Ending Ransomware | TechSNAP 275

A potential solution to Ransomware, the 15 year bug that cost CitiGroup $7 Million dollars, Dropbox’s new middle out compression & another flaw that affects all versions of Windows.

Plus your questions, our answers, a packed roundup & more!

Show Notes:

CitiGroup hit with $7 million fine over software bug dating back to 1999

  • CitiGroup, a large US financial institution, is being fined for failing to report properly to the US Securities and Exchange Commission (SEC)
  • According to the SEC, the error [PDF] resulted in the financial regulator being sent incomplete “blue sheet” information for a remarkable 15 years – from May 1999 to April 2014.
  • The bank was required to send details of all stock transactions, and due to a bug, a number of branches were never included in those reports
  • The details are quite amusing
  • “The mistake was discovered by Citigroup itself when it was asked to send a large but precise chunk of trading data to the SEC in April 2014 and asked its technical support team to help identify which internal ID numbers they should run a request on.”
  • “That team quickly noticed that some branches’ trades were not being included in the automated system and alerted those above them. Four days later a patch was in place, but it wasn’t until eight months later that the company received a formal report noting that the error had affected SEC reports going back more than a decade. The next month, January 2015, Citigroup fessed up to the SEC.”
  • “It turned out that the error was a result of how the company introduced new alphanumeric branch codes. When the system was introduced in the mid-1990s, the program code filtered out any transactions that were given three-digit branch codes from 089 to 100 and used those prefixes for testing purposes.”
  • So any transaction with a branch code in that range was treated as test data and never reported to the SEC
  • “But in 1998, the company started using alphanumeric branch codes as it expanded its business. Among them were the codes 10B, 10C and so on, which the system treated as being within the excluded range, and so their transactions were removed from any reports sent to the SEC.”
  • “The SEC routinely sends requests to financial institutions asking them to send all details on transactions between specific dates as a way of checking that nothing untoward is going on. The coding error had resulted in Citigroup failing to send information on 26,810 transactions in over 2,300 such requests.”
  • “The SEC was not impressed and said in a statement announcing the fine that the “failure to discover the coding error and to produce the missing data for many years potentially impacted numerous Commission investigations.””
  • “Broker-dealers have a core responsibility to promptly provide the SEC with accurate and complete trading data for us to analyze during enforcement investigations,” said Robert Cohen, co-chief of the SEC enforcement division’s market abuse unit. “Citigroup did not live up to that responsibility for an inexcusably long period of time, and it must pay the largest penalty to date for blue sheet violations.”
  • $7 million seems like a relatively small fine for such a large screw-up, but the omission does not appear to have been malicious.
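
The failure above is what happens when a numeric range filter keeps being applied to identifiers that are no longer purely numeric. As an added example (not the SEC order's description of Citigroup's code; the exact comparison it used is not on this page), the Python below reconstructs one way such a filter goes wrong: the "test data" check written as a plain string comparison against "089".."100". Which alphanumeric codes land inside that range depends on the character set, and the EBCDIC (cp037) ordering, where letters sort before digits, is an assumption of this example. The hardened version applies the numeric range only to all-digit codes and routes everything else to a review bucket instead of silently dropping it. The codes in SAMPLE_BRANCHES are constructed.

```python
"""Added example (not Citigroup's or the SEC's code): a test-data filter written
as a string range comparison, why it misclassifies alphanumeric codes, and a
fail-closed replacement."""
from typing import Iterable, List, Optional, Tuple

TEST_BRANCH_RANGE = ("089", "100")   # codes reserved for test data, per the show notes

# Constructed sample: numeric codes plus the alphanumeric ones introduced later.
SAMPLE_BRANCHES = ["001", "089", "095", "100", "101", "10B", "10C", "09A", "ABC"]


def is_test_branch_legacy(code: str, codec: str = "cp037") -> bool:
    """Range check done as a byte-string comparison in the host's collation.
    In ASCII digits sort before letters; in EBCDIC (cp037) letters sort before
    digits, so '10B' falls between '089' and '100' there.  That the original
    system used EBCDIC is this example's assumption, not a fact from the page."""
    lo, hi = (bound.encode(codec) for bound in TEST_BRANCH_RANGE)
    return lo <= code.encode(codec) <= hi


def is_test_branch_strict(code: str) -> Optional[bool]:
    """Hardened check: only a three-character all-digit code is eligible for the
    numeric test range.  Anything else returns None so the caller has to decide
    explicitly rather than the record quietly vanishing from the report."""
    if len(code) == 3 and all("0" <= ch <= "9" for ch in code):
        lo, hi = (int(bound) for bound in TEST_BRANCH_RANGE)
        return lo <= int(code) <= hi
    return None


def partition_for_report(codes: Iterable[str]) -> Tuple[List[str], List[str], List[str]]:
    """Split codes into (report, test, review).  Every input lands in exactly one
    bucket, which is the property a reconciliation control should assert."""
    report, test, review = [], [], []
    for code in codes:
        verdict = is_test_branch_strict(code)
        if verdict is None:
            review.append(code)
        elif verdict:
            test.append(code)
        else:
            report.append(code)
    return report, test, review


def silently_dropped(codes: Iterable[str], codec: str = "cp037") -> List[str]:
    """Codes the legacy filter excludes that are not genuine numeric test codes."""
    return [c for c in codes
            if is_test_branch_legacy(c, codec) and is_test_branch_strict(c) is not True]


if __name__ == "__main__":
    for codec in ("ascii", "cp037"):
        print(f"{codec}: legacy filter silently drops {silently_dropped(SAMPLE_BRANCHES, codec)}")
    report, test, review = partition_for_report(SAMPLE_BRANCHES)
    print("report:", report, "test:", test, "needs review:", review)
```

Note that the string comparison is wrong under ASCII too ("09A" is swallowed), so the real defence is not picking the right collation but refusing to range-check anything that is not in the expected format, and reconciling the counts of reported plus excluded records against the input.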

New system to detect ransomware by looking at filesystem patterns

  • “Our system is more of an early-warning system. It doesn’t prevent the ransomware from starting … it prevents the ransomware from completing its task … so you lose only a couple of pictures or a couple of documents rather than everything that’s on your hard drive, and it relieves you of the burden of having to pay the ransom,” said Nolen Scaife, a UF doctoral student and founding member of UF’s Florida Institute for Cybersecurity Research.
  • “Attacks most often show up in the form of an email that appears to be from someone familiar. The recipient clicks on a link in the email and unknowingly unleashes malware that encrypts his or her data. The next thing to appear is a message demanding the ransom, typically anywhere from a few hundred to a few thousand dollars.”
  • “It’s an incredibly easy way to monetize a bad use of software,” said Patrick Traynor, an associate professor in UF’s department of computer and information science and engineering at UF and also a member of the Florida Institute for Cybersecurity Research. He and Scaife worked together on developing CryptoDrop.
  • “We ran our detector against several hundred ransomware samples that were live,” Scaife said, “and in those cases it detected 100 percent of those malware samples and it did so after only a median of 10 files were encrypted.”
  • “About one-tenth of 1 percent of the files were lost,” Traynor said, “but the advantage is that it’s flexible. We don’t have to wait for that anti-virus update. If you have a new version of your ransomware, our system can detect that.”
  • Video – Extortion extinction: Ransomware
  • It seems like it would be fairly trivial to detect the pattern that ransomware uses. I imagine most ransomware creates a new file named original.ext.locked, then encrypts the contents of the original file, then removes the original
  • It is possible newer ransomware could use new patterns, like renaming files and overwriting in place, or encrypting files in random order instead of walking the directory tree, to make it harder to detect
  • Additional Coverage: Phys.org
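
The notes above guess at the write-encrypted-copy-then-delete pattern and at the in-place variant. As an added example, not CryptoDrop's code (its indicators and thresholds are not on this page), the Python below scores a stream of constructed file events on a few cheap indicators (high-entropy content, a ransom-style extension, deletion of an original whose encrypted sibling was just written, and an in-place overwrite of a low-entropy file with high-entropy data) and raises an alert once the accumulated score crosses a threshold. The number of files damaged at that moment is the "couple of documents" the approach accepts losing. The extensions, point values and threshold are this example's assumptions.

```python
"""Added example, not CryptoDrop's code: an early-warning monitor that scores
filesystem events and trips after a few files rather than after all of them."""
import hashlib
import math
import os
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SUSPECT_EXTS = {".locked", ".encrypted", ".crypt"}  # assumed ransom suffixes; real families vary
HIGH_ENTROPY = 7.0   # bits/byte; ciphertext sits near 8, but so do archives and JPEGs


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a repeated byte, about 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pseudo_ciphertext(label: str, size: int = 4096) -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for encrypted output."""
    out, block = bytearray(), label.encode()
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])


@dataclass
class FileEvent:
    op: str             # "write" (create or modify) or "delete"
    path: str
    data: bytes = b""   # bytes written; empty for deletes


@dataclass
class EarlyWarning:
    """Accumulates indicator points per event; alerts once `threshold` is reached."""
    threshold: int = 10
    score: int = 0
    alerted_at: Optional[int] = None
    known_entropy: Dict[str, float] = field(default_factory=dict)
    encrypted_copies: Set[str] = field(default_factory=set)  # originals with a ransom-suffixed sibling
    damaged: Set[str] = field(default_factory=set)

    def observe(self, seq: int, ev: FileEvent) -> int:
        points = 0
        if ev.op == "write":
            entropy = shannon_entropy(ev.data)
            stem, ext = os.path.splitext(ev.path)
            if entropy > HIGH_ENTROPY:
                points += 1                                # weak alone: benign archives score too
                if ext.lower() in SUSPECT_EXTS:
                    points += 1                            # ciphertext under a ransom extension
                    self.encrypted_copies.add(stem)        # report.docx.locked -> report.docx
                previous = self.known_entropy.get(ev.path)
                if previous is not None and previous < HIGH_ENTROPY - 1.0:
                    points += 2                            # plaintext overwritten in place
                    self.damaged.add(ev.path)
            self.known_entropy[ev.path] = entropy
        elif ev.op == "delete" and ev.path in self.encrypted_copies:
            points += 2                                    # original removed after encrypted copy
            self.damaged.add(ev.path)
        self.score += points
        if self.alerted_at is None and self.score >= self.threshold:
            self.alerted_at = seq
        return points


def run_detector(events: List[FileEvent], threshold: int = 10) -> Tuple[Optional[int], int]:
    """Feed events until the alert fires (where a real system would suspend the
    process).  Returns (index of the alerting event or None, files damaged by then)."""
    monitor = EarlyWarning(threshold=threshold)
    for seq, ev in enumerate(events):
        monitor.observe(seq, ev)
        if monitor.alerted_at is not None:
            break
    return monitor.alerted_at, len(monitor.damaged)


# Constructed event streams for the example.
PLAINTEXT = b"Quarterly report: nothing unusual to see here.\n" * 100

def benign_events() -> List[FileEvent]:
    return [FileEvent("write", "notes.txt", PLAINTEXT),
            FileEvent("write", "backup.zip", pseudo_ciphertext("zip")),
            FileEvent("write", "photo.jpg", pseudo_ciphertext("jpg"))]

def copy_then_delete_events() -> List[FileEvent]:
    """The pattern guessed in the show notes: write original.ext.locked, delete original."""
    events = benign_events()
    for i in range(1, 7):
        events.append(FileEvent("write", f"doc{i}.docx.locked", pseudo_ciphertext(f"doc{i}")))
        events.append(FileEvent("delete", f"doc{i}.docx"))
    return events

def overwrite_in_place_events() -> List[FileEvent]:
    """The harder variant: plaintext rewritten in place, no rename and no delete."""
    events = [FileEvent("write", f"doc{i}.docx", PLAINTEXT) for i in range(1, 7)]
    events += [FileEvent("write", f"doc{i}.docx", pseudo_ciphertext(f"ip{i}")) for i in range(1, 7)]
    return events


if __name__ == "__main__":
    for name, stream in [("benign", benign_events()), ("copy+delete", copy_then_delete_events()),
                         ("in-place", overwrite_in_place_events())]:
        print(name, "-> alert at event %s, files lost: %d" % run_detector(stream))
```

Entropy alone is a poor signal (archives, JPEGs and already-encrypted files all look like ciphertext), which is why it earns a single point here and the alert needs corroborating structure: the ransom suffix, the delete of the matching original, or the jump from a low-entropy to a high-entropy version of the same path. That last indicator is what catches the overwrite-in-place variant, and because scoring is per event rather than per directory, encrypting files in a random order does not buy the attacker anything against it.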

Dropbox open sources Lepton image compression algorithm, save 22% by losslessly compressing JPEGs

  • “Lepton achieves a 22% savings reduction for existing JPEG images, by predicting coefficients in JPEG blocks and feeding those predictions as context into an arithmetic coder. Lepton preserves the original file bit-for-bit perfectly. It compresses JPEG files at a rate of 5 megabytes per second and decodes them back to the original bits at 15 megabytes per second, securely, deterministically, and in under 24 megabytes of memory.”
  • Speed seems very slow: compression runs at 5 MB/s and decompression at 15 MB/s
  • It is not clear whether the encoding can be multithreaded across many cores to increase speed, as xz can. In most cases you would be dealing with many image files at once and could process them in parallel, but even then, that per-file throughput is quite slow
  • “We have used Lepton to encode 16 billion images saved to Dropbox, and are rapidly recoding our older images. Lepton has already saved Dropbox multiple petabytes of space.”
  • The article has a very good description of how JPEG encoding works
  • “The DC coefficient (brightness in each 8×8 block) takes up a lot of room (over 8%) in a typical iPhone photograph so it’s important to compress it well. Most image formats put the DC coefficients before any AC coefficients in the file format. Lepton gets a compression advantage by coding the DC as the last value in each block. Since the DCs are serialized last, there is a wealth of information from the AC coefficients available to predict the DC coefficient. By defining a good and reproducible prediction, we can subtract the actual DC coefficient from the predicted DC coefficient, and only encode the delta. Then in the future we can use the prediction along with the saved delta to get the original DC coefficient. In almost all cases, this technique results in a significantly reduced number of symbols to feed into our arithmetic coder.”
  • “Lepton can decompress significantly faster than line-speed for typical consumer and business connections. Lepton is a fully streamable format, meaning the decompression can be applied to any file as that file is being transferred over the network. Hence, streaming overlaps the computational work of the decompression with the file transfer itself, hiding latency from the user.”
  • Because it can be streamed, mobile devices could work via a proxy that compresses all JPEG content before transmitting it to the device; an application on the device would then decompress it and display the resulting JPEG
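
The DC-coefficient paragraph above describes the core of the trick: a reproducible prediction, with only the difference between prediction and actual value stored. As an added example, not Lepton's code, the Python below applies that contract to a constructed grid of DC coefficients. Lepton predicts each DC from the block's AC coefficients; the page does not give that predictor, so this example substitutes the JPEG-LS median edge detector over neighbouring DCs. The point it demonstrates is the same: prediction must be integer-only and deterministic, the decoder re-runs the identical prediction on already-decoded values, and the result is bit-for-bit the original, with far fewer distinct symbols for the entropy coder to model.

```python
"""Added example, not Lepton's code: lossless prediction + residual coding of
the DC coefficients of a grid of 8x8 JPEG blocks, using a neighbour predictor
(JPEG-LS MED) in place of Lepton's AC-based one."""
from typing import List


def med_predict(left: int, above: int, above_left: int) -> int:
    """Median edge detector.  Integer-only on purpose: a float predictor could
    differ by one ULP between encoder and decoder builds and silently corrupt output."""
    if above_left >= max(left, above):
        return min(left, above)
    if above_left <= min(left, above):
        return max(left, above)
    return left + above - above_left


def predict_at(grid: List[List[int]], r: int, c: int) -> int:
    """Prediction for position (r, c) from already-known neighbours only."""
    if r == 0 and c == 0:
        return 0
    if r == 0:
        return grid[0][c - 1]
    if c == 0:
        return grid[r - 1][0]
    return med_predict(grid[r][c - 1], grid[r - 1][c], grid[r - 1][c - 1])


def encode_dc(grid: List[List[int]]) -> List[int]:
    """Raster-order residuals (actual - predicted); these would feed the arithmetic coder."""
    return [actual - predict_at(grid, r, c)
            for r, row in enumerate(grid) for c, actual in enumerate(row)]


def decode_dc(residuals: List[int], width: int) -> List[List[int]]:
    """Rebuild the grid; the predictor sees exactly the values the encoder saw."""
    grid: List[List[int]] = []
    for i, delta in enumerate(residuals):
        r, c = divmod(i, width)
        if c == 0:
            grid.append([])
        grid[r].append(predict_at(grid, r, c) + delta)
    return grid


def sample_dc_grid(size: int = 8) -> List[List[int]]:
    """Constructed DC values: a brightness ramp with small texture, not a real photo."""
    return [[100 + 6 * r + 3 * c + (7 * r + 13 * c) % 5 - 2 for c in range(size)]
            for r in range(size)]


def symbol_count(values: List[int]) -> int:
    """Distinct symbols the entropy coder has to model; fewer is cheaper."""
    return len(set(values))


if __name__ == "__main__":
    grid = sample_dc_grid()
    residuals = encode_dc(grid)
    assert decode_dc(residuals, len(grid[0])) == grid      # bit-exact round trip
    print("raw symbols:", symbol_count([v for row in grid for v in row]),
          "residual symbols:", symbol_count(residuals))
```

The first residual is the raw value of the top-left block (nothing to predict from); every later one is small because the ramp is predictable. Any divergence between the encoder's and decoder's predictor, including platform-dependent floating point, breaks the "preserves the original bit-for-bit" guarantee, which is why a format like this is tied to integer arithmetic and a fixed evaluation order.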

Flaw in Windows Printing subsystem affects all versions of Windows

  • “A remote code execution vulnerability exists when the Windows Print Spooler service does not properly validate print drivers while installing a printer from servers. An attacker who successfully exploited this vulnerability could use it to execute arbitrary code and take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
  • “Most organizations try to apply the principle of least privilege to the devices in their networks. This works pretty well for things like laptops or desktops since the hardware they use doesn’t change that often. However printers are a bit different. While they still need drivers, printers need to support virtually any user that wants to connect to them. As end-users move through a building, they naturally want to use the printer closest to them. Mobile users expect to be able to easily connect and use a printer when they come into the office. In addition, most organizations don’t standardize on a single printer, and will have multiple models and manufacturers often within a single network.”
  • “So instead of having system administrators push all possible printer drivers to all workstations in the network, the solution was to develop a way to deliver the driver to a user device right before the printer is used. And this is where Point-and-Print showed up. This approach stores a shared driver on the printer or print server, and only the users of that printer receive the driver that they need. At first glance, this is a practical and simple solution to driver deployment. The user gets access to the printer driver they need without requiring an administrator – a nice win-win.”
  • “By default, in corporate networks, network admins allow printers to deliver the necessary drivers to workstations connected to the network. These drivers are silently installed without any user interaction and run under the SYSTEM user, with all the available privileges.”
  • The researchers dissected a firmware update for an existing printer and modified it to infect Windows clients that load its driver with malware
  • The malware gave them access to the target Windows client as the SYSTEM user
  • They detail a number of other ways this vulnerability could be exploited:
      • Watering hole attacks:
          • Backdooring an existing printer or print server
              • Microsoft print server: driver path: c:\windows\system32\spool\drivers*\3...
              • Linux/BSD CUPS server: check for the print$ driver share in the configuration
          • Multiple vendors support Point-and-Print on the printer itself: re-flash the printer with backdoored drivers
          • Create a fake print server and broadcast it with auto discovery
      • Privilege escalation:
          • Use Add Printer as a privilege escalation mechanism to get SYSTEM access
          • MITM attack on the printer, injecting the backdoored driver instead of the real one
      • Going more global with IPP and webpnp: send users an email with a link; when clicked, it attempts to connect to the (fake?) printer in question, and the driver ends up installed on the target computer
  • There is more detail in the blog post about infecting a computer remotely
  • Researcher blog post
  • Microsoft released a fix for this vulnerability as part of the July Patch Tuesday release
  • Official Microsoft Bulletin
  • Additional Coverage: Softpedia
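
The quoted paragraphs explain why Point-and-Print exists and that, in the configuration the article describes, drivers from any print server are installed silently as SYSTEM. As an added example, not Windows code and not from the researchers' post, the Python below models the "Point and Print Restrictions" policy values that control that behaviour and evaluates the same connection attempt under the permissive setup and a hardened one (server allowlist plus a warning and elevation prompt for every new driver and every update). The registry value names are the real ones; the decision logic is this example's reading of the policy's own description text, and the InForest option is left out. The server names are constructed.

```python
"""Added example, not Windows code: a model of the Point and Print Restrictions
policy, showing the permissive setup the article describes beside a hardened one."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class PointAndPrintPolicy:
    """Values under HKLM\\Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint.
    The names are the real policy values; evaluate() is this example's reading of
    their documented meaning, not the spooler's implementation."""
    restricted: Optional[bool] = None   # Restricted: None = not configured, False = disabled, True = enabled
    trusted_servers: bool = False       # TrustedServers: only allow servers listed in ServerList
    server_list: List[str] = field(default_factory=list)  # ServerList: FQDNs, semicolon-separated in the registry
    no_warning_no_elevation_on_install: bool = False      # NoWarningNoElevationOnInstall
    update_prompt_settings: int = 0     # UpdatePromptSettings: 0 warn + elevate, 1 warn only, 2 silent


def evaluate(policy: PointAndPrintPolicy, server: str, is_update: bool = False) -> Tuple[str, str]:
    """What happens when a user connects to `server` and it offers a driver.
    Returns (decision, reason), decision in {"install", "prompt", "deny"}."""
    if policy.restricted is None:
        return "prompt", "not configured: any server allowed, warning and elevation shown"
    if policy.restricted is False:
        return "install", "disabled: any server allowed, no warning, no elevation"
    if policy.trusted_servers:
        allowed = {s.strip().lower() for s in policy.server_list}   # FQDN match is case-insensitive
        if server.strip().lower() not in allowed:
            return "deny", f"{server} is not in ServerList"
    if is_update:
        return {0: ("prompt", "driver update: warning and elevation"),
                1: ("install", "driver update: warning only"),
                2: ("install", "driver update: silent")}[policy.update_prompt_settings]
    if policy.no_warning_no_elevation_on_install:
        return "install", "new connection: silent driver install"
    return "prompt", "new connection: warning and elevation"


def corporate_silent_policy() -> PointAndPrintPolicy:
    """The setup the article describes: drivers arrive silently from any print server."""
    return PointAndPrintPolicy(restricted=False)


def hardened_policy(trusted: List[str]) -> PointAndPrintPolicy:
    """Allowlist of print servers, and a prompt for every new driver and every update."""
    return PointAndPrintPolicy(restricted=True, trusted_servers=True, server_list=trusted,
                               no_warning_no_elevation_on_install=False, update_prompt_settings=0)


def compare(server: str, trusted: List[str]) -> Tuple[str, str]:
    """Decisions for the same server under the silent and the hardened policy."""
    return evaluate(corporate_silent_policy(), server)[0], evaluate(hardened_policy(trusted), server)[0]


if __name__ == "__main__":
    trusted = ["print1.corp.example"]
    for server in ["print1.corp.example", "rogue-printer.corp.example"]:
        print(server, "silent vs hardened:", compare(server, trusted))
    # The article's watering-hole case: an allowlist does nothing against a
    # backdoored server that is on the list if installs stay silent.
    lax = hardened_policy(trusted)
    lax.no_warning_no_elevation_on_install = True
    print("backdoored trusted server, silent installs:", evaluate(lax, "print1.corp.example"))
```

The allowlist closes the fake-server, auto-discovery and phishing-link paths, but not the watering hole on a legitimate print server listed in ServerList: the only thing standing between that server's driver package and SYSTEM on every client is the elevation prompt, so switching it off for convenience hands the server operator (or whoever has compromised it) code execution on the fleet.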
