Most In US Have False Sense of Online Security

BaCa sends along a link from Net-Security on a study of attitudes among Americans about the security of their PCs, versus their actual vulnerability. "More than half of computer users who think they are protected against online threats like spyware, viruses, and hackers actually have inadequate or no online protection, according to an independent research study conducted for Verizon... While 92 percent of participants thought they were safe, the scans revealed that 59 percent were actually vulnerable to a variety of online dangers. Ninety-four percent of those surveyed said they would find it helpful to be able to diagnose or check their online security status on a regular basis to make sure their PCs were safe."

At least once a year...

[betterunixthanunix]

At least once a year, these results come out in yet another study. Perhaps we should declare a new holiday: False Sense of Security Day (and of course, False Sense of Security Eve, when a hacker in a Santa suit constructs an enormous botnet and takes down a few small mailservers with spam).

Re:At least once a year...

[iminplaya]

False Sense of Security Day

It would be on the anniversary of the signing of the patriot act.

So many political jokes to make about this...so little time to post them all

Re:At least once a year...

[secPM_MS]

This should be called the neverending story. Unfortunately, I think that name is already taken by a children's book. The query is a bit inappropriate. I am not safe simply if I have my AV and anti-malware SW installed and updated. I MAY be safer, but the AV and anti-malware SW can itself be a vulnerability.

Increasingly, the attacks are made at the application level, not the OS level. The OS can protect itself from a non-administrative user, but cannot be expected to protect itself from an administrative user who has been fooled into doing something inappropriate. The AV and anti-malware SW try to protect against known issues, but it is a best effort sort of thing.

If you are browsing, do you have javascript, java, flash, etc. enabled? If so, you have the neat functionality, but you are very vulnerable to compromise by hostile / compromised web servers.

If you are running as a normal (non-administrative) user such compromise can compromise anything you do. If you are running as an administrative user such a compromise can compromise your system (in Vista, you would have to OK the UAC prompt).

If you open .pdf attachements or pdf's on web sites, is your pdf reader fully updated? Exploitable security issues have been found routinely in certain pdf readers.

If you open Microsoft Office documents, is your Office software fully updated? Numerous attacks have been launched via such documents. Office 2007 has far fewer vulnerabilities than Office 2003. Note that using OpenOffice does not inherently protect you. The same type of vulnerabilities exist in OpenOffice.

If you have Apple's QuickTime, do you keep it updated? It has had large numbers of vulnerabilities.

Then we can go into the world of media and games, where many vulnerabilities exist and all too often the application in question is internet facing.

If you want ease of use, feature richness, and dynamic extensibility, you are not going to have a high level of "security / assurance". A web world of static HTML without any scripting and limited media is quite safe - but it is not what the customers want. A similarily restricted application functionality set can be made truly safe as well, but is not what customers want. Users feel comfortable and safe with what they routinely work with, even if this is inherently dangerous. This is as true for computer users as it is for industrial / research workers, who tend to get a bit casual about even truly dangerous issues (I used to be an industrial safety officer in research laboratories).

Re:At least once a year...

[vtcodger]

***If you are running as a normal (non-administrative) user such compromise can compromise anything you do. If you are running as an administrative user ...***

All the data that I actually care about compromising is in my user account so it's at risk no matter what. I suppose that I really should move my financial and other sensitive stuff to a different user account that never uses the internet. I don't know anyone who does that and I've never seen it in a list of security suggestions.

And I don't see anything that prevents my user account from being used in Denial Of Service attacks against external servers. Or that prevents my user account from attacking servers of any sort on my local PC or on the intranet. And what -- other than the fact that it's probably not necessary -- is to stop the virus maker from including a selection of privilege escalation exploits in his bundle of aggravation?

Overall, I think that the Don't_Run_As_Admin_And_You'll_Be_OK lot are another bunch of folks with a false sense of security. I'd fault them because unlike naive users, they should know better. (However, running as admin in a multiuser environment really does put other users at additional risk).

