Slashdot Mirror

← Back to Stories (view on slashdot.org)

Windows Remains Vulnerable To Serious 18-Year-Old SMB Security Flaw

Posted by samzenpus on from the protect-ya-neck dept.

Mark Wilson writes A serious security hole leaves millions of Windows users open to attack, making it possible to extract encrypted credentials from a target machine. Researchers at Cylance say the problem affects "any Windows PC, tablet or server" (including Windows 10) and is a slight progression of the Redirect to SMB attack discovered by Aaron Spangler way back in 1997. Redirect to SMB is essentially a man-in-the-middle attack which involves taking control of a network connection. As the name suggests, victims are then redirected to a malicious SMB server which can extract usernames, domains and passwords. Cylance also reports that software from companies such as Adobe, Oracle and Symantec — including security and antivirus tools — are affected.

96 of 171 comments (clear)

  1. used devastatingly already by circletimessquare · · Score: 5, Interesting

    apparently this is how sony got hacked

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:used devastatingly already by ShaunC · · Score: 2

      I hadn't heard that for all the North Korea rabble-rousing and misdirection. Were there ever any real postmortem details? I remember seeing plenty of speculation, but none mentioning this attack; if the official report from Mandiant ever came out, it didn't cross my radar.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    2. Re:used devastatingly already by PRMan · · Score: 2

      Does anyone have a link for this?

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    3. Re:used devastatingly already by fuzzyf · · Score: 5, Interesting

      Man in the middle using SMB share. That requires someone to be on the local network to begin with.
      Could be used after pivoting, but not as a first foothold attack.

    4. Re:used devastatingly already by bloodhawk · · Score: 2

      So you are saying it wasn't north korea as the US government has been claiming and it was actually someone on their local lan? where did you find this information?

    5. Re:used devastatingly already by Billy+the+Mountain · · Score: 1

      Citation needed

      --
      That was the turning point of my life--I went from negative zero to positive zero.
    6. Re:used devastatingly already by cjb658 · · Score: 1

      They would just need a VPN login, easily obtainable through phishing.

    7. Re:used devastatingly already by circletimessquare · · Score: 1

      yes, they probably had inside help

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    8. Re:used devastatingly already by circletimessquare · · Score: 2

      there you go:

      http://www.securityweek.com/ha...

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    9. Re:used devastatingly already by circletimessquare · · Score: 2

      source:

      http://www.securityweek.com/ha...

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    10. Re:used devastatingly already by circletimessquare · · Score: 1

      i *think* they had inside help, that's my own personal opinion, no source

      i don't know all the details of the tool, maybe they didn't have inside help but just a little social engineering for a few hours one day. or maybe even the sony security was so rotten, they could set it all up from the outside

      here's the article that mentions the attack:

      http://www.securityweek.com/ha...

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    11. Re:used devastatingly already by dbIII · · Score: 1

      The North Korea distraction was late in the game and idiotic, but it did have the benefit that the stupid lie could be used as an excuse to get extra funding due to "cyberwar" threats instead of the normal criminal activity it very clearly was.
      If you fell for it and are not a source of funding for IT security then you are "collatoral damage".

    12. Re:used devastatingly already by cavreader · · Score: 1

      I think a lot of people have forgotten that Stuxnext required someone on the inside who had access to the Iranian centrifuge lab to kick off the party. Cultivating that inside asset was probably harder, and definitely more dangerous, than engineering the virus.

    13. Re:used devastatingly already by circletimessquare · · Score: 1

      yeah the technical aspects of an exploit are always interesting

      but a real devastating hack is always 90% boring and mundane social aspects

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    14. Re:used devastatingly already by circletimessquare · · Score: 1

      did you read the fucking article?

      follow the link moron:

      https://www.us-cert.gov/ncas/a...

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    15. Re:used devastatingly already by circletimessquare · · Score: 1

      the SMB worm doesn't use an SMB flaw genius?

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    16. Re:used devastatingly already by circletimessquare · · Score: 1

      an SMB worm uses an SMB flaw, but that has nothing to do with this topic

      got it

      thanks for setting me straight genius

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    17. Re:used devastatingly already by bloodhawk · · Score: 1

      Soooo what exactly does that article have to do with this vulnerability? it is not mentioned in their, nor does the SMB worm mentioned make use of such a vulnerability? So think you definitely still need a citation.

