Making Aussies cyber savvy's a tough ask

Summary: I pity our government for having to try to improve national cybersecurity in a nation of "she'll be right" citizens.

This week news of a new report into Australia's cybersecurity surfaced saying that we weren't keeping up with the online threat. One of the things it suggested to combat this was to change our security culture.

I can understand the need for this.

It seems that despite constant warnings to be suspicious and aware, people are still choosing passwords such as "password" and not necessarily only for the sites that don't matter, but also to access their company networks. They're still presenting account numbers to phishers, whose emails claim to be from banks. They're still not putting passwords on their Wi-Fi connection. They're still turning off firewalls and not updating antivirus. They're still not reading pop-ups before clicking OK.

Just like when you're thinking about putting on sunscreen but decide it's too much effort (it's only an hour, right?), Australians are often loath to think and act on the dangers that the internet has brought.

And when weak passwords might mean entry for an undesirable into a government or company network, this is a serious issue. Ditto when a lack of antivirus leads to a computer becoming part of a botnet which supports denial-of-service attacks.

There are actions that governments and industry can take to make citizens pull their socks up, such as the iCode, which sees internet service providers notify users whose machines are infected, but ultimately, for the nation to become secure, we all need to be a bit more savvy.

This is a tough ask.

Given our government's history, it could well turn to an advertising barrage to try and make us aware of our security faux pas. Remember the government's decision to spend $16 million on awareness for the National Broadband Network?

Most of the advertisements will probably be set at such an excruciatingly low level of assumed knowledge that security professionals will watch the television with their hands half over their eyes for fear of accidentally seeing one. They'll probably ridicule the government's efforts mercilessly among workmates.

But what needs to be remembered is that the government will be trying to raise the strength of the weakest link. There will be a lot of people who will appreciate the basic advice laid out.

If security is about making your car the least attractive to steal by looking harder to break into than those around it, we are trying to increase the awareness of our citizens to the point where cyber criminals would rather tackle another nation.

I'll let you decide who that might be.

Topics: Government, Government AU, Malware, Security

Suzanne Tindal

About Suzanne Tindal

Suzanne Tindal cut her teeth at ZDNet.com.au as the site's telecommunications reporter, a role that saw her break some of the biggest stories associated with the National Broadband Network process. She then turned her attention to all matters in government and corporate ICT circles. Now she's taking on the whole gamut as news editor for the site.

Talkback

11 comments
  • I have developed a zero cost two factor authentication solution called MyCloudKey and 0pass. Users can use a device they already own to register as a security token. Both the services are free and widely used. You can access it from www.mycloudkey.com and www.0pass.com
    easysecured
  • This also applies to shopping online.
    Most eBay members are just too trusting in eBay/Paypal. They actually believe “Buyer protection” is real. Nothing is further from the truth.
    http://tinyurl.com/2c5amue
    EBay Ordered to Pay $61 Million in Sale of Counterfeit Goods

    Check out : http://tinyurl.com/2856gbf
    to get an idea of the extent of this fraud.
    grump3
  • Here we go again - blame the customer!
    STOP IT!
    Put blame where it belongs FIRST - with a totally unregulated ICT industry that offers products and systems that are INSECURE BY DESIGN.
    Example: The IBM PS/2 personal system in Europe came with a smart card reader/writer incorporated into its main box to enable full use of encryption, was easy to use with highly trusted identity management and authentication processes - no more. Today, to quote our new consumer laws, the PC must be "fit for purpose" and that means having safe and secure access to a broadband Internet - even needed to do that necessary patching (oops - unless you are a Telstra pair-gain victim and only have dial-up services at 40Kbits/sec!)
    Also just look at the confusing situation with so-called "security packages" that may even interact unfavourably with each other if installed simultaneously on the same PC! How can the ordinary home user, for example, fully configure an Internet firewall? How does the inexpert home user assess the conflicting statements of the vendors in the marketplace? AND - wait for it - Microsoft "Security Essentials" is FREE!
    So - before we start blaming the customer let's look at the industry itself and the nonsensical messages it is sending to the consumer.
    STEP 1: Give the users security they can understand and easily manage.
    STEP 2: Make it a MANDATORY part of any system that is sold (now we are talking - make the vendors take on some responsibility!)
    STEP 3: Government has the ability to assess those what-should-not-be-necessary add-in packages for security and offer guidance to users that is REALLY USABLE - yes, a "Choice" type assessment and evaluation of those security packages.
    caelli
  • "It seems that despite constant warnings to be suspicious and aware, people are still choosing passwords such as "password" and not necessarily only for the sites that don't matter, but also to access their company networks. They're still presenting account numbers to phishers, whose emails claim to be from banks. They're still not putting passwords on their Wi-Fi connection. They're still turning off firewalls and not updating antivirus. They're still not reading pop-ups before clicking OK."