While we're talking about false sense of security, let's don't forget the smug Mac and Linux users. We don't need virus checkers. More accurate would be We don't need virus checkers yet. Both systems are built with the same flawed by design technologies used to build Windows. If we insist in coding in a language that permits buffer overflows, we are probably going to have buffer overflows. Same for many other attacks on sloppy/incomplete/nonexistent legality checking, etc. Carbon/Cocoa/Linux are by no means immune from these problems even if there are few current attacks.

I also strongly suspect that the biggest current positive factor preventing a total PC security meltdown is the use of NAT routing which strongly discourages unsolicited attacks on non-server PCs. What's going to happen when/if ipv6 comes along and NAT routing goes away?

Re:At least once a year...

[secPM_MS]

If you are using your machine as a single user system you are clearly right. The data you care about is in your user account. It is easier to clean up a user-space compromise than an administrator compromise, where you probably have to flatten the system and rebuild.

I have kids who use my systems. They run under normal accounts (The biggest security advantage of Vista is that normal accounts run well, unlike XP) and hence can mess up their own accounts, but are not so likely to mess up my account.

User accounts can perform DOS's and network attacks against other systems every bit as easily as administrator accounts, but it is easier for administrative tools to monitor the behavior of user accounts than it is for these tools to monitor the action of things running as system.

Verizon + online bank security

[UbuntuDupe]

I don't know how good Verizon is at online bank security. I mean ... how safe can you be when you look at your bank account and can't distinguish .02 dollars and .02 cents?

*ducks*

Old news

[Billosaur]

It's not like this hasn't been noted before: PEBKAC Still Plagues PC Security. Your average user firmly believes what they are told by "experts" or the guy who sells them the computer. They are not web-savvy and don't dig into the background on computer security. They think that all they have to do is run their spyware remover and update their anti-virus and their fine. Heck, too many don't even know they have such utilities, and if the do know, aren't actually aware if they are running or not!

Computer security must be taken out of the hands of the user where the user is likely to not have a clue how it works.

Re:Old news

[ByOhTek]

Computer security must be taken out of the hands of the user where the user is likely to not have a clue how it works.

But then you have the problems of

(a) who do they trust to do it. Part of the reason for this problem is that the user is too trusting, and will download/run anything properly "padded" with the right context. What's to keep them from trusting Joes Bot Shop for their security?

(b) when they do need something setup/installed quickly, it could be problematic for them to wait for the person/people in charge of security.

(c) the extra cost if they don't have family/friends who are sufficiently competant and have the time?

While taking it out of their hands might be a good idea, it might also not be feasable.

Re:Old news

[Bert64]

Spyware removal is flawed, the focus should be on preventing it getting there in the first place.
Same with viruses.

The big problem is that people believe the hype..
"Windows $version is the most secure windows ever!"
"$program makes your machine secure"
Rather than being vigilant, they believe the hype around some product claiming to take away all the security risks.

End users really need managed workstations, managed by people who know what they're doing.
Or perhaps kiosk style systems for browsing, booted from non writable media, perhaps with a writable memory card to store your personal settings (with no ability to execute anything on the memory card).

Someone should do that, create a standard for a bootable CD/DVD, which loads settings from a removable media device (usb stick, memory card etc) but strictly prevents any code being executed (mount the removable device noexec?).

Re:Old news

[ByOhTek]

except most good antiviruses/antispyware checks for incoming stuff, not just what is already there. So it can still be useful.

Not as useful as a good sense of paranoia, but quite useful.

Re:Old news

[Frosty+Piss]

Your average user firmly believes what they are told by "experts" or the guy who sells them the computer. They are not web-savvy and don't dig into the background on computer security. They think that all they have to do is run their spyware remover and update their anti-virus and their fine.

And why shouldn't they? Honestly, "average users" shouldn't have to be computer security experts. Average users use computers to play or do productivity tasks unrelated to software development and computer science. The fact is, the average user shouldn't have to be "computer savvy" and running spyware cleaners should do just that. Blaming "average users" for the fact that such dangers exist is missing the point.

Re:Old news

[Cro+Magnon]

Exactly. As if removing the spyware also went back in time and actually prevented the spyware from HAVING SPIED on you already!

That's why you need a Mac. It has a Time Machine.

Re:Old news

[PitaBred]

Make home directories non-executable, and set up the profiles to only get their startup config from a location other than the home directory, one that's protected from user writing? It wouldn't be that hard.

