Wana Decryptor Ransomware Using NSA Exploit Leaked By Shadow Brokers To Spread Ransomware Worldwide (threatpost.com) 197
msm1267 quotes a report from Threatpost: A ransomware attack running rampant through Europe today is spreading via an exploit leaked in the most recent Shadow Brokers dump. Researchers said the attackers behind today's outbreak of WannaCry ransomware are using EternalBlue, an exploit made public by the mysterious group in possession of offensive hacking tools allegedly developed by the NSA. Most of the attacks are concentrated in Russia, but machines in 74 countries have been infected; researchers at Kaspersky Lab said they've recorded more than 45,000 infections so far on their sensors, and expect that number to climb. Sixteen National Health Service (NHS) organizations in the U.K., several large telecommunications companies and utilities in Spain, and other business throughout Europe have been infected. Critical services are being interrupted at hospitals across England, and in other locations, businesses are shutting down IT systems.
An anonymous Slashdot reader adds: Ransomware scum are using an SMB exploit leaked by the Shadow Brokers last month to fuel a massive ransomware outbreak that exploded online today, making victims all over the world in huge numbers. The ransomware's name is Wana Decrypt0r, but is also referenced online under various names, such as WannaCry, WannaCrypt0r, WannaCrypt, or WCry. The ransomware is using the ETERNALBLUE exploit, which uses a vulnerability in the SMBv1 protocol to infect vulnerable computers left exposed online. Microsoft issued a patch for this vulnerability last March, but there are already 36,000 Wana Decrypt0r victims all over the globe, due to the fact they failed to install it. Until now, the ransomware has laid waste to many Spanish companies, healthcare organizations in the UK, Chinese universities, and Russian government agencies. According to security researchers, the scale of this ransomware outbreak is massive and never-before-seen.
UPDATE: The Guardian reports that "An 'accidental hero' has halted the global spread of the WannaCry ransomware" by discovering a kill switch involving "a very long nonsensical domain name that the malware makes a request to." By registering that domain, the spread of the ransomware was effectively halted.
UPDATE: The Guardian reports that "An 'accidental hero' has halted the global spread of the WannaCry ransomware" by discovering a kill switch involving "a very long nonsensical domain name that the malware makes a request to." By registering that domain, the spread of the ransomware was effectively halted.
Say "thanks" to your "security"-agency... (Score:5, Insightful)
Re: (Score:2)
Re:Say "thanks" to your "security"-agency... (Score:5, Insightful)
But this isn't a zero-day. "Microsoft issued a patch for this vulnerability last March, but there are already 36,000 Wana Decrypt0r victims all over the globe, due to the fact they failed to install it."
Blame lax IT policies and ineffective management for leaving exposed machines to the internet unmatched. Of course your going to get hosed. Most know to put a firewall, enable the machine's firewall, or air-gap their systems.
Re:Say "thanks" to your "security"-agency... (Score:5, Insightful)
Since there were so many people that turned off updates to avoid getting MS Windows 10 unasked I don't think blaming the victims is a useful approach.
Re: Say "thanks" to your "security"-agency... (Score:2)
No. The update process was manageable. Maybe not for most home users, but certainly for the British NHS. Certainly they should have blocked SMB shares from the internet.
That is not how it infects (Score:5, Informative)
That's not how it it gets on a network, even a large one like that. Somebody gets tricked into installing the malware from an email attachment or link via a vunerablity in IE or MS Office (Outlook not so good) and then it spreads across a local network via a weakness in an SMB implementation. Multiple levels of "fail" but not at the firewall, and not a lot that Microsoft's customers can do about it especially in a tight budget situation with IT as a very low priority.
Your suggestion (while a good one that would have already been done since it's so obvious) would not have helped.
Re: (Score:2)
That's how most malware is spread. But WannaCry, according to reports, was a fully automated exploit that did NOT need users to open an attachment or click on a link.
If a Windows computer running SMB was exposed to the internet, it could be infected and from there infect machines connected on the internal network.
The lack of human interaction needed was how it spread so quickly.
Re: (Score:2)
Maybe read something a little more credible and try again. There were dozens of ways anything like that would have got "owned" in minutes years before this new thing surfaced.
Re: (Score:1)
Blocking SMBv1 protocol from the internet won't stop this attack. Any medical staff from within NHS can click a phishing site or open a malicious email attachment and the ransomware would still scatter like wildfire within NHS LAN.
