Equifax Dumpster Fire

Brian Krebs called it a dumpster fire, and I agree. I can’t add any facts to Krebs’ report on the Equifax breach. It happened, and it is bad. The current number of people said to be affected is 176 million and I doubt that number is final. Equifax’s response has not been good.

Self-dealing response

First, there was a long delay between discovery of the breach and informing the public. The delay gave several Equifax insiders an opportunity to dump shares before the inevitable fall in Equifax stock prices. More on that below.

Second, the response has been weak and possibly self-dealing. Equifax is offering a free year of credit monitoring. Many experts, including Krebs and myself, feel that an individual can do a better job of monitoring their own credit than any service if they are willing to make the effort. Credit monitoring is simply watching your accounts for unexpected activity. The services use algorithms to detect unexpected activity, but you know what is happening on your accounts better than any algorithm and you are more likely to catch something out of order than the service. But you have to review account activity frequently— daily is great, weekly is good, monthly at a bare minimum.

The nasty part of the Equifax response is that it is only for a year. The data that was stolen will be useful to crooks for years, perhaps decades. The offer, at least at this writing, is only for a year and they will start to bill you when the year is up. Yes, Equifax’s credit monitoring service may have a windfall of new paying customers a year from now.

Just a bit self-serving, wouldn’t you say?

Potential for mayhem

The credit reporting services (Equifax, TransUnion, Experian, and Innovis) collect data on credit activity and assign individuals credit ratings that your creditors use to decide risks and rates for extending credit to you. If you have a credit card, buy on credit, or have a mortgage, you have a credit rating with the reporting services and they have your data. You don’t send the information to the service, your creditors do. An individual has little control of the data collected by these services. To protect yourself, you should request a credit report at least once a year and check it for accuracy. You might find, for example, that your credit rating has been dinged because a creditor neglected to report that you paid your bill. Honest mistakes happen, and it is up to you to get them corrected.

The point here is that the data is collected without your approval. Credit ratings are not “opt in.” In fact, you can’t opt out. In my opinion, that places extra responsibility on the credit reporting services to keep the data accurate and private, although credit reporting services are largely unregulated. From the reports I have seen on the breach, Equifax was not following best security practices and I am not surprised that hackers got in. That is bad. I will not expect the picture of extent of the breach to be complete for weeks or even months to come.

This breach could force the entire credit industry to change its practices. Certainly, this is a warning shot across the bow to the other credit reporting services. The data that was stolen, names, addresses, phone numbers, credit card numbers, and driver’s license and social security numbers are everything a criminal needs to steal your identity, rack up phony credit purchases, and file a fake tax return in your name. Who knows what other damages the dark side will hatch from this treasure trove. The potential for mayhem is staggering, and the public outcry could equal that over the Enron debacle or the junk mortgage bubble, both of which inspired new regulations that changed corporate governance.

Insider trading and Sarbanes-Oxley

Now back to accusations of insider trading. I have no idea what the insiders knew or did not know, but I have some familiarity with the Sarbanes-Oxley Act which assigns criminal liability to corporate executives and officers who neglect critical security controls. The act, often called SOX, was in response to the Enron collapse of 2001. One of the security controls that SOX often demands is rapid notification of executive management of critical security lapses. If SOX applies, the corporate insiders who dumped their stock could face jail time for not knowing about the breach as soon as it was detected. If they knew about the breach, they are guilty of insider trading. If they didn’t know, they are in violation of SOX. This is something for the SEC to sort out. I find it hard to believe that they were that benighted, but the possibilities for negligence surrounding this event are goggling.

Advice

Krebs recommends that everyone should put a security freeze on their credit reports from each of the big four. I agree, but I also caution that a security freeze is a hassle; you must temporarily unfreeze and refreeze whenever you want to get a loan or open a new line of credit, but it does stop some of the most devastating attacks. Nevertheless, a freeze is not complete protection. You still must keep a hawk eye on your accounts, get your tax returns in early, and monitor your credit rating reports. That does not guarantee you won’t be hit, but it will make you safer than most.

Ransomware– You Don’t Have To Pay!

Monday, 3/28/16, what appears to be a ransomware attack forced a hospital in Maryland and Washington D.C. to shut down their network. Ransomware attacks on hospitals have been increasing. Attacks on individuals are also on the rise.

