Most In US Have False Sense of Online Security

Posted by kdawson on Thu Dec 06, 2007 11:16 AM
from the can't-hear-you-la-la-la dept.
BaCa sends along a link from Net-Security on a study of attitudes among Americans about the security of their PCs, versus their actual vulnerability. "More than half of computer users who think they are protected against online threats like spyware, viruses, and hackers actually have inadequate or no online protection, according to an independent research study conducted for Verizon... While 92 percent of participants thought they were safe, the scans revealed that 59 percent were actually vulnerable to a variety of online dangers. Ninety-four percent of those surveyed said they would find it helpful to be able to diagnose or check their online security status on a regular basis to make sure their PCs were safe."

This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • At least once a year... (Score:5, Funny)

    by betterunixthanunix (980855) on Thursday December 06, @11:19AM (#21598167)
    At least once a year, these results come out in yet another study. Perhaps we should declare a new holiday: False Sense of Security Day (and of course, False Sense of Security Eve, when a hacker in a Santa suit constructs an enormous botnet and takes down a few small mailservers with spam).
    • Re: (Score:3, Interesting)

      False Sense of Security Day

      It would be on the anniversary of the signing of the patriot act.

      So many political jokes to make about this...so little time to post them all
    • Re:At least once a year... (Score:5, Informative)

      by secPM_MS (1081961) on Thursday December 06, @11:56AM (#21598789)
      This should be called the neverending story. Unfortunately, I think that name is already taken by a children's book. The query is a bit inappropriate. I am not safe simply if I have my AV and anti-malware SW installed and updated. I MAY be safer, but the AV and anti-malware SW can itself be a vulnerability.

      Increasingly, the attacks are made at the application level, not the OS level. The OS can protect itself from a non-administrative user, but cannot be expected to protect itself from an administrative user who has been fooled into doing something inappropriate. The AV and anti-malware SW try to protect against known issues, but it is a best effort sort of thing.

      If you are browsing, do you have javascript, java, flash, etc. enabled? If so, you have the neat functionality, but you are very vulnerable to compromise by hostile / compromised web servers.

      If you are running as a normal (non-administrative) user such compromise can compromise anything you do. If you are running as an administrative user such a compromise can compromise your system (in Vista, you would have to OK the UAC prompt).

      If you open .pdf attachments or pdf's on web sites, is your pdf reader fully updated? Exploitable security issues have been found routinely in certain pdf readers.

      If you open Microsoft Office documents, is your Office software fully updated? Numerous attacks have been launched via such documents. Office 2007 has far fewer vulnerabilities than Office 2003. Note that using OpenOffice does not inherently protect you. The same type of vulnerabilities exist in OpenOffice.

      If you have Apple's QuickTime, do you keep it updated? It has had large numbers of vulnerabilities.

      Then we can go into the world of media and games, where many vulnerabilities exist and all too often the application in question is internet facing.

      If you want ease of use, feature richness, and dynamic extensibility, you are not going to have a high level of "security / assurance". A web world of static HTML without any scripting and limited media is quite safe - but it is not what the customers want. A similarly restricted application functionality set can be made truly safe as well, but is not what customers want. Users feel comfortable and safe with what they routinely work with, even if this is inherently dangerous. This is as true for computer users as it is for industrial / research workers, who tend to get a bit casual about even truly dangerous issues (I used to be an industrial safety officer in research laboratories).

      • Re:At least once a year... (Score:4, Insightful)

        by vtcodger (957785) on Thursday December 06, @01:08PM (#21599923)
        ***If you are running as a normal (non-administrative) user such compromise can compromise anything you do. If you are running as an administrative user ...***

        All the data that I actually care about compromising is in my user account so it's at risk no matter what. I suppose that I really should move my financial and other sensitive stuff to a different user account that never uses the internet. I don't know anyone who does that and I've never seen it in a list of security suggestions.