Re: (Score:2)
Sure it is. If there's a hole in the wall because some idiot used a scattergun to try and kill a fly, it's still the idiot's fault.
Microsoft has actually been quite sensible for this very reason. Way too many idiots think the solution to any problem they have is to turn off windows update. I'll wager that the majority of those who "turned off" windows update to avoid windows 10 actually knew what they were doing and didn't turn it off but rather curated them.
Personally I think the best thing would be:
a) not
and microsoft isnt fixing winbdows 7 (Score:2)
they stopped helping 50% of windows users
ergo windows 7
get ready cause to be infected "the im not migrating to crap spyware that the nsa has more holes in then swiss cheese is now swiss cheese too"
thank microsoft too whom helps them
btw waving from
Re: It's not an old patch either. (Score:2)
It seems this is another implication they may want to consider when deciding which patches they want to put off applying until too late.
Or maybe move to a system that isn't so brittle that changes have to be evaluated for months.
National Insecurity Agency (Score:5, Informative)
Also, while the NSA seems to have compiled a formidable array of exploits and tools to compromise enemy systems, that doesn't mean that everyone else isn't playing the exact same game. The only difference between the NSA and EVERY other state intelligence agency on the planet is that they seem to be able to properly secure their black ops toys. Being one of the largest agencies of this sort, there are going to be a lot of people in the know. And the more people involved, the harder it is to keep a secret.
Mind you, that doesn't make this any less tragic or regrettable. I sort of hope the CIA decides that it is in the US interest to find and vanish anyone connected with this ransomware to make an example of them. Alas, that sort of thing only happens in implausible Hollywood scripts.
Re: (Score:3)
Remotely exploitable network vulnerabilities shouldn't happen, but there seems no practical hope that they'll stop anytime soon. It would be negligent of legitimate spy agencies to fail to search for them and arguably be able to take advantage of them. Imagine you're trying to find out when an ISIS group is planning a bombing and you discover they're running a messageboard on a Windows machine with an SMB exploit, do you tell Microsoft to patch the exploit?
You never know which of the vulnerabilities you'll
Re: (Score:2)
Interesting.
1.) Who determines "illegal?" .... problem? Solution. Doesn't even need to be public in the world we live in. Secret orders, secret courts, secret laws. We're already there.
2.) I like the idea, basically. I wouldn't use a name already in public purview. Not "Shadow Brokers" but maybe "Not Somebody Anonymous" or a similar name that people suspect might be the NSA, but can't prove is the NSA.
Re: (Score:2)
I sort of hope the CIA decides that it is in the US interest to find and vanish anyone connected with this ransomware to make an example of them.
Sounds suicidal.
Re: (Score:2)
And why do you think Microsoft was able to patch this *before* the exploit was leaked by Shadow Brokers?
Re: (Score:2)
Re: (Score:1)
I guess the question is why wasn't there a plan in place to patch the holes going on in secret also? If you're going to weaponize something you want to be able to neutralize it also. True since rocks.
Re:Say "thanks" to your "security"-agency... (Score:5, Insightful)
No. Say thanks to Micro$oft for making people extremely gunshy after their concerted efforts to force Windows 10 down everyone's throats.
It's bad enough to worry that an update to a bad driver will brick your machine without the problem of waking up to find Windows 10 on your machine.
I'm sure there's enough blame to go around here, but don't forget that the update paranoia around Windows OS's was brought to you by none other than Micro$oft themselves.
Re: (Score:1)
microsoft is partly guilty in this for sure because A LOT of people have the updates turned off since the windows 10 debacle, the lies, the telemetry, the diagtrack process, the broken windows update service that sits iddle consuming 25% of your cpu, etc
but even a monkey like me that hears about the smb vuln, even if i dont know what it means exactly because im just a user and not an engineer, i could tell it was BAD, so i patched the living shit out of my computer
sorry but if youve had experiences with bla
Re:That only happened to idiots. (Score:4, Insightful)
Microsoft told lie after lie after lie about their intentions. There was absolutely no reason to believe that setting your update threshold to "Critical Only" would save you from an unsolicited Windows 10 installation.
The only rational course of action for those who didn't want Windows 10 was to turn off Windows Update entirely. Deny this all you want, but be prepared for justified accusations of victim-blaming.
