Ransomware’s Achilles’ Heel

This is a post series on cybercrime. For more posts click here or the cybercrime tag below.

Apparently the French police have realized the vulnerability of ransomware: the extortionists have to communicate with their victims. Since the French do not have a vested interest in maintaining the TOR network, they went after the actual TOR hardware.

WannaCry communicates with a command and control server hosted on the Dark Web, on a .onion address. Aeris suspects his servers were used as first hops in this connection, hence the reason police seized his property, hosted via French hosting provider Online SAS.

Most Tor servers are configured to log very few details, such as uptime and status metrics, so as to safeguard the privacy of their users. Unless Aeris made customizations to the default configs, French police have no chance of finding any useful information on the seized servers.

Tens of Tor servers disappeared on the same weekend

In the media storm caused by the wave of WannaCry attacks, this small incident went unreported outside of French media. Aeris also confirmed the seizing of his servers on Twitter.

The investigation is led by France’s cyber-crime investigation unit OCLCTIC (L’Office Central de Lutte contre la Criminalité liée aux Technologies de l’Information et de la Communication).

The activist pointed out that tens of other Tor nodes in France disappeared over the same weekend. In a private conversation with Bleeping Computer, the activist shared a list of 30 servers he is currently investigating regarding these mysterious disappearances.

https://www.bleepingcomputer.com/news/security/french-police-seize-two-tor-relays-in-wannacry-investigation/

As the Bleeping Computer article pointed out, seizing the hardware isn’t going to do the French much good once the servers are cut off from the TOR network. On the other hand, with 30-odd nodes gone just in France, and the possibility that the French could go after other nodes in the EU, it could be that the TOR network in the EU will be essentially shut down.

http://thehackernews.com/2017/06/wannacry-ransomware-tor-relay.html

The people at TOR have taken a “we’re not responsible” stance on ransomware and attempted to hide behind common carrier laws to prevent the de-anonymization and exposure of the people using the network for criminal means. It may be that the WannaCry attack was the last straw for many law enforcement agencies.

For anybody wanting to know how to catch people on TOR.

Here’s the week in ransomware.

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-9th-2017-jaff-spectre-and-macransom/


The Fragility Of Systems And The Need For Backups

As systems get more complex they get more fragile. That is definitely the case when it comes to computer and information systems. I found that out again last Friday. As of now, I don’t know if what happened to my main computer is a hard drive failure or a corrupted update. At this point it’s hard to tell, and it’s going to be some work to figure out which. My big mistake this time was not making a Windows 10 boot disk.

https://www.xtremerain.com/fix-bad-system-config-info/

System failure can also be caused by malware and viruses, though this has become less common as the security people have dealt with this sort of thing. If the data and files themselves are not wrecked, a boot disk can get things running again and work around the malware. Anyway, here’s the week in ransomware.

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-28th-2017-cerber-mordor-and-cve-2017-0199/

Getting A Cybersecurity Education From The Cloud


With constant new threats and the expanding consequences of those threats, there is a growing need for people who can handle cybersecurity situations.

The IEEE has a paper on setting up a program that is cloud-based.

Cybersecurity needs for the government, businesses and other parts of society are constantly growing, making cybersecurity training and education a vital need. There is a distinct lack of skilled and trained workers in this specialty area. “Teaching Cybersecurity Using the Cloud”, a technical paper from the IEEE Xplore® Digital Library, explores a solution to this problem that utilizes a cloud computing system to conduct a course for students on cybersecurity.

Teaching students about cybersecurity involves more than reading from a textbook and learning about theories. Students must also have practical and hands-on experiences dealing with cybersecurity threats. The article authors used cloud computing through Amazon Web Services to teach a senior course on cybersecurity across two campuses in a virtual classroom with live audio and video. They studied how cloud-based laboratory exercises could teach students the skills they would need to pursue a career in cybersecurity.

The goal of the course was to expose students to modern network security issues, protocols and technologies, as well as analyzing security solutions and countermeasures. The students were able to learn and perform lab activities all within the cloud. This cloud model of learning can enable students to gain invaluable cybersecurity skills, without having to be at a specific location. In turn, this way of teaching can help to educate more students, without the need for a traditional classroom and lab setup, leading to a growing workforce of cybersecurity experts.

http://transmitter.ieee.org/growing-cybersecurity-workforce-using-cloud-education/

The ongoing evolution of malware means that cybersecurity training has to be an evolutionary and constantly adapting process as well. The techniques learned today are going to be obsolete as the vectors and the damage that malware creates change. Yesterday it was system blockers, until people realized that the data was still there and all you had to do was reinstall the operating system. A lengthy process, but not fatal. Now we have ransomware, which encrypts the data. The problem with that is that if the data is encrypted with the intent of recovering it after the ransom is paid, the public key has to be available, and it only takes one file to get the other key and decrypt everything. Along with that, ransomware is probably doing good business for the backup people. So there will come another threat that will need to be addressed.

So cybersecurity education needs to be updated and adaptive. Hopefully the educators understand this and keep up with requirements that will always be changing, because the people creating the malware are always looking for a new way to get paid.

http://ieeexplore.ieee.org/document/7089256/


The week in ransomware.

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-31st-2017-sanctions-android-and-creepy-skulls/