Ransomware scum have already unleashed kill-switch-free WannaCrypt variant Miscreants have launched a ransomware worm variant that abuses the same vulnerability as the infamous WannaCrypt malware. Danish firm Heimdal Security warned on Sunday that the new Uiwix strain doesn't include a kill-switch domain, like the one that proved instrumental in minimising the harm caused by WannaCrypt last week, …
If back doors ever become a reality and the key is ever stolen (it will be), there will be no need for "ransomware". The crims will simply help themselves to your bank account or whatever else they want. You won't have to open a dodgy email or click a bad link. Best yet it won't matter what OS you use. And then, goat farming in the hills begins to look attractive.
The present"back door" would be through compromise of Apple's (or Microsoft's) code signing key(s) or use of the keys to sign bogus software. Is there really reason to suppose that their security protections are fundamentally superior to those at the NSA? Would they not be subject in a similar way to vulnerability from disloyal or planted employees or accidents that expose them in environments less protected than planned.
Don't blame the NSA - anyone could have discovered this issue and weaponized it. Certainly the NSA should have reported it to Microsoft but they apparently didn't ... who knows.
The real issue here is that Microsoft stopped has patching XP and Vista systems in an attempt to force users to upgrade - that's where the real money is in these vulnerabilities. So who's going to make out like a bandit from WannaCry et al? Expect Microsoft Win 10 share to increase over the next few months - they are the real winners here.
Yes. If they're selling their operating system to clients for use in everything from medical equipment to warships and that equipment has an expected lifetime of decades, then the operating system should be supported for that lifetime.
Microsoft have made billions upon billions from the taxpayers. Supporting the stuff they have sold isn't much to ask. No-one is asking for new features or upgrades, only critical security updates.
Debian derivatives are used in dozens of pieces of equipment around my office -- when there is a flaw who is the one responsible for getting all of the that equipment updated? Should Public Interest be blamed for a unpatched hole in a 10 year old router and expected to fix it -- even when newer versions that fixed the flaw have already been shipped? Of course not.
So why should Microsoft be blamed for the same situation? They sold operating system, but they aren't the one putting it in medical equipment. That was done by the manufacturer of the equipment, which, by the way, as an OEM assumed all ongoing support. The end-of-life date on the OS was well known before it was installed. It is the equipment manufacturer that screwed you over, not Microsoft.
The systems integrator that put Windows on Warships is the one who made the claim of fitness for purpose, not Microsoft. THEY are the one who should be held accountable. If that integrator needs to go back and pay Microsoft for ongoing support that's their problem -- they made the choice to integrate Microsoft and they have the live with the results of their decisions.
Don Bly, The Ian bloke from the name Deb-Ian died. Apparently committed suicide. That's how spooks die. Don't be so sure they don't have a backdoor into Linux. The FreeBSD people think Linux is not hardcore enough which is why it's not very popular. If you want cool things in Linux it's going to have backdoors.
Sure, I'm blaming them - I know that the way of the world here is that when you buy stuff these days it's actually supported for a year or so ... and then it's junk?
The next time you take a journey, check the age of the aircraft, train, car, bike etc. - if it's 13 years old then maybe it will crash and the manufacturer will tell you that it's your fault?
The fact is that Microsoft actually had a fix for this vulnerability but they were only releasing it if you had a continuing support contract - sure, Windows isn't very secure but why? Because it's not built for security, it's built to be cheap and disposable.
It's designed to be required to be replaced because that's where the money is - and this applies to whatever ever of Windows you are running today - it's going to be vulnerable tomorrow.
Implying that Windows (H)8, and Windows X are better than an unmaintained Windows XP SP3 Installation. Which can still do it's job. Probably better than those other Two numbskull OSs. Assuming Microsoft were kind enough to continue supporting it. But, alas that way only madness lay. As XP does not contain Tracker's, and (Cr)App Stores to take your Moneyz.
Last night on BBC Radio 4 news I head that the NHS IT organisation warned trusts of the risks if they did not deploy the patch to protect them against this very thing; they were arned, but why the hell are people still opening attachments and clicking on links? My mother made this mistake once, in 1998, and has not done so since. If someone of her age can be immune so can NHS staff.
When said OS is used with systems that cannot be upgraded, yes.
(because it would make expensive hardware unusable.)
But also the people who made and OKed the decision to purchase such unsuitable systems should be held to account.
Why would anyone buy a jack of all trades system, with a life of a decade or so to run expensive equipment meant to last thirty years with a specific requirement?
"Why would anyone buy a jack of all trades system, with a life of a decade or so to run expensive equipment meant to last thirty years with a specific requirement?"No alternative. Hospitals use hundreds of devices "monitoring equipment, alarms, compounders, radiology, things of those nature" that were designed to specifically run with XP. There are zero or close to zero that run on other OSs. You can't purchase what doesn't exist.
