
Hackers Used Nasty "SMB Worm" Attack Toolkit Against Sony

wiredmikey writes: Just hours after the FBI and President Obama called out North Korea as being responsible for the destructive cyber attack against Sony Pictures, US-CERT issued an alert describing the primary malware used by the attackers, along with indicators of compromise. While not mentioning Sony by name in its advisory, instead referring to the victim as a "major entertainment company," US-CERT said that the attackers used a Server Message Block (SMB) Worm Tool to conduct the attacks. According to the advisory, the SMB Worm Tool is equipped with five components, including a Listening Implant, Lightweight Backdoor, Proxy Tool, Destructive Hard Drive Tool, and Destructive Target Cleaning Tool. US-CERT also provided a list of the Indicators of Compromise (IOCs), which include C2 IP addresses, Snort signatures for the various components, host-based indicators, potential YARA signatures to detect malware binaries on host machines, and recommended security practices and tactical mitigations.
  • by tepples ( 727027 ) <tepplesNO@SPAMgmail.com> on Saturday December 20, 2014 @12:58AM (#48639949) Homepage Journal

    How often do you see Server Message Block spelled out in news stories? I guess someone really wanted to avoid implying that Sony Computer Entertainment's rival Nintendo might be behind the attack.

    • by sholden ( 12227 )

      US-CERT does and so when an article is just copy-n-pasted from the cert notice the article does too.

    • Hacking activities are happening around us, from companies managing parking garages to Sony to Staples to whatnots ...

      I've read Schneier's article, which in essence tells us that there is no foolproof way to prevent hacking attempts

      I do reckon that "foolproof" in the IT field is nothing short of fairy tales, but still, I do think there ought to be ways, online and offline, that we can do, to at least cut down, to minimize, our companies' exposure to the (oft state-sponsored) hacking groups

      Any link (or lin

      • by raymorris ( 2726007 ) on Saturday December 20, 2014 @01:49AM (#48640139) Journal

        Threatpost.com is a good source to stay on top of the latest news and threats. There is new stuff posted several times per week, so staying on top of it takes at least a couple of hours per week.

        You can get pretty darn good security at a very reasonable cost, but I can't fit much useful info in a Slashdot post. I read a 586 page book just on securing Apache - there's a ton of information to know and concepts to understand. For a business, especially a web-based business, it probably makes the most sense to hire in the right professional to spend a few hours with you, going over your processes and systems. I've been doing web security for 17 years; before that I did physical security and I'm still learning, so there's just a lot to know.

        Maybe the most important principle is to get rid of what isn't needed. Turn off unneeded services on computers, don't store credit card numbers if you don't absolutely have to, don't have multiple copies of sensitive data on different systems. I can't hack what isn't there.

        If you consult with a professional, be prepared to alter some of your processes to alternatives that are approximately just as easy to use, but different. Sftp is as easy to use as ftp, so don't let "we've always done it this way" be an excuse to not improve your processes. A FEW changes may be much less convenient, but necessary. That is to say, your professional may say once or twice "yes, this way is more time consuming, but it really is necessary for security". Be prepared for that, but also expect your professional to work with you to find ways to make security relatively painless most of the time. It'll likely follow strict, but painless, rules if done properly.

        Security is mostly about process, not products, and much of the best security software is open source, so the right professional won't be selling you stuff, just spending some time to find what you need and get it set up for you, then help your IT understand a bit and know where to find documentation.

        The right professional will also be able to explain the purpose of any recommendations in a way that you can fully understand. "Because security" is not a valid answer and is most frequently used by people who don't understand the "security" measures they are improperly applying, often in a way that weakens your system rather than strengthens it. It might seem strange to emphasize this, but I've seen a LOT of sysadmins severely damage system security by trying to strengthen it but not really understanding what they're doing. In almost all cases, the people doing crap "security" couldn't explain in detail why they did what they did, and became annoyed when asked to explain in detail. It's a good way to distinguish the few who know their stuff from the vast majority, who don't actually know what they're doing.

        • by Going_Digital ( 1485615 ) on Saturday December 20, 2014 @07:52AM (#48640827)
          The state of corporate IT can be shocking. When I took over the IT at the UK branch of an international technology company I couldn't believe what I saw. Regular office staff had file sharing switched on individual PCs, Software developers had systems operated as root or administrator. People routinely downloaded whatever they wanted and installed it on their computers.

          The first thing I did was make sure that no computer had any file sharing or any other services running on it, instead users would have to share files by placing them on a properly managed server and printers had their own dedicated print server box or were replaced with network printers. All the PCs then had local firewalls enabled to effectively make sure that there were no open ports on them even if some errant software got installed.

          All users were given regular user accounts, no admin access granted. Some users that were doing things like software testing who had to constantly install software were given admin access to a virtual machine so they could do all their testing on that VM.

          It was decided that the offices around the world would be linked up so that direct access to the network could be obtained all over the world. Now every office just plugged their new router into the LAN and gave full access to everything. I however installed a firewall on the new WAN link that restricted remote offices to accessing only 2 servers on our network and only on specific ports to access the services that we wanted to provide access to.

          I was so pleased I did all this as one day the WAN link seemed to be going slow, so I broke out the network monitor to see what was going on to find thousands of connection attempts coming from all of our international offices. As it turns out one of the US PCs had got infected with a worm and it was spreading over the whole global network. I could smugly say that apart from the slow WAN performance we were not affected at all. Our offices ran as normal while the rest of the company lost days of productivity trying to clear up the mess. It was at that point that finally the company started to listen to my calls for better security.

          • by turbidostato ( 878842 ) on Saturday December 20, 2014 @08:16AM (#48640853)

            "The state of corporate IT can be shocking. When I took over the IT at the UK branch of an international technology company I couldn't believe what I saw. Regular office staff had file sharing switched on individual PCs, Software developers had systems operated as root or administrator. People routinely downloaded whatever they wanted and installed it on their computers.
            The first thing I did was make sure that no computer had any file sharing or any other services running on it"

            You were doing it wrong, then, and probably the company employees hate you.

            The first thing you should have done is to understand why computers/LANs were configured that way. I can't count the times I've seen security just going all over the place closing this and that without providing working alternatives to the function the user was achieving that way, just to put productivity to a grinding halt.

            People don't go out of their way to share their hard disks or to install this or that simply because they have nothing better to do but because they need to do something and do it that way because they don't know anything better.

            Corporate security is more about providing secure ways to do what it's needed to be done (as defined by the end user, not the top brass) and less about tying users' hands but very short numbers of "IT security people" seem to understand that.

            • They were sharing their drives because they knew no better, it is what they did at home. Not only did this mean they were causing security issues, they were also risking losing their files as they were not backed up. Providing a central server where their files were kept meant they were on a RAID array so they were always available and were backed up to tape every day. It also meant that when their PC let out the magic smoke or was being replaced with a newer model they could continue to work and access thei
              • "They were sharing their drives because they knew no better"

                No, they were sharing their drives because they knew no better *and* they still find cases when sharing files is useful for their work.

                "Providing a central server..."

                Blah, blah, blah... you still didn't address the main point: *Why* users shared their local drives instead of using the central server (or ask for administrative privileges on their computers, or you find they are using something like dropbox, etc.). I've more than 20 years in this in

                • Blah, blah, blah... you still didn't address the main point: *Why* users shared their local drives instead of using the central server (or ask for administrative privileges on their computers, or you find they are using something like dropbox, etc.). I've more than 20 years in this industry and every single time I've seen an environment like that has been because of incompetent IT.

                  Some folk think that having to log in or run as anything but administrator, or have any restrictions on their activity at all is killing their productivity. They want Thumb drives, they want dropbox, they want to set up their own email server on their machine. They want to have an open ftp on their machine

                  Perhaps in your 20 years of experience, you have found a way to allow people to do whatever they want, while providing proper security? You should write a book.

                • by Jawnn ( 445279 )

                  ...every single time I've seen an environment like that has been because of incompetent IT.

                  That might be said in this case, but GP is not to blame for the fact that there was no policy spelling out the proper way to do things. If such a policy had been in place, users would not have been able to "solve problems" by creating file shares on their own PCs. His predecessors neglected their responsibility and allowed a mess to be made. GP came in, found the mess, cleaned it up, and provided a useful alternative to the insane "solution" the users were allowed to create.

                  • "His predecessors neglected their responsibility and allowed a mess to be made. GP came in, found the mess, cleaned it up, and provided a useful alternative"

                    Back to square one. From his own words, first he did was "...make sure that no computer had any file sharing or any other services running on it", which is what I blamed him for.

                    First you do is understand the situation, not closing useful services. Once you understand the situation you go and close unsecure services *once* you are in the position to o

            • You were doing it wrong, then, and probably the company employees hate you.

              The first thing you should have done is understanding why computers/lans were configured that way.

              Yes, it's true that unprotected sex with strangers without a condom feels better, but that doesn't mean you can protect them from STD's or pregnancy without them changing any of their habits.

              Same goes for computer users. Folks who look at productivity as not having to log in, or if you make them, want to use a password of "Password1", or their child's name or just the really quick to log in 1234567, or set up a dropbox, or really want to use thumbdrives, because "it's so quick and convenient, and those ni

              • "Folks who look at productivity as not having to log in"

                I'll take this as an example. In my not so short experience, people usually have no problem logging in; people do have a problem having to log in half a dozen times to different systems within the same company, when they already provided their credentials to their computers at the beginning of their work day. And they do have a problem with having to change their passwords every 30 days in crazy ways on those half a dozen different systems.

                To follow on

          • by Rinikusu ( 28164 )

            You can take my root/admin access from my cold, dead Model M wielding hands.

            -Software dev

      • Hacking activities are happening around us, from companies managing parking garages to Sony to Staples to whatnots ...

        I've read Schneier's article, which in essence tells us that there is no foolproof way to prevent hacking attempts

        I do reckon that "foolproof" in the IT field is nothing short of fairy tales, but still, I do think there ought to be ways, online and offline, that we can do, to at least cut down, to minimize, our companies' exposure to the (oft state-sponsored) hacking groups

        Any link (or links), suggestion, recommendation, whatever, that you guys (and gals) can share?

        Thanks !

        Is there any protection against SMB worm ?

        I've always considered SMB to be a steaming pile of crap for reasons that have nothing to do with security and this incident just adds another steaming shovel full of manure to that pile. The best protection against SMB worms is not to use crap like SMB but pick something more secure instead, that is to say if such an animal even exists. In that case you can either try to find a vendor who offers a similar product and does a better job of testing and patching it than Microsoft does or go with an Open Source

    • by antdude ( 79039 )

      I was thinking of Samba like smb://. :D

  • Supreme Leader (Score:5, Insightful)

    by Dorianny ( 1847922 ) on Saturday December 20, 2014 @01:07AM (#48639991) Journal
    What I really want to know is how did the FBI figure out it was the work of North Korean government agents. Except for a privileged few, North Koreans are completely blocked off from the outside world and would never hear of this movie even if it won more Oscars than the Titanic. Why would North Korea reveal its capabilities and tactics in such dramatic fashion to achieve nothing of any value. It seems to me that all the speculation that was in the news recently about Kim's disappearance from public life and his possible overthrow was far more damaging to the cult of the Supreme Leader than some silly comedy.
    • Re:Supreme Leader (Score:4, Insightful)

      by whoever57 ( 658626 ) on Saturday December 20, 2014 @01:25AM (#48640067) Journal

      What I really want to know is how did the FBI figure out it was the work of North Korean government agents.

      "Never let a good crisis go to waste". They don't seriously think it was North Korea. Instead, there is an ulterior motive for blaming North Korea.

      • Instead, there is an ulterior motive for blaming North Korea

        I never thought I would want to see people being imprisoned in Gitmo, but for that square-head fatso, hey, that's one helluva perfect permanent resident tailor made for Gitmo

      • They don't seriously think it was North Korea. Instead, there is an ulterior motive for blaming North Korea.

        I'm totally receptive to the idea that it's not North Korea, but I gotta insist that any "skeptic" provide an alternative positive explanation.

        I mean, like, what exactly makes you think "they don't seriously think it was North Korea"?

        • by GNious ( 953874 )

          Uh, I have one!

          The US Government have found out that The Interview is also making fun of it, and of NSA/FBI/CSI, and ordered the cyber-attack as a cover-up for threatening Sony bosses to withdraw the movie.
          Afterwards, they blamed the attack on North Korea, in a move that is oddly reminiscent of the humor used in The Interview.

          no?

        • I mean, like, what exactly makes you think "they don't seriously think it was North Korea"?

          Silly boy, because everyone knows it's the "Best Korea".

        • by HiThere ( 15173 )

          Sorry, but why am I expected to have the information to provide an explanation? I'm skeptical about what the government says because they have been shown to lie about as often as to tell the truth. Probably more often in publicized statements, but often you can't tell. This doesn't point at anyone else in particular. There are several plausible candidates. Somebody who's mad about how Pirate Bay has been treated is plausible. So is the Russian Mafia. North Korea's name is in the hat, but until there'

      • Personally, I think this is actually a conspiracy by the North Koreans to make us think the Americans did it. You see, the North Koreans hatched a scheme to do something that looks like a scheme that the Americans would cook up just so they could blame it on the North Koreans. At least that's what I come up with when I shave it with Occam's Razor.

        Don't feel bad for falling for it, though - the North Koreans are exceedingly cunning and circumlocutious.

      • If you're right they blew it. They should have blamed Russia and added more pressure. As it happens I don't think they're just making stuff up.

      • Why in fuck would you take a highly visible attack with serious consequences to an international business homed outside this country, and blame the wrong people?

        Other than conspiracy retards, I can't think of any reason why you would want to piss them off like that. I pride myself on arguing any side of any argument, but I can't see any reason other than "illuminati have their reasons" horseshit.

        I don't even care about facts on this one, I just want to know what this serves that we couldn't otherwise accomp

    • Ah, but the real comedy is the reaction to the threats. Worth every penny. And now that we know these kind of threats actually work, we should see some regular old extortion and blackmail pretty soon. Sounds like a real money maker, better than real estate.

    • Re:Supreme Leader (Score:5, Interesting)

      by Frosty Piss ( 770223 ) * on Saturday December 20, 2014 @01:41AM (#48640119)

      Why would North Korea reveal its capabilities and tactics in such dramatic fashion to achieve nothing of any value.

      Because they are obsessed with the "respect" to their Dear Leader. It is a cult obsession with these people, don't try to read logic into it. Think "Scientologists".

    • by dwywit ( 1109409 )

      They built a GUI using visual basic and tracked the hackers' IP address.

      • by genner ( 694963 )

        They built a GUI using visual basic and tracked the hackers' IP address.

        It's a Unix system, I know this

    • by Dahamma ( 304068 )

      Except for a privileged few, North Koreans are completely blocked off from the outside world

      Umm, I think you answered that question already. You don't think North Korea's cyberterrorism military unit just might be part of those "privileged few"?

      Why would North Korea reveal its capabilities and tactics in such dramatic fashion to achieve nothing of any value

      Maybe because their Supreme Leader is a total loon? This is the same guy who has among hundreds of other insane actions decreed that anyone with his name needed to change it immediately. He lives for drama and vanity and wants his citizens to think of him as a demigod. He's a fucking international drama queen of the highest level...

    • Re:Supreme Leader (Score:5, Insightful)

      by X.25 ( 255792 ) on Saturday December 20, 2014 @02:15AM (#48640187)

      What I really want to know is how did the FBI figure out it was the work of North Korean government agents. Except for a privileged few, North Koreans are completely blocked off from the outside world and would never hear of this movie even if it won more Oscars than the Titanic. Why would North Korea reveal its capabilities and tactics in such dramatic fashion to achieve nothing of any value. It seems to me that all the speculation that was in the news recently about Kim's disappearance from public life and his possible overthrow was far more damaging to the cult of the Supreme Leader than some silly comedy.

      Ssssssssssshhhhhhhhhh. You're asking questions, you shouldn't do that.

      Just trust the government.

      • Re: (Score:2, Insightful)

        by rockout ( 1039072 )

        No, ask all the questions you want. Just realize, when you assure people that it "must" be a ruse to provide an excuse to attack North Korea, you sound as loony as the NK leadership.

        I'm not saying NK definitely did plan a cyberattack against Sony; it's an open question at this point. But when you smugly assert that you know it's our own government, with your only proof being your own paranoid crazy logic, you're really not advancing the conversation any.

    • It seems to me that all the speculation that was in the news recently about Kim's disappearance from public life and his possible overthrow was far more damaging to the cult of the Supreme Leader than some silly comedy.

      With thinking like that, clearly you don't have what it takes to make it in the Dictator business.

      BTW, has anybody seen Chaplin's "The Great Dictator"? It's truly a masterpiece. Then again, Seth Rogen ain't no Chaplin... Of course, I haven't seen "The Interview", but it flunks what I call "The Trailer Test." Typically, they put the highlights of a movie in the trailer, so if the trailer isn't funny/interesting/appealing, there isn't much hope for the rest of the movie. And so it is with "The Interview

      • Exactly, if NK had half a brain, they would realize that Seth Rogen movies are on a pretty steep downward trend. Let it die, and look on with a little smugness, a little pity.

        Also, Umm, Sony? could you do more to be idiots when it comes to security within and without your business groups?
    • by AqD ( 1885732 )

      You'll be sent to NK for questioning the supreme agency FBI of USA.

    • North Korea threatened war with the US over The Interview back in June 2014. Sounded like typical NK bluster back then. "Merciless retaliation" on the US would occur if the movie came out. Source: See: http://www.bbc.com/news/world-... [bbc.com] Sony got hacked over The Interview. What other entity, other than North Korea, would bother to screw with Sony to such an extent unless they were deeply offended? The timing of the attack is not likely a coincidence.
      • If I bought one of their rootkit CDs and infected my system, I could see getting a bit miffed, especially after that idiotic statement of how "Most people, I think, don't even know what a rootkit is, so why should they care about it?" and the "settlement" which essentially said Sony can do whatever they please and don't even get a slap on the wrist.

        You see, when the law fails, vigilantes are not far.

      • There are tons of people out there that could be pissed with Sony in general for any number of reasons, such as publishing their credit card details from PSN 2011 hack or whatever.
        Also, if there is any country that would see Japanese megacorps take hits, it's actually South Korea - their actual economic rival. Or China. If this is more of industrial espionage, corporation scale cyberwar I can think of a couple large ones that might have resources and will to do this - and then implicate the funny NORKs.

    • by Rakarra ( 112805 )

      Except for a privileged few, North Koreans are completely blocked off from the outside world

      Which is a pretty good reason why if a hacking attempt originated in North Korea, it would be state-run or at least state-sponsored.

  • by PhrostyMcByte ( 589271 ) <phrosty@gmail.com> on Saturday December 20, 2014 @01:21AM (#48640049) Homepage

    I haven't seen any evidence that the mechanics of the attack itself are at all noteworthy, yet we keep hearing about how this attack was unstoppable, "nasty", etc. -- not just from Sony's PR guys, but from the FBI. As if it could have targeted literally any company and caused just as unmitigated damage.

    To me, a "nasty" worm is Stuxnet: it spread in a very standard innocuous way and seemed like any other worm, but ended up being highly targeted.

    This Sony hack just seems like your average trojan worm leaking an admin password back to someone. The only noteworthy part of this hack is that Sony had such horrifyingly moronic security practices that one attack was able to compromise such a large and varying corpus of valuable data.

    • I haven't read anything that suggests North Korea would have been successful if Sony switched to using two factor authentication on sensitive devices. Then again, I haven't read anything about Sony hiring NSEs after any of the times they have been ownt. Then again, karma for the root kit and not hiring people that can protect them is two factor in its own way.

    • by Dahamma ( 304068 ) on Saturday December 20, 2014 @02:18AM (#48640191)

      Really? Apparently they quickly took control of almost every one of Sony's servers and workstations. Literally took entire control, stole all of the useful data, wiped out all of their servers, and then owned all of the workstations so that they were useless but able to broadcast any message they wanted to them.

      That's a *bit* more coordinated than "your average trojan worm". Unless you really think based on extremely limited information you know more than all of the security researchers and government investigators looking into it... (hint: sorry, you don't).

      • by TubeSteak ( 669689 ) on Saturday December 20, 2014 @03:41AM (#48640391) Journal

        Really? Apparently they quickly took control of almost every one of Sony's servers and workstations.

        Wired mentions (without giving a source) an interview with a self-proclaimed member of GoP who claims Sony's network was infiltrated for a year.

        I'm not sure what you consider "quickly," but a year is a long time, even while rooting around in a corporate network as large as Sony's.

        • You could take control quickly and hold it for a year. You could infiltrate and hold it for a year, then quickly take control.

          You seem to say that the only reason your GoP source said it that way is that it took a year to execute.

          Reading comprehension and citations; that's how discussion moves forward.

        • by Dahamma ( 304068 )

          Yeah, I had read that, too. By took control I meant literally "took control". They infiltrated it (and there are rumors there was an insider to help with that) but then they activated everything very quickly, without warning, and basically stole data and destroyed the servers before anyone had a chance to do anything.

          My point was the overall attack was way WAY beyond some simple trojan worm getting an admin password...

      • by Bert64 ( 520050 ) <bert@[ ]shdot.fi ... m ['sla' in gap]> on Saturday December 20, 2014 @06:16AM (#48640611) Homepage

        It's common practice to put all of your servers and workstations in an active directory domain, and once you have a tiny foothold on an active directory domain it is almost always trivially easy to get administrative privileges over the whole domain (have been working as a pentester for 10+ years and never failed to get domain admin when the job scope allowed it)...
        Once you have domain admin, you typically have access to pretty much everything. Even if the organisation has devices which aren't linked to active directory (typically unix boxes, routers, switches etc), you will probably find that the guys responsible for managing these devices do so from a windows workstation which is part of the domain, so you just find their workstation and start keylogging (or in many cases just find the textfile full of passwords).
        Also in my experience, very few companies notice once you take control of their domain, and as a legitimate pentester I'm not trying to cover my tracks. The chances of most organisations noticing someone who is being careful are virtually 0.

      • Really? Apparently they quickly took control of almost every one of Sony's servers and workstations. Literally took entire control, stole all of the useful data, wiped out all of their servers, and then owned all of the workstations so that they were useless but able to broadcast any message they wanted to them.

        That's a *bit* more coordinated than "your average trojan worm". Unless you really think based on extremely limited information you know more than all of the security researchers and government investigators looking into it... (hint: sorry, you don't).

        They had access for over a year...
        http://www.businessweek.com/ne... [businessweek.com]

        Sony didn't even have rudimentary security established. Pretty much any teenager with basic skills could have taken them out.

    • Exactly. And the media keeps making out like it could happen to any company. I should seriously hope not. I'd like to think they're not all this stupid.

      • by Bert64 ( 520050 ) <bert@[ ]shdot.fi ... m ['sla' in gap]> on Saturday December 20, 2014 @06:23AM (#48640621) Homepage

        Yes, yes they are...
        Most companies have a horrendously insecure internal network, with virtually everything tied to an active directory domain which is laughably easy to compromise. They follow what they believe are best practices by installing patches every month, using strong passwords, setting account lockouts etc, but because of how the system is designed it only takes one weakness to make everything fall down. And then they will probably spend a lot of money buying "security software" that just makes the systems run far slower, while not fixing any of the underlying weaknesses.

        Most company networks are like a tardis, they use a network firewall to ensure that only a tiny fraction is visible from the outside, but once you get inside it's much bigger. All it takes is for one minor breach in the firewall by someone semi competent and 99% of companies would be looking at a catastrophic breach. If it hasn't happened to your company yet then it's either a) luck, or b) it has happened but the perpetrators have other motives than publicity

        • by kesuki ( 321456 )

          every system has its weaknesses.

          linux is not immune from this either, but all the tools to manually secure a network are built in and some have guides on the internet as how to secure them.

          do you honestly believe a system used to connect 30,000 people is going to be easy to secure? and those people need to do computer tasks and office tasks and make art and special effects etc.

          keep in mind Microsoft claims all its products are 'secure' if you patch them. all the real windows security content i've paged t

        • I've seen big corporate networks that didn't work that way.

          They're not all like that.

    • You are right, and so is the FBI.

      Yes, this was only possible because Sony had such horrifyingly moronic security practices.

      And yes, this could have targeted (nearly) any company and caused just as much unmitigated damage.

    • It was kind of nasty, though, was it not? Muhahahahahaha... *evil laughter*

  • <troll>Ah, Windows... the gift that keeps on giving.</troll>

    Seriously, though... this is pretty ugly. It checks back every five minutes for each machine. You would think that Sony IT would notice that network traffic (or, say, the fact that all of their Windows desktops started listening on port 443). The moral of this story is run an IDS, scan your network, and pay attention to it all! :(
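The "checks back every five minutes" pattern the comment above describes is exactly the kind of thing an IDS or a flow-log review should catch. As an added example (not from the post or from the US-CERT alert), here is a small beacon detector that flags source/destination pairs whose connection gaps are nearly constant; the flow records are constructed and use RFC 5737 documentation addresses, and the interval and jitter thresholds are assumed values.

```python
"""Flag hosts whose outbound connections to one destination recur at a
near-fixed interval (a "check back every N minutes" beacon). The flow log
below is constructed for illustration; nothing here is from US-CERT."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample flow log: "timestamp src dst:port".
# 192.0.2.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges.
SAMPLE_FLOWS = """\
2014-12-20T01:00:03 192.0.2.10 198.51.100.7:443
2014-12-20T01:02:41 192.0.2.11 198.51.100.20:80
2014-12-20T01:05:02 192.0.2.10 198.51.100.7:443
2014-12-20T01:07:15 192.0.2.11 198.51.100.20:80
2014-12-20T01:10:04 192.0.2.10 198.51.100.7:443
2014-12-20T01:15:03 192.0.2.10 198.51.100.7:443
2014-12-20T01:20:03 192.0.2.10 198.51.100.7:443
2014-12-20T01:31:58 192.0.2.11 198.51.100.20:80
"""

def parse_flows(text):
    """Group connection timestamps by (source host, destination:port)."""
    series = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        series[(src, dst)].append(datetime.fromisoformat(ts))
    return series

def find_beacons(text, min_hits=4, max_jitter=0.1):
    """Return (src, dst, mean_gap_seconds) for each pair whose gaps between
    connections are nearly constant: std dev <= max_jitter * mean gap.
    min_hits and max_jitter are assumed tuning values, not from any standard."""
    hits = []
    for (src, dst), times in parse_flows(text).items():
        if len(times) < min_hits:
            continue                      # too few samples to call it periodic
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) <= max_jitter * avg:
            hits.append((src, dst, round(avg)))
    return hits

if __name__ == "__main__":
    for src, dst, gap in find_beacons(SAMPLE_FLOWS):
        print(f"{src} -> {dst} every ~{gap}s: investigate")
```

On the constructed log only the 192.0.2.10 host is reported (roughly 300 seconds apart); the irregular web traffic from 192.0.2.11 is ignored.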

  • I mean OK, you cannot run a Windows system without SMB in a useful way. However, how could this spread? SMB is not a protocol that was designed to work outside of broadcast domains. It does, but you lose some of the features people take for granted.

    I seriously wonder how this could spread, after all you don't just have a large Ethernet domain in your international company. You have smaller domains routed together, and in between you can trivially filter. SMB is one of the first things to go. Since it's hard

    • > It does, but you loose some of the features people take for granted.

      Excuse me, but so what? This is not a "taken for granted" usage of the protocol.

      > I seriously wonder how this could spread, after all you don't just have a large Ethernet domain in your international company.

      Oh, my dear lord. I'm assuming you've never worked in a large environment. _Of course_ they have a single large or several large domains (in the Microsoft Active Directory sense) for unified email authentication, and potentially

      • Just because apparently several companies are stupid and use unsuitable security practices doesn't mean it's not really bad security. I mean we all refuse to do support for people who put their malware-ridden gaming rig into their main LAN, why do companies get away with that?

        • > Just because apparently several companies are stupid and use unsuitable security practices doesn't mean it's not really bad security

          It's more than "several", I'm afraid. It's extremely commonplace. A significant portion of my annual salary comes from helping teach and implement improved security practices. And a large part of that income comes from explaining the trade-offs, time and risk and resources.

          > I mean we all refuse to do support for people who put their malware ridden gaming rig into the

    • by Bert64 ( 520050 )

      SMB is indeed commonly used outside of broadcast domains, hosts can find each other through DNS (or WINS etc.), and happily communicate across Ethernet segments. In many cases most of the servers will be in a different Ethernet segment to the workstations etc.

      SMB will almost never be filtered internally because it's used for domain logons and file sharing, and users will have a need to access files stored on servers in other parts of the company.

      On the other hand, SMB is a terrible protocol... Not only does

  • US-CERT Link (Score:4, Informative)

    by Anonymous Coward on Saturday December 20, 2014 @02:44AM (#48640267)

    Link to the actual US-CERT alert:

    US-CERT TA14-353A [us-cert.gov]

  • Sony? (Score:4, Informative)

    by the_Bionic_lemming ( 446569 ) on Saturday December 20, 2014 @02:57AM (#48640295)

    Is anyone really upset that they got hacked? Has everyone forgotten they sent out compact discs loaded with a backdoor to fight argggh pirates?

    • The problem is that it doesn't just damage the entity "Sony", but also has had a large negative effect for the thousands of workers that have nothing to do with Sony's stupid decisions. Now about the attack itself, I strongly believe that this is a false flag operation. The blocking of the movie is caricaturesque in its purpose, it was certain that it would direct all the attention to North Korea. If you can organize such a high skilled attack you can and will also invest effort in covering your tracks and
    • Not really. After they themselves engaged in infecting paying customers [wikipedia.org] with rootkits (with the difference that whoever attacked them didn't even first give them money...) AND got away with it, I can hardly say I feel sorry.

      The only thing I DO feel sorry about is the insignificant damage.

    • by MrL0G1C ( 867445 )

      I am the only person that thinks that vandalising millions of customers' PS3s is worse (Other OS feature removal).

      • by donaldm ( 919619 )

        I am the only person that thinks that vandalising millions of customers' PS3s is worse (Other OS feature removal).

        Let's be honest here, who really needed that feature? Sure it was nice if you wanted to say "I have got Linux running on my PS3" but there were much better machines you could run Linux on that would work better.

        I actually do have a FAT PS3 (still working) and even though I do like Linux and am writing this in Google Chrome running under Fedora 21, putting Linux on my PS3 was the last thing I was interested in doing, hence I was not worried about removing the feature. In case you are wondering the "Other OS" feat

        • So let me get this straight: Sony advertises that you can install Linux on the PS3, users buy the PS3 and install Linux on it, Sony removes the said advertised feature, and it's the user's fault because other machines are better at running Linux?! Great logic you have there.

          Don't forget that many people installed the update which removed Other OS by accident, or they wouldn't dream that installing an update would purposely remove an advertised feature. I am flabbergasted that you so quickly take Sony's side

          • by Rakarra ( 112805 )

            I'll be frank -- OtherOS sucked. It always sucked. Anyone who actually tried to use it found out it sucked. It had all of one useful ability -- a low-cost number-cruncher, and the usefulness of that was quickly eclipsed by PCs again. In nearly every other application, the console was intentionally crippled because Sony was so scared it could be used to run home-brew games, pirated games, game emulators, or anything else they didn't approve of. It sucked because Sony made it that way.

            Most of us who tried Oth

  • When you are dumb enough to use operating systems insecure by design. And the whole "NK attacked us" seems just to be a political manoeuvre, smoke and mirrors to distract us from the fact Sony is not the best example of corporate governance, has been making huge PR moves, and Windows is worse than Swiss cheese when it comes to security.
  • by Opportunist ( 166417 ) on Saturday December 20, 2014 @05:36AM (#48640549)

    I think it was Thomas Hesse [wikipedia.org], back when Sony distributed Rootkits with their CDs their President of Global Digital Business, who said "Most people, I think, don't even know what a rootkit is, so why should they care about it?" [wikipedia.org].

    Well, Sony? I'm fairly convinced your execs don't have the foggiest clue about malware but ... do you care about it?

  • by Anonymous Coward

    that a country which is malnourished and still suffering from the effects of famine in 1998 has resources to devote to hacking full stop

    • by donaldm ( 919619 )

      that a country which is malnourished and still suffering from the effects of famine in 1998 has resources to devote to hacking full stop

      You have heard of the Feudal System [wikipedia.org]? Well think of an extreme version of one and North Korea comes to mind. Basically in systems like this the peasants are always the ones who suffer; the nobles or those further up the pyramid suffer the least, in fact they can live quite comfortably providing they don't question their supreme ruler.

      These highly educated elites that are trained in IT and cyber warfare are capable of instigating cyber attacks and providing they toe the party line and basically worship th

  • Why couldn't Sony just yank all the Internet connectivity until the machines were fixed?
    • i.e. 'nothing that bad has ever happened before and therefore it's probably not happening to us'

      http://en.wikipedia.org/wiki/N... [wikipedia.org]

      There's another bias where you feel you emotionally can't take any more responsibility and thus just pray that the worst case scenario isn't happening. Not sure it's been studied yet.

  • Why don't we hear anything from the Japanese government? Sony is a Japanese corporation.
