why complacency is malware’s best friend

January 21, 2013 — 3 Comments


Recently, computers at two power plants were found to have been infected by three viruses that came from compromised USBs. All three were easily detectable by up-to-date anti-virus software, and both infections would have been easily preventable had the plant operators followed the simplest cybersecurity procedures. If our infrastructure were ever to be the victim of a powerful cyberattack, the exploits’ success wouldn’t be a testament to the skills of the hackers so much as an indictment of the shoddy practices of those who simply don’t understand how to secure critical systems and don’t care to learn. Very few attacks we see out in the wild are truly brand new and very sophisticated like Stuxnet, Duqu, Flame, Gauss, and Red October. Most target unpatched, poorly secured systems with easily exploitable administrator accounts or out-of-date servers and database engines, attacks on which have been all but automated by simple PHP scripts. If you’re wondering how Anonymous can topple site after site during an op, now you know.

For example, take the pillaging of Stratfor. How did Anons get into their system? By using easily crackable default passwords and reading databases that were never encrypted. What about the huge data leak from Sony in which hundreds of thousands of accounts were compromised? An unpatched server provided a back door. Periodic leaks of credit card numbers from point-of-sale systems you find at local bars and restaurants? Out-of-date operating systems exposing admin accounts to external systems, as is a typical industry practice. The ability to get into AT&T users’ accounts just by typing the right URL? Total absence of security checks on the company’s sites, checks that should’ve been tested before the sites ever went live. I think you get the point. Keep up with virus definitions, patches, and updates, test your software, don’t let external systems run as administrators on your network, and don’t stick random USBs into mission-critical computers. If you don’t follow these elementary practices, you, quite frankly, are begging to be infected and hacked, and considering that we basically live on the web today, that’s just reckless.

  • Liesl Mitchell

    I think … you spelled complacency wrong ….

  • TheBrett

    Agreed, and I’ve noticed that a lot of companies tend to drag their feet in making security-minded upgrades that might require additional modifications to their own proprietary set-ups. The company I work for has done that with upgrading out of Internet Explorer 8, although that’s a bit understandable (it requires upgrading to Windows 7 too), and they did at least upgrade to fix some of Java’s recurring nightmare vulnerabilities. Remember how many companies had to be dragged kicking and screaming into updating out of Internet Explorer 6?

    Man, in Stratfor’s case, it’s especially egregious. If you want to sell yourself as a big hotshot intelligence-selling company, don’t make yourself look like an idiot by getting hacked due to your failure to keep up with security updates.

  • gfish3000

    Impossible! No way! I never spell things wro… ah, well I’ll be, made a typo. Fixed. Thanks for letting me know.