This past week, I’ve started receiving messages from eFax telling me that I’ve received a fax, and to click on a link to download my document. As a heavy eFax user, this seemed perfectly normal… until I clicked one of the links. It took me to some malware site. Fortunately, the site seemed to be designed to target Windows computers, and simply froze on my Mac’s browser.
The faux eFax messages were incredibly well designed, had clean headers, and made it through my e-mail service provider’s malware filters.
Since then, six of those malicious messages have appeared. I have to look carefully at the embedded link to distinguish those from genuine eFax messages, which have links to genuine faxes.
The cybercrime wars continue unabated, with no end in sight.
Malicious e-mail, whether it’s phishing, a “419”-style confidence scam, or an attempt to add your computers to someone’s botnet, is only one type of cybercrime. Most of the time, as software developers, we’re not focusing on bad e-mails, unless we’re trying to protect our own e-mail account, or worrying about the design of e-mails sent into automated systems. SQL Injection delivered by e-mail? That’s nothing I want to see.
Most of the attacks that we have to contend with are aimed more directly at our software, or the platforms that it is built upon. Some of those attacks come from outside; some from inside.
Some attacks are successful because of our carelessness in coding, testing, installing or configuring our systems.
Other attacks succeed despite everything we try to do, because there are vulnerabilities we don’t know about, or don’t know how to defend against.
And sometimes we don’t even know that a successful attack occurred, and that data or intellectual property has been stolen.
We need to think long and hard about software security. SD Times has run numerous articles about the need to train developers and testers in secure coding techniques. We’ve written about tools that provide automated scanning of both source code and binaries. We’ve talked about fuzz testers, penetration tests, you name it.
What we generally don’t talk about is the backstory—the who and the why. Frankly, we generally don’t care why someone is trying to hack our systems; it’s our job to protect our systems, not sleuth out perpetrators.
That said, I’d like to invite you to read a story by SD Times editor Suzanne Kattau, “Cybercrime: How organizations can protect themselves,” where she interviewed Steve Durbin, for the Information Security Forum. It’s interesting to see this perspective on the broader problem. After all, we’re all soldiers in the cybercrime wars, whether we like it or not.
Alan Zeichick is editorial director of SD Times. Read his blog at ztrek.blogspot.com.