Hard Light Productions Forums

Off-Topic Discussion => General Discussion => Topic started by: MP-Ryan on May 16, 2017, 07:30:16 pm

Title: EternalBlue & WannaCry
Post by: MP-Ryan on May 16, 2017, 07:30:16 pm
A.k.a. a demonstration of why intentionally running versions of an OS that no longer receive security updates or turning OFF automatic security updates is pure unadulterated stupidity.

https://arstechnica.com/security/2017/05/an-nsa-derived-ransomware-worm-is-shutting-down-computers-worldwide/

Here the NSA actually warned the vendor and a patch went out nearly two months ago, yet a large number of unpatched systems have recently been infected.
Title: Re: EternalBlue & WannaCry
Post by: Scourge of Ages on May 16, 2017, 08:32:42 pm
Oh yeah, I read about this general thing on Imgur a few days ago.

tl;dr Ransomware virus encrypts your stuff until you pay them to give it back, exploits an old hole, Microsoft patched it already, even on XP.

It seems that apparently, and to nobody's surprise, some people did not get that patch.
Title: Re: EternalBlue & WannaCry
Post by: Goober5000 on May 16, 2017, 10:17:27 pm
Reflexively blaming people for not patching their systems is too easy and simplistic.  Plenty of fault lies with the NSA for developing the exploit software in the first place:

https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/#sm.0000mpb068eggcqczh61fx32wtiui
Quote
Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.

Then there is the systemic complexity of managing patching:

https://www.eff.org/deeplinks/2017/05/why-patching-problem-makes-us-wannacry
Quote
The WannaCry ransomware attacks demonstrate that patching large, legacy systems is hard. For many kinds of systems, the existence of patches for a vulnerability is no guarantee that they will make their way to the affected devices in a timely manner. For example, many Internet of Things devices are unpatchable, a fact that was exploited by the Mirai Botnet. Additionally, the majority of Android devices are no longer supported by Google or the device manufacturers, leaving them open to exploitation by a "toxic hellstew" of known vulnerabilities.

Even for systems that can be patched, applying patches to large enterprise or government systems in a timely manner is notoriously difficult. Enterprise and government systems can rarely afford the potential downtime that goes along with a software patch or upgrade. As one researcher put it, "enterprises often face a stark choice with security patches: take the risk of being knocked off the air by hackers, or take the risk of knocking yourself off the air."
Title: Re: EternalBlue & WannaCry
Post by: Grizzly on May 17, 2017, 11:27:22 am
Quote
Plenty of fault lies with the NSA for developing the exploit software in the first place

Passing it around in an unencrypted zip file probably also didn't help.
Title: Re: EternalBlue & WannaCry
Post by: Phantom Hoover on May 17, 2017, 11:48:49 am
Apparently the Bitcoin address they're using has only received about $50k in payments, which is pretty lol
Title: Re: EternalBlue & WannaCry
Post by: WeatherOp on May 17, 2017, 06:07:12 pm
Quote
Apparently the Bitcoin address they're using has only received about $50k in payments, which is pretty lol

See that is one thing about this that screams the hackers weren't smart. If your ransomware just locks down the computer, what stops someone from popping in the windows disk, reinstalling and uploading a backup from a cloud server or hard drive?

Almost sounds like someone threw this out there to grab what they could without much effort.
Title: Re: EternalBlue & WannaCry
Post by: MP-Ryan on May 17, 2017, 10:21:07 pm
Quote
Reflexively blaming people for not patching their systems is too easy and simplistic.  Plenty of fault lies with the NSA for developing the exploit software in the first place

While not understating the fact that the NSA discovered and sat on the vulnerability, that doesn't excuse the fact that they eventually revealed the exploit and the **** has only hit the fan with WannaCry in the days long after a patch was deployed.  So I think it's perfectly reasonable to blame individuals and systems administrators who have intentionally deployed and maintained obsolete operating systems without sufficient hardening against high-threat-level attacks.  E.g. running XP, which is THREE YEARS out of security patches, in an enterprise environment is pure reckless stupidity - and the individuals who intentionally run it at home to this day because they don't like 7/8/10 are beyond saving.
Title: Re: EternalBlue & WannaCry
Post by: Phantom Hoover on May 18, 2017, 05:57:24 am
Quote
See that is one thing about this that screams the hackers weren't smart. If your ransomware just locks down the computer, what stops someone from popping in the windows disk, reinstalling and uploading a backup from a cloud server or hard drive?

The fact that most people don't keep good backups. Ransomware in general is a profitable enterprise, what's notable is that this specific ransomware has apparently not done too well.
Title: Re: EternalBlue & WannaCry
Post by: SkycladGuardian on May 18, 2017, 02:28:39 pm
Yeah, you really have to analyze your prospective markets, otherwise you'll end up like the guys from Thundercrypt in Taiwan: https://twitter.com/fztalks/status/864852163230609408
Title: Re: EternalBlue & WannaCry
Post by: The E on May 20, 2017, 03:23:11 am
Quote
Reflexively blaming people for not patching their systems is too easy and simplistic.  Plenty of fault lies with the NSA for developing the exploit software in the first place

While not understating the fact that the NSA discovered and sat on the vulnerability, that doesn't excuse the fact that they eventually revealed the exploit and the **** has only hit the fan with WannaCry in the days long after a patch was deployed.  So I think it's perfectly reasonable to blame individuals and systems administrators who have intentionally deployed and maintained obsolete operating systems without sufficient hardening against high-threat-level attacks.  E.g. running XP, which is THREE YEARS out of security patches, in an enterprise environment is pure reckless stupidity - and the individuals who intentionally run it at home to this day because they don't like 7/8/10 are beyond saving.

According to Kaspersky Labs (https://mobile.twitter.com/craiu/status/865562842149392384), most WannaCry infections actually hit .... Windows 7. As in, 96% of them. The next runner-up was Windows Server 2008 R2. MS17-010, the vulnerability behind this, was patched there months ago, so it's not overreliance on XP that's the issue here, but a reluctance to apply updates when they are available.
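As an added example (not code from The E's post or anyone else in this thread), here is a PowerShell audit of the three conditions the discussion keeps coming back to on Windows 7 / Server 2008 R2: SMBv1 still enabled, the March 2017 MS17-010 package missing, and automatic updates switched off. It assumes KB4012212 and KB4012215 are the March 2017 security-only and monthly-rollup packages for that platform and that the registry locations are the standard Windows 7-era ones; the function names are mine.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt on
# Windows 7 / Server 2008 R2 (PowerShell 2.0 is enough). Reports exposure only;
# it changes nothing on the machine.
# Assumption: these are the March 2017 MS17-010 packages for Win7 / 2008 R2.
$ms17010Kbs = @('KB4012212', 'KB4012215')   # security-only, monthly rollup

function Test-Smb1Enabled {
    # Win7/2008R2 have no Get-SmbServerConfiguration; the documented switch is the
    # SMB1 DWORD under LanmanServer\Parameters. A missing value means SMBv1 is on.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $v) { return $true }
    return ([int]$v -ne 0)
}

function Test-Ms17010Hotfix {
    # Get-HotFix lists packages by their own KB only. A later monthly rollup that
    # supersedes the March one will not appear here, so treat $false as
    # "verify against Windows Update history", not as "definitely unpatched".
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty HotFixID
    foreach ($kb in $ms17010Kbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Test-AutoUpdateDisabled {
    # Policy NoAutoUpdate=1, or local AUOptions=1 ("never check for updates"),
    # both mean patching depends on someone remembering to do it by hand.
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $loc = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $noAuto = (Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue).NoAutoUpdate
    $auOpt  = (Get-ItemProperty -Path $loc -ErrorAction SilentlyContinue).AUOptions
    return (($noAuto -eq 1) -or ($auOpt -eq 1))
}

$os = (Get-WmiObject Win32_OperatingSystem).Caption
Write-Host "OS:                         $os"
Write-Host "SMBv1 server enabled:       $(Test-Smb1Enabled)"
Write-Host "MS17-010 March KB present:  $(Test-Ms17010Hotfix)"
Write-Host "Automatic updates disabled: $(Test-AutoUpdateDisabled)"
```

A machine that reports True / False / True on the last three lines is exactly the Windows 7 case in the Kaspersky numbers: exploitable service exposed, fix available for two months, nothing set up to install it.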
Title: Re: EternalBlue & WannaCry
Post by: jr2 on May 20, 2017, 05:00:31 am
Quote
Reflexively blaming people for not patching their systems is too easy and simplistic.  Plenty of fault lies with the NSA for developing the exploit software in the first place

While not understating the fact that the NSA discovered and sat on the vulnerability, that doesn't excuse the fact that they eventually revealed the exploit and the **** has only hit the fan with WannaCry in the days long after a patch was deployed.  So I think it's perfectly reasonable to blame individuals and systems administrators who have intentionally deployed and maintained obsolete operating systems without sufficient hardening against high-threat-level attacks.  E.g. running XP, which is THREE YEARS out of security patches, in an enterprise environment is pure reckless stupidity - and the individuals who intentionally run it at home to this day because they don't like 7/8/10 are beyond saving.

https://www.bleepingcomputer.com/news/security/over-98-percent-of-all-wannacry-victims-were-using-windows-7/

EDIT: ninja'd
Title: Re: EternalBlue & WannaCry
Post by: MP-Ryan on May 20, 2017, 10:49:47 am
I believe I covered the idiocy of turning off security updates in the OP too  :p
Title: Re: EternalBlue & WannaCry
Post by: Phantom Hoover on May 20, 2017, 12:39:13 pm
as far as security snafus go it's only a few shades behind installing firmware you found on random russian websites
Title: Re: EternalBlue & WannaCry
Post by: jr2 on May 23, 2017, 08:12:17 pm
I see what you did there, PH  :rolleyes:

Anyways, relevant:  https://www.schneier.com/blog/archives/2017/05/the_future_of_r.html#c6753132   (Apparently Windows 7 and its server equivalent were the only platforms targeted, despite the vulnerability being present on other platforms including Win XP, which would explain why Win 7 was the majority of infections - the graph is flawed, other OSes weren't targeted besides Server 2008 or whatever Win 7's server equiv is).