        And I don't see anything that prevents my user account from being used in Denial Of Service attacks against external servers. Or that prevents my user account from attacking servers of any sort on my local PC or on the intranet. And what -- other than the fact that it's probably not necessary -- is to stop the virus maker from including a selection of privilege escalation exploits in his bundle of aggravation?

        Overall, I think that the Don't_Run_As_Admin_And_You'll_Be_OK lot are another bunch of folks with a false sense of security. I'd fault them because unlike naive users, they should know better. (However, running as admin in a multiuser environment really does put other users at additional risk).

        While we're talking about false sense of security, let's don't forget the smug Mac and Linux users. We don't need virus checkers. More accurate would be We don't need virus checkers yet. Both systems are built with the same flawed by design technologies used to build Windows. If we insist on coding in a language that permits buffer overflows, we are probably going to have buffer overflows. Same for many other attacks on sloppy/incomplete/nonexistent legality checking, etc. Carbon/Cocoa/Linux are by no means immune from these problems even if there are few current attacks.

        I also strongly suspect that the biggest current positive factor preventing a total PC security meltdown is the use of NAT routing which strongly discourages unsolicited attacks on non-server PCs. What's going to happen when/if ipv6 comes along and NAT routing goes away?

        • Re: (Score:3, Interesting)

          If you are using your machine as a single user system you are clearly right. The data you care about is in your user account. It is easier to clean up a user-space compromise than an administrator compromise, where you probably have to flatten the system a
  • by UbuntuDupe (970646) * on Thursday December 06, @11:20AM (#21598175) Journal
    I don't know how good Verizon is at online bank security. I mean ... how safe can you be when you look at your bank account and can't distinguish .02 dollars and .02 cents?

    *ducks*
  • Old news (Score:5, Insightful)

    by Billosaur (927319) * <wgrother@@@optonline...net> on Thursday December 06, @11:22AM (#21598203) Journal

    It's not like this hasn't been noted before: PEBKAC Still Plagues PC Security [slashdot.org]. Your average user firmly believes what they are told by "experts" or the guy who sells them the computer. They are not web-savvy and don't dig into the background on computer security. They think that all they have to do is run their spyware remover and update their anti-virus and they're fine. Heck, too many don't even know they have such utilities, and if they do know, aren't actually aware if they are running or not!

    Computer security must be taken out of the hands of the user where the user is likely to not have a clue how it works.

    • Re: (Score:2)

      They think that all they have to do is run their spyware remover and update their anti-virus and they're fine.

      Exactly. As if removing the spyware also went back in time and actually prevented the spyware from HAVING SPIED on you already!
      • Re: (Score:3, Interesting)

        Spyware removal is flawed, the focus should be on preventing it getting there in the first place.
        Same with viruses.

        The big problem is that people believe the hype..
        "Windows $version is the most secure windows ever!"
        "$program makes your machine secure"
        Rathe
      • Re: (Score:3, Insightful)

        except most good antiviruses/antispyware check for incoming stuff, not just what is already there. So it can still be useful.

        Not as useful as a good sense of paranoia, but quite useful.
      • Re:Old news (Score:5, Funny)

        by Cro Magnon (467622) on Thursday December 06, @12:02PM (#21598903) Homepage Journal

        Exactly. As if removing the spyware also went back in time and actually prevented the spyware from HAVING SPIED on you already!


        That's why you need a Mac. It has a Time Machine.

    • Re: (Score:3, Interesting)

      Computer security must be taken out of the hands of the user where the user is likely to not have a clue how it works.


      But then you have the problems of

      (a) who do they trust to do it. Part of the reason for this problem is that the user is too trusting, and
      • Re: (Score:2)

        My idea is that the security has to be built-in. An application, web or standalone, has to be built to be secure enough that it would not require the user's intervention (or outside third-party software) to secure it. As to the user's too dumb not to click

        • Re: (Score:2, Interesting)

          The problem is, short of a secure list of what can install/run (like application branding, properly implemented), and absolute prohibition of running non-branded applications, nothing can save the users from themselves.

