#370320 - 05/01/2018 18:22
Ransomware recovery
|
pooh-bah
Registered: 27/02/2004
Posts: 1919
Loc: London
|
We've had a ransomware attack on our Windows 2012 Server which is fine as we have backups of everything (I thought), unfortunately there's one folder which we don't have backups of and it contains the data files for our payroll data. They've all been encrypted with the following extension: .id-E40940C2.[ [email protected]].java Data restore on everything else is going well, but is there any way of decrypting these files?
Edited by tahir (05/01/2018 18:23)
|
Top
|
|
|
|
#370323 - 05/01/2018 18:56
Re: Ransomware recovery
[Re: tahir]
|
pooh-bah
Registered: 27/02/2004
Posts: 1919
Loc: London
|
|
Top
|
|
|
|
#370361 - 09/01/2018 12:59
Re: Ransomware recovery
[Re: tahir]
|
pooh-bah
Registered: 27/02/2004
Posts: 1919
Loc: London
|
Almost recovered everything now, it was a hacker that had logged into our system via rdp.
|
Top
|
|
|
|
#370362 - 09/01/2018 14:12
Re: Ransomware recovery
[Re: tahir]
|
carpal tunnel
Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
|
Did you have an insecure password or was it some sort of rdp vulnerability ?
_________________________
Remind me to change my signature to something more interesting someday
|
Top
|
|
|
|
#370363 - 09/01/2018 15:38
Re: Ransomware recovery
[Re: tahir]
|
pooh-bah
Registered: 27/02/2004
Posts: 1919
Loc: London
|
Insecure password, will be looking at all our options now
|
Top
|
|
|
|
#370364 - 09/01/2018 17:43
Re: Ransomware recovery
[Re: tahir]
|
carpal tunnel
Registered: 08/07/1999
Posts: 5549
Loc: Ajijic, Mexico
|
Insecure password, will be looking at all our options now In your world, what constitutes an insecure password? I know of two schools of thought about password security. I use LastPass generated passwords like 95Gd33#tWzM6 that are supposedly secure. Others say that a password like " This is my new password for my bank account and nobody will ever figure it out!" is actually more secure against a brute-force attack, with (counting upper/lower case, numbers, and special characters) something like 72 to the 79th power possible solutions. (79 characters, each with 72 possibilities). I imagine you have been giving considerable thought to password security lately, what are your thoughts on this? tanstaafl.
_________________________
"There Ain't No Such Thing As A Free Lunch"
|
Top
|
|
|
|
#370366 - 09/01/2018 18:00
Re: Ransomware recovery
[Re: tahir]
|
carpal tunnel
Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
|
The word one would be potentially more secure, if it actually used random words and the exclamation point was at a random location.
When word based passwords are recommended as being secure, they don’t mean English sentences. Google diceware
_________________________
Remind me to change my signature to something more interesting someday
|
Top
|
|
|
|
#370368 - 09/01/2018 18:01
Re: Ransomware recovery
[Re: tanstaafl.]
|
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
|
|
Top
|
|
|
|
#370369 - 09/01/2018 18:01
Re: Ransomware recovery
[Re: tahir]
|
carpal tunnel
Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
|
But the random gibberish password manager ones are very secure, if they are long. You really want 20 characters or so to plan for the future.
_________________________
Remind me to change my signature to something more interesting someday
|
Top
|
|
|
|
#370372 - 09/01/2018 18:14
Re: Ransomware recovery
[Re: andy]
|
carpal tunnel
Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
|
If you are going for word based passwords your passwords need to look more like:
rhode-newsman!compel-pulse-facedown-Burnout
I use passwords like that for my Apple ID, 1Password and Dropbox passwords. Then everything else is 20 random character stored on DropBox and accessed via 1Password.
Edited by andy (09/01/2018 18:15)
_________________________
Remind me to change my signature to something more interesting someday
|
Top
|
|
|
|
#370373 - 09/01/2018 18:16
Re: Ransomware recovery
[Re: tfabris]
|
pooh-bah
Registered: 27/02/2004
Posts: 1919
Loc: London
|
Thanks Tony
|
Top
|
|
|
|
#370374 - 09/01/2018 18:19
Re: Ransomware recovery
[Re: andy]
|
pooh-bah
Registered: 27/02/2004
Posts: 1919
Loc: London
|
If you are going for word based passwords your passwords need to look more like:
rhode-newsman!compel-pulse-facedown-Burnout
I use passwords like that for my Apple ID, 1Password and Dropbox passwords. Then everything else is 20 random character stored on DropBox and accessed via 1Password. Yes, trouble is getting users to remember them without emailing themselves an email with subject "Password". We've stopped all external access to the server for now and when we reinstate it'll probably be through a VPN. Passwords are tricky, will have to think of a sensible way. Maybe two random words with a random character in between?
|
Top
|
|
|
|
#370375 - 09/01/2018 18:48
Re: Ransomware recovery
[Re: tanstaafl.]
