Want to hijack people's PCs? Pay them a few cents

Posted on 6/16/2014
Balancing pennies on fingers

Apparently, hackers wanting to control PCs are wasting their time with elaborate botnets and vulnerability exploits -- all they may really need is some pocket change. A study found that between 22 and 43 percent of people were willing to install unknown software on their PCs in return for payments ranging from a penny to a dollar, even when their OS flagged the app as a potential threat that required permission to run. While you might think that respondents would naturally be a bit suspicious, that wasn't usually the case. As researcher Nicolas Christin notes, just 17 people out of 965 were running virtual machines that limited the possible damage; only one person went in fully expecting trouble, according to exit surveys.

It's no surprise that you can get someone to compromise security if you say the right things. Just ask Kevin Mitnick, who breached networks by getting logins from overly trusting workers. However, the study also suggests that it would make more financial sense for hackers to pay targets directly rather than to pay for a botnet. Since people don't seem to attach much monetary value to their security, criminals could pay roughly what they do now to steal data while avoiding the use of unreliable bots and equally sketchy bot sellers.

The study isn't a big one, so it's difficult to know if the results would be consistent on a larger scale. Also, people looking at tasks in Mechanical Turk are already eager for money; it may be tougher to pay for control of a PC when the offer comes out of the blue. Even if the voluntary infections would be lower in practice, though, the finding is a friendly reminder to always treat unfamiliar code with caution, no matter how much profit you'll make by installing it.

Heartbleed Bug - What you need to know

Posted on 4/29/2014

Be honest, don't you kinda wish we could just rub our collective eyes and all this Heartbleed business would just disappear? Tough luck hombre, it's still here, and some kid's trying to steal your vacation photos (probably). When we spoke to the open source initiative about it recently, we got a less than reassuring reply -- that the problem is partly about resources. What is more reassuring is this: The Core Infrastructure Initiative. If that sounds like a conference you'd pay money to not attend, we're with you, but trust us, it's for your benefit. In short, some of the biggest names in tech (Facebook, Google, Amazon, Intel and many more) have pledged to work with the Linux Foundation to make sure something like Heartbleed doesn't happen again. How? Mostly with cold hard cash, with each of the 13 companies involved chipping in to the "multi-million" dollar project. But how's it actually going to work?

The Linux Foundation claims that the OpenSSL project (which makes the software exploited by Heartbleed) has received about $2,000 in donations "in past years." That's barely enough to buy the team new embroidered polo shirts. The Core Infrastructure Initiative will divvy up the cash to similar projects that have been identified as needing proactive assistance, something that it hopes could prevent the next Heartbleed. Unsurprisingly, the first project to benefit from the scheme is OpenSSL itself. Worried that your Facebook stock dollars are funding "free" open source projects? Don't. So much of the internet relies on this technology that it's not a question of commercial strategy, it's common sense. As we're all finding out now, the hard way.

Windows XP support officially ends today, still used by over 25 percent of PCs

Posted on 4/8/2014

It's been over 12 years, folks: It's time to let that aging operating system go. In case the insistent cries of all your favorite applications and anyone who's used your computer recently weren't enough indication, we're here to make it totally clear that today is the day Microsoft ends official support for Windows XP. That means no more security updates and no more customer service calls. A paid option is available to organizations (think: governments, corporations, etc.) that offers "critical" patches and support, but even Microsoft suggests upgrading to a newer version of Windows instead of footing the bill.

We won't rib you too much for sticking to XP, though; over 25 percent of you are still running Microsoft's 2001 release, according to NetMarketShare. And that's to say nothing of the world's ATMs, 95 percent of which were still running XP as of two weeks ago. Egads!

Relax, y'all -- the company in charge of those ATMs, NCR Corporation, says it's in the process of upgrading and (as of last check-in a few weeks ago) should have one-third upgraded ahead of... today. After speaking with a rep this afternoon, however, the company is updating its upgrade estimate to "less than 20 percent." Not exactly a thrilling prospect when it comes to safety, though many banks are ponying up to Microsoft for ongoing updates.

A variety of countries are also still dependent on XP for governmental affairs, such as the United Kingdom and the Netherlands, both of which had to work out paid measures with Microsoft for continued security support. China's population is largely dependent on XP as well, with nearly half of the country's computer users running the aged OS. Still, between years of warning, financial incentives to upgrade and an update to XP that outright told users of today's news, it's hard to be upset at Microsoft. There was even free software for migrating content over.