Re: (Score:3)
Actually, I think many of them were primarily used by people who didn't even know they were using a computer. They thought they were using an XRay machine or some such. And that those people had no authority to tamper with the software.
I'll grant that there were lots of other infected groups, but many of them had good reason to not update their systems. The problem is those machines should never have been connected to the net, and THAT is at least 2/3 on the manufacturers. But MS doesn't deserve any den
Re: (Score:2)
I think you're either lying or incompetent. Possibly because you don't use MS Windows. I know that I don't, but this same effect has been reported by enough different people that to deny it is unreasonable. I'm *not* certain that it was true for all editions of MS Windows, as there have been simultaneous reports where some people said it was happening despite being turned off and others denied that they were seeing the effect. One possible explanation is that different editions of MS Windows acted diffe
Say "thanks" to leakers (Score:2)
Like any weapon, this one is dangerous (deadly!) in the wrong hands. It was not the NSA, who placed it into the wrong hands, however.
Re: (Score:2)
It was the NSA who failed to properly secure and protect their "weapon" that could wreak havoc globally if it got into the wrong hands. It was and is their responsibility.
Re: (Score:1)
Yes, they were certainly negligent. A person, whose gun is stolen can be charged with negligence. But the murderer is still responsible for the murder — not the gun's hapless owner.
Re: (Score:3)
Re: (Score:2, Interesting)
Re: (Score:2)
If the NSA wasn't the wrong hands, why didn't they cause this bug to be fixed years ago? It was already in the wrong hands...and probably not only those of the NSA.
Re: (Score:1)
Did you miss the part where Microsoft patched this 2 months ago [microsoft.com] and the only people being infected are the ones that are grossly (even negligently) behind?
I honestly don't care about whether you blame the NSA for developing an exploit or not reporting it earlier. At this junction, however, 100% of the blame lies with these IT departments that can't get their shit patched.
Re: Say "thanks" to your "security"-agency... (Score:1)
Micro&Soft build their system with a crapy backdoor. No one to blame, if not them.
Re: (Score:2)
"rather than having them fixed"
The patch for the exploit used has been been publicly available on Windows Update since March 14.
Re: (Score:2)
Re: (Score:3)
Pain is what makes the lesson sink in. The world's pain will motivate it to demand that our Intelligence agencies disclose vulnerabilities rather than sit on them, and further will demand enough transparency that they can prove they are doing this.
It won't happen immediately. But as hospital deaths roll in, and the seriousness of this failure starts to sink in, claims that this is all the fault of those who leaked the exploit will fall on some very deaf ears.
That's not what will happen at all. Nobody in government (that matters) will be held accountable for these attacks using their own leaked tools. They will not change, they will change the rules as in no more general purpose computers.
Governments will simply push for the elimination of general-purpose computers owned by the general public at large. One will have to show cause to own a GP computer and it will be licensed and registered with government, as will any device allowed to connect to the internet.
Str
Re: (Score:2)
Governments couldn't advocate for the "elimination of general purpose computers". The split second they did so, you'd have every industry on earth screaming bloody murder, along with various groups like the EFF, FSF, ACLU, etc.
It's already illegal to root your iPhone. It's called the DMCA. EFF, FSF, and ACLU did indeed scream bloody murder. No one cared. You don't even know what it meant. There are 2.1 billion pocket computers in use today, and for the vast majority of them, it is illegal for their owner to assume full control of the software of the device.
Think about that for a while.
Re: (Score:2)
Spot on. The transition away from general-purpose PCs is already well underway. As more and more people begin using their cellphones, tablets, etc almost exclusively and use their home desktops and even laptops less and less, it soon will be hard to find PCs for sale new as demand shr
Re: (Score:1)
Bah! Who is Russia? Compared to Microsoft? [youtube.com]
Tally (Score:3)
Number of affected worldwide when it leaks: Tens of thousands to potentially millions
Obscurity is not security. (Score:5, Insightful)
I've said it before but it bears repeating. [slashdot.org]
When you create an exploit, you create a weapon but when you submit a fix, you make that weapon ineffective. So now instead of having the world's best armor, we have an absurd cache of weapons and those weapons have been stolen. The moral isn't to protect your weapons better, it's that you should be making better armor.