    18. Re:used devastatingly already by Bert64 · · Score: 1

      With a VPN login, you can start looking for hosts on the internal network to attack... Chances are on a network of any significant size there will be at least one box which is vulnerable to something, either unpatched vulnerability or weak password.
      If you look at an internet facing network, there are generally few exploitable things visible because exposure to the internet ensures that all the low hanging fruit has already been picked, but on an internal network there is all manner of easy stuff. Once you have one machine, you can easily spread from there including using attacks like those described in the article.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    19. Re:used devastatingly already by bloodhawk · · Score: 1

      no it doesn't

    20. Re:used devastatingly already by fuzzyf · · Score: 1

      I would love to see some details about this.
      One would think that basic credential traversal would be the preferred method once inside. MITM redirection of SMB traffic would probably set of a few IDS alerts.

    21. Re:used devastatingly already by dave420 · · Score: 1

      Just because it mentions SMB does not mean it's talking about the exact same thing. It might help you to not keep repeatedly posting the same nonsense, unless you want to be the new APK :-P

  2. Grammar by Anonymous Coward · · Score: 1

    "Software...are affected"? Has samzenpus ever heard of a mass noun?

    1. Re:Grammar by jabberw0k · · Score: 1

      Be thankful it wasn't (cringe) "softwares" at least.

    2. Re:Grammar by CaptainDork · · Score: 1

      LMBO

      --
      It little behooves the best of us to comment on the rest of us.
  3. Wow, this *IS* old... by rickb928 · · Score: 5, Insightful

    IIRC, we discussed this in MSE classes, the same ones where the instructor assured us we need not register a domain name for our internal network (!), and agreed that despite the lack of information from Microsoft, It was worth it to block SMB ports from the public networks. As well as others, such as SQL Server (1433/1434 at a minimum), AD (135,389,5722, and the list goes on), and other services we need not expose to nor listen on for external traffic, we rapidly got to the point where the reasonably responsible admin blocked by default, opened only what was necessary, and then directed these to the proper hosts inside the network.

    This is slightly older than the Y2K bug. And still not really fixed? Microsoft's choices here have always come back to haunt them. NetDDE, OLE, the HTML viewers, and this, all making Outlook once the premier distribution method for viruses and all form of malware,

    Interprocess friendliness has its cost. Ease of use goes both ways. The crooks are happy to take advantage of your features.

    --
    deleting the extra space after periods so i can stay relevant, yeah.
    1. Re:Wow, this *IS* old... by mmell · · Score: 2, Interesting
      Yeah, but . . .

      Are there any Windows Administrators out there with I.Q.'s > 90 that knowingly and intentionally leave ports 137, 138, 139 and/or 445 open to the Intartubes?

    2. Re:Wow, this *IS* old... by ageoffri · · Score: 2

      I'm sure there are Windows Administrators who would leave those ports open. Hopefully you have Network Administrators who know enough to block by default and require justification to open ports.

      --
      -- Slashdot, making the Left look conservative since 1997.
    3. Re:Wow, this *IS* old... by dAzED1 · · Score: 1

      they should be able to - if Windows was worth the security targets it has bought.

    4. Re:Wow, this *IS* old... by David_Hart · · Score: 2

      Yeah, but . . .

      Are there any Windows Administrators out there with I.Q.'s > 90 that knowingly and intentionally leave ports 137, 138, 139 and/or 445 open to the Intartubes?

      If your Windows Admins are managing your firewalls, then you are in trouble... Usually it's either the network engineers or firewall Admins.

      This has been a non-issue for the simple fact that no one opens these ports to the Internet...

    5. Re:Wow, this *IS* old... by X0563511 · · Score: 1

      "Should" is pretty distinct from "is."

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    6. Re:Wow, this *IS* old... by holostarr · · Score: 2, Insightful

      Yes there are! I personally know one at my company who is as a matter of fact very good at what he does and incredibly knowledgeable. Your assumption that Microsoft products somehow attracts idiots more than other products is stupid.

    7. Re:Wow, this *IS* old... by XanC · · Score: 2

      Last year I signed up for a dedicated server, and discovered that the provider's VPN server and their control panel server had Windows file sharing and remote desktop ports open to the world! And they wouldn't give me a refund. Losses cut and lesson learned...

    8. Re:Wow, this *IS* old... by XanC · · Score: 1

      Oh I should also point out that they didn't use HTTPS for anything. Logging in to your account and everything was entirely HTTP. "Reliable Site" my ass...

    9. Re:Wow, this *IS* old... by dbIII · · Score: 1

      and other services we need not expose to nor listen on

      That's *nix (or any other) firewalling 101. The instructor was probably not addressing any individual known threat but the general idea that you don't let the outside world touch ports for internal use just in case something can get in some day.

