NEWS AT SEI

You probably receive lots of mail each day, much of it unsolicited and containing unfamiliar but plausible return addresses. Some of this mail uses social engineering to tell you of a contest that you may have won or the details of a product that you might like. The senders are trying to encourage you to open the letter, read its contents, and interact with them in some way that is financially beneficial--to them. Even today, many of us open letters to learn what we've won or what fantastic deal awaits us. Since there are few consequences, there's no harm in opening them.

Email-borne viruses and worms operate much the same way, except that there are consequences, sometimes significant ones. Malicious email often contains a return address of someone we know and often has a provocative subject line. This is social engineering at its finest--something we want to read from someone we know.

Email viruses and worms are common. If you've not received one, chances are you will. Here are steps you can use to help you decide what to do with every email message with an attachment that you receive. You should only read a message that passes all of these tests.

1. The Know test: Is the email from someone that you know?
2. The Received test: Have you received email from this sender before?
3. The Expect test: Were you expecting email with an attachment from this sender?
4. The Sense test: Does email from the sender with the contents as described in the Subject line and the name of the attachment(s) make sense? For example, would you expect the sender--let's say your mother--to send you an email message with the subject line "Here you have, ;o)" that contains a message with attachment--let's say AnnaKournikova.jpg.vbs? A message like that probably doesn't make sense. In fact, it happens to be an instance of the Anna Kournikova worm, and reading it can damage your system.
5. The Virus test: Does this email contain a virus? To determine this, you need to install and use an anti-virus program. That task is described in Task 1, “Install and Use Anti-Virus Programs,” of Home Computer Security.

You should apply these five tests--KRESV--to every piece of email with an attachment that you receive. If any test fails, toss that email. If they all pass, you still need to exercise care and watch for unexpected results as you read it.

Now, given the KRESV tests, imagine that you want to send email with an attachment to someone with whom you've never corresponded. What should you do? Here's a set of steps to follow to begin an email dialogue with someone.

1. Since the recipient doesn't already Know you, you need to send him or her an introductory email. It must not contain an attachment. Basically, you're introducing yourself and asking permission to send email with an attachment that the person may otherwise be suspicious of. Tell the recipient who you are and what you'd like to do, and ask for permission to continue.
2. This introductory email qualifies as the mail Received from you.
3. If the recipient responds, honor his or her wishes. If he or she chooses not to receive email with an attachment from you, don't send one. If you don’t hear from the recipient, try your introductory email one more time.
4. If the recipient accepts your offer to receive email with an attachment, you are free to send it. The recipient now Knows you and has Received email from you before. He or she will also Expect this email with an attachment, so you've satisfied the first three requirements of the KRESV tests.
5. Whatever you send should make Sense to the recipient. Don't use a provocative subject line or any other social engineering practice to encourage the person to read your email.
6. Check your attachment for Viruses before sending it. Having gained the trust of the recipient, you don’t want to destroy it by inadvertently sending a contaminated attachment.

The KRESV tests help you focus on the most important issues when sending and receiving email with attachments. Use it every time you send email, but be aware that there is no foolproof scheme for working with email, or security in general. You still need to exercise care. While an anti-virus program alerts you to many viruses that may find their way to your computer, there will always be a lag between when a virus is discovered and when anti-virus program vendors provide the new virus signature. This means that you shouldn't rely entirely on your anti-virus programs. You must continue to exercise care when reading email.

Use the checklist from Home Computer Security to help you make decisions about opening email attachments.

---

Social engineering is the art and science of getting people to comply with your wishes. It is not a method of mind control, it will not enable you to get people to perform tasks wildly outside of their normal behavior, and it is far from foolproof. (From http://packetstormsecurity.nl/docs/social-engineering/aaatalk.html.)

About the Author

Lawrence R. Rogers is a senior member of the technical staff in the Networked Systems Survivability Program at the Software Engineering Institute (SEI). The CERT Coordination Center is a part of this program. Rogers’s primary focus is analyzing system and network vulnerabilities and helping to transition security technology into production use. His professional interests are in the areas of the administering systems in a secure fashion and software tools and techniques for creating new systems being deployed on the Internet. Rogers also works as a trainer of system administrators, authoring and delivering courseware. Before joining the SEI, Rogers worked for 10 years at Princeton University. Rogers co-authored the Advanced Programmer’s Guide to UNIX Systems V with Rebecca Thomas and Jean Yates. He received a BS in systems analysis from Miami University in 1976 and an MA in computer engineering in 1978 from Case Western Reserve University.

This and other columns by Larry Rogers, along with extensive information about computer and network security, can be found at http://www.cert.org.

The views expressed in this article are the author's only and do not represent directly or imply any official position or view of the Software Engineering Institute or Carnegie Mellon University. This article is intended to stimulate further discussion about this topic.