You cannot con an honest person…or can you?

Some advice from TrendLabs on avoiding Cryptolocker….

An infection with CryptoLocker starts as a spam email which carries a Trojan (a downloader). The spam might promise a ‘free way to unlock software’; its success depends on the social engineering lures used in the message and on how people respond to them.

These are the safe computing practices to consider when opening emails and file attachments:

  • Always check who the email sender is. If the email is supposedly coming from a bank, verify with your bank if the received message is legitimate. If from a personal contact, confirm if they sent the message. Do not rely solely on trust by virtue of relationship, as your friend or family member may be a victim of spammers as well.
  • Double-check the content of the message. There may be obvious factual errors, spelling mistakes or discrepancies that you can spot. There may be a claim from a bank or a friend that they have received something from you (go to your recently sent items to double-check their claim).
  • Refrain from clicking links in email. In general, clicking on links in email should be avoided. It is safer to visit any site mentioned in email directly. If you have to click on a link in email, make sure your browser uses web reputation to check the link.
  • Always ensure your software is up-to-date. Regularly updating installed software provides another layer of security against many attacks.
  • Backup important data. Unfortunately, there is no known tool to decrypt the files encrypted by CryptoLocker. One good safe computing practice is to ensure you have accurate back-ups of your files. The 3-2-1 principle should be in play: three copies, on two different media, with one copy kept in a separate location.

Who’s Looking At You?

Many laptops these days come equipped with web cams – just look closely at the top of the screen and see if you can see a small hole there – and there has always been concern about malware that might enable your web cam and record your activities.

This could include determining what you are typing if the microphone is turned on and/or the web cam has a large enough field of view!

Normally when a web cam is turned on, a warning light next to it comes on as well, and that warning light has in fact been known to reveal unauthorised spying.

Of course there have been rumours for years that governments can secretly turn the web cam on without the warning light coming on. But now researchers have demonstrated that it is possible, meaning the warning light can no longer be relied upon.

I guess it is time to resort to the blank masking tape method.


Has Your Web Account Been Compromised?

Nearly all of us use accounts on numerous web sites. Hopefully we are all paying attention to best practices as far as security goes and have a different password on each site – no I don’t always do that either!

Over time there have been numerous account leaks from web sites whose security measures have not always been what they should. Whilst some of us try to keep up with the news on such matters, it is hardly surprising that people may not be aware that their long forgotten account credentials on a web site have been disclosed.

The easy way of checking is to use a site like http://haveibeenpwned.com/ which allows you to enter an email address and find out whether it appears in any of the breach data the site has collected, i.e. whether a password of yours is likely to have been disclosed in the past.
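As an added example (not part of the original post, and not code from haveibeenpwned.com), here is how the same site's later Pwned Passwords “range” lookup lets you check a password against its breach corpus without ever sending the password or its full hash: the client sends only the first five hex characters of the SHA-1 hash and matches the remaining 35 characters locally. The web request is replaced by a constructed stand-in so the example runs offline; the leaked passwords and counts in it are invented.

```python
import hashlib
import secrets


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix that
    is sent to the service and the 35-char suffix that stays on this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse the 'SUFFIX:COUNT' lines of a range response into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """How many times the password appears in the corpus (0 = not seen).

    fetch_range(prefix) must return the response body for that prefix; for the
    real service that is a plain HTTPS GET of
    https://api.pwnedpasswords.com/range/<prefix>. Only the prefix leaves the
    machine; the full hash is never transmitted.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# --- offline stand-in for the service --------------------------------------
# Constructed "breach corpus" for this example: these passwords and counts are
# invented, not taken from any real breach.
FAKE_LEAKED = {"password": 3_000_000, "letmein": 250_000, "Winter2013!": 12}


def fake_fetch_range(prefix):
    """Behaves like the range endpoint: returns every suffix in the fake corpus
    whose hash starts with `prefix`, padded with a few random suffixes so that
    a single match cannot be told apart from noise by response size alone."""
    lines = []
    for leaked, count in FAKE_LEAKED.items():
        p, s = sha1_prefix_suffix(leaked)
        if p == prefix:
            lines.append(f"{s}:{count}")
    for _ in range(3):
        lines.append(f"{secrets.token_hex(18).upper()[:35]}:1")
    return "\r\n".join(lines)


if __name__ == "__main__":
    for candidate in ("password", "Winter2013!", "correct-horse-battery-staple-42"):
        seen = breach_count(candidate, fake_fetch_range)
        verdict = f"seen {seen} times, do not use" if seen else "not in corpus"
        print(f"{candidate!r}: {verdict}")
```

To use it against the live service, replace `fake_fetch_range` with a function that fetches the URL shown in the docstring and returns the response text; nothing else changes, and the password itself still never leaves the machine.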

What If My Account Was Compromised ?

The first thing to do is to produce a list of sites where you have used the same password as on the compromised site. If you are anything like me, you may well have no idea which sites those are, so you may have to list every site where the password could plausibly be the same.

Once you have that list, work through it and change the password for each one.

It is probably a good idea to :-

  1. Change the account password on every web site you use at least every 2 years. With any luck your appreciation of what makes a strong password will improve over time.
  2. Review the importance of each web site account you use. Sometimes people may set a weak password on an account they believe isn’t too important … and the importance of an account may well change over time.
  3. For web accounts that you no longer use, it is still worth changing their password. Set it to something insanely difficult (and store it in a password store such as KeePass).

The Even Nastier Malware – Ransomware and Cryptolocker

In recent years there has been a new trend amongst malware authors – the introduction of so-called “ransomware” where a criminal demands money to unlock your PC. As this trend is continuing, and as we have seen an instance or two of such infections at the University, it is time to explain what it is and what to do about it.

Ransomware works by demanding that you pay those who caused the infection in order to get your PC back. The usual method is to encrypt the files on your hard disk (in some variants transparently decrypting them at first, so that nothing seems wrong). At a certain point the ransomware pops up a demand saying that you will lose access to your files after a certain date unless you stump up the ransom.

In some cases ransomware heightens the threat by claiming it has discovered evidence of illegal activities and that if you don’t pay up, the police will come knocking.

Encryption?

To clarify what ransomware does to your files: it uses strong encryption on as many of “your” files as it can reach. Once encrypted, the only way of accessing the contents of the files is with the co-operation of the ransomware, or with knowledge of the private key that was used.

To emphasise: your files will be scrambled in a way that only the people behind the ransomware can unscramble.

There have been cases where the encryption has been weak enough that anti-virus vendors have been able to release tools to unscramble the encrypted files, but newer ransomware uses very strong encryption.

To Pay or Not To Pay?

As an ethical organisation, the only advice IS can issue is not to pay the ransom and live with the consequences. Criminals should not be rewarded.

And whilst restoring from backups is tedious, it does at least test that your backup mechanism is working.

In most cases, the payment of a ransom will result in your files being unscrambled (it is in the criminal’s interest to be “honest” in this regard), but there are new reports that certain law enforcement groups are getting sufficiently pro-active that they have closed down payment channels used by the ransomware.

Without a means to pay the criminals, your files will remain scrambled.

Cryptolocker

Cryptolocker is the type of ransomware currently getting the most attention. Indeed it is gathering more attention than previous ransomware types because it is a particularly effective form. Cryptolocker :-

  • Uses very strong encryption so there is very little likelihood that anyone other than those who have the private keys will be able to unscramble encrypted files.
  • Is very blatant about what it does – it is very specific about it being ransomware when it notifies you.
  • Gives you only a very small time window to pay the ransom to unlock your files – 72 hours.

For some reason it has caught the attention of main stream media, so there could be a great deal of news coming from that direction (not always 100% accurate!).

How Do People Get Infected?

The method of infection depends on what ransomware is being distributed, but most commonly :-

  1. Email with an attachment containing some enticing document. The naive person clicks on the attachment only to find that it is an ordinary Windows executable. Windows hides the extension of known file types by default, so an attacker can name the file so that the .EXE is hidden and it appears to be a document with a fake .PDF extension (for example “invoice.pdf.exe” is shown as “invoice.pdf”).
  2. Downloading content from the web. Perhaps it is advertised as an interesting document, but again turns out to be a Windows executable.
  3. Drive-by infections via compromised advertising banners. Those “ad banners” you find on web sites can (and sometimes do) contain malware … including ransomware.
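A small screening routine for the first two cases, as an added example that is not from the original post or from any vendor: it flags the double-extension trick (Windows hides the final extension of known file types, so “invoice.pdf.exe” shows as “invoice.pdf”), the Unicode right-to-left override character that reverses the end of a name on screen, and, more robustly, a mismatch between the claimed type and the file's leading bytes (a PDF starts with `%PDF-`, a Windows executable with `MZ`). The attachment names and byte strings are constructed for the example; the extension and signature tables are a minimal illustration, not a complete list.

```python
import os

# Leading bytes ("magic numbers") for the types in the example; a real screen
# would carry a much longer table. Only the first few bytes are needed.
MAGIC = {
    ".pdf": (b"%PDF-",),
    ".exe": (b"MZ",),
    ".zip": (b"PK\x03\x04",),
}

# Extensions Windows runs as a program on double-click (illustrative subset).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

RLO = "\u202e"  # Unicode RIGHT-TO-LEFT OVERRIDE: text after it is drawn reversed


def displayed_name(filename):
    """What Explorer shows with 'Hide extensions for known file types' on
    (the default): the final extension is dropped, so 'invoice.pdf.exe'
    appears as 'invoice.pdf'. Assumes the final extension is a 'known' type."""
    root, _ = os.path.splitext(filename)
    return root


def screen_attachment(filename, head):
    """Return a list of reasons to quarantine the attachment (empty = nothing
    suspicious). `head` is the first few bytes of the file's content."""
    findings = []
    parts = filename.lower().split(".")
    exts = ["." + p for p in parts[1:]]
    final = exts[-1] if exts else ""

    if final in EXECUTABLE_EXTS:
        findings.append(f"executable type {final}")
        if len(exts) >= 2:
            findings.append(
                f"double extension, displayed as {displayed_name(filename)!r}")

    if RLO in filename:
        findings.append("right-to-left override character hides the real extension")

    # Content check: independent of whatever the name claims.
    expected = MAGIC.get(final)
    if expected and not any(head.startswith(m) for m in expected):
        findings.append(f"content does not match {final} signature")
    if head.startswith(b"MZ") and final not in EXECUTABLE_EXTS:
        findings.append("content is a Windows executable (MZ header)")
    return findings


# Constructed sample attachments: (name, first bytes of content).
SAMPLES = [
    ("quarterly_report.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),    # genuine document
    ("invoice.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"),            # double extension
    ("statement.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),              # renamed executable
    ("holiday" + RLO + "fdp.exe", b"MZ\x90\x00\x03\x00\x00\x00"),  # shows as holidayexe.pdf
]


if __name__ == "__main__":
    for name, head in SAMPLES:
        verdict = screen_attachment(name, head)
        print(f"{name!r}: {'QUARANTINE: ' + '; '.join(verdict) if verdict else 'ok'}")
```

The name-based checks are cheap but easy to evade; the magic-byte comparison is the one worth keeping, because it catches a renamed executable whatever the attachment is called.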

In theory anti-virus protection should prevent this sort of thing from happening, and it is still essential that you have up-to-date anti-virus protection on your PC. But it is not a guarantee that you will not get infected: new samples circulate before the vendors have a signature for them.

In addition to avoiding getting infected, it is also helpful to ensure that you can recover if you do get infected – what we would call “defence in depth”. This is done mostly by ensuring you backup your documents and data :-

  1. Make sure your documents and data are saved to the N: or K: drives, which are backed up by IS.
  2. If you use a Mac, then set up a backup using Time Machine and an external drive.
  3. If you are using Windows or Linux, then set up some other sort of backup mechanism.

The latter case is not really specific enough, but you should ensure that your backup media are not permanently connected (or if they are, that a snapshot is created regularly), or you could find your backups being encrypted by ransomware along with everything else.
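To make that last point concrete, and to show the 3-2-1 principle from the TrendLabs advice above in working form, here is an added example (my code, not the page's or IS's) that contrasts a permanently connected drive kept as a plain mirror with dated snapshots taken in the style of rsync's --link-dest: each snapshot is a complete copy of the documents, but files unchanged since the previous snapshot are hard-linked to it rather than copied, so keeping many snapshots costs little space. The documents, the simulated infection (files overwritten with random bytes and renamed with an .encrypted suffix) and the directory layout are all constructed inside a temporary directory.

```python
import filecmp
import os
import shutil
import tempfile
from pathlib import Path


def mirror(source, dest):
    """The 'always connected USB drive' model: dest is made identical to source,
    deletions and overwrites included. Anything that damages source is copied
    faithfully on the next run."""
    if dest.exists():
        shutil.rmtree(dest)
    shutil.copytree(source, dest)


def snapshot(source, backup_root, label):
    """Create backup_root/<label> as a full view of source. Files byte-identical
    to the previous (lexically last) snapshot are hard-linked to it instead of
    copied, in the style of rsync --link-dest; changed or new files are copied."""
    backup_root.mkdir(parents=True, exist_ok=True)
    previous_snapshots = sorted(p for p in backup_root.iterdir() if p.is_dir())
    previous = previous_snapshots[-1] if previous_snapshots else None
    dest = backup_root / label
    dest.mkdir()
    for path in source.rglob("*"):
        rel = path.relative_to(source)
        target = dest / rel
        if path.is_dir():
            target.mkdir(parents=True, exist_ok=True)
            continue
        target.parent.mkdir(parents=True, exist_ok=True)
        prev_file = previous / rel if previous else None
        if prev_file is not None and prev_file.is_file() \
                and filecmp.cmp(path, prev_file, shallow=False):
            os.link(prev_file, target)   # unchanged: share the data, no extra space
        else:
            shutil.copy2(path, target)
    return dest


def simulate_ransomware(folder):
    """Constructed stand-in for an infection: every document is overwritten with
    random bytes of the same length and renamed with an .encrypted suffix."""
    for doc in list(folder.rglob("*.txt")):
        doc.write_bytes(os.urandom(doc.stat().st_size))
        doc.rename(doc.with_name(doc.name + ".encrypted"))


def demo():
    """Run the scenario and report what each backup still holds."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        docs = tmp / "documents"
        docs.mkdir()
        (docs / "thesis.txt").write_text("Chapter 1. In the beginning...")
        (docs / "notes.txt").write_text("lab notes, week 3")

        usb = tmp / "usb_mirror"          # second medium, permanently connected
        snaps = tmp / "snapshots"         # separate location, written to by schedule
        mirror(docs, usb)
        first = snapshot(docs, snaps, "2013-11-01")

        simulate_ransomware(docs)         # the infection happens here

        mirror(docs, usb)                 # the connected drive copies the damage
        second = snapshot(docs, snaps, "2013-11-02")

        return {
            "first_snapshot_intact": (first / "thesis.txt").read_text()
                                     == "Chapter 1. In the beginning...",
            "mirror_has_original": (usb / "thesis.txt").exists(),
            "second_snapshot_has_original": (second / "thesis.txt").exists(),
            "second_snapshot_encrypted_files": len(list(second.glob("*.encrypted"))),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hard links save space; they do not provide the protection. What protects the first snapshot here is only that nothing wrote to it after it was taken. Ransomware running as an account that can write to the snapshot store would corrupt every hard-linked copy at once, so the snapshot location must be one the infected machine cannot modify: a separate host it can only push to, or storage that takes its own snapshots.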

Further Information

The following links contain further information on ransomware, and Cryptolocker specifically. Some links are very technical and others are intended to give the same sort of information as this blog posting :-


How Safe Is Your Life (or Smartphone) ?

Sophos have published a list of key things to do with your smartphone to keep it secure :-

http://nakedsecurity.sophos.com/2013/10/08/10-tips-for-securing-your-smartphone/

And now is a good time to review that list.

Most of us spend more and more time with our smartphones, and in turn they become more and more embedded into our lives with more and more personal information. Paying attention to security is admittedly tedious sometimes (at least the preventative kind), but it saves a great deal of anguish in the event of a smartphone being stolen.


Why can’t I have a router in my room?

There are policy restrictions in place to stop people from connecting unapproved devices (e.g. switches, routers, bridges) to the University network. The reasons are explained below:

Wireless connectivity

The University wireless network is being extended into Halls, and is being carefully designed to avoid radio interference. Most domestic routers come with a wireless access point which, if enabled in a densely populated area like student residences, would have a catastrophic effect on wireless performance for the whole building – and everyone in it.

Network Performance/Resilience

Plugging a router into the University network will deliver a second-rate service to that room, floor and building, and will affect other users who rely on network connectivity. If you degrade that service, other students may be given the false impression that the Information Services department is responsible.

Unknown, unapproved equipment could affect the network in unpredictable ways. For example, consider someone using wifi and a LAN port at the same time. It is easy for the LAN and wifi interfaces to be bridged together, creating a loop between the two network segments; at worst that produces a broadcast storm, which would drop every node on both segments off the network.

Network Security

For the purposes of this discussion a domestic router is essentially a “splitter” for a network connection: it lets you connect more than one computer to a single connection. Many routers also provide wireless capability, which anyone nearby can use if their computer has a wireless card. So, by plugging in a router you create an uncontrolled, insecure wireless network which increases the risk of computer hacking, identity theft and malware proliferation.

Network Management.

What do you do if the service goes down or the router fails?  Or if the port is turned off?  Power brown-outs or black-outs will drop your connection, too.   Anyone connected via your router will have no connection and recourse!   There’s just too much scope for failure.


Passwords: A Little Knowledge Is A Dangerous Thing

According to this article on password security, cracking passwords is difficult enough that a 9 character password is safe. However the author is working on a specific password challenge: finding the password to an encrypted archive file.

And he is right … for that specific application.

As it happens, he is using what is effectively the state of the art in password hashing, whereas for many applications we are forced to use very outdated technologies. The speed of brute forcing a password is not simply a function of how fast the hardware you have access to is, but also a function of how expensive the password hashing function is to compute.

Different password hashes are calculated in different ways, and some are faster than others; in some cases much faster. The most common password hashes today are Windows password hashes (pretty weak) and passwords stored on websites using MD5 (ultra weak). Both are fast, general-purpose hashes that were never designed for storing passwords, so an attacker with ordinary hardware can test an enormous number of guesses per second against them.

A more realistic article on the speed of password cracking can be found here.

Nobody can be expected to know everything about password security, and a journalist even less so. But someone writing an article on password security should at least cover the basics; and this guy hasn’t done that.

Medium length passwords (8-10 characters) are only safe to use for specific applications where the password hash algorithm is known, and known to be strong. All other passwords should be longer.
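As an added illustration of the point about hash cost (not code from either article): the same 9 character guess takes a microsecond or so to test against an unsalted MD5 and milliseconds against a deliberately slow, iterated construction such as PBKDF2, and that ratio carries straight through to the time an exhaustive search takes. The block measures both on this machine's CPU with Python's standard library; the iteration count, the lowercase-plus-digits alphabet and the 9 character length are assumptions for the example, and the absolute rates are far below what a GPU cracking rig achieves, so only the ratio should be read from it.

```python
import hashlib
import os
import time

LOWER_DIGITS = 36           # a-z plus 0-9, the alphabet assumed for the example
PBKDF2_ITERATIONS = 20_000  # assumed work factor; production settings are higher
SALT = os.urandom(16)       # per-user random salt, as a real system would store


def keyspace(length, alphabet=LOWER_DIGITS):
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet ** length


def md5_unsalted(password):
    """The 'ultra weak' website hash: one fast, unsalted MD5 per guess."""
    return hashlib.md5(password).digest()


def pbkdf2_sha256(password):
    """A purpose-built password hash: HMAC-SHA256 iterated many times with a salt."""
    return hashlib.pbkdf2_hmac("sha256", password, SALT, PBKDF2_ITERATIONS)


def seconds_per_hash(hash_fn, guesses):
    """Time `guesses` candidate passwords through hash_fn; return seconds per guess."""
    start = time.perf_counter()
    for i in range(guesses):
        hash_fn(f"guess{i}".encode("ascii"))
    return (time.perf_counter() - start) / guesses


def crack_seconds(length, per_hash, alphabet=LOWER_DIGITS, workers=1):
    """Worst-case time to try every password of `length` chars at `per_hash`
    seconds each, spread over `workers` independent cores or GPUs."""
    return keyspace(length, alphabet) * per_hash / workers


def compare(length=9):
    """Measure both hashes here and project the exhaustive-search time for each."""
    md5_cost = seconds_per_hash(md5_unsalted, 200_000)
    pbkdf2_cost = seconds_per_hash(pbkdf2_sha256, 20)
    year = 31_557_600  # seconds
    return {
        "md5_seconds_per_hash": md5_cost,
        "pbkdf2_seconds_per_hash": pbkdf2_cost,
        "slowdown_factor": pbkdf2_cost / md5_cost,
        "md5_crack_years": crack_seconds(length, md5_cost) / year,
        "pbkdf2_crack_years": crack_seconds(length, pbkdf2_cost) / year,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value:.3g}")
```

A dedicated cracking rig tests MD5 guesses many thousands of times faster than this single CPython loop, which is exactly why the projected MD5 figure cannot be trusted as a safety margin; the slowdown factor is the property the defender controls, and raising the iteration count raises it directly.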

Posted in Passwords

Information Commissioner Incidents

The Information Commissioner has released some statistics on the number of reported incidents.

The interesting things about the statistics are :-

  1. The overwhelming majority of incidents are caused by human error of one form or another. It might seem that security is a human problem rather than a technical one. However it should be remembered that the Information Commissioner is only interested in security incidents where personal data is involved; there are many other kinds of incident. It is still worth bearing in mind that the most expensive security incidents need solving with education.
  2. Judging from the statistics, it would seem that the public sector has a much larger problem with data security than the private sector. However the datalossdb “largest incidents” list includes none from the public sector. Perhaps the self-reporting rule the Information Commissioner applies to public sector organisations over-emphasises that sector?
  3. These are just the incidents where personal data has leaked … there are plenty of other kinds of incident.

The Sophos Spam Relays League Table

Probably more amusing than useful, this table by Sophos is a table of where spam is inserted into the Internet mail system. This is not quite the same as where the spam comes from, because most spam is distributed via an infected host of some kind; such as your desktop PC (if it gets infected).

It is essentially a list of where the most infected PCs can be found. If you click through to the Sophos article itself, you get a longer explanation of what is going on here.


Google Groups: Check How Public They Are!

The Register reports today that the Japanese government has mistakenly left at least one Google Group open to the world to read where they discussed “secret” government work. Or more seriously, discussed the details of numerous people within the group.

There are a lot of possible aspects to this – not least that governments can completely fumble their own security – but there is one big lesson to learn from this.

Anyone who creates or manages a Google Group should be aware of the sharing settings, be aware of whether the Group should be public or private, and be aware of how to make changes if necessary.

Details on how to change the sharing settings will come later, but for now …

Public or Private?

It would be a shame if we were to be overly draconian and start insisting all Google Groups should be private, or even that they be configured as private by default. After all Google Groups are a great tool for public collaboration on research, or anything else.

But if a Google Group is intended for University business … or University business gets discussed on the list, then it should be private.
