Unoffical empeg BBS

Quick Links: Empeg FAQ | Software | RioCar.Org | Hijack | jEmplode | emphatic
Repairs: Repairs | Addons: Eutronix | Cases

Topic Options
#370320 - 05/01/2018 18:22 Ransomware recovery
tahir
pooh-bah

Registered: 27/02/2004
Posts: 1734
Loc: London
We've had a ransomware attack on our Windows 2012 Server which is fine as we have backups of everything (I thought), unfortunately there's one folder which we don't have backups of and it contains the data files for our payroll data. They've all been encrypted with the following extension:

.id-E40940C2.[decrypthelp@qq.com].java

Data restore on everything else is going well, but is there any way of decrypting these files?


Edited by tahir (05/01/2018 18:23)

Top
#370321 - 05/01/2018 18:46 Re: Ransomware recovery [Re: tahir]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 13866
Loc: Canada
No data-recovery info here, but this link does discuss other things that need to be tidied up when getting rid of that flavour of ransomware:

http://www.virusresearch.org/black-mirrorqq-com-ransomware-virus-removal/

Top
#370322 - 05/01/2018 18:48 Re: Ransomware recovery [Re: tahir]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 13866
Loc: Canada
And this link appears to have the same kind of info, plus some hints/pointers to ways that might get the data back:

https://howtoremove.guide/how-to-decrypt-ransomware/

Top
#370323 - 05/01/2018 18:56 Re: Ransomware recovery [Re: tahir]
tahir
pooh-bah

Registered: 27/02/2004
Posts: 1734
Loc: London
Thanks

Top
#370361 - 09/01/2018 12:59 Re: Ransomware recovery [Re: tahir]
tahir
pooh-bah

Registered: 27/02/2004
Posts: 1734
Loc: London
Almost recovered everything now, it was a hacker that had logged into our system via rdp.

Top
#370362 - 09/01/2018 14:12 Re: Ransomware recovery [Re: tahir]
andy
carpal tunnel

Registered: 10/06/1999
Posts: 5746
Loc: Wivenhoe, Essex, UK
Did you have an insecure password or was it some sort of rdp vulnerability ?
_________________________
Remind me to change my signature to something more interesting someday

Top
#370363 - 09/01/2018 15:38 Re: Ransomware recovery [Re: tahir]
tahir
pooh-bah

Registered: 27/02/2004
Posts: 1734
Loc: London
Insecure password, will be looking at all our options now

Top
#370364 - 09/01/2018 17:43 Re: Ransomware recovery [Re: tahir]
tanstaafl.
carpal tunnel

Registered: 08/07/1999
Posts: 5356
Loc: Ajijic, Mexico
Originally Posted By: tahir
Insecure password, will be looking at all our options now
In your world, what constitutes an insecure password?

I know of two schools of thought about password security. I use LastPass generated passwords like 95Gd33#tWzM6 that are supposedly secure. Others say that a password like "This is my new password for my bank account and nobody will ever figure it out!" is actually more secure against a brute-force attack, with (counting upper/lower case, numbers, and special characters) something like 72 to the 79th power possible solutions. (79 characters, each with 72 possibilities).

I imagine you have been giving considerable thought to password security lately, what are your thoughts on this?

tanstaafl.
_________________________
"There Ain't No Such Thing As A Free Lunch"

Top
#370366 - 09/01/2018 18:00 Re: Ransomware recovery [Re: tahir]
andy
carpal tunnel

Registered: 10/06/1999
Posts: 5746
Loc: Wivenhoe, Essex, UK
The word one would be potentially more secure, if it actually used random words and the exclamation point was at a random location.

