Leader: What the security 'stitch-up' should teach us
'People are stupid', obviously, but we must learn more from it than what we already knew
You may have seen the news today about the stunt which set up City workers with a bogus special offer on CDs distributed to commuters arriving in the square mile.
You may even have been one of the unwitting guinea pigs. We're not looking for confessions.
The idea was that the CDs purported to offer a Valentine's-themed competition but in fact contained little more than some code which reported when the CD had been put into a PC and activated.
There was no malicious intent here, the code was benign but the idea was it would show how willing staff would be to accept a CD from a stranger and put it into their PC. Some of those who fell for this were logging on within banks and insurers – where any unapproved third party software should be a definite no-no.
That is a serious cause for concern, because the CDs could have contained anything. This situation could easily be replicated to get spyware onto machines and if you're a criminal handing out enough infected CDs in the City you're getting to strike gold sooner rather than later. You only have to look at the near-miss at Sumitomo Mitsui Bank – where spyware almost enabled a £220m robbery - to realise how damaging this could potentially be.
But is it a fair experiment? It's unusual, we'll say that of this effort from The Training Camp.
Some will question whether criminals would really act in this way but if it gets code through the front door and bypasses the firewall and other security measures, then why shouldn't they?
Nobody knew The Training Camp from Adam when they set up this stunt. They literally could have been anybody – irrespective of who they said they were and for that reason it's a worthwhile experiment if only because it shows simple social engineering – either online of offline – can still immediately make pretty savvy employees take leave of their senses.
Alarmingly one recipient of the CD didn't access it until 10:00(CET) – in Rome. At no point in the 14 or so hours since he was given the CD did it dawn on him that whatever was on that CD might not be something he wanted.
We may not be able to condone those sleepy employees whose minds on Tuesday morning were on roses and chocolates being duped into accepting and accessing a Valentine's-themed CD. But 14 hours thinking time and still falling for it, that's ridiculous.
Even innocent third parties make mistakes or ship a CD with something potentially damaging on. Just ask Sony.
So the message has to be clear – educate your staff and yourself about the dangers of double clicking on anything where you cannot vouch for the source, the reason you need to click and the contents you are expecting to see.
In 2006 we really shouldn't still be telling people this.