NBC News seems to think that "regular" users visiting the Sochi Winter Olympics go out of their way to ignore software updates, disregard security patches, and actively engage in unsafe online behavior. Some users may be slower to patch, or to allow software to update, but they would first have had to actively choose different default settings as Windows and most common software wants to automatically download and install updates. If that is the case, the attacks could successfully happen anywhere. Does that describe a "regular" user?
"The U.S. State Department has told Americans coming to Sochi that they should have 'no expectation of privacy,' even in their hotel rooms," began a story in which NBC News chief foreign correspondent Richard Engel showed how visitors to the Sochi Winter Olympics would be "hacked within minutes" of arriving at Sochi. Errata Security's Robert Graham called the NBC story "100% fraudulent." In fact, the video segment was so highly criticized by security experts, that NBC issued a statement to defend it.
Trend Micro's senior threat researcher Kyle Wilhoit, who was the security expert assisting NBC News, explained technical details edited out of the video and also released a white paper about the "honeypot environment and three devices used in the experiment."
"First, all the attacks required some kind of user interaction. Whether to execute 'applications' or to open a Microsoft Word document, all the attacks shown required user interaction in order to compromise the device," Wilhoit explained on the Trend Micro blog. "Second, these attacks could happen anywhere. ...Third, the infections occurred on newly unboxed hardware. Had basic security precautions such as updating the operating system or not opening emails from unrecognized sources been done, these attacks could have been prevented."
Wilhoit's white paper, From Russia with Love: Behind the Trend Micro-NBC News Honeypots [pdf] gives technical details of setting up the honeypot and Engel's fake information, and the three brand new devices used by Engel for the story. "NBC News wanted the experiment to be performed on new gadgets with no security or software updates." Although NBC News thinks "regular" users would take no basic precautions like security or software updates, they did allow lifestyle and productivity apps to be installed, such as the most recent version of Flash and Java, Adobe, and an older version of Microsoft Office.
Perhaps it's gotten to the point where I don't know any "regular" users, who would actively go out of their way to avoid and ignore security. But because NBC News spun the story to scare the snot out of Sochi visitors, I think it's important to look at the facts presented by Wilhoit in the white paper.
Sign up for CIO Asia eNewsletters.