…in the last two years alone, cyber thieves have cost Americans more than $8 billion and that last year worldwide they stole data worth up to $1 trillion. He described how even his own presidential campaign network had been compromised last fall, with hackers gaining access to policy position papers and travel plans. (The Washington Post)

From a cyber defense perspective, in 2007 the US Department of Defense detected about 360 million attempted attacks against its computer networks. That’s up from just 6 million in 2006. The cost to defend against these attacks was $100 million over the last six months.

I have to say: If the DoD can’t keep cyber criminals out of its computers, what chance has an average Internet user?

• Matt Knox was motivated to write this piece of adware because he needed money; he wasn’t seeking fame nor pursuing any other agenda. It was just a job to him.

• The adware he wrote had many self-protective capabilities; it actively resisted efforts by the machine owner to remove it. Knox described using one particular advanced tactic: “We did create unwritable registry keys and file names” by exploiting backwards compatibility functions in Windows. This meant it was impossible to even see the adware’s registry keys with regular tools, let alone alter or delete them.
• It also removed any viruses and other adware that happened to already be present so as to have the resources of the machine available to do its work.
• The adware this guy wrote was typically installed by people who thought they were getting something useful for free (e.g., a funny screen saver).
• Knox’s company aimed for the biggest, easiest target: “Most adware targets Internet Explorer (IE) users because obviously they’re the biggest share of the market. In addition, they tend to be the less-savvy chunk of the market.”
• Here’s the obvious follow on question: “In your professional opinion, how can people avoid adware?” Answer: “Um, run UNIX.” (e.g., MacOS X or possibly Ubuntu Linux.)

Clearly, adware authors like Knox count on infecting those people using the dominant desktop operating system (Windows) and web browser (Internet Explorer) while at the same time relying upon old-fashioned confidence schemes.

For the “average” Internet user (and I have some stats on who this person is that I’ll share with you soon) I’d say the easiest way to avoid malware in general is to stop using Windows computers. That means they need to take up MacOS X or possibly Ubuntu Linux. If they buy certain netbooks, they will get an easy-to-use version of Linux that would give them the same protection.

If they can’t or won’t give up Windows, they need to switch to Firefox. And then install effective malware control software and adopt a more critical mindset that is more resistant to being swindled online.

As we go forward, I’ll have a lot more to say about how to avoid adware and all kinds of malware. What do you think?

Wikipedia says “Adware or advertising-supported software is any software package which automatically plays, displays, or downloads advertisements to a computer after the software is installed on it or while the application is being used. Some types of adware are also spyware and can be classified as privacy-invasive software.”

Take a look at the interview. There are sections that get a bit technical; skip over them if you like and you’ll still learn a lot. I’ll give you my reaction in my next post.

Of course, what did I get today? A spam from Lighting Universe. At this point, knowing what I know about this topic, my reaction is one of anger and frustration. As I told my wife, they have lost me as a customer for a very long time, perhaps forever. No matter how sincere the saleswoman was, Lighting Universe lied to me. Now I don’t trust that brand enough to shop there. Since I have many other choices for buying light fixtures, I doubt it’s worth my time and energy to let them know.

You know what I mean?

No surprises on the malware list. The fact that “job search” made it to #9 tells me the bad guys are paying attention to the newest ways to find people who are feeling desperate and vulnerable. Of course, this list is somewhat academic: These days you can get malware from just about any web site. MySpace, Excite, and Blick are good examples.

The only surprise to me is the #1 item on the phishing list: Health & Medicine. I would have guessed banks and credit cards (a.k.a., finance). Anyone know why it was Health & Medicine?

By way of analogy, I believe the mentality of the average Internet user is a lot like that of the average car driver. As an “average” car driver myself, I do not need to know how the engine works in order to drive myself to work or the store. Likewise, I don’t need to understand the inner workings of the electronics, brakes, or airbags. The car should just work with a minimal amount of learning on my part. If something goes wrong, I just get the car to a repair shop and pay an expert to fix it. To save a little money, I might decide to get smart about some simple things like wiper blades but I don’t have to go any further than I wish. The point is, I do not have to be an automotive expert in order to buy and use my car.

In the same way, an average Internet user does not expect to be required to study the inner workings of operating systems and networks in order to buy access to and enjoy the benefits of the Internet. Because you can’t get around the ‘net without a minimal base of knowledge, it is reasonable to expect them to know how to enter in a web site address and tell the difference between email and instant messaging, among other things.

Of course, that’s where the analogy starts to fall apart. People are licensed to drive a car; there are lines on the pavement so you know where to drive; police to remind people to obey the various traffic laws; insurance companies to fix us and our cars when we crash; etc.

My belief is we have to become as expert as we can to protect ourselves while we wait until the Internet provides all those “extras”. Until then, we are on our own. Does that sound about right to you?

One day, while working really hard as the chief information security officer at an insurance company, I realized that so much of our organization’s network security was in the hands of ordinary users of our computers. That no matter how much my team did to safeguard our customer’s confidential data, no how much money we spent on our mission, all it would take was one average Internet using employee to cause major damage, either deliberately or accidentally.

That got me thinking about all my friends and family who have asked me to figure out why their computers were so slow or just misbehaving. And I thought about all the crud I would find when I finally got my hands on their machines. And how it was often impossible to undo the damage, so I erased their hard disks and had them start again from scratch. I heard the same questions: How did this happen? Where did I go wrong? How can I keep this from happening again? They were both mystified and embarrassed.

One of my friends had even spent $40 trying to buy anti-virus software from a browser pop-up window in the midst of his struggles with his computer. All he had to show for his effort was a compromised credit card. More embarrassment and frustration.

The point of this blog is to connect with you so we can figure out how average Internet users can be safe and secure online. My hope is we’ll discover some practical things that anyone can do. And, we’ll talk about why the Internet can be so dangerous. I have my own opinions on the topic and I intend to share them. And, no, I don’t think the situation is hopeless, nor are the people involved. But, there are major challenges. What do you think is the greatest challenge?