Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Businesses Sony Worms IT

Hackers Used Nasty "SMB Worm" Attack Toolkit Against Sony 177

wiredmikey writes Just hours after the FBI and President Obama called out North Korea as being responsible for the destructive cyber attack against Sony Pictures, US-CERT issued an alert describing the primary malware used by the attackers, along with indicators of compromise. While not mentioning Sony by name in its advisory, instead referring to the victim as a "major entertainment company," US-CERT said that the attackers used a Server Message Block (SMB) Worm Tool to conduct the attacks. According to the advisory, the SMB Worm Tool is equipped with five components, including a Listening Implant, Lightweight Backdoor, Proxy Tool, Destructive Hard Drive Tool, and Destructive Target Cleaning Tool. US-CERT also provided a list of the Indicators of Compromise (IOCs), which include C2 IP addresses, Snort signatures for the various components, host based Indicators, potential YARA signatures to detect malware binaries on host machines, and recommended security practices and tactical mitigations.
This discussion has been archived. No new comments can be posted.

Hackers Used Nasty "SMB Worm" Attack Toolkit Against Sony

Comments Filter:
  • by tepples ( 727027 ) <.tepples. .at. .gmail.com.> on Friday December 19, 2014 @11:58PM (#48639949) Homepage Journal

    How often do you see Server Message Block spelled out in news stories? I guess someone really wanted to avoid implying that Sony Computer Entertainment's rival Nintendo might be behind the attack.

    • by sholden ( 12227 )

      US-CERT does and so when an article is just copy-n-pasted from the cert notice the article does too.

    • Hacking activities are happening around us, from companies managing parking garages to Sony to Staples to whatnots ...

      I've read Schneier's article which in essence telling us that there is no foolproof way to prevent hacking attempt

      I do reckoned that "foolproof" in the IT field is nothing short of fairy tales, but still, I do think there ought to be ways, online and offline, that we can do, to at least cut down, to minimize, our companies' exposure to the (oft state-sponsored) hacking groups

      Any link (or lin

      • by raymorris ( 2726007 ) on Saturday December 20, 2014 @12:49AM (#48640139) Journal

        Thereatpost.com is a good source to stay on top of the latest news and threats. There is new stuff posted several times per week, so staying on top of it takes at least a couple of hours per week.

        You can get pretty darn good security at a very reasonable cost, but I can't fit much useful info in a Slashdot post. I read a 586 page book just on securing Apache - there's a ton of information to know and concepts to understand. For a business, especially a web-based business, it probably makes the most sense to hire in the right professional to spend a few hours with you, going over your processes and systems. I've been doing web security for 17 years; before that I did physical security and I'm still learning, so there's just a lot to know.

        Maybe the most important principle is to get rid of what isn't needed. Turn off unneeded services on computers, don't store credit card numbers if you don't absolutely have to, don't have multiple copies of sensitive data on different systems. I can't hack what isn't there.

        If you consult with a professional, be prepared to alter some of your processes to alternatives that are approximately just as easy to use, but different. Sftp is as easy to use as ftp, so don't let "we've always done it this way" be an excuse to not improve your processes. A FEW changes may be much less convenient, but necessary. That is to say, your professional may say once or twice "yes, this way is more time consuming, but it really is necessary for security ". Be prepared for that, but also expect your professional to work with you to find ways to make security relatively painless most of the time. It'll likely follow strict, but painless, rules if done properly.

        Security is mostly about process, not products, and much of the best security software is open source, so the right professional won't be selling you stuff, just spending some time to find what you need and get it set up for you, then help your IT understand a bit and know where to find documentation.

              The right professional will also be able to explain the purpose of any recommendations in a way that you can fully understand. "Because security " is not a valid answer and is most frequently used by people who don't understand the "security" measures they are improperly applying, often in a way that weakens your system rather than strengthens it. It might seem strange to emphasize this, but I've seen a LOT of sysadmins severely damage system security by trying to strengthen it but not really understanding what they're doing. In almost all cases, the people doing crap "security" couldn't explain in detail why they did what they did, and became annoyed when asked to explain in detail. It's a good way to distinguish the few who know their stuff from the vast majority, who don't actually know what they're doing.

