The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick
Shortly before I began writing the spyware story in this book, the person who receives email for me (because I’m not allowed to use the Internet) found a spam email message advertising a group of spyware products. One of the items offered was described like this:
FAVORITE! MUST HAVE: This powerful monitoring and spy program secretly captures all keystrokes and the time and title of all active windows to a text file, while running hidden in the background. Logs can be encrypted and automatically sent to a specified email address, or just recorded on the hard drive. Access to the program is password protected and it can be hidden from the CTRL+ALT+DEL menu.
Use it to monitor typed URLs, chat sessions, emails and many other things (even passwords ;-)).
Install without detection on ANY PC and email yourself the logs!!!!!!
Antivirus Gap?
Antivirus software doesn’t detect commercial spyware, thereby treating the software as not malicious even though the intent is to spy on other people. So the computer equivalent of wiretapping goes unnoticed, creating the risk that each of us might be under illegal surveillance at any time. Of course, the antivirus software manufacturers may argue that spyware can be used for legitimate purposes, and therefore should not be treated as malicious. But certain tools once used by the hacking community, which are now being freely distributed or sold as security-related software, are nonetheless treated as malicious code. There’s a double standard here, and I’m left wondering why.
Another item offered in the same email promised to capture screen shots of the user’s computer, just like having a video camera looking over his shoulder. Some of these software products do not even require physical access to the victim’s computer. Just install and configure the application remotely, and you have an instant computer wiretap! The FBI must love technology.
With spyware so readily available, your enterprise needs to establish two levels of protection. You should install spyware-detection software such as SpyCop (available from www.spycop.com) on all workstations, and you should require that employees initiate periodic scans. In addition, you must train employees against the danger of being deceived into downloading a program, or opening an email attachment that could install malicious software.
In addition to preventing spyware from being installed while an employee is away from his desk for a coffee break, lunch, or a meeting, a policy mandating that all employees lock their computer systems with a screen saver password or similar method will substantially mitigate the risk of an unauthorized person being able to access a worker’s computer. No one slipping into the person’s cubicle or office will be able to access any of their files, read their email, or install spyware or other malicious software. The resources necessary to enable the screensaver password are nil, and the benefit of protecting employee workstations is substantial. The cost-benefit analysis in this circumstance should be a no-brainer.
Chapter 13
Clever Cons
By now you’ve figured out that when a stranger calls with a request for sensitive information or something that could be of value to an attacker, the person receiving the call must be trained to get the caller’s phone number, and call back to verify that the person is really who he claims to be—a company employee, or an employee of a business partner, or a