IE vs Firefox: security update

First, which browsers are the most common these days? Wikipedia has a useful summary of browser usage statistics collected from various sources. The summary statistics look a little off to me (even after considering the note at the bottom of the table), but you get the basic idea: Internet Explorer and Firefox are running away with it.

Security Update

Internet Explorer 6 remains a hopelessly dangerous browser, but I’ve been impressed by Internet Explorer versions 7 and 8. If you haven’t yet upgraded, do so now.

I wanted to update previous comparisons (see here, here, and here) between the two most prominent browsers, but Secunia, the security consultancy I had been getting figures from, now advises against using its statistics for comparison purposes because of the way it reports them.

Fair enough, and it wouldn’t hurt to go to a second source. I recently ran across a report by NSS Labs, which mentions that “53% of malware is now delivered via internet download versus just 12% via email, while IFrame exploits and other vulnerabilities comprise 7% and 5%, respectively…” (If you’re wondering, IFrame exploits are just another flavour of attack aimed at web browsers.)

Check out the report summary, which has two very interesting graphs. It looks like Internet Explorer 8 is beating Firefox (and other browsers) by a wide margin when it comes to protecting against “socially engineered malware” (links that lead to infected downloads), while the two leading browsers provide about the same amount of protection against phishing attempts.

The web’s most dangerous search terms

Curious about the web’s most dangerous search terms?

The categories with the worst maximum risk profile were lyrics keywords (26.3%) and phrases that include the word “free” (21.3%). If a consumer landed at the riskiest search page for a typical lyrics search, one of four results would be risky.

What makes a webpage dangerous?

  • Risky downloads—Downloadable files that contain viruses, spyware, or adware or make unrelated
    changes to the downloading computer
  • Browser exploits—Also known as a driveby download, this type of malicious code enables viruses,
    keystroke loggers, or spyware to install on a consumer’s computer without consent and/or knowledge
  • Email practices—Registration forms and other sign-ups that result in high volume email, highly
    commercial email or both. We also test for difficulty unsubscribing.
  • Phishing—Scam sites that try to trick visitors into believing the site is legitimate
  • Excessive popups—Sites that engage in aggressive popup behavior or display large numbers
    of popups
  • Linking practices—Sites that aggressively link to other red- or yellow-rated sites

The report, by McAfee, mentions that hacking for profit has overtaken hacking for fame. I suspect that is why we no longer worry about viruses that will wipe our hard drives clean — the tactic is attention-getting, but is unlikely to be profitable to anybody. Today, viruses that collect information about our computing habits and personal lives are the primary threats.

Viruses and Spyware: Expected Costs

The previous post discussed the amount of money you ought to be willing to pay per year to avoid getting phished. By using statistics about the average cost of phishing and the probability of experiencing it, it was possible to come up with a meaningful figure. Given the right statistics, this type of analysis is possible for any type of risk.

What Should You Pay to Avoid Viruses and Spyware?

In Consumer Reports’ 2008 State of the Net summary, the odds of contracting a serious computer virus problem are given as 1 in 7, with a yearly cost of $2.9 billion. The odds of a serious spyware problem are 1 in 14, with a yearly cost of $3.6 billion. (Note that these figures are for both businesses and consumers.)

From these statistics, it is possible to calculate the amount that the typical person ought to be willing to pay, yearly, in the form of insurance or a preventative product or service, to avoid the consequences of viruses and spyware.

If 1 in 7 computer users had major virus problems, it means that 26 million people suffered expenses of about $110 each. If 1 in 14 computer users had a major spyware problem, it means that about 13 million people took a hit of $275.

Using these numbers and a formula for expected costs (expected cost = average cost per incident multiplied by probability of incidence) we can conclude that the expected yearly loss per person from virus and spyware threats totals $35. Put another way, each of us should be willing to spend up to $35 per year on insurance, services, or products that would shield us from the costs of viruses and spyware.

The Value of Anti-Virus Software

Of course, my calculations could be wrong. But it’s interesting to note that McAfee and Symantec, two of the most popular anti-virus and anti-spyware providers, price their mainstay products at $40, $5 more than our calculation says is reasonable.

Is that extra $5 per year for peace of mind or is it down to overpricing? Or maybe the cost figures that Consumer Reports noted do not include the psychological cost of annoyance and time spent getting rid of viruses and spyware, which could bring the total cost per person higher than what was reported. I’m inclined to give the benefit of the doubt to the millions of consumers who indicate, by their willingness to pay, that a $40 anti-virus solution is worth it to them, but I could be off the mark.

Why are privacy and security important?

Every so often, it helps to remind ourselves why security and privacy are important. In late 2006, Consumer Reports published its third annual State of the Net, which I think is an excellent summary and forceful reminder of why, exactly, security and privacy should be high priorities for everyone.

Viruses have come of age

If your installation of Windows XP is lacking an antivirus program or firewall, it’ll take about 8 seconds for it to become rabid and foaming with worms, viruses, and spyware. At least, that’s what this BBC article suggests.

But seriously, remember when all you had to worry about was some dork impressing his friends with some virus named after a girl that kneed him in the balls last week? That was a more innocent time.

Today, viruses have come of age. And they’re not even called viruses anymore. The biggest problems today are spyware and adware. The trouble with viruses was that their sole object was to penetrate your computer, then destroy it. That didn’t make anybody rich, though, because good parasites don’t kill their hosts.

The most sinister and pervasive threats have morphed into commercially propelled vehicles for privacy extraction with a view to profit. These days, when I look at a friend’s computer that has slowed and shown signs of derangement from infection, I don’t find a lot of viruses. But I find boatloads of spyware and adware (and that’s a metric boatload, not one of those sissy imperial boatloads).

So be aware of the threat you face now. A new enemy requires new tactics–this means your anti-spyware and adware programs are more important than ever. I previously recommended Spybot and Adaware for the newly important jobs – read my review of both and find out how to get them (they’re free, of course).
