What a Hacked PC Can Be Used For

An anonymous reader points out that the Security Fix blog is running a feature looking at the different ways hacked/cracked computers can be abused by cyber scammers. "Computer users often dismiss Internet security best practices because they find them inconvenient, or because they think the rules don't apply to them. Many cling to the misguided belief that because they don't bank or shop online, that bad guys won't target them. The next time you hear this claim, please refer the misguided person to this blog post, which attempts to examine some of the more common — yet often overlooked — ways that cyber crooks can put your PC to criminal use."

Don't be a patsy!

[Drakkenmensch]

Lately there's been a LOT of attacks on military servers and data thefts of sensitive info. You do NOT want military techies to trace this back to YOUR machine that's been used as a proxy for some 15 year old script kiddie!

Re:Don't be a patsy!

[Artifakt]

I'm a former signal corps officer who once held the electronic security officer position in a S-2 shop (that's military intelligence), and I personally know of three cases where a military computer intrusion resulted in serving a warrant at some person's home. One of them was on post and was served by MPs - the other two at civilian addresses. In ALL cases, persons bearing M-16s were present (MPs, FBI or SWAT). In ALL cases, all computer and related equipment in the home was impounded and held at least until trial.
        In one of the three cases, a firearm was actually pointed by police in my presence, and the civilian policeman informed the suspect (a 16 year old kid), "Step away from the computer NOW! Or I will splatter your dumbass fucking head all over the fucking wall". fortunately he complied at that point, although later, one of the police told me it was probably because a non-cop was present that his buddy didn't bang the kid against said wall 'just a little' before handcuffing him. Even though I was only along as a witness to identify presence of the suspected software on his machine, since this was a civilian related case, I ended up having to testify at the trial that the kid appeared to be trying to destroy evidence, because he argued at first that the language and being cuffed constituted excessive force.
        So yes, if that something is intrusion in a military system, someone may very well point a gun at you. I think the police were reasonably professional in the cases I was connected to, and I recommend that people don't rely on that. I got to where I really feared having a case come up in some areas where I would expect the police to get overexcited about it. We always had to assume a cases such as this might be espionage by foreign agent, but the police typically reacted like they never heard the word 'might' in that - to them it simply was spying and sabotage, and I also heard the word 'treason' thrown around a lot when we briefed the local DAs that the suspects were believed to be U.S. citizens. Many cops damned well may go a lot farther than pointing, and you are giving out very, very bad advice.
     

Users won't care

[node159]

Having read over the list I can tell you with absolute certainty that the common user will not care for one specific reason:

None of the items listed affects them directly.

Computer security for the common goo does not interest the average user one bit, ultimately the responsibility falls of the developers of the compromised software for not designing the software in a safe and secure way. In my home I run ALL PC's on limited user accounts, this should have been made standard 8 years ago when the push for security came about. The unwillingness to enforce this of most fundamental security provision highlights that:

As well as the average user, developers don't care about security either.

Re:Child porno?

[ShadowRangerRIT]

You're being naive. Since hosting illegal material yourself is dangerous, a fairly standard trick would be hosting it in a deniable location. Multiply the percentage of pedophiles (I'd guess upwards of 0.1%) by the percentage of hackers (including script kiddies, I'd say upwards of 0.01%), and at least 1 in 10,000,000 people would be both, or at least 600 worldwide. Not that many, no, but enough to have it be a potential use of cracked machines.

Re:They don't care

[mh1997]

Agreed. People simply use their PCs (and Macs) as appliances, with no thought whatsoever of using it *properly*, or learning how to use it safely. It's like leaving your door unlocked when you go out for the day.

I wonder why people would use a computer as an appliance. Could it be that the OEMs, software companies, and retailers are selling the computer as an appliance for online shopping, banking, and entertainment?

I wonder why they don't care when they are repeatedly told by the software companies that their brand of OS is very secure and it even has a "red, yellow, green" warning system to show how secure it is.

I wonder why users (who are told their computer is so simple to use properly, that there is no training required) don't train themselves?

From the time people are old enough to use a lock, they are told by parents, teachers, police, media, etc. to lock their doors.

There is no comparison for the average person regarding computer security. If the software companies cannot provide the level of security, without training, that they promise, then there should be a warning constantly flashing on the screen telling the person that anything and everything on that computer is likely to be stolen or used to commit a crime.

Re:They don't care

[0100010001010011]

There is a point at which people want an 'appliance'. Be it your car, computer, yard, HVAC, water conditioner or toaster.

