Could localised pattern recognition solve the password crisis?
Getting answers nearly right could be a way to detect unauthorised access. Security shibboleths can detect the right, and wrong people.
In The Great Escape, a Gestapo officer wishes Gordon Jackson’s character “good luck” in English as he attempts to board a bus. In A Book About a Thousand Things, George Stimpson says that during WWII, US guards used the word “lollapalooza” to spot Japanese spies amongst Filipino allies.
One problem with the internet is that anyone can set themselves up as an expert. There’s money to be made from convenient messages. Examples abound in nutrition and health, as well as many other areas.
Despite widespread public ridicule, such sites thrive and make their owners rich because they play into what people already believe. The tendency being exploited is called confirmation bias, and it can even exert enough power over us to compromise the online safety of entire nations.
Anti-Virus Conspiracy
Take this post from the Above Top Secret forum from 2008. The author began with the hunch that the biggest beneficiaries of malware are the anti-virus (AV) companies themselves. However, Google only returned stories explaining why this view on an anti-virus conspiracy was incorrect.
This raised the author’s suspicions. Did anyone else have any information?
The ensuing nine pages of comments were a tour de force of ideas, theories and claims, but a recurring theme was distrust. Many commenters simply don’t trust what they don’t understand, and they don’t understand computers or AV.
It took a few seconds to find similar examples from other forums, some dating back to 2005 and even 2002. There are many more and they usually cover the same ideas, but a common theme is still distrust. Compounding this, some commenters vaguely remember something about John McAfee once claiming to have written viruses to create demand for his first AV product, which of course proves everything.
That was a decade or more ago, but with phishing and ransomware now firmly in the public eye, the benefit of online protection will be obvious, right? Not necessarily.
Detection issues
In August 2016, the Daily Mail reported that some AV products can fail to adequately secure your computer. The research being reported actually identified the potential for man-in-the-middle certificate attacks. It’s something our own Simon Edwards wrote about in a more general context in his own blog over 18 months earlier.
As usual, the comment section of the Daily Mail’s report was far more revealing than the article:
And so on. Perhaps what’s most disturbing is that despite living in a world now publicly trying to cope with a grand cybercrime epidemic, such uninformed views are so mainstream. There’s even a certain pride to some of them.
The McAfee virus-writing story is also still doing the rounds. Mr McAfee hasn’t helped matters by claiming to have planted keyloggers in laptops he then gave away to government officials in Belize. But did he really write malware to create demand for his own AV software?
John McAfee, virus author?
In March 2014, McAfee went on the Alex Jones show to talk conspiracies (what else?). A caller asked if he was indeed responsible for writing early malware. Despite Jones talking over portions of his answer, this was the nub of his reply:
“There were at the time thousands of computer viruses,“ he said. “We could barely keep up with the viruses that were out there, so we certainly had no time to build new ones. It would just be a senseless thing to do. So I can categorically say, and you can talk to any of the McAfee employees that were there are the time, that thought never crossed anyone’s mind.“
Indeed, in his book Computer Viruses and Malware, John Aycock of the University of Calgary in Canada also points out that if AV companies really are writing malware and yet simultaneously failing to detect some of it, then what’s the point in all that effort being expended for zero gain? The anti-virus conspiracy is starting to look less likely…
So, how do you protect the distrustful, the misinformed, and even the downright cynical online? One solution is to do it automatically, but this demands that governments, their intelligence agencies, and the ISPs become involved in actively blocking malicious content. Public reaction to any such suggestion is predictably very bad.
So, we’re at an impasse. Despite their poor reputations, governments and the intelligence agencies they run are the only entities with the authority and capabilities to attempt to protect entire nations online. However, the tools they use are by their very nature shadowy, double-edged and closed to scrutiny. The public at large worries that policing cyberspace means the erosion of freedom and privacy. Nothing will convince us that this isn’t the start of a dictatorship or a new world order. Too much evidence of past lies and misdeeds confirms this deep-seated bias.
If the public won’t listen to the government, who will it listen to? Who is it listening to?
Something about the caller who asked John McAfee if he wrote early viruses keeps coming back to me. He seemed to remember being told something by “some old OSS guy“. This idea of an unnamed source vaguely remembered is a common feature of discussions where facts are scarce and conjecture runs free. It’s a feature of the threads I referenced above about the anti-virus conspiracy.
