jeisenberg
New Year's Eve

join:2001-07-06
Windsor, ON

Users will always be the weakest link

A few years ago, I hosted a luncheon presentation about computer security. Each participant was treated to a light meal and a short presentation. At each participant's place setting, there was a sealed business envelope, and a CD. The envelope was marked "Do Not Open". The CD was marked "Virus - Do not install".

If you held up the envelope to the light, it was evident that there was a powdery substance inside. Of the ten envelopes handed out, nine were opened during the meal.

The CD contained a "virus" program. Upon inserting the disk, a standard InstallShield message came up, telling the user that the disc contained a virus, and that the user was urged not to continue installation. If the user continued, a second message appeared, indicating that the user's address book had already been copied and sent off to an offsite location, and that the user should abort installation immediately. If the user continued, the "virus" payload was installed and the user was informed that the virus had now been installed.

Finally, if the user attempted to re-install the CD, a message would pop up saying that there was no need to repeat the experiment, as the computer had already been infected.

Of the ten CDs taken home by the participants, I received confirmation that six users had gone all the way through the various prompts (including re-trying the procedure and receiving the message that the virus had already been installed).

Curiosity and the possibility of adventure will almost always trump common sense.

Lest any of you think this example is not relevant because a "real" virus would have tripped an anti-virus alert, what about zero-day viruses?


goalieskates
Premium
join:2004-09-12
land of big

Now that's just funny. Or sad. Or both.

But not surprising.


dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8

reply to jeisenberg
Yeah, I would have likely installed the CD too. Here's the reasoning: I got the CD from a presentation about computer security. Therefore, it is not likely to be an actual virus. It clearly announces that it is a virus. Therefore, it is not likely to be an actual virus.

Of course, I would have installed it in a throwaway system instance. Just in case.

The powdery substance seemed like a cheap stunt, unless your participants truly believe that a hosted luncheon is an effective way for someone to disperse anthrax-riddled letters. And besides, they presumably have your name to hand over to the FBI?

In both cases, CD and envelope, my threat-plausibility detectors would have read 'not a threat'. Unless there's more to it than repeated here.


Xzar

join:2003-02-16
Yaphank, NY

reply to jeisenberg
Yeah, not sure if that's funny as heck... or just sad.

Seems the common user just doesn't understand computers 101.



jeisenberg
New Year's Eve

join:2001-07-06
Windsor, ON

reply to dave

said by dave:

It clearly announces that it is a virus. Therefore, it is not likely to be an actual virus.
That's not a very good assumption. These (and other) security forums host discussions of real-life viruses. Users (though probably not uneducated ones) often will attach a file which they suspect of being infected, and ask whether anyone else has run into it.

Here, you have a forum where your threat-plausibility detectors should read "possible threat", yet I'd venture a guess that more than a few people will STILL take a look at the infected file - just to see if THEIR anti-virus system will block it.

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8

As I understood you, the virus installation kit itself says "Hi, I am a virus". I've never heard of a real-world virus doing that, except to prove "users will install anything".

That's rather different from a naive user saying "here, I have a virus".



beck
Premium,MVM
join:2002-01-29
On The Road
kudos:1
Reviews:
·Stablehost.com

reply to jeisenberg
That is sad and stupid. Could you please post a list of these people so that we never help them get rid of their nasties on their computers?

Such people should not breed. There are enough stupid people in the world.
--
Some people are like slinkies - not really good for much.
But they bring a smile to your face when pushed down the stairs.


munky99999
Munky

join:2004-04-10
canada

reply to jeisenberg
I've been in a similar situation, but nothing was actually labelled or anything. We were all given CDs to go with our introduction-to-the-class package, which had all your usual stuff from your typical first day of a class.

The CD had a single binary on it with an autorun. I didn't know too much about reverse engineering binaries at the time, but I opened the binary in Notepad and it had an email address (an ISP-given one which had the prof's name) and ICQ #.

I sent an email to the said email saying that I was part of some government agency and that the malware was detected on a government computer and that once the warrants are cleared that the professor in question will be arrested.

The next day the prof walks in with a smile as wide as can be. Everyone except me infected themselves. Somehow he had figured out that the email was BS, but he played along, saying that his boss would find a replacement for him and such; he explained the CDs were infected and that everyone fell for it, but one of us infected a government computer and now he's going to be arrested for it. I eventually started laughing because he was really playing the emotional innocent prank. He then asked me if I had sent him the fake email. I said yes and he said well played, in a sense, as for a moment he was actually concerned.
--
--
if (value == 0)
return value;
else
return 0;



jeisenberg
New Year's Eve

join:2001-07-06
Windsor, ON

reply to dave

said by dave:

As I understood you, the virus installation kit itself says "Hi, I am a virus". I've never heard of a real-world virus doing that, except to prove "users will install anything".

