Top Security News

Collaborative Information Security Next?
Has anyone ever been on the phone with a client after the job, where the client wants more information, needs a copy of the report, or just wants to spend some time discussing the implications of the report that the company generated for them? The files are...

EBay Launches Web Smart Guide For Safety
According to a recent survey, a lot of Australians feel the online world is becoming a safer place to shop - 76 percent, to be exact. A significant portion - 58 percent - "did not think the industry was doing enough to educate people about security online," though. eBay is trying to change this perception by launching a new...

RSS Exposes Users to Attack
ZDNet reports from the Black Hat conference in Las Vegas that security experts are increasingly concerned about the potential for malicious attacks perpetrated through web feeds. SPI Dynamics examined a number of online and offline applications used to read RSS...

RFID Technology Vulnerable To Malware
RFID tags may become commonplace in the future, but not a lot of people are looking forward to widespread implementation. There was already concern that these "smart barcodes" would allow consumers' habits to be more easily tracked, and that the technology could facilitate identity theft. It turns out that RFID...

NSA Eyes Social Networking Sites
It was revealed last month that the National Security Agency has been tracking the phone calls of millions of Americans. Now, according to Newscientist.com, it looks like the agency has plans to expand the program to include the monitoring of social network sites such as MySpace. Individuals often give out all sorts...

Root Kit Hunter
I had a strange problem with one of my own RedHat machines the other day. Very simply, I couldn't su to root, and I couldn't even login at the console as root. I hadn't forgotten the password, but the system just wouldn't let me in. As it happened, I didn't have time...

12.06.06


Computer Security Still Damaged By Social Engineering

By Dan Morrill

An interesting article out of CIO Magazine about Vista makes the point that, while it is a highly secure operating system with some neat things it can do, it is still not invulnerable to programs that rely on social engineering to get the user to do something.

For as long as there have been people, there have been people who will do crazy things. P.T. Barnum stated that "there is a sucker born every minute," and the social engineering aspects of cyber crime are not so easily dismissed. Is there any operating system out there that is invulnerable to the person sitting behind the keyboard?

We joke about the end user and ID-10-T errors. However, the reality is that social engineering works, and works really well.

People, including experienced information security folks, will click on that link, fall for a phishing scam, and not look to make sure that the web site they are dealing with is really the one that they need to be dealing with.

"Remarkably, with the new operating system (Vista) just released to business, the software giant said in effect that there is nothing it can do about the threats in question -- Stratio-Zip, Netsky-D and MyDoom-O -- because they rely on social engineering to invade systems. The three threats together account for 39.7 percent of currently circulating malware, according to Sophos. 'Based on our initial investigation, Microsoft can confirm that these variants do not take advantage of a security vulnerability, rather they rely on social engineering to infect a user's system,' Microsoft said in a statement." (CIO Magazine)

Even acknowledging the human condition and our ability to be fooled, we still have an uphill road ahead of us in the long run. While we must love our users, the issue is that point of human frailty when someone we know clicks on something we know that they shouldn't have.

While we develop more secure operating systems and more secure web applications, and in general learn how to develop software so that it is harder to shatter, we keep coming back around to the same issue that we have had for many years.

We still need to educate our users, if not annually then quarterly, on the dynamics of social engineering, and while it is OK to trust, no one should be trusted equally on the internet.

The answer is still no, you did not win the European Lottery that you didn't enter, you do not have an unknown relative who lives in Nigeria with 10 million dollars to send you, you did not win any prize, there is no reward, no, people do not really send you random love notes, and if someone wants you to cash their payroll check for them, you should really be wary of that.


About the Author:
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.

About EnterpriseSecurityNews
Security news and updates for your enterprise


-- EnterpriseSecurityNews is an iEntry, Inc. publication --
iEntry, Inc. 2549 Richmond Rd. Lexington KY, 40509
2006 iEntry, Inc. All Rights Reserved