Social Engineering and Fruit Smoothies
It has been said that the biggest security problem for computers and networks is the user. Every black hat worth their salt knows that the best way to get information from a target computer or network is to manipulate its user or users. The user sets the password, knows what’s on the computer, and often knows how to connect to it from outside of the organization. A little social engineering by an attacker and then blammo!—the user and their organization are compromised.
Simple social engineering can go a long way, but the existence of certain vulnerabilities can make the lives of these social-engineering black hats a whole lot easier. Enter the Microsoft HLINK.DLL Link Memory Corruption Vulnerability, which is a critical flaw in the Microsoft Office Excel application. Using this vulnerability, an attacker could take control of a computer by simply downloading the publicly available exploit and emailing it to the target user. Everyone should be very wary of opening any type of file attached to an email or downloaded from the Web, even files associated with familiar applications such as Excel. As if to drive the point home, the Microsoft HLINK.DLL Link Memory Corruption Vulnerability had appeared in the wake of another vulnerability in Microsoft Excel. The Microsoft Excel Unspecified Remote Code Execution Vulnerability was used in a targeted attack aimed at breaking into the network of an organization. A mixture of a social engineering framework and a vulnerability such as this one could spell disaster for a large organization (or any size of organization that stores personal information of any kind, for that matter). I am sure that even the email address book of the target alone would justify the attack, if the attacker found the right buyer.
Aside from the same old black hat tactics, we have another real-life example of the change in focus of the average hacker. The Microsoft Excel Unspecified Remote Code Execution Vulnerability was a zero-day vulnerability that was being exploited before it was disclosed, and it was being used for the specific purpose of breaking into a particular organization. Long gone are the days when black hats and virus writers sought fame and fun; the criminals seeking fortune have moved into cyberspace. So, move over “Zero Cool” and “Acid Burn”; Tony Soprano is living next door and he doesn’t abide by (and probably hasn’t even read) the hacker code.
In my opinion, education is the key to avoiding becoming a statistic. If computer users know the dangers and what they can do to avoid them, then the problem will wane. In most organizations the bottom line is often all that counts; so, training on Internet and computer use often goes by the wayside. I remember when I had my crash course in network security while working at a government institution; it consisted of approximately three minutes of informal discussions about being careful not to download and execute applications sent as email attachments. Of course, I vaguely recall receiving droves of nameless IT emails that first read “Please do not respond to this message…” and then proceeded to tell me to take some precaution or another, but how important can it be if they don’t let me know in person?
So, I’ll say it again. Training, training, and more training; do it now, do it again, and do it often! It reminds me of the old saying about an ounce of prevention being better than a pound of cure. I should also mention that if you want training to be well attended, be sure to provide free coffee, donuts, fruit smoothies, and whatever else might draw the crowds. The extra expense will be well worth it when the cyberspace neighborhood becomes a safer place to live.