        • by Going_Digital ( 1485615 ) on Saturday December 20, 2014 @06:52AM (#48640827)
          The state of corporate IT can be shocking. When I took over the IT at the UK branch of an international technology company I couldn't believe what I saw. Regular office staff had file sharing switched on individual PCs, Software developers had systems operated as root or administrator. People routinely downloaded whatever they wanted and installed it on their computers.

          The first thing I did was make sure that no computer had any file sharing or any other services running on it, instead users would have to share files by placing them on a properly managed server and printers had their own dedicated print server box or were replaced with network printers. All the PCs then had local firewalls enabled to effectively make sure that there were no open ports on them even if some errant software got installed.

          All users were given regular user accounts, no admin access granted. Some users that were doing things like software testing who had to constantly install software were given admin access to a virtual machine so they could do all their testing on that VM.

          It was decided that the offices around the world would be linked up so that direct access to the network could be obtained all over the world. Now every office just plugged their new router into the LAN and gave full access to everything. I however installed a firewall on the new WAN link that restricted remote offices to accessing only 2 servers on our network and only on specific ports to access the services that we wanted to provide access to.

          I was so pleased I did all this as one day the WAN link seemed to be going slow, so I broke out the network monitor to see what was going on to find thousands of connection attempts coming from all of our international offices. As it turns out one of the US PCs had got infected with a worm and it was spreading over the whole global network. I could smugly say that apart from the slow WAN performance we were not effected at all. Our offices ran as normal while the rest of the company lost days of productivity trying to clear up the mess. It was at that point that finally the company started to listen to my calls for better security.

          • by turbidostato ( 878842 ) on Saturday December 20, 2014 @07:16AM (#48640853)

            "The state of corporate IT can be shocking. When I took over the IT at the UK branch of an international technology company I couldn't believe what I saw. Regular office staff had file sharing switched on individual PCs, Software developers had systems operated as root or administrator. People routinely downloaded whatever they wanted and installed it on their computers.
            The first thing I did was make sure that no computer had any file sharing or any other services running on it"

            You were doing it wrong, then, and probably the company employees hate you.

            The first thing you should have done is understanding why computers/lans were configured that way. I can't count the times I've seen security just going all the place closing this and that without providing working alternatives to the function the user was achieving that way, just to put productivity to a halting grind.

            People don't go out of their way to share their hard disks or to install this or that simply because they have nothing better to do but because they need to do something and do it that way because they don't know anything better.

            Corporate security is more about providing secure ways to do what it's needed to be done (as defined by the end user, not the top brass) and less about tying users' hands but very short numbers of "IT security people" seem to understand that.

            • They were sharing their drives because they knew no better, it is what they did at home. Not only did this mean they were causing security issues they were also risking losing their files as they were not backed up. Providing a central server where there files were kept meant they were on a RAID array so they were always available and were backed up to tape every day. It also meant that when their PC let out the magic smoke or was being replaced with a newer model they could continue to work and access thei
              • "They were sharing their drives because they knew no better"

                No, they were sharing their drives because they knew no better *and* they still find cases when sharing files is useful for their work.

                "Providing a central server..."

                Blah, blah, blah... you still didn't address the main point: *Why* users shared their local drives instead of using the central server (or ask for administrative privileges on their computers, or you find they are using something like dropbox, etc.). I've more than 20 years in this in

                • Blah, blah, blah... you still didn't address the main point: *Why* users shared their local drives instead of using the central server (or ask for administrative privileges on their computers, or you find they are using something like dropbox, etc.). I've more than 20 years in this industry and every single time I've seen an environment like that has been because of incompetent IT.

                  Some folk think that having to log in or run as anything but administrator, or have any restrictions on their activity at all is killing their productivity. They want Thumb drives, they want dropbox, they want to set up their own email server on their machine. They want to have an open ftp on their machine

                  Perhaps in your 20 years of experience, you have found a way to allow people to do whatever they want, while providing proper security? You should write a book.

