Is it time for a worldwide ban on Bitcoin to stop Cyber Financial Terrorism?

One of the counter-terrorism strategies is to choke a terrorist organization's money supply. This holds good not only for terrorists in Kashmir or elsewhere and for the Naxalites, but also for organized cyber criminals.

If we look at the recent developments in the growth of “Ransomware”, there is no doubt that the collection of ransom in Bitcoin has become one of the hurdles for law enforcement. Some brave people suggest that Bitcoin can also be tracked, and they are right to some extent: every transfer between addresses is recorded on the public ledger. What is not easy is to link a wallet address to a person in the anonymized world and zero in on the recipients of the ransom.

Just as Bitcoin is used to launder legacy currency, bitcoin itself is laundered to make it less and less identifiable. The recipients of ransom payments split the coins into smaller amounts, pass them through mixing (“tumbling”) services and chains of intermediate addresses, and only then convert them into legacy currency. That exchange step, where an exchange may hold identity records on its customers, is the point at which identification becomes possible.

At present the FBI believes it has the technology to track Bitcoin because it has had a few successes in the past. But in India, I am not sure if we have the forensic capability to track a Bitcoin transaction, and the same would be true of many other countries. Hence Bitcoin continues to be the currency of convenience for cyber criminals.

Now that the WannaCry storm has blown over, it is anticipated that more such ransomware attacks may come in the coming days. The reports that WannaCry emanated from North Korea are not confirmed as of now.

But it is likely that terrorists in Pakistan as well as the North Korean dictator would get the idea and will soon send out ransomware in the guise of Jaff or Uiwix or under any other name, and either use it as a weapon to destabilize the economy or to fund their nefarious activities.

Since India is one of the most affected countries, both in terms of cyber crime and cyber terrorism, we need to take the lead in running a global campaign against this “Cyber Financial Terrorism” called ransomware.

We should therefore move a world forum such as the United Nations to immediately declare Bitcoin a “Banned Possession” across the globe, without exception, and stop its circulation.

This will ensure that Bitcoin holders cannot make profitable use of their holdings, and hence it will cease to be a currency of value to criminals.

Just as in the case of “Demonetization”, a one-time offer can be given to genuine Bitcoin holders to exchange their holdings for legacy currency after they provide proof that the coins were acquired with properly accounted money.

I request Mr Arun Jaitely to take the lead in this direction. This will put an effective curb on ransomware writers and make them give up this means of extortion on the community.

I look forward to a response from Mr Arun Jaitely as well as Mr Ravi Shankar Prasad in this regard.

Naavi

ALSO READ

Anonymize Bitcoins

How we got busted…

Bitcoins are easier to track than you think

Using Bitcoins anonymously

Uiwix, yet another ransomware like WannaCry – only more dangerous

Jaff Ransomware Family Emerges In Force

Posted in Cyber Law

WannaCry and Cyber Insurance

The WannaCry ransomware seems to have hit the health sector hardest, probably because most of the systems used in that industry were unpatched or old Windows systems, and also because its employees were not as well informed about social engineering and phishing mail threats as those in the IT industry.

Just as ATMs in the banking sector run on old Windows XP systems, it is possible that an industry like health care, which depends on many pieces of equipment with computerised support systems, may be running Windows XP in the background.

We already have evidence that some ATMs in India have been hit by WannaCry, but the damage has not been felt because the closure of ATMs was something people got used to in the last few months and a few more did not matter. ATMs do not hold sensitive data themselves and hence could be easily reset.

However, when an ATM is found to have been affected, there is a suspicion that the back-end system must also have been affected. The infection cannot originate in the ATM itself, except where ATM maintenance is done with a USB stick. ATMs are mostly updated remotely over the network, and WannaCry spreads over that same network to any reachable Windows host carrying the SMB vulnerability. If therefore the local memory of the ATM has been affected, some host with a network path to the ATM, in all likelihood the back-end server, was already compromised, and the back-end server ultimately connects to the core banking server.

One reason that many Indian organizations seem to have escaped the vortex of the attack is that most of their servers could be running on Linux and not on Windows. This could be why, even when parts of a network were affected, other parts remained safe.

In the health care segment, hospitals use a large number of diagnostic machines, some of which are critical equipment supporting surgeries, and any infection of these machines would cause a “Denial of Access” situation in the hospital.

One of the doubts the health care segment is confronted with in the case of a ransomware attack is whether the attack needs to be reported as a “Data Breach” to the HHS. In the case of a Business Associate, the doubt is whether the attack has to be reported to the upstream data supplier.

In the case of a ransomware attack, it is presumed that the nature of the compromise is that “data remains where it is but gets encrypted”. Hence data does not leave the system and it is not a conventional data theft case, though this presumption holds only if the investigation confirms that no data was also copied out.

However, data may become unusable even by authorized users, and if there is a request for data from the data subject, the request cannot be met. Hence there is a disruption of activities and a breach of contractual obligations without data loss.

Hopefully data may be recovered after some time and processes may continue. However equipment needs to be re-calibrated and tested before it is back in normal use.

HHS may not impose heavy penalties, but reporting is a necessity: HHS's 2016 guidance on ransomware treats the encryption of electronic PHI by ransomware as a presumptive breach unless the entity can demonstrate a low probability that the PHI has been compromised.

Hence users of these compromised and rectified machines need first to create evidence (in India the evidence should be certified under Section 65B of the Indian Evidence Act, as explained at www.ceac.in) that they have been adversely affected by this global storm and hence their systems have been disrupted. They need to simultaneously notify their principals about the disruption, because “Denial of Service” is also a data security breach.

The attack is a confirmation that the organization is perhaps using systems that are unpatched or unpatchable and will remain vulnerable unless further action is taken. Hence a post-incident audit report has to be obtained in which the cause of the breach is determined and the necessary preventive measures are taken. In cases where the equipment is controlled by embedded systems which the hospital administration cannot modify, the equipment manufacturers need to be notified and rectification demanded on an urgent basis. Some of this equipment may be imported and quick servicing may not be easy.

I pity the IT administrators of such systems because there may be no easy solution to their problem. While the CISOs may say, keep the equipment quarantined until it is disinfected and vaccinated, business requirements may force re-induction of the equipment before a thorough check is done and the systems upgraded.

If so, they need to be alert to the possibility that a second wave of attack from a mutated variant may hit them again. To avoid any adverse impact on patients, hospitals which depend on such compromised IT systems need to reduce their dependence on IT and double-check the results produced by IT systems manually.

For those who have taken Cyber Insurance policies, it is time to check the clauses. In this incident there is no data loss, but there could be expenses involved in recovery of systems and data. The ransom payment, if any, is an illegal expense and I am not sure if Cyber Insurance companies should cover this. But I am told that some Cyber Insurance companies may cover this expenditure also, and if so, it is fine. We know that when multiple systems are affected, the decryption key has to be bought for each such machine, and hence the actual ransom may not be $300 for an organization but several times more, and may go beyond the “Minimum Loss Clause” in the insurance contract.

If however an insurance company takes the stand that the attack was facilitated by the negligence of the user in not patching its systems, or by an employee's negligence in clicking on a phishing mail attachment, it will have some justification to reject the claim. This needs to be settled on the basis of the relationship between the insurer and the insured and on whether the negligence amounted to being “Grossly Negligent” or “Below Average Negligent”. This may depend on the policies and procedures adopted and documented and the manpower training undertaken in the past. If the organization has not previously undertaken effective measures to meet such contingencies, it would amount to “Negligence of the Organization” and not “Negligence of an Employee”, and hence the Cyber Insurance claim may be rejected.

It is time for every organization to review its past actions on cyber security so that when such attacks recur in future they are better equipped.

In the meantime, we may keep our fingers crossed and wait for the after-effects of the WannaCry storm to pass over.

Naavi

Also refer:

WannaCry: After worldwide ransomware hack, governments and cyber experts brace for more attacks

Insurance companies may face the brunt of botched tech after WannaCry

Cyber insurance market expected to grow after WannaCry attack

After WannaCry, ex-NSA director defends agencies holding exploits

India third worst hit nation by ransomware Wannacry; over 40,000 computers affected 

Posted in Cyber Law

WannaCry: Is it a US Cyber War Preparation that went awry?



Today, the 15th May 2017, Indian corporates, including banks, will be switching on their computers with a prayer on their lips, hoping that they would not see the dreaded “Your files are encrypted” screen.

It is still not clear what extent of damage the ransomware could cause. The first version was stopped by its kill switch. But it is reported that a modified version which does not have the kill switch is now in circulation. The malware spreads like a worm across a network: it exploits the SMB vulnerability on unpatched Windows machines, copies itself to each one it reaches and runs its encryption code there, with no user action required. Most major anti-virus vendors claim to have included a ransomware protection tool either as part of their end-point security software or separately.

The first task for all IT users, particularly those using Windows systems, is to check that they have installed the patches provided for Windows and for the anti-virus software they are using. They should not connect their computers to the internet before this task is accomplished. In this process, it is expected that most ATMs in the country will remain shut today and create a mini cash crisis for Indian citizens running around for cash. Consequently there will be more than the normal crowd in the banks, where the servers may also run slow. We may therefore find some confusion in the financial market.

Unconfirmed reports suggest that many banks, including Syndicate Bank, Union Bank, SBI and Karnataka Bank, have been affected by the ransomware. Even HCL is reported to have been affected. I hope these reports are not true, as otherwise there would be chaos in the banking industry today which would extend to the stock markets by the afternoon.

CERT-In has announced a webcast to make companies aware of the issue, which those interested may attend. The webcast may be available at webcast.gov.in. It may be difficult to access in view of network related issues, but it is worth trying.

CCN-CERT, the Spanish national CERT, has issued a prevention tool which security professionals can check.

Amidst all the confusion it is necessary to note that one of the reports indicates that India is one of the countries with the highest number of infections.

Initially the outbreak was observed in the UK and Europe, where there is a large number of infections, particularly in the health care sector. The Indian impact may be yet to unfold. If the above report is true, then nearly 10% of the infections are in India and we will come to know the impact some time during this week.

We are concerned that the GST and UIDAI systems may also need to watch out.

The UIDAI system may not get affected, since its design may prevent infection if normal precautions are in place. But the fact that the Iranian nuclear systems, which were “air gapped” and operating hundreds of feet below ground under utmost military security, could be affected by Stuxnet means that no system is really safe as long as there are employees who are ignorant and negligent.

We may recall that Stuxnet, which was perhaps developed by the US/Israel to attack the Iranian nuclear program, also (reportedly) infected the Rare Earth Minerals facility near Mysore in Karnataka, India. Similarly WannaCry may ultimately reach the GST and UIDAI systems. GST is yet to start but some testing is on. It is good if they take special steps to secure this nationally critical information system.

What is tragic is to note that “Shadow Brokers”, the group which released the weaponized exploitation tools developed by the NSA, a couple of which (including the EternalBlue SMB exploit) were used in the creation of WannaCry, has released further exploits from the hacked NSA stable in the last few days, which may result in newer attacks.

Thus the source of all the chaos occurring in the cyber world today is the NSA. The speed with which the ransomware spread in Europe, and the fact that the US itself has not been affected as much as other countries, indicate that most probably the infections had taken place earlier than when the Shadow Brokers leaked the information, and exploitation occurred now. It is possible that the US had already infected systems in Europe and other countries as a part of its “Cyber Military Exercise”, and when the exploits were used by the criminals, the victims had no defense. It is like a military exercise for which a stockpile of weapons was kept ready and terrorists took over the stockpile and used it for their own gains. It is a replay of a typical movie plot. Unfortunately we do not have a James Bond to enter in time to destroy the terror infrastructure before the real damage is done.

The Government of India and other affected countries need to take up the issue with the UN and question US intentions. Is this in any way linked to discrediting Mr Trump? Is it linked to the change of the FBI Director in the US? These are also questions that bug our mind.

If the US wants to stockpile cyber weapons, it is its duty to secure them and not let hackers break into the stockpile and endanger other countries. The US should therefore take up a part of the liability for this cyber attack, and I request India to raise this issue in the appropriate forum.

For the time being we keep our fingers crossed and wait to see how the impact of the ransomware unfolds in India.

Naavi


Related Articles

MeitY reaches out to RBI, others against Wanna Cry ransomware

Cyber experts working round the clock to protect India from the ‘biggest ransomware’ attack

Revealed: The mysterious case of ‘Shadow Brokers’ and NHS hacking

Seriously, Beware the Shadow Brokers

U.S. Government Fears a Monday Explosion of the Ransomware Plague It Helped Create

Wannasmile… a quick tool

China and Japan wake up to the Attack…

How To Remove…Symantec


Update at 8.52 AM

The new infection map for the last 24 hours (given below) indicates that a large number of Indian computers are infected. Even the US is now getting affected, probably because we are dealing with a worm that travels across the network, and today US systems are also connected worldwide.


Posted in Cyber Law

The Day After ..WannaCry ransomware attack

The WannaCry ransomware attack across 100+ countries attracted huge media attention yesterday. It continues to be the main story in the print media today. Developments on the ransomware have been fast and furious, with security experts all over the world joining hands to find a remedy for WannaCry.

A few hours into yesterday, CERT-In joined in by sending out its advisory, but the advisory was a little too late to be of any practical help. By that time most of the anti-virus and anti-malware companies had put out their advisories, and these had been circulated by most security professionals and in discussions over social media, including on Naavi.org. Nevertheless this was one of the few occasions when CERT-In did respond with an advisory within a short time, and hopefully the trend will continue and improve in future.

One of the reasons stated for the delay is that CERT-In has to wait for secondary confirmations before an advisory is sent. But there is no use in locking the stable after the horses have bolted. Keeping in mind the nature of the organization that CERT-In is, I suggest that CERT-In should develop an “Incident Alert” which could go out as an “Intelligence Advisory” even when a security threat is not fully confirmed to the satisfaction of a Government agency like CERT-In, and then follow it up with a full-scale advisory. This will meet the needs of the market and preserve the conservative outlook on advisories to be held by the agency.

For the sake of the record, we have given below some links which provide an excellent analysis of Version 1 of the WannaCry ransomware.

This was “accidentally” halted yesterday through the activation of a “kill switch”. A security professional analysing the malware code found that, before spreading or encrypting anything, the malware tries to connect to a particular website named in the code and proceeds only if that connection fails; if the connection succeeds, the malware exits. The URL named was http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/

Out of curiosity he checked the domain and found that it was unregistered. He registered it, and that acted as a “kill switch” for the malware.

The person has admitted that when he registered the domain he was not aware that it would act as a kill switch, but since the domain looked strange he tested whether it was available and went on to register it.

The kill switch does not help devices WannaCry has already infected and encrypted. But by registering the domain and directing the traffic to it into a server environment meant to capture and hold malicious traffic (a “sinkhole”), some time has been bought for systems. Two caveats apply: the check is a direct HTTP request that ignores the system's proxy settings, so on networks where outbound HTTP only works through a proxy the kill switch never fires; and any variant built without the check is unaffected, so the sinkhole is a stopgap and not a substitute for patching.
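As an added example, not part of the original post, the Python script below turns the kill-switch behaviour described above into a triage step for a defender: a host that looked up the kill-switch domain has executed the WannaCry dropper, and whether that lookup succeeded tells you whether the kill switch could have stopped it. The log format, IP addresses and timestamps are constructed for the example (the script assumes one DNS response per line as `<timestamp> <client> <qname> <qtype> <rcode>`); only the domain name is the one named in the post.

```python
import re
from dataclasses import dataclass

# Kill-switch domain hard-coded in the WannaCry sample (named in the post above).
KILL_SWITCH_DOMAINS = {"www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"}

# Assumed log format for this example: "<ISO timestamp> <client ip> <qname> <qtype> <rcode>",
# one DNS response per line. Adapt LOG_RE to your resolver's real query/response log.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<qname>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<rcode>[A-Z]+)$"
)

# Constructed sample log (not real traffic): two hosts touched the kill-switch domain.
SAMPLE_LOG = """\
2017-05-13T09:14:02Z 10.0.1.7 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com A NOERROR
2017-05-13T09:14:05Z 10.0.1.7 updates.example.net A NOERROR
2017-05-13T09:16:41Z 10.0.2.33 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com A REFUSED
2017-05-13T09:16:43Z 10.0.2.33 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. A SERVFAIL
2017-05-13T09:20:10Z 10.0.3.9 mail.example.net MX NOERROR
this line is malformed and must be skipped, not crash the parser
""".splitlines()


@dataclass
class HostFinding:
    client: str
    first_seen: str
    lookups: int = 0
    resolved: int = 0

    @property
    def verdict(self) -> str:
        # The sample exits only when its HTTP request to the domain succeeds. If the
        # name never resolved, the kill switch could not fire and the host must be
        # treated as an active infection; if it did resolve, the host still ran the
        # dropper and needs cleaning, but was probably halted by the sinkhole.
        if self.resolved == 0:
            return "ACTIVE: kill switch did not fire, isolate host"
        return "EXECUTED: probably halted by sinkhole, verify and remediate"


def parse_line(line):
    """Return the fields of one log line, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def triage_dns_log(lines):
    """Map client IP -> HostFinding for every client that queried a kill-switch domain."""
    findings = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        qname = rec["qname"].rstrip(".").lower()  # tolerate a trailing dot from the resolver
        if qname not in KILL_SWITCH_DOMAINS:
            continue
        finding = findings.setdefault(rec["client"], HostFinding(rec["client"], rec["ts"]))
        finding.lookups += 1
        if rec["rcode"] == "NOERROR":
            finding.resolved += 1
    return findings


if __name__ == "__main__":
    for f in triage_dns_log(SAMPLE_LOG).values():
        print(f"{f.client:<12} first={f.first_seen} lookups={f.lookups} "
              f"resolved={f.resolved} -> {f.verdict}")
```

A NOERROR answer only proves the name resolved; egress filtering can still block the HTTP request itself, so hosts marked EXECUTED should be confirmed against proxy or firewall logs before they are considered halted.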

Additionally, some security specialists advised disabling SMB 1 in Windows features, which comes enabled by default. In fact, as far back as a year ago, a security specialist categorically stated (Refer here) that version 1 of the “Server Message Block” (SMB) protocol had outlived its utility and has no place in the modern world of malicious hackers. On Windows 8.1 and 10 it can be disabled by going into “Turn Windows features on or off” and unchecking “SMB 1.0/CIFS File Sharing Support”; on Windows 7 and Server 2008 R2, where it is not an optional feature, it has to be turned off through the SMB1 registry value under the LanmanServer service parameters, as documented by Microsoft, and machines that do not need to serve files should in any case block inbound TCP port 445 at the host firewall.

I am not sure if CERT-In had observed this opinion and converted it into an “Advisory”. It is this sort of advisory that would be useful to people.

In the meantime, the ego of the hackers who introduced WannaCry version 1, with a kill switch that was deciphered quickly, has been hurt, and we already have notice that a new version of the malware has been released without the kill switch.

In view of this, the need to implement the security measures, including applying the patch provided by Microsoft (bulletin MS17-010) and disabling SMB 1.0, becomes critical. Additionally, the advice to avoid clicking on phishing mails and attachments also needs to be reiterated.
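As an added example (not from the original post or from any vendor), the Python script below checks the SMB 1 part of that advice from the network side: it sends an SMB1 NEGOTIATE request offering only the old “NT LM 0.12” dialect and reports whether the host still answers in SMB1. That is the same handshake EternalBlue has to reach, so a machine that answers “smb1” on port 445 is one to patch and turn SMB 1 off on. Hosts are taken from the command line; the sample responses embedded in the script are constructed by hand to show what each outcome looks like, not captured traffic, and the header flag values are ordinary client defaults assumed for this example.

```python
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72


def netbios_frame(smb_message):
    """Wrap an SMB message in a NetBIOS session header: type 0x00 + 24-bit big-endian length."""
    return b"\x00" + len(smb_message).to_bytes(3, "big") + smb_message


def build_smb1_negotiate(dialects=(b"NT LM 0.12",)):
    """Build an SMB1 NEGOTIATE request that offers only SMB1 dialects.

    Offering no "SMB 2.xxx" dialect forces the server either to speak SMB1 or to refuse,
    which is exactly the question a defender wants answered after WannaCry.
    """
    header = SMB1_MAGIC + struct.pack(
        "<BIBHH8sHHHHH",
        SMB_COM_NEGOTIATE,  # Command
        0,                  # NT status (zero in a request)
        0x18,               # Flags: canonical path names, case-insensitive
        0xC801,             # Flags2: Unicode | NT status | extended security | long names (assumed)
        0,                  # PIDHigh
        b"\x00" * 8,        # SecurityFeatures (unused without signing)
        0,                  # Reserved
        0,                  # TID
        0xFEFF,             # PIDLow (arbitrary)
        0,                  # UID
        0,                  # MID
    )
    dialect_blob = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    body = struct.pack("<BH", 0, len(dialect_blob)) + dialect_blob  # WordCount=0, ByteCount
    return netbios_frame(header + body)


def classify_response(data):
    """Classify the raw bytes returned after our SMB1 NEGOTIATE.

    'smb1'            : server accepted an SMB1 dialect, so SMB1 is enabled
    'smb1-no-dialect' : SMB1 header but DialectIndex 0xFFFF, server refused every dialect
    'smb2'            : server answered in SMB2, SMB1 not spoken
    'none'            : connection closed with no SMB reply (typical when SMB1 is disabled)
    'unknown'         : something else entirely (not an SMB service)
    """
    if len(data) < 4 + 4:
        return "none"
    smb = data[4:]  # strip the 4-byte NetBIOS session header
    if smb.startswith(SMB2_MAGIC):
        return "smb2"
    if smb.startswith(SMB1_MAGIC):
        # NEGOTIATE response layout: 32-byte header, WordCount at 32, DialectIndex at 33.
        if len(smb) >= 35 and smb[4] == SMB_COM_NEGOTIATE:
            dialect_index = struct.unpack_from("<H", smb, 33)[0]
            return "smb1-no-dialect" if dialect_index == 0xFFFF else "smb1"
        return "smb1"
    return "unknown"


def probe_smb1(host, port=445, timeout=3.0):
    """Connect to host:port, send the SMB1 NEGOTIATE and classify what comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_smb1_negotiate())
            data = sock.recv(4096)
    except OSError as exc:  # refused, timed out, reset: report rather than guess
        return f"error: {type(exc).__name__}"
    return classify_response(data)


def fake_smb1_negotiate_response(dialect_index):
    """Constructed (not captured) SMB1 NEGOTIATE response used to illustrate classify_response."""
    smb = (SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * 27  # rest of the 32-byte header
           + bytes([17]) + struct.pack("<H", dialect_index))      # WordCount=17, DialectIndex
    return netbios_frame(smb)


SAMPLE_RESPONSES = {
    "smb1_enabled": fake_smb1_negotiate_response(0),        # accepted our first (only) dialect
    "smb1_refused": fake_smb1_negotiate_response(0xFFFF),   # SMB1 spoken but no dialect accepted
    "smb2_only": netbios_frame(SMB2_MAGIC + b"\x00" * 60),  # stub of an SMB2 NEGOTIATE response
    "closed": b"",                                          # server dropped the connection
}


if __name__ == "__main__":
    for host in sys.argv[1:]:
        print(f"{host}: {probe_smb1(host)}")
```

Run it as `python smb1probe.py 10.0.1.7 10.0.1.8` against hosts you are authorised to test; anything other than “none”, “smb2” or “error” on a Windows host means SMB 1 is still reachable there.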

Some of the protective measures that people may try are as follows:

(Kindly beware that there will be phishing and fake sites offering such solutions which may themselves infect your company. Check that you are on a genuine site before proceeding further.)

  1. CERT-In advisory from Cyber Swachhta Kendra
  2. Kaspersky System Watcher (works with Endpoint Security)
  3. Guide at PCRISK.com
  4. Malwarebytes
  5. Bitdefender solution
  6. Sophos solution
  7. TrendMicro solution

The best protection against ransomware, however, remains an off-network data backup and complete segregation of critical systems from e-mail and internet threats. Ensure that the backup is accessed and operated in a secure environment so that the backup copies are not infected or encrypted during updating or retrieval, and verify periodically that a restore from the backup actually works.
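As an added example (not from the original post), the Python below is the kind of check that makes an off-network backup trustworthy: a SHA-256 manifest is taken when the backup is written and kept with the offline copy, and before any restore the copy is compared against that manifest, so an encrypted or tampered copy shows up as modified, missing or unexpected files. As a secondary heuristic the script also looks for the two markers public analyses reported for WannaCry-encrypted files, the “.WNCRY” extension and the “WANACRY!” file header; those indicators are not from this post. The demo builds a small constructed backup set inside a temporary directory to show both a clean and a tampered copy.

```python
import hashlib
import tempfile
from pathlib import Path

# Markers reported in public analyses of WannaCry-encrypted files (not from the post):
# encrypted files are renamed with .WNCRY and begin with an 8-byte "WANACRY!" header.
WANNACRY_SUFFIX = ".WNCRY"
WANNACRY_HEADER = b"WANACRY!"


def sha256_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large backup sets need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def _files_under(root):
    root = Path(root)
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256.

    Take this when the backup is written and store it with the offline copy, ideally
    signed; a manifest left on the live host can be encrypted along with the data.
    """
    return {rel: sha256_file(p) for rel, p in sorted(_files_under(root).items())}


def looks_encrypted_by_wannacry(path):
    """Cheap indicator check: WannaCry's renamed extension or its file header."""
    path = Path(path)
    if path.suffix.upper() == WANNACRY_SUFFIX:
        return True
    with open(path, "rb") as fh:
        return fh.read(len(WANNACRY_HEADER)) == WANNACRY_HEADER


def verify_backup(root, manifest):
    """Compare the backup tree under root against the manifest taken at backup time."""
    present = _files_under(root)
    problems = {"missing": [], "modified": [], "unexpected": [], "ransomware_marker": []}
    for rel, expected in manifest.items():
        if rel not in present:
            problems["missing"].append(rel)
        elif sha256_file(present[rel]) != expected:
            problems["modified"].append(rel)
    for rel, path in present.items():
        if rel not in manifest:
            problems["unexpected"].append(rel)
        if looks_encrypted_by_wannacry(path):
            problems["ransomware_marker"].append(rel)
    return {kind: sorted(names) for kind, names in problems.items()}


def backup_is_clean(problems):
    return not any(problems.values())


def demo_scenario():
    """Build a constructed backup set, verify it, then simulate the copy being encrypted."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "docs").mkdir(parents=True)
        (backup / "docs" / "a.txt").write_bytes(b"hello")
        (backup / "b.bin").write_bytes(b"\x00\x01\x02")

        manifest = build_manifest(backup)
        before = verify_backup(backup, manifest)

        # Simulate what a mounted backup looks like after ransomware has run over it.
        (backup / "docs" / "a.txt").write_bytes(WANNACRY_HEADER + b"...ciphertext...")
        (backup / "b.bin").rename(backup / "b.bin.WNCRY")
        after = verify_backup(backup, manifest)
    return manifest, before, after


if __name__ == "__main__":
    manifest, before, after = demo_scenario()
    print("clean before:", backup_is_clean(before))
    print("clean after :", backup_is_clean(after), after)
```

The hash comparison is the check that matters, since it catches any rewrite of the data regardless of which ransomware family did it; the marker check only adds a quick explanation when the mismatch is WannaCry.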

Naavi

Related Articles

Technical Analysis

Marcus Hutchins, the hero who saved many from WannaCry

Posted in Cyber Law

Even Arnab Goswami and Republic are not asking this question

[P.S: Though the Karnan episode is not a Cyber Law related issue, in the interest of fighting for the supremacy of the Supreme Court, it has become necessary to express our opinion in the matter since there is a lobby out there to support his actions which we consider as not conducive to national interests. Please ignore these discussions if you belong to Karnan camp. Let us honourably agree to disagree…. Naavi]

According to a statement attributed to the “legal aide” of Justice Karnan, Mr Karnan may be in Nepal or Bangladesh. This was a report put out by the Hindustan Times on 11th May 2017. But on the same day another lawyer was able to meet him in Chennai, and Mr Karnan was able to give an “Affidavit” sworn before a “Notary” to file a review petition in the Supreme Court to withdraw the earlier arrest order. How? Who is lying? That is a question in my mind and probably in the minds of many.

Now we are aware that the review petition has not been accepted on an urgent basis by the Supreme Court and may have to wait for the end of the Court vacation to be taken up for consideration.

It is not clear on what grounds the Supreme Court would agree to hear a petition on behalf of a fugitive who refuses to surrender before the Court and plead his case. In the past, Courts have told such fugitives applying for anticipatory bail to first surrender, and only then will the Court admit the petition. A similar approach needs to be applied in Mr Karnan's case, unless he is considered “not a common man but a VIP” for whatever reason.

If the Court departs from this procedure, it will provide an excuse for other convicts and accused persons to stay underground until the Court relents and accepts their demands. This will create a bad precedent that the Court should avoid.

The questions which the media, including Mr Arnab Goswami and others, are not asking but which the “Nation wants to Know” are:

  1. How is it that the lawyer and the notary could meet Mr Karnan on the same day in Chennai when another legal aide (Ramesh Kumar, an advocate of Chennai) says he is in Nepal or Bangladesh?
    1. Is it a false statement made to mislead the media and the Supreme Court?
    2. Is he being sheltered in some secret location by people or organizations who also do not recognize the authority of the Indian Supreme Court?
  2. What does the legal aide mean when he says that he wants the President of India to take up Karnan's case in the International Court of Justice with a plea like that in the case of Kulbhushan Jhadav?
    1. Does Mr Ramesh Kumar mean that Mr Karnan is not getting justice from the Indian Supreme Court, just as Kulbhushan did not get justice from the Pakistani military court, and wants the International Court of Justice to intervene?
    2. Is Mr Ramesh Kumar equating the Indian Supreme Court, with its 7-member bench, to the Pakistani military court, which is completely opaque about its procedures?
    3. Is Mr Ramesh Kumar aware of the damage he is causing to the Indian democratic system by such irresponsible statements?
  3. Why is it that the Police in Kolkata allowed Mr Karnan to travel to Chennai?
    1. Were they too embarrassed to arrest the former judge?
    2. Did they also not want to cooperate with the Supreme Court?
  4. Why are the Police in Chennai unable to locate him?
    1. Are our police so incompetent?
    2. Are they also trying to prove that if the Police do not cooperate, the Supreme Court is powerless?

It appears that we are seeing a power game going on in which different actors are showing off their mutual powers and taking sides. It is unfortunate that the casualty in this process is the reputation of India as a democratic country and the Indian Judiciary as an effective pillar of our democracy.

It is interesting to note that the Police are normally very efficient in tracking down fugitive criminals in the most challenging circumstances. Hence tracking Mr Karnan is child's play for the Police. If therefore the Police are saying that they have not been able to locate him, it is only an indication that they are playing their part in the drama directed by Mr Karnan.

The point of suspicion naturally falls on the TN Government, since the Police only follow the diktats of their political bosses and, as a rule, the efficiency of the Police in any State is directly proportional to the wishes of the Home/Chief Minister.

I am aware that TN Police are very efficient and by this time they would definitely know the whereabouts of Mr Karnan. They may be waiting for directions from their Political bosses to take their next step.

We also know that Mr Karnan was once an AIADMK member and also a poll agent for the AIADMK. It is now difficult to know whether his leanings are to the EPS camp or the OPS camp. But he would definitely have his political connections in Tamil Nadu, which will go up to Mr EPS.

In this context it is interesting to note that there is a rumour floating around that the current EPS faction of AIADMK is trying to align itself with BJP. This may appear to be good for BJP for the Presidential elections but will in the long run be morally unsustainable.

The fact that Mr Karnan has contacted Mr Modi with his complaint against the corruption of 20 judges indicates that he hopes to get his support. In the normal course he could have contacted either the CJI or the Speaker of the Loksabha requesting impeachment proceedings against the accused judges. He could also have lodged a formal complaint with the CBI, as Mr Kapil Mishra did against Arvind Kejriwal.

Mr Karnan did not do any of the sensible things a prudent whistleblower does, but his supporters still consider him a whistleblower against corruption. He has not given any evidence and has just shot out a letter, now in the public domain, raising complaints against a group of 20 judges.

I however doubt very much that the PM will fall prey to the bait. Now the legal aide is trying to draw the President into the picture. Knowing the maturity of Mr Pranab Kumar Mukherjee, he is too seasoned to take the bait himself.

Hence neither the PM nor the President is likely to come to Mr Karnan’s help and now that the Supreme Court has rejected an urgent hearing of the review petition, Police are left to decide how long they will wait to arrest Mr Karnan before the public starts questioning their integrity. It is possible that they may simply sit tight until they are forced to act.

It is therefore left to the media to take up the cudgels and expose the hypocrisy of the players.

When a complaint of corruption like the one Karnan has made is against a single judge, it is a case of defamation. But when it is made collectively against 20 judges, followed by bizarre orders of arrest etc. against 7 other Supreme Court judges including the CJI, it is no longer defamation of individual judges but a collective defamation and destabilization of the Indian judiciary.

Hence the Supreme Court was left with no option but to immediately immobilize him with an arrest order, though the Police are not cooperating in the execution of this order. Even if the Supreme Court had suo motu considered the collective action as a conspiracy to destabilize Indian democracy, there would have been justification. The Court has been lenient because Mr Karnan has been part of the judicial family and is not an Aam Admi.

At this point, I would like to state that if Mr Karnan's allegations of corruption are true, there should be measures to address them. Naavi.org supports transparency in the selection of judges as well as video streaming of Court proceedings to the public, or to a section of the public acting as a “watch dog”, for which norms can be devised. But Naavi.org does not support the undermining of the Supreme Court's authority in the way Mr Karnan and his supporters are doing.

But first things first. We need to preserve the reputation of the Judiciary before we expect the same judiciary to take action against the accused.

To be honest, I think Mr Karnan's attempt is an act that destabilizes the country's democracy. Today there is news that Karnan's supporters in India are mobilizing the support of international associations of Ambedkarites, as if this is a “Dalit vs Non-Dalit issue”, as Mr Karnan wants to make it out to be.

It is for the same reason that I strongly oppose his move, which is similar to what Mr V.P. Singh did in the past with Mandal politics. Now Karnan may cause a national and international divide of Indian citizens along caste lines and destroy the fabric of harmony of India. We also note that Mr Karnan has not stopped at his Dalit card and in the past invoked Hindu vs Muslim and Christian divisions to further his cause. He can therefore be expected to use all divisive strategies so that his post-retirement political career is built up. In the end India is going to be made “Tukde”.. “Tukde”…

I want all right-thinking persons to join me in protesting against Mr Karnan and his friends who are trying to project him as a hero. Do not let the cancer of caste divide spread. Soon Modi-baiters like Arvind Kejriwal and Rahul Gandhi, along with communist leaders like Raja and TMC leaders like Mamata Bannerjee, will join the bandwagon of supporters of Mr Karnan, and just like the EVM, he will be a rallying point for the opposition to grind their axes.

If by any chance Tamil Nadu BJP gets involved and Mr Modi is even remotely identified as sympathizing with Mr Karnan's cause, this will become an explosive political issue. I request Mr Modi to take care that he remains as far away from the controversy as possible, and also request Mr Amit Shah to ensure that the BJP also keeps itself far away from the controversy. This is a lose-lose situation and both sides that involve themselves in the controversy will be losers in the end.

It is possible that Naavi.org will also face the wrath of at least the trolls on the internet and social media, but when even Arnab Goswami remains tight-lipped there is a need for somebody to step in, unmindful of the risks and embarrassment.

We believe that what the nation stands to gain is much more than what we may lose in the process of expressing our opposition to Mr Karnan's antics.

The silent majority which allows the vocal minority to create a wrong public perception needs to wake up and support this cause. We welcome your support with comments.

Naavi


Also Read:

Justice Karnan maybe in Nepal or Bangladesh, we want President to appeal to ICJ: Legal aide

Posted in Cyber Law

The WannaCry Ransomware attack: CISOs, Action Required: Notify Management of the Risks.

A ransomware attack which crippled many hospitals in the UK is now creating waves of alarm by spreading into other countries. According to one researcher, more than 45,000 attacks have already been flagged in 74 countries as having been caused by a ransomware by the name WannaCry or WCry.

The ransom demand is reported to begin at around $300, to be paid in Bitcoin. In a related development the Bitcoin exchange rate spiked to US $1850 on May 12 and is presently hovering around US $1650. The ransom note says that the ransom will double if not paid within 3 days and that the encrypted files will become unrecoverable after a week.

Though no large-scale infection has yet been reported from India, the infection map indicates that India has also been affected. The map shows infected computers that attempted to communicate with the server between 11 a.m. and 6 p.m. Eastern time on Friday, according to the NY Times.

It is stated by experts that the ransomware exploits a vulnerability which was identified and used by the National Security Agency (NSA) of the USA to infect users’ computers as a part of its intelligence activities. Recently, in April, a bunch of such Cyber Tools used by the NSA were leaked by the underworld, and one of them has now been exploited.

It appears that the exploit has hurt companies which have not applied one of the latest Windows patches. Also, some anti-virus companies are claiming that they already have the exploit covered in their products, and hence the lack of adequate security measures by the users may be one of the main reasons why the attack has succeeded on the current scale.

According to Kaspersky, “It’s important to understand that while unpatched Windows computers exposing their SMB services can be remotely attacked with the “EternalBlue” exploit and infected by the WannaCry ransomware, the lack of existence of this vulnerability doesn’t really prevent the ransomware component from working. Nevertheless, the presence of this vulnerability appears to be the most significant factor that caused the outbreak.”

Naavi.org had warned IT users that Ransomware attacks are nothing but “Cyber Terrorism” and that we need to guard against such attacks through various means, including keeping an “Off-Network Backup”. Kaspersky advocates the use of its “System Watcher Component”, and other prominent malware detection products have also suggested added security features to be subscribed to.

It is essential for all IT users to explore the feasibility of protecting their computers and the data through appropriate measures suitable to them.

Issues Raised By this Incident

The incident raises at least two main ethical issues that society needs to address. The first is that if the NSA was aware of this vulnerability for some time, should it not have disclosed it and helped safeguard society rather than keeping it to itself as a tool to watch terrorists? It is like a security agency having intelligence of a bomb attack but keeping the information to itself until the citizens suffer from the execution of the attack, while the agency was only trying to gather more information from its informers.

The attacks have now affected hospitals and must have caused even the death of individual citizens. It has caused economic loss which is not limited to the US$300 per infection (estimated total US$30 million, or Rs 210 crore) but also includes the follow-up costs.

Should this have been prevented by the NSA getting the vulnerability patched? Did they do it selectively for critical sectors? Did they share the information with the security agencies of other countries? These are questions which will never be answered. The NSA may, however, defend its position that in the larger interest of the need to watch terrorist actions, such as what happens in Syria or Pakistan, it is necessary to hold available Cyber tools as secret weapons to be used by the State only. Unfortunately the tools were not secured and were therefore used by criminals. This is a typical scenario, like terrorists of ISIS getting hold of Pakistani nuclear weapons and causing damage to others.

The second ethical issue is whether the victims should pay the ransom, and use Bitcoins to do so, thereby emboldening the attackers further and legitimizing Bitcoin as a currency.

It is difficult to preach to the victim, who may have only the short-term selfish interest of recovering his data for $300 rather than spending more subsequently.

But we understand that some Cyber Insurance companies are paying claims for such ransom payments, which in our opinion is both unethical and illegal. A Cyber Insurance claim, even if higher than $300, should be paid for recovery of the data without paying the ransom, and not for paying the ransom.

I urge all Cyber Insurance companies not to encourage payment of the ransom in preference to the higher data recovery cost, in the long-term interest of society. Of course, they should encourage their insurance customers to adopt better security preparedness, not only by using the available prevention tools but also through an effective disaster recovery mechanism and the application of patches.

Also, after April 14, 2017, when the hackers are reported to have published a suite of NSA exploits, it is interesting to know if any Cyber Insurance company advised its customers about the possible risks ahead. This alert generation is normally the role of a CERT. But I expect Cyber Insurance companies to be CERTs in their own interest.

I would also like to know what action CERT-In took after April 14, when the NSA exploits became available, and now after May 12, when the UK attacks became public.

Other regulatory agencies like RBI should also start sending their own advisories to their subordinate stakeholders.

Action To Be Taken

In the meantime, it is the duty of every IT user, big and small, and more importantly of the critical sectors like hospitals, banks and Government, to review their security measures today.

I expect all listed companies who are stakeholders to report to SEBI if they are holding an emergency Board meeting today to assess their security positions. If not, SEBI should itself advise the companies to disclose their vulnerabilities and the action taken in the context of the knowledge of this Cyber attack now available.

The compliance requirements under different laws require that when knowledge of a risk becomes available, appropriate remedial action needs to be initiated. So all CISOs need to wake up and work overtime this weekend to ensure that the threat perceptions are updated for their management to take immediate action. Even if the management does not ask, CISOs should shoot out an e-mail to the Board members to hear out an assessment presentation and take remedial action.

If necessary, simply forward the copy of this article to your CEO since bringing the risk to their knowledge is part of the “Due Diligence” of the CISO.

Naavi


Related Articles:

In Naavi.org: Start a War on Ransomware. It is Cyber Terrorism

Hackers Hit Dozens of Countries Exploiting Stolen N.S.A. Tool

Alarm grows over global ransomware attacks

WannaCry ransomware used in widespread attacks all over the world

NHS left reeling by cyber-attack: ‘We are literally unable to do any x-rays’


UPDATE: 13th May 2017: 12.45

In an interesting development, one security researcher has found and executed a kill switch that seems to have stopped the spread of the WannaCry ransomware. He found a hard-coded check indicating that the ransomware would stop if a random-looking domain name named therein became live. It is presumed that the code writer wanted to hold the power to stop the ransomware and had introduced this kill switch. This was identified by the security researcher, who checked the domain name and found that it was available for registration. He registered the domain name and the ransomware died.

See the report here: ‘Accidental hero’ finds kill switch to stop spread of ransomware cyber-attack

We wish all cases of malware were solved so quickly. We must, however, congratulate the person responsible for killing the ransomware. May his tribe increase!


Update: 13th May 2017: 14.52

In a tweet, the person who identified the kill switch says that he was not aware that the registration of the domain would act as a kill switch. It was therefore an accidental discovery.

This is interesting to note because if the domain name was present in the hard-coded check and was found to have been registered in the name of the security expert, he could have been connected with the writing of the ransomware code. He had unknowingly created incriminating evidence against himself. It was fortunate that it turned out to be a blessing in disguise.
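As an added illustration of the gate described in the two updates above (this is not code from the original post, from the researcher concerned or from the malware), the Python below models the check from a defender's side and triages constructed DNS log lines for hosts that looked the domain up; the domain name, log format and client addresses are placeholders I made up, since the post does not give the real ones.

```python
"""Kill-switch gate of the kind described above, modelled for defenders."""
import socket
from typing import Callable, Dict, Optional

# Placeholder name: the page does not give the real WannaCry domain.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.invalid"

def _live_resolver(name: str) -> bool:
    """Real DNS lookup, used only when no resolver is injected."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False

def kill_switch_halts(resolve: Optional[Callable[[str], bool]] = None) -> bool:
    """True when the gate domain resolves from this host, i.e. a sample using
    this gate would stop itself here. Registering the domain helps only hosts
    that can resolve it: behind a proxy or DNS filter that swallows the lookup
    the gate stays shut and the sample carries on, so do not block the name."""
    resolve = resolve or _live_resolver
    return resolve(KILL_SWITCH_DOMAIN)

# Constructed DNS query log, one "timestamp client qname rcode" per line.
SAMPLE_DNS_LOG = """\
2017-05-12T15:01:02Z 10.0.4.17 www.example.com NOERROR
2017-05-12T15:01:05Z 10.0.4.23 killswitch-placeholder.invalid NXDOMAIN
2017-05-12T15:01:09Z 10.0.4.17 killswitch-placeholder.invalid NOERROR
2017-05-12T15:02:11Z 10.0.7.2 mail.example.com NOERROR
2017-05-12T15:02:40Z 10.0.4.23 killswitch-placeholder.invalid NXDOMAIN
"""

def triage_dns_log(log_text: str) -> Dict[str, str]:
    """Any lookup of the gate domain means the sample ran on that client; the
    answer says what happened next: NOERROR => it halted, anything else => it
    did not, so that host is isolated first. Latest lookup per client wins."""
    verdicts: Dict[str, str] = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qname, rcode = parts
        if qname.lower() == KILL_SWITCH_DOMAIN:
            verdicts[client] = "halted" if rcode == "NOERROR" else "still active"
    return verdicts
```

Either verdict is a finding: a host that never ran the sample has no reason to query that name at all.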

CERT-In now issues an alert

It appears that CERT-In has now issued an advisory which is a replica of what Kaspersky and others have given. Hopefully next time CERT-In will be quicker. RBI and SEBI also need to issue advisories of their own or link to CERT-In.

