As one who often talks to less technically inclined people about internet security issues, I find myself telling people to use “common sense” a lot. A conversation with my Dad (who’s moderately technically savvy) really brought home to me how little this concept has permeated the Internet Culture.

Most folks get that you need to regularly update your AV software. Some folks have even grasped that updating your application/OS software regularly is a very good thing. And yet there are still an astounding number of people who fall victim to social engineering techniques like the ones we’ve been seeing with Downloader-BAI, which we discussed yesterday, and which have been in use pretty much since the dawn of computer viruses and phishing.

Memorizing lists of Do’s and Don’ts can be a bit daunting for people, so I’ve started advising people to look at their computer as if it were their house. People can “come to your house” by email, via web sites, by comment spam, by portable media or storage devices, whatever. Just as people can come to your real house by ringing your front doorbell, trying the doorknob, crawling in a window, etc. Regardless of how the technology changes, the metaphor stays the same.

  • Would you trust someone who came to your house purporting to be from your bank, asking for your personal and financial details?
    Few banks would actually go to this length, especially because it would be so easy for someone to impersonate a bank official. (I know this isn’t always the case, but it’s still a perfectly sound rule to follow.)
  • Would you open packages you weren’t expecting, especially if they were addressed strangely or vaguely, or smelled or looked funny?
    People rarely hesitate to open attachments which look like they could contain something scary or titillating, but I imagine most folks would find it extraordinarily off-putting if they got a package on their doorstep that had no return address and promised snuff film footage or pictures of their neighbor’s wife naked.
  • Would you leave your house unattended and unlocked?
    Granted, there are places in the world where this is still a reasonable thing to do, but most of us live in areas populous enough that it is considered unsafe even (or especially) when we are home. And yet many people don’t update their application/OS software, don’t password-protect their wi-fi networks, and don’t run a firewall. These are essentially the doors, windows and locks of your computer - the things that control who gets in and out of your system. With these left wide open, people are free to come and go as they please, taking or leaving whatever they want.

Is this incredibly simplistic? Yes. Do most people need to understand protocol filtering and white-listing? For the average user, no. Most folks could get by well enough, or would at least be much safer than they are now, if they just understood the most basic security concepts.