War Games is 25 years old...

War Games the movie (http://www.imdb.com/title/tt0086567/) is 25 years old this year!  Remember that movie?  It was released in 1983, but its lessons are more relevant today than they were then.  If you haven't seen it, I think you will appreciate the lessons it offers.  It stars Matthew Broderick as a high school student, and co-stars Ally Sheedy as his classmate.  It's interesting to see that things identified as risks 25 years ago are still significant risks today.  So you're thinking... "War dialing nowadays?  I removed the modems from my machines long ago because of the Internet."  But these days, dial-up modems have been replaced by cable and DSL modems and the network card.  Now our computers are always "online".  Yes, there are scanners that scan the Internet for vulnerable machines.  If you don't have a firewall on your local machine and you are connected directly to the Internet, you're just asking for trouble.  For this discussion, I'm more focused on the social engineering aspect of the movie.  Matthew Broderick was a high school student who didn't have to work hard for his grades because he could break into the school mainframe and change them whenever he wanted.  This is the piece of the movie that is still just as relevant today as it was then.

Here's my point:  In the movie, Matthew Broderick knew where the secretaries kept their current computer passwords.  With these passwords, he had access to his grades anytime he wanted them.  Twenty-five years ago this movie demonstrated the risks of writing down your passwords.  How many passwords are our people still writing down today?  He was also able to purchase airline tickets without paying for them.  Why?  Because he figured out how the people using these systems could be manipulated into sharing information that they should not be sharing. 

I went to college with a person who scammed the phone company out of hundreds of dollars in overseas long distance charges just by socially engineering the international operators!  No one knew anything about what he was doing until after he was caught by the phone company, and at that time, the phone company was more interested in understanding how he took advantage of their system than in punishing him.  The phone company interviewed him to learn how he was exploiting their people so they could educate their people (security awareness?) to prevent that type of deception again.  He told me that he took advantage of the phone company by talking nicely to each operator he spoke to.  Since he was making an international operator-assisted call, he had to talk to multiple operators to connect his call.  As each operator would ask for payment, he would tell them that he had paid the last operator, and they would take his word for it.  They trusted him.  The same principle applies today.  How do we win someone's trust and cause them to share information with us that they shouldn't be sharing?  These days, the malicious users have been able to automate a lot of these social engineering attacks.  Phishing (pronounced "fishing") is a form of social engineering.  It makes you think that someone you trust is asking you for information that you think they need.  A good example is the emails that tell you your logon information for your bank account has been compromised.  Your account wasn't really compromised, but once you click on the link they provide and "change" your information, the bad guys now do have your account information.

Back to the movie: as it progresses, Matthew Broderick demonstrates the skills needed to socially engineer any target he desires.  Later in the movie he researches personal information about the developer of a confidential computer system just so he can figure out the back door to that computer.  Twenty-five years ago we were talking about back doors and how attackers could learn more about their potential victims in an attempt to steal additional information.  That was twenty-five years ago, and we still have people dumpster diving, researching our personal history, and trying to trick us into disclosing personal information about ourselves.  Of course these tactics are still working!  If they weren't, do you think so many malicious people would still be using them?  The malicious technology has become "smarter"; the new attacks are coming in the form of phishing, spear phishing and even e-mail hoaxes as a way to separate us from our private information.  We, as computer professionals, must continue to educate our users about these risks and how they can reduce their exposure.

I'm not saying that all of our users have to be security experts, but we MUST ensure that people are educated well enough to fend off these social engineering attacks.  What is social engineering?  Here is a link on Microsoft.com that does a pretty good job of describing it: http://www.microsoft.com/protect/yourself/phishing/engineering.mspx.  This article discusses phishing, spear phishing, and e-mail hoaxes.  The link also includes information about some of our solutions that will help deter these types of attacks, but we can only go so far with technology.  We must continue to educate our user community.

People, Process, and Technology.  It takes focused effort in all three areas to ensure we protect what needs to be protected.  I'm not advocating a computer certification before a user is allowed to use a computer, but we must find a happy medium.  A computer is a tool; look at how many tools and other skill sets encourage or even require some level of training or certification.  Back to the movie; I agree this is a bit of a stretch, but in the movie, Matthew Broderick almost starts World War III because of his quest to hack into a computer to learn about a new computer game.  He could have killed more people than any handgun.  These days you have to have a background check before you can buy a gun, but a computer could be capable of doing more harm than a single gun...  Right?  Like I said, I agree this is an extreme, but it is something we need to be conscious of.

I believe that there are subtle things we in this industry can do to incrementally educate our users about security awareness.  I've been asked to talk about the new version of SBS at a computer conference later this summer.  As I described my background, I told the organizer that no matter what subjects he wants me to discuss, I'll find a way of weaving some level of security into the content.  I'm not trying to "brainwash" anyone, but I feel that we need to keep security, and especially social engineering, as a part of all discussions.

Security is a passion for me.  It's not about selling products, it's about ensuring that your private information stays private unless you choose otherwise.  If you have any questions, or need some help raising the security awareness of your user community, please feel free to ping me and we'll see what we can put together.

Until next time!

Rob

Published Tuesday, August 05, 2008 5:41 PM by rwagg
