74 countries hit by NSA-powered WannaCrypt ransomware backdoor: Emergency fixes emitted by Microsoft for WinXP+ The WannaCrypt ransomware worm, aka WanaCrypt, WannaCry or Wcry, today exploded across 74 countries, infecting hospitals, businesses including Fedex, rail stations, universities, at least one national telco, and more organizations. In response, Microsoft has released emergency security patches to defend against the malware for …
one source suggests that it spreads by accessing port 445, potentially from the internet.
https://www.hackbusters.com/news/stories/1532486-player-3-has-entered-the-game-say-hello-to-wannacry
and an e-mail attachment payload would give it access to your LAN. yeah, not good.
Accessing Windows devices by file sharing ports (tcp/139 and tcp/445) has been a commonly used worm path for years (i.e. Sircam/Minda in 2001, more recently most cryptoware has targeted file shares) - don't open it to the Internet ever and block it outbound to the Internet to stop potentially infecting others.
Within networks where default firewall rules allow Windows file sharing, its a little harder to control (block windows file sharing between most PC's by default and centralise your file shares, ensure that central file shares have virus protection on write and security is limited to specified users/domain users to reduce the risk from "guest" devices).
Which leaves the e-mail side - most of these worms/virus infections are initially introduced via e-mail. On stand-alone PC's, ensure you have an adequate AV solution (i.e. scans temporary files and compressed files) and don't disable the default protections around executables. If you don't wish to manage AV, most of the big e-mail providers include pretty decent AV offerings as part of their service (i.e. all the big free email providers, EOP (was FOPE) for Office365 etc).
Finally, read some of the cases around organisations hit by worms/viruses that include details of entry and how the outbreak evolved. Most of the issues that caused an initial infection to become an outbreak come from relying on a single method of protection that was found to not be working correctly. A little "defense in depth" goes a long way in limiting/controlling the damage.
Oh...and assume that telling people to not open or click on "X" will result in at least 1% doing exactly that.
BTW People make a big thing about XP but this SMB stuff is in all versions of Windows.
Remember when MS claimed they'd spent $Bn training their devs to not write insecure code and totally re-written the code base to eliminate these flaws?
How do you know when you're dealing with a monopoly?
Simple. When s**t this serious still does not force CTO level management to think "Maybe I should think about running something else on the desktop?"
>>BTW People make a big thing about XP but this SMB stuff is in all versions of Windows.
Yes, and patched automatically in all supported versions before this happened. The reason people make a big deal about XP is because nobody should be using this 2001 OS in 2017. If you're running Windows 7 / 10 then unless you've somehow prevented it updating it's not vulnerable to this. You make it sound as if all versions are.
"Yes, and patched automatically in all supported versions before this happened. "
I would be surprised if MS is actually fixing bugs in SMBv1. Windows 7+ and Windows 2008+ support SMBv1, but default to SMBv2. So they don't use the protocol unless the remote forces them to downgrade. The 'fix' that has been around for a while is registry setting to turn off the SMBv1 protocol. Just like we did for SSLv3 (and now the lower TLS versions). Anyone who has done PCI scans has seen this working through the system for a while.
When s**t this serious still does not force CTO level management to think "Maybe I should think about running something else on the desktop?"
Just curious, what's the alternative?
...and don't say linux because we all know that's not going to happen.
Mac OS? Maybe, but that going to be a costly desktop refresh.
Still say more secure OS is costly, after the ransom demands? I'm surprised any "mission critical" [expensive to fix] ops aren't running a *nix OS instead of amateur hour MS.
My kids run Linux just for email & browsing - with only "user" privileges. Oh, and it's free. Where did I go wrong, not buying MS?
If they jumped to Mac Mini's , which are the cheapest Mac , it might actually be cheaper in the long run, as Apple dont charge for MacOS unlike Microsoft who do for Windows which for something the size of the NHS must be an eye watering bill for MS Licences. No doubt they have software that is Windows only though.
I am sure last time i went to my local NHS they were running Linux on the consultants PC, as the interface did not look like the usual Windows controls.
Patching Windows in the NHS must be a right pain, they dont go home at 5pm , they run 24/7 in hospitals so rebooting clients at anytime will be painful.
>Just curious, what's the alternative?
>...and don't say linux because we all know that's not going to happen.
Linux.
