The Culture of Cybersecurity

Interesting survey of the cybersecurity culture in Norway.

96% of all Norwegian are online, more than 90% embrace new technology, and 6 of 10 feel capable of judging what is safe to do online. Still cyber-crime costs Norway approximately 19 billion NKR annually. At the same time 73.9% argue that the Internet will not be safer even if their personal computer is secure. We have also found that a majority of Norwegians accepts that their online activities may be monitored by the authorities. But less than half the population believe the Police is capable of helping them if they are subject to cybercrime, and 4 of 10 sees cyber activists (e.g. Anonymous) play a role in the fight against cybercrime and cyberwar. 44% of the participants in this study say that they have refrained from using an online service after they have learned about threats or security incidents. This should obviously influence digitalization policy.

Lots of details in the report.

Posted on October 3, 2016 at 6:23 AM • 24 Comments

Comments

Who?October 3, 2016 9:16 AM

At the same time 73.9% argue that the Internet will not be safer even if their personal computer is secure.

I agree completely. My computers are "secure" (at least I try!): all run OpenBSD, usually -current, all are firewalled behind non-Intel computers running pf(4) except a laptop I sometimes carry to the field (some of them are even full-time air-gapped), and I do some basic OPSEC. Most of time they are connected to other OpenBSD computers around the world establishing secure channels. It does not make the Internet more secure at all.

Even if all computers connected to the Internet were secure (what an impossible dream!), we should not ignore the human factor in both lack of intelligence and avarice.

Internet is as great and as abject as the human beings themselves.

ab praeceptisOctober 3, 2016 9:46 AM

Who?

Two (absolutely friendly) remarks:

- "My computers are "secure" (at least I try!)" is what many windows users say, too. Only their reasoning is different, maybe something along the line "I always update and I have bought and running 2 AVs and a firewall plus I've bought an expensive router box".

- You are wrong. You *do* make the internet somewhat more secure. Reason: Quite probably some less botnet slaves on the internet, namely the machines at your place.
This is not sufficient to make the internet secure, but multiply that by 100 Mio and we're starting to see some major effect.

Little Ms. πOctober 3, 2016 10:17 AM

Having had my Blackphone 2 confiscated by the police and threathened with having it destroyed in the process of trying to crack it unless I gave up the security-phrase, it's going to be interesting to see what comes of that.

It could even set a precedence in Norway, for how FIPS 140-2 Level 'X' (in this case, 2) devices are treated by the authorities: As devices that are free to destroy in fruitless attempts at cracking the *certifiably* uncrackable, or... something else.

Also getting an ORWL mid january, FWIW.

Who?October 3, 2016 1:08 PM

@ab praeceptis

Wow, thanks for these kindly words!

I have doubts about what makes the Internet "secure" right now. There are too many interests in this game (ok, only one, money). Even a secure computing infrastructure that stops mistakes made by human beings not understanding basic security concepts ―or, why not, knowledgeable people that has a bad day― (something that OpenBSD tries hard) means nothing when NSA programs like PRISM show how easy is corrupting large corporations effectively removing the need to attack the endpoints or exploiting weak service configurations.

In the nineties it was a matter of protecting our own infrastructure and trust the big corporations do the same on theirs. Now even a remote DNS may be snooping our activities, not to say the uncomfortable feeling that in the last years has become more and more difficult setting up our own personal services.

No, I do not really think all is "national security" or "the risk of being imprisoned after breaking a NSL" with relation to these large corporations collaborating with governments. There are other, less high-minded, interests in play.

You are right, my current computing infrastructure is likely secure enough to avoid being exploited by botnets. But it can hardly make a difference on an Internet where the large players are so easily corrupted by governments and their own interests.

Some day Bruce should talk about this worrying trend to centralize services on large providers while making it difficult to run our own servers. Or is it just me who has this uncomfortable feeling? Not to say the feeling that some basic services (like email) are irredeemably weakened.

Who?October 3, 2016 1:38 PM

@Little Ms. π

Please, let us know what happens to your secure phone!

(But remember it is just an Android device, even if FIPS certified, and as any other phone it is based on unsecure communication protocols and services. Better than other phones? Sure, but just a phone after all.)

I would like getting an ORWL computer too, but these must be expensive and difficult to buy (even if they reach the production status some day). At this time I feel secure enough by adding another protection layer to my computing infrastructure, this one based on smart and Java cards, thanks to the kindly advice of Thoth. Not exactly an ORWL computer, but secure enough to me when combined with a reasonably secure ―and updated― operating system and FDE.

