

The new study from the North Carolina State University's Psych department shows just how dumb the average user is when it comes to computer security. The study shows users are willing to do anything, including throwing security caution to the wind, to get rid of minor annoyances.  (Source: DailyTech)
A new study is giving computer savvy users a look at the "other" users' behavior

You often wonder how users fall for seemingly obvious ploys -- you know, the letter from Makib in Ethiopia seeking donations for an orphanage, or perhaps the most recent fake ticket emails that claim to have your ticket in a ZIP file. To the computer savvy, these silly attempts might make for a good morning laugh, but security experts say there's nothing to laugh about when millions of naïve users fall for the scheme and their computers become part of a botnet, used to launch devastating DoS attacks.

A new study from the Psychology Department of North Carolina State University gives some insight into just how easily many users are tricked. On compromised websites, one form of malware distribution is through popup windows. If users click to dismiss them, they often download malware onto their computers. So just how many users would be tricked into clicking?

The researchers crafted 4 dialog boxes and exposed 42 college students to them in a normal browsing atmosphere.  Each box contained the cryptic message "The instruction at '0x77f41d24 referenced memory at '0x595c2a4c."  The first one bore the markings of a standard Windows dialog, but the remainder had noticeable differences that should have warned users that it was malware.

In each of the dialogs, putting the mouse over the "OK" button turned the cursor into a hand, a sign that it was a browser control, not a Windows dialog. The dialogs also all had minimize and maximize buttons. Starting with the second one, a browser status bar was added to the bottom. Finally, the last one was made blatantly obvious by text that flashed from black on a white background to white on a black background.

To properly lure the college students into the ruse, they created a series of fake medical websites in Flash.  The students were told they were going to be quizzed on the information on the sites after the test.  The popups were then activated as the students were browsing the sites.

Of the 42 college students, 26 clicked the "OK" button on the most normal looking dialog, 25 clicked on each of the more obvious fakes, and 23 clicked on the most obvious fake, the one with the flashing text.  This study should be welcome news to malware crafters -- college educated users will click obviously dangerous dialogs over 50 percent of the time.

In all, only 9 users closed the dialogs. The rest minimized them or dragged them out of the way, both risky behaviors, since the next user at the computer could be exposed to the dialog. The time between the dialog appearing and the user clicking remained approximately constant for all the dialogs. This seems to indicate that the users did not even think much before clicking the foreign message.

In follow-up questions, over half of the students said the dialog boxes were a distraction from the task at hand and they would do anything to get rid of them. The study seems to indicate that computer exposure, combined with a lack of understanding, has bred an atmosphere where users are unsurprised by dialogs and GUIs and care little for their contents.

While the study's authors suggested educating students to warn them of these kinds of dangers, the students' apathy towards the dialogs calls the fruits of such education into question.

The study is appearing soon in the journal Proceedings of the Human Factors and Ergonomics Society.


Comments

Not surprised
By lifeblood on 9/24/2008 9:08:26 AM , Rating: 2
In the past month I have had three different people bring me their kid's laptop to fix. All three's kids were in college and none of them had anti-virus or anti-malware software installed. I ended up having to do a wipe and reinstall on all three as they were so badly infected with viruses, trojans, and everything else.

I know of at least three excellent FREE anti-virus packages. I use one of them and have never had a problem. It's amazing that people still don't practice basic computer security.




RE: Not surprised
By Denithor on 9/24/2008 9:22:20 AM , Rating: 2
And these are the same people reproducing and raising our next generation of dumbasses.

Pleasant thought, no?


RE: Not surprised
By Alexstarfire on 9/24/2008 9:55:52 AM , Rating: 2
No... it really isn't. May not have been so bad when computing and such wasn't very widespread... but now it should be the jocks who are the outcasts. This is a tech savvy world and the non-tech savvy are the ones reproducing. I'm not just saying saving sex either... because that's not true. We shouldn't allow this ignorance to spread. Again... I'm not saying that we kill them... but perhaps some forced education wouldn't hurt.


RE: Not surprised
By Rebel44 on 9/24/2008 10:23:28 AM , Rating: 2
Idiocracy :(


RE: Not surprised
By tential on 9/24/2008 10:38:48 AM , Rating: 2
Who would be surprised? We are all people who use the computer a lot. Most people use computers for just web browsing and instant message. You can tell how much people know about computers when they buy one. People nowadays spend 2000 dollars on a laptop sometimes when all they do is web browse. Then there are others who buy an XPS because they THINK it's a gaming laptop (when Dell hasn't even upgraded to Centrino 2 yet).

