Wannacry: Everything you still need to know because there were so many unanswered Qs

It has been a week since the Wannacry ransomware burst onto the world's computers – and security researchers think they have figured out how it all started. Many assumed the nasty code made its way into organizations via email – either spammed out, or tailored for specific individuals – using infected attachments. Once …


"Most..ordinary sysadmins probably have a clause in their contract..specific permission in writing "

If you work for the sort of outfit that has such a clause written into your contract and an actual "security bod" to deal with this then perhaps they should do the port scan?

I'd suggest an outside scan of your network, and a review of the results, should be a standard part of network maintenance procedures.

I'm not saying any open port is a bad port (although I think the fewer the better) but why it's open should be well understood and documented, if only to stop the next PFY hired from noticing it and (on the principle "all open ports are bad") closing it, naturally without telling anyone.

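Added example (not code from the thread): a PowerShell scan of a public address for a handful of ports, compared against the documented list of ports that are meant to be open, so an undocumented open port stands out and a documented one that has quietly been closed does too. The host name, baseline entries and port list are assumptions; run it from outside your own network and only against hosts you are authorised to scan.

```powershell
# Added example, not from the thread. Scan a public address for a few ports of
# interest and compare the result with the documented list of ports that are
# supposed to be open. Host, baseline and port list are assumptions.
$Target   = 'gateway.example.org'          # assumption: your own public address
$Baseline = @{                             # assumption: ports documented as intentionally open
    443 = 'HTTPS reverse proxy (owner: web team, change record on the wiki)'
    22  = 'SFTP drop box (owner: infrastructure team)'
}
$Interesting = 21, 22, 23, 25, 80, 135, 139, 443, 445, 3389

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 1500)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No SYN/ACK within the timeout: treat as closed or filtered.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$open = $Interesting | Where-Object { Test-TcpPort -ComputerName $Target -Port $_ }

foreach ($p in $open) {
    if ($Baseline.ContainsKey($p)) {
        '{0,5}  open    documented: {1}' -f $p, $Baseline[$p]
    } else {
        '{0,5}  open    UNDOCUMENTED - find out why before anyone "fixes" it' -f $p
    }
}

# Documented ports that are no longer open deserve a look too: something may
# have been closed without telling anyone.
foreach ($p in $Baseline.Keys | Where-Object { $open -notcontains $_ }) {
    '{0,5}  closed  but documented as open: {1}' -f $p, $Baseline[$p]
}
```

A connect scan like this only tells you that a TCP handshake completed; it says nothing about what is behind the port, which is why the baseline should record the service and its owner, not just the number.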

Re: Wasn't "But we had to have SMB for our internal shares on the network" the NHS problem?

Unless your contract clearly states you are responsible for pen testing, you *need* to get written sign off before you do it. Or be the person who owns the kit. You usually have to write the letter yourself, and get the boss to sign it, since they won't care *unless* it goes horribly wrong.

And yes, it's a sensible and reasonable thing to do, but like anything where you're crossing a legal boundary for work, get it in writing. Then you have a clear defense if you get accused of computer crimes. Same as if you're repairing a machine, get the client to sign off on what is happening, so if you find dodgy stuff you won't get in trouble for illegally accessing it.

It's the difference between being a general worker who checks that a secure door is locked by trying the handle (which is OK), versus someone hired to do a security audit attempting to force the door open, attempting to pick the lock etc.


"the difference between..a general worker..checks that a secure door is locked by trying the handle"

Actually I would have described a port scan as exactly like trying the doors on a building you work in.

Not attempting to enter (by your analogy), just test to see if it's open to begin with.

However if you're writing your own authorization letter you should probably include a clause to allow repeat scans whenever there is a significant change in the system, with "significant" being loosely or tightly defined depending on how awkward your boss is likely to be.


Re: Wasn't "But we had to have SMB for our internal shares on the network" the NHS problem?

I think sysadmins don't like to do port scans from outside their network as they can't see the point in looking for something they know isn't there.

I'll add one word to the start of your sentence: "incompetent sysadmins"..

(We pay an external organisation to regularly run pentests against us - both internally and externally. And the results are treated seriously.)


Re: Android could become a vulnerability here

" I wonder when we will see the first hybrid malware:"

IIRC, we already saw that exact scenario a couple of years ago; an SMS virus targeting 'droids which then dumped a payload onto Windows machines once it was connected to them. It's not actually that effective a vector, though.


Oh, the irony!

Windows 7 machines most affected after so-called "experts" advised switching off updates to avoid Windows 10 upgrade notifications?


Re: Oh, the irony!

"Windows 7 machines most affected after so-called "experts" advised switching off updates to avoid Windows 10 upgrade notifications"

and the spyware as well.

At least in 7 you can pick/choose which updates to install. Knowing the proper KB means you can download it and apply the patch manually, last I checked...


Re: Oh, the irony!

"Windows 7 machines most affected after so-called "experts" advised switching off updates to avoid Windows 10 upgrade notifications?"
FFS J J! We were blocking malware from MS.


Re: Oh, the irony!

Updates to W7 also got switched off because it was taking until the heat death of the Universe or the arrival of WannaCry before the updates ran. There are still posts here from people complaining about that and even I, a non-Windows bod, know that there's a specific update to be downloaded and applied individually that fixes it.


Re: Oh, the irony!

@ Doctor Syntax

Not forgetting the update that caused svchost.exe to consume 95% of cpu cycles leading to my recommending Linux Mint to so many of my friends...

Anonymous Coward

Re: Oh, the irony!

Win7 or 8? Unfortunately the patch to patch the patcher is patchy.


Re: Oh, the irony!

Even the best advice in the world can become bad advice if the situation changes. Just because they are wrong now doesn't mean it was wrong then.

Anonymous Coward

Re: Oh, the irony!

Internet facing system with no security updates? It's the definition of "wrong".


Re: Oh, the irony!

Which is exactly why perverting the patch process with the pushed Windows 10 upgrades was a mind bogglingly stupid and irresponsible thing for Microsoft to do.


Re: Oh, the irony!

"... you can pick/choose which updates to install."

Those who turn off automatic security patch application do need to actually choose and apply the important patches. A patch for a remotely exploitable vulnerability that allows execution of arbitrary code (e.g., MS17-010), NVD severity 8.7 if I recall correctly, is an Important Patch by any standard. Anyone clued in and attentive enough to have taken over patch management should have applied it within a couple of weeks from issue.

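Added example (not from the thread): a PowerShell check for a Windows 7 / Server 2008 R2 box whose automatic updates were switched off, along the lines of "if you took over patch management, prove you kept up". It reports how stale the most recently installed hotfix is, whether the SMBv1 server is still enabled, and whether anything is listening on 445. It deliberately does not look for MS17-010 by KB number, because which KB carries the fix depends on the OS and on whether you take the security-only update or the monthly rollup; the 45-day threshold is an assumption.

```powershell
# Added example, not from the thread. Quick "did anyone actually keep patching?"
# check for a Windows 7 / Server 2008 R2 machine with automatic updates off.
$MaxPatchAgeDays = 45   # assumption: your own tolerance for a missed patch cycle

# 1. How old is the newest installed hotfix?
$latest = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

if ($null -eq $latest) {
    Write-Warning 'No hotfix has an install date recorded - treat the box as unpatched.'
} else {
    $age = (Get-Date) - $latest.InstalledOn
    '{0} installed {1:d} ({2} days ago)' -f $latest.HotFixID, $latest.InstalledOn, [int]$age.TotalDays
    if ($age.TotalDays -gt $MaxPatchAgeDays) {
        Write-Warning ('Nothing installed in {0} days; manual patching has lapsed.' -f $MaxPatchAgeDays)
    }
}

# 2. Is the SMBv1 server still enabled? Windows 7 has no Get-SmbServerConfiguration,
#    so read the LanmanServer SMB1 value: absent or 1 means enabled, 0 means disabled.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$smb1 = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
if ($null -eq $smb1 -or $smb1 -ne 0) {
    Write-Warning 'SMBv1 server is enabled. Unless something documented still needs it, disable it with:'
    Write-Warning "  Set-ItemProperty -Path '$lanman' -Name SMB1 -Type DWord -Value 0 -Force   (then reboot)"
} else {
    'SMBv1 server is disabled via the registry.'
}

# 3. Is anything listening on 445 at all? netstat works on Windows 7, where
#    Get-NetTCPConnection is not available.
$listening = netstat -an | Select-String ':445\s+.*LISTENING'
if ($listening) {
    'Port 445 is listening locally: ' + (($listening | ForEach-Object { $_.Line.Trim() }) -join '; ')
} else {
    'Nothing is listening on TCP 445.'
}
```

Patch age is a crude proxy for "are the important patches on", but it catches the common failure in this thread: updates switched off, the manual routine forgotten, and months going by with nothing installed.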

Re: Oh, the irony!

I'll tell you what's more ironic - 1) MS sending out non-security updates as security updates so people's only recourse is to turn the whole thing off and 2) Windows Update being so badly designed that turning it off and going for a few months without installing everything means when you turn it back on to automatic it can't find updates, it just gets stuck in a loop.


Re: Oh, the irony!

I notice you didn't mention updates taking forever with the windows standalone installer "searching for updates on this computer". What the hell is it actually doing for those endless hours running that lovely green band L-R ?

Paris, has better ideas for how to spend endless hours.

(So have I, btw.)


Re: Oh, the irony!

Every business I've worked for switches off updates and most have policies that prevent the users from running it.


Re: Oh, the irony!

From Ars Technica: "The Kaspersky figures are illuminating because they show Windows 7 x64 Edition, which is widely used by large organizations, being infected close to twice as much as Windows 7 versions mostly used in homes and small offices. It's not clear if that means enterprises are less likely to patch or if there are other explanations."

I'd say homes and small offices have auto-updates turned on, big businesses don't.

Glad I'm not on that team at work.

Anonymous Coward

Re: Oh, the irony!

I wonder if Windows 7 Enterprise Edition was targeted, leaving home and small businesses largely unaffected.


Re: Oh, the irony!

It's not clear if that means enterprises are less likely to patch or if there are other explanations."

No - it means that corporate patch cycles are longer than most home users' because history teaches us that Microsoft updates will break things and so they have to be tested[1] first.

[1] And not just on the testers PC.


Re: Oh, the irony!

Windows 7 machines most affected after so-called "experts" advised switching off updates to avoid Windows 10 upgrade notifications?

See my earlier comment. If Microsoft hadn't tried so hard to insert spyware into some of their patches for W7 then people would have not even suggested switching off updates. Well, some might have done but nobody would have listened to them.

Having said that, pointing fingers at users for not patching doesn't really escape the fact that the hole was there, it was exploited by the NSA, it was then stolen and somebody else used that same exploit to try to extract money. How many more holes are there in Windows, current version included, that the NSA knows about and keeps under wraps, even from Microsoft?

Or MacOS? Or Linux? I know where I'm pointing and it isn't at any specific end users.

Anonymous Coward

Re: Oh, the irony!

@JimC - "Which is exactly why perverting the patch process with the pushed Windows 10 upgrades was a mind bogglingly stupid and irresponsible thing for Microsoft to do."

So? Switch the network interfaces to "metered connection", thereby shutting off auto-update. No one can help people who only want to complain and refuse to learn how to run their system. Just stamping their feet and yelling, "but it doesn't run like Windows 7 did!!!" is kind of pointless at this late date.


hunts down vulnerable public facing SMB ports

this is what I thought, from reading the El Reg articles and other (supporting) articles that I found online, ones linked to from El Reg and other independent articles.

Although I had also heard about possible e-mail vectors, the primary vector appeared to be port 445 facing the intarwebs, which everyone with any kind of IT experience recognizes as being *VERY* *VERY* *BAD*.

thanks for the final confirmation on that. [it was in the 'teccy' El Reg article, too, but you had to look for it]

Seeing as those first articles were posted on a friday evening way after "beer o'clock", I'm glad they were more or less right on with nearly complete information.


Re: hunts down vulnerable public facing SMB ports

"the primary vector appeared to be port 445 facing the intarwebs, which everyone with any kind of IT experience recognizes as being *VERY* *VERY* *BAD*."
But Shirley you have all ports closed except those you explicitly need to be open. Or am I missing something? Why would you want port 445 open?


Re: hunts down vulnerable public facing SMB ports

and even if you wanted it open, why open it to the world?

This smacks of 'I want to be able to file share my hospital data anywhere in the world on my totally insecure laptop'.

I remember one of my staff doing a security audit for a major company. He related the conversation...

'so how secure is our firewall?'

'well your firewall is fine, but the IT directors PC with the modem in auto answer mode on his DDI line is a bit of a problem'


Re: hunts down vulnerable public facing SMB ports

Did the malware initially launch through its own efforts or did it just use a handy list of open SMB ports published by one of those scanning companies, whose primary function seems to be the provision of information that is of great use to malware spreaders?

+/- 'allegedly' etc...


Re: hunts down vulnerable public facing SMB ports

"why?"

Well there are no technical reasons, but when there is pressure to save money it can happen by accident, or because a senior manager over-rules the technical staff and says that it MUST be done otherwise you will be dismissed. Of course once the sensible ones have been dismissed.....

... the other factor may be the abolition of the Primary Care Trusts which again resulted in huge disruption to local IT services....

... lastly every local government office has to undergo penetration testing every 2 years. Why doesn't this apply to the NHS? Shouldn't GCHQ be doing this and warning people of unsafe practices...


Re: hunts down vulnerable public facing SMB ports

Why would you want port 445 open?

You might not have reason to open it, but maybe something you're running (probably malicious, but not necessarily so) opens it via universal plug 'n' pwn.


"But Shirley you have all ports closed except those you explicitly need to be open. "

People seem to be saying "So I can share files and printers with the network as I'm a contractor"

Seems excessive to me and asking for trouble in these days of large capacity flash drives. How big a specialist toolset/database do you need to take into work?


Re: hunts down vulnerable public facing SMB ports

"You might not have reason to open it, but maybe something you're running (probably malicious, but not necessarily so) opens it via universal plug 'n' pwn."
Which is why I periodically run Steve Gibson's Shields Up.


Infection via SMB fits

I think this would make sense much better than infection over email. The time frame just didn't make sense for infection via email. We've had this type of malware in one form or another for several years now. Time wise, the infections have been spread at varying levels over months and years. To get a (seemingly) synchronised attack going over a single day, just relying on people in hundreds of organisations all over the world all opening infected attachments at once in such a short window of time seemed from the beginning an unlikely explanation.


Opinion sought

As I continue strongly advocating better file management, storage and backup as the key* defence against ransomware, I'm very interested to hear from people who think this is the wrong approach.

Also, what do people consider the current state of the art with respect to internet facing file stores? So far I've got certificate-based sftp on a non-standard port with fail2ban or similar, all other ports firewalled.

* emphatically not underplaying the importance of up-to-date FW, AV and OS.

Anonymous Coward

Re: Opinion sought

Start off with a default deny mindset. I configure all resources with their own resource groups. I then create role groups which are members of the appropriate resource groups. Until users are added to any of these roles they have access to nothing. They can't even log on. I can also see exactly what any user can access by just looking at the roles they are a member of. Use the AGDLP principle (https://en.wikipedia.org/wiki/AGDLP).

Use minimum privilege for access to anything. Only grant the minimum required access for each role. This will limit the damage any user can cause if they get malware.

If you can, implement applocker or some other application whitelisting solution. Use FSRM to watch for known crypto malware (see here: https://fsrm.experiant.ca/).

If you have a firewall or webfilter that categorises websites, block access to uncategorised sites. This can stop phish mails that try to pull malware down from the web. Block executables in email using your mail filter.

It is all about putting as many layers in the way to stop the malware to minimise risk. At the end though assume you can't block everything so have tested backups and a recovery plan.

If possible have independent backup solutions backing up to different media (Veeam to NAS, Arcserve to tape for example). That way if one fails or is compromised, you still have a backup. Better to have lots of backups you don't need than no backups that you do need.

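Added example (not from the thread): the FSRM part of the layered defence above, as PowerShell for a file server with the File Server Resource Manager role installed. It creates a file group of ransomware-style file names, a report-only template that e-mails the FSRM admin address when one of those names is written, and applies it to each share root. The share paths and the pattern list are assumptions for illustration; the fsrm.experiant.ca list linked above maintains a much longer, updated set, and FSRM's SMTP settings (Set-FsrmSetting) must already be configured for the mail to go anywhere.

```powershell
# Added example, not from the thread. Passive FSRM file screen that alerts when
# a ransomware-style file name is written to a share. Paths and patterns are
# assumptions; use a maintained list (e.g. fsrm.experiant.ca) in practice.
Import-Module FileServerResourceManager

$Shares   = 'D:\Shares\Finance', 'D:\Shares\Clinical'        # assumption: your share roots
$Patterns = '*.wncry', '*.wnry', '*.locky', '*.crypt',        # assumption: illustrative names
            '*.locked', '*decrypt_instructions*'
$GroupName    = 'Ransomware file names'
$TemplateName = 'Ransomware alert (passive)'

# 1. File group: the names we treat as a sign that encryption is under way.
if (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns
} else {
    New-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns | Out-Null
}

# 2. Notification: e-mail the FSRM administrator address. The bracketed tokens
#    are FSRM's own substitution variables and are filled in at alert time.
$mail = New-FsrmAction -Type Email -MailTo '[Admin Email]' `
    -Subject 'Ransomware-style file written under [File Screen Path]' `
    -Body 'User [Source Io Owner] on [Source Io Owner Computer] wrote [Source File Path]'

# 3. Template without -Active: matches are logged and mailed, never blocked, so a
#    false positive cannot break a legitimate application. Add -Active once tuned.
if (-not (Get-FsrmFileScreenTemplate -Name $TemplateName -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreenTemplate -Name $TemplateName -IncludeGroup $GroupName -Notification $mail | Out-Null
}

# 4. Apply the template to every share root that does not already have a screen.
foreach ($path in $Shares) {
    if (Get-FsrmFileScreen -Path $path -ErrorAction SilentlyContinue) {
        "$path already has a file screen; leaving it alone"
    } else {
        New-FsrmFileScreen -Path $path -Template $TemplateName | Out-Null
        "Passive screen applied to $path"
    }
}
```

The value of the passive mode is that the alert arrives while the user's session is still identifiable ([Source Io Owner]), which is what you need to pull that machine off the network before the rest of the share is touched; an active screen only refuses the writes that happen to match the pattern list.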

It's still a bit confusing

If we are talking about dimwits that have exposed SMB (which was a bad idea in the 1990's FFS...), there are a few issues with the theory as it stands;

By default, Windows will only allow file share access when in private firewall mode.

Consumer grade modems don't have any port forwarding enabled (again, by default) - even that flawed facility, UPnP, didn't tend to dynamically allow it.

A large number of ISP's will automatically block such ports for their subscribers (unless you request them to be open).

Very, very, very badly configured VPNs or shockingly bad gateways seem to be the most likely vector. If you had, or still have, a private network with internal DNS, SMB, NMB etc. exposed, then I suggest you change careers voluntarily, before you are lynched...

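Added example (not from the thread): the first of the points above, the firewall profile, is easy to check on the box itself. This PowerShell prints the active firewall profile and then walks netsh's rule dump looking for an enabled inbound allow rule for TCP 445 that applies to the Public profile; netsh is used instead of the NetSecurity cmdlets so it also runs on Windows 7. Parsing assumes English-language netsh output.

```powershell
# Added example, not from the thread. Which firewall profile is active, and does
# any enabled inbound rule allow TCP 445 on the Public profile? Uses netsh so it
# runs on Windows 7 as well as later versions. Assumes English netsh output.
'Active profile(s):'
netsh advfirewall show currentprofile |
    Select-String 'Profile Settings' |
    ForEach-Object { '  ' + $_.Line.Trim() }

# Walk the rule dump record by record; each record begins with "Rule Name:".
$records = @()
$current = $null
foreach ($line in (netsh advfirewall firewall show rule name=all)) {
    if ($line -match '^\s*Rule Name:\s*(.+)$') {
        if ($current) { $records += ,$current }
        $current = @{ Name = $matches[1].Trim() }
    } elseif ($current -and $line -match '^\s*(Enabled|Direction|Profiles|Action|Protocol|LocalPort):\s*(.+)$') {
        $current[$matches[1]] = $matches[2].Trim()
    }
}
if ($current) { $records += ,$current }

# An inbound allow for TCP 445 (or any port / any protocol) that covers Public.
$exposed = $records | Where-Object {
    $_.Enabled -eq 'Yes' -and $_.Direction -eq 'In' -and $_.Action -eq 'Allow' -and
    ($_.Protocol -eq 'TCP' -or $_.Protocol -eq 'Any') -and
    ($_.LocalPort -eq 'Any' -or (($_.LocalPort -split ',') -contains '445')) -and
    $_.Profiles -match 'Public'
}

if ($exposed) {
    Write-Warning 'Inbound TCP 445 is allowed on the Public profile by:'
    $exposed | ForEach-Object { "  $($_.Name)  (profiles: $($_.Profiles); port: $($_.LocalPort))" }
} else {
    'No enabled inbound rule allows TCP 445 on the Public profile.'
}
```

A clean result here does not rule out exposure through a badly configured VPN or gateway, which is the point the post above makes: the host firewall is only one of the three hurdles, and the one most likely to be intact.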

Way back one of the client's network guys had discovered that someone was persistently trying to probe the firewall. He then looked at the IP address and found the eejit was sharing his C: drive. If it had been me I'd have tried to mount the drive and see how much could be deleted from it before it all fell apart.


That's a bad idea

If it had been me I'd have tried to mount the drive and see how much could be deleted from it before it all fell apart.

If you're in the UK, that's a really bad idea. It counts as unauthorised access under the Computer Misuse Act, and gets you 12 months in prison and/or an unlimited fine.


It's possible the eejit probing, wasn't actually probing themselves*, but had been owned by malware and that was doing the probing.

* Nope. Stop that.


Re: That's a bad idea

"If it had been me I'd have tried to mount the drive and see how much could be deleted from it before it all fell apart.

If you're in the UK, that's a really bad idea. It counts as unauthorised access under the Computer Misuse Act, and gets you 12 months in prison and/or an unlimited fine."

Bah. Pikers. Here in the Gunshine (no, that is not a typo) State it's a five-year felony. Which means of course that were I to do such a dastardly thing (which, of course, I would not) I would not have done it from a network or a device which could be traced back to me.

of course, if I ate their boot volume they'd have one hell of time proving whodunit, now wouldn't they?

Anonymous Coward

Re: That's a bad idea

I'm sure you meant the eejit? That guy is using the network aiming for unauthorised access (probe firewall). The op is talking about if he/she was the "the client's network guy". How is the client's network guy at fault for touching things on his own network?

It's like if an IT guy sets up a router that disables all unauthorised devices connected to the router. How is the IT guy doing stuff with "unauthorised access" when it is his network?


No place to hide

From the Malwarebytes video it seems that the only places for the criminals to hide are Antarctica and the DPRK.


Re: No place to hide

It would be a very bad idea for any government not to cooperate, though there are some good reasons not to hand people over to the USA for a trial. And we might not be much better. But the scary prospect is for some government, absolutely sure of somebody's guilt, to bypass the legal process and arrange to push some hacker off the platform in front of a train.

Part of it is the thinking that we know, but cannot give away how we know.

This feeling that some governments are willing to mess around the system lies behind some aspects of the Julian Assange case. The people who worked on this malware may have killed somebody in the UK, and it might legally amount to manslaughter. They aren't innocents. But I would rather trust a court than a politician.


Finally...

Thank you for this. I was waiting for an explanation. And now I got all I need to know in one place and I can give people who ask me a link to this article.

THANK YOU!! :-)


Email

The bloke from Spanish Telecom said that an email was the source for them and frankly I believe him.

I really don't believe that SMB shares are exposed on the internet.

Do you know of anyone that does that - expose their fileshares on t'tubes?

Anonymous Coward

Rule 1 back your shit up

Rule 2 back your shit up


Rule 1 back your shit up

Rule 2 back your shit up

Thanks, Bruce!

Mind you, last time I had a back up of shit, I had to call a plumber!



Anonymous Coward

Russia's response to ransomware changed?

Given that this attack is very handy for Microsoft (you can have our slurp or become vulnerable to attack, ah lookout here comes one just to prove our point) along with the previous ransomware mostly hitting the west then one wonders if perhaps this time around the attack has come from a different source.

I would imagine that there are a lot of Western agents that had previously relied upon the bespoke back doors put into windows lately being worried that they might have to return to the bad old days, where they had to get out of their chairs. If everyone has a secure OS then I can see their jobs becoming much harder, well when it comes to spying upon their own populations anyway.

That Microsoft made obtaining updates without also taking their slurp increasingly difficult leading up to this attack might also be suggestive.

Given that we know that both MS and the Western agencies were more than aware of this "vulnerability" and given their historic action it could not be seen to be out of character.

One thing is clear though, even limiting updates will not protect you since everyone really is out to get you, better to finally drop windows and go with something that doesn't come prepwned.

Anonymous Coward

s/wannacry/Windows 10/gi

You could replace 'wannacry' with 'Windows 10' throughout this entire article and it'd still be accurate.

Anonymous Coward

Microsoft are not entirely innocent here

I wonder how many infected Windows 7 users had turned off Windows Update (as I had) because last year Microsoft was using it to try to forcibly install Windows 10 on us?

After reading advice on this very site, I went with the option of turning off Windows Update, and trying to do important updates myself. (Very easy for casual users to get wrong, or forget.)


Biting the hand that feeds IT © 1998–2017