comp527

course blog for COMP 527: Computer Systems Security

Archive for the ‘phishing’ tag

Smartphone Security

with 2 comments

As if worrying about security on your computer wasn’t enough, your smartphone is increasingly becoming a significant target.

Besides the standard virus and worm attacks via email attachments, one recent attack used the phone’s Bluetooth capabilities to spread between other nearby Bluetooth-enabled devices.

Research indicates that a significant amount of the problem is that, while many users know to be careful on their home computer, many people feel their phone is more immune to security threats. Not so. The article’s suggestion – “treat your smartphone like a computer, not a telephone.”

Unfortunately, there are many people who don’t treat their home computer security properly, much less their smartphone security. People need to continue to be educated about internet security. If you’re going to fall for a phishing attack on your home computer, you’re probably going to fall for anything on your smartphone. Awareness is key.

News article: http://www.cnn.com/2009/TECH/10/25/smartphone.security/index.html

Written by Chase

October 26th, 2009 at 3:45 pm

Posted in privacy, real world


Rice Thresher Today

with one comment

If you look at today’s copy of the Rice Thresher it’s got a couple of stories about the recent string of phishing scams going through the university.

Apparently there are still people who are being stupid enough to give out their personal information to random malicious people. It makes you think about how much psychology is needed in security as well. The best crypto in the world won’t help if Alice will blithely tell Eve her key/password/etc.

In the satire article on the back page, it quotes some senior undergrad as thinking it’s the IT department’s job to keep everything secure. Other than the numerous warnings posted on paper and online, no one can keep other people from being stupid if they want to be.

There are also several funny suggestions about how to solve this problem. I particularly like the police department sending out fake phishing emails and whoever falls for them gets cut off from the network. It sounds kinda harsh, but people need to learn somehow.

Elaine

Written by emp

September 18th, 2009 at 11:14 am

Posted in Uncategorized


The latest in security intelligence from Microsoft

without comments

Microsoft recently published its latest Security Intelligence Report, which details vulnerabilities and exploits in both the Windows OS and third-party Windows applications from January through June of this year. In addition to some interesting statistics, like the fact that the total number of unique vulnerabilities is down 4% from the second half of 2007 and 19% from the first half of 2007, the report seems to blame naive users for a great deal of the unwanted software and attacks.

In particular, a discussion of phishing attacks and spam makes up a large portion of the report, which Microsoft claims it can’t (directly) do anything about. The report also attempts to categorize vulnerabilities as either OS vulnerabilities or “application” vulnerabilities, and it clearly delineates the Microsoft vs. non-Microsoft vulnerability disclosures. Based on this report, it seems that Microsoft is trying to say, “Vista and XP are pretty secure now, and the security issues are mostly due to other people screwing up”.

So, what’s your take on the report (and Microsoft’s security attitude in general)? More specifically, at what point is it actually the case that the OS engineers have done all they can and the majority of problems are due to naive (or stupid) users clicking on every link that pops up on the screen and downloading software that they shouldn’t?

Written by dposada

November 6th, 2008 at 11:56 am

Posted in Uncategorized
