An NSA-derived ransomware worm is shutting down computers worldwide

lexon

An NSA-derived ransomware worm is shutting down computers worldwide

Post by lexon »

Last edited by LockBot on Wed Dec 07, 2022 4:01 am, edited 1 time in total.
Reason: Topic automatically closed 30 days after creation. New replies are no longer allowed.
Pjotr
Level 24
Posts: 20118
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland) 🇳🇱

Re: An NSA-derived ransomware worm is shutting down computers worldwide

Post by Pjotr »

Windows.....
computers running Microsoft Windows XP through Windows Server 2012,
So: no worries for Linux users. :mrgreen:
Unless you're being hit by a public service that's shutting down because of this, of course.
Tip: 10 things to do after installing Linux Mint 21.3 Virginia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.
Habitual

Re: An NSA-derived ransomware worm is shutting down computers worldwide

Post by Habitual »

The fix published March 14th, 2017 by Microsoft.
mike acker
Level 7
Posts: 1517
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: An NSA-derived ransomware worm is shutting down computers worldwide

Post by mike acker »

Habitual wrote: The fix published March 14th, 2017 by Microsoft.
Yes, and it's been public knowledge for years that MSFT systems must be patched promptly.

The hack -- called "Wannacry" or "Wanna Decrypt" -- made the front page on Drudge with a link to the Intercept; also Yahoo linked to a CNN report.

Wannacry Ransomware Hack also BBC

Sysadmins are caught between a Rock and a Hard Place on this: apply the patches -- "next day" -- and hope none of your mission critical apps malfunctions right after that, -- or -- take what may very well have become an unacceptable risk: getting hacked. In thinking about this we ought best note that (a) there is no assurance the hackers will provide the decrypt key, and (b) there is no assurance the decryption will be accurate.

I would like to note here that the goons pushing this software are affecting our medical systems. This is not something we can just shrug off, thinking "all computers get hacked".

Generally, bashing MSFT/Windows on a Linux forum is considered bad form, although I'll have to admit I have participated in our "Windows Comedy Hour". So at this point, I'll just not do that; there's no point to it, really.

But this is no comedy. It's a tragedy.

The only action I see possible short term is to make sure software that has to run on MSFT/Windows -- particularly the Win32 API -- is run on an intranet that can be isolated from the general net. If external access is mandatory in certain areas then perhaps a VPN could be a solution.
¡Viva la Resistencia!
Portreve
Level 13
Posts: 4870
Joined: Mon Apr 18, 2011 12:03 am
Location: Within 20,004 km of YOU!

Re: An NSA-derived ransomware worm is shutting down computers worldwide

Post by Portreve »

The only thing to do is to push as hard as each of us can for companies, and for our brother and sister humans, to switch to libre software running on a libre OS.

I firmly believe in the mantra that friends don't let friends run proprietary software.
Flying this flag in support of freedom 🇺🇦

Recommended keyboard layout: English (intl., with AltGR dead keys)

Podcasts: Linux Unplugged, Destination Linux

Also check out Thor Hartmannsson's Linux Tips YouTube Channel
Habitual

Re: An NSA-derived ransomware worm is shutting down computers worldwide

Post by Habitual »

I am grateful that Mike Acker did all the heavy lifting.
All I have to know is "Meh, Windows" and I'm glad for that.

Have a Good Weekend.
mike acker
Level 7
Posts: 1517
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: An NSA-derived ransomware worm is shutting down computers worldwide

Post by mike acker »

Portreve wrote: The only thing to do is to push as hard as each of us can for companies, and for our brother and sister humans, to switch to libre software running on a libre OS.

I firmly believe in the mantra that friends don't let friends run proprietary software.
Someplace in the recent discussion of Win10s -- the "Windows must die 3d" stuff -- there was a note of explanation regarding legacy software and the Win32 API. Discussion/ZD Net

Legacy apps that rely on this Win32 API are not going to be readily ported to some other API.

This is why I note -- "short term" -- the best option is to isolate vulnerable systems from the open net. If users must have access to an open net browser or e-mail -- give them a Chromebook to do e-mail and web.

