Prudish Microsoft response to Kama Sutra worm

[Bob Crabtree]

Microsoft recently joined the chorus of voices warning to protect yourself before Friday against an email-borne worm that could bring down your PC completely but it is doing so in such prudish terms that few will understand what it's saying.

Making doubly sure that it won't cause anyone any offence - even if its prudery could result in a whole bunch of totally non-working PCs - the [Microsoft] Security Advisory sums up the whole issue with the Kama Sutra worm by saying,

"The mass mailing malware tries to entice users through social engineering efforts into opening an attached file in an e-mail message".

Don't understand? No, us neither - and that's whole point.

Check out this HEXUS.headline

Then, if you would, please participation in our poll - so we can try to get an idea of the proportion of people (of differing levels of computer experience) that will or won't have understood the meaning of the term 'social engineering' in the context it was used by Microsoft.

Here, are two contrasting definitions, courtesy of Wikipedia:

Social engineering (political science)
Social engineering in political science refers to efforts to systematically manage popular attitudes and social behavior on a large scale, whether by governments or private groups.

The term has a negative connotation, and is sometimes used as an accusation against any who propose to use law, tax policy, or other kinds of state influence to accomplish social goals. For instance, political conservatives in the United States have accused their opponents of 'social engineering' through their promotion of political correctness, on the basis that political correctness is an attempt to change social attitudes by defining 'acceptable' and 'unacceptable' language.

Social engineering (computer security)
Social engineering (computer security), is the practice of obtaining confidential information by manipulation of legitimate users. A social engineer will commonly use the telephone or Internet to trick people into revealing sensitive information or getting them to do something that is against typical policies. By this method, social engineers exploit the natural tendency of a person to trust his or her word, rather than exploiting computer security holes. It is generally agreed upon that “users are the weak link” in security and this principle is what makes social engineering possible.

A contemporary example of a social engineering attack is the use of e-mail attachments that contain malicious payloads (that, for instance, use the victim's machine to send massive quantities of spam). After earlier malicious e-mails led software vendors to disable automatic execution of attachments, users now have to explicitly activate attachments for this to occur. Many users, however, will blindly click on any attachments they receive, thus allowing the attack to work.

[Bob Crabtree]

In case anyone does want to protect their PC against, viruses, worms, trojans and other sorts of malware, and doesn't have a lot of readies to throw at the problem before Friday (though the same nasty is supposed to strike every third day of the month), below are some of the free apps you can use - and with confidence, in my experience.

My current favourite anti-virus freebie is Grisoft's AVG Free.

Set it to update daily and to run directly afterwards.

Trojans are well dealt with by
Lavasoft's Ad-Aware SE Personal Edition 1.06.

and

Safer-networking's SpyBot Search & Destroy.

In my view you are better to have both of the last two installed and to run each of them at least once a week.

In addition, you should use Microsoft's own freebies (get them via Windows Update) and, if you are technically knowledgeable, also get Merijn's HiJack This but use it with EXTREME care.

To help you do that - but remember, any changes you make are down to you - there's a very useful auto-diagnostic tool here into which you can paste the log file that HiJack This produces.

Other folks' suggestions are most welcome.

[Funkstar]

i don't see what is so confusing about that sentance. Although it does sound like a standard response. This could be used to describe dozens of 'famous' worms over the last few years.

[PD HEXUS]

and here's a little something from Symantec which could prove helpful: W32.Blackmal@mm Removal Tool

cheers,

PD

[Bob Crabtree]

Nice one Paul - I forgot all about that.

But, people, do make sure you've got your antis in place - and keep them up-to-date and run them regularly; better not to get any nasties in the first place than to remove them after they've done their work.

[Bob Crabtree]

Originally Posted by Funkstar

i don't see what is so confusing about that sentance. Although it does sound like a standard response. This could be used to describe dozens of 'famous' worms over the last few years.

Ah, I understand your thinking - cos they've used geekish gibberish in the past, it's okay to use it now.

