Porn-Surfing Execs Infecting Corporate Networks With Malware
wiredmikey writes "According to a recent survey of malware analysts at U.S. enterprises, 40% of the time a device used by a member of the senior leadership team became infected with malware was due to executives visiting a pornographic website. The study, from ThreatTrack Security, also found that nearly six in 10 of the malware analysts have investigated or addressed a data breach that was never disclosed by their company. When asked to identify the most difficult aspects of defending their companies' networks from advanced malware, 67% said the complexity of malware is a chief factor; 67% said the volume of malware attacks; and 58% cited the ineffectiveness of anti-malware solutions."
Very disappointing article. (Score:5, Funny)
It doesn't even include any of the URLs to go to!
Re: (Score:1)
Execs always demand administrative rights to their machine... No surprise!
Re: (Score:2, Funny)
" 67% said the complexity of malware is a chief factor; 67% said the volume of malware attacks; and 58% cited the ineffectiveness of anti-malware solutions."
And the remaining 40% said these numbers don't add up.
Re: (Score:2)
It's fairly obvious that those are the percentages of people who said those items were problems. It does not say that they, individually, were the worst problem.
malware and porn (Score:1, Insightful)
Last time I saw an article about that on /. it was stating how most porn sites have very little malware and most malware comes from stupid wholesome crap like smileys and bars and other retarded crap the mouth breathers think they need to install.
Re:malware and porn (Score:5, Funny)
You have no idea... (Score:2)
I caught a VP of one of my former employers surfing tumblr for pics of women that flash their tits in public and ONLY that. He was very consistent when looking for these pics. I got wind of it when I was given access to our Solera Deep See box right after being brought in. I monitored his activity for a week then checked his past activity and, sure enough, big tits flashed in public. Used a tool to capture his IE history: Big tits flashed in public.
I've seen execs that liked to search for weird stuff, and t
Re:malware and porn (Score:5, Interesting)
You don't think executives don't NEED those super important "power bars", do you?
And of course execs have admin privs on their PC. They don't know what to do with it, they don't know why they got it, but don't you dare even suggest taking it from him!
Even as the CISO you get shouted down at the management meeting when you suggest something outrageous like that. What cheek! Those dumb techdroids having higher privileges on his PC than the CEO!
Yeah, we had a good laugh.
Re: (Score:2, Insightful)
But when it comes to IT - they just love logging in with an account with full domain admin privileges (you could create a different account for them to use if they ever need it - which could be rarely, but no, it has to be their main account).
Re: (Score:2)
And of course execs have admin privs on their PC. They don't know what to do with it, they don't know why they got it, but don't you dare even suggest taking it from him!
Reminds me of the old observation that you can easily determine someone's software expertise from the log data showing how often they run with elevated (root, admin, whatever) privileges: The two quantities are inversely related.
I recall once impressing some people at a company that I was contracting for, when at a meeting I was asked if I needed root privileges on the machines I was using for testing. I shrugged, and said I didn't think so. When they looked puzzled, I just said that in the few cases I
Safe Surfing (Score:1)
The obvious solution is for corporations to provide safe porn on their internal networks. What could possibly go wrong?
Re:Safe Surfing (Score:5, Funny)
I shudder to think of how this'll impact the BYOD policy...
Re: (Score:3)
I am more afraid of the sexual harassment problems looming over our heads with the BYOD crap.
Re: Safe Surfing (Score:3, Insightful)
You jest but the threat is real. We have a slew of Android users who had their phone done over.
It used to be that we would tell users "don't click that link," where now web sites like yieldmanager throw apk files at them... which download automatically... they install... and we have to clean their phone and explain that their phone is a small PC. Sigh. The 90's all over again.
Those who do not learn from the past.
Re: (Score:1)
When I went to college the network admin (who also happened to be an instructor for one of my classes) told us the university could save a lot on network costs if it would just set up internal porn server mirrors. Unfortunately the board of regents didn't like that idea.
