Senior Writer

Dear future victim, please panic

Mar 26, 2020 · 6 mins

Panic, my pretties, so that I can hack you all the better.

Dear Victim,

Please panic.

Cower in the corner under a toilet paper fort with a pile of ammo for a pillow. Meanwhile, I’m hacking your corporate network.

Work from home, they said. Self-isolate, they said. Avoid contagion, they said. They forgot about me, for I am a DORMANT CYBER PATHOGEN. Dormant no longer…

While you’re avoiding biological infection, I am quietly spreading my digital contagion throughout your organization, ready to flip the switch at just the right moment: RANSOM TIME!

God, I love the smell of ransomware in the morning. Nothing like the sweet, sweet aroma of bitcoin in the aftermath of a little bit of racketeering. A racketeering cyber pathogen–that’s me! Mixing metaphors like bleach and sulfuric acid, but it don’t matter cause at the end of the day it’s BLING BLING, CHING CHING TIME, when I count up my illicit Bitcoin gains and then fill a vast silo with the same number of gold coins so I can swim in my loot like Scrooge McDuck. (Don’t tell me you never wondered what that would be like.)

How did I rise to my current eminence, sitting Smaug-like on a load of loot? Simple. I waited for you to make mistakes. Errors because the boss said, “Just make it work!” You had 24 hours to set up work-from-home for an army of cubicle natives, unaccustomed to sweatshop hours of pajama productivity.

Some of my fave mistakes you make are also the easiest for you to fix. No wonder I’M KING OF THE WORLD!

Don’t use a VPN

For the love of the hot tub I’m planning to add to my yacht with the proceeds of crime, DON’T DEPLOY A VPN. Force your employees to directly connect to the tons of new internet-facing services you just put online cuz your boss said productivity is the number one priority.

We’ll see how much he likes productivity when I take his entire network for ransom. Go ahead. Punch a hole through the corporate firewall and give RDP access to a bunch of employees–and to the entire internet!

Just to make sure I was doing this crime thing correctly, I caught up with Johnny Xmas, obviously not his real name (duh!), a senior researcher for the cybersecurity R&D firm GRIMM. He told me I was totally on the right track.

“The number of remote desktop servers (RDP) appearing on the internet as a whole is increasing substantially on the whole day by day,” Xmas tells CSO. “Do they all have MFA on them? Probably not. Why are we directly exposing them to the internet? Employees should VPN into the corporate network and then RDP into the machine.”

Trust me, I’m gonna love that unpatched Windows XP box covered in dust the IT department just gave the whole world access to. In fact, my only real problem will be keeping other attackers from partying with me–that’s my box! Bad APT! Bad APT! Take your advanced persistency and go threaten someone else!

I get very territorial when doing crimes. It’s a question of ethics. Only one racketeering play at a time. This Windows box ain’t big enough for the both of us. DRAW, STRANGER!

But I digress. Ever since escaping WestWorld things have been a bit strange. (Oops, now you know my secret, you won’t dob me in, will you? Please, guvnuh, can I have some more?)

Oh look, an employee working from a personal device!

Work from a personal laptop

I loves it when you do this. Access confidential business information from the unsecured personal laptop full of third-party software malware! So easy to pop. SNAP CRACKLE POP, I’M RANSOMWARE! TAA-DAHHH!

So when I send you my handcrafted, artisanal phishing emails linking to websites such as my freshly registered with an urgent subject line “Employee Health & Safety” from a spoofed email pretending to be the CEO, my RAT will out-CAT your consumer-grade anti-virus.

There’s never been a better time to go phishing. “When people get scared, they may not be as focused as they need to be, looking at these links and email addresses,” I once heard NetScout CSO Debby Briggs say. “If I’m the person trying to break in, I’m going after email, and I’m going to create fake websites.”

When your panic-addled brain sends an electrical impulse to your mouse-clicking fingers, then my malware will be coming down your fiber optic like a giant uncovered digital sneeze.

Here’s hoping COVID-19 doesn’t jump the meatspace-digital barrier and start infecting computers. I may be a dormant cyber pathogen awakening from my slumber, but compared to COVID-19, I’m an infectious amateur.

You’re l33t, bro. Yeah. I’m talking to you. You with the classy hacker handle: “COVID-19.” You may still be a teenager but mad respect for your skillz. Let’s get a little bro-mance going on here, between two infectious geeks. I know they say we can never be together, you a biological agent of doom, me a digital agent of doom, but look at how much we have in common: WE ARE BOTH AGENTS OF DOOM!

Think about it, bro boo. You call me. Yeah, I’m making that thumb and little finger gesture that looks nothing like a phone. I never thought I could fall for a virus I didn’t create myself, but that’s love for you, I guess.

Don’t enroll your employees in 2FA

For the love of my ill-gotten plunder, do not, I repeat, DO NOT enroll your employees in any kind of two-factor authentication program. Nothing bursts my bubble as a digital agent of doom more than having to end-run around properly configured 2FA, especially you awful, horrible people who use U2F tokens like Yubikeys. See that cartoon steam pouring horizontally from both of my ears? That’s how I feel about 2FA, YOU WASCALLY WABBIT, YOU!

What? I’M the wascally wabbit? Wow. Looking in a mirror hurts.

Stop with the employee training

Embrace your cynicism and repeat after me: “If education is the solution to your security problem, you’ve already lost.”

Everything is lost! Give in to panic! Give in to hopelessness! What’s the point of living? Just accept my malware into your life, like the Gospel of badness it is!

Because in a pinch training can be quite effective, and we do NOT want any of that happening, now do we, my dears? “It’s not possible in a two-week period, much less 24 hours, to roll out a full MDM [Mobile Device Management] solution to enforce and monitor policies,” Xmas says. “So, it’s important to get the verbal policy out there, to train work staff on secure practices.”

“People won’t listen all the time when dealing with this emergency,” he adds, “but security is never all or nothing. We do what we can when we can and work towards building up to a perfect solution in the end.”

Remember, folks: The good is the enemy of the perfect. Strive for the impossible! Strive for true innovation! Meanwhile, I’ll be holding your network for ransom.

Now you’ll excuse me, I have a silo of gold coins to go swim in.


J.M. Porup got his start in security working as a Linux sysadmin in 2002. Since then he's covered national security and information security for a variety of publications, and now calls CSO Online home. He previously reported from Colombia for four years, where he wrote travel guidebooks to Latin America, and speaks Spanish fluently with a hilarious gringo-Colombian accent. He holds a Master's degree in Information and Cybersecurity (MICS) from UC Berkeley.