                • by Jawnn ( 445279 )

                  ...every single time I've seen an environment like that has been because of incompetent IT.

                  That might be said in this case, but GP is not to blame for the fact that there was no policy spelling on the proper way to do things. If such a policy had been in place, users would not have been able to "solve problems" by creating file shares on their own PC's. His predecessors neglected their responsibility and allowed a mess to be made. GP came in, found the mess, cleaned it up, and provided a useful alternative to the insane "solution" the users were allowed to create.

                  • "His predecessors neglected their responsibility and allowed a mess to be made. GP came in, found the mess, cleaned it up, and provided a useful alternative"

                    Back to square one. From his own words, first he did was "...make sure that no computer had any file sharing or any other services running on it", which is what I blamed him for.

                    First you do is understand the situation, not closing useful services. Once you understand the situation you go and close unsecure services *once* you are in the position to o

            • You were doing it wrong, then, and probably the company employees hate you.

              The first thing you should have done is understanding why computers/lans were configured that way.

              Yes, it's true that unprotected sex with strangers without a condom feels better, but that doesn't mean you can protect them from STD's or pregnancy without them changing any of their habits.

              Same goes for computer users. Folks who look at productivity as not having to log in, or if you make them, want to use a password of "Password1", or their child's name or just the really quick to log in 1234567, or set up a dropbox, or really want to use thumbdrives, because "it's so quick and convenient, and those ni

              • "Folks who look at productivity as not having to log in"

                I'll take this as an example. In my not so short experience, people usually have no problem to log in; people do have a problem having to log in half a dozen times to different systems within the same company, when they already provided their credentials to their computers at the begining of their work day. And they do have a problem with having to change every 30 days their passwords in crazy ways on those half a dozen different systems.

                To follow on

          • by Rinikusu ( 28164 )

            You can take my root/admin acess from my cold, dead model M wielding hands.

            -Software dev

      • Hacking activities are happening around us, from companies managing parking garages to Sony to Staples to whatnots ...

        I've read Schneier's article which in essence telling us that there is no foolproof way to prevent hacking attempt

        I do reckoned that "foolproof" in the IT field is nothing short of fairy tales, but still, I do think there ought to be ways, online and offline, that we can do, to at least cut down, to minimize, our companies' exposure to the (oft state-sponsored) hacking groups

        Any link (or links), suggestion, recommendation, whatever, that you guys (and gals) can share?

        Thanks !

        Is there any protection against SMB worm ?

        I've always considered SMB to be a steaming pile of crap for reasons that have nothing to do with security and this incident just adds another steaming shovel full of manure to that pile. The best protection agains SMB worms is not to use crap like SMB but pick something more secure instead, that is to say if such an animal even exists. In that case you can either try to find a vendor who offers a similar product and does a better job of testing and patching it than Microsoft does or go with an Open Source

    • by antdude ( 79039 )

      I was thinking of Samba like smb://. :D

  • Supreme Leader (Score:5, Insightful)

    by Dorianny ( 1847922 ) on Saturday December 20, 2014 @12:07AM (#48639991) Journal
    What I really want to know is how did the FBI figure out it was the work of North Korean government agents. Except for a privileged few, North Koreans are completely blocked off from the outside world and would never hear of this movie even if it won more Oscars than the Titanic. Why would North Korea reveal its capabilities and tactics in such dramatic fashion to achieve nothing of any value. It seems to me that all the speculation that was in the news recently about Kim's disappearance from public life and his possible overthrow was far more damaging to the cult of the Supreme Leader than some silly comedy.
    • Re:Supreme Leader (Score:4, Insightful)

      by whoever57 ( 658626 ) on Saturday December 20, 2014 @12:25AM (#48640067) Journal

      What I really want to know is how did the FBI figure out it was the work of North Korean government agents.

      "Never let a good crisis go to waste". They don't seriously think it was North Korea. Instead, there is an ulterior motive for blaming North Korea.