Re: Obscurity is not security. (Score:1)
The usual answer is more weapons.
Re: (Score:2)
The usual answer is more weapons.
Software security isn't your usual war so the usual answers do not apply.
It hit the NHS hard (Score:5, Interesting)
I'm a doctor in the NHS. It hit my hospital hard. The bosses triggered the MAJAX protocols meaning everyone off work was called to come in and help. Computers are used for everything, so blood tests, admissions, scan requests, referrals, all had to be done by hand. The public were asked to keep away from A+E because hundreds of people were waiting. It was terrifying how little failsafe infrastructure there was. The hospital just stopped working.
Re:It hit the NHS hard (Score:4, Insightful)
And you use unpatched computers in a hospital WHY? How the hell is it that the PC my kid plays Minecraft on is patched, but the ones you use for MEDICAL CARE are not!? WTF!?
Re:It hit the NHS hard (Score:5, Informative)
They may remain unpatched because of a fear that the patch could cause serious errors in the same systems. Most large organizations don't immediately apply patches throughout their infrastructure. They test the patches extensively before deciding to deploy them. In many cases there are laws and regulations in place that say systems have to be certified before they are deployed. Getting the certification for a patched systems, even when the unpatched system is certified, can be a huge and expensive task which may involve hiring specialized firms to run extensive tests.
Some organizations are just negligent and risk problems by not patching while others are super vigilant and risk different problems by delaying patches.
Re: (Score:2)
inside of a bureaucracy... (Score:2, Insightful)
common sense tends to get driven out by a business MBA who is an expert in efficiency.
proprietary software created by a vendor that is 4 guys in an office somewhere on the other side of the planet, who just got bought out by megacorp which then spun off as dildicorp and fired all the original creators... does not have a flying clue about why your Blobnatz75 driver doesn't work on Windows 10, nor are they going to get an answer anytime soon.
Re: (Score:2)
However an unpatched PC or server would break laws relating to compliance. PCI compliance for example, all security patches must be installed within 30 days of the patch being released.
Re: (Score:2)
So firewall the shit out of them, don't let them access the web, don't give them USB connectors ... problem solved.
The only computers 99% of hospital computers should be able to connect to should be the data servers for the applications and the computers handling remote management. Even those computers handling remote management shouldn't by default be able to just communicate with them on all ports, because modern IT is too fucking retarded to be relied on not to fuck that up.
Re: (Score:3, Informative)
Due to microsoft's continuous fuckery with win10, telemetry, updates which break shit and now rolled up updates which makes vetting them(*) an order of magnitude harder and more time consuming the last time my win 7 install was updated was sept 2016 and even that was a due to more fuckery by microsoft.
I left my machine set to 'check for updates but don't install' yet it suddenly flips to install updates automatically after several years without any warning or change by myself - suspicious eh? Since then i h
Re: (Score:2)
Abso-fucking-lutely! I'm only on 7 because M$ made a coupla changes to Direct X and the game producing herd bleated acquiescence - so if I wanted to play most recent games I needed to be on Win 7. I installed it for the first time about the time 10 came out, thus missing the abortion called 8, and then we got hit with the bullshit about auto "upgrading". Yeah. Auto updates are OFF, still running GWX control panel, any possible telemetry nuked both in the registry and on my router. So, thanks to the sof
Re:It hit the NHS hard (Score:5, Insightful)
And you use unpatched computers in a hospital WHY?
Because patches are often broken. Imagine these hospitals had applied the patch when Microsoft released it, but the patch was faulty in some way, and all of the hospital computers went down as a result. Instead of complaining the hospitals were running unpatched, you and/or many people like you would be bitching and moaning that they were negligent to install the patch too soon.
Updates from Microsoft frequently include at least one broken patch. There was one update last year that broke millions of peoples' webcams. There have been several updates that interfered with settings and reverted them back to default configurations, and several more updates that seemingly deleted group policy objects that had been configured by the domain administrator. There was a patch around the new year that inadvertently disabled the DHCP service, despite the update itself having nothing to do with DHCP. (Things that make you go hmmm.) This particular fuck-up rendered a lot of machines not only broken, but totally irreparable without manual human intervention, i.e. dispatching someone clueful to each of your premises to clean up the mess.
