Cyberattacks From WannaCry Ransomware Slow But Fears Remain

WannaCry ransomware, which has spread across 150 countries, appears to be slowing down with few reports of fresh attacks in Asia and Europe on Monday. A report on BBC adds: However staff beginning the working week have been told to be careful. The WannaCry ransomware started taking over users' files on Friday, demanding $300 to restore access. Hundreds of thousands of computers have been affected so far. Computer giant Microsoft said the attack should serve as a wake-up call. BBC analysis of three accounts linked to the ransom demands suggests only about $38,000 had been paid by Monday morning.

Re: i wanna cry

[thundercattt]

Here's my Smug face on my #Debian https://encrypted-tbn0.gstatic... [gstatic.com]

Simple steps to protect from this crap

[courteaudotbiz]

• - Update your freakin Windows install
• - Do not expose SMB ports to the Internet (TCP/UDP 445, TCP/UDP 137-139)
• - Do not open emails with suspicious attachments
• - Have an updated antivirus scanning your files on-access

The first 2 steps are the most important. The second one alone should protect you.

Re:

[MrKaos]

The biggest problem is you can't fix stupid.

Re:

[gweihir]

Indeed. And you cannot fix even more stupid, in particular the people who paid.

Re:

[MrKaos]

True that, which probably increases the amount of ransomware we will see in the future. It would seem the sensitive little snowflakes that can't face reality would rather call that a troll than 'calling it as it is seen'.

Re:

[gweihir]

People like to ignore what they cannot fix, instead to learn how to fix it. And then they try to convince others that ignoring it is the right strategy in order to get emotional confirmation. I guess quite a few tribes and larger groups of people have failed due to that in history. Of course, this approach is anathema to any good engineer, because if we screw up, things break, sometimes spectacularly. Unfortunately, IT is not a proper engineering field today and many people working in it do not qualify as e

Re:

[MrKaos]

People like to ignore what they cannot fix, instead to learn how to fix it. And then they try to convince others that ignoring it is the right strategy in order to get emotional confirmation.

I couldn't help laughing when I read this as it is so often my experience, especially when people know what you do with technology and they still try to rope you into their illusions so they have a tacit appeal to authority. I gave up trying to help people and just shrugged and let people have their comfort now at the expense of some future disaster that I won't get involved in.

Unfortunately, IT is not a proper engineering field today and many people working in it do not qualify as engineers from their mind-set and skills. I also support giving engineering degrees to people that can prove good skill and understanding what it means to be an engineer in their field, with some additional qualification required if needed.

I started very young and just loved electronics and coding. So I think I was in that category for a good portion of my career until

Re:

[gweihir]

Inevitably, how this dictates the type of people that get into computing is it currently attracts people comfortable with high levels of uncertainty, something engineers are not. My brother is as Nuclear Physicist, he likes to joke that for him, point A and point B are enough to define a straight line, but an engineer needs more data.

That captures it well really. I mostly work as an engineer (I am also a scientist, but part-time only), and when I do engineering, I not only want these two points, I want two more in addition so I have generous redundancy and _still_ have redundancy left even if one of the point fails. When doing Science, I am perfectly fine with using only two points ;-)

Re:

[courteaudotbiz]

Your first point is 100% wrong. You do not need an executable file to get infected. A little over a month ago, a zero-day exploit did not even require a Word document to have macros enabled to get you infected. [helpnetsecurity.com]

I remember of PDF files that could have you pwned. I remember of Flash files that could get you pwned. All this by opening not-executable files using a supposedly safe executable file.

I say that ANYTHING looking even a little fishy should raise suspicion. As much as humanly possible, when you rec

PDF and Flash are executable

[raymorris]

PDF and Flash are executable code. Because that may not be obvious, perhaps "don't open attachments" is a good idea.

There has also been at least one jpeg vulnerability. Jpegs aren't supposed to contain executable code

Re:

[gweihir]

The sub-set of Postscript used in PDF has Turing-power. All it needs is permissions and you can do with it whatever you want. Displaying stuff is just what it has default-permissions to do. This means you do only need a privilege escalation, and not the code execution vulnerability malware in non-executable formats needs.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Anubis IV]

The second one alone should protect you.

I may be mistaken, but I believe that's not the case. It's also using SMB to spread behind firewalls after someone fails to follow Step 3 that you provided. As such, both Steps 2 and 3 are necessary and must be practiced by everyone behind your firewall, otherwise you may still get infected.

