Trojan plunders $480k from online bank account
A Pennsylvania organization that helps develop affordable housing learned a painful lesson about the hazards of online banking using the Windows operating system when a notorious trojan siphoned almost $480,000 from its account. News reports here and here say $479,247 vanished from a bank account belonging to the Cumberland …
Type your comment here — plain text only, no HTML
Any details on the circumvention of the "clearing house token" ? This sounds like an RSA style token to me, and the only way I know of to circumvent this is a brute force attack with many retries against the bank's systems. If this is the case, the bank should have detected these many failed login attempts, and may arguably be at fault for the emptying of the bank account on this basis.
Your article is a defeatist piece of crap, I have been using online banking for over 10 years and not an issue.
Maybe you should recommend patching, updating , using antivirus, its the users not the operating system, locks can always be broken
running away, I bet a five year old could give me that advice,
what about ATM's , they get skimmed , stop using, what about cash people mug you. stop using.
people steal your identity, give it up bury your head in the sand now thats an idea
you really are an idiot, and I am sure that smug Apple users get screwed too, it's just Steve Jobs this doing it.
Why don't banks implement some sort of random mouse driven gesture that would be difficult if not impossible for a trojan to detect. My bank uses a PIN-like drop-down, but I figure it wouldn't be too hard to calculate the mouse-traveled distance and compute the number selected. Unless the numbers in the drop-down were arranged in a random order each time.
Simples, no?
The problem there is known as 'human stupidity' - ie. opening random email attachments.
Do people really still fall for that?
...The state of a linux system administered by a guy who clicks random email attachment executables. No need for a trojan if you've got root...
The problem is not Windows, the problem is the end users. Most of the vulnerabilities that are exploited in the wild have a.) been patched and the user has not kept up on them, or b.) use a third party application to 'ninja' attack into getting control. One of your examples clearly states that the user had to download the file manually, which will bypass even the best security. It is a social engineering attack, they prayed on the users ignorance and capitalized on it. I am an IT professional who specializes in security and viruses. It is also a numbers game, if 95% of the world used Macs or Linux even, the hackers would target them as well. As a matter of fact, I came across an article the other day that offered $.43 for every bot infected Mac that someone could produce to them. Simply switching operating systems will never do the trick, education to users on how to avoid infecting their PCs or how to perform regular scans, keep the OS patched, patch all third party applications, replace end of life applications, and even upgrading the the newer versions of windows. A little common sense and self-education goes a long way in mitigating these types of scenarios. I support thousands of end users everyday, and the biggest problem is them going to infected sites (drive-by malware attacks) and downloading files that are not legitimate. I understand that learning this stuff is hard, but as we become more dependent on computers, people will have to learn how to defend themselves. Using up to date Anti-virus programs in addition to running Spyware removal programs can take care of a lot of these. There are some extremely effective FREE software out there to help with this. I use a set of 4 or 5 FREE programs to clean peoples PCs that get brought to me that are infected. After I give them their computer back, with a little training (and I mean very minimal, basic stuff...click here, then click here kind of stuff) they usually do not get infected again unless they stop keeping things up to date. Fact is that most companies are presented with the vulnerabilities ahead of time and are warned to patch it, which most do. Microsoft is VERY good at this. The problem is that most people find it 'annoying' or 'inconvenient' to do so and let it slide, and the result is losing a lot of money. My guess is that the Cumberland Housing Authority does not have an IT department, or get routine monthly maintenance done to make sure that their PCs are not infected. If they do, then they need to get a different company, such as mine (shameless plug here...Certeks Computer Consultants) to do a better job. I personally oversee Accountant offices, Lawyers offices, Doctor offices, and many more that have very confidential information that cannot be leaked and keep them secure for only a few hours of work per PC per month, some not even that much. The users can run the same scans I do for FREE, but do not want to be bothered. Do not blame Microsoft, it is strictly because when malware authors want to write a virus, would you go after 10 people or 1,000,000 people? The answer is obvious, so if everyone dropped Windows for another operating system, eventually the same thing will have to be done with those. I personally would rather stick with the company that has been in the game fighting this stuff from the beginning rather than switch to a company that doesn't even recommend trying to protect yourself and has no experience defending from these. It is like picking the new guy over the seasoned veteran.....It is a mere knee-jerk reaction that would accomplish nothing, but making things worse, as people will automatically think they are safe when in fact they are not. Man-in-the-middle attacks do not care what OS you are using, that takes your data straight off the cable, no infections necessary (to a point, security guys back off I am trying to keep it simple). What about your phone? Those are not completely safe either. With an RFID scanner I can walk by you and steal all your card information in your wallet. Please, do not hop on the 'I hate Microsoft' band wagon without doing some research and talking to the experts.
