Lessons from the Melissa mess
By Frank Hayes
04/05/99
Hurricane Melissa whipped through IT shops worldwide last week. By the time you read this, the worst of Melissa's effects — from floods of virus-laden e-mail to gale-force gusts from professional windbags — should have passed. Now that we're through the mail-strom, all that's left is the mopping up. And maybe, if we're lucky, the learning of some lessons.
After all, e-mailed macro viruses are nothing new, and Melissa won't be the last. Until now, nobody's taken them very seriously.
They were kid stuff, just annoying little scripts that only bothered users at the desktop, right? But nobody thinks they're kid stuff any more — not with hundreds of thousands, maybe even millions of corporate users affected by Melissa. Now is the time to start recognizing some realities in the wake of a virus crisis.
The desktop will always be corporate information technology's Achilles' heel. Desktop PCs give users the greatest power to wreak havoc, corrupt data and introduce security problems — and they're furthest from the IT shop's fanatical focus on security and data integrity. That means we've got a choice: Either we stay close to users, making sure they understand the importance of being careful about risks such as e-mail viruses — or we let them drag us straight down the tubes when they screw up.
IT shops respond faster than antivirus vendors, who respond faster than Microsoft. We wish it weren't so. We count on vendors to stay on top of bugs, problems and risks so we don't have to. But when trouble comes fast, we find out about it first — and we're the ones who have to deal with it.
Antivirus software isn't bad, but it isn't enough. Vendors can't see the future, and they can't stop stupid user tricks such as opening Word documents attached to e-mail messages.
Automatic macro execution isn't worth it. Shut it off. It turns any Word or Excel document into a grenade — and you don't even know it's a grenade until it blows up in a user's face.
Word documents attached to e-mail aren't worth it, either — but good luck getting rid of them.
If you want to spread a virus, sex is the way to go. Melissa was reportedly launched from the alt.sex newsgroup. A related virus called Papa probably got its start in alt.bondage. Now you know where corporate America spends its spare time. If these viruses had been posted in alt.business.internal-audit, we might not have heard about Melissa and Papa until the year 3000.
Bad guys read the papers and respond. As soon as reports hit the news that a security patch would block any mail with Melissa's distinctive "Important Message From" subject line, someone created a new version of Melissa — with the subject line left blank. When the papers reported Papa had a programming error that rendered it "sterile," some helpful soul corrected the bug and released the repaired virus. For people concerned with security, antivirus experts sure do have loose lips.
Users read the papers and get embarrassed. By last Monday or Tuesday they knew they shouldn't open e-mailed Word documents. If they did — and infected (or reinfected) their PCs — do you think they'd admit it?
Of course not. They'd just hope nobody noticed. Sure, they're idiots. But be sympathetic and offer embarrassment-free help — or you'll never get them to tell you about the problem. And you'll be mopping up after Melissa forever.
Hayes, Computerworld's staff columnist, has covered IT for 20 years. His e-mail address is [email protected].