    I don't think this is a particularly Australian problem. The real issue is that passwords don't work. They have never worked. You can only set a password policy for a few people - perhaps 15 or 20. Above that, human nature makes it untenable as a collective security measure. Passwords are only good for the individual and not for a group. This is because only an individual has control over all that individual's access and therefore there is a chance that passwords are usable. A corporation however puts trust and faith (erroneously) into getting hundreds of people to act to perfection. This will never happen.

    People choose simple passwords like 'password' because they have given up, and that's because the system does not work (see above). Each individual now has to register for every damn thing under the sun, and conform to differing and sometimes crippling rules to choose user names of different styles - some real names, some screen names, some email addresses, some random looking - and then pick a password with upper and lower case and special characters and varying minimum and/or maximum length limits. Make it memorable. Change it often... and do this for 50 or 100 sites. Make them all different.

    Come on! Is it any wonder people have given up and choose password or passw0rd etc.?

    Phishing is getting sophisticated. Again, there is no way that one can educate the whole country in how to spot a scam. Heck, find the roots of this equation: ( 3x^2 + 4x - 5 ). Sure - some can do it, many can't, even more WON'T. Never will you get everyone educated to the same level. This is not peculiar to Australia.

    The same goes for WiFi. If the product comes out of the box insecure, then some are going to leave it at that. There is no getting around it.

    Passwords don't work, products are inherently insecure - like email and ftp and telnet. WiFi defaults and Windows firewall is simply PIA so people turn it off. It gets in the way. Products that don't work get shunned -- it's as simple as that. This is not the consumer's fault. It's the fault of engineers designing for engineers and the top 20% of the skilled people rather than building something simple and transparent that just works. How many people will know whether to "allow" some program to access KJDNNN8.dll or not?

    You see the same problem with something as apparently simple as a remote control for a TV. Almost all are such bad design that you have to hunt and peck and turn the light on to read some weird symbol and fumble with modal controls rather than having a few simple controls that you can find in the dark.

    Pop ups are not read because they are boring and far too common and they get in the way. They are often rude or even condescending and unhelpful. After seeing thousands of pop ups for every conceivable reason, of course people stop reading them. And if you are one of the non-computer-savvy people struggling with the technology, then it's worse. Even if they read it, it would be meaningless. "Error 0x234766 you have lost all your data. Click OK" (it's your fault - you are stupid and you have to happily click OK as there is no other option.)

    PKI is so complicated that people - that's normal people using certificated, so-called secure web sites - have no chance in a hundred years of understanding whether it's ok to proceed or not just because a popup says some gobbledygook about Verisign or credentials or something. It means nothing to ordinary people (the majority). They click through these warnings because the warnings are useless to normal people.

    Security engineers and designers are at fault here - not the end user.
    rumbletumym@...
  • I have to disagree with some of what 1401 and sp00k said above: Legislation tends to encourage ignorance, and although some level of legislation is useful (seat-belts in cars, for example), over-legislation can cost far more than it's worth, particularly if it's difficult (or impossible) to enforce. For example, suppose the government introduced mandatory "security they [the users] can understand and easily manage", as suggested by 1401 above. Now, as an IT professional, you go out and build yourself a shiny new BSD server and are told that you can't connect it to the net until you've installed the latest version of XYZ-antivirus. What now? Install it in a VM just to satisfy a law that doesn't make sense? Obviously, this would lead to a plethora of conditions and what-ifs which would make such legislation untenable.

    However, legislation is not without promise - consider driving on a road if licenses were optional, or didn't even exist. Now allow me to use that example as a metaphor for the current state of ICT legislation: we work in an environment comparable to providing cars (computers) to people without instruction or education, giving them access to roads (the internet) and letting them loose. Unsurprisingly, accidents happen. The solution for ICT matters may eventually be similar to that for road users, requiring licenses and 3rd-party insurance for users prior to ISPs allowing internet access, although such draconian measures may seem extreme at present.

    As for engineers designing products for engineers, that's a fair comment, but consider that some of the blame lies not with the engineer, but with the marketing department who claims that a device is, in fact, designed for an uneducated user. Very few internet-connected devices can provide sufficient flexibility to perform a variety of tasks while simultaneously providing security for those tasks, particularly when much of the software used is not provided by the device manufacturer. When Telstra sends out their "home starter pack" with a modem pre-configured to use a wireless password of "admin" (as they recently did to my father) it's hardly the fault of the engineer: the device provides the necessary security capabilities, but has been hamstrung by third-party vendors trying to make a product more "user-friendly".

