Slashdot Mirror
Most Home PC Users Lack Security
Ant writes "CNET News.com and MSNBC report that a survey of home personal computer (P.C.) users found 81 percent lacked at least one of three critical types of security. However, the number of consumers using firewalls and updated antivirus software is improving, according to a report released Wednesday. The vast majority of consumers surveyed were found to lack at least one of three types of critical security--a firewall, updated antivirus software or anti-spyware protection, according to a report by America Online and the National Cyber Security Alliance. Of this group, 56 percent had no antivirus software, or had not updated it within a week, while 44 percent did not have a firewall properly configured, according to the report. Meanwhile, 38 percent of survey respondents lacked spyware protection..."
Whatya mean? I got my blanket right here...
Be a real patriot: Question authority. Think for yourself. Formulate your own conclusions.
After witnessing how easily most consumer firewalls were abused by Sony's DRM I'd say that firewalls are no longer an indicator of computer security. At least on the Windows platform.
fast as fast can be. you'll never catch me.
Yeah, since they care more about podcasting than rootkits, what did you expect...
giel.y contains 2 shift/reduce conflicts
National Cyber Security Alliance? Couldn't they at least have picked a different acronym than one that's been used in the computer field for a really long time?
Be a real patriot: Question authority. Think for yourself. Formulate your own conclusions.
We KNOW home users don't have security. Windows has been brought kicking and screaming from a single user insulated space into the big wide internet world.
Home computing has evolved just like personal motoring has.
Seat belts and safety features in cars used to be an addon luxury that not many people had or used, now every car comes with them and airbags and strengthening supports as standard.
Spyware protection is a new tact, and should really be dealt with in the same malicious software category viruses fall into - it basically uses the same engine, and its only the AV companies themselves who made a distinguisher between installed with vague permission and none whatsoever.
liqbase
I vote for AVG.
Real Daleks don't climb stairs - they level the building.
The free ones that work the best are AVG, AntiVir (Classic, Premium isn't free) and Avast!. I currently use AVG but the new version of AntiVir is supposed to work better and have a smaller footprint.
You shouldn't need an external firewall to protect your machine from hostile incoming connections -- your machine shouldn't be listening on ports it doesn't need to, and when it does listen, it shouldn't be possible for incoming connections to subvert it. You shouldn't need add-on antivirus software -- your machine should have a basic "immune system" of its own and shouldn't be vulnerable to the effects of running untrusted external code.
It is possible to design operating systems that are inherently secure in these ways. One of the larger crimes committed by the designers of the currently-popular consumer-grade operating systems is to have convinced large swaths of the population, via ubiquitous, crashing mediocrity, that it's somehow an "impossible" problem. It was largely a solved problem 20 years ago, if anyone had listened.
Frankly this subject has been one of the biggest problems I've had to deal wit hback when I was the service manager at a computer store that serviced retail users. The complete and utter lack of security. This fell into three catagories:
Lack of Anti-Virus
Most of the time I tried to hammer it into thier heads that spending $40 now would save them a ton of heartache later. If I was EXTREMLY lucky, I could persuade them to go out and buy the software from Staples, bring it back to us, and we'd install it on thier new machine before it ever left our store and it's own defenses. Most of the time however I'd install the trial version of norton or mcafee, inform them that THEY MUST get the full version before the trial period is over, and STILL see the goddamn thing within two months, loaded with enough viruses to call it the PC version of Typhoid Mary.
The part that sucked was that inspite of a verbal warning, a piece of paper taped to the computer and the monitor warning them that they NEED anti-virus programs, they still came to me with "Well why the @#$% didn't you tell me about this?"
Firewall
Actually this is no longer as much of a problem as it used to be now that we're seeing broadband and multiple computers in a house becoming the norm. We used to sell Linksys routers and that became a strong defense. Myself personally I run Norton Internet Security behind my Symantec Firewall/VPN appliance for a two pronged defense and so far I've yet to be broken into (although I've logged a ton of port sniffing attack attempts).
