Cyber Security – The problem with Malware

A friend of mine was in Las Vegas at the beginning of 2013—last stopover before flying home to Australia.  She had had a brilliant time in America seeing all the sights and shopping, and was enjoying herself, as you do in Vegas.  Returning to her hotel after seeing a show in another casino, she was walking across the car park when she stopped to pick up a USB drive that looked like it had been dropped accidentally.  It was new and had a Boeing insignia and logo on the front of it.

Instead of taking it to reception, she took it back to her room and plugged it into her laptop to see if there was any information that might tell her who it belonged to so she could return it. 

As the robot used to say—”Warning, Warning, Danger Will Robinson, Danger!”  She did what I have been trying to bang into everyone’s head for the last eight years not to do.  She opened it and looked at the contents.  On the drive was a large number of old photos (scanned black and white ones from the 40’s and 50’s—mainly planes and airports) along with an application that said “secret.exe.” 

I can see you cringing from here.  She ran the secret.exe file, and when it asked for elevated permissions to install, she just said yes.  That was the last time that she was able to use the laptop before she got home to Australia and we looked at it.  Lucky for her, she had a backup of all of her data, and we rebuilt the computer and restored everything.  (To err on the side of safety and caution, whenever a computer or smart device gets infected with any type of malicious code, the best thing to do is rebuild the computer and restore your information.  You can never be sure that you have removed all of the malicious code.)

Why did she do that?

No, she is not stupid.  In fact, she understands computers and information better than a lot of people.  What the bad guys had done was increase her trust while lulling her into a false sense of security.  They had left a USB drive in a spot that looked accidental, and was bound to arouse curiosity.  They had used the Boeing logo to build trust, they had used innocent-looking old photos to reinforce that trust, and because she made that leap of trust she was compelled to open the application.  This decision-making process was done unconsciously. 

So what happened?

The executable file was malware, with a definite payload aimed at infiltrating the casino.  It was designed to do a few things at the most basic level: to record keystrokes and report back to the command and control centre.  This is one of the ways that the criminals get you to willingly infect your computer.  There are many more. 

It is a lot easier for the bad guys to do the USB trick than to try to batter down the front door, the internet-facing system, the firewall.  The human target is a lot easier to compromise.  This attack vector is believed to be how the Stuxnet worm was delivered to the Iranian government’s secret nuclear plants.

This is how the bad guys work.  They use our weaknesses against us.  They build trust with their actions so that they can politely ask us to be stupid.  Our humanness is our downfall.  I have had a number of experiences over the last couple of years where I have been amazed that the bad guys would stoop to a level not considered human.  They include scam websites and e-mails taking advantage of the Fukushima nuclear catastrophe—using human willingness to help others as a way to rip them off.

When we encounter new information, we are curious—as a friend of mine says, “look, shiny!”—and with that, we click whenever we feel like it.  That is why there is one main concept that I try to emphasise when it comes to using computers, smart devices and the internet. 

The bad guys are out to get you all the time—so be paranoid!  No matter how good the situation, and how much trust they have built, always use common sense.  No one willingly gives you money, software, music and films.  Even the opportunity to help other people can be illusory.  Whether you’re getting information, hit songs or warm fuzzy feelings, the bad guys will always want something in return, usually something that you don’t want to give them.

Roger Smith, is an educator. Teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO at R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on Cybercrime and founder of the SME Security Framework. He is a Consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not for profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course which are considered to be the definitive guides to helping SME's protect their organisation using the principles of Technology, Management, Adaptability and Compliance.