EternalBlue ms17-010/WannaCry Ransomware

Discussion in 'Business & Enterprise Computing' started by scrantic, May 13, 2017.

  1. scrantic

    scrantic Member

    Joined:
    Apr 8, 2002
    Messages:
    1,651
    Location:
    Melbourne
  2. IACSecurity

    IACSecurity Member

    Joined:
    Jul 11, 2008
    Messages:
    733
    Location:
    ork.sg
    and why have you got SMB1 still enabled..
     
  3. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    9,907
  4. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    16,183
    Location:
    Canberra
    because muh vendor still fkn uses SMB1 for their bullshit app that is fucking shit.
     
  5. scrantic

    scrantic Member

    Joined:
    Apr 8, 2002
    Messages:
    1,651
    Location:
    Melbourne
  6. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    9,907
  7. chook

    chook Member

    Joined:
    Apr 9, 2002
    Messages:
    510
    I realise this probably makes me an arrogant dick but, oh well.

    The only people getting got by this deserve it.
    • If the vendor doesn't support disabling SMB1, you need a new vendor.
    • If the vendor provides a business critical application, you need a new vendor.
    • If the vendor is the only one, you need a new vendor.
    If we stopped giving our money to vendors that were shit then there would be no more vendors :p.

    In a more serious fashion the only way to make the vendor do their job is to [DEL]punch them in the balls[/DEL] impact their bottom line. Granted that might mean a hit to our bottom line in the meantime but since we had a way to do this without the shitty vendor in the first place we can go back to doing it that way and at least be secure. I eagerly anticipate management going "but will someone please think of the profit?" The best response to that is likely "so how is that profit going for you now that all your things are gone?"
     
  8. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    9,907
    People get hit by this because they are running old unsupported software for $Reasons. *cough* Exchange 2007 *cough*.

    I'd hazard a guess that the NHS has a large number of cheap XP machines attached to a larger number of VERY EXPENSIVE medical imaging and diagnostic machines.

    The financial truth of the matter is, that it will probably be cheaper to restore or pay the ransom (even accounting for downtime) than it would be to replace those machines.
     
  9. wazza

    wazza Member

    Joined:
    Jun 28, 2001
    Messages:
    3,223
    Location:
    NSW
    It's not likely a case where the device isn't available now with a later OS, just that they bought the device however many years ago with XP, and can't justify spending upwards of $250k replacing a perfectly functioning device just because IT say the OS it's running is no longer supported. There may also be no supported way to upgrade from XP to 7/8.1/10 without buying a new machine.
     
  10. chook

    chook Member

    Joined:
    Apr 9, 2002
    Messages:
    510
    Some years ago (two? three?) the US Navy paid Microsoft about USD9M to keep providing them with security for XP I thought. That isn't a lot of $250K machines right there and could other organisations have done the same? I don't think the issue is IT said it isn't supported but that the security posture of the business will become worse and worse. That is a risk management thing, not a technology thing.
     
  11. chip

    chip Member

    Joined:
    Dec 24, 2001
    Messages:
    3,364
    Location:
    Perth
    Some of those XP machines are small components in much larger weapons systems, i.e. an entire warship or submarine.
     
  12. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    16,183
    Location:
    Canberra
    You are so far removed from reality - people don't care about the peripheral devices - they care about the quality of data/reporting.

    But also, the FDA is largely responsible here as I understand. They have to approve all equipment in the Medical field - and getting that re-assessed is expensive as fuck.
     
  13. rainwulf

    rainwulf Member

    Joined:
    Jan 20, 2002
    Messages:
    3,907
    Location:
    bris.qld.aus
    I don't know about you but I wouldn't be happy knowing a robot about to perform surgery on me is running XP OR Windows 10.

    Middle of a surgery: "oh, we are adding new features to Windows and it's going to reboot"

    fuuuuu
     
  14. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    16,183
    Location:
    Canberra
    except this kind of equipment is actually designed for LTSB.

    Unlike your desktop
     
  15. looktall

    looktall Working Class Hero

    Joined:
    Sep 17, 2001
    Messages:
    23,291
    Location:
    brabham.wa.au
    May have been already mentioned but there was apparently a kill switch of sorts in the code.
    https://thewest.com.au/news/world/m...er-global-cyber-attack-possible-ng-b88475582z
     
  16. chook

    chook Member

    Joined:
    Apr 9, 2002
    Messages:
    510
    Ah. So I had very cleverly started comparing apples and oranges. My bad.
     
  17. mrpats

    mrpats Member

    Joined:
    Dec 18, 2002
    Messages:
    413
    A pretty ignorant comment "The only people getting got by this deserve it."

    So how does the healthcare sector "deserve" it?

    It must be easy to ensure everything gets patched, you aren't running ANY legacy applications that can't be updated to a later OS, and everyone abides by the AUP and security recommendations.

    The primary difference between this threat and other ransomware threats is Wannacry self-propagates.

    There was another ransomware campaign being run last week, Jaff. It didn't get as much media coverage but it's still just as scary; however, unlike Wannacry, all it takes is a user to open an attachment to get popped. But I guess they would "deserve it" too.

    Finally, as Info security professionals we must accept that not all businesses can afford to run the latest and greatest and/or implement all the security controls and meet 100% compliance. The cost doesn't always come from the technology, but from the FTE required to maintain and administer the systems. When you talk to healthcare and schools about hiring IT guys at $100k each or nurses/teachers/support staff at ~$60k the question becomes rhetorical.

    Don't get me wrong, I too get frustrated at the mis-configurations that border on inept and negligent but work with your orgs, put your skin in the game. Don't just sit on the sidelines yelling "get a new vendor" or "won't somebody think of the security".
     
    Last edited: May 14, 2017
  18. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    9,907
    You're a hospital, and you need a Widget machine... If you're lucky, there are 2 manufacturers of Widget machines in the world, but more often there is only 1. So you buy it. What operating system it runs isn't even a question that gets asked.

    $250K machines, sign me up :).



    When software goes wrong with medical devices, bad shit can happen

    https://en.wikipedia.org/wiki/Therac-25

    It's cheaper (and for the most part, safer) to change the software from a known good configuration.

    What needs to change is how these devices get used.

    We've got a bunch-o-shit still running XP Embedded. They aren't used as general purpose computing devices, they aren't connected to the internet, and they don't share files via SMB.

    You're at a much greater risk running unsupported software exposed to the internet (ala Exchange 2007) than you are of running XP machines in their own sandbox.
     
    Last edited: May 15, 2017
  19. looktall

    looktall Working Class Hero

    Joined:
    Sep 17, 2001
    Messages:
    23,291
    Location:
    brabham.wa.au
    I'm not in the medical industry but this is the exact same situation I face with the magic science machines we use.

    You add to this that some instruments cost huge amounts to replace, but the low workload they do means it takes a long time to recover those costs, making it hard to justify replacing a perfectly functioning instrument.
     
  20. bcann

    bcann Member

    Joined:
    Feb 26, 2006
    Messages:
    4,248
    Location:
    NSW
    Even with all this taken into account, there is ZERO reason to have this kind of a box connected to the internet at ALL. They should've firewalled/VLANned the crap out of this box and kept it in its own little isolated world.

    Unfortunately the idiots up above who no doubt overrode this decision will be let off without incident, and some poor sap will be downhill when that poo comes thundering down that hill.
     
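The two practical points raised in this thread, IACSecurity's "why have you got SMB1 still enabled" and bcann's "firewall/VLAN the box into its own little world", translate into a short audit-and-harden script on the Windows hosts that are actually supported. The following is an added example written for this page; it is not code from any poster in the thread. It assumes Windows 8 / Server 2012 or later (where the SmbShare and NetSecurity cmdlets exist), an elevated prompt, and a constructed management subnet `10.0.50.0/24` as the only range that legitimately needs SMB in; the rule names `SMB-In (scoped)` and `SMB-In block (public)` are chosen here, not Windows defaults. The XP Embedded devices discussed above have none of these cmdlets, so for them the only control is the network boundary, which `Test-Smb445Reachable` checks from a machine on the user VLAN.

```powershell
#Requires -RunAsAdministrator
# Added example for this thread, not from any poster. Audits and removes SMB1 on a
# supported Windows host, scopes inbound TCP/445 to one trusted range, and gives a
# reachability check you run from elsewhere to confirm a legacy box is isolated.

function Get-Smb1Status {
    # Server-side switch: does this host still accept the SMB1 dialect?
    $server = (Get-SmbServerConfiguration).EnableSMB1Protocol
    # Feature side: is the SMB1 optional feature (client + server binaries) installed at all?
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = $server
        Smb1FeatureState  = if ($feature) { $feature.State } else { 'NotPresent' }
    }
}

function Disable-Smb1 {
    # Stop accepting SMB1 connections immediately (no reboot needed for this switch) ...
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # ... then remove the feature so the client side goes too (reboot completes the removal).
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

function Restrict-Smb445 {
    param(
        # Constructed example range: replace with the management/backup VLAN that really needs SMB.
        [string[]]$AllowedRemoteAddress = @('10.0.50.0/24')
    )
    # Make sure unsolicited inbound traffic is dropped by default on every profile.
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

    # The built-in rule allows 445 from any address; turn it off rather than delete it
    # so it can be audited later.
    Get-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)' -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule

    # Replace it with an allow rule scoped to the trusted range only (rule name chosen here).
    New-NetFirewallRule -DisplayName 'SMB-In (scoped)' -Direction Inbound -Protocol TCP `
        -LocalPort 445 -RemoteAddress $AllowedRemoteAddress -Action Allow -Profile Domain,Private

    # Explicit block on the Public profile: block rules win over allow rules in Windows
    # Firewall, so nothing on an untrusted network can ever reach 445 here.
    New-NetFirewallRule -DisplayName 'SMB-In block (public)' -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block -Profile Public
}

function Test-Smb445Reachable {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Run this from a machine on the general user VLAN against a legacy (e.g. XP Embedded)
    # device. The expected answer for an isolated box is $false; $true means the VLAN/firewall
    # segmentation described in the thread is not actually in place.
    (Test-NetConnection -ComputerName $ComputerName -Port 445 -WarningAction SilentlyContinue).TcpTestSucceeded
}

# Usage (constructed hostname):
# Get-Smb1Status
# Disable-Smb1
# Restrict-Smb445 -AllowedRemoteAddress '10.0.50.0/24'
# Test-Smb445Reachable -ComputerName 'legacy-imaging-01'   # expect False from the user VLAN
```

The order matters: `Restrict-Smb445` sets the default inbound action to block before disabling the stock allow rule, so there is no window where 445 is open to everyone. Running `Get-Smb1Status` across a fleet (for example via `Invoke-Command`) before and after gives the evidence that the "SMB1 still enabled" question has a defensible answer.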