This sounds familiar

Waaaay back in the early days of the #WeekendWisdom series, back at number 3, I talked about updates. I’ll have a link to that video somewhere on the social media post associated with this video.

The events of the last week has brought it back to me that this really is an important topic that we all need to be aware of.

What happened this last week?

Apple, earlier this week, released updates to its iPhones and Mac computers and watches that plugged a vulnerability which was being exploited by a surveillance software maker which literally all they had to do if they wanted to take control of somebody’s iPhone we’ll say, all they need to do is send a message to that phone and just when the phone receives the message, they now have control of it. The user of the phone did not have to do anything. So that’s pretty scary.

Also there was the vulnerability that I talked about in last week’s #WeekendWisdom. Microsoft have issued updates for that this week. So again, it’s really critical that if you have updates waiting on your Windows computer to apply them.

This is the reason why updates are important

You see the problem here is that when the likes of Apple or Microsoft issue updates, criminals go and take those updates, they look at them and they find out what exactly has been fixed in Windows or in the iPhones or whatever. Then they can figure out how they can exploit that, that vulnerability that was there that was fixed. If people don’t do the updates, the criminals can now exploit them, for those people who don’t, because there are quite a lot of people who don’t apply updates.

But it’s really important that you do.

So that’s it for this week. Lets be careful out there and we’ll talk to you again next week.

The post #WeekendWisdom 095 Why Updates are Important appeared first on L2 Cyber Security Solutions Ltd..

WannaCry is still circulating and affecting machines, but thanks to the kill switch discovered by @MalwareTechBlog, it is more or less neutralised now. Those machines still being affected must not be able to “see” the kill switch domain.

Here’s an interesting tidbit – Windows XP was NOT badly affected by WannaCry. There is a bug in it that meant it could not worm its way out of a WinXP box. Windows 7 was the biggest spreader of it, at 98% of the machines impacted, according to this graphic from Kaspersky:

So all of the furore about limited budgets causing legacy applications to be kept going, long beyond the Operating System support end-dates was something of a red herring. 

There were also rumours hyped by Heimdal Security last week about a kill switch free version of WannaCry (which was called Uiwix) that was going to be the end of times for the internet. It seems that they slightly over egged that pudding as only a single trace of it was found.

Despite what experts in large security firms might still be saying, WannaCry did not spread through e-mail as an attachment or a link. They were probably confused by the fact that just the day before WannaCry hit, a new Ransomware variant called Jaff came out, which did use e-mail as a vector. WannaCry was a worm and it did all the infecting all by itself.

Finally, the evil doers haven’t made much in the way of Ransom money. It seems that so far they’ve only made a little over $90,000.

Here a short video from myself with some tips on how you can protect yourself from Ransomware. Enjoy.

Of course these tips are included in our Ten Commandments.

The post WannaCry no more. At least for now. appeared first on L2 Cyber Security Solutions Ltd..

This story is going to disappear from the news headlines fairly quickly, as there is nothing massively new or worrying coming out for the moment, so we’ll probably be back to normal by next week.

What is Ransomware?

Ransomware has been around for a good few years. Earlier versions were fairly rudimentary, as they only prevented the victim from using their PC and were easily mitigated. The term itself comes from the techie habit to combining words and in this case it is a combination of Ransom Software.

It normally spreads by e-mail attachment/link or a poisoned web page/online ad. If you open the attachment or click on a poisoned ad, a little piece of computer code executes, which downloads the actual  ransom software from the internet. This software then generates an extremely complicated “key”, which is used to scramble the data contained in your files (documents, spreadsheets, photos, videos, databases, etc.). It will carry out the scrambling on any drive that the PC running it can see (so hard drives, network drives, external drives, USB sticks, cloud drives, etc.).

A screen is popped up advising the victim about what has happened and provides instructions for how they can pay the ransom in order to get the “key” to unlock and recover their scrambled files. In some cases the “key” is stored on the evil doers servers, so if the victim does pay, they will be given the key and will be able to get their files back. There may even be a helpdesk telephone number which you can call to get assistance on how you can pay. This is usually because not everyone knows how to go through the cumbersome process of acquiring BitCoin … “Ah here! WTF is BitCoin?” I hear you cry! ? Basically BitCoin is a virtual currency, which is untraceable and that’s why the bad guys like it.

If the victim does get their files back, there is a good chance that the crooks will leave behind a “present”, which will wait a few weeks, then execute on it’s own and scramble the files again. The victim paid once, so there is a good chance they will do it again. However there is also a high probability that paying the ransom won’t mean you get your data back, as you might never get the key from the bad guys.

So that’s a very brief outline of what Ransomware is. In the last 2 years, it has become extremely prevalent. Over 50% of evil email contains some form of Ransomware.

What was special about WannaCry?

What made WannaCry special was the fact that it spread all by itself. It did not require anybody to click on a link or open an attachment. This is what technical types call a “worm”. What it does is it finds a machine on the internet that has a specific vulnerability which it exploits and loads itself into that machine, scrambles the data and then looks for more machines to infect on the local network, as well as on the internet.

