Human Security, Relearning How to Act on the Internet


Security is a huge issue and has been one ever since the first person decided they wanted to protect what they owned. Through the centuries the art of security has evolved and a multitude of inventions have blossomed on the scene to help us keep our property safe and secure. Once the data age started we had new concerns, and our fertile minds came up with new and more creative ways to protect our new digital property. These two separate (yet dependent) fields are broken down into physical and digital security. The problem is that neither of these is effective unless we apply human security: the practice of securing people (humans) against being the largest security hole in any network or location.

If you look at the 360+ breaches last year, and some of the high-profile ones from this year, you will see that a large number of them involved malware being installed on systems to enable greater access. In some cases a small one-way attack is used to get the payload onto a server, which then allows the more extensive penetration into the network, but these are not the norm. Instead the most common method for getting first-stage malware into a network is through social engineering. This technique involves tricking us into installing malware by exploiting known internet habits. I have watched people click on links claiming to be from Facebook despite the fact that the email account they are on is not connected to Facebook. Our almost narcissistic need to find out what someone says about us, or which picture we are featured in, is a lure that most cannot resist.

In the six-year breach at QinetiQ, malware was found on servers and workstations that helped to keep the doors open for the hackers. When The Onion was hacked it was through phishing emails that pointed to fake Gmail login pages. The same thing happened to the Financial Times, using the same pattern and phishing emails. How can this continue to be effective time and time again? The reason is simple: people do not think about or look at the links they click on when they appear to come from a trusted source.

This is not a new phenomenon though. The “I Love You” worm was released in 2000 and infected millions of systems before it was stopped. It exploited two things: Microsoft’s insistence on hiding file extensions (which it still does) and our trust that no one we know would send us anything bad. The worm was usually embedded in a file named “LOVE-LETTER-FOR-YOU.txt.vbs”. It was a Visual Basic Script file, but because of the way Microsoft hides extensions it showed up only as a .txt file. It then spread by sending itself to the first 50 addresses in the victim’s Outlook address book. Another virus that followed this pattern was “My Resume”, a variant of the Melissa virus. Melissa was first seen in 1999 and again followed the same pattern of using our trust to spread through email. A potential victim would get an email with a subject line that followed the pattern “My Resume” or “Check Out My Resume”. From there a .doc file with malicious macros embedded in it would wreak havoc on the system and also send itself on using the victim’s address book.

These efforts were 13 years ago and the tactic is still working. Now the target is not messing up individual PCs; it is getting into large networks and finding the prize inside. In some cases the prize is being able to deface a site or post garbage on connected Twitter and Facebook accounts. In other cases the target is secret data or our money.

Back around 2002 I was working for a small mortgage company as the network manager and while walking the building I saw one employee with her debit card out and she was busy typing numbers into a website. I stopped and asked her what she was doing (shopping using company computers was a no-no) and was told that she was responding to an email that claimed her account information was corrupted. I quickly stopped her from finishing what she was doing and showed her why that site was not real (it was disguised to look like her bank). She was shocked that someone would do this and had never thought of it being a way to steal from her. Now in 2013 if I do not get a phishing email at least once per day I feel like I am missing something.

As I enjoy the psychological side of technology I decided to do another experiment. I drafted the email shown below.

"You guys have to try this,
You know how you can sometimes smell something when you turn your monitor on? Well it turns out that this is due to the frequency of electricity used to push the light to your screen. You can feel this electricity when you run your hand across the monitor. There is a way to make this electricity create different smells. By embedding the right code into a link and clicking it rapidly you can get this to work.
I have created one here and it should smell like blueberries. To get it to work move your mouse pointer up and down over the link while rapidly clicking on it. You will need to get your nose close to the screen when you do this, but it is awesome!"

After I sent it I walked from my office to the work area. I was shocked to see how many people were trying this. Well over half of the people in the work area had their noses pressed against the glass doing what I told them to do even though it was impossible. The funny part is that they all knew it was not possible, but they tried it anyway. If I had been a malicious person (some may claim I am because I pulled that prank) I could have installed all kinds of malware with little effort. Most people would not open their front doors without looking through the peephole so why do they get click happy at the slightest invitation?

In the end it is simple steps that can protect us from these types of attacks and lessen the impact of phishing. When you get a link claiming that you have been tagged in a picture or post, or that someone wants you to join their network, you can go to the site directly instead of clicking on that link. You can also check the link by hovering over it; if the preview link does not match where the link says it goes, don’t click it. Spam filters, anti-malware applications and other protections can only do so much; we have to relearn how to behave on the internet or breaches will continue no matter how much money we throw at security.
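Both habits the post describes, the hidden double extension behind “LOVE-LETTER-FOR-YOU.txt.vbs” and the hover check of whether a link's preview matches where its visible text says it goes, can be turned into an automated check that a mail gateway or a curious admin runs over an incoming message. The Python script below is an added example written for this page, not code from the original post. The HTML body and attachment names are constructed samples, and the two extension sets are a representative assumption rather than Windows' full list of “known file types”.

```python
import os
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: a representative (not exhaustive) set of extensions Windows runs
# directly or hands to a script host, and a set a user reads as "just a document".
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".vbs", ".js", ".jse", ".wsf", ".hta"}
DOCUMENT_EXTS = {".txt", ".doc", ".pdf", ".jpg", ".png", ".xls", ".rtf"}


def displayed_name(filename):
    """What Explorer shows with 'Hide extensions for known file types' on:
    the final extension is dropped, so 'x.txt.vbs' is shown as 'x.txt'."""
    root, ext = os.path.splitext(filename)
    return root if ext else filename


def classify_attachment(filename):
    """Compare the extension the user sees with the one that actually runs."""
    _, real_ext = os.path.splitext(filename)
    shown = displayed_name(filename)
    _, visible_ext = os.path.splitext(shown)
    # A bare 'setup.exe' is not disguised; 'letter.txt.vbs' is.
    deceptive = (real_ext.lower() in EXECUTABLE_EXTS
                 and visible_ext.lower() in DOCUMENT_EXTS)
    return {"filename": filename, "shown_as": shown,
            "runs_as": real_ext.lower(), "deceptive": deceptive}


def flag_attachments(names):
    """Return only the attachments whose visible and real extensions disagree."""
    return [r for r in map(classify_attachment, names) if r["deceptive"]]


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(url):
    """Host of a URL or bare domain, lowercased, without a leading 'www.'."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def _looks_like_url(text):
    """True when the anchor text itself names a site (so there is something to compare)."""
    t = text.strip().lower()
    return t.startswith(("http://", "https://", "www.")) or (
        "." in t and " " not in t and not t.endswith("."))


def find_deceptive_links(html):
    """The hover check, automated: anchors whose visible text names one site
    while the href points at another (legitimate subdomains are allowed)."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        if not _looks_like_url(text):
            continue  # "Click here" style text: nothing to compare against
        shown, actual = _host_of(text), _host_of(href)
        if shown and actual and shown != actual and not actual.endswith("." + shown):
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


# Constructed sample message: one disguised link, one legitimate subdomain,
# one plain "Click here", plus two attachment names in the 2000-era pattern.
SAMPLE_EMAIL = """
<p>You have been tagged in a photo.</p>
<p><a href="http://facebook.com.account-check.example/login">https://www.facebook.com/photos</a></p>
<p><a href="https://m.facebook.com/">facebook.com</a></p>
<p><a href="http://mail.example/track?u=42">Click here</a></p>
"""
SAMPLE_ATTACHMENTS = ["LOVE-LETTER-FOR-YOU.txt.vbs", "My-Resume.doc", "setup.exe"]

if __name__ == "__main__":
    for f in find_deceptive_links(SAMPLE_EMAIL):
        print(f"link shows {f['shown']} but goes to {f['actual']}")
    for a in flag_attachments(SAMPLE_ATTACHMENTS):
        print(f"attachment shown as {a['shown_as']} actually runs as {a['runs_as']}")
```

On the sample, only the first anchor is reported (the second points at a real facebook.com subdomain, the third has no site name in its text to compare), and only the `.txt.vbs` attachment is flagged: `setup.exe` is not disguised as anything else, and `My-Resume.doc` is a document the macro scanner, not this check, has to deal with.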
