cyber security

Installing software updates may make us WannaCry, but it must be done to stay safe online

People don’t want to endure the interruptions and inconveniences of keeping their computer software up to date.

The global ransomware attack called “WannaCry,” which began last week and continues today, could have been avoided, or at least made much less serious, if people (and companies) kept their computer software up to date. The attack’s spread demonstrates how hundreds of thousands of computers in more than 150 countries are running outdated software that leaves them vulnerable. The victims include Britain’s National Health Service, logistics giant FedEx, Spanish telecom powerhouse Telefonica and even the Russian Interior Ministry.

The security flaw that allowed the attack to occur was fixed by Microsoft in March. But only people who keep their computers updated were protected. Details of the flaw were revealed to the public in April by the Shadow Brokers, a group of hackers who said they had stolen the information from the US National Security Agency.

Attackers got into computers through that weakness and encrypted users’ data, demanding a ransom from anyone who wanted the data made usable again. But they didn’t win the race to exploit the flaw as much as people and computer companies collectively lost it. Our human tendencies and corporate policies worked against us. Research, including my own, tells us why, and offers some suggestions for how to fix it before the inevitable next attack.

Updating is a pain

All people had to do to stay safe from WannaCry was update their software. But people often don’t, for a number of specific reasons. In 2016, researchers from the University of Edinburgh and Indiana University asked 307 people to discuss their experiences of installing software updates.

Nearly half of them said they had been frustrated updating software; just 21% had a positive story to tell. Researchers highlighted the response of one participant who noted that Windows updates are available frequently – always the second Tuesday of every month, and occasionally in between those regular changes. The updates can take a long time. But even short updates can interrupt people’s regular workflow, so that study participant – and doubtless many others – avoids installing updates for “as long as possible”.

Some people may also be concerned that updating software could cause problems with programmes they rely on regularly. This is a particular concern for companies with large numbers of computers running specialised software.

Is it necessary?

It can also be very hard to tell whether a new update is truly necessary. The software that fixed the WannaCry vulnerability came out in a regular second-Tuesday update, which may have made it seem more routine. Research tells us that people ignore repeated security warning messages. Consequently, these monthly updates may be especially easy to ignore.

The companies putting out the updates don’t always help much, either. Of the 18 updates Microsoft released on March 14, including the WannaCry fix, half were rated “critical,” and the rest were labelled “important.” That leaves users with little information they could use to prioritise their own updates. If, for example, it was clear that skipping a particular update would leave users vulnerable to a dangerous ransomware attack, people might agree to interrupt their work to protect themselves.

Even security experts struggle to prioritise. The day the fix was released, Microsoft watcher Chris Goettel suggested prioritising four of the 18 updates – but not the one fixing WannaCry. Security company Qualys also failed to include that specific update in its list of the most important March updates.

Security pros, and everyone else

The Conversation US CC-BY-ND
The Conversation US CC-BY-ND

The most common recommendation is to update everything immediately. People just don’t do that, though. A 2015 survey by Google found that more than one-third of security professionals don’t keep their systems current. Only 64% of security experts update their software automatically or immediately upon being notified a new version is available. Even fewer – just 38% – of regular users do the same.

Another research project analysed software-update records from 8.4 million computers and found that people with some expertise in computer science tend to update more quickly than non-experts. But it’s still slow: from the time an update is released, it takes an average of 24 days before half of the computers belonging to software engineers are updated. Regular users took nearly twice as long, with 45 days passing before half of them had completed the same update.

Making updates easier

Experts might be quicker at updating because they understand better the potential vulnerabilities updates might fix. Therefore, they might be more willing to suffer the annoyances of interrupted work and multiple restarts.

Software companies are working on making updates more seamless and less disruptive. Google’s Chrome web browser, for example, installs updates silently and automatically – downloading new information in the background and making the changes when a user quits and then reopens the programme. The goal is for the user not to know an update even happened.

That’s not the right choice for all kinds of updates, though. For example, the Windows update needed to protect against the WannaCry attack requires the computer to restart. Users won’t tolerate their computers shutting down and restarting with no warning.

Getting the message out

So computer companies must try to convince us – and we must convince ourselves – that updates are important. My own research focuses on doing just this, by producing and evaluating entertaining and informative videos about computer security.