It should be clear to everyone by now that troubles with MSFT are not going to end -- when they control the WCry bug. There will be another one, and another after that...

Just my thoughts here on Friday.
Penn

Re: An NSA-derived ransomware worm is shutting down computers worldwide

Post by Penn »

Perhaps this isn't the place to express how my views tend to be different, but perhaps it is relevant in a way that should be discussed.

My first thought is "NSA derived". How did these hackers get NSA utilities to alter? Wasn't that availability of information huge and didn't it include Linux vulnerabilities?

In the three years I've been using Linux I have never seen the amount of kernel updates we have been seeing lately and the only person I know who has been using Linux almost since its inception can't recall seeing this many security updates. Is there a link to these last two paragraphs?

At this point I am just hoping all holes in Linux security related to the NSA leak are fixed before those who would choose to do harm realize Linux based servers have a high value especially since I'm sure that could be adapted to desktop distros. At least the inherent flaws don't exist in Linux as exist in Windows, especially the API version Mike has mentioned but all operating systems were included in the leak.

But hey, all hail the hero for exposing what any reasonable person already knew was happening. Over time this will help with security in the world of the internet age. Just get past the bumps in the road.
jimallyn
Level 19
Posts: 9075
Joined: Thu Jun 05, 2014 7:34 pm
Location: Wenatchee, WA USA

Re: An NSA-derived ransomware worm is shutting down computers worldwide

Post by jimallyn »

Penn wrote: My first thought is "NSA derived". How did these hackers get NSA utilities to alter? Wasn't that availability of information huge and didn't it include Linux vulnerabilities?
My understanding is that the NSA's own people couldn't develop the stuff they wanted, so they hired hackers to do it. Who, as anybody with an IQ higher than their shoe size would have anticipated, took the stuff they developed with them when they left. And I think yes, there were some Linux vulnerabilities included.
“If the government were coming for your TVs and cars, then you'd be upset. But, as it is, they're only coming for your sons.” - Daniel Berrigan
killer de bug

Re: An NSA-derived ransomware worm is shutting down computers worldwide

Post by killer de bug »

This is again the proof that when intelligence agencies decrease the security of a system on purpose (they did not reveal this 0-day exploit), all of us are impacted.
Special congrats to the NHS in England. Still proudly using XP. Congrats. You are the best. :roll:
LIGNUX

Re: An NSA-derived ransomware worm is shutting down computers worldwide

Post by LIGNUX »

In fact, many critical, strategic sectors of the society (intelligence, military, energy, health, etc.) still heavily rely on MS as their OS. As usual in other similar attacks, the human factor remains the weakest point: clicking on a link or opening an attached document in emails, so basic, but also so effective and, alas, so hard to prevent. Institutions holding strategic sectors, at least the public ones, should be accountable for the consequences. It is totally irresponsible to run such unsafe OS as MS when you have in your hands the health or the security of people for instance. No OS is perfect and bulletproof, but alternatives exist and they are free (reducing public expenses and increasing the security of key sectors).

Another lesson to learn is that, unlike what we could think, MS and intelligence agencies are not working hand in hand, or at least only very partially and occasionally, often on a case by case basis.

This specific case, like so many before and many coming, is another good reason to use alternative free/open source OS.

Even if it could hardly be applicable to enterprises, etc., at least at the individual/personal level it could work: you should not store anything essential/important on your HD. Personally mine is empty, just the OS and a few things; all other data, files, etc. are saved on a USB key (itself copied to another USB as a backup and to an external HD never in contact with the internet). This flash drive is plugged in only when the internet connection is disconnected, just long enough to transfer the saved files. That way, even if the worst should happen (ransomware, major crash, etc.), the loss would be minimal or none.

