Jaya Baloo, CISO of KPN, the Netherlands’ leading telecommunications provider, talks to Mike Mimoso about the WannaCry ransomware outbreak and how large network providers and enterprises must contend with advanced attacks. Baloo will be speaking at the upcoming Borderless Cyber USA conference in New York. Threatpost is a media partner of the event and readers now can use the code “Threat” to get $100 off the corporate registration fee. Download: Jaya_Baloo_on_WannaCry_and_Defending_Against_Advanced_Attacks.mp3 Music by Chris Gonsalves The post Jaya Baloo on WannaCry and Defending Against Advanced Attacks appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/jaya-baloo-on-wannacry-and-defending-against-advanced-attacks/
0 Comments
Antivirus software to protect corporate systems from malware is like a flu shot. You should have it, but it won’t likely protect you from every strain of the flu. “Antivirus is great for blocking known threats, but the issue has grown past viruses,” said Ryan O’Leary, vice president of the Threat Research Center at WhiteHat Security. “Malware and vulnerabilities in the network or application can lead to far greater compromise.” Worse yet, new threats are being crafted faster than traditional antivirus can keep up. “We as an industry need to recognize that defaulting to an antivirus and firewall mentality is leaving yourself wide open to compromise,” O’Leary said. “Companies need to take a more holistic approach to their security program and start looking at application, network and malware issues that could compromise their entire company.” The post For enterprise protection, antivirus software is no longer enough appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/for-enterprise-protection-antivirus-software-is-no-longer-enough/ Thanks to Kaspersky, we now know that 98% of the Windows machines infected by WannaCry/WannaCrypt were running Windows 7. Since, once it gets a foothold, the malware can infect an entire network, most of the attention was focused on LAN based attacks. My previous blog was about using the Windows firewall as a defensive measure. But any malware can spread in multiple ways so there is always a need for anti-malware software on Windows PCs. The May 12th blog post, Customer Guidance for WannaCrypt attacks, in which Microsoft announced the release of a bug fix for Windows XP, mentioned that
Problem is, the term “Windows Defender” has two meanings. When dealing with Windows 8.1 and 10, it refers a program that defends against all types of malicious software. When dealing with Windows 7, it refers to software that only protects against spyware. Microsoft offers Windows 7 users companion software, their Security Essentials, for dealing with other types of malware. So, when Microsoft touts Windows Defender as protecting against WannaCry/WannaCrypt, how does that apply to Windows 7 users? Not at all. ![]() Microsoft Security Essentials on Windows 7 Sources close to company tell me that Windows 7 users who want to be protected from WannaCry, need to install Microsoft Security Essentials. Or, of course, a third party anti-virus program. If you search for Microsoft Security Essentials with your favorite search engine, you may end up at this download page which forces you to chose between an amd64 version and an x86 version without explaining what the terms mean. You are far better off downloading it from this page, which offers multiple languages and clear choices between 32 and 64 bit. Considering recent events, a full scan with Security Essentials is probably called for. Expect it to take quite a while. ![]() Microsoft Security Essentials found a Medium level threat I had no experience with MSE on Windows 7, and the first time I ran a full scan with it, there was a false positive (above). I am a big fan of the free, portable software provided by Nir Sofer at nirsoft.net. One of his programs, Mailpassview, was detected by Security Essentials as a medium level threat. MSE is not the first anti-malware program to object to software from Mr. Sofer. With other programs, it was a trivial thing to whitelist the Nirsoft software. Not with Security Essentials. Not only was “Quarantine” the recommended action, it was the only action. Security Essentials wasn’t interested in my opinion at all. ![]() Security Essentials experienced an error during or after quarantining a EXE file Adding insult to injury, when I did quarantine the program, there was an 80508023 error (above). What does that mean? Use some other anti-malware software. FEEDBACK Get in touch with me privately by email at my full name at Gmail. Public comments can be directed to me on twitter at @defensivecomput The post Windows Defender does not defend Windows 7 against WannaCry appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/windows-defender-does-not-defend-windows-7-against-wannacry/
‘Know your enemy’ – understanding what to prepare for
While ransomware isn’t new, this once-simple criminal hacker tactic has morphed into a devastatingly effective weapon wielded by more advanced cyber-criminals — as seen with the recent Wannacry outbreack. These sophisticated attackers are highly motivated by the profitable nature of their efforts. Dan Larson, technical director at CrowdStrike, looks at the current state of ransomware, why organizations should take threats seriously and how to build a strong defense. ![]()
