Do you know people who simply must have the latest and greatest software, even if that means running beta code? The number of people who fit that description is properly staggering. There's nothing wrong with wanting to run better or newer software, but people who let an emotional urge overpower their common sense and caution are open to social engineering exploits. Enter one "MSN Messenger 8.0 Beta."
Last week, a Trojan horse program that claimed to be a copy of a leaked MSN Messenger beta began to spread. The "leaked beta" supposedly boasts many new features, all of which are designed to entice people into downloading it. But no such beta exists. People who downloaded and installed the file infected their systems with a Trojan horse, which then sent IM messages to other MSN Messenger users trying to coax them into installing the program. The Trojan horse program includes proxy and remote command shell capabilities, can perform Denial of Service (DoS) attacks, connects the system to a botnet, and more. In short, it's a disaster on any computer.
Another security problem also became known last week. A severe vulnerability that can be used to execute arbitrary code on an affected system was discovered in the Windows Graphics Rendering Engine. You can read more about that problem in the news story "Windows Graphics Rendering Vulnerability Leaves Countless Computers Unprotected."
Exploits are of course circulating on the Internet, and no patch is available. Many of these try to coax users into visiting malicious Web sites, which can infect their systems even if they don't download any files. Other exploits might arrive via email, IM clients, or other inroads. A number of exploits related to this and other vulnerabilities rely on social engineering, which is a nice way of saying that they rely on the ignorance of computer users.
Last week, I wrote about three areas (least-privileged user accounts, rootkits, and backups) that will most likely be major focus areas for security administrators in 2006. If I had to pick an additional item to add to that list, I'd say computer user education. Security tools are getting better with each passing month, but these tools will never replace the need for user education (which hopefully promotes common sense and caution). User education might minimize the need for some security tools. More frequently, though, user education could help you shift the focus of your security work from reactive mode to proactive mode. If computer users become savvy enough to sense when they're being baited, they won't fall victim to attacks as often. As a result, your security-related work could become less hectic.
In 2006, consider investing in end user security education, particularly in regard to increasing users' awareness of predatory mindsets. If you can make that one of your priorities, you'll likely see returns sooner rather than later.