That being the case, maybe it’s down to us, as infosec professionals, to be those sources in future. Maybe it’s down to us to engage friends and family, to explain how cybercrime works, how it relies on them not protecting themselves, and what to do about it.
Block malicious scripts from running on your computer
Back in the salad days of early summer, JavaScript was usually employed to download ransomware payloads. Now, however, JavaScript is the ransomware. The reason is the direct nature of the attack. There’s no connection to a suspicious subdomain, no payload to download and no relying on the user to run a suspicious “upgrade“ to a Windows component. Simply open the email attachment promising unexpected riches and, to misquote the 1980s game Zero Wing, “All your file are belong to us“.
Block malicious scripts
By hiding the true nature of the file with a second, benign extension, JavaScript attachment attacks become even more likely to detonate. Spew millions of such emails from a rented botnet for a few days at a time, and then simply wait for the Bitcoins to come rolling in. It’s little wonder that ransomware gangs are setting up customer helplines for bemused punters queuing up to get their files back.
But surely your browser’s sandbox should contain any malicious JavaScript? Sadly, this is not so for JavaScript email attachments. JavaScript downloaded as part of a browsed web page is run in the browser. Email attachments are nothing to do with a web page. Double click them and they’re passed to the Windows Based Script Host, which is obviously outside the browser’s authority and control.
Open with a safe app
It is, however, very simple for you as an end user to stop JavaScript email attachments from automatically being accidentally run. Simply open notepad and create a new file. Save it as dummy.js. Notepad will complain about the extension, but continue anyway. Next, right click the .js file and select “Open With…“. As you can see from the image below, by default Windows will open all such files with Windows Based Script Host, which is what we need to prevent.
To do so, first click “More Apps“ and select Notepad from the list. Tick the check box for “Always use this app to open .js files“ and click OK. Now, whenever you absent-mindedly click on a JavaScript email attachment it will safely open in Notepad and display its bad self.
You can also selectively prevent the JavaScript downloaded as part of a web page from running in your browser. This gives you more control over your browsing experience and can speed up web page loading.
For Firefox, the go-to solution here is the NoScript plugin (which is the one I’m most familiar with). By default, NoScript blocks everything on a domain-by-domain basis. It’s easy and quick to unblock trusted domains as you go, while leaving all others (including those called by the primary domain) securely blocked. This not only serves as an extra line of defence, but also prevents some adverts from being displayed without sites accusing you of using an ad blocker. It’s also very interesting, and sometimes worrying, to see just how many secondary domains some of your favourite web sites rely on to deliver content.
How can we spread the word to users and stop the spread of ransomware?
According to a recent Herjavec Group report, profits from ransomware will spiral this year to over $1bn, and next year will see further explosive growth. The main vector for ransomware is always email. The reason is simple: Ignorance of the risks equals fat profits. It’s that obvious. The solution is to stop users clicking dodgy attachments, but how?
For the seeds of a possible answer, cast your mind back in the mid-1980s. As the AIDS epidemic hit the UK, the government’s response was a huge public awareness campaign. Everyone who was around at the time remembers “AIDS: Don’t Die of Ignorance“. There were TV and radio adverts, cinema and press adverts, and every home received a frank leaflet explaining everything. Cool new condom brands popped up almost overnight (pun intended). OK, since then, infection rates have risen, but the point is it seemed to help at the time, as the sharp dip in infection rates around that time implies.
Ransomware impact
Back to 2016, and according to Get Safe Online in the year to March cybercrime cost UK businesses over £1bn. The total figure will be much higher in the coming year due to ransomware. A recent Malwarebytes report claims that over half of all UK businesses have already been hit by ransomware. 9% were completely unable to function after the attack. Only 40% of those affected didn’t pay the ransom, so a whopping 60% decided to cough up.
If this is blindingly obvious to the cybersecurity industry, and to the pundits surrounding it, it should be equally apparent to the UK government and its advisors. But where are the hard-hitting TV and adverts and the leaflet campaigns aimed at the end user? After all, it’s the end user putting themselves and the companies they work for at risk.
Stopping the spread of ransomware
Ransomware awareness campaigns are happening, but they can be limited in scope. They tend to be targeted at individual sectors, and at C-level executives, rather than end users. Until public awareness changes fundamentally, ransomware will charge ahead at full speed, and so will the otherwise avoidable financial losses.
