Design Failure
An email arrives, you click on the contents and before you know it everyone in your address book has the same email from you. In the same motion your computer has become virus infected.
This is how the new VBMania attack vector works, but what’s interesting is we could be talking about the ‘I Love You’ virus from May 2000. Both emails require the end user to click on something, the email itself it benign. In both cases user action creates an email storm. The difference is ten years ago the payload was inside the email, today the payload was on a web server and the email simply linked to it. Technically that’s not as good because the web site hosting the malicious payload can simply be taken off the internet by DNS removal.
Once you are infected the results are as predictable as spring after winter. It disables your virus scanner, copies itself to network shares and removable media then emails your entire Outlook address book.
The extraordinary thing, astounding really, is the BBC reporting some corporations were “hit hard”, including well known names such as NASA, AIG, Disney, Proctor and Gamble and Wells Fargo. Shouldn’t we find that rather disturbing? These guys are large, well funded organisations faced with a ten year old threat profile. What kind of security to these guys have in place?
It seems as if as much as technology changes, people don’t.
The technique of enticing someone is as old as all history, raise a seed of doubt that rules matter and offer them something they want. Ten years of user education comes to nothing in face of human nature. I suppose it was always the easy way out for vendors to blame the end user - they shouldn’t have clicked on it. Microsoft pioneered the way here and it’s made our industry lazy. Was anyone naive enough to think user education would actually create the change required? I suspect it was an idea supported by PR people trying to move the blame for shoddy engineering, or at least share it around.
With this in mind it would be fascinating to know what kind of security systems these large organizations run and how much time and money they spent to create something so ineffectual. How did such a system get built? What kind of elaborate process was used in the design phase? Did they ignore human nature or rationalize it away with the assurances of the Microsoft PR crowd? Maybe the designer of such a system was long gone, leaving others to reap the rewards.
How do you justify the cost of a system that fails a ten year old hurdle?
Comments
Post new comment