          You have the trade off of "flexibilit
          • Re: (Score:3, Insightful)

            Make home directories non-executable, and set up the profiles to only get their startup config from a location other than the home directory, one that's protected from user writing? It wouldn't be that hard.
            • Re: (Score:3, Insightful)

              and you immediately lose a lot of the flexibility a user would want on their home system, for example - to add a program they find they need.

              If I'm working on my system and I find I don't have an advanced photo editor that I want/need, I could not install
    • Re:Old news (Score:5, Insightful)

      by Frosty Piss (770223) on Thursday December 06, @11:58AM (#21598829) Homepage

      Your average user firmly believes what they are told by "experts" or the guy who sells them the computer. They are not web-savvy and don't dig into the background on computer security. They think that all they have to do is run their spyware remover and update their anti-virus and they're fine.
      And why shouldn't they? Honestly, "average users" shouldn't have to be computer security experts. Average users use computers to play or do productivity tasks unrelated to software development and computer science. The fact is, the average user shouldn't have to be "computer savvy" and running spyware cleaners should do just that. Blaming "average users" for the fact that such dangers exist is missing the point.
      • Re: (Score:3, Interesting)

        That's my point. Security should be something that is taken out of the hands of the average user. They shouldn't be expected to become security experts. They should be taught how to be a little more web-savvy. I hear a commercial all the time on the radio

  • Completely content-free (Score:5, Insightful)

    by $RANDOMLUSER (804576) on Thursday December 06, @11:26AM (#21598279)

    * Spyware Protection: When asked how safe they felt their home PC was from spyware, 92 percent of respondents felt "safe" or "somewhat safe." In contrast, the Verizon Security Advisor scan revealed that the majority (58 percent) were "at risk" or "potential risk" from spyware infection. Nineteen percent were critically "at risk" from spyware infection.
    * Virus Protection: When asked how safe they felt their home PC was from viruses, 92 percent of respondents felt "very safe" or "somewhat safe," whereas the Verizon Security Advisor scan revealed that 45 percent were "at risk" or "potential risk" from virus infection.
    * Firewall Protection: Nineteen percent of respondents had their personal firewall turned off.
    Please define "at risk", "potential risk", "critically at risk".
    And by "personal firewall" do you mean that POS built into XP, or the POS from Symantec? Or do you mean the router firewall?
  • I have absolute faith (Score:3, Funny)

    by ackthpt (218170) * on Thursday December 06, @11:27AM (#21598297) Homepage Journal

    this missive is stored on a secure server.

    My name is Milo T. Farnsworth, D.O.B 27/07/1974 My Switch number is 3975-4438-0098-2310, expiry 04/09

    Please take care of this, I will be on an extended trip for the next 2 months, during which I will require great use of my $10,000 credit limit.

  • by benadamsdotcom (1126811) on Thursday December 06, @11:28AM (#21598299)
    Even after meeting online criminals in person, they still tried to rip me off. Fortunately, I tracked them down and got them. Stolen and Recovered 1949 Chevy Saga [blogspot.com]
  • XP (Score:3, Insightful)

    by truthsearch (249536) on Thursday December 06, @11:28AM (#21598305) Homepage Journal
    Doesn't XP have a big green light that tells users they're secure with a firewall and anti-virus protection? If an OS tells an average user they're secure, even if they're only marginally more secure, I wouldn't expect the average user to question it.
    • Re: (Score:2)

      Doesn't XP have a big green light that tells users they're secure with a firewall and anti-virus protection?

      Only with SP2. But you can bet a lot of folks aren't using SP2, or even Windows XP, for that matter. Windows 2000, 98, 95, ME ... they're all sti

    • Re:XP (Score:5, Insightful)

      by Billosaur (927319) * <wgrother@@@optonline...net> on Thursday December 06, @11:55AM (#21598777) Journal

      Most people have a yellow light on their dashboard that tells them when they are running low on gas, and yet people still run out of gas. I suspect most people wouldn't know what the green light meant if you asked them.