Re:

[courteaudotbiz]

If [ step1 is applied ]
then
-- you are pretty safe from this shit
elif [ step1 is applied && step2 is applied ]
then
-- you are safer from this shit
else
-- you will never be safe from this shit. Points 3 and 4 are general purpose self defense advice.
fi

My 2 cents pseudocode.

Don't let the $THREE_LETTER_GOV_ORG hoard exploits

[bulled]

Microsoft was whining about this earlier, and they are absolutely right to do so. There is no such thing as 'NOBUS'. There are far more smart people working outside $ORG than inside it and it is hubris to believe that $ORG is the only one smart enough to find any particular exploit.

With that said, Microsoft made a part of this shit sandwich by refusing to patch older, but still active operating systems until their feet were to the fire. Sure, no one should be running XP any longer, but once on a vendor lock-in treadmill it can be very hard and expensive to get off.

Re:Don't let the $THREE_LETTER_GOV_ORG hoard explo

[clickety6]

Plus the fact that Microsoft pushed people into not updating by turning their fix-the-bug patch update system into a shill-the-hell-out-of-windows-10 advert delivery system.

Re:

[bulled]

Good point, this probably as big a part as the failure to patch older systems.

Re:

[UnixUnix]

I too am wary of running a patch from MS but they do offer a manual alternative which I used on a Win 7 machine: Create Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters Registry entry: SMB1 REG_DWORD: 0 = Disabled --from https://support.microsoft.com/... [microsoft.com] and keep your fingers crossed

Re:

[prunus.avium]

The trouble is there are perfectly valid reasons for using the older operating systems especially in the cases like hospitals.

Let's say, as an example, there is an ultrasound machine that was based around Windows XP. I know is sounds odd but there is a case to be made for taking an existing laptop motherboard design and tweaking it to add the special hardware needed for the ultrasound. Especially as the images can be sent to a central file server.

Now, 4 years later, update the OS.

Can you guarantee that th

Re:

[Bigbutt]

Yea, I have at least two pieces of perfectly good hardware that I can't use except on an XP machine due to the manufacturers using some XP code (browser?). The HP scanner isn't that big a deal, more annoying. But the Sony Handycam means I can't get old recordings off of the tapes without XP.

[John]

Re:Don't let the $THREE_LETTER_GOV_ORG hoard explo

[__aaclcg7560]

Let's say, as an example, there is an ultrasound machine that was based around Windows XP.

Medical devices should be kept on a separate VLAN behind an ACL with a no access to the Internet and a dedicated update server. Exposure to the General VLAN can cause problems. From what I read about the British hospital, there network isn't highly structured.

Re:

[Ed Tice]

An ultrasound machine should not be running an SMB server either! Nor should it be hosting any data. And it should be possible to return the thing to a default state. Also you should not be using it to browse email and open attachments!

Re:

[prunus.avium]

Sure. Those of us who have worked in network security long enough know that, but given a design requirement of "Share the diagnostic images with other servers on the network" and an OS that has a built in network sharing protocol, there's a very large incentive to just use what the OS provides.

Can a Windows XP machine use the SMB client protocol without allowing inbound packets? I don't remember. It's been too long. And I haven't gone over the SMB vulnerability in detail to know exactly how it worked.

Re:

[__aaclcg7560]

Can a Windows XP machine use the SMB client protocol without allowing inbound packets?

Windows XP has SMB 1, which less secure than SMB 2 or 3 (found on Windows Vista or later and Windows 2008 or later).

Re:

[Solandri]

The problem with worms is that one infected device momentarily connected can spread the infection. So someone plugs in a USB flash drive to a computer on your restricted VLAN to copy some MP3s they want to listen to, spreads that infection to that computer, which then spreads it to the rest of the devices on the VLAN. The strength of your security is determined by your weakest link - in this case the dumbest person with physical access to your secure network.

Re:

[__aaclcg7560]

So someone plugs in a USB flash drive to a computer on your restricted VLAN to copy some MP3s they want to listen to, spreads that infection to that computer, which then spreads it to the rest of the devices on the VLAN.

If you plugged a USB stick into a workstation at my job, the USB port would shut down and security will stop by in five minutes to confiscate the USB stick. Authorized USB sticks have built-in hardware encryption and are registered with an authentication server.

Re:

[prunus.avium]

I'm guessing you work at a company that is IT related. I could be wrong but in my experience most companies that are not in the IT field see IT as a loss generator. As such, the lower the cost and inconvenience to users, the better.

And when it's the CEO that wants to share his daughter's Christmas choir video with the whole company - no I'm not kidding - that USB stick gets greenlit.

Re:

[__aaclcg7560]

I'm guessing you work at a company that is IT related.

