
Ransomware: the never-ending story

Posted by Austin Morris on UTC 2017-06-16 11:21.

Another day, another ransomware attack. This time not WannaCry and not spread through publicly exposed file-sharing ports. Just a web page, possibly with a click-away popup that executed the malicious code on the user's machine, or possibly just a link to that page in an email. The situation is not completely clear at the time of writing.

The victims are not just any users, either, but the great brains in University College London (UCL), which also happens to host one of the leading computer science faculties in the UK.

It was thought at first that around mid-day on Wednesday 14 June a number of people in UCL each opened an email and triggered the ransomware payload carried in an attachment. The infection spread from there and encrypted a number of local and network drives.

It now turns out that the infection was started by one or more users visiting a website that had been compromised; just visiting the site may have been enough, or visitors may have had to click on a link or dismiss a popup. The link to this website seems to have been distributed via email.

Fortunately the sysadmins seem to have been quick off the mark and shut down the system, thus preventing a catastrophic spread and enabling an orderly recovery (although some data will have been lost). Despite the apparent rapid response by UCL, the consequences of the attack were not trivial. They are still being tackled two days later.

We can only assume that UCL has top people running its system and that it has state-of-the-art virus detection that would be expected to block the execution of a malware package, whether from an email attachment or a browser. How did this happen, then?

Either because of simple incompetence – the antivirus system was not loaded with the latest definitions – or because the malware was as yet unknown to the antivirus system, in which case it will pass all checks. This phase of initial ignorance is the Achilles heel of all antivirus software. Only after the malware has spread to enough victims and has been identified by the producers as a threat, analysed and its 'signature' put on the blacklist used by the antivirus software are users finally protected – assuming, of course, that they have kept their antivirus software up to date.

The UCL report on the incident suggests the latter, of course, but goes on to talk darkly of a 'zero-day attack'. The very use by UCL of such nonsensical terminology points us back to incompetence as the reason for the failure.

A 'zero-day' exploit or vulnerability is a security weakness in a piece of software that has just been discovered but not yet fixed. From the moment of its discovery the clock is ticking for the authors of the software to issue a patch that removes the vulnerability. We might change the rather peculiar term 'zero-day vulnerability' into 'known but unpatched vulnerability', to make it completely clear.

What the incompetents at UCL really mean is '[t]he virus checkers did not show any suspicious activity', which really has nothing to do with zero-day attacks. The infection is just a malware mutant with a new signature that was invisible to their virus checkers. If this really were a 'zero-day attack', alarm bells should be ringing throughout the computer world.

Such muddled thinking means that our assumption that UCL has top people running its system seems to be wrong.

Lessons learned

Time to repeat the key lessons from our piece on WannaCry:

  1. Back up your data to offline storage frequently. That is your only serious form of protection.
  2. Don't rely on anti-virus software: it protects you against historical malware, not new attackers.
  3. Be suspicious of all emails and extremely suspicious if the email contains links (any links at all) and/or attachments.

Website-launched malware

If you surf on the wild side of the web you are at great risk from malicious websites. But even legitimate websites can be compromised without their owners' knowledge. You don't necessarily need to do anything specific to be infected.

If there is the slightest doubt, before you click on a link hover over it and check the real destination, usually shown in the browser's status bar. Surely every browser user knows by now that the text of the link displayed on the screen has no necessary relationship to the destination of the link.

Never click on a link that runs a JavaScript program. About 20 years ago web designers liked to show how smart they were by handling links and navigation with JavaScript code. A few idiots and some elderly websites still do this, though.
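As an added illustration of the two checks above (not part of the original post): a small JavaScript classifier that does what hovering does by hand, flagging links whose href runs JavaScript and links whose visible text looks like a web address but whose real destination is on a different host. The function names and the sample anchors are constructed for this example.

```javascript
// Added example, not from the original post. Each anchor is { text, href }:
// the text is what the page shows, the href is where the link really goes.

// Hostname of an http(s) URL, or null if it is not a navigable web address.
function hostOf(urlString) {
  try {
    const u = new URL(urlString);
    if (u.protocol !== "http:" && u.protocol !== "https:") return null;
    return u.hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Verdicts: "script"   - href runs JavaScript instead of navigating
//           "mismatch" - visible text looks like a URL but the real host differs
//           "ok"       - neither of these two checks fired
function classifyLink(anchor) {
  const href = anchor.href.trim();
  if (/^javascript:/i.test(href)) return "script";
  // Does the visible text itself look like a web address or bare domain?
  const m = anchor.text
    .trim()
    .match(/^(?:https?:\/\/)?([a-z0-9.-]+\.[a-z]{2,})(?:[\/?#].*)?$/i);
  if (m) {
    const shownHost = m[1].toLowerCase();
    const realHost = hostOf(href);
    // A subdomain of the shown host (docs.example.org for example.org) is fine;
    // anything else, including a lookalike that merely contains the name, is not.
    const sameSite =
      realHost !== null &&
      (realHost === shownHost || realHost.endsWith("." + shownHost));
    if (!sameSite) return "mismatch";
  }
  return "ok";
}

// Keep only the anchors the two checks consider suspicious.
function findSuspiciousLinks(anchors) {
  return anchors
    .map((a) => ({ ...a, verdict: classifyLink(a) }))
    .filter((a) => a.verdict !== "ok");
}

// Constructed sample anchors (hypothetical sites, .invalid is reserved).
const SAMPLE_ANCHORS = [
  { text: "www.example-bank.com", href: "http://login.example-bank.com.attacker.invalid/" },
  { text: "Read the full report", href: "javascript:openMenu()" },
  { text: "https://www.example.org/news", href: "https://www.example.org/news" },
  { text: "example.org", href: "https://docs.example.org/guide" },
];

for (const a of findSuspiciousLinks(SAMPLE_ANCHORS)) {
  console.log(`${a.verdict}: "${a.text}" -> ${a.href}`);
}
```

The first sample is the classic trick the hover check exposes: the real host only contains the bank's name as a prefix of a quite different domain.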

There is a current plague of displaying popups that nag users to subscribe to emails, sign up as a registered user or buy t-shirts or coffee mugs, particularly on US websites. This practice is not just annoying but foolishly dangerous.

Except for the most credible popups, never assume that the cancel button or even the X at the top right will do what they are supposed to. Some wicked sites even display the popup as a modal window, which means that nothing more can be done in the browser until you have clicked the response. The only escape is to open Task Manager by right-clicking on the taskbar then terminating the browser completely. Task Manager is your friend.

An up-to-date antivirus program may save you, but don't bank on it. The only reliable solutions are the three listed above.