Sponsor for PC Pals Forum

Author Topic: Security: educating the unwashed masses  (Read 811 times)

Offline Clive

  • Administrator
  • *****
  • Posts: 75153
  • Won Quiz of the Year 2015,2016,2017, 2020, 2021
Security: educating the unwashed masses
« on: March 31, 2004, 14:39 »
By Daniel Hanson, SecurityFocus
Posted: 31/03/2004 at 11:50 GMT
   
If you ask the average Internet user about security for their computer, and they either look blankly at you, or mumble something about anti-virus and firewalls, most often without any real idea of what these things are or what they do.

In fact, many of the people who have these products installed on their computer still open strange email attachments promising pictures of celebrities undressed, or some mysterious, unrequested information. So, what's driving this urge for self-destruction?

Zip no more
We've been watching the latest crop of viruses, including the MyDoom, Netsky, and Bagle virus families and it has caused a re-examination of some fundamental beliefs. Optimistic it may be, but we had always believed that if we, as information security professionals, could present one or two simple rules for security and explain why they matter, the average user could begin to recognise when someone is pulling their strings when they happily unleash viruses, or fall for some phishing scam. These latest viruses have eroded that belief.

Some of these mass-mailing viruses require that users:

open an email message

open a picture to determine a word used as a password

open a zip file

enter the password when prompted

and then run what is included in the zip file


The virus authors have people jumping through more hoops than a circus seal, and all for what, a glimpse of a naked celebrity?

Some commentators from the IT industry seem to enjoy malicious glee at pointing out how users almost have to work at getting infected by these viruses; in other words, they are morons. While we don't agree with the moron statement, it would be misleading to say that these users aren't aware of the potential risk. The media has picked up on many of the successful versions of these mass mailing viruses and written stories warning about opening attachments. In some cases, they will get infected multiple times and they will do it knowingly. If they aren't morons, and they know the risk of virus, then where does the problem lie?

Some of the blame for this latest crop of viruses does lay with us as security professionals. For years we have said that zip files are the safest and best way to transfer files. This is no longer the case. It is time to retreat, move the line of engagement with the viruses further back, and rethink the defence.

Technology can certainly help or hinder the process. MS-Windows' reliance on hidden file extensions to enable this behaviour combined with the ability to change the icons of files, certainly makes the process easier. How does a user differentiate between my_vacation.jpg and my_vacation.jpg.exe if they can't see the file extension? What rule can we give?

How can we change users' behaviour?
I believe the answer to this question is not technological. Reactionary systems like anti-virus certainly have their place, but a fast-spreading virus is often able to penetrate into organisations prior to signatures being made available - despite the speed that signatures are written and shipped by all the anti-virus firms.

Attachment filtering isn't the answer. We have slowly added more and more attachment types to the list to be blocked. In fact we are almost back at the point where plain text email is the only option to get through gateways. Six months ago, zip files were the most reliable way to get MS-Word documents, batch files, and other potentially harmful file types through filtering gateways. Zip files are now regarded as rats carrying the plague.

How about dumping SMTP mail all together? Won't that be a step in the right direction? After all, everyone knows that viruses don't spread through Web downloads, Peer-to-Peer file sharing systems, IM file transfers or IRC DCC connections. So much for the argument that the weakness is because SMTP was not designed for file transfer. PGP encryption would just prompt the user to type their passphrase; there is always a way to fool the punter. Changing the technology used won't stop people being conned, because any technology can be subverted if decisions are put in the hands of the end user. Fool the user, fool the technology.

Human nature and security: natural enemies?
Security is hard work. Human nature is to look for the shortest route between two points - with the minimum expenditure of effort. What's needed to address the virus menace is a fundamental sea change in peoples' attitudes to viruses. After all, you wouldn't leave your front door open when you went on holiday, would you? No, that would be stupid - you'd get burgled.

Only by making people realise that there are serious personal consequences of opening suspect attatchments can we seriously hope to address the issue. In the end, technology can't do it for them - it's the everyday user who must take the fight to the virus writers.

http://www.theregister.co.uk/content/55/36689.html

Offline Simon

  • Administrator
  • *****
  • Posts: 77923
  • First to score 7/7 in Quiz of The Week's News 2017
Re:Security: educating the unwashed masses
« Reply #1 on: March 31, 2004, 18:00 »
The amount of people I know with little or no protection is amazing.  Also amazing is that many of these people have been happily surfing for years, without even the sniff of a virus!  I have been slowly trying to educate the people I know, and the word is gradually spreading.  Each time I build a PC for someone, I stack it full of the usual defences we recommend, and leave specific, but simple instructions for updating, scanning, etc, and in most cases, people seem to be getting the message.
Many thanks to all our members, who have made PC Pals such an outstanding success!   :thumb:

Offline TR

  • Forum Fanatic
  • ******
  • Posts: 7149
Re:Security: educating the unwashed masses
« Reply #2 on: March 31, 2004, 18:21 »
I really must get Glasses.. I thought the headline was  :D


Serenity educating the unwashed masses  ;D

On a more serious note, anybody that runs a PC with out any protection needs there head examining  ::)


Show unread posts since last visit.
Sponsor for PC Pals Forum