Re:Old news

[ByOhTek]

and you immediately lose a lot of the flexibility a user would want on their home system, for example - to add a program they find they need.

If I'm working on my system and I find I don't have an advanced photo editor that I want/need, I could not install it on my system with what you described, UNLESS there was a way around the unwriteable execution directories - and in that case the hackers could get around that too.

Re:Old news

[Billosaur]

That's my point. Security should be something that is taken out of the hands of the average user. They shouldn't be expected to become security experts. They should be taught how to be a little more web-savvy. I hear a commercial all the time on the radio in NYC for CyberStreetSmart.org, which is run by the New York Public Interest Research Group (NYPIRG), trying to do just that. The commercial is compelling because they say (paraphrasing) "If someone came up to you on the street and said they had a million dollars to give you and all you had to do is give them $1000 to get it, you'd laugh at them, but on-line, most people don't think twice." That's why security has to be built-in rather than added-on: the average user has been sold the idea that the Internet is magic. They don't apply the same rules to information there that they would to things that happen to them directly.

Completely content-free

[$RANDOMLUSER]

* Spyware Protection: When asked how safe they felt their home PC was from spyware, 92 percent of respondents felt "safe" or "somewhat safe." In contrast, the Verizon Security Advisor scan revealed that the majority (58 percent) were "at risk" or "potential risk" from spyware infection. Nineteen percent were critically "at risk" from spyware infection.
* Virus Protection: When asked how safe they felt their home PC was from viruses, 92 percent of respondents felt "very safe" or "somewhat safe," whereas the Verizon Security Advisor scan revealed that 45 percent were "at risk" or "potential risk" from virus infection.
* Firewall Protection: Nineteen percent of respondents had their personal firewall turned off.

Please define "at risk", "potential risk", "critically at risk".
And by "personal firewall" do you mean that POS built into XP, or the POS from Symantec? Or do you mean the router firewall?

I have absolute faith

[ackthpt]

this missive is stored on a secure server.

My name is Milo T. Farnsworth, D.O.B 27/07/1974 My Switch number is 3975-4438-0098-2310, expry 04/09

Please take care of this, I will be on an extended trip for the next 2 months, during which I will require great use of my $10,000 credit limit.

Online security - HA , Stolen 1949 Chevy Saga

[benadamsdotcom]

Even after meeting online criminals in person, they still tried to rip me off. Fortunately, I tracked them down and got them. Stolen and Recovered 1949 Chevy Saga

XP

[truthsearch]

Doesn't XP have a big green light that tells users they're secure with a firewall and anti-virus protection? If an OS tells an average user they're secure, even if they're only marginally more secure, I wouldn't expect the average user to question it.

Re:XP

[Billosaur]

Most people have a yellow light on their dashboard that tells them when they are running low on gas, and yet people still run out of gas. I suspect most people wouldn't know what the green light meant if you asked them.

The best protection is a smart user.

[CastrTroy]

I don't have any virus scanner or malware blocker, or firewall or any kind of security software whatsoever installed on my computer. Actually, I have clamwin, but I only run it once a week. It never finds any viruses. Yet I would say that I'm adequately protected because I have a brain. I don't run software from sites I don't trust. I use Firefox, which doesn't have a history of letting websites run malicious code, and I try to stay on sites that I trust. I have a router, and no incoming ports are forwarded to my PC, so I'm safe in that way I guess. At work I have Norton installed, because it has to be. To date, it has blocked 0 spyware, 0 viruses, and 0 worms. Because it hasn't encountered any, because I practice safe computing. It hasn't actually done anything except slow my computer down. What a great waste of money that was.

Re:The best protection is a smart user.

[Phaldor]

> Firefox not having a history of letting websites run malicious code

You obviously do not pay too much attention to the news. There was one just released that had to do with Quicktime and Firefox. I know of several others where Firefox was either named specifically or generally, and why do you think they update their browser so often? More features? Get real dude, most of those updates are SECURITY VULNERABILITY fixes.

What am I supposed to do?

[maillemaker]

Look, my Windows machines auto-update themselves, and I have AVG running, which also updates itself. I have a firewall downstream of my modem and upstream of every other machine on the network.