That's rather different from a naive user saying "here, I have a virus".
That IS what I was trying to prove... that users will install anything - even if they are warned not to.

With regard to what I said about your threat-plausibility detectors, I meant that if a visitor to a virus forum attaches or links to a suspected virus file, there are still people who will open the file to see if it really is a virus, or whether that virus is capable of penetrating their own virus defenses.

How do I protect my clients from doing something that reckless? If I was in charge of their IT departments, I would lock down their permissions and not allow individuals to install software. However, for my clients, who call me only after something goes wrong, I don't have the answers.

Even after they install software they've been warned not to install, they wonder how they could possibly get infected!

OmagicQ
Posting in a thread near you

join:2003-10-23
Bakersfield, CA
kudos:1

reply to jeisenberg
This is just like those running gags about "Don't push the red button" or "Don't pull on this rope". I hope none of those people live near an electrified fence.
--
THERE IS AS YET INSUFFICIENT DATA FOR A MEANINGFUL ANSWER.



Jahntassa
What, I can have feathers
Premium
join:2006-04-14
Conway, SC
kudos:4

reply to dave

said by dave:

As I understood you, the virus installation kit itself says "Hi, I am a virus". I've never heard of a real-world virus doing that, except to prove "users will install anything".
Careful, you never know. The next step is to start sending out unsolicited discs to random people and seeing what happens.

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8

1 edit

said by Jahntassa:

said by dave:

As I understood you, the virus installation kit itself says "Hi, I am a virus". I've never heard of a real-world virus doing that, except to prove "users will install anything".
Careful, you never know. The next step is to start sending out unsolicited discs to random people and seeing what happens.
But that's different, and has been done more-or-less with the 'USB sticks dropped in parking lot' approach.

My point seems to be not getting across. There's a whole heap of difference between 'disc of unknown provenance' and 'disc handed to every attendee at a security conference hosted by a known person'.

Suppose I *had* installed the disc from jeisenberg and suppose it had done something bad. I know how to contact the FBI, I'm sure jeisenberg knows I know that, etc. Based on such considerations, including the fact that this hypothetical me would have been able to assess jeisenberg up close prior to install, I declare 'unlikely to be a threat'.

(Of course, I'd *look* at the do-not-install CD before actually running the installer, but that seems self-evident. I always do that, mostly because I want to know how much crap is coming along with the software I want).

said by jeisenberg:

Even after they install software they've been warned not to install, they wonder how they could possibly get infected!
But if this is still referring to the seminar CD, then it's not a credible warning. You handed out a CD and said "do not install this CD". Obviously, if you really wanted them to not install the CD, you would simply not have distributed the CD in the first place.

So, there are two overt and conflicting messages, which should make it obvious that it's an intellectual game of some kind.


MalwareWolf

join:2010-07-31

2 edits

reply to jeisenberg
Thanks for those good posts jeisenberg and munky99999. I assume the presenters didn't push the CDs to be installed, they were just there.

In one sense the users may have considered the source and may have accepted the CDs at face value, however I am surprised no-one queried the purpose or necessity of the CDs.

Even given this though, I am not surprised users do such things.

Yet even I get surprised by how many people click links in social network/forums etc, especially with url shortening.

Just on url shortening, there are addons to show the ultimate destination of such urls (for those who might not know).

Thanks for sharing your experiences and dave for his input too. Great insights.
--
My PC is not obsolete, I haven't even switched it on yet!



BlitzenZeus
Burnt Out Cynic
Premium
join:2000-01-13
kudos:2
Reviews:
·Frontier FiOS

reply to jeisenberg
They need to do tests like this when hiring people, and those who fail need to be released immediately. Consider it an honesty and common sense test. Just don't let them know this was the reason. If they can't follow simple common sense instructions, and/or try to get away with something, then they are unable to perform the task at hand; it's truly that simple. You don't need these idiots in your company, and while these people may not look mentally retarded on the outside, they sure are mentally retarded. I'm sorry, I've offended the mentally challenged people who wouldn't do it either.

It's amazing the stupidity some people will try to get away with.
--
My hourly rates:
$25 per hour.
$35 per hour if you want to watch.
$45 per hour if you want to help.
$75 per hour if you tried to fix it, and failed.
Security through obscurity is for the ignorant who don't deserve security.



jeisenberg
New Year's Eve

join:2001-07-06
Windsor, ON

reply to dave

said by dave:

Suppose I *had* installed the disc from jeisenberg and suppose it had done something bad. I know how to contact the FBI, I'm sure jeisenberg knows I know that, etc. Based on such considerations, including the fact that this hypothetical me would have been able to assess jeisenberg up close prior to install, I declare 'unlikely to be a threat'.
The virus was real. It concealed itself on the user's system and did "phone home" to alert me to the identities of the attendees who were foolish enough to run the installation. It persisted on their machine, so that subsequent attempts to reinstall the virus would check for the presence of the virus before continuing the reinstallation. However, it's doubtful that the authorities would have done anything to me. All I would need to do in my own defense would be to give them a copy of the CD and show them that the users were given fair warning that something bad was going to happen if they proceeded, and they consciously chose to proceed (I hadn't previously mentioned that the default choice provided to the users was to abort installation - they needed to specifically choose to continue). In effect, they consented to the installation, knowing full well that a virus was going to be installed. No one was tricked or coerced.

