Cyber Crime Hits Big Time This Year
An anonymous reader writes to point out the Washington Post's analysis of this year's spike in junk email and online attacks, such as botnets and worms. Image-embedded spam emails made up an amazing percentage of all messages sent in the months of October and November, and something like four million bots are actively adding to that total. These botnets are also increasingly connected to organized crime, as are 'independent' hacker groups. The article goes on for three pages, and doesn't have a lot of hope that 2007 will look a whole lot better. From the article: "Experts worry that businesses will be slow to switch to the [Windows Vista]. And even if consumers rush to upgrade existing machines or purchase new ones that include Vista, Microsoft will continue to battle security holes in legacy versions of Microsoft Office, which are expected to remain in widespread use for the next 5-10 years."
"Experts worry that businesses will be slow to switch to the [Windows Vista]. "
Maybe because Vista isn't written for security or for the businesses, or for anyone who buys it; it's written for DRM and for the RIAA and MPAA.
As the number of people online grows, the crime scene grows with it (at a slight delay).
A large enough number of people for crime to be viable online will stay gullible, no matter what we do.
This is another one of those "Wars" we simply cannot win. We can try to educate the masses, but in general it will not work.
A number of people within any social network will be defrauded somehow, and as they tell their stories (which most of them won't, afraid to seem a fool in the eyes of their peers), eventually these networks will become more resistant to attacks.
We can design tools to help this process. But there will never be a technical tool to stop all, or even a significant amount of the crime and fraud that goes on out there.
It's the American dream - everyone can make it rich, and some people will always think that it's the mail/phonecall/whatever they just received that'll make it happen for them.
I'm a dreamer, the world is my playpen. But hey, I'm a serious person, I can't dream all the time.
Not much on specifics in TFA, but apparently the major increase in spam (mainly those pump'n'dump stock scams) appears to be due to the Spamthru trojan, which is being dropped by Warezov.
We've had a few stories on this before here and here.
henry -- the human evolution news relay
Yet, with a boot CD on Linux, I can inventory everything on the local hard drive and quarantine any suspect files. Yes, including loadable modules for the kernel.
Why aren't we seeing that for Windows? Running an anti-virus app on the system itself is useless if the system can be compromised at a more privileged level than the app is running at.
Not to mention that the users are notorious for NOT keeping their anti-virus apps updated.
And ISPs really should be looking at blocking or actively monitoring outbound connections to port 25. Come on! It's not that difficult.
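The offline inventory-and-quarantine workflow the poster describes (boot from clean media, hash everything on the mounted drive, set aside anything not on a known-good list), written out as an added example; this is not code from the post or from any particular tool. The manifest format, the sample "mounted volume" and its kernel-module files are all constructed here so it runs offline, and the quarantine directory is an assumed layout.

```python
"""Offline inventory-and-quarantine of a mounted filesystem (added example).

Run from a boot CD with the target volume mounted read-write at `root`.
Every regular file is hashed and compared against a known-good manifest
({relative_path: sha256}); files that are unknown or whose hash differs
are moved into a quarantine directory, preserving their relative path.
The manifest and sample files below are constructed for illustration.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root: Path) -> dict:
    """Return {relative_path: sha256} for every regular file under root.
    Symlinks are skipped so a planted link cannot redirect the walk."""
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            rel = str(p.relative_to(root)).replace(os.sep, "/")
            result[rel] = sha256_file(p)
    return result


def quarantine_unknown(root: Path, manifest: dict, qdir: Path) -> dict:
    """Compare the on-disk inventory against the known-good manifest.
    Unknown or modified files are moved into qdir; files listed in the
    manifest but absent from disk are reported as missing."""
    report = {"ok": [], "modified": [], "unknown": [], "missing": []}
    found = inventory(root)
    for rel, digest in found.items():
        expected = manifest.get(rel)
        if expected is None:
            report["unknown"].append(rel)
        elif expected != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
            continue
        dest = qdir / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(root / rel), str(dest))
    report["missing"] = sorted(set(manifest) - set(found))
    return report


def demo() -> dict:
    """Build a constructed 'mounted volume' in a temp dir and run the check."""
    base = Path(tempfile.mkdtemp())
    vol = base / "mnt"
    (vol / "lib/modules").mkdir(parents=True)
    (vol / "lib/modules/good.ko").write_bytes(b"known good module")
    (vol / "lib/modules/tampered.ko").write_bytes(b"rootkit payload")   # hash differs
    (vol / "lib/modules/dropped.ko").write_bytes(b"new unknown module") # not in manifest
    manifest = {  # constructed known-good hashes
        "lib/modules/good.ko": hashlib.sha256(b"known good module").hexdigest(),
        "lib/modules/tampered.ko": hashlib.sha256(b"original module").hexdigest(),
        "lib/modules/removed.ko": hashlib.sha256(b"was here").hexdigest(),
    }
    report = quarantine_unknown(vol, manifest, base / "quarantine")
    report["quarantined_files"] = sorted(
        str(p.relative_to(base / "quarantine")).replace(os.sep, "/")
        for p in (base / "quarantine").rglob("*") if p.is_file())
    return report


if __name__ == "__main__":
    print(demo())
```

The point of doing this from a boot CD rather than from inside the running system is that the hashing code never asks the possibly compromised kernel for file contents; a module that hides itself from the live OS is still just bytes on the unmounted disk.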
Seriously. I have like 5 email accounts, and I doubt that's a lot compared to some people who use e-mail more than me. Three of which I will drop at a moment's notice. The other two I consider untouchable. They are whitelisted. You want to get to my good ones? You gotta go through the other three. Then, and only then, will you get to my inner e-mail sanctum.
So bots and spam and worms and identity phishers don't get to me. Part of the reason is that I simply don't pay attention to e-mails from unsolicited sources. That's half the reason cyber crime works at all: people are idiots when it comes to computers. Odds are you know someone who sees a pop-up disguised to look like an authentic Windows message box and clicks on the buttons thinking they are actually talking to Windows and not some porn-site-based phisher and thief. Odds are you know someone who thinks those e-mails are from someone with an actual product instead of a phishing scam, like a second chance offer from www.ebay.cra.cz or something similar.
These criminals are simply separating stupid people and their money. I know, I know, it's a harsh perspective. You know somebody who got nailed so you want to mod me down because I called your friend stupid. Well, hopefully they learned. The saying goes, fool me once, shame on you, fool me twice, shame on me. It's true.
TLF
I do not respond to cowards. Especially anonymous ones.
What we need is more effective law enforcement. There aren't that many spammers any more. Look how few different spams show up. The top three or four spams represent most of the volume. We need a law enforcement effort aimed at finding the top ten spammers and putting them in jail.
An anonymous reader writes to point out the Washington News's analysis of this year's spike in telemarketers gulling lonely old people, such as lonely old men and lonely old women, out of their life's savings.
As long as there is prey, there will be predators. Stamping out the predators is a game of whack-a-mole, so the best solution is to try to educate the prey. And if you can't, well, what are you going to do? Legislate against it? Pfft!
--Rob
Towards the Singularity.
Spamhaus! http://www.spamhaus.org/statistics/networks.lasso/
The only thing new in this world is the history that you don't know.[Harry Truman]
A series of entries on my discovery of click fraud, how I detected it.
http://www.realmeme.com/roller/page/realmeme/Weblog?catname=%2FClickFraud
I'm planning to work it into a Defcon 15 submission.
So, under the auspices of Economic Security, some random ideas to rebuild confidence in the email network:
The domain name is the primary reference point for a reputation base. If a domain can be spoofed, reputation fraud ("Identity theft") becomes more likely. So, harden DNS with some ubiquitous public key crypto. If you want a domain, you must provide a public key; the key authenticates you to modify the entry. If you lose the key, tough cookies; you'll have to wait for the registration to expire before you can regain control of it.
All clients presenting mail for delivery must present credentials. No credentials, no delivery. In an ideal universe, the client's credentials (public key?) would be presented as part of the SSL connection, so the SMTP server wouldn't have to do anything special.
If you're not on the local subnet, and your IP is not registered as a Mail Exchange, then no relaying for you without prior arrangement. Assuming a hardened DNS, we can reasonably rely on the authenticity of the MX record.
Blanket blocking of connections on port 25 is excessive -- some people have a legitimate need to drop mail on smarthosts outside the local subnet. However, if the routers observe an internal IP address spraying port 25 connections to, say, a dozen different IPs over the course of a minute, then that's probably something the network admins would want to look at more closely. This would do nothing to thwart a parallel "shadow" network of compromised hosts acting as spam relays for the subnets on which they're located. But for a while you'd get a pretty good map of machines to clean up.
Schwab
Editor, A1-AAA AmeriCaptions
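Two of the controls proposed in the post above, written out as an added example (not the poster's code): the relay rule from point three (relay only for clients on the local subnet, clients listed as an MX, or clients with a prior arrangement) and the fan-out detector from point four (flag an internal host opening TCP/25 connections to a dozen or more distinct destinations within a minute). The local subnet, the MX table, the allow-list and the flow records are constructed here; in a real deployment the MX table would come from DNS (which the post assumes has been hardened) and the flows from router exports.

```python
"""Relay policy and TCP/25 fan-out detection (added example code).

Addresses use RFC 5737 documentation ranges. The MX table stands in for
DNS lookups and the flow records stand in for router flow exports; both
are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOCAL_SUBNET = ip_network("192.0.2.0/24")            # constructed example network
MX_ADDRESSES = {                                     # constructed stand-in for MX lookups
    "example.org": {"198.51.100.25"},
    "example.net": {"203.0.113.7"},
}
PRIOR_ARRANGEMENTS = {"198.51.100.99"}               # explicitly allow-listed smarthost


def may_relay(client_ip: str, sender_domain: str) -> bool:
    """Accept relaying only from the local subnet, an allow-listed host,
    or a host that is a registered MX for the sending domain."""
    if ip_address(client_ip) in LOCAL_SUBNET:
        return True
    if client_ip in PRIOR_ARRANGEMENTS:
        return True
    return client_ip in MX_ADDRESSES.get(sender_domain, set())


def detect_smtp_fanout(flows, window_seconds=60, max_distinct_dst=12):
    """flows: iterable of (timestamp_seconds, src_ip, dst_ip, dst_port).

    Only TCP/25 flows from LOCAL_SUBNET hosts are considered. For each
    source, a sliding window over the sorted timestamps tracks how many
    distinct destinations it contacted within window_seconds; sources whose
    peak reaches max_distinct_dst are returned as {src_ip: peak}."""
    per_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == 25 and ip_address(src) in LOCAL_SUBNET:
            per_src[src].append((ts, dst))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        counts = defaultdict(int)   # distinct destinations currently in the window
        start = 0
        peak = 0
        for ts, dst in events:
            counts[dst] += 1
            # Drop events that fell out of the window.
            while ts - events[start][0] >= window_seconds:
                old_dst = events[start][1]
                counts[old_dst] -= 1
                if counts[old_dst] == 0:
                    del counts[old_dst]
                start += 1
            peak = max(peak, len(counts))
        if peak >= max_distinct_dst:
            flagged[src] = peak
    return flagged


def sample_flows():
    """Constructed flow records: a workstation talking to its smarthost
    every two minutes, and a bot spraying 15 MX hosts within 30 seconds."""
    flows = [(t, "192.0.2.10", "198.51.100.99", 25) for t in range(0, 600, 120)]
    flows += [(t * 2, "192.0.2.66", f"203.0.113.{10 + t}", 25) for t in range(15)]
    flows += [(5, "192.0.2.66", "203.0.113.200", 443)]   # HTTPS, ignored
    flows += [(5, "198.51.100.5", "203.0.113.201", 25)]  # not our subnet, ignored
    return flows


if __name__ == "__main__":
    print(detect_smtp_fanout(sample_flows()))   # {'192.0.2.66': 15}
```

The detector deliberately keys on distinct destinations rather than connection count, so a workstation that retries its own smarthost a hundred times is not flagged, while a bot delivering directly to many recipient MXes is. As the post notes, this only maps compromised hosts on the monitored subnet; it says nothing about spam relayed through a compromised host elsewhere.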
Microsoft has done quite a decent job of making this balance in Windows.
What a joke. The following are purely design flaws which you cannot excuse by saying that they are being exploited only because Windows/Office are popular.
1. By default, all userland applications are granted Administrator's privileges. I cannot think of a suitable comment for this stupidity.
2. By default, IE is capable of running applets with the said privileges. This would be dumb even if they were user privileges. Executable code which affects the system should be downloaded and then run locally. Just two more clicks, but now even a very dim user knows that a program is being run, whereas before he assumed that he's just browsing the Web.
3. The de-facto document exchange format, .doc, is imbued with executable code which, wait for it... runs with administrative privileges. Let's not whine about how .doc is not an exchange format, because it is. That's what people collaborate on and email each other for revisions. It has its flaws but it does a good job. Sticking VBA in it is like handing little Johnnie a vial of nitroglycerin and saying: now be a good kid; if you jump too much, you won't have a good time.
4. Getting a program involves running an executable file. This is a very grave flaw in the design. Much malware would be curbed if MS switched to a good packaging scheme and eliminated the need of ever dealing with .exe (for a not-so-clever user, that is). Ubuntu can do it, why can't Microsoft?
On my laptop, the only program I ever had to install by hand was ies4lin. Everything else (and I am quite a whore when it comes to software) was available through the Multiverse. Once a user is shown the kosher way of installing new programs, i.e. from inside the package manager which talks to the trusted repositories, he will naturally regard standalone files as suspect, and most likely will not even encounter them.
These are just off the top of my head. All four are atrocious decisions, given that catering to the lowest common denominator is in Microsoft's mission statement. All four became problems because MS chose to completely ignore the fact that every Windows computer is connected to the Internet. Why bother? The monopoly status works just fine.
Yes, I can agree with that.
And it is not going to change. Which is why it is necessary for the OS vendors to ship their product so that the default configuration is as locked down as possible. In my opinion, Ubuntu achieves this in an admirable fashion.
Actually, that would be because of Microsoft's monopoly on the desktop. Breaking free of the monopoly takes a LOT of effort.
Nope. Look at a Mac. Talk to Mac users. They don't need to become experts on their systems to use them more securely than Windows. This is because Apple has implemented a more effective security model than Microsoft.
But it is Microsoft that is using the monopoly to restrict access to more secure systems. Don't blame the users if the monopoly is actively trying to limit the options.
Why do you have to turn off the firewall so you can run your IM program? Would you accept a car that you had to disable the air bag in order to play a CD? Ubuntu is effectively immune to worms because it, by default, does not have any open ports.
Microsoft is skipping the FIRST rule of security: do not run anything that is not absolutely necessary.
The reason that so many Windows machines are infected is NOT because they're running some IM client without a firewall. It's because the default configuration was insecure. Too many services that were not needed were running and vulnerable.
If 100% of the Windows boxes start vulnerable - you need a LOT of extra work to secure them.
If 100% of the boxes start without open ports - you'll need a LOT of extra work just to make them vulnerable.
In the end, it all comes down to how much effort is needed. Start secure and you'll always win that scenario.
"Are you a competent attorney? Tax accountant? Automotive Mechanic? Manufacturing supervisor? Medical doctor?
What would you think if professionals in these various areas figured you were a moron because you did a stupid in their field of expertise?"
These are not cases of being a moron because you don't know how to do something; it's because you ignore the fact that you are not smart enough to do them. A lot of people get their cars fixed for them, hire lawyers, have people do their taxes, etc. How many people forward their emails to people to make sure they are legit? None. People who don't know how to drive but drive anyway and crash the car have only themselves to blame; this case is the same.
Emails are too easy to get; if it were harder, cases of this would drop by a LOT, because people who didn't know how to use email wouldn't be using it. Not like that's going to happen, or that it would even be a good thing, but it does say people should avoid messing with things they can't comprehend.
Great Intellect...
And if they can fix security problems with One Care, why couldn't they fix them in the OS in the first place?
So first, we pay MS for the OS... then we have to pay them again to make it secure? Sounds like a scene from The Godfather.