Sunday, January 31, 2010

Why?


I'm talking about computer security and why some people are responsible and others not. I've written about this before, mostly in a BlogsNH/Concord Monitor Online blog called TechAlert. The reasons vary from person to person, but the two at the top of my list are laziness and apathy.

- Laziness because it takes some effort to learn how your computer works and what you need to do to protect it, and also the basic maintenance necessary to keep things like your security programs up to date. I should also add being attentive, both to how your system runs 'normally' so that you'll be alerted to events that might signal a malware infection, and also online where every web page or email could be compromised.  That's why I ended every blog post with a variation of "THINK -- BEFORE you click!"

Admittedly, nothing short of pulling the plug can guarantee you won't be hacked/infected, but that doesn't mean you shouldn't protect yourself by being informed & aware (and vigilant with a healthy dose of skepticism when it comes to unsolicited email). 

Videos or photos with "This is unbelievable!" or "You gotta see this!", and the ones about some celebrity caught naked, are typical bait to lure victims into a scammer's trap. This now includes any big celebrity (or other) news event including the recent earthquake in Haiti. If people are likely to be in a hurry to get information about a breaking event you can be sure that scammers will take advantage of the situation and use it as bait in spam email and in search engine results.
 
If an individual's security apathy just affected them it would be one thing, but it doesn't, and at some point in the future this widespread apathy will lead to something like an interruption of the power grid or air traffic control. As history has shown, often serious issues aren't addressed until after a disaster occurs. In this case I doubt anything short of prolonged widespread suffering through power/Internet outages (and intense peer pressure) will change people's behavior, and that might not be enough.. Legislation might be needed, but that will never come to pass because big business and their army of lobbyists control Congress, and requiring a license to connect a computer to the Internet would be good for overall security but bad for business. As we've seen, if Congress has a choice between what's good for the public vs what's good for big business (and the bottom line), money and influence wins most of the time.

You have to treat going online (which starts as soon as your computer connects to the Internet) like you're a spy walking through a dangerous city carrying a briefcase full of secret papers. Assume that you're being watched by people just waiting for you to make a mistake and let your guard down. Lazy or apathetic spies don't last long..

- Apathy is another shortcut to trouble. 'All I want to do is get online as fast as I can, download/watch that video, get through all this email, see that sexy pic, install this software..... All this 'security' stuff just gets in the way.'.

These two are related, and much of the time ignorance is in the mix right alongside. If you don't take the time to learn how to protect yourself, and you don't stay apprised of they daily warnings (that are freely available from people and organizations who work hard to gather and publish it) about vulnerabilities in software, hoaxes, compromised sites and other dangers, you're like a 'babe in the woods'.

The side effect of people ignoring security and getting their computers infected is that the rest of us suffer because of them. They get infected with malware that makes their computer(s) part of a huge group of computers controlled by one group of bad guys (and there are lots of these groups), who then 'rent' this powerful group of combined computers to other bad guys who can then attack banks, power companies, web sites, government computers, and the list goes on.. Sometimes they block a giant corporation's computer systems and hold it for ransom until they're paid millions of dollars. Oil companies to grocery chains secretly pay these ransoms adding millions/billions to their bottom lines, and who do you think ends up paying for it?
It's the equivalent of leaving all of your doors unlocked and your car unlocked in a parking lot with the keys on the seat, only worse.

These three traits are so prevalent that companies like Microsoft design their operating systems to cater to them and many security software companies do the same. It seems that so many people are so lazy that bothering them with anything that takes a second or two out of their precious time, or is 'too complicated', affects sales..

Think of the USA as a computer and these lazy/apathetic/ignorant people as the ones in charge of operating the government and taking care of our security, health, and safety.... 'nuff said. So to those I'm describing, wake up, grow up, get off your arses, do your part to help keep us all safer!
  -------------------------------------------------------------
Now a personal note..

Researching and writing a weekly security blog is (or was) a lot of work. When you dedicate your time and effort for the good of others you'd like to think you're making a positive difference. [I'd] like to think some people are heeding my calls for taking security more seriously and putting more effort into personal computer security awareness. Otherwise why should *I* make the effort? The responsible folks who give security the appropriate attention aren't the ones I write for (for the most part), although I did hope the security alerts I posted added some value to the readers of the Concord Monitor Online.

During the time I was actively writing the TechAlert blog I told my family (my brother and his wife & child in Florida) about it and told them to check it out. I never got any feedback good/bad about it. When asked they said they'd 'get around to it but things were hectic..'.

That was over a year (or three?) ago. Last week my niece asked me if I'd heard of something called "Internet Security 2010" and said that her mother possibly got scammed by it. I immediately recognized the typical 'generic'-type name that all the rogue (read Fake & Infected) security software programs use to fool the unaware. I did some research and found a computer help forum with specific instructions on how to remove it (and additional helpful information) then sent my niece the URL link with an offer to assist if needed. Two days later after hearing nothing I asked how it was going. My niece said the credit card company voided the transaction but the computer 'was a real mess'. To date I haven't had any request for help or advice.
A couple of things are bothersome about this.. The first thing that comes to mind is that if my sister-in-law had bothered to visit (and learn from) my blog she would have been aware of things like 'rogue security software' and hopefully not fallen for whatever scam technique she fell for. The second thing is that it doesn't appear that anything has changed despite this incident. If you don't learn how you got infected you're bound to get infected again.

Similar to STDs, if your computer habits are promiscuous and you don't know how to protect yourself you can expect trouble, and that includes infecting others. That's just plain irresponsible behavior.

So if my own family (who are otherwise highly intelligent people) don't bother to take my advice...........
Am I just wasting my time?
  --------------------------------------------------------

Please don't be part of the problem. Help be part of the solution.
And remember....
Always THINK before you click!