Cyber Attack

Posted by: Mike-B on 14 May 2017

As it's made the news headlines over the weekend, do any of our forum IT experts have any advice, recommendations, tips or stories about www cyber attacks?

I believe I'm safe because I take care to have my MS & more than one Internet security system set to auto update, but is that enough? Then what about iPads & phones?

The questions are not specifically for me, I'm asking on behalf of everyone.

Posted on: 14 May 2017 by Simon-in-Suffolk

My advice is the same as the pundits'... keep operating systems (on all major platforms: Linux, Windows, OSX, iOS, Android) updated with security fixes, use virus / malware detection software where available, don't click on hypertext links within emails unless you are 100% sure they are valid and appropriate, be wary of unsolicited emails with links... don't run any executable over the web unless it's via a 100% trusted, secure link, encrypted with a valid certificate... if in doubt, don't.

If you get an unsolicited email suggesting it's from a service you have, requesting you click on it for some reason or other... DON'T. Log onto the service and your account separately via your browser using favourites or a search engine like Google. If there is some action to do you will be informed there.

If you see any invalid certificate key information on your browser with a web site.. Stop. Close the browser down and avoid using that site until their security issue is resolved.

If you go onto a web site and many pop-ups, usually with adverts, appear, with various options to clear them presented... don't... close your browser down / restart your browser and avoid/blacklist that web site.

Given the above your web/internet hygiene should be good; however there will always be the occasional issue... and your protected operating system should then be your last line of defence... if all else fails be prepared to restore from regular backups... but this should be very, very unlikely.

Simon

Posted on: 15 May 2017 by Ardbeg10y

Simon has said all important things.

A thing I'd like to add: I've changed all configurations on my internet provider's modem / router: wireless is off, most ports are closed as much as my work allows. Then there is a UTP cable going to my internal router which serves us internally and has the ports needed for UPnP, minimserver etc... etc... open.

I write this mainly because it seems that on this forum the audio quality of routers / cables / power supplies is raised as a topic often, but relatively seldom the security aspects of the internet.

I would not be surprised if many audiophiles have very weak security.

Now, how do I manage my kids' internet usage...

Posted on: 15 May 2017 by Eloise
Ardbeg10y posted:

Now, how do I manage my kids' internet usage...

Remove all computers from the bedrooms and place them in an open "family" area.  Tablets, etc. are left there at bedtime to charge.

Solves a lot of problems!

But then I'm a draconian luddite  :-)

Posted on: 15 May 2017 by MDS

Isn't there also an issue about running an operating system that is still in support and has all the latest updates for it? Listening to the TV reports on the NHS problem I think I heard that some trusts were still running Windows XP. That's very old now. My employer moved off that platform years ago and if I remember correctly part of the reason was that Microsoft said they were going to stop supporting it (forcing customers to upgrade is a nice revenue earner of course).

Posted on: 15 May 2017 by Huge

In respect of shutting down browsers when suspicious activity is detected: it's possible to link execution of code to the normal shutdown action of a browser, so when suspicious activity is detected the browser application should be killed, not just shut down.

The point about keeping firewall ports closed where possible is a good one: if you're having network problems, absolutely definitely don't 'open up all the ports just to make sure'.


Lastly, for those of us running a NAS, I have a solution to the problem of ransomware:

Using two disks on the NAS (one can be external) ensure that only one disk is visible from the network, the other needs to be accessible only by a user account that exists only on the NAS itself (the password for this account shouldn't be on any of the PCs).
Keep all important files primarily held on your computer(s) backed up on the NAS.
Keep a copy of all the files primarily held on the NAS backed up on a computer.
Back up the NAS to the second drive (the one that's not visible from the network).

How this works:
If a ransomware virus attacks a computer on your network it will encrypt the files on the primary storage of the NAS, but won't be able to encrypt the backup as that's not visible to it.
If a ransomware virus attacks the NAS it will be able to encrypt the backup files on the NAS but won't be able to encrypt the backup files on the computer.

The great thing about this scheme is that it can be made to run automatically and doesn't depend on any outside service or slow internet connections.

Posted on: 15 May 2017 by Huge

An organisation for whom I used to work had an interesting incident at a remote location.  When their comms went down, a set of BT engineers came in and removed the server that was causing the problem.  Neither the engineers nor the server were seen again.

A refresh of the security keys ensured that that server was no longer able to log onto the WAN, so the damage was fairly limited. However, removing a server that weighs >45kg on a hydraulic lift trolley was quite an enterprising theft!

Posted on: 15 May 2017 by Ardbeg10y
Huge posted:

An organisation for whom I used to work had an interesting incident at a remote location.  When their comms went down, a set of BT engineers came in and removed the server that was causing the problem.  Neither the engineers nor the server were seen again.

A refresh of the security keys ensured that that server was no longer able to log onto the WAN, so the damage was fairly limited. However, removing a server that weighs >45kg on a hydraulic lift trolley was quite an enterprising theft!

This reminds me of a company where I was installing some software in my early field engineering days, where all the IT guys were in a sad mood. They had just got to know that the CIO had hired a company specialised in security audits, and that security company managed to steal a server from the rack during working hours. Good CIO.

I still feel attracted to IT security, but specialised in performance myself.

Posted on: 15 May 2017 by Huge

Class!

Posted on: 15 May 2017 by Huge

The trouble with working in computer security is that it's hard work but it should never be seen, felt or heard until someone tries to do something they shouldn't, so it's never appreciated. Even management just see it as an overhead and often have a 'do we really need it that much' and 'it's a waste of money' attitude.

Then, if it is noticed by someone inside the organisation, you get blamed for preventing them doing what they wanted to do (even if they shouldn't be doing it!).

Posted on: 15 May 2017 by Huge

I also forgot to mention...

Don't expose your NAS to the 'net unless you really need to.

Posted on: 15 May 2017 by Ardbeg10y

And even if security is taken care of, loads of IT work is done in India these days. Management needs to realise that the blokes doing their work there have access not only to your system, but also to your very competitor's, 'cause they are all using the same Hyderabad / Bangalore companies. And these guys switch companies quickly.

Security is becoming quite a joke on this planet.

Posted on: 15 May 2017 by fatcat
Huge posted:

I also forgot to mention...

Don't expose your NAS to the 'net unless you really need to.

Huge

I have a QNAP NAS; I use it solely to back up music files that are on a PC, then stream from the NAS.

I haven't set up or configured the NAS to be accessible over the internet. Does that mean it isn't accessible, or do I need to take action to make it inaccessible?

Posted on: 15 May 2017 by hungryhalibut

I'd be interested in that too.

Posted on: 15 May 2017 by Huge

I'm not sure for QNAP as I use a Synology, but I expect that the default configuration won't allow access from the net. It may be worth checking that UPnP is disabled on the NAS; however, you may have to re-enable that if it also blocks the DLNA server.

UPnP is much wider than DLNA. With the Synology, it works fine if UPnP is off and DLNA is on, as then it only enables the bits of UPnP that are needed for DLNA and doesn't allow the automatic reconfiguration of its firewall (which general UPnP will often allow). It's also possible to write manually configured rules to do this.

This recommendation also applies to router firewalls, with the same caveat about DLNA operation on the wireless network. The router firewall can also prevent the NAS being exposed by not mapping its ports and services externally.

If you are making use of generic UPnP devices as well as DLNA servers, then you need to enable UPnP in the appropriate network devices!

But for a definitive answer on this we really need Simon, I am a mere neophyte in respect of networks.

Posted on: 15 May 2017 by Huge

Oh, and don't worry about software updates from t'internet; typically they're digitally signed using a public / private key system (probably RSA), almost impossible to fake. If one is going to all the effort of breaking an RSA key system, then there's no point in going after a domestic NAS drive; go after an internet bank or an ATM network!

Posted on: 15 May 2017 by fatcat

Thanks Huge.

Discovered UPnP was enabled; it is now disabled. I can still stream from the NAS, and back up to the NAS from the PC.

The tick box is located at Network Services/Service Discovery.

If anybody's performed a firmware update recently, it might be worth checking if the settings have changed.

Posted on: 15 May 2017 by hungryhalibut

Thanks, I've now done that too. 

Posted on: 15 May 2017 by Eoink

For those who use Synology NASes: when you do the setup, one option that is offered is something called QuickConnect. If you enable that and choose a name, then your NAS is accessible through the Synology website. It's worth checking whether you set that up; it's not relevant to this particular exploit, but is a potential hole. (It takes you to the login prompt of DSM.)

Posted on: 15 May 2017 by Simon-in-Suffolk

I guess we need to be cautious also in simply disabling the UPnP IGD (RFC 6970) protocol. It's there for a reason. Especially in our predominantly IPv4 world we need our broadband internet routers to sometimes map IP addresses from outside to inside and vice versa, but using a consistent port. A port is like an application address that sits on top of our IP addresses. So if UPnP IGD is disabled it may then be necessary for you to manually set up port forwarding on your router. There are multiple ways of setting port forwarding - and different applications may use different methods - but if an app uses UPnP IGD then you will need to manually enable those ports across the internal and external addresses on the router if UPnP IGD is disabled. So be advised some apps that use comms over the internet may stop working without manual intervention.
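As an added example (not Simon's code, nor from anyone in this thread): UPnP IGD lets an app ask the router to forward an external port to an internal host, and the router will also answer a GetGenericPortMappingEntry request for each mapping it currently holds. The script below parses those WANIPConnection replies and lists, per LAN host, which ports are exposed on the WAN side, so you can see what an app has opened before deciding whether to leave UPnP IGD on or replace it with manual port forwarding. The SOAP envelopes are constructed samples, not captured from a real router.

```python
import xml.etree.ElementTree as ET

NS = {"s": "http://schemas.xmlsoap.org/soap/envelope/",
      "u": "urn:schemas-upnp-org:service:WANIPConnection:1"}
# Constructed sample replies shaped like a router's answer to
# GetGenericPortMappingEntry (one call per index); not captured from real hardware.
_TEMPLATE = """<?xml version="1.0"?>
<s:Envelope xmlns:s="{s}"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="{u}">
<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>
<NewProtocol>{proto}</NewProtocol><NewInternalPort>{iport}</NewInternalPort>
<NewInternalClient>{client}</NewInternalClient><NewEnabled>{en}</NewEnabled>
<NewPortMappingDescription>{desc}</NewPortMappingDescription>
<NewLeaseDuration>{lease}</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

SAMPLE_RESPONSES = [
    _TEMPLATE.format(**NS, ext=8200, proto="TCP", iport=8200,
                     client="192.168.1.20", en=1, desc="minimserver", lease=0),
    _TEMPLATE.format(**NS, ext=5000, proto="TCP", iport=5000,
                     client="192.168.1.30", en=1, desc="NAS admin", lease=0),
    _TEMPLATE.format(**NS, ext=3478, proto="UDP", iport=3478,
                     client="192.168.1.40", en=0, desc="voip", lease=3600),
]

def parse_mapping(soap_xml):
    """One GetGenericPortMappingEntryResponse envelope -> dict of its fields."""
    root = ET.fromstring(soap_xml)
    resp = root.find("s:Body/u:GetGenericPortMappingEntryResponse", NS)
    if resp is None:
        raise ValueError("not a GetGenericPortMappingEntryResponse")
    def text(tag):  # child elements are unqualified in the IGD schema
        el = resp.find(tag)
        return (el.text or "").strip() if el is not None else ""
    return {"external_port": int(text("NewExternalPort")),
            "protocol": text("NewProtocol"),
            "internal_client": text("NewInternalClient"),
            "internal_port": int(text("NewInternalPort")),
            "enabled": text("NewEnabled") == "1",
            "description": text("NewPortMappingDescription"),
            "lease_seconds": int(text("NewLeaseDuration"))}  # 0 = permanent mapping

def exposed_hosts(responses):
    """Group enabled, permanent mappings by LAN host: the WAN-side footprint of each device."""
    report = {}
    for m in map(parse_mapping, responses):
        if m["enabled"] and m["lease_seconds"] == 0:
            report.setdefault(m["internal_client"], []).append(
                (m["protocol"], m["external_port"], m["internal_port"], m["description"]))
    return report
```

Against a real router the envelopes would be fetched by POSTing GetGenericPortMappingEntry with increasing NewPortMappingIndex to the WANIPConnection control URL until the router returns an error; everything else stays the same.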

Posted on: 15 May 2017 by Ardbeg10y
Simon-in-Suffolk posted:

I guess we need to be cautious also in simply disabling the UPnP IGD (RFC 6970) protocol. It's there for a reason. Especially in our predominantly IPv4 world we need our broadband internet routers to sometimes map IP addresses from outside to inside and vice versa, but using a consistent port. A port is like an application address that sits on top of our IP addresses. So if UPnP IGD is disabled it may then be necessary for you to manually set up port forwarding on your router. There are multiple ways of setting port forwarding - and different applications may use different methods - but if an app uses UPnP IGD then you will need to manually enable those ports across the internal and external addresses on the router if UPnP IGD is disabled. So be advised some apps that use comms over the internet may stop working without manual intervention.

Simon, do you have an example of such an application? I've switched this off at my internet-connected router too, and never found any limitation, but I'm - for security reasons - using the internet only for streaming and VPN for work. I could imagine that certain e.g. home automation apps suffer from it.

Posted on: 15 May 2017 by GraemeH

A couple of questions:

Do people pay these ransoms?

Do they get their data released back to them?

G

Posted on: 15 May 2017 by Huge

Sometimes yes.

And sometimes yes* (but sometimes no).

*  What they get is actually the public key required to decrypt the data.

Posted on: 15 May 2017 by Eoink

The last figure I saw suggested that there were £30,000 worth of bitcoins, and the original ransom was set to £300 and then rose to £600, so it looks like about 100 people have paid up. (People are watching the bitcoin archive to see how big it is.)

It's hard to say what happens, most companies/people that pay up don't advertise the fact, but the usual experience seems to be that the decryption does happen, because the criminals don't want people to believe there's no point paying up.

I did read a report (I'm in IT including IT security) that suggested that there were about $200m of ransoms paid last year, but I couldn't see where they got their figures from, so take with an even bigger pinch of salt than normal.

Posted on: 15 May 2017 by Simon-in-Suffolk

Ardbeg10y, I believe various apps that use point-to-point communication, like messaging, video services and gaming apps, need to use IGD, or the Apple variant NAT-PMP. So if you turn off UPnP IGD for protection, then you should turn off NAT-PMP as well if your router supports it.

Simon

Posted on: 17 May 2017 by Huge

Another issue in cyber security is Adobe Flash. It's even older than Windows XP, and even more vulnerable.

This is useful info:
http://www.online-tech-tips.co...e-specific-websites/