Posts Tagged ‘Facebook’

Rational Rejection of Security Advice – what can we do about it? (Pt 1)

November 26, 2009

Cormac Herley of Microsoft Research has written a thought-provoking paper which outlines economic reasons why security advice is often ignored.

The guts of the problem according to Herley is that:

most security advice simply offers a poor cost-benefit tradeoff to users and is rejected

If you are interested in security awareness then you should read his paper, partly because it will save me trying to explain it here (my brain hurt trying to get my head around some of the economic concepts) but also because it asks some searching questions of current security awareness practices. I for one will be tuning my delivery of security advice as a result.

The paper however does fall down IMHO in a few ways. It is more an economics paper than a technical one, and like all good capitalists Herley assumes a level playing field with everyone starting from zero. An example of this is where he estimates that the annual cost of phishing losses in the US is $60 million. He then goes on to explain that the cost of mitigating phishing (in the US) therefore works out at 33 cents (or 2.6 minutes of an individual’s time) if we were to spend more on fixing the problem than the losses incurred by that problem.

This all sounds reasonable, if we assume that the cost of phishing in the US is $60 million without any prior phishing awareness campaigns taking effect.

As a colleague pointed out, the paper also assumes that there is a quantifiable cost associated with the time a person spends engaging with awareness information. This cost assumes that people are productive 100% of the time, which is of course how an economist would perceive the perfect workforce. Anyone living in the real world knows this to be different. Sure, if my awareness materials stop an employee doing something productive instead of encroaching on their Facebook time at work then yes, let the accountants have their day. But if my materials are engaging enough to replace that ‘non-productive’ time (because they’d rather play the new security awareness game than Farmville) then what they learn only has to reduce the attack surface of the organisation even minutely to be a worthwhile spend.

There’s a lot of other really good stuff in Herley’s paper, and a lot of good discussion about it.

My conclusion from reading it was that as security professionals we need to offer simple, realistic advice that is easy to follow, and focuses on quantifiable risks not worst case scenarios.

How we do this is a challenge. I’m currently writing a submission for AusCERT. Hopefully it will get accepted because the presentation will provide some of my own answers to the questions posed by the paper. More here soon.

VeriSign Phishing Awareness Site Starts Well then Misses Point

October 14, 2009

A tweet from @Allen L. Kelly pointed me to a nice bit of phishing education from VeriSign. www.phish-no-phish.com runs you through a challenging quiz where you are presented with two ‘identical’ screenshots and have to identify which is the phishing site.

Some of the sites were very difficult to differentiate and I even got one wrong because I was perhaps in too much of a hurry and didn’t spot a couple of minor spelling mistakes. This though would reflect real life for most people, so it was an excellent way of demonstrating just how careful you need to be.

I got about half way through and was considering posting a link to the site on the corporate intranet as an awareness exercise for staff.

Then I was hit by the sales pitch.

After the fifth question a screen appeared explaining how Extended Validation (EV) SSL triggers modern web browsers to display a green address bar when a genuine site is viewed. Fair enough, I thought. Users should be taught about this technology as it can help them identify genuine sites.

I was invited to continue the quiz to “see how easy it is to choose the correct site. Just choose the site that displays the green address bar.”

And yes, it was easy after that. No more needing to look for dodgy addresses, missing padlocks or poor spelling and grammar. As the tips pointed out:

The green address bar is a surefire way to identify the genuine Web site.

When you see the green address bar, there’s no need to scan for typo’s and misspellings.

Criminals can’t fake the green address bar.

Cool! No more need to take care, just watch for the green address bar and any site that doesn’t display it must be fake! And I know I can trust any site with a green address bar because criminals can’t fake it – yet.

You’ll have to indulge me here, for while I believe technical solutions can help, I don’t believe they solve the problem. As Mr Schneier says:

If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.

It’s a shame the VeriSign site lets itself down on this point. I know they’re trying to sell a technology solution but there should be a stronger emphasis on EV SSL being only part of an overall solution. After all, it’s not going to help users who are taken to a fake site from an email link – unless of course they’ve bought into the technology so completely that they only trust sites with green address bars. This is after all how the final five questions in the quiz run. You just click on the sites with green address bars.

But then you’d be missing out on all the fun on Facebook, Twitter, Gmail (Thawte i.e. Blue) etc.

2Degrees Pays Scant Regard to Privacy

August 5, 2009

New entrant to the New Zealand mobile phone market 2Degrees has exposed customers’ personal information with some sloppy web site coding.

Customers at the site were shown the personal details of previous customers part way through the purchasing process.

In a pathetic effort to excuse this disdain for customers’ privacy, 2Degrees blamed high traffic for the error. This was not a traffic problem, it was a policy problem.

Then the lies continue:

“Above all else 2degrees values the privacy of our customers.”

This statement is clearly rubbish. If it were true then the proper checks would have been in place to protect customers’ privacy.

If you need any more proof that 2Degrees does NOT have the best interests of the public at heart, then read this story which outlines the fight a Manukau City community is having with the company. 2Degrees wants to erect cell towers next to early childhood centres, schools, and outside people’s homes despite the jury being out on the possible damage this could cause to young children.

Of course you can always show your support for the company by signing up for their Facebook app, which will potentially share your personal details with millions of others…

Shame on you 2Degrees, ‘values the privacy of our customers’ indeed.

How to be worth more than 89p on Facebook

December 18, 2008

According to Trend Micro, an email address along with a date of birth and full name from a Facebook account is worth 89p (NZ$2.33) to a cybercrook.

To avoid having your identity stolen, Trend say you should look for the padlock, use social networking privacy settings, use protection software and vary your passwords. The advice is good and just what you would expect from a commercial operation that makes its money by convincing people that they will be secure if they just rely on the right technology (theirs of course) and set it up properly. Even the password comment suggests the technology will save you here. There’s no suggestion that your new password need be a good one and hard to guess, just different from last week, month, year or other website.

Perhaps what they’re suggesting is that if it’s going to cost more than $2.33 worth of time and effort for a cybercriminal to get your details, then maybe they will move on. This tactic resembles one I used when as a student I used to go door to door selling invisible markers that came with bright stickers. The line went something like this: “If you’ve got a sticker and the neighbour hasn’t, guess where the burglar is going to go?”

Of course there were multiple reasons why this might not be the case, but it made me a lot of commission. For example, if you have a sticker but leave your front door open and your stickerless neighbour keeps theirs closed, who’s going to get home and find their brand new double cassette ghetto blaster missing (yes, it’s a while since I was a student)? Likewise, even if you both lock your doors and windows, but your ghetto blaster is proudly displayed in the front window, you’ll probably have to go next door to listen to your Def Leppard tracks for a while.

So where does the analogy fit in, or is this just pointless reminiscing about the 80s?

Well, think of the open window. Even with a password, good privacy settings and anti-malware on your machine, if you join networks or groups on social sites anyone else in those groups can usually see your pages. And usually anyone can join those groups. For example, if you join the New Zealand network on Facebook, then potentially anyone in the New Zealand network can see everything you post. This includes your date of birth, full name and email address if you were foolish enough to post these.

So Trend should also say ‘Don’t join any networks’ (which kind of makes social networking a whole lot less fun).

They should also warn you to restrict the amount of personal identification you post (don’t display your wares in the front window) and to think very carefully before responding to messages or opening unexpected attachments, lest you fall victim to social engineering or malware such as Koobface.

Just because you have a sticker on your letter box doesn’t mean you shouldn’t lock your door.

Lawyer uses Facebook to get keys to house

December 17, 2008

In another example of convergence on social networking sites, an Australian couple are to receive, via Facebook, a legally binding notice that they are to hand over the keys to their home to their mortgage lender because they defaulted on their loan payments.

PWNED! via Facebook

Apparently such notices have been served via text message and email, but this is the first time it’s been tried via Facebook. The lawyer for the mortgage lender claims he had tried other avenues to contact the couple and resorted to using details provided on the loan application form to hunt them down on Facebook. He was able to find them because they had not used the security options to keep their pages private.

Kudos to the judge who has ruled that Facebook can be used to serve the notice, as he also imposed the restriction that the lawyer must use the private mail system in Facebook rather than posting a comment on the woman’s Facebook wall. Clearly this judge is a rare find as someone in the judiciary who at least has an inkling of how social networking (or any web 2.0 system) works.

I might be wrong here, but I had a quick look at the settings on Facebook and couldn’t see a way to set up spam filters on the internal message system. Given the tactics of some of the latest malware to send spam amongst friend networks on the bigger social sites, I don’t think it will be long before we see such filtering options become available. On my Hotmail account I have a number of filters set up to block spam containing words such as ‘viagra’, ‘sex’, ‘enlargement’, ‘porn’ and ‘mortgage’.

If I had such filters set up on Facebook, would a message such as the one the lawyer above was trying to send, containing the word ‘mortgage’, be blocked? And could I therefore honestly deny receiving the notice?
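To make the question concrete, here is a small keyword filter in the style of the Hotmail rules described above. It is an added example written for this page, not anything from Facebook or Hotmail. The five filter words are the ones named in the post; the messages it runs over are constructed for the example. It shows two things a practitioner would want to know about such filters: a notice that legitimately mentions a mortgage matches exactly like refinancing spam does, and a naive substring match also trips on innocent words (‘Essex’ contains ‘sex’). Because of that, a match sends the message to a reviewable quarantine folder rather than dropping it silently, so a served notice is held rather than lost.

```python
import re
from typing import Dict, List

# The five filter words are the ones named in the post above.
BLOCKLIST = ["viagra", "sex", "enlargement", "porn", "mortgage"]

# Constructed sample messages for this example (not real correspondence).
SAMPLE_MESSAGES: List[Dict[str, str]] = [
    {"id": "m1", "sender": "a friend", "subject": "Weekend",
     "body": "Still on for the beach on Saturday?"},
    {"id": "m2", "sender": "unknown", "subject": "cheap VIAGRA",
     "body": "Order now!!!"},
    {"id": "m3", "sender": "unknown", "subject": "Refinance today",
     "body": "Lowest mortgage rates in town, click here."},
    {"id": "m4", "sender": "lender's solicitor", "subject": "Notice of default",
     "body": "This is a formal notice regarding your mortgage account."},
    {"id": "m5", "sender": "a friend", "subject": "Moving house",
     "body": "We are moving to Essex next month."},
]


def matched_words(message: Dict[str, str], blocklist: List[str] = BLOCKLIST,
                  whole_word: bool = True) -> List[str]:
    """Return the blocklist words found in the subject or body (case-insensitive).

    whole_word=True matches only complete words, so 'Essex' does not trip 'sex';
    whole_word=False is a plain substring match, the way a naive filter behaves.
    """
    text = f"{message['subject']} {message['body']}".lower()
    hits = []
    for word in blocklist:
        pattern = rf"\b{re.escape(word)}\b" if whole_word else re.escape(word)
        if re.search(pattern, text):
            hits.append(word)
    return hits


def route_message(message: Dict[str, str], blocklist: List[str] = BLOCKLIST,
                  whole_word: bool = True) -> Dict[str, object]:
    """Route a message to 'inbox' or 'quarantine'.

    A keyword filter cannot tell refinancing spam from a solicitor's notice
    that happens to mention a mortgage, so a matched message is quarantined
    (kept and reviewable) rather than silently discarded.
    """
    hits = matched_words(message, blocklist, whole_word)
    return {
        "id": message["id"],
        "sender": message["sender"],
        "folder": "quarantine" if hits else "inbox",
        "hits": hits,
    }


def route_all(messages: List[Dict[str, str]] = SAMPLE_MESSAGES,
              blocklist: List[str] = BLOCKLIST,
              whole_word: bool = True) -> Dict[str, List[str]]:
    """Group message ids by destination folder."""
    folders: Dict[str, List[str]] = {"inbox": [], "quarantine": []}
    for m in messages:
        folders[route_message(m, blocklist, whole_word)["folder"]].append(m["id"])
    return folders


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        r = route_message(m)
        print(f"{r['id']} from {r['sender']!r:22} -> {r['folder']:10} hits={r['hits']}")
    print("substring matching:", route_all(whole_word=False))
```

With whole-word matching the solicitor’s notice (m4) lands in quarantine alongside the two spam messages, while the friend’s message about Essex stays in the inbox; switch to substring matching and that message is quarantined too. The filter has no way to distinguish m3 from m4, which is the point: a word list answers “does this mention a mortgage?”, not “is this spam?”, so the only safe design is one where a blocked message can still be found and read.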

This of course may already have happened in other cases where notices have been served via regular email.

Of course I will never read one of these in my email inbox anyway, because I’m always being told email messages purporting to be from my bank are scams.

Christmas Comes Early for Identity Thieves

December 11, 2008

MySpace and Google are teaming up (again) in the battle for the web. Both services run login systems which aim to simplify the login process for users across multiple sites. Essentially it means one username and password gets you into all the associated partner sites.

The idea is not new. A Google ID already gives you access to multiple services. So does a Live ID from Microsoft. And don’t forget every app you use on Facebook is accessing your details (and your friends’ details) all under your single Facebook login.

Even the open source crowd are in on the act. OpenID is used across a number of sites as a kind of escrow authenticator.

People find it difficult to remember multiple passwords, yet passwords remain the most convenient and widely used authentication system on the web. Provided a password is difficult to guess and is protected by good encryption when it is stored or transmitted, it is still a pretty good means of authentication. And so, as long as every site you use a common login ID with follows the correct protocols, every computer you use to visit those sites is secure, and you don’t tell anyone else your password, then there isn’t a significant issue.

But as I was reading the article something was nagging in the back of my mind, and it was this. It’s not the risk of the password being compromised that is the problem. The issue for individuals is that they will be using a common username across many sites. The username, or some minor deviation from it, will in many cases be public because it will appear next to their comments, blog posts, profiles etc.

It has always been possible to build a profile of a person using information from multiple websites. You can even pay money to have this done for you. But there has been a certain hit-and-miss element to this, even if you focus on usernames rather than actual names. Two people can share the same username on different sites.

But with a single sign on service, if I know your username I have an assurance that any information which has been posted under that username on any website that uses that service pertains to you. I can therefore build a much more reliable profile of you – and therefore make more money when I sell it!

I’m sure the websites know this, and I’m sure the bad guys know it, but do the general public who will be the losers when things go wrong?

2008 IT Security Blunders

December 10, 2008

I love these lists. At this time of year we start hearing about the top ten whatevers of this year and the predictions for top ten whatevers for next year. The lists are often thought-provoking and provide a nice refresher on the last 12 months.

On security island the pundits release their views of the year’s biggest breaches and then predict next year’s top ten threats. This is of course a promotional exercise and often ends with “To protect against many of these threats companies should invest in our product X”.

I was expecting NCC Group’s list of Top Ten IT Security Blunders of 2008 to follow a similar vein. But as I read through the list I realised why this one was titled blunders rather than hacks, breaches or compromises. Blunder is a term used to describe a human behaviour. At least half of the items in NCC Group’s list are direct results of a human doing something stupid, no malicious intent involved. Here is the list described in simple terms:

  1. MoD lost 200 devices (including 4 desktop computers. How do you lose a desktop computer? A memory stick is understandable, but with a desktop you have to unplug everything, physically lug it somewhere, then forget about it entirely with no memory of where you put it)
  2. Hackers infiltrate presidential candidates’ email
  3. Hackers infiltrate hockey mom’s email (albeit due to poor use of security questions)
  4. A laptop containing data on millions of individuals to be auctioned online (the owner was an archiving firm for goodness sake!)
  5. AOL hands over information on the searches of 650,000 customers
  6. Home Office loses a memory stick containing data on 127,000 criminals
  7. Booking system hacked – 8 million customer details lost
  8. Facebook hands over dates of birth of 80 million users
  9. 38,000 credit card details stolen from retailer
  10. Data stick containing security information of government IT systems left in the car park of a pub

For some time now the IT security industry has been warning about the high proportion of breaches which occur simply through human error, stupidity, forgetfulness or just general lack of awareness. While technologies such as encryption can help protect data on memory sticks (which seems like an ironic name), this list highlights the growing need for awareness raising measures, be they training, posters and other reminders, or regular reviewing of IT policies by both staff and managers.

Unfortunately there are still many (probably the majority in fact) IT managers who value technical solutions over and above trying to educate the ‘ignorant’ masses. After all, computers have been these managers’ friends. They behave predictably, can easily be fixed or replaced, and have never stood in the way of scoring top jobs. Unlike their human colleagues. Typically, IT managers have far too much influence over general company direction. Their specialised technical knowledge of mission critical company resources allows them to baffle and bulls__t at strategic meetings, placing disproportionate emphasis on their own narrow field of expertise, i.e. technical solutions.

So my prediction for the foreseeable future is that until we see as much time, effort and money go into securing the meatware as the hardware and the software, we will continue to see Top Ten IT Security Blunder lists, with ever increasing losses.

Contextual Malware in Context

December 8, 2008

A recent report from MessageLabs (‘Now part of Symantec’ – in case you missed it) outlines that organisation’s predictions for the threat landscape in 2009.

Once you stumble through the “Malware Makes It’s ‘Mash-up’” paragraph (which I had to read three times before it made sense) it makes for thought-provoking reading. MessageLabs predicts that next year the bad guys are going to use personalised web based accounts such as webmail or social networking profiles to send concise and more believable messages to targeted users. The messages will draw users into the scams slowly over a number of contacts rather than reveal themselves at the outset.

Users will also be targeted via their mobile phones, weaving an ever more elaborate and believable trap containing the victim’s online accounts, friends and their mobile services. And the initial attack vector could be a sophisticated and almost undetectable piece of malware hidden within a virtual machine running on their own computer, or for that matter any other machine into which they enter any personally identifiable information.

The guts of the article is that the criminals are getting cleverer, perhaps realising that the general public is also becoming wiser to the old scamming techniques. After all, who really ever falls for the old Nigerian scam? One answer to that question is here, but increasingly the crims are going to rely on the trust we have within our existing online networks. Users of the big three, Facebook, MySpace and Bebo, are learning this the hard way. Take a look at the comments on just about any Bebo account and you’ll see posts from users of the Bebo mobile service (identified by the logo next to the comment). Some are obviously phishing attempts but others are not so obvious.

What red-blooded teen user of Bebo wouldn't respond to this?

These messages are targeting the ‘MyFaceBo’ demographic. The language is there, lack of correct grammar and all, the content is about right, and the message is coming in from a mobile, which surely a scammer wouldn’t bother with, would they?

As we operate more and more in interconnected spaces we are all going to have to be more careful about who and what we trust, and as usual the youth market is experiencing the cutting edge of technological change.

2009 is looking like it is going to be an interesting year. Perhaps it will be the year security awareness training comes of age?
