We Have Met the Enemy, and It Is Us

You are your enemy.



The “internal threat” to a company used to be a disgruntled employee. Fire someone with technical knowledge, and watch out.

Now you have to be equally worried about the well-meaning, trusted and too-trusting employee.

“Social engineering” now takes place on users’ screens. No more sweet-talking office workers for their passwords.

The on-screen approach is to send a piece of e-mail that looks like it comes from your company’s help desk. “If you don’t update your user name and password, your e-mail privileges will be discontinued,” it might say; a message sent to workers for the San Francisco Giants threatened to revoke privileges because of alleged “improper use” of e-mail. You’re the miscreant, unless you prove otherwise.

You open the e-mail, click on a link that takes you to a Web page that looks remarkably official, and bang, it’s over. You unleash and pass along a virus in the process. Your identity gets used for someone to send personal e-mail to scores of trusting, unsuspecting souls.

The tactic, generally known as phishing, is getting more sophisticated, says Bill Schlough, vice president and chief information officer of the Giants. A couple of months ago, he saw an e-mail come in that asked his crew to install a network security patch. The message looked like it came from Microsoft. And it even took the user to Microsoft’s home page—before popping up its own window.

Thankfully, Schlough has antivirus software in place and has added fraudulence detection software from MailFrontier. The Giants’ systems automatically scan all incoming e-mail for attachments that can be self-launching, such as .exe files, and strip them away before they get to a recipient.

But one sleepy soul can undo all that. MailFrontier even maintains a Phishing Index, which calculates how often individuals get duped. The index watches what happens when users review what’s in a “junk” folder. If they press the “unjunk” button on a piece of fraudulent mail, a dupe has taken place. CEO Pavni Diwanji says the best digital deceptions will fool one in 10 users.

That’s way too many. “It only takes one [dupe] to keep these guys in business,” says Schlough.

Such “enterprise fraud” is escalating, including programs that don’t even bear the imprint of viruses or spam. You may call them “spyware.” This stuff watches what you do, for the benefit of marketers. It was pioneered by the folks who brought you file-sharing services. There really is no such thing as free music.

Spyware isn’t just watching what Web sites you surf. What miscreants want to do is log your keystrokes. Imagine what happens if your assistant treasurer gets an official-looking e-mail purporting to be from your company’s technology department. What if he’s told his network access is going to get cut off if he doesn’t immediately update his log-in information? And it’s the close of the month, when he’s trying to get sales figures finalized?

All of a sudden, access to strategic documents and financial files is given away. Think it can’t happen? Think espionage isn’t already happening this way? Think again.

A 25-year-old consultant was arrested about a year ago for having installed keystroke-logging software on computers in 13 Kinko’s, grabbing personal information from 450 victims, reminds Tim Sheahan of Webroot Software. Last October, a hacker took advantage via e-mail of the developer at Valve Software who was working on Half-Life 2, the follow-up to its popular interactive game. Keystroke recorders captured enough code that the release of the game was delayed until April so a third of the program could be rewritten. Arrests in the case were finally made last month. Half-Life 2 has still to make it to market.

So, load up on protective software. Think this way: Everyone is on your technology staff as of today. Everyone has to be trained in fraud detection and prevention.

The level of around-the-clock skepticism has to be raised. It’s your project to see that no unsuspecting soul is left in your company. Anywhere.