Kitz Forum

Announcements => News Articles => Topic started by: Bowdon on May 12, 2017, 09:32:41 PM

Title: NHS hit by ransomware!
Post by: Bowdon on May 12, 2017, 09:32:41 PM
http://www.dailymail.co.uk/news/article-4500738/NHS-hack-huge-global-cyber-attack.html

https://www.theguardian.com/society/2017/may/12/hospitals-across-england-hit-by-large-scale-cyber-attack

http://www.bbc.co.uk/news/health-39899646

https://www.theregister.co.uk/2017/05/12/nhs_hospital_shut_down_due_to_cyber_attack/ - UK hospital meltdown after ransomware worm uses NSA vuln to raid IT

From what I understand about ransomware, most of it comes via email attachments. I'm sure this is what's happened in this situation. Maybe the emails were targeted to the NHS email addresses, but people clicked on the fake attachments.

I don't know why any good technician couldn't have set up the email attachments so only outgoing emails can send them. Also have checks on all external links going through some kind of scanner. But like a lot of tech people these days, I don't think they are that up to date with the current hardware/software. I've heard people say some computers are still on Windows 95.

The UK needs to stop dragging its heels when it comes to technology.
Title: Re: NHS hit by ransomware!
Post by: sevenlayermuddle on May 12, 2017, 10:23:13 PM
Imho the problem lies with the attitude that we'll be safe if we tick all the boxes... Latest OS, AV, update etc. Utter nonsense. No amount of OS updates or AV will give the slightest protection if you are among the first to be targeted when new malware is unleashed.

The answer, to me, lies in getting the message across to big institutions like the NHS and the banks... IT is fundamentally insecure. Period.

Encryption is no real defence, as vulnerabilities will be found that allow it to be cracked - as has always happened, and always will. Conduct your business on the assumption you will be successfully attacked, and just plan for dealing with it. And don't be surprised when it happens, regardless of any assurances you may have been given by highly paid 'security specialists'.
Title: Re: NHS hit by ransomware!
Post by: NEXUS2345 on May 12, 2017, 10:32:19 PM
Quote
Imho the problem lies with the attitude that we'll be safe if we tick all the boxes... Latest OS, AV, update etc. Utter nonsense. No amount of OS updates or AV will give the slightest protection if you are among the first to be targeted when new malware is unleashed.

Now, I understand what you mean, but in this instance, this situation was entirely caused by a lack of updates. The ransomware strain in question makes use of MS17-010, a vulnerability that was patched over a month ago, to spread between Windows systems. In this case, if the NHS had been using a modern and up to date OS, this would not have occurred on the scale it has.

While this is not true for all strains of malware, this specific type and strain has many proven solutions to prevent it, including solutions from many AV vendors, and even included in Windows Defender on newer OS builds such as Windows 10.

Quote
Encryption is no real defence, as vulnerabilities will be found that allow it to be cracked - as has always happened, and always will. Conduct your business on the assumption you will be successfully attacked, and just plan for dealing with it. And don't be surprised when it happens, regardless of any assurances you may have been given by highly paid 'security specialists'.

I do agree with you here. Encryption is not a defence; it is simply a measure to reduce the damage once an attack has occurred. In this situation, no amount of encryption would have stopped the ransomware spreading, but in the case where the data was stolen, it would have prevented access, assuming the encryption keys weren't also stolen and that a good algorithm was used, such as 256-bit AES.

Vulnerabilities will always be found in systems, and OEMs will always do their best to patch them if they are found before they are exploited, but in some cases they are exploited first. Ensuring systems are up to date is still a key step to ensuring systems are kept secure, but yes, you still have to expect that you will be attacked successfully, otherwise you risk much harsher repercussions, especially with the EU General Data Protection Rules coming into force soon, with their much harsher penalties.
Title: Re: NHS hit by ransomware!
Post by: sevenlayermuddle on May 12, 2017, 11:18:13 PM
Quote
Now, I understand what you mean, but in this instance, this situation was entirely caused by a lack of updates.

I disagree. This situation was entirely caused by a bunch of crooks out to make money.

Chances are the crooks will make a great mountain of money, enough to attract better programming talent than the OS authors, or AV vendors, could hope to recruit.

For the likes of me and (I assume) thee, things are different. Little ol' me is unlikely to attract the massed efforts of the world's most advanced IT experts, chasing after my holiday snaps or worthless app source code. So AV and updates will make me reasonably safe. But for big value targets, the crooks will always win, and probably at a moment of their choosing - regardless of precautions.

Just my opinion.
Title: Re: NHS hit by ransomware!
Post by: WWWombat on May 12, 2017, 11:48:41 PM
Quote
The answer, to me, lies in getting the message across to big institutions like the NHS and the banks... IT is fundamentally insecure. Period.

The ones who need that message are the people who make budgets for such organisations.

Once that organisation is hooked into the technology, then lifelong maintenance spending is required. It is no good for, say, a government to go on an austerity drive, and shut down budgets.

But when push comes to shove, what gives? Another ward? Or next year's Win 95 upgrade budget?
Title: Re: NHS hit by ransomware!
Post by: sevenlayermuddle on May 12, 2017, 11:56:58 PM
Quote
But when push comes to shove, what gives? Another ward? Or next year's Win 95 upgrade budget?

As long as the consultant gets to turn up at his exclusive golf course in a shiny new Aston Martin, I doubt they care either way.
Title: Re: NHS hit by ransomware!
Post by: Chrysalis on May 13, 2017, 12:26:45 AM
Most PCs I see in hospitals which are on the desktop tend to be running Windows XP.

The gov also signed a contract with Microsoft last year to get extended support for XP as well.

The NHS is so overwhelmed, I imagine keeping IT up to date is not a high priority. Consider in such a large organisation all the software used, which all has to be tested to see if it works properly on a new OS before a rollout.
Title: Re: NHS hit by ransomware!
Post by: Chrysalis on May 13, 2017, 08:31:32 AM
Looked into this somewhat; it's apparently using the leaked NSA exploits, which if true were zero day, meaning even up to date systems are/were vulnerable.

It is also a worm, meaning it can automatically infect other machines without human intervention. The question is how the first NHS machine got infected, but once that first machine was infected it could spread via the LAN automatically.

It's always good to use a layered approach to security and assume that any one layer you use can be breached. I apologise for not yet doing work on the security wiki here, as I have been given the opportunity to do; I will try to get something compiled this month to help people.
Title: Re: NHS hit by ransomware!
Post by: sevenlayermuddle on May 13, 2017, 09:40:09 AM
Can't help thinking the UK media is missing the point to some extent, portraying it as an 'NHS issue', whereas it actually seems to be a global outbreak.  The Guardian had a link to a Kaspersky article that makes interesting reading.  It does mention the NHS, but is a bit more balanced.  Also it is a decent technical description....

https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/

Personally, I wonder if things are going to get a lot worse over the coming days. I'm guessing that the ransom is only displayed after encryption is complete, and I'd have thought it might take many hours/days to encrypt a few big multi-TB disks...
Title: Re: NHS hit by ransomware!
Post by: Ronski on May 13, 2017, 10:51:25 AM
A recent article in PC Pro suggested that the software could lie dormant on PCs for many months. I think it may even have said that it could be encrypting files as well in that time; I suppose if they encrypted files that hadn't been accessed for a long time first, then there's far less chance of it being noticed.

Anyway, it's made me start updating my backups. I have a constant backup to the cloud but also keep a few hard drives at my brother's, which I collected a couple of weeks ago to refresh the backups and hadn't got around to doing. Turns out I last backed up to these drives in August 2015  :no:
Title: Re: NHS hit by ransomware!
Post by: Chrysalis on May 13, 2017, 10:59:52 AM
Depends on the ransomware used: some will just encrypt documents and desktop, others will scan all drives, and others will also scan network mounts. The more that is encrypted, the more likely the person will be desperate, but on the flipside it takes longer to encrypt, reducing the chance of completion.

Some of the ransomware is completely mitigated simply by disabling the built-in NTFS encryption features in the registry; no ransomware I am aware of is clever enough to enable it if it's disabled, it simply just fails instead. However it won't mitigate all ransomware, as not all ransomware uses that encryption function.
Title: Re: NHS hit by ransomware!
Post by: Bowdon on May 13, 2017, 11:18:56 AM
It's also interesting that Microsoft released an update to Defender when the exploit first came to their attention (this version appeared in February). I suspect the update only applied to Windows 10 and maybe Windows 7, 8, and 8.1. But if they are using XP, does XP have a built-in anti-virus program?

It's also interesting that some NHS hospitals aren't affected. I know the lung function department I visit regularly isn't using Windows XP; I think they were using Win 8 or 8.1 when I last visited there at the start of the year. That hospital hasn't been affected.
Title: Re: NHS hit by ransomware!
Post by: sevenlayermuddle on May 13, 2017, 12:38:19 PM
Seems the Nissan plant at Sunderland is another victim...

http://www.bbc.co.uk/news/uk-england-39906534
Title: Re: NHS hit by ransomware!
Post by: broadstairs on May 13, 2017, 01:32:20 PM
I think one of the issues with these systems getting attacked is that they allow too many external connections. I see no reason for much of this, as we all know the fewer open ports the less chance of getting attacked; also these systems should not allow any personal use or email and web surfing. All emails should go to one isolated server to be validated prior to being passed on. I remember years ago at one government office I went to they had zero external connections directly into their network and only one PC with external access but no internal access, and they had some software which did not allow any USB devices to connect to their networked PCs unless previously processed by one PC to again validate the contents. Another client I had dealings with had one system which was approved as secure by the US Dept of Defense, and in order to gain that certification it had zero external connections!

In today's connected world nothing is 100% secure.

Stuart 
Title: Re: NHS hit by ransomware!
Post by: Bowdon on May 13, 2017, 01:46:39 PM
https://www.theguardian.com/technology/2015/may/26/uk-government-pcs-open-to-hackers-as-paid-windows-xp-support-ends - UK government PCs open to hackers as paid Windows XP support ends

Looks like the gov didn't have XP support from April last year (2016). That article is from May 2015.
Title: Re: NHS hit by ransomware!
Post by: kitz on May 13, 2017, 03:32:42 PM
According to the British Medical Journal earlier this week, 90% of NHS computers still run XP.
In April 2015 the Government Digital Service decided not to extend essential extended support and security updates crucial for keeping hackers at bay. Thus saving £5.5m.
Quote
"Technology leaders met last month and took a collective decision to not extend the support arrangement for 2015. The current support agreement ended in April 2015."

Wow that was some false economy!!!  :-X

How ironic that the BMJ warned on the 10th of May 2017 of the prospect of hospitals being held to ransom.
Quote
"We should be prepared: more hospitals will almost certainly be shut down by ransomware this year."
It would appear similar cases were already starting to occur in the US, with hospitals supposedly being held to ransom for several million dollars.

http://www.bmj.com/content/357/bmj.j2214
Title: Re: NHS hit by ransomware!
Post by: kitz on May 13, 2017, 03:34:07 PM
Some very interesting reading about the WannaCrypt ransomware here:-
https://www.troyhunt.com/everything-you-need-to-know-about-the-wannacrypt-ransomware/

Note how the code contained a kill switch.
A researcher registered the domain name yesterday, which has caused a drop-off of new cases being propagated; otherwise this could be much bigger globally. Bit late for the NHS though. :(

Quote
I'm yet to see a good analysis on why the kill switch existed in the first place and why discovery and circumvention was so simple. It seems entirely counter-intuitive to the goal of infecting as many machines as possible as quickly as possible and I hope we see some good analysis of that soon. The important thing here though is that based on the analysis we're seeing, this variant shouldn't be spreading any further however... there'll almost certainly be copycats.
Title: Re: NHS hit by ransomware!
Post by: Chrysalis on May 13, 2017, 03:45:42 PM
kitz, since it was zero day I think they still would have been vulnerable anyway.

The Microsoft patch has been issued "after" the NHS compromise.

Looking at that page you linked to, the SMB protocol: it's likely they spread via Windows file sharing, which I expect is enabled on a huge chunk of NHS machines, so my speculation of it spreading over the LAN I expect is correct. Of course it's unlikely the first machine got infected via SMB, hence my question of how the first machine got infected.

For those of us with pfSense machines I can think of an idea, but I'm not sure how to implement it.

Basically, figure out a way to make the resolver always reply with the RFC 1918 IP that routes to the local blank page for any domain name that exceeds a certain length. Meaning if any variant of this is relaunched into the wild but still has a kill switch on a new random domain, the kill switch would be activated.
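The length-based resolver rule sketched above can be tried out before touching a firewall. The PowerShell below is an added example written for this page, not code from the thread or from pfSense: it runs the rule over a handful of names, exempts an allow list, and prints the Unbound local-zone/local-data lines that pfSense's DNS Resolver accepts as custom options. The sinkhole address 10.0.0.2, the 30-character threshold, the allow-list pattern and every hostname except the first are assumptions; the first is the publicly reported WannaCry kill-switch domain.

```powershell
# Added example (not from the thread or pfSense): apply a "sinkhole any query with an over-long
# label" rule to a batch of names and emit the Unbound lines a pfSense resolver would need.
# Assumptions: sinkhole at 10.0.0.2 serving a blank page on port 80; 30-character threshold;
# the allow-list pattern and every hostname except the first are constructed.

$SinkholeIp  = '10.0.0.2'
$MaxLabelLen = 30
$AllowList   = @('*.s3.amazonaws.com')    # legitimate services known to use long labels

# The first entry is the publicly reported WannaCry kill-switch domain; the rest are made up.
$Queries = @(
    'iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com',
    'www.nhs.uk',
    'mycompany-backups-eu-west-2-archive-2017.s3.amazonaws.com',
    'login.microsoftonline.com',
    'update-content-0a9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d.example.net'
)

function Get-LongestLabel {
    # Length of the longest dot-separated label in a hostname.
    param([Parameter(Mandatory)][string]$Name)
    ($Name.TrimEnd('.').Split('.') | Measure-Object -Property Length -Maximum).Maximum
}

function Test-SinkholeCandidate {
    # True when some label exceeds the threshold and the name is not on the allow list.
    param([Parameter(Mandatory)][string]$Name, [int]$Max = $MaxLabelLen, [string[]]$Allow = $AllowList)
    if ((Get-LongestLabel $Name) -le $Max) { return $false }
    foreach ($pattern in $Allow) { if ($Name -like $pattern) { return $false } }
    return $true
}

function New-UnboundSinkholeConfig {
    # Unbound "redirect" zones; pfSense's DNS Resolver takes these as custom options.
    param([Parameter(Mandatory)][string[]]$Names, [string]$Ip = $SinkholeIp)
    foreach ($n in $Names) {
        "local-zone: `"$n`" redirect"
        "local-data: `"$n A $Ip`""
    }
}

'{0,-62} {1,6} {2}' -f 'name', 'label', 'decision'
foreach ($q in $Queries) {
    $decision = if (Test-SinkholeCandidate $q) { 'SINKHOLE' } else { 'resolve normally' }
    '{0,-62} {1,6} {2}' -f $q, (Get-LongestLabel $q), $decision
}

$hits = $Queries | Where-Object { Test-SinkholeCandidate $_ }
''
'# Unbound custom options for the matches:'
New-UnboundSinkholeConfig -Names $hits
```

Two things the output makes visible. A bare length rule also catches legitimate names with long labels (the constructed S3 bucket and CDN hostnames here), so in practice it needs an allow list or, more simply, a static redirect list of reported kill-switch domains. And redirecting is not enough on its own: the machine only stood down if it could actually reach the domain, so whatever sits at 10.0.0.2 must answer HTTP on port 80, and the domain must not simply be blocked.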
Title: Re: NHS hit by ransomware!
Post by: kitz on May 13, 2017, 04:12:56 PM
Quote
kitz, since it was zero day I think they still would have been vulnerable anyway.

According to Microsoft, any [XP] machines with extended support should be OK as long as they installed the security update available to them in March.
The following applies to Windows platforms in custom support including XP, Windows 8 and Windows Server 2003

Quote
In March, we released a security update which addresses the vulnerability that these attacks are exploiting. Those who have Windows Update enabled are protected against attacks on this vulnerability.

It looks like yesterday Microsoft made a decision to release the security update and make it available to all who run one of the operating systems still in custom support, regardless of whether they have purchased extended support or not. Still too late for the NHS :/

See   https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
Title: Re: NHS hit by ransomware!
Post by: Chrysalis on May 13, 2017, 04:25:08 PM
OK, thanks for the correction.

The NHS has its problems, and I can sympathise with the low priority IT maintenance has been given. The money to pay out to Microsoft I know is a tiny % of the overall NHS budget, but if you think of it another way, how many tablets does it buy, how many operations does it fund, how many staff does it pay? It's understandable why the shortcut was made. They may have even laid off the IT staff that would have carried out this work as well; wouldn't surprise me.
Title: Re: NHS hit by ransomware!
Post by: kitz on May 13, 2017, 04:25:45 PM
Re the killswitch, I think that's just given a bit of breathing space to some machines which could have become infected.

The way I read things from what others were saying is that as long as WannaCrypt could reach the domain then the machine was not infected. However, like you say, that does not stop any future similar virus changing the domain. By all accounts it appears that it was a manually typed domain rather than randomly generated.

Basically it was just the quick action of someone buying that domain which gave a temporary reprieve to some [unpatched] machines.

Quote
Infections for WannaCry/WanaDecrpt0r are down due to @MalwareTechBlog registering initial C2 domain leading to kill-switch #AccidentalHero
Title: Re: NHS hit by ransomware!
Post by: kitz on May 13, 2017, 04:27:14 PM
Quote
The NHS has its problems, and I can sympathise with the low priority IT maintenance has been given. The money to pay out to Microsoft I know is a tiny % of the overall NHS budget, but if you think of it another way, how many tablets does it buy, how many operations does it fund, how many staff does it pay? It's understandable why the shortcut was made. They may have even laid off the IT staff that would have carried out this work as well; wouldn't surprise me.

Ain't that the truth.    :'(
Title: Re: NHS hit by ransomware!
Post by: NEXUS2345 on May 13, 2017, 04:32:00 PM
Quote
According to Microsoft, any [XP] machines with extended support should be OK as long as they installed the security update available to them in March.
The following applies to Windows platforms in custom support including XP, Windows 8 and Windows Server 2003

It looks like yesterday Microsoft made a decision to release the security update and make it available to all who run one of the operating systems still in custom support, regardless of whether they have purchased extended support or not. Still too late for the NHS :/

See   https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

The issue was patched on systems from Windows Vista SP2 through to Windows 10 over a month ago. The fix released yesterday was explicitly for XP and Server 2003. This was not a zero day in any shape or form, although it may appear to be due to the scale of the impact. The issue highlighted here is that many large organisations do not have the systems in place to ensure that every vulnerable device is patched or removed from the network if a patch is not ever going to be available.
Title: Re: NHS hit by ransomware!
Post by: NEXUS2345 on May 13, 2017, 04:33:09 PM
Quote
Re the killswitch, I think that's just given a bit of breathing space to some machines which could have become infected.

The way I read things from what others were saying is that as long as WannaCrypt could reach the domain then the machine was not infected. However, like you say, that does not stop any future similar virus changing the domain. By all accounts it appears that it was a manually typed domain rather than randomly generated.

Basically it was just the quick action of someone buying that domain which gave a temporary reprieve to some [unpatched] machines.

Some firewall vendors are now blocking this domain for some reason, so if you are in a business, double check that the site is accessible to ensure your network remains safe if there are unpatched systems.
Title: Re: NHS hit by ransomware!
Post by: sevenlayermuddle on May 13, 2017, 04:38:12 PM
Quote
It looks like yesterday Microsoft made a decision to release the security update and make it available to all who run one of the operating systems

Now that's good to know, thanks.   :)

I still have an XP box, AV licence long-since expired,  that's called into service once in a blue moon for the odd things that OS X and Linux can't do.   Definitely worth applying that patch.
Title: Re: NHS hit by ransomware!
Post by: tonyappuk on May 13, 2017, 04:43:07 PM
I may be living in cloud cuckoo land, but after being hit by ransomware about 3 or 4 years ago I did some searching and found CryptoPrevent. Having read the blurb and other comments I thought it was worth a try and installed it. Although I still visit a lot of sites, including naughty ones, I have not had a second attack. What do the experts here think of it? It is available for free download from a site called FoolishIT.
Tony
Title: Re: NHS hit by ransomware!
Post by: kitz on May 13, 2017, 04:50:14 PM
I think theres a few of us on here who use Cryptoprevent.   In fact it was one of the guys on here who recommended it and the reason why I use it.   
iirc there was a discussion somewhere in the Windows section about it.
Title: Re: NHS hit by ransomware!
Post by: Chrysalis on May 13, 2017, 04:52:53 PM
It's a very good security layer.

Basically CryptoPrevent is a frontend for the very powerful Software Restriction Policy, which itself is effectively an anti-exe. Anti-exe security policies tend to be a way better means of defence than traditional patching and AV.

However, since this is a worm which doesn't need a human to execute it for infection, and we know it spread via SMB, I don't think SRP would have stopped it unless the original machine was infected via a human running an original binary. The NHS is very unlikely to have SMB open to the internet, so how the first machine got infected remains a curiosity of mine.

The only issue with CryptoPrevent is its out of the box config uses a blacklist rather than whitelist approach (for user friendliness); whitelisting is always more effective than blacklisting.

On my rig, any folder that can be written to by a browser cannot execute a file (via SRP), meaning there is a conundrum for malware: it may make it to the disk, but if it does it won't be able to run. I also extend these limited permissions to any folder that's writeable by any non-elevated process on my entire system, covering all drives. It has meant I have had to whitelist all my games/apps etc., but I feel it's worth it. You can whitelist trusted certificates though, which makes it somewhat more user friendly, so e.g. whitelisting the Google cert will allow any Google binary to run without a specific whitelist.

AppLocker, which is the newer version of SRP, is way more user friendly; it has a wizard you can run which will scan folders for existing programs and automatically create rules for them. However, since Windows 8 it's on no consumer version of Windows; it was usable in Windows 7 Ultimate.

SRP and AppLocker can also block DLL injection, so e.g. using something like rundll32.exe to load a malware DLL can also be blocked by both SRP and AppLocker.

SMB can be significantly hardened though, although I don't know if a hardened configuration would have mitigated this worm.

Typically ransomware aimed at consumers is in the form of a binary, maybe attached to an email or a drive-by virus in a browser.

Whilst businesses may heavily use shared network drives, aka Windows file sharing, and as such it's clear to me this worm targeted businesses.
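For readers who want to see what the SRP/AppLocker setup described above looks like as an actual policy, here is an added PowerShell example for this page (not from the thread, CryptoPrevent or Microsoft). It builds an AppLocker policy in audit mode that allows Program Files and Windows, lets administrators run anything, and denies execution and DLL loading from the user profile (the browser-writable locations), then adds a publisher rule derived from a signed binary, the "whitelist the vendor's cert" approach, and dry-runs the policy against a copy of notepad.exe planted in Temp. It needs an edition that enforces AppLocker (Enterprise/Education, or Windows 7 Ultimate) and an elevated shell; the Chrome path and the Temp file are assumptions.

```powershell
# Added example (not from the thread, CryptoPrevent or Microsoft): AppLocker equivalent of
# "folders a browser can write to cannot execute". Needs an AppLocker-enforcing edition and
# an elevated shell. The Chrome path and the planted Temp file are assumptions.

#Requires -RunAsAdministrator
Import-Module AppLocker

$PolicyPath = Join-Path $env:TEMP 'applocker-audit.xml'

# Same rule set for the EXE and DLL collections. Everyone = S-1-1-0, Administrators =
# S-1-5-32-544. AuditOnly first; switch EnforcementMode to "Enabled" once the log is clean.
function New-RuleCollection([string]$Type) {
@"
  <RuleCollection Type="$Type" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow administrators everywhere" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny user profile" Description="Downloads, Temp, AppData: browser-writable" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
"@
}

$policyXml = @"
<AppLockerPolicy Version="1">
$(New-RuleCollection 'Exe')
$(New-RuleCollection 'Dll')
</AppLockerPolicy>
"@
$policyXml | Set-Content -Path $PolicyPath -Encoding UTF8

# "Whitelist the vendor's certificate": derive a publisher rule from a signed binary instead
# of punching a path hole. The generated rule is scoped to this product and file name.
$chrome = Join-Path ${env:ProgramFiles(x86)} 'Google\Chrome\Application\chrome.exe'   # assumed
$pubPolicy = $null
if (Test-Path $chrome) {
    $pubPolicy = Get-AppLockerFileInformation -Path $chrome |
        New-AppLockerPolicy -RuleType Publisher -User Everyone -RuleNamePrefix Vendor
}

# AppLocker evaluates nothing unless the Application Identity service runs. It is a protected
# service on Windows 10, so sc.exe rather than Set-Service changes the start type.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge
if ($pubPolicy) { Set-AppLockerPolicy -PolicyObject $pubPolicy -Merge }

# Dry run against the saved policy: notepad.exe copied into Temp (constructed "dropped" file)
# should be denied by path; the original under %WINDIR% should be allowed.
$dropped = Join-Path $env:LOCALAPPDATA 'Temp\dropper.exe'
Copy-Item -Path "$env:WINDIR\notepad.exe" -Destination $dropped -Force
Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $dropped, "$env:WINDIR\notepad.exe" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item -Path $dropped
```

Leave it in AuditOnly for a while and read the Microsoft-Windows-AppLocker/EXE and DLL event log (event 8003 is "would have been blocked") before changing EnforcementMode to Enabled; the DLL collection in particular will flag per-user applications that live under AppData, which then need publisher or hash rules. Two gaps to close before enforcing: %WINDIR% contains user-writable folders such as Windows\Temp and Windows\Tasks, so add deny rules for those, and the generated publisher rule is scoped to one product and file name; widen ProductName and BinaryName to * if every binary from that publisher should run.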
Title: Re: NHS hit by ransomware!
Post by: sevenlayermuddle on May 13, 2017, 07:44:52 PM
If it spreads via SMB then I would say a very likely way into a 'secure' corporate network with no public access would be...

Member of staff takes laptop home, where it attaches to his WiFi.

Kids, or kids' friends, then connect devices of unknown sanitation to same WiFi, malware on said device finds laptop, laptop gets infected.

Next day, laptop is back on corporate network, passes it on....
Title: Re: NHS hit by ransomware!
Post by: WWWombat on May 14, 2017, 03:38:36 AM
Quote
I think one of the issues with these systems getting attacked is that they allow too many external connections. I see no reason for much of this, as we all know the fewer open ports the less chance of getting attacked; also these systems should not allow any personal use or email and web surfing. All emails should go to one isolated server to be validated prior to being passed on. I remember years ago at one government office I went to they had zero external connections directly into their network and only one PC with external access but no internal access, and they had some software which did not allow any USB devices to connect to their networked PCs unless previously processed by one PC to again validate the contents. Another client I had dealings with had one system which was approved as secure by the US Dept of Defense, and in order to gain that certification it had zero external connections!

In today's connected world nothing is 100% secure.

The NHS N3 network is, I guess, like a huge corporate LAN. Each GP, clinic, hospital has, effectively, a private leased line into the network. It doesn't look to be accessed, say, via using a VPN over a vanilla internet connection. Email should be going through central servers, and "external access" (outside the LAN) should go centrally too.

But that makes a huge set of locations where, as 7LM says, a member of staff can accidentally introduce some malware from a trip home, which could then feed into the core of the LAN, and onwards.

In such a setup, you'd think the core would firewall each site/trust from the others. And, from the way different trusts have reported their problems, it seems like this has happened.

The way it hit multiple trusts, and places outside the UK, all at the same time, suggests to me that it has perhaps been infecting machines for a while, but only activated the payload yesterday.
Title: Re: NHS hit by ransomware!
Post by: Chrysalis on May 14, 2017, 03:41:20 AM
Quote
If it spreads via SMB then I would say a very likely way into a 'secure' corporate network with no public access would be...

Member of staff takes laptop home, where it attaches to his WiFi.

Kids, or kids' friends, then connect devices of unknown sanitation to same WiFi, malware on said device finds laptop, laptop gets infected.

Next day, laptop is back on corporate network, passes it on....

Good point, forgot about laptops.
Title: Re: NHS hit by ransomware!
Post by: JGO on May 14, 2017, 08:04:09 AM
I made a point elsewhere about the lack of an "Internet OFF" switch; seems a display of the wartime posters "The Enemy is listening" wouldn't be a bad idea either. (Much of Rommel's success was due to a US army colonel who ignored security.)
Title: Re: NHS hit by ransomware!
Post by: sevenlayermuddle on May 14, 2017, 08:50:11 AM
One problem nowadays is there's quite a strong social pressure to provide your WiFi password to any reasonably close friends or relatives who visit. A reasonably safe answer might be to scan their devices for malware first, but people might be offended by that. And in any case, if the friend were reasonably security-aware him/herself, he'd not want to trust my scanning software, especially if I wanted to plug in any flash drives etc.

I've addressed this problem myself by configuring a separate 'guest LAN', where devices can access the internet but are isolated from each other and isolated from my own machines. Still, there have been times where guests wanted access to the core network, say to access the media server to show us some holiday photos, and then it gets awkward...
Title: Re: NHS hit by ransomware!
Post by: Bowdon on May 14, 2017, 12:16:36 PM
When Microsoft talk about patching it, are they talking about Windows Defender? As Avast said it's already updated against this ransomware months ago.

I've not heard of CryptoPrevent. What's the address for it?

I don't understand why people even write these ransomware viruses, except I guess for money. I wonder if bitcoin became more trackable whether it would discourage people from doing this for money?
Title: Re: NHS hit by ransomware!
Post by: Ronski on May 14, 2017, 12:40:42 PM
That's the whole point, Bowdon: money, and lots of it; the link below talks of a billion dollar industry in 2016. Once upon a time viruses were written just to cause havoc; they soon realised there's lots of money to be made, and that changed the whole landscape.

http://www.cnbc.com/2016/12/13/ransomware-spiked-6000-in-2016-and-most-victims-paid-the-hackers-ibm-finds.html

Apparently some of the ransomware 'companies' for want of a better word have better customer services than a lot of IT companies because they realise that if people don't get their data it would ruin their business model.

https://www.engadget.com/2016/09/09/customer-service-matters-when-it-comes-to-ransomware/
Title: Re: NHS hit by ransomware!
Post by: sevenlayermuddle on May 14, 2017, 01:00:28 PM
Of course in addition to the NHS, various car makers, Spanish telecoms, FedEx in the USA etc. that have all been affected this week, we'll probably never know how many organisations were hit but just kept quiet, and either wrote off the data or paid the ransom.

It's not the sort of thing they'd boast about after all, but might well make economic sense and also avoid all the public criticism as is being heaped on the NHS.
Title: Re: NHS hit by ransomware!
Post by: c6em on May 14, 2017, 01:28:56 PM
Here is a wish request on backup drives and isolation from any nasties jumping to them:

USB powered external drive
I'd like to leave it physically connected.
So I'd like MS Windows to be able to both "disconnect" it AND "reconnect" it via some sort of password protected system application.

That way under normal circumstances my backup drive is isolated from the computer but when I want to do the backup I then reconnect the USB drive and away we go, then I would disconnect after the backup is done.
Currently while I can electronically disconnect the drive via the 'safe hardware removal' icon, to re-connect I have to physically remove the drive's USB plug from the computer and then put it back again.
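What the post above asks for can be approximated from PowerShell: the PnpDevice cmdlets (Windows 10 / Server 2016 and later) disable and re-enable a USB disk in software, so the disk stays plugged in but unmounted except while the backup runs, and the elevation prompt acts as the password gate. The script below is an added example for this page, not from the thread; the drive letter, backup folder and source folder are assumptions.

```powershell
# Added example (not from the thread): software "disconnect/reconnect" of a USB backup disk
# via the PnpDevice cmdlets. Needs an elevated shell; UAC stands in for the requested password.
# Drive letter and folders are assumptions.

#Requires -RunAsAdministrator

$BackupDrive = 'E'                                     # assumed letter the USB disk mounts as
$BackupRoot  = "${BackupDrive}:\Backups"
$Source      = Join-Path $env:USERPROFILE 'Documents'

function Get-UsbBackupDisk {
    # First present USB mass-storage disk. A disabled device is still "present", so this also
    # finds the disk while it is disconnected and needs bringing back.
    Get-PnpDevice -Class DiskDrive -PresentOnly |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        Select-Object -First 1
}

function Connect-BackupDisk {
    param([Parameter(Mandatory)]$Disk, [int]$TimeoutSeconds = 30)
    Enable-PnpDevice -InstanceId $Disk.InstanceId -Confirm:$false
    # Wait for the volume to mount again before writing to it.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while (-not (Test-Path "${BackupDrive}:\") -and (Get-Date) -lt $deadline) { Start-Sleep -Seconds 1 }
    if (-not (Test-Path "${BackupDrive}:\")) { throw "Backup volume ${BackupDrive}: did not appear" }
}

function Disconnect-BackupDisk {
    param([Parameter(Mandatory)]$Disk)
    # Flush cached writes, then drop the device; the drive letter disappears with it.
    Write-VolumeCache -DriveLetter $BackupDrive
    Disable-PnpDevice -InstanceId $Disk.InstanceId -Confirm:$false
}

$disk = Get-UsbBackupDisk
if (-not $disk) { throw 'No USB disk found' }

Connect-BackupDisk -Disk $disk
try {
    # Dated copy rather than /MIR: a mirror would overwrite good copies with freshly encrypted
    # ones and replay deletions, which is exactly what a ransomware victim must avoid.
    $dest = Join-Path $BackupRoot (Get-Date -Format 'yyyy-MM-dd')
    robocopy $Source $dest /E /R:1 /W:1 /NP /LOG+:"$env:TEMP\backup.log" | Out-Null
    # robocopy exit codes below 8 are success variants; 8 and above mean copy failures.
    if ($LASTEXITCODE -ge 8) { Write-Warning "robocopy reported failures (exit $LASTEXITCODE); see the log" }
} finally {
    Disconnect-BackupDisk -Disk $disk
}
```

Malware that already holds administrator rights can call Enable-PnpDevice just as this script does, so the disabled disk protects against user-level malware and against the drive being mounted at the wrong moment, not against a full compromise; the off-site drives and cloud copy mentioned earlier in the thread still matter.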
Title: Re: NHS hit by ransomware!
Post by: Dray on May 14, 2017, 01:46:24 PM
Does this help? https://www.raymond.cc/blog/remount-ejected-or-safely-removed-usb-device-without-unplug-and-reinsert/
Title: Re: NHS hit by ransomware!
Post by: c6em on May 14, 2017, 02:03:53 PM
Ah - well, well - most interesting - thank you indeed for the link. I will investigate.

As an aside, I've just had a circular from my local police neighbourhood watch.
All good advice:

For all your systems and devices:
1 Keep systems and applications patched
2 Have AV software which is also kept updated
3 Create backups on to media which is then disconnected from the computer post backup
4 (More applicable to android tablets etc) Only download from the google/apple stores and do not root/jailbreak.
Title: Re: NHS hit by ransomware!
Post by: petef on May 14, 2017, 03:30:09 PM
Quote
When Microsoft talk about patching it, are they talking about Windows Defender? As Avast said it's already updated against this ransomware months ago.

Currently supported MS OSs had a security patch available in March to close off the EternalBlue vulnerability.

Defender (and the other MS AVs) has detected and protected against WannaCrypt since a couple of days ago.

They have just released a version of the patch for use with Windows XP, 8, etc.

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

So all AVs should now protect against this specific attack. Microsoft have issued patches which must be applied to protect against future attacks exploiting the same security hole.

I have yet to read any security reports about the vector used for this attack. EternalBlue is how it spreads but it must start somewhere on each infected network.

[edit] I see that kitz provided this answer already in reply #18.
Title: Re: NHS hit by ransomware!
Post by: tonyappuk on May 14, 2017, 04:30:40 PM
Not being sufficiently computer literate myself, can anyone here say if CryptoPrevent would have protected against this recent NHS event? I have a burning desire to avoid MS's continual need to update, whether it be the whole OS or just patches. It makes me more and more inclined to go with Linux. Unfortunately the time I was attacked by cryptoware it was on Linux, although that was a Java-based version. Life is very difficult these days!!
Tony
Title: Re: NHS hit by ransomware!
Post by: Chrysalis on May 14, 2017, 05:31:05 PM
That Microsoft article actually gives some more insight; it seems the hardening would have mitigated this attack.

The hardening I carry out disables the SMB v1 protocol, and this bulletin suggests only v1, not v2, is/was vulnerable.

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
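A way to verify that "disable SMB v1" actually took effect on a given host, as an added example that is not from the thread, from Microsoft or from any vendor: the script below sends one SMBv1 NEGOTIATE (header layout as in MS-CIFS) offering only the "NT LM 0.12" dialect and classifies what comes back. Function names are mine, the sample replies are constructed rather than captured, and the mapping of "connection closed or SMB2 header in reply" to "SMBv1 off" is an assumption about typical server behaviour, so treat a result as a prompt to confirm against the server's own configuration rather than as proof.

```python
"""Probe whether a host still speaks SMBv1 (the dialect MS17-010 targets).

Added example, not from the forum thread or any vendor. It sends a single
SMB_COM_NEGOTIATE offering only the "NT LM 0.12" dialect and classifies the
reply. The offline parts (request builder, reply classifier) are exercised
with constructed byte strings; probe() needs network access to a target.
"""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
DIALECT_NT_LM = b"NT LM 0.12"

# 32-byte SMB1 header after the 4-byte magic: command, NT status, flags,
# flags2, PIDHigh, 8-byte signature, reserved, TID, PID, UID, MID (LE).
_HDR = "<BIBHH8sHHHHH"


def _smb1_header(command: int, flags: int) -> bytes:
    return SMB1_MAGIC + struct.pack(
        _HDR, command, 0, flags, 0xC853, 0, b"\x00" * 8, 0, 0, 0xFEFF, 0, 0
    )


def _netbios(body: bytes) -> bytes:
    # NetBIOS session service header: type 0x00 + 3-byte big-endian length.
    return b"\x00" + len(body).to_bytes(3, "big") + body


def build_negotiate_request(dialects=(DIALECT_NT_LM,)) -> bytes:
    """Return a NetBIOS-framed SMBv1 NEGOTIATE request offering `dialects`."""
    # Parameter block: WordCount = 0. Data block: ByteCount, then each
    # dialect as 0x02 + ASCII name + NUL.
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    body = _smb1_header(SMB_COM_NEGOTIATE, 0x18) + b"\x00" + struct.pack("<H", len(data)) + data
    return _netbios(body)


def sample_smb1_reply(dialect_index: int) -> bytes:
    """Constructed (not captured) minimal SMBv1 NEGOTIATE response.

    WordCount 17 followed by DialectIndex; 0xFFFF means 'none accepted'.
    """
    params = b"\x11" + struct.pack("<H", dialect_index)
    return _netbios(_smb1_header(SMB_COM_NEGOTIATE, 0x98) + params)


def classify_reply(reply: bytes) -> str:
    """Map the bytes returned after our SMBv1 NEGOTIATE to a verdict.

    "smb1-accepted": SMBv1 negotiate response selecting one of our dialects
    "smb1-refused":  SMBv1 response with DialectIndex 0xFFFF
    "smb2-only":     server answered with an SMB2 header (assumed: SMBv1 off)
    "closed":        no data at all (assumed: SMBv1 refused / connection reset)
    "unknown":       anything else
    """
    if not reply:
        return "closed"
    if len(reply) < 8:
        return "unknown"
    magic = reply[4:8]
    if magic == SMB2_MAGIC:
        return "smb2-only"
    if magic != SMB1_MAGIC:
        return "unknown"
    # Need NetBIOS(4) + header(32) + WordCount(1) + DialectIndex(2).
    if len(reply) < 39 or reply[8] != SMB_COM_NEGOTIATE:
        return "unknown"
    dialect_index = struct.unpack_from("<H", reply, 37)[0]
    return "smb1-refused" if dialect_index == 0xFFFF else "smb1-accepted"


def probe(host: str, port: int = 445, timeout: float = 3.0) -> str:
    """Connect, send the negotiate, classify the answer (network required)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        try:
            reply = s.recv(4096)
        except OSError:  # reset or timeout: treat as no answer
            reply = b""
    return classify_reply(reply)


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        print(target, probe(target))
```

Run it as `python smb1probe.py fileserver01 fileserver02` against hosts you administer; "smb1-accepted" is the finding to chase, and Windows Firewall rules on the client's public profile can produce "closed" even when SMBv1 is enabled, which is why the verdict should be cross-checked on the server.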
Title: Re: NHS hit by ransomware!
Post by: petef on May 15, 2017, 11:50:37 AM
Telefónica have confirmed that the original vector was a dropper linked in an email that was not detected by many engines of antimalware.

The scheme of attack was:
- Infection phase: mass spam to e-mail addresses with a dropper download link (the dropper downloads the payload), or exploitation of a vulnerable service exposed to the Internet, or connection of infected equipment to the local network.
- On downloading the dropper, the machine is infected with the ransomware.
- From the infected machine the LAN is scanned for computers vulnerable to MS17-010, to infect those computers as well and continue the infection. As the CCN-CERT announced immediately.


The above is a Google translation of this Spanish article.

http://www.elladodelmal.com/2017/05/el-ataque-del-ransomware-wannacry.html
Title: Re: NHS hit by ransomware!
Post by: Bowdon on May 15, 2017, 02:45:10 PM
So it did come through spam emails.

I have to wonder if this isn't a set-up to modify or even ban Bitcoin. If Bitcoin wasn't anonymous in tracking, the money incentive for these attacks would disappear.

Also this seems to have caused havoc because Microsoft, on bended knee, wanted to snitch on its users and allowed the NSA to compromise its own product. I wonder if this episode will act as a wake-up call to our government that this is the risk of them wanting to spy on everyone.
Title: Re: NHS hit by ransomware!
Post by: petef on May 15, 2017, 03:27:16 PM
@Bowdon that is not Microsoft's message. They have been quite vociferous that NSA should have disclosed the exploit to MS rather than hoard it for their own good/evil [delete as appropriate] intentions.

https://www.theregister.co.uk/2017/05/14/microsoft_to_spooks_wannacrypt_was_inevitable_quit_hoarding/
Title: Re: NHS hit by ransomware!
Post by: sevenlayermuddle on May 15, 2017, 04:59:14 PM
It's interesting how the blame game is being played. Govt blame NHS incompetence, NHS blame govt cuts. The perpetrators of the attack are being blamed of course, but so are the NSA for knowing about the bug and not reporting it.

Yet no blame at all seems to be attributed to Microsoft, who published the buggy SMB software. I recognise that all software has bugs and vulnerabilities. I spent my working life writing commercial software, and was responsible for my share of bugs. But when one of my bugs surfaced I was generally expected to accept responsibility for it; I'd never have got away with blaming the customers who were affected by it, or blaming the testers who found it.
Title: Re: NHS hit by ransomware!
Post by: Ronski on May 15, 2017, 07:21:45 PM
Hasn't it already been noted in this thread that MS released a patch in March for supported operating systems? Hardly MS fault if people haven't updated their systems or are using systems no longer supported.
Title: Re: NHS hit by ransomware!
Post by: sevenlayermuddle on May 15, 2017, 08:35:49 PM
Ronski, I disagree, bugs don't just magically appear as a result of an OS being old, the bugs are there because they were there all along.

I'm not suggesting there should be a witch hunt to find the individual who wrote the bug or a public flogging. I'm merely pointing out that there should be better public awareness... The bug was not a result of failure to update, or failure to install AV, or by a rogue employee at NSA, it was solely a result of a mistake made by a Microsoft employee some time in the past. 

Where I do think Microsoft might benefit from a flogging is the vicious circle of OS releases that need new hardware.  That is the reason many of us still run XP. We have perfectly good hardware that runs XP, but Microsoft don't offer any supported OS that will run on that hardware.  My machine is less than nine years old, yet Microsoft seem to think I'd have been happy to throw it in the bin after 3 or 4 years.   The closest comparison, Apple, are much much better... mac hardware that is 6,7 years old or more is often fully supported with new versions of OS X, hence a lot fewer people hanging on to old versions.

Title: Re: NHS hit by ransomware!
Post by: Ronski on May 15, 2017, 08:51:57 PM
Yes they were there all along, but my point is thus:

But when one of my bugs surfaced I was generally expected to accept responsibility for it, I'd never have got away with blaming the customers who were affected by it, or blaming the testers who found it.

MS released a patch in March, that to me sounds like they accepted responsibility for it. If you released a patch for one of your bugs and two months later a customer phoned up complaining it hadn't been fixed because they hadn't installed the update what would you tell them????

Yes, MS are responsible for the bug in the first place, but they can hardly be responsible for people not installing the update, or running out-of-date operating systems such as XP. Windows 7 will run fine on 10-year-old hardware and that's still in support, but hey, we're getting off topic there.
Title: Re: NHS hit by ransomware!
Post by: sevenlayermuddle on May 15, 2017, 09:13:11 PM
If you released a patch for one of your bugs and two months later a customer phoned up complaining it hadn't been fixed because they hadn't installed the update what would you tell them????


In my day, we'd have apologised in the first place, when the need arose to issue a patch. We'd have apologised for the bug, and for the inconvenience involved in fixing it. Nowadays, vendors seem to think their bugs, fixed in 'updates', are something to boast about.

If the product was out of warranty and we were unable to patch, we'd have explained that and apologised even more profusely. The customer would have to accept that, having no legal remedy, embarrassing as it were for all concerned. We'd hope he'd understand, and remain a customer, and usually he would. But we'd never have suggested the bug was his own fault.
Title: Re: NHS hit by ransomware!
Post by: c6em on May 15, 2017, 09:16:36 PM
It's all very well sitting there saying "just upgrade".
But it ain't that easy in real life.

Someone has a £k film scanner with only an XP driver available for it.
Do you tell them contemptuously to shut up, get Win 7/10 and pay another £xk for a new film scanner?

How about an NHS WinXP machine running proprietary bespoke-written software interfacing via IE6 with a £xx million MRI scanner?
How many nurses shall we sack and how many drugs shall we not buy, just to upgrade a sodding computer and having to buy another MRI scanner on top?

Not so easy now?
Title: Re: NHS hit by ransomware!
Post by: sevenlayermuddle on May 15, 2017, 09:37:54 PM
Another issue, similar to c6em's comments, arose towards the end of my career.

We'd ship hardware & drivers to customers, who built products that needed expensive and exhaustive conformance testing  in 3rd party labs, before they could deploy it and start earning money.   Even the most minor change required scrutiny and cost from the conformance labs.   Moving to a new version of Windows would not be a minor change, so would likely need complete testing all over again, at huge cost...
Title: Re: NHS hit by ransomware!
Post by: Ronski on May 15, 2017, 10:09:36 PM
I'm completely aware of those issues c6em, my reply about installing W7 was directed to 7LMs comment about his XP system.

Title: Re: NHS hit by ransomware!
Post by: petef on May 15, 2017, 10:15:46 PM
I quoted Telefónica earlier who said that the original vector was phishing. Since then I have read articles by Kaspersky (https://securelist.com/blog/research/78411/wannacry-faq-what-you-need-to-know-today/) and F-Secure (https://labsblog.f-secure.com/2017/05/15/wannacry-party-like-its-2003/) which are of the opinion that the exploit spread by SMB alone.
Title: Re: NHS hit by ransomware!
Post by: sevenlayermuddle on May 15, 2017, 10:23:53 PM
I'm completely aware of those issues c6em, my reply about installing W7 was directed to 7LMs comment about his XP system.

Ok, addressing that suggestion...

Would the W7 upgrade/downgrade be free, as it would with Apple, and as it would with most consumer versions of Linux?

And if it caused problems, or I just didn't like it, would the licence for the previous OS remain valid, as it would with the comparisons above?

Genuinely interested in the answers, if 'Yes' I may well give it a go. :)
Title: Re: NHS hit by ransomware!
Post by: Ronski on May 15, 2017, 10:38:45 PM
You can buy Windows 7; no, it's not free, but it can be found quite cheap. If you'd bought an upgrade from XP to 7, no, you couldn't go back to XP, but you could if you'd bought a retail version of 7; you would also have been able to move that retail version to new hardware free of charge. I don't think you can activate XP now, but I suppose if you imaged your XP installation you would not have to worry about that. If you have a spare hard drive you could install 7 FOC for 30 days before having to activate it, and see how it goes.

With Apple you pay a vast premium in the first place, so don't get me going on Apple: they beat manufacturers down to the bare minimum price and charge end users the absolute maximum, which unfortunately has led to the likes of MS doing the same with hardware, as is Samsung. The only thing I ever wished I'd bought of Apple's was their shares a long time ago.

Linux is, well, Linux, and like you say free, can't beat that, so why did those hardware manufacturers not use Linux for their scanners???

Anyway I'm off to bed.
Title: Re: NHS hit by ransomware!
Post by: sevenlayermuddle on May 15, 2017, 11:07:32 PM
I quoted Telefónica earlier who said that the original vector was phishing. Since then I have read articles by Kaspersky (https://securelist.com/blog/research/78411/wannacry-faq-what-you-need-to-know-today/) and F-Secure (https://labsblog.f-secure.com/2017/05/15/wannacry-party-like-its-2003/) which are of the opinion that the exploit spread by SMB alone.

It seems to me, the 'spread by SMB' factor is the scariest thing about this whole issue.   If I understand right, just by connecting to a LAN to which an infected machine also connects, a vulnerable device can get infected?    :o

Example scenario:  Most of us will connect to a Hotel's guest WiFi without much thought, but I wonder how many hotel networks enforce isolation between clients..?  And how could we tell?

Title: Re: NHS hit by ransomware!
Post by: petef on May 16, 2017, 12:54:03 AM
With Apple you pay a vast premium in the first place, so don't get me going on Apple, they beat manufacturers down to the bare minimum price and charge end users the absolute maximum, which unfortunately has led to the likes of MS doing the same with hardware, as is Samsung.

IMHO Apple do charge a premium for iPhone but not so much for MacBooks. The latter compare favourably with a Windows PC if you look at like with like on such matters as case, display and SSD. Which? often picks Macs as best buys in laptops.

I am typing this on a 2008 MacBook Pro. In 2013 I paid £14 to upgrade to Snow Leopard but since then OS upgrades have been free. In fairness I believe that Windows 10 is now eligible for perpetual updates.
Title: Re: NHS hit by ransomware!
Post by: petef on May 16, 2017, 01:09:17 AM
Sophos have egg on their face. Shortly before the NHS meltdown they proclaimed that the "NHS is totally protected with Sophos". After the attack took hold that became "Sophos understands the security needs of the NHS".

In mitigation, Sophos do provide products that protect proactively. NHS budgets do not stretch to those.

https://www.theregister.co.uk/2017/05/15/sophos_nhs/
Title: Re: NHS hit by ransomware!
Post by: Chrysalis on May 16, 2017, 05:45:02 AM
SMB should have been retired a decade ago; it's insecure in its design. But Microsoft prefer to just apply band-aids.

Title: Re: NHS hit by ransomware!
Post by: sevenlayermuddle on May 16, 2017, 08:34:48 AM
IMHO Apple do charge a premium for iPhone but not so much for MacBooks. The latter compare favourably with a Windows PC if you look at like with like on such matters as case, display and SSD. Which? often picks Macs as best buys in laptops.

My main day-to-day workhorse remains my 2009 Mac Mini, cost circa £500, and supported on new OS versions all the way through to last year. They even sneaked in an EFI (/BIOS) update somewhere along the way that raised the RAM ceiling from 4 GB to a much more useful 8 GB.

I finally have a reason to replace it as mine won't run Sierra.  I want to buy another Mini.   Only trouble is, they seem a bit half-hearted about the Mini these days, no new versions since late 2014. :'(
Title: Re: NHS hit by ransomware!
Post by: petef on May 16, 2017, 09:17:34 AM
My main day-to-day workhorse remains my 2009 Mac Mini, cost circa £500, and supported on new OS versions all the way through to last year. They even sneaked in an EFI (/BIOS) update somewhere along the way that raised the RAM ceiling from 4 GB to a much more useful 8 GB.

I finally have a reason to replace it as mine won't run Sierra.  I want to buy another Mini.   Only trouble is, they seem a bit half-hearted about the Mini these days, no new versions since late 2014. :'(

I was disappointed when Apple made El Capitan the end of the line for our vintage of hardware. While they are still pushing out updates I am not too bothered. I would not use the two main features of Sierra: Siri and improved connectivity with other iThings.
Title: Re: NHS hit by ransomware!
Post by: roseway on May 16, 2017, 09:59:11 AM
With respect chaps, this is rather off-topic...
Title: Re: NHS hit by ransomware!
Post by: Ronski on May 16, 2017, 10:12:04 AM
It seems to me, the 'spread by SMB' factor is the scariest thing about this whole issue.   If I understand right, just by connecting to a LAN to which an infected machine also connects, a vulnerable device can get infected?    :o

Example scenario:  Most of us will connect to a Hotel's guest WiFi without much thought, but I wonder how many hotel networks enforce isolation between clients..?  And how could we tell?

Would the fact that Windows seems to default to the public profile for new networks, and thus file sharing is turned off, mean that SMB is not compromised? Can't remember if XP works that way or not.
Title: Re: NHS hit by ransomware!
Post by: Chrysalis on May 16, 2017, 11:10:25 AM
To answer the earlier question regarding CryptoPrevent, given it seems it was originally delivered by an email payload binary, the answer is maybe. Since CryptoPrevent only uses blacklisting, it depends if the filename matched any of the masks configured by CryptoPrevent.

I think the NHS really shouldn't be allowing their staff to get emails delivered with binary attachments, but this may be harsh given we still don't know 100% of the specifics.

Regarding Sophos, the problem they had, and what most of the AV industry has, is that they protect via blacklist definitions, which always lose against 0-day. These vendors work on how to detect compromises that have already entered the system instead of preventing them in the first place. Ironically Sophos owns HitmanPro.Alert, which is a product that aims to prevent malware via memory exploits prior to even hitting the disk. But HitmanPro.Alert started suffering when they started only reacting to malware after it was already in the wild instead of being a preventative system.

The best type of protections tend to be whitelist focused, and some examples are:

Reputation-based systems: deny by default unless good reputation.
Anti-exe: deny by default, needs whitelisting.
HIPS (behaviour analysis): HIPS is very powerful but also not consumer friendly; since security vendors aim for set-and-forget solutions HIPS is not very popular. Emsisoft has a dumbed-down HIPS with their behaviour blocker.
Memory exploits are where malware does its work all in memory and as such does not need to write to disk to run a payload; certain software such as EMET (free), HitmanPro.Alert and Malwarebytes Anti-Exploit aims to prevent that type of malware, and some AV like NOD32 have exploit protection built in as well.

Before memory exploits it was quite easy to make an immune Windows box.

Set up AppLocker/SRP and deny execution rights to all user-writeable folders such as %temp%, %userprofile%, and document folders, whilst at the same time making sure any unprivileged application cannot write to any executable folders like Program Files. Browsers such as Chrome and IE will auto-sandbox and run at low privilege levels and become immune in such a configuration; Firefox would need to be sandboxed by something like Sandboxie. Not even AV would have any use in such a configuration. Finally, make sure to use a limited user account for everyday tasks.

But now we have memory exploits, things are a bit harder but still not overly difficult; the issue is the way Microsoft ships the operating system and how the consumer security vendors choose to apply their protections.

Microsoft introduced UAC with Vista as a stop-gap; the intention was for LUA eventually to be the default privilege level, but instead what happened is UAC got watered down in Windows 7 and admin accounts remained the default. They also have wrappers like svchost and rundll32 which can make auditing very difficult, e.g. I get Windows Firewall requests to allow rundll32 to have access to some random IP, and I have no idea of the originator of that request.

On Linux there are no such wrappers, and in addition Linux users are well used to running with restricted accounts, and if they need to do maintenance they will su to root or use sudo. Again, Windows has no MAC restriction system akin to SELinux; the closest to it is 3rd-party HIPS solutions.

Microsoft have AppLocker, which they have decided is only suitable for enterprise, when it would clearly be very useful to help consumers if it were enabled and had some automated configuration templates.

This is why Windows has so many issues with security time and time again.

I only still use Windows because of PC gaming; all my other tasks could be done in a Linux/FreeBSD environment.
Title: Re: NHS hit by ransomware!
Post by: niemand on May 16, 2017, 12:25:36 PM
Didn't realise there were so many information security experts on this forum. Will have to pay attention, might be useful for my dissertation.
Title: Re: NHS hit by ransomware!
Post by: NEXUS2345 on May 16, 2017, 12:31:53 PM
Windows 10 does a lot of stuff to improve the security of the OS. For example, everything EMET did is built directly into the OS and is enabled by default. Windows Defender is now much more powerful due to it having cloud analysis techniques. Also, the Windows SmartScreen filter tech is improving security against unknown binaries, but as many are saying, Microsoft for some reason still allow execution of .js and .ws files by default; best to set those extensions to open in Notepad by default to protect users.

Also, I will remind everyone that this was not a zero-day vulnerability. It was discovered and patched over a month ago; however, due to the NHS using XP, or just due to bad patching practices in other businesses, this patch never reached the afflicted systems. It is also worth noting that this flaw only affected systems that had SMB1 enabled. SMB2+ was unaffected, and SMB1 will be disabled by default in Windows 10 as part of the next big update. It is also worth noting one of the only reasons SMB1 remains active is because many Linux-based devices have yet to gain SMB3 support despite it being out since, I believe, Windows 7 or 8, so 5-7 years now, and SMB3 is an open spec, so there is no excuse with regards to it being proprietary.

Wouldn't call myself an infosec specialist mainly because I am still doing my A-levels, but I keep up to date and read into things. @SwiftOnSecurity is a good one to follow on Twitter for sysadmin and infosec stuff.
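Two points above go together: Chrysalis's "deny execution rights to all user-writeable folders" SRP/AppLocker rule, and NEXUS2345's point that .js/.ws scripts still run by default. The script below is an added example, not from either poster or from Microsoft, that applies both as a detection rule over process-creation records, so an admin can see what the deny rule would have blocked before switching it on. The records are constructed, not real logs; the two-field layout (image path, command line) is an assumption that matches what a 4688 or Sysmon process-creation event carries, and the path list is a starting point to tune per estate.

```python
"""Flag process launches an 'execute from user-writable paths' deny rule
(SRP/AppLocker) would block, including script hosts (wscript, mshta, ...)
launched with a script that lives in such a path.

Added example, not from the forum thread or any vendor. SAMPLE records are
constructed, not real logs.
"""
import re
from typing import List, NamedTuple, Optional


class ProcRecord(NamedTuple):
    image: str     # full path of the new process
    cmdline: str   # its command line


# Locations a standard user can write to; matched case-insensitively against
# the start of a path. Extend with whatever your environment also exposes.
USER_WRITABLE = re.compile(
    r"^(?:[a-z]:\\users\\[^\\]+\\(?:appdata\\(?:local|roaming|locallow)|downloads|documents|desktop)\\"
    r"|[a-z]:\\windows\\temp\\)",
    re.IGNORECASE,
)

# Built-in hosts that execute whatever script/DLL they are pointed at; for
# these the thing to judge is the argument, not the host binary in System32.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".dll", ".scr")

# Quoted path, or an unquoted token containing a backslash.
_PATH_TOKEN = re.compile(r'"([^"]+)"|(\S+\\\S+)')


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _script_argument(cmdline: str) -> Optional[str]:
    """First path-looking argument (after the host itself) with a script/DLL extension."""
    tokens = [quoted or bare for quoted, bare in _PATH_TOKEN.findall(cmdline)]
    for tok in tokens[1:]:
        if tok.lower().endswith(SCRIPT_EXT):
            return tok
    return None


def judge(rec: ProcRecord) -> Optional[str]:
    """Return a reason the launch would be denied, or None if it is allowed."""
    if USER_WRITABLE.match(rec.image):
        return f"executable launched from user-writable path: {rec.image}"
    if _basename(rec.image) in SCRIPT_HOSTS:
        arg = _script_argument(rec.cmdline)
        if arg and USER_WRITABLE.match(arg):
            return f"{_basename(rec.image)} running payload from user-writable path: {arg}"
    return None


def audit(records: List[ProcRecord]) -> List[str]:
    """Reasons for every record that the deny rule would have stopped."""
    reasons = []
    for rec in records:
        reason = judge(rec)
        if reason:
            reasons.append(reason)
    return reasons


# Constructed records (not real telemetry): two should be denied, three allowed.
SAMPLE = [
    ProcRecord(r"C:\Windows\System32\notepad.exe",
               r'"C:\Windows\System32\notepad.exe" readme.txt'),
    ProcRecord(r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
               r'"C:\Users\alice\AppData\Local\Temp\invoice.exe"'),
    ProcRecord(r"C:\Windows\System32\wscript.exe",
               r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\invoice.js"'),
    ProcRecord(r"C:\Windows\System32\wscript.exe",
               r'"C:\Windows\System32\wscript.exe" "C:\Program Files\Vendor\tool.vbs"'),
    ProcRecord(r"C:\Program Files\Vendor\app.exe",
               r'"C:\Program Files\Vendor\app.exe" --run'),
]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

Feeding a day of real process-creation events through `audit()` gives the list of legitimate things (updaters that run from %AppData%, for instance) that need an explicit allow rule before the deny rule goes live; the script-host branch is what catches a double-clicked .js from Downloads, which the image-path check alone would miss because the image is wscript.exe in System32.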
Title: Re: NHS hit by ransomware!
Post by: Chrysalis on May 16, 2017, 12:40:11 PM
Sorry, EMET is not all built into the OS :). Microsoft did post a blog claiming it is, until someone pulled it apart, which resulted in Microsoft extending EMET's support. It was also pointed out Microsoft cannot simply pretend Windows 7 and 8.1 don't exist; if something is locked down in Windows 10, it doesn't mean it's not a problem, as Windows 7 and 8.1 are both officially supported by Microsoft whether they like it or not.

http://blog.morphisec.com/emet-refuses-to-die
https://news.sophos.com/en-us/2016/11/30/moving-beyond-emet-part-2/
https://insights.sei.cmu.edu/cert/2016/11/windows-10-cannot-protect-insecure-applications-like-emet-can.html

It was zero day in the sense that Sophos did not detect it until analysing it. So in regards to Sophos it was zero day, and it can be the same for all other AV vendors who needed to update definitions to detect the variant. Generally in the malware community, if any major security vendor is unable to detect it, then it qualifies as a zero day, even if the OS has a patch.

The question is, Nexus:

Has SMB1 been disabled in Windows 8 and 7 in updates? If no, do you think that it's acceptable to not patch up operating systems which are not EOL?

SMB2 is still a nasty mess; it's just not quite as bad as SMB1.

Disabling SMB1 in the next big update to Windows 10 proves my point really; it's a "reaction" to something that has already happened. A band-aid, so to speak.
Title: Re: NHS hit by ransomware!
Post by: Bowdon on May 16, 2017, 01:58:38 PM
I think the important thing is whether the ransomware's activity could be stopped once it tried to activate.

I'm surprised that the NHS hospitals even had Sophos doing their anti-virus stuff. I assumed it was Windows Defender, but now I think about it, does XP even have a built-in AV?

I think while it's good to look into the technical capabilities of Windows versions, I think it's also important to keep things in context. I'm not aware of any other patched-up OS getting hit. It only seems to be XP. Which suggests the issue was actually fixed and the group who did it knew that the institutions liked using XP.

There seems to be a lot of passing the buck going on too. From a group with suspected links to North Korea, even though the tech experts on the ground said it's actually based in China with very weak links to North Korea (so weak the tech experts wouldn't say for sure it is NK).

Then we have the NSA making a statement yesterday on how we can protect ourselves. NO apology. NO "we're sorry we wanted to spy on you so badly we just left the backdoor open". Also I DO NOT believe Microsoft didn't know about this. Do a Google search on "Microsoft colluded with NSA". M$ is well known for it. Most of this privacy information they grab is probably for the NSA.

M$ have been caught with their pants down on this and they need to do a lot to recover.

A couple of points have come out of this for me.

1. Bitcoin trading needs to be tracked and have its anonymity removed.

2. There is a good case for businesses to move to using Mac or other OSes instead of Windows.

https://www.theregister.co.uk/2017/05/16/microsoft_stockpiling_flaws_too/
While Microsoft griped about NSA exploit stockpiles, it stockpiled patches: Friday's WinXP fix was built in February - And it took three months to release despite Eternalblue leak

Quote
Around January this year, Microsoft was tipped off by persons unknown that the NSA's Eternalblue cyber-weapon, which can compromise pre-Windows 10 systems via an SMBv1 networking bug, had been stolen and was about to leak into the public domain. In March, Microsoft emitted security fixes for supported versions of Windows to kill off the SMB vulnerability, striking Eternalblue dead on those editions.

Even when M$ knew it was compromised it still couldn't bring itself to fix it... smh
Title: Re: NHS hit by ransomware!
Post by: kitz on May 16, 2017, 02:59:37 PM
Couple of points, some of which Ronski has already covered. Really bad hand day so not sure how much I can type.

XP is end of life. Microsoft will continue to support it if you pay, so the option is there for the larger organisations such as the NHS, which has certain [x-ray type] equipment software which will only run with XP. I can fully understand why M$ don't continue to support forever for free. Microsoft rolled out a fix for those machines which were supported. It did only affect those unsupported/unpatched machines.

How long do Apple continue to support for? I believe it's 3 generations, and they too in the past have charged for upgrades.
It appears to be the way of the world. Same thing with the mobile operating systems.

Ummm, not sure it would be a good idea to move to Apple. Their products are overpriced for the same PC spec. Not so easy to replace parts, and even if you can then the cost is extortionate. Linux maybe, though there could be compatibility issues with some software. Apple is not immune to malware; it's just less likely to be a target for hackers because it's less popular. Hackers obviously target the most popular because the returns are going to be greater.

There's a link on CryptoPrevent's website which shows CryptoPrevent vs WannaCry. There's also a link to a video showing it in action.
https://www.foolishit.com/2017/05/cryptoprevent-vs-wannacry-wannacryptorwcry-wcry-ransomware/

VirusTotal shows which AVs were able to detect WCrypt. 48 out of 61 didn't, including some of the most popular names.
https://www.virustotal.com/en/file/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa/analysis/1494574270/

I read something yesterday about WCrypt spreading in a way that hasn't been seen since SQL Slammer. I remember that beast well. :'( Jan 2003 and 36 hours before handing in my final year network module. All you had to do was be on the internet when that bomb was let loose. I had MSDE installed (also doing a database module) for which there was no patch. Absolutely none of the AVs/firewalls stopped that gem either. I watched in horror as my PC ground to a halt. I went the best part of 3 days without sleep after having to do a full format and manual backup restore. (Couldn't use a shadow as that would contain MSDE and open me up to re-infection again.) At least Slammer didn't encrypt my backup data on another drive.

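The VirusTotal page above identifies the sample by its SHA-256, which is also the simplest thing a sysadmin can sweep an estate for once a hash is published. The script below is an added example, not from kitz or from VirusTotal: it streams SHA-256 over every file under a root and reports matches against a hash-to-name map. The only real entry in that map is the hash quoted in the post above; `demo()` writes two harmless constructed files to a temporary directory and treats one of their hashes as an IOC so the whole thing runs offline. Function names are mine.

```python
"""Sweep a directory tree for files whose SHA-256 matches known-bad hashes.

Added example, not from the forum thread or any vendor. The one real IOC is
the WannaCry sample hash quoted from VirusTotal above; demo() constructs its
own files so nothing malicious is needed to try it. A hash IOC only matches
that exact binary: a one-byte change to the sample defeats it, which is one
reason AV detection rates for new variants are so uneven.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

KNOWN_BAD_SHA256: Dict[str, str] = {
    # Hash of the WannaCry sample on the VirusTotal page linked in the thread.
    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa": "WannaCry (wcry)",
}


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, read in chunks so large files do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root: str, iocs: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (path, sha256, label) for every file under root whose hash is in iocs.

    Unreadable files (locked, permission denied) are skipped rather than
    aborting the sweep, so one locked file cannot hide the rest.
    """
    hits: List[Tuple[str, str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue
            label = iocs.get(digest)
            if label is not None:
                hits.append((path, digest, label))
    return hits


def demo() -> List[Tuple[str, str, str]]:
    """Constructed demonstration: two harmless files, one flagged via a test IOC."""
    payload = b"constructed sample, not malware\n"
    iocs = dict(KNOWN_BAD_SHA256)
    iocs[hashlib.sha256(payload).hexdigest()] = "constructed test IOC"
    with tempfile.TemporaryDirectory() as root:
        temp_dir = os.path.join(root, "AppData", "Local", "Temp")
        os.makedirs(temp_dir)
        with open(os.path.join(temp_dir, "dropped.exe"), "wb") as f:
            f.write(payload)
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"benign\n")
        return scan_tree(root, iocs)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else None
    hits = scan_tree(root, KNOWN_BAD_SHA256) if root else demo()
    for path, digest, label in hits:
        print(f"{label}\t{digest}\t{path}")
```

Point it at a user profile or a file share (`python iocsweep.py "C:\Users"`) after adding the hashes from your own intel feed to `KNOWN_BAD_SHA256`; a hit tells you the exact dropped binary is present, while a clean sweep says nothing about repacked variants, which is the limitation kitz's 48-of-61 figure illustrates.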
Title: Re: NHS hit by ransomware!
Post by: kitz on May 16, 2017, 03:10:36 PM
Didn't realise there were so many information security experts on this forum. Will have to pay attention, might be useful for my dissertation.

I get the tone ;) Don't think anyone is proclaiming to be an expert.
Interesting you mention your dissertation what's the topic?    I side-tracked on mine which was primarily compression - the encounter with Slammer sparked an interest in Viruses and how they unpacked their load, found it far more interesting than data compression algorithms any day :D
Title: Re: NHS hit by ransomware!
Post by: NEXUS2345 on May 16, 2017, 03:32:17 PM
With regards to SMB1 being disabled, they are first doing it on 10 as a trial to see the impact for if they decided to move to disable it on 7 and 8/8.1. This info came from a M$ engineer on Twitter.
Title: Re: NHS hit by ransomware!
Post by: sevenlayermuddle on May 16, 2017, 05:15:49 PM
I am certainly not a security expert. However, I don't think it is solely the fact it is less popular that makes OS X a less frequent target; it is also the fact that OS X is Unix based, and benefits from Unix's user permissions model. These permissions raise an extra level of difficulty for the bad guys: even if he manages to find a vulnerability in, say, a browser or a mail client, he'll struggle to do too much damage to the OS. Such is my understanding at least. :-\

We at the 7LM abode have had one successful malware attack on one of our Macs. But the attack involved a pop-up box asking for user password authentication before it could install itself (one of the fake AVs), kind of proving that extra barrier does work. Unfortunately, since the malware was convincingly masquerading as a Flash update, which we are all accustomed to accepting on a very regular basis, one of us (the one that isn't me :D) apparently obliged. :(

Then again, let's not forget it was a Unix vulnerability that led to the invention of worms in the first place.  Just search for the Morris Worm.   :)
Title: Re: NHS hit by ransomware!
Post by: Chrysalis on May 16, 2017, 07:11:23 PM
I didnt say no vulnerabilities existed just that linux has a more secure design out of the box.
Title: Re: NHS hit by ransomware!
Post by: Ronski on May 16, 2017, 10:51:18 PM
I think if 90% of the worlds computers were Apple based the tables would be turned completely. It's simple really, where's the most money 10% of worlds computers or 90%? Apple operating systems as with Linux may well be more secure by design but there will always be holes somewhere.

https://threatpost.com/apple-fixes-223-vulnerabilities-across-macos-ios-safari/124599/

Quote
More than a quarter of the bugs, 40 in macOS Sierra, and 30 in iOS, could lead to arbitrary code execution – in some instances with root privileges, Apple warned

*Note figures are not accurate and are purely illustrative  :P
Title: Re: NHS hit by ransomware!
Post by: sevenlayermuddle on May 16, 2017, 11:06:35 PM
I'd like to sincerely apologise to the forums for my suggestion there was anything good about Apple. In particular, I apologise for suggesting that Apple was safer from malware, compared to Microsoft.

I am of course entitled to my opinion that Apple products are rather good, and I have tried to quantify that opinion by measured technical discussions. But I need to be more sensitive to the forum's preferences, and to toe the line.

I will therefore make no further comment in this thread.
Title: Re: NHS hit by ransomware!
Post by: Ronski on May 17, 2017, 06:26:14 AM
7LM, I'm sorry that you appear to be aggrieved by what I wrote, it was certainly not my intention and was also my own opinion, and I actually agreed they may well be more secure.
Title: Re: NHS hit by ransomware!
Post by: c6em on May 17, 2017, 08:39:30 AM
Letter in Yesterday's Times from ex boss of GCHQ
Basically blames Microsoft, along the lines of: MS was told, had a fix, knew that XP was being used by lots, it was a mega hole and they did nowt.

https://www.thetimes.co.uk/article/former-spy-chief-accuses-microsoft-over-hacking-35xkg7xzm

Looks like we might be moving in the direction of General aviation where a product is "supported" when it comes to critical airworthiness issues occurring forever, while not being supported for spares etc as its out of production - often by decades.  Those aircraft where the manufacturers have ceased to exist being called orphaned.
Title: Re: NHS hit by ransomware!
Post by: broadstairs on May 17, 2017, 10:05:38 AM
There is an awful lot of noise here about which systems are secure or not, or which systems are more/less likely to be hit. I think what everyone needs to remember is that if you are online you ARE exposed and may well get hit; yes, some systems are better at protecting you from malicious installs than others, but no one is immune. There are all sorts of things you can do to help, but probably the most common reason for getting hit is either doing nothing about security or opening random files from someone you do not know or trust, and that is what the hackers are relying on. I do feel that other systems like Linux and even Apple will become greater targets in future, especially Apple tablet and phone type devices (as well as Android of course), as they are so common now. If only we could get Joe Public to take the idea of personal security and responsibility very seriously then we may start to reduce the impact.

On a slightly different tack I am worried about some of the media hype about all this, they seem to me to be promoting the idea that it is all someone else's responsibility/problem and are not making enough of the reasons why everyone should be careful.

Stuart
Title: Re: NHS hit by ransomware!
Post by: roseway on May 17, 2017, 11:15:21 AM
I agree 100% with your last point, Stuart. We live in a world in which people always look for someone else to blame when things go wrong. Of course several organisations could (and should) have done more, but if there was better observation of basic security principles at user level, it would be much harder for malware to gain entry.
Title: Re: NHS hit by ransomware!
Post by: Bowdon on May 17, 2017, 11:21:40 AM
I was suggesting Apple's too 7LM! :)

I've also been reading today about Windows 10 S https://www.microsoft.com/en-gb/windows/windows-10-s (https://www.microsoft.com/en-gb/windows/windows-10-s)

Apparently it's a very locked-down, Microsoft-only version of Windows 10, so everything has to be verified by Microsoft to run. In effect it's a whitelisted OS. I wonder if this is their answer to the recent problems, as it'll be much more difficult for a virus program to actually run without it being approved.

http://www.techradar.com/news/windows-10-cloud-release-date-news-and-rumors (http://www.techradar.com/news/windows-10-cloud-release-date-news-and-rumors)

http://www.zdnet.com/article/is-windows-10-s-for-you-the-good-the-bad-and-the-target-users/ (http://www.zdnet.com/article/is-windows-10-s-for-you-the-good-the-bad-and-the-target-users/)
Title: Re: NHS hit by ransomware!
Post by: Chrysalis on May 17, 2017, 11:37:30 AM
It's an improvement, but the whitelisting should be under the control of the administrator, not the OS vendor.

Also in regards to SmartScreen, I agree it's a definite improvement over what they did in the past, but it's not a true whitelist filtering mechanism; it's a cross between blacklisting and whitelisting, it won't outright block programs with a neutral reputation and doesn't block if the internet is down.

I probably came across as very anti-Microsoft in my earlier post. I acknowledge they cannot just change the OS in one night, removing established features, as that would alienate an awful lot of users; they need to strike a balance. Of course some things are just down to bad decisions by Microsoft, though, which they only have themselves to blame for.

Of course as well, each establishment is responsible for their own deployments, so it's also wrong for someone like the NHS to blame Microsoft. It is true that if they were patched they likely would have had only very limited damage (original compromise via email), not the mass spread via SMB.
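An added example, not from this thread: the "mass spread via SMB" Chrysalis distinguishes from the initial email compromise has a simple signature in perimeter or host firewall logs, namely one workstation fanning out to many distinct hosts on TCP 445 in a short window, whereas normal SMB traffic is many clients talking to a few file servers. The log format, the IP addresses and the thresholds below are all assumptions constructed for the example; the detector counts both allowed and denied connections, because a worm probing hosts that are down or blocked still produces the fan-out.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not a real product's):
#   "<ISO timestamp> <ALLOW|DENY> TCP <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) TCP "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["dst"], int(m["dport"])


def find_smb_scanners(lines, window=timedelta(minutes=5), threshold=20):
    """Return {src: peak_distinct_destinations} for every source that reached
    at least `threshold` distinct hosts on TCP 445 inside any `window`.
    Denied connections count too: a worm hitting dead hosts is still fanning out."""
    events = [e for e in map(parse_line, lines) if e and e[3] == 445]
    events.sort()  # chronological; the tuple sorts on the timestamp first
    recent = defaultdict(deque)  # src -> (ts, dst) pairs still inside the window
    peak = {}
    for ts, src, dst, _ in events:
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct > peak.get(src, 0):
            peak[src] = distinct
    return {src: n for src, n in peak.items() if n >= threshold}


def constructed_log():
    """Constructed sample log lines (illustrative, not real traffic)."""
    base = datetime(2017, 5, 12, 13, 4, 0)
    lines = []
    # Benign: eleven workstations each open one session to the file server.
    for i in range(20, 31):
        t = base + timedelta(seconds=i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} ALLOW TCP 10.1.2.{i}:49{i}0 -> 10.1.2.40:445")
    # Benign: HTTPS from the host that will later scan; port 443 must not count.
    lines.append(f"{base:%Y-%m-%dT%H:%M:%SZ} ALLOW TCP 10.1.2.15:50000 -> 93.184.216.34:443")
    # Worm-like: one workstation probes 60 distinct hosts on 445 in 90 seconds,
    # half of them refused because the target is down or the port is blocked.
    for i in range(1, 61):
        t = base + timedelta(seconds=10 + int(i * 1.5))
        action = "ALLOW" if i % 2 else "DENY"
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} {action} TCP 10.1.2.15:{50000 + i} -> 10.1.3.{i}:445")
    return lines


if __name__ == "__main__":
    print(find_smb_scanners(constructed_log()))
```

Run against the constructed log, only 10.1.2.15 is reported (60 distinct destinations); the eleven clients of the file server each have a fan-out of one and are ignored. In practice the threshold and window need tuning per site, and the same shape of query works in whatever SIEM holds the firewall logs.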
Title: Re: NHS hit by ransomware!
Post by: Ronski on May 29, 2017, 08:16:16 AM
Found this,  which might be useful to some, but far too late for the majority.

Wanakiwi tool decrypts WannaCry files across all Windows versions, as long as you've not rebooted.

http://www.bit-tech.net/news/bits/2017/05/22/wanakiwi-decrypts-wannacry/1

Title: Re: NHS hit by ransomware!
Post by: broadstairs on May 29, 2017, 09:50:23 AM
Quote
Found this,  which might be useful to some, but far too late for the majority.

Wanakiwi tool decrypts WannaCry files across all Windows versions, as long as you've not rebooted.

http://www.bit-tech.net/news/bits/2017/05/22/wanakiwi-decrypts-wannacry/1

Good find. It is interesting that this tool utilises another hole in M$ systems where the private key exists in memory until the next reboot. It has also been suggested that this other hole is there at the behest of some well known 3 letter acronym organisations - I could not possibly comment  ;) ;)

Stuart
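An added worked example, not from the thread or the linked article, of why key material lingering in memory is enough: an RSA private key is fully determined by the public modulus n and either one of its two primes, so a tool that can find just one prime in the still-running process can rebuild the private exponent d and decrypt. The example below simulates that with a constructed buffer standing in for process memory (a real tool such as Wanakiwi reads the live process), deliberately tiny Mersenne primes in place of a real 2048-bit key (the arithmetic is identical at any size), and the assumption that the prime is stored little-endian, which is how Windows CryptoAPI lays out key material.

```python
import random
from math import gcd

E = 65537
# Illustrative primes only: 2^61-1 and 2^89-1 are Mersenne primes, far too small
# for real use but enough to show the recovery. Not WannaCry's actual key.
P = (1 << 61) - 1
Q = (1 << 89) - 1


def make_keypair(p=P, q=Q, e=E):
    """Return ((n, e), d) for an RSA key built from primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return (n, e), pow(e, -1, phi)


def constructed_memory_dump(p, seed=1234, size=4096, offset=777):
    """Constructed stand-in for a process heap: random filler with one RSA prime
    left behind, little-endian (assumed CryptoAPI layout). A real tool would
    read the memory of the still-running malware process instead."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    p_bytes = p.to_bytes((p.bit_length() + 7) // 8, "little")
    buf[offset:offset + len(p_bytes)] = p_bytes
    return bytes(buf)


def recover_prime(dump, n, prime_len):
    """Slide a prime_len-byte window over the dump; the first window whose value
    is a non-trivial divisor of n must be one of the two primes."""
    for i in range(len(dump) - prime_len + 1):
        cand = int.from_bytes(dump[i:i + prime_len], "little")
        if 1 < cand < n and n % cand == 0:
            return cand
    return None


def private_exponent_from_prime(n, e, p):
    """Given one prime, derive the other and the private exponent d."""
    q, rem = divmod(n, p)
    assert rem == 0
    return pow(e, -1, (p - 1) * (q - 1))


def demo():
    (n, e), d_true = make_keypair()
    # The encryptor only needs the public key; the private half is what the
    # attacker withholds and what we recover from memory.
    m = int.from_bytes(b"patient-record", "big")
    assert m < n
    c = pow(m, e, n)
    dump = constructed_memory_dump(P)
    p = recover_prime(dump, n, prime_len=8)  # 2^61-1 occupies 8 bytes
    d = private_exponent_from_prime(n, e, p)
    plain = pow(c, d, n).to_bytes(14, "big")
    return p == P, d == d_true, plain


if __name__ == "__main__":
    print(demo())
```

This is also why kitz's caveat matters: the scan only finds the prime while the process memory that held it has not been freed and reused or cleared by a reboot. Zeroing key material after use is the defence on the CryptoAPI side; from the victim's side, leaving the machine running (disconnected from the network) preserves the chance of recovery.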
Title: Re: NHS hit by ransomware!
Post by: Ronski on May 29, 2017, 10:27:27 AM
It wouldn't surprise me in the slightest.
Title: Re: NHS hit by ransomware!
Post by: kitz on May 29, 2017, 08:30:33 PM
Good find.  However this bit "It can only operate if the system has been recently infected and not rebooted since, " could be problematic.

I should imagine the majority of users would shut down the PC as soon as they see they are infected. :(
Title: Re: NHS hit by ransomware!
Post by: phi2008 on June 06, 2017, 02:59:00 PM
I'm surprised that the NHS hospitals even had Sophos doing their anti-virus stuff.. I assumed it was Windows Defender.. but now I think about it, does XP even have a built-in AV?

I think while it's good to look into the technical capabilities of Windows versions, I think it's also important to keep things in context. I'm not aware of any other patched-up OS getting hit. It only seems to be XP. Which suggests the issue was actually fixed and the group who did it knew that the institutions likely used XP.


The exploit didn't infect XP machines - the exploit scanner scanned them and decided not to infect (wrongly - code was taken from Metasploit). Everyone was raving about XP in the media - XP didn't get infected over the network; it would be OSs later than that that were spreading it.  :)
Title: Re: NHS hit by ransomware!
Post by: sevenlayermuddle on June 06, 2017, 07:38:14 PM
Quote
The exploit didn't infect XP machines - the exploit scanner scanned them and decided not to infect (wrongly - code was taken from Metasploit). Everyone was raving about XP in the media - XP didn't get infected over the network; it would be OSs later than that that were spreading it.  :)

A quick search yields many media reports confirming what you say. :)

That does not surprise me.  Malware writers are far more likely to target recent or current OS versions, simply because that is where they'll find the greatest number of vulnerable systems.   The fact that the old systems are no longer updated is compensated for by the fact there will always be plenty of nice juicy vulnerabilities, even if not 'new', in more modern OSs.

It could even be argued (with some caution) that a valid defence is to always run old versions, where possible.   Note the smiley, this is meant tongue in cheek.   Mostly, or for debate in a separate thread at least.   :D


Title: Re: NHS hit by ransomware!
Post by: phi2008 on June 06, 2017, 09:40:35 PM
I think it was more of a scanner mistake than design; if you manually infected an XP machine it would infect other network PCs like any other - as I said, they just copied some Metasploit code AFAIK.
Title: Re: NHS hit by ransomware!
Post by: petef on June 08, 2017, 02:22:10 PM
Informed opinion is now that XP was neither infected nor used to spread the malware. At worst it would BSOD. The spread and damage was on later Windows that had not been patched.

https://www.theregister.co.uk/2017/05/31/windows_xp_probably_too_primitive_to_spread_wannacrypt/