It has been 20 years since cybercrims woke up to social engineering with an intriguing little email titled 'ILOVEYOU' Twenty years have passed since cybercrooks demonstrated the role exploiting human psychology could play in spreading malware. Remember "ILOVEYOU"? Back in 2000, Windows XP had yet to be a thing (and it would take until 2004 for Microsoft to plug its more gaping security holes with Service Pack 2) and the computing world was a …
I remember SCA fondly, one day, just after booting my A500.
I was like, WTF ??? Actually, I think the wikipedia article is slightly wrong.
From memory the msg said "It is infected by a VIRUS" without (of course) referring to the vector itself, for added trauma.
The virus was contained into a file (can't remember the name) which, in AmigaOS, was auto-executed every time you inserted a floppy. What could go wrong, eh ?
Nice memories
Well that's just it isn't it... We always assume that the latest software and patches are reasonable, we did 20 years ago too.
What worries me is - what is this kind of article going to look like in another 20 years? Will the security threats of 2020 be seen as quaint? Will the attack surface always continue to expand, or will a point ever be reached where the problem of reliable computer security has effectively been solved? Answers on a postcard, or preferably in a flash embedded object in an .xls file...
what is this kind of article going to look like in another 20 years?
My guess is that at some point in the next two decades, some collection of crackpots like Donald the Useless and his cronies will sufficiently aggravate some pariah nation state like NK, Iran, or Cuba, that cyber hostilities will break out. The resulting chaos as electronic payment systems fail, power grids go into hibernation, travel becomes next to impossible, communication is temporarily reduced to hand written notes, etc, etc, etc. may change the way we do things. I don't think the cyber world of 2040 will be much, if any, more secure. But it may well be less dependent on digital communication for critical infrastructure.
Visual BASIC scripting reigned supreme in the Microsoft world.
Is there anyone/anything suggesting it does not currently reign supreme in any world, sublimely and quite surreally? And to be able to prove such Visual BASIC scripting wrong would be quite something else, and most worthy of being seen, methinks. :-) ...... for its a Titanic Missile of a Weapon for SMARTR AI Applications ...... in Almightily Advanced IntelAIgent Missions.
You can be sure though, surely, that Microsoft have that base covered with some spooky skunkworks stuff going on somewhere connecting to headquarters ‽ .To not have, would have executive administrations easily charged for a conviction of gross negligence and abject dereliction of fiduciary duty.
Tell me. please, that they, the above named, realise that is a Systemic Colossal Vulnerability to Exploit for Export/Fine Tune for Leisurely Pleasurable Foreign Sale? And they are able to do something remarkable ..... which may be just anything .... with it to prevent it being sold off to others with massive great chunks of Virtually ACTive Proprietary Intellectual Property Already Engaged and Streaming.
Vive la différence .... you too are to die for too.
I was with a major financial institution when this hit, with 40,000 emails users in 42 countries the spread was broad and rapid. There were some 26 variants in the first 24 hours.
Apart from the morons who responded to why they opened the attachment "I just had to know who loved me.." was a favorite. One of the later variants was I have billed your credit card for $$$ (cant recall the amount) for an airline ticket.
Scarier still was the inability of AV software to come up with a signature that would catch it. Those variants all shared common code.. yet S$ couldn't come up with a decent signature file for nearly a week.
Scroll forward 20 years and I was dealing with a different set of morons opening an attachment that allowed a hack of a major multi-national organization. Complete shutdown and sanitize of all the servers and systems and a month of 24x7 care.
Some people never learn..
BvB
I guess if we say phishing instead of social engineering then yeah maybe 20 years.
Although just about every film with hacking as an element of it since the mid 80's has involved social engineering (war games, hackers, sneakers, the matrix, existenz, oceans 11 etc.) , and that's not even including all the film noir/detective/crime films which involve impersonation to obtain desired plot outcomes, could be argued that the Italian job is 90mins of social engineering wrapped in a car chase and they hack the traffic lights!!
It is still the default in a distressing number of GUIs. Mac OS does it. Some Linux desktop environments' file managers do it. Many Android file browsers do it. Why did this nightmare get so popular in conjunction with automatically opening files based on their extension. The latter makes sense, but if you're going to do it, you have to be really careful.
I feel duty bound to alert people to the subtle changes miscreants have recently made when sending out such vile spam. They tend to have dispensed with the subject line "I Love You" and replaced it with "LOL" (Lots Of Love). As somebody who likes to keep up-to-date with the very latest trends and always with an ear towards the social medias, I just thought I should pass that on to everyone. No need to thank me.
<insert sarcastic jokey thingamyjig>
When the lovebug was released I was working for a large UK gov outsourcer who shall remain nameless. However just after I was made redundant and went to work for a UK email security company who's early fame revolved around them preventing any of their customers from being impacted by this threat. Made them real famous at the time but I can let you into a secret which is that the love bug wasn't original. There had been a previous version (I keep thinking bubbleboy?) which used the same VBscript and whilst it was revolutionary at the time it wasn't technically very hard to build a database with content rules / regexes in it for things like VB scripts which read the windows address book and sent each recipient an email....
