Symantec Blogs: Security Response

Kevin Haley | November 17th, 2009

Yes, it’s a cheap trick and not even close to original. But the lesson here is that even obvious social engineering tricks can get people to click on a link. We can’t help ourselves. We love to click. Clicking on links and attachments that are accompanied by just the slightest bit of social engineering appears to be a basic human need. I expect it to show up in a revision of Maslow’s Hierarchy of Human Needs any day now—behind love, but certainly ahead of safety.

I do have a point to all this. Two actually. As we compiled the Security Trends to Watch in 2010, what occurred to me is that the people who most needed to read this information never will. At least not without some social engineering on my part. And since social engineering plays such a prominent role in future trends, it seemed appropriate. So I’ve decided to use this little trick to get people to...

Kevin Haley | November 17th, 2009

The Security Response team has compiled the top security trends of 2009. We pulled data from the Global Intelligence Network and the experiences of the thousands of analysts and security experts at Symantec to come up with the top trends for the year. While none of these trends will be a surprise to anyone even casually following the threat landscape, when compiled and summarized, it is clear that the breadth of security problems in the past year was pretty stunning.

For example:

•    Toolkits and threat recycling have made malware easier to create than ever
•    Polymorphic technology is being applied to make threats harder to catch
•    Botnets, large and small, are used as the foundation of attacks, making most attacks complex
•    All major news events are used for social engineering
•    Major brands are being appropriated by cybercriminals...

Kevin Haley | October 19th, 2009

In the 80’s I lived in NYC. At the time, enterprising hustlers had re-introduced the old Three Card Monte con game to NYC streets. Like wide ties and frozen yogurt shops, Three Card Monte always seemed to come back into fashion. Before you knew it, the streets were full of grifters running games. Whole blocks would be lined with these low-rent con men, standing behind cardboard boxes, tossing cards and asking the suckers to put their money on the red queen.
 
How could there be that many bad guys running Three Card Monte scams at one time? Well, there was plenty of money to be made, and it drew the criminal element like flies to honey. Grifters were making a lot of money at the con and every two-bit chiseler wanted their own piece of the action. Plus, there was very little needed to get in on the scam. The barrier to entry was low. You only need three playing cards, a couple of cardboard boxes for a...

Kevin Haley | April 10th, 2009

It’s nice to pretend, but I’m under no illusions—I am not famous. Not even on the D-list. There are no paparazzi camped outside my house. If you asked my neighbor two doors down who I was, he probably wouldn’t know. And I have never, ever been hired as a celebrity endorser.
 
I woke up in the morning on the day after April Fool’s Day (seemingly unscathed), got my cup of coffee, and sat down to read the Symantec Security Response Blog. To my horror I was featured in the first blog post. Now, I didn’t write the article and I wasn’t named for my contribution to the research. I was part of the scam it discussed.

I’ve seen George Clooney’s name used to sell things in spam email (you’ll have to guess...

Kevin Haley | March 20th, 2009

Melissa was an exotic dancer and David L. Smith was obsessed with her and also with writing viruses. The virus he named after Melissa and released to the world on March 26th, 1999, kicked off a period of high-profile threats that rocked the Internet between 1999 and 2005. I like to think of it as the “Virus & Worm World Tour.”
 
1999    Melissa
2000    LoveLetter
2001    Code Red
        Nimda
        Klez
2003    SQL Slammer
        Blaster
        Welchia...

Kevin Haley | February 27th, 2009

AutoPlay

It must have seemed like a good idea at the time. Automatically launch a program that’s been discovered by the computer. You don’t have to waste a bunch of mouse clicks to get your music CD or movie DVD to play. Well, the bad guys think AutoPlay is a good idea, too. Actually they think it’s a great idea and they take advantage of it a lot more than you and I do. Sality, Silly, and even Downadup are all examples of threats that leverage the AutoPlay feature. Ben Nahorney has written about this in the past.

