Slashdot Mirror


PCs Connected To the Internet Will Get Infected With WanaDecrypt0r In Minutes (bleepingcomputer.com)

An anonymous reader writes: "The Wana Decrypt0r ransomware -- also known as WCry, WannaCry, WannaCrypt, and WanaCrypt0r -- infected a honeypot server made to look like a vulnerable Windows computer six times in the span of 90 minutes, according to an experiment carried out by a French security researcher that goes online by the name of Benkow," reports BleepingComputer. "During one of those infections, Wana Decrypt0r infected the honeypot in a mere three minutes after it was reset, showing the aggressive nature of the ransomware's scanning module, which helps it spread to new victims... Three minutes is about the same amount of time IoT malware will infect a vulnerable home router left connected to the Internet without patches."

The article also highlights the fact that the group behind this threat is possibly made of inexperienced coders, who just stumbled upon a way to weaponize an NSA exploit. Their three previous WanaDecrypt0r campaigns were mundane, and one researcher called their code "utter [expletive]." This is because WanaDecrypt0r is actually made of two main modules, the ransomware itself, and the SMB worm (based on the NSA exploit). While the SMB worm is top-shelf code, the ransomware itself is quite unsophisticated, making a lot of operational errors, including using only 3 Bitcoin wallets to handle payments, instead of one per infected user, as most top-shelf ransomware does. This makes it difficult to tell which victims paid and who didn't, as anyone could claim "x" transaction is theirs, even if they didn't pay.

82 comments

  1. How does it work? by Caesar+Tjalbo · · Score: 1

    How does it work? I've installed Windows 7 last week, my first Windows install in more than a decade and I'm not infected yet. I've been on-line for hours!

    --
    "I'm not much interested in interoperability. I want substitutability. I want to be able to throw your software out."
    1. Re:How does it work? by Anonymous Coward · · Score: 0

      I guess an exposed SMB port (port 445).

    2. Re:How does it work? by The+MAZZTer · · Score: 3, Informative

      You would probably have to directly plug your PC into your ISP's connection as opposed to using a router of which any decent model should block unsolicited incoming traffic by default.

    3. Re:How does it work? by Anonymous Coward · · Score: 3, Informative

      It's been a good practice to not expose SMB ports (445, 139 etc.) to the open Internet for two decades at least, IMHO. I remember that in 1996 (if I remember correctly) I accidentally exposed a NT3.51 machine and my ISP called to warn me.

    4. Re:How does it work? by benjymouse · · Score: 2

      Since Windows Vista (maybe even XP with SP3?) Windows comes with a firewall automatically enabled.

      The firewall has multiple profiles: Work, private and public. On "public" networks it is far more strict than on a "work" network. A work network is a network with a domain controller to which the PC is domain-joined. The private network is somewhere in between.

      So if you have not explicitly commanded Windows to be "discoverable" across the Internet (a bad idea) you will not become infected.

      The worm capability is really only effective on corporate networks. First the virus needs to get inside via email+social engineering+other exploits. Once it has taken over one computer on a corporate (domain controlled) network, it can use the SMB attack vector to spread to unpatched computers.

      Only pre-sp2 XP computers are vulnerable to infection across the Internet. And only if they are not behind some other form of firewall.

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
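The profile behaviour described in this post can be checked rather than assumed. The following is an added example (not benjymouse's code, and not part of the thread): it lists the firewall profiles, the profile attached to the live network connections, and every enabled inbound allow rule whose port filter covers TCP 445 or 139, together with the profiles and remote-address scope that rule applies to. It uses the NetSecurity cmdlets that ship with Windows 8 / Server 2012 and later and should be run from an elevated prompt.

```powershell
# Added example, not from the thread: audit which Windows Firewall profile is
# active and which enabled inbound rules would admit SMB traffic (TCP 445/139).
# Requires the NetSecurity module (Windows 8 / Server 2012 and later); run elevated.

# 1. Which profiles are enabled, and what happens to unsolicited inbound traffic?
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

# 2. Which profile is attached to each live network connection right now?
#    A connection classified as Public gets the strict profile the post describes.
Get-NetConnectionProfile |
    Select-Object Name, InterfaceAlias, NetworkCategory |
    Format-Table -AutoSize

# 3. Enabled inbound allow rules whose port filter includes 445 or 139, with the
#    profiles and remote-address scope they apply to. A hit with Profile "Any" or
#    "Public" and RemoteAddress "Any" is the exposed condition being discussed.
#    Caveat: a rule whose LocalPort is "Any" also admits SMB but is not flagged here.
$smbPorts = @('445', '139')
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    ForEach-Object {
        $rule = $_
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        $hit  = @($port.LocalPort) | Where-Object { $smbPorts -contains "$_" }
        if ($port.Protocol -eq 'TCP' -and $hit) {
            [pscustomobject]@{
                Rule          = $rule.DisplayName
                Profile       = "$($rule.Profile)"
                LocalPort     = (@($port.LocalPort) -join ',')
                RemoteAddress = (@($addr.RemoteAddress) -join ',')
            }
        }
    } | Format-Table -AutoSize
```

On a default installation the hits are the "File and Printer Sharing (SMB-In)" and "(NB-Session-In)" rules, enabled only for the Domain and Private profiles and scoped to the local subnet; if the same rule names show up with the Public profile and an unrestricted remote address, sharing has been opened on a public network, which is the case the post warns about.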
    5. Re:How does it work? by benjymouse · · Score: 3, Informative

      > You would probably have to directly plug your PC into your ISP's connection as opposed to using a router of which any decent model should block unsolicited incoming traffic by default.

      Not only that. Since it's Windows 7 he would also need to either switch off the built-in firewall or allow "sharing of resources" across "public networks". The latter will issue a number of warning dialogs before exposing the SMB port.

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    6. Re:How does it work? by TWX · · Score: 1

      I like to take it a step further, I disallow all outgoing connections except to those destination ports that are legitimate Internet services that I use, and obviously unsolicited incoming traffic is dropped at the firewall. My goal is not only to try to prevent infections from being brought in to my network, but should an infection somehow end up on a node on my network, to deny it the ability to communicate with command and control servers should it try to use nonstandard ports.

      Obviously if a piece of malware is using HTTP or HTTPS to a conventional port then this won't necessarily work, but so far it seems to work well enough.

      --
      Do not look into laser with remaining eye.
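TWX does this at the network firewall; the same egress policy can be applied per host. The block below is an added example (not TWX's configuration and not from the thread): it creates explicit outbound allow rules for a short list of services, adds an explicit outbound block for SMB/NetBIOS so a compromised process cannot use the host to reach SMB on other machines, and then sets the default outbound action of every profile to Block. The allowed ports and rule names are illustrative choices, not anything the post specifies. It must be run elevated, and on a test machine first, because a default outbound block silently breaks everything not on the allow list.

```powershell
# Added example, not from the thread: host-level outbound allow-listing in the
# spirit of the policy described above. Ports and names are illustrative.
# Run elevated. Windows ships outbound allow rules for core networking (DHCP,
# etc.) that stay effective under a default Block, so basic connectivity survives.

$ruleGroup = 'Egress allow-list (example)'

# Services this host legitimately uses; extend to taste.
$allowed = @(
    @{ Name = 'Allow DNS out';   Protocol = 'UDP'; RemotePort = 53  },
    @{ Name = 'Allow NTP out';   Protocol = 'UDP'; RemotePort = 123 },
    @{ Name = 'Allow HTTP out';  Protocol = 'TCP'; RemotePort = 80  },
    @{ Name = 'Allow HTTPS out'; Protocol = 'TCP'; RemotePort = 443 }
)
foreach ($a in $allowed) {
    New-NetFirewallRule -DisplayName $a.Name -Group $ruleGroup `
        -Direction Outbound -Protocol $a.Protocol -RemotePort $a.RemotePort `
        -Action Allow -Profile Any | Out-Null
}

# Explicit block for SMB/NetBIOS leaving the host on every profile: this holds
# even if somebody later relaxes the default outbound action again.
New-NetFirewallRule -DisplayName 'Block SMB/NetBIOS out' -Group $ruleGroup `
    -Direction Outbound -Protocol TCP -RemotePort @(139, 445) `
    -Action Block -Profile Any | Out-Null

# Anything not matched by an allow rule is now dropped on the way out.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

# Verify the default actions and the rules that were just created.
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction | Format-Table -AutoSize
Get-NetFirewallRule -Group $ruleGroup |
    Select-Object DisplayName, Direction, Action, Enabled | Format-Table -AutoSize
```

As the post itself notes, malware that talks HTTP or HTTPS to a conventional port passes straight through a port-based egress list; the value of the policy is in denying the nonstandard ports and in the explicit SMB block, which is the lateral-movement path the rest of the thread is about.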
    7. Re:How does it work? by roc97007 · · Score: 2

      > You would probably have to directly plug your PC into your ISP's connection as opposed to using a router of which any decent model should block unsolicited incoming traffic by default.

      I was somewhat shocked to find that some ISPs just install a cable modem and plug the victim's... sorry, customer's PC directly into the raw internet. Happened to my mother-in-law. Fortunately, she was on the phone to me when he was doing the install, because she didn't fully trust him, and was giving me a running description of what he was doing. When I heard that it was a modem not a router, (she had asked about wifi and he said she'd need to buy a router for that) I yelled "Unplug it! Unplug it now!" and drove over there with a spare router and did the rest of the install myself. I mean geeze, it's like some ISPs are in collusion with the ransomware people.

      Back in the days of DSL, before cable modem or fiber were available in my area, I happily plugged my computer into the DSL modem, ran the included Verizon CD, and got pwned in the first half hour. Reformat, reinstall, try it again, and was pwned inside of 15 minutes. I thought at first that there was a virus on the CD. A little investigation led me to software firewalls... (what was it called, firedoor?) and later to hardware routers.

      But, I'm a geek. What do regular people do?

      --
      Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
  2. So the question is... by Anonymous Coward · · Score: 0

    ...who wrote the SMB worm that exploits ETERNALBLUE, and how long before they sell it to someone who can write much more damaging code than the Wanacry guy? Wana has earned its author a measly $38K that he'll never be able to touch because every intelligence and law enforcement agency is watching those wallets. With no profitability in worldwide ransomware it seems like the next logical step would be launching something that fucks shit up for the hell of it, mass bricking of devices or whatever.

    1. Re:So the question is... by Anonymous Coward · · Score: 1

      > $38K that he'll never be able to touch because every intelligence and law enforcement agency is watching those wallets

      Until the 38k goes out from Wallet A1 to Wallet B1. Meanwhile, Wallets B2....200 send 89.21% of that 38k to wallets A2....200. There's a possibility that will be pieced together, and now the initial criminal A has about 90% of what he extorted, and subsequent money laundering criminal B has accepted the risk for those more closely monitored bitcoins (presumably he believes he can fool the government permanently on this- he may even be correct, but even if he is wrong, there's still no tracing him back to criminal A).

  3. It was only 15 years ago or so by future+assassin · · Score: 2

    when you couldn't connect a new XP install to the internet to get updates unless you installed firewall and virus software beforehand. It was pretty cool, tested it a few times on my then 1mbit ADSL line. Install XP, connect to internet and within minutes you'd get infected. I can't remember the name of the virus off hand.

    --
    by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
    1. Re: It was only 15 years ago or so by Anonymous Coward · · Score: 0

      Blaster. It was shutting down your PC constantly. Same kind of exploit.

    2. Re:It was only 15 years ago or so by Anonymous Coward · · Score: 0

      Maybe it was Blaster. You'd turn on your PC and have lsass.exe crash the party within minutes.

    3. Re:It was only 15 years ago or so by someoneOtherThanMe · · Score: 1

      Blaster?

    4. Re: It was only 15 years ago or so by npetrov · · Score: 1

      There was another big one 15 years ago - NIMDA

    5. Re:It was only 15 years ago or so by AmiMoJo · · Score: 1

      It was only 13 years ago that the problem was fixed. Service Pack 2 for Windows XP enabled the firewall by default, and made it safe to connect to update.microsoft.com for initial patches.

      Of course, if you had a router with NAT based firewall you were safe anyway unless there were already infected machines on your LAN. A lot of the crapware provided by ISPs to set up and dial in your modem did enable the firewall too, and of course PC manufacturers loved to include a shovelware firewall in the base install. You actually had to try fairly hard to fall victim to worm-based infection, even in 2002.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    6. Re: It was only 15 years ago or so by Anonymous Coward · · Score: 0

      Same thing happened to me with MyDoom or whatever its name was. Got infected while downloading firewall software for a new install. Kept restarting every five minutes. I got around it :-D

    7. Re:It was only 15 years ago or so by Anonymous Coward · · Score: 0

      A lot of people got infected by Blaster, and it had nothing to do with them exposing those ports, because they wouldn't even know how to do it.

      My home router had those ports accessible and I did not touch anything; I hadn't patched, so I got one computer infected that afternoon, but it was ME not patching that got me infected. XP had no default firewall by then; any installation of XP with the ethernet cable on and the router not blocking 445 (and I believe 139 too) would get you infected. I had a CD with Windows XP and right next to it another CD with the fix. I would install XP without the ethernet cable, patch with the other CD, and finally update Windows. A lot of other people were doing the exact same thing. Then they did service1 and the firewall was on while installing, so it was no longer needed.

      Also, people with just one machine were seriously fucked, because most times they did not have the time to download the patch before the computer rebooted (there was a bug in the worm that made the computer reboot; it even had a countdown or something like that).

      If someone makes a worm like Blaster today, one where the only thing you really did wrong to catch it was not patching the system, and then the worm does the hijack thingy with your data, shit will get REAL.
      The Blaster vuln was, if I remember correctly, like 4 months old, something like that, and since then I always patch, until Microsoft decided to fuck around with Windows 10.

      So yes, Microsoft are YUGE fagliolioliolis; whether people actually patch or not, what they did with Windows 10 has contributed to this FOR SURE.

    8. Re:It was only 15 years ago or so by Anonymous Coward · · Score: 0

      > if you had a router with NAT based firewall you were safe anyway

      Yet another person who does not understand how firewalls work. If you said "a firewall that denied new connections on the WAN", then you'd be correct. "NAT based" firewalls don't necessarily deny new connections from the WAN. The fact that they seemingly "block" new incoming connections is an undefined behavior. Many routers implement NAT in such a way that an external device can punch a hole from the WAN to the LAN without a device from the LAN first contacting them.

  4. Ports 445 exposed to the internet by Okian+Warrior · · Score: 4, Informative

    You can get it either by a) exposing port 445 to the internet, or b) exposing port 445 to a computer on your local subnet that's infected.

    If you have no other computers running windows on your local net, and if your network connection doesn't allow port 445 through, you should be safe.

    ...it's a good idea to patch the system, though. Get the patch here.

    Port 445 is SMB ("samba" over in linux world), which is used to mount remote disks and printers (and some other things). There's really no need for a user to expose this port to the internet unless you want to mount a disk remotely over the internet, which is not something a user would ordinarily need.

    1. Re:Ports 445 exposed to the internet by Anonymous Coward · · Score: 0

      > There's really no need for a user to expose this port to the internet unless you want to mount a disk remotely over the internet

      There's no fucking reason to expose this port to the LAN unless you want to mount a disk remotely over the LAN. That's a more common use case than over the internet, but not like, VASTLY more common or anything. It's a stupid default, is the point.

    2. Re:Ports 445 exposed to the internet by Anonymous Coward · · Score: 0

      Even if you need to mount a remote share or drive over SMB, you do it via a tunnel to the other network. A naked 445 port has no place on a hostile internet.

    3. Re:Ports 445 exposed to the internet by nctritech · · Score: 1

      Windows 7 (and 2008 R2) patches aren't listed there, they'll be here instead.

    4. Re:Ports 445 exposed to the internet by dreamchaser · · Score: 2

      It is not a default. File sharing needs to be turned on manually.

    5. Re:Ports 445 exposed to the internet by Anonymous Coward · · Score: 0

      See you read apk's post yesterday that predates yours to make your post into a +5 biting off his ideas https://yro.slashdot.org/comments.pl?sid=10610467&cid=54416195/ apk's security guide covers Server/Workstation services, Client for Microsoft Networks, File or Printer Sharing and NetBIOS over TCP/IP that create port 445/smb solicitation listeners. He turns them off, no problem on a single system with no LAN and his guide long predates your post by more than a decade too.

    6. Re:Ports 445 exposed to the internet by Anonymous Coward · · Score: 0

      > Port 445 is SMB ("samba" over in linux world)

      Or Super Mario Bros in the Nintendo world. I don't know what the big deal is; It's clearly not as dangerous as everybody keeps saying. Well the Hammer Bros are if you don't have the flower.

  5. TFA slightly overblown by Anonymous Coward · · Score: 5, Informative

    SMB not allowed thru windows firewall by default
    Most users behind NAT/SPI
    All rational ISPs block SMB

    SMB worms are quite useful for spreading laterally within local networks after some mental giant (e.g. C-level exec) in your organization clicks the wrong email.

    Pretty much DOA elsewhere, where you're just whacking clueless outliers.

    1. Re:TFA slightly overblown by Luckyo · · Score: 2, Informative

      Pretty much this. The hysteria has been laughable. This hits the organisations with large intranets where some idiot gets infected, and functions as an initial infection source, while intranet that actually has SMB enabled to mount network disks and printers is an excellent vector. Home users overwhelmingly sitting behind their router NATs and firewalls have no exposed SMB port access for worm to propagate over.

    2. Re:TFA slightly overblown by Tetch · · Score: 4, Insightful

      > Home users overwhelmingly sitting behind their router NATs and firewalls have no exposed SMB port access for worm to propagate over

      ... although .. after we've all finally moved onto IPv6 networking, and all our home systems (not just well-run geek systems but also all Joe Public's PCs running Windows 17) are sitting on publicly routable real addresses and *not* behind NATs, the situation won't be as comfortable any more.

      http://www.networkworld.com/article/2228449/microsoft-subnet/ipv6-addressing--subnets--private-addresses.html:

      the whole concept of IPv6 is to be able to have IPv6 devices globally routable so that in the future, you want to have your IPv6 systems talk to other IPv6 systems directly without having to translate addresses

      So no NAT any more, and we have to hope that everybody's ISP-supplied "router" will contain an adequate firewall as a perimeter defence. People with home networks of Mom, Dad, Granny, Billy & Sue's PCs will be depending on their individual PCs' host firewalls having the SMB ports open in order to "share" their, er, "family vacation photos", or whatever the hell it is they share.

      --
      If you don't pray in my school, I won't think in your church.
    3. Re:TFA slightly overblown by Anonymous Coward · · Score: 0

      you still have to get past the default firewall settings which surprise surprise even with Windows 7 would already block this by default, you would have to be in an enterprise type scenario or at least a home network where you are disabling a lot of the defaults and setting up shares.

    4. Re:TFA slightly overblown by David_Hart · · Score: 1

      > Home users overwhelmingly sitting behind their router NATs and firewalls have no exposed SMB port access for worm to propagate over
      >
      > ... although .. after we've all finally moved onto IPv6 networking, and all our home systems (not just well-run geek systems but also all Joe Public's PCs running Windows 17) are sitting on publicly routable real addresses and *not* behind NATs, the situation won't be as comfortable any more.
      >
      > http://www.networkworld.com/article/2228449/microsoft-subnet/ipv6-addressing--subnets--private-addresses.html:
      >
      > the whole concept of IPv6 is to be able to have IPv6 devices globally routable so that in the future, you want to have your IPv6 systems talk to other IPv6 systems directly without having to translate addresses
      >
      > So no NAT any more, and we have to hope that everybody's ISP-supplied "router" will contain an adequate firewall as a perimeter defence. People with home networks of Mom, Dad, Granny, Billy & Sue's PCs will be depending on their individual PCs' host firewalls having the SMB ports open in order to "share" their, er, "family vacation photos", or whatever the hell it is they share.

      Exactly. Having a firewall component on the ISP router will take the place of the basic security that NAT provides (i.e. deny inbound sessions by default). Yes, Windows Firewall does have some protections. The problem with it is that if you open up file sharing internally between other home PCs and devices, it would also open it up to internet traffic.

    5. Re:TFA slightly overblown by knorthern+knight · · Score: 2, Funny

      > ... although .. after we've all finally moved onto IPv6 networking, and
      > all our home systems (not just well-run geek systems but also all Joe Public's
      > PCs running Windows 17) are sitting on publically routable real addresses and
      > *not* behind NATs, the situation won't be as comfortable any more.

      That effing stupid setup is the brainchild of some braindead internet hippies...

      1) If your ISP goes down for maintenance or a "backhoe incident", two machines at home won't be able to communicate.

      2) I may have a fast router at home, and 2 PC's, all with gigabit ethernet. But if it goes over my 7 mbit down / 1 mbit up ADSL connection, copying files over will take forever.

      3) Copying over a few hundred gigabytes of data from my old PC to a new replacement PC would destroy my monthly bandwidth quota.

      4) I do *NOT* want my ISP to know what data I have on my PCs.

      The way to go is to use link-local IPV6 addresses for all machines as per http://www.brocade.com/content... e.g. and I quote

      > To override a link-local address that is automatically computed for an
      > interface with a manually configured address, enter commands such as the following.
      >
      > device(config)#interface ethernet 3/1
      > device(config-if-e1000-3/1)#ipv6 address
      > FE80::240:D0FF:FE48:4672 link-local
      >
      > These commands explicitly configure the link-local address FE80::240:D0FF:FE48:4672 for Ethernet interface 3/1.

      And then use a hosts file to give simple aliases like "mom", "dad", "billy", or "sue" to each machine. Bonus points for a DD/WRT variant, or ip6tables ruleset on a Raspberry Pi that consolidates all the internal link-local addresses into one external IPv6 address as far as the outside world is concerned. Repeat after me... IPv6 NAT.

      --
      I'm not repeating myself
      I'm an X window user; I'm an ex-Windows user
    6. Re:TFA slightly overblown by Anonymous Coward · · Score: 1

      NAT was never actually meant to be a security feature - it was meant to overcome / limit the impact of address space exhaustion.

      While there are many individuals and even organizations that rely on it as a "security feature" - it is not one. It is not a replacement for a packet filter.

    7. Re: TFA slightly overblown by Anonymous Coward · · Score: 0

      Scanning the whole address range will take more time though

      More seriously, as ugly as it may be (because it mixes layers) NAT is unlikely to go anywhere ...

    8. Re: TFA slightly overblown by Anonymous Coward · · Score: 0

      The basic windows firewall actually asks if you're connected to an internet cafe / untrusted network and disables services like SMB.

      Additionally, many people already have IPv6 routers. You know, these people who make this stuff aren't THAT stupid. The router still blocks any port coming through as if it were NATed

    9. Re:TFA slightly overblown by AvitarX · · Score: 1

      Except nowadays it will be easier to share via the cloud than learn about firewalls and computer addresses.

      Especially with drop box, google, one drive, facebook (for photos) being established ways to share files with people.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    10. Re:TFA slightly overblown by Anonymous Coward · · Score: 0

      > after we've all finally moved onto IPv6 networking

      It will never happen that way. Internal networks will still use IPv4 and NAT only.
      IPv6 will be restricted to the perimeter.

    11. Re:TFA slightly overblown by Anonymous Coward · · Score: 0

      You seem to have no idea how routing works. None of your 4 points is true. Your subnet is your subnet. It being publicly routable and not NATed doesn't mean LAN traffic goes through your ISP. This is already deployed and working on hundreds of ISPs, it's not theory. Go read up on how IPv6 works (and IPv4 for that matter). NAT is retarded in the IPv6 world and needs to die. If you want to block incoming traffic, use a firewall, not NAT.

    12. Re:TFA slightly overblown by Anonymous Coward · · Score: 0

      People say "NAT is not a security feature" as though 99.9% or more of devices that NAT aren't also firewalls that block inbound traffic by default. Nothing in that regard will be magically changed by IPv6 - the only difference is routability of your internal address space.

    13. Re:TFA slightly overblown by Anonymous Coward · · Score: 0

      > All rational ISPs block SMB

      Fuck you, Jack. We don't need any more assholes pushing that obnoxious attitude.

      An ISP has no business blocking ANYTHING (other than excessive traffic) without an explicit request from the recipient. If the customer gets pwned, that is the customer's problem. If the infrastructure can't deal with pwned customers, that's because the ISPs and their vendors have been too lazy and stupid to be bothered to do anything smarter than port blocking.

    14. Re:TFA slightly overblown by tepples · · Score: 1

      > An ISP has no business blocking ANYTHING (other than excessive traffic) without an explicit request from the recipient.

      An ISP would claim that blocking "excessive traffic" includes blocking traffic meeting patterns that closely resemble those associated with propagation of malware that causes "excessive traffic".

    15. Re: TFA slightly overblown by Anonymous Coward · · Score: 0

      What the hell are you talking about?

    16. Re:TFA slightly overblown by WaffleMonster · · Score: 1

      > although .. after we've all finally moved onto IPv6 networking, and all our home systems (not just well-run geek systems but also all Joe Public's PCs running Windows 17) are sitting on publicly routable real addresses and *not* behind NATs, the situation won't be as comfortable any more.

      Nothing changes with deployment of IPv6.

      - All customer IPv6 capable routers on the market provide SPI making them more secure than existing packet mangling IPv4 NAT routers... The baseline requirement for SPI isn't going away.

      - Windows firewall works just the same over IPv6, blocking SMB by default.

      - ISPs block SMB over IPv6 the same as they do over IPv4.

      > So no NAT any more, and we have to hope that everybody's ISP-supplied "router" will contain an adequate firewall as a perimeter defence. People with home networks of Mom, Dad, Granny, Billy & Sue's PCs will be depending on their individual PCs' host firewalls having the SMB ports open in order to "share" their, er, "family vacation photos", or whatever the hell it is they share.

      The reality is the only thing that changes for end users is the ease with which connections between peers can be primed using IPv6 SPI vs IPv4 NAT.

      For example if two parties want to have a video or voice conversation or play an interactive game and both are using IPv6 behind SPIs then they need only use a common server to trivially "prime" SPI associations. From then on all data is direct communication between peers. This is because TCP/UDP port space maps cleanly 1:1 across using IPv6 SPI. With IPv4 even if there is compatible port space at all between CGN/NAT implementations it generally does not map cleanly across so you're left either giving up and routing through other servers which sucks for all concerned (server and bandwidth costs, increased latency) or crossing your fingers and firing off some kind of brute force/birthday paradox scheme to establish a viable association.

    17. Re:TFA slightly overblown by Anonymous Coward · · Score: 0

      I'm guessing you've never used Windows Firewall? Like any firewall that's actually worthy of the name, it allows more nuance than "open port" or "blocked port". It is trivial to create filters that allow access only from certain IP ranges.
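This is the answer to the concern raised a few posts up that turning on file sharing for the family LAN also opens it to the internet once the addresses are publicly routable: the scope of the rule, not NAT, is what limits who can reach the port. The block below is an added example (not this commenter's code and not from the thread) that keeps the built-in "File and Printer Sharing" inbound rules enabled but restricts them to the local subnet plus one explicitly allowed IPv6 prefix, and removes the Public profile from them so a network Windows classifies as Public never exposes SMB at all. The prefix 2001:db8:abcd:1::/64 is a constructed documentation value standing in for a real routed LAN prefix; the LocalSubnet keyword covers whatever on-link IPv4 and IPv6 prefixes the host currently has. Run elevated.

```powershell
# Added example, not from the thread: scope the inbound file-sharing rules to
# the LAN (IPv4 and IPv6) and keep them off the Public profile. Run elevated.

# LocalSubnet tracks the host's on-link prefixes on both IP versions.
# 2001:db8:abcd:1::/64 is a constructed documentation prefix used as a stand-in
# for a specific routed IPv6 LAN prefix you also want to allow.
$lanScope = @('LocalSubnet', '2001:db8:abcd:1::/64')

# The rule group Windows enables when you turn on file sharing.
$rules = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound

foreach ($r in $rules) {
    # Profile is a flags enum; its string form is e.g. "Domain, Private" or "Any".
    $profiles = "$($r.Profile)" -split ',\s*'
    if ($profiles -contains 'Any') { $profiles = @('Domain', 'Private', 'Public') }
    $keep = @($profiles | Where-Object { $_ -ne 'Public' })

    if ($keep.Count -eq 0) {
        # This rule instance existed only for the Public profile: turn it off.
        $r | Disable-NetFirewallRule
    } else {
        # Limit both the remote-address scope and the profiles the rule applies to.
        $r | Set-NetFirewallRule -RemoteAddress $lanScope -Profile $keep
    }
}

# Verify the result for the SMB rule specifically (TCP 445).
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
    Where-Object { @(($_ | Get-NetFirewallPortFilter).LocalPort) -contains '445' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            Profile       = "$($_.Profile)"
            RemoteAddress = (@(($_ | Get-NetFirewallAddressFilter).RemoteAddress) -join ', ')
        }
    } | Format-Table -AutoSize
```

The same -RemoteAddress scoping works whether the machine sits behind an IPv4 NAT or holds a globally routable IPv6 address, which is the point being made in this reply: the host firewall carries the restriction, so the loss of NAT on IPv6 does not by itself expose the share.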

    18. Re: TFA slightly overblown by Brockmire · · Score: 1

      Were you born yesterday? That is some real junior stupidity. Or just inexperienced. It is the ISP's responsibility to prevent shares from being accessed by my neighbour and vice versa. This was settled 20 years ago.

    19. Re:TFA slightly overblown by Anonymous Coward · · Score: 0

      NAT was not meant to be a security feature, but it is: it inhibits an external process to directly contact an internal machine.

      Packet filtering is a different area, a parallel defence.

  6. See? by Anonymous Coward · · Score: 1

    > 3 Bitcoin wallets to handle payments, instead of one per infected user, as most top-shelf ransomware does. This makes it difficult to tell which victims paid and who didn't, as anyone could claim "x" transaction is theirs, even if they didn't pay.

    It's bad customer service. The finest, bestest, top-self ransomware have good customer service. After paying, rate them low because of it.

    1. Re:See? by gnasher719 · · Score: 4, Insightful

      Actually, if they have only three wallets and therefore cannot know who has paid and who hasn't paid, that means clearly that they are not going to unlock anything, no matter whether someone pays a ransom or not.

      I suggest a million dollar reward to find the bastards, and then send the SAS around.

    2. Re:See? by Anonymous Coward · · Score: 0

      > I suggest a million dollar reward to find the bastards, and then send the SAS around.

      Mel Gibson, is that you?

  7. pr0n? by Hognoxious · · Score: 0

    > While the SMB worm is top-shelf code

    It's full of porn and adverts for premium rate phone lines?

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  8. Did (s)he really talk like that? by Anonymous Coward · · Score: 0

    Did the researcher really say "utter [expletive]"? Square brackets and all?

    (Yah, NSA guy here, desperately trying to derail the discussion)

    1. Re:Did (s)he really talk like that? by Anonymous Coward · · Score: 1

      Must've been Linus.

    2. Re: Did (s)he really talk like that? by Brockmire · · Score: 1

      Have you met ANY developer, ever?

  9. The solution by Anonymous Coward · · Score: 0

    1. Open command prompt
    2. net stop browser
    3. net stop server
    4. Connect to internet, install updates and whatever you like. problem solved.
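The four steps above, as an added example (not the commenter's own script and not from the thread) that also verifies the outcome: it stops and disables the Computer Browser ("Browser") and Server ("LanmanServer") services, which are what `net stop browser` and `net stop server` act on, confirms that nothing is left listening on TCP 139/445, and then checks whether the fix is installed. The KB number is a placeholder to be replaced with the one from Microsoft's bulletin for the OS in question; the page does not give it and none is invented here. Run elevated.

```powershell
# Added example, not from the thread: the "net stop browser / net stop server"
# workaround as a script that verifies its own result. Run elevated.
# Browser = Computer Browser service; LanmanServer = Server service (TCP 445).

# 1. Stop and disable both services so they stay off across reboots.
#    Computer Browser depends on Server, so it is handled first. On recent
#    Windows 10 builds the Browser service may not exist; that is fine.
foreach ($svc in @('Browser', 'LanmanServer')) {
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $svc -StartupType Disabled
    }
}

# 2. Confirm no SMB/NetBIOS listener remains (the point of the workaround).
$listen = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { @(139, 445) -contains $_.LocalPort }
if ($listen) {
    $listen | Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize
    Write-Warning 'A listener on TCP 139/445 is still present.'
} else {
    Write-Host 'No listener on TCP 139/445.'
}

# 3. Stopping the service is a stopgap; the fix is the patch. Replace the
#    placeholder with the KB number from Microsoft's bulletin for this OS.
$kb = 'KB<number-from-bulletin>'   # placeholder, not a real identifier
if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) {
    Write-Host "$kb is installed."
} else {
    Write-Warning "$kb not found; install it before re-enabling the Server service."
}
```

Disabling the Server service also removes the machine's own shares and administrative shares, so this is a workaround for a single PC with no LAN sharing, as the post implies, rather than something to push to a file server.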

  10. IPv6 : *firewall* by DrYak · · Score: 2

    > ... although .. after we've all finally moved onto IPv6 networking, and all our home systems (not just well-run geek systems but also all Joe Public's PCs running Windows 17) are sitting on publicly routable real addresses and *not* behind NATs, the situation won't be as comfortable any more.

    For the record, the reason why PCs are currently secure under IPv4 is because of the router functionality inside the xDSL modem.
    The modem runs some sort of firewall - i.e.: packets are inspected and filtered.
    The fact that the addresses are masqueraded from/translated to non-routable local IP ranges is just icing on the cake.
    The core of the cake is that the router *does filter*...

    It would work just as well if publicly addressable addresses were used behind the router.
    (NAT just makes the router function mandatory, because you could not achieve the same simply with a network hub/switch and a dumb-modem).

    > So no NAT any more, and we have to hope that everybody's ISP-supplied "router" will contain an adequate firewall as a perimeter defence.

    Again, NAT isn't necessary per se. You don't need to remap all the addresses into some fdxx:: prefix to make the network secure. What you need is actually DOING filtering, even if the in-network IPv6 addresses are publicly routable.

    And in practice that's exactly what I'm seeing in all local ISP IPv6 deployments: their standard modem is a modem/router combo. It has filtering capabilities.
    By default, there's no inbound access. It *happens* that they also do NAT on IPv4 because they only get a single IP.
    But it's mainly functioning as a firewall, on both IPv4 and IPv6.

    In 2017, nobody sane is using dumb-modems+switches, so stop agitating this IPv6 strawman.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:IPv6 : *firewall* by ceoyoyo · · Score: 1

      NAT routers don't filter.* Any incoming traffic is addressed to the router. If you happen to have instructed the router to pass particular types of traffic to a specific machine, it does this. Otherwise it responds, or doesn't, to traffic addressed to it, just like any other machine would.

      * some also filter, but that's not really part of NAT

  11. Break into song by Anonymous Coward · · Score: 0

    Oooh... oo oh, you're in the (bot) army now!

  12. Cannot Reproduce Claim by Anonymous Coward · · Score: 1

    I put a Windows 7 PC directly on the Internet last night after reading this story and it still has not been infected.

    So, this morning, I replicated 16 Windows 7 VMs and placed them all on the Internet, and not one of them has been infected in the 3 or so hours they have been connected.

    I call this claim bullshit.

    1. Re:Cannot Reproduce Claim by Anonymous Coward · · Score: 0

      You know, I have been trying to get infected all morning on a VM and I also have been unsuccessful. I even made sure I didn't have the security patches, and disabled all security features and the firewall, and still... crickets.

      I think this is probably being overblown by TPTB to justify some new cybersecurity bill they're cooking up in Congress... will probably require government monitoring of our PCs to make sure we have all security updates, you know, for our own protection.

    2. Re: Cannot Reproduce Claim by Anonymous Coward · · Score: 0

      Probably not in Congress. The greatest impacts have been in places that don't have Congress. Given the things May has been suggesting, I'd expect them to be the ones who capitalize on this the most. For the most part, the US just sighed and watched a baseball game or a car race.

      Though, I guess you could be right and they could be still trying to drive hype.

    3. Re: Cannot Reproduce Claim by Brockmire · · Score: 1

      16+ public IPV4 addresses just for testing? Nice.

  13. Another great reason by Anonymous Coward · · Score: 0

    To not use Windows in the first place, or to sandbox it with virtualization. This is nothing new: ANY Windows computer will get infected sooner or later by something by simple virtue of being networked, this has been the case for decades. What, you thought that all left with Ballmer? :P

  14. How the fuck do I safely update Windows? by ShamblerBishop · · Score: 1

    I'm a sitting duck here, running a Windows 7 install that hasn't been updated in ages, on a LAN that I can reasonably assume will eventually be infected - how do I update Windows 7 safely, without risking an install of Microsoft's latest malware (Windows 10), or other privacy invading updates from Microsoft? Is there any safe way for me to install only necessary updates, without all of the above shite installing as well?

    1. Re:How the fuck do I safely update Windows? by Anonymous Coward · · Score: 0
    2. Re:How the fuck do I safely update Windows? by e432776 · · Score: 1

      you can try this: http://download.wsusoffline.ne... it's worked for me before. Good luck!

    3. Re:How the fuck do I safely update Windows? by Anonymous Coward · · Score: 0

      March security rollup:
      http://www.catalog.update.microsoft.com/search.aspx?q=4012215

  15. Not mine (no SMB/port 445 solicitors) by Anonymous Coward · · Score: 0

    See subject: Wana can't get to a setup w/ no SMB/port 445 access secured via CIS Tool (highly esteemed & took fixes from "yours truly" too) & does only SMB2 or better + I don't run Server or Workstation services OR Client for Microsoft Networks (any AD stuff too), File or Printer Sharing OR NetBIOS over TCP/IP soliciting connections (wastes for me - no home LAN/network) which automatically protects me right there 2 ways:

    1.) Nothing to get a 'handle' on to connect to via a port 445 listener in the 1st place & EVEN IF it did?

    2.) I am SMB2++ secured.

    * FOR SINGLE SYSTEMS NOT ON A NETWORK @ HOME (no LAN)? It works.

    "I AM LEGEND" immune here.

    APK

    P.S.=> It's ALL here how to do it FROM 11++ yrs. ago too no less "A look @ the future - & the FUTURE was THEN" + got me paid too, will wonders NEVER cease https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&btnG=Google+Search&gbv=1/ ... apk

  16. Top Shelf Code by Anonymous Coward · · Score: 0

    I do fancy myself a bit of this 'top shelf code', it sounds positively dirty - can I get it in moist :)

    The best code for malware is code that when disassembled sends the researcher (copyright violator) mad. That is how I would judge the validity of malware code, they got an expletive, so part of the way there.

    Perhaps crackers will start to include copyright notices, and licenses of use with their malware.

    1. Re:Top Shelf Code by tepples · · Score: 1

      The best code for malware is code that when disassembled sends the researcher (copyright violator) mad.

      What copyright violator? Intermediate copies created in the course of reverse engineering to discover a computer program's method of operation are not infringing. Sega Enterprises Ltd. v. Accolade, Inc., 977 F.2d 1510 (9th Cir. 1992).

      The U.S. DMCA has explicit exceptions for law enforcement and security testing. Title 17, United States Code, section 1201, subsections (e) and (j).

  17. You mean to write that WINDOWS PCs will... by chaoskitty · · Score: 1

    PCs are personal computers. There are plenty of PCs which don't run Windows. The original article doesn't have this glaring mistake, and a Slashdot poster should know better.

  18. No shit? by ilsaloving · · Score: 1

    At this point, anyone who connects a PC directly to the internet is begging to be hacked. This has been shockingly bad practise for literally *decades* now, and people absolutely should know better. This isn't even a Windows-specific thing, even though Windows machines are overwhelmingly affected.

    Important things about the internet today:
    -Keep your machine behind a router
    -Don't open attachments that you weren't expecting, especially if it's from someone you don't recognize.
    -Don't share your passwords with anyone.

    The internet has been a dangerous wild west for a long time now, and people have no choice but to learn basic safety precautions. It's no less critical than "look both ways before crossing the street" or "use a condom". This is just how it is now.

    Ilsa

    1. Re:No shit? by rahvin112 · · Score: 1

      I have all kinds of direct internet connected PC's, they are not running windows and have adequate software firewall's running that protect them. I'm neither begging to be hacked nor doing anything stupid. I would be foolish to make blanket assumptions about things you have no experience with, your windows experience does not translate to my FreeBSD and Linux machines.

    2. Re:No shit? by ilsaloving · · Score: 1

      Wow, that's a lovely bunch of assumptions you're making.

      If you honestly think that people aren't trying to hack you... if you think that Linux and FreeBSD are completely perfect and exploit free... then you are as inexperienced and foolish as you're accusing me of being, so maybe you should learn a little humility, hmmm?

      Security isn't an on-off/yes-no concept. Security has nothing to do with what operating system you use. Security is a *mindset*. Best practice security means using several defences in conjunction, so that should one fail, your systems aren't instantly exposed. The only question that remains is "how much is enough?" and that all depends on risk assessment and mitigation.

      Even if there's no easily accessible exploits, all it takes is for you to make one single mistake with your firewall or some other config and you're now ripe for the picking. You're probably saying to yourself, "I would never do something that stupid." And yeah, that's very easy to say.... right up until it actually happens. It's not a failure in your skills... It's simply a fact of life that shit happens for countless reasons.

      Oh, and FYI, I'm an IT Manager and sysadmin, managing large fleets of servers that use everything from Mac, Windows, various flavours of linux, freebsd, XenServer, VMWare ESXi, etc etc. If you were under me and I found out you were needlessly risking servers by dumping them onto the open net without at *least* having a cisco or other flavour of hardware firewall in front of them, I'd fire your ass so fast you would have no idea how you ended up head over teakettle on the curb.

    3. Re:No shit? by Anonymous Coward · · Score: 0

      Your appeal-to-authority argument renders the remainder of your argument irrelevant.

    4. Re:No shit? by ilsaloving · · Score: 1

      Does it now? Then I guess you'll have no difficulty finding someone to refute what I said.

      After all, the Appeal to Authority fallacy only means that you should not assume what I said is true just because I claim authority. It says nothing about the validity of the argument itself.

      So please, if I'm wrong, correct me. Having correct information is critical when managing infrastructure, and I want to do the best job I can.

      If, on the other hand, your *only* argument is "You made a logical fallacy so therefore you are wrong", then you yourself are making a logical fallacy and we have nothing further to discuss.

    5. Re:No shit? by chaoskitty · · Score: 1

      You know, you're not contributing to the discussion by trying to assert that Windows and any other OS are equivalent. Microsoft is the outlier. Mac OS X, the BSDs, and most GNU/Linuxes (I say most because many distros are sprinting towards being as Windows-like as possible) do not launch daemons that listen on public interfaces by default, nor do BeOS (Haiku), AmigaOS, QNX or others.

      Windows comes insecure out of the box, and that's without turning on any services. Updates are painful and confusing. Do you know which patch fixes this issue just by looking at Microsoft's Windows Update list of updates? Didn't think so.

      If you were my boss and insisted without discussion that putting a BSD machine on a public IP without a firewall was insecure, I'd insist that you'd be taken out of your position because you don't understand security at all.

    6. Re:No shit? by ilsaloving · · Score: 1

      If you think I don't understand security, then you obviously didn't read my post, nor do *you* understand security.

      Yes, Windows is far more problematic than Mac, which is more problematic than Linux, than BSD, etc etc blah blah blah. That is well known and not even a matter for discussion. The horse is so dead that it's already decomposed. Would you stop flogging it already?

      That does NOT mean that *BSD is completely impervious. It just means that they've done a better job keeping their default attack surface down, and people haven't cared enough to seriously try to exploit it. It also does not mean that the software running ON the operating system doesn't have a hole waiting to be exploited. It ALSO does not mean that the person administering the box won't accidentally fatfinger something and leave a gaping hole purely by accident.

      Quite plainly, choosing your favourite operating system is not the start and finish of security. Just because that concept hurts your misplaced pride, doesn't make it less true.

      I mean, holy fucking christ, how hard is it for people like you to understand that *shit* *happens*? It does. We do not live in a perfect world. An administrator may be called upon to make a configuration change when they happened to not have a good night's sleep, and then accidentally make a mistake without realizing it.

      There are freaking encyclopedias worth of best practices available, free for the reading (eg: NIST) that detail all the various things one should do to help improve security of their infrastructure.

      But people like you think you know everything, and know better than everybody else, and that's why infosec in general is going down the toilet around the world, because people like you and that other guy would rather sit in your little Dunning-Kruger cave with your fingers in your ears.

  19. NAT filtering by DrYak · · Score: 1

    NAT routers don't filter.* Any incoming traffic
    * some also filter, but that's not really part of NAT

    (Note: I was using "filter" in a very liberal way. Basically: they don't just pass blindly ethernet packets around as a hub/switch would.
    Technically, yes, NAT routers don't pay as much attention to the source IP as they pay to the destination port, so the applied rules are a bit unusual).

    But most modems with NAT I've seen have their router set to drop most of their inbound connections, unless addressed to a port that was white-listed:
    - ...manually by the modem web interface (forward port "6992" to the machine running bittorrent)
    - ...asked for by a machine over UPnP (skype running on a laptop asks the router to have a port forwarded to the laptop)
    - ...answering the port of an out-bound UDP request (so either a live video chat, or as part of a STUN firewall hole punching instead of classic UPnP)
    - ...as part of an out-going TCP request (the answer to an HTTP request)
    - ...as requested by a special protocol (as part of the in-bound TCP data channel in an FTP session, as specified in the port command)

    Such modems systematically check any incoming packet for the destination port, and will block or forward it depending on the destination port.
    (= so they look pretty close to the filtering work done by a classic firewall, except for the "not having to care about the destination IP" part)
    and in addition will remap the IP addresses (that's the extra part that NAT adds on top of a regular firewall).

    But again, the security brought by modern modems comes from the fact that they decide to drop or allow inbound traffic based on rules.
    The IP remapping is additional mumbo-jumbo necessary to circumvent the limited amount of public IPs.

    TL;DR: it's secure because of the modem's embedded Linux iptables. The fact that you can use a private IP range is just a bonus.

    Otherwise it responds, or doesn't, to traffic addressed to it, just like any other machine would.

    I haven't seen a modern modem that responds to traffic itself by default.
    All I've seen have: drop or forward rules (some forward rules built on the fly, others manually set as mentioned above).
    It usually takes special settings to actually have the router itself respond to external traffic (usually to allow the ISP to administer it).

    Or in other words: all the inbound traffic gets into the modem's embedded Linux iptables ruleset, from that point onward it's either sent to another machine or dropped, but under normal circumstances (i.e.: default settings) it never reaches the embedded Linux network socket layer.
    (The only exceptions are stuff like DHCPv4, RA for IPv6 and, much more seldom, telnet.)

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:NAT filtering by ceoyoyo · · Score: 1

      I guess you can look at it that way. Really what happens is that a NAT router drops any packet that it can't figure out a destination for. It's kind of like the post office... they don't deliver mail for which they can't figure out the destination address.

      It seems like a pedantic point, but it becomes important when you talk about IPv6. Computers behind NAT are protected because they don't actually exist on the Internet. They can only be reached via special tricks, and those tricks have to be implemented for the thing to work.

      On the other hand, a device with an IPv6 address DOES exist on the internet. Unfortunately, protecting the IPv6 devices isn't as simple as just building routers that use the same filter as NAT routers do, because NAT routers don't use a filter. You could build an IPv6 router that imitates what a NAT router does, but you'd have to specifically include a stateful packet inspection system to do so (and you'd break everybody's fancy IoT devices). Want to bet most manufacturers don't bother?

  20. Most modem run Linux by DrYak · · Score: 1

    Really what happens is that a NAT router drops any packet that it can't figure out a destination for.

    Nope.
    They drop any packet, because that's the default rule in the iptables (sidenote: anyone with a modern modem that uses netfilter?)
    loaded into the Linux kernel that runs on the MIPS (most likely) inside your modem/router.
    The rest are exceptions.
    On a NAT router the rules will be in the form 'if destination port is "6992", then replace destination ip with "192.168.2.13" and keep the packet'.
    On a regular IPv6 router the rules will be in the form 'if destination IP is ":81a6:3d0f:5025:9243:5660" and destination port is "6692" then keep the packet'.
    But the rest, on any sane modem implementation, doesn't even leave the iptables rules.

    It's kind of like the post office... they don't deliver mail for which they can't figure out the destination address.

    Nope.
    To keep the metaphor:
    - security works because you have a post-office to begin with (filtering capabilities, thanks to iptables).
    - the default for that post-office is to burn with a flamethrower anything that doesn't match known names and/or street numbers.
    - the question of whether the destination address exists or not will never come, because most of the mail will have already been burnt beforehand, on the grounds of not being on the list of allowed names or allowed street numbers. They never reach the postman's backpack / they're never scheduled for delivery.

    It seems like a pedantic point, but it becomes important when you talk about IPv6. Computers behind NAT are protected because they don't actually exist on the Internet.

    Nope.
    They are protected because the metaphorical post office is trained to burn mail by default. Any sane router drops incoming traffic by default.
    Even if they had public addresses, that could be reached from anywhere on the internet, they would be still protected because the default rule is to drop any packet that didn't get authorised by another rule.
    The fact that the address needs to be rewritten is just icing on the cake.

    They can only be reached via special tricks, and those tricks have to be implemented for the thing to work.

    Those "special tricks" are just "yet another entry in the iptables".
    In the very special sub-case of IPv4 behind a NAT, it happens that the rule also needs to rewrite the destination address. But that's about it.
    Aside from that small detail, everything is the same, including with IPv4 and public addresses. Including IPv6 and public addresses.
    You could even imagine including IPv6 and private addresses, but it's not worth the hassle.

    On the other hand, a device with an IPv6 address DOES exist on the internet.

    Again : so what ?
    The question of whether the IP is publicly addressable or not is completely perpendicular to the question of whether the current ruleset will allow the packet through, or not.
    (by default : it's not)

    Unfortunately, protecting the IPv6 devices isn't as simple as just building routers that use the same filter as NAT routers do,

    Yes, it is, as proven by nearly any modern sane router (random example: AVM's Fritz routers).

    because NAT routers don't use a filter.

    Wha.... ?
    Here's an incredible surprise for you : nearly every modern modem/router runs a Linux kernel.
    iptables is a default feature of the Linux kernel.
    iptables is necessarily present in modem/routers.
    iptables IS USED because you need it to put the default "masquerade out-going traffic" rule.
    iptables IS USED because you need it to put additional port-forwarding rules.

    You could build an IPv6 router that imitates what a NAT router does,

    Manufacturer DO ALREADY build IPv6 routers that do what NAT router do and drop by default anything incoming, exce

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
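    The ruleset the two threads above argue about (policy DROP, conntrack letting replies to outbound flows back in, a DNAT port-forward on the IPv4 NAT router, a plain ACCEPT for a publicly addressed IPv6 host) as a toy Python model. This is an added example, not code from any commenter, from the Linux netfilter project or from any router firmware. The internal host 192.168.2.13 and port 6992 come from the comment above; 203.0.113.7, 198.51.100.x and the 2001:db8:: addresses are constructed documentation-range values; masquerading is simplified by keeping the source port unchanged. The point it demonstrates is that the same default-drop logic decides both cases and only the NAT router additionally rewrites the destination.

```python
"""Toy default-drop filter modelling a home router's inbound ruleset.

Added illustration: not real netfilter code. It shows that an IPv4 NAT
router and a plain IPv6 router share one filtering decision (drop unless an
exception matches); NAT merely adds an address rewrite to the exception.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str     # source IP
    sport: int   # source port
    dst: str     # destination IP
    dport: int   # destination port


# conntrack key as seen from the outside: (remote ip, remote port, our ip, our port)
Flow = Tuple[str, int, str, int]


class DefaultDropFilter:
    """Policy DROP; packets pass only through explicit exceptions."""

    def __init__(self, public_ip: Optional[str] = None):
        self.public_ip = public_ip               # set => IPv4 NAT, None => routed public addresses
        self.port_forward: Dict[int, str] = {}   # dport -> internal host (DNAT exception)
        self.allow: Set[Tuple[str, int]] = set() # (dst, dport) accepted unchanged (IPv6 / public IPv4)
        self.established: Dict[Flow, str] = {}   # conntrack: outbound flow -> original inside source

    def add_port_forward(self, dport: int, internal_host: str) -> None:
        self.port_forward[dport] = internal_host

    def add_allow(self, dst: str, dport: int) -> None:
        self.allow.add((dst, dport))

    def outbound(self, pkt: Packet) -> Packet:
        """Inside host sends a packet out; record the flow (conntrack NEW).

        With NAT the source is masqueraded to the router's public IP;
        the source port is kept unchanged here as a simplification.
        """
        wire = pkt if self.public_ip is None else replace(pkt, src=self.public_ip)
        self.established[(wire.dst, wire.dport, wire.src, wire.sport)] = pkt.src
        return wire

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as delivered inside, or None if the policy dropped it."""
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if flow in self.established:              # reply to an outbound flow (ESTABLISHED)
            return replace(pkt, dst=self.established[flow])
        if (pkt.dst, pkt.dport) in self.allow:    # static ACCEPT rule, no rewrite needed
            return pkt
        if (self.public_ip is not None and pkt.dst == self.public_ip
                and pkt.dport in self.port_forward):
            # DNAT: rewrite destination to the inside host, then accept
            return replace(pkt, dst=self.port_forward[pkt.dport])
        return None                               # policy DROP: everything else


def demo() -> Dict[str, Optional[Packet]]:
    """Run the same probes against a NAT router and an IPv6 router (constructed traffic)."""
    results: Dict[str, Optional[Packet]] = {}

    # IPv4 behind NAT: 'if dport is 6992, rewrite dst to 192.168.2.13 and keep the packet'
    nat = DefaultDropFilter(public_ip="203.0.113.7")
    nat.add_port_forward(6992, "192.168.2.13")
    results["nat_forwarded"] = nat.inbound(Packet("198.51.100.9", 51000, "203.0.113.7", 6992))
    results["nat_smb_dropped"] = nat.inbound(Packet("198.51.100.9", 51001, "203.0.113.7", 445))
    nat.outbound(Packet("192.168.2.13", 40000, "198.51.100.20", 80))   # inside host makes an HTTP request
    results["nat_reply"] = nat.inbound(Packet("198.51.100.20", 80, "203.0.113.7", 40000))

    # IPv6: public address on the host, no rewrite, identical default-drop policy
    v6 = DefaultDropFilter()
    host = "2001:db8:1::13"
    v6.add_allow(host, 6992)
    results["v6_allowed"] = v6.inbound(Packet("2001:db8:ffff::1", 51000, host, 6992))
    results["v6_smb_dropped"] = v6.inbound(Packet("2001:db8:ffff::1", 51001, host, 445))
    results["v6_other_host_dropped"] = v6.inbound(Packet("2001:db8:ffff::1", 51002, "2001:db8:1::14", 6992))
    v6.outbound(Packet(host, 40000, "2001:db8:ffff::20", 80))
    results["v6_reply"] = v6.inbound(Packet("2001:db8:ffff::20", 80, host, 40000))
    return results


if __name__ == "__main__":
    for name, delivered in demo().items():
        print(f"{name:24s} -> {'DROP' if delivered is None else delivered}")
```

    An unsolicited packet to port 445 is dropped by both routers, a port-forward and a static allow both let exactly one (host, port) pair through, and a reply to an outbound request is accepted by conntrack in both cases; the only difference between the two objects is whether the accepted packet's destination gets rewritten on the way in.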
  21. Progress by McFortner · · Score: 1

    F.U.D. (fear, uncertainty, doubt) isn't just for IBM anymore.

    --
    Beware of Sales Reps bearing gifts.