Until the world gets its internet 9/11, and all its dramatic consequences, nothing will change in people's habits.
Last edited by LIGNUX on Sat May 13, 2017 7:50 am, edited 1 time in total.
killer de bug

Re: An NSA-derived ransomware worm is shutting down computers worldwide

Post by killer de bug »

LIGNUX wrote: Another lesson to learn is that, unlike we could think, MS and intelligence agencies are not working hand in hand, or at least very partially and occasionally, often a case by case situation.
I would not bet too much here. :wink:
The patches for these 0-day exploits were released in March, just a few weeks before it went public. That's a strange coincidence.
Experts have also noted that in this case no acknowledgements were given for these patches. Normally, Microsoft acknowledges the origin of the fix.

Therefore, I would not bet that the NSA did not help Microsoft on this one, when they realized their tools were in the wild and that they deeply needed a quick fix. :wink:
mike acker
Level 7
Posts: 1517
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: An NSA-derived ransomware worm is shutting down computers worldwide

Post by mike acker »

killer de bug wrote: {snip}

Therefore, I would not bet that the NSA did not help Microsoft on this one, when they realized their tools were in the wild and that they deeply needed a quick fix. :wink:
In addition to which: patches have been made available back to XP: MSFT/Technet ("EternalBlue")

Excerpt
We also know that some of our customers are running versions of Windows that no longer receive mainstream support. That means those customers will not have received the above mentioned Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download (see links below).
...
Further resources: 
Download English language security updates: Windows Server 2003 SP2 x64, Windows Server 2003 SP2 x86, Windows XP SP2 x64, Windows XP SP3 x86, Windows XP Embedded SP3 x86, Windows 8 x86, Windows 8 x64
To download localized versions for the security update for Windows XP, Windows 8 or Windows Server: http://www.catalog.update.microsoft.com ... =KB4012598
On top of which, various web reports indicate "EternalBlue" was released by the "Shadow Brokers" from stolen NSA data:

Wcry uses weapons-grade exploit published by the NSA-leaking Shadow Brokers.

Combine this with the Snowden leaks and then make your own conclusions.

New this morning (VOX):
By the time the Shadow Brokers released the sensitive information, Microsoft had already released a software upgrade fixing the issue (experts think the NSA may have tipped Microsoft off). The problem is that in many cases, IT professionals failed to install the upgrade, leaving many computers vulnerable to the attack.
Portreve
Level 13
Posts: 4870
Joined: Mon Apr 18, 2011 12:03 am
Location: Within 20,004 km of YOU!

Re: An NSA-derived ransomware worm is shutting down computers worldwide

Post by Portreve »

I've posted the TechRepublic links and other ars-technica links in the past on Twitter, Google+, and Facebook so that friends and others cannot claim to be unaware of the issues, not that I'm personally aware that friends are at this point still running WinXP on their own equipment, for those actually using Windows.

I don't do this formally, but I definitely do engage in GNU+Linux advocacy because of the benefits attached thereto, and I waste no time in pointing out to folks that one runs a proprietary OS and/or proprietary software, regardless of the legitimate need to do so, at one's own peril.

The last time I ran a proprietary OS (well, yes one can make the argument that Android is proprietary, so I mean "besides Android") and proprietary software, it was to finish the job of liberating the last of my data from whatever arcane and proprietary formats it was in, and I did so only for that reason, and only for the length of time required to accomplish that goal. I literally finished up the last of the data which needed to be ported, and the next morning I nuked-n-paved my computer, and I no longer have a personal reason to "once again briefly run" a proprietary OS.
Pierre
Level 21
Posts: 13223
Joined: Fri Sep 05, 2008 5:33 am
Location: Perth, AU.

Re: An NSA-derived ransomware worm is shutting down computers worldwide

Post by Pierre »

And Microsoft has released an Emergency Patch:
https://blogs.technet.microsoft.com/msr ... t-attacks/

Download English language security updates:
- Windows Server 2003 SP2 x64,
- Windows Server 2003 SP2 x86,
- Windows XP SP2 x64,
- Windows XP SP3 x86,
- Windows XP Embedded SP3 x86,
- Windows 8 x86,
- Windows 8 x64
Please edit your original post title to include [SOLVED] - when your problem is solved!
and DO LOOK at those Unanswered Topics - - you may be able to answer some!.
Bill_KY

Re: An NSA-derived ransomware worm is shutting down computers worldwide

Post by Bill_KY »

My thanks to the contributors above for a very helpful discussion of a nasty threat we all face, directly or indirectly. Let’s see if I have the message correctly.

