Yesterday I provided some examples of how malicious code writers will use social engineering or behavioral psychology to get us to do pretty much whatever they want us to do. I also promised to provide an example of how even the mighty may fall. Here are two:
Near the end of 1999, a virus written as a simple, basic programming script made the rounds on the internet using a very simple social engineering tactic. It was called “Melissa”.
In early February 2000, I was just about finished with the training for becoming a Microsoft Windows 2000 Professional tech support agent. We (about 300 support agents) were being trained by some highly skilled engineers from Microsoft who had worked on either the operating system itself or one of the many programs that came bundled with it. These men were a mixture of programmers, designers, developers and project managers at Microsoft. We referred to them as “Partner Tech Leads”.
One day I (along with everybody else in training) received an email from one of these men with the subject “I Love You!” There was nothing in the body of the email, but there was an attachment:
A plain text file will usually have the “.txt” file extension, or possibly no extension at all. A small program that is written in Visual Basic has a “.vbs” extension. Visual Basic is how Microsoft Office 97 applications were able to create and make use of macros. This macro, or program, copied itself to his computer’s hard drive, then emailed itself to the first fifty people in his email contact list via Outlook.
This PTL knew his trade very well. He was an accomplished and talented programmer with years of experience and extensive knowledge of the core of the Windows operating system. According to the other trainers, he knew how to write code in several programming languages, including BASIC. But he was, of course, human and succumbed to this clever trick.
That is exactly what the original author of the virus was counting on: social engineering in action.
Example two: When Microsoft first decided to include the macro capability in its popular Office suite of applications, one of the developers on the project approached his project manager with a concern. It had occurred to him that the ability to create a macro in Word or Excel required using a programming language. If one had extensive enough knowledge of the application environment, one could, in effect, create a “Macro Virus” and infect any system running any version of Microsoft Office that had the ability to run macros.
The project manager at the time dismissed the likelihood of that ever happening. He claimed that the developer was making too much of a highly improbable scenario and that the user base as a whole would see nothing but good coming from the ability to create and use their own macros.
That night the developer went home and wrote the world’s first macro virus. Any system infected with it would pop up a Windows message box containing the message “This is a macro virus” and an “OK” button. The next day it started to infect systems at Microsoft. While the “virus” in this case was not malicious and did no real harm to any of the systems infected by it, the developer in question was alleviated of his burden of writing code for Microsoft. This was approximately 3 years prior to the release of the above-mentioned “Melissa” infection that hit millions of systems worldwide.
In both of these examples the infections spread quickly and very thoroughly because they were new concepts to the world of computing. People were unfamiliar with the concept of a computer virus and so were not set to guard against infection.
Today is a completely different world. There is an entire generation of people entering the job market who have never known a world without internet access. And they have never known a world without computer viruses or malware.
But they are also being given the same information that we have been handed for years. You can be secure online so long as you follow the basic steps of computer security.
Computer security concepts need to make a huge leap forward just to try and bridge the gap between current computer usage habits and the advanced tactics of the truly inventive and nefarious designers of modern malware and the methods they employ to infect systems and steal information.
Of course, the old concepts still apply. Continue doing these and you’ll definitely improve your chances of keeping a grip on your online identity:
- Manufacturer updates. Install them, but make sure they are actually from the manufacturer. Run your computer’s update tool and become familiar with the look and feel of it. If an update pops up that doesn’t look quite right, close it and then run your computer’s update tool to see if it is there.
- Anti-Malware. Viruses aren’t the only game in town when it comes to wreaking havoc with your computer. There are key loggers, unwanted advertising programs like the one already mentioned, spyware that tracks your computer usage and reports it back to its owners and a whole bunch of other programs designed to steal your information, identity, money or just plain ruin your day. All of it is referred to as malware. You will want an application that is designed to detect all of these types of programs and remove them, not just viruses.
- Data Redundancy. Any information that you have on your computer that you think is critical or important needs to be kept somewhere other than just on your computer. USB thumb drives, external hard drives, burned CDs or DVDs are just one set of options. Now there are also cloud storage services that will hold onto your important info, but there are risks with those as well. Right now, your best bet is to use some sort of external media that you can keep control of and lock up somewhere safe.
- Email. Unless you specifically asked for it, do not open attachments in emails, even from people you know. The above-mentioned “Melissa” macro virus came from someone in that person’s contact list. Then it came to me from him, someone in my contact list. Simply opening the file installs the virus and sets it to work on your system. Also, learn how to check the destination of a link in an email by hovering your mouse pointer over the link and checking the bottom of the email window for the destination URL. A link can be displayed as just about anything, including an address other than the one that it actually points to.
- Physical security. This one is possibly the easiest, but the least often adhered to. Don’t leave your computer sitting open, powered on and logged in while you head off to the bathroom or anywhere else out of sight of your computer. Either take the time to pack it up and take it with you, or simply just lock the screen, put it to sleep or shut it down. If you have a cable lock, even better. Don’t wait to come back from wherever and find it gone to realize how little a cable lock costs compared to how much replacing your computer and everything that was on it will cost. And I’m not just talking about dollars.
- Limited rights login. This one I don’t see too often because it can be a bit cumbersome to someone not used to it. The basic idea is to have two user accounts on your computer. One account has full control over every aspect of the computer, from installing new programs to changing system settings. The second account has little to no control over the computer. Just basic usage rights. This user can run a program that is already installed, connect to the internet, send and receive emails and things like that. The second user is the one that is used for almost everything you use the computer for. The first is only used to install new programs, remove old programs, install new devices (printer, scanner, camera, etc.) and make whatever changes to the computer need to be made.
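As an added example (not code from the original post), here is a small Python script showing how a mail filter could mechanically apply two of the checks described above: flagging an attachment whose name ends in a script extension such as “.vbs” (including the case where it is disguised behind a double extension like “.txt.vbs”), and flagging a link whose displayed text looks like one web address while its real destination is a different host. The sample message, the addresses in it and the attachment name are all constructed for this example; the list of risky extensions is an assumption, not a complete one.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions Windows treats as runnable code when double-clicked (assumed, partial list).
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".exe",
                     ".scr", ".bat", ".cmd", ".ps1"}

# Constructed sample: an HTML body with one deceptive link and one honest link,
# plus a script attachment hiding behind a ".TXT" double extension.
SAMPLE_EMAIL = """\
From: trainer@example.invalid
To: agent@example.invalid
Subject: I Love You!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Your account needs attention:
<a href="http://login.example.invalid/verify">https://bank.example.com/</a></p>
<p>Read our <a href="https://bank.example.com/help">help page</a>.</p>
</body></html>
--B1
Content-Type: application/octet-stream; name="LETTER.TXT.vbs"
Content-Disposition: attachment; filename="LETTER.TXT.vbs"

' constructed placeholder body, not a real script
--B1--
"""


def risky_attachments(msg):
    """Return (filename, reason) for attachments whose name ends in a script extension."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        pieces = name.lower().rsplit(".", 2)      # "letter.txt.vbs" -> ["letter", "txt", "vbs"]
        ext = "." + pieces[-1] if len(pieces) > 1 else ""
        if ext in SCRIPT_EXTENSIONS:
            reason = "script extension " + ext
            if len(pieces) == 3:
                reason += " hidden behind a ." + pieces[1] + " double extension"
            findings.append((name, reason))
    return findings


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html):
    """Return (shown, actual) pairs where the link text is itself a URL whose host
    differs from the host the href really points to."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        shown_host = urlparse(text).netloc.lower() if "://" in text else ""
        actual_host = urlparse(href).netloc.lower()
        if shown_host and shown_host != actual_host:
            findings.append((text, href))
    return findings


def scan_message(raw):
    """Parse a raw RFC 822 message and report both kinds of finding."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return {"attachments": risky_attachments(msg), "links": mismatched_links(html)}


if __name__ == "__main__":
    for kind, items in scan_message(SAMPLE_EMAIL).items():
        for item in items:
            print(kind, "->", item)
```

The link check deliberately only fires when the visible text is itself a URL; a link labelled “help page” is left alone because the reader is not being told where it goes. A real filter would also want to look at the target of any shortened or redirecting URL, which this example does not do.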
I will point out here that the last measure listed above is something I have never seen used outside of a corporate environment. The inconvenience of having to logout and log back in with a different user account, combined with having to remember two different usernames and passwords, keeps just about everyone from taking advantage of this very effective security measure.
The problem is in the word “inconvenience.” Any security measure that is perceived as a hindrance or obstruction to using a computer (or even just doing one’s job) will be circumvented. This is why people write down a list of their favorite passwords and tape them to their monitor, the bottom of their keyboard or stick them in a drawer.
I know I’m only scratching the surface with the above list, because the focus of this piece is to bring to the forefront the use of trickery, guile and deceit to get you to give up your information willingly.
So, what security measures do you use? More importantly, what security measures do you consider more hindrance than protection?