Slashdot Mirror
20,000 Zombie PCs -- $3000
Saint Aardvark writes "From F-Secure blog comes these links to two USA Today articles on spamming. The first gives an example of how a grandmother ended up becoming a security expert after Comcast cut her connection for spamming. The second quotes spammers advertising networks of Zombie PCs for sale. The price? $3000 for 20,000 machines."
How many % are running Microsoft Windows ?
Zombie Macs and Zombie Linux boxes are about as common as snowcones in hell, it would seem.
Heather Hall can trace the start of her online banking nightmare to the day she received what she thought was a legitimate e-mail request from Bank of America asking her to click a link to a bank Web page. The 27-year-old health services worker typed in her login, password and account number. ...
Bank of America agreed to reimburse the money stolen from Hall's account, but only after she badgered them. "They wanted me to believe it was my fault," says Hall.
Yes, it's her fault. She did something foolish.
Zombie victim Carty took matters into her own hands: She did research on how to clean up and protect her PC and diligently updates programs that scan her computer for various types of malicious code. Her PC now runs clean. "I had no clue at Christmas that I would become a security expert," she says.
It is quite sad that a person who just updates their computer and runs a virus scanner is now considered a "security expert."
My bet is 100% Windows. It doesn't make sense to devote time for development to target anything else.
Why would a spammer want to deal with the increased complexity and labor involved in infecting and managing a heterogeneous zombie herd when it would increase its size by less than 10%? It's a waste of time and money.
A one-eyed man in the land of the blind is King.
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
- a list of machines that need to be cleaned up
- a bank account or other information that can be used to track down the spammers/crackers
I guarantee $3k is cheaper than what it would actually cost tax payers if the authorities did their job with normal investigative work.The sad part is that she is a security expert compared to most people. If the majority of people didn't know that cars used internal combustion engines, you'd practically be a car wizard if you knew things like that the car has a transmission and different gears.
English is easier said than done.
Let's see...$3000 for 20,000 windows boxen works out to 15 cents per machine. Yeah boy, that's about what one is worth.
Money? Lots and lots of money?
There are two types of people in the world: Those who crave closure
Just start monitoring for bursts of spam from their clients, and simply *pick up the phone* and *call them.* "Sir, we've detected mass spam coming from your connection. Please clean up your computer. You have one week."
"People" using "unnecessary" quotes should be "shot".
And one wonders why users do not recieve some of they blame they rightly deserve, either.
First lady in the story - obviously had zero protection beforehand, and it took a major problem w/her connection being disconnected before she got some. If nothing else, at least it sounds like she has the concept of basic security down a little better now.
Second lady mentioned - a single call to her bank for verification would have likely saved her any trouble. I have gotten several "phishing" mails myself, and they are incredibly easy to recognize - often from a bank I have no accounts with or that never sends mail otherwise, they contain grammatical/spelling errors that would never appear in a real mail, and ask for information that the real bank would have absolutely no reason to need verified.
Third lady mentioned - more Microsoft's fault than the others, due to the security holes. Still, it sounds like she either didn't patch things, opened a nasty attachment, or otherwise brought the software on through her own action. Hard to tell since they don't mention anything by name.
So yes, Microsoft is evil. But don't fool yourself into thinking that users aren't contributing their share of problems either.
- The perpetrator (a spammer) is almost universally hated.
- Spammers do real damage.
- They are doing this damage for a pure profit motive.
- They are operating out in the open, making for an easy arrest.
So why are these bozos still in business?===== Murphy's Law is recursive. =====
She did research on how to clean up and protect her PC
Wanna bet some cash money that "research" meant asking the guy at Best Buy who sold her a copy of Norton for Enterprises and a few sets of Monster Cables?
I don't need no instructions to know how to rock!!!!
Yeah, it's nasty all right.
Wanna be more disgusted, though? Say we did get a good handle on one of them. Well, then the federal prosecutor has a hell of a job on his hands. All he has to do is make 12 people understand how spam works, how they found the guy, why their "searches" were legal, what he was doing, and why it's a crime. Which, if it were possible to make people understand, would have prevented the crime in the first place.
And, if he's really unlucky, the defendant waives jury trial and he instead has to convince one very conservative 70 year old man of all these things.
adam b.
