Security: educating the unwashed masses

Users, not technology, must lead anti-virus war

  • alert
  • submit to reddit

SANS - Survey on application security programs

If you ask the average Internet user about security for their computer, and they either look blankly at you, or mumble something about anti-virus and firewalls, most often without any real idea of what these things are or what they do.

In fact, many of the people who have these products installed on their computer still open strange email attachments promising pictures of celebrities undressed, or some mysterious, unrequested information. So, what's driving this urge for self-destruction?

Zip no more

We've been watching the latest crop of viruses, including the MyDoom, Netsky, and Bagle virus families and it has caused a re-examination of some fundamental beliefs. Optimistic it may be, but we had always believed that if we, as information security professionals, could present one or two simple rules for security and explain why they matter, the average user could begin to recognise when someone is pulling their strings when they happily unleash viruses, or fall for some phishing scam. These latest viruses have eroded that belief.

Some of these mass-mailing viruses require that users:

  1. open an email message

  2. open a picture to determine a word used as a password

  3. open a zip file

  4. enter the password when prompted

  5. and then run what is included in the zip file

The virus authors have people jumping through more hoops than a circus seal, and all for what, a glimpse of a naked celebrity?

Some commentators from the IT industry seem to enjoy malicious glee at pointing out how users almost have to work at getting infected by these viruses; in other words, they are morons. While we don't agree with the moron statement, it would be misleading to say that these users aren't aware of the potential risk. The media has picked up on many of the successful versions of these mass mailing viruses and written stories warning about opening attachments. In some cases, they will get infected multiple times and they will do it knowingly. If they aren't morons, and they know the risk of virus, then where does the problem lie?

Some of the blame for this latest crop of viruses does lay with us as security professionals. For years we have said that zip files are the safest and best way to transfer files. This is no longer the case. It is time to retreat, move the line of engagement with the viruses further back, and rethink the defence.

Technology can certainly help or hinder the process. MS-Windows' reliance on hidden file extensions to enable this behaviour combined with the ability to change the icons of files, certainly makes the process easier. How does a user differentiate between my_vacation.jpg and my_vacation.jpg.exe if they can't see the file extension? What rule can we give?

How can we change users' behaviour?
I believe the answer to this question is not technological. Reactionary systems like anti-virus certainly have their place, but a fast-spreading virus is often able to penetrate into organisations prior to signatures being made available - despite the speed that signatures are written and shipped by all the anti-virus firms.

Attachment filtering isn't the answer. We have slowly added more and more attachment types to the list to be blocked. In fact we are almost back at the point where plain text email is the only option to get through gateways. Six months ago, zip files were the most reliable way to get MS-Word documents, batch files, and other potentially harmful file types through filtering gateways. Zip files are now regarded as rats carrying the plague.

How about dumping SMTP mail all together? Won't that be a step in the right direction? After all, everyone knows that viruses don't spread through Web downloads, Peer-to-Peer file sharing systems, IM file transfers or IRC DCC connections. So much for the argument that the weakness is because SMTP was not designed for file transfer. PGP encryption would just prompt the user to type their passphrase; there is always a way to fool the punter. Changing the technology used won't stop people being conned, because any technology can be subverted if decisions are put in the hands of the end user. Fool the user, fool the technology.

Human nature and security: natural enemies?
Security is hard work. Human nature is to look for the shortest route between two points - with the minimum expenditure of effort. What's needed to address the virus menace is a fundamental sea change in peoples' attitudes to viruses. After all, you wouldn't leave your front door open when you went on holiday, would you? No, that would be stupid - you'd get burgled.

Only by making people realise that there are serious personal consequences of opening suspect attatchments can we seriously hope to address the issue. In the end, technology can't do it for them - it's the everyday user who must take the fight to the virus writers.

Copyright © 2004, 0

Daniel Hanson manages the Focus Incidents area of SecurityFocus as well as the Incidents mailing list.

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story


Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.