What’s at stake – compliance and reputation
Businesses now retain sensitive information that they are required by law to protect. If an organization falls victim to a ransomware attack that lets senstive data be stolen, they must inform customers and partners. Not only can that mean substantial fines if regulations are compromised, but customer trust is compromised. Costs can be significant. In addition to harming a company’s reputation, customer information is gone, intellectual property stolen, and the time needed to clean up the aftermath adds up. ![]()
Preparing for the worst
Ransomware has left many organizations scrambling to protect themselves against what’s coming or to prevent a repeat attack. Typically, ransomware finds its way in through an infected document or link; once a user clicks, a ransom note appears, demanding payment. By then, files have been encrypted, and backups deleted. The first step in fighting back is to enable any protections available in antivirus software. Some firms disconnect network drives to limit damage; others revisit backup plans to recover files. Others are even starting to purchase Bitcoin so that a ransom can be paid quickly, minimizing business disruption. But paying up only reinforces the actions of an attacker. Many report that, even after paying, they never get their files back. ![]()
Why preparation hasn’t solved the problem
Because ransomware has been so profitable, attackers seek out new variants that can circumvent traditional antivirus protection and avoid detection. Some ransomware developers are even offering ransomware-as-a-service. This increases the number of would-be attackers, which, in turn, increases the number of potential targets. ![]()
Paying the ransom – stuck between a rock and a hard place
If you’re reading a ransom note, you’re already in trouble. IT and security teams usually don’t have the key to decrypt files. In some cases, decryptors have been offered up by security experts, but they’re rare and shouldn’t be relied on. Having clean backups available is key, but ransomware has been known to wait patiently until backups have been restored and then resurface. ![]()
Ransomware’s evolving targets
Initially, it was enough for the attackers to focus on a single system or victim, looking to collect a few hundred dollars per hit. The next obvious targets were larger, reaching beyond files and file servers to web servers and other victims — demanding larger ransoms. Many strains of ransomware have adapted to search for connected network shares, putting an entire organization’s valuable information at risk. When security practitioners adapted, and removed network drives from systems, so did the ransomware. ![]()
Web servers in the cross hairs
Web servers have become a popular target, encrypting web pages until the page owner (or those hosting the page) pay up. These attacks can cause huge disruptions in businesses. Recently, there was a widespread attack on poorly configured, vulnerable Mongo DB servers. In January, it was reported that between 27,000 and 33,000 Mongo DB servers had been attacked. Their data was being deleted unless a ransom of 0.2 to 1 Bitcoin was paid, an amount equal to approximately $200 to $1000. ![]()
Changing the attack surface
The attacks on Mongo DB and the use of CryptoFortress are good examples of attackers expanding the attack surface to accomplish their objectives. In the past, this type of data would have been stolen and sold on the dark web for pennies on the dollar. Hackers recognize that this data has more value to the owners than anyone on a secondary market — ransomware is a way to maximize profits. ![]()
Knives to a gun fight
Historically, once a threat has been discovered, a signature is written and an environment becomes protected from that threat. That protection worked because the file identifier or hash, seldom changed. But today a file hash is easily altered by adding, removing or slightly changing the underlying code; often, that’s all it takes to evade existing security controls. In addition to altering files, there’s even a file-less ransomware, where malicious code is either embedded in a native scripting language or written straight to memory using legitimate administrative tools such as PowerShell, without being written to disk. The combo of outdated protection techniques, an expanding attack surface and file-less malware leads to damaging attacks. ![]()
Catch them in the act
