Welcome back to the second part in our series of short blogs from Twitter chats we have had to mark the 14th National Cybersecurity Awareness Month (NCSAM). The National Cyber Security Alliance (@NatlCyberSecAlliance) is once again hosting a series of Twitter chats every Thursday in October using the hashtag #ChatSTC (moderated by @STOPTHNKCONNECT), in which ESET researchers are once again participating.
In the first part of our series we addressed issues such as the role an everyday internet user has in making the internet a safer place, and ID theft. The second part of the Twitter chat continues with the theme of Simple Steps to Online Safety.
Simple Steps to Online Safety: Thursday, Oct. 5, 2017, 3:00-4:00 p.m. EDT/12:00-1:00 p.m. PDT
Q4a: What exactly is ransomware, and what are the potential consequences of falling victim to this type of attack?
Bruce P. Burrell: Ransomware is what it sounds like: it's software that takes something hostage and demands a ransom. That could be the whole computer -- won't boot until the ransom is paid (or the machine is wiped) – or some subset of objects on the computer (usually end-user data, like business documents, images, videos, etc). Usually, the attack swath is broad – it's much more compelling to the victim to have to pay if almost everything is inaccessible than if it's only "pictures you took at 5PM last Wednesday."
Consequences? Well, it depends. For example, some ransomware is pretty easy to defeat. Either a general purpose antimalware suite may be able to repair the damage, or standalone tools may be able to restore access.
Since a lot of ransomware encrypts the host data, it depends on how good the encryption algorithm is.
Let's consider the worst case: the data have been encrypted with a strong algorithm (that, via brute force, might take a billion years to decrypt on today's fastest computers), and backups do not exist. Then the victim might face bankruptcy if a business, and loss of all those cat-and-hamster videos if an end user. Both, obviously, untenable situations.
On the business side, there are other repercussions as well. Customers might move to a competitor; there could be imposing legal costs; there's the hit to the reputation and the stock price.
Of course, paying a ransom has no guarantee of success. Indeed, we've even seen cases where there's no way to pay the ransom in the first place, or where the attackers didn’t get the decryption key … so if you pay, not only are you funding criminal enterprise, you have no assurance of getting your data back.
Aryeh Goretsky: It is denying someone use of their PC until a ransom has been paid and paying the ransom does not guarantee you'll get use back.
David Harley: Depriving you of your data, use of your computer or other device, until you pay the ransom.
Closely related are some kinds of Denial of Service attack, and support scams that involve real damage to a victim's system.
Lysa Myers: Most common type is “Crypto-ransomware” which garbles files so they can’t be used.
Q4b: What can people and businesses do to protect themselves from ransomware and/or recover their files?
Bruce P. Burrell: Of course, having a properly-configured antivirus suite like one of ESET's current offerings (for Home or Business markets) will help a lot, but there are things that can be done in addition. Make backups, test them, and KEEP AT LEAST SOME OF THOSE BACKUPS OFFLINE. Make sure that you keep patched (OS, apps) and that unneeded services are disabled or, better yet, uninstalled. RDP is an important example of something that's better to remove, if possible; if it must be kept installed, it's really important to configure it very carefully.
Aryeh Goretsky: Backups, keep OS and apps patched, run security software, + backups (they are so important I mentioned them twice)
David Harley: Did anyone mention backups? ;) Don't rely completely on security software, or assume that you'll be able to 'buy' recovery from the crooks.
Lysa Myers: Backup, backup, backup. With regular, tested backups ransomware becomes a nuisance rather than a catastrophe. The usual malware-prevention advice also holds: use layers of protection to minimize risk. Best to prevent rather than pay.
Do not pay the criminals if at all possible. There’s no guarantee that decryptor will work & you’ll have ID'd yourself as an easy mark.
Q5: What does the growing Internet of Things (IoT) mean for our personal info? What should we do before connecting things to the internet?
Bruce P. Burrell: Just Say No. I have; so should you. :-p Or you can say yes, and give your PII to the attackers. Your call.
David Harley: IoT = devices you don't think of as computers, but also computers that don't need to be connected yet are. They may be unsafe by default.
