Cyberattacks From WannaCry Ransomware Slow But Fears Remain (bbc.com)
WannaCry ransomware, which has spread across 150 countries, appears to be slowing down with few reports of fresh attacks in Asia and Europe on Monday. A report on BBC adds: However staff beginning the working week have been told to be careful. The WannaCry ransomware started taking over users' files on Friday, demanding $300 to restore access. Hundreds of thousands of computers have been affected so far. Computer giant Microsoft said the attack should serve as a wake-up call. BBC analysis of three accounts linked to the ransom demands suggests only about $38,000 had been paid by Monday morning.
:(
The first 2 steps are the most important. The second one alone should protect you.
Microsoft was whining about this earlier, and they are absolutely right to do so. There is no such thing as 'NOBUS'. There are far more smart people working outside $ORG than inside it and it is hubris to believe that $ORG is the only one smart enough to find any particular exploit.
With that said, Microsoft made a part of this shit sandwich by refusing to patch older, but still active operating systems until their feet were to the fire. Sure, no one should be running XP any longer, but once on a vendor lock-in treadmill it can be very hard and expensive to get off.
because we're smart enough to not run Windows anywhere.
Ransomware has been around for ages now. Surely someone can come up with an OS defense rather than tit for tat patches and upgrades. File versioning going back in history that you can't edit, only recover from? Every file modification makes a new file. Sure, disk space gets eaten up very fast but with large Tb drives that should surely give companies some breathing room, and home users too. Why isn't this an easy option to switch on in windows?
Not too long ago you didn't need to worry about viruses at all unless you actively ran something with a .EXE .COM or .BAT extension, then through the expansions of javascript, flash, and even html, now you can get infected in dozens of ways without your even knowing it happened or what website did it. This should never have been allowed, but someone wanted it to happen, and this is where we are now thanks mostly to Microsoft.
This was spread by ad networks.
Plus the fact that Microsoft pushed people into not updating by turning their fix-the-bug patch update system into a shill-the-hell-out-of-windows-10 advert delivery system.
The trouble is there are perfectly valid reasons for using the older operating systems, especially in cases like hospitals.
Let's say, as an example, there is an ultrasound machine that was based around Windows XP. I know it sounds odd, but there is a case to be made for taking an existing laptop motherboard design and tweaking it to add the special hardware needed for the ultrasound. Especially as the images can be sent to a central file server.
Now, 4 years later, update the OS.
Can you guarantee that the drivers for that hardware are available? Can you - as a user - update the OS on that hardware? Can the IT guys? Does the company support that hardware any more or will an update require buying a new machine?
Yea, I have at least two pieces of perfectly good hardware that I can't use except on an XP machine due to the manufacturers using some XP code (browser?). The HP scanner isn't that big a deal, more annoying. But the Sony Handycam means I can't get old recordings off of the tapes without XP.
Shit better not happen!
Let's say, as an example, there is an ultrasound machine that was based around Windows XP.
Medical devices should be kept on a separate VLAN behind an ACL with no access to the Internet and a dedicated update server. Exposure to the general VLAN can cause problems. From what I read about the British hospital, their network isn't highly structured.
Good point, this probably as big a part as the failure to patch older systems.
Remember a couple of years ago when Microsoft was going over all their code and removing all security holes.
They missed this terribly serious worm infestation. Did they fix anything at all?
http://www.extremetech.com/extreme/58352-microsoft-promises-to-improve-security-again
Your first point is 100% wrong. You do not need an executable file to get infected. A little over a month ago, a zero-day exploit did not even require a Word document to have macros enabled to get you infected.
I remember PDF files that could have you pwned. I remember Flash files that could get you pwned. All this by opening non-executable files using a supposedly safe executable file.
I say that ANYTHING looking even a little fishy should raise suspicion. As much as humanly possible, when you receive an unexpected file, confirm with a phone call or a reply to the known email address of the sender.
>..Microsoft pushed people into not updating by turning their... update system... into a... windows-10 advert delivery system.
THIS!
MS's use of the update engine to spoon-feed W10 and/or telemetry is EXACTLY why I stopped updating. And thank goodness too! Since then, I've learned how to patch individual concerns manually. These schmucks shot themselves in the foot- but really don't care, as the pain was worth it to them, (which was very little pain by the way. The consumers' pain was greater).
Computer giant Microsoft said the attack should serve as a wake-up call.
Why do you still use the software of a company you don't trust any more?
If you trust Microsoft, you should have installed every patch as soon as they release it, immediately instead of waiting months to see if it causes problems to others.
An ultrasound machine should not be running an SMB server either! Nor should it be hosting any data. And it should be possible to return the thing to a default state. Also you should not be using it to browse email and open attachments!
The problem with worms is that one infected device momentarily connected can spread the infection. So someone plugs in a USB flash drive to a computer on your restricted VLAN to copy some MP3s they want to listen to, spreads that infection to that computer, which then spreads it to the rest of the devices on the VLAN. The strength of your security is determined by your weakest link - in this case the dumbest person with physical access to your secure network.
Absolutely. The impact could have been lessened with proper security on the network but the people yelling "Get the latest OS!" are starting to get annoying. It's not all about desktop PCs, laptops and servers.
And I say "lessened," since I haven't gone in to the SMB vulnerability in depth. Any file server to which these devices attach may have been vulnerable since these devices couldn't communicate with a patched OS...but that's purely speculation on my part.
But too many people still think that security at the border is enough. If we keep the baddies out, we don't need internal security. The downside is if there is a breach, the whole network is screwed. Another example of this was the laptop that could shut down systems on a moving vehicle. That exploit went through the media center in the console and had full access to the rest of the vehicle's systems.
We need USB drives (mimicking a SAN) with physical switches to put them into one of four states:
* normal operation
* write-only until full, then read-only until physically reconfigured. Basic info like free space can be read, but that's all. Otherwise, it's a lockbox.
* write-mostly until full, then read-only until physically reconfigured
* a hybrid of the second & third modes... everything is encrypted using a random key printed on the label. Without the key, it acts like write-only. With the key, it acts like WORM. The idea is that the local PC might effectively see it as write-only, but an admin with the key could examine it more closely.
Then, we could have background backups as changes get made, secure in the knowledge that ransomware can't fuck with the backups *themselves* (the way they can NOW).
People might still get stuck having to buy a new $150-200 backup drive if malware filled their current one (since even after reinstalling Windows, you'd have to be crazy to erase your one good backup copy until you had a new backup AND "enough" time elapsed without incident), and specific computers might still be rendered unusable for extended periods of time (since even with gigabit ethernet or USB 3, it takes hours to shovel terabytes of files around), but it would still beat losing everything in an instant (possibly due to the actions of somebody ELSE doing something stupid/careless on your LAN, or one of the endless exploits in routers, modems, IoT devices, or operating systems (Linux has malware too... it's just mostly ignored by hackers because there aren't as many naive users running Firefox as root as there are naive users with unpatched old versions of Windows)). If you can't protect YOURSELF 100% from the effects of ransomware, at least you could buffer yourself against their primary vector of harm.
So someone plugs in a USB flash drive to a computer on your restricted VLAN to copy some MP3s they want to listen to, spreads that infection to that computer, which then spreads it to the rest of the devices on the VLAN.
If you plugged a USB stick into a workstation at my job, the USB port would shut down and security will stop by in five minutes to confiscate the USB stick. Authorized USB sticks have built-in hardware encryption and are registered with an authentication server.
Sure. Those of us who have worked in network security long enough know that, but given a design requirement of "Share the diagnostic images with other servers on the network" and an OS that has a built in network sharing protocol, there's a very large incentive to just use what the OS provides.
Can a Windows XP machine use the SMB client protocol without allowing inbound packets? I don't remember. It's been too long. And I haven't gone over the SMB vulnerability in detail to know exactly how it worked.
APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/
Ads/script & malware rob speed/security/privacy
Hosts add speed (via hardcodes/adblocks), security (vs. bad sites/malware/poisoned dns), reliability (vs. dns down), & anonymity (vs. dns requestlogs/trackers).
Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus + less security bugs/complexity & faster vs. addons/routers/remote dns!
Avoids DNSChangers in routers/IP settings & dns redirects (99.999% of ISP DNS != patched vs. it) + lightens DNS load & resolves faster from local system RAM!
* Via what u NATIVELY have in the IP stack in FASTER kernelmode!
APK
P.S. - Safe https://www.virustotal.com/en/file/e01211ca36aa02e923f20adee0a3c4f5d5187dc65bdf1c997b3da3c2b0745425/analysis/1433430542/
Can a Windows XP machine use the SMB client protocol without allowing inbound packets?
Windows XP has SMB 1, which is less secure than SMB 2 or 3 (found on Windows Vista or later and Windows Server 2008 or later).
I'm guessing you work at a company that is IT related. I could be wrong but in my experience most companies that are not in the IT field see IT as a loss generator. As such, the lower the cost and inconvenience to users, the better.
And when it's the CEO that wants to share his daughter's Christmas choir video with the whole company - no I'm not kidding - that USB stick gets greenlit.
Make commercial software authors/companies legally liable.
I'm guessing you work at a company that is IT related.
I worked in government IT. The three-letter agency I work for is definitely not IT-related. I've gotten blowback from friends who think I work for the NSA (I can neither confirm nor deny) and was responsible for what happened this weekend.
Ah. Governmental IT. The government has been bitten a few times already about security so they take it a bit more seriously.
Just to clarify, I'm not arguing about the best practices. I'm just playing devil's advocate as to how this situation could have happened. I do contract development work. The shortcuts taken to fit the work into the budget are scary.
This is also why the concept of IoT scares the living shit out of me.
PDF and Flash are executable code. Because that may not be obvious, perhaps "don't open attachments" is a good idea.
There has also been at least one JPEG vulnerability. JPEGs aren't supposed to contain executable code.
I too am wary of running a patch from MS but they do offer a manual alternative which I used on a Win 7 machine:
Create Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB1
REG_DWORD: 0 = Disabled
--from https://support.microsoft.com/... and keep your fingers crossed
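The registry method in the comment above, scripted, as an added example that is not part of the thread or of Microsoft's own documentation. It also applies the two other mitigations people in this thread keep coming back to (nothing answering on TCP/445 from outside, SMB1 off), and then checks the result. Assumptions, marked in the comments: an elevated prompt on Windows 7 / Server 2008 R2 or later; the rule names are made up for illustration; the SMB1 registry value only takes effect after a reboot; and none of this replaces installing the vendor patch the comment is wary of.

```powershell
# Added example (not from the thread or from Microsoft). Run from an elevated
# PowerShell prompt on Windows 7 / 2008 R2 or newer. Assumptions: the registry
# path is the one the comment quotes; the firewall rule names are illustrative;
# SMB1 is only actually off after a reboot. This mitigates, it does not patch.

$Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# 1. SMB1 server component off, exactly as the comment describes (SMB1 = 0, REG_DWORD).
if (-not (Test-Path $Params)) { New-Item -Path $Params -Force | Out-Null }
Set-ItemProperty -Path $Params -Name SMB1 -Type DWord -Value 0 -Force

# 2. Stop unsolicited inbound SMB at the host firewall. Windows Firewall evaluates
#    block rules ahead of allow rules, so an explicit block on 445/139 wins over the
#    built-in "File and Printer Sharing" allow rules; disable those as well so the
#    intent is obvious to the next admin. A device that only pushes images to a
#    central server is an SMB client and needs no inbound 445 at all.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound | Out-Null
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=No | Out-Null
netsh advfirewall firewall add rule name="Example: block SMB direct (445) inbound" `
    dir=in action=block protocol=TCP localport=445 | Out-Null
netsh advfirewall firewall add rule name="Example: block SMB over NetBIOS (139) inbound" `
    dir=in action=block protocol=TCP localport=139 | Out-Null

# 3. Verify. The registry value must read 0. TCP/445 will still show as LISTENING
#    because the Server service also speaks SMB2/3 on the same port; it is the
#    firewall rule, not the registry key, that keeps remote hosts off it.
$smb1 = (Get-ItemProperty -Path $Params -Name SMB1).SMB1
"SMB1 registry value: $smb1 (0 = disabled after reboot)"

# Windows 8 / Server 2012 and later expose the live setting directly.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    "EnableSMB1Protocol (live): " + (Get-SmbServerConfiguration).EnableSMB1Protocol
}

$listening = netstat -an | Select-String ':445\s+\S+\s+LISTENING'
if ($listening) { "TCP/445 still listening locally (expected; inbound is now firewalled): $listening" }
else            { "Nothing listening on TCP/445." }

netsh advfirewall firewall show rule name="Example: block SMB direct (445) inbound"
```

If the machine does have to serve files to a known set of hosts, replace the 445 block rule with an allow rule scoped by `remoteip=` to those addresses and leave the default inbound policy at block; a blanket block on top of an allow would win and cut the legitimate clients off too.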
Wow, self-aggrandize much? 1) You don't have friends. 2) If you did, they'd know you aren't anywhere close enough to the real stuff to have caused anything. Maybe if you forgot to change the bog rolls in the men's room you could have caused 5 minutes of annoyance for one person. Once.
I guess that $50k a year is worth selling out your soul and sitting on 0day exploits until they become available to the public by means of illegal hacking. Then you guys send it out in the wild to see how good it works, because why not, it's been patched.
Wow, self-aggrandize much?
This is Slashdot. You must be new around here.
If you did, they'd know you aren't anywhere close enough to the real stuff to have caused anything.
Since people assume the worst about me, I have no trouble letting them think that I work for the NSA, CIA or FBI. Silicon Valley has a long history of government skunkwork projects. If the media, whistle blowers and political extremists contact me, I can simply brush them off.
I guess that $50k a year is worth selling out your soul and sitting on 0day exploits until they become available to the public by means of illegal hacking.
My job is to aggressively patch workstations. This outbreak had zero impact at where I work.
Then you guys send it out in the wild to see how good it works, because why not, it's been patched.
It's unwise for any intelligence agency to reveal their bag of tricks. Although the Russians got burned pretty good this time around.
See subject: Wana can't get to a setup w/ no SMB/port 445 access secured via CIS Tool (highly esteemed & took fixes from "yours truly" too) & does only SMB2 or better + I don't run Server or Workstation services, Client for Microsoft Networks (any AD stuff too), File or Printer Sharing OR NetBIOS over TCP/IP soliciting connections (wastes for me - no home LAN/network) saving CPU/RAM (& other I/O wasted along w/ longer networking packet train data) which automatically protects me right there 2 ways:
1.) Nothing to get a 'handle' on to connect to via a port 445 listener in the 1st place & EVEN IF it did?
2.) I am SMB2++ secured.
* FOR SINGLE SYSTEMS NOT ON A NETWORK @ HOME (no LAN)? It works.
Yes - "I AM LEGEND" immune here.
APK
P.S.=> It's ALL here how to do it FROM 11++ yrs. ago - "A look @ the future - & the FUTURE was THEN" + got me paid too, will wonders NEVER cease https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&btnG=Google+Search&gbv=1/ ... apk
Can someone please clear this up:
Is this malware attacking -all- Windows XP machines, or just machines setup as Servers?