Friday, December 28, 2007

what average users need to know

i read a very interesting post about average users and how they only care about usability to the exclusion of security and it got me thinking...

i think one of the main reasons people focus so much on usability and so little on security is because the threat is too abstract... they've heard of viruses (and so probably use anti-virus software, though probably don't update it) but the current threat landscape (as opposed to the one from 20 years ago that they are more familiar with) is too disconnected from the average person's day to day reality for them to comprehend the need for the security measures we more security conscious folks keep advising...

this is a problem, especially for those who advocate safe hex, so how do we address it?

one avenue we should probably consider is describing what threat a particular safe hex practice is meant to counter - but that only connects the security measure with the threat, it doesn't actually make the threat itself seem any more real or any more like something the user actually needs to worry about...

i think users might benefit from knowing what they have that attackers would want as well as what lengths attackers are willing to go to in order to get those things... what attackers would want from average users isn't a difficult list to compile (it may not be complete, but it certainly gets the point across):
  • money
  • credit card numbers for getting money
  • personal identification information for getting new credit cards in your name so as to get money
  • user names and passwords for financial institutions like banks or paypal so as to get money
  • user names and passwords for any other site because you might be one of those people who uses the same user name and password everywhere and if so they can use that to get money
  • cpu cycles, storage space, and bandwidth for attacking others, usually to get money from them
  • fame and various other social rewards (though these are older goals that are much less relevant nowadays)
obviously the major goal is to get money and the more money the attackers get, the more they can invest on developing more effective and sophisticated attacks that reach even more people...

what attackers are willing to do to get what they want isn't too hard to list either:
  • trick you (via social engineering) or your computer (via exploits) into installing malware to steal your credit card number, passwords, or any other information they can use
  • trick you (phishing) or your computer (pharming) into believing a fake bank/paypal/whatever website is the real one so as to steal your account details or trick you into buying fictional goods - ultimately to steal your money
  • trick you or your computer into installing malware to show unwanted advertisements (adware)
  • trick you or your computer into installing malware that makes your data inaccessible until you pay a ransom
  • trick you or your computer into installing malware to give the attacker enough access to your computer (generally making it part of a botnet) in order to use it to attack others (by trying to overload legitimate sites, hosting fake and/or exploit laden sites, sending junk mail, sending malware or links to malware sites, etc)
  • trick administrators or systems at legitimate (and in some cases very popular) sites to host exploits for tricking the computers of visitors to those sites
  • plant malware on or construct malware that can spread itself to removable media (floppy disks, cd's, dvd's, flash media, or basically anything with memory that you can plug into your computer)
and of course, the bad guys are willing to launch their attacks on average users on a wide scale so as to reach as many potential victims as possible... encounters with such attacks are not isolated incidents, there are very few computer users out there who haven't been a victim in some way at least once...

ultimately the average user needs to be made to understand that a computer is not an appliance that just does what they want it to (nor can it be), but rather it's a tool that can allow many people to do many things and not all people want to do good things... if they have stuff (money, personally identifiable information, data, etc) they want to keep safe then they need to care about security...

2 comments:

Unknown said...

Another amazing post that I fully agree with.

I like how all the things attackers want to do start with or heavily involve "trick you/someone..."

I think it is important in regards to home users to remember they really don't understand the abstract threats and how easy they can happen. And how so many people are just not technically proficient enough. I like to use the VCR/DVD player flashing clock as an example. So many people don't even take the effort to figure out how to fix their clock after a power outage. Sure, it might not be that important, but almost everyone I've known who has a flashing clock (including myself at times) will firstly respond with, "well, I can't figure the durn thing out..."

kurt wismer said...

"I think it is important in regards to home users to remember they really don't understand the abstract threats and how easy they can happen."

i think you're right... so the question then becomes how do we change that or at least how do we approach changing that?

"Sure, it might not be that important, but almost everyone I've known who has a flashing clock (including myself at times) will firstly respond with, "well, I can't figure the durn thing out...""

hmmm... maybe i'm just a consummate problem solver but my first reaction is more along the lines of "ok, how do i fix this?" and then i generally start pressing buttons... i hate admitting that i can't figure something out 'cause that means i have to stoop to reading the destructions...

in fact, back in my bbs days i recall an online game that pitted the user against a vcr whose buttons had been randomized - i generally did pretty well against it...