Puppy Linux Discussion Forum
Ransomware dangers increasing
Page 2 of 2 [27 Posts]
musher0


Joined: 04 Jan 2009
Posts: 10987
Location: Gatineau (Qc), Canada

PostPosted: Fri 14 Apr 2017, 01:10    Post subject:  

Hello again, guys.

This keeps bugging me about the safety of systems.

Greengeek, I don't suppose you recall the type of language used to penetrate
your system. I'm thinking css, since you mentioned the gateway appeared to
be the browser, but I'm probably wrong. (I know nothing about css, BTW.)

We wouldn't have to do complex back-ups if we had a good "bouncer". Yeah,
like in bars! Some drunk kiddo comes in to make trouble, back out he goes!
Or he's put in a padded room until the cops arrive. You get the analogy, I'm
sure.

gcmartin I think had found a program like that perhaps 2 years ago. Except I
didn't have the knowledge to use it properly. (I probably still don't!)

When it discovered an unwanted URL on your system, it turned the tables on
the originator, and started sending fairy tales to that URL.

That would be like switching from defensive to retaliation.

Other safety measures discussed in earlier threads: (jogging my memory!)
Using "700" permissions (or "user only") on all possible files. An outsider can't
change a file he doesn't see.

Manual probing of unwanted connections with < lsof -i -r x > (an x-second
interval).

User jafadmin had a trick for locking files or something like it? (Not fresh in my
memory, have to look it up again.)

If you have any other interesting safety knowledge, please contribute. TIA.

BFN.

_________________
musher0
~~~~~~~~~~
"Logical entities must not be multiplied beyond necessity." | |
« Il ne faut pas multiplier les entités logiques sans nécessité. » (Ockham)
greengeek


Joined: 20 Jul 2010
Posts: 4662
Location: Republic of Novo Zelande

PostPosted: Fri 14 Apr 2017, 03:26    Post subject:  

musher0 wrote:
I don't suppose you recall the type of language used to penetrate your system. I'm thinking css, since you mentioned the gateway appeared to be the browser, but I'm probably wrong. (I know nothing about css, BTW.)

As I recall there was a large dialog box (something like a yafsplash notification) in the middle of the screen and I was unable to move the mouse or get any response from the keyboard. I really don't know what code/language was driving the dialog.

The dialog advised me that all of my files were in the process of encryption and I would have to contact a specific website to obtain the unlock key and it would only be provided upon payment of a certain ransom.

The inability to regain control of my system sent me into a panic and pulling the power was the only option.

My gut feeling was that if they had a technique to lock me out then they could equally have a method to access my system and potentially even be able to run kernel commands (mount, etc) and do real damage.

Of course it may be that their code could only run on Windows - but in any case it was a nasty feeling that their code locked me out (or maybe some browser issue locked me out because their bad non-Linux code was enough to put the browser into a tail spin...)

The one good thing that came out of it was that I had confidence that dropping power on my system would not corrupt my puppy - for the reasons that rufwoof and others have often stated - that personal sfs files are more sturdy than savefiles.
greengeek


Joined: 20 Jul 2010
Posts: 4662
Location: Republic of Novo Zelande

PostPosted: Fri 14 Apr 2017, 03:39    Post subject:  

rufwoof wrote:
I've been experimenting some more with a documents layered filesystem arrangement that could add some additional protections against ransomware ...

I wonder if it would be possible to have a puppy set up so all the system files are effectively readonly (the usual personal sfs style...) but any documents/pics/personal files etc were locked up in a layer protected by "Spot" user or else by your own form of encryption lock, or else mounted as readonly but with some form of "write lock" which allows you to modify the files only when you enter a personal password or similar.

Like a sandbox layer for personal stuff (switchable readonly / writable)
greengeek


Joined: 20 Jul 2010
Posts: 4662
Location: Republic of Novo Zelande

PostPosted: Fri 14 Apr 2017, 05:57    Post subject:  

Sailor Enceladus wrote:
I'm curious, what is changed in your Slacko 5.6 derivative, and is it available for download anywhere?

I used a technique I learnt from forum member jrb - you can change the initrd.gz "DISTRO SPECS" file in such a way that it swaps the main puppy sfs and a "personal sfs" (being used as a zdrv).

This allows your personal changes (captured in an sfs) to override the basic "main" puppy sfs. It also makes your puppy read only so that your personalisations are not kept in a read/write savefile - they are encapsulated in a readonly sfs so that every boot is pristine - exactly as you set it up originally - despite what may have happened in the previous session.

This makes it robust so that you can fiddle to your heart's content - try whatever software you want - and it will not adversely affect your puppy. Even if you did catch malware from a bad website it will not be retained or hang around to do any damage next time you boot.

I have just uploaded my latest variant which is quite big at 459MB as it incorporates LibreCad, LibreOffice, Firefox, Google Chrome and various other tidbits that make it just right as my complete daily puppy.

You just boot the generic version, add whatever personalisations you want, then click the "impersonator" icon and it will burn you a new iso to CD, DVD or will build you a new personal sfs for use in a frugal installation.

If you want to try it see second half of this post here:
http://www.murga-linux.com/puppy/viewtopic.php?p=813675#813675
rufwoof

Joined: 24 Feb 2014
Posts: 2148

PostPosted: Fri 14 Apr 2017, 06:54    Post subject:  

musher0 wrote:
Interesting approach. Although implementing it sounds like a lot of time and trouble.

I still think archiving the pupsave with a quick archiver such as lzop or lz4
is a simpler way.

Once you have a system set up the way you like it you might not be running with a save at all i.e. a remastered puppy configured exactly how you like it booted each time, no saves performed, all data/docs being stored outside of puppy. Using the aufs layering of those docs could then be useful. Basically instead of the actual docs folders/directories you use a sfs of those docs and mounted the way I described (couple of lines in startup) all changes are recorded in the changes folder, not to the actual files. A good thing is that the changes are being recorded/preserved instantly without having to run a save.

Quite simple/easy to implement and once established just a matter of something like
mount -o ro,loop docs1.sfs mountpoint
mount -t aufs -o br:changes-dir=rw,br:1=ro none aufs-dir
being included in the startup

Can become complex depending upon how you want to manage the layered docs files. Docs/data files are used to create a docs.sfs which when mounted as described has a changes-docs folder containing all changes to those docs ... how do you manage that once changes-docs (in effect a docs save file) becomes large. Do you 'remaster' it into a new docs.sfs (leaving an empty changes-doc 'save folder'). Or perhaps just manually copy changed files across to the master docs/data folders/files and recreate a new docs.sfs from that ... Or what. The manual copy seems a nice choice as you're in effect manually validating each and every changed file before putting it into the 'safe' (main docs/data files/folders that is/was used to create docs.sfs). You could make things as complicated as you liked, for instance have multiple layers of changes.sfs ... one for each day perhaps so that you could roll back to historic snapshots of data/docs.

For example in my case I use a pure-debian (main repository only) choice to create a frugal installation. So create that from fresh, set it all up as you like and then lock that down as a read only (remastered like) version that is booted the exact same every time (read only, no saves). Only remastering that to perhaps apply updates periodically. If that were lost/corrupted by a virus/whatever ... no big deal, just means having to install from fresh (debian repositories) again. For more valuable data (birth/wedding photos etc.), instead of working on that data itself you'd be running using copies of those data, along with a changes folder of any additions/changes. Ideally with the originals locked away in a physical safe, out of harm's way. Comprised of a data.sfs (sfs read only copy of the data files) and changes-dir ... running in the background, and an aufs-dir that you use to access those data/docs i.e. perhaps sym linked into your home directory/folder (likely with a better name such as MyDocs or whatever), where all changes are recorded instantly without having to perform a save.
Moose On The Loose


Joined: 24 Feb 2011
Posts: 773

PostPosted: Fri 14 Apr 2017, 15:48    Post subject:  

A few thoughts:

1) A machine in virtual box can be backed up easily by the host.

2) The encryption is usually done by a Windows virus.

3) Anything you store "on the cloud" can be lost if you get the virus, the hosting outfit gets the virus or if someone else with access to your cloud account gets the virus. This includes Putin and the NSA.

4) I don't think "fly paper" will work well on these criminals because they are not actually after your data.

5) Spain just arrested a major internet criminal at the FBI's request. One scammer down, only about 7 Zillion more to go. It may, however, make the criminals want not to get noticed for a while.

6) If your data is in some company's proprietary format that only their software can work with, you are a victim of ransomware already. You have to pay them to use their software or your data is not accessible.
musher0


Joined: 04 Jan 2009
Posts: 10987
Location: Gatineau (Qc), Canada

PostPosted: Fri 14 Apr 2017, 17:00    Post subject:  

Moose On The Loose wrote:
A few thoughts:(...)
3) Anything you store "on the cloud" can be lost if you get the virus, the
hosting outfit gets the virus or if someone else with access to your cloud
account gets the virus. This includes Putin and the NSA(...)

Hi, Moose On The Loose.

Hmm... I think you forgot to add an Laughing to that one!

Here's an idea inspired by your #3 :

Laughing We deliberately store something with a ransomware virus in The
Cloud. We tell the NSA or the CCSE (Canadian Communications Security
Establishment; Canadian equivalent of NSA) or whatever your national
electronics spying agency is to come and get it. And we give them the
key only when they pay up! Laughing

(Nah. That's wishful thinking! But it's a fun thought!)

BFN.

~~~~~~~~~
Note to Sergeant Preston of the RCMP, Yukon Division:
In case you didn't get it, the above is a joke ! Very Happy

_________________
musher0
~~~~~~~~~~
"Logical entities must not be multiplied beyond necessity." | |
« Il ne faut pas multiplier les entités logiques sans nécessité. » (Ockham)
rufwoof

Joined: 24 Feb 2014
Posts: 2148

PostPosted: Fri 14 Apr 2017, 18:31    Post subject:  

I have that aufs overlaid docs system up and running now. Appears to be working well. I've also dropped evolution into that (mail, calendar, events, memos ...etc).

One downside is if you apply a change to all files command, such as chgrp user * ... as all files in the docs.sfs are then replicated into the changes folder ... which can take a while if your docs folder content is large. But for more common usage - single files at a time - it works fine.

The code I have in a script that runs at startup is ...
Code:
# if frugally booted then aufs mount our docs sfs
# (the DOCS-aufs folder only exists on the frugal install, so this is a no-op elsewhere)
if [ -d /lib/live/mount/persistence/sda1/live/DOCS-aufs ]; then
  cd /lib/live/mount/persistence/sda1/live/DOCS-aufs
  mkdir -p docssfsmntpoint   # read-only branch: the loop-mounted docs.sfs
  mkdir -p doc-changes       # writable branch: every change lands here, never in docs.sfs
  mkdir -p DOCS-LAYERED      # the union view that is actually worked in
  mount -o ro,loop docs.sfs docssfsmntpoint
  mount -t aufs -o br:doc-changes=rw,br:docssfsmntpoint=ro none DOCS-LAYERED
fi

and where I have DOCS-LAYERED sym linked into my HOME folder (and where evolution folder is a sym link into a folder within that).

As the main filesystem is compressed (SFS) and now most of the doc files are also compressed (docs.sfs), makes using mksquashfs backups a lot quicker as you can use no compression (mksquashfs /mnt/sda1 backupxxx.sfs -noX -noI -noD -noF) that runs through in around a minute in my case to backup or restore (unsquashfs -f -d /mnt/sda1 backupxxx.sfs)
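The part rufwoof leaves open in the earlier post is what to do once doc-changes fills up: the "manual copy" option of validating each changed file before it goes back into the master docs folder that docs.sfs is rebuilt from. The script below is an added example and is not rufwoof's code or anything from the Puppy project. It takes the master folder and the rw branch (doc-changes above) as arguments (the paths are hypothetical), lists every pending change, flags the two patterns a ransomware run leaves in a changes layer (a large number of files modified or deleted at once, and deleted files reappearing under their old name plus a new suffix), and then merges only the entries a reviewer has approved. The one aufs fact it relies on is that a file deleted or renamed away in the read-only branch shows up in the writable branch as a whiteout named ".wh.<name>", while aufs's own bookkeeping files start with ".wh..wh." and are skipped.

```sh
#!/bin/sh
# Added example, not rufwoof's script. Review an aufs changes branch against the
# pristine folder docs.sfs was built from, then merge only approved changes.
# $master = folder used to build docs.sfs; $changes = the rw branch (doc-changes).
# Both paths are hypothetical and passed in by the caller.

# Print one line per pending change: "NEW path", "MOD path" or "DEL path".
# aufs records a deletion in the ro branch as a ".wh.<name>" file in the rw branch.
review_changes() {
    master=$1; changes=$2
    ( cd "$changes" && find . -type f ! -name '.wh..wh.*' ) | sed 's|^\./||' | sort |
    while IFS= read -r rel; do
        base=${rel##*/}
        dir=${rel%"$base"}
        case $base in
            .wh.*) echo "DEL ${dir}${base#.wh.}" ;;
            *)     if [ -e "$master/$rel" ]; then echo "MOD $rel"; else echo "NEW $rel"; fi ;;
        esac
    done
}

# Count deleted files that reappear under the old name plus a new suffix
# (a.txt deleted, a.txt.locked new): the footprint of a bulk encrypt-and-rename.
suspicious_renames() {
    awk '$1 == "DEL" { del[$2] = 1 }
         $1 == "NEW" { new[$2] = 1 }
         END { n = 0
               for (f in new) for (d in del)
                   if (index(f, d) == 1 && length(f) > length(d)) n++
               print n }' "$1"
}

# "routine" when few files were touched and nothing looks renamed in bulk,
# otherwise "inspect": look at the report by hand before merging anything.
verdict() {
    report=$1; limit=${2:-50}
    touched=$(grep -c -E '^(MOD|DEL) ' "$report" || true)
    if [ "$touched" -gt "$limit" ] || [ "$(suspicious_renames "$report")" -gt 0 ]; then
        echo inspect
    else
        echo routine
    fi
}

# Apply only the report lines the reviewer saved in $approved; everything else
# stays in the changes branch untouched, so the decision is made file by file.
merge_approved() {
    master=$1; changes=$2; approved=$3
    while read -r kind rel; do
        case $kind in
            NEW|MOD) mkdir -p "$master/$(dirname "$rel")"
                     cp -p "$changes/$rel" "$master/$rel" ;;
            DEL)     rm -f "$master/$rel" ;;
        esac
    done < "$approved"
}

# Rebuild docs.sfs from the validated master copy (needs mksquashfs installed).
rebuild_docs_sfs() {
    command -v mksquashfs >/dev/null 2>&1 || { echo "mksquashfs not found" >&2; return 1; }
    mksquashfs "$1" "$2" -noappend
}
```

Typical use is review_changes master doc-changes > report, read the report (and the verdict), keep the lines you accept in an approved file, run merge_approved, then rebuild_docs_sfs master docs.sfs and start again with an empty doc-changes. A rename-heavy or unusually large report is the moment to stop and check the union view, since the pristine copy under docs.sfs and the master folder are still intact at that point.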
Moose On The Loose


Joined: 24 Feb 2011
Posts: 773

PostPosted: Sun 16 Apr 2017, 13:10    Post subject:  

musher0 wrote:
Moose On The Loose wrote:
A few thoughts:(...)
3) Anything you store "on the cloud" can be lost if you get the virus, the
hosting outfit gets the virus or if someone else with access to your cloud
account gets the virus. This includes Putin and the NSA(...)

Hi, Moose On The Loose.

Hmm... I think you forgot to add an Laughing to that one!



I always figure that a joke that needs to be pointed out isn't funny enough.

I have heard of companies only discovering that they can't restore from the backups they have been faithfully making after the data is lost. A file server based on a layered file system could be made so that the backup is always there as a read only. This would make it a lot harder for the ransom virus to destroy the data. I worry more about lost data than stolen data on most things. There is some data that I worry a lot about the theft of but that isn't on this computer.

Quote:
Here's an idea inspired by your #3 :

Laughing We deliberately store something with a ransomware virus in The
Cloud. We tell the NSA or the CCSE (Canadian Communications Security
Establishment; Canadian equivalent of NSA) or whatever your national
electronics spying agency is to come and get it. And we give them the
key only when they pay up! Laughing

(Nah. That's wishful thinking! But it's a fun thought!)

Your idea may actually work if instead of telling the NSA to come get it, you commented that there was no way the NSA would ever get that data in some public places.
purple379

Joined: 04 Oct 2014
Posts: 69

PostPosted: Sat 22 Apr 2017, 15:31    Post subject: If you get Ransom ware  

If you get RansomWare, my first comment is not to throw away, or format over, the drive.

My reasoning being that some companies have found ways to decrypt some of these RansomWare encrypted drives for Windows, like Eset has a number of programs for older Ransom encrypted models.

Even if those who do RansomWare have a new encryption model, likely in the near future you may be able to get a free decryption program.

From what I have read about RansomWare, it can expand to other drives, cloud, backups on a system. Treat the infected drive like it has Ebola.

BackUp software tends to fail when you really need it. Which is no excuse for not trying to back up, but think about how you are doing the backup, and the consequences of how a hiccup might make it impossible to do a back up.

I would prefer to do complete clones of things I want to keep, but that is too expensive. Never trust the helpful back up programs supplied by - say computer manufacturers (OK, that was Windows.) One never is told the consequences of one option over another option. Just you found it did not work when you needed it.
greengeek


Joined: 20 Jul 2010
Posts: 4662
Location: Republic of Novo Zelande

PostPosted: Wed 26 Apr 2017, 03:59    Post subject:  

Here is another article about a specific variant of ransomware which seems to be wrapped in both Word format and PDF format:
https://nakedsecurity.sophos.com/2017/04/24/ransomware-hidden-inside-a-word-document-thats-hidden-inside-a-pdf
d4p


Joined: 12 Mar 2007
Posts: 426

PostPosted: Thu 27 Apr 2017, 22:39    Post subject:  

DECRYPTION TOOLS:
https://www.nomoreransom.org/decryption-tools.html

“1980s-mode.”
https://nakedsecurity.sophos.com/2016/04/04/new-ransomware-with-an-old-trick-petya-parties-like-its-1989/