I am impressed by ORWL features. Looks like a sensible design to me.

Let us know how the ORWL computer behaves too.

BobbyOctober 3, 2016 2:37 PM

I keep things simple:

I consider everything that goes over the internet as public.
If my information stays private that is fine, if it is hacked no harm done.

I am not prepared to spent serious time to get the necessary expertise on " securing" all aspects of my online life to a "certain" degree and mostly have to trust others.

Easier to expect the worse case and act accordingly.

Little Ms. πOctober 3, 2016 3:13 PM

@Who?

Well, the Blackphone uses the ZRTP-protocol if you have a subscription (https://www.silentcircle.com/products-and-solutions/technology/zrtp/).
And you could chose a phone-number from wherever in the world, including Switzerland which would put you about as far out of the fourteen eyes nations' reach as you could get.
I never bothered testing it properly as the implementation was buggy at the time and Silent Circle ended up changing the subscription model, so I don't know the state of that today.
The ZRTP protocol seems sound end-to-end encrypted though, regardless of actual implementation.

For the ORWL, Joanna (of @QubesOS fame) unfortunately chose to make some highly critical remarks, and unrealistic demands in regards to openness (from a business world perspective).
Those two VM-breaking Xen security bugs really must have hurt her pride, bless her perfectionist heart.

Then again, you could probably replicate a lot of the security for the ORWL by a combination of motion-sensor(s), USBKill, LUKS Nuke and a yubikey / usbarmory / whatever HW-token key.
For half / a third of the price.

But, I bought it because I chose to believe, and in chosing to do so I encourage others to do the same and also other parties to invest of their time and money in creating even better security products than the ORWL.

I don't think posting about the blackphone belongs on kopimi.is, but I may post about it on freak.no or diskusjon.no.
Norwegian cops sadly have a tendency to confiscate and destroy (read: steal for themselves) whatever they can get their hands on (or just to spite you for not showing the 'proper' respect), so we'll see. :)

Bruce EdigerOctober 3, 2016 3:27 PM

@Who? writes:

Some day Bruce should talk about this worrying trend to centralize services on large providers while making it difficult to run our own servers. Or is it just me who has this uncomfortable feeling? Not to say the feeling that some basic services (like email) are irredeemably weakened.

I'll bet I'm not the Bruce requested, but I'll pontificate. I have this feeling as well. Just when it's possible to run your own server entirely, the ability is being taken away from us. Look at the number of infosec professionals who stridently warn against running your own email server, for example. ISPs prevent "servers" from running, except maybe for Small Business class accounts. Printing presses, and later radio got taken away from the masses, we should learn lessons from those historical experiences, and not let corporations take away The Internet. If you have the technical wherewithal, run your own SMTP, HTTP, SSH, DNS and NTP infrastructure. Preserve the "common knowledge" of how to fight spam, be secure, and generally run things. Don't let corporate entities usurp free communications. Remain human, but get things out there.

Do you remember how obviously slanted and stifled newspapers were? Run your own servers. Otherwise, we'll see "Intellectual Property" getting tightened down even more, and some Dread Horseman of the Apocalypse (child porn, terrorism, self-radicalization, etc) being used to create some technologically-enforced division between "client" and "server", and it'll cost a whole lot of money to get licensed to own and run a "server".

You've been warned before.

ChristopherOctober 3, 2016 4:40 PM

@Bobby

That may work for you, but that is not remotely a valid solution to laypersons who want to use history's biggest communication tool to socialize. Humans are a social species after all.

It's also effectively giving up on ever securing data and telling users "if you want privacy, don't talk online". It's a defeatist attitude.

TedOctober 3, 2016 5:34 PM

Thank you for sharing the report. It’s a very thoughtful analysis of the integration of cybersecurity behavior, perception, and knowledge within a population, measured beyond organizational culture. I have never taken a cybersecurity survey like the one at the end of the report, but I thought it was good one, and would be glad to have a survey/study administered within my own community as a framework to gauge awareness and start conversations. It appears that the report was released in coordination with Norway’s safety month.

