Christian Hallqvist celebrates 25 years with ETH

Congratulations to Christian Hallqvist, ITS employee with ITS Network Security, ICT Networks

You can read about what led up to his 20-year anniversary in the post “20 years with ETH”. In the last five years, however, even more has happened – with some highs and lows.

WannaCry incident

To get an idea of how things can sometimes go, I’ll use the example of the WannaCry case from May 2017. It all started with a phone call on Saturday, 13 May 2017. I was informed that ransomware was making the rounds and the ETH network had to be checked.

We worked through the weekend – from morning to night

Through our collaboration with SWITCH, among other things, we quickly found a secure and efficient method of finding suspicious cases. Our source was the local DNS logs. We were also able to monitor outgoing DNS queries through IDS. The method gave us practically no false negatives.

We were lucky to have so many curious and adventurous students at ETH who also followed this wave. Their experiments and tests generated multiple false messages in our logs, known as false positives.

We did, however, go through every single message.

Naturally it was easy, since those affected by ransomware need to make very little effort to confirm or deny an attack. Anyone who was affected could clearly see whether or not their device was a victim of ransomware. Loss of data as a result of ransomware is clearly visible, for example with the following text: “All of your data has been encrypted. Transfer so much money to this Bitcoin account and you will receive the decryption code.”

We went through each potential case one after the other and once the wave had finally subsided we discovered to our astonishment that our ETH network had not been affected by WannaCry at all. There was not a single true positive.

This exercise taught us a lot, and we are unbelievably happy at how resistant our ETH network actually is, thanks to well-patched modern systems.

False positive

An alarm message that doesn’t actually mean an alarm:
Like, for example, when someone triggers a fire alarm for no reason or out of boredom.

True positive

An alarm message that in reality actually is an alarm:
Like, for example, when someone triggers a fire alarm because of a fire.

False negative

When no alarm message is generated although it clearly should have been:
Like, for example, when a fire breaks out and no one reports it. Everyone runs from the building in panic without sounding the fire alarm.

Posted on
in IT-SEC,News Tags: ,,,

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.