It's not the SYSTEM but it's the USER whose the problem

[jimbo45]

Hi all

I think we've blown system security our of all proportion to the number of times it actually happens in real life.

These days people commit FRAUD big time by not getting in to your system with a Virus etc but by posing as a legitimate supplier / Bank etc etc and obtaining vital information which is supplied quite freely irrespective of HOW much security is on the system.

Even today how many people still send Money up front for the most elementary SCAMS (Canadian Lottery, Nigerian Businessman etc etc). and these scams have been going on for as long as "Pontius was a Pilot".

How many people also give out passwords when they get an email from what appears to be a Bank , Utility company etc etc.


I don't really care if some nerdy sub teen wants to blow my hard disk away -- it only takes me 15 mins to restore anyway but what I DO take more care over is

1) NEVER open ANY email unless I know who it's from - and certainly don't open attachments - especially those on a typical mass corporate circular email system like "jokes" etc unless again you trust 100% the source.

2) NEVER EVER supply a password / bank details to ANY site that requests "We need to update our information" --- if they are BANK for .....'s sake they will WRITE to you if they need to re-set your password etc.

3) Never use an online shopping system that REQUIRES you to register on their site.

4) Be very wary of "Unsolicited" requests from Utility companies - Gas, Water, Electricity etc requesting Online payments where they want all bank details etc. By all means pay them online BUT DON'T GIVE OUT PRIVATE INFO.

5) If you DO make any payment online ensure the Bank has an extra security popup requesting a password etc before the request is processed.

6) Never download Pirated music / other P2P stuff from "Free Torrent" or other P2P file sharing sites. If you really must use these then use something like the 'OID which has a private / restricted membership.

7) Always take an image backup before installing any software from a Site you don't 100% trust.

8) If you are a computer admin BAN ANYBODY plugging in USB devices to a machine on a corporate LAN. These (especially if the computer is running XP) can infect computers big time via the AUTOPLAY feature (finally disabled by default in W7).

9) Use something like a Linux machine or a Linux VM to access links you are unsure of when downloading software - especially Free software.

Most AV software is pretty hopeless anyway and usually causes more problems than it solves. False positive research takes more time to resolve than just taking 15 mins to restore an infected computer back to health anyway and as nearly all AV software show different false positives the work required into researching what is OK and what isn't makes the whole process just a HUGE WASTE OF TIME.

If you use your machine intelligently and regularly perfom backups you should never run into Virus problems.

In over 30 years of using computers I've NEVER had virus problems.

A post in this forum on phishing amply exemplifies its those sort of threats that are the REAL problem.

Just my observations however -- YMMV of course.

Cheers
jimbo

 

[Lunarpancake]

I agree completely. We have a few terms in the industry that we like to use to refer to these issues.

THe two we use most are:

ID10T Error (idiot error)- Tell customer the issue was an ID Ten T Error
PEBKAC Error - Problem Exists Between Keyboard and Chair

 

[johngalt]

Just make them all lusers and be done with it....

Oh, right, we can't, b/c so many of said lusers *love* XP.....

And we wonder why there was a major proliferation of malware for Windows system during the time which XP was in its heyday....

 

[jimbo45]

Just make them all lusers and be done with it....

Oh, right, we can't, b/c so many of said lusers *love* XP.....

And we wonder why there was a major proliferation of malware for Windows system during the time which XP was in its heyday....

Hi it wasn't just because it was XP -- fashions and ideas change -- in those days it was considered cool / super smart to hack or be a top notch hacker -- these days most non computer people tend to regard these guys as a cross between a pathetic UFO hunter or some poor old loney geek with zero social life idling away in some squalid hideout and peer pressure definitely counts with younger members of society.

I remember the days of the old "Phone Phreaks" - the pre-cursor to hacking --nobody does this stuff on mobile phones --although they could of course quite easily - remember not so long ago when a private conversation by Prince Charles got out "into the wild".

Smarter options these days are "Identity Fraud and phishing". For criminals its more profitable too.

It's not just because systems have better in built security -- whilst I'm sure MS is quite a reasonable employer ANY organisation (especially large one's) will have its share of misgruntled employees so whatever security you build in the OS some of the internals will ALWAYS leak out into the public domain. Same with the Telcos -- a few friends in "Low places" will yield results. The CIA and Mossad (and others) do this stuff routinely every day and I'm sure they don't go into a public court and ask permission first.