|
journeyman
Registered: 08/11/2017
Posts: 69
|
Insecure password, will be looking at all our options now In your world, what constitutes an insecure password? The existence of a password constitutes an insecure one. Brute force methods have been pretty easy for a while now if one has the hashed/secured copy, and continue to grow in power as GPUs and other tech continues to advance. And with flaws like Meltdown and Spectre leaking the clear text password possibly via Javascript, and, yeah... The world needs to really move on beyond passwords as any form of security. The one work environment that was all X.509 certificate based, even for SSH, was pretty nice. I'm just glad I wasn't the security person setting it up though
|
Top
|
|
|
|
#370380 - 09/01/2018 23:03
Re: Ransomware recovery
[Re: tfabris]
|
carpal tunnel
Registered: 08/07/1999
Posts: 5549
Loc: Ajijic, Mexico
|
That is exactly where I originally got the idea that a secure password doesn't have to be un-memorizable gibberish. tanstaafl.
_________________________
"There Ain't No Such Thing As A Free Lunch"
|
Top
|
|
|
|
#370383 - 10/01/2018 03:28
Re: Ransomware recovery
[Re: andy]
|
carpal tunnel
Registered: 08/03/2000
Posts: 12341
Loc: Sterling, VA
|
That is exactly where I originally got the idea that a secure password doesn't have to be un-memorizable gibberish. But it also shouldn't be a totally normal phrase or sentence. But the random gibberish password manager ones are very secure, if they are long. You really want 20 characters or so to plan for the future. I always pisses me off when I generate a password that length via Lastpass, and the site comes back and says something like "passwords can only be 6-12 characters long." SERIOUSLY?
_________________________
Matt
|
Top
|
|
|
|
#370387 - 10/01/2018 10:17
Re: Ransomware recovery
[Re: Faolan]
|
pooh-bah
Registered: 27/02/2004
Posts: 1919
Loc: London
|
The existence of a password constitutes an insecure one. Brute force methods have been pretty easy for a while now if one has the hashed/secured copy, and continue to grow in power as GPUs and other tech continues to advance. And with flaws like Meltdown and Spectre leaking the clear text password possibly via Javascript, and, yeah... The world needs to really move on beyond passwords as any form of security. The one work environment that was all X.509 certificate based, even for SSH, was pretty nice. I'm just glad I wasn't the security person setting it up though I agree with what you're saying, but how do you change? I have my personal bank account, mortgage account, credit card account, plus 6 business accounts that I need to remember creds for, plus of course apple, amazon, ebay and my network login. It's overload, and how secure is it really? Is there a USB card/dongle based login solution?
|
Top
|
|
|
|
#370388 - 10/01/2018 11:57
Re: Ransomware recovery
[Re: tahir]
|
carpal tunnel
Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
|
Using a dongle isn't really any more secure than using a pure software based password manager. Even with something with some hardware involved, with the current system of usernames and passwords, the plain text password needs to exist and be entered in the browser at some point in the process. Just use Lastpass or 1Password. Until the world as a whole adopts* a non password based authentication system, we are stuck with storing away big random passwords. * people have suggested such systems in the past and people are working on some now ( https://www.grc.com/sqrl/sqrl.htm ), but it doesn't seem likely that any such system will be widely used in the near future
_________________________
Remind me to change my signature to something more interesting someday
|
Top
|
|
|
|
#370391 - 10/01/2018 14:05
Re: Ransomware recovery
[Re: andy]
|
old hand
Registered: 29/05/2002
Posts: 798
Loc: near Toronto, Ontario, Canada
|
Using a dongle isn't really any more secure than using a pure software based password manager. Even with something with some hardware involved, with the current system of usernames and passwords, the plain text password needs to exist and be entered in the browser at some point in the process. ... Are you including the algorithmic devices that compute a response to a server’s challenge prompt? Such as an online banking ‘calculator’ that renders a numeric response to a numeric challenge, and is time coded, one time use?
|
Top
|
|
|
|
#370392 - 10/01/2018 14:29
Re: Ransomware recovery
[Re: tahir]
|
carpal tunnel
Registered: 29/08/2000
Posts: 14496
Loc: Canada
|
How quaint. I though that smart cards had replaced those things years ago -- getting rid of the need for display and keypad (and human errors) ?
|
Top
|
|
|
|
#370393 - 10/01/2018 14:30
Re: Ransomware recovery
[Re: K447]
|
carpal tunnel
Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
|
They can only really be a second factor in the login process. The problem is they can be stolen/lost.
The general rule for secure 2 factor authentication is "something you have, something you know". That HSBC device (and the devices that you insert your debit/credit card into) serves as the "something you have", you still need a password for the "something you know" side.
Devices like that protect your account (in theory*) if someone has got your password, but they can't be the only authentication factor.
