Entries in Cryptography (3)

Tuesday
Aug 04, 2015

Yet Another Encryption Scam

ZDNet reports that another encryption scheme has reared its ugly head, using the Windows 10 upgrade as the teaser. Hackers are targeting users attempting to upgrade to Windows 10 with ransomware that encrypts files until a ransom is paid. The "bad guys" appear to be impersonating Microsoft in an attempt to grab your money.

Emails are being sent out tempting the recipient with an attached installer that supposedly lets them get the new Windows 10 operating system sooner. What makes this scheme work is the fact that Microsoft is making users wait in a queue for their turn to upgrade their systems. Impatience on the part of waiting users is causing plenty of heartache for those who succumb to the temptation of running the installer.

Once you download and open the attached executable file, the malware payload runs and begins encrypting data on the affected computer, locking you out of those files.

Typically you are required to pay the ransom using bitcoin, which is much harder to track. And to make it even harder to track the bad guys, they are usually using the Tor network, which makes it nearly impossible to trace.

Cisco researcher Nick Biasini said the malware payload, called CTB-Locker, is being delivered at a "high rate." "The functionality is standard however, using asymmetric encryption that allows the adversaries to encrypt the user's files without having the decryption key reside on the infected system."

Ransomware attacks have been on the increase since 2014 and are a quick, easy and near-untraceable way to generate a lot of money in a very short time. So hackers are going to keep coming up with new ways to attack your systems. Beware of what you are clicking on and accepting, or you may be their very next victim!

Wednesday
Jul 15, 2015

CryptoWall ransomware cost US victims at least $18 million, FBI says

by John Zorabedian on June 25, 2015

 

Malware that encrypts all of a victim's files and holds them for ransom - what's commonly called crypto-ransomware or cryptoware - continues to be hugely successful in making money for the criminal gangs who perpetuate it.

According to a public service announcement from the FBI's Internet Crime Complaint Center (IC3), the CryptoWall variant of crypto-ransomware cost US businesses and consumers at least $18 million between April 2014 and June 2015.

That figure is based on complaints from 992 CryptoWall victims, and includes related damages such as the cost of network mitigation, loss of productivity, legal fees, IT services and credit monitoring services.

It's not clear how much of the $18 million was paid out in ransom fees to the CryptoWall criminals, but the FBI said that the ransom demanded typically ranged from $200 to $10,000.

The FBI called CryptoWall the "most current and significant ransomware threat" in the US.

Although the FBI's report of financial damages caused by CryptoWall is significant, it's likely those figures represent only a tiny minority of the cost to victims worldwide.

It's difficult to determine the exact number of crypto-ransomware victims, in part because many businesses caught in the ransomware trap don't want to come out and say so (public sector organizations like police departments haven't had the same luxury).

Equally hard is figuring out how much money the crooks have hauled in from their ransomware enterprises.

What we do know is that crypto-ransomware is highly effective, and lucrative enough for criminals to keep coming up with new forms of it - one survey found that 3% of UK citizens had been victims, and 40% of those had paid the ransom.

CryptoWall's predecessor, CryptoLocker, was extremely successful - the crew behind CryptoLocker raked in an estimated $27 million in the first two months after it was unleashed in September 2013.

Although CryptoLocker was fatally damaged by a law enforcement take-down of its server infrastructure in May 2014, cybercriminals soon began spreading other dangerous forms of ransomware based on CryptoLocker's successful model.

We began seeing CryptoWall in April 2014, along with another similar variant called CryptoDefense.

Since then, other copycats have emerged that have proved to be just as dangerous, some even borrowing the CryptoLocker name.

Recently we even saw crypto-ransomware that borrowed themes and imagery from the popular television series "Breaking Bad."

The crooks have figured out some fiendish ways to get people to pay up: by making their illicit software "consumer-friendly" with easy-to-follow instructions on how to pay with bitcoins or other forms of untraceable e-payment, and offering "user support."

Crypto-ransomware crooks have also figured out that they can earn their victims' trust (more or less) by offering to decrypt one file for "free" - so you'll know the crooks will follow through on their promise to decrypt the rest of your files once you pay them.

If the crooks have implemented the encryption process properly - and they often have - you're left with a choice of losing your files, or paying for a copy of the decryption key.

It presents an ethical dilemma - one which Sophos security expert and fellow Naked Security writer Paul Ducklin captured well in his excellent post "Ransomware - should you pay?"

His spot-on and simple advice is summed up here:

  1. Don't pay if you can possibly avoid it, even if it means some personal hassle.
  2. Take precautions today (e.g., backups, proactive anti-virus, web and email filtering) so that you avoid getting into a position where you ever need to pay.

