We keep warning of Facebook scams, but people keep clicking. We keep explaining dangers of malware, but people still keep clicking. Why are people sometimes so silly when it comes to computer security? With all the warnings, with all the factual data on damage done, they still don’t take computer security seriously, even at a basic level. “That’s dangerous? I didn’t know,” is what they tell me. It’s as if they were driving a car blindfolded on the assumption that an accident couldn’t ever happen to them anyway. Here are two anecdotes from people I know that occurred recently and again got me ranting.
Once your friends learn that you’re into computer security, they’ll ask you all kinds of questions. The other day a friend rang me asking for help. He said that he urgently needed to install a pirated version of a program, but that his ESET antivirus program was preventing him from doing it. And he wanted to know how to disable the antivirus. At first I thought he was joking, but sadly he wasn’t. Think of your antivirus as a sort of virtual airbag, preventing (or at least mitigating) damage to you and your vehicle in the event of a car crash. In this case we have a driver asking how to disable the airbag when he’s driving on the wrong side of the road… Unfortunately many people still just see the antivirus as that pesky thing that is preventing them from doing all the fun but risky stuff with the computer.
We all know pirated software is illegal, but we also know many people don’t care about that. But apart from the issue of legality, from a security analyst’s perspective this is a seriously naive view of human nature.
Why do you think pirates make licensed software freely available for people to download? Out of the goodness of their hearts? They have nothing better to do, so they go through the trouble of cracking software protection and giving it to people just for the kicks? If you believe that, you probably also sincerely believe there’s a pot of gold at the end of the rainbow. Well, there do seem to be people who sincerely believe that information wants to be free and that artists, musicians, authors and software publishers should not expect to be paid for their time and labour. (Try that argument with your plumber or your lawyer…) The truth is, though, that while you may get hold of entirely functional pirated software, there’s also a good chance that, unknown to you, you will also get a little something extra with it. A trojan, a keylogger, a rogue antivirus installer, or something equally desirable: a little piece of malware that can turn into a big problem when cybercriminals use it to start stealing money from you. And often, they steal a lot more than buying the licensed software would have cost you.
The second anecdote concerns a friend who walked into a cyber-cafe abroad in order to check his mail and social networks. He found an available computer and realized that the previous user had forgotten to log out of his Facebook account. Believing this was a one-off mishap, he kindly logged him out and then checked another computer. But on that machine, someone else had also left the browser still logged in. And he found two more machines with the same problem. What if my friend had been a bad guy and had taken the opportunity to change those people’s passwords and abuse their profiles? As it was, he merely notified them that they needed to be more careful, then logged them out. Many public computers don’t have automatic logout and other security features enabled when you close the browser. So it’s up to the computer user to be extra careful and to make certain he has logged out of all the services he has logged into, and to take other commonsense measures like deleting his browsing history.
So, while the bad guys are coming up with infinite ways of targeting people online with scams, swindles, infections, theft, and so on, we are appealing to all computer users at least not to be silly, and to use common sense and some basic secure behaviour when dealing with sensitive things such as malware and password protection.
While we haven’t published much specific to the safe use of publicly available computers (cyber cafes, kiosk computers, library facilities, and so on), which sounds like a project worth spending some time on, David Harley did put together a blog series last year on safe computing in general: see http://blog.eset.com/?s=cyber-bullets.
IT Security & Cybercrime Analyst