9.9.16

Grace Hopper: Computer bugs & the language of programming


So, the story goes something like this. In 1947, in Virginia, US, an error was spotted on the Harvard Mark II, one of the first programmable computers in the world. A team went to investigate, discovering that a moth had been caught between a relay in a machine. It was subsequently removed and taped to a logbook, with the following message accompanying it: “First actual case of bug being found.”
US Navy Rear Admiral Grace Hopper, who worked on this machine, was so fond of this story that she would often recount it to friends, colleagues and acquaintances, so much so that over the years she became inextricably linked to the idea of computer bugs, debugging and bugs in the machine. And so, in addition to being one of the foremost pioneers of the computer age, she also coined one (or some) of the most well-known phrases.
Except she didn’t. In what is one of the greatest misattributions in computing (programming, in particular), the actual use of bug to “describe a technical problem” precedes Hopper’s use considerably.
This “moth myth”, as Fred R. Shapiro described it in his 1987 Etymology of the Computer Bug: History and Folklore, “is rapidly becoming the most popular item of etymological folklore of our time”. While Shapiro didn’t discount the discovery of an actual moth in 1947, he believes the language of debugging was in use even as far back as 1889 (attributed to the American inventor Thomas Edison).
Whatever you believe about this particular story, what is certain is Hopper’s innovative efforts in computing. She was, for example, instrumental in developing the first compiler, which is a program that transforms code into a language that can be understood and executed by a computer.
Of this, she is quoted as saying: “Compiling in ’51, nobody believed that … I had a running compiler and nobody would touch it, because, they carefully told me, computers could only do arithmetic, they could not write programs. It was a selling job to get people to try it.”
Further innovations from Hopper, who in 1934 became the first woman to be awarded a PhD in maths in Yale University’s 233-year history – for her thesis New Types of Irreducibility Criteria – included writing the groundbreaking FLOW-MATIC. This was a programming language that helped take computing away from its mathematical roots (and limitations) and into a more complex and human environment. Basically, she helped computers understand English.
This was a precursor to COBOL (Common Business-Oriented Language), a transformative and subsequently ubiquitous computing language that drastically advanced on the groundwork delivered by FLOW-MATIC. As with computer bugs, Hopper is wrongly credited with developing COBOL. However, she was certainly instrumental in making a business case for it and so, accordingly, while she is often referred to as the “mother of COBOL”, the “grandmother of COBOL” is more apt.
There is much more to Hopper than this – her legacy reaches far and wide, beyond just computing. As the team behind an upcoming documentary on the programming pioneer see it – provisionally entitled Born with Curiosity – her life coincided with and contributed to “birth of the modern technology industry and the evolution of women’s roles in American society”.
One offshoot of this is the annual Grace Hopper Celebration, which has been active since it was founded in 1994 by Dr. Anita Borg and Dr. Telle Whitney. It is now the largest technical conference of its kind in the world today, designed to bring together women technologists to “learn, exchange ideas and be inspired”.
“The thing that impresses me most about Grace Hopper is that time and time again, she could have been turned away from the path she took,” ESET’s security researcher Lysa Myers reflects. “She grew up in a time when women were specifically restricted from doing much of what she wanted to do, and she was too slight to enlist without special permission. But she was undaunted. With the help of her incredible drive, passion, and creativity, she drastically changed the world of technology as we know it.”
This inquisitive character, needless to say, is also a key aspect of her legacy. As a seven-year-old child, so another popular story goes, she was intrigued by the mechanics of an alarm clock. So, curiosity piqued, she dismantled seven of them to figure out what on earth was going on underneath the timepieces. What could she learn? What could she understand about clocks? What would she change? These questions would later be applied to other challenges she faced across her personal and professional life.
“Humans are allergic to change,” she once remarked. “They love to say, ‘We’ve always done it this way.’ I try to fight that. That’s why I have a clock on my wall that runs counter-clockwise.” As she demonstrated with FLOW-MATIC, and later COBOL, nothing is impossible so long as you put your mind to it.
This quest, to go above and beyond, is how we’ve been able to get from a 51-foot long, eight-foot high, five-ton construct – the IBM Automatic Sequence Controlled Calculator (ASCC) – to something that you can put “on a little, tiny corner of a chip”. It’s remarkable, to say the least.
Hopper may not have discovered the first computer bug, coined the term debugging or written COBOL, but she did discover a real moth nonetheless and made this yarn what we remember it to be. She also made COBOL a possibility, laying new foundations for programming. Add to that her enthusiasm for programming and her aspiration to make the language of computing accessible, and it’s easy to see why she is regarded as one of the greats of the computer age.
“A ship in port is safe,” she once said. “But that’s not what ships are built for.”

8.9.16

Business security: Securing your data weak points


One of the biggest problems to overcome for business security is trying to work out what areas you need to secure: there is no manual to download or “one model fits all”. Securing your business is simply a case of looking at your potential areas for data loss and looking at the attack vectors that may apply to you, finding those weak points and then getting advice on the best ways to plug those gaps.
So where do I start? There are core tenets that will end up being repeated, but here are a few essential points to consider.
Knowledge is power
There is a wealth of knowledge available to you. Security experts and specialists are available in all shapes and sizes and exist in almost every corner of the globe. Getting advice is easy, but make sure that where possible you seek that advice from more than one source. Also bear in mind that the world of IT evolves at a huge rate, so keeping up with the latest techniques may be a challenge all in itself.
Education makes a difference
In a business environment the weakest link is the end user; the good thing is that the end user is also your strongest asset. Using your staff in the fight against cybercrime is not as daunting as it seems: teaching them about current threats and how those threats are delivered may be what stops someone from accidentally clicking a phishing link or visiting a compromised website linked from a spam email. Making staff feel an integral part of the business’s security is important in keeping the whole business safe.
Being proactive is essential
Securing your hardware and software is an ongoing task. Looking at the way data moves into, within and out of your company will give you an indication of the areas to secure. Also make sure that there is a documented procedure for when something new is added to the infrastructure: change any default passwords, update firmware and make sure the latest updates are installed and then applied regularly. Multi-layered security software is a must, installed on every endpoint and server.
Flexible working comes with risks
Letting your employees work on the road or at home means that accessing your network from all over the world has become increasingly easy and virtually a necessity. With that ease comes the potential to open up your network to abuse: lost credentials, insecure Wi-Fi connections and/or social media account hacking could all put your company at risk.
All data is valuable and desirable
Virtualization is so simple these days – ergo having a multitude of servers is easier than ever. If you’re going to host your servers in house make sure you’re using secure server operating systems and that the latest software installed on them is patched and up to date. These are in effect the open gateways to the rest of the world and will be at significant risk from attacks (possibly on a daily basis): don’t be fooled into thinking your data is insignificant or of no use to anyone else, all data including yours has a value.
Regular backups are essential
Ransomware is one of the most destructive pieces of malware around today, so it’s very important that you consider and plan your backup regime correctly. The need for point-in-time backups, and the frequency and storage location of those backups, are all very important considerations. Again, professional help is readily available and should be used if you’re unsure about anything.
Tick all the right boxes
It’s easy to read this and think that securing your business is complicated and expensive – and in some cases it may well be – but as with most things in business it’s just a case of working through and ticking all your boxes. Once you have a plan in place, use the internet to test what you have done: there are many options for penetration testing to see where you’re vulnerable, so test it, fix it, and test again. If you save money by doing nothing, it will only be a matter of time before that approach ends up costing you ten times what you thought you had saved in the beginning.
Business security topics will be addressed in more details at the Gartner Security & Risk Management Summit in London, UK, September 12–13, 2016. You can find more information about ESET @ Gartner summit with up-to-date content on our special web page. Among the attendees will be ESET chief research officer Juraj Malcho and Palo Balaj, head of ESET EMEA business development.

The economics of ransomware recovery



Sometimes, the easy way out is the road to ruin.
After WeLiveSecurity published the article Ransomware: To pay or not to pay?, SC Computing’s Bradley Barth picked up on a point I made there, where I said that we hear of instances where organizations pay ransomware demands even though they have backups, because it’s cheaper.
No defence versus insufficient defence
Just to be clear, I didn’t say that they don’t implement defences at all. I can’t say that never happens, but it’s far more common for companies to implement inadequate defences because they aren’t security-savvy enough to plug all the holes, than it is for them to ignore security altogether.
No policy, no consistency
Bradley Barth was particularly interested in specific research, examples, data, or anecdotal evidence. I wasn’t prepared to give specific examples, because I couldn’t do so without tripping over confidentiality issues. However, my friend and colleague Stephen Cobb provided a generic but appropriate example:
I spoke on a panel at a conference recently where several members of the audience – about 300 Managed Service Providers, each of whom works with multiple client firms – said they knew of specific instances where system administrators had paid ransoms even though recovery from backups would have been possible. The risks of doing this extend beyond not getting the data back despite paying. They include, and again, there was actual knowledge of this: getting hit again because you are seen as a soft target.
In none of those cases were there any rules/policies in place to guide or limit the sysadmin response to a ransom demand. Also recent: I helped conduct a tabletop exercise for about 60 disaster recovery professionals and it was clear that most organizations had not yet addressed the handling of ransom demands in their policy manuals or incident response playbooks.
Human firewalls
Regrettably, defending against ransomware is not simply a matter of plugging in some sort of anti-malware package using the default settings and relying on it to defend you. Mainstream security programs are good at detecting known ransomware, and much better than you might think at detecting unknown ransomware by monitoring its behavior (behavior analysis). However, there’s no such thing as 100% detection, even with security software set at its most paranoid, and it’s not unknown for staff members (not necessarily deliberately) to give an attacker a way in by some incautious action. Education and policy are often effective ways of making the end-user part of the defensive masonry rather than a flaw in the brickwork.
Porosity and Perimeters
If ransomware gets the chance to execute, the amount of damage it can do is limited by access restrictions in the environment in which it is executed. Unfortunately, if backup systems are set up for convenience rather than ransomware-specific security, backups may also be compromised by the malware, even if they’re outside the organization’s perimeter.
Paying your way out of trouble?
If there are organizations that are missing out steps that would help them survive such circumstances, in the expectation that they can always pay the ransom, they could be in more trouble than they realize. Paying the ransom doesn’t always guarantee the recovery of the data. I was taken to task in a comment to that previous article by someone who asserted that ransomware gangs:
“WILL decrypt your files because:
A) It’s their business money, AKA, it’s how they make money. If they didn’t decrypt the files after the payment, no one would pay the ransom.
B) Ironically, their support is amazing, way better than most corporations.”
Well, he’s not completely wrong, though those are pretty sweeping statements. In fact, it’s not unusual for criminal organizations to have fairly effective ‘customer support’ for victims of ransomware and other kinds of malware. ‘Better than most corporations’ is, I think, a bit of an exaggeration, though in nearly 7 decades I’ve met with some pretty atrocious support from legitimate companies over the years. I’ll save those war stories for another blog, though. Going back to his more convincing argument, I’ll agree that as far as I can see, most gangs will provide a decryption key to victims who pay up, because (of course) if they never did, there would be no point in anyone paying up.
Trust me, I’m a criminal
However, some gangs (or individuals) have no intention or means of getting the data back for companies or individuals that pay. Consider, for instance, the appalling Hitler ransomware, which demands a ransom of 25 Euros but can’t help you decrypt your files, because they were never encrypted, but simply deleted. Lawrence Abrams, for Bleeping Computer, asserted in his description of this particular malware that ‘It looks like file deletion is becoming a standard tactic in new ransomware applications created by less skilled ransomware developers.’ Similarly, it’s far from clear at the time of writing whether the ‘FairWare’ attackers are actually keeping copies of the data they remove from compromised servers, or are simply deleting them. Since the attackers state that ‘Questions such as: “can i see files first?” will be ignored’, I’m not inclined to be optimistic.
Honey, I shrunk the decryptor
Some of those developers towards the script-kiddie end of the market may intend to get the data back but have screwed up the decryption mechanism. Even the more professional gangs can make that sort of mistake. Yet another report from Bleeping Computer indicated that CryptXXX version 3.0 not only prevented Kaspersky’s RannohDecryptor from enabling victims to decrypt their files for free, but also had the (presumably unintended) effect of breaking the criminals’ own decryption key, so that paying the ransom didn’t, at the time of writing, guarantee that the victim would get a working decryptor. As I remarked at the time, when a ransomware gang screws up, it doesn’t always work to the benefit of the victim. And sometimes security measures may actually kick in and interfere with the recovery process. If your files are already encrypted, then removing the malware doesn’t usually reverse the encryption.

Data recovery is not all about ransomware
I don’t say these scenarios are common, but they do raise the stakes. And, of course, the risk of ransomware is not the only issue that needs to be addressed by a sound backup strategy. What if your data are lost or corrupted because of issues that have nothing to do with ransomware? You can’t just cough up a few bitcoins in that case, and even expensive data recovery specialists may not be able to come up with a fix.
Paying for protection and paying for protection rackets
The scenarios Stephen describes, where organizations are insufficiently prepared for attacks they probably don’t fully understand, are much more typical.
As it happens, I heard recently of an academic institution that was asked for $100 to get its data back. Presumably this was an instance of a bottom-feeder aiming to profit from individuals rather than a gang deliberately targeting a large organization. In a case like that, I can see that there might have been a temptation to pay up. Of course, that might depend on how difficult it might be perceived as being to recover all the compromised data, which in turn would depend on how much data had become inaccessible and how fast and easily they could be recovered from backups. However, in this case the institution concerned chose not to take that route, happily. But, as Stephen suggests, sometimes an organization does take the easy way out. Furthermore, many individuals also pay up (and who can blame them?), and that’s what is keeping the gangs in business. Do I expect every victim to take the moral high ground? Of course not. But in a protection racket, everyone who pays up is keeping the racket alive.
The commenter quoted above also said:
Regarding backup strategies and specialized IT security personnel that everyone keeps talking about, it’s obvious you’re out of touch of the real world…
Well, what is obvious is not always true. Before I was assimilated into the security industry, I spent decades working (mostly) in security as a support engineer, systems administrator, security analyst, and as a security manager. And sure, I could cite examples of misconceived short-termism and cost-cutting that actually multiplied long-term costs to the organizations concerned. But to dismiss all ‘CEOs and their respective bean counters’ as idiots who only commit resources to security after the fact, and then only by applying sticking plaster, is just crass. The security decisions made at C-level are all-too-often wrong. But it’s not often that the people at the head of an organization pay for security practitioners with the express intention of ignoring them.
You can find Bradley Barth’s article here: Ransomware locks experts in debate over ethics of paying.


6.9.16

School ransomware: A threat to be aware of



It can often feel like every day brings news stories about ransomware attacks on businesses, particularly at hospitals and schools. While the life-or-death nature of hospital data might force some healthcare organizations to accede to criminals’ demands in hopes of restoring access to that data as quickly as possible, some schools are also falling prey to these demands.
Paying criminals is never a good idea, even when it seems expedient. Ransomware authors are under no obligation to actually give you what you pay for, and there have been plenty of cases where either the decryption key did not work or the ransom note never even appeared. Suffice it to say that cybercriminals are not generally renowned for their excellent software testing or devotion to quality customer service.
There are plenty of things that you can do now that will help you avoid a school ransomware problem entirely, and there are even a few things you can do that might help repair the damage so you don’t have to fork over ransom money.
What makes schools unique?
In a way, schools are like small cities: they often have healthcare clinics, stores, restaurants, sometimes even banks, plus they have accountants, administrators, etc. They have various types of company and personal financial data, healthcare information, student and staff records – all of which are very sensitive and thus very lucrative to criminals.
Ransomware is a special situation within malware, where data are not necessarily exfiltrated from a victim’s system (as with other kinds of modern malware). Instead, access to that data is interrupted. If you’ve ever had to deal with the disquiet of a student or teacher under deadline, you know that while timely access may be less a matter of life and death than in a hospital, it’s still absolutely crucial in a school.
And while hospitals are fairly limited as to which devices are approved to enter the network, schools generally encourage their users to bring their own devices. This brings a higher level of challenge, as an untold number of unmanaged machines are connecting to the network each day.
What can you do about school ransomware?
Let’s start with the things you can do in advance to help prevent malware from getting on your system in the first place, and to minimize damage if it does happen.
Back up your data
The single most important thing you can do to prepare for emergencies, including being affected by ransomware, is to have regularly updated and secured backups. Many ransomware variants will encrypt files on drives that are mapped. This includes any external drives such as a USB thumb drive, as well as any network or cloud file stores to which you have assigned a drive letter. So your backup needs to be on an external drive or backup service, one that is not assigned a drive letter, and that is disconnected from your systems and network when not in use.
Keep your software up to date
Malware authors frequently rely on people running outdated software with known vulnerabilities, which they can exploit to get onto your system unobserved. It can significantly decrease the potential for malware infection if you make a practice of updating your software often. Enable automatic updates if you can, update through the software’s internal update process, or go directly to the software vendor’s website. Malware authors sometimes disguise their creations as software update notifications, so by going to known-good software repositories you can increase the odds of getting clean, vetted updates. On Windows, you may wish to double-check that old – and potentially vulnerable – versions of the software are removed, by looking in Add/Remove Software within the Control Panel.
Use a reputable security suite
It is always a good idea to have both anti-malware software and a software firewall to help you identify threats or suspicious behavior. Malware authors frequently update their creations to try to avoid detection, so it is important to have both layers of protection. If you run across a ransomware variant that is so new that it gets past anti-malware software, it might still be caught by a firewall when it attempts to connect with its Command and Control (C&C) server to receive instructions for encrypting your files.
Use the Principle of Least Privilege
The Principle of Least Privilege says that no users or systems should have more access than is necessary to complete tasks that are legitimately within the scope of their work. As a general rule, most users should not have administrative rights on their machines, and should be limited in their ability to access resources outside of their own purview. Students should have different access levels than teachers, who should have different access than administrators. Personal devices brought from home should also be treated differently from machines that always remain within the school network. If appropriate barriers are in place, you can slow or halt the spread of malware.
Educate your users
While accidents do happen, it is important for all of your users to understand what acceptable use of school resources entails. This is something that should not just be done once at the beginning of the year and forgotten by the time midterms come around, but is an exercise that is revisited frequently. Posters or other educational materials can be displayed prominently, wherever public computers or internet connections are available. It is also imperative to encourage your users to let you know when an accident has occurred, so that damage can be limited by quick corrective action. Rewarding safer security behavior, including pointing out problems, can help you to foster that encouraging environment.
The next few tips are to help you deal with the methods that current ransomware variants have been using – these tips may not help in every case, but they are inexpensive and minimally intrusive ways to cut off access routes used by a variety of malware families.
Disable macros in Microsoft Office files
Most people may not be aware that Microsoft Office Files are like a file-system within a file system, which includes the ability to use a powerful scripting language to automate almost any action you could perform with a full executable file. By disabling macros in Office files, you deactivate the use of this scripting language.
Show hidden file-extensions
One popular method malware uses to appear innocent is to name files with double extensions, such as “.PDF.EXE”. This takes advantage of the default behavior in Windows and OS X of hiding known file extensions: malware exploits this to make a file appear to be one that would commonly be exchanged. If you enable the ability to see the full file extension, it can be easier to spot suspicious file types.
Filter EXEs in email
If your gateway mail scanner has the ability to filter files by extension, you may wish to deny mails that arrive with “.EXE” files, or to deny mails sent with files that have two file extensions, the last one being executable (for example, “Filename.PDF.EXE”). If you do legitimately need to exchange executable files within your environment and are denying emails with “.EXE” files, you can send them within ZIP files or via cloud services. Sending in ZIP files can also give you an extra layer of assurance, as it allows you to choose an official, universal password for use within the company, which can help you identify unofficial files.
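A gateway-side check implementing the two tips above (spotting double extensions like “Invoice.PDF.EXE” and denying executable attachments), written as an added example rather than code from the article. The executable extensions beyond “.EXE”, the list of “known” extensions and the sample attachment names are constructed assumptions for this example.

```python
"""Attachment-name policy check for a mail gateway (added example)."""
import os
from dataclasses import dataclass

# ".exe" is the extension the article names; the rest are an illustrative
# assumption for this example and should follow local policy.
EXECUTABLE_EXTENSIONS = frozenset(
    {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".ps1"}
)
# Constructed set of "registered" types used only to model what a file
# browser that hides known extensions would show the user.
KNOWN_EXTENSIONS = EXECUTABLE_EXTENSIONS | {".pdf", ".docx", ".xlsx", ".zip"}


def split_extensions(filename: str) -> list[str]:
    """Return every extension of a filename, lower-cased and in order.

    'C:\\Users\\bob\\Invoice.PDF.EXE' -> ['.pdf', '.exe']
    Path components are dropped and padding whitespace stripped so that a
    path-qualified or space-padded name ("Payslip.docx .scr") is still seen.
    """
    base = os.path.basename(filename.replace("\\", "/")).strip()
    parts = base.split(".")
    # parts[0] is the stem; empty segments (from "a..exe") carry no extension
    return ["." + p.strip().lower() for p in parts[1:] if p.strip()]


def as_displayed_with_hidden_extensions(filename: str) -> str:
    """Approximate what the user sees when known extensions are hidden.

    Simplified model (assumption): only the final extension is hidden, and
    only when it is a known type. This is why "Invoice.PDF.EXE" reads as a
    PDF to the recipient, which is the disguise the article describes.
    """
    base = os.path.basename(filename.replace("\\", "/")).strip()
    exts = split_extensions(base)
    if exts and exts[-1] in KNOWN_EXTENSIONS:
        return base[: base.rfind(".")]
    return base


@dataclass(frozen=True)
class Verdict:
    allow: bool
    reason: str


def check_attachment(filename: str) -> Verdict:
    """Apply the gateway policy from the article to one attachment name."""
    exts = split_extensions(filename)
    if not exts:
        return Verdict(True, "no extension")
    last = exts[-1]
    if last not in EXECUTABLE_EXTENSIONS:
        # Multi-dot names such as backup.2016.09.tar.gz are legitimate: only
        # the final extension decides how the OS treats the file.
        return Verdict(True, f"final extension {last} is not executable")
    if len(exts) >= 2:
        return Verdict(False, f"double extension {exts[-2]}{last}: "
                              f"executable disguised as {exts[-2]}")
    return Verdict(False, f"executable attachment {last}")


def deny_reasons(attachment_names: list[str]) -> list[str]:
    """One rejection reason per offending attachment; empty means deliver."""
    reasons = []
    for name in attachment_names:
        verdict = check_attachment(name)
        if not verdict.allow:
            reasons.append(f"{name}: {verdict.reason}")
    return reasons


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from any real message.
    samples = ["Invoice.PDF.EXE", "report.pdf", "backup.2016.09.tar.gz",
               "setup.exe", "Payslip.docx .scr", "tools.zip", "README"]
    for name in samples:
        v = check_attachment(name)
        shown = as_displayed_with_hidden_extensions(name)
        print(f"{name!r:24} shown as {shown!r:18} -> "
              f"{'ALLOW' if v.allow else 'DENY '} {v.reason}")
```

Note that the ZIP route the article recommends for legitimate executables passes this filter unchanged, so the policy and the workaround are consistent.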