Tuesday, 9 June 2015

Protecting against ransomware - is this possibly a different way of thinking about it in the SOHO space?

Recently my folks got an email from their ISP (Westnet) scaring them, thinking they'd been hacked (it turns out an old Westnet user database had been compromised, along with cleartext usernames and passwords... oopsies?).

Before I figured out what it was, I was thinking suspicious activity had been detected on their accounts and was worried about whether or not they'd backed up recently... then my thoughts turned to cryptoware and how it basically spreads out to whatever it touches and encrypts everything (had someone else hit by a bug recently - and I'm moving them and their formerly Windows XP computer to Lubuntu as they only need Windowsish looking email, web browsing and printing).

Anyway.. long setup aside, I was thinking, that perhaps the best way to deal with backups and cryptoware, was to have the system that needed to be backed up make itself available to an authorised backup storage provider by some restricted and secured means (over a LAN or encrypted link). That backup storage provider could be prodded by the client system to perform a pull, but the client would never have direct, unrestricted access to the backup server's archives.
Most cryptoware, when it's in its initial stages, will, when beginning to encrypt everything, transparently decrypt it on request such that the user doesn't know it's happening until the encryption is complete and the software can hit the user up for ransom.

Arguably speaking, that transparent decryption would cover any application accessing user data, including the backup system pushing the data out over the network or whatever connectivity means (I mean, presumably ransomware isn't going to stop someone emailing something, so unless it could identify the backup software..).

Then, as a means of detecting whether or not a given system has been attacked, a "canary file" or files, nominated by the user, but not in any way "configured" on the client, and backed up along with all the user's other files. Something like a Word document, or a text document, or an Excel document.. whatever.. The backup system, separately, would be instructed to check this file every time a backup runs, and if it's been touched or corrupted (perhaps, it might be a file check, or a spell check, or just a checksum to see if any change), and if it has, to alert the user by alternate means (email, SMS etc.), ensuring that any backup rotations/data deduplication maintains at least the last snapshot prior to the alert until the data's been verified. One could also randomly sample backed up files, to check that if they're known data formats, that they still comply with that document format.

I'm thinking, some linux based system could easily play the server..  presenting a web based interface of some sort or being remotely managed as a service or being a cloud service.. perhaps managed from someone's phone (arguably separate to their desktop and these days not always tethered to their computer, but connected via cloud services for syncing). Lord knows I have enough old iron floating about my garage to whip up something suitable for at least my folks :) ... and this could easily be added to the more intelligent SOHO NAS units out there (provided the security was done right - there's the kicker).

I wonder.. surely.. there's gotta be stuff out there like this already?  Eg. Backup dropboxes ... perhaps the "canary" element is new?

Has anyone ever implemented something like this?

No comments:

Post a Comment