CryptoLocker news

Okay folks, here we go again. More ransomware is spreading and it can hit you. [Ransomware comprises a class of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator of the malware in order for the restriction to be removed. Some forms of ransomware encrypt files on the system’s hard drive (cryptoviral extortion), while some may simply lock the system and display messages intended to coax the user into paying.]

Ransomware/Malware that encrypts your data and tries to sell it back to you, or else, is not new. In fact, one of the earliest pieces of malware that was written specifically to make money, rather than simply to prove a point, was the AIDS Information Trojan of 1989. That Trojan scrambled your hard disk after 90 days, and instructed you to send $378 to an accommodation address in Panama.

Enter the latest Menace – CryptoLocker. If you have become seriously infected and do not take IMMEDIATE remedial steps, there is, sadly, not much you can do [unless you have full ‘offline’ backups as I am always ranting about] but pay up!

This is getting some recent much needed attention by the press. Here is a recent short article. A Google search will turn up hundreds more.

The endgame is the same in all cases: if you have a reliable and recent backup, you’ll have a good chance of recovering without too much trouble.

Prevention, in this case, is significantly better than cure:

  • Stay patched. Keep your operating system and software up to date.
  • Make sure your anti-virus is active and up to date.
  • Avoid opening attachments you weren’t expecting, or from people you don’t know well.
  • Make regular backups, and store them somewhere safe, preferably offline.

Don’t forget that services that automatically synchronise your data changes with other servers, for example in the cloud, don’t count as backup!!

They may be extremely useful, but they tend to propagate errors rather than to defend against them.

What is CryptoLocker

CryptoLocker is a ransomware program that was released around the beginning of September 2013 that targets all versions of Windows including Windows XP, Windows Vista, Windows 7, and Windows 8. This ransomware will encrypt certain files using a mixture of RSA & AES encryption. When it has finished encrypting your files, it will display a CryptoLocker payment program that prompts you to send a ransom of either $100 or $300 in order to decrypt the files. This screen will also display a timer stating that you have 72 hours, or 4 days, to pay the ransom or it will delete your encryption key and you will not have any way to decrypt your files. This ransom must be paid using MoneyPak vouchers or Bitcoins. Once you send the payment and it is verified, the program will decrypt the files that it encrypted.

How do you become infected with CryptoLocker

This infection is typically spread through emails sent to company email addresses that pretend to be customer-support-related issues from Fedex, UPS, DHS, etc. An unsuspecting computer user will either get an email purporting to be from their bank, friends, Facebook or a host of other fake senders, or be asked to click on a pop-up on a website. The person thinks it’s legitimate, clicks on it and, before they know it, the virus is installed on their computer and encrypts their data. The person will be given a time period, for instance 72 hours, to make a payment in exchange for the key to decrypt all the data. Refuse and the data on the hard drive will be gone forever.

These emails contain a zip attachment that infects the computer when opened. The zip files contain executables that are disguised as PDF files: they have a PDF icon and are typically named something like FORM_101513.exe or FORM_101513.pdf.exe. Since Windows hides known file extensions by default, they look like normal PDF files and people open them.

Please make sure that your antivirus/malware software and systems are up to date. And for Pete’s sake do NOT open attachments from the likes of those listed. IF you think you need to track something go to the ‘front door’ of the shipping company or bank and login/track there.

Once YOU infect yourself (yes, it is an action taken by the user that starts the infection!!) [Like any other piece of malware, common sense goes a long way. The critical thing is it’s not going to install files by itself. You have to initiate some action.] you will soon probably see a screen that looks like this:

[Screenshot: CryptoLocker payment screen]

Examples of known CryptoLocker email subjects include:

  • USPS – Your package is available for pickup (Parcel 173145820507)
  • USPS – Missed package delivery ("USPS Express Services" <service-notification@usps.com>)
  • USPS – Missed package delivery
  • FW: Invoice <random number>
  • ADP payroll: Account Charge Alert
  • ACH Notification ("ADP Payroll" <*@adp.com>)
  • ADP Reference #09903824430
  • Payroll Received by Intuit
  • Important – attached form
  • FW: Last Month Remit
  • McAfee Always On Protection Reactivation
  • Scanned Image from a Xerox WorkCentre
  • Scan from a Xerox WorkCentre
  • scanned from Xerox
  • Annual Form – Authorization to Use Privately Owned Vehicle on State Business
  • Fwd: IMG01041_6706015_m.zip
  • My resume
  • New Voicemail Message
  • Voice Message from Unknown (675-685-3476)
  • Voice Message from Unknown Caller (344-846-4458)
  • Important – New Outlook Settings
  • Scan Data
  • FW: Payment Advice – Advice Ref:[GB293037313703] / ACH credits / Customer Ref:[pay run 14/11/13]
  • Payment Advice – Advice Ref:[GB2198767]
  • New contract agreement.
  • Important Notice – Incoming Money Transfer
  • Notice of underreported income
  • Notice of unreported income – Last months reports
  • Payment Overdue – Please respond
  • FW: Check copy
  • Payroll Invoice
  • USBANK
  • Corporate eFax message from "random phone #" – 8 pages (random phone # & number of pages)
  • past due invoices
  • FW: Case FH74D23GST58NQS
  • Symantec Endpoint Protection: Important System Update – requires immediate action
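The two things described above, a zip attachment hiding an executable behind a document-looking name such as FORM_101513.pdf.exe and a subject line taken from the lure list, are both easy to check for at the mail gateway or in a mailbox export. The script below is an added example written for this post, not a tool from the author or from any vendor; it uses only the Python standard library, the sample messages are constructed here, and the list of lure subjects is copied from the post (the numbers and phone numbers in those subjects change per campaign, so they are stripped before comparison).

```python
"""Flag CryptoLocker-style lure e-mails: disguised executables and known subjects.

Added example for this post, not the author's tooling. Sample messages are constructed.
"""
import io
import re
import zipfile

# Extensions Windows runs directly; dangerous when hidden behind a document name.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions an attacker puts in front of the real one so the hidden-extension
# default makes "FORM_101513.pdf.exe" display as "FORM_101513.pdf".
DECOY_DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}

# Subject lines quoted in the post (variable numbers removed by _normalise).
KNOWN_LURE_SUBJECTS = [
    "USPS - Your package is available for pickup",
    "USPS - Missed package delivery",
    "ADP payroll: Account Charge Alert",
    "Payroll Received by Intuit",
    "Important - attached form",
    "Scanned Image from a Xerox WorkCentre",
    "New Voicemail Message",
    "Notice of underreported income",
    "Symantec Endpoint Protection: Important System Update",
]


def _normalise(subject):
    """Lower-case, unify dashes, drop FW:/RE: prefixes, parenthesised tokens and digits."""
    s = subject.lower().replace("\u2013", "-")
    s = re.sub(r"^(fw|fwd|re):\s*", "", s)
    s = re.sub(r"\([^)]*\)", "", s)      # "( Parcel 173145820507 )", phone numbers
    s = re.sub(r"[#\d]+", "", s)         # reference numbers
    return re.sub(r"\s+", " ", s).strip(" -")


def is_known_lure_subject(subject):
    norm = _normalise(subject)
    return any(norm.startswith(_normalise(k)) for k in KNOWN_LURE_SUBJECTS)


def filename_risk(name):
    """Return a reason if the name is an executable (disguised or not), else None."""
    parts = name.lower().rsplit(".", 2)  # "form_101513.pdf.exe" -> [stem, "pdf", "exe"]
    if len(parts) < 2 or "." + parts[-1] not in EXECUTABLE_EXTS:
        return None
    if len(parts) == 3 and "." + parts[-2] in DECOY_DOC_EXTS:
        return "executable disguised with a document extension"
    return "executable attachment"


def scan_zip(data):
    """List (member, reason) for suspicious members of a zip held in memory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(m, filename_risk(m)) for m in zf.namelist() if filename_risk(m)]


def scan_message(msg):
    """msg: {'subject': str, 'attachments': [(name, bytes), ...]} -> list of findings."""
    findings = []
    if is_known_lure_subject(msg["subject"]):
        findings.append("subject matches a known CryptoLocker lure")
    for name, data in msg["attachments"]:
        reason = filename_risk(name)
        if reason:
            findings.append(f"{name}: {reason}")
        if name.lower().endswith(".zip"):
            try:
                for member, why in scan_zip(data):
                    findings.append(f"{name} -> {member}: {why}")
            except zipfile.BadZipFile:
                findings.append(f"{name}: not a valid zip archive")
    return findings


def _make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a lure as described in the post, a benign invoice, a bare executable.
SAMPLE_MESSAGES = [
    {"subject": "USPS – Your package is available for pickup ( Parcel 173145820507 )",
     "attachments": [("Label.zip", _make_zip({"FORM_101513.pdf.exe": b"MZ..."}))]},
    {"subject": "Invoice for March",
     "attachments": [("invoice_march.pdf", b"%PDF-1.4 ...")]},
    {"subject": "Important - attached form",
     "attachments": [("FORM_101513.exe", b"MZ...")]},
]


def scan_all(messages=SAMPLE_MESSAGES):
    return [scan_message(m) for m in messages]


if __name__ == "__main__":
    for m, f in zip(SAMPLE_MESSAGES, scan_all()):
        print(m["subject"], "->", f or ["clean"])
```

A subject match alone is weak evidence (legitimate USPS mail exists), so in practice the subject check is best used to raise the score of a message that also carries a flagged attachment rather than to block on its own.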

What should you do when you discover your computer is infected with CryptoLocker

When you discover that a computer is infected with CryptoLocker, the first thing you should do is disconnect it from your wireless or wired network. This will prevent it from further encrypting any files. Some people have reported that once the network connection is disconnected, it will display the CryptoLocker screen.

Users who are infected with the malware should IMMEDIATELY consult a reputable security expert to assist in removing the malware, and should NOT attempt to mitigate or in any way ‘fix’ the issue themselves – this will only ensure the loss of data!!

It is not advised that you remove the infection from the %AppData% folder until you decide if you want to pay the ransom. If you do not need to pay the ransom, simply delete the Registry values and files and the program will not load anymore. You can then restore your data via other methods.

It is important to note that the CryptoLocker infection spawns two processes of itself. If you only terminate one process, the other process will automatically relaunch it. Instead use a program like Process Explorer, right-click on the first process and select Kill Tree. This will terminate both at the same time.

Is it possible to decrypt files encrypted by CryptoLocker?

Unfortunately at this time there is no way to retrieve the private key that can be used to decrypt your files without paying the ransom. Brute-forcing the decryption key is not realistic due to the length of time required to break the key. Also, any decryption tools that have been released by various companies will not work with this infection. The only method you have of restoring your files is from a backup or from Shadow Volume Copies if you have System Restore enabled. Newer variants of CryptoLocker attempt to delete the Shadow Copies, but they are not always successful. There are methods that can/may be used to recover your ‘Shadow Copies’, but this often requires an expert.

If you do not have System Restore enabled on your computer or reliable backups, then you will need to pay the ransom in order to get your files back.

So to summarize: the very first line of defense is good computing common sense and usage. Second is my usual mantra: FULL IMAGE BACKUPS ON A REGULAR BASIS TO EXTERNAL/REMOVABLE MEDIA. I can’t say this enough. And I’m sure to get the calls from folks who are screwed. I sympathize, a little anyways.

Okay end rant. Be safe. Peace all.

Terrifying new Ransomware

This here is some scary sh%t.
I know I sound like this guy [image: the-sky-is-falling] about backing up your entire systems to ‘offline/removable’ media, but I’ll keep on saying it.

This nasty is spreading fast on corporate networks. The scary thing is it still relies on social engineering and poor user training/safety habits to launch/install. It usually arrives as an email with an archived zip file attached and an executable inside, which should have been a dead giveaway that the message was malicious and in no way legitimate. But sadly most people have not been properly educated on computer safety, or are just plain lazy and don’t think to look at what they are doing. Once installed it can wreak havoc on a company.

Please develop and use some kind of offline full-system backup plan for your personal systems and especially for your business.

Do not rely on a ‘cloud based’ backup system to protect you from this type of attack. Think about it: your now-encrypted files would be uploaded to the cloud and overwrite your original/good ones.

I’ve written so many times about the need for offline backups you can just look through my blog and find more info about that.

Be safe folks!

Adobe Hacked (again)

Yay another security hack. 🙁

If you have an Adobe Account Please login to their site and change your Password. You may have already received notice to reset them, if so please do!

I’d suggest that if you have any payment information associated with any Adobe account/login you remove it! You can read from Adobe about it here. And some more (and scarier) details from some other tech sites like this one or this one.

Get even more Dropbox space right now.

I use Dropbox to synch some files between computers, devices and the web. Nothing very sensitive but it’s great for photos, tech documents and files and other items. It’s also great for sharing items with others; I can upload something, share it (Dropbox gives a link to ‘share’) I then send that link to those I wish. Pretty cool.

Right now, and I don’t know if it’s a fluke or not, you can get up to 50GB of space just by doing a few things! If you have an account log into it and go here [get space] or create an account, go through the walkthrough (they’ll add space just for doing that) then go to the ‘get space’ link.

  1. Tell them why you like Dropbox.
  2. Let them tweet about you.
  3. Tweet about them.

Just doing these three things got my storage size to 52GB!!

I don’t really tweet much except for tech posts, so I could give a rip about them tweeting to my feed. You may care, I don’t. Also, for my personal ID security and safety, all my login credentials are very different and not connected in any way for every online service I use.

I do also use other cloud services too (Google Drive, Skydrive etc.) but I’ve posted before about those already too.

Well hope you get your space while the getting is good.

Using Google’s Two Step Verification

If you don’t know what 2-Step Verification is here is a simple explanation: The two-step system uses both a password and a numerical code tied to your mobile phone, which can be sent by Google via SMS or generated by a smartphone app. Either way, it means a prospective hacker would need to obtain both your password and your phone to access your account.

I’ve been aware of Google’s two-step verification system for some time, but I felt my very strong password, the fact that I don’t use that password anywhere else, and that it could not be ascertained by usual social engineering methods, was more than adequate protection. I was also concerned the system might be a hassle to use since I routinely sign in from so many different computers and locations. I already use a password manager (KeePass) that requires not only a master password but also a key file. [There are other very effective password managers out there; I suggest you use one. Ars has a good article about that here.]
But with the massive increase in hacking and hijacking of information and the advancement of brute-force cracking technologies and techniques, I felt it was time to get onto the 2-step wagon.

Also, I suggest that if you use Yahoo mail for anything you migrate towards Gmail or some other provider. Yahoo has one of the worst records for email security. They are hacked all the time! One recent article is here.
And for Pete’s sake please do NOT ‘link’ your Facebook account with Yahoo – that too is a major source of hacked Facebook account activity. If you currently have it linked I suggest you separate it. You can read how here and here.

So here is a brief explanation of how to enable 2-step verification. I will also link to some other resources on how to enable and use it at the bottom. If you find this too complicated or too much of a hassle you can always disable it very easily.

So let’s get started. Log in to your account and go to Account, then Security.


In the Security list you’ll see 2-step verification. This is where you can ‘turn it on’ and edit the settings.


Printable backup codes. Warning: If your phone is unavailable, these codes will be the only way to sign in to your account. Keep them someplace accessible, like your wallet, desk drawer or other safe place.


Here click on ‘Show backup codes’.


I printed out a set and put them someplace safe. I also saved them to a text file and imported and copied that text file of codes into my Password management application – KeePass.

If you click on Application Specific Passwords you can create them for your other applications like Outlook, iMail, Thunderbird etc. Just give it some useful name, click on ‘Generate Password’ and then make sure to copy (or write down) that password – it is only shown once! I just copied each one to a text file so I could then paste them into the proper (password) field in my Outlook configuration.


Some other links and info.

Here’s Google’s info page. And more here.

Setting up Mac Mail.

Setting up Outlook.

One more thing to consider if you’re a paranoid guy like me. I have all my browsers set to delete Internet history, cache and cookies when I close them, AND I also run CCleaner many times a day to clean out temp files. Doing this will clear out the 2-Step ‘security token’, so you must manually mark some specific cookies to NOT be deleted in your browser and/or CCleaner.

To create ‘safe cookies’ in Firefox here is a good article. For Chrome go here and read ‘Make exceptions for cookies for specific websites’. The method is just about the same for Internet Explorer and Safari.

For CCleaner you can add the cookies to keep manually. Read here.

The actual cookie names you need to keep are here:

accounts.google.com
accounts.youtube.com
google.com
mail.google.com
apis.google.com
0.docs.google.com
docs.google.com

Hope this helps some. Peace out.

Java update April 2013

If you haven’t installed Oracle’s most recent Java patch, you should do so now!

Nefarious folks are hacking those that have not patched their systems.
You can find the latest Java here for Mac OSX, Windows or Linux.

I know many folks have taken to removing or disabling Java altogether over security concerns. While that may be a solution for some, it is not for all of us, especially those of us in IT that rely on applications/tools that require Java.

There are also a whole lot of interactive and multimedia Internet applications that also require Java.

So IF you have Java installed on your PC – be it Mac, Linux or Windows – PLEASE update your system.

One thing I’d like to warn you about while doing this update.

WHILE GOING THROUGH THE INSTALL PROCESS – DO NOT INSTALL ANY TOOLBARS (LIKE ‘ASK TOOLBAR’ ETC.) OR ADDITIONAL SOFTWARE (FREE VIRUS SCANS, BROWSERS ETC.)!!

This whole SCAM of installing crapware, and worse, while simply trying to update plug-ins is getting WAY out of hand. I wish there were some way to stop it but it seems impossible. Virtually every plug-in/add-on tries to install more stuff than you need or should want. Very frustrating.

But if you’re diligent and careful you can keep yourself from being essentially tricked into installing crapware.

So be safe out there folks.

Critical February Security Patches

Microsoft’s Patch Tuesday is next week. And it’s going to be VERY important.

Microsoft’s security patches are due to be released at 1:00pm EST on Tuesday 12th February. [Read more here from MS]

The longer you take to update the security patches on your computer, the greater potential risk you could find yourself in!!

In all, 57 separate security flaws are waiting to be fixed.

According to Microsoft, every single version of Internet Explorer – from version 6 to version 10 – needs to be patched, as they are vulnerable to exploitation by drive-by attacks.

That means that simply visiting a booby-trapped webpage could silently infect your computer with malware – hijacking your PC for a hacker’s own ends.

According to an advisory from the software giant, five of the 12 security updates have been given Microsoft’s highest severity rating of “critical”.

Also note that Adobe has again released critical security patches to its Flash Player software. [read here]

Even if you are not on a Windows/Microsoft operating system you should still make sure your Adobe Flash, Adobe Shockwave and Oracle Java software and browser plug-ins are up to date!

Be safe out there! MMm K.

Disable UPnP to Protect Yourself from New Security Hole Found in Wi-Fi Routers.

If you don’t know (and most of you probably don’t), there is a major security flaw that has recently been aggressively exploited. It could allow people with malicious intent to access your system(s). Mac, Windows PC and Linux are all vulnerable, because this is NOT an OS flaw but a router flaw! So please don’t think you are safe just because you buy into the belief (very wrong, by the way) that ‘your’ type of operating system ‘doesn’t get infected…’. Scans from security companies have shown about 50 MILLION vulnerable access points already.

It is strongly suggested that end users, companies, and ISPs take immediate action to identify and disable any internet-exposed UPnP endpoints in their environments.
UPnP is pervasive – it is enabled by default on many home gateways, nearly all network printers, and devices ranging from IP cameras to network storage servers.

Rapid7.com has an online tool here that can check the external interface of your router and let you know if you are vulnerable.

To fix/resolve this issue all you need to do is disable UPnP on your wireless router.
Since each router is different, you’ll need to log in to your wireless router’s admin panel (use the manual to figure that out) and then find the UPnP setting. This may require someone with more skills (like your teenager) or an IT professional (preferred method) to turn this off for you. But however you do it, please do it.

Be safe.

Security Update release for Java

Looks like Oracle has quickly released a patch for the serious Java security hole. But it also looks like they ‘poorly packaged’ it, so it may not install correctly on all operating systems.
First, verify you have the latest version of Java installed; go here.

If not, then get the latest version here.

The Linux and OS X versions seem to install without error. But…
Windows users may get an error “Error 1714. The older version of Java cannot be removed…”
This can be fixed by first ‘trying’ to uninstall all the Java applications you find.

Go to Control Panel > Programs and Features > Java…, then press Uninstall for each Java application listed.

If that fails (and it has for me on two Windows systems) grab Microsoft’s Uninstall Utility here, run it, choose ‘having problems uninstalling…’ and let it do its thing. You’ll be presented with a window showing which applications you can remove; choose Java 7 or whatever was giving the error.
Then, after it has finished, try to install the latest Java again (the one you downloaded previously). (source)

Be safe out there. Peace