 

Of course, it’s not the CDs or DVDs that are carrying the threats. It’s USB drives. Banning USB drives seems like a solution, but it’s not practical. I’m not going to stop using mine and I suspect you won’t give up yours, either. So it’s kind of...

Kevin Haley | August 15th, 2008

Security professionals understand the risks of social networks better than anyone. So, given the concerns they may have, do they actually use social networks? Earlier this year we surveyed 87 security administrators from companies in North America and Europe, from both large companies and small, in order to find out.

Our first discovery was that security administrators are not much different than anyone else: they do use social networks. In our survey, only 30% say they do not use social networks; however, they are cautious about them. They are concerned about the ability to separate work and private friends (60%). They want to make sure that "coworkers don't see my personal contacts." Some only use business related sites. Or, as one security admin put it: "I never mix anything like serious work and my social network."

It is not surprising that the vast majority will refuse an invitation they receive on a social network (70%). Why do they refuse a...

Kevin Haley | January 25th, 2008

I just signed up for a MySpace page. I’ve become very interested in social networking and it was time to join the fun. Once you create an account the next step is to add some friends to your network. So the first thing I decided to do was send an invite to my friend Bill Gates. (Now I don’t expect you to believe that Bill Gates and I are friends. I admit that I’ve never met the man, but I'm trying to make a bigger point, so bear with me.)

A quick search on MySpace for Bill or William Gates returned 192 pages of search results. They couldn’t all be my Bill. I narrowed my search. I know what Bill looks like, so I searched just for profiles that contained a picture. I gave up after finding over 100 profiles with a picture of Bill Gates and I had only reviewed half the profile pictures. I will say that the number of profiles with Bill in a sweater was about even with those of him in a suit. Only a few chose to drag up that old mug shot of him from his teenage years.

...
Kevin Haley | January 18th, 2008

Comparing security software is a difficult proposition. How do you know if a vendor does a good job catching viruses? Every once in a while I’m approached by someone who wants advice on doing some virus testing. What I tell them is “Don't do it!” Please leave it to the professionals. There are a number of really good reasons for this:

1. Third-party testers focus on malware that is relevant (like what is in the wild). To make a collection on your own from the Web can be very random. Organizations like VB100 do an excellent job of finding what viruses are “in the wild” and testing security products against this list.

2. Third-party testers can create test environments that mirror the real world; for instance, you can run a file scan to see if the scanning software finds malware lying dormant on a disk. But today good security products come with IPS, firewall, and heuristic protection. You'll need active attacks and infections to test these technologies and you’ll...

Kevin Haley | November 26th, 2007

Last week, we talked about the year in review. And now, everyone wants to know what will happen next. Well, I don't claim to be a clairvoyant, but it’s safe to say that the following areas will be interesting to watch in the coming year:

o Election Campaigns – As political candidates increasingly turn to the Internet, it is important to understand the associated IT security risks of increased dependence and interdependence on technology in the election process. These risks include, among others, the diversion of online campaign donations; dissemination of misinformation; fraud; phishing; and the invasion of privacy.

o Bot Evolution – We expect bots to diversify and evolve in their behavior. For example, we may see things like phishing sites hosted by bot zombies.

o Advanced Web Threats...

Kevin Haley | November 23rd, 2007

It’s the time of year when we begin to look back and take stock of the events of the last twelve months. Newspapers and magazines will soon be publishing their list of top movies, records, and books. Symantec is publishing a top 10 list, too. While not as fun, in many cases this collection of security trends confirms the predicted evolution of cybercrime becoming more professional and commercial. Two words come to mind when I look at the list: "topical" and "trust." Attackers are exploiting current events and trusted brands to trick computer users in an effort to make money. And security companies like Symantec continue to block their efforts.

Here, in no particular order, are the top 10 Internet security trends of 2007:

1. Data Breaches – High-profile data breaches underscored the importance of data loss prevention technologies and strategies.

2. Vista Introduction – Microsoft Vista made its debut and quickly...