Critical flaws in embedded TCP/IP library impact millions of IoT devices across industries

The memory corruption flaws exist in a wide range of commercial and consumer devices, and can allow full takeover of them.

Millions of devices, from consumer products like printers and IP cameras to specialized devices used across organizations such as video conferencing systems and industrial control systems, are at risk due to critical vulnerabilities found in an embedded TCP/IP library. Some of the flaws allow for remote code execution over the network and can lead to a full compromise of the affected device.

The vulnerabilities were found by an Israeli company called JSOF that specializes in the security of IoT and embedded devices. They affect a proprietary implementation of network protocols developed by a company called Treck. The researchers found 19 flaws, several of which are rated critical, and have dubbed them Ripple20 because they were reported in 2020 and have a ripple effect across the embedded supply chain.

JSOF worked with researchers from IoT security and visibility firm Forescout to identify potentially affected products by using TCP/IP network signatures in its large knowledge base of embedded devices. The researchers also worked with ICS-CERT, the critical infrastructure arm of the US Cybersecurity and Infrastructure Security Agency (CISA), to notify and confirm affected products and vendors.

So far, products from 11 vendors have been confirmed as vulnerable, including infusion pumps, printers, UPS systems, networking equipment, point-of-sale devices, IP cameras, video conferencing systems, building automation devices, and ICS devices, but the researchers believe the flaws could impact millions of devices from over 100 vendors.

Memory corruption vulnerabilities

All the vulnerabilities are memory corruption issues that stem from errors in the handling of packets sent over the network using different protocols, including IPv4, ICMPv4, IPv6, IPv6OverIPv4, TCP, UDP, ARP, DHCP, DNS or the Ethernet Link Layer. Two vulnerabilities are rated 10 in the Common Vulnerability Scoring System (CVSS), which is the highest possible severity score. One can result in remote code execution and one in an out-of-bounds write. Two other flaws are rated above 9, meaning they’re also critical and can result in remote code execution or the exposure of sensitive information.

Even if rated lower, the remaining vulnerabilities might be serious, as CVSS scores don’t always reflect the risk to actual deployments based on the type of devices. For example, in a critical infrastructure or healthcare setting, a denial-of-service vulnerability that prevents a device from performing its vital function can be seen as critical and could have disastrous consequences.

When it comes to critical infrastructure, the CIA triad of security properties—confidentiality, integrity and availability—is reversed, and you worry about availability more because operations need to be running, for example, at a railway, at a gas pipeline or in a manufacturing plant, Daniel dos Santos, a research manager at Forescout, tells CSO.

“The reason why a denial-of-service issue would still not be considered critical in critical infrastructure is that there are simply too many of them,” Shlomi Oberman, the CEO of JSOF, tells CSO. “There are all sorts of resource consumption issues that are not being solved, and we have a long way to go and a big fight to fight until we get there. We’re still trying to reach a state where everybody at least fixes their remote code executions.”

Supply chain complexity

The Ripple20 flaws highlight the difficulty of understanding the scope of security vulnerabilities in the IoT and embedded device world due to the complex supply chain and a lack of a software bill of materials in the development process. Some affected vendors were not even aware they had this TCP/IP library in their products, because it was actually used by a third-party hardware module or component that was part of their devices.

One example is the medical devices from Baxter, which are vulnerable because they use hardware modules from Digi International, a large system-on-module (SoM) manufacturer, which uses the Treck library in its components.

Most operating systems have their own networking stacks, but this is not always true in the embedded world, where a hardware component might not run a full operating system yet could still have network connectivity built in.

Treck is one of a few independent developers of low-level network protocols for embedded devices, with implementations of ICMPv6, IPv6, TCP, UDP, ICMPv4, IPv4, ARP, Ethernet, DHCP, DNS and more. Its TCP/IP stack has been around for some 20 years, and the complex supply chain relationships have created a fragmentation problem. Different versions of the library ended up in a variety of products, some directly, some indirectly through a component supplier.

Some suppliers might have long gone out of business, were acquired by other companies, or ended their production of those components. Some of the affected products might have reached end-of-support or are hard to patch because they don’t have easy update mechanisms. Others might be serving critical functions in factories and industrial installations and can’t easily be taken offline to be updated.

The JSOF researchers said a few of the issues they found exist only in older versions of the Treck TCP/IP stack and have disappeared over the years due to code rewrites. However, those code changes were not necessarily intentional security fixes, so customers did not treat them as security updates. Vulnerable and old versions of the library are still used by devices in the wild.

Most of the vulnerabilities, though, including the critical ones, were zero-days when they were discovered, meaning they affected even the latest version of the library, so affected vendors should update their products, which is not always an easy process. Treck has developed patches for all the vulnerabilities, but not all affected vendors had support contracts with the company, so they had to renew their contracts, Shlomi Oberman tells CSO.

Total number of affected vendors unknown

That’s only for the big vendors who were able to confirm they are affected. Many others were not even able to confirm that they are affected. Just like with the URGENT/11 vulnerabilities that were disclosed last year in the IPnet TCP/IP stack of VxWorks, a widely used embedded real-time operating system (RTOS), Oberman expects more vendors will confirm that they are vulnerable to Ripple20 as time goes on. “There is a list of around 100 potentially affected vendors and only about 15 have confirmed so far,” he says. “We estimate that hundreds of millions of devices are affected.”

The confirmed vendors include HP, which uses the library in some of its printers; Hewlett Packard Enterprise (HPE); Intel, which uses the stack in the AMT out-of-band management firmware for Intel vPro-enabled systems; Schneider Electric, which uses Treck in its uninterruptible power supply (UPS) devices and potentially other products; Rockwell Automation; medical device manufacturers Baxter and B. Braun; construction and mining equipment manufacturer Caterpillar; IT services firm HCL Technologies; and component manufacturer Digi International.

To exacerbate the supply chain problems, a separate variant of the Treck TCP/IP stack called KASAGO is commercialized in the Asian market by a company called Elmic. That, too, likely has many of the same vulnerabilities and adds to the supply chain complexity.

JSOF and Forescout have worked to develop signatures based on traffic patterns that could be used to identify potentially vulnerable devices. On top of that, they did a lot of open-source intelligence gathering: analyzing legal and copyright documentation for products, looking for mentions of Treck in stack traces and debugging symbols during firmware analysis, and discovering business relationships between the library developer and various vendors on LinkedIn.

Forescout added the detection capability to its own IoT visibility and management products and JSOF plans to release some of the information so that businesses can develop scanning and monitoring capabilities for their own networks to identify devices that might contain the affected Treck library and isolate them. Devices that are exposed directly to the internet are at immediate risk, but these vulnerabilities can also be exploited for lateral movement through networks and the compromised devices could serve as a persistent foothold for attackers.

A Shodan search for 37 affected device models from 18 vendors performed by Forescout revealed around 15,000 devices that are directly connected to the internet and could potentially be compromised by anyone.

The idea of having a software bill of materials for all technology products similar to the labels on food products could be interesting, but so far it doesn’t exist in the real world, dos Santos says. “So, what you can do is to have a sort of network monitoring approach like the one we did at scale, but for your organization to see in your group, what devices you have and what devices are potentially impacted by using traffic patterns and signatures and so on like the ones that JSOF developed.”

The JSOF report contains additional mitigation advice.

This story, “Critical flaws in embedded TCP/IP library impact millions of IoT devices across industries,” was originally published by CSO.

Lucian Constantin is a senior writer at CSO, covering information security, privacy, and data protection.

What is cryptojacking? How to prevent, detect, and recover from it

Criminals are using ransomware-like tactics and poisoned websites to get your employees’ computers to mine cryptocurrencies. Here’s what you can do to stop it.

Cryptojacking definition

Cryptojacking is the unauthorized use of someone else’s computer to mine cryptocurrency. Hackers do this by either getting the victim to click on a malicious link in an email that loads cryptomining code on the computer, or by infecting a website or online ad with JavaScript code that auto-executes once loaded in the victim’s browser.

Either way, the cryptomining code then works in the background as unsuspecting victims use their computers normally. The only sign they might notice is slower performance or lags in execution.

How cryptojacking works

Hackers have two primary ways to get a victim’s computer to secretly mine cryptocurrencies. One is to trick victims into loading cryptomining code onto their computers. This is done through phishing-like tactics: Victims receive a legitimate-looking email that encourages them to click on a link. The link runs code that places the cryptomining script on the computer. The script then runs in the background as the victim works.

The other method is to inject a script on a website or an ad that is delivered to multiple websites. Once victims visit the website or the infected ad pops up in their browsers, the script automatically executes. No code is stored on the victims’ computers. Whichever method is used, the code runs complex mathematical problems on the victims’ computers and sends the results to a server that the hacker controls.

Hackers often will use both methods to maximize their return. “Attacks use old malware tricks to deliver more reliable and persistent software [to the victims’ computers] as a fall back,” says Alex Vaystikh, CTO and cofounder of SecBI. For example, of 100 devices mining cryptocurrencies for a hacker, 10% might be generating income from code on the victims’ machines, while 90% do so through their web browsers.

Some cryptomining scripts have worming capabilities that allow them to infect other devices and servers on a network. This also makes them harder to find and remove; maintaining persistence on a network is in the cryptojacker’s best financial interest.

To increase their ability to spread across a network, cryptomining code might include multiple versions to account for different architectures on the network. In one example described in an AT&T Alien Labs blog post, the cryptomining code simply downloads the implants for each architecture until one works.

The scripts might also check to see if the device is already infected by competing cryptomining malware. If another cryptominer is detected, the script disables it. A cryptominer might also have a kill prevention mechanism that executes every few minutes, as the AT&T Alien Labs post notes.

Unlike most other types of malware, cryptojacking scripts do no damage to computers or victims’ data. They do steal CPU processing resources. For individual users, slower computer performance might be just an annoyance. Organizations with many cryptojacked systems can incur real costs in terms of help desk and IT time spent tracking down performance issues and replacing components or systems in the hope of solving the problem.

Why cryptojacking is popular

No one knows for certain how much cryptocurrency is mined through cryptojacking, but there’s no question that the practice is rampant. Browser-based cryptojacking grew fast at first, but seems to be tapering off, likely because of cryptocurrency volatility and the closing of Coinhive, the most popular JavaScript miner that was also used for legitimate cryptomining activity, in March 2019. The 2020 SonicWall Cyber Threat Report reveals that the volume of cryptojacking attacks fell 78% in the second half of 2019 as a result of the Coinhive closure.

The decline began earlier, however. Positive Technologies’ Cybersecurity Threatscape Q1 2019 report shows that cryptomining now accounts for only 7% of all attacks, down from 23% in early 2018. The report suggests that cybercriminals have shifted more to ransomware, which is seen as more profitable.

“Cryptomining is in its infancy. There’s a lot of room for growth and evolution,” says Marc Laliberte, threat analyst at network security solutions provider WatchGuard Technologies.

In January 2018, researchers discovered the Smominru cryptomining botnet, which infected more than a half-million machines, mostly in Russia, India, and Taiwan. The botnet targeted Windows servers to mine Monero, and cybersecurity firm Proofpoint estimated that it had generated as much as $3.6 million in value as of the end of January.

Cryptojacking doesn’t even require significant technical skills. According to the report, The New Gold Rush Cryptocurrencies Are the New Frontier of Fraud, from Digital Shadows, cryptojacking kits are available on the dark web for as little as $30.

The simple reason why cryptojacking is becoming more popular with hackers is more money for less risk. “Hackers see cryptojacking as a cheaper, more profitable alternative to ransomware,” says Vaystikh. With ransomware, a hacker might get three people to pay for every 100 computers infected, he explains. With cryptojacking, all 100 of those infected machines work for the hacker to mine cryptocurrency. “[The hacker] might make the same as those three ransomware payments, but cryptomining continuously generates money,” he says.

The risk of being caught and identified is also much less than with ransomware. The cryptomining code runs surreptitiously and can go undetected for a long time. Once discovered, it’s very hard to trace back to the source, and the victims have little incentive to do so since nothing was stolen or encrypted. Hackers tend to prefer anonymous cryptocurrencies like Monero and Zcash over the more popular Bitcoin because it is harder to track the illegal activity back to them.

Real-world cryptojacking examples

Cryptojackers are a clever lot, and they’ve devised a number of schemes to get other peoples’ computers to mine cryptocurrency. Most are not new; cryptomining delivery methods are often derived from those used for other types of malware such as ransomware or adware. “You’re starting to see a lot of the traditional things mal-authors have done in the past,” says Travis Farral, director of security strategy at Anomali. “Instead of delivering ransomware or a Trojan, they are retooling that to deliver crypto-mining modules or components.”

Here are some real-world examples:

Spear-phishing PowerGhost steals Windows credentials

The Cyber Threat Alliance’s (CTA’s) The Illicit Cryptocurrency Mining Threat report describes PowerGhost, first analyzed by Fortinet, as stealthy malware that can avoid detection in a number of ways. It first uses spear phishing to gain a foothold on a system, and it then steals Windows credentials and leverages Windows Management Instrumentation and the EternalBlue exploit to spread. It then tries to disable antivirus software and competing cryptominers.

Graboid, a cryptominer worm spread using containers

In October, Palo Alto Networks released a report describing a cryptojacking botnet with self-spreading capabilities. Graboid, as they named it, is the first known cryptomining worm. It spreads by finding Docker Engine deployments that are exposed to the internet without authentication. Palo Alto Networks estimated that Graboid had infected more than 2,000 Docker deployments.

Malicious Docker Hub accounts mine Monero

In June 2020, Palo Alto Networks identified a cryptojacking scheme that used Docker images on the Docker Hub network to deliver cryptomining software to victims’ systems. Placing the cryptomining code within a Docker image helps avoid detection. The infected images were accessed more than two million times, and Palo Alto estimates that the cryptojackers realized $36,000 in ill-gotten gains.

MinerGate variant suspends execution when victim’s computer is in use

According to the CTA report, Palo Alto Networks has analyzed a variant of the MinerGate malware family and found an interesting feature. It can detect mouse movement and suspend mining activities. This avoids tipping off the victim, who might otherwise notice a drop in performance.

BadShell uses Windows processes to do its dirty work

A few months ago, Comodo Cybersecurity found malware on a client’s system that used legitimate Windows processes to mine cryptocurrency. Dubbed BadShell, it used:

PowerShell to execute commands—a PowerShell script injects the malware code into an existing running process.
Task Scheduler to ensure persistence.
The Registry to hold the malware’s binary code.

You can find more details on how BadShell works in Comodo’s Global Threat Report Q2 2018 Edition.
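For the three components listed above, here is an added defender-side hunting script; it is not Comodo’s or the article’s own code. It enumerates scheduled tasks that launch PowerShell with suspicious arguments and lists registry values large enough to hold a stored binary. The indicator regexes, the registry roots and the 20 KB threshold are assumptions chosen for illustration.

```powershell
# Added example: a hunt for the BadShell pattern described above
# (Task Scheduler -> PowerShell -> payload read from the registry). This is not
# code from Comodo's report or the article. The indicator regexes, the
# registry roots and the size threshold are assumptions chosen for illustration.

function Test-SuspiciousPowerShellArguments {
    # Returns the indicators that match a PowerShell command line (-match is
    # case-insensitive by default).
    param([string]$Arguments)

    $indicators = @(
        @{ Pattern = '-(enc|ec|encodedcommand)\b';             Reason = 'encoded command' }
        @{ Pattern = '-w(indowstyle)?\s+hidden';               Reason = 'hidden window' }
        @{ Pattern = 'Get-ItemProperty|HK(LM|CU):|Registry::'; Reason = 'reads data from the registry' }
        @{ Pattern = 'FromBase64String';                       Reason = 'base64 decoding' }
        @{ Pattern = 'Invoke-Expression|\bIEX\b';              Reason = 'executes a built string' }
        @{ Pattern = '-nop(rofile)?\b';                        Reason = 'skips the profile' }
    )
    $hits = foreach ($i in $indicators) {
        if ($Arguments -match $i.Pattern) { $i.Reason }
    }
    return @($hits)
}

function Find-BadShellStyleTasks {
    # Reports scheduled tasks whose action runs PowerShell with at least
    # $MinimumIndicators of the indicators above.
    [CmdletBinding()]
    param([int]$MinimumIndicators = 2)

    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only Exec actions carry Execute/Arguments; skip COM handler and e-mail actions.
            if (-not $action.Execute) { continue }
            if ($action.Execute -notmatch 'powershell|pwsh') { continue }

            $reasons = Test-SuspiciousPowerShellArguments -Arguments ([string]$action.Arguments)
            if ($reasons.Count -lt $MinimumIndicators) { continue }

            $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath
            [pscustomobject]@{
                Task        = "$($task.TaskPath)$($task.TaskName)"
                RunAs       = $task.Principal.UserId
                State       = $task.State
                LastRunTime = $info.LastRunTime
                Execute     = $action.Execute
                Arguments   = $action.Arguments
                Indicators  = ($reasons -join '; ')
            }
        }
    }
}

function Find-LargeRegistryValues {
    # Lists registry values big enough to hold an executable image, which is
    # where a loader that keeps its binary in the registry has to put it.
    # Walking whole hives is slow; narrow $KeyPath once you know where to look.
    param(
        [string[]]$KeyPath = @('HKLM:\SOFTWARE', 'HKCU:\SOFTWARE'),
        [int]$MinimumLength = 20KB
    )

    foreach ($root in $KeyPath) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                $value = $key.GetValue($name)
                $length = 0
                if ($value -is [byte[]]) { $length = $value.Length } elseif ($value -is [string]) { $length = $value.Length }
                if ($length -ge $MinimumLength) {
                    [pscustomobject]@{
                        Key    = $key.Name
                        Value  = $name
                        Kind   = $key.GetValueKind($name)
                        Length = $length
                    }
                }
            }
        }
    }
}

# Usage: run from an elevated prompt so every task and hive is readable.
Find-BadShellStyleTasks | Format-Table -AutoSize
Find-LargeRegistryValues | Sort-Object Length -Descending | Select-Object -First 20
```

A hit in the first report is only a lead: legitimate administration tasks also run hidden, non-interactive PowerShell, so check the arguments and the task’s author before acting.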

Rogue employee commandeers company systems

At the EmTech Digital conference earlier this year, Darktrace told the story of a client, a European bank, that was experiencing some unusual traffic patterns on its servers. Night-time processes were running slowly, and the bank’s diagnostic tools didn’t discover anything. Darktrace discovered that new servers were coming online during that time—servers that the bank said didn’t exist. A physical inspection of the data center revealed that a rogue staffer had set up a cryptomining system under the floorboards.

Serving cryptominers through GitHub

In March, Avast Software reported that cryptojackers were using GitHub as a host for cryptomining malware. They find legitimate projects from which they create a forked project. The malware is then hidden in the directory structure of that forked project. Using a phishing scheme, the cryptojackers lure people to download that malware through, for example, a warning to update their Flash player or the promise of an adult content gaming site.

Exploiting an rTorrent vulnerability

Cryptojackers have discovered an rTorrent misconfiguration vulnerability that leaves some rTorrent clients accessible without authentication for XML-RPC communication. They scan the internet for exposed clients and then deploy a Monero cryptominer on them. F5 Networks reported this vulnerability in February, and advises rTorrent users to make sure their clients do not accept outside connections.

Facexworm: Malicious Chrome extension

This malware, first discovered by Kaspersky Labs in 2017, is a Google Chrome extension that uses Facebook Messenger to infect users’ computers. Initially Facexworm delivered adware. Earlier this year, Trend Micro found a variant of Facexworm that targeted cryptocurrency exchanges and was capable of delivering cryptomining code. It still uses infected Facebook accounts to deliver malicious links, but can also steal web accounts and credentials, which allows it to inject cryptojacking code into those web pages.

WinstarNssmMiner: Scorched earth policy

In May, 360 Total Security identified a cryptominer that spread quickly and proved effective for cryptojackers. Dubbed WinstarNssmMiner, this malware also has a nasty surprise for anyone who tries to remove it: It crashes the victim’s computer. WinstarNssmMiner does this by first launching an svchost.exe process, injecting code into it, and setting the spawned process’s attribute to CriticalProcess. Since the computer sees it as a critical process, it crashes once the process is removed.

CoinMiner seeks out and destroys competitors

Cryptojacking has become prevalent enough that hackers are designing their malware to find and kill already-running cryptominers on systems they infect. CoinMiner is one example.

According to Comodo, CoinMiner checks for the presence of an AMDDriver64 process on Windows systems. Within the CoinMiner malware are two lists, $malwares and $malwares2, which contain the names of processes known to be part of other cryptominers. It then kills those processes.

Compromised MikroTik routers spread cryptominers

Bad Packets reported in September last year that it had been monitoring over 80 cryptojacking campaigns that targeted MikroTik routers, providing evidence that hundreds of thousands of devices were compromised. The campaigns exploited a known vulnerability (CVE-2018-14847) for which MikroTik had provided a patch. Not all owners had applied it, however. Since MikroTik produces carrier-grade routers, the cryptojacking perpetrators had broad access to systems that could be infected.

How to prevent cryptojacking

Follow these steps to minimize the risk of your organization falling prey to cryptojacking:

Incorporate the cryptojacking threat into your security awareness training, focusing on phishing-type attempts to load scripts onto users’ computers. “Training will help protect you when technical solutions might fail,” says Laliberte. He believes phishing will continue to be the primary method to deliver malware of all types.

Employee training won’t help with auto-executing cryptojacking from visiting legitimate websites. “Training is less effective for cryptojacking because you can’t tell users which websites not to go to,” says Vaystikh.

Install an ad-blocking or anti-cryptomining extension on web browsers. Since cryptojacking scripts are often delivered through web ads, installing an ad blocker can be an effective means of stopping them. Some ad blockers like Adblock Plus have some capability to detect cryptomining scripts. Laliberte recommends extensions like No Coin and MinerBlock, which are designed to detect and block cryptomining scripts.

By Michael Nadeau

Senior Editor, CSO | July 9, 2020

Windows 10 is on track to reach 85% by mid-2021

It’s not unusual for Windows 10 use to rise as Windows 7’s use falls, which is what happened (again) in June. One continuing surprise: it was the third straight month where Linux saw gains.

Windows 10 recorded strong growth again in June as the five-year-old operating system added more than a percentage point in share just as the now-obsolete Windows 7 retreated by almost as much.

According to metrics vendor Net Applications, Windows 10 grew by 1.1 percentage points to reach 58.9% of global OS share last month, which represented 68% of all Windows’ editions. Both numbers were again records for Windows 10, with the latter putting the operating system on track for reaching a 70% share of Windows within 60 days.

Windows 10’s percentage of only Windows PCs was significantly larger than the percentage of all personal computers because Windows does not power every system. In June, Windows was the OS of 86.7% of the world’s personal computers, the same fraction as in May and like that month, a record low for Microsoft’s operating system. Of the remaining 13.3%, all but a puny seven-hundredths of a point ran macOS, Linux or Chrome OS.

As Windows 10 went up, so Windows 7 went down.

For the second straight month, Windows 7 lost share, parting in June with nine-tenths of a percentage point, dropping to 23.4% of all PCs and to 26.9% of just Windows. Windows 7 hadn’t been at a share level that low since January 2011, more than nine years ago and only 15 months after its launch.

Back to normal? Windows, maybe … the world, not so much

This two-month run of Windows share normalcy – Windows 7 loses share, Windows 10 picks it up, plus some – was in contrast to earlier this year, when the reverse was the case. Computerworld has tried to explain the odd turnabout as caused, at least partially, by the coronavirus pandemic and the chaos it generated when millions were sent home to work from there.

In those explanations, the historic work-at-home numbers and the abandonment of the usual workplaces meant a downturn in Windows 7-to-Windows 10 migrations – accounting for the March-April rise of the former and fall of the latter. Then, in May, when some parts of the country took steps to reopen commerce and companies called employees back to their normal work-day haunts, the tide reversed, with Windows 7 falling and 10 climbing.

Frankly, while that thinking may be true, the upside-down, inside-out nature of COVID-19’s impact makes it all guesswork. For although some parts of the world – Europe comes to mind – have made solid strides in restarting economies, other swaths – the U.S., for example – are in such disarray that one state relaxes restrictions even as another restores lockdown.

Short version? At least something is normal, more or less. Be happy with that.

The June upswing shifted the Computerworld forecasts for both Windows 7 and Windows 10. The former should slide under 20% of all Windows not long after 2020’s end; a year from now, Windows 7 will dip to around 13%. Meanwhile, Windows 10 will pass 70% (of Windows only) by the end of August and within a year, reach nearly 85%.

Elsewhere in Net Applications’ numbers, June saw a third straight unexplained upswell by Linux. The category, which lumps together all distributions, added four-tenths of a percentage point, putting the open-source OS at a record 3.6%. The almost-identical decline of macOS fed the increase of Linux, again illustrating the zero-sum nature of share. Unless one operating system suffers, others cannot rejoice.

Ubuntu again was behind Linux’s gain; Canonical’s OS accounted for all of the increase, ending June at 2.6%. Currently, Net Applications pegs Linux at a share more than a third of Apple’s macOS.

Net Applications calculates operating system share by detecting the user agent strings of the browsers used to reach the websites of Net Applications’ clients. The firm tallies visitor sessions of those browsers to measure global operating system activity.

Original story by Gregg Keizer Senior Reporter, Computerworld | Jul 7, 2020

Windows 10: The best tricks, tips, and tweaks

Windows 10 is chock-full of handy, hidden new features worth exploring. Check out the best tips and tricks here.

Windows 10’s constantly evolving nature means fresh features arrive twice per year, most recently via the big May 2020 Update. With all the new goodies come a legion of new tweaks and tricks—some of which unlock powerful functionality hidden to everyday users. Others simply let you mold the Windows 10 experience into the shape you see fit. Here are some of the most useful tweaks, tricks, and tips we’ve found over Windows 10’s many iterations.

Be warned: Some of these may break as the operating system evolves given Microsoft’s new “Windows as a service” mentality. The Cortana digital assistant served as a cornerstone for the operating system since Windows 10’s inception, for example, but was relegated to lowly app status in the May 2020 Update. We’ve updated this article over time to reflect the OS’s current status.

The leveled-up Game Bar

If you’re into playing around on your PC, Windows 10’s Game Bar—summoned by pressing Windows + G in-game—holds all sorts of nifty extras. It’s always been able to take screenshots or videos of gameplay clips, but it also offers easy-peasy Beam game streaming and the intriguing Game Mode. Better yet, the May 2019 Update transformed it into a full blown overlay that does stuff no rivals offer. The now-customizable interface packs a performance widget, an audio widget with system-wide and per-app controls, a Discord-like interface for Xbox Live friends, a photo gallery, and even full Spotify integration. It’s great, and the May 2020 Update added more helpful features in the form of a frame rate counter and GPU temperature monitoring.

The Game Bar’s handy even if you don’t actually play, as it can be used to record video of any app—not just games. Windows 10 also has a dedicated Gaming section in its Start menu Settings to let you tinker with options, including Xbox networking and parental controls. 

Windows Timeline

Timeline helps you pick up where you left off. Clicking the Task View button in the taskbar or pressing Windows Key + Tab summons the feature, which displays a—you guessed it—timeline of your activity in supported apps, stretching back over the past. Even more handily, Microsoft lets you group related apps together into “Activities” in Timeline, so that when you open that week-old budget document, for example, the presentations and websites you referenced at the time can be easily summoned as well. This even syncs across devices, so it could be especially useful if you use multiple PCs.

The fly in the ointment: Only a limited number of apps work with Timeline currently, though Microsoft offers tools for developers to bake in support. That includes Office, Adobe’s Creative Cloud, and native Windows 10 apps like News and Maps, but Microsoft Edge is the only compatible browser. Bummer. You can deactivate Timeline by heading to Settings > Privacy > Activity History.

Tie your phone to Windows

Want to tie your phone and PC closer together? With the right combination of phone and PC, the Your Phone app on Windows can now show recent photos shot with the phone, view and send SMS messages, be alerted with the phone’s notifications, see the phone’s battery life, view and interact with the phone screen and apps, and even make calls.

You’ll need the Your Phone app for Android as well, of course. There’s also an iPhone app but it’s much more limited. Check out our Your Phone tutorial for everything you need to know.

Cloud Clipboard

Windows 10’s copy and paste functionality has been hit and miss for years, but now you can deploy that bugginess across multiple PCs with cloud clipboard—a genuinely useful feature introduced in the October 2018 Update. Head to Start > Settings > System > Clipboard and enable “Sync across devices” to start copying data on one PC and pasting it on another PC.

While you’re in this menu, enabling “Clipboard history” lets you save multiple items to the clipboard so you can use them again later. Nifty stuff.

Linux in Windows

It started with the simple Bash shell, but over the years, Microsoft’s built up its Windows Subsystem for Linux (WSL) into a surprisingly robust feature for developers. The latest iteration, dubbed WSL2, now runs Linux on its own kernel in what’s essentially a virtual machine, improving performance. You can even store files within the Linux root file system, then access them via Windows File Explorer inside the Linux virtual hard disk. You’ll need to enable the optional Linux compatibility and download a Linux distro from the Microsoft Store to use it, though. Several distros are available, including Ubuntu, Debian, OpenSUSE, and Kali.

You can hack a graphical interface into existence, but WSL2 is intended as a command line-style interface, and it pairs very well with Microsoft’s excellent Windows Terminal app, pictured above, which lets you manage Linux, PowerShell, and command line tools side by side in one window.

Windows Sandbox

Introduced in the Windows 10 May 2019 Update, Windows Sandbox makes it easy to test unknown software and websites in a safe environment. The feature basically creates a virtualized second copy of Windows within Windows where you can run untrusted tasks, firewalled from your main installation. If things go pear-shaped, just nuke the virtual PC and start anew. Easy-peasy! And if a file checks out, you can move it out of quarantine and copy it over to Windows 10 proper. The May 2020 Update adds the ability to enable networking and your PC’s GPU within Sandbox, and even a shared folder between Sandbox and your PC’s desktop, if you don’t mind the increased threat risk.

The one downside to Windows Sandbox: It’s only available in Windows 10 Pro. Our Windows Sandbox guide explains everything you need to know.
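Sandbox accepts a `.wsb` configuration file, so the extra networking, GPU and shared-folder options the article mentions can be turned off deliberately instead of left at their defaults. The script below is an added example (not part of the article or of Microsoft’s documentation) that writes a locked-down configuration and launches it; the `C:\SandboxDropbox` folder is an assumption standing in for wherever you keep files you want to test.

```powershell
# Added example: write a locked-down Windows Sandbox configuration and start it.
# Requires Windows 10 Pro/Enterprise with the Windows Sandbox feature enabled.
$hostFolder = 'C:\SandboxDropbox'                 # assumed host folder holding files to test
$configPath = Join-Path $env:TEMP 'locked-down.wsb'

if (-not (Test-Path $hostFolder)) {
    New-Item -ItemType Directory -Path $hostFolder | Out-Null
}

# Networking and the virtual GPU are the two options the article says raise the
# threat risk, so both are disabled here. The mapped folder is read-only, so a
# malicious sample inside the sandbox cannot modify or encrypt files on the host.
# Mapped folders appear on the sandbox desktop under the WDAGUtilityAccount profile.
$folderName = Split-Path $hostFolder -Leaf
$config = @"
<Configuration>
  <VGpu>Disable</VGpu>
  <Networking>Disable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$hostFolder</HostFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>explorer.exe C:\Users\WDAGUtilityAccount\Desktop\$folderName</Command>
  </LogonCommand>
</Configuration>
"@

Set-Content -Path $configPath -Value $config

# Opening a .wsb file starts Windows Sandbox with that configuration applied.
Start-Process -FilePath $configPath
```

Anything the sample writes elsewhere in the sandbox is discarded when the Sandbox window is closed, which is the behaviour the article describes as nuking the virtual PC.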

Emoji and Kaomoji Keyboard

You may not know it, but Windows 10 matches the capabilities of mobile operating systems via a handy-dandy integrated virtual emoji keyboard, and one-ups phones by including support for ASCII-made kaomoji, too! (⌐■_■)

To summon it, simply press the Windows key and ; simultaneously on your keyboard while you’re inputting text. The selection is only getting better too, as Microsoft has been adding more emoji and kaomoji with each major Windows 10 feature update.

Snip and Sketch

The firmly entrenched Snipping Tool within Windows is finally getting replaced and upgraded. The October 2018 Update added Snip & Sketch, a new tool that lets you select a portion of the screen to copy when you press Windows + Shift + S. After doing so, the selected screenshot will be copied to your clipboard, so you can paste it into any image editing software—including the standalone Snip & Sketch app, which lets you annotate and share your marked-up images.

Near Share

Near Share makes it easy to share files and URLs with local PCs over the air, negating the need for flash drives or chat apps to pass something along. If you open the Share interface in Microsoft Edge or File Explorer, you’ll see PCs with Nearby Sharing enabled appear as an option if you have the April 2018 Update installed. Recipients receive a pop-up notification when something is sent. Think of it as an alternative to Apple’s AirDrop, albeit one without any mobile support.

To use Near Share, your computer needs both Bluetooth and Wi-Fi working, and you’ll have to enable the Nearby Sharing option in Settings before you can start using it. Transfer speeds were pretty slow and Bluetooth-like in our tests, so you may still want to resort to alternative means to pass especially large files around. Microsoft says the feature automatically chooses to use Wi-Fi or Bluetooth depending on what’s available, and what’s faster.

Ransomware protection

Ransomware is a growing (and damned nasty) problem. It infects PCs, encrypts your files, and holds everything hostage until you pay a ransom—hence the name. The best defense against ransomware is frequent backups and strong security software, but Windows 10 now includes basic protection right in your operating system.

Controlled Folder Access “protects your files and folders from unauthorized changes by unfriendly applications.” Your Documents, Pictures, Movies, and Desktop folders are protected by default, though you can block other folders manually or whitelist trusted software to access your locked-down info. You can tweak Controlled Folder Access by opening the Windows Security app (formerly Windows Defender), heading to the Virus & threat protection tab, and clicking the “Manage ransomware protection” link at the bottom. 
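The same Controlled Folder Access settings can be managed from the Defender PowerShell module, which is handier than the Windows Security app when you want to roll the protection out to several PCs or review what it has blocked. The script below is an added example (not from the article); the `D:\Projects` folder and the backup executable path are assumptions, and it must run from an elevated prompt.

```powershell
# Added example: configure and inspect Controlled Folder Access (CFA) with the
# Defender cmdlets instead of the Windows Security app. Run as Administrator.

# Start in AuditMode: Defender logs what it would have blocked without blocking,
# so you can find legitimate apps that need whitelisting before enforcing.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Protect an additional folder beyond the defaults the article lists.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Projects'   # assumed path

# Whitelist a trusted application that legitimately writes into protected folders.
Add-MpPreference -ControlledFolderAccessAllowedApplications `
    'C:\Program Files\MyBackup\backup.exe'                                  # assumed path

# Review the resulting configuration.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
                                 ControlledFolderAccessProtectedFolders,
                                 ControlledFolderAccessAllowedApplications

# Defender writes CFA decisions to its operational log: event 1123 is a blocked
# write, 1124 an audited one. Review these before switching from audit to block.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# Once the audit results look clean, enforce blocking:
# Set-MpPreference -EnableControlledFolderAccess Enabled
```

In enforcing mode a blocked write from an unrecognized program shows up both as a toast notification and as a 1123 event, which is the signal to look at on a machine you suspect is running ransomware.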

Dark Theme

If you love dark themes, you love dark themes. Light themes sear your eyeballs. Fortunately, Windows 10 now supports a dark theme. Head to Start > Settings > Personalization > Color and select the “dark” option under “Choose your default app mode.” The Windows 10 October 2018 Update extended the dark theme to include File Explorer, too. Enjoy!

Ransomware explained: How it works and how to remove it

Despite a recent decline, ransomware is still a serious threat. Here’s everything you need to know about the file-encrypting malware and how it works.

Ransomware definition

Ransomware is a form of malware that encrypts a victim’s files. The attacker then demands a ransom from the victim, promising to restore access to the data upon payment.

Users are shown instructions for how to pay a fee to get the decryption key. The costs can range from a few hundred dollars to thousands, payable to cybercriminals in Bitcoin.

How ransomware works

There are a number of vectors ransomware can take to access a computer. One of the most common delivery systems is phishing spam — attachments that come to the victim in an email, masquerading as a file they should trust. Once they’re downloaded and opened, they can take over the victim’s computer, especially if they have built-in social engineering tools that trick users into allowing administrative access. Some other, more aggressive forms of ransomware, like NotPetya, exploit security holes to infect computers without needing to trick users.


There are several things the malware might do once it’s taken over the victim’s computer, but by far the most common action is to encrypt some or all of the user’s files. If you want the technical details, the Infosec Institute has a great in-depth look at how several flavors of ransomware encrypt files. But the most important thing to know is that at the end of the process, the files cannot be decrypted without a mathematical key known only to the attacker. The user is presented with a message explaining that their files are now inaccessible and will only be decrypted if the victim sends an untraceable Bitcoin payment to the attacker.

In some forms of malware, the attacker might claim to be a law enforcement agency shutting down the victim’s computer due to the presence of pornography or pirated software on it, and demanding the payment of a “fine,” perhaps to make victims less likely to report the attack to authorities. But most attacks don’t bother with this pretense. There is also a variation, called leakware or doxware, in which the attacker threatens to publicize sensitive data on the victim’s hard drive unless a ransom is paid. But because finding and extracting such information is a very tricky proposition for attackers, encryption ransomware is by far the most common type.

Who is a target for ransomware?

There are several different ways attackers choose the organizations they target with ransomware. Sometimes it’s a matter of opportunity: for instance, attackers might target universities because they tend to have smaller security teams and a disparate user base that does a lot of file sharing, making it easier to penetrate their defenses.

On the other hand, some organizations are tempting targets because they seem more likely to pay a ransom quickly. For instance, government agencies or medical facilities often need immediate access to their files. Law firms and other organizations with sensitive data may be willing to pay to keep news of a compromise quiet — and these organizations may be uniquely sensitive to leakware attacks.

But don’t feel like you’re safe if you don’t fit these categories: as we noted, some ransomware spreads automatically and indiscriminately across the internet.

How to prevent ransomware

There are a number of defensive steps you can take to prevent ransomware infection. These steps are, of course, good security practices in general, so following them improves your defenses against all sorts of attacks:

Keep your operating system patched and up-to-date to ensure you have fewer vulnerabilities to exploit.
Don't install software or give it administrative privileges unless you know exactly what it is and what it does.
Install antivirus software, which detects malicious programs like ransomware as they arrive, and whitelisting software, which prevents unauthorized applications from executing in the first place.
And, of course, back up your files, frequently and automatically! That won't stop a malware attack, but it can make the damage caused by one much less significant.

Ransomware removal

If your computer has been infected with ransomware, you’ll need to regain control of your machine. CSO’s Steve Ragan has a great video demonstrating how to do this on a Windows 10 machine:

But here’s the important thing to keep in mind: while walking through these steps can remove the malware from your computer and restore it to your control, it won’t decrypt your files. Their transformation into unreadability has already happened, and if the malware is at all sophisticated, it will be mathematically impossible for anyone to decrypt them without access to the key that the attacker holds. In fact, by removing the malware, you’ve precluded the possibility of restoring your files by paying the attackers the ransom they’ve asked for.

Ransomware facts and figures

Ransomware is big business. There’s a lot of money in ransomware, and the market expanded rapidly from the beginning of the decade. In 2017, ransomware resulted in $5 billion in losses, both in terms of ransoms paid and spending and lost time in recovering from attacks. That’s up 15 times from 2015. In the first quarter of 2018, just one kind of ransomware software, SamSam, collected $1 million in ransom money.

Some markets are particularly prone to ransomware—and to paying the ransom. Many high-profile ransomware attacks have occurred in hospitals or other medical organizations, which make tempting targets: attackers know that, with lives literally in the balance, these enterprises are more likely to simply pay a relatively low ransom to make a problem go away. It’s estimated that 45 percent of ransomware attacks target healthcare orgs, and, conversely, that 85 percent of malware infections at healthcare orgs are ransomware. Another tempting industry? The financial services sector, which is, as Willie Sutton famously remarked, where the money is. It’s estimated that 90 percent of financial institutions were targeted by a ransomware attack in 2017.

Your anti-malware software won’t necessarily protect you. Ransomware is constantly being written and tweaked by its developers, and so its signatures are often not caught by typical anti-virus programs. In fact, as many as 75 percent of companies that fall victim to ransomware were running up-to-date endpoint protection on the infected machines.

Ransomware isn’t as prevalent as it used to be. If you want a bit of good news, it’s this: the number of ransomware attacks, after exploding in the mid ’10s, has gone into a decline, though the initial numbers were high enough that it’s still. But in the first quarter of 2017, ransomware attacks made up 60 percent of malware payloads; now it’s down to 5 percent.

Ransomware on the decline?

What’s behind this big dip? In many ways it’s an economic decision based on the cybercriminal’s currency of choice: bitcoin. Extracting a ransom from a victim has always been hit or miss; they might not decide to pay, or even if they want to, they might not be familiar enough with bitcoin to figure out how to actually do so.

As Kaspersky points out, the decline in ransomware has been matched by a rise in so-called cryptomining malware, which infects the victim computer and uses its computing power to create (or mine, in cryptocurrency parlance) bitcoin without the owner knowing. This is a neat route to using someone else’s resources to get bitcoin that bypasses most of the difficulties in scoring a ransom, and it has only gotten more attractive as a cyberattack as the price of bitcoin spiked in late 2017.

That doesn’t mean the threat is over, however. Barkly explains that there are two different kinds of ransomware attackers: “commodity” attacks that try to infect computers indiscriminately by sheer volume and include so-called “ransomware as a service” platforms that criminals can rent; and targeted groups that focus on particularly vulnerable market segments and organizations. You should be on guard if you’re in the latter category, no matter if the big ransomware boom has passed.

With the price of bitcoin dropping over the course of 2018, the cost-benefit analysis for attackers might shift back. Ultimately, using ransomware or cryptomining malware is a business decision for attackers, says Steve Grobman, chief technology officer at McAfee. “As cryptocurrency prices drop, it’s natural to see a shift back [to ransomware].”

Should you pay the ransom?

If your system has been infected with malware, and you’ve lost vital data that you can’t restore from backup, should you pay the ransom?

When speaking theoretically, most law enforcement agencies urge you not to pay ransomware attackers, on the logic that doing so only encourages hackers to create more ransomware. That said, many organizations that find themselves afflicted by malware quickly stop thinking in terms of the “greater good” and start doing a cost-benefit analysis, weighing the price of the ransom against the value of the encrypted data. According to research from Trend Micro, while 66 percent of companies say they would never pay a ransom as a point of principle, in practice 65 percent actually do pay the ransom when they get hit.

Ransomware attackers keep prices relatively low — usually between $700 and $1,300, an amount companies can usually afford to pay on short notice. Some particularly sophisticated malware will detect the country where the infected computer is running and adjust the ransom to match that nation’s economy, demanding more from companies in rich countries and less from those in poor regions.

There are often discounts offered for acting fast, so as to encourage victims to pay quickly before thinking too much about it. In general, the price point is set so that it’s high enough to be worth the criminal’s while, but low enough that it’s often cheaper than what the victim would have to pay to restore their computer or reconstruct the lost data. With that in mind, some companies are beginning to build the potential need to pay ransom into their security plans: for instance, some large UK companies who are otherwise uninvolved with cryptocurrency are holding some Bitcoin in reserve specifically for ransom payments.

There are a couple of tricky things to remember here, keeping in mind that the people you’re dealing with are, of course, criminals. First, what looks like ransomware may not have actually encrypted your data at all; make sure you aren’t dealing with so-called “scareware” before you send any money to anybody. And second, paying the attackers doesn’t guarantee that you’ll get your files back. Sometimes the criminals just take the money and run, and may not have even built decryption functionality into the malware. But any such malware will quickly get a reputation and won’t generate revenue, so in most cases — Gary Sockrider, principal security technologist at Arbor Networks, estimates around 65 to 70 percent of the time — the crooks come through and your data is restored.

While ransomware has technically been around since the ’90s, it’s only taken off in the past five years or so, largely because of the availability of untraceable payment methods like Bitcoin. Some of the worst offenders have been:

Which Internet providers are lifting data caps during the coronavirus, and which aren’t

While some ISPs have simply pledged not to cut off customers who can’t pay their bills, others are going further.

As American businesses are forced to shut down because of COVID-19 (the novel coronavirus), customers are anxious about their bill for Internet access. Data caps, an annoyance in the best of times, suddenly can mean paying additional fees if a family sheltering in place goes over their limit.

Think of it: you’re working from home, videoconferencing over Skype or Zoom, while your kids are playing games and chatting with friends. There are streamed movies to watch in the evenings. Disney+ and Netflix may be in constant rotation, adding to the bandwidth strain. That’s a lot of data!

In response, some ISPs and cellular service providers are providing relief for customers. Some are merely adhering to the FCC’s Keep Americans Connected Pledge (PDF), which asks the signees not to terminate a customer’s service for non-payment. Others are removing data caps and lowering bills in response to COVID-19.

And others, as you will see in our list below, are doing nothing at all.

AT&T

All AT&T home Internet Wireline customers, as well as Fixed Wireless Internet customers, can use unlimited data. AT&T will continue to offer $10/mo Access from AT&T service for qualifying customers. AT&T Prepaid has also added a new $15/mo offer for 2GB of data.

For the next 60 days, AT&T also pledged not to terminate the service of any customer who can’t pay their bill, and will waive the fees associated with late payments. (Waivers can be applied for here.) It will also waive domestic postpaid wireless plan overage charges for data, voice or text for residential or small business wireless customers. AT&T will keep its public Wi-Fi hotspots open to everyone, and has automatically increased hotspot data by 15GB per month per line.

Effective April 8, AT&T waived Guam-based international roaming charges for AT&T Mobility accounts through April 30 and retroactively to April 1. New AT&T TV/DirecTV customers will receive a free year of HBO. An AT&T “Summer Camp” collection of content has been added, and AT&T also added a number of free channels for those customers who didn’t already have them.

CenturyLink

For the next 60 days, CenturyLink said it has committed to waive late fees and to not terminate a residential or small business customer’s service due to financial circumstances associated with COVID-19. The company is also suspending data usage limits for consumer customers during this time period due to COVID-19. It has committed to the FCC’s Keep Americans Connected Pledge.
Consolidated Communications

Consolidated has posted a coronavirus response page that doesn’t go beyond a statement to “focus on ensuring stability of services and network performance for our customers.” Customers will receive additional free channels “through April or the end of May at the latest.”

Comcast

On March 13, Comcast said that it would pause enforcement of its data caps for 60 days, essentially giving all of its customers unlimited data for that period. (Comcast normally gives its Xfinity customers two “grace” months for every 12, allowing them to exceed their data cap without penalty.) New subscribers to Comcast’s $9.95/month Internet Essentials plan will receive two months free, and speeds were increased to 25Mbps down and 3Mbps up. Comcast said on June 19 that the “two months free” introductory offer for Internet Essentials will be extended through the rest of the year.

Comcast is also making its Xfinity WiFi service free for everyone, regardless of whether you’re a Comcast subscriber or not. (Here’s a map of Xfinity WiFi hotspots.)

Cox

Cox said on March 16 that it is eliminating data usage overages for the next 60 days. Customers with a 500GB or existing Unlimited plan will receive credits. New subscribers to the Cox Starter Internet plan will be able to sign up without an annual contract and receive 50Mbps download speeds.

Cox previously said that it would not terminate service for any residential or small business customers, and would open its Cox WiFi hotspot network to keep the public connected. That will be extended through June 30.

Cox is offering free support calls and the first month free to its low-cost Internet service, Connect2Compete. (It will be free through July 15, Cox added.) Customers on its Essential plan will see their speeds increased from 30Mbps to 50Mbps, and Starter, StraightUp Internet and Connect2Compete packages will be automatically upgraded to speeds of 50 Mbps as well.
Charter (Spectrum)

Charter Communications’ Spectrum services do not have data caps, and will not terminate service for home or small business users who can’t pay because of the coronavirus pandemic. Charter said that it will offer free Spectrum broadband and Wi-Fi for 60 days if that household has K-12 students or college students who do not already have a Spectrum broadband subscription. (That offer was extended until April 30. ) Charter also said it will open its Wi-Fi hotspots for public use.

This week, Charter also said that Spectrum TV customers will be given free Showtime and EPIX through Sunday, April 19. They’ll also be given Disney Junior, Disney XD, Game Show Network and UPtv through May. All of Charter’s existing HBO subscribers, including subscribers in its Spectrum Silver and Gold video packages, will automatically be given access to HBO Max for no additional charge.

Earthlink

Earthlink is also participating in the Keep Americans Connected Pledge, and has pledged (as of March 16, 2020) to not terminate the service of any residential or small business customer because of their inability to pay their bill due to disruptions caused by the coronavirus pandemic, as well as not charge late payment fees a residential or small business customer may incur because of economic hardship related to the coronavirus pandemic. (That page has disappeared as of June 19.)

Earthlink does not offer data caps on its residential service.
Frontier Communications

Frontier does not have data caps, and this will continue through the COVID-19 pandemic, the company said. It also plans to increase its capacity.

Google Fi

“Google Fi has joined the Keep Americans Connected Pledge,” according to a company spokesman, who has not said to which date it will be effective. Google Fi is also temporarily increasing its limits for full speed data to 30GB per user, for both Flexible and Unlimited Plans as of April 1. After the 30GB limit is reached, a user can pay $10/GB to return to full-speed data for the remainder of the billing cycle.

Google is also extending its billing grace period to 60 days beyond the billing date, effective March 1. All of these measures are effective as of May 1, Google said.
Mediacom Communications

Mediacom has paused monthly data allowances through June 30 across all broadband service tiers, it said on April 30. New customers who sign up for Mediacom’s Access Internet 60 broadband service can do so for $19.99/mo for 12 months, rather than $29.99/mo. Mediacom’s Connect2Compete service is raising its speeds from 10Mbps down/1Mbps up to 25Mbps down/3Mbps up, and it will be free for the first 60 days. It has also made its Wi-Fi hotspot network publicly accessible, for free, for 60 days.

Through June 30, Mediacom will not disconnect service or assess late fees to any customer who calls and informs the company that they cannot pay their bill.
Sparklight (formerly Cable One)

Sparklight said on March 13 that it would make unlimited data available on all Internet plans for 30 days, while waiving late fees for 60 days. Customers who call the company can also negotiate deferrals of their payments. On March 16, the company said it would make its hotspots, accessible in its office parking lots, available for free public use, and added a 15 Mbps internet plan for $10 per month for the next 60 days. On April 28, the company said that it would extend this through June 30.

Sparklight extended unlimited data through May 12.

Sprint

(As of April 1, Sprint has completed its merger with T-Mobile.)

Sprint said on March 13 that it has extended its network to include T-Mobile’s network as well for the next 60 days. Sprint has also signed the Keep Americans Connected Pledge and will waive fees and not terminate services if customers are unable to pay because of the coronavirus for the next 60 days. Customers with metered data plans will now receive unlimited data for 60 days. They will also receive an additional 20GB of hotspot data for the same period.

Customers will be able to place free international calls to CDC-designated Level 3 countries.

Starry

Wireless broadband ISP Starry has made Starry Connect, a broadband program for public and affordable housing owners, free through May. Normally, the program, which provides 30Mbps symmetrical speeds, is $15/mo. Starry has also agreed to suspend cancellation of service due to nonpayment due to the coronavirus. It already does not charge additional fees or late fees. Starry’s service does not include data caps, either.

TDS

TDS said on March 16 that it will be providing free broadband access to customer households with K-12 or college students. (Proof will be required.) Other than that, TDS is adhering to the FCC’s “Keep Americans Connected” pledge only by agreeing not to disconnect customers who can’t pay their bills for the next 60 days, through June 30. TDS has also opened its Wi-Fi hotspots for the next 60 days to the public, for free.

T-Mobile

All current T-Mobile plans with data will be granted free unlimited data through June 30, excluding roaming. T-Mobile and Metro by T-Mobile customers will be given an additional 20GB of mobile hotspot and tethering services through June 30 as well. Lifeline customers will be given an extra 5GB of data per month for the next two months.

“We do not have an offer available for 60 days of free service and encourage consumers to be cautious of social media posts that may include fraudulent numbers,” T-Mobile added. The company has also posted resources to help protect customers from scammers.

T-Mobile is extending its commitment to the FCC pledge through June 30, continuing to offer support for postpaid wireless, residential and small business customers impacted by the COVID-19 pandemic.

Verizon

Verizon will waive late fees and keep residential and small business customers connected if negatively impacted by the global crisis, the company said on March 13. Verizon now says on a new, consolidated COVID-19 response page that its waiver plan will run until June 30.

Verizon is also upgrading the data plan on its Verizon Innovative Learning program for Title 1 middle schools from 10GB/month to 30GB/month for the next two months, effective March 16. There are no data caps on Verizon home Internet subscribers, a company representative said.

On March 23, Verizon updated its coronavirus relief plans, noting that it will waive overage charges, upgrade fees and activation fees. Verizon has also pledged to not terminate service and waive late fees. Verizon is also adding 15GB of 4G LTE data to consumer and small business plans for free, and adding some free overseas calls to some countries. Verizon will waive the next two months of billing cycles on its Lifeline plan. On April 3, Verizon will launch a new broadband discount program; customers may select any Verizon Fios speed in its Mix & Match plans and receive a $20 discount per month.
Windstream (Kinetic)

Windstream has not announced any relief for customers affected by the coronavirus. The service does not implement data caps, however.

Updated on June 19 with additional news from Comcast Communications, Mediacom, Sparklight, T-Mobile, and others.

This story, “Which Internet providers are lifting data caps during the coronavirus, and which aren’t” was originally published by PCWorld.