Getting tricked into playing social roulette

Some years ago, I saw a film called 13 in which the plot was essentially a Russian roulette tournament in which the last man standing takes a load of cash.

There was a reason why the desperate men in 13 took a chance and pulled the trigger -- they needed the prize money.

Imagine there’s no such award on offer, but lots of people unknowingly accept a gun and pull the trigger without realising.

You couldn't convince people to do it, but in cyber attacks, miscreants use social engineering to thwart unwitting people every day.

The nirvana for digital miscreants is to automatically compromise machines in large numbers without engaging users. That way the chance of detection is less and the success rate tends to be higher.

But if a user’s interaction is required to infect their machine, that's not so much a problem because many users will happily execute any old code at the click of a mouse.

Take the Masque Attack bug in iOS that permits attackers to replace existing, genuine apps with their own data stealing malware - it relies on people being tricked into installing what they think is legitimate software.

This week, Kaspersky detailed the "Darkhotel" spying campaign. Allegedly a Korean development, Darkhotel targets corporate executives staying in expensive hotels.

The group relies on social engineering by injecting a backdoor onto the travellers' systems via a compromised wi-fi network - people are asked to download a welcome package for the hotel, which in turn gives attackers access to their systems for further information stealing and malware infection.

Businesses of all kinds are threatened by social engineering-delivered malware. Pizza Hut franchisees' point of sales systems were infected with the ZeroAccess rootkit for a year before being eradicated. ZeroAccess is spread mainly through social engineering, and in some cases, by asking users to click on advertisements.

These are timely reminders of the power of social engineering, which continues to trick people into harming their work and personal computers.

Social engineering is hard to defend against, as it relies on users thinking their behaviour is safe, and trusting IT.  

This expansive trust can result in people clicking away warnings which they don't understand - or on the flip side, to actively attempt to figure out how to bypass system restrictions applied by administrators.

In some locked-down environments employees will find a workaround. That makes sense - if people are hired to do a job, and your security solutions get in the way, guess which one takes precedence?

Don't assume your users are stupid because they fall for the tricks. Sure, some attempts are painfully obvious and you're left wondering why so many people walked into the trap with their eyes open.

However, IT isn't always users' core competency, nor is professional paranoia and security. Don't expect them to figure out what's bad and what isn't, especially when the phishing email could be disguised as instructions from superiors.

When a supposedly skilled geek like Gottfrid "Anakata" Warg, one of The Pirate Bay founders, ended up with a three and a half year prison sentence because someone allegedly accessed his computer and used it as a springboard for a hacking spree, then what chance do normal users have of filtering out the nasties that are planted by seemingly trustworthy sources?

Countless guides from security vendors and consultants have been written on the topic. Many are from years back, but despite the good advice, social engineering today remains a massive threat.

I did hear of one unique solution - the local office of a large software vendor that shall remain nameless had a strict policy of making people fix the problem on their own systems.

That is, if you walked into a mess, it was your job to reimage the machine in question. Doesn't matter if it had to be done after hours or over the weekend, you did nothing else until the system was cleaned up.

After a few cases of detect and repair, there was an atmosphere of being careful and listening to the sage advice on passwords and operational security from the IT staffers.

I'm not saying this is the right approach for all organisations, especially ones with less techie users, but people tend to be responsive to and keen to get rid of things that stop them doing their work. 

Oh, and as for 13... don't bother. It was just depressing.