The recent WannaCry ransomware

ResearchMed
Posts: 6874
Joined: Fri Dec 26, 2008 11:25 pm

The recent WannaCry ransomware

Post by ResearchMed » Sat May 13, 2017 5:03 pm

Is this correct, that the malware was really "only" a problem on older, unsupported Windows XP systems?

http://www.cnbc.com/2017/05/13/microsof ... ttack.html

It seems a patch had already been issued for the more recent and supported Windows versions.
(And for those with custom support for XP.)

If so, that means 1) some critical organizations are/were using unsupported XP, and 2) those of us with later, supported Windows versions (and non-Windows systems) don't need to worry about getting hit with this.

-->> And for anyone here still running XP, there seems to be a patch available for this.

I'm also curious about any more details about the person who apparently hit the "kill switch".
I've heard that it was (as described per link above) a "22 year old" who "discovered" it, but I also heard that it was an accident... a very fortunate one.

So... do those of us without XP systems not need to worry (and perhaps never did)?
(And are that many critical organizations (such as hospitals) still running XP without getting custom support?)

Thanks.

RM
This signature is a placebo. You are in the control group.

mpsz
Posts: 279
Joined: Sat Jan 09, 2016 7:11 pm

Re: The recent WannaCry ransomware

Post by mpsz » Sat May 13, 2017 5:24 pm

No. It affects other versions of Windows as well: https://krebsonsecurity.com/tag/wanna-cry-ransomware/

The reason that Windows XP receiving a patch is newsworthy is that Windows XP (and Windows Vista) have reached "end-of-support" state from Microsoft. This means that under ordinary circumstances, these OSes are not receiving any kind of updates at all -- not even security updates. This is bad enough that Microsoft is providing one-time updates for these OSes.

The best way to protect yourself against ransomware, etc. is to have an offline backup of your system. As in, an external hard drive with your backups, that is unplugged from your system after the backup has completed.

PFInterest
Posts: 1677
Joined: Sun Jan 08, 2017 12:25 pm

Re: The recent WannaCry ransomware

Post by PFInterest » Sat May 13, 2017 5:33 pm

It was really a non-issue for anyone with a supported UTD system.

whaleknives
Posts: 1210
Joined: Sun Jun 24, 2012 7:19 pm

Re: The recent WannaCry ransomware

Post by whaleknives » Sat May 13, 2017 5:43 pm

All I know is what I read, but:
"I'm an indexer. I own the market. And I'm happy." (John Bogle, "BusinessWeek", 8/17/07) ☕ Maritime signal flag W - Whiskey: "I require medical assistance."

whaleknives
Posts: 1210
Joined: Sun Jun 24, 2012 7:19 pm

Re: The recent WannaCry ransomware

Post by whaleknives » Sat May 13, 2017 5:53 pm

This was prescient; it seems British NHS computers were attacked in January.
"I'm an indexer. I own the market. And I'm happy." (John Bogle, "BusinessWeek", 8/17/07) ☕ Maritime signal flag W - Whiskey: "I require medical assistance."

nedsaid
Posts: 9907
Joined: Fri Nov 23, 2012 12:33 pm

Re: The recent WannaCry ransomware

Post by nedsaid » Sat May 13, 2017 6:02 pm

The UK National Health Service was still 90% on Windows XP? Man, they were just asking for trouble. It was a huge accident just waiting to happen as XP is now just a giant security hole.
A fool and his money are good for business.

hoops777
Posts: 2298
Joined: Sun Apr 10, 2011 12:23 pm

Re: The recent WannaCry ransomware

Post by hoops777 » Sat May 13, 2017 6:20 pm

The whole idea of basing everything that runs our society on the internet that is not secure is just so comforting. One of these days we will come to regret it, no doubt. Someday our elections might even be affected somehow :D
I bet if we actually knew the truth about all of this stuff and the vulnerabilities we have it would not go over well.
I always love the that could never happens. Just like the stock market could never lose 50 pct.
On that note, my beloved Warriors are heavily favored to beat the Spurs. So many experts could never be wrong, right?
K.I.S.S........so easy to say so difficult to do.

ResearchMed
Posts: 6874
Joined: Fri Dec 26, 2008 11:25 pm

Re: The recent WannaCry ransomware

Post by ResearchMed » Sat May 13, 2017 6:52 pm

whaleknives wrote:All I know is what I read, but:
The description of how it was stopped is scary.
It would seem too, too easy to change that one part of the code, and also replace it with something more difficult for any outsider to "fix" - especially as now, outsiders will know where to look, etc.

It also seems like a lazy way to have made the kill switch.
Had they required *some* sort of password to do it.... this would have continued longer, and spread more...

RM
This signature is a placebo. You are in the control group.

Phineas J. Whoopee
Posts: 7234
Joined: Sun Dec 18, 2011 6:18 pm

Re: The recent WannaCry ransomware

Post by Phineas J. Whoopee » Sat May 13, 2017 8:41 pm

Large organizations frequently delay application of updates, because they want to keep every computer at a standard build for less expensive maintainability, they need to test compatibility with everything they use, and they may be under legal restrictions. It is known that the practice creates vulnerabilities, therefore they're expected to be scrupulous about data backups, stored onsite and off, and about creating and rehearsing major incident plans. Some aren't.

This is a reasonable article about it: The Malware Attacking the U.K.'s National Health Service Could've Been Stopped. Here's Why It Wasn't.

PJW
Last edited by Phineas J. Whoopee on Sat May 13, 2017 8:45 pm, edited 1 time in total.

2015
Posts: 1703
Joined: Mon Feb 10, 2014 2:32 pm

Re: The recent WannaCry ransomware

Post by 2015 » Sat May 13, 2017 8:42 pm

mpsz wrote:
<snip>

The best way to protect yourself against ransomware, etc. is to have an offline backup of your system. As in, an external hard drive with your backups, that is unplugged from your system after the backup has completed.
This would be me. Don't need a crystal ball to see this type of thing is coming to an online storage site and/or online password manager near you.

whaleknives
Posts: 1210
Joined: Sun Jun 24, 2012 7:19 pm

Re: The recent WannaCry ransomware

Post by whaleknives » Sat May 13, 2017 8:45 pm

"Penny wise and £ foolish" is a British saying.
"I'm an indexer. I own the market. And I'm happy." (John Bogle, "BusinessWeek", 8/17/07) ☕ Maritime signal flag W - Whiskey: "I require medical assistance."

whaleknives
Posts: 1210
Joined: Sun Jun 24, 2012 7:19 pm

Re: The recent WannaCry ransomware

Post by whaleknives » Sat May 13, 2017 8:56 pm

Phineas J. Whoopee wrote:. . . This is a reasonable article about it: The Malware Attacking the U.K.'s National Health Service Could've Been Stopped. Here's Why It Wasn't.
Except this article, like many others, doesn't differentiate between Windows versions. The comment "The NHS had two months to install this patch and inoculate itself from WannaCryptor—but it didn’t" assumes Windows 7 or later. NHS is running XP, and the XP patch wasn't available until today.
"I'm an indexer. I own the market. And I'm happy." (John Bogle, "BusinessWeek", 8/17/07) ☕ Maritime signal flag W - Whiskey: "I require medical assistance."

JDot
Posts: 361
Joined: Fri Apr 24, 2015 10:15 pm

Re: The recent WannaCry ransomware

Post by JDot » Sat May 13, 2017 10:11 pm

It's more complicated for organizations than for individuals. They cannot simply do day one updates in some instances. Servers especially. Supposedly the patch was issued in March of this year so any personal computer running a supported Windows version with auto updates on would presumably be protected. But organizations who simply do not update as they should were exposed. But also organizations who try to do their best, yet perhaps they had not updated in the last couple of months due to compatibility issues, etc. were also exposed.

At least, this is how my IT dept explained it to me.

Phineas J. Whoopee
Posts: 7234
Joined: Sun Dec 18, 2011 6:18 pm

Re: The recent WannaCry ransomware

Post by Phineas J. Whoopee » Sat May 13, 2017 10:25 pm

whaleknives wrote:
Phineas J. Whoopee wrote:. . . This is a reasonable article about it: The Malware Attacking the U.K.'s National Health Service Could've Been Stopped. Here's Why It Wasn't.
Except this article, like many others, doesn't differentiate between Windows versions. The comment "The NHS had two months to install this patch and inoculate itself from WannaCryptor—but it didn’t" assumes Windows 7 or later. NHS is running XP, and the XP patch wasn't available until today.
Good thing for me I didn't write perfectly accurate in every respect, just reasonable. The article goes through some of the motivations behind update delays, whether they're to Windows 7 or moving from Windows XP to a more recent and still supported version. I stand by my word reasonable, which I chose carefully.
PJW

whaleknives
Posts: 1210
Joined: Sun Jun 24, 2012 7:19 pm

Re: The recent WannaCry ransomware

Post by whaleknives » Sat May 13, 2017 10:29 pm

Phineas J. Whoopee wrote:Good thing for me I didn't write perfectly accurate in every respect, just reasonable. The article goes through some of the motivations behind update delays, whether they're to Windows 7 or moving from Windows XP to a more recent and still supported version. I stand by my word reasonable, which I chose carefully.
Didn't mean to sound critical; it's the clueless reporting that's driving me crazy. 8-)
"I'm an indexer. I own the market. And I'm happy." (John Bogle, "BusinessWeek", 8/17/07) ☕ Maritime signal flag W - Whiskey: "I require medical assistance."

kjvmartin
Posts: 1191
Joined: Wed Jan 21, 2015 8:57 am

Re: The recent WannaCry ransomware

Post by kjvmartin » Sat May 13, 2017 10:32 pm

JDot wrote:It's more complicated for organizations than for individuals. They cannot simply do day one updates in some instances. Servers especially. Supposedly the patch was issued in March of this year so any personal computer running a supported Windows version with auto updates on would presumably be protected. But organizations who simply do not update as they should were exposed. But also organizations who try to do their best, yet perhaps they had not updated in the last couple of months due to compatibility issues, etc. were also exposed.

At least, this is how my IT dept explained it to me.
It drives me insane when my government organization says "Do not update your work phone" each time iOS updates. 3-4 months later, they send out a "go ahead, it's safe" e-mail. Usually, the next update is available by then. We were also on Win XP up till very recently.

We are so secure it's unreal.. VPN, frequent password resets for about 10 different programs we use (all with differing requirements). What they don't realize is that no one can remember all of this junk and people are all forced to write it down & stick it in a drawer. How secure is that?

Calygos
Posts: 465
Joined: Tue Jan 13, 2015 3:48 pm

Re: The recent WannaCry ransomware

Post by Calygos » Sat May 13, 2017 10:40 pm

FWIW, we're a very heavy Windows desktop and server shop at work and our Windows engineers (I'm the one Linux guy) stopped everything yesterday to patch all even improbably at-risk systems against this. It's a big deal.

Nicolas
Posts: 1007
Joined: Wed Aug 22, 2012 7:41 am

Re: The recent WannaCry ransomware

Post by Nicolas » Sat May 13, 2017 11:01 pm

I'm glad I switched from a PC to an iMac last year.

munemaker
Posts: 3278
Joined: Sat Jan 18, 2014 6:14 pm

Re: The recent WannaCry ransomware

Post by munemaker » Sat May 13, 2017 11:21 pm

Nicolas wrote:I'm glad I switched from a PC to an iMac last year.
Because of this virus?

SittingOnTheFence
Posts: 294
Joined: Sun Sep 27, 2015 5:30 pm

Re: The recent WannaCry ransomware

Post by SittingOnTheFence » Sat May 13, 2017 11:27 pm

Nicolas wrote:I'm glad I switched from a PC to an iMac last year.
But don't let your guard down:
https://blog.malwarebytes.com/threat-a ... ndows-mac/

Nicolas
Posts: 1007
Joined: Wed Aug 22, 2012 7:41 am

Re: The recent WannaCry ransomware

Post by Nicolas » Sat May 13, 2017 11:48 pm

munemaker wrote:
Nicolas wrote:I'm glad I switched from a PC to an iMac last year.
Because of this virus?
Yes, that was the intent of my post. I'm immune from this one due to its only affecting Windows. I know I'm not immune from every virus/malware, but there are far fewer. But on the whole I like the iMac better. Also I have quite a bit of AAPL that I've held since January 2010 so I feel good about that too, I'm up 410% :moneybag
Last edited by Nicolas on Sun May 14, 2017 12:02 am, edited 1 time in total.

Mudpuppy
Posts: 5889
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: The recent WannaCry ransomware

Post by Mudpuppy » Sun May 14, 2017 12:01 am

As noted by others, this vulnerability affects Windows all the way up through Windows 10. Also, this was patched in March, which is relatively recently when it comes to corporate patch cycles. Due to corporate policies, such as vetting that patches do not disrupt critical systems, patch release cycles can run behind in certain environments. That is why this is affecting corporate environments more widely than the home consumer.

And if you do have an older Windows system, this is severe enough that Microsoft has issued a patch for older systems, such as Windows XP. View more at the following Microsoft page: https://blogs.technet.microsoft.com/msr ... t-attacks/

ThePrune
Posts: 897
Joined: Wed Nov 10, 2010 9:38 am
Location: Midland, MI

Re: The recent WannaCry ransomware

Post by ThePrune » Sun May 14, 2017 5:09 am

mpsz wrote:The best way to protect yourself against ransomware, etc. is to have an offline backup of your system. As in, an external hard drive with your backups, that is unplugged from your system after the backup has completed.
+1

I've been doing this for years. It really works. About 4 years ago my wife clicked on an attachment on an email and infected our secondary home computer with ransomware. After a thorough virus scrubbing I simply copied all files back onto the computer.

Getting the virus scrubbed away was actually tougher than I expected. I ended up needing to use the offline version of MS Windows Defender (free from Microsoft website) to get the last bits removed.

One final point. We have two Windows computers at our house. They are NOT connected on a single network, primarily to prevent a virus on one of them from infecting both simultaneously.
Investment skill is often just luck in sheep's clothing.

munemaker
Posts: 3278
Joined: Sat Jan 18, 2014 6:14 pm

Re: The recent WannaCry ransomware

Post by munemaker » Sun May 14, 2017 5:18 am

Nicolas wrote:
munemaker wrote:
Nicolas wrote:I'm glad I switched from a PC to an iMac last year.
Because of this virus?
Yes, that was the intent of my post. I'm immune from this one due to its only affecting Windows. I know I'm not immune from every virus/malware, but there are far fewer. But on the whole I like the iMac better. Also I have quite a bit of AAPL that I've held since January 2010 so I feel good about that too, I'm up 410% :moneybag
As far as the virus, if you keep your updates current, then I don't think it is a problem.

I mostly use Chromebooks, which are naturally virus immune, but we do have one PC. It has Windows 10 and is updated automatically.

Wakefield1
Posts: 807
Joined: Mon Nov 14, 2016 10:10 pm

Re: The recent WannaCry ransomware

Post by Wakefield1 » Sun May 14, 2017 12:34 pm

The entire phenomenon that computers can be remotely commanded to encrypt their hard drive data files by a key which is stored in the commanding (attacker's) computer or server--is that strictly a Windows problem?

Calygos
Posts: 465
Joined: Tue Jan 13, 2015 3:48 pm

Re: The recent WannaCry ransomware

Post by Calygos » Sun May 14, 2017 1:18 pm

Wakefield1 wrote:The entire phenomenon that computers can be remotely commanded to encrypt their hard drive data files by a key which is stored in the commanding (attacker's) computer or server--is that strictly a Windows problem?
It's not just local hard drives that can be affected but network drives as well, and when you have multi-terabyte network drives, that gets much harder to back up.

Mudpuppy
Posts: 5889
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: The recent WannaCry ransomware

Post by Mudpuppy » Sun May 14, 2017 1:23 pm

Wakefield1 wrote:The entire phenomenon that computers can be remotely commanded to encrypt their hard drive data files by a key which is stored in the commanding (attacker's) computer or server--is that strictly a Windows problem?
Oh boy, what a can of worms with this question.... Given the recent Intel AMT firmware vulnerability announcement and the fact that the BIOS-level fix for that one has not yet even been released by all hardware vendors, we're sitting on a ticking clock of a massive, widespread vulnerability window that could affect any vulnerable Intel system, regardless of what operating system is installed on top of it. So now we have to wait and see what comes first: widespread patching of the affected systems or malware targeting the affected systems. Intel's press release: http://www.intel.com/content/www/us/en/ ... ement.html

So in general, no, these are not strictly concerns for Windows systems. But the WanaCry problem specifically is strictly a Windows problem.

randomguy
Posts: 6010
Joined: Wed Sep 17, 2014 9:00 am

Re: The recent WannaCry ransomware

Post by randomguy » Sun May 14, 2017 1:39 pm

Wakefield1 wrote:The entire phenomenon that computers can be remotely commanded to encrypt their hard drive data files by a key which is stored in the commanding (attacker's) computer or server--is that strictly a Windows problem?
No, it can happen on any computer system/OS. OS X, iOS, Linux, and Android have all had ransomware attacks in the past couple of years. The less popular an OS is though, the less likely someone will take the time to attack them.

azurekep
Posts: 1179
Joined: Tue Jun 16, 2015 7:16 pm

Re: The recent WannaCry ransomware

Post by azurekep » Sun May 14, 2017 5:28 pm

I switched from XP to Linux a couple of years ago, but I'm curious how my then locked-down XP would have fared in a WannaCry situation. So these are my questions:

1. Is the actual trigger for the attack the result of the user doing something stupid? I.e., clicking on an untrusted email attachment or a web link.

2. Would having all the file-sharing related (and other) service ports closed be of use?

3. Would using an executable filter like TrustNoExe be of any help?

4. Would prevention of privilege escalation be of any use? I.e., using a Limited Account in Windows. I believe I read that WannaCry doesn't need privilege escalation but it would be useful to confirm.

The above assumes other standard security practices are in place like NAT firewall, avoiding ads (some employ malware), and so on...

Again, just to reiterate, I have moved on to Linux. I need no warnings against XP. Thanks.

Mudpuppy
Posts: 5889
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: The recent WannaCry ransomware

Post by Mudpuppy » Sun May 14, 2017 5:43 pm

azurekep wrote:I switched from XP to Linux a couple of years ago, but I'm curious how my then locked-down XP would have fared in a WannaCry situation. So these are my questions:

1. Is the actual trigger for the attack the result of the user doing something stupid? I.e., clicking on an untrusted email attachment or a web link.

2. Would having all the file-sharing related (and other) service ports closed be of use?

3. Would using an executable filter like TrustNoExe be of any help?

4. Would prevention of privilege escalation be of any use? I.e., using a Limited Account in Windows. I believe I read that WannaCry doesn't need privilege escalation but it would be useful to confirm.

The above assumes other standard security practices are in place like NAT firewall, avoiding ads (some employ malware), and so on...

Again, just to reiterate, I have moved on to Linux. I need no warnings against XP. Thanks.
You're thinking as a home user. This isn't really hitting many home users (some, but not many). It's primarily hitting corporate environments where employees don't have the control over the system to do many of the items on your list. They're reliant on how the corporate IT department configured things.

And the big issue for a corporate environment is that this attack has a worm feature to spread automatically by SMB. The SMB spread also looks for Internet-facing SMB devices to attack them without any user intervention required. The initial attack wave appears to have been spread by email (to get inside corporate environments that don't have Internet-facing SMB systems), but all it would take is one gullible employee to open the email and then it sweeps through the corporate SMB network like wildfire.
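
An added example, not part of Mudpuppy's post or of any tool named in this thread: the SMB worm behaviour described above shows up in connection logs as one host opening TCP/445 connections to many distinct machines within seconds, plus SMB connections leaving the internal network, and this Python code flags both. The log format, addresses, internal network range and thresholds are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445
# Assumption: the organisation's internal address space.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample log (not real traffic): timestamp, source, destination, port.
SAMPLE_LOG = """\
2017-05-12T09:00:01 10.0.0.15 10.0.0.2 445
2017-05-12T09:00:20 10.0.0.15 10.0.0.3 445
2017-05-12T09:00:40 10.0.0.40 198.51.100.20 443
2017-05-12T09:05:00 10.0.0.15 10.0.0.2 445
2017-05-12T09:10:00 10.0.0.23 10.0.0.30 445
2017-05-12T09:10:01 10.0.0.23 10.0.0.31 445
2017-05-12T09:10:02 10.0.0.23 10.0.0.32 445
2017-05-12T09:10:03 10.0.0.23 10.0.0.33 445
2017-05-12T09:10:04 10.0.0.23 198.51.100.7 445
2017-05-12T09:10:05 10.0.0.23 10.0.0.34 445
2017-05-12T09:10:06 10.0.0.23 203.0.113.9 445
2017-05-12T09:10:07 10.0.0.23 10.0.0.35 445
garbled line here
2017-05-12T09:12:30 10.0.0.23 10.0.0.36 445
"""


def parse_log(text):
    """Parse 'timestamp src dst port' lines, skipping malformed ones."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, port = parts
        try:
            events.append((datetime.fromisoformat(ts), src,
                           ipaddress.ip_address(dst), int(port)))
        except ValueError:
            continue
    return events


def is_internal(addr):
    """True if addr belongs to one of the assumed internal networks."""
    return any(addr in net for net in INTERNAL_NETS)


def smb_fanout(events, window=timedelta(seconds=60)):
    """Return {src: peak count of distinct SMB destinations in any window}."""
    by_src = defaultdict(list)
    for ts, src, dst, port in events:
        if port == SMB_PORT:
            by_src[src].append((ts, dst))
    peaks = {}
    for src, conns in by_src.items():
        conns.sort(key=lambda c: c[0])
        in_window = Counter()   # destination -> connections currently in window
        start = 0               # index of the oldest connection still in window
        peak = 0
        for ts, dst in conns:
            in_window[dst] += 1
            # Slide the window forward: drop connections older than `window`.
            while ts - conns[start][0] > window:
                old = conns[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        peaks[src] = peak
    return peaks


def flag_suspects(events, threshold=5, window=timedelta(seconds=60)):
    """Flag sources with high SMB fan-out or SMB connections leaving the network.

    A file-server client talks SMB to a handful of servers; a host that reaches
    `threshold` or more distinct machines inside one window deserves isolation
    and a closer look. The threshold is an assumed starting point to tune.
    """
    peaks = smb_fanout(events, window)
    external = defaultdict(set)
    for _, src, dst, port in events:
        if port == SMB_PORT and not is_internal(dst):
            external[src].add(str(dst))
    suspects = []
    for src in sorted(peaks):
        ext = sorted(external[src])
        if peaks[src] >= threshold or ext:
            suspects.append({"src": src, "peak_fanout": peaks[src],
                             "external_smb": ext})
    return suspects


if __name__ == "__main__":
    for s in flag_suspects(parse_log(SAMPLE_LOG)):
        print(f"{s['src']}: {s['peak_fanout']} distinct SMB peers in one window, "
              f"external SMB to {s['external_smb'] or 'none'}")
```
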

Wakefield1
Posts: 807
Joined: Mon Nov 14, 2016 10:10 pm

Re: The recent WannaCry ransomware

Post by Wakefield1 » Sun May 14, 2017 6:02 pm

I suspect the worm behavior could get into unpatched systems from the Internet eventually.
Possibly vendors' firewall programs might stop the worm if the AV vendor gets updates to the firewall in time? Also the firewall might interfere with the cryptocrimeware stage of the attack if it can block the 'ware from calling home to get the key (if this encryption functions in a similar way to the original Cryptolocker) - malware gets installed with privilege to run (bypass UAC?), calls home, gets key and does its dirty work, then deletes the key (or a necessary part of it) which remains on the attacker's server as well as specific means to identify that victim computer (Some ransomware schemes were simpler and used the same key for all victims, some of those victims can get decrypted by Kaspersky or others who have some of such keys as I understand)

AlwaysBeClimbing
Posts: 143
Joined: Fri Mar 31, 2017 10:39 am

Re: The recent WannaCry ransomware

Post by AlwaysBeClimbing » Sun May 14, 2017 8:34 pm

Mudpuppy wrote:
Wakefield1 wrote:The entire phenomenon that computers can be remotely commanded to encrypt their hard drive data files by a key which is stored in the commanding (attacker's) computer or server--is that strictly a Windows problem?
Oh boy, what a can of worms with this question.... Given the recent Intel AMT firmware vulnerability announcement and the fact that the BIOS-level fix for that one has not yet even been released by all hardware vendors, we're sitting on a ticking clock of a massive, widespread vulnerability window that could affect any vulnerable Intel system, regardless of what operating system is installed on top of it. So now we have to wait and see what comes first: widespread patching of the affected systems or malware targeting the affected systems. Intel's press release: http://www.intel.com/content/www/us/en/ ... ement.html

So in general, no, these are not strictly concerns for Windows systems. But the WanaCry problem specifically is strictly a Windows problem.
Consumer grade PCs are not affected (per the announcement).

Mudpuppy
Posts: 5889
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: The recent WannaCry ransomware

Post by Mudpuppy » Sun May 14, 2017 10:01 pm

AlwaysBeClimbing wrote:
Mudpuppy wrote:
Wakefield1 wrote:The entire phenomenon that computers can be remotely commanded to encrypt their hard drive data files by a key which is stored in the commanding (attacker's) computer or server--is that strictly a Windows problem?
Oh boy, what a can of worms with this question.... Given the recent Intel AMT firmware vulnerability announcement and the fact that the BIOS-level fix for that one has not yet even been released by all hardware vendors, we're sitting on a ticking clock of a massive, widespread vulnerability window that could affect any vulnerable Intel system, regardless of what operating system is installed on top of it. So now we have to wait and see what comes first: widespread patching of the affected systems or malware targeting the affected systems. Intel's press release: http://www.intel.com/content/www/us/en/ ... ement.html

So in general, no, these are not strictly concerns for Windows systems. But the WanaCry problem specifically is strictly a Windows problem.
Consumer grade PCs are not affected (per the announcement).
Depends on the PC. Some high-end chipsets do have vPro enabled, which is what you need to look for in the Intel specs for your processor to see if you could be affected. For example, the Intel i5-2500 CPU, which launched during the vulnerability window, has vPro enabled: http://ark.intel.com/products/52209/Int ... o-3_70-GHz


just frank
Posts: 1455
Joined: Sun Nov 02, 2014 4:13 pm
Location: Philly Metro

Re: The recent WannaCry ransomware

Post by just frank » Mon May 15, 2017 4:05 am

Sorry, this is not an internet or NSA problem...it is a Microsoft problem. They have been selling products with badly substandard security practices for decades.

People like to think that this is a problem needing innovation, or that people only attack Windows systems...nope. The basics of how to make a computer OS secure were worked out when Gates was in short pants...and are used by every other OS out there for obvious reasons. As with many monopolies, monopoly power means selling a substandard product is ok. Microsoft has been cheaping out and only integrating some of those best security practices after disaster (involving mass customer data and privacy loss) strikes.

This was already apparent back in the DOS and Win 3.1 days....and why I have never owned a machine with a Microsoft OS or trusted one with my data.

mrc
Posts: 1151
Joined: Sun Jan 10, 2016 6:39 am

Re: The recent WannaCry ransomware

Post by mrc » Mon May 15, 2017 4:44 am

NPR reporting that the many unlicensed (pirated) copies of Windows in circulation, many in China, cannot be patched. Interesting question for Microsoft corporate: Could substandard security (where pirated software isn't patchable) be purposeful?
People often hate what they fear

JDot
Posts: 361
Joined: Fri Apr 24, 2015 10:15 pm

Re: The recent WannaCry ransomware

Post by JDot » Mon May 15, 2017 10:03 am

kjvmartin wrote:
JDot wrote:It's more complicated for organizations than for individuals. They cannot simply do day one updates in some instances. Servers especially. Supposedly the patch was issued in March of this year so any personal computer running a supported Windows version with auto updates on would presumably be protected. But organizations who simply do not update as they should were exposed. But also organizations who try to do their best, yet perhaps they had not updated in the last couple of months due to compatibility issues, etc. were also exposed.

At least, this is how my IT dept explained it to me.
It drives me insane when my government organization says "Do not update your work phone" each time iOS updates. 3-4 months later, they send out a "go ahead, it's safe" e-mail. Usually, the next update is available by then. We were also on Win XP up till very recently.

We are so secure it's unreal.. VPN, frequent password resets for about 10 different programs we use (all with differing requirements). What they don't realize is that no one can remember all of this junk and people are all forced to write it down & stick it in a drawer. How secure is that?
I read an article recently that said that having employees frequently change their passwords offered very little for the work/time expended. In fact, doing so can be worse for the reasons stated.

3-4 months seems insane.

Rupert
Posts: 3445
Joined: Fri Aug 17, 2012 12:01 pm

Re: The recent WannaCry ransomware

Post by Rupert » Mon May 15, 2017 10:14 am

kjvmartin wrote:
We are so secure it's unreal.. VPN, frequent password resets for about 10 different programs we use (all with differing requirements). What they don't realize is that no one can remember all of this junk and people are all forced to write it down & stick it in a drawer. How secure is that?
Funny you should ask. I actually read an article in the wake of this ransomware attack this weekend that recommended you write it all down and stick it in a drawer. Fact is, we've reached a point where the likelihood of an actual person breaking into your home or office and stealing your passwords is much much more remote than the likelihood of someone hacking you in some other way (or hacking into LastPass or other similar service).

flamesabers
Posts: 1728
Joined: Fri Mar 03, 2017 12:05 pm
Location: Rochester, MN

Re: The recent WannaCry ransomware

Post by flamesabers » Mon May 15, 2017 10:28 am

Rupert wrote:
kjvmartin wrote:
We are so secure it's unreal.. VPN, frequent password resets for about 10 different programs we use (all with differing requirements). What they don't realize is that no one can remember all of this junk and people are all forced to write it down & stick it in a drawer. How secure is that?
Funny you should ask. I actually read an article in the wake of this ransomware attack this weekend that recommended you write it all down and stick it in a drawer. Fact is, we've reached a point where the likelihood of an actual person breaking into your home or office and stealing your passwords is much much more remote than the likelihood of someone hacking you in some other way (or hacking into LastPass or other similar service).
I agree it's highly unlikely a total stranger will break into your home/office just to steal some passwords. However, it's not unheard of for individuals who have access to your home/office such as cleaning crews or repair technicians (or people posing as such) to steal such information or other valuables if the opportunity presents itself.

Mudpuppy
Posts: 5889
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: The recent WannaCry ransomware

Post by Mudpuppy » Mon May 15, 2017 11:36 am

Rupert wrote:
kjvmartin wrote:
We are so secure it's unreal.. VPN, frequent password resets for about 10 different programs we use (all with differing requirements). What they don't realize is that no one can remember all of this junk and people are all forced to write it down & stick it in a drawer. How secure is that?
Funny you should ask. I actually read an article in the wake of this ransomware attack this weekend that recommended you write it all down and stick it in a drawer. Fact is, we've reached a point where the likelihood of an actual person breaking into your home or office and stealing your passwords is much much more remote than the likelihood of someone hacking you in some other way (or hacking into LastPass or other similar service).
If that was the Krebs article, it's not new advice. Unique passwords have been promoted as the most important security metric the personal consumers can use to protect themselves online for at least half a decade. Preferably, you would use something like a password vault, but if you have to write it down, that's okay too. Just secure the paper somehow (e.g. don't leave it on a post-it note on your monitor at work, put it in your locked drawer or wallet instead).

In fact, I wrote about the importance of unique passwords here on Bogleheads 5 years ago: viewtopic.php?f=11&t=97664&p=1411052

prudent
Moderator
Posts: 5555
Joined: Fri May 20, 2011 2:50 pm

Re: The recent WannaCry ransomware

Post by prudent » Mon May 15, 2017 11:46 am

I was at my neighbor's once helping him with an Excel issue, and noticed a list of passwords on a bulletin board next to his computer desk. Many were for financial sites. I started to tease him about making it so easy for a burglar or someone in the house perhaps not as honest as me when he cut me off and told me not to assume the password next to the name of a site was the password for that site, or even the password for any of those sites. He had some mental algorithm he used to decode which password belonged to which site and how to massage the cryptic string of characters into the actual password. I had to admit it was pretty clever.

Rupert
Posts: 3445
Joined: Fri Aug 17, 2012 12:01 pm

Re: The recent WannaCry ransomware

Post by Rupert » Mon May 15, 2017 11:52 am

Mudpuppy wrote:
Rupert wrote:
kjvmartin wrote:
We are so secure it's unreal.. VPN, frequent password resets for about 10 different programs we use (all with differing requirements). What they don't realize is that no one can remember all of this junk and people are all forced to write it down & stick it in a drawer. How secure is that?
Funny you should ask. I actually read an article in the wake of this ransomware attack this weekend that recommended you write it all down and stick it in a drawer. Fact is, we've reached a point where the likelihood of an actual person breaking into your home or office and stealing your passwords is much much more remote than the likelihood of someone hacking you in some other way (or hacking into LastPass or other similar service).
If that was the Krebs article, it's not new advice. Unique passwords have been promoted as the most important security metric the personal consumers can use to protect themselves online for at least half a decade. Preferably, you would use something like a password vault, but if you have to write it down, that's okay too. Just secure the paper somehow (e.g. don't leave it on a post-it note on your monitor at work, put it in your locked drawer or wallet instead).

In fact, I wrote about the importance of unique passwords here on Bogleheads 5 years ago: viewtopic.php?f=11&t=97664&p=1411052
It was in the New York Times. The advice about unique passwords is noncontroversial. It's the "writing it down and sticking it in a drawer" part that has kinda come around again, after being pooh-poohed by most computer security experts for years. I don't advocate writing "My Vanguard password is 1234!" on a post-it note and sticking it under the glass on your desk. But writing down passwords (especially for your less sensitive accounts, so that you only have to memorize the passwords for your most sensitive accounts) and storing them in a locked drawer is not a bad plan these days for most people (if you work for the CIA, are Kim Jong-un, or are a high-ranking officer for a frequently-targeted corporation, different rules obviously apply).

Mudpuppy
Posts: 5889
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: The recent WannaCry ransomware

Post by Mudpuppy » Mon May 15, 2017 11:55 am

Rupert wrote:
Mudpuppy wrote:
Rupert wrote:
kjvmartin wrote:
We are so secure it's unreal.. VPN, frequent password resets for about 10 different programs we use (all with differing requirements). What they don't realize is that no one can remember all of this junk and people are all forced to write it down & stick it in a drawer. How secure is that?
Funny you should ask. I actually read an article in the wake of this ransomware attack this weekend that recommended you write it all down and stick it in a drawer. Fact is, we've reached a point where the likelihood of an actual person breaking into your home or office and stealing your passwords is much much more remote than the likelihood of someone hacking you in some other way (or hacking into LastPass or other similar service).
If that was the Krebs article, it's not new advice. Unique passwords have been promoted as the most important security metric the personal consumers can use to protect themselves online for at least half a decade. Preferably, you would use something like a password vault, but if you have to write it down, that's okay too. Just secure the paper somehow (e.g. don't leave it on a post-it note on your monitor at work, put it in your locked drawer or wallet instead).

In fact, I wrote about the importance of unique passwords here on Bogleheads 5 years ago: viewtopic.php?f=11&t=97664&p=1411052
It was in the New York Times. The advice about unique passwords is noncontroversial. It's the "writing it down and sticking it in a drawer" part that has kinda come around again, after being pooh-poohed by most computer security experts for years. I don't advocate writing "My Vanguard password is 1234!" on a post-it note and sticking it under the glass on your desk. But writing down passwords (especially for your less sensitive accounts, so that you only have to memorize the passwords for your most sensitive accounts) and storing them in a locked drawer is not a bad plan these days for most people (if you work for the CIA, are Kim Jong-un, or are a high-ranking officer for a frequently-targeted corporation, different rules obviously apply).
Well, we security people are a distrustful bunch (comes with the business), so a lot of them don't trust the users to put the paper in a drawer. They basically distill their advice to something a child can follow in order to limit PEBKAC incidents. I try to at least give my users a chance to do the right thing, and only distill the advice to a child's level if they show themselves incapable of acting like a responsible adult.

Rupert
Posts: 3445
Joined: Fri Aug 17, 2012 12:01 pm

Re: The recent WannaCry ransomware

Post by Rupert » Mon May 15, 2017 12:10 pm

Mudpuppy wrote: Well, we security people are a distrustful bunch (comes with the business), so a lot of them don't trust the users to put the paper in a drawer. They basically distill their advice to something a child can follow in order to limit PEBKAC incidents. I try to at least give my users a chance to do the right thing, and only distill the advice to a child's level if they show themselves incapable of acting like a responsible adult.
Yeah yeah, I know. People in this country don't seem to be getting any smarter. But the system is well and truly broken, isn't it? It's not humanly possible to remember unique passwords for every account anymore. At last count, I had about 70 accounts that require passwords. So you have to use a service such as Lastpass or you have to write things down. It's not unreasonable for people to fear companies such as Lastpass being vulnerable to hackers now or in the future.

SimonJester
Posts: 1575
Joined: Tue Aug 16, 2011 12:39 pm

Re: The recent WannaCry ransomware

Post by SimonJester » Mon May 15, 2017 12:51 pm

Rupert wrote: At last count, I had about 70 accounts that require passwords. So you have to use a service such as Lastpass or you have to write things down. It's not unreasonable for people to fear companies such as Lastpass being vulnerable to hackers now or in the future.
70, what a slacker, my count is 324 and growing. I'm not even sure how I would write them all down...
"They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." - Benjamin Franklin

Bylo Selhi
Posts: 1073
Joined: Mon Feb 19, 2007 10:40 pm
Location: www.bylo.org in the Great White North

Re: The recent WannaCry ransomware

Post by Bylo Selhi » Mon May 15, 2017 1:25 pm

Some general advice about this ransomware that I got by e-mail from an accounting firm [lightly edited]:
Protection from Latest Ransomware Attack
A series of cyber attacks across the globe have seized control of public and private sector computer systems, freezing data until a ransom is paid. While most of these attacks have happened overseas, there is evidence the malware (virus) has surfaced in Canada. We are aware of this threat and are providing the following information to help protect organizations’ computer networks.

Who’s at Risk?
Organizations or individuals who are running an older Microsoft Windows system or who have not applied a March 2017 patch are vulnerable. The ransomware spreads with the help of a file-sharing vulnerability in Windows that opens whenever it loads itself onto a new machine. It can infect an entire network.

The Threat
The ransomware, known as WannaCrypt, WanaDecrypt and WannaCry, encrypts a victim’s data until the victim pays for a key to unlock them. Without a good backup system, there currently is no solution other than to pay the ransom.

Microsoft issued a patch to fix this flaw in March 2017, but it was unavailable to older versions of Windows, such as Windows XP, leaving many organizations and individuals open to hacking.

Today Microsoft announced it has made the patch available to older, unsupported systems. It is imperative to run the patch as soon as possible. See link below.

How Do You Know if You’ve Been Infected?
One sign is not being able to access your systems, files and database. However, in most cases a red pop-up appears on your computer screen. The red screen is the “ransom note” that demands payment to get back access to your data.

How Do You Limit Your Exposure?
• Patch your systems with the latest information from Microsoft for this “Wanna” Ransomware: https://blogs.technet.microsoft.com/msr ... t-attacks/
• Patch your systems for any other security vulnerabilities (hardware / software) as quickly as possible.
• Backup your systems. Make sure you have offline backups. Test those backups to make sure they can be restored.
• Avoid clicking on links or opening attachments or emails from people you don't know or companies you don't do business with.
• Have an antivirus / antimalware solution installed and up-to-date.
• Communicate to your organization to let them know if anything suspicious is seen to shut down their systems, remove from the network and report immediately.

How to Respond if You’ve Been Infected
• Remove any devices you suspect of having ransomware from the network immediately and shut that system down - be aware other systems may have also been infected.
• Run tools as soon as possible to discover the extent of the problem...
Re the advice to "Backup your systems," pay special attention to "Make sure you have offline backups." This ransomware encrypts data on all accessible drives on your network. If you leave a backup drive connected then that data will be compromised as well. And of course "Test those backups to make sure they can be restored." applies at all times. There's no use in making backups if they can't be restored when you actually need them.
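Added example (not part of the post above or the e-mail it quotes): one way to act on "Test those backups to make sure they can be restored" is to record SHA-256 hashes at backup time and compare a test restore against them, flagging changed files whose bytes look random, as encrypted data does. The function names, the 7.5 bits-per-byte threshold and the sample files are assumptions constructed for this illustration.

```python
import hashlib, math, os, tempfile
from collections import Counter

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def entropy_bits_per_byte(path, sample=1 << 16):
    """Shannon entropy of the first `sample` bytes (8.0 = indistinguishable from random)."""
    with open(path, "rb") as f:
        data = f.read(sample)
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def build_manifest(root):
    """Run at backup time: map relative path -> SHA-256. Store it away from the backup drive."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest

def verify_restore(manifest, restored_root, threshold=7.5):
    """Compare a test restore against the manifest recorded at backup time."""
    report = {"ok": [], "missing": [], "changed": [], "likely_encrypted": []}
    for rel, digest in sorted(manifest.items()):
        full = os.path.join(restored_root, rel)
        if not os.path.isfile(full):
            report["missing"].append(rel)
        elif sha256_file(full) == digest:
            report["ok"].append(rel)
        else:
            report["changed"].append(rel)
            # Entropy is only a hint: it is checked solely on files that no longer match.
            if entropy_bits_per_byte(full) >= threshold:
                report["likely_encrypted"].append(rel)
    return report

def demo():
    """Constructed sample: one file restores intact, one is overwritten, one is lost."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        files = {"ledger.csv": b"date,amount\n" * 500,
                 "notes.txt": b"call the bank\n" * 300,
                 "taxes.txt": b"2016 return\n" * 400}
        for name, body in files.items():
            with open(os.path.join(src, name), "wb") as f:
                f.write(body)
        manifest = build_manifest(src)
        with open(os.path.join(dst, "ledger.csv"), "wb") as f:
            f.write(files["ledger.csv"])
        with open(os.path.join(dst, "notes.txt"), "wb") as f:
            f.write(os.urandom(4096))  # random bytes stand in for ciphertext
        return verify_restore(manifest, dst)

if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the manifest, so the manifest belongs somewhere the backed-up machine cannot write to.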

Exterous
Posts: 208
Joined: Mon Feb 20, 2012 1:34 pm

Re: The recent WannaCry ransomware

Post by Exterous » Mon May 15, 2017 2:11 pm

SimonJester wrote:
Rupert wrote: At last count, I had about 70 accounts that require passwords. So you have to use a service such as Lastpass or you have to write things down. It's not unreasonable for people to fear companies such as Lastpass being vulnerable to hackers now or in the future.
70, what a slacker, my count is 324 and growing. I'm not even sure how I would write them all down...
I want to play! I have access to 1,045 passwords in my work LastPass account that various people have thought it might be important for me to know at one point or another. Doesn't help that we have some appliances with 3 vendor login portals (Appliance\config\DB) or applications that need a bazillion different service accounts.

Should be an interesting couple of days. If you're a big enough organization someone in your company is going to click on that link.

AlwaysBeClimbing
Posts: 143
Joined: Fri Mar 31, 2017 10:39 am

Re: The recent WannaCry ransomware

Post by AlwaysBeClimbing » Mon May 15, 2017 4:05 pm

Mudpuppy wrote:
AlwaysBeClimbing wrote:
Mudpuppy wrote:
Wakefield1 wrote: The entire phenomenon that computers can be remotely commanded to encrypt their hard drive data files by a key which is stored in the commanding (attacker's) computer or server--is that strictly a Windows problem?
Oh boy, what a can of worms with this question.... Given the recent Intel AMT firmware vulnerability announcement and the fact that the BIOS-level fix for that one has not yet even been released by all hardware vendors, we're sitting on a ticking clock of a massive, widespread vulnerability window that could affect any vulnerable Intel system, regardless of what operating system is installed on top of it. So now we have to wait and see what comes first: widespread patching of the affected systems or malware targeting the affected systems. Intel's press release: http://www.intel.com/content/www/us/en/ ... ement.html

So in general, no, these are not strictly concerns for Windows systems. But the WannaCry problem specifically is strictly a Windows problem.
Consumer grade PCs are not affected (per the announcement).
Depends on the PC. Some high-end chipsets do have vPro enabled, which is what you need to look for in the Intel specs for your processor to see if you could be affected. For example, the Intel i5-2500 CPU, which launched during the vulnerability window, has vPro enabled: http://ark.intel.com/products/52209/Int ... o-3_70-GHz
I'm doubtful anyone using that processor in a home environment is going to have anything to worry about. Intel seems very specific that consumer units are not affected and that this issue is limited to enterprise situations only. Anyway, I don't have that processor so I'm golden. 8-)

Wakefield1
Posts: 807
Joined: Mon Nov 14, 2016 10:10 pm

Re: The recent WannaCry ransomware

Post by Wakefield1 » Mon May 15, 2017 7:28 pm

Perhaps I have not understood the news articles about the ransomware, or the articles don't agree as to the basic facts. One article said that WannaCry was not coming via bad e-mail attachments or links; another didn't mention encrypted files but claimed that the computers were "locked" with ransom demanded (remember the easy-to-defeat ransomware that appeared before the original Cryptolocker).
I was under the impression that most ordinary worms are blocked by every Windows from XP on up if the Windows firewall is turned on, but perhaps this exploit empowers the malware to cross the firewall. And other encryption malware in the past (that were written in the past but still sometimes updated and re-released) will try to encrypt any drive connected to the infected computer even if the malware itself only installs on the computer that landed on a bad malvertisement or clicked the wrong e-mail link. (WannaCry is said to not just encrypt any drive in the network but to install on any computer exposed to it.) And isn't the Internet the largest network of all?
Perhaps what is notable about this malware campaign is the enormous number of attacking packets sent out (and, if it really is spammed e-mail, unlike what one of the articles said, a LOT of spammed e-mails and/or customized e-mails produced by criminals who specifically target victims). Say they know you contract with a certain little-known vendor; then they spoof that vendor as the source of the e-mail.
Last edited by Wakefield1 on Mon May 15, 2017 9:44 pm, edited 2 times in total.

neurosphere
Posts: 2927
Joined: Sun Jan 17, 2010 1:55 pm

Re: The recent WannaCry ransomware

Post by neurosphere » Mon May 15, 2017 7:36 pm

Bylo Selhi wrote: Re the advice to "Backup your systems," pay special attention to "Make sure you have offline backups." This ransomware encrypts data on all accessible drives on your network. If you leave a backup drive connected then that data will be compromised as well. And of course "Test those backups to make sure they can be restored." applies at all times. There's no use in making backups if they can't be restored when you actually need them.
Isn't it possible for viruses/ransomware to sit dormant in your files (including offline backups) such that if you are hit with an attack and then try to restore your files, you have restored the attack?

I guess the solution is to scan your off-line backup prior to restoring your data/files. But I can imagine that in the process of reconnecting my off-line files I might end up re-triggering the attack?

Ug. :?