      • Instead, there is an ulterior motive for blaming North Korea

        I never thought I would want to see people being imprisoned in Gitmo, but for that square-head fatso, hey, that's one helluva perfect permanent resident tailor made for Gitmo

      • They don't seriously think it was North Korea. Instead, there is an ulterior motive for blaming North Korea.

        I'm totally receptive to the idea that it's not North Korea, but I gotta insist that any "skeptic" provide an alternative positive explanation.

        I mean, like, what exactly makes you think "they don't seriously think it was North Korea"?

        • by GNious ( 953874 )

          Uh, I have one!

          The US Government have found out that The Interview is also making fun of it, and of NSA/FBI/CSI, and ordered the cyber-attack as a cover-up for threatening Sony bosses to withdraw the movie.
          Afterwards, they blamed the attack on North Korea, in a move that is oddly reminiscent of the humor used in The Interview.

          no?

        • I mean, like, what exactly makes you think "they don't seriously think it was North Korea"?

          Silly boy, because everyone know's it's the "Best Korea".

        • by HiThere ( 15173 )

          Sorry, but why am I expected to have the information to provide an explanation? I'm skeptical about what the government says because they have been shown to lie about as often as to tell the truth. Probably more often in publicized statements, but often you can't tell. This doesn't point at anyone else in particular. There are several plausible candidates. Somebody who's mad about how Pirate Bay has been treated is plausible. So is the Russian Mafia. North Korea's name is in the hat, but until there'

      • Personally, I think this is actually a conspiracy by the North Koreans to make us think the Americans did it. You see, the North Koreans hatched a scheme to do something that looks like a scheme that the Americans would cook up just so they could blame it on the North Koreans. At least that's what I come up when I shave it with Occam's Razor.

        Don't feel bad for falling for it, though - the North Koreans are exceedingly cunning and circumlocutious.

      • If you're right they blew it. They should have blamed Russia and added more pressure. As it happens I don't think they're just making stuff up.

      • Why in fuck would you take a highly visible attack with serious consequences to an international business homed outside this country, and blame the wrong people?

        Other than conspiracy retards, I can't think of any reason why you would want to piss them off like that. I pride myself on arguing any side of any argument, but I can't see any reason other than "illuminati have their reasons" horseshit.

        I don't even care about facts on this one, I just want to know what this serves that we couldn't otherwise accomp

    • Ah, but the real comedy is the reaction to the threats. Worth every penny. And now that we know these kind of threats actually work, we should see some regular old extortion and blackmail pretty soon. Sounds like a real money maker, better than real estate.

    • Re:Supreme Leader (Score:5, Interesting)

      by Frosty Piss ( 770223 ) * on Saturday December 20, 2014 @12:41AM (#48640119)

      Why would North Korea reveal its capabilities and tactics in such dramatic fashion to achieve nothing of any value.

      Because they are obsessed with the "respect" to their Dear Leader. It is a cult obcession with these people, don't try to read logic into it. Think "Scientologists".

    • by dwywit ( 1109409 )

      They built a GUI using visual basic and tracked the hackers' IP address.

      • by genner ( 694963 )

        They built a GUI using visual basic and tracked the hackers' IP address.

        It's a Unix system, I know this

    • by Dahamma ( 304068 )

      Except for a privileged few, North Koreans are completely blocked off from the outside world

      Umm, I think you answered that question already. You don't think North Korea's cyberterrorism military unit just might be part of those "privileged few"?

      Why would North Korea reveal its capabilities and tactics in such dramatic fashion to achieve nothing of any value

      Maybe because their Supreme Leader is a total loon? This is the same guy who has among hundreds of other insane actions decreed that anyone with his name needed to change it immediately. He lives for drama and vanity and wants his citizens to think of him as a demigod. He's a fucking international drama queen of the highest level...