The virus was not designed to propagate, nor was it designed to do any damage to the system. Furthermore, if the user at some future point chose to run a decent registry cleaning tool, the payload would have been removed.

Kearnstd
Elf Wizard
Premium
join:2002-01-22
Mullica Hill, NJ

1 edit

reply to jeisenberg
It's the example of the Yes Clicker: the typical user always clicks Yes when presented with a question from their operating system. Also, enticing people with free stuff is another method of delivery of infection. (A common one right now in the World of Warcraft community is telling people they are into the beta and need to log in to a website with their account info. Even though Blizzard has openly stated that is not how they work for this, people still bite the bait.)

Oh, and as for those "Do not push the red button" things, I always wanted to set up something outside a supermarket. It would have one or two car batteries, a nozzle, a hookup to the hose faucet, and a solenoid valve, and a netbook w/3G and a well-hidden webcam, and finally a big red button that completes a circuit which opens the valve. When pushed, the person gets squirted by multiple nozzles. And above the unit at eye level a sign: "Do not push, you will be soaked". I bet the system would count dozens of pushes in one half of the day.


dogtem

join:2009-01-28
Simi Valley, CA

said by Kearnstd:

Oh, and as for those "Do not push the red button" things, I always wanted to set up something outside a supermarket. It would have one or two car batteries, a nozzle, a hookup to the hose faucet, and a solenoid valve, and a netbook w/3G and a well-hidden webcam, and finally a big red button that completes a circuit which opens the valve. When pushed, the person gets squirted by multiple nozzles. And above the unit at eye level a sign: "Do not push, you will be soaked". I bet the system would count dozens of pushes in one half of the day.
Hysterical and I would guess you're absolutely right.

As for the article/study/whatever - I'm amazed it's even still debated by some.

Especially when you consider SE (social engineering). Then you have other things. I mean, how long was it before the ancient phf bug in Apache was patched by the majority of admins? And how long was it before shadow password files were implemented in most systems? I imagine some still do not have it (or rather, I would not be surprised). And there are still open relays. Then there are other issues of course, like backdoors and other malignant software opening up holes. Even a badly configured firewall is worse than none at all, at times.

There's another part of it, and I think it is one of the main issues. Point-and-click has really made things far too easy. Even the Apache servers (or one server anyway) recently got compromised because of an XSS exploit, and indeed because someone forgot they were logged in and clicked on a link.

It's instinct, I think, and when you work with GUIs a lot, it's more likely to happen - not saying it will, but more likely.

I would say that even I have done things or clicked on things I shouldn't have (and most of my work - be it programming or writing a text on something, is by way of the linux shell). Maybe not security related, but it's still in-line with the fact of the user is a huge source of the problem.

I said something maybe 11 years ago, it's in my email signature, my mom's whole office uses it now, and the sad fact is it's 100% true 99% of the time:

"The problem is that which is between the keyboard and chair."

I'm sure others have said similar, but this is what I observed years ago, and how I worded it, anyway.


AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1

reply to jeisenberg

said by jeisenberg:

The virus was not designed to propagate,
Then, it is not a virus.
--
standard disclaimers apply.

Kearnstd
Elf Wizard
Premium
join:2002-01-22
Mullica Hill, NJ

reply to jeisenberg
Social Engineering is something that will never be solved or curable because there will always be human interaction somewhere in the chain of security.

User education can only go so far, but social engineering has been working ever since some Trojans used a wooden horse.....
--
[65 Arcanist]Filan(High Elf) Zone: Broadband Reports



AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1

said by Kearnstd:

Social Engineering is something that will never be solved or curable because there will always be human interaction somewhere in the chain of security.

User education can only go so far, but social engineering has been working ever since some Trojans used a wooden horse.....
Would you give a dollar to a panhandler? Probably not, but enough do to make it worth the panhandler's while. Many more would click a link and yet some are so paranoid as not to do anything worthwhile with their computer. There is still room for the average user to become aware and get an instinct as to what is safe and what is not. I had hopes for the myspace/facebook generations, but now I have doubts.
--
standard disclaimers apply.

over 13.5 years online © 1999-2013 dslreports.com.