the kind of people who will both see and follow this advice are the kind of people who don't click on random email attachments. And like david w, i'd love to see them try
As said before, by thousands of people a million times: "On *Nix, nothing that is downloaded is executable."
Flawed article....
Hey folks - if you don't want to be involved in a plane crash then don't go flying - and also make sure the captain doesn't do the checks before you fly either. Therefore all planes = bad.
Right on....
> On *Nix, nothing that is downloaded is executable."
Not quite true. Haven't you seen stuff like:
wget http://example.com/progs/script.sh && sh ./script.sh
Plus, just because you download a tarball and do sh ./configure && make, does that really mean that you've examined the code to make sure that no evil was lurking within? Or, indeed, have you actually set your umask so that downloaded files *don't* have the executable bit set?
I know I'm being pedantic, and almost beside the point. But don't rule out the possibility of doing stupid things on *nix systems either. You don't have to go as far as Denis Ritchie's Reflections on Trust to come up with ways of duping a *nix admin. The smug attitude that you're above such deceptions as tainted downloads or that your machine is practically immune to viral code could be the fatal step before your downfall...
To be fair to Microsoft here, it's pretty clear that user stupidity or momentary lapse of judgement on their part is the main problem. Put these users on a Linux or BSD system, and you'll still see them falling for tricks like I mentioned above.
That's not to say that I agree with the article, mind. It's a pretty pathetic piece of trollbait, if you ask me. I'm not saying that MS doesn't deserve flak for its laissez-fair attitude to security, but why doesn't the article heap equal blame at the foot of the banks? Trollbait, as I said...
Lets just have a "LiveCD"/USB image that is distributed/certified by the major banks. That way they couldn't go blaming customers for client security.
Oh wait. Silly me.
I was wondering who would defend an operating system it is so riddled with security holes that they just had their biggest patch Tuesday ever.
Then I recalled the 'Windows Fan Boy' thing. They do seem like apologists for an insecure operating system.
The fact is: if you want to do secure online banking, don't use Windows. If you dispute the fact, look at the numbers for clarification.
Excuses for why the numbers are coming up so bad for Windows are just excuses. Sure there are lots of excuses that research will find, but it doesn't change the facts much.
As is Linux, OSX and any other OS. Windows is more of a problem than other operating systems because it runs on over 80% of the worlds desktop PC's. Coders are human, they make mistakes. Any software with more than a few thousand lines of code is likely to be flawed.
Most Computer users see PC's as a consumer device and expect their PC's to run and be as safe to use as a TV set, they trust their computer as they trust other consumer devices. Microsoft, Apple and developers of Linux distro's make no effort to discourage this trust as they all simplify the use of their products and extol their virtues.
Anti-virus software is not a solution, a recent email I received purporting to come from HM Revenue and Customs invited me to download and run my tax statement. This tax statement, an executable, was infact a zbot variant detected by only one of the virus scanning engines used by Jotti's malware scan that's 1 out of 22. I use Avast! that did not detect it.
Linux is safer than Windows but only until it has dominant market share, then someone will work out a way of infecting a Linux system without root access. I use Linux, I prefer Linux, but I am under no illusion. I subscribe to Full Disclosure and the number of exploitable vulnerabilities in OS software is at least comparable to the number of exploitable vulnerabilities in commercial products. The difference is that on the whole, they do get fixed quicker.
