posted by takyon on Saturday May 13, @01:26PM
from the shadow-brokers-strike-back dept.

NSA-created cyber tool spawns global ransomware attacks

From Politico via Edward Snowden via Vinay Gupta:

Leaked alleged NSA hacking tools appear to be behind a massive cyberattack disrupting hospitals and companies across Europe, Asia and the U.S., with Russia among the hardest-hit countries.

The unique malware causing the attacks - which has spread to tens of thousands of companies in 99 countries, according to the cyber firm Avast - has forced some hospitals to stop admitting new patients with serious medical conditions and driven other companies to shut down their networks, leaving valuable files unavailable.

The source of the world-wide digital assault seems to be a version of an apparent NSA-created hacking tool that was dumped online in April by a group calling itself the Shadow Brokers. The tool, a type of ransomware, locks up a company's networks and holds files and data hostage until a fee is paid. Researchers said the malware is exploiting a Microsoft software flaw.

Thoughts on a similar scenario were published by the Harvard Business Review two days before this incident.

One or more anti-virus companies may have been hacked prior to WannaCrypt infecting 75000 Microsoft Windows computers in 99 countries. First, anti-virus software like Avast fails to make HTTP connections. Second, five million ransomware emails are rapidly sent. Although many centralized email servers were able to stem the onslaught, many instances of anti-virus software had outdated virus definitions and were defenseless against the attack. Indeed, successful attacks were above 1%. Of these, more than 1% have already paid the ransom. Although various governments have rules (or laws) against paying ransom, it is possible that ransoms have been paid to regain access to some systems.

Also, file scrambling ransomware has similarities to REAMDE by Neal Stephenson. Although the book is extremely badly written, its scenarios (offline and online) seem to come true with forceful regularity.

Further sources: BBC (and here), Russia Today, DailyFail, Telegraph, Guardian.

Telefónica reportedly affected. NHS failed to patch computers which affected US hospitals in 2016. 16 divisions of the UK's NHS taken offline with aid of NSA Fuzzbunch exploit. The fun of a public blockchain is that ransom payments of £415,000 have been confirmed. Cancellation of heart surgery confirmed. Doctors unable to check allergies or prescribe medication. Patient access to emergency treatment denied in part due to hospital telephone exchange being offline.

It also appears that one of the affected parties refused to answer a Freedom of Information request in Nov 2016 about cyber-security due to impact on crime detection. Similar parties provided responses to the same request.

UK National Health Service Paralysed by Windows Ransomware Attack

The Guardian and the BBC report respectively about a large-scale ransomware attack on its Microsoft Windows computer systems in England and Scotland. This particular piece of malware is called "WanaCryp0r 2.0" or WannaCry and encrypts the PC's hard disk and demands bitcoin to decrypt it.

About 40 hospitals, GP surgeries and other NHS organisations are affected. Patients have had operations cancelled, ambulances have been diverted and wards have been closed.

From one of the Guardian reports:

According to one junior doctor who works in a London hospital, the attack left hospitals struggling to care for people. "However much they pretend patient safety is unaffected, it's not true. At my hospital we are literally unable to do any x-rays, which are an essential component of emergency medicine."

The NHS has stressed that patients' electronic medical records have not been compromised.

From InfoSecurity, FastCompany and elsewhere:

A major ransomware attack has been reported, with targets including banks and NHS Trusts all being hit.

According to Russia Today, a number of NHS employees have been reported as being hit by the ransomware, while one user posted on Twitter a screenshot of the ransomware which asks for "$300 worth of Bitcoin".

Australian Broadcasting Corporation reports:

'Biggest ransomware outbreak in history' hits nearly 100 countries with data held for ransom

A global cyberattack has hit international shipper FedEx, disrupted Britain's health system and infected computers in nearly 100 countries.

The ransomware attack hit Britain's health service, forcing affected hospitals to close wards and emergency rooms with related attacks also reported in Spain, Portugal and Russia. [...] [the attack] is believed to have exploited a vulnerability purportedly identified for use by the US National Security Agency (NSA) and later leaked to the internet. [...] Private security firms identified the ransomware as a new variant of "WannaCry"[pt] that had the ability to automatically spread across large networks by exploiting a known bug in Microsoft's Windows operating system.
[...] Leading international shipper FedEx Corp said it was one of the companies whose system was infected with the malware that security firms said was delivered via spam emails.

[...] Only a small number of US-headquartered organisations were infected because the hackers appear to have begun the campaign by targeting organisations in Europe, a research manager with security software maker Symantec said. By the time they turned their attention to US organisations, spam filters had identified the new threat and flagged the ransomware-laden emails as malicious, Vikram Thakur said.

Also at WLTX: Massive, Fast-moving Cyberattack Hits 74 Countries

Shadow Brokers Flaw Used in Ransomware

The Los Angeles Times reports that a security bug in Microsoft Windows, made public when the Shadow Brokers released exploits claimed to have been taken from the NSA, is being used in ransomware. According to the story, a patch for the bug was released by Microsoft in March.

The Spanish government said several companies, including Telefonica, were targeted [...] a message that was purportedly sent to workers at Telefonica carried a subject line referencing a wire transfer and asked them to check a website for more details. That link — when launched on a Windows computer suffering from the vulnerability discovered by the NSA — unleashed the program that rendered files inaccessible.

As recently as last week, about 1.7 million computers connected to the Internet were susceptible to such an attack [...]

Among the organisations compromised by the ransomware were the UK's National Health Service and Russia's Interior Ministry.

Related: Windows Servers at Risk [UPDATED]
"Shadow Brokers" Release the Rest of Their NSA Hacking Tools
Former NSA Contractor May Have Stolen 75% of TAO's Elite Hacking Tools
The Shadow Brokers Identify Hundreds of Targets Allegedly Hacked by the NSA
NSA Contractor Accused of "Stealing" Terabytes of Information, Charged Under Espionage Act
Probe of Leaked U.S. NSA Hacking Tools Examines Operative's `Mistake'
Cisco Begins Patching an NSA Exploit Released by the Shadow Brokers
NSA `Shadow Brokers' Hack Shows SpyWar With Kremlin is Turning Hot
"The Shadow Brokers" Claim to Have Hacked NSA

Extra: 'Accidental hero' finds kill switch to stop spread of ransomware cyber-attack
Threat seen fading for now


Related Stories

"The Shadow Brokers" Claim to Have Hacked NSA 13 comments

A group is claiming that they hacked the NSA and obtained advanced malware and hacking tools (such as Stuxnet):

A mysterious hacker or hackers going by the name "The Shadow Brokers" claims to have hacked a group linked to the NSA and dumped a bunch of its hacking tools. In a bizarre twist, the hackers are also asking for 1 million bitcoin (around $568 million) in an auction to release more files.

"Attention government sponsors of cyber warfare and those who profit from it!!!!" the hackers wrote in a manifesto posted on Pastebin, on GitHub, and on a dedicated Tumblr. "How much you pay for enemies cyber weapons? [...] We find cyber weapons made by creators of stuxnet, duqu, flame."

The hackers referred to their victims as the Equation Group, a codename for a government hacking group widely believed to be the NSA.

Also at Computerworld:

The whole episode screams elaborate SCAM, but maybe it is legit as Twitter chatter by some security experts seem to lean toward believing it. On the flipside, it doesn't appear as if many trust it enough yet to have coughed up bitcoins. Other hackers are suggesting the auction is made up of really old vulnerabilities; this is partially based on the "free" files being offered by Shadow Broker as proof of hacking the Equation Group. Or it could be a mix, old and new, to keep everyone off-balance. Another oddity, pointed out in a Pwn All The Things tweet, is that the "free sample" file size is actually larger than the auction file size.

Yet security pro Matt Suiche dived into the free files offered by Shadow Broker, then took to Medium to say, "Most of the code appears to be batch scripts and poorly coded Python scripts. Nonetheless, this appears to be legitimate code." Suiche said the main targets in the dump he reviewed "appeared to be Fortigate, TopSec, Cisco and Juniper firewalls." He described some of the codenamed-exploits such as Eligible Bachelor, Extra Bacon and Banana Glee. The latter, he pointed out, is "particularly interesting because it allows references to the JETPLOW explanation from the 2014 NSA's Tailored Access Operations (TAO) catalog."


Book Review: REAMDE by Neal Stephenson 43 comments

This review contains spoilers.

I thought I'd got a remaindered, 1000 page, hardback book, from a prominent author, at an absolute bargain price because the publisher made a typo on the cover. Unfortunately, that typo is deliberate. It was made by one of the characters in the book and gets propagated widely in malware.

I read this book to the end so that I could provide a fair review for SoylentNews but I really wish that I hadn't. At around the 75% mark, I wanted to abandon the book. Around the 95% mark, I was more interested in my bookmark than the book itself. The problem is that the book is too detailed and yet not detailed enough. The plot flips from a semi-autobiographical character to a dodgy Scottish accountant for the Russian Mafia to a needlessly exotic Black, Welsh, lesser-known contemporary of Osama bin Laden. Internal motive is rarely explained and therefore Welsh's Islamic subjugation of another needlessly exotic character makes her seem like a really irritating Mary Sue when it should have been a highly researched study of cultural belief.

Until reading What ISIS Really Wants, I thought the book would have benefited highly from Mary Sue being killed in the first half. Either way, it may be beneficial to read this book while referring to an atlas. It certainly seems to be written that way.


NSA ‘Shadow Brokers’ Hack Shows SpyWar With Kremlin is Turning Hot 15 comments

Excerpt:

"It's certainly possible that an NSA [National Security Agency] hacker goofed massively and left files in the wrong place at the wrong time. Human error can never be ruled out. Russian cybersleuths carefully watch for possible NSA operations online—just as we look for theirs—and even a single slip-up with Top Secret hacking tools could invite a disastrous compromise.

However, it's far more likely that this information was stolen by an insider. There's something fishy about the official story here. It's far-fetched to think a small group of unknown hackers could infiltrate NSA. Furthermore, explained a former agency scientist, the set-up implied in the account given by The Shadow Brokers makes little sense: "No one puts their exploits on a [command-and-control] server...That's not a thing." In other words, there was no "hack" here at all.

It's much more plausible that NSA has a Kremlin mole (or moles) lurking in its ranks who stole this information and passed it to Russian intelligence for later use. This isn't surprising, since NSA has known since at least 2010 of one or more Russian moles in its ranks and agency counterintelligence has yet to expose them."


Cisco Begins Patching an NSA Exploit Released by the Shadow Brokers 15 comments

Cisco is releasing patches for an exploit disclosed by an entity calling itself the Shadow Brokers:

Cisco Systems has started releasing security patches for a critical flaw in Adaptive Security Appliance (ASA) firewalls targeted by an exploit linked to the U.S. National Security Agency. The exploit, dubbed ExtraBacon, is one of the tools used by a group that the security industry calls the Equation, believed to be a cyberespionage team tied to the NSA.

ExtraBacon was released earlier this month together with other exploits by one or more individuals who use the name Shadow Brokers. The files were provided as a sample of a larger Equation group toolset the Shadow Brokers outfit has put up for auction.

[...] There is a second Equation exploit in the Shadow Brokers leak that targets ASA software. It is called EpicBanana and exploits a vulnerability that Cisco claims was patched back in 2011 in version 8.4(3). Nevertheless, the company published a new advisory for the flaw in order to increase its visibility. A third exploit, BenignCertain, affects legacy Cisco PIX firewalls that are no longer supported. Cisco investigated the exploit and said only versions 6.x and earlier of the PIX software are affected. Users who still have such devices on their networks should make sure they're running software versions 7.0 and later, which are not affected.

There is speculation that the hacks are actually leaks from a "second (third?) Snowden". A linguistic analysis of the "broken English" used by the Shadow Brokers determined that the text was written by someone pretending to not know English.

Previously:
"The Shadow Brokers" Claim to Have Hacked NSA
NSA 'Shadow Brokers' Hack Shows SpyWar With Kremlin is Turning Hot


Probe of Leaked U.S. NSA Hacking Tools Examines Operative's ‘Mistake’ 5 comments

Arthur T Knackerbracket has found the following story:

The tools, which enable hackers to exploit software flaws in computer and communications systems from vendors such as Cisco Systems and Fortinet Inc, were dumped onto public websites last month by a group calling itself Shadow Brokers.

The public release of the tools coincided with U.S. officials saying they had concluded that Russia or its proxies were responsible for hacking political party organizations in the run-up to the Nov. 8 presidential election. On Thursday, lawmakers accused Russia of being responsible.

Various explanations have been floated by officials in Washington as to how the tools were stolen. Some feared it was the work of a leaker similar to former agency contractor Edward Snowden, while others suspected the Russians might have hacked into NSA headquarters in Fort Meade, Maryland.

But officials heading the FBI-led investigation now discount both of those scenarios, the people said in separate interviews.

NSA officials have told investigators that an employee or contractor made the mistake about three years ago during an operation that used the tools, the people said.

That person acknowledged the error shortly afterward, they said. But the NSA did not inform the companies of the danger when it first discovered the exposure of the tools, the sources said. Since the public release of the tools, the companies involved have issued patches in the systems to protect them.

Investigators have not ruled out the possibility that the former NSA person, who has since departed the agency for other reasons, left the tools exposed deliberately. Another possibility, two of the sources said, is that more than one person at the headquarters or a remote location made similar mistakes or compounded each other's missteps.

Representatives of the NSA, the Federal Bureau of Investigation and the office of the Director of National Intelligence all declined to comment.


NSA Contractor Accused of "Stealing" Terabytes of Information, Charged Under Espionage Act 33 comments

Federal prosecutors have charged former NSA contractor Harold T. Martin III under the Espionage Act:

Harold T. Martin III is expected to appear at a federal courthouse in Baltimore on Friday for a hearing to consider whether he should remain in U.S. custody, as prosecutors announced in a court filing that they plan to file Espionage Act charges against him.

The FBI is investigating whether Martin may have transferred six bankers boxes' worth of paper documents and 50,000 gigabytes of electronic materials to anyone else, according to documents filed Thursday. So far, investigators said they have not found any connection to a foreign power. Martin's public defenders, James Wyda and Deborah Boardman, have said that he presents no flight risk and that "there's no evidence he intended to betray his country."

Martin, a former Navy reservist, has been in federal custody since late August. That's when FBI agents executed search warrants at his suburban Maryland home, uncovering what they describe as "overwhelming" proof he mishandled classified information. Among the materials they found: the personal information of government employees and a top-secret document "regarding specific operational plans against a known enemy of the United States and its allies," according to the court filing.

The trove of information reportedly includes hacking tools that were recently offered for sale by a group that calls itself The Shadow Brokers.

12-page court filing: United States of America v. Harold T. Martin, III

Previously:
NSA Contractor Harold Martin III Arrested
Probe of Leaked U.S. NSA Hacking Tools Examines Operative's ‘Mistake’


The Shadow Brokers Identify Hundreds of Targets Allegedly Hacked by the NSA 5 comments

The Shadow Brokers are back, and they have a treat for you:

"TheShadowBrokers is having special trick or treat for Amerikanskis tonight," said the Monday morning post, which was signed by the same encryption key used in the August posts. "Many missions into your networks is/was coming from these ip addresses." Monday's leak came as former NSA contractor Harold Thomas Martin III remains in federal custody on charges that he hoarded an astounding 50 terabytes of data in his suburban Maryland home. Much of the data included highly classified information such as the names of US intelligence officers and highly sensitive methods behind intelligence operations. Martin came to the attention of investigators looking into the Shadow Brokers' August leak. Anonymous people with knowledge of the investigation say they don't know what connection, if any, Martin has to the group or the leaks.

[...] According to analyses from researchers here and here, Monday's dump contains 352 distinct IP addresses and 306 domain names that purportedly have been hacked by the NSA. The timestamps included in the leak indicate that the servers were targeted between August 22, 2000 and August 18, 2010. The addresses include 32 .edu domains and nine .gov domains. In all, the targets were located in 49 countries, with the top 10 being China, Japan, Korea, Spain, Germany, India, Taiwan, Mexico, Italy, and Russia. Vitali Kremez, a senior intelligence analyst at security firm Flashpoint, also provides useful analysis here. [...] Other purported NSA tools discussed in Monday's dump have names including DEWDROP, INCISION, JACKLADDER, ORANGUTAN, PATCHICILLIN, RETICULUM, SIDETRACK, AND STOCSURGEON. Little is immediately known about the tools, but the specter that they may be implants or exploits belonging to the NSA is understandably generating intrigue in both security and intelligence circles.

Previously:

"The Shadow Brokers" Claim to Have Hacked NSA
NSA 'Shadow Brokers' Hack Shows SpyWar With Kremlin is Turning Hot
Cisco Begins Patching an NSA Exploit Released by the Shadow Brokers
Probe of Leaked U.S. NSA Hacking Tools Examines Operative's 'Mistake'
NSA Contractor Harold Martin III Arrested
NSA Contractor Accused of "Stealing" Terabytes of Information, Charged Under Espionage Act


Former NSA Contractor May Have Stolen 75% of TAO's Elite Hacking Tools 35 comments

On Monday, The Washington Post reported one of the most stunning breaches of security ever. A former NSA contractor, the paper said, stole more than 50 terabytes of highly sensitive data. According to one source, that includes more than 75 percent of the hacking tools belonging to the Tailored Access Operations. TAO is an elite hacking unit that develops and deploys some of the world's most sophisticated software exploits.

Attorneys representing Harold T. Martin III have previously portrayed the former NSA contractor as a patriot who took NSA materials home so that he could become better at his job. Meanwhile, investigators who have combed through his home in Glen Burnie, Maryland, remain concerned that he passed the weaponized hacking tools to enemies. The theft came to light during the investigation of a series of NSA-developed exploits that were mysteriously published online by a group calling itself Shadow Brokers.

[...] An unnamed US official told the paper that Martin allegedly hoarded more than 75 percent of the TAO's library of hacking tools. It's hard to envision a scenario under which a theft of that much classified material by a single individual would be possible.

Source:

https://arstechnica.com/tech-policy/2017/02/former-nsa-contractor-may-have-stolen-75-of-taos-elite-hacking-tools/


"Shadow Brokers" Release the Rest of Their NSA Hacking Tools 13 comments

Last August, an unknown group called the Shadow Brokers released a bunch of NSA tools to the public. The common guesses were that the tools were discovered on an external staging server, and that the hack and release was the work of the Russians (back then, that wasn't controversial). This was me:

Okay, so let's think about the game theory here. Some group stole all of this data in 2013 and kept it secret for three years. Now they want the world to know it was stolen. Which governments might behave this way? The obvious list is short: China and Russia. Were I betting, I would bet Russia, and that it's a signal to the Obama Administration: "Before you even think of sanctioning us for the DNC hack, know where we've been and what we can do to you."

They published a second, encrypted, file. My speculation:

They claim to be auctioning off the rest of the data to the highest bidder. I think that's PR nonsense. More likely, that second file is random nonsense, and this is all we're going to get. It's a lot, though.

I was wrong. On November 1, the Shadow Brokers released some more documents, and two days ago they released the key to that original encrypted archive:

EQGRP-Auction-Files is CrDj"(;Va.*NdlnzB9M?@K2)#>deB7mN

-- submitted from IRC


Windows Servers at Risk [UPDATED] 19 comments

[UPDATED 2017-04-17] Ars Technica reports that Mysterious Microsoft patch killed 0days released by NSA-leaking Shadow Brokers — Microsoft fixed critical vulnerabilities in uncredited update released in March:

Contrary to what Ars and the rest of the world reported Friday, none of the published exploits stolen from the National Security Agency work against currently supported Microsoft products. This is according to a Microsoft blog post published late Friday night.

That's because the critical vulnerabilities for four exploits previously believed to be zerodays were patched in March, exactly one month before a group called Shadow Brokers published Friday's latest installment of weapons-grade attacks. Those updates—which Microsoft indexes as MS17-010, CVE-2017-0146, and CVE-2017-0147—make no mention of the person or group who reported the vulnerabilities to Microsoft. The lack of credit isn't unprecedented, but it's uncommon, and it's generating speculation that the reporters were tied to the NSA. In a vaguely worded statement issued Friday, Microsoft seemed to say it had had no contact with NSA officials concerning any of the exploits contained in Friday's leak.

Original story follows:

The "Shadow Brokers" released files that purport to expose vulnerabilities in Windows and especially in Windows Server.

Numerous Windows hacking tools are also among the new batch of files the Shadow Brokers dumped Friday. In recent months, the mysterious group has been releasing hacking tools allegedly taken from the NSA, and security researchers say they actually work.

WannaCry Ransomware Attack Linked to North Korea by Symantec 23 comments

Symantec and FireEye have linked the recent WannaCry ransomware attacks to North Korea:

Cybersecurity researchers at Symantec Corp. and FireEye Inc. have uncovered more evidence tying this month's WannaCry global ransomware attacks to North Korea.

The cyberattack that infected hundreds of thousands of computers worldwide was "highly likely" to have originated with Lazarus, a hacking group linked to the reclusive state, Symantec said. The software used was virtually identical to versions employed in attacks earlier this year attributed to the same agency, the company said in a report late Monday. FireEye on Tuesday agreed WannaCry shared unique code with malware previously linked to North Korea. "The shared code likely means that, at a minimum, WannaCry operators share software development resources with North Korean espionage operators," Ben Read, a FireEye analyst, said in an emailed statement.

[...] The initial attack was stifled when a security researcher disabled a key mechanism used by the worm to spread, but experts said the hackers were likely to mount a second attack because so many users of personal computers with Microsoft operating systems couldn't or didn't download a security patch released in March labeled "critical."

Also at NYT, Reuters, Ars Technica, and The Hill. Symantec blog (appears scriptwalled).

Here's a screenshot of Wana Decrypt0r 2.0. Note the Wikipedia licensing section.

Previously: Security In 2017: Ransomware Will Remain King
"Biggest Ransomware Attack in History" Hits Around 100 Countries, Disrupts UK's NHS
WannaCrypt Ransomware Variant -- Lacking Kill Switch -- Seen in Wild [Updated]
Decryption Utility for WannaCry is Released


WannaCrypt Ransomware Variant -- Lacking Kill Switch -- Seen in Wild [Updated] 71 comments

[Update at 20170515_022452 UTC: Instructions for what to do on each affected version of Windows can be found at: https://www.askwoody.com/2017/how-to-make-sure-you-wont-get-hit-by-wannacrywannacrypt/ -- I've had excellent luck in the past following his advice on when and how to update Windows. Clear, hands-on instructions are a big win in my book. --martyb]

Previously: "Biggest Ransomware Attack in History" Hits Around 100 Countries, Disrupts UK's NHS.

tl;dr: If you have not already patched your Windows computer(s), you may be at risk from a new variant of the WannaCrypt ransomware worm which lacks a kill switch and was seen over the weekend. Sysadmins are preparing for a busy Monday when countless other users return to work and boot up their PC.

WannaCrypt (aka WCry), is a ransomware worm that wreaked havoc across the internet this past weekend. It disabled Windows computers at hospitals, telecoms, FedEx, and banks (among many others). Files on user's machines were encrypted and the worm demanded $300 or $600 worth of Bitcoin to decrypt (depending on how quickly you responded). Reports first surfaced Friday night and were stopped only because a researcher discovered a domain name in the code, which when registered, caused the malware to stop infecting new machines.

We're not out of the woods on this one. Not surprisingly, a variant has been seen in the wild over the weekend which has removed the domain check. Just because you may not have been hit in the initial wave of attacks does not necessarily mean you are immune.

Back in March, Microsoft released updates to Windows to patch vaguely-described vulnerabilities. Approximately one month later, a dump of purported NSA (National Security Agency) hacking tools were posted to the web. The WannaCrypt ransomware appears to be based on one of those tools. Surprisingly, the Microsoft patches blocked the vulnerability that was employed by WannaCrypt.

In a surprising move, Microsoft has just released emergency patches for out-of-mainstream-support versions of Windows (XP, 8, and Server 2003) to address this vulnerability.

Sources: Our previous coverage linked above as well as reports from the BBC Ransomware cyber-attack threat escalating - Europol, Motherboard Round Two: WannaCrypt Ransomware That Struck the Globe Is Back, and Ars Technica WCry is so mean Microsoft issues patch for 3 unsupported Windows versions.

What actions, if any, have you taken to protect your Windows machine(s) from this threat? How up-to-date are your backups? Have you tested them? If you are a sysadmin, how concerned are you about what you will be facing at work on Monday?
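The worm described above spread by exploiting the SMBv1 flaw that MS17-010 patched, and SMB runs on TCP port 445, so an infected host stands out in network logs as one source opening port 445 to many distinct neighbours within a short window. The following detection is an added example, not code from the story or any vendor; the key=value flow-log format and the sample lines are constructed for the demo.

```python
"""Spotting WannaCry-style lateral spread in flow logs.

Added example (not from the story). An SMB worm opens TCP/445 to many
distinct internal hosts in quick succession; a file-server client talks
to one or two. Sliding a time window over each source's 445 connections
and counting distinct destinations separates the two.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: 10.0.1.5 behaves like the worm (12 peers in ~25 s),
# 10.0.1.9 is a normal client of two file servers, 10.0.1.7 only does HTTP,
# and one line is junk that the parser must survive.
SAMPLE_LOGS = """\
2017-05-12T10:00:01Z src=10.0.1.9 dst=10.0.1.2 dport=445 proto=tcp
2017-05-12T10:00:05Z src=10.0.1.5 dst=10.0.1.10 dport=445 proto=tcp
2017-05-12T10:00:07Z src=10.0.1.5 dst=10.0.1.11 dport=445 proto=tcp
2017-05-12T10:00:09Z src=10.0.1.5 dst=10.0.1.12 dport=445 proto=tcp
2017-05-12T10:00:11Z src=10.0.1.5 dst=10.0.1.13 dport=445 proto=tcp
2017-05-12T10:00:12Z src=10.0.1.7 dst=10.0.1.50 dport=80 proto=tcp
2017-05-12T10:00:13Z src=10.0.1.5 dst=10.0.1.14 dport=445 proto=tcp
2017-05-12T10:00:14Z audit: session closed
2017-05-12T10:00:15Z src=10.0.1.5 dst=10.0.1.15 dport=445 proto=tcp
2017-05-12T10:00:17Z src=10.0.1.5 dst=10.0.1.16 dport=445 proto=tcp
2017-05-12T10:00:19Z src=10.0.1.5 dst=10.0.1.17 dport=445 proto=tcp
2017-05-12T10:00:21Z src=10.0.1.5 dst=10.0.1.18 dport=445 proto=tcp
2017-05-12T10:00:23Z src=10.0.1.5 dst=10.0.1.19 dport=445 proto=tcp
2017-05-12T10:00:25Z src=10.0.1.5 dst=10.0.1.20 dport=445 proto=tcp
2017-05-12T10:00:27Z src=10.0.1.5 dst=10.0.1.21 dport=445 proto=tcp
2017-05-12T10:00:30Z src=10.0.1.9 dst=10.0.1.2 dport=445 proto=tcp
2017-05-12T10:00:33Z src=10.0.1.9 dst=10.0.1.3 dport=445 proto=tcp
2017-05-12T10:00:45Z src=10.0.1.9 dst=10.0.1.2 dport=445 proto=tcp
"""


def parse_line(line):
    """Parse '<iso-ts> k=v k=v ...'; return None for lines that do not fit."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        kv = dict(p.split("=", 1) for p in parts[1:])
        return {"ts": ts, "src": kv["src"], "dst": kv["dst"],
                "dport": int(kv["dport"])}
    except (ValueError, KeyError):
        return None


def find_scanners(lines, window_seconds=60, threshold=10):
    """Return {src: max distinct port-445 peers seen inside any window}
    for every source that reaches `threshold` distinct peers."""
    per_src = defaultdict(list)
    for raw in lines:
        ev = parse_line(raw)
        if ev and ev["dport"] == 445:
            per_src[ev["src"]].append((ev["ts"], ev["dst"]))

    flagged = {}
    for src, events in per_src.items():
        events.sort()                      # by timestamp
        peers = defaultdict(int)           # dst -> hits inside the window
        left = 0
        for ts, dst in events:
            peers[dst] += 1
            # Drop events that fell out of the trailing window.
            while (ts - events[left][0]).total_seconds() > window_seconds:
                old = events[left][1]
                peers[old] -= 1
                if peers[old] == 0:
                    del peers[old]
                left += 1
            if len(peers) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(peers))
    return flagged


if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_LOGS.splitlines()).items():
        print(f"{src}: {n} distinct SMB peers inside 60 s, worm-like")
```

Tune the window and threshold to the site: backup agents and vulnerability scanners legitimately touch many hosts on 445 and belong on an allow-list rather than in the alert.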


Decryption Utility for WannaCry is Released 19 comments

Various news outlets report the release of Wannakey, a decryption utility for files encrypted by the WannaCry ransomware. According to the author of the software, it "has only been tested and known to work under Windows XP."

From the Wired article noted below:

Now one French researcher says he's found at least a hint of a very limited remedy. The fix still seems too buggy, and far from the panacea WannaCry victims have hoped for. But if Adrien Guinet's claims hold up, his tool could unlock some infected computers running Windows XP, the aging, largely unsupported version of Microsoft's operating system, which analysts believe accounts for some portion of the WannaCry plague.

[...] Guinet says he's successfully used the decryption tool several times on test XP machines he's infected with WannaCry. But he cautions that, because those traces are stored in volatile memory, the trick fails if the malware or any other process happened to overwrite the lingering decryption key, or if the computer rebooted any time after infection.
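Wannakey works by searching the malware process's memory for the RSA prime factors that Windows CryptoAPI left unwiped, which is why a reboot or an overwrite defeats it. The block below is an added example, not Guinet's code: it generates a toy 512-bit RSA key, plants one prime inside a constructed memory image, and shows that any window of bytes dividing the public modulus hands back the whole private key; it also shows the overwrite failure mode the article mentions.

```python
"""Why a Wannakey-style recovery can work: an RSA private key can be rebuilt
if one of its prime factors is still lying around in process memory.

Added example, not Adrien Guinet's Wannakey. It generates a small RSA key,
plants the raw bytes of prime p in a constructed 'memory dump' of random
bytes, then scans the dump for any window that divides the public modulus n.
"""
import random
import secrets


def is_probable_prime(n, rounds=20):
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    """Random prime with exactly `bits` bits (top bit forced to 1)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def gen_rsa(bits=512, e=65537):
    """Toy RSA keypair (n, e, d, p, q); 512 bits keeps the demo fast."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:   # gcd(e, phi) == 1
            break
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return n, e, d, p, q


PRIME_OFFSET = 1000   # where the constructed dump holds the leftover prime


def build_dump(prime, prime_bytes, size=4096, seed=1234):
    """Constructed memory image: random filler with p's little-endian bytes
    at PRIME_OFFSET, the way an unwiped key buffer might leave them."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    buf[PRIME_OFFSET:PRIME_OFFSET + prime_bytes] = prime.to_bytes(prime_bytes, "little")
    return bytes(buf)


def recover_private_key(dump, n, e, prime_bytes):
    """Slide a prime_bytes window over the dump; any full-width integer that
    divides n must be p or q. Returns (p, q, d, offset) or None."""
    for off in range(len(dump) - prime_bytes + 1):
        cand = int.from_bytes(dump[off:off + prime_bytes], "little")
        if cand.bit_length() != prime_bytes * 8:   # gen_prime sets the top bit
            continue
        if n % cand == 0:
            p, q = cand, n // cand
            d = pow(e, -1, (p - 1) * (q - 1))
            return p, q, d, off
    return None


def demo():
    """Recover the key from the dump, then show that wiping the prime
    (the overwrite case from the article) makes recovery impossible."""
    n, e, d, p, q = gen_rsa()
    dump = build_dump(p, 32)
    found = recover_private_key(dump, n, e, 32)
    wiped = bytearray(dump)
    wiped[PRIME_OFFSET:PRIME_OFFSET + 32] = b"\0" * 32
    lost = recover_private_key(bytes(wiped), n, e, 32)
    return found is not None and found[2] == d, lost is None


if __name__ == "__main__":
    print(demo())   # (True, True): recovered from the intact dump, not from the wiped one
```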

Coverage:

Previous stories:
"Biggest Ransomware Attack in History" Hits Around 100 Countries, Disrupts UK's NHS
WannaCrypt Ransomware Variant -- Lacking Kill Switch -- Seen in Wild [Updated]


  • (Score: 5, Insightful) by The Mighty Buzzard on Saturday May 13, @01:34PM (13 children)

    I hope the shit admins and beancounters who command them end up having to explain paying millions for not giving a flying fuck about securing some of our most sensitive personal information. It's never going to change until their pockets get hit.

    --
    Socialist: Someone who wants everything that you have. Except your job.
    • (Score: 2) by takyon on Saturday May 13, @01:39PM (1 child)

      by takyon (881) <{takyon} {at} {soylentnews.org}> on Saturday May 13, @01:39PM (#509138) Journal

      Judging by turgid's bit, it will become apparent soon if anybody died as a result of this. That's what we need: cyber deaths in hospitals. Long predicted, now delivered to you courtesy of the NSA's competing and counterproductive missions.

      --
      [SIG] 04/14/2017: Soylent Upgrade v13 [soylentnews.org]
      • (Score: 0) by Anonymous Coward on Saturday May 13, @04:31PM

        by Anonymous Coward on Saturday May 13, @04:31PM (#509200)

        It'll only be a reason for jacking up healthcare costs even more.

    • (Score: 1, Insightful) by Anonymous Coward on Saturday May 13, @02:00PM

      by Anonymous Coward on Saturday May 13, @02:00PM (#509144)

      They'll just use it as a new excuse to curtail internet freedoms.

    • (Score: 3, Informative) by c0lo on Saturday May 13, @02:05PM (2 children)

      by c0lo (156) Subscriber Badge on Saturday May 13, @02:05PM (#509147)

      Jeremy Cunt 'ignored warning signs' before cyber-attack hit NHS [theguardian.com]

      Jeremy Hunt has been accused of ignoring “extensive warning signs” that could have prevented an unprecedented global cyber-attack that plunged the NHS into chaos this weekend.
      ...
      The shadow health secretary, Jonathan Ashworth, said concerns had been flagged repeatedly about the NHS’s outdated computer systems, which he said had left it vulnerable to the virus. In a letter to Hunt on Saturday, he wrote: “As secretary of state, I urge you to publicly outline the immediate steps you’ll be taking to significantly improve cybersecurity in our NHS.

      ---

      "Nobody was fired for buying Microsoft". I think there will be some heads to roll for not buying Microsoft [mirror.co.uk] (don't go there if you can avoid it).

      The Tories cut security support for the NHS’s outdated computer system a year ago, despite warnings it would leave hospitals open to hackers, it was claimed.

      The Government Digital Service, set up by David Cameron, decided not to extend a £5.5million one-year support deal with Microsoft for Windows XP.

      NHS bosses were told to replace the 14-year-old system or take out a separate deal with Microsoft.

      An April 2014 letter from the Cabinet Office and Department of Health to health­care chiefs read: “It is imperative your organisation understands the risk placed on it should the decision be not to take out a [new Microsoft deal].
      ...
      GDS said at the time: “All departments have had seven years’ warning of the 2014 end of normal support and this one-year agreement was put together... to give everyone a chance to get off XP.”
      ...
      A Sky News probe found seven NHS trusts spent nothing on cyber security in 2015.

      ---

      It's not only an IT related disease [theguardian.com]

      Somewhere in the UK there is a warehouse stuffed full of GPs’ referral letters and blood test results diagnosing the health secretary with terminal incompetence. But as it has yet to be found, Jeremy Hunt had to limit his scope to the 700,000 NHS documents that have just turned up after going missing in action for five years in answer to Labour’s urgent question in the Commons.

      “Absolutely nothing went missing,” he reassured MPs. All that had happened was that hundreds of thousands of confidential pieces of medical information had accidentally been sent to the wrong place without anyone noticing. But it was no biggy. As far as he knew, no one had died – or if they had, their death certificates had also gone AWOL, so it was much the same thing. And what it really proved was how many unnecessary tests the NHS were conducting each year. Just think of the potential savings. A couple of avoidable deaths had to be a price worth paying for not bothering with 700,000 bits of paperwork.

      Hunt was rather less cavalier with his own reputation. “I was made aware of the situation in March last year,” he sobbed. And he had begged and begged his departmental officials to let him tell the country. But they had said to him: “You mustn’t do that, Jeremy, because otherwise every hypochondriac in the country will be ringing up their GP to find out if they’ve got cancer after all and we’ll never get round to finding out just how big a cock-up you’ve made. Not that you have made a cock-up, of course.”

      • (Score: 2) by kaszz on Sunday May 14, @05:56AM (1 child)

        by kaszz (4211) on Sunday May 14, @05:56AM (#509371) Journal

        The Government Digital Service, set up by David Cameron, decided not to extend a £5.5million one-year support deal with Microsoft for Windows XP.

        Amber Rudd, minister of the interior, says it's a prioritized question to find out who's responsible and bring them to justice. Britain was hit hard when IT systems in hospitals went inoperable.

        Hypocrites?
        That 5.5 million GBP could have saved a lot of trouble. Not to mention a program to transform all Microsoft Windows usage everywhere in hospitals into solid Unix platforms. Perhaps even ReactOS or Wine is an alternative.

        I can really see when the military get the same kind of infection. They will just sue the enemy! ;-)
        It's a way to operate that just won't work.

        • (Score: 0) by Anonymous Coward on Sunday May 14, @09:16AM

          by Anonymous Coward on Sunday May 14, @09:16AM (#509400)

          Amber Rudd, minister of the interior, says it's a prioritized question to find out who's responsible and bring them to justice.

          I mean... the person who blocked the support deal with Microsoft?
          Oh, sorry, silly me.

    • (Score: 5, Insightful) by bradley13 on Saturday May 13, @02:55PM (6 children)

      by bradley13 (3053) Subscriber Badge on Saturday May 13, @02:55PM (#509170) Homepage Journal

      Well, yes, the admins who were running insecure networks carry some fault. So does the government, that failed to disclose a weakness so that it could be repaired. This ought to be a lesson (but won't be) for all those clueless politicians who think that backdoors in encryption algorithms are a good idea. Backdoors never stay hidden, period.

      But you know what strikes me? This is where international agencies like the NSA should be earning their keep. If they, and their counterparts in other affected countries, cannot trace the people behind this, then WTF are we paying their salaries for?

      The people behind these ransomware attacks are certainly all part of an extended community. If their members were to start...disappearing...one after another, the community might just decide that the risk isn't worth the payday.

      --
      Everyone is somebody else's weirdo.
      • (Score: 3, Insightful) by AthanasiusKircher on Saturday May 13, @06:03PM (3 children)

        by AthanasiusKircher (5291) Subscriber Badge on Saturday May 13, @06:03PM (#509217) Journal

        This is where international agencies like the NSA should be earning their keep. If they, and their counterparts in other affected countries, cannot trace the people behind this, then WTF are we paying their salaries for?

        Uh, to spy on citizens, thereby increasing and consolidating governmental power, with the ultimate aim of producing a "benign" police state.

        I thought that was their obvious purpose. The only thing more nefarious-sounding than "National Security Agency" is the term "Homeland Security."

        • (Score: 3, Insightful) by kaszz on Sunday May 14, @05:59AM (2 children)

          by kaszz (4211) on Sunday May 14, @05:59AM (#509372) Journal

          You always have to ask yourself whose security against whom. There's no such thing as a universal security that makes all bad things go away.

      • (Score: 2) by Runaway1956 on Sunday May 14, @12:42AM (1 child)

        by Runaway1956 (2926) Subscriber Badge on Sunday May 14, @12:42AM (#509302) Journal

        "If their members were to start...disappearing..."

        I kinda like that idea - but if they start on one community, who is to say they won't start on another community? They came for the Jews, and I didn't speak up . . . .

        But, you're right. The NSA has all those resources available, which are wasted on silly crap. Make a phone call, so that Grandma can talk to her distant cousin in Fuckistan, and the NSA starts tracking all your phone calls? FFS, what a waste.

        --
        This broadcast is intended for mature audiences.
        • (Score: 0) by Anonymous Coward on Sunday May 14, @03:53PM

          by Anonymous Coward on Sunday May 14, @03:53PM (#509498)

          oh, it's not wasted on silly crap. it's spent on exactly what they mean to spend it on. a supranational surveillance state. has nothing to do with national defense.

  • (Score: 2) by turgid on Saturday May 13, @01:34PM (19 children)

    by turgid (4318) on Saturday May 13, @01:34PM (#509136) Journal

    It's expensive. You get what you pay for.

    /me ducks.

    --
    Don't let Righty keep you down.
    • (Score: 2) by Geezer on Saturday May 13, @01:56PM (17 children)

      by Geezer (511) Subscriber Badge on Saturday May 13, @01:56PM (#509143)

      Issue here has nothing to do with closed/open architecture, and everything to do with bad original design (Microsoft), bad internal security (NSA), idiot users (who open phishing emails), rent-seeking MBA's/PHB's who don't budget for adequate security, and lazy/incompetent sysadmins who forego/delay security patches.

      Obviously the whole world needs to run FreeBSD with pfSense and without systemd, right?

      OSS: The guaranteed panacea for every computing need!

      /sarcasm

      --
      Scruting the inscrutable for over 50 years.
      • (Score: 0) by Anonymous Coward on Saturday May 13, @03:48PM (4 children)

        by Anonymous Coward on Saturday May 13, @03:48PM (#509185)

        As an admin in a large 3 letter computer company in a previous life, updates had to be agreed on with all stakeholders via a change control process. The end result was that updates were applied twice a year, on a Sunday morning at 4am.

        I expect the NHS to be just as conservative, if not more so. All an admin can do is complain and then clean up the mess when the shit hits the fan.

        • (Score: 0) by Anonymous Coward on Saturday May 13, @04:14PM (1 child)

          by Anonymous Coward on Saturday May 13, @04:14PM (#509192)

          I too was in such a situation, and always giggled with sadistic glee when we got hit with childishly preventable problems. As the business twisted in the wind while we "cleaned up the mess", it was positively fascinating watching the blizzard of company-wide memos from horror-stricken C-levels trying to do damage control on something they brought on themselves.

          Any CIO/CTO who agrees to an update regimen as you describe is a boob, and deserves the outcome. Minions, meanwhile, can hopefully soak up the overtime pay and enjoy the new shop jokes to tell over a beer.

          There's a bright side to everything. :-)

        • (Score: 2) by sjames on Sunday May 14, @05:56PM

          by sjames (2882) on Sunday May 14, @05:56PM (#509561) Journal

          Just remember, most stake holders think progress is a vampire.

        • (Score: 2) by kaszz on Monday May 15, @02:46AM

          by kaszz (4211) on Monday May 15, @02:46AM (#509714) Journal

          Why not a Saturday morning such that you would have two days of margin instead of one?

      • (Score: 5, Insightful) by sjames on Saturday May 13, @05:12PM (11 children)

        by sjames (2882) on Saturday May 13, @05:12PM (#509205) Journal

        Let's narrow it down a bit. Don't blame the sysadmins this time, they can't apply patches that don't exist. Those rent seeking MBAs didn't renew the extended support contract nor did they provide a budget to migrate away from XP.

        And let's not forget that MS perfected the email virus. Way back in the olden days, in spite of persistent hoaxes, jokes, and paranoid ramblings, you couldn't get a virus from email or any other text document. We all had a good laugh about the honor system virus and, of course the good times virus. It took the dumbest (and possibly most expensive) series of design decisions in the history of computing on the part of MS to bring all of this to life. It's not as if they weren't warned and strenuously urged to reverse their decision to make email and documents executable. They were also warned that blurring the line between opening something and running something was a very bad idea. Then just to make sure to enable the coming avalanche of email horrors, they hid the distinction between an executable and a file that executable might open.

        Yes, the NSA gets its share of the blame for developing a cyberweapon and then leaking it to the world. Imagine if Los Alamos had accidentally published everything you needed to build an atomic bomb shortly after Hiroshima.

        The users aren't blameless provided they have received training about the dangers of clicking on emails, but they were set up by MS's series of blunders.

        • (Score: 3, Insightful) by kaszz on Saturday May 13, @05:17PM (10 children)

          by kaszz (4211) on Saturday May 13, @05:17PM (#509206) Journal

          Email using HTML is a scourge and to top it off Microsoft leaves open SMB ports, which are buggy of course.

          ASCII is the right way (minus some esc codes that still may get into the open-execute-paradigm)

          • (Score: 1) by anubi on Sunday May 14, @09:07AM (9 children)

            by anubi (2828) Subscriber Badge on Sunday May 14, @09:07AM (#509399)

            Now that you mention it, the only files I feel perfectly safe opening in my computer are .txt files in notepad.

            Just like I used to open .BAT files perfectly safely with my EDT editor. No matter what they were.... perfectly safe.

            These "business-grade" systems I use these days have me on edge every time I have to open a file. Especially email attachments.

            --
            "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
            • (Score: 2) by kaszz on Sunday May 14, @11:20AM (8 children)

              by kaszz (4211) on Sunday May 14, @11:20AM (#509427) Journal

              If they have such weaknesses, they are certainly not "business-grade". It's only something marketdroids will use.
              Why do you use a Microsoft environment to get work done?

              • (Score: 2) by mcgrew on Sunday May 14, @03:11PM (7 children)

                by mcgrew (701) <publish@mcgrewbooks.com> on Sunday May 14, @03:11PM (#509477) Homepage Journal

                Well DUH, you use the equipment the company you work for buys.

                --
                Free Martian whores! [mcgrewbooks.com]
                • (Score: 2) by kaszz on Sunday May 14, @03:28PM (6 children)

                  by kaszz (4211) on Sunday May 14, @03:28PM (#509485) Journal

                  Well that is true. But maybe you could ask for a machine where you can install Unix to work?
                  Of course that depends on the micromanagement degree of the workplace gods..

                  • (Score: 2) by mcgrew on Thursday May 18, @05:32PM (5 children)

                    by mcgrew (701) <publish@mcgrewbooks.com> on Thursday May 18, @05:32PM (#511751) Homepage Journal

                    I'm retired now, but using your own device or software at work was strictly forbidden. I need MS Office now because magazines demand stories be in .doc format. I write in Lo and Oo but need MS Word to make sure it will open the files. Business (most businesses, anyway, there are exceptions, like Ball) and governments have mostly standardized on the decidedly non-standard Microsoft.

                    I find it amusing when people ask when the "year of Linux on the desktop" will be, because if you lay your phone on a desk, you already have either Linux or BSD on the desktop depending on whether it's an iPhone or Android.

                    I've been using Linux at home since Mandrake. I hate what they've done to KDE. I'm really glad Lo will now usually write .doc files all right. It didn't used to, Oo still won't AFAIK.

                    --
                    Free Martian whores! [mcgrewbooks.com]
    • (Score: 3, Insightful) by mcgrew on Sunday May 14, @03:08PM

      by mcgrew (701) <publish@mcgrewbooks.com> on Sunday May 14, @03:08PM (#509475) Homepage Journal

      You get what you pay for.

      I suspect your tongue is firmly in your cheek, but want to point out to others that the statement is a salesman's lie. For instance, Aleve is identical to generic naproxen sodium, but costs three times as much.

      You do usually pay for what you get, and often pay more than what you get.

      --
      Free Martian whores! [mcgrewbooks.com]
  • (Score: 3, Informative) by kaszz on Saturday May 13, @01:49PM (16 children)

    by kaszz (4211) on Saturday May 13, @01:49PM (#509141) Journal

    According to Avast 99 countries are affected. Worst affected are Russia, Ukraine and Taiwan. Also British hospitals, the Spanish telephone operator Telefónica, and the US transportation company FedEx have been disrupted.

    The French car manufacturer Renault has been forced to stop manufacturing in Slovenia and at facilities in France, after being hit according to AFP. In Russia, banks and departments have been affected.

    This is the largest ransomware attack, says Rich Barger at the IT company Splunk, to Reuters.

    Unlocking cost circa 300–600 US$.

    The used hole had a patch in 2017-03-14. (but then who trusts Microsoft to fix more than they screw up)

    When will Microsoft addicts take the hint that what they are using is digital poison?

    • (Score: 4, Insightful) by takyon on Saturday May 13, @02:02PM (15 children)

      by takyon (881) <{takyon} {at} {soylentnews.org}> on Saturday May 13, @02:02PM (#509145) Journal

      If people start running Linux and BSD on hospital/FedEx/etc. computers, then that's what the next generation of ransomware will target.

      --
      [SIG] 04/14/2017: Soylent Upgrade v13 [soylentnews.org]
      • (Score: 2) by kaszz on Saturday May 13, @02:12PM (3 children)

        by kaszz (4211) on Saturday May 13, @02:12PM (#509154) Journal

        Sure, but it's also more straightforward to protect those systems.

        Perhaps you are on to something, use as a obscure system you can live with.

        • (Score: 2) by looorg on Saturday May 13, @02:20PM (2 children)

          by looorg (578) on Saturday May 13, @02:20PM (#509159)

          Perhaps you are on to something, use as a obscure system you can live with.

          It's a bit hard to try and use security by obscurity when you are running a nation wide healthcare system like the NHS. After all people have to use and interact with the system daily.

          • (Score: 0) by Anonymous Coward on Saturday May 13, @04:16PM

            by Anonymous Coward on Saturday May 13, @04:16PM (#509194)

            Training. It's a thing. Really.

          • (Score: 2) by kaszz on Saturday May 13, @04:27PM

            by kaszz (4211) on Saturday May 13, @04:27PM (#509197) Journal

            I was thinking more about small business and the alike.

      • (Score: 5, Insightful) by Runaway1956 on Saturday May 13, @02:19PM (8 children)

        by Runaway1956 (2926) Subscriber Badge on Saturday May 13, @02:19PM (#509158) Journal

        Correct. But, there's a difference between targeting Microsoft and Linux. With Microsoft, you wait, and wait, and wait, hoping that Microsoft might offer a patch for the hole in their system. With open source software, there will probably be a patch pretty soon. If the patch is not forthcoming, you can get on the mailing lists, to see WTF is taking so long. And, if it appears that the patch isn't coming, or not coming quickly enough, you can take mitigating actions. Worst case scenario, you can make the patch yourself. Or, worst-worst-case scenario, everyone says, "Fuck it, this shit's to hard, let's just make a new application that does something similar, but works differently."

        --
        This broadcast is intended for mature audiences.
        • (Score: 0) by Anonymous Coward on Saturday May 13, @11:19PM

          by Anonymous Coward on Saturday May 13, @11:19PM (#509282)

          How many times have we seen Google's boffins go ahead and make public a hole in Redmond's ecosystem after waiting 90 days for MICROS~1 to patch that?

          ...and any time that an exploit has a logo, that's MSFT fanboys' work.
          Those guys like to make a big deal of every flaw in Linux.
          Just imagine how busy they'd be if they did the same thing for every MICROS~1-specific flaw.

          ...better still, how about putting that manpower into fixing their own bugs?

          With open source software, there will probably be a patch pretty soon

          Heartbleed [googleusercontent.com] (orig) [wikipedia.org]

          Bodo Moeller and Adam Langley of Google prepared the fix for Heartbleed. The resulting patch was added to Red Hat's issue tracker on March 21, 2014
          [...]
          Neel Mehta of Google's security team secretly reported Heartbleed [to OpenSSL, its maintainer] on April 1, 2014
          [...]
          Stephen N. Henson applied the fix to OpenSSL's version control system on 7 April

          -- OriginalOwner_ [soylentnews.org]

        • (Score: 2) by Lester on Sunday May 14, @09:52AM (6 children)

          by Lester (6231) on Sunday May 14, @09:52AM (#509405)

          As Anonymous has posted, Heartbleed proves that the thousand eyes is a myth.

          There are four reasons why OSS systems are safer than Microsoft.

          1. OSS users are more advanced. There is no secure system when, to the message "This program demands to bypass security and change the system", the user clicks yes. The average Microsoft user is more likely to click yes than the average Linux or FreeBSD user.
          2. An OSS user doesn't usually run as root. Many Microsoft workstations are run with administrator powers, even nowadays, let alone old XP. Windows comes from the domestic world, where the user was alone so he had to be almighty, and also was not a technician, so they couldn't bother him with security complexities and tough security policies.
          3. Target Windows, target 95% of the world. Target Linux, FreeBSD, target 5%. Which system are criminals going to devote more time to investigating how to crack?
          4. It looks like the NSA works closely with Microsoft to keep software hackable
          • (Score: 2) by mcgrew on Sunday May 14, @03:16PM (4 children)

            by mcgrew (701) <publish@mcgrewbooks.com> on Sunday May 14, @03:16PM (#509478) Homepage Journal

            You seem to forget that there are probably more Linux machines than Windows machines; most phones and tablets use Android, which uses the Linux kernel.

            If your phone is laying on your desk, you have Linux (or BSD if iPhone) on the desktop.

            --
            Free Martian whores! [mcgrewbooks.com]
            • (Score: 2) by Lester on Sunday May 14, @09:02PM (3 children)

              by Lester (6231) on Sunday May 14, @09:02PM (#509607)

              A) Aren't smartphones hacked? Yes, and a lot.

              B) Android is not Linux, it has a linux kernel. But an operating system is much more than its kernel.

              • (Score: 2) by mcgrew on Thursday May 18, @05:38PM (2 children)

                by mcgrew (701) <publish@mcgrewbooks.com> on Thursday May 18, @05:38PM (#511754) Homepage Journal

                A. They're hackable, any computer is, but they're far harder to crack than Windows. My guess is Android is easier than Android, since you don't have to jailbreak it to install software; you could get a dodgy APK file from the internet.

                B. Correct, Linux is not an OS, it's a kernel. Ubuntu, Red Hat, Android are OSes. Android on the desktop is no different than Red Hat on the desktop; Linux is the kernel for both.

                --
                Free Martian whores! [mcgrewbooks.com]
          • (Score: 0) by Anonymous Coward on Sunday May 14, @04:11PM

            by Anonymous Coward on Sunday May 14, @04:11PM (#509502)

            just because it doesn't apply equally to every piece of software under the sun doesn't mean it's a myth. you're either an idiot or a liar or both.

      • (Score: 2, Informative) by butthurt on Saturday May 13, @03:24PM

        by butthurt (6141) on Saturday May 13, @03:24PM (#509174) Journal

        > [...] that's what the next generation of ransomware will target.

        As a criminological concept, target hardening has some serious deficiencies. For one, it only works against opportunistic or amateurish criminals. A determined, clever criminal would probably not be deterred, and some cleverer ones might even be attracted to hardened targets. [...] Some targets are relatively unhardened, or not hardened in depth. Other, unhardened targets (ones you might never think of) become targets. Displacement effects are, of course, quite common in crime prevention, but they occur in numerous ways with target hardening. Potential offenders simply go elsewhere.

        -- https://web.archive.org/web/20070712144216/http://www.apsu.edu/oconnort/3440/3440lect06a.htm [archive.org]

      • (Score: 2) by stormreaver on Sunday May 14, @02:31AM

        by stormreaver (5101) on Sunday May 14, @02:31AM (#509322)

        If people start running Linux and BSD on hospital/FedEx/etc. computers, then that's what the next generation of ransomware will target.

        Except that getting it to spread will be much, much, Much, MUCH harder because Linux systems have much, much, Much, MUCH better internals and externals.

  • (Score: 1, Informative) by Anonymous Coward on Saturday May 13, @02:14PM (10 children)

    by Anonymous Coward on Saturday May 13, @02:14PM (#509155)

    Microsoft has issued a patch for the SMB hole, including versions for legacy OSes including Windows XP SP3 x86:

    https://technet.microsoft.com/library/security/MS17-010 [microsoft.com]

    You can use Windows Update mechanism to apply the patch.

    Alternatively, you can download the patch from Microsoft Update Catalog - search for KB4012598:

    http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598 [microsoft.com]

    NOTE: I downloaded the patches but haven't applied them yet. How was your luck with them? :)
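A check worth running on anything listening on TCP/445 after reading the above, as an added example that is not from the post or from Microsoft: it sends an SMB_COM_NEGOTIATE that offers only the SMB1 dialect NT LM 0.12 and reports whether the host answers with an SMB1 negotiate response, which is the protocol the EternalBlue exploit behind WannaCry needs. A Windows host with SMBv1 disabled closes the connection instead. The check tells you only that SMBv1 is still on, not whether KB4012598 is installed; a patched host answers the same way, so read an "smb1-enabled" result as "verify the hotfix, or disable SMBv1". The address in the usage line is a placeholder, and the Flags/Flags2 values are the ones a Windows client typically sends.

```python
"""Probe whether a host still negotiates SMBv1 on TCP/445.  Added example, not
from the post or from Microsoft.  It tests only whether the SMB1 dialect is
accepted; it does not tell whether MS17-010 / KB4012598 is installed."""
import socket
import struct

SMB_COM_NEGOTIATE = 0x72
SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"


def smb1_header(command, pid=0x1234, mid=1):
    """32-byte SMB1 header (MS-CIFS 2.2.3.1), all fields little-endian."""
    return struct.pack(
        "<4sBIBHH8sHHHHH",
        SMB1_MAGIC,   # Protocol
        command,      # Command
        0,            # Status (NT_STATUS_SUCCESS)
        0x18,         # Flags: case-insensitive, canonicalised paths
        0xC853,       # Flags2: Unicode, NT status, extended security, long names
        0,            # PIDHigh
        b"\0" * 8,    # SecurityFeatures
        0,            # Reserved
        0xFFFF,       # TID (none yet)
        pid,          # PIDLow
        0,            # UID (not authenticated)
        mid,          # MID
    )


def negotiate_request(dialects=(b"NT LM 0.12",)):
    """SMB_COM_NEGOTIATE offering only SMB1 dialects, wrapped in a NetBIOS session
    header (type 0x00 plus 3-byte length).  Offering no SMB2 dialect forces the
    server to either speak SMB1 or drop the connection."""
    body = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    params = struct.pack("<BH", 0, len(body))     # WordCount = 0, ByteCount
    smb = smb1_header(SMB_COM_NEGOTIATE) + params + body
    return struct.pack(">I", len(smb)) + smb      # top byte is the 0x00 type


def classify_response(data):
    """Interpret what came back from the server."""
    if len(data) < 4 + 32:
        return "no-smb"
    magic, command = data[4:8], data[8]
    if magic == SMB1_MAGIC and command == SMB_COM_NEGOTIATE:
        return "smb1-enabled"
    if magic == SMB2_MAGIC:
        return "smb2-only"
    return "no-smb"


def probe(host, port=445, timeout=3.0):
    """Connect, send the negotiate, classify the reply.  A reset, timeout or empty
    read is what a Windows host with SMBv1 disabled does to an SMB1-only offer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(negotiate_request())
            return classify_response(s.recv(1024))
    except OSError:
        return "no-smb"


if __name__ == "__main__":
    print(probe("192.0.2.10"))   # placeholder address (RFC 5737 TEST-NET-1)
```

Point it at the XP boxes first; an "smb1-enabled" answer from a machine that Windows Update says is current is the cue to confirm KB4012598 by hand rather than trust the dashboard.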

    • (Score: 2) by takyon on Saturday May 13, @02:51PM (7 children)

      by takyon (881) <{takyon} {at} {soylentnews.org}> on Saturday May 13, @02:51PM (#509168) Journal

      With Microsoft, you wait, and wait, and wait, hoping that Microsoft might offer a patch for the hole in their system.

      --
      [SIG] 04/14/2017: Soylent Upgrade v13 [soylentnews.org]
      • (Score: 2) by butthurt on Saturday May 13, @11:32PM (6 children)

        by butthurt (6141) on Saturday May 13, @11:32PM (#509285) Journal

        That happens. However it didn't in this instance:

        Microsoft claims it addressed Windows exploits, released last week in a Shadow Brokers dump, in patches ahead of the leak.

        -- http://www.darkreading.com/attacks-breaches/microsoft-fixed-windows-vulns-before-shadow-brokers-dump/d/d-id/1328643 [darkreading.com]

        Those patches were only for their supported versions of Windows. On 12 May they issued patches for Windows XP, Windows 8 and Windows 2003:

        https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/ [microsoft.com]

        Windows 8 is nearly five years old and has been out of support since January 2016.

        https://redmondmag.com/articles/2016/01/13/windows-8-loss-of-support.aspx [redmondmag.com]

        People still running it have only themselves to blame!

        • (Score: 3, Insightful) by Runaway1956 on Sunday May 14, @12:57AM (5 children)

          by Runaway1956 (2926) Subscriber Badge on Sunday May 14, @12:57AM (#509305) Journal

          "Windows 8 is nearly five years old and has been out of support since January 2016.

          https://redmondmag.com/articles/2016/01/13/windows-8-loss-of-support.aspx [redmondmag.com]

          People still running it have only themselves to blame!"

          I strongly disagree. 1- Given that most people aren't nerdy enough to upgrade to a unix-like. 2- Given that many people "can't afford" Mac. 3- Given that people are "trapped" on Microsoft 4- Given that Windows X sucks more ass than anything Microsoft has ever published in the past.

          Might we not place the blame squarely on Microsoft? The corporation that worked so very hard to create one of the biggest monopolies in history bears responsibility for the results of that monopoly.

          Think what life MIGHT be like, had Microsoft not built such a strong monopoly. Digital Research might still be around, with its own operating system, and Windows could be just a window manager which could be installed on DrDos. More people would still be savvy enough to actually install a window manager on top of an operating system. And, as a result, a vulnerability which affected all Microsoft OS's might only affect 20, or 40% of computers, instead of virtually all computers.

          How many other commercial operating systems folded, and/or never came to exist, because of Microsoft? OS/2 is still around, kinda, but it enjoys an insignificant percentage of the market.

          And, let's be clear about one thing: Microsoft solutions are NOT the "best" by any stretch of the imagination. Microsoft was stuffed down our throats (or up our asses) by force. That IS the nature of a monopoly.

          --
          This broadcast is intended for mature audiences.
          • (Score: 1) by butthurt on Sunday May 14, @01:59AM (1 child)

            by butthurt (6141) on Sunday May 14, @01:59AM (#509319) Journal

            Windows 10 was offered as a free upgrade from Windows 8. All people had to do was click "OK" or click on the little "X" and it would install itself...

            • (Score: 2) by Runaway1956 on Sunday May 14, @03:58AM

              by Runaway1956 (2926) Subscriber Badge on Sunday May 14, @03:58AM (#509338) Journal

              You make that sound like a "good thing". Windows 10 telemetry and ad serving is a "bad thing". Windows 10 is not an upgrade at all, it's a serious downgrade. Why would anyone in their right mind compromise the security of their system, by effectively giving Microsoft permission to read (and write) anything on their computer?

              --
              This broadcast is intended for mature audiences.
          • (Score: 2) by kaszz on Sunday May 14, @06:47AM (2 children)

            by kaszz (4211) on Sunday May 14, @06:47AM (#509380) Journal

            I strongly disagree. 1- Given that most people aren't nerdy enough to upgrade to a unix-like.

            We are also talking government run hospitals and large corporations. They both have the money and the competence.

            • (Score: 3, Insightful) by Runaway1956 on Sunday May 14, @08:55AM (1 child)

              by Runaway1956 (2926) Subscriber Badge on Sunday May 14, @08:55AM (#509397) Journal

              Point taken. Now, if only one of the *nixes could offer the purchasing agent a $50,000 rebate, and a time share condo in Bermuda . . .

              --
              This broadcast is intended for mature audiences.
              • (Score: 2) by kaszz on Sunday May 14, @10:46AM

                by kaszz (4211) on Sunday May 14, @10:46AM (#509422) Journal

                We could offer a $5 pitch fork and a time sharing presence on it. No need to fly around the world to experience it either .. :-)
                If incentives is the way. I'm sure we can adapt to it.. :p

    • (Score: 2) by mcgrew on Sunday May 14, @03:19PM

      by mcgrew (701) <publish@mcgrewbooks.com> on Sunday May 14, @03:19PM (#509480) Homepage Journal

      Tried and failed to DL that on my Linux box to install on an old XP laptop that I do NOT want on my network. I guess I'll have to shut the other computers off and plug it in for a while...

      --
      Free Martian whores! [mcgrewbooks.com]
    • (Score: 2) by kaszz on Monday May 15, @03:01AM

      by kaszz (4211) on Monday May 15, @03:01AM (#509722) Journal

      I'll bet that patch comes with free NSA backdoor.

  • (Score: 2) by looorg on Saturday May 13, @02:17PM (10 children)

    by looorg (578) on Saturday May 13, @02:17PM (#509156)

    Isn't it a bit misleading to try and pin this on the NSA? I might have misunderstood the entire news story but from what I can tell it's not the NSA that developed the malware, they found the feature - I'm certain they exploited it for something - they even gave it a cool name (eternalblue). But this isn't or wasn't some fast way to increase some black budget post. If someone should be blamed for this it would be the Shadow Brokers that released it after their blackmail scheme backfired (as I recall they wanted to sell it, didn't work - so they just released parts of it). Microsoft for writing shitty code. Whoever wrote the malware. So there is enough blame to go around really. I just don't see any of it landing on the NSA. Do we blame other people that find faults (or bugs) in software (and possibly exploit it -- possibly some blame in that particular case)? Normally we don't. So to blame the NSA for this seems a bit of a stretch to me, even though it's apparently the popular thing to do.

    The interesting parts of the story are the lax attitude towards patches, updating and security in several large organizations and companies. But then it costs a lot of money. Like this won't. If they are not working around the clock now it's going to be an interesting Monday at the office when this thing starts to spread like wildfire again as people come back to work.

    • (Score: 2) by kaszz on Saturday May 13, @02:21PM

      by kaszz (4211) on Saturday May 13, @02:21PM (#509160) Journal

      Patches and updates too often make software needed in production stop working. And security in several large organizations is decided by people that lack insight (MBA, PHB, the kit).

    • (Score: 5, Insightful) by c0lo on Saturday May 13, @02:41PM (8 children)

      by c0lo (156) Subscriber Badge on Saturday May 13, @02:41PM (#509163)

      Isn't it a bit misleading to try and pin this on the NSA? I might have misunderstood the entire news story but from what I can tell it's not the NSA that developed the Malware, they found the feature - I'm certain they exploited it for something

      Hold right there... because that is why the NSA bears responsibility.
      If you, a governmental agency, find a vulnerability, the best way to protect your citizens is not to exploit/weaponize it but to responsibly disclose it to the author to have it plugged ASAP.
      No ifs, no buts... any other way will expose the people you swore to protect to risks like this.

      • (Score: 0) by Anonymous Coward on Saturday May 13, @03:35PM

        by Anonymous Coward on Saturday May 13, @03:35PM (#509181)

        The thing is, if you don't do it then somebody else will.

        Yes, fix the holes. But yes, also try and hack the fuck out of them so you know what is possible.

      • (Score: 5, Insightful) by Thexalon on Saturday May 13, @04:10PM (5 children)

        by Thexalon (636) Subscriber Badge on Saturday May 13, @04:10PM (#509191) Homepage

        Regardless of appearances, the US national security state isn't really interested in defense of anybody but themselves. Their idea of defense is "kill them before they kill us", which means their real interest is in offense, and that is why they keep any and all vulnerabilities they discover to themselves. Not disclosing leaves citizens vulnerable, of course, but that helps out the portion of the national security state that treats the citizens as a potential enemy because they are outside of the national security state.

        Why oh why didn't we listen to Ike back in 1960?

        --
        If you act on pie in the sky, you're likely to get pie in the face.
        • (Score: 0) by Anonymous Coward on Saturday May 13, @11:30PM

          by Anonymous Coward on Saturday May 13, @11:30PM (#509284)

          Ike's farewell address was on January 17, 1961 [google.com]

          -- OriginalOwner_ [soylentnews.org]

        • (Score: 2) by butthurt on Sunday May 14, @12:27AM (1 child)

          by butthurt (6141) on Sunday May 14, @12:27AM (#509294) Journal

          > Why oh why didn't we listen to Ike back in 1960?

          Do you mean 1960 or 1961?

          1960:

          The nations of the world have recently united in declaring the continent of Antarctica "off limits" to military preparations. We could extend this principle to an even more important sphere. National vested interests have not yet been developed in space or in celestial bodies.

          -- http://www.presidency.ucsb.edu/ws/?pid=11954 [ucsb.edu]

          1961:

          IN THE COUNCILS of government, we must guard against the acquisition of unwarranted influence, whether sought or unsought, by the military-industrial complex.

          The potential for the disastrous rise of misplaced power exists and will persist.

          -- https://en.wikisource.org/wiki/Eisenhower's_farewell_address_%28reading_copy%29 [wikisource.org]

          • (Score: 2) by Thexalon on Sunday May 14, @03:22PM

            by Thexalon (636) Subscriber Badge on Sunday May 14, @03:22PM (#509482) Homepage

            You are quite correct: I meant 1961.

            --
            If you act on pie in the sky, you're likely to get pie in the face.
        • (Score: 2) by kaszz on Sunday May 14, @06:15AM (1 child)

          by kaszz (4211) on Sunday May 14, @06:15AM (#509374) Journal

          Here's Ike Eisenhower's (1890 - 1969) farewell message [youtube.com] from 1961. He was president from 1953 to 1961. In 1942 he became a major general, so he also had hands-on military experience.

          (at 8:50 the speech heats up)

          • (Score: 0) by Anonymous Coward on Sunday May 14, @08:16AM

            by Anonymous Coward on Sunday May 14, @08:16AM (#509391)

            That's 2 stars.
            Ike was one of a handful of 5-star general officers.
            Other places called those field marshals but that would have given us Field Marshal Marshall (the Marshall Plan guy).

            -- OriginalOwner_ [soylentnews.org]

      • (Score: 0) by Anonymous Coward on Saturday May 13, @05:31PM

        by Anonymous Coward on Saturday May 13, @05:31PM (#509210)
        The big mess here is that the other half of the NSA’s mission is actually to help protect the United States from cyberattack. Here they have not only failed utterly, but are in fact guilty of all but betraying that mission. But I suppose whatever military-type in charge here might well quip the way some Vietnam War major quipped about it becoming necessary to destroy the town in order to save it.

  • (Score: 1, Offtopic) by number6 on Saturday May 13, @06:11PM (1 child)

    by number6 (1831) on Saturday May 13, @06:11PM (#509223) Journal

    Read this: https://twitter.com/GossiTheDog/status/863339558364229634 [twitter.com]

    Having said that .........

    I highly recommend all Win XP users to run this simple one-click program: Seconfig XP [sytes.net]

    It is a fantastic little tool for quickly hardening your network security settings.

    Really simple to use... just start it, check all the boxes and click the "Apply" button.

    If you want a (very nice) informative read of exactly what this prog does to your system and why, click the "Help" button.

    If you click the "Apply" button, it will open a dialog box "Apply changed settings and restart computer [Yes] [No]".

    If you want to revert your system back to previous state, run the prog again and click the "Restore" button; the prog has backed up your previous settings to some registry keys.

    To test if Seconfig XP actually does its job .........

    Run Seconfig XP and click its "Status" button causing it to open a "Current status" message window ...and leave it open.
    Also open a CMD window and run this command: 'netstat -a -n' ...and leave it open.
    Place the "Current status" and "CMD" windows side-by-side and save a screenshot of them to your desktop.

    Run Seconfig XP and apply the settings.

    After reboot, run a new instance of "Seconfig XP status" and "CMD netstat" windows

    Compare to your screenshot.
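    The before/after netstat comparison described in the post above can be done without eyeballing screenshots. The script below is an added example, not part of the post and not code from the Seconfig XP tool: it parses two 'netstat -a -n' captures in the Windows XP layout, reports which listening sockets the hardening closed, and flags any that are still open on the ports the worm component relies on (445 is the SMBv1 attack surface the page's Microsoft link refers to, patched in March as MS17-010; 139/137/138 are NetBIOS and 135 is the RPC endpoint mapper). The two captures and the flagged-port list are constructed for the example; on a real machine you would paste in the output of the two CMD windows.

```python
"""Diff 'netstat -a -n' captures taken before and after hardening.

Added example, not from the original post or from Seconfig XP. The two
captures below are CONSTRUCTED samples in the Windows XP netstat layout,
and FLAGGED_PORTS is this example's own choice of ports worth watching.
"""
import re

# Ports whose continued presence after hardening deserves attention:
# 445 (SMB over TCP, the MS17-010 attack surface), 139/137/138 (NetBIOS
# session/name/datagram), 135 (RPC endpoint mapper).
FLAGGED_PORTS = {135, 137, 138, 139, 445}

# Constructed capture: what a stock XP box typically shows.
BEFORE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1031       93.184.216.34:80       ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.5:137        *:*
  UDP    192.168.1.5:138        *:*
"""

# Constructed capture: after rebooting with the hardened settings.
AFTER = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1034       93.184.216.34:80       ESTABLISHED
"""

# proto, local addr, local port, foreign addr, optional state (UDP has none)
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(text):
    """Return the set of (proto, port) sockets that accept unsolicited input.

    A TCP socket counts only in LISTENING state; a bound UDP socket always
    counts, because netstat prints no state column for UDP.
    """
    listeners = set()
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # banner, header, blank line, or an unknown layout
        proto, _local, port, _foreign, state = m.groups()
        if proto == "UDP" or state == "LISTENING":
            listeners.add((proto, int(port)))
    return listeners


def compare_captures(before_text, after_text):
    """Summarise what the hardening closed and what is still exposed."""
    before = parse_listeners(before_text)
    after = parse_listeners(after_text)
    return {
        "closed": sorted(before - after),
        "opened": sorted(after - before),
        "still_flagged": sorted(s for s in after if s[1] in FLAGGED_PORTS),
    }


if __name__ == "__main__":
    report = compare_captures(BEFORE, AFTER)
    for key, socks in report.items():
        print(f"{key:14s}", ", ".join(f"{p}/{n}" for p, n in socks))
```

    On the constructed captures the report lists TCP 139 and 445 plus UDP 137, 138 and 445 as closed, nothing newly opened, and TCP 135 as still flagged, which is the kind of leftover a host firewall rule or a DCOM setting would then have to deal with. The script only looks at local listeners; it says nothing about whether the machine is still reachable through a different interface or a bridged VM.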
    • (Score: 1) by anubi on Sunday May 14, @09:33AM

      by anubi (2828) Subscriber Badge on Sunday May 14, @09:33AM (#509404)

      Could someone please tell me why my parent is modded offtopic?

      I am a bit ignorant here and there may be more to this than I am seeing. It looks more like "informative" to me, but I am out of modpoints.

      --
      "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
  • (Score: 2, Informative) by pnkwarhall on Saturday May 13, @06:41PM (2 children)

    by pnkwarhall (4558) on Saturday May 13, @06:41PM (#509227)

    I am a Neal Stephenson fan, and I wholeheartedly agree. It was one of the worst books I've ever read; I think I managed to finish it solely based on hope it would somehow eventually get better.

    --
    Lift Yr Skinny Fists Like Antennas to Heaven
    • (Score: 3, Funny) by Gaaark on Saturday May 13, @07:50PM (1 child)

      by Gaaark (41) Subscriber Badge on Saturday May 13, @07:50PM (#509240) Homepage Journal

      Now try Adolf Hitler's 'Mein Kampf'.

      'My Struggle' is a good title for that book, as you will STRUGGLE to read it the whole way through, lol.

      --
      --- I wish i had a cig for every sig i've ever had: i'd have cancer and wouldn't you feel bad for looking here. ---
      • (Score: 2) by Runaway1956 on Sunday May 14, @01:02AM

        by Runaway1956 (2926) Subscriber Badge on Sunday May 14, @01:02AM (#509307) Journal

        You're exactly right. And, in fact, I didn't make it all the way through. Which is a little embarrassing, because I've read so much other crap about Hitler that was difficult to read. Ehhh . . .

        --
        This broadcast is intended for mature audiences.
  • (Score: 2) by FunkyLich on Saturday May 13, @09:15PM (1 child)

    by FunkyLich (4689) on Saturday May 13, @09:15PM (#509259)

    Reading the article - to be entirely correct, the summary of the article - I just thought of these two pieces of dialogue in the original "Ghost In The Shell" movie of 1995.

    * * * Dialogue 1 * * *
    Puppet Master: I refer to myself as an intelligent life form because I am sentient and I am able to recognize my own existence, but in my present state I am still incomplete. I lack the most basic processes inherent in all living organisms: reproducing and dying.

    Major Kusanagi: But you can copy yourself.

    Puppet Master: A copy is just an identical image. There is the possibility that a single virus could destroy an entire set of systems and copies do not give rise to variety and originality. Life perpetuates itself through diversity and this includes the ability to sacrifice itself when necessary. Cells repeat the process of degeneration and regeneration until one day they die, obliterating an entire set of memory and information. Only genes remain. Why continually repeat this cycle? Simply to survive by avoiding the weaknesses of an unchanging system.

    * * * Dialogue 2 * * *
    Togusa: There's something I've wanted to ask ever since I started. Why did you transfer a guy like me from the police force?

    Major Kusanagi: Because we need a guy like you.

    Togusa: Huh?

    Major Kusanagi: Number one: You're an honest cop. Number two: You've never stepped out of line. Three: You're a family man. And, except for the slight brain augmentation, your body's almost completely human. If we all reacted the same way, we'd be predictable. And there's always more than one way to view a situation. What's true for the group is also true for the individual. It's simple. Overspecialise and you breed in weakness. It's slow death.
    * * *

    And immediately I thought: Why should everything be so vulnerable to this latest ransomware attack? Because after all, all the affected machines are nothing more than the same system copied and replicated over and over and over again.

    • (Score: 0) by Anonymous Coward on Sunday May 14, @05:15PM

      by Anonymous Coward on Sunday May 14, @05:15PM (#509529)

      Indeed. https://en.wikipedia.org/wiki/Monoculture#Disease [wikipedia.org]

      While I kinda liked the original GitS, I hear so many bad things about the new remake I don't think I'll watch it any time soon.

  • (Score: 3, Interesting) by NotSanguine on Saturday May 13, @09:43PM (3 children)

    by NotSanguine (285) Subscriber Badge on Saturday May 13, @09:43PM (#509262) Homepage Journal

    US-CERT posted Advisory TA17-132A [us-cert.gov] which gives significant technical detail as to the workings of WannaCrypt, as well as detection and mediation information.

    I found one of the bits from the advisory of particular interest:

    The WannaCry ransomware received and analyzed by US-CERT is a loader that contains an AES-encrypted DLL. During runtime, the loader writes a file to disk named “t.wry”. The malware then uses an embedded 128-bit key to decrypt this file. This DLL, which is then loaded into the parent process, is the actual Wanna Cry Ransomware responsible for encrypting the user’s files. Using this cryptographic loading method, the WannaCry DLL is never directly exposed on disk and not vulnerable to antivirus software scans.

    The newly loaded DLL immediately begins encrypting files on the victim’s system and encrypts the user’s files with 128-bit AES. A random key is generated for the encryption of each file.
    [emphasis added]

    Given that the tool uses random (or more likely, pseudo-random) keys to encrypt each file, it's highly unlikely that paying the ransom would (even if the miscreants wanted to do so) allow decryption.

    I imagine that these attacks could serve as a competency test, both for users (don't click on links in email), and for IT administrators (have quality, well-tested, frequent back ups).

    I'm glossing over the SMB vulnerability [microsoft.com], since a fix has been available for almost two months. I would say that since Microsoft has bundled its updates in an attempt to force its spying^W telemetry code down everyone's throat, it wouldn't surprise me if this update wasn't as widely implemented as it should be.

    Microsoft continues to make decisions that compromise the security of their users and products. As a former MS employee, this doesn't surprise me. Microsoft is, and has always been, run by the folks with sales and marketing backgrounds. I could elucidate, but I think my point is clear.

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr
    • (Score: 1) by Empyrean on Saturday May 13, @10:27PM (1 child)

      by Empyrean (5241) on Saturday May 13, @10:27PM (#509274)

      If it is using pseudo-random numbers (most probably) and the seed is known to the attackers (or victims) then it would be possible to decrypt all the files.

      • (Score: 2) by kaszz on Sunday May 14, @06:44AM

        by kaszz (4211) on Sunday May 14, @06:44AM (#509379) Journal

        Wouldn't that require some kind of information to be sent back to the ransomware writers in order for them to be able to provide the un-encrypt code?
        And the question then becomes, how is that return channel setup.

    • (Score: 2) by kaszz on Monday May 15, @02:27AM

      by kaszz (4211) on Monday May 15, @02:27AM (#509706) Journal

      Now Microsoft President and Chief Legal Officer wants a Digital Geneva Convention [microsoft.com] to protect computer systems. No mention of their own idiotic engineering or rather total lack of it. In addition to their slimy juridical dealings using "audits" to blackmail corporations.

  • (Score: 0) by Anonymous Coward on Sunday May 14, @05:20PM

    by Anonymous Coward on Sunday May 14, @05:20PM (#509531)

    Running this path will fix all your problems. real-trustworthy-winders-pathcv-from-migrosoftie.png.exe [malwarrrrre.ru]

    (Apologies to russia for attribution, I just wanted to make it as sleazy and disgusting as possible.)

  • (Score: 0) by Anonymous Coward on Sunday May 14, @05:23PM (1 child)

    by Anonymous Coward on Sunday May 14, @05:23PM (#509534)

    Are all those infected really being so amazingly negligent to either

    1) run software in production that's more than a month unpatched
    2) run windoze xp

    If so, it's really REALLY hard to feel even a little bit sorry for them.

    • (Score: 2) by kaszz on Monday May 15, @02:16AM

      by kaszz (4211) on Monday May 15, @02:16AM (#509697) Journal

      It's often the case of equipment in laboratories. Think machines doing blood analysis at (British?) hospitals, where the many-million-dollar machine runs on a particular version of Microsoft.. XP? Anyway, patching it will make it stop working or at least risk just that. Obviously if you try to change the operating system, it will no longer work. This could be because a combination of userland software that needs a specific software infrastructure and kernel drivers needing a specific Windows kernel.

      On top of that, the machine may need to be networked with other Windows machines to report results. Because the program to handle patient journals is only available for that shit platform. And of course that program also has issues with patches.

      People should demand other operating systems for lab equipment than a proprietary one. Because those can't be sufficiently maintained. But that requires people to make the PHBs and MBAs follow professional advice and also admit this is something they lack knowledge in. Which snowflake VIPs just can't take with their grandiose personality disorder.

      Nor will even a competent developer be allowed near such a machine to try to develop a free driver and software such that the machine may continue to be used after official support from Microsoft has ended. Because it may be the only one that facility has and needs to run daily business, and certification may be lost on unauthorized software.

  • (Score: 2) by kaszz on Monday May 15, @03:08AM

    by kaszz (4211) on Monday May 15, @03:08AM (#509728) Journal