Modern endpoint protection tools employ new techniques like machine learning and behavioral analytics to stop ransomware. These techniques are necessary because legacy techniques – antivirus using signatures and file-reputation lookups – are failing. Instead of relying on traditional protections, newer techniques identify file attributes and unusual behavior associated with ransomware. These methods don’t rely on someone getting infected before a signature can be created. It also means that changing the attack vector from a file target to a database or web server — or using file-less ransomware — won’t matter. The post The ransomware epidemic: How to prep for a shakedown appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/the-ransomware-epidemic-how-to-prep-for-a-shakedown/ The relatively new Terror exploit kit is bucking the downward trend in the EK market, and is steadily evolving into more of a threat. Researchers at Cisco Talos said Terror has abandoned an early strategy that included “carpet-bombing” a target’s browser to one that now uses exploits that precisely target a victim’s particular browser configuration. It’s also equipped with anti-detection features. The kit is one of several new players that surfaced after the market consolidated last year, according to Cisco. “When Angler and friends disappeared, new EKs started to try their luck. Many of them were far from Angler’s quality. One of these was Terror EK,” wrote Holger Unterbrink and Emmanuel Tacheau, researchers at Cisco who posted their research Thursday. Over the past several months, researchers say they have seen a “fast evolution up to the latest version” of Terror. “We identified a potentially compromised legitimate website acting as a malware gate, redirecting visitors initially to a RIG exploit kit landing page, then switching to Terror exploit kit one day later,” they wrote. To Cisco, this is an indicator that criminals behind Angler, RIG and Terror are likely sharing resources or pirating the others’ means of distribution and attack tools. As to Terror’s biggest improvements, researchers said the exploit kit now has the capability to evaluate a victim’s user environment (operating system, patch level, browser version and installed plugins) and use only the most potentially successful exploits against the victim. This makes it harder for an investigator to fully uncover which exploits they have, Unterbrink and Tacheau wrote. Terror is also using cookie-based authentication in its attack chain. “This prevents anyone from downloading the exploits directly. Someone who did not follow the full attack chain may be a competitive cyber criminal who is trying to steal the exploits or a forensic investigator,” researchers wrote. The exploits Terror is using aren’t new, just new to Terror, said Nick Biasini in an interview with Threatpost. “In the past, Terror would send a wide array of exploits at the end system hoping that one would compromise the system. Today, Terror is more selective and leverages the information gained from the landing page to deliver exploits to which the system is potentially vulnerable,” Biasini said. The attack chain observed by Cisco begins with a compromised website that redirects the victim to the Terror landing page using an “HTTP 302 Moved Temporarily response.” The landing page is filled with random “Lorem Ipsum” text and also some obfuscated JavaScript code to evaluate the target’s browser environment and plugins in use such as ActiveX, Flash, PDF reader, Java, Silverlight and QuickTime, researchers wrote. “The POST request generated by this page is answered with an HTML page including a JavaScript and a VBScript. These scripts include the URL pointing to the CVEs they are going to exploit,” Unterbrink and Tacheau wrote. After assessing and exploiting a browser’s vulnerability, attackers then attempt to download the final malware. In one instance observed by Cisco, a JavaScript file exploited a use-after-free vulnerability in Microsoft Internet Explorer 6-10 vulnerability (CVE 2013-2551). “After exploitation, it generates another JScript file, writes it to disk and executes it via command line,” researchers explain. “This script downloads the encrypted binary stream from the EK website, decodes it, saves it to disk with a random name and finally executes it.” The executable used was a variant of the Terdot.A/Zloader malware downloader, Cisco said. Researchers say they have observed similar behavior while monitoring the Sundown exploit kit, which also drops the Zlaoader malware. “Terror EK is known for using exploits used by Sundown, so it seems to be they also use payloads from Sundown,” researcher said. The post Terror Exploit Kit Evolves Into Larger Threat appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/terror-exploit-kit-evolves-into-larger-threat/ Threat actors are moving beyond basic data theft and finding new ways to wreak havoc on users and organizations, such as data manipulation, according to Juniper Networks’ Kevin Walker. Walker, security chief technology and strategy officer at Juniper Networks Inc., based in Sunnyvale, Calif., said most cybercriminals are only scratching the surface of what can be done with sensitive enterprise and user data, but warned that some are becoming more creative and sophisticated with their attacks. And one such method Walker said he’s started to see is manipulating data in small, easy-to-miss, yet crucial instances for strategic or financial gain. Walker spoke with SearchSecurity at RSA Conference 2017 about a number of topics, from software-defined networking security to a new threat leveraging the internet of things (IoT). In part one of the conversation, Walker discussed