If this is a war, then the sky is black with metaphorical bombers. Can you imagine the outcry if, during WWII in Britain, people were unaware that they should not open their blackout curtains to look at the planes going over? Equate this to opening dodgy attachments to see what they are, and you begin to see the scale and seriousness of the problem.
Ransomware is a nasty category of attack that we’ve seen dominating the so-called ‘threat landscape’ in recent months. It can affect every type of computer user including home users, small businesses and even extremely large enterprises.
Anyone who stores valuable data on a computer is at risk of this digital extortion racket, which encrypts data files and offers the key to recovery for a hefty price.
Ransomware is a serious problem but protecting your data can be simple and inexpensive – if you choose your cloud storage provider carefully…
I know, I know. You were tired at the time and not really concentrating. You double-clicked an infected attachment and the world suddenly became a very hostile place.
Your files might as well be in Swahili. A ransom note, with a grasp of English you’d normally find endearing, is mocking you for your bad luck. If you don’t figure out what a Bitcoin is, and how to send one to a person whom you’d very much like to die a slow and painful death, you’ll lose everything forever. Or will you?
Ways to react
You could try to identify the exact strain of the exact family of infection, and see if a kindly anti-virus company or independent researcher has managed to figure out how to decrypt your precious files. If they haven’t, what then?
By now, any computer expert worth their salt should be saying, “Wipe the machine and restore last night’s backup.” Of course, the backups! Cloud storage will save us! But there could be a problem…
If your cloud backup service re-uses space, and has over-written previous backups with the newly encrypted files (which, after all, look just like a bunch of freshly updated documents that need to be backed-up), then technically there is no backup. So, Bitcoins and a seedy alley on the dark web it is.
If you’re busy, on the move, or have “non-technical” users to look after, you need backups that will both protect you from ransomware and take care of themselves. For safety from fire and theft, those backups also need to be stored off-site, which is why cloud backup services are ideal.
Defeat ransomware: track your files
However, rather than continuously and efficiently updating a single archive, the ransomware threat means that you really need a service that keeps previous versions of everything.
There are many online backup services that offer file versioning, and to the best of my knowledge, the following all provide it on their free plans.
Blaucloud includes a versioning app that will keep old versions of files until you run out of space.
CrashPlan allows you to set backup frequency and versioning frequency.
Cubby contains versioning as standard in the free plan.
Ransomware is a 21st century plague, fuelled by greed. How you respond to it is paramount, because not paying the ransom is possibly the only way that will cause it to fall from favour with criminals. Versioning online backups are one way of helping that happy day come sooner.
Why does software seem so insecure? Massive software companies seem incapable of fixing their products for any length of time. Is it their fault, or are they fighting a battle they can’t win?
At its core, Windows is the result of several decades of constant development. Despite this, Microsoft is still obliged to observe Patch Tuesday each month, when users receive the latest fixes to installed products. A large number of these updates fix security vulnerabilities.
Patching for security
This month, for example, Patch Tuesday includes 16 security update bundles covering in excess of 40 new security holes found in products as diverse as IIS, Microsoft’s web server, and the supposedly secure Edge browser. How can it be that this monthly ritual is still required? After all, it’s not like Microsoft is a small company caught out by sudden success, while trying to manage a huge ball of undocumented code. On the contrary, it is literally one of the biggest, best funded tech companies in the history of the planet.
Let’s take another case. Adobe’s Flash and Reader products are also mature, stable software. Yet black hat hackers love them as the gifts that keep on giving. This week brought news of yet another critical Flash vulnerability, which is already being exploited in the wild.
Complexity breeds bugs
The complexity of some software, despite its maturity, makes it vulnerable. It needs to be all things to all (wo)men at all times. In the case of Adobe Reader, every PDF document it loads must display perfectly, regardless of its complexity or the limitations of the software used to create it. Anything not explicitly forbidden is, therefore, permissible. Reader will always try to render the file you give it.
Such complexity leads neatly to a fundamental question: If companies such as Adobe and Microsoft can’t find all the exploitable bugs in their code, how come private researchers and black hats can?
Fuzzing for answers
The answer lies in a technique called fuzz testing, or fuzzing.
