Real World Computing

Security by numbers

Posted on 16 Jun 2008 at 11:06

This month, Davey Winder sets the security standard, reveals how humans can be hacked and doesn't get caught on video naked...

The problem is that quality is given a high priority during the software development process, but security vulnerabilities are given a much lower priority. "Priority is often given to delivering application features and business benefits, without the understanding of fundamental coding errors that lead to security issues," says Schmidt. "Cybercriminals are targeting applications to steal money and information, and they know all too well how to exploit vulnerabilities not only in commercial software, but are also very adept in finding security holes in applications that are developed in-house."

A question of stupidity

Just how stupid is the average internet user? That's a serious question, provoked by the fact that a piece of spam-based malware doing the rounds at the moment is proving rather successful by all accounts. The spam in question comes with a subject line that says something along the lines of "we have caught you naked and have the video to prove it", and even includes your name in there to reinforce the lie. Go to the message body and sure enough it provides you with a link to the video in question, so you can see for yourself.

This is where I have a real problem getting my grey matter to credit the stupidity factor. For one thing, I know I haven't been caught naked, and suspect that I'd remember being in any situation where such a thing were even remotely possible. Secondly, if I had been caught in such a circumstance then I really wouldn't want to look at a video of myself doing it. And lastly, it isn't even as if there's any point in going to look at this non-existent footage, because there's no suggestion of blackmail or reward for doing so, no temptation other than that of seeing yourself naked, in what one has to assume is a compromising position or three. Yet people in their droves have been doing just that, failing to realise that the only naked thing is the truth that they've just been infected with some malware that will quietly absorb them into the Srizbi botnet.

It's estimated that Srizbi accounts for some 45% of all the spam travelling across the Marshal labs networks alone, and other spam-filtering systems probably see similar figures. This is because Srizbi is currently the world's biggest botnet, comprising more than 300,000 bots and growing by the week, sending out some 60 billion spam emails every day. The moral of this story? Nobody wants to see you naked, you link-clicking idiot...

How do they do that?

Forget about the complexity of cracking passwords or exploiting software code: for many of the most successful modern hackers, the key to getting access to the data they're after is the good old human factor. Social engineering, hacking humans if you prefer, has become the darkest of the hackers' arts. Understanding how social engineers work their cons is therefore crucial to properly defending yourself and your business against such attacks, so I thought I'd start a regular feature within this Online Security column devoted to uncovering some of the often surprising tactics that are being deployed (a bit like The Real Hustle for spam).

I'll start it rolling with the practice called "tailgating". A successful social engineer is nothing more, when all is said and done, than a really good confidence trickster who infiltrates a target organisation in order to gain access to its network by posing as an employee, an IT support worker or someone else who might have a genuine reason to ask an unsuspecting secretary for a login. Heck, logins aren't even always required, since sometimes it can just be a matter of finding an empty meeting room and plugging your laptop right into the network, or rifling around an unmanned desk for the inevitable sticky note password vault.


PCPro-Computing in the Real World Printed from www.pcpro.co.uk