


You have probably seen news of businesses and institutions being attacked by ransomware, and having to pay tens of thousands of dollars to get rid of it. Names like CryptoLocker, Fusob and WannaCry have floated by. But, what is ransomware? How does it work? How can I avoid being stung?

Simply defined, ransomware is a specific type of malware that denies its victims the use of their data until a ransom is paid.

Ransomware attacks typically operate as follows:

  • The trojan is installed on the victim computer system
  • It collects a list of the files it can access that it will encrypt
  • It contacts a central server, operated by the attacker
  • The server generates a unique encryption key for that victim, which will be stored on the server and sent to the trojan program on the victim machine
  • The trojan encrypts the targeted files using that key. In modern examples, this encryption is quite strong
  • Once the encryption is complete the trojan destroys its local copy of the key
  • The trojan then communicates to the victim that the files have been encrypted
  • It offers to provide decryption after a payment is made, usually within a fairly narrow time window.

Ransomware gains access to victim machines through the usual malware routes: users click on dodgy links in email, or open malicious file attachments. Web pages or banner ads that have been compromised can provide “drive-by” downloads of all kinds of malware. Whereas other malware may join victim computers to botnets, get them to start mining cryptocurrency, or participate in distributed denial-of-service attacks, ransomware has the simple goal to get money to its operators immediately.

The files that ransomware encrypts are usually documents and spreadsheets, images, music and video files, HTML and source code files, and ZIP archives. Ransomware does not typically attack the other software on the system. Thus, a victim’s copy of Office and Photoshop may be undamaged, but all their work in those systems will be unusable. Also of note: most ransomware encrypts files on all available network shares as well as the local disk. So a small office can be wiped out from just one infected computer, since small offices often only have a single hierarchy of file shares and everyone can get to them.

If implemented well — and it frequently is — the server-to-trojan protocol of generating a key, encrypting with it and then discarding the local copy of that key is extremely difficult to crack. When a business confronts a ransom demand, often the cheapest way to get back into operation is to pay the attacker. Despite all the larger reasons that this is a horrible idea, the equation of paying $X to get the decryption key against a possible $X00 to $X000 to recreate all the data makes the decision to pay a no-brainer. The sole glimmer of good news here is this: the vast majority of attackers, when paid, actually provide the key and allow recovery of the data. In some cases, they have even provided technical support to assist “customers” having difficulty doing the decryption. Why? If they do not keep up a reputation for providing what is paid for, the “market” will stop paying them and seek alternate means of recovery. And they just want the money.

There is one strong defense against ransomware: backups. The backups should be as current as is practical. Real-time backups are ideal but not always feasible. But if a business is only facing the prospect of recreating one or two days of data as opposed to weeks or years, then a decision not to pay off criminals becomes much more reasonable. To be safe from the encryption of a ransomware attack, backups should be stored somewhere that is not constantly connected to the main systems, or in any case not accessible as a normal file share. So if you run a backup system in the office that places all the backups on a server, do not also use that server to host file shares.

With good recent backups in hand, the strategy for responding to a ransomware attack is much less stressful: clean or re-image the machines affected, restore the data, get back to work. As I am fond of saying, security, done correctly, is almost boring.
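As an added example, not part of the original post, here is a small Python helper for the restore step above: it picks the newest backup that is safe to restore from, on the assumption that a snapshot taken after the encryption began may already contain encrypted files, and that a snapshot sitting on a server reachable as a normal file share was encrypted along with everything else. The `Snapshot` type and the sample data are constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Snapshot:
    taken_at: datetime
    offline: bool  # True if stored somewhere NOT reachable as a normal file share


# Constructed sample: nightly backups for a small office. The last two went to a
# server that also hosts the shared drive, so the trojan could reach them too.
SNAPSHOTS: List[Snapshot] = [
    Snapshot(datetime(2017, 5, 8, 2, 0), offline=True),
    Snapshot(datetime(2017, 5, 9, 2, 0), offline=True),
    Snapshot(datetime(2017, 5, 10, 2, 0), offline=True),
    Snapshot(datetime(2017, 5, 11, 2, 0), offline=False),
    Snapshot(datetime(2017, 5, 12, 2, 0), offline=False),
]

# Constructed: modification time of the earliest encrypted file found on the share.
ENCRYPTION_STARTED = datetime(2017, 5, 12, 9, 30)


def last_clean_snapshot(snapshots: List[Snapshot],
                        encryption_started: datetime) -> Optional[Snapshot]:
    """Newest snapshot that both predates the first encrypted file and was
    stored offline. Anything newer may hold ciphertext instead of data, and
    anything reachable as a file share is assumed to have been encrypted."""
    candidates = [s for s in snapshots
                  if s.offline and s.taken_at < encryption_started]
    return max(candidates, key=lambda s: s.taken_at, default=None)


def data_loss_window(snapshots: List[Snapshot],
                     encryption_started: datetime) -> Optional[timedelta]:
    """Amount of work that must be recreated after restoring from the last
    clean snapshot, or None when no clean snapshot exists at all (the case
    where every backup lived on a connected share)."""
    snap = last_clean_snapshot(snapshots, encryption_started)
    if snap is None:
        return None
    return encryption_started - snap.taken_at


if __name__ == "__main__":
    snap = last_clean_snapshot(SNAPSHOTS, ENCRYPTION_STARTED)
    print("restore from:", snap.taken_at if snap else "no clean backup")
    print("work to recreate:", data_loss_window(SNAPSHOTS, ENCRYPTION_STARTED))
```

With the sample data the restore point is the 10 May snapshot, about two days of work to recreate; if all five snapshots had been on the connected server, the helper would report that no clean backup exists.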

Ads Just Keep Getting Worse

“Relevant” is the ad industry’s current excuse for all the spying, tracking and intruding on our lives that they are currently tormenting us with.

Good NYTimes article through here – click!

They “need” to suck down every aspect of our personal lives and habits and idle thoughts… so they can show us better sneaker ads. Sneaker ads that creepily show up the minute we register to run in a 5K. Or walk past a Foot Locker.

This is why I block all ads, everywhere on the Internet. I was reading the descriptions of what it’s like for people experiencing this kind of ad stalking and I have to admit: I can’t relate. I experience exactly none of it. And I’m glad.

When media websites grouse at me for running an ad-blocker, I mentally respond, well, make the ad experience less hideous. Make it less of a personal violation. Wipe out the malware. But these things, they will not do. Instead, they scold and threaten. So if a site still won’t allow me to proceed without white-listing it in my ad blocker, fine. I move on with life.

And oh yeah… if you think it’s not getting worse… the New York Times article linked above mentions ad-blocking as a possible course of action. Not too long ago, that was a glaring omission.

And the creepiest of all, the mother lode of creepy, is Facebook. #DeleteFacebook!

Anyway. Get uBlock Origin for all your PC browsers. Brave for mobile, and add Better Blocker for iOS. The mobile solutions aren’t as comprehensive as the PC, but they are the best I’ve found so far.

What’s Missing?

What’s missing from this pretty-good article?  Give it a read, but the TL;DR is that a NY Times cyber-security writer tells us what she does to make herself safer online.

It includes everything I do, and a few things I don’t.  But there’s one crucial item missing.


It’s not hard to figure out why ad-blocking is left out of a NY Times online article.  But I will say that until the publications who pay for it exert some pressure on the ad networks to clean up their act, I will continue to block ads 100%.

If they refuse to let me visit, I will gladly go elsewhere.

I predict that the publications will never do this, because the cost of ad-borne malware is a complete externality to them.  They never feel the tiniest pinch.  They leave that to us.


Why I Block Ads. Everywhere.

Advertising supports a lot of the content you enjoy on the Internet.  The economics of it should be simple.  An advertiser pays a certain amount to get a commercial message in front of many readers or viewers.  Some percentage of those viewers make a purchase.  When enough revenue comes back to the advertiser, the ad is a good investment: returning more in margin to the business than it cost to produce and place.  In practice it’s a lot more complex than I state here, but the backbone of advertising remains just that simple.

This simple idea has recently started to create problems of the sort that show up in the Safer Computing inbox.  Advertisers realized that a digital advertising message can be a lot more than a picture with words or a short film to watch.  This means you can experience web pages with ads that are mini-games, ads that follow you around a page as you scroll, ads that follow you from page to page as you browse, and more.  

You may also be aware that ads make and store all sorts of inferences about you — inferences they gather from what goes on in your browser and on the rest of your computer.  These inferred personal profiles are scooped up by data brokers and packaged to be resold to other marketers.  That’s supposed to be done in enough volume to make each individual profile impossible to identify.  But recent research has shown that, with so many different data points being collected, working backward from a large “anonymized” data set to reliably identifying individuals is far easier than anyone suspected.  Yet, without enough different data points, the package is not attractive to marketers.  It will not find a buyer.

Another very disturbing trend in advertising is the enormous number of computer virus and Trojan infections that the ad networks now make possible.  Remember that the ads are more than just pictures or films; they have all kinds of sparkly interactive features.  They dance, they sing, they explore the bleeding edge of being so annoying that you want to throw the computer out the window and go for a walk instead.  And how do they accomplish these things?

Every one of those ads is a small program that you have half-consciously invited to run on your computer.  Your browser was instructed to bring these programs along with the content you wanted to see.  The intent of these programs appears to be delivery of a commercial message — but other functions are often hidden there.  Viruses delivered within web ads have infected hundreds of millions of computers around the world with everything from botnet spam clients to ransomware.  The websites that deliver these ads don’t often know what they are sending out; they simply allow ad networks to deliver whatever they like within broad guidelines and accept the payments for what is passed along.  The networks that aggregate and place these ads do not have the resources to check out all the ads they deliver, from what may be thousands of sources.  What’s worse, they don’t have the incentive.  With enough layers of middlemen, there’s nowhere for liability to land.

With all that to consider, I decided a while ago that I would block ads everywhere I could.  There are two counter-arguments to blocking ads I did consider.  One is, how will I support the websites whose content I am enjoying?  Simple: I actually become a paid member or supporter of any sites I read frequently enough.  Some sites I visit for the first time say they won’t serve me content unless I disable my ad-blocker.  Fair enough, I say, and click away to find a similar item elsewhere.

The other counter-argument is, how will I learn of cool new products or services I might want to try?  Since I was never one to find such things through ads, I consider this a small loss if any.  But the truth is, I check out new things that are any larger than tiny impulse buys at recommendation sites like Wirecutter, Sweet Home or Consumer Reports.  I prefer unbiased comparative reviews to advertising content, for decisions to purchase.

My current ad-blocker of choice is uBlock Origin by Raymond Hill.  It’s a very low-profile browser add-on for Firefox, Chrome or Opera. I say “current” because my choice has changed a few times recently.  Other ad-blocker providers have gradually been seduced by money and become ad networks in themselves, serving what they call “safe” or “white-listed” ads.  Their users have had varying levels of choice about this, from “a little” to “none.”  With uBlock Origin, so far so good.  If things change, I will add an updated recommendation in this space.

This article first appeared in The Empty Closet.

WannaCry Defense

As with all ransomware, the defense is simple:  Backup, backup, backup.  The fresher your backups are, the less work it will be to reconstruct your data and the less temptation you will feel to pay the criminals.

Backup, backup, backup.

Microsoft is blaming the NSA, and the NSA is blaming Microsoft.  A pox on both their houses.

Backup, backup, backup.

Anti-virus can’t help you until the vendors catch up, and can’t help you again once the malware starts to mutate.

Backup, backup, backup.

Someone found a “kill switch”. By accident.  Uh-huh.
Trust that, do you?

Backup, backup, backup.