Kitz ADSL Broadband Information
Author Topic: NHS hit by ransomware!  (Read 21178 times)

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: NHS hit by ransomware!
« Reply #60 on: May 16, 2017, 08:34:48 AM »

IMHO Apple do charge a premium for iPhone but not so much for MacBooks. The latter compare favourably with a Windows PC if you look at like with like on such matters as case, display and SSD. Which? often picks Macs as best buys in laptops.

My main day to day workhorse remains my 2009 Mac Mini, cost circa £500, and supported on new OS versions all the way through to last year. They even sneaked in an EFI (/BIOS) update somewhere along the way that raised the RAM ceiling from 4 GB to a much more useful 8 GB.

I finally have a reason to replace it as mine won't run Sierra.  I want to buy another Mini.   Only trouble is, they seem a bit half-hearted about the Mini these days, no new versions since late 2014. :'(

petef

  • Reg Member
  • ***
  • Posts: 135
Re: NHS hit by ransomware!
« Reply #61 on: May 16, 2017, 09:17:34 AM »

Quote
My main day to day workhorse remains my 2009 Mac Mini, cost circa £500, and supported on new OS versions all the way through to last year. They even sneaked in an EFI (/BIOS) update somewhere along the way that raised the RAM ceiling from 4 GB to a much more useful 8 GB.

I finally have a reason to replace it as mine won't run Sierra. I want to buy another Mini. Only trouble is, they seem a bit half-hearted about the Mini these days, no new versions since late 2014. :'(

I was disappointed when Apple made El Capitan the end of the line for our vintage of hardware. While they are still pushing out updates I am not too bothered. I would not use the two main features of Sierra: Siri and improved connectivity with other iThings.

roseway

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 43467
  • Penguins CAN fly
    • DSLstats
Re: NHS hit by ransomware!
« Reply #62 on: May 16, 2017, 09:59:11 AM »

With respect chaps, this is rather off-topic...
  Eric

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4300
Re: NHS hit by ransomware!
« Reply #63 on: May 16, 2017, 10:12:04 AM »

It seems to me the 'spread by SMB' factor is the scariest thing about this whole issue. If I understand right, just by connecting to a LAN to which an infected machine also connects, a vulnerable device can get infected? :o

Example scenario: most of us will connect to a hotel's guest WiFi without much thought, but I wonder how many hotel networks enforce isolation between clients..? And how could we tell?

Would the fact that Windows seems to default to the public profile for new networks, and thus file sharing is turned off, mean that SMB is not compromised? Can't remember if XP works that way or not.
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D
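The "how could we tell?" question above has a local answer for the Windows side, whatever the hotel does about client isolation: check which firewall profile the current network landed in, whether anything is listening on TCP 445, and which inbound rules would let a neighbour reach it. The script below is an added example, not from the original post; it assumes Windows 8/2012 or later (for the NetConnection/NetSecurity cmdlets), an elevated prompt, and an adapter named "Wi-Fi", which you may need to change.

```powershell
# Added example: pre-flight check before trusting a shared LAN such as hotel Wi-Fi.
# Assumes Windows 8/2012+ and an elevated PowerShell.  The adapter alias is an assumption.
$iface = 'Wi-Fi'

# 1. Which profile did Windows put this network in?  Only "Public" keeps the
#    built-in "File and Printer Sharing" rules closed by default.
$net = Get-NetConnectionProfile -InterfaceAlias $iface
"Network '{0}' is categorised as {1}" -f $net.Name, $net.NetworkCategory

if ($net.NetworkCategory -ne 'Public') {
    # New networks default to Public, but one click on the discovery prompt
    # promotes them to Private; push it back.
    Set-NetConnectionProfile -InterfaceAlias $iface -NetworkCategory Public
}

# 2. Is the SMB server actually listening?  If nothing listens on 445 there is
#    nothing on this host for a worm on the same LAN to talk to.
$listen = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
if ($listen) { 'TCP 445 is listening (SMB server is up)' } else { 'TCP 445 is not listening' }

# 3. Which enabled inbound rules open 445 on the Public profile?  An empty list
#    here is what you want to see on an untrusted network.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { "$($_.Profile)" -match 'Public|Any' } |
    Where-Object { (Get-NetFirewallPortFilter -AssociatedNetFirewallRule $_).LocalPort -contains '445' } |
    Select-Object DisplayName, Profile, Action

# 4. Belt and braces: an explicit block rule beats any allow rule that a later
#    profile change or application installer might switch on.
New-NetFirewallRule -DisplayName 'Block inbound SMB on untrusted networks' `
    -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Public,Private |
    Out-Null
```

Step 4 is deliberately a block rule rather than disabling the sharing rules: in Windows Firewall a matching block rule wins over any allow rule, so it keeps working even if someone re-enables "File and Printer Sharing" later. It does not protect a host that is itself the one reaching out, so it is a complement to patching, not a substitute.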

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: NHS hit by ransomware!
« Reply #64 on: May 16, 2017, 11:10:25 AM »

To answer the earlier question regarding CryptoPrevent: given it seems it was originally delivered by email as a binary payload, the answer is maybe. Since CryptoPrevent only uses blacklisting, it depends on whether the filename matched any of the masks configured by CryptoPrevent.

I think the NHS really shouldn't be allowing their staff to receive emails with binary attachments, but this may be harsh given we still don't know 100% of the specifics.

Regarding Sophos, the problem they had, and what most of the AV industry has, is that they protect via blacklist definitions, which always lose against 0-days. These vendors work on how to detect compromises that have already entered the system instead of preventing them in the first place. Ironically Sophos owns HitmanPro.Alert, which is a product that aims to prevent malware via memory exploits prior to it even hitting the disk. But HitmanPro.Alert started suffering when they started only reacting to malware after it was already in the wild instead of being a preventative system.

The best type of protections tend to be whitelist focused, and some examples are:

Reputation based systems: deny by default unless good reputation.
Anti-exe: deny by default, needs whitelisting.
HIPS (behaviour analysis): HIPS is very powerful but also not consumer friendly; since security vendors aim for set-and-forget solutions, HIPS is not very popular. Emsisoft has a dumbed-down HIPS with their behaviour blocker.
Memory exploits are where malware does its work all in memory and as such does not need to write to disk to run a payload. Certain software such as EMET (free), HitmanPro.Alert and Malwarebytes Anti-Exploit aims to prevent that type of malware, and some AV like NOD32 have exploit protection built in as well.

Before memory exploits it was quite easy to make an immune Windows box.

Set up AppLocker/SRP and deny execution rights to all user-writeable folders such as %temp%, %userprofile%, and document folders, whilst at the same time making sure any unprivileged application cannot write to any executable folders like Program Files. Browsers such as Chrome and IE will auto-sandbox and run at low privilege levels and become immune in such a configuration; Firefox would need to be sandboxed by something like Sandboxie. Not even AV would have any use in such a configuration. Finally, make sure to use a limited user account for everyday tasks.

But now we have memory exploits, things are a bit harder but still not overly difficult; the issue is the way Microsoft ships the operating system and how the consumer security vendors choose to apply their protections.

Microsoft introduced UAC with Vista as a stop gap; the intention was for LUA eventually to be the default privilege level, but instead what happened is UAC got watered down in Windows 7 and admin accounts remained the default. They also have wrappers like svchost and rundll32 which can make auditing very difficult, e.g. I get Windows Firewall requests to allow rundll32 to have access to some random IP, and I have no idea of the originator of that request.

On Linux there are no such wrappers, and in addition Linux users are well used to running with restricted accounts, and if they need to do maintenance they will su to root or use sudo. Again, Windows has no MAC restrictions system akin to SELinux; the closest to it is 3rd party HIPS solutions.

Microsoft have AppLocker, which they have decided is only suitable for enterprise, when it would clearly be very useful to help consumers if enabled and with some automated configuration templates.

This is why Windows has so many issues with security time and time again.

I only still use Windows because of PC gaming; all my other tasks could be done in a Linux/FreeBSD environment.
« Last Edit: May 16, 2017, 11:28:57 AM by Chrysalis »
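One concrete form of the "deny execution from user-writeable folders" configuration described in the post above, as an added example that is not the poster's own policy: instead of enumerating every writeable path, the AppLocker policy allows executables only from %PROGRAMFILES% and %WINDIR% (minus the user-writeable Temp and Tasks folders under it) for Everyone, and everything for Administrators, so %TEMP%, %USERPROFILE% and the Documents folders are denied by omission. It assumes a Windows edition that ships AppLocker (Enterprise/Ultimate and later equivalents), an elevated prompt, and the Application Identity service; the rule GUIDs are arbitrary and the two sample paths are constructed for the dry run.

```powershell
# Added example: AppLocker default-deny for EXEs, tested before it is enforced.
# Assumes an AppLocker-capable Windows edition and an elevated PowerShell.
# Rule Ids are arbitrary GUIDs; S-1-1-0 is Everyone, S-1-5-32-544 is Administrators.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions>
        <!-- user-writeable folders under %WINDIR% that would otherwise be a bypass -->
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

$policyPath = Join-Path $env:TEMP 'applocker-default-deny.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run (constructed sample paths): a binary dropped into %TEMP%, as an email
# attachment would be, versus one installed under Program Files.  The %TEMP%
# sample is a copy of notepad.exe so the cmdlet has a real PE to inspect.
$dropped   = Join-Path $env:TEMP 'invoice.pdf.exe'
$installed = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'
Copy-Item -Path (Join-Path $env:windir 'System32\notepad.exe') -Destination $dropped -Force

Test-AppLockerPolicy -XmlPolicy $policyPath -Path $dropped, $installed -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule
# Expected: the %TEMP% copy is Denied (no matching rule), iexplore.exe is Allowed.

# Enforce.  Rules are silently ignored unless the Application Identity service
# runs; on Windows 10 it is a protected service, so sc.exe rather than Set-Service.
sc.exe config AppIDSvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath
Get-AppLockerPolicy -Effective -Xml
```

Two caveats a practitioner will want before deploying this: the policy only covers the Exe collection, so DLLs, scripts and MSI packages need their own collections (and the Dll collection carries a performance cost), and any folder under Program Files that an installer has left writeable by users becomes a bypass, which is the "unprivileged application cannot write to any executable folders" half of the post's advice.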

niemand

  • Kitizen
  • ****
  • Posts: 1836
Re: NHS hit by ransomware!
« Reply #65 on: May 16, 2017, 12:25:36 PM »

Didn't realise there were so many information security experts on this forum. Will have to pay attention, might be useful for my dissertation.

NEXUS2345

  • Reg Member
  • ***
  • Posts: 235
Re: NHS hit by ransomware!
« Reply #66 on: May 16, 2017, 12:31:53 PM »

Windows 10 does a lot of stuff to improve the security of the OS. For example, everything EMET did is built directly into the OS and is enabled by default. Windows Defender is now much more powerful due to it having cloud analysis techniques. Also, the Windows SmartScreen filter tech is improving security against unknown binaries, but as many are saying, Microsoft for some reason still allow execution of .js and .ws files by default... best to set those extensions to open in Notepad by default to protect users.

Also, I will remind everyone that this was not a zero day vulnerability. It was discovered and patched over a month ago; however, due to the NHS using XP, or just due to bad patching practices in other businesses, this patch never reached the afflicted systems. It is also worth noting that this flaw only affected systems that had SMB1 enabled. SMB2+ was unaffected, and SMB1 will be disabled by default in Windows 10 as part of the next big update. It is also worth noting one of the only reasons SMB1 remains active is because many Linux-based devices have yet to gain SMB3 support despite it being out since, I believe, Windows 7 or 8, so 5-7 years now, and SMB3 is an open spec, so there is no excuse with regards to it being proprietary.

Wouldn't call myself an infosec specialist mainly because I am still doing my A-levels, but I keep up to date and read into things. @SwiftOnSecurity is a good one to follow on Twitter for sysadmin and infosec stuff.
Security improvement and remediation consultant with infrastructure specialisation

IDNet Openreach FTTP 1000/115 + Asus RT-AX92U | Virgin Media 200 + SuperHub 3 + Synology MR2200ac mesh | Sky 80/20 with WiFi Guarantee on Huawei 288 cabinet
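The two mitigations named in the post above (switch SMB1 off rather than wait for the Windows 10 update to do it, and stop double-clicked script files from running under the Windows Script Host) can both be done today with a few lines of PowerShell. This is an added example, not from the post; it assumes Windows 8.1/Server 2012 R2 or Windows 10 with an elevated prompt (Windows 7 has no Get-SmbServerConfiguration and needs the registry instead), and it edits only the machine-wide file associations under HKLM.

```powershell
# Added example: turn off SMB1 and point Windows Script Host file types at Notepad.
# Assumes Windows 8.1/2012 R2 or Windows 10 and an elevated PowerShell.

# --- SMB1 ---------------------------------------------------------------
# Server side: show the current state, then disable the SMB1 dialect.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, EnableSMB2Protocol
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# Client side: on Windows 10 the optional feature removes both halves; on 8.1
# the SMB1 redirector (mrxsmb10) is disabled and dropped from the workstation
# service's dependency list so the service still starts without it.
$os = [System.Environment]::OSVersion.Version
if ($os.Major -ge 10) {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
} else {
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
    sc.exe config mrxsmb10 start= disabled
}

# --- Script file types -------------------------------------------------
# The default "open" verb for these ProgIDs launches wscript.exe; replacing it
# with notepad.exe means a double-clicked attachment shows source, not runs it.
$notepad = '"' + (Join-Path $env:windir 'System32\notepad.exe') + '" "%1"'
$progIds = 'JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile', 'WSHFile'

foreach ($id in $progIds) {
    $key = "HKLM:\SOFTWARE\Classes\$id\Shell\Open\Command"
    if (Test-Path $key) {
        Set-ItemProperty -Path $key -Name '(default)' -Value $notepad
    }
}

# Verify: every handler should now read back as notepad.exe.
foreach ($id in $progIds) {
    $key = "HKLM:\SOFTWARE\Classes\$id\Shell\Open\Command"
    if (Test-Path $key) {
        "{0,-8} -> {1}" -f $id, (Get-ItemProperty -Path $key).'(default)'
    }
}
```

Two limits worth knowing: a per-user association under HKCU\Software\Classes (or an Explorer "open with" choice) overrides the HKLM handler, so check both on a shared machine, and the association change only affects shell opens; wscript.exe and cscript.exe still run a script passed on the command line, which is one of the cases the AppLocker Script collection exists for. The SMB1 change needs a reboot to take full effect, and any old NAS or printer that only speaks SMB1 will stop mapping until it is updated.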

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: NHS hit by ransomware!
« Reply #67 on: May 16, 2017, 12:40:11 PM »

Sorry, EMET is not all built into the OS :). Microsoft did post a blog claiming it is, until someone pulled it apart, which resulted in Microsoft extending EMET's support. It was also pointed out Microsoft cannot simply pretend Windows 7 and 8.1 don't exist; if something is locked down in Windows 10, it doesn't mean it's not a problem, as Windows 7 and 8.1 are both officially supported by Microsoft whether they like it or not.

http://blog.morphisec.com/emet-refuses-to-die
https://news.sophos.com/en-us/2016/11/30/moving-beyond-emet-part-2/
https://insights.sei.cmu.edu/cert/2016/11/windows-10-cannot-protect-insecure-applications-like-emet-can.html

It was zero day in the sense that Sophos did not detect it until analysing it. So in regards to Sophos it was zero day, and it can be the same for all other AV vendors who needed to update definitions to detect the variant. Generally in the malware community, if any major security vendor is unable to detect it, then it qualifies as a zero day, even if the OS has a patch.

The question is, Nexus:

Has SMB1 been disabled in Windows 8 and 7 in updates? If not, do you think that it's acceptable to not patch up operating systems which are not EOL?

SMB2 is still a nasty mess, it's just not quite as bad as SMB1.

Disabling SMB1 in the next big update to Windows 10 proves my point really; it's a "reaction" to something that has already happened. A band-aid, so to speak.
« Last Edit: May 16, 2017, 12:51:22 PM by Chrysalis »

Bowdon

  • Content Team
  • Kitizen
  • *
  • Posts: 2395
Re: NHS hit by ransomware!
« Reply #68 on: May 16, 2017, 01:58:38 PM »

I think the important thing is whether the ransomware's activity could be stopped once it tried to activate.

I'm surprised that the NHS hospitals even had Sophos doing their antivirus stuff... I assumed it was Windows Defender... but now I think about it, does XP even have a built-in AV?

I think while it's good to look into the technical capabilities of Windows versions, I think it's also important to keep things in context. I'm not aware of any other patched-up OS getting hit. It only seems to be XP, which suggests the issue was actually fixed and the group who did it knew that the institutions likely used XP.

There seems to be a lot of passing the buck going on too. From a group with suspected links to North Korea, even though the tech experts on the ground said it's actually based in China with very weak links to North Korea (so weak the tech experts wouldn't say for sure it is NK).

Then we have the NSA making a statement yesterday on how we can protect ourselves. NO apology. NO "we're sorry we wanted to spy on you so badly we just left the backdoor open". Also I DO NOT believe Microsoft didn't know about this. Do a Google search on "Microsoft colluded with NSA". M$ is well known for it. Most of this privacy information they grab is probably for the NSA.

M$ have been caught with their pants down on this and they need to do a lot to recover.

A couple of points have come out of this for me.

1. Bitcoin trading needs to be tracked and have its anonymity removed.

2. There is a good case for businesses to move to using Mac or other OSes instead of Windows.

https://www.theregister.co.uk/2017/05/16/microsoft_stockpiling_flaws_too/
While Microsoft griped about NSA exploit stockpiles, it stockpiled patches: Friday's WinXP fix was built in February - And it took three months to release despite Eternalblue leak

Quote
Around January this year, Microsoft was tipped off by persons unknown that the NSA's Eternalblue cyber-weapon, which can compromise pre-Windows 10 systems via an SMBv1 networking bug, had been stolen and was about to leak into the public domain. In March, Microsoft emitted security fixes for supported versions of Windows to kill off the SMB vulnerability, striking Eternalblue dead on those editions.

Even when M$ knew it was compromised it still couldn't bring itself to fix it... smh
« Last Edit: May 16, 2017, 02:08:41 PM by Bowdon »
BT Full Fibre 500 - Smart Hub 2

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33879
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: NHS hit by ransomware!
« Reply #69 on: May 16, 2017, 02:59:37 PM »

Couple of points, some of which Ronski has already covered. Really bad hand day so not sure how much I can type.

XP is end of life. Microsoft will continue to support it if you pay, so the option is there for the larger organisations such as the NHS, which has certain [X-ray type] equipment software which will only run with XP. I can fully understand why M$ don't continue to support forever for free. Microsoft rolled out a fix for those machines which were supported. It did only affect those unsupported/unpatched machines.

How long do Apple continue to support for? I believe it's 3 generations, and they too in the past have charged for upgrades.
It appears to be the way of the world. Same thing with the mobile operating systems.

Ummm, not sure it would be a good idea to move to Apple. Their products are overpriced for the same PC spec. Not so easy to replace parts, and even if you can then the cost is extortionate. Linux maybe; could be compatibility issues though with some software. Apple is not immune to malware, it's just less likely to be a target for hackers because it's less popular. Hackers obviously target the most popular because the returns are going to be greater.

There's a link on CryptoPrevent's website which shows CryptoPrevent vs WannaCry. There's also a link to a video showing it in action.
https://www.foolishit.com/2017/05/cryptoprevent-vs-wannacry-wannacryptorwcry-wcry-ransomware/

VirusTotal shows which AVs were able to detect WCrypt. 48 out of 61 didn't, including some of the most popular names.
https://www.virustotal.com/en/file/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa/analysis/1494574270/

I read something yesterday about WCrypt spreading in a way that hasn't been seen since SQL Slammer. I remember that beast well. :'( Jan 2003 and 36 hours before handing in my final year network module. All you had to do was be on the internet when that bomb was let loose. I had MSDE installed (also doing a database module) for which there was no patch. Absolutely none of the AVs/firewalls stopped that gem either. I watched in horror as my PC ground to a halt. I went the best part of 3 days without sleep after having to do a full format and manual backup restore. (Couldn't use a shadow as that would contain MSDE and open me up to re-infection again.) At least Slammer didn't encrypt my backup data on another drive.

Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33879
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: NHS hit by ransomware!
« Reply #70 on: May 16, 2017, 03:10:36 PM »

Quote
Didn't realise there were so many information security experts on this forum. Will have to pay attention, might be useful for my dissertation.

I get the tone ;) Don't think anyone is proclaiming to be an expert.
Interesting you mention your dissertation; what's the topic? I side-tracked on mine, which was primarily compression; the encounter with Slammer sparked an interest in viruses and how they unpacked their load, and I found it far more interesting than data compression algorithms any day :D

NEXUS2345

  • Reg Member
  • ***
  • Posts: 235
Re: NHS hit by ransomware!
« Reply #71 on: May 16, 2017, 03:32:17 PM »

With regards to SMB1 being disabled, they are first doing it on 10 as a trial to see the impact, for if they decide to move to disable it on 7 and 8/8.1. This info came from a M$ engineer on Twitter.

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: NHS hit by ransomware!
« Reply #72 on: May 16, 2017, 05:15:49 PM »

I am certainly not a security expert. However, I don't think it is solely the fact it is less popular that makes OS X a less frequent target; it is also the fact that OS X is Unix based, and benefits from Unix's user permissions model. These permissions raise an extra level of difficulty for the bad guys: even if he manages to find a vulnerability in, say, a browser or a mail client, he'll struggle to do too much damage to the OS. Such is my understanding at least. :-\

We at the 7LM abode have had one successful malware attack on one of our Macs. But the attack involved a pop-up box asking for user password authentication before it could install itself (one of the fake AVs), kind of proving that extra barrier does work. Unfortunately, since the malware was convincingly masquerading as a Flash update, which we are all accustomed to accepting on a very regular basis, one of us (the one that isn't me :D) apparently obliged. :(

Then again, let's not forget it was a Unix vulnerability that led to the invention of worms in the first place.  Just search for the Morris Worm.   :)

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: NHS hit by ransomware!
« Reply #73 on: May 16, 2017, 07:11:23 PM »

I didn't say no vulnerabilities existed, just that Linux has a more secure design out of the box.

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4300
Re: NHS hit by ransomware!
« Reply #74 on: May 16, 2017, 10:51:18 PM »

I think if 90% of the world's computers were Apple based the tables would be turned completely. It's simple really: where's the most money, 10% of the world's computers or 90%? Apple operating systems, as with Linux, may well be more secure by design, but there will always be holes somewhere.

https://threatpost.com/apple-fixes-223-vulnerabilities-across-macos-ios-safari/124599/

Quote
More than a quarter of the bugs, 40 in macOS Sierra, and 30 in iOS, could lead to arbitrary code execution – in some instances with root privileges, Apple warned

*Note figures are not accurate and are purely illustrative  :P