Riverbank Ruminations: Why Me?

In a security awareness class I was recently teaching, I was asked “Why do they do this?”, referring to malware and phishing. The simple answer is: money. If the bad guys can persuade you (phishing) or force you (ransomware) to give them money, they will. Studies show that 1 in 10 people will respond in some fashion to a phishing email. Let’s assume that only 1 in 10 of those will go past the first exchange and that only 1 in 10 actually give money, there is a lot to be had from careless, uninformed or gullible people. These days, botnets can consist of hundreds of thousands of devices. These can be a computer, a security camera or any of a host of IoT devices. Millions of spam emails can be sent with the intent of parting you from your money. Even a hit rate of one in 10,000 can be profitable, considering how inexpensive it is to run these scams.

TVs?  Cameras?  They Can Be Compromised, Too

I thought that seeing ransomware on a television set was strange, but devices infected with ransomware span a wide spectrum. One that recently caught my attention was one that affects Canon cameras. As with many devices not thought of as network devices, there is software on the camera that has no security. The malware goes from the PC to the camera. Imagine you are a wedding photographer and you have just finished shooting a wedding and all the pictures for your client are on the camera. You see the lock screen on your camera stating that, for a price, you can have your pictures back. That would be bad, and it would put you in a position where you might consider paying the ransom.

Financial Gain Isn’t The Only Reason

While financial gain certainly is the most prevalent reason for malware attacks, it’s not the sole reason. As stated in this article:
“Most hackers are criminals; they are after quick payoffs, not the destruction of hardware. Usually, it’s something that can be easily monetized like Bitcoin or credit card numbers.” For hackers, there’s not a lot to gain by expending many resources to try to destroy one person’s computer or even an office network.
However, there are other reasons to distribute malware. You may have heard about attacks on Iran’s nuclear program. The malware distributed there caused enough physical damage to the facilities (by causing equipment to malfunction) to essentially stop the work completely. That physical destruction was the goal of the malware. Sometimes there is physical destruction as a side effect.

Cryptomining Gains Popularity

Back in 2017, crypto-mining malware started making the rounds on phones. One article on the Loapi Trojan stated;  But the worst aspect of Loapi is the way it uses handsets to mine Monero. After just two days of exploiting a phone’s electricity and hardware, researchers found the constant load had caused the device’s battery to bulge and deform the cover. “We’ve never seen such a ‘jack of all trades’ before,” said Kaspersky Lab’s researchers. “The only thing missing is user espionage, but the modular architecture of this Trojan means it’s possible to add this functionality at any time.”  Damage to a physical plant through manipulation of control systems is not far fetched, as this article explains. This type of damage could expose a business to extortion if the network is compromised, which brings us back to financial gain as a motive.

Even The Innocuous Are at Risk

There are some other motives for malware. Malicious ex-spouses, business partners, etc. have been known to go to great lengths to ‘punish’ someone they feel has wronged them. This could lead to hacking home networks and setting thermostats, smart bulbs, etc. One might be mad enough to harm someone physically.
Even something as innocuous as a speaker can be weaponized with malware. While this was only done by a researcher, it is possible, and it won’t be long before it becomes something in the wild. As mentioned in the article: “We are currently in the undesirable situation where a member of the public can purchase a $20 device that can be used to expose another human to sound pressure levels… in excess of the maximum permissible levels for public exposure,” Timothy Leighton, a researcher at the University of Southampton wrote in the October issue of The Journal of the Acoustical Society of America. Is there any way to protect against this threat? From the same article: Crucially, manufacturers could physically limit the frequency range of speakers so they’re not capable of emitting inaudible sounds. Desktop and mobile operating systems could alert users when their speakers are in use or issue alerts when applications request permission to control speaker volume.

Manufacturers Need to Step Up

Essentially, manufacturers need to build in some level of security. This is true of all Internet of Things (IoT) devices: your computer, phone, etc. If it has good security, set it up and use it. If you are connecting to the internet, you need to do as much as you can to secure your connection and your data. Most importantly, we need to be our own security team or get someone who can do it for us. Otherwise, the answer to “Why me?” will be ‘It’s your own fault’.  To learn more about security awareness training for you team, give the Ashton team a call at 216 397-4080.