You can have all the firewalls and Internet security software in the world, but sometimes there’s just no accounting for human curiosity and stupidity.
Bloomberg reports that the US Department of Homeland Security recently ran a test on government employees to see how easily attackers could gain access to computer systems without needing any direct network access.
Computer disks and USB sticks were dropped in parking lots of government buildings and private contractors, and 60% of the people who picked them up plugged the devices into office computers. And if the drive or CD had an official logo on it, 90% were installed.
The full report on the Homeland Security study is due to be published later this year.
You may remember the Stuxnet Microsoft Windows worm last year, which targeted industrial software and equipment. Basically, computers with no external network connections were infected with the worm through what was thought to have been contaminated hardware, such as USB drives.
We’ve written a lot about IT security of late, much of which was related to the LulzSec hackers. Whilst systems that are pretty robust and ‘secure’ are still susceptible to hacks from those hellbent on causing havoc, it seems that the inherent curiosity and carelessness of humans is still at the root of many problems.
All this points to the much-used ‘user error’ acronym, PICNIC: problem in chair, not in computer.
Mark Rasch, director of network security and privacy consulting for Falls Church, Virginia-based Computer Sciences Corp., told Bloomberg:
“There’s no device known to mankind that will prevent people from being idiots.”
The idiot factor is apparent in the design of WINDOWS. When installed, XP defaults to autoplay of CDs and USB sticks. Is this stupid or what? I blame Microsoft. I do not need to know how refrigeration works when I plug in my new refrigerator. I expect it to be safe and do the job safely. But with WINDOWS, this is not the way.
Hate to say it, as tempted as I am to blame Windows, the issue is, has been, and always will be human naiveté.
Can’t blame the gun when it goes off if the person cleaning it keeps the barrel pointed at their eye.
AUTOPLAY isn’t the problem. I bet the users would run executables if given half a chance.
Try blaming the real problem, IT people.
Auto-play can be turned off on Windows. Running an OS can be like having to learn refrigeration to operate your fridge, so you’re saying only IT people should have computers; then only fridge techs should have cold food. The OS is made to be simple for inexperienced users; it is a capable OS. Open source is much harder to use, and in some cases can be very powerful (because it does not have all the extras making it easy to use). Don’t blame the OS, blame the IT guy that lets unsecured machines in. No matter what, it is IT and the decision makers that are responsible.
PICNIC is much used? I think you mean error ID10T
OK, I have been using this method for years as a professional pentester. If you think this one is bad, try leaving a CD-ROM lying in a corporate bathroom with a label “XX company 2011 company layoffs” and see who picks it up and reads the malware I attached to a fake spreadsheet. This is a people problem, not an MS or any other vendor’s problem. The ONLY solution is awareness and end user training to not do it. And even then some will; it’s all about risk mitigation. Sure, I can lock down the OS and have the IT guys disable autorun for USB and CD-ROM, but remember the setup above: I don’t need autorun when a user double-clicks a spreadsheet. Blaming the IT guys is like blaming the fridge delivery guy because it gets too cold; be a responsible owner/user and read the manual and reach in and turn the dial down.
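The two comments above both point at the same control: turning AutoRun/AutoPlay off for removable media, and then remembering that it only stops automatic execution, not a user opening a file by hand. The script below is an added example, not the article’s or any commenter’s code. It sets the documented Explorer policy values for the local machine and reads them back as a compliance check; it assumes an elevated PowerShell session, and the function and variable names are the example’s own.

```powershell
# Added example (not from the article or any commenter): disable AutoRun/AutoPlay
# for removable media on the local Windows machine and verify the result.
# Assumes an elevated PowerShell session. Registry paths and value names are
# the documented Explorer/USBSTOR policy values; function names are illustrative.

$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$UsbStorService = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Set-PolicyDword {
    param([string]$Path, [string]$Name, [int]$Value)
    # Create the policy key if a fresh install has never had it, then write the DWORD.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Disable-RemovableMediaAutoRun {
    # 0xFF sets the bit for every drive type: no AutoRun on USB, CD/DVD, network or fixed drives.
    Set-PolicyDword -Path $ExplorerPolicy -Name 'NoDriveTypeAutoRun' -Value 0xFF
    # NoAutorun = 1 stops autorun.inf from adding its own entries to the AutoPlay dialog.
    Set-PolicyDword -Path $ExplorerPolicy -Name 'NoAutorun' -Value 1
    # NoAutoplayfornonVolume = 1 also blocks AutoPlay for non-volume devices (cameras, phones).
    Set-PolicyDword -Path $ExplorerPolicy -Name 'NoAutoplayfornonVolume' -Value 1
}

function Disable-UsbMassStorage {
    # Optional, stronger control for kiosks and sensitive hosts: Start = 4 keeps the
    # USB mass-storage driver from loading at all (3 is the default "manual" start).
    Set-PolicyDword -Path $UsbStorService -Name 'Start' -Value 4
}

function Test-RemovableMediaAutoRun {
    # Emits one object per setting with Expected/Actual so a config-management run
    # can flag drift; a value that was never written shows Actual = $null.
    $expected = [ordered]@{ NoDriveTypeAutoRun = 0xFF; NoAutorun = 1; NoAutoplayfornonVolume = 1 }
    foreach ($name in $expected.Keys) {
        $actual = (Get-ItemProperty -Path $ExplorerPolicy -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Setting   = $name
            Expected  = $expected[$name]
            Actual    = $actual
            Compliant = ($actual -eq $expected[$name])
        }
    }
}

Disable-RemovableMediaAutoRun
# Disable-UsbMassStorage   # uncomment where removable storage is not needed at all
Test-RemovableMediaAutoRun | Format-Table -AutoSize
```

On a domain the same three settings are normally pushed through Group Policy (Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies) rather than written per machine, and the check function is still useful for spotting hosts where the policy never applied. As the pentester’s comment notes, none of this prevents a user from double-clicking a document on the stick; that is where application control and awareness training have to take over.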
Diligence and common sense go a long way here.
@David Bieranowski ha ha, never heard that one before.
If you are going to blame IT, then we could always just uninstall the CD-ROM drive, plug up the USB ports, and secure the networks to the point of local Ethernet networks only.
But hey, they don’t have the time to do that because they are far too busy fixing stupid end user errors.