A recent study (http://people.deas.harvard.edu/~rachna/papers/why_phishing_works.pdf) proved what we all don't like to admit.
That even as super human beings blessed with keen intellect and sage experience, human nature is undeniable.
Most anyone can be duped and most people tend to overestimate their chances of success and their skills
The study focused on phishing, but there are a number of other relevant examples.
This is what makes information security so hard. Its the humans! Just check out the list of all these other biases which have been researched experimentally (http://en.wikipedia.org/wiki/List_of_cognitive_biases) while thinking about security policies, social engineering, etc.
As security professionals we really can't just write off "everyone else on the planet" as dumb. (BOFH's everywhere will disagree). It is for this reason that insecurity can never be solved solely through technology. There is no silver bullet. (well if everyone followed this Tip of the Day http://isc.sans.org/diary.php?storyid=1530 and left them off maybe....)
There really is no silver bullet. User education is a must. So most of you out there know all of this. Which also means the future rests on each of you doing your part to educate those around you.
So we have gobs of busy people that might not know a lot about computers and security clicking and surfing all over the web (logged in as admin), but that think they know what they are doing. Sounds like a recipe for disaster or a great Monty Python episode involving loaded shotguns.
One disturbing finding of the report was that many users are not even looking at (and/or understanding) the indicators they have available in a browser that relate to their safety (SSL padlocks, location fields, status bars, etc). This is akin to getting off on the _wrong_ exit at 3am in an unfamiliar city holding a map. Not good.
There are some current tools out there which may help users make better choices (or block their bad choices). I'm just going to talk about browser toolbars. For the user class of not completely hopeless up to expert I really recommend McAfee's SiteAdvisor. This toolbar works with Firefox and IE and will provide more prominent and granular indicators that a site is dubious (or downright malicious). Users will need to keep an eye on their browser corner (which may require education) or optionally glance at the pretty red, yellow, green icons next to their google search results (RED means BAD)
http://www.siteadvisor.com/ (IE and Firefox)
Also for those looking at getting involved in the community sign up to be a reviewer. Help SiteAdvisor catch and correctly flag all those bad sites that try oh so hard to look legit.
So back to phishing. Netcraft has a really nice toolbar which can provide visual clues (YMMV) as well as speed bumps to doing something unsafe. It can actually block access to a site pending user verification (ok so we all know most users click OK on anything that pops up to get it out of the way)
http://toolbar.netcraft.com/ (IE and Firefox)
Expect this warning and popup trend to continue. Google is taking steps to prevent accidental wrong exits (see http://www.stopbadware.org/ for details on this initiative)
The next versions of IE and Firefox should have some of these protections built in. None of these will remove the need for user education (good luck explaining hostnames and mouse-overs to grandma). The criminals will figure out ways to circumvent these technologies and users will continue to ignore all the annoying popup warning windows and glaring red warning symbols. Its just human nature. If only it were as simple as just telling people to "only surf trusted sites". Right. uh huh.
Other cool stuff and links:
Aug 28th 2006
Aug 28th 2006
1 decade ago