""Consumers should demand what they do of other utilities," says Kip McClanahan, CEO of security firm Tipping Point. "When I pay my water bill, I expect my water to be drinkable out of the tap. Today, when you pay your Internet bill, the data you get is not consumable.""
how is it my ISP's fault if i am too stupid to secure my own system? it is quotes like this that pass the buck from the end-user/consumer. hey, if you want to drive a car, you need a license. want an internet connection over 56k? make people pass some sort of security review or test.
(yes, save your breath, i know ISPs can do things to reduce the problems, but it's not their fault in the end that these machines are messed up.)
I'm sorry, but calling that woman a Security Expert is wrong. She discovered the hard way that not being aware of security was a mistake but all that makes her is a security-aware user. Of course, that implies most computer owners aren't.
I mean, it's like "I transfer you 3 grand and then you mail me a password to a controller server", or something like that ? I guess you have to be mighty sure of the delivery of the goods to enter in such deals.
Rome taught me patience and assiduous application to detail. Virtues which temper the boldness of great, general views.
How many who drive cars know how to fix it? I certainly don't, nor do I have any desire to learn to fix my car.
It's not the end users' fault the majority of home computers are by default magnets for virii, trojans, worms and spyware.
Certain OS manufacturer is at fault here, as well as the Dells and Gateways of the world, who insist on selling zombie networks when solutions to prevent them from occurring have been in place for quite a while.
In Soviet Russia, I ruled you
yeah, she did do something foolish... I don't care how realistic the email or web page looked. If people are going to use the Internet for banking and business they should learn about the threats that are out there.
I resent deeply our overlords at the banks reimbursing this woman or anyone, in fact since we all end up paying for this craziness with higher banking fees.
We really end up paying twice as well - first for the money that was obtained by the criminal and again by the bank's giving more money to the victims.
It's as bad or worse than the early to mid eighties where banks would just pay hackers hundreds of thousands of dollars or more when they were successfully hacked to avoid the unwanted publicity.
That is a leading question that seems typical of a smug linux zealot. A better question would be, 'What is the ratio of zombied linux boxes in proportion to it's total installed user base.' Since most people use Windows, it follows that most of the zombie boxes should be windows boxes.
Even that isn't totally informing, as how many of those people who run Windows would be less vunerable if they ran linux? Most of the problem isn't the OS, but the lack of understanding on how a computer works. If you aren't a skilled admin, you are going to get haxxored regardless of the OS.
I think Linux is a superior idea and platform, but win the argument with sound logic, not snyde comments.
HA! I just wasted some of your bandwidth with a frivolous sig!
Even closer to the mark, if I use my ATM card to pay for a product and that product later turns out to not work as advertised, that's a crime (at least in the state of California, where I live). We have "lemon laws" that say that products we buy should perform as advertised. I deserve my money back. But even though the company that sold me the product deducted the money directly from my account, it defrauded me -- not the bank. Why should the bank be held liable? Because I failed to investigate the seller and/or the product beforehand? Because I failed to file a civil suit against the party that defrauded me?
"Give people an inch and they'll take a mile" is the phrase that comes to mind here. Bank of America did the right thing by ol' grandma in this case. They didn't have to, so let's applaud them for it.
Breakfast served all day!
Maybe I've been lucky, but I've ran a Windows XP system for about a year now (and a Windows 98SE system for about 2 years prior under the same conditions), doing the occasional patches from Windows Update, without a virus scanner or firewall. If I do something stupid that makes me suspect that I've contracted something, I'll drop over to http://housecall.antivirus.com/ and do a quick scan. This generally only happens when I'm trying to find a crack for something on a P2P network and the bastards have embedded a keystroke logger or some other little nasty in a trojan crack package.
I don't think you're lucky, but rather that you are unaware of the real state of your computer. Not all viruses/worms/cracks make themselves known to the end user, even a savvy user who is checking the process listing. It's very easy to hide processes from the user, regardless of their system-administrative credentials on a Windows system. Malware is designed by folks who know the ins-and-outs of a Windows box far better than you or I, with the goal that it might be able to fool the author himself.
I highly recommend adding a firewall to your situation at the bare minimum.
I do not personally use Antivirus software on my Windows boxen, but only because I use them only for software testing, and do not install any software other than that produced by either myself, the Fortune 500, or well-known open source developers. I also do not use Outlook or MSIE on these boxes, with the exception that MSIE is used in the software testing.
