Social engineering

How the way we think makes us more vulnerable

The last couple of weeks have seen the re-emergence of an old friend, the Sober worm. At one point it was responsible for nearly five percent of all internet traffic. It works like this: you get an email promising free tickets to the 2006 World Cup. You click on the attachment. It infects your computer, switches off your firewall and starts spamming everyone in your address book with copies of itself. It does not attack the following types of users:
The last point is the most remarkable. It's the oldest trick in the book and yet people fall for it again and again. Manipulating people into doing things like this that are not in their best interest is social engineering. And it's on the rise.

Target: Instant Messaging

The newest arena for social engineering is Instant Messaging (IM). This includes programs like MSN Messenger, AOL Instant Messenger, Windows Messenger and Yahoo! Messenger. Threats that exploit IM have tripled in the first three months of this year, according to IMlogic, a company that specialises in securing IM. Most of them use social engineering techniques. For example, some worms pretend to chat to users before infecting them. As with the Sober.p emails, most IM attacks require users to click on something to initiate the infection.

On one level, it's easy to understand how people fall victim to social engineering. Who doesn't like the idea of getting something for free? Fear, guilt and greed are powerful motivators, easily capable of overriding rationality. But in a larger sense, it is simply unbelievable that people fall for such low-level scams as the Sober.p worm. I have a suspicion why this keeps happening. I recently observed two focus groups where eight users discussed their attitudes to security. At the beginning they were all asked how competent they thought they were at dealing with security issues. Almost all of them gave themselves seven or eight out of ten.

Behaviour

As the discussion went on, it became clear that the best of them was a five, and the majority knew even less. They thought they were better informed, better protected and savvier than they actually were. It wasn't that they were stupid, it's just that they underestimated the risks and overestimated their chances of avoiding them. If you knew all the speed cameras were switched off, wouldn't you be tempted to drive a little faster?
As Woody Allen once said, I'd like to leave you on a positive note, but would two negative ones do instead? This week has convinced me that the biggest security problem is in people's brains. Unless behaviour starts to change, we're going to see a lot more "free world cup tickets" in future. Quite simply, when it comes to geeks bearing gifts, it pays to be paranoid.

Matthew Stibbe writes a new column every fortnight.