Case in point: social engineering

Nov 23, 2007 16:13 GMT

Microsoft has been beating the old drum of Windows Vista as the most secure Windows operating system on the market since it hit the shelves. Similarly, Mac OS X 10.5 Leopard, the successor of Mac OS X 10.4 Tiger, is applauded for carrying on the high standard for security that has become synonymous with the Apple brand. But at the same time, both operating systems are virtually impotent against social engineering, and there is little that Microsoft and Apple can do about it. Neither company can ship a patch or set up a mitigation against social engineering attacks, because social engineering exploits the end user rather than a vulnerability or a bug in the software.

"So where is the weak point in your network? I think there's a common expression used to describe it - the problem exists between keyboard and chair. Lately, more attacks have relied upon social engineering to infect users rather than automated exploitation of vulnerabilities in network services. Social engineering is nothing new, but the sophistication of some of these attacks has been increasing. Three prime examples of this come to mind," explained Marc Fossi, Symantec Security Response Engineer.

Fossi gave three examples of attacks in 2007 that focused on the users rather than on the software. The MPack kit was at the epicenter of attacks earlier this year, delivered through a steady stream of otherwise legitimate websites that had been compromised and modified to redirect visitors to a malicious server. Because the websites were genuinely legitimate, there was little to alert visitors to the foul play.

More recently, Alicia Keys's MySpace page was also hacked and modified to redirect visitors to a website selling fake security solutions. And while Windows remains the traditional target platform for attacks because of its ubiquity, malware authors have also started noticing the growing Mac OS X user base. Almost concomitantly with the launch of Leopard, a Trojan horse was offered to OS X users, masquerading as a codec.
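The first two examples share one mechanism: a page the visitor already trusts is altered so that it silently forwards the browser to an attacker-controlled host. A site owner or incident responder can look for exactly that kind of foreign redirect in their own pages. The scanner below is an added example for this article, not code from Symantec or any product named here; the hostnames (`legit-news.example`, `badhost.example`, `fake-av.example`) and both sample pages are constructed for illustration. It flags hidden off-site iframes, meta refreshes to other hosts, and inline script that assigns `location` to another host, which are the common shapes of an injected redirect; off-site `<script src>` references are reported separately because they are a legitimate pattern (CDNs) and only a lead for review.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class RedirectFinder(HTMLParser):
    """Collects redirect constructs in a page that point away from the site's own host."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []          # list of (kind, url)
        self._in_script = False

    def _off_site(self, url):
        # Relative URLs have no host and are treated as same-site; subdomains count as same-site.
        host = urlparse(url).hostname
        if not host:
            return False
        host = host.lower()
        return host != self.site_host and not host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            hidden = ("display:none" in style or "visibility:hidden" in style
                      or a.get("width") in ("0", "1") or a.get("height") in ("0", "1"))
            if hidden and self._off_site(a.get("src", "")):
                self.findings.append(("hidden-iframe", a["src"]))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", a.get("content", ""), re.I)
            if m and self._off_site(m.group(1)):
                self.findings.append(("meta-refresh", m.group(1)))
        elif tag == "script":
            self._in_script = True
            if self._off_site(a.get("src", "")):
                # Noisy on real sites (CDNs); kept as a separate category for review.
                self.findings.append(("external-script", a["src"]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inside <script>, HTMLParser hands us the raw source; look for location assignments.
        if self._in_script:
            for m in re.finditer(r"(?:location|location\.href)\s*=\s*['\"]([^'\"]+)['\"]", data):
                if self._off_site(m.group(1)):
                    self.findings.append(("js-redirect", m.group(1)))


def find_injected_redirects(html, site_host):
    """Return the off-site redirect constructs found in `html` for a site served from `site_host`."""
    parser = RedirectFinder(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample pages (not real sites): a clean one and one carrying injected redirects.
CLEAN_PAGE = """<html><head>
<script src="http://static.legit-news.example/app.js"></script>
</head><body>
<iframe src="/embed/video" width="640" height="360"></iframe>
</body></html>"""

COMPROMISED_PAGE = """<html><head>
<meta http-equiv="refresh" content="0; url=http://badhost.example/landing">
<script>if (document.cookie.indexOf('seen') < 0) { window.location.href = "http://fake-av.example/scan"; }</script>
</head><body>
<p>Welcome back to our site.</p>
<iframe src="http://badhost.example/in.php" width="1" height="1" style="display:none"></iframe>
</body></html>"""


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("compromised", COMPROMISED_PAGE)):
        print(name, find_injected_redirects(page, "legit-news.example"))
```

Run against a crawl of your own site, a non-empty result on a page you did not change is the cue to compare it with the copy in version control or the last known-good backup; the visitor, as the article notes, has no such reference point.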

"In all three of these examples, users were tricked by exploiting their trust or being presented with something they're used to seeing. Secure policies along with good endpoint and network security will protect users from most threats, but adding a good dose of knowledge and education is vital. If something seems suspicious there is probably good reason for it. While complete paranoia isn't the answer, neither is blind trust," Fossi revealed.