When word based passwords are recommended as being secure, they don’t mean English sentences. Google diceware
_________________________
Remind me to change my signature to something more interesting someday

Top
#370368 - 09/01/2018 18:01 Re: Ransomware recovery [Re: tanstaafl.]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31149
Loc: Seattle, WA
You've seen this, right?
_________________________
Tony Fabris

Top
#370369 - 09/01/2018 18:01 Re: Ransomware recovery [Re: tahir]
andy
carpal tunnel

Registered: 10/06/1999
Posts: 5746
Loc: Wivenhoe, Essex, UK
But the random gibberish password manager ones are very secure, if they are long. You really want 20 characters or so to plan for the future.
_________________________
Remind me to change my signature to something more interesting someday

Top
#370372 - 09/01/2018 18:14 Re: Ransomware recovery [Re: andy]
andy
carpal tunnel

Registered: 10/06/1999
Posts: 5746
Loc: Wivenhoe, Essex, UK
If you are going for word based passwords your passwords need to look more like:

rhode-newsman!compel-pulse-facedown-Burnout

I use passwords like that for my Apple ID, 1Password and Dropbox passwords. Then everything else is 20 random character stored on DropBox and accessed via 1Password.


Edited by andy (09/01/2018 18:15)
_________________________
Remind me to change my signature to something more interesting someday

Top
#370373 - 09/01/2018 18:16 Re: Ransomware recovery [Re: tfabris]
tahir
pooh-bah

Registered: 27/02/2004
Posts: 1734
Loc: London
Originally Posted By: tfabris
You've seen this, right?


Thanks Tony smile

Top
#370374 - 09/01/2018 18:19 Re: Ransomware recovery [Re: andy]
tahir
pooh-bah

Registered: 27/02/2004
Posts: 1734
Loc: London
Originally Posted By: andy
If you are going for word based passwords your passwords need to look more like:

rhode-newsman!compel-pulse-facedown-Burnout

I use passwords like that for my Apple ID, 1Password and Dropbox passwords. Then everything else is 20 random character stored on DropBox and accessed via 1Password.


Yes, trouble is getting users to remember them without emailing themselves an email with subject "Password".

We've stopped all external access to the server for now and when we reinstate it'll probably be through a VPN.

Passwords are tricky, will have to think of a sensible way. Maybe two random words with a random character in between?

Top
#370375 - 09/01/2018 18:48 Re: Ransomware recovery [Re: tanstaafl.]
Faolan
journeyman

Registered: 08/11/2017
Posts: 61
Originally Posted By: tanstaafl.
Originally Posted By: tahir
Insecure password, will be looking at all our options now
In your world, what constitutes an insecure password?

The existence of a password constitutes an insecure one. Brute force methods have been pretty easy for a while now if one has the hashed/secured copy, and continue to grow in power as GPUs and other tech continues to advance. And with flaws like Meltdown and Spectre leaking the clear text password possibly via Javascript, and, yeah...

The world needs to really move on beyond passwords as any form of security. The one work environment that was all X.509 certificate based, even for SSH, was pretty nice. I'm just glad I wasn't the security person setting it up though smile
_________________________
Break the Silence, Stand Up, Join Us

Top
#370380 - 09/01/2018 23:03 Re: Ransomware recovery [Re: tfabris]
tanstaafl.
carpal tunnel

Registered: 08/07/1999
Posts: 5356
Loc: Ajijic, Mexico
Originally Posted By: tfabris
You've seen this, right?
That is exactly where I originally got the idea that a secure password doesn't have to be un-memorizable gibberish.

tanstaafl.
_________________________
"There Ain't No Such Thing As A Free Lunch"

Top
#370383 - 10/01/2018 03:28 Re: Ransomware recovery [Re: andy]
Dignan
carpal tunnel

Registered: 08/03/2000
Posts: 12021
Loc: Sterling, VA
Originally Posted By: tanstaafl.
Originally Posted By: tfabris
You've seen this, right?
That is exactly where I originally got the idea that a secure password doesn't have to be un-memorizable gibberish.

But it also shouldn't be a totally normal phrase or sentence.

Originally Posted By: andy
But the random gibberish password manager ones are very secure, if they are long. You really want 20 characters or so to plan for the future.

I always pisses me off when I generate a password that length via Lastpass, and the site comes back and says something like "passwords can only be 6-12 characters long."

