Security: educating the unwashed masses

Users, not technology, must lead anti-virus war


If you ask the average Internet user about security for their computer, they either look blankly at you or mumble something about anti-virus and firewalls, most often without any real idea of what these things are or what they do.

In fact, many of the people who have these products installed on their computer still open strange email attachments promising pictures of celebrities undressed, or some mysterious, unrequested information. So, what's driving this urge for self-destruction?

Zip no more

We've been watching the latest crop of viruses, including the MyDoom, Netsky, and Bagle virus families, and it has caused a re-examination of some fundamental beliefs. Optimistic it may be, but we had always believed that if we, as information security professionals, could present one or two simple rules for security and explain why they matter, the average user could begin to recognise when someone was pulling their strings, rather than happily unleashing viruses or falling for some phishing scam. These latest viruses have eroded that belief.

Some of these mass-mailing viruses require that users:

  1. open an email message

  2. open a picture to determine a word used as a password

  3. open a zip file

  4. enter the password when prompted

  5. and then run what is included in the zip file

The virus authors have people jumping through more hoops than a circus seal, and all for what, a glimpse of a naked celebrity?

Some commentators from the IT industry seem to take malicious glee in pointing out how users almost have to work at getting infected by these viruses; in other words, they are morons. While we don't agree with the moron statement, it would be misleading to say that these users aren't aware of the potential risk. The media has picked up on many of the successful versions of these mass-mailing viruses and written stories warning about opening attachments. In some cases, users will get infected multiple times, and they will do it knowingly. If they aren't morons, and they know the risk of viruses, then where does the problem lie?

Some of the blame for this latest crop of viruses does lie with us as security professionals. For years we have said that zip files are the safest and best way to transfer files. This is no longer the case. It is time to retreat, move the line of engagement with the viruses further back, and rethink the defence.

Technology can certainly help or hinder the process. MS-Windows' default of hiding file extensions, combined with the ability to change the icon of a file, certainly makes the deception easier. How does a user differentiate between my_vacation.jpg and my_vacation.jpg.exe if they can't see the file extension? What rule can we give?
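As an added example, not part of the original article, here is the rule a mail gateway or client could apply to the my_vacation.jpg.exe trick above, extended to the members of a zip attachment from the five-step list earlier. The extension lists, the sample archive and its contents are constructed assumptions; the archive's encryption bit is flipped by hand only so the password-protected case can be exercised offline.

```python
import io
import struct
import zipfile

# Extensions Windows runs as programs; .bat covers the batch files the article mentions.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
# Extensions a user reads as harmless content and so will happily open.
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "txt", "doc", "pdf"}

def displayed_name(filename: str) -> str:
    """Approximate what Explorer shows with 'Hide extensions for known file types'
    on: the final, registered extension is dropped, so my_vacation.jpg.exe is
    listed as my_vacation.jpg. Only the two sets above count as 'known' here."""
    stem, dot, ext = filename.rpartition(".")
    return stem if dot and ext.lower() in EXECUTABLE_EXTS | DECOY_EXTS else filename

def is_disguised_executable(filename: str) -> bool:
    """True when the real extension is executable but the name the user sees ends
    in a decoy extension. A plain setup.exe is not flagged: the rule targets the
    deception, not executables as such."""
    parts = filename.strip().rstrip(". ").lower().split(".")  # Windows drops trailing dots/spaces
    if len(parts) < 3:  # need at least stem + decoy + real extension
        return False
    return parts[-1] in EXECUTABLE_EXTS and parts[-2] in DECOY_EXTS

def inspect_zip(data: bytes) -> dict:
    """Apply the same rule to archive members and report whether the archive is
    password-protected (general-purpose flag bit 0), which is what stops a gateway
    scanner from looking inside."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    return {
        "encrypted": any(i.flag_bits & 0x1 for i in infos),
        "disguised": [i.filename for i in infos if is_disguised_executable(i.filename)],
    }

def build_sample_zip(encrypted: bool) -> bytes:
    """Constructed fixture, not a real sample: a zip holding one disguised member.
    With encrypted=True the 'encrypted' bit is set in the central directory so
    readers report a password-protected archive; the bytes are not really encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("celebrity_photo.jpg.exe", b"placeholder bytes, not a program")
    data = bytearray(buf.getvalue())
    if encrypted:
        # EOCD record is the last 22 bytes (no comment written); the central directory
        # offset is at byte 16 of it, and each central directory header has its flags at +8.
        cd_offset = struct.unpack_from("<I", data, len(data) - 22 + 16)[0]
        data[cd_offset + 8] |= 0x1
    return bytes(data)
```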

How can we change users' behaviour?

I believe the answer to this question is not technological. Reactionary systems like anti-virus certainly have their place, but a fast-spreading virus is often able to penetrate organisations before signatures are made available - despite the speed at which signatures are written and shipped by all the anti-virus firms.

Attachment filtering isn't the answer. We have slowly added more and more attachment types to the list to be blocked. In fact we are almost back at the point where plain text email is the only option to get through gateways. Six months ago, zip files were the most reliable way to get MS-Word documents, batch files, and other potentially harmful file types through filtering gateways. Zip files are now regarded as rats carrying the plague.

How about dumping SMTP mail altogether? Won't that be a step in the right direction? After all, everyone knows that viruses don't spread through Web downloads, Peer-to-Peer file sharing systems, IM file transfers or IRC DCC connections. So much for the argument that the weakness is because SMTP was not designed for file transfer. PGP encryption would just prompt the user to type their passphrase; there is always a way to fool the punter. Changing the technology used won't stop people being conned, because any technology can be subverted if decisions are put in the hands of the end user. Fool the user, fool the technology.

Human nature and security: natural enemies?

Security is hard work. Human nature is to look for the shortest route between two points - with the minimum expenditure of effort. What's needed to address the virus menace is a fundamental sea change in people's attitudes to viruses. After all, you wouldn't leave your front door open when you went on holiday, would you? No, that would be stupid - you'd get burgled.

Only by making people realise that there are serious personal consequences of opening suspect attachments can we seriously hope to address the issue. In the end, technology can't do it for them - it's the everyday user who must take the fight to the virus writers.

Copyright © 2004

Daniel Hanson manages the Focus Incidents area of SecurityFocus as well as the Incidents mailing list.
