Five Years After LoveLetter, Are We Smarter or Safer?

It's been five years since the LoveLetter worm hit, becoming one of the first global malware outbreaks and one of the costliest. The question is, though, are we any smarter today than we were back then?
It's been five years since the LoveLetter worm hit the Internet, becoming one of the first global malware outbreaks and one of the costliest.

The question is, though, are we any smarter today than we were back then? And are we any safer?

Some security experts and industry watchers say we simply are not.

''For the average user, the answer is that they are not any smarter or any safer,'' says Steve Sundermeier, a vice president at Central Command, an anti-virus company based in Medina, Ohio. ''May's Sober and Mytob variants are all mass-mailing attacks that appeal to people's curiosity. Five years ago we learned about this social engineering tactic, so today you'd think lessons would be learned, but obviously they haven't been.''

According to some estimates, the LoveLetter worm, also widely known as the I Love You worm, caused about $8.8 billion in damages and lost productivity. The malware used what was then a new form of online trickery -- social engineering. Arriving in users' inboxes appearing to be from family and friends, it used the enticing subject line 'I Love You'. Eager to receive such sweet tidings, millions of users were duped into opening the dangerous email, infecting their computers.

After LoveLetter came many more viruses and worms that used social engineering to trick people into opening executables and downloading malicious code. Teaching employees to beware of these schemes became a key part of IT's job.

But the tricks are still coming, and we're all still falling for them, according to Sundermeier.

''I would say it's five years later and home users are just as dumb,'' he adds. ''For corporate users, it's better, but we still need more user education. There are always different vectors for infections. IM software is becoming a problem... People are downloading file sharing programs and worms are entering there... When employees go home, they go online with their work laptops and they bring viruses back to the office.''

Andrew Jaquith, a senior analyst at the Yankee Group, an industry analyst firm based in Boston, says corporate IT managers are using a lot more tools and technologies to safeguard their companies, but that doesn't mean they're a whole lot safer.

''When car makers put anti-lock brakes on cars, people started driving faster,'' says Jaquith. ''It's called the security compensation theory. I think a lot of the controls we put in place are helping, but they're not necessarily making us more secure because the threats are spreading elsewhere or we're changing our behaviors -- for the worse -- because we feel more secure.''

And Jaquith says the tried-and-true social engineering tricks are working just as well today as they were at the beginning.

''If you send a clever enough subject line, like 'the memo you requested' or 'Britney Spears naked', some people are still going to open that email,'' he notes. ''We're largely a little smarter than that now. People generally know that promises of Britney Spears unveiled aren't what they appear to be. We tell our kids, 'Don't accept rides from strangers'. We should tell our workers, 'Don't accept emails from strangers'.''

But Ken Dunham, director of malicious code at iDefense, Inc., a security and anti-virus company, says it's unfair to compare today's security to what we had back in the year 2000. As security levels increase, so does the maturity of the attackers. IT and security administrators may be trying harder and using more and better technology, but they're also up against a bigger and more aggressive foe today.

Where we're not advancing is with improving user interaction and use training, he says. ''People are people and you can train all you want. There's no magic bullet.''

Jaquith says company users are the big problem when it comes to security a network, adding that most users would probably give up their password to a stranger for a piece of chocolate.

''P.T. Barnum had it all wrong,'' he says. ''There are dozens of suckers born every minute.''

0 Comments (click to add your comment)
Comment and Contribute


(Maximum characters: 1200). You have characters left.