Earlier this year I blogged about how our education system needs to be an important part of our defenses against a growing risk of cyber attack. I highlighted the fact that we all need to understand enough about computers and the internet to ensure that we don’t leave the virtual door open to our private property for anyone who wants to come along and misuse it. We can’t merely rely on our software to protect us from problems, because there is a small army of hackers who will always be trying to exploit any weaknesses in our software systems.
As a society we have a responsibility to provide people with the knowledge and understanding to protect themselves, and as individuals we must take responsibility for doing our bit to protect ourselves and our families, because no system will ever be completely bulletproof.
The ransomware behind the cyberattack that caused cancelled hospital operations, prevented doctors from accessing patient records and did much more damage last week is just the latest of a whole range of essentially rudimentary tools that are being used to cause harm by unscrupulous individuals and groups. This ‘souped-up’ hack attack was able to take advantage of ‘holes’ in insecure software systems to ‘leap’ from shared file to shared file within and beyond a host of organizations, encrypting the information in these files so that those who needed to use them were ‘locked out’ unless they paid a specified ransom. Of course, those sensible people who had backed up their information were saved the need to pay up, but they would still have been significantly inconvenienced.
The aptly named WannaCry malware behind last week’s attack is merely the tip of the iceberg when it comes to our vulnerability to hacking attacks. For example, Darren Thomson, chief technology officer for the cyber security firm Symantec, told the Financial Times of a 36% increase year-on-year in this sort of attack, and of the existence of more than 100 families of ransomware online. (FT, behind paywall)
When malware such as WannaCry is inadvertently downloaded onto a machine, usually via an email, it does not normally cause such widespread problems. However, on this occasion the malware was able to spread across an organization’s network of machines by scanning its systems for software flaws and using another piece of software called EternalBlue (originally developed by US spies) to attack the Windows XP file sharing software. This situation is particularly problematic for many public sector organizations in the UK (and globally), because the Windows XP operating system is still commonly used in these organizations, but has been unsupported by Microsoft since April 2014. It therefore leaves these organizations very vulnerable, because there are no regular updates to maintain the integrity of their software.
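The spreading behaviour described above, a single infected machine probing many other machines over the file sharing service, has a simple network signature: one source talking to an unusually large number of distinct peers on the file sharing port within a short time. The script below is an added example (not code from the original post) that runs that check over a constructed connection log. It assumes a log line format of `<epoch> <src_ip> <dst_ip> <dst_port>`, that Windows file sharing uses TCP port 445, and a threshold of ten distinct peers per minute; all three are assumptions chosen for the example, not values from the post.

```python
"""Flag hosts that fan out to many file-sharing peers in a short window.

Added example, not from the original post. Assumed log format:
"<epoch> <src_ip> <dst_ip> <dst_port>". SMB file sharing on TCP 445 and
the window/threshold values are assumptions for this example.
"""
from collections import defaultdict

SMB_PORT = 445
WINDOW_SECONDS = 60
FANOUT_THRESHOLD = 10   # distinct peers within one window; assumed tuning value


def parse_line(line):
    """Parse '<epoch> <src> <dst> <dst_port>'; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return int(parts[0]), parts[1], parts[2], int(parts[3])
    except ValueError:
        return None


def smb_fanout_alerts(lines, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD):
    """Return {src: (peer_count, window_start)} for every source that reaches
    at least `threshold` distinct hosts on the SMB port inside some span of
    `window` seconds. Ordinary clients talk to one or two file servers and
    never trip this; a scanning worm sweeps a whole subnet and does."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] != SMB_PORT:
            continue          # skip garbage lines and non-SMB traffic
        ts, src, dst, _ = rec
        by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        best = (0, None)
        # Slide a window starting at each event and count distinct peers in it.
        for i, (start, _) in enumerate(events):
            peers = {dst for ts, dst in events[i:] if ts < start + window}
            if len(peers) > best[0]:
                best = (len(peers), start)
        if best[0] >= threshold:
            alerts[src] = best
    return alerts


def build_sample_log():
    """Constructed traffic: two ordinary hosts talking to a file server,
    one non-SMB line, and one host (10.0.1.77) sweeping its subnet on 445
    at one peer per second."""
    lines = ["1494835200 10.0.1.20 10.0.1.5 445",
             "1494835201 10.0.1.21 10.0.1.5 445",
             "1494835230 10.0.1.21 10.0.1.5 445",
             "1494835240 10.0.1.20 10.0.1.5 139"]
    for i in range(1, 26):
        lines.append(f"{1494835300 + i} 10.0.1.77 10.0.1.{i} 445")
    return lines


if __name__ == "__main__":
    for src, (count, start) in smb_fanout_alerts(build_sample_log()).items():
        print(f"ALERT {src}: {count} distinct SMB peers within "
              f"{WINDOW_SECONDS}s starting at t={start}")
```

On the constructed log only `10.0.1.77` is reported, with 25 distinct peers inside one minute; the two workstations that repeatedly contact the same file server stay quiet. In a real deployment the threshold would be tuned against a baseline of normal traffic, and an alert of this kind is a prompt to isolate the source host and check it for the flaw the post describes, not proof of infection on its own.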
EternalBlue was amongst a bundle of software that was made available by an organisation called the Shadow Brokers in April (FT, behind paywall). At the time of writing this blog, the identity of the Shadow Brokers is unknown, but they are one of a growing band of groups who not only provide software to help people launch cyberattacks, but also offer support to help cyber attackers get their software hacks to work effectively.
For me the name ‘Shadow Brokers’ conjures up an image of some bright, sci-fi-loving, entrepreneurial teenagers working away in their bedrooms to supplement their pocket money or help pay their tuition fees. The work is smart, but not sophisticated, and we must therefore recognise the likelihood of more and more such attacks and make sure that we are prepared. I therefore suggest a few basic actions we should all apply now to help protect ourselves:
- Back up all your data in a secure manner that does not merely save any existing malware for future activation. See here and here for examples of reviews of backup options.
- Update your system with any security updates as soon as you can;
- Change the default settings of all your devices;
- Protect all your accounts and their settings with strong passwords that you can remember and that you do not record anywhere. For help with choosing passwords that you can remember, try word association for each of your accounts. For example, for your work email choose a word you personally associate with your work, starting with an uppercase character, e.g. ‘Toil’; then add some personally meaningful associated numbers, such as the month or year when you started the job, e.g. 2006; and then add your favourite symbol, e.g. *. For added security alternate each of these components: T2o0i0l6*;
- Learn the basics of your technology and how all your devices connect to each other and to the internet, and make sure that all devices and all connections are protected. See, for example, here.
- Think before you share files and limit write access as a default;
- Do not open any email attachments that are executable or zipped without scanning them; in fact, do not open any attachments unless you recognize the sender or they are known to be safe – if in doubt, check them out.
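The last rule, never opening executable or zipped attachments without checking them first, is the one most easily turned into an automatic screen. The script below is an added example, not code from the original post: it parses an e-mail with Python’s standard `email` library, flags any attachment whose name ends in an executable extension, and looks inside zip attachments for executables hidden behind a double extension such as `invoice.pdf.exe`. The extension list, the sample message and the addresses in it are constructed for the example.

```python
"""Screen e-mail attachments for executables, including inside zip files.

Added example, not from the original post. The extension list and the
sample message below are constructed for illustration.
"""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed list of extensions treated as executable; extend to local policy.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".dll", ".bat",
                         ".cmd", ".js", ".vbs", ".ps1", ".hta"}
ARCHIVE_EXTENSIONS = {".zip"}


def _ext(name):
    """Lower-cased final extension, so 'invoice.pdf.EXE' -> '.exe'."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def inspect_zip(data):
    """Names of zip members that carry an executable extension.
    An unreadable archive is itself reported, since it cannot be vetted."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [m for m in zf.namelist() if _ext(m) in EXECUTABLE_EXTENSIONS]
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]


def screen_message(msg):
    """Return [(filename, reason), ...] for attachments that should not be
    opened without further scanning. An empty list means nothing was flagged."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        ext = _ext(name)
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append((name, "executable attachment"))
        elif ext in ARCHIVE_EXTENSIONS:
            bad = inspect_zip(part.get_payload(decode=True))
            if bad:
                findings.append((name, "archive contains " + ", ".join(bad)))
    return findings


def screen_raw(raw_bytes):
    """Convenience wrapper for a message as received on the wire."""
    return screen_message(message_from_bytes(raw_bytes, policy=policy.default))


def build_sample_message():
    """Constructed message: a harmless text file, a zip hiding a .exe behind
    a .pdf double extension, and a bare screensaver executable."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment("just text", subtype="plain", filename="notes.txt")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"MZ placeholder, not a real program")
        zf.writestr("readme.txt", b"hello")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"MZ", maintype="application",
                       subtype="octet-stream", filename="photo.scr")
    return msg


if __name__ == "__main__":
    for name, reason in screen_raw(build_sample_message().as_bytes()):
        print(f"BLOCK {name}: {reason}")
```

Run on the constructed message it flags `invoice.zip` (because it contains `invoice.pdf.exe`) and `photo.scr`, and lets `notes.txt` through. A screen like this is a first filter, not a substitute for the antivirus scan the post recommends: it catches the crude cases, while a file whose type has been disguised beyond its name still needs a scanner that looks at content.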
These simple rules are not magic and they will not protect everyone from every threat BUT they will go a long way to helping you reduce the damage that malware can cause to you and your colleagues, employees and loved ones: share and care.
Photo by EFF Photos via Creative Commons