[LINK] Consumer computer security
Roger Clarke
Roger.Clarke at xamax.com.au
Sun Jan 14 11:38:46 AEDT 2007
G'day Alan
At 6:50 +1100 14/1/07, Alan L Tyree wrote:
>I'm looking for some help here. I'm writing a submission to ASIC on the
>review of the EFT Code of Conduct. One of the things that Industry has
>been pushing for is to make consumers liable for losses caused by
>computers infected with malware.
>The argument I wish to make is that consumers are hopelessly ill
>equipped to secure their (Windows) computers. Can someone point me to
>real research/statistics about the way that people *actually* run their
>computers?
It's not what you asked for, but ...
I did some expert evidence a little while back which required me to
catalogue the ways in which 'accesses to inappropriate sites' and
'storage of inappropriate images' might occur, without the intention
of a device's user, and even without their knowledge. The context
was alleged unfair dismissal.
The material could be turned to the purpose of demonstrating that:
(1) consumers' computers are not under consumers' control
(2) it is not practicable for consumers to exercise control
The first few parts are of marginal relevance to the current context.
This section has some relevance but would need to be cut down:
http://www.anu.edu.au/people/Roger.Clarke/II/OffIm0511.html#AUC
The key bits are the short sections on Malware and 'Hacking' starting at:
http://www.anu.edu.au/people/Roger.Clarke/II/OffIm0511.html#MW
If it would help, I could use the above to produce a 2-pager
summarising the problems.
Further mutterings ...
I meant to track down some text-books and key articles, but the
document had to be prepared in 24 hours, and I've never got back to
it.
Some obvious starting-points:
http://en.wikipedia.org/wiki/Computer_insecurity
http://en.wikipedia.org/wiki/Malware
http://en.wikipedia.org/wiki/Trojan_horse_%28computing%29
http://en.wikipedia.org/wiki/Keystroke_logging
http://en.wikipedia.org/wiki/Security_cracking
http://en.wikipedia.org/wiki/Exploit_%28computer_science%29
http://en.wikipedia.org/wiki/Computer_forensics
I've got a set of a dozen slides on malware that could be put to use
if they were actually interested.
I was involved in an RBA/APSC subcommittee back about 1988-89, which
considered an early version of the Code and specifically the need for
consumer protections in relation to ATM design and processes. (Banks
were finally forced to get rid of the exposed vertical key-pads that
made PIN capture a cinch).
They had some interest in solid evidence, which was a pleasant
surprise. (They = the RBA / regulatory members, not the bank reps of
course). So maybe the offer of a presentation might be an angle that
would attract their attention.
Re the question you actually asked, Googling with mixtures of terms
like <infection key-logger trojan statistics> and suchlike turns up
some sources:
http://www.webroot.com/resources/stateofspyware/excerpt.html
http://www.secureworks.com/researchcenter/researchoverview.html
http://www.sans.org/reading_room/?portal=2027af4cebaac272f701e38e131117a1
But nope, nothing's obvious that actually answers the question ...
Regards ... Roger
--
Roger Clarke http://www.anu.edu.au/people/Roger.Clarke/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in Info Science & Eng Australian National University
Visiting Professor in the eCommerce Program University of Hong Kong
Visiting Professor in the Cyberspace Law & Policy Centre Uni of NSW