Malware, Measles, and Misinformation

The security world is an interesting one to live in. It’s fraught with ever-growing connectivity constantly being plagued by “digital pathogens” or “digital diseases” that our industry must regularly grapple with to prevent everything from melting down into a hot mess. It is not at all unlike the way things were around a century or two ago, when people got sick and eventually sicker, and then everyone was sick, and things just kept getting worse as plagues affected massive populations. It took some time, but eventually doctors and scientists figured out a few interesting methods to prevent and control illness, and things got a lot better, at least for large portions of the world.

Amid the pressing desires for cures, misinformation ran rampant. People came up with all kinds of ideas to cure illness. Some worked, some did not work, and some made people even sicker than they were before. There was a lot of “I told you so” going on back then, and since most people did not know any better, they went with whatever story was most convincing.

Fast forward to modern times, where many of the plagues of the past seem to be mostly under control in many part of the world and misinformation is called out with better accuracy and frequency, but we still have to manage things to keep it that way. For example, groups highlighting concerns over vaccinations have led to a decrease in kids getting vaccinated against some of the world’s mostly controlled illnesses and some of the once nearly eradicated diseases are coming back with a surge in reported cases. I am in my 50s and just got another measles vaccination because it has come back to haunt us. Misinformation will do that.

Security misinformation

Recently WhatsApp, the famous voice and text messaging application, was hacked. It fell victim to a buffer overflow attack, which installed a piece of malware. What surprised me, however, is that some reports spoke of end-to-end encryption not addressing this, and in a manner which a less savvy person might consider as a sign that end-to-end encryption was a waste of time and effort, since it could not stop the current buffer overflow attack. This is rather silly. It is as if I was driving home from getting my measles vaccine and someone rammed into me, causing a car accident, and someone said that the measles vaccine was no help. Of course it wasn’t! It was an entirely different type of attack.
While any security professional can see this, most people who read such articles are not security professionals and may easily be swayed into thinking end-to-end encryption is not necessarily a good use of budget. This idea would potentially open the application up to another threat vector, and perhaps one even more insidious. End-to-end encryption is one of many necessary pieces of the security puzzle, but it is not a panacea. Nothing is.

What this means to all of us is that we really need to pay attention to what is going on in a world where media seems to love controversy, and we need to better educate others to understand this as well. We have all the technology necessary to manage security, but what we really need is for people to understand how these technologies deliver security and in what circumstances. We all need to do a better job educating the non-security world about security, and that is perhaps the toughest challenge a security professional will ever face. But, educate we must to better address the world of digital illness and seek a healthier global digital climate.

I am certainly up to the challenge.