Some new statistics on how widespread malware has become. This research comes from Google’s Anti-Malware team (full document is here)
- The majority of malware sites are hosted in China
- 1.3% of Google searches return a link to a malicious site
- They found more than 3 million unique URLs on over 180,000 web sites that automatically install malware
That’s 3 million web pages that will attempt to install some form of malicious code on your computer.
With things this bad you’d be crazy to use the internet without some kind of web filtering. This is different to virus scanning. Web filtering scans each web page before your web browser loads it, looking for things like phishing and malicious code.
All of the big antivirus products include web filtering these days, it’s a good investment if you haven’t purchased one already.
The US Federal Trade Commission (FTC) has released a report showing some statistics on fraud for 2007. These statistics come from people who report incidents of fraud to them, so it’s really limited to USA. The problem worldwide would be much much worse.
The top 20 complaint categories were:
Rank Category Complaints
- Identity Theft 258,427
- Shop-at-Home/Catalog Sales 62,811
- Internet Services 42,266
- Foreign Money Offers 32,868
- Prizes/Sweepstakes and Lotteries 32,162
- Computer Equipment and Software 27,036
- Internet Auctions 24,376
- Health Care Claims 16,097
- Travel, Vacations, and Timeshares 14,903
- Advance-Fee Loans and Credit Protection/Repair 14,342
- Investments 13,705
- Magazines and Buyers Clubs 12,970
- Business Opportunities and Work-at-Home Plans 11,362
- Real Estate (Not Timeshares) 9,475
- Office Supplies and Services 9,211
- Telephone Services 8,155
- Employ. Agencies/Job Counsel/Overseas Work 5,932
- Debt Management/Credit Counseling 3,442
- Multi-Level Mktg./Pyramids/Chain Letters 3,092
- Charitable Solicitations 1,843
That’s 258,427 cases of identity theft in one year, in one country! The total fraud losses recorded in this report totals more than $1.2 billion. The full report is here.
A recent survey by a security company called Secunia shows that only 5% of computers are fully patched. The other 95% are running insecure software.
It’s important to patch all of your software. This includes the operating system itself (e.g. Windows, Mac OS, Linux), your web browser (e.g. Internet Explorer, Firefox), and all your applications. And of course in an office environment patches should be carried out by IT administrators (complete with backups).
This serves as a gentle reminder to our previous post on patching. Read Secunia’s article here.
The US Army has been upgrading their servers and workstations to Macs and are claiming they’re harder to hack (i.e. they’re more secure).
The primary reason they state is that fewer attacks are written for Macs than for Windows. This seems true for now.
One common weakness between all operating systems (Mac, Windows, Linux, etc) is the user. People can be tricked into clicking on things or carrying out other hazardous tasks no matter what computer they use (this is where security education comes in).
More details here.
Sophos (a large IT security company) recently conducted a survey of 560 people. 54% of them admitted to using someone else’s wireless network without permission. That’s more than half the respondents. Why should you care?
If you have a wireless network that isn’t well secured then:
- Someone could be using your internet account and incurring expenses (or pushing you over a capped limit and effectively slowing down your connection)
- Someone could be illegally downloading copyrighted content (such as using a file sharing program to download commercial movies – it’s illegal and you’re liable for providing the connection)
- Someone could be using your internet connection to commit online crimes (just read the posts on this site to get an idea of how common this is).
- It lets anyone within range bypass your firewall, making your computers and other wireless devices vulnerable. This is especially important if you have wireless in an office environment
- It’s easier for someone to install spyware on your computer, making activities like online banking very dangerous
The most important reason of these is how easy it makes it for someone to use your network to commit crimes. Imagine being involved in a child pornography investigation, or having your internet disconnected because your network was used to send millions of spam emails.
I’ve written before on how to secure a wireless network and if you haven’t done so it’s worth reading through here.
If you’re in the 54% of people who wouldn’t think twice of using someone else’s wireless network without permission then you should know that:
- It’s illegal in a lot of countries (people get arrested for this quite often)
- It’s effectively stealing. It isn’t a victimless crime
- You can’t trust the network you’re using. It’s easy for someone to setup a wireless network in such a was that they can record all the traffic from it. This is one way to eavesdrop on other people’s traffic and to capture passwords
So the message here is to secure your wireless network, and don’t use other people’s wireless networks without permission.
A quick update about online crime.
In Italy, 26 people were recently arrested for taking part in running phishing sites (web sites that look like bank sites (for example) but are designed to capture your account number and password). Two of these people have already been sentenced (5.5 – 6 years prison). It’s important to realise how common this problem is in the world.
And a short while ago I wrote about some important disks that were lost by the British government, containing personal data on 25 million people. That incident received a lot of press coverage and it’s not an isolated case. This stuff happens frequently, like in Northern Ireland. Two CDs were lost this week by one of their government agencies containing personal data on 6000 residents. These disks were not encrypted, as the previous case. Full article here.
Then in California a laptop was stolen containing personal information on 45,000 patients of Sutter Lakeside Hospital. Again the data was not encrypted, making it all too easy for anyone to use this personal information as they see fit. I recently wrote an article on protecting laptops when used to take home work. Full press article here.
Some lessons to be learnt are:
- There are a very large number of online criminals doing everything they can to try and steal your money
- Disks and notebooks (laptops) are lost or stolen all the time. If they contain sensitive information they should be encrypted
- Keep in mind that your personal details are not all that private anymore