If you are ill, can anyone access your files? Frequently, people must share passwords because the system is not designed in such a way that information can readily be shared. The sample password policy provided by SANS specifically lists "don'ts" that include revealing a password to a boss, or to co-workers while on vacation [SANS, 2003]. Why? Because these are common practices in workplaces, even though they work at odds with good password security.
Once people get into the practice of revealing passwords, it doesn't seem strange when someone phones up, claiming to be from IT, and asks for their password to check for something. Most times, it really is someone from IT, but it could equally be an attacker. Kevin Mitnick, perhaps the world's most famous hacker, testified that he'd obtained more passwords by tricking users than through more technical means [Sasse et al., 2001].
This practice of password-sharing also hinders other security goals of passwords. The U.S. Federal Information Processing Standard for password usage recommends that individual passwords be used to establish illicit use and establish accountability [FIPS, 1985], but if a co-worker commonly uses a user's password, it becomes much harder to establish who is really at fault. A frustrated employee could easily abuse the system to cause problems for co-workers.
Poor system setup can go beyond passwords. Consider the case of email viruses. Many viruses have been spread based on the fact that one popular piece of software, Microsoft Outlook, automatically executes certain types of attachments. (For example, the Sobig virus, discovered this summer, spread in this manner by using a .pif attachment [Nahorney and Gudmundsson, 2003].) While Outlook has options to make it more secure, these are not the default choices, leaving uninformed users vulnerable.
Sometimes users will be required to make otherwise insecure choices in order to do what they want to do. For example, one of the assignment submission systems at Carleton included an applet that was not signed. In order to submit assignments, students were required to allow unsigned applets to execute code on their machines. Allowing all sites to use untrusted applets is not a particularly secure choice, but few browsers allow per-site customization. Even Internet Explorer, currently the most popular browser, only allows different settings for a few security zones. In order to submit work, users were forced by the system to lower their security settings. Those lowered settings could potentially affect more than the one site, perhaps even all other sites, unless the student remembers to change the settings before and after submitting each assignment. Many users of other systems have had the experience of turning security down or off (e.g., disabling a firewall) in order to do what they wanted to do [Dourish et al., 2003].