    10. Re:Wow, this *IS* old... by Gumbercules!! · · Score: 2, Interesting

      Yeah sadly, there's heaps of them. People who connect their Windows machine to the internet by establishing the PPPoE session from the machine, for one. People who rent a VM from a cloud provider and just get a straight up Windows box with no firewall, for two. If you think there's not a lot of those, believe me, there are. We run a cloud computing company and we frequently (ok, by frequently I mean a few times a year, I suppose - but we're just one company) get requests for people to have a Windows box with no firewall (other than the Windows one) because "it gets in the way", etc.

      As a service provider, I am not sure how to handle this because, technically, it's "their server". I mean, I can provide them all the advice I want but making them listen is another thing altogether.

      In one case, I showed the guy that I could map a drive to his server, over the public internet and that he needed to deny all ports other than the one he needed open (443) but it's like speaking to a child. They don't understand why it's a problem and they just want what they think they want and they want it, now.

      So I am not really sure how to handle this. Wherever I can, I don't give them the choice - I just enforce an upstream firewall but at the end of the day, if someone wants to pay money to own a VM and they're not (yet) causing any problems for anyone other than themselves...I can't be in business if I keep saying no to everyone. So yeah - there are plenty of Windows people out there who expose everything to the world.

    11. Re: Wow, this *IS* old... by rickb928 · · Score: 1

      I shouldn't have left the impression that this instructor taught us to block but default. At that time MCSE didn't teach that. And he didn't either. We all discussed it over coffee among other things, like the stupidity of naming your intranet 'msft.net'. That was taught at one time.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    12. Re:Wow, this *IS* old... by Black+Copter+Control · · Score: 1

      I'm sure that the crackers who took over those machines found them to be very reliable.

      --
      OS Software is like love: The best way to make it grow is to give it away.
    13. Re: Wow, this *IS* old... by dbIII · · Score: 1

      Fair enough. I've been known to block the ports listening to SMB stuff at various points in internal networks just to make sure that the wrong thing doesn't answer when called. Printing stuff out three buildings away on a different subnet is funny the first time but then gets a bit old.
      "If it's not expecting traffic on that port on that interface then block it" always seemed like a simple way to start to me.

    14. Re:Wow, this *IS* old... by Bert64 · · Score: 1

      The problem is poor design and inertia... It's not like a simple bug which can be fixed without changing how the software works, there are many design flaws in the protocol itself and fixing them would require incompatible changes. If you're going to drop current windows versions and go to an incompatible system, might as well go straight to linux.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    15. Re:Wow, this *IS* old... by Bert64 · · Score: 1

      Requiring a firewall is another poor design decision... You should be able to turn all these services off, but windows makes it extremely difficult to disable the default listening services and the recommendation is to hide them behind a firewall... If the system still runs with the services hidden so that noone can connect to them, then why exactly do they need to be listening at all?

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    16. Re:Wow, this *IS* old... by Macfox · · Score: 1

      If you insist on the dumb idea of using a public TLD internally for your Windows domain. This is why MS defaults to append .local. (http://en.wikipedia.org/wiki/.local)

      --
      Area51 - We are watching...
    17. Re:Wow, this *IS* old... by greggman · · Score: 1

      Guest: Hey, what's your wifi password?

      Me: It's "foobarmoo"

      App on guest's phone: "All your base are belong to us!"

      (or any other cheap IP camera, network TV, network TV dongle, XBox/Playstation game, app on your computer or anything else on your local network :( ) ...yes I have a guest wifi but I haven't gone to the trouble to isolate every other piece of hardware on my local network from my Windows box from which they are streaming stuff.

    18. Re: Wow, this *IS* old... by rickb928 · · Score: 1

      That's a permissions problem. Users in one building shouldn't have permission to use printers in another.

      Groups are your friend.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    19. Re:Wow, this *IS* old... by RavenLrD20k · · Score: 1

      I agree with the AC. When a webhost does this type of thing they need to be named and shamed so those of us currently in search of a good managed dedicated server for a client can mark these guys off our list. Also, how much money are you out? Did you pay for a whole year for a new host, or did you do the smarter route and only did month to month for the first year or two as you verified their security and stability?

    20. Re:Wow, this *IS* old... by mvdwege · · Score: 1

      As a service provider, I am not sure how to handle this because, technically, it's "their server".

      On the other hand 'their' server has to share a network with other servers. If they refuse to use best current security practices, their server will start interfering with other servers.

      So the answer is: don't sell them unsecured VMs. If they can't take the above argument and insist, at least charge them more based on the fact that you will have to clean up the mess eventually. And if you have many such customers, invest in some monitoring solution that can detect hacked boxen.

