Stand and deliver – your money or your (computer) life

28 03 2016

Ransomware. It’s been around for a few years now but in the last 6 months or so it’s really hit the mainstream press, and therefore entered the consciousness of the ‘ordinary person’. Recent high profile cases include a couple of hospitals in the US, a police station and a local authority in the UK.

Before I go into the details and explore what you can, or more likely can’t, do to protect yourself, I think it’s worth taking a step back and looking at the so called ‘underground economy’ of cyber crime.

Back in the day, the bad guys in the computer world were generally loners who did what they did for kicks and credibility amongst their peers. Very irritating, occasionally brilliant and generally disorganised.

That changed once it became clear that there was money to be made from what has come to be known as cybercrime. The professionals moved in as organised crime saw it as another lucrative string to their bow, promising low risk and high returns. Along with the increased organisation and the massive amounts of money, came demands for structure, specialists, quality control and co-ordination as well as the incessant demand for more and better products.

Nowadays a complete ecosystem is in place that is at least as organised as the mainstream legitimate economy. There are market places for the sale and exchange of everything from software to stolen credit cards. Code comes with money back guarantees, free trials, help manuals and even help desks. Every aspect of the economy has specialists who only focus on what they do best and hand on to the next person in the chain when their part is complete.

Into this mix comes ransomware.

Ransomware is, to put it in simple terms, a piece of computer code that you inadvertently download to your PC. It might infect your PC via an email attachment, a website or even from an advert you click on. However it gets in, it has one purpose: to encrypt your files. Once those files are encrypted they will stay encrypted unless you can obtain the decryption key. And here’s the clever bit: in exchange for a fee, usually in bitcoins, the bad guys will send you the decryption key.

The first you will probably know about it is a screen that will pop up on your computer looking something like this which is from Cryptolocker,

[Image: Cryptolocker ransom screen]

but they are all pretty much the same. At that point you have three choices:

  1. Restore your files from the backup (you do have backups don’t you?)
  2. Pay the fee
  3. Accept you have lost the files for ever and just move on.

Option 1 is fine as long as the backups are not accessible from the PC and the ransomware has not already found them and encrypted them as well. Assuming they are OK, you simply need to disinfect your PC by running up-to-date antivirus software (the AV software usually runs a day or so behind new ransomware, so it might not work immediately – check online), delete the encrypted files and restore from your backups.

Option 2 is not ideal for a couple of reasons. Firstly, the current fee is around 4 bitcoins, which at time of press is about $700. For a company, that might be a small price to pay; for the audience of this blog it’s a not inconsiderable amount. Secondly, whilst it’s in the interest of the bad guys to make the process work, there are a number of reasons why it could fail. There might be an error in their code, there might be a problem with their use of encryption, or law enforcement may have found them and taken down the website that’s hosting the decryption key. But as I said previously, this is a business and they are keen to maintain their reputation, and anecdotal evidence suggests that paying the fee will result in you receiving the decryption key.

Option 3 depends on you knowing what’s on your PC and whether you care about it. You still need to disinfect your PC but that’s about it.

So what can you do to protect yourself from ransomware? To be honest, beyond the normal good practice of regularly applying security updates and running up-to-date antivirus software, not a lot. The age-old advice of avoiding ‘dodgy’ websites, whilst still valid, is not sufficient, as many mainstream websites are infected these days (often via their advertisers’ sites). Not clicking on unexpected email attachments or following unknown links in emails is also fundamental good practice but is no guarantee that you’ll be safe.

One thing you might want to consider is to remove the admin rights from your normal account and create a separate account that you only use for admin type things (such as installing software). Some of the ransomware relies on being the Administrator on the box, so if you are logged in as a ‘normal’ user then it won’t work, or at least will only work on those files you control. Not perfect, but something.

The bottom line is that you are in the same position as the rest of us in the Commercial world. You have to expect the attack and then plan your response and try and mitigate the impact.

What stuff on your PC do you care about? Unless you are running a business, it probably boils down to photos and music, with a few personal letters thrown in.

You should make sure that you have backup copies of these important things. My previous blog about the Cloud gives some suggestions, but you could also consider offline backups on USB drives, SD cards or whatever. The main thing is to have them somewhere that is not immediately accessible from your PC, so that if bad stuff happens you’ve still got those photos of great aunt Daisy’s 100th birthday.
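An added example (not part of the original post) of how to check that an offline backup is still OK before you restore from it, which is the assumption behind Option 1 above. It records a SHA-256 fingerprint of every file when the backup is made and later reports anything missing, changed or newly appeared; the function names, the manifest file and the sample `.locked` extension used in testing are assumptions made for illustration.

```python
import hashlib
import json
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large photos or videos do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_manifest(manifest, manifest_path):
    """Write the manifest as JSON. Store it outside the backup folder."""
    Path(manifest_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(manifest_path):
    """Read back a manifest written by save_manifest."""
    return json.loads(Path(manifest_path).read_text())


def check_backup(backup_root, manifest):
    """Compare a backup against the manifest recorded when it was made."""
    current = build_manifest(backup_root)
    report = {
        # Files that were renamed or deleted since the backup was taken.
        "missing": sorted(set(manifest) - set(current)),
        # Files that were not there before (renamed copies, ransom notes).
        "unexpected": sorted(set(current) - set(manifest)),
        # Files whose contents no longer match, e.g. because they were encrypted.
        "changed": sorted(
            name for name in set(manifest) & set(current)
            if manifest[name] != current[name]
        ),
    }
    report["safe_to_restore"] = not any(
        report[key] for key in ("missing", "unexpected", "changed")
    )
    return report
```

Run `build_manifest` and `save_manifest` straight after copying files to the USB drive, and run `check_backup` from a clean machine before restoring.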

So that’s it I’m afraid. Ransomware is here to stay and will get more effective and more prevalent as time passes. Using the Internet gets more like Russian roulette every day, bad stuff is out there and it’s likely to get you at some point. All you can do is do the basics right (many of which I’ve covered in previous blog entries), and know what you are going to do when it’s your turn to get hit.

Depressing? Probably, but like everything else, until the general public really cares about something, governments and business won’t pay attention and get the problems fixed. Internet security is bubbling to the surface but at the moment there is more lip service than customer service being paid to solving the problem. Whilst software companies can get away with writing poor code, ISPs can get away with not caring about what they are hosting and Joe Public continues to do stupid things, Internet crime will continue on an upwards tick that shows no sign of flattening out anytime soon.

 

Safe surfing

David




Cloudy security

24 02 2016

“Cloud computing”: two words guaranteed to generate a multitude of reactions, from confusion to fear and much in between. Most have heard of it, many talk about it and some even understand it, but what has it got to do with Joe or Jane Public and should you care?

In this post I’m going to try to blow away some of the fog about Cloud, but as it’s only a blog entry and not a book I’m not going to have the space to address all of the issues, opportunities and plain BS that the topic encompasses.

This is not written for the expert, although I welcome your feedback and comments, it’s written for the man or woman in the street who is wittingly or unwittingly putting their personal information and precious photos out there in Cloud Land. Why write a blog post on something that has been around for years? Well I’m finding that as people become more adept at using technology the less they understand it. This is for those people.

So first things first, what (or even where) is the Cloud?

As is so often the case there is no simple answer, or even total agreement on what the answer is. One thing you can be sure about is that it’s not a cloud, or even ‘the internet’.

The Cloud can best be thought of as computing infrastructure that is run by other people where you can store your electronic files or do computing stuff.

Cloud breaks down into three main types, public (anyone can use it), private (only you can use it) or hybrid (a bit of both), and the services offered break down into PaaS (Platform as a Service), SaaS (Software as a Service) or IaaS (Infrastructure as a Service). There is also FOaaS but I’ll let you Google that one.

For most of us we could not care less if it’s a P an I or an S, or even if it’s public or private (but trust me it will usually be public), all we care about is that we have somewhere to store our pictures or music or whatever and we can access them from our phone, tablet or desktop from anywhere in the world, and share them with anyone we want to at any time, ideally with the minimum of fuss.

I’m not going to touch on Office 365 or Dropbox, or how those of you running your own businesses might want to make use of the Cloud (maybe that’s a topic for another blog), just the ‘in your face’ ones that almost everyone is using by default.

iCloud (Apple), OneDrive (Microsoft), Google Drive (Google) to name but a few, all give you free storage ranging from 5Gb to 25Gb with the option to buy more if you want it, and they are all linked to your vendor account (Apple-id, Outlook or Google etc) so are (theoretically) secure. These are all public clouds in that it’s a ‘one size fits all’ model – no tailoring of the service allowed, with access available to anyone who wants it (albeit with access to your bit restricted to you and (hopefully) blocked to everyone else (apart from those people listed below and those you’ve chosen to share it with)).

So far so hunky dory. Loads of storage, easily accessible and free, what’s not to love?

Well, to be honest, if you don’t care where your stuff is stored (Europe, America, Asia, under the Atlantic (well maybe not yet but watch this space)), and you don’t care how many employees, contractors, third parties or other relations of your chosen supplier can access your stuff in the spirit of ‘system management’, and you don’t know or care who they can share it with, then not much. But therein lies the rub: with most of the free cloud storage, and quite a bit of the not so free, you have no control over any of this. When you sign up for your cloud storage you agree to all manner of things in the Terms and Conditions (Apple’s runs to over 20,000 words), and unless you hit “I Agree” you can’t use the service. No discussion, no negotiation, just a simple “accept or go elsewhere”.

When you put your music collection, precious photos or critical documents “into the Cloud”, what are you actually expecting to happen? How long do you think they will be there, are they backed up, can you transfer them somewhere else (such as if you decide to move from Apple to Android)? The bottom line is you don’t know because you never asked. You just blindly went with the flow because it was there and it was free.

Will Apple stop offering iCloud, or Microsoft OneDrive? Will they change the T&C and start to charge you for the storage? Will they decide that as part of the free deal they can use your stuff for their own purposes (as Instagram tried to do when they suddenly announced they were going to sell YOUR photos for THEIR benefit – and only backed down after they started to lose market share)? The bottom line is you don’t know, and you can’t know because you don’t have any say in the infrastructure. You’ve given everything to someone else to store in their datacentres and you aren’t even paying them for the privilege.

I’m not saying don’t use the Cloud; what I am saying, though, is use it with your eyes open and consider spreading the risk. Think about what you are uploading and how much it matters to you. If it’s your photo collection then upload them to more than one Cloud provider; after all, they’re free and it would be rude not to take advantage (I have mine in both Google and OneDrive, just in case one of them has a problem, and there’s always the copy on my own devices).

The same for documents that are not sensitive. But if they are sensitive (for whatever reason) just remember that whilst your strong password (see a previous blog) will stop miscreants cracking into your account and reading your stuff, the Cloud provider’s staff will have access for perfectly valid reasons such as keeping the systems running, and unless the data is encrypted (which is unlikely) they will be able to read it. Now, are they going to target your files out of the Petabytes of data they are holding, well it depends on who you are, but the fact is they could, and if that bothers you, maybe the Cloud is not the right place for you and your data.

So in summary. The Cloud is the perfect Martini solution (Google it if you’re under 35) for your electronic information. But in exchange for the ease of use and free storage you are giving control over the security of your stuff to someone else. If you don’t care, then fill your boots as they say. If you do then maybe you need to be more selective.

As Mr Wordsworth said “I wandered lonely as a cloud, That floats on high o’er vales and hills” it’s just that you have no idea where those vales and hills may be.

Happy surfing

David







