Five Years After LoveLetter, Are We Smarter or Safer?

It’s been five years since the LoveLetter worm hit the Internet, becoming

one of the first global malware outbreaks and one of the costliest.

The question is, though, are we any smarter today than we were back then?

And are we any safer?

Some security experts and industry watchers say we simply are not.

”For the average user, the answer is that they are not any smarter or

any safer,” says Steve Sundermeier, a vice president at Central Command,

an anti-virus company based in Medina, Ohio. ”May’s Sober and Mytob

variants are all mass-mailing attacks that appeal to people’s curiosity.

Five years ago we learned about this social engineering tactic, so today

you’d think lessons would be learned, but obviously they haven’t been.”

According to some estimates, the LoveLetter worm, also widely known as the I Love You worm, caused about $8.8

billion in damages and lost productivity. The malware used what was then

a new form of online trickery — social engineering. Arriving in users’

inboxes appearing to be from family and friends, it used the enticing

subject line ‘I Love You’. Eager to receive such sweet tidings, millions

of users were duped into opening the dangerous email, infecting their

computers.

After LoveLetter came many more viruses and worms that used social

engineering to trick people into opening executables and downloading

malicious code. Teaching employees to beware of these schemes became a

key part of IT’s job.

But the tricks are still coming, and we’re all still falling for them,

according to Sundermeier.

”I would say it’s five years later and home users are just as dumb,” he

adds. ”For corporate users, it’s better, but we still need more user

education. There are always different vectors for infections. IM software

is becoming a problem… People are downloading file sharing programs and

worms are entering there… When employees go home, they go online with

their work laptops and they bring viruses back to the office.”

Andrew Jaquith, a senior analyst at the Yankee Group, an industry analyst

firm based in Boston, says corporate IT managers are using a lot more

tools and technologies to safeguard their companies, but that doesn’t

mean they’re a whole lot safer.

”When car makers put anti-lock brakes on cars, people started driving

faster,” says Jaquith. ”It’s called the security compensation theory. I

think a lot of the controls we put in place are helping, but they’re not

necessarily making us more secure because the threats are spreading

elsewhere or we’re changing our behaviors — for the worse — because we

feel more secure.”

And Jaquith says the tried-and-true social engineering tricks are working

just as well today as they were at the beginning.

”If you send a clever enough subject line, like ‘the memo you requested’

or ‘Britney Spears naked’, some people are still going to open that

email,” he notes. ”We’re largely a little smarter than that now. People

generally know that promises of Britney Spears unveiled aren’t what they

appear to be. We tell our kids, ‘Don’t accept rides from strangers’. We

should tell our workers, ‘Don’t accept emails from strangers’.”

But Ken Dunham, director of malicious code at iDefense, Inc., a security

and anti-virus company, says it’s unfair to compare today’s security to

what we had back in the year 2000. As security levels increase, so does

the maturity of the attackers. IT and security administrators may be

trying harder and using more and better technology, but they’re also up

against a bigger and more aggressive foe today.

Where we’re not advancing is with improving user interaction and use

training, he says. ”People are people and you can train all you want.

There’s no magic bullet.”

Jaquith says company users are the big problem when it comes to security

a network, adding that most users would probably give up their password

to a stranger for a piece of chocolate.

”P.T. Barnum had it all wrong,” he says. ”There are dozens of suckers

born every minute.”