Some time ago I was reading about the counterfeit banknote detector pen. This pen writes in yellow on genuine money but in black or grey on fake money. So I thought: great, but doesn’t that mean that if a counterfeiter defeats the pen he will likely have an easier life laundering his fake money? A quick search on Google showed that this is in fact the case. Not only that, but I also came across a story where the con men were actually selling fake pens to shops and then laundering money in those same shops, knowing they would not be caught.
This brings us to today’s article, which is about trust. Trust can actually be the element that turns our security system into our own enemy. What happens when a user on a corporate network receives a suspicious email with a questionable attachment? Will he play it safe and delete it, or will he quickly open it, thinking that since it went through the corporate security system it must be harmless? What about the user who downloads a tool off the internet without worrying about its source? Will he worry that it might contain viruses or Trojans, knowing that his system is protected by the corporate anti-virus solution, or will he feel safe, believing the anti-virus will protect him from any possible malware?
Hopefully the answer to these questions is that people will still act responsibly, but alas, I think the truth is closer to the shopkeeper using his fake counterfeit detector pen: the pen says it is okay, so I don’t need to look closely at the banknote and verify the other security features built into money. This is yet another threat to security that one needs to keep in mind.
The problem doesn’t end there either. A lot of things can easily be spoofed: mobile numbers in text messages, telephone numbers on VoIP gateways, the From field of an email, hyperlinks and more. Each of these can make the target implicitly trust the source. Even those of us who work in security, do we ever check the route of an email? Or do we simply rely on the From field to decide who sent it? The only time we check the route of an email is when it looks suspicious. Worse still, people will most often trust the source more than the contents of the message. Suppose one were to receive a spoofed text message, made to look like it is coming from a spouse, saying something like: “Hey, a friend of mine is coming to collect the $200 I owe him, please give it to him as I will be busy in a meeting; I will obviously pay you back. I will contact you later when I finish, as I need to run right now.” There is a good chance such a scam will work easily. Would it work just as well if the same message came from an unknown number? Most likely not, but why? It’s the same message, isn’t it? The reason is that in the first instance we trust the source, so we automatically trust the message.
Mitigating these scenarios is not easy. The case where employees trust too much in the corporate malware protection could be mitigated using policy and education, but some will still believe that since they are protected by an anti-virus they can safely run whatever they want, knowing the anti-virus will protect them. From a systems point of view, the best option is probably not to rely on any one system. Having multiple anti-virus engines can help mitigate the problem a little, but even employing this doesn’t guarantee 100% security; obviously nothing really does.
The second scenario is even worse. Mitigating social engineering attacks that effectively make the target believe they are coming from a legitimate, trustworthy source is even more difficult. Unless the message is very suspicious, it is very likely to have the effect the attacker intended. There is no effective way to protect against it either. The only option is educating users that these fields can easily be manipulated, and that if a message says it is coming from person X, this is not necessarily so. As a technology solution, the only option I can think of is perhaps disallowing inbound emails that carry the local domain in their From field, but this might have a detrimental effect, since such an email may be legitimate, sent by an employee from his laptop while offsite. There is no solution, and education is most likely the only effective weapon.
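The two checks touched on above, looking at an email’s route rather than only its From field, and treating inbound mail whose From domain is our own as suspect, as an added Python example (my code, not from the original post). It reads the Received header that our own MX wrote to see which host handed the message over, and, to address the offsite-employee caveat, allow-lists the organisation’s own submission relay; the domain and host names are assumed placeholders, and the two sample messages are constructed.

```python
import email
import re
from email import policy
from email.utils import parseaddr

LOCAL_DOMAIN = "example.com"            # assumed: the organisation's own domain
GATEWAYS = {"mx1.example.com"}          # assumed: our inbound MX hosts
OWN_RELAYS = {"vpn-mail.example.com"}   # assumed: our submission relay for offsite staff

HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE | re.DOTALL)

def parse_hops(msg):
    """Yield (from_host, by_host) per Received: header, newest hop first."""
    for value in msg.get_all("Received") or []:
        m = HOP_RE.search(" ".join(str(value).split()))
        if m:
            yield m.group(1).lower(), m.group(2).lower()

def peer_at_gateway(msg):
    """Host that handed the message to our MX, per the Received: line our MX wrote."""
    for from_host, by_host in parse_hops(msg):
        if by_host in GATEWAYS:
            return from_host
    return None

def classify(raw):
    """Return (verdict, reason) for one raw RFC 5322 message; verdict is 'ok' or 'suspect'."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(msg.get("From", ""))
    if addr.rpartition("@")[2].lower() != LOCAL_DOMAIN:
        return "ok", "From: is not our domain; this check does not apply"
    peer = peer_at_gateway(msg)
    if peer is None:
        return "suspect", "local From: but no Received: line written by our MX"
    if peer in OWN_RELAYS:
        return "ok", f"local From: handed over by our own relay {peer}"
    return "suspect", f"local From: but delivered to our MX by {peer}"

# Constructed sample messages (not real traffic); the newest Received: line is on top.
SPOOFED = """\
Received: from mail.outside.invalid (203.0.113.5) by mx1.example.com with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000
From: "Finance" <finance@example.com>
"""
OFFSITE_STAFF = """\
Received: from vpn-mail.example.com (192.0.2.10) by mx1.example.com with ESMTP; Mon, 1 Jan 2024 10:01:00 +0000
Received: from laptop.example.com (10.8.0.12) by vpn-mail.example.com with ESMTPSA; Mon, 1 Jan 2024 10:00:59 +0000
From: alice@example.com
"""
```

Run on a real mailbox the gateway set must list every MX that writes the first Received header, or legitimate mail is flagged.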