Two great e-mails came in last month, from both ends of the country. One contained a photograph from snowbound Halifax showing a doorway so packed with snow it was used to chill beer. The second, from Vancouver Island, depicted “West Coast Storm Damage”; it showed a cedar deck sprinkled with raindrops and one plastic chair blown over backwards.
Both e-mails were funny. They brought a little lift to the day. Each, in its own little way, helped to support the sense that we are one great country, with a shared sense of humour.
They were also a complete waste of time in terms of bandwidth and computing resources.
Perhaps worst of all, they encourage an attitude of complacency about e-mail attachments. “Feel good” messages aren’t just wasteful, they’re dangerous. Hackers use e-mail messages to spread trojans, viruses and worms. The conventional wisdom used to be: “Only click on attachments from people you know and trust.” Those days are gone. Someday soon, it is safe to bet, the new security message will be: never click on any e-mail attachment, anytime, under any circumstances, until it is scanned for potential threats, like luggage at an airport.
E-mail-based threats are becoming more sophisticated, and they are carrying more virulent payloads. E-mail users, on the other hand, do not seem to be learning. In fact, one IT security commentator recently traced four curves on a sheet of paper:
• The first rising line showed that the number of e-mail-capable devices attached to the Internet is steadily rising.
• The second, parallel curve showed the increase in the number of e-mail-based viruses.
• The third line, also rising from right to left, showed the increase in spam messages.
• The single downward line showed a steady decrease in the average level of technical sophistication and security awareness among new e-mail users.
Where the lines intersect, e-mail will probably cease to be an effective business tool.
Whenever someone decides to send out the latest joke, cartoon or recipe to their entire mailing list, a message should come up in their minds — if not on their monitors — asking, “Is this really necessary?”
It remains to be seen whether new antispam legislation in the United States will stem the flood of junk e-mail. In March, four of the world’s largest ISPs — Microsoft, Yahoo, AOL and EarthLink — filed lawsuits against hundreds of mailers under that legislation. While the cases are crawling through the courts, it is probably safe to assume nuisance mailers will find new ways to carry on. Meanwhile, spammers and virus writers seem to be building an unholy alliance in which hijacked computers are used to send out spam – which contains viruses to hijack more computers.
Because variants of malicious code have been released so quickly in recent months, some analysts suspect that hackers are releasing source code so others can quickly write their own slightly modified versions. While it only takes a little effort to create and release a new version, antivirus companies must still do a complete analysis to develop and distribute updated signatures to their customers. Their customers, in turn, must roll those new signatures out to their organizations quickly and completely. This may be a deliberate war of attrition.
Increasingly, the motivation seems to be changing from ego-driven vandalism to profit.
At least one trojan sits on an infected computer until the addresses of well-known banks and financial institutions are typed into a browser. It captures the ensuing keystrokes — presumably user name, password and transaction details — and e-mails them back to the hackers. What happens next happens quickly.
The LDPinch-G Trojan not only gathers detailed information about an infected computer, it grabs passwords and other confidential information from the system’s Protected Storage as well as passwords and usernames for e-mail and FTP. The latter is particularly problematic because many organizations that have banned or limited e-mail attachments now depend on FTP.
Many years ago, when federal civil servants picked up their Government of Canada pencils they saw a little message: “Misuse is abuse.” That message should be on every public-sector computer terminal today, because the price of careless e-mail use is becoming much too high. It is time to create workplace e-mail policies that ban personal attachments completely and reduce personal traffic to a minimum. The alternatives are certain: wasted time and money in the present and possible compromised data in the future. Neither is acceptable.
Richard Bray is an Ottawa-based freelance journalist specializing in technology and security issues.