Social engineering in the latest crop of viruses has people jumping through hoops to open malicious attachments. How do we change the pattern?
Ask the average Internet user about security for their computer, and they either look at you blankly or mumble something about anti-virus and firewalls, most often without any real idea of what these things are or what they do. In fact, many of the people who have these products installed on their computer still open strange email attachments promising pictures of celebrities undressed, or some mysterious information they never asked for. Talk about installing the door locks and window bars and then inviting strange-looking men with baseball bats into the house for a cup of coffee. What's the missing piece?
Zip no more.
I have been watching the latest crop of viruses, including the MyDoom, Netsky, and Beagle virus families, and it has caused me to really examine a fundamental belief of mine. Call me an optimist, but I had always believed that if we, as information security professionals, could present one or two simple rules for security and explain why they matter, the average user could begin to recognize social engineering when it appears in viruses, phishing or some other scheme. These latest viruses have eroded that belief.
Some of these mass-mailing viruses require that users:
1. open an email message
2. open a picture to determine a word used as a password
3. open a zip file
4. enter the password when prompted
5. run the file inside the zip
The virus authors have people jumping through more hoops than a circus seal, and all for what, a glimpse of a naked celebrity?
Some commentators from the IT industry seem to take a bit of glee in pointing out how users almost have to work at getting infected by these viruses, or in other words that they are morons. While I don't agree with the moron statement, it would be misleading to say that these users aren't aware of the potential risk. The media has picked up on many of the successful versions of these mass-mailing viruses and written stories warning about opening attachments. In some cases, users will get infected multiple times, and they will do it knowingly. If they aren't morons, and they know the risk of a virus, where does the problem lie?
Some of the blame for this latest crop of viruses does lie with us as security professionals. For years we have said that zip files are the safest and best way to transfer files. That safety no longer holds. It is time to retreat, move the line of engagement with the viruses further back, and rethink the defense.
Technology can certainly help or hinder the process. MS-Windows' default of hiding file extensions, combined with the ability to change the icon a file displays, certainly makes this kind of social engineering easier. How does a user differentiate between my_vacation.jpg and my_vacation.jpg.exe if they can't see the file extension? What rule can be given?
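As an added example (not part of this column), here are the gateway-side checks a defender would want for the two tricks described above: the double extension that a hidden-extensions display turns into my_vacation.jpg, and the password-protected zip whose members a scanner cannot open. The extension lists and the sample archive are constructed for this example.

```python
import io
import zipfile

# Constructed lists (not exhaustive): extensions Windows runs on double-click,
# and harmless-looking extensions used as the visible half of a double extension.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "txt", "doc", "pdf"}

def classify_filename(name):
    """Describe why an attachment name is deceptive, or return None."""
    parts = name.lower().replace("\\", "/").rsplit("/", 1)[-1].split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return f"double extension: shows as .{parts[-2]} but runs as .{parts[-1]}"
    return f"executable attachment (.{parts[-1]})"

def zip_is_encrypted(data):
    """True if any member has the encryption bit (bit 0 of its flag field) set."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(info.flag_bits & 0x1 for info in zf.infolist())

def triage_attachment(name, data):
    """Gateway checks: deceptive name, encrypted zip, deceptive names inside a zip."""
    findings = []
    reason = classify_filename(name)
    if reason:
        findings.append(reason)
    if data[:4] == b"PK\x03\x04":  # local file header signature of a zip
        try:
            if zip_is_encrypted(data):
                findings.append("password-protected zip: members cannot be scanned")
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    inner = classify_filename(info.filename)
                    if inner:
                        findings.append(f"inside zip, {info.filename}: {inner}")
        except zipfile.BadZipFile:
            findings.append("corrupt or truncated zip")
    return findings

def build_sample_zip():
    """Constructed sample: a stored zip holding photo.jpg.exe, with the encryption
    flag patched on afterwards because zipfile cannot write encrypted archives."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("photo.jpg.exe", b"MZ not a real program")
    data = bytearray(buf.getvalue())
    data[6] |= 1  # flag field of the local file header
    cd = data.find(b"PK\x01\x02")  # first central directory entry
    data[cd + 8] |= 1  # flag field of that central directory entry
    return bytes(data)
```

Run triage_attachment("holiday_pics.zip", build_sample_zip()) to see both findings; the name check alone would pass the zip, which is exactly why the archive has to be opened at the gateway.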
How do we change the social pattern?
I believe the question of how to change this pattern doesn't have a technological answer. Reactive systems like anti-virus (desktop or mail server) certainly have their place, but a fast-spreading virus is often able to penetrate organizations before signatures are available, despite how quickly signatures are written and shipped by all the anti-virus firms. I still remember when signature updates arrived semi-annually on a floppy disk.
Attachment filtering isn't the answer. We have slowly added more and more attachment types to the list to be blocked. In fact we are almost back at the point where plain text email is the only option to get through gateways. Six months ago, zip files were the most reliable way to get MS-Word documents, batch files, and other potentially harmful file types through filtering gateways. Zip files are now regarded as rats carrying the plague.
How about dumping SMTP mail altogether? Wouldn't that be an advancement? After all, everyone knows that viruses don't spread through Web downloads, peer-to-peer file sharing systems, IM file transfers or IRC DCC connections. So much for the argument that the weakness exists because SMTP was never designed for file transfer. PGP encryption would just prompt the user to type their passphrase; there is always a way to fool the people. Changing the technology used won't stop social engineering, because any technology can be subverted if decisions are put in the hands of the end user. Fool the user, fool the technology.
Human nature and security: natural enemies?
Security is hard work. Human nature is to look for the easy way, the quick way; in other words, to be efficient. Watching the mass-mailing virus circus lately, I find myself wondering how western society made the move over time to installing locks on the door. After all, locks are not conducive to efficient living: you have to carry keys, you misplace your keys, and the lock is now a significant obstacle to efficient living. The only reason people started locking their doors decades ago is that they felt a threat to their person or possessions.
The unfortunate reality is that until Internet society views running a virus, trojan, or back door as a threat to person (identity) or possession (all the information on their computer), they will continue to jump through the hoops that virus authors make for them and behave in all manner of unsafe ways. Once the realization hits that there are personal consequences for certain behaviors, people will begin to consider what might happen if they open this weirdly named file. I fear what will happen to make users realize the threat.
For proof of the change in behavior that happens after someone feels threatened, just watch someone after their house is broken into. It's time for bigger locks, bars on the windows, and that call to the security company that keeps sending an annoying pimple-faced kid to promise you six months of free alarm system monitoring.