  • The best protection is a smart user. (Score:5, Insightful)

    by CastrTroy (595695) on Thursday December 06, @11:28AM (#21598319) Homepage
    I don't have any virus scanner or malware blocker, or firewall or any kind of security software whatsoever installed on my computer. Actually, I have clamwin, but I only run it once a week. It never finds any viruses. Yet I would say that I'm adequately protected because I have a brain. I don't run software from sites I don't trust. I use Firefox, which doesn't have a history of letting websites run malicious code, and I try to stay on sites that I trust. I have a router, and no incoming ports are forwarded to my PC, so I'm safe in that way I guess. At work I have Norton installed, because it has to be. To date, it has blocked 0 spyware, 0 viruses, and 0 worms. Because it hasn't encountered any, because I practice safe computing. It hasn't actually done anything except slow my computer down. What a great waste of money that was.
    • Re: (Score:2, Informative)

      > Firefox not having a history of letting websites run malicious code

      You obviously do not pay too much attention to the news. There was one just released that had to do with Quicktime and Firefox. I know of several others where Firefox was either name
  • What am I supposed to do? (Score:5, Interesting)

    by maillemaker (924053) on Thursday December 06, @11:28AM (#21598323)
    Look, my Windows machines auto-update themselves, and I have AVG running, which also updates itself. I have a firewall downstream of my modem and upstream of every other machine on the network.

    What else can I do?

    My wife is constantly playing and downloading games from the internet. No doubt she is polluting machines on our network.

    Basically my approach to security on my home machines is I wipe them and rebuild them every 6 months or so, in case there is some hidden malware on there that has turned my machine into a zombie.

    What I would really like is a "smart firewall" I could buy and put in place of my current firewall. This device would monitor all network traffic going in and out of my house, and it would stop the bad things from going through. It could even be a service whereby the device is managed by some security firm and I pay them to protect my network through this device.
    • I've got several family members' machines that I've got the firewall on, spybot installed (and immunized) and AVG and they still get spyware out the wazoo because they click "yes" to "ya wanna install this nifty search toolbar?"

      I've got a cousin that calls
    • Re: (Score:3, Informative)

      Don't give her privileged access to any machine...
      If you screw up your own account, wipe that user's files, the rest of the system should be fine and you can re-create the user.
    • I'm surprised such a router isn't readily available, especially with the new "evil bit" in RFC 3514: http://www.faqs.org/rfcs/rfc3514.html [faqs.org] :P
  • 94%? (Score:4, Insightful)

    by Delusion_ (56114) on Thursday December 06, @11:29AM (#21598331)
    This would be the target demographic of the malware antivirus attack, where a site does a browser hijack, slows your computer to a crawl, then starts bombarding you with ads for its "solution" to the problem its own malware caused.

    There is no single answer here. Affordable (or free) antivirus software that actually works would be a start, providing it isn't on the McAfee/Norton bandwagon of getting you to pay for a subscription and using up a fair amount of resources when running. There are good community-governed host file lists which can be a real help on many different levels - adware, phishing, malware, viruses, and some of the more onerous types of advertising. User education about basic practices is key - I'd like to see some Public Service Announcements on this, in the style of some of the American Lung Foundation's 1970's PSAs.

    I have to tell people over and over: "It doesn't matter if you trust Jackie not to send you a bad file. You also have to trust that Jackie is vigilant about computer security, and that she knows a lot about the subject. You also have to trust that her computer hasn't been compromised, or that her e-mail isn't a spoof, which requires you to understand a lot about message headers at the very least. Is an animated stripper dancing on your start bar really worth the risk?"
  • by ubrgeek (679399) on Thursday December 06, @11:29AM (#21598339) Homepage
    "Hi. I'm with Verizon. We're trying to see if your computer is secure. Mind if we scan it for vulnerabilities?"