In my experience with embedded systems there is nothing particularly fancy about the way the PC talks to the special hardware. There is nothing that says it can't be upgraded to say 32 bit Windows 7 or even rewritten for Linux. Much of the code is written in C or Delphi. It would take a bit of work but not impossible.
The problem is that like Microsoft the manufacturers have moved on. They are playing with their next big thing and have forgotten about that old stuff.
What is needed is a commitment from the manufacturers to either support the gear for 30 years or share the code and the schematics. Obviously a consideration would be required from the buyer, I don't see why they should do that for free.
The easiest thing would be to keep XP going and Microsoft will do that if you pay them. The next thing would be to fit each XP system with a hardware firewall. Don't expect XP to protect itself, put a packet sniffing firewall in between.
The easiest thing would be to keep XP going and Microsoft will do that if you pay them. The next thing would be to fit each XP system with a hardware firewall. Don't expect XP to protect itself, put a packet sniffing firewall in between.
Firstly, from the way MS behaved around the time of XP's EOL, it was clear they had zero intention of keeping XP going - MS wanted to make a break with the past, even if that break could hurt them commercially. Additionally, given the size of payments they received from user organisations, such as the UK government, for the extended support service MS reluctantly did offer, I suspect given MS were already committed to maintaining XP POS until 2019, it received sufficient monies to more than cover the costs of maintaining the XP support team for 10 years; extending XP's EOL to 2024; yet they haven't.
Secondly, how would a hardware packet sniffing firewall given any protection against WannaCrypt, given the initial infection vector was believed to have been a poisoned email attachment and if you were running SMB the relevant ports would be open.
"blaming a commercial company for not patching a 13 year"
I think blaming and criticising a company that sold you buggy vulnerable crap and refuses to fix bugs because someone else didn't find and advise them of them soon enough is entirely justified.
I have some compilers from a company with a policy that finding a bug in an obsolete unsupported version of the compiler entitles you to a free upgrade to a current supported version. That would be the policy of a decent company (which Microsoft clearly isn't). Of course Microsoft's current supported version being a piece of shit that no one wants would stymie such a policy.
Actually technically they haven't stopped. (Vista yes).
BUT THE PATCHING IS NEARLY IRRELEVANT!
Like most other spam borne "attacks" this would be totally mitigated by
1) User training and common sense.
2) Better configured systems.
XP use by NHS is a red herring.
Even if EVERYONE used Linux* and it was updated daily, it will NOT stop this until the USERs are better trained and use email properly.
[*Because all the spam based attacks would be aimed at Linux]
@Version 1.0:
If the NSA/GCHQ/etc. really want to read what's on your computer, they will. Don't kid yourself otherwise. This has been the case since you got that first 33.6 kbps dialup modem.
But they're unlikely to encrypt the contents and demand bitcoin from you. That's not their MO. Far too revealing, for one thing.
* Microsoft realised that the security in XP was grossly inadequate, so recruited crackers and other experienced security staff for a new OS, re-built for security, thus the poor 1st attempt in Vista, and the usable 2nd attempt in Windows 7.
* The version of SMB (Windows Networking) supported by XP has pathetic security, especially with increasing computer processing power, and I was shocked to see the pathetic default Samba client levels in Mint and no GUI to fix this easily!!!
* Microsoft provided ample advance warning of EOL for XP/2003, and only offered escalating cost post-EOL support as a _temporary_ stop-gap, because XP is not worth supporting for security reasons, so organisations have no excuses to still be using it, especially on the Internet!
* Yes, the NSA is criminal for making these immoral and unlawful cyber weapons, but crackers were already attacking the inadequately secured XP.
* The public leak of these cyber weapons at least makes most of the threats publicly known so that they can be combated en-mass now, including by Microsoft, rather than the much harder work to identify/combat hidden black hat criminal uses.
* Organisation and other users of XP, and suppliers of equipment requiring XP which have not already implemented/provided an upgrade to at least Window 7 are frankly negligent and should be humiliated/sued; they don't deserve any sympathy.
The Swift (inter-bank payments service) must also be heavily-pressured/humiliated/sued to get its act together, because it reportedly still requires the only slightly less dated Vista version of Windows to run their client software in banks, which is probably one reason why several Swift client banks have been virtually bank robbed! Swift should really be using a secure *BSD OS for this, let-alone any version of Windows!
Your Comment: "Yes, the NSA is criminal for making these immoral and unlawful cyber weapons..."
Unlawful? By what law, specifically? (NOTE: Title 10 and Title 50 authorities directly - and legally - trump certain US laws.) As an analogy - It's not "illegal" for a policeman to speed to catch up to a criminal. It's not "illegal" for the NSA to create tools to compromise computers.
