Rickrolling and Web Security

What can Rickrolling teach us about web security?

Rickrolled
I am a product of the 1980s music genres and I enjoy 80s blasts-from-the-past as much as the next person. However, I must admit that I completely loathe the Rick Astley song "Never Gonna Give You Up". The practice of Rickrolling has been around for many years now, and I must admit it is funny. Rickrolling also highlights a key web security issue: people indiscriminately click on links without knowing where they may lead.

The practice of Rickrolling hasn't faded into the ancient history of Internet memes. Recently, the video used for Rickrolling went missing but was then restored, to the appreciation of many. There was also the recent Rickroll worm that targeted iPhone users: it changed the background of jailbroken iPhones to a picture of Rick Astley with the words "ikee is never going to give you up".

As attackers turn their attention to new forms of browser vulnerabilities, the iPhone is becoming an increasing target. I suspect that this year we will see more web vulnerabilities that target smartphones and netbooks.

The key security issue highlighted by Rickrolling is that people haven't got into the habit of inspecting hyperlinks before they click on them. Rickrolling works like this: a person creates a link and sends it to their frenemies, and when they click on it they are redirected to the Astley video, which immediately starts playing. The link sent to the unknowing user looks legitimate, but it is misleading, and their web browser is misdirected to the awful video.

These web security issues are easily constructed using URL shortening services like TinyURL.com, bit.ly, and ow.ly. Browser add-ons that show the full URL are becoming available in response to these threats. For example, the "Long URL Mobile Expander" for Firefox can help show you where your browser will end up if you click on one of those shortened URLs.
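An added example (not code from the original article or from any of the add-ons it mentions) of what such an expander does under the hood: it asks each hop for its redirect target without letting the client follow it, so the whole chain is visible before anyone clicks. It uses only the Python standard library; the `fetch` parameter is an assumption that lets the chain-walking logic be exercised without network access.

```python
import urllib.request
import urllib.error
from urllib.parse import urljoin

REDIRECT_CODES = (301, 302, 303, 307, 308)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None tells urllib NOT to follow the redirect, so each hop
    surfaces as an HTTPError carrying the Location header we want to read."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_head(url, timeout=5):
    """Issue one HEAD request and return (status, Location header or None).
    The redirect is deliberately not followed."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:
        # With redirects disabled, urllib raises HTTPError for 3xx responses.
        return e.code, e.headers.get("Location")


def expand_url(short_url, fetch=fetch_head, max_hops=5):
    """Walk the redirect chain hop by hop and return every URL visited.
    The first entry is the short URL, the last is where a browser would end
    up (or where the walk stopped: a loop or the hop limit). `fetch` is
    swappable so the logic can be tested with constructed responses."""
    chain = [short_url]
    current = short_url
    for _ in range(max_hops):
        status, location = fetch(current)
        if status not in REDIRECT_CODES or not location:
            return chain               # final destination reached
        nxt = urljoin(current, location)   # Location may be relative
        chain.append(nxt)
        if nxt in chain[:-1]:
            return chain               # redirect loop detected
        current = nxt
    return chain                       # hop limit hit; chain still useful


# Usage against a live short link (network required):
#   print(" -> ".join(expand_url("http://<shortener>/<code>")))
```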

These types of attacks have been highlighted by the way social media sites have been used to spread malware. When someone gets a message from a friend, they are far more likely to click on the link because they have an implicit trust in their friends. This trust is easily exploited via e-mail and social networking sites. Recently the social media worm Koobface used Facebook and Twitter to spread malware.

The past two years of CSI annual security reports indicated that most organizations spend less than 1% of the security budget (which is typically 5% to 8% of the total IT budget) on security awareness training. The CSI report also showed that the majority of security experts feel that amount is too little. It is important to teach end-users about each of these complicated security issues. Educating users about the dangers of indiscriminately clicking on every link can help them avoid these web threats. It is true that a little bit of security awareness training can go a long way.

Security awareness training doesn't have to cost a lot of money. There are many sources of free information, and it doesn't cost anything to periodically send e-mails to the end-user population letting them know about the most recent threats and enlisting their cooperation in helping the organization remain secure. Security awareness training can consist of CBTs, actual classes, videos, posters, e-mail reminders, new hire orientation, and continuing reminders. Employees should be trained on what is expected of them and what needs to be protected. We need to educate them on the security aspects of physical access, passwords, viruses, e-mail attachments, web browsing, hoaxes, social engineering, and the risks to information at rest and in transit. A good source of security awareness training information can be found within the NIST 800-50 and 800-16 guidelines. Security awareness training can cost very little but have a large ROI.

Do you have an appropriate use policy that end users sign? Is it enforced as a condition of employment? The fact remains that some employees engage in risky behavior regardless of corporate policies. We need to make sure the employee knows this is not their computer but rather an asset of the company. Oftentimes, users do not understand policies, procedures, standards, and best practices. Even when they do understand them, the policies are violated because there are no consequences and they are not enforced.

Maybe we can leverage the practice of Rickrolling to help teach our users that they should be careful what they click on. If they click on the malicious link, they are subjected to the video as punishment.

Let's be careful out there.

Scott
