5 eSecurity
Before starting this chapter you should:
+ be familiar with the terms ‘encryption’, ‘data packet’, ‘anti-virus software’,
‘firewall’, ‘hacking’, ‘Uniform Resource Locator (URL)’ and ‘internet service
provider (ISP)’.
5.1 Personal data
One useful definition of personal data is provided by the European Union’s
website. It defines personal data as follows:
Personal data is any information that relates to an identified or identifiable living
individual. Different pieces of information, which collected together can lead to
the identification of a particular person, also constitute personal data.
It means that any data that can be used to identify or recognise somebody is
classed as personal data. Sometimes the data has been manipulated so that it
does not allow an individual to be identified. The EU’s definition goes on
to suggest that any data which can be reconstituted so that it does enable an
individual to be identified can also be classed as personal data. So, even if
personal data has been de-identified, encrypted or pseudonymised, it is still
classed as personal data.
De-identification is a common strategy when trying to prevent a person’s
identity from being revealed. Items of personal data might be removed from a
record, such as the individual’s name. If the person could still be recognised
from the remaining data, it would be possible to re-identify the record and add
the removed data, for example the name, back in.
Encryption was covered in Chapter 1; it is used to make data unidentifiable.
However, the problem with encryption is that data can be decrypted and so
become personal data again.
Pseudonymised data is when, instead of removing the personal items of data,
they are replaced with a temporary ID. This means that instead of seeing the
person’s name, you would see an ID which would mean nothing to you. The problem
is that if, as with de-identification, somebody can recognise that individual
from the rest of the record, they can replace the ID with the individual’s name.
In this chapter you will learn:
+ what personal data is
+ why personal data should be kept confidential
+ how personal data can be kept confidential
+ the methods used by unauthorised persons to gather personal data
+ how to evaluate the methods of prevention
+ the types and uses of malware
+ the consequences of malware for organisations and individuals
+ how to prevent malware from entering computers
If, however, the data has been amended to make it appear anonymous in such a
way that it is impossible to recognise the individual, then it is no longer classed
as personal data. For this to be the case the anonymisation of the record must
be irreversible.
The EU, like many areas of the world, has a set of rules governing the
protection of data. These are together called the General Data Protection
Regulation (GDPR). The GDPR promotes both the pseudonymisation and
anonymisation of personal data. Organisations with personal data should use
one or other of these methods to reduce the risk.
Examples of personal data as outlined by the EU are:
» a name and surname
» a home address
» an email address, such as name.surname@company.com
» an identification card number
» location data (for example from the location data function on a mobile phone)
» an IP address
» a cookie ID
» the advertising identifier of your phone
» data held by a hospital or doctor, which could be a symbol that uniquely
identifies a person.
5.1.1 Keeping personal data confidential
Computers are used by organisations and companies to store large amounts of
personal information. The question might arise: why do we need to keep data
confidential? The answer is, if it were to fall into the wrong hands, the data
could be used for identity theft or to withdraw huge sums of money from bank
accounts. Identity theft is when a fraudster pretends to be another individual
online by using that individual’s personal information. Fraudsters who have
accessed an individual’s personal data can use their login details to access their
bank accounts or commit other types of fraud, while pretending to be that
individual. They can take your banking information and make unauthorised
withdrawals and purchases, and transfer money between accounts. If burglars
obtain personal data such as addresses and information about when a person is at
work, then they can burgle that person’s house. Therefore, people should not post
information about their holiday or vacation plans on social media.
Organisations and businesses can take certain measures to ensure the
confidentiality of data. It is essential that personal information should only be
seen by those people who are authorised to see it. Keeping data confidential is
an essential part of an organisation’s responsibilities. Encryption is the main
IT technique used to ensure the confidentiality of data in online systems.
Anybody illegally accessing this data will not be able to understand it. They can
still perform malicious actions, like deleting the data, but they cannot gain any
information from it. Data protection acts, which are the rules organisations must
stick to in order to protect data, exist in most countries. A number of workers in
organisations need to look at the personal data of other individuals as part of their
job. It is important that these workers maintain the confidentiality of the personal
data. Organisations can encourage workers to be aware of their responsibilities.
Workers who deal with confidential information about other individuals have a
duty of confidence, both to the individual and their employer. They must not tell
anybody or use the information for any reason except with the permission of the
person who gave it. Should they attempt to do so, the person whose data it is can
take out a legal injunction preventing them.
So that a duty of confidence can exist, the worker must be asked to treat the
information as confidential or it must be obvious to them that the information
is given in confidence. In order for this to happen workers are often asked by
their employers to sign an agreement to this, which is called a confidentiality
agreement.
Organisations must be held responsible for their decisions to pass on
information. Good practice is to make sure that only the least amount of
information that could identify an individual is passed on. Online services,
particularly online banking and shopping, allow organisations to have access to
private data such as names, addresses, phone numbers, financial records and so
on. This information should not be passed from organisation to organisation
without authorisation from the individual. Another action a company could take
is to anonymise information. In its simplest form, anonymised information is
simply not mentioning a person by name. However, we know that other
information could enable the individual concerned to be identified, so this must
be removed as well. Organisations should leave out as many personal details
as possible.
Aggregated information is another way of preventing individuals
from being identified. This is where the personal details of a number of people
are combined to provide information without individually identifying anybody.
However, this may not always safeguard details adequately. An example could
be a hospital which analyses data of its patients (without identifying individuals)
who have a particular illness or disease. However, there may be only one patient
with a particular disease and so it becomes obvious who that person is.
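The pseudonymisation, re-identification and aggregation ideas above, worked through in code. This is an added example and not part of the textbook: the hospital records, the HMAC-based temporary ID, the public list used for linking and the minimum group size of 2 are all constructed assumptions.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample hospital records; the people and diagnoses are invented.
RECORDS = [
    {"name": "Ana Silva", "postcode": "AB1 2CD", "year_of_birth": 1984, "diagnosis": "asthma"},
    {"name": "Ben Okoro", "postcode": "AB1 2CD", "year_of_birth": 1979, "diagnosis": "asthma"},
    {"name": "Cara Lee", "postcode": "AB1 2CD", "year_of_birth": 1991, "diagnosis": "asthma"},
    {"name": "Dev Patel", "postcode": "AB1 2CD", "year_of_birth": 1966, "diagnosis": "haemophilia"},
]

DIRECT_IDENTIFIERS = ("name",)                      # removed or replaced outright
QUASI_IDENTIFIERS = ("postcode", "year_of_birth")   # stay in the record, yet can still single someone out


def token_for(name, key):
    """Temporary ID standing in for the name: a keyed hash (HMAC), so only the key
    holder can rebuild the name -> ID mapping."""
    return hmac.new(key, name.encode("utf-8"), hashlib.sha256).hexdigest()[:12]


def pseudonymise(records, key):
    """Replace each direct identifier with a token. The result is still personal
    data: whoever holds the key can reverse it (see reidentify)."""
    out = []
    for rec in records:
        new = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        new["patient_id"] = token_for(rec["name"], key)
        out.append(new)
    return out


def reidentify(pseudonymised, key, candidate_names):
    """Reversal by the key holder (or by anyone who obtains the key): rebuild
    token -> name for every name they can guess or look up."""
    lookup = {token_for(n, key): n for n in candidate_names}
    return {rec["patient_id"]: lookup[rec["patient_id"]]
            for rec in pseudonymised if rec["patient_id"] in lookup}


def link_by_quasi_identifiers(pseudonymised, public_list):
    """Re-identification WITHOUT the key: match the fields that were left in the
    record against a public list (constructed here, standing in for something like
    an electoral roll) and keep only the records that match exactly one person."""
    linked = {}
    for rec in pseudonymised:
        matches = [p for p in public_list
                   if all(p[q] == rec[q] for q in QUASI_IDENTIFIERS)]
        if len(matches) == 1:
            linked[rec["patient_id"]] = matches[0]["name"]
    return linked


def aggregate(records, by, min_count=2):
    """Publish counts per group, suppressing any group smaller than min_count.
    The one-patient-with-a-rare-disease case in the text is a group of size 1."""
    counts = Counter(rec[by] for rec in records)
    safe = {value: n for value, n in counts.items() if n >= min_count}
    suppressed = sorted(value for value, n in counts.items() if n < min_count)
    return safe, suppressed


if __name__ == "__main__":
    key = b"constructed-demo-key"
    pseud = pseudonymise(RECORDS, key)
    print(pseud)
    print(aggregate(RECORDS, "diagnosis"))
```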
Individuals can keep their data confidential by not putting too much personal
data on social media. Most employers do background checks on potential
employees, which nowadays include looking at social media profiles. Personal
information that might persuade a prospective employer not to employ an
individual should not be posted. Insurance companies in many countries
around the world often use the same approach and might charge much higher
premiums (monthly payments) depending on the customer’s lifestyle and in
addition may use this as evidence when deciding not to pay out on a claim.
The photos and videos people take with their smartphone contain information,
known as metadata, including the time and place they were taken (the geotag). If
these photos are intercepted, the individual’s address or where they work can be
discovered. However, smartphones do have software which can be used either to
delete the geotag from images or to disable geotagging so that new images are
not tagged.
5.1.2 Keeping personal data secure
There are a number of different precautions that can be taken in order to keep
personal data secure. Some of these are described below.
Firewall
Firewalls are designed to prevent unauthorised network access. Organisations
which store personal data tend to have several computers that form networks,
many of which are connected to the internet. Without a firewall, these
computers can be accessed by unauthorised users through the internet. Firewalls
examine data coming into the network to see if it is allowable. They examine data
packets and break them down into smaller pieces of information, such as the
IP address they came from. An IP (internet protocol) address is a combination
of numbers that identifies each computer in a network. If it is an IP address
that is not allowed, the firewall can block that traffic. It can prevent certain
computers from gaining access to the network.
Firewalls do not always prevent hackers from accessing networks, however.
Although a hacker’s computer is prevented from accessing the network, the
hacker could physically steal a computer that is permitted to access the network.
More likely, they can use software which can change the IP address of their
computer to one which is acceptable to the firewall.
Penetration testing
A penetration test, sometimes referred to as a ‘pen test’, is when companies
employ somebody to deliberately attack their computer network. They do this
so that the authorised ‘hacker’ will identify the weaknesses in their system’s
security and the company can then take measures to improve it if necessary.
Basically, it is a way to find out how easy it is to access a computer network
and how well the measures being taken to protect the data are working and, if
necessary, improve them. The purpose of doing this is to enable the company to
secure personal data from illegal hackers who will attempt to gain unauthorised
access to the system.
Authentication techniques
In order to prevent hackers accessing a computer network, users are required to
log on. This means that they have to identify themselves to the system, so that it
can be sure it is not a hacker trying to gain access. This is called ‘authentication’.
There are many ways in which a person can prove to a computer system that
they are who they say they are:
» Typing in a user ID and password which only the user knows
» Inserting or swiping a smart card which belongs to the user
» Using biometric data which relates to a unique physical characteristic of the user.
Biometrics can involve the use of iris or fingerprint scanning, as these are
both felt to be the best at providing unique data. Although quite expensive,
iris scanners tend to be more effective as the scanner does not require as much
cleaning after use and it also is more accurate since fingerprints can be affected
by grease and dirt.
If only one of these methods is used, it would suggest that the system is not
totally secure; at least two should be used when accessing personal data. For
example, when somebody withdraws money from an ATM, they have to use
something that belongs to them (their bank card) and something only they
know (their PIN). Although many small transactions can be carried out with
just a contactless card, for any transaction involving a lot of money a PIN has
to be used as well. This is called twin- or two-factor authentication, sometimes
referred to as multi-factor authentication, as it involves more than one method.
When using online banking, additional information such as the user’s date of
birth is often required. When a customer carries out certain transactions using
a smartphone, some banks will send a one-time PIN or password in a text
message for them to enter as part of the authentication process.
During the login process, keyboard presses can be detected by spyware and so
drop-down options are often used for dates or PINs to be entered.
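A two-factor login of the kind described above (something you know plus a one-time code sent to something you have), as an added example that is not from the textbook. It assumes the one-time PIN is an HMAC-based code (RFC 4226 HOTP) shared between the bank and the user's phone; the account layout and password hashing choice are also assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    """Server-side record for one user (constructed; not any real bank's schema)."""
    user_id: str
    salt: bytes
    password_hash: bytes
    otp_secret: bytes        # also held by whatever sends the user their one-time code
    otp_counter: int = 0     # highest counter value already accepted, so a code cannot be reused


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash: a stolen account table does not directly reveal passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def register(user_id: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(user_id, salt, hash_password(password, salt), os.urandom(20))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): the code the bank's SMS generator or
    an authenticator app would produce for this counter value (assumed mechanism)."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def next_code(account: Account) -> str:
    """The code texted to the user for their next login attempt."""
    return hotp(account.otp_secret, account.otp_counter + 1)


def login(account: Account, password: str, code: Optional[str], window: int = 3) -> str:
    """Something you know (password) AND something you have (the phone that received
    the code). Returns 'ok' only when both checks pass."""
    if not hmac.compare_digest(hash_password(password, account.salt), account.password_hash):
        return "denied: bad password"
    if code is None:
        return "denied: one-time code required"      # the password alone is never enough
    # Allow the next few counter values (a text may have been lost), never one already used.
    for step in range(1, window + 1):
        candidate = account.otp_counter + step
        if hmac.compare_digest(hotp(account.otp_secret, candidate).encode(), code.encode()):
            account.otp_counter = candidate           # burn this code and any skipped ones
            return "ok"
    return "denied: bad or reused one-time code"


if __name__ == "__main__":
    acct = register("ana", "correct horse battery")
    code = next_code(acct)                             # in practice arrives by SMS
    print(login(acct, "correct horse battery", None))  # denied: one-time code required
    print(login(acct, "correct horse battery", code))  # ok
    print(login(acct, "correct horse battery", code))  # denied: bad or reused one-time code
```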
Levels of access
If hackers do gain access to a network, their ability to retrieve personal data can
be limited by network settings created by a network manager. Different groups
of users can be granted different levels of access to the data on the network.
This is particularly the case with hospitals, for example, where doctors may
be able to see the illnesses and diagnoses of their patients but administration
staff may only be able to find out other, not health-related, information about
patients. Often, the level of access granted to a user is related to their user ID,
but some systems enable all users of the network to log on to the system. They
then require the use of a particular smart card to access certain data.
Another example is the use of online shopping websites that require a login;
customers will only see data that is relevant to them. However, if programmers
employed by the company access the customer database, they will be able to
view all the accounts. This is because they will have been given a higher level
of access than the customers. With social networks, it is the owner of the data
that can grant different levels of access. It is possible for individuals to amend
settings so that only ‘friends’ are allowed to see their data, or they could allow
both ‘friends’ and ‘friends of friends’ to see their data. On the other hand, if the
setting is ‘public’, the data can be seen by everyone. Allocating different access
levels to different groups limits the information that the different groups can see
and the actions they are allowed to take.
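The two forms of access level described above (field-level access for hospital staff, and owner-chosen audiences on a social network) as an added example, not code from the textbook. The permission table, the record fields and the friendship graph are constructed assumptions.

```python
from copy import deepcopy

# Constructed hospital permission table: which record fields each group may view or edit.
PERMISSIONS = {
    "doctor":  {"view": {"name", "date_of_birth", "diagnosis", "medication", "next_appointment"},
                "edit": {"diagnosis", "medication"}},
    "admin":   {"view": {"name", "date_of_birth", "address", "phone", "next_appointment"},
                "edit": {"address", "phone", "next_appointment"}},
    "patient": {"view": {"name", "date_of_birth", "address", "phone", "diagnosis", "next_appointment"},
                "edit": {"address", "phone"}},
}


def can(role, action, field):
    """True if this group's access level covers this action on this field."""
    return field in PERMISSIONS.get(role, {}).get(action, set())


def view_record(record, role, user_id=None):
    """Return only the fields this group is allowed to see; a patient sees only their own record."""
    if role == "patient" and user_id != record["patient_id"]:
        return {}
    return {k: v for k, v in record.items() if can(role, "view", k)}


def update_field(record, role, field, value):
    """Enforce the edit level: refusing is how access levels limit the actions a group may take."""
    if not can(role, "edit", field):
        raise PermissionError(f"{role} may not edit {field}")
    updated = deepcopy(record)
    updated[field] = value
    return updated


# Social network: here the owner of the data chooses the audience for each post.
FRIENDS = {   # constructed, symmetric friendship graph
    "alice": {"bob"},
    "bob": {"alice", "carol"},
    "carol": {"bob"},
    "dave": set(),
}


def can_see_post(viewer, owner, audience):
    """audience is 'friends', 'friends_of_friends' or 'public', as set by the owner."""
    if viewer == owner or audience == "public":
        return True
    owner_friends = FRIENDS.get(owner, set())
    if viewer in owner_friends:
        return True
    if audience == "friends_of_friends":
        return any(viewer in FRIENDS.get(friend, set()) for friend in owner_friends)
    return False


if __name__ == "__main__":
    rec = {"patient_id": "p1", "name": "Ana Silva", "date_of_birth": "1984-03-02",
           "address": "1 High St", "phone": "01234 567890", "diagnosis": "asthma",
           "medication": "salbutamol", "next_appointment": "2024-05-01"}
    print(view_record(rec, "doctor"))
    print(view_record(rec, "admin"))
    print(can_see_post("carol", "alice", "friends"), can_see_post("carol", "alice", "friends_of_friends"))
```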
Network policies
Network policies are sets of rules that allow companies to choose who is
allowed to access their computer network and control their use of the network
once they have gained access. Most companies now use the internet to carry
out their business transactions, and as a consequence their computer networks
have become vulnerable to attack. These attacks can allow competitors to
gain knowledge of their operations; they can result in data being destroyed or
provide access to any personal data that is stored. When workers join a company,
they are normally required to sign an agreement, such as an acceptable use
policy. This specifies what type of use is acceptable and what is not. They have
to agree not to use the network for illegal, unethical or distracting
non-work-related activities, such as downloading copyrighted material or spending time
on social networking sites to communicate with friends. While not necessarily
preventing hackers from outside the organisation attacking the network, it does
help to limit what employees might be tempted to do with personal data.
Software updates
As well as being vital for updating a computer’s operating system, software
updates are often made available for different types of application software.
Although these updates are useful in eliminating bugs and making the software
easier to use, probably their most useful function is when they eliminate
specific security weaknesses. If weaknesses are present in an operating system,
hackers can take advantage of these in order to access the computer system. As
soon as any major software company is made aware of vulnerabilities (security
weaknesses), they produce updates which eliminate that risk. It is important
for users to install updates as soon as possible in order to limit the amount of
time hackers have to find and exploit these weaknesses. If a system or app is
left without updating for a long time, more hackers may become aware of any
vulnerabilities and use that information to gain access to personal information
stored on the system or app. Operating systems and anti-virus software tend
to be the main types of software that need regular updating. Certain types of
application software will also need regular updating.
Other measures
There are other measures which can be taken to increase network security.
Encryption has already been discussed in terms of the fact that data, even when
illegally accessed, will not be understandable. The use of digital certificates was
described in detail in Chapter 1. One other method relates to mobile networks
and concerns the remote deletion of mobile (cell) phone or tablet data. If a
device is lost or stolen, the owner can send a command to it using another
phone that will completely remove any data, such as personal data, from it. Any
of the individual’s data that is not backed up on the cloud will be lost forever
but it does mean that the person who has stolen the phone will be unable to
see any of the owner’s personal data. In order to receive the command to erase
all the data, the device has to be turned on and connected to the internet. If a
device is lost at an airport or a rail station, for example, the task of wiping the
data may be straightforward. However, if whoever has stolen it wants to stop
the data from being removed from the device, all they have to do is turn it off,
remove the SIM card and switch it back on again and any personal data stored
on the phone is now available. In order to send the command, the app has to be
downloaded on to the phone being used to contact the stolen phone. The app
allows the user to get the stolen phone to ring loudly for five minutes just in
case it has just been mislaid rather than stolen.
Activity 5a
Write a sentence about each of five different methods of keeping personal data
secure.
5.1.3 Preventing misuse of personal data
Before considering how to prevent the misuse of personal data, it is important to
consider how personal data can be gathered by people who are not supposed to have
access to it. Many students think that hacking into a computer in order to copy,
delete or change data is very easy. It is not. With all the security measures outlined
above, it is very difficult. However, there are other ways in which the personal
data of individuals can be gathered by unauthorised persons. The most common
methods, with the corresponding ways of preventing them, are outlined below.
Pharming
Computers connected to the internet all have a file called the hosts file. This
is a basic text file which lists a number of host names (the domain name part
of a URL) together with their IP addresses. When a user types a URL into a web
browser, the computer first looks in the hosts file for that name. If it finds
it, it uses the corresponding IP address and seeks to connect to the computer
with that IP address. If it cannot find the name in the hosts file, it asks the
DNS server and uses the IP address returned to access the appropriate computer.
Pharming begins with a user downloading malicious software (malware)
without realising they have done so. This software then corrupts the hosts file
by adding URLs of banks, for example, to the hosts file and corresponding IP
addresses which will take the user to a fake website when they enter that URL.
The user then proceeds to type their bank details into this fake website, giving
the fraudster all the information he or she needs to access that user’s bank
account by logging on to the real bank. Another type of pharming is when the
fraudster hacks into the DNS server and corrupts the file on that computer,
again causing the user to be redirected to a fake website. In both cases, the
user will not realise that they have been tricked, since they will have typed in
the correct URL and if they look in the browser URL window, they will see
nothing out of the ordinary.
There are a number of ways that users can limit the chances of pharming, though
none of these will completely prevent it. Using up-to-date anti-virus software is
one way to prevent the downloading of software which changes the hosts file.
Users need to make sure they install the latest software updates. An up-to-date
browser can cause an alert to be raised that a fake website has been loaded. It
is sensible to use a trusted, legitimate internet service provider (ISP). Digital
certificates can be checked to make sure that the site is legitimate. Any site that
requires the entry of personal data should begin with HTTPS. If it does not, it
may well be a fake site, particularly if it has not got a coloured padlock icon next
to it. It may be useful to check that the URL is indeed correct for that site. The
actual fake website may have tell-tale signs such as poor grammar or spelling and
this should alert a user that it may be a fake site.
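A check for the hosts-file form of pharming described above: parse the file and flag any entry that overrides a watched domain, plus any other non-local override for review. This is an added example, not from the textbook; the sample hosts file, the watched bank domain and the 203.0.113.9 address (a documentation range) are constructed.

```python
import ipaddress

# Constructed hosts file. The last line is the kind of entry pharming malware adds:
# a bank's names pointed at an attacker-controlled address.
SAMPLE_HOSTS = """\
# Static table lookup for hostnames.
127.0.0.1       localhost
127.0.1.1       my-laptop
::1             localhost ip6-localhost ip6-loopback
0.0.0.0         ads.example.net        # ad-blocking entry added by the user
10.0.0.5        intranet.corp.example  # company intranet, set by IT
203.0.113.9     www.examplebank.com examplebank.com
"""

# Names whose resolution should never be overridden locally (constructed list).
WATCHED_DOMAINS = {"examplebank.com", "login.examplebank.com"}


def parse_hosts(text):
    """Return (line number, ip, hostname) for every mapping, ignoring comments and
    malformed lines; one line may map several names to the same address."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue   # not an address: skip rather than crash on a garbled line
        for host in parts[1:]:
            entries.append((lineno, ip, host.lower().rstrip(".")))
    return entries


def is_watched(host, watched):
    """True for a watched domain or any name beneath it."""
    return any(host == w or host.endswith("." + w) for w in watched)


def audit_hosts(text, watched=WATCHED_DOMAINS):
    """Return findings as (severity, line, host, ip, reason).
    'high'   : a watched domain is overridden locally (the pharming case).
    'review' : any other name sent somewhere other than this machine or the 0.0.0.0 sink."""
    findings = []
    for lineno, ip, host in parse_hosts(text):
        if is_watched(host, watched):
            findings.append(("high", lineno, host, str(ip), "watched domain overridden locally"))
        elif (not (ip.is_loopback or ip.is_unspecified or ip.is_link_local)
              and host not in {"localhost", "localhost.localdomain"}):
            findings.append(("review", lineno, host, str(ip), "non-local override, confirm it is intended"))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

On a real machine the same function can be run over the contents of /etc/hosts (or the Windows equivalent) and compared against the domains the user actually banks with.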
Phishing
Phishing is when fraudsters try to obtain personal banking details such as
usernames, passwords, and credit or debit card details using email. They
pretend to be an official of the bank and leave a message which often directs
users to enter personal information into a fake website which looks just like
the legitimate site. It involves the use of an email in an attempt to get people
to disclose their personal information. The email often includes a link to
the fake website (a URL) inviting the receiver to go to that site. Some more
primitive emails just ask the recipient to simply type in their bank details in a
reply to the email. Others are more subtle than this, with the email containing
something that instantly grabs the recipient’s attention and requires them to
take immediate action. It can be a message that tells them they have won the
lottery but need to send personal information in order to claim the prize. The
message usually contains a link to an email address where they must send this
information. In addition to giving out their personal information (which could
lead to identity theft), the recipient is then asked to send some money to cover
the sender’s fees and then they will receive their winnings. After they send the
money to cover the fees, either they hear nothing from the sender ever again
or they may even be asked to send extra sums of money!
Another type of phishing email informs the recipient that their account has been
closed or blocked and they need to log on to unblock the account. An example
is shown here of what happens after the website link is clicked on. The person
has been told that their account has been frozen and they need to log on to
change their settings so that the account can be unblocked.
[Figure 5.1 Fake website login]
Here, the recipient has clicked on the link but for the purposes of this example,
a fake email address has been typed in. Normally, an individual would be
expected to type in their email address and password, allowing the fraudsters
to gain access to the account. The URL is called a ‘spoofed URL’ as the hacker
has given the site a name which is deliberately spelt in a way that is close to the
name of an authentic site.
In order to avoid falling victim to these phishing scams, there are several things
a computer user can do. It is important to use anti-phishing software on a
computer connected to the internet. This identifies any content which could
be interpreted as phishing contained in websites or emails. It can block the
content and usually provides the user with a warning. It is often found within
web browsers or email software. Not all web browsers provide this facility,
however, so it is important to use one that does. It is a good idea to always have
anti-virus and anti-spyware software running on a computer, and to update it
at regular intervals. Phishing emails often contain grammatical and/or spelling
mistakes, so it is important for users to look out for these. Users should never
trust emails that come from people whose names they do not recognise. If an
email looks suspicious, it is best practice to just delete it. Reputable companies
or organisations will never ask for personal information, so that is usually a sign
that it is a phishing email and, again, should not be trusted; the best action to
take is probably deletion. If an email starts ‘Dear customer’ rather than using
the receiver’s name, it should also be treated with caution, as should emails
asking the recipient to confirm their personal or financial information. Personal
and financial information should never be sent in an email. If the email contains
a message that the receiver has won a large amount of money or some other
reason why they will benefit financially, it is likely to be a fake. Links placed
within the email that are shorter than normal are used to hide the real URL
and the best way of checking this is for the user to place the mouse cursor over
the shortened link. This reveals the actual URL and the user can see straight
away if it is suspicious. The best policy is never to click on such links.
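The warning signs listed above (generic greeting, urgency, requests for details, a link whose text differs from its real target, shortened links) together with the ‘spoofed URL’ lookalike name from Figure 5.1, coded as heuristics over a constructed email. This is an added example and not from the textbook; the bank domain examplebank.com and the sample messages are invented.

```python
import re
from urllib.parse import urlparse

BRANDS = {"examplebank.com"}                      # constructed: domains the user actually banks with
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

URGENCY = ("immediately", "within 24 hours", "frozen", "blocked", "suspended", "act now")
LURE = ("you have won", "lottery", "prize", "winnings")
INFO_REQUEST = ("confirm your", "password", "pin", "card number", "bank details", "account number")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def levenshtein(a, b):
    """Edit distance, used to spot a 'spoofed URL' spelt to look like a real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Naive 'last two labels' cut: www.examplebank.com -> examplebank.com."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike_of(domain, brands=BRANDS, max_distance=2):
    """Return the brand this domain imitates (close but not equal), else None."""
    for brand in brands:
        if domain != brand and levenshtein(domain, brand) <= max_distance:
            return brand
    return None


def host_of(text):
    """Hostname of a URL, or of bare text that looks like one."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def mentions(lower, phrases):
    return any(re.search(r"\b" + re.escape(p) + r"\b", lower) for p in phrases)


def analyse_email(sender, subject, body_html):
    """Return the warning signs found, in order; an empty list means none fired."""
    findings = []
    plain = re.sub(r"<[^>]+>", " ", body_html)
    lower = f"{subject} {plain}".lower()
    if re.search(r"\bdear (customer|user|member|account holder|sir/madam)\b", lower):
        findings.append("generic greeting instead of the recipient's name")
    if mentions(lower, URGENCY):
        findings.append("pressure to take immediate action")
    if mentions(lower, LURE):
        findings.append("promise of money or a prize")
    if mentions(lower, INFO_REQUEST):
        findings.append("asks for personal or financial details")
    sender_domain = registered_domain(sender.rsplit("@", 1)[-1].strip(" >"))
    brand = lookalike_of(sender_domain)
    if brand:
        findings.append(f"sender domain {sender_domain} looks like {brand}")
    for href, label in LINK_RE.findall(body_html):
        target = registered_domain(host_of(href))
        label_text = re.sub(r"<[^>]+>", "", label).strip()
        looks_like_url = re.match(r"(https?://)?[\w-]+(\.[\w-]+)+", label_text, re.IGNORECASE)
        shown = registered_domain(host_of(label_text)) if looks_like_url else ""
        if shown and shown != target:
            findings.append(f"link text shows {shown} but points to {target}")
        if target in SHORTENERS:
            findings.append(f"shortened link hides the real destination ({target})")
        brand = lookalike_of(target)
        if brand:
            findings.append(f"link target {target} looks like {brand}")
    return findings


# Constructed messages: one phishing attempt, one genuine notification.
PHISH = ("security@examp1ebank.com", "Your account has been frozen",
         '<p>Dear Customer,</p><p>Unusual activity was detected. Log in immediately to confirm your '
         'details: <a href="http://examp1ebank.com/login">https://www.examplebank.com/login</a></p>'
         '<p>Or use <a href="https://bit.ly/abc123">this link</a>.</p>')
LEGIT = ("statements@examplebank.com", "Your March statement is ready",
         "<p>Hello Ana,</p><p>Your statement is available in the app. We never ask for your "
         "login details by email.</p>")

if __name__ == "__main__":
    for line in analyse_email(*PHISH):
        print("-", line)
    print(analyse_email(*LEGIT))
```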
Smishing
Smishing is a variation of phishing. The major difference is that it uses SMS
(text messages) rather than email to send the message. The number of smishing
attempts has increased since the introduction of smartphones, as it is so easy to
activate a link within a text message. Just as with phishing, the main intention is
to get the recipient to reveal their personal details.
There is a perception among most people that smartphones are more secure
than laptops or PCs. However, this is not the case when it comes to smishing.
In fact, the reason why there has been an increase in this type of scam is
that people tend to be more vulnerable on their phones. They think there is
less likelihood of being attacked on a phone than on a computer and so are
more likely to respond to a smishing request. Some fraudsters are using text
messages to get users to download an attachment which contains malware
which, in turn, feeds personal data from the phone back to the fraudster. A
smishing message is similar to a phishing message in that it often includes a
link to the fake website, or it can just ask the recipient to simply type in their
bank details in a reply to the text. The message usually contains a link to an
email address where they must send this information. It can ask them to take
immediate action. It can be a message that tells them they are entitled to a
financial reward. Sometimes it contains a phone number asking the recipient
to phone the bank or organisation using that number. When they phone, they
are then asked for their personal details.
There are plenty of methods of prevention. Many digital security companies
produce mobile protection software which users should have running in their
smartphone. Users should also look out for all the same signs as in a phishing
attempt, that is, spelling and grammatical errors, messages requiring immediate
action or offering financial rewards, ‘sign up now’, or other pushy and
too-good-to-be-true offers. They should never reply to such messages. Good practice
is to open the sender’s website itself rather than replying to a text with personal
information included in it. A sensible action is to check the sender’s phone
number against the phone number of the company they claim to represent.
Users should never type in personal or banking information, other than when
using an organisation’s official website. Receivers of a text should not click on
links from senders they do not recognise. They should not click on any links in
a text message since it is far safer to type the URL into a browser. They should
also not phone any number contained in the text message.
Vishing
The word ‘vishing’ is a combination of the words ‘voice’ and ‘phishing’. As its
name implies, it is the practice of making a phone call in order to get someone
to divulge their personal or banking details. Vishing can take several forms;
for example a fraudster, claiming to be from the bank, phones a customer
telling them that their bank account has been accessed by a hacker and they
need to change their password and that they will help them to do this. By
giving the caller their account number and password, they have now allowed
this fraudster access to their account. Even if the customer is not at home, the
fraudster will leave a message requiring them to phone a particular number,
which is actually the fraudster’s. Often this phone number goes through to an
answerphone message asking the customer to leave their account number and
other personal details. An alternative is for the phone call to notify the receiver
they have won some money or that they have won a prize. In both cases, the
fraudsters charge a handling or redemption fee which they invite the person to
pay by using their credit card number over the phone. Sometimes the fraudster
will ask the customer to hang up and phone the bank to confirm, in an effort
to convince the customer that the call really is from the bank. Meanwhile
the fraudster has not disconnected the call so when the customer thinks they
are phoning the bank they are actually still connected to the fraudster. They
talk the customer through the process of logging on to the bank’s website
and the customer then enters their details in order to transfer money to a
‘new account’ which they are told has been set up by the bank. This account is
in fact the fraudster’s own bank account.
In order to avoid being a victim of vishing, it is good practice to use another
phone to call the bank and ask to speak with the person who has just made the
call. The main thing is not to give out login information over the phone, as a
legitimate bank would never ask for it. The same goes for account information.
The basic thing for customers to remember is to never give out any personal
information over the phone. Banks will never ask for PINs or passwords.
Customers should hang up, ignore them and block their number. These are all
physical methods but smartphones have software included that can perform
the blocking of numbers. There are also a variety of apps available which
go beyond merely blocking the calls and keep a file containing the blocked
numbers for all phone owners using the app. Users can browse through the
file to see which numbers are blocked. One software solution is employed by
large organisations whereby the software can filter numbers according to the
likelihood that scams are being attempted.
It is important that you should be able to evaluate the prevention methods
described above. You need to be able to judge the importance of each method
and how likely it is to be successful. As has been mentioned earlier, there
are very few effective methods of preventing pharming, but methods of
preventing phishing can be very effective and the same can be said of vishing
and smishing.
Activity 5b
1 Briefly describe the two different ways pharming attacks can be carried out.
2 Describe four methods of preventing smishing.
5.2 Malware
Malware is short for malicious software. It is the general term for computer
programs which have been created with the deliberate intention of causing damage
or disruption, or gaining access to a computer without the owner’s permission.
5.2.1 Types of malware
The term malware covers all the different types of threats to computer security
such as viruses, Trojan horses, worms, spyware, adware, rootkits, malicious
bots, ransomware, as well as others.
Virus
A computer virus is a type of malware that is designed to spread from one
computer to another, usually by means of the internet, causing changes in the
way each computer operates as it spreads. They have the ability to replicate
themselves, just like real viruses. Some types of virus delete the data on the disk
or just corrupt or change the data. They insert themselves or attach themselves
to another computer program. They often then lie dormant or inactive until a
situation arises which causes the computer to execute its code. This situation,
or event, can be a particular time or date. Symptoms that can indicate a virus
is present include popup windows suddenly appearing frequently, the user’s
homepage being changed from its normal setting, or the user’s password no
longer working, preventing the user from being able to log on. Viruses
can cause large numbers of emails to be sent from the user’s email account. The
computer may frequently crash or its processing speed can noticeably
slow down.
Trojan horse
Often shortened to ‘Trojan’, a Trojan horse is a malicious computer program
which is used to hack into a computer. It enables the person who created it
to take control of the computer it has infected. The name Trojan horse is a
reference to the ancient Greek story, in which Greek soldiers laying siege to the
city of Troy hid inside a wooden horse and deceived the Trojans into thinking
that it was a peace offering. When the Trojans took the horse inside the city
walls, the Greek soldiers let themselves out and attacked. Here it is the user
who is deceived into thinking they have downloaded genuine software. Unlike
computer viruses and worms, Trojans generally do not attempt to infect other
files or replicate themselves. Instead, they are used for a number of purposes,
the main one being simply to gain access to a computer so that the controller
can discover the personal data of the owner. Another purpose is to delete files
from the hard disk and Trojans can also be used simply to corrupt the data.
Worm
Worms are similar to viruses in that they replicate themselves. A worm will often
exploit security holes in networks in order to spread throughout the network.
Sometimes, their main purpose seems to be to continually replicate themselves
and in so doing to occupy more and more disk space until the disk is full and
can no longer function. They do not attach themselves to other programs or
files and in that sense are said to be standalone programs. They are designed
to spread by sending many copies to other computers in a network. This results
in slowing down the traffic in a network. Some worms do not try to change
the computers they are moving through but are designed simply to occupy
more and more bandwidth in their attempt to slow down a network. When
worms repeatedly replicate themselves, they start to use up the free space on
a computer. One symptom on a computer with a worm is that the speed and
performance are reduced. Another is that the amount of free storage space on
the computer is noticeably reduced. Files going missing or new files suddenly
appearing is another good indication that a worm is present.
Spyware
Spyware is malicious software that is designed to collect information about a
computer user’s activities without their knowledge. Data such as web browsing
habits, email messages, usernames and passwords, and credit card information
are passed to the hacker without the user having any idea what is happening.
A keylogger is often used; this is a type of spyware which works by collecting a
record of the user’s keystrokes and results in the hacker receiving information
about the user’s credit card numbers and other sensitive or personal data. It
does not replicate like a virus or worm but is just there to ‘spy’ on the computer.
The only real indication that the user might notice that there is spyware on the
computer is a reduction in processing power and bandwidth, since these are
used by the spyware to communicate the information back to the hacker.
Adware
Malicious adware is software whose main purpose is to generate income for
the originator or creator of the software. It is normally downloaded with
free software, without the user’s knowledge. It automatically generates
advertisements. When the software is opened, advertisements may appear in the
interface used by the software. It often keeps track of the internet sites the user
visits and matches its advertisements to the types of goods or services that the
user appears to be interested in. It often causes unrequested advertisements to
be displayed in the browser when a user accesses the internet. Alternatively, the
advertisements appear in popups. Generally, it is regarded as more of a nuisance
than dangerous, but there has been a tendency in recent times for the adware to
be linked to spyware. Symptoms can be unnoticeable, but some types of adware
can slow down the performance of a computer and there tends to be a larger
number than usual of popups.
Rootkit
A rootkit is a type of malicious software that is designed to install a set of tools
in a computer which allows the attacker to have remote access to that computer
continuously. It gives the attacker continuous privileged access to a computer
and hides its presence deep within the operating system; the user is completely
unaware that their computer has been infected. The different tools enable the
attacker to discover the user’s passwords and credit card details. The ‘root’ in
rootkit is taken from the word used in Unix and Linux systems to signify the
administrator account or somebody who has administrator privileges. It can be
downloaded in a similar way to phishing by clicking on a link within an email,
or a hacker could gain administrator privileges and install it remotely. The
rootkit can tamper with security software such as anti-virus so that it does not
detect the rootkit’s presence, and it is also capable of removing the anti-virus software.
Malicious bots
Bot is short for internet robot and, as its name suggests, it performs tasks that
are normally undertaken by a human. When used to gather information over
the internet, bots are referred to as web crawlers. Without them, the smooth
running of search engines, for example, would not be as efficient.
Unfortunately, there are many malicious bots. Like a worm, a malicious bot can
replicate itself and is designed to feed back to a server; the server and the
network of infected computers it controls are called a botnet. The botnet can
then gather email addresses and from them generate spam to those and other
addresses. They are capable of gathering information from different websites,
such as date of birth from one site, health insurance details from another site,
and address from another. They are extremely difficult to detect on a computer.
Because of the increased use of the IoT, botnets are becoming a grave concern
because they can control networks which consist of many different devices. This
is largely because some of the devices in the IoT are relatively easy to hack into
and susceptible to spreading bots.
Ransomware
Ransomware is a type of malware that blocks access to the user’s data until a
ransom is paid. An alternative approach is for the hacker to threaten to publish
the user’s data unless a ransom is paid. One of the most common ways of
downloading ransomware is, again, a phishing email. The receiver clicks on
what appears to be a link to a trusted file, but once it is opened the software,
which can take the form of a worm or a Trojan horse, can take control of the
user’s computer. Among the many actions the software can perform once it
has taken over the computer, the most common is to encrypt the user’s files
and display a message demanding a ransom payment before it will
decrypt them.
Other types of malware
There are a number of other types of malware in addition to those described
above. Two types are fileless malware and scareware.
Fileless malware is a type of malware that does not rely on files and leaves no
evidence once it has been executed. It is very difficult for anti-malware software
to detect and remove. It resides only in the main memory (RAM). Fileless
malware does not perform any actions which affect the computer’s hard drive. It
ceases to work once the system is rebooted.
Scareware is a type of malware that tricks the computer user into thinking that
their computer has been infected with a virus. It appears as a popup and seems
to come from a genuine anti-virus provider. The user then pays the ‘provider’ to
download the anti-virus and then discovers, too late, that it is a scam.
Activity 5c
1 Describe the differences between ransomware and scareware.
2 Describe the differences between a Trojan horse and a worm.
5.2.2 How malware is used
There are a number of ways that malware can be used to carry out illegal
activities. Three are described here.
Fraud
Computer fraud involves using a computer to take or alter electronic data, or
to gain unlawful use of a computer or system to illegally benefit financially.
Several different types of malware and general misuse of personal data have
been described. For example, spyware collects a user’s personal data, browsing
habits and keystrokes. This can lead to credit card fraud as well as identity
theft. Once fraudsters have gained a user’s personal and financial data, they
can either sell the information to other criminals or they can impersonate the
user. They can use the user’s financial data to ask the bank for a new PIN or
even an extra card. They can buy goods via the internet using the credit card
details they have obtained. They can also withdraw large sums of money from
the user’s bank account. Most credit card fraud victims are unaware of what
has happened until it is too late.
Scareware, as we have seen, is used to obtain money under false pretences.
Phishing, vishing, smishing and pharming are intended to get the user to
divulge their passwords, credit card numbers and bank account information so
that the fraudster can access the user’s account to withdraw money, make money
transfers and also use the details to shop over the internet.
Ransomware, as we have seen, is used to blackmail users into paying large sums
of money, usually in Bitcoin so that it cannot be traced.
Industrial espionage
One dictionary definition of industrial espionage is ‘spying directed towards
discovering the secrets of a rival manufacturer or other industrial company’. It
is usually the theft of business trade secrets. It used to be carried out by getting
an employee to work for a rival company and spy from the inside; it is now more
often carried out by hacking into databases or computer networks.
Malware has become a major tool in industrial cyber espionage, with
the purpose of stealing information in the form of company secrets. For
businesses, the internet has ceased to be a safe place. Malware is rapidly
increasing in scale and can be found throughout the internet. When company
employees go to a website or open an email, there is great risk of downloading
malware in one form or another.
Malware can be used to access an employee’s computer and the company
information it holds. Regardless of what type of malware is being used, each one
attempts to exploit weaknesses in software to gain access. There exists a form
of malware that is designed to target a specific computer and thus lends itself
to industrial espionage where a particular company is being spied on. Malware
which is produced in order to attack any computer with vulnerabilities would
serve no purpose to a hacker in this case, as they would get lots of information
from unnecessary sources.
Hostile actors are people who organise themselves into teams of hackers with
a collective aim. They include foreign states, criminals, groups of hackers with
a common goal, as well as terrorists. Foreign states are usually best placed to
conduct the most damaging cyber espionage and computer network attacks.
Cyber espionage can be conducted in order to hack into specific business
computer networks to steal large amounts of data without detection. This
could include intellectual property, research and development projects, or a
company’s merger and acquisition plans. In the past, companies employed
spies but now they are turning more and more to computer hackers to steal
these secrets.
Intellectual property theft in the USA alone is estimated to cost companies
hundreds of billions of dollars per year. Certain countries have been held
responsible for these activities, but more private companies are now getting
involved in this type of espionage. Groups of hackers are offering their services
for hire for millions of dollars. Some are actually hacking into company secrets
and offering the information they have gathered to the highest bidder. This
activity has been made easier by the development of the Dark Web, where an
auction-based marketplace exists. Most of the transactions are now taking
place using Bitcoin. It is a bit disconcerting for companies to realise that their
most confidential data may already be up for auction on the Dark Web. It is
imperative for large corporations to have their own counter-espionage operatives
and to make their IT systems secure. They need to investigate which of their
secrets have already been offered at auction.
Sabotage
The term computer sabotage refers to making deliberate attacks which are
intended to cause computers or networks to cease to function properly. The idea
is that businesses, education establishments and other organisations are attacked
in order that their normal operations are disrupted. It has been estimated that
billions of dollars in the USA alone have been spent on legal fees so that damages
could be paid out to victims of sabotage involving identity theft. A great deal of
money has been spent on repairing computer systems in hospitals and banks.
Computer sabotage within organisations is often carried out by disgruntled
employees intent on causing the organisation to lose money. Employees might
make unauthorised attempts to view, disclose, retrieve, delete or change
information by misusing the system privileges they have been granted. Some
acts of sabotage are committed by former employees, perhaps unhappy with
the way they lost their job. However, most attacks by employees or former
employees are carried out remotely.
Clearly, not all sabotage is the result of sending malware, but it can
consist of a virus being sent to a computer which prevents users from logging
on, and it can take the form of distributing malware to allow hackers to illegally
access an organisation’s network.
Organisations need to guard against computer sabotage by taking measures to
protect all their hardware and software. This will not only require a firewall and
use of anti-virus software, but must include guidelines about the use of separate
user IDs and passwords for each individual user of a computer, including advice
to change passwords regularly.
5.2.3 Consequences for organisations and individuals
Malware poses a major threat to any organisation. It can ruin the organisation’s
security arrangements for its computer network and systems. As a result,
it can disturb its business operations, leading to financial losses. Personal
information can be accessed, leading to identity theft on a massive scale, as well
as user IDs and passwords being compromised through the use of spyware.
Some organisations, particularly banks, have had to pay out a great deal of
money in the form of compensation when personal data has been stolen.
The three main implications of malware for an organisation are the loss of data
and time and the costs it incurs. Keeping an organisation safe from viruses
is often very expensive. Because there is so much malware being transmitted
across the internet, it is important to plan ahead for any threats. An employee
unwittingly clicking on a link in an email can release a virus that could delete
all computer data stored on hard disk within an organisation, which would have
serious consequences for the company. If a virus has infected one computer
on a network, each computer has to be disconnected from the network and
cleaned by using anti-virus software to remove viruses. Each computer must be
clear of viruses before being reconnected to the network. Cleaning a computer
while it is still connected to the network leaves it open to further infection.
Disconnecting and cleaning each computer takes a lot of time and therefore
cost. In addition, the organisation’s IT department may not have the expertise
to cope with such a massive undertaking of cleaning each computer, so outside
experts may need to be hired to do the job, leading to further costs.
Looking at the impact on an individual and their personal computer or laptop,
malware enables hackers to gain valuable information such as bank details, date
of birth, email address and passwords. The hacker can then commit identity
fraud. We have also seen how scareware can be used to fool users into paying for
non-existent anti-virus software. The slowing down of their computer system
can be inconvenient to say the least for an individual. Pranksters may simply
want to see the havoc their programs can cause, whereas some hackers attack
PCs with malware to make their reputations within the hacker world.
Activity 5d
Briefly describe three ways that individuals might be affected by the use of
malware.
5.2.4 Prevention of malware
Use of prevention software
Anti-virus software must ensure all data is scanned for malicious code as
it enters the company’s network. (See Chapter 2 for more details on
anti-virus software.) A firewall, which filters incoming traffic and prevents
malicious software entering the system, should be used on all the external entry
points to the network.
Anti-virus software must be kept up to date, running all the time, with scans
scheduled to run at frequent intervals. Only one anti-virus program should be
run at a time, as two different programs may conflict with each other. Anti-spyware
software should be run as well if the anti-virus software does not
incorporate an anti-spyware module, but it should not be in conflict with the
anti-virus software. It is also a good idea to have a spam filter, particularly if the
email software used does not have one.
Anti-malware software can be used. This may be different to anti-virus software,
although these days the differences are becoming blurred. Anti-malware
software can protect networked computers in two ways: it can guard against
the entry of malware into a network and it can also remove malware that has
managed to get into the computer network system.
Physical methods of prevention
Companies are advised to develop and implement anti-malware policies and
ensure that they are consistently applied across the organisation. A record should
be kept of any known malicious websites, which should then be blocked by
the firewall from accessing the network. Dedicated stand-alone virus-checking
computers which are equipped with anti-virus software should be provided.
These must be capable of scanning any type of media. All employees should be
educated so that they understand the risks from malware and are aware of the
day-to-day procedures they can follow to help prevent malware infections. They
should be encouraged to stop and think before clicking on links, and if they do
click on a suspicious link, they need to inform the IT department as soon as
possible. They should know
that they must not connect any removable media or personally owned device
to the network. They need to be aware that they must report any strange or
unexpected system behaviour to a technician or member of the IT department.
Good advice to both organisations and individuals is that operating systems and
browser software should always be kept up to date. Software that is no longer
used or old versions of application software should be removed. If software is
no longer supported by the software company, then it will be open to malware
attacks. Emails should be read with suspicion, since encouraging the user to
download malware only works if the user is not paying sufficient attention to
who sent the email and what it might be suggesting. In the phishing section,
the things to look out for were described in detail: sender address, spelling/
grammar errors, the true address of the link and so on. Strong passwords should
be used, that is ones that are unique, changed often and do not relate to the
owner’s personal information.
Websites should have an appropriate padlock next to the URL. Users should
always log off from their computers at the end of a session.
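As an added illustration that is not part of this chapter, the Python script below applies two of the phishing checks listed above, the sender address and the true address behind a link, to a constructed sample email. The domain names, the sample message and the helper names are invented for the example; the organisation's own domain is assumed to be known.

```python
"""Added example: flag two phishing indicators (sender address, true link address)."""
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (placeholder domains): the display name claims the bank, the real
# address is on an unrelated domain, and the first link's text hides where it points.
SAMPLE_FROM = "Example Bank Security <alerts@example-mail-relay.net>"
SAMPLE_HTML = """<p>Your account needs verifying. Click
<a href="http://login-verify.example.net/reset">https://www.examplebank.com</a>
to confirm.</p>
<p>Help: <a href="https://www.examplebank.com/help">www.examplebank.com/help</a></p>"""
TRUSTED_DOMAIN = "examplebank.com"  # assumed domain the organisation expects


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registered_domain(host):
    """Last two labels of a host name (simplification: ignores ccTLDs like co.uk)."""
    return ".".join(host.lower().split(".")[-2:])


def host_of(text_or_url):
    """Host part of a URL, or of bare text such as 'www.host/path'."""
    if "://" not in text_or_url:
        text_or_url = "http://" + text_or_url
    return urlparse(text_or_url).hostname or ""


def check_sender(from_header, trusted_domain=TRUSTED_DOMAIN):
    """Warn when the display name names the trusted organisation but the address does not."""
    name, addr = parseaddr(from_header)
    org = trusted_domain.split(".")[0]
    addr_domain = registered_domain(addr.split("@")[-1]) if "@" in addr else ""
    if org in name.lower().replace(" ", "") and addr_domain != trusted_domain:
        return f"sender address {addr} is not on {trusted_domain}"
    return None


def check_links(html):
    """Warn for each link whose URL-like visible text names a different domain from its href."""
    parser = LinkExtractor()
    parser.feed(html)
    warnings = []
    for text, href in parser.links:
        if not re.search(r"[a-z0-9-]+\.[a-z]{2,}", text.lower()):
            continue  # visible text is not URL-like, nothing to compare
        if registered_domain(host_of(text)) != registered_domain(host_of(href)):
            warnings.append(f"link text '{text}' but true address is {href}")
    return warnings
```

Running `check_sender(SAMPLE_FROM)` and `check_links(SAMPLE_HTML)` on the sample reports the relay-domain sender and the first link only; the genuine help link passes.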
Examination-style questions
1 Describe three different items of personal data. [3]
2 Give three reasons why data should be kept confidential. [3]
3 Describe the different types of authentication techniques. [3]