Difference between revisions of "Malware/Meeting Notes 2017-06-12"

From SOBAC Wiki
Jump to navigation Jump to search
(Added meeting notes)
(Formatting)
Line 2: Line 2:
 
-----
 
-----
  
[[File:Virus-noises.jpg|thumb|100px]]
+
==== Guest: Scott Smith ====
 +
* [https://tekkshare.com/ Tekkshare] demonstration by guest Scott Smith
 +
** A Goods-and-Services marketplace for technical stuff based on [https://www.sharetribe.com/ Sharetribe]
 +
** Invitation for KWNPSA members to sign up, will waive commission for first year
  
* Video on encryption in WannaCrypt ransomware: [https://www.youtube.com/watch?v=pLluFxHrc30 How WanaCrypt Encrypts Your Files - Computerphile]
 
  
* Tekkshare demonstration by guest Scott
+
==== Malware experiences ====
  
* Malware stories
+
* from the days of floppy drives
** from the days of floppy drives
 
  
* WannaCry ransomware seemed to be more prevalent on Win7, not so much WinXP
+
* WannaCry ransomware  
 +
**seemed to be more prevalent on Win7, not so much WinXP
 +
** Video on encryption in WannaCrypt ransomware: [https://www.youtube.com/watch?v=pLluFxHrc30 How WanaCrypt Encrypts Your Files - Computerphile]
 +
 
 +
* Malware vulnerability assessments
 
** https://www.spacelabshealthcare.com/wp-content/uploads/2017/05/WannaCry-Malware-Assessment-and-Compatibility-Statement_23_May_2017.pdf
 
** https://www.spacelabshealthcare.com/wp-content/uploads/2017/05/WannaCry-Malware-Assessment-and-Compatibility-Statement_23_May_2017.pdf
 
** https://www.sans.org/ has vulnerability reports
 
** https://www.sans.org/ has vulnerability reports
  
** Apple malware, adware
+
==== Platforms ====
*** Nothing super malicious, but affects the browser, user libraries inc. user preferences
+
* Apple malware, adware
*** Backup with TimeMachine, but that takes malware with it
+
** Nothing super malicious, but affects the browser, user libraries inc. user preferences
*** Free TV websites and proxy sites seem to be sources of malware
+
** Backup with TimeMachine, but that takes malware with it
*** Manual restore (not Time Machine) to restore each file individually
+
** Free TV websites and proxy sites seem to be sources of malware
*** AdAware bought by MalwareBytes, good for Apple platform, free for home use
+
** Manual restore (not Time Machine) to restore each file individually
 +
** AdAware bought by MalwareBytes, good for Apple platform, free for home use
  
** Android  
+
* Android  
*** Large platform, biggest vulnerability
+
** Large platform, biggest vulnerability
*** Old, refurbished phones may be vulnerable, they don't get updates
+
** Old, refurbished phones may be vulnerable, they don't get updates
*** Same for routers, security cams
+
** Same for routers, security cams
*** Fragmentation in market, but providers (Samsung, Verizon) don't provide updates after a year or two
+
** Fragmentation in market, but providers (Samsung, Verizon) don't provide updates after a year or two
*** Reluctance to update phones because it takes too long (10 minutes!)
+
** Reluctance to update phones because it takes too long (10 minutes!)
*** People are more likely to replace a device than upgrade it
+
** People are more likely to replace a device than upgrade it
**** Both desktop and mobile devices
+
*** Both on desktop and mobile devices
*** Change is scary, can't even deal with a moved icon on the desktop
+
** Change is scary, some people can't even deal with a moved icon on the desktop
*** SysAdmins are not able to meet the expectations of clients
+
** SysAdmins are not able to meet the expectations of clients
*** Google is taking heat for lack of Android updates
+
** Google is taking heat for lack of Android updates
**** THought it might have been like GNU/Linux distros (stable, testing, Sid), didn't work out that way
+
*** Thought it might have been like GNU/Linux distros (stable, testing, Sid), didn't work out that way
**** Proprietary applications contribute to this, only Google can upgrade their apps
+
*** Proprietary applications contribute to this, only Google can upgrade their apps
**** CopperheadOS tried to address this with a secure Android OS, but constantly battles Google and vendors
+
*** CopperheadOS tried to address this with a secure Android OS, but constantly battles Google and vendors
*** People believe things are secure because they've paid the vendor lots of money, they don't pay the vendor lots of money because the products are secure
 
