Why it's Okay to Be an Idiot (Occasionally)

Chris Cassell, Technical Team

Category:

  • Security Blog

We all do it sometimes.

People make mistakes. I do, you do, every person you‘ve ever laid your eyes on has made a mistake before and they will again. Normally these mistakes are minor; not doing your shoe laces up properly, forgetting to pack your power lead for your laptop in your work bag or pulling out at a junction and getting beeped at by someone gesticulating suggestions you do something anatomically unlikely.

Generally from these little faux pas, we move on, we live, we hopefully learn and if all goes well, we get to be better people for it.

However, sometimes the mistakes are more serious; you actually hit another vehicle when you pull out accidentally, you forget to order some medication that is vital to your health or ,most seriously of all, you put the milk in before the tea.

In these far more serious incidents it's important to tell other people to ensure the situation is contained. Your insurance company or a medical professional in the above examples - no one can help you with the tea problem, that's all on you.

By sharing this problem and by taking appropriate action, you stop the problem getting worse and contain the consequences. Your insurance company will start to arrange repair or replacement of your vehicle, medical cover for anyone injured or legal cover to protect you from being sued. A doctor can get you an emergency prescription and start sorting out your supply of urgently needed medication. In each instance, sharing the problem allows others to take action you cannot, benefitting you and everyone else involved.

In the world of computing and security, the idea is very much the same.

They are out to get you

It's a damning indictment of the modern age, but we are at more risk of crime now than we have ever been. While violent crime is falling slowly in a world with more and more state monitoring and increasingly advanced forensic science, financial and cyber crime is growing all the time. The truth is that the internet is as much a bane as a boon when it comes to keeping us safe.

As I write this, there are in excess of 100 types of ransomware alone. Ransomware is software designed to stop you being able to access the files on your own laptop by encrypting them so you can‘t read them. It's designed to attack everyone, but it's particularly effective against home users who are perhaps not very technically literate and who don‘t know what else to do other than pay the fee the bad people demand to return their files.

These people feel powerless, so they feel they have no choice but to pay up, because what else can they do?

Actually, quite a lot. Most ransomware is bought by people who aren‘t very technically literate either and it's not very good. In fact, a large proportion of modern ransomware is broken within weeks of it being released and ways to fix the problem (for free) is all over the internet soon after. So with a little patience and by asking a more technical friend, you could get your beloved cat photos and half finished existential poetry back for free.

Hell, some of the cheaper ransomware don‘t actually do anything at all. They say they have, but without some help, people assume it must be true and pay. A more capable eye would be able to spot this and again say, “Don‘t worry its fine”. Problem shared, problem halved.

That is just one type of bad program and there are many more out there. Still, the common factor is, in most cases, sharing the problem can help. I can‘t promise you‘ll win every time but the bad people will keep at it as long as people pay or give away their banking details or take their infected machine in to work and infect there as well. So it's time to fight back, and the key step in fighting back? Well that's to admit that you made a mistake.

No one person has all the answers

Criminals are generally feckless, cowardly, lazy and a little bit stupid. However like any pool of humanity, buried among the great deal of rough are a few diamonds, people who are capable of thinking outside the box. These are the people who in recent years have started pulling parts of the cybercrime fraternity together. They have started forming groups, combining resources, sharing infrastructure, taking what works from their various enterprises and combining them to become better. Crime is evolving and it's doing this because they realise that it's better to share, better to take that 50% of something than the 100% of nothing that working alone might offer.

Yet while criminals are starting to work together, we as their victims still continue to stand alone far too much of the time, and that gives the advantage to the bad guys. When someone pays a ransomware bill. When someone fails to report their machine acting slow and weird. When someone plugs in the wrong USB drive which they know they shouldn‘t do but it's alright because nothing happened, right?

In each of those instances we hand power to the criminals, we stand alone against people who count on that very fact to get away with their crimes.

We should stop that, don‘t you think?

We all do it sometimes.Making the world a more secure place is everyone's duty (yes even yours)

If you ask me it's about time we started fighting back, each and every one of us. I‘m not saying each person on the planet needs to become a cyber security expert but everyone has their part to play.

There are basic things everyone can and should learn to protect themselves; use a virus scanner, keep it up to date, don‘t open up unexpected e-mails, don‘t plug random devices in to your personal computers, don‘t use the same passwords all over the place, don‘t tell anyone your password ever (even if they ask really nicely).

Still, you can do all these things and more and still be vulnerable, because each and every day the criminals are spending a whole lot of time and effort to think of new ways to attack you. They are crafty, and those diamonds in the rough are clever and work tirelessly to make it impossible for any one person to fight them. So don‘t fight them alone.

How will this work?

So you did something daft. You opened an attachment on an e-mail from someone you didn‘t know and it run something. You don‘t know what it did but it all seems fine, so you don‘t report it because, well, it's embarrassing to admit you did something silly like that right?

Frankly yes it is but that's because we as a culture are looking at this in the wrong way.

You‘re not a fool for accidentally opening that e-mail attachment! You‘re a pioneer! You‘ve taken one for the team, you‘ve put yourself at risk so that others don‘t have to. Frankly you are a hero (provided you don‘t do it every week).

So report it. If it's your home PC, report it to the correct authorities (Action Fraud if you‘re in the UK for example). Report it to your IT team if it's your work machine or e-mail. Get the word out there, so they can look into that problem for you. Am I promising that doing so makes you safe? No. Am I promising they can fix your problem immediatly? No.

It certainly increases the odds though. The more information that the security people have to work from, the sooner they can pin down the problem and make a fix for it. The sooner it's fixed, the less damage it can do to you and everyone else.

Let's expand that theory out shall we? Say you report a problem, it's too late, and you lost money from your bank account as someone steals your details. Well, you‘ve reported it to the authorities and you‘ll report it to your bank. And guess what? They‘ll give you that money back as you‘ve got a reference number from the appropriate authority and banks have fraud protection.

So you suffer a little pain, but in the process, you‘ve tipped off the right people to the problem and they‘ll fix it. Soon everyone will be immune to that problem, the sooner that process starts, the sooner that fix occurs. You have just saved a lot of other people that same heartache.

Let's zoom out again, what if everyone started doing that. What if every time a criminal tried to exploit someone, whether they made a mistake to let it happen or not, they reported it and the problem was fixed quickly and efficiently. We didn‘t work alone, in silence, but we all pulled together to fight back. Sure, one day it might be you that suffers a little unpleasantness until it's fixed. Still, what are the odds of it being you next time?

If a few billion people admitted to their mistakes and worked towards a solution together, we might be on to a winner.

Leave a comment




Comments (0)

Latest News

  • Cyber Best Practice and the CNI

    The importance of information sharing to support the development of cyber security best practice across the critical national infrastructure. ...Read more

    18/03/2017

  • Measured Boot & Measured Execution for Device Health

    Using Measured Boot & Measured Execution with Remote Attestation to measure Device Health with Paradox OS ...Read more

    18/03/2017

  • Debate Security

    The first Debate Security briefing took place on 26th February 2019 in Canary Wharf in London, bringing together senior executives across multiple industries to spark a cyber-risk discussion that compared and contrasted approaches between government and the private sector. ...Read more

    18/03/2017