It's good to be the king. (Score:4, Insightful)
-- Mel Brooks, "History of the World pt 1"
Re:It's good to be the king. (Score:5, Interesting)
It's good to be the king. -- Mel Brooks, "History of the World pt 1"
Agreed. I'm one of the fortunate ones - my boss actually follows the rules, but I've worked in places where the boss is exempt from basic network security. One was a small business where the boss 'pays the bills', so he got to 'make the rules'.
When his customer database was deleted he fired his IT guy in a fit of anger. He lost a lot of money in a wrongful dismissal settlement, and lost all of his business. It might have been the IT guy who did it - but the lawyers obviously felt that 'I don't need a slow virus scanner' was more likely the cause. Or at least, reasonable doubt.
Re: (Score:2)
How fucked up was the IT infrastructure that one douche bag running windows without a virus scanner managed to nuke a database and all the offsite backups?
Must have been one hell of a virus.
Re:It's good to be the king. (Score:5, Interesting)
"Why do we need backups, we have it all here, right? So why do you want to have it there, too? Do you want to steal our customers?"
I was actually asked that once.
Re: (Score:2)
Re: (Score:2)
I should maybe mention that the statement above is about 25 years old and, as many here can imagine, the business in question does not exist anymore. It wasn't a data loss problem that felled them, though. They were incompetent in other areas too. :)
Re: (Score:2)
'I don't need a slow virus scanner' was more likely the cause.
Wait... that's a true statement. Nobody needs a slow virus scanner. Go get an application whitelisting solution such as Bitlocker, Lumension, or Bit9.
The slowest/most user-annoying of signature-based AV such as McAfee or Symantec have piss-poor detection rates anyways ---- I find possibly 90% of scans of malware yield false negatives (failure to detect). Often, virus signatures will never recognize the malware variant you happened to h
Re: (Score:2)
*Tip, to authenticate to a local account on a domain computer, use '.\' as in '.\jsmith'
Solution (Score:5, Interesting)
and 58% cited the ineffectiveness of anti-malware solutions."
So the majority of experts agree the existing solutions are ineffective. And yet the solution remains the same: Buy more of it.
Re: (Score:1)
What a truly ignorant statement. 96% of infections are covered according to the experts. Just because 4% get in doesn't mean it is 100% ineffective and useless. I see many malware programs all the time from people who say they are clean.
It is not 10 years ago where an infection slows it down. Today it is quiet and quick on purpose as your bank account numbers and credit card info gets sent to Russia quietly.
Re: (Score:2)
So the majority of experts agree the existing solutions are ineffective. And yet the solution remains the same: Buy more of it.
Was the research study funded by security companies that may be involved in some way in the antimalware business?
Re:Solution (Score:5, Insightful)
Does Antivirus software get everything? Hell no. Is it useless because of it? No, far from it.
The world is not black and white and neither is security. I mean, by the same logic you could say that anti-drug laws didn't work, so let's abolish them. Police didn't arrest every murderer out there, away with it. And since doctors fail at saving every patient, shut down those hospitals.
Would that be stupid? Of course it would be. No, anti malware programs do not catch everything. But even the worst of them (interestingly named after its currently quite mobile founder) finds about 95% of the threats. Yes, that means that one out of 20 attacks could get past it. But the other 19 do not!
Not to mention that the best security system is powerless against user stupidity. I think I pull that link every time we're discussing this, but it just was true, is true and probably will be true forever until I find a way to kill clickmonkeys via internet: Given a choice between dancing pigs and security, users will pick dancing pigs every time [wikipedia.org]. There is exactly NO way how you can secure a system against a clickmonkey that has admin privs. And those idiotic execs do! Not that they need them or know how to wield them, but they want that "in control" feeling. Needed or not.
The very LAST thing I want is any kind of privileges beyond the bare minimum to do my job. Simple reason: Credible deniability. What I could not do, I most certainly did not do. Your database is missing? Could not have been me, I can only enter data but I can't delete or edit anything. Go look elsewhere for your culprit.
But back on topic. Statistic is a multi-layer system. Relying on only one part of security is simply dumb. There is no such thing as 100% security. It's a myth. Like 100% uptime. You can lower the chance for a security breach, with technology (firewalls, antivirus), with policies (least privileges, secure processes) and a few other things. And yes, hence the solution to security is more security. Well, within reason and at sensible points, of course, but the solution can't be "can't stop it, so why bother trying?"
