How Do People Use Security in the Home

Transcription

1 How Do People Use Security in the Home Kaarlo Lahtela Helsinki University of Technology Abstract This paper investigates home security. How much people know about security and how they use it. Six person were interviewed and observed how they use computer especially in relation to how they handled the security features. What was found, was that the main basics and terms were mostly known to everyone. They were avoiding using security, if it brings too much trouble to them. Many users have nowadays wireless network connection, which have encryption enabled. Users have anti-virus and firewall softwares installed to their computers, and they work fine. Private mail is not kept so vulnerable for attacked that they would use encrypted mail. KEYWORDS: home security, security threats, user point of view, wireless network, private . 1 Introduction World is going to use more and more technology, which means that we relate on computers more. Sensitive materials, namely passwords, financial information and personal documents, are stored in computer and also transferred through networks. These new techniques produce new threats to us. Attackers can get information from us easily, even in a way that we do not recognise that the attacker gets the information from us. In the past, attacks had to be done in a way where attacker was close to the victim, in other words, now attacks can be safely done from distance. There are several examples to describe the new threats. First, people use their bank account from home, in other words they pay the bills from the home computer. So they do not have to go to a city and join a queue in bank to get the bills paid. Second, there are also people who work at home or when they are travelling. Nowadays they have to connect to company s network. This creates new security issues to the company to keep their information secure. Although distance work is more employee s company s problem, but the company have to be aware of the lack of the employee s home network security. Third, our messages can be read, when message encrypting is not in use. This leads to easy access to our messages So there are different level of new threats that users have to acknowledged. The main point is here that normal users also need education of security when using computers and mobile devices, and connect them to Internet. Few years ago there were no fixed Internet connections, just dial-up connections. This fixed connection brings us threat that can attack any time. Web browsers and instant messaging applications have very much vulnerabilities, meaning that we have threats in the most common software that users exploit [4]. Nowadays, just learning to use the equipment may cause serious security problems, if there is not any knowledge of security. There are lots of different security methods that normal user should know. I do not present them here. I will briefly go throw, what kind of aspects I have in my research. Short introduction to these techniques can be found in Home Network Security [7]. Banking connections are made with HTTPS [2] connection, what means that connection is encrypted. So attacker who is listening to the connection cannot see what information is transferred. Encrypted connection is recommended, when user is transferring sensitive information, for example user name and password. Internet bank services use this kind of encrypted connections. In this connection the encryption is also verified by certificate so that user connecting, for example to the bank, can see that it is the bank s service and not some attacker s fake service. If connection is not encrypted, the attacker could have this way user s log in name and password. Wireless networks are becoming more common, because of the lack of wires and laptops and mobile computers are becoming more popular. Wireless connection is easier to use, because there is no need to plug the wire, just use it. Wireless connections brings more new threats to users [9]. Attacker can just scan radio waves from distance, and do not need to be connected to the network by wire. Users send in plain text. There is also possibility to send encrypted . Most common is PGP [1]. At least encrypted is used in companies, but how much is it used in home, and for personal communication? is also used by attacker for sending viruses that could take over user s computer. Virus attacks are used for disturb user or to take control computer for larger attacks to somewhere. Computer worms have come more common by spreading in . There is also risk having a with a virus. What kind of protection does users have? 2 Related Work In the article The Work to Make a Home Network Work [8] is written how home networks are becoming wider and more complex. How these new bigger networks could be maintained and kept secured. I research in this paper how well users know home networks and security. How much people really know about security and are they able to contain it to software. When do we know software

