Wednesday, October 16, 2013

CrypoLocker: When Good Encryption Goes Bad

There is a new ransomware trojan horse called CryptoLocker infecting computers with Windows operating systems. You might be thinking, "Hey great! Wait, what is ransomware, and what is a trojan?". So, before I dive into CryptoLocker let me offer a brief explanation of ransomware, encryption, and trojan horses.

Ransomware is a kind of computer infection that encrypts your computer files. This encryption takes place without your knowledge. At some point in the encryption process a message will appear on your computer screen alerting you to pay money to decrypt your files. Encryption scrambles the files so they can't be read by just anyone. You need a key to decipher it. Think "Enigma machine" from World War II and you'll understand that encryption is meant to disguise the real message. And, so it is with computer encryption. Computer file encryption is used to keep data secure and private. Only those who have the key can decode it.

Trojan Horses are a reference to the Greek's use of a wooden horse to gain entry to the city of Troy during the Trojan War. In technology a trojan horse (commonly referred to as just "trojan") is a program that looks legitimate, but in reality isn't. The Greeks are said to have built the wooden horse to hide in. They presented the horse as a gift, and then climbed out of the horse to slaughter the enemy. The term is fitting for computer malware because the hacker hides his nefarious code in software that looks to be safe. When you download, install, or run the software it infects your computer with some variant of malware.

CryptoLocker typically hides inside of an email attachment that may come from a seemingly legitimate source. When the attachment is opened the ransomware is unleashed and begins to randomly encrypt the files on the computer. This can include network drives and flash drives that are connected to the computer at the time encryption is taking place. Any drives that are attached to your computer using a drive letter such as (C:\) are susceptible to infection. You will know you have been infected with CryptoLocker when the message appears telling you your files are encrypted and it requests payment (in the ballpark of about $300 to $400 US dollars). The malware includes a timer that counts down. You need to pay the ransom before the timer expires or risk having your files encrypted forever. To add insult to injury it offers you "convenient" methods of payment. You can pay in US dollars, Euros, or Bitcoin through an anonymous prepaid cash voucher such as Ukash or MoneyPak. Once payment is received you will be given the key to decrypt your files. Interestingly, nearly half of all people infected choose to pay the ransom. From everything I have read, the Hackers are at least cordial enough to honor their end of the deal by handing over the key. I suppose that if word got around that they didn't honor their end fewer people would pay, and let's face it, they want your money not your files.

CryptoLocker is not too difficult to remove with standard anti-malware tools, though some can't detect it at all, and some detect it after the damage has already started. These tools also cannot decrypt your files. CryptoLocker uses the best practices of file encryption and is so strong that security experts have said that traditional brute force methods of trying to decrypt it don't work. Brute force attacks essentially try to guess what the key might be, and the strongest encryption could take years to break.

In extreme cases, such as this, having backups of your data are essential. If you are religious about backing up your data it may be possible to restore your files and not have to pay the ransom. I have to stress the word "may". Backups can get encrypted too if they are not kept "offline". In other words, if your backup drive is always connected to your computer, turned on, and has a designated drive letter it too could have been encrypted. If you are fortunate to have a backup, that predates the encryption, you can safely restore your files. Naturally, you would do this after you are confident you have successfully removed the malware.

It is a good idea to backup to a drive that you turn off, and/or disconnect from your computer once backup has completed. If you backup to the cloud be sure that your service does not treat your connection like a local drive, or require you to have a drive letter assigned to it. For more information on cloud services you can refer to my blog post: Today's Forecast: Cloudy with a Chance of Data.

Thursday, March 21, 2013

Browser Add-ons Part 5: Web Of Trust (WOT)

Social engineering is probably the biggest threat we are faced with in using technology because it takes advantage of our natural desire to trust those around us. There are so many ways in which we can be fooled into thinking something is safe that is not. In one short moment we can completely open ourselves to having our private information stolen. There is no end to the tricks that the bad guys use to look legitimate in order to perpetrate their crimes. So, what we have have to do is remain diligent and continually find new ways to protect ourselves. It's a never ending battle between good and evil.

That being said, it's been some time since I took a look at browser add-ons. And, before I continue, I must confess that one of my technology compatriots turned me on to this one. Web of Trust takes a different approach to determining the safety of the content we find on the Internet. Instead of dealing with safety from a solely technical position it leverages human interaction to assist in determining the safety of sites by maintaining a database built on millions of ratings provided by users and other "technical sources".

What makes this add-on great is its simplicity. Other browser add-ons that promote safety are certainly useful and have their place, but they rely on a user to understand more deeply the warnings being presented to them when the add-on flags potential danger. With WOT that element of difficulty is reduced because it simply tags a site as being safe, potentially unsafe, or deemed completely unsafe through the use of traffic signal-like icons. A green circle indicates a safe site, yellow indicates a site that is potentially unsafe, red indicates a site that cannot be trusted, and a grey icon with a question mark indicates a site that has no ratings provided by the WOT community of users. So, when you do an Internet search it will flag sites with one of these icons to give you a visual safety rating of that site. This is great because it helps reduce the chance of clicking on questionable links when searching.

This add-on is available for Safari, Chrome, Firefox, Internet Explorer and Opera browsers. Once you download and install the add-on it gives you some choices regarding the filtering of content including Basic, Light, and Parental Control. Parental Control attempts to block sites that are deemed unsafe for children while Basic merely gives you an indication of the safety value of the site. Optionally, you can sign up, or login to your Facebook account to use WOTs social features. The WOT add-on places an icon next to your web browser's address bar that let's you rate a site based on how safe you believe a site to be. By sharing your experiences with other users you help make the Internet safer for others. Ratings include: Trustworthiness, Vendor Reliability, Privacy, and Child Safety. In the WOT settings you can decide if you want to turn off Vendor Reliability, Privacy, and Child Safety. Trustworthiness is the base feature for this add-on so it cannot be disabled, which makes perfect sense, because without it the add-on would be pointless. Also, if you'd like to see the overall rating of a site you are currently visiting you can choose the "view scorecard for rating details". This will open another tab in your browser taking you to the WOT website. Here you will see the WOT community's overall grade for a site. Another nice feature is that you can even see the WOT community's grade even before you visit a site to see why it may have been rated poorly.

This is one more great add-on to consider having in your arsenal of malware fighting tools. To download this add-on visit: