2009 Sure-Thing Security Predictions: People Still Weakest Link
If one thing is sure not to change in 2009, it's that attackers will be using more social engineering methods than ever before, and more socially driven technologies than ever before, to find their prey.

Why is this so certain? Because even if someone can technically exploit the entire underlying system of trust (SSL certs) on which Web security is built, or, on the flip side, even if our technological protections against attack are stronger and smarter than ever before, the most significant risk to any computer's security is still the person sitting in the chair in front of it, and that will never change. Will the person look at the SSL information even when it is there and accurate? Most do not, myself included.

Even worse, as we grow more enmeshed in and dependent on technologies to do things like communicate with our colleagues and friends, we become even more prone to exposing ourselves to external threats, in particular those that play on our familiarity and comfort with those very tools. The more we embrace the technologies, the greater the risk of social engineering becomes. And e-mail scams still work fantastically well when socially engineered, a good decade after their invention.

We've been saying this for years, of course, but 2008 saw significantly more angles on social engineering than we've ever seen before, from threats carried out on social networking sites like Facebook to more frequent targeted spear-phishing. Why? Because people are easy to fool! Far more so than computers, and perhaps more so than ever before, which is pretty scary to anyone who follows vulnerability research. So it's not surprising to see Trend Micro researchers finding fake classmates.com invitations being used to lure people into downloading malware.
"Since early November we have been observing the increasing occurrence of social networking malware, whose main modus operandi is to trick users into clicking a link which... scores much on credibility, because it often arrives via messages sent through social networking sites' internal messaging functionality," Trend researchers said in a summary.

At the end of the day, IT security, and especially Web security, will only be as intelligent as we, the end users, can be. And at present, it would seem that, relatively speaking, we're still plenty dumb. But isn't that why scams have always worked? Happy New Year!

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.


Comments (2)
Ha, well, you know what they say... fool me once with a phishing scam, shame on you. Fool me twice with the same phishing scam but featuring a spanking new logo, shame on... you, again? Ok, maybe that's not the exact saying, but it seems like the general sentiment. And you're very right in suggesting that social media will be the next minefield; I think most scammers are moving beyond PayPal, banking, and merchant scams because folks are getting slightly more hip to those hazards. From a social network site, though, where the interface changes on a seemingly daily basis, it might be a different matter.
It's not like the IT world is just twiddling its thumbs, though. I've seen a few attempts to make sites more secure, notably extended validation SSL certs -- some sites are reluctant to adopt them for various reasons, but at the end of the day consumers need better indicators to tell the good from the bad. And from what I've read EV has yet to be "phished" or duplicated. After all, even if it's the sucker's fault, who is he gonna blame? Maybe Al Gore...
Posted by John Chinacki | January 2, 2009 4:50 PM
As someone in IT, who has to constantly deal with the results of people clicking on anything and everything they get in e-mail, I have to say that at some point users need to step up a bit. When credit cards and cash stations first came out, I'm sure there were plenty of scams around them designed to take advantage of the new technology and the general public's ignorance of it. But, eventually, people had to adapt and, heaven forbid, learn. The same is true of the current technology.
That being said, some of these cyber-crooks are pretty clever. I've seen windows pop open from malicious websites that almost fooled me into thinking I had a Windows error message! So I can only imagine how many regular users got suckered by these tactics.
Sooner or later, we'll reach a breaking point and have to both change how we interact on the Internet and develop more and better security measures. It's inevitable.
Posted by Network Geek | January 7, 2009 9:39 AM