Last week at work, I noticed some odd events in an event log, and when I investigated them, I found they were part of a failed ransomware attack. This got me thinking about how to prevent ransomware at home.
Ransomware, if you aren’t familiar, is an attack that encrypts your data and demands a ransom, usually around $300, in bitcoins, and you get a short deadline until it destroys your files. More often than not, paying the ransom is the only way to get the files back, so it’s much better to prevent it.
Last week Adobe issued an out-of-band Flash patch, and once again Brian Krebs urged people to ditch Flash, noting that he’s done so and hasn’t missed it.
We decided to try ditching Flash at work a few months ago, but it didn’t go quite so smoothly for us. I thought I’d share my experience.
I found a mention of a tool called Unchecky as a minor point in a story about something else entirely. Unchecky helps to solve the problem with downloaded programs including a bunch of extra junk you don’t want.
I won’t be running it myself. But the next time I fix a computer, I’ll probably install it on that one.
Bad things happen when security pros like me start asking our infrastructure brethren to patch Flash. We get better security, but the Flash upgrade fails enough of the time to cause extra workload, and it can be confusing. One of the problems is the question of Flash vs Shockwave.
Consequently, I see more Flash-related helpdesk tickets than I ever saw, even when I was doing desktop support long ago. Adobe doesn’t make it any easier by calling the plugin “Shockwave Flash.”
Adobe has patched Flash twice in two weeks now. The reason for this was due to Hacking Team, an Italian company that sells hacking tools to government agencies, getting hacked. Hacking Team, it turns out, knew of at least three unpatched vulnerabilities (also known as “zero-days” or “0days”) in Flash, and exploits for these vulnerabilities were among the things that got breached.
That’s why Adobe is having a bad month.
Monthly patches and upgrades don’t always go well, but getting them down is increasingly critical, especially for applications like Flash, Reader, and the major web browsers. This week I called it “the new firewall.”
Twenty years ago, home users almost never bothered with firewalls. My first employer didn’t bother with them either. That changed in the late 1990s, when worms exploiting weaknesses in Microsoft software devastated the nascent Internet. Firewalls soon became commonplace, along with some unfortunate hyperbole that led some people to believe firewalls make you invisible and invincible, a myth that persists in some circles even today.
For this reason I’m a bit hesitant to declare anything a new firewall, but firewalls are necessary. So is protecting key software.
I was talking breaches last week when a very high-up joined the conversation in mid-stream.
“Start over, Dave.”
“OK. I’m talking about breaches.”
“I know what you’re talking about,” he said, knowingly and very clearly interested.
I’ve grown used to being asked what unpatched vulnerability was used in the most recent breach, in an effort to make sure some other company is protected.
I appreciate the desire to learn from other companies’ mistakes and not repeat them. But there are several reasons why the answer to that question is complicated, and not necessarily helpful.
I’ve been seeing a lot of news this week about web browser plugins getting exploited to plant malware on computer systems. A lot of people know to keep Flash up to date, and to keep Java up to date or uninstall it–at least I hope so by now–but there are two targets that people generally forget about: Shockwave and Silverlight.
Because so many people have them installed and don’t know it, and therefore never update them, they are ripe targets for attack. Read more
“Oh, so you think you’re Mr. Genius Man,” the crackly voice said, drowned out by static caused by his cheap VOIP connection. “Enjoy your broken computer, Mr. Genius Man. Goodbye, Mr. Genius Man.”
So ended 23 minutes of my life that I’ll never get back, but I figure it’s 23 minutes he wasn’t spending scamming someone else. I don’t do it often, but my kids were playing nicely and we were all in the same room, so I guess I don’t regret it too much. Read more