Tuesday, 29 March 2016

Early detection of CryptoLocker

In one of our previous posts we explained how to set up Software Restriction Policies - settings designed to stop unwanted software (such as CryptoLocker) from running. While extremely effective, they are not a one-stop solution, and they are not compatible with some poorly-written vendor software. Malware such as CryptoLocker can also get a foothold another way - via software exploits in programs such as Flash Player and Java.

It's at this point that defense in depth becomes more compelling. Some document management systems leave their underlying file stores completely open to users, so the infection of one person has the potential to encrypt the entire store. So what else can we do, besides waiting until someone notices that they can't open any documents and your document management store of thousands of files has been encrypted?

When a CryptoLocker-style program runs, it (generally) encrypts the files, and then drops another file that contains instructions on how the user can pay the ransom and obtain the decryption key. So if we keep a watch for those 'helpful' files, we can spot when an infection occurs, and respond to it before it spreads too far.

Windows Server 2008 R2 and newer have a feature that can detect when files matching certain criteria are accessed and notify us. If we tell it that we want to know when the helpful ransom information files appear, then we can detect, and hopefully terminate, an active CryptoLocker infection.

All that is required to set this up is Windows Server 2008 R2 (or newer) with the File Server Resource Manager (FSRM) role service installed. A great guide to setting this up can be found here:

If you are using Windows Server 2012 R2, we have uploaded a PowerShell command to assist in creating the file group; however, you may want to check the link above to see whether any additions or changes need to be made.
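The following is an added illustration of the approach described above, not the command uploaded with this post: it uses the FSRM cmdlets that ship with Windows Server 2012 R2 to build the file group of ransom-note names, attach an event-log notification, and apply a passive file screen to a share root. The share path (D:\Shares), the group name, and the file-name patterns are assumptions to adjust for your environment.

```powershell
# Added example (not the post's own uploaded command). Assumes Windows Server 2012 R2
# with the FSRM role service installed and a share root of D:\Shares; adjust both.
# The ransom-note patterns below are illustrative; keep them current from your own
# threat intelligence and test them against legitimate file names first.
$ShareRoot = 'D:\Shares'
$GroupName = 'Ransomware Notes'

# 1. Confirm the role service is present (Windows feature name: FS-Resource-Manager).
if (-not (Get-WindowsFeature -Name FS-Resource-Manager).Installed) {
    throw 'File Server Resource Manager is not installed on this server.'
}

# 2. Create (or refresh) the file group of "helpful" ransom-note file names.
$Patterns = @('DECRYPT_INSTRUCTION*', 'HELP_DECRYPT*', '*HOW_TO_DECRYPT*')
if (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns
} else {
    New-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns `
        -Description 'File names dropped by CryptoLocker-style ransomware'
}

# 3. Notification: write a Warning to the Application event log naming the user
#    and the file so a SIEM or alert rule can pick it up. [Source Io Owner],
#    [Source File Path], [File Screen Path] and [Server] are FSRM's own
#    substitution variables for file screen notifications.
$EventAction = New-FsrmAction -Type Event -EventType Warning -Body (
    'Possible ransomware activity: [Source Io Owner] created [Source File Path] ' +
    'under [File Screen Path] on [Server]. Isolate that user''s workstation.')

# 4. Passive screen (-Active:$false): log the match but do not block the write,
#    so a false positive cannot itself disrupt users. Switch to -Active to block.
New-FsrmFileScreen -Path $ShareRoot -IncludeGroup $GroupName -Active:$false `
    -Notification $EventAction -Description 'Monitor for ransom-note files'
```

The user named in the resulting event is the account whose session wrote the note, which is the workstation to disconnect from the network first.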

Friday, 11 March 2016

Cloud Computing - 50 Years Young?

With the passing of Ray Tomlinson - credited with inventing e-mail in its current form using the "@" symbol - there have been many articles published covering the history of e-mail. I won't try a re-write when, using the power of hyperlinks, I can link to a good one:

Rather, I was reminded that my family had a very small part in the very early days. When, in the mid 1960s, it became apparent that either a "time-share" terminal (i.e. a terminal remotely connected to one computer) or a file transfer between two remote computers was really all that was needed for a viable messaging system, the British Post Office decided to intervene.

It is hard to imagine today the importance of the Post Office in the days before e-mail and mobile phones. In those pre-British Telecom times, the Post Office had a monopoly in both telephone and letter communications. My father*, as a director of GE Information Services UK (part of General Electric), was summoned to a meeting with the Postmaster General, then a cabinet position, held by one Anthony Wedgwood Benn**. During the meeting the issue of the Post Office's monopoly was raised, but no action was taken (I can't see, even looking back from today, what could have been done to stop messages being sent in this way). GE were involved in a "time-share" joint venture with MIT and were, as I described above, using terminals to send "messages" across the Atlantic.

Where does the "Cloud" come into this? Well, what is "time-sharing" if not shared access to a centralised computer? Cloud computing by another name. What's new about it?

* It wasn't a case of following in father's footsteps by working in ICT. Dennis has done a lot of things in his life and was pretty much finished with time-share by the time I came along.
** Tony Benn, who died in 2014, was for a long time one of the most well-known politicians in the UK. Apparently, after the meeting he invited the GE visitors to attend a Post Office children's prize-giving, where he sat on the edge of the stage and spoke eloquently without notes, and seemingly without preparation, for 20 minutes to a group of children.