Are you one of those people who says shit in meetings like "well it would be nice to do stuff that way, but that's not the way we do it".
So what you are saying is, tell me the answer but I'm going to disregard the answer if it is the one I don't want you to give, yet think would actually solve the problem.
"Remember when MS claimed they'd spent $Bn training their devs to not write insecure code and totally re-written the code base to eliminate these flaws?"
Never claimed to have rewritten the codebase. Everyone was made to own, and responsible for reviewing, part of the old crufty code, some of which was years old. So someone's name it on this. But these 16/32/64 confusions, and (especially) the byte/char confusion when moving from the ASCII to the Unicode days, are incredibly difficult to spot. During the NIMDA (I think) attack, their security bods posted the offending code and even then most people couldn't see it until it was explained.
"On stand-alone PC's, ensure you have an adequate AV solution"
The problem with this is that the signature for any new malware won't be available until the target has been released, infected systems and been reported. When something spreads as fast as this has done that will be much too late.
"On stand-alone PC's, ensure you have an adequate AV solution"
The problem with this is that the signature for any new malware won't be available until the target has been released
and this:
http://www.theregister.co.uk/2017/05/09/microsoft_windows_defender_security_hole/
where having "Defender" running to scan things is likely to create MORE problems than it solves...
This post has been deleted by its author
This post has been deleted by its author
>>Or they're simply wary of being "upgraded" to Windows 10 with the next automatic update, that curiously lacks a "No, I don't want to upgrade" button - and interprets the closure of the popup as "Yes, please upgrade me to Windows 10", even in violation of previous documented configuration policies that expressed a customer's desire to stay with their current OS.
I see you've already been modded up twice for your reply to my post. But we are talking Enterprise Windows licences here. You have control over updates in Enterprise licences and they also don't suddenly randomly upgrade themselves to Windows 10, either. The rest of your many paragraphs all follow from not being aware that Enterprise Windows functions differently from Home and Professional licences. There is no excuse for being two months behind on updates marked Critical or for using Windows XP which is four versions out of date of the current. Neither have anything to do with home users being updated to Windows 10 making Sysadmins reluctant to apply updates. The idea is nonsense.
@h4m0ny: Neither have anything to do with home users being updated to Windows 10 making Sysadmins reluctant to apply updates. The idea is nonsense.
Exactly. Enterprise users have long had the ability to control updates. It's weird that some people prefer to ignore this fact.
In any event, it's trivial to add a registry key to prevent an upgrade, or prompt to upgrade, on all versions of Windows 7 or 8/8.1
For instance:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Gwx]
"DisableGwx"=dword:00000001
This post has been deleted by its author
"What isn't being discussed is WHY so many people are not enabling automatic updates"
Well in my case Automatic Updates were enabled on boot of my Win 7 Home Ed. laptop, but WU did nothing but spin taking up 51% of the cpu for about a year. Any time I needed to do real work I was forced to shut down the service. WU started "working" a few weeks ago when the massive Windows 10 update was rolled out.
I just built a new Win 7 pro machine, finally managed to get the "Security Rollup" update to install after MUCH fucking about and once again I am looking at a 51% WU cpu usage for no actual gain.
So, for me (and I suspect a nation or 74 of others) the simple fact is Windows Update has become unresponsive through no fault of the user.
I will await the shirtstorm of victim blaming coming my way.
"Say what you will about newer versions of Windows automatically installing updates, but it's functionality that exists for a reason."
Which would all be well and good, if the damn morons in charge of making corporate policy didn't hijack the security update process with marketing. I don't allow automatic updates because I don't want to deal with upgrade nag-ware or compatibility scanners digging through every file on my system for an 'upgrade' I haven't determined I even want. Automatic updates have to come from a TRUSTED source.
Damn right. Microsoft is not a trusted update source. A lot of their updates contain adverts, or simply switch defaults back to unreliable settings.
Now that they've released a patch for XP, does this mean that people will relax and think "it's ok, microsoft IS keeping XP updated after all"? Will complacency set in?
"Say what you will about newer versions of Windows automatically installing updates, but it's functionality that exists for a reason."
And the list of places infected in this current outbreak can safely assume that every patch issued by MS is safe and won't break anything? Or maybe they test patches before deploying them so as not to break crucial applications.
That's not a correction. A patch for this was issued in March. If you are two months behind on your patches that would be a problem for GNU/Linux systems as well. Or do you leave your systems unpatched for that long as well? If so, you're not fit for a job as a sysadmin.
