Charles Arthur On Technology

Consenting to be conned

So, there you are trawling a file-sharing network, looking perhaps for a favourite Simpsons episode, when you come across a promising-looking Windows Media Video (.wmv) file. Great. But when you double-click on it, you get a Windows box headed "License Acquisition", which says "Media Player Update". It goes on: "To help protect your security, Internet Explorer needs to install an ActiveX control on your computer." Then there's a couple of buttons: "Install" and "Don't Install". Assuming you have Windows XP SP2 installed - because you're taking security seriously - "Don't Install" will be the default. You have to choose to install it.

So, with your antivirus humming away in the background, you're confident you're protected - and that even if you make a mistake, the software you've chosen so carefully will act as a backstop. So what would you do? Most people, I'm sure, will happily click on "Install".

That's what the people who developed this spyware expect. For if you do click it, a piece of software will be installed that, rather than updating Windows Media Player, will throw up pornographic pop-up ads on your machine.

This exploit (which is discussed in great depth by Ed Bott on his blog at www.edbott.com/weblog/archives/000340.html) is a classic example of a new form of "social engineering" - which is a polite and upmarket term for "conning people". Social engineering is how a lot of malicious (and harmless) hacking gets done. Its essence is to get the targeted person to abandon caution in favour of a less complicated, or better-paid, existence. When that information box comes up in the situation above, you could follow the links to get a long, legal explanation of what will be installed on your computer. You could, but most people won't. It's too much hassle.

By the way, if you want to begin protecting yourself against such adware and spyware, Microsoft is now beta-testing its own anti-spyware product. First reports are good. Go to g.microsoft.com/mh_mshp/787 or look at "popular downloads" on the Microsoft front page.

But even the best anti-spyware product can't warn you when you're about to do something foolish. Social engineering is used most effectively by those who really do need your help, because they don't have the necessary powers or permissions to do the things they want to. The people behind those pop-up ads can't make their software appear on your computer; they have to get you to install it. Short of finding out where you live and burgling your house or stealing your post, someone who wants your bank details has to get you to hand them over. The technique is all around you on the net.

Before the net became so widespread, social engineering was a much more personal business. About 30 years ago, a journalist friend was challenged by the boss of a company to hack into its database, which he felt sure was impregnable. He gave her one week. On the first day, she came to the office clutching a stack of computer print-outs, asked to be shown to the computer room and stood outside looking helpless until someone let her in. She then sat at a spare terminal and asked aloud what the password for the day was. Someone replied. And so she won her bet.

Nowadays, the scammers are faceless, but the techniques much the same. The commonest example now is "phishing" scams, which masquerade as security warnings from banks or sites such as eBay saying that your account has been locked and so you must follow this link to verify your details. You're laughing. But lots of people, with millions in the bank, do.

More commonly, though, social engineering doesn't involve money directly; instead, our innate willingness to trust others, or to cut through what seems like red tape, is used in order to steal some of our resources. Many of the viruses which overwhelmed the net last year came as password-protected "zipped" files, because the virus-writers knew that anti-virus scanners can't look inside such files.

Now, how many legitimate password-protected file attachments have you received? I'd wager for most people it's zero. Yet by putting the password in the body of the e-mail, the virus-writers got tens of thousands of people to open the file and infect their own machines. The social engineering element worked. The latest example is a virus discovered on Monday that poses as a tsunami disaster donation plea: if you click on the attachment, your machine gets infected.

Similarly, many people have had their machines infected by pop-up generators and even software classed as a "worm" (which sends copies of itself to other machines) after receiving apparently legitimate e-mails with links to "screensaver download" or "greetings card" sites. Before the screensaver could be downloaded, or the card displayed, one had to accept a license agreement. You know the sort of thing, a million lines of verbose rubbish. And like the children desperate to get into Willy Wonka's Chocolate Factory, we just sign - or click - at the bottom so that we can get to the fun stuff. The sites touting those products could legitimately claim that nobody installed it without being told what would happen. At least, that's the legal position. But the social engineering aspect to it remains the same: get the person in charge of the computer to help you.

It's telling that one of the best hackers of the 1990s, Kevin Mitnick, was an expert in social engineering. As a teenager, he had little chance of pretending to be in charge; he had to manipulate his targets to get them to help him. His book, The Art of Deception, published in 2002, remains a classic description of many social engineering techniques. The title recalls a rather older classic, Sun Tzu's The Art of War. Arm yourself with the Mitnick book; it's still current. And try reading any license agreements you come across and ask yourself: do I know what I'm permitting these people to do to my machine?

* I'm going to hold off reviewing Apple's new Mac mini, announced last week, until I've managed to test one properly. If you can't wait to buy or order one, my advice is to get the most Ram, the faster processor, and the larger hard-drive if you can. Buy extra Ram in preference to the others

www.charlesarthur.com/blog