Computers are confusing to most people and I don't think any amount of training will help them. They have to be generally interested in computers and most just want to keep in touch with their friends. This is why the IT industry is flourishing and also why people in the IT industry usually don't have much trouble with their jobs. All they have to do is remind people to turn on their computers or to plug it in (the most frequent problems according to my IT friend in the Navy). Ya it's a problem that they become part of a bot network but there isn't much we can do to stop people from not caring.


RE: Not surprised
By afkrotch on 9/24/2008 12:23:16 PM , Rating: 2
quote:
when dell hasn't even upgraded to Centrino 2 yet


Centrino 2 is a platform. You don't need to comply to Centrino 2 standards to make a gaming laptop.

An XPS M1730 with a C2D Extreme and 8800M GTX SLI is an extremely capable gaming laptop. Many gamers' desktops couldn't even match it in performance. It's not Centrino 2, cause it uses an Nvidia chipset.

If I wanted a gaming laptop, I'd probably go with a Dell over HP/Compaq, Gateway, or the other high priced alternatives.


RE: Not surprised
By JediJeb on 9/24/2008 10:54:40 AM , Rating: 2
I think it's all about the money. Easiest way to solve this would be for Microsoft and other software companies to just remove the ability to create popups from the operating system and browser software. But then they would lose money from advertisers, and the ones who sell anti-virus, anti-malware software would lose business because fewer computers would become infected etc.

What actual purpose does a browser popup serve? I never have and never will even look at one before killing it.

Also for the majority of people the error popups in the operating system should be disabled. An error pops up a message and to all but those who know programming they are meaningless. It would be just as efficient for the system to crash for the average user than to have a message pop up that says "your system is going to crash, nothing you can do about it, just click OK and get it over with". What information in a message about not being able to access memory at xxx location is even useful to the average user? Even our IT guy usually just tells us to reboot and not worry about it. Make those messages something you need to turn on if you really want to see them.


RE: Not surprised
By Oregonian2 on 9/24/2008 1:08:34 PM , Rating: 2
In the very few and simple websites I've done, there have been times when popups were appropriate, particularly when some information needed to be told to the user but without wanting to change the context of the current screen (not changing the current page). Maybe I just wasn't clever enough, but it was all I could think of.


RE: Not surprised
By leexgx on 9/25/2008 1:05:10 AM , Rating: 2
That's a very good idea with the blocking popups all out.

All legit ads are not popups; they normally stay inside the page at the top or down the side. Some poorly made web sites use popups to make new windows.

ATI needs to fix their drivers web site, as it tries to open a survey page as a new window but all popup blockers (so 99% of users most likely never see it)


RE: Not surprised
By SavagePotato on 9/24/2008 11:31:37 AM , Rating: 2
Really anti-virus and anti-malware are only as effective as the user makes them most of the time. If I only had a dollar for every computer that came through with popups springing from the antivirus tray icon proclaiming that it has been out of date or expired for six months.

You still have the same dumb user with a program trying to be smarter than they are.

In addition it's not foolproof. I have seen so many computers blisteringly infected and the user is confused as hell because they have Norton and that means they can't get infected, right? Wrong.

Anti-virus and anti-malware are a band aid on the underlying problem, proper education on how not to get infected in the first place.

Maybe they should start teaching things like this at the elementary school level.


RE: Not surprised
By Spivonious on 9/24/2008 11:47:43 AM , Rating: 2
Send them to me next time. I've never had to do a wipe and reinstall and I've seen cases so severe that they couldn't even boot into safe mode.


RE: Not surprised
By SlyNine on 9/26/2008 9:28:57 PM , Rating: 2
This guy probably complains when people bug him about fixing their computers too.


RE: Not surprised
By afkrotch on 9/24/2008 12:08:25 PM , Rating: 2
quote:
It's amazing that people still don't practice basic computer security.


Smart computing > antivirus+anti-malware

I don't use any antivirus or malware blockers. I have multiple computers and I use my old laptop to surf questionable sites. Every month, I reimage the laptop (if I bothered to surf a questionable site). It doesn't touch my network either. I use the available open WAPs in my apt complex.


RE: Not surprised
By lifeblood on 9/24/2008 2:02:36 PM , Rating: 2
You are lucky to have multiple PC's and to know enough about computers to be able to do this. Most non-IT people I know have one computer and just want it to work when they use it.

Anti-virus & anti-malware software are not perfect, but they do make it much safer. They are a necessary first step.

Smart computing includes, but is not limited to, antivirus+anti-malware.