“National Safety Month conducted in October for the 6th time in Norway. The campaign is coordinated and run by the independent expert body Norwegian Centre for Information security (NorSIS). All countries in Europe are encouraged to arrange safety month in their respective countries, but Norway is distinguished by both the scope and feasibility. European coordinator is the European Union Agency for Network and Information Security (ENISA).” https://norsis.no/apning-nasjonal-sikkerhetsmaned-2016/

October is also National Cyber Security Awareness Month in the US. As a part of the awareness campaign there will be a weekly NCSAM Twitter Chat series at 3pm on each Thursday in October. #ChatSTC

Some of the guests will include: Council of Better Business Bureaus (@bbb_us), Federal Trade Commission (@FTC), PCI Security Standards Council (@PCISSC), U.S. Department of Homeland Security (@cyber), and National Cyber Security Alliance (@StaySafeOnline)

Little Ms. πOctober 4, 2016 3:41 AM

@Bobby

I think you are barking up the wrong tree, here.
Most users have absolutely no interest in "running their own email server", they want ready-to-go end-to-end encrypted solutions out of the box, such as protonmail.ch

And that's probably more secure than any setup you can come up with, too.

I suspect the same goes for many of the other issues you raise.

But the fundamental problem that I have with your post, is that you are nowhere near having any kind of relationship to proper Threat Modeling, Compartmentalization, or Risk Assessment.

If you cannot identify the threat you are working to address, you cannot assess how much of a danger is represents, and you can't allocate the *appropriate* resources to safeguard against it.


PaulOctober 4, 2016 4:59 AM

I can't help wondering what one would reasonably want an ORWL for.

That is, assuming running the next Silk Road or anything like that would be unreasonable - for most people.

A computer whose contents are potentially irretrievable seems to me to be an accident waiting to happen, somehow. It seems an extreme use case, better suited to an undercover agent in a hostile country than any routine personal or business use.

What could it really achieve that an encrypted volume wouldn't -- in terms of protecting data? (That is discounting the Darth Vader look).

Personally, I would be far more interested in a piece of software that makes my phone look as if it had no contacts or any other (non-story) apps installed. Someone at MIT started work on an Android shim to do just that but I haven't come across any news of it for a few years. Meanwhile, IoT powdered surveillance is about to take off.

My Sony TV (Android) surveils and reports on all TV programmes watched (date, time, channel, adverts shown, inputs in use - HDMI1 etc) and will not show a programme guide without surrender of privacy.

I'll take some routine privacy over extreme security any day. If there was a marque for products whose makers commit to not monetising identifiable customer data I would purchase only products that featured it. It seems weird to me that this should be a crank perspective, but that's where we are.

Peter A.October 4, 2016 5:12 AM

@Little Ms. π

It's not about John Doe, it's about those few self-made people in whatever aspect. The freedoms are taken from us one-by-one. I mean freedoms to tinker, to roll your own things, to do something your own way - just to have fun or to make a small or medium business out this tinkering/DIYing etc. It is not solely about IT or technology in general. Most people don't care about this particular aspect of their lives, and do care about some other, but governments and corporations are taking away the right and/or possibility to do that by "regulating" more and more human activities in the name of "security", "safety", "public interest" and the like - or by monopolizing manufacturing/services and refusing to deal with those "out of the house" by cutting them off, imposing limiting ToSes and pressing the governments to regulate them out.

In an effect, the fruits of technological, scientific and other advances of humanity are refused to most of it.

ab animalibusOctober 4, 2016 5:23 AM

@ab praeceptis

As we know, most computer users use Windows and as long as they're using a modern version of the OS (7, 8, 8.1, 10) they've got a reasonable amount of protection on the internet.

Microsoft enable Defender by default and whilst it doesn't score very highly on independent AV tests at least the user has some protection - and it's kept up-to-date automatically, for free. Microsoft have now started to use Defender for "periodic scanning" on systems where there is a third-party solution installed to offer additional protection.

Of course it's better if the user installs and maintains a third-party solution with integrated firewall, anti-virus, anti-malware and anti-exploit protection. I find many users do have such protection and that's great.

For the majority of users keeping their OS up-to-date, maintaining their AV solution, using unique and secure passwords on each site (with the assistance of a password manager) and encrypting their system (done by default on new Windows laptops) they're secure enough. A VPN can help those who need a extra protection.

And therein lies the answer. It's about stopping the majority of attackers from breaking into their computers and keeping their data safe if their computer is lost/stolen.

A sophisticated attacker will always find a way into the most secure of systems but with increased security comes decreased usability and a system so secure will mean users either don't use it (and find workarounds) or they circumvent the protection entirely.

Little Ms. πOctober 4, 2016 8:45 AM

@Peter


It's not about John Doe, it's about those few self-made people in whatever aspect. The freedoms are taken from us one-by-one. I mean freedoms to tinker, to roll your own things, to do something your own way - just to have fun or to make a small or medium business out this tinkering/DIYing etc.

