One longstanding criticism of information security products and tools - including browsers and operating systems - is that they're not user-friendly. Indeed, rather than automatically securing data, many systems instead rely in large part on alerting or warning users, and then asking them what to do.
But according to researchers at Brigham Young University, University of Pittsburgh and Google, the resulting glut of these security warning messages has led to users becoming habituated to them, and thus tending to ignore security warnings altogether.
That finding should call into question the effectiveness of any technology that attempts to use security alerts or warnings, says information security expert Alan Woodward, who will be participating on the "Know Your Adversary: Who is the Cybercriminal?" panel discussion at the upcoming Infosecurity Europe conference in London.
"People are receiving so many security notices and messages on their systems now, they're just ignoring them, they're just washing over them," says Woodward, who's a visiting computer science professor at Surrey University, as well as a cybercrime advisor to Europol. "The market for security software now is billions of dollars a year. These bits of technology are trying to help people by saying, 'Oh, do you really want to do this?' or 'Here's a warning for this, I wouldn't do that,' and people are just clicking through it, because there are so many of them coming up now."
Some of the blame lies with browser makers, who rely both on alerts and on their absence, such as the green browser padlock icon, which is meant to tell users that the site they are browsing presents a digital certificate signed by a proper certificate authority. But in an interview with Information Security Media Group, Woodward notes that by using the wireless networking tool WiFi Pineapple together with the SSLstrip tool, an attacker could launch a man-in-the-middle attack against hotspot-connected systems and feed them fake browser icons, thus undercutting the entire system. And that is only one of many potential ways to subvert that trust-based system.
Woodward says today's antiquated digital certificate system, which attackers and researchers continue to find novel ways of subverting, is also partially to blame (see Microsoft Blacklists Fake Certificate). "It is this constant arms race ... unfortunately it's 'painting the Forth Road Bridge' - you never stop, as soon as you get to the end, you have to start again," Woodward says.
Unfortunately, attempts to address the ways in which attackers have been abusing certificates have been only partially adopted - such as certificate pinning, in which a client trusts only specific, pre-designated certificates for a site rather than any certificate a trusted authority issues - and all too often add complexity for end users. "It really needs to be made very simple for users, not because users are simple, but users are not the enemy," Woodward says. "Unless you make it simple, users will either not know what to do, or they'll get so frustrated with it that they'll just ignore it anyway."
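As an added example (not code from the article or from Woodward), the following Python shows the kind of hard-fail certificate-pinning check a client can apply automatically instead of raising a warning: it hashes the certificate's SubjectPublicKeyInfo and accepts the connection only if that hash is in a pinned set. The minimal DER encoder/decoder and the unsigned, X.509-shaped sample certificate are constructed here purely for the demonstration and are not real certificates.

```python
import base64
import hashlib


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value (short or long definite length form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_children(data: bytes) -> list:
    """Split a run of DER TLVs into (tag, content) pairs; handles long-form lengths."""
    out, i = [], 0
    while i < len(data):
        tag, first = data[i], data[i + 1]
        k = 0 if first < 0x80 else first & 0x7F          # number of extra length bytes
        n = first if k == 0 else int.from_bytes(data[i + 2:i + 2 + k], "big")
        out.append((tag, data[i + 2 + k:i + 2 + k + n]))
        i += 2 + k + n
    return out


def spki_sha256_pin(cert_der: bytes) -> str:
    """base64(SHA-256(SubjectPublicKeyInfo DER)): pin the key, not the whole leaf cert."""
    cert_body = der_children(cert_der)[0][1]              # Certificate SEQUENCE content
    fields = der_children(der_children(cert_body)[0][1])  # tbsCertificate fields
    idx = 6 if fields[0][0] == 0xA0 else 5                # [0] EXPLICIT version only in v2/v3
    tag, spki = fields[idx]
    return base64.b64encode(hashlib.sha256(der_tlv(tag, spki)).digest()).decode()


def pin_check(cert_der: bytes, pins: set) -> bool:
    """Hard-fail policy: accept only if the leaf's SPKI hash is pinned; no user prompt."""
    return spki_sha256_pin(cert_der) in pins


# Constructed sample SPKI (id-ecPublicKey OID + 65-byte placeholder point), not a real key
SAMPLE_SPKI = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))
                      + der_tlv(0x03, b"\x00" + bytes(range(65))))


def build_sample_cert(spki_der: bytes, v3: bool = True) -> bytes:
    """Constructed, unsigned X.509-shaped DER for the demo (not a real certificate)."""
    name = der_tlv(0x30, b"")                               # empty Name
    alg = der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    validity = der_tlv(0x30, der_tlv(0x17, b"240101000000Z") + der_tlv(0x17, b"250101000000Z"))
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02")) if v3 else b""
    tbs = der_tlv(0x30, version + der_tlv(0x02, b"\x01") + alg + name + validity + name + spki_der)
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00" + bytes(4)))   # dummy signature
```

Pinning the public key rather than the certificate lets the site renew its certificate without breaking clients, and keeping a backup pin in the set covers key rotation.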
In this interview, Woodward also discusses:
- The use and abuse of security-related warning messages and alerts;
- How spam-combating techniques could help address widespread problems with digital certificates;
- The need to replace "secure by design" with "secure by default."
Woodward is a visiting professor at the department of computing at England's University of Surrey, a cybersecurity adviser to Europol's European Cybercrime Center, as well as non-executive director at TeenTech, which encourages teenagers to pursue careers in the fields of science, engineering and technology.