      --
      "I know I will be modded down for this": where's the option '-1, Asking for it'?
    21. Re: Wow, this *IS* old... by dbIII · · Score: 1

      Yes I know that and I also had users that moved about the campus and logged on in machines sitting in other buildings. Limiting by location of machine is a better friend :)

    22. Re: Wow, this *IS* old... by rickb928 · · Score: 1

      That's group membership that matters. Machines do move however, so location-based membership is next. My current computers are all notebooks or tablets. Even at work.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    23. Re:Wow, this *IS* old... by Gob+Gob · · Score: 1

      If your Windows Admins are managing your firewalls, then you are in trouble... Usually it's either the network engineers or firewall Admins.

      It always strikes me as odd that people assume businesses have the resources to deploy "best practices" ~ aka having one specialist team member for every IT position (Net, Admin, DBA, analyst, help desk, etc). Most businesses (ie small / medium ones) can only scrape together the means to employ one person (if any) and hope they have the skills to keep the business applications running ~ pretty much _everything_ else is secondary.

      Does this "best practice" mantra attempt to coach SME's to do the right thing or is it just arrogance that people pontificate that the default assumption is that every business has the resources of the Enterprise?

    24. Re:Wow, this *IS* old... by RockDoctor · · Score: 1

      Name and shame.

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
    25. Re:Wow, this *IS* old... by XanC · · Score: 1

      It was ReliableSite.net. I tried to name them earlier but was too subtle. :-)

      I was only out a month's worth, fortunately.

    26. Re:Wow, this *IS* old... by XanC · · Score: 1

      Done; see above

  4. So if your network is also from 1997 by silas_moeckel · · Score: 2

    It requires a man in the middle attack on traffic that should never go across the internet outside a vpn. Yes it's a problem but not exactly a significant one for a well put together network.

    --
    No sir I dont like it.
    1. Re:So if your network is also from 1997 by LordLimecat · · Score: 1

      >having no idea what you're talking about
      >throwing out NSA and MITM like theyre relevant here

    2. Re:So if your network is also from 1997 by The-Ixian · · Score: 2

      My understanding is that this exploit simply requires you to have outbound SMB ports open.
       
      In my experience, most firewall setups (especially those in companies who don't have dedicated IT staff) allow unrestricted outbound communications.

      --
      My eyes reflect the stars and a smile lights up my face.
    3. Re:So if your network is also from 1997 by silas_moeckel · · Score: 1

      If your laptop is connecting to any random open wifi and does not have a strict firewall, it should get a STI aka Stupid Transmitted Infection.

      --
      No sir I dont like it.
    4. Re:So if your network is also from 1997 by silas_moeckel · · Score: 1

      Why on earth would any competent IT staff have SMB open outbound? If at all possible desktops should not be allowed to make direct connections to anything outside in a corp network.

      --
      No sir I dont like it.
    5. Re:So if your network is also from 1997 by Gr8Apes · · Score: 1

      The better question is why would any competent IT staff have any SMB services installed or allowed?

      --
      The cesspool just got a check and balance.
    6. Re:So if your network is also from 1997 by blue9steel · · Score: 1

      Perhaps because it's standard for both Windows and OSX workstations? In a multi-platform network SMB is often the best choice for filesharing. If it's setup properly (NTLMv2 only, SSL encrypted, SMB message signing turned on) it's actually pretty reasonable security wise.

    7. Re:So if your network is also from 1997 by LinuxIsGarbage · · Score: 2

      If your laptop is connecting to any random open wifi and does not have a strict firewall, it should get a STI aka Stupid Transmitted Infection.

      I was going to say "Even Windows is smart enough". Looking at the Windows 7 Firewall profile, even under "Public Network" profile (Coffee Shop, Airport, or directly connected to internet), SMB is allowed for the local subnet, which would limit attack surface on the Internet, at a Wifi hotspot could be deadly. Which I guess is why some hotspots disallow local traffic between peers.

    8. Re:So if your network is also from 1997 by Bert64 · · Score: 1

      The problem is that SMB is not just a filesharing protocol, it provides access to whole heaps of other functionality at least on windows. If all you want to do is file sharing then SMB is a terrible choice.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    9. Re:So if your network is also from 1997 by blue9steel · · Score: 1

      Well AFP is horrible and NFS isn't exactly fully supported cross platform, that doesn't leave a lot of options.

    10. Re:So if your network is also from 1997 by Gr8Apes · · Score: 1

      try scp or rsync sometime: fully supported by all operating systems that try to be secure. Oh, you meant "GUI" access, in that case, use a web based service that allows directory views and uploads. Or use some dropbox like enterprise solution. In any case SMB is a terrible terrible solution. None of my *nix based boxes run it.