In his presentation to CodenomiCON 2010 , Charlie Miller showed that with a little thought, a few lines of Python code and some time, it’s possible to use fuzzing, in the form of completely random mutations to a file, to find a number of hitherto unreported and potentially exploitable crashes in Adobe Reader.
He took 80,000 PDFs from the internet and reduced that total to just over 1,500 based on their uniqueness from each other. From these files, he generated 3 million variations containing random mutations.
Sign up to our monthly business and personal security newsletters.
When loaded into Reader, these corrupted files caused crashes in over 2,500 cases. Miller showed that several crashes revealed exploitable situations, some of which were subsequently found, reported and patched by Adobe, but others were new.
Given that there are a total of 2 ^ NUMBER_OF_BITS theoretical mutations that can be made to a PDF, and the ease with which each mutation can be automatically evaluated, PDF readers alone should remain a goldmine for new exploits for some time. Meanwhile, there are many other programs and file types that can be also attacked with various fuzzing methods.
Tracking flaws
Bugtraq has been highlighting software vulnerabilities for years
Take a look at the Bugtraq mailing list archive and you’ll see what I mean. Every day brings a new crop of reports and proofs of concept for all kinds of software. In fact, another six were added while I wrote this blog post. Buried amongst the plethora of obscure libraries and applications are often complete howlers in major products. How are these bugs being found? In the case of closed source software, fuzzing techniques can be the primary tools.
Fuzzing comes in many forms, with some methods and frameworks being more intelligent and guided than others, but the aim is always to automate the discovery of exploitable bugs by finding situations for which complex software either hasn’t been tested or cannot be tested.
Death by fuzzing
You may be wondering why, with their wealth and resources, major software manufacturers don’t fuzz their products to death, as well as performing more traditional testing. The short answer is that they do, but due to the sheer number of possibilities and the time required, all they can do is fuzz as much as possible before the release deadline. The overwhelming majority of possible tests may still remain to be run by other, potentially malicious individuals and groups.
Security holes in software are not going away any time soon, so ensure that the security software you run is capable of protecting you. How? Checking out good anti-malware reviews that include exploit attacks such as ours would be a good start.
PayPal communicates with customers all over the world. But sometimes people pretending to be PayPal try to trick you. Luckily they don’t always do such a great job…
The FBI’s Joseph Bonavolonta had some shocking news about ransomware for Boston’s Cyber Security Summit last October. “To be honest,” he said, “we often advise people to just pay the ransom.”
Cyber-security blogs everywhere exploded at the advice, but a lot has changed in the past six months. A constantly-evolving array of ransomware campaigns roam free, “taxing” online life. One big problem is that there’s no way of knowing what the ransom payments are being used for.
Is the money funding a criminal’s easy life? The development of even worse malware? ISIS, perhaps? After further thinking the FBI is now telling people, “don’t pay the ransom”.
The question for most of us is, what happens if you don’t pay the ransom? To find out, we infected a specially-prepared Windows test system.
Infection time
When we test anti-malware products we find the latest threats that we believe affect most people. These are often automatic ‘drive-by’ attacks, that use exploits to install malware such as ransomware on victims’ computers without requiring user interaction. You just have to visit the site and the attack starts and runs to completion. No clicking required.
For this demonstration we exposed our target, which was not running anti-malware software, to an infected website. After a few minutes of apparent inactivity a pop-up message explained that svchost.exe needed to be installed. We clicked to accept the change and… Bingo! An infection swiftly ensued, turning all of our important files to gibberish and leaving them sporting the dreaded .crypt file extension.
In the background the malware also scanned the local subnet for any other unprotected file shares. This being a test network, there were none, but in a real situation every file you can access on your local network can also potentially be accessed by ransomware. Your movie collections or business files stored on a Network Attached Storage (NAS) device are definitely at risk.
This knowledge is vital when assessing the extent of an attack. If your smartphone is plugged in, it could be at risk. Your carefully curated media server could also be affected, as could your cloud storage.
Reboot!
Rebooting revealed the full horror of the machine’s plight. As soon as the Desktop appeared, so did a pop-up unexpectedly asking us to run an installation package. Running, cancelling or dismissing the installation always led to the same result: a ransom note displayed in both the web browser and Windows Photo Viewer. The note explained what had happened and threatened what will happen if we didn’t do exactly as instructed (spoiler: the price goes up!). It also contained a set of links to the data-nappers’ web site to read detailed instructions for how to pay.
