Users are often called the weakest link in computer security. They can't select secure passwords, and they write down passwords and give them out to strangers in exchange for treats. They use old or outdated security software, can't spell the word "phishing," and click on all links that arrive in e-mail or instant messages, and all that appear on the Web.
That's the reality, Stefan Gorling, a doctoral student at the Royal Institute of Technology in Stockholm, Sweden, said in a talk at the Virus Bulletin conference here Wednesday.
When things go wrong, users call help desks, either at their company or at a technology supplier, such as a PC maker, software maker, or an Internet access provider, which can cost a fortune. The solution, many technologists say, is to educate the user about online threats. But that doesn't work and is the wrong approach, Gorling said.
"Might it be so that we use the term and concept of user education as a way to cover up our failure?" he asked a crowd of security professionals. "Is it not somewhat telling them to do our job? To make them be a part of the IT organization and do the things that we are bound to do as a specialized organization?"
In Gorling's view, the answer to those questions is yes. In corporations in particular the security task belongs with IT departments, not users, he argued. Just as accounting departments deal with financial statements and expense reports, IT departments deal with computer security, he said. Users should worry about their jobs, not security, he said.
It isn't productive, for example, to ask users to detect e-mails that seek to con them into giving up personal e-mail, he said. "Phishing is too hard to detect, even for experts."
And even if people can be trained, they can't be trusted to be on guard all the time, he said.
"I don't believe user education will solve problems with security because security will always be a secondary goal for users," Gorling said. "In order for security to work, it must be embedded in the process. It must be designed so that it does not conflict with the users' primary goal. It can't work if it interferes."
Some examples of built-in security mentioned at Virus Bulletin include a phishing shield in Web browsers, virus filtering in e-mail services and programs, and protection as part of instant messaging services such as Microsoft's Windows Live Messenger.
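The "embedded in the process" idea in practice: rather than asking a user to hover over every link, a mail gateway or client can compare a link's visible text with its real destination and flag the mismatch before the message reaches the inbox. The Python below is an added example, not code from the article or from any product mentioned in it. The HTML message is constructed here for illustration, and the two-label `registrable_domain` helper is a deliberate simplification (a production filter would consult the public-suffix list instead).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Something that looks like a host name or URL inside the link's visible text.
_HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)


def registrable_domain(host):
    """Simplified: the last two DNS labels. Assumption for this example only;
    real code should use the public-suffix list (e.g. 'co.uk' has three)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def find_deceptive_links(html):
    """Return findings for links whose visible text names one domain
    while the href actually points at another."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = urlparse(href)
        if target.scheme not in ("http", "https") or not target.hostname:
            continue  # mailto:, javascript:, relative links: out of scope here
        match = _HOST_IN_TEXT.search(text)
        if not match:
            continue  # plain labels such as "click here" give nothing to compare
        shown = registrable_domain(match.group(1))
        actual = registrable_domain(target.hostname)
        if shown != actual:
            findings.append({
                "text": text,
                "href": href,
                "shown_domain": shown,
                "actual_domain": actual,
            })
    return findings


# Constructed sample message: one honest link, one mismatched link, one plain label.
SAMPLE_MAIL = """
<p>Dear customer,</p>
<p>Visit <a href="https://www.example-bank.com/login">www.example-bank.com</a>
to review your statement, or confirm your details at
<a href="http://login.example-bank.com.attacker.example/x">https://www.example-bank.com/secure</a>.</p>
<p><a href="https://www.example-bank.com/help">Click here</a> for help.</p>
"""

if __name__ == "__main__":
    for finding in find_deceptive_links(SAMPLE_MAIL):
        print("mismatch:", finding["shown_domain"], "->", finding["actual_domain"])
```

The check is deliberately conservative: only links whose text itself claims a domain are compared, so ordinary "click here" links produce no noise. A gateway that runs this on inbound mail can rewrite or quarantine the flagged link, which is exactly the kind of protection the article argues should live in the process rather than in the user's head.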
d@mn about security. They ignore policies and procedures and
expect the I.T. department to bail them out when they screw
things up - and so do their managers.
Over the years we have developed policies to protect users
from themselves. On our Windows machines we lock IE on high
security, no cookies, etc. and install Mozilla. Windows users are
not allowed to send/receive over 40 types of file attachments.
And many are not allowed any access to the Internet. And from
the looks of things we are going to have to tighten up on them
even more.
The handful of users that actually try to do things correctly are
treasured by our I.T. staff and are rewarded with more frequent
hardware updates, and whatever other perks we can give them.
It's too bad we haven't been able to talk management into
switching all our desktops to Macs. The departments that use
them are never a problem - regardless of the attitude of their
users.
Without cookies and IE security set at a minimum, our multi-million dollar corporate ERP will not work at all.
Without file attachments we can't share information with our vendors and outsourced services. Today I got an internal email with an embedded image (Word doc converted to image) and an attached Word doc with a calendar-macro executable embedded, and when asked why would you do that, I got "Oh, we have a cool software thing that we purchased that does that automatically for us... isn't it cool?" (That happens when you lock those departments down really tight, to the point that they hire their own IT professional to learn how to work around your defences.)
If you don't have internet access, how do you look up what raison d'etre means? Or translate the service request sent in Spanish? Try asking a research professional to only use Lexus Nexus and a printed copy of a newspaper to do his job; it just doesn't work anymore here.
And that is why we have so little time for other things.
Computer and Internet Sucks....
Founder
www.searchsucker.com
Talk about a hypocrite - writing anger about the Internet, over the Internet. =;o) Tee hee. =xoD
One item did strike me as incorrect: "Phishing is too hard to detect, even for experts." I don't necessarily agree with that. It's typically pretty easy to hover over a link and see from the URL that it's phishy. Seeing a ".kr" or ".ro" as a TLD is a pretty easy hint to pick up on.
We tell them to open up any and all e-mail that they receive and we'll deal with the consequences.
Go to any Web site you want and click on any old damn thing you want and we'll pick up the pieces.
Might as well tell them that they should go home and open their door to anyone who wants to come in, or better yet, just don't lock your door.
Then let the police handle the crime that ensues...right?
Nonsense!
Just give Users 2 simple rules...
1. Don't go to Web Sites that aren't job-related.
2. Don't open e-mails you don't recognize.
Period.
IT protects them from the big stuff.
They have to protect them from themselves.
Doctors go to schools before they are allowed to operate. I wouldn't expect the maker of the surgical equipment to tell the doctors how to operate- hey doc, don't forget to suture up that artery or they may bleed to death.
User education would eliminate most of the problems with computers today. It won't happen, but we can all dream.
exchange for treats"
what the hell does that mean? when has anyone ever witnessed
this?
is not about users giving away their passwords to strangers.
Kevin Mitnick performed some of his most famous hacks not
through his computer skills, but rather through "social
engineering". In other words he conned people into giving him
passwords, modem phone numbers, etc.
I've called users at remote sites who didn't know me, asked them
for their passwords to "check out their computers" and had them
give them to me without question.
I didn't even need "treats".
Users pick poor passwords, then write them down on paper or a Post-it. The paper gets handed to someone next to them or someone who schmoozes them well over the phone (you crazy phreaks, you). Post-its get left on the monitor of the machine, where a would-be criminal simply reads them as they log in.
The allusion is to public announcement ads from years ago about talking to your kids about strangers. Don't talk to strangers, don't take candy from strangers.
Now the adults (in computer terms) are finally reaching the point where they are meeting strangers, and the first thing they do is answer back and look for opportunities to hand out their passwords and information.
Needless to say, it didn't go over too well with the security folks at that establishment.
This is a wickedly common tactic for a Trojan horse. Of course, if you can get that in there, why bother getting just one password? You can get them all! =xoD
throughout my experience in desktop support.
People use computers to do a task. These people already have a
job, or profession, that they are well trained to do. They should
not be overly burdened with
the enormous, convoluted facets of security! That's for IT
professionals, but more importantly *software vendors* to take
responsibility for!
In what other business are customers BLAMED for merely using a
product for a task while the product becomes damaged just by
using it?
fast, easy, secure - pick any two.
Anything that gets in the way of the user experience will
eventually be circumvented. As such security has to be easy and
intuitive to use, it can't noticeably impact the user experience, and
it has to be truly secure. The user can't be given the option of
easily disabling the security features. If the user can disable or
circumvent the features it should either result in a locked down
system or a significantly crippled level of functionality.
Education is not pointless, it's essential. The people who refuse to be educated will be the people who get run down in the middle of the intersection.
The stupid computer ate my hard drive! (after visiting six questionable sites and clicking on every link that got emailed to me)
Oh that's right, it is part of my job to travel to work. Just like it is part of my job to follow the policies laid out for computer usage, plain and simple.
The user does not need that level of detail, but they need to accept some responsibility and at least get a basic understanding of what they are doing.
To absolve the user of all responsibility is like telling them "it's OK, you needn't lock your car, that's for someone else to worry about," then being surprised when they are angry that their car got stolen.
But then, people in general need to stop repeating a few key phrases: I Know My Rights, Someone Else Is to Blame, and I'm a Victim.
Most viruses spread because someone clicked on a link "See stupid pictures of your boss naked" or something. It's not terribly difficult to educate people about this sort of thing and I certainly wouldn't blame an IT department for it.
include security. That goes for everything from a convoy mission to
operating a computer. It's not too much to ask computer users to be
more aware of security risks when operating a computer. The
problem is the users don't have the right motivation to learn what
security risks are. The correct motivation would be after a few
security classes fire a few people who break the rules, let it be
known why they were fired, and your other employees will start
paying attention to security more.
However, at worst, user training won't hurt; at best, it will help.
Of course you need to educate the end user. If they didn't do something stupid (because of ignorance) and wreck their system, then there would be a great reduction in these situations.
EVERY successful scam, whether or not it is Internet related, relies on people making bad decisions. One scam researcher once posed as a district manager who "showed up unannounced in order to investigate a cash drawer shortage that store had been having over the past week." He walked out with the filled cash drawers from several of the registers. Now, should that store's security have spent time training every new employee what to do if someone claiming to be a district manager shows up and wants to count the drawer, or should the guy manning the camera have been smarter and more alert about a stranger poking his fingers in the drawers without the store manager being present at the register?
Here's a fictional scenario of an "ideal Trojan" using every black-hat technique I've heard of to date - including anti-forensics:
2:00PM PST, Second Tuesday "of da Month": A hailstorm of patches is released.
3:00PM PST - "The Second Hour:" One zero-day vulnerability is publicly released and will become known within a day or two - 3 more will be used by custom-made Trojan horses for quite some time before being discovered.
8:00PM PST: Brand X, Inc.'s system administrators (understandably) see system utilization fall to a reasonable enough level to justify rebooting 2,000 PCs.
9:00AM PST, the Friday after Patch Tuesday: A user at Brand X receives an email with a custom-written Trojan horse, using one of the three unknown holes. Being custom-written, the mail gateways miss it in their virus screening.
9:00AM and 1 second: The user opens that file.
9:05AM: The Trojan horse contained a worm, and has spread to hundreds of machines in Brand X, Inc., including machines used by those with highly sensitive information - the target, which was the reason this Trojan was commissioned in the first place (by someone in Brand Y, Inc.)
11:00AM: The Trojan has gathered enough proprietary information to bring Brand X to its knees. It compresses and encrypts this info, uses a botnet to hide the destination, and sends the info to the writer.
5:00PM: The virus writer shows the results to the guy in Brand Y who commissioned the Trojan. They come to the consensus that it's plenty.
6:00PM: The virus writer issues a command to the copy of the Trojan which "phoned home" - decrypted and translated into plain English, it means, "Mission accomplished: Initiate self-destruct."
6:00PM and 30 seconds: Another cascade through the network is well underway, as the "self-destruct" command propagates. When copies receive the command, they uninstall themselves and run a Gutmann-style shred on their files and traces, making later forensic analysis difficult, if not impossible.
6:10PM: 60% of all evidence destroyed.
6:30PM: 95% of all evidence destroyed.
6:45PM: All copies are uninstalled and wiped - almost 100% of all the evidence is destroyed.
7:00PM: Brand X's IT staff is none the wiser!
I have tried to motivate and even threaten users to behave and pay attention to security. Not a chance.. They just didn't care.
I tried restricting internet access. This was hell FOR ME. Maintaining the list of allowed sites was just too much.
Now I have something that seems to work.
Everybody has unrestricted access to the internet and email. But.... If a computer is infected by malware, the user responsible for the infection is put on a diet of restricted internet access for a month and a copy of every email received or sent by this person is automatically sent to management. After a month this person may file a request to have the sanctions lifted...
Now they have a self interest in security and I have had virtually no 'malware incidents' any more.
You're lucky you had or are management who could put such policy into practice.
This doesn't require becoming a security expert and is a very simple instruction. Why is it every computer I have to fix had software downloaded from the internet and installed on the computer?
So, as an IT professional, I am not interested in calculating a budget, which is a function of accounting. I JUST WANT TO DO MY JOB!
Is this justification enough for my errant budget submission to the fiscal plans of C-Level Executives? Can I still expect to receive copious quantities of cash to batten down the hatches for the hairless apes that occupy my cube farm?
Give your head a shake, we can all stand the noise! Users must be prepared to exercise COMMON SENSE when crossing the road, and should exercise the same neural network when traversing the "Information Superhighway". IT should reduce and potentially eliminate the threats that it can with the money, tools and training allotted to it.
Cheers, and good luck with leading your untrained lemmings, Stefan Gorling. We will watch for you on the other side...
Mark
If you aren't using common sense or not willing to accept responsibility for your own actions, then you aren't responsible enough to be handed a butter knife without hurting yourself, let alone a networked computer.
By the way Stefan- the butter goes on top. I'm sorry that you buttered the bottom and then stuck it in your ear when you called Toast Support and complained that they hadn't configured the Butter for you in advance to avoid such a tragedy.
Because obviously a Mac will make all your security problems magically disappear as if Windows were the only security threat on the net.
Please look up "phishing" and post back here how a Mac will help guard my users against that.
But keep trying, keep saying it, maybe someone will listen some day and you'll get your macs.
Mac could be an option, but I'm a bit claustrophobic (I fear confined spaces...)
Users can be ignorant.
IT can be ignorant.
Accounting can be ignorant.
Management can be ignorant.
Corporate Executives can be ignorant.
Computer Salespeople can be ignorant.
Computing companies can be ignorant.
Design Engineers can be ignorant.
CNET news folks can be ignorant.
HP execs can be ignorant.
Government can be ignorant.
The industry has created this mess. The internet was not designed for its current use. The computer is still slow, and obsolete. The OS that runs on it is not superior, but inferior. The hardware is designed to be upgraded at a cost.
You want to blame the end user; instead you should blame the industry for allowing such exploits.
But you can't. A socially engineered system is based on the society that it mimics. One that is flawed will have flaws. So now, we put up walls both physical and virtual. Yet we still encourage the ignorance...
If this was an easy thing to do, it would already have been done. There is no doubt that once the cost of doing business in the online swamp gets high enough, and the risk of staying connected gets bad enough (getting there now...), a transition will HAVE to take place.
Until that time, SOMEONE must be responsible and accountable for the safety and security of systems. Both at a high level (IT) and at a granular level (user).
The user is provided various services from IT. One of these services is security. When IT attempts to protect users from themselves by creating policies in Windows through GPO objects, ACL's or what have you, they are most often met with thunderous disapproval and the "you're taking my what away? You can restrict my access when you can pry my keyboard from my cold, dead hand..." attitude.
Until the Internet is tamed and properly controlled, it should be treated with the caution and consideration one would give any hostile environment. If you can't control yourself, then you should lose the ability to enter that environment. If you can't do your job because you can't get access, because you can't control yourself, you should be fired.
Cheers!
Mark
1. Use some kind of anti-virus
2. Do not open email from unknown users and do not open any attachments whose source you are not aware of. This includes phishing scams. Always question anything you are not 100% sure of. Should I click this link, should I open this file, can you get it from the official web site, or maybe give a phone call to verify.
3. Unknown web sites. Why click on anything if you are not sure what you are looking at is trustworthy.
Never been slipped poison.
2. Antivirus
3. Firefox
4. Good Spam Filter.
OK so there should have been 5...... Windows Update Once in a while. (I generally do it about once every 6 months.)
I'm in the same boat. I had a single virus back on 3.11. Was called NYB. Nice boot sector virus. Since then nothing. For one reason...I use the above methodology when I work with my computer.
Users are stupid and that needs to be the starting point
by qwerty75 October 12, 2006 5:26 PM PDT
... for software developers.
also
by qwerty75 October 12, 2006 5:54 PM PDT
As another example of where developers drop the ball, look at the documentation that comes with XP. Next to no docs printed, the system help is rarely correct and the best docs are stupidly online, so if someone can't get their networking to function, they are SOL.
Most places do not do this and we are all paying the price.
There are many things you can do to protect your software from idiots and they aren't being done. Yes, you can't protect them from everything, but many things can be stopped before the end-user even gets close to your software.
Car makers spend billions to help protect their customers from their own and others' stupidity. Places like MS spend little, and what they do implement is half-assed at best. No, car makers can't stop stupidity and accidents, but they can reduce the damages caused by them and even prevent many accidents from happening.
The software industry as a whole (and MS specifically) needs to do this as well.
Buy a Linux distro and see what kind of documentation is normally available before you even install it. If you don't buy a retail box, the in-system documentation is absolutely outstanding.
It is funny how often free software beats the pants off the richest software corporation. Too bad MS has no ethics and only runs on marketing hype; maybe then the software world would be where it should be.
Of course, MS isn't the only offender, only the most flagrant.