      Disclaimer: I use scp and rsync - I have not used any of the other solutions.

      --
      The cesspool just got a check and balance.
    11. Re:So if your network is also from 1997 by blue9steel · · Score: 1

      SCP and rsync are file transfer protocols not file sharing protocols, they don't work nearly the same. Perhaps your solution works for a single developer's workstation or a small technology startup but it's not going to scale to a large business with many employees, most of whom do not work in IT.

    12. Re:So if your network is also from 1997 by Gr8Apes · · Score: 1

      Hence the reference to an enterprise solution, one that is targeted to windows even. Pretty much everything is better than the insecure disaster known as SMB.... and if you think those alternatives are "bad", then blame MS for foisting the horrors of insecure and crappy SMB on the masses.

      I believe "Just because you can doesn't mean you should" applies to all facets of SMB like playing with frightened skunks (with similar results for those slow on the relationship)

      --
      The cesspool just got a check and balance.
    13. Re:So if your network is also from 1997 by jp10558 · · Score: 1

      I'd love to know the better solution for Mac, Windows and Linux access to network shares, and the network shares have to be performant, local (i.e no cloud sync), not require paid software, and support several tens of terabytes per shared filesystem. Oh, and use Active Directory permissions...

      --
      Opera, Proxomitron-Grypen,GPG 0x0A1C6EE3
    14. Re:So if your network is also from 1997 by Gr8Apes · · Score: 1

      So there's your problem - you want this polished turd because it's all shiny, but it's still a turd. You never wondered why it's free? You will have to pay to get one of the secure ones if the host of other free solutions are not to your liking.

      The real question with disk space being so damn cheap is why would you want a "performant, local" network share anyways with AD permissions to boot on 10s of TBs per FS? That sounds more like a content management system that you've co-opted SMB to do, and it is wholly unsuited to that task. I'll bet it keeps your Win admins hopping though. This just screams "Just because you can, doesn't mean you should" and "You get what you pay for". (You're paying, just not a software vendor)

      --
      The cesspool just got a check and balance.
    15. Re:So if your network is also from 1997 by jp10558 · · Score: 1

      Honestly, I'm not sure if you're a troll, or just someone who strongly believes if you don't do it your way, you're wrong.

      I'm working in a research institution. We have limited funding from grants. We are doing X-Ray research, with detectors that output data on the order of 30GB a run, and there can be more than one run a day. This data, once generated, needs to be accessible by compute nodes, without hitting the acquisition disk. There isn't reliable down time between acquisitions, so rsyncs are hard to schedule. We also need to schedule backups, which is easier on central storage, as these acquisition machines move around, and aren't always up.

      Laptops have trouble carrying around 30TB for analysis, and desktops aren't cost effective with that storage load. I could also go into the issue with data walking out the door, which may be prohibited, or desired depending on the situation.

      On top of binary research data, there's all the program source, program binaries, infrastructure data, standard office documents etc.

      I'm not sure about a content management system - we have a Wiki which is great, and SVN which is great, and Vault for Inventor source control, which is also great. For office documents, the closest thing I'm aware of is Sharepoint, which doesn't seem like anything I want to touch with a 10 ft pole. What else should I be looking at?

      And how does it work for users who barely understand "save to this network folder"?

      --
      Opera, Proxomitron-Grypen,GPG 0x0A1C6EE3
    16. Re:So if your network is also from 1997 by Gr8Apes · · Score: 1

      Honestly, I'm not sure if you're a troll, or just someone who strongly believes if you don't do it your way, you're wrong.

      Fortunately, I'm neither. I will, however, point out when something's just "wrong". (I know, it's easy to be a critic)

      I'm working in a research institution. We have limited funding from grants. We are doing X-Ray research, with detectors that output data on the order of 30GB a run, and there can be more than one run a day....

      So you have bounded the binary data problem, 30GB data sets with multiple sets generated a day. You also state that the acquisition disks cannot be hit while it's running. You don't state whether you can use a SAN, which would be your best technical option, although does cost some money but allows for processing, redundancy, backups, and offloading. The next best option would be a NAS system, as that would offload your acquisition system(s) data load. These systems can also feed your compute nodes easily, as well as give access to your users, if you wish.

      For the remainder, it sounds like you have what you need for your use cases, except for the SMB network share issue. Given your domain, you'd expect the people working within it to be able to follow the simplest of instructions to access and save their data. If not, perhaps new people are in order. If you can't work the machines.... But seriously, offloading the binary data implies, from your statements, that your new use case for sharing is significantly simplified, and potentially whatever you choose for the better binary store also works for whatever needs you have left.

