Lessons from spyware: Social engineering takes advantage of human nature As distractions go, there’s nothing like the first good head cold of the season to take the wind out of one’s sails. I’ve been huffing VapoRub for so many days that I’m approaching the point of substance dependency. Although the reduced flow of oxygen to my brain is making me feel a little dopey, I haven’t taken complete leave of my senses.So when I read a Gartner representative’s claims that social engineering is more of an IT security threat than traditional cracking and hacking, all I could do was nod my head and agree. That’s because I’ve been taking a good look at the spam in my inboxes.Most of this stuff is trying to get me to click on a link or open an attachment and assumes that I’m either greedy or gullible enough to disregard the consequences. Some of these traps don’t even bother to disguise themselves. Not that it’s necessary — I bet that more than a few people would click on a link that clearly states they’re headed to “Iwill0wnyoursystem.com” if a free iPod, Rolex, or Viagra sample was offered up. I had an upfront view of this behavior last weekend as I was preparing a laptop for an install of Windows XP Service Pack 2. The machine in question belongs to a college student who works in my lab during the summer, playing Jim Fowler to my Marlon Perkins. In other words, he wrestles alligators while I sit in the tent drinking Scotch and complaining about the heat.Having flushed out the tracking cookies and other spyware that had accumulated during the first months of the school year, we found ourselves in an online chat with Dell support, seeking a BIOS password. Long story short, that wasn’t going to happen until Monday; Jim decided to catch up on e-mail, download some homework, and play a few games.Therein lies the rub. I’m not too sure of the provenance of some of the games he plays because, after sorting out the BIOS issue on Monday, I launched a grand final spyware sweep and found a bunch of stuff that could only have appeared on the system during the few hours Jim was using it. Whatever the intentions were, somebody’s infiltration plan proved effective. The solution to social-engineering attacks is not to blame the user; after all, acquisitiveness and curiosity are two characteristics that define the human being. The smarter move is to mitigate the potential damage. Virtual systems are one way to sandbox the problem user — or more precisely, problem code — but they’re not always practical solutions. One thing I know for sure: Human nature is one problem technology can’t fix. SecurityMalwareCareers