Juniper’s Software-Defined Secure Network (SDSN) platform and the growing role of machine learning in security. In part two, he talked about today’s threat landscape and the risk of more mature ransomware and data manipulation attacks. For the audio version of the interview, listen to this episode of the Risk & Repeat podcast. Editor’s note: This interview has been edited for clarity and length. On the subject of threats, what are you seeing today, not just with SDSN, but the entire landscape? What is at the top of the priority list right now? Kevin Walker: That’s hard to say, because, again, I’m looking at it industrywide. Obviously, we’ve heard waves of ransomware are continuing to increase. They’re very, very difficult to prevent, but we’re getting better because the malware detection’s getting more deliberate for ransomware. So, that’s the one at the top of the list. But with ransomware, are you finding examples of where it’s spreading across an entire organization, or is it still very localized to a small set of users or individual users? Walker: No, it’s not spreading across entire companies, but this is the trick. It usually happens at the consumer level. But then, the consumer becomes an employee and brings it into the organization. And here’s the thing that I’m more concerned about: We’re starting to see more evidence of this now — not widespread, but more evidence of manipulation of data, rather than theft of data. We’re starting to see more of that now. And it’s one that’s serious because we trust in the bits. I’ll use this as an example because it’s one that knows this threat well: [secure payment vendor] Infintech. All I need to do is change a decimal — not even a decimal; I just need to change a digit. It’s simple as that. It doesn’t have to be a gross case of data manipulation where anyone will see it. In fact, it’s just the opposite. It’s often extraordinarily subtle. But I, as the attacker who knows that, I can make decisions based on that manipulated data and monetize it. That’s a scary proposition. Now, the other, more theoretical extreme is one where medical records are intentionally corrupted. Why? There are lots of reasons. It could be political, it could be espionage, or it could be for some type of later monetization where the attacker says, ‘I’ll undo it if you keep paying me.’ Those are things that scare me. And I’ve been saying this for probably 15 years publicly. That’s what scares me more about cybersecurity — not malware. It’s that kind of data manipulation, because we put an over-index on trust in some of our data without really validating that data. Recently, there’s been research about ransomware attacks sort of evolving into extortion attacks. Instead of encrypting and holding data hostage, the attackers threaten to expose the data and demand continuous payments to keep the data private. It’s not the same thing as data manipulation, but it’s a different approach. Walker: Let’s talk about that for a second. I don’t think ransomware, as an attack mechanism, has matured. If you are hit with ransomware, who knows where epoch was? In other words, when did I, the attacker, first have you? When you go back to your backup, it may also be equally infected. And so, we don’t know because you don’t know when that epoch was with the infection. It goes back to my original point of the integrity of the data to begin with. How do you know the data hasn’t been manipulated? The scary part of ransomware is when they get mature. Then, it becomes, ‘You’re [going to] pay me monthly to unlock you. Not once.’ If you think about it, they have a very great Opex [operating expense] model there if it’s done well. I think, at the end of the day, we have to take a planetwide view analogy a lot, because if I can see that in Jakarta, for example, a new variant of ransomware, now, I can just let my entire community know. Not with an alert, not with an update, not with an email — their ecosystem is automatically updated like antivirus software typically is. Then, I think we have a much better fighting chance. And we can also reduce the noise level, so we can actually hear the real hard problems, like the true APTs [advanced persistent threats] and the zero-days. But if you’re a large enterprise that’s a high-value target, you can’t get to all of them, can you? Walker: My position on that is to kind of bifurcate it. If there is an entity that is committed to getting to you, they are going get to you. They’re just going to. There are so many different avenues they can use. But that attack against that entity doesn’t scale [to other businesses]. That’s the good news. That’s something that we have to rely upon. If we can figure out enough variance or differences in our network, if you will, then it’s a benefit. But right now, we can’t do that for all the other noise. That’s the rationale in getting the noise down. And so we have more to work with, and it makes it easier to find emerging threats. What about the malicious activity we’re seeing with IoT devices? From your perspective as a networking company, how big of an issue is that? And what do you do about it? Walker: It’s interesting. I live in the South Bay [San Francisco]. I spent time with venture capitalists, as well as hedge funds, and I have friends in that community. And at least once every week or two, there’s a conversation next to me about some security IoT startup ideas. And I say, ‘Just shut up.’ Now, that’s me speaking, not Juniper. They’re missing the point. It’s an upstream problem. It’s a consumer SMB problem, which is massive, because that’s where all these [compromised] devices are. But to detect IoT malware is an inflow problem, in my perspective. And the other aspect is the C&Cs [command and control] could have been easily intercepted and dropped from the routing tables because we already have peer-reviewed tables. On that point, if you’re a service provider, and you see this surge of traffic coming in, which you should see, and it’s coming from strange IP addresses… Walker: Well, what’s strange? That’s the problem. If you’re an ISP [internet service provider], then all traffic is just in the mix. But I think you’re on to something. There’s no silver bullet here. That’s why I said I think it’s bifurcated, at least — maybe even four or five different ways. I think it still goes down to the payload. In this case, Dyn attack was partly attributed to Mirai, which, by the way, was well-known. It was extraordinarily well-known. So, it goes back to our SDSN stories. We’re saying, ‘If you see this [activity] in the wires, just drop it.’ There’s no positive reason for having Conficker or Mirai traffic. There’s no reason for having any of those on your network, unless you’re a research organization. And then it’s in a quarantine area anyway. Last question: Are you concerned about potential government intervention or regulation for IoT devices to prevent these sort of widespread threats? Walker: As far as the industry at large goes, it’s not so much concern as it is acceptance of the reality that there will probably be some legislative actions. Well, there are already legislative activities in play. And I don’t know where the needle is on that. But government regulation still won’t solve the problem. Strong passwords — and these are my final words — do not solve the problem, because they can be scraped anyway. The post Q&A: Juniper's Kevin Walker on data manipulation, ransomware threats appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/qs-kevin-walker-on-data-manipulation-ransomware-threats/ Tools are beginning to emerge that can be used to start the process of recovering files encrypted by WannaCry on some Windows systems. This takes on extra urgency because today marks one week from the initial outbreak, and files encrypted during that first wave are on the clock and close to being lost forever. Adrien Guinet, of Quarkslab, yesterday released a tool to the public called Wannakey that tries to recover one prime number from memory used to factor the RSA public key stored by the malware on the local drive. Once the public key is retrieved, it can be used to rebuild the private key and eventually, with a decryptor, recover encrypted files. Guinet said he had some luck once he’d recovered the private key to decrypt files from an infected XP machine using Benjamin Delpy’s WanaDecrypt tool. “I actually tried the Wanadecrypt tool. It works pretty well once you’ve got the private RSA key,” Guinet told Threatpost. It should be noted as well that these tools put victims on the road to recovering only from the WannaCry ransomware, and that the exploit used last week to spread the malware requires the MS17-010 patch from Microsoft. WannaCry may be spread by a number of different means aside from the EternalBlue NSA exploit, including phishing emails and exploit kits. Wannakey has some limitations to it given that it was only able work on Windows XP machines since the prime numbers are overwritten in memory on later versions of the Microsoft OS. Delpy overcame those limitations with his Wanakiwi tool that works on Windows XP and Windows 7 machines, with the implication being that it would work on all Windows versions including Windows Server 2003, Windows Vista, Windows 8 and Windows Server 8 R2, researcher Matt Suiche said. The available tools try to recover the prime numbers of WannaCry’s RSA private key, by searching for them in the wcry executable dropped by the ransomware. Guinet said this is the process that generates the RSA private key. The prime numbers are available, he said, because the CryptReleaseContext function available through the Windows Crypto API in later versions of Windows overwrites memory wiping out the prime numbers. In XP, Guinet said, the function does not clean up memory. Guinet admitted there is a bit of good fortune involved in recovering the prime numbers, first and foremost that the associated memory has been erased and that they’re still in memory. “His tool is very ingenious as it does not look for the actual key but the prime numbers in memory to recompute the key itself,” Suiche said of Wannakey. “In short, his technique is totally bad ass and super smart.” Suiche stresses that victims should not reboot their infected machines if they haven’t already. Suiche, who did a breakdown of the crypto implementation of WannaCry