      --
      The cesspool just got a check and balance.
    17. Re:So if your network is also from 1997 by jp10558 · · Score: 1

      Well, there's the experimental data, and then the administrative data. Those word docs need to be shared, backed up, etc. The various matlab and labview files need to be accessible from Sun Grid Engine nodes and local Windows, Scientific Linux and Mac OSX workstations.

      We currently use a RedHat HA cluster that provides NFS and CIFS / SMB access to disk stored on iSCSI devices. So sort of a home build SAN I guess. We looked into better known commercial offerings, but basically they were 10x our budget. Unlikely to happen. One of the "Wins" we got was budgeting to buy actual 1U servers with IPMI and the like. Even build your own costs a good chunk of IT budget for 5 years.

      Scientists and Professors are a bit unreasonable I guess - they want high performance, reliability, and all that without having to spend a lot of money or change their workflow at all. They also flat out don't read documentation about stuff that's unimportant to their research, and to them, computers should be like mains power - it's unimportant how it works, and it should magically "do the right thing"...

      If they have to know more than "plug it in", there's likely to be trouble. IT certainly can't ask any user to ... stop being a user because they don't know what a network share is, or what a computer power button is. They user is a world class scientist here to do important research - they don't have time for "unnecessarily complicated" systems. Sadly, this is of course why we have jobs. But it does generally keep us to the lowest common denominator for software and solutions.

      --
      Opera, Proxomitron-Grypen,GPG 0x0A1C6EE3
    18. Re:So if your network is also from 1997 by Gr8Apes · · Score: 1
      So your problem is really 2-fold:
      • You are being asked to deliver diamond jewelry with a glass budget
      • You cannot change anything about your users

      I'd state the second is false, as you're forcing them into a windows environment, and, unless things have changed, many of those folks have used *nix flavors as well. Of course, you're stuck with the MS Office disease, which probably still has 10 years left before it clears up.

      Given your constraints and situation and where you are, I don't believe any obviously solid suggestions are really possible. I'd look into some document storage ECM / CMS (Enterprise Content Management / Content Management System) solutions that are free / low-cost, including programs that may be free for you specifically. Those will add versioning capabilities to your documents and a solid permissions system that should be easier to administer over an AD based system while hopefully using your existing hardware base. And that's only if you need that functionality.

      --
      The cesspool just got a check and balance.
    19. Re:So if your network is also from 1997 by jp10558 · · Score: 1

      Oh, I'm not forcing anyone into a Windows environment. I strongly push them towards Linux and tell them it's the preferred environment at the lab, and all our infrastructure is Linux based. We just wanted to set up a data download station, and suggested Linux, but were told the external users aren't familar with Linux (I don't know how they run the experiment, where lots of it is based on Linux, but hey, not something I get to change), and will need Windows there.

      We have plenty of Labview stuff which I'm told by staff must use Windows, as well as some Matlab stuff, even though I'm pretty sure quite a lot of it runs on Linux, I don't get to override them.

      And then there are the Mac users who insisted on using onenote for logging on a separate Windows computer, when their experiment controls were all Linux and their laptops are Macs, but why not use a Windows only program for this note-taking? Because it's easier than a web based logging tool to copy pictures into. (This was 2008ish, carries forward to now, though there now is a Mac OneNote client, it's still not to my knowledge multi user or runable on Linux)...

      Most of the insanity comes from people who *don't care* about the technical reality and substitute their own. And are apparently OK with a lot of cluged together solutions. At least I get a job out of it.

      --
      Opera, Proxomitron-Grypen,GPG 0x0A1C6EE3
  5. Windows File-Sharing by Etherwalk · · Score: 1, Troll

    Windows file-sharing on home machines has pretty much always been terrible. It's like a bunch of monkeys put it together. I am guessing they tasked one or two guys to add it to home machines when the bulk of a group was working on corporate file sharing (which is at least a bit more reliable), and the result was just a really bad design and code that has been sitting around the kernel forever. Getting two machines to talk to each other over an Ethernet cable has always been much harder than in linux. (I was going to say and less secure, but I remember the telnet and ftp days...)

  6. original paper here by Anonymous Coward · · Score: 3, Informative

    original paper here: http://cdn2.hubspot.net/hubfs/270968/SPEAR/RedirectToSMB_public_whitepaper.pdf

    How hard is it to mandate any submission contain the source instead of some shill article?

