Google Translate poses a security risk.

Posted on November 11, 2019
Filed Under Technology

There are plenty of articles detailing why it’s not safe to translate sensitive internal business documents using Google Translate.  Most of them discuss accuracy and confidentiality.  But Google Translate is also dangerous because it acts as a proxy by design, and that creates a security issue.  You can plug in a URL in any language, including English, and Google will fetch and display the contents of the site.  This undermines any corporate security measures put in place to keep employees away from blocked or compromised sites.  The answer is a translation service, from Google or a competitor, built for business: one with administrative and user authentication, logging of which sites are translated, and monitoring of documents uploaded for translation.  It would also be a revenue generator for the first service to offer such administrative translation controls.
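One way to keep the translate-as-proxy trick from defeating a URL filter is to evaluate the filter against the destination embedded in the Translate request rather than against translate.google.com.  The following is an added example, not code from this post; the two Translate URL shapes it parses, the blocklist and the log lines are assumptions constructed for the demonstration.

```python
"""Flag proxy-log entries where Google Translate is used as a proxy to reach another
site, and recover the real destination so the corporate URL filter applies to it.
Added example for this post, not the author's code.  Assumed URL shapes:
translate.google.com/translate?...&u=<url>, and the origin host written with dots
as hyphens under .translate.goog; extend the patterns if your logs show others."""
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed blocklist standing in for the corporate URL filter.
BLOCKED_HOSTS = {"blocked.example", "compromised.example"}

def translated_target(url: str) -> Optional[str]:
    """Return the origin URL a Translate-proxied request points at, else None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    # Form 1: the destination rides in the 'u' query parameter.
    if host.endswith("translate.google.com") and parts.path == "/translate":
        target = parse_qs(parts.query).get("u")
        return target[0] if target else None
    # Form 2: origin host encoded in the subdomain ("." -> "-", "-" -> "--").
    # Assumption: undo that encoding, treating a doubled hyphen as a literal one.
    if host.endswith(".translate.goog"):
        encoded = host[: -len(".translate.goog")]
        origin = encoded.replace("--", "\x00").replace("-", ".").replace("\x00", "-")
        return f"{parts.scheme or 'https'}://{origin}{parts.path or '/'}"
    return None

def filter_verdict(url: str) -> Tuple[str, str]:
    """Apply the blocklist to the effective destination.  The verdict
    'block-via-translate' keeps the bypass attempt visible in the audit log."""
    target = translated_target(url)
    effective = target or url
    if (urlsplit(effective).hostname or "") in BLOCKED_HOSTS:
        return ("block-via-translate" if target else "block", effective)
    return ("allow", effective)

# Constructed proxy log lines: "<user> <requested-url>".
SAMPLE_LOG = [
    "alice https://translate.google.com/translate?sl=auto&tl=en&u=https://blocked.example/report.html",
    "bob https://compromised-example.translate.goog/login?_x_tr_sl=de&_x_tr_tl=en",
    "carol https://translate.google.com/?sl=fr&tl=en&text=bonjour",
    "dave https://blocked.example/",
]

def audit(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (user, verdict, effective_url) for each log line."""
    return [(user,) + filter_verdict(url)
            for user, url in (line.split(" ", 1) for line in lines)]
```

Running `audit(SAMPLE_LOG)` shows that plain text translation (carol) is allowed while both proxied requests are blocked with the same decision the filter would make for the direct request.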

Can I decrypt files encrypted by RYUK? Is it possible to decrypt .ryk files?

Posted on October 29, 2019
Filed Under Technology

No.  There is no decryptor for RYUK at the time of this post.  If you need the file(s) and don’t have a backup, you will need to reach out and pay the ransom for a decryption key.

Details of a ransomware attack and a way to thwart the ransom. Don’t plan to pay. Plan to recover.

Posted on July 9, 2019
Filed Under Technology

Here are the basic steps in a ransomware attack and how vulnerable people and ports are used to accommodate the attacker.  Each of these conditions must be met.

  1. The attacker relies on stolen credentials.  The credentials are harvested by viruses delivering malware; in recent attacks, specifically, Emotet has been the delivery agent for the Trickbot trojan.  All too easy with users susceptible to social engineering.
  2. Trickbot moves laterally across systems, relying on SMB to navigate the network as it steals passwords, mail files, registry keys and more.  It communicates the stolen material back to the bad actor, the black hat.
  3. Next, Trickbot might launch the Empire PowerShell backdoor and download the Ryuk virus on the black hat’s command.  Armed with harvested credentials, the black hat is now ready to execute Ryuk and encrypt files at will.
  4. The black hat scans for any vulnerable port of entry on an external interface.

┌─[blackhat@parrot]─[~]
└──╼ $nmap -Pn -p 8443 xxx.123.xxx.456
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-09 16:47 EDT
Nmap scan report for system.contoso.com (xxx.123.xxx.456)
Host is up (0.029s latency).
PORT     STATE SERVICE
8443/tcp open  https-alt

Once a port of entry is found, in this case a very common and vulnerable port used as a remote access interface, the black hat can use the stolen credentials to log in to the network and rely on protocols such as SMB and RDP to access and exploit systems on the network, launching Ryuk to encrypt files on select systems, typically all of them.  Azure?  Too bad, encrypted.  Active Directory authenticated AWS?  Ouch.ryk, every file owned.  Once the damage is found you’ll need to recover.

So how can you protect systems and most importantly backups so that rapid recovery, the best response to a live attack, remains possible?

Note: I did not specify anything related to archiving and compliance backups because, while essential for certain industries and disaster situations, they are not specific to rapid recovery in the event of any malicious disaster in which physical hardware assets are not compromised.

Once you are able to quickly restore a virtual machine or physical system from a recent snapshot or bare-metal recovery, file copies of data files and database backups can be moved into place to bring the system up to the most current backup set.  Daily is usually the best most small to medium “enterprises” can achieve.  With added expense in resources and configuration, backups can be run more frequently.  Unfortunately, even hourly database log shipping won’t save a database from an encryption attack.  As my last point emphasized, unless log files are being offloaded in hourly increments to storage appliances that do not accept domain-level authentication, they aren’t safe.  As always, the question of investment becomes: how much can you afford to lose?
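To make that trade-off concrete, here is an added example (not the post author's code) that works out the recovery point after a ransomware run made with stolen domain credentials: any copy on storage that accepts domain authentication is treated as lost along with the servers.  The backup inventory and the `domain_auth_reachable` flag are constructed assumptions.

```python
"""Carry the post's backup argument through as code: a ransomware run made with
stolen domain credentials reaches every backup copy held on storage that trusts
domain authentication, so the usable recovery point is the newest copy on
storage that does not.  Added example for this post, not the author's code; the
backup inventory below is constructed and the field names are my own."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

@dataclass
class BackupCopy:
    name: str
    taken_at: datetime
    domain_auth_reachable: bool  # storage accepts the same AD credentials as the servers

def triage(copies: List[BackupCopy], compromise_at: datetime) -> Tuple[List[BackupCopy], List[BackupCopy]]:
    """Split copies into (survivors, lost).  A copy is lost if the attacker's
    domain credentials could reach it, or if it was written after the attack
    began (it may already contain encrypted data)."""
    survivors = [c for c in copies
                 if not c.domain_auth_reachable and c.taken_at <= compromise_at]
    lost = [c for c in copies if c not in survivors]
    return survivors, lost

def recovery_point(copies, compromise_at) -> Tuple[Optional[BackupCopy], Optional[timedelta]]:
    """Newest surviving copy and the data-loss window back to it."""
    survivors, _ = triage(copies, compromise_at)
    if not survivors:
        return None, None
    newest = max(survivors, key=lambda c: c.taken_at)
    return newest, compromise_at - newest.taken_at

# Constructed inventory: a nightly full on an isolated appliance plus hourly
# transaction-log shipments to a domain-joined file share.
T0 = datetime(2019, 7, 9, 0, 0)
NIGHTLY = BackupCopy("nightly-full", T0, domain_auth_reachable=False)
LOG_SHIPS = [BackupCopy(f"log-ship-{h:02d}", T0 + timedelta(hours=h), domain_auth_reachable=True)
             for h in range(1, 16)]
ATTACK_AT = datetime(2019, 7, 9, 15, 30)

def loss_hours(copies: List[BackupCopy], compromise_at: datetime = ATTACK_AT) -> Optional[float]:
    """Data-loss window in hours, or None when nothing survives."""
    _, window = recovery_point(copies, compromise_at)
    return None if window is None else window.total_seconds() / 3600

if __name__ == "__main__":
    print("Domain-joined log share:", loss_hours([NIGHTLY] + LOG_SHIPS))  # 15.5
    isolated = [BackupCopy(c.name, c.taken_at, False) for c in LOG_SHIPS]
    print("Isolated log target:    ", loss_hours([NIGHTLY] + isolated))   # 0.5
```

With the log share domain-joined, fifteen hourly shipments buy nothing and the loss window is the full 15.5 hours back to the nightly full; moving the same shipments to storage the domain cannot reach brings it down to half an hour.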

The best defense against ransomware is a good offence in the form of rapid recovery.  Since these exploits rely on social engineering (gullible people) you can never pretend your network is free of vulnerabilities.  Don’t just design your backup and recovery environment in case something happens.  Make sure it’s tested for when it happens.

First to choose seats for Avengers End Game.

Posted on April 25, 2019
Filed Under General

Chicago Riverfront

Posted on April 15, 2019
Filed Under General

Chicago Architecture

Posted on April 15, 2019
Filed Under General

Chicago Architecture

Posted on April 15, 2019
Filed Under General

I can’t get tired of big cities. Love em.

Posted on April 15, 2019
Filed Under General

Big Damn Tiger

Posted on March 1, 2019
Filed Under General

Silver Sand Bar King

Posted on March 1, 2019
Filed Under General
