Have you ever been asked:
- What’s all the fuss about computer security? I don’t have any sensitive data on my home computer, and at work, I don’t have access to any sensitive data.
- Why would anyone attack my computer?
How do you respond? Here’s how I handle it.
First, I ask them if they ever receive spam. Then I ask where they think spam comes from. Usually, they have no idea.
So I explain that a large portion of spam is sent from compromised computers, both on corporate networks and, especially, from home computers, which are typically poorly protected and maintained. I then ask whether they’d be comfortable if their computer were used to send out pornographic spam. Now I have their attention, so I continue.
Second, I remind them that while they may not have access to sensitive applications or servers at work, they have more access than attackers do. Attackers, I tell them, after gaining access to a computer account, look for information on the hard drive and on the servers to which the account has access, and then use the information learned to compromise other accounts and systems.
Similarly, I continue, once attackers gain access to an application (using their account), much more company information is available. Furthermore, even with limited user access, a skilled attacker can sometimes trick an application into displaying more data than it should.
Third, although this gets a bit technical, I explain that attackers need several compromised computers to attack others and cover their trail. To avoid being traced, attackers compromise several computers and chain them together, usually at different companies in different countries with different computer crime laws.
If the attack is discovered, the connection must be traced back from Company D’s compromised computer to Company C’s computer, then Company B’s, then Company A’s, and finally back to the attacker’s computer. The chances of all those companies cooperating in the investigation and having the logs required to trace the connection are slim. I ask my friend, “Do you want your computer to be part of that trail?”
Fourth, I mention zombies. Everyone knows that zombies, whatever they are, are on the dark side. I simply describe how many compromised computers are electronically linked together, like a massive conference call, and used to “call” another computer over and over, causing a nasty busy signal (called a distributed denial of service attack) that prevents others from using the attacked computer.
Finally, I bring it all back home and make it personal. I ask whether they ever use their home computer to:
- Store family photos, movies, or MP3 collections?
- Do taxes?
- Do online banking?
- Buy anything with a credit card?
- Visit web sites of which their mother would not approve?
- Send emails containing personal opinions regarding their sweetie, boss, family members, or global warming research?
If the answer is Yes to any of those questions, then I suggest to them that there IS sensitive and/or precious data on their computer, and they should be applying updates, using antivirus software, using strong passwords, doing backups, etc.
If you don’t want your computer to be a pawn in another person’s castle, and if you have any secrets, you need security.
Here’s a great article describing many ways attackers can use a hacked PC. It includes a nice graphical summary too.