The BDR

The
Broadcasters' Desktop Resource

... edited by Barry Mishkind - the Eclectic Engineer    

ERI

Doing IT Right
Recovering From a Ransomware - or any - Disaster


10/22/14 - Many things can happen to cause broadcast station to go "dark." Some can be predicted and planned for: power outages, for example. Others are sometimes harder to assess: floods, hurricanes, tornadoes, etc. And, added to that, we now have cyber-attacks.

We have known about viruses and malware, in general, for some time. But as computers continue to be more and more important in daily broadcast operations, bad actors continue to evolve more attacks which can cripple users. Ransomware is one of the worst, and it is real. Bad people want your money - and do not care what they destroy to get it.

By having a plan in place now to protect your systems, you can reduce the potential for disaster from malware - or any of the natural disasters that could disrupt business.

A PROBLEM FACED BY MOST EVERYONE

In a modern radio studio, there are many reasons to connect a computer network to the Internet, from program acquisition to EAS reception from the IPAWS CAP site to the remote control of consoles, automation systems, and more.

But, at the same time, caution must be taken, and doubly so with the advent of ransomeware.

RANSOMWARE

What is ransomware? Ransomeware is malware that does two very nasty things to your computer: First it encrypts your files (especially the data files) with a RSA standard encryption key and, secondly, demands that the user pay a sum of money before a timer runs out and the decryption key is discarded. As a variation, the longer the user waits, the ransom amount is increased.

When this happens, you are not just slowed down or find some files corrupted. The entire computer essentially is locked down, useless. Worse, like a highly contagious disease, it spreads fast, taking down entire networks. Unless you pay, your only option is pretty much a complete new install.

Many companies and individuals have paid - millions of dollars - to hackers usually hidden behind many layers of anonymity somewhere around the world. Police often point to Eastern Europe as the source, but and infection can come from anywhere in the world. Others have resolutely refused to pay, even if it meant total loss of everything on their machines.

AM I REALLY AT RISK?

As noted, any computer that is on a network where there is a connection to the Internet has some risk. This is not, as some have claimed, a Windows XP issue. Nevertheless, even if an individual computer cannot access the Internet directly, if there is a shared drive letter with a computer that does have access, there is risk.


ERI


Here is how simple - and sad - for an infection to kill your computers: All it takes is one person clicking on an infected email, or hitting an infected page when browsing.

The ransomware - currently CryptoWall is one of the most prevalent - then looks for files to encrypt on the infected machine and any other shared machine with a drive letter. This is the real danger - no matter how careful one person may be, a careless co-worker with a compromised computer can bring down an entire facility.

In mid-October, three stations in Louisiana reported being shut down and facing a demand for payment. These stations, and another one in Arkansas, declined to pay and started the long process of rebuilding - apparently there was no viable backup.

WHAT CAN I DO TO PROTECT MYSELF?

Various web sites offer information on how to prevent problems and what to do if you do get hit - mostly some explanations of what ransomware is about, help in seeking useful backups (you do regular backups, right?), or commiserating with you about the loss of your system due to the encryption.

Because the danger comes from different directions: USB flash drives, poisoned email, various kinds of malware downloads, infected web sites, etc, a lot depends upon safe practices by your staff.

  • up-to-date virus/malware protection should be used on your network
  • a carefully installed firewall should be between your network and the Internet
  • individual access to the Internet should be controlled carefully
  • do not hide file extensions - that is often how somefile.pdf.exe gets run
  • instruct staff on professional conduct and remind them how easy it is to become infected
  • sanction staff that insists on visiting dangerous websites, etc.
  • control room computers with Internet access should be isolated from the network as much as possible, even to the point of using separate routers

Yes, you can run your system carefully without anti-virus/maware on one network. But here is the problem, even for very careful folks: there are hundreds, if not thousands of hackers trying every day to penetrate computers via spam, trojans, or direct attacks on servers. All it takes is one mistake or lapse of attention - or with no fault of your own, you visit a web site that has been hacked and poisoned - and your computer may become a doorstop.

WHAT CAN BE DONE?

First, educate yourself. Understand what the issues are. Either take staps to prevent problems or hire a qualified IT person to do so for you.

Above all, institute a backup policy to ensure you will survive in of case of a ransomware attack - or any other disaster, natural or manmade. Saving your key data files can take as little as one DVD. Do it regularly. If something happens, you can install your files on any available, clean desktop or laptop.

