"[Police] insisted that the Massachusetts police systems were now clear of infection, and that essential operational computers were not affected, nor was there any data stolen."
According to every article I've read on the Internet, you can't steal data, only copy it. It's not stealing if the owner is not deprived of the original copy. Therefore, it's correct to say that no data was stolen.
I know I am replying to a troll comment, but here it is.
It is very easy to steal data. Copy the data, and then delete the original. However, the goal of this malware is to neither delete nor copy the data. It simply sabotages the data, after which the computer user has to pay in order to get the data restored.
It is kind of ridiculous how the police manage to damage their computers. As people in positions of power, they really need better training on security and handling equipment. I've seen Toughbooks with severe physical damage... and those things are REALLY hard to damage. At the very least, they need to be taught not to open email attachments from people they don't know.
Cryptolocker spreads with a really stupid email message, and an attachment you have to extract and then execute. You have to be incredibly technically inept to get hit with it.
So let's say you have to be so inept with computers that literally 98% of the population is more competent on them than you. If you hire 40 people, you have a better than 50% chance of getting someone that inept.
This is only true if your hiring method is "select people at random and draft them into working for you". Suppose I chose any 40 people who were currently developing software for Microsoft. What are my chances of getting one person among those who is at or below the 2nd percentile of computer literacy?
Followup questions:
How does Microsoft avoid hiring people below the 2nd percentile in computer literacy? They have way more than 50 developers.
Should the police force screen applicants in any way?
Is using a computer part of a police officer's job?
Are the police even able to compel randomly-chosen people to work for them? If not, the premise of your numbers is fatally flawed.
It's true, my numbers are flawed. Though I would ask, flawed in what way?
Is it more or less likely? The police don't hire on technical skill, presumably people of high skill in this area end up in different careers?
The accuracy of the numbers is, frankly, unimportant. What I was illustrating was the multiplicative effect, which remains relevant. I freely admit the numbers themselves were made up.
Well, you're right about how independent probabilities combine. But the situation you describe has so little relationship to hiring that I don't see how it's relevant to anything. In general, I don't expect to see someone at the 2nd percentile of ability holding down a job at all. Even very basic screening will keep them away with great reliability, because they're so far out of the norm. So I don't see this as a case of "sure, I made up figures that might be off by a factor of 10-100", I see this as you describing a situation utterly unrelated to any aspect of reality I'm familiar with. You can't just make some numeric tweaks to the model; the whole thing is fundamentally at odds with what you're trying to describe.
But if it were true, phishing would be largely a nonissue for workforces (other than the police, who often do set ultra-low thresholds for their screening).
> But if it were true, phishing would be largely a nonissue for workforces (other than the police, who often do set ultra-low thresholds for their screening).
I think you and I are on the same page.
I am curious as to why you think I'm off the mark. Even if people under the 2nd percentile are less likely to get hired, it doesn't really change the math; it's the same as saying: "but it's only people under the first percentile!"
Side note: I feel that 150 million people are employable in professions that don't require a competency with computers. At the very least I'm grateful that same property doesn't apply to carpentry or construction. As I'm easily in the first percentile for these trades, I'd NEVER get a job. I can't even hang a picture! Why does it always go wrong? T.T
I thought it was spreading with HMRC notices and fake invoice corrections?
The ones I've seen are pretty good, all the lingo is correct. They're pushing all the right buttons in the email which would immediately get an accountant or business owner to open it immediately to find out what was wrong.
The only obvious warning sign is the zip attachment.
Compression can obfuscate the virus from being easy to detect and therefore is more likely to arrive at its destination. There are tricks which can crash anti-virus applications that try to open specially crafted zips once it is on the user's computer.
> It is kind of ridiculous how the police manage to damage their computers. As people in positions of power, they really need better training on security and handling equipment. I've seen Toughbooks with severe physical damage
They probably just don't care because they're not paying for it themselves. A construction manager told me once that the rate at which his workers' phones were breaking dropped significantly when the workers were made to pay for the new phones themselves.
This is actually the first report of Cryptolocker where "Windows" was mentioned. I find it strange that most reports of malware I ever read never mention Windows.
I worked with a company which was affected. They opened a phishing email which claimed to be within the company. We didn't pay any ransom because we recovered from Crashplan backups.
Isn't opening an email attachment a standard, right thing to do? Aren't email attachments supposed to be the main ways to send someone a non-text file, by design? If so, blaming people for doing it is wrong. It is Windows that is wrong. It is the way that Windows lets these executables run and do these things that is wrong.
Considering the Cryptolocker executable does absolutely nothing to elevate itself to admin or exploit the system in any other way, it sounds like you're arguing in favor of a walled garden system where only preapproved binaries may run.
Not even preapproved binaries. No binaries at all should run by opening them from an email. It's simply a usability design decision by the developers of the email reader.
If I download a binary from the GMail web interface, the enterprise Outlook web interface, etc., how does Windows know the difference between that binary and a legitimate download received from my web browser? Sure, you get the "This program was downloaded from the Internet" popup (just like OSX), and group policy could dictate that no binaries from the Internet may run, but how is Windows supposed to tell the difference between an email web client and any other file downloaded from the web?
I just saved an attachment from GMail. When I go into the Get Info box (OSX), I can see what URL it came from. I'm sure that Windows attaches similar metadata when it saves attachments.
Maybe something like this could serve as a basis for what you propose. The attachment I saved came from https://mail-attachment.googleusercontent.com. Maybe the solution is as simple as webmail providers putting some standard hostname in their attachment URL that identifies it as an email attachment.
Unfortunately though, there are legitimate reasons to circumvent this (have you ever emailed yourself something so you could run it on another computer?), so it would only be a matter of time for attackers to figure out the social engineering required to convince people to jump through those hoops.
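An added example, not part of the original thread: on Windows the download metadata discussed above is stored in the file's `Zone.Identifier` alternate data stream, and this Python sketch parses that stream's text and applies the proposed "webmail attachment hostname" rule. The host list, extension list, verdict names and sample streams are assumptions constructed for illustration.

```python
import configparser
import os
from urllib.parse import urlsplit

# Assumed policy inputs (hypothetical, for illustration only).
WEBMAIL_ATTACHMENT_HOSTS = {"mail-attachment.googleusercontent.com"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
INTERNET_ZONE = 3  # ZoneId 3 = Internet, 4 = Restricted sites

# Constructed samples of Zone.Identifier stream contents.
SAMPLE_WEBMAIL = ("[ZoneTransfer]\nZoneId=3\n"
                  "HostUrl=https://mail-attachment.googleusercontent.com/a/constructed\n")
SAMPLE_WEB = ("[ZoneTransfer]\nZoneId=3\n"
              "HostUrl=https://downloads.example.com/setup.exe\n")


def parse_zone_identifier(text):
    """Return (zone_id, host_url) from Zone.Identifier text, or (None, None)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case (ZoneId, HostUrl)
    try:
        parser.read_string(text)
        section = parser["ZoneTransfer"]
    except (configparser.Error, KeyError):
        return None, None
    zone = (section.get("ZoneId") or "").strip()
    return (int(zone) if zone.isdigit() else None), section.get("HostUrl")


def decide(filename, zone_text):
    """Verdict for launching a file: 'allow', 'warn' or 'block'."""
    ext = os.path.splitext(filename.lower())[1]
    if ext not in EXECUTABLE_EXTENSIONS:
        return "allow"
    if zone_text is None:
        # No mark at all: created locally, or the mark was not preserved.
        return "allow"
    zone_id, host_url = parse_zone_identifier(zone_text)
    if zone_id is None or zone_id < INTERNET_ZONE:
        return "allow"
    host = (urlsplit(host_url or "").hostname or "").lower()
    # The rule proposed in the thread: executables saved from a known
    # webmail attachment host never run; other downloads get the usual prompt.
    return "block" if host in WEBMAIL_ATTACHMENT_HOSTS else "warn"
```

The `zone_text is None` branch is the gap raised in the last paragraph above: the rule only applies while the mark is still attached to the file.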
Anyone find it funny that the article warns about opening email attachments and at the bottom of the page is a signup form for a "zip file email." Poor wording choice.
How the hell would they even know?