Some thoughts on computer security and credulity

So recently Business Week magazine ran an article about keylogger software being used in espionage. Essentially, defense contractors are being tricked into infecting their computers with keylogger malware, sent in targeted emails that appear to come from the Pentagon and other governmental sources.

The thing I find interesting about this, and also about things like the Storm and Kraken worms, is that they don’t take advantage of security flaws or vulnerabilities. They don’t attack holes in a computer’s operating system or applications, and they don’t rely on technical exploits of programming errors. These attacks all rely on tricking the victim into deliberately, intentionally infecting himself.

For that reason, I don’t think there’s a technological solution. The solution to a human gullibility problem isn’t in better programming or more elaborate firewalls; it’s in user education. No matter how sophisticated and bulletproof a security system is, there’s no defense against a person who deliberately chooses to permit someone through it.

But when it comes to the Intertubes, folks don’t get that.


If we had a situation where a criminal walked into a bank and, without weapons or violence, tricked a security guard into opening the vault for him and handing him all the money inside, we would not say “Oh, we need to build bigger vaults with thicker doors and more complicated locks!” It’s obvious to anyone who thinks about something like that that a bigger door or thicker walls won’t prevent someone from tricking a gullible guard into unlocking the door.

Yet with computer malware, we tend to jump on technological solutions. Someone in China tricks an American defense contractor into deliberately installing a key logger on his computer, and everyone says “We need tighter computer security and more computer defenses.” Which is as pointless and ineffectual as saying “we need thicker bank vault walls” if someone persuades the guard to intentionally, deliberately unlock the vault door and hand him the money.

What we need isn’t better computer security; better computer security will not and can not address this kind of problem. What we need is less gullible people.


A few weeks back, someone posted an ad on Craigslist saying that they were moving suddenly and they needed to get rid of everything in their house, including their horse. They said that the house would be unlocked and anyone who wanted to could come and take anything they liked. Hundreds of people showed up and ransacked the house, even taking light fixtures and plumbing fixtures.

Needless to say, the Craigslist ad was bogus. Some people had robbed the house earlier, then posted the ad to conceal the evidence of their robbery.

Of course, the police showed up, but what was most interesting was how indignant the folks who ransacked the house were. They were angry and upset that the police tried to stop them. Many of them waved printouts of the Craigslist ad around, as if it justified what they were doing. They genuinely, sincerely believed that the ad on Craigslist meant they were doing nothing wrong.

That’s the mentality a lot of folks–including folks who ought to know better, including defense contractors–have. They truly believe that if an email says it is from someone they know and tells them to download and run the attached program, it must be OK to do. They sincerely think that if they see it in an email, it can not possibly be false. And that gullibility makes them easy to dupe.


These are not idiots. If a person walked up to them on a street and said “I live at 423 Main Street but I have to move in a hurry, so go into that house and take anything you like,” they’d be like “Yeah, right.” If someone walked into their office and said “I’m from the Pentagon, take this CD and run the program that’s on it,” they’d never in a million years do it.

But because it’s on the Intertubes, somehow it gets past their bullshit filters, and they suspend their ordinary skepticism. And I think that’s really, really interesting.


One of my all-time favorite books is Why People Believe Weird Things: Pseudoscience, Superstition, and Other Confusions of Our Time, by Michael Shermer, who’s one of my personal heroes. I met him briefly at a science fiction convention last October, and he’s just as amazing in person as he is in print.

One of the things he talks about, and one of the things I’ve written about as well, is the idea of the brain as a “belief engine,” a tool for forming beliefs about the physical world. As a tool for survival, the brain works amazingly well, but survival pressures have tended to shape and mold it in such a way that its default state is to accept ideas uncritically rather than reject them. For our early hunter-gatherer ancestors, the consequences of accepting a false belief (“keeping this magic stone in my pocket will help me ward off evil spirits”) were generally less dire than the consequences of rejecting true beliefs (“a leopard is dangerous to me,” “keeping upwind of my prey will cause my prey to escape more often”), and so we have developed these amazing brains that find it much easier to accept than to reject ideas.

On top of that, our brains are so highly optimized for efficient and rapid pattern recognition that they can tend to see patterns even where none exist (“when I updated to OS X 10.4.11, my hard drive failed; the update was responsible for the failure”).


I wrote an essay about the belief engine a while back. I think that it applies to things like Internet hoaxes and Trojan-horse malware in part because we are wired by selective adaptation to accept ideas uncritically, but we are also taught from a young age when that kind of uncritical acceptance is dangerous.

Everyone (well, almost everyone) learns from an early age not to trust strangers. So if a stranger stopped us on the street and said “I live in the house at the end of the block but I have to leave, so walk on in and take whatever you like,” there’s no way we’d believe him. But we aren’t taught to distrust the Internet.


To make matters worse, I think the Internet confuses people by messing with the signs we have been taught to accept to mark trustworthy people and institutions. We are taught to separate folks within our sphere of trust from folks outside of it, but we are not taught that this trust doesn’t extend to the Internet.

So, for example, most of us trust our mothers. If we receive an email and it’s got Mom’s “from” address on it and claims to be a greeting card, we’ll likely download it and run it without a second thought, because we trust Mom. What we haven’t been taught is not to trust the From: address on any email. People don’t realize how easily that is faked; the email is trusted because it bears the mark of being from a person inside our sphere of trust, but that mark itself is untrustworthy.

Same deal for a defense contractor who receives an email that claims to be from his Pentagon contact. Because the email carries a mark of a person inside the sphere of trust, the email is accepted.
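The point about the From: address, as an added example that is not part of the original post: the From: line is text chosen by whoever sent the message, but a receiving mail server does record evidence it can verify, namely the envelope sender (Return-Path) and the SPF, DKIM and DMARC outcomes it writes into an Authentication-Results header. The script below weighs the visible From: against that evidence. Both messages, the domains `example.com` and `example.net`, and the host `mx.example.com` are constructed for the example.

```python
"""Why a From: address is not by itself a mark of trust.

The From: line is plain text chosen by the sender.  What the receiving
server can actually verify is recorded elsewhere: the envelope sender
(Return-Path) and the SPF/DKIM/DMARC outcomes it writes into an
Authentication-Results header.  Both sample messages below are constructed
for this example and carry the same visible sender.
"""
import re
from email import message_from_bytes
from email.utils import parseaddr

# Constructed: the visible From: claims to be a trusted person, but the
# envelope sender is an unrelated host and the receiving server recorded
# SPF and DMARC failures.
SPOOFED = b"""\
Return-Path: <bounce-1234@mailer.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=example.com
From: "Mom" <mom@example.com>
To: me@example.com
Subject: A greeting card for you!

Open the attached card :)
"""

# Constructed: same visible sender, but the envelope domain matches and the
# receiving server verified SPF, DKIM and DMARC.
AUTHENTICATED = b"""\
Return-Path: <mom@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Mom" <mom@example.com>
To: me@example.com
Subject: Dinner on Sunday?

Are you free on Sunday?
"""

FAILING = {"fail", "softfail", "permerror", "temperror"}


def _domain(value):
    """Lower-cased domain of an address header value ('' when absent)."""
    _, addr = parseaddr(value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _auth_results(value):
    """Extract spf/dkim/dmarc verdicts from an Authentication-Results value."""
    return {method.lower(): verdict.lower()
            for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=([A-Za-z]+)", value or "")}


def assess_sender(raw):
    """Weigh the visible From: against verifiable evidence.

    verdict is one of:
      'authenticated' - the receiving server recorded dmarc=pass for the From: domain
      'suspicious'    - an explicit SPF/DKIM/DMARC failure, or the envelope
                        sender's domain differs from the From: domain
      'unverified'    - nothing failed, but nothing proves the sender either
    """
    msg = message_from_bytes(raw)
    from_domain = _domain(msg["From"])
    envelope_domain = _domain(msg["Return-Path"])
    auth = _auth_results(msg["Authentication-Results"])

    if auth.get("dmarc") == "pass":
        verdict = "authenticated"
    elif FAILING & set(auth.values()) or (envelope_domain and envelope_domain != from_domain):
        verdict = "suspicious"
    else:
        verdict = "unverified"
    return {"from_domain": from_domain, "envelope_domain": envelope_domain,
            "auth": auth, "verdict": verdict}


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("authenticated", AUTHENTICATED)):
        print(name, assess_sender(raw))
```

Two caveats a deployment has to handle: an Authentication-Results header is only meaningful when it was added by your own receiving server (the authserv-id `mx.example.com` here), so inbound copies of that header must be stripped or ignored before this check runs; and the envelope/From mismatch rule is deliberately coarse, since mailing lists and bulk senders legitimately trip it, which is why DMARC alignment rather than that rule decides the "authenticated" verdict.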

Phishing scams rely on that, too. We mostly trust our banks, and we are familiar with what our bank Web site looks like. So we associate things like the bank’s logo and the bank’s Web site layout, which are familiar and comforting, with that feeling of trust. We so strongly associate things like the bank’s logo with the bank itself that just the appearance of the bank’s logo can make whatever it’s attached to seem trustworthy.

In contemporary society, this is intentional; businesses do a lot of work and spend a lot of money to associate things like logos with the business, and to attach the logo to our emotional response. But what that means is the logo and the familiarity of the Web site layout make us trust the fraudulent phishing site. These things carry more weight with us than, say, the padlock that shows a secure connection, or the URL of the site, because we have not been taught about those things but we have been taught to associate the logo with our feelings of trust in the bank. So we fall for the scam Web sites, and we voluntarily turn over information that otherwise we would be unlikely to give to anyone.


So again what happens is that we see the Internet as a technological construction, and we seek technological solutions to security problems, when perhaps it might be more effective to see the Internet as a social construct, and teach people “never trust an email from anyone” or “never trust a Web site that does not show a padlock on it” the same way we teach people “don’t talk to strangers” and “don’t give your bank account number to people you don’t know.”
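The padlock and the URL, which the essay says people are not taught to look at, are exactly what a program can look at for them. As an added example that is not part of the original post, the script below pulls every link out of a constructed phishing-style HTML message and reports why each should or should not be trusted against the bank’s expected domain: a plain `http://` link (no padlock), a URL with the bank’s name buried as a subdomain of someone else’s domain, a digit-for-letter look-alike, a `user@host` trick, and link text that shows one site while the href points to another. `example.com` stands in for the bank’s real domain; every other host name in the sample is constructed.

```python
"""Checking where a link actually goes, rather than what it looks like.

A phishing page can borrow the bank's logo and layout; it cannot borrow the
bank's domain name.  This example (added here, not from the original post)
extracts every link from a constructed HTML message and lists findings for
each one against the bank's expected registrable domain.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

EXPECTED_DOMAINS = {"example.com"}  # constructed stand-in for the bank's domain

# Constructed phishing-style message body.  No real sites are referenced.
PHISHING_HTML = """
<p>Dear customer, please
<a href="http://example.com.account-verify.test/login">https://www.example.com/login</a>
to confirm your details.</p>
<p>Or <a href="https://examp1e.com/">sign in here</a>.</p>
<p>Need help? <a href="https://www.example.com/help">Help</a></p>
<p><a href="https://www.example.com@login-portal.test/">Secure login</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name.  Simplification: production code should
    use the Public Suffix List, since e.g. 'co.uk' is not a registrable domain."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


# Digit-for-letter swaps common in look-alike names (heuristic, not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

_DOMAIN_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def _host_shown_in(text):
    """Host name the link *text* displays, if the text is itself a URL or domain."""
    text = text.strip()
    host = urlsplit(text).hostname
    if host:
        return host.lower()
    return text.lower() if _DOMAIN_RE.match(text) else None


def check_link(text, href, expected=EXPECTED_DOMAINS):
    """Return the list of findings for one link; an empty list means no finding."""
    findings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    if parts.scheme.lower() != "https":
        findings.append("no-https")               # the browser will show no padlock
    if parts.username is not None:
        findings.append("userinfo")               # 'bank@other' - text before @ is not the host
    if reg not in expected:
        findings.append("foreign-domain")
        if any(host.startswith(e + ".") for e in expected):
            findings.append("brand-as-subdomain")  # example.com.account-verify.test
        if any(reg.translate(CONFUSABLES) == e for e in expected):
            findings.append("lookalike")           # examp1e.com
    shown = _host_shown_in(text)
    if shown and registrable_domain(shown) != reg:
        findings.append("text-href-mismatch")     # text names one site, href another
    return findings


def audit_html(html, expected=EXPECTED_DOMAINS):
    """Extract all links and check each; returns [(text, href, findings), ...]."""
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    return [(t, h, check_link(t, h, expected)) for t, h in parser.links]


if __name__ == "__main__":
    for text, href, findings in audit_html(PHISHING_HTML):
        print(f"{href:55} {findings or 'ok'}")
```

The check is deliberately about the registrable domain rather than the page’s appearance, since that is the one thing the fraudulent site cannot copy. A TLS padlock alone is not sufficient either: `https://examp1e.com/` would show one, which is why the domain comparison and the look-alike heuristic run regardless of scheme.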

I’m not saying there’s no need for technological security, mind you. There are still folks who exploit technical flaws in computers, or who attack computers using technical attacks like DNS cache poisoning or DNS rebinding attacks. Securing computer networks is still a necessary thing to do, and on that score the Internet as it now exists gets pretty dismal marks.

But what gives the Internet its power is the way people use it, not the hardware that makes it up. It is a social construct; it’s essentially nothing more than a communication medium. And any time you have communication, you have the potential for cons and fraud. I really do think that we have not yet, as a society, learned to extend the same degree of distrust to the Internet as we have to things in “real life,” and as a result the natural tendency for us to believe rather than disbelieve is easily exploited on the Internet.

34 thoughts on “Some thoughts on computer security and credulity”

  1. I’m not sure if it’s so much people being credulous, or people being so intimidated by the amount of education or intelligence they perceive as being necessary that they simply classify computers as “magic”, and thus something that they just can’t be expected to understand. Or, in some cases, if they’re just lazy.

    I went over this recently on a message forum I’m on. I consider myself a barely competent computer user, a proto-geek in an early larval stage at best. I am, regularly, stunned and horrified that the following simple operations are not common knowledge:
    1. Buy a computer and all its necessary accessories without assistance or being “escalated” unnecessarily by the salesweasel.
    2. Install an OS from a series of disks.
    3. Download and install patches.
    4. Download and install and configure Firefox, Thunderbird, AVG, Ad-Aware, Spybot, and various Firefox plugins.
    5. Install chat clients.
    6. Install a RAM upgrade (although I still have a hard time with that as I tend to be afraid of “forcing” it and then breaking something).
    7. Navigate a LAN fairly well.
    8. Successfully use usernames & passwords.
    9. Identify and delete suspicious emails.
    10. Check “Virus alert” forwards on Snopes.
    11. Connect to various wifi spots while out & about.
    12. Basic troubleshooting; Googling error messages, searching forums for answers, rebooting computer, power cycling modem, router, etc.

    IMO, these are basic – very, very basic – computer skills. And yet, there seems to be a significant portion of the population that simply flatly *refuses* to learn any of these. I have to wonder if this has more to do with it than credulity/gullibility. I think there’s an element among the broad population that simply classifies computers as “that geek stuff” and thus either unlearnable except by a special few, or is an undesirable field of study because it will “make you a geek” – depending on if the individual admires “geeks” or views them with derision.

    I really hope that made sense. :-/

    • The main difference, I’ve found, between the computer savvy and the non-savvy is whether they fear the computer or not. When I go into a computer and start futzing with software and settings or pull open the case, my assumption is that I won’t break anything. However, non-savvy people get spooked every time they have to drift slightly outside their realm.

      When I do training with people (it’s been a while but used to do this a lot), I try to make a point of getting them comfortable with it. Helping them to play with it and learn and try to teach them that if things break, it’s because some programmer or hardware designer screwed up, not them. That it’s helpful to experiment and that the only reason I’m “good” at this stuff is because I’ve spent way way way too much time experimenting.

      • That’s how I learn what not to disable on startup. Shut a bunch of stuff I don’t know what it is off, and if something does not work when I restart, then I start turning things back on. MSCONFIG is a great thing to learn to NOT be scared of.

  3. Have you read “The Art of Intrusion” by Kevin Mitnick? It’s a simple and entertaining read about social engineers and how they use personal skills to bypass tech security. Talks a bit about the beliefs that get people into that trouble.

    Also, your linked article about our evolutionary propensity towards belief was wonderful and I enjoyed it very much.

  5. On the other side of the coin, I’m dealing with knee-jerk reaction to security as companies frantically struggle to close off their Sarbanes-Oxley compliance. Since precedents are not yet set, it is a bit of a free for all when it comes to security audit recommendations on suitable system controls. Some of them end up being pointless because they are either not auditable or unmanageable.

    An excellent example would be enforced password controls – at least 9 digits, a lower case alpha, and upper case alpha and a symbol or a number, 30 day mandatory expiry. Sounds great, but now when you walk past “cubicle-clerk-Murielle” she’s got a post-it note on her monitor with her password written on it.

    I don’t think this situation is much different than the ones you describe, but there is an element of intersectionality between the gullibility you describe and just plain lack of sophistication.

    While some sophisticated users may make errors in judgment (gullibility), I find those are easier to address with training than users who have been placed into sophisticated positions despite their practical system experience. Oftentimes training becomes very complex because there are additional issues like user age (anxiety), forced change (hostility), et cetera.

    • OMG HATE PASSWORD CONTROLS

      I cannot tell you how much those stupid password controls have driven me nuts. Most systems do the thing where you have to change your password, but it’s not that picky about new password similarity. So you can just rotate a number or some such.

      I did have to deal with one system though where it would ask for a brand new and very complex password every month and it wouldn’t allow any repeats. I know well enough not to write down a password but I was sorely tempted every time I had to do it.

      It also drives me nuts when I pick a password that would be utterly impossible to guess or crack but doesn’t happen to meet the precise criteria of their algorithms. Like I could have a 10 character password that’s all lower case letters and read as total gibberish, yet get rejected because it doesn’t have special characters, numbers, different cases, etc. But could put in my name and just l33t it, and it would get through just fine and be easy to guess.

      • Re: OMG HATE PASSWORD CONTROLS

        I feel your pain.

        Do a search for some free password software called “whisper”. It is a nifty little program that I use and keep right on my desktop. It is encrypted, so safer than keeping them in most password-protected documents. The developer makes no guarantee of its safety and it is complete freeware, so the problem ends up being that it is absolutely not sanctioned by tech security groups. But we end up recommending this under the table for a lot of users that are about to pop a vein from password controls.

        You have my word that I’ve been using it for years and I keep all my VAST number of personal and work passwords tracked in this software. But of course, you’ll want to download/validate it through a site like PCWorld so that you don’t end up proving the point of this original post about trust and gullibility!
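The password-control thread above makes a concrete, testable claim: a composition rule (at least 9 characters with lower case, upper case and a digit or symbol) accepts a l33t-spelled name and rejects a random 10-letter string, and a 30-day expiry just gets a digit rotated. As an added example that is not part of the original comments, the script below puts that composition rule beside a check aimed at what actually makes a password guessable: dictionary words under cosmetic substitutions and rotations of the previous password. The word list is a small constructed stand-in for a breached-password list, and the sample passwords are constructed.

```python
"""Composition rules versus guessability.

The checklist policy from the comments accepts 'P@ssw0rd1' and rejects a
random 10-letter string.  This added example contrasts that rule with a
check that undoes l33t substitutions, matches against a word list, and
detects a rotation of the previous password.  COMMON_WORDS is a constructed
stand-in for a real breached-password list.
"""
import string

COMMON_WORDS = {"password", "welcome", "letmein", "summer", "murielle"}  # constructed

# Common letter-for-symbol substitutions, undone before dictionary matching.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "0": "o",
                      "$": "s", "5": "s", "7": "t"})


def composition_policy(pw):
    """The audit-checklist rule: >=9 chars with lower, upper, and a digit or symbol."""
    return (len(pw) >= 9
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() or c in string.punctuation for c in pw))


def _core(pw):
    """Strip leading/trailing digits and symbols, undo l33t, lower-case:
    'P@ssw0rd1' -> 'password', 'Summer2008!' -> 'summer'."""
    return pw.strip(string.digits + string.punctuation).translate(LEET).lower()


def guessability_check(pw, previous=None, min_len=10):
    """Return the reasons to reject a password; an empty list means accepted."""
    reasons = []
    if len(pw) < min_len:
        reasons.append("too-short")
    core = _core(pw)
    if core in COMMON_WORDS:
        reasons.append("dictionary-word")      # 'P@ssw0rd1', 'Muri3lle!'
    if previous is not None and _core(previous) == core:
        reasons.append("rotated-previous")     # 'Summer2008!' -> 'Summer2009!'
    return reasons


if __name__ == "__main__":
    # Constructed samples that show the two checks disagreeing.
    for pw, prev in (("P@ssw0rd1", None), ("xkqzvlmtpa", None),
                     ("Summer2009!", "Summer2008!"), ("correct horse battery staple", None)):
        print(f"{pw!r:32} composition={composition_policy(pw)!s:5} "
              f"guessability={guessability_check(pw, prev) or 'ok'}")
```

The composition rule is a proxy for strength that an attacker can satisfy trivially, while the second check tests the property the rule was meant to approximate; in practice the word list would be a full breached-password corpus and the rotation check would run against the user’s password history at change time, which is also where the 30-day expiry comes from in the first place.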

  7. I’m really glad that I’m Dutch and live in the Netherlands. I also get all these scams, spams and phishing stuff. But since they are almost always in another language than Dutch, it’s not likely to come from my Dutch bank.

    And by the time the Dutchies found out that they too can spam and scam, we other Dutchies were a little bit better educated.

    But I still have this one friend, who keeps asking me whether this or that is real or not. At least she’s asking me now…

  9. The first thing you learn if you do any amount of research into computer security is that the number one weakness is people. When a company is hired to exploit the security of a company, the first thing they do is find people they can exploit. Follow an employee in through a door. Call up somebody pretending to be tech support and ask for their password. Cracking firewalls and such is much much harder than it’s made out to be in the movies. Tricking people is easy.

    The trouble of course is that by our nature, humans are rather trustworthy. You can train people in all the security procedures in the world and they’ll still let some guy follow them into the office that they don’t know. Why? Because they assume the person’s harmless and it’d be rude to tell them no.

    I was working as a contractor at a company for several months and there was a delay in getting me a security pass. So every morning I’d sneak in behind somebody. Only once did somebody question me and then, as I recall, I was able to talk them into letting me in anyway. Now, my reasons for being there were totally legitimate but nobody knew that.

    Now, as for the specific issue of mass infection worms like Storm, etc, I think the best approach will, in the end, be to treat them as an infectious agent. Sure you try to encourage people to protect themselves, but at the end of the day, I think we’re going to have to look into creating an Internet immune system where we launch counterattacks on these systems to remove dangerous infections.

    Having said that, the irony is that a giant botnet is probably secure against most common threats because the botnet can be forcibly upgraded to patch security holes that would lead to breaches in the botnet. Also, possessing control over hundreds of thousands of computers makes it far easier to detect and isolate security breaches.

  15. Great analysis, as usual. Not having kids myself, I’m really curious about whether kids who grow up with networked communication from Day 1 have better reflexes about such things.

  17. One of my all-time favorite books is Why People Believe Weird Things: Pseudoscience, Superstition, and Other Confusions of Our Time, by Michael Shermer, who’s one of my personal heroes. I met him briefly at a science fiction convention last October, and he’s just as amazing in person as he is in print.

    An excellent book (got it for me for Christmas), and meeting Dr. Shermer was a high point of D*C for me as well.

    At the CFI conference in Orlando a couple of months ago I picked up a book that, while a much quicker read than Weird Things, is more focussed on the practical side of becoming aware of the innate-but-surmountable limitations of our reasoning. It’s Don’t Believe Everything You Think, by Thomas Kida (ISBN 159102408-0). I just started reading it yesterday and I’m hooked. Each chapter reads like the best of your LJ essays. I highly recommend it.
