Security's weakest link is people

Off the Beat: Bruce Byfield's Blog

A few years ago, a neighbor asked me to help secure their computer. I'm not an expert on Windows, but I told them to run non-administrative accounts except when doing maintenance, and set passwords for their regular accounts. I also suggested that if they avoided dodgy download sites, they might not have to pay to have their computer cleaned up every few months.

Several months later, I learned that they had gone back to using administrative accounts and stopped using passwords because they were "too much trouble." As for the hazards of download styles, they had just paid another $200 to have the malware and viruses removed.

I think of these neighbors whenever I see efforts to promote security and privacy like the EFF's An Introduction to Public Key Cryptography and PGP  or Qube OS' use of Xen to provide a "reasonably secure operating system." However much those of who already understand the importance of such efforts applaud, however desktop-ready security and privacy tools become, they will still be rejected by large numbers of computer users as too much trouble (as opposed to losing the use of your computer every few months while everything is reinstalled). When it comes to security and privacy, people are the greatest vulnerability.

In 2004, the BBC reported on a survey in which 70% of those stopped on the London underground would either reveal their passwords in return for a chocolate bar, or after mentioning that their passwords were based on the names of pets or children would go on to reveal that name in conversation. Twelve years later, the annual worst password list suggests that the understanding of the importance of passwords had not improved.

Faced with a choice of securing their system and short-term convenience, far too many people still prefer short-term convenience, ignoring the potential long-term costs. If they do not ignore basic precautions altogether, they carry them out in such a way as to make them useless, such as choosing a password like "123456," or writing their passwords down in an address book that they conveniently leave beside their workstation

Some of this carelessness might be due to a misplaced faith in static measures like firewalls or anti-virus applications, that people believe can be set up once and then ignored. However, given how often I have seen people give a guilty start and mutter lame excuses when I recommend a firewall, even one-time actions are too much inconvenience for many people.

In Unix-like operating systems like Linux, this carelessness often takes the shapes of an uninformed faith in the how the operating system is structured. People who are unable to explain exactly what features make Linux secure are nonetheless convinced that it is secure, and reject any suggestion that configuration plays a role as FUD propagated by Windows users.

Needless to say, this faith is misplaced. Anyone who doubts the importance of configuration only needs to look at the wide-open state of Android on the average tablet to understand that having a Unix-like operating system is not an automatic protection. Similarly, many security distributions routinely disable the automounting of flash drives and other external devices -- a practice that early distributions routinely followed, but which was discontinued shortly after the turn of the millennium in the hopes of making Linux as convenient as Windows.

Admittedly, viruses and other attacks on Linux usually go no further than the current account. Still, that is enough if a user is running all the time in root, or using no password or a weak one, especially if sudo is set up, and no defence in depth -- that is, multiple security measures -- are in place. In fact, even if an exploit is successfully confined to a single account, careless users may still be in trouble because making regular backups requires too much short-term inconvenience.

Beyond social engineering

The idea that people are the weakest link in security is not news to security experts. They even have a name for it: social engineering.

Social engineering refers to any exploit against a system that is not based on technology. It covers a wide variety of actions, from finding a list of passwords taped under the keyboard to using personal information such as a person's birthday or favorite sports star to break into a computer. Depending on configuration, breaking into a regular account based on knowledge of its owner can even be the first step to gaining root access.

However, the kind of carelessness I am describing goes beyond the usual examples of social engineering, although obviously this carelessness enables many types of it. But this carelessness can make any form of cracking unnecessary, leaving a system open without the need for any special effort. All too often, users who value convenience over security are defeating themselves before the crackers even begin their probe.

Developing tools for encryption or enforcing strong passwords is something I would like to see more of, but such efforts are only effective when people understand the need for them, and the tools themselves are as user-friendly as possible. Yet, besides providing tools, efforts to improve security have to educate people, not only about why they are needed, but of the consequences of ignoring them. Otherwise, carelessness is going to continue to undermine security, just as it has for the last thirty-five years.