2 is secure enough? We can make software to handle security [6], but we should be able to make users use security and not bypass it. Nucleus Research and KnowledgeStorm made a research, where was investigated that one third of employees write down their password on a paper [3]. This gives advantage to attacker to steel the passwords strait from the papers. This is one kind of risk, what user do. 3 The Study I made few interviews regarding user s knowledge of security. First, I collected background information of users. This helps us to categorise them in different groups. Second, I discussed about their knowledge of basic and advanced security terms. I asked them to explain them. Also investigated how they use them, if they are familiar with them. Finally, I made few tests with them and collected information of their behaviour in security aspect. 3.1 Test Procedure To get information about security behaviours in person s home, I went to person s home and made my research there. These persons, who are in my research, have many different profiles of using computers. The scale was from young to old and from beginner to expert. First, I made an interview and collected background information about of the user, such as education, age and how long they have been using computer. The latter was usually easier for them to remember as the same day when they or their parent bought the first computer. They had to describe how much they have been using computer in that time, meaning like couple hours a week or several hours in a day. Next I asked about how much they use computer in their work. Does the work relate to computers, like software development, document writing or graphical design, or is their work more like physical work, where they do not use computers. Same kind of question, related to school, were asked, if the user were studying and did not have job yet. Computer can be used in several purposes, so I had to resolve where the computer was mainly used. Is it just for checking , playing video games or was it like a hobby for the user. Second, there was several questions about how well they know security. I went through threat terms like virus, computer worm, spyware, Trojan horse and phishing. This reveals how much they know about basic language on computer security and as well reveals if they have some wrong believes, what some of those mean. About the software they are using, I wanted to know from anti-virus program. How often they scan their hard drives and have updates to virus databases. Are they using some sort of firewall and is it configured by themselves or someone else. And if they are configured, is there basically the default setting or do they know how to make secure settings. In addition, I went though their local network. Were they using wireless networks, and if were, what kind of security practises were used. Was there encryption over the air, like WEP or WPA. Last, users told what kind of other security practises they were using. And I also asked question related to their previous answers, so that I could have clearer vision about their real knowledge of security in their home. 3.2 Users Brief description of users. First little about their background, meaning users age, education, computer knowledge and computer habits. And then following the security knowledge of computers and networks Retired computer beginner Background This is an older person, who has been few years retired. He started using computers about five years ago. Mainly he uses the computer to pay bills in Internet bank and he sends couple messages in a week. Other things he does with computer is storing pictures from digital camera and finding information from Google and Wikipedia. He can use only Finnish, because he do not know any English. Knowledge Security issues are not familiar to him. Antivirus is installed to his computer, but he do not administrate the computer. Windows Security Center and anti-virus software updates themselves for critical updates and virus databases, but still one of his children checks that new security updates are installed. He has Windows of local language, but his anti-virus and firewall software are in English. That is big disadvantage for his security behaviour. Usually he allows the question that comes from the firewall, but when something unfamiliar happens, he calls to his child and tries to explain what is going on. Usually the call resolves the problem, but sometimes it is hard to find a solution. Wireless network is also found in his home, but he does not use it. He uses network cable connection. He has been taught how to bay bills in Internet bank, but he do not actually know about certificates or secure HTTP connection. In problems he has someone to call, as described above. Security threat terms are familiar to him, but he was not sure about their meaning. The basics were quite correct, when he was explaining the meanings of the terms. Phishing was familiar from news couple weeks ago. He is protected from viruses, computer worms and spam in software. At least he has not had any bigger problems with the computer. Computer is only used for couple basic purposes Senior Software Engineer Background Next we have on person, who is in late thirties. He had used computer since he were little child. He has graduated to Bachelor of Business Administration. Now he is working in large software company as Senior Software Engineer, for four years now. He uses computer daily few hours at home, excluding his work. Computer is used in almost any possible way.

