Will LoveLetter Ultimately Do Any Good?

Gary C. Kessler
May 2000

This article appeared in the SECURITY PERSPECTIVES portion of Security Wire Digest, Vol. 2, No. 18, May 15, 2000 (An on-line publication of Information Security Magazine).

The rear door of 727 aircraft cannot be opened during flight because of D.B. Cooper. Medicine bottles are in tamper-proof packaging today because of the Tylenol deaths in 1982. A stoplight is put up after enough people are killed or injured at a dangerous intersection.

I was thinking about these things in the aftermath of VBS.LoveLetter. Even as I helped colleagues and clients clean up last week, I had to wonder why this virus spread so quickly and did so much damage.

I don't believe that LoveLetter is a harbinger of things to come. LoveLetter is The Thing that has come. Most of the reports about LoveLetter have compared it to Melissa, which hit in March 1999. Actually, Melissa was pretty tame compared to what it might have been, since it was more annoying than destructive. In addition, the actual worldwide monetary damage of Melissa was somewhere between $93 million and $385 million, according to ICSA.net. Compare that to the damage of LoveLetter, which is expected to exceed $1 billion once the dust settles.

Will there be more such viruses? Probably. LoveLetter, at least, was distributed in a script file that could be read with a text editor, so many of us could start preparing our own fixes. The next viruses will not be so easy.

Microsoft products continue to be the software-of-choice for distributing viruses--and generally wreaking havoc. The Outlook preview function can execute code before the user gets a chance to look at it, which makes no sense in today's environment. A new virus strain can affect users if they merely have the latest version of Internet Explorer on their system (using the default security settings)--whether or not they open the attachment, and regardless of which e-mail client they use. Too many software products default to a mode in which they automatically execute macros and scripts in the name of convenience; and while the vendors all claim that these features can be disabled, they hardly go out of their way to suggest this to their customers.

Microsoft's response to LoveLetter has been noteworthy. Rather than seize this opportunity to educate users about how to balance convenience and protection, they instead minimized the security impact of viruses by declaring them a "social phenomenon." They have also made the disingenuous claim that breaking up their company will result in software that will be even harder to protect against viruses.

This is, of course, horse hockey. Why? The answer is biodiversity. It is the same reason that forests populated with a single species of tree are wiped out by a single bug while diverse forests are much hardier. It is the same reason that we usually do not purchase our firewall, router, proxy server and antivirus software from a single vendor.

While the antivirus software vendors responded quickly to LoveLetter, they continue to be in a largely reactive mode. New viruses, then, will always take them by surprise when first released in the wild. Are antivirus products no closer to a rules-based mechanism that will "detect" virus activity patterns (through so-called heuristic scanning), even in the absence of a known signature? What about mail servers that are smart enough to screen out active content and/or sound an alarm when large numbers of the same file attachment appear at once?

In the final analysis, individual users must accept the responsibility for spreading viruses. Why? Because we have the most to lose. Why are people opening attached files they are not expecting? Aren't users the least bit suspicious when they see 23 e-mail messages with the same subject line and attached file? How many users are aware of the inherent security risks of their software and take adequate steps to protect themselves?
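The two signature-free checks suggested above (a mail server that screens active content, and one that sounds an alarm when many copies of the same attachment arrive at once, the "23 e-mail messages with the same subject line and attached file" a user should have noticed) are easy to sketch in code. The following is an added example written for this column, not software from the article or any vendor it mentions. It assumes a constructed tab-separated gateway log format (`time`, `from=`, `to=`, `subject=`, `attach=`), an assumed list of script and executable extensions, and a burst threshold and time window that a real deployment would tune; the sample log lines and addresses are constructed.

```python
"""Mail-gateway heuristics: flag script attachments and alarm on mass-mailing bursts."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Extensions the gateway treats as active content (assumed list, not from the article).
ACTIVE_CONTENT_EXTENSIONS = {
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
    ".exe", ".scr", ".pif", ".bat", ".cmd", ".com",
}


@dataclass
class MailEvent:
    when: datetime
    sender: str
    recipient: str
    subject: str
    attachment: Optional[str]


def parse_line(line: str) -> MailEvent:
    """Parse one line of the constructed log format:
    '<ISO time>\\tfrom=<addr>\\tto=<addr>\\tsubject=<text>\\tattach=<name or ->'."""
    fields = line.rstrip("\n").split("\t")
    when = datetime.fromisoformat(fields[0])
    kv = dict(f.split("=", 1) for f in fields[1:])
    attach = kv.get("attach", "-")
    return MailEvent(when, kv["from"], kv["to"], kv.get("subject", ""),
                     None if attach == "-" else attach)


def classify_attachment(name: Optional[str]) -> Optional[str]:
    """Return a finding for attachments that execute when opened, else None.
    A double extension such as 'report.txt.vbs' is reported separately because the
    'txt' part is all a user sees when the mail client hides known extensions."""
    if not name:
        return None
    parts = name.lower().rsplit(".", 2)  # keep at most the last two extensions
    if len(parts) < 2:
        return None
    if "." + parts[-1] not in ACTIVE_CONTENT_EXTENSIONS:
        return None
    if len(parts) == 3 and "." + parts[1] not in ACTIVE_CONTENT_EXTENSIONS:
        return "disguised-active-content"
    return "active-content"


def detect_bursts(events, threshold: int = 10, window_minutes: int = 10):
    """Sliding-window count of identical (subject, attachment) pairs; emits one
    alert per pair the first time `threshold` copies fall inside the window."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e.when):
        if ev.attachment is None:
            continue
        key = (ev.subject, ev.attachment)
        q = recent[key]
        q.append(ev)
        while q and q[0].when < ev.when - window:  # drop copies older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "subject": ev.subject, "attachment": ev.attachment, "count": len(q),
                "recipients": sorted({e.recipient for e in q}),
                "first_seen": q[0].when, "last_seen": ev.when,
            })
    return alerts


def scan_log(lines, threshold: int = 10, window_minutes: int = 10):
    """Return (per-message active-content findings, burst alerts) for a log."""
    events = [parse_line(l) for l in lines if l.strip()]
    findings = [(ev.recipient, ev.attachment, classify_attachment(ev.attachment))
                for ev in events if classify_attachment(ev.attachment)]
    return findings, detect_bursts(events, threshold, window_minutes)


def _mk(minute, sender, rcpt, subject, attach):
    return (f"2000-05-04T08:{minute:02d}:00\tfrom={sender}\tto={rcpt}"
            f"\tsubject={subject}\tattach={attach}")


# Constructed sample log: one benign spreadsheet, a burst of eight identical script
# attachments in eight minutes, a lone executable, and a straggler outside the window.
SAMPLE_LOG = [
    _mk(0, "alice@example.org", "bob@example.org", "Quarterly budget", "budget.xls"),
    *[_mk(1 + i, f"user{i}@example.org", f"user{i + 1}@example.org",
          "Invoice attached", "INVOICE.TXT.vbs") for i in range(8)],
    _mk(15, "carol@example.org", "dave@example.org", "Installer", "setup.exe"),
    _mk(40, "erin@example.org", "frank@example.org", "Invoice attached", "INVOICE.TXT.vbs"),
]

if __name__ == "__main__":
    findings, alerts = scan_log(SAMPLE_LOG, threshold=5, window_minutes=10)
    for f in findings:
        print("FINDING", *f)
    for a in alerts:
        print("ALERT", a["count"], "copies of", a["attachment"], "to", a["recipients"])
```

The burst detector keys on the exact subject and attachment name, which is enough for a worm that mails a fixed file; a gateway would normally key on a content hash as well so that a renamed attachment is still counted. Both checks are intentionally signature-free: the script-extension rule blocks the class of attachment rather than a known sample, and the burst rule fires on the mass-mailing behaviour itself.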

This comes back to local security policies, and our responsibility to help users understand that the Internet has many similarities to the real world, but is much more extreme. Users cannot depend solely upon others to protect them, but must be vigilant themselves. Organizations need to teach and demonstrate the correct behavior to their users, and users have to be held accountable. How many companies "punish" users who repeatedly forward viruses because they don't use the tools that are made available? How many companies reward users who proactively detect and report viruses or other suspicious activity?

There's been a lot of hand-wringing and pontification since LoveLetter came out. What there's been little of is anyone standing up and accepting the responsibility to effect some change. Opinions about this incident have been all over the map, from anger and outrage, to insulting the virus' author as a poor programmer, to decrying viruses as the spawn of the devil. None of this is a solution. As with other aspects of security, halting the spread of viruses requires a combination of technology, policy and user education to build the cyber-equivalent of antibiotics and basic hygiene. Prevention continues to be the best medicine.

Gary Kessler (kumquat@sover.net) is a contributing writer for Information Security Magazine. More information about Gary can be found at www.garykessler.net.