Ransomware scum: 'I believe I'm a good fit. See attachments' Criminals are posing as job applicants to drop ransomware into human resources departments. The ransomware vector contains two attachments. One is a harmless PDF cover letter designed to convince the human resources operative that the criminal's email exchange is legitimate. A second Excel spreadsheet attachment contains the …
Macros have been a security problem since the start of the web. That is a bit of functionality that needs to be replaced for those situations where they might actually be useful. I can not see why any HR department needs to enable macros for any documents. In fact, outside some bean counters I seriously doubt that macros are necessary. Even for the bean counters I would recommend learning how to avoid using macros.
Excel macros can be kept in their own workbook - independent of any data. The data to be processed by the macros is then loaded as separate workbooks.
Therefore you only enable macros for the loading of that trusted macro workbook***. Any data file that wants macros enabling is thus still flagged as a risk.
***It is assumed that MS Office still allows selective enabling of specific workbooks. Which is remembered to avoid users getting "click happy" on enable prompts.
Any executable code has been a security problem since well before the internet, and it isn't just HR and bean counters that uses Excel.
I write macros because the things I need to calculate are either difficult, cumbersome or impossible to express in terms of the built in functions of Excel, but translate rather elegantly into VBA.
I write macros because the things I need to calculate are either difficult, cumbersome or impossible to express in terms of the built in functions of Excel, but translate rather elegantly into VBA.
That's me too. In some of my spreadsheets it's more than just mere 'macros' but properly constructed code and I would say that 99% of the stuff I write code for just isn't practical or possible with the front end of Excel.
Sometimes I use the COM interface to get the data out but quite often it's better to have the code within Excel and run it there. It also has the advantage that I can give the sheet to someone else and ask them if they can see the Date/Time in a certain cell. If they can then I know that it's "installed correctly" and it will run without having to go through endless installation routines and the like.
Anyway, as far as I am concerned macros isn't the same as VBA: it's not even in the same league and this morning I was working on a circular linked list with three sets of pointers and try doing that and what it's used for by anything via the Ribbon.
The real problem with Microsoft Security is that it’s just shifting the blame. If you disable macros, it won’t work. If you enable them, it’s your fault when things fall apart.
I haven’t worked with Microsoft products for some years now, which is why my sanity is slowly returning to me.
When Microsoft first released VBA for their applications, they enabled the first cross-platform viruses (Mac & Windows running the same evil code). Their solution was not to fix the problem, but simply to ask your permission to run the code.
One thing Microsoft has never understood is the concept of sandboxing macros. The majority of VBA I have developed is solely to enhance functionality within the document, and has no need to gain access outside of it. With Microsoft security, if you write a macro to automate adding a new worksheet, you need to grant permissions to interact with the whole operating system.
I mean, what were these guys snorting when they implemented this and called it Security? The correct solution is to enable two levels of enabling macros: sandboxed and superuser.
"The majority of VBA I have developed is solely to enhance functionality within the document, [...]"
My Excel VBA macros live in their own workbook. They operate on data in a separate set of master workbooks to control the extensive processing and creation of hundreds of workbooks and Word documents. The current main run also uses Selenium/Chrome to enable the Excel macros to browse hundreds of web pages to extract raw data from them.
That latter step is the one that could introduce malware into the PC - but that is the weakness of the browser not the Excel macro system.
Can't macro security options be locked down through GPOs? If a company needs to deploy its own macro, can't it sign them?
Also, if those big mail providers are so good at identifying ransomware (probably just after it hit enough users), why don't they publish hashes or the like in a public backlist? Or are they just trying to use it to lure more customers into their cloud services?
Word macros can be really useful. I used to use them to format documents for publication, they saved countless hours of gruntwork there.
But on the other hand, any applicant who wants me to enable macros in a document they sent to me - well, let's just say they're not likely to be a good fit, on the grounds that they're an idiot. Anyone who's sophisticated enough to use macros has no excuse for not knowing why that's a dumb idea.
~ Talk about relentless and creative. They're the ones winning the data wars...
~ Politicians don't get it. Too old / Don't own necessary tech to see the problems.
~ Corporations sleep walk us to the Power of Nightmares (IoT Edition). ...
~ Regulators lack enforcement powers and when they do they don't know what to do.
~ Mass media remains blissfully ignorant in a US style election coma.
~ At this rate, scammers will soon run the entire net, forget ICANN...
Again? sh?t...
So this is why the only applicants we find are those who can survive two hours bending to the will of the Applicant Tracking System, Taleo, without blowing their brains out in frustration.
"What was your favorite color in high-school?"
All that time spent pimping the formatting on our MSWord resumes is waaasted. Waaaysted, I tell you.
Indeed. When I applied for a job at Dyson, they wanted my CV to be in plain text, pasted into a web form. Seemed sensible enough. Also, it meant no applicant required a Word licence, or would have to cross their fingers that Libre Office formatting would be rendered correctly at the recipient's end.
If I had needed to send them photographs of my work, I could have just included a link to a reputable designer's portfolio hosting site.
"These services have gotten very good at quickly identifying new ransomware campaigns and sending the offending emails to the junk folder."
From experience I'd say there's a very effective way of getting spam through Microsoft's filters: pretend it came from them.
Identifying stuff quickly still leaves an interval during which a good number will get through.
Of course I don't condone this and those asshats should be taken care off by law enforcement.
But on the other hand I also couldn't help grin a little bit: "Here's hoping those Enterprise bosses didn't outsource their IT departments". Because that is in my opinion the other side of the medal.
It is definitely no excuse, but yeah...
.....consumer webmail providers like Google and Microsoft tweaked spam filters to filter out much of the inbound menace.
I can't help thinking that if they did that outbound as well, it would do rather more good.
A quick change in the law to make the bastards jointly liable with the sender for any damage caused by shit disseminated via their services ought to do the trick.
I keep my CV in OpenOffice and send PDF's, no need to send office documents, if they require Word documents, no need to apply, I don't want to work for idiots.
The good thing about PDF is that is as vulnerable as Office with Macros ... how many PDF 0-days in 2016 ? Precisely. Most HR systems have not been patched for those discovered in 2012, let alone 2013 ...
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2023
