It's still 2015, and your Windows PC can still be pwned by a webpage Microsoft has today released patches for 56 security vulnerabilities in its products. People should apply the updates as soon as possible because miscreants are actively exploiting at least two of the holes – and likely more by the time you read this. The September patch batch includes critical fixes for Internet Explorer and …
just had two colleagues family Windows PCs hit (unfortunately, successfully) by Crypto Locker style virus very recently. That implies very deep penetration, in terms of numbers, of criminal malware
do you seriously want ALL your important files to be 2048 bit ransom-ware hashed to
family.photos.jpg.ABC
myThesis.doc.ABC
businessPlan.xls.ABC. . . perhaps the private key can be bought back for $500/$1K?
PATCH, but remember to ensure keep everything 'valuable' updated on an unmounted remote drive too.
I think my separate h/w sandbox idea to only read S/MIME email on an £30-RPi2, with WWW access defeated; and only browse WWW on a Mint/Mac - without mail - is better than patching winstuff, but that's just my opinion!
"PATCH, but remember to ensure keep everything 'valuable' updated on an unmounted remote drive too."
In my experience Cryptolocker is delivered via email attachments, usually as a fake CV.exe or similar, and the only good remedy is either to educate people or lock the PC down. The latter option requires supervision if the users want this and that program installed and who's gonna provide it? And as even well educated people have fallen to Nigerian scam, well...
If the Cryptolocker was available to Macs and Linux systems (is it?) the stupid users would happily click away each warning and type their SU passwords when asked for.
Patching and backuping as you say is of course sound recommendation. Most (home) users just don't know how or otherwise just couldn't care less...
Hmm, we think one of the Crypto Locker attacks came from a fake microsoft "to view this video you need to update your version of Silverlight" pop-up, which was accepted by the user*, and a few minutes later they were presented with two text files, a list of the user files that had been ransomed and the TOR addresses to send the bitcoin payment to.
(*)The 'stupid' user, in this case the wife of a radio-ham and experienced computer user, accepted without question the "microsoft" update pop-up. Luckily, their home is a heterogeneous computing environment and many family documents on the networked Macintosh were unaffected by this version of the ransomware. (although versions can even encrypt Windows mounted drives - even in the Cloud!) Of course, there exist many zero-day exploits and backdoors even on the *nix OS's, but I haven't seen this urgent level of ransomware yet in the wild on these other OS's.
the S/MIME separated email handled by a Raspberry Pi2, was tested as an experiment and functioned very well, even using end-to-end encryption over gmail, would easily handle your suggestion that most attacks are by mail.
Why in 2015 should a (home) user who doesn't know how - risk losing all their digital heritage, online rights and perhaps £15K from a bank a/c , resulting from a single false click on a plausible phish attack email? I can assure you that they do care!
remove email from the desktop - bring back the Amstrad email phone - just DIY with an Rpi
Disk space is so cheap it amazes me that there isn't a popular OS or FS with built-in version-control that only be purged by the administrator. It would not only prevent friends and family coming to me with cryptolocker problems, but also with accidental deletions (usually done by overwriting).
"If the Cryptolocker was available to Macs and Linux systems (is it?) "
Yep - a lot of Synology NAS systems got hit a while back.
"the stupid users would happily click away each warning and type their SU passwords when asked for."
No password was required. Not even any user interaction was required, unlike the vast majority of Windows exploits.
Have you also patched your BIOS, hard discs' firmware and everything else? No? Go and do that now first and then come back and worry about OS patches.
Start at the bottom and outside and work up and in. That applies to all your gear. Actually, just be systematic and cover the lot: APs, routers, switches, PCs, NASs, VMware clusters, err iSCSI SANs and all the other usual home gear.
At work you'll already be doing this anyway ...
>>"Isn't the point of UEFI to make it extremely hard for the end user to do something like patching it?"
Really? I've found sticking a firmware file on any old USB drive and reading it off from inside the UEFI interface easier than the hassles I used to have updating BIOS. I also like the way it lets me back itself up and easily revert if there's a problem.
What part of updating it precisely are you having trouble with?
"Really? I've found sticking a firmware file on any old USB drive and reading it off from inside the UEFI interface easier than the hassles I used to have updating BIOS."
My old non-UEFI BIOS used to do both of these things. I'd have been surprised if UEFI didn't. BIOS updates have been safe for almost a decade - my BIOSs on 2 separate LGA775 motherboards (purchased ~2007) took a copy of the BIOS before writing the new one, and after a failed boot would restore it automatically.
It did the same with settings, if you changed something that borked it (overclocking), a secondary BIOS would realise it can't boot and revert the settings back to the last successful boot, no more whipping the case off and messing with jumpers.
Isn't the point of UEFI to make it extremely hard for the end user to do something like patching it?
No, its only real point is to make it harder to stick anything but Microsoft Windows on a PC. I am not aware of more than cursory examination of any other UEFI functionality. It was not hard to guess either: every time Microsoft starts to bang the "security" drum, it is a sure bet they're trying to hide something else they're doing, and the end user is unlikely to be the beneficiary of that something else.
I well understand that wait from Hell. "Is it done yet?" The 500 GB 5400 RPM HD just failed in my (way) out of warranty laptop. Replaced it with a very fast indeed SSD (was going into JBOD 12 TB array) and Windows 8.1U1 is not quite as maddening and the dual-core i3 is zipping along at far higher utilisation than before. A lot of rejigging the tiles and it's now a not very bright Winstep Xtreme in affect (sp intentional).
If I'd bothered to look, I could have replaced it long ago. Asus didn't have any factory seals anywhere. And wonder of wonders, I like it. This was my last ditch, meteor took out Fresno machine. Amazing in some ways what we're willing to toerate in our lappies. Seriously thinking about Winstep on it now as well as the 7 ult machine.
nothing new there. move along quietly and join the borg.
Actually if got google for KB3083324 you will see that it is the latest attempt to get Telemetry working and sending god knows what back to Borg Central. Oh, and it also targets Server 2012 systems so you server Admins out there have better be on your toes with your WSUS setup.
Perhaps we need someone to do something like what that letter that Taylor Swift wrote to Apple in order to get some action from MS?
Yes but I still have trust in that the updates too Libre/Open Office, Debian, and perhaps to a lesser degree Firefox, aren't out to sell my soul to the lowest bidder. With MicroSoft this is very much escalating to that point. I could care less about how they plan to address such updates from Windows 10 on. But, if continual use of Windows 7 is to become a game of chicken, or whack (the spyware), mole, with no end in sight. Then MicroSoft will have succeeded in removing me from Windows 7, and by that proxy 99.999℅ of the rest of their warez as well.
I really hope MicroSoft doesn't let it come to that....
Installed MS Windows 7 some time ago and all the problems I had with it were fixed once I disabled the security suite. It runs flawlessly without any anti-virus, firewalls or for that matter updates and patches.
Though I must confess, I have never ever allowed it to connect to anything, be it a USB stick, a network or the internet.
56 patches and another million easy instalments before it becomes fit for any other purpose than playing off-line, single player games.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