Security begins and ends with the user and the sooner developers admit that they cannot guarantee security of their code, and that ALL their products are a liability, the average user will continue to trust their computer as they trust their TV. This needs to change. Just like a packet of cigarettes carries a health warning, software packaging should also carry a warning stating that use of this software could result in severe financial loss. Maybe then users might just be a little less trusting.
I would say do not use Windows for anything other than playing games and as a media center because that is all it is fit for. And, when Linux has a much larger user base it won't be much better than windows from a security perspective either.
I have owned PCs and been online since 1982, and I always recommend to people to NOT use online banking, regardless of OS. Call the bank, it is WAY harder to get hacked that way...banks hate it because it costs more to them than online, but what matters is the safety of your money...
I can attest that some banks have sites that doesn't play well with Linux. One particular bank I use has a site that keeps stalling and timing out under Firefox in Linux, but on the exact same version of Firefox in Windows it works fine.
...against a zero-day cross-platform drive-by attack slipped into a trusted website (even here)? Financially- or politically-motivated hackers are some of the most motivated in existence, so they'll resort to ANYTHING to get their malware across--even develop something truly novel, like a cross-platform zero-day malware that slips through even NoScript or the like.
"I would say do not use Windows for anything other than playing games"
1. Is that because no-one can be arsed writing games for a bunch of tight fisted opensource wankers who'd never pay to play on their 0.1% desktop penetration OS?
"and as a media center because that is all it is fit for. "
2. So I'm guessing you've not been able to get a cheep out of the fucked up monstrosity that is the linux audio system(s).
"And, when Linux has a much larger user base it won't be much better than windows from a security perspective either."
3. Man you guys are so optimistic it makes me weep.
Bullshit. Let's use an analogy...
Motor car X is poorly-designed and constructed and known to regularly crash and burn, killing its occupants and, often, innocent pedestrians. Most of the times a crash happens the manufacturer issues a recall, and anyone who has the fix applied every time a recall is issued is a little better-protected than the 95% of owners who never respond to the recall notices.
Motor car Y is well-designed and constructed and, while not completely immune to crashes, hardly ever does due to its inherent design and construction qualities. (Drivers still run into trees, of course.)
Which one are you going to drive?
I gather almost all domestic Windows PCs run as Administrator. Buy a pre-configured Windows box and it will have the one, all-powerful user. From what I have read it looks like Vista had a heap of extra control stuff added to it to try and get round the problem, which people found very irritating. Any Linux distro will have a root user, even if you can't actually log in as root, to quarantine administrative functions. I'm sure that when Linux achieves a critical level of market share the crooks will devote time to it, but it remains an inherently far more securable OS than Windows, which was originally designed as a single-user, stand-alone OS, and, due to the marketing imperative of continuity, has what amounts to severe genetic defects passed on from version to version. If Bill Gates had known what he was creating, I bet he would have taken more trouble over it.
I've used online banking on Windows for many years without any issue... but then I don't click on attachments (and have educated my wife not to either), and in addition to running Anti-virus I also run other malware scanners regularly.
As so many others have pointed out, it's not specifically a failing with Windows, just a failure of users to think about what they're doing.
It's idiots who should not even have access to a computer who are the problem, not windows.
Doesn't any of those banks involved, have any options for authenticating transactions? How about those companies involved, don't they look for banks that authenticates transactions, and opt for such a service?
The simplest transaction authentication (I can think of) is, for a transaction to complete, by sending a text message (from the bank) to the account owner? Containing either an additional challenge code, or by having the recipient text/call back? Of course, this could be rendered useless if, say, changing of phone number is not properly/securely handled.
Dear Mr .Barbour,
If the post was given with some paragraphs to separate the mass of words , I may have read it..
Kind regards.