The third problem is Spyware.
At least this one is easy to fix. I usually install Spyware Doctor on the system that came into my shop and clean out the system (then uninstalling it unless the customer wanted to buy a license from PC Tools), then I'd install the free programs out there (Ad-Aware and Spybot Search and Destroy) to protect them in the future.
Spyware has never been too much of an issue for my customers because I could install a free program and if they ever had a problem I could talk them through the programs over the phone. For the most part that was all they needed so it wasn't too bad of a problem.
It's nice to see that more and more people are getting concerned about security. Just a little effort and a small investment and your computer can be safe with a minimum of fuss.
-- Wiccan Army, 13th Airborne Division "We will not fly silently into the night"
When you purchase a PC, you should have the option of installing freeware that might help you in the incessant barrage of spam, viruses, spyware, adware, bots and phishing emails. It might also help to have a short tutorial on how your PC becomes infected/compromised/used to propogate malicious code. Maybe then Windows would be a better and safer O/S?
d ucts/znalm/freeDownload.jsp (Zone Alarm firewall)
a milyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&displa ylang=en (MS Anti-Spyware adware/spyware detection)
For those who need some free help:
http://free.grisoft.com/doc/2/lng/us/tpl/v5 (AVG anti virus)
http://www.zonelabs.com/store/content/company/pro
http://www.lavasoftusa.com/software/adaware/ (Ad-Aware adware/spyware detection)
http://www.safer-networking.org/en/download/ (SpyBot S&D adware/spyware detection)
http://www.microsoft.com/downloads/details.aspx?F
He who knows best knows how little he knows. - Thomas Jefferson
You can still open "AnnaKournikova.jpg.vbs" if you're running Firefox. (email trojans/viruses)
Adware and spyware can still be downloaded in Firefox or Opera.
When someone tells you they just inheritied money and need your help in order to get the cash, your response is browser-independent.
You can even be using a Firefox, anti-virus, firewall, and anti-spyware tools at work - but leave your password on a Post-It on the monitor for anyone to see.
The problem isn't Internet Explorer. It's the people.
I agree. Consumer anti-virus,firewalls, and anti-spyware are not a good metric of security. Most people can't stand blocking and unblocking programs for their outgoing firewall all day. And really, the average consumer doesn't know what's safe and unsafe. Incoming protection is pretty pointless too since so many computers are behind a nat router. Anti-virus provides protection for old viruses, but the 0-day mass speading ones generally beat anti-virus anyway. Anti-virus provides retroactive protection of viruses already written. It doesn't generally provide a means of stopping a suspected virus. I've seen some that can, but the general home user anti-virus doesn't or requires training from users not skilled enough to train it. On top of that, there's so much political bullshit that goes on within the ranks that something could be malicious to your computer, but the supplying company complained it was legit and they let it through anyway. Also! They generally provide little/no spyware protection. So you've got a bloated piece of crap anti virus program that slows down your computer almost as much as the virus itself that doesn't really work all that well.
The only retroactive solution I think is worthwhile these days is spyware scanning your box once a week. And rotate which scanner you use.
On the other hand, there is A LOT you can do not to get spyware and viruses in the first place. First, DON'T USE IE. All the fanboys will cry foul here, but it's true. I don't care if alternative browsers are just as hackable but they aren't being exploited blah blah blah... We'll cross that river when we get to it. For now, using almost anything besides IE will stop the bulk of your spyware. Also, in whatever browser you use, don't allow in browser media to be played. Flash, movies, music, etc etc. Or at the very least, make sure it prompts you first so you have the choice to only do so from websites you trust. Also, don't go to sketch sites. Plain and simple. Let's see... don't use outlook, EVER. In your MUA make sure it it either doesn't display html or prompts you to do so. Don't open attachments. It's stupid. It's so incredibly easy to spoof who you are via email that you can really never fully trust an email. Don't use AIM. There are AIM viruses left and right nowadays. Use an alternative like gaim or trillion and never accept to transfer files.