My most avid readers ? will remember back in a March post, I discussed the Microsoft Patch Tuesday was a double month, because there had been none in February. Then in an April post, we found out why there was secrecy around the previous month’s patching. The US’ National Security Agency (NSA) had their hacking toolkit released to the internet and Microsoft had spent February urgently patching vulnerabilities that the NSA toolkit exploited.

Which brings us neatly to WannaCry. The evil doers used one of the NSA tools to have their ransomware scan for machines that are vulnerable to a specific exploit and then infect any such machines it finds. Microsoft has issued the patch for this vulnerability in March however it was only issued for the versions of Windows that they still support (Windows Vista, 7, 8.1 and 10 as well as a bunch of server operating systems). Anybody running a Windows XP or 8.0 machine would be vulnerable. The British NHS still has a lot of Windows XP machines and these were the ones that got all of the attention when thousands of them became infected causing surgeries, diagnostic procedures and clinics to be cancelled as a result. In fairness to Microsoft they did subsequently release the patch for the unsupported versions of Windows, which will prevent this attack vector being used in future.

It started circulating on Friday 12th May, and by Saturday it was very widespread, so much so that it grabbed a lot of media attention. This is where it get my first problem – advice from newspaper “Tech” journalists. I’ll possibly get stick for this, but most of them are nothing more than shiny gadget reviewers. They don’t actually truly understand the underlying technology and just parrot “don’t click links”, “patch your software”, etc. While that is good advice, I then see them giving inaccurate reportage like “this was spread by somebody clicking on a link”. No it wasn’t! That’s not how a worm works!!! ? … On a related matter, which I think is hilarious … the shiny gadget reviewer on Ireland AM on TV3 gave better advice than any “Tech” journalist I’ve read this week. ?

My second problem was advice from “Experts” from larger cyber security firms. In the last few days I’ve heard two such experts (from different unnamed companies) say the same thing as the “Tech” journalists, except they made it worse by saying “this worm was spread by somebody opening an attachment.” THAT IS NOT HOW A WORM WORKS FFS!!! ?

My third problem is with technology vendors that try to capitalise on the fear, uncertainty and doubt (FUD) that was present in businesses across the globe on Monday morning. Coming out with nonsense like, “Our Whizz-Bang product will fully protect you from WannaCry.” as Mrs. Brown is known to say “That’s nice.” See below for some simple steps on how you can protect yourself, that is available for free and for nothing.

There are a lot of small to medium-sized, independent security consultancy firms out there that have been giving excellent, accurate and timely advice. These are the ones you should be listening too. They are staffed by people who actually truly know what is happening. I’d like to think I’m also in that category as I don’t state something unless I know it to be a fact. If I don’t know something, I will say so and will go and educate myself.

The spread of WannaCry was stanched by a Cyber Security blogger in the UK (@MalwareTechBlog) who discovered that if a certain internet domain name was registered and active, the worm would not carry out it’s scrambling and scanning function. This was a great help to the world, which has led the young man to be hounded by tabloid newspapers. There you go – no good deed goes unpunished. ?

There is one aspect about this, that I’ve only seen mentioned once. What if the culprits behind this didn’t use Ransomware as the payload? They used the NSA tools to scan the internet for the vulnerability that allowed them execute something on hundreds of thousands of PCs. They chose Ransomware, which kinda gets in your face when it has done it’s dirty deed. What if they chose keyloggers (software that logs all key presses – used for stealing passwords) or other surreptitious, stealthy, spying software? We might never have realised there was something afoot. ?

There’s talk that it was the North Korean’s what did it! Is that interesting? … Maybe. I would have thought they might have preferred the stealth route, but their leader might have had other ideas.

How do I protect myself?

This is the insanely easy bit, believe it or not. All you have to do is follow 4 of my 10 commandments:

• Commandment 1 Keep all software up-to-date with automatic patching/updating
• Commandment 2 Use and keep up-to-date Anti-Virus software
• Commandment 4 Take regular backups of all your data and test that you can restore.
• Commandment 5 Ignore email from strangers and be careful of email from friends, family, co-workers.

Do those few things and you shouldn’t have to pay any ransom to anybody, because if 1, 2 and 5 fail you (for whatever reason), then 4 will recover you. ?

Let’s be careful out there!

The post Do you WannaCry? I didn’t think so. appeared first on L2 Cyber Security Solutions Ltd..

Well for the most part§ it turned into “not much to see here, move along”. Yes, these NSA hacking tools were released to the internet for anybody with evil intentions to use them on the innocent. Yes, they are highly effective. Yes, they can let hackers break into your computer.

But you follow my first commandment don’t you? You keep your Windows (and other software) automatically updated, don’t you? If so, then you’ll be fine … nothing to see here, move along … these NSA hacking tools are nothing to concern yourself with.

