Beware of Geeks bearing Gifts
The UK’s National Crime Agency has warned people have just two weeks to protect themselves against the Cryptolocker ransomware and a strain of the ZeuS password-slurping malware – before both return from the dead. The alert comes after the cops "disrupted" the systems remotely controlling the software nasties – which could …
If it's CryptoLocker it'll be able to infect any Windows system running Win2k+. I believe there's a less prevalent OSX version floating around too, but don't quote me on that.
CryptoLocker is nasty. Someone here has a virus on their home computer that has been sending out malicious emails containing it to their entire contact list (so about 50 or 60 of our users) a couple of times a week for the last couple of months. Everyone's wise to it now thanks to liberal use of a metaphorical cluebat*, but we must have had 15 CryptoLocker infections in the first couple of weeks as people fell for it and opened the "account summery" (sic) or "scanned document" that came in with them. Seriously, I had to pull the same files from backups 7 times in two weeks because of Cryptolocker infections, and that was just me (I'm not the only backup administrator) and for just one network share.
*They won't let me use my literal cluebat.
Now, I'm probably going to risk downvotes here but ... I firmly believe you should be able to click a link without worrying. Otherwise what is the point of QR codes? URL shorteners? The reason why clicking some links causes problems is because there are still far too many vulnerabilities in browsers.
I should be able to point a pdf reader, graphics program, word processor or *browser* at any input whatsoever in perfect safety. The fact that I cannot tells me that software writers have been pissing away their time tweaking the interfaces and adding nice-to-have features rather than addressing the real purpose of these programs.
"QR codes are like telephone numbers. You might not like what you hear when you call them - but it shouldn't be able to blow up your phone"
Sorry, but QR codes aren't really like telephone numbers. You can read a telephone number before you dial it. See that nice poster advertising a thing you are interested in? Just... check that QR code isn't a sticker taking you to a hijack site with the real QR code from the advertiser hidden under it.
Better yet, don't use 'em.
"Are you saying you don't look at the URL you get from a QR code before following the link?!"
No, I'm not, I'm saying I don't use them. Are you saying your superpower is automatically knowing what the URL was supposed to be? There are plenty of advertising types who'd use http://bit.ly/1ilCEh5 instead of http://www.theregister.co.uk.
Suspicious enough, and in possession of the time and the resources to safely probe that short cut on your phone? Good for you, but basic common sense should tell you that Joe Punter will point, click and browse without a moment's thought. And given the 'instant gratification' intent of QR codes, what would be the bloody point?
"No, on the rare occasions I scan a QR code I look at the resultant URL and decide if I want to hit "go" or "delete"."
And again, the point remains. There are probably a sizeable minority (maybe even a sizeable majority) of people outside the IT world who'd use a smartphone as a QR reader despite not knowing what a URL is, never mind whether it 'looks' safe or not.
That is why they are a problem.
"I can see a QR code before I use it. I don't see how reading the phone number in digits rather than seeing it as an image has anything to do with whether it will blow up my phone."
You don't? Ignoring the issue of it being a metaphor, I'd venture you're the sort of chap who'd favour a leisurely stroll about town the day after a full-scale nuclear exchange. "Well... I can't see anything that might harm me"...
How?
Some QR apps just load the destination without a confirmatory URL display.
The QR code may be a link shortening service.
Most users get Malware because they always click on "OK" on dialog boxes.
I agree one should be able to click on anything safely. But today you can't. If a link doesn't have the expected domain for the context, the likely situation is that it leads to evil. So I don't click.
Number of virus infections / Trojans etc on my own computers since 1979 = Zero.
I do check with specialist tools that I'm as clean as I think.
One good one is at silentrunners.org
"The fact that I cannot tells me that software writers have been pissing away their time tweaking the interfaces and adding nice-to-have features rather than addressing the real purpose of these programs."
It also tells you that governments have consistently refused to enforce normal rules of "fitness for purpose" to software and users have consistently kept buying crapware that has a long track record of failure. So the free market delivers what the free market always delivers: a de facto monopoly churning out low grade product for huge profits.
@gazthejourno:
Except we all know that that's Fantasy Capitalism (tm) Gaz. Otherwise we wouldn't have had the Comodo or DigiNotar hacks, the RSA hack, the endless list of (often Blue Chip) companies threatening infosec researchers with legal action rather than engaging in public interest disclosure and fixing their "premium" crapware, and so on ad nauseam.
On the contrary while Open Source is no more free of security flaws there are far fewer of the commercial imperatives to behave badly when these are discovered. So no, it's not hard, when you disengage your prejudices and use your brain.
If it was a monster then this two week window would make some sense: "We've put it to sleep - quick! run for safety while you can! it will wake up soon!" But it isn't - Cryptolocker doesn't wait for you to try to uninstall it, then try to ask the mothership "the user is coming after me! should I scramble the files now?" The moment it starts executing it does whatever harm it can, so while running an instance now might be safer (presuming it does lie dormant if it can't get a key from the C&C server, rather than generating a local one anyway and mailing it to a collection of backup email addresses), late May was also a very good time to update protective software and July will be an awesome month for running the browser from a low capability browser-only user account, and so on.
The "monster" in this case is the owners of the botnet. They'll be working right now to establish a new command and control server so they can start receiving keys and funds from Cryptolocker.
Right now their money making system is offline with the main server seized. But they'll have other channels of communication to get the infected systems communicating with a new server. Soon as they do that, the game's back on.
Hang on, haven't we been told for the last 18 years that we should be careful of what we click and always check that you know the sender and you are expecting this email? The last virus I got was on the Amiga. The last malware was just the usual stuff that's detected by AVG Free and Malwarebytes. I think this is just a ruse to make you not look into the NSA or GCHQ revelations. I think our hardware has a better chance of hiding the main threat to privacy and online safety, and probably is. Paranoia rules.
You should have heard the 10 o'clock news. I really thought I had been transported back almost 2 decades. All over simplified explanations and making it sound new and scary; very little on how this threat isn't new although the scale may or may not be; and nothing on how to actually protect your stuff or how the attack is going to be held off for two weeks.
On the plus side, I've now remembered why I don't watch TV news :)
"we should be careful of what we click and always check that you know the sender and you are expecting this email."
We have a user here who got hit by someone last week. It came from a user he knew. It said it was a government GMail account and a document had been shared. Document title looked appropriate for an ongoing discussion he's having with the sender. Clicked on the link and ....
Not sure how the security incident is being resolved because I'm not part of it. But users talk, especially when they get hit while doing everything the IT Security Training courses tell them to do. Could he have picked up the phone and confirmed the document was actually sent by the user? Sure. But in your standard office environment, is it reasonable to expect every user to call the sender each time they receive a document? Because sending an earlier email saying you are about to send a document won't necessarily help in this instance.
With 90+% market share, it's the same thing.
I don't see people mention specifically Windows when they release other kinds of software - it's just "PC"; same with mobile software, should they list the operating systems if it turns out they don't support Windows Phone?
But no, don't let that stop with your tin-foil-hat conspiracy theory.
We've been beating this one off (as it were) since September last year.
Get CryptoPrevent (free from FoolishIT - yes, really) and protect your users. For you corporate types, yes, you already have group policies in place to prevent things executing from temp locations and zip files. For us in the sole trader/SME world who don't have the ability to lock down customers' PCs to that extent, this easily sets those policies for them at the click of a button. And it's free.
Also, as I'm sure you already know, make sure they have a versioning backup system. Carbonite works a treat and they have a dedicated backup team who will help you roll back the infection to before it happened.
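The "prevent things executing from temp locations and zip files" control the comment above refers to is a set of Software Restriction Policy path rules. The script below is an added example, not the page's own or CryptoPrevent's code; it assumes an elevated PowerShell session on Windows 7/Server 2008 R2 or later, and that the local SRP policy store is the registry layout `Safer\CodeIdentifiers\<level>\Paths\<guid>` shown here. The blocked path list is constructed for illustration.

```powershell
# Added example: local SRP path rules that deny executables launched from the
# user-writable locations CryptoLocker-style droppers typically run from.
# Run with -WhatIf first; Get-SrpPathRules shows what is already in place.

$SaferRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0        # SRP security level "Disallowed"
$Unrestricted = 262144   # SRP security level "Unrestricted" (0x40000)

# Constructed list: profile-local drop points and archive-extraction temp folders.
$BlockedPaths = @(
    '%AppData%\*.exe',      '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe', '%LocalAppData%\*\*.exe',
    '%Temp%\Rar*\*.exe',    '%Temp%\7z*\*.exe',
    '%Temp%\wz*\*.exe',     '%Temp%\*.zip\*.exe'
)

function Get-SrpPathRules {
    # Returns the ItemData (path pattern) of every rule stored at the given level.
    param([int]$Level = $Disallowed)
    $base = Join-Path $SaferRoot "$Level\Paths"
    if (-not (Test-Path $base)) { return @() }
    Get-ChildItem $base | ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData }
}

function Add-SrpDisallowRules {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]]$Paths = $BlockedPaths)
    # Enable SRP with a permissive default so only the listed paths are denied.
    if ($PSCmdlet.ShouldProcess($SaferRoot, 'enable SRP with Unrestricted default')) {
        New-Item -Path $SaferRoot -Force | Out-Null
        Set-ItemProperty $SaferRoot -Name DefaultLevel       -Value $Unrestricted -Type DWord
        Set-ItemProperty $SaferRoot -Name TransparentEnabled -Value 1 -Type DWord  # 1 = exes only, not DLLs
        Set-ItemProperty $SaferRoot -Name PolicyScope        -Value 0 -Type DWord  # 0 = applies to all users
    }
    $existing = Get-SrpPathRules
    foreach ($p in $Paths) {
        if ($existing -contains $p) { continue }   # idempotent: skip rules already present
        $key = Join-Path $SaferRoot "$Disallowed\Paths\{$([guid]::NewGuid())}"
        if ($PSCmdlet.ShouldProcess($p, 'add Disallowed path rule')) {
            New-Item -Path $key -Force | Out-Null
            Set-ItemProperty $key -Name ItemData    -Value $p -Type ExpandString
            Set-ItemProperty $key -Name SaferFlags  -Value 0  -Type DWord
            Set-ItemProperty $key -Name Description -Value 'Block droppers (added example)' -Type String
        }
    }
}

Add-SrpDisallowRules -WhatIf   # preview; drop -WhatIf to apply
```

Rules are evaluated when a new process starts, so test by logging on afresh and attempting to launch a harmless .exe copied into %AppData%; the block is logged as Event ID 866 in the Application log.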