Over the years, we have tried and succeeded in using a number of different methods to educate people on computer security problems and issues: posters, videos, courses, presentations, monthly reports, and Bulletin articles. We would now like to step up a level and introduce haptic feedback for unsecure user actions. Enter: the “Digital Feedback Keyboard” (DFK).
Today, using a computer does not come without risks. Browsing to the wrong webpage, opening a malicious attachment or downloading a bad plugin or software can quickly infect your computer, destroy its inherent defences and render you, your work, your data and subsequently CERN completely naked and unprotected (see for example “Drive Bye” or “One click and boom”). An attacker “owning“ your computer in such a way also owns your computing account as, usually, such attackers install malware on your computer which will log any keystroke you make (including your account’s password), enable your webcam and microphone to spy on you, search through your hard disk for juicy documents and, if there is nothing better, try to extort some money from you (“Ransomware - when it is too late...").
It is generally very difficult to spot those risky actions. “Stop, think, do not click!” does not always enter into our minds promptly. Hence, with these new DF keyboards, a user will get direct feedback from unsecure actions through a series of small electrodes integrated into the keys. These electrodes will distribute a short spike of a few volts for potentially dangerous actions like opening an infected attachment, typing your CERN password into a non-CERN-owned webpage or browsing to a malicious webpage. Higher voltages can be expected when opening applications which directly violate CERN’s Computing Rules or are illegal, such as software using pirated licenses (“Do you have 30 kCHF pocket money?”) or violating copyright (“Protect CERN --- Respect Copyrights”). After a while, such electric feedback will help you subconsciously to practice “Stop, think, do not click!”. “It is basically like teaching cows not to touch the fence by using electric wires,” says Chris Lloyd from the IT procurement team.
A first pilot phase will start on 1 April, with about 100 users randomly selected from among all members of the personnel. As other CERN services have already expressed their interest for their particular use cases (e.g. for eLearning, MERIT appraisals, expensive purchasing), the pilot might quickly be expanded throughout CERN. The CERN procurement team and IT department are currently investigating how to efficiently roll out and distribute DF keyboards to every single user. If you prefer not to join this pilot phase for now, just start to practice “Stop, think, do not click!” now. Please beware of strange e-mails sent to you – learn how to identify malicious e-mails – and do not click on random links just because you find them appealing. Better think first and refrain from clicking.
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, visit our website or contact us at Computer.Security@cern.ch.