Well, the absolute bottom line - in my view - is that Microsoft has a duty to communicate in such a way that ordinary mortals can understand what it's trying to tell them, especially if that's something that requires them to take some appropriate action.

By mentioning NOTHING specific about the possible subject lines and contents of the body of the email, MS has done people no favours at all - and the only reasons I can think it has copped out are either prudishness somewhere in the decision-making hierachy or the fact that the people who write such stuff are so cut off from the real world that they don't realise they are using gibberish.

It could, of course, be a combination of both.

It's also my belief that were you to take a straw poll of normal computer users - ordinary people who don't live and die computers - a large majority, if they even knew what social engineering meant, would think of it in the context of political science, rather than computer security.

But, perhaps, better that I test that theory by adding a poll to this thread [now done].

Here, though, are two contrasting definitions, courtesy of Wikipedia:

Social engineering (political science)
Social engineering in political science refers to efforts to systematically manage popular attitudes and social behavior on a large scale, whether by governments or private groups.

The term has a negative connotation, and is sometimes used as an accusation against any who propose to use law, tax policy, or other kinds of state influence to accomplish social goals. For instance, political conservatives in the United States have accused their opponents of 'social engineering' through their promotion of political correctness, on the basis that political correctness is an attempt to change social attitudes by defining 'acceptable' and 'unacceptable' language.

Social engineering (computer security)
Social engineering (computer security), is the practice of obtaining confidential information by manipulation of legitimate users. A social engineer will commonly use the telephone or Internet to trick people into revealing sensitive information or getting them to do something that is against typical policies. By this method, social engineers exploit the natural tendency of a person to trust his or her word, rather than exploiting computer security holes. It is generally agreed upon that “users are the weak link” in security and this principle is what makes social engineering possible.

A contemporary example of a social engineering attack is the use of e-mail attachments that contain malicious payloads (that, for instance, use the victim's machine to send massive quantities of spam). After earlier malicious e-mails led software vendors to disable automatic execution of attachments, users now have to explicitly activate attachments for this to occur. Many users, however, will blindly click on any attachments they receive, thus allowing the attack to work.

[TheAnimus]

or, just not open attachments on strange sounding emails?

Which is easyer? Resisting the temptation to get some free porn which why would someone you don't know like that email you? Or having to deal with the consiquences of an infection..... Hmmm.......

[alsenior]

Originally Posted by TheAnimus

or, just not open attachments on strange sounding emails?

Which is easyer? Resisting the temptation to get some free porn which why would someone you don't know like that email you? Or having to deal with the consiquences of an infection..... Hmmm.......

sounds alot like real life

[ayembee]

i don't see the missing "not" in that last paragraph that the author makes such a song and dance about. am i going mad?

what it looks like the author was expecting to see was a standard "Customers who are not using the most recent and updated antivirus software are at risk...", but of course what it actually says is that "Customers who are using the most recent and updated antivirus software could be at a reduced risk of infection...", which is fine... meh. life goes on...

[Bob Crabtree]

Originally Posted by ayembee

i don't see the missing "not" in that last paragraph that the author makes such a song and dance about. am i going mad?

what it looks like the author was expecting to see was a standard "Customers who are not using the most recent and updated antivirus software are at risk...", but of course what it actually says is that "Customers who are using the most recent and updated antivirus software could be at a reduced risk of infection...", which is fine... meh. life goes on...

No, you're not going mad (at least, judging from the above post, anyway).

You are quite right in your observation and I was quite wrong in mine.

That being so, I was going to change that section to correct my error.

Then I read the original again and realised that what I was actually highlighting wasn't an error in what was written but a densely written sentence the meaning of which wasn't clear on the first or subsequent read-throughs by myself - someone whose daily life is spent juggling with words.

Or am I just clutching at straws here?

Debate, please.

Bob

[ayembee]

oh, i certainly agree it's badly written, and worth a mild chastisement on those grounds alone, i just didn't think it was technically wrong... maybe one for the Plain English campaign