    When they answered yes, why bother to go any further? In my mind, they're obviously potentially victims for spear-phishing types of attacks.
  • I know I'm secure (Score:5, Funny)

    by gEvil (beta) (945888) on Thursday December 06, @11:31AM (#21598371)
    I know I'm secure. I use only genuine Microsoft products. I remember seeing an ad that said that they're the most secure computer company there is.
  • I'm pretty sure online commerce would come to a screeching halt ( "Oh N003355!! My Pr0n tax $$$s!!!111eleven!", cries the establishment) if the great unwashed masses ever knew that their main, and possibly only, line of defense was safety in numbers.
  • In Other News (Score:4, Funny)

    by Fnord666 (889225) on Thursday December 06, @11:32AM (#21598391)
    In other news, 92% of all drivers feel that their driving ability is above average.
  • headline (Score:2, Insightful)

    Most In US Have False Sense of Security

    There, fixed that for you.
  • Let's keep this sort of journalism on Dateline please.

    The world is a dangerous place. Somehow, I think that humanity will soldier on nevertheless....
  • lulz (Score:4, Interesting)

    by thatskinnyguy (1129515) on Thursday December 06, @11:38AM (#21598469)
    *GASP* I thought AOL was keeping us all safe online!
  • You always need to be vigilant. You can't trust a software program to keep it safe. There are workarounds and security breaches for every platform. Even Linux or Macs...

    *** DO NOT RUN THIS UNLESS YOU ARE STUPID *****
    #!/bin/csh
    set uname = `whoami`
    if $uname
    • Re: (Score:2)

      Yes it probably won't work because I forgot to end the loop I wasn't going to go debugging it on my system...
  • I must have a false sense of security. If I see things realistically, I am going to have to don a tin foil hat and end up like the protagonist in John Varley's excellent story, "Press Enter."
  • I think this is a piece of research that anyone with a brain knows, and won't be accepted by those without one.

    $.02: don't even have to read the article - just the post saying it's a perennial dupe
  • by StickyWidget (741415) on Thursday December 06, @11:50AM (#21598663)

    the Radialpoint Software[me:the security advisor maker], in its default configuration, does not block ads from third parties or Verizon or its affiliates and business partners, and may not identify as spyware certain websites and applications from Verizon and its affiliates or business partners, Radialpoint Inc. and/or Verizon and its affiliates have the right and do access and modify the Software as well as the software (including registry settings on your computer) and/or your hardware for various purposes in connection with the Verizon Internet Security Suite (e.g. for the installation and implementation of the Software and updates to it) as well as to download, install and/or gather, obtain, collect and then use, in relation to the delivery and operation of Verizon Internet Security Suite, various information and data, including information necessary to identify you and your computer to ensure that Verizon Internet Security Suite is received as well as information necessary for the reporting of this service, and (iii) use of such information and data by Verizon will be in accordance with Verizon's privacy policy.

    Lemme translate: This software collects data about you when you run it, will continue to collect data about you, and if Verizon's business partners happen to be skeeze, they won't warn you about their spyware. Do. Not. Want. By the way, by using their security advisor, I agree to use their "Internet Security Suite" as well. Which reports on me, and allows Verizon to edit settings on my computer. Sounds a little like remote access, yes?

    Here's another thing: On the installation page itself, it says "Administrator rights are required to install this software." So that means that this ActiveX has access to ALL KINDS of fun functions and methods. Who is to say this can't be hijacked and turned into a mal-ware infection source?

    ~Sticky
    /Cannot believe this made the front page of Slashdot.

  • Sales Pitch (Score:3, Insightful)

    by Frosty Piss (770223) on Thursday December 06, @11:50AM (#21598675) Homepage

    ...independent research study conducted for Verizon...
    In a related story, Verizon has a $29.95 / month package just for the consumer worried about this sort of thing.
  • Oh jeez (Score:2)

    Also note, that while 98% of the people walking on the sidewalk felt safe, 100% of them were vulnerable to attack!

