Slashdot Mirror


What a Hacked PC Can Be Used For

An anonymous reader points out that the Security Fix blog is running a feature looking at the different ways hacked/cracked computers can be abused by cyber scammers. "Computer users often dismiss Internet security best practices because they find them inconvenient, or because they think the rules don't apply to them. Many cling to the misguided belief that because they don't bank or shop online, that bad guys won't target them. The next time you hear this claim, please refer the misguided person to this blog post, which attempts to examine some of the more common — yet often overlooked — ways that cyber crooks can put your PC to criminal use."

16 of 364 comments

  1. They don't care by stoolpigeon · · Score: 5, Insightful

    Over the years I've offered help staying secure to friends, co-workers, etc. and I've learned that they just don't care. Most people only want help in one situation- when they have a virus that interferes with their computer working properly. Then they want it removed so they can go back to doing all the stuff that got it on their machine.

    If you don't believe me - tell someone who isn't a tech person to go read this blog post. A week or two later ask them if they read it. I'm gonna go out on a limb and say over 90% won't.

    Or talk to someone like that about security. Watch as their eyes glaze over and they look for a way to escape.

    --
    It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
    1. Re:They don't care by ae1294 · · Score: 5, Insightful

      I agree, I worked at a computer store doing service for many many years and I would see the same old people over and over and over again. I would tell them to just stop installing kazzzza! or stop browsing seedy porn sites but they never did and it was always their teenage son's fault.

      (If it was me I'd ask how to lock him out after the 5th $100 reload) - didn't always need a reload just saying...
      I even offered to explain to them how to set up a BIOS password and sold special case locks for three bucks... no takers.

      They would however, always be very mad at me for not preventing their computers from getting reinfected. I guess they expected I would create some sort of magic barrier for them.... I donno... It's funny hearing "I'll never come back here AGAIN!" from the same person and then see them back in two months or so....

      People don't mind going out to the bar and spending $200 on shots but don't try and charge for fixing their porn box or you'll get beat...

    2. Re:They don't care by Anonymous Coward · · Score: 5, Insightful

      This is unfortunately very true. Several of my co-workers bring me their machines from home every few months to fix and 90% of the time none of the Windows updates are installed and the anti-virus software is either outdated or completely disabled. I finally sent an email to all employees that I will no longer fix any non-work machines. My main reason is that they seem to think that my expertise is worth nothing to them... none of them have ever offered to buy me a pack of beer, much less pay me for the hours I spend on their personal computers, but also because it's extremely frustrating that they don't really care about preventing the problems in the first place.

    3. Re:They don't care by Junior J. Junior III · · Score: 5, Insightful

      The answer to this is to put the "personal" computer into context. PCs really stopped being personal computers the moment the availability of internet access became the norm. They should be called "social" computers now, but most people don't think of them that way.

      How you put the "social" computer into context varies from person to person. I have a family member who I support who knows little about how computers work, and barely knows how to use one. He happens to be very politically minded, in a right-wing hardcore military patriot kind of way. I forward him some info about the Chinese hacking into US military and government networks and "cyber warfare" and that woke him up. Now he thinks it's his patriotic duty to keep his antivirus updated, and not open email attachments. I have very few problems from him these days, and the last few have been due to his security software being *too* tight. He thinks any problem he has with the computer could be a virus, as opposed to a bug or human error, or whatever, but he has gained enough sense of paranoia that he's made his usage habits a lot safer than they were when he was first going online.

      You just have to find the right button to press (in the person, not on the computer) and then the rest will follow naturally because they finally care. If the user's a businessman, play up financial scammers and anarchist punk hackers. If the user's religious, invent satanic hackers. If the user's a leftist, talk about The Man and government spooks. If they're a concerned parent type, talk about child predators.

      --
      You see? You see? Your stupid minds! Stupid! Stupid!
    4. Re:They don't care by mh1997 · · Score: 5, Interesting

      Agreed. People simply use their PCs (and Macs) as appliances, with no thought whatsoever of using it *properly*, or learning how to use it safely. It's like leaving your door unlocked when you go out for the day.

      I wonder why people would use a computer as an appliance. Could it be that the OEMs, software companies, and retailers are selling the computer as an appliance for online shopping, banking, and entertainment?

      I wonder why they don't care when they are repeatedly told by the software companies that their brand of OS is very secure and it even has a "red, yellow, green" warning system to show how secure it is.

      I wonder why users (who are told their computer is so simple to use properly, that there is no training required) don't train themselves?

      From the time people are old enough to use a lock, they are told by parents, teachers, police, media, etc. to lock their doors.

      There is no comparison for the average person regarding computer security. If the software companies cannot provide the level of security, without training, that they promise, then there should be a warning constantly flashing on the screen telling the person that anything and everything on that computer is likely to be stolen or used to commit a crime.

