Most In US Have False Sense of Online Security

BaCa sends along a link from Net-Security on a study of attitudes among Americans about the security of their PCs, versus their actual vulnerability. "More than half of computer users who think they are protected against online threats like spyware, viruses, and hackers actually have inadequate or no online protection, according to an independent research study conducted for Verizon... While 92 percent of participants thought they were safe, the scans revealed that 59 percent were actually vulnerable to a variety of online dangers. Ninety-four percent of those surveyed said they would find it helpful to be able to diagnose or check their online security status on a regular basis to make sure their PCs were safe."

At least once a year...

[betterunixthanunix]

At least once a year, these results come out in yet another study. Perhaps we should declare a new holiday: False Sense of Security Day (and of course, False Sense of Security Eve, when a hacker in a Santa suit constructs an enormous botnet and takes down a few small mailservers with spam).

Re:At least once a year...

[secPM_MS]

This should be called the neverending story. Unfortunately, I think that name is already taken by a children's book. The query is a bit inappropriate. I am not safe simply if I have my AV and anti-malware SW installed and updated. I MAY be safer, but the AV and anti-malware SW can itself be a vulnerability.

Increasingly, the attacks are made at the application level, not the OS level. The OS can protect itself from a non-administrative user, but cannot be expected to protect itself from an administrative user who has been fooled into doing something inappropriate. The AV and anti-malware SW try to protect against known issues, but it is a best effort sort of thing.

If you are browsing, do you have javascript, java, flash, etc. enabled? If so, you have the neat functionality, but you are very vulnerable to compromise by hostile / compromised web servers.

If you are running as a normal (non-administrative) user such compromise can compromise anything you do. If you are running as an administrative user such a compromise can compromise your system (in Vista, you would have to OK the UAC prompt).

If you open .pdf attachements or pdf's on web sites, is your pdf reader fully updated? Exploitable security issues have been found routinely in certain pdf readers.

If you open Microsoft Office documents, is your Office software fully updated? Numerous attacks have been launched via such documents. Office 2007 has far fewer vulnerabilities than Office 2003. Note that using OpenOffice does not inherently protect you. The same type of vulnerabilities exist in OpenOffice.

If you have Apple's QuickTime, do you keep it updated? It has had large numbers of vulnerabilities.

Then we can go into the world of media and games, where many vulnerabilities exist and all too often the application in question is internet facing.

If you want ease of use, feature richness, and dynamic extensibility, you are not going to have a high level of "security / assurance". A web world of static HTML without any scripting and limited media is quite safe - but it is not what the customers want. A similarily restricted application functionality set can be made truly safe as well, but is not what customers want. Users feel comfortable and safe with what they routinely work with, even if this is inherently dangerous. This is as true for computer users as it is for industrial / research workers, who tend to get a bit casual about even truly dangerous issues (I used to be an industrial safety officer in research laboratories).

Old news

[Billosaur]

It's not like this hasn't been noted before: PEBKAC Still Plagues PC Security. Your average user firmly believes what they are told by "experts" or the guy who sells them the computer. They are not web-savvy and don't dig into the background on computer security. They think that all they have to do is run their spyware remover and update their anti-virus and their fine. Heck, too many don't even know they have such utilities, and if the do know, aren't actually aware if they are running or not!

Computer security must be taken out of the hands of the user where the user is likely to not have a clue how it works.

Re:Old news

[Frosty+Piss]

Your average user firmly believes what they are told by "experts" or the guy who sells them the computer. They are not web-savvy and don't dig into the background on computer security. They think that all they have to do is run their spyware remover and update their anti-virus and their fine.

And why shouldn't they? Honestly, "average users" shouldn't have to be computer security experts. Average users use computers to play or do productivity tasks unrelated to software development and computer science. The fact is, the average user shouldn't have to be "computer savvy" and running spyware cleaners should do just that. Blaming "average users" for the fact that such dangers exist is missing the point.

Re:Old news

[Cro+Magnon]

Exactly. As if removing the spyware also went back in time and actually prevented the spyware from HAVING SPIED on you already!

