Please run windows update now
This looks like a major worm that is going global
Please run windows update as soon as possible and spread the word
It may be worth also closing down ports 445 / 139 / 3389
http://www.npr.org/sections/thetwo-way/2017/05/12/528119808/large-cyber-attack-hits-englands-nhs-hospital-system-ransoms-demanded
Hail backups, and whoever keeps those ports accessible to the outside without a decent ACL in the firewall, or restricting it to (IPsec) VPNs, should be shot on sight anyways.

On Fri, May 12, 2017 7:35 pm, Ca By wrote:
My $0.02, for people doing internal/private triage:

- If your use of IPv4 space is sparse by routes, dump your internal routing table and convert to summarized CIDR.
- Feed your CIDRs to masscan [1] to scan for internal port 445 (masscan randomizes targets, so destination office WAN links won't saturate, but local/intermediate might if you're not careful, so tune):

    sudo masscan -p445 --rate=[packets-per-second safe for your network] -iL routes.list -oG masscan-445.out

- Use https://github.com/RiskSense-Ops/MS17-010/tree/master/scanners (the python2 one, or the Metasploit one if you can use that internally) to detect vuln. The python one is *not* a parallelized script, so consider breaking it into multiple parallel runners if you have a lot of scale.
- If you're using SCCM/other, verify that MS17-010 was applied - but be mindful of Windows-based appliances not centrally patched, etc. Trust but verify.
- In parallel, consider investigating low-hanging fruit by OU (workstations?) to disable SMBv1 entirely.

Royce

1. https://github.com/robertdavidgraham/masscan

On Fri, May 12, 2017 at 10:02 AM, Alexander Maassen <outsider@scarynet.org> wrote:
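The scan-then-check steps above, as an added example that is neither Royce's code nor the RiskSense MS17-010 scanner: a Python 3 script that reads masscan's grepable (-oG) output, keeps the hosts with TCP/445 open, and asks each of them, in parallel, whether it still accepts an SMBv1-only NEGOTIATE. That is the exposure the "disable SMBv1 entirely" step is meant to remove; the script does not test for MS17-010 itself, which is what the RiskSense scanner does. Assumptions not taken from the thread: the masscan -oG line layout shown in the embedded sample (constructed), and that a server with SMBv1 disabled either closes the connection or answers with dialect index 0xFFFF instead of negotiating. The function and file names are the example's own.

```python
"""Added example (not Royce's or RiskSense's code): masscan -oG -> SMBv1 exposure check.

Pipeline: parse the grepable output for hosts with TCP/445 open, then send each one
an SMB1 NEGOTIATE that offers only the SMBv1 dialect "NT LM 0.12". A host that
negotiates it still has SMBv1 enabled. Assumptions (not from the thread): the
masscan -oG line layout in SAMPLE_MASSCAN_OG, and that a server with SMBv1 disabled
either closes the connection or returns dialect index 0xFFFF. Python 3, stdlib only.
"""
import re
import socket
import struct
import sys
from concurrent.futures import ThreadPoolExecutor

# Constructed sample of masscan grepable output (real files have more comment lines).
SAMPLE_MASSCAN_OG = """\
# Masscan 1.0.5 scan initiated Fri May 12 2017
# Ports scanned: TCP(1;445-445) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Timestamp: 1494604800\tHost: 10.0.0.5 ()\tPorts: 445/open/tcp////
Host: 10.0.0.9 ()\tPorts: 445/open/tcp////
Host: 10.0.0.9 ()\tPorts: 445/open/tcp////
# Masscan done at Fri May 12 2017
"""

_HOST_RE = re.compile(r"Host:\s+(\S+)\s+\(\)\s+Ports:\s+(\d+)/open/")


def parse_masscan_grepable(text):
    """Ordered, de-duplicated (ip, port) pairs for every open port in -oG output."""
    seen, hosts = set(), []
    for line in text.splitlines():
        m = _HOST_RE.search(line)
        if m:
            pair = (m.group(1), int(m.group(2)))
            if pair not in seen:
                seen.add(pair)
                hosts.append(pair)
    return hosts


def build_smb1_negotiate(dialects=(b"NT LM 0.12",)):
    """SMB1 NEGOTIATE request in a NetBIOS session wrapper, offering only SMB1 dialects."""
    header = (b"\xffSMB" + b"\x72"                     # protocol id, SMB_COM_NEGOTIATE
              + struct.pack("<I", 0)                    # NT status
              + b"\x18"                                 # Flags: case-insensitive, canonical paths
              + struct.pack("<H", 0xC801)               # Flags2: Unicode, NT status, ext. security, long names
              + b"\x00" * 12                            # PIDHigh, SecurityFeatures, Reserved
              + struct.pack("<HHHH", 0, 0xFEFF, 0, 0))  # TID, PID, UID, MID
    body = b"".join(b"\x02" + d + b"\x00" for d in dialects)      # dialect strings
    smb = header + b"\x00" + struct.pack("<H", len(body)) + body  # WordCount=0, ByteCount
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def parse_negotiate_response(data):
    """('SMB1', dialect_index), ('SMB2', None), or None for an empty/non-SMB reply."""
    if len(data) >= 4 and data[0] == 0:
        data = data[4:]                                   # strip NetBIOS session header
    if data[:4] == b"\xfeSMB":
        return ("SMB2", None)
    if data[:5] == b"\xffSMBr" and len(data) >= 35:
        (dialect_index,) = struct.unpack_from("<H", data, 33)  # WordCount at 32, DialectIndex at 33
        return ("SMB1", dialect_index)
    return None


def probe_smb1(ip, port=445, timeout=3.0):
    """Returns (ip, verdict, detail); 'smb1-enabled' is what the disable-SMBv1 step should remove."""
    try:
        with socket.create_connection((ip, port), timeout=timeout) as s:
            s.sendall(build_smb1_negotiate())
            reply = s.recv(1024)
    except OSError as exc:                                # refused, reset or timed out
        return (ip, "no-smb1-response", str(exc))
    parsed = parse_negotiate_response(reply)
    if parsed is None:
        return (ip, "no-smb1-response", "connection closed or non-SMB reply")
    kind, idx = parsed
    if kind == "SMB1" and idx != 0xFFFF:
        return (ip, "smb1-enabled", "negotiated dialect index %d" % idx)
    return (ip, "smb1-disabled", kind)


def run_triage(og_text, workers=32):
    """Probe every host masscan saw with 445 open, in parallel (the cited Python scanner is serial)."""
    targets = [ip for ip, port in parse_masscan_grepable(og_text) if port == 445]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(probe_smb1, targets))


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MASSCAN_OG
    for ip, verdict, detail in run_triage(text):
        print(ip, verdict, detail)
```

Run it as `python3 smb1_triage.py masscan-445.out` on the file the masscan line above produces; hosts reported as smb1-enabled are the ones to feed to the MS17-010 scanner first and to the SMBv1-disable work afterwards. The worker count is the rate knob here, in the same way --rate is for masscan.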
On Fri, 2017-05-12 at 10:30 -0800, Royce Williams wrote:
- In parallel, consider investigating low-hanging fruit by OU (workstations?) to disable SMBv1 entirely.
Kaspersky reckons the exploit applies to SMBv2 as well:
https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/

I thought it was a typo in para 2 and the table, but they emailed back saying nope, SMBv2 is (was) also broken. However, they also say (same page) that the MS patch released in March this year fixes it.

Assuming they are right, I wonder why Microsoft didn't mention SMBv2?

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: A52E F6B9 708B 51C4 85E6 1634 0571 ADF9 3C1C 6A3A
Old fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
The SMBv1 issue was disclosed a year or two ago and never patched. Anyone who was paying attention would already have disabled SMBv1.

Thus is the danger and utter stupidity of "overloading" the function of service listeners with unassociated road-apples. Wait until the bad guys figure out that you can access the same "services" via a connection to the DNS port (UDP and TCP 53) on windows machines ...

-- 
˙uʍop-ǝpısdn sı ɹoʇıuoɯ ɹnoʎ 'sıɥʇ pɐǝɹ uɐɔ noʎ ɟı
Well it was patched by Microsoft on March 14th, just clearly people running large amounts of probably Windows XP have been owned.

Largely in Russia.

Nathan Brookfield
Chief Executive Officer
Simtronic Technologies Pty Ltd
http://www.simtronic.com.au

On 13 May 2017, at 14:47, Keith Medcalf <kmedcalf@dessus.com> wrote:
Well, this one was patched (or more accurately, undone). Perhaps. Maybe.

How many other "paid defects" do you estimate there are in Microsoft Windows waiting to be exploited when discovered (or disclosed) by someone other than the "Security Agency" buying the defect?

Almost certainly more than just this one ... and almost certainly there is more than a single "payor agency" independently purchasing the deliberate introduction of code defects.

-- 
˙uʍop-ǝpısdn sı ɹoʇıuoɯ ɹnoʎ 'sıɥʇ pɐǝɹ uɐɔ noʎ ɟı
One word. Linux.

After this we'll probably see (yet more) additional processes running on windows boxes safeguarding against issues like this, forcing windoze users to upgrade memory/processor/disk space. I, for one, am not looking at Windoze 10 S as it locks too many applications needed for work to the Windoze store.

Getting kind of ridiculous if you ask me.

-Joe

On Fri, May 12, 2017 at 11:56 PM, Keith Medcalf <kmedcalf@dessus.com> wrote:
Not to mention of course that the version of Windows 10 that actually has all Microsoft's wonder-dunder-touted-all-and-fro security features is the one that most mere mortals cannot buy.

I wunder. When there are these wunderful fluffings of the security of Windows 10, should one be suing Microsoft for not explicitly stating in the opening sentence that the features touted do not apply to any version of Windows that can be purchased at whim (ie, retail) and only apply to the "Enterprise" version which is *only* available with a minimum purchase quantity and the selling of the first (and second) born to Microsoft, and at that only after entering into a really nasty contract with Microsoft?

Or should one be suing all the "security fools and newsfrothers" that promulgate the story without specifying that the emperor's "new secure clothing" is only available to "Enterprise" customers with special contracts to Microsoft and failing to warn that Microsoft has deliberately left everyone else "naked and unprotected"?

Or should one simply sue them all and let God (or a judge) sort it out?

-- 
˙uʍop-ǝpısdn sı ɹoʇıuoɯ ɹnoʎ 'sıɥʇ pɐǝɹ uɐɔ noʎ ɟı
On Sat, May 13, 2017 at 12:07:39AM -0500, Joe wrote:
One word. Linux.
Or BSD, or anything but Windows. Anyone running Microsoft products is quite clearly an unprofessional, unethical moron and fully deserves all the pain they get -- including being sued into oblivion by their customers and clients for their obvious incompetence and negligence. ---rsk
On Mon, 15 May 2017 02:12:27 -0400, Rich Kulawiec said:
Or BSD, or anything but Windows. Anyone running Microsoft products is quite clearly an unprofessional, unethical moron and fully deserves all the pain they get
Tell you what. Go over to http://line6.com/software/ - You convince them to produce a Linux version of the software for their musician's gear, and I'll get rid of the Toshiba laptop running Windows. Alternatively, find me an OSX laptop that costs anywhere near the $400 I paid for the Toshiba Satellite. (And yes, I already tried running their software in a VM; neither VirtualBox nor VMware does a good enough job of emulating MIDI-over-USB2 to let the drivers in the VM connect to my Pod HD, so don't bother suggesting that.)

You want to repeat your claim that I'm an unprofessional, unethical moron because I have a fully patched Windows 10 laptop that's backed up on a regular basis because there's no realistic alternative?
Calling someone who uses Windows unprofessional would be a "gossip" style phrase. This is a piece of software which can be tested and compared to others. Would Android be better than Windows only because it is based on the Linux kernel, or since it's based on the full engineering it was invested from the bottom up?

So from my point of view on things:
Windows is good
Linux is good
BSD is good
Mac is good
Others, good...

But it depends on what you need. If you need to work with a system that has specific compatibility or usability levels then this is what you need. If it works for me it doesn't mean that it's either good or bad for me and others!

I love Linux based systems but they all need some "magic hands" on them to convert them from Linux to "something better". So with this in mind: If you are a magician and Linux feels good for you it doesn't mean that everybody should be magicians!

All The Bests,
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer@ngtech.co.il

-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of valdis.kletnieks@vt.edu
Sent: Monday, May 15, 2017 10:47 AM
To: Rich Kulawiec <rsk@gsp.org>
Cc: nanog@nanog.org
Subject: Re: Please run windows update now

On Mon, 15 May 2017 02:12:27 -0400, Rich Kulawiec said:
Or BSD, or anything but Windows. Anyone running Microsoft products is quite clearly an unprofessional, unethical moron and fully deserves all the pain they get -- including being sued into oblivion by their customers and clients for their obvious incompetence and negligence.
aside from being grossly rude, hyperbolic, and unintelligent, this rant ignores reality enough to make you a viable presidential candidate.

80% of desk/laptops run windows. get over it. windows is embedded in many systems which will be hard to update in an hour or 100 hours. and rude ranting is not doing one micron to help deal with it.

embedded systems are very hard to update, think special drivers, kinky mods, ... aside from the long softdev time, how much time do you think QA will take for moving a piece of medical equipment from xp to win10, let alone bsd? and the state of the bsd update process is not something to describe in polite company.

we have a vulnerable chain from weak software (which is improving, and msoft has been in the lead there for a decade), to nsa/cia not disclosing, to people choosing or having to run old versions (of whatever; and linux/bsd are not immune) for financial or technical reasons, to the conservative or lazy logistics of patching. we can try to improve things at each link. but this is gonna be slow.

though this ransomware attack is not really that much larger than other attacks in the past (and the future is not cheering), at least it has reached the front pages and maybe people will patch more and vendors will issue more/better updates. but, as @zeynep says, the lack of liability along the chain above allows bad practices to continue.

in the meantime, backup, backup and take it offline so it does not get encrypted for you, patch, turn off unnecessary services/options, rinse repeat. and try to promote prudent use among friends, family, and workplace.

randy
You make some excellent points: but I grow very, very tired of having to spend my time and my energy -- note timestamp on my message -- dealing with the fallout.

It should be painfully clear to everyone that there is no such thing as a secure Windows system. [1] It should have been painfully clear after Code Red, after the rise of bots, and after a hundred other incidents before/since of varying severity and duration. But apparently it's not and so despite the impact of this current one -- including large-scale disruption of healthcare in the UK -- this will keep happening over and over again.

And even those of us who have the good judgment to never use Microsoft products have to pay the price for the poor decision-making of others. Again. And again. It's getting old. Just like all the other things that people do (many of which have been discussed here at great length) that cause problems for others who are making an earnest attempt to do things right.

How bad do things have to get before the people who are stubbornly clinging to this finally let go? Does someone have to die? Because -- again, see healthcare provider impact in the UK -- we're not that far from it.

---rsk

[1] There may be no such thing as a secure system, period. But it would be better to deploy things that may have a fighting chance instead of things that have long since proven to have none at all.
fyi, current opinion in the security community seems to be that win10 is better secured than linuxes, bsds, ... see http://cyber-itl.org/; still pretty sparse, but getting fleshed out.

randy
Since everyone else is bloviating I may as well also...

The underlying problem is that Microsoft tried to produce basically one operating system for both servers and end-users and most anything in between. Putting some lipstick on them and names such as "server 2008" doesn't negate that.

Ok so did everyone, sort of (does Apple even make servers? ok ok I know the response, cylindrical things.) But others, which means the un*x sphere, at least had the excuse that they were practically unfunded with a few notable exceptions (but Sun is gone no sense beating the dead.)

MS has about $100B cash on hand and has generally been a quite profitable enterprise for longer than probably most people on this list have been alive.

So for example why does a client OS produced with that much money available even allow things like wholesale encryption of files without at least popping up one of those warnings to confirm that you really meant to run a program on $THRESHOLD files, opening them for update etc, not just read? Even backup doesn't do that. I suppose update does but that and similar could be handled specially.

Why? Because it would be annoying to their server customers if they interfered and it seems that's how decisions are made. Over and over. And over.

What we really have is the end result of a company spending as little as possible on their product and optimizing their bottom line because no one has any power to make them produce anything better.

One code base to rule them all,
One code base to sell them,
One code base to bring them all,
And in their darkness bind them.
That's what MS needs to be held accountable for, sucking literally hundreds of billions from companies and consumers (that is, no lack of money) and passing the pain of an inferior product to those consumers much like the car industry did until Ralph Nader ("Unsafe At Any Speed") and others began pointing this out in the 1960s and action was taken and we got some omg seat belts and attention paid to how easily a car of that era could roll over on a turn at 25mph, etc.

I think making feelgood comments like one has to be an idiot to run Windows is a huge waste of time at this point. That horse is out of the barn, has sailed, the barn door is still wide open, and it's become too way late to fret over saving nine except forward.

-- 
-Barry Shein

Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD
The World: Since 1989 | A Public Information Utility | *oo*
On Mon, 15 May 2017 15:45:26 -0400, bzs@theworld.com said:
So for example why does a client OS produced with that much money available even allow things like wholesale encryption of files without at least popping up one of those warnings to confirm that you really meant to run a program on $THRESHOLD files, opening them for update etc, not just read?
Well Barry, I can tell you why, with examples from the Unix world.

    for i in *; do encrypt < "$i" > "$i.new"; mv "$i.new" "$i"; done

How do you throw a pop-up warning for that? Pre-run it and see how many > might get executed? And how do you tell that the sequence ends up destroying the file rather than creating a new one?

OK. How about this one?

    # quoting the delimiter keeps $1 literal, so it is expanded when wombat runs, not when cat runs
    cat > ./wombat << 'EOF'
    #!/bin/bash
    encrypt < "$1" > "$1.new"; mv "$1.new" "$1"
    EOF
    chmod +x ./wombat
    for i in *; do ./wombat "$i"; done

Now convert that to C and bury that whole thing inside a binary. How does the operating system detect that and throw a pop-up *before* that executes?

It's a lot harder problem than you think. Hint: Fred Cohen's PhD thesis showed that detecting malware is isomorphic to the Turing Halting Problem.
On May 15, 2017, at 21:17, valdis.kletnieks@vt.edu wrote:
So for example why does[n’t] a client OS confirm that you really meant to run a program on $THRESHOLD files…
How does the operating system detect that and throw a pop-up *before* that executes?
It's a lot harder problem than you think. Hint: Fred Cohen's PhD thesis showed that detecting malware is isomorphic to the Turing Halting Problem.
The general problem might well be that hard, I don’t know, it seems plausible. However Barry’s suggestion doesn’t seem impossible. One strategy is as follows. Have a counter in the kernel about writes to files. Have some sort of log-structured filesystem with checkpoints or whatever. When the counter goes too fast, show Barry’s dialog box and if the user says no, roll back the filesystem to the time just before the process (or its parent, or its parent’s parent, …) started.

There are details to be ironed out, of course, but there’s no reason in principle that it couldn’t be done like this. The reason that you don’t have to make the operating system solve the halting problem is because you ask the user.

William Waites
Laboratory for Foundations of Computer Science
School of Informatics, University of Edinburgh
Informatics Forum 5.38, 10 Crichton St.
Edinburgh, EH8 9AB, Scotland

The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.
On May 15, 2017 at 16:17 valdis.kletnieks@vt.edu (valdis.kletnieks@vt.edu) wrote:
On Mon, 15 May 2017 15:45:26 -0400, bzs@theworld.com said:
So for example why does a client OS produced with that much money available even allow things like wholesale encryption of files without at least popping up one of those warnings to confirm that you really meant to run a program on $THRESHOLD files, opening them for update etc, not just read?
Well Barry, I can tell you why, with examples from the Unix world.
for i in *; do encrypt < $i > $i.new; mv $i.new $i; done
Oh great a design review! Hello Valdis, I am Barry Shein. I've done decades of internals and kernel work. Ever use any Windows since about Vista? It throws up those warning pop-ups when you're about to do something it decides needs confirmation? That was almost certainly my invention. I described the idea on an anti-spam list and two Microsoft engineers contacted me to discuss whether this is feasible etc. Never got a thank you tho.
How do you throw a pop-up warning for that? Pre-run it and see how many > might get executed? And how do you tell that the sequence ends up destroying the file rather than creating a new one?
You count the number of destructive opens in the kernel and if it exceeds a threshold (for example) you stop it and pop up a warning. For example. As I said this is the sort of thing which is suitable for an end-user OS and no doubt annoying in a server OS.
OK. How about this one?
    # quoting the delimiter keeps $1 literal, so it is expanded when wombat runs, not when cat runs
    cat > ./wombat << 'EOF'
    #!/bin/bash
    encrypt < "$1" > "$1.new"; mv "$1.new" "$1"
    EOF
    chmod +x ./wombat
    for i in *; do ./wombat "$i"; done
Now convert that to C and bury that whole thing inside a binary. How does the operating system detect that and throw a pop-up *before* that executes?
It's a lot harder problem than you think. Hint: Fred Cohen's PhD thesis showed that detecting malware is isomorphic to the Turing Halting Problem.
You don't seem to understand how OSes work, which surprises me in your case.

-- 
-Barry Shein
On Mon, 15 May 2017, bzs@theworld.com wrote:
You count the number of destructive opens in the kernel and if it exceeds a threshold (for example) you stop it and pop up a warning.
For example.
As I said this is the sort of thing which is suitable for an end-user OS and no doubt annoying in a server OS.
*popcorn* ... What was the original thread about? Because once upon a time as a proof of concept for "undetectable" viruses on *nix, (was for a competition where I was not allowed to play post disclosure of PoC), anyway, I created a really really bad mechanism to negatively impact ALL BSDs, Solaris, Linux, it was *nix agnostic. Bigger takeaway, malware/scumware/whateverware authors target Windows because there are more users. For someone dealing with security 24x7x365, I can state MS has come a very long way from what they were, including dealing with MSRC and other departments. Do you have any idea how difficult it is to deal with certain *nix projects? Freshmeat? Github, hobby... Apples and oranges. And I CAN COUNT the number of destructive opens, read, and write on any nix system, so perhaps we should kill this thread before it becomes: my NetBSD toaster is better than your windows powered refrigerator. -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM "Where ignorance is our master, there is no possibility of real peace" - Dalai Lama 0B23 595C F07C 6092 8AEB 074B FC83 7AF5 9D8A 4463 https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463
On Mon, May 15, 2017 at 2:48 PM, J. Oquendo <joquendo@e-fensive.net> wrote:
On Mon, 15 May 2017, bzs@theworld.com wrote:
You count the number of destructive opens in the kernel and if it exceeds a threshold (for example) you stop it and pop up a warning.
That's basically what I did. I got tired of users constantly opening any attachment that came at them through e-mail and encrypting all the files on their systems and other network systems....so...I installed a Linux box running Samba backed by a ZFS file store. Samba spits out syslog records on file writes. Combine that with fail2ban. When one user has more than 60 writes in 60 seconds *or* a write contains a well-known cryptolocker name (i.e. *DECRYPT_INSTRUCT*) it immediately blocks their IP on the server, looks up their MAC address, scans the switch for their MAC, and disables the switch port. Then I have a list of files in syslog that were encrypted and ZFS snapshots I can restore from. Additionally, some of the workstations were PXE or iSCSI booted from the NAS so it was as simple as "Hold down the power button to turn off your computer. Ok, let me 'zfs rollback' your machine image...ok, now turn your computer back on. All set." Plus adding new workstations was as easy as getting the MAC address and doing a 'zfs clone' of a clean machine image. Upgrades are easy too--boot a VM, install the latest version of Windows, update drivers, install software packages, then shutdown, snapshot and clone. Tell the user to reboot their PC and they are now running the newer OS. Windows isn't hard if you have Linux and Unix running underneath, behind, and between everything. ;) -A
On Mon, 15 May 2017 16:19:37 -0700, "Aaron C. de Bruyn via NANOG" said:
Combine that with fail2ban. When one user has more than 60 writes in 60 seconds *or* a write contains a well-known cryptolocker name (i.e. *DECRYPT_INSTRUCT*)
Oddly enough, we've seen *lots* of spammers that are *totally* able to auto-tune their spew rate to whatever you set the knob to. Set it to 3,293, and it will quickly adjust to 3,250 or so. Knock the knob down to 67, it will tune down to 65. There's no reason to expect that the same methods won't be used again. If it's an entire network of vulnerable systems, it's perfectly reasonable for malware to pick one system (the one with the least number of likely-valuable files) as a sacrificial goat and burn it down, just to see where you've set the knobs, and then fly under the radar for the rest of the network. If malware waits till 5:01PM Friday or whenever it detects the user has left for the weekend, and does a careful search of file extensions for files most likely to be valuable enough to make the victim pay the ransom, and does them at 3 per minute, how bad is the situation Monday morning? So you restrict file change rate to 1 per hour or something draconian when the user isn't at the keyboard. What is the likely amount of time the malware can get away with doing 3 files a minute in the background while the user *is* using the system, before they hit an encrypted file and realize there's a problem (hint - avoid files modified in the last few days and target more static files)? What is the likely amount of time you can restrict the user to 2 files per minute before they come looking for you with an ax? Remember - the first rule of designing security is that if you haven't already thought through the first several iterations of blatantly obvious ways to work around your proposal, and dealt with them, it's guaranteed that the bad guys will do so for you. Remember this as well - the entire reason why Snowden walked away with so many files was because the NSA was not using all the available security features *because it put too much of a crimp in legitimate analyst activity*. 
It's also why almost nobody outside military and spook systems actually deploys MLS/MCS security. Given that we've been at this for well over 4 decades now, and we *still* can't actually do it right, you should be *very* suspicious of any proposal that says "Just count the number of opens, tie it to fail2ban, handwave yadda yadda handwave *SECURE*".
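The rate-and-name rule Aaron describes, run over constructed Samba-style audit lines, together with the slow-drip limitation Valdis raises, as an added example that is not part of the thread or any poster's code. The log line layout, host, user names, TEST-NET addresses, paths and timestamps are all assumptions made up for the example.

```python
"""Rate-and-marker ransomware detector run over Samba-style audit log lines.

Added example, not code from the thread or from any of its posters.  It
models the two rules Aaron describes (more than 60 writes in 60 seconds from
one client, or a write whose path carries a ransom-note marker such as
DECRYPT_INSTRUCT) and then runs Valdis's counter-case: the same encryptor
drip-fed at 3 files a minute never trips the rate rule.  Log layout, host,
user names, addresses, paths and timestamps are all constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line shape, loosely modelled on Samba vfs_full_audit syslog
# output; the real field order depends on smb.conf, so this is an assumption:
#   <iso-timestamp> <host> smbd_audit: <user>|<ip>|<share>|<op>|<status>|<path>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ smbd_audit: (?P<user>[^|]*)\|(?P<ip>[^|]*)\|(?P<share>[^|]*)"
    r"\|(?P<op>[^|]*)\|(?P<status>[^|]*)\|(?P<path>.*)$"
)
# VFS operations that change file contents or names (the thread's
# "destructive opens"); reads are deliberately not counted.
WRITE_OPS = {"write", "pwrite", "rename", "unlink", "ftruncate"}
# Marker from Aaron's rule, matched case-insensitively anywhere in the path.
RANSOM_MARKER_RE = re.compile(r"DECRYPT_INSTRUCT", re.IGNORECASE)


class WriteRateDetector:
    """Sliding-window write counter per client IP plus a path-marker check."""

    def __init__(self, max_writes=60, window_seconds=60):
        self.max_writes = max_writes
        self.window = timedelta(seconds=window_seconds)
        self.recent = defaultdict(deque)   # ip -> timestamps of recent writes
        self.blocked = {}                  # ip -> reason, once an alert fired
        self.alerts = []                   # (timestamp, ip, user, reason)

    def feed(self, line):
        """Process one log line; return the alert tuple if this line fired one."""
        m = LINE_RE.match(line)
        if not m or m["status"] != "ok":
            return None                    # unparseable line or failed operation
        ip, user, op, path = m["ip"], m["user"], m["op"], m["path"]
        if ip in self.blocked:
            return None                    # fail2ban would already have cut this client off
        ts = datetime.fromisoformat(m["ts"])
        reason = None
        if RANSOM_MARKER_RE.search(path):
            reason = "ransom-note marker in path"
        elif op in WRITE_OPS:
            q = self.recent[ip]
            q.append(ts)
            while q and ts - q[0] > self.window:
                q.popleft()                # forget writes older than the window
            if len(q) > self.max_writes:
                reason = f"{len(q)} writes within {self.window.seconds}s"
        if reason is None:
            return None
        alert = (ts, ip, user, reason)
        self.alerts.append(alert)
        self.blocked[ip] = reason          # stand-in for the IP block / port shutdown
        return alert


def synth_writes(ip, user, start, count, interval_s, names=None):
    """Construct `count` successful pwrite lines from one client, interval_s apart."""
    lines = []
    for i in range(count):
        ts = (start + timedelta(seconds=i * interval_s)).isoformat()
        path = names[i] if names else f"/share/reports/q{i % 4 + 1}_{i:04d}.xlsx"
        lines.append(f"{ts} fileserver smbd_audit: {user}|{ip}|share|pwrite|ok|{path}")
    return lines


def run(lines, **kwargs):
    """Feed lines through a fresh detector; return (alerts, writes landed before block)."""
    det = WriteRateDetector(**kwargs)
    landed = 0                             # files already modified when the block hit
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["op"] in WRITE_OPS and m["ip"] not in det.blocked:
            landed += 1
        det.feed(line)
    return det.alerts, landed


T0 = datetime(2017, 5, 12, 17, 1)          # constructed: Friday 17:01, Valdis's quiet hour

def burst_scenario():
    """Naive encryptor: two writes a second from one workstation."""
    return run(synth_writes("192.0.2.10", "alice", T0, 90, 0.5))

def slow_drip_scenario():
    """Valdis's case: 3 files a minute for an hour, never more than 4 in any window."""
    return run(synth_writes("192.0.2.11", "bob", T0, 180, 20))

def marker_scenario():
    """A ransom note dropped after one ordinary write trips the name rule at once."""
    names = ["/share/notes.txt", "/share/!!!_DECRYPT_INSTRUCTIONS.html"]
    return run(synth_writes("192.0.2.12", "carol", T0, 2, 1, names))
```

With Aaron's thresholds the burst client is cut off after 61 files and the ransom note after 2, while the slow drip modifies all 180 files without a single alert, which is the gap Valdis describes.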
Microsoft aren't stupid. They have learned lessons from the days in the 90s and early 2000s when they were a laughing stock in terms of security, and since then Windows security has improved enormously. OK, so it's not perfect, but what software is? Dirty Cow, Shellshock and Heartbleed for example weren't exactly minor flaws, but the world moved on. What's key is that administrators need to know how to secure their estates. If they've failed to apply the patch, that's their failure, not Microsoft's, but patching was not the only way to have curtailed this weekend's outbreak. Admins may have had their reasons for not patching - maybe to do so would have invalidated some kind of certification on an embedded system for example - but there should have been other controls in place to limit the spread of this outbreak or others like it. Something that's puzzled me about events this weekend is that hardly anyone is mentioning firewalling. Servers generally need ports 135-139/445 to be accessible in order to act as, well, servers - but workstations don't. Why aren't people - even cash-starved organisations like the NHS - using the Windows firewall to protect at least their workstations on an ongoing basis? How did this infection spread between organisations without being stopped by a border firewall at any point? Was nothing learned from the Blaster days? (I don't have the answer.) Although the malware was probably injected into multiple organisations in numerous countries via multiple phishing attacks, the spread as reported seemed too fast between organisations and countries for it to have been driven by phishing attacks alone, and I haven't seen any reports showing people how to spot the phishing attempts. So I'm guessing a lot of the propagation even between orgs was by MS17-010. It would be interesting to find out if anyone saw unusual spikes in SMB traffic over the weekend? Or if there are insights into any of the semi-rhetorical questions I posed above? Cheers, Jon
On May 15, 2017, at 4:31 PM, Jonathan Roach <jonathan.roach@oracle.com> wrote:
What's key is that administrators need to know how to secure their estates. If they've failed to apply the patch, that's their failure, not Microsoft's, but patching was not the only way to have curtailed this weekend's outbreak.
But their failure leads to further intrusions elsewhere. Their failure has consequences beyond their own borders. IMO, this is a herd immunity problem that Microsoft needs to get better at. The analogy I would make here is the German versus the American approaches to road fatalities. In the German approach, if there are significant road fatalities in a given location, then that implies there is a failure with the way the road system is engineered, and it needs to be fixed so that the number of fatalities is brought down. No blame is automatically assumed on the part of the drivers who failed at that location. In the American approach, if there are a significant number of road fatalities, then it's the drivers' own fault and they should have taken more care. They are automatically to blame for their own failure. But if you're one of the other drivers out there who might be impacted by the lack of due diligence practiced by another driver on the road, which approach are you going to want to see implemented? -- Brad Knowles <brad@shub-internet.org>
On Tue, May 16, 2017 at 8:33 AM, Brad Knowles <brad@shub-internet.org> wrote:
On May 15, 2017, at 4:31 PM, Jonathan Roach <jonathan.roach@oracle.com> wrote:
What's key is that administrators need to know how to secure their estates. If they've failed to apply the patch, that's their failure, not Microsoft's, but patching was not the only way to have curtailed this weekend's outbreak.
But their failure leads to further intrusions elsewhere. Their failure has consequences beyond their own borders.
IMO, this is a herd immunity problem that Microsoft needs to get better at.
The analogy I would make here is the German versus the American approaches to road fatalities.
In the German approach, if there are significant road fatalities in a given location, then that implies there is a failure with the way the road system is engineered, and it needs to be fixed so that the number of fatalities is brought down. No blame is automatically assumed on the part of the drivers who failed at that location.
In the American approach, if there are a significant number of road fatalities, then it's the drivers' own fault and they should have taken more care. They are automatically to blame for their own failure.
But if you're one of the other drivers out there who might be impacted by the lack of due diligence practiced by another driver on the road, which approach are you going to want to see implemented?
LOL. I think that is a really bad example and I see many fallacies in it, including a hasty generalization, as intersections, and roads for that matter, in America have been redesigned to improve safety. Isn't it true, with any tech product, the more complex features, the less secure it is? Ask yourself why this is the case, and I believe the true issue with tech lies there. If a country must build a China Wall duplicate in 300 days (for some reason, to save money let's say), unless the team can pull it off and depending upon how long it must be, the wall you end up with will probably have some holes in it or pieces of it may collapse at later dates. I don't know. It is hard to imagine a professional IT nowadays, seriously blaming Microsoft for every bad thing out there. What would be more of an interesting discussion, to me, would be why doesn't Microsoft know about these hoarding of vulnerabilities by State actors and plug them up? Are they really that clever of vulnerabilities? Does Microsoft not have the resources? Is Windows like the ocean, where there are just hundreds of new species awaiting to be discovered? Did Microsoft at least know of the NSA vulnerabilities, for example, and kept it classified until NSA told them to plug them up? -- Later, Joe
On May 16, 2017, at 11:40 AM, JoeSox <joesox@gmail.com> wrote:
LOL. I think that is a really bad example and I see many fallacies in it, including a hasty generalization, as intersections, and roads for that matter, in America have been redesigned to improve safety.
So, if you want to talk about roads in the US, the first thing you have to do is look at the budgets. There are trillions of dollars worth of road improvements that should have been made over the past decades, but which haven't. You'd have to ask the politicians as to what they think the real reasons are, but my guess is that they were unwilling to make long-term investment on critical infrastructure, because it was seen as being too expensive in the short-term. And I definitely see a strong analogy there with what Microsoft has/has not done.
Isn't it true, with any tech product, the more complex features, the less secure it is? Ask yourself why this is the case, and I believe the true issue with tech lies there.
To a degree, this is true. But there are more iOS devices out there than there are Windows boxes, and while iOS certainly isn't perfect, it definitely has a much better security posture. So, there is at least one other company out there that can do the job. I have to believe that there is more than just one.
I don't know. It is hard to imagine a professional IT nowadays, seriously blaming Microsoft for every bad thing out there.
I don't blame Microsoft for every bad thing out there. I do think they are, by far, the worst of the Fortune 25. But there are 24 other companies on that list who all have their own part to play -- including Apple.
What would be more of an interesting discussion, to me, would be why doesn't Microsoft know about these hoarding of vulnerabilities by State actors and plug them up?
Well, this one is actually an old vulnerability, right? One that Microsoft supposedly fixed years ago? So, why didn't they fix it properly back then?
Are they really that clever of vulnerabilities? Does Microsoft not have the resources? Is Windows like the ocean, where there are just hundreds of new species awaiting to be discovered? Did Microsoft at least know of the NSA vulnerabilities, for example, and kept it classified until NSA told them to plug them up?
Good conspiracy questions to ask. But frankly, I don't care that Microsoft wants to blame the NSA for hoarding vulnerabilities. If Microsoft had spent more time/money/effort to get their crap right the first time, then we wouldn't have this mess. We might have a different mess, but we wouldn't have this one. -- Brad Knowles <brad@shub-internet.org>
On Tue, 16 May 2017 12:23:36 -0500, Brad Knowles said:
On May 16, 2017, at 11:40 AM, JoeSox <joesox@gmail.com> wrote:
Isn't it true, with any tech product, the more complex features, the less secure it is? Ask yourself why this is the case, and I believe the true issue with tech lies there.
To a degree, this is true. But there are more iOS devices out there than there are Windows boxes, and while iOS certainly isn't perfect, it definitely has a much better security posture.
Note that most of iOS's improved security posture is due to its design as a launcher of apps from a tightly controlled source that tightly control the user experience. It's pretty damned easy to harden Windows as well, if you're going to hobble it into being a canned app launcher. Of course, that will piss off everybody who's using Windows as a base for a generalized computing environment rather than an app-launching kiosk,
On Tue, 16 May 2017 09:40:50 -0700, JoeSox said:
What would be more of an interesting discussion, to me, would be why doesn't Microsoft know about these hoarding of vulnerabilities by State actors and plug them up?
It's pretty hard for Microsoft to know about an exploit the NSA is sitting on, until Shadow Brokers or similar spills the beans.
Are they really that clever of vulnerabilities? Does Microsoft not have the resources?
The talent pool for top-flight hackers is not all that large. And even if you acquire a large skilled team, there is *zero* guarantee that some other talented team won't find a hole that your team didn't spot. In fact, there's a lot of good reason to believe that exact situation happens *all the time*.
Is Windows like the ocean, where there are just hundreds of new species awaiting to be discovered?
Find statistics on average number of bugs per thousand lines of code. Find estimate of how many 10s of millions of lines of code ships as part of Windows. Do the math - and have alcohol handy for the almost certain drinking binge that the answer will inspire.
Did Microsoft at least know of the NSA vulnerabilities, for example, and kept it classified until NSA told them to plug them up?
There's lots of informed speculation on that one, but I can almost guarantee that you'll never get a definitive answer from somebody who actually knows.
What would be more of an interesting discussion, to me, would be why doesn't Microsoft know about these hoarding of vulnerabilities by State actors and plug them up?
Some state actors they do know. They custom write the security flaws on the state actors request.
Are they really that clever of vulnerabilities? Does Microsoft not have the resources? Is Windows like the ocean, where there are just hundreds of new species awaiting to be discovered? Did Microsoft at least know of the NSA vulnerabilities, for example, and kept it classified until NSA told them to plug them up?
Of course Microsoft knew, since they wrote in the backdoor in the first place. That is why when informed by their employers that the backdoor was going to be made public, they could undo the changes they had introduced so rapidly.
On Tue, 16 May 2017 16:41:36 -0600, "Keith Medcalf" said:
Of course Microsoft knew, since they wrote in the backdoor in the first place. That is why when informed by their employers that the backdoor was going to be made public, they could undo the changes they had introduced so rapidly.
Do you have any actual evidence or citations that in fact, this was an intentionally inserted backdoor?
On Tue, May 16, 2017 at 08:12:41PM -0400, valdis.kletnieks@vt.edu wrote:
On Tue, 16 May 2017 16:41:36 -0600, "Keith Medcalf" said:
Of course Microsoft knew, since they wrote in the backdoor in the first place. That is why when informed by their employers that the backdoor was going to be made public, they could undo the changes they had introduced so rapidly.
Do you have any actual evidence or citations that in fact, this was an intentionally inserted backdoor?
You'll have to speak up, he can't hear you over the rustling of the tin foil. - Matt
On Wed, 17 May 2017, Matt Palmer wrote:
Do you have any actual evidence or citations that in fact, this was an intentionally inserted backdoor?
You'll have to speak up, he can't hear you over the rustling of the tin foil.
- Matt
Pretty low blow considering if I saw "greys" in my yard, I'd be all: "OMGF illuminati!" -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM "Where ignorance is our master, there is no possibility of real peace" - Dalai Lama 0B23 595C F07C 6092 8AEB 074B FC83 7AF5 9D8A 4463 https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463
On Tuesday, 16 May, 2017 18:13, Valdis Kletnieks <valdis@vt.edu> wrote:
On Tue, 16 May 2017 16:41:36 -0600, "Keith Medcalf" said:
Of course Microsoft knew, since they wrote in the backdoor in the first place. That is why when informed by their employers that the backdoor was going to be made public, they could undo the changes they had introduced so rapidly.
Do you have any actual evidence or citations that in fact, this was an intentionally inserted backdoor?
Equal in quantity and quality to the evidence to the contrary.
On Tue, 16 May 2017 20:55:37 -0600, "Keith Medcalf" said:
On Tuesday, 16 May, 2017 18:13, Valdis Kletnieks <valdis@vt.edu> wrote:
On Tue, 16 May 2017 16:41:36 -0600, "Keith Medcalf" said:
Of course Microsoft knew, since they wrote in the backdoor in the first place. That is why when informed by their employers that the backdoor was going to be made public, they could undo the changes they had introduced so rapidly.
Do you have any actual evidence or citations that in fact, this was an intentionally inserted backdoor?
Equal in quantity and quality to the evidence to the contrary.
In that case, "Of course Microsoft didn't know" is equally probable. In fact, it's *more* probable, because if it was intentional, they'd have to have ways in place to make sure that if some random programmer managed to find it and report it, the bug wouldn't get fixed - and the fact that there was a long-standing bug not fixed didn't get noticed by the QA team and the rest. After all, once some TLA paid good money to get that backdoor installed, the *last* thing you want happening is the sentence, "What do you mean, you accidentally fixed it?" Plus, since "Microsoft didn't intentionally put the MS17-010 bug in as a backdoor" is the null hypothesis, it requires zero evidence, and it's your job to bring positive evidence for the non-null hypothesis.
Can we end this thread? I think the original intent has come and gone. Josh Luthman Office: 937-552-2340 Direct: 937-552-2343 1100 Wayne St Suite 1337 Troy, OH 45373 On May 16, 2017 11:40 PM, <valdis.kletnieks@vt.edu> wrote:
On Tue, 16 May 2017 20:55:37 -0600, "Keith Medcalf" said:
On Tuesday, 16 May, 2017 18:13, Valdis Kletnieks <valdis@vt.edu> wrote:
On Tue, 16 May 2017 16:41:36 -0600, "Keith Medcalf" said:
Of course Microsoft knew, since they wrote in the backdoor in the first place. That is why when informed by their employers that the backdoor was going to be made public, they could undo the changes they had introduced so rapidly.
Do you have any actual evidence or citations that in fact, this was an intentionally inserted backdoor?
Equal in quantity and quality to the evidence to the contrary.
In that case, "Of course Microsoft didn't know" is equally probable.
In fact, it's *more* probable, because if it was intentional, they'd have to have ways in place to make sure that if some random programmer managed to find it and report it, the bug wouldn't get fixed - and the fact that there was a long-standing bug not fixed didn't get noticed by the QA team and the rest. After all, once some TLA paid good money to get that backdoor installed, the *last* thing you want happening is the sentence, "What do you mean, you accidentally fixed it?"
Plus, since "Microsoft didn't intentionally put the MS17-010 bug in as a backdoor" is the null hypothesis, it requires zero evidence, and it's your job to bring positive evidence for the non-null hypothesis.
On Tue, 2017-05-16 at 10:33 -0500, Brad Knowles wrote:
In the American approach, if there are a significant number of road fatalities, then it's the drivers' own fault and they should have taken more care. They are automatically to blame for their own failure.
Not in all parts of America. Highway 18 here just got a full metal barrier separating the opposing traffic in much of the 4 lane section. 55 mph limit, lots of tight curves, about 18 inches separation between the opposing traffic, and a bunch of drivers that don't know how to drive around a curve. Someone got tired of all the head on crashes, so they "fixed" the road.
In article <m2lgpycpjr.wl-randy@psg.com> you write:
fyi, current opinion in the security community seems to be that win10 is better secured than linuxes, bsds, ... see http://cyber-itl.org/; still pretty sparse, but getting fleshed out.
Not against Microsoft. R's, John
On May 15, 2017, at 5:37 AM, Rich Kulawiec <rsk@gsp.org> wrote:
[1] There may be no such thing as a secure system, period. But it would be better to deploy things that may have a fighting chance instead of things that have long since proven to have none at all.
As much as I hate, loathe, and despise Microsoft, there's always going to be someone/something out there that is "the worst". Eliminate the current "worst", and there will be another one right behind them. I do believe that Microsoft is directly responsible for trillions of dollars/euros of damage done to economies worldwide, due to their lax security practices over the years. Their advances have only come at the cost of great pain on the part of others, and they have been kicking and screaming all the while being dragged into the modern world. The rest of us will continue to bear the pain and anguish that they create. That's just the way things are. Not the way they should be, but the way they are. -- Brad Knowles <brad@shub-internet.org>
On Mon, 15 May 2017, Brad Knowles wrote:
As much as I hate, loathe, and despise Microsoft, there's always going to be someone/something out there that is "the worst". Eliminate the current "worst", and there will be another one right behind them.
I do believe that Microsoft is directly responsible for trillions of dollars/euros of damage done to economies worldwide, due to their lax security practices over the years. Their advances have only come at the cost of great pain on the part of others, and they have been kicking and screaming all the while being dragged into the modern world.
The rest of us will continue to bear the pain and anguish that they create. That's just the way things are. Not the way they should be, but the way they are.
-- Brad Knowles <brad@shub-internet.org>
Spot on. Shame on Microsoft for releasing patches and not forcing the installation versus letting security managers open up ISC^, and other nonsensical frameworks to do things like "change/patch management" tasks. I mean, who cares if one little patch knocks a business out of existence. I do believe Microsoft is directly responsible for making people such daft "To patch or not to patch" admins. Force feed patches on everyone! Then your next message will be: "I believe Microsoft is responsible for trillions of dollars by pushing out patches forcefully and negatively impacting businesses worldwide." Pain and anguish? I'm smiling and drinking coffee. I adore when security shenanigans occur. That is the sound of a cash register to me. -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM "Where ignorance is our master, there is no possibility of real peace" - Dalai Lama 0B23 595C F07C 6092 8AEB 074B FC83 7AF5 9D8A 4463 https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463
On May 15, 2017, at 10:08 AM, J. Oquendo <joquendo@e-fensive.net> wrote:
Spot on. Shame on Microsoft for releasing patches and not forcing the installation versus letting security managers open up ISC^, and other nonsensical frameworks to do things like "change/patch management" tasks. I mean, who cares if one little patch knocks a business out of existence.
If Microsoft didn't open the security hole in the first place, then there wouldn't be a need to patch it afterwards. Of course, there will always be patches that need to be applied, and people do have to decide what is a sane patching process. But if a patch can be completely avoided because they were more careful and rigorous in their development to begin with, then as a whole the world would be better off.
I do believe Microsoft is directly responsible for making people such daft "To patch or not to patch" admins. Force feed patches on everyone! Then your next message will be: "I believe Microsoft is responsible for trillions of dollars by pushing out patches forcefully and negatively impacting businesses worldwide."
An ounce of prevention on their part would prevent a pound of cure having to be applied by everyone else in the world. But then Microsoft couldn't extract their value from selling that pound of cure, so that would be another problem.
Pain and anguish? I'm smiling and drinking coffee. I adore when security shenanigans occur. That is the sound of a cash register to me.
Not everyone licks their chops and thinks "fresh meat" when they see worldwide panic that results from a massive security hole like this. Some of us just want to get regular work done. -- Brad Knowles <brad@shub-internet.org>
On Mon, 15 May 2017, Brad Knowles wrote:
If Microsoft didn't open the security hole in the first place, then there wouldn't be a need to patch it afterwards.
You are very correct. Microsoft opened the hole because they had nothing better to do. Or, could it be that these things happen, akin to a car having to perform a recall. I am sure (with the exception of Volkswagen's clusterf^W) no vendor in any vertical wants to put out subpar products (call me a dreamer.)
Of course, there will always be patches that need to be applied, and people do have to decide what is a sane patching process. But if a patch can be completely avoided because they were more careful and rigorous in their development to begin with, then as a whole the world would be better off.
Rigorous in development means little. Go pick an RFC and you will find that over time, even the foundations have at some point or another been broken/circumvented. I have a mental running joke "Blame Paul Vixie!!!" (Sorry Paul :)) When the world lost their ability to use common sense, anything related to DNS became a blame Paul for writing BIND. No... Old saying: "Any time you point the finger, remember, there are more of your fingers pointing back at you." Organizations do perform testing, and some don't. Just because some don't does not mean the industry as a whole won't, or doesn't do it. The fact MS went out of their way to make patches for systems they SPECIFICALLY stated they would not support no more gives them kudos across the board.
An ounce of prevention on their part would prevent a pound of cure having to be applied by everyone else in the world.
With 20/20 vision, should that mean I should be expected to see someone throwing a 100MPH fastball at me from my back? Would my pound of cure be ESP for seeing the future?
But then Microsoft couldn't extract their value from selling that pound of cure, so that would be another problem.
Sorry to tell you this, that comment makes little sense. I didn't know Microsoft sold that pound of cure (patch).
Not everyone licks their chops and thinks "fresh meat" when they see worldwide panic that results from a massive security hole like this.
Jump in the security space, where we may gladly trade our cats and dogs for Porsche Panameras
Some of us just want to get regular work done.
And some of us find that life goes on. This is no different than Nimda, and other minor fiascos that occur every once in a while. With the exception of Morris. No one, not even the worms in the dirt like him. -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM "Where ignorance is our master, there is no possibility of real peace" - Dalai Lama 0B23 595C F07C 6092 8AEB 074B FC83 7AF5 9D8A 4463 https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463
On May 15, 2017, at 11:21 AM, J. Oquendo <joquendo@e-fensive.net> wrote:
Not everyone licks their chops and thinks "fresh meat" when they see worldwide panic that results from a massive security hole like this.
Jump in the security space, where we may gladly trade our cats and dogs for Porsche Panameras
Thanks, but no. I am already forced to do much more in the security space than I would like. And I love my little miracle kitty very much. I wouldn't trade her for any kind of vehicle in this world. I am rather less materialistic than that. -- Brad Knowles <brad@shub-internet.org>
You, sir, are to be congratulated!

I have been on this list for many years - mainly to keep in the loop. Up until today the list went to a catch-all account as I have never felt the need to post. Today, though, I felt the need to create the mailbox just so I could reply since your posts have been the most irritating I have ever seen on this list. The complete ineptness in any of the points you shared was astonishing.

If you are on this list you are most likely in some business associated with the Internet so if you are like some of those that "just want to get some regular work done" let me remind you that this _is_ regular work. Get it done. Microsoft isn't to blame here. It's the people who refuse to upgrade their Operating Systems or patch religiously who are (read: IT departments here too). A lot more of the world use Microsoft products than you seem to think - it is the dominant one and it's not going away. If this causes you more work than the random scripts you google on the Internet to run on your *nix boxes perhaps your time in the business is up.

I too prefer and enjoy running all sorts of flavors of unix/Linux and sometimes you will find that I bash the occasional Windows user for being less than diligent but there is a limit to this bashing and you, Rich, have well exceeded that IMO.

For those of you on this list that feel that this post was not necessary, I am sorry and would normally agree with you and I hardly think it will happen again.

Phillip White

-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Rich Kulawiec
Sent: Monday, May 15, 2017 4:37 AM
To: nanog@nanog.org
Subject: Re: Please run windows update now

You make some excellent points: but I grow very, very tired of having to spend my time and my energy -- note timestamp on my message -- dealing with the fallout. It should be painfully clear to everyone that there is no such thing as a secure Windows system. [1]

It should have been painfully clear after Code Red, after the rise of bots, and after a hundred other incidents before/since of varying severity and duration. But apparently it's not and so despite the impact of this current one -- including large-scale disruption of healthcare in the UK -- this will keep happening over and over again.

And even those of us who have the good judgment to never use Microsoft products have to pay the price for the poor decision-making of others. Again. And again. It's getting old. Just like all the other things that people do (many of which have been discussed here at great length) that cause problems for others who are making an earnest attempt to do things right.

How bad do things have to get before the people who are stubbornly clinging to this finally let go? Does someone have to die? Because -- again, see healthcare provider impact in the UK -- we're not that far from it.

---rsk

[1] There may be no such thing as a secure system, period. But it would be better to deploy things that may have a fighting chance instead of things that have long since proven to have none at all.
YOU WENT THERE (ignores enough to run for president)

On May 15, 2017 1:48:51 AM PDT, Randy Bush <randy@psg.com> wrote:
Or BSD, or anything but Windows. Anyone running Microsoft products is quite clearly an unprofessional, unethical moron and fully deserves all the pain they get -- including being sued into oblivion by their customers and clients for their obvious incompetence and negligence.
aside from being grossly rude, hyperbolic, and unintelligent, this rant ignores reality enough to make you a viable presidential candidate.
80% of desk/laptops run windows. get over it. windows is embedded in many systems which will be hard to update in an hour or 100 hours. and rude ranting is not doing one micron to help deal with it.
embedded systems are very hard to update, think special drivers, kinky mods, ... aside from the long softdev time, how much time do you think QA will take for moving a piece of medical equipment from xp to win10, let alone bsd? and the state of the bsd update process is not something to describe in polite company.
we have a vulnerable chain from weak software (which is improving, and msoft has been in the lead there for a decade), to nsa/cia not disclosing, to people choosing or having to run old versions (of whatever, and linux/bsd are not immune) for financial or technical reasons, to the conservative or lazy logistics of patching. we can try to improve things at each link. but this is gonna be slow.
though this ransomware attack is not really that much larger than other attacks in the past (and the future is not cheering), at least it has reached the front pages and maybe people will patch more and vendors will issue more/better updates. but, as @zeynep says, the lack of liability along the chain above allows bad practices to continue.
in the meantime, backup, backup and take it offline so it does not get encrypted for you, patch, turn off unnecessary services/options, rinse repeat. and try to promote prudent use among friends, family, and workplace.
randy
-- Sent from my Android device with K-9 Mail. Please excuse my brevity.
With that kind of attitude and disconnect from reality I wonder who is the unprofessional moron... - Jorge (mobile)
On May 15, 2017, at 1:12 AM, Rich Kulawiec <rsk@gsp.org> wrote:
On Sat, May 13, 2017 at 12:07:39AM -0500, Joe wrote: One word. Linux.
Or BSD, or anything but Windows. Anyone running Microsoft products is quite clearly an unprofessional, unethical moron and fully deserves all the pain they get -- including being sued into oblivion by their customers and clients for their obvious incompetence and negligence.
---rsk
On Fri, May 12, 2017 at 10:30 AM, Royce Williams <royce@techsolvency.com> wrote:
My $0.02, for people doing internal/private triage:
- If your use of IPv4 space is sparse by routes, dump your internal routing table and convert to summarized CIDR.
- Feed your CIDRs to masscan [1] to scan for internal port 445 (masscan randomizes targets, so destination office WAN links won't saturate, but local/intermediate might if you're not careful, so tune):
sudo masscan -p445 --rate=[packets-per-second safe for your network] -iL routes.list -oG masscan-445.out
- Use https://github.com/RiskSense-Ops/MS17-010/tree/master/scanners (the python2 one, or the Metasploit one if you can use that internally) to detect vuln. the python one is not* a parallelized script, so consider breaking it into multiple parallel runners if you have a lot of scale.
Note - I've learned that the detection rate for the Python script above is *much* lower than this nmap script. I recommend using the nmap script instead: https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/smb-vuln-ms17-...
- If you're using SCCM/other, verify that MS17-010 was applied - but be mindful of Windows-based appliances not centrally patched, etc. Trust but verify.
- In parallel, consider investigating low-hanging fruit by OU (workstations?) to disable SMBv1 entirely.
Royce
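The triage steps above, worked through in code as an added example (not Royce's script, and not masscan's or either MS17-010 checker's code): collapse a route dump into summarized CIDRs for masscan -iL, pull the hosts with 445/tcp open out of masscan's grepable (-oG) output, confirm they fall inside the intended scope, and split them into per-runner target lists for parallel runs of the single-threaded checker. The route dump and masscan output are constructed samples, and the -oG line shape "Host: <ip> () <TAB> Ports: <port>/<state>/<proto>/..." is an assumption.

```python
"""Route summarization plus masscan -oG parsing for MS17-010 triage.
Added example; all input data below is constructed."""
import ipaddress
import re
from typing import Iterable, List

# Constructed sample: destination prefixes pulled from a routing-table dump,
# one per line. Overlapping and adjacent prefixes are deliberate.
ROUTE_DUMP = """\
10.10.0.0/24
10.10.1.0/24
10.10.2.0/23
10.10.0.0/22
192.168.50.0/25
192.168.50.128/25
172.16.8.0/24
"""

# Constructed sample of masscan -oG output for a 445/tcp sweep (the line
# layout "Host: <ip> ()\tPorts: <port>/<state>/<proto>/..." is assumed).
MASSCAN_OG = """\
# Masscan 1.0.4 scan initiated Fri May 12 17:40:00 2017
# Ports scanned: TCP(1;445-445) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Host: 10.10.0.15 ()\tPorts: 445/open/tcp////
Host: 10.10.1.7 ()\tPorts: 445/open/tcp////
Host: 10.10.1.7 ()\tPorts: 445/open/tcp////
Host: 172.16.8.200 ()\tPorts: 445/open/tcp////
# Masscan done at Fri May 12 17:41:10 2017
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\)\s+Ports:\s+(.+)$")


def summarize_routes(lines: Iterable[str]) -> List[str]:
    """Collapse IPv4 prefixes into the minimal covering set (masscan -iL input)."""
    nets = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def open_hosts(og_text: str, port: int = 445) -> List[str]:
    """Hosts masscan -oG reported with `port`/tcp open, deduplicated, in order seen."""
    found: List[str] = []
    for line in og_text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        host, ports = m.groups()
        for entry in ports.split(","):
            f = entry.strip().split("/")  # port/state/proto/owner/service/...
            if len(f) >= 3 and f[0] == str(port) and f[1] == "open" and f[2] == "tcp":
                if host not in found:
                    found.append(host)
    return found


def out_of_scope(hosts: Iterable[str], cidrs: Iterable[str]) -> List[str]:
    """Hosts not covered by any CIDR; non-empty means the scan strayed outside
    the routes you meant to cover, or the route dump is stale."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [h for h in hosts if not any(ipaddress.ip_address(h) in n for n in nets)]


def chunk_targets(hosts: List[str], runners: int) -> List[List[str]]:
    """Round-robin split into `runners` target lists, one per checker process."""
    buckets: List[List[str]] = [[] for _ in range(runners)]
    for i, h in enumerate(hosts):
        buckets[i % runners].append(h)
    return buckets


if __name__ == "__main__":
    cidrs = summarize_routes(ROUTE_DUMP.splitlines())
    hosts = open_hosts(MASSCAN_OG)
    print("routes.list:", cidrs)
    print("445/tcp open:", hosts, "outside scope:", out_of_scope(hosts, cidrs))
    for i, bucket in enumerate(chunk_targets(hosts, 2)):
        print(f"targets-{i}.txt:", bucket)  # one file per parallel checker run
```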
Thanks for the headsup but I would expect to see some references to the patches that need to be installed to block the vulnerability (Sorry for sounding like a jerk). We all know to update systems ASAP.

-- Later, Joe

On Fri, May 12, 2017 at 10:35 AM, Ca By <cb.list6@gmail.com> wrote:
This looks like a major worm that is going global
Please run windows update as soon as possible and spread the word
It may be worth also closing down ports 445 / 139 / 3389
http://www.npr.org/sections/thetwo-way/2017/05/12/ 528119808/large-cyber-attack-hits-englands-nhs-hospital- system-ransoms-demanded
MS17-010
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Fri, May 12, 2017 at 2:35 PM, JoeSox <joesox@gmail.com> wrote:
Thanks for the headsup but I would expect to see some references to the patches that need to be installed to block the vulnerability (Sorry for sounding like a jerk). We all know to update systems ASAP.
-- Later, Joe
Just a note folks that while this particular ransomware is using the MS17-010 exploit to help spread, it does not rely on it. This is still a regular piece of ransomware that, if someone opens the malicious file, will encrypt files.

SANS has some IoCs and more information:
https://isc.sans.edu/forums/diary/Massive+wave+of+ransomware+ongoing/22412/

On Fri, 12 May 2017 at 11:45 Josh Luthman <josh@imaginenetworksllc.com> wrote:
MS17-010 https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373
I show MS17-010 as already superseded in SCCM

On Fri, May 12, 2017 at 1:44 PM, Josh Luthman <josh@imaginenetworksllc.com> wrote:
MS17-010 https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Josh Luthman Office: 937-552-2340 Direct: 937-552-2343 1100 Wayne St Suite 1337 Troy, OH 45373
Link?

I only posted it as reference to the vulnerability.

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Sat, May 13, 2017 at 2:07 AM, Nathan Fink <nefink@gmail.com> wrote:
I show MS17-010 as already superseded in SCCM
They even released updates for XP & 2003
http://www.catalog.update.microsoft.com/search.aspx?q=4012598

-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Josh Luthman
Sent: Monday, May 15, 2017 10:45 AM
To: Nathan Fink <nefink@gmail.com>
Cc: nanog@nanog.org
Subject: Re: Please run windows update now

Link?

I only posted it as reference to the vulnerability.

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Sat, May 13, 2017 at 2:07 AM, Nathan Fink <nefink@gmail.com> wrote:
I show MS17-010 as already superseded in SCCM
I should clarify, the link in my email below is only for windows versions that are considered unsupported.

This one has links for the currently supported versions of windows
https://support.microsoft.com/en-us/help/4013389/title

-----Original Message-----
From: timrutherford@c4.net [mailto:timrutherford@c4.net]
Sent: Monday, May 15, 2017 11:12 AM
To: 'Josh Luthman' <josh@imaginenetworksllc.com>; 'Nathan Fink' <nefink@gmail.com>
Cc: 'nanog@nanog.org' <nanog@nanog.org>
Subject: RE: Please run windows update now

They even released updates for XP & 2003
http://www.catalog.update.microsoft.com/search.aspx?q=4012598

-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Josh Luthman
Sent: Monday, May 15, 2017 10:45 AM
To: Nathan Fink <nefink@gmail.com>
Cc: nanog@nanog.org
Subject: Re: Please run windows update now

Link?

I only posted it as reference to the vulnerability.

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Sat, May 13, 2017 at 2:07 AM, Nathan Fink <nefink@gmail.com> wrote:
I show MS17-010 as already superseded in SCCM
I do not see any links to actually download the actual patches. Just a bunch of text drivel.

-- ˙uʍop-ǝpısdn sı ɹoʇıuoɯ ɹnoʎ 'sıɥʇ pɐǝɹ uɐɔ noʎ ɟı

-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of timrutherford@c4.net
Sent: Monday, 15 May, 2017 09:23
To: 'Josh Luthman'; 'Nathan Fink'
Cc: nanog@nanog.org
Subject: RE: Please run windows update now
I should clarify, the link in my email below is only for windows versions that are considered unsupported.
This one has links for the currently supported versions of windows
https://support.microsoft.com/en-us/help/4013389/title
https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wa...

Look near the bottom under Further Resources.

On May 15, 2017, at 10:44 AM, Keith Medcalf <kmedcalf@dessus.com> wrote:

I do not see any links to actually download the actual patches. Just a bunch of text drivel.

-- ˙uʍop-ǝpısdn sı ɹoʇıuoɯ ɹnoʎ 'sıɥʇ pɐǝɹ uɐɔ noʎ ɟı

--- Keith Stokes
<https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/> https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wa...
Look near the bottom under Further Resources.
Those links appear to be patches for older versions of Windows. The link that Josh sent initially is probably the most straightforward for currently supported versions.

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Scroll down below “Affected Software and Vulnerability Severity Ratings” and click on the link in the left column; it will bring you to the MS Update Catalog download page for the patch in question.

Keep in mind that since MS started doing monthly patch rollups instead of individual patches, they are listing a “rollup” KB# and “security only” KB# for each version of Windows. For example, look at Windows 2012/2012R2 above – there are four different KB#s depending on the OS version and update method being used.

KB4012217 : “monthly rollup” version for 2012 (gets delivered via windows update - contains this patch and several others)
KB4012214 : “security only” version for 2012 for this one patch
KB4012216 : 2012R2 version of the rollup
KB4012213 : 2012R2 version of the security only patch

-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Keith Stokes
Sent: Monday, May 15, 2017 11:49 AM
To: Keith Medcalf <kmedcalf@dessus.com>
Cc: nanog@nanog.org
Subject: Re: Please run windows update now

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Look near the bottom under Further Resources.

On May 15, 2017, at 10:44 AM, Keith Medcalf <kmedcalf@dessus.com> wrote:

I do not see any links to actually download the actual patches. Just a bunch of text drivel.

-- ˙uʍop-ǝpısdn sı ɹoʇıuoɯ ɹnoʎ 'sıɥʇ pɐǝɹ uɐɔ noʎ ɟı

--- Keith Stokes
participants (29)
- Aaron C. de Bruyn
- Alexander Maassen
- Andrew Kerr
- Brad Knowles
- bzs@theworld.com
- Ca By
- Carl Byington
- Eliezer Croitoru
- J. Oquendo
- Joe
- JoeSox
- John Levine
- Jonathan Roach
- Jorge Amodio
- Josh Luthman
- Karl Auer
- Keith Medcalf
- Keith Stokes
- LHC (k9m)
- Matt Palmer
- Nathan Brookfield
- Nathan Fink
- Phillip White
- Randy Bush
- Rich Kulawiec
- Royce Williams
- timrutherford@c4.net
- valdis.kletnieks@vt.edu
- William Waites