Cyber Crime Hits Big Time This Year
An anonymous reader writes to point out the Washington Post's analysis of this year's spike in junk email and online attacks, such as botnets and worms. Image-embedded spam emails made up an amazing percentage of all messages sent in the months of October and November, and something like four million bots are actively adding to that total. These botnets are also increasingly connected to organized crime, as are 'independent' hacker groups. The article goes on for three pages, and doesn't have a lot of hope that 2007 will look a whole lot better. From the article: "Experts worry that businesses will be slow to switch to the [Windows Vista]. And even if consumers rush to upgrade existing machines or purchase new ones that include Vista, Microsoft will continue to battle security holes in legacy versions of Microsoft Office, which are expected to remain in widespread use for the next 5-10 years."
"Experts worry that businesses will be slow to switch to the [Windows Vista]. "
Maybe because Vista isn't written for security or for the businesses, or for anyone who buys it; it's written for DRM and for the RIAA and MPAA.
As the number of people online grows, the crime scene grows with it (at a slight delay).
A large enough number of people for crime to be viable online will stay gullible, no matter what we do.
This is another one of those "Wars" we simply cannot win. We can try to educate the masses, but in general it will not work.
A number of people within any social network will be defrauded somehow, and as they tell their stories (which most of them won't, afraid to seem a fool in the eyes of their peers), eventually these networks will become more resistant to attacks.
We can design tools to help this process. But there will never be a technical tool to stop all, or even a significant amount of the crime and fraud that goes on out there.
It's the American dream - everyone can make it rich, and some people will always think that it's the mail/phonecall/whatever they just received that'll make it happen for them.
I'm a dreamer, the world is my playpen. But hey, I'm a serious person, I can't dream all the time.
What we need is more effective law enforcement. There aren't that many spammers any more. Look how few different spams show up. The top three or four spams represent most of the volume. We need a law enforcement effort aimed at finding the top ten spammers and putting them in jail.
Because to profit on writing anti-virus software you have to have a lot of financial backing, and it takes a lot of patience. If you steal an identity, it can be a major windfall tomorrow. To write good antivirus software, you have to compete with a bunch of people who are attempting to monopolize the market and have the credentials. And be able to advertise. It's just a lot easier overall to steal large chunks of cash from stupid Americans.
And don't forget that one cracker can find one exploitable hole and make a lot of money off of it. Either in "identity theft" or by creating a zombie army and selling those services.
If s/he went legit and tried to sell anti-virus software, s/he would need to be as good or better than all the other virus/worm/trojan writers out there. The payoff vs effort quickly becomes worthless. A little effort for a big payoff is what crime is all about (and a number of other endeavors).
The attached image is my own personage representing me as a reasonable and trusted person. My truthful intentions are above reproach and presented to you in a reasonable and trusted manner.
I get one of these about every other two or three months. I just build another filter and notify my ISP.
The only thing new in this world is the history that you don't know.[Harry Truman]
If they hadn't made such an insecure operating system, we wouldn't have any of these problems!!
I hate that argument, because it's completely incorrect. The vast majority of people who use computers have little idea how they work, or the difference between viruses and spyware and adware. If it's easy for them to do what they need to do, they'll be happy. Linux may be extremely secure, but the reason it is hardly used as a desktop OS is because the vast majority of people don't know how to easily do what they need to do using it. To meet all users' desires, you'll always have to sacrifice some security for ease-of-use. IMHO, Microsoft has done quite a decent job of making this balance in Windows. For all the people who do know how to use a computer and want security, there's Linux and OS X.
The fact is that you'll always have a lot people who use the easiest thing available, even if it is insecure. You'll always have the people who turn off the firewall because it makes their IM program not work, you'll always have the people who ignore the 'This file may harm your computer!' dialog. As a result, malware, worms, etc. will always be a problem.
Commodore64_love: I don't comprehend people who're so frightened of death that they'll bankrupt themselves to stay alive
So, under the auspices of Economic Security, some random ideas to rebuild confidence in the email network:
The domain name is the primary reference point for a reputation base. If a domain can be spoofed, reputation fraud ("Identity theft") becomes more likely. So, harden DNS with some ubiquitous public key crypto. If you want a domain, you must provide a public key; the key authenticates you to modify the entry. If you lose the key, tough cookies; you'll have to wait for the registration to expire before you can regain control of it.
All clients presenting mail for delivery must present credentials. No credentials, no delivery. In an ideal universe, the client's credentials (public key?) would be presented as part of the SSL connection, so the SMTP server wouldn't have to do anything special.
If you're not on the local subnet, and your IP is not registered as a Mail Exchange, then no relaying for you without prior arrangement. Assuming a hardened DNS, we can reasonably rely on the authenticity of the MX record.
Blanket blocking of connections on port 25 is excessive -- some people have a legitimate need to drop mail on smarthosts outside the local subnet. However, if the routers observe an internal IP address spraying port 25 connections to, say, a dozen different IPs over the course of a minute, then that's probably something the network admins would want to look at more closely. This would do nothing to thwart a parallel "shadow" network of compromised hosts acting as spam relays for the subnets on which they're located. But for a while you'd get a pretty good map of machines to clean up.
Schwab
Editor, A1-AAA AmeriCaptions
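One way to implement the port-25 fan-out check the post above describes (an internal host spraying SMTP connections to a dozen distinct IPs within a minute), as an added example that is not part of the original post; the flow records are constructed sample data, and the field layout and the twelve-per-minute threshold are assumptions taken from the post's own figure.

```python
from collections import defaultdict

# Constructed flow records (not real traffic): (timestamp_s, src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = (
    # 10.0.0.5 fans out to 13 distinct hosts on port 25 inside 50 seconds.
    [(4 * i, "10.0.0.5", f"203.0.113.{i + 1}", 25) for i in range(13)]
    # 10.0.0.7 talks to a single smarthost many times: one destination, legitimate.
    + [(3 * i, "10.0.0.7", "198.51.100.1", 25) for i in range(20)]
    # 10.0.0.9 reaches 12 distinct hosts, but spread over six minutes.
    + [(30 * i, "10.0.0.9", f"192.0.2.{i + 1}", 25) for i in range(12)]
    # Non-SMTP traffic is ignored entirely.
    + [(i, "10.0.0.5", f"192.0.2.{i + 50}", 443) for i in range(30)]
)


def distinct_smtp_destinations(flows, window=60):
    """For each source IP, the largest number of distinct port-25 destinations
    contacted within any sliding window of `window` seconds."""
    per_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == 25:
            per_src[src].append((ts, dst))
    peak = {}
    for src, events in per_src.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            # Distinct destinations reached in [start, start + window).
            seen = {dst for ts, dst in events[i:] if ts < start + window}
            best = max(best, len(seen))
        peak[src] = best
    return peak


def flag_smtp_sprayers(flows, threshold=12, window=60):
    """Source IPs whose peak SMTP fan-out meets the threshold: candidates for
    the network admins to look at, not proof of compromise."""
    peaks = distinct_smtp_destinations(flows, window)
    return sorted(src for src, n in peaks.items() if n >= threshold)


if __name__ == "__main__":
    print(distinct_smtp_destinations(SAMPLE_FLOWS))
    print(flag_smtp_sprayers(SAMPLE_FLOWS))
```

As the post notes, a host relaying for a single smarthost never trips this, while a compromised host that only ever relays to one upstream would also stay invisible.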
Yes, I can agree with that.
And it is not going to change. Which is why it is necessary for the OS vendors to ship their product so that the default configuration is as locked down as possible. In my opinion, Ubuntu achieves this in an admirable fashion.
Actually, that would be because of Microsoft's monopoly on the desktop. Breaking free of the monopoly takes a LOT of effort.
Nope. Look at a Mac. Talk to Mac users. They don't need to become experts on their systems to use them more securely than Windows. This is because Apple has implemented a more effective security model than Microsoft.
But it is Microsoft that is using the monopoly to restrict access to more secure systems. Don't blame the users if the monopoly is actively trying to limit the options.
Why do you have to turn off the firewall so you can run your IM program? Would you accept a car that you had to disable the air bag in order to play a CD? Ubuntu is effectively immune to worms because it, by default, does not have any open ports.
Microsoft is skipping the FIRST rule of security: do not run anything that is not absolutely necessary.
The reason that so many Windows machines are infected is NOT because they're running some IM client without a firewall. It's because the default configuration was insecure. Too many services that were not needed were running and vulnerable.
If 100% of the Windows boxes start vulnerable - you need a LOT of extra work to secure them.
If 100% of the boxes start without open ports - you'll need a LOT of extra work just to make them vulnerable.
In the end, it all comes down to how much effort is needed. Start secure and you'll always win that scenario.
... thinks Vista will change anything? The exploits are already being marketed and published. It reminds me of the "use XP SP2" chorus, when the only thing that did was break existing applications and push more obnoxious EULAs and DRM. We will soon see Vista added to the list of threats which currently list XP, 2000, XP, 98 etc. back to the earliest version the watchers care to add. The reason those threats typically break every previous version of Windoze is because M$ rarely rewrites anything and the same old binaries are passed on from version to version. Vista was made the same way the other versions were and the same old process is going to yield the same old results. Vista is the same old same old.
Friends don't help friends install M$ junk.
And if they can fix security problems with One Care, why couldn't they fix them in the OS in the first place?
So first, we pay MS for the OS... then we have to pay them again to make it secure? Sounds like a scene from The Godfather.
Considering the cost of Windows upgrades in general, I really cannot see Vista taking over on a consumer level any way other than new machine purchases.