The greater problem here is agencies such as the NSA instructing companies to leave vulnerabilities available such as in the case of the Intel AMT bug which according to Semi-Accurate was almost certainly left in by request. What we're really seeing here is a highly visible example of why we shouldn't be allowing the government to mandate backdoors into systems such as Theresa May and Amber "we must know the necessary hashtags to combat terrorism" Rudd want us to create.
Seriously - an unpatched OS is a security risk. Using an OS written sixteen years ago and STILL refusing to upgrade it - that's on Jeremy Hunt and his ilk. Don't try to deflect the blame elsewhere.
Are we sure that the Reg is correct about Jeremy Hunt cancelling WIndows XP Extended Support in 2015? According to this article in 2014 it would have only lasted a single year anyway.
https://www.theguardian.com/technology/2014/apr/07/uk-government-microsoft-windows-xp-public-sector
Having said that, if they continue to run XP after all patch support has well and truly gone, then yes they are asking for it.
This post has been deleted by its author
The point is that despite bad / stupid behaviour on the part of users the root of the problem is companies like M$ (and so many others - watch for the flash!) that despite enormous resources produce flawed software consistently. And in M$ case the update mechanism has been odd for years - how is granny supposed to deal with this?
Go back a little and try to remember how the world and dog crucified the Heartbleed fellow - be fair and go after M$ in the same fashion now.
"Using an OS written sixteen years ago and STILL refusing to upgrade it"
Presumably it's running on some hardware that can't handle later OSs, and has some software that only runs under XP (typically drivers). Why MS can't support it at a reasonable cost is beyond me. One could easily build a large team around supporting XP for the amount of money available, but MS takes the extortionate XP support money and obviously spends it elsewhere. Greed and stupidity in the long run (MS's fading reputation).
Not only is using Windows a known risk (and not only technical, but also legal as the friendly Microsoft Auditor drops by), it is also often *completely* unnecessary.
And in scenarios where machinery is embedded, not updated often, mobile, or runs special software it is also reckless.
Let me correct you.
Using a computer is a KNOWN risk (do not even think of trying to tell me Linux is 100% secure - would only prove your own incompetence)
Using an OS where the manufacturer has stated "No more patches" is more of a risk than using an OS where the OS says "Patches available ASAP". Anyone choosing to use an unsupported OS should accept the responsibility of doing so.Thats was my point. (Why did you have to drop to the daft level of slagging of Windows?)
FTFY
Laughing right now at the "experts" that still continue to spread myths like it was so that it was NHS using xp that caused this. This is totally untrue.
A) it affects all versions of Windows right upto windows 10
B) the myth the NHS runs so came from a report that said 90% of NHS computers rum xp. Drill into details and it actually meant that out of the trust's that responded to the freedom of information act, 90% of the trust's had 1 or more computers running xp. That could just be 9 xp computers. My experience iless than 1% are running xp and 100% of these are not on the network. Anyone trotting gout the 90% figure is a clickbait joker.
"Simple."
The word you're looking for is "simplistic".
As has already been pointed out all unpatched versions of Windows are vulnerable. Patching itself introduces risks - patches have been known to break things and now that MS are rolling multiple patches together those risks are increased. So patching also involves testing and testing takes time.
The specific risk for XP is that it doesn't get patches. But, again, the issues with XP aren't simple. In many cases it will have been retained because something mission-critical depends on it and replacing whatever that is may require major expenditure and further risks. If your MRI scanner, for instance, relies on a no-longer maintained piece of XP-only software do you simply put your hand in your pocket for a few million to replace it, commission a rewrite and take the risk that it may fail in some respect to emulate the existing product or do you keep using XP?
These sorts of issues are not easily solved. Of course they only exist in the real world so please feel free to keep helping with your advice.
If your MRI scanner, for instance, relies on a no-longer maintained piece of XP-only software do you simply put your hand in your pocket for a few million to replace it, commission a rewrite and take the risk that it may fail in some respect to emulate the existing product or do you keep using XP?
And there you have hit the nail solidly on the head.
In the real world MS did a wonderful PR selling job to get people to use their OS which was inferior to OS/2 at the time and quite a lot of industrial equipment control systems were converted from OS/2 to XP. In my book that makes MS responsible to keep their OS 'safe' as long as said equipment is kept in use or pay the full cost of upgrading the equipment to allow it to use their newer OS.