    5. Re:They don't care by gnick · · Score: 5, Insightful

      The solution is obvious (albeit ugly). Punish the user. We are a long way from having a "secure" OS - I use Windows at work and both Windows & Linux at home and have used them for years. They both used to be swiss-cheese concerning security and both have improved dramatically, but neither are secure nor will they be any time soon.

      1) Any ISP relaying openly malicious traffic needs to face consequences for it - Force them to self-monitor.
      2) ISPs will start threatening users responsible for malicious traffic with disconnection.
      3) Users with compromised connections will either have to start caring about security or give up Internet service.

      I can feel the flames rising around me - They're welcome. As long as when you shout me down for this ugly step "forward", please present an alternative solution more insightful than "OS designers need to fix their security", 'cuz nobody's hit end-game yet. (Or "4 - ???" "5 - Profit", please... It's tired... But it did appear very recently in the WSJ as an analogy for Obama's stimulus plan - How cool is that!)

      --
      He's getting rather old, but he's a good mouse.
    6. Re:They don't care by oldspewey · · Score: 5, Interesting

      They do not feel responsible for malware running on their computer.

      There is one exception ... one thing that scares the bejeezus out of most people ... and that's when you tell them their computer is being used as part of a kiddie porn ring. Somehow, when people learn that their machine is being used to host images of 8-year-olds being sexually abused, they suddenly take the concept of computer security a lot more seriously.

      Not that I'm advocating anybody should tell a devious lie to a friend in order to make him/her smarten the hell up ... I'm just saying is all.

      --
      If libertarians are so opposed to effective government, why don't they all move to Somalia?
  2. Based on movies.... by Kenja · · Score: 5, Funny

    Based on what I see in movies, they can be used to blow things up, crash alien space ships and steal Sandra Bullock's identity.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
  3. Users won't care by node159 · · Score: 5, Interesting

    Having read over the list I can tell you with absolute certainty that the common user will not care for one specific reason:

    None of the items listed affects them directly.

    Computer security for the common good does not interest the average user one bit; ultimately the responsibility falls on the developers of the compromised software for not designing the software in a safe and secure way. In my home I run ALL PCs on limited user accounts; this should have been made standard 8 years ago when the push for security came about. The unwillingness to enforce this most fundamental of security provisions highlights that:

    As well as the average user, developers don't care about security either.

    --
    GPLv2: I want my rights, I want my phone call! DRM: What use is a phone call, if you are unable to speak?
    1. Re:Users won't care by pilgrim23 · · Score: 5, Insightful

      If anyone believes that the average user cares about how their actions can affect other people on the "Net" ... Try driving on an average interstate....

      --
      - Minutus cantorum, minutus balorum, minutus carborata descendum pantorum.
  4. Sadly, no, they don't by RulerOf · · Score: 5, Insightful

    Of all the people I've done computer work for, one of the worst offenders is a man who owns a small business I do side work for. He would somehow manage to acquire viruses at alarming rates.

    It stopped when I forced him to use Firefox instead of Internet Explorer, and set him up with a limited user account and told him he'd need to log out or switch users to an administrator if he wanted to install something.

    Hasn't had a problem since.

    Everyone else I've tried that (or something similar) with is too obstinate or stubborn to recognize or believe when I tell them that they're actually clicking "Yes please, install this virus on my computer" over and over again, every time they want a new free, useless desktop widget or application or game produced by a company no one's heard of... that just has to have Admin privileges to run...

    --
    Boot Windows, Linux, and ESX over the network for free.
  5. My hacked PC by Dystopian Rebel · · Score: 5, Insightful

    If I can no longer read files because of changes to proprietary formats,
    if I cannot play media because of DRM,
    if I cannot use my hardware because proprietary drivers don't exist and the manufacturer won't release the information needed to create an open-source driver,
    if I cannot obtain security updates because my OS is wrongly deemed to be an unauthorized copy,
    if I am not allowed to install the software that I buy on any PC I choose without having to call for permission,
    if the software on my computer calls home without my explicit permission,
    if the software on my computer transmits information about my computer without my explicit permission,

    I have lost control of my computer and it has been hacked.

