Police anti-ransomware warning is hotlinked to 'ransomware.pdf'

Did they BCC or CC?? If CC, then

Reply All: TAKE ME OFF THIS LIST RANSOMWARE ATTACHED

15
0
Silver badge

Ah, the NHS approach to DDoS.

9
0
Silver badge
Flame

That email

It's just lazy. I would view that as spam and do a StrongBad from HomeStarRunner.com and shout DELETED

4
0
Silver badge

a downloaded file might have a name or icon that makes it appear to be a document or media file (such as a PDF, MP3, or JPEG), when it is actually a malicious application. A malicious application disguised in this manner is known as a "Trojan".

Lots of people argued when the first OS X public beta came out that filename extensions shouldn't be used (they never had been before OS X) because then OS X could have the same malware problems as Windows. Apple ignored them.

2
3
LDS
Silver badge

If you don't use filename extensions, you need to use filesystem metadata (which is an issue to transfer across file systems that don't understand it, or across network transmission), or specific extensions to the file format (i.e. the resource fork), but they can still be spoofed, and may require a file type registration somewhere.

Maybe the OS could become a little more clever and try to understand when "uncommon" extensions (or better, common attempts to deceive users) are present, i.e. the .doc.exe or .pdf.exe extensions, and maybe add an overlay icon to any executable file, regardless of the file icon. Not resolutive solutions, but better than blindly displaying everything...

7
2
Silver badge

"Maybe OS could become a little more clever"

As in https://linux.die.net/man/1/file and https://linux.die.net/man/5/magic, both of which are long-time inhabitants of the Unix world.

9
1

I dislike having file extensions as the control given that a user today deleted several old .pdf files assuming they were documents when in fact they were Payroll Data Files*.

It was probably time to test the backups anyway!

*Quite why the payroll software uses this extension, and why they store user generated files in the same directory as the system data files is another matter.

14
0
LDS
Silver badge

You need to manually run magic; it's a utility, not an OS feature. I would like an OS checking automatically if a file attempts to pretend to be something else, using the magic library or something similar.

3
0
Silver badge

It's just a presentation/Finder problem. For files written by software, the file type could be stored with the file as an xattr. For mail attachments, the file type could be sent/received as a content type, ignoring file extensions completely. If no file type is available (e.g. external drive/network) then magic could be automatically run when Finder first sees the file and the result saved as an xattr. If magic guessed wrong then the user can change it in Get Info.

1
0
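The checks the last few posts ask for (flag a .pdf.exe-style double extension, and compare what the name promises with what the bytes actually are, the way file(1)/libmagic does) are small enough to sketch. The block below is an added example written for this page, not code from any OS or from the posters; it uses a tiny constructed signature table instead of libmagic, and the sample filenames and bytes are constructed.

```python
"""Added example: detect attachments whose name claims one type while the
leading bytes say another, and names that stack a document extension in
front of an executable one (e.g. invoice.pdf.exe). Standard library only;
the signature table is a constructed subset of what libmagic knows."""
from dataclasses import dataclass

# Constructed signature table: leading bytes -> type name (offset 0 only).
MAGIC = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"MZ": "pe-executable",
    b"\x7fELF": "elf-executable",
}

# Extensions that run code when double-clicked on Windows (assumed list).
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "pif"}
# Extensions a user reads as "just a document or media file".
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt",
                 "jpg", "jpeg", "png", "gif", "mp3"}
# What each known extension promises, in MAGIC's type names.
EXT_TO_TYPE = {"pdf": "pdf", "png": "png", "jpg": "jpeg", "jpeg": "jpeg",
               "gif": "gif", "exe": "pe-executable", "scr": "pe-executable",
               "com": "pe-executable"}


@dataclass
class Verdict:
    declared_ext: str      # extension the filename shows
    detected_type: str     # type the leading bytes indicate, or "unknown"
    double_extension: bool # document extension followed by executable one
    mismatch: bool         # name promises a known type, bytes say another

    @property
    def suspicious(self) -> bool:
        return self.double_extension or self.mismatch


def sniff_type(data: bytes) -> str:
    """Return the MAGIC type name for the leading bytes, or 'unknown'."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def declared_extension(filename: str) -> str:
    """Last dotted component of the name, lower-cased; '' if there is none."""
    name = filename.lower()
    return name.rsplit(".", 1)[1] if "." in name else ""


def has_deceptive_double_extension(filename: str) -> bool:
    """True for names like report.pdf.exe: a document-looking extension
    immediately followed by an executable one."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS and parts[-1] in EXECUTABLE_EXTS


def check_file(filename: str, data: bytes) -> Verdict:
    ext = declared_extension(filename)
    detected = sniff_type(data)
    expected = EXT_TO_TYPE.get(ext)
    # Only call it a mismatch when we know both what the name promises and
    # what the bytes are; an unknown extension (the .stl case) stays silent.
    mismatch = expected is not None and detected != "unknown" and detected != expected
    return Verdict(ext, detected, has_deceptive_double_extension(filename), mismatch)


if __name__ == "__main__":
    # Constructed samples: a real PDF header, a PE stub named as a document,
    # a PE stub with a double extension, and an ASCII STL the table doesn't know.
    samples = [
        ("Ransomware.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
        ("holiday.jpg", b"MZ\x90\x00\x03\x00\x00\x00"),
        ("invoice.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
        ("model.stl", b"solid cube\n facet normal 0 0 1\n"),
    ]
    for name, blob in samples:
        v = check_file(name, blob)
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{name:18} ext={v.declared_ext:4} bytes={v.detected_type:14} {flag}")
```

An OS-level version would run the same comparison when a file first appears (download, attachment save, removable media) and cache the result as metadata, which is what the xattr suggestion above amounts to; the point of the `mismatch` guard is that a sniffer must stay quiet on formats it does not recognise rather than guess, which is the failure the STL post below describes.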
Silver badge
Windows

I can't remember the application name but on my Apricot the Printer Definition Files were quite important!

Then again, deleting them was not so easy as it would mean finding the floppy disk, sticking a bit of tape over the notch, and then deleting them so although it could still be done, it would be harder to make it look like an accident.

2
0
Silver badge

"checking automatically if a file attempts to pretend to be something else"

I do 3D modelling and use STL (stereolithography) files a lot. Windows seems convinced they should be certificate trust list files (and certificate doesn't even start with an S!).

5
0
Anonymous Coward

Could have been worse, could have been called "ransomware.pdf.exe"

Are they really that incompetent? I suppose the PDF also tells you not to click links or open PDFs from unknown sources. Unless when you do open it, it comes up in big letters "You Stupid!" and explains why. That would be a good idea, and is a good idea for anyone who wants to see if people in their own organisation would open files that they shouldn't. Set up logging to the file on the network to see who accesses it, then disable their email and internet forever.

17
0
Black Helicopters

Are they really that incompetent?

It's the Police...

32
1
Silver badge

And what's the betting that the PDF contained absolutely nothing that couldn't have been written in plain text in the email, just with pretty pictures and logos?

My all-time greatest example of this stupidity was an email with an attached doc, that consisted of little except an embedded URL, which you clicked to reach a webpage that could have been an HTML email.

9
0
Silver badge

Are they really that incompetent?

Yes, this is nothing.

3
0
Silver badge
Facepalm

Are they really that incompetent?

See icon... only response I can come up with... my flabber is gasted.

0
0
Bronze badge
Coat

It's the Police...

So it's a Sting?

4
0
Silver badge

As you can see, we clicked the link – and after routing through some standard email marketing click tracker stuff, it hotlinks to a file titled "Ransomware.pdf". We chose not to let it open in our VM.

And you didn't try the file link from a Mac or Linux box?

For shame...

14
0
Bronze badge
Terminator

Watching this whole WannaCrypt debacle, it's like being stuck in the bubonic plague epidemic in the Dark Ages armed with a supply of antibiotics. All the while the natives wilfully ignore the cure and keep trying the old ineffective remedies, such as rubbing chopped-up onions on the infections. But it's a bacterium, you cry, and there is a cure. Not so, say the natives, it's the wrath of God because we've not been saying our prayers.

11
1

I didn't see any mention of the OS they were using?

Or is this an extension of the Mac's "Don't get Trojans" thing?

1
0

That's shrewd!

The police in the UK are playing a clever game:

Step 1: Get journalists to install ransomware

Step 2: Demand that any interesting targets (El Reg hacks who keep annoyingly revealing Gov's snoop fetish) reveal the passwords/encryption keys to the files they have in their possession

Step 3: Lock 'em up

That is how this works, right?

16
0
Silver badge

You know, when I see the Police doing mad stupid shit like this, it makes me wonder how on the ball they are when they're spying on everyone's communications?

Criminal: "You got any of that plastic stuff left over? Need it for a job tomorrow. It's a big one."

Copper: "Plastic stuff? A job tomorrow? Probably construction. Nothing to worry about."

----

Ordinary Joe: "Have you seen that big bomb in Aston mate? It's going to go off shortly?"

Copper: "TERRORIST! TERRORIST!!!!!"

17
0
Bronze badge

If you drive along a road at 21 mph, or steal something from a supermarket, they know how to deal with it. Anything more complicated, and they are completely out of their depth.

15
1
Silver badge

"You know, when I see the Police doing mad stupid shit like this, it makes me wonder how on the ball they are when they're spying on everyone's communications?"

They are terrible at it, mostly because that's someone else's job.

1
0
Silver badge

Frankly, yes.

But that's probably how it should be. Most people want a 999 call for somebody breaking in late at night answered by big burly chaps with lots of training in using handcuffs and a truncheon, and little hesitation in using both, rather than a nervous accountant/IT type. Not a new issue!

Basically, to go with basic physical enforcement of the law, the powers that be came to the conclusion in 1854 that they needed people with more subtle detective skills, hence CID. What we need now is a separate department to deal with IT issues, and drawing in people from the rank and file police is largely a waste of time.

Simple solution, create a department called Crime (IT) and then just hire enough people who can do "magic bits" (like resolving IP addresses) and explaining bits to police officers who are happy with going out with handcuffs.

9
0
Silver badge
Facepalm

"like resolving IP addresses"

with a GUI written in VB?

3
0
Anonymous Coward

Clueless Plods

If you drive along a road at 21 mph

They can't even get that right. The Plods routinely hand-hold their speed guns, thereby invalidating any readings. They also forget to calibrate them (has to be done daily to make their measurements valid) and when challenged to produce the Calibration Certificate bluster about it being "lost". If you get nicked by means of a speed gun, ALWAYS challenge it.

The clueless Plods will always be forced to back down and in many cases have had to pay substantial damages to the persecuted motorists. My last settlement from Thames Valley Plod was £8250 plus expenses of £4728 (I had to fly in from Canada to defend the case).

AC for obvious reasons!

1
0
Silver badge
Trollface

Why?

You have a vm, just open the damn link and be ready to nuke your vm should anything interesting come of it?

You have a pic, but what happened?

6
0
Bronze badge

Re: Why?

There is VM-escape malware out there, i.e. malware that can break out of a VM and infect the hypervisor and all VMs running under that hypervisor.

0
0

McAfee sent a very similar email out...

Dear McAfee Customer,

Be careful what you click on. This malware was distributed by phishing emails. You should only click on emails that you are sure came from a trusted source. <ul>Click here</ul> to learn more about phishing emails.

13
0

Mmmm

"Always use caution when opening (such as by double-clicking) files that come from someone you do not know,..."

My advice:

Always delete emails without reading or opening attachments when they come from someone you don't know. Always treat with caution email attachments from those you do know.

11
0

Re: Mmmm

..and make sure that mail preview windows are DISABLED - because they open attachments automatically.

0
3
Silver badge

Re: Mmmm

"Always use caution when opening (such as by double-clicking) files"

And what do you do if you have double click disabled?

I don't think they've thought this through.

0
0
Bronze badge
WTF?

Re: Mmmm

"..and make sure that mail preview windows are DISABLED - because they open attachments automatically."

I've never seen a preview window open any attachment automatically. Care to cite your source or name the software?

Unless you're referring to displaying inline images, which is a different matter. Excepting rendering bugs, they are not executable or exploitable.

4
0
Silver badge

Re: Mmmm

"Coming from someone you know" is a pretty low hurdle to clear. Was a useless rule for dealing with last week's attack.

And seriously, preview panes opening attachments automatically? That hasn't happened in at least 10 years, probably longer. By default, most email clients don't even download linked web content such as images, much less execute anything.

3
0
Silver badge

Re: Mmmm

Unless you're referring to displaying inline images, which is a different matter

And in most (certainly the competent ones) mail UI programmes, you have to explicitly allow remote images..

1
0
Silver badge
Facepalm

How things have changed

The advice about e-mail safety these days is very different from what it used to be back when I first got on the net (dinosaurs still walked the earth in those days).

In the early days of the intertoobz, people were told it was perfectly safe to open attachments that were images, it was only executables they had to worry about.

It wasn't so long before that advice was rescinded, thanks to Microsoft "helpfully" hiding file extensions. So that "x.gif.exe" was described as "x.gif" (but had a strange icon). The advice became "make sure it's really an image before you open it."

That was superseded by "Microsoft's buggy image-handling routines mean it's no longer safe to open image attachments even if they really are images."

Then spammed malware became common so advice was amended to include not opening attachments from unknown sources.

Then malware writers clued up and started going through the user's address books. So you'd get infected spam mail from people you knew. So only opening mail from known sources was no longer a defence.

But things have changed:

Always use caution when opening (such as by double-clicking) files that come from someone you do not know

There ya go. This problem has been solved without me realizing it. Something (I don't know what) now makes it perfectly safe to open attachments from people you know. It's only attachments from people you don't know that are unsafe.

Now I can open that mail from my mate Tom, the one titled "Look at these pics of what I got up to when I was drunk last Saturday." It's perfectly safe. It's not just El Reg telling me this, it's almost every news site on teh interwebz. New technology, released without announcement, now means it's perfectly safe to open attachments as long as they're from people you know.

Before everyone downthumbs me, I did see the bit about "or if you were not expecting them." The thing is, I often get unexpected mail from friends because they're eager to tell me about something I didn't even know happened. Such mail may contain attachments. And if the text is brief enough and generic enough, it will seem genuine to a large proportion of people.

So the real advice is "Don't open attachments. Ever." Oh, but there was that bug in some mail readers where merely opening the mail passed attachments through to rendering s/w so you could see a thumbnail of it, and the rendering s/w was flawed. So the real advice is "Don't read mail. Ever." Oh, but wasn't there a mail reader that would pre-generate the thumbnail before you opened the mail, and that had a flaw? So the real advice is "Don't fire up your mail reader. Ever."

Ob Hill Street Blues

22
0
Anonymous Coward

Re: How things have changed

Ah yes. The old file extension trick. The old ones are the best.

Please forward this message on and all your dreams will come true plus you'll get a blowjob and save 5 puppies from being thrown in a burning oil drum in front of starving African children who will also get a meal and clean water if you forward this on.

6
0
Silver badge

Re: How things have changed

The thing is, everyone knows this sort of advice doesn't really make anyone safer. It's just The Authorities covering their collective arse.

This way, when someone gets hit, they can throw up their hands and say "We told them!" And that means it's officially Not Their Problem any more.

If the gov't could designate someone whose problem it definitively is, then we might get something more useful. Until then, we're on our own.

2
0
Silver badge

Re: How things have changed

In the early days of the intertoobz, people were told it was perfectly safe to open attachments

In the old days, emails were 7-bit ASCII and you didn't have to worry about complicated stuff like attachments. Because they didn't really happen..

Links to dodgy FTP or gopher sites.. well, yes. But they were generally of the "don't let your boss/SO/HR department see you open this" type of link..

Ahhh. The old days were the oldest!

0
0

Re: How things have changed

Plain text.

I send email in plain text PGP signed. I read in plain text.

All attachments are potentially unsafe and a plain text rendering of an email will indicate if any links contained within point to mycutekitty.org or iownyaass.com

0
0
Bronze badge
Linux

We chose not to open the PDF file

Have you tried booting from a Linux CD and then opening the file?

--

Microsoft, the company that made letters and numbers dangerous

7
0
Silver badge

Re: We chose not to open the PDF file

Have you tried booting from a Linux CD and then opening the file?

Is the almost-right answer.

Have you tried booting from a Linux CD, disconnecting the network, and then opening the file?

See, better!

7
0
Silver badge
Unhappy

Re: We chose not to open the PDF file

"Microsoft, the company that made letters and numbers dangerous"

They also gave us widespread use of the Arial font by dint of defaulting to the first font alphabetically.

It was a pleasant change from the previous choices of Times New Roman or Courier, but gave us a font in which capital I, lowercase L and the numeral 1 all look the same.

6
0
Silver badge

Re: We chose not to open the PDF file

Objection! The numeral 1 in Arial is quite distinctive, nothing like the lowercase L or capital I.

But Arial is also the venue of Microsoft's biggest crime against typography, and that is "zero thought put into kerning". Which means that in a lot of MS-derived software, it's impossible to tell the difference, visually, between 'd' and 'cl', or 'm' and 'rn'.

6
0
Bronze badge

Re: We chose not to open the PDF file

Have you tried booting from a Linux CD, disconnecting the network, and then opening the file?

Yes...but forgot to put it in the Faraday cage.

4
0
Silver badge

Re: We chose not to open the PDF file

Yes...but forgot to put it in the faraday cage.

Oh no, you don't put it in the Faraday cage, that is what your tin-foil hat is for!

You do have one, don't you?

0
0
Bronze badge
Joke

Re: We chose not to open the PDF file

What is this keming of which you speak?

2
0
Silver badge
Go

Re: We chose not to open the PDF file

Kerning (and yes I saw what you did there) - there's an obligatory xkcd for that!

0
0

Oops

DOH !!!

0
0