Ransomware is the most direct route from a victim’s wallet to a hacker’s pocket. The hacker infects a computer, tablet, or phone with malware that makes a threat and demands a ransom. Extortion. Pure, simple, and lucrative. Ransomware has extorted hundreds of millions of dollars from innocent victims during the last few years. Despite some notable busts, the number of assaults has increased each year for several years.

The Course of an Assault

An assault follows a predictable course. The initial infection comes from executing an attachment from a malicious phony email, or clicking a web site that is a drive-by infector. Then comes the threat and demand—the choke and puke, as it is called. The victim is ordered to pay, usually in bitcoins.

Threats

Sometimes the threat is idle. The victim might click on a dodgy site that promises salacious celebrity photos. Shortly thereafter a realistic image pops up that looks like it came from the FBI, the county prosecutor, or whoever. The pop up accuses the victim of downloading something illegal. Send money and the charges will be dropped. Another variant pops a message saying that the victim’s computer is infected with a deadly virus. Buy this expensive software to clean it up or suffer the consequences. In most cases, threats like these are entirely bogus. A good anti-virus scan will probably take care of the infection.

File Encryption Threats

There is another type of ransomware that is a more serious threat. These infections disable the victim’s computer by encrypting the victim’s files. The encryption is strong and nearly impossible to decrypt without the key, which the hackers will gladly supply, for a ransom, usually between three hundred and eight hundred dollars for an individual. Businesses are hit for larger ransoms.

These criminals are ruthless and heartless. Lately, hospitals have become a favored target, no doubt because the threat to patients ups the urgency. A hospital in the Los Angeles area recently paid out $17,000 to get their files back. Around a dozen other hospitals have been hit.

Solutions

This threat is so effective, on at least one occasion, the FBI recommended paying the ransom, but you don’t have to fall victim to these file encryption attacks.

First, follow basic cyber hygiene. Don’t open email attachments unless you are absolutely certain the email is from a trusted source. Don’t visit dodgy web sites. Use an anti-virus and run scans regularly. Keep your system and anti-virus up to date. These steps will protect you from infection in most cases.

If your defenses don’t protect you, a good backup will still keep your data safe. What makes a good backup? It must be kept current, either by frequent runs or continuous backup. Most ransomware will encrypt any drive that is accessible to the infected computer, so your backup must not be connected directly. The easiest way to do this is with a reputable cloud backup service, not a cloud storage service. Cloud storage services, such as Dropbox or OneDrive, will not provide a full restore. They can help, but a regular backup is more likely to completely restore your system.

Using backups, Methodist Hospital in Kentucky was able to recover from a ransomware attack that put the hospital into an internal state of emergency for four days. They did not pay the demanded ransom.

In a Pig’s Eye

If you have a reliable backup, when the ransom demand appears, raise your right hand in a fist and shout out “in a pig’s eye,” completely reinstall your OS to get rid of the malware, restore your data files from your backup, and return to normal. You might not need to completely reinstall, but reinstalling is a sure way to remove all malware. You will have to update and patch the system. That will probably be automatic, but you should check.

Memory On the Task List

Memory usage is another column on the task list that can help you understand what is happening under the hood of your computer. In my last blog, I wrote about CPU usage. Memory is similar to CPU in that it is a critical resource that affects computer performance and it can help evaluate malware on your system.

The Role of Memory

Without memory, often called RAM, your computer has Alzheimer’s. It may have the fastest processor in the world and the coolest programs, but it won’t do anything unless it can keep track of where it is at. The processor pulls an instruction from memory, executes it, and puts the result back into memory to use later. Without memory, a processor doesn’t know what to do next or what it has already done; it is nearly useless.

Memory vs Storage

Memory has to be as fast as the processor or the processor has to wait for data and instructions to be fetched from memory and results to be stored in memory for later use. Using present technology, the fastest memory is volatile. By volatile, I don’t mean memory is liable to fly off the handle and jet to Maui without provocation. Instead, data stored in volatile memory flys to Maui, as far as I know, when the electricity is switched off. In any case, it disappears.

Speed and volatility make memory different from storage. Data that stays around between computing sessions resides in storage, which is useful, but not when speed is the main consideration. Usually storage is on a hard disk. Hard disks are much slower than memory chips, but they store more data at less expense and they are not volatile. In other words, powering down does not affect data stored on a disk.

