By Richard Bray
The hacker community’s biggest problem has always been getting malicious code from their computers onto everyone else’s. Before most computers were attached to the Internet, they typically planted their viruses inside programs or batch files and hoped they would be passed along on diskette or downloaded from dial-up systems. Today, e-mail provides a direct path into corporate networks and the person who usually opens the door is Joe Keyboard, the average user.
The dark art of getting people to override their workplace training, better judgment and natural suspicion and do something really stupid is called social engineering. Maybe it’s a phone call from “IT support,” asking for a password. Or it could be a Web site whose attractions prove fatal. But all too often, it’s an e-mail attachment that apparently comes from a trusted source.
Electronic mail messages are the number one method for attacking a computer network, through Denial of Service (DoS) attacks, viruses, scripts or infected Office documents. MessageLabs reports that one out of every 215 e-mail messages contains a virus.
The most recent poisoned fruit – and a good example of the kind – is a message purporting to be from Microsoft and containing, ironically enough, a critical security software patch. Not knowing that Microsoft never sends patches or programs to individuals, the unwary user opens the attachment and unleashes an anti-Microsoft diatribe along with a storm of troubles: Windows systems files are deleted, Task Manager and other programs are disabled, and the worm e-mails itself to everyone in the user’s address book.
Social engineering takes full advantage of human weakness. The Melissa virus was one of the first to exploit cheerful subject lines over messages that seemingly came from familiar e-mail addresses. No matter what the source of the attachment, users have grown accustomed to clicking on all kinds of attachments. It is the rare individual who can look at messages with plausible subject lines from well-known correspondents and still set every one aside until their validity has been confirmed.
There’s a wide variety of bait on the e-mail hook. One subject line that caused great havoc read simply, “Here is the information you requested,” and the sender was usually someone familiar to the recipient. Other subject lines and attachments, like “Anna Kournikova” or “World Cup,” appeal to other interests.
Within three decades, e-mail has gone from nerd’s novelty to basic necessity, both in and outside the workplace. It was just a little more than 30 years ago that an engineer named Ray Tomlinson modified an existing program called SNDMSG to send messages to users on a network instead of just to those logged on to a single computer.
With that, and Tomlinson’s choice of the symbol @ to designate a remote user, the world changed. Within a few years, in the public domain, proprietary systems such as CompuServe and Delphi allowed users to exchange messages. A few years later, they reluctantly allowed their users to connect outside their enclosed systems, to communicate with an exploding population of users on the Internet.
E-mail now reaches from outer space to the depths of the ocean and everywhere in between, allowing almost instant communication between hundreds of millions of computer users around the world. In theory, with the latest cellular telephone technology, a single e-mail message could reach more than a billion users. Today, IDC estimates more than 30-billion e-mails are sent each year, a number that will double by 2006.
Like the Internet itself, the high utility and low cost of e-mail means that it swiftly outpaced effective control and management. Its low cost, wide availability and ease of use give practically anyone the ability to send, forward, modify, forge or fabricate a message, or millions of messages, to anyone else.
Writer John Dvorak recently set out an e-mail wish list that would be hard to improve: Along with a common addressing system, he would like a way to confirm delivery of an e-mail; a systematic means of forwarding e-mails when an address changes; a way to positively identify the real sender of a message; absolute privacy of e-mail messages through encryption; and, perhaps most important, built-in anti-virus protection.
Those changes, if implemented widely and soon, could be enough to preserve the benefits of e-mail, by eliminating some of its growing disadvantages.
Richard Bray is an Ottawa journalist who specializes in high technology. A former reporter and producer with the CBC, he is also a former editor of Ottawa Computes. He may be reached at [email protected].