SMB -- Ugh
How long have the warnings been coming, more than a decade? When ya gonna learn? The low hanging fruit in your walled garden are up for grabs.
Miscreants have developed the first strain of ransomware worm capable of infecting legacy systems, such as Windows XP and 2003. The infamous WannaCry outbreak, which severely affected the UK's NHS, showed just how much damage ransomware can do.
I think it's less a case of "when ya gonna learn" and more a case of "when are your managers going to allocate the funds to get you out of that hellhole" - and the answer to some cases is replacing a MRI machine that cost millions with another one that costs millions.
I've got a hunch those bastards that made the nasty are going to make WannaCry look like a walk in the park.
I think it's less a case of "when ya gonna learn" and more a case of "when are your managers going to allocate the funds to get you out of that hellhole" - and the answer to some cases is replacing a MRI machine that cost millions with another one that costs millions.
No one said they have to replace them. Also no one said it was a good idea to connect those mission critical machines to the internet to watch po*n, while disregarding 'backups'. It is still a "when they gonna learn" case.
"Which part of "needs no internet connection" did you miss?"
I may have missed something here. Is the author implying that previous ransomware needed an internet connection to operate? If so, why?
Viruses in the old days managed just fine without an internet connection.
Also I think what that AC was getting at was that if you don't connect it to the internet, it won't get the malware in the first place. Not without a herculean effort from some idiot to download it and put it on a USB stick or something.
@DropBear, you're obviously getting it (voted up), but I thought I'd clarify my intended meaning for others. Air gapping is one of those things that has been done as an excuse, err..., a mitigation for garbage technology (i.e. "low hanging fruit"), but now that's just not enough.
Simply blocking ports 445, 137 and 138 using a firewall would help.
Help, maybe, but that should be done anyway for your network perimeter and doesn't do much good for local network use given what those ports are used for. Once this thing gets past the hard outer shell of a network, it will be able to feast on the soft parts unimpeded. As the implementation allows it to spread to air-gapped systems (per the article), I wouldn't think concentrating on perimeter security is going to do too much good.
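The point made in this reply, that an edge filter on 445/137/138 never sees workstation-to-workstation SMB, can be checked with a small policy model. The following is an added example, not code from the thread or from any product named in it; the addresses, rule sets and flows are constructed for illustration, and a first-match packet filter is assumed at each enforcement point.

```python
"""Model of where SMB-blocking firewall rules actually take effect.

Added example, not from the comment thread: addresses, rule sets and flows
below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List

# Ports named in the thread: SMB/CIFS over TCP 445 and NetBIOS over UDP 137/138
# (TCP 139 is the NetBIOS session port that SMB also uses on older hosts).
SMB_TCP = frozenset({139, 445})
SMB_UDP = frozenset({137, 138})

INTERNAL_NET = ip_network("10.0.0.0/8")  # constructed: the "walled garden"


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str     # source IP
    dst: str     # destination IP
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR the source must fall in
    dst: str               # CIDR the destination must fall in
    dports: frozenset = frozenset()  # empty means any destination port

    def matches(self, flow: Flow) -> bool:
        if self.proto not in ("any", flow.proto):
            return False
        if ip_address(flow.src) not in ip_network(self.src):
            return False
        if ip_address(flow.dst) not in ip_network(self.dst):
            return False
        return not self.dports or flow.dport in self.dports


def first_match(rules: Iterable[Rule], flow: Flow, default: str = "allow") -> str:
    """First-match evaluation, as most packet filters do; 'default' applies when nothing matches."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


def crosses_perimeter(flow: Flow) -> bool:
    """A perimeter firewall only ever sees traffic entering or leaving the internal net."""
    return (ip_address(flow.src) in INTERNAL_NET) != (ip_address(flow.dst) in INTERNAL_NET)


def verdict(flow: Flow, perimeter: List[Rule], host: List[Rule]) -> str:
    """Combine the two enforcement points: perimeter rules can only drop flows that
    actually traverse the perimeter; the destination host's own filter sees everything."""
    if crosses_perimeter(flow) and first_match(perimeter, flow) == "deny":
        return "deny"
    return first_match(host, flow)


# Constructed policy 1: block SMB/NetBIOS at the edge only (the suggestion in the thread).
PERIMETER_BLOCK_SMB = [
    Rule("deny", "tcp", "0.0.0.0/0", "10.0.0.0/8", SMB_TCP),
    Rule("deny", "udp", "0.0.0.0/0", "10.0.0.0/8", SMB_UDP),
]

# Constructed policy 2: host-based filter that only lets the file server talk SMB to us.
FILE_SERVER = "10.0.5.10"
HOST_ALLOW_FILE_SERVER_ONLY = [
    Rule("allow", "tcp", FILE_SERVER + "/32", "0.0.0.0/0", SMB_TCP),
    Rule("deny", "tcp", "0.0.0.0/0", "0.0.0.0/0", SMB_TCP),
    Rule("deny", "udp", "0.0.0.0/0", "0.0.0.0/0", SMB_UDP),
]

# Constructed flows: one from the internet, one lateral from a neighbouring workstation,
# one from the file server, all aimed at TCP 445 on workstation 10.1.2.3.
INBOUND_FROM_INTERNET = Flow("tcp", "203.0.113.5", "10.1.2.3", 445)
LATERAL_FROM_PEER = Flow("tcp", "10.1.2.7", "10.1.2.3", 445)
FROM_FILE_SERVER = Flow("tcp", FILE_SERVER, "10.1.2.3", 445)


def audit(flows: Iterable[Flow], perimeter: List[Rule], host: List[Rule]) -> dict:
    """Map each flow to its verdict under the given pair of rule sets."""
    return {flow: verdict(flow, perimeter, host) for flow in flows}


if __name__ == "__main__":
    flows = [INBOUND_FROM_INTERNET, LATERAL_FROM_PEER, FROM_FILE_SERVER]
    print("perimeter only :", audit(flows, PERIMETER_BLOCK_SMB, []))
    print("plus host rules:", audit(flows, PERIMETER_BLOCK_SMB, HOST_ALLOW_FILE_SERVER_ONLY))
```

Run stand-alone, the first audit shows the internet-sourced flow dropped at the edge while the lateral one is allowed, because it never reaches the perimeter filter; only the second, host-based rule set denies the peer workstation while still letting the file server through.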
"Being able to spread without internet access and impacting legacy XP and 2003 systems suggests some older environments may end up at risk where there is poor security practice – e.g. no working antivirus software"
Poor security practice like running obsolete and unsupported operating systems, for example?
I think Microsoft should just be honest... if your system has XP anywhere on it, in any configuration, even as a VM, the rest of the network's security is pointless and cannot be guaranteed. Give it up, stop developing, testing and shipping software for it, let it on the kerb.
Until you do that, people will just keep running it forever and think that just because there's some ancient version of Sophos on it that it's somehow magically "secure" now.
"I think Microsoft should just be honest... if your system has XP anywhere on it, in any configuration, even as a VM, the rest of the network's security is pointless and cannot be guaranteed"
That wouldn't be honest, though (except insofar as any network's security can never be guaranteed regardless).
It is entirely possible to run an old, insecure operating system on a machine in such a way that the rest of the network is protected. It takes a bit of work and know-how, but it's certainly doable.
It is entirely possible to run an old, insecure operating system on a machine in such a way that the rest of the network is protected. It takes a bit of work and know-how, but it's certainly doable.
I remember being taught how to do this a long time ago.
1. Sever all cables as close to the device as possible. == Limit communication.
2. Embed it in concrete. == Limit unauthorised access
3. Drop into the Mariana Trench. == Remove future access
Simples!
I think Microsoft should just be honest... if your system has XP anywhere on it, in any configuration, even as a VM, the rest of the network's security is pointless and cannot be guaranteed.
I do believe that XP fits the "security by obscurity" model. In this case, outdated but still in use.
Usually. It definitely includes disabling, by force if necessary, wifi, bluetooth, and ethernet. However, depending on the use case, some airgapped systems may need USB or similar for reading or writing data. For example, a machine might include access to systems that analyze data securely. This can't be infected, but it does need to read data from somewhere. If there is too much data to enter manually, it might be brought in on a USB disk or optical disk, either of which could be infected. Security of airgapped machines is thus also very important.
" The nasty no longer needs a command-and-control server, meaning it can operate in air-gapped environments"
Big whoop. In the old days all malware did this. Why did previous versions need a server?
The thing's job is:
Poke around the network
Encrypt stuff
Display notice saying send $$ to bitcoin wallet.
Maybe also display long guid type string so the bad guys can provide working unique decrypt key.
So why did old versions need a server?
How long will it take to kill this thing? Last year (yes, it was 2017), a client reported some problems with some machines they had, complaining that they were running slowly. This company needed cheap machines whose entire purpose was to run a web application for some people who had to fill out some stuff. Nothing else. So what did they use? Raspberry Pis? Old Chromebooks? The recycled machines of any self-respecting business for the past five years? No. They used Dell tower machines from 2003, rocking a 2.53GHz Celeron and a wonderful 256MB RAM. They were right about them being slow, that's for sure.
Of course, when I recommended rather strongly that we get rid of them, my supervisor told me the policy was that any machine that could run Windows 7 would be supported. In the following conversation, my instinct to yell "Processor clock speeds don't work like that. I don't care that Windows 7 will run on a 1 GHz processor, a 2.53 GHz Celeron from 2003 is not fast enough" was tempered with difficulty. Eventually I was able to get them scrapped by resorting to the machines not having enough RAM. Still, you'd expect any IT company to know that already.
Anonymous because they did really stupid things at that company.
I was serving my country when XP was introduced. My workstation ran MS-DOS to manage our logistics, complete with transmitting data via a dial-up connection. For the really sensitive things, we had to physically transport the data on a 3.5 floppy. I was assigned to an air defense unit, and the missile system fixers were showing me their diagnostic kit. It was a hardened briefcase laptop thingie running Windows 3.1! Granted, that OS was only creeping up on 10yrs old at the time, but that was my first experience with people "sticking with what works."
I've supported more than a few machines like that as well. Here's one which was run by a small graphics company and print shop.
A RIP and controller box running proprietary software on Windows 3.1. The RIP software controlled an imagesetter for printing films for the printing industry. The PC hardware was an old EISA-based system with a 486 DX-50 and 512 MB of RAM, a 512MB hard disk, and a 3Com EtherLink card with a Thin-net connector.
On top of Windows 3.1 was Microsoft's network add-on, and on that was COPS-Talk. COPS-Talk, aka Cooperative Printing Solutions network software, provided the AppleTalk drivers to support the output device so the RIP could "publish" the printer as an Apple-compatible printer on the network as a Linotronic 330, although it really was an ECRM VR-30.
The VR-30 itself was connected to a proprietary SCSI card, which needed the EISA bus. Since I haven't seen this setup in about 6 years, I've forgotten what the SCSI spec was, but it was some powered SCSI line with the VR-30 being terminated internally.
I was, and am still today, amazed that this setup even worked. By the time all the software loaded, there was less than 720K of RAM left for any processing.
This hardware was bought new in 1992 and was still in operation as far as I know in 2012!
"How long will it take to kill this thing?"
When I worked in a hospital a while back, there was still a BBC-B in use in the records department (it held the filing system for the microfiche). People worrying that an OS and PCs from this millennium are still in use always make me smile. How long will it take to kill XP? Ask me again in 30 years.
Hey, smarty pants Register people - you never say what will happen if the XP machine has been kept updated with the POS hack.
Well, what about it? If updated, vulnerable to this mosquito?
And what about FoolishIT's CryptoPrevent? Does it work?
You're totally right, they should have written something like:
Systems should be updated to run MS17-010, a patch for Windows XP and Windows Server 2003
Oh wait, that's exactly what was written in the article.
As for CryptoPrevent, that appears to only be written to prevent CryptoLocker, so no, it's doubtful it will work. It certainly won't block the SMB vuln.
Most medical devices and systems are running highly customised versions of Windows for Embedded Systems 2009, which is not end of support until January
https://support.microsoft.com/en-gb/lifecycle/search?alpha=Windows%20Embedded%20Standard%202009
2009 is an uprated version of XPe with some of the Vista security features ported in, because MS couldn't be bothered to componentise Vista.
"It is entirely possible to run an old, insecure operating system on a machine in such a way that the rest of the network is protected. It takes a bit of work and know-how, but it's certainly doable."
Yes, doable. But it also leads to the assumption that "you only have to invest once to run any software system", which is the mother of all fuck-ups. Any automated system needs lots of funds during its lifetime to operate securely and according to the expectations of the (end) users.
Isolating the lack of proper funding will eventually leave you with a spaghetti of totally unmanageable systems and a total standstill in the changeability of the whole organisation. Because organisations change and the expectations change. For example, that stand-alone MRI scanner will one day be connected to the other systems, albeit for monitoring, input for patient files, etc, etc. Bye, bye air-gap.
> But also leading to the assumption that "you only have to invest once to run any software system" which is the mother of all fuck-ups.
I suspect the real cause of that style of thinking is Capex and Opex; with the move to subscriptions, costs are also moving from Capex to Opex, which will influence thinking.