Well I'm seeing lots of interesting DIY projects popping up all over the place (crowdsupply, kickstarter, pihut), and especially geared towards the general public.

And over in my neck of the woods the ISPs don't really mind if you set up a rack in your basement as long as you are not running a business out of it.

So if anything, I think DIY-projects and the (hobby) electronics are becoming more affordable and available to the public. And what is defined as "hobby" electronics are becoming increasingly sophisticated, really.

@Paul


I can't help wondering what one would reasonably want an ORWL for.

...

A computer whose contents are potentially irretrievable seems to me to be an accident waiting to happen, somehow. It seems an extreme use case, better suited to an undercover agent in a hostile country than any routine personal or business use.

I think agents and organized criminals roll their own, each in their way.

To address the core of your query, it seems to be predicated on the assumption that people do not have up to date rolling backups. That in itself is really, really strange, when you look at it.
In a perfect world, backups should be continuous and distributed (and encrypted), and you shouldn't even have to think about the concept "backup".
But as has been said, the media companies do not want it to be easy to share big files, so we're stuck in the middle ages having donkeys haul our racing cars.
Leaving the issue of outdated scribes and backwards monks in the age of the printing press aside, in such a perfect world your question should rightly be turned on its head: Why would anybody want their data to be accessible to thieves?

Or for that matter, law enforcement. Can't remember your password? Jailed for being found in contempt of court? Indefinitely? Not with an ORWL, because it wipes its keys after six months without power (or so I am given to understand).

That's quite a basis for a convincing Seppuku Pledge, really. We'll go to jail for six months rather than give up our customers' data.
It certainly makes sense if you are running a business that has any kind of confidentiality clause.

Little Ms. πOctober 4, 2016 9:11 AM

Also
@Peter A.


What could it really achieve that an encrypted volume wouldn't -- in terms of protecting data? (That is discounting the Darth Vader look).

I find your lack of faith... disturbing.

Yeah. That's what I meant to say.

Who?October 4, 2016 1:57 PM

@Little Ms. π

ZRTP sounds good, it is in the process of becoming an Internet standard. However the fundamental problem persists―it is a secure phone that runs an unsecure operating system, an operating system whose security track is horrible.

Joanna Rutkowska is doing a nice security-related work and I had been tracking her work for years with great interest (even if most times it sounds like an unreal theoretical approach to computer security), but I think she is wrong here:

She is asking for the datasheet for the secure microcontroller to be made public. Releasing the datasheet does not assure the microcontroller has no hidden functionality. Am I wrong? How can we assure a datasheet outlines a complete set of features?

She is asking all firmware sources to be published. A good goal, indeed, but I fear no one will audit the source code for a device that is not being widely deployed. Look at the firmware of the Lemote Yeeloong netbook, how many improvements came from the users community in the last years? A better question would be: is there firmware whose code is not public inside the ORWL? Why are these proprietary devices being used on it? Is there no alternative?

She is asking for the toolchain to build the firmware to be available. How can we trust the toolchain itself? Do we know for sure the toolchain is building non-backdoored firmware binaries? The toolchain source code means nothing.

I agree, any build process should be reproducible. It makes no sense building binaries whose checksums depends on, we say, the build time. It is not only about firmware, it is a reasonable goal for any software project. Building binaries should be a reproducible process.

Being able to dump/flash firmware using JTAG ports makes a lot of sense to me. However even if no device programmer hardware is part of the ORWL computer the ability of extracting the flash chip to reprogram it "off-line" is sensible and should be enough.

Don't know the price of an ORWL computer, but I guess it is expensive enough to consider the possibility of including a programming hardware on it. But I think the most sensible approach is allowing the firmware flash chip to be easily extracted and reprogrammed on one of these cheap chinese burners. I would certainly prefer flashing the firmware of a compromised device out of it. To me is a better choice using an external programmer if I suspect a device firmware has been altered in an unwanted way.

Don't know enough about the ORWL computer to say if this process will expose the encryption keys, though.

PaulOctober 4, 2016 2:42 PM

@Little Ms. π

To address the core of your query, it seems to be predicated on the assumption that people do not have up to date rolling backups. That in itself is really, really strange, when you look at it. In a perfect world, backups should be continuous and distributed (and encrypted), and you shouldn't even have to think about the concept "backup".

This wasn't a conscious assumption. My own backups are automated and redundant. I was thinking more about what justified the additional security of the ORWL. I could see the value to a person wanting to secure evidence that would see them jailed but diminishing returns (and added risks) would surely kick in for most people without extraordinary reasons to secure the data with such seemingly extreme measures. After all, encryption works.