* there have been plenty of cases where accounts have been protected by two factor authentication, but the account has still been hijacked because the service protected by the password provides a "call a human in a call centre and beg" fallback mechanism which can then fall victim to social engineering
_________________________
Remind me to change my signature to something more interesting someday
|
Top
|
|
|
|
#370394 - 10/01/2018 14:33
Re: Ransomware recovery
[Re: mlord]
|
carpal tunnel
Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
|
How does a smart card help you when you are sat in front of a computer trying to log into your internet banking site ? There is no smart card slot on my computers.
I have a related device for logging into my bank, which you insert your smart card into. But that has a display, keypad and the related human error...
_________________________
Remind me to change my signature to something more interesting someday
|
Top
|
|
|
|
#370395 - 10/01/2018 14:34
Re: Ransomware recovery
[Re: tahir]
|
carpal tunnel
Registered: 29/08/2000
Posts: 14496
Loc: Canada
|
Ah, okay. Several of the computers here have smartcard slots. And those that don't could use USB-connected slots.
Cheers
|
Top
|
|
|
|
#370396 - 10/01/2018 14:39
Re: Ransomware recovery
[Re: mlord]
|
carpal tunnel
Registered: 29/08/2000
Posts: 14496
Loc: Canada
|
Ah, okay. Several of the computers here have smartcard slots. Mmm.. but none of the smartphones do, and I suppose that going forward those will become increasingly dominant. So any solution here probably needs to be efficient for use with such devices. [EDIT] BLE equipped smartcards, anyone? Or is that pretty much the same functionality as NFC? [/EDIT]
Edited by mlord (10/01/2018 14:40)
|
Top
|
|
|
|
#370397 - 10/01/2018 14:41
Re: Ransomware recovery
[Re: mlord]
|
carpal tunnel
Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
|
I suspect USB connected smart card reader would give the banks far more support headaches over and above just handing out these standalone readers that they currently use:
_________________________
Remind me to change my signature to something more interesting someday
|
Top
|
|
|
|
#370398 - 10/01/2018 14:46
Re: Ransomware recovery
[Re: mlord]
|
carpal tunnel
Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
|
The UK banks seem to be slowly stepping away from all of these devices.
For example you don't need one to install the NatWest banking mobile app on a new device (they use the sadly exploitable route of SMS verification).
From the app I can now do pretty much everything I can do on their online banking site. The app is protected by just a 6 digit numeric PIN.
_________________________
Remind me to change my signature to something more interesting someday
|
Top
|
|
|
|
#370401 - 10/01/2018 19:26
Re: Ransomware recovery
[Re: andy]
|
journeyman
Registered: 08/11/2017
Posts: 69
|
I wonder how many other US folks here are looking at the smartcard discussion in wonder. It's really a shame credit cards here stuck to magnetic stripes for so long. Seems like the usage of smartcards for payments also helped spur a lot more security advancement efforts in general. I think the only place I've seen widespread smartcard usage outside payments is the military and their chipped ID badges. Still a shame we "upgraded" to Chip and Signature, and even though we have, my card has been swiped through a magnetic reader more then 10 times this year *sigh*. Banks have a lot of influence on the security field, for better or worse. Telecoms seem to be the other commercial part of the market pushing from time to time. I've been hearing some interesting possibilities from newer markets that lack the legacy infrastructure and are starting fresh on mobile first solutions. I agree with what you're saying, but how do you change? Find ways to make changing things easier. Almost every environment I've worked in has tried something, only to see it fail later for some reason. The environments agile enough to change and try something new always had a leg up on the ones that had to throw the issue into the unpaid tech debt column.
|
Top
|
|
|
|
#370413 - 11/01/2018 13:36
Re: Ransomware recovery
[Re: tahir]
|
carpal tunnel
Registered: 30/04/2000
Posts: 3810
|
Google has been pushing Fido U2F alongside their Advanced Protection scheme. I was a beta tester of this stuff years ago and I'm generally impressed. The ten-second summary is that the U2F gadget interacts with your browser and does some sort of public key crypto on a per-website basis, so there's no credential that one web site can get that's useful for attacking you on another website. The banking world hasn't adopted it at all, so far as I can tell, but they really should.
|
Top
|
|
|
|
#370415 - 11/01/2018 15:27
Re: Ransomware recovery
[Re: andy]
|
pooh-bah
Registered: 27/02/2004
Posts: 1919
Loc: London
|
The general rule for secure 2 factor authentication is "something you have, something you know". That HSBC device (and the devices that you insert your debit/credit card into) serves as the "something you have", you still need a password for the "something you know" side.
Devices like that protect your account (in theory*) if someone has got your password, but they can't be the only authentication factor. Yes, we use 3 banks and all have a combo of pwd/device there have been plenty of cases where accounts have been protected by two factor authentication, but the account has still been hijacked because the service protected by the password provides a "call a human in a call centre and beg" fallback mechanism which can then fall victim to social engineering Call centre and beg has never worked for me.
|
Top
|
|
|
|
|
|