during a webinar with Kaspersky Lab this week, said today that the killswitch domain he registered is still recording infection attempts, including a spike of almost 5,000 last night from Malaysia. [embedded content] In the meantime, Guinet said that WannaCry authors properly use the Windows Crypto API, and the fact the prime numbers are recoverable are more on Microsoft than an implementation error. “I think the overall cryptographic scheme is good. It could have been done differently, but it works in theory,” Guinet said. “When you look at the part of the codes that handle cryptography, care has been taken so that what we are trying to do does not actually work. The ‘issue’ is that the MS Crypto API does not cleanup memory, and there’s not much the authors could have done against that, apart from using another cryptographic library that takes care of these issues. So, IMHO, on the cryptographic part, they made a decent job.” The post Available Tools Making Dent in WannaCry Encryption appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/available-tools-making-dent-in-wannacry-encryption/ VMware fixed two bugs in its VMware Workstation late Thursday night, including an insecure library loading vulnerability and a NULL pointer dereference vulnerability. The virtualization software company warned of the issues Thursday night in a security advisory VMSA-2017-0009. Jann Horn, a security researcher for Google Project Zero who’s previously uncovered bugs in Xen’s hypervisor and the Linux kernel, found the library loading vulnerability in VMware’s Workstation Pro/Player product. The vulnerability (CVE-2017-4915) is tied to the loading of Advanced Linux Sound Architecture (ALSA) files. ALSA, a software framework and part of the Linux kernel, facilitates APIs for sound card driver files. If an attacker exploited the issue successfully they could be able to escalate their privileges to root in a Linux host machine, the advisory warns. The update also fixes a NULL pointer dereference vulnerability (CVE-2017-4916) in a virtual storage volume driver, vstor2. If exploited the bug, discovered by Borja Merino, a security researcher based in Spain, could allow host users with normal user privileges to trigger a denial of service in a Windows host machine. VMware is urging customers to update to the most recent version, 12.5.6, to mitigate both issues. It’s the ninth security advisory VMware has issued this year. Last month the company fixed a remote code execution vulnerability in its vCenter Server platform that could have been exploited via BlazeDS. It also fixed several critical vulnerabilities in its Unified Access Gateway, Horizon View and Workstation products. Most of those vulnerabilities stemmed from issues in Cortado ThinPrint, a protocol that compresses print data and exists in VMware’s Workstation and Horizon Client platforms. Attackers could have exploited the bugs via integer overflow and out of bounds read/write vulnerabilities in JPEG2000 and TrueType fonts. The post VMware Patches Multiple Security Issues in Workstation appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/vmware-patches-multiple-security-issues-in-workstation/ Despite all the attention currently focused on Windows computers being infected with WannaCry ransomware, a defensive strategy has been overlooked. This being a Defensive Computing blog, I feel the need to point it out. The story being told everywhere else is simplistic and incomplete. Basically, the story is that Windows computers without the appropriate bug fix are getting infected over the network by WannaCry ransomware and the Adylkuzz cryptocurrency miner. We are accustomed to this story. Bugs in software need patches. WannaCry exploits a bug in Windows, so we need to install the patch. For a couple days, I too, ascribed to this knee-jerk theme. But there is a gap in this simplistic take on the issue. Let me explain. The bug has to do with input data being processed incorrectly. If a Windows computer, that supports version 1 of the Server Message Block (SMB) file sharing protocol, is listening on the network, bad guys can send it specially crafted malicious data packets that an un-patched copy of Windows does not handle correctly. This mistake allows bad guys to run a program of their choosing on the computer. As security flaws go, this is as bad as it gets. If one computer in an organization gets infected, the malware can propagate itself to vulnerable computers on the same network. Overlooked is that every Windows computer that uses version 1 of the SMB protocol does not have to accept unsolicited incoming packets of data. And those that don’t, are safe from network based infection. Not only are they protected from WannaCry and Adylkuzz, but also from any other malicious software looking to exploit the same flaw. If unsolicited incoming SMB v1 data packets are not processed, the Windows computer is safe from network based attack – patch or no patch. The patch is a good thing, but it’s not the only defense. To make an analogy, consider a castle. The bug is that the wooden front door of the castle is weak and easily broken down with a battering ram. The patch hardens the front