Shields Up: Get Your Malware Shots
How reporters can prepare for malicious software
Computers are fragile things. You have to take care of them. When you don’t, their powers can be borrowed or stolen.
Malware lets an unauthorized third party access or take control of your device. In practice, it’s become a catch-all term for a huge variety of malicious software. That could include software that hijacks computing resources, lets an attacker monitor your screen, keystrokes, and microphone, or effectively turns your device into an expensive brick.
Many types of malware are designed to evade detection, while others make their presence quite clear. Just as you wash your hands to minimize health risks, the good news is that we can adopt some basic habits to minimize security risks before they become problems. We can think of these habits as routine security hygiene.
Vaccinate Your Computer
In early 2017, security engineers at Microsoft saw something in the distance, lighting up the sky. A fire. A security dumpster fire. And they were going to put a stop to it.
Back in March, Microsoft released a security update for this particular flaming receptacle, but many users didn’t install the updates, leaving them vulnerable to a nasty piece of malware we now call WannaCry.
WannaCry encrypted over 200,000 web-connected Windows machines in dozens of countries, making their files unreadable to users. The malware demanded a $300–600 ransom for the release of victims’ files, to be paid in the electronic currency, Bitcoin. Luckily, it came with a helpful interface.
WannaCry was designed to worm itself through the web, searching for vulnerable ports that allow us to transfer data to and from devices. If the ports were open and you had an unpatched device, you might’ve gotten a lesson in sending Bitcoin to strangers.
Warning for Monday: If you turn on a system without the MS17-010 patch and TCP port 445 open, your system can be ransomwared.— MalwareTech (@MalwareTechBlog) May 15, 2017
Now, if you’re not familiar with the inner workings of your network router, that’s okay. You didn’t have to tinker with network ports to avoid the WannaCry attack. You didn’t have to know about the Server Message Block, Bitcoin, or any of this stuff. If you patched Windows immediately, you were fine.
As soon as security teams at Microsoft, Google, Apple, and other organizations notice vulnerabilities in their recent operating systems, they’re scrambling to make corresponding software updates. The same is true for the software that runs on top of the operating system.
The malicious software ecosystem is an evolving game of cat and mouse. Both benevolent security researchers and less-friendly hackers discover new vulnerabilities and develop new exploits. They also reengineer old malware into new variants, and companies patch in turn. Over and over again.
With the growing scale of these attacks, news orgs will inevitably be hit. At least one already has been: shortly after the WannaCry outbreak, a Bay Area public radio station fell victim to a separate ransomware attack.
As the ransomware crawled its way through their network, targeting other connected devices, it encrypted the station’s hard drives, knocked their email server offline, and wiped their pre-recorded segments.
Your computer is propped up by an ecosystem of humans who work hard to protect it from regularly-mutating attacks. Updates are our strongest defense.
Antivirus Won’t Save You
There’s a common misperception that antivirus software solves your malware problems.
In a 2015 study, researchers examined what experts and ordinary users considered the most important security practices.
Experts were far more likely than non-experts to prioritize installing software updates, while non-experts were more likely to prioritize antivirus.
Antivirus is somewhat controversial in the security community for a couple of reasons. Antivirus is quite good at two things: stopping known malicious files, and stopping files containing code known to do malicious stuff.
One of the ways that virus scanners work is by comparing a file’s hash to the hash of a known, malicious file. A hash is a fixed-length string of letters and numbers computed from the file’s exact contents, so any two byte-identical files share the same hash. For example, the file petwrap.dll might have a hash like this:
You can look it up on a site like VirusTotal for analyses from dozens of antivirus tools.
The problem is that changing a tiny bit of the code will change the hash, allowing malicious files to bypass scans. We therefore see huge variation in the design of malware. In fact, on Windows, about 96% of fresh malware files have never been seen before.
If the malicious file’s behavior looks very similar to a previously known malicious file, that’s also a flag.
In other words, antivirus is good at catching familiar files and code, but it only takes a somewhat unique-looking piece of software to bypass.
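The two detection methods described above, as an added example that is not part of the original article: a hash blocklist catches only byte-identical files, so a one-byte change to a known sample evades it, while a content signature (a byte pattern lifted from the known sample) still fires as long as that code is present. The file contents and the signature here are constructed stand-ins, not real malware.

```python
import hashlib

# Constructed stand-ins for file contents; these are not real malware samples.
KNOWN_BAD_FILE = b"MZ\x90\x00" + b"demo-dropper: encrypt-all-documents" + b"\x00" * 16
# One appended byte: the kind of trivial change that yields a "new" variant.
VARIANT_FILE = KNOWN_BAD_FILE + b"\x01"
CLEAN_FILE = b"%PDF-1.4\nhello from a harmless document\n"

# A "signature" is a byte sequence taken from the known sample's code or strings
# (hypothetical pattern, chosen for this demo).
KNOWN_BAD_SIGNATURES = [b"encrypt-all-documents"]


def sha256_hex(data: bytes) -> str:
    """Hash of the whole file, the kind of value a site like VirusTotal indexes."""
    return hashlib.sha256(data).hexdigest()


# Blocklist built from the hash of the one sample we already know about.
HASH_BLOCKLIST = {sha256_hex(KNOWN_BAD_FILE)}


def hash_match(data: bytes) -> bool:
    """Exact-hash detection: fires only for byte-identical files."""
    return sha256_hex(data) in HASH_BLOCKLIST


def signature_match(data: bytes) -> bool:
    """Content-signature detection: fires when known malicious code/strings are present."""
    return any(sig in data for sig in KNOWN_BAD_SIGNATURES)


def scan(data: bytes) -> dict:
    """Report what each detection method says about a file."""
    return {
        "sha256": sha256_hex(data),
        "hash_match": hash_match(data),
        "signature_match": signature_match(data),
    }


if __name__ == "__main__":
    samples = [("known sample", KNOWN_BAD_FILE),
               ("one-byte variant", VARIANT_FILE),
               ("clean pdf", CLEAN_FILE)]
    for name, blob in samples:
        r = scan(blob)
        print(f"{name:17} sha256={r['sha256'][:12]}... "
              f"hash_match={r['hash_match']} signature_match={r['signature_match']}")
```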
The second reason security friends sometimes argue about antivirus is that it requires extraordinary privileges over your machine, and automatically scans incoming files. These features help antivirus tools do their job, but also make antivirus an interesting target.
Antivirus must be held to a higher standard than other types of software, but there’s a lot of room for growth.
For example, last year Tavis Ormandy, a security researcher at Google, found several serious holes across Symantec’s suite of antivirus products, some of which allowed remote code execution on the victim’s computer.
At best, antivirus represents a modest defense. There’s no replacement for thoughtful hygiene.
Wash Your Hands
Because journalists are special, news organizations are common targets for digital attacks, typically delivered through messages in email and elsewhere. One of the most common ways that malware ends up on your device is packaged inside of normal-looking files, such as PDFs and Office documents.
Guess what file formats internet strangers like to send reporters? PDFs and Office documents.
You can't tell journalists "just don't open attachments." They will ignore you. Journos open attachments from strangers for a living.— Eva (@evacide) September 12, 2016
We’re still going to need to open files from friends, colleagues, and internet strangers. What we can do is develop a stronger sense of caution when dealing with files from iffy places, and attempt to minimize risk.
What “Caution” Looks Like
Reporters get a lot of odd messages and noise in their inboxes.
Cultivating a sixth sense for shifty files demands that we notice the places where we normalize odd behavior. When opening your email, consider this: you might trust an email’s human sender, but that doesn’t necessarily mean you should trust their device or their email account.
Even when you think you know the sender, look out for unexpected phrasing, unexpected timing (e.g., a message after you haven’t spoken for years), or contact from an unexpected source (e.g., an unrecognized email address).
Maybe you got an email from your office scanner, an order confirmation, or a package delivery alert with an attachment or link. If you didn’t expect it, it probably doesn’t make sense to launch the attached file.
Consider avoiding unexpected file types. An installer (e.g., .exe, .jar, .dmg) is a pretty big red flag. Ordinary-looking files are not necessarily safe either. For example, PDFs and Office documents both introduce serious vulnerabilities.
But when we get shifty files, sometimes we still need to investigate.
Rather than opening a document directly on your computer, consider a few ways to open it more safely.
Mobile operating systems such as iOS and Android were built to launch apps in their own sandbox—an environment that restricts how files interact with the system and other apps. As Matthew Green describes in detail, this and a variety of anti-exploitation techniques make iOS devices especially resistant to malicious applications. If you have one, consider investigating shifty files on an iPhone or iPad.
Instead of launching PDFs in an external viewer, consider opening PDFs in Chrome Browser to take advantage of built-in sandboxing. (Full disclosure: I work on Google Chrome!)
Office files can be risky because they support the powerful ability to automate tasks with macros. This ability can also be used to launch unwanted code on your computer. Unless you explicitly need them, consider reading this helpful primer for double checking that macros are turned off.
If you are okay with a third-party service having access to the file, open the file in Google Docs, rather than executing it on your device. If it doesn’t render, there’s probably something wrong with the file.
We’re always told to be careful with USB thumb drives, and yet most of us have amassed a collection of USB devices handed to us by strangers with conference goodie bags.
We don’t need to use our personal devices for investigating and sanitizing USB devices.
For a slightly more adventurous option, the Computer Incident Response Center Luxembourg created CIRCLean, a modified Raspberry Pi for examining untrusted USB devices, then making a “clean” copy on a second USB device. News nerds who feel comfortable with the terminal and writing images to external storage can build a newsroom USB sanitizer.
Have an escape plan. Consider taking advantage of automated backups (e.g., using an external drive, or private cloud service) to roll back your computer to a snapshot before a breach. Some types of ransomware are designed to also encrypt backup devices, so having multiple backup methods is a good insurance policy.
Finally, for those willing to put in a little extra effort, consider reading Micah Lee’s introduction to virtual machines to learn how to launch files or examine iffy websites in relative safety.
Humans Are Waiting to Help You
While the above tips focus on hygiene, people suffering targeted attacks should work with a professional who can help understand specific concerns. Depending on what kind of resources the attacker has (e.g., time, money, legal, technical resources), your defenses should change.
If you believe you have been the victim of a targeted attack, consider contacting security researchers at the Electronic Frontier Foundation, or the Citizen Lab. It makes a difference: these kinds of disclosures help researchers track down malware targeting journalists and human rights defenders around the globe. Likewise, Security Without Borders invites journalists to request assistance on a broad range of security threats.
Between teams supporting software updates, and teams supporting journalists with targeted concerns, you are not alone. Take advantage of resources for helping to minimize risk for you, and the fragile machine in front of you.
Dr. Martin Shelton is the principal researcher at Freedom of the Press Foundation, conducting user research on harassment of journalists and digital security education in J-schools.