    I've been using home computers for as long as there have been home computers. The number of viruses/Trojans:
    1 Trojan that was on a floppy being
  • It bears repeating here, at this time (Score:4, Insightful)

    by zappepcs (820751) on Thursday December 06, @11:55AM (#21598781) Journal
    We do NOT need to protect our children from the evils on the Internet. We need to protect people in general. While the US might have more people who are gullible, there are gullible people all over the world. Computers are not simple to use and operate like a toaster, or other kitchen appliance. Even if they were, one look at the statistics of fire departments on the day before and the day of Thanksgiving should tell you that people, in general, are not competent to operate anything more complex than the shoestrings of their shoes.

    You can buy a car that costs less than some computers, but still need a license to drive it, and insurance in case you get into a wreck. Why should computing be any different? Oh, don't believe in the nanny-state? Well, stfu about kids needing protection from the evils of the Internet. Yes, give me that argument that motor vehicles are a life and death issue, or could be. I'll argue this, losing your identity or giving your life savings to some Nigerian prince is more or less a life and death issue, especially if you need that money in the near future for heart medicine.

    The point is, and well demonstrated in this report, that NOBODY is safe, and not just kids need some training and guidance. Using the Internet is not a game, and people should be taught better how to use it and avoid the pitfalls of modern life. If it sounds too good to be true, well it probably is. If someone is advertising it in an email, it probably is something you don't need or can live without. That goes also for television and other advertisements.

    I think that it is high time we, the human race, began to look at things a bit more intelligently. False sense of security? If it were not for Dept. of Homeland Security, most people in the US would think that flying was safe. This and other such campaigns are not about raising awareness or training, it is about selling antivirus and antimalware software.

    Why this should come as a surprise to anyone is beyond me. How long did it take to get people to wear seatbelts? The public, at large, is wont to believe experts, yes, but this is true despite the news that those same experts are paid by large corporations more often than not, and have been shown to be less than 100% honest.

    How long before 'made in China' means it is a lethal device? (won't happen) How long before people riot in the streets because the food we eat is not labeled correctly? (won't happen). This is just one more thing that the US populace in particular is blissfully ignoring. If you have to spend 2-6 months salary on something, you tend to figure out how it works and treat it with care, take it in for tune ups and such. How many reading this know of one or more people that just go get another pc when theirs acts up, or becomes slow?

    Ranting done. If you can't get people to read directions on the kitchen appliances, or cleaning recommendations on the tag in their clothes, you can't protect them from the evils of the Internet. Who would have thought we'd need instructions (too small to read) on cigarette lighters to stop them from ending up in baby's mouths? or warning notes on coffee cups that the contents are hot? I don't want to imply that people are ignorant... but
  • Most people probably feel the same way in the real world.
  • Key point (Score:4, Insightful)

    by gillbates (106458) on Thursday December 06, @12:26PM (#21599275) Homepage Journal

    The interesting thing about these studies is that they often conflate "computer users" with "Windows users". The problem is, that as a Linux user, I have no need to run anti-virus software or a firewall. I know which services are running on my machine, and have accepted the security risk thereof. But, consequently, we, (and the Mac users) get counted in the insecure group because of the faulty study methodology.

    I really don't think most users expect their machine to be secure. Microsoft Windows has been insecure for so long now that getting hacked is just expected after a certain period of time. In fact, I had a rather interesting conversation with an anesthesiologist:

    Him: I'm thinking about buying a new computer. What kind should I buy...
    Me: (I rattle off some specs) Why?
    Him: Well, it's slowed down again.
    Me: Well, why don't you just run Linux.
    Him: Well, I do a lot of gaming. I figure you're going to have to replace your PC once a year, anyway.
    Me: Why don't you just format and reinstall, and get yourself a good virus scanner and firewall?
    Him: What, do all that work? And then I have to reinstall everything? No, I'll just buy a new PC.
    Me: But you're just going to have the same problem later on. You'll get infected by a virus, etc... and you'll have to buy antivirus software.
    Him: No I won't - I'll just buy another PC. It's not worth my time to do all of that antivirus and firewall stuff...

    Words failed me at that point. But he did have a point. Most users believe that computers "just wear out" and slow down like an old automobile. They think that virus infection is a normal part of owning a computer.

    The problem isn't Windows, per se. It's that people don't expect any better.