I see reference above to freeware tools for cleaning and inspecting Windows PCs. I'm aware that such tools exist, but I also know that fake tools of this type are a prime vector for malware. So how does one determine which tools are in fact 'safe', and which ones are scams? I've been careful and so far have managed to avoid infection, so far as I know, by implementing a reasonable degree of paranoia. An e-card, no matter from whom, is automatically assumed to be fraudulent. I delete most forwarded stuff un-opened if it has links in it that go somewhere I don't recognize, and I run Firefox with NoScript and a lot of 'features' turned off.
Any advice from those who know?
windows was (re-(re-))built from the ground up as a multi-user addon to an inherently single user system. A Linux desktop is going the other way, so there's a lot of security already in there in terms of separation.
@David W ("No need for a trojan if you've got root...") -- clicking on an attachment does not execute anything, and even if desktops become like that (some are, sadly) they won't execute as root.
@Charles9 ("malware that slips through even NoScript") -- can you show me an example of anything that slips through NoScript? I haven't seen one yet
The key thing is using a live CD or other method that ensures the computer starts from a totally clean slate and then connects to the bank!
If Windows had live CD:s like this, they could be used as well. But I guess the live CD concept is hard for Microsoft to integrate into their OS, or at least their business model. Here Linux wins.
Note that using a fresh Linux or a Windows installation in a virtual machine would NOT help; a Trojan on the host OS could be stealing your keypresses anyway. You really need to boot physically.
That is called virtual keyboard. Not particularly successful. A couple of American banks had that introduced 2-3 years back and it was dealt with very fast.
The only two systems so far which have been successful in eliminating banking fraud 100% are:
1. Using smartcards for authentication _AND_ signing each transaction with the smartcard. Popular in jurisdictions with high hacking pressure like SA, Eastern Europe, etc. You get a an internal browser popup which shows what you are signing for and asks you for the smartcard and its pin every time. If you got one of the readers with pin entry on the reader itself the system is totally bombproof. If not, it is still generally better than most banking auth currently in use in the western world. It has the side bonus that it makes use of digital sigs so you can actually sign any document not just transaction.
2. Using the debit card as a smartcard to sign every transaction. Used by Nationwide in the UK. You are given a couple of numbers to punch in the reader and the reader generates a hash. No fraud period. Which is not surprising as it is effectively a sneakernet - there is no physical connection between the machine and the reader.
Over and over, end users are told "Don't click on email links... especially ones that want you to sign on." And then what do the banks do? They send emails (HTML format, of course) with a nice button labeled "Sign on now".
I don't understand why you keep repeating the argument that this happens because Windows is "full of holes". The article clearly states that the user executed an unverified attachment, probably while running as admin. On Vista, he also had to either explicitly disable UAC or ignore one or more warnings. No OS bug was used. A similar attack against a similarly-clueless user would have worked on either Linux or Mac, if only hackers bothered to target these systems.
Oh, wait, yeah, I do understand - smug elitism combined with not having actually read the article.
FFS, the actual solution to the problem should be patently obvious - switch to a bank that uses one-time-only passwords for online operations.
Quote:
This bozo should be fired at once and sue by MS #
By Anonymous Coward Posted Thursday 15th October 2009 04:52 GMT
It's idiots who should not even have access to a computer who are the problem, not windows.
It's clear to me that the only idiots here are the ones jumping up to defend Windows as they clearly haven't got a FUCKING clue and haven't read the original articles by Krebs. Man, you Wintards truly take the biscuit when it comes to defending the indefensible. READ THE ORIGINAL ARTICLES. Don't rely on El Reg tor report them either accurately or with reference to all the facts. Haven't you idiots learnt anything?
Blah blah blah old 'if Windows was a car' joke recycled ...
Then the truth of the matter:
> Drivers still run into trees, of course.
Frumious Bandersnatch has aleady given one example of a downloadable linux infector, and there are loads more around.
*People*, not operating systems, click on unsafe links and download trojans.
If linux ever manages through some bizarre tragic accident to get any sort of desktop and home user market penetration, we will see the proliferation of malware for linux: and the only upside of that will be that it'll be hilarious to watch the l33t linux g33k5 suddenly changing their tune ...
Keep your OS patched.
Keep your apps patched (secunia)
Use key scrambling software (google it, i use QFX)
Run your AV.Malware scanner DAILY.
