[LINK] Consumer computer security

Roger Clarke Roger.Clarke at xamax.com.au
Sun Jan 14 11:38:46 AEDT 2007


G'day Alan

At 6:50 +1100 14/1/07, Alan L Tyree wrote:
>I'm looking for some help here. I'm writing a submission to ASIC on the
>review of the EFT Code of Conduct. One of the things that Industry has
>been pushing for is to make consumers liable for losses caused by
>computers infected with malware.
>The argument I wish to make is that consumers are hopelessly ill
>equipped to secure their (Windows) computers. Can someone point me to
>real research/statistics about the way that people *actually* run their
>computers?

It's not what you asked for, but ...

I did some expert evidence a little while back which required me to 
catalogue the ways in which 'accesses to inappropriate sites' and 
'storage of inappropriate images' might occur, without the intention 
of a device's user, and even without their knowledge.  The context 
was alleged unfair dismissal.

The material could be turned to the purpose of demonstrating that:
(1)  consumers' computers are not under consumers' control
(2)  it is not practicable for consumers to exercise control

The first few parts are of marginal relevance to the current context.

This section has some relevance but would need to be cut down:
http://www.anu.edu.au/people/Roger.Clarke/II/OffIm0511.html#AUC

The key bits are the short sections on Malware and 'Hacking' starting at:
http://www.anu.edu.au/people/Roger.Clarke/II/OffIm0511.html#MW

If it would help, I could use the above to produce a 2-pager 
summarising the problems.


Further mutterings ...

I meant to track down some text-books and key articles, but the 
document had to be prepared in 24 hours, and I've never got back to 
it.

Some obvious starting-points:
http://en.wikipedia.org/wiki/Computer_insecurity
http://en.wikipedia.org/wiki/Malware
http://en.wikipedia.org/wiki/Trojan_horse_%28computing%29
http://en.wikipedia.org/wiki/Keystroke_logging
http://en.wikipedia.org/wiki/Security_cracking
http://en.wikipedia.org/wiki/Exploit_%28computer_science%29
http://en.wikipedia.org/wiki/Computer_forensics

I've got a set of a dozen slides on malware that could be put to use 
if they were actually interested.

I was involved in an RBA/APSC subcommittee back about 1988-89, which 
considered an early version of the Code and specifically the need for 
consumer protections in relation to ATM design and processes.  (Banks 
were finally forced to get rid of the exposed vertical key-pads that 
made PIN capture a cinch).

They had some interest in solid evidence, which was a pleasant 
surprise.  (They = the RBA / regulatory members, not the bank reps of 
course).  So maybe the offer of a presentation might be an angle that 
would attract their attention.

Re the question you actually asked, Googling with mixtures of terms 
like <infection key-logger trojan statistics> and suchlike turns up 
some sources:
http://www.webroot.com/resources/stateofspyware/excerpt.html
http://www.secureworks.com/researchcenter/researchoverview.html
http://www.sans.org/reading_room/?portal=2027af4cebaac272f701e38e131117a1

But nope, nothing's obvious that actually answers the question ...

Regards  ...  Roger

-- 
Roger Clarke                  http://www.anu.edu.au/people/Roger.Clarke/
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in Info Science & Eng  Australian National University
Visiting Professor in the eCommerce Program      University of Hong Kong
Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW
