Abstract
As more and more data is stored online and the number of internet users keeps growing, authors of malicious software persistently look for new ways to acquire valuable confidential information. When recent malware, spyware, ransomware and other digital attacks were disclosed publicly and attracted a lot of attention, general trust in online information decreased notably. It is commendable general practice to use an antivirus solution, not to open suspicious links and not to give confidential data to an untrusted source. However, one attack vector is often forgotten. The digital world is no longer imaginable without countless pieces of software, and almost all of them ask the user to accept an end-user license agreement (EULA) before the installation process starts. This step is frequently overlooked by most users, even though real security threats might be hidden there. This work analyzes the concept of the EULA and its drawbacks. Users' trust in information found online is tested with software made for this experiment that carries a specifically designed EULA text. The results obtained make it possible to identify the scope of the problem and to propose actions that could help close this security gap.

A EULA is a legal contract between the author or publisher of a software application and the user of that application. It is often criticized for its length (on average it reaches 3000 words) and its difficult legal terminology. Even well-known companies use EULAs with terms that are potentially harmful to the end user. There is still a shortage of court decisions related to this document, not only in Lithuania but also in the EU; in the US, however, statistics are in favor of the EULA, and some widely publicized trials ended in support of the document and thus strengthened its legal power even further. Only a few studies could be found regarding this document and its impact on confidential information or IT infrastructure. Likewise, there are only a few solutions for evaluating, and automatically guarding against, potential threats written into a EULA.

The experiment on users' trust in the EULA was performed at the end of 2016. 653 first-year students of the Faculty of Informatics of Kaunas University of Technology were selected for the investigation. The experiment was carried out in the form of a knowledge-testing application for a specific university course. When a user wanted to install the testing application on either a Windows machine or an Android mobile device, it prompted for the EULA to be accepted; otherwise the installation was cancelled. If the user accepted the specifically modified EULA, the installed software not only performed its expected and visible functions but also collected some data from the machine it was running on and sent it out. A specific EULA text was developed for this experiment that mimics a standard agreement as closely as possible but also contains multiple statements indicating its unusual purpose. In addition, Windows and Android applications for the testing program "Quizza" were created. Alongside the expected functionality, both solutions used standard Java libraries to collect information about memory devices and the third-party email client Gmail to send the data to a mailbox prepared for the experiment. A bogus website, quizza.tk, was also created as the distribution environment for these applications; each link visit on that website was monitored and later analyzed as part of the experiment results.

The experiment confirmed that users tend to skip the EULA and agree to any text written in it. Nobody read the license agreement, and thus all of them shared their confidential data with the author. The experiment also revealed more alarming IT security trends. More than 60% of the data received arrived within the first 24 hours from the start of the experiment. This tendency favors zero-day exploits and new fraud schemes, and, as was visible, no home antivirus solution provided sufficient protection against the data theft. Home users also do not make use of virtualization technology to increase the security of their systems, and in many instances external USB flash drives were found connected when the user installed this untrusted application, which would allow malware to spread easily.