Ransomware

My wife and I recently took a vacation in Nevada so we could hike trails in parks surrounding Las Vegas.  To get a sense of what we did on vacation you can check out the pictures on my hiking blog by clicking here (I lined up the post dates to be the date when we visited each park).  This article is not about the fun we had on our vacation.  This is about a ransomware attack that occurred while I was on vacation.

I’m a software engineer.  That means that I know how to hack a computer and I also know how to protect myself from hackers.  But I’m not immune to making mistakes.  The mistake I made was that I have passwords that I haven’t changed in forever.  Like all large companies, Apple had been hacked about a year ago and their entire database of passwords was obtained and distributed throughout the hacking community (yeah, “community”, that’s what they are).  The Apple hack involved their cloud service, which I didn’t pay much attention to, because I don’t use their cloud storage.  What I didn’t pay attention to was that their cloud services play a part in some of the iPhone and iPad security.

If you clicked the link above and started looking through my pictures, you’ll notice that the first place we visited was Death Valley.  I discovered that it was supposed to be a record 120 degrees that day and I wanted to know what it would feel like to stand outside in 120-degree weather!  Yeah, I’m crazy like that.  As it turned out it got up to 123 degrees according to the thermometer built into the Jeep that we rented.  Dry heat or not, 123 degrees was HOT!

I use my Canon Rebel XTi for the photos that I post on my hiking blog, but I also take pictures with my iPhone in order to get something on my Facebook account as well as get a few panoramas.  When we arrived at the sand dunes it was just before noon local time, or before 3 PM Eastern time.  My photos indicate they were taken around 2:07, but the camera time is off by more than an hour and the camera is on Eastern time.

I took a few pictures of the dunes and then I pulled out my iPhone and was about to take pictures when I got a warning that my phone was locked and that I needed to send an email to get instructions on how to pay for access to my iPhone.  So I used my usual pin number to unlock my iPhone and it worked correctly.  I was annoyed, but I moved on.  I thought it was some “clever” advertisement or spam notification.

When we returned to the resort, I sat down on the couch and started to use my iPad to do some reading.  My iPad had the same message on the front and a pin number was set up.  Unfortunately for me, I never set a pin number on my iPad because I only use it at home to surf the web, read a book and maybe play a game.  What the hackers did was set up a pin number on my iPad.  What an annoyance.  Ransomware on any of my devices is no more worrisome than a rainy day.  It’s more of an irritation than anything.  I have off-site backups for my desktop machine and I know how to restore the entire machine in a few hours.  Hacking my iPad while I was on vacation (and the second day of vacation to boot) was really annoying, primarily because I didn’t have access to all of my adapters, computers and tools.  My wife has a tiny laptop that we use for minor stuff.  It has a grand total of 64 gigabytes of storage space.  So she installed iTunes on it (with some difficulty) and we restored the iPad and got everything back to normal.

After returning from vacation, I cleaned out all of my spam emails for the past couple of weeks and discovered these emails:

It appears that someone manually logged into my iCloud account, enabled Lost Mode and put in a message, for both of my devices.  The iPhone was first, which was locked by pin number, so they couldn’t change that.  The iPad, however, was not set up with a pin number, so they went in and set their own.  Or so I assumed, when I saw it was asking for a 6-digit pin.  Apparently, the pin that shows up is the pin that is set when the device is first set up.  My pin was not the same for the iPad as I used on my iPhone (which was what I tried when I first saw it appear).

My wife and I changed the password on our iCloud accounts when we were at the resort and she turned on two-factor authentication for iCloud.  Of course, that is a bit of a problem if I lose my iPhone, but it prevents anyone from hacking my iCloud account.

One thing that makes me wonder… how was Apple storing my password?  Are the passwords stored in clear text?  Are they encrypted with an algorithm that allows the password to be decrypted?  That seems foolish.  Maybe Apple was using something like a weak MD5 hash and the hacked database was cracked using a brute force method like this: 25-GPU cluster cracks every standard Windows password in <6 hours.  I know that the correct password was used to log in to iCloud using a browser.  The notification sent to my email account proves it.

How to Protect Yourself

The first level of protection that I have is that I assume I will get hacked.  From that assumption, I have plans in place to reduce any damages that can occur.  First, I have an off-site backup system that backs up everything I can’t replace on my desktop computer.  Pictures, documents, etc.  They are all backed up.  Some of my software is on GitHub so I don’t worry about backing up my local repository directory.  I have backup systems in place on my blogs and my website.

Next in line is the two-factor system.  This is probably one of the best ways to protect yourself.  Use your phone as your second factor and protect your phone from theft.  If someone steals your phone, they probably don’t have your passwords.  If someone has your passwords, they don’t have your phone.  If you see messages arrive at your phone with a second-factor pin number that you didn’t request, then you need to change the password for the account that requested it.

Next, you should turn on notifications of when someone logs into your account (if the feature is available).  Like the notifications about my iCloud being used in the emails above, I can see that someone accessed my account when I wasn’t around.  If someone is silently logging into your account, a lot more damage can be done before you figure out what is going on.

If you’re using email as your second factor, you need to protect your email account as though it were made of gold.  Change your email password often, in case the provider has been hacked.  Your email account is most likely used as a method of resetting your password on other sites.  So if a hacker gets into your email account, they can guess at other sites where you might have accounts and reset your password to get in.  I have my own URLs and hosts so I create and maintain my own email system.  If my email system gets hacked it’s 100% my fault.

Disable unused accounts.  If you’re like me, you have hundreds of web accounts for stores and sites that you signed up for.  Hey, they were “free” right?  Unfortunately, your passwords are out there and any one site can get hacked.  You can’t keep track of which sites got hacked last week.  Keep a list of sites that you have accounts on.  Review that list at least annually and delete accounts on sites you no longer use.  If the site doesn’t allow you to delete your account, then go in and change the password to something that is completely random and long (like 20 characters or more depending on what the site will allow).

Use a long password if possible.  Just because the minimum password length is 8 characters doesn’t mean you need to come up with an 8-character password.  If a site allows you to use 30 characters, then make something up that long.  There is an excellent XKCD comic demonstrating password strengths: click here.  For companies providing websites with security, I would recommend you allow at least 256 characters for passwords.  Allow your customers to create a really strong password.  Storage is cheap.  Stolen information is expensive.
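The two points above (how a provider stores passwords, and allowing long ones) come together in a short added example.  This is my own illustration, not Apple’s code or anything from the post: it puts the unsalted, fast MD5 scheme the post speculates about next to a salted, deliberately slow PBKDF2-HMAC-SHA256 record that accepts a 256-character passphrase, and shows why a stolen table of fast hashes falls to a single lookup pass.  The wordlist and passwords are constructed for the demo.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 600_000  # cost factor; raise it as hardware gets faster
MAX_PASSWORD_LEN = 256   # accept long passphrases, as the post recommends


def weak_md5_record(password: str) -> str:
    """The scheme the post worries about: one unsalted, fast MD5 per password.
    Two users with the same password get the same digest, and a cracking rig
    can test billions of guesses per second against a stolen table."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_record(password: str) -> str:
    """Salted, slow hash: per-user random salt plus an expensive PBKDF2
    derivation, stored as 'pbkdf2$rounds$salt_hex$digest_hex'."""
    if len(password) > MAX_PASSWORD_LEN:
        raise ValueError("password longer than %d characters" % MAX_PASSWORD_LEN)
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ROUNDS)
    return f"pbkdf2${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time so
    the check itself leaks nothing about how many bytes matched."""
    try:
        scheme, rounds, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if scheme != "pbkdf2":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def md5_lookup_cracks(stolen_records: list, wordlist: list) -> dict:
    """Why unsalted fast hashes fall quickly: one precomputed digest -> guess
    table recovers every matching account in a single pass over the dump.
    Returns {stolen_digest: recovered_password} for each hit."""
    table = {weak_md5_record(guess): guess for guess in wordlist}
    return {rec: table[rec] for rec in stolen_records if rec in table}
```

The same lookup trick fails against `make_record` output because every record carries its own salt and costs 600,000 HMAC rounds to test.  PBKDF2 also hashes the full 256-character input; bcrypt, by contrast, silently truncates at 72 bytes, so a site that accepts long passwords with bcrypt should know that.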

Don’t use the same password for everything.  That’s a bit obvious, but people do crazy things all the time.  The problem with one password for all is that any site that gets hacked means a hacker can get into everything you have access to.  It also means you need to change all of your passwords.  If you use different passwords or some sort of theme (don’t make the theme obvious), then you can change your most important passwords often and the passwords to useless sites less often.

Last but not Least…

Don’t pay the ransom!  If you pay money, what happens if you don’t get the unlock key?  What happens if you unlock your computer and it gets ransomed again?  Plan for this contingency now.  Paying ransom only funds a criminal organization.  The more money they make performing these “services” the more likely they will continue the practice.  I like to think of these people as telemarketers: if nobody paid, then they would all be out of work.  Since telemarketing continues to this day, someone, somewhere is buying something.  Don’t keep the ransomware cycle going.