Slashdot Mirror


Ask Slashdot: What To Tell Non-Tech Savvy Family About Malware?

First time accepted submitter veganboyjosh writes "I got an instant message from an uncle the other day, asking me what was in the link I sent him. I hadn't sent him a link so I figured that his account had been hacked and he'd received a malicious link from some bot address with my name in the 'From' box. This was confirmed when he told me the address the link had come from. When I tried explaining what the link was, that his account had been hacked, and that he should change the password to his @aol.com email account, his response was 'No, I think your account was hacked, since the email came from you.' I went over it again, with a real-life analog of someone calling him on the phone and pretending to be me, but I'm not sure if that sunk in or not. This uncle is far from tech savvy. He's in his 60s, and uses Facebook several times a week. He knows I'm online much more and kind of know my way around. After his initial response, I didn't have it in me to get into the whole 'Never click a link from an unfamiliar email address' bit; to him, this wasn't an unfamiliar email address, it was mine. How do I explain this to him, and what else should I feel responsible for telling him?"

18 of 340 comments

  1. i think your uncle is right by notgm · · Score: 5, Funny

    you've been compromised, and now you're spamming /.

    1. Re:i think your uncle is right by Billly Gates · · Score: 5, Funny

      He couldn't be.

      He is middle aged and knows better. He doesn't click on shit or go to weird sites. He also doesn't use IE. Therefore an AV scanner is not needed especially if you have a firewall. AV software is for wusses according to these folks and I am sure his 3 year old version of Flash and 5 year old unpatched Java on his machine are no match to the mighty security of running Firefox!

      Don't believe me? Just ask any slashdotter who has not used Windows in 12 years. They know what they are talking about when it comes to Windows security as they post this all the time.

    2. Re:i think your uncle is right by Anonymous Coward · · Score: 5, Funny

      If that is the level of reasoning among "tech savvy" people, then we're screwed.

      veganboyjosh's computer wasn't hacked, and his uncle's computer wasn't hacked until the link in the email was clicked. Someone else, who had both of them in the address book, was hacked and, after grabbing the address information from that third person's computer, a Facebook account, an uploaded Android contacts list, etc., the botnet sent the malicious email "from" someone in the address book to someone else in the address book, because that's how you make fake emails look legit and apparently it's also how you dumbfound enough geeks.

  2. Fake one yourself. by jx100 · · Score: 5, Insightful

    Log into AOL's SMTP server with telnet and make an email that looks like it's coming from your uncle. Show him how easy it is to fake, and that the "to" field is actually incredibly untrustworthy.

    1. Re:Fake one yourself. by toygeek · · Score: 5, Interesting

      I did this once to prove the point to my wife. I made up some ridiculous email and then called her and asked her if she got it. She had. When I told her it was from ME, she finally got the point. The email was telling her she was a winner of free tickets to a concert for an artist that hasn't performed in a VERY long time. And I didn't have to telnet into a server to do it. I just set up my mail program.
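
An added example, not part of any post in this thread: since the From line can be set to anything, the fields worth reading are the ones the receiving server records. This Python sketch runs over a constructed message; the domains, the addresses and the signal names it returns are all assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message (example.* domains, documentation IP): the visible From
# names the nephew, but the envelope and the receiving server's checks do not.
FORGED = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [203.0.113.25])
\tby mx.example.org; Mon, 05 Nov 2012 10:00:00 -0500
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.example.net; dkim=none
From: "Nephew Josh" <josh@example.com>
To: uncle@example.org
Subject: check this out

http://link.example/
"""

def _domain(header_value):
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def forgery_signals(raw_message):
    """Return reasons to distrust the From line; an empty list means none found."""
    msg = message_from_string(raw_message)
    signals = []
    from_dom = _domain(msg.get("From", ""))
    env_dom = _domain(msg.get("Return-Path", ""))
    # Mailing lists and bulk senders also cause this mismatch: a hint, not proof.
    if env_dom and env_dom != from_dom:
        signals.append("return-path-mismatch")
    # Only meaningful when this header was added by your own receiving server.
    results = re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                         msg.get("Authentication-Results", "").lower())
    if not results:
        signals.append("no-auth-results")
    signals += [f"{method}={verdict}" for method, verdict in results
                if verdict != "pass"]
    return signals

if __name__ == "__main__":
    for reason in forgery_signals(FORGED):
        print(reason)
```
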

  3. Think up a meatspace analogy by The MAZZTer · · Score: 5, Interesting

    In this case, let's say your uncle mails his letters by leaving them in his mailbox (I think some places let you do this) for the mailman to pick up. Now let's say a shady guy comes along and copies the names of people your uncle is mailing letters to, including yours, then sends him a letter purportedly from you asking him to loan you money by wiring it to a specific bank account or whatever.

    Your NAME was involved but you had nothing to do with it, and the scammer found out your name from him.

    1. Re:Think up a meatspace analogy by houghi · · Score: 5, Interesting

      With email, I also always use the snail-mail analogy.
      Everybody can send your name on an envelope.
      Everybody can write my name on the back.
      There is no way of telling where it was then sent from, except the country where the person put it in the mailbox.

      That will help most of the time (some people just don't WANT to understand), yet I can go further:
      Email is like a postcard, everybody can read it. If you encrypt it, it is like an envelope.

      An email has two parts. The part before the @ and the part after it.
      The last part is the address. Street, and city/country. The part before it is your mailbox. It can have your name, but can also be a mailbox or anything that you put on the mailbox.

      Your email program puts it in the mailbox. That is emptied by the post people. Then it is put in trucks to the postal dispatch. That will sort it and send it with a lot of others to another dispatch, where it will be sorted again and given to the postman. He will put it then in your mailbox.
      So it is not like a fax where the machine speaks directly to another machine. It takes a lot of steps and on all those steps there can be a delay. That is the reason your email might not arrive in the 7 seconds you have been waiting for.

      --
      Don't fight for your country, if your country does not fight for you.

  4. Just make shit up by Anonymous Coward · · Score: 5, Interesting

    Seriously. Show him a segment in the e-mail header and say that's proof his shit was hacked. He won't know the difference anyway.

  5. Re:Nothing by Grishnakh · · Score: 5, Informative

    This used to be good advice, because Macs were such a small share of the market that the malware authors didn't bother with them. This isn't quite so true any more.

    If you want to get them a platform that won't be targeted by malware authors for quite some time, install Linux Mint on their PC. As a bonus, it won't cost anything extra (unless they have some shitty printer that has no Linux support, but a new Linux-compatible printer is much cheaper than a new Mac). As an extra bonus, you can install the KDE version of Linux Mint and assuming they're coming from XP or Win7, they won't even have to learn a whole new GUI paradigm.

  6. Tagged as funny, but makes a point. by mark-t · · Score: 5, Interesting

    Really, I can't think of a good reason to presume that either account was actually hacked. What's evidently happened, however, is that both parties have had their email addresses harvested, using one (falsely) as a sender and the other as recipient.

    1. Re:Tagged as funny, but makes a point. by FatLittleMonkey · · Score: 5, Insightful

      This was my first thought.

      Specifically, harvested from a third party who has both the poster and his uncle's email address.

      In other words, the poster, veganboyjosh, should be looking into his other relatives. His aunt, his nan & pop, his mum & dad, etc. First to see if they are receiving spam from each others' addresses, and to try to narrow down who has been compromised. Start with the oldest relative and work your way down.

      --
      Science is all about firing a drunk pig out of a cannon just to see what happens.

  7. If he asks and doesn't take your advice by Rob the Bold · · Score: 5, Insightful

    A person can ask for advice. They can act on it as they see fit. If your adult uncle ignores your advice, you are off the hook. Maybe you know what's best for him, but if he's asked you and doesn't believe you, there's nothing you can do. I know you wish you could help, but you can't. We sell computers to people who aren't IT admins with the implication that they don't need to be one in order to operate them. Sadly this isn't true, but it's beyond your duties as a nephew to try to disabuse him of this notion.

    This answer is probably less than satisfactory, but the world is an imperfect place and our ability to change that is very limited.

    Perhaps other Slashdotters have some Jedi mind tricks for you to try, but I'm not optimistic, based on personal experience.

    --
    I am not a crackpot.

  8. Keep it simple. by jonadab · · Score: 5, Insightful

    Just tell him email is very easy to forge. That's it.

    You don't have to explain the technical details of exactly how it is forged, what headers are, how SMTP works, how malware mines personal data, or any of that. If he cared about the technical details, he'd read up on them, and then he wouldn't need you.

    Keep it simple: "email is very easy to forge."

    --
    Cut that out, or I will ship you to Norilsk in a box.

  9. Re:Nothing by Austerity Empowers · · Score: 5, Informative

    What he's getting at is that any OS on any computer is vulnerable to this sort of attack. Any OS at all that has a web browser: Windows, OSX, Linux, Android, iOS, *BSD, Solaris, whatever.

    Once you click that link and enter your credentials, you are hacked. No resident virus required that has to hook your system via known attack vectors. Of course once you are hacked, it is much easier to get to that next step, if that's important to the attacker. But usually it's not, they're perfectly happy with your accounts.

  10. Re:Nothing by lucm · · Score: 5, Insightful

    This used to be good advice, because Macs were such a small share of the market that the malware authors didn't bother with them. This isn't quite so true any more.

    It is true that Macs are not (relatively) free from threats anymore, but damn, they sure have a lot fewer to deal with. No?

    Not anymore. Remember that story posted not so long ago?
    http://thenextweb.com/microsoft/2012/11/02/microsofts-security-team-is-killing-it-not-one-product-on-kasperskys-top-10-vulnerabilities-list/

    Apple is on that list twice (QuickTime and iTunes). Adobe is there a lot. No Microsoft products.

    Feel free to bring the conspiracy/fraudulent research theories but really it's time people move on with old stuff.

    --
    lucm, indeed.

  11. Re:Nothing by disambiguated · · Score: 5, Insightful

    Even when you explain it to them, most of them are too dumb to understand it.

    If you are a programmer, you are part of the problem. The user isn't dumb, s/he just has better things to do than become a Software Engineer just to use what has become an everyday appliance. The problem here is bad design, period. Accept that and maybe we can move on.

  12. Re:Nothing by hairyfeet · · Score: 5, Informative

    Unless he is willing to be full time 24/7 tech support that would be a BAD idea. Just look at the serious guttings that have happened to Linux in just the last 5 years, ALSA for Pulse, Gnome 2 for GnomeShell then this funky ass hybrid of the 2, KDE 3 to KDE 4 (which was frankly shoved out in alpha quality at best by ALL the "user friendly" distros) and finally the changes in the wireless networking that has made USB wireless hit or miss, usually miss.

    Frankly if you know what you are doing you can set up an "idiot proof" Windows that short of the old guy clicking "Why yes, I DO want to get infected, STFU and let me get infected!" then nothing is gonna happen. With this system I've had customers that picked up more bugs than a Bangkok whore on coupon day and they are squeaky clean. Everybody ready? Here we go..

    You start by doing the most obvious thing, that is making sure all their software is up to date. Once that is finished you get their ass OFF IE onto something that doesn't have a giant bullseye on it, personally I prefer Comodo Dragon as not only does it have low rights mode like Chrome, but it also has Privalert, which will block all the tracking crap (you can of course whitelist any page with a single click, even grandma could do it) and you have the option of Comodo DNS which in this case I would say YES, use it, as it blocks many malware pages from loading. Once it's installed go ahead and add ABP, unless he likes ads bugging the shit out of him, and I usually install ForecastFox as it's nice to have the 5 day forecast and the radar right there.

    Next you install Paragon Backup and Recovery Free as this will let you not only make a hidden backup capsule (think OEM restore partition, only custom made by you and up to date) but you can set it to any kind of schedule you like, including differential, daily, weekly, whatever. I used to use Comodo Time Machine as it allows you to restore even if they hosed the boot image but it's not supported on Windows 8. If you are running 7 you might want to check it out. Next you install FileHippo Update Checker and tell it to ignore beta releases. The reason you do this is to keep the old guy from falling for the "you need the latest flash, just download "Iz_Not_Bug_Iz_Flash.exe" right now!". You tell him if the little Hippo don't say there is an update there is NO update, period.

    Finally you have the AV, here you can use either Avast free or Comodo IS, I prefer the latter as it's not as "chatty" and has built in sandboxing by default but some folks like chatty, both are VERY good at stopping malware pages before load and Comodo IS sandboxing means if the old guy does try to run something nasty it'll minimize the risk.

    So there you have it, it looks more complex than it actually is, takes about an hour all told depending on how out of date the software on the system is. Once it's done that's it, just leave them be, they'll be safe as houses. The browser is sandboxed and in low rights mode, you have the AV scanning every page before load, the browser is blocking ads (one of the biggest attack vectors) and tracking crap, and to top it all off the OS has a hidden encrypted partition with a backup image so if they by some miracle ever do figure out how to break something you can have it back up in under 30 minutes, no problem.

    --
    ACs don't waste your time replying, your posts are never seen by me.

  13. Re:Nothing by stenvar · · Score: 5, Insightful

    I would have said the reverse. The menu bar being at the top creates modality that makes it easy to discover which windows belong to a given application. In the Windows/X11 world, trying to figure out which application a particular window came from can be a usability nightmare.

    People don't usually care what "application" a window belongs to; the fact that you care on the Mac is a holdover from the Mac's single tasking heritage (where the entire menu bar paradigm originated). What people do care about is that the menu entry they select operates on the document they are working on, and people get confused about that relationship on the Mac.

    Or SSH or iChat/Messages screen sharing. The latter makes more sense for home use, IMO.

    SSH isn't a good option because OSX command line administration is extremely obscure. iChat is Mac-specific. That points out another problem with switching to Mac: if you switch your parents, you really have to buy another Mac for yourself and set up Apple-related accounts and infrastructure everywhere. You can't maintain a Mac if you don't use one yourself, it is just too different.

    I went down that road; bought a Mac for my parents and a MacBook and desktop for myself. It was a lot of work. In the end, the small benefits of OS X over Windows just didn't justify the big expense and work. A couple of machine generations later, my parents are on Linux, I'm back on Windows and Linux, and we're all a lot happier.