So, you've installed a reputable anti-virus package on the family computer, cranked up the security on your wifi router, adopted a smart strategy to keep track of your passwords, and educated the whole family on how to recognize phishing and harpoon scams. Your network and computer systems are now secure, and you can sit back and rest easy, right? RIGHT?
Sadly, computer security is an ongoing cat and mouse game between the hackers and the hackees, and you have to be ever vigilant. All it takes is one momentary lapse of judgment and your system can be infiltrated. As a case in point, consider the subtle approach Netragard, a security firm, recently used on behalf of a client. Netragard published the complete details of their tactics on their blog:
The blog goes on to discuss Netragard's diabolical solution, which was to MacGyver up a couple of Logitech mice with a hidden USB memory stick containing a custom autorun payload. The mice and a convincing cover letter were then mailed to selected employees, and it was only a matter of time until the city of Troy fell to the Trojan Mouse. Or, in the words of the Netragard guys:
Cool, but scary, right? Admittedly this is an extreme case, and your average script kiddie is not about to start mailing out mice or thumbdrives to thousands of potential targets. Still, physically connecting anything to a computer presents some risk. Another example of the potential for harm relates to the USB charging kiosks that have started to appear in airports, malls, and other public locations. A posting over at the Krebs security blog discusses how such a kiosk was hacked up at DefCon to educate attendees about the perils such charging stations present:
In keeping with their goal of educating, rather than exploiting, attendees, the kiosk flashed a red warning message when a user plugged in a device:
So, what did we learn from all of this? Well, we learned that IT security is non-trivial, and that if someone really wants into your systems, you face a real challenge to keep them out. The risks you face can come from rogue websites, script kiddies, email scammers, social engineers, or even hacked USB hardware. There are no guarantees, but reasonable precautions are better than blissful ignorance.
As the security guys like to say, security is an ongoing journey, not a destination. You have to keep up to date with the evolving risks, and continue to evolve your defenses accordingly. It's not exactly fun, but there's enough at stake that you can't afford to get lazy or sloppy, ever.
If you're interested in the full stories mentioned above, check out the Netragard blog posting or the Krebs posting.