We Left the Internet Vulnerable to Hackers. Now We’re Paying the Price.

By | IT Blog, news, Security | No Comments

On the day (perhaps not long from now) when the entire internet crashes, no one will be able to say that we didn’t see it coming. The denial-of-service attack on the morning of Oct. 21—which shut down Twitter, Spotify, Netflix, and a dozen other websites—offers a preview, in miniature and against relatively trivial targets, of how the day of doom might unfold.
Fred Kaplan

Fred Kaplan is the author of Dark Territory: The Secret History of Cyber War.

In the attack, someone (identity as yet unknown) flooded Dyn DNS—a New Hampshire–based firm that operates as the internet’s switchboard—with so many online messages that its circuits overloaded, shutting down not only its own services but those of the other sites as well, at least for several hours.

The weapons amassed for this attack were, literally, toys—baby monitors, music servers, web cameras, and other home devices that connect to one another, automatically sending and receiving data through the internet. Hence the name of this emerging network—the Internet of Things. The saboteur had hacked into hundreds of thousands of these devices and infected them with malware, so that, at a designated moment, all of them sent messages to the real target—in this case, Dyn DNS—and shut it down.

The malware was simple: a program called Mirai, which, in the words of an alert sent out by the Department of Homeland Security, “uses a short list of 62 common default usernames and passwords to scan for vulnerable devices.”

This is what few consumers have understood about the Internet of Things: All of these nifty devices are computers with, in some cases, quite powerful data processors. And, like all computers, their operating systems are preprogrammed with usernames and passwords. The default usernames and passwords tend to be obvious: 12345, username, password—more than covered by the 62 words on Mirai’s scan-list.

However, unlike most computers, the Internet of Things devices are on all the time, and there’s no user interface for even tech-savvy consumers to monitor the machines’ activities. As one Silicon Valley technologist (who requested anonymity because he works for a firm that makes some of these devices) put it, “My TiVo needs an internet link only to download TV guide metadata every fortnight, but as far as I know it’s also working overtime serving viruses or DNS attacks.”

The technologist went on: “Who’s to know what’s running on your interlinked Nest thermostat or your refrigerator? Borderline impossible. And all that stuff is interconnected to websites and accounts with credit cards and other attractive targets for hackers. Given the radical increase in traffic that these devices generate, it will get easier to hide malicious streams of network traffic in the noise.”

There are now about 10 billion IoT devices in the world. (The estimates range from 6.4 billion to 17.6 billion, depending how the term is defined.) Some estimate that, by 2020, the figure will climb to 50 billion. That’s a lot of bots that a hacker can enslave for an attack.

Back in 1996, Matt Devost, Brian Houghton, and Neal Pollard wrote an eerily prescient paper called “Information Terrorism: Can You Trust Your Toaster?” They foresaw an era when household appliances would all be wired to the internet. Life would be more convenient, time would be saved—and everything you own would be vulnerable to hacking.

Devost, who went on to run Red Team operations in NATO war games and is now managing director of Accenture Security, says that, if anything, he understated the threat. He saw the phenomenon—and people today continue to see the Internet of Things—as posing “microthreats”: hackers messing with our personal stuff, turning our lives upside down, possibly even killing us. See, for instance, the experiment, just last year, when a former National Security Agency employee named Charlie Miller hacked into the onboard networks of a Jeep Cherokee and commandeered its steering wheel, accelerator, brakes—everything in the vehicle.

But in their paper of 20 years ago, Devost and his co-authors did not foresee “macrothreats”: hackers aggregating “smart” devices to mess with society. “Imagine it’s one of those mid-August days,” Devost said, “100 degrees with roaming brown-outs. What if a hacker ordered the IoT devices in a few large commercial buildings to turn up their air conditioners to max level? He could do real damage to the power grid.” And even this scenario is minor compared to the sort of attack presaged in last week’s incident—a hacker enslaving hundreds of thousands (or even millions or billions) of IoT devices to launch a massive denial-of-service attack that shut down, say, a whole city’s power generators or some other facility in the nation’s critical infrastructure.

That phrase “critical infrastructure” came into vogue in the late 1990s—to refer to power grids, banking and finance, oil and gas, transportation, water, emergency services, and other sectors on which a modern society depends—when a presidentially appointed panel, known as the Marsh Commission, discovered that all of those sectors were vulnerable to hackers.

Over the previous decade, the private corporations controlling these sectors all started to realize the enormous savings involved in hooking up their control systems to this new thing called the internet. Money transfers, energy flows, train switches, dam controls—they could all be monitored and managed swiftly, automatically, efficiently. No one considered the possibility that bad guys could hack into those networks and route the money, energy, trains, or water for criminal or destructive purposes.

The dangers should have been clear even then. As far back as 1967, at the very dawn of the internet, when its military precursor known as the ARPANET was about to roll out, a man named Willis Ware—head of the Rand Corporation’s computer science department and member of the NSA’s scientific advisory board—wrote a paper warning of its implications. Once you put information on a network—once you make it accessible online from multiple, unsecure locations—you create inherent vulnerabilities, Ware concluded. You won’t be able to keep secrets anymore.

When I was researching my book Dark Territory: The Secret History of Cyber War, I asked Stephen Lukasik, the person running the ARPANET program at the Pentagon’s Advanced Research Projects Agency, whether he’d read Ware’s paper. Sure, Lukasik told me. He told me that he took the paper to his team members, who also read it and begged him not to saddle them with a security requirement. It would be like telling the Wright brothers that their first plane at Kitty Hawk had to fly 50 miles while carrying 20 passengers. Let’s do this step by step, they said. It had been hard enough to get the system to work. Besides, the Russians wouldn’t be able to build something like this for decades.

It did take decades—about three decades—but, by then, vast systems and networks had sprouted up in the United States and much of the world with no provision for security. This was the bitten apple in the digital Garden of Eden. The sin was built into the system from its conception.

Corrections could have been made, security provisions could have been built in, once the utilities started hooking up the nation’s critical infrastructure to the internet—or, if they’d known of the risks, they might have decided not to get wired in the first place. And now, with the Internet of Things, we’ve begun to extend the mistake into our homes, into the stuff of our everyday lives.

Some remedies have been taken even since this past Friday. The Chinese firm Hangzhou Xiongmai Technology Co., Ltd., which makes components for some of the surveillance cameras hacked in last week’s denial-of-service attack, announced that it was recalling products from the United States. Dahua Technology, another Chinese company, offered firmware updates on its websites for customers who had bought its cameras and video recorders. But these are small measures, not likely to have much effect even on these specific products, much less those made in the past several years or in the years to come.

In the late 1990s, when the utilities’ vulnerabilities first came to light, Richard Clarke, then the White House counterterrorism chief, proposed imposing mandatory cybersecurity requirements on all industries connected to critical infrastructure. The companies lobbied against his plan, as did President Bill Clinton’s economic advisers, who warned that the measures would cripple these companies’ competitiveness in the global market. Clarke also suggested putting the government and critical-infrastructure industries on a parallel internet, which would be wired to certain agencies that could detect intrusions. This plan was leaked and denounced as “Orwellian.”

“If we could go back 30 years, we would probably do things differently,” Matt Devost reflected. We shouldn’t wait till it’s too late, he added, to put some limits on the Internet of Things. For instance, he suggested, the United States should impose regulations requiring all IoT devices to come with locks, so that consumers can’t activate them without first changing the default password—and maybe requiring the new password to be sufficiently long and complex to make it resist simple password-scanning malware, like Mirai.

When companies started putting power grids on the internet, the net itself was new and the art of hacking hadn’t spread. Maybe a few hundred people in the world knew how to exploit its vulnerabilities; now a few million do.

It’s important to understand that much more is at stake than a brief shutdown of Twitter. As Bruce Schneier, a prominent cybersecurity analyst, put it in a blog post that he published in September, a month before this recent attack, “Someone is learning how to take down the Internet.”

He noted that several attacks of precisely this sort—but smaller, the kind of incidents that specialists see but that elude mainstream notice—have been occurring in the past couple of years. This probably isn’t the work of criminals or mischievous researchers; they wouldn’t be interested in the targets or capable of mounting attacks of such scope. Rather, Schneier wrote, the whole trend “feels like a nation’s military cyber-command trying to calibrate its weaponry in the case of cyberwar. It reminds me of the U.S.’s Cold War program of flying high-altitude planes over the Soviet Union to force their air-defense systems to turn on,” so the U.S. Air Force could map the capabilities of Soviet radars and figure out how to elude them.

Is that what’s happening now? Is some nation-state figuring out how many IoT devices it takes to shut down larger chunks of the internet, and thus our society, as a whole? It sounds like paranoid science fiction from the 1960s, but the writers of that stuff were trying to scan the future as an extension of what was happening at the time, and in this case, they might have been on target.

Artificial Intelligence part of the new G Suite (Google Apps)

By | Google, IT Blog | No Comments

Artificial intelligence is central to Google’s cloud productivity apps, recently rebranded as G Suite. Likewise, Microsoft is infusing Office 365 with AI.

Google has something of a penchant for changing the names of its products, and the latest one to be given a new moniker is Google Apps for Work. From now on – or until the next name change, at least – the collection of cloud-based productivity applications which includes Gmail, Docs, Drive, Calendar and Hangouts will be known as G Suite.
What Is in a G Suite Name

According to Kelly Campbell, senior director of G Suite marketing, Google Cloud, the new name is intended to reflect Google Apps for Work’s mission: “to help people everywhere work and innovate together, so businesses can move faster and go bigger.”

The “G” part obviously refers to Google, while the “Suite” part emphasizes the fact that the apps are designed to work together (like Lotus SmartSuite, the venerable group of productivity applications that IBM discontinued in 2013). There’s also a pun on c-suite, the term that refers to a large company’s top executives.

So the name encompasses Google, integration between applications and large companies, and that’s the real message Google is trying to get across with the rebranding, said TJ Keitt, a senior analyst at Forrester Research. “Google wants people to look at its product as a suite rather than a loose assemblage of disparate apps. And it wants to pivot from selling consumer technology to enterprises and draw attention to applications that have been developed specifically for the enterprise market.”
G Suite Has AI Inside

At the heart of this pivot to the enterprise market is the infusion of a healthy dose of Google’s artificial intelligence (AI) technology into the various components of G Suite, explained Prabhakar Raghavan, Google Cloud’s vice president, Apps, in a blog post.

“A year ago, Smart Reply launched, offering auto-generated replies for emails that only need a quick response. Now, more than 10 percent of all replies on mobile are sent using Smart Reply. The reception has been so strong that we’re continuing to apply machine intelligence across our suite to solve customer problems,” Raghavan wrote.

Another example of this is Quick Access in Drive on Android, a feature which selects what it thinks are the most relevant files to the work you are doing so they are easily accessible when Drive is opened. It chooses files based on interactions with colleagues, recurring meetings and other activity in Drive.

“Machine intelligence helps Drive understand the rhythm of your workday and offers the files you need before you even ask,” said Raghavan. “Our customer research shows that Quick Access saves about 50 percent of the time an employee would usually spend finding a file.”

Yet another example is the intelligence that has been implanted into Google Calendar to help find a time when multiple invitees to a meeting are free and to suggest rooms based on previous room bookings.
G Suite vs. Microsoft Office 365

One question mark over G Suite’s acceptance as an enterprise product is its ability to appeal to enterprises in which usage of Microsoft productivity tools is nearly ubiquitous. Most people have trained or grown up with Microsoft’s Office products, and in the cloud its Office 365 service is a direct competitor to G Suite. Microsoft has also been adding AI into its productivity suite – in the form of Office Graph and Delve, for example.

And IBM, the other significant player in the enterprise cloud productivity app game, can include Watson’s AI in its offerings.

“The question really comes down to this: Which parts of the market do Google and Microsoft compete evenly in, and where does Microsoft have a big advantage?” Keitt said. “In big organizations, Microsoft has an advantage because it is more flexible. Microsoft has on-premise offerings and single-tenancy offerings, but Google insists on multi-tenancy so it makes it hard for some companies to adopt it. But in the smaller enterprise market Google can compete.”

While Keitt is doubtful that Google would ever move toward a dedicated hosting model to boost its appeal to larger enterprises, the company has made some concessions, he pointed out. “They have, for example, disaggregated their services so that you can have Google Drive separately, but they won’t stray too far unless there is a specific market opportunity like the U.S. federal sector,” he said.

Given that Google is unwilling to compete head-on with Microsoft in the large enterprise space, it is worth considering why it bothers getting involved in the enterprise market at all. Can it possibly be worthwhile to run an offering like G Suite?

“Everything that Google does which is not advertising is minuscule,” Keitt said. “It’s about business diversification. They see something that could disrupt their advertising revenue and they get involved.”

But he also believes that Google is involved in business apps — and many other activities — simply because of the nature of the beast. “Google is an engineering business so it tinkers with things, and it happened to discover an opportunity. Now it is hard to extract itself from it because it has made federal deals; extracting itself from those would be damaging.”

In fact G Suite is aligned with Google’s founding principle of making information more accessible to people and usable to them, Keitt said. “Every business it gets involved in is about information: mapping, email, content distribution … So the proposition to business is how to make it easier to locate expertise and information in the organization, and Google can do this using its apps and its AI technology.”

Paul Rubens has been covering enterprise technology for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.

Russian AntiVirus Firm Kaspersky Upset Over Reports of KGB Ties

By | news, Security | No Comments

Eugene Kaspersky, head of Russia-based security software supplier Kaspersky Lab, is fighting allegations that his company has “close ties” to Russian spies.


Last week, Bloomberg Business published an article accusing Kaspersky Lab of excluding Russia from reports examining electronic espionage by the United States, Israel, and the United Kingdom.

Bloomberg traced an alleged change in focus at the anti-virus shop back to 2012, when high-level managers began exiting the company and being replaced by what the news service claimed were “people with closer ties to Russia’s military or intelligence services.”

“Some of these people actively aid criminal investigations by the FSB, the KGB’s successor, using data from some of the 400 million customers who rely on Kaspersky Lab’s software,” Bloomberg said, citing current and former employees who went unnamed in the article.

“This closeness starts at the top,” Bloomberg continued. “Unless [CEO] Kaspersky is traveling, he rarely missed a weekly banya (sauna) night with a group of about five to 10 that usually includes Russian intelligence officials.”

While the chief did not deny the social gatherings, he did assert that they are not conspiratorial, and that the presence of spies was purely coincidental.

Kaspersky (pictured) spoke out late last week, writing in a blog entry that Bloomberg’s piece is nothing more than sensationalism.

“Exploiting paranoia is always a great tool for increasing readership,” he said, adding that, “It’s been a long time since I read an article so inaccurate from the get-go—literally from the title and the article’s subheading.”

As security expert Graham Cluley pointed out, Bloomberg’s story was published just two days after Kaspersky revealed more details about the long-running “Crouching Yeti” attacks, which target a number of countries—but not Russia.

The nation’s absence may seem odd, Cluley said, until you read that, according to Kaspersky, the authors of Crouching Yeti were likely Russian speakers.

“Clearly Bloomberg missed that piece of information,” Cluley said.

Investigating state-sponsored attacks can be awkward for any company: Silicon Valley-based FireEye CEO Dave DeWalt told The Wall Street Journal that he would think twice before publicizing a hacking campaign by government-backed Americans.

Kaspersky has indeed probed attacks attributed to Russian cyber-spies, including Red October, CloudAtlas, CosmicDuke, and Epic Turla.

“I must have said this a million times, but we do not care who’s behind the cyber-campaigns we expose,” Kaspersky wrote in his blog. “There is cyber-evil and we fight it. If a customer comes and shows us a problem we investigate it. And once we take the genie out of the bottle, there’s no way we can put it back.”

He continued to pick apart the Bloomberg article line-by-line, responding to a number of allegations and attempting to set the record straight.

Meanwhile, Kaspersky alluded to dealing with mistrust as a Russian company when he tweeted last week that the company’s next research conference will provide better accommodations.

“It’s very hard for a company with Russian roots to become successful in the U.S., European, and other markets. Nobody trusts us—by default,” Kaspersky said. “Our only strategy is to be 100 percent transparent and honest. It took years to explain who we are. Many people attempted to find ‘dirt’ on us—and failed. Because we’ve nothing to hide.”

 

Apple Sales News

By | Apple, news | No Comments
U.S. Sales
MacBook

Shipping April 10

MacBook on Apple.com

The New MacBook

At just 2 pounds and 13.1 mm thin, the new MacBook is Apple’s thinnest and lightest notebook.

It features a stunning 12-inch Retina display, new Apple-designed keyboard, all-new Force Touch trackpad, fifth-generation Intel Core M processors, fast PCIe-based flash storage, and all-day battery life. And it’s available in three gorgeous metal finishes—Gold, Space Gray, and Silver.

The new MacBook is designed for a wireless world and is the ideal notebook for customers looking for the complete Mac experience in Apple’s most portable notebook ever.

Mac

Now available

Mac on Apple.com

Updates to Mac notebooks

13-inch MacBook Pro with Retina display
The 13-inch MacBook Pro with Retina display now features the all-new Force Touch trackpad, fifth-generation Intel Core processors, next-generation Intel Iris Graphics 6100, and ultrafast PCIe-based flash storage. It’s the ideal notebook for enthusiasts and professionals looking for fast performance in an incredibly compact and light design.

MacBook Air
The MacBook Air line now features fifth-generation Intel Core processors, next-generation Intel HD Graphics 6000, and a Thunderbolt 2 port. And with all-day battery life, MacBook Air will go with you and stay with you the entire day.

Watch

Available April 24

Apple Watch on Apple.com

Apple Watch – Coming in April

Apple Watch will be available on Friday, April 24 to customers in Australia, Canada, China, France, Germany, Hong Kong, Japan, the UK, and the U.S.

On Friday, April 10, Apple Watch will be available for pre-order through the Apple Online Store. And Apple Retail Stores and select department store shop-in-shops will begin offering customers the chance to preview their choice of Apple Watch and try it on.

For more details, see the press release.

ResearchKit

ResearchKit on Apple.com

ResearchKit introduced

Apple has created ResearchKit, an open source software framework designed for medical and health research to help doctors and scientists gather data more frequently and more accurately from participants using iPhone apps.

Several world-class research institutions have already developed apps with ResearchKit for studies on asthma, breast cancer, cardiovascular disease, diabetes, and Parkinson’s disease. These apps are available on the App Store in the U.S. today, and will be available in more countries in the future.

ResearchKit will be released in April. See the press release and website for more details.

HBO Now

Available April 2015
(U.S. only)

Apple TV on Apple.com

HBO NOW on Apple TV, iPad, and iPhone

With HBO NOW, Apple customers have an incredible new way to watch many of their favorite HBO programs. They can subscribe to HBO right from an Apple TV or iOS device—no cable or satellite subscription required—and get instant access to every episode of every season of HBO’s award-winning original shows and Hollywood blockbusters.

HBO NOW will be available for just $14.99 a month with no long-term contract or commitment. Customers can sign up on Apple TV, iPad, iPhone, or iPod touch, and get the first month for free.

Recycle your old computer or display with Sims zero-landfill policy.

By | New Orleans, news | No Comments

If all you want is to dispose of your unwanted equipment — regardless of brand — we can help you do that. Just drop off your old computer or display at our office and we will ship your old electronics to Sims Recycling Solutions…for free.

We’ll make sure that your product is safely recycled at one of Sims Recycling Solutions’ domestic processing facilities, where a zero-landfill policy and proven sustainability give you peace of mind in knowing that your electronics will be managed responsibly.

Sims Recycling Solutions responsibly recycles computers and displays from any manufacturer.

Does Internet Usage Rewire the Human Brain?

By | news | No Comments

Co-authored by Lakshmi,

Going by prehistory, where the dawn of tool usage among human ancestors coincided with a remarkable increase in brain size, it is natural to expect that new digital activity can cause rewiring in the cerebral circuitry. The brain is a neuroplastic organ that is constantly changing in response to external stimuli. Given the enormity of the stimulus caused by the Internet, it seems logical that it can cause significant cerebral adaptations. Or is the digital era too recent to be able to cause evolutionary changes in brain structure yet?

On one hand are neuroscientists such as Susan Greenfield, who believe that the digital era could be detrimental to the human brain. Greenfield argues that the prefrontal cortex would be damaged, underdeveloped or underactive in technology addicts, just as it is in gamblers, schizophrenics or the obese. Researchers from Xidian University, China have recently suggested that long-term Internet addiction does result in brain structural alterations, which could contribute to chronic dysfunction in subjects with Internet Addiction Disorder.

There are others who differ. Jeff Jarvis, author of “Public Parts: How Sharing in the Digital Age Improves the Way We Work and Live,” believes that technology will not change our brains and how we are “wired,” but affects and changes how we cognate and navigate our world, which could in fact be beneficial. A study by Gary Small at UCLA in 2008 showed that Internet browsing activities triggered key centers in the brain that control decision-making and complex reasoning. It is little wonder then that digital natives are better at snap decisions and juggling sensory input than digital immigrants. This could indicate that technology and gadgets do possibly rewire the brain to function better, especially during adolescence, which is considered a sensitive period for cognitive development. Studies have also demonstrated that playing action video games can enhance visual attention and improve decision-making skills for youth and the aged alike. It is the content of the video games, e.g., the amount of violence and/or inappropriate, unethical scenarios, that could adversely affect the player’s psyche.

Sparrow and co-workers of Columbia University recently studied the memory of college students vis-à-vis Internet use and found an interesting pattern. While extensive users of the Internet (search engines, in particular) could not recall information itself, they could easily and accurately recall where to find that information online. Thus, the Internet has become an external or transactive memory, where information is stored collectively outside us. But this in and of itself is not a new concept. The notion of “transactive memory” proposed by Wegner has been around since 1985 (“no need to remember birthdays, just remember that the wife does”) and the Internet merely subscribes to this form of memory.

Gary Small and co-workers have also reported that Internet searching engages more neural circuitry than, say, reading text pages. Thus, among middle-aged and older adults, Internet use may favorably alter the neural circuits controlling short term memory. However, since our brains use information stored in the long-term memory to facilitate critical thinking, there may be a certain loss in this area upon extensive Internet usage.

There have also been studies on the connection between the brain and technology-induced multitasking. Multitasking does not mean “performing multiple tasks at the same time,” which is not possible, but “switching between tasks at an extreme rate of more than four switches per minute.” The Kaiser Family Foundation reports that 8- to 18-year-old youths carry out extensive “media multitasking,” and the compulsive need to rapidly switch between multiple media has led to the belief that there may be a greater incidence of ADHD-type disorders among youth. There is also the school of thought that, given the brain’s limits to the “cognitive load” it can handle, multitasking leads to loss of efficiency. Switching attention across tasks occurs in the prefrontal cortex, the region of the brain that is one of the last regions to mature in children and one of the first to decline with aging. However, Carrier and co-workers of California State University, Carson, did not find any relationship, positive or otherwise, between brain function and media multitasking.

Kep Kee Loh and Ryota Kanai of the University of Sussex report differently. They have demonstrated that brain structure CAN be altered upon prolonged exposure to novel environments and experience. They have confirmed through MRI studies that people who extensively media-multitasked had smaller gray matter density in the anterior cingulate cortex of the brain. This could possibly result in decreased cognitive control performance and socio-emotional regulation in heavy media-multitaskers. However, the researchers also disclaim that it is not yet clear if media-multitasking causes changes in the brain or whether people with less dense gray matter are attracted to media-multitasking in the first place — a classic chicken-egg scenario.

The digital era has, since its inception, continuously elicited various types of moral panic that have engaged scientists, psychologists, sociologists, educators, policy makers and, most importantly, the media. The anxiety around technology and the Internet has provoked intense debate on its effects on the biology of the brain. “Neuroplasticity” has been a powerful word in arguments both for and against the effect of technology on the brain. Studies in neuroscience have supported and challenged the proposed negative effects, thus leading to neuro-alarmism and neuro-enthusiasm respectively. But the real situation probably lies somewhere in the middle. Before succumbing to media frenzy in denouncing or hailing technology and the Internet as bane or boon in terms of human evolution and brain conditioning, it is important to remember that human cognition is distributed across brain, body and the tool (digital or otherwise) and is not a standalone quality, but one that is critically influenced by the surroundings as much as by the system itself.

Crypto Locker Decryption Assistance

By | news, Security | No Comments

Ransomware is a particularly nasty piece of malware that takes infected machines hostage. CryptoLocker succeeded in garnering multiple millions of dollars in ransom payments in the first two months of its distribution, according to a recent FireEye blog post about the takeover of CryptoLocker infrastructure, Operation Tovar.

Operation Tovar helped tear down the infrastructure used by the attackers, but there are still many instances of users being infected with ransomware. After the success of Operation Tovar, there were few resources available to help decrypt files that remained encrypted under the attackers’ private key.

While not particularly innovative, CryptoLocker was successful because it encrypted the files on the computers it infected and then demanded a ransom for the private key needed to decrypt them. The harsh reality of a situation like this is that not many people back up their data, and in some cases the backups themselves were encrypted because they were mounted on an infected machine. As a result, many victims felt helpless at this point and paid the ransom, typically around $300. A simple description of the way CryptoLocker works follows:

  1. CryptoLocker arrives on a victim's machine through a variety of techniques, such as spear-phishing emails or watering hole attacks.
  2. CryptoLocker then connects to a randomly generated domain (via DGAs) to download a specific RSA public key.
  3. At that point, an AES-256 key is created for each file on the system.
  4. CryptoLocker then encrypts all of the supported files using the per-file key generated in step 3.
  5. Each generated AES key is then encrypted with the RSA public key downloaded in step 2.
  6. Finally, the encrypted AES key is written to the beginning of the encrypted file, so the RSA private key is required to decrypt it.

Figure 1: Screenshot of victim machine infected with CryptoLocker
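To make steps 2 to 6 concrete, here is an added Go model (written for this page, not FireEye's or Fox-IT's tool) of the two operations the decryptor exposes: a key-free header check in the spirit of "--find" and a decryption in the spirit of "--key". The marker, header layout, RSA-OAEP/AES-GCM choices and all function names are assumptions made for the illustration; the real CryptoLocker byte format is not on this page.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Assumed layout, modelled on steps 3-6 above (not the real CryptoLocker byte format):
// marker | 2-byte big-endian length | RSA-OAEP-wrapped AES-256 file key | 12-byte GCM nonce | ciphertext
const marker = "LOCKED-DEMO" // constructed tag so the "--find" style check can recognise sample files

// newDemoKey stands in for the attacker's RSA key pair (step 2); only its private half unlocks files.
func newDemoKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// lockForDemo constructs a sample locked buffer: fresh AES-256 key per file (step 3), content sealed
// under it (step 4), key wrapped with the RSA public key (step 5) and prepended to the file (step 6).
func lockForDemo(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	keyAndNonce := make([]byte, 32+12)
	rand.Read(keyAndNonce) // crypto/rand; error return ignored for brevity in this demo
	fileKey, nonce := keyAndNonce[:32], keyAndNonce[32:]
	block, _ := aes.NewCipher(fileKey) // a 32-byte key cannot fail here
	gcm, _ := cipher.NewGCM(block)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	var out bytes.Buffer
	out.WriteString(marker)
	binary.Write(&out, binary.BigEndian, uint16(len(wrapped)))
	out.Write(wrapped)
	out.Write(nonce)
	out.Write(gcm.Seal(nil, nonce, plaintext, nil))
	return out.Bytes(), nil
}

// IsLocked is the "--find" style test: a header check that needs no key at all.
func IsLocked(data []byte) bool { return bytes.HasPrefix(data, []byte(marker)) }

// Unlock is the "--key" style operation: only the matching RSA private key recovers the per-file AES key.
func Unlock(priv *rsa.PrivateKey, data []byte) ([]byte, error) {
	if !IsLocked(data) || len(data) < len(marker)+2 {
		return nil, errors.New("not a locked file")
	}
	body := data[len(marker):]
	n := int(binary.BigEndian.Uint16(body))
	if len(body) < 2+n+12 {
		return nil, errors.New("truncated file")
	}
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, body[2:2+n], nil)
	if err != nil {
		return nil, errors.New("private key does not match this file")
	}
	block, _ := aes.NewCipher(fileKey)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, body[2+n:2+n+12], body[2+n+12:], nil)
}
```

Because the file carries only the RSA-wrapped AES key, a victim without the private key has nothing to work with, which is exactly why the keys recovered from the backend infrastructure are what make the tool useful.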

Not all CryptoLocker variants are created equal. Several copycats and hybrid versions of CryptoLocker exist, ranging from programs like CryptoDefense, PowerLocker, TorLocker and CryptorBit to variants that are not necessarily named but have modified functionality, such as using Yahoo Messenger as a propagation technique.

Decryption Assistance

To help solve the problem of victims' files still being encrypted, we leveraged our close partnership with Fox-IT. We developed a decryption assistance website and corresponding tool designed to help those afflicted with the original CryptoLocker malware. Through various partnerships and reverse engineering engagements, Fox-IT and FireEye have ascertained many of the private keys associated with CryptoLocker. Having these private keys allows for decryption of files that were encrypted by CryptoLocker.

FireEye and Fox-IT have created a webpage, https://www.decryptcryptolocker.com, where a user can upload an encrypted CryptoLocker file. Based on this upload, the user will be provided with the option to download a private key that should decrypt their affected files. The site also provides instructions on how to apply this key to the files encrypted by CryptoLocker.

To use the site, simply upload an encrypted file that does not contain any confidential information. (Please keep in mind that we will not permanently store, view, or modify your file in any fashion.) Enter your email address to ensure the private key associated with the file is sent to the correct individual, and enter the correct number or phrase in the Captcha field.


Figure 2: Screenshot of https://www.DecryptCryptoLocker.com

After clicking "Decrypt It!", you will be presented with instructions to download the Decryptolocker.exe tool from https://www.decryptCryptoLocker.com (Figure 3). In addition, your private key will be sent to the email address specified.


Figure 3: DecryptCryptoLocker decryption result page

After receiving the email (Figure 4), you will then select the key and utilize it in conjunction with Decryptolocker.exe.


Figure 4: Email containing private key

At this point, the user opens a Windows Command Prompt and browses to the directory containing the Decryptolocker.exe tool and the locked file. (Please note that the path to the locked file must be specified if the file is not in the tool's directory.) The user must enter the command exactly as specified on the successful decryption page. The command takes the following form:

Decryptolocker.exe --key "<key>" <Lockedfile.doc>

Upon successful execution of the tool, the user should be presented with a prompt indicating decryption was successful (Figure 5).


Figure 5: Successful decryption of File1-1.doc

Conclusion

Operation Tovar made a clear impact on the distribution of CryptoLocker and the infection of machines by it. However, there have been no known avenues to help users get their encrypted files back without making significant payments to those responsible for infecting the machines in the first place. While the remediation of infected machines can be somewhat difficult, hopefully with the help of https://www.decryptCryptoLocker.com and Decryptolocker.exe we can help you get back some of the valuable files that may still be encrypted.

As always, to help prevent a threat like this from affecting you and your data, ensure you back up your data. Ideally, this would be done in at least two locations: one on premises (such as an external hard drive), and the other off premises (such as cloud storage).

View the free, on-demand webinar DeCryptoLocker: Relief for CryptoLocker Victims for additional information.

FAQ

Are all encrypted files afflicted with CryptoLocker decryptable with this tool?

We believe we recovered everything from the CryptoLocker database. However, we are aware that a limited chunk of data may be missing, related to either the takedown or interruptions of the CryptoLocker backend infrastructure. As a result, certain files may not be decryptable. Also, new variants of CryptoLocker may be released at any time, and the tools we discuss here or have made available may not be able to decrypt files encrypted by these more recent variants.

Does this tool work against CryptoLocker variants?

There are several variants of CryptoLocker, all functioning in different ways. While these variants do appear similar to CryptoLocker, this tool may not be successful in all decryption processes because of code and functionality variances.

Does any of our data get stored by FireEye or Fox-IT?

Under no circumstances does personal data get stored, processed or examined by FireEye or Fox-IT when using this tool.

Is this service free?

The Decryptolocker.exe tool is available at no cost via the website to anyone who has been compromised by CryptoLocker.

How can I use the Decryptolocker.exe tool?

The Decryptolocker.exe tool is designed to perform a few different functions. Here are some examples of the commands you can enter, depending on the result you would like to obtain.

1) If you would like to test whether a file is encrypted with CryptoLocker, you can enter:

Decryptolocker.exe --find File1.doc

2) If you would like to find all files encrypted with CryptoLocker in a directory, you can enter:

Decryptolocker.exe --find -r "C:\FolderName"

Note: Remember to include the "-r"

3) If you would like to decrypt a file encrypted with CryptoLocker, you can enter:

Decryptolocker.exe --key "<your private key provided in email>" File1.doc

4) If you would like to decrypt all files in a folder, you can enter:

Decryptolocker.exe --key "<your private key provided in email>" C:\FolderName\*

Note: Remember to include the "*" at the end

5) If you would like to decrypt all the files in a folder or drive recursively, you can enter:

Decryptolocker.exe --key "<your private key provided in email>" -r C:\

Note: Decryptolocker.exe creates a backup of each encrypted file in the same directory before writing the decrypted file. If you do not have enough space for these files, the command may not execute, and your computer may run more slowly. Ensure you have sufficient disk space before proceeding.


Disclaimers

There are several variants of CryptoLocker, all functioning in different ways. While these variants do appear similar to CryptoLocker, the tools discussed here may not successfully decrypt files encrypted by every variant because of differences in the programs or for other reasons. Also, while we have many unlocking keys, there is a possibility that we will be unable to decrypt your files.

1 in 30 have been hit by CryptoLocker and 40% pay the ransom, says study

By | news, Security | No Comments

An annual survey on computer security issues run by a UK university was published last week. Its stats on the prevalence of ransomware, and how many people give in to the crooks and pay the ransom, raised some eyebrows.

The University of Kent’s 2014 Survey on Cyber Security found that 1 in 30 has had their system hit by CryptoLocker, and 40% of those paid up.


The figure for ransomware as a whole seems even more eye-opening, with almost 1 in 10 reporting having fallen victim.

The survey was organised by the University of Kent’s Interdisciplinary Research Centre in Cyber Security, by a team composed of both computer scientists and psychologists, and conducted using Google’s Consumer Surveys platform.

As the authors of the report caution their readers, the survey covered a relatively small number of people – just over 1,500 UK adults. That leaves it open to inaccuracies for all sorts of reasons, including sampling bias due to the kinds of people drawn to responding to online surveys, but the results seem dramatic enough to be more than just an anomaly.

Other data picked up by the survey seems fairly predictable. Around two-thirds of us feel at risk from cybercrime, and just over 1 in 4 have been the victim of some sort of "cyber-dependent crime" in the last year, with malware (11.9%) and phishing (7.3%) the main culprits. 1 in 10 has been exposed to online bullying, harassment or stalking.

If the rate of malware infections seems a little higher than we normally see in surveys of this nature, that could well be down to the high levels of CryptoLocker and other ransomware included in those figures.

9.7% of people claimed they had been infected by ransomware of some kind, with CryptoLocker specifically named in the survey question and making up around a third of all reported infections.

Proving a negative

Survey data always has a problem in that it’s only as accurate as the knowledge (and honesty) of the people being surveyed.

Malware, for the most part, aims to avoid revealing its presence to its victims, sometimes going to great lengths to do so.

So when you ask someone if they have ever been hit by malware, and their response is a strong and definite “no”, that answer should always be viewed sceptically. How can they possibly know?

Proving a negative is not easy in the best of circumstances, and being certain something hasn’t happened simply because you haven’t noticed it happen is particularly difficult when the thing you haven’t noticed is specifically designed to be secretive and stealthy.

Have you ever been spied on from a distant rooftop? No? Can you really be sure of that?

Unlike most malware, though, CryptoLocker and other ransomware attacks make no secret of their presence; indeed, their main intention is to make it very plain to their victims that they have been infected.

So it could be that what we’re seeing here is not a change in the total level of malware going around, simply a change in the visibility of it to the general public.

Only a third have firewalls

And perhaps that is no bad thing. Other details emerging from this same survey include less than half of respondents using up-to-date anti-malware, just over a third implementing firewalls, and a little less than that exercising sensible password hygiene.

Maybe a little more visibility will finally make the general public start sitting up and paying more attention to the risks of malware and other online threats.

At the moment, it seems like we’re still mostly either ignorant or in denial, right up until something nasty infects our machine and nabs our data, or encrypts it and demands a ransom.

That so many people pay up is not much of a surprise either. Like other security basics, it looks like proper backing up of sensitive or precious files is a rare thing.

Victims forced to pay up include police departments and law firms, with ransomware threats clearly targeting small businesses where proper security practices such as backups are more likely to be lacking.

These shortcomings may have been hidden in the past, but now they are being forced into the spotlight, and the shock may just jolt people into giving the right priority to their security needs.

Amazon customizes low-cost instances for remote desktops & databases

By | news | No Comments
Amazon Web Services has launched a type of instance to reduce costs for hosted remote desktops and small databases that don't consistently use high levels of CPU power but every now and then need better performance.

The T2 instances offer organizations an assured but throttled performance level combined with the ability to automatically scale up when applications need more compute power.

The instances are available in micro, small, and medium sizes with on-demand prices starting at US$0.013 per hour, which equals $9.50 per month. The micro instance can also be accessed via Amazon’s free tier, the company said Tuesday.

For example, a small T2 instance has access to 20 percent of a single core of an Intel Xeon processor running at 2.5GHz at all times. When the instance is idle, so-called “CPU credits” accumulate and are stored for up to 24 hours. The small instance gets 12 credits per hour, which can be spent when more performance is needed. Each credit equals the performance of a full CPU core for one minute.

If an instance has an empty CPU credit balance, performance will remain at the baseline. And when an instance’s balance approaches zero, performance will be lowered to the baseline over a 15-minute interval. IT staff can track the credit balance for each instance using the CloudWatch tool.

Workloads such as remote desktops, development environments (including build servers), low-traffic websites and small databases have long periods of low CPU utilization but occasionally need bursts of full-throttle processing, according to Amazon. This makes them a good fit for the T2 instances.

Replacing Amazon’s previous generation of instances with the equivalent T2 instances will give enterprises significantly better performance at under half the cost, according to the company. However, they are not for everyone; applications such as video encoding, high-volume websites or HPC applications work better with regular instances that offer fixed performance, it said.

Cryptolocker Ransomware: What You Need To Know

By | IT Blog, Microsoft, news, Security | No Comments

Antivirus companies have discovered new ransomware known as Cryptolocker.

This ransomware is particularly nasty because infected users are in danger of losing their files forever.


Spread through email attachments, this ransomware has been seen targeting companies through phishing attacks.

Cryptolocker will encrypt users’ files using asymmetric encryption, which requires both a public and private key.

The public key is used to encrypt and verify data, while the private key is used for decryption, each the inverse of the other.

Below is an image from Microsoft depicting the process of asymmetric encryption.


The bad news is decryption is impossible unless a user has the private key stored on the cybercriminals’ server.

Currently, infected users are instructed to pay $300 USD to receive this private key.

Infected users also have a time limit to send the payment. If this time elapses, the private key is destroyed, and your files may be lost forever.

Files targeted are those commonly found on most PCs today; the list of file extensions for targeted files includes:
3fr, accdb, ai, arw, bay, cdr, cer, cr2, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, eps, erf, indd, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf, rw2, rwl, srf, srw, wb2, wpd, wps, xlk, xls, xlsb, xlsm, xlsx

In some cases, it may be possible to recover previous versions of the encrypted files using System Restore or other recovery software used to obtain “shadow copies” of files. The folks at BleepingComputer have some additional insight on this found here.

Removal:

Although CryptoLocker itself is readily removed, files remain encrypted in a way that researchers have considered infeasible to break. Payment often, but not always, has been followed by files being decrypted.

Prevention:

New Orleans Technology Services has already installed a plug-in on each user workstation that will help prevent Crypto Locker from accessing user files once downloaded, but we cannot guarantee the virus will not be successful.

The biggest defense may also be the easiest to apply. If you get an email from somebody you do not know, especially if it has attachments, don't open anything in it; just delete the email. If you don't know who is sending that email or if the subject is foreign to you, simply click delete.
Additionally, Google Mail, Google Apps for Business and Microsoft Hosted Exchange Services are currently blocking emails that contain the virus. Unfortunately, free services like Yahoo, AOL, and other free email hosting services included with web site hosting like JustHost, BlueHost and HostGator are not. If your organization uses or allows access to an email service that is not blocking the virus, you should consider this virus to be extremely high risk.