Play

In our first experiment evaluating the video, we conducted a month-long study to compare our video with an article of advice from security firm McAfee. The video was effective for more of our participants than the McAfee article was. Our video was also equally or more effective, overall, at improving people’s updating practices. Trying new approaches to teaching security behaviours such as our edutainment video, or even security comics, may be a first step toward helping us stay safer online.

Elissa Redmiles, PhD student in Computer Science, University of Maryland.

This article first appeared on The Conversation.

We welcome your comments at letters@scroll.in.
Sponsored Content BY 

Virat Kohli and Ola come together to improve Delhi's air quality

The onus of curbing air-pollution is on citizens as well

A recent study by The Lancet Journal revealed that outdoor pollution was responsible for 6% of the total disease burden in India in 2016. As a thick smog hangs low over Delhi, leaving its residents gasping for air, the pressure is on the government to implement SOS measures to curb the issue as well as introduce long-term measures to improve the air quality of the state. Other major cities like Mumbai, Pune and Kolkata should also acknowledge the gravitas of the situation.

The urgency of the air-pollution crisis in the country’s capital is being reflected on social media as well. A recent tweet by Virat Kohli, Captain of the Indian Cricket Team, urged his fans to do their bit in helping the city fight pollution. Along with the tweet, Kohli shared a video in which he emphasized that curbing pollution is everyone’s responsibility. Apart from advocating collective effort, Virat Kohli’s tweet also urged people to use buses, metros and Ola share to help reduce the number of vehicles on the road.

In the spirit of sharing the responsibility, ride sharing app Ola responded with the following tweet.

To demonstrate its commitment to fight the problem of vehicular pollution and congestion, Ola is launching #ShareWednesdays : For every ​new user who switches to #OlaShare in Delhi, their ride will be free. The offer by Ola that encourages people to share resources serves as an example of mobility solutions that can reduce the damage done by vehicular pollution. This is the fourth leg of Ola’s year-long campaign, #FarakPadtaHai, to raise awareness for congestion and pollution issues and encourage the uptake of shared mobility.

In 2016, WHO disclosed 10 Indian cities that made it on the list of worlds’ most polluted. The situation necessitates us to draw from experiences and best practices around the world to keep a check on air-pollution. For instance, a system of congestion fees which drivers have to pay when entering central urban areas was introduced in Singapore, Oslo and London and has been effective in reducing vehicular-pollution. The concept of “high occupancy vehicle” or car-pool lane, implemented extensively across the US, functions on the principle of moving more people in fewer cars, thereby reducing congestion. The use of public transport to reduce air-pollution is another widely accepted solution resulting in fewer vehicles on the road. Many communities across the world are embracing a culture of sustainable transportation by investing in bike lanes and maintenance of public transport. Even large corporations are doing their bit to reduce vehicular pollution. For instance, as a participant of the Voluntary Traffic Demand Management project in Beijing, Lenovo encourages its employees to adopt green commuting like biking, carpooling or even working from home. 18 companies in Sao Paulo executed a pilot program aimed at reducing congestion by helping people explore options such as staggering their hours, telecommuting or carpooling. After the pilot, drive-alone rates dropped from 45-51% to 27-35%.

It’s the government’s responsibility to ensure that the growth of a country doesn’t compromise the natural environment that sustains it, however, a substantial amount of responsibility also lies on each citizen to lead an environment-friendly lifestyle. Simple lifestyle changes such as being cautious about usage of electricity, using public transport, or choosing locally sourced food can help reduce your carbon footprint, the collective impact of which is great for the environment.

Ola is committed to reducing the impact of vehicular pollution on the environment by enabling and encouraging shared rides and greener mobility. They have also created flat fare zones across Delhi-NCR on Ola Share to make more environment friendly shared rides also more pocket-friendly. To ensure a larger impact, the company also took up initiatives with City Traffic Police departments, colleges, corporate parks and metro rail stations.

Join the fight against air-pollution by using the hashtag #FarakPadtaHai and download Ola to share your next ride.

This article was produced by the Scroll marketing team on behalf of Ola and not by the Scroll editorial team.