3 Knowledge He knows about security quite well. Uses antivirus software and updates virus databases regularly. He knows what viruses are and last time had virus attack in early 90 s, which deleted all files from his hard drive. This was the only attack that made something harmful to him. He has software and hardware firewalls to prevent attacks from Internet and also from suspicious behaviour of software, which are trying to send information to network. Wireless network is installed to his home, but he uses mainly network cable to connect computers. Wireless network is used for laptops and mobile phones. It uses WEP encryption and MAC filtering, to prevent unwanted users to the network. Certificate and encrypted HTTP connections are familiar to him. Secure HTTPS connection is always used, when he enters user name and password and when sensitive information is transferred. He do not empty web browser cache, because he is using own computer for viewing bank information and no one else has access to that computer. Mail is sent using plain text, no PGP or other encryption is used. He describes that there is no need to encrypt the messages, and so few of his friends have capability to receive encrypted messages. Connection to the mail server is encrypted. Trojan horse, computer worm, phishing and spyware are well-known to him. He is aware of these attacks. In addition he uses McAfee SiteAdvisor and NetCraft plugins in his web browser to notice attacks Journalist Background Then we have almost thirty years old journalist. He works with the computer everyday, especially with word processing, sheet charts, layout design and listening for music. He is almost ready Master of Economics, and is mainly working nowadays. Writing articles is the main task in work. Knowledge He does not have own computer at home and uses the laptop computer from work. There are Anti-virus and firewall software from company he works. He knows the basics of these softwares, but mainly keeps them at default settings. He has avoided been attacked by viruses. At home he uses wireless network, because it is easy to use and do not need to connect cables. He did not know, if there is used an encryption in the network connection, but as I checked there were strong WEP encryption. Someone helped him to install the network and obviously he also enabled the encryption. Different kinds of security threats were familiar to him. He knows viruses, spyware, computer worms and Trojan horse. Some of those had small guesses and he was not sure about the meaning, but mainly it was knowledge. What he was not aware of was the phishing threat, but after giving some examples, he recognises it. So he knew the threat, but only the term was new. Certificates were familiar, and he said that banks have some kind of high level certificates. He was not so familiar of how they work, and how to see threats on other sites. What was more concerning that he did not know about the HTTPS connection. In banking he noticed that it was used, but did not demand encrypted connection on other web pages, where user name and password are required. He told that after this he is more aware of demanding HTTPS connections when it is needed Physiotherapist Background A physiotherapist is in mid thirties. She has been using computes for about ten years. Now she uses computer in work also, meaning basic softwares, like documenting. She uses computer occasionally at home. The main usage is creating documents, browsing Internet and checking . Knowledge She is not very familiar with the security terms. She have heard about them, but do not know their exact meaning. She uses the basic windows firewall, to prevent attacks from Internet. The cable modem has as well basic firewall, which prevents attacks. Anti-virus software is installed to her laptop, by recommendation of her friend. Her laptop is connected by the wireless connection of her cable modem. It is encrypted. When she is using the banking service, she checks that web browser has a sign of lock that tells it is encrypted. She did not know about certificates, or that it is recommended to see who the owner of secured connection is. Encrypted mail is not used and she uses basic webmail user interface University student Background A young student, namely early twenties, is studying English Philosophy in University. Her computer is Macintosh laptop, what mainly differs from other users that I have interviewed. She has been using computers for about ten years now. She has computer at work also, so she uses computer often. Computer is mainly used for creating documents and browsing Internet. Knowledge Basic security is not very known to her. She believes that her computer is safer than Windows computers, and no virus can attack to her computer. She was not aware, if the computer had anti-virus and firewall installed. The terms virus, computer worm and Trojan horse was familiar to her. The newest term, phishing, she was not familiar with. Wireless network is used at home, at least when it works, which means that she sometimes uses a network cable to connect Internet. The wireless network is secured, which means, in this situation, WEP encryption. She is using Internet also for paying bills in Internet. Certificates are not familiar to her. She is also unaware of encrypted HTTP connection. She just used the bank services and did not know any threats that could happen to her. She believed that paying bills was safe in the Internet Helsinki Business Polytechnic student Background Last we have a student from Helsinki Business Polytechnic and he is graduating in next year as Bachelor of Business Administration. He has been computing almost ten years, starting from upper level school. Computer is used to make homework from school. In other words, word