What else can I do?

My wife is constantly playing and downloading games from the internet. No doubt she is polluting machines on our network.

Basically my approach to security on my home machines is I wipe them and rebuild them every 6 months or so, in case there is some hidden malware on there that has turned my machine into a zombie.

What I would really like is a "smart firewall" I could buy and put in place of my current firewall. This device would monitor all network traffic going in and out of my house, and it would stop the bad things from going through. It could even be a service whereby the device is managed by some security firm and I pay them to protect my network through this device.

Re:What am I supposed to do?

[Bert64]

Don't give her privileged access to any machine...
If you screw up your own account, wipe that user's files, the rest of the system should be fine and you can re-create the user.

94%?

[Delusion_]

This would be the target demographic of the malware antivirus attack, where a site does a browser hijack, slows your computer to a crawl, then starts bombarding you with ads for its "solution" to the problem its own malware caused.

There is no single answer here. Affordable (or free) antivirus software that actually works would be a start, providing it isn't on the McAfee/Norton bandwagon of getting you to pay for a subscription and using up a fair amount of resources when running. There are good community-governed host file lists which can be a real help on many different levels - adware, phishing, malware, viruses, and some of the more onerous types of advertising. User education about basic practices is key - I'd like to see some Public Service Announcements on this, in the style of some of the American Lung Foundation's 1970's PSAs.

I have to tell people over and over: "It doesn't matter if you trust Jackie not to send you a bad file. You also have to trust that Jackie is vigilant about computer security, and that she knows a lot about the subject. You also have to trust that her computer hasn't been compromised, or that her e-mail isn't a spoof, which requires you to understand a lot about message headers at the very least. Is an animated stripper dancing on your start bar really worth the risk?"

I think there's a more telling bit of evidence ...

[ubrgeek]

"Hi. I'm with Verizon. We're trying to see if your computer is secure. Mind if we scan it for vulnerabilities?"

When they answered yes, why bother to go any further? In my mind, they're obviously potentially victims for spear-phishing types of attacks.

I know I'm secure

[gEvil+(beta)]

I know I'm secure. I use only genuine Microsoft products. I remember seeing an ad that said that they're the most secure computer company there is.

In Other News

[Fnord666]

In other news, 92% of all drivers feel that their driving ability is above average.

Re:In Other News

[Kingrames]

to be fair, around 50% of them actually are.

headline

[The+Clockwork+Troll]

Most In US Have False Sense of Security

There, fixed that for you.

lulz

[thatskinnyguy]

*GASP* I thought AOL was keeping us all safe online!

I Smell Corporate Marketing, and /. fell for it

[StickyWidget]

the Radialpoint Software[me:the security advisor maker], in its default configuration, does not block ads from third parties or Verizon or its affiliates and business partners, and may not identify as spyware certain websites and applications from Verizon and its affiliates or business partners, Radialpoint Inc. and/or Verizon and its affiliates have the right and do access and modify the Software as well as the software (including registry settings on your computer) and/or your hardware for various purposes in connection with the Verizon Internet Security Suite (e.g. for the installation and implementation of the Software and updates to it) as well as to download, install and/or gather, obtain, collect and then use, in relation to the delivery and operation of Verizon Internet Security Suite, various information and data, including information necessary to identify you and your computer to ensure that Verizon Internet Security Suite is received as well as information necessary for the reporting of this service, and (iii) use of such information and data by Verizon will be in accordance with Verizon's privacy policy.

Lemme translate: This software collects data about you when you run it, will continue to collect data about you, and if Verizon's business partners happen to be skeeze, they won't warn you about their spyware. Do. Not. Want. By the way, by using their security advisor, I agree to use their "Internet Security Suite" as well. Which reports on me, and allows Verizon to edit settings on my computer. Sounds a little like remote access, yes?

Here's another thing: On the installation page itself, it says "Administrator rights are required to install this software." So that means that this ActiveX has access to ALL KINDS of fun functions and methods. Who is to say this can't be hijacked and turned into a mal-ware infection source?

~Sticky
/Cannot believe this made the front page of Slashdot.

Sales Pitch

[Frosty+Piss]

...independent research study conducted for Verizon...