So today we say goodbye to Windows XP: You were there for us back before the internet was cool, and you set the standard for desktop OSes.

Windows XP only the latest example of risky software, argues KPMG

Posted on 4/7/2014

The fact that millions of PCs and embedded systems will continue to run Windows XP beyond this week’s End of Life (EOL) deadline is only the latest example of obsolete, risky software that shouldn’t be used to stoke up unnecessary fear, KPMG analyst Stephen Bonner has argued.

As this week's deadline has approached, a wide range of firms including Microsoft have warned of the dire consequences of continuing to use an operating system that will no longer receive updates or patches, so Bonner’s view runs counter to this conventional wisdom.

His view is pragmatic. XP cannot easily be upgraded on many embedded systems such as ATMs, ticketing, point-of-sale and military systems, which means that one way or another it will be with us for some time. Ditto consumers, with huge numbers around the globe simply indifferent to the fact that XP is about to become past tense.

“So XP will be with us for some time, and in some quite unexpected places. Little wonder banks and governments are paying millions of pounds to extend support beyond April 8,” said Bonner.

This was absolutely predictable because a sizable minority of PC users already run many other types of obsolete software such as browsers, plug-ins and other software. Obsolete software is endemic and has been for years.

“It is worth remembering just how much obsolete software resides on our desktops. A survey of Java versions on a million end points last year found many had multiple versions of Java installed. On average organisations ran over 50 different Java versions, and more than half the organisations surveyed had Java software running which was over 5 years old,” he said.

Bonner has hit on one of the biggest weaknesses of the claim that running XP after this week represents an unfathomable risk – people already run a lot of risky software so is the operating system necessarily making this much worse?

“There has been speculation about cyber criminals holding back a large store of XP vulnerabilities ready to exploit obsolescent systems. I doubt that will happen - the incentive to exploit early and make money is just too great. However, I suspect some intelligence agencies might have a few zero days still in stock just in case.”

Legacy systems were in “difficult to reach places,” protected as much by physical as software security, and so most of the risk was in the consumer sector. But this population already has major problems, something that running an out-of-date operating system simply draws people’s attention to.

Bonner undoubtedly has a point, but the fact remains that the stats are against the hold-outs. With recent figures from security management firm Qualys reminding us that 70 percent of 2013’s Microsoft security bulletins affected XP, getting off this desktop is inevitable.

On the other hand, the industry’s real problem with XP is that it has never before had to confront the deep indifference to security that has been the backbone of the problems faced by Windows in the last decade. Having made little effort to deal with the issue of obsolescence before, future migrations had to be handled better than this one or the same pattern will be repeated.

“So let’s look beyond XP, but learn some lessons about the importance of managing obsolescence, removing obsolete software, and remembering to secure those out of sight computers.”

With Prime Air, Amazon plans to deliver purchases via drones

Posted on 12/2/2013

Delivery drones are on their way.

Amazon.com on Sunday introduced Prime Air, a futuristic delivery system that the company says will get packages into customers' hands in half an hour or less, delivered via unmanned aerial vehicles.

The online retail behemoth posted a video on its website that shows images of a recent Prime Air test flight.

In the 80-second clip, which you can watch below, a shopper buys an item on Amazon. The item is then placed into a plastic yellow Amazon container and picked up at the end of a conveyor belt by an Amazon drone, which takes off and soars over a grassy field before depositing the package with a thud outside the shopper's doorstep.

"One day, Prime Air vehicles will be as normal as seeing mail trucks on the road today," the company said in a brief Q&A on its website.

Amazon said the company has been working on Prime Air in its next-generation research and development lab, but cautioned that it would be a while before customers could choose it as a delivery option.

"Putting Prime Air into commercial use will take some number of years as we advance the technology and wait for the necessary FAA rules and regulations," the company said.

Amazon added that it hoped the agency would put in place rules for unmanned aerial vehicles by 2015. "We will be ready at that time," it said.

Amazon founder and Chief Executive Jeff Bezos introduced the delivery-by-drone concept during a segment on CBS' "60 Minutes" on Sunday. He said Prime Air would be available for packages weighing 5 pounds or less.

Already known for free, two-day delivery via its Amazon Prime membership program, the company has lately been experimenting with same-day delivery; it has also expanded its grocery delivery offerings and, most recently, announced that it was teaming with the U.S. Postal Service to deliver Amazon packages on Sundays.
