[dba-Tech] Wanna Cry/WannaCrypt

Peter Brawley peter.brawley at earthlink.net
Fri May 26 13:20:42 CDT 2017


Jim, many thanks.

PB


On 5/26/2017 11:44, Jim Lawrence wrote:
> I don't think stopping the use of SMB1 is mandatory within a network, but all external access points and forward-facing applications should block ports 139 and 445. That should be an easy fix on any router or smart switch.
>
> Here is another article about the Wannacry malware from Cisco, which describes the worm's function in greater detail:
> http://blog.talosintelligence.com/2017/05/wannacry.html
>
> Another suggestion the article makes is, unless absolutely required, to block TOR instances. Using VPNs, SSL and SSH protocols might be a safer way to securely transfer data and manage remote systems. Another comment is to simply close all external ports that are not absolutely required; port 80 of course has to remain open. In your router turn on the firewall and, if you have it (any router over $30 does have it built in), enable SPI security:
> https://en.wikipedia.org/wiki/Stateful_firewall
>
> I think the attack was just a start of things to come. This piece of malware was polite in comparison to what could have been deployed. Imagine if the designer had not bothered to put in a kill-switch, or had the app activation time-delayed for a couple of weeks so it could be secured in many more sites. The damage might have extended to hundreds of thousands of machines and would keep running for months. It should be noted that both the CIA's and NSA's war-chest of hacks and malware was completely looted and the components are being sold off worldwide to the highest bidders.
>
> Aside: One of the most used and damaged products out there is WordPress:
> http://thehackernews.com/2017/02/wordpress-hack-seo.html
>
> Updates are not automatic, or should not be, as doing the updates can clobber the configuration files. We just keep checking for updates and do them manually. A real PIA. Fortunately, our WP site is in a container so there is no danger of collateral damage, but we have been hacked twice. It might be necessary to turn off the blog and just hard-code the site until the team at WordPress figures out how to secure their databases while not destroying all the third-party plug-ins that make it so popular.
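For anyone who wants to act on Jim's advice about ports 139 and 445 on a Linux router, here is an added example (mine, not from the thread or from the Cisco article). It prints the iptables rules that drop inbound SMB on the Internet-facing interface, includes the stateful (SPI) conntrack rule so established sessions still pass, and audits an existing `iptables-save` dump to confirm the block is actually there. The interface name `eth0` and the two sample rulesets are constructed assumptions; the audit goes slightly beyond the e-mail in that it also recognises `-m multiport --dports` rules.

```shell
#!/bin/sh
# Added example, not part of the dba-Tech thread. Blocks inbound NetBIOS-SSN/SMB
# (TCP 139 and 445) from the WAN side of a Linux router and audits a ruleset.
# WAN_IF is an assumed interface name; override it in the environment if needed.

WAN_IF="${WAN_IF:-eth0}"

# Print the rules instead of applying them, so this runs without root.
# To apply on a real router:  smb_block_rules | sudo sh
smb_block_rules() {
  # Stateful inspection (SPI): let replies to outbound connections through.
  printf 'iptables -A INPUT -i %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$WAN_IF"
  for port in 139 445; do
    # Drop SMB aimed at the router itself and at hosts behind it.
    printf 'iptables -A INPUT -i %s -p tcp --dport %s -j DROP\n' "$WAN_IF" "$port"
    printf 'iptables -A FORWARD -i %s -p tcp --dport %s -j DROP\n' "$WAN_IF" "$port"
  done
}

# Read an iptables-save dump on stdin. Prints "blocked" when both 139 and 445 are
# dropped or rejected in INPUT on the WAN interface (single --dport or multiport
# --dports form), otherwise "exposed: <ports>" listing the unprotected ports.
smb_audit() {
  rules=$(cat)          # slurp stdin once so we can scan it per port
  missing=""
  for port in 139 445; do
    pat="-A INPUT .*-i $WAN_IF .*(--dport $port |--dports ([0-9]+,)*$port(,[0-9]+)* ).*-j (DROP|REJECT)"
    if ! printf '%s\n' "$rules" | grep -E -e "$pat" >/dev/null; then
      missing="$missing $port"
    fi
  done
  if [ -z "$missing" ]; then
    echo "blocked"
  else
    echo "exposed:$missing"
  fi
}

# Constructed sample dumps (not from any real router).
# A router that followed the advice: SMB dropped with a multiport rule.
BLOCKED_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp -m multiport --dports 139,445 -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# A router that forwards web traffic but leaves SMB reachable from the Internet.
EXPOSED_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 445 -j ACCEPT
COMMIT'

# Stand-alone demo: show the rules, then audit both samples.
echo "# rules to apply on $WAN_IF:"
smb_block_rules
echo "# audit of hardened sample: $(printf '%s\n' "$BLOCKED_RULES" | smb_audit)"
echo "# audit of open sample:     $(printf '%s\n' "$EXPOSED_RULES" | smb_audit)"
```

On a live router the audit is `iptables-save | smb_audit`; a result other than `blocked` means SMB is still reachable from the WAN side and the printed rules (or the router's own firewall UI) need applying.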


