Ransomware attack ‘like having a Tomahawk missile stolen’, says Microsoft boss

Brad Smith says Wannacry attack that locked up to 200,000 computers in 150 countries is a wake-up call amid fears more will be hit as week begins

The massive ransomware attack that caused damage across the globe over the weekend should be a wake-up call for governments, the president of Microsoft has said.

Security officials around the world are scrambling to find who was behind the attack, which affected 200,000 computer users and closed factories, hospitals and schools by using malicious software that is believed to have been stolen from the US National Security Agency.

Europol, the pan-European Union crime-fighting agency, said the threat was escalating and predicted the number of ransomware victims was likely to grow across the private and public sectors as people returned to work on Monday.

But Brad Smith, Microsoft president and chief legal officer, said on Sunday that it was the latest example of why the stockpiling of vulnerabilities by governments was such a problem.

Smith, whose company's older system software such as Windows XP was exploited by the ransomware, wrote in a blog post: "The governments of the world should treat this attack as a wake-up call. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.

"An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen."

Cyber security experts said the spread of the virus dubbed WannaCry had slowed but that the respite might only be brief amid fears it could cause new havoc on Monday when employees return to work.

New versions of the worm are expected, they said, and the extent and economic cost of the damage from Friday's attack were unclear.

"It's going to be big, but it's too early to say how much it's going to cost because we still don't know the magnitude of the attacks," said Mark Weatherford, a security executive whose previous jobs included a senior cyber post with the US Department of Homeland Security.

The investigations into the attack were in the early stages, and attribution for cyber attacks is notoriously difficult.

US President Donald Trump on Friday night ordered his homeland security adviser, Tom Bossert, to convene an emergency meeting to assess the threat posed by the global attack, a senior administration official told Reuters.

Senior US security officials held another meeting in the White House situation room on Saturday, and the FBI and the National Security Agency were working to help mitigate damage and identify the perpetrators of the attack, said the official, who spoke on condition of anonymity to discuss internal deliberations.

The NSA is widely believed to have developed the hacking tool that was leaked online in April and used as a catalyst for the ransomware attack.

The original attack lost momentum late on Friday after a security researcher inadvertently took control of a server connected to the outbreak, which crippled a feature that caused the malware to rapidly spread across infected networks.

Infected computers appear to largely be out-of-date devices that organisations deemed not worth the price of upgrading or, in some cases, machines involved in manufacturing or hospital functions that proved too difficult to patch without possibly disrupting crucial operations, security experts said.

Marin Ivezic, cyber security partner at PwC, said that some clients had been working around the clock since the story broke to restore systems and install software updates, or patches, or restore systems from backups.

Microsoft released patches last month and on Friday to fix a vulnerability that allowed the worm to spread across networks, a rare and powerful feature that caused infections to surge on Friday.

Code for exploiting that bug, which is known as Eternal Blue, was released on the internet in March by a hacking group known as the Shadow Brokers. The group said it was stolen from a repository of NSA hacking tools. The agency has not responded to requests for comment.

Hong Kong-based Ivezic said that the ransomware was forcing some more mature clients affected by the worm to abandon their usual cautious testing of patches to do unscheduled downtime and urgent patching, which is causing some inconvenience.

He declined to identify clients that had been affected.

The head of the European Union police agency said on Sunday the cyber assault hit 200,000 victims in at least 150 countries and that number would grow when people return to work on Monday.

"At the moment, we are in the face of an escalating threat. The numbers are going up, I am worried about how the numbers will continue to grow when people go to work and turn (on) their machines on Monday morning," Europol director Rob Wainwright told Britain's ITV.

Monday was expected to be a busy day, especially in Asia which may not have seen the worst of the impact yet, as companies and organisations turned on their computers.

"Expect to hear a lot more about this tomorrow morning when users are back in their offices and might fall for phishing emails or other as yet unconfirmed ways the worm may propagate," said Christian Karam, a Singapore-based security researcher.