    • Re:Supreme Leader (Score:5, Insightful)

      by X.25 ( 255792 ) on Saturday December 20, 2014 @01:15AM (#48640187)

      What I really want to know is how did the FBI figure out it was the work of North Korean government agents. Except for a privileged few, North Koreans are completely blocked off from the outside world and would never hear of this movie even if it won more Oscars than the Titanic. Why would North Korea reveal its capabilities and tactics in such dramatic fashion to achieve nothing of any value. It seems to me that all the speculation that was in the news recently about Kim's disappearance from public life and his possible overthrow was far more damaging to the cult of the Supreme Leader than some silly comedy.

      Ssssssssssshhhhhhhhhh. You're asking questions, you shouldn't do that.

      Just trust the government.

      • Re: (Score:2, Insightful)

        by rockout ( 1039072 )

        No, ask all the questions you want. Just realize, when you assure people that it "must" be a ruse to provide an excuse to attack North Korea, you sound as loony as the NK leadership.

        I'm not saying NK definitely did plan a cyberattack against Sony; it's an open question at this point. But when you smugly assert that you know it's our own government, with your only proof being your own paranoid crazy logic, you're really not advancing the conversation any.

    • It seems to me that all the speculation that was in the news recently about Kim's disappearance from public life and his possible overthrow was far more damaging to the cult of the Supreme Leader than some silly comedy.

      With thinking like that, clearly you don't have what it takes to make it in the Dictator business.

      BTW, has anybody seen Chaplin's "The Great Dicatator"? It's truly a masterpiece. Then again, Seth Rogen ain't no Chaplin... Of course, I haven't seen "The Interview", but it flunks what I call "The Trailer Test." Typically, they put the highlights of a movie in the trailer, so if the trailer isn't funny/interesting/appealing, there isn't much hope for the rest of the movie. And so it is with "The Interview

      • Exactly, if NK had half a brain, they would realize that Seth Rogen movies are on a pretty steep downward trend. Let it die, and look on with a little smugness, a little pity.

        Also, Umm, Sony? could you do more to be idiots when it comes to security within and without your business groups?
    • by AqD ( 1885732 )

      You'll sent to NK for questioning the supreme agency FBI of USA.

    • North Korea threatened war with the US over The Interview back in June 2014. Sounded like typical NK bluster back then. "Merciless retaliation" on the US would occur if the movie came out. Source: See: http://www.bbc.com/news/world-... [bbc.com] Sony got hacked over The Interview. What other entity, other then North Korea, would bother to screw with Sony to such an extent unless they were deeply offended? The timing of the attack is not likely a coincidence.
      • If I bought one of their rootkit CDs and infected my system, I could see getting a bit miffed, especially after that idiotic statement of how ""Most people, I think, don't even know what a rootkit is, so why should they care about it?" and the "settlement" which essentially said Sony can do whatever they please and don't even get a slap on the wrist.

        You see, when the law fails, vigilantes are not far.

      • There are tons of people out there that could be pissed with Sony in general for any number of reasons, such as publishing their credit card details from PSN 2011 hack or whatever.
        Also, if there is any country that would see japanese megacorps take hits, it's actually South Korea - their actual economic rival. Or China. If this is more of industrial espionage, corporation scale cyberwar i can think of a couple large ones that might have resources and will to do this - and then implicate the funny NORKs.

    • by Rakarra ( 112805 )

      Except for a privileged few, North Koreans are completely blocked off from the outside world

      Which is a pretty good reason why if a hacking attempt originated in North Korea, it would be state-run or at least state-sponsored.

  • by PhrostyMcByte ( 589271 ) <phrosty@gmail.com> on Saturday December 20, 2014 @12:21AM (#48640049) Homepage

    I haven't seen any evidence that the mechanics of the attack itself is at all noteworthy, yet we keep hearing about how this attack was unstoppable, "nasty", etc. -- not just from Sony's PR guys, but from the FBI. As if it could have targeted literally any company and caused just as unmitigated damage.

    To me, a "nasty" worm is Stuxnet: it spread in a very standard innocuous way and seemed like any other worm, but ended up being highly targeted.

    This Sony hack just seems like your average trojan worm leaking an admin password back to someone. The only noteworthy part of this hack is that Sony had such horrifyingly moronic security practices that one attack was able to compromise such a large and varying corpus of valuable data.

