In recent years another new term has emerged to describe yet more malicious software that attacks users. This one is called ransomware.
So what does ransomware do?
When a computer becomes infected with this software, all the files on the computer get encrypted. The user is then notified and offered the option of paying a ransom to get the secret decryption key in order to recover the files. If the user refuses to pay up, all the encrypted files are lost.
There has been a large increase in ransomware attacks worldwide in recent months. The Information Security Office team is seeing large numbers of spam emails being intercepted here at Otago that are connected to ransomware attacks.
A recent attack
Many staff recently received an email claiming to be from a lawyer that suggested the user had breached copyright on some material. This spam was deliberately sent during the weekend so that users would not have the usual support channels available (Alarm bell #1). This email was sent to many other Universities.
An analysis of the email by another institution revealed some interesting things.
- The email had a zip file attached (Alarm bell #2)
- The zip file attached to the email contained a pdf that had a script in it (Alarm bell #3)
- This script requested the user to install a special font in order to read the pdf (Alarm bell #4)
- If the user (or their IT support person) finds the font and installs it then the ransomware is installed and immediately starts encrypting all the user’s files INCLUDING those on file shares.
Targeted spam attacks are getting more sophisticated. They use real companies' and individuals' names. They are sent outside normal work hours, i.e. during weekends or holidays, or overnight. They often appear to be relevant to the target people, i.e. copyright issues for academics, or account information for financial staff.
Things to do (or not do)
- Do not respond to unexpected emails outside work hours (It really isn’t that urgent)
- Do not respond to requests to “take an action” (It truly is not that urgent)
- Check with IT staff or colleagues if you get an unusual email. Chances are it will be a known attack, or it will alert staff of a new one under way
- Be prepared. Make sure all your data files are properly backed up. Some of the ransomware attacks are now targeting backups as well as file shares, so backups should not be accessible to the attack
For more information or assistance, contact the ITS ServiceDesk or the Information Security Office.
TrueCrypt is dead
We used to recommend TrueCrypt as an effective file encryption solution, suitable for exchanging data sets over untrusted networks as well as for medium-term offline storage or backups.
Unfortunately, over the last few weeks it has become clear that the TrueCrypt authors have withdrawn their support for the product; and while the source code is available (and is actively being audited), it is not Open Source licensed, and should not be used in the future. TrueCrypt is effectively dead.
What should I do?
What does this mean for people who are currently using TrueCrypt? I’d recommend that you migrate your data out of TrueCrypt and into some other format; not in a rush, because there are no currently-known attacks or vulnerabilities in the product, but in a well-planned way. You should not start any new storage schemes using TrueCrypt.
What alternatives are there?
There doesn’t seem to be any useable and “free” software that does everything that TrueCrypt did, but most people we talk to don’t actually need all of those features at the same time anyway.
We are currently recommending the 7z archive format with AES encryption as a solution to:
- Cross-platform support
- Protection in transit (email, dropbox, etc); sharing
- Medium-term storage on untrusted media
Please be aware that University-owned data should always be accessible by the University itself; so if the only copy of your data is encrypted in this way, the passphrase used as the key needs to be made (securely) available to the appropriate people (usually your employment line management).
7z is the file format originally implemented by the Open Source 7-Zip file archiver; it is publicly described and there are now multiple software implementations available. It is currently regarded as the ‘best’ performing compression software available. Read more on the Wikipedia entry. Command-line users might like the p7zip implementation, packaged in Debian and in the EPEL repository for Red Hat.
7z applications usually do not use encryption by default; make sure that you select this option for secure storage.
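As an added example (not code from the original post or from the 7-Zip/p7zip projects), this is how a command-line user would create such an archive with p7zip so that both the file data and the file names are encrypted, and how to check that the archive cannot be listed without the passphrase; the `7z` binary name, the paths and the passphrase are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from the 7-Zip/p7zip
# projects. Assumes the p7zip "7z" binary is on PATH; paths and the
# passphrase below are placeholders for illustration.

# Create an encrypted archive. "-p" turns on AES-256 for the file data
# (7z does NOT encrypt by default); "-mhe=on" also encrypts the archive
# headers so that file names are hidden from anyone without the passphrase.
# Note: a passphrase given on the command line is visible in the process
# list; "-p" with no value makes 7z prompt for it interactively instead.
encrypt_7z() {
    # $1 = archive to create, $2 = file or directory to archive, $3 = passphrase
    7z a -t7z -mhe=on -p"$3" "$1" "$2" >/dev/null
}

# Return 0 if the archive refuses to list its contents with a wrong
# passphrase (headers are encrypted); return 1 if the file names are
# readable anyway, meaning only the data, not the headers, is protected.
check_headers_encrypted() {
    # $1 = archive path
    if 7z l -p"not-the-real-passphrase" "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Demonstration on a constructed sample directory; skipped if 7z is absent.
demo_secure_archive() {
    command -v 7z >/dev/null 2>&1 || { echo "7z not installed"; return 0; }
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/data" && echo "sample record" >"$tmp/data/notes.txt"
    encrypt_7z "$tmp/secure.7z" "$tmp/data" "example-passphrase" || return 1
    if check_headers_encrypted "$tmp/secure.7z"; then
        echo "OK: file names and data are encrypted"
    else
        echo "WARNING: file names are readable without the passphrase"
    fi
    rm -rf "$tmp"
}

demo_secure_archive
```

An archive created with `-p` but without `-mhe=on` still lists its file names to anyone, which is the case the check above flags.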
Screenshot of the takedown notice on megaupload.com
Update: Megaupload lawyers report that user data may be destroyed by the end of this week (30 Jan – 5 Feb 2012)
This isn’t a post about copyright infringement. This is a post about backing up your data.
Popular file-sharing site Megaupload was shut down on 19 January 2012, and its owners arrested. Of course, all the servers have been seized as evidence, and therefore all uploaded content, including non-infringing files that are not under investigation, is unavailable indefinitely.
Understandably, people whose only copies of important files were on Megaupload are slightly miffed.
- Always keep backups of important files
- Cloud storage can fail
- You are always responsible for your data.
Spideroak and Wuala offer secure storage (you hold the only copies of the encryption keys), and the free storage space is enough for most people if you prioritize important files.
Disclaimer: I use Spideroak (the free version) and I’m very happy with it. I’m not endorsing them, just informing you that they exist. I have not used Wuala, but their security mechanism appears to be very similar.