1. Ransomware can impact all of us at least indirectly if only by taking down the servers on which we depend for so many tasks. The only way to be safe is to spend as little time as possible in the “connected” world. Effective maybe, but hardly practical for most of us.

2. Direct attacks on our desktop machines are aided by lazy users running porous operating systems. At the least keep your OS updated and use such effective anti-malware protection as there is for whatever you run. Very much better is to not run any commercial desktop OS. If malware/ransomware criminals have not cracked it, they will.

3. It follows that you should not rely on any Windows (or Mac?) desktop OS for any digital tasks or data you are not prepared to sacrifice without warning.

4. Do any critically important computing tasks off-line if possible. (You really can walk into a bank and do business!) If these must be done on-line do them with a free OS and free applications. Linux qualifies. (Chromebooks apparently qualify, though I have no personal experience with them.)

5. Expect the malware/ransomware assault to continue. I believe that is because the criminals who launch these schemes are making very large amounts of money. They have no interest in honest creativity because it does not pay nearly as well for most of them. The probability that they will be identified and apprehended is very small as against the possibility of very great rewards.

6. Question: Is it possible to eliminate “untraceable” payment schemes/pseudo-currencies? Back in the pre-digital day, when kidnappers had to get their payment in real currency, law enforcement quickly learned to follow the money back to the thieves. Is there some similar strategy available here?
mike acker
Level 7
Posts: 1517
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: An NSA-derived ransomware worm is shutting down computers worldwide

Post by mike acker »

Bill_KY wrote: My thanks to the contributors above for a very helpful discussion of a nasty threat we all face, directly or indirectly. Let’s see if I have the message correctly. {snip}
Remember carefully: the object of the computer criminal is not to steal your password but to get unauthorized programming running in your computer. I don't think there is any simple answer that would lead to secure computing.

Hopefully a few more good folks here will watch Joanna Rutkowska's presentation at 32C3 (Nov 2015):

joanna rutkowska 32C3 Nov2015 stateless computer solution to corrupt firmware

"EternalBlue" is one thing. This "Management Engine" is another.

Always remember: repressive governments always seek to control communication. Their main reason for surveillance is to identify and neutralize dissidents before effective opposition can be organized. Dissent is necessary for good government. It's why we have our 1st and 4th amendments. Dissent is necessary to expose and root out corruption.
jimallyn
Level 19
Posts: 9075
Joined: Thu Jun 05, 2014 7:34 pm
Location: Wenatchee, WA USA

Re: An NSA-derived ransomware worm is shutting down computers worldwide

Post by jimallyn »

Bill_KY wrote: Question: Is it possible to eliminate “untraceable” payment schemes/pseudo-currencies?
That seems pretty unlikely. If they find a way to trace Bitcoin, for example, we will soon see Bitcoin 2.
Penn

Re: An NSA-derived ransomware worm is shutting down computers worldwide

Post by Penn »

jimallyn wrote:
Penn wrote: My first thought is "NSA derived". How did these hackers get NSA utilities to alter? Wasn't that availability of information huge and didn't it include Linux vulnerabilities?
My understanding is that the NSA's own people couldn't develop the stuff they wanted, so they hired hackers to do it. Who, as anybody with an IQ higher than their shoe size would have anticipated, took the stuff they developed with them when they left. And I think yes, there were some Linux vulnerabilities included.
That would only explain how it got outside of the NSA and ignore how "these hackers" got the info, unless you are claiming it is the same people both leaving with the information and now using it as ransomware. But I think the publicized dump of NSA tools is how the current hackers attained the info, and that came from the same people that exposed us all to the word "meta-data". This time it has so far only had this negative side effect. The first had both negative and positive outcomes. I don't let the positive blind me to the negative. But Assange is held as a hero in some people's minds. Ironically, most who I personally know that do hold him as a hero for the already mentioned leaks also "blame" him for what he exposed this past October (or was it the first week of November), and vice versa for those I know on the other side of those debates.