Is ransomware attack on ReadyNAS possible?
Jarkod - Guide - Aug 04, 2014
Synology NAS servers are under attack by the SynoLocker ransomware: http://www.cso.com.au/article/551527/synolocker_demands_0_6_bitcoin_decrypt_synology_nas_devices/. Devices are encrypted and a payment of 0.6 Bitcoin is demanded from the owners if they want their data back. I was wondering if such a thing is possible in the ReadyNAS realm? How can the ordinary user prevent such things from happening, apart from going off-line?
24 Replies
StephenB - Guru - Experienced User
Of course nothing in life is risk-free, so what you really need to do is manage your risk.
ukbobboy - Luminary
Hi StephenB
Just want to clarify a couple of points with you:
You said: "nothing in life is risk-free"
That, without a doubt, is so very true, but how many people understand the risks they are taking when they use a computer on the internet? And even worse (or unknown), how can that risk be quantified?
You also said: "what you really need to do is manage your risk"
Well, how can you manage something that is "unknown"?
You see, if the technical boffins that designed and built the IT kit we use are unaware of, or did not consider, the emerging security threats that are out there and build in the necessary protection utilities, then how can (home) users understand enough to protect themselves?
The main problem is that whenever anything computer-enhanced is sold, the security of that equipment is a poor secondary afterthought.
UK Bob

xeltros - Apprentice
Managing risk is about:
- reducing the odds
- reducing the duration (if applicable)
- reducing the impact (the gravity)
- reducing the affected devices (the zone)
A risk can be defined as a potential threat (a threat that could become reality). Your job is to list and patch every possible threat to reduce the risks.
As for quantifying unknown risks, that's really hard; most people use statistics, but with no historical basis you can't have reliable approximations. Risk management methods rely on some kind of multiplication of the factors I quoted above. Quantifying known risks is easier, as you already know how often the risk occurs, if it's recurrent, if it affects specific targets (phishing works because people don't know how to identify it; add "this is an attempt to steal your money" in the mail title and only idiots will click, therefore IT guys are less likely to fall into the trap than an 80-year-old grandmother who just got her first computer).
As for your question on how many people know exactly how much risk they take going on the internet, the answer is only a few specialists (if anyone at all). I'm a computer scientist and I can assure you that I don't know half the risks of the internet. All I know is how to avoid common threats and when to be suspicious. The internet is too big to know it all. Knowing everything that could happen would be like a nutritionist knowing all the potential poisons, allergens, interactions with meds and potential side effects of all possible food (& drink) that exists (or will exist).
When something is unknown, you prepare for the worst possible scenario, and for all the other scenarios that cross your mind.
A well designed information system takes everything into account. You will always forget something, but since you audit your security every six months and upgrade it every year, at some point the vulnerability will be patched mechanically (sometimes after being exploited, unfortunately).
Security can be considered as an onion because it uses layers.
If you pass from the internet directly to your NAS, you are exposed and rely on the NAS security only. If you add a decent firewall then you block some attacks before they get to the NAS. Then add another firewall from another brand with other technologies; then even if one of the firewalls can be bypassed, the second one should do its job. Then choose to block all unauthorized IP addresses; attacks won't come from blocked addresses. Then use an antivirus (or 10 different ones); viruses should have trouble getting through... Each layer is susceptible to failure, but all the layers simultaneously, if well thought out, should not fail easily. They will fail to a well trained attacker if he is given enough resources and time (it could be hours or centuries depending on your security level). Ultimately your security will always fail you, but the goal is to update it before it does.
Security also includes physical security. If your NAS is overprotected by software but it sits in an open locker in a train station, anyone can figure out how to reset the password and how to steal the NAS...
Hope this is clearer for you.

StephenB - Guru - Experienced User
ukbobboy wrote: You said: "nothing in life is risk-free"
That, without a doubt, is so very true, but how many people understand the risks they are taking when they use a computer on the internet? And even worse (or unknown), how can that risk be quantified?
I'm sure there are metrics out there. I'm not sure they are that helpful though. I don't research the odds when I am trying to decide whether to fasten my seat belt. I just fasten it.
ukbobboy wrote: You also said: "what you really need to do is manage your risk"
Well, how can you manage something that is "unknown"?
The root cause for future attacks is not known, to be sure. But the risk itself (that your data could be stolen, or hijacked for ransom, or just trashed) is known. One can manage it in a variety of ways. Making a backup to a USB drive, and putting it in a safety deposit box, is one. Encrypting sensitive files can protect against stolen data/identity theft, but not hijacking or trashing... The way you manage this is to think about the consequences of stolen or lost data, and take some precautions.
ukbobboy wrote: The main problem is that whenever anything computer-enhanced is sold, the security of that equipment is a poor secondary afterthought.
15 years ago that was perhaps true. But it certainly isn't true now. Microsoft, Apple, Google are all very serious about security threats, and it certainly is not an afterthought for any of them. iOS and Android both have a security framework that is in place. Netgear and Synology also clearly take it seriously, and routinely release security updates.
What is happening is that the attacks change over time. Years ago it was the OS itself. From there it shifted to Office, then to browser plugins. Now it has shifted again to commonly used open source. Viruses mostly gave way to phishing, and more recently we are seeing automated botnet 0-day attacks launched by compromised PCs.
But overall, internet security is much better than it was 10-15 years ago, even though the internet is much bigger. Back then virus attacks frequently shut down large corporations for days, sometimes several times a year. That is not to say that there is no need to be concerned, or that everything is safe. But security is not an afterthought, and attacks now generally don't have the massive impact they had years back.
Having said that, part of the problem is that the original network protocols that the internet is built on were designed in a very different world than today - and they are not secure. Lots of people are looking at that, especially in the context of Snowden. However, there are limits to what can be done, given the scale the internet has reached.

xeltros - Apprentice
I entirely agree with you. There was a time, that the youngest of us (including me) never knew, when the internet was text only, when HTTPS didn't exist and when sending your credit card number over the internet was like signing a blank check.
Then usage changed, research was financed to exploit the potential of the internet, then there were some well known hackers, Kevin Mitnick being one of the most famous, along with Steve Wozniak (aka Woz the magician, aka Apple co-founder).
Check Kevin Mitnick's story; you will see that he hacked most of what could be hacked, and nowadays this would require a tremendous amount of people and resources. Woz created a free phone box in a MacGyver-like style; I dare you to use a trick as simple to avoid the phone bill nowadays, I would be really surprised if anyone could do it (of course more sophisticated attacks will do the job, but not as simply). Security is taken very seriously.
It's like in war time: in Iraq several US soldiers died. Do you really think that US soldiers take security lightly? It's not because you fail at doing something that you didn't try really hard to do it. I know this goes against the Obama slogan (it was "Yes we can!" I think, non-US here), the American dream and those common proverbs (to a valiant heart, nothing is impossible, for example), at least if you don't try enough times.
Manufacturers often fail to secure their products for various reasons. But there are also other manufacturers whose job is to secure you. Look at Checkpoint, Palo Alto Networks, Sophos, Trend Micro, Kaspersky, AVG... The only thing they sell you is security (or at least the feeling of being secured).
OpenBSD is a highly secure OS; you could use it, but its hardware support is limited, its configuration is hard and its software is outdated (because they check for bugs before publishing the software). At some point you have to choose between security and flexibility; that's where many manufacturers fail.
You can make sure nobody hacks you from the internet: you just have to cancel your internet subscription and physically cut the wire and you'll be fine. But that's not practical, so you find some other ways to secure yourself. Some firewalls give you alerts each time a piece of software tries to get to the internet FROM your computer. Most of the time you end up saying "yes to all"; it's not that we don't have the tools, but most of the time we don't use them properly.
Moreover, like I said before, security uses layers; no manufacturer can do all the job for you. If you want that, you want to outsource it, and even then if you look at your contract you will see a few lines saying that the provider can't be held responsible for some things if he did his best.
Google is a good indicator of subject interest; "security" returned me 559 000 000 results.
For metrics, there are a few guys doing some. There are plenty of others of course (including every antivirus brand out there), but here are some examples.
CLUSIF (those who did the MEHARI risk management toolbox), my favorite security report but in French (didn't find an English version): http://www.clusif.asso.fr/fr/production ... t-2014.pdf
CISCO: http://www.cisco.com/web/offers/lp/midy ... ode=502656
Checkpoint: http://www.checkpoint.com/campaigns/201 ... ty-report/
And of course Gartner always has something interesting: http://www.gartner.com/technology/resea ... anagement/

mdgm-ntgr - NETGEAR Employee Retired
Here's an interesting read: http://arstechnica.com/security/2014/08/whitehats-recover-victims-keys-to-cryptolocker-ransomware/
Doesn't work with Synolocker, but it does show that these kinds of hacks can be countered.
For the hack to raise money for the hacker there needs to be a fairly automated way to decrypt the files, which means there likely is a way it can be reverse engineered.
Still, even if files could be decrypted I'd have concerns.
Backups are important and so is security.

StephenB - Guru - Experienced User
Another change in attacks I should have mentioned above is the intent. 15 years ago it was mostly done by people who wanted to wreak havoc for its own sake. Now it's about money (and in some cases agendas to target specific sites).
mdgm wrote: For the hack to raise money for the hacker there needs to be a fairly automated way to decrypt the files which means there likely is a way it can be reverse engineered.
Reverse engineering the malware doesn't necessarily mean the decryption keys can be recovered. I think in this case the white hats were able to locate and hack into the servers that held the decryption keys. Even if that is not the case in this instance - if I were a hacker, my malware wouldn't know the decryption key. It is certainly possible to structure it that way.
Also, the hacker can make some money even if they don't decrypt the files after receiving the ransom. Just not as much.
But ransoming does require a way to receive the payment, and in principle you can trace the payment trail to the hacker. In the Synology case, they are counting on TOR to conceal their location. That might not be enough - governments have been able to locate TOR sites and shut them down, and perhaps others with less resources could locate them as well.
mdgm wrote: Still even if files could be decrypted I'd have concerns.
Me too. I'd want to do a factory reset here, just to make sure there was nothing left behind in the OS (a rootkit perhaps).

ukbobboy - Luminary
Hi xeltros and StephenB
First of all, I must say that I have found both your replies to be comprehensive, informative and above all very enjoyable (you guys probably weren't going for "enjoyment" but I liked them anyway).
Xeltros
As you are a computer scientist it is obvious that you can see and understand the IT world far better than I ever could, being a humble home user, and all I can really look at and try to understand is the end product.
That said, I would just like to run over a few points with you (sorry if they seem silly):
You said: "Managing risk is about:
- reducing the odds
- reducing the duration (if applicable)
- reducing the impact (the gravity)
- reducing the affected devices (the zone)"
That I understand, and for my part, I now practice very limited "explorative/inquisitive Internet surfing", much less than I used to do a few years ago.
However, the average (home) user, when he gets his new computer, just wants to get out there on the Internet and explore, maybe even download anything and everything that can be downloaded, which can be disastrous for the end user and can propagate the spread of malware.
I guess my point is that risk assessment is performed by the professional and the knowledgeable; home users get no warning, not even a cautionary leaflet, about the potential problems they may face when they start to use their shiny new toy.
Here's an example: when I got my ReadyNAS Duo v2 in December 2012 I also got the necessary extras to make the thing work, i.e. cables, software etc., but there was nothing about security. Now, I presume that my NAT table, in my router, and network-aware firewall and AV will keep my NAS safe, but I cannot be sure because information on this point is very scarce.
As you know, Netgear has introduced an AV add-on for NAS products running firmware 6.x but nothing for those of us running firmware 5.x. This to me shows that Netgear is aware of a security problem with NAS devices but did not think that the thousands of 5.x users should have this facility, i.e. not even qualifying as an afterthought.
So once again, if the producers of IT kit will not or choose not to mention anything about security, or offer new facilities when available, then how is the end user supposed to know what to do?
However, I do personally realise that in order to keep my IT kit safe I have to go through a certain amount of self-education and self-control (curbing my enthusiasm). But it would still be a good idea if the Netgear boffins and/or real NAS enthusiasts could have online a "do's and don'ts" of NAS security.
Again, what I am saying is that most home users (not enthusiasts) cannot on their own understand or appreciate Internet security problems; they tend to be dependent on the built-in utilities that come with the product. Therefore, if security features are not added then most users will just get on with the items that came with their new toy, and as you can appreciate that just continues the spread of malware throughout the net.
StephenB
I'll just say two things:
1) I agree with you when you said: "I don't research the odds when I am trying to decide whether to fasten my seat belt. I just fasten it."
Metrics, statistics, etc. mean very little to most people, so when crossing the road, fastening your seat belt or even getting out of bed in the morning is not something you spend hours calculating, you just do it. Unfortunately, for home users IT security is not second nature; it is something that has to be given serious thought, which is something most users do not do.
2) And yes, I totally agree that the Internet is not the same animal it was 15 years ago and that is why most users today need help, whether they realise it or not, because unless IT equipment manufacturers start to include security/self-defence utilities with their kit the Internet will continue to be flooded with malware.
I hope I have got my point across and not repeated myself too many times.
UK Bob

StephenB - Guru - Experienced User
ukbobboy wrote: then how is the end user supposed to know what to do.
This can be more tricky than you might think, and it is a topic of discussion in security circles [I monitor some of them professionally but I am NOT an expert].
I get several security warnings whenever I install a new app (either Android or Apple). I have to say I don't read them as carefully as I should. If I want the app, I just accept.
A couple of weeks ago I was at a meeting discussing internet security and privacy - the same issue surfaced there, though expressed differently. "My mother searches on the internet, and finds a cat video. She clicks on the link, and her browser gives her a bunch of warnings. But it's a cat video so she just has to see it". Cat videos trump security all the time. Security experts know this.
So from a security perspective, the human running the equipment is often the weakest link. They want to do what they want to do. You need to give them options, but it is hard to word the warnings so that users actually understand the risks they are facing.
I realize your question is a bit lower down - how does the person administering the NAS know what the best practices are? But it is related. There is definitely a catch-22 - for a lot of people if you give them too much information it just turns into another ignored click-through. If you make it too difficult, then you get user resistance (the cert warnings the browsers give you when you connect to the NAS being one example). But many people do want to know...
So I don't have a good answer, and I don't think the industry does either. Creating a good and secure cloud offering is part of it though. Having an easy-to-use, inexpensive (or free) and secure way to connect to your NAS from all your devices anywhere would help a lot. A lot of NAS owners get into trouble because they are trying to figure out on their own how to do this. It would be nice if ReadyCLOUD was that - but right now it's not.

xeltros - Apprentice
Manufacturers expect people to fully understand the tech sheet of their products; if they don't, they should call pre-sales before buying, and they are welcome to contact technical support after buying to help them get started (most manufacturers provide 30-90 days of free call support).
The end user is not supposed to know what to do; he is just supposed to know who to call, and you get support phone numbers with every product. IMO the quick start guide is an error; you should only get the full guide.
I know most people don't even read the detailed tech sheets, so the manual is an abstract thing for them (many don't read terms of use either, by the way...).
So, yes, the end user is expected to have a thoughtful approach in the first place, and unfortunately most people are left under the impression that digital is not real and can be treated casually. They don't read contracts, they don't watch their words while posting on forums / mail, they give their bank information more easily than they would on the phone, they forget that a machine can break and don't do backups, they click on everything (whereas most people are afraid to walk alone in dark streets)...
That said, there are warnings. Microsoft UAC is a known one, some firewalls alert you for both outgoing and incoming connections, the first time you use IE you have an alert too, you get alerts when certificates are not valid, when you first run the NAS you are asked for a new password...
As for the antivirus, 5.x machines were less powerful for most of them; my NAS has the option (RN104) but it is not able to handle it. Moreover, updating software for years takes time and money; what is used in there is not used for newer products. This means that research will slow down and may not be able to keep up with the dangers, resulting in a 100% insecure device rate (or in a 300% price increase for products). The choice has been made to support devices for a certain amount of time. Usually (depending on models and manufacturers) new features are developed for a short period (1 to 3 years) and then bug fixes are released for another 2 to 5 years.
You have to understand manufacturers a little bit here. They need to pay people to update software, but consumers are pulling prices down. So they have to choose between having a bigger price point but good support (works for professional stuff and Apple) or lower prices but staying with decent support (some even choose to drop the support to a legal minimum for that reason). Netgear would be really happy to provide you with lifetime warranty and updates, but with the actual pricing they have it's not possible, and I think they do a pretty good job. In IT you often get what you paid for; if not spent in hardware or software then the premium is support.
Your router with only NAT is secure enough for most people, but won't handle a direct attack if ports are forwarded (a forwarded port lets everything pass on consumer routers). Now the problem is not about being secure, but having security adapted to your needs and skills. I have two enterprise-class firewalls; they are very good at what they are doing, but average users will just be unable to use them and will get worse security with them than with a classic, less powerful thing. Now if you only store family photos on your NAS, you are probably more worried about losing them than about them being stolen, so you should backup (and yes, ReadyNAS having a backup function, it's obvious it's not here for fun; this should trigger questions from users). So in this case money would be better spent on another NAS or a cloud subscription than on an enterprise-class firewall.
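The advice that recurs through this thread is to keep backups (mdgm's "Backups are important" and xeltros's "you should backup" above). A backup that simply mirrors the share in place does not help much against SynoLocker-style encryption, because the next sync overwrites the good copies with encrypted ones. The following is an added example, not code from the forum thread and not NETGEAR or ReadyNAS code; it shows the two properties a ransomware-resistant backup job needs: keep the last few generations instead of syncing over them, and refuse to roll forward when most of the source changed at once, which is what an encryption pass looks like from the backup's side. All names (snapshot, changed_fraction, the MANIFEST.json file, the 0.5 threshold, the gen-NNNN naming) and the sample "photos" are assumptions constructed for this example.

```python
"""Versioned backup with a mass-change guard (added example, not ReadyNAS code)."""
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"  # assumed name for the per-generation hash list


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large media files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def changed_fraction(previous: dict[str, str], current: dict[str, str]) -> float:
    """Share of previously backed-up files that are now modified or missing.

    Day-to-day use touches a handful of files between runs; an encryption pass
    rewrites (and usually renames) nearly all of them, so the ratio jumps to ~1.
    """
    if not previous:
        return 0.0
    changed = sum(1 for rel, digest in previous.items() if current.get(rel) != digest)
    return changed / len(previous)


def generations(dest_root: Path) -> list[Path]:
    """Existing generation directories under dest_root, oldest first."""
    return sorted(p for p in dest_root.glob("gen-*") if p.is_dir())


def snapshot(source: Path, dest_root: Path, max_change: float = 0.5, keep: int = 3) -> Path | None:
    """Copy `source` into a new generation directory under `dest_root`.

    Returns the new generation's path, or None when the change ratio against the
    newest generation exceeds `max_change`: the run is refused and nothing is
    written or deleted. Generations beyond `keep` are pruned only after a
    successful copy, so a refused run can never cost you a good backup.
    """
    dest_root.mkdir(parents=True, exist_ok=True)
    current = build_manifest(source)
    gens = generations(dest_root)
    if gens:
        previous = json.loads((gens[-1] / MANIFEST_NAME).read_text())
        if changed_fraction(previous, current) > max_change:
            return None
    last_no = int(gens[-1].name.split("-")[1]) if gens else 0
    new_gen = dest_root / f"gen-{last_no + 1:04d}"
    shutil.copytree(source, new_gen)
    (new_gen / MANIFEST_NAME).write_text(json.dumps(current, indent=1))
    for old in generations(dest_root)[:-keep]:
        shutil.rmtree(old)
    return new_gen


def demo() -> dict:
    """Constructed walk-through: one edited file is accepted, a wholesale rewrite is refused."""
    tmp = Path(tempfile.mkdtemp())
    share, backups = tmp / "share", tmp / "backups"
    share.mkdir()
    for i in range(4):  # constructed sample share: four small "photos"
        (share / f"photo{i}.jpg").write_bytes(b"jpeg-data-" + bytes([i]))
    first = snapshot(share, backups)
    (share / "photo0.jpg").write_bytes(b"edited")  # one file edited: normal use
    second = snapshot(share, backups)
    for p in list(share.iterdir()):  # simulated encryption pass: every file rewritten and renamed
        p.write_bytes(b"ENCRYPTED")
        p.rename(p.parent / (p.name + ".locked"))
    third = snapshot(share, backups)  # refused, so gen-0001 and gen-0002 survive untouched
    return {
        "first": first.name if first else None,
        "second": second.name if second else None,
        "third": third.name if third else None,
        "kept": [g.name for g in generations(backups)],
        "photo1_intact": (backups / "gen-0002" / "photo1.jpg").read_bytes() == b"jpeg-data-\x01",
    }


if __name__ == "__main__":
    print(demo())  # "third" is None: the wholesale rewrite was refused
```

The threshold is deliberately coarse: a real job would also alert (e-mail, syslog) when a run is refused, since a refused run is exactly the moment the NAS owner needs to look at the share, and the backup destination should be a separate device or an offline disk so the same malware cannot reach the generations directly.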