If you're running cracks and warez though, you're putting yourself in a very compromising position even with antivirus software. Running without it is foolish if you value your data, privacy, or have any regard for what your computer does while you're away.
What has *science* done?!? -- Dr. Weird (ATHF)
A bank that loses money to a criminal act that refuses to reimburse its customers might well lose its status as a bank.
It didn't "lose" her money. It followed the proper security procedures involving the use of a login name, password, and bank account number.
They took from her, without her permission, money from her bank account.
That's the key: "They took from her." They didn't steal from the bank. There wasn't negligence on the part of the bank. The bank didn't leak her account number, login name, or password. She did. She fell for a scam through no apparent fault of the bank. And now we all pay for it in the form of higher fees, lower savings account interest, etc.
Suppose she was duped into giving her house key to some burglar posing as someone from a carpet cleaning service. Should the mortgage company have to pay when the burglar steals her stuff? Should the home builder? Should the maker of her door lock? Of course not. So why do we treat physical keys so differently than virtual keys (login credentials)? You'd never suggest that anyone but the homeowner was responsible for the loss if they gave their house key to some con artist. So why is the bank responsible when the customer gives away the "keys" to their bank account?
And I had no clue that in a time when a majority of middle aged and elderly people using PC's with just enough knowledge to turn them on, an elitist asshole could belittle someone who took time out of their life to learn nuances of security on the internet.
it's not that she took the time to learn a little bit, it's that she called herself an "expert," which she certainly is not
She's probably an expert within her peer group. It's all relative, isn't it? :)
No. It didn't follow the proper security procedures. It followed its choice of security procedures. The success of this kind of phishing scam is evidence that those security procedures are not proper; they're inadequate because they're so easily defeated with a bit of social engineering. The bank needs to design a better security system- one that uses a time-dependent smart card, for instance- so that phishing doesn't work.
There's no point in questioning authority if you aren't going to listen to the answers.
From the article:
----------
Heather Hall can trace the start of her online banking nightmare to the day she received what she thought was a legitimate e-mail request from Bank of America asking her to click a link to a bank Web page. The 27-year-old health services worker typed in her login, password and account number.
[deletia]
Bank of America agreed to reimburse the money stolen from Hall's account, but only after she badgered them. "They wanted me to believe it was my fault," says Hall.
----------
Gee, I hate to break it to you, sweetheart, but it WAS your fault. YOU were the gullible one who clicked on the wrong link and gave thieves your username, password and account number!
As long as her attitude is prevalent among the majority, the problem of malware will never go away. Not only are these people completely oblivious to the dangers waiting to snare people using Windows PCs, even when something bad befalls them they just flat out refuse to believe it was their fault.
~Philly
If you all want this stuff stopped, contact your local Attorney General and demand they start prosecuting these cases. The Feds can't do anything if the AGs won't prosecute. Call your AG and tell him you'll make sure he isn't re-elected if he doesn't start prosecuting people for computer tampering.
Seems to me this is off the mark, and it typifies what is wrong with our telecom-oriented providers, as they too believe this all too often.
The provider provides a connection. He does not provide content. ISDN was a gigantic failure because telco's thought they had to provide content, rather than just a reliable connection.
If I want content, I will buy an AOL subscription. Otherwise, what I expect is not clean water but a reliable liquid movement mechanism. You don't call it a pipe for nothing. The liquid that comes out will be determined by me, not by the provider of pipes!
MW
---
BDOS ERR ON A:>
However it is your responsibility to make sure your car does not fall apart on the road, so you hire people to take care of it. Same thing should be done with home pc's.
Or parents either...
Got mom an iMac last christmas, and the number of phone calls starting with. "Hey, I have a computer problem... drop from weekly to one ever 3 or 4 months."
Judging from the amount of people that don't install antivirus and don't turn on auto windows updates, she does indeed seem like a security expert.
ROMANES EUNT DOMUS
Would that be for one spam run or for "ownership" as long as they're available? If it's just for one run, that's pretty good money as you can sell the product over and over again.
A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
Oh if I had mod points, my friend, you would be more karma-ful than you are right now. I couldn't agree more. At least she did something about it, instead of sitting ignoring it, hoping it gets better, unlike the other 20,000 plus people mentioned.
What he can't kill, he has sex on. Trent.
