Today law enforcement agencies warned the public about the Dridex malware, which has been targeting customers of online banks for the last year or so.
Interestingly, Dridex doesn’t rely upon any vulnerabilities or sneaky shortcuts in its quest to infect your Windows PC. Instead, the malicious hackers spam out their attacks as email attachments using social engineering lures to trick potential victims into opening, say, a poisoned Word document and enabling macros to allow the malicious code to run.
In other words, you allowed your computer to become infected by Dridex by opening an unsolicited email attachment, and then perhaps gave its malicious macro permission to run.
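Because the infection chain above depends on a macro-bearing Office attachment rather than an exploit, one check a mail gateway or helpdesk script can make is simply "does this attachment carry a VBA project?". The following is an added example, not code from the original post or from any vendor: it inspects an OOXML (.docx/.docm-style) package by content rather than by file extension, looking for a `vbaProject.bin` part and for macro-enabled content types, and builds its own constructed sample packages so it runs offline. Legacy binary .doc files are OLE2 containers, not zips, and would need an OLE parser such as oletools' olevba instead; this example reports them as "not OOXML".

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Content types that mark an OOXML package as macro-enabled (Word, Excel, PowerPoint).
MACRO_ENABLED_CONTENT_TYPES = {
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-word.template.macroEnabledTemplate.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
}
VBA_PROJECT_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def inspect_ooxml(data: bytes) -> dict:
    """Report the macro indicators found in an OOXML attachment.

    The check is content-based: the file extension is never consulted, so a
    renamed file is judged by what is inside the package.
    """
    result = {
        "is_ooxml": False,          # parsed as a zip with [Content_Types].xml
        "has_vba_project": False,   # a vbaProject.bin part is present
        "macro_enabled_type": False,  # declared as a macro-enabled document
        "vba_parts": [],            # paths of any VBA project parts found
    }
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return result  # a zip, but not an Office package
            result["is_ooxml"] = True

            # Indicator 1: a vbaProject.bin part anywhere in the package.
            result["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
            result["has_vba_project"] = bool(result["vba_parts"])

            # Indicator 2: content types declared in [Content_Types].xml
            # (both <Default> and <Override> elements carry a ContentType attribute).
            root = ET.fromstring(zf.read("[Content_Types].xml"))
            for el in root.iter():
                ct = el.get("ContentType", "")
                if ct in MACRO_ENABLED_CONTENT_TYPES:
                    result["macro_enabled_type"] = True
                if ct == VBA_PROJECT_CONTENT_TYPE:
                    result["has_vba_project"] = True
    except zipfile.BadZipFile:
        pass  # not a zip at all: legacy OLE2 .doc, or something else entirely
    return result


def should_quarantine(data: bytes) -> bool:
    """Gateway policy (hypothetical): hold any attachment that carries macros."""
    info = inspect_ooxml(data)
    return info["has_vba_project"] or info["macro_enabled_type"]


def build_sample(macro: bool) -> bytes:
    """Construct a minimal OOXML package for testing (constructed data, not a real document)."""
    main_ct = (
        "application/vnd.ms-word.document.macroEnabled.main+xml"
        if macro
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    vba_override = (
        '<Override PartName="/word/vbaProject.bin" '
        'ContentType="application/vnd.ms-office.vbaProject"/>'
        if macro
        else ""
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        f"{vba_override}"
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<document/>")
        if macro:
            # Placeholder bytes standing in for a real OLE-format VBA project.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("macro-enabled", build_sample(True)), ("plain", build_sample(False))):
        print(label, inspect_ooxml(sample), "quarantine:", should_quarantine(sample))
```

Either indicator on its own is enough to hold a message for review: a `vbaProject.bin` part can exist even when the declared content type looks ordinary, and the content-type declaration can be present when the part is stored under an unexpected path, so the two checks cover each other.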
How are you going to “patch the bug in your brain” that so many internet attacks rely upon?
Check out my latest video entitled “YOU are the computer security problem”, and leave a comment with your thoughts.
If you enjoy the video, please consider subscribing to my YouTube channel and I’ll make some more.
Absolutely correct. I also like to remind people that administrators, developers, designers, and everyone else – all are users. Besides the fact humans are far from imperfect, there is this other little problem – being more tired than you actually believe you are[1]. Or being distracted or sidetracked for even a moment[1]. One mistake is all it takes to increase the chance you will be compromised but also it could cause a service (or a system install) to fail, data loss, and any number of other things. Which is why awareness is only part of the battle (though it is a very important part of the battle).
Edit:
[1] That’s another reason being logged in as root (or for others: administrator) for everything is a big mistake. Even if you aren’t logged on strictly under the normal account, if you have the privileges of that account (or some privileges that matter), you are still at risk.
Unfortunately the problems will never be resolved. New users to the internet are unaware of the issues & some users simply cannot be educated. I post warnings almost daily but I cannot force anyone to read them let alone act on them.
Well said, sir.
This blog is a helpful way to patch the brain.
Not as good as sutures. And even then, there comes a point where all the medical care won't help, either. I'm afraid that mistakes can be bad enough where all the medical capabilities we have, still won't help. That is all obviously literally and figuratively true. The problem: mistakes are inevitable. On the other hand, Graham's site is good in that it raises awareness in an entertaining, educational way (it is an art to be able to do this and actually get points across to almost everyone – and he does this quite well) which is really important. It might limit the impact of (some mistakes) to some degree but it still won't patch human mistakes (in comparison to patching a flaw in an operating system component, for example).
Liked the video about "we are the problem". For those of us who are not terribly Internet wise how about a video discussing some of the basic mistakes many of us make and what to do if we are unsure or suspicious of a situation or action that could jeopardize our security.
It's true, the problems are nearly always (99.9%) PICNIC problems. Rarely is the problem not in some way attributable to an action you took.
My father is an excellent example; a guy who just doesn't think that an email is anything other than a message, that there is no harm in just opening a message…. he just can't get his head around it being "dangerous" to open an email or an attachment (even when they come from a bank, he's never heard of, banked with or had anything to do with…ever…). He clicks on links like a machine gun going off…. and then wonders why his computer is infected, or slow, or just plain dead in one case….. This is what malware and cryptoransomware makers etc. rely on.
Why are we always picking on the end user? Because we did such a wonderful job in every other aspect?
Users are supposed to interact with technology, they are supposed to click and run stuff.
Let's stop talking about "The Problem", "The weakest link". Yes, user behavior is important, but let's deal with it as one of the many risks we need to address and not give the false impression that if we somehow magically were able to address that, all our worries would disappear, especially since we know that security controls do fail.
Mr. Cluley:
I see Password Boss is an advertiser on your site. What do you think of them? I realize this could be a conflict of interest. PC Mag rates Dashlane 4 as a 5 star (circles actually) password manager. However Password Boss is so darned cheap right now. What should I do? I figure with your vast experience Password Boss is good. We have a local store, Cyber Express, and they are very good. I'll check with them, too. If you hear the same thing over and over again from many different sources, it must be true. (Our local mall developer.)
PS Cyber Express recommended Sticky Password. However, a review of PWM suggested it could become Consumer Affairs #1 Reco.
Hey! How the Duck do I get Password Boss to accept my payment?