In an increasingly technological world it is easy to forget that social engineering attacks will keep doing more damage than the latest 0-days. The most effective intrusions are the ones with a significant "people" component. That is why it is surprising that both Microsoft and SecurityFocus seem taken aback by a relatively unknown piece of spyware being deployed so successfully through social engineering. It is well known that a large share of intrusions are insider (that is, people) attacks. Before the days of Outlook flaws, e-mail viruses had to trick users into running attachments themselves. There will always be the occasional vulnerability that sends security people scrambling, but there will also always be users who run things they shouldn't be running.
The idea that the unsophisticated consumer will be able to protect their own information does not hold up against the number of accounts that are being compromised. Phishing is a good example: there would be little to no phishing if people could not be tricked into handing over their information.
There are two parts to solving this problem, and both are required. The first is security education, which will help but will not solve the problem on its own. Consumers have more on their minds than spending all their time learning system hardening. They need to take basic steps such as patching, running anti-virus, and running anti-spyware, but that will not be enough. The second part is finding ways of doing business that assume consumer PCs cannot be trusted with any data that is not meant for public consumption. We need to treat the PC, much as the Internet in general is already treated, as a hostile medium for information, and protect the data accordingly.
John Bambenek // bambenek -at - gmail -dot- com
University of Illinois
Apr 4th 2006