I used to run a small
network and kept it safe for many years. After I left, cost-cutting and lack of
maintenance became the norm. They removed most of the security features I had added.
They let their infrastructure deteriorate. Eventually their server was destroyed
by malware and years of data were lost forever.
To create a secure computer ecosystem, all three layers of computer security—developers,
managers, and end users—must work together.
End users
- Install updates! This might not be so easy in a corporate or hospital environment, where access to Microsoft Update is often blocked. If you're stuck in such a place, whine and complain!
- Never let your computer store passwords, and never mount a drive from another computer. Make Windows ask for the password each time.
- Don't let your software do things it isn't intended to do. Disable those features if possible. If that's not possible, don't use them: don't use email to share files. Talk to your administrator and demand an independent, secure way of sharing files. They exist!
- If you're using Windows, change your settings so that file extensions are not hidden. A common attack is to name a malicious file myimage.jpg.exe. By default, Windows hides the extension of known file types, so the file shows up as myimage.jpg and still runs as a program when you double-click it.
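The double-extension trick above is easy to check for mechanically. The following is an added example (not code from the original post) that approximates what Explorer displays with extensions hidden and flags names built to exploit it; the extension lists are the author's own assumptions, and the block also covers the related Unicode right-to-left override trick, which goes beyond the post's example. The sample names are constructed.

```python
"""Flag file names designed to exploit hidden extensions.

Added example (not code from the original post). The extension lists are
the author's own assumptions; extend them for your environment. The sample
names at the bottom are constructed.
"""
import re

# Extensions Windows will execute or interpret on double-click (assumed list).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "msi", "ps1", "lnk"}

# Extensions a user expects to open as a document or picture (assumed list).
HARMLESS_EXTS = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "docx", "xls",
                 "xlsx", "txt", "mp3", "mp4"}

# Unicode bidirectional override code points. U+202E makes everything after it
# render right-to-left, so "invoice\u202Efdp.exe" is displayed as
# "invoiceexe.pdf". This goes beyond the post's double-extension case.
BIDI_OVERRIDES = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                  "\u2066", "\u2067", "\u2068", "\u2069"}


def displayed_name(name: str) -> str:
    """Approximate what Explorer shows with 'Hide extensions for known file
    types' enabled: the last extension is dropped when it is a known type."""
    stem, dot, ext = name.rpartition(".")
    if dot and ext.lower() in EXECUTABLE_EXTS | HARMLESS_EXTS:
        return stem
    return name


def suspicious_reasons(name: str) -> list[str]:
    """Return the tricks found in a file name; an empty list means none."""
    reasons = []
    parts = [p.strip() for p in name.lower().split(".")]
    if (len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS
            and parts[-2] in HARMLESS_EXTS):
        reasons.append(f"double extension: shown as .{parts[-2]}, runs as .{parts[-1]}")
    if any(ch in BIDI_OVERRIDES for ch in name):
        reasons.append("contains a Unicode bidi override character")
    if re.search(r" {4,}\.\w+$", name):
        reasons.append("run of spaces pushes the real extension out of view")
    return reasons


def scan(names) -> dict[str, list[str]]:
    """Map each suspicious name to its reasons; clean names are omitted."""
    return {n: r for n in names if (r := suspicious_reasons(n))}


# Constructed sample: three tricks and two legitimate names.
SAMPLE_NAMES = [
    "holiday.jpg",
    "quarterly-report.pdf",
    "myimage.jpg.exe",
    "invoice\u202Efdp.exe",
    "statement.pdf                                   .exe",
]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_NAMES).items():
        print(f"{displayed_name(name)!r} is really {name!r}: {'; '.join(reasons)}")
```

Run the same function over a directory listing or a mail gateway's attachment names; the point is that what the user sees (the displayed name) and what the OS will run (the full name) are compared by a program, not by a tired human.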
- Never click on a link in an email without confirming that the URL it actually points to is the one it claims to be. The visible text of a link and its real destination are independent of each other; hover over the link, or copy it out, and read the domain before you click.
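The mismatch between a link's visible text and its real target is exactly the kind of thing a mail filter can check. The following is an added example, not code from the original post: it pulls the anchors out of an HTML message and reports those whose visible text names one host while the href points at another. Only links whose text looks like a URL or domain are judged, since "Click here" gives nothing to compare against. The sample message is constructed and uses reserved example domains.

```python
"""Find email links whose visible text claims one site but point to another.

Added example, not from the original post. The sample message is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible text that looks like a URL or bare domain, e.g. "www.x.example/path".
URL_LIKE = re.compile(r"^(https?://|www\.)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s: str) -> str:
    """Hostname of a URL or bare domain, lower-cased ('' if none)."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def mismatched_links(html: str) -> list[tuple[str, str]]:
    """Return (visible text, real href) for links whose hosts disagree."""
    collector = _LinkCollector()
    collector.feed(html)
    out = []
    for href, text in collector.links:
        if URL_LIKE.match(text) and host_of(text) != host_of(href):
            out.append((text, href))
    return out


# Constructed phishing-style message: one honest link, one lying link, and
# one whose text cannot be checked.
SAMPLE_EMAIL = """
<p>Your statement is ready at
<a href="https://bank.example.com/login">https://bank.example.com/login</a>.</p>
<p>Unusual activity? Verify now:
<a href="http://bank.example.com.attacker.test/verify">bank.example.com/verify</a></p>
<p><a href="http://attacker.test/unsub">Click here</a> to unsubscribe.</p>
"""

if __name__ == "__main__":
    for text, href in mismatched_links(SAMPLE_EMAIL):
        print(f"link text {text!r} actually points at {href!r}")
```

The second link is the interesting one: the real host is a subdomain of attacker.test, and the familiar bank name at the front is just a label the attacker chose. Comparing hostnames rather than raw strings is deliberate, so that a trailing path or an http/https difference alone does not raise a false alarm.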
- Don't rely on files continuing to exist. Back them up. Don't rely on the backups continuing to exist, either: backup drives crash too. As Ronald Reagan said: Доверяй, но проверяй. Trust but verify. Except don't trust. Verify that you can retrieve them yourself.
- Never keep the only copy of a file on the device you used to create it. We had one guy who stored his data on a piece of lab equipment that ran Windows. (We had no choice: the manufacturer designed it that way.) No one else knew it was there. The hard drive eventually crashed and six months of data were permanently lost. This sort of thing happens a lot with Windows, but all computers will eventually become unbootable.
- Software should only do one single task. If your email client allows you to open links, download software, or start programs (like a word processor), it is fundamentally flawed. There's little to stop it from running something harmful. No matter how conscientious you are, sooner or later you'll be tired or careless and click on a link. Then it's game over.
People always tell you never to run as administrator, because that allows rogue software to trash your system. But an OS can be re-installed. Your data files are irreplaceable.
- Never connect a computer running an old OS like XP to the Internet. There are lots of expensive machines, like mass specs and MRI scanners, running software that depends on an old operating system. These have to be air-gapped so that there's no possibility of anything from the Internet reaching them. Bear in mind that an air gap is only as good as the discipline around removable media. As Darth Vader used to say: Never underestimate the power of the floppy disk!
- Finally, the best advice: Stay the hell off the Internet! If you must browse, tie your hands behind your back and wear a blindfold. Trust me, you won't miss much.
Administrators and managers
Computer sysadmins probably know most of the above stuff, but there are some
things they might forget.
Some people think the solution is to block everything that moves. But users only
care about getting their work done. If you block everything, IT will rightly be
seen as a threat to their jobs. They won't cooperate, and they'll find a way
around it.
- Keep write permissions to a minimum. Keep backups read-only and test them routinely. These days, tar, zip, and rsync are just additional points of failure. Keep a copy of the individual files and encourage end users to verify their integrity.
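Both the end-user advice above (verify that you can actually retrieve your backups) and this point (keep plain copies of individual files and check their integrity) come down to the same mechanism: record a hash of every file when the backup is made, and compare against it later. The following is an added example, not code from the original post. It writes a SHA256SUMS manifest in the same format that the sha256sum -c tool reads, so users can verify a backup with or without this script; the manifest name is an assumption, and the files in the demo are constructed inside a temporary directory.

```python
"""Write a SHA-256 manifest beside a backup and verify it later.

Added example, not code from the original post. It works on a directory of
plain files (no tar/zip), which is what the post recommends; the demo files
are constructed in a temporary directory.
"""
import hashlib
import tempfile
from pathlib import Path

MANIFEST = "SHA256SUMS"  # assumed name; `sha256sum -c SHA256SUMS` reads this format


def sha256_of(path: Path) -> str:
    """Streamed SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(root: Path) -> int:
    """Hash every file under root (except the manifest) into root/SHA256SUMS.
    Returns the number of files recorded."""
    lines = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name != MANIFEST:
            rel = p.relative_to(root).as_posix()
            lines.append(f"{sha256_of(p)}  {rel}\n")  # two spaces: sha256sum format
    (root / MANIFEST).write_text("".join(lines))
    return len(lines)


def verify_manifest(root: Path) -> dict:
    """Compare the tree against its manifest.
    Returns {'ok': [...], 'changed': [...], 'missing': [...], 'extra': [...]}."""
    result = {"ok": [], "changed": [], "missing": [], "extra": []}
    listed = set()
    for line in (root / MANIFEST).read_text().splitlines():
        digest, _, rel = line.partition("  ")
        listed.add(rel)
        p = root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_of(p) != digest:
            result["changed"].append(rel)
        else:
            result["ok"].append(rel)
    # Files that appeared after the manifest was written are worth knowing about too.
    for p in root.rglob("*"):
        if p.is_file() and p.name != MANIFEST:
            rel = p.relative_to(root).as_posix()
            if rel not in listed:
                result["extra"].append(rel)
    return result


def demo() -> tuple[dict, dict]:
    """Constructed scenario: a clean verification, then one file silently
    corrupts and another disappears from the backup drive."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "lab").mkdir()
        (root / "lab" / "run1.csv").write_bytes(b"t,signal\n0,1.0\n1,1.1\n")
        (root / "notes.txt").write_bytes(b"sample prep notes\n")
        write_manifest(root)
        before = verify_manifest(root)
        (root / "lab" / "run1.csv").write_bytes(b"t,signal\n0,1.0\n1,9.9\n")
        (root / "notes.txt").unlink()
        after = verify_manifest(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("fresh backup:", before)
    print("after bit rot and a deletion:", after)
```

Keep the manifest on read-only media alongside the files, or somewhere the backup target cannot write to; a manifest that sits on the same failing drive, or that malware can rewrite, tells you nothing. Running the verification on a schedule turns "the backup exists" into "the backup was readable and intact on this date", which is the claim that actually matters.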
- Don't allow executable files to exist in tmp directories. On Linux you can mount /tmp (and /var/tmp) with the noexec, nosuid and nodev options so that nothing dropped there can be run directly. Treat that as one layer rather than a complete control: a script in /tmp still runs if it is handed to an interpreter explicitly (bash /tmp/x.sh), so a periodic check for files with the execute bit set there is a worthwhile second look.
- If you've got a cable router or WAP, congratulations: you're an administrator. These devices all ship with default passwords. Change them, turn off administration from the Internet-facing side, and set up the firewall before connecting them to the Internet.
- This one is for managers: either run a server securely or don't run one at all. Many small companies try to fly under the radar, thinking they're small enough not to be a target. There's value in having local control, but even a small server requires constant attention: intrusion detection systems must be installed, logs must be monitored daily, and security notices must be monitored and understood. Cutting costs here is like running a building with no fire extinguishers and no sprinklers: one mistake and you're toast.
Developers
- Stop adding features! Image files should never contain executable content. Email clients should never be able to install software. All software should keep its configuration in text files. System software, user-installed software, and user data should all be independent (and preferably on different partitions).