December 25, 2004
SAN JOSE, Calif. - Hackers, spammers and spies go into overdrive in December and January, when unsuspecting neophytes unwrap new computers, connect to the Internet, and, too often, get hit with viruses, spyware and other nefarious programs.
"People want to get on the Net right away, just like they want to put together and start using any Christmas present," said Tony Redmond, chief technology officer of Palo Alto, Calif.-based computer giant Hewlett-Packard Co., whose new PCs ship with 60 days of virus and adware protection. "They should be warned that the Net is a very, very dangerous place."
Susan Love's problems began with a smile.
The New York City fund-raiser clicked on a happy-face attachment in a friend's e-mail last year. The virus crashed her computer within an hour.
Love, 57, salvaged her data. But within a few months her computer's performance slowed to a crawl. In December 2003, she upgraded to a Sony Vaio with an extra-large monitor and Microsoft Windows XP operating system.
Within a few days, "spyware" - programs that sneak onto computers uninvited - began sponging up valuable memory. Then her e-mail stopped arriving.
Instead of crafting holiday e-mails, she spent hours installing the latest antivirus, anti-advertising and anti-spyware software. She also instituted a rule: Her computer never gets turned off, so security programs patch vulnerabilities around the clock.
"You have to become something of a nerd to make sure your computer is safe," said Love, a former English teacher who recently installed anti-adware on her daughter's computer. "If you don't sweep the computer every night, you could hit."
Love won't be the last to get a holiday crash-course in computer security.
Although few researchers produce holiday-specific security data, experts at IBM Corp., Dell Inc., Hewlett-Packard Co., software companies and Internet service providers agree that the holidays are prime time for hackers.
Holiday viruses are so rampant that consumers could be attacked even if their first online destination is to a Web site for updating security patches.
Kris Murphy, help desk coordinator for North Carolina Internet service provider Indylink.org, said his minister got attacked last year, only a few minutes after unpacking and connecting the machine. At the time of infection, the minister was updating security patches to Windows.
"Hackers know that you are most vulnerable as soon as you go online for the first time," said Murphy, whose 10-person company hires temp consultants during the holidays to handle higher call volume. "Inexperienced people tend to fall into traps more readily because they don't recognize that this guy might be trying to get your credit card information."
Technology executives describe the relationship between hackers and security programmers as an arms race - both sides keep ratcheting up fire power. But lack of consumer awareness - if not downright naivete - allows the war to escalate.
According to a recent survey by the National Cyber Security Alliance, of the 185 million Americans with home computers, one in three say they'll never get hit by viruses or other cyber attacks. In a Consumer Reports study, 36 percent of U.S. home computers showed signs of being infected with spyware and only 41 percent of surveyed households said they actively try to prevent it.
American businesses are savvy about firewalls, spam filters, multiple passwords and other network protections, said Stuart McIrvine, director of corporate security strategy at IBM. But problems at the consumer level - from spyware to security risks in coffee shop wireless networks - are so severe that every hardware and software vendor should be worried about a backlash.
Seasonal attacks start around Thanksgiving, when online shopping begins an annual spike and marketers pummel consumers with junk e-mail - from the perfect stocking stuffer for a balding spouse to a limited-offer holiday cruise.
With the rise in e-commerce, identity thieves try even harder to obtain credit card and other financial data from wireless and home networks. They set up dummy Web sites that seem to be hosted by major financial institutions in hopes that gullible consumers will provide their account information.
Virus writers hide viruses and worms in holiday-themed e-mails, seasonal greetings cards and screensavers.
"W32/Zafi-D," a mass mailing and peer-to-peer worm, harvests addresses from Windows address books and other files. Infected e-mails' subject line begins, "Merry Christmas!" and the text reads, "Happy Hollydays."
The most vulnerable computers are the ones that have sat under Christmas trees for days or weeks. If a consumer buys equipment that arrives on Dec. 15, and it sits in the living room until Dec. 25, it could be hit by hundreds of viruses written in the 10-day interim.
Tony Ross, analyst at British security firm Sophos Plc., advised consumers to get a CD-ROM with the newest updates from their electronics vendor, next-door neighbor or the computer at their office before connecting to the Internet. They should prohibit children - who tend to be liberal in distributing their personal data - from using the machine until it's patched.
Consumers should vigilantly buy and update security software, which can add hundreds of dollars over the course of a computer's lifetime. Popular anti-spyware and anti-adware programs include Webroot Software Inc.'s Spy Sweeper ($29.95 for a one-year subscription), LavaSoft's Ad-Aware SE Professional ($39.95), Tenebril Inc.'s SpyCatcher ($29.95), the free Spybot Search & Destroy and Computer Associate Inc.'s eTrust PestPatrol ($39.95).
Some experts wonder whether the computer has become the digital age equivalent of a puppy - an enthralling treasure on Christmas morning, but a sinkhole for time and energy for years after. At very least, computers are far more demanding than the typical holiday toy, which merely requires batteries.
"At some point, people who receive them for Christmas often ask, 'Is this computer a gift or a curse?'" Ross said.