Human attacks are the problem, not technical attacks

It’s amazing how people can be influenced by a convincing speaker who makes points with conviction, but who happens to be behind the curve in terms of technological developments. I talked to somebody recently who was of the opinion that technical attacks are how people have their identity stolen. The speaker who’d influenced her had said modern operating system security was to blame.

Had he been speaking 3 years ago, I think I’d have been on-side. But look at the situation today. Put yourself in the shoes of the “CEO” of an organised crime syndicate. Looking at the return-on-investment what would you do? The choices are to perform a technical attack (on the machine or its connection to say, a banking website) or a human attack (set up a phishing web site).

Technical attacks: you need to acquire the skills. You’re never going to break into a modern secure connection (say an SSL connection between your victim’s computer and their banking website). The cost of the computing power is too immense and would be too slow to render anything useful. So you have to try and get some of your malicious software onto the victim’s machine. There are two ways: authenticated and unauthenticated. Things like worms exploit weaknesses in the operating system where certain facilities don’t require credentials. In other words, you don’t need a username/password to get your code to execute on somebody’s computer. Authenticated access – you do need a username and password to get it to execute. So you create malicious software and use some form of subterfuge to get the user to download it onto their machine and execute it. That way, they’ve already used their username and password to log on in the first place. Let’s call this scam lovebug.vbs and put it in an email titled “I Love you”, for example.

But let’s have a look at that. Is that a technical attack? No. Your computer will execute the instructions embedded in the software you run on it. The question is, how did the lovebug (or keylogger) get onto your machine in the first place? That was subterfuge, wasn’t it? That’s a human attack. It has nothing to do with operating system security. So we’re back to unauthenticated attacks again.

The thing that has got in the way of unauthenticated attacks in the past few years has been the personal firewall. In the case of Windows XP, Vista and Windows 7, this is built-in software that doesn’t permit data to enter your machine unless you initiated the exchange. So for example, requesting a web page would be permitted because you initiated the request, but if somebody tried to send some data to your machine it wouldn’t work because you never initiated it in the first place.

It’s not only Windows: many Linux distributions and the Mac have built-in versions too, or computer owners are going to the computer store to buy personal firewall software.
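The rule the article describes (replies to conversations the host started are let in, everything unsolicited is refused) is the core of a stateful personal firewall. The following is an added illustration written for this page, not code from the article or from any of the products it mentions. It models the behaviour with a connection table keyed on the four-tuple of addresses and ports; the IP addresses and the packet trace are constructed, and real firewalls also track TCP state and time out idle entries, which this model omits.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

HOST_IP = "192.0.2.10"  # constructed address for the protected machine


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out" = sent by our host, "in" = arriving at our host


# (local_ip, local_port, remote_ip, remote_port) of a conversation the host began
FlowKey = Tuple[str, int, str, int]


class StatefulFirewall:
    """Host firewall model: remember what the host initiated, refuse the rest."""

    def __init__(self, host_ip: str) -> None:
        self.host_ip = host_ip
        self.flows: Set[FlowKey] = set()
        self.dropped: List[Packet] = []

    def filter(self, pkt: Packet) -> bool:
        """Return True if the packet is allowed through, False if it is dropped."""
        if pkt.direction == "out":
            # The host initiated (or is continuing) this conversation: remember it.
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        # Inbound: look the packet up as the reverse of a conversation we started.
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.flows:
            return True  # a reply to something the host asked for
        self.dropped.append(pkt)  # unsolicited: nobody on this host requested it
        return False


def run_trace(fw: StatefulFirewall = None) -> List[Tuple[str, bool]]:
    """Replay a constructed packet trace and return (description, allowed) pairs."""
    fw = fw or StatefulFirewall(HOST_IP)
    web = "203.0.113.10"       # constructed web server address
    stranger = "198.51.100.7"  # constructed address of an unknown remote host
    trace = [
        ("browser opens HTTPS to the web server",
         Packet(HOST_IP, 51000, web, 443, "out")),
        ("web server replies on that same connection",
         Packet(web, 443, HOST_IP, 51000, "in")),
        ("unsolicited packet aimed at a listening service on the host",
         Packet(stranger, 40000, HOST_IP, 445, "in")),
        ("packet from a stranger pretending to be the web server's reply",
         Packet(stranger, 443, HOST_IP, 51000, "in")),
    ]
    return [(label, fw.filter(p)) for label, p in trace]


if __name__ == "__main__":
    for label, allowed in run_trace():
        print(f"{'ALLOW' if allowed else 'DROP ':5} {label}")
```

Note what the model also shows about the article’s argument: once a user has been talked into running a downloaded program, that program’s outbound connections look exactly like the browser’s and are recorded as legitimate flows, so the firewall provides no protection against the human attack that got the software onto the machine.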

Also, security patches are released so quickly when defects are discovered that these attacks never get the stranglehold they once did.

So the next thing might be to create a dangerous ActiveX control (that’s just a fancy way of saying software) that does something not in your best interests. You put it on a website and encourage your victims to download it. Perhaps the control searches every file on your hard disk looking for the string “password”. When it finds it, the file gets copied to the fraudster’s website, where they later examine it in detail hoping to extract a useful site/user-id/password combination. Hopefully, it’s your banking website.

But how do you encourage your victims to download the control? Especially these days where the default behaviour for most browsers is not to download controls. Well, I guess you put some instructions that say something like “You will receive a warning about this control. Ignore the warning and click OK”. If anybody falls for that, it’s a human attack not a technical attack. Again, they got some software on your machine and got you to execute it.

Microsoft introduced features like User Account Control (UAC), where weird stuff happens when you do something that has all the hallmarks of a dangerous activity. A dialogue box pops up, the background goes dark and you can do nothing other than answer the dialogue. Even with all this weirdness happening, there are people who will go right ahead, ignore the weirdness and click OK to install the software. They have usually been foxed by a clever message describing exactly what will happen and encouraging them to click OK. It’s a human attack.

The vast majority of the attacks that are performed on computers take place in the last 60 cm of the connection from the web server to the human being. The 60 cm between the screen and the user.

The classic phishing attack does this. You receive an email that says it’s from your bank. You have apparently made a large withdrawal and they encourage you to log in to your site here. In a panic you go right ahead and click here to reveal what looks like your banking website. It asks for your account number and password and so you dutifully type the secret you’d not even tell your best friend. Now that the criminals have your account number and password, you are doomed. According to, 54 hours later, the bogus web site will have disappeared off the face of the earth – with your money.

But that’s not a technical attack. It’s a human attack. It used subterfuge to fool a human into doing something that’s against their best interests. Why does it work? Because as humans we’ve become conditioned to two things. We type our passwords into web pages. We expect every web page we ever see to ask for our username in a different way. It’s a tragic weakness of the web that it allows stunning creativity. Each site likes to show off its individuality.

Compare this with the way you log in to an operating system like Windows. The Windows weakness is that the login experience is different between each version of Windows. But if you are logging in to, say, Windows 7 at your employer, it doesn’t matter whether you log in to your own machine, your friend’s machine or a machine on the 5th floor owned by somebody else – you will be prompted for your secret credentials in exactly the same way. Every time. Absolute consistency. So much so that if the screen looked different, if the experience was different, if it simply wasn’t “right”, you’d be suspicious that something had gone wrong. This consistency doesn’t exist and is certainly not expected on the internet. It’s one of the reasons why a phishing site doesn’t actually have to be that faithful a reproduction of its genuine counterpart. In many cases if the brand colour is approximately right and the correct logo appears on the site somewhere, that’s good enough. So we can say it’s the lack of consistency that is the biggest aid in fooling the human being.

I was a little taken aback when this lady suggested it is this very lack of consistency that is protecting us from these attacks. She argued that if all the sites use a different technology, it makes it harder to compromise the “entire system”. But of course, she’s talking about technical attacks, not human attacks. As I said earlier, not very many criminals perform technical attacks. They can’t recruit the mind-numbingly cerebral skills required, and they can’t acquire enough computer power. They write simple software that logs keystrokes or searches your hard drive for plain text passwords and they use human attacks to try to get you to execute them. I only talked to her for about 40 minutes, on the telephone, and she left the conversation still convinced the problem is technology.
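The phishing email described above works because the “click here” link carries the victim to a site that merely resembles the bank. The consistency check a machine can do, and a human rarely does, is to compare where a link really goes with where it appears to go. The following is an added example written for this page, not code from the article: it extracts the links from a constructed HTML email and flags the patterns that the text describes (a brand name planted inside a host the bank does not own, a visible URL that differs from the real destination, a plain HTTP link). The genuine domain `examplebank.test` and every address in the sample are constructed and hypothetical.

```python
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit

# Constructed: the only domain (and its subdomains) the genuine bank uses.
GENUINE_DOMAINS = {"examplebank.test"}
BRAND = "examplebank"


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the email body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def is_genuine(host: str) -> bool:
    """True only for the registered domain itself or a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in GENUINE_DOMAINS)


def assess_link(href: str, text: str) -> List[str]:
    """Return the list of reasons a link is suspicious; an empty list means it looks fine."""
    host = host_of(href)
    reasons = []
    if not is_genuine(host):
        if BRAND in host:
            # e.g. examplebank.test.login-verify.example: the brand sits in a
            # subdomain label, but the registered domain belongs to someone else.
            reasons.append("brand name inside a non-genuine host")
        else:
            reasons.append("link leads outside the genuine domain")
    # When the visible text itself looks like a URL, its host must match the real one.
    shown = host_of(text) if text.startswith(("http://", "https://")) else ""
    if shown and shown != host:
        reasons.append("visible URL differs from real destination")
    if urlsplit(href).scheme == "http":
        reasons.append("not HTTPS")
    return reasons


def assess_email(html: str) -> List[Tuple[str, List[str]]]:
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, assess_link(href, text)) for href, text in parser.links]


# Constructed sample email body with one lookalike link, one genuine link,
# and one link whose visible text lies about its destination.
SAMPLE_EMAIL = """<p>A large withdrawal was made from your account.
<a href="http://examplebank.test.login-verify.example/">Log in to your account here</a>
to review it. Genuine site: <a href="https://online.examplebank.test/">https://online.examplebank.test/</a>
<a href="http://203.0.113.9/secure">https://examplebank.test/secure</a></p>"""

if __name__ == "__main__":
    for href, reasons in assess_email(SAMPLE_EMAIL):
        print(href, "->", "; ".join(reasons) or "ok")
```

The check deliberately anchors on the registered domain rather than on whether the brand name appears anywhere in the host, because, as the article notes, a phishing site only needs the brand to be approximately present to satisfy a human reader.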



Comments (5)

  1. Mary Attenborough says:

    What about the Gumblar virus? This is installed by visiting an infected website and was very widespread. It did not require any social engineering. I think that it is safer to say that attacks often involve 'human error', using social engineering, but purely technical attacks also remain a major problem.

  2. ...Planky says:

    Isn't that the one where you opened a PDF document? So somebody had to use some kind of subterfuge to get you to open the document…

    True, once opened the virus exploited a vulnerability, but you gotta get people to open it. The greatest weakness is with the human being. As you say – technical attacks also remain a major problem. I'd rephrase that to say "technical attacks remain a problem, but human attacks are the major problem". How about that as a compromise? 🙂

    I think these days, the humans are a bigger problem than the technology. That's not to say the technology is 100% safe – evil code always exploits some kind of vulnerability. But you typically have to get a human to do something not in their best interests. Unfortunately that's pretty easy to do on the Internet.

  3. Exolon says:

    Indeed, the human factor is often the weakest link in the security chain, but I think you've understated the prevalence of technical attacks. They have by no means been eradicated – on the contrary, more and more content – often dynamic and executable in nature – is being read by the browser in everyday use. We're seeing frequent reports of JS and Flash exploits, buffer-overflows with specially-crafted PNG/JAR/etc files, all allowing arbitrary code to be executed by an attacker when the user simply browses a web page. Viewing a web page that exploits these bugs is not a "human" attack, since we're carrying out actions we had reasonably assumed to be safe (e.g. viewing a PNG image, which people associate with data and not code execution) and browsers do not warn that such basic browsing actions are unsafe since it would have to warn us practically every webpage we ever visit.

    Almost nobody surfs the web with images turned off completely or with a browser security warning popping up before images are rendered.

    Yes, human attacks are the problem, but technical attacks are still the problem. If you can abuse a PNG-parsing bug to execute arbitrary code, then you don't need to break SSL. There is a hierarchy of technical components in the chain from user to secured resource, and if the weakest of them can be broken, then the rest can be bypassed.

  4. DaleLB says:

    Planky – Although you make a good point I disagree. I think the line between human based attacks and technology based attacks has become blurred. I think that's directly due to two factors: media exposure and end-user maturation via the ubiquity of computers in society.

    Over the past several years I've seen a marked decrease in subterfuge based attacks. However these types of attacks have become more sophisticated and more complex. That has required a significant increase in the technological prowess of the attacker.

    Either way the end game is still the same – separate the naive from their assets.


  5. WhyDontWeRed says:

    The best-kept secret in the fight against viruses and keyloggers is a company called HonorPC! They feature one-key recovery that leaves your documents, music, pictures, videos, and favorites intact! It works even if you have a problem that won’t allow Windows to start. I have done online banking on my HonorPC for almost three years and have never installed antivirus. I bought my HonorPC for $1,000, which included a 22” LG monitor and laser mouse. I recently got a Windows 7 upgrade from HonorPC and I’m very happy with it. Their web site is and they have their phone number right on the home page. You should check them out before they are bought out by a big computer company and banished from the face of the earth!