    • I haven't read anything that suggests North Korea would have been successful if Sony switched to using two factor authentication on sensitive devices. Then again, I haven't read anything about Sony hiring NSE's after any of the times the have been ownt. Then again, karma for the root kit and not hiring people that can protect them is two factor in its own way.

    • by Dahamma ( 304068 ) on Saturday December 20, 2014 @01:18AM (#48640191)

      Really? Apparently they quickly took control of almost every one one of Sony's servers and workstations. Literally took entire control, stole all of the useful data, wiped out all of their servers, and then owned all of the workstations so that they were useless but able to broadcast any message they wanted to them.

      That's a *bit* more coordinated than "your average trojan worm". Unless you really think based on extremely limited information you know more than all of the security researchers and government investigators looking into it... (hint: sorry, you don't).

      • by TubeSteak ( 669689 ) on Saturday December 20, 2014 @02:41AM (#48640391) Journal

        Really? Apparently they quickly took control of almost every one one of Sony's servers and workstations.

        Wired mentions (without giving a source) an interview with a self-proclaimed member of GoP who claims Sony's network was infiltrated for a year.

        I'm not sure what you consider "quickly," but a year is a long time, even while rooting around in a corporate network as large as Sony's.

        • You could take control quickly and hold it for a year. You could infiltrate and hold it for a year, then quickly take control.

          You seem to say that the only reason your GoP source said it that way is that it took a year to execute.

          Reading comprehension and citations; that's how discussion moves forward.

        • by Dahamma ( 304068 )

          Yeah, I had read that, too. By took control I meant literally "took control". They infiltrated it (and there are rumors there was an insider to help with that) but then they activated everything very quickly, without warning, and basically stole data and destroyed the servers before anyone had a chance to do anything.

          My point was the overall attack was way WAY beyond some simple trojan worm getting an admin password...

      • by Bert64 ( 520050 ) <.moc.eeznerif.todhsals. .ta. .treb.> on Saturday December 20, 2014 @05:16AM (#48640611) Homepage

        It's common practice to put all of your servers and workstations in an active directory domain, and once you have a tiny foothold on an active directory domain it is almost always trivially easy to get administrative privileges over the whole domain (have been working as a pentester for 10+ years and never failed to get domain admin when the job scope allowed it)...
        Once you have domain admin, you typically have access to pretty much everything. Even if the organisation has devices which aren't linked to active directory (typically unix boxes, routers, switches etc), you will probably find that the guys responsible for managing these devices do so from a windows workstation which is part of the domain, so you just find their workstation and start keylogging (or in many cases just find the textfile full of passwords).
        Also in my experience, very few companies notice once you take control of their domain, and as a legitimate pentester i'm not trying to cover my tracks. The chances of most organisations noticing someone who is being careful is virtually 0.

      • Really? Apparently they quickly took control of almost every one one of Sony's servers and workstations. Literally took entire control, stole all of the useful data, wiped out all of their servers, and then owned all of the workstations so that they were useless but able to broadcast any message they wanted to them.

        That's a *bit* more coordinated than "your average trojan worm". Unless you really think based on extremely limited information you know more than all of the security researchers and government investigators looking into it... (hint: sorry, you don't).

        They had access for over a year...
        http://www.businessweek.com/ne... [businessweek.com]

        Sony didn't even have rudimentary security established. Pretty much any teenager with basic skills could have taken them out.

    • Exactly. And the media keeps making out like it could happen to any company. I should seriously hope not. I'd like to think they're not all this stupid.

      • by Bert64 ( 520050 ) <.moc.eeznerif.todhsals. .ta. .treb.> on Saturday December 20, 2014 @05:23AM (#48640621) Homepage

        Yes, yes they are...
        Most companies have a horrendously insecure internal network, with virtually everything tied to an active directory domain which is laughably easy to compromise. They follow what they believe are best practices by installing patches every month, using strong passwords, setting account lockouts etc, but because of how the system is designed it only takes one weakness to make everything fall down. And then they will probably spend a lot of money buying "security software" that just makes the systems run far slower, while not fixing any of the underlying weaknesses.

