A Dispatch


October 21, 2007

Who(m) Do You Trust?

I'm showing my age here, but before Johnny Carson owned (yeah, that's how they used to spell "pwned") the Tonight Show, he had a daytime game show called Who Do You Trust? That title isn't grammatically correct, and I remember there were even commercials for the program highlighting that fact (a tongue-in-cheek discussion between Johnny and Ed McMahon). I bring up this bit of ancient television history simply to cover my ass with pickers of nit with respect to the title of this piece.

We now return to our regularly scheduled program here in the 21st century.

The issue of trust is a huge deal in the realm of computer security—a subject probably worthy of an entire book (but not by me). Tests for trust occur on numerous levels, many of which are out of view of the average personal computer user. For example, most large ISPs/email providers support one or more systems intended to check not only that an incoming message's sender identifies herself accurately, but that the server delivering the message is authorized to send email on behalf of the stated domain. In other words, the sending and receiving email servers undergo a test of trust between them—long before the recipient ever sees the message. At the user level are trust elements such as believing that when you enter http://spamwars.com into your browser's address box, you'll reach the real spamwars.com web site to read my wonderful prose.

I believe that most everyday computer users blindly grant entirely too much trust to their computers and the things they see and do on the Internet. It's precisely this uncritical trust that crooks use as the gateway to grabbing personal identity information, financial account passwords, corporate network access, and even command-and-control of the personal computer, itself.

Computers and software are complex beasts (yes, I'm including Macs here, too). In an effort to make them more user friendly and protective, computer and software designers have coddled us with all kinds of "wizards" and automatic updaters—so many, in fact, that they may become more intrusive than seems worth the effort. In the past week, for instance, I've had at least three updater notifications on my little-used Windows PC—for Firefox, Java (which no one ever sees running), and Windows, each one requiring a restart of either a program or the entire computer. Fortunately, my antivirus software installs its daily patches without requiring me to restart this or that.

The problem with all these updaters and wizards is that most users think nothing of them anymore, even if they're not quite sure that every one is legitimate. When presented with an alert saying that something needs to be installed, a quick click of the Install button gets rid of that pesky dialog box. "How was I supposed to know that the video codec (whatever that is) needed to view smiling kitten pictures was actually a trojan that loaded a program to steal my banking passwords?"

It can get even nastier.

The SANS Internet Storm Center is running a month-long article series to coincide with October's Cyber Security Awareness month. Although most of the great work of the ISC is aimed at network administrators, a sentence from the 21 October article makes a frightening point that users should know:

The trojans are now so advanced as to render what you see through your browser as totally unbelievable.

This notion hit home the other day with a report about an eBay user's computer supposedly infected with a chillingly devious piece of malware. To understand how the trick works, it helps to know that every personal computer has a small text file (the "hosts" file: /etc/hosts on Macs and other Unix-like systems, and System32\drivers\etc\hosts inside the Windows folder on Windows) that acts as a local lookup table for Internet names. By and large, your web browser and email program rely on an external lookup service—the Domain Name System (DNS)—for general Internet access, but by default the operating system checks the hosts file first, and whatever it finds there wins. So this local file can be modified to redirect traffic intended for one location to go someplace else, including a "location" on your own computer. Malware that disables antivirus software, for instance, adds entries to this file so that attempts to reach antivirus vendors' sites are instead redirected to the computer's own loopback address (127.0.0.1), where normally nothing answers.

Now imagine if your computer had its own hidden web server running in the background, complete with replica pages of popular sites you know and (normally) trust. That's what apparently happened to one eBay Motors bidder who wanted to buy a vehicle, but eventually found herself redirected to a sham auction replica, including phony replicas of third-party sites that provided false information about the history of the vehicle. She won the "auction," and whisked US$8,650 to the scammer. Because the transaction occurred outside of real eBay channels, there is no recourse for the buyer. Adios dineros.
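The two tricks described above (a hosts-file entry that sinks an antivirus site at 127.0.0.1, and one that points a trusted shopping site at a fake server on your own machine) leave the same footprint, and it is one of the first things to look for on a suspect PC. The script below is an added example written for this page, not code from the original post or from eBay: it parses a hosts file and flags any non-local name sent to a loopback or 0.0.0.0 address, and any watch-listed domain pinned to a static address at all. The watch list, the sample hosts content, and the domain names in it are assumptions made for the demonstration.

```python
"""Audit a hosts file for entries that hijack well-known domain names.

Added example for this page; not code from the original post.
The watch list and the sample hosts content are constructed assumptions.
"""
import ipaddress
import sys
from pathlib import Path
from typing import Iterator, List, NamedTuple, Set, Tuple

# Names that legitimately live in a hosts file and may point at loopback.
LOCAL_NAMES: Set[str] = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-localnet",
    "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters", "ip6-allhosts",
}

# Domains that should never be resolved by a static hosts entry on an
# end-user machine (illustrative list, assumed for this example).
WATCH_LIST: Set[str] = {"ebay.com", "example-antivirus.test", "bank.example"}


class Finding(NamedTuple):
    line_no: int
    hostname: str
    address: str
    reason: str


def parse_hosts(text: str) -> Iterator[Tuple[int, str, List[str]]]:
    """Yield (line_no, address, hostnames) for each effective entry.

    Comments ('#' to end of line) and blank lines are ignored. The address
    is not validated here so the caller can report malformed ones.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        yield line_no, fields[0], fields[1:]


def in_watch_list(hostname: str, watch_list: Set[str]) -> bool:
    """True if hostname equals, or is a subdomain of, a watch-listed domain."""
    name = hostname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in watch_list)


def audit_hosts(text: str, watch_list: Set[str] = WATCH_LIST) -> List[Finding]:
    """Return one Finding per hostname that looks hijacked.

    Two patterns are reported: a non-local name sent to a sink address
    (loopback or 0.0.0.0), which either blocks the site or hands it to a
    server on this machine; and a watch-listed domain pinned to any
    address, which bypasses DNS entirely.
    """
    findings: List[Finding] = []
    for line_no, address, hostnames in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append(Finding(line_no, " ".join(hostnames) or "?",
                                    address, "unparsable address"))
            continue
        sink = ip.is_loopback or ip.is_unspecified
        for hostname in hostnames:
            if hostname.lower() in LOCAL_NAMES:
                continue
            reasons = []
            if sink:
                reasons.append(f"sinkholed to {ip}: site silently blocked "
                               "or served by a local fake site")
            if in_watch_list(hostname, watch_list):
                reasons.append("watch-listed domain pinned, DNS bypassed")
            if reasons:
                findings.append(Finding(line_no, hostname, str(ip),
                                        "; ".join(reasons)))
    return findings


# Constructed sample: the first entries are normal defaults, the rest are
# the kind of lines a trojan adds (names invented for this example).
SAMPLE_HOSTS = """\
# Standard loopback entries
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback

# Entries added by malware (constructed)
127.0.0.1       update.example-antivirus.test
127.0.0.1       www.ebay.com ebay.com
198.51.100.7    www.bank.example
"""

if __name__ == "__main__":
    # Pass a path (e.g. /etc/hosts) to audit a real file; otherwise use the sample.
    source = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for f in audit_hosts(source):
        print(f"line {f.line_no}: {f.hostname} -> {f.address} ({f.reason})")
```

Run it with no arguments to see the four findings from the sample, or with the path to your own hosts file. Expect a benign hit for your own machine name on some Linux distributions, which map it to 127.0.1.1; everything else that is not in LOCAL_NAMES deserves a look, because a home PC has no normal reason to carry static entries for shopping, banking or antivirus sites.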

According to the article, the scammee claims that the infection came by way of an attachment to a message that arrived via eBay's My Messages section. Hmmm. I'm not so sure about that because in my experience, that system does not support sending message attachments. Without having seen the actual material, I suspect that she received a real-looking, but phony email message in her regular email inbox, complete with an attachment promising more photos of the vehicle. eBay offers an option that lets you receive copies of My Messages mail in your regular email. I use that option to let me know when such messages arrive, but I then act on those messages exclusively in the My Messages section of the eBay site (and click the option to hide my email address from any response).

The extra bummer to this story is that the victim used a popular antivirus program and kept it updated. Unfortunately, the program did not consider the infected attachment to be a threat because it was a new variant of existing malware.

Let's face it: Scammers are working a lot harder to attack than typical users are working to defend. Not only can technology not shield users from every possible attack; it can also encourage a massively false sense of security that puts unaware users at greater risk than if they felt the need to be wary. Although I genuinely empathize with the fears and frustrations of everyday users with these infernal machines, I also believe the bulk of them need a "whack upside the head" with an awareness stick. Crooks are using variations of schemes practiced for years. Awareness of these fundamental tricks can head off future variations.

Whom do I trust? Sadly, although the Internet gets bigger every day, my list seems to get shorter. It has come down to a twist on the adage, "Trust, but verify." On the Internet, it's "Verify, then trust."

Posted on October 21, 2007 at 01:28 PM