Associated Press and Reuters contributed to this story

Read more: https://www.theguardian.com/technology/2017/may/15/ransomware-attack-like-having-a-tomahawk-missile-stolen-says-microsoft-boss
12 ways to hack-proof your smartphone

Protect your privacy, data and peace of mind with this guide to beating thieves, whether they're online or on the street

As we've recently seen from leaked CIA documents, no one is immune to hacking attacks. Here's how to protect yourself against them, whether they come from opportunist thieves or state-sponsored spies.

1. Keep up to date and don't open up holes yourself

When it comes to protecting yourself against hackers, step one is always to install software updates as soon as they become available: that's as true on smartphones as it is on computers. Yes, updating can be a tiresome and intrusive process, and it sometimes brings annoying changes to the interface that you're used to. All the same, a huge proportion of successful hacks exploit vulnerabilities that have already been patched; exposing yourself unnecessarily is just daft.

I'd also strongly advise against using unofficial tools to root your phone (known as jailbreaking on iOS), unless you know exactly what you're doing. On a rooted phone, technical safeguards can be defeated, allowing apps to perform all sorts of actions that are normally prohibited, and that can include snooping on your personal data.

2. Be careful of what you install

When you install a smartphone app, you may be asked to grant it various permissions, including the ability to read your files, access your camera or listen in to your microphone. There are legitimate uses for these capabilities, but they're potentially open to abuse: think before you approve the request. That applies especially to Android users, as Google's app-vetting process isn't as strict as Apple's, and there have been reports of malicious apps spending months on the Play Store before being spotted and taken down.

Android also lets you install apps from third-party sources: this allows services such as Amazon's competing Appstore to operate, but it also provides an easy way for rogue apps to get onto your phone. I'd strongly advise against installing anything from an unfamiliar website.

3. Review what's already on your phone

Even if the apps on your phone seemed simple and safe when you installed them, subsequent updates could have turned them into something more sinister. Take two minutes to review all the apps on your smartphone, and see which permissions they're using: on iOS, you'll find lots of relevant information under Settings > Privacy.

On Android, it's harder to get an overview of which apps have which permissions, but there are plenty of security apps that help here, including free packages from Avast and McAfee. These tools can also jump in and alert you if you're trying to install an app that's known to be malicious, and warn you if a phishing attack is trying to trick you into entering a password into an untrusted app or webpage.

4. Make it hard for intruders to get in

If a thief gets physical access to your phone, they can cause all sorts of trouble. For a start, your email app probably contains a trove of personal information. Make sure your phone is locked when not in use: both Android and iOS can be set to require a six-digit passcode. Your device may offer other options too, like fingerprints or facial recognition. Such methods aren't perfect: a really determined hacker could copy your fingerprints from a drinking glass, or trick a camera with a photograph of you. But they're a lot better than nothing.

And be wary of smart unlock features, which automatically unlock your phone when you're at home, or when your smartwatch is near; these could let a thief bypass your unlock code altogether.

5. Be prepared to track and lock your phone

Plan ahead, so even if your phone is stolen, you know your data is safe. One option is to set your phone to automatically erase itself after a certain number of incorrect attempts to enter the passcode.

If that seems a bit drastic, don't forget that both Apple and Google operate "find my device" services that can locate your phone on a map, and remotely lock or erase it. For Apple users, this is accessed through the iCloud website; you can check it's enabled on the phone in Settings > iCloud > Find My iPhone. Android users can access Google's service at google.co.uk/android/devicemanager. You can also make a missing phone ring, which is helpful for drawing attention to the thief, or for tracking down a handset that's been merely mislaid.

6. Don't leave online services unlocked

Auto-login is a very convenient feature, especially since a virtual keyboard can make typing passwords a chore. It's also a huge liability: an intruder simply needs to open your browser to gain access to all your online accounts.