As processors get faster, memory must also get faster and speed is expensive. This makes memory a scarce and expensive commodity on computers. A laptop with 4 gigabytes of memory and a terabyte of storage has 400 times more storage than memory. At today’s prices, 1 gigabyte of memory costs about the same as 200 gigabytes of storage. Speed costs.

Performance and Memory

Memory is precious, but it performs. When developers have to make a process run faster, one way is to change the code to use memory instead of disk storage. If the developers go overboard and use more memory than the system has available, their optimization backfires. When the system starts to run out of memory, it moves data from memory to slower disk storage and the system begins to bog down as the processor waits for the slow moving data. The same thing happens when several heavy memory consuming processes run at the same time.

Memory Hogging

There are many reasons for heavy memory consumption. One I already mentioned— a process has been designed to consume more memory in order to perform well. Processes running above their designed capacity can also use extra memory. For example, a process designed to support ten simultaneous users might use much more memory if it is supporting a hundred users. Sometimes excess memory usage comes from defective code. A “memory leak” is a classic defect that causes processes to consume more and more memory the longer the process stays running.

Whatever the reason, when memory consumption reaches beyond the optimal level for your computing device, performance will slooooow. The cursor may get jerky. The keyboard will seem to hang, then spit out a clump of characters. When you attempt to start something new, there is a long pause. Nothing works right. Not pleasant. Not pleasant at all.

Memory Shortage Diagnostics

The task list is the first tool I use to determine if I have a memory shortage and what is causing it.

On Windows 10, a convenient way to get to the task list is to right click on the Windows icon in the lower left-hand corner of the screen. The task list will be below the line not too far from the center of the menu. Click on it.

You will get something like this.

In this snapshot, 55% of available fast memory is in use. That is a good number. When the percentage gets above 60%, into the 70s and 80s, your system will begin to suffer. Here, I’ve clicked on the memory column header to sort the processes by memory usage. In this case, I had Firefox up when I took this screen shot and it is the biggest memory consumer. Firefox uses a lot of memory so popping up a new screen is snappy. Therefore, I don’t mind that it is a big consumer. If one of the heavy hitters was an application that I was not using, I would shut it down to free up memory for a performance boost.

Memory Hogging Malware

If a memory-hogging process happens to be malware, it’s bad. You seldom know what the malware is doing. It could be generating spam or sending large quantities of messages to a server that the hacker is trying to overwhelm. It could, perish the thought, be encrypting your files, preparing to demand ransom for their return. Hogging memory is not the only way malware can slow your computer, but it is one way.

As I mentioned in my previous blog, I Google a process name if I am not familiar with it. Usually it is a Windows internal process I don’t know about, but sometimes it will show up as malware.

Emergency Measures

Now we get into some risky stuff that could force you to restore your system, but could also avoid restoring the system. You will have to decide for yourself how much risk you are willing to take, and own the results.

Removing the executable file of the malware can stop the malware’s damage. If you want to remove the file from the system, right click on the process name in the task list, the click on “open file location.” From there, you can delete the executable, but you should think about that before jumping in.

It is always better to remove an application through “Uninstall or change a program” in the Control Panel if you can. Removal is often more complicated that removing a single file. Sometimes configuration files and registries have to be modified and several files deleted. The uninstall in Control Panel is supposed to clean up everything, and, unless the author of the uninstall was sloppy, it always does.

For malware, there usually is no uninstall. If an anti-virus tool detects malware, it will do a better job of uninstalling than you can do manually. So try an anti-virus scan of the malware executable file. If scan finds and eradicates the malware, you win!

Manual Kill

However, if the scan fails and there is no uninstall, I delete any malware files I can find. Deleting the wrong file by mistake will not harm your hardware, but it could require reinstalling your operating system and restoring from a backup. (Highly unpleasant.) However, in my opinion, if your system is already damaged by malware, deleting will probably do no more damage than has already been done and may stop the damage. Therefore, when all else fails, I usually choose to delete immediately to limit the damage. This is a risk I am willing to take, but it is a risk.

If the malware is clever (bad!) it may regenerate the file you deleted. Also, deleting a file out from under a running process may not kill the process, so you will have to hit the end task button to kill it.

Manual Kill Checklist
  • Verify that the process is malware
  • Run a virus scan on the file and let the anti-virus take care of it
  • Check “Uninstall or change a program” in the Control Panel on the off chance you can uninstall it there
  • If all else fails, try killing it with the “End Task” button and deleting the file

Good luck! You could save the day for yourself. Or ruin it. I’ve seen it both ways.