Lessons Learned from the ILOVEYOU Virus/Worm
May 9th, 2000 - Chuck Flink (Feedback Appreciated!)
First lesson: make sure your software is up to date! In several articles over the past few months, I've repeated pointed out that technology is evolving so rapidly that software is no longer really a product. It is a service that you subscribe to when you buy and install software on your computer. Remember: you only bought the right to use that software. It still belongs to whoever licensed it to you. Read the End-User-License-Agreement. You are entitled to free updates and bug fixes! In the case of Microsoft, this update process is highly automated via Windows Update and Office Update. All software and many hardware vendors have similar tools to ensure that you have the latest possible fixes in your software. Besides throwing away part of your investment when you fail to keep software up-to-date, you forfeit much of your right to complain when things go wrong!
You cannot honestly complain about weaknesses in the vendor's software when you fall prey to a 2nd email virus if you never bothered to update your software after the 1st! Of course, I'm referring to the Melissa virus that lead to many updates being released over the last 9 months, most last fall.
As a student of Information Security, I assure you that the only reasonable defense is an active defense. We cannot now and probably never will design perfectly secure software. The only real defense today is to detect and respond to attacks ASAP. A very large part of that is the ability to field a security fix as quickly as possible. Hence, programs like Windows Update, IBM Connection, Oil Change, and many similar tools are very important for security, let alone reliability, feature and ease-of-use improvements.
It is very justifiable to be suspicious of bug fixes. There is a history of bug fixes that introduce more bugs than they fix. This is especially true when you "mix-and-match" updates. You may very well think you should only apply fixes that you clearly need. This was a good recommendation back when change was limited by what you and your users did. Now users are visiting websites at home and at work that teach them to do ever more complex things with their computers, exercising software in those systems in ways you'd never see in the old days when user only knew the commands that the IT department taught them! Now there is much more diversity in both the way the computers are used and the programs stored in them. The reality is that folks in your vendor's shop and in the leading users world-wide are testing with all the latest fixes installed. And the vendors releasing those fixes are generally testing with only the top applications installed on their test systems. The combinations of N products, each with M possible updates, configurable in L different ways quickly leads to a probability that you find your site's setup is totally unique and untested. This is especially true if you only install "some" fixes to "some" products. You are asking for trouble if you don't keep in sync with the vendors.
The right answer for individual computer owners is to be no more than a month or two behind. Protect yourself from "bad" bug fixes by giving any new update a week or two "on the net" before you install it. (Of course, this depends upon the popularity of the product. The most popular products will be shaken down by the user community faster than the rarely used products.) For corporate sites of sufficient size and dependence on software quality, your IT organization should have a "test configuration" modeled after the configurations fielded company-wide and and test suites that exercise the software by performing the operations typical of your users. Updates should be applied and tested quickly after they become available on the net. Firmware (BIOS and devices), operating systems and application updates should be tracked for all systems in your corporation. IE's "subscription" feature is a nice way to have yourself notified (by a "highlight" in your Favorites list) when a vendor site updates it's download page with new patches. Windows Update and Office Update also lets you check each PC to see exactly what Windows and Office patches have been applied.
Now I know some readers will interpret the recommendations above as preaching Microsoft's monopolistic garbage. Let me assure you I'm only talking reality here. In an Ideal world, I'd prefer: a) all software would be perfect; b) all vendors have an equal shot at the market; c) all components should be interchangeable. Reality, however, is there are natural monopolies that influence our choices. Fish swim in schools for very practical reasons. If you read the above recommendations carefully, you'll note that my comments apply to ALL operating systems, applications and firmware. All are subject to security flaws and all are in need of maintenance. If your idealism calls for greater diversity in your platforms, I recommend you structure your diversity so that whatever platforms you choose, and on each type of platform, try to keep up with bug fixes! If you think none are needed because you never hear about problems with your vendor's software, be assured your time will come or your vendor will go out of business. Be prepared.
Second lesson: Informed and warned users didn't fall for this spoof. True, the virus took advantage of weaknesses of human nature and a little knowledge about computers: a) we trust our friends and this message appeared to be from someone we knew; b) it had to do with love during the month of May; c) we ignore icons and believe that anything that appears to end in TXT has to be a "safe" file to open. I could have added that we get in the habit of ignoring warning messages because we get far too many of them.
The well trained corporate computer user knows that the workplace is not the place to play with joke and "love message" email. Would any insurance inspector be happy to see cartoons and jokes plastered all over the lathe or milling machine in the plant? The inspector would quickly point out that these distractions were interfering with the safe and efficient operation of the equipment. Cartoons, jokes and such belong on the bulletin board in the break room, not on the shop floor. Your corporate desktop is the information workers' shop floor! Safety first!
Third lesson: Slow down! It is amazing to me how many users set their email readers to send outgoing email immediately. I highly recommend the option changes detailed last Thursday. I've worked with these settings for most of a week now and prefer the added control these options offer. Now my mail does not leave my PC until I've prepared several outgoing message and I'm ready to look for new mail. I've twice used the opportunity to pull a message out of my outbox and make improvements! Ah! No more email regret! And as explained in that article, any future email virus I catch will not propagate before I see its children in my outbox!
Correction... of sorts: In a previous article I suggested that it was possible to spoof the icon displayed in association with a given file, causing the icon to differ from the icon assigned to the file type. Microsoft Security, however, assures me that the association cannot be spoofed on a per file or per attachment basis. Only Internet shortcuts have the property of supporting local redefinition of the icon displayed. They argue that the users should have noticed that the file 'LOVE-LETTER-FOR-YOU.TXT' (with the .VBS hidden) was marked with a VBS icon, not a TXT icon. Hence they claim it is not necessary to turn off the hiding of extensions as I recommended.
I'll accept them on their word about per-file icon associations, but remind everyone that Windows 98SE and lesser systems do not support file protections. Hence, a Trojan Horse could modify the registry or systems files so that ANY icon could be associated with ALL files of the VBS type. Hence all VBS files would look like TXT files but execute as VBS files. Likewise with EXE and any other executable file on your system. Further, people simply cannot see icons all that well and certainly don't enjoy memorizing all the possible icons!
I still believe hiding file extensions is far too dangerous for what you gain by having 4 less characters in your file names. So when push comes to shove, I still recommend NOT hiding file extensions since icons are only reliable in NT or better systems. I also believe commercial-grade usage requires Windows NT/2000 (with NTFS, proper setup and administration, etc.)
But everyone knows I'm biased in favor of security, so go ahead and discount my opinion. Every CIO would rather save a few hundred bucks per PC by ignoring his/her information security advisors until after the virus strikes. Then he/she can request emergency funding and blame the crisis on the vendor, the Internet, hackers, etc. Warning! Worse viruses are on the way. The day when blaming others lets you keep your job is going to pass. If your business depends on computers connected to the Internet, invest in proper security!