Sunday, April 18, 2004
Contrary to past beliefs, no file type appears to be safe.
WASHINGTON POST
Surely most people have gotten the news by now. E-mail attachments can be bad stuff. Click on the wrong file and you could be installing a bug that crashes your system, makes your financial information available to some guy in Russia or commandeers your computer for an attack on some company's Web site.
Still, people sometimes have a hard time resisting the urge to click when that strange or unexpected file-bearing e-mail arrives -- even the folks who should know better.
"As a computer professional, I know that the attachment is likely a virus, yet my curiosity wants to look inside and see what makes it tick," Ira Bland, a programmer in Ashburn, Va., wrote in an e-mail. "It takes considerable effort to put on my logical hat and just delete the thing."
He's not alone. David Perry, global director of education at Trend Micro Inc., often gives talks at local computer user groups, which are mostly populated by tech-savvy types. Whenever he gets to the part of his standard presentation where the bad software shows up attached to an e-mail in his inbox, "people in the audience shout, 'Click on it! Click on the virus. We want to see what happens!'" he said.
Nothing's safe
For anyone still wondering whether there is such a thing as an entirely safe or trustworthy file type, the answer seems to be a simple no. A year ago, for example, security experts generally thought zip files were safe, but recent attacks using the format have turned this once-trusted format into a rising security risk.
What's more, file types have become somewhat irrelevant as hackers have gotten better at disguising dangerous ".exe" or executable files in Windows as file types that are perceived to be less risky, such as text or Word documents.
In its default mode, for example, Windows XP presents files with the name "readme.txt.exe" as "readme.txt" -- hiding the ".exe." and making even a reasonably alert computer user think the file is probably a harmless text file.
To protect from getting duped by such disguised executable files, some computer security experts recommend Windows XP users turn off a "hide extensions" option that is turned on by default in the operating system. To do so, click the "My Computer" button in Windows XP, choose "Tools" then "Folder Options." Choose the "View" tab and uncheck the option marked "Hide extensions for known file types."
Fooling users
Though Microsoft is a frequent target of criticism for the security practices in its products, computer experts generally caution that there's no way to make the computing world 100 percent safe. Computer security firms can put up more roadblocks and safeguards, but sometimes users get fooled in new ways.
These days, computer users have to ignore a growing range of e-mail trickery, from e-mails that look as if they were sent by somebody familiar to e-mails that convincingly disguise themselves as bounced e-mail. As a result, computer security experts flatly counsel against clicking on any attachment that a user wasn't expecting.
As for the unexpected e-mail attachment that appears to come from a friendly source, Alfred Huger, senior director of engineering with computer security firm Symantec Corp., said recipients should verify that the file is legit by e-mailing or calling the sender before clicking on it.
But the most successful cons or hacks tend to play off a sense that someone will lose something if they don't click or respond, said ex-hacker Kevin Mitnick, author of a book on the subject, "The Art of Deception: Controlling the Human Element of Security."