        Most company networks are like a tardis, they use a network firewall to ensure that only a tiny fraction is visible from the outside, but once you get inside it's much bigger. All it takes is for one minor breach in the firewall by someone semi competent and 99% of companies would be looking at a catastrophic breach. If it hasn't happened to your company yet then it's either a) luck, or b) it has happened but the perpetrators have other motives than publicity

        • by kesuki ( 321456 )

          every system has it's weaknesses.

          linux is not immune from this either, but all the tools to manually secure a network are built in and some have guides on the internet as how to secure them.

          do you honestly believe a system used to connect 30,000 people is going to be easy to secure? and those people need to do computer tasks and office tasks and make art and special effects etc.

          keep in mind Microsoft claims all it's products are 'secure' if you patch them. all the real windows security content i've paged t

        • I've seen big corporate networks that didn't work that way.

          They're not all like that.

    • You are right, and so is the FBI.

      Yes, this was only possible because Sony had such horrifyingly moronic security practices.

      And yes, this could have targeted (nearly) any company and caused just as much unmitigated damage.

    • It was kind of nasty, though, was it not? Muhahahahahaha... *evil laughter*

  • <troll>Ah, Windows... the gift that keeps on giving.</troll>

    Seriously, though... this is pretty ugly. It checks back every five minutes for each machine. You would think that Sony IT would notice that network traffic (or, say, the fact that all of their Windows desktops started listening on port 443). The moral of this story is run an IDS, scan your network, and pay attention to it all! :(

  • I mean OK, you cannot run a Windows system without SMB in a useful way. However how could this spread. SMB is not a protocol that was designed to work outside of broadcast domains. It does, but you loose some of the features people take for granted.

    I seriously wonder how this could spread, after all you don't just have a large Ethernet domain in your international company. You have smaller domains routed together, and in between you can trivially filter. SMB is one of the first things to go. Since it's hard

    • > It does, but you loose some of the features people take for granted.

      Excuse me, but so what? This is not a "taken for granted" usage of the protocol.

      > I seriously wonder how this could spread, after all you don't just have a large Ethernet domain in your international company.

      Oh, my dear lord. I'm assuming you've never worked in a large environment. _Of course_ they have a single large or several large domains (in the Microsoft Active Directory sense) for unified email authenticatoin, and potentially

      • Just because apparently several companies are stupid and use unsuitable security practices doesn't mean it's not really bad security. I mean we all refuse to do support for people who put their malware ridden gaming rig into their main LAN, why do companies get away with that?

        • > Just because apparently several companies are stupid and use unsuitable security practices doesn't mean it's not really bad security

          It's more than "several", I'm afraid. It's extremely common place. A significant portion of my annual salary comes from helping teach and implement improved security practices. And a large part of that income comes from explaining the trade-offs, time and risk and resources.

          > I mean we all refuse to do support for people who put their malware ridden gaming rig into the

    • by Bert64 ( 520050 )

      SMB is indeed commonly used outside of broadcast domains, hosts can find each other through dns (or wins etc), and happily communicate across ethernet segments. In many cases most of the servers will be in a different ethernet segment to the workstations etc.

      SMB will almost never be filtered internally because it's used for domain logons and file sharing, and users will have a need to access files stored on servers in other parts of the company.

      On the other hand, SMB is a terrible protocol... Not only does

  • US-CERT Link (Score:4, Informative)

    by Anonymous Coward on Saturday December 20, 2014 @01:44AM (#48640267)

    Link to the actual US-CERT alert:

    US-CERT TA14-353A [us-cert.gov]

  • Sony? (Score:4, Informative)

    by the_Bionic_lemming ( 446569 ) on Saturday December 20, 2014 @01:57AM (#48640295)

    Is anyone really upset that they got hacked? Has everyone forgot they sent out compact discs loaded with a backdoor to fight argggh pirates?

