
ICG Risk Blog - [ Homo boobus and social engineering: When the nut behind the wheel is loose ]

Homo boobus and social engineering: When the nut behind the wheel is loose


Homo boobus is one of my favorite creations, the person for whom Murphy's Law was made and whose more spectacular appearances are usually preceded by "Hey, watch this!" The most audacious members of the species go on to posthumously win the Darwin Award.

He or she is also the person whom sysadmins have seen "click the email attachments (when they KNEW it was a virus) 'just to see what it would do'." In the future you may have the opportunity to know them much better, as the family of socially engineered attacks commences with "Drag-and-infect."

Drag-and-infect is a case of drag-and-drop that allows an "attacker [to use the flaw to] install a program on a victim's computer after convincing the person to visit a malicious Web site and click on a graphic." The malicious website would be set up to lure Homo boobus into dropping a program into the victim's startup folder, where it would then execute when the PC was restarted.

I do not agree with Microsoft's position that the flaw "did not pose a serious risk to users because it requires an attacker to trick people into visiting a Web site and taking some action at the site." Just think how a virus, as opposed to a worm, propagates; a user has to do something, has to intervene, which they do with regularity. It is believed that drag-and-infect can be reduced to a single click, thereby making the exploit much more prevalent.

I very much agree with the comment of the flaw's discoverer, who embedded a general compliment to Microsoft in saying, "The patch [for XP] really does lock down the machine nicely, and whatever anyone finds now will be completely different to the previous year's findings."

Enter the age of Homo boobus. If and when software providers do make their apps more robust, hackers and crackers will shift to the weakest link and they will do it quickly and in novel ways that sail past the constructs meant to stop them.

Consider the novel manner in which spammers have gotten around the graphic of ornate letters and numbers that is used to defeat spambots and so ensure that the replier is a person: the graphic is trapped and sent to sites where visitors can gain access to erotic materials by entering the correct alphanumeric string, which the spammer then uses. With the meter running, Homo boobus translates one graphic after another to gain more access.

For the geeks among readers, go here and here for evidence of spambot evolution.

A discussion has commenced regarding the responsibility of a vendor such as Microsoft to insulate any and all users from such threats. It is interesting that some of the early SP2 XP flaws are seen as requiring "so much social engineering that holding Microsoft responsible was an 'unrealistic expectation.'" I do not think that the limit will hold for long, given the creativity of hackers and the propensity of Homo boobus to click on anything, and without that understanding, the responsibility discussion may not go far enough.

Secunia rates this flaw as "highly critical," its second-highest rating of vulnerability threats. I agree and believe that as apps become more robust, hackers will exploit this class sooner rather than later.

Earlier appearances of Homo boobus:

Drag-and-drop flaw mars Microsoft's latest update
By Robert Lemos
August 20, 2004, 1:04 PM PT

IE flaw under SP2: User’s problem or Microsoft’s?
Posted by david.berlind @ 9:18 am (PDT)
Monday, August 23 2004

The Fastest Man on Earth (Overview and Index)
Why Everything You Know About Murphy’s Law is Wrong
by Nick T. Spark and
Los Angeles, California

Online porn often leads high-tech way
By Jon Swartz
March 9, 2004

Gordon Housworth