Patch deployment in any enterprise environment requires extensive testing. You have to coordinate with your software vendors to make sure their applications are compatible with the update. If you install Patch XYZ without first getting approval from Vendor123, you wind up invalidating your support contracts with them. All of this takes time. In 2016, there were several months in a row where Microsoft had to un-issue, repair, supersede, and re-release a broken patch they'd pushed out. Put yourself in the shoes of an admin team who got burned by Windows Update breaking your systems, especially repeatedly. Are you going to be in any hurry to patch? If you were bitten by the DHCP bug, do you trust that the "critical SMB patch" really only touches SMBv1, and isn't going to inexplicably corrupt Office or remove IPV4 connectivity on every computer it touches?
If the PC your kid plays Minecraft on gets hosed by a broken patch, it's not that big of a deal. The business world is a different story.
Re: (Score:1)
i have a box at home, with a system made by some dude with very thick glasses in some basement somewhere, its that thing called linux
it gives me less problems when i update than the marvelous and modern windows do on my other boxes, which is sad considering i dont know jack shit about linux
maybe, just maybe, the affected big companies should consider moving away from microsoft, which has not been able to deliver a proper product since windows 7
Re: (Score:2)
More than patches are broken is that applications sometimes are written to handle the the unpatched version and when the patch arrives then the workaround blows up.
Re: (Score:2)
It also requires them to be curmudgeons and for management to stop thinking of themselves as masters of the universe.
By overconfident management and hipster IT combined we got BYOD.
Doh (Score:2)
He is a doctor not an IT consultant, this is failure of IT management failure.
NHS Digital is provided by outside private sector IT Consultancies and has been beset with failure for years.
Re: (Score:2)
It's not just an IT failure. It's a management failure AND a failure of law AND a failure of manufacturing. Many medical devices should NOT have IP connections. They should send and receive text streams that are ONLY data, not executable, even by an interpreter. The laws about certification of equipment should recognized that unpatched devices should be forbidden contact with the internet. Etc. And manufactures should be liable if their device connects to the internet and they don't insist that patche
Hospitals used to work equally well in the 1990s (Score:2)
I don't understand why any critical infrastructure (which, like a hospital, should function even in cases of catastrophy or war) connects any vital computer to a public network.
Re: Hospitals used to work equally well in the 199 (Score:2)
Hospitals still operate with the same amount of people than the 90s but the population has nearly doubled. There is also a ton more diagnostics being done by the little beeping machines. There is still no reason to run Windows though.
Re: (Score:2)
One thing that's important is to build up a segmented network where each department is insulated from the other departments and only exchange of approved information is going to be allowed.
Same goes for internet communication. Limit that to necessary services.
Mail services should go on virtual servers that are sandboxed, or even on a remote desktop server.
Re: (Score:2)
They want low priority "cases" to stay away, not everybody, especially not ambulance admissions. By way of example how A&E sometimes (often) gets abused, I had a boss once who cut his finger while operating a turret press. He had the only staff member present other than myself drive him to the nearest A&E because, as a guitar player, he said he might have done some serious damage. I downed tools until they returned as I'm fucked if I'm running sheet metal on industrial hardware alone on a night s
Re: (Score:2)
get used to it (Score:2)
What boggles my mind (Score:4, Informative)
Is that there are still 45k Windows machine that are directly connected to the Internet.
Any Windows machine I manage (mostly very specific medical software and medical machines) are either VM (and thus behind a firewall and any service proxied to a BSD or Linux host) or airgapped.
Re: (Score:3, Interesting)
Re: (Score:2)
Yup, plus a single exposed machine which is infected will then turn around and start scanning it's own subnet which may include machines which may not even have internet access.
Re: What boggles my mind (Score:2)
Then they ARE connected to the Internet, having a proxy to the entire network is the same as having no firewall. From my understanding this isn't being done via social engineering though (yet), a coordinated "attack" (I would call it a test) would devastate these Windows-only enterprises.
Rule number one on any network: everything else is hostile. Not sure how even Microsoft hasn't figured that one out.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
File a lawsuit against ... (Score:2)
... the NSA.
Lots of demonstrable dollar loss.
Microsoft plugged this hole back in March.
The NSA should Compensate.... (Score:1)
Re:The NSA should Compensate.... (Score:5, Insightful)
EVERY Person, and EVERY Business, that this will do damage to. Its their tool, POORLY secured, that caused this ENTIRE MESS!
