[VIDEO PLAYBACK]

- Hello, world. This is CS50 Live and I'm here on location in beautiful sun--

SPEAKER 1: I don't think this is going to work.

DOUG LLOYD: Yeah, this isn't going to work. This is CS50 Live. I'm Doug Lloyd, filling in this week for David. And we are coming to you live from CS50 Live's beautiful new studio. Well, actually, we're coming to you live from CS50 Live's beautiful former studio, Hauser Studio at Harvard University, where scenes like this from the very first episode of CS50 Live may be familiar. But just like any other episode, we're going to talk about some of the latest stories and news you might be interested in and take a little bit of a look underneath the hood.

And this week we're going to start by talking about malware, and unfortunately some malware attacks that have befallen Windows users. The biggest one of these is known as WannaCry. And WannaCry started to attack users about a week ago, on May 12th. Now, WannaCry is based on some exploits that were leaked from the National Security Agency by a group called Shadow Brokers. And the names of these two exploits are EternalBlue and DoublePulsar; I'll get back to those in just a second. But what happened to victims of these attacks was they would see screens like this suddenly pop up on their Windows computers. Basically, what's happening here is the ransomware is saying all your files have been encrypted; you need to pay us $300 in Bitcoin in a couple of days, or in a couple of days we're going to say you have to pay us $600 in Bitcoin, and after that we're just going to delete your files. Now, that's not exactly a trivial amount of money. And getting a hold of Bitcoin is also not necessarily the easiest thing to do. Right now one Bitcoin, at the time of this filming, is worth about $1,800. So getting your hands on one in order to pay this ransom can definitely be no small feat. Now, how these attacks work is by taking advantage of an exploit in SMB 1.0. I know what you're thinking.
No, SMB 1.0 is not Super Mario Brothers 1, the classic game from my childhood. SMB 1.0 is actually the earliest version of Microsoft's file sharing protocol. And a user might experience using this protocol if, for example, they're in an organization that has a networked file server where many different users' terminals are connecting to that file server or other network shared drives; they're probably using SMB. Now, there have been several versions of SMB since 1.0; I think they're up to 3.1 or something now. But it is 1.0 that is attacked by these EternalBlue and DoublePulsar exploits.

Now, this is actually not even the first time we've heard of SMB being part of a malware attack. You may recall a couple of years ago that Sony Pictures, in November of 2014, was also the victim of a malware attack, whereby users who exploited SMB, in a different way than what we're talking about today, were able to get a hold of Sony's employee roster and their home addresses and Social Security numbers, bank information, stuff you really don't want hackers to get a hold of, and tried to extort Sony to pay up to prevent that information from being leaked.

Now, when we heard about the current attack, the first large-scale victim of this appeared to be Britain's National Health Service. And the reason that this seemed to gain a lot of traction around the NHS was that they're a very large organization and apparently they were running a lot of legacy versions of Windows, which were using the SMB 1.0 protocol, which allowed this to spread very quickly through their system.

Now, fortunately, this week there was some good news. A security researcher found a kill switch, basically a way to just stop the virus from spreading, or the ransomware from spreading. And the way they were able to find this actually cost them less than $11, which is pretty amazing. All the security researcher had to do was register these two URLs.
They don't exactly seem like obvious URLs; they're pretty long, this random string of letters and numbers. But by registering those URLs, the security researcher was able to stop the spread of the ransomware. Now, as it turns out, WannaCry is written in Visual C++, which looks pretty similar to C, which means we can actually take a look at the segment of code involved in this so-called kill switch that stopped the spread of the ransomware and see just how it worked.

So the first thing we see here is a function call to memcpy, which copies information that the user is supplying into a location in memory. Here, URL is just a substitute for that really long string; I didn't want to type it out here again. But we're just copying that URL into memory so that it can be used later on. A couple of lines of code follow that weren't that important. But then WannaCry tried to open two internet connections. The first one, v4, is just checking to see whether the user is using a proxy server. So that one is not super important here. But v5 is the key to what allowed this kill switch to work. So what's trying to happen here is we are calling a function called InternetOpenUrl. And that is trying to open an internet connection to the URL that is stored in szUrl, which is one of those really long alphanumeric strings. If it succeeds, so if v5, which means if I was able to establish an internet connection, as in that site exists, we just close both of the internet connections we just tried to open and we don't do anything else. But if that second one did not succeed, if v5 failed because that long URL didn't exist, so you can't go to that domain name, then it would close both the handles. And then it would execute this function, sub_408090. Apparently sub_408090 is where the code that would then encrypt all of the user's files and then put up that big red ransom screen lived.
So just by registering those domain names, which did not exist before, when the code went to check to see whether it could establish an internet connection, it succeeded. And so this subroutine would no longer execute. Now, the bad news here is that after news of this got out, the hackers took that kill switch out. And so now there is another version of WannaCry out there that is not going to be shut off by that kill switch any further.

Now, Microsoft back in March actually released a security update for currently supported versions of the Windows operating system for SMB. And the reason that they released this update was that the most severe of the vulnerabilities that they're patching here could allow remote code execution if the attacker sends specifically crafted messages to an SMB Version 1 server. So clearly they did not want this to happen. They released a security patch for any currently supported versions of Windows. Unfortunately, you know what is not a currently supported version of Windows? Windows XP. And despite that, Windows XP is actually still used by about 7% of computers on the planet, which makes it the third most popular operating system still in use on the planet, and that's despite XP having been officially deprecated by Microsoft in April of 2014. But Microsoft realized that this patch was affecting too many people, excuse me, this exploit was affecting too many people, so they had to patch it. And so they actually released an emergency patch for unsupported versions of Windows in response to this particular attack. Now, if you were using any of these versions of Windows here, and you had automatic updates turned on, or at least critical security updates turned on for automatic download and install, you were likely safe from this attack all along.
If you're using any of these versions of Windows, though, which are officially unsupported, and you haven't been subjected to this attack yet, which is good, head to the Microsoft website and download that patch. And maybe consider upgrading to a different version of the Windows operating system so that you will be more protected in case of things like this happening again. For more on this attack and how Microsoft recommends customers respond to it, head to this URL here. But never forget the importance of backing up your files.

SPEAKER 2: Backup systems. If you're in the habit, as you should be, of backing up all of your files, your software might be using SHA-1 in order to ensure that your file is indeed correctly backed up.

DOUG LLOYD: Now, in addition to WannaCry, there was a similar piece of malware called Adylkuzz. And where WannaCry was trying to basically extort users to get Bitcoin, Adylkuzz is using their systems to generate Monero, which is a different kind of cryptocurrency. It's not taking the user's files hostage. What it's actually doing is just using their computer to mine for this cryptocurrency. It is making their computer constantly work hard and be busy, and it really slows the user down. Now, we're not going to get into how cryptocurrencies work, but if you're curious about why this particular attack would generate money for somebody who created this ransomware, you could head to this URL here, which explains how cryptocurrencies work and how they can be used to generate money.

Now, previously on CS50 Live we talked about a frighteningly effective Gmail scam, which was affecting a lot of people. And what would happen in this scam was that a user receives an email that looks like this, pretty innocuous, looks like a basic email with an attachment, except that this was not an attachment. It was actually an image that looked identical to Google's little box when you have an attachment attached to an email and you want to download it.
And when you clicked on this image, it would bring you to a Google sign-in page, which again looks completely innocuous. But if you provided your email and other login credentials to this form, that information wasn't being sent to Google; it was being sent to a hacker. Google quickly responded and took care of that attack, but unfortunately a similar attack happened in Google Docs a couple of weeks ago.

So I woke up on May 3rd with a bunch of emails that looked like this in my inbox. A lot of people suddenly wanted to share documents with me on Google Docs. Now, a couple of things tipped me off here immediately. First of all, I was BCC'd on this email, and second of all, I have no idea whose email address this is. So I was a little nervous about this. I didn't click on this link, but unfortunately some people did. And when they clicked on this link they were brought here, to a screen that, again, looked really similar to what we just saw. Google Docs is asking for permission to do certain things with your computer, and it seems reasonable to allow Google to do this if you want to access this document. Unfortunately, this thing that says it's Google Docs was really more like Google Docs in air quotes.

You may have heard, for example, of something called email spoofing, which basically means I send an email from me that looks like it's being sent from somebody else. And the way this works is that email is sent using SMTP, or Simple Mail Transfer Protocol. And in addition to the message that's being sent, the SMTP protocol includes a number of metadata or headers that include information such as who it's being sent to, who it's being sent from, where it's being sent from, where replies should go, what time zone, and so on and so on. So if I'm spoofing, for example, I might send an email that appears to be from, say, your HR department. And it's an email that asks for your direct deposit information, your banking information, so that I can make a direct deposit.
But though the email appears to be coming from your HR department, because that's what the From header says, I could change the Reply-To, which is a different field that's usually invisible, to actually reply to me. So that you send the email thinking it's going to your HR department, but really it's going to me because I've pretended to be your HR department. This is really similar to what's happening here. This app called Google Docs is really just pretending to be Google Docs. And if you hover over the permissions page, that Google Docs there, you'll see this information here. And that information does not appear to be legitimate Google Docs. And in fact, if you submitted your login credentials here, it would go to this person and that page there.

Now, Google Docs responded very swiftly, again, to this, just as they did a couple of weeks ago. Within an hour or so of the attack really starting to hit a lot of people, they posted this on their Twitter page. And less than 3 hours later they had addressed the issue; they had taken steps, they had updated Safe Browsing notifications, and they also updated in-email notifications to warn users that messages similar to this were being used to attack people. So use extra caution and make sure you know the user before clicking on that link. Now, changing gears entirely. Oh, excuse me. Actually, if you want more information about this attack, head to this URL here.

Now, switching gears entirely. You may recall that at the end of every fall semester we have the CS50 Fair, an epic display of students' final projects, where they come and show the staff all the work that they did over the course of the fall semester. Well, in the spring semester we run CS50 as well through Harvard Extension School for students both local to Cambridge and around the world.
And this year we were very fortunate to have about a dozen students, who happen to be local, come and show their projects to the course's staff, their teaching fellows and course assistants, to David, and, of course, to their fellow students to delight in their projects. So congratulations to everybody. It was great to meet you and great to see your projects. We also had a very special visitor, Sandy Shea, who came all the way from Taiwan to visit us at the CS50 Fair this year. And she proudly earned her "I took CS50" shirt.

And that wasn't the only special visitor we had this week in the CS50 office. So pictured here is team Pochi ma Buoni, sorry about the Italian there, who was one of the winning teams for CS50x Puzzle Day in 2016. And pictured at right here is Luigi Morelli, who's also very active in the CS50x forums online. And Luigi actually came all the way from Rome to visit us in the CS50 office as well. Luigi, it was great to meet you. Thanks so much for coming. I hope you enjoyed your stay in Cambridge.

Well, that's it for Live this week. Thanks so much to Dan, and Scully, and Ian, Patrick, Tara, Marina, Christian, the Hoff. David, sorry I cut you off earlier. We'll see you next time. And until then, no vertical videos.

[MUSIC PLAYING]
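The kill-switch control flow Doug walks through earlier in the episode (v5 = InternetOpenUrl(szUrl); success closes the handles and stops, failure closes the handles and continues to sub_408090) can be modelled without any network access by injecting the "open URL" step. The block below is an added example written for this page, not code from the episode or from the malware; the domain name is a constructed placeholder, since the real one is only shown on screen, and the payload routine is represented by a return value rather than implemented. It also shows an analysis caveat the episode implies: a sandbox that fakes a successful connection for every URL trips the kill switch and makes the sample look inert.

```python
"""Model of the WannaCry kill-switch decision described in the episode, with the
network call replaced by an injected resolver so it runs offline.
Added example for illustration; not code from the episode or from the malware."""
from enum import Enum
from typing import Callable, Dict, Iterable

# Stand-in for the long alphanumeric domain shown on screen but not read out;
# a constructed placeholder, not the real kill-switch domain.
KILL_SWITCH_DOMAIN = "example-killswitch-placeholder.invalid"

# Models InternetOpenUrl: returns True when a connection handle would be returned.
Opener = Callable[[str], bool]


class Outcome(Enum):
    ABORTED = "connection succeeded: handles closed, payload routine skipped"
    PAYLOAD = "connection failed: handles closed, payload routine (sub_408090) reached"


def kill_switch_check(domain: str, open_url: Opener) -> Outcome:
    """Mirror the decompiled control flow: v5 = InternetOpenUrl(szUrl).
    Both branches close their handles; only the failure branch continues
    to the payload routine, which is represented here by a return value."""
    v5 = open_url(domain)
    if v5:
        return Outcome.ABORTED   # domain reachable -> spread stops here
    return Outcome.PAYLOAD       # domain unreachable -> payload would run


def make_opener(registered: Iterable[str]) -> Opener:
    """Fake InternetOpenUrl whose success depends only on a constructed set of
    'registered' domains; no real DNS or HTTP is performed."""
    known = {d.lower() for d in registered}
    return lambda url: url.lower() in known


def sandbox_verdicts(domain: str) -> Dict[str, Outcome]:
    """Run the check under three resolver policies an analyst might encounter."""
    return {
        "unregistered domain (before the researcher registered it)":
            kill_switch_check(domain, make_opener([])),
        "domain registered / sinkholed (after)":
            kill_switch_check(domain, make_opener([domain])),
        # A sandbox that fakes success for every URL also trips the kill switch,
        # so the sample appears harmless there; that is a blind spot, not a fix.
        "sandbox faking success for every URL":
            kill_switch_check(domain, lambda _url: True),
    }


if __name__ == "__main__":
    for policy, outcome in sandbox_verdicts(KILL_SWITCH_DOMAIN).items():
        print(f"{policy}: {outcome.value}")
```

The third policy is why analysts usually run a sample both with a "fake internet" and with a realistic resolver: the first hides the payload path, the second shows it. The episode's point, that the version of WannaCry with the kill switch removed is not stopped by registering the domain, corresponds to dropping the `if v5` branch entirely, so this model no longer applies to that variant.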
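The email section of the episode names three things a reader can check before trusting a message: the From header can be spoofed while Reply-To quietly points somewhere else, the recipient was BCC'd rather than addressed directly, and the sender was unfamiliar. The block below turns those three tells into header checks over raw RFC 822 text using Python's standard `email` package. It is an added example for this page, not code from CS50 or Google; the two messages and the example.com / example.net addresses are constructed.

```python
"""Header heuristics for the three tells described in the episode: From/Reply-To
domain mismatch, recipient absent from To (BCC'd), and an unfamiliar sender.
Added example; the messages and addresses below are constructed."""
from email import message_from_string
from email.utils import getaddresses, parseaddr
from typing import Iterable, List


def _address(header_value: str) -> str:
    """Bare lowercase address from a header like 'HR <hr@example.com>'."""
    return parseaddr(header_value)[1].lower()


def _domain(header_value: str) -> str:
    return _address(header_value).rpartition("@")[2]


def phishing_signals(raw: str, my_address: str, known_senders: Iterable[str]) -> List[str]:
    """Return a human-readable list of red flags found in the message headers.
    An empty list means none of the three checks fired, not that the mail is safe."""
    msg = message_from_string(raw)
    known = {s.lower() for s in known_senders}
    signals: List[str] = []

    # 1. Spoofing tell: replies would go to a domain other than the visible From.
    from_domain = _domain(msg.get("From", ""))
    reply_to = msg.get("Reply-To")
    if reply_to and _domain(reply_to) != from_domain:
        signals.append(f"Reply-To domain {_domain(reply_to)!r} differs from From domain {from_domain!r}")

    # 2. BCC tell: our own address is not in the To header (or there is none).
    to_addresses = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []))}
    if my_address.lower() not in to_addresses:
        signals.append("recipient not listed in To header (likely BCC'd)")

    # 3. Unfamiliar sender: From address is not one we already correspond with.
    sender = _address(msg.get("From", ""))
    if sender not in known:
        signals.append(f"sender {sender!r} is not a known contact")

    return signals


# Constructed sample messages (not real mail).
SPOOFED = (
    "From: HR Department <hr@example.com>\n"
    "Reply-To: payroll-help@mail.example.net\n"
    "To: everyone@example.com\n"
    "Subject: Direct deposit update\n"
    "\n"
    "Please reply with your bank details so we can update your direct deposit.\n"
)

LEGITIMATE = (
    "From: HR Department <hr@example.com>\n"
    "To: alice@example.com\n"
    "Subject: Benefits enrollment reminder\n"
    "\n"
    "Enrollment closes Friday. Use the internal portal, not email, for changes.\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, phishing_signals(raw, "alice@example.com", ["hr@example.com"]))
```

Run as a script it prints two signals for the spoofed message (the Reply-To mismatch and the missing To entry) and none for the legitimate one. The Reply-To check is the one that catches the HR direct-deposit scenario Doug describes: the From header reads exactly as expected, and only the hidden reply address gives it away.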