Nobody's child - the problem with ordinary computer users

For an introduction: A crazy dream
Once upon a time, an evil wizard made all the traffic policemen disappear. There was suddenly a huge mess in traffic, as no one was watching over it any more. Then, all driving schools disappeared too - nobody was able to get any good training in how to drive a car. And in a while, most of the traffic signs were also gone.

On that day, the traffic started to look like the Internet.

Meet Joe Sixpack
This fantasy character is actually nothing fantastic - he is a car mechanic who works day by day to support his family: a wife and three children. His friends say that he is nothing special, but after all he is a good buddy.

Now, one day before Christmas, Joe noticed a big advertisement offering a killer deal on a new computer, with a printer and scanner included and half a year of broadband Internet subscription also added to the set - all at a very reasonable price (it was Christmas, after all). After his day's work was done, he went to check. Everything was as advertised - he came out of the store happy and loaded all his new stuff into his car. The next day, a technician from the local telecom paid him a visit and helped to connect his machine to the Internet.

Joe was happy - he could read news and watch videos on YouTube, his wife went to chat with her friends on Facebook and his children got their hands on some new games. For a couple of days, everything was in order.

Then, about a week later, things went sour. His new machine became increasingly slower, he saw some weird advertisements from time to time - and on Saturday, his wife was enraged as she found a lot of pornography loaded onto the hard disk. Explanations did not quite work. Something was seriously wrong.

What is the problem?
In our story, Joe Sixpack dealt with:
 * Computer seller
 * Software seller
 * Network company

Yet, none of them was concerned about his security. He was able to buy all the technology without learning how to use it.

We can draw a good comparison with cars. Like computers, cars are very convenient things to have. But cars - just like computers - can also be dangerous when used unwisely. Therefore, to obtain a car to drive around, one is supposed to go to school, spending many hours studying theory and many more practising how to drive. Finally, several exams have to be passed in order to get the license. And more often than not, none of this is free. Moreover, if one is caught seriously breaking the rules or driving while drunk, the license can be revoked and the whole process needs to be repeated.

But in the case of computers, we have neither traffic regulations nor driver's licenses (there is a system called ECDL or European Computer Driving License, but it is far from ubiquitous). Everybody is entitled to do (almost) everything, and misbehaviour caused by either lack of knowledge or malice can often go unsanctioned. Some of the results can be read, for example, here: http://www.securelist.com/en/analysis

There is a saying that goes "A Fool with a Tool is Still a Fool". Actually, this kind of fool is a well-equipped one. And a well-equipped fool is likely one of the worst things in the world.

Joe Sixpack is not a bad man. He is just terribly neglected.

IN PROGRESS HERE
In the old times

Cracking computers was
 * less malicious (pranks)
 * seldom economically motivated
 * a contest of equals demanding some skill
 * done by quite a small number of people

Today: Netbus... Back Orifice 2000... Sub7

The mass factor
For each malicious AND skilled cracker, there is a large number of script kiddies with
 * no skills
 * no life
 * lots of free time to burn

Again the well-equipped fools – but this time a bit different kind.

A side issue: the terms
 * Hacker – the original positive term, means a dedicated, originally-thinking fan
 * Cracker – the bad guy (whom the media label as the hacker)
 * Script kiddie – the undersized cracker, mostly evil but (fortunately) stupid
 * Cyberpunk – usually just the superficial wannabe, who wants to be cool
 * Also: white hat, grey hat, black hat
See http://www.catb.org/jargon

Wild shots
In fact, no one actually aimed to nail Mr Sixpack. It was just an undefended machine: "Nothing personal" (followed by two head shots). The kiddies comb a segment of the Net, typically scanning for a certain vulnerability (they can also function as foot soldiers for more sophisticated cracker gangs or RBN-like criminal networks).

"Well, who gives a shit?"
Quite a common reaction – "I am no president/businessman/actor/politician/sportsman... Who cares if my machine is cracked?"
I DO! Because it will typically join thousands of others in Storm or a similar botnet – AND I MAY GET HIT.

A botnet?
 * Lots of hijacked computers controlled centrally – the computing power rivals most supercomputers
 * A service for hire – for a couple of hundred dollars per hour (http://blog.damballa.com/?p=330)
Major uses:
 * Sending spam and propagating scams
 * DDoS attacks – increasingly used in organised extortion schemes
 * Increasingly used in political attacks

Goals are changing
In today's war, the goal is not to kill, but to disable – the wounded soldier will be a liability! Likewise, we do not see destructive viruses (e.g. Dark Avenger, DIR II or CIH) any more – today's malware wants to get control over a working computer (sometimes even repairing/patching it)!

An offer you cannot refuse
New types of organized crime target SMEs in Western Europe with no significant IT competence but whose livelihood depends on being online: "Pay us 5000 pounds sterling – or you'll be offline for two weeks!"
 * It is not a bluff – botnets do work
 * "Sensible" amounts invite payment
 * So, the fool paid – let's raise the fee in some months!
Some other uses for a hijacked PC
 * Online porn archive – ordinary porn is just an embarrassment, but child/snuff porn also exists – and earns the propagators a long time in prison
 * Warehouse for illegal software – the BSA will freak out
 * IRC trading channel for e.g. stolen credit cards
 * Spam engine
 * Attack springboard
 * Money source (via online banking)

Another problem: pick two of three
Simple, affordable, secure. The typical perception:
 * Windows PC: (quite) affordable, simple
 * Mac: simple and (quite) secure
 * Linux PC: affordable and secure
Not exactly true, but hard to change.

Car race analogy: Joe Sixpack in a top-notch race car vs Sebastian Loeb in an old Lada – the driver counts the most, but the platform plays a role too.

Hopeless...? Not really
 * Most really simple attacks target systems without updates – keeping a system up to date helps a lot
 * The apartment door analogy: all sensible people invest in locks which won't last against any special operations unit – but will keep out the guys needing their next needle
 * Remember: there is no 100% security – but we may raise the level high enough to keep a majority of the smaller pests out

Ten Commandments for home users
1. Thou shalt keep thy Systems updated
2. Thou shalt not take the Rights of Administrator in vain
3. Thou shalt choose all passwords carefully, paying utmost care to the Administrator account; likewise shall thy passwords not have valid meaning in any known language
4. Thou shalt create separate accounts for each User of thy Computer
5. Thou shalt have good shields if thou insist on using Windows
6. Thou shalt not touch unknown Attachments in thy Mail and not allow anyone who lives in thy household to do it
7. Thou shalt put junk mail filters to good use
8. Thou shalt know what Software lies in thy Computer
9. Thou dost well if thou usest OpenOffice.org, Mozilla Thunderbird and Firefox instead of MS Office, MS Outlook and Internet Explorer
10. Thou shalt seek wise people to help thee, and wisdom for thyself. A wise Man may err once, while a Fool keeps doing it all over

(Amen!)

Scripture commentary follows
1. Update, update, update. Every system.
2. Have at least two accounts in XP – one for administration, another for everyday use. Vista/7 UAC may make it a little less important, but it can be done there too.
3. Typical password attacks are based on dictionary-type files. Therefore – no straight meaning (hidden ones are recommended though), at least 12 symbols, at least two cases plus numbers.
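To make commentary 3 concrete, here is an added example (not code from the original talk) that checks a candidate password against exactly these rules: at least 12 symbols, both cases plus digits, and no plain dictionary word. It goes one step further than the slide by first undoing the digit-for-letter substitutions that dictionary attack tools also try; the word list is a constructed stand-in for a real one.

```python
"""Password policy check modelled on commandment 3 and its commentary.
Added example, not part of the original talk."""
import re

# Constructed stand-in for a real word list; a dictionary attack file
# would carry hundreds of thousands of entries.
WORDLIST = {"password", "summer", "dragon", "letmein", "sixpack",
            "football", "monkey", "welcome", "christmas"}

MIN_LENGTH = 12

# Digit/symbol substitutions that attack rule sets also try, so that
# "P4$$w0rd" must not count as having "no straight meaning".
SUBSTITUTIONS = str.maketrans("4301$5!@", "aeolssia")


def normalise(candidate: str) -> str:
    """Undo the usual leet substitutions before looking for words."""
    return candidate.lower().translate(SUBSTITUTIONS)


def dictionary_words_in(candidate: str, wordlist=WORDLIST) -> list:
    """Words of length >= 5 from the list that appear inside the candidate."""
    base = normalise(candidate)
    return sorted(w for w in wordlist if len(w) >= 5 and w in base)


def check_password(candidate: str, wordlist=WORDLIST) -> list:
    """Return the policy violations; an empty list means the password passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} symbols")
    if not re.search(r"[a-z]", candidate) or not re.search(r"[A-Z]", candidate):
        problems.append("needs both upper and lower case")
    if not re.search(r"[0-9]", candidate):
        problems.append("needs at least one digit")
    words = dictionary_words_in(candidate, wordlist)
    if words:
        problems.append("contains dictionary word(s): " + ", ".join(words))
    return problems


if __name__ == "__main__":
    # "Jh3kWn2bA!9q" is a constructed example of a "hidden meaning" password:
    # initials of a memorable sentence, with digits and symbols mixed in.
    for pw in ("Christmas2009", "P4$$w0rd!", "Jh3kWn2bA!9q"):
        print(pw, "->", check_password(pw) or "OK")
```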

4. If there is more than one user, each should have their own account – it makes it easier to track problems.
5. Shields in Windows include:
 * Antivirus (ClamWin is free and open-source)
 * Anti-spyware (Defender, S&D, others)
 * Firewall (Comodo is good)
 * Browser popup and script blockers (for Firefox e.g. AdBlock Plus and NoScript)
6. If you don't know the sender, don't open it.
7. Junk mail filters can be combined if needed, e.g. one may add SpamAssassin to Thunderbird etc. They also need to be trained...
8. Your computer is not a box of chocolates (sorry, Forrest!). Or else the bad guys won't even need a rootkit.
9. MS Office, Outlook and IE are
 * Big targets
 * Easy targets
10. "A man learns all his life, yet dies a fool" – the question is, how big a fool...

Some notes about the Web
Passwords should not be
 * written down
 * recycled
In case of a monetary transaction over the web:
 * Check the address. Twice.
 * Check the web page – is it the right one or does it only pose as one?
 * Think critically – does a bank ask things like this?

Conclusion
 * Things are bad enough
 * Protecting one's machine adequately means one less machine in botnets
 * PROTECT YOURSELF AND TEACH OTHERS

Thanks
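As an added illustration of the "Check the address. Twice." note above (not code from the original talk; the bank domain is a constructed placeholder), this checks which host a link really leads to, rather than whether the bank's name merely appears somewhere in the address.

```python
"""Which host does this link really take me to? Added example, not part
of the original talk. EXPECTED_BANK is a constructed placeholder."""
from urllib.parse import urlsplit

EXPECTED_BANK = "mybank.example"   # constructed; stands in for your real bank


def real_host(url: str) -> str:
    """The host the browser will actually connect to, lower-cased."""
    parts = urlsplit(url)
    # .hostname drops any "user@" prefix and ":port" suffix, so a
    # "mybank.example@" disguise in front of the real host is discarded.
    return (parts.hostname or "").rstrip(".").lower()


def belongs_to(host: str, domain: str) -> bool:
    """True only if host is the domain itself or a subdomain of it.

    Substring matching is not enough: "mybank.example.login-verify.example"
    and "mybank-example.net" both contain the name but are someone else's.
    """
    return host == domain or host.endswith("." + domain)


def check_link(url: str, domain: str = EXPECTED_BANK) -> list:
    """Return the reasons not to trust the link; an empty list means it checks out."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append("not https")
    if parts.username is not None:
        problems.append("address carries a user@ part that misleads the eye")
    host = real_host(url)
    if not belongs_to(host, domain):
        problems.append(f"real host is {host!r}, not {domain}")
    return problems


if __name__ == "__main__":
    # Constructed sample links: one genuine, three that only pose as the bank.
    for link in ("https://www.mybank.example/login",
                 "http://mybank.example.login-verify.example/",
                 "https://mybank.example@evil.example/",
                 "https://mybank-example.net/"):
        print(link, "->", check_link(link) or "OK")
```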