
Re: Microsoft Blames Malware on 'Stupid Users'

  • Subject: Re: Microsoft Blames Malware on 'Stupid Users'
  • From: "Da'Punk-A" <dapunka@xxxxxxxxxxxxxx>
  • Date: 26 Jun 2006 06:06:03 -0700
  • Complaints-to: groups-abuse@google.com
  • In-reply-to: <7448812.SPXQUB6LPu@schestowitz.com>
  • Injection-info: p79g2000cwp.googlegroups.com; posting-host=89.192.17.59; posting-account=hWxiAQ0AAADXQMjPb6If_9g1A2THTw5O
  • Newsgroups: comp.os.linux.advocacy
  • Organization: http://groups.google.com
  • References: <4586128.AlgHrdcLnU@schestowitz.com> <1151312770.322271.65920@b68g2000cwa.googlegroups.com> <7448812.SPXQUB6LPu@schestowitz.com>
  • User-agent: G2/0.2
  • Xref: news.mcc.ac.uk comp.os.linux.advocacy:1122996
Roy Schestowitz wrote:
> __/ [ dsteel0@xxxxxxxxxxx ] on Monday 26 June 2006 10:06 \__
>
> >
> > Roy Schestowitz wrote:
> >> Open source gets results, while Microsoft blames malware on 'stupid users'
> >>
> >> ,----[ Quote ]
> >> | Two very different news articles crossed my desk today. First, there was
> >> | a report that open source developers on 32 projects fixed 900 bugs in
> >> | two weeks that were reported by an automated scan program from Coverity,
> >> | sponsored by a grant from U.S. Homeland Security. Second, a presentation
> >> | was given by a Microsoft security official who said that rootkits,
> >> | phishing, trojans, spyware, and other forms of malware had gotten so bad
> >> | on Windows that IT departments needed to come up with a fast way to
> >> | "nuke the systems from orbit", i.e., wipe out the hard drive and start
> >> | over. He goes on to say that phishing is a problem because "there really
> >> | is no patch for human stupidity".
> >
> > So how does the statement "phishing is a problem because there really
> > is no patch for human stupidity" equate to "Microsoft Blames Malware on
> > 'Stupid Users'"?
>
>
> That is a valid point. I just used the same heading as in, due to laziness:
>
> http://digg.com/software/Microsoft_blames_malware_on_stupid_users_
>
>
>
> > IMO, Phishing is not malware, and neither is it specific to any OS. His
> > comment regards human stupidity is absolutely true, and the most secure
> > system in the world will do you no good if your user is stupid enough
> > to give "someone from technical support" their username and password,
> > will it?
>
>
> Phishing can be attributed to a plethora of different factors. Among them:
>
> * Mass-mailing (SPAM) which constantly urges users to visit malicious sites.
> 80% of the SPAM comes from Windows machines that have been hijacked.
>
> * Browser deficiencies. Need I say more? How many flaws have so far been
> discovered in IE? They allowed redirections of all sorts, pop-ups that
> appear to come from different sites, prompting for passwords.
>
> * Infected machines. How many users are routed to sites to "fix their
> Registry", having spotted a fake system notification and pressed OK?
>
> * There are more, but I'll omit them.

Of course you're right that spamming, browser deficiencies, etc, can
help enable phishing.  But phishing itself is not malware, it's a type
of confidence trick, and it is platform-agnostic.

Since I started posting on Usenet, this gmail account has received an
awful lot of phishing messages.  One scam that I repeatedly get mail
for tells me that Paypal thinks my account has been compromised, and
wants me to go to a certain site to sort it out.  I find this one quite
amusing as I don't have a Paypal account.

After the umpteenth email exhorting me to "safeguard" my Paypal
account, curiosity got the better of me.  Not knowing exactly what to
expect, I used a computer at the local library to follow the link in
the email.  But it was a pretty boring, predictable kind of scam.  To
"prove" that I was the owner of the Paypal account and not an evil
hacker who'd cracked the password, I was told to type my account name
and password into a box.

The fact that I have received a lot of emails telling me to do this
suggests to me that the phishers aren't too bright.  I mean, I don't
/have/ a Paypal account.  I thought crooks like this would get a list
of Paypal customers and target them.  But the high volume of these
emails also suggests that these people have been doing this for a while
now - it started not long after my first Usenet post and is still going
on.  So they've been doing this Paypal scam for quite a while.  I'm
sure they wouldn't keep on with it if it wasn't making them any money.
Which means this totally untargeted spamming is hitting a reasonable
number of folk with Paypal accounts and no sense.

And that's pretty worrying.  There have been regular warnings and news
items about phishing scams for a long time now.  I'm tempted to say
that anyone who falls for this deserves everything they get.  But
that's uncharitable.

And it really isn't down to any particular operating system.  Sure, if
there weren't so many compromisable Windows boxes out there it'd be
harder for the crooks to generate their spam.  But they'd find another
way.  With so many morons waiting to be exploited, the crooks would get
to them.  Necessity is the mother etc.

