After discovering a new and improved virus that encrypts important files on infected machines, researchers from Kaspersky are calling on fellow security professionals to lend a hand in cracking the massive key needed to liberate the ensnared data. The call to arms posted Friday comes two days after the antivirus provider …
Kaspersky, why not
set things up like they do with folding@home? Then you could get the whole world involved. With things set up, millions of computers will be ready each time the key changes.
seems rather obvious why not
all the baddies would have to do is 'process' the real key and send in a negative result. Or flood the system with positive results.
Dead vulture, because the scene is dead.
It's just so easy to do
If you have the clear text and the encrypted text, the key shouldn't be too hard to crack. Just use your backups. You do have backups, right? Oh well, I wonder just how much the ransom is.
Like the one used in, like, most SSL certs? I think I'd be worried if they could actually crack this, as it would basically crack *any* SSL cert.
Bye bye HTTPS!!!
I think you missed this news from 2002 http://www.networkcomputing.com/buzzcut/020412bc.html , citation "Some cryptographic experts feel that already 1024-bit keys are too weak for certain kinds of sensitive data". That was 6 years ago.
Re: Dillon Pyron: Not so easy
"If you have the clear text and the encrypted text, the key shouldn't be too hard to crack. Just use your backups. You do have backups, right? Oh well, I wonder just how much the ransom is."
That is explicitly what sort of attack modern day encryption algorithms are designed to withstand.
Not to mention that the data is probably symmetrically encrypted with a random key, and this is the only data encrypted with RSA.
The best part is of course, if you have backups, there is no need to get the wallet out. yay.
Uh, why not just pay once to get the unencryption utility and extract the keys from that? It seems clear they're using the same two keys so...
brute-forcing the key is not the solution
Go after the key-holder
What's wrong with sleaze and guile?
Umm, if it's making up a different private key each time then the fifteen million years of compute work are required once per infected machine, which is clearly absurd; and if not, then all Kaspersky has to do is pay the ransom once then disassemble the code they receive and publish the private key that it contains.
Breaking a 1024-bit RSA key is not impractical because you need fifteen million years of sieving, it's impractical because there's a stage at the end of the operation which requires a computer with some tens of terabytes of uniformly-accessible memory.
Here's how it will go
(One year of brute force cracking)
(5 minutes later)
Ransomware using new key!
Doesn't cracking the encryption fall under the "cannot do's" of the DMCA? Can virus writers sue people for modifying their software?
So PAY THE RANSOM
Aren't these people supposed to be smart? Just pay the ransom and they'll have to hand you the key to decrypt said files. I'm sure the security industry could put together a pool - the price can't be THAT high or the conversion rate would be nil (because the only entities that could afford it would be the ones that make backups)
Some botnets already get used for somewhat steam-driven distributed processing - it's possible that the biggest computing resource in the world is now a botnet rather than the NSA.
Still, though, brute forcing a 1024-bit key needs a lot of power and would need a colossal number of cycles on a general-purpose CPU. Better to look for cryptographic attacks based on poor implementation, poor PRNGs, maybe even to use honeypots to get some known plain files to assist the attack. This one is beyond brute force and ignorance, I fear :)
(Paris because, well, none of the other icons fit, and she's nicer to look at than Bill or Steve)
Hey Goodin, when Gpcode first made the rounds two years ago...
Did anyone track down the crooks? Having antivirus software stop the malware from being installed is great, but catching the bad guys is an even greater deterrent. The biggest weakness in ransom crimes is the bad guy has to get his payment in order to be successful. Even with dead drops, the bad guy does have to expose himself (or a cutout) electronically or in person in order to collect that payment.
I thought the NSA did own the Botnets :)
Simple way to stop this style of cracking is to find these people and hire them.
Stick them on a military base, ply them with tech treats, pizza, and whatever food gets them going, bring in some hookers from time to time, make sure all drugs were freely available and keep them there building a cyber arsenal.
If one of them breaks into an unauthorized system shoot 'em.
Funnily enough this would probably work.
Go after the plain text
The first rule of cryptography, go after the plain text. Pay the key, and get a bunch of people to kick the crap out of whoever collects the money.
Black helicopters because that's the way to deal with this sort of crap.
Umm, silly question
If you pay someone you have at some point a connection to them or the funds won't get where they need to be. Isn't that a nice opportunity to nail the sods?
No? That's what you get with watching too many US movies, I guess. Get Jason Bourne. NOW!
Store valuable files like documents etc on removable flash drives. So much easier to restore a file than re-create it because some numb-nut is holding a copy on the pc to ransom.
Or even better, have a PC not connected to the internet or a network for these types of sensitive files.
Who needs to brute force a decryption key when all you need to use are your brains for a change???
A bounty equal to the ransom either for the key or the chaps who wrote this thing. Then you still have to pay, but the money doesn't go to the perpetrators.
I keep all my collection of (pron) sensitive files in a computer which is offline!
Mine is the green coat because it's cold outside the internet.
Yes - do the calculation...!
"...all the baddies would have to do is 'process' the real key and send in a negative result. Or flood the system with positive results...."
Actually, the BOINC architecture which handles Folding, and SETI, and all the other calculations already has countermeasures specifically designed to deal with persons uploading dodgy results.
This IS the biggest computing resource in the world, and if they released a geek calculation like this, I guess it would increase by an order of magnitude. Could be a good way of solving the problem.
Alternatively, let NSA and GCHQ earn their taxpayers' funding for once...
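A constructed sketch of the redundancy-and-quorum idea this reply points to, added here and not BOINC's own code; the class and field names are my own, and it assumes each work unit's result is deterministic, so honest hosts report identical values:

```python
from collections import Counter, defaultdict


class QuorumValidator:
    """Accept a work unit's result only when `quorum` distinct hosts agree.

    Constructed illustration (not BOINC code). A single host reporting a false
    negative cannot settle a unit, a host cannot stuff the ballot because it gets
    one result per unit, and a host that keeps disagreeing with the quorum is
    eventually refused entirely.
    """

    def __init__(self, quorum=2, max_results=5, error_limit=2):
        self.quorum = quorum              # agreeing hosts needed to accept a unit
        self.max_results = max_results    # abandon a unit after this many results
        self.error_limit = error_limit    # errors after which a host is refused
        self.results = defaultdict(dict)  # work_unit -> {host: reported value}
        self.status = {}                  # work_unit -> (state, canonical value)
        self.host_errors = Counter()      # host -> times it disagreed with quorum

    def submit(self, work_unit, host, value):
        if self.host_errors[host] >= self.error_limit:
            return ("rejected_host", None)
        if work_unit in self.status:
            # Already settled: late or flooded results change nothing.
            return self.status[work_unit]
        hosts = self.results[work_unit]
        if host in hosts:
            return ("duplicate", None)    # one result per host per unit
        hosts[host] = value
        return self._settle(work_unit)

    def _settle(self, work_unit):
        hosts = self.results[work_unit]
        value, agreeing = Counter(hosts.values()).most_common(1)[0]
        if agreeing >= self.quorum:
            # Canonical result found; charge an error to every dissenting host.
            for h, v in hosts.items():
                if v != value:
                    self.host_errors[h] += 1
            self.status[work_unit] = ("valid", value)
        elif len(hosts) >= self.max_results:
            self.status[work_unit] = ("error", None)   # too much disagreement
        else:
            return ("pending", None)
        return self.status[work_unit]
```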
find these guys,
and then encrypt their DNA with a 1024-bit RSA key. See how they'll like that!
> Aren't these people supposed to be smart?
The virus creates a random key, encrypts your files using the random key, then encrypts the random key itself using the public half of a public-private key pair.
If you pay the ransom then presumably they will decode your random key for you, such that you can get back only your files and no-one else's. (Of course they might just take the money and run!)
If they build houses like 'computers' .. :)
Of course no need to ask what innovative piece of crapware this virus runs on. If the housing industry operated like the Windows ecosystem, then we would all be knee deep in sewage and all the construction company can do is offer to sell you a bilge pump ..
I was thinking the same thing. I can't for a moment believe that the law makers at the time were sensible enough to put a clause in for situations such as this.
Show the key, not the cards
NSA should crack the key and release a decryption tool, anonymously. They can't reveal their ability to do this, but they can still do something good for the world incognito. And while they're at it, they can put some backdoors in the software to assist warrantless surveillance.
Geeks not morons
These guys are geeks not morons so paying them is not going to be a question of leaving a sack of money in a waste bin somewhere that you can stake out and then shoot the guy who collects the money from it. There are lots of interesting ways of wiring the money to a place where it will be accessible to baddies without having to provide a physical presence and numbered accounts are not only available in Switzerland or the Caymans either. Cracking it is the only answer. Then track em down and shoot them before they do it again.
Why not use distributed computing power similar to SETI@Home?
I wonder if the plods would accept that this virus encrypted your files, and as such, there's no way you can give them the necessary decryption key?
Now, when you've all finished laughing...
Re: brute-forcing the key is not the solution
"Go after the key-holder"
Absolutely. Don't these people know *anything* about cryptanalysis? (http://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis)
What has this got to do with Windows? There's no technical reason why MacOS X and Linux aren't equally as vulnerable to such an attack.
If they built houses like Macs, they'd cost 4 times as much, look really fancy, but it would have special sockets so that you can only use a certain type of appliance, and if something breaks you have to get approved plumbers or electricians who charge 4 times as much for their service. It's got voice activated lights and you can operate the TV just by thinking about it, but if you actually want to watch TV you can only watch ITV3.
If they built houses like Linux you'd get fifty locks on the door, but the interior would be a single room, decorated with brown paper. You can do everything you need, except watch telly, because the voltage is wrong on the sockets for your make of TV.
Stop storing your files in /Documents and Settings
Less vulnerable OS's might be an alternative too.
@Ian & Shakje
Permissions. Not all OSes are alike in this respect, and it's the single element that makes Windows so much more vulnerable than any other OS. While, technically, there is no reason why a Posix system could not get infected with Posix malware, the infection would not be anywhere near as robust, nor would it be easily able to spread itself around if it were to find its way into a Posix system. Windows has nothing in these regards, unfortunately.
And Shakje, you owe it to yourself to check out any of the latest releases from any of the major Linux distributors ... Ubuntu 8.04 is awesome and Fedora 9 is spectacular ... You can only bash Linux for so long before you start to look like a luddite. A more appropriate simile might be:
"If they built houses like Linux, the single lock on the door would open into a different house for each key holder, each of whom would have no idea that there was anyone else living there. As they entered, their music would begin, their cocktail(s) would arrive, perfectly mixed, and they could look forward to an evening of relaxing engagements that they, themselves, define, rather than being forced to address a stack of chores that the house came up with while they were away."
If it wasn't Windows, it would be...
If any other distribution of an OS other than Windows was the most widely used in the world, it would be the most widely vulnerable, too.
I feed the penguin because he is good to me.
Do Any Of You -
Have a feeling that anybody actually paying these scum money would result in them getting anything useful in return? Honestly? Really?
(This was written on a Mac/BSD Unix workstation.)
More Excuses... let's help... NOT
Just another excuse to use others to develop a way to crack
PKI used in many areas... let's all help them... NOT