Slashdot Mirror


PCs Connected To the Internet Will Get Infected With WanaDecrypt0r In Minutes (bleepingcomputer.com)

An anonymous reader writes: "The Wana Decrypt0r ransomware -- also known as WCry, WannaCry, WannaCrypt, and WanaCrypt0r -- infected a honeypot server made to look like a vulnerable Windows computer six times in the span of 90 minutes, according to an experiment carried out by a French security researcher that goes online by the name of Benkow," reports BleepingComputer. "During one of those infections, Wana Decrypt0r infected the honeypot in a mere three minutes after it was reset, showing the aggressive nature of the ransomware's scanning module, which helps it spread to new victims... Three minutes is about the same amount of time IoT malware will infect a vulnerable home router left connected to the Internet without patches."

The article also highlights the fact that the group behind this threat is possibly made of inexperienced coders, who just stumbled upon a way to weaponize an NSA exploit. Their three previous WanaDecrypt0r campaigns were mundane, and one researcher called their code "utter [expletive]." This is because WanaDecrypt0r is actually made of two main modules, the ransomware itself, and the SMB worm (based on the NSA exploit). While the SMB worm is top-shelf code, the ransomware itself is quite unsophisticated, making a lot of operational errors, including using only 3 Bitcoin wallets to handle payments, instead of one per infected user, as most top-shelf ransomware does. This makes it difficult to tell which victims paid and who didn't, as anyone could claim "x" transaction is theirs, even if they didn't pay.


  1. How does it work? by Caesar+Tjalbo · · Score: 1

    How does it work? I've installed Windows 7 last week, my first Windows install in more than a decade and I'm not infected yet. I've been on-line for hours!

    --
    "I'm not much interested in interoperability. I want substitutability. I want to be able to throw your software out."
    1. Re:How does it work? by The+MAZZTer · · Score: 3, Informative

      You would probably have to directly plug your PC into your ISP's connection as opposed to using a router of which any decent model should block unsolicited incoming traffic by default.

    2. Re:How does it work? by Anonymous Coward · · Score: 3, Informative

      It's been a good practice to not expose SMB ports (445, 139 etc.) to the open Internet for two decades at least, IMHO. I remember that in 1996 (if I remember correctly) I accidentally exposed an NT3.51 machine and my ISP called to warn me.

    3. Re:How does it work? by benjymouse · · Score: 2

      Since Windows Vista (maybe even XP with SP3?) Windows comes with a firewall automatically enabled.

      The firewall has multiple profiles: Work, private and public. On "public" networks it is far more strict than on a "work" network. A work network is a network with a domain controller to which the PC is domain-joined. The private network is somewhere in between.

      So if you have not explicitly commanded Windows to be "discoverable" across the Internet (a bad idea) you will not become infected.

      The worm capability is really only effective on corporate networks. First the virus needs to get inside via email, social engineering or other exploits. Once it has taken over one computer on a corporate (domain-controlled) network, it can use the SMB attack vector to spread to unpatched computers.

      Only pre-SP2 XP computers are vulnerable to infection across the Internet. And only if they are not behind some other form of firewall.

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    4. Re:How does it work? by benjymouse · · Score: 3, Informative

      You would probably have to directly plug your PC into your ISP's connection as opposed to using a router of which any decent model should block unsolicited incoming traffic by default.

      Not only that. Since it's Windows 7 he would also need to either switch off the built-in firewall or allow "sharing of resources" across "public networks". The latter will issue a number of warning dialogs before exposing the SMB port.

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
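
A check that follows from the two posts above, as an added example that is not from the thread or from the BleepingComputer article: if Windows Firewall logging of dropped packets is switched on (Windows Firewall with Advanced Security, profile properties, Logging tab; the default file is %systemroot%\system32\LogFiles\Firewall\pfirewall.log), the log records every inbound 445/139 attempt the profile dropped, which is how you confirm the default really is holding on the machine in front of you. The script below parses that W3C-style log and counts dropped inbound TCP hits on the SMB ports per source address. The log lines embedded in it are constructed for the example; the field list is read from the file's own #Fields header rather than hard-coded.

```python
"""Count dropped inbound SMB connection attempts in a Windows Firewall log.

Added example, not part of the original Slashdot thread or the BleepingComputer
article. Assumes Windows Firewall logging of dropped packets is enabled
(default file: %systemroot%\\system32\\LogFiles\\Firewall\\pfirewall.log,
W3C extended log format). SAMPLE_LOG below is constructed for the example.
"""
from collections import Counter

SMB_PORTS = {445, 139}  # TCP 445 direct-hosted SMB, TCP 139 SMB over NetBIOS

# Constructed sample: a host being probed on 445/139 while ordinary outbound
# HTTPS continues. Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-05-13 10:22:01 DROP TCP 203.0.113.5 198.51.100.20 51234 445 52 S 1234567 0 8192 - - - RECEIVE
2017-05-13 10:22:01 DROP TCP 203.0.113.5 198.51.100.20 51235 139 52 S 1234568 0 8192 - - - RECEIVE
2017-05-13 10:22:03 ALLOW TCP 198.51.100.20 93.184.216.34 49812 443 0 - 0 0 0 - - - SEND
2017-05-13 10:22:07 DROP TCP 203.0.113.77 198.51.100.20 40001 445 52 S 7654321 0 8192 - - - RECEIVE
2017-05-13 10:22:09 DROP UDP 203.0.113.5 198.51.100.20 137 137 78 - - - - - - - RECEIVE
2017-05-13 10:22:11 DROP TCP 203.0.113.5 198.51.100.20 51240 445 52 S 1234999 0 8192 - - - RECEIVE
"""


def parse_firewall_log(lines):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # take the column layout from the file itself
            continue
        if line.startswith("#"):
            continue                    # other header lines (#Version, #Software, ...)
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue                    # skip truncated or malformed lines rather than crash
        yield dict(zip(fields, values))


def dropped_smb_probes(records):
    """Return {src-ip: count} of inbound TCP packets to SMB ports that were dropped.

    Only RECEIVE-path TCP records with action DROP and a destination port in
    SMB_PORTS count; outbound traffic and other protocols are ignored.
    """
    hits = Counter()
    for r in records:
        if r["action"] != "DROP" or r["protocol"] != "TCP" or r["path"] != "RECEIVE":
            continue
        if r["dst-port"].isdigit() and int(r["dst-port"]) in SMB_PORTS:
            hits[r["src-ip"]] += 1
    return dict(hits)


def summarize(log_text):
    """Per-source counts plus a total, for a whole log file's text."""
    probes = dropped_smb_probes(parse_firewall_log(log_text.splitlines()))
    return {"sources": probes, "total": sum(probes.values())}


if __name__ == "__main__":
    import sys
    # Pass the path to pfirewall.log as the first argument; otherwise use the sample.
    text = (open(sys.argv[1], encoding="utf-8", errors="replace").read()
            if len(sys.argv) > 1 else SAMPLE_LOG)
    print(summarize(text))
```

On the constructed sample this reports 203.0.113.5 with three dropped SMB hits and 203.0.113.77 with one; the UDP 137 probe and the outbound HTTPS session are correctly left out. A non-empty result on a machine that is supposed to be on the Public profile is the expected picture; an empty result on a machine you believe is exposed is the case to dig into, since it means either nothing is probing it or the drops are not being logged.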
    5. Re:How does it work? by TWX · · Score: 1

      I like to take it a step further, I disallow all outgoing connections except to those destination ports that are legitimate Internet services that I use, and obviously unsolicited incoming traffic is dropped at the firewall. My goal is not only to try to prevent infections from being brought in to my network, but should an infection somehow end up on a node on my network, to deny it the ability to communicate with command and control servers should it try to use nonstandard ports.

      Obviously if a piece of malware is using HTTP or HTTPS to a conventional port then this won't necessarily work, but so far it seems to work well enough.

      --
      Do not look into laser with remaining eye.
    6. Re:How does it work? by roc97007 · · Score: 2

      You would probably have to directly plug your PC into your ISP's connection as opposed to using a router of which any decent model should block unsolicited incoming traffic by default.

      I was somewhat shocked to find that some ISPs just install a cable modem and plug the victim's... sorry, customer's PC directly into the raw internet. Happened to my mother-in-law. Fortunately, she was on the phone to me when he was doing the install, because she didn't fully trust him, and was giving me a running description of what he was doing. When I heard that it was a modem not a router, (she had asked about wifi and he said she'd need to buy a router for that) I yelled "Unplug it! Unplug it now!" and drove over there with a spare router and did the rest of the install myself. I mean geeze, it's like some ISPs are in collusion with the ransomware people.

      Back in the days of DSL, before cable modem or fiber were available in my area, I happily plugged my computer into the DSL modem, ran the included Verizon CD, and got pwned in the first half hour. Reformat, reinstall, try it again, and was pwned inside of 15 minutes. I thought at first that there was a virus on the CD. A little investigation led me to software firewalls... (what was it called, firedoor?) and later to hardware routers.

      But, I'm a geek. What do regular people do?

      --
      Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
  2. It was only 15 years ago or so by future+assassin · · Score: 2

    when you couldn't connect a new XP install to the internet to get updates unless you installed firewall and virus software before hand. It was pretty cool, tested it a few times on my then 1mbit ADSL line. Install XP, connect to internet and within minutes you'd get infected. I can't remember the name of the virus off hand.

    --
    by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
    1. Re:It was only 15 years ago or so by someoneOtherThanMe · · Score: 1

      Blaster?

    2. Re: It was only 15 years ago or so by npetrov · · Score: 1

      There was another big one 15 years ago - NIMDA

    3. Re:It was only 15 years ago or so by AmiMoJo · · Score: 1

      It was only 13 years ago that the problem was fixed. Service Pack 2 for Windows XP enabled the firewall by default, and made it safe to connect to update.microsoft.com for initial patches.

      Of course, if you had a router with NAT based firewall you were safe anyway unless there were already infected machines on your LAN. A lot of the crapware provided by ISPs to set up and dial in your modem did enable the firewall too, and of course PC manufacturers loved to include a shovelware firewall in the base install. You actually had to try fairly hard to fall victim to worm-based infection, even in 2002.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  3. Ports 445 exposed to the internet by Okian+Warrior · · Score: 4, Informative

    You can get it either by a) exposing port 445 to the internet, or b) exposing port 445 to a computer on your local subnet that's infected.

    If you have no other computers running windows on your local net, and if your network connection doesn't allow port 445 through, you should be safe.

    ...it's a good idea to patch the system, though. Get the patch here.

    Port 445 is SMB ("samba" over in linux world), which is used to mount remote disks and printers (and some other things). There's really no need for a user to expose this port to the internet unless you want to mount a disk remotely over the internet, which is not something a user would ordinarily need.

    1. Re:Ports 445 exposed to the internet by nctritech · · Score: 1

      Windows 7 (and 2008 R2) patches aren't listed there, they'll be here instead.

    2. Re:Ports 445 exposed to the internet by dreamchaser · · Score: 2

      It is not a default. File sharing needs to be turned on manually.

  4. TFA slightly overblown by Anonymous Coward · · Score: 5, Informative

    SMB not allowed thru windows firewall by default
    Most users behind NAT/SPI
    All rational ISPs block SMB

    SMB worms are quite useful for spreading laterally within local networks after some mental giant (e.g. C-level exec) in your organization clicks the wrong email.

    Pretty much DOA elsewhere, where you're just whacking clueless outliers.

    1. Re:TFA slightly overblown by Luckyo · · Score: 2, Informative

      Pretty much this. The hysteria has been laughable. This hits the organisations with large intranets where some idiot gets infected and functions as an initial infection source, while an intranet that actually has SMB enabled to mount network disks and printers is an excellent vector. Home users, overwhelmingly sitting behind their router NATs and firewalls, have no exposed SMB port access for the worm to propagate over.

    2. Re:TFA slightly overblown by Tetch · · Score: 4, Insightful

      Home users overwhelmingly sitting behind their router NATs and firewalls have no exposed SMB port access for the worm to propagate over

      ... although .. after we've all finally moved onto IPv6 networking, and all our home systems (not just well-run geek systems but also all Joe Public's PCs running Windows 17) are sitting on publicly routable real addresses and *not* behind NATs, the situation won't be as comfortable any more.

      http://www.networkworld.com/article/2228449/microsoft-subnet/ipv6-addressing--subnets--private-addresses.html:

      the whole concept of IPv6 is to be able to have IPv6 devices globally routable so that in the future, you want to have your IPv6 systems talk to other IPv6 systems directly without having to translate addresses

      So no NAT any more, and we have to hope that everybody's ISP-supplied "router" will contain an adequate firewall as a perimeter defence. People with home networks of Mom, Dad, Granny, Billy & Sue's PCs will be depending on their individual PCs' host firewalls having the SMB ports open in order to "share" their, er, "family vacation photos", or whatever the hell it is they share.

      --
      If you don't pray in my school, I won't think in your church.
    3. Re:TFA slightly overblown by David_Hart · · Score: 1

      Home users overwhelmingly sitting behind their router NATs and firewalls have no exposed SMB port access for the worm to propagate over

      ... although .. after we've all finally moved onto IPv6 networking, and all our home systems (not just well-run geek systems but also all Joe Public's PCs running Windows 17) are sitting on publicly routable real addresses and *not* behind NATs, the situation won't be as comfortable any more.

      http://www.networkworld.com/article/2228449/microsoft-subnet/ipv6-addressing--subnets--private-addresses.html:

      the whole concept of IPv6 is to be able to have IPv6 devices globally routable so that in the future, you want to have your IPv6 systems talk to other IPv6 systems directly without having to translate addresses

      So no NAT any more, and we have to hope that everybody's ISP-supplied "router" will contain an adequate firewall as a perimeter defence. People with home networks of Mom, Dad, Granny, Billy & Sue's PCs will be depending on their individual PCs' host firewalls having the SMB ports open in order to "share" their, er, "family vacation photos", or whatever the hell it is they share.

      Exactly. Having a firewall component on the ISP router will take the place of the basic security that NAT provides (i.e. deny inbound sessions by default). Yes, Windows Firewall does have some protections. The problem with it is that if you open up file sharing internally between other home PCs and devices, it would also open it up to internet traffic.

    4. Re:TFA slightly overblown by knorthern+knight · · Score: 2, Funny

      > ... although .. after we've all finally moved onto IPv6 networking, and
      > all our home systems (not just well-run geek systems but also all Joe Public's
      > PCs running Windows 17) are sitting on publicly routable real addresses and
      > *not* behind NATs, the situation won't be as comfortable any more.

      That effing stupid setup is the brainchild of some braindead internet hippies...

      1) If your ISP goes down for maintenance or a "backhoe incident", two machines at home won't be able to communicate.

      2) I may have a fast router at home, and 2 PC's, all with gigabit ethernet. But if it goes over my 7 mbit down / 1 mbit up ADSL connection, copying files over will take forever.

      3) Copying over a few hundred gigabytes of data from my old PC to a new replacement PC would destroy my monthly bandwidth quota.

      4) I do *NOT* want my ISP to know what data I have on my PCs.

      The way to go is to use link-local IPV6 addresses for all machines as per http://www.brocade.com/content... e.g. and I quote

      > To override a link-local address that is automatically computed for an
      > interface with a manually configured address, enter commands such as the following.
      >
      > device(config)#interface ethernet 3/1
      > device(config-if-e1000-3/1)#ipv6 address
      > FE80::240:D0FF:FE48:4672 link-local
      >
      > These commands explicitly configure the link-local address FE80::240:D0FF:FE48:4672 for Ethernet interface 3/1.

      And then use a hosts file to give simple aliases like "mom", "dad", "billy", or "sue" to each machine. Bonus points for a DD/WRT variant, or ip6tables ruleset on a Raspberry Pi that consolidates all the internal link-local addresses into one external IPv6 address as far as the outside world is concerned. Repeat after me... IPv6 NAT.

      --

      I'm not repeating myself
      I'm an X window user; I'm an ex-Windows user
    5. Re:TFA slightly overblown by Anonymous Coward · · Score: 1

      NAT was never actually meant to be a security feature - it was meant to overcome / limit the impact of address space exhaustion.

      While there are many individuals and even organizations that rely on it as a "security feature" - it is not one. It is not a replacement for a packet filter.

    6. Re:TFA slightly overblown by AvitarX · · Score: 1

      Except nowadays it will be easier to share via the cloud than to learn about firewalls and computer addresses.

      Especially with drop box, google, one drive, facebook (for photos) being established ways to share files with people.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    7. Re:TFA slightly overblown by tepples · · Score: 1

      An ISP has no business blocking ANYTHING (other than excessive traffic) without an explicit request from the recipient.

      An ISP would claim that blocking "excessive traffic" includes blocking traffic meeting patterns that closely resemble those associated with propagation of malware that causes "excessive traffic".

    8. Re:TFA slightly overblown by WaffleMonster · · Score: 1

      although .. after we've all finally moved onto IPv6 networking, and all our home systems (not just well-run geek systems but also all Joe Public's PCs running Windows 17) are sitting on publicly routable real addresses and *not* behind NATs, the situation won't be as comfortable any more.

      Nothing changes with deployment of IPv6.

      - All customer IPv6-capable routers on the market provide SPI, making them more secure than existing packet-mangling IPv4 NAT routers... The baseline requirement for SPI isn't going away.

      - Windows firewall works just the same over IPv6, blocking SMB by default.

      - ISPs block SMB over IPv6 the same as they do over IPv4.

      So no NAT any more, and we have to hope that everybody's ISP-supplied "router" will contain an adequate firewall as a perimeter defence. People with home networks of Mom, Dad, Granny, Billy & Sue's PCs will be depending on their individual PCs' host firewalls having the SMB ports open in order to "share" their, er, "family vacation photos", or whatever the hell it is they share.

      The reality is the only thing that changes for end users is the ease with which connections between peers can be primed using IPv6 SPI vs IPv4 NAT.

      For example if two parties want to have a video or voice conversation or play an interactive game and both are using IPv6 behind SPIs then they need only use a common server to trivially "prime" SPI associations. From then on all data is direct communication between peers. This is because TCP/UDP port space maps cleanly 1:1 across using IPv6 SPI. With IPv4 even if there is compatible port space at all between CGN/NAT implementations it generally does not map cleanly across so you're left either giving up and routing through other servers which sucks for all concerned (server and bandwidth costs, increased latency) or crossing your fingers and firing off some kind of brute force/birthday paradox scheme to establish a viable association.

    9. Re: TFA slightly overblown by Brockmire · · Score: 1

      Were you born yesterday? That is some real junior stupidity. Or just inexperienced. It is the ISP's responsibility to prevent shares from being accessed by my neighbour and vice versa. This was settled 20 years ago.

  5. Re:So the question is... by Anonymous Coward · · Score: 1

    > $38K that he'll never be able to touch because every intelligence and law enforcement agency is watching those wallets

    Until the 38k goes out from Wallet A1 to Wallet B1. Meanwhile, Wallets B2....200 send 89.21% of that 38k to wallets A2....200. There's a possibility that will be pieced together, and now the initial criminal A has about 90% of what he extorted, and subsequent money laundering criminal B has accepted the risk for those more closely monitored bitcoins (presumably he believes he can fool the government permanently on this- he may even be correct, but even if he is wrong, there's still no tracing him back to criminal A).

  6. See? by Anonymous Coward · · Score: 1

    3 Bitcoin wallets to handle payments, instead of one per infected user, as most top-shelf ransomware does. This makes it difficult to tell which victims paid and who didn't, as anyone could claim "x" transaction is theirs, even if they didn't pay.

    It's bad customer service. The finest, bestest, top-shelf ransomware have good customer service. After paying, rate them low because of it.

    1. Re:See? by gnasher719 · · Score: 4, Insightful

      Actually, if they have only three wallets and therefore cannot know who has paid and who hasn't paid, that means clearly that they are not going to unlock anything, no matter whether someone pays a ransom or not.

      I suggest a million dollar reward to find the bastards, and then send the SAS around.

  7. Re:Did (s)he really talk like that? by Anonymous Coward · · Score: 1

    Must've been Linus.

  8. IPv6 : *firewall* by DrYak · · Score: 2

    ... although .. after we've all finally moved onto IPv6 networking, and all our home systems (not just well-run geek systems but also all Joe Public's PCs running Windows 17) are sitting on publicly routable real addresses and *not* behind NATs, the situation won't be as comfortable any more.

    For the record, the reason why PCs are currently secure under IPv4 is because of the router functionality inside the xDSL modem.
    The modem runs some sort of firewall - i.e.: packets are inspected and filtered.
    The fact that the addresses are masqueraded from/translated to non-routable local IP ranges is just icing on the cake.
    The core of the cake is that the router *does filter*...

    It would work just as well if publicly addressable addresses were used behind the router.
    (NAT just makes the router function mandatory, because you could not achieve the same simply with a network hub/switch and a dumb modem).

    So no NAT any more, and we have to hope that everybody's ISP-supplied "router" will contain an adequate firewall as a perimeter defence.

    Again, NAT isn't necessary per se. You don't need to remap all the addresses into some fdxx:: prefix to make the network secure. What you need is actually DOING filtering, even if the in-network IPv6 addresses are publicly routable.

    And in practice that's exactly what I'm seeing in all local ISP IPv6 deployments: their standard modem is a modem/router combo. It has filtering capabilities.
    By default, there's no inbound access. It *happens* that they also do NAT on IPv4 because they only get a single IP.
    But it's mainly functioning as a firewall, on both IPv4 and IPv6.

    In 2017, nobody sane is using dumb-modems+switches, so stop agitating this IPv6 strawman.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:IPv6 : *firewall* by ceoyoyo · · Score: 1

      NAT routers don't filter.* Any incoming traffic
      is addressed to the router. If you happen to have instructed the router to pass particular types of traffic to a specific machine, it does this. Otherwise it responds, or doesn't, to traffic addressed to it, just like any other machine would.

      * some also filter, but that's not really part of NAT

  9. Cannot Reproduce Claim by Anonymous Coward · · Score: 1

    I put a Windows 7 PC directly on the Internet last night after reading this story and it still has not been infected.

    So, this morning, I replicated 16 Windows 7 VMs and placed them all on the Internet, and not one of them has been infected in the 3 or so hours they have been connected.

    I call this claim bullshit.

    1. Re: Cannot Reproduce Claim by Brockmire · · Score: 1

      16+ public IPV4 addresses just for testing? Nice.

  10. How the fuck do I safely update Windows? by ShamblerBishop · · Score: 1

    I'm a sitting duck here, running a Windows 7 install that hasn't been updated in ages, on a LAN that I can reasonably assume will eventually be infected - how do I update Windows 7 safely, without risking an install of Microsoft's latest malware (Windows 10), or other privacy invading updates from Microsoft? Is there any safe way for me to install only necessary updates, without all of the above shite installing as well?

    1. Re:How the fuck do I safely update Windows? by e432776 · · Score: 1

      you can try this: http://download.wsusoffline.ne... it's worked for me before. Good luck!

  11. Re:Top Shelf Code by tepples · · Score: 1

    The best code for malware is code that when disassembled sends the researcher (copyright violator) mad.

    What copyright violator? Intermediate copies created in the course of reverse engineering to discover a computer program's method of operation are not infringing. Sega Enterprises Ltd. v. Accolade, Inc., 977 F.2d 1510 (9th Cir. 1992).

    The U.S. DMCA has explicit exceptions for law enforcement and security testing. Title 17, United States Code, section 1201, subsections (e) and (j).

  12. You mean to write that WINDOWS PCs will... by chaoskitty · · Score: 1

    PCs are personal computers. There are plenty of PCs which don't run Windows. The original article doesn't have this glaring mistake, and a Slashdot poster should know better.

  13. No shit? by ilsaloving · · Score: 1

    At this point, anyone who connects a PC directly to the internet is begging to be hacked. This has been shockingly bad practise for literally *decades* now, and people absolutely should know better. This isn't even a Windows-specific thing, even though Windows machines are overwhelmingly affected.

    Important things about the internet today:
    -Keep your machine behind a router
    -Don't open attachments that you weren't expecting, especially if it's from someone you don't recognize.
    -Don't share your passwords with anyone.

    The internet has been a dangerous wild west for a long time now, and people have no choice but to learn basic safety precautions. It's no less critical than "look both ways before crossing the street" or "use a condom". This is just how it is now.

    Ilsa

    1. Re:No shit? by rahvin112 · · Score: 1

      I have all kinds of direct internet connected PCs, they are not running windows and have adequate software firewalls running that protect them. I'm neither begging to be hacked nor doing anything stupid. I would be foolish to make blanket assumptions about things you have no experience with, your windows experience does not translate to my FreeBSD and Linux machines.

    2. Re:No shit? by ilsaloving · · Score: 1

      Wow, that's a lovely bunch of assumptions you're making.

      If you honestly think that people aren't trying to hack you... if you think that Linux and FreeBSD are completely perfect and exploit free... then you are as inexperienced and foolish as you're accusing me of being, so maybe you should learn a little humility, hmmm?

      Security isn't an on-off/yes-no concept. Security has nothing to do with what operating system you use. Security is a *mindset*. Best practise security means using several defences in conjunction, so that should one fail, your systems aren't instantly exposed. The only question that remains is "how much is enough?" and that all depends on risk assessment and mitigation.

      Even if there's no easily accessible exploits, all it takes is for you to make one single mistake with your firewall or some other config and you're now ripe for the picking. You're probably saying to yourself, "I would never do something that stupid." And yeah, that's very easy to say.... right up until it actually happens. It's not a failure in your skills... It's simply a fact of life that shit happens for countless reasons.

      Oh, and FYI, I'm an IT Manager and sysadmin, managing large fleets of servers that use everything from Mac, Windows, various flavours of linux, freebsd, XenServer, VMWare ESXi, etc etc. If you were under me and I found out you were needlessly risking servers by dumping them onto the open net without at *least* having a cisco or other flavour of hardware firewall in front of them, I'd fire your ass so fast you would have no idea how you ended up head over teakettle on the curb.

    3. Re:No shit? by ilsaloving · · Score: 1

      Does it now? Then I guess you'll have no difficulty finding someone to refute what I said.

      After all, the Appeal to Authority fallacy only means that you should not assume what I said is true just because I claim authority. It says nothing about the validity of the argument itself.

      So please, if I'm wrong, correct me. Having correct information is critical when managing infrastructure, and I want to do the best job I can.

      If, on the other hand, your *only* argument is "You made a logical fallacy so therefore you are wrong", then you yourself are making a logical fallacy and we have nothing further to discuss.

    4. Re:No shit? by chaoskitty · · Score: 1

      You know, you're not contributing to the discussion by trying to assert that Windows and any other OS are equivalent. Microsoft is the outlier. Mac OS X, the BSDs, and most GNU/Linuxes (I say most because many distros are sprinting towards being as Windows-like as possible) do not launch daemons that listen on public interfaces by default, nor do BeOS (Haiku), AmigaOS, QNX or others.

      Windows comes insecure out of the box, and that's without turning on any services. Updates are painful and confusing. Do you know which patch fixes this issue just by looking at Microsoft's Windows Update list of updates? Didn't think so.

      If you were my boss and insisted without discussion that putting a BSD machine on a public IP without a firewall was insecure, I'd insist that you'd be taken out of your position because you don't understand security at all.

    5. Re:No shit? by ilsaloving · · Score: 1

      If you think I don't understand security, then you obviously didn't read my post, nor do *you* understand security.

      Yes, Windows is far more problematic than Mac, which is more problematic than Linux, than BSD, etc etc blah blah blah. That is well known and not even a matter for discussion. The horse is so dead that it's already decomposed. Would you stop flogging it already?

      That does NOT mean that *BSD is completely impervious. It just means that they've done a better job keeping their default attack surface down, and people haven't cared enough to seriously try to exploit it. It also does not mean that the software running ON the operating system doesn't have a hole waiting to be exploited. It ALSO does not mean that the person administering the box won't accidentally fatfinger something and leave a gaping hole purely by accident.

      Quite plainly, choosing your favourite operating system is not the start and finish of security. Just because that concept hurts your misplaced pride, doesn't make it less true.

      I mean, holy fucking christ, how hard is it for people like you to understand that *shit* *happens*? It does. We do not live in a perfect world. An administrator may be called upon to make a configuration change when they happened to not have a good night sleep, and then accidentally make a mistake without realizing it?

      There are freaking encyclopedias worth of best practises available, free for the reading (eg: NIST) that detail all the various things one should do to help improve security of their infrastructure.

      But people like you think you know everything, and know better than everybody else, and that's why infosec in general is going down the toilet around the world, because people like you and that other guy would rather sit in your little Dunning-Kruger cave with your fingers in your ears.

  14. NAT filtering by DrYak · · Score: 1

    NAT routers don't filter.* Any incoming traffic
    * some also filter, but that's not really part of NAT

    (Note: I was using "filter" in a very liberal way. Basically: they don't just pass ethernet packets around blindly as a hub/switch would.
    Technically, yes, NAT routers don't pay as much attention to the source IP as they pay to the destination port, so the applied rules are a bit unusual).

    But most modems with NAT I've seen have their router set to drop most of their inbound connections, unless addressed to a port that was white-listed:
    - ...manually by the modem web interface (forward port "6992" to the machine running bittorrent)
    - ...asked for by a machine over UPnP (skype running on a laptop asks the router to have a port forwarded to the laptop)
    - ...answering the port of an outbound UDP request (so either a live video chat, or as part of STUN firewall hole punching instead of classic UPnP)
    - ...as part of an outgoing TCP request (the answer to an HTTP request)
    - ...as requested by a special protocol (as part of the inbound TCP data channel in an FTP session, as specified in the PORT command)

    Such modem systematically check any incoming packet for the destination port, and will block or forward it depending on the destination port.
    (= so they look pretty close to the filtering work done by a classic firewall, except for the "not having to care the destination IP" part)
    and in addition will remap the IP addresses (that's the extra part that NAT adds to the top of a regular firewall).

    But again, the security brought by modern modems comes from the fact that they decide to drop or allow inbound traffic based on rules.
    The IP remapping is additional mumbo-jumbo necessary to circumvent the limited amount of public IPs.

    TL;DR: it's secure because of the modem's embedded Linux iptables. The fact that you can use a private IP range is just a bonus.

    Otherwise it responds, or doesn't, to traffic addressed to it, just like any other machine would.

    I haven't seen a modern modem that responds to traffic itself by default.
    All I've seen have drop or forward rules (some forward rules built on the fly, others manually set as mentioned above).
    It usually takes special settings to actually have the router itself respond to external traffic (usually to allow the ISP to administer it).

    Or in other words: all the inbound traffic gets into the modem's embedded Linux iptables ruleset; from that point onward it's either sent to another machine or dropped, but under normal circumstances (i.e.: default settings) it never reaches the embedded Linux network socket layer.
    The only exceptions are stuff like DHCPv4, RA for IPv6 and (much more seldom) telnet.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:NAT filtering by ceoyoyo · · Score: 1

      I guess you can look at it that way. Really what happens is that a NAT router drops any packet that it can't figure out a destination for. It's kind of like the post office... they don't deliver mail for which they can't figure out the destination address.

      It seems like a pedantic point, but it becomes important when you talk about IPv6. Computers behind NAT are protected because they don't actually exist on the Internet. They can only be reached via special tricks, and those tricks have to be implemented for the thing to work.

      On the other hand, a device with an IPv6 address DOES exist on the internet. Unfortunately, protecting the IPv6 devices isn't as simple as just building routers that use the same filter as NAT routers do, because NAT routers don't use a filter. You could build an IPv6 router that imitates what a NAT router does, but you'd have to specifically include a stateful packet inspection system to do so (and you'd break everybody's fancy IoT devices). Want to bet most manufacturers don't bother?

  15. Most modem run Linux by DrYak · · Score: 1

    Really what happens is that a NAT router drops any packet that it can't figure out a destination for.

    Nope.
    They drop any packet, because that's the default rule in the iptables (sidenote: anyone with a modern modem that uses netfilter?)
    loaded into the Linux kernel that runs on the MIPS (most likely) inside your modem/router.
    The rest are exceptions.
    On a NAT router the rules will be in the form 'if destination port is "6992", then replace destination IP with "192.168.2.13" and keep the packet'.
    On a regular IPv6 router the rules will be in the form 'if destination IP is ":81a6:3d0f:5025:9243:5660" and destination port is "6692" then keep the packet'.
    But the rest, on any sane modem implementation, doesn't even leave the iptables rules.

    It's kind of like the post office... they don't deliver mail for which they can't figure out the destination address.

    Nope.
    To keep the metaphor:
    - security works because you have a post office to begin with (filtering capabilities, thanks to iptables).
    - the default for that post office is to burn with a flamethrower anything that doesn't match known names and/or street numbers.
    - the question of whether the destination address exists or not will never come up, because most of the mail will have already been burnt beforehand, on the grounds of not being on the list of allowed names or allowed street numbers. They never reach the postman's backpack / they're never scheduled for delivery.

    It seems like a pedantic point, but it becomes important when you talk about IPv6. Computers behind NAT are protected because they don't actually exist on the Internet.

    Nope.
    They are protected because the metaphorical post office is trained to burn mail by default. Any sane router drops incoming traffic by default.
    Even if they had public addresses that could be reached from anywhere on the internet, they would still be protected because the default rule is to drop any packet that didn't get authorised by another rule.
    The fact that the address needs to be rewritten is just icing on the cake.

    They can only be reached via special tricks, and those tricks have to be implemented for the thing to work.

    Those "special tricks" are just "yet another entry in the iptables".
    In the very special sub-case of IPv4 behind a NAT, it happens that the rule also needs to rewrite the destination address. But that's about it.
    Aside from that small detail, everything is the same, including with IPv4 and public addresses. Including IPv6 and public addresses.
    You could even imagine including IPv6 and private addresses, but it's not worth the hassle.

    On the other hand, a device with an IPv6 address DOES exist on the internet.

    Again : so what ?
    The question of whether the IP is publicly addressable or not is completely perpendicular to the question of whether the current ruleset will allow the packet through, or not.
    (by default : it's not)

    Unfortunately, protecting the IPv6 devices isn't as simple as just building routers that use the same filter as NAT routers do,

    Yes, it is, as proven by nearly any modern sane router (random example : AVM's Fritz routers).

    because NAT routers don't use a filter.

    Wha.... ?
    Here's an incredible surprise for you : nearly every modern modem/router runs a Linux kernel.
    iptables is a default feature of the Linux kernel.
    iptables is necessarily present in modems/routers.
    iptables IS USED because you need it to put in the default "masquerade out-going traffic" rule.
    iptables IS USED because you need it to put in additional port-forwarding rules.

    You could build an IPv6 router that imitates what a NAT router does,

    Manufacturers DO ALREADY build IPv6 routers that do what NAT routers do and drop by default anything incoming, exce

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
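    The two DrYak comments above (14 and 15) make one claim: the protection comes from a default-drop ruleset, and the IPv4 address rewrite is a separate, incidental step. The following Python model is an added example, not code from the thread or from any router firmware, that makes the claim checkable. It simulates the ruleset the comments describe: a default DROP policy, an IPv4 port-forward rule that rewrites the destination ("dport 6992 -> 192.168.2.13"), an IPv6 accept rule that rewrites nothing, masquerading of private IPv4 sources, and a conntrack table so that replies to outbound flows are admitted. All addresses (203.0.113.7, 198.51.100.x, 2001:db8::...) are constructed documentation-range values, the IPv6 host address only reuses the fragment quoted in comment 15, and the RFC 1918 check is deliberately simplified.

```python
"""Model of a home router's default-drop ruleset (constructed example).

Shows that an IPv4 host behind NAT and an IPv6 host with a public address
are protected by the same mechanism: an unsolicited inbound packet hits no
accept rule and falls through to the default DROP. Only the IPv4 case also
needs the destination rewritten.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Simplified RFC 1918 check for the masquerade rule (constructed; real code
# would use ipaddress.ip_address(...).is_private).
PRIVATE_V4_PREFIXES = ("10.", "192.168.", "172.16.")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


# conntrack key as seen from the WAN side: proto, remote ip/port, our ip/port
Flow = Tuple[str, str, int, str, int]


@dataclass
class Router:
    wan_v4: str
    # IPv4 port forwards: (proto, dport) -> (lan ip, lan port). This is the
    # "if dport is 6992 then rewrite dst to 192.168.2.13 and keep" rule.
    forwards_v4: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    # IPv6 accept rules: (dst, proto, dport). Same idea, no rewrite needed.
    accepts_v6: Set[Tuple[str, str, int]] = field(default_factory=set)
    # Established flows: WAN-side key -> the LAN (ip, port) that opened it.
    conntrack: Dict[Flow, Tuple[str, int]] = field(default_factory=dict)
    dropped: List[Packet] = field(default_factory=list)

    @staticmethod
    def is_v4(ip: str) -> bool:
        return ":" not in ip

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN. Masquerade private IPv4 sources and remember the flow.

        Real NAT may also pick a fresh source port on collision; this model
        keeps the original port to stay short.
        """
        if self.is_v4(pkt.src) and pkt.src.startswith(PRIVATE_V4_PREFIXES):
            out = Packet(self.wan_v4, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        else:
            out = pkt  # public IPv4 or IPv6: nothing to rewrite
        self.conntrack[(pkt.proto, pkt.dst, pkt.dport, out.src, out.sport)] = (pkt.src, pkt.sport)
        return out

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN. Return the packet as delivered, or None if dropped."""
        # Rule 1: reply to an established outbound flow (ESTABLISHED,RELATED).
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conntrack:
            lan_ip, lan_port = self.conntrack[key]
            return Packet(pkt.src, pkt.sport, lan_ip, lan_port, pkt.proto)
        # Rule 2: IPv4 port forward, with destination rewrite (DNAT).
        if self.is_v4(pkt.dst) and pkt.dst == self.wan_v4:
            fwd = self.forwards_v4.get((pkt.proto, pkt.dport))
            if fwd is not None:
                return Packet(pkt.src, pkt.sport, fwd[0], fwd[1], pkt.proto)
        # Rule 3: explicit IPv6 accept, no rewrite.
        elif (pkt.dst, pkt.proto, pkt.dport) in self.accepts_v6:
            return pkt
        # Default policy: DROP. Unsolicited traffic never reaches a host.
        self.dropped.append(pkt)
        return None


def demo() -> Dict[str, Optional[Packet]]:
    """Run constructed packets through the ruleset; see the test for outcomes."""
    v6_host = "2001:db8::81a6:3d0f:5025:9243:5660"  # constructed, documentation prefix
    r = Router(
        wan_v4="203.0.113.7",
        forwards_v4={("tcp", 6992): ("192.168.2.13", 6992)},
        accepts_v6={(v6_host, "tcp", 6692)},
    )
    results: Dict[str, Optional[Packet]] = {}
    # Unsolicited SMB probe at the public IPv4: no rule matches, dropped.
    results["v4_smb_probe"] = r.inbound(Packet("198.51.100.9", 40000, "203.0.113.7", 445))
    # Forwarded port: accepted and rewritten to the LAN host.
    results["v4_forward"] = r.inbound(Packet("198.51.100.9", 40001, "203.0.113.7", 6992))
    # Publicly routable IPv6 host, same unsolicited probe: still dropped.
    results["v6_smb_probe"] = r.inbound(Packet("2001:db8:ffff::1", 40002, v6_host, 445))
    # IPv6 accept rule: delivered unchanged.
    results["v6_accept"] = r.inbound(Packet("2001:db8:ffff::1", 40003, v6_host, 6692))
    # Reply to an outbound HTTP request: admitted by conntrack and un-NATed.
    r.outbound(Packet("192.168.2.20", 51234, "198.51.100.80", 80))
    results["v4_reply"] = r.inbound(Packet("198.51.100.80", 80, "203.0.113.7", 51234))
    return results


if __name__ == "__main__":
    for name, delivered in demo().items():
        print(f"{name:14s} -> {'DROP' if delivered is None else delivered}")
```

    The point the model makes visible: removing the address rewrite (the IPv6 path) changes nothing about which packets are dropped; removing the default DROP would expose both hosts. In a real deployment the equivalent check is to confirm the router's forward chain policy is DROP and that only intended ports appear in its accept or DNAT rules.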
  16. Progress by McFortner · · Score: 1

    F.U.D. (fear, uncertainty, doubt) isn't just for IBM anymore.

    --
    Beware of Sales Reps bearing gifts.
  17. Re: Did (s)he really talk like that? by Brockmire · · Score: 1

    Have you met ANY developer, ever?