In a related story, Verizon has a $29.95 / month package just for the consumer worried about this sort of thing.

It bears repeating here,at this time

[zappepcs]

We do NOT need to protect our children from the evils on the Internet. We need to protect people in general. While the US might have more people who are gullible, there are gullible people all over the world. Computers are not simple to use and operate like a toaster, or other kitchen appliance. Even if they were, one look at the statistics of fire departments on the day before and the day of Thanksgiving should tell you that people, in general, are not competent to operate anything more complex than the shoestrings of their shoes.

You can buy a car that costs less than some computers, but still need a license to drive it, and insurance in case you get into a wreck. Why should computing be any different? Oh, don't believe in the nanny-state? Well, stfu about kids needing protection from the evils of the Internet. Yes, give me that argument that motor vehicles are a life and death issue, or could be. I'll argue this, losing your identity or giving your life savings to some Nigerian prince is more or less a life and death issue, especially if you need that money in the near future for heart medicine.

The point is, and well demonstrated in this report, that NOBODY is safe, and not just kids need some training and guidance. Using the Internet is not a game, and people should be taught better how to use it and avoid the pitfalls of modern life. If it sounds too good to be true, well it probably is. If someone is advertising it in an email, it probably is something you don't need or can live without. That goes also for television and other advertisements.

I think that it is high time we, the human race, began to look at things a bit more intelligently. False sense of security? If it were not for Dept. of Homeland Security, most people in the US would think that flying was safe. This and other such campaigns are not about raising awareness or traning, it is about selling antivirus and antimalware software.

Why this should come as a surprise to anyone is beyond me. How long did it take to get people to wear seatbelts? The public, at large, is wont to believe experts, yes, but this is true despite the news that those same experts are paid by large corporations more often than not, and have been shown to be less than 100% honest.

How long before 'made in China' means it is a lethal device? (won't happen) How long before people riot in the streets because the food we eat is not labeled correctly? (won't happen). This is just one more thing that the US populace in particular is blissfully ignoring. If you have to spend 2-6 months salary on something, you tend to figure out how it works and treat it with care, take it in for tune ups and such. How many reading this know of one or more people that just go get another pc when theirs acts up, or becomes slow?

Ranting done. If you can't get people to read directions on the kitchen appliances, or cleaning recommendations on the tag in their clothes, you can't protect them from the evils of the Internet. Who would have thought we'd need instructions (too small to read) on cigarette lighters to stop them from ending up in baby's mouths? or warning notes on coffee cups that the contents are hot? I don't want to imply that people are ignorant... but

Key point

[gillbates]

The interesting thing about these studies is that they often conflate "computer users" with "Windows users". The problem is, that as a Linux user, I have no need to run anti-virus software or a firewall. I know which services are running on my machine, and have accepted the security risk thereof. But, consequently, we, (and the Mac users) get counted in the insecure group because of the faulty study methodology.

I really don't think most users expect their machine to be secure. Microsoft Windows has been insecure for so long now that getting hacked is just expected after a certain period of time. In fact, I had a rather interesting conversation with an anasthesiologist:

Him: I'm thinking about buying a new computer. What kind should I buy...
Me: (I rattle off some specs) Why?
Him: Well, it's slowed down again.
Me: Well, why don't you just run Linux.
Him: Well, I do a lot of gaming. I figure you're going to have to replace your PC once a year, anyway.
Me: Why don't you just format and reinstall, and get yourself a good virus scanner and firewall?
Him: What, do all that work? And then I have to reinstall everything? No, I'll just buy a new PC.
Me: But you're just going to have the same problem a later on. You'll get infected by a virus, etc... and you'll have to buy antivirus software.
Him: No I won't - I'll just buy another PC. It's not worth my time to do all of that antivirus and firewall stuff...

Words failed me at that point. But he did have a point. Most users believe that computers "just wear out" and slow down like an old automobile. They think that virus infection is a normal part of owning a computer.

The problem isn't Windows, per se. It's that people don't expect any better.

Easy to do, thanks to RFC 3514

[Digital_Quartz]

I'm surprised such a router isn't readily available, especially with the new "evil bit" in RFC 3514: http://www.faqs.org/rfcs/rfc3514.html :P