Trojan Horse
Authored by: Fred Morgan, CTO, DocuSend, powered by MTI. Posted on January 12, 2018
Is that online service, game, or print driver safe?
Everybody likes the selection of tempting apps, add-ins, and utilities we see on the internet nowadays, especially when they’re free or very cheap. One example of a utility could be a macro that helps you write in Word, Excel, etc. But have you ever noticed that downloaded Word files don't enable macros? Now, why would that be? Read on.
The software you want to download seems so innocent. A new game that you can play. A streaming service so you can watch a movie, or a funny clip about cats. It might be, as I said, a handy macro, or a print driver (more on that later). In fact, this is what has made the PC so successful. Anyone can write a helpful program, then either give it away free or charge a small fee. This has unleashed a storm of developers who have benefited, and so have we as users. But unfortunately, it has resulted in some people taking advantage of the system to get what doesn't belong to them.
Programs that come onto your computer for one purpose, but unknown to you are doing something else, are called Trojans.
Why is it called a Trojan, you ask?
In Greek mythology, a war was fought over a woman named Helen, who was stolen from her husband, the king of Sparta, by a man from Troy. For ten years the Greeks besieged Troy to capture her back. The Trojans were able to fight them off, until one day, the invaders packed up and left, leaving behind a huge wooden horse as a peace offering. The Trojans thought, how nice, they left us a trophy, and they wheeled it triumphantly into their city. Unfortunately for the Trojans, the horse was hollow and filled with elite soldiers, who opened the gates to the city in the middle of the night. The Greeks had only pretended to leave, and they came in and sacked the city, looting its golden treasures.
You probably can figure out now why they call some software Trojans. You brought in a nice little utility or app because it was useful or perhaps merely entertaining, and it proceeded to hack into your system to gain access to everything that could be used to get your credit card information, passwords, etc. That Word file I mentioned earlier, the one with the fascinating title, may have an embedded macro that will run as soon as you open the file, creeping through your computer and snooping around. This is exactly how so much identity theft occurs.
This is one gift horse you want to look in the mouth.
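One way to look before opening, as an added example that is not from the original article: a Python check that inspects a downloaded Office file for an embedded VBA macro project without opening it in Word. The sample files are constructed in memory, and the function and verdict names are this example's own.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # legacy .doc/.xls/.ppt container
MACRO_PARTS = ("vbaproject.bin", "vbadata.xml")  # parts that carry VBA macros
MACRO_FREE_EXT = (".docx", ".xlsx", ".pptx")
WORD_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
WORD_MACRO_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"


def inspect_office_file(name, data):
    """Return (verdict, reasons) for a downloaded Office file given as bytes."""
    if data.startswith(OLE_MAGIC):
        return "unknown", ["legacy binary format; macros cannot be ruled out here"]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-office", ["neither an OOXML package nor a legacy Office file"]
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        parts = pkg.namelist()
        if "[Content_Types].xml" not in parts:
            return "not-office", ["zip archive without [Content_Types].xml"]
        content_types = pkg.read("[Content_Types].xml").decode("utf-8", "replace")
    reasons = ["contains " + p for p in parts
               if p.lower().rsplit("/", 1)[-1] in MACRO_PARTS]
    if "macroenabled" in content_types.lower():
        reasons.append("content type declares a macro-enabled document")
    if reasons and name.lower().endswith(MACRO_FREE_EXT):
        reasons.append("extension claims a macro-free format")
    return ("macro" if reasons else "no-macro"), reasons


def build_sample(content_type, extra_parts=()):
    """Constructed stand-in for a Word package (test data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types><Override ContentType="%s"/></Types>' % content_type)
        z.writestr("word/document.xml", "<document/>")
        for path in extra_parts:
            z.writestr(path, b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "letter.docx": build_sample(WORD_CT),
        "invoice.docm": build_sample(WORD_MACRO_CT, ["word/vbaProject.bin"]),
        "renamed.docx": build_sample(WORD_MACRO_CT, ["word/vbaProject.bin"]),
        "old.doc": OLE_MAGIC + b"\x00" * 504,
    }
    for name, data in samples.items():
        print(name, *inspect_office_file(name, data))
```

A "no-macro" verdict only means no VBA project was found in the package; it says nothing about other kinds of active content, and legacy binary files are reported as "unknown" rather than cleared.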
Windows 10 will stop any new program on your system from accessing the internet, but you can allow it to. If you don't know a company well and haven’t checked them out thoroughly, you should not take their "free" offers. Every unknown piece of software added increases the risk to your system.
A few things are indicators for me that I don't want something. If it is a service offered, is the site secure? How to know if the website is secure: look at the first letters of the address bar. For example: https://www.docusend.biz is secure because it starts with https:// but http://www.go2mti.com/ is not secure, because it doesn't have the 's.' A site not being secure is not a problem if the site is merely informational, but any site that accepts your money should be secure.
No worries, I know this site and it's legit, you may be thinking…
Even if the website is legitimate, if it is not secure, a hacker can come in and swap out something you are about to download for an infected copy. Maybe ten of your friends have been using the software and it was fine, but you could be the unlucky one who downloads it right after the hack occurs, before the site owner is alerted to the problem.
Most people are aware that some major sites like Yahoo and Equifax have been hacked, losing customer data, passwords, etc. You might wonder why such large sites can be hacked, and if they can, what chance does the smaller business have of being safe.
Actually, larger companies can be in more danger. Telling a few people to watch what they download and enforcing that rule is much easier than getting every employee in a large company on board. Oddly enough, sometimes the hardest people to get to not take chances are upper management. (I speak from years of experience.)
How Service Providers Protect Themselves and You
Even the most trustworthy people slip up at times, so instead of trying to enforce total employee compliance, the easiest solution is to have an outside company do your security testing—at DocuSend we use https://www.securitymetrics.com/, who frequently runs a rather extensive test on our system. Trust me, I cringe any time I know they are about to test us. The reason? The dark forces are always seeking to find holes—and because of that, programming languages, operating systems, and platforms are constantly being updated to fix holes that hackers are attempting to exploit. Just in the last year, we had to completely upgrade our main server to protect against this, although the server was only four years old. We upgraded the operating system, web server, TLS (Transport Layer Security, which encrypts the customer data we send and receive so no one can eavesdrop on it), language, database—pretty much everything. I am hoping it will be at least a year before we have to do it again!
How YOU Can Protect Yourself
First, a disclaimer: If you saw that heading and hoped I was going to tell you a sure-fire way to know whether a software program is safe, your best protection is just not to download anything, or at least have someone with experience check it for you first.
For the rest of you, you can usually find reviews for the type of software you're considering. A search on “best what-it-does software” or “what-it-does software reviews” should turn some up. Just as (I hope) you don’t put as much weight on medical advice that doesn’t come from a trusted medical reference site like those of the CDC, the FDA, or Mayo Clinic, you should consider some software reviewers more reliable than others. Look for the ones from a major software magazine or other source whose reputation is on the line. Above all, “A matter must be established by the testimony of two or three witnesses.” See if two or three reputable reviewers agree that the software you want to download is OK. If the software is open source, SourceForge.net is a good place to start.
Does the website that's offering the software look professional, or does it seem fly-by-night? Is it carelessly written, with grammatical errors and cheap-looking graphics? Is there significant content or just a page or two?
What you are looking for is a serious investment. The website—is it theirs, or did they clone someone else’s site so they can get you to download their software? That's pretty suspicious. If they stole content from someone, why wouldn’t they rip you off as well? At the very least, the copycat has put no effort into creating a website, which is an indication of how they might approach security issues and customer support.
So, how can you know who copied whom?
You can see when the domain name was registered by going to a website like https://www.networksolutions.com/whois/index.jsp and typing in the web address. Even if you don't see two sites that mirror each other, it's not a bad idea to find out how long the site you're considering using has been around.
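The same comparison done on saved WHOIS records, as an added example that is not from the original article: it reads the registration date from each record, notes recently registered domains, and reports which of the sites has been around longest. The two records are constructed, the domain names are placeholders, and the 365-day "young domain" threshold is an assumption of this example.

```python
import re
from datetime import datetime, timezone

# "Creation Date:" is the label in registry WHOIS output for .com/.net and most gTLDs;
# accepting "created:" as well is an assumption about some country-code registries.
CREATED_RE = re.compile(r"^\s*(?:Creation Date|created)\s*:\s*(\d{4}-\d{2}-\d{2})",
                        re.I | re.M)


def registered_on(whois_text):
    """Return the registration date from a WHOIS record, or None if absent."""
    m = CREATED_RE.search(whois_text)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d").replace(tzinfo=timezone.utc)


def compare_sites(records, today, young_days=365):
    """records maps domain -> WHOIS text. Returns (oldest_domain, notes)."""
    dates = {d: registered_on(t) for d, t in records.items()}
    notes = []
    for domain, when in dates.items():
        if when is None:
            notes.append(domain + ": no registration date in record")
        elif (today - when).days < young_days:
            notes.append("%s: registered only %d days ago"
                         % (domain, (today - when).days))
    known = {d: w for d, w in dates.items() if w is not None}
    oldest = min(known, key=known.get) if known else None
    return oldest, notes


# Constructed WHOIS excerpts for two look-alike sites (not real registrations).
RECORDS = {
    "original-shop.example": "Domain Name: ORIGINAL-SHOP.EXAMPLE\n"
                             "Updated Date: 2017-02-01T09:00:00Z\n"
                             "Creation Date: 2009-03-02T04:00:00Z\n",
    "copycat-shop.example": "Domain Name: COPYCAT-SHOP.EXAMPLE\n"
                            "Creation Date: 2017-11-20T18:30:00Z\n",
}

if __name__ == "__main__":
    as_of = datetime(2018, 1, 12, tzinfo=timezone.utc)
    print(compare_sites(RECORDS, as_of))
```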
Don't Let Them Loot You
Especially beware of any software that wants the ability to move things from your system to another. Many of us are using software like that; for example, Google Drive and OneDrive both move files from your system to the cloud, and there is nothing wrong with that. In fact, it's great, since it gives you off-site backup. What isn't great is if you were to download "Fred's pretty good cloud backup" from a person you don't know, just because it looks useful.
This is why, when we developed DocuSend, we wanted people to upload their files to us, instead of giving them a program that would do it for them. Writing a print driver isn't very hard, especially one to create PDF files. Most of them use Ghostscript underneath (which is open source). Having a PDF print driver on your system is not a problem, since what it produces stays on your system. For those of you who did not know, a print driver converts what would be displayed on the screen into output for a printer. Print drivers are part of how modern operating systems work. A PDF print driver creates an electronic image of the text and graphics in your document and saves it as a PDF. So, if you create a mail merge document in Word using the Start Mail Merge command in the Mailings tab, print it to a print driver like CutePDF (http://www.cutepdf.com/), my personal favorite, and then upload the resulting file to us, you have complete control over what is leaving your system.
But if you download a print driver that is going to do all of that for you, you have to KNOW that all they are sending is the file you want them to send, because you have let in a potential Trojan that can unlock your computer and everything on it to a hacker.
So, what's the upshot?
We at DocuSend consider financial documents very important and very private, which is why we are constantly working at ensuring only you and your customers see what you mail them. We have 25 years' experience in mailing financial documents. We know this business.