Stand and deliver – your money or your (computer) life

28 03 2016

Ransomware. It’s been around for a few years now, but in the last 6 months or so it’s really hit the mainstream press and therefore entered the consciousness of the ‘ordinary person’. Recent high-profile cases include a couple of hospitals in the US, a police station and a local authority in the UK.

Before I go into the details and explore what you can, or more likely can’t, do to protect yourself, I think it’s worth taking a step back and looking at the so called ‘underground economy’ of cyber crime.

Back in the day, the bad guys in the computer world were generally loners who did what they did for kicks and credibility amongst their peers. Very irritating, occasionally brilliant and generally disorganised.

That changed once it became clear that there was money to be made from what has come to be known as cybercrime. The professionals moved in as organised crime saw it as another lucrative string to their bow, promising low risk and high returns. Along with the increased organisation and the massive amounts of money, came demands for structure, specialists, quality control and co-ordination as well as the incessant demand for more and better products.

Nowadays a complete ecosystem is in place that is at least as organised as the mainstream legitimate economy. There are market places for the sale and exchange of everything from software to stolen credit cards. Code comes with money back guarantees, free trials, help manuals and even help desks. Every aspect of the economy has specialists who only focus on what they do best and hand on to the next person in the chain when their part is complete.

Into this mix comes ransomware.

Ransomware is, to put it in simple terms, a piece of computer code that you inadvertently download to your PC. It might infect your PC via an email attachment, a website or even an advert you click on. However it gets in, it has one purpose: to encrypt your files, and once those files are encrypted they will stay encrypted unless you can obtain the decryption key. And here’s the clever bit: in exchange for a fee, usually in bitcoins, the bad guys will send you the decryption key.

The first you will probably know about it is a screen that pops up on your computer (the example shown here is from CryptoLocker), but they are all pretty much the same. At that point you have three choices:

  1. Restore your files from the backup (you do have backups don’t you?)
  2. Pay the fee
  3. Accept you have lost the files forever and just move on.

Option 1 is fine as long as the backups are not accessible from the PC and the ransomware has not already found them and encrypted them as well. Assuming they are OK, you simply need to disinfect your PC by running up-to-date antivirus software (AV software usually runs a day or so behind new ransomware, so it might not work immediately – check online), delete the encrypted files and restore from your backups.

Option 2 is not ideal for a couple of reasons. Firstly, the current fee is around 4 bitcoins, which at the time of writing is about $700. For a company that might be a small price to pay; for the audience of this blog it’s a not inconsiderable amount. Secondly, whilst it’s in the interest of the bad guys to make the process work, there are a number of reasons why it could fail. There might be an error in their code, there might be a problem with their use of encryption, or law enforcement may have found them and taken down the website that’s hosting the decryption key. But as I said previously, this is a business and they are keen to maintain their reputation, and anecdotal evidence suggests that paying the fee will result in you receiving the decryption key.

Option 3 depends on you knowing what’s on your PC and whether you care about it. You still need to disinfect your PC but that’s about it.

So what can you do to protect yourself from ransomware? To be honest, beyond the normal good practice of regularly applying security updates and running up-to-date antivirus software, not a lot. The age-old advice of avoiding ‘dodgy’ websites, whilst still valid, is not sufficient, as many mainstream websites are infected these days (often via their advertisers’ sites). Not clicking on unexpected email attachments or following unknown links in emails is also fundamental good practice, but is no guarantee that you’ll be safe.

One thing you might want to consider is removing the admin rights from your normal account and creating a separate account that you only use for admin-type tasks (such as installing software). Some ransomware relies on being the Administrator on the box, so if you are logged in as a ‘normal’ user then it won’t work, or at least will only work on those files you control. Not perfect, but something.

The bottom line is that you are in the same position as the rest of us in the Commercial world. You have to expect the attack and then plan your response and try and mitigate the impact.

What stuff on your PC do you care about? Unless you are running a business, it probably boils down to photos and music, with a few personal letters thrown in.

You should make sure that you have backup copies of these important things. My previous blog about the Cloud gives some suggestions, but you could also consider offline backups on USB drives, SD cards or whatever. The main thing is to have them somewhere that is not immediately accessible from your PC, so that if bad stuff happens you’ve still got those photos of great aunt Daisy’s 100th birthday.
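The point made above about Option 1 and about offline backups is that a backup is only useful if you know it hasn’t been encrypted along with everything else. The following is an added example, not code from the original post: it records a SHA-256 manifest of the files on a backup drive and later re-checks the drive against it, so a backup that ransomware has quietly rewritten shows up as changed, missing or renamed files before you rely on it. The ‘photos’ folder and its contents are constructed in a temporary directory so the script runs offline; in real use you would point `build_manifest` at the mounted backup drive and keep the manifest somewhere other than that drive.

```python
"""Build and verify a SHA-256 manifest for a backup copy (added example)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large photo or video files need not fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (as a forward-slash relative path) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the backup tree with a previously stored manifest.

    Returns three lists: files whose content changed (a backup that has been
    encrypted in place appears here), files the manifest knows but the drive no
    longer has, and files on the drive the manifest has never seen (e.g. renamed
    copies with a new extension).
    """
    current = build_manifest(root)
    changed = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    missing = sorted(k for k in manifest if k not in current)
    unexpected = sorted(k for k in current if k not in manifest)
    return {"changed": changed, "missing": missing, "unexpected": unexpected}


def demo() -> dict:
    """Constructed scenario: take a backup, then simulate it being encrypted on the drive."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "usb_backup"
        (backup / "photos").mkdir(parents=True)
        # Constructed sample files standing in for the photos and letters on the drive.
        (backup / "photos" / "daisy_100th.jpg").write_bytes(b"\xff\xd8\xff\xe0 fake jpeg bytes")
        (backup / "letters.txt").write_text("Dear Daisy, ...\n")

        # The manifest is serialised so it can be kept apart from the drive; an
        # attacker who only reaches the drive cannot rewrite both copies.
        manifest_json = json.dumps(build_manifest(backup), indent=2)

        clean = verify_backup(backup, json.loads(manifest_json))

        # Simulate ransomware reaching the drive: one file's content is replaced,
        # another is renamed with an extra extension.
        (backup / "photos" / "daisy_100th.jpg").write_bytes(b"ENCRYPTED" * 4)
        (backup / "letters.txt").rename(backup / "letters.txt.locked")
        tampered = verify_backup(backup, json.loads(manifest_json))
        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the check before restoring, and after every backup refresh write a new manifest; a clean report is all three lists empty.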

So that’s it I’m afraid. Ransomware is here to stay and will get more effective and more prevalent as time passes. Using the Internet gets more like Russian roulette every day, bad stuff is out there and it’s likely to get you at some point. All you can do is do the basics right (many of which I’ve covered in previous blog entries), and know what you are going to do when it’s your turn to get hit.

Depressing? Probably, but like everything else, until the general public really cares about something, governments and business won’t pay attention and get the problems fixed. Internet security is bubbling to the surface, but at the moment more lip service than customer service is being paid to solving the problem. Whilst software companies can get away with writing poor code, ISPs can get away with not caring about what they are hosting and Joe Public continues to do stupid things, Internet crime will continue on an upward tick that shows no sign of flattening out any time soon.


Safe surfing

Of Passwords and PINS (1)

25 08 2012

In the world of Information Security, few things generate more debate and argument than how to authenticate a user.
Authentication is one of the two pillars of access, the other being authorisation. One to prove who you are, the other to control what you are allowed to do. You can have authorisation without authentication (for example anyone can use Google to search for something on the web) and you can have authentication without authorisation (“you may well be David, but you aren’t getting in here my son!”).
The most common authentication mechanism around is the good old userid/password combination. The biggest problem with this is that the userid is often easy to guess (or may even be made public intentionally), so it really falls back to the password on its own and for a password to be acceptable the party who owns what is to be accessed has to trust that the person who presents the password is actually the person who is meant to know it. We’ve all seen the films where the bad guys find out the secret password for entry to the castle and then massacre everyone inside. If you rely on a password as the authentication method then you have to rely on the person who knows it keeping it secret, and that it is pretty hard to guess!
Therein lies the problem. If you only have to remember one userid/password combination then it’s not beyond the wit of man to make it complex and keep it safe in your head, however a very quick count will show that you have lots of accounts which require you to authenticate yourself before you are granted access. Actually, let’s just take a few minutes to do just that. Count up all of the different computer accounts you have; at work, at home, with your bank(s?), e-mail accounts, Facebook, Twitter, don’t forget your phone, laptop, car(?) etc. etc. Passed 20 yet? Thirty, Forty, One Hundred? OK, now think how many DIFFERENT passwords you use across those accounts, is it one for all of them or a different one for each?
This is where the real world and ‘best practice’ collide, and where I will disagree with many of my colleagues. ‘Best practice’ for account management will offer you the following rules:

  1. Have a different password for each account.
  2. Never write your password down.
  3. Change your password frequently.
  4. Make your password hard to guess but easy to remember.
  5. Never share your password with anyone.
Rules 4 and 5 I’ll go along with, and there are lots of places you can go to help you with the first part of 4; the challenge is achieving the second part at the same time. R&h(0kl.!B may well be a very strong password, but you’ll be hard pressed to remember it. I’ll come back to how to achieve both parts of (4) in the next post. To my mind 5 is a no-brainer, but (and there is always a but) I’m sure you can think of situations where you want to share because it’s easier, and that is where Corporate rules and Personal choice can collide. Your employer may make it a disciplinary offence to share the password to your company account with a colleague, but you may choose to share your personal e-mail password with your partner (only you can decide if that is a good idea!!).
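To put a number on “hard to guess” as used in Rule 4 above, here is an added example (not from the original post) that estimates the size of the search space an attacker has to cover. The character-class model it uses is the usual rough upper bound: it assumes the attacker must try every string of the same length over the same alphabet, so it flatters passwords built from words or patterns. It also compares that with a passphrase drawn at random from a word list, which is one way of satisfying both halves of Rule 4. The guessing rate in the demo is a constructed figure for illustration, and the 7,776-word list size is the standard Diceware list.

```python
"""Estimate the guessing space of a password or passphrase (added example)."""
import math
import string

# Character classes a brute-force attacker has to add to the alphabet once a
# password is seen to use them.
CLASSES = (
    ("lower", frozenset(string.ascii_lowercase)),
    ("upper", frozenset(string.ascii_uppercase)),
    ("digits", frozenset(string.digits)),
    ("symbols", frozenset(string.punctuation)),
)
_KNOWN = frozenset().union(*(members for _, members in CLASSES))


def alphabet_size(password: str) -> int:
    """Size of the smallest standard alphabet containing every character used."""
    chars = set(password)
    size = sum(len(members) for _, members in CLASSES if chars & members)
    # Anything outside the four classes (space, non-ASCII) is counted individually.
    size += len(chars - _KNOWN)
    return size


def brute_force_bits(password: str) -> float:
    """log2 of the search space for a random string of this length and alphabet.

    This is an upper bound: a password made of words, dates or keyboard walks is
    far cheaper to guess than a uniformly random string of the same shape.
    """
    return len(password) * math.log2(alphabet_size(password))


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """log2 of the search space when the attacker knows the words were chosen
    independently at random from a dictionary of dictionary_size entries."""
    return word_count * math.log2(dictionary_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try the whole space at a given offline guessing rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def compare(password: str, word_count: int, dictionary_size: int = 7776) -> dict:
    """Side-by-side view of the post's example password against a random passphrase."""
    return {
        "password_bits": brute_force_bits(password),
        "passphrase_bits": passphrase_bits(word_count, dictionary_size),
    }


if __name__ == "__main__":
    # Constructed guessing rate purely for illustration.
    rate = 1e10
    for label, bits in [
        ("R&h(0kl.!B (10 chars, 4 classes)", brute_force_bits("R&h(0kl.!B")),
        ("password (8 lowercase letters)", brute_force_bits("password")),
        ("5 random Diceware words", passphrase_bits(5, 7776)),
    ]:
        print(f"{label}: {bits:.1f} bits, {years_to_exhaust(bits, rate):.3g} years to exhaust")
```

The figures show the trade-off the post is pointing at: the ten-character example password and a five-word random passphrase land in the same region, but only one of them is something you will still remember next month.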
So let’s have a look at 1,2 and 3.
1. Have a different password for each account. Are you serious?? It’s hard enough to remember the separate accounts without having to remember all those passwords.
2. Never write your password down. You’ve just told me to have 50 different passwords, and now you expect me to remember them all? Dream on!
3. Change your password frequently. So, not only do I have to remember 50 separate, complex passwords, without writing them down, I’ve now got to change them every month or so.
And we wonder why users get upset with us.
So what can you do? This may not work for you, but it’s my solution and it seems to have kept me safe for a few years.
First step is to separate your accounts into their relative importance (perform a risk assessment if you will). Ask yourself how much pain you will suffer if someone else can use the account that you are protecting. If it’s your online bank account, then you want it pretty secure, other things you may care less about. For the ones I really care about, as there are not many of them and it’s not a massive overhead, I apply rules 1-5 in full. I then temper the rules as the risk decreases, to the point where I have a couple of passwords that I use for all of the unimportant accounts (insurance quotes, or brochure sites which feel obliged to force you to log in for some reason). Rules 4 and 5 still apply to these though.
So let’s look at Rule 1. You may also decide to have one password to cover a particular group of accounts (e.g. your e-mail accounts, or your social media accounts). This has the advantage that you only have to remember one password, and when it comes to changing it you only have to think up one new value. It does of course have the disadvantage that if it is compromised then all of those accounts could be at risk, so as soon as you think someone knows your password, CHANGE IT! Hence the risk assessment.
On to Rule 2. If you are going to write your passwords down, then don’t write the password next to the account name it belongs to. As I said in an earlier posting, Information Security is basically common sense, and that would be plain stupid. Think of a clever way of making the relationship obvious to you, but impossible to guess for someone else. If you don’t need to carry them with you (and let’s be honest you probably don’t), then store them in a file on your computer (and don’t name it ‘my passwords’), which you could always protect with another password!
Finally, Rule 3. When it comes to changing passwords, other than your Corporate accounts I’m pretty sure that none will ever remind you, and most will never expire. Two tips here: one, if you hear about a company you have an account with being ‘hacked’ (such as the recent stories about Sony, LinkedIn and World of Warcraft), then change your passwords immediately; and two, never change your password in a hurry or when your mind is on something else. You WILL have forgotten it the next time you log in!

So, that’s a first toe-dip into the world of authentication. Lots more to cover in later postings, but in the meantime, as always, keep safe online, and remember –
Just because you’re paranoid it doesn’t mean they’re not out to get you!