Stop clicking on email attachments
Type the banks URL in yourself (ie, dont follow links)
And finally, SOMEONE THINK OF THE USERS. EDUCATION EDUCATION EDUCATION.
There. Simples. (no, i cant do the cute squeak)
"Contrary to what banks say, writing checks really isn't that much of a hassle, at least if you don't write that many of them."
You're lucky to live in a country where that is actually an option. Many, including the one I live in, have banking systems that have jumped straight from being cash-only to all-virtual without stopping at the check/cheque on the way. And all the banks here are owned by multinational banking houses, too.
As to evading systems... my local bank sends a unique session code to my mobile phone whenever I want to do anything on my account. This means that anyone wishing to impersonate me and do more than just look at the figures must have my certificate (or access to a copy), AND my password, AND my mobile phone SIM card.
I was one of the first people to browbeat my local bank into allowing me to have online banking access - it was so new back then that the branch staff didn't have a clue. The only time I've had problems since was with my UK bank paying out to someone who'd hijacked a trade website I did business with - and even then they refunded both quickly and without quibble.
Of *course* any machine used for online banking purposes should be swept, cleansed, detoxed and whatever on a very regular basis indeed - but that's true whatever the operating system. I'm no great fan of Windows, and certainly not of Microsoft, but blaming the OS in this case is just ridiculous. So I shall use the rarely employed St Bill icon in revenge!
As an alternative to not using Windows people could instead use a decent online banking service if they heve large amounts of money in their accounts.
Asking for parts of a security number rather than the whole number is enough to thwart most trojans. That is suitable for personal banking, although in time those little security "calculators" will be needed.
For business banking or people with large assets then the "calculators" or the small "random number" machines completely defeat keylogging, even if the keylogger manages to work out the security number after a dozen logins.
Why don't American Banks use them? Because banking is different in America. There's lots of little inefficient banks, compared to the UK where there are less banks, but they're all big.
Your analogy is FUD. Shut up.
Microsoft Windows is at fault because xp issues "admin by default" user accounts, up until Windows Vista.
The rest is user error. Idiot computer users who download and install patches regularly, who download and run "superscreensaverboobies.exe" from an anonymous email, or who suffer drive-by attacks from poorly configured browsers (My pr0n won't load! I need unsigned ActiveX and Javascript to run it! AMAGAD OPEN OPEN OPEN!). Note that it could be IE, Firefox, Opera; They'll all do it if told to by the USER.
Your analogy is not accurate. What it should be is:
Motor car X is the most popular model on the market. Everyone can get it, it's easy to refuel, service, and comfortable to drive. It almost drives itself. The trouble is people take this for granted, and let it run away sometimes, causing accidents. It also has an idiots guide to tuning the engine, meaning folks who know about it can get the best performance, but idiots who use it end up wrecking the engine and costing themselves lots of money. Because there are more on the road of this model, there are more accidents. It's a direct correlation. These cars are also have an automated tool to bypass the immobiliser, but this is broken every month or so (Every second tuesday, actually) which means the bad guys need to update too.
Motor car Y is a kit car. It comes in a default configuration which runs 99% of the time, but it starts with a rattle that the owner doesn't like. He also notices that the headlights, indicators, and rear wiper don't work immediately. There is no idiot guide to maintenance; He has to ask other owners. These owners reply with "OMGLULZ U R N00BX0rZ GO BACK TO CAR X, TARD!" and shun him. He is left to read documents written by people who more than likely have qualifications in automotive maintenance. He has difficulty understanding it, and gives up. Car X was so much easier to drive.
Get it?
But car X is red and shiny and goes faster so it's better.
Don't tread in it or you will have ..........
Has anyone looked at Ubuntu 9.04 yet ?
Talk about bloat ware, it's reminiscent of MS Windose these days.
I mean, do I need to have MySQL, PHP, Python, C, C++, and God knows what else, installed by default ?
No I don't !
What do they do ?
Make it so someone that it's possible for a person not on your machine to use them, if they know how.