Ideally, therefore, you shouldn't use auto-login features at all. If you must, use a password manager app that requires you to regularly re-enter a master password. And don't use the same password for more than one app or service: if that one password gets found out, it can be used to access a whole range of private information. This applies even if you're perfectly scrupulous about keeping your smartphone secure: hackers regularly break into online services to steal user credentials, which they then try out on other sites.

7. Adopt an alter ego

If you've followed this advice so far, it should be very difficult for anyone to get into your phone. However, some major hacks have been pulled off without any access to the victim at all. If someone can find out (for example) your date of birth, home town and mother's maiden name, all stuff that can be easily picked up from a site like Facebook, that's often all they need to reset a password and start breaking into your accounts. You can see off such attacks by fictionalising your past with details that are unlikely to be guessed; perhaps, for the purposes of security, you were born in 1999 to Mrs Victoria Beckham, née Adams. Just remember what you claimed, or you could end up locking yourself out.

Personal information can easily be gleaned from sites such as Facebook.

8. Beware open wifi

We all know there's a risk involved in using an open wireless network. But you may not realise how severe it is: anyone in the vicinity can snoop on what you're doing online. This sort of attack demands specialist software and skills, so it's unlikely to be a hazard in your local cafe, but it's not a danger that can be ignored.

If you're at all doubtful about a wireless network, don't connect; stick with your phone's mobile internet connection. Or use a VPN tool such as CyberGhost or TunnelBear (both available free for Android and iOS). These tools route your traffic through a private encrypted channel, so even if someone is monitoring your traffic they won't be able to see what you're up to.

9. Don't let lockscreen notifications give the game away

Lots of apps pop up messages and notifications on your phone's lockscreen. It's worth thinking about what these notifications may reveal. If you work for a big banking company, for example, a visible email from a work colleague or a meeting reminder tells a thief that this might be a particularly interesting phone to steal.

On iOS, also consider disabling access to Siri from the lockscreen. Siri isn't supposed to give away personal information before you enter your passcode to unlock the iPhone, but past hacks have let intruders use Siri to unlock the device, access details of contacts and view photos. It's safest to shut the feature off entirely: you'll find the option under Settings > Touch ID & Passcode > Disable Siri on the Lockscreen.

10. Lock individual apps

A strong passcode helps keep thieves out of your phone, but what if a stranger snatches your phone while you're using it? Or asks to borrow it to check a website, then bolts off down the street?

On Android, as a second line of defence, you can lock individual apps, so even if someone can get past your lockscreen, they can't open your email or banking app without a second password. This capability isn't built into the OS, but there are plenty of free apps that provide it, such as AVG AntiVirus Free. iOS users can't directly lock individual apps, but check out Folder Lock (free on the App Store), which can password-protect your documents and folders, reducing the amount of information a thief can access.

11. Get a warning when your phone goes walkies

If you're on the fence about investing in a smartwatch, here's a little-known feature that could swing it: Apple Watch and Android Wear devices can warn you immediately if they lose Bluetooth contact with your phone. If you get this notification while you're in a public place, there's a good chance someone's just picked your pocket, and is currently making off with your phone.

The device will normally be less than 50 metres away when the connection drops, so the warning gives you a chance to ring the phone right away, hopefully drawing attention to the thief and prompting them to jettison it. Failing that, you can lock it before the culprit has a chance to start trying to break in and steal your data.

12. Keep an eye on things behind the scenes

No matter how cautious you are, you can't completely eradicate the danger of your phone being hacked (not unless you refuse to install any apps or visit any websites). What you can do is supplement your on-device security measures with an online service. LogDog, available for both Android and iOS, is an app that monitors your identity on sites such as Gmail, Dropbox and Facebook. It alerts you to suspicious activity, such as logins from unfamiliar places, giving you a chance to step in and change your credentials before serious harm can be done. As a bonus, LogDog will also scan your email and highlight messages containing sensitive data such as credit card details and passwords, which you can then purge to ensure they don't fall into the wrong hands.

Read more: https://www.theguardian.com/technology/2017/mar/26/12-ways-to-hack-proof-your-smartphone-privacy-data-thieves