So much conflict...
Backdoor. For good. Head explody want much.
A software developer whose example encryption code was used by a strain of ransomware has released the decryption keys for the malware. The unnamed software nasty scrambles users' files on compromised Windows PCs using the AES algorithm. It appends the .locked extension to the ciphered documents before demanding that victims …
Before you hand him kudos, how many legitimate uses for this code has he now exposed to attack?
And how many private systems has Utku Sen had access to that he shouldn't have had access to! It's not so much clean cut when it's "Turkish Hacker backdoored Crypto..." is it?
And has anyone actually verified any of this? i.e. that he isn't also the malware provider doing a self promotion? I'm always suspicious when two things coincide... i.e. malware Y uses crypto from X, X also happens to analyse malware Y and finds his code.
Or just coding a "try this to get a code" and not releasing the fact that it had a backdoor. That way it merely looks like you have cracked their private key rather than levering another route. Still obfuscation but it would mean the scammers would be in the dark a little longer.
"Backdoor. For good. Head explody want much."
It's not necessarily all good. Backdoors are easily removed from source code, especially now that everyone knows there is one there...
Perhaps instead of writing and publishing nearly-functional code to show how these things work, what would have been wrong with a PDF presentation? That would have been far harder to convert to a nearly workable ransomware.
What he's done is like leaving a mostly complete bomb lacking only a battery outside a battery shop with a sign on it saying "hey everyone, this is how a bomb is made, help yourself". And when someone's taken it he's got onto the local radio station and broadcast "it needs two AAs".
We'd all certainly wonder at the intelligence of someone who did that... There's no point making it that easy for the bad guys.
I also publish relatively weak encryption code. That's because I teach the subject, and the code is deliberately made simple to enable students to obtain a more complete understanding of the _principles_ concerning how it works. You wouldn't use my code for a security system any more than you'd use Minix for a practical production operating system. But that's not the purpose of "proof of principle" simplest possible teaching aids. Removing implementation weaknesses results in more complex code which is more difficult to create and understand. Anyone who uses my teaching purposed code to implement a security system without reading the documentation accompanying it deserves what they get. You can't have more secure systems without enough engineers being educated concerning how security works. If someone used my code to implement easily overcome extortion malware then I'd consider this highly amusing.
Yup, got an email today, pretending to have come from myself.
Mmmm ..... "Y'know, I don't remember sending this an hour or so ago to myself when I was driving home ... looks a bit phishy to me ...."
Turned out to be a blank email with an attachment. Said attachment turned out to be a zip file containing something .js
I was tinted somewhat suspicious.
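The "zip containing something .js" attachment in the post above is a common ransomware delivery wrapper, and it can be screened automatically before anyone double-clicks it. The following is an added example written for this thread, not code from the article or from any commenter: it builds a constructed sample archive in memory, lists the members whose final extension is a Windows-executable script or binary type (the extension list is my assumption, not something stated in the thread), and returns a quarantine decision a mail gateway or mailbox rule could act on.

```python
import io
import zipfile
from typing import List

# Extensions Windows hands to the script host or loader on double-click.
# Assumed list for this example; tune it to your own mail policy.
SCRIPT_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh",
    ".hta", ".ps1", ".cmd", ".bat", ".exe", ".scr",
}


def suspicious_members(zip_bytes: bytes) -> List[str]:
    """Return archive member names whose final extension is executable.

    The check uses the *last* extension so that "invoice.pdf.js" is
    still treated as JScript, which is how Windows treats it.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            if any(name.endswith(ext) for ext in SCRIPT_EXTENSIONS):
                flagged.append(info.filename)
    return flagged


def should_quarantine(zip_bytes: bytes) -> bool:
    """Quarantine if any member would execute when opened."""
    return bool(suspicious_members(zip_bytes))


def build_sample_attachment() -> bytes:
    """Constructed sample: a harmless note plus a double-extension .js member.

    The member content is placeholder text, not a real script.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "nothing to see here\n")
        zf.writestr("invoice_2019.pdf.js", "// placeholder, not a real script\n")
    return buf.getvalue()


def build_clean_attachment() -> bytes:
    """Constructed sample with only document-type members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.txt", "quarterly figures\n")
        zf.writestr("photos/holiday.jpg", b"\xff\xd8\xff")  # JPEG magic only
    return buf.getvalue()


if __name__ == "__main__":
    print("flagged:", suspicious_members(build_sample_attachment()))
    print("quarantine:", should_quarantine(build_sample_attachment()))
    print("clean archive quarantined:", should_quarantine(build_clean_attachment()))
```

Extension matching is only the first gate; a gateway that stops here still lets a nested archive or a password-protected zip through, so pair it with recursion into inner archives and a "cannot inspect, therefore quarantine" rule for encrypted ones.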
Ironically I attended a presentation on ransomware this week, much useful information was learned.
Namely never, ever pay them and ensure your backups are 3-2-1 including cold storage which can't be overwritten or changed.
Tapes are all very well until someone decides to take them home as mementos because they have failed the self test, resulting in 3 heavies + Fuzz turning up to the old geezer's house because their online backups got trashed by a cascading database fail.
hint: the data was recovered from that one lonely tape, fortunately saving the business.
Unfortunately that's far from the first ransomware based on eda2, including one trying to teach utku that you don't post a fully functional ransomware online and expect nothing to happen: