Melissa: Have We Learned Anything Yet?
Fred Avolio
Over the past few weeks Melissa replaced Monica in the news headlines. Reports on network news programs containing factual errors had some people afraid to open their e-mail, even people who did not have Microsoft Word! E-mail backed up at mail gateways of large and small corporations as content screening was initiated or e-mail gateways were simply turned off.
What have we learned? What can we learn? First, we have to remember, “It has all been done before. There is nothing new under the sun.” These words, written by King Solomon, quoted by many including Sherlock Holmes (in A STUDY IN SCARLET), restate a truism of network and computer security.
This was true in the case of Melissa. Did we know that Microsoft Word had the ability to interpret Visual Basic programs? Yes. Did we know that programs could open, read, and close files on the local disk? Yes. Did we know that it was easy to do these things? Yes. Did we suspect that in its zeal to provide powerful tools to users, Microsoft might have overlooked some security mechanisms? Well… yes.
Although we did not learn anything new in these areas, there are some interesting aspects of the Melissa virus (or worm) that give us important reminders.
1. Use Anti-virus (AV) software. AV software must be used by anyone with a PC or Macintosh. Up-to-date AV software detects and stops the Melissa virus. AV software must be kept up to date. Periodically, and at the first notification of a new computer virus, AV software should be updated. Most products have an option for updates over the Internet or over a dialup connection. AV software is needed on all computers: servers, desktop computers, and notebook PCs.Well-publicized “events” like Melissa can be a pain in the neck to an organization that gets infected. For the rest of us, these events are useful tools to remind our users and ourselves about the rules of the game, as we play against opponents who have no rules.2. Know whom you can trust. We are too trusting and we don’t understand what trust means. Do we trust e-mail communications? Even though we know how easy it is to send e-mail making it look like it is from someone else? When someone sends us an attachment do we open it without thinking? The individual sender may be worthy of our trust, but do we trust them to run AV software? Do we trust them to run a computer that is virus-free? We may trust their integrity, trust them to keep a promise, and trust them when we are sharing company secrets with them. We may also be aware that they are not good about keeping security software up to date, and sometimes they even disable their AV software.
3. Get your information from a trusted source (your corporate security officer?) and read it or listen to it carefully. There were people who were panicked about Melissa who didn’t run Word 97 or Word 2000. There were others who didn’t know it could potentially affect them.
4. Do not believe what you read just because you read it on a computer. We believe computers too easily. Start treating e-mail with attachments as if it might contain a letter bomb. It might. Ask, “Why would I get a Word document from so-and-so? He’s never sent me one before.” If you receive something that says something like “Here is that document you asked for … don’t show it to anyone else ;-)” in the body of the message, ask yourself if that message makes sense. Did you ask for a document? Does this person usually send you e-mail that you shouldn’t show to anyone else? For goodness sake, at least be a little suspicious.
5. Take media reports, especially regarding high technology, with a grain of salt. I received an e-mail message from someone reporting on the virus. He had heard a report on a network morning news program. They recommended not opening e-mail from any unknown sources. They said, he said, even just reading the e-mail would infect a machine. (That’s another thing to keep in mind… how quickly details break down as they are passed from person to person.) After I corrected him, he insisted that another network that night said specifically that it would infect your machine just by reading the e-mail. Who will you believe? As I said above, have a trusted source of information.
6. This sort of attack is possible because of the way vendors (in this case Microsoft) design software. What business is it for a word processor to run Basic programs? Maybe it seemed like a good idea at the time. Learn to turn off such features. You can always turn them back on if you need them. Turn off automatic macro execution in Word (in 97 and later you do this by turning on “Macro Virus Protection.”) Turn off Java and JavaScript in your Web browser. You can always turn them back on if you really need them.