Trojan Horse Christmas

That shiny new Windows PC

My wife Denise is really a brilliant woman, probably the smartest person I know. Earlier this year, we went to see the movie Troy, about, obviously, the Trojan War. At the end of the movie, just in line with the world famous story, the Trojans find an enormous wooden horse on the beach and, after some discussion, drag it into the city. They proceed to celebrate wildly, celebrating what they think is the abandonment of the war by the Greeks, and eventually everyone collapses into a drunken stupor. Cut to the waiting Greek ships, hidden a few miles away, just waiting for the signal. Cut back to the center of Troy and the horse, bathed in soft moonlight, when slowly, slowly, a door in the belly of the great wooden horse creeaaaks open, and out softly slither the Greeks who were hidden inside ...

... when to my left, I heard Denise whisper to herself, as sincerely as could be: "Oooh ... I knew that was going to happen!"

Yup. Sometimes it's pretty obvious that a gift is going to bring problems with it. You'd like to think that people would know better, but really, most folks have no idea what they're getting into. The Trojan Horse I'm talking about is that shiny new Windows PC that thousands and thousands of people unwrapped during the holidays this year. They think they're getting a modern convenience, something they can use to communicate with the grandchildren, or check stocks, or buy stuff on eBay, but in reality they're providing an opening for invaders of the worst sort.

Now, you could try to advise your family of the dangers by giving them all sorts of technical talk, but that won't work. You'll just be causing MEGO (Mine eyes glaze over). You could tell them about the damage insecure computers cause to the Net, businesses, and society, but people don't really care unless something directly affects them. I mean, you could tell Mom that phishing cost the banking and credit card industries around $10 billion last year, but unless she works at Goldman Sachs, Citibank, or Visa, I doubt if she'll really care much.

No, the solution is to personalize the problem and focus on only a few key problems. Keep the problem list short and bring everything back to the problems that Grandpa, Mom, and Uncle Gussie will face with their new PC unless they understand just a few simple things.

Spam

Grandpa Ralph is going to ask you a good question after he's been using email for a few days: why does he keep getting emails about things he'd rather not mention in front of Grandma? Once you tell him about spam, emphasizing that he should never, ever, ever reply to one of those emails, he's going to have another question: why do these slammers do it? After you explain that it's actually "spammer," not slammer, tell Grandpa about Jeremy Jaynes.

Jeremy Jaynes was found guilty in a Virginia court (yes, Virginia, there is an AOL, and its headquarters is in Virginia) of fraud and sentenced to nine years in jail. Every day he sent out over 10 million emails to folks all over the world, advertising garbage like software that supposedly protects your PC, stocks, and "work from home" jobs that were worthless. Only one out of every 30,000 emails Jaynes sent out netted a reply. That's not a lot ... unless you're sending out 10 million emails a day, in which case it's enough to make between $400,000 and $750,000 each month.

Grandpa Ralph won't want to help dirtbags like Jaynes get rich. Tell him to delete any unsolicited email that offers to sell him anything. Set him up with an email program that provides Bayesian filtering (I like Thunderbird) and help get those filters trained (don't call it "Bayesian filtering"; instead, compare it to training a dog). After a few weeks, Grandpa won't be talking about those slammers much.

Phishing

In September, over 500 websites were used for phishing; in October, that number had jumped to over 1100 sites. Here's another way to put it: in the past year, phishing attempts have increased at a rate of 50 per cent each month.

And who's behind this rising epidemic? Increasingly, organized crime. Want to get Mom's attention? Ask her how she'd like the Russian mob to have her credit card number. Or how happy she'd be to find out that Ukrainian gangsters have access to her bank account.

If Mom's a know-it-all (or she works in IT; same thing) and thinks she won't get fooled, ask her to take the MailFrontier Phishing IQ Test. Trust me - she won't get 'em all right. I didn't.

Mom needs to understand that eBay, Amazon.com, PayPal, and her bank will never send out emails requesting personal data. Better yet, tell her to immediately delete any email that requests personal data (if you don't mind an increase in your Inbox, go ahead and tell her to forward any she's not sure about to you). If Mom's an eBay-aholic, tell her that eBay just announced that it will no longer send emails concerning account information; instead, it will display messages in each user's account when she logs in to eBay. I'm expecting that we're going to see more companies adopt the same strategy in 2005; of course, they're going to have to deal with the problems associated with the awful passwords that folks are going to want to use, but that's another column.

Viruses & worms

In 2004, we finally broke a barrier: the 100k barrier, as in, there are now 100,000 known viruses for the new computer that Uncle Gussie set up on Christmas morning. Hey, break out the noisemakers and the funny hats! Even worse, the number of viruses grew by more than 50% throughout the year. Super!

Do not let Uncle Gussie set up that machine by himself. You need to harden that box before you turn him loose on the Net, or we're going to have a new zombie machine faster than you can say "Brains!" (that's a reference to a great '80s movie, by the way). I've written before about the steps you'll need to take; review that column and follow the links in it for help making that PC safe.

Finally, make sure Uncle Gussie has Automatic Updates turned on, so he's less likely to get slammed by worms, and get him anti-virus protection installed and set up to automatically do everything: update, scan, and inoculate. You know the drill. He doesn't. Do it for him.

What you're going to do

Educate your family, but in a gentle way. Focus on the problems, and keep it personal. Try to make them understand how it all ties together: criminals increasingly use viruses and worms to infect machines so that they can use them to send out spam and phishing attacks. Education is not enough, however. You're the expert here, so you're going to have to roll up your sleeves and do some work.

Spend some time on everyone's computer replacing insecure software with something safer. You know what I'm talking about: Firefox instead of Internet Explorer (remember, it's time to dump IE), Thunderbird instead of Outlook Express, Sunbird instead of Outlook, Media Player Classic (an open source media player - check it out!) instead of Windows Media Player, and GAIM instead of Messenger. You'll be glad you did. I've done this for everyone in my family, and it has greatly reduced the tech support calls I get.

Or, you could just make sure that your family doesn't use Windows. My mother-in-law Joy uses a Mac, and my father-in-law Larry uses Linux (Xandros 3.0, to be precise), as does my wife Denise (SUSE 9.1 for her, although I may move her to Xandros some time soon as well - yes, it's that good for non-Penguinheads). My Mom uses WebTV (now MSN TV) since all she basically does is email, and it's perfect for her - and perfect for me, since I don't have to worry about too many security issues. Heck, I've even thought about getting a 3Com Audrey (remember the Audrey?). It's making a comeback on eBay, and that might be a great solution for family members with simple needs. I know that some family members are just going to have to use Windows - believe me, I'm well aware of that unfortunate necessity - but try to minimize it whenever possible.

And now I'm off to see a movie with Denise. I was thinking about Ray (the Ray Charles biopic) or The Aviator (about Howard Hughes), but I'm worried that she knows how they end. Do you have any suggestions for her?

Copyright © 2004, SecurityFocus

Scott Granneman is a senior consultant for Bryan Consulting Inc. in St. Louis. He specializes in Internet Services and developing Web applications for corporate, educational, and institutional clients.
