Bet their disaster recovery plan gets dusted off and reevaluated. Backups aren't backups unless you test a full recovery.
Welcome to the FUTURE: Maine cops pay Bitcoin ransom to end office hostage drama
Blundering cops in Maine, US, have enriched malware masterminds by paying up to decrypt files held hostage by ransomware. Four city police departments and a sheriff's office in Lincoln County share a common computer network run by Burgess Computer, which hosts the plods' administrative files. Then one day the entire system …
COMMENTS
-
-
Monday 13th April 2015 23:50 GMT Steven Raith
Backup verification matters
Something that is often forgotten is that you don't test your backup system works, you test that your recovery system works.
Sadly, not many people actually do it - they just assume that because Backup Exec/Windows Backup/their cron'd rsync job/Backup2l reports a successful backup, they don't bother checking that they can actually pull data from it....
-
Tuesday 14th April 2015 12:22 GMT Syntax Error
Re: Backup verification matters
Well it does kind of defeat the object if you have to check your recovery backup to see if it works all the time. This should only need to be done when your recovery backup is set up, not as an ongoing checking process. Otherwise why would the report say the backup was successful if it wasn't?
-
This post has been deleted by its author
-
-
Tuesday 14th April 2015 19:40 GMT Anonymous Coward
Re: Backup verification matters
Acronis (I think; not my job, may have been other software) reported that all backups were fine and dandy in the place I work for; for the past year it had actually backed up naff all.
That's why I also check how much time it takes, and I still do a restore test every two months (or earlier if anything has changed, but I run two separate backup systems so that I always have a test per month). I've been near enough to disaster not to take chances - for a small business, a RESTORE failure can basically close the shop.
-
-
Wednesday 15th April 2015 15:36 GMT Anonymous Coward
Re: Backup verification matters
@syntax error
And those backups take soooooo long but if all you want is a 'Backup Complete' entry in the logs then good news, I can make some incredible improvements to your backup speeds with just a few mouseclicks.
Tip, you can only say your backup was truly successful when you've restored data from it.
-
-
-
Monday 13th April 2015 21:21 GMT elDog
And why isn't the first word of advice to be
Backup?
And backup daily, or more frequently as needed.
Or even use VSS (assuming Windows) snapshots? Or even the Windows built-in versioning stuff?
There are so many ways to recover from data loss (and this is just one example) that the company (Burgess?) should be thrown into the lockdown and its private keys scrambled (ROT98765).
-
-
Tuesday 14th April 2015 10:04 GMT Alan Brown
Re: And why isn't the first word of advice to be
"but keep them available for months, then they ask for the ransom."
That all depends how long you keep your backups around for.
On most systems at $orkplace I can tell you what date any given file changed for the last 3 years AND offer to restore that version for you AND if there are other copies of the same file anywhere across the enterprise.
-
-
-
Monday 13th April 2015 21:37 GMT ZSn
GPO
Pardon an obvious question - but why weren't user space executables blocked by the GPO settings? Wouldn't that have stopped this in its tracks? I know that it is a bit fiddly but it is certainly easier than having all the files encrypted. Also didn't they have the backups checked every once in a while?
-
Monday 13th April 2015 21:55 GMT Little Mouse
Re: GPO
Except that users often need to, you know, use stuff.
Where I work we've been hit by this a few times, and nothing short of removing all user rights and access would have prevented it.
A fast response to isolate the offending machines, and good backups saved the day every time though.
-
Tuesday 14th April 2015 06:58 GMT RIBrsiq
Re: GPO
Users can use whatever they need to use, in a properly administered and controlled environment.
The basic policy is simple: users should not be able to execute anything from any parts of the filesystem they can write to (including optical discs and all sorts of removable storage), and should not be able to write to anywhere where executables reside.
There may be a need to layer some exceptions on top of this for known-good files. And there's probably a good case to be made for additionally enforcing a digital signature policy, in a slightly-more-secure environment such as law enforcement.
-
-
Tuesday 14th April 2015 14:03 GMT Peter2
Re: GPO
Actually, it doesn't fail that at all. "msword.exe" is an EXEcutable file, "randomfile.doc" is not. Even if it was an executable file, you'd simply remove it from the list of file types the policy applies to. You have to do this with links anyway, since the handling of them is outright idiotic.
The idea behind the use of an SRP is that you prevent *.exe, *.bat, *.vbs, *.etc files from running outside of %programfiles%, and optionally any network locations required. This means that if a user receives an email with a virus then they literally cannot actually run it.
These days a single AV product catches around a third of stuff coming in. Simply saying "I have AV installed, that's secure enough" is no longer good enough. It was adequately effective in a low threat environment in 2005, but it simply doesn't work in 2015. I have 3 separate AV scanners running on my network (Firewall at the gateway, the anti spam system has its own AV and then the mailserver/desktop AV) and the three combined don't catch enough for me to be happy relying on the users as to which executable files received by email they can run. We are an office, not programmers. They have no business need to run executables received by email, so they have no ability to.
SRPs alone aren't enough as a security measure because they don't block macro viruses sent in Office documents, though these are easily eliminated with another GPO. I've largely dropped Adobe Reader for a reader that doesn't understand the concept of embedded files, and the remaining installations have JavaScript disabled through a GPO to harden them against PDF viruses as much as is possible, and I simply don't have Flash installed on my machines due to a lack of any requirement for it and the fact that exploits for it exist when it's embedded in Office files. (though to be fair EMET ought to prevent such things from working)
The time required to manage this lot is *zero*, if you exclude the extra line on the New PC checklist for installing and configuring EMET. The only time the users ever notice is when they insert a CD they received in the post and then manually attempt to run the launcher. (which the business agreed that there is no business requirement for)
Otherwise, the relatively extensive set of measures emplaced to protect them goes utterly unnoticed by both the users and support, save for our annual review of security threats and our countermeasures. That, and when I feel a burning need to correct comments about how impossible it is to harden a Windows network to the point of being near impervious. It is neither impossible nor difficult. You can get 90% of the way there with half an hour editing GPOs to fit your environment, with zero impact to your users.
-
-
-
-
-
This post has been deleted by its author
-
Tuesday 14th April 2015 08:41 GMT Mayhem
The key is offline backups - ransomware can spread and corrupt your online ones, at which point you turn and go "why did we stop using tape again".
Fire, flood, theft - these all affect one site only, and a mirror set, hot site or live backup will quickly restore data.
Accidental deletion is usually reported relatively rapidly.
What this style of malware does is deliberate corruption of all your data, and if it happens at the end of the day just before your file sync kicks off ... you're screwed.
-
-
Monday 13th April 2015 21:50 GMT Crazy Operations Guy
So if they were that sloppy with backups..
How sloppy are they with evidence? And what about case files and other sensitive information? A good lawyer can now point to this incident and get every case thrown out due to evidence tampering (Its on the police to prove that the evidence remained valid and wasn't damaged).
I've always thought that there should be some kind of central "Police Cloud" that is connected only to Justice Department and Police department computers that have all been air-gapped. It would hold arrest records, booking information, and copies of legally obtained evidence. Each set of files would be encrypted with a key specific to each case and can only be decrypted by a police captain and the police working on the case before it goes to trial, afterwards it would only be accessible by the judge, the prosecutor, and the defense. After the case has concluded, it would be re-encrypted and would require a court-order to open up again.
As it is now, some lowly clerk at the court house could be 'convinced' to hand over some very sensitive information (such as names of anonymous witnesses, names of underage victims; interview details, evidence, etc...). OR if a police station catches fire, the local justice system grinds to a halt. Or if a case is moved to a new jurisdiction, all that data needs to be transported in a safe manner by way of squad car or armored vehicle...
-
Monday 13th April 2015 22:05 GMT Crazy Operations Guy
Wouldn't fly in my office
Where I work, any sensitive documents or anything that the business depends on must be stored on one of the file servers; if this isn't done and a disaster happens and wipes that data, the individual worker is on the hook to repay the company for lost profits directly related to that missing document. Local systems are locked down to prevent use of external media and were only given a 64 GB SSD.
After the first worker disobeyed this and ended up on the hook for $1.5 Million, everyone else decided to follow the rules to a 't' (Don't worry about the guy, he was the Sales Director and only ended up getting his pay docked for 5 years to cover the bill).
The file servers themselves have a hot-backup replica as well as an offline replica that is updated and populated by way of the backup media (This server is continuously wiped and rebuilt from the backups, also lets us test the durability of our disks, and our imaging process)
-
-
Monday 13th April 2015 23:26 GMT Crazy Operations Guy
Re: Eddie lives, somewhere in time
When we restore the files in the backup test, we run a scan to check that certain files are there and readable. These sentinel files are located in each of the users' directories as well as scattered in random folders. Our backup strategy is incremental every day, full on Saturday as well as a test of the incrementals, and Sunday is a test of the full backups.
Backup media is only reused after 18 months and is destroyed after 4 uses.
-
Tuesday 14th April 2015 18:16 GMT Alan Brown
Re: Eddie lives, somewhere in time
"What if you start backing up the encrypted files? Can it tell?"
Did you ever hear the story of the telephone exchange which turned out to have corrupted images onboard? Didn't matter until it was rebooted.
At that point it was discovered that the backup system had been backing up corrupted images for at least 2 years.
Do you have any idea how long it takes to restore a 3 year old backup, then all the incremental database updates since that point? Do you have any idea how much disruption it can cause when your phone numbers start ringing on the other side of town for 6 weeks?
-
Tuesday 14th April 2015 09:11 GMT Peter Gathercole
Re: Wouldn't fly in my office @Crazy
Um. How would this have helped in this case?
Presumably, all the users must have access to the file servers in order to copy the files there. And I'm guessing that these shares are mapped all the time.
So the malware follows every path it has access to, and encrypts all of the files it finds. This includes the files on the hot file server.
How is this the fault of any individual (apart from the person clicking the link)?
Having on-line copies on permanently mounted shares is no protection from this type of malware unless one of the following is true:
1. The copy is made by a high-privilege task that puts the copies in an area of the file servers that general users who may run the malware cannot write to.
2. The copy is made to worm devices, which do not allow files to be overwritten or deleted, just new versions created.
Even having the backups done by a high privilege task is not perfect unless there are some form of multiple versions kept, as it may be overwriting good data with bad. You've still not prevented the problem, and you've said as well as an (singular) offline replica, and the server is continuously wiped and rebuilt from the backups, which would imply that if the problem goes undetected, one backup and restore cycle later, you're still screwed.
It strikes me that there is a general failure of file sharing in many organisations. There ought to be a much finer granular permissions system, where a user only has permission to write to the parts of the file store that they need to for their job. This would prevent wholesale encryption of the data, but would not completely solve the problem.
Couple this with a proper off-line backup system (where the malware cannot overwrite the media, because it's not writeable by ordinary processes, either by permission or because the media is physically unavailable), which keeps copies of various ages (daily kept for a week, 1 copy per week for 6 weeks, 1 copy per month kept for an extended period, for example). Or use a managed backup solution with offline media that keeps multiple versions (TSM, Arcserve, Amanda etc.)
In the medium and large systems environment, this is a well established process. I'm sure I'm preaching to the converted here, but the lesson just does not seem to sink in to some SAs.
I know that the amount of data that is kept is now quite huge, even for relatively small organisations, but it seems to me that some of the current IT world have totally ignored the best practices of previous generations.
This may be, of course, because the Management and bean counters are allowed to squash the required good practice because of cost, and over-ride any suggestions from their experienced technical administrators (or engineer them out of the company), in which case they (the management) should be held entirely responsible.
Oh. And seriously control the ability of the users to run any code, trusted or untrusted directly from web-pages or emails. At least make it a two stage process where they have to download it first, and then explicitly execute it. It's not much protection, but it will prevent casual click attacks, and as it's an explicit action, means that it is easier to discipline the culprit. This should extend to scripts in any language.
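The retention scheme described in the comment above (daily copies kept for a week, one per week for six weeks, one per month for an extended period) is the part of an offline backup rotation that is most often got wrong, because media gets reused before the oldest "good" copy has aged out. The following is an added example, not code from the comment's author or from any of the products named: given the dates on which backups exist and today's date, it selects which copies to retain under that scheme. The twelve-month monthly window, the use of ISO weeks as the weekly bucket, and the "newest copy in each bucket wins" rule are assumptions the comment does not state; the sample backup dates are constructed.

```python
from datetime import date, timedelta


def select_retained(backups, today, keep_daily=7, keep_weekly=6, keep_monthly=12):
    """Grandfather-father-son selection.

    backups: iterable of date objects, one per backup copy that exists.
    Returns the set of dates whose media must NOT be reused yet:
      - every copy from the last keep_daily days,
      - the newest copy in each ISO week for the last keep_weekly weeks,
      - the newest copy in each calendar month for the last keep_monthly months.
    Assumptions (not from the thread): ISO weeks as the weekly bucket, 12 monthly
    copies as the "extended period", newest copy in a bucket is the one kept.
    """
    backups = sorted(set(backups))
    keep = set()

    # Daily: keep everything younger than keep_daily days.
    for d in backups:
        if 0 <= (today - d).days < keep_daily:
            keep.add(d)

    # Weekly: newest copy per ISO (year, week), inside the weekly window.
    newest_per_week = {}
    for d in backups:
        key = d.isocalendar()[:2]
        if key not in newest_per_week or d > newest_per_week[key]:
            newest_per_week[key] = d
    for d in newest_per_week.values():
        if 0 <= (today - d).days < 7 * keep_weekly:
            keep.add(d)

    # Monthly: newest copy per calendar month, inside the monthly window.
    newest_per_month = {}
    for d in backups:
        key = (d.year, d.month)
        if key not in newest_per_month or d > newest_per_month[key]:
            newest_per_month[key] = d
    today_idx = today.year * 12 + today.month
    for (y, m), d in newest_per_month.items():
        if 0 <= today_idx - (y * 12 + m) < keep_monthly:
            keep.add(d)

    return keep


def demo(today=date(2015, 4, 14), history_days=200):
    """Constructed sample: one backup every day for the last history_days days."""
    backups = [today - timedelta(days=i) for i in range(history_days)]
    keep = select_retained(backups, today)
    reusable = sorted(set(backups) - keep)
    return keep, reusable


if __name__ == "__main__":
    kept, reusable = demo()
    print(f"{len(kept)} copies retained, {len(reusable)} media free for reuse")
    for d in sorted(kept):
        print(d)
```

Note the behaviour at the window edges: a copy that has dropped out of the weekly window is still retained if it happens to be the newest copy of its month, so the last-day-of-month copies survive while the mid-month ones become reusable. If a ransomware infection was only noticed after the daily and weekly copies had all been overwritten with encrypted data, the monthly copies are what you restore from.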
-
Tuesday 14th April 2015 10:36 GMT Doctor Syntax
Re: Wouldn't fly in my office @Crazy
"How is this the fault of any individual (apart from the person clicking the link)?"
Quite. You've answered your own question.
"At least make it a two stage process where they have to download it first, and then explicitly execute it."
The problem here is the file which looks like something else but which is, in fact, executable in disguise such as PDFs taking advantage of exploits in the reader.
-
Tuesday 14th April 2015 11:04 GMT lorisarvendu
Re: Wouldn't fly in my office @Crazy
Of course the absolute nightmare scenario is that two (or more) users connected to the same shared drive get the same mail and both install the exe. Both of them trundle their way through the share, encrypting files with particular extensions as they go, and because the extensions and filenames don't change, one will quite happily encrypt a file that the other one has already mangled.
So potentially each file is encrypted twice by each user's particular malware (using its own unique key), and not necessarily in the exact same order (depending on the speed of access of the individual workstation).
Even paying twice may not get you your data back, since each file will have to be decrypted in the correct order.
It is possible this happened once in our organisation, since the access stamps on the encrypted files pointed to two different users. However we do have good backups so luckily we didn't get to test this out.
It's also worth pointing out that Cloud solutions like OneDrive, GoogleDrive or DropBox won't help you here, since each time they detect a file change they will immediately sync it up to the cloud, overwriting your files with the encrypted ones.
-
Tuesday 14th April 2015 16:24 GMT psychonaut
Re: Wouldn't fly in my office @Crazy
actually, dropbox keeps the last 5 file versions, although a roll back with that would be a pain in the arse one file by one file.
i use carbonite, which keeps the last 5 versions too, but additionally, if someone gets hit with crypto, carbonite have a dedicated team.
they can tell when the infection hit (by a massive spike in uploaded files ...as they are encrypted, they change, and carbonite dutifully uploads it). they can then roll the backup back to before it happened. then you download your clean data.
its £42 per year. its peanuts. its really really worth it. (ok, so server versions are more expensive but its only a few hundred quid a year).
-
-
Tuesday 14th April 2015 14:02 GMT Crazy Operations Guy
Re: Wouldn't fly in my office @Crazy
"and you've said as well as an (singular) offline replica, and the server is continuously wiped and rebuilt from the backups,"
The offline backup is an air-gapped system that can be plugged into the network as a temporary replacement (It's actually the old file server that the current one replaced, but had its hard disks swapped for low-speed 2 TB SATA disks rather than the SAS disks in the prod box). We use tapes to copy the information off of the production file servers and restore it on the backup system, we then run a verification program on all of the files (Looking for sentinel files as well as running hashes on each file and counting how many discrepancies there are). We keep 2 sets of 18 months' worth of weekly backups (One in a secure storage facility, the other on-site), and each year, we make one full backup that gets kept for 5+ years.
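The restore check described in this comment and in the earlier one about sentinel files (a hash manifest taken from production, compared against the restored tree, plus a readability check on sentinel files in every user directory) is the difference between "the backup job reported success" and "we can get the data back". Below is an added example of that verification logic, written for this thread; it is not the commenter's program, and the sentinel filename and the sample directory layout are assumptions. The sample trees are constructed in a temporary directory: a "production" tree, then a "restored" copy that has been silently damaged in the two ways a backup log would never reveal (one file rewritten with junk, one sentinel missing).

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Assumed name for the sentinel dropped in each user directory; the thread does not give one.
SENTINEL_NAME = ".backup-sentinel"


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative POSIX path -> sha256 for every regular file under root.
    Taken from production BEFORE the backup runs, and stored with the backup set."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored_root: Path, sentinel_dirs) -> dict:
    """Compare a restored tree against the production manifest.

    Reports files missing from the restore, files whose content changed
    (e.g. encrypted after the manifest was taken), unexpected extra files,
    and sentinel directories whose sentinel is absent, empty or unreadable.
    """
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    extra = sorted(set(restored) - set(manifest))
    changed = sorted(k for k in manifest.keys() & restored.keys() if manifest[k] != restored[k])

    bad_sentinels = []
    for d in sentinel_dirs:
        try:
            with (restored_root / d / SENTINEL_NAME).open("rb") as f:
                if not f.read():
                    bad_sentinels.append(d)
        except OSError:
            bad_sentinels.append(d)

    return {
        "missing": missing,
        "changed": changed,
        "extra": extra,
        "bad_sentinels": bad_sentinels,
        "ok": not (missing or changed or bad_sentinels),
    }


def demo() -> dict:
    """Constructed sample: production tree, then a damaged restore of it."""
    base = Path(tempfile.mkdtemp(prefix="restoretest-"))
    try:
        prod = base / "prod"
        users = ["alice", "bob"]
        for u in users:
            home = prod / "home" / u
            home.mkdir(parents=True)
            (home / SENTINEL_NAME).write_bytes(b"sentinel for " + u.encode())
            (home / "report.doc").write_bytes(b"quarterly figures for " + u.encode())
        manifest = build_manifest(prod)

        restored = base / "restored"
        shutil.copytree(prod, restored)
        # Damage the restore: one file now holds ciphertext, one sentinel is gone.
        (restored / "home" / "bob" / "report.doc").write_bytes(b"\x00\x11 encrypted garbage")
        (restored / "home" / "alice" / SENTINEL_NAME).unlink()

        return verify_restore(manifest, restored, [f"home/{u}" for u in users])
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The important design point is that the manifest is produced from production and stored separately from the backup media: a manifest generated from the backup itself would happily match a backup full of encrypted files. Counting discrepancies rather than stopping at the first one is what tells you whether you are looking at one corrupt file or at a whole share that was already encrypted when the tape was written.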
-
-
Tuesday 14th April 2015 12:57 GMT Alan Brown
Re: Wouldn't fly in my office
"if this isn't done and a disaster happens and wipes that data, the individual worker is on the hook to repay the company for lost profits directly related to that missing document."
In most countries this kind of "fine" is completely illegal. The most you can do is sack the worker.
In any case, for the situation described the whole "desktop" and "fileserver" paradigm is a nasty kludge anyway. Thin clients, centralised everything solves the discipline issues at a single pass.
-
Tuesday 14th April 2015 13:53 GMT Crazy Operations Guy
Re: Wouldn't fly in my office
"In most countries this kind of "fine" is completely illegal". He could have left the company, but try finding a job elsewhere with that on your record... Besides, it wasn't so much a 'fine' as it was a settlement for a breach of contract (we have some top-notch lawyers working for us)
"Thin clients, centralised everything solves the discipline issues at a single pass." No argument here, we tried thin clients at one point, but they ended up placing far too big a burden on the network (Network admin was incompetent) and management is a firm believer in "Once Bitten, twice shy" no matter what the real cause was.
-
-
-
-
-
Tuesday 14th April 2015 01:17 GMT Anonymous Coward
Re: Oh, Neal Stephenson
As a great admirer of Neal Stephenson, I will admit that Reamde was disappointing. However, I feel that it's not Mr. Stephenson's fault, for you see, it's hard to write about the future when the future has already arrived.
Consider this - there's currently a guy in jail because he earned millions in some virtual currency making a virtual and illegal market, his hybrid electric car built by robots was confiscated, and all the while Russian cyber-gangsters unleash invisible, intelligent, electronic viruses against brick and mortar banks to extract electronically stored paper currency.
Who needs cyberpunk anymore? The future has arrived.
I don't think we've heard the last of Stephenson, despite that little issue with Kickstarter - we may presently find that we are all participating in some virtual experiment of his own design, where we must pay him monthly fees to maintain our existence.
-
-
-
Tuesday 14th April 2015 00:23 GMT Anonymous Coward
This should not happen
I think they need a new IT support company.
In an event such as this we would have 3 ways to restore the files. In order of preference they would be:
1. Restore from shadow copies on the file server
2. Restore from backup to disk
3. Restore from tape
However to prevent it happening in the first place we have mitigations in place. These are:
1. GPOs which only allow specific executables to run on end user PCs.
2. FSRM rules that change the file server shares to read only and send alerts if they detect certain files being written to the server. This will stop known crypto malware. We are also looking at ways to trigger this lockdown if the rate of files changing on the server exceeds a threshold to catch future variants with different file name patterns. This is still a work in progress.
We also of course scan for executables at the network border and have restrictive permissions on the file servers to limit the damage a user can do to only the files they need to access.
We had one user get hit with cryptolocker before we put the mitigations in place. They were sent a convincing looking Australia Post link. They clicked it as they are responsible for accepting deliveries. Unfortunately the web filter didn't pick it up and was set to allow access to un-categorised websites. This has since been changed.
The PC needed re-imaging, but we had their files back on the file server inside 20 minutes from that mornings most recent shadow copy.
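The two detection ideas in the comment above, a trigger on known ransomware filename patterns and a trigger on the rate of file changes per user (the same spike a backup provider can see in its upload volume, as another commenter notes), can be prototyped against file-server write events before being wired into FSRM or anything else. The following is an added example of that detection logic, written for this thread and not taken from the commenter's setup: it parses a constructed log of write events (`timestamp user path`), keeps a sliding window of writes per user, and raises one alert per user per reason. The filename patterns are placeholders, not a verified indicator list, and the 50-writes-per-minute threshold is an assumed starting point to tune against your own baseline.

```python
import fnmatch
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Placeholder patterns (assumed for this example); build the real list from
# incident reports for the families you care about.
INDICATOR_PATTERNS = ["*DECRYPT_INSTRUCTION*", "*HOW_TO_RESTORE*", "*.encrypted"]


def parse_line(line: str):
    """'2015-04-13T09:15:00 bob /share/cases/x.doc' -> (datetime, user, path)."""
    ts, user, path = line.split(" ", 2)
    return datetime.fromisoformat(ts), user, path


def detect(events, max_writes=50, window=timedelta(seconds=60)):
    """events: (timestamp, user, path) tuples in time order.

    Returns a list of alerts, one per (user, reason):
      reason 'indicator' : a filename matching INDICATOR_PATTERNS was written
      reason 'rate'      : more than max_writes writes by one user within window
    The rate check catches variants that use filenames nobody has a pattern for yet.
    """
    recent = defaultdict(deque)  # user -> timestamps of writes inside the window
    alerted = set()
    alerts = []

    for ts, user, path in events:
        name = path.rsplit("/", 1)[-1]
        if (user, "indicator") not in alerted and any(
            fnmatch.fnmatch(name, pat) for pat in INDICATOR_PATTERNS
        ):
            alerted.add((user, "indicator"))
            alerts.append({"time": ts, "user": user, "reason": "indicator", "detail": path})

        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:  # drop writes that fell out of the window
            q.popleft()
        if len(q) > max_writes and (user, "rate") not in alerted:
            alerted.add((user, "rate"))
            alerts.append({
                "time": ts, "user": user, "reason": "rate",
                "detail": f"{len(q)} writes in {window.total_seconds():.0f}s",
            })
    return alerts


def constructed_log():
    """Constructed sample: alice edits a few documents; bob's workstation is
    rewriting the share at ten files a second and then drops a ransom note."""
    base = datetime(2015, 4, 13, 9, 0, 0)
    lines = [
        f"{(base + timedelta(minutes=3 * i)).isoformat()} alice /share/admin/minutes-{i}.doc"
        for i in range(5)
    ]
    start = base + timedelta(minutes=15)
    lines += [
        f"{(start + timedelta(milliseconds=100 * i)).isoformat()} bob /share/cases/file-{i:03d}.doc"
        for i in range(200)
    ]
    lines.append(f"{(start + timedelta(seconds=21)).isoformat()} bob /share/cases/DECRYPT_INSTRUCTION.txt")
    return lines


def demo():
    events = sorted(parse_line(line) for line in constructed_log())
    return detect(events)


if __name__ == "__main__":
    for a in demo():
        print(a["time"].isoformat(), a["user"], a["reason"], a["detail"])
```

The rate alert fires on the 51st write, a few seconds into the run, well before the ransom note appears; that gap is what makes an automatic share lockdown worth the false-positive risk. Whatever you hook to the alert (revoking the user's share access, taking the share read-only, paging someone), tune the threshold per share: a nightly batch job or a user copying a folder tree will look exactly like this unless you exclude those accounts or raise the limit for them.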
-
Tuesday 14th April 2015 00:36 GMT SQL God
No Police Response
Scary that the Cops get ripped off and no one wants to get serious about going after the perpetrators. No one even wants to even wank about it except me. The US has the most extensive IT network for tracing and following financial transactions in the world. We give foreign aid and support to just about every country in the world that harbors terrorists and hackers. We also have the juice to twist arms in Switzerland--if we want. (I'm not saying this is right, it's just that the US is an 800 lb. gorilla.) So why can't we get justice against the scumbags that do this kind of crap?
I'm embarrassed that my country considers computer crime, (and the companies that fight it) as just another economic industry that should be nurtured and grown. Does GB want this old American as an immigrant? Or are you guys seeing the same problem in your government.
-
Tuesday 14th April 2015 00:46 GMT Anonymous Coward
Welcome to our world, cops!
Cops
"Paying a ransom - let's say it goes against the grain," Sheriff Todd Brackett told The Register. "We tried to find a way around it, but in the end our IT guys and Burgess recommended just paying the ransom."
Joe Sixpack
Paying that bullshit speeding ticket - let's say it goes against the grain. I tried to find a way around it, but in the end my lawyer recommended just paying the ticket, to avoid having my car impounded and spending 30 days in jail.
-
-
Tuesday 14th April 2015 02:52 GMT SQL God
Re: $300
$300 is just their way of saying that if the FBI or the CIA got interested in chasing them down, they'd be an easy find. As it is, it's gotta be huge dollars or they have to attack a Senator or a Congressman for anything to be done about it.
These guys are making billions in volume, so at $300 a pop, they're getting quite rich.
The new mantra on crime in the United States, is it's the VICTIM's fault NOT the CRIMINAL's. Notice that all the other comments just talk about how dumb the cops are for not better protecting their systems? No one cares about going after criminals.
-
Tuesday 14th April 2015 03:24 GMT Anonymous Coward
Re: $300
I don't think people are saying that the perps shouldn't get nailed to a tree, but you need to find them first. In the meantime, we know this stuff is out there and should try to prevent it affecting our systems. At the very least, ensure your backups are working.
It seems that the IT support company involved here have been criminally negligent. Taking the crypto malware out of the picture, how did these clowns plan to recover from a disaster or even just restore files after an accidental data loss or corruption?
-
Tuesday 14th April 2015 10:14 GMT Alan Brown
Re: $300
> Notice that all the other comments just talk about how dumb the cops are for not better protecting their systems?
They are, but that's normal practice and not different to the users who refuse to pay for their systems to be covered by the sitewide backup system, then come screaming to us demanding instant repairs when a disk goes tits-up (this _has_ happened and @ $2k per recovery it adds up fast)
> No one cares about going after criminals.
I'd love to go after the criminals. Unfortunately that's not my job.
-
-
Tuesday 14th April 2015 03:14 GMT Mark 85
Re: $300
By keeping the dollar value low, it doesn't keep them off the radar, it keeps them under the prosecution level. In most places $300 is barely a felony much less Grand Theft. To track down the perpetrators would involve money on the police side. Then to extradite would cost a small fortune. Unless the Feds get involved, there's no way a small town or even some bigger towns would have the expertise or the funding to go after these guys/gals.
Yeah.. it's a crock. The perps should be dragged out of hiding and strung by their ankles from the highest yardarm, tree, or lamppost.
-
Tuesday 14th April 2015 10:44 GMT Anonymous Coward
Re: $300
every little helps, said the old hacker pissing on a pile of 300$ a-piece money orders from around the world.
p.s. I wonder how many governmental and law enforcement agencies around the world have already paid up for similar fails, quickly and quietly (unlike their usual fashion).
-
-
-
Tuesday 14th April 2015 11:31 GMT Afernie
Re: I'll bet money...
"I'll bet money that the perps are caught and sent to prison for a long time, as they should be."
How much money are you planning to bet? If they are in fact from Russia (for example) the current spectacularly icy relations between the CIS and the US Government, combined with the Russian Constitution forbidding extradition guarantees that it will be a cold day in Hell before they receive cooperation.
-
Tuesday 14th April 2015 21:58 GMT Michael Wojcik
Re: I'll bet money...
If they are in fact from Russia
Frankly, I doubt there's much chance they'll be identified - much less successfully prosecuted - if they're from Maine, never mind Russia. It's not hard for even the s'kiddies to mount these sorts of attacks in ways that are damn near untraceable.
Generic malware, email through a compromised account or open relay, Bitcoin payment... and it's not like anyone's putting any real resources (i.e., a competent IT forensics team, and all the affected hardware seized as soon as the attack was discovered) into tracking them down. I'd like to hear how the OP thinks they're going to be caught.
Life ain't like NCIS - in the real world, we have only one white-hat per keyboard, and the vast majority of perps never suffer so much as the wrong end of a steely gaze.
-
-
-
Tuesday 14th April 2015 11:27 GMT DavCrav
Police did the right thing
It sounds wrong, but they did the right thing, from a rational perspective.
Not paying $300 isn't going to really stop these people doing it. If everyone stopped it, then maybe, but one organization not giving in won't make any difference.
Malware like this will (probably) hit online backups as well, so only an offline backup will work. These, by their very nature, cannot take place continuously, so suppose it is done daily. (The more often it is done the more likely you get hit with the malware while the connection is open.)
The cost in terms of time of recovering the offline backup, plus the cost of having everyone redo their on-average half day's work must far exceed $300.
-
Tuesday 14th April 2015 12:20 GMT Anonymous Coward
Crookcoin, they should ban this shit.
With any other form of currency there is an audit trail and you could convict the people responsible. Only with this virtual currency can you lose the cash and nobody will ever get arrested.
It's all very well talking about it being good for supporting those who are trying to secure our digital freedom, but it's also being used for masses of crimes and probably terrorism for all we know.
-
Tuesday 14th April 2015 22:00 GMT Michael Wojcik
With any other form of currency there is an audit trail and you could convict the people responsible.
Yes, which is precisely what happened with every ransomware attack before Bitcoin came along.
Oh, no, wait - it didn't, at all.
I have no interest in Bitcoin (except academic), but your claim is utter rubbish.
Nice deployment of the terrorism card, though. Perhaps you should mention sexual predators as well? And goblins - goblins are trouble, no doubt about it.
-
-
-
Tuesday 14th April 2015 14:10 GMT Paul Crawford
Re: How hard can it be?
Firstly it was most likely a Windows system.
Secondly, while you thought you were being smart, you just gave yourself a false sense of security - what about /tmp, /var/tmp (probably some others under /var as well), and /run/shm, which are by default world-writeable and support execution?
-
-
Tuesday 14th April 2015 22:21 GMT Dick Emery
Why do people still have access...
Why do companies still allow access to the main server network anyhow? Surely user access should be in VM's with limited access to run exe's outside on live server data (maybe sandbox the users from the data)? I think this is another case of Microsoft methodology of running the OS on every system (I use Windows exclusively BTW before you accuse me of being a *nix know it all). Companies with important data and especially government and law enforcement really need to rethink how they allow their users to access data and work on their backup strategies. Educating users on protective measures just isn't enough. People will continue to make mistakes.
-
Wednesday 15th April 2015 09:34 GMT (AMPC) Anonymous and mostly paranoid coward
Plus ca change,
"In the meantime, never, ever execute an attachment or download from an untrusted source."
This is a lesson taught in email security 101 and has been for years.
I am flabbergasted that a police station (or anyone else) would use a messaging system/provider that does not filter out and quarantine executable email attachments.
In our shop, we allowed PDF, Text and signed Office files and even those still carried some security risks. But letting people mail executables around is terminally stupid. Clicking on one is just the fruit of ignorance.
I hope they learn from this exercise and beef up the perimeter. There ought to be a law.
-
Wednesday 15th April 2015 18:21 GMT Conundrum1885
Re. There ought to be a law
The problem isn't just EXEs, there are variants of C-L that hide in drivers and also proprietary tools such as one you might download to update a media drive's firmware.
In some cases the site owners might not even know the wrapper has been added to the download as it can be linked to IP address range or something equally devious.