Cross-Platform Hash Comparison to Detect Ransomware - Backup Software Hole?
MacDefender wrote (post 978234):

The problem is you can't easily mount those encrypted volumes from Linux. BitLocker uses the TPM, and the TPM keys are derived from Secure Boot measurements of the Windows boot loader and kernel. If you boot into a different OS like Linux, the TPM is unable to give you the OS-specific key and you cannot unlock the volume.

On top of that, this would require a long interruption to the user's activity to boot into a different OS, and most of the time this wouldn't be well tolerated.

The attacker can still use features like volume shadow copies and NTFS junction points to create encrypted copies of all your files or upload them to a remote server, such that you don't see any on-disk changes that matter, and then suddenly delete all of your original files one day.

Well, how do you scale this to, say, a company of Microsoft's size? Are you hiring humans to look at modified files in backups? What about formats like SQLite databases or health records which are harder to inspect for changes?

Ransomware operators are good at avoiding protection mechanisms that their targets use. It's not that the software is losing, it's that all of these techniques are challenged when a group of 500+ qualified engineers in Russia are hell-bent on compromising your data.

There's nothing that would stop ransomware from disabling or modifying the software that verifies your backups, or subtly creating a bunch of false positives by adding a ton of harmless changes until your verifier gets exhausted by false positives, and then it deletes the original files.

The biggest problem is not that ransomware is somehow impossible to detect or stop. It's more that the cost and effort budget of real-world IT departments is quite limited and, over time, everyone lets their guard down.
Most postmortems of big ransomware breaches have shown that there were obvious and preventable problems that led to the attack (particularly failing to patch exploitable vulnerabilities in a reasonable amount of time).
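The thread title asks whether comparing file hashes between backup snapshots can catch ransomware. The script below is an added example to make the mechanics of that idea concrete; it is not MacDefender's code and not taken from any backup product. It builds a SHA-256 manifest of two snapshot directories, lists what changed, and flags changed files whose contents jumped into the high-entropy band that encrypted output occupies. The snapshot contents, the 7.5 bits/byte threshold and the chained-hash stand-in for ciphertext are all constructed for the demo. A `noise_files` knob reproduces the "bury it in harmless churn" tactic from the post: the count of changed files balloons while the entropy filter still isolates the one rewritten file.

```python
"""Compare SHA-256 manifests of two backup snapshots and flag changed files
whose contents now look encrypted. Added example for this thread; not
MacDefender's code nor any product's. All sample data is constructed here."""
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5  # bits/byte; encrypted or compressed data sits near 8.0 (assumed cutoff)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map relative POSIX path -> SHA-256 hex for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def compare_snapshots(old_root: Path, new_root: Path) -> dict:
    old, new = build_manifest(old_root), build_manifest(new_root)
    changed = sorted(p for p in old if p in new and old[p] != new[p])
    suspicious = []
    for rel in changed:
        before = shannon_entropy((old_root / rel).read_bytes()[:65536])
        after = shannon_entropy((new_root / rel).read_bytes()[:65536])
        # Flag a jump into the encrypted-looking band. A file that was already
        # compressed (zip, jpeg) never trips this: a known blind spot.
        if after >= ENTROPY_THRESHOLD and before < ENTROPY_THRESHOLD:
            suspicious.append(rel)
    return {"changed": changed,
            "removed": sorted(set(old) - set(new)),
            "added": sorted(set(new) - set(old)),
            "suspicious": suspicious}


def _write(root: Path, rel: str, data: bytes) -> None:
    p = root / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data)


def _pseudo_ciphertext(n: int) -> bytes:
    """Deterministic stand-in for encrypted output: chained SHA-256 blocks."""
    out, block = b"", b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def demo(noise_files: int = 0) -> dict:
    """Build two constructed snapshots in a temp dir and compare them.
    noise_files extra harmless edits model an attacker hiding one real
    rewrite inside a flood of benign changes."""
    with tempfile.TemporaryDirectory() as d:
        old, new = Path(d, "old"), Path(d, "new")
        for root in (old, new):
            _write(root, "docs/report.txt", b"quarterly report, nothing unusual\n" * 200)
            _write(root, "docs/notes.txt", b"meeting notes\n" * 100)
            _write(root, "db/app.sqlite", b"SQLite format 3\x00" + b"\x00" * 4000)
            for i in range(noise_files):
                _write(root, f"logs/log{i}.txt", b"line\n" * 50)
        _write(old, "docs/old.txt", b"to be deleted\n")            # only in old snapshot
        _write(new, "docs/notes.txt", b"meeting notes\n" * 100 + b"added a line\n")  # legitimate edit
        _write(new, "db/app.sqlite", _pseudo_ciphertext(4096))     # ransomware-style rewrite in place
        for i in range(noise_files):                               # attacker churn: harmless appends
            _write(new, f"logs/log{i}.txt", b"line\n" * 50 + b"one more\n")
        return compare_snapshots(old, new)


if __name__ == "__main__":
    print("quiet:", demo())
    print("noisy:", demo(noise_files=100))
```

Two caveats follow directly from the post. First, the entropy check is a heuristic: an attacker who churns files that are already compressed, or who encrypts copies elsewhere and deletes the originals later, never produces the "low to high" jump this looks for. Second, the comparison is only as trustworthy as the host running it; a verifier on the same machine the ransomware controls can be disabled or fed forged manifests, so the old manifest should come from an offline or append-only store.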