Human Weaknesses and Computer Security

Humans are the weakest link in the chain of security. Humans forget to apply critical security patches, they introduce exploitable bugs, they misconfigure software in vulnerable ways. There is even an entire genre of attacks based on tricking people, called social engineering.

Classic social engineering attacks tend to be labor-intensive, and don't scale well. Some classic ploys include:

  • Impersonation. An attacker can pretend to be someone else to extract information from a target. For example, a "helpless user" role may convince the target to divulge some useful information about system access; an "important user" role may demand information from the target.
  • Dumpster diving. Fishing through garbage for useful information. "Useful" is a broad term, and could include discarded computer hard drives and backups with valuable data, or company organization charts suitable for assuming identities. Identity theft is another use for such information.
  • Shoulder surfing. Discovering someone's password by watching over their shoulder as they type it in.

These classic attacks have limited application to malware. Even impersonation, which doesn't require the attacker to have a physical presence, works much better on the phone or in person.

Technology-based social engineering attacks useful for malware must be amenable to the automation of both information gathering and the use of gathered information. For example, usernames and passwords can be automatically used by malware to gain initial access to a system.

They can be collected automatically with social engineering:

  • Phony pop-up boxes, asking the user to re-enter their username and password.
  • Fake email about winning contests, directing users to an attacker's web site. There, the user must create an account to register for their "prize" by providing a username and password.

People tend to re-use usernames and passwords to reduce the amount they must remember, so there is a high probability that the information entered into the attacker's web site will yield some real authentication information.

The same principle can be used to lure people to an attacker's website to foist drive-by downloads on them. The website can exploit bugs in a user's web browser to execute arbitrary code on their machine, using the technical weaknesses described earlier.

  • Phishing attacks send email which tricks recipients into visiting the attacker's web site and entering information. For example, a phishing email might threaten to close a user's account unless they update their account information.

The attacker's web site, meanwhile, is designed to look exactly like the legitimate web site normally visited to update account information. The user enters their username and password, and possibly some other personal information useful for identity theft or credit card fraud, thus giving all this information to the attacker. Malware can use phishing to harvest usernames and passwords.

User education is the best defense against known and unknown social engineering attacks of this kind. Establishing security policies, and teaching users what information has value, gives users guidelines as to the handling of sensitive information like their usernames and passwords.

Social engineering may also be used by malware to spread, by tricking people into propagating the malware along. And, one special form of "malware" that involves no code uses social engineering extensively: virus hoaxes.

Virus Hoaxes

A virus hoax is essentially the same as a chain letter, but contains "information" about some fictitious piece of malware. A virus hoax doesn't do damage itself, but consumes resources - human and computer - as the hoax gets propagated.

Some hoaxes may do damage through humans, advising a user to make modifications to their system which could damage it, or render it vulnerable to a later attack. There are three parts to a typical hoax email:

  1. The hook. This is something that grabs the hoax recipient's attention.
  2. The threat. Some dire warning about damage to the recipient's computer caused by the alleged virus, which may be enhanced with confusing "technobabble" to make the hoax sound more convincing.
  3. The request. An action for the recipient to perform. This will usually include forwarding the hoax to others, but may also include modifying the system.

Why does a virus hoax work?

It relies on some of the same persuasion factors as social engineering:

  • A good hook elicits a sense of excitement, in the same way that a committee meeting doesn't. Hooks may claim some authority, like IBM, as their information source; this is an attempt to exploit the recipient's trust in authority.
  • The sense of excitement is enhanced by the hoax's threat. Overloading the recipient with technical-sounding details, in combination with excitement, creates an enhanced emotional state that detracts from critical thinking. Consequently, the hoax may be subjected to less scrutiny and skepticism than it might otherwise receive.
  • The request, especially the request to forward the hoax, may be complied with simply because the hoax was persuasive enough. There may be other factors involved, though. A recipient may want to feel important, may want to ingratiate themselves to other users, or may genuinely want to warn others.

A hidden agenda may be present, too - a recipient may pass the hoax around, perceiving the purported threat as a way to justify an increase in the computer security budget.
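As an added illustration, not part of the original text, the following Python heuristic scores a message for each of the three hoax parts (hook, threat, request) and the persuasion cues discussed above (appeals to authority, technobabble, a request to forward). The indicator lists and the two sample messages are constructed for this example and are not a vetted signature set.

```python
import re
from dataclasses import dataclass

# Constructed indicator lists for the three parts of a hoax email described
# above; illustrative only, not a vetted signature set.
HOOK_PATTERNS = [  # attention grabbers and appeals to authority
    r"\burgent\b", r"\bwarning\b", r"\bplease read\b", r"\bimportant\b",
    r"\b(confirmed|verified) by (ibm|microsoft|aol|cnn)\b",
]
THREAT_PATTERNS = [  # dire damage claims and technobabble
    r"\berases? (your )?hard (drive|disk)\b", r"\bsector zero\b", r"\bbios\b",
    r"\bno (known )?cure\b", r"\bvirus\b", r"\bdestroys?\b",
]
REQUEST_PATTERNS = [  # forward-to-everyone or modify-your-system asks
    r"\bforward (this )?to\b", r"\bsend (this )?to everyone\b",
    r"\bdelete the file\b", r"\bedit (the|your) registry\b",
]

@dataclass
class HoaxScore:
    hook: int
    threat: int
    request: int

    @property
    def parts_present(self) -> int:
        return sum(1 for n in (self.hook, self.threat, self.request) if n > 0)

def _count_hits(text: str, patterns: list) -> int:
    return sum(len(re.findall(p, text, re.IGNORECASE)) for p in patterns)

def score_message(text: str) -> HoaxScore:
    return HoaxScore(hook=_count_hits(text, HOOK_PATTERNS),
                     threat=_count_hits(text, THREAT_PATTERNS),
                     request=_count_hits(text, REQUEST_PATTERNS))

def looks_like_hoax(text: str) -> bool:
    """Flag only when all three parts co-occur. A genuine advisory may carry a
    hook and a threat but rarely asks recipients to mass-forward it, so the
    request is the discriminating part."""
    return score_message(text).parts_present == 3

# Constructed sample messages for demonstration.
SAMPLE_HOAX = ("URGENT WARNING, confirmed by IBM: a new virus called 'ExampleVirus' "
               "erases your hard drive and overwrites sector zero of the BIOS. "
               "There is no known cure. Forward this to everyone you know!")
SAMPLE_LEGIT = ("Hi team, the quarterly patch window is Thursday evening. "
                "Please save your work before 18:00. Thanks, IT.")
```

The per-part counts are more useful to an educator than the boolean: showing users which sentences tripped the hook, threat and request scores maps directly onto the three-part model above.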

Virus hoaxes seem to be on the decline, possibly because they are extremely vulnerable to spam filtering. Even in the absence of technical solutions, education is effective.

Users can be taught to verify a suspected virus hoax against anti-virus vendors' databases before sending it along; if the mail is a hoax, the chances are excellent that others have received and reported the hoax already.