Aractus

Blog of Daniel Baxter, now secure! :)

Free SSL from Let's Encrypt!

Archive for May, 2017

What you weren’t told about WannaCry

I pride myself on providing you, the humble visitor, with good information. Not always perfect because, well, I’m not a security expert. You can think of this post as an afterthought if you like to my previous post, what I am aiming to do here is complete the picture.

Is Microsoft to blame?

The US Government and its spy agency, the NSA, are the main guilty parties in this instance. The Shadow Brokers, who obtained the NSA's tooling (by hacking the agency, they claim) and then publicly released the weaponised exploit, are also to blame. And yes, Microsoft absolutely shares some of the culpability. Here is the thing you haven't been told anywhere on the internet: some systems don't update even when configured to do so, and a system that has silently stopped applying updates has been missing the fix for this hole (MS17-010, published in March 2017) for two months. You want evidence? Here are screenshots I took earlier this week on a friend's PC:

[Screenshot: update-1]

[Screenshot: update-2]

When I manually checked for updates it just spent hours on this screen:

[Screenshot: update-3]

And no, that system is not patched. I was unable to fix the problem. WHAT THE FUCK MICROSOFT?! My solution for that system will be to re-install Windows. Nothing worked – and I did try. This page contains most of the fixes I tried. The owner of that PC had no idea the system wasn’t up to date. How many other Windows installations have this same problem?

And probably the most misreported "fact" on the internet: "Microsoft doesn't support XP anymore". WRONG! They do. They only provide support to those who pay for it, though, and according to some reports the latest pricing for this privilege is about USD 1000 per year per desktop Windows XP installation. For the ordinary home user, you can still get Windows XP security updates until April 2019, which is when the embedded edition those updates are actually built for, Windows Embedded POSReady 2009, reaches the end of its own support. To achieve this you simply tweak a registry setting that tells Windows Update the machine is that embedded edition. XP was embedded into all kinds of hardware that is impractical to upgrade, such as speciality hospital equipment like MRI scanners, and ATMs, and those systems still receive security updates to this day. The caveat is obvious: the updates are built and tested for the embedded edition, not for desktop XP, so this is a stopgap, not a supported configuration.

People were surprised when Microsoft released a patch for this vulnerability for Windows XP. But they shouldn't have been: the fix (MS17-010) would have been built for XP Embedded at the same time as the March 2017 patches for Windows 7/8/8.1. The only difference is that Microsoft waited until after the worm appeared before pushing the patch to non-embedded XP systems.

Why was there a kill switch?

The original version of WannaCry attempted to connect to iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com and terminated if the connection succeeded. Other variants then emerged with hex-edited domains, or with that section hex-edited out entirely. But why was it there? It could just be a bit of unfinished code. It might be intended as an anti-analysis measure, but it's been pointed out that it doesn't just do a DNS lookup: it issues an HTTP request to the domain (through WinINet's InternetOpenUrl) and only gives up if that request succeeds. If the name doesn't resolve, or it resolves but no connection can be made (a host with no direct internet access, or one that can only reach the web through a proxy), WannaCry runs the payload anyway, so the sinkhole is not a substitute for patching. It could just be the hacker's way of "having fun" with their malware: let people think it's stopped and then push out the variants. Who knows?

How much has been paid out in ransom?

Not very much. So far over 200,000 machines have been infected, and only about 292 payments (or fewer) have been made. That's around 0.1%. The three wallets are: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw, 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94, and 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn. About AUD 109,000 (USD 81,000) has been paid in total so far. At 292 payments, though, that averages significantly less than the USD 300 ransom, so going by the actual dollar figure only about 270 people, or fewer, had paid up at the time of writing. The addresses are public, so anyone can watch the running total on a blockchain explorer.

Is it a State actor?

Possibly. You will have heard that North Korea has been identified as a possible culprit, on the basis of code shared with earlier malware attributed to North Korean operators. The problem is that code reuse is weak evidence: any competent attacker can lift code from, or imitate, malware associated with North Korea, China, Russia, the USA, whomever they want.

So what’s their motivation?

You might think that the crypto-ransomware developers are simply highly motivated to be paid hefty ransoms. Well, most professionals don't believe that to be a huge motivation. Just look at the program for a start: it encrypts the types of documents that are important and valuable to their owners. They could actually have stolen sensitive documents if they had wanted to, but they didn't. So you heard about the NHS in the UK having patient information encrypted, which is a huge problem for them, but can you imagine how much worse it would have been if the malware developers had stolen millions of confidential medical files and then run a real extortion racket like the one run against Ashley Madison's users?

Then they provide you with all the information you'll need to get your files back, assuming you pay up. They give detailed instructions on how to use Bitcoin, they helpfully put the decryption program everywhere on your system so you can always find it, and they give you a wallpaper in case your antivirus removes the decryption program. And the program is translated into 28 languages as well to ensure that you can read it:

[Screenshot: wana-decrypt0r-2]

Their set-up is not particularly well designed to receive payments, which is why they've received so little. Every victim is told to pay into one of the same three addresses, so there is no per-victim payment address that would let the operators automatically match a payment to an infection; they have to verify payments manually. And it's not going to be easy for them to cash out the bitcoins either. But here's the thing: malware had been around for a very long time before the concept of ransomware. So they are unlikely to care much about actually getting paid; in fact the ransom note tells you explicitly that if you're so poor you can't afford the ransom, there will be a chance to get your files back for free in six months.

Whatever their motivations are, it's not money. At least not primarily. It's been pointed out that the leaked NSA cyberweapons have also been used to turn computers into large botnets that mine cryptocurrency, and that was a far more lucrative strategy for cybercriminals than this one. But what we can say is that they have put a lot of effort into their program. They want to get their name out; I don't think they care whether people pay the ransom or not, and they will probably give out the master key after a few months.

Did people click malicious links in emails?

This is the most misreported aspect of WannaCry. It is able to spread itself directly across the internet to any vulnerable computer it finds. We don't know how the NHS in the UK got infected, but it is possible that the worm reached just one vulnerable PC or internet-facing server over TCP port 445, and once it was on the network it could infect every vulnerable PC it found on the LAN. That's actually a larger problem for organisations than for home users: at home, your public IP address belongs to your router, which does NAT and will not pass an unsolicited inbound port 445 connection to the PCs behind it, whereas organisations often give computers public IP addresses, and for servers usually have to. So yes, we don't know, but we do know that this crypto-malware spreads directly across the internet without anyone needing to click a link, if their system is vulnerable. That's how bad this exploit is! Again though, if you're behind a home router you're probably safe from the direct-from-the-internet path. NAT is not a patch, though: a laptop infected on some other network, or a VPN link into the office, carries the worm straight past the perimeter.

Is it really the worst ransomware attack yet?

Yes. I chose my words carefully: it's not necessarily the worst cyber attack, but it is the worst ransomware attack. What has made it so bad is that people on vulnerable networks do not have to click any links, as the malware spreads laterally as a worm. If you have this on your computer it will eventually try connecting directly to every single public IP on the internet, from 0.0.0.0 to 255.255.255.255. Obviously that's a simplified explanation, it picks addresses at random rather than counting up, but yes, every computer with the worm, all 200-300,000 of them, will keep generating random targets and probing port 445 on each one. And it wouldn't take that long either, as there are only about 4.3 billion IPv4 addresses to try.
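The fan-out behaviour described above is also what makes the worm easy to spot from the defender's side. As an added example (my code, not code from the original post or from the malware), here is a small Go program that runs the check a network team would want over perimeter firewall logs: for each source address it counts the distinct destinations contacted on TCP/445 inside a sliding time window. The log lines and their key=value layout are constructed for the example and are assumptions; a real product's export would need its own ParseLine. A worm that picks random targets reaches many distinct hosts within seconds, whereas a workstation talking to its file server hits one or two destinations however many connections it opens, so distinct destinations, not connection volume, is the signal.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// SampleLog is constructed firewall data in a simple key=value shape (an assumption;
// adapt ParseLine to the real product's export). 10.0.5.23 behaves like an infected
// host spraying TCP/445 at random addresses; the other two hosts are normal.
const SampleLog = `ts=2017-05-12T10:00:00Z src=10.0.5.40 dst=10.0.1.5 dport=445 proto=tcp action=allow
ts=2017-05-12T10:00:02Z src=10.0.5.23 dst=203.0.113.7 dport=445 proto=tcp action=deny
ts=2017-05-12T10:00:03Z src=10.0.5.23 dst=198.51.100.19 dport=445 proto=tcp action=deny
ts=2017-05-12T10:00:03Z src=10.0.5.23 dst=192.0.2.44 dport=445 proto=tcp action=deny
ts=2017-05-12T10:00:05Z src=10.0.5.23 dst=203.0.113.88 dport=445 proto=tcp action=deny
ts=2017-05-12T10:00:06Z src=10.0.5.23 dst=10.0.5.31 dport=445 proto=tcp action=allow
ts=2017-05-12T10:00:09Z src=10.0.5.40 dst=10.0.1.5 dport=445 proto=tcp action=allow
ts=2017-05-12T10:00:20Z src=10.0.5.77 dst=203.0.113.250 dport=443 proto=tcp action=allow`

type Event struct {
	Time     time.Time
	Src, Dst string
	DPort    int
}

// ParseLine reads one key=value record; unknown keys are ignored.
func ParseLine(line string) (Event, error) {
	kv := map[string]string{}
	for _, tok := range strings.Fields(line) {
		if p := strings.SplitN(tok, "=", 2); len(p) == 2 {
			kv[p[0]] = p[1]
		}
	}
	ts, err := time.Parse(time.RFC3339, kv["ts"])
	port, perr := strconv.Atoi(kv["dport"])
	if err != nil || perr != nil || kv["src"] == "" || kv["dst"] == "" {
		return Event{}, fmt.Errorf("incomplete or malformed record %q", line)
	}
	return Event{ts, kv["src"], kv["dst"], port}, nil
}

// ScanAlert is a source that reached at least minDistinct distinct destinations on TCP/445 in one window.
type ScanAlert struct {
	Src                    string
	Distinct               int
	WindowStart, WindowEnd time.Time
}

// DetectSMBFanOut keys port-445 attempts by source, sorts each source's timeline and
// slides a window over it, keeping the peak count of distinct destinations.
func DetectSMBFanOut(logText string, window time.Duration, minDistinct int) ([]ScanAlert, error) {
	bySrc := map[string][]Event{}
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		ev, err := ParseLine(sc.Text())
		if err != nil {
			return nil, err
		}
		if ev.DPort == 445 {
			bySrc[ev.Src] = append(bySrc[ev.Src], ev)
		}
	}
	var alerts []ScanAlert
	for src, evs := range bySrc {
		sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
		inWindow := map[string]int{} // destination -> attempts currently inside the window
		best, j := ScanAlert{Src: src}, 0
		for i := range evs {
			// Grow the window end to cover every event within `window` of event i.
			for j < len(evs) && !evs[j].Time.After(evs[i].Time.Add(window)) {
				inWindow[evs[j].Dst]++
				j++
			}
			if len(inWindow) > best.Distinct {
				best.Distinct, best.WindowStart, best.WindowEnd = len(inWindow), evs[i].Time, evs[j-1].Time
			}
			// Slide the window start past event i.
			if inWindow[evs[i].Dst]--; inWindow[evs[i].Dst] == 0 {
				delete(inWindow, evs[i].Dst)
			}
		}
		if best.Distinct >= minDistinct {
			alerts = append(alerts, best)
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Src < alerts[j].Src })
	return alerts, nil
}

func main() {
	alerts, err := DetectSMBFanOut(SampleLog, 60*time.Second, 5)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%s reached %d distinct hosts on 445 between %s and %s\n", a.Src, a.Distinct, a.WindowStart.Format("15:04:05"), a.WindowEnd.Format("15:04:05"))
	}
}
```

Run against the constructed sample with a 60-second window and a threshold of five, it flags only 10.0.5.23; the same data with a one-second window produces nothing, which is the tuning knob to keep in mind when a site has legitimate SMB-heavy hosts such as backup servers.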

So it's not an understatement at all to put the blame squarely on the US Government/NSA. And this is just the beginning: the Shadow Brokers (the hackers who say they hacked the NSA and released its cyber weapons) said they have yet more cyber weapons to release.

World’s worst ransomware attack yet

The recent WannaCry ransomware attack has been described as being the worst attack yet. The cybercriminals who created it have quickly become the world’s most wanted cyber criminals… but let’s talk about who’s responsible here, because the cyber criminals were armed whether intentionally or not by the NSA.

[Image: fbi-most-wanted-hannibal]

By the way, I have been working on a little project that is nearing completion, here’s a little preview of it that I made very quickly using Microsoft GIF Animator:

[Animation: ubobanpreview]

I highly recommend installing uBlock Origin, which will provide you with some protection against an infection through malvertising.

The NSA developed an arsenal of cyber weapons. One of these weaponised exploits is called EternalBlue; it attacks a flaw in Microsoft's SMBv1 implementation (CVE-2017-0144), which Microsoft patched in March 2017 as MS17-010, two months before WannaCry appeared. The NSA's arsenal was both leaked and offered for sale to third parties, including to hacking groups. Recently, a different arsenal of cyberweapons developed separately by the CIA was leaked to Wikileaks (known as Vault 7), who said they would practise responsible disclosure. Responsible (or coordinated) disclosure means giving the specific technical details to the affected software and hardware vendors first so that the vulnerabilities can be patched, telling the public only in broad terms in the meantime, and publishing the full details later. In the case of the NSA's arsenal, it fell into the hands of a hacking group called The Shadow Brokers, who do not believe in responsible disclosure and promptly dumped the cyber weapons directly into the hands of the masses. The Shadow Brokers claim they hacked the NSA and stole the weapons, but however they came to obtain them is irrelevant.

The reason this is the worst ever malware attack is that it has crippled critical infrastructure. This is what every security expert has been worried about. It uses EternalBlue to break into an unpatched machine over SMB and the DoublePulsar kernel implant from the same leak to load itself, then repeats the process against every reachable host with port 445 open. It does not use EsteemAudit, the RDP exploit from the same dump, despite early reports to the contrary. How ordinary users become infected, though, has not yet come to light, but I suspect malvertising may be one culprit.

[Screenshot: wana-decrypt0r]

Ransomware works by encrypting your data with a combination of symmetric and asymmetric encryption. The asymmetric part is RSA, the same principle behind SSL/TLS on the web: there are two keys, call them Key A and Key B. Data encrypted with Key A can only be decrypted with Key B, and data encrypted with Key B can only be decrypted with Key A. RSA on its own is slow and can only encrypt a few hundred bytes at a time, so the files themselves are encrypted with a fast symmetric cipher (AES, in WannaCry's case) under a random key, and it is that key that gets locked with RSA. Ransomware generally generates a unique RSA key pair for each infection. The pair can be generated on the criminals' server far away, or, as WannaCry does, generated locally with the private half immediately encrypted under a second public key that belongs to the criminals and is embedded in the malware. Either way an infected user has no way of obtaining their decryption key: it can't be brute-forced, it can't be extracted from the program, and the only usable copy is in the cybercriminals' hands. (The one known exception attacks Windows' CryptoAPI rather than the maths: on an infected machine that has not been rebooted, tools like wannakey/wanakiwi can sometimes scrape the RSA primes from the memory the API failed to wipe.)
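To make the key handling concrete, here is an added Go example (my illustration, not code from the original post or from WannaCry) of the hybrid scheme the paragraph describes: each document is encrypted with a single-use AES-256-GCM key, that key is wrapped with RSA-OAEP under a per-infection RSA key pair, and the per-infection private key is in turn wrapped under the operator's public key before the plaintext copy is dropped. The function names (Infect, ReleaseKey, Decrypt), the 2048-bit key size and the sample document are assumptions for the example. What it demonstrates is the last step: everything needed to decrypt is sitting on the victim's disk except one private key, and no computation on the victim's side recovers it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Envelope is hybrid encryption: a single-use AES-256-GCM key protects the payload and
// RSA-OAEP protects that key. RSA alone cannot encrypt more than a few hundred bytes.
type Envelope struct {
	WrappedKey, Ciphertext []byte
}

// gcm builds AES-256-GCM; the constructors only fail on bad key sizes, which cannot happen here.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

func seal(pub *rsa.PublicKey, plaintext []byte) (Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return Envelope{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return Envelope{}, err
	}
	g := gcm(key)
	nonce := make([]byte, g.NonceSize()) // the key is used exactly once, so a zero nonce is safe
	return Envelope{wrapped, g.Seal(nil, nonce, plaintext, nil)}, nil
}

// open fails unless priv matches the key used in seal; nothing else unwraps the AES key.
func open(priv *rsa.PrivateKey, e Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, e.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	g := gcm(key)
	return g.Open(nil, make([]byte, g.NonceSize()), e.Ciphertext, nil)
}

// Infection is what the ransomware leaves on disk; the plaintext per-infection private key is never written.
type Infection struct {
	EscrowedPrivKey Envelope // per-infection private key, readable only by the operator
	Document        Envelope // a victim file, readable only with that private key
}

// NewOperatorKey is the criminals' long-term pair; only its public half ships inside the malware.
func NewOperatorKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Infect generates a pair locally (as WannaCry does), escrows its private half
// to the operator and encrypts the document to its public half.
func Infect(operatorPub *rsa.PublicKey, document []byte) (*Infection, error) {
	victim, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	escrow, err := seal(operatorPub, x509.MarshalPKCS1PrivateKey(victim))
	if err != nil {
		return nil, err
	}
	doc, err := seal(&victim.PublicKey, document)
	if err != nil {
		return nil, err
	}
	return &Infection{escrow, doc}, nil // the victim's private key goes out of scope here
}

// ReleaseKey is the step the ransom buys: only the operator's private key opens the escrow.
func ReleaseKey(operatorPriv *rsa.PrivateKey, inf *Infection) (*rsa.PrivateKey, error) {
	der, err := open(operatorPriv, inf.EscrowedPrivKey)
	if err != nil {
		return nil, err
	}
	return x509.ParsePKCS1PrivateKey(der)
}

// Decrypt recovers the document once the per-infection private key is back.
func Decrypt(victimPriv *rsa.PrivateKey, inf *Infection) ([]byte, error) {
	return open(victimPriv, inf.Document)
}

func main() {
	operator, _ := NewOperatorKey()
	inf, _ := Infect(&operator.PublicKey, []byte("constructed sample document"))
	stranger, _ := NewOperatorKey() // anyone who lacks the operator's private key
	_, err := ReleaseKey(stranger, inf)
	fmt.Println("escrow opens without the operator's key:", err == nil)
	k, _ := ReleaseKey(operator, inf)
	pt, _ := Decrypt(k, inf)
	fmt.Printf("after the operator releases the key: %s\n", pt)
}
```

Because the symmetric layer is authenticated (GCM), a tampered or partially overwritten ciphertext is rejected outright rather than decrypting to garbage, which is also why "fixing" an encrypted file by hand is hopeless.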

If you're infected, should you pay up? Well, if your data is worth more to you than $400 and there is no backup to fall back on, yes, you should. Some reports have suggested you have no guarantee of receiving a decryption key. That's true, but generally speaking operators of ransomware do provide the decryption keys when payments are made, because the business model collapses otherwise. WannaCry is a weaker case than usual here: every victim pays into the same three addresses and the operators match payments by hand, so there is no reliable link between your payment and your machine. The situation where you are definitely chancing it is if you manage to get infected with an older piece of malware by a group that's no longer active.

So who should foot the bill for this? I believe the US government should be held to account, and made to pay out the ransoms. They’re the assholes that developed this cyberweapon. This is exactly the reason why the security industry hates the so-called intelligence industry. The correct thing to do when you find a security vulnerability is to do exactly what Wikileaks did with Vault 7: engage in responsible disclosure so that the vulnerabilities can be patched. Think about it this way, the NSA is a foreign intelligence agency that we would classify the same way as any other cyber criminal organisation. If they develop a weapon, then you can bet that someone else – whether in China, in Russia, in India, or elsewhere has also developed it. And even if they haven’t, as we’ve seen time and time again these inevitably get leaked/stolen.

And WannaCry has crippled critical infrastructure, one of the worst possible outcomes of a cyber attack. Hospitals, schools, and telecommunications were taken out purely as a side-effect of its original intention. Had the cyber criminals wanted to, they could have launched a far more vicious attack aimed specifically at critical infrastructure, and if that had been done there could have been thousands of deaths as a consequence: rioting could have broken out in cities across the world if power grids were taken off-line, for example.

You may have heard that a security researcher who calls himself MalwareTech "accidentally" stopped WannaCry from spreading further. Well, that's a half-truth. He did a write-up on his blog about it. In a nutshell, before doing anything else the malware makes an HTTP request to a "random"-looking domain that didn't exist. If the request succeeds it assumes it's being run in an analysis sandbox, because sandboxes commonly fake a successful response to every network request so that they can observe what the malware does next, and it shuts down. In effect it is a kill switch, but not intentionally so. But to say that registering it was accidental is not true: as stated clearly on the blog, it's standard practice to register domains found within malware, as it gives researchers a way to track infections as much as anything else.
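The behaviour discussed in the kill switch section of the post above and in this paragraph (the check passes only if the whole HTTP request succeeds, not merely if the name resolves) is easy to get wrong when judging whether the sinkhole protects a particular network. As an added example, not code from the original post or from the malware, here is a Go model of that decision with the network side injected so it runs offline: FakeProbe, the scenario names and the sinkhole address 192.0.2.10 (a TEST-NET address, not the real sinkhole) are assumptions. The third scenario is the one to note: a host that can resolve names but has no direct outbound HTTP, typically one behind a web proxy, behaves exactly as if the domain had never been registered.

```go
package main

import (
	"errors"
	"fmt"
)

// KillSwitchDomain is the domain hard-coded in the first WannaCry sample.
const KillSwitchDomain = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

// Probe is the network side of the check, injected so the logic runs offline.
// The real sample did both steps in one WinINet InternetOpenUrl call; splitting
// them here just makes the two different ways the check can fail visible.
type Probe interface {
	Resolve(host string) (string, error) // DNS: name -> address
	Fetch(addr string) error             // TCP connect plus HTTP GET to that address
}

// ShouldDetonate mirrors the sample's decision: it stops only when the whole
// request succeeds. Any failure, DNS or transport, means the payload runs.
func ShouldDetonate(p Probe, domain string) (detonate bool, why string) {
	addr, err := p.Resolve(domain)
	if err != nil {
		return true, "lookup failed (" + err.Error() + "): payload runs"
	}
	if err := p.Fetch(addr); err != nil {
		return true, "resolved to " + addr + " but request failed (" + err.Error() + "): payload runs"
	}
	return false, "request to " + addr + " succeeded: worm exits before infecting or encrypting"
}

// FakeProbe models one network environment. Assumed values, not captured data.
type FakeProbe struct {
	DNS       map[string]string // what the host's resolver answers
	Reachable map[string]bool   // whether an HTTP request to that address gets through
}

func (f FakeProbe) Resolve(host string) (string, error) {
	if addr, ok := f.DNS[host]; ok {
		return addr, nil
	}
	return "", errors.New("NXDOMAIN")
}

func (f FakeProbe) Fetch(addr string) error {
	if f.Reachable[addr] {
		return nil
	}
	return errors.New("connection refused or blocked")
}

func main() {
	const sinkhole = "192.0.2.10" // assumed address (TEST-NET-1), not the real sinkhole
	sinkholed := map[string]string{KillSwitchDomain: sinkhole}
	scenarios := []struct {
		name string
		env  Probe
	}{
		{"domain unregistered (before the sinkhole)", FakeProbe{}},
		{"sinkhole up, direct outbound HTTP allowed", FakeProbe{DNS: sinkholed, Reachable: map[string]bool{sinkhole: true}}},
		{"sinkhole up, host can only reach the web via a proxy", FakeProbe{DNS: sinkholed}},
		{"DNS filter answers with a block-page address that does not listen", FakeProbe{DNS: map[string]string{KillSwitchDomain: "192.0.2.99"}}},
	}
	for _, s := range scenarios {
		d, why := ShouldDetonate(s.env, KillSwitchDomain)
		fmt.Printf("%-66s detonate=%-5v %s\n", s.name, d, why)
	}
}
```

The practical reading of the third and fourth scenarios: a sinkhole that only answers DNS, a DNS-filtering product that returns a block-page address, or a network that forces all web traffic through a proxy all leave the check failing, and a failing check is what lets the worm run.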

Alien: Covenant review (spoiler free)

Alien (1979) is a seminal film. It is one of the rare horror films of its time to be made by a director who was later welcomed to make films outside of the horror genre. This cannot be overstated: working in the horror genre at that time was literally the kiss of death for your career as an actor, or as a director. The prejudice against the horror genre permeated so deeply that many great movie ideas were simply never made. And many great directors like the late Wes Craven were never welcome to make movies outside of the horror genre. The late David Hess talked about the prejudice against him for playing villains in horror films. So making Alien was a huge risk for Ridley Scott's career and for Sigourney Weaver and the rest of the cast.

Now you might think that’s where the story ends – no. We move to Aliens, and I can’t say why, but Aliens is a pure action film with no horror elements to it. Some people use the word “thriller”, but I think thriller can be split into two genres – there are action thrillers, which is what Aliens is, and there are drama thrillers which is what Silence of the Lambs, and Alien 3 are for example. So with Aliens we had a director that basically didn’t take chances. He didn’t want to advance the story, he just wanted to make a generic action based story in the Alien universe. Aliens works very well as an action film, and is actually quite a fine sequel.

Alien 3 brought the series back to its drama-thriller roots. It's a good film, but it failed to live up to the quality of the original. And many people were expecting another action film to follow Aliens, and didn't want the film back in the horror genre. But it did have a strong cast, and a coherent story. Alien Resurrection is a generic action film with few redeeming qualities. Disappointingly, Resurrection tries to re-make specific scenes from the first two Alien films with varying degrees of success. Winona Ryder as Resurrection's android Annalee Call was bland, unconvincing, and uninteresting.

Finally we came to Prometheus. Prometheus restructured the narrative of the Alien universe. It brought the revelation that life on Earth was created by Engineers. Many critics scoffed at this, which I think is a mistake because these films are science fiction and need to have room to define their own rules. Many also didn't like its unanswered questions, but I think those were fine. Prometheus brought the series full circle back to its roots. Its true roots, that is, including the exploration of unknown outer space. The film is not perfect and could have been improved by showing a bit more restraint and spreading the narrative elements so they unfold more organically. Guy Pearce was completely miscast as Peter Weyland, and the make-up was unconvincing. However Michael Fassbender is absolutely amazing as the film's android David, and Noomi Rapace was a very strong lead.

Alien: Covenant was fucking great! I am struggling to find some negative points to make about this film. The only negative I can say is it’s a bit formulaic, but I won’t hold that against it as it’s easier to see that in retrospect. Michael Fassbender is amazing, this time playing two androids – the original David, and Walter. Some incorrect reports have said they’re the same model, that’s not true – Walter is a newer model but looks the same. The very real problem in AI development of how do we realistically implement safeguards into AI so that we remain in control has not been solved to this day. This is the same premise behind Terminator, and the Matrix, and of course the original Alien where Ash was willing to obey orders above the safety, welfare, or interests of the crew. Remember though, even though Walter and David are very different, they are not as advanced as Ash – and Ash was happy to follow his orders and let the entire crew die to the Xenomorph.

This movie stayed on track from the first act to the final scene. It didn't deviate or present unnecessary hyperbole to advance the plot and get its point across. It does still rely on people making stupid decisions though. David's evolution from the curious android in Prometheus who distrusts humans to his new home where he has used the Engineers to continue his agenda progresses his character flawlessly. Walter rightly does not trust David, but perhaps perplexingly he fails to alert his crew to his suspicions; he is after all only synthetic. The interesting reverence David has for Elizabeth is also worth an honourable mention: he holds nothing but love and admiration for her and it's very clear why this is so, yet it's a selfish love that he holds and he does not reciprocate it. I only wish that these nuances could have been teased out a bit further. Great films leave you wanting a bit more in places, and the cognitive limitations that androids in the Alien universe have are fascinating, and attest to the film's ability to draw us into its world so deeply that we want to find out more!

The film was not afraid to continue developing the new ideas presented in Prometheus. It would have been a great shame to see these ideas abandoned in favour of only pursuing the original Xenomorph and face-hugger. Even though there were some issues with Prometheus, expanding the Alien universe to include the Engineers and goo was genius. A very well made film and a fine addition to the Alien filmography.

5 Stars

Trump and Turnbull

Watch this:

[Video: White House]

I love this video. This video sums up everything that’s wrong with Turnbull. Here he is sitting across from one of the most ridiculous first-world State leaders in our generation, and he’s listening to him spew his bullshit. To bring my international readers up-to-speed, Turnbull is well educated, highly intelligent, and knows a lot about history. All the things Trump knows nothing about.

The expression on his face says everything. It says “I can’t believe I have to sit here and listen to this man’s bullshit… I’ll just smile and nod”. You can see he just wants to shake his head, roll his eyes and walk out. Grow some fucking balls Turnbull. The only reason that people aren’t going to lampoon you for being as blissfully uninformed as Trump is because we know you’re smarter than that – why not fucking tell Trump to his face when he spews out bullshit?

Trump: “We’ve been allies for 99 years”

Turnbull: “Yep”

Trump: “Can you imagine that? 99 years”

What the fuck Turnbull? Perhaps he was stunned by Trump’s blatant stupidity? We’ve been formal allies, counting the ANZUS Treaty as the start, for 65 years. And it’s an archaic outdated alliance anyway. More Australians have a negative view of the US than have a positive view. Because the US is a fucking inhumane disgrace of a country that practices the death penalty, criminalises prostitution, and has worse gun violence than any other first world country.

Trump: “Right now we have a failing healthcare … you have better healthcare than we do”

Well – maybe. I think it’s funny that people seem to claim to know whether one country’s healthcare system is “better” than another, and it’s really difficult to objectively measure. The World Health Organization last ranked countries in 2000 – that’s 17 years ago. What is true however, is that the US healthcare system is grossly overpriced – the US spends greater than 18% of GDP on healthcare services, whereas the rest of the industrialised world spends 9-12%. I don’t see how you can possibly implement a universal healthcare system in the US in a single term of government and not expect to see a huge recession. Reducing healthcare spending from 18% to 12% would result in a lot of job losses, and also many doctors, surgeons, and nurses would have to face pay cuts and/or stagnant wages. That’s a reality because governments and insurers pay less for health services than private citizens do – and you can check that fact if you want. It’s similar in Australia with GPs that bulk-bill vs those that charge a consultation fee, except that in the US there are just many more health services. For example if you need heart surgery and you are covered by an insurance policy in the US, then the insurer will pay out a set amount to the hospital for the service. A private citizen however might be charged much more because he’ll be dealing with a surgeon that charges whatever he wants and doesn’t perform surgeries for insurance companies.

The issue in the US isn’t the quality per se of the healthcare, it’s the accessibility for essential health services, affordability, and the fact that people have to rely on insurance policies. The failure of the US health system is that it doesn’t cover everyone, and (prior to Obamacare) insurance companies didn’t have to cover “high risk patients” (those that had pre-existing health conditions), or could charge people with pre-existing health conditions more than people without. Obama of course lied when he claimed premiums wouldn’t go up – you can’t cover all the high-risk patients and expect premiums to stay the same!! Now, don’t get me wrong, the US absolutely should bring in universal healthcare. But it won’t be a purely straightforward process.

Anyway, Turnbull grow some fucking balls and tell the man that his healthcare plan is fucking atrocious.