You got it all wrong. The entity to blame is Microsoft. Their operating system is poorly secured which is the root cause of this entire mess.
Re: The NSA should Compensate.... (Score:1)
If some hacker finds an exploit, doesn't tell Microsoft, uses it for his own purposes but fails to keep it secure so other hackers get hold of it and use it to install ransomware, would you still blame Microsoft, or only if the hacker's initials are NSA?
You might as well criticize the Linux devs too because of all the unpatched security holes in Linux.
Re: (Score:1)
If some hacker finds an exploit, doesn't tell Microsoft, uses it for his own purposes but fails to keep it secure so other hackers get hold of it and use it to install ransomware, would you still blame Microsoft,
Yes, yes I would.
You might as well criticize the Linux devs too because of all the unpatched security holes in Linux.
Also yes.
Re: (Score:2)
Can you say in a serious face that the NSA HAS 0 backdoors on Linux? No really. It's not like the NSA didn't have a role in developing Redhats apoarmor or anything.
The echo chamber of anti MS hate is strong here as always but put the crackpipe down.
The NSA has keys to juniper and even a backdoor of old Nortel now Avaya routers. The NSA logs on and does what it likes
Re: (Score:2)
Can you say in a serious face that the NSA HAS 0 exploitable bugs on Linux?
A) FTFY
B) Why bring up Linux? I'm just talking about the flaws that Microsoft owned code has.
The echo chamber of anti MS hate is strong here as always but put the crackpipe down.
The only thing I've done is lay blame where blame should be laid. When a severe bug for operating system XYZ is exposed then you blame the people who developed it, not the people who exploited it. This is true for all operating systems.
Re: (Score:2)
You imply NSA is innocent and only Windows can be hacked. A false belief. Where do you think the term ROOTkit came from? Unix security was a joke before WindowsNT came into the scene as VMS was more secure because it was not written in C. I have seen hackers take over a SuSE enterprise server to host a phishing website. Just because it's opensource doesn'tean it's secure.
Re: (Score:2)
You imply NSA is innocent and only Windows can be hacked.
I did not imply either of those, you inferred that using faulty logic.
Re: (Score:2)
If anything, SELinux has saved systems from 0days by restricting the vulnerable process to only what it should do. Filesystem permissions or chroots only get you so far. SELinux goes farther. For example, it prevents a process from making outgoing IP connections.
Re: (Score:2)
IIUC the NSA has "rainbow tables" that allow them access to any Linux system. But these don't allow access to all Linux systems.
This is not to claim that the NSA don't have any exploitable tools that will handle all Linux systems, but I don't know of any. Linux systems can be stripped down and "hardened" in ways that MS intentionally doesn't allow. And, for that matter, the same is true of BSD, even slightly more-so. But not Apple, except, perhaps, their iPhones. As with MS, Apple doesn't let *you* str
Re: (Score:2)
Here is a list right now of Linux [cvedetails.com]
Re: (Score:2)
You got it all wrong. The entity to blame is Microsoft. Their operating system is poorly secured which is the root cause of this entire mess.
I dunno about this. From what I've read they fixed the problem a while ago and a patch has been available for a reasonable amount of time - enough for most people to have tested and deployed it, especially given its seemingly obvious criticality.
Your post implies that software should only be shipped when it is perfectly bug free, which I at least think is simply not possible.
Re: (Score:2)
You got it all wrong. The entity to blame is Microsoft. Their operating system is poorly secured which is the root cause of this entire mess.
I have a better idea, instead of blaming someone who had a bug in their code and patched that code the moment they discovered it, how about you blame the government entity which knew about the exploit and decided to weaponise it rather than report it.
If we blame Microsoft then all programmers should hang because I've yet to see a bug free piece of software. That includes open source security software which we all hold near and dear to our hearts.
Re: (Score:2)
I have a better idea, instead of blaming someone who had a bug in their code and patched that code the moment they discovered it
Why wouldn't you blame the people who wrote poorly secured code?
If we blame Microsoft then all programmers should hang because I've yet to see a bug free piece of software.
It doesn't have to be bug free, it just shouldn't have remotely exploitable bugs in critical systems. Critical systems include the kernel, startup configs/scripts and daemons/services. In this case, Microsoft failed to secure their WINS service.