  
** Best defence: Make our purchasing decisions based on public data of vulnerabilities
+
People believe things are secure because they've paid the vendor lots of money, they don't pay the vendor lots of money because the products are secure.
  
https://www.cisco.com/c/en/us/products/security/threat-grid/index.html
+
Best defence: Make our purchasing decisions based on public data of vulnerabilities
  
https://www.entrust.com/certification-authority-authorization/
+
* More security resources:
 +
** https://www.cisco.com/c/en/us/products/security/threat-grid/index.html
 +
** https://www.entrust.com/certification-authority-authorization/
  
  
* Mitigation:
+
==== Mitigation ====
Software available from http://www.techsoupcanada.ca/en/directory/352
+
* Software for Non-profit organizations available from TechSoup: [http://www.techsoupcanada.ca/en/directory/352 Server & Security Software | TechSoup Canada]
** Treat the end-user as an adversary
+
 
 +
* Treat the end-user as an adversary
 
** Focus on recovery instead of avoidance
 
** Focus on recovery instead of avoidance
 
** But should we treat people as adversaries? Technical solutions are not a panacea
 
** But should we treat people as adversaries? Technical solutions are not a panacea
** '''Backups!!!'''
+
* '''Backups!!!'''
*** Risk management -- given enough time, the probability of being affected approaches one
+
* Risk management -- given enough time, the probability of being affected approaches one
*** Training is necessary, but not sufficient
+
* Training is necessary, but not sufficient
** Defence in Depth
+
 
*** Backups, backup rotation, offsite backup
+
===== Defence in Depth =====
*** Training
+
* Backups, backup rotation, offsite backup
*** Updates
+
* Training
*** Offsite storage (Cloud), store deleted files for 90 days (version control)
+
* Updates
**** But privacy issues with out-of-country routing and storage
+
* Offsite storage (Cloud), store deleted files for 90 days (version control)
*** Buy-in from management to provide enough resources (money)
+
** But privacy issues with out-of-country routing and storage
*** Honeypot, canary - let SysAdmin know when certain files are being touched
+
* Buy-in from management to provide enough resources (money)
Staff needs to know this DiD is being done
+
* Honeypot, canary - let SysAdmin know when certain files are being touched
 +
 
 +
Staff needs to know this Defence-in-Depth is being done, and when
  
* Recovery
+
 
** Some people don't care about their data, just re-image the computer
+
==== Recovery ====
** Shadowcopy in Window -- only Administrator has access, can't be encrypted by ransomware
+
* Some people don't care about their data, just re-image the computer
*** But malware knows Shadowcopy is a good idea, and will try to bypass
+
* Shadowcopy in Window -- only Administrator has access, can't be encrypted by ransomware
 +
** But malware knows Shadowcopy is a good idea, and will try to bypass
 
   
 
   
How can you tell your files are encrypted?
+
* How can you tell your files are encrypted?
* Applications can't open their data files
+
** Applications can't open their data files
* Some malware leaves messages "This folder is encrypted"
+
** Some malware leaves messages "This folder is encrypted"
 
 
* Stiller software to identify
 
  
 +
* Stiller software (c. 1995) to identify modified files with checksum appended to all files; won't open or execute compromised files
  
 +
==== Meeting Administration ====
 
* Time limits? 8:30pm
 
* Time limits? 8:30pm
 
** Stay on topic
 
** Stay on topic
Line 80: Line 91:
  
 
[[Category:NPSA]]
 
