Lies, damn lies, and statistics

"A news release from McAfee about Brad Pitt, Beyonce Knowles and Justin Timberlake has got the goat of guest blogger Paul Ducklin, Sophos’s head of technology in Asia Pacific. Over to you Paul…"

Paul Ducklin

Someone at the McAfee anti-virus company seems to have convinced media writers of the factoid that “…fans searching for information and pictures of Pitt, or downloads, wallpaper and screen savers, have an 18 per cent chance of having their PCs infected with a virus, spyware, spam, phishing and adware…”

At least, that’s what Sydney’s Morning Herald and Melbourne’s The Age are urgently warning you about.

(I’m not sure if it says something about the supposed intellectual difference between Sydney and Melbourne that in Sydney the “Pitt of danger” is the leading online story, whereas in Melbourne it is at least relegated behind “Astronomers agog at circling planet.”)

Tut, tut, tut.

18 per cent chance

This sort of hyperbole about the dangers of cyberspace may fill column centimetres and attract casual readers, but it doesn’t actually help anyone. For a start, it simply isn’t true. If you go online and search for “Pitt”, you do NOT have a one-in-five chance of getting infected, and suggesting that you do is just spreading FUD (fear, uncertainty and doubt).

The two main pedagogical problems with this story are obvious. Firstly, users who do search for “Pitt”, and who do not get infected (which will be the very great majority) may get a false sense of security. After all, if you can routinely get away with it when you regularly search for apparently dangerous search terms, why should you worry at all about those parts of the web which aren’t considered particularly dangerous?

Secondly, this story seems to imply that if you steer clear of celebrities and stick to “safer” subjects, you will greatly improve your online health. But SophosLabs finds an average of about 16,000 newly-infected web pages per day, liberally distributed throughout cyberspace. Some of these are high-profile sites, with high-profile subjects, but the majority are otherwise unremarkable sites which are “chosen” by cybercriminals simply because they are there. Indeed, they are remarkable mainly for being unremarkable.

Another important flaw with this story is that it doesn’t bother to explain how you can search safely. Let’s say you really do want to search for “Pitt”. (Sydney alone, for rather obvious historical reasons, has numerous Streets, Roads, Lanes, a Town and even a Water which carry this name.) How do you avoid the alleged 20% “infection chance”?

The answer is that with the right precautions, and the right sensibilities, you can search in almost complete safety for almost anything you want. Here’s how to do it:

1. Use a spam filter. Scammers who have planted risky content on otherwise unremarkable websites regularly spam out links to these websites in the hope that you will be more inclined to click through to them. Getting rid of such spam reduces the number of risky links you will be tempted by, as well as freeing up your time to read useful stuff, not the spammers’ garbage.

2. Use a web filter. Products such as the Sophos Web Appliance have two chances to protect you: if you click on a link – no matter that it is legitimate or uncontroversial – which is already known to have been hacked, the connection will be blocked outright. And if you do visit a newly-infected page containing risky content, it will be analysed and blocked on the way back.

3. Use an anti-virus and keep it up-to-date. Most hacked web pages are only indirectly infectious. In other words, they try to provoke misbehaviour in your browser which causes the silent download of a virus, worm or Trojan. This sort of attack is called a “drive-by” install. A good anti-virus will block these downloads.

4. Use the security updates provided by your software vendors, especially those for the operating system itself and for your web browser. Many malware attacks succeed only if you have already been lax about security, so get yourself up-to-date today.

5. Use some form of network access control program (NAC). NAC software can analyse the files on your computer to make sure you are well-patched against the latest vulnerabilities, isolating you from the internet at large until you are safely patched. This, along with an anti-virus, greatly reduces your risk of a drive-by install, since it closes off the security holes commonly used by cybercriminals.

6. Use your common sense. When you search for a topic of interest, the results which come back from your search engine are advisory, not mandatory. You aren’t required to visit every one of them until something unexpected happens.

7. Don’t be credulous. Don’t believe everything you read in email. By now, everyone should know that you can’t win a lottery you didn’t enter. So why click through to web links you weren’t expecting? Why visit websites about subjects which don’t really interest you, or act on information which sounds too good to be true? (It is.)

8. Don’t fall for security hyperbole. Learn from the past (e.g. the Michelangelo virus in 1992, the Millennium “Bug” in 1999) and seek objective information, not scare stories, about how to stay secure online.