door. But, this ignores the moat outside the castle walls. If the moat is drained, the weak front door is indeed a big problem. But, if the moat is filled with water and alligators, then the enemy can’t get to the front door in the first place. The Windows firewall is the moat. All we need to do is block TCP port 445. Like Rodney Dangerfield, the Windows firewall gets no respect. GOING AGAINST THE GRAIN It is monumentally disappointing that no one else has suggested the Windows firewall as a defensive tactic. That the mainstream media gets things wrong when it comes to computers is old news. I blogged about this back in March (Computers in the news — how much can we trust what we read?). When much of the advice offered by the New York Times, in How to Protect Yourself From Ransomware Attacks, comes from a marketing person for a VPN company it fits a pattern. Many computer articles in the Times are written by someone without a technical background. The advice in that article could have been written in the 1990s: update software, install an antivirus program, be wary of suspicious emails and pop-ups, yada yada yada. But even technical sources covering WannaCry, said nothing about the Windows firewall. For example, the National Cyber Security Centre in England offered standard boiler plate advice: install the patch, run antivirus software and make file backups. Ars Technica focused on the patch, the whole patch and nothing but the patch. A ZDNet article devoted solely to defense said to install the patch, update Windows Defender and turn off SMB version 1. Steve Gibson devoted the May 16th episode of his Security Now podcast to WannaCry and never mentioned a firewall. Even Microsoft neglected their own firewall. Phillip Misner’s Customer Guidance for WannaCrypt attacks says nothing about a firewall. A few day later, Anshuman Mansingh’s Security Guidance – WannaCrypt Ransomware (and Adylkuzz) suggested installing the patch, running Windows Defender and blocking SMB version 1. TESTING WINDOWS XP Since I seem to be the only person to suggest a firewall defense, it occurred to me that perhaps blocking the SMB file sharing ports interferes with sharing files. So, I ran a test. The most vulnerable computers run Windows XP. Version 1 of the SMB protocol is all XP knows. Vista and later versions of Windows can do file sharing with version 2 and/or version 3 of the protocol. By all accounts, WannaCry spreads using TCP port 445. A port is somewhat analogous to an apartment in an apartment building. The address of the building corresponds an IP address. Communication on the Internet between computers may appear to be between IP addresses/buildings, but it is actually between apartments/ports. Some specific apartments/ports are used for dedicated purposes. This website lives at apartment/port 80. The website of the EFF, because it’s secure, lives at apartment/port 443. Some articles also mentioned that ports 137 and 139 play a part in Windows file and printer sharing. Rather than pick and chose ports, I tested under the harshest conditions: all ports were blocked. To be clear, firewalls can block data traveling in either direction. As a rule, the firewall on a computer, and in a router, only blocks unsolicited incoming data. To anyone interested in Defensive Computing, blocking unsolicited incoming packets is standard operating procedure. The default configuration, which can be modified of course, is to allow everything outbound. My test XP machine was doing just that. The firewall was blocking all unsolicited incoming data packets (in XP lingo, it was not allowing any exceptions) and allowing anything that wanted to leave the machine to do so. The XP machine shared a network with a Network Attached Storage (NAS) device that was doing its normal job, sharing files and folders on the LAN. I verified that cranking up the firewall to its most defensive setting did not hinder file sharing. The XP machine was able to read and write files on the NAS drive. The patch from Microsoft lets Windows safely expose port 445 to unsolicited input. But, for many, if not most Windows machines, there is no need to expose port 445 at all. I am no expert on Windows file sharing, but it is likely that the only Windows machines that need the WannaCryp patch are those functioning as file servers. Windows XP machines that don’t do file sharing, can further be protected by disabling that feature in the operating system. Specifically, disable four services: Computer Browser, TCP/IP NetBIOS Helper, Server and Workstation. To do so, go to the Control Panel, then Administrative Tools, then Services while logged on as an Administrator. And, if that’s still not enough protection, get the properties of the network connection and turn off the check-boxes for “File and Printer Sharing for Microsoft Networks” and “Client for Microsoft Networks.” CONFIRMATION A pessimist might argue that without access to the malware itself, I can’t be 100% sure that blocking port 445 is a sufficient defense. But, while writing this article, there was third party confirmation. Security company Proofpoint, discovered other malware, Adylkuzz, with an interesting side effect.