Re: (Score:3)
If my own corporate experience with antivirus/antimalware tools is any indication they actually find 120% of the threats.
How do they do that you say? By flagging legitimate files as malware and trojans. It's a very real problem for small software d
Re: (Score:2)
You bring back memories of slashdot's badanalogyguy.
I mean, by the same logic you could say that anti-drug laws didn't work, so let's abolish them.
That would only be a good analogy if antivirus actually caused more infections than they stopped. The societal ills blamed on drugs are actually caused by the laws against them.
That said, the rest of your argument is logical.
Re: (Score:2)
Well, considering that some false positives can actually cause more havoc than some infections...
Re: (Score:2)
When kept updated, antivirus software should do a pretty good job keeping all the older, known attacks out of the door. That leaves only a (relatively small) number of new attacks that can affect you.
Combine that with some proper lockdown of the computer (not running as admin/root should help a lot, for example) and you can keep many of those newer attacks at bay as well.
Re: (Score:2)
Re: (Score:2)
the next rev will fix your problem...
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Why would you ever have to touch their computer? Put up a sacrificial server with a virtual host running Samba, and modify their login script and group to have them interface to this virtual host. Have something on the virtual host analyze and sanitize their crap, and physically isolate their network services so that they're not on the same network as everyone else. Give them their porn and keep them off of the corporate network.
Right because executives never need to share files with the rest of the teams in the company. It is not like they have important things to do all day or anything
Re: (Score:2)
Re: (Score:1)
Until you point out to the CFO how much those who are violating corporate policy are costing the company. Shit gets straightened out right quick then.
Re: (Score:2)
they would say, your our IT you fix it.
Twenty years ago I'd have not had a clue what you were trying to say, but slashdot helps me. I hope English is a second language for you. If so, know that "your" is a possessive; "your house is our house" so you can see why "your our" is confusing to someone literate in English. You're looking for "you're", a contraction for "you are".
If English is your first language, get your GED.
</education>
Re:Solution (Score:5, Funny)
I'd rather be out of the job than stuck between "I need access to EVERYTHING for no goddamn reason" and "ME COMPOOTER IS BOKE-BOKE AGAIN FIX IT A+ PRIORITY ONE"
Ah. The naivety of youth. So refreshing. And yet they wonder why nobody hires them.
Re: (Score:1)
This is your bank. You gonna pay me or what!
You have until the end of the month to come up with the money or I will repo your car.
Maybe you shouldn't have told that guy who paid your bills to fuck himself when he demanded it high priority? Not my problem as I get your car and will auction it either way at the end of the month if I do not have my money etc.
Re: (Score:2)
Of course buy more of it - hey, 58% + 58% = 116%, doesn't it?????
Yeah, I think you've got it. And it makes perfect sense to the "team leaders" who expect their employees to "give 110%".
So, in other words, they violate basic IT policy (Score:5, Insightful)
Re:So, in other words, they violate basic IT polic (Score:5, Insightful)
And there's a reason why the executive suite doesn't listen:
"You're not the boss of me!"
(Supported by "If anything does happen, it's your fault anyway.")
Re: (Score:3)
I was the execs' personal IT support (not my job, but hey) in the last company I worked for.
One day the CEO brought his "wife's" laptop for me to fix because it was really slow.
I had never seen so much and so varied porn on one person's computer before. I learned so much back then...
Re: (Score:2)
(Supported by "If anything does happen, it's your fault anyway.")
No... this is when you bring them a paper; "Please sign here that you agree that you will have exclusive responsibility for the security of this workstation which will be excluded from the security rules --- you understand the risk, and the concerns of the IT department, attempting to maintain due care with regard to the security of the organization's assets and proprietary and sensitive information."
Copy in triplicate; keep a co
Re: (Score:2)
What you need in this case is a CISO with a hell of a backbone who cares more about doing his job than about keeping it.
In other words: Good luck.
Re: (Score:2)
The more I get older, the more I realise that the majority of adults are essentially still children.
