Bits from Bill

Technology thoughts leaking from the brain of "Bill Pytlovany"

Thursday, September 27, 2007

Biggest Security Hole Continues to be People

In the old days the easiest way to access a computer system was to go directly through a human. It wasn’t always done through the use of wargames dialer which dialed up phone numbers in search of computers with modems. Most time it was as easy as calling a secretary at the computer center and saying…

“Hi, this is Fred from IBM. We found a problem with the computer system and it appears most of your data has disappeared. I’m not sure if you’re responsible but we need your account and password to fix this problem.”

It may sound silly but it worked and the same methods are used today. They’re just a little more sophisticated.

When the storm Trojan was first detected I didn’t give it a lot of consideration. I even suggested that everyone was over reacting.

“Are attachments like this still getting through Email filters? Are people downloading attachments with names like, video.exe, full video.exe, Read More.exe, Full Text.exe or Full Clip.exe to see new stories? I say no. At least not to the extent deserving of this weekends attention.”

I’m willing to admit my evaluation at the time may have been shortsighted. When the attack is this large, it doesn’t take a huge percentage of victims for a problem to become serious.

It’s not as difficult as you might think to get folks to fall prey to a socially engineered attack. I’m sure a large number of intelligent people believed it when “Your family member has sent you an eCard” arrived in their Email.

The most effective attacks I’ve been tracing try to scare readers into taking an action when they think they’ve already had their account or machine compromised.

The following are other examples I’ve seen regularly in my Email. What would you do if you thought someone had purchased a new Dell computer using your PayPal account?


Paypah phish says you've purchased a Dell computer


And how bad would you feel if someone gave you a bad recommendation on eBay?


Phishing Email threatens your eBay reputation


I have a pretty good imagination and it didn’t take me long to think of other examples on my own. Here’s one that targets users in the U.S and I’m guessing it would trick a number of folks into granting full access even pass their firewall.


Example of how easy it could be to trick people into downloading new malware


Obviously, user education will never be 100% effective but don’t panic. A lot of folks like myself will continue to spend time coming up with new ideas on how to reduce and/or prevent damages.

In case you are interested, you really can receive Amber alerts on your computer or mobile device by signing up at http://www.amberalert.gov/



Labels: , , , ,

Share on Facebook


2 Comments:

Blogger Salar37_Shushan said...

I hadn't thought about those kinds of tricks. Thanks for the heads up!

Susan

2:23 PM  
Blogger Unknown said...

Thanks for the info. Bill!
After once downloading a file with virus in it many years ago. I am now vigilant. BUT I am embarased to say that I fell for the (need to update your credit card info because yours is going to expire soon.
I saved myself by stopping before I sent them my mothers maiden name and SSN & looked at the URL which didn't look like it was PayPal! I did have to change some passwords. I see now the danger of using the same password on different accounts. I had to change 3 and there are some don't remember today :-(

10:06 PM  

Post a Comment

<< Home