  7. Ceterum censeo by TeknoHog · · Score: 3, Funny

    I remain vulnerable to serious 18 year olds, if you catch my drift.

    --
    Escher was the first MC and Giger invented the HR department.
    1. Re:Ceterum censeo by BronsCon · · Score: 1

      But do you exploit them?

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  8. Wish this were new or news by WaffleMonster · · Score: 2

    I don't know how or why it came to this. The world is hooked on insecure authentication protocols. NTLMv2, Kerberos, plaintext, plaintext over encrypted tunnel protected by group secrets (sigh..) or certificates and dull thud of every flawed permutation of a challenge handshake system imaginable.

    These things are employed virtually everywhere and the consequences are visible everywhere.

    Haha I tricked you or your computer into connecting to my file system or my fake bank or my fake web site and because of that I now have your credentials and your f*****d.

    Living with consequences has become so routine and institutionalized some find it difficult to see the problem at all ... instead resorting to blaming failure of a castle defense or operating in an unsafe environment rather than notice the root cause of the problem - broken authentication systems.

    When the most widely deployed use of a secure authentication protocol is protecting an online role playing game I have no interest in Microsoft's (And all other vendors) lame excuses for not fixing these problems decades ago.

    1. Re:Wish this were new or news by WaffleMonster · · Score: 1

      Why do you lump Kerberos in there? Kerberos afaik is fine security wise.

      Kerberos client authentication is subject to offline dictionary attack.

    2. Re:Wish this were new or news by WaffleMonster · · Score: 1

      Do you have an opinion of a relatively common method that is better? My issue with many is that it jusst sends the password to the server for verification, trusting that TLS will protect it. Given that it's exceedingly common for clients to not verify the certs, this is also fraught with risk.

      Recommend looking into a PAKE algorithm. The advantage they are able to provide mutual proof of possession of a common secret without leaking knowledge that may be used to determine what that secret is. These systems are not vulnerable to offline attack and provide keying to encrypt the network session such that you can carry on a secure conversation post authentication.

      TLS-SRP is currently my favorite option. Currently shipping with many commonly used SSL toolkits. Supported by Apache and CURL but still quite sparse in terms of application support.

      Anything you can put a TLS wrapper around you can probably hack to support TLS-SRP authentication without a terrible amount of effort.

  9. Article one giant spew of hyperbole by laughingskeptic · · Score: 5, Informative

    The article states "the encryption method used was devised in 1998 and is weak by today’s standards ... Microsoft has yet to release a patch to fix the Redirect to SMB vulnerability" as if Microsoft must remove the feature in order for Cylance to consider this resolved. Instead a number of improvements have been made to SMB since 1998 include support for HMAC-SHA256 (v2.0) and AES-CMAC (v3.0) hashing. http://www.windowsecurity.com/.... You are going need a little more than "$3000 worth of GPUs" to forward brute force the AES-CMAC hashed passwords.

    1. Re:Article one giant spew of hyperbole by Tablizer · · Score: 1

      There may be a good reason MS left some of it in place. Anybody want to offer speculation?

      --
      Table-ized A.I.
    2. Re:Article one giant spew of hyperbole by Tablizer · · Score: 1

      Couldn't they switch off the related feature or service by default in the newer OS versions, and only organizations with specialized equipment would need to switch them on? True, many orgs probably wouldn't know about the change or their reliance on an old feature, and be surprised. But generally a major OS upgrade will have changes like that, and should be tested for before production. But it's not always easy to fully test something that relies on multiple servers and services.

      --
      Table-ized A.I.
    3. Re:Article one giant spew of hyperbole by WaffleMonster · · Score: 1

      The article states "the encryption method used was devised in 1998 and is weak by todayâ(TM)s standards ... Microsoft has yet to release a patch to fix the Redirect to SMB vulnerability" as if Microsoft must remove the feature in order for Cylance to consider this resolved. Instead a number of improvements have been made to SMB since 1998 include support for HMAC-SHA256 (v2.0) and AES-CMAC (v3.0) hashing.

      When faced with claims of security it is necessary to fully understand the underlying basis of trust without which security is a mirage.

      What is the mechanism by which one system or user authenticates the identity of another system or user and why is this process trustworthy?

      Without secure authentication and proper binding encryption by itself is useless.

      You are going need a little more than "$3000 worth of GPUs" to forward brute force the AES-CMAC hashed passwords.

      How are the key parameters to AES and HMACs derived? If an attacker can figure that out then a whopping $0 worth of GPUs will suffice.

      So how about it... where does this magical session key for admittedly very substantial and well engineered SMB3 encryption come from?