Re: (Score:1)
Yeah, all the old behaviors still exist from childhood. Maturity just takes off enough of the rough edges to not be continually abrasive. Well, in those that have matured anyway. About a third of population didn't make it past puberty personality wise. And, about 9% never made it past the terrible twos. That latter group frequently clusters at the extremes of society, for example, in positions where they make and/or break the rules.
Re: (Score:2)
There is a reason us IT folks tell people not to do these things at work.
PERHAPS; it would be more credible if IT folks would actually explain a plausible reason, every time they tell people not to do something.
People will assume you're telling them not to surf porn, because it's against the rules, or because you in IT feel that is immoral, and maybe you warn them about "malware" as a scare tactic to try and keep them doing what you want them to do, instead of what they want to do.
Re: (Score:2)
Management and bosses aren't peons and want carte blanche when it comes to IT. At my work we had a problem with people using Facebook and porn. It's a small shop with about 20 PCs and there were only two culprits: the office "manager" who spent her entire day on FB and a skeevy shop worker who used his PC for porn. The office manager tried to hide her addiction but she was caught time and time again with FB open. She once had the nerve to tell an overworked and overloaded secretary that she was too busy to
Big Picture (Score:2)
Let's not forget the big picture here. While they may be violating IT policy, possibly opening the network up to many infiltration risks, and potentially costing many hours of lost productivity across many departments; this is all true.
The fact is, before internet porn, they were spending their time between meetings giving HR headaches with torrid office affairs and sexual harassment lawsuits.
Believe it or not, this is cheaper.
Flash Update Scam (Score:1)
It gets 'em every time.
Re: (Score:1)
Well, when even Google tells people that their software needs to be updated, without being asked, then of course people will eventually believe that a web site is an acceptable channel for that kind of information. You can tell people that they should never heed the warnings of a web site as often as you like: Your authority does not come close to Google's clout. It is like banks embedding links in their emails: When the good guys make themselves look like the fraudsters, then the fraudsters start looking l
The real problem (Score:2)
Is executives trying to claim sovereign immunity to IT regulations.
I doubt those of lower rank would be given anything but a pink slip if they were caught doing the same thing.
Re: (Score:3)
Pretty much this.
One of the core reasons this problem exists in the first place is that execs insist that the rules don't apply to them. Oh sure, we have insanely tight corporate rules concerning computer usage... but of course not for C-Levels, certainly not. And their secretaries (who are collectively ignorant enough to be a security crisis all by themselves) have to be exempt, too. And while we're at it, we not only need to bypass the firewall entirely but we also need administrative privileges on our ma
Re: (Score:3)
Is executives trying to claim sovereign immunity to IT regulations.
Perhaps.... but this is one of the reasons IT security cannot be built from the bottom up.
IT security inherently requires management buy-in, and management has to be made to understand about leadership by example. They must be sold on it. If they themselves can't adhere to it, then they sure aren't sold on it! How could they expect their hired help to be sold on it, if they don't even agree with it?
If the manager or their fa
Porn! (Score:2)
OS Design failure (Score:3, Interesting)
So, none of this mentions the lack of a proper security design in the Operating System. When someone says run a program, let it use this much RAM, this much CPU, and this folder.... that should be it.
But no existing commodity OS lets you do that, does it? Until capability based security becomes the norm, this will never be fixed, and information security jobs will flourish.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
No OS can protect you against user stupidity. When the user says "execute program", the OS can yell ten times how unsafe it is and how much this is a virus, when the user overrides it all it accomplishes is to annoy the user.
He needs administrative privileges to do that you say? And he doesn't need them to do his job you say? I agree. The C-Level in question does not. Since you can't fire him but he can fire you, guess who gets his way.
Do different rules apply to senior managers? (Score:5, Insightful)
Re: (Score:1)
Because they can.
Re: (Score:2)
My guess would be a misplaced feeling of entitlement combined with turf war mentality. Combined with a pretty comfy security that they won't get fired over something as trivial as surfing porn.
