Wednesday, October 16, 2013

Bad guys just keep winning


The number of incidents I am seeing of people being infected with the Cryptolocker continues to escalate. Now before I launch into this rant here is information about the nasty:
http://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/
so you have been warned.
But how the hell can this be happening? How the hell can these sorts of things still get through and cause mayhem and destruction? Having lived through Nimda, Code Red, Melissa, Conficker and more, why is this all happening over and over again? Simple, technology is making it easier for the bad guys not harder. Am I the only one who acknowledges this fact?
I have written many, many times about how vulnerable society has become by creating such a dependence on technology. For example:
here - http://blog.ciaops.com/2013/03/a-gift-for-hackers.html
here - http://blog.ciaops.com/2008/07/why-bad-guys-will-always-win.html
here - http://blog.ciaops.com/2008/08/the-bad-guys-win-again.html
and here - http://blog.ciaops.com/2009/08/bad-guys-win-again-part-iv.html
but to name just a few.
And yet, the world seems to be again brought to its knees by a clever piece of code that is able to slip past all the ‘so-called’ filters, scanners, protection mechanisms and what not that are supposedly put in place. How is that? How can people still be clicking links and attachments they know nothing about? And why is everyone paying so much for what seems like so little protection? Is all this supposed ‘security’ actually making things worse by providing people with a false sense of security?
Simple, the weakest link is the wet-ware behind the keyboard (i.e. the human being). People simply don’t have any concept of the security risk they face on ANY device that is connected to the Internet or that receives email. And you know what? That is just about every single technology device we have today. EVERY SINGLE ONE. What is being done to educate people about IT security? Not much from what I can see. That is the REAL problem here.
The modern world continues to place its unmitigated faith in the march of technology, oblivious to the underlying risks and fragility it is creating. It also lives with this naive assumption that whatever is done on the Internet is also anonymous. They likewise jump up and down when they find out that the NSA is monitoring email traffic. Like DUH, emails have ALWAYS been sent in the clear so ANYONE could read them, DUH. It demonstrates how removed from technology the average person is. They happily use technology but have no IDEA how it works. That is always a dangerous recipe.
It makes NO difference where your information is. In your Office or in the cloud, if you are connected to the Internet you are vulnerable, full stop. The problem is others are also on the Internet so if you get infected then there’s a chance you’ll infect them. We are now more than ever all connected together and what happens in one place can have a huge impact thousands of miles away INSTANTANEOUSLY.
To me most of this anti virus software and filtering is a complete and utter waste of time. Don’t get me wrong, I have a certain set of tools and programs I use but my main weapon to remain secure is to concentrate on scaring the crap out of everyone I know (especially my family), constantly reinforcing what maladies will befall them if they click on something they shouldn't. Does that make them paranoid? You bet it does, but you know what? I am pretty sure none of them are going to get infected with this latest virus because they are more scared of me than this virus. Sometimes that’s what you gotta do to keep people secure.
So what’s the point of this post? Firstly, it is to express my utter disbelief in the existing security ‘industry’ that charges users billions of dollars every year and yet somehow fails to protect them. Is the problem the software or those charged with maintaining them? Hmmm… I could go on but secondly, it is to say that these problems are only going to continue because we are not dealing with the root cause - the idiots who click on unknown attachments and files sent to them. Here are my golden IT security rules for idiots that MUST be followed under pain of death:
1. Backup, backup, backup. That’s not being repetitive; it means back your stuff up at least 3 times.
2. If it seems too good to be true then it is. That means, that if there is any doubt then there should be no doubt.
3. If you don’t know, then ask.
I long for the day when society takes IT security seriously and develops solutions to EDUCATE people on how vulnerable they really are every time they access the Internet. Am I being paranoid? I sure am, because you know why? Only the paranoid survive when it comes to security. I’m paranoid and I’m proud of it. That is why the machines I look after don’t get infected. Sure, there is never 100% surety when it comes to dealing with human beings but you know what? Paranoia goes a lot further in my books than most of this other ‘so called’ protection I see out there today.