Melissa: Have We Learned Anything Yet?
Over the past few weeks Melissa replaced
Monica in the news headlines. Reports on network news programs containing
factual errors had some people afraid to open their e-mail, even people
who did not have Microsoft Word! E-mail backed up at mail gateways of large
and small corporations as content screening was initiated or e-mail gateways
were simply turned off.
What have we learned? What can we learn?
First, we have to remember, "It has all been done before. There is nothing
new under the sun." These words, written by King Solomon, quoted by many
including Sherlock Holmes (in A STUDY IN SCARLET), restate a truism of
network and computer security.
This was true in the case of Melissa.
Did we know that Microsoft Word had the ability to interpret Visual Basic
programs? Yes. Did we know that programs could open, read, and close files
on the local disk? Yes. Did we know that it was easy to do these things?
Yes. Did we suspect that in its zeal to provide powerful tools to users,
Microsoft might have overlooked some security mechanisms? Well… yes.
Although we did not learn anything
new in these areas, there are some interesting aspects of the Melissa virus
(or worm) that give us important reminders.
1. Use Anti-virus (AV) software.
AV software must be used by anyone with a PC or Macintosh. Up-to-date AV
software detects and stops the Melissa virus. AV software must be kept
up to date. Periodically, and at the first notification of a new computer
virus, AV software should be updated. Most products have an option for
updates over the Internet or over a dialup connection. AV software is needed
on all computers: servers, desktop computers, and notebook PCs.
Well-publicized "events" like Melissa
can be a pain in the neck to an organization that gets infected. For the
rest of us, these events are useful tools to remind our users and ourselves
about the rules of the game, as we play against opponents who have no rules.
2. Know whom you can trust. We are
too trusting and we don't understand what trust means. Do we trust e-mail
communications? Even though we know how easy it is to send e-mail making
it look like it is from someone else? When someone sends us an attachment
do we open it without thinking? The individual sender may be worthy of
our trust, but do we trust them to run AV software? Do we trust them to
run a computer that is virus-free? We may trust their integrity, trust
them to keep a promise, and trust them when we are sharing company secrets
with them. We may also be aware that they are not good about keeping security
software up to date, and sometimes they even disable their AV software.
3. Get your information from a trusted
source (your corporate security officer?) and read it or listen to it carefully.
There were people who were panicked about Melissa who didn't run Word 97
or Word 2000. There were others who didn't know it could potentially affect
4. Do not believe what you read just
because you read it on a computer. We believe computers too easily. Start
treating e-mail with attachments as if it might contain a letter bomb.
It might. Ask, "Why would I get a Word document from so-and-so? He's never
sent me one before." If you receive something that says something like
"Here is that document you asked for … don't show it to anyone else ;-)"
in the body of the message, ask yourself if that message makes sense. Did
you ask for a document? Does this person usually send you e-mail that you
shouldn't show to anyone else? For goodness sake, at least be a little
5. Take media reports, especially regarding
high technology, with a grain of salt. I received an e-mail message from
someone reporting on the virus. He had heard a report on a network morning
news program. They recommended not opening e-mail from any unknown sources.
They said, he said, even just reading the e-mail would infect a machine.
(That's another thing to keep in mind… how quickly details break down as
they are passed from person to person.) After I corrected him, he insisted
that another network that night said specifically that it would infect
your machine just by reading the e-mail. Who will you believe? As I said
above, have a trusted source of information.
6. This sort of attack is possible
because of the way vendors (in this case Microsoft) design software. What
business is it for a word processor to run Basic programs? Maybe it seemed
like a good idea at the time. Learn to turn off such features. You can
always turn them back on if you need them. Turn off automatic macro execution
in Word (in 97 and later you do this by turning on "Macro Virus Protection.")
back on if you really need them.