In other words, Adylkuzz closed TCP port 445 after it infected a Windows computer, and this blocked the computer from being infected by WannaCry. Mashable covered this, writing “Since Adylkuzz only attacks older, unpatched versions of Windows, all you need to do is install the latest security updates.” The familiar theme, yet again. Finally, to put this in perspective, LAN based infection may have been the most common way machines were infected by WannaCry and Adylkuzz, but it is not the only way. Defending the network with a firewall, does nothing against other types of attacks, such as malicious email messages. The post The Windows firewall is the overlooked defense against WannaCry and Adylkuzz appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/the-windows-firewall-is-the-overlooked-defense-against-wannacry-and-adylkuzz/ Bipartisan bill wants to stave off another WannaCryTwo US senators have proposed a law limiting American intelligence agencies’ secret stockpiles of vulnerabilities found in products. The Protecting our Ability To Counter Hacking (PATCH) Act [PDF] would set up a board chaired by an Department of Homeland Security (DHS) official to assess security flaws spies have found in code and hardware, and decide if manufacturers should be alerted to the bugs so they can be fixed for everyone. Right now, as you probably know, the NSA et al discover exploitable programming and design blunders in computers and networking gear, and keep a bunch of the bugs to themselves so they can be used to infect and spy on intelligence targets. This means they’re not patched, leaving the flaws for miscreants and rival snoops to find and attack. This latest draft legislation was introduced today into the Senate by the chairman of the Senate Homeland Security and Governmental Affairs Committee, Senator Ron Johnson (R-WI), and Senator Brian Schatz (D-HI). It’s designed to force the US intelligence agencies to pass on vulnerabilities to developers and hardware makers if there is evidence other people are exploiting them. “Striking the balance between US national security and general cybersecurity is critical, but it’s not easy. This bill strikes that balance,” said Senator Schatz. “Codifying a framework for the relevant agencies to review and disclose vulnerabilities will improve cybersecurity and transparency to the benefit of the public, while also ensuring that the federal government has the tools it needs to protect national security.” The bill is a response to last week’s WannaCry ransomware outbreak, which used stolen and subsequently publicly leaked NSA cyber-weapons – EternalBlue and DoublePulsar – to spread fast, knocking out hospitals, railways, ATMs, universities, telcos, the Russian government, and more. The exploits were released by the Shadow Brokers hacking group in April. The same team is now promising more revelations. President Obama did institute an informal process for assessing vulnerabilities and deciding if they should be patched, but it wasn’t a binding system. Under the proposed legislation, the DHS would chair a committee of experts, including representatives from the NSA and the National Institute of Standards and Technology. “As we’ve seen in recent days with the worldwide ransomware attack, the continued threat of cyberattacks means that we need to combine public and private efforts to maintain the security of America’s networks and information,” said Senator Johnson. “It is essential that government agencies make zero-day vulnerabilities known to vendors whenever possible, and the PATCH Act requires the government to swiftly balance the need to disclose vulnerabilities with other national security interests, while increasing transparency and accountability to maintain public trust in the process.” The proposed act is still in its infancy; as usual, it has many hurdles to jump and committees to impress before it can become law. ® Sponsored: The post Proposed PATCH Act Forces US Snoops To Quit Hoarding Code Exploits appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/proposed-patch-act-forces-us-snoops-to-quit-hoarding-code-exploits/ |
ABOUT USFree, secure collections for I.T recycling and CESG approved data erasure for individuals, businesses and large-scale projects. I.T Asset Disposal | Computer Recycling | Re-marketing & Cashback | Secure Data Erasure. Archives
May 2017
Categories |