    --
    Rich And Stupid is not so bad as Working For Rich And Stupid.
  6. Now define "openly malicious" by tepples · · Score: 5, Interesting

    Any ISP relaying openly malicious traffic needs to face consequences for it

    Now define "openly malicious". Here are some minimal pairs to consider when legislating what traffic will invoke consequences:

    • Are port scans malicious? Are port scans initiated by the target computer's administrator malicious?
    • Is an attack intended to crack your phone malicious? Is an attack intended to crack your phone malicious if you initiated the crack in order to install an app that the phone's maker doesn't like?
    • Is copying Photoshop Elements malicious against Adobe? Is copying GIMP malicious against Adobe?
  7. That's because they WANT an appliance by zogger · · Score: 5, Insightful

    Consumers want a secure easy to use web surfing appliance, but it is unobtanium to them. I mean wtf, why isn't this obvious yet? Not everyone is a computer nerd and specialist, most people aren't, and they have no huge desire to become one, they just want to surf the net. The computer industry just freaking *insists* on selling them devices that actually take a fairly high level of sophistication to keep running smooth and clean, because it makes them shedloads more money. Megaboatloads. The only web surfing appliances that have been on the market have mostly all sucked and been grossly overpriced, and we all (here) know that.

    And the computer repair and fixit industry doesn't want more rugged and foolproof net surfing appliances either, cleaning up borked windows machines is a multi BILLION a year industry. I bet for most whitebox shops it might be the bulk of their income. The computer hardware makers like borked computers because they get people on a hardware upgrade path once the consumer has been pwned a few times and people just decide a brand new machine will be the magic fix. The operating system industry wants borked because they get people on an upgrade path, again, get them thinking/hoping new version "Grand Horizon 7.0 XPU" will be the magic fix.

    This won't change until we have software lemon laws and consumer warranties.

    If a product is not "suitable for purpose", in this instance being on the net 24/7, without having to be a computer expert and installing a crapflood of other additional software, etc, this will just continue. Once it starts costing computer sellers and operating system sellers serious coin because of defective by design products, then things will change for the better, just like what happened in all other industries. It's the last industry with legalized "caveat emptor" out there, the magic get out of all legal responsibility EULA.

    Obligatory car analogy: What would you think of paying big bucks for a new car, then finding out after you left the lot that you needed an additional entire trunk full of tools you needed to purchase and carry around with you all the time and at least a medium professional/serious gearhead hobbyist level knowledge of car mechanics in order to drive all the time?

    That's the situation with computers and software today. Don't blame the end user all that much for getting broken computers when that is all they are provided with in the first place, no matter how much they spend on them.

  8. Computer security is like a convertible car by AnAdventurer · · Score: 5, Insightful

    You buy a nice convertible car and you are out driving it around. The sky is cloudy and it looks like rain. What do you do and whose responsibility is it to put the top up?

    1) Do you wait for the car manufacturer to install a rain sensor (now that you are on the road and you see that it sometimes rains, that would have been a good option to get) that will automatically put the roof up when it senses the first rain drop?

    2) Do you pull over before it rains and put the top up to be safe?

    3) Do you drive around with the top down blaming the car maker for designing a car that can get wet and/or doesn't keep the rain out automatically all the time forever?

    How is computer security different (metaphorically speaking)? I am sorry, but we all know it's up to the user.

    --
    6.8SPC TR of 550, l xwind at 6, drift rt at 26" drops 77". AT has 503 ft-lbs at 1403 fps. FT 0.86
  9. Re:Don't be a patsy! by Artifakt · · Score: 5, Interesting

    I'm a former signal corps officer who once held the electronic security officer position in an S-2 shop (that's military intelligence), and I personally know of three cases where a military computer intrusion resulted in serving a warrant at some person's home. One of them was on post and was served by MPs - the other two at civilian addresses. In ALL cases, persons bearing M-16s were present (MPs, FBI or SWAT). In ALL cases, all computer and related equipment in the home was impounded and held at least until trial.

    In one of the three cases, a firearm was actually pointed by police in my presence, and the civilian policeman informed the suspect (a 16 year old kid), "Step away from the computer NOW! Or I will splatter your dumbass fucking head all over the fucking wall". Fortunately he complied at that point, although later, one of the police told me it was probably because a non-cop was present that his buddy didn't bang the kid against said wall 'just a little' before handcuffing him. Even though I was only along as a witness to identify presence of the suspected software on his machine, since this was a civilian related case, I ended up having to testify at the trial that the kid appeared to be trying to destroy evidence, because he argued at first that the language and being cuffed constituted excessive force.

    So yes, if that something is intrusion in a military system, someone may very well point a gun at you. I think the police were reasonably professional in the cases I was connected to, and I recommend that people don't rely on that. I got to where I really feared having a case come up in some areas where I would expect the police to get overexcited about it. We always had to assume a case such as this might be espionage by a foreign agent, but the police typically reacted like they never heard the word 'might' in that - to them it simply was spying and sabotage, and I also heard the word 'treason' thrown around a lot when we briefed the local DAs that the suspects were believed to be U.S. citizens. Many cops damned well may go a lot farther than pointing, and you are giving out very, very bad advice.

    --
    Who is John Cabal?