This short module opens with a short introduction to malware with a video, followed by slides with a few examples of malware targeting journalists, and finally, opening up to a discussion of how students understand the likelihood of this happening in their work, and what they should do in response.

Prerequisites

Threat modeling

Estimated time

25-30 minutes

Objectives

• Upon successful completion of this lesson, students will be able to identify common functions and techniques for distributing malware.
• Students will be able to construct a risk minimization strategy.

Why this matters

Some of the most commonly used files that journalists open every day (e.g., .pdf, .docx files) are also some of the most common vectors for introducing malware into systems. Because journalists are among the most common targets of malware in the world, it's important to understand what malware is capable of, and common ways may be introduced into a system. In addition, by seeing how the success of most malware depends on unpatched software, students can see in concrete terms why security updates should be viewed as an asset, rather than a burden.

Homework

(Before class)

• Watch this short video introducing Remote Access Trojans: "Trojans and RATs - CompTIA Security+"
• Read this report from Citizen Lab, tracking the use of Pegasus malware by state attackers against remote journalists working with U.S. news organizations: "Stopping the Press: New York Times Journalist Targeted by Saudi-linked Pegasus Spyware Operator"
• Read about KQED newroom's response to ransomware attack: "The Crippling Ransomware Attack on a San Francisco NPR Member Station"
• Read this, from Freedom of the Press Foundation on the limitations of antivirus: "What about antivirus?"

Sample slides

Malware (Google Slides)

Activities

Watch this short video introducing malicious software: "Malware - Security Awareness Video"

Questions for discussion

• When was the last time you clicked a link from a text message?
• How realistic do you think a Pegasus-like attack is against you? How about your colleagues?
• Remember: Jamal Khashoggi's phone was not the one Citizen Lab found was hit with Pegasus malware, but instead, his associate's phone. How might the individuals who you work with influence your likelihood of receiving malware?
  
  Note: Our hope is to get students to think about the specific circumstances; the real answer is it depends on your threat model as individuals and as a group.

Other related resources

• Check out the Electronic Frontier Foundation's malware handout.