SERIOUSLY?
_________________________
Matt

Top
#370387 - 10/01/2018 10:17 Re: Ransomware recovery [Re: Faolan]
tahir
pooh-bah

Registered: 27/02/2004
Posts: 1734
Loc: London
Originally Posted By: Faolan
The existence of a password constitutes an insecure one. Brute force methods have been pretty easy for a while now if one has the hashed/secured copy, and continue to grow in power as GPUs and other tech continues to advance. And with flaws like Meltdown and Spectre leaking the clear text password possibly via Javascript, and, yeah...

The world needs to really move on beyond passwords as any form of security. The one work environment that was all X.509 certificate based, even for SSH, was pretty nice. I'm just glad I wasn't the security person setting it up though smile


I agree with what you're saying, but how do you change?

I have my personal bank account, mortgage account, credit card account, plus 6 business accounts that I need to remember creds for, plus of course apple, amazon, ebay and my network login.

It's overload, and how secure is it really?

Is there a USB card/dongle based login solution?

Top
#370388 - 10/01/2018 11:57 Re: Ransomware recovery [Re: tahir]
andy
carpal tunnel

Registered: 10/06/1999
Posts: 5746
Loc: Wivenhoe, Essex, UK
Using a dongle isn't really any more secure than using a pure software based password manager. Even with something with some hardware involved, with the current system of usernames and passwords, the plain text password needs to exist and be entered in the browser at some point in the process.

Just use Lastpass or 1Password. Until the world as a whole adopts* a non password based authentication system, we are stuck with storing away big random passwords.

* people have suggested such systems in the past and people are working on some now ( https://www.grc.com/sqrl/sqrl.htm ), but it doesn't seem likely that any such system will be widely used in the near future
_________________________
Remind me to change my signature to something more interesting someday

Top
#370391 - 10/01/2018 14:05 Re: Ransomware recovery [Re: andy]
K447
addict

Registered: 29/05/2002
Posts: 673
Loc: Toronto, Ontario, Canada
Originally Posted By: andy
Using a dongle isn't really any more secure than using a pure software based password manager. Even with something with some hardware involved, with the current system of usernames and passwords, the plain text password needs to exist and be entered in the browser at some point in the process.
...
Are you including the algorithmic devices that compute a response to a server’s challenge prompt? Such as an online banking ‘calculator’ that renders a numeric response to a numeric challenge, and is time coded, one time use?


Top
#370392 - 10/01/2018 14:29 Re: Ransomware recovery [Re: tahir]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 13866
Loc: Canada
How quaint. smile I though that smart cards had replaced those things years ago -- getting rid of the need for display and keypad (and human errors) ?

Top
#370393 - 10/01/2018 14:30 Re: Ransomware recovery [Re: K447]
andy
carpal tunnel

Registered: 10/06/1999
Posts: 5746
Loc: Wivenhoe, Essex, UK
They can only really be a second factor in the login process. The problem is they can be stolen/lost.

The general rule for secure 2 factor authentication is "something you have, something you know". That HSBC device (and the devices that you insert your debit/credit card into) serves as the "something you have", you still need a password for the "something you know" side.

Devices like that protect your account (in theory*) if someone has got your password, but they can't be the only authentication factor.

* there have been plenty of cases where accounts have been protected by two factor authentication, but the account has still been hijacked because the service protected by the password provides a "call a human in a call centre and beg" fallback mechanism which can then fall victim to social engineering
_________________________
Remind me to change my signature to something more interesting someday

Top
#370394 - 10/01/2018 14:33 Re: Ransomware recovery [Re: mlord]
andy
carpal tunnel

Registered: 10/06/1999
Posts: 5746
Loc: Wivenhoe, Essex, UK
How does a smart card help you when you are sat in front of a computer trying to log into your internet banking site ? There is no smart card slot on my computers.

I have a related device for logging into my bank, which you insert your smart card into. But that has a display, keypad and the related human error...
_________________________
Remind me to change my signature to something more interesting someday

Top
#370395 - 10/01/2018 14:34 Re: Ransomware recovery [Re: tahir]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 13866
Loc: Canada
Ah, okay. Several of the computers here have smartcard slots. And those that don't could use USB-connected slots.

