Global Cyber Attack 

Yesterday, May 12th 2017 saw a mass global cyber attack launched with impeccable timing just before the weekend. Over 75000 machines were affected in around 100 countries – so far. 

It is believed that a hacking group called Shadow Crew is behind the attack. This is the same group that hacked the CIA in the USA and a couple of months ago released hacking tools developed by that agency and the NSA.

The effect was for many businesses and government departments to be hit with Ransomware (which I’ll cover on here soon). This encrypts files, which can then only be recovered by paying a ransom in a virtual currency called Bitcoin. 

Once the ransom is paid the bad guys may or may not decrypt the files – there are no guarantees. 

I said it was good timing because the Ransomware gives users 3 days to pay the fine. Many users will have started their weekend already (and in much of the Middle East the weekend is Friday and Saturday) so there’s a good chance that some users will not get to their devices in time and will have to pay – or trash their machines and rebuild them.

Many businesses and government agencies such as the NHS simply shut all systems down in order to prevent them being infected. This is one reason why the impact has been so huge.

No doubt the plan is that once the fix is known (for devices which are infected) then it will be applied to machines individually as they are restarted. 

It’s also worth mentioning that at present this doesn’t look like any kind of data breach. Files have been encrypted so the data is inaccessible, but the data hasn’t been accessed or copied – as far as we can tell at the moment. 

That’s what happened, so how do you protect yourself and your business? The answer is surprisingly straightforward. 

  1. Install the MS17-010 patch on all Microsoft Windows devices. This Critical patch was released by Microsoft on 14 March this year, and the Ransomware takes advantage of a vulnerability which the patch fixes. If your machine has been set to apply updates automatically, then assuming you’ve rebooted your machine since the update was applied you should be safe. If you don’t have Auto Update enabled – manually search for updates and install them now. 
  2. If you’re on a network, make sure that your network administrators have disabled the SMB protocol on all devices that don’t need it. This is how the Ransomware spreads on an internal network. 
  3. Make sure your antivirus software is up to date and running. 
  4. Be extra careful when clicking on links you don’t recognise and on unsolicited documents. 
  5. Make sure any devices you use for backing up your data are not physically connected to your computer – if they are, then chances are your backups could get infected too. 
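Steps 1 and 2 above can be checked on a Windows machine from PowerShell. The script below is an added example for this post, not something from the original, and it assumes an elevated prompt on Windows 8 / Server 2012 or later (where `Get-SmbServerConfiguration` exists). The KB numbers that deliver MS17-010 differ per Windows version and are not listed in the post, so `$Ms17010Kbs` holds placeholders that you must fill in from Microsoft’s MS17-010 bulletin for your OS. The reboot check looks at two registry keys Windows sets when an update is waiting for a restart, which covers the “assuming you’ve rebooted” caveat in step 1.

```powershell
# Added example (not part of the original post): check the machine-level items
# from the list above - MS17-010 present, reboot still pending, SMBv1 enabled.
# Run from an elevated PowerShell prompt.

# PLACEHOLDERS: replace with the MS17-010 KB numbers for your Windows version
# (taken from Microsoft's MS17-010 bulletin); they are not listed in the post.
$Ms17010Kbs = @('KB_PLACEHOLDER_1', 'KB_PLACEHOLDER_2')

function Test-Ms17010Installed {
    param([string[]]$KbList)
    # Get-HotFix lists installed updates; HotFixID is the "KBnnnnnnn" string.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = @($KbList | Where-Object { $installed -contains $_ })
    return [pscustomobject]@{
        Installed = ($found.Count -gt 0)
        MatchedKb = ($found -join ', ')
    }
}

function Test-RebootPending {
    # Either key exists while an installed update is waiting for a restart.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    )
    foreach ($k in $keys) {
        if (Test-Path $k) { return $true }
    }
    return $false
}

function Test-Smb1Enabled {
    # Server-side SMBv1 switch; this is the protocol the worm spreads over.
    return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
}

function Disable-Smb1 {
    # Turns off the SMBv1 server on this host. Only very old clients need it;
    # anything that still does will lose access to this machine's shares.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

$patch  = Test-Ms17010Installed -KbList $Ms17010Kbs
$reboot = Test-RebootPending
$smb1   = Test-Smb1Enabled

Write-Host ("MS17-010 installed : {0} {1}" -f $patch.Installed, $patch.MatchedKb)
Write-Host ("Reboot pending     : {0}" -f $reboot)
Write-Host ("SMBv1 enabled      : {0}" -f $smb1)

if (-not $patch.Installed) {
    Write-Host "Patch not found - run Windows Update now, then reboot."
} elseif ($reboot) {
    Write-Host "Patch is installed but not active until you reboot."
}
if ($smb1) {
    Write-Host "Disabling SMBv1 server..."
    Disable-Smb1
}
```

Run it once before and once after Windows Update to confirm the machine has moved from “patch not found” to “installed, no reboot pending”. Disabling SMBv1 on a file server is the one change here that can break something, so check which clients still use it before running the last step on shared servers.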

That’s all you need to do. It’s clear from this outbreak that the things I’ve been talking about – patching, antivirus, backups, phishing awareness etc – which are all simple things to do but often neglected, are all really good protection against even global attacks. 

I’ll be releasing a podcast about this later today, so keep your eyes peeled for that! 

Email safety

In one of my previous posts, I talked about Phishing and Whaling, and I realised that I haven’t really talked about email itself yet. Email is ubiquitous, it’s everywhere, and yet it’s not that long since we started using it. My first “public” email address was a Compuserve account back in 1995, and I very quickly created an AOL or Hotmail address soon after that. But that’s only just over 20 years ago – and look how far we’ve come since then! 

In all that time though, some bad habits have appeared amongst us all, and I thought it would be helpful to highlight a few here.  I’m going to assume that you have an active and up-to-date anti-malware program installed on your machine: that’s a pre-requisite before connecting to the internet, in my book.  

The first point I’d make is that you should be very careful when opening email. An email from someone you don’t know, attachments you’re not expecting, or hyperlinks (you know, those web addresses which, when you click on them, take you to a website) whose destination you can’t see should all raise little red flags in your head. As a rule of thumb, don’t click on links, don’t open documents and don’t even open the email if they’re unexpected or you don’t know the sender. 

Second, don’t just hit Reply To All when responding. There was an item of news last year when an email was inadvertently sent to 800 000 people in the NHS, which was bad enough. The system crashed with the number of people hitting Reply To All and saying “please stop replying to all”. Unbelievable, right? But it happens, and I’ve seen it at other companies. As a rough rule of thumb, Reply only to the person who sent the mail (and possibly the other people in the To part of the address) if at all possible.

Third, when forwarding mail, look at the message(s) you’re forwarding.  Are there lots of other email addresses in the message somewhere? If so – delete them before hitting send.  It’s another source of information that hackers can use to gather email addresses to target in phishing campaigns. 

When sending a new message, or forwarding a message, think about who you’re sending it to.  If you’re sending it to several people, and they don’t know each other, use the BCC (Blind Carbon Copy) feature.  This means that none of the recipients will be able to see who else the message was sent to, and it reduces the risk of long lists of email addresses being made available to the bad guys.  
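The last two points (strip addresses out of forwarded text, and use BCC for recipients who don’t know each other) can be done mechanically before a message goes out. The script below is an added example written for this post, not from the original; the forwarded thread, every address in it and the SMTP server name are constructed placeholders, and the actual `Send-MailMessage` call is left commented out so the script is safe to run as-is.

```powershell
# Added example (not part of the original post): scrub addresses out of a
# forwarded message and put outside recipients in Bcc instead of To.

# Plain address pattern - good enough for finding addresses in quoted text.
$AddressPattern = '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'

function Find-EmbeddedAddress {
    param([string]$Text)
    # Returns the distinct addresses found in the text, so you can see what
    # would have leaked to the new recipients.
    return @([regex]::Matches($Text, $AddressPattern) |
        ForEach-Object { $_.Value } | Sort-Object -Unique)
}

function Remove-EmbeddedAddress {
    param([string]$Text)
    # Replaces every address with a marker; names and content are kept.
    return [regex]::Replace($Text, $AddressPattern, '[address removed]')
}

# Constructed sample of a forwarded thread; all addresses are made up.
$forwarded = @"
---------- Forwarded message ----------
From: Alice Example <alice@example.com>
To: bob@example.org, carol@example.net
Subject: Q2 figures

Bob, Carol - see attached. Cc'ing dave@example.com as discussed.
"@

$found = Find-EmbeddedAddress -Text $forwarded
Write-Host "Addresses in forwarded text: $($found.Count)"
$found | ForEach-Object { Write-Host "  $_" }

$clean = Remove-EmbeddedAddress -Text $forwarded

# Recipients who don't know each other go in Bcc; only your own address in To,
# so nobody on the list can see who else received it.
$mail = @{
    From       = 'me@example.com'                         # placeholder
    To         = 'me@example.com'                         # placeholder
    Bcc        = @('first@example.net', 'second@example.org')  # placeholders
    Subject    = 'FW: Q2 figures'
    Body       = $clean
    SmtpServer = 'smtp.example.com'                       # placeholder
}
# Send-MailMessage @mail    # uncomment to send for real
```

With the sample above, the script lists four addresses and the body that would be sent reads `From: Alice Example <[address removed]>` and so on. Whether you keep names like “Alice Example” in the forwarded text is a judgement call; the addresses are the part a phisher can use directly.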

At the end of the day, keep things simple, be alert, and for the most part you’ll be OK.  

Certified Ethical Hacker

In spring 2013 I attended a Certified Ethical Hacker (CEH) training course with Firebrand in Wyboston, England. It was a week long bootcamp, with classes starting on the Sunday evening, 12 hour days in the classroom and a 3 hour exam on the Friday morning.

The classes were made up of a mixture of theory and practical work. All attendees had a number of virtual environments to work in, and we were able to use a number of the tools we’d talked about in a safe environment. After class we had two to three hours of reading every night to get through the courseware, so we spent roughly 15 hours a day on the topic.

As you can imagine, this kind of intense training crams a lot in and leaves you pretty drained at the end, but it was worth it. The course “only” gives the background, and it is then down to the individual to keep their education up by reading more on the topic, by trying the tools out and by carrying out this kind of work.

While I don’t currently do any kind of hacking as part of my job, the course gave a very good understanding of the techniques and methods used, and the risks and potential impact that each kind of attack could bring to an organisation. From that perspective, it meant I was well prepared for writing policies and standards to help counteract the threats from this angle.

Recertification takes place every three years, and in that time you have to be able to demonstrate completion of at least 120 hours of Continuing Professional Education (CPE) in related topics. I have recently completed my first recertification and am therefore entitled to use the CEH designation, approved by the EC-Council, until 2019.