Tuesday, September 19, 2006

It’s All About The Social Engineering, Baby!

I’ve said it a number of times, and at the risk of sounding like a complete cynic, I will say it again: The biggest threat to computer (and information) security is the people who use them. Or, more appropriately, people who use computers and information technologies in a significantly “unaware” state. To give you an idea what I mean, let’s take another fairly ubiquitous implement in our society, the automobile. Why are there so many accidents? It’s not the bank robbers or the murderers and rapists (in other words, “criminals”) causing them. They are caused by everyday people not paying attention to those around them, people who think that rules of the road don’t apply to them, and even, dare I say, people who just don’t give a damn about those around them. I mean, why is it that people can get into horrific accidents driving down a completely straight piece of highway, like I-25 here in Colorado? It’s because people jump in those 2,000 pound pieces of hardware and just blast off down the road as if they were the only ones on it, completely oblivious to anyone else who may be around. As long as they get where they are going, they don’t care how they got there, and as long as no one else causes them inconvenience, whatever they do is fine.



Well – our love of computers is the same way as our love of the automobile. Computers and communications devices (such as cell phones) are such a ubiquitous and necessary part of our daily lives, that to go without email or our phones for even one minute would be disastrous. And our ability to click on any Internet link we want, and forward every email joke we get had better not be impeded in any way. This idea is at the very heart of many cyber-attacks these days. The bad guys know that people can be duped into just about anything – spreading email here, clicking on a link there, giving out information over the phone. It is very easy for the bad guys to plant a very innocent looking email, spam it out to the whole world, and then sit back and watch as the ignorant masses of scurrying mice blindly follow the bread crumbs. This, in essence, is what “social engineering” is all about. Social engineering encompasses a wide variety of things, such as me pretending to be the help desk and calling you up to get you to give me your network account password. Or diving through your trash to find out what usernames and passwords you had scribbled down and unknowingly thrown away. Or, how about me the nosey passerby shoulder surfing while you arrogantly (and show-off-ishly) flaunted your laptop in a busy airport or coffee shop? You know, in all my journeys through airports, I have gathered more information from listening to people yell into their cell phones that, if I were a bad guy, could be used against them (and their companies). I sat waiting for a flight from Rochester, NY one time and listened to some guy give an entire performance review over his cell phone – he wasn’t discreet or quiet about it at all. Social engineering is what gets you to give up your social security number and birth date when you reply to some scam offering you a refund from the IRS or an online deal that you just can’t refuse.



The above are all examples of social engineering, and there are many more. The bad guys rely on egos and ignorance getting in the way of security awareness. Those that would attack you know that you are either trying to show off how important you are or that you are just plain ignorant of information security techniques. They will use a variety of very simple techniques against you to steal your data, launch code to wreck your computer, or turn your computer into a zombie to proliferate other attacks. The bad guys use clever emails and lures to malicious web sites to launch attacks more often these days than almost any other type of attack. In fact, as of this week there is a new flaw in Internet Explorer, and according to this article at ZDNet, porn sites are already exploiting it. The really stupid and lazy attackers will just get you to do their work for them: they simply tell you that there is a security vulnerability or virus on your computer, and tell you to delete certain files. They will then get you to email all your friends and tell them to delete these same legitimate files (this is known as a virus hoax), which will then render all of your computers unusable the next time you reboot. Essentially, social engineering (in the bad sense) is all about getting people to do things that the attacker wants them to do.



If you were to look at the majority of the descriptions for most vulnerabilities that are fixed by recent patches, you would see that the patch itself fixes a vulnerability caused by a programming flaw, but that it is only exploited when the victim opens an infected email, opens an infected email attachment, or is lured to a malicious web site. In many cases, the exploit is not “WORMABLE” and simply relies on a cleverly crafted email, attachment, or image file getting onto the victim’s computer so that it can do its thing. The attackers know that they can get you to visit a web site or open an email, and that they can certainly rely on you to forward it to all your friends.



So let's talk about “good” social engineering. One of the greatest challenges facing IT security professionals is to get people to change their behavior and attitudes towards information security. To most people, the security people are just the Gestapo out to spoil their fun and keep them from doing their job. We are the source of inconvenience because it just doesn’t seem reasonable that the threats really are out there. It’s all a big myth. I’m here to tell you that the only myth is believing in the false sense of security that comes from the “it can’t happen to me” syndrome. When your IT support people or your friendly bloggists bombard you every day with hints and tips about locking your keyboard when you get up from your computer, telling you not to open email attachments, or not to write down your password on sticky notes – that is the form of social engineering we are trying to use to get you to change your habits a little. We aren’t trying to keep you from being productive. On the contrary, we are trying to keep you from becoming a victim.



Bottom line – the bad guys are trying to “social engineer” your behavior so that you will fall into their trap. They can then laugh at you while they point you out to all their friends (and get the news media attention they crave), telling them how they “stuck it to the man” and screwed up a bunch of computers. The IT security people are trying to “social engineer” your behavior so that you won’t make an ass of yourself, or worse yet destroy the company’s network or compromise proprietary information. If you get attacked at home because you were complacent about your own computer security, then it may take you a while to get your system back up and running. And it might take a while for you to get over the embarrassment that you feel because you unknowingly passed along the attack vehicle to your friends. But if you get attacked at work because you just didn't care to be bothered by computer security requirements and even spread the attack to the entire network, embarrassment will be the least of your problems. The security people have an obligation to keep you informed. You have an obligation to heed the warnings and do the right thing. In other words, you have an obligation to stop being ignorant and be as vigilant with your information technology as you should be while driving down the road in that 2,000 pound weapon of yours. Use some due diligence, as we call it, and be aware. Security is everyone’s business!


Saturday, September 02, 2006

Microsoft is (Still) Not the Problem

Ahhhh - Fall is in the air and it is time to wrap up another summer! I want to start out this fine September by following up on an article I published on my main web site a while ago. In that article, I mentioned that Microsoft was getting a lot of bad press because their products were always being attacked, and because they released so many patches. In following up and to set the stage for this article, I would just like to say that this has been a fairly interesting summer for Microsoft, with the release of over thirty new patches for Windows, Internet Explorer, and Office products between June 2006 and August 2006 alone. All in all, we are up to numbered security patch MS06-051 (the 51st patch of 2006), plus several other patches that don’t fall under that numbering system. But let’s not forget that the folks at Firefox gave us at least two new releases this summer also, not to mention patches from Symantec, McAfee, and Intel (Intel/PRO Wireless Drivers). I’m not going to use today’s post as a forum to pit one browser against another or even one operating system against another. I just wanted to point out that there have been a lot of new patches all the way around, but that this high volume of new patches isn't necessarily the problem we are facing. In that previous article, I wrote that:

“Of all the people who regularly bash Microsoft for giving us an operating system with so many holes, I am probably one of the worst offenders. However, I recently had the opportunity to hear a talk by "Hacking Exposed" author Stuart McClure. He made a very interesting point - Microsoft is not the problem. There is so much talk about using the Linux operating system and alternative web browsers such as Mozilla FireFox. The point he made is that those systems also have security holes as do the Microsoft products.”




In spite of all these new patches this summer, I would like to say that I still believe that Microsoft is (still) not really the problem here. What I do see as the problem(s) are people who have too much time on their hands (the bad guys) and security unaware end users. The fact of the matter is that software code, no matter who writes it, is going to have flaws that are eventually discovered and exploited. It just so happens that Microsoft has the larger market share, so the bad guys are attacking where they know they can do the most widespread damage. So we know where the bad guys are presenting the problem – where they can do the most damage, and in doing so what will get them the most publicity.



So now let’s talk about the end user part of the equation. It’s a foregone conclusion that the software has flawed code, and always will. But let’s face it: Microsoft and other vendors find their flaws (or have the flaws reported to them), they fix the flaw and release a patch. It is now up to the end user (or the IT support structure in corporate environments) to make sure that the patches are getting applied in a timely manner. Are you setting your Automatic Updates to download and install your patches, or do you at least visit Microsoft Update regularly to get them manually? How about your other (non-Microsoft) software – do you keep an eye on settings that will allow automatic updating for those as well? Since we’re on that subject, even if you do have your Automatic Updates set to auto/auto, when you have some down-time, why not visit the Windows Update site on your own? Check every once in a while and make sure for yourself that you aren’t missing any critical updates, just as you should be manually checking your antivirus and anti-malware definitions every so often to make sure your update engines are working properly and that your system is in fact getting the updates as it should be.
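The self-check described above, as an added example that is not part of the original post: it reads the Automatic Updates mode, the last successful check and install dates (stale dates mean the update engine is not actually running, whatever the setting says), and asks the Windows Update Agent which applicable updates are still missing. It assumes the Windows Update Agent COM API (XP SP2 and later) and PowerShell; the 7-day staleness threshold is my own choice.

```powershell
# Added check: confirm Automatic Updates is really doing its job.
# Assumes the Windows Update Agent COM objects are present (XP SP2 and later).
$au = New-Object -ComObject Microsoft.Update.AutoUpdate
$level = $au.Settings.NotificationLevel
# 0 = not configured, 1 = disabled, 2 = notify before download,
# 3 = download, notify before install, 4 = scheduled install ("auto/auto")
$names = @{ 0 = "not configured"; 1 = "disabled"; 2 = "notify before download";
            3 = "notify before install"; 4 = "scheduled install (auto/auto)" }
Write-Host ("Automatic Updates mode: {0}" -f $names[[int]$level])
if ($level -ne 4) {
    Write-Warning "Automatic Updates is not set to download and install automatically."
}

# Stale dates mean the engine is not running, regardless of the configured mode.
$lastSearch  = $au.Results.LastSearchSuccessDate
$lastInstall = $au.Results.LastInstallationSuccessDate
Write-Host ("Last successful check:   {0}" -f $lastSearch)
Write-Host ("Last successful install: {0}" -f $lastInstall)
if ($lastSearch -lt (Get-Date).AddDays(-7)) {   # threshold is an assumption
    Write-Warning "No successful update check in the last 7 days."
}

# Ask the agent directly for applicable updates that are not yet installed.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
Write-Host ("Missing updates: {0}" -f $result.Updates.Count)
foreach ($u in $result.Updates) {
    $kb = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ","
    # MsrcSeverity is empty for non-security updates
    Write-Host ("  [{0}] {1} {2}" -f $u.MsrcSeverity, $kb, $u.Title)
}
```

The search step needs a connection to Windows Update (or your WSUS server), so a zero count on an offline machine proves nothing.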





So what happens when a patch goes bad and breaks your computer or an application? Are you simply throwing up your hands immediately, screaming how %$#@& Microsoft is always breaking your computer? This is another example, in my opinion, where the end users are the weak links in this whole patching and updating game. Far too many people scream and curse at Microsoft when a patch goes bad on their system instead of taking a few moments to calmly find a solution to the problem. The solution, by the way, is as close as your telephone: 1-866-PCSAFETY. That is Microsoft’s hotline for solving patch related problems. If the problem is caused by a security patch, the call is free of charge. The problem may be isolated to just your particular configuration, and it may be a simple matter of uninstalling and reinstalling the patch. If enough people call with the same problem, then Microsoft knows that there is something wrong with the patch itself, and will quickly release a fix. But in order to do so, Microsoft has to know about it! They don’t read minds any better than I do – the end users that are seeing the problem have to report it so that something can be done about it.



I have been in the patching business quite a while; I test and deploy patches that are applied to an enterprise of over 10,000 nodes, and I have yet to see consistent strings of patches that break computers. I do, however, see occasional problems come up on individual systems. I am telling you the same thing that I preach time and time again: do some troubleshooting, find out if it is an isolated problem or a widespread problem, and call the vendor and get the problem documented.





The other thing that I am absolutely sure has to be made clear is that the majority of the attacks in recent history rely on luring users to bad web sites or into opening infected emails to expose themselves to the risk. Most of the time, you aren’t in danger of the flawed code on your computer being exploited unless you do what the attacker wants you to do to unleash the attack. The attackers have gotten too lazy to make their attacks “wormable” – and why should they? Why go to the trouble to write the type of code needed to make computers proliferate the attacks, when they can rely on security unaware users to do it for them? All those emails with attachments that you blindly pass on to all your friends, and all those emails with links that you blindly follow: did you ever once stop to think about whether or not they contain potentially harmful content? This is why, in my humble opinion, much of the blame for the proliferation of harmful code rests squarely on the shoulders of the people clicking the mouse buttons.



So to summarize – I will say it again: Given enough time, the bad guys will find and exploit flaws in anything. This problem is not limited to Microsoft. It is just that Microsoft has the largest market share and will earn the attacker the most press time. This summer, I have seen patches come out for Microsoft products, UltraVNC, Symantec antivirus, McAfee antivirus, Firefox (multiple), Intel/PRO wireless network card drivers, as well as a few other products. So don’t blame Microsoft – blame the bad guys, and blame yourself if you’re not keeping your systems patched. You can also give yourself a little of the blame if you are blindly clicking on the email “Forward” button or those links in your email when you don’t know what they are or where they came from.


