Slashdot Mirror


Windows Remains Vulnerable To Serious 18-Year-Old SMB Security Flaw

Mark Wilson writes A serious security hole leaves millions of Windows users open to attack, making it possible to extract encrypted credentials from a target machine. Researchers at Cylance say the problem affects "any Windows PC, tablet or server" (including Windows 10) and is a slight progression of the Redirect to SMB attack discovered by Aaron Spangler way back in 1997. Redirect to SMB is essentially a man-in-the-middle attack which involves taking control of a network connection. As the name suggests, victims are then redirected to a malicious SMB server which can extract usernames, domains and passwords. Cylance also reports that software from companies such as Adobe, Oracle and Symantec — including security and antivirus tools — are affected.
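An added example (editor's code, not part of the Slashdot summary and not code from Cylance): a small redirect-chain follower that refuses to leave the http/https scheme, which is the client-side behaviour the flaw is missing. It assumes, from Cylance's Redirect to SMB write-up rather than from anything quoted above, that the redirect arrives as an HTTP 302 whose Location header is a file:// URL naming the attacker's share; the hostnames and responses below are constructed for the example.

```python
"""Added example: follow HTTP redirects, but never into file:// or a UNC path.

Assumption (from Cylance's report, not from the summary above): the attack is
an HTTP 302 whose Location is a file:// URL.  The 'responses' table below is a
constructed stand-in for what a man-in-the-middle would inject."""
from urllib.parse import urlsplit, urljoin

SAFE_SCHEMES = {"http", "https"}
REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample traffic: url -> (status, Location header or None).
# Hostnames and addresses are placeholders, not real infrastructure.
POISONED_RESPONSES = {
    "http://update.example.com/check": (302, "file://192.0.2.10/share/x"),
    "http://ok.example.com/a": (302, "https://ok.example.com/b"),
    "https://ok.example.com/b": (200, None),
    "http://loop.example.com/a": (302, "/a"),
}


def classify_redirect(current_url, location):
    """Return 'follow' or 'refuse' for a Location header value.

    Relative locations are resolved against the current URL the way a
    browser would.  A leading '\\\\' is a UNC path, which Windows would hand
    to the SMB redirector, so it is refused before any URL parsing."""
    if location.startswith("\\\\"):
        return "refuse"
    target = urljoin(current_url, location)
    scheme = urlsplit(target).scheme.lower()
    return "follow" if scheme in SAFE_SCHEMES else "refuse"


def follow(url, responses=POISONED_RESPONSES, max_hops=5):
    """Walk a redirect chain.  Returns (last_url, status) with status 'ok'
    (non-redirect reached), 'refused' (chain tried to leave http/https) or
    'loop' (more than max_hops redirects)."""
    for _ in range(max_hops):
        code, location = responses.get(url, (200, None))
        if code not in REDIRECT_CODES or location is None:
            return url, "ok"
        if classify_redirect(url, location) == "refuse":
            return url, "refused"
        url = urljoin(url, location)
    return url, "loop"


if __name__ == "__main__":
    for start in POISONED_RESPONSES:
        print(start, "->", follow(start))
```

The point of the check is that a redirect is only ever allowed to change host or path, never scheme: an http:// request that ends up at file:// (or a UNC path) has been turned into an SMB connection, and that is where the NTLM credentials leak.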

171 comments

  1. used devastatingly already by circletimessquare · · Score: 5, Interesting

    apparently this is how sony got hacked

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:used devastatingly already by ShaunC · · Score: 2

      I hadn't heard that for all the North Korea rabble-rousing and misdirection. Were there ever any real postmortem details? I remember seeing plenty of speculation, but none mentioning this attack; if the official report from Mandiant ever came out, it didn't cross my radar.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    2. Re:used devastatingly already by PRMan · · Score: 2

      Does anyone have a link for this?

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    3. Re:used devastatingly already by fuzzyf · · Score: 5, Interesting

      Man in the middle using SMB share. That requires someone to be on the local network to begin with.
      Could be used after pivoting, but not as a first foothold attack.

    4. Re:used devastatingly already by bloodhawk · · Score: 2

      So you are saying it wasn't north korea as the US government has been claiming and it was actually someone on their local lan? where did you find this information?

    5. Re:used devastatingly already by Billy+the+Mountain · · Score: 1

      Citation needed

      --
      That was the turning point of my life--I went from negative zero to positive zero.
    6. Re:used devastatingly already by cjb658 · · Score: 1

      They would just need a VPN login, easily obtainable through phishing.

    7. Re:used devastatingly already by Anonymous Coward · · Score: 0

      No they wouldn't; that wouldn't give them access to traffic between a client and server, which this vulnerability requires. It would also mean it WASN'T a hack from this vulnerability.

    8. Re:used devastatingly already by circletimessquare · · Score: 1

      yes, they probably had inside help

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    9. Re:used devastatingly already by circletimessquare · · Score: 2
      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    10. Re:used devastatingly already by circletimessquare · · Score: 2
      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    11. Re:used devastatingly already by circletimessquare · · Score: 0
      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    12. Re:used devastatingly already by circletimessquare · · Score: 1

      i *think* they had inside help, that's my own personal opinion, no source

      i don't know all the details of the tool, maybe they didn't have inside help but just a little social engineering for a few hours one day. or maybe even the sony security was so rotten, they could set it all up from the outside

      here's the article that mentions the attack:

      http://www.securityweek.com/ha...

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    13. Re:used devastatingly already by dbIII · · Score: 1

      The North Korea distraction was late in the game and idiotic, but it did have the benefit that the stupid lie could be used as an excuse to get extra funding due to "cyberwar" threats instead of the normal criminal activity it very clearly was.
      If you fell for it and are not a source of funding for IT security then you are "collateral damage".

    14. Re:used devastatingly already by cavreader · · Score: 1

      I think a lot of people have forgotten that Stuxnet required someone on the inside who had access to the Iranian centrifuge lab to kick off the party. Cultivating that inside asset was probably harder, and definitely more dangerous, than engineering the virus.

    15. Re:used devastatingly already by Anonymous Coward · · Score: 0

      Ahhh so we have gone from "apparently this is how sony got hacked" to "I am pulling shit out of my arse and making stuff up because I think this could have happened". That article also doesn't say this is how they got hacked, they claim the potential use of the SMB worm tool which still has to be planted in the environment and hence it ISN'T how they got hacked.

    16. Re:used devastatingly already by circletimessquare · · Score: 1

      yeah the technical aspects of an exploit are always interesting

      but a real devastating hack is always 90% boring and mundane social aspects

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    17. Re:used devastatingly already by circletimessquare · · Score: 1

      did you read the fucking article?

      follow the link moron:

      https://www.us-cert.gov/ncas/a...

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    18. Re:used devastatingly already by Anonymous Coward · · Score: 0

      you are a fucking moron. report states:

      "The SMB worm propagates throughout an infected network via brute-force authentication attacks"

      That isn't this attack.

    19. Re:used devastatingly already by Anonymous Coward · · Score: 0

      hey moron that is NOT the same as this vulnerability. It is a tool that does brute force attacks on SMB to propagate not a man in the middle attack to redirect auth. If you are too much of a retard to understand this stuff then don't comment on it.

    20. Re:used devastatingly already by circletimessquare · · Score: 1

      the SMB worm doesn't use an SMB flaw genius?

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    21. Re:used devastatingly already by circletimessquare · · Score: 1

      an SMB worm uses an SMB flaw, but that has nothing to do with this topic

      got it

      thanks for setting me straight genius

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    22. Re:used devastatingly already by Anonymous Coward · · Score: 0

      no retard, the SMB worm doesn't use a vulnerability, it uses a brute force attack. The vulnerability is about redirecting the file handler to make SMB connect to a "fake/compromised" server so the credentials can be harvested. As I stated, if you don't understand what you are reading then don't comment on it.
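An added example (editor's code, not from the US-CERT alert, the SecurityWeek article or any poster) that makes the distinction in the exchange above concrete from the defender's side. The worm in the alert spreads by brute-forcing SMB logons, which shows up as a burst of failed network logons (Windows Security event 4625, logon type 3) from one source against many accounts; the redirect flaw in the story produces no failed logons at all, because the victim authenticates successfully to the attacker's server. The detector below only covers the brute-force case. The CSV field layout and the event lines are constructed for the example.

```python
"""Added example: flag SMB brute-force propagation from failed-logon events.

Input is a constructed CSV of Windows Security event 4625 fields (my own
column layout, not Windows' XML).  Logon type 3 = network logon, which is
what an SMB authentication attempt produces; type 2 (interactive) failures
are ignored because they are not lateral movement."""
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample: one host trying many accounts over the network within a
# few seconds, plus an ordinary user mistyping a password twice at the console.
SAMPLE_4625 = """\
time,event_id,logon_type,target_user,src_ip
2015-04-13T10:00:01,4625,3,administrator,10.0.5.7
2015-04-13T10:00:02,4625,3,backup,10.0.5.7
2015-04-13T10:00:02,4625,3,svc_sql,10.0.5.7
2015-04-13T10:00:03,4625,3,jsmith,10.0.5.7
2015-04-13T10:00:04,4625,3,jdoe,10.0.5.7
2015-04-13T10:00:05,4625,3,administrator,10.0.5.7
2015-04-13T10:00:30,4625,2,jdoe,10.0.9.2
2015-04-13T10:00:35,4625,2,jdoe,10.0.9.2
"""


def detect_smb_bruteforce(csv_text, window=timedelta(seconds=60),
                          min_failures=5, min_users=3):
    """Return {src_ip: sorted list of targeted users} for every source that
    produced at least min_failures type-3 logon failures against at least
    min_users distinct accounts inside a sliding time window.

    A single account failing repeatedly is a locked-out user or a stale
    service password; many accounts from one source is password spraying."""
    recent = defaultdict(deque)  # src_ip -> deque of (time, user), oldest first
    alerts = {}
    for row in csv.DictReader(StringIO(csv_text)):
        if row["event_id"] != "4625" or row["logon_type"] != "3":
            continue
        t = datetime.fromisoformat(row["time"])
        q = recent[row["src_ip"]]
        q.append((t, row["target_user"].lower()))
        while q and t - q[0][0] > window:   # drop events outside the window
            q.popleft()
        users = {u for _, u in q}
        if len(q) >= min_failures and len(users) >= min_users:
            alerts[row["src_ip"]] = sorted(users)
    return alerts


if __name__ == "__main__":
    for src, users in detect_smb_bruteforce(SAMPLE_4625).items():
        print(f"possible SMB brute force from {src}: {', '.join(users)}")
```

The thresholds are deliberately conservative; tune them to the environment, and feed the detector from the domain controllers as well as member servers, since NTLM failures against domain accounts are logged on the DC that validated them.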

    23. Re:used devastatingly already by bloodhawk · · Score: 1

      Soooo what exactly does that article have to do with this vulnerability? It is not mentioned in there, nor does the SMB worm mentioned make use of such a vulnerability. So I think you definitely still need a citation.

    24. Re:used devastatingly already by Bert64 · · Score: 1

      With a VPN login, you can start looking for hosts on the internal network to attack... Chances are on a network of any significant size there will be at least one box which is vulnerable to something, either unpatched vulnerability or weak password.
      If you look at an internet facing network, there are generally few exploitable things visible because exposure to the internet ensures that all the low hanging fruit has already been picked, but on an internal network there is all manner of easy stuff. Once you have one machine, you can easily spread from there including using attacks like those described in the article.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    25. Re:used devastatingly already by Anonymous Coward · · Score: 0

      NO, nothing in that article relates to this vulnerability, why did you get modded up. You still haven't provided a source.

    26. Re:used devastatingly already by bloodhawk · · Score: 1

      no it doesn't

    27. Re:used devastatingly already by fuzzyf · · Score: 1

      I would love to see some details about this.
      One would think that basic credential traversal would be the preferred method once inside. MITM redirection of SMB traffic would probably set off a few IDS alerts.

    28. Re:used devastatingly already by dave420 · · Score: 1

      Just because it mentions SMB does not mean it's talking about the exact same thing. It might help you to not keep repeatedly posting the same nonsense, unless you want to be the new APK :-P

    29. Re:used devastatingly already by Anonymous Coward · · Score: 0

      You must be feeling pretty dumb spamming the same link everywhere when it refutes your claim. NO the SMB worm DOESN'T use an SMB flaw. It brute forces it; you seem to have ignored every attempt to explain this to you. What I don't get is what someone that doesn't have a clue about computers and security is even doing reading Security Week in the first place; it must be like looking at Egyptian text to you.

    30. Re:used devastatingly already by Anonymous Coward · · Score: 0

      how the hell do people get marked insightful for making shit up? this site gets sadder by the day.

    31. Re:used devastatingly already by Anonymous Coward · · Score: 0

      It was another SQL injection - the third they got caught with; the others being in 2008 and the infamous 2011 incident that resulted in the PSN being down for a month.

    32. Re:used devastatingly already by Anonymous Coward · · Score: 0

      Ox[], please look up the definition of "brute force" related to computer security.

    33. Re:used devastatingly already by Anonymous Coward · · Score: 0

      look how he never came back, hmmmm

    34. Re:used devastatingly already by Anonymous Coward · · Score: 0

      you're such an imbecile

    35. Re: used devastatingly already by Anonymous Coward · · Score: 0

      Go read about arp poison

  2. Grammar by Anonymous Coward · · Score: 1

    "Software...are affected"? Has samzenpus ever heard of a mass noun?

    1. Re:Grammar by jabberw0k · · Score: 1

      Be thankful it wasn't (cringe) "softwares" at least.

    2. Re:Grammar by CaptainDork · · Score: 0

      It's a mass muon, you ass.

      --
      It little behooves the best of us to comment on the rest of us.
    3. Re:Grammar by Anonymous Coward · · Score: 0

      MUON - noun
      : an unstable lepton that is common in the cosmic radiation near the earth's surface, has a mass about 207 times the mass of the electron, and exists in negative and positive forms

      What the hell's that have to do with anything?

      A different AC

    4. Re:Grammar by Anonymous Coward · · Score: 0

      Yeah, why you lepton him?

    5. Re:Grammar by CaptainDork · · Score: 1

      LMBO

      --
      It little behooves the best of us to comment on the rest of us.
    6. Re:Grammar by Anonymous Coward · · Score: 0

      Well, muons do have quite a lot of mass.

  3. Wow, this *IS* old... by rickb928 · · Score: 5, Insightful

    IIRC, we discussed this in MCSE classes, the same ones where the instructor assured us we need not register a domain name for our internal network (!), and agreed that despite the lack of information from Microsoft, it was worth it to block SMB ports from the public networks. As well as others, such as SQL Server (1433/1434 at a minimum), AD (135, 389, 5722, and the list goes on), and other services we need not expose to nor listen on for external traffic. We rapidly got to the point where the reasonably responsible admin blocked by default, opened only what was necessary, and then directed these to the proper hosts inside the network.

    This is slightly older than the Y2K bug. And still not really fixed? Microsoft's choices here have always come back to haunt them. NetDDE, OLE, the HTML viewers, and this, all making Outlook once the premier distribution method for viruses and all forms of malware.

    Interprocess friendliness has its cost. Ease of use goes both ways. The crooks are happy to take advantage of your features.

    --
    deleting the extra space after periods so i can stay relevant, yeah.
    1. Re:Wow, this *IS* old... by mmell · · Score: 2, Interesting
      Yeah, but . . .

      Are there any Windows Administrators out there with I.Q.'s > 90 that knowingly and intentionally leave ports 137, 138, 139 and/or 445 open to the Intartubes?

    2. Re:Wow, this *IS* old... by ageoffri · · Score: 2

      I'm sure there are Windows Administrators who would leave those ports open. Hopefully you have Network Administrators who know enough to block by default and require justification to open ports.

      --
      -- Slashdot, making the Left look conservative since 1997.
    3. Re:Wow, this *IS* old... by dAzED1 · · Score: 1

      they should be able to - if Windows was worth the security targets it has bought.

    4. Re:Wow, this *IS* old... by David_Hart · · Score: 2

      Yeah, but . . .

      Are there any Windows Administrators out there with I.Q.'s > 90 that knowingly and intentionally leave ports 137, 138, 139 and/or 445 open to the Intartubes?

      If your Windows Admins are managing your firewalls, then you are in trouble... Usually it's either the network engineers or firewall Admins.

      This has been a non-issue for the simple fact that no one opens these ports to the Internet...

    5. Re:Wow, this *IS* old... by Anonymous Coward · · Score: 0

      These days not opening these ports to the internet is not enough. These attacks can easily be used for escalation. Especially if you have an admin-right account that logs on to shares for backups or automated tasks.

      Never forget, the world is out to get you. It's not paranoia.

    6. Re:Wow, this *IS* old... by X0563511 · · Score: 1

      "Should" is pretty distinct from "is."

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    7. Re:Wow, this *IS* old... by Anonymous Coward · · Score: 0

      The ones who run honeypots.

    8. Re:Wow, this *IS* old... by Anonymous Coward · · Score: 0

      Hey, I'm a.. crap, my IQ is only 89. Dammit!

    9. Re:Wow, this *IS* old... by holostarr · · Score: 2, Insightful

      Yes there are! I personally know one at my company who is as a matter of fact very good at what he does and incredibly knowledgeable. Your assumption that Microsoft products somehow attracts idiots more than other products is stupid.

    10. Re:Wow, this *IS* old... by XanC · · Score: 2

      Last year I signed up for a dedicated server, and discovered that the provider's VPN server and their control panel server had Windows file sharing and remote desktop ports open to the world! And they wouldn't give me a refund. Losses cut and lesson learned...

    11. Re:Wow, this *IS* old... by XanC · · Score: 1

      Oh I should also point out that they didn't use HTTPS for anything. Logging in to your account and everything was entirely HTTP. "Reliable Site" my ass...

    12. Re:Wow, this *IS* old... by Anonymous Coward · · Score: 0

      And why would you register a domain name for an internal network? Because you're a fuckwit, that's why.

    13. Re:Wow, this *IS* old... by Anonymous Coward · · Score: 0

      Well that's just mean ... why not mention their name?

    14. Re:Wow, this *IS* old... by Anonymous Coward · · Score: 0

      Yeah, but . . .

      Are there any Windows Administrators out there with I.Q.'s > 90 that knowingly and intentionally leave ports 137, 138, 139 and/or 445 open to the Intartubes?

      If your Windows Admins are managing your firewalls, then you are in trouble... Usually it's either the network engineers or firewall Admins.

      This has been a non-issue for the simple fact that no one opens these ports to the Internet...

      Well.. almost no one. I've seen some really bad network management in my day.

    15. Re:Wow, this *IS* old... by Anonymous Coward · · Score: 0

      No. You shouldn't leave those ports open. Linux or Windows. Or anything else.

    16. Re:Wow, this *IS* old... by dbIII · · Score: 1

      and other services we need not expose to nor listen on

      That's *nix (or any other) firewalling 101. The instructor was probably not addressing any individual known threat but the general idea that you don't let the outside world touch ports for internal use just in case something can get in some day.

    17. Re:Wow, this *IS* old... by Gumbercules!! · · Score: 2, Interesting

      Yeah sadly, there's heaps of them. People who connect their Windows machine to the internet by establishing the PPPoE session from the machine, for one. People who rent a VM from a cloud provider and just get a straight up Windows box with no firewall, for two. If you think there's not a lot of those, believe me, there are. We run a cloud computing company and we frequently (ok, by frequently I mean a few times a year, I suppose - but we're just one company) get requests for people to have a Windows box with no firewall (other than the Windows one) because "it gets in the way", etc.

      As a service provider, I am not sure how to handle this because, technically, it's "their server". I mean, I can provide them all the advice I want but making them listen is another thing altogether.

      In one case, I showed the guy that I could map a drive to his server, over the public internet and that he needed to deny all ports other than the one he needed open (443) but it's like speaking to a child. They don't understand why it's a problem and they just want what they think they want and they want it, now.

      So I am not really sure how to handle this. Wherever I can, I don't give them the choice - I just enforce an upstream firewall but at the end of the day, if someone wants to pay money to own a VM and they're not (yet) causing any problems for anyone other than themselves...I can't be in business if I keep saying no to everyone. So yeah - there are plenty of Windows people out there who expose everything to the world.

    18. Re: Wow, this *IS* old... by rickb928 · · Score: 1

      I shouldn't have left the impression that this instructor taught us to block by default. At that time MCSE didn't teach that. And he didn't either. We all discussed it over coffee among other things, like the stupidity of naming your intranet 'msft.net'. That was taught at one time.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    19. Re:Wow, this *IS* old... by Black+Copter+Control · · Score: 1

      I'm sure that the crackers who took over those machines found them to be very reliable.

      --
      OS Software is like love: The best way to make it grow is to give it away.
    20. Re: Wow, this *IS* old... by dbIII · · Score: 1

      Fair enough. I've been known to block the ports listening to SMB stuff at various points in internal networks just to make sure that the wrong thing doesn't answer when called. Printing stuff out three buildings away on a different subnet is funny the first time but then gets a bit old.
      "If it's not expecting traffic on that port on that interface then block it" always seemed like a simple way to start to me.

    21. Re:Wow, this *IS* old... by Bert64 · · Score: 1

      The problem is poor design and inertia... It's not like a simple bug which can be fixed without changing how the software works, there are many design flaws in the protocol itself and fixing them would require incompatible changes. If you're going to drop current windows versions and go to an incompatible system, might as well go straight to linux.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    22. Re:Wow, this *IS* old... by Bert64 · · Score: 1

      Requiring a firewall is another poor design decision... You should be able to turn all these services off, but Windows makes it extremely difficult to disable the default listening services and the recommendation is to hide them behind a firewall... If the system still runs with the services hidden so that no one can connect to them, then why exactly do they need to be listening at all?

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    23. Re: Wow, this *IS* old... by Anonymous Coward · · Score: 0

      Hahahaha

    24. Re:Wow, this *IS* old... by Macfox · · Score: 1

      If you insist on the dumb idea of using a public TLD internally for your Windows domain. This is why MS defaults to append .local. (http://en.wikipedia.org/wiki/.local)

      --
      Area51 - We are watching...
    25. Re:Wow, this *IS* old... by greggman · · Score: 1

      Guest: Hey, what's your wifi password?

      Me: It's "foobarmoo"

      App on guest's phone: "All your base are belong to us!"

      (or any other cheap IP camera, network TV, network TV dongle, XBox/Playstation game, app on your computer or anything else on your local network :( ) ...yes I have a guest wifi but I haven't gone to the trouble to isolate every other piece of hardware on my local network from my Windows box from which they are streaming stuff.

    26. Re: Wow, this *IS* old... by rickb928 · · Score: 1

      That's a permissions problem. Users in one building shouldn't have permission to use printers in another.

      Groups are your friend.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    27. Re:Wow, this *IS* old... by RavenLrD20k · · Score: 1

      I agree with the AC. When a webhost does this type of thing they need to be named and shamed so those of us currently in search of a good managed dedicated server for a client can mark these guys off our list. Also, how much money are you out? Did you pay for a whole year for a new host, or did you do the smarter route and only did month to month for the first year or two as you verified their security and stability?

    28. Re:Wow, this *IS* old... by Anonymous Coward · · Score: 0

      Are you serious? Just yesterday I had to explain to our network administrator that his test desktop would not be able to get out without a valid default route. He responded "What do you mean, 0.0.0.0 is the default route!" O_o

      I can't count on networking to do anything right. Hell, telling them they need to lock the port to 100/full for the old ILOs gets a confused look from them.

    29. Re:Wow, this *IS* old... by Anonymous Coward · · Score: 0

      LOL, ok microsoft suggested it for small business.

      You would not believe the havoc it causes on a corporate network of over 10,000 users. I have to deal with it daily, all because some idiot decided to use .local.

      It works ok if you have a 100% Microsoft network. When you start adding Mac, Linux, appliances, non-windows DNS servers, etc, etc, you have all kinds of problems. That is why Microsoft has waffled back and forth on the suggestion.

      If you want to do it right, configure a split horizon DNS server for .com then use location based sub domains for all internal stuff. For example: NewYork.company.com, Chicago.company.com, sandiego.company.com. Place respective servers/clients/equipment on the DNS for their location, and don't provide DNS for those sub-domains on the Internet.

    30. Re:Wow, this *IS* old... by mvdwege · · Score: 1

      As a service provider, I am not sure how to handle this because, technically, it's "their server".

      On the other hand 'their' server has to share a network with other servers. If they refuse to use best current security practices, their server will start interfering with other servers.

      So the answer is: don't sell them unsecured VMs. If they can't take the above argument and insist, at least charge them more based on the fact that you will have to clean up the mess eventually. And if you have many such customers, invest in some monitoring solution that can detect hacked boxen.

      --
      "I know I will be modded down for this": where's the option '-1, Asking for it'?
    31. Re: Wow, this *IS* old... by dbIII · · Score: 1

      Yes I know that and I also had users that moved about the campus and logged on in machines sitting in other buildings. Limiting by location of machine is a better friend :)

    32. Re: Wow, this *IS* old... by rickb928 · · Score: 1

      That's group membership that matters. Machines do move however, so location-based membership is next. My current computers are all notebooks or tablets. Even at work.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    33. Re:Wow, this *IS* old... by Gob+Gob · · Score: 1

      If your Windows Admins are managing your firewalls, then you are in trouble... Usually it's either the network engineers or firewall Admins.

      It always strikes me as odd that people assume businesses have the resources to deploy "best practices" ~ aka having one specialist team member for every IT position (Net, Admin, DBA, analyst, help desk, etc). Most businesses (ie small / medium ones) can only scrape together the means to employ one person (if any) and hope they have the skills to keep the business applications running ~ pretty much _everything_ else is secondary.

      Does this "best practice" mantra attempt to coach SME's to do the right thing or is it just arrogance that people pontificate that the default assumption is that every business has the resources of the Enterprise?

    34. Re:Wow, this *IS* old... by RockDoctor · · Score: 1

      Name and shame.

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
    35. Re:Wow, this *IS* old... by XanC · · Score: 1

      It was ReliableSite.net. I tried to name them earlier but was too subtle. :-)

      I was only out a month's worth, fortunately.

    36. Re:Wow, this *IS* old... by XanC · · Score: 1

      Done; see above

  4. So if your network is also from 1997 by silas_moeckel · · Score: 2

    It requires a man in the middle attack on traffic that should never go across the internet outside a vpn. Yes it's a problem but not exactly a significant one for a well put together network.

    --
    No sir I dont like it.
    1. Re:So if your network is also from 1997 by Anonymous Coward · · Score: 0

      >implying it is not common to use free hot-spots nowadays, that can easily be a man-in-the-middle
      >implying NSA is not one big man-in-black-in-the-middle
      being this blind

    2. Re:So if your network is also from 1997 by Anonymous Coward · · Score: 0

      Gb2 /g/.

    3. Re:So if your network is also from 1997 by LordLimecat · · Score: 1

      >having no idea what you're talking about
      >throwing out NSA and MITM like theyre relevant here

    4. Re:So if your network is also from 1997 by The-Ixian · · Score: 2

      My understanding is that this exploit simply requires you to have outbound SMB ports open.
       
      In my experience, most firewall setups (especially those in companies who don't have dedicated IT staff) allow unrestricted outbound communications.

      --
      My eyes reflect the stars and a smile lights up my face.
    5. Re:So if your network is also from 1997 by Anonymous Coward · · Score: 0

      with open wifi you can get infected by carrying your laptop around in public with you

    6. Re:So if your network is also from 1997 by silas_moeckel · · Score: 1

      If your laptop is connecting to any random open wifi and does not have a strict firewall, it should get a STI aka Stupid Transmitted Infection.

      --
      No sir I dont like it.
    7. Re:So if your network is also from 1997 by silas_moeckel · · Score: 1

      Why on earth would any competent IT staff have SMB open outbound? If at all possible desktops should not be allowed to make direct connections to anything outside in a corp network.

      --
      No sir I dont like it.
    8. Re:So if your network is also from 1997 by Gr8Apes · · Score: 1

      The better question is why would any competent IT staff have any SMB services installed or allowed?

      --
      The cesspool just got a check and balance.
    9. Re:So if your network is also from 1997 by blue9steel · · Score: 1

      Perhaps because it's standard for both Windows and OSX workstations? In a multi-platform network SMB is often the best choice for filesharing. If it's set up properly (NTLMv2 only, SSL encrypted, SMB message signing turned on) it's actually pretty reasonable security wise.

    10. Re:So if your network is also from 1997 by Anonymous Coward · · Score: 0

      If you think there is such a thing as a trustworthy network, then you are the one with the 90s mindset. The network is hostile, no matter which side of a firewall, VPN server or proxy it is on. If you need to use a network protocol, you need it to be secure, or it will bite you in the ass eventually.

    11. Re:So if your network is also from 1997 by LinuxIsGarbage · · Score: 2

      If your laptop is connecting to any random open wifi and does not have a strict firewall, it should get a STI aka Stupid Transmitted Infection.

      I was going to say "Even Windows is smart enough". Looking at the Windows 7 Firewall profile, even under the "Public Network" profile (Coffee Shop, Airport, or directly connected to internet), SMB is allowed for the local subnet, which would limit the attack surface on the Internet, but at a Wifi hotspot could be deadly. Which I guess is why some hotspots disallow local traffic between peers.
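An added example (editor's code, not from any poster, from Cylance or from Microsoft) covering the two points made above: The-Ixian's observation that the flaw needs outbound SMB to be open, and the note that the Windows Public profile still scopes SMB to the local subnet. It classifies constructed connection records by where an SMB flow is going, so the same logic serves as a firewall policy check or as a detection over flow logs. Record layout and addresses are made up; RFC 1918 is spelled out explicitly rather than using ipaddress.is_private, because that property also counts documentation and benchmarking ranges, which a perimeter rule does not mean.

```python
"""Added example: classify outbound SMB flows by destination scope.

Policy being checked (from the thread, not from a vendor document):
  - SMB (TCP 445, NetBIOS session TCP 139) to the client's own subnet: normal.
  - SMB to internal addresses off-subnet: acceptable only where file servers
    live on other subnets; a tighter 'LocalSubnet' policy rejects it.
  - SMB to the Internet: never legitimate; this is the Redirect to SMB
    egress path and should be blocked and alerted on.
Flow records and addresses below are constructed for the example."""
import ipaddress

SMB_PORTS = {445, 139}
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed records: (src_ip, src_subnet, dst_ip, dst_port, proto)
FLOWS = [
    ("10.0.1.25", "10.0.1.0/24", "10.0.1.10",    445, "tcp"),  # file server, same subnet
    ("10.0.1.25", "10.0.1.0/24", "10.0.7.40",    445, "tcp"),  # internal, other subnet
    ("10.0.1.25", "10.0.1.0/24", "198.51.100.9", 445, "tcp"),  # SMB to the Internet
    ("10.0.1.25", "10.0.1.0/24", "198.51.100.9", 443, "tcp"),  # ordinary HTTPS, ignored
    ("10.0.1.25", "10.0.1.0/24", "203.0.113.77", 139, "tcp"),  # NetBIOS session outbound
    ("10.0.1.25", "10.0.1.0/24", "10.0.7.40",    445, "udp"),  # not SMB over TCP, ignored
]


def classify(src_ip, src_subnet, dst_ip, dst_port, proto):
    """Return 'not-smb', 'local-subnet', 'internal-offsubnet' or 'internet'."""
    if proto != "tcp" or dst_port not in SMB_PORTS:
        return "not-smb"
    dst = ipaddress.ip_address(dst_ip)
    if dst in ipaddress.ip_network(src_subnet, strict=False):
        return "local-subnet"
    if any(dst in net for net in RFC1918):
        return "internal-offsubnet"
    return "internet"


def smb_egress_alerts(flows, allow_internal=True):
    """Return [(dst_ip, dst_port, scope)] for flows that break the policy.

    allow_internal=True  -> 'SMB never leaves RFC 1918 space' (perimeter rule)
    allow_internal=False -> 'SMB never leaves the local subnet' (the scope the
                            Windows Public profile applies to its SMB rules)"""
    bad = {"internet"} if allow_internal else {"internet", "internal-offsubnet"}
    out = []
    for f in flows:
        scope = classify(*f)
        if scope in bad:
            out.append((f[2], f[3], scope))
    return out


if __name__ == "__main__":
    for dst, port, scope in smb_egress_alerts(FLOWS, allow_internal=False):
        print(f"SMB egress {dst}:{port} ({scope})")
```

Run against real flow or firewall logs, any hit in the 'internet' class is worth an incident ticket regardless of whether Redirect to SMB was the cause: there is no legitimate reason for a workstation to speak SMB to a public address.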

    12. Re:So if your network is also from 1997 by Anonymous Coward · · Score: 0

      > It requires a man in the middle attack on traffic that should never go across the internet outside a vpn

      I just can't believe someone is still able to think "if my network periphery is OK, then my whole network is OK".

      In these days, your network is *chock full* of agents randomly downloading stuff from the internet and *executing it within the network*. The most common example of it is the web browser: yeah, I know about sandboxing and that, but...

      (If you don't believe just how much one can do with the browser *without* even having to resort to some vuln, just look up the DDOS trick the Chinese pulled off lately by injecting javascript into Baidu's replies).

      There are others. Printers phoning home and ready to boot any image offered to them. PBXes. Word processors ready to execute anything handed them by some obscure mail client. All held together by duct tape so old that it's showing cracks and made shiny with some snake oil.

      No, the enemy is *within* your network these days. Even if the folks working there are 100% trustworthy.

      (Captcha was "paranoia". Go figure).

    13. Re:So if your network is also from 1997 by Bert64 · · Score: 1

      The problem is that SMB is not just a filesharing protocol, it provides access to whole heaps of other functionality at least on windows. If all you want to do is file sharing then SMB is a terrible choice.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    14. Re:So if your network is also from 1997 by blue9steel · · Score: 1

      Well AFP is horrible and NFS isn't exactly fully supported cross platform, that doesn't leave a lot of options.

    15. Re:So if your network is also from 1997 by Gr8Apes · · Score: 1

      try scp or rsync sometime: fully supported by all operating systems that try to be secure. Oh, you meant "GUI" access, in that case, use a web based service that allows directory views and uploads. Or use some dropbox like enterprise solution. In any case SMB is a terrible terrible solution. None of my *nix based boxes run it.

      Disclaimer: I use scp and rsync - I have not used any of the other solutions.

      --
      The cesspool just got a check and balance.
    16. Re:So if your network is also from 1997 by blue9steel · · Score: 1

      SCP and rsync are file transfer protocols not file sharing protocols, they don't work nearly the same. Perhaps your solution works for a single developer's workstation or a small technology startup but it's not going to scale to a large business with many employees, most of whom do not work in IT.

    17. Re:So if your network is also from 1997 by Gr8Apes · · Score: 1

      Hence the reference to an enterprise solution, one that is targeted to windows even. Pretty much everything is better than the insecure disaster known as SMB.... and if you think those alternatives are "bad", then blame MS for foisting the horrors of insecure and crappy SMB on the masses.

      I believe "Just because you can doesn't mean you should" applies to all facets of SMB like playing with frightened skunks (with similar results for those slow on the relationship)

      --
      The cesspool just got a check and balance.
    18. Re:So if your network is also from 1997 by jp10558 · · Score: 1

      I'd love to know the better solution for Mac, Windows and Linux access to network shares, and the network shares have to be performant, local (i.e. no cloud sync), not require paid software, and support several tens of terabytes per shared filesystem. Oh, and use Active Directory permissions...

      --
      Opera, Proxomitron-Grypen,GPG 0x0A1C6EE3
    19. Re:So if your network is also from 1997 by Gr8Apes · · Score: 1

      So there's your problem - you want this polished turd because it's all shiny, but it's still a turd. You never wondered why it's free? You will have to pay to get one of the secure ones if the host of other free solutions are not to your liking.

      The real question with disk space being so damn cheap is why would you want a "performant, local" network share anyways with AD permissions to boot on 10s of TBs per FS? That sounds more like a content management system that you've co-opted SMB to do, and it is wholly unsuited to that task. I'll bet it keeps your Win admins hopping though. This just screams "Just because you can, doesn't mean you should" and "You get what you pay for". (You're paying, just not a software vendor)

      --
      The cesspool just got a check and balance.
    20. Re:So if your network is also from 1997 by jp10558 · · Score: 1

      Honestly, I'm not sure if you're a troll, or just someone who strongly believes if you don't do it your way, you're wrong.

      I'm working in a research institution. We have limited funding from grants. We are doing X-Ray research, with detectors that output data on the order of 30GB a run, and there can be more than one run a day. This data, once generated, needs to be accessible by compute nodes, without hitting the acquisition disk. There isn't reliable down time between acquisitions, so rsyncs are hard to schedule. We also need to schedule backups, which is easier on central storage, as these acquisition machines move around, and aren't always up.

      Laptops have trouble carrying around 30TB for analysis, and desktops aren't cost effective with that storage load. I could also go into the issue with data walking out the door, which may be prohibited, or desired depending on the situation.

      On top of binary research data, there's all the program source, program binaries, infrastructure data, standard office documents etc.

      I'm not sure about a content management system - we have a Wiki which is great, and SVN which is great, and Vault for Inventor source control, which is also great. For office documents, the closest thing I'm aware of is Sharepoint, which doesn't seem like anything I want to touch with a 10 ft pole. What else should I be looking at?

      And how does it work for users who barely understand "save to this network folder"?

      --
      Opera, Proxomitron-Grypen,GPG 0x0A1C6EE3
    21. Re:So if your network is also from 1997 by Gr8Apes · · Score: 1

      Honestly, I'm not sure if you're a troll, or just someone who strongly believes if you don't do it your way, you're wrong.

      Fortunately, I'm neither. I will, however, point out when something's just "wrong". (I know, it's easy to be a critic)

      I'm working in a research institution. We have limited funding from grants. We are doing X-Ray research, with detectors that output data on the order of 30GB a run, and there can be more than one run a day....

      So you have bounded the binary data problem, 30GB data sets with multiple sets generated a day. You also state that the acquisition disks cannot be hit while it's running. You don't state whether you can use a SAN, which would be your best technical option, although does cost some money but allows for processing, redundancy, backups, and offloading. The next best option would be a NAS system, as that would offload your acquisition system(s) data load. These systems can also feed your compute nodes easily, as well as give access to your users, if you wish.

      For the remainder, it sounds like you have what you need for your use cases, except for the SMB network share issue. Given your domain, you'd expect the people working within it to be able to follow the simplest of instructions to access and save their data. If not, perhaps new people are in order. If you can't work the machines.... But seriously, offloading the binary data implies, from your statements, that your new use case for sharing is significantly simplified, and potentially whatever you choose for the better binary store also works for whatever needs you have left.

      --
      The cesspool just got a check and balance.
    22. Re:So if your network is also from 1997 by jp10558 · · Score: 1

      Well, there's the experimental data, and then the administrative data. Those word docs need to be shared, backed up, etc. The various matlab and labview files need to be accessible from Sun Grid Engine nodes and local Windows, Scientific Linux and Mac OSX workstations.

      We currently use a RedHat HA cluster that provides NFS and CIFS / SMB access to disk stored on iSCSI devices. So sort of a home-built SAN I guess. We looked into better known commercial offerings, but basically they were 10x our budget. Unlikely to happen. One of the "Wins" we got was budgeting to buy actual 1U servers with IPMI and the like. Even build your own costs a good chunk of IT budget for 5 years.

      Scientists and Professors are a bit unreasonable I guess - they want high performance, reliability, and all that without having to spend a lot of money or change their workflow at all. They also flat out don't read documentation about stuff that's unimportant to their research, and to them, computers should be like mains power - it's unimportant how it works, and it should magically "do the right thing"...

      If they have to know more than "plug it in", there's likely to be trouble. IT certainly can't ask any user to ... stop being a user because they don't know what a network share is, or what a computer power button is. The user is a world class scientist here to do important research - they don't have time for "unnecessarily complicated" systems. Sadly, this is of course why we have jobs. But it does generally keep us to the lowest common denominator for software and solutions.

      --
      Opera, Proxomitron-Grypen,GPG 0x0A1C6EE3
    23. Re:So if your network is also from 1997 by Gr8Apes · · Score: 1
      So your problem is really 2-fold:
      • You are being asked to deliver diamond jewelry with a glass budget
      • You cannot change anything about your users

      I'd state the second is false, as you're forcing them into a windows environment, and, unless things have changed, many of those folks have used *nix flavors as well. Of course, you're stuck with the MS Office disease, which probably still has 10 years left before it clears up.

      Given your constraints and situation and where you are, I don't believe any obviously solid suggestions are really possible. I'd look into some document storage ECM / CMS (Enterprise Content Management / Content Management System) solutions that are free / low-cost, including programs that may be free for you specifically. Those will add versioning capabilities to your documents and a solid permissions system that should be easier to administer over an AD based system while hopefully using your existing hardware base. And that's only if you need that functionality.

      --
      The cesspool just got a check and balance.
    24. Re:So if your network is also from 1997 by jp10558 · · Score: 1

      Oh, I'm not forcing anyone into a Windows environment. I strongly push them towards Linux and tell them it's the preferred environment at the lab, and all our infrastructure is Linux based. We just wanted to set up a data download station, and suggested Linux, but were told the external users aren't familiar with Linux (I don't know how they run the experiment, where lots of it is based on Linux, but hey, not something I get to change), and will need Windows there.

      We have plenty of Labview stuff which I'm told by staff must use Windows, as well as some Matlab stuff, even though I'm pretty sure quite a lot of it runs on Linux, I don't get to override them.

      And then there are the Mac users who insisted on using OneNote for logging on a separate Windows computer, when their experiment controls were all Linux and their laptops are Macs, but why not use a Windows only program for this note-taking? Because it's easier than a web based logging tool to copy pictures into. (This was 2008ish, carries forward to now, though there now is a Mac OneNote client, it's still not to my knowledge multi user or runnable on Linux)...

      Most of the insanity comes from people who *don't care* about the technical reality and substitute their own. And are apparently OK with a lot of kludged together solutions. At least I get a job out of it.

      --
      Opera, Proxomitron-Grypen,GPG 0x0A1C6EE3
  5. Microsoft has eradicated buffer overflows? by Anonymous Coward · · Score: 0

    "Microsoft has eradicated buffer overflows with Windows XP", Jim Allchin, Aug 2001

    "My son, seven years old, runs Windows Vista, and, honestly, he doesn't have an antivirus system on his machine", Jim Allchin, Nov 2006

    1. Re:Microsoft has eradicated buffer overflows? by harryjohnston · · Score: 1

      This isn't a buffer overflow bug. In fact, it isn't a bug at all, but a design weakness.

    2. Re:Microsoft has eradicated buffer overflows? by TheGratefulNet · · Score: 1

      It's as if someone had been coding samba ... in the rain!

      (GOML)

      --
      "It is now safe to switch off your computer."
    3. Re:Microsoft has eradicated buffer overflows? by harryjohnston · · Score: 1

      It's as if someone had been coding Samba ... in 1987!

  6. Funny by Anonymous Coward · · Score: 0

    Read the article but replace "SMB" with "Super Mario Bros."

    1. Re:Funny by Anonymous Coward · · Score: 0

      That is funny

    2. Re:Funny by Anonymous Coward · · Score: 0

      SMB works through a series of tubes.

  7. Many eyes... by Imagix · · Score: 0, Troll

    But... this is software that people were _paid_ to write. That means that these sorts of security holes can't happen! Not that open source thing of "many eyes makes all bugs shallow", they have the _right_ people reading the code thus these things can't happen. Right? Right?! (And if your sarcasm detector isn't going off the scale, you really need a new sarcasm detector....)

    1. Re:Many eyes... by viperidaenz · · Score: 1

      Heartbleed was around for 2 years before it was discovered.

    2. Re:Many eyes... by Anonymous Coward · · Score: 0

      Your point is? This has been around for 18 years AFTER its discovery.

  8. Because everyone uses their WinPC direct-connect.. by Anonymous Coward · · Score: 0

    BUT IT'S MICRO$HAFT!!!!11 Common sense and real-world risk doesn't apply when it's about these LO$ERS!

    Fuck M$ in their antitrust asses!

  9. if your employees drink coffee by Anonymous Coward · · Score: 0

    did you bother to RTFA?

    one of them will bring a laptop into a starbucks, get infected, bring it into work where it gets connected to the internal network

    or perhaps the employees at your company are forbidden to drink coffee?

    1. Re:if your employees drink coffee by Anonymous Coward · · Score: 0

      I guess if you answer the question "what kind of network is this" when you're at Starbucks incorrectly, maybe.

  10. Windows File-Sharing by Etherwalk · · Score: 1, Troll

    Windows file-sharing on home machines has pretty much always been terrible. It's like a bunch of monkeys put it together. I am guessing they tasked one or two guys to add it to home machines when the bulk of a group was working on corporate file sharing (which is at least a bit more reliable), and the result was just a really bad design and code that has been sitting around the kernel forever. Getting two machines to talk to each other over an Ethernet cable has always been much harder than in linux. (I was going to say and less secure, but I remember the telnet and ftp days...)

    1. Re:Windows File-Sharing by Anonymous Coward · · Score: 0

      Try sharing a printer on a windows 7 PC to a Linux PC or anything else on the LAN, absolute fail. Works fine the other way around.

    2. Re:Windows File-Sharing by Anonymous Coward · · Score: 0

      Getting two machines to talk to each other over an Ethernet cable has always been much harder than in linux.

      Can you prove this?

      Please describe the typical workflows of getting two machines to talk over Ethernet cable under Windows and under Linux.

    3. Re:Windows File-Sharing by Anonymous Coward · · Score: 0

      Getting two machines to talk to each other over an Ethernet cable has always been much harder than in linux.

      Are you talking about using a crossover cable? Who the hell uses those anymore?

    4. Re:Windows File-Sharing by Anonymous Coward · · Score: 0

      Windows file-sharing on home machines has pretty much always been terrible.

      I'd agree with that, but I'd also add that all file sharing on home machines has pretty much always been terrible. I've never found a quick, easy way to share stuff locally that doesn't leave lots of vulnerabilities.

      Back when I was running win2k, I just gave up and ran an ftp server, for local machines only.

      AC because I've modded.

    5. Re:Windows File-Sharing by Anonymous Coward · · Score: 0

      Try doing it by IP address instead of paths (UNC //servername/target): no fail. It works.

  11. And who is running SMB on an open Internet connect by Anonymous Coward · · Score: 0

    Really.. I'm astonished by this Shocking revelation... :-o

  12. An enterprise worry more than users? by Anonymous Coward · · Score: 0

    Is this bug more of an enterprise issue than anything? Someone mentioned Sony was hacked this way. These days the bad guys, to me, are winning but are mostly after bigger fish than singular users on one PC. Not saying individuals are not targets, but certainly they probably are targeted through other means. Some writer was bragging about the new Chromebook Pixel and how great it is not to be subject to all those thousands of Windows malware. I thought, he's probably right that Chrome OS is safer, but then I ask myself how does he know anything about his Chrome OS. I have yet to see a tangible security scanner for Chrome OS. I suppose you could "trust" Google to patch any security issues. I run both Windows and Macs and I would find either one to be safe, and to back that up I rarely come across anything more than spyware on any PCs and mostly Windows based attacks on my Macs. I am on the assumption any OS can be compromised. As one security person said, just because you live in a quiet neighborhood does not mean nobody can get into your house.

  13. original paper here by Anonymous Coward · · Score: 3, Informative

    original paper here: http://cdn2.hubspot.net/hubfs/270968/SPEAR/RedirectToSMB_public_whitepaper.pdf

    How hard is it to mandate any submission contain the source instead of some shill article?

  14. Ceterum censeo by TeknoHog · · Score: 3, Funny

    I remain vulnerable to serious 18 year olds, if you catch my drift.

    --
    Escher was the first MC and Giger invented the HR department.
    1. Re:Ceterum censeo by BronsCon · · Score: 1

      But do you exploit them?

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    2. Re:Ceterum censeo by Anonymous Coward · · Score: 0

      If they are holy...

    3. Re:Ceterum censeo by Anonymous Coward · · Score: 0

      Only through the back door

  15. Wish this were new or news by WaffleMonster · · Score: 2

    I don't know how or why it came to this. The world is hooked on insecure authentication protocols. NTLMv2, Kerberos, plaintext, plaintext over encrypted tunnel protected by group secrets (sigh..) or certificates and dull thud of every flawed permutation of a challenge handshake system imaginable.

    These things are employed virtually everywhere and the consequences are visible everywhere.

    Haha I tricked you or your computer into connecting to my file system or my fake bank or my fake web site and because of that I now have your credentials and you're f*****d.

    Living with consequences has become so routine and institutionalized some find it difficult to see the problem at all ... instead resorting to blaming failure of a castle defense or operating in an unsafe environment rather than notice the root cause of the problem - broken authentication systems.

    When the most widely deployed use of a secure authentication protocol is protecting an online role playing game I have no interest in Microsoft's (And all other vendors) lame excuses for not fixing these problems decades ago.

    1. Re:Wish this were new or news by Anonymous Coward · · Score: 0

      Why do you lump Kerberos in there? Kerberos afaik is fine security wise.

    2. Re:Wish this were new or news by WaffleMonster · · Score: 1

      Why do you lump Kerberos in there? Kerberos afaik is fine security wise.

      Kerberos client authentication is subject to offline dictionary attack.

    3. Re:Wish this were new or news by Anonymous Coward · · Score: 0

      Ok.

      Do you have an opinion of a relatively common method that is better? My issue with many is that it just sends the password to the server for verification, trusting that TLS will protect it. Given that it's exceedingly common for clients to not verify the certs, this is also fraught with risk.

      It seems in practice it's either something like Kerberos which goes to lengths to avoid actually transmitting the password without TLS, or taking the TLS situation for granted and sending a password.

      Public key can help greatly, but getting arbitrary people able to access it..

    4. Re:Wish this were new or news by WaffleMonster · · Score: 1

      Do you have an opinion of a relatively common method that is better? My issue with many is that it just sends the password to the server for verification, trusting that TLS will protect it. Given that it's exceedingly common for clients to not verify the certs, this is also fraught with risk.

      Recommend looking into a PAKE algorithm. The advantage is they are able to provide mutual proof of possession of a common secret without leaking knowledge that may be used to determine what that secret is. These systems are not vulnerable to offline attack and provide keying to encrypt the network session such that you can carry on a secure conversation post authentication.

      TLS-SRP is currently my favorite option. Currently shipping with many commonly used SSL toolkits. Supported by Apache and CURL but still quite sparse in terms of application support.

      Anything you can put a TLS wrapper around you can probably hack to support TLS-SRP authentication without a terrible amount of effort.

  16. Article one giant spew of hyperbole by laughingskeptic · · Score: 5, Informative

    The article states "the encryption method used was devised in 1998 and is weak by today's standards ... Microsoft has yet to release a patch to fix the Redirect to SMB vulnerability" as if Microsoft must remove the feature in order for Cylance to consider this resolved. Instead a number of improvements have been made to SMB since 1998 including support for HMAC-SHA256 (v2.0) and AES-CMAC (v3.0) hashing. http://www.windowsecurity.com/.... You are going to need a little more than "$3000 worth of GPUs" to forward brute force the AES-CMAC hashed passwords.

    1. Re:Article one giant spew of hyperbole by Tablizer · · Score: 1

      There may be a good reason MS left some of it in place. Anybody want to offer speculation?

    2. Re:Article one giant spew of hyperbole by Anonymous Coward · · Score: 0

      Legacy support.

      Some specialized and disturbingly expensive equipment (see medical, aerospace, and manufacturing) that are more or less irreplaceable also run ancient software. For Microsoft to drop support for those legacy devices forces businesses that depend on them to drop Microsoft.

    3. Re:Article one giant spew of hyperbole by Tablizer · · Score: 1

      Couldn't they switch off the related feature or service by default in the newer OS versions, and only organizations with specialized equipment would need to switch them on? True, many orgs probably wouldn't know about the change or their reliance on an old feature, and be surprised. But generally a major OS upgrade will have changes like that, and should be tested for before production. But it's not always easy to fully test something that relies on multiple servers and services.

    4. Re:Article one giant spew of hyperbole by WaffleMonster · · Score: 1

      The article states "the encryption method used was devised in 1998 and is weak by today's standards ... Microsoft has yet to release a patch to fix the Redirect to SMB vulnerability" as if Microsoft must remove the feature in order for Cylance to consider this resolved. Instead a number of improvements have been made to SMB since 1998 including support for HMAC-SHA256 (v2.0) and AES-CMAC (v3.0) hashing.

      When faced with claims of security it is necessary to fully understand the underlying basis of trust without which security is a mirage.

      What is the mechanism by which one system or user authenticates the identity of another system or user and why is this process trustworthy?

      Without secure authentication and proper binding encryption by itself is useless.

      You are going to need a little more than "$3000 worth of GPUs" to forward brute force the AES-CMAC hashed passwords.

      How are the key parameters to AES and HMACs derived? If an attacker can figure that out then a whopping $0 worth of GPUs will suffice.

      So how about it... where does this magical session key for admittedly very substantial and well engineered SMB3 encryption come from?

      The answer is NTLMv2 or Kerberos. This is a "bad deal". NTLMv2 credentials can be stolen and replayed with impunity by launching offline brute force attacks against captured challenge response. Ditto for Kerberos. Game over.

    5. Re:Article one giant spew of hyperbole by Anonymous Coward · · Score: 0

      I honestly have not read up on what the default is. Given what experiences I have had with Microsoft it is probably a foolish on/hybrid dichotomy. On being vulnerable all the time, hybrid being only vulnerable when something connects that does not support better standards as such is vulnerable anyway.

      That is some low hanging fruit for security researchers right now. Force a system to make itself vulnerable by connecting with the least-secure option, then leverage the advantage.

    6. Re:Article one giant spew of hyperbole by altonius · · Score: 1

      Although SMB has been improved to now include AES-CMAC (on Win8/2012) the underlying hashing algorithm used for authentication is still based on LM, NTLMv1, or NTLMv2. Whilst the channel between a client and a server can be encrypted, if you can man-in-the-middle a HTTP connection and redirect it to SMB you are able to set the version of SMB and encryption level used and obtain the authentication details.

    7. Re:Article one giant spew of hyperbole by atamido · · Score: 1

      Although SMB has been improved to now include AES-CMAC (on Win8/2012) the underlying hashing algorithm used for authentication is still based on LM, NTLMv1, or NTLMv2.

      Only Windows Server 2003 and below will accept LM/NTLMv1 by default, which means as far as supported systems only 2003, and it is EOL July 14, 2015. You'd have to be desperate to still be running any 2003, and if you were you can disable LM/NTLMv1 via GPO. Vista/2008 and above will only accept NTLMv2 responses.

    8. Re:Article one giant spew of hyperbole by WaffleMonster · · Score: 1

      Only Windows Server 2003 and below will accept LM/NTLMv1 by default, which means as far as supported systems only 2003, and it is EOL July 14, 2015. You'd have to be desperate to still be running any 2003, and if you were you can disable LM/NTLMv1 via GPO. Vista/2008 and above will only accept NTLMv2 responses.

      NTLMv2 is broke too.

    9. Re:Article one giant spew of hyperbole by atamido · · Score: 1

      NTLMv2 is broke too.

      NTLMv2 isn't broken, but it definitely isn't as good (secure or featureful) as Kerberos, which is why Windows uses Kerberos by default. If you're in a domain, then Windows will only fall back to NTLMv2 for SMB if you do something that would prevent a Kerberos ticket from being verified (like access an SMB share by IP instead of name). It's really just a simpler fallback mechanism now. You could prevent that by requiring signing for all SMB connections, which I believe is only enabled by default on domain controllers.
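
      Auditing and enforcing the SMB signing requirement the comment above mentions, as an added example that is not part of this thread or of Microsoft's own documentation. It uses the SmbShare cmdlets shipped with Windows 8 / Server 2012 and later; the two function names are mine, and it assumes an elevated session.

```powershell
# Added example (not from the thread): audit and optionally enforce SMB signing.
# Requires an elevated PowerShell session and the SmbShare module (Windows 8 / Server 2012+).

function Get-SmbSigningPosture {
    # Server side: does this host insist that clients sign SMB traffic?
    $server = Get-SmbServerConfiguration
    # Client side: does this host insist that servers it connects to sign?
    $client = Get-SmbClientConfiguration

    [pscustomobject]@{
        ServerRequiresSigning = $server.RequireSecuritySignature
        ServerEnablesSigning  = $server.EnableSecuritySignature
        ClientRequiresSigning = $client.RequireSecuritySignature
        ClientEnablesSigning  = $client.EnableSecuritySignature
    }
}

function Set-SmbSigningRequired {
    # Enforce signing for both roles. Note what this does and does not buy you:
    # a signed session cannot be relayed to a third host, but the NTLMv2
    # challenge/response is still exchanged in the clear and can still be
    # captured for the offline attack discussed in this thread.
    Set-SmbServerConfiguration -RequireSecuritySignature $true -EnableSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -EnableSecuritySignature $true -Force
}

$before = Get-SmbSigningPosture
$before | Format-List

if (-not $before.ClientRequiresSigning -or -not $before.ServerRequiresSigning) {
    Write-Warning 'SMB signing is not required on at least one role; run Set-SmbSigningRequired to enforce it.'
}
```

      As the comment notes, out of the box only domain controllers require signing; workstations and member servers default to "enabled but not required", which is what the warning above will flag. Requiring it on the client side is the setting that matters for a host that is being redirected to someone else's server.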

    10. Re:Article one giant spew of hyperbole by WaffleMonster · · Score: 1

      NTLMv2 isn't broken, but it definitely isn't as good which is why Windows uses Kerberos by default.

      Both NTLMv2 and Kerberos are broken because an attacker is able to conduct offline brute force attacks against credentials simply by observing challenge/response communication between client and server.

      This constitutes an unacceptable risk because the vast majority of users do not use passwords with sufficient entropy to withstand an offline attack conducted by modern, distributed and specialized hardware. In the end you're looking at an easy >90% success rate against most targets vs guaranteed 100% rate with NTLMv1.

      I wish MS would finally get off its ass and switch to a zero knowledge key agreement protocol.

  17. Run Windows! Virtual Machines by Anonymous Coward · · Score: 0

    I have no problem running windows. I just run it inside a tightly controlled virtual machine, with very limited network access. That way, it can't damage my hardware, corrupt my software, or muck with my critical files. There are safe ways to run Windows.

  18. You misunderstood me. by mmell · · Score: 1
    Re-read and try again. Better still, make yourself feel better and just remove the word "Windows" from the S/A description. The statement still works both as written and as intended (because there are sysadmins out there with I.Q.'s below 90, and not all of them are Windows admins).

    Feel better?

  19. Fuck unix permissions! by Anonymous Coward · · Score: 0

    Systemd/Kits/logind bringing this crap to a Linux near you

  20. Re:And they complain about Open Source flaws? by Anonymous Coward · · Score: 0

    A dumb post, considering Windows, if anything, has had fewer vulnerabilities in the last few years than OSX or Linux.

  21. Those 6575 day attacks are the worst! by Gumbercules!! · · Score: 1

    Forget those 0 day attacks you've heard so much about. The 6575 day attacks are the real problem!

  22. Probably unfixable ... by harryjohnston · · Score: 1

    ... on the Windows side. Too much stuff would break if you had to approve every server connection.

    The applications that are providing the attack vector might be fixable. It isn't really a good thing for a remote attacker to be able to get your machine to try to open a file, especially a remote one. The main problem, from the sounds of it, is the sheer number of applications affected.

    Reminiscent of DLL hijacking attacks, really.

  23. Stay Safe by Anonymous Coward · · Score: 0

    Use Windows Starter.

  24. 2 ways to fix it on a client endpoint... apk by Anonymous Coward · · Score: 0

    IF you're on a stand-alone single user system cut server service (useless in that situation anyhow) using services.msc, or use Port 139 & 445 blocks via your Windows firewall for BOTH inbound + outbound UDP & TCP packets...

    * Either SHOULD "do the job" in that situation...

    APK

    P.S.=> Server-wise, as I *think* you're specifically leading to WILL be as you said though - patch time is the only REAL 'save' since MS' networking depends on 139 & 445 ports to work properly... apk

    1. Re:2 ways to fix it on a client endpoint... apk by harryjohnston · · Score: 1

      You would need to disable the Workstation service, not just the Server service.
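
      The two client-side mitigations from the post above (firewall blocks on 139/445 and stopping the SMB services), with the reply's correction that the Workstation service is the outbound half that matters, as an added example that is not part of this thread. It also surfaces the earlier observation in this thread that the built-in "File and Printer Sharing (SMB-In)" rule stays scoped to the local subnet under the Public profile. The cmdlets are the standard NetSecurity and service cmdlets on Windows 8 / Server 2012 and later; the rule name prefix and function names are mine, and it assumes an elevated session.

```powershell
# Added example (not from the thread): client-endpoint mitigations for Redirect to SMB.
# Requires an elevated PowerShell session on Windows 8 / Server 2012 or later.

$SmbPorts   = 139, 445        # ports named in the post; 445 is TCP-only in practice
$RulePrefix = 'Block-SMB'     # display-name prefix for the rules we create (my choice)

function Block-OutboundSmb {
    # Redirect to SMB needs the victim to *initiate* a connection to the
    # attacker's server, so the outbound direction is the one that matters.
    foreach ($proto in 'TCP', 'UDP') {
        $name = "$RulePrefix-Outbound-$proto"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol $proto `
                -RemotePort $SmbPorts -Action Block -Profile Any | Out-Null
        }
    }
}

function Block-InboundSmb {
    # Optional: also close the host's own file server, which the post assumes
    # is unused on a stand-alone single-user box.
    foreach ($proto in 'TCP', 'UDP') {
        $name = "$RulePrefix-Inbound-$proto"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol $proto `
                -LocalPort $SmbPorts -Action Block -Profile Any | Out-Null
        }
    }
}

function Disable-SmbServices {
    # LanmanServer is the Server service named in the post; LanmanWorkstation is
    # the Workstation service the reply adds, i.e. the SMB *client*. Disabling
    # the client breaks every mapped drive and UNC path on this machine.
    foreach ($svc in 'LanmanServer', 'LanmanWorkstation') {
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
        Set-Service -Name $svc -StartupType Disabled
    }
}

function Get-BuiltinSmbInScope {
    # Show how Windows' own SMB-In rule is scoped per profile (LocalSubnet is
    # what limits exposure on the Internet but not at a shared Wi-Fi hotspot).
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*SMB-In*' } |
        ForEach-Object {
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Profile       = $_.Profile
                Enabled       = $_.Enabled
                RemoteAddress = $addr.RemoteAddress
            }
        }
}

function Get-SmbExposure {
    # One-line posture summary to run before and after applying the mitigations.
    [pscustomobject]@{
        ServerService      = (Get-Service -Name LanmanServer).Status
        WorkstationService = (Get-Service -Name LanmanWorkstation).Status
        OutboundBlocked    = [bool](Get-NetFirewallRule -DisplayName "$RulePrefix-Outbound-TCP" -ErrorAction SilentlyContinue)
        ListeningOn445     = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    }
}

Get-BuiltinSmbInScope | Format-Table -AutoSize
Get-SmbExposure
# Apply only the outbound block by default; the other two are opt-in.
Block-OutboundSmb
Get-SmbExposure
```

      The outbound block is the one that directly addresses the redirect, and it is the least disruptive of the three on a stand-alone machine. The post's own P.S. applies to anything domain-joined: Group Policy is retrieved from SYSVOL over SMB, so neither the outbound block nor a disabled Workstation service is viable there without breaking policy processing.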

  25. Good point (especially for single user rig)... apk by Anonymous Coward · · Score: 0

    I've recommended BOTH in security guides for years https://www.google.com/search?... (9/10 of the top results are those guides written by "yours truly")...

    APK

    P.S.=> The fewer services you run, in *ANY* event, means the more cpu cycles, RAM, + other forms of I/O you have available for the processes you DO want to run too, so "double-bonus"... apk

  26. Re:Windows doesn't need to be secure by Anonymous Coward · · Score: 0

    -1 for truth. Nice.

  27. Speaking of old security protocols... by Anonymous Coward · · Score: 0

    Let's see a formal statement from MS that we can shut off NetBIOS and it won't break any MS apps. (Not third party apps, just MS apps).