Comments on: Scareware attacks spreading to Twitter, Google and legit media websites

By: Iterloord

Iterloord — Wed, 25 Nov 2009 20:48:57 +0000

Through you for details. It helped me in my mission

By: hoodia

hoodia — Fri, 28 Aug 2009 20:16:57 +0000

Nice but i think something is missing.

By: Joseph Bochner

Joseph Bochner — Thu, 11 Jun 2009 16:58:46 +0000

Byron,

This is a great first effort. However, as I think you realize, there’s much more to this story.

The current “anti-virus” regime places ultimate responsibility for computer protection on end users: ironically so, since in the main they are least able to cope with it. And while highly-profitable malware foundries flourish worldwide, law-enforcement stands idly by. This forces consumers to turn to companies like Symantec, who rake in billions “protecting” us from malware threats.

Now, there’s nothing wrong with making a buck cleaning up someone’s computer. So it’s no coincidence that when Symantec sued malware purveyor James Reno back in 2004, it ultimately just let him go. Reno, for his part, claims to have paid nothing in settlement of the suit, and simply moved his malware servers to Toronto. Four more years passed before the FTC sued Reno and others late last year for his malware offenses since Symantec v. Reno. How many millions of computers did Reno infect in the interim? I have gigabytes of data that provide a partial answer (i.e. sales for most of 2005), and volumes of other data showing who’s responsible.

Law enforcement and industry just aren’t interested. With the anti-virus business thriving, why should they be?

Harvard Professor Jonathan Zittrain has it right: if we don’t act soon, the future of the Internet looks grim.

By: Paul Royal

Paul Royal — Thu, 11 Jun 2009 16:20:49 +0000

In addition to knowing whether the website they are visiting is legitimate, users must also keep themselves apprised of and be ready to defend against potential security issues on that website. As Byron chronicles in his USA Today cover story, media outlets are popular targets for criminals who try to sneak increasingly aggressive malicious ad content past even the most diligent of overseers. Even USAToday.com fell victim to serving a malicious ad off its website in early May 2009 (http://blog.purewire.com/2009/05/usatoday-ads-redirect-to-rogue-av/), which did not require the user to click on or even hover over the ad to be directed to a website pushing Rogue AV software. To prevent becoming a victim of a malicious ad served off an otherwise legitimate website, the user need look no further than Firefox extensions like NoScript (http://noscript.net): the same mechanism these tools use for safeguarding you against potentially malicious javascript will also (conveniently) prevent many types of ads from even appearing.

By: Razvan Stoica

Razvan Stoica — Thu, 11 Jun 2009 11:18:07 +0000

“Whether you pay bills online or bank online do you really know that the website you are visiting is actually legit?”

There are now such wonderful things as certification authorities and cryptographic certificates.

While this infrastructure and the way it is presented to users could stand improvement, I’d still say that yes, one can verify the identity of a bank or shop website, today.

Dployment of DNSSec should also help, in the coming years.