Slashdot Mirror


The Evolution of the Phisher

gurps_npc writes "An article at CNN discusses how phishers have moved beyond the typical email scam. Last month, Secunia (a Danish security firm) documented a case where a phisher somehow modified a Windows hosts file so that when you type the correct URL into the address bar, it redirects you to the phisher's site. Worms and spyware are being built for the purpose of phishing, and it is also believed that phishers are attempting to compromise domain name servers. If one of these goes down, millions could lose their security instantly, even if they themselves have maintained the security of their computers."

278 comments

  1. Certificates changed? by wdd1040 · · Score: 5, Insightful

    And this is when users need to actually read the warnings about certificates being different than the last time accessing the site...

    Again, if common-sense is used, 99% of phishing can be stopped.

    --
    wdd
    1. Re:Certificates changed? by gurps_npc · · Score: 2, Insightful

      And when you are using a new computer that has never logged onto that account....

      --
      excitingthingstodo.blogspot.com
    2. Re:Certificates changed? by x.Draino.x · · Score: 4, Insightful

      You fail to realize that the typical user doesn't even know what those certificates are for. The Slashdot crowd is probably safe for the most part, but are your parents?

    3. Re:Certificates changed? by Anonymous Coward · · Score: 0

      But even if 1% succeeds, it is still a major problem.

    4. Re:Certificates changed? by Jarn_Firebrand · · Score: 0, Troll

      Wow, this is one of the stupidest things I have ever heard. If it is a new computer, then it is NEW. Meaning nothing could have been edited. Think before you open your mouth, next time. Or, in this case, touch your keyboard.

    5. Re: Certificates Changed? by Anonymous Coward · · Score: 0

      This implies that the average user has a clue about certs and what it all means...

    6. Re:Certificates changed? by Jedi+Alec · · Score: 4, Insightful

      Common sense? Is there such a thing? You know you shouldn't stick your fingers in the nice bright fiery thingy because either someone told you stringently not to or you tried it once and got burned. To the majority of web users out there, most of this information is as understandable as a description of the precautions that need to be taken before summoning Cthulhu. If someone went out and started changing the signs near highway offramps, and you've never been in the area, will common sense tip you off?

      --

      People replying to my sig annoy me. That's why I change it all the time.
    7. Re:Certificates changed? by LithiumX · · Score: 3, Informative

      Not very familiar with the threat level against XP?

      I've tested this myself. Put up a fresh brand new install of XP. Before I could even start patching it, I had worms homing in. I think the record so far (not for me but for another article here) is 45 seconds from first boot.

      By the time you get around to hitting your bank records, you're already hit. If it's a brand new computer, unless it's fully patched and defended against these specific threats, you would likely already be hit long before you browsed your first site, let alone a critical one.

      Think before you flame.

      --
      Do not confuse "Freedom of Choice" with "Free Will".
    8. Re:Certificates changed? by blueZhift · · Score: 1

      Hmmm. If stuff like this starts happening enough, the average user will just stop using the net. Just like people won't go wandering into a bad or dangerous neighborhood no matter how good the restaurants may be, many people will simply stop using the net if the scams, worms, and viruses continue to mount. This has significant economic consequences and consequences for individual freedoms as the government attempts to combat the problems.

      Admittedly, the net is used for a lot of things that people may not be directly aware of. But as far as Joe user in front of a PC goes, if the craziness continues to escalate, he'll stop using the PC on the internet and go back to watching TV.

    9. Re:Certificates changed? by Anonymous Coward · · Score: 4, Insightful

      You lost me.

      Say I usually go to site A to do my banking. And I have a trusted security certificate for that site.

      I get infected with one of these phishing worms which alters my host file so that whenever I type out the URL to site A, I get the IP address to site B.

      I inadvertently go to site B. Site B doesn't require a security certificate. When would I get a warning about "incorrect" security certificates? As opposed to "expired" or "missing" certificates?

      Or better yet, these phishing worms pre-install their security certificate at the same time they hack my hosts file. When would I get a warning? As far as my web browser is concerned, I'm going where I intended to go.

      I think your solution solves the wrong problem.
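
The hosts-file redirection described in the post above, turned into a check a defender can run: an added example for this thread, not code from the CNN article, from Secunia, or from any product named here. It parses a hosts file, skips loopback and unroutable entries (which is what the default localhost lines and ad-blocking lists look like), and flags any watchlist domain pinned to another address. The sample hosts text, the watchlist, the "local" address ranges and the severity rules are all constructed for the demo.

```python
"""Audit a hosts file for entries that redirect sensitive domains.

Added example for this thread, not code from the article or from any project it
names. The hosts file text, the watchlist of sensitive domains and the severity
rules are constructed for the demo; a real deployment would substitute its own.
"""
import ipaddress
import re

# Where the static name table lives; a resolver consults it before DNS.
HOSTS_PATHS = {
    "windows": r"C:\Windows\System32\drivers\etc\hosts",
    "unix": "/etc/hosts",
}

# Constructed watchlist: names a phisher would want to pin to their own server.
WATCHLIST = {"www.paypal.com", "paypal.com", "www.bankofamerica.com"}

# Address ranges that are normal in a home or office hosts file (assumption).
LOCAL_RANGES = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def parse_hosts(text):
    """Yield (address, hostname, line_no) for every mapping in hosts-file text.

    '#' starts a comment; one line may map a single address to several names.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            yield fields[0], name.lower(), line_no


def audit_hosts(text, watchlist=WATCHLIST):
    """Return findings as (severity, line_no, address, hostname, reason) tuples."""
    findings = []
    for address, name, line_no in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            findings.append(("medium", line_no, address, name, "address does not parse"))
            continue
        # 127.0.0.1 / ::1 / 0.0.0.0 entries are how ad-blocking lists and the
        # default localhost lines look; they cannot send traffic to a phisher.
        if addr.is_loopback or addr.is_unspecified:
            continue
        if name in watchlist:
            findings.append(("high", line_no, address, name,
                             "watchlist domain pinned to a fixed address"))
        elif not any(addr in net for net in LOCAL_RANGES):
            findings.append(("low", line_no, address, name,
                             "non-local address mapped statically; confirm it is intended"))
    return findings


# Constructed sample: two default entries, one LAN host, one ad-block entry,
# one injected hijack and one typo.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver.lan
0.0.0.0         ads.example.net             # ad blocking
203.0.113.45    www.paypal.com paypal.com   # injected by malware (constructed)
198.51.100.7    mirror.example.org
bad-address     typo.example
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(*finding)
```

Run against the sample, the two watchlist names on the injected line come back as high findings, the static public mapping as low, and the unparseable line as medium; the loopback, unspecified and RFC 1918 entries produce nothing, which keeps the check quiet on an ordinary machine.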

    10. Re:Certificates changed? by gurps_npc · · Score: 1
      Not only did I read the article, I happen to be the guy that posted it.

      And if you were smart enough to have read my post you would have seen the line about DOMAIN SERVERS being attacked and how this means they do not have to have edited anything on your computer.

      Next time, before you call something stupid, think "Maybe Jarn has no idea what everyone else is talking about".

      --
      excitingthingstodo.blogspot.com
    11. Re:Certificates changed? by JaseOne · · Score: 1

      It doesn't matter, there is no way for a phisher to get a valid certificate for any bogus domains they set up, however they end up doing it.

      They won't be able to get a signed certificate so the check to see if it is signed by a trusted source will always fail and also possible that the check to see if the domain matches the current address could fail.

    12. Re:Certificates changed? by ComputerSlicer23 · · Score: 1
      Yes and no. Remember, they control the DNS, they wrote to the /etc/hosts (wherever it is they bury that on Windows, c:\windows\system32\hosts if I remember correctly) files. How long until they add a file to your cert list, so it looks like a trusted host when you go to their site?

      Besides all that, I'm fairly sharp about my security, and I know most of the fundamentals of the math behind it, and I wouldn't be shocked if my bank switched SSL keys because their old one just expired. Imagine the bedlam that would ensue if everyone did freak out, just because a key had changed.

      Now, if they hijack a DNS server, or break into Verisign and get the secret key, they are in (or more likely, one of the smaller SSL key providers that have default keys in Microsoft IE installs).

      I don't remember the exact details of how you use the certs on your desktop machine; if at any point you have to connect to Verisign, they have you. They control the IP where you believe Verisign is located. The trick will be you having to establish cryptographic trust of the files you use, and every bit of information between you and completing the transaction. If they are able to control any stage of the transaction, they can wreak havoc on you.

      Kirby

    13. Re:Certificates changed? by Jarn_Firebrand · · Score: 3, Interesting

      That's why you have all the stuff you need to patch it on a floppy/CD/flash drive, and don't have it connected to the internet right away. Common sense. Okay, maybe not common sense to most people.

    14. Re:Certificates changed? by Anonymous Coward · · Score: 0

      This story has turned into a kind of urban legend.

      Your system will not become infected, even if you leave it on for weeks.

    15. Re:Certificates changed? by Jeremi · · Score: 1
      Wow, this is one of the stupidest things I have ever heard. If it is a new computer, then it is NEW. Meaning nothing could have been edited.


      That's another one of those things that used to be true, before the magic of Windows made it otherwise. Remember "you can't possibly get a virus just by reading your email"? These days it is very possible to have your brand-new Windows system compromised within a minute or two of connecting to the Internet, whether you've done anything else or not.


      Think before you open your mouth, next time. Or, in this case, touch your keyboard.


      I trust next time you will follow your own advice? ;^)

      --


      I don't care if it's 90,000 hectares. That lake was not my doing.
    16. Re:Certificates changed? by ReverendLoki · · Score: 2, Interesting
      Wow, this is one of the stupidest things I have ever heard

      Then you must not get out much. As they were talking about a DNS becoming compromised such that even secured systems become redirected, your argument makes absolutely no sense. It's akin to saying that since your new car has just come off the showroom floor, it should be entirely unaffected by that bridge out ahead.

      For further instructions, consult own advice.

      --
      09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
    17. Re:Certificates changed? by Rorschach1 · · Score: 2, Interesting

      It's bad enough that most users have no clue to begin with, but you should try working within the DoD. Or maybe it's just the Air Force that's so screwed up. But they've been pushing so hard on a poorly-implemented PKI plan that all their users are now conditioned to automatically accept invalid, expired, or untrusted certificates dozens of times per day to get their jobs done.

      Enablement... yeah, that's a perfectly cromulent word...

    18. Re:Certificates changed? by SiliconEntity · · Score: 1

      And this is when users need to actually read the warnings about certificates being different than the last time accessing the site...

      What are you talking about? There is no such warning that I am aware of. I don't believe IE caches certificates and compares them with the last time you accessed a site. The only program that does this is ssh, which is hardly end-user material.

      What will happen instead, if the DNS were to be hacked, is that the site will be UNABLE to come up with a valid certificate on the DNS name it has stolen. If someone could hack and redirect paypal.com to their own site, they still wouldn't be able to offer a signature on a key named "paypal.com" with a certificate from a trusted issuer. The only certificate they could offer would be maybe a self-signed one, in which case you will get a warning. But it won't say that the certificate has changed, it will say that it is a bogus-looking certificate. That ought to alert people that something is wrong.

    19. Re:Certificates changed? by Anonymous Coward · · Score: 0

      Sure, if you're running Service Pack 2 with the firewall on. Any older version and you're lucky if you get 10 minutes before you're infected with who knows what.

    20. Re:Certificates changed? by statusbar · · Score: 3, Interesting

      I haven't tried this, but I heard that it is possible to create an un-signed certificate set to use 'plaintext' encryption which most web browsers will not complain about. No encryption is done and no signature is possible or required.

      Does anyone know if that is correct? If so, then this is a possibility.

      --Jeff++

      --
      ipv6 is my vpn
    21. Re:Certificates changed? by wertarbyte · · Score: 2, Funny

      That's why you have all the stuff you need to patch it on a floppy/CD/flash drive, and don't have it connected to the internet right away. Common sense. Okay, maybe not common sense to most people.

      No, that's why I don't have that Windows stuff on my computers. Common sense. Okay, maybe not common sense to most people. ;-)

      --
      Life is just nature's way of keeping meat fresh.
    22. Re:Certificates changed? by silicon-pyro · · Score: 4, Funny

      The parents of the Slashdot crowd are behind a secure proxy located in the basement. They just call us up and ask us if it's OK to proceed.

    23. Re:Certificates changed? by DA-MAN · · Score: 1

      What will happen instead, if the DNS were to be hacked, is that the site will be UNABLE to come up with a valid certificate on the DNS name it has stolen. If someone could hack and redirect paypal.com to their own site, they still wouldn't be able to offer a signature on a key named "paypal.com" with a certificate from a trusted issuer. The only certificate they could offer would be maybe a self-signed one, in which case you will get a warning. But it won't say that the certificate has changed, it will say that it is a bogus-looking certificate. That ought to alert people that something is wrong.

      That assumes that you have the site bookmarked or go to https://url/

      There will be no warning if the user goes to http://www.site.com/ and clicks on the login button as most users do. As a geek I know to check for the lock in my browser when I am surfing sites, most users don't know any better.

      In addition, if the spyware can change your hosts file it's only an extra step to insert a new root cert that would automagically trust https://www.site.com/.

      --
      Can I get an eye poke?
      Dog House Forum
    24. Re:Certificates changed? by Spad · · Score: 3, Insightful

      "Unpatched" Windows 2000 SP4 system.
      Clean install.
      In the time it took me to download the latest definitions for my antivirus software (less than 5 minutes) I'd already acquired 3 worms/trojans.

      My firewall logs are full of worm hits trying to infect my machine.

      It's not an urban legend, it's a fact of internet life.

    25. Re:Certificates changed? by soft_guy · · Score: 3, Interesting

      Not only that, but what if the "new" computer you are buying has been opened, modified, reboxed, and sold to you? Do you trust the store where you bought it, or just buy on price? This doesn't have to be totally the store's fault either (but could be).

      Also, what if someone on the inside were to modify the master disk used to image the hard drives at a factory. Sure it might make the news and eventually you'd hear about it, but it still wouldn't be fun to be one of the people affected?

      --
      Avoid Missing Ball for High Score
    26. Re:Certificates changed? by A+beautiful+mind · · Score: 1

      This is what the security manual at debian.org suggests as well.

      What could be called paranoid for Linux may be strongly recommended for Windows.

      --
      It takes a man to suffer ignorance and smile
      Be yourself no matter what they say
    27. Re:Certificates changed? by LithiumX · · Score: 1

      Also, what if someone on the inside were to modify the master disk used to image the hard drives at a factory. Sure it might make the news and eventually you'd hear about it, but it still wouldn't be fun to be one of the people affected?

      Not only that, but what if it turned out to BE my bank doing the phishing, rigging the banking website to modify my certificate to accept the banking site, and then storing my login and password so my bank could get all my banking info?

      Ohhhh, phishers can be devious....

      --
      Do not confuse "Freedom of Choice" with "Free Will".
    28. Re:Certificates changed? by Almost-Retired · · Score: 1

      If it's that bad, WTF are you running Windows for?

      Believe it or not, there ARE other operating systems.

      --
      Cheers, Gene

    29. Re:Certificates changed? by DaveJay · · Score: 1

      Isn't this why people have firewalls between their brand new computers and the internet?

      Er, wait...make that:

      Isn't this why people SHOULD have firewalls between their brand new computers and the internet?

    30. Re:Certificates changed? by sosegumu · · Score: 2, Interesting

      If it's a brand new computer, unless it's fully patched and defended against these specific threats, you would likely already be hit long before you browsed your first site, let alone a critical one.

      That's a good reason not to buy your computer from BestBuy. Our company is a local reseller who offers as good (or better) prices than the big box stores, financing options, better components, better warranties, etc. When we deliver a system, it's fully patched, AV installed with latest defs, anti-spyware installed.

      Strangely, we have the hardest time getting home users to buy our systems. For whatever reason, over 95% of our customers are businesses.

      --
      It's easier to wear the spandex than to do the crunches. --David Lee Roth
    31. Re:Certificates changed? by Anonymous Coward · · Score: 0

      So you're saying the phishers have the private key to verisign's CA certificates? I'm pretty scared of them, then.

    32. Re:Certificates changed? by pixelpunk · · Score: 1

      Let me remind you, common sense is not so common.

    33. Re:Certificates changed? by Not_Wiggins · · Score: 1

      That's why you have all the stuff you need to patch it on a floppy/CD/flash drive, and don't have it connected to the internet right away.

      Or, more to the point, start pushing hardware firewalls down to people... build them into the DSL/Cable modems and have them set to block out of the box.
      I've found that for most home users, having a stateful firewall that doesn't allow any connections in without first originating them is not a hindrance.

      Of course, it'll be "harder" for Joe Average to use P2P software (ie, he'll have to configure the box to allow specific ports through), but that's better than having him get infected with some damnable worm.

      Another potential solution would be to have Microsoft re-distribute XP (or start distributing XP) with the firewall installed (ie, with SP2). Not that I'm a fan of MS products, but giving your average user an install disc that is already somewhat protected would be a good start. Why are they still distributing the original version of the OS when they have updates that protect (to some degree) against these current threats?

      Yup... I know... logistics, cost, etc. But what is it costing them in PR?

      --
      Diplomacy is the art of saying, "Nice doggie!" until you can find a rock.
    34. Re:Certificates changed? by aichpvee · · Score: 0

      Common sense is to do a clean install from -current so that you don't have to patch anything before using it. And if you did, it wouldn't be because of a critical security threat.

      --
      The Farewell Tour II
    35. Re:Certificates changed? by irote · · Score: 1

      ...except there are dozens of legitimate domains which have bad certificates, presumably because they're badly configured. What am I to do then? If it's my bank I'll probably reject a falsely set up certificate, but what do I do if it's less critical, but still important? I'd love it if every certificate worked as it should, but sometimes they don't.

      (And stop the macho strutting about the 'users', for god's sake...some people on Slashdot seem to regard themselves as Übermenschen to the serf-like users down below...You're all users too!)

    36. Re:Certificates changed? by ComputerSlicer23 · · Score: 1
      Nope. I'm saying that would be an outstanding way to do phishing attacks.

      Next, I'm saying that I'm confident that if a phisher can figure out how to write to your /etc/hosts file, it's merely a matter of time until they write to wherever your certs are installed. They will install a cert that makes them the equivalent of Verisign. There's a file on your machine that is all you have that makes you trust Verisign. I can create one of those files, call it "Phisher Cert's R US".

      Then any site that has a cert signed by "Phisher Cert's R US" will not give you an alert in IE.

      If you aren't actively checking your cert files, that could be a serious issue. To the best of my knowledge, your cert files aren't cryptographically checked in any manner. I know you can just add a cert to your own machine to make self-signed cert messages go away.

      If you have to contact Verisign in order to authenticate your cert with them, that's not a problem either. They control your DNS via the hosts file. They will direct you to their site and feed you bogus information. What a wonderful thing.

      The problem is, to the best of my knowledge, nothing will alert you that your cert files have been tampered with or added to. However it's signed, I have to be able to add certs to them myself. Phishers can just set themselves up as a cert provider you trust.

      Kirby

    37. Re:Certificates changed? by pinchhazard · · Score: 0
      Another potential solution would be to have Microsoft re-distribute XP (or start distributing XP) with the firewall installed (ie, with SP2).

      I think they do.

      --
      Do you love freedom??? Do you love freedom!!! DO YOU LOVE FREEDOM!!!!!!!!
    38. Re:Certificates changed? by Anonymous Coward · · Score: 0

      1. Many bank sites run on IIS
      2. Most phishers host on free webhosting providers. Who run unix.

    39. Re:Certificates changed? by op00to · · Score: 1

      Alarms go off in a web browser when a certificate is not signed by a 'trusted' CA. This has nothing to do with encryption or anything else. If the site's cert, whether the data is encrypted in plaintext or quantum bits, is not blessed (signed by Thawte or whomever), user gets the Scary Box.

    40. Re:Certificates changed? by Ash-Fox · · Score: 1

      I just did the same, installed a fresh copy of Windows XP which had Service Pack 2 slipstreamed into it. Connected it directly to the internet, left it overnight while it downloaded OpenOffice and other stuff.

      Nothing bad occurred.

      Note: I did not tamper with Windows's default settings at the time.

      Think before you flame.

      --
      Change is certain; progress is not obligatory.
    41. Re:Certificates changed? by Ash-Fox · · Score: 1

      I'm glad mine doesn't.

      --
      Change is certain; progress is not obligatory.
    42. Re:Certificates changed? by BlueCodeWarrior · · Score: 1

      a fresh copy of windows xp which had service pack 2 slipstreamed into it

      SP2 has the firewall turned on by default. Pre-SP2 XP systems is what we're talking here.

    43. Re:Certificates changed? by BlueCodeWarrior · · Score: 2, Informative

      SpoofStick

      It's not perfect, but it'll help.

    44. Re:Certificates changed? by Anonymous Coward · · Score: 0

      At that point it is too late. My bank for instance will load the login/password page without throwing up a certificate in Firefox. Most people won't even check if the site at that point is encrypted or not. You wouldn't even need to encrypt the page to fool the majority.

      The difference between encrypted and not is a small change in a small icon in the bottom right-hand corner of the browser. At least Firefox also changes the colour of the address bar.

    45. Re:Certificates changed? by dspeyer · · Score: 1
      The post was about SSL certificates, not DNS. Cracking DNS (which is a lot harder than it sounds, anyway, with all the redundancy and caching) does nothing about SSL certificates. Whenever you begin an https transaction, you receive a certificate of identity signed by someone your browser trusts. The list of trustees here is very small (Verisign is the most famous of them). These companies are vouching for the non-fraudulent nature of the websites and aren't easily fooled. When you connect to the phishing site, your browser should warn you that the source is untrusted.

      If a worm managed to add a malicious certificate signer to the list of trusted certificate signers, this protection would be removed. Hopefully, the worm would be publicized thoroughly so people didn't fall for the phishing attacks that followed, but many people probably wouldn't get the word.

      All this can be circumvented by simply not using SSL on the phishing site, but anyone who transmits their credit card numbers unencrypted deserves what they get.

    46. Re:Certificates changed? by Jarn_Firebrand · · Score: 1

      Then it's not a new computer. It's a computer that was new, but has now been opened, modified, and reboxed. :P

    47. Re:Certificates changed? by kronchev · · Score: 1

      not very familiar with a FIREWALL? I've never had that problem before.

    48. Re:Certificates changed? by stutterbug · · Score: 1

      Exactly. So the proper way to install Windows from an old CD without a prior or alternate connection to the Internet and no hardware firewall/router is to 1) Install Windows, 2) Connect to Internet, 3) Download patches and service packs, 4) Burn CD with patches, 5) Get off Internet, 6) FDISK, Reinstall, patch. Regardless of whether this is a reasonable solution, at the moment it is the only solution for most single-PC homes that use Windows (and that would be almost ALL single-PC homes.)

      Of course, sometimes this doesn't work. I have a friend in Toronto who was essentially unable to install Windows for two days because of the Blaster worm. He installed three times and was unable to finish downloading the Windows Updates before his PC rebooted.

      This is really a problem of having installation software on disks that can get out of date. It is not a Windows-only problem, but it happens to be an overwhelmingly, predominantly Windows problem. It is also a result of most ISPs doing absolutely nothing about reining in infected machines. Microsoft: bad. ISPs: Double-plus bad.

    49. Re:Certificates changed? by That's+Unpossible! · · Score: 1

      Common sense. Okay, maybe not common sense to most people.

      Hmmmm...........

      --
      Ironically, the word ironically is often used incorrectly.
    50. Re:Certificates changed? by That's+Unpossible! · · Score: 2, Informative

      Say I usually go to site A to do my banking. And I have a trusted security certificate for that site.

      I get infected with one of these phishing worms which alters my host file so that whenever I type out the URL to site A, I get the IP address to site B.

      I inadvertently go to site B. Site B doesn't require a security certificate. When would I get a warning about "incorrect" security certificates? As opposed to "expired" or "missing" certificates?


      Assuming you are smart enough to require a site to be secured with SSL before submitting your information to them, you'd first look to see if the connection is secure. If it IS secure, that means the SSL certificate that site has must match up to the domain your browser thinks you are viewing.

      The phishing site might trick you into thinking you're at bankofamerica.com, they may also have an SSL certificate installed on their phishing hole, but there is no way in hell they have an SSL certificate (from a trusted SA) for that bankofamerica.com domain. They'd need BoA's private key for that kind of trickery.

      Therefore 1 of 3 things should tip you off:

      1. The site is not SSL secured. Stop.

      or

      2. The site is SSL secured, but the SSL certificate triggers an alert that the domain in the cert doesn't match the domain you're viewing. Stop.

      or

      3. The site is SSL secured, the domain in the cert matches, but your browser triggers an alert because it was not issued by a trusted SA.

      --
      Ironically, the word ironically is often used incorrectly.
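
The three alerts listed in the comment above, plus the rogue-root scenario ComputerSlicer23 raises in comment 36, as one added example. This is not code from the thread, from any browser, or from a certificate authority. Certificates are represented in the dict layout that Python's ssl.SSLSocket.getpeercert() returns; every certificate, hostname and trusted-root list here is constructed, and "issuer organizationName is in the trusted set" stands in for the signature-chain verification a real client performs. The checks run in the order the comment gives them, and the last scenario shows why an added root is dangerous: the impersonating certificate goes from "untrusted issuer" to "ok" with no other change, and only a comparison of the root store against a recorded baseline notices.

```python
"""Model the checks a browser makes before trusting an HTTPS site, and show
how an attacker-installed root certificate silently defeats the last one.

Added example, not code from the thread or from any browser. Certificates use
the dict layout returned by ssl.SSLSocket.getpeercert(); every certificate,
hostname and trusted-root list here is constructed. Trust is modelled as
"issuer organizationName is in the trusted set"; real clients verify the full
signature chain and check revocation, which this model omits.
"""
import ssl
from urllib.parse import urlparse


def _rdn_value(name, key):
    """Pull one attribute (e.g. commonName) out of a getpeercert() name tuple."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def _pattern_matches(pattern, hostname):
    """RFC 6125-style comparison: '*' may replace only the left-most label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                      # "*.paypal.com" -> ".paypal.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[:-len(suffix)]
    return leftmost != "" and "." not in leftmost


def hostname_matches(cert, hostname):
    """Match against DNS subjectAltName entries, falling back to the CN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        cn = _rdn_value(cert["subject"], "commonName")
        names = [cn] if cn else []
    return any(_pattern_matches(n, hostname) for n in names)


def verdict(url, cert, trusted_roots, now):
    """Apply the checks in the order the comment lists them; 'ok' means no alert."""
    parts = urlparse(url)
    if parts.scheme != "https" or cert is None:
        return "stop: not https"                 # 1. no TLS at all
    if not hostname_matches(cert, parts.hostname):
        return "stop: name mismatch"             # 2. cert is for another name
    if _rdn_value(cert["issuer"], "organizationName") not in trusted_roots:
        return "stop: untrusted issuer"          # 3. issuer not in the root store
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        return "stop: expired"
    return "ok"


def root_store_drift(baseline, current):
    """Roots present now that were not in the recorded baseline."""
    return sorted(set(current) - set(baseline))


def _cert(cn, issuer_org, sans, not_after="Mar 15 12:00:00 2030 GMT"):
    """Build a constructed certificate in getpeercert() layout."""
    return {"subject": ((("commonName", cn),),),
            "issuer": ((("organizationName", issuer_org),),),
            "subjectAltName": tuple(("DNS", s) for s in sans),
            "notAfter": not_after}


# Constructed certificates for the scenarios in the thread.
GENUINE = _cert("www.bankofamerica.com", "VeriSign",
                ["www.bankofamerica.com", "bankofamerica.com"])
SELF_SIGNED_IMPERSONATOR = _cert("www.bankofamerica.com", "Phisher Certs R US",
                                 ["www.bankofamerica.com"])
LOOKALIKE_REAL_CERT = _cert("www.bank0famerica.example", "VeriSign",
                            ["www.bank0famerica.example"])
BASELINE_ROOTS = {"VeriSign", "Thawte"}        # constructed baseline root store


def run_scenarios(now=1_700_000_000):
    """Return the verdict for each scenario; the last rows cover the rogue root."""
    bank = "https://www.bankofamerica.com/login"
    tampered_roots = BASELINE_ROOTS | {"Phisher Certs R US"}
    return {
        "plain http login page": verdict("http://www.bankofamerica.com/login", None, BASELINE_ROOTS, now),
        "hosts hijack, self-signed cert": verdict(bank, SELF_SIGNED_IMPERSONATOR, BASELINE_ROOTS, now),
        "hosts hijack, real cert for lookalike": verdict(bank, LOOKALIKE_REAL_CERT, BASELINE_ROOTS, now),
        "genuine site": verdict(bank, GENUINE, BASELINE_ROOTS, now),
        "hosts hijack after rogue root installed": verdict(bank, SELF_SIGNED_IMPERSONATOR, tampered_roots, now),
        "root store drift": root_store_drift(BASELINE_ROOTS, tampered_roots),
    }


if __name__ == "__main__":
    for scenario, result in run_scenarios().items():
        print(f"{scenario:42} {result}")
```

The `now` argument is an epoch timestamp so the expiry check is deterministic; the wildcard matcher refuses "*.paypal.com" for the bare apex and for names with two labels in front of the suffix, which is the behaviour the comment's "domain in the cert matches" alert depends on.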
    51. Re:Certificates changed? by wozza96 · · Score: 1

      1. Disconnect from the internet.
      2. Install original XP.
      3. When the OOBE asks to connect, set up an ISP account or look for updates, don't.
      4. Install a firewall. Turn it on. An SP2 CD will also be fine.
      5. Only then may you connect to the internet.

    52. Re:Certificates changed? by eventhorizon5 · · Score: 1

      Newer phishing scams try to obtain most of their site content from legitimate SSL-enabled sites (like Paypal), display the "real" paypal address in the user's address bar, but have the actual submission form and submission scripts on their own server. So when you visit the site, you will establish a legitimate SSL connection to Paypal, except for the forms. In this type of situation you need to block all non-SSL content.

      -eventhorizon

      --
      #Secret Windows Source Code, in MS C% - if (uptime >= "24 hours") then bsod() else print "Windows License Violation!"
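
The trick eventhorizon5 describes above (real content pulled from the legitimate site, but the login form posting elsewhere) is something a page auditor can detect without a browser. The following is an added example, not code from the thread, from PayPal, or from any browser: it parses the HTML, resolves every form action and script/iframe/img source against the page URL, and flags forms that do not post over https to the page's own host, plus any http resource loaded into a secure page. The page URL, the HTML and the policy itself are constructed assumptions for the demo.

```python
"""Flag forms and resources on a login page that do not belong to the page's
own origin, which is how the content-from-the-real-site trick is caught.

Added example, not code from the thread. The page URL and HTML below are
constructed; the policy (every form must post over https to the same host, and
a secure page must not load http resources) is an assumption chosen for the
demo, not a browser's or PayPal's own rule.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _Collector(HTMLParser):
    """Collect form actions and script/iframe/img sources from raw HTML."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.form_actions.append(attrs.get("action") or "")   # "" posts to the page itself
        elif tag in ("script", "iframe", "img") and attrs.get("src"):
            self.resources.append((tag, attrs["src"]))


def audit_page(page_url, html):
    """Return (element, resolved_url, reason) for each policy violation."""
    page = urlparse(page_url)
    collector = _Collector()
    collector.feed(html)
    findings = []
    for action in collector.form_actions:
        target = urlparse(urljoin(page_url, action))      # resolves relative and //host forms
        if target.scheme != "https":
            findings.append(("form", target.geturl(), "form submits without TLS"))
        elif target.hostname != page.hostname:
            findings.append(("form", target.geturl(), "form submits to a different host"))
    for tag, src in collector.resources:
        target = urlparse(urljoin(page_url, src))
        if page.scheme == "https" and target.scheme == "http":
            findings.append((tag, target.geturl(), "insecure resource on a secure page"))
    return findings


# Constructed page: genuine-looking chrome pulled from the real host, one form
# that posts to an unrelated address, one that posts locally, one over http.
SAMPLE_PAGE = """<html><body>
<img src="https://www.paypal.com/images/logo.gif">
<script src="http://www.paypal.com/js/menu.js"></script>
<form action="https://203.0.113.9/collect.php" method="post">
  <input name="login_email"><input name="login_password" type="password">
</form>
<form action="/cgi-bin/webscr" method="post"><input name="cmd"></form>
<form action="http://www.paypal.com/login" method="post"><input name="x"></form>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_page("https://www.paypal.com/cgi-bin/webscr?cmd=_login-run", SAMPLE_PAGE):
        print(*finding)
```

Exact host comparison is deliberately strict: a form posting to another subdomain of the same site is reported too, and a site that legitimately does that would loosen the rule to the registrable domain rather than drop the check.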
    53. Re:Certificates changed? by eventhorizon5 · · Score: 1

      one thing to add-
      It's also important to remember that many internet users don't even know what SSL is, and if the site or email says that it is "secure", that's basically all they need to know in order to trust it.

      -eventhorizon

      --
      #Secret Windows Source Code, in MS C% - if (uptime >= "24 hours") then bsod() else print "Windows License Violation!"
    54. Re:Certificates changed? by bickerdyke · · Score: 1

      > Of course, it'll be "harder" for Joe Average to use P2P software (ie, he'll have to configure the box to allow specific ports through), but that's better than having him get infected with some damnable worm.

      Not quite. Joe Average wants his P2P to work and doesn't give a sh&% about worms.

      And he might start complaining about MS if his favourite Kazaa-thingy doesn't work anymore...

      --
      bickerdyke
    55. Re:Certificates changed? by AdeBaumann · · Score: 1

      ...and they supply the trusted SA themselves. If they can manipulate your hostfile, adding an additional "phishy" SA shouldn't be too hard.

      Of course, this doesn't apply if they hack the DNS. Then I agree, they won't. But they could conceivably manipulate the DNS entry for any trusted SA to one of their own servers and just - as it were - proxy the SA.

      Disclaimer: Haven't given this too much thought, it's before my morning coffee...

      --
      I gave up sigs almost a year ago.
    56. Re:Certificates changed? by andynz · · Score: 1
      Do you have any evidence of point number 1? Or are you pulling it out of your arse like you are point number 2.

      Most phishers run on compromised cable or DSL boxes on a non standard port. Very very few use free webhosting providers. In fact, I have never seen one.

    57. Re:Certificates changed? by mo^ · · Score: 1

      In this age of terrorism it's the thought that some Arab could plant a dirty bomb in my nice new Dell box, while it's still in the factory....

      Then of course there's the anthrax in my vacuum-sealed copy of San Andreas!!!

      can never be too cautious you know.......

      -22.4 Sarcasm Modifier

      --
      bah!*@%!
    58. Re:Certificates changed? by mo^ · · Score: 1

      hehehehe

      --
      bah!*@%!
    59. Re:Certificates changed? by dorward · · Score: 1

      I've tested this myself. Put up a fresh brand new install of XP. Before I could even start patching it, I had worms homing in.

      This is why I love my external ethernet/ADSL router and didn't bother getting a USB speedtouch thing.

      I wouldn't run Windows at all, but it's the price you pay to sanely test webpages in IE - one day we might be able to code to standards and expect Microsoft to get it right ... one day.

    60. Re:Certificates changed? by TheCrazyFinn · · Score: 1

      I do mail abuse. The vast majority of our phishing complaints involve free hosting providers, not compromised cable/DSL boxes (which are, however, the overwhelming source of the emails).

      --
      "You've got an invalid haircut" -Warren Zevon - Life'll Kill Ya
    61. Re:Certificates changed? by Ash-Fox · · Score: 1

      So, you're talking about an outdated version of Windows... Well, I suppose similar stuff would happen if an outdated distribution of Linux with its default settings was put online.

      --
      Change is certain; progress is not obligatory.
  2. The evolution of the Phisher... by Anonymous Coward · · Score: 0, Funny

    ...took an important turn once Native Americans discovered smoking "cannabis" herb.

    1. Re:The evolution of the Phisher... by Anonymous Coward · · Score: 0

      Umm, how is this flamebait? Silly mods!

  3. and this is accomplished how? by ChipMonk · · Score: 0, Troll

    Oh, that's right, Windows' nearly non-existent privilege system!

    Go ahead and whine about how much better traditional Unix privileges could be. It's still better than nothing, which is what most Windows desktops have.

    1. Re:and this is accomplished how? by ImaLamer · · Score: 4, Insightful

      I was going to mod you off topic...

      But I'll bite - attacks on DNS servers will direct everyone to the wrong site, Windows, Linux, UNIX, and Amiga users.

      Sorry.

    2. Re:and this is accomplished how? by tbase · · Score: 1

      Yeah, and if the DNS Servers are compromised, all your *nix security BS goes out the window. Even if your mother could use *nix, AND you could convince her to do it, AND she didn't have a Dell with Windows on it that she hides when you visit so she doesn't hurt your feelings, she'd still be vulnerable, and she's the one they're targeting, not you.

      --

      666-607: 6th floor apartment of the beast
    3. Re:and this is accomplished how? by malfunct · · Score: 1

      If they hijack the DNS so that https://www.paypal.com actually goes to a site owned by the phisher but looks exactly like PayPal, it doesn't matter what OS you are on; you will get scammed if you type in username/password to log on. I don't see a way to know that you are on the wrong site when it's DNS that sent you to the wrong place, unless you keep a list of valid PayPal IPs and check the IP of the site you went to.

      --

      "You can now flame me, I am full of love,"

    4. Re:and this is accomplished how? by Anonymous Coward · · Score: 0

      > Oh, that's right, Windows' nearly non-existent privilege system!

      Windows has a pretty extensive privilege system -- it's hardly ever used to its capacity, and tends to be subverted by users running as administrators. But it's a hell of a lot better than the crapola unix security system.

    5. Re:and this is accomplished how? by Aeiri · · Score: 1

      He wasn't talking about that part of the article, he was talking about this part:

      Last month, Secunia (Danish security firm) documented a case where a phisher somehow modified a windows host file so that when you type in the correct url in the address, it redirects you to the phisher site.

      What he is saying is, you can't alter the permissions of the hosts file on Windows, but with the Unix permission system, you could make the permissions be 644, owner root, and no regular user (or compromised program running AS a regular user) could alter that file.

    6. Re:and this is accomplished how? by braindead · · Score: 1
      • But I'll bite - attacks on DNS servers will direct everyone to the wrong site, Windows, Linux, UNIX, and Amiga users.
      Yes, but that site won't have a cert, so you won't type in your account info because the little "lock" or "key" symbol will be missing. Hence clueful users of any operating system are protected against that attack.
    7. Re:and this is accomplished how? by harlows_monkeys · · Score: 1
      What he is saying is, you can't alter the permissions of the hosts file on windows, but with the Unix permission system, you could make the permissions be 644, owner root, and no regular user (or compromised program running AS a regular user) could alter that file

      So instead you simply modify the library path to include a directory that is writable, and drop a compromised resolver library in there.

    8. Re:and this is accomplished how? by dioscaido · · Score: 4, Insightful

      Oh, that's right, Windows' nearly non-existent privilege system!

      Hmm... lets see.

      *runs regedit, tries to modify system registry keys -- ACCESS DENIED*

      *runs setup.exe, windows prompts for administrator password, I don't provide it -- ACCESS DENIED*

      *try to delete or modify a file on C:\Windows, or C:\Program Files\ -- ACCESS DENIED*

      *go into Hardware > Device Manager , tries to change hardware settings -- ACCESS DENIED*

      etc...

      I dunno... seems to be working pretty well from here.

      Don't confuse users choosing to run as root with having a failing privilege system. Remove your account from the Administrators group and put it into the Users group, and you'll see how extensive the privilege system is. Conversely, use root as your daily Linux account and see how much protection that gives you.

    9. Re:and this is accomplished how? by DA-MAN · · Score: 1

      Yeah, and if the DNS Servers are compromised, all your *nix security BS goes out the window. Even if your mother could use *nix, AND you could convince her to do it, AND she didn't have a Dell with Windows on it that she hides when you visit so she doesn't hurt your feelings, she'd still be vulnerable, and she's the one their targeting, not you.

      Not true. Not all DNS Servers are *nix, nor does *nix require bind. That's like saying that AutoCad has a buffer overflow, Windows is insecure.

      --
      Can I get an eye poke?
      Dog House Forum
    10. Re:and this is accomplished how? by Anonymous Coward · · Score: 0

      Probably off-topic, but on Windows I have changed permissions on a file so that no one, not even Administrator, could edit it. Talk about shooting yourself in the foot. Any tips on getting write permissions back? Cacls just errors out with a permission error.

    11. Re:and this is accomplished how? by swv3752 · · Score: 1

      You hope. If they can crack DNS then they can crack Verisign or whoever to get a "valid" certificate. A well coordinated attack with a bit of planning could wipe the accounts of millions.

      --
      Just a Tuna in the Sea of Life
    12. Re:and this is accomplished how? by Cro+Magnon · · Score: 2, Insightful

      *try running many regular programs -- ACCESS DENIED*

      There's a reason why many people run Windows as root, and it's not always cluelessness.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    13. Re:and this is accomplished how? by dioscaido · · Score: 2, Funny

      It's very true. But not the fault of Windows. Applications can be written with user privileges in mind. For example, I was pleasantly surprised recently when I installed Nero v6 and it installed a configurable CD burning service for non-Administrators. Thankfully most of the big ones work (most MS apps, Adobe apps, Macromedia apps, Mozilla).

      I personally think it's about time users demand that software makers stop coding applications that require admin access simply to run. That's unheard of in Linux/Unix.

    14. Re:and this is accomplished how? by Anonymous Coward · · Score: 0

      If it's not cluelessness, then it's laziness.

      There's no excuse for doing non-administrative tasks as the superuser. Stupid programs that aren't compatible with the security model can be worked around without compromising the security of the rest of the system.

    15. Re:and this is accomplished how? by dioscaido · · Score: 1

      Oh, and for those apps that suck and require admin privileges, you can shield yourself slightly by still running your account as User, and running only the offending application as Administrator. This can be done quite easily using runas.

      http://support.microsoft.com/?kbid=225035

    16. Re:and this is accomplished how? by dioscaido · · Score: 1

      Administrators still have access to change permissions back. So just browse to the file in question, right click, select 'security', and add Administrator back in w/ read rights.

      The smarter thing would be to run your daily account as a regular User (not Administrator); then programs would not have access, but you could easily run apps as Administrator (using runas...) when you need access.

    17. Re:and this is accomplished how? by wingspan · · Score: 1
      And don't you confuse a typical WinXP Home user, who uses the default setup and runs as Admin, with a seasoned user, who knows better. The key point for you to understand is that the DEFAULT is admin!

      That's NOT the default on my Suse and OSX boxes, BTW.

    18. Re:and this is accomplished how? by Software · · Score: 1
      If you're a power user (e.g., somebody who installs software a lot), it's not easy to run as a regular user. What I do is follow the advice at http://blogs.msdn.com/aaron_margosis/archive/2004/06/23/163229.aspx and switch to admin mode only when necessary.

      To do this, make the script below into a batch file. (The script below assumes you've renamed your administrator account to something - I chose XXXAdministrator). Read the comments in the script to see how it works - it's pretty nifty.

      @echo off
      REM
      REM This batch file starts a command shell under the current user account,
      REM after temporarily adding that user to the local Administrators group.
      REM Any program launched from that command shell will also run with
      REM administrative privileges.
      REM
      REM You will be prompted for two passwords in two separate command shells:
      REM first, for the password of the local administrator account, and
      REM second for the password of the account under which you are logged on.
      REM (The reason for this is that you are creating a new logon session in
      REM which the user will be a member of the Administrators group.)
      REM
      REM CUSTOMIZATION:
      REM The following values may be changed in order to customize this script:
      REM
      REM * _Prog_ : the program to run
      REM
      REM * _Admin_ : the name of the administrative account that can make changes
      REM to local groups (usu. "Administrator" unless you renamed the
      REM local administrator account). The first password prompt
      REM will be for this account.
      REM
      REM * _Group_ : the local group to temporarily add the user to (e.g.,
      REM "Administrators").
      REM
      REM * _User_ : the account under which to run the new program. The second
      REM password prompt will be for this account. Leave it as
      REM %USERDOMAIN%\%USERNAME% in order to elevate the current user.
      REM

      setlocal
      set _Admin_=%COMPUTERNAME%\XXXAdministrator
      set _Group_=Administrators
      set _Prog_="C:\Program Files\Internet Explorer\iexplore.exe file:///c:/"
      set _User_=%USERDOMAIN%\%USERNAME%

      if "%1"=="" (
      runas /savecred /u:%_Admin_% "%~s0 %_User_%"
      if ERRORLEVEL 1 echo. && pause
      ) else (
      echo Adding user %1 to group %_Group_%...
      net localgroup %_Group_% %1 /ADD
      if ERRORLEVEL 1 echo. && pause
      echo.
      echo Starting program in new logon session...
      runas /savecred /u:%1 %_Prog_%
      if ERRORLEVEL 1 echo. && pause
      echo.
      echo Removing user %1 from group %_Group_%...
      net localgroup %_Group_% %1 /DELETE
      if ERRORLEVEL 1 echo. && pause
      )
      endlocal
    19. Re:and this is accomplished how? by Anonymous Coward · · Score: 0

      Oh, and for those apps that suck and require admin privileges, you can shield yourself slightly by still running your account as User, and running only the offending application as Administrator. This can be done quite easily using runas.

      The linked page lists a very inconvenient way to run explorer.exe as admin (closing all open instances, killing the taskbar, etc.). Instead, make a shortcut to something like "c:\.....\iexplore.exe c:\" and set it to run as admin (iexplore functions as a regular explorer window when browsing a local drive, but will not refuse to run while your taskbar is running).

    20. Re:and this is accomplished how? by Anonymous Coward · · Score: 0

      Tiny fact: The Windows NT kernel has been designed to keep access control lists for anything the OS has to offer, from files to pipes to semaphores to RPC functions to individual configuration options in the registry... Users on these ACLs can come from a Kerberos authentication system, meaning full control over who on the network can do what, down to every last configuration detail of every application.

      Now what operating system still on sale offers full ACLs on individual configuration options (few people have seen it; have a look at regedt32.exe > Security > Permissions)?

      To talk about a "non-existent privilege system!" on "most Windows desktops" is completely justified for the DOS descendants, which may in fact have a huge portion of the market. Regardless of their market share, they often made me cry late at night when I had to clean out the porn dialers/spyware/DDoS zombie slave code of a friend's machine. But when you start comparing to Unix-alikes you should compare to the NT architecture as designed by Dave Cutler, a DEC/VMS runaway whom Microsoft wisely gave shelter because they realized what a mess they would make if they tried to do OS design/architecture on their own.

      The shell/browser/mail client codeblob, administrative RPC function mess and all-users-administrator, all-apps-usable-to-administrators-only installers and ActiveX are inexcusable of course. Architecture, not the CAP computer but well done; implementation... not so much.

    21. Re:and this is accomplished how? by dioscaido · · Score: 1

      Actually, if you set

      HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess = 1

      then you can do runas on explorer (the .exe or the links to it in the start menu) and it will come up without any complicated procedures.

    22. Re:and this is accomplished how? by braindead · · Score: 1
      • You hope. If they can crack DNS then they can crack Verisign or whoever to get a "valid" certificate. A well coordinated attack with a bit of planning could wipe the accounts of millions.
      Well, actually the keys that are used to sign the certificates are not stored on internet-accessible machines, so cracking into Verisign would do no good. These keys are split into sub-keys such that you need all the sub-keys to sign a certificate. Also, these subkeys are stored on a physical medium (not connected to a general-purpose computer, let alone the internet) that has very good physical security.

      So yes, stealing Verisign's private keys would enable a cracker to do significant damage. Verisign is however also one of the hardest targets you could pick, so I think that crackers are more likely to focus on easier targets.
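
      An added illustration of the key-splitting braindead describes (not code from the thread or from any CA): Shamir secret sharing over a prime field. The thread's "need all the sub-keys" is the k = n case; the same construction also gives a k-of-n threshold, which is shown too. The prime, the secret and the share counts are constructed toy values, not anything a real CA uses.

```python
import secrets

# Field modulus: the Mersenne prime 2**127 - 1. Any secret below this value
# (e.g. a 126-bit constructed toy key) can be shared directly; a real signing
# key would be chunked or a larger prime chosen. Constructed for this example.
PRIME = (1 << 127) - 1


def _eval_poly(coeffs, x, p):
    """Horner evaluation of sum(coeffs[i] * x**i) mod p."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def split_secret(secret, k, n, p=PRIME, rng=secrets.randbelow):
    """Split `secret` into n shares (x, y) such that any k of them recover it.

    The secret is the constant term of a random degree k-1 polynomial; share i
    is the polynomial evaluated at x = i. With k = n every share is needed,
    which is the "all the sub-keys" property the comment above describes.
    """
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    if not 0 <= secret < p:
        raise ValueError("secret must lie in [0, p)")
    coeffs = [secret] + [rng(p) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x, p)) for x in range(1, n + 1)]


def recover_secret(shares, p=PRIME):
    """Lagrange-interpolate the polynomial at x = 0 from the given shares.

    Fewer than k shares still produce a value, but it is unrelated to the
    secret (the degree k-1 polynomial is not determined by k-1 points).
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        # Lagrange basis polynomial L_i(0) = prod((0 - xj) / (xi - xj))
        secret = (secret + yi * num * pow(den, -1, p)) % p
    return secret


if __name__ == "__main__":
    toy_key = 0x5EC12E7  # constructed stand-in for a signing key
    # n-of-n split, as in the thread: every custodian's share is required.
    all_shares = split_secret(toy_key, k=4, n=4)
    print("4-of-4 recovers:", recover_secret(all_shares) == toy_key)
    print("3-of-4 recovers:", recover_secret(all_shares[:3]) == toy_key)
    # k-of-n threshold: any three of five custodians suffice.
    thr = split_secret(toy_key, k=3, n=5)
    print("3-of-5 recovers:", recover_secret([thr[0], thr[2], thr[4]]) == toy_key)
```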

    23. Re:and this is accomplished how? by Sinner · · Score: 1
      *go into Hardware > Device Manager , tries to change hardware settings -- ACCESS DENIED*
      True story... at my last job, I had a new Toshiba laptop running Windows 2000. One day, I needed to change a BIOS setting, so I used the handy Windows BIOS editing utility provided. Then I remembered that I happened to be logged in as "Guest".

      My workmates never understood why I was laughing so hard. Windows users, eh?

      --
      fish and pipes
    24. Re:and this is accomplished how? by mo^ · · Score: 1

      my Linux box was so secure that after 30 days it locked out my root password and I had to reinstall...

      admittedly I'm dumb as fuck where Linux is concerned... just needed to share the pain

      --
      bah!*@%!
  4. Old game by psi42 · · Score: 1

    Exactly how is this different from password-harvesting trojans/viruses?


    It's not like this is anything new.

    --
    Defenestrate Windows...
    1. Re:Old game by FishBrain · · Score: 1

      It's becoming far more widespread and is so easy to fall prey to, so now all of us have to worry about it. If you're tech savvy you should be able to avoid getting caught, but grandma may not be that sharp, even if warned, and she's possibly got the most to lose.

  5. Matthew 4:16-19 by Anonymous Coward · · Score: 5, Funny

    Simon called Peter, and Andrew his brother, casting a net into the sea: for they were phishers. And he saith unto them, Follow me, and I will make you phishers of men.

    Jesus p0wns you.

  6. in case the site goes down.... by Anonymous Coward · · Score: 0, Funny

    mirror here

    oh, and don't let the lil /. linker helper thingy fool you...it's perfectly legit. just register and you'll see the site in seconds ;)

  7. Phising on Linux by stecoop · · Score: 4, Funny

    Email:

    Although I could have written a very complex and well written virus that probably wouldn't work on your operating system, I am asking you to reply with your account name, password and any other card numbers you might have.

    I further ask that you forward this email message to all your friends and for that matter any one you don't know urging them to send me all your information.

    Yours Truly,
    Mr Phisher

    1. Re:Phising on Linux by Martin71a · · Score: 1

      Do I need any special equipment for phishing on Linux or will my fly rod setup be ok? Are there any type of limits as far as size and number of phish? What type of license is needed and is it more expensive if I phish from a Windows OS? And are there any local guides that could help me find where the best phishing might be?

    2. Re:Phising on Linux by AceCaseOR · · Score: 1

      Well, in order to tell you that I'll need your name & Credit Card number.

      --
      Zagreus sits inside your head, Zagreus lives among the dead, Zagreus sees you in your bed and eats you in your sleep.
    3. Re:Phising on Linux by Red+Herring · · Score: 1

      Better:

      Mr l33t:
      I am sending an email to BILL GATES to show him how badly LINUX is HURTING WINDOWS. To do that, I would like to show him the NUMBER OF ACCOUNTS that have NEVER GIVEN MICROSOFT A DIME. Let's show BILL how smart we are and how we're NOT SPENDING OUR MONEY ON WINDOWS! To help me, please send your name, bank account numbers, and credit card numbers to me so that I can put together a HUGE LIST! Send your information to billsucks@linuxrox!.com immediately!

      Thanks,
      Ali Gator

      --
      #include "standard_disclaimer.h"
  8. From TFA by lucabrasi999 · · Score: 1
    "If you think of phishers initially as petty thieves, now they're more like an organized crime unit," said Paris Trudeau, senior product manager for Internet-security firm SurfControl.

    Did I read that correctly?

    A senior employee of an Internet Security firm used to think of Phishers as "petty thieves"? Maybe Paris Trudeau needs to find a new line of work.

    1. Re:From TFA by swb · · Score: 1

      Well, didn't phishing initially get its start as a small-time deal to snag AOL accounts?

      After that it's largely a semantic debate as to what makes something an organized crime (2 guys working together?) and how many thousands you have to steal to not be petty.

    2. Re:From TFA by jephthah · · Score: 1, Informative

      IF you think of Phishers AS petty thieves ...

      NOW they're MORE LIKE an organized unit.

      it's called metaphorical comparison. It's an abstract logical tool.

      But don't worry, Luca. In your late teens and early 20's, your brain will physiologically be more able to handle abstract concepts, and you will have to rely on concrete expressions less often.

    3. Re:From TFA by Anonymous Coward · · Score: 0

      Bad grammar/choice of words creates confusion.

      Probably should read
      You may think of phishers as petty thieves, but rather they are more like an organized crime unit.

    4. Re:From TFA by Anonymous Coward · · Score: 0

      Your rewrite changes the meaning of the original sentence. The emphasis of the original statement is that phishers are more sophisticated now than they used to be in the past.

    5. Re:From TFA by lucabrasi999 · · Score: 1
      in your late teens and early 20's, your brain will physiologically be more able to handle abstract concepts, and you will have to rely on concrete expressions less often.

      And when your emotional state gets to the pre-teens age group, you will learn that a flame doesn't accomplish anything. Other than making you sound like an ass.

      My point, which obviously you will require a map to understand, is that this person (Paris Trudeau) should not have been using 'soft' language like 'petty thieves' to refer to Phishers.

      People that are not technologically inclined need to be reminded, constantly, that Phishers are hard-core criminals that are trying to steal your personal information in order to become wealthy at your expense. And, Phishers have been well-organized for years. Paris didn't emphasize what should have been emphasized for the average reader of CNN.com.

      In short, there are thousands of people that read that article that will compare Phishers with Tony Soprano, instead of taking the time to protect themselves from what could happen.

    6. Re:From TFA by Anonymous Coward · · Score: 0

      "If you think of phishers initially as petty thieves, now they're more like an organized crime unit," said Paris Trudeau, senior product manager for Internet-security firm SurfControl."

      Right. That is if you have absolutely no reading comprehension whatsoever. About the only way you would read that sentence and think that phishers are harmless people would be if you read it as follows:

      "Phishers are like petty thieves".

      Then again, if you read it that way you're probably borderline retarded and shouldn't have a credit card anyways.

  9. It's not me I'm worried about... by LithiumX · · Score: 1

    Any phishing of that type will result in a certificate error (assuming they don't do some heavy modding of your browser as well), which I can catch. But I'm sure most of us have parents who we've told the common "If you don't understand it say Ok" - ie not the safest thing in the world, but better than being called every 2 hours. Usually this works well, since even relative illiterates understand the idea of software being installed without them specifically wanting it, and can say no. But a certificate error? Quite a few people will shrug and click OK anyway. And moreover, what will this do to the economy, considering that suddenly a far greater level of financial intrusion will now be possible?

    --
    Do not confuse "Freedom of Choice" with "Free Will".
    1. Re:It's not me I'm worried about... by KingEomer · · Score: 1

      Is it possible for them to modify the certificate stored on your hard-drive? If so, then they shouldn't have to change the browser.

    2. Re:It's not me I'm worried about... by Twanfox · · Score: 1

      This tends to be one of those days that I'm thankful that my parents are not nearly as wired into the Internet as I am. They still pay their bills by check, buy just about everything at stores, and much of their information hardly ever reaches the Internet.

      How weird to be saying "Thank You mom and dad for being averse to technology" as a geek and actually be praising them.

    3. Re:It's not me I'm worried about... by me+at+werk · · Score: 1

      I suppose you could install Deep Freeze and have it reboot nightly. A really big "Thaw Space" and their windows install is (relatively) secure, as it won't be able to keep viruses/bugs, and will reset nightly/rebootly.

      It's akin to having a small Windows partition and a large data partition, except the Windows partition resets itself every reboot.

      --
      For context, click Parent.
    4. Re:It's not me I'm worried about... by BoogieChile · · Score: 1

      Well, actually I always thought that saying no if you don't understand it was the better course.

      similar to the block everything first principle in firewalls, nu?

      Then you can teach them that there are some things that it is safe to say yes to - as, on the whole, the subset of things it is safe to say yes to is far smaller than the ones you want to say no to.

      Defaulting to OK, yes, open, available, however you want to describe the ON switch is what got Windows into all this trouble in the first place.

  10. Anti-Phishing browser by MindStalker · · Score: 1

    Ok, Microsoft really needs to pick up the ball on this one. They need to make security certificate key information extremely obvious, such that when you log onto any "secure" website it pops up information about the key authority that can be understood by all. Then they need an expansive advertising campaign to tell users to look for these signs when entering confidential information, and not to enter such information otherwise.

    Of course then you would see popups that look identical to the key information; in fact I believe I've seen a full-page website that implemented this trick before. So any ideas on what can be done, outside of a box that sits next to your computer that displays said information?

    1. Re:Anti-Phishing browser by Spydr · · Score: 1

      YES. The real problem here is the usability of secure certificates. Even experienced web users get lost in the jumble of alerts that are near impossible to read unless you have a very solid understanding of what is going on.

      Once these alerts are fixed up, maybe we could make it easier to install secure certificates in your e-mail clients so people can sign/encrypt their e-mails more easily, instead of having to read an encyclopedia on secure certificates and then find a certificate authority and then figure out exactly how to install it on your OS/e-mail client.

      It's really ridiculous how difficult it is to do something that should be very simple by now.

    2. Re:Anti-Phishing browser by Anonymous Coward · · Score: 0

      Of course then you would see popups that look identical to the key information

      This is why systems like PassMark exist. If you really need to secure the channel all the way to the user's machine to establish the marks in the first place, then you're talking about something like Palladium, aren't you?

      Physical tokens like a SecurID also defeat spoofing attacks, and issuing them is pretty much routine for European banks. The US lags behind in this area, as usual.

    3. Re:Anti-Phishing browser by Anonymous Coward · · Score: 0

      NO. The real problem is that the hosts file is user-writable. Or root-writable with the user logged in as root. If you can't modify hosts, you can't use that exploit.
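
      As an added example (not code from the thread), a small Python checker for the hosts-file tampering the summary, Aeiri's comment (3.5) and this reply describe: it parses a hosts file, flags entries that override a watch-listed hostname or pin a name to a non-loopback address, and applies the "owned by root, not group/world writable" check from 3.5 on POSIX systems. The watch-list, the sample hosts lines and the function names are constructed for this example.

```python
"""Detect hosts-file pharming and weak hosts-file permissions (added example)."""
import ipaddress
import os
import stat
from dataclasses import dataclass

# Constructed watch-list: hostnames a user types for sensitive sites. A
# legitimate hosts file has no reason to carry any of these.
WATCHLIST = {"www.paypal.com", "paypal.com", "online.example-bank.test"}


def is_local(addr: str) -> bool:
    """True for loopback/unspecified addresses, the normal hosts-file content."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


@dataclass(frozen=True)
class Finding:
    line_no: int
    address: str
    hostname: str
    reason: str


def parse_hosts(text: str):
    """Yield (line_no, address, [hostnames]) per entry; comments/blanks skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        fields = entry.split()
        if len(fields) >= 2:
            yield n, fields[0], [h.lower() for h in fields[1:]]


def find_pharming(text: str, watchlist=WATCHLIST):
    """Return findings: watch-listed hosts overridden at all (the pharming case
    from the summary) and any other name pinned to a non-loopback address."""
    findings = []
    for n, addr, names in parse_hosts(text):
        for name in names:
            if name in watchlist:
                findings.append(Finding(n, addr, name,
                                        "watch-listed host overridden in hosts file"))
            elif not is_local(addr):
                findings.append(Finding(n, addr, name,
                                        "hostname pinned to a non-loopback address"))
    return findings


def permission_issues(mode: int, uid: int):
    """POSIX version of the 644/root check: the file must be root-owned and
    writable by nobody but the owner, or any user-level compromise can edit it."""
    issues = []
    if uid != 0:
        issues.append("not owned by root (uid %d)" % uid)
    if mode & stat.S_IWGRP:
        issues.append("group-writable")
    if mode & stat.S_IWOTH:
        issues.append("world-writable")
    return issues


def check_hosts_file(path: str):
    """Report content findings and permission issues for a hosts file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        findings = find_pharming(fh.read())
    if os.name == "nt":
        # os.stat mode bits are not meaningful on Windows; the ACL has to be
        # inspected with cacls (as mentioned in the thread) or the Security tab.
        perms = ["ACL not checked here; inspect with cacls"]
    else:
        st = os.stat(path)
        perms = permission_issues(stat.S_IMODE(st.st_mode), st.st_uid)
    return findings, perms


# Constructed sample: a normal loopback entry, an ad-block style entry, and a
# pharming entry sending the typed PayPal URL to a TEST-NET address.
SAMPLE_HOSTS = """127.0.0.1       localhost
0.0.0.0         ads.tracker.test            # ad-blocking style, harmless
192.0.2.44      www.paypal.com paypal.com   # pharming entry
"""

if __name__ == "__main__":
    for f in find_pharming(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.hostname} -> {f.address}: {f.reason}")
    print("0666 root:", permission_issues(0o666, 0))
```

On a Windows machine point check_hosts_file at %SystemRoot%\System32\drivers\etc\hosts; on Linux at /etc/hosts.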

  11. Evolution of the phish? by drivinghighway61 · · Score: 4, Funny

    Everyone knows phish evolved into amphibians.

    1. Re:Evolution of the phish? by Sexy+Bern · · Score: 1

      Amfibians, surely?

  12. I blame christians... by Anita+Coney · · Score: 1

    Didn't Jesus say in Matthew 4:19 that if we follow him he'll make us phishers of men?

    (Yeah, I know that was bad, but I just couldn't resist!)

    --
    If someone says he and his monkey have nothing to hide, they almost certainly do.
  13. Shouldn't it be.... by GillBates0 · · Score: 4, Interesting
    phisherman.

    Fishermen fish.
    Phishermen phish.

    It's not "Fishers fish".

    Carrying the analogy further, IE becomes a "phishing net" and Windows becomes a "phishing boat". The intarweb may be viewed as the "ocean" and your average AOLer a dumb "phish". Smarter geeks could be viewed as smarter "dolphins".

    Interesting, huh.

    --
    An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
    1. Re:Shouldn't it be.... by rbarreira · · Score: 1

      No, the phishing net would be the spam programs + fake bank web sites...

      --

      The AACS key is NOT 0xF606EEFD628B1CA427BEA93A9CA9773F
    2. Re:Shouldn't it be.... by meringuoid · · Score: 1

      I am the Phisher King. I con pagans out of their PayPal accounts.

      --
      Real Daleks don't climb stairs - they level the building.
    3. Re:Shouldn't it be.... by SpongeBobLinuxPants · · Score: 0

      To carry your analogy out a little more... smarter geeks could be viewed as smarter "dolphins", which are not fish, or in this case "phish", but are mammals.

    4. Re:Shouldn't it be.... by Xtifr · · Score: 1

      > It's not "Fishers fish".

      It's not?

      From Webster's Revised Unabridged Dictionary (1913) [web1913]:

      Fisher \Fish"er\, n. [AS. fiscere.]
      1. One who fishes.
      [...]

      From WordNet (r) 2.0 [wn]:

      fisher
      n 1: someone whose occupation is catching fish [syn: {fisherman}]
      [...]

      From M-W online:

      Main Entry: fisher
      Pronunciation: 'fi-sh&r
      Function: noun
      1 : one that fishes
      [...]

      Anyway, what about fisherwomen, you insensitive, sexist clod? And did you know that the word "gullible" doesn't appear in any dictionary?

    5. Re:Shouldn't it be.... by Johnny_Law · · Score: 1

      Smarter geeks could be viewed as smarter"dolphins".

      I think you misspelled "penguins".

    6. Re:Shouldn't it be.... by Elwood+P+Dowd · · Score: 1

      You must be using some definition of the word "interesting" with which I have never been acquainted.

      --

      There are no trails. There are no trees out here.
    7. Re:Shouldn't it be.... by sesquipedalian_one · · Score: 1

      Right. And we are starting to see the advent of drag-net phishing. Being a dolphin doesn't necessarily help much if they compromise a DNS server.

    8. Re:Shouldn't it be.... by Stanistani · · Score: 1

      Would that make slashdot "dolphin-safe" tuna, or is anything in a can - spam?

    9. Re:Shouldn't it be.... by abiessu · · Score: 1

      "Carrying the analogy further..." I think the terms work out better as "the newest virus/spyware that harvests info becomes a phishing net" and "the development machine for new viruses/spyware becomes a phishing boat". The 'ocean' and 'average AOLer' are spot-on, but 'smarter geeks' could potentially be viewed rather as the smaller phish that the 'net' just couldn't catch (where relative phish size does not directly relate to catch value).

      --
      Let S_n = {nst+us+vt : s,t in Z \ {0}, u,v in {-1,1}}. For all n in Z where |n| > 2, Z \ S_n is infinite... right?
    10. Re:Shouldn't it be.... by scooby-doo · · Score: 1

      "Smarter geeks could be viewed as smarter"dolphins"."

      Well at least we know all the tuna would be dolphin safe with your average slashdotters.

    11. Re:Shouldn't it be.... by Anonymous Coward · · Score: 0

      I think you missed the obvious "surfing the net" in your analogy. Not that fish surf, but an oceanographic activity like this surely should be included.

      hmmm.....

    12. Re:Shouldn't it be.... by Anonymous Coward · · Score: 0
      Carrying the analogy further, IE becomes a "phishing net" and Windows becomes a "phishing boat". The intarweb may be viewed as the "ocean" and your average AOLer a dumb "phish". Smarter geeks could be viewed as smarter"dolphins".

      I'm pretty sure that if fish -> phish, then dolphin -> dolfin. It's the conservation of stupid spelling rules.
    13. Re:Shouldn't it be.... by Red+Herring · · Score: 1

      So Linux is a Dolphin safe phishing net, then?

      --
      #include "standard_disclaimer.h"
    14. Re:Shouldn't it be.... by RedBear · · Score: 1

      Carrying the analogy further, IE becomes a "phishing net" and Windows becomes a "phishing boat". The intarweb may be viewed as the "ocean" and your average AOLer a dumb "phish". Smarter geeks could be viewed as smarter"dolphins".

      More like "whales", if we are speaking of cetaceans.

      Bwahahahaha! I made a joke about geeks being fat!
      Ohhhh, I'm a fat geek too. Now I've made myself sad...

      Bah! If anyone wants me, I'll be in the Angry Dome!

    15. Re:Shouldn't it be.... by RedBear · · Score: 1

      Carrying the analogy further, IE becomes a "phishing net" and Windows becomes a "phishing boat". The intarweb may be viewed as the "ocean" and your average AOLer a dumb "phish". Smarter geeks could be viewed as smarter "dolphins".

      Funny. The more things change...

      Let us all hearken back to the days when traveling carnivals were popular. You were either a mark (phish) or a carnie (phisher). Those running the show get trained to pick out the marks and reel them in. Everyone pick up your copy of Heinlein's classic Stranger in a Strange Land, wherein Michael joins a carnival for a time and learns just how dumb most of the human race really is...

      But we really shouldn't talk. We're all marks in the right situation. Take the dolphin out of its regular environment and it can be just as vulnerable as the dumb AOL phish. Humans are the craftiest beings in the known universe. They are always looking for a way to screw you, and there are only so many precautions one can take.

      Our strongest weapon against scammers is cooperation. And redundant webs of trust. Our two strongest weapons against scammers are co-- oh, nevermind.

    16. Re:Shouldn't it be.... by ozbird · · Score: 1

      So an angler is one who angles?

    17. Re:Shouldn't it be.... by magus_melchior · · Score: 1

      It's not "Fishers fish".
      Actually, that's valid. A fisher is just an older term for the more recent "fisherman".

      --
      "We are Microsoft. You shall be assimilated. Competition is futile."
    18. Re:Shouldn't it be.... by Anonymous Coward · · Score: 0

      Moron.
      They didn't compromise a DNS server. They changed the local DNS settings.

      Big. Fucking. Difference.

  14. DNS? Bah! by saintp · · Score: 5, Funny
    it is also believed that phishers are attempting to compromise domain name servers. If one of these goes down, millions could lose their security instantly, even if they themselves have maintained the security of their computers.
    That's why only sissies and noobs use DNS. "Don't have to remember numbers," they cry. "Makes life easier," they whine. Hah! So does Gator! But I've got the upper hand now! My security won't be compromised while posting on 66.35.250.150, bitches.
    1. Re:DNS? Bah! by Anonymous Coward · · Score: 0

      Damn I wish I had some mod points. Somebody mod this man +5 funnytacular!

    2. Re:DNS? Bah! by frostfreek · · Score: 1

      I hope you are using Lynx to browse, then, 'cuz those image hyperlinks to akamai will get you!

    3. Re:DNS? Bah! by Anonymous Coward · · Score: 0

      That's great until the address legitimately changes. You _HAVE_ to be able to trust the DNS for the internet to work in the real world.

    4. Re:DNS? Bah! by ziplux · · Score: 2, Insightful

      What about sites hosted on virtual servers? You _need_ DNS for those sites to work, otherwise the server doesn't know what site you want.

    5. Re:DNS? Bah! by SpongeBobLinuxPants · · Score: 0

      In that case, could you please send your credit card numbers, dob, ssn, and mother's maiden name to spongeboblinuxpants@64.4.19.134?

    6. Re:DNS? Bah! by saintp · · Score: 2, Funny

      Images? What the heck are you talking about? Oh brave new Internet that has such things in it!

    7. Re:DNS? Bah! by Spad · · Score: 1

      You think you're so smart, just wait until everyone's using IPv6.

    8. Re:DNS? Bah! by Anonymous Coward · · Score: 0

      That won't work you frickin' moron. You need to use brackets around the IP address.

    9. Re:DNS? Bah! by B2382F29 · · Score: 1

      You don't need DNS for them to work; a simple entry in your hosts file is enough, because the name used in virtual hosting is sent in the HTTP request.

      --
      Move Sig. For great justice.
  15. Passwords updated by BrGaribaldi · · Score: 1

    My question is, who thinks that a message saying all your bank passwords need to be updated on one website is really from the bank? The bank won't even send your PIN and your ATM card to you in the same envelope. They send them a week apart from each other. Now they're asking you to submit everything? At once? Who does that?

    1. Re:Passwords updated by gurps_npc · · Score: 1

      Part of the problem I was discussing is that the new Phishers do not send you email. They just modify your hosts file / attack the Domain Server and wait for you to log in normally. Many more people will fall for this.

      --
      excitingthingstodo.blogspot.com
    2. Re:Passwords updated by MightyMartian · · Score: 2, Interesting

      Let's be perfectly blunt. The average human being is functionally retarded. They're perfectly capable of being taught a few neat tricks like reading the newspaper or buying a member of the opposite sex a drink before groping them, but when it comes right down to it, about 95% of the species H. sapiens are gibbering morons who will refuse to listen to constant warnings about opening suspicious attachments, paying attention to certificate warnings, but will happily supply their credit card numbers to the first guy that comes along and says "We're from PayPal and we need to verify your account information".

      I used to think something should be done about this, but since the average daft ninny who bought a computer from Big Ticket Computer Store is pretty much incapable or unconcerned about these matters, I figure what the hell! Let the scammers steal their money and their identities. People this idiotic and unwilling to learn even the rudiments of keeping themselves safe on the Internet deserve everything they get.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    3. Re:Passwords updated by lawpoop · · Score: 4, Insightful
      I have to disagree. People evolved to live in small, related, co-operative groups. These days most people live in large hostile cities surrounded by strangers. In order to keep society from breaking down into looting, riots, and revenge killings, the government has to constantly train people from kindergarten to stand in line, sign their name, show their papers, write checks/give their credit card numbers for the bills every month, do what the man in the suit/uniform says.

      Now, you have the situation where a hostile stranger poses as a man in the uniform asking joe citizen to do what he's been trained all his life to -- show his papers, give his numbers, sign right here... are you surprised at the results?

      --
      Computers are useless. They can only give you answers.
      -- Pablo Picasso
    4. Re:Passwords updated by dilg · · Score: 2, Interesting

      Add to that society's information overload and most users will click without batting an eye.

    5. Re:Passwords updated by Anonymous Coward · · Score: 0

      Let's be perfectly blunt. The average human being is functionally retarded. They're perfectly capable of being taught a few neat tricks like reading the newspaper or buying a member of the opposite sex a drink before groping them, but when it comes right down to it, about 95% of the species H. sapiens are gibbering morons who will refuse to listen to constant warnings about opening suspicious attachments, paying attention to certificate warnings, but will happily supply their credit card numbers to the first guy that comes along and says "We're from PayPal and we need to verify your account information".

      I guess you have a job in tech support. I know the feeling :-)

    6. Re:Passwords updated by LuxFX · · Score: 1

      The average human being ... will refuse to listen to constant warnings about opening suspicious attachments, paying attention to certificate warnings, but will happily supply their credit card numbers to the first guy that comes along

      As far as I'm concerned, the point of these security alerts is simply liability. Sure, the idiots won't listen. But at least the alerts were there. When they do get scammed out of their entire bank account, they won't be able to say, "We didn't know!" Instead, the geeks will be able to say, "There were warnings!" and the blame will rest squarely on the idiots' shoulders.

      Tada. Liability. The warnings aren't for their sake, it's for ours.

      --
      Punctanym: alternate spelling of words using punctuation or numerals in place of some or all of its letters; see 'leet'
  16. Re:timmyshow@hotmail.com by Anonymous Coward · · Score: 1, Informative

    "Somehow modified the windows hosts file."

    Yes, that's pretty clever of them. Nobody would think of that. It's pretty hard to do. You will need extensive knowledge of a fucking text-editor.

    Seriously, where is the news?

  17. Everybody, remember all IPs by nsasch · · Score: 1

    This is why we should all stop using DNS and just remember IPs for all our favorite sites. A nice feature for a browser or an extension would be to cache IPs and compare before connecting to a site. Imagine if the IP ever changed for a site, you would be asked immediately if you would like to continue. For sites like no-ip.com it could be annoying, but financial sites would instantly be known to have something wrong going on.

    --
    Make your computer faster: rm -rf /mnt/windows/
    1. Re:Everybody, remember all IPs by TigerNut · · Score: 1

      Cache them where? In the filesystem or in the registry? At a discoverable file or key location, presumably?
      This would only be secure if the cache was secured using a secret key (i.e. using local serial number information that wasn't ever visible from the network a machine might be on).

      --

      Less is more.

    2. Re:Everybody, remember all IPs by Mercano · · Score: 1

      "For sites like no-ip.com it could be annoying, but financial sites would instantly be known to have something wrong going on." Problem, though: big sites tend to have web server clusters, with a different IP address for each mirroring box. Really big sites use some sort of geographic load balancing scheme, like akamai where you never know quite what you will get back from the DNS server. Do an nslookup on google some time to see.

      --
      #include <signature.h>
    3. Re:Everybody, remember all IPs by yetdog · · Score: 1

      I love it. Maybe we could get a Firefox extension written for exactly this!

    4. Re:Everybody, remember all IPs by codemachine · · Score: 1

      I know, we could write a program that stores known IPs for our favorite sites in a local database, then shares that information with anyone who wishes to use it. If you don't have the IP in your local cache, you can go to one of these other places to get it. If we wanted to get real fancy, we could arrange these "IP caches" in a hierarchy, and provide mechanisms to store mailserver IPs.

      Now if only FireFox supported such a system...

    5. Re:Everybody, remember all IPs by Anonymous Coward · · Score: 0

      > Imagine if the IP ever changed for a site, you would be asked immediately if you would like to continue.

      Round-robin DNS. Not so good. How about caching SSL certs instead? That's what ssh does. That would tend to protect against upstream DNS hijacking too.

      Of course if your local machine is compromised, there's nothing you can do, since any security mechanism could be subverted or just disabled.

    6. Re:Everybody, remember all IPs by nsasch · · Score: 1

      This almost makes me want to get into Firefox extensions and start a project for this. But....I'm too busy right now :(

      --
      Make your computer faster: rm -rf /mnt/windows/
    7. Re:Everybody, remember all IPs by Anonymous Coward · · Score: 0

      For those that didn't get it, he's describing DNS, and FireFox obviously already supports it.

  18. Simple cure by Turn-X+Alphonse · · Score: 1

    Banks need to start charging MS for all the money they have to "return" to customers after they get caught by a scam like this. It must be costing them millions and a lot of it is from people using Windows. I'm sure Bill would stick his thumb out and get moving if he had several million dollars in fines he can't pay in Windows 98 CDs.

    --
    I like muppets.
    1. Re:Simple cure by ScentCone · · Score: 1

      Banks need to start charging MS

      And if your ISP's name server or your border router or something not on your desktop is lying to you about a forward lookup on a trusted domain name? This doesn't even have to include SSL hacking, because most users will see the phish mail, and if they're typical people, see that the target URL is mybank.com and just go there, and suffer.

      This ain't just an MS thing.

      --
      Don't disappoint your bird dog. Go to the range.
  19. spyware problem: admin users v. regular users by rjnagle · · Score: 1

    Wow! I had some spyware overwrite the windows etc/hosts file every time I rebooted, and I couldn't remove it. The solution (for me) was backing up the hosts file and surfing under a user account to prevent a similar kind of infection.

    If Admins can modify this file willy-nilly, then it could be a major problem for users who haven't bothered to create user accounts.

    rj

    --
    Robert Nagle, Idiotprogrammer, Houston
    1. Re:spyware problem: admin users v. regular users by Anonymous Coward · · Score: 0

      Hello, Mr Obvious.

    2. Re:spyware problem: admin users v. regular users by Technician · · Score: 1

      Wow! I had some spyware overwrite the windows etc/hosts file every time I rebooted, and I couldn't remove it.

      More users need to learn to use tripwire. It should be part of most AV packages. The Hosts file should not change except when the user changes it. The best bet is to put it in the router instead of the PC where it can be easily modified.

      The other big problem is the bad habit of Windows trying to run everything bright and flashy by default. A browser should be more of a browser instead of a command interface for websites.

      --
      The truth shall set you free!
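The tripwire idea above (and rjnagle's overwritten hosts file) in working form, as an added example that is not code from either poster: a small hosts-file parser, a baseline fingerprint so any change is noticed, and a watchlist of domains that should never appear in the file at all. The sample file content, the watchlist domains and the addresses are constructed for the example.

```python
import hashlib
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: what a tampered Windows hosts file might look like.
# The loopback lines are normal; the last two entries are the kind a
# redirecting trojan would add (domains and IPs are placeholders).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.44      www.mybank.example   mybank.example
203.0.113.9     www.paypal.example
"""

# Domains the user considers sensitive; any hosts entry for them is suspect,
# because a bank has no reason to ask you to pin it in a local file.
WATCHLIST = {"mybank.example", "paypal.example"}


@dataclass(frozen=True)
class HostEntry:
    ip: str
    names: tuple  # every hostname on the line: canonical name plus aliases


def parse_hosts(text: str) -> list:
    """Parse hosts-file text: one IP followed by one or more names per line,
    '#' starts a comment, blank lines are ignored, invalid lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: ignore the line
        if len(fields) < 2:
            continue
        entries.append(HostEntry(fields[0], tuple(n.lower() for n in fields[1:])))
    return entries


def _parent_domains(name):
    parts = name.split(".")
    return {".".join(parts[i:]) for i in range(len(parts))}


def suspicious_entries(entries, watchlist):
    """Return (ip, name, reason) for entries that map a watchlisted domain
    (or any subdomain of it) anywhere, and for entries that pin a non-local
    name to loopback (a common way to cut a machine off from AV updates)."""
    findings = []
    for e in entries:
        addr = ipaddress.ip_address(e.ip)
        for name in e.names:
            if _parent_domains(name) & watchlist:
                findings.append((e.ip, name, "watchlisted domain overridden"))
            elif addr.is_loopback and name not in ("localhost", "localhost.localdomain"):
                findings.append((e.ip, name, "non-local name pinned to loopback"))
    return findings


def fingerprint(text):
    """SHA-256 of the file text; record it while the file is known good."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def check_hosts(text, baseline_fingerprint, watchlist=WATCHLIST):
    """Return (changed_since_baseline, findings)."""
    changed = fingerprint(text) != baseline_fingerprint
    return changed, suspicious_entries(parse_hosts(text), watchlist)


if __name__ == "__main__":
    known_good = fingerprint("127.0.0.1 localhost\n::1 localhost\n")
    changed, found = check_hosts(SAMPLE_HOSTS, known_good)
    print("hosts file changed since baseline:", changed)
    for ip, name, why in found:
        print(f"  {name} -> {ip}: {why}")
```

On a real machine you would feed it the contents of %SystemRoot%\system32\drivers\etc\hosts (or /etc/hosts) and a fingerprint saved when the file was last known to be clean.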
  20. DNS by tommyth · · Score: 0

    I would be very concerned if someone who owns/runs a DNS server was not net-savvy enough to avoid phishing scams.

  21. A few simple rules by KiltedKnight · · Score: 1
    1. Call your financial institution before even attempting to use the web. They generally have toll-free numbers, and major ones tend to have 24 hour customer service. Ask them if there really is a problem with your account, and if there is, ask them how to remedy it.
    2. If you run IE, shut it down and use Mozilla, Firefox, Netscape, Opera, or some other browser. If you don't want to go through the downloading, go into your internet preferences and disable ALL forms of ActiveX and VBScript.
    3. If it's an email claiming to be your bank or other financial institution and they ask you to click on a link contained therein, don't do it. Go to your web browser and type in the link manually.
    4. If you use Firefox, try installing something like SpoofStick.

    Sometimes, the simplest things you do can make all the difference whether your account gets compromised or not.

    --
    OCO is Loco
    1. Re:A few simple rules by malfunct · · Score: 1

      I think the DNS attacks they are talking about in the article may trick even SpoofStick, as the domain your browser went to really was the site you thought you went to. It's just that DNS (or your hosts file) gave you a bogus IP for that domain which sent you to a phisher's server. Your browser really does think it went to "https://www.paypal.com", for example.

      --

      "You can now flame me, I am full of love,"

    2. Re:A few simple rules by KiltedKnight · · Score: 1
      Unfortunately, unless you run your own DNS server, there isn't much you can do about DNS server attacks.

      Disabling ActiveX and VBScript guards against your hosts file being compromised, because most people just set their Windows user accounts to be an administrator of the box. Unix/Linux users don't have to worry about this, unless they're running the web browser as root, in which case they deserve what happens to them.

      Of course, if you're mildly net-savvy, you can always use "dig" or "nslookup" and check about four or five well-known servers before you even go to the financial web site. If all of them return the same thing, you're probably safe. If any of them return something different, wait 12 hours and see what happens.

      --
      OCO is Loco
    3. Re:A few simple rules by nzkbuk · · Score: 1

      That's exactly the problem: even your dig or nslookup on 4 or 5 servers won't work.

      If a server is compromised high enough up the DNS chain then all the 4 or 5 servers will be getting the same info.

      Assume one of the root servers was compromised. Instead of giving you whois for the real domain holder they give you whois info (authoritative DNS servers) for the Phisher.

      E.g. whois slashdot.org gives me the following name server info:

      Name Server:NS2.OSDN.COM
      Name Server:NS1.OSDN.COM
      Name Server:NS1.VASOFTWARE.COM
      Name Server:NS2.VASOFTWARE.COM
      Name Server:NS3.VASOFTWARE.COM

      A Phisher gets a key dns server and you might as well have
      Name Server:NS1.Phisher.COM
      Name Server:NS2.Phisher.COM
      Name Server:NS3.Phisher.COM

      For the most part getting into AOL's resolvers would provide enough victims if they changed www.paypal.com to point to their server.

    4. Re:A few simple rules by KiltedKnight · · Score: 1
      You also have to consider the "reverse lookups."

      A whois sent to any of the domain registrars will tell you who the appropriate DNS host is, or at least who should have the authority.

      If they go through all the trouble of not only compromising the DNS servers themselves, but creating something that will handle commands like
      whois -h whois.networksolutions.com ebay.com
      either they've got an extremely elaborate setup to begin with, or their site will end up coming down in short order because of the sheer volume of requests coming in for all kinds of information. Test out whether they've compromised everything by entering some obscure domains that you know about and see if they're reporting the correct information.

      Yes, you can sort of spoof all that by having the request for an "unknown" domain pass through to the real server, then pass that data back to the requestor, but unless you end up hijacking and rerouting all of the major domain registrars' web server resolutions...

      Yes, you invest a lot. Yes, your potential for returns goes way up. So does the chance that someone out there will notice what's going on. Like most thieves, they want to be "gone in 30 seconds or less." Anything that ends up adding additional "time" to commit the actual crime increases the chance that they'll be discovered.

      --
      OCO is Loco
    5. Re:A few simple rules by surgespike · · Score: 1

      Simple Solution: Enter deliberate incorrect password at first login.

    6. Re:A few simple rules by Technician · · Score: 1

      If it's an email claiming to be your bank or other financial institution and they ask you to click on a link contained therein, don't do it. Go to your web browser and type in the link manually.

      Don't follow the link regardless. Use your old proven bookmark to go to your bank's site, then try to find the link from there. If you can't find the link from the existing bookmark, notify the bank and forward the e-mail to the bank's fraud department. They would love to hear from you.

      --
      The truth shall set you free!
    7. Re:A few simple rules by nzkbuk · · Score: 1

      While in an ideal world I'd have to agree with you about reverse DNS lookups, too many places don't care / have bad / missing reverse lookup data.
      So if a Phisher was to have no reverse lookup data, then they would probably match A LOT of legit sites.

      eg www.barclays.co.uk (a major bank in the UK)
      www.barclays.co.uk has address 193.128.3.187
      www.barclays.co.uk has address 62.172.239.187

      Host 187.3.128.193.in-addr.arpa not found: 3(NXDOMAIN)
      Host 187.239.172.62.in-addr.arpa not found: 3(NXDOMAIN)

  22. Re:No more new made up words for things that exist by Perl-Pusher · · Score: 1
    New words are continuously invented and have been since the dawn of spoken language; get over it.

    Car - horseless carriage.

  23. As the bible says by awhelan · · Score: 0

    If you give a man a fish, he will eat for a day. If you teach a man to phish, he will steal your money, and buy enough fish to eat for life.

  24. Mod Parent Up by handy_vandal · · Score: 1
    That's why only sissies and noobs use DNS ... my security won't be compromised while posting on 66.35.250.150, bitches.
    Damn I wish I had some mod points. Somebody mod this man +5 Insightful.

    I scrolled down the posts, looking and looking for someone to address the problem of DNS compromise.

    You nailed it, thus the +Insightful -- and throw in some +Funny, for good measure.

    -kgj
    --
    -kgj
    1. Re:Mod Parent Up by nzkbuk · · Score: 2, Informative

      Funny, yes, Insightful, no
      Most web sites are hosted on a shared platform. That's the whole reason HTTP 1.1 was invented. Go to any site on there and unless you type in the commands directly and like reading text with html tags (not displayed as web pages), then over 90% of web sites will be inaccessible.

  25. How's your phishing-picking-out-skills? by froggero1 · · Score: 2, Interesting
    Even straightforward phishing attacks are getting more sophisticated. Spelling errors and mangled Web addresses made early scams easy to spot, but scam artists now commonly include legitimate-looking links within their Web addresses, said Kate Trower, associate product manager of protection software for EarthLink Inc.

    I have noticed this lately as well... so now I scrutinize every email I get, hovering over links, and occasionally, entering the first line or so into google. I do consider myself to be pretty good at figuring out if it's a phish or not though. I found a fun little phishing-finding-outting test to take on i-am-bored.com. Try it out and see how well you do!

    --
    ~/.sig: No such file or directory
  26. We're from the government; we're here to help by Doc+Ruby · · Score: 1

    Who trusts the Department of Homeland Security to help secure DNS with a task force from their Cybersecurity department?

    --

    --
    make install -not war

    1. Re:We're from the government; we're here to help by lengau · · Score: 1

      Oh yeah. I trust the dep't of Homeland Security for EVERYTHING!!! Just like we trusted them before 9/11/01 when they said we were safe!

      --
      I really wanted to change my sig to something witty, but all I could come up with is this.
  27. Let's face it by rbarreira · · Score: 1

    Computers were not made to be safe, much less the internet. Anyone who thinks that by accessing his bank online, they're not risking anything, is just heavily misguided. Anyone who does online banking, shopping and so on, is at risk.

    If you don't want those risks, go doing those tasks the traditional way.

    --

    The AACS key is NOT 0xF606EEFD628B1CA427BEA93A9CA9773F
    1. Re:Let's face it by Clod9 · · Score: 3, Insightful
      Even ignoring online banking is getting to be difficult.

      I recently opened a new account and they told me "oh, by the way, online banking is free! All you have to do is XYZ to start using it." It turns out my account was already open to all comers if they happened to know my account number and part of my SSN. So I was FORCED to at least set a password. No, I haven't yet written a letter to the bank, because I don't think it will really do any good.

      Eventually, as banks find higher profit in not providing physical branches, most people will be forced to do their banking online. In ten years I think we'll find there's not much choice. We'll actually have to pay extra fees NOT to do it that way.

    2. Re:Let's face it by Anonymous Coward · · Score: 2, Interesting

      If you don't want those risks, go doing those tasks the traditional way.

      You mean like giving your credit card to slacker teens working at the mall?

    3. Re:Let's face it by rbarreira · · Score: 1

      Yeah, but that would be a different risk then ;)

      --

      The AACS key is NOT 0xF606EEFD628B1CA427BEA93A9CA9773F
    4. Re:Let's face it by Joel+from+Sydney · · Score: 1

      Eventually, as banks find higher profit in not providing physical branches, most people will be forced to do their banking online. In ten years I think we'll find there's not much choice. We'll actually have to pay extra fees NOT to do it that way.

      Clearly you've never dealt with an Australian bank. Getting cash out over the counter from a human being can cost you anywhere between $1 and $5. Want to get a bank cheque because you're buying a car? $10 fee. The privilege of having an account with the bank? $5 per month "account keeping" fee. Use an ATM or EFTPOS terminal on a different bank's network, $1.50.

      The situation here in Australia with banks gouging fees and charges has just gotten ridiculous. With a bit of research and careful planning, you can minimise the amount of fees you're paying, but for Grandma who's been using the same passbook since 1967, can't use a computer and hates talking to machines on the phone, that simply isn't an option.

  28. It's not only about certificate errors by DingerX · · Score: 2, Insightful

    Folks, let's do the math:
    Phishers do not need to be successful very often. Think sperm here: if conditions are right, most of the time only one gets lucky 20% of the time. (Sorry for the anchorman gag)
    Consider the facts:
    1) Only a few sites transact critical personal data (Credit cards, identity info) without proper security
    2) Only a few sites use security certificates that are A) out of date B) for a different site C) otherwise invalid.
    3) only a modest majority of IE users have been trained into clicking "OK" on every security warning they see, especially for sites they know they trust.

    If a phisher jacks a DNS, if they're good and have volume, they'll only go for 1); the certification warnings in 2) are worthless. They're worthless for two reasons. First, browsers give the user the option of proceeding. Second, browsers don't distinguish between unimportant in-the-clear transmissions and stuff that looks like credit card numbers and identity information. Ideally, all browsers should have a cert mismatch not be an "ignorable" offense, but be one that causes the connection to fail.
    3) As a backup, any attempt at in-the-clear transmission of numeric data longer than 5 digits should cause a whole storm of scary looking warnings (get rid of the "saturate the user with needless warnings" garbage that does more harm than good) stating that this is a really bad idea if it's anything valuable and to please, for the love of jeebus, reconsider.

    I have no doubt they're hammering away at DNSs around the world; and they'll probably get one.

    Oh yeah, and Mandatory Email encryption should be enabled, dammit.

    1. Re:It's not only about certificate errors by me+at+werk · · Score: 1

      On the "discern between unimportant stuff and cc stuff", I know in Norton AV (and I think, somehow, in Firefox) you can tell it what your personal data is, such as credit cards etc. I've never used it, but I think this allows it to go "Hey, You just sent your credit card encryption via an insecure connection. I'm going to have to say no, until you confirm that you want to ignore that and do it anyway."

      Here's a web page explaining it in detail, and yes, it works as I described it seems.

      --
      For context, click Parent.
  29. dnssec by martok · · Score: 1

    I am surprised dnssec tsig et al haven't really taken. The technology's been around for some time in one form or another but hasn't been adopted by many if any tlds and the root zone. That should render DNS attacks ineffective for phishing attacks provided keys were properly secured.

    1. Re:dnssec by lengau · · Score: 1

      The problem is that average users are scared of change. It works like this:

      WWW domain owners: most users are average users, we must conform to what average users use

      Micro$oft: Well, we control the world of computers, why update? we're going just fine on IPv4, regular DNS, etc. Why should we make the newer, better, stuff available by default? that would mean we'd have to update. Let's rather put it all in a command line program that lets you install it. Normal users are scared of the command line

      Normal users: What's DNS? is that like www?

      --
      I really wanted to change my sig to something witty, but all I could come up with is this.
  30. Actual example anyone? by Anonymous Coward · · Score: 0

    I'd like to see a pair of domain names:

    a) the real site (e.g. www.bankofamerica.com)
    b) its phisher version (probably hosted in a lawless country)

  31. Cyber terrorism? by GrouchoMarx · · Score: 4, Insightful

    Here's where our laws are truly screwed up.

    On the one hand, downloading music from "unauthorized" sources such as P2P networks will get million dollar fines and, if the companies get their way, jail time, when there is actually no evidence that they are causing a loss of revenue (even if they are technically violating copyright law).

    Meanwhile, people who write spyware, break into computers and DELETE data, shut down networks, and attack DNS servers in order to disrupt all traffic on the Net (roughly the online equivalent of putting tacks all over a major expressway junction) get.... what? Really, I have no problem with seeing these people get 20-life hard time.

    When will the people who [ run the country | have money | bought Congress ] realize who the real threat to the Internet and to their bottom line is? It's not cheap Britney Spears fans. It's the people trying to break the Internet in order to get better advertising.

    Oh wait, I forgot. Advertising is always good, because companies do it, so they can't object when someone tries to advertise. Silly me. Greedy SOBs have to stick together.

    --

    --GrouchoMarx
    Card-carrying member of the EFF, FSF, and ACLU. Are you?

    1. Re:Cyber terrorism? by rbarreira · · Score: 1

      Not forgetting that phishing attacks always (?) leave a non deletable clue behind - the address of the fake server which will receive the info. Have there been prosecutions resulting from this? I'm not aware, but... I haven't searched either.

      --

      The AACS key is NOT 0xF606EEFD628B1CA427BEA93A9CA9773F
  32. Don't trust DNS by MattW · · Score: 1

    The simple answer: for all places where you have sensitive information, bookmark an SSL-enabled url.

    For example, instead of logging into your bank by typing in "www.mybank.com", bookmark their login info like:

    https://www.mybank.com/login.bnk?gz=1

    Or whatever.

    When you visit the https url, even if a phisher has completely altered dns and hijacked your connection, they do not have the private key for the institution.

    If you want to be paranoid, save your institutions' certificates locally so that even if a hijacker compromised a root server and spoofed a response AND got a cert issued for the legitimate domain (which, as anyone familiar with it knows, is not that hard), they still can't trick your browser.

    Really, all institutions containing sensitive data should establish secondary data channels as well - like, any time you log into your bank or brokerage, you should be able to specify an email address...say, of your cell phone.... which will receive an email saying you just logged in. Then someone who manages to get your info still can't effectively use it.
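The "save the certificate locally" idea above, and the earlier suggestion of caching SSL certs the way ssh caches host keys, as an added example (not code from either poster): a trust-on-first-use pin store keyed by hostname. The store path, the hostname and the certificate bytes in demo() are constructed placeholders; fetch_leaf_cert() is the only part that touches the network and is not exercised by the demo.

```python
import hashlib
import json
import os
import ssl
import tempfile

# Assumed location for the pin file in this example; ssh keeps the
# equivalent in ~/.ssh/known_hosts.
PIN_FILE = os.path.join(tempfile.gettempdir(), "example_cert_pins.json")


def cert_fingerprint(der_bytes: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, written as 'sha256:<hex>'."""
    return "sha256:" + hashlib.sha256(der_bytes).hexdigest()


class PinStore:
    """Trust-on-first-use store: host -> fingerprint of the first cert seen."""

    def __init__(self, path=PIN_FILE):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path) as fh:
                self.pins = json.load(fh)

    def save(self):
        with open(self.path, "w") as fh:
            json.dump(self.pins, fh, indent=2, sort_keys=True)

    def check(self, host: str, der_bytes: bytes) -> str:
        """Return 'new' (pinned now), 'match', or 'MISMATCH'.
        A mismatch never overwrites the pin: the DNS answer, a hosts-file
        rewrite and even a mis-issued certificate all fail here because the
        attacker does not hold the key the pinned certificate was made for.
        Only trust() replaces a pin, after the user confirms out of band."""
        fp = cert_fingerprint(der_bytes)
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = fp
            self.save()
            return "new"
        return "match" if pinned == fp else "MISMATCH"

    def trust(self, host: str, der_bytes: bytes):
        """Explicitly accept a new certificate for host (legitimate rotation)."""
        self.pins[host] = cert_fingerprint(der_bytes)
        self.save()


def fetch_leaf_cert(host: str, port: int = 443) -> bytes:
    """Fetch the server's leaf certificate as DER. Needs network access."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def check_host(store: PinStore, host: str) -> str:
    return store.check(host, fetch_leaf_cert(host))


def demo():
    """Round trip with constructed certificate bytes (not real certificates)."""
    path = os.path.join(tempfile.mkdtemp(), "pins.json")
    real = b"constructed DER bytes standing in for the bank's certificate"
    fake = b"constructed DER bytes standing in for an impostor's certificate"
    store = PinStore(path)
    results = [store.check("www.mybank.example", real),   # first visit: pinned
               store.check("www.mybank.example", real),   # same cert: fine
               store.check("www.mybank.example", fake)]   # different key: alarm
    reloaded = PinStore(path)  # pins survive across runs, like known_hosts
    results.append(reloaded.check("www.mybank.example", real))
    return results
```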

  33. Who needs DNS?! by scovetta · · Score: 1

    I just keep a copy of the IP addresses to all of the sites that I visit on a piece of paper. Who needs DNS anyway?

    Seriously though, any reason why the kernel's DNS-lookup procedure couldn't be changed to verify the IP through N servers instead of just the primary server? Of course, if one of the root DNS servers goes down, then that's it, but it's more likely that YOUR ISP's box will get rooted.

    --
    He who fights with monsters should see to it that he does not become a monster in the process. --Nietzsche
    1. Re:Who needs DNS?! by codemachine · · Score: 1

      Better yet, a browser that gets a certificate mismatch could check a couple of other DNS sources before assuming that it has the correct site. If both the DNS servers and certificates don't agree, then there is a big problem.

      Of course that assumes that sites transferring secure data use SSL, which is not always true. But I'm not sure whether adding even more DNS queries for every lookup is a good idea, since there is already more DNS traffic on the wire than there needs to be.

    2. Re:Who needs DNS?! by Anonymous Coward · · Score: 0

      any reason why the kernel's DNS-lookup procedure couldn't be changed to verify the IP through N servers instead of just the primary server?

      (It's actually the resolver library, not the kernel, but never mind.)

      First, that would make latency unbearable. Most of the time you wait for a web page to start displaying is spent waiting for DNS replies. Even if you chose to make n requests in parallel, you'd still have to wait for the slowest of all of them.

      Second, it wouldn't work. DNS is a distributed database, and when the address of a machine changes, the new IP propagates in a few days, or weeks (depending on how it was set up). So inconsistencies between data cached in different DNS servers are normal.

  34. Easy Short Term Fix by ftzdomino · · Score: 3, Insightful

    Most phishing sites use images pulled from the real sites, as well as directing people to them when they are done entering their information. Many banks and sites such as PayPal could easily track these people by watching their referral logs and looking for foreign referrals to things such as their navigation images. They could then contact the NOCs of ISPs who are unknowingly hosting them on hacked machines to get them taken down immediately. Most ISPs are extremely willing to take these down quickly, I've had quite a few respond to me within minutes when I've informed them. Eventually phishers would just grab the whole site and host the images as well, but the increased bandwidth would be more likely to be noticed.

    Mail clients should also notify users when the displayed http:// url differs from the actual href.

    A better fix would be for banks and other organizations to set up contact addresses for people to inform them. Many of them take days to read feedback I've sent them regarding someone trying to scam their customers.
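
    The referral-log check described in this post, as an added example that is not from the thread or from any bank: it parses Apache combined-format log lines (constructed here, with assumed hostnames under .example) and reports requests for the site's own images and scripts whose Referer names a host outside the site's domains, counted per asset and referring host. It only catches clone sites that hotlink; as a reply below notes, a hosts-file or resolver hijack sends the victim to the phisher with the real domain name, so the Referer would look legitimate.

    ```python
    import re
    from urllib.parse import urlsplit

    # Apache/nginx "combined" log format: ip ident user [time] "req" status size "referer" "ua"
    LOG_RE = re.compile(
        r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
        r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
    )

    # Hostnames the site legitimately serves pages from (assumed example names).
    OWN_HOSTS = {"mybank.example", "www.mybank.example", "online.mybank.example"}

    # Static assets a cloned login page typically hotlinks from the real site.
    ASSET_EXT = (".gif", ".png", ".jpg", ".jpeg", ".css", ".js", ".ico")

    # Constructed sample log: one legitimate hit, two hotlinks from a lookalike
    # host, one from a bare IP, one with no Referer, one non-asset request.
    SAMPLE_LOG = [
        '198.51.100.7 - - [10/Jan/2005:09:12:33 +0000] "GET /img/nav_logo.gif HTTP/1.1" '
        '200 4412 "https://www.mybank.example/login" "Mozilla/4.0"',
        '198.51.100.8 - - [10/Jan/2005:09:13:01 +0000] "GET /img/nav_logo.gif HTTP/1.1" '
        '200 4412 "http://www.mybank.example.login-verify.example/scam.php" "Mozilla/4.0"',
        '198.51.100.9 - - [10/Jan/2005:09:13:05 +0000] "GET /img/nav_logo.gif HTTP/1.1" '
        '200 4412 "http://www.mybank.example.login-verify.example/scam.php" "Mozilla/4.0"',
        '198.51.100.9 - - [10/Jan/2005:09:13:06 +0000] "GET /css/site.css?v=3 HTTP/1.1" '
        '200 910 "http://203.0.113.5/bank/index.html" "Mozilla/4.0"',
        '198.51.100.10 - - [10/Jan/2005:09:14:00 +0000] "GET /img/lock.png HTTP/1.1" '
        '200 300 "-" "Mozilla/4.0"',
        '198.51.100.11 - - [10/Jan/2005:09:15:00 +0000] "POST /login HTTP/1.1" '
        '302 - "http://www.mybank.example.login-verify.example/scam.php" "Mozilla/4.0"',
    ]


    def parse_line(line):
        """Return the log fields as a dict, or None if the line is not combined format."""
        m = LOG_RE.match(line.strip())
        return m.groupdict() if m else None


    def referer_host(referer):
        """Lowercase host of a Referer URL; None when absent ("-") or unparseable."""
        if not referer or referer == "-":
            return None
        try:
            host = urlsplit(referer).hostname
        except ValueError:
            return None
        return host.lower() if host else None


    def is_own_host(host):
        """True for the site's own hosts and any subdomain of them."""
        return host in OWN_HOSTS or any(host.endswith("." + h) for h in OWN_HOSTS)


    def foreign_asset_referrals(lines):
        """Return [(asset_path, referring_host, hits)] for own assets fetched from
        pages on hosts the site does not own, most frequent first."""
        counts = {}
        for line in lines:
            rec = parse_line(line)
            if rec is None:
                continue
            path = rec["path"].lower().split("?", 1)[0]   # drop cache-buster query
            if not path.endswith(ASSET_EXT):
                continue
            host = referer_host(rec["referer"])
            if host is None or is_own_host(host):
                continue
            counts[(path, host)] = counts.get((path, host), 0) + 1
        return sorted(((p, h, n) for (p, h), n in counts.items()), key=lambda t: -t[2])


    if __name__ == "__main__":
        for path, host, hits in foreign_asset_referrals(SAMPLE_LOG):
            print(f"{hits:4d}  {path}  <- {host}")
    ```

    Run against a real access log this prints candidate clone hosts to hand to the hosting ISP's abuse contact; the POST to /login in the sample is deliberately not reported because only hotlinked assets are counted.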

    1. Re:Easy Short Term Fix by s0meguy · · Score: 1

      Most ISPs are extremely willing to take these down quickly, I've had quite a few respond to me within minutes when I've informed them

      In my experience most phishing sites now get hosted in places like rural China - not so easy to take down. And if they are smarter and register a domain they just keep moving the site from one compromised machine to another.

    2. Re:Easy Short Term Fix by cmburns69 · · Score: 1

      However, if DNS is hijacked in any form, the site would not see anything weird in their referral logs. The browser would send "Give me image X, and I was referred by site X". It would match, because the DNS was wrong.

      This is very scary, as it would be almost impossible to detect! Fortunately, certain sites are releasing "security plugins" which tell you if the site you're connected to is legit. Unfortunately, it's only a matter of time before spyware and phishermen start to hijack these security plugins as well.

      What a hopeless world we live in!

      --
      Online Starcraft RPG? At
      Dietary fiber is like asynchronous IO-- Non-blocking!
    3. Re:Easy Short Term Fix by ftzdomino · · Score: 1

      Usually they forward the submitted form data to a US host via mysql or email. You can sometimes find out what these are by crashing their scripts and having them dump debug info. Some common ways to do it are disabling javascript and placing quotes into numeric fields. Another way is to modify the form and submit a large file with it. Phishers tend to be clueless when it comes to writing code.

    4. Re:Easy Short Term Fix by Better.Safe.Than.Sor · · Score: 1

      "Mail clients should also notify users when the displayed http:// url differs from the actual href." Mine does - Try Eudora 6 Hi Mom!

      --
      It's all history, man. -anon
    5. Re:Easy Short Term Fix by Anonymous Coward · · Score: 0

      PayPal doesn't even have an email where you can forward phishing attempts. You have to _log in_ to their website and then click through several pages to find a form where you can paste the email in a web form. They obviously don't really care about phishers, so you think they're going to bother scanning their logs for dodgy referrers? Fat chance.

    6. Re:Easy Short Term Fix by Frogbert · · Score: 1

      I like to go to these sites and enter a heap of my own creations for account numbers and passwords such as:

      user: Fuck
      pass: You

      or assuming they are using some sort of script to verify their passes

      user: I_am_a
      pass: Phisher

    7. Re:Easy Short Term Fix by Anonymous Coward · · Score: 0

      Most phishing sites do host the images themselves, and it's really not a whole lot of extra bandwidth -- the phishing sites don't last very long anyway, and they're paid for with stolen credit cards.

    8. Re:Easy Short Term Fix by cheekyboy · · Score: 1

      Cant the bank afford to;

      1. pay $5000 for an exmarine to fly to china, maybe use a chineese-american marine
      2. hire a AVIS min van , drive to the country side
      3. find the ISP or hoster
      4. camp outside till 4am
      5. firebomb them torch the place
      6. drive to the nearest tourist centre and continue on to hongkong as a tourist.

      --
      Liberty freedom are no1, not dicks in suits.
  35. No, you didn't read it correctly, you idiot. by Anonymous Coward · · Score: 0

    The senior employee was talking to the general public and how they may have viewed phishers in the past and how they should now view the phenomenon.

    The passage you quoted said nothing of his own personal or professional views on the matter.

    You. Fucking. Moron.

    1. Re:No, you didn't read it correctly, you idiot. by lucabrasi999 · · Score: 1

      Oh, isn't that nice. An AC calls me a moron. How cute. Grow some gonads, AC.

  36. I'm confused by TiggertheMad · · Score: 2, Funny

    The article was a little vague on this point, but aren't Phisher scams where you pretend to be a slightly paranoid ex-chess geinus hiding out in Japan?

    --

    HA! I just wasted some of your bandwidth with a frivolous sig!
    1. Re:I'm confused by HeliumHigh · · Score: 1

      Might I ask what a gienus is?

      --
      The spelling Nazis are everywhere!

  37. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  38. compromising name servers... by mike.newton · · Score: 1

    it is also believed that phishers are attempting to compromise domain name servers.

    To: hostmaster@arl.army.mil
    From: no_really_i_am_the_management@H.ROOT-SERVERS.NET
    Reply-To: somekid@nigeria_or_china_or_bulgaria.net
    Subject: Account Maintenance


    Dear hostmaster;

    We have monitored spam coming from your account, and
    you must take immediate action to prevent your account
    from being deactivated. Please reply with your account
    name and password to ensure continued access to your
    account.

    Yours Truly,
    H.ROOT-SERVERS.NET management

  39. I am safe. by Anonymous Coward · · Score: 0

    I have online access, but all I can do is transfer between my savings and checking accounts. I told my bank that is all I will do and any other transactions are automatically fraudulent.

  40. The grandparent is ignorant about Windows by Steeltoe · · Score: 1

    I'm typing this in a normal user account in XP with no special privileges. There's no way this account can write to the Windows hosts-file, except for a root-exploit. I've set most files to read-only.

    Actually, XP's security system is more sophisticated than the typical UNIX file attributes. The only stupid thing is that it's global RW by default, and the installation routine doesn't create an unprivileged account for people to use.

    Of course, it made Microsoft more money to make it easy for people, and now we're all paying the price for the stupidity.

    1. Re:The grandparent is ignorant about Windows by Anonymous Coward · · Score: 1, Interesting

      When you set up XP Pro for the first time, it asks you for a bunch of user names to create accounts for. Every one of them will be Administrator accounts, and as you say, the entire FS is R/W by default.

      Yes, XP has security mechanisms. You can buy an off the shelf with XP preloaded and those mechanisms will not help you.

      But honestly, no user would be happy with a system that didn't let you surf on IE and happily click 'Install' when you hit a site with Quicktime, Flash or some other plugin you are missing. We, as geeks, understand the danger in such a system, but we'll never convince everyone else.

    2. Re:The grandparent is ignorant about Windows by NatasRevol · · Score: 1

      Do you realize where you contradicted yourself?

      Try reading the first sentence in the first paragraph, pay particular attention to the end of it. Now read the third sentence of the first paragraph.

      Now, what were you saying about "security" in Windows? And how are the 100 million mom & pop users supposed to know about these special 'security' fixes that protect the mythical normal, but secure, user account?

      --
      There are two types of people in the world: Those who crave closure
    3. Re:The grandparent is ignorant about Windows by Anonymous Coward · · Score: 0

      Most Mom & Pop can't even install Windows.

      All I'm saying is that XP is secure, if you know how.

      I'm not playing the blame game.

    4. Re:The grandparent is ignorant about Windows by NatasRevol · · Score: 1

      All I'm saying is that XP is NOT secure if you don't know how. And >95% of Windows users don't know how.

      It's kind of like having to know the secret code to get your seatbelt to work.

      --
      There are two types of people in the world: Those who crave closure
  41. Indeed by phorm · · Score: 1

    Since the tactic mentioned involves editing hosts to redirect a site, doesn't that already mean that the system has been owned by a virus/trojan? At that point the game is already lost

  42. Load of BS by janoc · · Score: 2, Informative
    Sorry folks, but this is so overblown that it is incredible. Similar to the recent "Evil twin" story.

    Does anybody really think that compromising a root DNS server will suddenly redirect customers of e.g. Citibank to a phishers site and it wouldn't be immediately noticed ? C'mon:

    - DNS is distributed and any change in DNS takes a while to propagate (on the order of days). Moreover, more and more sites are switching to digitally signed updates to DNS, so bogus updates have no chance to go through.

    - Do you really think that e.g. a bank or eBay would not notice that somebody hijacked their domain? The only thing a potential phisher would achieve is to attract very close attention to himself, and very quickly at that.

    A more credible threat is tricks like changing the hosts file; however, with that we are in the domain of common adware/spyware, which hijacks browsers on Windows routinely.

    Finally, any bank worth my money does not use just a stupid username/password for authentication! Most European banks have as a standard feature a challenge/response mechanism (in addition to the username/password pair).

    Some banks even go so far as to issue you a smartcard with a pocket "calculator", which generates correct responses to the challenges from the bank. The smartcard is used as a seed for this and is protected with its own PIN that you have to enter before typing in the challenge code from the bank. The codes transmitted are usable just once, so they are completely useless to the phisher. Oh the mindless scaremongering ...

    1. Re:Load of BS by gurps_npc · · Score: 1
      You seem to be unaware of the more advanced Phishing tactics.

      1) The Phishers are not fools. Even now, the majority of them redirect you back to the real site after stealing your information. They can easily set it up so that it would be days before the bank/eBay figured out what was up.

      2) The more advanced security methods you mentioned would stop some of the tricks that the phishers use, but a smart phisher could steal cash even if you are using the one-use codes - the same session you log in, they wait till you log out, but don't log you out - instead they do one more "send money to x bank account" transaction.

      Any security person can tell you that by definition, any system that is truly "secure" will cost more than the security is worth. This is because if something is worth $x, then thieves are willing to spend $x/2 to defeat the security, which means that a truly secure system will cost at least x/10, and over time it will need to be updated enough times to make its value > x. All security systems are forced to depend on:

      1. the general honesty of people

      2. the rarity of anti-security training

      3. some level of theft being considered acceptable.

      #1 is pretty constant, #2 fluctuates, and we all want #3 to be low.

      --
      excitingthingstodo.blogspot.com
    2. Re:Load of BS by The+Cisco+Kid · · Score: 1

      A. 'Propagation' is a myth. Changes do not 'propagate'. What there actually is is 'caching'. *IF* a user's ISP had previously queried for some info, it will cache it, and if it is changed at the auth server before the cached data times out, then the user will continue to see the old data until it does. But if a change is made for a domain, and you then go to an ISP at which no one has accessed that site, you will immediately get the new data.

      B. The root servers wouldn't be the target, individual resolvers at ISPs or company networks would; the attacker would only be changing the info that users of *that* ISP/company were seeing, the rest of the net (and the target bank/etc) wouldn't know the difference. In fact modifying the 'hosts' file is basically that, but it only affects that one machine.

      C. Yes, check the certificates. And if a legit site has a bad cert, don't use it, and instead call the company running the site and scream at them to fix it, because as far as you are concerned it's down.

  43. the evolution of the insidious PostBlock devise by Anonymous Coward · · Score: 0

    sure enough, we break DOWn, get broadband & a membership (already_gone) on robbIE's blog, & a posting we will goo?

    not for long. without even so much as a mynuts won: consitently annoying, we're PostBlocked yet again. makes dialup look ever so much more attractive in relation to freedom of speech/anonymity, etc...

    no matter. lookout bullow. the daze of the whoreabull corepirate nazi felon execrable are WANing.

    consult with/trust in yOUR creators, using newclear power to rescue the planet/population since/until forever. see you there?

    as for robbIE's corepirate nazi suckup blog, phewww!@#$%

  44. One small change to your plan... by Duhavid · · Score: 1

    Rather than Microsoft and I.E., Mozilla and Firefox.

    --
    emt 377 emt 4
    1. Re:One small change to your plan... by MindStalker · · Score: 1

      No, because few Mozilla/Firefox users fall for phishing exploits. The big problem is the masses of people who use IE; these are the people who are being targeted and who need the help.

    2. Re:One small change to your plan... by Duhavid · · Score: 1

      Yeah, so use this as an encouragement to move to Firefox.

      --
      emt 377 emt 4
  45. Why use https? by coyote-san · · Score: 1

    Why bother using https at all? How many people do you think actually check for that little lock symbol in their browser.

    What's to keep them from sticking in a Verisign graphic just to look safe? Think they're going to be stopped by copyright law?

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
    1. Re:Why use https? by LithiumX · · Score: 1

      What's to keep them from sticking in a Verisign graphic just to look safe? Think they're going to be stopped by copyright law?

      That's pretty unlikely. I mean, copyright violation is technically illegal. Plus, the government has been cracking down on it pretty heavily. No, safer to just stick to fraud.

      --
      Do not confuse "Freedom of Choice" with "Free Will".
  46. Who uses https? by coyote-san · · Score: 1

    Why do you think they're going to use HTTPS? How many people actually look for the lock symbol?

    No HTTPS, no prompt whether to accept a new certificate.

    If you want to be even nastier I think you can set up Apache so it will use a "null" cipher. I'm not sure whether certificates are even needed in that case, but to anyone who doesn't drill through the "security" dialogs it will look like a genuine site.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
    1. Re:Who uses https? by Anonymous Coward · · Score: 0

      > How many people actually look for the lock symbol?

      A lot. I used to do support for a site with online ordering, and I'd get a call a day about people asking "where's your lock icon?" because we didn't enable https until the very last moment. Technically still secure, but from a design POV it was disastrous.

      IE won't accept null or extremely weak ciphers. If you have the access to make IE change that setting, you may as well just add a new root CA or install a keylogger.

  47. Much harder though by SuperKendall · · Score: 1

    You would have to write a specific library, indeed a specific version of the library - and then you still wouldn't be sure what you'd be fooling.

    While you could do that, no-one has done it yet - whereas in the story it noted a case of the Windows hosts file being modified already.

    I would say modifying a text file is an order of magnitude or two easier than creating a working resolver spoofing library and getting it installed.

    On top of all that, you'd only have installed it for one user of the box.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  48. Where to watch? by SuperKendall · · Score: 1

    I went to ESPN looking for when they broadcast the X-chess games, but no luck - what channel are these on?

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  49. Somehow eh? by nielo · · Score: 1

    "somehow modified a windows host file so that when you type in the correct url in the address, it redirects you to the phisher site" I'd say lmhosts file was the somehow. I did the same thing to redirect my boss to a fake spoof website of our company's with Mr T. on it for April Fools last year. ;-)

  50. SecurID would not defeat spoofing attacks by SuperKendall · · Score: 1

    SecurID helps, but basically you can have the spoof site act as a passthrough and use the information the user is feeding real-time to log the spoofer in behind the scenes - more hands-on for sure though, as you'd have to do whatever you were up to at that time instead of just logging account names and passwords...

    Also potentially if you knew the user's PIN and a few correct passcodes/times, I think you can crack the token and have your way with the server. I forget how or if that really works though.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:SecurID would not defeat spoofing attacks by Anonymous Coward · · Score: 0

      SecurID helps, but basically you can have the spoof site act as a passthrough and use the information the user is feeding real-time to log the spoofer in behind the scenes

      Any authentication scheme is vulnerable to Man In The Middle, sure. Forcing a MITM to really be "in the middle" the whole time instead of just casually eavesdropping at the start is one of the points of strong authentication schemes.

      Also potentially if you knew the users PIN and a few correct passcodes/times, I think you can crack the token and have your way with the server. I forget how or if that really works though.

      The PIN's easy, you just sniff it. You'd have to get a lot of passcodes though, since the algorithm's quite non-trivial. So if the requirement is that you have to watch the token for several months, it's done its job quite well.

  51. DNS compromise by Anonymous Coward · · Score: 0

    You don't have to compromise a root DNS server to wreak havoc. It would be enough to compromise the DNS servers for a small or medium sized ISP. That way, everyone who used that ISP would get false DNS results.

    1. Re:DNS compromise by janoc · · Score: 1

      Indeed, however how long do you think that it would take to notice and fix it? The phishers are not likely to go after small companies, which are using services of such ISPs. They are going after banks, eBay, gambling sites and such - these are usually multihomed, with multiple redundant and load-balanced DNS servers. Such an attack would be noticed immediately and probably limited in effect because of the redundancy of the service.

    2. Re:DNS compromise by Anonymous Coward · · Score: 0
      They are going after banks, eBay, gambling sites and such - these are usually multihomed, with multiple redundant and load-balanced DNS servers. Such attack would be noticed immediately and probably limited in effect because of the redundancy of the service.

      This comment demonstrates a fundamental misunderstanding of how DNS works.

      eBay would never notice a thing if the DNS of a small town ISP were to be compromised. There is no amount of redundancy or multihoming that eBay can do to affect the customers of that ISP in such a scenario.

      However, the customers of that ISP would be vulnerable, because they rely on their own internet service provider for DNS service, and their own ISP's DNS service is compromised.

      If I am a customer of an ISP (small or large), I am not going to be using eBay's DNS servers directly under normal circumstances, even when I visit eBay. The vast majority of internet users rely on their own ISP's DNS servers for DNS service. When Joe User sends out a DNS query, the query goes to his own ISP's server. The ISP's DNS server would normally recursively look up whatever information is desired on a root server or eBay's server.

      By compromising an ISP's DNS server, you can affect the DNS responses that are sent out to every customer of that ISP. Since this happens upstream of the target site (eBay, banks, whatever), there is nothing the target site can do about it.

  52. Or... by SuperKendall · · Score: 1

    Buy a Mac.

    No help if DNS servers get compromised, but I think that's a lot less likely. After all, they aren't generally Windows boxes.

    Sorry, had to be said... while you can do all the things you mentioned I know most people would not go that far.

    Also, I feel somewhat uncomfortable storing any links to my bank on the computer lest someone steal it. Of course it's not like I always remember to clear out browser history and caches after I visit...

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Or... by MattW · · Score: 1

      (1) I'm using a linux box, so I'll pass on the MAC. I'm not concerned about spyware and trojans even for my windows box, because I don't use ie, I have everything but the KSP (Kitchen Sink Protocol) filtered and so on. But I have no control over the DNS servers.

      (2) I don't care about most people. I'm talking about how to stop phishers from stealing your data. If people don't want to go that far, fine... let them deal with the identity theft that follows. I'm more concerned with preventing attacks upon those who at least are aware of the danger and would like to prevent damage.

      (3) That's funny. So you're taking on a higher risk (accessing your bank via non-trusted urls) activity so you can avoid a low-risk activity (storing a bookmark to a login page)? Especially when the bookmark is redundant to the history/cache?

      I'll go ahead and stick with Plan A.

  53. silent assumption there by ChipMonk · · Score: 1

    You are assuming they're running XP or 2000/NT, and as a non-admin user. How many Windows users are still on 9x or ME?

    The first Internet worm was long before 32-bit Windows hit the scene. For BillG and co. to release an OS touted as "Where do you want to go today?", while ignoring even basic privileges, was negligent at least, and criminal at worst.

  54. Supposedly now five minutes by michaelmalak · · Score: 1
    According to a July Slashdot story, DNS updates should now take five minutes.

    I've always worried about either terrorists or the FBI conducting an attack on the populace where a component of that attack was causing mass confusion and disturbing communication (e-mail and blogs) via a DNS takeover.

    DNS is a weak point. Sure, "only" 99% of Internet users rely on one of the main DNS servers, and, sure, like all censorship on the Internet, the Internet will route around it. But confusing/misinforming 99% of the people for an hour, or at least several minutes, would be enough for some purposes.

  55. RE: Phishing by Anonymous Coward · · Score: 0
    Will somebody please have a go at owning these bastards.

    Cheers.

  56. Would that be so bad? by grahamsz · · Score: 1

    If the people who aren't bright enough to spot more obvious scams leave the internet - we'll be better off :)

  57. Why hosts file? Why not more, or less? by whoever57 · · Score: 1
    If a phisher can modify the hosts file, then the phisher can also:

    Install a key-logger -- and eliminate the need to have the victim go to a fake site.

    Add their own certificates to the root certificates store, so that the victim can be (re)directed to an SSL phishing site without any certificate errors.

    Either way, it seems a little pointless to modify the hosts file alone.

    --
    The real "Libtards" are the Libertarians!
  58. Do it with real https + certificate by grahamsz · · Score: 1

    I've seen this done with a phishing scam on my bank...

    You click on the typical link that's for http://www.bank.com.ewroijwer.@somewhere.illegal/scam.php

    That then returns a page which pops up a toolbarless window saying "Please verify your account information...". It then reloads the main window so it actually displays https://www.bank.com

    That way you see your bank's homepage, you see the lock icon, the certificate checks out, but the popup window asking for your account information isn't secure and posts information to Russia.

    I was very very impressed - took me a while to realize what they were doing.

    1. Re:Do it with real https + certificate by Anonymous Coward · · Score: 0

      You click on the typical link that's for http://www.bank.com.ewroijwer.@somewhere.illegal/scam.php

      Such URLs don't work in IE anymore. I think firefox and opera display a stern warning.

    2. Re:Do it with real https + certificate by grahamsz · · Score: 1

      True,

      But you can still code them up with html so the text of the link starts https://www.bank.com.

      The phishing URL only appears momentarily in the address bar since the javascript reload actually grabs your bank's site.

  59. One word by karnat10 · · Score: 1

    um... three words actually: FUD

  60. Screenplay... by FooGoo · · Score: 1

    I am writing a movie called The Phisher King. It's about a guy who was scammed out of all his money by an internet conman and goes crazy. He meets up with a slick internet conman on the street and through a bond of guilt/friendship reforms the evil con artist. It's gonna be a tearjerker.

    --
    People who bite the hand that feeds them usually lick the boot that kicks them
  61. Specialized Browsers. by emjoi_gently · · Score: 1

    If the problem gets too serious (and I'm not convinced it has, yet) maybe Banks will have to take a step backwards into the old world of Specialized Apps for online banking.

    You go to the Bank, they give you a CD with the "National Bank Online Transaction" application, which you install and it does that one thing. Connects to a specific IP address, verifies the heck out of you, and allows you to do nothing but Banking.

    But then you'll have wiseguys distributing hacked CDs....

  62. Stupid system by haakoneide · · Score: 2, Informative

    Everything about phishing comes down to this: the passwords are reusable. If you can just get the password from the user once, you can do whatever you want. In Scandinavia, all banks use RSA tokens or lists with one-time passwords (these are rare nowadays). The file on the token is secret, and the PIN that the user puts into the token never has to be typed into a computer, so that's secret too. The password you get out only lasts for a minute. US banks apparently have the security level of Hotmail. Scandinavian banks (and probably most European) have had this system for like 10 years. Should I laugh or cry?

    1. Re:Stupid system by wereHamster · · Score: 1

      I'd say cry..

      it's because of them (American banks' poor security) that we receive these mails.

  63. I like to help the phishers out by Jon_Hanson · · Score: 1

    I love getting phishing e-mails. I dutifully go to the fishing link (from a safe web browser and operating system, of course) and fill out their form:

    Name: Phishers R Losers
    Address: 123 Get A Life Lane

    etc.

    1. Re:I like to help the phishers out by mlk · · Score: 1

      I like the emails you get back with that.

      --
      Wow, I should not post when knackered.
  64. Funny, yes, Insightful, no. by handy_vandal · · Score: 1

    Funny, yes, Insightful, no.

    You're right. I posted too quickly.

    What I really want to know: what about DNS hijacking? What's the threat, what's the answer?

    -kgj

    --
    -kgj
  65. Why are you linux guys hung up on Admin/user bit by hairyfeet · · Score: 1

    I know on /. this will probably be a hanging offense, but why are you Linux guys so hung up on the admin/user bit? If you stick a monkey (average dumbass) on an internet PC it WON'T matter whether he's the admin, because he'll pick the "yes I would like free pr0n" button and the virus/spyware writer will do the rest. I've been running my Win2k box on the net for 4 YEARS straight without A SINGLE bug (and yes, I'm running as admin the whole time). How do I do it? Because I'm not a MONKEY! I ALWAYS put on a firewall before connecting to the net, ALWAYS install the latest AVG antivirus before I do anything else. People need to take care of their own @ss. We don't expect the government to make all roads have 20MPH speed limits just because morons walk out in front of cars, why should we expect them to make the net safe for the idiots who click the "yes, I want free (insert cash, pr0n, stuff)" button? The only thing we as a people should worry about is the DNS servers. That would be like letting a robber take over the freeway. As for the rest? Oh, look, another monkey got hit by a truck. How sad. If they don't have the brains to use the medium with at LEAST a little bit of sense, then let the monkeys get hit.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  66. Phlinter Cell by Nahor · · Score: 1

    It's because of all those damned terrorists, the government has to hire lots of people very quickly and can't make a deep background check.
    And given the reputation of Sam Fisher, they were bound to hire a crook calling himself Sam Phisher.

    "Thank you, thank you, I'm here all week..."

  67. NTFS does give SOME protection by abb3w · · Score: 1
    If Admins can modify this file willy-nilly, then it could be a major problem for users who haven't bothered to create user accounts.

    And who don't have the sense to manually edit the security permissions on the hosts file to "read only", even for administrators. (Which is mostly the same group, I admit.) When I need to hand edit hosts, I change it back for a little bit, and then lock it up again.

    Similarly, inserting empty install target directories into /Program Files for the usual spyware suspects and removing ALL permissions from those folders causes most spyware installers to crash nicely. Of course, it's only a matter of time before the spyware writers fix that, and it only works for known install locations, but it's just one more stumbling block to put in spyware's way.

    On the other hand, this little trick doesn't WORK in XP-Home... a compelling argument for upgrading (or sticking with 2K) IMHO.

    --
    //Information does not want to be free; it wants to breed.
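The hosts-file lock-down abb3w describes above only helps if someone notices an entry that should not be there. As an added example, not from the thread or from any project mentioned in it, here is a small Python audit that parses hosts-file text and flags any mapping of a watched bank or payment domain to a non-loopback address (the redirect pattern in the story), plus any other non-default line. The watchlist, the sample file contents and the addresses in it are constructed for the example; on Windows the real file lives at %SystemRoot%\System32\drivers\etc\hosts.

```python
"""Audit hosts-file text for entries that redirect sensitive domains.

Added example for this thread (not the poster's or any project's code):
a hijacked hosts file maps a real hostname to an attacker address, so the
check below flags any watched domain that resolves somewhere other than
loopback. Everything in WATCHED_DOMAINS and SAMPLE_HOSTS is constructed.
On Windows the real file is %SystemRoot%\\System32\\drivers\\etc\\hosts.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed watchlist: domains a normal machine never needs in hosts.
WATCHED_DOMAINS = ("example-bank.com", "paypal.com", "ebay.com")

# Constructed sample: the two default lines plus three injected ones.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# next lines constructed to mimic a hijack
203.0.113.45    www.example-bank.com example-bank.com
203.0.113.45    secure.paypal.com
0.0.0.0         ads.example.net
"""

Entry = Tuple[int, str, List[str]]


def parse_hosts(text: str) -> List[Entry]:
    """Return (line_no, ip, [hostnames]) for every active entry.

    Comments after '#' are stripped, blank lines skipped, and a line whose
    first field is not an IP address is ignored (the resolver ignores it too).
    """
    entries: List[Entry] = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append((no, fields[0], [h.lower() for h in fields[1:]]))
    return entries


def matches_watchlist(host: str) -> bool:
    """True for a watched domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def audit_hosts(text: str) -> Dict[str, List[Tuple[int, str, str]]]:
    """Classify every non-default entry.

    hijack : watched domain -> non-loopback address (traffic is redirected)
    blocked: watched domain -> loopback/unspecified (access is denied)
    other  : anything else that is not a plain 'localhost' line
    """
    report: Dict[str, List[Tuple[int, str, str]]] = {
        "hijack": [], "blocked": [], "other": []}
    for no, ip, hosts in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        local = addr.is_loopback or addr.is_unspecified
        if local and hosts == ["localhost"]:
            continue  # the stock entries shipped with the OS
        for host in hosts:
            if matches_watchlist(host):
                kind = "blocked" if local else "hijack"
            else:
                kind = "other"
            report[kind].append((no, ip, host))
    return report


if __name__ == "__main__":
    for kind, hits in audit_hosts(SAMPLE_HOSTS).items():
        for no, ip, host in hits:
            print(f"{kind:7} line {no}: {host} -> {ip}")
```

The function takes the file as text, so the same check can be pointed at the Windows copy or at /etc/hosts. A "hijack" hit on a domain the user never deliberately mapped is the signal to look at who changed the file and whether its permissions still match the read-only setting the post recommends.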
  68. I already went one step further than this... by ukdiveboy · · Score: 1

    Gosh darn it! I thought I was the first one to come up with this idea.

    Actually I took it one step further. I combined my previous brilliant idea (Controlling Zombies Anonymously Via Google - http://sagar.org/malbot/.

    This is what I came up with: Building a Better Phishing Rod (http://sagar.org/malbot/building_a_better_phishing_rod.pdf)

    Sorry it's a PDF, I was in the process of drafting it this week before tweaking to HTML. How could I have known CNN would cover 'my invention'.

  69. HOW DOES THIS GET MODDED INSIGHTFUL? by muzzmac · · Score: 1

    This person clearly does not understand how:
    - Phishing works
    - Certificates work

    Yes, users would not get compromised if they use common sense. Well, they don't. No matter what we say. Phisher hit rates are quite low but they are there.

  70. Linux is fine as well of course by SuperKendall · · Score: 1

    Of course Linux is fine, but currently not an easy solution for most people.

    Two is three, as you will see...

    I think you misunderstood (3), here I am saying that I do not bookmark my bank URLs - I type them by hand. Why that is more insecure (assuming DNS is OK) is beyond me. You can manually type HTTPS URLs as well you know.

    I would say a bookmark would be slightly more risky, if only because in theory a browser compromise could lead to bookmark re-writes (something I wonder I have not heard happening in IE yet!). My typing by hand is as secure as DNS, which is about as good as you can get. Even typing in the IP I think could be more dangerous, what if the bank moved the server for some reason and a spoofer managed to set up on the old address after a while? Pretty remote but more likely than DNS being compromised in any lasting way.

    And as I said people stealing the computer might be able to get to your bookmarks.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  71. *sigh* by kjh · · Score: 1

    This is about MONEY. The people committing the crimes are CRIMINALS. Surprised at someone's clue level raising enough to speculate that criminals might target DNS to obtain cash? If the technology can be used as a means to money, it WILL be used, if it isn't ALREADY being used. The only news here is that someone other than the criminal did clue++.

  72. Better colours by Anonymous Coward · · Score: 0
  73. CallerID fraud will be huge by Anonymous Coward · · Score: 1, Informative

    Watch out for fake caller ID phishers... Imagine getting a call from the police, FBI, Wells Fargo, someone famous, etc. At least that's what it says on your caller ID. It's been happening in Denver. Should start getting nasty soon.

  74. Functionally retarded by Dire+Bonobo · · Score: 1
    > Let's be perfectly blunt. The average human being is functionally retarded.

    As a general rule of thumb, I find the main error in these statements is that people forget to include themselves.

    Probably the most important ability to modern humans is to socialize well. Typically, running around calling everyone else "functionally retarded" is...not such a promising sign of great ability in that critical field.


    Not to mention that one often fails to realize that those "functionally retarded" people may in fact be extremely skilled, smart, or well-educated, but simply in different fields. Electrician? Chef? Historian? Lawyer? None of them have great need of l33t computer skillz, but dismissing them all as "functionally retarded" is...well, we've discussed that already.

    Modern humanity lives in a complex society where it is not optional to rely on and value the differing skills of others. To be unable to realize and do that is to be functionally retarded.

    Just sayin'.

    1. Re:Functionally retarded by MightyMartian · · Score: 1

      I'm sorry. I don't buy that the problem is mine.

      At least once a month I see a newspaper article or TV news spot warning about phishing scams, email scams, worm outbreaks, etc. The warnings aren't hidden, and yet tens of thousands of people are either incapable or totally unconcerned.

      You can try to toss this off as "no one should expect a lawyer/electrician/religious leader/whatever to have expertise", but that doesn't cut it. I'm no public health expert, but when I get a boil advisory, I boil my bloody water.

      If many people aren't functionally retarded, then they are outrageously unconcerned. I'll leave it to you to decide what the fine line is in that distinction.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
  75. What happened to the days... by Misanthropy · · Score: 1

    ...when phishing consisted mainly of dirty dreadlocks, dank nugs, veggie burritos, and lizards?

  76. [OT] Can and Must set Dvorak globally under XP. by spaceturtle · · Score: 1

    *tries to set keyboard type to Dvorak -- ACCESS GRANTED*

    Linux also lets unprivileged (guest) users set the keyboard type to Dvorak, but not *globally*. Since I had made my account guest I had assumed that I wouldn't be able to accidentally mess up global settings. I was wrong.

    Running XP as guest means most applications won't work correctly; You will have to deal with hundreds of popups on startup warning you that various quick start applications can't run; You may not be able to access the "public" documents stored in "All Users"; You will still be able to accidentally screw the machine you are on; as I understand viruses will still be able to root your system.

    I don't really see the point of running as "guest" on an XP box.

  77. Re:They install themselves as a CA by Anonymous Coward · · Score: 0

    The idea is that they install their public key as a trusted CA just like verisign. If you don't believe me, open MSIE and go to tools, internet options, content, publishers, trusted root certification authorities and you will see an import button which you can use to add your own public key to the list of trusted root CAs like verisign. Once that is done you can sign certificates yourself just like verisign does and they will be accepted as valid on the system you just imported yourself as a root CA on. If you were to create a worm that installed your public key as a root CA in addition to modifying the hosts file, you could self sign your phishing site and to MSIE it would appear as trustworthy as verisign. Unless the user manually checked the name of the CA and actually called (on the telephone, the worm could redirect access to verisign.com too) verisign (otherwise the worm could just overwrite verisign's public key with its own) to verify the fingerprint the user would never know.
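The post describes two outcomes of a rogue root CA: a new trusted root appears, or an existing root's entry is overwritten with a different key under the same name. As an added example, not from the thread, here is a Python script that compares a baseline listing of root-store thumbprints and subjects against a current listing and reports both cases, plus roots that have vanished. The listing format (thumbprint, then subject) follows what `Get-ChildItem Cert:\LocalMachine\Root` prints in PowerShell, but both listings and every thumbprint in them are constructed; the check is only meaningful if the baseline was captured on a known-clean machine and kept where the malware cannot edit it.

```python
"""Report root CAs added to, or swapped in, a trust store since a baseline.

Added example for this thread (not the poster's code). Input is a text
listing of 'THUMBPRINT  Subject' lines in the shape that
`Get-ChildItem Cert:\\LocalMachine\\Root` prints on Windows; both listings
below and every thumbprint in them are constructed for the example.
"""
import re
from typing import Dict, List, Tuple

HEX40 = re.compile(r"^[0-9A-F]{40}$")  # SHA-1 thumbprint, 160 bits

# Constructed snapshot taken on a known-clean machine.
BASELINE_LISTING = """\
# thumbprint                                subject
1111111111111111111111111111111111111111  CN=Example Root CA 1, O=Example Trust
2222222222222222222222222222222222222222  CN=Example Root CA 2, O=Example Trust
"""

# Constructed current listing: CA 2's name now carries a different key,
# and an unknown root has appeared (the two cases the post describes).
CURRENT_LISTING = """\
11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11  CN=Example Root CA 1, O=Example Trust
3333333333333333333333333333333333333333  CN=Example Root CA 2, O=Example Trust
4444444444444444444444444444444444444444  CN=Totally Legit Root, O=Unknown
"""

Finding = Tuple[str, str]  # (thumbprint, subject)


def normalize_thumbprint(tp: str) -> str:
    """Accept 'ab:cd:..', 'ab cd ..' or bare hex; return upper-case hex.

    Anything that is not 40 hex digits raises ValueError so a malformed
    line cannot silently slip past the comparison.
    """
    t = re.sub(r"[\s:]", "", tp).upper()
    if not HEX40.match(t):
        raise ValueError(f"not a SHA-1 thumbprint: {tp!r}")
    return t


def parse_store_listing(text: str) -> Dict[str, str]:
    """Parse listing text into {thumbprint: subject}; '#' lines are skipped."""
    store: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tp, _, subject = line.partition(" ")
        store[normalize_thumbprint(tp)] = subject.strip()
    return store


def diff_root_store(baseline: Dict[str, str],
                    current: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Compare two stores keyed by thumbprint.

    new      : thumbprint and subject both unseen in the baseline
    replaced : a baseline subject now served by a different thumbprint,
               i.e. the same name with another key behind it
    missing  : baseline roots no longer present
    """
    baseline_subjects = set(baseline.values())
    added = [(tp, s) for tp, s in current.items() if tp not in baseline]
    replaced = [(tp, s) for tp, s in added if s in baseline_subjects]
    new = [f for f in added if f not in replaced]
    missing = [(tp, s) for tp, s in baseline.items() if tp not in current]
    return {"new": new, "replaced": replaced, "missing": missing}


if __name__ == "__main__":
    findings = diff_root_store(parse_store_listing(BASELINE_LISTING),
                               parse_store_listing(CURRENT_LISTING))
    for kind, items in findings.items():
        for tp, subject in items:
            print(f"{kind:8} {tp[:8]}...  {subject}")
```

Keying on the thumbprint rather than the subject name is the whole point: a replaced root keeps the familiar name, and only the fingerprint gives it away, which is why the post says the user would have to verify the fingerprint out of band.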

  78. A Problem by Wizarth · · Score: 1

    A lot of people have said "check the certificates". Well, I've seen local (Australian) banks use bad certificates! Yes, the Commonwealth Bank's website has at various times provided invalid certificates, usually due to not updating them quick enough. So, when you go to their secure section, you would get a warning box! Yet it really was the right site.

  79. Counterattacks by eventhorizon5 · · Score: 1

    I've been working on some material to counter-attack email phishers directly at their puny (hopefully) servers. Does anyone know of any new software projects that help feed tons of false information into the phishers' web forms (to their database)? As a Linux mail server admin, I've been getting royally pissed with the amount of email scams that have gotten through my 5-stage spam filter (even though most are stopped; I want *zero* to get through; I might add some detection for this stuff). My guess (correct me if I'm wrong) is that if people like us can dilute the phishing databases (similar to the idea of web honeypots to screw up email bots), hopefully the attackers can become somewhat crippled. Or just post an address like this one on Slashdot ;) (that's one lame phisher's email submission address - looks like it's on a private machine in Hong Kong) - never underestimate the Slashdot effect; you'll be sorry.

    So the bottom line is that there has to be something that us admins/whitehats/slackers/geeks etc can do - :-/

    --
    #Secret Windows Source Code, in MS C% - if (uptime >= "24 hours") then bsod() else print "Windows License Violation!"
  80. Re:Why are you linux guys hung up on Admin/user bi by SlimFastForYou · · Score: 2, Interesting

    Though this may be getting a little offtopic, I think it is a valid question and should be addressed.

    But why are you linux guys so hung up on the admin/user bit?

    From what I was able to gather from your post, you are trying to convey to everyone that it should not matter if a user runs under a "Limited" account, or an "Administrator" account (using Windows terminology).

    Unix was designed with multiple users in mind. In fact, many system services run under their own user account. The one, all powerful account is 'root', and is normally used only under special circumstances (i.e. installing a software package). Most other times, even the sysadmin logs on to a limited user account.

    The theory is, a system service can only do so much damage as its user account permits. Similarly, a user can only do so much damage as his/her account permits. If there is some hole in MySQL server, and an attacker is able to exploit it, they gain all the privileges of the MySQL user account. The rest of the system should theoretically remain unaffected.

    What does this have to do with Windows? In my experience in a computer repair shop, I have fixed XP box after XP box brought to its knees by viruses and spyware. The removal of these malware programs can prove to be a quite tedious undertaking, because the entire family who owns the computer each has their own Administrator logon account. If the RPC service is compromised (a la Blaster), it was running with Administrator privileges and the whole system is vulnerable. If a web site exploits a flaw in IE, the whole system is vulnerable because the user runs as Administrator.

    Windows XP is simply designed to where home users need to have administrator privileges, otherwise many things will not seem to work right. For example, many DirectX games will not load at all unless run as an Administrator.

    So to answer your question, a "stupid" user could only do so much damage with a unix-based security model. Let's imagine a family using a Linux computer. Assuming a 13 year old kid installed a program that secretly contained a keylogger, the keylogger would be powerless against the mother and father. The keylogger could not wedge itself deep down in the system files, therefore cleaning it would be a relatively painless task for a moderately competent user.

    In conclusion, I would like to say that the fact you have never had any unexpected malware (spyware, viruses, etc) installed on your windows machine whatsoever is unusual. You are either mistaken, haven't used your computer much, or are both smart AND lucky. This is my understanding of the current state of security affairs as far as Windows and *nix are concerned - if anyone has anything to add, I'd like to hear it.

  81. Advice for your moms, brothers, cousins, etc by The+Cisco+Kid · · Score: 1

    I would hope everyone that visits slashdot probably knows most of this, but may not know how to explain it clearly to a non-savvy relative or friend. I believe this advice is the best available for such folk, I give permission for it to be copied, pasted, printed, etc, by anyone hoping to help anyone they know avoid being taken in by a scammer.

    -----

    DO NOT click on links in any email you receive that purports to be from any organization or company that has anything to do with your finances, credit, identity, or security.

    If you receive such an email, and you are not 100% sure that you know how to check it for authenticity (which involves checking the full headers of the message, as well as the full source of the message to see the *actual* URL of any included links [which in a phish email, may differ greatly from the URL your end-user email program displays in the message]), then DO NOT CLICK.

    If you suspect such a message may really be from who it purports to be, then call them directly, and explain that you are concerned about the email and ask that they confirm its content as legitimate (most of the time, that would mean calling them - if the email says not to call, that's a pretty good sign that it's fake - no legitimate company would discourage calling to verify the legitimacy of such an email.) It may also be a good idea to suggest that they avoid using email in that manner, to avoid any possibility of their customers falling victim to forgeries.

    If the message claims your account or access is suspended, *STILL* DO NOT CLICK. Instead, close the message, open a *NEW* browser window, and TYPE IN BY HAND the normal URL that you use to access that account or site (and if the site involves money or SSNs, that URL should start with https://, NOT http:// (note the 's')), and log in normally. If your account works and no notices are shown about it being suspended or whatever, that's a pretty good sign the email was a fake. Again, if you are remotely unsure, *CALL* them and ask. If it's a bank, you should have a way to call them.

    Two popular targets for the scammers are eBay and PayPal - email from either of those two sites will *always* include your full real name; it will NEVER say 'Dear PayPal user' or 'Dear valued eBay customer', or anything like that. If you are John Henry Smith, the email will say exactly that - 'Dear John Henry Smith'. Any email from either of those that doesn't have your full real name is pretty much guaranteed to be a fake.