Wannacry: Everything you still need to know because there were so many unanswered Qs

It has been a week since the Wannacry ransomware burst onto the world's computers – and security researchers think they have figured out how it all started. Many assumed the nasty code made its way into organizations via email – either spammed out, or tailored for specific individuals – using infected attachments. Once …

Silver badge
Happy

This sure beats reading newspapers

Keep it up El Reg.

58
0
Silver badge

Re: This sure beats reading newspapers

First rule: the early reports are mostly wrong on major details.

Second rule: the regular media is clueless and will latch on to any meme that they can hype: NORKS, Russian, Chinese, etc. did it.

Third rule: good security and update practices across the board will block most exploits harming you.

Fourth rule: avoid sites that are known to be sources of malware infections.

If you follow these rules, most malware will not be a problem. You still will be vulnerable to 0-day exploits for your OS.

38
0
Silver badge

Re: This sure beats reading newspapers

@ a_yank_lurker

Good set of rules. First time I was infected my son was in primary school. (He brought home the first Word macro virus). Second time he had a LAN party and disinfestation was moderately painful. It was his last LAN party at home. The Gitling's now 32 years of age.

My AV warns of malware infested websites and it's often surprising.

Best insurance against zero-day is backups. One of the reasons I like Linux/gparted. Makes it such a breeze.

12
0
Bronze badge
Megaphone

Re: This sure beats reading newspapers

Indeed, all the "experts" using this as an excuse to bash the NHS are looking pretty silly right now. Even if the NHS had spent many millions eradicating every single XP machine from every dusty corner of the organisation, it would have made bugger all difference. The real issue here was the speed at which they didn't apply patches.

They clearly quarantined critical security patches for far too long (2+ months), so if anyone needs to be to blame, it's not the NHS, it's not government funding, it's not some other hidden political agenda, it's solely on who is responsible for timely patch deployment.

5
7
Anonymous Coward

Re: This sure beats reading newspapers

Fifth rule - never listen to the Reg commenters who believe Win7 is the end-all of computing, and who actively oppose allowing MS updates on their precious gaming rigs.

12
10
Anonymous Coward

Re: This sure beats reading newspapers

> Indeed, all the "experts" using this as an excuse to bash the NHS

... and don't forget all the politicos busy weaponizing the NHS were insistent that it must be a targeted attack on the sainted NHS.

6
0
Silver badge

Re: This sure beats reading newspapers

@Andy Prough - My basic take is all OSes are vulnerable to attack. Some are harder to break than others. And all require some TLC including patching and updates. From my view the argument that Bloat 7 or Bloat 10 is more secure is somewhat pointless as Slurp is not known for producing the most secure OSes available. It is sort of like arguing over how leaky one colander is compared to another.

9
1
Silver badge
Linux

Re: This sure beats reading newspapers

Fifth rule - never listen to the Reg commenters who believe Win7 is the end-all of computing,

The end-all of Windows computing, at most. Which it is.

And who the zarking fardwarks exposes SMB ports to the Greater Internet?

13
0
Happy

Great analysis - thanks

So the question is - why have you got several thousand W7 desktops unpatched?

While I understand that the servers will need to be a variety of VMs I would just use a standard image of NHSbuntu [ www.nhsbuntu.org ] for the sheep as I can lock it down tighter than a duck's chuff, and it has secure email, an office suite, web-browsing and that is all I want them to have.

3
0
Silver badge

Re: This sure beats reading newspapers

Ditto to that. This Saturday's edition of the Wall Street Journal had a column on how to attach a cradle to the back of your cellphone so you could cradle it between your ear and your shoulder. They consider that a technical column and the "solution" a "life hack". Sigh. Their coverage of WannaCry wasn't much better.

0
0
Terminator

Re: Great analysis - thanks

So the question is - why have you got several thousand W7 desktops unpatched?

I can think of a couple of reasons. The first isn't that unusual; as many have noticed, even Microsoft, there are always those that plead incapable when it comes to computers. The question here is whether such users should be allowed access; consider that these people can cause all sorts of problems for other users by not being up to the task of handling their system responsibly.

The other is a little more sinister. Since just before the release of Windows 10 there have been increasing amounts of concern about Microsoft's patching habits. The biggest concern has been that Microsoft have spent a lot of time and effort trying to integrate spyware into their products (see the Register article "Mud sticks: Microsoft, Windows 10 and reputational damage") to the extent that some people have stopped patching. While originally it was easy to spot the spyware patches and avoid them, the current regime of rollups makes this all but impossible to do.

So if finger pointing is really necessary, and before we charge headlong into a fit of blaming unpatched users or the people that perpetrated this problem, let us also consider Microsoft's role in this.

11
2
Silver badge

Re: This sure beats reading newspapers

@Pompous Git

Best insurance against zero-day is backups.

I entirely agree. Unfortunately, having gone in to my Win 10 lappie, and turned off SMB1, my Netgear NAS (for backups) no longer works! I need to do a bit of digging...

1
0
Silver badge

Re: This sure beats reading newspapers

@a_yank_lurker

It is sort of like arguing over how leaky one colander is compared to another.

Not quite - the whole point about a colander is that it is designed to let fluid through: the size and number of holes defining the rate and what doesn't get through. It's not a 'leak' - it's what it's intended to do.

We could argue for ages about whether MS operating system holes are there for a reason...

1
0
Silver badge

Re: This sure beats reading newspapers

"Indeed, all the "experts" using this as an excuse to bash the NHS are looking pretty silly right now"

I don't think I am. I asked:

"As we discovered last time the NHS had a ransomware attack - which must have been all of a few months ago - everyone has full permission on everything at an SMB level.

If this turns out to be spread via SMB or anything below layer then someone needs to explain how the network was configured so badly."

It still seems a perfectly reasonable question.

3
0

Re: Great analysis - thanks

> So the question is - why have you got several thousand W7 desktops unpatched?

Well I for one stopped allowing my Win 7 box to auto patch when Microsoft started fucking about with what was included in updates and to avoid being automatically "upgraded" to Win 10. MS have destroyed the trust that was placed in Windows Update to only update and fix problems, not push malware at us that installs OSes we don't want!!!

8
2

Re: Great analysis - thanks

The vast majority of affected systems were corporate, not personal systems. These end up being maintained by corporate IT departments, which usually don't automatically patch the desktops.

This is usually because they need to ensure that any patches released will not prevent software used by the company from working. They'd want to regression test it before rolling out the updates.

This all sounds reasonable to a degree, but you get cost saving measures whereby corporate IT departments use a static patch deployment cycle of their own (maybe every 6 months) rather than every time an update is released. As such, security updates can go many months waiting to be deployed in corporate networks, increasing the level of vulnerability to pretty much every type of malware.

The solution to this is for corporations to change their procedures. Interim security patches like the March patch don't require batch regression testing as they might when a large feature patch is released.

2
0
Silver badge

Re: This sure beats reading newspapers

And who the zarking fardwarks exposes SMB ports to the Greater Internet?

4 classes of people:

1 - Malware researchers (that's how the original off-switch domain was discovered)

2 - Home users who just plug their Windows PC directly (wired or wirelessly) into their ISP-supplied routers and imagine that the ISP has configured the router to be secure[1]. They then turn on SMB sharing because they want to get stuff transferred from an older computer and forget to turn it off.

3 - Small businesses that just use IT without having Someone Of Clue[2] to look after it - either on a contract or regular basis.

4 - IT admins in public bodies, underpaid and overworked (or clueless[3] - I've met both varieties) who are being screamed at by someone higher in the organisation to do stuff that is fundamentally unsafe (in data protection & security terms). They do something that destroys security[4] without understanding why it's a bad idea and have no clue about how to fix it.

[1] Ha ha. Like the ISPs care. Any more than they care about SMTP traffic that ignores SPF domain validation.

[2] "My nephew can do it - he plays a lot of online games".. (yes - I've had that one).

[3] Sometimes all 3. In the days I had to deal with Trust IT departments it was a real, mixed bag. Some were really brilliant, professional teams, others were staffed by students, people who would never be able to get a job in a professional IT department and time-serving wasters.

[4] Like bridge between N3 and the Internet. Back when I had anything to do with it, N3 seemed to have an implicit trust model - traffic on the N3 side was assumed to be trusted and not requiring firewalling... That may well have changed now.

0
0
Silver badge

Re: Great analysis - thanks

So the question is - why have you got several thousand W7 desktops unpatched?

Because you are running custom software that's incredibly picky about OS versions[1] and patches? Because you don't have anyone that knows about WSUS or SCCM? Because your CxO doesn't give you any budget for anything other than getting their team the latest and greatest and certainly not for wasting time fiddling about with servers?

Been there, done that.

[1] Yes - in one job we had a hardware card supporting some custom machinery that caused us a lot of grief. If you put it in anything faster than a 386 the card would run for about 5 minutes before locking up. That's why we stockpiled old Compaq 386 parts and spares to keep the machines it was running on going. Oh - and for extra delight, the driver we had for the card only worked under Win 3.11.

And this was in the mid 2000s.

0
0
Silver badge

Re: Great analysis - thanks

Because you are running custom software that's incredibly picky about OS versions[1] and patches? Because you don't have anyone that knows about WSUS or SCCM? Because your CxO doesn't give you any budget for anything other than getting their team the latest and greatest and certainly not for wasting time fiddling about with servers?

All of those are valid explanations why an individual techie working at an afflicted organization might not have applied the fix that would have prevented this.

None of them are valid explanations as to why an organization allows their technology to be so poorly maintained. None of them explain why CTOs across the country are not getting canned for failing to ensure business continuity.

I've no problem with people getting paid big money for CxO roles, but together with the money comes the responsibility; if you are the CTO of a hospital trust, and your policies on patching desktops led to surgeries getting cancelled, you should be cancelled.

0
1
Silver badge

Re: This sure beats reading newspapers

"Indeed, all the "experts" using this as an excuse to bash the NHS are looking pretty silly right now. "

Oh really? That would be the NHS which left port 445 open to the world instead of firewalling it on the border routers?

0
0
Anonymous Coward

SMB shares

SMB shares exposed to the internet. Just....... Why?

37
0

Re: SMB shares

It boggles the mind. Large organisations, with (supposedly) clued-up IT departments. Using SMB shares exposed to the internet. I don't even know where to start ...

15
0
Silver badge

Re: SMB shares

Why? God alone knows.

Most 'amateur' connections are via NAT routers. Which need explicit configuration to actually accept incoming connections.

One can only posit a very very poorly set up leased line system, in which intersite working was done simply by opening ports onto full publicly addressable IP spaces as 'the quickest way to get the job done'

You have to work quite hard to be this insecure.

17
0
Silver badge

Re: SMB shares

Why? I guess they use TCP/IP protocols. MSFT have made obsolete the old NetBEUI protocol.

Windows NT in its day used to mention that NetBEUI could be used for machines you did not want to be visible on the Internet.

4
1
Silver badge

Re: SMB shares

Why am I not surprised that Telefonica had Internet-facing SMB ports open, and SMB1 at that.

4
0
Silver badge

I blame Microsoft

Yes yes, no one should have an SMB port open to the internet, but poorly configured DMZs or small branch offices that are supposed to get their internet from the main office but improperly add their own 'business internet' connection from the local ISP because it is faster are probably more common than anyone cares to admit.

Microsoft firewalls off most ports by default, but leaves port 445 wide open. Why? Surely it would make more sense to have it open to ONLY the PC's local subnet, since that will suffice for 99% of home/small business installs! Require a configuration change by the admin to open it up wider - i.e. if your company uses 10.x.x.x internally open it up to 10.0.0.0/8, and pop a warning before allowing someone to disable it entirely.

2
2
Gold badge

Re: SMB shares

Perhaps those large organisations allow VPN access. Then you could have non-internet-facing SMB shares exposed to a box that might (for some other reason) have been internet-facing at some point in the recent past. For example, a GP's surgery might have an old Win2k8R2 server that has been mis-configured and no-one is really paying attention, but it probably does have access to the interior of the NHS network.

0
0
Anonymous Coward

Re: SMB shares

NetBEUI can't be routed so cannot be exposed to the internet. It was great for really small networks on a single broadcast domain as it required no configuration. You just turned it on and machines could communicate.

However, anyone using TCP/IP should be configuring their firewall with a default block any/any rule, then justifying any exceptions. In any org I have worked in, you would normally only expose ports to machines in a DMZ to the internet. You would need an extremely strong justification to open any ports to the internal network and have to demonstrate that there was no alternative. Anyone suggesting opening SMB to the internal network would probably be told to go sit in the corner with a dunce cap on their head.

1
0
Anonymous Coward

Re: I blame Microsoft

@DougS

I don't. I blame the network administrator.

SMB is not normally open at all unless you enable file sharing. I would have to check what the default is on recent versions of Windows, but most ports opened by default are not open to the public network. You can't even ping a Windows machine now as ICMP is blocked off by default.

However, in a corporate world you shouldn't be accepting any default ruleset anyway. Just look at what your org requires and push out the rules you want with group policy.

Yes, in the past default configurations of Windows were wide open to enable ease of use. This is less the case now. If you put in the effort though you can lock down Windows very easily. You can block off any port you want and only allow permitted applications to run. You can do all this centrally with group policy so there really is no excuse. Start from a model that no user can do anything or access any resource unless specifically allowed by a group membership.

Of course you are still open to zero days and some things just can't be anticipated. This is why you also make sure you have tested backups and a recovery plan. Preferably multiple independent backups to different media using different backup products.

Prevent what you can, limit the damage of anything you can't prevent, then make sure you can recover from any damage. Learn from any incident to improve your future prevention, damage control and recovery.

4
1
Silver badge

SMB shares exposed to the internet. Just....... Why?

They don't have to have been exposed to the internet globally, just exposed to one external machine that itself is compromised. Management says give X access or it's your ass, you lock down access so it is literally just to machine X, but if X gets hit then you're hit. It really is a case of just one weak link is enough. But management will never understand why security wants to be so doctrinaire and inflexible when it's 'obvious' that one little exception, properly managed, will be OK... Really.

3
0
Anonymous Coward

Re: SMB shares exposed to the internet. Just....... Why?

"Management says give X access or it's your ass,"

Have had that, configured X, and then discovered a few weeks later that the same manager brought in a personal (actually, iirc it was his son's) laptop as the corporate one was too difficult to use, with loads of things that needed him to click (security updates that needed to be accepted before he could access anything). He then plugged it in to the network, which got him nowhere as unused switch ports were disabled, and screamed at his PA to get the "IT guys to fix it or get fired" (words to that effect).

Same guy, few years later ... director at NHS IT.

2
0
Anonymous Coward

Re: SMB shares exposed to the internet. Just....... Why?

Rumour has it this was spread over the NHS N3 network, hence the widespread infection for the NHS. Hence why SMB might have been more open for sharing data, as N3 is supposed to be a secure network (Still no excuse I agree!). However it must have got in somewhere initially. Again, rumour has it the telco was at fault. AC as I'm speculating.....

0
0
Silver badge
Mushroom

Re: SMB shares

I don't even know where to start ...

I do. And it involves copious amounts of most of the stuff reviewed in "Things I Won't Work With"

0
0
Anonymous Coward

Re: SMB shares

Organisation that I spent 2 long days helping, last weekend was infected from a BYOD over VPN, owned and used by a very senior person in the org.

The same senior person that had ensured that well over 100 machines were still on XP, at least 75 of which were infected when I turned them off and disconnected them from the network as stage 1 of recovery.

FYI

Stage 2 was boot from op system CD, and reformat HD. Shut down.

Stage 3 was use system recovery disk for machine to install backup/restore software. Disable SMBv1 Shut down.

Stage 4 reconnect network cable and re-boot, map backup drive, restore full disk image and incrementals from server, reboot.

Network scripts were in place to disable SMBv1 and apply the patch on connecting to the network.

0
0
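One way to implement what two of the comments above describe, the "I blame Microsoft" suggestion of allowing port 445 only from the local subnet (or a site range such as 10.0.0.0/8) and the recovery steps' "disable SMBv1" script: this is an added PowerShell example, not code from the thread or from any NHS script. It assumes Windows 8.1/10 or Server 2012 R2 and later (the NetSecurity and SmbShare cmdlets and the SMB1Protocol optional feature), an elevated session, and rule names that are chosen here arbitrarily.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Restrict inbound SMB (TCP 445) to
# trusted ranges, block it elsewhere, and turn off SMBv1 on the host.

# 1. Starting point: list every enabled inbound rule that allows TCP 445, so
#    you can see how wide open the stock "File and Printer Sharing" rules are.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq 445 } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    Select-Object DisplayName, Profile, Action |
    Format-Table -AutoSize

# 2. Disable the built-in SMB-In rules; they allow 445 from any remote address
#    on the Domain/Private profiles once file sharing is enabled.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
    Where-Object { $_.DisplayName -like '*SMB-In*' } |
    Disable-NetFirewallRule

# 3. Replace them with an explicit allow list. 'LocalSubnet' is the firewall's
#    keyword for the interface's own subnet; add a corporate range if needed.
$allowedFrom = @('LocalSubnet')            # e.g. @('LocalSubnet', '10.0.0.0/8')
New-NetFirewallRule -DisplayName 'SMB-In (restricted)' -Direction Inbound `
    -Protocol TCP -LocalPort 445 -RemoteAddress $allowedFrom `
    -Action Allow -Profile Domain, Private | Out-Null

# 4. Explicitly block 445 on the Public profile (hotel/ISP-router style
#    networks). Block rules win over allow rules in the Windows firewall.
New-NetFirewallRule -DisplayName 'SMB-In (block public)' -Direction Inbound `
    -Protocol TCP -LocalPort 445 -Action Block -Profile Public | Out-Null

# 5. Turn off SMBv1 (the version WannaCry spread through). The server setting
#    applies immediately; removing the optional feature takes effect on reboot.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null

# 6. Verify: SMBv1 should report False and only the restricted rules should be
#    enabled for 445.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
Get-NetFirewallRule -DisplayName 'SMB-In*' |
    Select-Object DisplayName, Enabled, Profile, Action |
    Format-Table -AutoSize
```

Clients that still depend on a NAS or printer speaking only SMBv1 (the Netgear NAS problem mentioned earlier in the thread) will stop working after step 5, so check step 1's output and the device's firmware before rolling this out by group policy.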
Silver badge

Re: SMB shares exposed to the internet. Just....... Why?

Hence why SMB might have been more open for sharing data, as N3 is supposed to be a secure network

Still doesn't excuse having it open. Medical establishments *should* understand the principles of infection control..

0
1
Silver badge

Re: I blame Microsoft

"I don't. I blame the network administrator."

This. Or whichever idiot overruled him.

Blaming Microsoft for someone else failing to secure the product and failing to install patches that were released months before the outbreak is like blaming a door manufacturer for a break-in because you failed to engage the lock. Saying 'But the door was unlocked when it was delivered!' is not going to win you any court cases.

2
0
Silver badge

Re: SMB shares

"Organisation that I spent 2 long days helping, last weekend was infected from a BYOD over VPN, owned and used by a very senior person in the org."

You don't have to help if they're sabotaging themselves from within. In fact I'd hold up my hands at that point and tell them any further work is chargeable.

0
0
Silver badge

Re: I blame Microsoft

"I don't. I blame the network administrator."

This. Or whichever idiot overruled him.

Having dealt with NHS "network administrators" - who told me "You're very arrogant and you're talking gobbledygook about viruses and IP addresses which I don't understand, I refuse to deal with you." and "I'm the administrator here, I know what I'm doing" - about a machine which was spewing crap all over the Internet. (And the boss, who sympathised but had no power to overrule the administrator), I'll say that a good chunk of the issue lies with the matter of adequate training coupled with Dunning-Kruger writ large.

Another similar discussion was had with a "NHS administrator" about a webserver used for GP patient bookings which was firewalling out around 2/3 of TalkTalk's entire UK ADSL IP allocations. "It works fine for me, you're making it up"

0
0
Anonymous Coward

Ransomware doesn't work

Everyone has perfect backups, so encrypting data is all for nothing.

11
4

Re: Ransomware doesn't work

Can I come to live in your world?

7
0
Gold badge
Unhappy

Wasn't "But we had to have SMB for our internal shares on the network" the NHS problem?

So why is it enabled on internet facing PC's as well?

Is that an actual method of working for any organization?

Don't feel too bad. Port scanning to find a port that shouldn't be open (but was) is exactly how Gary McKinnon got into the Pentagon.

In 2002.

I think sysadmins don't like to do port scans from outside their network as they can't see the point looking for something they know isn't there.

Except of course when they are wrong and someone has left ports open.

10
0
Silver badge
Boffin

Re: Wasn't "But we had to have SMB for our internal shares on the network" the NHS problem?

Home user with badly configured PC. Gets infected.

Connects to work over VPN - SMB shares correctly configured, but infection spreads from PC.

Surely a familiar scenario for many remote workers?

11
2

Re: Wasn't "But we had to have SMB for our internal shares on the network" the NHS problem?

Why would a home user connect to work's VPN using his own machine (I assume that is what is implied above)? Unless we are talking about the lunacy called BYOD.

13
3
Law

Re: Wasn't "But we had to have SMB for our internal shares on the network" the NHS problem?

"Surely a familiar scenario for many remote workers?"

No - our VPN has security checks in place that won't let you connect fully until you've:

a - got the recent antivirus definitions

b - fully patched

c - had a recent scan

In the past, if you'd not logged in for more than a week it'd require you to go on site to get the updates... these days you get to update without being fully connected over vpn, so no trip required.

As a dev, I've mostly got control over the machine, but there are several group policies I don't have control over. Certain services are blocked, ports as well, and I can't disable security features like virus checker, or the software deployment software.

Being a remote worker isn't an excuse, or necessarily any riskier than on-site staff. Unsurprisingly we've not had any WannaCry infections in the multinational organisation of 10k people, with many remote workers.

4
0
Silver badge

Re: Wasn't "But we had to have SMB for our internal shares on the network" the NHS problem?

"our VPN has security checks in place that won't let you connect fully until you've:

a - got the recent antivirus definitions"

Which still won't protect against something new enough not to have got into the definitions.

13
1

Re: Wasn't "But we had to have SMB for our internal shares on the network" the NHS problem?

HMRC. If you are a 'contractor' and not a "worker" or "employee", your contract may state you must provide your own IT equipment EXCEPT when working on site of Client. This is an established part of proving 'independence' under HMRC probe for IR35. Thus, yes, there is a case where a contractor would connect to NHS via their own computers from home, for remote working.

10
0

Re: Wasn't "But we had to have SMB for our internal shares on the network" the NHS problem?

We are, and the lunacy is widespread and getting worse. For some reason companies who provide their employees office space, desks, telephones, pens, paper, and everything else they need to do their job, somehow think the single device they use and depend on more than any other is somehow exempt from their responsibility.

2
0
Silver badge

Re: Wasn't "But we had to have SMB for our internal shares on the network" the NHS problem?

"I think sysadmins don't like to do port scans from outside their network as they can't see the point looking for something they know isn't there."

Most plain ordinary sysadmins probably have a clause in their contract that they won't do something like that unless they have specific permission in writing from their security bods to do so.

I know I've had contracts that say that, and I believe I'm far from alone.

4
0
Silver badge

Android could become a vulnerability here

There are plenty of known Android attacks, some remotely via SMS/MMS. Obviously many devices will remain unpatched against these vulnerabilities for their lifetime, so I wonder when we will see the first hybrid malware:

stage 1: infect Android device using an Android vulnerability, and lie in wait

stage 2: when connected to a new wifi network, look for PCs to attack using Windows vulnerability

The Android malware could even 'update' itself by checking in at a master host (made to look like yet another advertising site, with traffic that could be triggered only when browsing so that no one is the wiser) which would allow it to upgrade the Windows vulnerabilities it is using over time as old ones get closed off and new ones are discovered.

I think one of the main reasons we haven't seen widespread Android infestations is because hackers are so mercenary these days. The time when they considered it good enough to print some message about being 'p0wned' are long gone, now they're at it to make money, and ransomware on PCs is where it's at.

Being able to infect devices that far too many workplaces allow people to bring in and connect to their internal network (so they can get access to email, internal web sites, etc.) is an easy way to bypass the expensive firewalls and IDS systems companies put on their network perimeter.

Obviously the same could be done with iOS, but Apple gets fixes out too quickly and people apply them too quickly, making Android a far better carrier for such a hybrid malware strategy.

2
0
Silver badge

@eionmac

"This is an established part of proving 'independence' under HMRC probe for IR35"

Except when you work in the security field, there is no way you would be allowed to connect to the client with anything but a laptop built to their spec. I once even offered to buy my own laptop and have them build it for me to try and meet this rule (and also to bypass their shitty old tech that won't run my 3440*1440 widescreen at anything above 42Hz) but no cigar - it's their laptop or nothing.

It's a problem (re: IR35) which is why I take a lot more pains to ensure the working relationship is that of business-business etc. rather than employer-employee (much more important to IR35 imho)

1
0


Biting the hand that feeds IT © 1998–2017