Posts Tagged ‘Microsoft’


Better the devil you know?

June 7, 2009

So our government has dumped Microsoft and opened the door for open source on our desktops.  Now all we have to do is find an easy-to-use, secure, familiar-feeling open source desktop operating system.

Yes, Linux has made progress over the last few years, and there are distributions that should look familiar enough to Windows users to allow them to open Firefox – if they know what that is.  And you can’t complain at the price, provided you don’t factor in all the extra support calls as people have to relearn basic skills.

But this blog is about security, and more specifically the meatware that forms the weak link in the chainmail.  My concern is that just as average user skill levels are rising to a point where most people no longer freak out like my mother does when Windows deviates slightly from the expected path and pops up a dialogue box, we will have to start user education all over again.

But this time, people are more confident, less afraid to click, you see.  More inclined to tinker around perhaps when something doesn’t quite work as expected.  Like Mac users, Windows users have got to a point where they are so used to everything being dumbed down that they have complete faith in their ability to fiddle with their operating system, because they have been told time and again ‘you can’t break it just by clicking’.

But throw Ubuntu or some other ‘friendly’ Linux distro at them and they might find the little tricks they learned from their Windows days no longer work. So they’ll try something else, bugger something up, not report it, and open some gaping hole in the defences.

I’d rather deal with users who know what they did wrong, or can at least recognise when something’s not right, than with over-confident but inexperienced users who have no real idea what they want to do or what in fact they’ve just done.


The International Network of Spam Targets

January 23, 2009

Steve Riley is a senior security strategist in Microsoft’s Trustworthy Computing Group.  I read his blog occasionally.  His latest post is nothing too heavy, just reflecting on the ridiculousness of the latest serving of spam in his inbox.  He puts it eloquently when he says:

I guess enough people are lured by cheap mortgages for their penis extensions that the spammers rake in enough money to cover their costs…

Anyway the post made me take a look at what spam I had in my inbox today, and what do you know? I had some of the exact same spam as Steve.  One of his was titled ‘PayPal – Email Handling Opinion Needed’. The sender was IPv6@microsoft.com which is apparently an internal discussion group at Microsoft. So a technical discussion group was talking about email handling…

My version of the same email however was from myself. I’m pretty sure I hadn’t sought my own opinion on PayPal email handling – I don’t even use PayPal.

Regardless, what this little exercise did for me was make me feel like part of one big worldwide network. Yes a network of targets for spammers, but hey at least I’m a good guy and not a bad guy!

By the way – the PayPal spam was actually trying to get you to follow a link to the site ordeep.com which was selling, wait for it… male enhancement pills.
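The post above notes that the spam arrived with a From: address equal to the recipient’s own. That pattern is easy to flag at the mailbox: a message that claims to come from you but carries no passing sender authentication from your own mail server. The following is an added example (not code from the original post) that parses a captured message, reads the Authentication-Results header the receiving server stamped on it, and classifies self-addressed mail accordingly. The two sample messages and the `mx.example.org` host name are constructed for the demonstration.

```python
"""Flag mail that claims to be from the mailbox owner but fails sender
authentication.  Added example; the sample messages below are constructed."""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: From: is the recipient's own address, but the receiving
# server recorded an SPF failure and no DKIM signature (a spoofed sender).
SAMPLE_SELF_SPOOF = """\
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=example.org; dkim=none
From: alice@example.org
To: alice@example.org
Subject: PayPal - Email Handling Opinion Needed

Your opinion is needed. Follow the link below.
"""

# Constructed sample: a genuine note-to-self that passed both SPF and DKIM.
SAMPLE_LEGIT = """\
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org
From: alice@example.org
To: alice@example.org
Subject: note to self

Buy milk.
"""


def auth_results(msg):
    """Parse Authentication-Results (RFC 8601) into {'spf': 'fail', 'dkim': 'none', ...}.

    Simplified parser: the first ';'-separated field is the authserv-id and is
    skipped; each later clause starts with a method=result token."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for clause in header.split(";")[1:]:
            clause = clause.strip()
            if not clause:
                continue
            method_result = clause.split()[0]  # e.g. "spf=fail"
            if "=" in method_result:
                method, result = method_result.split("=", 1)
                results[method.lower()] = result.lower()
    return results


def classify(raw_message, own_address):
    """Return 'other' if From: is not the owner, 'authenticated' if the owner's
    address passed SPF or DKIM, and 'self-spoof' if it claims to be the owner
    without any passing authentication result."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    if from_addr.lower() != own_address.lower():
        return "other"
    auth = auth_results(msg)
    if auth.get("spf") == "pass" or auth.get("dkim") == "pass":
        return "authenticated"
    return "self-spoof"


if __name__ == "__main__":
    for label, raw in (("spoof", SAMPLE_SELF_SPOOF), ("legit", SAMPLE_LEGIT)):
        print(label, "->", classify(raw, "alice@example.org"))
```

The check only trusts an Authentication-Results header added by your own receiving server; a sender can forge that header too, so a real filter should strip any copy that arrives from outside before its own server appends one.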


Christmas Comes Early for Identity Thieves

December 11, 2008

MySpace and Google are teaming up (again) in the battle for the web.  Both services run login systems which aim to simplify the login process for users across multiple sites.  Essentially it means one username and password gets you into all the associated partner sites.

The idea is not new.  A Google ID already gives you access to multiple services. So does a Live ID from Microsoft.  And don’t forget every app you use on Facebook is accessing your details (and your friends’ details) all under your single Facebook login.

Even the open source crowd are in on the act. OpenID is used across a number of sites as a kind of escrow authenticator.

People find it difficult to remember multiple passwords, yet passwords remain the most convenient and widely used authentication system on the web.  Provided a password is difficult to guess and is protected by good encryption when it is stored or transmitted, it is still a pretty good means of authentication.  And so, as long as every site you use a common login ID with follows the correct protocols, every computer you use to visit those sites is secure, and you don’t tell anyone else your password, then there isn’t a significant issue.

But as I was reading the article something was nagging in the back of my mind, and it was this. It’s not the risk of the password being compromised that is the problem.  The issue for individuals is that they will be using a common username across many sites.  The username, or some minor deviation from it, will in many cases be public because it will appear next to their comments, blog posts, profiles etc.

It has always been possible to build a profile of a person using information from multiple websites.  You can even pay money to have this done for you.  But there has been a certain hit and miss element to this, even if you focus on usernames rather than actual names.  Two people can share the same username on different sites.

But with a single sign-on service, if I know your username I have an assurance that any information which has been posted under that username on any website that uses that service pertains to you. I can therefore build a much more reliable profile of you – and therefore make more money when I sell it!

I’m sure the websites know this, and I’m sure the bad guys know it, but do the general public who will be the losers when things go wrong?


Your Computer Might Be At Risk!

November 19, 2008

A couple of weeks ago the geeky part of the mainstream media was reporting on a malware scam involving pop-up windows, botnets and rather dubious anti-virus software called Antivirus2009. The scam is not new, and in the instance I came across, the attack vector was a piece of paid advertising on a very reputable and well-frequented news website. As is the Redmond way, Microsoft carefully analysed the trend and released their own response two weeks later, after all the fuss had died down – an entry in their security blog yesterday. The piece referred to a study released on September 22nd (which of course pre-dates all the fuss) from North Carolina State University titled “New Study Highlights Risk of Fake Popup Warnings for Internet Users”.

The researchers found that most people are unable to distinguish fake warnings from real ones, but sshhh, don’t tell the criminals that. The professor of psychology and co-author of the study notes that:

companies and other credible entities may want to incorporate additional unique features into the real messages to allow people to differentiate between genuine warning messages and fake popups. However, he says, “I don’t know if you could develop a legitimate message that could not be duplicated and used illegitimately.”

This thinking is partly right but takes the wrong approach. A warning system that cannot be ‘faked’ does need to be developed. But rather than using ‘additional unique features’, the system should be simple, consistent, and probably open source.

Consider for a moment the warning systems in your car. Self-contained, consistent (the low fuel light is always going to look the same) and reliable. It’s only when cars started getting complicated computer management systems that these warnings became oddly suspicious at times.

Computer alerts need to be extremely simple, reliable and trustworthy. Complexity is the enemy of security, so additional features won’t work – not for long, anyway, before they are faked. As computer users we are trained to click OK or Close, and the crims play on this.

So perhaps real warnings just need to say something like ‘I’ve detected a virus’. And that’s it. No options, no further warnings and no way to get rid of the message until the user takes some other action which is consistent and secure. Like perhaps a BIOS-linked key stroke built into the secure kernel which fires up a trusted anti-malware product. Then even if the warning is faked, only the trusted product is run.

I’m no programmer, so for all I know this may be impossible. But a system like this, which worked the same way on all platforms, would be easy enough to train users on.

Oh and by the way, I was a bit hard on the MSDN blog team earlier. There is actually some very good info on their Security at Home site.
