Hello folks,
I don’t know how I can turn this into a longer article, so I’ll post it to my blog and leave it at that. I joined the SANS group for a webinar regarding this new threat called WannaCry. This article from Krebs on Security entitled U.K. Hospitals Hit in Widespread Ransomware Attack was posted on the 12th of May. As Brian covered, he mentioned what this was, and the fact that not only were the hospitals hit with this, but so was a telephone company. SANS’s webinar last night said there were at least 56,000 different infections at one point, just by doing scans, nothing more. They made it clear that they never accessed any machines, just did scans.
SANS indicates that while this was bad, it’s only going to get worse. US-CERT has a write-up entitled Indicators Associated With WannaCry Ransomware which was posted yesterday as well. I’m not too familiar with the SMB system, but this can hit even with patched systems. We’ll keep our eyes and ears open for more.
I go back to what I posted via Vocal a few days ago. You have to start at the human level. What I don’t know, especially on the Google aspect, was this: was that particular email which brought up the OAuth dialogue something that was sent by email? Granted, I think that particular one was in a specific country and spread, but this, I’m not clear even through the webinar on how this spread. I think the major aspect of this is the human aspect. I think the article should be given a read. Your thoughts are interesting, and it is definitely worth talking about. Thanks for your thoughts! Anyone else?
What interests me is the ransomware itself.
To be honest it’s not that much of a big deal in the big picture.
In theory everyone should be auto-updating their systems, unless there is a specific reason not to do so at the times that are usually set for updates.
I am unsure about big companies, but at home on Wednesday and sometimes Saturday I reserve a few hours from 6 till 9 in the morning where I make sure everything gets updated. Wednesday is Tuesday in the US, and even when there are no patches from MS out, people seem to flock to updates on or around that day. Other common days are Thursday, Friday, Saturday and Sunday.
I always update my workstation and I have backups.
The security flaw, while big, still is not the issue; phishing emails are the issue.
Social engineering attacks still exist, and it’s our brains that are hacked before our computers. We can’t install security software on our minds just yet, so we need to educate ourselves not to open that message or not to click.
This thing was not a problem; it was solved in March.
But unpatched systems with clickers on here and there caused the issue.
Now where the fuck are we going wrong? There are enough resources; we push it down the throats of people.
The ransomware is not a problem, the unpatched systems are not a problem, the spam and phishing emails are not a problem.
But people falling and clicking the links are again the problem.
Education can’t be it, I do think we are actually doing quite a lot, there can be only so many sites and blogs stating the same thing from time to time.
We have the resources, so where are we fucking up?
Maybe we need to start banning USB drive access for gullible people getting this stuff at home and bringing it in. Blocking USB drives is the last thing I’d want to do, of course; portable apps, blind-friendly software, a lot of stuff uses them. But now do we have to not trust USB drives on company networks and school networks? Since everything is on the cloud it should be relatively safe, I mean you can’t take down the entire cloud network, or at least you hope you can’t.
Even with that approach things could still get in.
Maybe we need to extend it further, work emails should never go home except when needed, but home networks and emails and other things shouldn’t be allowed, twitter, facebook and everything bar stuff you need from work be blocked.
Maybe we need to block the net entirely to everyone at work that doesn’t need it. Of course you can’t block phones as such, but who knows.
Blocking all wireless and Bluetooth access would help I guess, or at least Bluetooth, but what about the other stuff?
Do we need to block remote access or the net entirely except for what is needed?
Then there are home PCs as well: not allow home PCs to connect to the network for companies at all, but if a file in the cloud ever got something, and it can, then we are back to square 1.
What’s the answer?
We could restrict the hell out of it and still not get the right answer.
I have seen some of this at workplaces; in some countries it is illegal to do any work from work at home, and it costs more if someone needs to do so, including answering emails, etc.
Of course it rarely works that way.
I do know that on a lot of networks here at work places the net is blocked until lunch time etc.
I also know from my cousin, who was at school and is now at uni, that all access, well, there wasn’t any general network access, but it was all handled by cloud drives.
Of course there may still be a few missing all the info, but even with this, this ransomware attack shouldn’t have been anything more than another phishing issue.
Again I say there is no defence against a social attack with phishing or other things, none bar knowing what it is.
So where are we going wrong?
It’s no good reacting like this; securing the current issue will not fix it. In fact, even if people updated everything and still fell, well.
We have the resources, the muscle, the infrastructure.
Hi Shaun,
I believe I remember hearing something about a kill switch in a piece of malware too recently. I don’t remember if this was it, but I found that interesting. I don’t remember if I read it from your link, or maybe through Security Now or another source. It’s definitely getting interesting out there.
The only thing I need to say to this, well, things:
1. This is only an issue if you don’t update Windows, apparently from Microsoft.
This does show though that a lot of systems do not auto-update. I do know Windows updates can screw things from time to time, but why you wouldn’t run updaters from time to time is beyond me.
I did notice that flaw in March, but MS is as cryptic as the ransomware; they are quite secretive about what they update.
The second is a reply back at your face:
http://www.standard.co.uk/news/health/nhs-cyber-attack-uk-researcher-accidentally-stops-global-spread-of-ransomware-by-activating-kill-a3538236.html
Read that and go away.