Senior managers are a bit like little kids. They have no real worries in life and they have nothing really important to do, so they start a bling war. Who got the better car, who gets the better parking space at work, who has the secretary with the bigger hooters and so on. Of course this entails the feeling of needin
Re: (Score:1)
Let's turn this around... (Score:3)
A. A very stern email would go out to all employees regarding the issue.
B. A whole lot of employees would get canned.
Since it's executives, there will be no scolding or even talk of it. Not to mention their security for no good reason is low, so they access anything they want on the internet. It will just keep going on. After all, this is hardly news. It's well known (at least in support) that executives have been infecting their machines and the network by the sackful for ages. When I did internal corporate IT support, I personally saw it. Over and over and over. The standard course of action? Remote into their machine, silently remark at the sheer number of porn related icons on their desktop, start removing things (toolbars too), climb around in the registry fixing all the damage the porn did, patch anything I had to, and then disconnect - walking away from the whole matter without a word. Also, these events were never properly documented to protect the executive, and therefore my job. The funny thing is, a lot of the higher ups would watch me while I was remoted into their machine, seeing everything they had been up to - they truly didn't give a shit due to their level of authority. I sometimes wondered if they got off on it. No shame at all.
Not 40% of Execs (Score:2)
This is not 40% of executives infecting phones. In fact, based on the article, we don't know how many execs get malware on their phone. However, out of that total unknown percentage of execs with malware, 40% of them get their malware from porn sites. The summary is using a method of lying with statistics, letting the reader infer something that isn't true by showing a similar true statistic.
This statistic wasn't even the point of the article, but rather that breaches are not being reported by companies.
http://yourbrainonporn.com/ (Score:3)
http://yourbrainonporn.com/ [yourbrainonporn.com]
All that needs to be said...
Good God (Score:2)
I really want to say "UNBELIEVABLE", but it's all too believable.
Apparently it's just too much to ask that some jackass making over a million a year show a tiny little bit of emotional maturity and/or professionalism and NOT view porn at work. More is expected of teenagers at their first minimum wage job than that.
Why porn sites and malware? (Score:2)
Why do porn sites have more malware than other sites?
It stands to reason that porn on the internet shouldn't have any more to do with malware than sports on the internet. Both are popular with about the same demographic and both are providing an entertainment product.
By now, considering the money associated with porn and the relative competition, porn sites should be like any other site selling entertainment, wanting to maintain a "safe" shopping experience for their customers lest they take their entertai
Re: (Score:1)
It's because execs don't want to pay for porn, so they end up on the bad side of the webs, where free porn is used to lure people to malware sites.
Re: (Score:2)
Re: (Score:2)
My guess is that with porn sites and infections it is much like in RL with STDs. There are not really that many infected porn sites, but people tend to move around and switch frequently, hence eventually catching something.
Stay faithful to your porn page and you will be fine. Ramen.
Re: (Score:2)
Simple, really. Tell a sports fan, "Save as. Wait. Type 'mount' and press enter. No, in the other window. Mount. Yes. Does your /home say noexec next to it? Yes, in parentheses. I don't care about nodev, I asked about noexec. Oh, good. JUST A MINUTE, this won't take long if you just do what I say. Save as, malware.sh in your home directory. Your home directory. Now, type 'chmod +x malware.sh' Yes. Yes. No, chmod. C as in Catcher. H as i
what exactly is a "visit" to a porn site (Score:2)
I was once googling for "evacuated cylinder solar collector", and cmd-clicking all the links to open a batch of tabs to vendors of such. A few dozen tabs in, I looked over at my secondary monitor, and it was filled with a porn site. So you see, I "visited a pornographic site" that day.
Re: (Score:3)
Well, if you're googling for such perverted stuff, it's your own damn fault!
Re: (Score:2)
I was once googling for "evacuated cylinder solar collector",.
Holy cow, that's some nasty porn!
Re: (Score:2)
The problem is the latency - you needed to cmd click all those pages because clicking and hitting the back button to click the next link doesn't work. First, your browser wants to refresh the original page every time because...why again?
Then, each page has a ton of 3rd party includes that break the page layout if they don't load in the right order (and have their own... 4th party, I guess.. includes, which are computed on the fly, so you have to run some of the js before you can even find out you're missin
Throw the bums out (Score:1)
Any executive who gets a virus from a porn site instead of a hooker is grossly incompetent and should be fired.
