Information Security News mailing list archives

Why E-Mail Trojans Work So Well - The "Homer Simpson Syndrome"


From: William Knowles <wk () C4I ORG>
Date: Mon, 8 May 2000 09:11:12 -0500

Forwarded by: Richard F. Forno <rforno () taoiw org>


Why E-Mail Trojans Work So Well - The "Homer Simpson Syndrome"

Richard F. Forno rforno () taoiw org

Essay 2000-03

5 May 2000

It's been rather busy at the office these days, and as a result, this
will be a very short commentary. I will not go into a lengthy
discourse about why having one giant software company's
excruciatingly-insecure e-mail software running (or disrupting) our
world organizations is a bad thing. I will not go into details about
why Visual Basic Scripts are a very bad thing for IT staff, and I will
not go into details about why in God's name we as seasoned computer
professionals continue to march like lemmings towards a single-source
IT environment that is proven time and again to be unstable, insecure,
and as we've seen all-too-often, very easy to exploit for malicious
purposes.

Outside of mass chaos, the result of these ILOVEYOU events makes the
security vendors smile as their stock prices rise while they scramble
to sell and deploy knee-jerk "solutions" to futilely attempt to
correct what I believe is a fundamental and technology-enhanced flaw
in the human condition.

Having said that...

Let me ask a simple question. Do you receive tons of unsolicited
postal mail every year? I am talking about stuff ranging from
un-marked white envelopes addressed to "Resident" to the jazzy "You've
Been Pre-Approved!" credit card letters to the infamous Publishers'
Sweepstakes entry forms with all the flourishes and pomp of a
well-deserved certificate of achievement. How many of these envelopes
do you open when you receive them? I often tear them up and toss them
in the trash. As far as I am concerned, most of the people and
organizations that I want to correspond with provide me full names and
addresses on the envelope, and don't try to trick me into opening the
envelope through clever logos, messages, or official-looking (but
totally bogus) stamps, seals, or stickers.

Let me ask another question. Didn't our parents tell us not to talk to
strangers? So, why are we doing the exact opposite in cyberspace? We
get a message from someone we may or may not know claiming that the
SENDER LOVES YOU. Okaaaaay...if it's from someone I know in my office,
why didn't they engage me in small-talk in the hallway, cast a playful
eye in the kitchen, or 'accidentally' bump into me at the last holiday
party? Why would this person choose to send me an email message saying
they love me when it is such a cold, impersonal medium to get a
romantic point across? And, if this note came from someone I have
never heard of, why should I give it more than a passing glance as I
push the "delete" key as I scan the subject line? Why should I have
the need to open the message to see what else this person is talking
about? Sadly, my experience as an IT professional is that people
assume the glare of the monitor in front of them somehow 'protects'
them from falling victim to cyber-pranks like Melissa or ILOVEYOU.
Given that assumption, the human brain slowly shuts its common-sense
areas off to conserve bandwidth. The end results are evident in the
Melissa, RingZero, ILOVEYOU, and the Next Great E-Mail Incident. I
dread how quickly this next Incident will travel - ILOVEYOU spread
around the world like wildfire, and made our current benchmark for
incident response - the Morris Worm - look like a kindergarten prank.

Don't our systems administrators repeatedly tell us to never, EVER open
e-mail attachments from folks we don't know or are not expecting? But
we do. We want to see what's inside that this person sent to us. As
humans, we all love to get mail - it makes us feel important and not
as ordinary and insignificant as we really are in the Grand Scheme of
The World. So, we click the attachment and open/run/execute the latest
Visual Basic Script and watch out -- some very great/weird/odd (insert
your adjective here) things or events soon follow, often with
catastrophic results.

Given that, I must concede that the average computer user is a lot
like the FOX cartoon character Homer Simpson. I mean, we all KNOW not
to talk to strangers. We are WARNED almost weekly by our IT staff and
the media not to open e-mail attachments we are not expecting, not to
download programs from the Internet before scanning them for virii,
never plug modems into networks behind the firewall...and we fully
UNDERSTAND why such actions are bad for us. But we still do it. This
brings to mind the classic Simpsons episode where Homer - slouched on
his couch watching television - keeps trying to eat a potato chip.
Every time he raises his hand to his mouth, a dog snatches the chip
from him; Homer boorishly exclaims "doh!" and tries again. Rather than
stand or move to a place where the dog cannot get to him to steal the
chip (e.g., learn from the errors in the procedure by which he eats his
chips), he complacently stays on his sofa and keeps trying to ("doh!") keep
the ("doh!") chip away from the ("doh!") dog but the ("doh!") dog
keeps snatching the ("doh!") chip from poor Homer's hands until the
box of chips is empty.

Like Homer and the dog, we will never be able to easily facilitate a
change in our ways, even on the side of caution, since such change is
often inconvenient, uncomfortable and often requires us to THINK. We
still ride (not walk) our bikes across the busy intersection, run with
scissors, and eat our meals too quickly. Software "features" aside, we
will continue to have ILOVEYOU-types of events because as people we
want to read the next email sent to us...it makes us feel "needed" in
this allegedly "protective" world behind our monitor's addictive
glare. It's in our nature to strive toward community interaction -
often without a second thought. And that will be our technological
undoing.


Article (c) 2000 Richard Forno. All Rights Reserved. Author and Book
Information available at www.infowarrior.org. Contact the author at
rforno () taoiw org. Reference to Homer and The Simpsons (c) by FOX.
