Security & Privacy: Who’s to Blame for Viruses, Malware, & Ransomware like WannaCry?
Security and Privacy are two vitally important components of any successful society. Today’s connected world, where we carry computers in our pockets and share all our details on social networks, makes them even more so.
This section of Pocketnow is devoted to why security and privacy are important, how you can protect yourself in today’s connected world, and pitfalls to be aware of and avoid – with the objective of helping you and your loved ones stay safe in an ever-changing world.
If you haven’t heard, there’s a particularly nasty “ransomware” infection going around, it goes by the name “WannaCry” or “WannaCrypt”. Ransomware is a type of malware (“malicious software”) that infects a machine and holds your data hostage. To “unlock” it, or get it back, you have to pay a fee to whoever orchestrated the attack.
Many times that ransom must be paid using Bitcoin or some other type of “cryptocurrency”. If you don’t have any Bitcoin, no problem, you can convert some of your own currency into Bitcoin to pay them off – through a service which they recommend – which is probably fraudulent, and now has your credit card or (worse) your bank account ACH information.
Who, What, and Where?
Where does malicious software come from, what can you do to keep yourself safe, and who shares in taking the blame for it?
The most recent example of ransomware is with the WannaCry (WannaCrypt) exploit which is being spread to extort US$300 from people who have had their systems infected and want to get their data back. Ransomware is just like any other software you install on a digital device: it’s code that is written by someone to do something. In the case of WannaCry, the “who” is somewhat frightening.
“The WannaCrypt exploits used in the attack were drawn from the exploits stolen from the National Security Agency.” – Microsoft President and Chief Legal Officer Brad Smith
That’s right, according to Microsoft, we can thank the National Security Agency of the United States of America for doing the legwork. Sure, some scoundrels got ahold of the NSA code and used it for nefarious purposes – but the NSA code itself is nefarious! How bad is it? Smith went on to say that when the NSA lost control of the software behind the cyber attack, it was like “the U.S. military having some of its Tomahawk missiles stolen”, except instead of being able to blow up your house, bad guys can break into your computer and steal your data. Thankfully they only want money this time around.
Does the NSA share part of the blame? Absolutely. The agency should never have had that sort of code in the first place. It violates the Fourth Amendment Right to privacy and the agency’s policies circumvent the Warrant requirement found in the Bill of Rights. But the bad guys still hold the lion’s share of the blame.
Operating system and application developers write code which has bugs in it. As a software developer myself, it’s all but impossible to write code without bugs. Apps are built using libraries which are built upon other libraries, which… well, you get the picture.
Thankfully, that particular exploit didn’t hit our smartphones – but another one like it could.
WannaCry: So what’s a tech-savvy person to do?
First of all, don’t do risky things. Web sites or software which offer stuff for free, or let you download pirated music or movies usually come at a cost – and that cost is malware. Avoiding doing that one thing can protect you more than almost anything else.
Next, keep your apps updated. Yes, that means more data from your data plan, a bit of babysitting, and everything that goes along with making sure you’re running the latest version of all of your apps. When you only install them through the built-in app store, it’s not that difficult – but sideloading adds extra legwork to what you have to do to keep things updated.
Most importantly – and this is easier said than done – keep your operating system up-to-date. The latest version of Android, for example, is 7.1.2. If you’re not running a Nexus or Pixel, chances are that you’re not on the latest version of Android – which means you may not be running with the latest security patches and may have known exploits in the code you’re using every day. That’s a problem – and the presumed hole through which WannaCry was spread.
According to sources, the attack vector for WannaCry is identified at “EternalBlue” which exploits vulnerability MS17-010 in Microsoft’s implementation of the Server Message Block (SMB) protocol. Microsoft released a patch to plug the vulnerability which fixed several workstation versions of the Microsoft Windows operating system, including Windows Vista and Windows 8.1, as well as server and embedded versions such as Windows Server 2008 and Windows Embedded POSReady 2009 respectively, but not the older Windows XP.
Google knows that the current methods which OEMs use to build devices around the Android Operating System are unsustainable in their current implementation.
Right now, OEMs build their “vendor” modifications around the Android Operating system. Updates to Android have to be reworked into these modifications – which slows down deployment, and makes customers vulnerable to exploits.
To address this, Google is drawing a line between the Android OS layers and the vendor layer, calling it “Treble”. By cleanly separating the two, Google hopes updates to the underlying Android OS can be deployed faster – based on its name, perhaps three times faster.
There is a lot that we, as end-users, can do to minimize our risk. Operating system vendors and OEMs play their part, too. In the meantime, we need to put pressure on our elected officials, letting them know that developing and hoarding hacks, exploits, backdoors, and other software which are the tools of cyber-terrorists have no place in our society and should be shunned at all levels of government around the globe.
A government’s job is to protect the Rights of its citizens, first and foremost. Privacy being paramount among them.