@Ivan 4: "In my book that makes MS responsible to keep their OS 'safe' as long as said equipment is kept in use or pay the full cost of upgrading the equipment to allow it to use their newer OS."
Sorry, I don't follow your logic. Should my local supermarket restock my fridge every week once I run out of food? Or should a car manufacturer replace your clapped-out 13-year-old car with a new one?
Can you explain to me, with consideration for any contractual terms one might agree to in the EULA, how that proposal would work?
The hypothetical MRI scanner spoken of earlier wouldn't be built by Microsoft, but rather GE or Siemens or whoever, and would normally be covered by some type of service contract which MS would not be a party to. But lets not allow that to get in the way of your hysteria.
"Can you explain to me, with consideration for any contractual terms one might agree to in the EULA, how that proposal would work?"
It transpires that MS were very quickly able to knock out a patch for this vulnerability. They must finally have realised that they had responsibilities. So they question arises - was this EoLed because it wasn't feasible to continue maintenance or because they wanted to herd those who could be herded into upgrading?
I agree, to a point, but people are going to want to set the blame path, and it lies with the manufacturer of the MRI machine, or CT scanner, or whatever, and then quite clearly to me, with Microsoft. They put together a piece of equipment with potential vulnerabilities. Did the hospitals' risk assessments say "The MRI scanner is running code written by Microsoft which will probably have security holes revealed one day so it should be replaced within 5 years. Maybe 6. Maybe 4. Maybe 10."?
The problem is that software "goes bad" - because the world around it changes. And to my mind at least, the problem is that a home operating system like XP, or 7 or 8 or even 10 is NOT suitable for life-critical systems like CT scanners etc. It's a question of using the right tool for the job. Windows computers cost peanuts compared to medical equipment, and people want the latest features, so something like Windows XP was ideal. It more or less did the job, it was flexible, and by the time it was unsupported by Microsoft, many of the machines were at end of life anyway. It was a simple matter to replace the computer with a new one running Windows 10 or whatever. In 15 years' time, Windows 10 will be obsolete, and those computers will definitely need to be replaced. But medical equipment costs a LOT more, and should therefore last longer. It's no use building a piece of hardware that'll last 25 years if the software goes out of date and can no longer be updated in 5 or 10 years.
The point I'm trying to make is that systems like that need a different OS to run under. One that is really locked down, much less flexible and therefore MUCH more secure. In other words an OS that will still be usable in 25 years. Our problem is that Microsoft thinks their OS is suitable for everything, when it quite plainly is not. And people think that progress can be made by sticking to what they use at home and in the office.
Seriously, the hospitals need to do a proper risk assessment, one involving keeping equipment going for more than a few years. Maybe this will be a wakeup call to persuade the manufacturers of machinery needing embedded systems to rethink their OS choice.
Would you fly on a plane where the systems were all running Windows?
"Can you explain to me, with consideration for any contractual terms one might agree to in the EULA, how that proposal would work?"
Well, it's was clearly a fault in the product at the point of purchase and in most civilised jurisdictions that trumps the EULA, especially when the manufacturer has a long term process in place for issuing fixes.
Sorry, OS/2 could have been a competitor to Win 3.1, 95 and NT in 1994-1995 (when I was using it), but by the time XP/2003 came in early 2000, it had already lost. One issue was also the availability of development tools, it was far easier and quicker to develop GUI applications under Windows with one of the RAD tools available, than using one of the few C/C++ compiler under OS/2.
Also, remember that SMB is an IBM-born protocol, not a Microsoft one... <G>.
"it was far easier and quicker to develop GUI applications under Windows with one of the RAD tools available, than using one of the few C/C++ compiler under OS/2."
So what. Development tools are for developers. Why does the deployment environment have to be identical with the development environment, when the deployment environment is (in many cases) subject to radically different constraints? "Cost" is demonstrably no longer a valid answer.
Look who's paying the price now for the stupidity of the "one size fits all" culture. Not the IT department, not MS and their dependents, but the rest of us., who just want to see systems that are delivered on time, to budget, and work reliably.
"If your MRI scanner, for instance, relies on a no-longer maintained piece of XP-only software do you simply put your hand in your pocket for a few million to replace it, commission a rewrite and take the risk that it may fail in some respect to emulate the existing product or do you keep using XP?"