I worked in government IT. The three-letter agency I work for is definitely not IT-related. I've gotten blowback from friends who think I work for the NSA (I can neither confirm nor deny) and was responsible for what happened this weekend.

Re:

[prunus.avium]

Ah. Governmental IT. The government has been bitten a few times already about security so they take it a bit more seriously.

Just to clarify, I'm not arguing about the best practices. I'm just playing devil's advocate as to how this situation could have happened. I do contract development work. The shortcuts taken to fit the work into the budget are scary.

This is also why the concept of IoT scares the living shit out of me.

Re:

[__aaclcg7560]

Wow, self-aggrandize much?

This is Slashdot. You must be new around here.

If you did, they'd know you aren't anywhere close enough to the real stuff to have caused anything.

Since people assume the worse about me, I have no trouble letting them think that I work for the NSA, CIA or FBI. Silicon Valley has a long history of government skunkwork projects. If the media, whistle blowers and political extremists contact me, I can simply brush them off.

Re:

[__aaclcg7560]

I guess that $50k a year is worth selling out your soul and sitting on 0day exploits until they become available to the public by means of illegal hacking.

My job is to aggressively patch workstations. This outbreak had zero impact at where I work.

Then you guys send it out in the wild to see how good it works, because why not, it's been patched.

It's unwise for any intelligence agency to reveal their bag of tricks. Although the Russians got burned pretty good this time around.

Re:

[prunus.avium]

Absolutely. The impact could have been lessened with proper security on the network but the people yelling "Get the latest OS!" are starting to get annoying. It's not all about desktop PCs, laptops and servers.

And I say "lessened," since I haven't gone in to the SMB vulnerability in depth. Any file server to which these devices attach may have been vulnerable since these devices couldn't communicate with a patched OS...but that's purely speculation on my part.

But too many people still think that security

Really?

[Crookdotter]

Ransomware has been around for ages now. Surely someone can come up with an OS defense rather than tit for tat patches and upgrades. File versioning going back in history that you can't edit, only recover from? Every file modification makes a new file. Sure, disk space gets eaten up very fast but with large Tb drives that should surely give companies some breathing room, and home users too. Why isn't this an easy option to switch on in windows?

Re:

[swb]

File versioning going back in history that you can't edit, only recover from?

Regular backups, perhaps on some multiple-time-per-day schedule, stored in a security domain separate from the source backup domain seems like the most viable working solution now.

Too many of the exploits hit admin/root privileges and then attack the OS backup defenses and occasionally even backup systems running in the same security domain. You need backups not accessible by even top-level user IDs, and preferably offline.

Re:

[gweihir]

There are defenses that work. Just not on Windows. As usual, MS is far behind.

Vulnerabilities are by design

[Flentil]

Not too long ago you didn't need to worry about viruses at all unless you actively ran something with a .EXE .COM or .BAT extension, then through the expansions of javascript, flash, and even html, now you can get infected in dozens of ways without your even knowing it happened or what website did it. This should never have been allowed, but someone wanted it to happen, and this is where we are now thanks mostly to Microsoft.

Re:

[Applehu Akbar]

OR you could run a fundamentally safer operating system and don't run anything with a DMG extension unless you knowingly downloaded it from a known site.

Re:

[__aaclcg7560]

I haven't had an virus outbreak on my personal PCs in 10+ years. If you practice safe computing by keeping your PCs up to date, avoiding naughty bits on the Internet, and being careful not to click on links and/or attachments in email, you won't have any problems.

Re:

[Bigbutt]

Yep. Not even once (NB that I'm aware of). Add in an ad blocker of some sort and that my firewalls (iptables, pf, iptables again, and pfsense) over the years don't permit externally initiated access and I'm still clean. I do scan somewhat regularly, malwarebytes being my go to scanner, and catch an occasional sketchy cookie. The first time I ran it, several years back, it found several waiting viruses in my really old email backup of my work emails (work let us use our personal computers to VPN in, and Eudo

Re:

[__aaclcg7560]

Also, having a black MacBook will help.

Running the latest version of Linux Mint!

The REAL problem

[Miamicanes]

We need USB drives (mimicking a SAN) with physical switches to put them into one of four states:

* normal operation

* write-only until full, then read-only until physically reconfigured. Basic info like free space can be read, but that's all. Otherwise, it's a lockbox.

* write-mostly until full, then read-only until physically reconfigured

* a hybrid of the second & third modes... everything is encrypted using a random key printed on the label. Without the key, it acts like write-only. With the key, it acts