How do you stop them, if you weren't born with Penguin blood ?
You can't ! Or you have a long uphill climb where the terrain changes as fast as the English weather.
I think Linux fans need to shut up and read a book some times.
That would help us none penguin blooded folks arrive at a solution without all the PROPAGANDA getting ion the way.
Don't get me wrong. I hope there is a Linux solution, but genuine penguin heads ain't got it.
Thanks Mark.
ALFAZED
Use a live-boot CD. (Or probably better and more convenient - though I don't know if such a thing exists - a live-boot USB *ROM*)
That way, it doesn't matter what's polluting your computer; the main hard drive is never touched and you know that the same OS and code is running first time every time. There will never be an issue of downloaded viruses[1] - except in the original image, and that would be known about pretty quickly - since the only thing you would ever use this for would be to talk to your bank. No cookies either, come to think about it, beyond the session.
At the moment, the only live CDs are (I think - I stand to be corrected) Linux variants, but that's neither here nor there; I'm sure if MS got together with the bank they could get a minimal OS approved by the banks and delivered on a read only medium. It doesn't need much more than a minimal screen driver and browser... hmm, something for Android?
Yes, you would need to configure your internet every time you used it, but so what? How much is your bank account worth, vs a couple of minutes of your time?
[1] I suppose there's a possibility that some bright spark might come up with a virus which can burrow into the bios eeproms of the various common motherboards and be capable of recognising a CD/USB boot as an interesting one to sniff at... but how much use is made of the bios once the boot has started?
Crap analogy. A more accurate one would be:
Motor Car X is the most popular car in the world, owned and used by 80% of the worlds population. If anyone, anywhere is going to do some driving, the vast majority of them will use this car. It has reasonble security, if correctly administered by the driver, but will always be open to theft if the driver doesn't follow sensible precautions and lock the damn doors.
Motor Car Y is another motor car, that some feel is just as good as X but is only used by a very small number of drivers for various marketing reasons, not the least of which is that it hasn't been around as long as X. The security on this car is comprable to that of X, however the drivers of Y tend, because of it's nature as a smaller, less popular car to be hobbyists or enthusiasts and spend more time fiddling with the system to make it work better. In addition, because of it's niche market, thieves have found it more profitable to target X instead of Y.
If you were to do a study on the number of thefts of property from Motor Car X or Motor Car Y, would you be at all suprised to learn that the majority of thefts occur from X, rather than Y?
No, didn't think so.
Doesn't matter. Visit a compromised website (which may be reputable, not just dodgy porn/warez) and you've been done. Just visit them as a Windows user and you've been infected. http://www.theregister.co.uk/2008/10/31/sinowal_trojan_heist/
As for those who say that its all down to dominant market share, tosh and piffle. Do they think there is something magical about market share that makes it technically possible to break in once a system attains a high enough percentage? If *nix could be broken easily, it would have been done already, irrespective of market share.
Mac users, with no virus protection, and presumably on average higher net worth as they can afford the Apple Tax, are already much more lucrative targets than Windows. Yet number of Mac viruses=zero, Mac trojans=2. That's not because no one can be bothered to attack the systems, its because, so far, they have proven much more secure, by design.
Not wanting to cause agggro, but perhaps in this case the example slightly misses the mark...
A better example would be:
Car X is poorly designed and constructed and fragile, but strangely popular. Many VIP's who use them get assassinated.
Car Y is well designed and tough but very few people use it. An even smaller percentage of those get assassinated.
You'd take Car Y of course. And then when everyone has Car Y, said assassins would just develop ways to destroy Car Y.
OK my analogy isn't perfect, but more accurate to the situation don't you think? Your example implies that Windows crashes and then hacks all the banks and steals everyones money (which it may well do tbh)
I see the Microsoft apologists are out in full force again.
