Cybersecurity Awareness Month: 10th anniversary, 10 topical tales

library
crime | hacking | security

October 2013 marks the tenth anniversary of the USA’s annual Cybersecurity Awareness Month (CSAM).

So we thought we’d have some fun, and come up with ten topics, in vaguely chronological order, that have burst into our collective security concerns at various times in the last decade.

We’ve been eclectic, wandering from the hand-wavingly general to the pointedly specific, but it’s all in a good cause.

We hope the list will encourage you to think more critically about cybersecurity, and to ask yourself, “Why does this matter?” when you come across a new issue.

→ Have no fear. We aim to convince you that cybersecurity matters without falling back on grandstanding terminology like “cyberwar” or “advanced persistent threat.” You’ll hear those words here only, simply to hear that you aren’t going to hear them again.

Here goes.

1. Warhol Worms

Viruses like CodeRed (2001), Slammer (2003) and Blaster (2003) caused havoc. They spread automatically over the internet, breaking into other computers and networks without human intervention.

Some speculated that the internet might simply implode under the ongoing load of these “Warhol Worms”, so called because they’d be limited to 15 minutes of fame, after which everybody in the world would be infected.

Many of us began to make at least some effort at patching, and of removing servers from the internet that didn’t need to be there; Warhol Worms never happened.

The internet survived.

2. Spam

At the start of the 2000s, spam was heading out of control. Some even suggested that it would kill email for ever.

Most of us adopted spam filters, including reputation filtering, a technique that aims to drop connections from spam sending computers before they even begin to deliver any messages.

Email lives on.

3. Phishing

Tricking users into giving away their usernames and passwords through bogus login screens is an ancient pastime, but in 2001, crooks successfully turned the technique against online payment company e-gold.

From then, it was Game On for the cybercriminals.

Fake logins still trap the unwary into giving away online account credentials, but we’re learning to be more careful when we login.

We’re also learning to avoid using (and not to send out) links in emails that lead to sign-in screens.

Returns for the crooks are diminishing.

4. Botnets

Downloading instructions from a central server to your PC for distributed computing tasks was all the rage in the 1990s, as a fun way for the community to solve problems such as cryptographic cracking.

The crooks quickly copied this approach for their own ends, notably to boost their spam volumes by bringing a raft of innocent bystanders on board as email senders.

Bots, or zombies as they’re also known, are still a huge threat – even high-profile US credit bureaux are known to have been infiltrated.

In most cases, a scan-and-clean with an up-to-date anti-virus can work wonders.

Don’t delay. Do it today.

5. Fake anti-virus

In the 1990s, anti-virus companies were routinely accused of writing all the viruses in order to charge for cleaning them up.

It wasn’t true, but the claim gave 21st century cybercrooks an idea: charge people for *not* cleaning up viruses! Just pretend they’re infected, take their cash, and then pretend they’re clean.

Easy counterploy: if the scan is free but the cleanup suddenly costs money, you know it’s a ripoff.

6. Social networking

We’ll be honest. When we say “social networking,” we really mean, “Facebook.”

It’s changed our lives, but has made many people very casual about privacy, since part of the fun is to make “friends” online, and to share things with them that perhaps you ought not to.

If in doubt, don’t give it out.

7. Metasploit

The first open source version appeared in 2003; the product hit the mainstream in 2009 when it was bought by a commercial company.

To be blunt: it’s a toolkit that helps you break into other people’s computers using pre-packaged exploits.

But it’s also a great penetration testing and quality assurance tool, since it makes it easy to validate (assuming you have permission!) that patches and fixes really have worked as intended.

Anyway, like many computer security tools, it’s a double-edged sword that’s here to stay, so you may as well learn to stop worrying and love this sort of software.

8. Bring Your Own Device (BYOD)

You’ve bought a new-fangled smartphone or tablet with your own after-tax earnings. You like it more than the device that work issued to you – much more!

You don’t want to carry two devices everywhere, so you’ll do an hour of extra work each day, for free, if only the company will let you get at your email, or your sales leads, on your iPad or your Android.

Should your IT guys agree?

Make it easy for them: if you expect IT to give up its “thou shalt not pass” attitude and say “Yes,” then be prepared to meet them half way and give them joint control over your personal device.

9. Lulzsec

Perhaps the only hacking group in history dedicated to stealing and revealing your data simply to try to put the fun back into security.

Some in the security industry grudgingly suggested that they’d done us a favour by reminding us how permeable our online database portals were.

But law enforcement didn’t see it that way. Several of the members have been identified, convicted and sent to prison.

10. Surveillance

We’ve spent the past five years or so willingly giving away as much about ourselves as we can via social networking, so our friends can keep track of us online.

And now we’ve been told that, all through that time, intelligence services from the US and its allies have been making a serious effort to keep track of us online.

Many of us seem surprised. (And some of us can’t see the irony, either.)

Where to for CSAM’s 20th anniversary?

Cybersecurity matters because there is a whole underweb of cybercriminals waiting to take money out of our economy if we give them half a chance.

So let’s make an effort to give them less than half a chance.

As we’ve said before, treat Cybersecurity Awareness Month as an incentive to change your digital lifestyle for the better, on a long term basis.