Lysa Myers: Stop & Think before Connecting “smart” devices. Do you really need a “connected” fork? Thermometer? Washing Machine? If you’ve connected an IoT device, protect it as best you can. Secure it at the router, change default password at minimum.
Q6: What should someone do if they think they’ve fallen victim to cybercrime?
Bruce P. Burrell: Report it to law enforcement – it appears that LE is not fully aware of the magnitude of the problem. While your report may not get your issue addressed, overall it may help increase funding and hence long-term improved LE response.
Report it to your antivirus provider: maybe they can help to prevent similar events in the future, either by helping you have more appropriate settings, or by fixing their software to handle new attacks.
And, cautiously, report it to your close acquaintances, particularly if it's a "lessons learned" scenario. But be careful not to spread rumors and innuendo; get your facts straight first! [Ask your local tech geek for assistance in putting together your text, if possible.]
Aryeh Goretsky: File a report with local police and IC3.GOV.
David Harley: All good advice, but don't expect too much from law enforcement. Even if they realize the range of problems, they're probably under-resourced for 'small' cases.
(To which Bruce responded by pointing out that "Even if reporting it doesn't get the attacker arrested or my money/files/whatever back, it may help make the world a better place overall, and I benefit in that as well.")
Lysa Myers: Depends on specifics of the crime, but an oft-overlooked step is to report it so we can gather stats. https://www.ic3.gov/default.aspx
Q7: What are a few simple, core tips anyone can follow this month to be safer & more secure #online?
Bruce P. Burrell: Not just this month. ANY month.
- "Never open attachments or click on links in unsolicited email, IMs, FB posts, tweets, etc., even when they appear to be from those you know and trust." If you feel you must open/click, contact the apparent sender via other means – e.g., if it was an email, then contact by phone, etc. – and ask if s/he sent that message. If not, surely it's bogus; if so, then ask what it is. While that still might get you into hot water, at least you'll know who your true friends are.
- Make backups often, test them, and keep at least one backup offline.
- If it looks too good to be true, it IS too good to be true – that is, it's false. [Once in a very blue moon, this maxim will fail, but you're far better off using it as your default.]
- And of course, keep your OS and your apps patched, and spend as much time as you can afford keeping up with security developments, from sources you trust. [Ideally, we'd like you to consider WLS (and ESET, and USRT – the ESET US Research Team – in particular) trusted sources, but of course trust is earned, so check us out and make your own decision.]
Aryeh Goretsky: Test your backups. Make sure all your OSes + software are up to date. Scan your PC for threats.
David Harley: Unlimited trust is a luxury, and costs accordingly. Trust but verify.
(Quite) a few more tips: https://www.welivesecurity.com/2015/03/13/heimdal-blog-19-experts-50-security-tips/
Lysa Myers: Add another layer of protection to what you already have: Enable 2FA. Encrypt your data. Make & test backups. [2FA = two-factor authentication]
Q8: What resources do you recommend for internet users looking to connect in a safer & more secure way?
Bruce P. Burrell: WLS, ESET Customer Care/Tech Support. Graham Cluley and Brian Krebs. And other reputable security vendors – but the point is, as I said elsewhere, that trust is earned. So read carefully and use your noodle; see what sounds right and, if experience bears it out, add a few trust points to that resource. And if they get it wrong, at least for you? Subtract a few.
Once the total gets high – or low – enough, then consider trusting (or distrusting) more or less implicitly. And remember that while everybody makes a mistake now and then, it's different if someone tries to deceive: in that case: it's probably harsh, but personally I go for
"Distrust everything from that source thereafter, unless or until proven true by subsequent, external sources. But never trust that source again without corroboration from a trusted source."
Oh: and if there is a route to make contact (as we provide on WLS with AskESET), please ask when you have questions! Can't guarantee you'll get a reply, or that we know the answer(s) … but we certainly can't answer if you don't ask!
Aryeh Goretsky: www.securingourecity.org + www.welivesecurity.com
Lysa Myers: WeLiveSecurity, obviously.
We encourage you to check out the chats on Twitter and other events, and take advantage of the commentary and advice offered by other players in the security industry. We also encourage you to check out a page put up by ESET offering lots of free cybersecurity resources to help you become more #CyberAware.
WeLiveSecurity will have more blogs relating to the events coming next week so keep and eye out for them.