A complete backup of a mission critical system may take a lot of space but will let you recover much faster than any other method. One fairly simple approach is to have a spare computer (or two) not unlike the "deep backup" transmitter at some sites. Regularly mirror your mission critical computer. Then remove all wiring, network and electrical.

A complete backup may also take a lot of time and effort. This is not a chore to ignore, assign to someone who is not dependable, or to be done "when there is time." It really is important, like having insurance.

With such an approach, you may lose a few minutes of airtime after a disaster while powering up and connecting the computer (WATCH OUT that your do not attach your mirror to an infected network!) but you will be back with minimal damage.

RESOURCES

Did we remind you to back up your computers and files? The level of what and how you backup will prove invaluable if the unexpected happens.

As the article linked above notes, there are many backup programs and protocols available, some are even free. If your IT person does not have one in place, there are many available by searching the Internet (please do this carefully - there are programs offered free that are really scams that are little more than infections waiting to harm you).

For more information, we would like to share a few sites that discuss ransomware and recovery.

For example, these sites have been useful to some in explaining the current dangers and/or safe practices:
        http://www.techrepublic.com/


        http://www.infoworld.com/

        http://www.bleepingcomputer.com/

From Andy Lynch:
The free version of OpenDNS blocks the user from reaching the bad site (the sites that distribute these parasites).  Here's more information-- http://www.opendns.com/enterprise-security/solutions/network-security/

If you are familiar with your IP setup and the DHCP, then changing your DNS to OpenDNS is a snap.

You can test if you've successfully deployed OpenDNS at this site--
http://welcome.opendns.com

From Art Reed:
One of my favorite free protections is the use of this free download of a "hosts" file.
http://winhelp2002.mvps.org/hosts.htm

Installing this alternate hosts file on a windows computer prevents your browsers from accessing any of a list of hundreds of known malware/advertising/tracking sites. They can't get to you, if your browser won't go there in the first place.

From Jeff Carter:
I bet it's common knowledge, this is a sophisticated bunch.  For years, I've been blocking ad networks at the application layer via
altering the HOSTS file on both Linux and Windows machines.

I usually get updates for that from here: http://winhelp2002.mvps.org/hosts.htm  Instructions are there as well for those who need them.

For DNS, there's a little bit more involved, but you can read this same HOSTS file into zones with a script.  That is more than I would advise a newbie to attempt, because the HOSTS file is doing the same thing.

The only reason to do it via DNS is when you have multiple machines and don't want to touch every single one at every HOSTS update, or if you have video or game machines that you can't easily alter.  By pointing them to an ad or malware-blocked DNS, you're doing the same thing.  You also have to be running your own DNS, which is really easy but not something I'd want to try to explain to my father (my role model of computer ineptitude).

And from Sid Schweiger:
As a general principle, program automation should always run on a separate, non-routable subnet, with each machine having a static IP.  But the trick is:  Connect that subnet to your firewall, on a port which will have a static IP address in the automation subnet, but keep all ports facing the Internet closed to start with.  As you build out your system and apps, you allow access to that subnet ONLY on certain ports...you do the cross-connection inside the firewall from another subnet which has Internet access, either your "business" subnet or an outside (routable) IP address.  You allow that cross-connection only on the ports needed for, say, the remote-control software.  It's always a good idea to change the port which faces the Internet and use the firewall to translate that port to the correct one on the inside.  Just as is the case with many home routers and their passwords, the bad guys know all the standard ports for network-connected software.
 
For example:  One of the most often used pieces of R/C software is TightVNC, which normally operates on port 5900.  Take a non-standard port and forward that port in the firewall to the correct port on the TightVNC host.  So, if your outside address is X.X.X.X and the machine you need to control is at Y.Y.Y.Y, install the TightVNC host on Y.Y.Y.Y and select a non-standard port (in this example, we'll use TCP port 63241) to face the outside.  Configure your firewall to forward X.X.X.X:63241 to Y.Y.Y.Y:5900.  (And, of course, you have a nice, lengthy, hard-to-crack password on the host computer.)  There are 65,536 ports.  The first 1024 are reserved for use with common protocols (80 for HTTP, 443 for HTTPS, etc.), but otherwise you have plenty of choices.  (The full list can be found at http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml .)  You can also change the host's port if you wish.

 

If you have some useful suggestions to help others, please let us know at the contact link below.

 

 

Home - Opt-in Newsletter - Tech Mailing lists - Contact - Help