Simple advice can be hard to take

img_2011-05-20_Krebs-On-Security

IDENTITY | SECURITY

Brian Krebs did a good post recently entitled: 3 Basic Rules for Online Safety. The summary is:

     1) If you didn't go looking for it, don't install it. 
     2) If you installed it, update it. 
     3) If you no longer need it, remove it. 

This is good advice from Krebs (@briankrebs). He's boiled it down to three main things and stated them simply. And as he says, if you follow them, you "will blunt the majority of malicious threats out there today.”

Still, even when we think we’ve put the Rules into practice, things can get tricky fast -- especially for users who just use the computer as a tool and don't care too much about the details (that's most people).

How we behave online is an extension of how we behave in the physical world. We are by nature both opportunistic and fearful, and we react reflexively when we see things that trigger these instincts (like 10-cent Lady Gaga ringtones, or a warning that our machine has been corrupted). As hackers learn how we assess a situation, they adapt their approach to lead us down the wrong path.

If we take one of the recent Mac malware attacks as a canonical example of a modern exploit, it's easy to see how the average user can get owned.

First, it uses search engine poisoning to kickstart the process. In other words, it doesn't require the user to be in a shady part of the Internet -- just to be searching (albeit for obscure terms) on Google. And to make entrapment even easier, the hackers have now adapted their bait to show up as an eye-catching Facebook link as well. Secondly, it uses lookalike Mac system alerts to gain confidence and trust. Here’s a video by @edbott that shows the 3-click, no-password process that lets the malware in.

If you follow Krebs' advice to a tee, you'd probably be OK. In fact, Rule #1 alone should stop you clicking OK to the first fake system warning. But users don't always see things so clearly, and perhaps it's easy to understand why:

We place a higher level of trust in dialog boxes and instructions from our system (Mac or Windows), and it is often in our interest to take action when we see system notifications. The Mac Software Update window is a classic example. While we may not have gone looking for something to install (as per Kreb's Rule #1) we are accustomed and expected to react when we see services trying to help us -- especially those purporting to be from our system and prompting us to scan or update our software (as per Rule #2).

To make things more confusing, the software management process is inconsistent. For instance, pre-installed software (like the OS or native browser) is updated via a centralized system utility, whereas an application installed subsequently might have it's own application-specific updater. Suddenly there's more UI and process variability for users to contend with as they are legitimately toggled between system and application level prompts, thereby losing track of what should appear where.

A great illustration of how this confusion can work against users is malware that displays a fake system window within a browser (see picture). In this case it happens to be the My Computer window running as a web page inside Internet Explorer (there is a Firefox equivalent). Hackers are doing more work to identify the user-agent string from the browser and deliver system-specific scams because they know that most users don't parse through the details of where and how things are displayed.

Fundamentally, this is all paint-dryingly boring for most people and hackers know and capitalize on this. In the realm of exploits, the Mac Guard effort is admittedly pretty weak; the initial message is poorly worded and the Security Center logo is quite frankly lame. But it doesn't need to be more sophisticated than this to trip up the typical non-interested user. By bypassing password requirements and making use of passable system dialogs, it succeeds in gaining trust.

The tech blogs are littered with comments from tech-savvy readers blaming users for being lazy or stupid and not understanding how their computer works. I even saw one that said people shouldn't be allowed to use a computer without some level of system education! All nice rhetoric for blog comments, but pretty unhelpful. I wonder how sympathetic we’d be to lenders saying the same of consumers who can't comprehend the jargon-filled fine print on their mortgages.

As people who understand security, we have to put ourselves in the shoes of people who don't care as much as we do. That means designing security systems that are not only hard to mimic, but also inform users in simple and intuitive ways. Until we do that, the hackers will continue to wreak havoc online regardless of how simple and effective the rules are.

Ramesh Rajagopal - Ramesh is Co-Founder and President of Authentic8. Before, he was VP Corporate Development at Postini, heading up strategic planning and business development until its acquisition by Google in 2007.

Topics: Identity, Security