[dba-Tech] Wanna Cry/WannaCrypt

Jim Lawrence accessd at shaw.ca
Fri May 26 11:44:51 CDT 2017 

Hi Peter:

I don't think stopping the use of SMB1 is mandatory, within a network, but all external access points and forward facing applications should block ports 139 and 445. That should be an easy fix on any router or smart-switch.

Here is another article of the Wannacry malware from Cisco, which describes the worms function in greater detail:
http://blog.talosintelligence.com/2017/05/wannacry.html

Another, suggestion that the article makes is, unless absolutely required, block TOR instances. Using VPNs, SSL and SSH protocols might be a safer way to securely transfer data and manage remote systems. Another comment is to simply close all external ports that are not being absolutely required...port 80 of course has to remain open. In your router turn on the firewall and if you have it (any router over $30 does have it built in) enable SPI security: 
https://en.wikipedia.org/wiki/Stateful_firewall

I think the attack, was just a start of things to come. This piece of malware was polite in comparison to what could have been deployed. Imagine if the designer had not bothered to put in a kill-switch or had the app activation time-delayed, for a couple weeks so it could be secured in many more sites. The damage might have extended to hundreds of thousands of machines and would keep running for months. It should be noted that both the CIA and NSA's war-chest of hacks and malware was completely looted and the components are being sold off world wide, to the highest bidders.

Aside: One of the most used and damaged products out there is WordPress:
http://thehackernews.com/2017/02/wordpress-hack-seo.html

Updates are not automatic or should not be as doing the updates can clobber the configuration files. We just keep checking for updates and do them manually. A real PIA. Fortunately, our WP site is in a Container so there is no danger of collateral damage but we have been hacked twice. It might be necessary to turn off the blog and just hard-code the site until the team at WordPress figures out how to secure their databases while not destroying all the third-party plug-ins, that make it so popular.
 
Jim 

----- Original Message -----
From: "Peter Brawley" <peter.brawley at earthlink.net>
To: "Discussion of Hardware and Software issues" <dba-tech at databaseadvisors.com>
Sent: Wednesday, May 24, 2017 3:39:38 PM
Subject: Re: [dba-Tech] Wanna Cry/WannaCrypt

Some sites are recommending that we disable SMB1 on pre-2008 Windows 
versions. Anybody know anything about that?

PB

-----

On 5/23/2017 13:07, Jim Lawrence wrote:
> Hi All:
>
> The is a rather late comment on the Wannacry worm that spread around the planet.
>
> <rant mode on>
> People have been quick to blame Microsoft for their hacked systems when the problem could have been easily blocked and recovered from by just using the most basic steps. I personally find it amazing that even though PCs have been around for a generation, few seem grasp the basics of planning for failure. Failure of your system is guaranteed. Consider your computer like a light bulb...all fail eventually and if you career or business depends on your data, plan for system failure one way or the other. The Wannacry worm was a wake up call.
>
> Aside: I strong disagree with the creation and storage of hidden system vulnerabilities. Not matter how well hidden they always get out and if not, when used, they are like a gas attack. It takes a wary opponent hours to reciprocate and because of our highly technical society we end up getting hammered to pieces, far worse. Can you imagine what would have happened if after Japan was nuked, within hours, Japan was nuking the west coast, in retaliation?
> </rant mode off>
>
> XP was really not the problem as how could anyone expect a ancient system to not be easily hackable? The real problem is that of how the system's routers were setup. To start with, secure mode should always be set, on the router. This mode shuts down every port except port 80 unless specifically requested by the user and that requires a manual entry. The hack, passed through the router, using port 139, that was used by NetBIOS and in conjunction with port 445, for direct TCP/IP SMB. No one uses these ports anymore so they should be turned off. Even as far back as 1995, when install Windows 3.1 workgroup, Microsoft was recommending not using applications that required these ports. If you want to check to see if these ports are open on your router or network, browse to one of many external port checkers. I use the following online app as it is generic and works on everything:
>
> http://www.yougetsignal.com/tools/open-ports/
>
> When arriving on the opening screen find and click on the button, on the right saying "Scan all common ports". If ports 139 and 445 show up as open turn them off through your router.
>
> Backup are the essential for every PC that has data that is worth anything. The MAC has an excellent, fully automated system called the timemachine, that initialises with a hard-drive image and then does a regular/continuous backup of all changed files. Linux has many excellent backup systems...a package called Cronopete emulates the features of the Apple Timemachine. Both these products allow your system, from a hard down, to operational within an hour. MS Windows may have something similar, I don't know...all I can say is they didn't use to.
>
> I don't want to make the following appear as a rant against Microsoft but there are some major faults in Window design. Its greatest strength and weakness is it backward compatibility. With that compatibility comes an inability to sand-box or isolate a process, a user or application. That is just the way it is designed from the ground up and the cost of rebuilding millions of lines of ancient of code is prohibitive. I am pleased to see Microsoft is adopting more and more Linux modules. At one time, in the future, in may just become another flavour of Linux. In the meantime, while MS is going through this migration process, I just use Linux. Linux is also great for walling in and protecting your Windows servers as Linux is much better at being front facing. Linux today, runs most of the best routers (ie. Cisco) but not all are expensive and many older routers can be upgraded using products like OpenWrt, pfSense, OpenVPN to name but a few industry standards. (They are also O!
 SS!
>   .)
>
> One last comment on Windows and Linux comes from TechRepublic. A quote from the article goes as follows; "The important question here is this: Have there been any ransomware attacks on the Linux desktop? The answer is no. With that in mind, it's pretty easy to draw the conclusion that now would be a great time to start deploying Linux on the desktop.":
>
> http://www.techrepublic.com/article/wannacrypt-makes-an-easy-case-for-linux/
>
> Jim
>   
>
> _______________________________________________
> dba-Tech mailing list
> dba-Tech at databaseadvisors.com
> http://databaseadvisors.com/mailman/listinfo/dba-tech
> Website: http://www.databaseadvisors.com
>



_______________________________________________
dba-Tech mailing list
dba-Tech at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/dba-tech
Website: http://www.databaseadvisors.com

More information about the dba-Tech mailing list