You can't create a software patch for human nature.
Social engineering is not a major at MIT. It's the enemy of security professionals and end users alike.
Social engineering is a set of tactics and psychological tricks used by hackers on computer users in order to gain entry to computer systems, according to Rick Tims of the SANS Institute. Examples of social engineering include impersonating an employee to gain entry to a company's offices and systems; dumpster diving, or looking through a person's or organization's garbage for important documents that might give a hacker clues on how to break into a network; spam mailing and e-mail hoaxes; and hidden e-mail attachments like viruses.
Hackers also use social engineering and computer viruses to manipulate everyone with an e-mail address. Alluring e-mails with subject lines like "I Love You" or "NakedWife" work their way into hundreds of thousands of e-mail boxes, wreaking havoc on e-mail servers and in some cases, causing service outages.
So why do we fall for e-mails that promise love, attention or even pornography?
"It's a combination of gullibility and curiosity. A lot of people tend to want to see what they shouldn't want to see," said G. Mark Hardy, managing director of Guardent, Inc., a Waltham, Massachusetts-based company specializing in security consulting and services.
Clever e-mail subject lines like 'NakedWife' might appeal to the appetite of an e-mail user who just can't resist a nude photo, but according to Charles A. Lowe, the head of the University of Connecticut's department of psychology, there is little empirical evidence to speculate on this sort of "deviant behavior" as being more likely in a certain type of individual.
The text of the 'NakedWife' virus reads: "My wife never look like that! ;-)." But upon opening the attached file, NakedWife.exe, the unsuspecting user is met with a virus that rapidly attempts to delete several types of files on their hard drive while simultaneously e-mailing itself to anyone listed in the Windows Address Book using Outlook. Outlook is the principal e-mail program carrying most of today's viruses.
What reassures victims into opening this type of e-mail attachment seems to be the origin of the e-mail. The sender, who has already unwittingly opened the virus, is often a friend, coworker or a relative.
Another example of a socially engineered subject line, and one that has gained much attention in the news, is the AnnaKournikova virus, named for the 19-year-old Russian blonde bombshell tennis star. Like the 'NakedWife' virus, Kournikova forwards a copy of itself to everyone in the Outlook e-mail address book.
Other, similar e-mail viruses that prey upon the human psyche like 'NewLove', 'Pretty', 'Fun Love', and the perennial favorite 'Melissa' are examples of social engineering at work. Each arouses curiosity in the mind of the end user.
To err is human
When asked why people open e-mail attachments against security policies, warnings and better judgment, Carole Fennelly, a partner in the security firm Wizard's Key Corp., said "While a person may be smart, people are stupid."
"It's human nature to be lazy and not consider consequences of one's actions. To be fair though, people are only human and are bound to make mistakes. I've known some top security people who have inadvertently opened a virus and forwarded it," said Fennelly.
A recent searchSecurity news poll indicates that security fears revolve around socially engineered e-mail attachments; 34% of respondents fear manipulative e-mail attachments while 33% are skittish of weak passwords. Phone scams and dumpster diving were low on the social engineering worry list coming in at 23% and 10%, respectively.
The increased frequency of virus attacks can be attributed to the Internet population explosion. It has created an ever-growing crop of new targets for virus writers, which, in an age where businesses rely heavily on online transactions and the Internet, makes these authors of ill will all the more dangerous, according to Guardent's Hardy.
"The number of people who use the Net is growing exponentially. It's no longer safe to leave your system up and running just as it's no longer safe to leave your keys under the mat of your car," said Hardy.
According to the Computer Industry Almanac, Inc., there were more than 400 million Internet users worldwide at the end of 2000, up from less than 200 million users two years ago. The Almanac is projecting that the number of Internet users will top 1 billion in 2005.
Hardy says the growth of the Internet brings with it some dangerous side effects. The average experience level of the common user has been steadily dropping while the number of people with the technical ability to write destructive code is on the rise.
"You can't prevent gullibility and human curiosity. These types of attacks will always have some degree of success. To new users this is a new experience, there's no technology that can fix the ignorant user," said Hardy.
Infections rage in variants
Along with the increase in virus authors, the number of malicious viruses, those that damage files, is multiplying rapidly. "In the past [viruses] like 'Melissa' and 'I Love You', the first iterations were pretty benign. There was no nasty payload. They were only designed to reproduce. Where you begin to see the real evil is in the emerging variants. Programmers are changing the payload to delete files and even operating systems," Hardy said.
Sophos, Inc., an anti-virus software developer, detected 867 new viruses last month. Sophos said notable new viruses in March included Magistr, Naked Wife and two new Linux viruses, Lion and Lindose, also known as the Winux worms.
According to Hardy, people should be skeptical about anything that looks too good to be true. Keeping anti-virus definitions updated and maintaining tight security policies should also be standard practice.
Fennelly said that education is a must, but be prepared for the reality that people will do stupid things.
"Companies should have an aggressive program and policy toward educating their people about social engineering techniques." The best defense, she says, is to be aware of the threats and be prepared to deal with them.
Let us know what you think about the story, e-mail Kevin Komiega, assistant news editor