This Week in Security: Ransomware, Badges, and OpenVPN

A Ransom That Would Make Anyone WannaCry

A South Korean web hosting company, Nayana, was attacked earlier this month by hackers who initially demanded 550 Bitcoins (~$1.4 million USD) in exchange for decrypting their files. Nayana operates a fleet of outdated Linux servers including Linux kernel 2.6.24.2 (2008), Apache 1.3.36 (2006) and PHP 5.1.4 (2006), leaving them vulnerable to a plethora of public exploits.

The attackers took advantage of the situation and ported the Erebus ransomware to run on Linux which encrypted Nayana’s 153 webservers which hosted over 3,400 websites. Nayana negotiated the ransom down to 397.6 Bitcoins (~$1 million USD), but a $1 million ransom is probably enough to make any C-level executive WannaCry.

On a related note, as part of an ongoing effort to increase security, Microsoft will disable SMBv1 in future releases of the Windows operating system. SMBv1 is the protocol abused by the WannaCry ransomware to spread across internal networks.

For those of you looking to keep your systems secure and your wallet full, take the following steps:

  • Disable SMBv1 on your Windows devices
  • Backup your important data to an offline device (external hard drive) or cloud service
  • Test the restoration functionality of your backups
  • Keep your software up to date

Cybersecurity? There’s a Badge for That

Businesses are competing for an increasingly limited pool of cybersecurity talent and that leaves them exposed for months on end when it takes them six months to fill a cybersecurity position.

Ryan Barrett identifies three systemic issues for the cybersecurity skills gap:

  1. Students graduating from post-secondary schools aren’t fully prepared
  2. Companies don’t know what to look for in a professional
  3. Skilled professionals are overworked to the point where they can’t keep up with the hyper pace of security

Luckily for us, the Girl Scouts are joining the fray with the introduction of 18 cybersecurity badges in an effort to push young women into the science, technology, engineering, and math (STEM) field.

They’re just in time as a group of contractors were caught hacking a vending machine to steal over $3,000 worth of snacks. The vending machines relied on an electronic payment system, FreedomPay, which the attackers would disrupt by disconnecting the network cable and use unfunded payment cards.

If you’re having issues filling your cybersecurity position, consider hiring for passion, not prestige.

Crouching Bug, Hidden Vulnerability

Earlier this year, the OpenVPN project underwent two separate security audits which uncovered numerous bugs which were fixed. Version 2.4.2 was released as a “technically sound” release.

Unfortunately, security is never that easy. Security researcher Guido Vranken took an alternative route to examine the security of the codebase and chose to fuzz it rather than manually audit the code. The end result? Four security vulnerabilities that were not discovered in the manual audits, one of which (CVE-2017-7521) could lead to remote code execution.

Moral of the story: security is a never-ending process, keep your software updated.