That's why you need a Mac. It has a Time Machine.

Completely content-free

[$RANDOMLUSER]

* Spyware Protection: When asked how safe they felt their home PC was from spyware, 92 percent of respondents felt "safe" or "somewhat safe." In contrast, the Verizon Security Advisor scan revealed that the majority (58 percent) were "at risk" or "potential risk" from spyware infection. Nineteen percent were critically "at risk" from spyware infection.
* Virus Protection: When asked how safe they felt their home PC was from viruses, 92 percent of respondents felt "very safe" or "somewhat safe," whereas the Verizon Security Advisor scan revealed that 45 percent were "at risk" or "potential risk" from virus infection.
* Firewall Protection: Nineteen percent of respondents had their personal firewall turned off.

Please define "at risk", "potential risk", "critically at risk".
And by "personal firewall" do you mean that POS built into XP, or the POS from Symantec? Or do you mean the router firewall?

The best protection is a smart user.

[CastrTroy]

I don't have any virus scanner or malware blocker, or firewall or any kind of security software whatsoever installed on my computer. Actually, I have clamwin, but I only run it once a week. It never finds any viruses. Yet I would say that I'm adequately protected because I have a brain. I don't run software from sites I don't trust. I use Firefox, which doesn't have a history of letting websites run malicious code, and I try to stay on sites that I trust. I have a router, and no incoming ports are forwarded to my PC, so I'm safe in that way I guess. At work I have Norton installed, because it has to be. To date, it has blocked 0 spyware, 0 viruses, and 0 worms. Because it hasn't encountered any, because I practice safe computing. It hasn't actually done anything except slow my computer down. What a great waste of money that was.

What am I supposed to do?

[maillemaker]

Look, my Windows machines auto-update themselves, and I have AVG running, which also updates itself. I have a firewall downstream of my modem and upstream of every other machine on the network.

What else can I do?

My wife is constantly playing and downloading games from the internet. No doubt she is polluting machines on our network.

Basically my approach to security on my home machines is I wipe them and rebuild them every 6 months or so, in case there is some hidden malware on there that has turned my machine into a zombie.

What I would really like is a "smart firewall" I could buy and put in place of my current firewall. This device would monitor all network traffic going in and out of my house, and it would stop the bad things from going through. It could even be a service whereby the device is managed by some security firm and I pay them to protect my network through this device.

94%?

[Delusion_]

This would be the target demographic of the malware antivirus attack, where a site does a browser hijack, slows your computer to a crawl, then starts bombarding you with ads for its "solution" to the problem its own malware caused.

There is no single answer here. Affordable (or free) antivirus software that actually works would be a start, providing it isn't on the McAfee/Norton bandwagon of getting you to pay for a subscription and using up a fair amount of resources when running. There are good community-governed host file lists which can be a real help on many different levels - adware, phishing, malware, viruses, and some of the more onerous types of advertising. User education about basic practices is key - I'd like to see some Public Service Announcements on this, in the style of some of the American Lung Foundation's 1970's PSAs.

I have to tell people over and over: "It doesn't matter if you trust Jackie not to send you a bad file. You also have to trust that Jackie is vigilant about computer security, and that she knows a lot about the subject. You also have to trust that her computer hasn't been compromised, or that her e-mail isn't a spoof, which requires you to understand a lot about message headers at the very least. Is an animated stripper dancing on your start bar really worth the risk?"

I think there's a more telling bit of evidence ...

[ubrgeek]

"Hi. I'm with Verizon. We're trying to see if your computer is secure. Mind if we scan it for vulnerabilities?"

When they answered yes, why bother to go any further? In my mind, they're obviously potentially victims for spear-phishing types of attacks.

I know I'm secure

[gEvil+(beta)]

I know I'm secure. I use only genuine Microsoft products. I remember seeing an ad that said that they're the most secure computer company there is.

Re:XP

[Billosaur]

Most people have a yellow light on their dashboard that tells them when they are running low on gas, and yet people still run out of gas. I suspect most people wouldn't know what the green light meant if you asked them.