Watching kids growing up shows you some sobering stuff about learning. Probably the foremost one is that you usually have to get hurt before you REALLY learn.
There were two high-profile news stories in the last few days that emphasized some computer security concepts and nobody actually got hurt.
Story one: someone mailed a fake fraud alert to some small credit unions with two CDs of “training material” that were believed to contain malcode. The personnel who received them immediately did the right thing: notified the National Credit Union Administration, which quickly sent out a real fraud alert. The casual news reader learns: “Whoa! Bad guys can MAIL CDs with malware that can compromise networks or computers.”
Story two: the governor’s office in West Virginia received five HP laptop computers that they didn’t order. They checked with their IT staffs, then called state police, suspecting the machines contained Trojans. The FBI is investigating that incident and similar ones in about 10 other states. The casual news reader learns: “Whoa! Bad guys can mail ENTIRE COMPUTERS that can compromise networks or computers.”
The first story turned out to be part of some penetration testing by a Columbus, Ohio, testing group checking the security at the credit unions. They found that security practices were good.
We have yet to learn what’s lurking on the laptops in the FBI’s possession besides Vista, Office 2007 and 20 Gb of crapware.
The point was made: malware can arrive on any storage media, not just via the Internet.
Story one here.
Story two here.