That includes open source security software which we all hold near and dear to our hearts.
Absolutely, I hold the Apache devs equally responsible for their HTTPd daemon's poor security model, especially with regard to addons like PHP. Simply put, people need to validate their inputs and mit
Re: (Score:2)
Why wouldn't you blame the people who wrote poorly secured code?
You can, just don't pretend that this is a Microsoft problem vs a programmers are human problem. You're masking the underlying issue with a blame game.
It doesn't have to be bug free, it just shouldn't have remotely exploitable bugs in critical systems.
Bugs, remotely exploitable critical bugs, same thing different label. This kind of stuff traverses all programmers, programming languages and OSes.
Nobody can do this perfectly but Microsoft is hardly trying.
I'm not sure I agree. Microsoft may look like they are hardly trying but they are also under the biggest scrutiny, and let's not forget who WanaCry actually initiates an infection: phishing email. It's also some ob
Re: (Score:2)
You're masking the underlying issue with a blame game.
I responded to a post that was specifically laying blame on the NSA. I didn't start off waving a banner and cheering, "this is Microsoft's fault" but rather I was merely correcting the original post so that blame was properly credited.
Bugs, remotely exploitable critical bugs, same thing different label.
Poppycock! You may think they are the same but one is a specific subtype of the other that doesn't just happen anywhere.
Nobody can do this perfectly but Microsoft is hardly trying.
I'm not sure I agree.
Considering the first thing the new guy at MS did was cut QA, I would say he's not interested in doing things like security reviews on existing code.
let's not forget who WanaCry actually initiates an infection: phishing email.
Actual
Re: (Score:2)
As a (anonymous coward) specialist, you should then also be aware that the vast majority of those Linux exploits are DOS or other flaws that do not pose an existential threat to the OS and filesystem itself due to the vastly superior Unix security and update model.
Still, this particular exploit--like most successful ones--depends primarily on clueless users. There is no operating system on the planet that can withstand a determined assault from a clueless user.
Brought to you by Microsoft's incompetence (Score:1)
RANSOMWARE USES BUG PATCHED IN MARCH (Score:1)
Oh, but it takes time to verify that these patches won't...
Yeah, and how long is it going to take you to recover from getting slammed, and at what cost? For something that was patched TWO MONTHS AGO.
Not a zero day, a YESTER-DAY!
And if you're still relying on XP...
Re: (Score:2)
So, no surprise that someone finally exploited
When will people get it... (Score:2)
When will people get it that, with a mission-critical computer system, it should have no more ability or authority to do _anything_ than it needs. If you computer is only there to do your financial stuff, the it doesn't need to be able to run Minecraft, so it should not be able to run Minecraft at all. Having a single all-things-to-all-people OS that, once booted, can do anything and everything, and is so complex that even its manufacturer can't track all the bugs and holes, and nobody else can even tell if
Re: When will people get it... (Score:2)
You say "if your computer". Then you proceed to define how a hardcore least privilege makes a computer not yours anymore. It belongs to whatever entity is tying your hands with respect to running it...
Re: (Score:2)
Have you ever actually installed an embedded Linux system using something like Yocto? Or are you just making money on the side posting anonymously for Microsoft?
Re: (Score:2)
If you do all that on the same machine, then any privilege escalation exploit can do all of them. To hobble the machine, though, often limits its capabilities unacceptably. This is why I generally assert that the main focus should be on restricting communication to text data only, with no commands beyond those capable of being encoded in HTML1.0 (no ECMAScript, etc.). That way data can be shared, but control is local. And, please, no auto-extracting command processors. No transmission of executable fil
Comment removed (Score:3)
Where is IT security? (Score:2)
Don't these institutions have IT security? Don't people understand how to design networks that are isolated from the internet, minimizing the attack surface of unpatched or intentionally held back machines?
Not trying to blame the victims here, well, ok I am, this is totally avoidable with some proper network design and isolation of critical and potentially vulnerable 'held back' systems.
Nothing inherently wrong with saying, "I don't want this machine's OS changed, cuz it works perfectly now." Where the pr
Re: (Score:2)
Munich government not affected (Score:3)
Remember how Munich switched to Linux? Yup, not affected.
Plenty of blame to spread around (Score:2)
2. NSA has a dual mission -- the second (neglected) mission is to ensure the security of domestic computer networks