Anyway... the only reason for this long rambling comment is that it brought back to me that I've been working with the same email security technology for 20 YEARS..... where does the time go?
Our email servers didn't notice that the same email was sent to 4000 users
It didn't notice that the from address claimed to be from our own IT dept but it came from "dodgy-relay.mafia.russia.cn"
It had an attached x86 executable that had the extension .pdf
Our email client is defaulted to open attachments for previewing
But we blamed the users for opening the email
I remember when the ILOVEYOU virus came out. I was working for the local phone company at the time. My workgroup was immune to infection due to the simple fact that we didn't have Windows PCs, but Sun Workstations. I think the very first (or one of the very first) computer viruses was called Cookie because it would randomly ask for a cookie (The user had to type cookie to continue using the program). That was almost 50 years ago. As for social engineering, let me introduce you to the master of social engineering: Kevin Mitnik. He wrote a book called The Art of Deception. Needless to say, it's a real eye opener which goes to show that no matter how secure you make a system, the weakest link is always the human who uses it.
I used to think I was smart. As I get older, I realize that most of the time I was lucky. Like when, I avoided the love bug. In order to run my lab, I had become the unofficial Access/VBA guru of the company and was fairly proficient in coding useful time saving procedures. Seeing the value in this, several people would pop in from time to time wanting to “learn code and make a db” such as Steve, our purchasing agent. Meantime, I had learned to set the Office “file contains macros” warning. A few days later, I received an email from Steve with an Excel file attached concerning pricing or something. When attempting to open it, I received the warning that the file contained macros. At this point, I stopped to think things over. It had only been a few days since we spoke with no follow ups. Plus, we were talking about Access not Excel. I decided something wasn’t right and didn’t open the file which, of course, contained the love bug. Within a few moments everyone in the office was freaking out and our fledgling IT dept. was running around like crazy. It took two or three days to clean up the mess as I smugly watched from the lab. Ah, foolish youth. I still haven’t been bit yet but I now know it could happen to anyone, even if you’re careful.
I remember logging in one day that May and seeing the first I LOVE YOU message come in - from the engineering VP I reported to. I thought: "Cute, but seriously out of character for him. Then all the other engineering VPs and senior VPs, then the VPs and senior VPs of sales and support, etc. After the 30th email I decided it was getting a bit creepy (didn't open the attachments). It got into the lab test and research systems and kept breaking out because people refused to install updated malware protection despite my explaining to IT and Senior management what should be done.
Until the CEO got a flood of I LOVE YOU messages and sent out a response so scorching people got radiation burns. It was very amusing watching the subsequent scramble to protect all the Windows PCs and servers.
I remember teaching a security class a short while after this. One of the students was an Army officer, he said they got clobbered good and hard. The first strike was on the general, all the brass got an email from the main man and promptly opened it and it cascaded downwards.
Our IT dept sent out a test message to everyone with a deliberate phishing link, the only clue was that the sender address was IT@not-securitry.companydomain.com
We then all had to do security training: which involved clicking on a bit.ly link on our corporate interweb that went to some external training course that then asked for our name, company email and employee ID to generate the training record
Our corporate email system was being transitioned from HP's OpenMail to MS Exchange. One of the operators on an OpenMail server saw a spike in the queue lengths & called the duty admin who saw all these messages on queue, guessed it was a problem, added a rule to ban them, deleted them all from the queues and propagated the changes to all the our servers around the world. Not much of a problem. It started in the Far Eastern shift and was all cleaned out before the EMEA or America's day started.
The exchange servers? well that was a different story :-) ROFL
Don't know whether the same sort of solution was possible there & just those admins didn't have the experience.
The funny thing about "I Love You" is that the first time around, it was a HOAX, and flooded the mail system with massive quantities of people passing along a phony message. IT staff all over the world spent a good deal of time reassuring their users that it was fake, and that there was nothing to worry about.
The message in the email was "don't open or pass along anything with "I Love You" in the Subject line, it's a virus that will send your CPU into an n-dimensional loop that'll burn out your computer" or some such bullshit. The subject line invariably contained the string "I Love You". AOL was hit particularly hard with the hoax, their tech support group (anybody remember "tech live"?) was flooded with questions about it, and people forwarding the phony warning to all and sundry crashed the AOL email system.
It was the first non-threat email that I wrote nuke-on-sight filters for and built them right into Sendmail in what we would now call a milter. In the first weekend that I went live with it (at a couple Unis and six or eight companies), it was rejecting almost 60% of all email with no false positives. That's pretty good penetration, for a hoax with no payload that relied solely on social engineering to propagate.
The real virus came along around a year later. The name came about because the authors were mocking the people who had passed along the hoax. And remember all those AOL users? They were quite confident that it was a hoax, because the AOL tech folks had said so the year before. So naturally, they opened the attachment. I fixed over 300 household computers in and around Silly Con Valley after that one ... at $150 per. The impact on corporations varied with the cluefulness of the folks in charge of the email system.
I remember that too - back then I was working helpdesk, and trying to get people to understand that the email was a hoax was really hard. But at that point we'd still say "you can't get a virus from an email".
A year later, when "I Love You" started spreading, I was email sysadmin at an ISP. That was... not fun.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
