rsc204

Major flaw in Windows systems... make sure you've patched it.

52 posts in this topic

  • Original Poster
  • For the most part, you won't get the infection unless you open an attachment in a malicious e-mail or inadvertently download something nasty from the web. But better safe than sorry, although for the most part the issue has been stopped already from spreading. However, now the exploit is in the wild, that won't stop others trying to use it, so patching is the only safe answer.


    I think this is the time to implement a revision backup system. Some people (due to storage prices) just copy a backup (not incremental) to an external drive to ensure they aren't infected by ransomware. But if the drive is corrupted by ransomware, those people can't restore the data. Is there a 'Git-like' backup system that is free for all platforms and doesn't decrease the space drastically?

    By the way, the name is WannaCrypt/WannaCry. Some counters in some hospital in Indonesia had this malware. The counters are showing errors. I don't know whether the counters have sensitive data or not.

    The attack targeted 99 countries including the US and Indonesia. However, some IPs have been 'taken down' by the malware itself. But the data is still encrypted and (possibly) stolen by the creator if the victim doesn't pay.

  • Original Poster
  • 6 minutes ago, Chief ZDN said:

    I think, this is a time to implement revision backup system.

    How do you do this for TBs of data without cost? Backups are expensive for most people, not to mention the technical ability to do so is not so widely understood.

    The simple solution for the average person is to have a fully patched and up to date system, then the issue couldn't have caused you harm.

    Just now, rsc204 said:

    How do you do this for TBs of data without cost? Backups are expensive for most people, not to mention the technical ability to do so is not so widely understood.

    The simple solution for the average person is to have a fully patched and up to date system, then the issue couldn't have caused you harm.

    Read my second sentence. There is an explanation of the backup problem there.

  • Original Poster
  • I can talk you through the various levels of backup redundancy if you want me to bore you... the fact is that for the average person, there is no simple/cheap (i.e. free) way to do this well. Most people don't even have a backup at all. People use technology, few wish to understand it.


    The simplest way to back up is only 100 dollars (50 for 1TB and another 50 for a USB 3.1 to SATA adapter) and just copy everything over. The first backup will potentially take hours, but after that, once a week for only new/updated files will go quickly. Now I do go a bit more in depth in that I also use a RAID 1 array and a TPM module.

    And for emails - I have my own domain. I have all attachments go to their own unmonitored and weekly-emptied email address unless they have a particular key in the email header. Got tired of the spam with all the malware attachments.

    And I delay, delay, delay all Windows updates till I know they are safe. Otherwise, if you're not a techie, by all means update and backup frequently.


    @rsc204 and others: I'm the worst with computers, so I want to make sure everything is cool. I have Windows 10 and have accepted all updates since I got my laptop about a year ago. Is it likely that I have this 'patch' you're speaking about? How can I tell/where do I check on my computer? Any input would be helpful. Thank you.
    Sincerely,
    A Computer Dummy

  • Original Poster
  • 2 hours ago, redfox85 said:

    And I delay, delay, delay all Windows updates till I know they are safe. Otherwise, if you're not a techie, by all means update and backup frequently.

    But, that's actually really bad for you. Because in the meantime, your PC is vulnerable to everything you've failed to patch.

    Yes, MS really did a number on updates for Win7 / 8 users and tanked people's trust in the process. It is a lot more work to weed out the security patches from those that might allow MS to do things you dislike. But if you don't patch vulnerabilities, it's the equivalent of not locking your house. If you really know what you are doing and have backups, you might be fine. But it really comes down to what you stand to lose against the insurance of protection from threats. For the average user, patching is the only smart choice.

    51 minutes ago, Brooklyn81 said:

    I have Windows 10 and have accepted all updates since I got my laptop about a year ago. Is it likely that I have this 'patch' you're speaking about?

    Windows 10 is unique in that control of patches is no longer in your hands as a user. They are applied automatically, whether you like it or not. As such, you can safely assume you are protected from this issue.

    Posted (edited)
    11 hours ago, rsc204 said:

    That's a very helpful link. It was a very slow download with a lot of windows to open. But I was able to patch my 8.1 win. I feel a little better and a little less paranoid. But just a little. I made copies of what I think are important files including the whole Windows folder to an exterior hard disk, disconnected it and shelved it. Hope that's enough security.

    And I just heard on the radio that if NSA had warned people right from the beginning, we wouldn't be where we are at now.

    BTW, there are patches for Win XP -and other OS- and in different flavors in the same link you gave.

    EDIT (later in the day): In spite of their efforts, it looks like the different WIN XP updates are in English only. Mine is French. No good. Tried them all. No good.

    Then WIN 8.1: got an "unable to install... blah, blah, blah" and bummed out of it too. I'm back to freaking out a little more and becoming a little more paranoid too.

    Over 200,000 major computers infected as of this hour. Whew!

    Edited by huzman: update


    I think this is a very serious theme (thread) that requires everyone's cooperation. On my latest update, here's what's happening:

    XP3: have to wait for French versions. Not good.
    WIN 8.1: I have a good bunch of patches, at least 6 of them. When I launch them, the comp gets hung up with "checking for updates on this computer" (my translation), but it keeps on checking for hours with no results. I can't even end the process with "cancel". Have to go to the Task Manager to stop the process. I mean, hours? Not good either. Has anyone done those patches? What were your results?


    To further understand the causes behind the massive attack and why firewall failures

    Double Pulsar

    Widespread attacks all over the world

    note: Geographical target distribution telemetry

    We live in strange times...

    MS17-018  March 14, 2017 ??? not alerted

    out of control

    Microsoft Releases XP Patch for WannaCry Ransomware

    Is this the price for upgrades ?? Not for me ..

    NC.

  • Original Poster
  • 2 hours ago, NCGAIO said:

    To further understand the causes behind the massive attack and why firewall failures

    It's not a firewall failure. The ports are open by default, if your firewall failed it's because you didn't configure it to block them. It's like moaning your alarm system failed when you simply didn't turn it on in the first place. Granted, most users wouldn't have known it was necessary to block it and perhaps it should not have been on by default. That said, were it not for the buffer overflow issue, it wouldn't be a problem either.

    2 hours ago, NCGAIO said:

    Is this the price for upgrades ?? Not for me ..

    What exactly do you mean? The flaw was well publicised in March as an issue in SMB v1. You don't need the patch to disable that, just a properly configured firewall or manual deactivation of this feature of Windows. Some of those who ran into problems clearly weren't being managed properly by the sysadmins against known threats.

    But specifically in relation to the patch/upgrade, what is the price you mention? There is no drawback detailed in your argument or links, yet you seem to suggest people might not want to patch their machines for some reason? That's illogical, why wouldn't you patch this? Perhaps you like it when your computer stops working and is infected with malware?

    All the patch does is what most people wouldn't know how to do manually, which is disable a file-sharing protocol with a flaw in it. One that's hideously out of date and not even used by most home users anyway. The average user has nothing to fear from installing this fix.

    4 hours ago, huzman said:

    but it keeps on checking for hours with no results. I can't even end the process with "cancel". Have to go to the Task Manager to stop the process. I mean hours ? not good either.

    Wouldn't surprise me if the servers at MS are overloaded right now. It'll calm down in a few days, but the link I gave should allow you to manually download and patch the issue for now. I did notice this after installing the patch on my XP machines as well, but Windows Update has had this flaw for a long time. You might find this information helpful.

    17 hours ago, rsc204 said:

    But, that's actually really bad for you. Because in the meantime, your PC is vulnerable to everything you've failed to patch.

    Yes, MS really did a number on updates for Win7 / 8 users and tanked people's trust in the process. It is a lot more work to weed out the security patches from those that might allow MS to do things you dislike. But if you don't patch vulnerabilities, it's the equivalent of not locking your house. If you really know what you are doing and have backups, you might be fine. But it really comes down to what you stand to lose against the insurance of protection from threats. For the average user, patching is the only smart choice.

    Windows 10 is unique in that control of patches is no longer in your hands as a user. They are applied automatically, whether you like it or not. As such, you can safely assume you are protected from this issue.

    Ah, but some Windows 10 patches have caused massive headaches to users. Plus, when you are like me and use max security on a PC, it's extremely unlikely for anything to get through.


    Thanks for the patch! I will save it to a USB or CD to install on someone's PC who is still using outdated Windows XP right now. Plus.... I HATE RANSOMWARE!!!!


    Last year, the company I worked for had this happen to them.  I came in one morning and saw my boss's computer with a black screen and a bunch of text from some dude named Drake asking for $1000 in bitcoins  for a password that would give him back access to his newly-encrypted computer.  I remember laughing to myself thinking, "better him than me!"  ...and then I saw my computer.  And our coworkers' computers.  Every last computer on our network was blocked by this ransomware and we were almost completely frozen for the whole day.  In a manufacturing plant where even the machines are hooked up to the network this was seriously bad news.  Management did end up having to pay the ransom to get the password (which did work) for a thousand bucks in bitcoins, but at a loss of nearly an entire day's worth of production.  I was working 12 hour days for more than a week as we tried to play catch-up to the damage those bastards caused.  I wish there was a way to catch the people responsible for this sort of thing, but they seem to be able to get away with it with ease...


    Thanks for posting the reminder.

    I also came across the following article, featuring a nice summary & breakdown of the steps to protect against the flaw:

    https://www.askwoody.com/2017/how-to-make-sure-you-wont-get-hit-by-wannacrywannacrypt/


    The fact that Microsoft has patched an almost 16 year old operating system in Windows XP, 3 years past its EOL, just shows the scale and seriousness of the threat. The big issue is the ease with which the worm can spread and cripple all machines on a network.

    Please everyone, don't take the risks. Take the precautions, make backups and keep one step ahead of this pure evil. Because by using common sense, installing patches, and always being aware of how you use the internet, the chances of falling victim to these traps can be greatly reduced.


    AskWoody is a wonderfully useful blog now that Windows automatic updating has become woefully unpredictable and even outright perilous. It had reported warnings almost a month ago on the need to get up to date with the proper security patches, particularly the MS17-010 batch released in March, in anticipation of this particular outbreak.
    6 hours ago, rsc204 said:

    manually download and patch...

    That's how I'm doing it. I downloaded everything I could from the link in your first post. I have 6 files for WIN 8.1. Haven't been able to install anything as a "Searching for updates in this computer" goes on and on, for several hours.

    Maybe it's time for this remark: Why is this site not secured?

  • Original Poster
  • 6 hours ago, redfox85 said:

    Ah, but some Windows 10 patches have caused massive headaches to users. Plus, when you are like me and use max security on a PC, it's extremely unlikely for anything to get through.

    I do appreciate that updates don't always work the way they are supposed to. But a failed update is usually recoverable (roll back), it's a minor annoyance. Whereas a problem like the one outlined here is catastrophic by comparison.

    It's like the way medicine works, there are always side effects to them, but most people are better off as a result of using such cures. Even if in a small percentage of people end up worse off, overall it's the best course of action for the largest number of people.

    If you choose not to update, that's your business, but know you are vulnerable to some nasty things floating around as a result.

    28 minutes ago, huzman said:

    Maybe it's time for this remark: Why is this site not secured?

    Because changing that isn't within the control of the site, I suspect. When the people developing the software secure the site with HTTPS, then it will be.

    You have to understand what "Not Secured" means in this context though. It doesn't mean you are in danger, because aside from anything else, we don't keep sensitive information. So even if someone managed to see your Username and Password, they aren't getting into your bank account, finding your address or other sensitive information. The real risk comes from using the same logon/password over multiple sites, which might make this data more valuable to miscreants. But you really should not be doing that, it's against all common sense security advice.

    Firefox and Google are trying to force this change, by informing users for every site, to bring the issue to light. But this is based on presenting users with a problem that many of them don't really understand. Yes it would make the internet slightly safer and is a good idea. But it's not anything like as important here as some sites. CB already explained things in more detail, see here for that information:

    15 minutes ago, rsc204 said:

    The real risk comes from using the same logon/password over multiple sites

    Yes, that is common sense alright. Your answer to my question has brought me a little peace, but just a little. Thanks.
  • Original Poster
  • That's why the browser companies are trying to force the change. Because people do re-use logons/passwords and so securing the sites is another way to protect people from themselves. But changing software costs money, so it's a form of bullying sites to do what they think is best, by making users worried. Some will simply stop using sites, assuming it's somehow dangerous, forcing sites to comply, even when it's not really necessary.

    The real solution is providing a decent one-logon for all the web for users. Sadly no such thing has ever really taken off or worked. But it's almost inevitable that most users have problems remembering possibly hundreds or more different logons/passwords and keeping them secure.


    This is a wake-up call that civil structures critical to life support should not be using consumer electronics and software and should not be connected to the public network, and persons involved in initiating attacks which impact any critical life support system must be prosecuted by law as severe dangerous offenders.

    4 hours ago, rsc204 said:

    I do appreciate that updates don't always work the way they are supposed to. But a failed update is usually recoverable (roll back), it's a minor annoyance. Whereas a problem like the one outlined here is catastrophic by comparison.

    It's like the way medicine works, there are always side effects to them, but most people are better off as a result of using such cures. Even if in a small percentage of people end up worse off, overall it's the best course of action for the largest number of people.

    If you choose not to update, that's your business, but know you are vulnerable to some nasty things floating around as a result.

    Because changing that isn't within the control of the site, I suspect. When the people developing the software secure the site with HTTPS, then it will be.

    You have to understand what "Not Secured" means in this context though. It doesn't mean you are in danger, because aside from anything else, we don't keep sensitive information. So even if someone managed to see your Username and Password, they aren't getting into your bank account, finding your address or other sensitive information. The real risk comes from using the same logon/password over multiple sites, which might make this data more valuable to miscreants. But you really should not be doing that, it's against all common sense security advice.

    Firefox and Google are trying to force this change, by informing users for every site, to bring the issue to light. But this is based on presenting users with a problem that many of them don't really understand. Yes it would make the internet slightly safer and is a good idea. But it's not anything like as important here as some sites. CB already explained things in more detail, see here for that information:

    Do you know Let's Encrypt? They are providing us with FREE certificates! I'm not their staff/sponsor. I just support their action. The certificate is free, but with a short lifetime (I think about 3 months; it can be auto-renewed with a script). Based on research (you can find it on Google), an HTTPS website is immune from any eavesdropping. HTTPS also provides protection from path censorship (usually, websites are censored by IP/domain name, but in some countries, websites are censored partially). I think IPS has an option to enable HTTPS. If you still see the HTTP version of the site even after you've installed the cert, you must redirect it by configuring .htaccess or nginx settings.

    Back to the topic, the IPS cloud hosting (that is used to host this site) should be safe because they aren't running Windows (Win licenses aren't cheap). If their hosting is compromised, they'll restore the last good backup. They'll fix the problem shortly.

    Thanks.
    On 15/05/2017 at 0:06 AM, rsc204 said:

    It's not a firewall failure. The ports are open by default, if your firewall failed it's because you didn't configure it to block them. It's like moaning your alarm system failed when you simply didn't turn it on in the first place. Granted, most users wouldn't have known it was necessary to block it and perhaps it should not have been on by default. That said, were it not for the buffer overflow issue, ?????  it wouldn't be a problem either. ......

    Oh my god ... all these years and we understand everything wrong ... well, from now on we will consult you whenever we need to configure Firewalls OK!*:thumb:

    Note: Did you read it? ...  if yes (it seems so because it now remembered to quote SMBv1) then it must have escaped something that you did not understand about the uselessness referred to as breaking.

    A little bit to update today (Compare with previous post)

    Quote

     GReAT, 15 May 2017, 5:06 pm

    How did it all start? Was there an e-mail attack vector? Phishing link?

    To date, we could not find an e-mail attack vector for Wannacry. We are still investigating leads that suggest compromised sites were used to target some customers. So far, we can confirm that our users are getting attacked using an implementation of the famous EternalBlue exploit leaked by the Shadowbrokers in April. The exploit installs the DoublePulsar backdoor, which is further leveraged to infect a system. Even if the EternalBlue exploit fails in the first place, the attack code still tries to leverage the DoublePulsar backdoor which might have been installed in a previous attack.

    Perhaps the main reason why Wannacry was so successful is the fact that the EternalBlue exploit works over the Internet without requiring any user interaction. It works on top of TCP port 445. Last week, our internet facing sensors registered an uptick in port 445 connections on Thursday May 11th, one day before the major outbreak noted on Friday. This means it’s possible the worm was released on Thursday, possibly even late Wednesday evening. The uptick in Port 445 traffic is also confirmed by the SANS DShield project’s graphics.

    Another interesting passage

    Quote

    Why did the attackers add a killswitch in the first place?

    This is a very good question. Some possible explanations:

    - They were afraid the attack might get out of control and wanted a way to stop the propagation  ......

    source: https://securelist.com/blog/research/78411/wannacry-faq-what-you-need-to-know-today/

    The reason for posting and clarifying is that ransomware attacks are not new stuff and also use assets for security imposed by the OS that begin in "Windows Vista" (data encryption for XP is an example of a not-warned update), even for a simple basic user

    https://www.microsoft.com/security/portal/mmpc/shared/ransomware.aspx

    a look into the ransomware ecosystem

    A service from Windows 10 frees from the need for specific hardware and opens several ports for malicious purposes.

    IMO - No update should be automatic, and if necessary it should be announced with clarification and be optional, exactly as it was before, as everyone should remember. Our opinion and also that of hundreds of satisfied clients (some with sad memories of KB2823324 and also users of Dell, Samsung, etc ...)

    NC
  • Original Poster

  • First result on Google for "Wannacrypt Buffer Overflow"... [link]

    The flaw in Windows that allows the software to wreak havoc is a Buffer Overflow. This has all been public knowledge since March when the flaw was first exposed. Seriously, why do I always have to fight with you before you'll accept facts?

    Quote
    • An exploit for MS17-010 written in Python with example shellcode. This is based on the Eternalblue tool stolen from the NSA, and was developed by infosec biz RiskSense. It reveals that the SMB server bug is the result of a buffer overflow in Microsoft's code. A 32-bit length is subtracted into a 16-bit length, allowing an attacker to inject more data than they should into the networking service and ultimately hijacking the system. Disabling SMBv1 disables the bug, and is recommended in any case. You should also firewall off SMB ports 139 and 445 from the outside world, and restrict access to the service where possible on internal networks.

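A way to check the three things rsc204's posts describe (MS17-010 installed, SMBv1 turned off, inbound TCP 139/445 blocked) on a Windows 8.1 or 10 machine, as an added example that is not from the thread or any post in it. It assumes an elevated PowerShell session; the KB id is a placeholder because the MS17-010 KB number differs per Windows version, and `$ruleName` is a name chosen here.

```powershell
# Added example, not from the thread: report the state of the three WannaCry
# mitigations the thread discusses and apply the two that need no reboot.
# Run as Administrator on Windows 8.1 / 10.

# Placeholder: look up the MS17-010 KB id for your exact Windows version.
$ms17010Kb = 'KB-PLACEHOLDER'

# 1. Is the MS17-010 update installed?
$hotfix = Get-HotFix -Id $ms17010Kb -ErrorAction SilentlyContinue
if ($hotfix) {
    "MS17-010 ($ms17010Kb): installed on $($hotfix.InstalledOn)"
} else {
    "MS17-010 ($ms17010Kb): NOT found - install it, or at least apply the mitigations below"
}

# 2. Is the SMBv1 server still enabled? (the protocol the flaw lives in)
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    "SMBv1 server: ENABLED - disabling it now"
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    "SMBv1 server: disabled"
}

# 3. Is inbound SMB (TCP 139 and 445) blocked on the Public firewall profile?
$ruleName = 'Block inbound SMB (TCP 139,445)'   # name chosen for this example
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 139,445 -Action Block -Profile Public | Out-Null
    "Firewall: created rule '$ruleName' for the Public profile"
} else {
    "Firewall: rule '$ruleName' already present"
}
```

The firewall rule covers only the Public profile; add `Private` to `-Profile` if you do not share files on your home LAN, since blocking 445 there stops Windows file sharing.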