    • The problem is that it doesn't just damage the entity "Sony", but also has had a large negative effect for the thousands of workers that have nothing to do with Sony's stupid decisions. Now about the attack itself, I strongly believe that this is a false flag operation. The blocking of the movie is caricaturesque in its purpose, it was certain that it would direct all the attention to North Korea. If you can organize such a high skilled attack you can and will also invest effort in covering your tracks and
    • Not really. After they themselves engaged in infecting paying customers [wikipedia.org] with rootkits (with the difference that whoever attacked them didn't even first give them money...) AND got away with it, I can hardly say I feel sorry.

      The only thing I DO feel sorry about is the insignificant damage.

    • by MrL0G1C ( 867445 )

      I am the only person that thinks that vandalising millions of customers PS3's is worse (Other OS feature removal).

      • by donaldm ( 919619 )

        I am the only person that thinks that vandalising millions of customers PS3's is worse (Other OS feature removal).

        Lets be honest here who really needed that feature? Sure it was nice if you wanted to say I have got Linux running on my PS3 but there were much better machines you could run Linux on that would work better.

        I actually do have a FAT PS3 (still working) and even though I do like Linux and am writing this in Google Chrome running under Fedora 21 to put Linux on my PS3 was the last thing I was interested in doing, hence I was not worried abut removing the feature. In case you are wondering the "Other OS" feat

        • So let me get this straight: Sony advertises that you can install Linux on the PS3, users buy the PS3 and install Linux on it, Sony removes the said advertised feature, and it's the user's fault because other machines are better at running Linux?! Great logic you have there.

          Don't forget that many people installed the update which removed Other OS by accident, or they wouldn't dream that installing an update would purposely remove an advertised feature. I am flabbergasted that you so quickly take Sony's side

          • by Rakarra ( 112805 )

            I'll be frank -- OtherOS sucked. It always sucked. Anyone who actually tried to use it found out it sucked. It had all of one useful ability -- a low-cost number-cruncher, and the usefulness of that was quickly eclipsed by PCs again. In nearly every other application, the console was intentionally crippled because Sony was so scared it could be used to run home-brew games, pirated games, game emulators, or anything else they didn't approve of. It sucked because Sony made it that way.

            Most of us who tried Oth

  • When you are dumb enough to use operating systems insecure by design. And the whole NK attacked us, seems just to be a political manoeuvre, smoke and mirrors to distract us from the fact Sony is not the best example of corporate governance, has been making huge PR moves, and Windows is worse than a swiss cheese when it takes to security.
  • by Opportunist ( 166417 ) on Saturday December 20, 2014 @04:36AM (#48640549)

    I think it was Thomas Hesse [wikipedia.org], back when Sony distributed Rootkits with their CDs their President of Global Digital Business, who said "Most people, I think, don't even know what a rootkit is, so why should they care about it?" [wikipedia.org].

    Well, Sony? I'm fairly convinced your execs don't have the foggiest clue about malware but ... do you care about it?

  • by Anonymous Coward

    that a country which is malnourished and still suffering from the effects of famine in 1998 has resources to devote to hacking full stop

    • by donaldm ( 919619 )

      that a country which is malnourished and still suffering from the effects of famine in 1998 has resources to devote to hacking full stop

      You have heard of the Feudal System [wikipedia.org]? Well think of an extreme version of one and North Korea comes to mind. Basically in systems like this the Peasants always are the ones who suffer, the nobles or those further up the pyramid suffer the least, in fact they can live quite comfortably providing they don't question their supreme ruler.

      These highly educated elites that are trained in IT and cyber warfare are capable of instigating cyber attacks and providing they tow the party line and basically worship th

  • Why couldn't Sony just yank all the Internet connectivity until the machines were fixed?
    • ie 'nothing that bad has ever happened before and therefore it's probably not happening to us'

      http://en.wikipedia.org/wiki/N... [wikipedia.org]

      There's another bias where you feel you emotionally can't take any more responsibility and thus just pray that the worst case scenario isn't happening. Not sure it's been studied yet.

  • Why don't we hear anything from the Japanese's government? Sony Is a Japanese Corporation.

A university faculty is 500 egotists with a common parking problem.

Working...