§Now, this is where the earlier reference to “for the most part” gets some clarity. If you are running Windows XP, then you are at extreme risk of probably every tool that was released by Shadow Brokers. Microsoft patched the vulnerabilities in their supported operating systems (so Windows 7, 8.1 and 10) that all of the hacking tools exploited, except for three. The tools that were named “EnglishmanDentist”, “EsteemAudit”, and “ExplodingCan” are the only ones that Microsoft didn’t bother with as they only affected earlier versions of Windows which Microsoft no longer support (Windows XP or Server 2003 anyone?).

So if you are still an XP/2003 user, you’ve got a pile of evil-doers, with access to at least 12 hacking tools which the NSA created and they can come and compromise your PC/Laptop/Server! ? It’s that simple, you really need to move off XP/2003 for your own good. If you can’t upgrade, then get the XP/2003 thing off the internet so you can’t be compromised. ?

Some of you may recall back in March, I talked about how Microsoft offered no patches in February and then here was a double lot in March. Microsoft were pretty tight lipped about why this happened and most of the speculation was around problems encountered with the way they were changing their method of delivering updates.

Welllllll … it would seem it was much more likely that is was to do with the NSA giving them a low-down on the vulnerabilities that they knew were about to be revealed and exploited by the bad guys and so Microsoft put the head down and got on with fixing these “secret” vulnerabilities. ?

There were also some tools released which enabled the NSA (the US National Security Agency) to monitor some service bureaus used by the SWIFT inter-bank payment network. This mainly targeted middle-east bureaus, but it’s possible this could be expanded. This is something for the SWIFT network to address and there is likely nothing you can do about this. ?

Let’s be careful out there!

The post Hackers released NSA hacking tools … World continues to turn ?. appeared first on L2 Cyber Security Solutions Ltd..

So what happens?

You get an e-mail from somebody with a Word document attachment (specifically a rich text format or RTF type document, but it has a .DOC file extension). If you open this file, there is something embedded in the it which causes Word to send a request to a remote server, which downloads some nasty program code to your machine. It then pops up a fake document for you to see, so you think nothing suspicious is going on. Meanwhile in the background the malware continues doing whatever evil work it’s creators have decided it should do to you. Quite likely it will execute Ransomware which will scramble all your files and charge you money to get them back.

If you didn’t follow Commandment 5 and opened the document (just out of curiosity of course ?), then I pray you at least adhered to Commandment 4 and had a good backup of your data which you can recover from.

This vulnerability affects all versions of Word up to and including Word 2016 running on all versions of Windows up to and include Windows 10.

So, it’s really quite simple. Please follow Commandment 5 and do not open attachments or click on links in e-mails from strangers. Also be very wary of e-mails from friends, family or co-workers that are, even slightly, out of the ordinary. Pick up the phone and ask them if they did send you that e-mail.

FireEye, a security company, had been working with Microsoft on this vulnerability, which may or may not be patched in tomorrow’s Patch Tuesday. However McAfee made the vulnerability public last Friday and so the cat is out of the bag. Some might say that it was reckless of McAfee to do this, but they noted that attacks have been occurring since January and if Microsoft were not to patch this bug tomorrow, then that could mean another month without a solution. So I’m inclined to leave them off with this on that basis.

So at the end of the day, have a read through my Ten Commandments of Cyber Security. If you follow even half of them, you will be a much more secure than following one or none of them.

The post Really – Don’t open that Word attachment! It is malware. appeared first on L2 Cyber Security Solutions Ltd..

Me? I was in my office and carrying on about my business as I always do, whether it’s Patch Tuesday or not. The fact that it is a regular occurrence, means that it has become a mundane and expected part of our daily digital existence. For this reason, and this reason alone, is why last month’s absence of a Patch Tuesday is of great concern to security professionals like myself.“I got updates on Windows last month!” I hear you cry. So did I, but it was only for that disgrace of a piece of software that is Adobe Flash Player.

What we were missing were a number of patches for Microsoft’s various software that we have installed on our desktops, laptops and servers. This was the first time in 14 years that they skipped a month and they did so without providing us with any indication of what the problem was.

So in March 2017 Microsoft fixed 135 vulnerabilities across their software estate, which is pretty freakin’ big. The number of vulnerabilities though is only a small part of the serious problem that us concerned security folk have with Microsoft. One of the critical vulnerabilities that was patched on the 14th of March was a flaw that was publicly disclosed on the 2nd of February. This meant that the evil doers would have been attempting to exploit the vulnerability for nearly 6 weeks … which is an aeon in a hacker’s world.

Now, we can’t take umbrage at the fact that Carnegie Mellon University revealed the existence of the vulnerability in February, which had been discovered last year. Microsoft were notified about it and so an expectation that they were going to fix it in February 2017 was reasonable. However, something went awry with the whole month-worth of patches and so a lot of people were exposed for a very long period of time, which is really inexcusable.

I preach to people, telling them they need to keep their software and devices up-to-date. Then M$FT go ahead and make a mockery of the arrangement.

The post Patch Tuesday on the double. appeared first on L2 Cyber Security Solutions Ltd..