Assessing the damage
The object of the exercise was to find out what would happen if I were to simply ignore the ransom note and carry on using the machine, so it was time to take stock.
All of our files had been turned to cryptographic porridge. However, the operating system still seemed to be running smoothly. Screen dumps of the ransom note could still be saved and read, as could the other documents we created, implying that there was nothing in the background encrypting newly-created files. The kidnapping part of the ransom operation was seemingly over.
Of course, there may have been a rootkit lurking somewhere, ready to spring into life if no ransom was paid after a certain date. To test this hypothesis, we set the system clock forwards several weeks and rebooted. Nothing new happened, but without running some forensic tests we’d never be sure. All that seemed to be left was the demand for money, triggered from the Startup menu every time we logged in. Deleting the relevant Startup entries stopped the ransom note from appearing, but that still left us with no way to access any of the encrypted files, and we couldn’t truly trust the operating system any more. Ransomware doesn’t have to hang around causing more trouble for its hapless victim. It’s done its foul work and the criminals behind the campaign simply had to wait for the Bitcoins to come rolling in.
Other than paying up, our only hope would be that a researcher or anti-malware company has developed a decryption tool for our particular infestation. The development of decryption tools, however, is causing some ransomware developers to revert to locking the entire computer rather than allowing you to see the locked files for yourself.
Don’t pay the ransom
The FBI is right to change its stance on ransomware. Paying up fuels the epidemic and the easy money is attracting criminals like flies around you-know-what. There are other reasons too. Don’t pay the ransom or risk breaking the law. You don’t know who the criminals are, and where they live. You could break sanctions laws.
The number of ransomware domains, according to reports, increased by 3,500% in Q1 of 2016 alone and the situation looks like getting worse. For example, in the past few days Microsoft announced the existence of a ‘ransomworm’ called ZCryptor. Its payload is contained within emailed Microsoft Office documents. Once delivered, it also installs itself on any USB devices it finds plugged into the victim’s computer and alters the autorun information on the device. It will then try to infect any system into which the USB drive is subsequently plugged.
10 ways to stay safe
As usual with online security, prevention is far better than trying to find a cure, but such measures only make sense if you take steps before the fact:
Install a good anti-virus product. Our reports show which are the most effective for businesses and home users. Our work is independent and we only test against current threats, which we catch ourselves in-house.
Educate yourself to treat everything in your inbox as a lie. Even if the sender is known to you, double-check with them before opening attachments.
Switch on automatic updates for all software, including Windows, your antivirus software, your browser, Java, Adobe products, etc.
Regularly download a boot-able rescue disk from your chosen anti-malware provider and let it run overnight to thoroughly examine your computer. Most rescue disks will boot from USB.
Never install ‘updates’ just because a website tells you to. This type of trickery is a very common infection vector for ransomware.
Consider installing a browser plug-in such as the excellent NoScript for Firefox to prevent JavaScript from automatically running from unknown domains without your explicit say-so. And consider disabling Java in your browser.
Don’t download cracked copies of commercial software, ebooks or media. Again, this is a very common infection vector.
Never use a USB drive you find in a public place. You simply can’t trust them or their content.
Ransomware will try to infect every share to which it can write. Only mount shares as and when needed, and always protect them with passwords. If you don’t need write access, mount as read only.
Above all, get into the habit of performing regular backups to removable media. For a home user, a backup is as simple as dragging and dropping a folder structure (and ejecting afterwards!) onto a freshly quick-formatted USB drive. Use two USB drives and swap between them.
I’ve seen a few ‘how to build your own security testing lab’ documents in the past, but many have struck me as being ‘what I would do’ rather than ‘what I did’. Here you can follow us building a security lab (literally).
Having gone through the process myself at least three times over the last 15 years I thought some people might be interested in seeing a series of photos on our new blog, taken while we were literally building SE Labs from scratch.
Archive of security product and service test results
Cyber Security DE:CODED Podcast
All of our podcast episodes and related content
About
SE Labs Ltd is a private, independently-owned and run testing company that assesses security products and services. The main laboratory is located in Wimbledon, South London. It has excellent local and international travel connections. The lab is open for prearranged client visits.
