I’ve Got Nothing Worth Stealing

May 28, 2009

One of the things that can be very frustrating in the computer security field is getting some users to take the idea of security seriously:

Computer users often dismiss Internet security best practices because they find them inconvenient, or because they think the rules don’t apply to them. Many cling to the misguided belief that because they don’t bank or shop online, that bad guys won’t target them.

This is the opening of a really good article, “The Scrap Value of a Hacked PC”, by Brian Krebs of the Washington Post in his Security Fix blog.  As he points out, the “direct” items people think of being stolen, such as passwords or credit card numbers, are not the only, or even the most valuable, targets:

When casual Internet users think about the value of their PC to cyber crooks, they typically think stolen credit card numbers and online banking passwords. But as we have seen, those credentials are but one potential area of interest for attackers.

He lists a number of ways in which a criminal can make use of your PC, some of which you really don’t want, including:

  • Use as a Web host for pirated software or movies, or for kiddie porn
  • Use as a relay for junk E-mail (spam) or for “laundering” connections
  • Use as a tool for Internet advertising “click fraud”
  • Use in denial-of-service or extortion attempts on other Web sites.

Bad guys also have a keen interest in any access credentials, or clues thereto, that may be lying around on your machine.  Those might include other people’s E-mail addresses, or credentials to connect to your workplace network.  Miscellaneous personal information is also grist for the identity thief’s mill.

There’s another thing, too.  Although I am not aware of any specific cases, it does not seem at all improbable to me, in our litigious society, that a PC user might be sued for damages on account of his PC being used in an attack on someone else.  I am not a lawyer, of course, but I think there is a legal doctrine sometimes referred to as “The Attractive Nuisance”, under which a person can be liable for negligence if he leaves a dangerous situation or condition untended, or without reasonable care.  I can visualize this being reworked along the lines of: “The defendant knew, or should have known, that his PC was insecure and could be used to damage someone else.”  You would probably also prefer not to have to prove that the kiddie porn pictures someone downloaded from your PC were put there without your knowledge.

So be careful out there.