If grandma figures that all out, and especially if she tells all her friends, then I have no problem with her calling herself an expert. Don't worry, no prospective employer is going to hire her over someone who knows something, unless maybe she's hired to train end-users in the humdrum tasks of everyday workstation security. Imagine, if you will, a Beowulf Cluster of "grannies-who-get-it" showing everyone they know the nuts and bolts of how not to infect their computers! How to manage Microsoft update, how to d/l, install and run SpyBot S&D, a virus scanner, a spam filter program like POPFile, and maybe even a more secure browser (read, one that doesn't automatically install and run whatever random piece of code it finds on the net). They would do more for overall Internet security than a batallion of security experts preaching arcane router strategies to tired and jaded Network Admins. There would still be occasional viruses, worms, and exploits, but those could be left to the experts. I see no reason to be cynical about this.
Everything I've ever learned the hard way was based on a statistically invalid sample.
Anyone who has an e-mail address gets spam. It's an ugly fact of life in the modern age. Figure that, out of a pool of - say - 100 potentials, at least 10 of them have kids. Spammers are notorious about not checking the ages of the people who own the addresses that they spam - and they work very hard on ways to get around filters.
Leaving the parents aside for the moment, everyone in the hypothetical jury pool gets flooded with this crap, because everyone with an e-mail account does. Period. Plus, I've observed that the less tech-savvy a person is, the angrier they get about spam, because they don't know how to stem the tide. Now, imagine a spammer going up against even 12 of the most sane, rational, mentally well-balanced of his vict^H^H^H^Hpeers. True, a lot of people don't quite understand the tech stuff; but break it down into dollars and sense ("misspelling" intended), and you'll see lightbulbs going off overhead all through the jury box.
And that goes triple for the conservative old man. A guilty plea would be much safer, all around.
Doing my level best to piss off the religious right wing...
"in labs we don't manage"? The ones we do manage, Solaris, Linux, Windows, etc don't get hacked. We have a firewall, and then firewalls on the systems themselves, auto updating, etc. However, we do not manage all the labs, and those we don't get hacked frequently (Windows and Linux).
I have gotten several "phishing" mails myself, and they are incredibly easy to recognize - often from a bank I have no accounts with or that never sends mail otherwise, they contain grammatical/spelling errors that would never appear in a real mail, and ask for information that the real bank would have absolutely no reason to need verified.
You should see some of the semi-literate shite that comes from my bank. And not on emails asking me to verify my account details either.
The first few batches of truly illiterate youngsters have made it into the media, and now serve to corrupt the next generation by example. We're all doomed. Before long, we'll have the reverse of what you've pointed out - anyone who can string a sentence together will be regarded as either (i) a dumb criminal who "cant' rite propper" or (ii) a smart criminal who's put far too much effort into his writing to be from a real bank.
...and the mods call this troll attempt insightful...
MODS NEED TO STOP FEEDING THE DAMNED TROLLS, it's a fooking joke to the IT groups in the Midwest. Instead of providing help, true insite into securing a MS OS. slashdot mods will bait and encourage the MS Bashing, why??? Is there one MATURE reason to do this????
That's the key: "They took from her." They didn't steal from the bank. There wasn't negligence on the part of the bank. The bank didn't leak her account number, login name, or password. She did. She fell for a scam through no apparent fault of the bank. And now we all pay for it in the form of higher fees, lower savings account interest, etc.
Banks are legally responsible for securing the funds in your account, and for only giving those funds to authorized people. To do this, banks have a wide number of security choices available to them.
Banks have deliberately chosen a pretty flimsy set of security procedures, even though they are held financially liable. This is because the amount they lose due to fraud with existing systems (more often, due to insurance premiums to make someone else pay for fraud) is less than it would cost them to beef up security more (both in direct cost, and in lost customers who want an "easy" bank).
When a particular kind of fraud increases, the banks try to pick the cheapest and easiest way to curtail that specific kind of fraud. And then they stop, because they have no financial incentive to secure things any more than they already are.
Suppose she was duped into giving her house key to some burglar posing as someone from a carpet cleaning service. Should the mortgage company have to pay when the burglar steals her stuff? Should the home builder? Should the maker of her door lock?
No, because none of these people have contracted to secure her home. The closest is the maker of her door lock, and all they are contracted to do is make a door lock that can be used to assist in securing her home.
When you put money in a bank, you have a contract for them to secure your money, that's the difference.
----
Open mind, insert foot.