Wednesday
Jun 24, 2015

Practical IT: What is encryption and how can I use it to protect my corporate data?

by Ross McKerchar on May 21, 2015, from Naked Security

There’s been a lot of talk about encryption in the media lately.

You hear about who uses encryption, and who doesn’t (lots of companies don’t, to their own detriment).

And you hear about who wants to be able to bypass encryption (some law enforcement and national security agencies), and who doesn’t (Google, Apple, privacy advocates, etc.).

The encryption debate is important, but unfortunately, encryption is complex and the discussion can be hard to follow for people outside of the security community.

Businesses often don't realise why encryption is important, and how they can use it to protect their data.

In this article I will seek to answer some common questions about encryption by covering two areas: 1) a very brief explanation of encryption, and 2) a couple of the most common use-cases which businesses need to be aware of.

What is encryption?

Encryption is a method of scrambling messages in a format that is unreadable by unauthorised users - it is, simply put, the best way to keep data secure from spies, thieves or accidental exposure. (Not to be confused with steganography, which is all about hiding messages, rather than making them unreadable).

Cryptography - the art and science behind encryption - uses algorithms to turn readable data (plaintext) into unreadable format (ciphertext).

Without getting too deep into the details, it's helpful to think about it like this: when you encrypt data you are storing it like you would money in a safe - you need a key to unlock the safe to get the money out (my apologies to any cryptographers reading this for the gross over-simplification!).

(If you want to learn more, I recommend my fellow Naked Security writer Paul Ducklin's great explanation of public-private key encryption.)

There are loads of ways to use encryption, but for organisations concerned about data loss, two very important areas to understand are full-disk encryption and file-level encryption.

Full-disk encryption vs. file-level encryption

Encryption can be used in many different ways.

Say your employee accidentally loses a USB drive with valuable data on a train, or their laptop gets stolen when they leave it alone in a coffee shop while they go to the bathroom (it happens).

The physical kit can be replaced, but the data on them could end up in the wrong hands and cause considerable harm - you might face financial penalties (depending on your local laws and industry regulations).

Or you might lose customers when word gets out that their personal data was leaked. You may very well be legally obliged to tell them. Of course, morally, telling them is always the right thing to do, regardless of legality.

However, if the laptop or USB drive was strongly encrypted, the data is unreadable to someone without the key and you likely won’t have legal issues to worry about.

Laptops, USB drives, and even smartphones can be encrypted using what is known as full-disk encryption. That means the entire hard drive of the device and everything on it is protected by encryption - from the operating system to program files all the way down to temporary files.

Full-disk encryption is also relatively simple to implement - laptops and smartphones now come with the capability built in, what’s called native encryption.

However, full-disk encryption can only keep your stuff secure when it's on the device. The second anything leaves the encrypted device, it is "magically" decrypted and readable by all. This has important implications for your backups or files you've uploaded to a cloud service or attached to an email.

If you think about the analogy of money in a safe, the encrypted disk is the safe, and the money is your data. Once you take your money out of the safe it is no longer protected.

Conversely, if you have file-level encryption, every file has a "padlock."

With file-level encryption, your data is protected when it is in transit, or stored somewhere in the cloud.

But there is a downside - file-level encryption is harder to manage than full-disk encryption, because whenever you want to access the data, you need the key. As you may want access from many devices and many places, this requires careful key management.

When and how should you use encryption?

Full-disk encryption barely affects system performance at all, but if you try to encrypt everything at the file level, it will quickly become unmanageable.

You need to think a bit more about what data you want to encrypt and why. You'll likely want to focus on file-level encryption for sensitive data and/or data that you copy to other places - for example, documents you want to access on your phone as well as your desktop, or from a service like Dropbox.

It's important to understand that file-level encryption doesn't replace full-disk encryption. They complement each other. If you only encrypt your own files and not the full disk then it's very easy to miss something. Chances are your computer stores copies of your data in all sorts of places you didn't think about.

Most companies will also want the IT department to carefully manage the encryption keys across various devices. Without this central management, data could easily be lost if a person leaves the company or loses their decryption password. Unlike passwords used for access, passwords used for encryption can't simply be reset by a sysadmin if they're forgotten.

A smart company will make sure the master decryption keys are very well protected. Even smarter companies will ensure that no single person has full access to the powerful key. One way of doing this is designing a system such that two or more people need to contribute towards the decryption process (segregation of duties).

Good encryption software will have capabilities to make key management and segregation of duties relatively simple.