Here we have a company who is single-handedly responsible for the fact that users DO click on any and every attachment that comes their way, without providing any form of checking or security. Why? Because it was made ultra-convenient and for years was marketed as perfectly safe. This is a company that has, for 30 years, implemented a system that is completely insecure at its very core. A company that deliberately allowed user actions to affect core system resources without any form of restriction. A company that has continuously used its muscle not to push GOOD security, but to redefine what "good security" actually means. A company that does all sorts of security theatre, but continues to put out a product that can be so easily compromised.
And it's not their fault? Pull the other one, it's got bells on.
They've had a monopoly on the desktop for almost 30 years, since they (illegally) sold a product they did not yet own to the monopoly of the day. Instead of doing it right, they decided to do it any way that made the most profit - but certainly not the way that was best for consumers in the long run. This is just another example, and yes, lack of security and lack of protection for users IS their fault.
@Jacob Reid - It's not always the user at fault. If you've got a hacked website (where even the owner doesn't know it's been got at), and a zero-day exploit, then the user doesn't need to do anything different today than what he did yesterday to get his machine compromised. Of course, this can happen to Macs and Linux machine just as much as Windows, but there will be less useful results because there are less of those out there.
@b166er - when using the drop-down box I do sweep the mouse off to the side just in case. However, I believe the common work-around for fraudsters is a screen grab that shows what you've selected in the boxes. Not so suitable for automated hacking because someone's got to interpret the image, but still valid.
Why - cos they tell you computing is easy. They make a fortune out of selling something that is made easy for you to use. For easy read 'as secure as a fishnet condom'.
Sure some people use 'easy' versions of Linux as root cos they think computers should be easy after MS told them it should be. Sheep! Living the MS lie.
Computing with MS is like buying an electrically powered exercise bike. Might impress the neighbours but its only going to cost you money and get you nowhere in the long run.
You want secure computing? Dont expect to be able to buy it off the shelf. Dont expect it to be easy. Dont expect it to be MS.
All I'll add to the hopeless hubbub, the this story will attract, is that if you think "there's no way to know your Linux machine isn't compromised, either", then its because you can't be arsed looking. Describe to me the circumstances, under which a Linux owner would be unable to find out if there was something nasty lurking on their machine? You may think it bad, you may think it good, but the one thing you cannot argue about with Linux is that it gives you total control, if you can be bothered taking it.
The problem is two fold.
1. Abysmal out of the box configuration (which is significantly improved for the versions of windows that no-one wants for other reasons).
Running with admin rights???
2. Bundled Unsafe web and email programs.
Any HTML based email system is far more vulnerable to phishing and trojans than a plain text system. It is easy to make an email look like a corporate one and embed links that go to somewhere other than they indicate. And if someone is expecting an email they may get caught out. (I very nearly did once, on a web based email system, I never use HTML normally).
Internet Explorer is very vulnerable.
I doubt any of those compromised were using firefox with noscripts and an email client set to only use plain text. (Or a firewall configured to achieve the same end result.)
The blame is the way it is packaged. And for corporates the blame is for hiring people too stupid to understand this and re-do it properly. (if they *insist* on using windows).
That is why I am dissapointed windows 7 still comes with IE.
Anyone looked at using a dedicated VM guest for online banking, and doing all email, web surfing, risky activity in a different guest?
"(And yes, as Apple's market share continues to rise, it's likely OS X will be targeted. We can cross that bridge when we get to it.)"
AAAARRRGGHHHH.
You've been saying this for 8 years. Market share is such a minor part of it - if OS X was so easy to crack, all it would take would be a trojan in an email attachment. Sure, less people would open it, but 35 million people is hardly not worth bothering with.
Look at the numbers: Linux users tend to not be prone to the problems that plague MS users.
That is all that matters. Why is not important. Move to a Linux desktop and enjoy not having to always worry about infection.
Many have said that when more desktops run Linux that it will fall prey to malware. I agree that there will be more attempts; however the whole design is inherently more secure. But to you it should not matter - you should be concerned about your security today and the best way of achieving that is to move to a Linux desktop. What will happen in the future is another thing.
Don't get me wrong: I do keep my machines patched & up to date, that is easy under Linux.
Sign up, sign up for The Register's weekly IT security newsletter - click here
