
The Government Relies on Motherhood Statements to Deal with Ransomware


From a general business perspective, the concept of having your data held for ransom is absolutely terrifying and potentially lethal, totally apart from the ruinous personal implications.

So it is somewhat unnerving when a government official states that the victim should not consider paying the ransom.

It’s easy for bureaucrats to say that: they have a secure income and, should the government’s data be compromised, they suffer no personal loss as a private business does.

On the government’s Australian Cyber Security Centre’s (ACSC) website we find the following handy hints, including updates on the impact of the Petya ransomware campaign. June 29 2017 10:55AM: “We are aware of media reports regarding three allegedly affected companies in Australia and have reached out to offer assistance. Computer Emergency Response Team (CERT) Australia has made contact with all of these organisations.”

The common approach from all three victims seems to be: don’t panic, have a cup of tea and patch your IT system.

The problem with that approach is it will not change much and the next attack is going to be just as devastating because nothing has fundamentally changed.

It seems obvious that we are not solving problems but are treating symptoms.

Reports from the international CERT community indicate that only a relatively small number of victims have been impacted globally.

However many of the affected organisations are large, multinational companies and the impact on them has been severe, with the effects being seen in multiple countries.

The ransomware leverages publicly known vulnerabilities in Microsoft Windows as well as common lateral movement techniques utilising administrative tools.

Microsoft published patches to mitigate these vulnerabilities in March 2017.

Telling people to apply patches is a classic example of a motherhood response: for people without much technical know-how it can give rise to a false sense of security, since subsequent malware can easily avoid the patches.

Public reporting has identified a possible ‘vaccine’ mechanism.

There are conflicting reports on the effectiveness of and technical detail about this alleged vaccine.

Even if it provides protection against Petya it is highly unlikely that it would be effective against any other form of ransomware.

The motherhood story then continues on the topic of Activity: “Once infected, the malware creates a scheduled task to sleep between 10 and 60 minutes before a reboot is triggered.

“The malware clears system logs to make further analysis more difficult.

“When the malware has completed the reboot, it encrypts files on the computer.

“The malware also encrypts the master boot record (MBR) to prevent offline tampering or file recovery and adds a custom boot code. This code prevents users from loading anything on the computer beyond the ransom screen message.”
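The two behaviours the advisory describes before the reboot (clearing the Windows event logs, then scheduling a forced restart 10 to 60 minutes out) are observable on a host before any file is encrypted. The following detection logic is an added example, not code from the article or the ACSC; it assumes simplified process-creation records in a constructed "timestamp|host|command line" form, and assumes the log clearing is done with `wevtutil cl` and the restart with a `schtasks` task whose action is `shutdown /r`.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample process-creation records (timestamp|host|command line);
# they are illustrative, not events taken from the article or a real incident.
SAMPLE_EVENTS = [
    "2017-06-27T10:02:11|WS-17|C:\\Windows\\System32\\wevtutil.exe cl Security",
    "2017-06-27T10:02:12|WS-17|wevtutil cl System",
    '2017-06-27T10:02:40|WS-17|schtasks /Create /SC once /TN "" /TR "C:\\Windows\\system32\\shutdown.exe /r /f" /ST 10:45',
    "2017-06-27T10:03:00|WS-22|schtasks /Create /SC daily /TN Backup /TR backup.exe /ST 23:00",
    "2017-06-27T10:05:15|WS-22|notepad.exe report.txt",
]

# Assumed command shapes: event-log clearing via wevtutil, and a scheduled
# task whose action is a forced reboot (shutdown /r) at a fixed start time.
LOG_CLEAR = re.compile(r"wevtutil(?:\.exe)?\s+cl\s+(\w+)", re.IGNORECASE)
REBOOT_TASK = re.compile(
    r"schtasks\s.*?/Create\s.*?/TR\s+\"?.*?shutdown(?:\.exe)?\s+/r.*?/ST\s+(\d{1,2}:\d{2})",
    re.IGNORECASE,
)

def reboot_delay_minutes(timestamp, start_time):
    """Minutes between task creation and its scheduled start (same day assumed)."""
    created = datetime.fromisoformat(timestamp)
    hh, mm = (int(x) for x in start_time.split(":"))
    scheduled = created.replace(hour=hh, minute=mm, second=0)
    return (scheduled - created).total_seconds() / 60

def scan(events, min_delay=10, max_delay=60):
    """Return {host: set(indicators)} for the two behaviours the advisory describes."""
    findings = defaultdict(set)
    for line in events:
        ts, host, cmd = line.split("|", 2)
        if LOG_CLEAR.search(cmd):
            findings[host].add("log_clear")
        m = REBOOT_TASK.search(cmd)
        if m and min_delay <= reboot_delay_minutes(ts, m.group(1)) <= max_delay:
            findings[host].add("delayed_reboot_task")
    return dict(findings)

def hosts_matching_pattern(events):
    """Hosts showing both indicators: log clearing plus a reboot scheduled 10-60 minutes out."""
    return sorted(h for h, ind in scan(events).items()
                  if {"log_clear", "delayed_reboot_task"} <= ind)

if __name__ == "__main__":
    for host in hosts_matching_pattern(SAMPLE_EVENTS):
        print(f"{host}: log clearing followed by a delayed forced-reboot task")
```

Either indicator alone is noisy (administrators clear logs and schedule restarts); requiring both on the same host within the stated window is what makes the pattern worth paging on, and it fires while there is still time to isolate the machine.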

To date the government’s response has been as follows: “The Australian Cyber Security Centre has advised that, if you are affected by the Petya ransomware incident, you should contact your service provider immediately.

Small businesses can contact ACORN (Australian Cybercrime Online Reporting Network).

Large organisations are advised to follow their normal procedures and report to the Australian Cyber Security Centre (ACSC).

“We continue to monitor the situation closely for any impact and will provide updates as necessary.”

As you can see from the notice, we are looking at advice that can be helpful but in most cases is too late and not very practical to implement.

If it were, most victims would have already done so.

The sad truth is that, despite lots of regulations, the Microsoft quasi-monopoly has not managed to create an operating system that can be protected from even medium-level cyber criminals.

While this generates revenue for online security companies it leads to enormous loss of productivity that goes uncompensated.

The internet should be subject to sovereign controls and cyber audits of routers and servers, like a physical highway.

Such measures would reduce a lot of cyber incidents, more so than compulsory data and metadata storage, which helps at best after the cyber horse has bolted.

Roger Hausmann
