Threat Geek

Regular readers of this blog may have noticed the occasional appearance of "Aunt Susie." She's my model for the ordinary mortal, one of the two billion Internet users who don't happen to be IT security experts. 

One of the people who typifies my experience of Aunt Susie called me while I was on vacation last week (hey, did I miss anything?). Someone from Microsoft was on the phone, she said, and had scary things to say about a botnet infection allegedly involving her computer. (It's a well-documented scam: they get you to open the Windows "eventvwr" log display application, show you some cryptic, scary-looking errors, get you to install a remote access application so they can "fix" the "problems," and then they pwn you.) My friend literally had the scammer in one ear and me in the other as I advised her on how to handle the call. Eventually at my urging she reverted to a broken record: "tell me how to get back in touch with you and I might call you back." Above all what surprised me about the encounter was the persistence of the scammer (25 minutes!), even after knowing that his target had phoned a skeptical friend. She told me that the background noise sounded like a call center. How many people are out there dialing for dollars like this?

Lots, in fact. After the call was over I related this story to the folks I was traveling with. One reported that her mom had recently been targeted in the very same way. This, together with the volume of comments to the story linked above, suggests a staggering number of targets. In the same way that spam e-mail arose as a cost effective way to make money (most people don't bite, but you can cheaply cast a wide net with gadzillions of e-mails), this scam is made cost effective by the fact that you can staff up an overseas call center with squads of affordable, English-speaking "support reps" equipped with robodialing and VoIP technologies that cost a minuscule fraction of the long distance bills that would have made such a model unworkable just a few years ago. 

What makes this problem more challenging? How can we improve Aunt Susie's lot?

Computers are still intimidating, mysterious black boxes to most of the people who use them. Can the computing experience ever be friendly and secure enough that error logs like those in the Windows Event Viewer or the OSX Console are less amenable to being exploited by an attack like this? Or is there no escape to the sentiment expressed in the T-Shirt we see year after year at hacker conferences? "Social Engineering Expert/Because there is no patch for human stupidity." 

I have a colleague who feels strongly that Aunt Susie simply shouldn't be permitted to operate a general purpose PC as a privileged user without "adult" supervision.  iPads and Gatekeeper equipped Macs for them only, I suppose (or maybe just i-Openers?) . My colleague, quite naturally, would expect to be exempt from such draconian restrictions: I smirk to wonder if he ever disables DEP on his Windows boxes.

It's helpful that Microsoft has a page about this sort of scam. There's some good general guidance reminding folks that Microsoft doesn't go around calling customers and asking for their credit card numbers. On the other hand, the very same page makes reference to the fact that Microsoft has, in fact, contacted customers directly during campaigns to take down botnets when warranted. How is Aunt Susie to know for sure when it's Microsoft on the line and not a scammer? Microsoft misses an opportunity to provide clearer guidance on how to authenticate a genuine Microsoft representative (an admittedly sticky wicket, but I'll wager they have enough smart folks on hand to work something out). 

And the "let me call you back" approach we eventually took is no guarantee of a solution either: they may give you a toll number to call back and simply linger on the phone with you while you unwittingly pay them handsomely for the privilege. 

Aside from improving on the basics (better user awareness, better endpoint vulnerability management, more robust trust relationships) I don't know if there's a solution to the challenge of keeping Aunt Susie safer on the Internet. But I do believe the task of finding it is an important one even if there is no way to keep an epic hack like the one involving Mat Honan from ever happening again. We expend significant resources in the development and deployment of technologies and processes for defending corporations against smart teams of foreign adversaries; why not do more to help their employees at home?    

-Will Irace