Oh yes. (Score:3)
Re: (Score:3)
The support staff are either full of shit (which is the most likely scenario) or breaking the law themselves by not reporting this "jail time category" porn.
And if they are more concerned with keeping their job than reporting it they are in the same low-life category as the execs accessing the stuff.
Re: (Score:2)
I also used to work in a bank, and there was this opt-in network (you actually had to ask for it, and it of course put you on a "watch" list for performance and such) on a regular home-grade connection, called "red cable". It got you access to a nearly unrestricted NAT connection (separation for each floor, wireless network segments, and meeting rooms), and incidentally allowed IT folks to download packages and other cumbersome images that the regular proxy would not download/filter.
Meeting rooms also were
Tyrants (Score:1)
Yep, above the law, above company policy...these modern lords "tax" by paying woefully less to the peons than their labor is worth (usually less than half the profit created by said peons is returned to them) . A majority provide only the "leadership" of following the latest trends from books or from successful start-ups...except the execution is typically poor because they try to do it cheaper. Anyone who has worked for a corporation probably recognized the enthusiastic rantings every time some new initia
Management style (Score:5, Funny)
These porn-surfing execs are just taking a more "hands-on" approach to management and want to make sure they have a firm grasp on their critical infrastructure.
It gives new meaning to The Peter Principle.
get a linux box (Score:4, Insightful)
True. (Score:1)
I have a family member who is a VP at a top 100 company. I've spoken to him and he mentions that they don't worry about IT coming after execs that high up and porn. I was shocked and tried to warn him that it just gives the company a good out if something should happen, yet he continues to surf porn. As I work in IT and as one of my former jobs was to monitor the midnight biology lessons that would take place and report on them, I found this both disturbing and pissed me off. Here I am busting my ass to k
Is this because of downloaded executables? (Score:2)
Is this because porn sites are serving actual exploits that use Flash or browser bugs, or because people downloaded and ran .exe files?
This study seems factually inaccurate (Score:1)
Two words. Irene Demova. (Score:2)
She's a killer man!
Mostly bad ads or malware sites that use lure porn (Score:2)
The "well known" paid for and free porn sites try hard to keep their servers free from malware. It's the ad servers they use to generate income that usually get infected. The other way to get malware from going to porn sites, is going to malware sites that use the promise of free porn to get you to click on stuff.
The best way to prevent this from happening if you can't do anything about the browsing habits of your users, is to block all ad servers, regardless of what site they serve ads on on your firewal
Bossless Office (Score:2)
don't make me laugh (Score:2)
Re: (Score:2)
When it comes to corporate IT, they're idiots at removing viruses. I'm head IT manager but also run a mostly residential computer repair shop. I know how to remove a virus! Anyone who doesn't remove viruses for a living does not. It's as easy as can be to delete any virus manually then clean up with other tools if you know what you're doing. Unfortunately, they do not.
Corporate IT doesn't need to know how to remove viruses beyond clicking 'delete' in the installed AV software. If it goes beyond that then there is a security issue and the best practice is just to replace the computer which usually takes less time, work, and worry than trying to remove viruses manually.
Re: (Score:2)
Re: (Score:2)
So if the submitter won't do it, or the slashdot editors won't do it, the next time you read about malware infecting a bunch of users' computers don't forget to add "in windows" to the end.
It's similar to the advice I ran across years ago: If any news story talks about problems with "computers", you should always add "running MS Windows". If it were any other kind of computer, they would have told you its brand name. Since then, I've been looking for exceptions, where a computer problem bad enough to make the news was on machines using non-MS software. So far the only cases I've run across have always mentioned the brand or the OS name. I keep expecting exceptions, and maybe some day I'll
Re: Occam's Razor (Score:5, Insightful)
They don't get fired for it.
Re: (Score:2)
Besides not getting and having access to more sensitive data (if they get own3d). So they are exactly the same as all of the other employees except that they're totally different. ;-)
Re: (Score:2)
OMG, we'll make billions with the targeted ads.
You get the domain registered, I hire the coders. Maybe we should find a few execs to harvest the pages.
Oh. And there go our billions...