ego.istic.org

I have spent some minutes today looking at a series of cartoons illustrating infosec concepts. They are supposed to be aimed primarily at non-technical computer users, and present the everyday concepts of securing your computer, and what sort of threats there are, in the comic strip format to make it more accessible and to attract viewers. I'd say it's not quite there yet, as the tone is still rather preachy, and it's a bit too scare-mongery, sounding like it's telling you never to open any attachments, install any software, or visit any websites, rather than showing you how to tell. Experience has taught us that simply telling users not to do things doesn't work, and I don't think that dressing the message up with pictures will help.

I would like to thank Srikwan & Jakobsson, the authors of SecurityCartoon, for providing me with a useful simile for explaining how malware gets into your computer. (It is featured in this strip.) A computer is like a house.

If you think about burglaries, there are several ways a burglar can get into your house. Sometimes they might be able to get your door open with a credit card, or smash the window in your back door, reach through, and open the lock from the inside. These are failures in the house itself: they are security vulnerabilities. You can protect against these by fitting secure windows, doors, and locks, and by checking with a security consultant who will spot problems like accessible upstairs windows. Similarly, you protect against security vulnerabilities in computer equipment (and don't forget, this covers routers and phones as well as the big box under your desk) by using software with a reputation for security, keeping it up-to-date, and getting an expert to ensure your firewall is configured correctly &c.

Sometimes, the burglar will enter by masquerading as a policeman, a meter-reader, a salesman, or someone else, bearing false credentials or pretending that someone in the house sent for them. Check their credentials with the issuer, check whether someone really did send for them, and “if in doubt, keep 'em out.” Similarly, some malware will masquerade as useful software, with authentic-looking websites or installers; it might pretend to be a cutesy kitten animation or greetings card; and it might pretend to have been sent by one of your friends. So, in the same way, check with Google or an infosec company whether this software is genuine or a trick; ask your friend whether he really did send that email (but bear in mind that even if he did, he might have just let the malware on his computer too); and remember that a genuine picture won't have a .exe or .scr file extension or make your computer ask if you really want to install it.

Sometimes, though, the burglar will find the front-door key under a flowerpot, or will climb in through an open window. In the same way, often computers or online service accounts are compromised by people having passwords that are dictionary words, or by the computer's firewall having been turned off.

There is an important difference between burglaries and computer misuse, though. A burglar might run off with your credit cards and money, but he won't use your house to get into the house next door, or start using your house to deal drugs or run a child pornography ring. After the usual tricks of stealing your internet banking passwords or credit card numbers, most malware these days leaves a ‘backdoor’ on your computer that the malware's author (or criminal gangs who pay him for the privilege) can use to install more software later. It might sit quietly on your computer, unknown to you, and start sending the same “click here to see the cute kitten” emails to your friends' computers. It might start sending those annoying spam emails that offer to sell drugs or other services, meaning that everyone starts receiving more spam. Worse yet, it can set up a website, running from your computer, that powers the criminal gang's activities: selling those same drugs advertised by email, or serving pictures of child porn to perverts. In this country, it is a criminal offence to possess pictures of child porn, even if it was put on your computer by an attacker. All these are profitable businesses for the mafia types who control these ‘backdoored’ or ‘rooted’ machines (which are also known as ‘bots’ or ‘zombies’ on account of their acting not under the control of their owners).

The other important difference between houses and computers is that there are no good neighbourhoods on the internet. Maybe you live in a low-crime area, and you rarely bother to lock the front door. But the whole internet is a high-crime area: it's just as easy for an attacker to attack any computer on the internet.

So remember, all security is the same, really. Use the same sort of common sense when securing your computer that you use when securing your home. The technologies are different, the threats and risks are different, but the principles are the same.