I’ve written before about social engineering as a method of subverting network security. This is a tactic that relies on weaknesses in people rather than weaknesses in the technology. Many times when I’m conducting security audits, I find it much easier to socially engineer my way in than it is to try to get through a firewall.
McAfee’s Avert Labs uncovered a fascinating piece of social engineering and blogged about it in early March. They received an email with an attachment that was a suspicious CHM file containing nineteen photos from a National Geographic article by Tolstoy Ilia, titled “Across Tibet from India to China.” They also received another CHM file containing images of Tsering Chungtak, who was crowned Miss Tibet 2006.
From the McAfee blog:
Just to clarify: a CHM file is a compiled and compressed Microsoft HTML Help file that can contain formatted text but also documents, scripts and executable files. When a CHM file is opened, the HTML Help viewer, called hh.exe and located in the Windows directory, extracts the compressed files and executes them; that’s why CHM files are sometimes used maliciously.
The entry goes on to describe that the CHM file plants a Trojan which captures usernames and passwords and reports them to a server located somewhere on the ‘net. Bad, bad stuff.
One simple way around this is to keep a tip in mind – if someone is sending you photos, then they should be in a photo format like jpg or gif. There is no reason photos should be in a Word or PowerPoint document, let alone a zip, exe or chm. If you don’t know what it is, then don’t open it. There are other places to see photos from Tibet.
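The tip above, turned into a mail-gateway attachment check, as an added example that is not code from the original post or from McAfee. It inspects both the declared extension and the leading bytes (the ITSF signature marks a CHM container), so a CHM renamed to look like a photo is still refused. The sample attachments are constructed, not files from the incident.

```python
import os
from typing import Tuple

# Leading bytes that identify each format. "ITSF" is the signature of the
# ITSS container that .chm files use; the rest are common image/archive/exe headers.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"PK\x03\x04", "zip"),
    (b"\xff\xd8\xff", "jpg"),
    (b"ITSF", "chm"),
    (b"MZ", "exe"),
]
PHOTO_TYPES = {"jpg", "gif", "png"}

def sniff_type(data: bytes) -> str:
    """Report what the attachment really is, based on its first bytes."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"

def assess_photo_attachment(filename: str, data: bytes) -> Tuple[str, str]:
    """Apply the post's rule to one attachment: photos must arrive in a photo
    format, and the extension must match what the bytes actually are."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    claimed = "jpg" if ext == "jpeg" else ext
    actual = sniff_type(data)
    if claimed not in PHOTO_TYPES:
        return "block", f"extension .{ext} is not a photo format"
    if actual not in PHOTO_TYPES:
        return "block", f"content is {actual}, not a photo"
    if actual != claimed:
        return "block", f"extension .{ext} does not match {actual} content"
    return "allow", f"{actual} image with matching extension"

# Constructed sample attachments (not real files from the incident).
SAMPLES = {
    "tibet_01.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,            # genuine JPEG
    "across_tibet.chm": b"ITSF\x03\x00\x00\x00" + b"\x00" * 8,     # CHM as sent
    "miss_tibet_2006.jpg": b"ITSF\x03\x00\x00\x00" + b"\x00" * 8,  # CHM renamed
    "photos.doc": b"\xd0\xcf\x11\xe0" + b"\x00" * 12,              # not a photo
}

def blocked_attachments(samples=SAMPLES) -> dict:
    """Return {filename: reason} for every attachment the rule refuses."""
    results = {name: assess_photo_attachment(name, data) for name, data in samples.items()}
    return {name: why for name, (verdict, why) in results.items() if verdict == "block"}
```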
The good news is that social engineering can be beaten. Users can be educated (really, they can!) and taught not to download attachments from strangers. You don’t take candy from strangers, so why attachments? Don’t visit suspicious sites on the web and don’t give away any personally identifying information. Never. No one will ever ask for your password legitimately, so don’t give it out. If you have to do risky things, then do them at home where you are only endangering yourself and not the business.
Education can go a long way towards preventing security leaks. Talk to your users. Monitor their activity and point out their dangerous actions to them. Explain the risks to them.
Yes, photos of Tibet are worth looking at, but not when they require downloading an attachment from a stranger. That’s one of the cardinal sins of safe computing.