4 processing and sheet charts are used. Games are also played with the computer. He uses the computer several hours a day. Knowledge He has some knowledge of security threats. He uses anti-virus and software firewall, knowing also the purpose of those softwares. There is as well firewall from the Internet service provider. He still do not care so much of the warnings of the firewall, meaning that he allows almost any question from the firewall. The main point is that the software, he is using, is working. He is not so keen of solving which of warnings can be harmful. Virus and spyware terms were the only two that he knew the meaning. When describing about the computer worm, Trojan horse and phishing, he did not actually knew what they were or described them wrong. Paying bills is something what he does in Internet, but he did not know anything about security of Internet banks. He was satisfied when he did not get any claims not paying the bills. When bringing topics like certificate and encrypted HTTP connection, he did not know anything about those two. I see this as a big risk. Mail he uses from basic front end in web. Mail encryption was unknown to him, and did not found any reason to use encryption. 4 Discussion Short wrap up from the interviews I made. Second, brief comments of good design in secure equipment and services available. 4.1 Test Result Computers in home are used in basic needs, which are writing a document, browsing Internet for information and reading . They use computers mainly everyday from few minutes to several hour. Three hours being the average using time. This does not include the distance work. Users have mainly good knowledge of basic security terms. They know what a virus or a computer worm is. Trojan horse was also known quite well. Newer term like phishing was familiar for only couple. And the meaning was actually more familiar than the term it self. Very few noticed that they have been attacked by virus or other threats. Usually firewalls and anti-virus programs have taken care of threat and gave notice to user that threat has been defeated. So attacks have been taken care of before they could produce any harm. Users usually just install the firewall and antivirus software, and leave them then in background. Only few made configuration on them. On the basic configuration they update them selves and notice the user, if attention is needed. They work quite well in background with default configuration. Most users have also wireless network connection, at least if they have laptop computer. Access points were using encrypting connection to the mobile devices. It was the older WEP encryption, but the main point is that there was some kind of protection. No one could even accidentally connect to these networks. They have to know the key to the access point, if they want to connect to the access point. One Property u1 u2 u3 u4 u5 u6 Virus x x x x x x Computer Worm x x x Trojan horse x x x Phishing x x x Encrypted WLAN x x x HTTPS x x Certificate x x sum Table 1: A table about how users know different terms and security techniques of the users used also MAC filtering, so only preconfigured users could connect to the access point. This is a good solution, when the users are known in advantage, and so could be configured to access point. He was more advantage user and clearly knew more of security risks. Mail privacy was not concerning almost anybody s mind. They were happy to things as they are now. It was enough for them to have encrypted connection to mail server, but nobody actually saw benefit from encrypted mail. The trouble was bigger than benefit. It is like good enough quality for software as here for privacy. 4.2 How to make existing techniques easier and more secure As the results of this study can be seen that users have wireless connection encrypted. These kind of techniques, like one button configuration for secure the wireless connection, should be more [5]. No more access points with large amount of help pages, to guide the user to enable encryption. Internet bank services use encrypted transport protocols and it is easy to notice from web browser, that it is used. The lock sign next to URL or in status bar. User does not have to activate it in any way. Users cannot even bypass the encryption, because it is required from the service provider. So they cannot do it wrong. These are good examples of implementing security. 5 Conclusion Security is usually avoided, if it is to hard to use. Users are more likely to disable the security configurations, if they bring more work to them. This happens especially when they do not see the treats that can affect to them. The security should be more automatic, other words user should not notice much difference if he is using the security or not. It would be better, if there were some kind of security sign in the service, if security or encryption is enabled. That way it is fast to see if security is enabled. Warning would come in non-secure services. This way users more likely have security, because it is less work. User should have more education of security before they use new services and softwares. First there should be some kind of driving license, as cars do have, that person is capable of using the equipment of program. It is a risk to when you

5 cannot see or do not know the threats, that can make harm to you. 5.1 Further work This was just a small research and gives some hypotheses to larger scale interviews and tests. These security studies were just a random pick, with very mixed profiles. These hypotheses can be used in future tests. This just brings some kind of direction what kind of result it might bring along. References [1] Pgp message exchange formats, August [2] Http over tls, May [3] One in three employees compromise corporate security through lax password practices, nucleus research study finds. web, October releases/prpassword1006.html. [4] Sans institute, the top 20 most critical internet security vulnerabilities. web, October [5] D. Balfanz, G. Durfee, R. E. Grinter, D. K. Smetters, and P. Stewart. network-in-a-box: How to set up a secure wireless network in under a minute in proceedings of the usenix security symposium pages , August [6] P. Dourish. Security in the wild: user strategies for managing security as an everyday, practical problem. Personal Ubiquitous Comput., 8(6): , November [7] C. Ellison. Home network security. Intel Technology Journal, interoperable Home Infrastructure, 6(4):36 48, November [8] R. E. Grinter, W. K. Edwards, M. W. Newman, and N. Ducheneaut. the work to make the home network work: in proceedings of the 9th european conference on computer supported cooperative work (ecscw 05). pages , September [9] V. Gupta and S. Gupta. Securing the wireless internet. IEEE Communications Magazine, 39(12):68 74, December 2001.