Security: educating the unwashed masses

If you ask the average Internet user about security for their computer, and they either look blankly at you, or mumble something about anti-virus and firewalls, most often without any real idea of what these things are or what they do.

In fact, many of the people who have these products installed on their computer still open strange email attachments promising pictures of celebrities undressed, or some mysterious, unrequested information. So, what's driving this urge for self-destruction?

Zip no more

We've been watching the latest crop of viruses, including the MyDoom, Netsky, and Bagle virus families and it has caused a re-examination of some fundamental beliefs. Optimistic it may be, but we had always believed that if we, as information security professionals, could present one or two simple rules for security and explain why they matter, the average user could begin to recognise when someone is pulling their strings when they happily unleash viruses, or fall for some phishing scam. These latest viruses have eroded that belief.

Some of these mass-mailing viruses require that users:

1. open an email message
2. 
   
3. open a picture to determine a word used as a password
4. 
   
5. open a zip file
6. 
   
7. enter the password when prompted
8. 
   
9. and then run what is included in the zip file

The virus authors have people jumping through more hoops than a circus seal, and all for what, a glimpse of a naked celebrity?

Some commentators from the IT industry seem to enjoy malicious glee at pointing out how users almost have to work at getting infected by these viruses; in other words, they are morons. While we don't agree with the moron statement, it would be misleading to say that these users aren't aware of the potential risk. The media has picked up on many of the successful versions of these mass mailing viruses and written stories warning about opening attachments. In some cases, they will get infected multiple times and they will do it knowingly. If they aren't morons, and they know the risk of virus, then where does the problem lie?

Some of the blame for this latest crop of viruses does lay with us as security professionals. For years we have said that zip files are the safest and best way to transfer files. This is no longer the case. It is time to retreat, move the line of engagement with the viruses further back, and rethink the defence.

Technology can certainly help or hinder the process. MS-Windows' reliance on hidden file extensions to enable this behaviour combined with the ability to change the icons of files, certainly makes the process easier. How does a user differentiate between my_vacation.jpg and my_vacation.jpg.exe if they can't see the file extension? What rule can we give?

How can we change users' behaviour?
I believe the answer to this question is not technological. Reactionary systems like anti-virus certainly have their place, but a fast-spreading virus is often able to penetrate into organisations prior to signatures being made available - despite the speed that signatures are written and shipped by all the anti-virus firms.

Attachment filtering isn't the answer. We have slowly added more and more attachment types to the list to be blocked. In fact we are almost back at the point where plain text email is the only option to get through gateways. Six months ago, zip files were the most reliable way to get MS-Word documents, batch files, and other potentially harmful file types through filtering gateways. Zip files are now regarded as rats carrying the plague.

How about dumping SMTP mail all together? Won't that be a step in the right direction? After all, everyone knows that viruses don't spread through Web downloads, Peer-to-Peer file sharing systems, IM file transfers or IRC DCC connections. So much for the argument that the weakness is because SMTP was not designed for file transfer. PGP encryption would just prompt the user to type their passphrase; there is always a way to fool the punter. Changing the technology used won't stop people being conned, because any technology can be subverted if decisions are put in the hands of the end user. Fool the user, fool the technology.

Human nature and security: natural enemies?
Security is hard work. Human nature is to look for the shortest route between two points - with the minimum expenditure of effort. What's needed to address the virus menace is a fundamental sea change in peoples' attitudes to viruses. After all, you wouldn't leave your front door open when you went on holiday, would you? No, that would be stupid - you'd get burgled.

Only by making people realise that there are serious personal consequences of opening suspect attatchments can we seriously hope to address the issue. In the end, technology can't do it for them - it's the everyday user who must take the fight to the virus writers.

Copyright © 2004,

Daniel Hanson manages the Focus Incidents area of SecurityFocus as well as the Incidents mailing list.