Incidentally adding to the list of caveats in my previous post

BE VERY CAREFUL if you use private or anonymous proxies - these are increasingly popular to get round a lot of geographical limits on listening / viewing audio / video streams which are restricted geographically. Unless you know and trust the proxy take care.

Cheers
jimbo

 

[TheSchaft]

I agree that social engineering is a larger problem than most viruses, but it is a bit of a chicken and egg problem also.

If I click over to a scammer site, I run the real risk of getting a trojan/virus/rootkit that then sends, in my name, an e-mail to my contacts, who would trust something coming from me, continuing the cycle of identity theft or establishing a botnet by getting them to click on a link.

I now routinely Google almost everything, even links, to get a reading on the site from WoT and to see if there are any negative reviews.

 

[Antman]

I do not receive much crap email or spam. Beginning years ago, and having to last repeat it about a 18 months ago, whenever I receive one of those massive CC emails - jokes or "you gotta see this" - I post a nuclear flame specifically designed to enrage each and every person on the CC list. Five to seven paragraph essay type dissection. I get visceral.

Ask the lady that sent me an Obama bash using her Catholic school email account replete with school letterhead and signature. St. Peter is likely waiting for my hard *ss with a gleam in his eye.

I do not f'ng care how any of them feel or respond. Period.

My email is for my use.

 

[jimbo45]

I agree that social engineering is a larger problem than most viruses, but it is a bit of a chicken and egg problem also.

If I click over to a scammer site,.

That says it all -- and these guys are always way way ahead of the AV software development cycle.

It's really obvious when you think about it -- how much "Quality control" checking and development planning goes into "Scams" / or virus development. :devil:

Companies who have a product to get out have to go through all sorts of development cycles / QA checks, meetings etc etc before the product gets released - the bigger the company the longer this will normally take except in real emergency like MS with conficker -- even here it took them a few days to sort it out.

The virus writer just does his stuff and it really doesn't matter if it works 100% or 60%. Even 1% can do damage.

However if you stick to sensible guidelines you shouldn't have computer problems of this sort.

Actually most hackers these days seem to be relishing the next challenge which is to cause massive Dos (Denial of Service) to large providers causing real chaos and disruption rather than wiping some remote users hard disk.

A real Dos attack against a large provider would probably be accompanied by an "extortion threat" -- pay me xxxx Roubles / dollars etc or your system will STOP.

Btw I like the expression "Social Engineering" --waht on earth are we teaching in schools these days.

Cheers
jimbo

 

[TheSchaft]

Clicking over to a scammer's site - like a bank, or the now popular IRS "response to your underreported tax" site will get you in trouble. Most of these are easy to see and avoid. Just take the excellent advice above and DO NOT DO IT.

E-mail attachments are a bit more dicey. From someone you don't know? Trash it. From someone you do know? Save it, unopened, and scan it (If your scanner doesn't kick in automatically when you save it.)

The ones I see that are more worrysome are the links to what should be "safe" sites - some appearing on web pages as part of the site's ad package. I ran into that on a site where the ad automatically kicked off if you moused over it. WoT blocked it, but still it was an unexpected diversion.

While you can't stay ahead of the bad guys, you can use caution - Use something like WoT to at least tell you which are acceptable sites, ones not compromised (probably).

BTW - I think Kevin Mitnick first used the term "Social Engineering", even before he wrote his book - [ame="http://www.amazon.com/Art-Deception-Controlling-Element-Security/dp/0471237124"]Amazon.com: The Art of Deception: Controlling the Human Element of Security (0723812237128): Kevin D. Mitnick, William L. Simon, Steve Wozniak: Books[/ame]


Whoa! That pops a big ad!

 

[TheSchaft]

I do not receive much crap email or spam. Beginning years ago, and having to last repeat it about a 18 months ago, whenever I receive one of those massive CC emails - jokes or "you gotta see this" - I post a nuclear flame specifically designed to enrage each and every person on the CC list. Five to seven paragraph essay type dissection. I get visceral.

Ask the lady that sent me an Obama bash using her Catholic school email account replete with school letterhead and signature. St. Peter is likely waiting for my hard *ss with a gleam in his eye.

