By CORILYN SHROPSHIRE Pittsburgh Post-Gazette July 17, 2006
It doesn't help that experts are saying that most security breaches are the result of human failures, not technical ones. These include frequent use of easily breakable passwords, outdated anti-viral software, and sometimes even clueless computer users not knowing what do.
"It's hard for the average computer user to keep track" of all the potential pitfalls, said Lorrie Cranor, director of the Usable Privacy and Security Laboratory at Carnegie Mellon University "It's just hard for people to know out what's out there." Cranor and about 100 academic and industry computer security wonks spent three days this week hoping to help by swapping ideas on how average computer users can beef up security in their virtual lives at the second annual "usable privacy and security" symposium at CMU's Collaborative Innovation Center. It's unrealistic to expect people to keep track of dozens of passwords that use both numbers and letters without writing them down, Cranor said. As a result, many people use one alphanumeric password for everything - from logging on to their computers to doing their online banking - even though such a practice puts them at increasing risk. To cut their risk of falling victim to cyber-crimes, consumers can take such simple steps as recording passwords in a computer program that is then secured by one master password, and encrypting information on laptops, Blackberrys and other wireless-enabled devices, Cranor said. "People often forget when they are sitting in Wi-Fi hot spots" that other nearby users can hack into their computers. Memory tricks also can help keep precious computer-stored information safe, she said, including creating a mnemonic password by using the first letter of each word of a phrase that the user has made up. Still, being virtually street smart sometimes isn't enough since hackers, too, are getting smarter. Unlike the worms and viruses that for years gobbled up private information and crashed hard drives, it's increasingly common for hackers to weasel their way into computers by "exploiting human vulnerabilities," Cranor said. The number of computer users falling victim to "phishing scams," in which users are lured into giving away important personal information such as credit card numbers, bank account numbers and Social Security numbers to seemingly legitimate e-mail requests, is steadily rising. The number of new phishing Web sites jumped to nearly 8,000 in December from its high of 5,259 less than five months earlier, according to the Anti-Phishing Working Group. Now the threat has moved beyond computer screens to the telephone, with the latest scams sending Internet-based phone users an e-mail requesting they call a seemingly legitimate phone number to call to update their bank accounts. Tricks such as these, with automated voice system and caller ID that look and sound like the real thing, demonstrate how increasingly sophisticated hackers have become, said Carnegie Mellon University social scientist Julie Downs. The phone phishing, or "vishing" as its known in the industry, is clever she said, "in part because people think that they can use the phone if they don't trust the e-mail." The vishing scams could be hampered by building a database of known "scam" phone numbers or by creating a software filter that warns consumers of incoming fraudulent calls, she said. "Educating users is great if it works, but it's hard to reach them all and keep current," Downs said. Downs, who has studied how susceptible people are to phishing attacks, co-authored with Cranor a paper on the subject. The two also are working with other researchers to develop software tools to better detect fraudulent e-mails before they get to users, and are creating games for users to learn about phishing scams.
Distributed to subscribers for publication by Scripps Howard News Service, www.scrippsnews.com Publish A Letter on SitNews Read Letters/Opinions
|