As the resident computer “guru emeritus” in our family, I often get questions from family members about computers, particularly computer security. I’m not a Windows expert by any means, though I was briefly a Windows NT sysadmin in the mid 1990s, and the Unix and GNU/Linux systems for which I was responsible had to coexist with, but remain independent of, Windows Server Active Directory domains throughout the first decade of this century. As the latest hacker disaster to befall the Windows world sweeps across the planet, I got this request from a cousin:
I was wondering whether you had any advice for us Microsoft PC users and the cyber attack which they predict is rolling our way. We don’t do online banking or bill-paying. We do have a lot of pictures and documents. Most of the pictures I have on a flash drive. Do you think they will only hit the institutions? Sounds like Europe was not prepared and was operating on an old system. Hopefully our country has a “heads up” to protect our government institutions, airports and banks.
We haven’t fired up our two Windows 10 instances since the news (one is Judy’s new laptop, which runs Linux from a thumb drive “all the time,” the other is a refurbished desktop we only use for TurboTax). But, when we do, the first thing will be to grab the security patches from M$FT.
1) Always install Microsoft updates as soon as they are released.
2) Any machine that is directly connected to the Internet (i.e., plugged straight into your DSL or cable modem rather than sitting behind a router) is in immediate danger. So is any machine whose router firewall is turned off, or for which port forwarding is turned on for a vulnerable port. The “bad guys” run bots that scan the entire Internet looking for open ports to break into. The machine that handles our webcam has port 8080 (redirected to 80 internally) and port 22 (SSH, so I can log in to our systems remotely) open: the logs show hundreds of break-in attempts every day. Naturally, we accept SSH logins only from accounts that authenticate with a key (no passwords), and we don’t write web applications vulnerable to code injection. Once an attacker gets a foothold on any machine on the internal network, the firewall no longer protects the rest: every machine behind it is reachable. We got hacked last year because I reinstalled the system and didn’t disable the default accounts before putting it back on the network. At the observed rate of attacks, a few minutes’ exposure is all it takes to be compromised.
3) Downloaded programs, including mislabeled email attachments and web links, can deliver malware that takes over your machine. The ransomware currently in the news can get in through an open port without any help from the user, but it also spreads through “Trojans” (files that look like something you want, or look innocent, but aren’t). A firewall won’t help if you invite them in. The most common lure is a notice that appears to come from your bank, credit card company or utility, asking you to open an attachment or click a link to see the notice or respond. Since modern email apps and web browsers tend to hide the full message headers and the real URL behind a link, it is very difficult to tell which ones are fake. Misspellings and vague, non-specific wording are tell-tale signs, but the safe approach is never to use the link in the message: open your browser, log in to the account the way you normally do, and check there whether the notice is legitimate.
4) Linux, macOS and iOS are much less vulnerable, as they are inherently more secure and a minority target (except for servers and routers, which is why our Linux gateway gets attacked so much). Security updates are also distributed much more promptly. Android devices, which are Linux-based but tend not to receive updates regularly, have become vulnerable. Older routers may also be vulnerable: make sure that remote (Internet-side) login and configuration is disabled. Newer routers may be configured for automatic firmware upgrades, but still should not allow login from the outside.
5) As always, good passwords are essential. Don’t use non-HTTPS web sites on public wifi, especially on a network that uses a web-page (captive portal) login rather than a wifi connection password: those networks are typically unencrypted, so anyone nearby can read plain HTTP traffic. Anything that is convenient or intuitive is probably not safe. [See #9 below for more detail]
6) If you must use Windows, do keep up your virus protection subscription, even though the worst attacks may slip past it undetected.
7) If you don’t already do so, buy a USB hard drive larger than your computer’s hard drive and back up your computer regularly, or subscribe to a cloud service for your important files, photos and documents. Keep the backup drive unplugged except while backing up: ransomware encrypts every drive it can reach, including an attached USB drive, and a backup you have never tried to restore from is not really a backup. Even if you don’t get hacked, hard drives have a half-life of about 3-5 years and fail with alarming frequency. Fans die and fry your machine, too: even if the hard drive is still OK, professional file recovery is expensive (an external drive dock compatible with your hard drives is a good investment if you know how to use it). Keep in mind that laptop hard drives are often encrypted, so the data can’t be recovered easily if the drive is removed from the computer.
8) Just say “no” to Microsoft… I know, almost impossible. We use iOS (iPad, iPhone) and Linux exclusively for Internet use, but still need to fire up Windows now and then and put them on the Internet for Microsoft and other vendor updates, and file taxes, so we share the same dread as everyone else, plus the other burdens of keeping servers and web apps secure.
9) As more details of the WannaCry ransomware outbreak emerge, it appears that the primary attack is through SMB (Server Message Block), the file-sharing protocol used by Microsoft Windows. If you have enabled file sharing between computers, or simply have the service running (it usually is, even if you never connect to other computers on your network), you are vulnerable until patched. Even if your home network is secure, i.e., you connect through a router with the firewall turned on, using a laptop on a public network can expose you, because the other machines on that network can reach your SMB port directly. Needless to say, your own WiFi router needs to have a strong WPA2 password. If you have old equipment that uses WEP or no security, upgrade or reconfigure your network now. Even if guest networks (motels, restaurants, coffee shops, businesses, etc.) use WPA2, you may be exposed to attack by other users (or compromised equipment) on the same network: WPA2 keeps outsiders off the network, not the other people on it. If in doubt, use your smartphone’s data plan on the cellular network instead of your laptop on wifi, or use the cellular connection rather than wifi on your hand-held.
10) The latest information on computer exploits, although technical, is always available on http://www.US-CERT.gov, the United States Computer Emergency Readiness Team, a branch of Homeland Security. This site will have information on severity, what systems are affected, and links to security fixes.
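The “hundreds of break-in attempts every day” in item 2 are visible in the SSH server’s log. The following is an added example, not part of the original post: it reads sshd lines in the usual syslog format, counts failed password attempts per source address, lists the usernames each address tried, and checks that every accepted login used a key rather than a password (which is what you would expect once password logins are turned off). The log lines are constructed for the example, and the threshold of three failures is an arbitrary assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of sshd lines in syslog format (not real log data).
SAMPLE_LOG = """\
May 13 03:12:01 gateway sshd[2201]: Invalid user admin from 203.0.113.7 port 51234
May 13 03:12:03 gateway sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
May 13 03:12:09 gateway sshd[2207]: Failed password for root from 203.0.113.7 port 51240 ssh2
May 13 03:12:15 gateway sshd[2210]: Failed password for root from 203.0.113.7 port 51244 ssh2
May 13 03:14:22 gateway sshd[2244]: Failed password for pi from 198.51.100.23 port 40010 ssh2
May 13 03:20:41 gateway sshd[2301]: Accepted publickey for judy from 192.0.2.10 port 55012 ssh2: RSA SHA256:abc
May 13 03:21:05 gateway sshd[2310]: Failed password for invalid user test from 203.0.113.7 port 51300 ssh2
"""

# "Failed password for [invalid user] NAME from IP port N ssh2"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)
# "Accepted METHOD for NAME from IP ..."
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+)"
)


def summarize(log_text):
    """Return (failed attempts per IP, usernames tried per IP, accepted logins)."""
    failed = Counter()
    users = defaultdict(set)
    accepted = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m["user"], m["ip"], m["method"]))
    return failed, users, accepted


def attackers(log_text, threshold=3):
    """IPs with at least `threshold` failed password attempts (assumed cutoff),
    mapped to (count, sorted usernames tried)."""
    failed, users, _ = summarize(log_text)
    return {ip: (n, sorted(users[ip])) for ip, n in failed.items() if n >= threshold}


def password_logins(log_text):
    """Accepted logins that used a password rather than a key. This should be
    empty on a server configured with PasswordAuthentication no."""
    _, _, accepted = summarize(log_text)
    return [a for a in accepted if a[2] == "password"]


if __name__ == "__main__":
    for ip, (n, names) in attackers(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins, usernames tried: {', '.join(names)}")
    print("password logins:", password_logins(SAMPLE_LOG) or "none")
```

Pointed at a real `/var/log/auth.log` this is a rough version of what tools like fail2ban do automatically; the more useful check is `password_logins`, since a non-empty result means the server is still accepting the credentials the bots are guessing.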
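Item 7 recommends regular backups. A backup is only useful if it is intact when you need it, so this added example (mine, not from the original post) copies a directory tree to a backup location, records a SHA-256 hash for every file in a manifest, and verifies the copy against that manifest; `demo` then overwrites one backed-up file, the way ransomware would on a drive it can reach, and shows the verification catching it. Paths, file contents and the manifest file name are all constructed for the example.

```python
import hashlib
import json
import os
import shutil
import tempfile

MANIFEST = "backup-manifest.json"  # assumed name, stored at the top of the backup


def sha256_of(path):
    """Hash a file in chunks so large photos and videos don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def backup(src, dst):
    """Copy the tree at src to dst and record a SHA-256 per file in a manifest."""
    manifest = {}
    for root, _dirs, files in os.walk(src):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, src)
            target = os.path.join(dst, rel)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            shutil.copy2(full, target)          # copy2 keeps timestamps
            manifest[rel] = sha256_of(target)   # hash the copy, not the original
    with open(os.path.join(dst, MANIFEST), "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)
    return manifest


def verify(dst):
    """Return the relative paths whose current hash differs from the manifest
    (or which are missing). An empty list means the backup is intact."""
    with open(os.path.join(dst, MANIFEST)) as f:
        manifest = json.load(f)
    bad = []
    for rel, digest in manifest.items():
        path = os.path.join(dst, rel)
        if not os.path.exists(path) or sha256_of(path) != digest:
            bad.append(rel)
    return sorted(bad)


def demo():
    """Back up a constructed directory, then corrupt one copy and re-verify."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        os.makedirs(os.path.join(src, "photos"))
        with open(os.path.join(src, "photos", "cat.jpg"), "wb") as f:
            f.write(b"\xff\xd8fake-jpeg-bytes")      # constructed content
        with open(os.path.join(src, "taxes.txt"), "w") as f:
            f.write("2016 return\n")
        backup(src, dst)
        clean = verify(dst)
        # Simulate what ransomware does to a reachable drive: overwrite a file.
        with open(os.path.join(dst, "taxes.txt"), "w") as f:
            f.write("ENCRYPTED\n")
        damaged = verify(dst)
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("before tampering:", clean or "all files intact")
    print("after tampering: ", damaged)
```

Run `verify` on the USB drive each time you plug it in to back up, before overwriting the previous copy. If it reports damage, the drive (or the machine it was attached to) has a problem that you want to know about while the originals still exist.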
Lastly, if you are hacked, the only reliable recourse is to wipe the disk, reformat, reinstall the operating system and restore your data files from backup. If you don’t have a backup, it may be possible for a file recovery technician to boot your machine into a safe operating system (such as Linux) from an external USB drive, mount the internal drive read-only as data, and copy off your files (if the drive has not been corrupted or encrypted by the attack), but it is generally not possible to reliably remove the attacker’s files and repair the operating system without a complete wipe and reinstall. If the attack is ransomware, the encrypted data is not recoverable without the attacker’s decryption key. Even if you pay the ransom and do get your data back, the disk still needs to be wiped and reformatted, and the machine must not go back on a network until the security fixes have been applied.
If you are curious about the concept of ransomware, hacking in general, and enjoy a good read, check out Neal Stephenson’s novel “REAMDE,” a techno-thriller about ransomware that attacks users of an on-line multi-user game. The characters include a credit-card thief (briefly), the game designer, Russian mafia, the Chinese hacker, and a Polish white-hat hacker, and the action flows from Seattle to China, Canada, and Montana. Warning: heavy on computer and gaming cultural references. Neal knows his stuff–it’s all realistic tech, if fantastic and wacky.