It’s been five years since the LoveLetter worm hit the Internet, becoming
one of the first global malware outbreaks and one of the costliest.
The question is, though, are we any smarter today than we were back then?
And are we any safer?
Some security experts and industry watchers say we simply are not.
”For the average user, the answer is that they are not any smarter or
any safer,” says Steve Sundermeier, a vice president at Central Command,
an anti-virus company based in Medina, Ohio. ”May’s Sober and Mytob
variants are all mass-mailing attacks that appeal to people’s curiosity.
Five years ago we learned about this social engineering tactic, so today
you’d think lessons would be learned, but obviously they haven’t been.”
According to some estimates, the LoveLetter worm, also widely known as the I Love You worm, caused about $8.8
billion in damages and lost productivity. The malware used what was then
a new form of online trickery — social engineering. Arriving in users’
inboxes appearing to be from family and friends, it used the enticing
subject line ‘I Love You’. Eager to receive such sweet tidings, millions
of users were duped into opening the dangerous email, infecting their
computers.
After LoveLetter came many more viruses and worms that used social
engineering to trick people into opening executables and downloading
malicious code. Teaching employees to beware of these schemes became a
key part of IT’s job.
But the tricks are still coming, and we’re all still falling for them,
according to Sundermeier.
”I would say it’s five years later and home users are just as dumb,” he
adds. ”For corporate users, it’s better, but we still need more user
education. There are always different vectors for infections. IM software
is becoming a problem… People are downloading file sharing programs and
worms are entering there… When employees go home, they go online with
their work laptops and they bring viruses back to the office.”
Andrew Jaquith, a senior analyst at the Yankee Group, an industry analyst
firm based in Boston, says corporate IT managers are using a lot more
tools and technologies to safeguard their companies, but that doesn’t
mean they’re a whole lot safer.
”When car makers put anti-lock brakes on cars, people started driving
faster,” says Jaquith. ”It’s called the security compensation theory. I
think a lot of the controls we put in place are helping, but they’re not
necessarily making us more secure because the threats are spreading
elsewhere or we’re changing our behaviors — for the worse — because we
feel more secure.”
And Jaquith says the tried-and-true social engineering tricks are working
just as well today as they were at the beginning.
”If you send a clever enough subject line, like ‘the memo you requested’
or ‘Britney Spears naked’, some people are still going to open that
email,” he notes. ”We’re largely a little smarter than that now. People
generally know that promises of Britney Spears unveiled aren’t what they
appear to be. We tell our kids, ‘Don’t accept rides from strangers’. We
should tell our workers, ‘Don’t accept emails from strangers’.”
But Ken Dunham, director of malicious code at iDefense, Inc., a security
and anti-virus company, says it’s unfair to compare today’s security to
what we had back in the year 2000. As security levels increase, so does
the maturity of the attackers. IT and security administrators may be
trying harder and using more and better technology, but they’re also up
against a bigger and more aggressive foe today.
Where we’re not advancing is with improving user interaction and use
training, he says. ”People are people and you can train all you want.
There’s no magic bullet.”
Jaquith says company users are the big problem when it comes to security
a network, adding that most users would probably give up their password
to a stranger for a piece of chocolate.
”P.T. Barnum had it all wrong,” he says. ”There are dozens of suckers
born every minute.”