[[Category:NPSA]]
 +
[[Category:Evengs]]

Revision as of 02:59, 13 June 2017

Malware

Date
Monday, 12 June 2017 from 7:00pm to 9:00pm
Event Announcement
https://www.meetup.com/NetSquared-Kitchener-Waterloo/events/239940239/
Location
Communitech Jelly Bean Room 1st Floor, 151 Charles Street West, Kitchener, Ontario Map

Breaking News: Dozens of countries affected by ransomware cyberattack (CBC News, 12 May 2017)

Are you protected from malware? On your desktop computers? On your servers? Does your staff have malware protection at home? Is anti-virus software enough? What's "ransomware"? What's the difference between a virus, a trojan, and a phishing attack? Does it matter? How do you protect yourself from malware? What's the best way to react to a malware outbreak? How do you recover from a malware attack?

We'll share our experiences in a round table discussion, and perhaps have a guest from the industry to provide some of the answers.

--Marc Paré and Bob Jonkman



Guest: Scott Smith

  • Tekkshare demonstration by guest Scott Smith
    • A Goods-and-Services marketplace for technical stuff based on Sharetribe
    • Invitation for KWNPSA members to sign up, will waive commission for first year


Malware experiences

  • from the days of floppy drives

Platforms

  • Apple malware, adware
    • Nothing super malicious, but affects the browser, user libraries inc. user preferences
    • Backup with TimeMachine, but that takes malware with it
    • Free TV websites and proxy sites seem to be sources of malware
    • Manual restore (not Time Machine) to restore each file individually
    • AdAware bought by MalwareBytes, good for Apple platform, free for home use
  • Android
    • Large platform, biggest vulnerability
    • Old, refurbished phones may be vulnerable, they don't get updates
    • Same for routers, security cams
    • Fragmentation in market, but providers (Samsung, Verizon) don't provide updates after a year or two
    • Reluctance to update phones because it takes too long (10 minutes!)
    • People are more likely to replace a device than upgrade it
      • Both on desktop and mobile devices
    • Change is scary, some people can't even deal with a moved icon on the desktop
    • SysAdmins are not able to meet the expectations of clients
    • Google is taking heat for lack of Android updates
      • Thought it might have been like GNU/Linux distros (stable, testing, Sid), didn't work out that way
      • Proprietary applications contribute to this, only Google can upgrade their apps
      • CopperheadOS tried to address this with a secure Android OS, but constantly battles Google and vendors

People believe things are secure because they've paid the vendor lots of money, they don't pay the vendor lots of money because the products are secure.

Best defence: Make our purchasing decisions based on public data of vulnerabilities


Mitigation

  • Treat the end-user as an adversary
    • Focus on recovery instead of avoidance
    • But should we treat people as adversaries? Technical solutions are not a panacea
  • Backups!!!
  • Risk management -- given enough time, the probability of being affected approaches one
  • Training is necessary, but not sufficient
Defence in Depth
  • Backups, backup rotation, offsite backup
  • Training
  • Updates
  • Offsite storage (Cloud), store deleted files for 90 days (version control)
    • But privacy issues with out-of-country routing and storage
  • Buy-in from management to provide enough resources (money)
  • Honeypot, canary - let SysAdmin know when certain files are being touched

Staff needs to know this Defence-in-Depth is being done, and when


Recovery

  • Some people don't care about their data, just re-image the computer
  • Shadowcopy in Window -- only Administrator has access, can't be encrypted by ransomware
    • But malware knows Shadowcopy is a good idea, and will try to bypass
  • How can you tell your files are encrypted?
    • Applications can't open their data files
    • Some malware leaves messages "This folder is encrypted"
  • Stiller software (c. 1995) to identify modified files with checksum appended to all files; won't open or execute compromised files

Meeting Administration

  • Time limits? 8:30pm
    • Stay on topic
    • May start at 6:30pm? Consensus, not...