Earlier this week an NBC News report showed that it was very easy for all of your computing devices to get hacked in Russia. It seemed to show a phone, a PC laptop and a MacBook that were hacked almost instantly upon being turned on.
Most people took this at face value and assumed that hacking and malware are endemic in Russia. But computer experts noticed that the report lacked any details about what happened. Now we have an updated report from NBC News that sheds some light on what went on. And the truth is very far from what most people assumed.
These devices were not “instantly” hacked. There was actually no hacking even involved. In all three cases a security expert purposely downloaded malware and installed it on the device.
The first device was an Android phone. The security expert used the browser in the phone to go to a specific address of an APK file, an Android app. They would have then had to OK the installation of that app onto the phone.
You could use the analogy that this is like leaving your door unlocked and then being surprised that someone robbed you. But that would not be correct. This is like leaving the door unlocked, then driving to the bad part of town, finding a known criminal, giving them a ride back to your house and walking them through the door.
The second compromise was on the Windows 7 laptop. For some reason, it is running Microsoft Office 2007, not 2010 or 2013. So I assume that it also doesn’t include any of the Office 2007 security updates. I’m sure there were dozens since 2007, and probably they would have prevented this exploit.
In this case the security expert sent an email to the computer. It wasn’t a Russian hacker, or some malware that made the email appear. The expert had to purposely send the email.
Then they had to open the email and then open the attachment included with that email. They don’t say any more about it, but I can assume that it probably contained a macro program of some sort. In that case, they should have gotten a warning about that too, and had to decide to continue. So, again, far from being instantly hacked.
The third device was a MacBook. In that case they had to browse to a web page. Then they had to click on an advertisement of some sort for free anti-virus software. Then they had to install it, clicking through warning dialogs to do so.
So just like with the Android phone, the malware had to be invited in. There was no instant hacking.
Saying this was instant hacking is like saying that your phone instantly broke. Then later revealing that you actually put the phone on the ground and swung a sledgehammer at it.
So a few things to note. First, there was no “hacking.” That poor word gets overused and people have the idea that hacking is a bad thing. Hacking implies that some human is on the other end taking action, doing the work.
But in all three cases here, all that happened was that they intentionally installed some malware that was sitting somewhere. There was no “hacker” working on the other end to compromise these machines. A malicious person wrote the malware, but they weren’t targeting anyone specifically and they aren’t even aware that these devices were being infected.
Second, this whole thing has nothing to do with Russia. They could have sat in an office in New York City and gone to the same web sites and received that same email message.
Third, there is nothing new here. All of these methods for compromising phones and computers have been around for some time. Likewise, all of the basic, simple precautions that would prevent them have been around just as long.
As I’ve written before, all you need to do is follow three rules. First, keep your software updated. Second, don’t download software from sources you don’t trust. Third, stay informed.