Monthly Archives: January 2018

Ransomware

Ransomware has a nice scary name, which is good, because it can be really scary. It’s how the bad guys hold your computer hostage until you pay a ransom. If you don’t pay, you can lose everything on your computer.

How does it work? Well, first of all, it encrypts the files on your computer. There are two kinds of encryption, one-way and two-way. One-way encryption is where your stuff is encrypted, but there’s no way back from it. Once it’s done, it’s done. Passwords are usually one-way encrypted; that way no one can reverse them and find out what your password is.

The other method of encryption is two-way. I can encrypt something and turn around and un-encrypt it (also known as decrypt). Two-way encryption uses a key to decrypt the encrypted string. If you don’t know the key, you can’t decrypt and your data stays encrypted forever. Unless you can figure out the key.

An Encryption Key

The hard part is that you don’t know how long the key is, what is in the key, or what isn’t in the key. You could spend the rest of your life trying to decrypt it by trying every possible string you can come up with… and still never do it.
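Here is the difference between one-way and two-way in a few lines of Python. This is an example added here, not part of the original post: the function names are made up for illustration, and the two-way cipher is a toy built from SHA-256 to show the idea of a key, not something to protect real data with.

```python
import hashlib
import hmac
import os

def hash_password(password: str, salt: bytes) -> bytes:
    """One-way: produce a digest. No function exists that turns it back."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def check_password(guess: str, salt: bytes, stored: bytes) -> bool:
    """Verify by hashing the guess again and comparing, never by reversing."""
    return hmac.compare_digest(hash_password(guess, salt), stored)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 over key + nonce + counter (illustration only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Two-way: scramble the data with a key; the nonce is stored up front."""
    nonce = os.urandom(16)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))

def decrypt(key: bytes, blob: bytes) -> bytes:
    """Two-way: the same key gives the data back; any other key gives noise."""
    nonce, body = blob[:16], blob[16:]
    stream = _keystream(key, nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))

if __name__ == "__main__":
    salt = os.urandom(16)
    stored = hash_password("hunter2", salt)           # constructed sample password
    print("right password:", check_password("hunter2", salt, stored))
    print("wrong password:", check_password("hunter3", salt, stored))

    key = os.urandom(32)
    blob = encrypt(key, b"family photos")             # constructed sample data
    print("right key:", decrypt(key, blob))
    print("wrong key:", decrypt(os.urandom(32), blob))
```
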

Ransomware takes advantage of that. The bad guys encrypt your system and then demand a ransom in exchange for the key. Pay them or… no more pictures, no more computer code, you lose everything on your computer, never to be seen again.

How do you get attacked? Well, the usual method is by spam. Despite what they show on TV or in the movies, you generally have to let the bad guys in.

Click on that link in the spam or download a strange attachment or even find yourself surfing in a dangerous part of the Internet and you can be attacked too. Try not to let it happen! Don’t click on the link or download anything unless you’re absolutely sure it’s safe.

Spear-phishing

Fred goes spearfishing when he wants to catch that one particular fish. He picks up his spear and dives into the water and goes after that one fish for dinner. Similarly, a bad guy goes spear-phishing when they want to catch that one particular person.

Most phishing is spam. It’s sent to as many people as possible in hopes of getting people to click on those links and give up their information. It’s like what fishers do when they put nets down in the water and try for as many fish as possible at once.

A net for fish (not phish)

The phishers (those guys sending out the emails) are after any kind of person: rich people, poor people, they aren’t going to be picky. They just want the login credentials so they can steal as much as they can.

Sometimes, though, there’s that one person the bad guy wants to go after. The head of a corporation, an Admiral, a General, someone with lots of power and access to information. Sending a wild ‘click on this link, give me your banking information!’ doesn’t get the bad guy access to that information the good guy has. It just gets them the banking information. So, they craft emails to send to these people and entice them to either click on a link in the email or download an attachment.

Once they click on the link or download the attachment, they’re infected with malware and then it can go to town. It can replicate itself, spread itself around, and generally be a nuisance. Like Ultron did.

The Ultron Threat

It wants to hang around as long as possible and steal as much information as it can. These are Advanced Persistent Threats, which isn’t a really exciting name, is it? I think we should go for the Ultron Threat, but they never asked me.

Protecting yourself from spear-phishing is similar to protecting yourself from phishing. Don’t click on any links (even if they promise you your very own Iron Man!) and don’t download any attachments (even if they claim to be the code that Tony Stark uses to operate Iron Man).

Phishing

If I want to catch a fish, then I go fishing. If I want to use social engineering and catch a user in my web of deceit, I go phishing.

A Fish not a Phish

In both cases I set out bait and hope for a bite.

Before I go further, let’s talk about what social engineering is. TV shows like to show the hacker sitting at their keyboard, clicking away and the magic occurs. They’re in the system and causing trouble.

It doesn’t always happen like that. What happens more often is that the hacker tricks the person (not the computer) into doing something that gives the attacker an edge in hacking into the system. This is social engineering. It isn’t nearly as cool as the hacker sitting at the keyboard and clicking away, but it’s more effective.

In phishing, the hacker sends emails that have URLs in them they want you to click. So they have to bait you into clicking them. A common trick is to pretend to be your bank and send you an email saying ‘You must log into your account because if you don’t, all the gerbils will eat your money!’ (That’s not exactly what they say, but they do give you a scary reason why you should do it). Then there’s a helpful URL in the email that you can click to log in.

A vicious money eating gerbil

This is where the attack happens. The URL may look like your bank, the page it sends you to may look like your bank, but it probably isn’t your bank. Especially if the email talks about gerbils. Once you go to that page and try to log in, you’ll probably get an ‘oops, something went wrong, bye!’ message. Or it might even send you to your real bank page and tell you to try again. Or it might just go away.

Now the bad guys have your information on how to log into your bank account, and there’s nothing stopping them from using that information to steal money from you. They didn’t even have to break into your computer to do it; they just stole it all.

How can you protect yourself? If you get an email that claims to be from your bank and wants you to do something, never ever click on any URL in the email. Or if it wants you to log into an account of any type, don’t click on that email either. If you want to check if it’s true, call your bank and ask. Or, you can type in the URL for your bank at your keyboard (NOT using the one in the email) and log in that way.
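To show why a link that "looks like your bank" often isn't, here is a small checker that only trusts the part of the URL that actually decides where your browser goes. It is an example added here, not part of the original post; `mybank.example`, `link_verdict` and the sample links are made-up placeholders.

```python
from urllib.parse import urlsplit

# Assumption: the sites you really bank with (placeholder name, constructed).
TRUSTED = {"mybank.example"}

def link_verdict(url, trusted=TRUSTED):
    """Return 'ok: ...' only when the link's host is a trusted domain."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")
        user = parts.username
    except ValueError:
        return "reject: malformed URL"
    if parts.scheme != "https":
        return "reject: not https"
    if not host:
        return "reject: no host"
    if user is not None:
        # Anything before '@' is a login name, not the site being visited.
        return "reject: text before '@' is not the site name"
    labels = host.split(".")
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        return "reject: lookalike characters in host"
    for domain in trusted:
        # The trusted name must be the END of the host, not just appear in it.
        if host == domain or host.endswith("." + domain):
            return "ok: " + domain
    for domain in trusted:
        brand = domain.split(".")[0]
        if brand in host:
            return "reject: mentions '%s' but is not %s" % (brand, domain)
    return "reject: unknown host"

# Constructed sample links (reserved .example/.test names, not real sites).
SAMPLES = [
    "https://www.mybank.example/login",
    "https://mybank.example.account-check.test/login",
    "https://mybank.example@account-check.test/login",
    "http://mybank.example/login",
    "https://gerbil-news.test/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link_verdict(link), "<-", link)
```

Only the first sample link passes; the rest are rejected even though three of them contain the bank's name.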