There are people who never clean their toaster. And when it dies they toss it and get a new one. This is no different than someone who buys a new computer everytime they get a big malware hit.

Everyone is guilty of neglecting SOMETHING. It's not just that it's human nature but the time you spend keeping your computer up to date your grandparents may have spent keeping their guns polished. And I'm sure your grandpa knows someone who treated their guns like appliances. Tossed them in the dirt, never cleaned them, let them rust, etc.

Re:Child porno?

[_Sprocket_]

What are the odds that a hack0r is also a pedo that would do this?

Even if a pedo paid a hack0r what are the odds he would report him?

A friend of mine is a network admin at a local university. As such, part of his duties include network security. He knows of several anonymous FTP servers on "his" network that are routinely tagged and used as drop-points for illicit data. Attempts to fix the situation have been stone-walled or outright ignored. So he just watches what goes on with these servers. It's amazing what shows up on them. There's a pretty good trade of warez that goes on - he doesn't have to hunt down torrents. There's often interesting malware examples to poke around with. And there's often more porn covering a wide array of kinks than you can get googling for "fetish". Child porn included. On a side note - that's based on what data he can see. There's also a large number of encrypted archive files that show up. It's a mystery what's in those. But often they're found in directory structures created by the illicit data peddlers so one can make a guess that if a given directory structure includes unencrypted kiddie porn, the encrypted archives found in that directory structure are probably more of the same. Of course, this is all very old-school. Hijacking servers? How very 1990's. Today we hijack small workstations often with just as many resources as a dedicated server - without the hassle of the occasional alert sysadmin.

Now define "openly malicious"

[tepples]

Any ISP relaying openly malicious traffic needs to face consequences for it

Now define "openly malicious". Here are some minimal pairs to consider when legislating what traffic will invoke consequences:

• Are port scans malicious? Are port scans initiated by the target computer's administrator malicious?
• Is an attack intended to crack your phone malicious? Is an attack intended to crack your phone malicious if you initiated the crack in order to install an app that the phone's maker doesn't like?
• Is copying Photoshop Elements malicious against Adobe? Is copying GIMP malicious against Adobe?

Re:They don't care

[oldspewey]

They do not feel responsible for malware running on their computer.

There is one exception ... one thing that scares the bejeezus out of most people ... and that's when you tell them their computer is being used as part of a kiddie porn ring. Somehow, when people learn that their machine is being used to host images of 8-year-olds being sexually abused, they suddenly take the concept of computer security a lot more seriously.

Not that I'm advocating anybody should tell a devious lie to a friend in order to make him/her smarten the hell up ... I'm just saying is all.

Re:Sadly, no, they don't

[tepples]

I tell them that they're actually clicking "Yes please, install this virus on my computer" over and over again, every time they want a new free, useless desktop widget or application or game produced by a company no one's heard of

What company that you've heard of publishes applications like Pidgin or games like Lockjaw? But because these are free software, it's more likely that someone has looked over the source code for you.

Re:They don't care

[NeverVotedBush]

Your solution isn't ugly at all. I think it is necessary. People's compromised computers cost other people money and do harm in helping to spread malware, are used as repositories for stolen information, etc.

Holding users responsible probably opens a legal can of worms, but I think that is coming too. Once users are held responsible, ISPs will be held responsible - not only for the damage their users do, but also by users for letting malicious traffic to the user's computer. Software manufacturers will probably also end up fighting class action suits over security weaknesses.

But when some crime group blackmails a web site with a DoS attack, it's all the compromised computers that do the heavy lifting. There should be some responsibility there. Acting as repositories for stolen files and such should also carry responsibility.

There is a responsibility in owning a computer and putting it on the net. Everyone has sidestepped that issue for far too long. If someone's computer does me harm, then why shouldn't they be held responsible?

I think with all of the attention that cyber crime is now getting, holding people responsible to at least some extent will be inevitable. And I know there are lots of ways to hide which computers are contributing to DDoS attacks, but if a computer is discovered with lots of stolen data on it, attributing responsibility gets a lot easier.

Re:They don't care

[Zumbs]

Some time back, a Danish bank blocked the access of 8.000 internet bank users, as the bank could link their computers to ip adresses that might be infected by a trojan. They suspected that the trojan could be used to get access to the bank accounts of the 8.000 users. Thus, they sent (snail)mail to the customers in question that told them that they had to reinstall Windows before they could do their banking online again.

Re:They don't care

[cbiltcliffe]

Happened years ago. Didn't make a peep of difference.