Nobody's child - the problem with ordinary computer users

Source: KakuWiki


For introduction: A crazy dream

Once upon a time, an evil wizard made all the traffic policemen disappear. There was suddenly a huge mess in traffic, as no one was watching over it any more. Then all the driving schools disappeared too - nobody was able to get any proper training in how to drive a car. And in a while, most of the traffic signs were gone as well.

On that day, the traffic started to look like Internet.

Meet Joe Sixpack

This fantasy character is actually nothing fantastic - he is a car mechanic who works day by day to support his family: a wife and three children. His friends say that he is nothing special, but after all he's a good buddy.

Now, one day before Christmas, Joe noticed a big advertisement offering a killer deal on a new computer, with a printer and scanner included and half a year of broadband Internet subscription added to the set - all at a very reasonable price (it was Christmas, after all). After his day's work was done, he went to check. Everything was as advertised - he came out of the store happy and loaded all his new stuff into his car. The next day, a technician from the local telecom paid him a visit and helped to connect his machine to the Internet.

Joe was happy - he could read news and watch videos on YouTube, his wife went to chat with her friends on Facebook and his children got their hands on some new games. For a couple of days, everything was in order.

Then, about a week later, things went sour. His new machine became increasingly slower, he saw some weird advertisements from time to time - and on Saturday, his wife was enraged as she found a lot of pornography loaded onto the hard disk. Explanations did not quite work. Something was seriously wrong.

What is the problem

In our story, Joe Sixpack had dealt with

  • Computer seller
  • Software seller
  • Network company

Yet none of them was concerned with his security. He was able to buy all the technology without learning how to use it.

We can draw a good comparison with cars. Like computers, cars are very convenient things to have. But cars - just like computers - can also be dangerous when used unwisely. Therefore, to obtain a car to drive around, one is supposed to go to school, spending many hours studying theory and many more practicing how to drive. Finally, several exams have to be passed in order to get the license. And more often than not, none of this is free. Moreover, if one is caught seriously breaking the rules or driving while drunk, the license can be revoked and the whole process has to be repeated.

But in the case of computers, we have neither traffic regulations nor driver's licenses (there is a system called ECDL or European Computer Driving License, but it is far from ubiquitous). Everybody is entitled to do (almost) everything, and misbehaviour caused by either lack of knowledge or malice can often go unsanctioned. Some results can be read, for example, at http://www.securelist.com/en/analysis

There is a saying that goes "A Fool with a Tool is Still a Fool". Actually, this kind of a fool is a well-equipped one. And a well-equipped fool is likely one of the worst things in the world.

Joe Sixpack is not a bad man. He is just terribly neglected.

In Times of Old

... cracking computers was hardly common - the first actual computer break-ins occurred .... And even when it did happen, these occasions were

  • less malicious - the main point was either to fool one's friend or maybe put an administrator in his place, not to destroy information.
  • much less motivated economically - these attacks were a test of one's prowess, rarely a revenge, but almost never an attempt to earn money.
  • a contest of equals - as computers were mostly accessible for professionals only, there were no clueless grannies to be bullied.
  • demanding some skill - if one was to attempt these things, he or she was to develop his/her own 'arsenal', no crack/exploit collections were available.
  • done by quite a small number of people - as was the overall number of users; these activities lacked the mass factor of today.

It started to change with two things: first the emergence of IBM PCs and the omnipresent, easy-to-use (at the cost of security) Microsoft software in the 80s, and even more so with the emergence of the web in the 90s. The first wave of computer malware were viruses which ranged from small pranks to serious destruction (e.g. Dark Avenger, CIH or Dir II) - but they were just 'kick the fool in the butt' -type nasty tricks. Then, around the turn of the millennium, appeared malware which allowed control over others' computers (probably the best known were Back Orifice, NetBus and SubSeven) - they brought along some rather frightening cases like the one of Magnus Eriksson[1]. And the third wave of malware in the new century was already more or less commercially oriented - controlling others' machines became a crooked way to earn money (whether by spreading spam or engaging in more serious cybercrime like online racketeering).

To make things more complicated, another class of 'well-equipped fools' appeared - but now not as victims any more but rather as henchmen of criminals. The group earlier known as 'script kiddies' - typically young men with no interests, no life outside computers and plenty of time to burn - used to be just a limited nuisance with their attempts to 'be big and bad' by cranking some easier malware program over and over and attacking neglected computers (web page defacement was a typical attack). These folks started to be employed by bigger players as foot soldiers, given access (and training) to more serious 'cyber-weapons' and launched at designated targets. Some get paid, some work just for glory. Yet the result is a cracker with a force of minions (each one well-equipped) instead of just a lone cracker.

A side issue: the terms

When talking about this topic, we should get the terms straight. While the mainstream media has used 'hacker' as a negative term for a while (despite the protests of real hackers), this is not the correct usage.

  • Hacker – the original positive term, means a dedicated, originally-thinking fan
  • Cracker – the bad guy (whom media labels as the hacker)
  • Script kiddie – the undersized cracker, mostly evil but (fortunately) stupid
  • Cyberpunk – in this context, it usually means just the superficial wannabe who wants to be cool. Yet the term has another, more serious (but less numerous) user base connected to deeper issues like cyberpunk and steampunk literature. The similar-sounding term 'cypherpunk' has a different meaning altogether, referring to crypto-anarchists of sorts.

We can also mention the division often used by many computer security specialists:

  • white hat - a hacker, good guy (mostly defensive)
  • black hat - a cracker, bad guy (mostly offensive)
  • grey hat - someone who does both white and black jobs.

The classification has been said to be originating from old Western movies where heroes wore white cowboy hats and villains wore black ones.

A good reference about this world would be the Jargon File at http://www.catb.org/jargon .


Wild shots and ignorance

In fact, in the above example no one actually aimed to nail Mr Sixpack. It was just another undefended machine (we could recall some crime movies where assassins tell their victims “Nothing personal” followed by two head shots).

The kiddies comb a segment of the Net, typically scanning for a certain vulnerability - as said before, they can also function as foot soldiers for more sophisticated cracker gangs or RBN-like criminal networks.

This also brings us to another issue. Many ignorant users say “I am no president/businessman/actor/politician/sportsman... Who cares if my machine is cracked?”. Actually, they may run into various types of trouble - including the case where their machine is used to 'bomb' some expert grey hat who would retaliate by wiping the hard disk of the guilty computer (remember that this may even happen without the slightest knowledge of the original owner).

Today, one can easily build botnets of thousands of hijacked computers - and the combined computer power of those machines can rise to the level of supercomputers. And just as supercomputers are rented out to scientists and businesses, their dark brethren are too - for a couple of hundred dollars per hour (http://blog.damballa.com/?p=330)

Major uses for such botnets include

  • Sending spam and propagating scams
  • DDoS (Distributed Denial-of-Service) attacks – increasingly used in organized extortion schemes
  • Political attacks – an increasingly common use

The goals are changing

In today's war, the goal is not to kill, but disable – the wounded soldier will be a liability. Likewise, we do not see destructive viruses – rather, today's malware wants to get control over a working computer (sometimes even repairing/patching it).

New types of organized crime target SMEs in Western Europe which have no significant IT competence but whose livelihood depends on being online. These businesses are approached with demands like „Pay us 5000 pounds sterling – or you'll be offline for two weeks!“ It is not a bluff – botnets (which can be built by the same criminals themselves or rented from others) can achieve this easily.[2]

Businesses in such a situation will often give in as „sensible” amounts invite payment. Of course, the next step of the extortion will be a new round with inflated numbers.

Some other uses for a hijacked PC

  • Online porn archive – ordinary porn is just an embarrassment, but child/snuff porn also exists – and earns the propagators a long time in prison
  • Warehouse for illegal software – BSA will freak out
  • IRC trading channel for e.g. stolen credit cards
  • Spam engine
  • Attack springboard
  • Money source (via online banking)

Simple, affordable, secure

Typical perceptions of the three most popular system platforms are:

  • Windows PC: (quite) affordable, simple
  • Mac: simple and (quite) secure
  • Linux PC: affordable and secure

While not exactly true, this is not completely without merit and is definitely hard to change. We can use the car race analogy: Joe Sixpack in a top-notch race car vs Sébastien Loeb in an old Lada would be an interesting contest – the driver counts the most, but the platform plays a role too.

Hopeless....?

Not really. Most really simple attacks (especially those operated by script kiddies) target systems without updates – keeping a system up to date helps a lot. Using the apartment door analogy: all sensible people invest in locks which won't hold against a special operations unit – but will keep out the addict looking for money for his next dose.

Remember: there is no 100% security – but we may raise the level high enough to keep a majority of smaller pests out.

Ten Commandments for home users

  1. Thou shalt keep your Systems updated
  2. Thou shalt not take the Rights of Administrator in vain
  3. Thou shalt choose all passwords carefully, paying utmost care to the Administrator account, likewise shall thine passwords not have valid meaning in any known language
  4. Thou shalt create separate accounts for each User of thine Computer
  5. Thou shalt have good shields if thou insist on using Windows
  6. Thou shalt not touch unknown Attachments in thine Mail and not allow anyone who lives in thine household to do it
  7. Thou shalt put junk mail filters into good use
  8. Thou shalt know what Software lies in thine Computer
  9. Thou dost well if thou usest OpenOffice.org, Mozilla Thunderbird and Firefox instead of MS Office, MS Outlook and Internet Explorer
  10. Thou shalt seek wise people to help thee, and wisdom for thyself. A wise Man may err once, while a Fool keeps doing it all over

(Amen!)

Scripture commentary follows

  1. Update, update, update. Every system
  2. Have at least two accounts in XP – one for administration, another for everyday use. Vista/7 UAC may make it a little less important, but it can be done there too
  3. Typical password attacks are based on dictionary-type files. Therefore – no straight meaning (hidden ones are recommended though), at least 12 symbols, at least two cases plus numbers
  4. If there are more than one user, each should have their own account – makes it easier to track problems
  5. Shields in Windows include
    • Antivirus (ClamWin is free and open-source)
    • Anti-spyware (Defender, S&D, others)
    • Firewall (Comodo is good)
    • Browser popup and script blockers (for Firefox e.g. AdBlock Plus and NoScript)
  6. If you don't know the sender, don't open it
  7. Junk mail filters can be combined if needed, e.g. one may add SpamAssassin to Thunderbird; they also need to be trained
  8. Your computer is not a box of chocolates (sorry, Forrest!). Or else the bad guys won't even need a rootkit
  9. MS Office, Outlook and IE are
    • Big targets - they are extremely widespread
    • Easy targets - they have a well-established history of bugs and vulnerabilities which are also well-published
  10. “A man learns all his life, yet dies a fool” - the question is, how big a fool...
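Commentary 3 above gives a concrete rule of thumb: at least 12 symbols, both letter cases plus numbers, and no straight dictionary meaning. The following is an added example (not from the original page) of a checker that enforces exactly that rule. The word list is a small constructed stand-in; a real check would load a full dictionary or a leaked-password list, and it undoes the usual letter-for-number substitutions so that "P@ssw0rd" is still recognised as "password".

```python
"""Password rule-of-thumb checker: 12+ characters, upper and lower case plus
digits, and no dictionary word in it.  Added example; WORDLIST is a
constructed stand-in for a real dictionary file."""

# Constructed stand-in for a dictionary / common-password list.
WORDLIST = {"password", "summer", "dragon", "letmein", "welcome",
            "football", "qwerty", "admin", "monkey"}

# Substitutions that dictionary-attack tools try automatically; we undo them
# before the lookup so that a 'hidden' spelling of a plain word still counts.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalise(pw):
    """Lower-case the password and undo common letter/number substitutions."""
    return pw.lower().translate(LEET)


def dictionary_hits(pw, wordlist=WORDLIST):
    """Return the dictionary words found anywhere inside the password."""
    base = normalise(pw)
    return sorted(w for w in wordlist if w in base)


def check_password(pw, wordlist=WORDLIST):
    """Return a list of rule violations; an empty list means the password
    satisfies the rule of thumb (which is a floor, not a guarantee)."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letters")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digits")
    hits = dictionary_hits(pw, wordlist)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "Summer2024Holiday!", "xK9#vQ2mLp7!Rz"]:
        print(candidate, "->", check_password(candidate) or "ok")
```

Note that "Summer2024Holiday!" passes the length and character-class rules yet is still rejected: the length comes from a dictionary word with a year attached, which is exactly the pattern that wordlist-based attacks try first.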

Some notes about the Web

Passwords should not be

  • written down
  • recycled

In case of a monetary transaction over the web

  • Check the address. Twice
  • Check the web page – is it the right one or only poses as one?
  • Think critically – does a bank ask things like this?
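"Check the address. Twice" can be turned into a mechanical check. The following is an added example (not from the original page) that inspects a payment-page address the way a careful user should: is it https, is the host really one of the bank's own, or is the bank's name merely embedded in a stranger's domain or hidden behind a `user@` part? The bank host names are a constructed placeholder (mybank.example, not a real site), and the "registrable domain" helper assumes the last two labels, which real code would replace with a Public Suffix List lookup.

```python
"""Address check before entering anything into an online-banking page.
Added example; TRUSTED_HOSTS is a constructed placeholder bank."""
from urllib.parse import urlsplit

# Hypothetical bank used for the example (constructed, not a real site).
TRUSTED_HOSTS = {"mybank.example", "www.mybank.example", "online.mybank.example"}
BANK_NAME = "mybank"


def registrable_domain(host):
    """Assumption: the owner-level domain is the last two labels.  Real code
    would consult the Public Suffix List (e.g. co.uk has three)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_address(url, trusted=TRUSTED_HOSTS, bank_name=BANK_NAME):
    """Return a list of warnings; an empty list means the address is one of
    the bank's known hosts over https."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return ["no hostname in the address"]
    warnings = []
    if parts.scheme != "https":
        warnings.append("connection is not https")
    if parts.username is not None:
        # 'https://mybank.example@evil.test/' - the part before '@' is a login
        # name, not the site; the browser connects to what comes after it.
        warnings.append(f"address has a 'user@' part; the real host is {host!r}")
    if host in trusted:
        return warnings

    # Not a known bank host: explain why it may only be posing as one.
    if any(label.startswith("xn--") for label in host.split(".")) \
            or any(ord(c) > 127 for c in host):
        warnings.append("hostname uses internationalised characters (possible lookalike)")
    if host.replace(".", "").isdigit():
        warnings.append("hostname is a bare IP address")
    reg = registrable_domain(host)
    trusted_regs = {registrable_domain(t) for t in trusted}
    if bank_name in host and reg not in trusted_regs:
        warnings.append(f"'{bank_name}' appears in the name but the site is registered as {reg!r}")
    warnings.append(f"{host!r} is not one of the bank's known hosts")
    return warnings


if __name__ == "__main__":
    for u in ["https://online.mybank.example/login",
              "http://online.mybank.example/login",
              "https://online.mybank.example.secure-login.test/",
              "https://mybank.example@evil.test/login",
              "https://192.0.2.10/"]:
        print(u, "->", check_address(u) or "ok")
```

The third sample address is the one worth remembering: it begins with the bank's full host name, so a glance at the start of the address bar is not enough; what matters is the domain just before the first single slash.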

Conclusion

We can see that things are bad enough - and there are several reasons for this. For more technical people, gaining good knowledge about at least basic computer security is a must - protecting one's machine adequately means one less machine in botnets. When one has learned enough, it is absolutely necessary to spread the knowledge - a primary reason for the difficult situation is the lack of knowledge by ordinary people. People have learned to lock doors, use alarms on vehicles and think carefully when signing contracts - yet they have to learn similar things in the online world as well.

PROTECT YOURSELF AND TEACH OTHERS


References

Additional reading