Writer: How My Mom Got Hacked
HughPickens.com writes Alina Simone writes in the NYT that her mother received a ransom note on the Tuesday before Thanksgiving. "Your files are encrypted," it announced. "To get the key to decrypt files you have to pay 500 USD." If she failed to pay within a week, the price would go up to $1,000. After that, her decryption key would be destroyed and any chance of accessing the 5,726 files on her PC — all of her data would be lost forever. "By the time my mom called to ask for my help, it was already Day 6 and the clock was ticking," writes Simone. "My father had already spent all week trying to convince her that losing six months of files wasn't the end of the world (she had last backed up her computer in May). It was pointless to argue with her. She had thought through all of her options; she wanted to pay." Simone found that it appears to be technologically impossible for anyone to decrypt your files once CryptoWall 2.0 has locked them and so she eventually helped her mother through the process of making a cash deposit to the Bitcoin "wallet" provided by her ransomers and she was able to decrypt her files. "From what we can tell, they almost always honor what they say because they want word to get around that they're trustworthy criminals who'll give you your files back," says Chester Wisniewski.
The peddlers of ransomware are clearly businesspeople who have skillfully tested the market with prices as low as $100 and as high as $800,000, which the city of Detroit refused to pay. They are appropriating all the tools of e-commerce and their operations are part of "a very mature, well-oiled capitalist machine" says Wisniewski. "I think they like the idea they don't have to pretend they're not criminals. By using the fact that they're criminals to scare you, it's just a lot easier on them."
The obvious "correct" answer is not one cent; however most people will not put up the united front required to make these people go away.
Too bad the bitcoin group can't get their act together and make those wallets used dead-ends by blocking all transactions out again. Two of the largest mining pools combined would have enough to say "NO!" to these guys forever.
When will people learn not to give in to extortion? The criminals want word to get around that they're trustworthy? How about we want word to get around that there's no point in extorting money because people don't pay up!
Backup your data, and rent "Ransom".
You should have lied. You should have written that they just stole the $500. Now, see, everybody who gets hit by them and saw your article will also feel compelled to pay them.
I bet they get hacked again within the month now that they've been marked as fucking idiots.
News for the clueless? Stuff we already know about?
Your Mom's system was wide open. Every hacker I know has been in there.
Hugh Pickens up in that ass!
And yes, the first thing it does is purge all VSS (shadow copies) and encrypt data from local and mapped drives PRIOR to notifying you've been had. That malware is the only thing that stands between you and your now encrypted data. Purge the malware or slave the drive to another host, and you won't get your data back.
Let me put it to you this way. Cryptowall is very well engineered ransomware. It doesn't fuck around.
Be sure to keep a set of backups not connected to your PC/Network using the Grandfather-father-son backup scheme. Rotate media accordingly (weekly, monthly, and yearly).
Life is not for the lazy.
Take your average computer worm, add this profitable payload, and this makes the bad guys rich. How does this work? What exploit are they using to install the payload?
Regular backups should have been made. However, I would have bitten the bullet and lost data rather than paying them.
This is who the NSA should be tracking down and breaking the legs of...
why not just teach your mom to not click on and install everything?
You know who else got hacked? MY MOM!
- In Soviet Korea, only old people loose all their bases to Natalie Portman's petrified hot grits overlords.
Context, man!
The "Don't blame the victim" notion comes in response to this kind of (boiled down) common claim:
"It was her fault that we exploited her! It was impossible for us to choose to not exploit her. We take no responsibility for our own actions!"
Which is the way psychopaths operate. They're always blameless or their actions are 100% forgivable in their eyes.
Her ignorance and subsequent choices were on her; she could have protected herself better, but the crime is not her fault and the perps should get zero slack because of it.
We get screwed every day by criminals. $800 USD is pittance compared to what I had to spend just to settle a patent lawsuit for example for which I was merely a small seller of goods- brand name goods you can walk into any major retail store and buy. I spent $5,000 USD or so just on legal fees to settle a lawsuit for under $1000 USD.
The point I'm trying to make is if we're going to advocate capitalism I'd say these are exactly the types I'd want to look up to. They're at least not pretending to be innocent or pretending to be my friend. I'd rather pay $800 to a “criminal” than $5000 to a lawyer and another $1000 to another lawyer with bogus patents.
Or for that matter some industry association or similar which wants to drag me in to court for supposed copyright infringement- for content they won't distribute in a format my computer can actually play (ie due to digital restrictions)-or is restricted because of my location.
And let's not even go into the government's theft, kidnapping and incarceration of children (public educational system), insurance companies, or similar.
Lock up the idiots who pay the ransom! They are a business, put the customers in jail to shut them down.
I found it interesting that these criminals made a point of honouring their promise to provide the tools to decrypt the encrypted data.
At first, this didn't make sense to me. They are criminals; why do they have to honour anything?
But thinking about it some more, it works in their favour. Say I am a desperate person looking to get my files back, and I ask around if anyone has had any success with paying the ransom. If I get responses saying "yes", then of course I am more likely to pay too, and this works in favour of the criminals' bottom line.
In addition, it doesn't cost the criminals much to provide the decryption tools, unlike if this was a kidnapping of a real person where there is the risk of the kidnapper getting caught during a hostage exchange.
Deal with reality - the world as it is - rather than ideality - the world as you would like it to be.
Best options for a Mac user would be to use the Mac OS X File Vault and Time Machine. Then these guys would have no way to hack your files, they still might delete your File Vault files but they couldn't decrypt your files and your Time Machine backup would just restore them after the deadline. Time Machine has saved my a$$ a few times when I accidentally deleted a file or over-wrote a file. For a Windows machine I don't know what is comparable but there might be.
This is exactly the sort of crime that the government should be able to solve, there are so many fingerprints left, double that with the bitcoins (which aren't actually anonymous).
Granted, the $500 itself might not be worth much attention, but over and over and it adds up to a lot.
Plus this is the sort of nonsense that your government is supposed to do something about. If not stopped now, the problem just grows.
These criminals do this because there is low risk of getting caught and if caught, the punishment isn't likely to be high.
If I were in charge, I'd task the NSA with catching them, then publicly execute them on TV. While some people will say, "oh, that is overkill and not fair", I'd say, "yea, but it sure will give these criminals pause in the future, won't it?"
...and hire hit men pour encourager les autres.
Our company also got hacked. Management sent everyone home, restored from backups. Then we spent a bunch of time figuring out what files were modified in the last 36 hours, and redoing that work over. Note that the hackers target only certain file types, eg. .doc, and .pdf, but not .xls, so we're talking mostly about documentation. Unfortunately, our PCs are now limping along because the virus scanner is running all the time now, and so chews up resources.
Our company is Windows-centric for everything except code development (which is Linux using a VM under Windows), and this is a clear example of why Linux is more secure than Windows. Not necessarily inherently, but because Windows desktops are the "mainstream". And hackers target the mainstream!
To wit, I switched to Windows for a year, but subsequently, every search I did to fix Windows problems required putting "Windows" in the search box. This inevitably led to ever more heinously cunning hacker/virus/spyware results which had to be waded through. Try as you might to avoid them, eventually one of them ends up getting you. It ends up being about as much fun as a potato-sack race through a mine-field.
Find the hackers, kill them in public, and move on. A low life deserves nothing more.
The victim is to blame for ignorance; the criminals are to blame for maliciousness. There's enough blame for everyone.
Hopefully you had checked for shadow copies of your files before you paid. http://www.techrepublic.com/bl...
Important stuff: back it up. Burn to DVD early and often. DVDs are dirt cheap, and your data is priceless. It takes a handful of minutes to back it up. Criminals or no, people who don't back their stuff up are setting themselves up for loss.
And this isn't a hard concept to understand. It is both easy to understand why it is important, and easy to do. Nothing but sheer sloth (and outright stupidity) prevent people from doing this.
In my case, I have two separate computers; one for all my gaming and web browsing, and a separate one for all things important (and on which I *NEVER* browse the web. When I do use the web browser it is only for direct access to well-vetted sites that I need for doing business). Even with this setup, I back up my data often and run a DVD out to my safe deposit box every year.
Backups. They work. No excuses, just do it.
That's a lot of fucking use in the real world Captain Asshat
Pick anything but Windows!
Most people don't have more than a few DVDRs' worth of personal data, just burn it to DVDRs and then it's safe - at least, safer than on your hard drive. Can't be hacked. Can't be changed. Use M-Discs as well. I have about maybe 50GB of personal data - stuff I've created, and it's all backed up to DVDRs, and I write a new disc every week, if I've created anything new.
THIS is what the article's author should be teaching his mum.
The headline says how but the article only speculates. WTF?
Pussies, that's who.
If you have WinX, and you aren't using tar+netcat to do backups, you deserve to be hacked.
Crowdsourcing their good reputations as criminals. "By using the fact that they're criminals to scare you, it's just a lot easier on them." - and that sounds like the CIA.
But that's just a sentiment.
Once you're in their jaws, I suspect that your feelings may vary - and not as if any of us are going to reward her for toeing the unified line
Actually, that's maybe the solution - you cough up your own cash to reward those that "say no to extortion" - It's not a massive leap, the majority of our governments already do this with our taxes already. Sure, it costs more in the long run (those SAS/SEAL raids where everybody ends up dead and poorer) - but it's nice to take a principled stand in the abstract (when your loved one isn't going to die as a hostage, nor as a soldier sent to rescue them).
The French - they mainly just seem to pay up, and walk away with their hostages unharmed.
Now I'm sure there may be some objections to this (I've got some myself) - but our governments seem to have managed to overlook their scruples and the urge to teach lessons when a few banks asked for a bit of cash (or we'd have all descended into anarchy, seemingly).
My point, I'm not sure. It's vaguely around the point that we don't 'pay when extorted' - and yet we all pretty much do. What's interesting is the type of extortion your government buckles and pays for.
This thing is ridiculous. A website subcontracts ads to an ad-service, and the ad-service allows ads from anonymous people to be shown in the website. If the ad is a virus, only the anonymous guy is legally responsible, but he is anonymous so you can't get to him. I absolutely loathe the fact there is no "guaranteed eponymous" area of the internet, and a switch to block all sites that are behind anonymous registrars or serve ads by anonymous ad peddlers. As long as we have anonymous websites, anonymous advertisers and anonymous everything, creating a web inside the web in which no site or ad peddler is anonymous and hence is responsible for his actions is the only way clueless people can surf.
This is happening to individuals - nobodies.
Let some bigshot (like a Senator) or corporation like SONY get this and then the FBI will be all over this.
Until then citizen, bend over and take it because our government isn't for the people.
... set up an automatic backup system for all your systems, now. Every system on your network should back itself up automatically daily, not only for this possibility but for all of the platform-agnostic ones such as hardware failure. If her system did nightly backups the criminals would only have a few hours worth of files and she could have almost certainly safely told them to go fuck themselves.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
Hmm, she has 1 more day... Nope.. Sorry mom, you lost it all, time to restore from backup. I'll have your system ready by tomorrow.
I would really hate to have all my files encrypted and inaccessible. I'd probably just pay the $500 with much begrudge.
That being said, as soon as I would get the encryption key and get my files back, I would post everywhere that the hackers did NOT give me the key after I paid the $500.
It's kind of like game theory. If enough people do the same, then fewer people would actually pay up, or the price would drop lower, thus proving an advantage for the victims.
Posting in the damn NYT that the hackers are true to their word assures that they have credibility, and just torpedoes the strategy above. In the same way that it's valuable for them to get the word out that they are (kinda) honest, it would be valuable for the victims to get the word out that they are crooked. Being the marketing and pricing geniuses they seem to be, they would surely lower the price if they had bad publicity. So in the name of future victims, I would like to sarcastically thank you Alina for giving those fuckers ammo. They'll probably raise their price now.
Smug dbag mac/linux user, check.
Maybe when your OSes are worth a fuck, they'll target them. Oh wait, they do. NSA is all up in your shit loser.
Cryptowall encrypts the data it has access to. It does not need admin rights to do shitloads of damage. This means that Cryptowall could work just as well under Linux / MacOS or any other OS out there.
No one has pointed out that this is purely a Windows problem /. word = 'trolled' :) because of its inherently poor design allowing just about anything to run - so freakin' insecure. Bill should be in jail for visiting the world with such insecure software. Has everyone forgotten that Bill said that security is not Microsoft's problem...?
And disable popups for sure!
___________________________
https://www.indiegogo.com/projects/resurrect-flappy-bird-with-an-alternate-gameplay
At least the NSA doesn't encrypt my files, they just copy them.
That means the NSA is an unofficial BACKUP SERVICE.
Enjoy losing access to all your files, bitch.
Yes, because Macs are magical and a user space process on them can't encrypt files that the user has access to... because magic.
You zealots are hilarious.
-- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
but it doesn't.
kthx.
next up is them rebating her some money back for their "Victim get a Victim" referral program.
You could easily imagine something like this being the next step, having them say "We'll decrypt your files for $500, but if you send this attachment to ten friends you can decrypt for $250".
You could easily see that working really, really well... and creating a massive increase in infection.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Maybe we should start a Kickstarter project to get Blackwater or whatever their name is these days to go in and apprehend these fellows. I'm sure these ransomware guys will be heavily armed and the Blackwater guys will have to defend themselves.
I feel bad for the victims of these vile bastards, but at the same time I think that if that doesn't get them into the habit of regularly backing up their files, then NOTHING will. Also a good motivator to get the hell off Windows.
This is the thing that makes Time Machine such a great asset to the Mac for non-technical users. The Mac in theory is not that much less hackable, but an attacker (a) will generally not be able to encrypt all the files in the system, only ones for that user and (b) the user will simply be able to go back through the TM backup and recover un-encrypted files.
I think TM plays a really a big part in the Mac still not having many (any?) exploits in the wild, because easiest ways to extract money, Mac users are protected against.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
She shouldn't have dressed her computer so provocatively!
#DeleteChrome
Thanks to articles like this one, people will think, "Do I want to run the risk of having this same thing happen to me (when I don't really think it will) and paying a one-time fee of $500 to undo it, or do I want to pay the price in hassle and backup service/media to constantly insure myself against being held ransom?" For a lot of middle-class and higher, low-skill computer users, that's a pretty even comparison.
I block ads, do frequent backups and system scans, stay away from the seedier corners of the intertubes, etc., but it's just as much an act of principle (largely because I've been using pcs since before the IBM PC was introduced, so it's burned into my DNA) as it is a desire to protect my digital assets.
My big questions - what did your mother download that got her infected with that virus?
Also, why didn't your parents' PC have anti-virus? Most ISPs have anti-virus FREE to download.
Why doesn't her PC/laptop have anti-virus running with the latest patch?
out of ordinary criminal gang with some newfangled tools, likely bought on the open black market.
That's like saying: "Oh, H5N1 is only dangerous to birds, we mammals don't need to worry at all."
The mechanisms of Cryptowall work under any OS. Stupid answer of yours. Oh, well, you are an Anonymous Coward after all.
Oh wait I forgot - you can't blame the victim ever no matter how much of a stupid fucking idiot they are!
I blame our industry for being as you put it "stupid fucking idiots". The most common attack vector for this particular malware and many like it is email attachments.
It's 2015 anyone in the world can still send an email with file attachments to anyone using whatever FROM address they'd like without any prior trust relationship, vetting or authorization by receiver. Most mail clients let users execute it in the same security context as the user without so much as a peep.
It isn't the user's fault they don't fully understand the depths to which the technology they are using is completely broken and wholly unsuitable for purposes for which it is used by countless millions on a daily basis.
It is *our* fault for installing AV software and going back to picking our noses. *MILLIONS* of people are being exploited using the same attack vectors with malware and spyware... this business of calling everyone "fucking idiots" is getting old.
you say that as if the other major operating systems didn't have that feature for years
Come on, I am not saying that in any way. I'm saying that Time Machine is a system that really is so easy to enable that real, nontechnical people ACTUALLY USE IT, and that the features it has makes malware like this a non-starter.
Yes, all of us technical folk have been using various things to backup stuff forever. But Time Machine brings versioned backup to the everyday user (an important aspect of the protection is keeping older versions since a simpler mirroring backup means a user's files could still easily all be lost on next backup that overwrites the mirror).
The reason why this is possible is again a combination of hardware and software - Time Machine as software alone is not nearly so powerful as it is combined with a unit that doubles as a WiFi router and backup disk, which is recognized as such by the system. Literally my mom can set it up and actually use it. I cannot imagine the countless disasters this has averted for people without technical family members to help them with issues.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Ug. In a way, by passing on this "success" story, the writer of this article has played right in to the hands of these criminals. This is exactly the kind of press they want.
One always should assume that once their systems are infected that their files are GONE. Don't treat it any differently than a fatal hard drive crash. If you didn't have backup, then what were you going to do when your hard drive crashes anyway?
You should also question if giving these criminals money doesn't also indirectly make YOU a criminal. (And to any pedantics who might drop in to counter that: fuck you)
Anything you think you might have recovered should always be suspect. How do you really know they haven't hidden more crap elsewhere? Worse yet, you should also assume these criminals now have copies of potentially important information.
Liar.
Ha ha. Yet why are people not using such things in real life compared to them using Time Machine?
Most people don't want (a) to put a whole computer drive replicated in the cloud (they would not wait for the time it took to upload 100+ GB of data), (b) bother to attach local media for backup more than every six months (as per the article), (c) have other computers they consider a backup destination.
Time Machine is something that is backing up stuff EVERY HOUR. Even better, it's versioned so when the next backup happens and the now-encrypted files get pushed to the backup, you can still recover what was encrypted before. Not all of the things you list have that property, and for the topic UNDER DISCUSSION that is key to recovery of recent, or any, data. I myself manage my own backups by cloning hard drives and keeping offsite backups, yet I also have Time Machine enabled and running and I have to say there have been several occasions where it has saved me where the other forms of backup failed.
It's such a shame that you flippantly just point out backup software exists for Windows (duh) without going into a deep discussion of why Time Machine actually works for users while it's failing many people on Windows. Then we would all learn something instead of you simply feeling momentarily clever.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
or just don't fucking use windows, how about that?
That's easy to say if you make a living delivering pizzas.
All the power with none of the knowledge never works, and trying to make it work is futile, which is why nobody does it. THAT is why the PC is dead and walled gardens with cloud storage are springing up everywhere: Managed systems for people who type web addresses into Google search.
> Hint: they existed in ostensibly "communist" countries and in socialist countries as well. There is nothing "capitalist" about it.
What does that have to do with anything? In a communist country, my dog would be communist?
Ah, yes. I get it. If everyone is communist then I can attack them, including their dogs... no need to have a conscience.
_You_ leave the propaganda out next time.
> The most common attack vector for this particular malware and many like it is email attachments.
That was true 4-6 years ago, but not today. Now we're seeing most of this stuff getting installed via zero-day exploits in browsers and plugins like Java and Flash, and distributed via third-party advertising networks. It's a lot harder to blame someone for getting compromised via a browser plugin they didn't even know they had.
The best protection these days is still to block all advertising, run with limited permissions, and have automated external backups with versioning. If the user is capable, blocking all third-party scripting is also incredibly effective.
> It's 2015 anyone in the world can still send an email with file attachments to anyone using whatever FROM address they'd like without any prior trust relationship, vetting or authorization by receiver.
You just listed some of the best features of email.
> It is *our* fault for installing AV software and going back to picking our noses
Now this is true. Antivirus software has been a joke for a decade.
"What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
/)
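An added example, not part of the thread or any commenter's code: a small Python model of the point several comments make, that a mirror backup is overwritten by the encrypted files on its next run while a versioned store pruned on a grandfather-father-son schedule still holds a clean copy. The file names, dates, the hash-based stand-in for the encryption event and the 50% mass-change threshold are constructed for illustration.

```python
import hashlib
from datetime import date, timedelta


def gfs_keep(days, daily=7, weekly=4, monthly=12):
    """Snapshot dates retained by a grandfather-father-son rotation."""
    ordered = sorted(days, reverse=True)
    keep = set(ordered[:daily])                       # sons: newest N dailies
    weeks, months = {}, {}
    for d in ordered:                                 # newest first, so setdefault
        weeks.setdefault(tuple(d.isocalendar())[:2], d)   # keeps newest per ISO week
        months.setdefault((d.year, d.month), d)       # and newest per month
    keep.update(list(weeks.values())[:weekly])        # fathers
    keep.update(list(months.values())[:monthly])      # grandfathers
    return keep


class VersionedStore:
    """Content-addressed snapshots: every run adds a manifest, old data stays."""

    def __init__(self):
        self.blobs = {}        # sha256 hex -> file bytes, stored once
        self.snapshots = {}    # date -> {path: sha256 hex}

    def snapshot(self, day, files):
        manifest = {}
        for path, data in files.items():
            digest = hashlib.sha256(data).hexdigest()
            self.blobs.setdefault(digest, data)
            manifest[path] = digest
        self.snapshots[day] = manifest

    def prune(self, **policy):
        keep = gfs_keep(self.snapshots, **policy)
        self.snapshots = {d: m for d, m in self.snapshots.items() if d in keep}
        live = {h for m in self.snapshots.values() for h in m.values()}
        self.blobs = {h: b for h, b in self.blobs.items() if h in live}

    def restore(self, day):
        return {p: self.blobs[h] for p, h in self.snapshots[day].items()}


def first_mass_change(store, threshold=0.5):
    """Return (clean_day, suspect_day) for the first retained snapshot in which
    more than `threshold` of the paths changed since the previous one."""
    days = sorted(store.snapshots)
    for prev, cur in zip(days, days[1:]):
        before, after = store.snapshots[prev], store.snapshots[cur]
        changed = sum(1 for p in before if after.get(p) != before[p])
        if before and changed / len(before) > threshold:
            return prev, cur
    return None


def simulate():
    """30 nightly backups; every file is scrambled on day index 27 (constructed)."""
    start = date(2015, 1, 1)
    files = {f"docs/report{i}.doc": f"report {i} draft 0".encode() for i in range(20)}
    mirror, store, clean = {}, VersionedStore(), {}
    for n in range(30):
        day = start + timedelta(days=n)
        if n < 27:
            files["docs/report0.doc"] = f"report 0 draft {n}".encode()  # normal edit
        if n == 27:
            clean = dict(files)   # what the victim wants back
            # Stand-in for the encryption event: contents replaced irreversibly.
            files = {p: hashlib.sha256(b"constructed" + d).digest()
                     for p, d in files.items()}
        mirror = dict(files)                 # mirror: last run wins
        store.snapshot(day, files)           # versioned: history accumulates
        store.prune(daily=7, weekly=4, monthly=12)
    clean_day, suspect_day = first_mass_change(store)
    return {
        "expected": clean,
        "mirror": mirror,
        "restored": store.restore(clean_day),
        "clean_day": clean_day.isoformat(),
        "suspect_day": suspect_day.isoformat(),
        "retained": [d.isoformat() for d in sorted(store.snapshots)],
    }


if __name__ == "__main__":
    r = simulate()
    print("mirror usable:   ", r["mirror"] == r["expected"])
    print("versioned usable:", r["restored"] == r["expected"])
    print("restore from", r["clean_day"], "- mass change seen on", r["suspect_day"])
    print("retained snapshots:", ", ".join(r["retained"]))
```

The model only holds if the snapshot store is somewhere the infected account cannot write, which is why the thread keeps stressing offline or external media.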
Ok, so I've done all this stuff. I unfortunately have to use Windows for a lot of things (eg. work), but I have full sets of redundant backups, and always at least one giant backup drive offsite. But there are always going to be gaps in the schedule where I'll potentially lose a couple days. With the pain of full system restores, and losing some continuity, however small, it would be far better to protect against this kind of thing. I'm pretty safe about blocking ads, turning off scripting, not clicking on evil things, but I'm wondering if there's more I can do? What about something like Sandboxie, or doing my web surfing from a VM? Anybody have any advice on best practices?
> The "Don't blame the victim" notion comes in response to this kind of (boiled down) common claim:
No, it doesn't, at least not any more. These days it's used as an automatic response to anybody who dares point out behavior which was careless, foolish, or ignorant.
> but the crime is not her fault and the perps should get zero slack because of it.
Pointing out mistakes or foolish/careless behavior on the part of the victim in no way gives the perp any "slack". This is an assumption that the reader of the statement is intentionally misreading, usually in order to distract from any real discussion regarding an issue. You will also see a more aggressive version of this used, whereby the person will continue on to further call the other person an "apologist".
Most of the time you see this line of argument used by people who want to be able to do something without any regard to caution, and any attempt to bring the discussion back to Reality is met with hostility and bitterness.
> It is *our* fault for installing AV software and going back to picking our noses. *MILLIONS* of people are being exploited using the same attack vectors with malware and spyware... this business of calling everyone "fucking idiots" is getting old.
Amen. The fault lies entirely with the security "industry", which is unfortunately not as mature as it would like to be.
Assorted stuff I do sometimes: Lemuria.org
Slashdot should surely know the difference between getting "hacked" and unintentionally downloading and executing a trojan horse.
It is pitch black. You are likely to be eaten by a grue.
TFA and the abstract clearly DO NOT show how the mom was hacked, it only describes the pain of having been.
Click bait?
A puff piece on criminals with malware? Don't pay these scum because even if it does work they'll add you to a list of soft targets to hit for more cash again. It's worth putting up with a bit of pain and treat it as a learning experience about offline backups instead of feeding such parasites.
I thought this place had hit rock bottom with bitcoin worship but now these compliments for malware extortionists?
Just wait 10-20 years and commercial quantum-computers will be common enough that the key can be re-created and the data recovered. So if you have been hit by "ransomware," clone the disk and put both copies in a closet somewhere. Every year or two, copy the disk again.
In 5-10 years police agencies will admit to having such technology and people who committed serious crimes since the "Five Eyes" started sucking down as much of the Internet as they can and who have successfully evaded detection due to strong encryption may find themselves getting that "knock on the door."
Criminals who are very high-profile targets (think: Terrorism, top drug lords, etc.), the national police agencies either already have the ability to go back and decrypt all past recorded traffic and previously-seized computers or they will have it within a year or two, assuming the encryption is the kind that is in common use today (e.g. https: or PGP-like encryption with reasonable, not super-long key lengths). As to whether the police will admit to having this capability before the decade is out is an open question. If they don't, they'll either have to delay arresting people or cook up some form of parallel construction to make their case.
By the way, watch your national governments - if they haven't done so already they will try to eliminate or greatly extend statutes of limitation for the kinds of crimes associated with encryption, starting with those that are most scary to the public such as anything related to terrorism, high-level drug trafficking, and human trafficking. Or, instead of trying to generally extend/eliminate the statute of limitations, they may change the law to suspend the clock when encryption is used, so the time it takes from the day the evidence is seized or sniffed to the day it is decrypted doesn't "count."
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Precisely this. PRECISELY!
So I get an email from UPS that says my package (that I never sent) won't make it to destination until I correct something in the attached file.
I double-click the attachment and see that there's an .exe in there and I'm thinking, "No."
We can't get a dumbfuck computer to do what I just did?
--
I search for something, anything, and I am redirected to a site with malicious code.
It tells me I have to update Flash or something. I was not expecting a goddam download, so I back out.
We can't get a dumbfuck computer to do what I just did?
It little behooves the best of us to comment on the rest of us.
> Now this is true. Antivirus software has been a joke for a decade.
Stuff no longer needs to come to us in an infected floppy. Worldwide broadband internet and multi-computer home LANs happened. ActiveX-friendly IE6 dominating-for-nearly-a-decade happened. Third party Flash / Java Ads happened. Social networks happened... in other words: Eternal September moved from your campus to your grandma's home (gotta get those cute cursors and Facebook "smileys" that everyone in my friendlist is talking about!)
Norton AV didn't even mention subscriptions in 1994. Your home had a single computer (with maybe a modem calling out a scant few hours per day). Daily virus definitions have won over good heuristics. Ship today/patch next week is the norm, and subpar AV is here to stay. If you don't use IE in Windows, do yourself a favor and turn all security settings to highest, run Minecraft only on Linux so you won't need to justify its risky Java dependency. Disable Flash and fake your browser UA strings to iPad so video sites will try to give you h264 video.
My IT guys say 99% sure that if you were running as a user, NOT administrator as is so common for Windows, the encryption would not have been able to run.
You could either lock down the Internet so much that it loses all usefulness, or allow enough freedom for the strong to prey on the weak. To allow any un-monitored interaction between individuals is guaranteeing that the age old tricks of crime will be easily employable and profitable.
Troll is not a replacement for I disagree.
Oh no, not those damn capitalist criminals.
Troll is not a replacement for I disagree.
These ransomware threats are not a world ending problem. Sure, it's a huge pain in the ass having to recover your PC, but it's a shitload better than paying $500 or more.
Just wipe the HDD, reinstall your OS and restore your important files from your backups. Problem solved.
You have backups right? lol, of COURSE you do, only an idiot doesn't back up their important data, and I'm not going to presume you are an idiot.
If you ARE a complete idiot and have no backups, well then you deserve it. Ransomware or HDD failure, your data is not 100% safe. Only an idiot has no backups of their important data.
The computer doesn't know that you didn't send a UPS package, and it doesn't know that you're not keen on getting executable files through email. The computer doesn't know that you were not "expecting a goddam download". Computers aren't magic. That's why there is no "do what I mean" key. Arguably people would still get infected if there were such a key and it did exactly what it says. People turn off antivirus if that's what they think is standing between them and getting what they want.
This was not about how she got cracked. It was about their response to the criminals.
I prefer the "u" in honour as it seems to be missing these days.
TFA, which I read on the NYT site a couple of days ago, was NOT intended to be a fucking Yahoo! answers article about avoiding ransomware. It was about the experience of being held up by ransomware. This was an Op-Ed piece, NOT a goddam NYT Technology column.
I can't speak for the /. poster, but while the original article's title was ambiguous, it was not click bait. The NYT op-ed pieces are mostly about experience, and what it means to humans, not a technical manual, so don't blame the Times for continuing to be what it has been since 1851.
Now go back to reading whatever it is nerds read so they have the latest tech info at the ready (for me, it was PC Week, some 30 years ago, but I got over it.).
Seriously, when was the last time you received a program by email where that program was legitimate and you expected to receive it? Why can't an email client default to making the user jump through warnings and hoops in order to run a program that arrives in their email box? The GP poster's point is exceptionally valid.
What changed under Obama? Nothing Good
How about refusing to allow money to be transferred over the internet. That would quickly sink all this stuff back to the "give me a cookie" level. Of course, for many people money is all the internet is about. Oops.
FWIW, my wife insists on having Adobe Flash installed, even though I warn her that it's dangerous. Actually, it's worse than dangerous, as Adobe doesn't keep the Linux version up to date. And they are (or were) pushing some advanced version that there just isn't a Linux version for. I may end up losing her to Apple because of this. (That will be unpleasant. I've read the Apple EULA [well, not this decade] and that was why I originally switched to Linux. I won't agree to their EULAs, but she can't install software and dislikes keeping her system up to date, because they keep breaking something.)
I don't actually hate proprietary software in principle, but I do hate the EULAs they inflict on everyone, and I hate the way they manage their software. Reading an Apple EULA before every security upgrade was sheer torture, and not having that problem was one of the really nice things about switching to Linux. There are also details about the implementation (of proprietary) that I really hate. Copy protected disks with no backup is high on the list, but not even having the originals to reinstall with is much worse.
I think we've pushed this "anyone can grow up to be president" thing too far.
The mechanisms of Cryptowall work under any OS.
Except, as the AC said, it doesn't presently work under OS X. I've been reading for 20+ years how "Macs are just as vulnerable as Windows," and yet, somehow, that malware parity never seems to happen. Sure, every now and then there's a headline about Mac malware, but when you read the article it's either a theoretical vulnerability or, at worst, something that happened to a handful of people. You can claim it's because malware authors don't want to bother with Macs or whatever, but the end result is the same: Windows users are always dealing with more malware than Mac users, and, I'll bet, always will. So the modded-down-to-oblivion poster above is not wrong: getting a Mac would have prevented this attack, and many others.
Q: What does the "B." in Benoit B. Mandelbrot stand for? A: Benoit B. Mandelbrot
This happened to a friend with a laptop running Windows 8. The laptop had a recovery partition with the Windows 8 install on it but that was also locked and unavailable. The only way to recover (other than pay the ransom) was to...yes...buy a Windows 8 install disk and reformat. Of course, the data was lost (but restored from a recent backup) but at least the laptop was usable again. Since many/most new computers running Windows are sold without any media, this scenario has likely happened before. How many of those multitudes of Windows 8.1 buyers are second-time buyers just trying to reinstall what they have already paid for once? Also, this type of thing drives people away from laptops and desktop computers in general and towards less-vulnerable mobile devices.
I run a small business with an address on a web page. Every single day I get notices from banks saying I need to re register my information. I don't use these banks. I get things from other departments of my business, asking for auto reimbursements, etc. There are no other departments. I once got a notice from my email provider asking me to re-up my acct. They didn't send it. All of this nonsense has exe, zip, html, and a few other files attached. I never open the attachments, and usually delete the emails without opening them either (no active x here, ad and flash block in use). Somehow, I ended up on a hacker list....which I saw from one submission with an unredacted cc list. I do, however, read the full header. The fakes are easy to spot. If you aren't tech, if you use it as an appliance, they will get you eventually..... If I were retired, I'd be a 409 eater
They already have access to the machine, address book, etc. so they don't even need to offer the rebate for that
They have the email so they can send the attachment through the same system that most email systems will filter out...
But a person sending an attachment from their OWN email account is far more likely to get the attachment opened by a friend, more likely to make it through whitelists and so on, also going to have wording written by the person sending it and not the same bulk text going to 1million+ recipients. That's what makes it so powerful, especially if you can embed a zero-day exploit in a PDF that most virus scanners will not see.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
What is going to stop the Mac port of CryptoWall (or whatever it will be called) from encrypting your Time Machine volume as well as everything else?
Most user accounts will not have access to the TM volume without entering a password, while the TM process can continue to use it.
This is a good reason to use the networked Time Capsule (or network drive) rather than just use an attached disk.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
This story fails to say anything about her hardware, what OS she was using, what browser she typically used or any antivirus software that was running. The title of How My Mom Got Hacked isn't really a good title for this story. More like My Mom Got A Virus.
First, was she using IE? That probably accounts for a 75% chance of how her machine got infected in the first place. Just running Firefox or Chrome with an ad blocker plugin will filter out a majority of the malware scripts and sites. Then since it's not tied into the OS there is less chance of anything being able to get in to cause damage. Then keep Flash and Java updated, if it's installed.
These people are animals. Several months ago I had to deal with a situation like this, however it was a family friend's computer. The family a year or two before went through the horrible loss of losing a teenage son. All their photos and documents of their son were all saved on that computer, unfortunately with no backup. All the files were encrypted. Whatever variant I had, it had a different key and random amount in the text file for each folder. It would have been $10,000's to recover everything. THANK GOD someone had the bright idea of storing an old hard drive that was going bad in a drawer and I was able to get through the bad sectors and copy off the year and a half or so old information off it which had the most important documents on it, but they still lost some documents from his funeral, and friends' photos that were given to them, and the archive of his Facebook profile they saved before they removed it. I would LOVE for these animals to meet this family face to face and explain to them that it was "Just business".
We've stopped using PCs for Flash-key situations after it eats too many flash keys.
The keys are fine, they work in Android devices, they can be read in an Asus Transformer that the sales reps use, but put it into a Windows 7 PC and boom, they are unusable.
There comes a point where it's time to ditch this crap.
I've been reading for 20+ years how "Macs are just as vulnerable as Windows," and yet, somehow, that malware parity never seems to happen. Sure, every now and then there's a headline about Mac malware, but when you read the article it's either a theoretical vulnerability or, at worst, something that happened to a handful of people.
I've been reading for 20+ years about these things called Macs that are far safer than Windows, and yet, somehow, nobody actually uses them.
Thieves will always go for max reward for minimum risk. Sure, they hit lots of mom and pop computers running Windows, but I imagine the real money is in medium-sized businesses. How many organizations do you know that could be persuaded to maybe pay a $300k ransom but they store all that data on OSX, or even on Linux?
If medium-sized companies tended to run OSX, you'd see Cryptolocker for OSX. No, you won't see it anytime soon, because those businesses aren't going to switch to OSX anytime soon.
From an OS security standpoint, there really isn't anything in OSX or Linux that would prevent something from Cryptolocker from working. Neither does security beyond the user-level by default, and typically the browser (which is what tends to get exploited) has access to all user data.
Everyone is stupid.
I'm stupid. You're stupid. We're all ignorant of something.
Malice gets 100% of the blame.
To use knowledge of something to abuse and transgress against another who does not, is a crime. The only crime. And all of the blame.
Analogy: if you leave a $100 bill on your front porch, yeah, that's fucking stupid.
But someone has to go on property they have no permission to, and take something that is not theirs. That's 100% of the blame. The moral person will not steal that $100 bill. In fact, they'll ring the doorbell and educate the stupid person, that they should be careful and not leave money on their front porch.
You don't punish stupid, you educate it. You punish malice.
Unfortunately, we punish stupidity too much in this world, our anger is always in full rage and pointed at the dumb. And we let the truly malicious off, because our hate goes towards the stupid, and in the meantime, the malicious gets away. Or we have no more anger left for them.
It's some sort of fundamental weakness with human nature, that we do this: punish the stupid and ignore the malicious. When we should be educating the stupid and punishing the malicious.
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Turns out, when Microsoft tried this, they really annoyed a lot of their customers and took an awful lot of stick for it. Even from people who would consider themselves fairly technical. Users don't want you to put hoops between them and what they (think they) want to do.
Typical user scenario:
Clicks malware.exe email attachment.
Email client: Email attachments of this type are dangerous. Are you sure you want to run it?
*yes*
MSE/Windows defender: Virus detected. Quarantine file?
*nah... seems legit*
Windows: Filez from teh internetz can be dangerous. Continue?
*Yes. How dare you question me Bill Gates!?!*
UAC: File malware.exe from some dude on the internet wants admin access to your computer. Allow?
*Stop getting in my way stupid computer*
Windows: Install unsigned drivers? Guidance: Basically no unless you're plugging in exotic or old hardware.
*Get the **** out of my way piece of *** I bet that *** Bill Gates thinks he knows better than me*
MSE/Windows defender: ***DEFCON1DEFCON1***
*whatevs. I need those novelty smileys and cool web search*
Malware: Mwhahahaha installs pop ups, steals bank details, encrypts files emails child pr0ns to the police etc. etc.
*Wah.... f***cking stupid Bill Gates your software's **** I hate Microsoft. Plus whenever I want to do something it asks me questions like I'm stupid and it knows better*
They hate the dialogues etc. and just click through them. Don't get me wrong I'm all for warning dialogues, but they exist already and they don't help a large proportion of "average users".
And, before some smartypants points it out, I know MS have since said that UAC was designed to annoy users to encourage developers to write apps that don't require admin privileges. A good warning system *should* be annoying though, and hopefully fairly infrequently triggered by innocent actions (as it is now that UAC has been around for a while and developers have fixed their apps (and MS have tweaked it a little)).
I've been reading for 20+ years about these things called Macs that are far safer than Windows, and yet, somehow, nobody actually uses them.
"Nobody"? Even in the enterprise?
The rest of your comment misses my point: Perhaps in theory, OS X is "just as vulnerable," and maybe the OS X market share means malware authors don't bother. But whatever the causes, in the real world today, the results are undeniable: less malware on Macs.
Q: What does the "B." in Benoit B. Mandelbrot stand for? A: Benoit B. Mandelbrot
Don't you mean the OS vendor shouldn't allow internet connection for an OS with more holes than swiss cheese?
This is why I NEVER run Windows on my personal systems, and if I do need to run Windows it is in a virtual machine so if it gets infected (that has happened before) I can just revert to the last known good snapshot - voila, no more virus and my files (up to the snapshot) are still there. Of course, in these cases I never keep anything I will need permanently on the virtual machine! Those I keep on the hardened host (an enterprise-class Linux system, on both workstation/server and laptop).
I was under the impression that you could cause Dropbox to purge backups by filling your Dropbox folder, as free accounts have about 2 GB. Or are backups not counted in the quota?
Oh wait I forgot - you can't blame the victim ever no matter how much of a stupid fucking idiot they are!
I blame our industry for being as you put it "stupid fucking idiots". The most common attack vector for this particular malware and many like it is email attachments.
It's 2015; anyone in the world can still send an email with file attachments to anyone using whatever FROM address they'd like without any prior trust relationship, vetting or authorization by receiver. Most mail clients let users execute it in the same security context as the user without so much as a peep.
It isn't the user's fault they don't fully understand the depths to which the technology they are using is completely broken and wholly unsuitable for purposes for which it is used by countless millions on a daily basis.
It is *our* fault for installing AV software and going back to picking our noses. *MILLIONS* of people are being exploited using the same attack vectors with malware and spyware... this business of calling everyone "fucking idiots" is getting old.
You nailed it. There is some kind of blindness among geeks to how much otherwise worthless knowledge is actually needed to properly operate a computer, all in the name of convenience for the elite who feel they earned the right to look down on everybody else. General purpose computing is just filled to the brim with self-created problems. I'm always seeing this sort of attitude displayed that computers are to serve "computer users"... not pilots, accountants, doctors, lawyers, general contractors, etc. It feels like work created by computers vs. work saved is a much higher ratio than necessary.
And calling for the government to implement this policy?
Let's hope you never ever get into a position of power. It's small dicked dictators such as yourself that are the real problem.
Since data files (for casual users) often take up a modest amount of space, why not have the operating system write them as read-only (in some enforceable manner)? Sure, you might wind up with 20 or 40 versions by the time you're done with a document, but that could be managed. If you had a CD-writer, you could do your own version of this; I could also picture a cloud version. Done right, this could eliminate the threat of ransom-ware scrambling existing copies of older documents. (Although malware may still be able to get in and scramble new documents ...)
They have full access to the machine already, they can send them from the person's OWN email account.
With the same text and wording that gets other spam messages bounced. The point is the user sending a real message makes the message unique in a way that will get past more spam filters, and more important to the reader sounds like it's really from their friend (which it is). There ALREADY exists malware that sends from the user's own email, but in case you hadn't noticed it's not likely to fool anyone. The same malware ALREADY sent to everyone on the contact list, mailing people that make no sense and revealing ill intent through volume and timing.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
The NSA actually did help develop the SELinux module prevalent in several Linux distros. Its intent is to improve security, though, and it has been open-sourced.
you do realize you yourself are stupid
and that you, many times a year, make bad mistakes that hurt you. i know this because we all do
let's assume you are a programmer, top of your field. no one can top your knowledge and wisdom. now you move into management, and you make dumbfuck mistakes 1, 2, 3 that noobs of management always make. should we make this painful for you? should we mock you?
you're starting a new job: there's a dozen things you will fuck up that your coworkers already know. are they supposed to laugh at you?
you do something in your house that creates a $2,000 repair. the plumber or contractor sees it all the time. should he yell at you?
your ignorance of your own essential weakness makes you perhaps much more stupid than the people you mock who don't know trifling technical things but have a much better attitude. you're ignorant of something that many of us realize in grade school. the irony
should i make it painful for you? should i kick you in the face for your ignorance of basic human weakness?
arrogance. hubris. and the worst kind of ignorance: prideful ignorance. that's you. you're what is wrong with the world
we all fuck up out of ignorance throughout our entire life. show some fucking humility and adjust your shitty smug attitude
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
It's really not that complicated.
In theory Macs and Linux could be just as overrun with viruses and malware as Windows boxes but in practice both platforms are nearly perfectly immune to these sorts of attacks for a variety of reasons, including technical things (Macs warn the hell out of you before letting you run unsigned code downloaded from the internet, and nearly all Macs are running very recent versions of OS X) and cultural things (Macs and Linux users have no culture of randomly clicking on executable attachments--that's not part of the non-Windows zeitgeist).
The Mac would have warned the hell out of you about running unsigned code downloaded from the Internet--you have to jump through several hoops (no just click & go). Mac Applications on the App Store are vetted and run sandboxed and users are naturally wary of any Application that isn't downloaded from the App Store--it's just not part of the Mac culture (even for nontechnical users) to click on random crap.
There are trivial backup solutions for Mac (Time Machine + Time Capsule/NAS, or iCloud) which make this sort of problem trivial to clean up after. On my Macs it would be a simple matter of running Time Machine and turning the date back a few days--I could literally do it one handed while yawning.
And nearly every Mac is running a recent version of OS X because Apple makes upgrading cheap, simple, and non-destructive. Any new vulnerability doesn't last very long before it is annihilated from nearly every Mac on the planet. For all these reasons virus authors just don't bother targeting Macs for the most part.
1. Why aren't EXE files blocked by mail servers? Even inside zip files? If you really need to send an exe file by email you need to look at your process.
2. Why are exe files allowed to run from temp directories by default? Microsoft, you need to make it a "chore" to download and run executable files from a mail client. You have to jump through hoops to run executables from a browser, but browsers aren't really the hijack vector anymore.
3. Backups.
4. Backups.
5. Backup your machine. Your computer is about to break soon. If you have that mentality you will be good to go. Treat your computer like a tool that's about to break. Keep your backups ready to go.
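The server-side check that point 1 of the list above asks about, sketched as an added example (it is not part of the original comment or of any mail product). It flags program attachments by extension and by the `MZ` header, and looks inside zip files; the extension list, the size and depth limits and all function names are assumptions made for this sketch.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed policy values for this example, not taken from any product.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
MAX_ZIP_DEPTH = 3                      # refuse to dig deeper than this
MAX_MEMBER_BYTES = 20 * 1024 * 1024    # declared size above which we do not inflate


def looks_executable(name, data):
    """Return a reason string if the name or the first bytes look like a program."""
    lowered = name.lower().rstrip(". ")  # Windows ignores trailing dots and spaces
    for ext in sorted(BLOCKED_EXTENSIONS):
        if lowered.endswith(ext):
            return f"blocked extension {ext}"
    if data[:2] == b"MZ":
        return "PE/DOS header (MZ) despite file name"
    return None


def scan_blob(name, data, depth=0):
    """Check one attachment, recursing into zip archives; returns (name, reason) pairs."""
    findings = []
    reason = looks_executable(name, data)
    if reason:
        findings.append((name, reason))
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    if depth >= MAX_ZIP_DEPTH:
        findings.append((name, "archive nesting too deep to inspect"))
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            inner = f"{name}!{info.filename}"
            if info.flag_bits & 0x1:
                # Password-protected members cannot be checked, so report them.
                findings.append((inner, "encrypted member cannot be inspected"))
            elif info.file_size > MAX_MEMBER_BYTES:
                findings.append((inner, "member too large to inspect"))
            else:
                findings.extend(scan_blob(inner, archive.read(info), depth + 1))
    return findings


def scan_message(raw_bytes):
    """Scan every attachment of a raw RFC 5322 message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if part.get_content_disposition() != "attachment" and not filename:
            continue  # ordinary body text
        data = part.get_payload(decode=True) or b""
        findings.extend(scan_blob(filename or "(unnamed)", data))
    return findings


def build_sample():
    """Constructed sample: harmless bytes that only mimic a PE header."""
    fake_pe = b"MZ" + b"\x00" * 62
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("invoice.pdf.exe", fake_pe)
        archive.writestr("readme.txt", b"hello")
    msg = EmailMessage()
    msg["From"] = "shipping@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Delivery problem"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="label.zip")
    msg.add_attachment(fake_pe, maintype="application",
                       subtype="octet-stream", filename="photo.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in scan_message(build_sample()):
        print(f"REJECT {name}: {reason}")
```

A gateway using a check like this would reject or quarantine the message when the list is non-empty; encrypted zip members are reported rather than passed because their contents cannot be inspected.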
We got infected by the virus. There are a couple of ways to get around it:
It does not properly delete the files after encryption, hence running something like recovermyfiles will work, and it did.
We also used ShadowExplorer for volume copy. In some cases, it does not properly encrypt/delete the shadow.
Refer to this article, which gave us headway.
Regards
http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information
What am i, but stardust
and now they rewarded malice.
and that's fucking stupid.
so there.
world was created 5 seconds before this post as it is.
Clueless stupid person gets hit by virus. News at 11.
Now if you, as a knowledgeable person, want to help your clueless friends/relatives avoid this fate, install adware / adblockpro / flashblock on their computers. Nuke the ad system.
All good ideas.
So besides that, it SERIOUSLY should be illegal to pay these ransoms. All they have to do is pass a law that says you can't hand money over to criminals or terrorists or whoever they might be and selfish people like this wouldn't pay the ransoms. If nobody pays, they stop doing it! So anyone who gets hit by this should realize they're morons who should have had a backup and shouldn't click links in clearly fake e-mails and they'll just have to deal with the consequences.
I sideline on PC repair, and I've fixed any number of systems. There may be very infrequent cases where a drive-by hijack occurred, generally when visiting dubious sites, but the most common by far are still plain ol' "clicked on a bad email", "installed file from some sketchy torrent" or even "trusted that guy on the phone who called from Microsoft" (the latter coming out in force again lately, but still not as common as email).
The third most common is ads posing as real software, e.g. when you Google X and the first couple links are sketchy versions of Y pretending to be X, or when you get to the actual download page but the big green "Download" link is actually an ad which downloads some BS executable. I think there needs to be a reckoning for ad-peddlers that let that last one through, as they're becoming more prevalent, and there is absolutely ZERO legitimate case for a big download-only link to unknown software. Some of these seem to be Google ads, and I'd love to see them take more heat for their part in this.
Sounds to me like you're smarting over something unfair which happened to you personally or through some situation close to you.
Be that as it may, it doesn't make all cases (or even most cases) of blaming the victim universally acceptable regardless of whatever your personal experience may be.
The characteristics of psychopathy and predatorial behavior don't change and understanding them remains a valuable tool for navigating reality. The devil is in the details.
"Will somebody please think about the children?!?!?!?!?!?!!!!!!!!!"
Two women paid then one wrote a five star review for the extortionists. Act stupid and play the victim card. If this was a man and his son they either would not have paid, or at least been smart enough to keep quiet about it.
Sure, no problem. My work email server discards incoming and outgoing exe email attachments. And zip files. And MS Office documents. It's an irritation for those of us who can tar.gz things. Must be a royal PITA for the Windows folk.
Yes.
I fully expect to be made fun of for shit I fuck up. BECAUSE THAT IS HOW PEOPLE LEARN.
I work in IT; it is my job to put out fires and clean up messes. Over and over again the same people make the same mistakes because of soft management bullshit like that.
If you make a mistake and there is no cost why would someone spend the 10-20 hours learning how to do something the right way?
If I step outside my area of expertise I either get a contractor to do it or learn. I'm so tired of entitled little shits wanting hand-holding through their entire job.
Seems like a sensible approach not to use the same OS as all those lucrative targets then.
I know macs do one thing that would have helped. Time machine is built into the OS and makes regular backups. If you plug an external drive into an airport, the backup volume isn't mounted except when the backup is happening.
Seriously, it's 2015. I literally have better shit to do than go to the store during the same hours I'm fucking stuck at work, to get waffles, milk, cheese, bread, ice cream, yogurt, beef, chicken, turkey and bison. I would literally hire my local milkman if I wasn't too far, for literally all of this shit. And if he could finish my grocery list, "and then some." Seriously, Jesus fucking Christ, how is it I'm in 2015 and I'm still dependent on European half-ancestors to get this through people's heads that I like basics like fish and bread and will pay a subscription for it? Is America _really_ this backwards? Are we really this Bed, Bath and Beyond comprehension? Fuuuck me in the goat ass...
Furries make the internet go.
Is it actually legal to pay the money?
Chrome has got pepper. It's a tailored flash. It works in linux.
Moderated already in this story, so am posting anon.
I can't let this one pass. Adobe may be many evil things, and they are no longer adding features to the Linux version, but they ARE releasing security updates.
positive reinforcement works better than negative punishment for long term learning. you use the negative in dire circumstances
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Everyone is stupid.
I'm stupid. You're stupid. We're all ignorant of something.
I think we should distinguish between ignorant and stupid. Ignorance is a lack of insight and can be improved, often quite easily, whereas stupidity is a skill. The stupid person has learned to selectively avoid gaining new insight, if this insight would lead to them changing their mind on a sensitive issue; a stupid person makes the wrong decisions despite being well-educated enough that they ought to know better.
But I agree - this 'blame the victim' mindset is obviously wrong; otherwise we should be punishing children for enticing paedophiles etc. It is clearly in society's interest to protect the vulnerable, not least since we could all end up being exactly that. I think it is also worth noting that this attitude - that victims are just 'suckers that deserve what they get' - is something that lies at the basis of far too much of what is called 'capitalism' nowadays, and that is very much what drives the current, growing trends towards anti-capitalism and anti-globalisation.
It is also likely to become an ever weightier argument against the unbridled internet that everybody on /. appears to feel so strongly about. The big question is, do people feel strongly enough to go and actually start sorting out these problems?
pot meet kettle
or just don't fucking use windows, how about that?
That's easy to say if you make a living delivering pizzas.
i make a living developing gnu/linux-based operating systems for one of the TOP-50 tech companies in the world.
now get the fuck off my lawn, i do not want any pizza.
Well, getting hacked wasn't her fault. But for paying I'd slap her. You don't pay danegeld. Too much danes around.
Well said sir. Well said
Software is like sex. It's best when it's free.
so what. blame is irrelevant. fact is big fish eats little fish, and that's the reality our world boils down while some continue living in an illusion of morality or justice. the financial system has destroyed millions of lives because it could, because there were dollars to be made and it doesn't give a fuck. entire nations are thrown into misery and scores of people get killed for the same reason. the same mom in the story is responsible for the death and ordeal of some kids in africa just for possessing a first world cheap electronic appliance (aka computer). who is to blame? we all are, in our stupidity. does it even make sense to blame someone, when there is no justice? our civilization is totally amoral beneath a tiny crust of hypocrisy. duh, i think i need a cup of tea.
Malice gets 100% of the blame.
The pregnant school-girl can't deny responsibility because she didn't have sex education or condoms. Although, she probably should under your scheme. The inaction of her teachers, parents and lovers had predictable and negative consequences, making their neglect a malicious act.
A better example: A drunk driver can't claim he didn't know alcohol made him such a bad driver. His intention and emotion while drunk-driving is irrelevant. The law also doesn't excuse ignorance of drunkenness. The law demands that one always have good judgement and competent control when using a vehicle. And the law demands this is determined before using a vehicle.
Much of society is built on the premise of "Ignorance of the law is no excuse" and society frequently applies it to moral dilemmas too.
You don't punish stupid, you educate it.
That creates a moral dilemma: If there's no punishment for stupidity, there's no reward for education. Any argument for 'unrewarded' education is weak and irrelevant. Is that $100 on the porch because laziness prevents the tenant opening the door and collecting it? Then a "moral person" not stealing that $100 teaches the tenant to be lazy and become lazier.
Agreed. You've equated preventing stupidity with good intentions (IE. a moral person). Both are admirable and necessary goals but one is not equal to the other. To use an aphorism, "The road to hell ...".
Yes we do. Because it is difficult to judge stupidity. How does one measure stupidity? How much can be excused? How is more stupidity stopped? These are circular questions for any legal and moral code. The legal and moral codes in use recognize and understand a person having intention and emotion; not stupidity. The truth tortures and disfigures good intentions but stupidity destroys them and spreads more stupidity.
It is *our* fault for installing AV software and going back to picking our noses.
No - it's the propensity of the average punter to fully believe that the "operating system" that came "free" with their computer is the only option open to them. Most of them aren't aware that there even might be an alternative....
"From an OS security standpoint, there really isn't anything in OSX or Linux that would prevent something from Cryptolocker from working. Neither does security beyond the user-level by default, and typically the browser (which is what tends to get exploited) has access to all user data."
Yes there is: time machine.
The best protection these days is still to block all advertising, run with limited permissions, and have automated external backups with versioning. If the user is capable, blocking all third-party scripting is also incredibly effective.
Nope - the best protection is not to use the most easily compromised, most deliberately under-secured, and most expensive "operating system" out there..... The stupidity of the average user is astonishing. They ALLOW themselves to get into this ridiculous situation, without back-ups, with a Swiss-cheese "operating system" and with worthless, snake-oil "anti-malware" rubbish.....
The police dept in my relatively small town got hit by this (or similar) last year. They paid the two BC ransom and decrypted their files.
doorbell rings. it's a handsome smiling man in worker suit, says something about plumbing, but you didn't call him, so you consider that if you let him in he might steal your cookies/rape your dog/kill you with an ice pick, so you don't.
we can't get a dumbfuck door to do what you just did?
no, we can't. it's just a dumbfuck door, you dumbfuck (no offense, just for the pun)
As a programmer that also has to provide first line in-house support for a proprietary program our company before calls are made to the vendor, I am consistently getting calls from support about the same group of users having the same issues over and over. The particular issue is always PEBCAK, and these people have been through software training several times over these issues. Management refuses to hold them accountable using the excuse "they're not computer people," and consistently reward them for completing yet another training class with a roughly $500 bonus each time. So, tell me again how positive reinforcement works?
The dumbass let his mother pay them? It's because people pay these idiots that they keep doing things like this....
should have considered it a lesson learned and to backup more often (Backblaze, Carbonite, etc).
In fairness, security is frequently hampered by management that refuses to understand how critical infosec is. The Home Depot hack? Take a look at this:
http://www.businessweek.com/articles/2014-09-18/home-depot-hacked-wide-open
Security staff had urged that a feature of their malware protection systems be turned on, for months.
As it turns out, that manager was a criminal: http://arstechnica.com/security/2014/09/home-depots-former-security-architect-had-history-of-techno-sabotage/ He's also the source of the infamous "We sell hammers" quote. So management was not only deliberately hindering security measures, they had a manager who eventually got convicted for deliberately destroying equipment and data at a previous job. It doesn't appear that HD fired him when the accusations came to light.
Never underestimate the power of stupid people in large groups.
You do realize, fuckwit, that in his second line he states that he was stupid.
Though, based on your reply, not as stupid as you.
It seems Microsoft could fix the problem just by inserting a signed DLL that "records" every encryption key used to encrypt data "in escrow" with a key that can only be uploaded and accessed by Microsoft.. aka the activation key.
If I understand it right, they always use the crypto.dll that comes on the system, so that the malware "benefits" from patches and updates, and the efficiency of having access to all files without user account firewalls between profiles.
If they are that dumb..lazy.. err "creative?"
Then the malware itself is vulnerable.. even to the point of reversing the contact chain and crawling back up into their C&C tools... but I digress.
Microsoft could then offer an "escrow" service to recover the system "escrow decryption" key and get back every key ever used to encrypt data using their DLL. For a small fee of course. .. basically squeeze out the middleman.. embrace and extend
I worked at an MSP a while ago. We were a reseller of Datto backup devices. We had many clients who used them and were quite happy with them.
But some clients just didn't think there was a value in spending $100 a month to make sure they were fully backed up.
One client in particular rejected every backup proposal we offered. Then he got nailed with Cryptolocker which encrypted everything he had on his network. Out of desperation he paid the $500 and never heard back.
The next month we had installed a Datto and as luck would have it he got nailed by Cryptolocker AGAIN. This time we just rebuilt everything from the latest backup and he was up and running again within 2 hours. He was a perfect example of a business owner who learned the importance of his network and data the hard way and we were able to use him as an example to other clients who just weren't seeing the big picture.
You're nothing; like me.
What makes you think that this actually happens? I've seen many many many many many people accepting whatever popup appears without even reading what it means.
So this lady works for you and yet she got stung? How do you explain that?
It little behooves the best of us to comment on the rest of us.
If your system skills are as effective as working on a door, that explains your problem ... not hers.
It little behooves the best of us to comment on the rest of us.
should we make this painful for you? should we mock you?
We should do something that makes the combined result of following mistakes and successes more desirable. Pain and mocking are options.
Next one?
Second time in a day I've re-read a post I was replying to and realise I missed the point of the parent. No more /. for me until I've properly woken up in the mornings!
security is frequently hampered by management that
...did not receive useful information about information security.
Fixed that for you. I know the frustration, I've been there many times. I do agree that management decisions can affect information security dramatically. However, I don't think it's management stupidity. Or rather: A different kind.
I believe there are two kinds of companies. Those that understand information security and those that don't. You can spot them by one simple thing: Those that do have a position - the CISO or similar - whose job it is to translate between management and information security. Those that don't have nobody and suffer from a management and an information security that speak different languages.
As it turns out, that manager was a criminal:
You're right, there are three kinds of companies. There are also the criminally incompetent.
Assorted stuff I do sometimes: Lemuria.org
"Or, instead of trying to generally extend/eliminate the statute of limitations, they may change the law to suspend the clock when encryption is used, so the time it takes from the day the evidence is seized or sniffed to the day it is decrypted doesn't "count.""
As part of the 2015 Intelligence Authorization Act (believe that was the right name), the NSA's agents in the House and Senate inserted language into the bill (the President signed it shortly thereafter so it's law now) at the last minute basically legalizing the U.S. government to vacuum up all electronic communications (i.e. all the stuff they've been doing clandestinely) and if it's of interest to the intelligence establishment or it is encrypted (it specifically mentions it) then they can keep it forever (no time limits).
https://www.techdirt.com/artic...
So you're willing to wait 20 years to find how much money is in your pension fund, bank account,
Actually, I was thinking of the family photo collection. Those baby pictures of your kids will still be valuable by the time you have grandchildren.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
1. Lots of Windows users never upgraded past XP (>15%) and have no UAC at all
2. Lots of Windows users have disabled UAC prompting because it's so annoying (seriously, do a Google search for UAC and the top results are about how to disable it)
3. Nobody uses the Windows backup options
4. Malware can't delete a Time Machine backup
Theoretically Macs could be at just as much risk as PCs, but in practice it isn't anywhere close. There are well over 50 million Mac users in the world, and they have plenty of money, but for some reason they are nowhere near as infected as PCs.
Windows still holds over 90% of the market, while OS X has actually lost share so far this year.
Brilliance without wisdom, power without conscience. Ours is a world of nuclear giants and ethical infants.
I use Qubes. I don't have to worry about this stuff :P
Whose fault is this? I'm going to have to side with Taylor Swift on this one.
I grabbed an open box hp laptop at bestbuy the saturday after xmas. Being lazy, I just started using it, browsing with IE instead of loading firefox and noscript. I got ransomware in less than 3 hours. Machine was completely locked up, no safe boot anymore, completely hosed. I returned it to bestbuy the same day.
Got the same thing running my mac a few days later. Only difference is, all I had to do was force quit Safari and hold down the shift key while restarting Safari to get my browser window back. The computer was not affected at all. I don't know if this was Cryptoware 2.0, they only wanted $300 to release my files.....
While at bestbuy, I bought a new windows 8.1 laptop, loaded firefox and noscript and mvps hosts. I've been using it for a week with no problems at all. For giggles, I sometimes run XP in virtualbox on this machine just to be extra safe.
Install XP (or 7, if you must) in virtualbox on a Linux host. It might take Mom a few extra minutes to boot up, but you can always replace the locked "system" with a clean copy of the VDI. Shame on her if she doesn't back up her files now (or save them to the Linux host).
run rsync nightly with the -b flag set - YMMV but in many contexts most big files (images, videos, etc) never get modified. Text documents do but given the cost of storage these days, keeping multiple backups of a Word file as it gets changed over time is trivial.
Then if you get ransomware, everything is different, and when your backup runs it will not overwrite (it will try to duplicate everything as a new "version" of the file instead)
an external HDD plugged into a raspberry pi costs almost nothing, and is pretty easy to set up for anyone with even moderate scripting skills
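The nightly `rsync -b` routine from the comment above, written out as an added example (not part of the original post). The paths, the dated `--backup-dir` layout and the 30% alert threshold are assumptions; the last two functions count how many files were replaced in one run, since a mass rewrite is what the comment expects to see after a ransomware hit.

```shell
#!/bin/sh
# Added example: nightly versioned backup with rsync -b, plus a tripwire.
# All paths, the dated folder layout and the 30% threshold are assumptions.

# nightly_backup SRC DEST VERSIONS_ROOT
# Copies SRC into DEST. A file in DEST that is about to be overwritten is
# moved into VERSIONS_ROOT/<date>/ first, so the old contents survive.
# VERSIONS_ROOT must be an absolute path outside DEST.
# Prints the dated folder used for this run.
nightly_backup() {
    nb_day="$3/$(date +%Y-%m-%d)"
    mkdir -p "$2" "$nb_day" || return 1
    # -a            recurse, keep times and permissions
    # -b            keep the previous copy of every file that gets replaced
    # --backup-dir  put those previous copies here instead of beside the file
    # No --delete: files removed or renamed on the source stay in DEST.
    rsync -a -b --backup-dir="$nb_day" "$1"/ "$2"/ || return 1
    echo "$nb_day"
}

# replaced_percent DEST VERSIONS_DAY
# Prints the percentage of files in DEST whose previous copy was pushed
# into VERSIONS_DAY by the last run (0 if DEST is empty).
replaced_percent() {
    rp_total=$(( $(find "$1" -type f | wc -l) ))
    rp_replaced=$(( $(find "$2" -type f 2>/dev/null | wc -l) ))
    [ "$rp_total" -gt 0 ] || { echo 0; return 0; }
    echo $(( rp_replaced * 100 / rp_total ))
}

# looks_like_mass_rewrite DEST VERSIONS_DAY [THRESHOLD_PERCENT]
# Succeeds when the share of replaced files reaches the threshold
# (default 30). Photos and videos rarely change, so a normal night
# should stay far below it.
looks_like_mass_rewrite() {
    [ "$(replaced_percent "$1" "$2")" -ge "${3:-30}" ]
}

# Example cron wrapper (hypothetical paths):
#   day=$(nightly_backup /home/mom /mnt/usb/current /mnt/usb/versions) &&
#   looks_like_mass_rewrite /mnt/usb/current "$day" &&
#   echo "WARNING: most files changed since the last backup" >&2
```

If the job runs on the backup host and pulls over SSH, the machine being backed up never has the backup disk mounted.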
I recently got a referral from an older couple that also got hit by CryptoWall 2.0. Credit to them: as soon as they noticed that something wasn't right with their PC, they copied the Documents folder to a USB drive and shut off the computer. CryptoWall 2.0 encrypts files rather slowly and they were able to save about half of their files. Fortunately for them, they had never gotten into the practice of storing precious photos on their PC.
BTW, CryptoWall 2.0 also encrypts all external and network attached storage. Someone cracked CryptoWall 1.0, and there was help for decrypting the files but 2.0 hasn't been cracked.
She clearly knew how to do a back up but chose not to for 6 months. She could have just as easily had a hard disk failure. In which case the days loss would have been her fault for not backing up. The hackers relied on her laziness to backup more than anything else.
The problem is that "don't blame the victim because it's not their fault" gets taken as the victim should have to do nothing to protect themselves and is free to engage in any dangerous behavior they wish and you better not say they can't. We can even have a discussion about ways to mitigate these issues. I should be able to walk down the middle of Detroit wearing a suit made of $100 bills. That should be fine because no one has the right to take my suit from me. But should I stop and consider, is that a good idea? If I tell someone maybe it's a bit risky to do that, am I blaming the victim? If they do it anyway and get robbed, is it not OK for me to point out their mistake? After all, I would be blaming the victim.
Thanks. Maybe then when she's gone for awhile I'll update her flash...of course that probably means I'll need to upgrade her entire install of Ubuntu, but I've got permission to do that as long as I do good backups, and a hard copy of her e-mail addresses first.
I think we've pushed this "anyone can grow up to be president" thing too far.
bad news: to use a computer in the open network safely you need to know a few things. there's no way around that.
ms or apple or google might tell otherwise, but it's just fake.
Seems like a sensible approach not to use the same OS as all those lucrative targets then.
I know macs do one thing that would have helped. Time machine is built into the OS and makes regular backups. If you plug an external drive into an airport, the backup volume isn't mounted except when the backup is happening.
The problem is that when the next timed backup fires off, it is mounted, and presumably the malware will target it. Also, I'd be shocked if somebody would write something like Cryptolocker for OSX and not address Time Machine.
I wouldn't trust local media to keep me safe. I'd prefer to have backups on some remote server whose software enforces history on the files that are stored, so that it would also need to be hacked to take out the backups. Most of the usual cloud storage services or backup services would be fine.
Security by obscurity does count for something, but I wouldn't use it as a substitute for backups.
Actually, there is a way around that. It's called good system design and maintenance. If you can't provide that, it's not your momma's fault.
It little behooves the best of us to comment on the rest of us.
"From an OS security standpoint, there really isn't anything in OSX or Linux that would prevent something from Cryptolocker from working. Neither does security beyond the user-level by default, and typically the browser (which is what tends to get exploited) has access to all user data."
Yes there is: time machine.
You mean that service that just stores all your data on a hard drive which gets plugged into the device that a Cryptolocker clone will be running on? Why wouldn't the virus take out your backups at the same time? I believe Cryptolocker already does this for Windows - if you use automatic external backups on Windows they WILL be hosed by Cryptolocker the next time you plug in the drive. Remember, the software runs in the background for days secretly encrypting all your stuff before calling attention to itself. You'd only be safe if you had data on an external hard drive that you didn't plug in for a few weeks most likely.
Time machine is great, but it doesn't protect against something like this.
That would require crypto locker to be specifically targeted to OS X. I highly doubt it does this. There are so many people who don't have adequate backups, or any backups, that it's probably not worth the effort to go after the ones who do, unless you're running a targeted attack.
Absolutely, an offline backup system is necessary for complete security. But for a home user protecting against non-targeted attacks, obscurity offers very good security, with minimal effort.
FYI: You have that backwards. Stupidity is involuntary. Ignorance is at least lazy, but often even deliberate. If you need a way to remember this, observe that ignorance is related to ignoring, i.e. not using information even though it is available to you.
You did however correctly point out the important distinction: It is not wrong to punish a person who has all the necessary information available to them but ignores it. But it is wrong to punish a person who would have had to go to undue lengths or was entirely unable to gain the necessary insights.
Same AC here.
Crashplan. Free for local backups, pay for cloud backups with 100 versions and unlimited retention for deleted files. Runs automatically in near real time or scheduled out once a week, your choice. There are TONS of choices for backups in windows that only require a few clicks to get running. I just bought my daughter a Dell desktop for Christmas. While powering it up the first time, I was asked three times to setup options for backups, all of which I declined (Dell, MS onedrive, and some other one I forget the name of). I declined them all. I installed Symantec Protection suite that Comcast pimps for free and it too asked about backups. I did set that up and the whole protection suite with firewall, spyware, malware, backups, and god knows what else went with a few clicks.
Windows is an OS. I'd much rather have a choice to install a backup that meets my needs and there are a ton of choices out there for Windows that are all very easy to install with only a few clicks.
Google Windows backup software and you will find them. Even windows help and an icon in the task bar gives links to remind you to install some type of backups.
care to name the actual well designed and maintained system that would have saved poor mommy from herself?
yeah, thought so.
If you can't name it then you can't deliver it, and that's not your mommy's fault.
It little behooves the best of us to comment on the rest of us.
Theirs theirs theirs theirs...
Uh, I have heard this story a number of times today, and I have yet to learn HOW she got hacked. What did she access, what did she do? The stories I have heard, and my glance at this story - starts with the ransom note, so how she got blackmailed might be a more accurate title. But, how did she stumble into the problem in the first place? (I am not going to read the story with a magnifying glass in hand, or read all of the comments - so if indeed the "how" is explained somewhere, then it is a question of editing the story).
By correcting your dumbfuck training to actually work.
Space Cadet
The only "businesses" I know using Macs are in their mom's basements, so not really the target of anyone looking to make money. No one wants to make a hipster sob their heart out on Youtube about how their new book "Organic Toenails Cutting" has been encrypted and lost forever. How about the 600,000 Mac bot net, not really theoretical vulnerability or a handful of people? Overall buying an overpriced Mac simply so you don't get a this and that malware is stupid but people drive deep into it. As someone that repairs a lot of computers, I run into just about as many Macs as Windows and they have just as many problems. It's just interesting how when I fix them their owners have to preach about how much better they are than Windows. I have a Mac in my arsenal of tech but in the end it is just a computer with vulnerabilities like every other computer.
"a very mature, well-oiled capitalist machine"
which is inaccurate and only feeds the populist anti-capitalist sentiment that is too often conflated with anti free-market rhetoric. It would be far more accurate to call this a "protection racket" akin to the crime bosses in New York who send thugs into shops, said thugs' opening line then being something like "this is a nice little shop you got here, it would be a real shame if something were to happen to it, like maybe a fire".
"There is no god but allah" - well, they got it half right.
macs don't get many attacks because nobody doing anything serious with a computer uses macs, oh no you might mess up a poster layout or some shit.
Snowden and Manning are heroes.
Cryptolocker is prevalent on Linux machines, just about every consumer NAS on the planet uses it and it's been hit several times already. OSX is safe because no one uses it beyond a glorified pron browser and tweetdeck. Seeing as you are not legally allowed to use OSX on non Apple products, and no one uses Apple computers seriously, OSX is the safest thing around outside of proprietary OSes on big boxen like the i-series.
Punctuation - try it some time. People might bother reading the crap you post.
That would require crypto locker to be specifically targeted to OS X. I highly doubt it does this. There are so many people who don't have adequate backups, or any backups, that it's probably not worth the effort to go after the ones who do, unless you're running a targeted attack.
Absolutely, an offline backup system is necessary for complete security. But for a home user protecting against non-targeted attacks, obscurity offers very good security, with minimal effort.
Cryptolocker for Windows already targets backups and fileshares. I don't know why somebody would write Cryptolocker for OSX and not do the same.
The current Cryptolocker doesn't work at all on OSX - we're talking about a hypothetical clone written for OSX. It certainly is possible to do, but as long as they're making enough money on Windows users they may not bother with it.