WannaCry

Finally, something that warrants blogging about!  You’ve heard about the WannaCry ransomware attack.  To refresh your memory, it was international, and it hit hospitals, governments, businesses both large and small, and, of course, individuals.  The attack exploited a known vulnerability in Windows file sharing (SMBv1) that Microsoft had already fixed in March 2017, two months before the outbreak (security bulletin MS17-010)!!!  Machines that had not applied that update were exposed, and so were systems too old to receive it at all, such as Windows XP, which Microsoft patched only after the attack was under way.

The ransomware had two parts: a sophisticated worm that travelled from computer to computer on its own, built on an attack tool (the EternalBlue exploit) stolen from the NSA and published online, and a far less sophisticated extortion component that encrypted your files and demanded payment in Bitcoin by a deadline in exchange for removing the encryption.  Since there were two parts to the attack, there are two issues that must be addressed by you, and by any organization that was either attacked or vulnerable.

The extortion is the easier part to defend against, so I’ll discuss it first.  It’s simple: back up your data, either remotely to a cloud service or locally.  That removes the threat of losing all your precious data.  One caveat: the backup must keep older versions and must not be permanently writable from the machine it protects.  Ransomware encrypts every drive it can reach, so an always-connected backup disk, or a mirror that simply syncs the current state of your files, will faithfully copy the encrypted versions over the good ones.  I use Apple Airport Extreme and the Apple Time Machine utility for local backups, but there are many alternatives for Apple Macintoshes, Windows PCs, and Linux computers.  At worst, your system is down for some hours while you reinstall software and restore your own saved data.  That time lag is a disaster for a hospital, but a hospital shouldn’t be running unsupported systems like Windows XP, or supported ones it hasn’t patched, and it should be under careful cyber management.
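To make the backup caveat concrete, here is an added example (my code, not the post’s) that builds a tiny versioned snapshot store in a temporary directory and pits it against a plain mirror sync.  The sample file, the directory names and the toy “encryption” are all constructed for the demo; XOR stands in for the real payload only so that the file becomes unreadable.

```python
"""Why a backup must keep history: a tiny snapshot store versus a plain mirror.

Added example for this post, not code from it.  Everything here (paths, the
sample file, the toy "encryption") is constructed so the script runs offline
in a temporary directory and cleans up after itself.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Fingerprint a file so we can tell a clean copy from a damaged one."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def mirror(source: Path, dest: Path) -> None:
    """One-way sync in the style of `rsync --delete`: dest ends up identical
    to source.  That is exactly the problem: if source was just encrypted by
    ransomware, the next sync copies the ciphertext over the good copy."""
    if dest.exists():
        shutil.rmtree(dest)
    shutil.copytree(source, dest)


def snapshot(source: Path, store: Path) -> Path:
    """Copy source into a brand-new numbered directory under store.
    Earlier snapshots are never modified or deleted, so a later overwrite of
    the source cannot reach them.  A real tool would also keep the store on a
    medium the protected host cannot write to (offline disk, object lock)."""
    store.mkdir(parents=True, exist_ok=True)
    n = sum(1 for p in store.iterdir() if p.is_dir())
    dest = store / f"snap-{n:04d}"
    shutil.copytree(source, dest)
    return dest


def restore(snap: Path, target: Path) -> None:
    """Put the snapshot's contents back in place of the damaged working copy."""
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(snap, target)


def fake_ransomware(path: Path, key: bytes) -> None:
    """Constructed stand-in for the encryption stage.  XOR is not real
    cryptography; it only makes the file unreadable, which is all the demo
    needs in order to show what each backup strategy preserves."""
    data = path.read_bytes()
    path.write_bytes(bytes(b ^ key[i % len(key)] for i, b in enumerate(data)))


def demo() -> dict[str, bool]:
    """Run the scenario end to end and report what each strategy preserved."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        work = root / "documents"
        work.mkdir()
        doc = work / "records.csv"
        doc.write_text("id,name\n1,Alice\n2,Bob\n")  # constructed sample data
        clean = sha256_of(doc)

        # Night 1: both strategies back up the healthy file.
        mirror(work, root / "mirror")
        snap1 = snapshot(work, root / "snapshots")

        # Day 2: the extortion component runs on the working copy.
        fake_ransomware(doc, b"constructed-demo-key")
        assert sha256_of(doc) != clean

        # Night 2: the scheduled jobs run again.  The mirror faithfully copies
        # the damage over its only copy; the snapshot store merely gains a
        # new (damaged) entry next to the intact one.
        mirror(work, root / "mirror")
        snapshot(work, root / "snapshots")

        mirror_ok = sha256_of(root / "mirror" / "records.csv") == clean
        snapshot_ok = sha256_of(snap1 / "records.csv") == clean

        # Recovery: roll the working copy back to the last good snapshot.
        restore(snap1, work)
        restored_ok = sha256_of(work / "records.csv") == clean

        return {
            "mirror_kept_clean_copy": mirror_ok,
            "snapshot_kept_clean_copy": snapshot_ok,
            "restore_from_snapshot_worked": restored_ok,
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'yes' if ok else 'NO'}")
```

Run it and the mirror reports NO while the snapshot store reports yes on both counts.  Time Machine, and any competent backup tool, keeps history the way `snapshot` does; the trap is a hand-rolled nightly sync, or a cloud folder that mirrors whatever is currently on disk.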

Why don’t people or organizations update their old computer’s operating system software automatically?  Here are a few reasons:

  1. Laziness
  2. Cost
  3. Loss of productive working time
  4. Upgraded operating systems may not work well, or even not at all, with specialized software.

The worm is the scarier of the two.  It was stopped, largely by accident, by a single security researcher who noticed that the worm tried to connect to one specific web address before doing anything else.  The address was not a numeric Internet address but a long, random-looking domain name that nobody had ever registered, so in the real world the connection always failed.  The check was a crude anti-analysis test: malware sandboxes often answer every network request so they can observe what a sample does, and the worm’s author assumed that if the connection succeeded the code must be running inside such a “sandbox” and should quietly exit.  Out in the wild the connection failed, so the worm concluded it was free to act and went on to encrypt files and infect other computers.  The researcher registered the domain for a few dollars and pointed it at a server that answered every request (a “sinkhole”).  From that moment every newly infected machine got a reply, took it as a sign of analysis, and shut itself down before encrypting anything or spreading further.  Computers that had already been encrypted were not helped, and a network that blocked the domain, or gave its machines no direct Internet access, undid the protection, because there the connection still failed.
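The inverted logic is easy to get backwards, so here is an added example (my code, not the worm’s or the post’s) that models the gate and then shows the flip side for defenders: once the domain was sinkholed, a lookup of it in your DNS logs marks an infected host that exited quietly and still needs patching and cleaning.  The gate is a simplified model of the real check, and the DNS log lines are constructed.

```python
"""The WannaCry kill switch, modelled, and the detection signal it left behind.

Added example for this post, not code from the malware or the post.  The gate
below is a simplified model of the check; the DNS log is constructed.
"""
from __future__ import annotations

from typing import Callable, Iterable

# The domain the worm tried to reach, registered (sinkholed) in May 2017.
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"


def worm_would_proceed(connect: Callable[[str], bool]) -> bool:
    """Model of the malware's anti-analysis gate.

    Sandboxes commonly answer every name lookup and connection so they can
    watch what a sample does.  The author therefore treated "this unregistered
    domain answered" as proof of being analysed, and exited.  Note the
    inversion: a SUCCESSFUL connection stops the worm; a FAILED one lets it run.
    Registering the domain made the connection succeed everywhere.
    """
    return not connect(KILL_SWITCH_DOMAIN)


def internet_with(registered: set[str]) -> Callable[[str], bool]:
    """Constructed stand-in for the Internet: a connection succeeds only if
    someone has registered (and is answering for) the name."""
    return lambda name: name in registered


def normalise(qname: str) -> str:
    """DNS names are case-insensitive and loggers differ on the trailing dot."""
    return qname.rstrip(".").lower()


# Constructed DNS resolver log: "<client_ip> <queried_name>" per line.
SAMPLE_DNS_LOG = """\
10.0.4.17 update.microsoft.com
10.0.4.23 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
10.0.4.17 www.example.org
10.0.9.2 IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM.
10.0.4.23 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
"""


def hosts_querying_kill_switch(
    log_lines: Iterable[str],
    domains: Iterable[str] = (KILL_SWITCH_DOMAIN,),
) -> set[str]:
    """Return the client IPs that looked up a kill-switch domain.

    Once the sinkhole was live, an infected host still performed the lookup
    before exiting, so the query itself marks a machine that has been hit and
    needs to be patched and cleaned even though nothing on it was encrypted.
    Exact-name match only, after normalising case and the trailing dot.
    """
    wanted = {normalise(d) for d in domains}
    hits: set[str] = set()
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue  # skip blank or malformed records
        client, qname = parts[0], parts[1]
        if normalise(qname) in wanted:
            hits.add(client)
    return hits


if __name__ == "__main__":
    before = worm_would_proceed(internet_with(set()))
    after = worm_would_proceed(internet_with({KILL_SWITCH_DOMAIN}))
    print(f"before registration the worm proceeds: {before}")
    print(f"after registration the worm proceeds:  {after}")
    print("hosts to remediate:",
          sorted(hosts_querying_kill_switch(SAMPLE_DNS_LOG.splitlines())))
```

Point `hosts_querying_kill_switch` at your resolver’s query log (adapt the two-column parsing to your format) and every host it returns was reached by the worm.  The sinkhole only stopped the damage; it did not remove the infection or the unpatched SMBv1 service underneath it.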

This type of worm is likely to recur.  Let’s hope that cyber security experts can stop it next time, but don’t count on it: the kill switch was a quirk of this particular author’s code, and the next worm may well not have one, which leaves patched systems and disabled legacy protocols as the only reliable defence.  It is highly unlikely that ransomware was the main goal of this attack.  It is far more likely that the goal was to infect millions of computers, waiting for the next time.  Infected computers, or zombies, are often used as hosts for future distributed denial-of-service attacks.

Here are your action items:

  • Update your operating system, and apply security patches as soon as they are released; the patch that would have stopped WannaCry had been available for two months.
  • If no updates are generally available, replace the OS, even if you have to buy a more powerful computer.
  • Turn off legacy network protocols you don’t need, such as SMBv1, which is what the worm used to spread.
  • Back up your data at least daily, and keep at least one copy where the machine being backed up cannot overwrite it.
  • Insist that your organization adopt better, much better, security practices.
  • Watch what you download, watch what you click on.
  • Don’t assume that computers running Microsoft Windows are the only ones vulnerable.  All operating systems have known vulnerabilities.