Can you pause live malware?

According to an article on TechHive, a security firm has seen evidence of cable company DVRs here in the U.S. being compromised and used to distribute spam and/or badware.

This is interesting, because the security burden for network appliances like DVRs must, by design, be borne by the manufacturers and service providers. I mean, what are you going to do if your DVR becomes infected? Press the pause button? No, you're going to call your cable company and expect them to fix it. I sure hope the customer service representative has a script for that problem!

Prevention, too, falls more heavily on the device manufacturers. After all, you can't install anti-virus software on your TiVo. Computer and smartphone vendors have historically assigned responsibility for badware prevention to the device owner/user. How will vendors respond when users start calling for warranty service because their network-enabled Blu-Ray players have security vulnerabilities?

It's too soon to tell whether DVR malware is a one-off event or the start of a trend. Either way, it raises some very interesting questions for the consumer electronics market.

Americans want security, don't know how to get it

A study released today by the National Cyber Security Alliance (NCSA) and the Anti-Phishing Working Group (APWG) indicates that most Americans are genuinely concerned about online safety and security. Furthermore, according to the study, they recognize their responsibility to contribute to the Internet's overall security and are willing to take steps in that direction.

The biggest obstacle, perhaps unsurprisingly, is the lack of clear, concise instructions on what users should do to protect themselves. This is an area in which we, as an industry, have to improve. When you combine the complexity and diversity of available technologies with a lack of consistency around messaging, terminology, and visual symbols, it's no wonder that consumers are feeling confused.

The upcoming National Cybersecurity Awareness Campaign, which the NCSA and APWG are spearheading, should be a step in the right direction. It promises a unified messaging campaign to increase awareness nationwide, and perhaps even internationally. Of course, if this survey is any indication, this will be a challenge, as the issue isn't so much awareness of the problem, but rather awareness of the solution.

Over the coming months, StopBadware will be working with industry partners to help them do their part to protect consumers from badware. Part of this, undoubtedly, will be consumer education. Just as we (and, by extension, our partners like Google and Firefox) now offer webmasters specific tips on finding, removing, and preventing badware on their websites, we need to work together to present clear guidance for users on how to protect their computers, their handheld devices, and their online information.

Tom Patterson has it wrong

I'm a little behind in my blog reading, so I just came across this post by ComputerWorld blogger Tom Patterson, insisting that we should avoid modern conveniences that have the potential to introduce security risks:

We are often our own worst enemies when it comes to protecting our cyber infrastructure.  Choosing simple passwords, automatically displaying pictures from unknowns, automatically running HTML code from unknown e-mailers, and jail breaking our phones opens us up to wide-spread attacks.  So you might want to think about choosing more complex passwords (beyond 0000),  turning off the switch in your browser that auto loads images (runs faster, and you can always open any pictures that you really trust and want to see), turning off the HTML format switch in your e-mail program (it's kind of interesting to see all the blatant malware you receive without its dangerous cover), and the auto-discover switch for wireless connections (it won't kill you to ask for a connection when you really want one).

I'll grant him a couple points here. Sure, using stronger passwords and being cautious about which wireless network you connect to are basic and fairly unobtrusive security measures. But Patterson is asking ordinary computer users to forego richly formatted e-mail and visually-pleasing websites just to reduce the risk of malware and phishing! Perhaps he would also advocate for elminating cars as a form of transportation, since driving is more dangerous than walking.

Here's a better idea: let's find ways to use new technology responsibly, even as we make the technology more secure. This has worked with cars. The death rate from auto transportation has plummeted in the past few decades, as safety systems (seatbelts, air bags, etc.), driver education, traffic law enforcement, and other measures have boosted safety without sacrificing functionality. Cars have continuously added features and become more convenient, even as the risk of using them has decreased.

Similarly, we're beginning to see an emphasis on making users and products more security aware. Many e-mail apps and web browsers now provide phishing warnings. Web browsers and operating systems have stronger default security. Applications increasingly offer automatic updates to make patching easy. Many efforts are underway to educate children and adults about safe, responsible Internet use. And free and paid security products (those from legitimate vendors, anyway) offer more protection with fewer side effects than ever before.

"Simplifying, beautifying, and streamlining our lives leads to significant security risk," Patterson writes. The risk, however, can be managed, and I, for one, am willing to trade a bit of risk for a bit more simplicity and beauty in my life.