I already take fairly robust measures to protect my own data, incl redundant RAID systems with ZFS. It's not foolproof, because nothing ever is. But these measures, despite their sophistication, didn't require buying and using unusual non-consumer hardware.

All I'm saying is I'm not personally convinced and you've questioned an assumption rather than shown that the measures are proportionate. I realise we all have different appetites for risk!

Little Ms. πOctober 4, 2016 3:25 PM

@Paul


All I'm saying is I'm not personally convinced and you've questioned an assumption rather than shown that the measures are proportionate.

I did give an example of ensuring total confidentiality, though.
Surely that's a use case that should apply to medical records (and criminal records).

And remember, just because you can use encryption doesn't mean it is easy for an organisation to ensure that ALL machines are encrypted. People are lazy and cheat (password written on post-it stuck to the monitor, anyone?), and this little machine enforces not only encryption, but total access control of data (long as you have the key on you).

That's zero effort, complete information control made as simple as possible.
If you don't see the advantages inherent in such a setup, I think maybe you just haven't thought it through yet.

ab praeceptisOctober 4, 2016 11:36 PM

Who?

"Joanna Rutkowska" - I also like her research since quite a while.

Btw, you are right, a chips datasheet doesn't protect you from hidden functionality. But: It gives you at least a lot of insight into the working of the beast; it's just so much better than half a page of a companies sales blurb.

Summarizing somewhat brutally the rest of what you said: You are right to a large degree, but: While having the sources does not auto-translate to them being properly checked, it at least opens the opportunity to do so. This is even more important when considering the progress that as been made in formal tools. I bet that even quite primitive tools like splint or cpachecker will vomitt quite a lot on quite a lot of firmware code.

Being at that: It's almost frightening what Rutkowska shows. What concerns me the most is the basic paradigm, particularly in x86 systems: They made many gross decisions in the beginning and rather than thnking and designing peoperly at least now tey simply keep on adding more cludges to compensate the problems they created with yesterdays cludges. It's one big zoo of unpleasant beasts and a very fertile one breeding new beasts at an increasing rate.

Which leads me to another IMO very important value of Rutkowskas work. Fulfilling her (well justified) demands would open a door for others to rethink the x86 mess and to look for ways to stay largely compatible but at the same time to unwind some of the mess intel has created.
And, of course, it would make the lifes of nsa, gchq, and diverse other state or non-state criminal players a lot harder - and the life of billions of people a lot better.

Clive RobinsonOctober 6, 2016 11:28 AM

@ vas pup,

th regards the BBC link you give, there are three telling facts.

The first "the million aday" new malware.

The second the "one in 113" emails that have malware.

But thirdly and perhaps most importantly for most users,

    Others asked how they could possibly be expected to stay safe when massive corporations that spent huge sums on security were regularly caught out.

It kind of puts things in perspective.

The first two are why I stopped doing personal EMail quite some time ago. Even when set for 7Bit ASCII text only by the user, many mail programs will still download and process attachments in the background before you the user get any kind of control, which is way to late for some malware...

vas pupOctober 7, 2016 8:55 AM

@Clive: Thank you for responding.
That is another recent article related to psychology and risk taking:

http://www.bbc.com/future/story/20161006-how-a-few-words-can-make-people-hand-over-millions

A subsequent analysis of the legislation in 18 countries found that the introduction of seatbelts had resulted in either no change or a net increase in road accident deaths. The counter-intuitive effect has been attributed to “risk compensation”; people typically change their behavior in response to the perceived level of risk. When the risk is low, people are more reckless.

In the real world, our actions are a minefield of hidden motivations and psychological quirks. “We used to think that people take into account all of the available information and then weigh up the costs and benefits of different options. And there’s increasing evidence from the last 40 years that that’s not correct,” says Hallsworth.

Enter “wise psychological interventions”, popularly known as “nudges”; techniques to bump people’s decision-making in the right direction by unlocking how we really think.

…“loss aversion”, or the tendency to feel losses more keenly than gains. It has plagued public policy for years: citizens who stand to lose $100 as a result of new legislation are likely to be disproportionately more vocal than those who stand to gain $100.

The next set aimed to trigger the citizen’s deep, in-built fear of being different, known as conformity bias. It’s thought to stem from the desire to avoid being rejected by our social group – a factor which had life-or-death significance in our evolutionary past.

“What’s new about this approach is not just the knowledge of human psychology but it’s that it’s evidence-based policy making,” says List.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.