======================================================================== SECURITY ADVISER: P.J. CONNOLLY http://www.infoworld.com ======================================================================== Thursday, November 11, 2004
Network protection commentary by: P.J. Connolly A PROBLEM TECHNOLOGY CAN'T FIX By P.J. Connolly Posted November 05, 2004 3:00 PM Pacific Time As distractions go, there's nothing like the first good head cold of the season to take the wind out of one's sails. I've been huffing VapoRub for so many days that I'm approaching the point of substance dependency. Although the reduced flow of oxygen to my brain is making me feel a little dopey, I haven't taken complete leave of my senses. ADVERTISEMENT -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- The RSA(R) Conference is the most prestigious information security event of the year! This is the authoritative source for uncovering new ways to thwart cyber-criminals. RSA Conference 2005 takes place February 14 to 18, 2005 in San Francisco. Register early for special discounts. http://newsletter.infoworld.com/t?ctl=9E1D9E:2B910B2 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- So when I read a Gartner representative's claims that social engineering is more of an IT security threat than traditional cracking and hacking, all I could do was nod my head and agree. That's because I've been taking a good look at the spam in my inboxes. Most of this stuff is trying to get me to click on a link or open an attachment and assumes that I'm either greedy or gullible enough to disregard the consequences. Some of these traps don't even bother to disguise themselves. Not that it's necessary -- I bet that more than a few people would click on a link that clearly states they're headed to "Iwill0wnyoursystem.com" if a free iPod, Rolex, or Viagra sample was offered up. I had an upfront view of this behavior last weekend as I was preparing a laptop for an install of Windows XP Service Pack 2. The machine in question belongs to a college student who works in my lab during the summer, playing Jim Fowler to my Marlon Perkins. In other words, he wrestles alligators while I sit in the tent drinking Scotch and complaining about the heat. Having flushed out the tracking cookies and other spyware that had accumulated during the first months of the school year, we found ourselves in an online chat with Dell support, seeking a BIOS password. Long story short, that wasn't going to happen until Monday; Jim decided to catch up on e-mail, download some homework, and play a few games. Therein lies the rub. I'm not too sure of the provenance of some of the games he plays because, after sorting out the BIOS issue on Monday, I launched a grand final spyware sweep and found a bunch of stuff that could only have appeared on the system during the few hours Jim was using it. Whatever the intentions were, somebody's infiltration plan proved effective. The solution to social-engineering attacks is not to blame the user; after all, acquisitiveness and curiosity are two characteristics that define the human being. The smarter move is to mitigate the potential damage. Virtual systems are one way to sandbox the problem user -- or more precisely, problem code -- but they're not always practical solutions. One thing I know for sure: Human nature is one problem technology can't fix. P.J. Connolly is a senior analyst at the InfoWorld Test Center. ======================================================================== Ever wonder how others keep up with web services? Your peers will tell you, although your competitors probably won't. This is how more than 63,000 people keep up with the fast-moving news about web services: the Web Services Report newsletter. Scan its quick summaries of the week's biggest news in web services, then move on or click through for the full story. It may not be the only way to keep up with web services, but it's the easiest. Subscribe at http://newsletter.infoworld.com/t?ctl=9E1D9A:2B910B2 ADVERTISE ======================================================================== For information on advertising, contact [EMAIL PROTECTED] UNSUBSCRIBE/MANAGE NEWSLETTERS ======================================================================== To subscribe, unsubscribe or change your e-mail address for any of InfoWorld's e-mail newsletters, go to: http://newsletter.infoworld.com/t?ctl=9E1D9B:2B910B2 To subscribe to InfoWorld.com, or InfoWorld Print, or both, or to renew or correct a problem with any InfoWorld subscription, go to http://newsletter.infoworld.com/t?ctl=9E1D9D:2B910B2 To view InfoWorld's privacy policy, visit: http://newsletter.infoworld.com/t?ctl=9E1D9C:2B910B2 Copyright (C) 2004 InfoWorld Media Group, 501 Second St., San Francisco, CA 94107 This message was sent to: [EMAIL PROTECTED]
