security

Google: 95% of users ignore warnings of bad site

According to Google security researcher Fabrice Jaubert, 95% of users ignore the warning page that Google presents when they try to access a website that is likely to harm their system. The warning used to offer a button that allowed them to proceed to the page, and it is this button that users clicked. Google thus changed the page so that users must copy and paste the URL.

We've long known that users will click through, presumably without reading, any dialogs or alerts that are in the way of them getting what they want. I think this confirms it.

Just wow.

Related article: A peek into Google's anti-malware operation

Wired: Facebook privacy

Continuing on my theme of whinging about Facebook privacy policies, I thought this was a pretty good article.

Unintended consequences of computer viruses

The Spanish newspaper elpais.com last week reported that the crash two years ago of Flight JK 5022, killing 154 of 172 on board, was indirectly caused by malicious software.

A computer, located at the airline's headquarters, was responsible for sounding an alarm if the plane registered three faults. In this case a tube had twice reported as overheated, but the third instance was not received because the computer was infected with a Trojan virus.

Three things come to mind here:

The first is that critical systems should be more secure. Ultimately, however, it is very difficult to make a system that is completely secure and that also connects in any way with the outside world. Certainly such systems should not be based on a consumer OS, such as Microsoft Windows, that allows injected DLLs.

The second is that there should be consequences for those perpetrating such cyber crimes. We are well beyond the point in history where viruses are generated by kids working from their bedrooms. Today such acts are those of organized criminals, hidden behind levels of indirection and international borders. It is perhaps the verdict of murder that might galvanize action against these activities.

The third is the global threat we now face from politically driven cyber attacks. The recent Stuxnet virus illustrates just how sophisticated and dangerous these attacks can be. If you weren't paying attention, this virus is first spread via USB drive, then exploits four zero-day vulnerabilities to enable remote code execution, escalate privilege, and pass itself between computers. This worm has burrowed its way into some of the most secure and critical control systems in the world including, famously, a few thousand computers in Iran.

I'd like to close with an uplifting statement of how governments are taking cyber crime and cyber warfare very seriously, which they are, and how things will be alright. But I'm not optimistic enough to do this.

Update: A NYTimes article on the cost to Google of handling attacks

You've received a message from your doctor

Did I really? Which doctor? Who is RelayHealth? Am I supposed to click on that link, maybe provide some personal information to confirm my identity?

It’s shocking that it’s 2010 and the enterprises you care most about, such as your doctor, your bank, your investment manager, don’t have a simple electronic way to securely communicate with you. Except for FAX of course!

Cookie Wars

Lately the press has been on a rampage about user behavior being traced with browser cookies. Most of this attention ignored Flash cookies, until now. Not yet mentioned in the press are the other ways to leave cookies on your machine, including plug-ins, HTML5 or even (gasp) browser history.