More than anything, just be smart about where you go and what you do. Understand that the internet really isn't a safe place. Security isn't a product, it's a process. I can't stress this enough. Doing certain things yourself will keep you safer than any anti-virus ever could.
If an officer ever threatens to taze you, say you have a pacemaker.
from the news-at-eleven dept.
Bug writes "CNN and Al Jazerra reported in a joint statement that a survey of slashdot articles found that 81% of them lacked at least on of the three critical contents of a newsworthy report. However, the number of dupes has been recently improving, according to a report released yesterday."
Ok, really. Everyone with even the slightest interest in computer security knows that there's not much that's easier than taking over a dozen or so home PCs. Why else, do you think, do prices for botnets range in the cents-per-machine range? Because it takes maybe one cent of effort to break into the average home machine, otherwise those selling the botnets wouldn't be turning a profit. It's probably more expensive keeping other botnet harvesters out than getting in in the first place.
Assorted stuff I do sometimes: Lemuria.org
The GP wasn't referring to Vax or Unix machines of 20 years ago with regard to their simplicity. It referred to the fact that security was a solved problem on those machines. You yourself go on to say:
The thing really worth noting in your statement is that OS X uses a >20-year-old security system. It's using Unix permissions, straight from the BSD core of the system. The same BSD core used in the NeXTStep operating system a little under 20 years ago (albeit slightly upgraded since then).
Individual software packages, particularly those designed to listen for commands from the network and execute things locally (ssh, etc.) can have the sort of issues you decribe in your last paragraph; As they get more complex, the task of maintaining security does potentially also become more complex. But on an operating system level, there have been sufficient rules in effect for a long long time now. For instance, just saying "this can only be done with root privileges" and "root privileges can only be gained interactively, and on a one-shot basis" will cover a vast amount of potential issues, and is pretty much what OS X does, as you describe (albeit with slight timeouts to root privileges, rather than pure one-shot operation -- although that timeout is user-configurable).
At the end of the day, MS-DOS, QDOS, and such, left that out in the interests of expediency, size, and (maybe) end-user perceived complexity/ease-of-use. It then became a standard. I like to quote my boss on this one:
He tells me that, having worked with Unix/BSD/Vax -level machines in the late seventies, when the IBM PC came out, he and his cohorts were interested to see it. They took one look and put it down as a failure -- a joke, even -- because it lacked so much of what they saw in their current machines. Unfortunately, it became the standard, in the process setting back the state of the art by many years.
Not least is the point that Unix/Vax systems were inherently multi-user systems, and they needed a robust way of preventing one user from destroying another's data. So this was built in from the very start. MS-DOS and QDOS didn't have this capability, so the standard became that any program had full access to just about anything. The only high security implemented was in the CPU itself, where a system trap was needed to get access to 'Ring 0' (privileged) instructions. On top of this, the somewhat limited nature of the system itself led many programmers -- used to working on a more capable OS -- to make modifications to the core system, to help their stuff work. That required privileged access to the system, in order to install hooks, drivers, and so on.
Of course, once this became a standard, it was hard to change that behaviour, and it never was changed because 'backwards compatibility' was the highest goal. So when mutli-user functionality was built into Windows 9x/NT, privileged operation became the norm. People logged in as an administrator, because their programs were designed needing full access to the system, and little or no provision was made for interactive temporary privilege escalation within the OS itself. Unlike Unix/BSD, you couldn't just ask the user for an admin user & pass to get the privs needed to put some file somewhere special, and then lay down those privileges when you were done with them.
As a result, you get the horrible mess we're talking about: An IM program that can corrupt the core operating system and ultimately gain access to privileged-mode CPU cycles? WTF? A game that can modify the system kernel, or the boot sector of the hard disk? They can only do that because the system lets them, or because the system won't let them do some small operation without high privileges, and requires that the entire process runs with those privileges as a result.
-Q