Cheers

Top
#370396 - 10/01/2018 14:39 Re: Ransomware recovery [Re: mlord]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 13866
Loc: Canada
Originally Posted By: mlord
Ah, okay. Several of the computers here have smartcard slots.

Mmm.. but none of the smartphones do, and I suppose that going forward those will become increasingly dominant. So any solution here probably needs to be efficient for use with such devices.

[EDIT]
BLE equipped smartcards, anyone?
Or is that pretty much the same functionality as NFC?
[/EDIT]


Edited by mlord (10/01/2018 14:40)

Top
#370397 - 10/01/2018 14:41 Re: Ransomware recovery [Re: mlord]
andy
carpal tunnel

Registered: 10/06/1999
Posts: 5746
Loc: Wivenhoe, Essex, UK
I suspect USB connected smart card reader would give the banks far more support headaches over and above just handing out these standalone readers that they currently use:

_________________________
Remind me to change my signature to something more interesting someday

Top
#370398 - 10/01/2018 14:46 Re: Ransomware recovery [Re: mlord]
andy
carpal tunnel

Registered: 10/06/1999
Posts: 5746
Loc: Wivenhoe, Essex, UK
The UK banks seem to be slowly stepping away from all of these devices.

For example you don't need one to install the NatWest banking mobile app on a new device (they use the sadly exploitable route of SMS verification).

From the app I can now do pretty much everything I can do on their online banking site. The app is protected by just a 6 digit numeric PIN.
_________________________
Remind me to change my signature to something more interesting someday

Top
#370401 - 10/01/2018 19:26 Re: Ransomware recovery [Re: andy]
Faolan
journeyman

Registered: 08/11/2017
Posts: 61
I wonder how many other US folks here are looking at the smartcard discussion in wonder. It's really a shame credit cards here stuck to magnetic stripes for so long. Seems like the usage of smartcards for payments also helped spur a lot more security advancement efforts in general. I think the only place I've seen widespread smartcard usage outside payments is the military and their chipped ID badges.

Still a shame we "upgraded" to Chip and Signature, and even though we have, my card has been swiped through a magnetic reader more then 10 times this year *sigh*. Banks have a lot of influence on the security field, for better or worse. Telecoms seem to be the other commercial part of the market pushing from time to time.

I've been hearing some interesting possibilities from newer markets that lack the legacy infrastructure and are starting fresh on mobile first solutions.

Originally Posted By: tahir
I agree with what you're saying, but how do you change?

Find ways to make changing things easier. Almost every environment I've worked in has tried something, only to see it fail later for some reason. The environments agile enough to change and try something new always had a leg up on the ones that had to throw the issue into the unpaid tech debt column.
_________________________
Break the Silence, Stand Up, Join Us

Top
#370413 - 11/01/2018 13:36 Re: Ransomware recovery [Re: tahir]
DWallach
carpal tunnel

Registered: 30/04/2000
Posts: 3714
Google has been pushing Fido U2F alongside their Advanced Protection scheme. I was a beta tester of this stuff years ago and I'm generally impressed. The ten-second summary is that the U2F gadget interacts with your browser and does some sort of public key crypto on a per-website basis, so there's no credential that one web site can get that's useful for attacking you on another website.

The banking world hasn't adopted it at all, so far as I can tell, but they really should.

Top
#370415 - 11/01/2018 15:27 Re: Ransomware recovery [Re: andy]
tahir
pooh-bah

Registered: 27/02/2004
Posts: 1734
Loc: London
Originally Posted By: andy
The general rule for secure 2 factor authentication is "something you have, something you know". That HSBC device (and the devices that you insert your debit/credit card into) serves as the "something you have", you still need a password for the "something you know" side.

Devices like that protect your account (in theory*) if someone has got your password, but they can't be the only authentication factor.


Yes, we use 3 banks and all have a combo of pwd/device

Quote:
there have been plenty of cases where accounts have been protected by two factor authentication, but the account has still been hijacked because the service protected by the password provides a "call a human in a call centre and beg" fallback mechanism which can then fall victim to social engineering


Call centre and beg has never worked for me.

Top