I'm bored with this BS.
How much do you think an MRI scanner costs vs the cost of a replacement computer and replacement software, when amortised across a countrywide fleet of MRI scanners.
What if such systems had been based on open standards for device control, document interchange, etc? NB open standards .ne. open source so no religious arguments please. The replacement of any component subsystem could have been a near-transparent upgrade. In fact, do the relevant open standards already exist for healthcare imaging? HL7? DICOM? Etc. It's a long time since I looked.
Separately, judging by the number of Scanning as a Service HGV trailers I see parked outside hospitals and elsewhere, many organisations have outsourced imaging services of that nature to commercial 3rd party organisations, so the 3rd parties (not the trusts) would be the ones doing the necessary upgrade work. Joe Public would still pay in the end.
"These sorts of issues are not easily solved. Of course they only exist in the real world so please feel free to keep helping with your advice."
O'Really? I think a far more common situation is that the issue is *already* solved technically (open standards or whatever) but vested interests don't want to go that way, for whatever reason.
Well I used to write software for NMR and MRI scanners and it really isn't that easy with legacy kits.
Bear in mind that superconducting magnets have a lifespan of 10's of years and the RF kit is usually built to last forever. So you may well have something that works pretty well and does a very good job and would cost fortunes to replace. Also fold in the fact that one of the major historical manufactures no longer exists and things really are not that simple.
The biggest problem with an NMR/MRI setup is timing. The send receive has to operate with a degree of thiming precision in the MHz range - the less precise the timing is the greater the phase shifts and if these get too bad they are not correctible.
Timing is therefore usually handled by a single quasi autonomous card that is programmed in a unique language to trigger sequences of events. It will trigger the pulse generator, amplifier and receiver gating (if you don't gate the receiver you blast the highly sensitive circuit with 500W or so of RF and saturate the ADC. Again this is highly precise, if the gating/ungating is too slow precious sensitivity is lost.
The quasi autonomous card and the various other odds and end including frequency generator are fed their activity lists usually by an old school RISC card that is not doing anything else as you cannot afford to have multi tasking as this messes up the timing.
The old school RISC card then sends the data by ethernet to the PC (used to be SGI or SUN up tlll about 2000) which is where the issue actually is.
It really is not easy to get all these different computers talking to each other in a time critical environment. Many hours are spent in development puzzling over multi channel oscilloscopes as to why apparently correct commands and sequences of events are not replicated properly. It will have taken 10 PhD level scientists to get things to work properly and debug them over a period of a year plus.
I'm afraid plugging a new PC into the front of the things and praying won't work I mean really won't work and you could end up with some very expensive bricked hardware.
I'm afraid plugging a new PC into the front of the things and praying won't work I mean really won't work and you could end up with some very expensive bricked hardware.
Sorry, I have only one upvote to give.
I've been around at Philips Medical Systems in Best when they were building the first generation of these beasts, controlled by a VAX11/750 with a custom floating-point unit bolted on. Even though there usually were at least half a dozen units being assembled and tested, this was clearly not serial production. Of course there are dedicated test rigs for the various modules and sub-assemblies that can indicate that bit working right or needing adjustment, but when you see one unit looking like the exploded view that must be in one of several binders on a nearby desk, with several high-speed scopes and pulse generators and logic analysers hooked up, it's clear that you're not dealing with "connect blue wire to terminal D3" type assembly. Subsequent generations would probably have gotten more built-in calibration routines and diagnostics, but that doesn't take away the complexity of the underlying physics, which the electronics have to deal with one way or the other.
This post has been deleted by its author
I hope that most of us appreciate that many industries are stuck with legacy OSes, that's not unexpected. However the execution appears to be horrific. Your example of the MRI, if the machine is required to run in a fixed state then air gap it. Use portable media to copy data from it. If the controller is so time dependent, then you really don't want some SysAdmin running nmap on the network to bog down the controlling PC has it handles a network scan.
It's nowhere near the same level, but I have a CNC router. The G-code controller is also pretty time dependent (nothing like MHz, but...), so that machine is air gapped so it doesn't chose a bad time to start updating itself and destroy what I'm working on. Quite often setting up the job takes longer than the cutting time?
It's a pain, but what is better - losing your MRI for days on end (or if you say bricking is possible, longer) or having to copy data to removable media.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