      The answer is NTLMv2 or Kerberos. This is a "bad deal". NTLMv2 credentials can be stolen and replayed with impunity by launching offline brute force attacks against captured challenge response. Ditto for Kerberos. Game over.

    4. Re:Article one giant spew of hyperbole by altonius · · Score: 1

      Although SMB has been improved to now include AES-CMAC (on Win8/2012) the underlying hashing algorithm used for authentication is still based on LM, NTLMv1, or NTLMv2. Whilst the channel between a client and a server can be encrypted, if you can man-in-the-middle a HTTP connection and redirect it to SMB you are able to set the version of SMB and encryption level used and obtain the authentication details.

    5. Re:Article one giant spew of hyperbole by atamido · · Score: 1

      Although SMB has been improved to now include AES-CMAC (on Win8/2012) the underlying hashing algorithm used for authentication is still based on LM, NTLMv1, or NTLMv2.

      Only Windows Server 2003 and below will accept LM/NTLMv1 by default, which means as far as supported systems only 2003, and it is EOL July 14, 2015. You'd have to be desperate to still be running any 2003, and if you were you can disable LM/NTLMv1 via GPO. Vista/2008 and above will only accept NTLMv2 responses.

    6. Re:Article one giant spew of hyperbole by WaffleMonster · · Score: 1

      Only Windows Server 2003 and below will accept LM/NTLMv1 by default, which means as far as supported systems only 2003, and it is EOL July 14, 2015. You'd have to be desperate to still be running any 2003, and if you were you can disable LM/NTLMv1 via GPO. Vista/2008 and above will only accept NTLMv2 responses.

      NTLMv2 is broke too.

    7. Re:Article one giant spew of hyperbole by atamido · · Score: 1

      NTLMv2 is broke too.

      NTLMv2 isn't broken, but it definitely isn't as good (secure or featureful) as Kerberos, which is why Windows uses Kerberos by default. If you're in a domain, then Windows will only fall back to NTLMv2 for SMB if you do something that would prevent a Kerberos ticket from being verified (like access an SMB share by IP instead of name). It's really just a simpler fallback mechanism now. You could prevent that by requiring signing for all SMB connections, which I believe is only enabled by default on domain controllers.

    8. Re:Article one giant spew of hyperbole by WaffleMonster · · Score: 1

      NTLMv2 isn't broken, but it definitely isn't as good which is why Windows uses Kerberos by default.

      Both NTLMv2 and Kerberos are broken because an attacker is able to conduct offline brute force attacks against credentials simply by observing challenge/response communication between client and server.

      This constitutes an unacceptable risk because the vast majority of users do not use passwords with sufficient entropy to withstand an offline as attack conducted by modern, distributed and specialized hardware. In the end your looking at an easy >90% success rate against most targets vs guaranteed 100% rate with NTLMv1.

      I wish MS would finally get off its ass and switch to a zero knowledge key agreement protocol.

  10. You misunderstood me. by mmell · · Score: 1
    Re-read and try again. Better still, make yourself feel better and just remove the word "Windows" from the S/A description. The statement still works both as written and as intended (because there are sysadmins out there with I.Q.'s below 90, and not all of them are Windows admins).

    Feel better?

  11. Re:Many eyes... by viperidaenz · · Score: 1

    Heartbleed was around for 2 years before it was discovered.

  12. Those 6575 day attacks are the worst! by Gumbercules!! · · Score: 1

    Forget those 0 day attacks you've heard so much about. the 6575 day attacks are the real problem!

  13. Re:Microsoft has eradicated buffer overflows? by harryjohnston · · Score: 1

    This isn't a buffer overflow bug. In fact, it isn't a bug at all, but a design weakness.

  14. Probably unfixable ... by harryjohnston · · Score: 1

    ... on the Windows side. Too much stuff would break if you had to approve every server connection.

    The applications that are providing the attack vector might be fixable. It isn't really a good thing for a remote attacker to be able to get your machine to try to open a file, especially a remote one. The main problem, from the sounds of it, is the sheer number of applications affected.

    Reminiscent of DLL hijacking attacks, really.

  15. Re:Microsoft has eradicated buffer overflows? by TheGratefulNet · · Score: 1

    its as if someone had been coding samba ... in the rain!

    (GOML)

    --

    --
    "It is now safe to switch off your computer."
  16. Re:2 ways to fix it on a client endpoint... apk by harryjohnston · · Score: 1

    You would need to disable the Workstation service, not just the Server service.

  17. Re:Microsoft has eradicated buffer overflows? by harryjohnston · · Score: 1

    It's as if someone had been coding Samba ... in 1987!