Friday, March 11, 2005

The Day Mona Lisa Wanted her Smile Back

MSN Messenger users will recognize the title of this post. Throughout last week, millions of MSN Messenger users lost their smiles to a Trojan (a malicious program that masquerades under another name) that infected their computers using the guise “Mona Lisa wants her smile back.pif”.

Officially named W32.Serflog.A, it spread across the globe through Messenger and other network access programs. Serflog was a medium-threat Trojan, one of the hundreds (if not more) of its kind that appear on the Internet every week.

What calls for attention though, is the manner in which Serflog spread. Within hours, it had spanned continents and infected networks – using one of the biggest loopholes in any security system – humans. Everyone in the security business (whether making it or breaking it) knows the tenet - “The weakest link in a security system is the human link”. The spreading of Serflog is a classic example.

Consider this. It is 10:30, Monday morning. You have just entered office and connected your laptop to the Internet. As you log on to MSN messenger, you receive a request from your spouse/friend/colleague’s MSN contact to download a file titled “my topless image in skirt.pif”. You don’t think twice before accepting the request. Your antivirus tool pops umpteen warnings; your antispyware tool starts blinking. You ignore all of them and continue. Five minutes later your hard disk has crashed. Whose fault was it? Who compromised the system? Was it smart code or smart mind reading on the hacker’s part?

Social Engineering is an old term in the hacker community. Experienced hackers and security pros will tell you that the best way to enter a system and steal information or create damage is not by writing smart code. It is by fooling the users of the system. If you can enter the user’s mind, you can enter their systems.

From a 120 Rs/hr luxury, today the Internet has become a part of our personal and work lives. This has tremendous privacy and security implications. The internet is an immensely powerful tool. And like all powerful tools its use can be potentially dangerous, if we don’t understand what we are doing.

I have a friend who is an avid blogger. His blog, apart from being a sensual and intellectual treat for visitors, is also a hacker’s delight. It’s full of little interesting details and insights into his personal life that, if carefully pieced together, can create a complete psychological picture of the man. Using this picture, it is theoretically possible to narrow down the kind of passwords that this guy is likely to use for anything online. When I told him this, he scoffed at me and asked me to stop reading sci-fi books. You can choose to think like my friend too.

But look at where technology is headed. Every single word that you type on the Internet is being tracked and archived by numerous web crawlers and search spiders. Storage technology has evolved to the point where it is virtually costless to store terabytes of data for some future undefined use. Intelligent search bots, software that can read and piece together disjointed information from disparate sources and consolidate it for humans, are under development. Every time you go onto the Internet, you are throwing open a dozen odd doors and windows for people to listen and see your private world, without your even realizing it.

If you aren’t already, you should start worrying. Because it’s a war out there. And it’s being taken directly into your homes and your personal lives. It is impossible to predict the exact threat and information breach possibilities of the future. But the fact that immense possibilities exist, cannot be denied.

While you are leaving seemingly harmless, small tidbits of information all over the web – your age-group on one website, an email id at another, gender and nationality at a third place and your personal thoughts and problems on a blog – a web spider is scanning and archiving all this into a database somewhere. Someday someone might be interested and resourceful enough to pull out all that information, put it together and use it against you.

Antivirus companies, law-makers and security professionals are fighting a losing battle. For one, it is difficult to account for all the permutations that software provides hackers. Second, misinformed, ignorant or careless users render all attempts at security and privacy protection virtually useless. Most users think that the Internet is a completely anonymous, impersonal domain. The truth is that there has never been a technology as capable of being plugged into your personal life as the Internet.

The problem is much more acute in countries like India. We have an ever-increasing net-user population, a majority of which uses the internet like the television or the telephone. For them it’s another new entertainment and communication tool. With very little clue of what it is all about, they are sitting ducks for hackers and cyber-terrorists.

The problem is aggravated because most of us are using pirated software and have little or no security measures in place. With users out of the security network of software companies and hackers loose, thanks to little or no legislation, India is set for a major cyber-tsunami to strike it. As with all large scale catastrophes and emergencies in the past, the government, media and people in general will be caught napping.

The result will be a series of knee-jerk reactions, ad-hoc legislation, mass-scale paranoia and finger pointing. Apart from the financial, personal or physical damage of a mass-scale cyber attack on our networks, the freedom, trust and openness of the Internet will probably be lost forever.

It is time netizens realized the power and impact of the Internet and gave serious thought to security implications. It’s time we started learning basic Internet security guidelines, essential protection methods and the implications of specific actions on the Internet. Apart from your favorite blogs, online journals, mail accounts and shopping sites, start paying visits to security sites. Subscribe to newsletters on security. And think about making allocations in your budget to buy legal software. We need to realize that we can no longer depend on the family geek for maintaining our PC. That’s as much our job as servicing the car. We need to educate ourselves and people around us. Education and awareness are the only long-term protection that we will ever have in this war.

Revolutions bring freedom. But they also bring responsibilities. The Internet is mankind’s biggest revolution after the wheel and the fire. It’s our responsibility to protect it from being hijacked and abused. Much as you would like to think otherwise, your PC is no longer an impersonal box that sits on a table in the corner. It is now an important part of your life, and by protecting it you are doing your bit to protect your own and the Internet’s future. The Internet is an information superhighway. Driving blindly at 180 kmph is going to get you killed one day. Open your eyes before it’s too late.
