Stupid is as stupid does.” Thats what my mama always said to me.
One example of folks who werent being too smart about their computers happened over there in London not too long ago. These fellas from an IT training group called The Training Camp decided to do a test to see if people there were being smart about computer security.
People from The Training Camp handed out what they were callin Valentines Day CDs. They passed these silvery discs to workers as they headed into their offices in the morning.
These CD thingies werent really no Valentines. The Training Camp fellas were using them to see if any of these fancy-pants people with the funny accents would be daffy enough to stick a CD from a stranger into their PCs. Sure enough, a whole bunch of these London workers went ahead and stuck these CDs into their computers at work, including some folks at banks and other such places.
Now, these people definitely werent being smart about security. They shoulda known that you dont take a CD from a stranger and just load it into a PC—at work or at home.
But the stupidness aint just on the side of the workers. Their employers werent being too smart, either. After all, if theyd been listening to some of the nice folks over at eWeek Labs, theyda known that they shoulda been—what they call it?—lockin down their employee computers so they couldnt just load software from any ol CD or even download it off that there info highway.
While Im sure those companies werent too happy with their employees loadin those outside CDs, they should probably be careful bout who theyre callin stupid.
Course, while a lot of those security-type problems can be avoided by people being just a tiny bit smarter about how they use their computers, e-mail and the Internet, some of those bad seeds out there are gettin smarter about how they try to trick folks. So even those who aint being too dumb can be fooled into clickin on the wrong sites and givin up their credit cards numbers and other info.
Take the case of this phishing trick that came up not too long ago. Naw, I aint talking bout when you grab your pole and some crawlers and try to catch some catfish. Im talking bout this Internet thing where bad guys try to make an e-mail and a Web site look just like one from a real-live bank or credit card company.
As the smart fellas over at The SANS Institute tell it (isc.sans.org/diary.php?storyid=1118), some pretty smart bad guys came up with a phishing attack that would trick even a lot of really smart Internet-using folks.
These bad phishers made the e-mail look like it knew some folks credit card numbers, so it looked all personallike. Even worse, they were able to trick the company that makes secure Web site technology into making their fake site look legit to users Web browsin tools.
It wouldnt be quite right to call folks who fell for this kind of trickery stupid. Lots of people who followed all the advice from the smart security people would still end up gettin tricked by this here scam.
Course, there are ways to tell that this phishing e-mail aint quite right. The biggest is that it dont have the users name there in the e-mail—it just says, “Dear customer.” Now, anyone who gets these e-mail letters from banks and such knows that they always use your real name in the part that says hello. (Whats that called? The salutation?)
With any e-mail like this, if it aint usin your name upfront, then something might be up with that there e-mail. (Although its probably only a matter of time till some smart bad guy comes up with a way to put the names in a phishing letter.)
So, remember, theres a whole lotta different types of stupid out there. Sometimes users dont do the smart thing. Sometimes the companies arent bein smart enough to protect against users who are being kinda dumb. And, sometimes, the bad guys are so slick they can trip up folks who are doin their best to be smart.
Labs Director Jim Rapoza can be reached at [email protected]