An NSA-derived ransomware worm is shutting down computers worldwide

lexon
Level 5
Posts: 999
Joined: Sat Jan 31, 2009 10:53 pm
Location: MA USA

An NSA-derived ransomware worm is shutting down computers worldwide

Postby lexon » Fri May 12, 2017 2:45 pm

Lindows, Linspire, Freespire, Ubuntu, Mint 15 Cinnamon, Mint 16 XFCE, Mint 17 Cinnamon 64 bit, Mint 18 64 bit Cinnamon.

Pjotr
Level 18
Posts: 8849
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)
Contact:

Re: An NSA-derived ransomware worm is shutting down computers worldwide

Postby Pjotr » Fri May 12, 2017 3:01 pm

Windows.....
computers running Microsoft Windows XP through Windows Server 2012,

So: no worries for Linux users. :mrgreen:
Unless you're being hit by a public service that's shutting down because of this, of course.
Tip: 10 things to do after installing Linux Mint 18.2 Sonya
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

mrjohnbates
Level 1
Posts: 8
Joined: Fri May 12, 2017 2:14 pm

Re: An NSA-derived ransomware worm is shutting down computers worldwide

Postby mrjohnbates » Fri May 12, 2017 3:16 pm

Thanks for the info. I missed this. Always good to keep abreast of what's going on.
Anna Smith: You can't take it sitting down because you're not guilty of any wrong, and before it's over, I'm going to tell the world.
John Bates: Are you? I'm not sure the world is listening.

Habitual
Level 13
Posts: 4866
Joined: Sun Nov 21, 2010 8:31 pm
Location: 0.0.0.0

Re: An NSA-derived ransomware worm is shutting down computers worldwide

Postby Habitual » Fri May 12, 2017 3:46 pm

The fix published March 14th, 2017 by Microsoft.

mike acker
Level 6
Posts: 1284
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: An NSA-derived ransomware worm is shutting down computers worldwide

Postby mike acker » Fri May 12, 2017 6:08 pm

Habitual wrote:The fix published March 14th, 2017 by Microsoft.

Yes, and it's been public knowledge for years that MSFT systems must be patched promptly.

The hack -- called "Wannacry" or "Wanna Decrypt" -- made the front page on Drudge with a link to the Intercept; also Yahoo linked to a CNN report.

Wannacry Ransomware Hack also BBC

Sysadmins are caught between a rock and a hard place on this: apply the patches "next day" and hope none of your mission-critical apps malfunctions right after that, or take what may very well have become an unacceptable risk: getting hacked. In thinking about this we ought best note that (a) there is no assurance the hackers will provide the decrypt key, and (b) there is no assurance the decryption will be accurate.

I would like to note here that the goons pushing this software are affecting our medical systems. This is not something we can just shrug off, thinking "all computers get hacked".

Generally, bashing MSFT/Windows on a Linux forum is considered bad form, although I'll have to admit I have participated in our "Windows Comedy Hour". So at this point, I'll just not do that; there's no point to it, really.

But this is no comedy. It's a tragedy.

The only action I see possible short term is to make sure software that has to run on MSFT/Windows -- particularly the Win32 API -- is run on an intranet that can be isolated from the general net. If external access is mandatory in certain areas then perhaps a VPN could be a solution.
My Computer: IBM 360/50 c. 1975
¡Viva la Resistencia!

Portreve
Level 5
Posts: 819
Joined: Mon Apr 18, 2011 12:03 am
Location: Florida

Re: An NSA-derived ransomware worm is shutting down computers worldwide

Postby Portreve » Fri May 12, 2017 7:19 pm

The only thing to do is to push as hard as each of us can for companies, and for our brother and sister humans, to switch to libre software running on a libre OS.

I firmly believe in the mantra that friends don't let friends run proprietary software.
Everything is in hand. With this tapestry... and with patience, there is nothing one cannot achieve.

No hamsters were harmed in the authoring of this post.

Habitual
Level 13
Posts: 4866
Joined: Sun Nov 21, 2010 8:31 pm
Location: 0.0.0.0

Re: An NSA-derived ransomware worm is shutting down computers worldwide

Postby Habitual » Fri May 12, 2017 7:22 pm

I am grateful that Mike Acker did all the heavy lifting.
All I have to know is "Meh, Windows" and I'm glad for that.

Have a Good Weekend.

mike acker
Level 6
Posts: 1284
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: An NSA-derived ransomware worm is shutting down computers worldwide

Postby mike acker » Fri May 12, 2017 7:37 pm

Portreve wrote:The only thing to do is to push as hard as each of us can for companies, and for our brother and sister humans, to switch to libre software running on a libre OS.

I firmly believe in the mantra that friends don't let friends run proprietary software.

Someplace in the recent discussion of Win10s -- the "Windows must die 3d" stuff -- there was a note of explanation regarding legacy software and the Win32 API. Discussion/ZD Net

Legacy apps that rely on this Win32 API are not going to be readily ported to some other API.

This is why I note -- "short term" -- the best option is to isolate vulnerable systems from the open net. If users must have access to an open-net browser or e-mail, give them a Chromebook to do e-mail and web.

It should be clear to everyone by now that troubles with MSFT are not going to end -- when they control the WCry bug. There will be another one, and another after that...

Just my thoughts here on Friday.
My Computer: IBM 360/50 c. 1975
¡Viva la Resistencia!

Penn
Level 5
Posts: 643
Joined: Tue Jun 10, 2014 1:12 pm

Re: An NSA-derived ransomware worm is shutting down computers worldwide

Postby Penn » Sat May 13, 2017 12:06 am

Perhaps this isn't the place to express how my views tend to be different, but perhaps it is relevant in a way that should be discussed.

My first thought is "NSA derived". How did these hackers get NSA utilities to alter? Wasn't that availability of information huge and didn't it include Linux vulnerabilities?

In the three years I've been using Linux I have never seen the amount of kernel updates we have been seeing lately and the only person I know who has been using Linux almost since its inception can't recall seeing this many security updates. Is there a link to these last two paragraphs?

At this point I am just hoping all holes in Linux security related to the NSA leak are fixed before those who would choose to do harm realize Linux based servers have a high value especially since I'm sure that could be adapted to desktop distros. At least the inherent flaws don't exist in Linux as exist in Windows, especially the API version Mike has mentioned but all operating systems were included in the leak.

But hey, all hail the hero for exposing what any reasonable person already knew was happening. Over time this will help with security in the world of the internet age. Just get past the bumps in the road.

jimallyn
Level 16
Posts: 6702
Joined: Thu Jun 05, 2014 7:34 pm
Location: Wenatchee, WA USA

Re: An NSA-derived ransomware worm is shutting down computers worldwide

Postby jimallyn » Sat May 13, 2017 3:07 am

Penn wrote:My first thought is "NSA derived". How did these hackers get NSA utilities to alter? Wasn't that availability of information huge and didn't it include Linux vulnerabilities?

My understanding is that the NSA's own people couldn't develop the stuff they wanted, so they hired hackers to do it. Who, as anybody with an IQ higher than their shoe size would have anticipated, took the stuff they developed with them when they left. And I think yes, there were some Linux vulnerabilities included.

“If the government were coming for your TVs and cars, then you'd be upset. But, as it is, they're only coming for your sons.” - Daniel Berrigan

killer de bug
Level 14
Posts: 5310
Joined: Tue Jul 08, 2008 1:49 pm
Location: Graz, Austria

Re: An NSA-derived ransomware worm is shutting down computers worldwide

Postby killer de bug » Sat May 13, 2017 3:19 am

This is again the proof that when intelligence agencies decrease on purpose the security of a system (they did not reveal this 0 day exploit), all of us are impacted.
Special congrats to the NHS in England. Still proudly using XP. Congrats. You are the best. :roll:
If it ain't broke, fix it until it is.

LIGNUX
Level 1
Posts: 25
Joined: Wed Jan 11, 2017 6:15 am

Re: An NSA-derived ransomware worm is shutting down computers worldwide

Postby LIGNUX » Sat May 13, 2017 4:20 am

In fact, many critical, strategic sectors of the society (intelligence, military, energy, health, etc.) still heavily rely on MS as their OS. As usual in other similar attacks, the human factor remains the weakest point: clicking on a link or opening an attached document in emails, so basic, but also so effective and, alas, so hard to prevent. Institutions holding strategic sectors, at least the public ones, should be accountable for the consequences. It is totally irresponsible to run such unsafe OS as MS when you have in your hands the health or the security of people for instance. No OS is perfect and bulletproof, but alternatives exist and they are free (reducing public expenses and increasing the security of key sectors).

Another lesson to learn is that, unlike we could think, MS and intelligence agencies are not working hand in hand, or at least very partially and occasionally, often a case by case situation.

This specific case, like so many before and many coming, is another good reason to use alternative free/open source OS.

Even if it could hardly be applicable to enterprises, etc., at least at the individual/personal level it could work: you should not store anything essential/important on your HD. Personally mine is empty, just the OS and a few things; all other data, files, etc. are saved on a USB key (itself copied on another USB as a backup and an external HD never in contact with the internet). This flash drive is plugged in only when the internet connection is disconnected, just long enough to transfer the saved files. That way even if the worst would happen (ransomware, major crash, etc.), the loss would be minimal or none.

Until the world will get its internet 9/11, and all its dramatic consequences, nothing will change in the habit of people.
Last edited by LIGNUX on Sat May 13, 2017 7:50 am, edited 1 time in total.

killer de bug
Level 14
Posts: 5310
Joined: Tue Jul 08, 2008 1:49 pm
Location: Graz, Austria

Re: An NSA-derived ransomware worm is shutting down computers worldwide

Postby killer de bug » Sat May 13, 2017 7:04 am

LIGNUX wrote:Another lesson to learn is that, unlike we could think, MS and intelligence agencies are not working hand in hand, or at least very partially and occasionally, often a case by case situation.

I would not bet too much here. :wink:
The patches for these 0-day exploits were released in March, just a few weeks before it went public. That's a strange coincidence.
Experts have also noted that in this case no acknowledgements were given for these patches. Normally, Microsoft acknowledges the origin of the fix.

Therefore, I would not bet that the NSA did not help Microsoft on this one, when they realized their tools were in the wild and that they deeply needed a quick fix. :wink:
If it ain't broke, fix it until it is.

mike acker
Level 6
Posts: 1284
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: An NSA-derived ransomware worm is shutting down computers worldwide

Postby mike acker » Sat May 13, 2017 8:17 am

killer de bug wrote:{snip}

Therefore, I would not bet that the NSA did not help Microsoft on this one, when they realized their tools were in the wild and that they deeply needed a quick fix. :wink:

In addition to which: patches have been made available back to XP: MSFT/Technet ("EternalBlue")

Excerpt
We also know that some of our customers are running versions of Windows that no longer receive mainstream support. That means those customers will not have received the above mentioned Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download (see links below).
...
Further resources: 
Download English language security updates: Windows Server 2003 SP2 x64, Windows Server 2003 SP2 x86, Windows XP SP2 x64, Windows XP SP3 x86, Windows XP Embedded SP3 x86, Windows 8 x86, Windows 8 x64
To download localized versions for the security update for Windows XP, Windows 8 or Windows Server: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598


On top of which, various web reports indicate "EternalBlue" was released by the "Shadow Brokers" from stolen NSA data.

Wcry uses weapons-grade exploit published by the NSA-leaking Shadow Brokers.

Combine this with the Snowden leaks and then make your own conclusions.

New this morning (VOX):
By the time the Shadow Brokers released the sensitive information, Microsoft had already released a software upgrade fixing the issue (experts think the NSA may have tipped Microsoft off). The problem is that in many cases, IT professionals failed to install the upgrade, leaving many computers vulnerable to the attack.
My Computer: IBM 360/50 c. 1975
¡Viva la Resistencia!

Portreve
Level 5
Posts: 819
Joined: Mon Apr 18, 2011 12:03 am
Location: Florida

Re: An NSA-derived ransomware worm is shutting down computers worldwide

Postby Portreve » Sat May 13, 2017 9:18 am

I've posted the TechRepublic links and other ars-technica links in the past on Twitter, Google+, and Facebook so that friends and others cannot claim to be unaware of the issues, not that I'm personally aware that friends are at this point still running WinXP on their own equipment, for those actually using Windows.

I don't do this formally, but I definitely do engage in GNU+Linux advocacy because of the benefits attached thereto, and I waste no time in pointing out to folks that one runs a proprietary OS and/or proprietary software, regardless of the legitimate need to do so, at one's own peril.

The last time I ran a proprietary OS (well, yes one can make the argument that Android is proprietary, so I mean "besides Android") and proprietary software, it was to finish the job of liberating the last of my data from whatever arcane and proprietary formats it was in, and I did so only for that reason, and only for the length of time required to accomplish that goal. I literally finished up the last of the data which needed to be ported, and the next morning I nuked-n-paved my computer, and I no longer have a personal reason to "once again briefly run" a proprietary OS.
Everything is in hand. With this tapestry... and with patience, there is nothing one cannot achieve.

No hamsters were harmed in the authoring of this post.

Pierre
Level 15
Posts: 5865
Joined: Fri Sep 05, 2008 5:33 am
Location: Perth, AU.

Re: An NSA-derived ransomware worm is shutting down computers worldwide

Postby Pierre » Sat May 13, 2017 9:26 am

And Microsoft has released an Emergency Patch:
https://blogs.technet.microsoft.com/msr ... t-attacks/

Download English language security updates:
- Windows Server 2003 SP2 x64,
- Windows Server 2003 SP2 x86,
- Windows XP SP2 x64,
- Windows XP SP3 x86,
- Windows XP Embedded SP3 x86,
- Windows 8 x86,
- Windows 8 x64
Please edit your original post title to include [SOLVED] - when your problem is solved!
and DO LOOK at those Unanswered Topics - - you may be able to answer some!.
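A defender's check for the update Pierre links, added here as an example and not part of the thread: it asks each host whether KB4012598 (the security update the Microsoft download page names for Windows XP, Windows Server 2003 and Windows 8) is installed and reports the result. Host names are constructed placeholders; the same fix reached other Windows versions under different KB numbers, so this check is only meaningful on those three platforms.

```powershell
# Added example, not from the thread. Reports whether KB4012598 (the update
# Microsoft published for XP / Server 2003 / Windows 8) is installed on a
# set of hosts. Requires WMI/DCOM access to each host with admin rights.

$HotFixId = 'KB4012598'
# Placeholder host names; replace with the machines you administer.
$Hosts = @('legacy-xp-01', 'legacy-2003-01', 'kiosk-win8-01')

function Test-Kb4012598 {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$Id = $HotFixId
    )
    try {
        # Win32_OperatingSystem tells us which platform we are looking at.
        $os  = Get-WmiObject -Class Win32_OperatingSystem `
                             -ComputerName $ComputerName -ErrorAction Stop
        # Get-HotFix queries Win32_QuickFixEngineering for the given KB id;
        # it returns nothing (no error) when the update is absent.
        $fix = Get-HotFix -Id $Id -ComputerName $ComputerName `
                          -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer    = $ComputerName
            OS          = $os.Caption
            Patched     = [bool]$fix
            InstalledOn = if ($fix) { $fix.InstalledOn } else { $null }
        }
    } catch {
        # Unreachable or access denied: report it rather than skipping it,
        # so an unpatched host cannot hide behind a connection failure.
        [pscustomobject]@{
            Computer    = $ComputerName
            OS          = "unreachable: $($_.Exception.Message)"
            Patched     = $false
            InstalledOn = $null
        }
    }
}

$Hosts | ForEach-Object { Test-Kb4012598 -ComputerName $_ } |
    Sort-Object Patched |
    Format-Table -AutoSize
```

Hosts that show Patched = False at the top of the table are the ones to take off the open network until the update is applied.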

Bill_KY
Level 1
Posts: 28
Joined: Sat Feb 21, 2009 11:32 am
Location: Loveland, CO

Re: An NSA-derived ransomware worm is shutting down computers worldwide

Postby Bill_KY » Sat May 13, 2017 1:50 pm

My thanks to the contributors above for a very helpful discussion of a nasty threat we all face, directly or indirectly. Let’s see if I have the message correctly.

1. Ransomware can impact all of us at least indirectly if only by taking down the servers on which we depend for so many tasks. The only way to be safe is to spend as little time as possible in the “connected” world. Effective maybe, but hardly practical for most of us.

2. Direct attacks on our desktop machines are aided by lazy users running porous operating systems. At the least keep your OS updated and use such effective anti-malware protection as there is for whatever you run. Very much better is to not run any commercial desktop OS. If malware/ransomware criminals have not cracked it, they will.

3. It follows that you should not rely on any Windows (or Mac?) desktop OS for any digital tasks or data you are not prepared to sacrifice without warning.

4. Do any critically important computing tasks off-line if possible. (You really can walk into a bank and do business!) If these must be done on-line do them with a free OS and free applications. Linux qualifies. (Chromebooks apparently qualify, though I have no personal experience with them.)

5. Expect the malware/ransomware assault to continue. I believe that is because the criminals who launch these schemes are making very large amounts of money. They have no interest in honest creativity because it does not pay nearly as well for most of them. The probability that they will be identified and apprehended is very small as against the possibility of very great rewards.

6. Question: Is it possible to eliminate “untraceable” payment schemes/pseudo-currencies? Back in the pre-digital day when kidnappers had to get their payment in real currency, law enforcement quickly learned to follow the money back to the thieves. Is there some similar strategy available here?

mike acker
Level 6
Posts: 1284
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: An NSA-derived ransomware worm is shutting down computers worldwide

Postby mike acker » Sat May 13, 2017 4:49 pm

Bill_KY wrote:My thanks to the contributors above for a very helpful discussion of a nasty threat we all face, directly or indirectly. Let’s see if I have the message correctly.{snip}

Remember carefully: the object of the computer criminal is not to steal your password but to get unauthorized programming running in your computer. I don't think there is any simple answer that would lead to secure computing.

Hopefully a few more good folks here will watch Joanna Rutkowska's presentation at 32C3 (Nov 2015):

joanna rutkowska 32C3 Nov2015 stateless computer solution to corrupt firmware

"EternalBlue" is one thing. This "Management Engine" is another.

Always remember: repressive governments always seek to control communication. Their main reason for surveillance is to identify and neutralize dissidents before effective opposition can be organized. Dissent is necessary for good government. It's why we have our 1st and 4th amendments. Dissent is necessary to expose and root out corruption.
My Computer: IBM 360/50 c. 1975
¡Viva la Resistencia!

jimallyn
Level 16
Posts: 6702
Joined: Thu Jun 05, 2014 7:34 pm
Location: Wenatchee, WA USA

Re: An NSA-derived ransomware worm is shutting down computers worldwide

Postby jimallyn » Sat May 13, 2017 8:04 pm

Bill_KY wrote:Question: Is it possible to eliminate “untraceable” payment schemes/pseudo-currencies?

That seems pretty unlikely. If they find a way to trace Bitcoin, for example, we will soon see Bitcoin 2.

“If the government were coming for your TVs and cars, then you'd be upset. But, as it is, they're only coming for your sons.” - Daniel Berrigan
