The Dark Side of the Moon.

03/09/2007 Written by tripwire

Latest reports indicate that in the first half of 2007 spam reached 59% of all monitored email traffic, a substantial increase compared to the 54% of Q4 2006.

A worrying 0.68% of these emails carried a security-threatening payload in the form of a malicious attachment, which corresponds to one malware-based attack for every 140 spam messages sent.

For a few years now, crackers and criminal organizations operating in the digital domain have been using a mix of social engineering and software exploitation techniques.

This mix has become more effective, aggressive and dangerous over time, and very lucrative too, so that we now see a flourishing global market of pre-made malware and crime-dedicated tools, growing stronger every day.

Sending malicious attachments by email is by far the most common vector of infection, since it’s quite easy to exploit the weaknesses of the most widespread email clients, and also because end users are not cooperating, seeming incapable of preventing and managing this kind of attack.

In recent months, statistics have shown the growing diffusion of modified PDF attachments used as a vector to execute and deploy trojan horses. Overall, these attacks were quite successful, due to the overlapping and reinforcing consequences of several causes:

– Acrobat Reader is typically considered a harmless and necessary application, therefore it’s allowed by default even on corporate PCs

– Acrobat Reader is exploited by taking advantage of vulnerabilities which are usually 0-day, undisclosed, or unpatched by the vendor

– users “believe” in PDF files, and are so used to receiving them from trustable sources all the time, that they easily fall victim to the “PDF = good, official stuff” impression

– a PDF-based attack can also exploit users on a semantic level, and can reinforce a social engineering based scam, because of the trust people have in PDFs, especially when they look official (well written, professional-looking documents discussing serious or interesting topics)

Protection against this kind of attack can be obtained and enforced only if, or better when, end users become part of the security chain, actively cooperating in all the countermeasures, from prevention to reaction. The only way to achieve this goal is to make them responsible in some way if something bad happens, or could have happened, because of their wrong behaviour.

If we want to raise the security bar substantially, we must go beyond the obsolete idea that end users are dumb, helpless, passive members of their organizations. As every car driver knows, you don’t need to be a mechanic to drive safely: by respecting some basic rules which save money, lives and trouble, everyone behaves in a safer way, in his or her own interest.

So it’s necessary to transfer some of the costs and responsibilities of the security process toward the end user, by introducing proper regulations and sanctions, and by reinforcing their personal interest in the secure flow of operations, at every level. ICT security will never achieve better results than we already have if we do not actively involve end users in the loop. Problems arise not because of a lack of awareness and education, but because of a lack of involvement and responsibility.

It’s a huge, delicate, hot topic, which will be debated for years, so we can only bring it to your attention for further discussion: but denying it would be like denying the existence of the dark side of the moon.