    As this article points out, education is vital for improved security, and I applaud the efforts of those who continue to provide such education. I can only hope that the federal government listens.
    dsheludko
  • @dsheludko I agree that legislation is not a universal pill. You are quite correct. And yes, the marketing department is also at fault. But mostly, engineers build stuff (and I am one) and it goes to market as an engineering tool that gets pummeled into a pseudo appliance which only places a thin veil over the product. When it fails - security or function - the ugly guts come spilling out. A classic example is "Something went wrong. Please try again." I've even seen "Error. No error. [OK]" and "This should not happen" (I can guess from that one that the programmer used "assert" system calls, which is a good thing, but the handling is bad).

    This is because often, product is not *designed* by a designer. It's not used by normal people before marketing get hold of it. Engineers make stuff work and sell that side of the product, but there are no market pressures to make products secure or fail "properly". And by fail "properly" I mean to design all the failure modes with the end-user in mind as if the failure mode was a feature. This might sound a little silly but it makes sense when you consider that in many cases simple failures - like a faulty disk drive - are reported in terms like, "Error 433 CRC match failed on sector 0xbbf665". In reality it should say, "The disk with the red flashing light has failed and needs to be replaced."

    It's the same with security. Why should anyone have to invent a password? It's not technically required. There are several methods for a computer to generate control and use one time passwords. And the better solution is to involve a physical token. We almost all have one these days (the SIM in a mobile phone).

    Another example, rooted in historical legacy engineering, is booting. Computers don't need to boot. It's just how it was done from the very early days. There is no reason for it today except in a special maintenance mode. And file-systems. No human uses a file-system; that's a computer programmer's data structure. It should be hidden so the user just needs to recall 'stuff' about the thing he or she was working on: "It's recent, it was a spreadsheet, it had the words Ted and exacting in it, and it was sent to marketing."

    We need to do the same for passwords - design them OUT or abstract them away not force normal people to use them through pressures of education and legislation.
    rumbletumym@...
  • Biometrics are currently being used as a physical measure of security. As you said spOOk, the better solution is to involve a physical token. What better personal physical item is there than your own fingers, face or eyes? This is being incorporated here and now, even for a home user system, but how many people actually use this stuff?

    That's another part of the argument. Designers and developers devoted time and money into 1) working out the constraints and requirements to provide these functions (design), 2) making that stuff work at all (prototyping), and 3) implementing them in a limited capacity to test and refine them (testing), before it 4) reaches the home user market. But when it gets to the home, how many of us as a percentage would admit to disabling these features for reasons like "it's too fiddly to set up", or "I can't get it to work properly", or worse still "I couldn't be bothered"?

    Which leads to the third argument. Operating systems have become increasingly complex over the course of years (hark back to the days of DOS, which fitted on a floppy disk, to desktop and server OSes that take at least one DVD to install (taking up to 15-20GB on the hard drive once the files are extracted and expanded)). No software developer (except perhaps those working within scientific, government or military organisations) has yet incorporated these security features into their code, REQUIRING that these security measures be passed before accessing a system. No, these features had been added later, meaning that the processes used to add these features can be undone. And once the average user realises that it can be done (usually under the pretence of one of the excuses listed earlier), they usually do.

    Pinning the blame on any one group is hard to judge when things seemingly end in a draw.
    dmh_paul
  • Which is all good until your biometrics are stolen. Thoughts?

    Suzanne Tindal
    suzanne.tindal
  • RE Security,

    I purchase a self-updating security suite, on top of which I examine anything that I am not certain of. If it appears suspicious it gets deleted; if the security suite gives me a forewarning, it goes into the blocking device in the suite.

    Further, my only complaint about this suite is that it does not look for spam or viruses in my Hotmail; correspondingly, anything I do not know goes into the junk box.

    I.e., anything that is not recognised by me personally, after having set the security suite, goes into the anti-spam block, or if it is a website not recognised by me, it is placed in the blocked section of anti-spam.

    Perhaps my ignorance is losing me some benefits; I understand the Https function.
    But I have had no instruction about security, and I feel that this is a sadly lacking instruction, by whomever should be responsible, not me, as I follow everything I manage to glean from technicians, and my security suite technicians.

    At almost 68 years of age, one would think that somebody should be holding classes for my age group, as we grew up with a pencil and paper, not even calculators.

    Regards, I would appreciate any advice (truthful) that could assist, as I am very anal retentive as far as my computer is concerned.

    PS, with all of the precautions, whenever I give the security suite a full scan it comes up clean of worms and trojans, etc.

    Any advice to make my use of the computer more pleasurable would be very much appreciated.
    Fredsan
  • Passwords don't work. It would be more logical to use bio-security.

    I have a laptop with a fingerprint scanner - the cost isn't great. This is much harder to defraud and I never forget my fingerprints.
    Craigthomler
  • A case in point: "Vodafone has confirmed it believes its secure customer database has been breached by an employee or dealer who has shared the access password, revealing the personal details of millions of customers...According to Fairfax newspapers,"

    This is another reason why passwords don't work (on their own). It's common to find shared administrative passwords in a company, and this practice thwarts accountability.
    rumbletumym@...