and will provide IP's and bandwidth for the spammers. Sometime ago, I was at a major bandwidth provider who worked closely with MS (it was not widely known at the time, but it is now) when a spammer approached the VP. He was upset that MS was going to change the agreement and charge 5 million a month (rather than 1 million a month). So who was the spammer? It was none other than the guy from Denver (ATM, I forget his name) who was turned over to the feds for spamming by MS.
"Consumers should demand what they do of other utilities," says Kip McClanahan, CEO of security firm Tipping Point. "When I pay my water bill, I expect my water to be drinkable out of the tap. Today, when you pay your Internet bill, the data you get is not consumable."
how is it my ISP's fault if i am too stupid to secure my own system? it is quotes like this that pass the buck from the end-user/consumer. hey, if you want to drive a car, you need a license. want an internet connection over 56k? make people pass some sort of security review or test.
(yes, save your breath, i know ISPs can do things to reduce the problems, but it's not their fault in the end that these machines are messed up.)
It just means that spammer will be out of $3000.
It's not like you can call the cops to tell them someone stole your weed... Err... Spam...
Although, criminals have been known to do that when they get ripped off.
I'm sorry, but calling that woman a Security Expert is wrong. She discovered the hard way that not being aware of security was a mistake but all that makes her is a security-aware user. Of course, that implies most computer owners aren't.
10,000 Homo DJ's - $14.99
If spammers are scammers, can you really expect good value for your money?
I fully expect follow-up news stories on how someone who wanted to open a business online fell for a mass marketing scam, paying spammers thousands of dollars only to see the spammers vanish in thin air with their money.
When I was in Beijing in 2002, I had someone comment that I must be a computer expert, because I used a command line.
Fight Spammers!
"There's a sucker born every minute."
"This way to the egress ----->"
excuse me, I have much grifting to do.
music lover since 1969
I mean, it's like "I transfer you 3 grand and then you mail me a password to a controller server", or something like that ? I guess you have to be mighty sure of the delivery of the goods to enter in such deals.
Rome taught me patience and assiduous application to detail. Virtues which temper the boldness of great, general views.
SPAM is dying.
from the article:
Zombie victim Carty took matters into her own hands: She did research on how to clean up and protect her PC and diligently updates programs that scan her computer for various types of malicious code. Her PC now runs clean. "I had no clue at Christmas that I would become a security expert," she says.
Umm, riight. Anyone who downloads Ad-Aware and turns on their firewall is a security expert now? Shit, my networking prof must be a god damn deity then.
The "Insert Quote Here" line is almost as predictable as inserting an actual quote.
Fight Spammers!
Why ask for what people will give you for free?
It would be a bit alarming to see if your own computer is in the list. Should be enough of an epiphany for some to actually do something about their personal computer security.
w3 0wn y00r pc & w1ll r3nt 1t b@ck t0 y00
A feeling of having made the same mistake before: Deja Foobar
So running windows update and a firewall makes you a security expert? Can I put that on my resume?
Ardente veritate incendite tenebras mundi
From the USA Today article: Are hackers using your PC to spew spam and steal?
"Consumers should demand what they do of other utilities," says Kip McClanahan, CEO of security firm Tipping Point. "When I pay my water bill, I expect my water to be drinkable out of the tap. Today, when you pay your Internet bill, the data you get is not consumable."
Huh? Where does this guy live that he gets consumable water out of his tap? Mine tastes like a dirty swimming pool.
I don't drink the water out of my tap; it goes through a filter before it goes in my body. I also don't open the gas line and hold a match to it; it goes through a burner in a carefully crafted device. And I don't have bare wires lying around carrying electricity; they are all installed in receptacles to keep me from electrocuting me and my guests.
I certainly can't sue the gas company if my faulty furnace causes my house to burn down (well, who knows these days, I probably could but it'd be wrong). And blaming the electric company for pushing too many electrons through my heart when I tried to pry some bread out of my toaster with a butter knife isn't right either. If you're daring enough to consume the water out of the tap you are probably ignorant of its contents: heavy metals, pesticides, chlorine variants, sometimes fluoride, and who knows what else.
So why should I blame my ISP for giving me data from the Internet? That's what I'm paying for and it is exactly what I want. As long as the signal levels are right for my modem and the information is IPv4 they are doing no wrong by me.
The burden of protection lies within the devices and software connected to the net. The consumer shouldn't have to give this any more thought than what they give their car about changing its oil. So who does the average consumer have to blame? You guessed it! I'm not even going to say it.
The article states:
Over the past eight months, USA TODAY interviewed more than 100 tech-industry executives, consultants, analysts, regulators and security experts who say top-tier code writers now create malicious programs mainly to amass networks of zombie PCs. They then sell access to zombie networks to spammers, blackmailers and identity thieves who orchestrate fraudulent for-profit schemes.
Why don't our top-tier coders have jobs?
I've never heard of a reverse firewall. Is that something that only lets in people trying to break into the computer and blocks legitimate requests?
A firewall is a device that controls access between you and the outside world. Whether it's blocking incoming or outgoing traffic or both there's no need to "reverse" it.
AccountKiller
Oi! If you're going to be selling my PC without my permission, I demand a cut.
Does anyone else wonder where MessageLabs gets their statistics? I can't help but wonder at their methodology (though I suspect rectal extraction). I get daily reports on SpamAssassin and my configured DNS block lists for the servers I manage. Their spam traffic doesn't start to approach 95% of inbound messages. After eliminating all internal email from the statistics, SpamAssassin flags about 20% of incoming email as suspicious and SpamHaus blocks another 10% or so. These are not confidential, hard-to-find addresses. These are university servers where staff and faculty are required to have valid email addresses posted on the department web pages. Any spider worth a damn should have harvested them long ago. I find it very hard to believe that this environment is getting 60% less spam than systems that don't provide a directory of valid addresses.
Spam is a problem, but it's time journalists (online and otherwise) start taking stats with a grain of salt. Too many organizations are willing to publish questionable numbers in an attempt to sound like they have thoroughly researched the issue.
Or in the MessageLabs case, to sell a product that will 'solve' the problem.
yeah, she did do something foolish... I don't care how realistic the email or web page looked. If people are going to use the Internet for banking and business they should learn about the threats that are out there.
I resent deeply our overlords at the banks reimbursing this woman or anyone, in fact since we all end up paying for this craziness with higher banking fees.
We really end up paying twice as well - first for the money that was obtained by the criminal and again by the bank's giving more money to the victims.
It's as bad or worse than the early to mid eighties where banks would just pay hackers hundreds of thousands of dollars or more when they were successfully hacked to avoid the unwanted publicity.
"Sir, we've detected mass spam coming from your connection. Please clean up your computer. You have one week."
"Sir, we've detected mass spam coming from your connection. Please clean up your computer. If you do not believe that you are capable of doing it we can send you a free booklet, or failing that, send out a nerd to do it for you. Oh, and we'll send you a Knoppix CD."
Yes, it would be expensive, but if ISP's get a reputation for cutting people off because someone else took over their PC's and they were unable to fix it, that ISP will be going out of business, particularly if someone else does start offering to help people deal with the problem. I mean, what would it cost to send out a CD with all the windows security updates, Zonealarm, AVG & AdAware on it? a few pence? Less than it would cost them to refund for the time cut off, compensation for the inconvenience & the loss of income when the customer cancels?
FGD 135
Sorry, I didn't get a chance to read your message in its entirety, but I did catch the last two lines.
:)
So, uhh, there you go!
Using simple tools, I have watched the inbound connection attempts made to my personal computer. Many of these attempt simple http style requests on unregistered ports. The requests are in the form: ttp://www.helllllabs.com/cgi-bin/found_one.cgi or something like that.
Going to the website, I find its one that sells proxies of some form. Gee.
Now this seems like they are signing their own name to their evil deeds. Could this mean anything other than this company is scanning for proxies and registering them using their own website?
Considering these very same computers are probably overloaded with spyware/adware to a point of being nearly non-functional, the power available here is probably not worth the price...
And let's not talk about dialup and downtime either, as most of these machines are probably off/disconnected at night, etc...
She did research on how to clean up and protect her PC and diligently updates programs that scan her computer for various types of malicious code. Her PC now runs clean. "I had no clue at Christmas that I would become a security expert," she says.
Wow! This makes me some sort of God since in addition to her security practices I have NAT and two software firewalls. Admittedly one of the firewalls is Norton Internet Security, so really I only have one software firewall, Zone Alarm.
What the hell do you mean my Karma is fuc*in' negative?
...the money was removed from the bank due to a criminal act.
Sure, if the criminals walked into the bank and robbed it, if they directly hacked the bank's computers or caused a fraudulent transfer, then the bank was robbed. This is entirely different...
so you are saying that if the lady was convinced to withdraw money herself and then give it to the criminals for some sort of Nigerian scam or other bad business that the bank should still reimburse her for the "criminal act"???
what if she were robbed while taking money from an ATM??? Forced to withdraw money by criminals after an abduction or a house invasion???
I still resent having to pay higher fees to the bank because some people just toss bank pin numbers out over the Internet whenever they get an email... such sheep deserve what they get.
The security of my bank account is not based on secret codes or passwords or account numbers or any other blamed thing.
Every check you write contains the account number and the routing number and everything else needed to withdraw money from that account. If somebody creates a fake check using that info, and withdraws money from my account, then that is in no way my fault and I'm entitled to reimbursement of those funds.
Likewise, somebody doing the same thing electronically is not my fault either. There is nothing essentially different in the transaction. Fraud is fraud.
Bank accounts have never been based on secrets. It might not be smart for me to give out my account number to everybody, but it's something I do every time I write a check or use a debit card or use one of several forms of payment. I *must* give my account number to somebody I want to pay from my bank account.
Is this a flaw in the system itself? Yes, absolutely. But until everybody moves towards public/private key authentication and so forth, it's just the way things are.
The public-private key method is the only solution to this sort of thing that I'm aware of. To "write a check" or make a payment of any sort, I form a message that essentially says 'Pay so much to this person, using this transaction number, on this date' and encrypt it using my private key. Then I give it to that person. They give it to their bank. Their bank gets my public key from my bank (it's a public key, they can give it to anybody who asks for it), verifies the message is valid (since it's signed by my private key, my public key can decrypt it and it validates itself that way), and does the transaction. My bank also verifies the same message before releasing the cash from my account. Unforgeable money transfer accomplished.
Sounds great? It's a long way off. What's needed is:
-Every account holder to have a public/private keypair.
-Banks have the public key, people have the private key on some sort of device.
-Device allows transfers of cash from one person to another, probably by simply plugging in a key or wirelessly or whatever. You can think of a thousand ways to do this.
-Banks need a protocol to transfer public keys around, and all have to agree to some form of standard.
-Etc, etc, ad infinitum. It gets more complex the more you think about it. If you assume that the electronic cash transfer happens in real time (eliminating "float"), then it's actually slightly easier. If not, then you get the concept of people transferring funds that was just transferred to them before telling the bank about it, and it gets hella complicated. But it's all doable with the crypto, it's just complex.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
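The payment scheme this post sketches, worked through as an added example that is not part of the thread: the account holder's device signs a "pay this much to this person, transaction number, date" message with an Ed25519 private key, a bank looks up the holder's public key and verifies the signature, and the payer's bank additionally refuses any transaction number it has already honoured, which is the replay problem the post calls "float". The field names, the JSON encoding and the in-memory key directory standing in for the inter-bank key exchange are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// PaymentOrder is the message the post describes. Nothing in it is secret:
// like a paper check, it carries the account identifiers in the clear.
// Field names are assumptions made for this example.
type PaymentOrder struct {
	Payer string `json:"payer"`
	Payee string `json:"payee"`
	Cents int64  `json:"cents"`
	TxnID string `json:"txn_id"`
	Date  string `json:"date"`
}

// SignedOrder carries the order together with the payer's Ed25519 signature.
type SignedOrder struct {
	Order PaymentOrder
	Sig   []byte
}

// Bank holds the public keys of its account holders (the private key never
// leaves the holder's device) and the transaction IDs it has already paid.
type Bank struct {
	PubKeys map[string]ed25519.PublicKey
	Seen    map[string]bool
}

func NewBank() *Bank {
	return &Bank{PubKeys: map[string]ed25519.PublicKey{}, Seen: map[string]bool{}}
}

// canonical returns the exact bytes that are signed and later verified;
// json.Marshal of a struct emits fields in declaration order, so it is stable.
func canonical(o PaymentOrder) ([]byte, error) { return json.Marshal(o) }

// Sign is what the account holder's device does: form the order and sign it.
func Sign(priv ed25519.PrivateKey, o PaymentOrder) (SignedOrder, error) {
	msg, err := canonical(o)
	if err != nil {
		return SignedOrder{}, err
	}
	return SignedOrder{Order: o, Sig: ed25519.Sign(priv, msg)}, nil
}

// Verify is what either bank does on receipt. The payee's bank would fetch
// the payer's public key from the payer's bank; here it is in PubKeys. Only
// the payer's bank (payerBank == true) tracks spent transaction IDs, because
// it is the one releasing the cash.
func (b *Bank) Verify(s SignedOrder, payerBank bool) error {
	pub, ok := b.PubKeys[s.Order.Payer]
	if !ok {
		return errors.New("unknown payer")
	}
	msg, err := canonical(s.Order)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, s.Sig) {
		return errors.New("bad signature: order forged or altered")
	}
	if payerBank {
		if b.Seen[s.Order.TxnID] {
			return errors.New("replay: transaction already paid")
		}
		b.Seen[s.Order.TxnID] = true
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	bank := NewBank()
	bank.PubKeys["alice"] = pub
	order := PaymentOrder{Payer: "alice", Payee: "bob", Cents: 4200, TxnID: "T-1001", Date: "2004-07-08"}
	signed, _ := Sign(priv, order)
	fmt.Println("genuine: ", bank.Verify(signed, true)) // <nil>
	fmt.Println("replayed:", bank.Verify(signed, true)) // replay error
	forged := signed
	forged.Order.Cents = 999999 // change the amount but keep the old signature
	fmt.Println("altered: ", bank.Verify(forged, true)) // bad signature
}
```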
As they say "you can't cheat an honest man". You pay your 3k, get nothing, then who are you going to complain to?
Engineering is the art of compromise.
That is a leading question that seems typical of a smug Linux zealot. A better question would be, 'What is the ratio of zombied Linux boxes in proportion to its total installed user base?' Since most people use Windows, it follows that most of the zombie boxes should be Windows boxes.
Even that isn't totally informing, as how many of those people who run Windows would be less vulnerable if they ran Linux? Most of the problem isn't the OS, but the lack of understanding of how a computer works. If you aren't a skilled admin, you are going to get haxxored regardless of the OS.
I think Linux is a superior idea and platform, but win the argument with sound logic, not snide comments.
HA! I just wasted some of your bandwidth with a frivolous sig!
Buy all these PCs, and force them to run adaware/spybot weekly. Might be more constructive, mind you some 'victims' will never learn to be more careful.
Why are there no companies writing such 'vaccines', patching vulnerable systems? Some might complain and say some patches make people's systems behave strangely in some apps, but is the spyware any better or more trustworthy? Think of it as a voluntary virus. "Click OK to vaccinate your PC".
Makes me wonder, do these guys read the articles then draft these emails based on them, or write the emails then publish articles to make people's minds more malleable?
"Consumers should demand what they do of other utilities," says Kip McClanahan, CEO of security firm Tipping Point. "When I pay my water bill, I expect my water to be drinkable out of the tap. Today, when you pay your Internet bill, the data you get is not consumable."
I only partially agree with this. What should happen is they should sell me access, and I should be able to waive their protections under the promise that I provide my own. I want to run my low-traffic web and email servers from my connection. Most people don't need to. I will take the extra work of securing them in return for being allowed to use them.
A blanket stop of much of this is all but impossible, though.
Even closer to the mark, if I use my ATM card to pay for a product and that product later turns out to not work as advertised, that's a crime (at least in the state of California, where I live). We have "lemon laws" that say that products we buy should perform as advertised. I deserve my money back. But even though the company that sold me the product deducted the money directly from my account, it defrauded me -- not the bank. Why should the bank be held liable? Because I failed to investigate the seller and/or the product beforehand? Because I failed to file a civil suit against the party that defrauded me?
"Give people an inch and they'll take a mile" is the phrase that comes to mind here. Bank of America did the right thing by ol' grandma in this case. They didn't have to, so let's applaud them for it.
Breakfast served all day!
Oh! I remember. He's in Lord of the Rings. King of um, somewhere, right? I don't remember him decapitating anyone though.
Freedom: "I won't!"
Basically the Undead could have rights too, I suppose.
"Forgive us our trespasses, as we forgive those who trespass against us." -Jesus Christ The Lord's Prayer
A bank that loses money to a criminal act that refuses to reimburse its customers might well lose its status as a bank.
It didn't "lose" her money. It followed the proper security procedures involving the use of a login name, password, and bank account number.
They took from her, without her permission, money from her bank account.
That's the key: "They took from her." They didn't steal from the bank. There wasn't negligence on the part of the bank. The bank didn't leak her account number, login name, or password. She did. She fell for a scam through no apparent fault of the bank. And now we all pay for it in the form of higher fees, lower savings account interest, etc.
Suppose she was duped into giving her house key to some burglar posing as someone from a carpet cleaning service. Should the mortgage company have to pay when the burglar steals her stuff? Should the home builder? Should the maker of her door lock? Of course not. So why do we treat physical keys so differently than virtual keys (login credentials)? You'd never suggest that anyone but the homeowner was responsible for the loss if they gave their house key to some con artist. So why is the bank responsible when the customer gives away the "keys" to their bank account?
I'm not sure how this is appeasement. Please notice that #2 above is all about throwing someone in jail.
Now, these zombied computers have been vandalized, and hence are the victims of criminal activity (IANAL, etc). This seems to be further indication of the formation of spamming networks controlled by organized crime. One wonders given the parallels between these activities and advertising for porn whether human trafficking is involved too, which could implicate large international crime rings.
I suspect that the close link between certain types of spyware and certain porn sites may also mean that other forms of online advertising such as popup ads are likely to move into this black market.
LedgerSMB: Open source Accounting/ERP
Grandma does not have to become a computer security expert. All she needs is a Macintosh.
Friends don't let elderly friends drive Windows on the Internet.
That is so true... thought I had security pretty tight on my Cobalt Qube running Linux... then my ISP called me up telling me I'd already used 30G upload and download for the month after two weeks... I normally have like 400MB for a month on my little family server. The spammers were using the Squid vulnerability to make my box a zombie remailer. Had to slap greatly increased security onto my firewall! They never logged in to my box at all - simply routed their filthy spam through my open port. From all the hits I got googling my issue, I'd say this is way too common... this is one case where Linux is easier to abuse than Windows!
One indication of the going rate for zombie PCs comes from a June 11 posting on SpecialHam.com, an electronic forum for spammers.
And you guys didn't put that link in the main Slashdot article?!?!?! Oh come on! If there's a site that deserves to be slashdotted, that one must be it.
-S
--- What parts of "shall make no law", "shall not be infringed", and "shall not be violated" don't you understand?
No. It didn't follow the proper security procedures. It followed its choice of security procedures. The success of this kind of phishing scam is evidence that those security procedures are not proper; they're inadequate because they're so easily defeated with a bit of social engineering. The bank needs to design a better security system, one that uses a time-dependent smart card, for instance, so that phishing doesn't work.
There's no point in questioning authority if you aren't going to listen to the answers.
From the article:
----------
Heather Hall can trace the start of her online banking nightmare to the day she received what she thought was a legitimate e-mail request from Bank of America asking her to click a link to a bank Web page. The 27-year-old health services worker typed in her login, password and account number.
[deletia]
Bank of America agreed to reimburse the money stolen from Hall's account, but only after she badgered them. "They wanted me to believe it was my fault," says Hall.
----------
Gee, I hate to break it to you, sweetheart, but it WAS your fault. YOU were the gullible one who clicked on the wrong link and gave thieves your username, password and account number!
As long as her attitude is prevalent among the majority, the problem of malware will never go away. Not only are these people completely oblivious to the dangers waiting to snare people using Windows PCs, even when something bad befalls them they just flat out refuse to believe it was their fault.
~Philly
If you all want this stuff stopped, contact your local Attorney General and demand they start prosecuting these cases. The Feds can't do anything if the AGs won't prosecute. Call your AG and tell him you'll make sure he isn't re-elected if he doesn't start prosecuting people for computer tampering.
I see no way that the spammers can argue their way out of this. If they're selling the use of other people's hardware and connections, for thousands of dollars, that's got to be theft of services, and they can't argue away the value of the services they're stealing.
It's long past time for a DA or two to start throwing some of these assholes in the clink.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Seems to me this is off the mark, and it typifies what is wrong with our telecom-oriented providers, as they too believe this all too often.
The provider provides a connection. He does not provide content. ISDN was a gigantic failure because telcos thought they had to provide content, rather than just a reliable connection.
If I want content, I will buy an AOL subscription. Otherwise, what I expect is not clean water but a reliable liquid movement mechanism. You don't call it a pipe for nothing. The liquid that comes out will be determined by me, not by the provider of pipes!
MW
---
BDOS ERR ON A:>
Oh if I had mod points, my friend, you would be more karma-ful than you are right now. I couldn't agree more. At least she did something about it, instead of sitting ignoring it, hoping it gets better, unlike the other 20,000 plus people mentioned.
What he can't kill, he has sex on. Trent.
Regardless of how heavily you armor plate the bank, or the merchant devices, or the internet or the home users' PCs, it always comes down to a matter of trust. At some point, the user is required to trust that the entity they're dealing with is legitimate, and the retailer and the banks are required to trust the user they're dealing with is legitimate. Those points of trust are the weak points the attackers will always aim for, and they're the precise targets of the phishers.
I believe that's why we haven't seen the adoption of a system like you mentioned. Visa could mandate such a setup, but that would cost them billions of dollars (educated guess). If they did it, and the bad guys continued to fool the Heather Halls of the world via phishing scams, then Visa will have wasted those billions. I imagine Visa knows exactly how much they lose in fraud, and how much it would cost them to implement a secure system, but I'm not sure they know how effective such a system would be against all the varieties of spoofing attacks. I do know that if the payback were there now Visa would start rolling it out tomorrow.
Public key cryptography certainly raises the difficulty bar for committing fraud, but nothing will raise it so high that bad guys won't still figure out a way to run around the side.
John
I really don't want the SS breaking down my door and seizing all the computers (and then I have to sue the state and wait a few years to get my stuff back maybe) because some clerk at HQ typed in the wrong address.
Unlimited growth == Cancer.
Computer Tampering is a felony. In some cases the penalty could even be interpreted under the Patriot Act to be an act of "terrorism" (disrupting commerce and national security services) and punishable by death! Most states have sentences of up to 3 years in prison for each instance of installing a zombie on a PC.
You can see details here on each state's laws and then we also have a plethora of federal laws that these guys are breaking.
These are all serious, criminal violations.
As I said in another post, you need to contact your Attorney General and encourage them to prosecute. The FBI collects information, but they're at the mercy of the Federal and State Attorneys to prosecute the people who do this. As far as I know, they haven't gone after anyone.
It's just disgusting. This is a political issue. NOT a technological one. Our officials are not prosecuting the people who break the law!
Of the people outside of work I know, none use Linux. About 90% use Windows and 10% Macs, and most of my friends are designers. Of the two camps, I can't ever see any Windows users switching to Linux, while a large percentage will likely switch to Macs because of the iPod influence. Of the Mac users, perhaps one or two will eventually switch to Linux for political reasons but the majority will stay Mac users forever.
Anyone who has an e-mail address gets spam. It's an ugly fact of life in the modern age. Figure that, out of a pool of - say - 100 potentials, at least 10 of them have kids. Spammers are notorious about not checking the ages of the people who own the addresses that they spam - and they work very hard on ways to get around filters.
Leaving the parents aside for the moment, everyone in the hypothetical jury pool gets flooded with this crap, because everyone with an e-mail account does. Period. Plus, I've observed that the less tech-savvy a person is, the angrier they get about spam, because they don't know how to stem the tide. Now, imagine a spammer going up against even 12 of the most sane, rational, mentally well-balanced of his vict^H^H^H^Hpeers. True, a lot of people don't quite understand the tech stuff; but break it down into dollars and sense ("misspelling" intended), and you'll see lightbulbs going off overhead all through the jury box.
And that goes triple for the conservative old man. A guilty plea would be much safer, all around.
Doing my level best to piss off the religious right wing...
"in labs we don't manage"? The ones we do manage, Solaris, Linux, Windows, etc don't get hacked. We have a firewall, and then firewalls on the systems themselves, auto updating, etc. However, we do not manage all the labs, and those we don't get hacked frequently (Windows and Linux).
...and the mods call this troll attempt insightful...
MODS NEED TO STOP FEEDING THE DAMNED TROLLS, it's a fooking joke to the IT groups in the Midwest. Instead of providing help, true insight into securing a MS OS, Slashdot mods will bait and encourage the MS bashing, why??? Is there one MATURE reason to do this????
Didn't rtfa, but it seems like these guys are selling stolen bandwidth, stolen processing time, stolen electricity, etc. Can we please start charging malware, spyware, "anyware that does things w/o you knowing about it" makers with a crime!?
...was the one sending all of us those Vi4gr4 spam?
you do know it was the original pentium, not the pentium 3, that had the infamous division bug, right?
I know Zombified Humans tend to call out "Brains! Brains!"
Now does that mean that Zombified PC's call out "CPU Cycles! Need CPU Cycles!"?
or perhaps "Bandwidth! Need Bandwidth!"?
DEAD DEAD DEAD DELETE ME
If it hadn't already been published that the list was available (like it's still for sale now that it's public knowledge), this would be a perfect opportunity for Comcast etc. to reclaim some bandwidth. They could team with the FBI/Scotland Yard/Interpol (who would be very interested in such fraud) then buy the list with something traceable.
.sig?
If the deal is a scam, follow the money and bust the crook. If it's real, follow the money and bust the crook then clean up the zombies on your network.
Basically it's a no lose opportunity.
Psst... Hey buddy, can you spare a
I'm going to wait til I can get one second hand. It's bound to come down in price to something more like $1000.
meh
What does it mean when your DSL modem lights are freaking out, smoke is coming out of the back and the case is hot to the touch?
Pete Carr Owner Chatmag.com
The people responsible for Zombie PCs are the vendors who refuse to fix long-standing security flaws in their software. None of the big OS and application vendors should be let off scot-free, though of course Microsoft is the biggest problem... not only because they're the biggest target, but because of their practices (like shipping Windows with all services enabled and listening... whether behind a local firewall or not... and a browser that includes far too much dangerous functionality that should be moved to separate applications) that make them so easy to get into.
There are a few simple things that they could have done, and that all other vendors HAVE done (though Apple seems to want to undo some of them; the Safari protocol hole from earlier this year hasn't been fixed), that would make Windows inherently secure. But they won't, because it might cause a modest surge in problem reports as people have to explicitly turn on services and install plugins rather than have everything... safe or not... turned on and open by default.
Its procedures were completely, 100%, totally adequate. Had she followed them and not given out her login, password, and account number, not a penny would have been taken. How much information do you want? Here's the Bank of America web page on "phishing":
Broadband companies could do more to protect their users and the internet in general - here are a few suggestions:
1. Block outbound port 25 from residential users that OBVIOUSLY have compromised machines sending out hundreds or thousands of emails a day.
2. Provide cable/DSL modems with some NAT/Firewalling capability turned on by default. Tech savvy users will figure out how to forward ports or disable NAT if necessary.
3. Provide free trial anti-virus software with their configuration software.
4. During installation of supplied software, ask the user if they would like to turn on "automatic software updates".
These steps would go a long way to securing 90% of non-tech savvy people. Geeks could ignore all this and go about their business.
-ted
That's the key: "They took from her." They didn't steal from the bank. There wasn't negligence on the part of the bank. The bank didn't leak her account number, login name, or password. She did. She fell for a scam through no apparent fault of the bank. And now we all pay for it in the form of higher fees, lower savings account interest, etc.
Banks are legally responsible for securing the funds in your account, and for only giving those funds to authorized people. To do this, banks have a wide number of security choices available to them.
Banks have deliberately chosen a pretty flimsy set of security procedures, even though they are held financially liable. This is because the amount they lose due to fraud with existing systems (more often, due to insurance premiums to make someone else pay for fraud) is less than it would cost them to beef up security more (both in direct cost, and in lost customers who want an "easy" bank).
When a particular kind of fraud increases, the banks try to pick the cheapest and easiest way to curtail that specific kind of fraud. And then they stop, because they have no financial incentive to secure things any more than they already are.
Suppose she was duped into giving her house key to some burglar posing as someone from a carpet cleaning service. Should the mortgage company have to pay when the burglar steals her stuff? Should the home builder? Should the maker of her door lock?
No, because none of these people have contracted to secure her home. The closest is the maker of her door lock, and all they are contracted to do is make a door lock that can be used to assist in securing her home.
When you put money in a bank, you have a contract for them to secure your money, that's the difference.
----
Open mind, insert foot.
Senderbase provides monthly and daily counts on mail seen from particular IP addresses and thus is capable of spotting when something dramatically out of the (previously known) ordinary happens.
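An added example, not code from any poster, ISP or SenderBase: the per-host, per-day check behind suggestion 1 above (cut off residential hosts that are obviously sending hundreds or thousands of mails a day) and this post's point that a host is suspicious when it departs dramatically from its previously known ordinary. The tally format, hosts, counts and policy numbers are all constructed for the example; a host with no history is judged on the absolute floor alone, and a steadily high-volume host is not flagged for a modest rise.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

type DailyCount struct { // one day's tally of outbound mail connections from one host
	Day, Host string // Day is an ISO date, so plain string comparison orders days
	Count     int
}

// sampleCounts is a constructed "day host count" tally for a small residential
// segment: the per-IP, per-day counting the SenderBase post describes, invented here.
const sampleCounts = `2004-06-08 10.0.5.17 12
2004-06-09 10.0.5.17 9
2004-06-10 10.0.5.17 15
2004-06-11 10.0.5.17 4380
2004-06-11 10.0.5.18 1
2004-06-08 10.0.5.40 2900
2004-06-09 10.0.5.40 3100
2004-06-10 10.0.5.40 2800
2004-06-11 10.0.5.40 3300
2004-06-11 10.0.5.77 760`

// ParseCounts reads one "day host count" record per line.
func ParseCounts(text string) ([]DailyCount, error) {
	var out []DailyCount
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		n, err := strconv.Atoi(f[2])
		if err != nil {
			return nil, fmt.Errorf("bad count in %q: %v", line, err)
		}
		out = append(out, DailyCount{Day: f[0], Host: f[1], Count: n})
	}
	return out, nil
}

// Policy flags a host when its count for the day under review is at least
// Floor (the "hundreds or thousands a day" of suggestion 1) AND at least
// Factor times its median over earlier days (its "previously known ordinary").
type Policy struct {
	Floor  int
	Factor float64
}

// Flagged returns, sorted, the hosts whose count on day breaches the policy.
func Flagged(counts []DailyCount, day string, p Policy) []string {
	history := map[string][]int{}
	today := map[string]int{}
	for _, c := range counts {
		if c.Day == day {
			today[c.Host] = c.Count
		} else if c.Day < day {
			history[c.Host] = append(history[c.Host], c.Count)
		}
	}
	var out []string
	for host, n := range today {
		h := history[host] // no history: the floor alone decides
		if n >= p.Floor && (len(h) == 0 || float64(n) >= p.Factor*median(h)) {
			out = append(out, host)
		}
	}
	sort.Strings(out)
	return out
}

// median of a non-empty int slice, without disturbing the caller's order.
func median(xs []int) float64 {
	s := append([]int(nil), xs...)
	sort.Ints(s)
	m := len(s) / 2
	if len(s)%2 == 1 {
		return float64(s[m])
	}
	return float64(s[m-1]+s[m]) / 2
}

func main() {
	counts, _ := ParseCounts(sampleCounts)
	fmt.Println(Flagged(counts, "2004-06-11", Policy{Floor: 500, Factor: 10}))
}
```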
...when you are on the receiving end of a torrent of spam / virus email.
When someone complains to an ISP and the ISP finds out that the complaint is substantiated, they really have little choice but to do some sort of cutting off to prevent the ongoing attacks on other systems. In an ideal world the ISP would just block up the ports that were doing the sending, but maybe this isn't feasible.
...a firewall of some-sort.
If there's nothing stopping random incoming ports, to Windows boxes in particular, you're SOL no matter what else you've got going. These days viruses can saturate a population within a couple days, much faster than virus definitions can be distributed.
The public-private key method is the only solution to this sort of thing that I'm aware of. To "write a check" or make a payment of any sort, I form a message that essentially says 'Pay so much to this person, using this transaction number, on this date' and encrypt it using my private key. Then I give it to that person. They give it to their bank. Their bank gets my public key from my bank (it's a public key, they can give it to anybody who asks for it), verifies the message is valid (since it's signed by my private key, my public key can decrypt it and it validates itself that way), and does the transaction. My bank also verifies the same message before releasing the cash from my account. Unforgeable money transfer accomplished.
You weren't paying attention to the SHA/MD5 articles last week?
Most public/private key systems merely sign a hash of the message (apparently, signing is computationally *expensive* per byte compared to the current method). All the attacker has to do is intercept your payment authorization (pay X to Y), change a few bits so that the hash comes out the same and now it says to pay A to B.
Or, as the attacker, I could just as easily write a trojan to collect your personal financial details off of your hard drive, including private keys and pass phrases (key logging).
PK is, as Bruce S. put it, a 100' pole... it doesn't make a good security fence.
The only product idea that I've seen that looks fairly secure is a smart card in place of the bank card / credit card. It contains the secret key, and does the work of signing things, or you use it to generate on-the-fly PINs for entering on a web site.
The fundamental problem with the utility metaphor for the internet is that it is a two way connection. We do not pass our household water discharge into the same stream as the drinking water we get out of the tap (well, at least not directly :-). We do not feed gas into the pipe that arrives at our home nor do we pump electricity back into the grid.
In those remote circumstances when customers of utilities do feed back into the "system" there are legal or pricing constraints to control the quality of their inputs. It is this last point that is missed by the "utility model" advocates.
"The first thing to do when you find yourself in a hole is stop digging."
Is it just me or does the article mention absolutely nothing about this grandmother's security expertise?
From reading the opening where she is discussed it would imply that she is a typical ignorant user, yet the summary (/.) implies that she "became" a security "expert".
You weren't paying attention to the SHA/MD5 articles last week?
Most public/private key systems merely sign a hash of the message (apparently, signing is computationally *expensive* per byte compared to the current method). All the attacker has to do is intercept your payment authorization (pay X to Y), change a few bits so that the hash comes out the same and now it says to pay A to B.
Signing and encrypting are the same thing. In signing, I'm simply encrypting a hash of the message itself. Solution: Use a better hash, or just don't freakin worry about it since the SHA/MD5 crap last week still won't be enough to fake a small message along the lines of "Pay X to Y".
In order for your attack to work, the attacker would need to be able to create a message in the format of "Pay A to B" that produces a hash which is identical to "Pay X to Y". Not only that, but he'd have to be able to determine what B is in advance. Realize that he can't fake my signature, which is an encrypted hash of "Pay X to Y". Even if we assume that the message is really "Pay X to Y" and not some binary form of same, faking such a thing is still utterly impossible. Unless the message is long, you can't figure out a hash collision with any meaningful value. And if it's a small message, the odds of finding one go as close to zero as you can possibly get.
In other words, signatures are way safe for anything where you're not signing actual executable code or something with a little more range in which to produce your faked message.
The only product idea that I've seen that looks fairly secure is a smart card in place of the bank card / credit card. It contains the secret key, and does the work of signing things
How is this any different from what I proposed? Keep your private key on you, on the smart card. The key doesn't get output, instead a hash gets fed in and an encrypted hash comes back out. The smartcard does the processing. The public key is still stored at the bank.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
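The "pay so much to this person, using this transaction number, on this date" scheme proposed earlier in the thread, together with this reply's point that what gets signed is a hash of the exact message, as an added example that is not any poster's code. It uses Ed25519 (my choice for a compact runnable example; the thread talks about RSA), treats the transaction number as a replay guard on the bank side, and shows that an intercepted order with the payee or amount rewritten fails verification without the private key. Customer names, amounts and dates are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// PaymentOrder is the message: pay so much to this person, under this transaction number, on this date.
type PaymentOrder struct {
	Payer  string `json:"payer"`
	Payee  string `json:"payee"`
	Amount int64  `json:"amount_cents"`
	TxnNum uint64 `json:"txn"`
	Date   string `json:"date"`
}

// SignedOrder is the canonical encoding that was signed plus the signature.
// Ed25519 hashes the body internally, so this is "sign a hash of the message".
type SignedOrder struct {
	Body []byte
	Sig  []byte
}

// NewCustomerKey generates the key pair; the private half would live on the smart card.
func NewCustomerKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign encodes the order (struct field order is fixed, so the encoding is
// canonical and Marshal cannot fail here) and signs the exact bytes.
func Sign(priv ed25519.PrivateKey, o PaymentOrder) SignedOrder {
	body, _ := json.Marshal(o)
	return SignedOrder{Body: body, Sig: ed25519.Sign(priv, body)}
}

// Tamper models an interceptor rewriting a field (the "pay A to B" substitution) without the key.
func Tamper(s SignedOrder, from, to string) SignedOrder {
	return SignedOrder{Body: bytes.ReplaceAll(s.Body, []byte(from), []byte(to)), Sig: s.Sig}
}

// Bank holds enrolled customers' public keys and remembers every payer/transaction-number
// pair it has honoured, so a captured order cannot simply be presented a second time.
type Bank struct {
	pubs map[string]ed25519.PublicKey
	seen map[string]bool
}

func NewBank() *Bank {
	return &Bank{pubs: map[string]ed25519.PublicKey{}, seen: map[string]bool{}}
}

func (b *Bank) Enroll(customer string, pub ed25519.PublicKey) { b.pubs[customer] = pub }

// Honour is the bank-side check: known payer, valid signature over the exact
// bytes received, unused transaction number. Only then would money move.
func (b *Bank) Honour(s SignedOrder) (PaymentOrder, error) {
	var o PaymentOrder
	if err := json.Unmarshal(s.Body, &o); err != nil {
		return o, err
	}
	pub, ok := b.pubs[o.Payer]
	if !ok {
		return o, errors.New("unknown payer")
	}
	if !ed25519.Verify(pub, s.Body, s.Sig) {
		return o, errors.New("bad signature")
	}
	key := fmt.Sprintf("%s/%d", o.Payer, o.TxnNum)
	if b.seen[key] {
		return o, errors.New("replayed transaction number")
	}
	b.seen[key] = true
	return o, nil
}

func main() {
	pub, priv, _ := NewCustomerKey()
	bank := NewBank()
	bank.Enroll("alice", pub) // constructed customer and payee names
	signed := Sign(priv, PaymentOrder{Payer: "alice", Payee: "bob", Amount: 4200, TxnNum: 1, Date: "2004-07-08"})
	_, err1 := bank.Honour(signed)                           // nil: genuine order honoured
	_, err2 := bank.Honour(signed)                           // replayed transaction number
	_, err3 := bank.Honour(Tamper(signed, "bob", "mallory")) // bad signature
	fmt.Println(err1, err2, err3)
}
```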
Public key cryptography certainly raises the difficulty bar for committing fraud, but nothing will raise it so high that bad guys won't still figure out a way to run around the side.
A bit of advance thinking about this sort of thing will prevent this.
First, keep the private key in a device. Other poster suggests a smart card. I like that idea.
Phishing scam is worthless in this case. Unless they have her private key, they cannot authenticate to her *real* bank. No amount of them sending public keys or what not will change her private key. In order to get access, she has to give away her private key, and she *can't do that*, short of handing her smart card to somebody. And the smart card doesn't give out the key itself, it only signs data that you feed it. So even getting the card, duplicating it becomes a bit of a bitch.
Yes, any system can be hacked. But the most common ones can be eliminated. Public key crypto is not a magical cure all, and yes it can be worked around as well. But you can eliminate phishing scams using it, for certain. No amount of phishing will get somebody to reveal their secret private key when they don't even have the capability of doing so.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
Banks are legally responsible for securing the funds in your account, and for only giving those funds to authorized people.
No, banks are legally required to use due diligence to protect your funds. They can't be held legally liable for your losses if you write your PIN on your ATM card and leave it at the ATM.
To do this, banks have a wide number of security choices available to them.
There is nothing that the bank can do, short of requiring that you show up in person with photo ID for all transactions, to prevent a bad guy from getting your money if you give the bad guy your login credentials, account number, ATM card, RSA SecurID token, etc.
Banks have deliberately chosen a pretty flimsy set of security procedures, even though they are held financially liable.
Login names and passwords are considered adequate to secure most computer networks. Why is that suddenly "flimsy" when a bank does it?
Security is a cooperative venture. If I rent you a lockable storage facility for your valuables, it's not an indictment of my security procedures if you leave your keys hanging on a nail beside the door. Nor should I be liable for the loss of your valuables if you do that.
When you put money in a bank, you have a contract for them to secure your money, that's the difference.
Part of that contract is that you will comply with the security procedures. You won't give your login credentials out in response to unsolicited e-mails claiming to be from your bank. You won't write your PIN on your ATM card and then give it to some random stranger. You won't leave signed blank checks on park benches.
Login names and passwords are NOT considered secure.
pls post below this thread
What I'm saying is that there will be other attacks that aren't necessarily crypto based. Perhaps the bad guys will send "replacement" smart cards via U.S. Postal mail, with instructions to "dial 1-800-PHI-SHING to activate your new card", and get PIN information that way. Or maybe a corrupt insider at Verisign will sell his soul for a couple of million dollars and give up the master signing key for Visa International. Or any one of a dozen attacks I can't even imagine today.
That's what I meant by 'you can't raise the bar so high that the bad guys can't go around it.' I wasn't trying to shoot down the crypto portions, but rather point out that crypto is only a fraction of the defense. The human factors will remain the weakest links.
John
Login names and passwords are NOT considered secure.
Yes they are. I know, because I consider them secure and I have computer security expertise, having been a key player in getting a system through a C2 evaluation. The U.S. government considers user names and passwords a viable means of controlling access. If you disagree, explain why.
What I'm saying is that there will be other attacks that aren't necessarily crypto based.
Oh, I agree with that, but I can't think of any phishing attack that would work.
Your example of sending a new card to the person is no good, because you still don't gain access to their old private key which matches the bank's public key. Forget gaining access to a PIN, the mechanism I described needs no PINs at all, it's wholly key based.
See, I have a private key, the bank, or the whole world for that matter, has my public key. By me making a message using my private key, anybody with my public key can read the message and know that I wrote it. Mainly, my bank can read the message and know that I said to give some cash to somebody from my account. You can conjure up any phishing scam you like, but unless you get a copy of my private key, you can't withdraw one dime from my account, because my bank won't give it to you unless they can verify that I said to do so.
There are other insecurities, but I was just thought-designing a way to verify, to my bank, when and who to give money to. Public-key encryption makes that pretty straightforward to do, really, and the math makes it extremely difficult to crack.
Sure, there are human weaknesses. If you steal my smartcard holding my private key, then you can do whatever you like. So it breaks down to a "something you have" security. You can add on a "something you know" security by requiring a device to authenticate to the smart card before it'll encrypt a hash (there are secure protocols for this as well), but then an attacker could hack a device to get that something you know (PIN, password, whatever). There's no perfect system, but you can raise the bar high enough to eliminate the most common phishing mechanisms and the most common crimes.
Whether it's worth it or not is debatable though. It certainly would not be cheap to implement.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
The phishers mail you a new card with a hacked URL they put on it, and when you pop it into your home computer to do your banking, this hacked card's URL will direct you to their phishing web site. (Or, maybe the same day that your phake card hits your mailbox, they DNS spoof your segment of Comcast to redirect FirstAmericanBank.com to 111.112.113.114, the (mythical) address of PhirstNationalBankOfPhishing.) By whatever means, they direct you to a phishing site which will collect your real pass phrase; then, they'll politely ask the victim to reinsert their old card to "deactivate it" while they run some hacked program that uses the combination of your valid card and newly discovered pass phrase to transfer all your money to FrontBankOfCorruption.ru.
Yes, it's harder than today's phishing scams, but it's certainly much easier than breaking the RSA algorithm. And it would only take a few well-chosen attacks on some very wealthy people to steal a lot of money.
For that matter, the attack would work without the phake card. Infest the victim's computer with a trojan (20,000 zombie PCs have got to be good for something) and when they go to their own banking site with their real smart card inserted in their machine, the phishing site instead collects their pass phrase and misuses it to redirect money in the same manner I described above.
As I said, I understand that the public key encryption isn't going to be broken. But it doesn't have to be broken. The human's trust is always going to be the easiest thing to hack, no matter how strong the encryption routines are. And the PC is not a secure device, it can be made to act as a "man-in-the-middle", sometimes dealing with the real bank, but sometimes dealing with the crooks.
John
True... I had not thought about using the key with an existing computer and website kind of deal. I was thinking more along the lines of a special-purpose device for talking to the bank directly. Not using existing insecure hardware.
But yes, a man in the middle attack could be mounted if the attacker could gain access to something that talks to the card. No doubt.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
My approach curbs the onslaught of spam and malware spewed from compromised 'Wintel' zombie PCs.
Full details here.
For what it's worth, I use the software I wrote myself to protect my PC from compromise via email.