Most public computers that I have scanned in my travels are infested with spyware, viruses and/or trojans (malware). It is hard enough to keep a Windows computer clean of viruses if you are the only one using the computer. It is extremely difficult to keep a computer clean if hundreds or even thousands of people are using it.
The following common activities can get a Windows computer infected with malware:
- Opening email attachments, even ones sent by friends
- Browsing the Web with Internet Explorer (especially non-XP/SP2 versions of Windows)
- Using programs like Kazaa, Limewire, and Bearshare to share files online
The New York Times ran an article on the dangers of using public Internet access.
While it is hard to say how likely it is that someone is lurking on a public network, many public networks do not have adequate security.
Last fall, InfoWorld magazine published an article about a security researcher who managed to collect more than 100 passwords, per stay, at hotels with lax security (about half the hotels she tested).
Gathering reliable statistics about security breaches is notoriously difficult, since companies are reluctant to reveal this information. Still, the most recent computer crime and security survey, conducted annually by the Computer Security Institute with the Federal Bureau of Investigation, found that the average loss from computer security incidents in 2005 was $167,713 per respondent (based on 313 companies and organizations that answered the question).
As Jim Louderback, editor of PC Magazine, noted, the statistics may not matter given the problems one data breach can cause.
The article mostly covers wireless computing. You can read the full article here.
A recent story on the Register describes a computer attack that shows how easily a Windows computer can become infected with a keylogger:
"Surfers who follow this link are taken to a spoof copy of the BBC story hosted on a maliciously constructed site that exploits the unpatched createTextRange vulnerability in an attempt to install key logging software on victim PCs.
This key logger monitors activity on various financial websites and uploads captured information back to the attacker, security firm Websense warns."
It is very easy to infect a Windows computer with malicious software, which is why strong precautions should be taken when using public computers for financial purposes.
CIO.com has an article about a new type of invisible rootkit.
"Security researchers have discovered a new type of rootkit they believe will greatly increase the difficulty of detecting and removing malicious code.
The rootkit in question, called Backdoor.Rustock.A by Symantec and Mailbot.AZ by F-Secure, uses advanced techniques to avoid detection by most rootkit detectors."
A rootkit is a type of malicious program that allows someone to conceal that they have taken over your computer. Rootkits are very difficult to find, and this new method is even more sophisticated.
As usual, using a Linux live CD will bypass all possible rootkits that may be running on public computers.
According to a Federal Trade Commission Report, "Internet-related complaints accounted for 46 percent of all fraud complaints."
In contrast, a study by Javelin Strategy and Research indicated that 9% of identity theft comes from malware and hacking. The Javelin study suggests that most identity theft happens offline, but that online identity theft can be more severe and harder to figure out:
"...per-incident losses for online fraud have increased from an average of $2,897 in 2004 to an average $6,432 in 2005 (an increase of 122 percent)...
Phishing scams also seem to take longer for victims to figure out: the average length of misuse of personal information resulting from a phishing scam was found to be 173 days. Personal information stolen by friends, family, or employees was misused for an average of 134 days, while lost or stolen credit cards were misused for an average of 75 days."
For more information on identity theft, visit the Federal Trade Commission's identity theft web site.
Bruce Schneier has an article that describes a way that people can steal your passwords just by plugging an iPod or USB thumb drive into your Windows computer:
"...basically you can configure a file on your USB device to automatically run when it's plugged into a computer. That file can, of course, do anything you want it to.
Recently I've been seeing more and more written about this attack. The Spring 2006 issue of 2600 Magazine, for example, contains a short article called "iPod Sneakiness" (unfortunately, not on line). The author suggests that you can innocently ask someone at an Internet cafe if you can plug your iPod into his computer to power it up — and then steal his passwords and critical files."
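A defender can inspect a removable drive for this kind of auto-run configuration before trusting it. The following is an added example, not code from this page or from Schneier's article; it assumes the Windows AutoRun mechanism, in which an `autorun.inf` file in the drive root names the program to launch, and the sample file content is constructed.

```python
import re

# Directives in the [autorun] section that name a program to launch.
DIRECT_KEYS = {"open", "shellexecute"}
# shell\<verb>\command adds a context-menu entry that launches a program.
VERB_CMD = re.compile(r"^shell\\([^\\]+)\\command$", re.IGNORECASE)


def audit_autorun(text):
    """Return (directive, command) pairs, in file order, that would start a program."""
    findings = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            # Section names are case-insensitive; only [autorun] matters here.
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue  # tolerate junk lines instead of failing on them
        key, value = (part.strip() for part in line.split("=", 1))
        key_l = key.lower()
        if key_l in DIRECT_KEYS or VERB_CMD.match(key_l):
            findings.append((key_l, value))
    return findings


# Constructed sample autorun.inf content, not taken from a real device.
SAMPLE = """\
; constructed sample
[AutoRun]
label=My Music Player
icon=player.ico
OPEN=tools\\sync.exe /quiet
this line is junk padding
shell\\explore\\command=tools\\sync.exe
[Content]
MusicFiles=true
"""

if __name__ == "__main__":
    for directive, command in audit_autorun(SAMPLE):
        print(f"would launch via {directive}: {command}")
```

A drive whose `autorun.inf` yields any findings should be opened only with AutoRun disabled, and the named program examined before anything on the drive is run.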
An article at webuser.co.uk says that spyware and trojans are on the rise. This is another good reason to use Linux live CDs when on a public computer.
"Webroot's latest report shows that during the first quarter of 2006 the number of spyware infections jumped to 87 per cent from 72 per cent in the same period in 2005; a rise of 15 percent.
According to Webroot's figures, the total number of Trojan horses also increased from 18 percent over the previous quarter to an average of 29.5 per cent."
PBS.org has an interesting interview with Richard Power on their web site where he talks about some of the bad guys in the world of computer security. In the following quote, he mentions the rise of organized crime on the Internet.
"I think we have to take organized crime much more seriously than we do hackers. Organized crime goes where the money is, and the money is moving to the internet. And if you can go on the internet and steal people's credit card numbers, and steal identities, and steal phone numbers, and steal products and money and possibly sell faulty goods, organized crime will move to that. They're going to move to it as long as it's profitable. And organized crime is likely to be better funded, better skilled and better organized than lone criminals, than hackers are. . . . I think organized crime is a big worry, and I think it's going to get worse, as criminals realize that there's money to be made on the internet. . . ."