Archive for February, 2010

This is part three of a series on the new threat landscape of the Internet, and how you as an average, non-technical user, can navigate it safely.  Part 1 discusses why ordinary people often don’t take even basic precautions: they feel the cost-benefit balance not worth it to them personally, and mainly they’re right.  Part 2 defines overall Internet-based security threats.  Now in this post we’ll deal with an effective, and minimally-invasive, strategy for keeping safe — four simple rules.  OK, if you’re a security geek, you will think these are woefully inadequate, but I believe that if the average person will follow them, their security effort-expenditure will be acceptable and they will be protected from the most significant exposures.  To the security geeks among us, average people aren’t following the rules and guidelines we’ve been publishing anyway, so if they follow just these, they’ll be much better off.

Preparing To Face the Internet

First, I strongly suggest that you take your machine to someone who will do a “full system backup” for you.  This is not your data files, just the computer’s programs and settings.  If you get a serious malware infection, the only way to get rid of it is to wipe the disk and restore the system, and this will make that faster and easier and get you back in business.  Find a good local help-person or go to Geek Squad or someone like them.

Then, take a few minutes to develop a couple of passwords for yourself, for which I have a few hints below under Password Strategy.

Finally, turn on the Windows firewall and Windows Defender if you have a recent machine, or get a techno-friend to install a good firewall and basic anti-virus program.  They’re not perfect, but they help a lot.  There are free ones for Windows, including Comodo, AVG, Avast, and others.  You don’t need a massive, full-featured “Grand Internet Security” system, take it from me.  You don’t need much, but you do need something.  If you have trouble doing this, go into the store or get a consultant.  The hour or so you will pay them will be, in the long run, very much worth it.

Now, Here Are the Rules!

Versions of these same “average-person” rules have also been promulgated by Leo Laporte, Steve Gibson, and others; they’re not unique to me.  But I say, follow these and be safe(er)!

  • Set Windows Update or the Mac Software Update to run automatically.  This is by far the most powerful weapon you have, and it’s free, and self-running.  Yet large numbers of people for reasons I can’t imagine don’t do it.  This, by itself, will protect you from more trouble than you will believe.
  • Never click on a link in an email.  Never.  Better to highlight the URL (the HTTP:// . . . thing) with your mouse without clicking it, and copy / paste it into your browser’s address bar.  The problem here is that the actual link destination is hidden under what is visible (which is a label, even if it looks like a URL), so even if the visible link looks OK, the real destination might not be.
  • Don’t open email attachments.  These are also sources of malware infections, one of the chief ones.  This is especially true of presumably funny ones forwarded all around, the ones that end in .wmv (Windows Media Player files).  Tell your Aunt Doris to have her pre-teen daughter post it to YouTube or Flickr or whatever, if she thinks it’s so great.  But don’t open it from the email.  When you put something on YouTube, for example, it’s filtered and anti-virused and you’re safe looking at it there.
  • Stay away from questionable websites.  This includes almost anything “free” — porn (even soft porn), free music, free software, and the like.  These sites are laden with viruses and trojans — that’s why their music is free, because they’re being paid by somebody to load malware on your machine!
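As an added example (not from the original post), here is a small Python script that applies the email-link rule above mechanically: it parses a constructed HTML message body and reports every link whose visible label looks like a URL but names a different host than the href it really points to.  The message body and every domain in it are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body; every domain in it is a placeholder, not a real site.
SAMPLE_EMAIL = """
<p>Dear customer, please verify your account:</p>
<a href="http://www.example-bank.com.attacker-placeholder.test/verify">http://www.example-bank.com/verify</a>
<p>Newsletter: <a href="https://news.example-bank.com/feb">https://news.example-bank.com/feb</a></p>
<p><a href="https://example-bank.com/help">Help centre</a></p>
"""

class LinkCollector(HTMLParser):
    """Collects (visible label, real href) pairs for every <a> in the body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, or None
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(url):
    """Host of an http(s) URL, or '' if the text is not a URL at all.
    urlparse().hostname drops any user@ prefix, the port and upper case,
    so none of those can make the label's host and the real host look alike."""
    parsed = urlparse(url.strip())
    if parsed.scheme not in ("http", "https"):
        return ""
    return parsed.hostname or ""

def find_mismatched_links(html_body):
    """(label, href) pairs where the label looks like a URL but names a different host than the real destination."""
    collector = LinkCollector()
    collector.feed(html_body)
    mismatches = []
    for label, href in collector.links:
        label_host = host_of(label)
        if label_host and label_host != host_of(href):
            mismatches.append((label, href))
    return mismatches

if __name__ == "__main__":
    for label, href in find_mismatched_links(SAMPLE_EMAIL):
        print(f"label shows {label!r} but the link really goes to {href!r}")
```

Because hosts are compared exactly, a label of www.example-bank.com over an href on example-bank.com is also reported, which errs on the side of caution.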

A New, Simpler, Password Strategy

In the past, I’ve repeatedly produced careful recommendations on constructing strong passwords, great long strings of gibberish that can withstand a brute-force attack for on average several years.  However (see Part 1) these recommendations have been almost universally ignored because the time and effort to implement / forget / recover / look them up and so on actually exceeds the expected average loss to the average user.  So, ever congruent with reality, I’ve revised my suggestions to make them much simpler and more in alignment with the effort people are actually willing to put in.

Now, you only need two or three passwords, and they can be something you can remember.  But please, not “password” or “letmein” or “asdflkjh” or something like that.  If you’re in Minnesota, it should not be “vikings.”  I mean, don’t just give away the keys.  Choose something meaningful to you, yes even English words (a common recommendation is “nothing in a dictionary”), your dog, or whatever.  But not “111111”.

You need just two, and maybe three passwords:

  • One for almost everything that makes you register: every newspaper, weather site, and all the other things that think they need to recognize you personally when you return.  Use the same username (if you can) and a nice, comfortable password.  To the extent that these are really trivial sites, respond “yes” when the browser asks you, “shall I remember you next time?”
  • Financial sites believe strongly in “trial by ordeal” for you to get in, and of course it’s in their best interest to strongly authenticate you as it reduces their fraud costs.  So they will probably have more or less elaborate rules, like mixed-case, letters-and-numbers, X characters long, and all that.  My suggestion is to select one that meets their minimum standards, write it down, and put it in your wallet (without the bank name or userid on it, of course).  That’s all you need.  Note that these sites are now all aflame with the concept of multiple questions, “secret pictures” and other hassle-laden rubbish.  Do what they demand, of course, but I can tell you that these things really don’t work and they’re just a huge hassle for you.
  • Optionally, you might want to have a different password for your email accounts, different from the throwaway one; this is up to you.  I do, but I’m a little more freaky about this than maybe you are.  The actual incremental safety from this is fairly small, but I do it anyway.

So that’s it — four rules, two or three passwords, and you will have made yourself fairly safe at a very minimal cost / effort.  So if you do nothing else, do these!


This is the second in a three part series on a highly revised approach to keeping yourself safe and sound when you’re on the Internet.  (If you missed it, the first part is here).  This is an entirely new approach, because the whole threat profile we face has been changing, and most of the recommendations passed out by presumed security gurus (including yours truly) are no longer appropriate or effective.  This post is going to describe the current threat landscape so that my recommendations on protecting yourself will make a little more sense; those will be in Part 3.

OK then, what does it look like out there?  There are lots of pressing threats, seemingly an infinite number and growing (if that’s possible!).  But as we try to identify how we might best protect ourselves when we’re connected to the Internet, the actual number turns out to be much more manageable.  Here’s a breakdown of the overall threat landscape, from the planetary to you, as I see it now.  It includes:

Infrastructure threats, which target the basic routing and transport of content throughout the globe.  This is not our problem, at least for this discussion, although it is an extremely serious problem for our government and the Internet’s managers.

Organization threats, those that aim at businesses, governments, or other entities, and which are mainly focused on network intrusion, data theft, site defacement, and operational disruption.  I’m not dealing with those here, either.

Personal threats, what we care about here.  These threats, at least the ones that you should worry about, can all be clumped into two main categories:

  • Attempts to steal money from you via account break-in, unauthorized credit-card charges, or (occasionally) malicious transactions aimed at disrupting your life, e.g. as caused by an errant ex-spouse;
  • Attempts to steal account numbers, passwords, and other personal or family data from you by loading malicious hidden software onto your computer.  In addition to enabling financial theft, this data might allow someone to impersonate you on the Internet and do things like post obscene messages on Facebook or put porn in your Flickr albums.  Malicious software can also take your computer and make it a spam-spewing robot, or a participant in various kinds of attacks against organizations or even against the Internet’s infrastructure itself, and you don’t want to be a part of this, either.

Now, these are significant threats, of course, and you don’t want to be the one caught standing when the music stops.  Just because these are high-order threats doesn’t mean that you can be excused to do nothing.  On the contrary, you need to take some steps to avoid being victimized, but these steps can — surprisingly — be simpler than you might be thinking, or than what you’ve been told in the past.  What is it that has changed over the last increment of time that modifies our approach to personal Internet security?  Lots of things.

What’s Changed

First of all, the bad news is that the attacks are becoming vastly more sophisticated and therefore vastly more difficult to defend against.  When I look at the technical dissection of typical first-line malware, I’m really impressed: these people really know what they’re doing.  If you let one of these things into your machine, you’re gone.  Attack software is exploiting vulnerabilities that the honest software vendors are hard-pressed to patch by the time the attacks start occurring.  And once something gets into your computer, it’s essentially impossible to remove so your only recovery is a down-to-the-metal system restore.  It’s really nasty.

However, at the same time we’ve learned how to cope with it, just as our immune system learns to cope with an infection, and just as (as a species) we and the infectious agents tend to co-evolve in ways that reduce the impact of a given infection, so that not all the hosts die!  When national credit cards became popular, certain kinds of fraud became possible that weren’t possible when the merchant knew every customer face-to-face.  So our financial system developed ways to deal with it — transaction limits, anti-fraud software triggers, merchant interventions, and most importantly, consistent rules for managing disputes and apportioning fraud liabilities.  Thus, the worst of the threats are blunted, coping mechanisms are created, the losses are contained, and the benefits are achieved.

Let’s consider for a moment identity theft.  Five years ago this was almost unheard of.  People who claimed identity theft were generally not believed, their credit was ruined, they were threatened with arrest, their assets were attached, and they worked for sometimes years to clear things up, all the time being abused by attorneys, police, and everyone else who just couldn’t believe this was real.  What happens now?  It’s a known and accepted risk, kind of like a fender-bender: nobody wants one, but they happen, and we all know what to do.

Now, if you are an identity theft victim, you call the police, fill out a form, send out the form to your banks and other merchants, get new credit cards, and so on.  The average time to resolve an identity theft incident now is about 10 hours of your time, spread out over a couple of weeks.  Like a fender-bender, not fun and worth avoiding, but fixable.

The same principle applies to electronic account access and transfers.  Banks want people to use electronic transfers; it’s much cheaper than teller-assisted transactions or paper checks.  So to standardize everything, the Federal Reserve Board issued Regulation E, which specifically states that it was issued “to protect consumers using electronic funds transfers.”  Under the provisions of Reg E, it’s almost impossible for a consumer to be held responsible for the consequences of unauthorized electronic access to their accounts; the bank absorbs any unrecoverable losses.  Based on the cost savings and customer satisfaction, they come out ahead even with these losses from time to time.

So . . .

So the net of all this is, although the direct attacks are increasingly cunning and vicious, even when they succeed they don’t impact the individual consumer as much as they used to.  “We,” the society, have learned to cope with the resulting losses, keep the unlucky victims from being unduly penalized, and move on.  And given this, the rules for keeping safe and sound on the Internet have changed, too, and actually simplified quite a bit.  I’ll cover them in Part 3.


We hear constantly of the cost of online security failures — of bank accounts vacuumed, of credit card numbers and passwords stolen, or of medical records compromised, a veritable drumbeat of disaster.  But we seldom hear about the cost side of implementing security measures, especially the cost borne by individuals like you and me who are exhorted to carry out these procedures.  Even with the threat of all the losses, compromises, and penetrations, the Average User still has a pretty dismal record of taking even the most basic precautions to protect themselves.  But why?  Are we all just that stupid and lazy?

As a security-oriented systems guy, I have tried to figure this out, and I was just starting to deal with it as a basic economic cost-benefit analysis when I discovered a great paper presented at this year’s New Security Paradigms Workshop by Cormac Herley of Microsoft.  It’s entitled So Long, and No Thanks for the Externalities: The Rational Rejection of Security Advice by Users.  If you’re not up to reading it, I’ll be summarizing it below as a context for my own recommendations.

Herley summarizes the situation thus:

In this paper we argue for a third view, which is that users’ rejection of the security advice they receive is entirely rational from an economic viewpoint. The advice offers to shield them from the direct costs of attacks, but burdens them with increased indirect costs, or externalities. Since the direct costs are generally small relative to the indirect ones they reject this bargain. Since victimization is rare, and imposes a one-time cost, while security advice applies to everyone and is an ongoing cost, the burden ends up being larger than that caused by the ill it addresses.

So then, as he points out, Average Users aren’t stupid; they are pretty good intuitive cost-benefit analysts.  The paper points out that “user effort is not free” although it is treated as such in virtually all analyses.  In other words, most analysts look only at the loss side of the equation — what is being stolen — but not at the time and effort required of users taking steps to prevent these losses.  This failure to account for the costs of implementing security procedures leads to lots of users (rationally) ignoring most of what various security gurus prescribe for them — instead of adopting reasonably-effective safeguards, they end up adopting almost none.

Just for example, with respect to the standard litany of “choose longer passwords, don’t re-use them across sites” and so on, Herley demonstrates that for an average user with about 25 distinct passworded accounts the actual benefit to the user disappears if the user has to spend more than a few minutes per year making up, remembering, and forgetting all their passwords.  Of course, in reality most of us spend more than that per day dealing with passwords.  He also points out that if the user falls victim to a phisher or has a trojan keylogger in his machine, all the standard password protections are rendered useless anyway.

And yet, financial institutions continue to insist on longer passwords with composition-complexity rules and have implemented various other schemes such as “security questions” or “secret pictures” and the like.  None of these are very effective and do NOT per se reduce the likelihood of man-in-the-middle attacks, although it seems like they would.  They mainly irritate users who forget what they answered for their first car’s horsepower, fail the test, and have to have the bank reset their password.

And even this incurs a significant cost: using Wells Fargo data, a password reset costs the bank $10 in personnel time, and if 10% of their users do a reset every year, that would be a $48,000,000 cost to Wells, which is vastly higher than Wells’ share of the annual $60,000,000 phishing losses.  Clearly in this case, the medicine is worse than the disease!

In addition to the security-related costs users are asked to absorb, they are also overwhelmed by the volume of advice dispensed by various security gurus (including yours truly, in retrospect).  Naive users lack the technical expertise to carry these suggestions out, and their best efforts can often be readily subverted by evil-doers anyway.  Herley points out that the US-CERT CyberSecurity Tips publication has 51 “tips,” each one backed up with a page or more of detailed instructions.  No wonder they bail on security.  Not only is it expensive, it’s incomprehensible.

Does this dismal state of affairs free us to give up and just ignore Internet security?  Not at all! We still face threats that we CAN do something about, and we should.  See my next post on What This Means.