You can argue all day as to whether it is illegal to DEPLOY tools, once created, against CERTAIN computers, but I don't think you have a leg to stand on calling the fact that NSA *creates* such a tool - if they even did create one themselves - in any way an illegal act.
Well in the UK, the police (and,bulance/fire tenders) can be prosecuted for their actions while speeding. It does not happen very often but not unknown. As to GCHQ, much of what they have done has been shown to be unlawful it is just that successive government have not pursued them (simply hangs legislation and given retrospective blessings.
"Don't blame the NSA - anyone could have discovered this issue and weaponized it. Certainly the NSA should have reported it to Microsoft but they apparently didn't ... who knows."
It's clear the NSA intended to not inform Microsoft at all as this was part or their arsenal, a secret tool on their version of a Bat Belt. We must blame the NSA as they developed it, hoarded it and then lost control of it when it got out. This should be an example of how such organisations should not be using such methods.
The only way Microsoft knew about this and patched this was because the NSA lost control of the code to ShadowBrokers who then reported it to Microsoft giving them enough time to roll out a patch before a public release.
As you correctly say, anyone could have developed code that exploits the flaw. But who detected that flaw first? So who should have the social responsibility to improve the "cyber" defense of at least their own nation by disclosing such a flaw?
The NSA found it. Kept it secret, then lost the code due to real humans making mistakes or breaking in who discover a pot of "hacker gold" runnable and mature from the fist double click.
For this very reason Apple, correctly, refused to create a version of iOS that could be installed on an iphone to weaken the pin entry screen to allow the FBI entry. Apple knew they could not simply trust that this hacked version of iOS could be kept under control.
Microsoft became aware of the particular vulnerability soon enough to develop and issue a remedial patch for the vulnerability more than five weeks before its first reported use in malware. The notion that ShadowBrokers reported the vulnerabilty to them is much less plausible than the more common presumption that the NSA did so. The patch was marked "critical" and that should have informed anyone paying attention of the need for prompt action. US DoD rules require deployment of these items within 10 days of availability, and while they do not always meet that, those who do not have to report often and in detail on the deployment until it is complete.
The firmware the FBI wanted from apple, contrary to repeated claims, was not installable on "an iphone" in the general sense. The order required it to be specific to the iPhone described in detail in the court order and required that it not be usable for other iPhones. That is something that Apple certainly could have ensured since the code would need to be signed by them. Apple certainly would have been ordered to provide similar firmware in other cases. However, if the cryptographic implementation was secure and Apple continued to control the signing process, release of any or all copies of such firmware would not have been able to compromise untargeted iPhones.
You could look at an event such as that of the last few days as the Internet's version of a wildfire. In the short run some damage is done but in the long run the fire's job is to clear out dead wood and enable the regrowth of a stronger, healthier ecosystem. Short term pain for long term gain.
Not really.
"We've installed the MS security patch, we've restored from back-up. Everything's OK now".
Papworth NHS Trust has had something like 16 of these ransomware attacks in the last 12 months, and hasn't done anything. It is going to take a lot more than this to change management attitudes.
No, because very few organisations and users will learn the real lessons.
Patching and AV inevitably often is bolting the stable door after horses gone for the first hit. Yet proper user training and proper IT configuration mitigates against almost all zero day exploits. I struggle to think of any since 1991.
Firewalls, routers, internal email servers (block anything doubtful), all superfluous services and applications removed, no adhoc sharing. users not administrators, and PROPER training of users.
In the short run some damage is done but in the long run the fire's job is to clear out dead wood
I wish! The idiots who think it's fine to run XP are paid ten times more than me and they'll still be in the same role this time next year. They'll be no getting rid of dead wood, just more winging it and forcing underpaid Techies to work more weekends after more screw ups.
> someone in Nigeria has been hit
Yes, my uncle. A Nigerian Prince desperately trying to get his money out of the country. With his computer out he is now looking for an honest soul who can help him for a 10% cut of the funds. Due to the nature of his finances the money can only be moved to a credit card account. If someone would be so kind as to send him theirs...
Its surely incredible that a lone pizza stuffed actor could get immediate access to the worm and spend a night before he spotted the 'call home' vector? Is that really that hard? And beat the best resourced detection agencies worldwide?
Surely every IT detective agency including GCHQ would have sandboxed it on first sight, thrown their best at it if only to beat their friends across the pond, to save Jeremy Hunt & Mother Theresa's bacon just ahead of a new funding opportunity (aka new government).
It all smells not only of pizza but planted news. And if it is genuine what on earth are we paying this organisation and every anti-virus firm for?
Not that surprising, I've been deleting WannaCry and it's ilk from the mail-server quarantine forever and in my younger days (at his age) all we had to disassemble were things like CP/M, BDS C, and Wordstar ... and I did it for fun. He sounds genuine to me - I can see myself in his shoes at that age.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
