SoylentNews is people

posted by cmn32480 on Sunday May 21 2017, @01:34PM
from the ahhh-crap dept.

Researchers have detected a new worm that is spreading via SMB, but unlike the worm component of the WannaCry ransomware, this one is using seven NSA tools instead of two.

The worm's existence first came to light on Wednesday, after it infected the SMB honeypot of Miroslav Stampar, member of the Croatian Government CERT, and creator of the sqlmap tool used for detecting and exploiting SQL injection flaws.

The worm, which Stampar named EternalRocks based on worm executable properties found in one sample, works by using six SMB-centric NSA tools to infect a computer with SMB ports exposed online. These are ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY, which are SMB exploits used to compromise vulnerable computers, while SMBTOUCH and ARCHITOUCH are two NSA tools used for SMB reconnaissance operations.

Once the worm has obtained this initial foothold, it then uses another NSA tool, DOUBLEPULSAR, to propagate to new vulnerable machines.

Source: BleepingComputer


This discussion has been archived. No new comments can be posted.
  • (Score: 1, Insightful) by Anonymous Coward on Sunday May 21 2017, @02:34PM (11 children)

    by Anonymous Coward on Sunday May 21 2017, @02:34PM (#513025)

    ... as long as individual consumers have little control over what their devices can do.

    Sure, transistor-to-app FOSS will produce insecure systems, but at least I would be able to take care of myself if I so chose; relying on central planners (e.g., Apple, Samsung, government, etc.) to define your world will only ever end in the tears of impotent rage.

    • (Score: 1, Insightful) by Anonymous Coward on Sunday May 21 2017, @03:30PM (6 children)

      by Anonymous Coward on Sunday May 21 2017, @03:30PM (#513038)

      This is true. It also includes open source.

      My TV has tons of opensource junk in it. Busybox distro. It will never see another update from LG. They moved on years ago to newer shiny toys.

      It is like the vuln Intel just had with their stuff. Unless all of the OEMs go back and reissue. Well though.

      Fixes are usually easy with a good test case (open or closed). Patching is the hard bit. Closed source is not really that closed. I have seen dudes reverse engineer pretty much every electronic device out there. It is just a matter of time and usually a copy of IDA Pro. It is just obfuscated. I have seen dudes pick out the bits off a piece of silicon to find the internal program just so they can reverse engineer it and then find exploits.

      It is *all* open. All of it. It is worse than you think or dream.

      • (Score: 2) by SomeGuy on Sunday May 21 2017, @05:24PM

        by SomeGuy (5632) on Sunday May 21 2017, @05:24PM (#513072)

        My TV has tons of opensource junk in it. Busybox distro. It will never see another update from LG. They moved on years ago to newer shiny toys.

        I have recently been trying to explain to some people how products with such embedded "fancy" extra software or internet features can actually become a very bad thing.

        Anything internet related is almost guaranteed to stop working after a couple of years. Protocols change, servers move, "cloud" services disappear, companies go out of business. And even while such a product is fully supported it can be vulnerable to attack.

        I shit you not, in the not too distant future, all these wifi/cloud connected "smart" thermostats that AC installers are forcing on people these days will wind up with some kind of ransomware that will freeze or fry people until they pay up. They could also be used to spy on people or display advertising.

        But all the retarded consumeroids out there don't understand or care and are perfectly happy to buy a new product in two years when the old one stops working right. Of course, the manufacturers love that too.

      • (Score: 0) by Anonymous Coward on Sunday May 21 2017, @06:03PM (4 children)

        by Anonymous Coward on Sunday May 21 2017, @06:03PM (#513083)

        It may all be "open" but it certainly isn't free, try distributing it and you will find out, likely painfully. And things like the DMCA say you can't even poke at devices you've bought...

        There is plenty of open source junk. But not nearly as much as proprietary junk. And you won't be betting on a pig in a poke either.

        Nihilism is a great way of life but don't expect it to lead you anywhere.

        • (Score: 0) by Anonymous Coward on Sunday May 21 2017, @08:26PM (3 children)

          by Anonymous Coward on Sunday May 21 2017, @08:26PM (#513144)

          http://opensource.lge.com/index [lge.com]

          I do not need to distribute any of it to create a worm now do I? I am already being a dick. Do you think some copyright law is going to stop me?

          It's all crap. All of it. The only thing open source gives me is the ability to look at the code in a human readable format. It does not give me the exact toolchain to fix anything. It would take me months of my time to 'fix' my TV. I yanked the plug. My thermostat is a simple digital control or analog mercury switch. To keep the company who decides it needs to talk to a server just so I can change the temp of my house from turning me off when they go under.

          Nihilism is a great way of life but don't expect it to lead you anywhere.
          Hardly. It is fucked up. I keep hearing how open source is going to 'save the world'. But what do I see? More closed source junk with a thin veneer of open source. Which only reduces their cost and sticks me with code that is 10+ years old shipped with known vulns and known passwords. You think the current IoT storms that are brewing were written on closed source? They sit upon the backs of open source. We sit back and say it is easy to fix. Yes all bugs are easy once an example is found that is the foundation of software engineering and QA. But the patching bit is the bitchy part which no one wants to talk about and then get personal when someone points it out. Open and closed source have the exact same issues here. Open source will not magically fix this monumental growing problem of old hardware or old software no one wants to look at anymore because it's not cool anymore. I am not being nihilist. I am being practical. We are being sold a bill of goods and 'open source' is the kool aid.

          Some of the largest bot nets out there right now, today, are open source routers and IoT devices. Good luck getting the company that cranked out 200k of some insecure camera that went under 3 years ago to give you firmware to update and then get 200k+ customers to patch them.

          • (Score: 0) by Anonymous Coward on Sunday May 21 2017, @09:51PM

            by Anonymous Coward on Sunday May 21 2017, @09:51PM (#513170)

            FOSS. Look it up.

            You're fighting a straw man.

          • (Score: 2) by DECbot on Monday May 22 2017, @03:36PM

            by DECbot (832) on Monday May 22 2017, @03:36PM (#513538) Journal

            You're making a damn good argument to go back to analog and discrete digital components and forgo the reliance of software defined devices. Perhaps the current software everywhere model would make sense if all the devices required support contracts to keep them up to date. Consumers won't bite on that though. They will tend to go for the shiniest bobble for the price, support be damned. So perhaps low end and consumer models should stay analog while those willing to pay for the support contract can have the luxury of a software defined device. Realistically, that won't happen as the software genie is out of the bottle. The only way to bring security back to consumer devices is to require to hold the manufacturers liable for defects and vulnerabilities. That will encourage manufacturers to replace the cheap software defined devices back to analog/discrete components or expensive software defined devices that require support contracts after an initial "warranty" period. Having to write a monthly check to your thermostat is sure to ensure that it will keep working and also keep the company behind it from going out of business. I'll probably go back to the mercury switch--or write my own arduino sketch and keep the damn thing off my lawn the internet.

            --
            cats~$ sudo chown -R us /home/base
          • (Score: 0) by Anonymous Coward on Monday May 22 2017, @04:55PM

            by Anonymous Coward on Monday May 22 2017, @04:55PM (#513589)

            why do you keep blaming F/OSS for your inability to buy from a responsible company or not to buy at all? You knew the situation before you bought, but you're a fucking sell out, so you bought anyways. now you're whining about it? you funded it, bitch! demand that companies foster dev+user community and make flashing their devices easy, etc. People always blame the people that are trying to help them while kissing up to their masters. you're transparent.

    • (Score: 2) by fadrian on Sunday May 21 2017, @04:47PM (3 children)

      by fadrian (3194) on Sunday May 21 2017, @04:47PM (#513061) Homepage

      Ha ha ha. You don't have the wherewithal to "make" your computer secure. It's insecure from the ground up. We could have done better. We didn't. Now you live with your insecure system because no matter how much you patch, there are always going to be new holes. And even if you keep up today, there's always tomorrow.

      --
      That is all.
      • (Score: 0) by Anonymous Coward on Sunday May 21 2017, @06:11PM (2 children)

        by Anonymous Coward on Sunday May 21 2017, @06:11PM (#513086)

        Ha ha ha. You don't have the wherewithal to "make" your computer secure.

        That's a pretty arrogant thing to say to somebody you know absolutely nothing about.

        • (Score: 0) by Anonymous Coward on Monday May 22 2017, @04:18AM

          by Anonymous Coward on Monday May 22 2017, @04:18AM (#513311)

          Actually not really, we've had plenty of stories come through here about computers being compromised on the hardware level. Maybe you can be more secure than some, but never fully secure as long as you have a connection to the net.

        • (Score: 2) by fadrian on Tuesday May 23 2017, @01:06PM

          by fadrian (3194) on Tuesday May 23 2017, @01:06PM (#514193) Homepage

          Get back to me when you've proven your BIOS to be error free. And you haven't even gotten to the OS level yet.

          --
          That is all.
  • (Score: 4, Insightful) by aiwarrior on Sunday May 21 2017, @03:42PM (19 children)

    by aiwarrior (1812) on Sunday May 21 2017, @03:42PM (#513042) Journal

    United States is no longer morally superior to other countries, and worse its population is getting beaten with news of it. I remember reading, and agreeing, that Kissinger considered essential for the survival and thriving of the USA, that its people had an ambivalence between national interest and moral grounds.

    I guess the news of NSA's own weapons laying virtual destruction throughout the world, when its intrinsic value could have been to protect morally legitimate American and humanity's interest, does not bode well for this American identity.

    Another nail in the ambivalence is seeing a president being hailed and pampered by leaders who are of the sort which despise the moral value of anything. Look at who the president gets Kudos from: new deals with Saudi Arabia, friendly talks with Putin and comrades. Damn, even Duterte was rehabilitated, a man who is the very face of evil, as in no-rules populism.

    The only one who smiles is China: see the great train Chinese belt that goes from Beijing to Hannover. As a European it saddens me to see the beacon go dark.

    • (Score: 1, Informative) by Anonymous Coward on Sunday May 21 2017, @04:19PM (1 child)

      by Anonymous Coward on Sunday May 21 2017, @04:19PM (#513048)

      That beacon went dark at least fifteen years ago. The only thing I'm saddened about is that it took this long for the world to realize it.

      • (Score: 0) by Anonymous Coward on Sunday May 21 2017, @11:19PM

        by Anonymous Coward on Sunday May 21 2017, @11:19PM (#513192)

        The beacon went dark as early as the Korea war.

    • (Score: 0) by Anonymous Coward on Sunday May 21 2017, @04:27PM (12 children)

      by Anonymous Coward on Sunday May 21 2017, @04:27PM (#513050)

      United States is no longer morally superior to other countries

      It is certainly morally superior to China, Bangladesh, and ISIS.

      It was never morally superior to all, nor is it likely to become morally inferior to all.

      It has fallen in the ordering, but it is definitely still morally superior to plenty of countries.

      • (Score: 0) by Anonymous Coward on Sunday May 21 2017, @05:02PM (11 children)

        by Anonymous Coward on Sunday May 21 2017, @05:02PM (#513067)

        The USA lays claim to 50%+ to the typical productive person's resources through direct taxation and fees, and up to 88% of that same person's production through taxes and "costs of compliance" which results in massively-increased prices for goods and services.

        If it is assumed that 100% confiscation of production is slavery, what is 50-88% confiscation? Not a lot of room for any moral superiority there. "Hooray, we leave you with 12% of the resources you worked for! USA! USA! USA! USA!"

        • (Score: 1, Insightful) by Anonymous Coward on Sunday May 21 2017, @05:11PM

          by Anonymous Coward on Sunday May 21 2017, @05:11PM (#513069)

          You'd expect that for that much money you could get at least one of healthcare and education :)

        • (Score: 2, Insightful) by Anonymous Coward on Sunday May 21 2017, @05:46PM (2 children)

          by Anonymous Coward on Sunday May 21 2017, @05:46PM (#513077)

          If it is assumed that 100% confiscation of production is slavery

          No, that's theft. Slavery is ownership of humans.

          If a citizen doesn't consent to their being governed, and democracy doesn't grant the government legitimacy to rule nonconsenting parties, then it's theft.

          It's the same theft performed by all currently extant governments which I'm aware of, simply in a greater degree. But it's worth noting that most USAians do consent to be governed by the USG, and so in the majority of cases it isn't theft.

          Now certainly the fact they only steal from a small number of people who don't consent to be governed doesn't make it more moral, nor does the fact that most other countries also steal, certainly not. But we're talking about morality _relative_ to other governments, so the fact that (almost, probably all) others do it _is_ relevant to the morality of the USG _relative_ to those other governments.

          When countries like China murder their innocent citizens to harvest their organs for party members, and when countries like Mauritania, Sudan, Nigeria, Yemen, Saudi Arabia, Qatar, Somalia, Iran, and ISIS kill gays for being gay, that does in fact leave a lot of room for moral superiority.

          • (Score: 0) by Anonymous Coward on Monday May 22 2017, @09:39AM (1 child)

            by Anonymous Coward on Monday May 22 2017, @09:39AM (#513411)

            Well, if theft is permanent and non-optional then you could argue it is a slavery. However, if you can opt out, like in "renounce citizenship" then you are not a slave, but then again, it is a choice between being domesticated or being a game, or even more precisely, being a domesticated in household A vs. being a domesticated in household B.

            • (Score: 0) by Anonymous Coward on Monday May 22 2017, @11:02AM

              by Anonymous Coward on Monday May 22 2017, @11:02AM (#513441)

              if theft is permanent and non-optional then you could argue it is a slavery

              Slavery doesn't describe a lived experience, it describes a legal situation. One _cannot_ tell from direct experience whether a situation constitutes slavery because slavery doesn't describe an experience but a legal state.

              If a person was kidnapped, and forced to work on a farm for life, but it was illegal then that wouldn't be slavery. It would be physically indistinguishable from slavery, but slavery does not describe a _physical_ thing, but rather a legal situation.

              Slavery only exists within the concept of a legal system.

              Perhaps we ought to have a word for forced labour, and another for such extreme theft, but presently I'm not aware of any English words fitting the bill. Perhaps you should coin some, or go find some in another language, but you ought not redefine extant and well-defined words.

        • (Score: 0) by Anonymous Coward on Sunday May 21 2017, @08:25PM (1 child)

          by Anonymous Coward on Sunday May 21 2017, @08:25PM (#513143)

          Then why is the government budget not even half the GDP?

          • (Score: 0) by Anonymous Coward on Sunday May 21 2017, @09:03PM

            by Anonymous Coward on Sunday May 21 2017, @09:03PM (#513154)

            I don't hold his position, but this argument is flawed.
            One's contribution to the GDP can be increased without increasing one's income, and govt. revenue doesn't exclusively come from VAT.

        • (Score: 2) by Lagg on Sunday May 21 2017, @09:54PM (4 children)

          by Lagg (105) on Sunday May 21 2017, @09:54PM (#513171) Homepage Journal

          Funny you mention that. I went to H&R block because I could afford to do my contractor's taxes "really" for the first time instead of mailing checks every year. After paying off what I apparently owed for realsies, I am now preparing to sell my house and have not been paid in 1+ months because I'm trying to do payroll "correctly". There's no way I can sustain that kind of thing as a freelancer. Apparently some of the tax penalty was because I don't have health insurance (also unsustainable). Kind of a loop, and I only got out of it by finally giving up on aspirations for independent business.

          Murika. I blame the aliens [youtube.com].

          Also this is offtopic in a manner of speaking, but if you guys can't see the connection in the wider scale and system when it comes to our government's hostility. Pls rerun your eval loop.

          --
          http://lagg.me [lagg.me] 🗿
          • (Score: 0) by Anonymous Coward on Monday May 22 2017, @04:26AM (3 children)

            by Anonymous Coward on Monday May 22 2017, @04:26AM (#513312)

            I am now preparing to sell my house and have not been paid in 1+ months because I'm trying to do payroll "correctly".

            I don't see how doing payroll correctly would prevent you from getting paid.

            • (Score: 2) by Lagg on Monday May 22 2017, @06:30AM (2 children)

              by Lagg (105) on Monday May 22 2017, @06:30AM (#513357) Homepage Journal

              Paperwork requirements, can't drive, the payroll company needing more information.

              I generally expect for things like this to happen and they always do. You've never had that happen? I budget for that shit it's happened to me so many times. It's one reason I tried doing the contractor thing in the first place. Clearly I was naive in expecting the burden to be /less/ as a private contractor.

              --
              http://lagg.me [lagg.me] 🗿
              • (Score: 0) by Anonymous Coward on Monday May 22 2017, @04:38PM (1 child)

                by Anonymous Coward on Monday May 22 2017, @04:38PM (#513570)

                Sorry, I am still missing something. You are saying that you have so much paperwork to fill out after freelancing for a bit that it is basically a full time job for months?

                • (Score: 2) by Lagg on Monday May 22 2017, @10:10PM

                  by Lagg (105) on Monday May 22 2017, @10:10PM (#513803) Homepage Journal

                  No, sorry. Guess this is an issue of me not liking to discuss financial stuff on the internet too much out of safe precaution and not wanting to speak out of turn due to lack of education on the subject. But no, it's mostly just a matter of waiting for bureaucracy. It's a very common occurrence for me to send stuff in, wait for a response that decided additional information was required, repeat. I did have a lot of paperwork to settle what I owed, but that's why I went to H&R Block (and hope I can afford it next year).

                  The paperwork was indeed from freelancing for a bit though, unfortunately. I thought I could wing it. Turns out sending a check and 1040-V isn't even close to enough.

                  --
                  http://lagg.me [lagg.me] 🗿
    • (Score: 0) by Anonymous Coward on Sunday May 21 2017, @04:51PM

      by Anonymous Coward on Sunday May 21 2017, @04:51PM (#513063)

      United States is no longer morally superior to other countries

      You speak as if this is a recent turn of events. That ship sailed decades ago [wikipedia.org].

    • (Score: 1, Interesting) by Anonymous Coward on Sunday May 21 2017, @06:26PM (2 children)

      by Anonymous Coward on Sunday May 21 2017, @06:26PM (#513091)

      Torture buddy, you forgot torture. https://en.wikipedia.org/wiki/Senate_Intelligence_Committee_report_on_CIA_torture [wikipedia.org] Read all about it, it's absolutely disgusting. And unsurprisingly ineffective. And how the CIA lied about everything to the people and the congress among others.

      The sad thing is people will cheer when China puts US to its place, when the hated master falls down and will be trodden upon. And then it will dawn on other nations: Meet the new boss, same as the old boss...

      • (Score: 2) by Runaway1956 on Sunday May 21 2017, @08:59PM (1 child)

        by Runaway1956 (2926) Subscriber Badge on Sunday May 21 2017, @08:59PM (#513152) Homepage Journal

        "Meet the new boss, same as the old boss..."

        Probably not. Different history, different culture, different values. There will be some whose lives are better, or at least perceived to be better, under Chinese domination. There are others whose lives will be worse. And, there will be yet others to whom it makes no difference at all.

        But, China has no equivalent to our respect for liberties, nor does it have any respect for individualism. Better or worse, life will be different.

        --
        Abortion is the number one killed of children in the United States.
        • (Score: 2) by aiwarrior on Monday May 22 2017, @05:25PM

          by aiwarrior (1812) on Monday May 22 2017, @05:25PM (#513610) Journal

          Strange to say, but I agree with you (sorry Runaway1956, but we rarely agree). On-topic:
          They have quite a different culture and in a sense their current state management is very similar to imperial China. They invest and provide real benefits to surrounding peoples for not more than acknowledgment of the power and demand tributes which are normally based on whims of the ruling caste.

  • (Score: 3, Interesting) by shortscreen on Sunday May 21 2017, @06:00PM

    by shortscreen (2252) on Sunday May 21 2017, @06:00PM (#513081) Journal

    Sega CD fans at the NSA?

  • (Score: 3, Informative) by Anonymous Coward on Sunday May 21 2017, @09:23PM (1 child)

    by Anonymous Coward on Sunday May 21 2017, @09:23PM (#513164)

    From MS - SMB Ports 445/139 (TCP) & 137/138 (UDP) protection via:

    Disable SMBv1 on the SERVER, configure the following registry key:

    Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    Registry entry: SMB1

    REG_DWORD: 0 = Disabled
    REG_DWORD: 1 = Enabled

    Default: 1 = Enabled

    Enable SMBv2 on the SERVER, configure the following registry key:

    Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    Registry entry: SMB2

    REG_DWORD: 0 = Disabled
    REG_DWORD: 1 = Enabled

    Default: 1 = Enabled

    ---

    Disable SMBv1 on the CLIENT, run the following commands:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi

    sc.exe config mrxsmb10 start= disabled

    Enable SMBv2 & SMBv3 on the CLIENT, run the following commands:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi

    sc.exe config mrxsmb20 start= auto

    ---

    * The above is per https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012/ [microsoft.com]

    APK

    P.S.=> For a SINGLE 'standalone' non-networked PC (no home network/LAN but TCP/IP connected online) turn off Server & Workstation services.

    That shuts off any "handles" (port 445) this thing propagates thru + turn off NetBIOS over TCP/IP in your internet connection & uncheck/disable Client for Microsoft Networks + File and Print Sharing. Port 139 & 445 always pop up issues over time. It also makes your packet trains smaller (no encapsulation of LanMan)

    I covered all this 11++ yrs. ago in a security guide I wrote for users with a single system & apparently, its advice STILL STANDS THE "TEST OF TIME" https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=HOW+TO+SECURE+Windows+2000/XP&btnG=Google+Search&gbv=1/ [google.com] vs. even today's threats like this one.

    * This effectively makes this threat a non-issue + saves you CPU cycles/RAM & other I/O wasted on services you don't NEED as a single PC user only... & you don't. They're just wastes with a single PC really. Many services are (covered in guide above based on CIS Tool guidance (who took fixes to their ware from "yours truly" too, no less)) & again, no more encapsulated packet bulk.

    AND?

    Don't be STUPID & click on attachments in bogus malicious emails this thing propagates thru also (Chrome/Opera/Webkit users - BEWARE of the ShellControlFile issue that just popped up (.scf file) noted here-> http://www.theregister.co.uk/2017/05/17/chrome_on_windows_has_credential_theft_bug/ [theregister.co.uk] ) ... apk
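
An added example, not part of the comment above or of Microsoft's article: a Python check that reads saved `reg query` and `sc.exe qc` output from a host and reports which of the SMBv1 settings listed in that comment are still not applied. The sample outputs are constructed, and the function names (`reg_dword`, `sc_field`, `audit`) are this example's own.

```python
import re

# Constructed sample output (not captured from a real host) of:
#   reg query HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
#   sc.exe qc mrxsmb10
#   sc.exe qc lanmanworkstation
REG_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    autodisconnect    REG_DWORD    0xf
    SMB2    REG_DWORD    0x1
"""

SC_MRXSMB10 = """
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: mrxsmb10
        TYPE               : 2  FILE_SYSTEM_DRIVER
        START_TYPE         : 2   AUTO_START
        DEPENDENCIES       : mrxsmb
"""

SC_WORKSTATION = """
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: lanmanworkstation
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        DEPENDENCIES       : Bowser
                           : MRxSmb10
                           : MRxSmb20
                           : NSI
"""


def reg_dword(text, name, default):
    """Return a REG_DWORD value from `reg query` output, or `default` if absent."""
    m = re.search(rf"^[ \t]+{re.escape(name)}[ \t]+REG_DWORD[ \t]+(0x[0-9a-fA-F]+)",
                  text, re.M | re.I)
    return int(m.group(1), 16) if m else default


def sc_field(text, field):
    """Return all values of one `sc.exe qc` field, including continuation lines."""
    values, collecting = [], False
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if not sep:                 # no "key : value" on this line
            collecting = False
            continue
        key = key.strip()
        if key == field:
            collecting = True
        elif key:                   # a different field starts here
            collecting = False
        if collecting and val.strip():
            values.append(val.strip())
    return values


def audit(reg_text, sc_mrxsmb10, sc_workstation):
    """List the settings from the comment that are not applied on this host."""
    findings = []
    # The comment gives "Default: 1 = Enabled", so a missing value means enabled.
    if reg_dword(reg_text, "SMB1", default=1) != 0:
        findings.append("server: SMB1 enabled")
    if reg_dword(reg_text, "SMB2", default=1) == 0:
        findings.append("server: SMB2 disabled")
    # START_TYPE 4 is DISABLED; anything else leaves the SMBv1 client driver loadable.
    start = sc_field(sc_mrxsmb10, "START_TYPE")
    if not start or int(start[0].split()[0]) != 4:
        findings.append("client: mrxsmb10 driver not disabled")
    deps = [d.lower() for d in sc_field(sc_workstation, "DEPENDENCIES")]
    if "mrxsmb10" in deps:
        findings.append("client: lanmanworkstation still depends on mrxsmb10")
    return findings


if __name__ == "__main__":
    for finding in audit(REG_SAMPLE, SC_MRXSMB10, SC_WORKSTATION):
        print(finding)
```

The case worth noticing is the first finding: the sample registry output has no `SMB1` value at all, which an audit that only looks for `SMB1 = 1` would pass as clean.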

    • (Score: 2) by DECbot on Monday May 22 2017, @03:46PM

      by DECbot (832) on Monday May 22 2017, @03:46PM (#513547) Journal

      Nice!
      When you looked those up, did you happen to see any mention if the Apple, Linux, and BSD implementations of SMB (client and server) also suffered from the same vulnerabilities?

      --
      cats~$ sudo chown -R us /home/base