I do not f'ng care how any of them feel or respond. Period.

My email is for my use.

I'd love to see one of your epistles, Antman :roflmao:

I've always liked the following:

"If anything I've said here bothers you, please feel free to ignore this, If you don't know how to ignore an e-mail, please send me a reply, and I'll be glad to show you".

 

[Antman]

I'd love to see one of your epistles, Antman.

No problem. Just send me a stupid email with a long list of CCs.

I will not hold my breath, though. Your keyboard probably has a stupid email prevention filter.

 

[ultraplanet]

3) Never use an online shopping system that REQUIRES you to register on their site.

I am curious how this is even possible? Doesn't amazon, newegg, overstock, buy .... well .... everybody require you to register?

 

[Jacee]

That one has me puzzled too ultraplanet

 

[Antman]

3) Never use an online shopping system that REQUIRES you to register on their site.

I am curious how this is even possible? Doesn't amazon, newegg, overstock, buy .... well .... everybody require you to register?

Registering at a site and storing bank data at the site are two different things.

 

[jimbo45]

3) Never use an online shopping system that REQUIRES you to register on their site.

I am curious how this is even possible? Doesn't amazon, newegg, overstock, buy .... well .... everybody require you to register?

Registering at a site and storing bank data at the site are two different things.

Sorry slight confusion - I meant registering a Credit Card with them so you can "Shop quickly" next time using the same card even if they only want the last 4 digits

Intervideo Windvd used that sort of trick -- it's Corel now but if you retrieve say a lost serial number they want you to enter part of the credit card you used when you made the purchase -- so they MUST have that stuff stored).

I was younger and less experienced in those days - but have since changed Banks and Cards,




Cheers
jimbo

 

[ultraplanet]

Thanks for clearing that up jimbo! Be safe out there!

<off topic>Is antey sence like spidey sense or what?</ off topic>

 

[johngalt]

This turned out to be an interesting thread, despite my having not a chance to see it in a while....

I like the things being discussed here, and while I may have reservations on agreeing with some of the things being said (IOW those arguing with me - OK, OK, j/k) it is fairly obvious that even though malicious behavior has been blown out of proportion I stipulate that it has been blown far too *little* out of proportion. We hear of stories every single day about this breach of trust and that illegal data access, yada yada yada, and yet people never once think that they should be pro-active about it and use preventative techniques. Heck, there are folks out there that think that getting a malware infection is normal, fer pete's sake!

And yet more and more people engage in potentially harmful activities b/c 'their friend said it was OK, and he knows about computers.'

 

[macgyver2]

my sister in law installed one of those web browser control bars she found on my space, could have been an add. Either way weeks later she has major Trojan infection.

My wife who also installed said control bar was lucky, NIS 2009 caught it and kept my laptop clean so uninstalling it was all I needed to do.

So we need to educate and tighten security at the same time.

 

[Zidane24]

my sister in law installed one of those web browser control bars she found on my space, could have been an add. Either way weeks later she has major Trojan infection.

My wife who also installed said control bar was lucky, NIS 2009 caught it and kept my laptop clean so uninstalling it was all I needed to do.

So we need to educate and tighten security at the same time.

The problem here is that educated people in computers are outnumbered 10000:1 or even greater. Being an extortionist online (hacker, identity theft stealer, etc) is not only easy, it is probable and profitable due to so many *dumb people who use computers. I have to say though that I am thankful that many people are computer illiterate (pays my bills...) but at the same time I have to take a step back and grimace at the fact that some poor person out there every minute of every day has just been compromised.

 

[Dunsailing]

I have a "Verified by Visa" protection scheme on anything I order from Amazon. If I don`t enter the Verified by Visa password, the order will not be allowed.

 

[jimbo45]

I have a "Verified by Visa" protection scheme on anything I order from Amazon. If I don`t enter the Verified by Visa password, the order will not be allowed.

Hi there

are you sure that the "Verified by Visa" is genuine - Amazon is a prime target for intrusion as it is just about the largest online retailer anywhere.

Ebay is usually safe from this type of attack -- scammers don't "outscam" other scammers usually. -- there's enouh "Social Engineering" type of gigs on that site anyway.

Just kidding

actually all credit card purchases should throw up an extra level of security which prompts you to enter some extra data - not a whole password in clear text.

cheers
jimbo