[At the end of this are pointers to other, new, on-line columns I have recently written. And, yes I did skip #4 in numbering these. No there is no significance. No I am not getting — what’s that word again, when you grow forgetful?]

NetSec Letter #6, 14 March 2001: Virus Hoaxes, A Plea and a Plan

This is not strictly about network security, although there is a tie-in to digital signatures in here to make it legitimate. Bear with me this month.

What They Are

I believe that everyone reading this had at one time or another — and if you are like me, it is more than one time — received e-mail warning you about a terrible new virus. The e-mail message quotes well known sources (Microsoft, CNN, IBM, AOL, Intel). Invariably, the virus described “will erase everything on your hard drive,” or “remove all dynamic link libraries from your computer.” The e-mail always says that there is no remedy (usually “NO remedy”). It is the worse that AOL/IBM/whoever has ever seen. Sometimes the warning is full of technical information (“… the reformat function from Norton Utilities causing it to completely erase … to work with Netscape Navigator and Microsoft Internet Explorer”). You are always told in some way to ” Pass this warning along to EVERYONE in your address book and please share it with all your online friends ASAP.”

 Why Do People (Do We) Believe Them?

People believe what they read on computers. They just do. The especially believe them when it comes from someone they know. Recently, my wife received a bogus virus warning, to which her friend had noted, “I have not had time to check to see if this is true, but it comes from a trustworthy source.” Of course, attached was something that clearly had been forwarded through e-mail at least 5 if not 50 times.

Also, people want to be helpful. They receive a warning that sounds dire and they care enough to warn other people.

As I mentioned, and as you’ve seen, the messages always mention trustworthy, well-known names (AOL, IBM) and sometimes someone we don’t know at all. “This is one of those viruses Cynthia has been warning us about.” The personal touch.

What’s the Problem?

The problem is more than one of mere annoyance. It doesn’t take long to just delete the message. Aside from clogging e-mail servers — and I would like to hear from you if it has happened to your company, it could tend to make people ignore any real warnings they might receive along the lines of “The Boy Who Cried Wolf.” It takes attention away from real vulnerabilities, and frustrates people who are somewhat scared of the Internet to begin with.

How to Stop Them

First, do not immediately forward such warnings. Stop. Think. Use your head. Does it sound genuine? Would Intel Corporation “spread the word” by asking people to send e-mail to everyone they know? And why is Intel warning anyone about viruses anyway (okay, that one takes too much industry knowledge, granted).

If after going through the checklist below, you are still not sure if it is real or not, go to the web page of your antivirus software company or one of the sites listed below and look for the alleged virus by name. Even if you don’t find it there, use your favorite search engine to look for its name. Every time I have received one of these warnings I have found the “virus” mentioned as a hoax in less than 2 minutes.

Again, use your head. Does the warning claim supernatural powers for the virus? I remember one that warned the virus would travel along electric lines and, so, infect other computers in the same room. “Unplug your computer immediately!” Another warned “just typing certain word (sic) will send this insidious thing along to others.” Again, that takes more clue than the average user probably has.

It is an instance where digitally signed messages would help. If you got a warning from Microsoft a bout vulnerability, and it was digitally signed, you could verify that it really came from Microsoft (or whoever) and act accordingly. In fact, Microsoft does digitally sign its security alerts.

Checklist and Next Steps

Be very suspicious if:

Educate your friends and your correspondents. Encourage them to use their heads before their keyboards, and to check with one of the sites below before passing on such warnings, no matter how urgent it seems. And most importantly, PASS THIS WARNING ALONG TO EVERYONE IN YOUR ADDRESS BOOK AND PLEASE SHARE IT WITH ALL YOUR ONLINE FRIENDS ASAP.

Yes, I am joking about that part. But feel free to forward a pointer to this to anyone who sends you a hoax warning. (http://www.avolio.com/columns/virus_hoaxes.html)

Links of Interest:

TruSecure Corporation has a site called “Hype or Hot”. They say, “New Vulnerabilities and threats are reported every day. The hard part is not reporting them, but figuring out which ones matter and what to do about them. Hype or Hot tells you what you need to know, based on the continuous intelligence and analysis of our Information Security Recon Team.” The current location is http://www.trusecure.com/html/tspub/hypeorhot/index.shtml.

Most makers of antivirus software have web pages to keep track of hoaxes. Check your vendor. Here are a few I know about.

http://www.symantec.com/avcenter/hoax.html

http://www.mcafee.com/anti-virus/ and click the “Virus Hoaxes” button.

http://www.antivirus.com/vinfo/ and follow the “Hoaxes” button.

Self-promotions:

I have a letter to the editor re: “Security Through Obscurity” at http://www.infosecuritymag.com/articles/february01/departments_viewpoint.shtml

I’ved reprinted a couple of my WatchGuard columns “One Size Never Fits All” (http://www.avolio.com/columns/onesize.html) and “Network Applications: A Security Guy’s Wish List” (http://www.avolio.com/columns/wishlist.html).

A transcript of my recent “web cast” at searchSecurity.com is at this ugly URL: http://searchsecurity.techtarget.com/Online_Events/searchSecurity_Online_Events_Transcript_Page/0,287095,522021,00.html

And a new column about e-mail server security is at searchSecurity.com at another ugly URL (be careful if you cut and paste to get it all): http://searchsecurity.techtarget.com/Tips/searchSecurity_Tips_Single_Listing_Page/1,286550,528799,00.html

You can get “Executive Security Briefings,” written by me and others via e-mail by subscribing on the searchSecurity.com site.