|
Some amazing luck right there
|
# ? May 13, 2017 01:29 |
|
|
# ? Apr 28, 2024 13:05 |
|
https://twitter.com/NerdPyle/status/719977329548664832 https://twitter.com/NerdPyle/status/863203884595953664
|
# ? May 13, 2017 05:18 |
|
A rare moment where the hackers get dumpstered.
|
# ? May 13, 2017 06:57 |
|
https://twitter.com/hacks4pancakes/status/863296709681721344 Just when MS thought they were out, they got pulled back in.
|
# ? May 13, 2017 08:47 |
|
Kind of a bandaid on the gunshot, if you ask me. They should offer a free upgrade to people who got hit by the malware, maybe like they did for Windows 10. They need to take this insecure software out of circulation.
|
# ? May 13, 2017 10:24 |
|
I don't think people still running XP / Server 2003 are doing it because of the cost of the software license.
|
# ? May 13, 2017 10:52 |
|
Yeah, but it's a good incentive.
|
# ? May 13, 2017 10:55 |
|
it's really not, the bespoke bullshit software they paid hundreds of thousands of dollars for that only works on xp is going to be a bigger factor always
|
# ? May 13, 2017 10:57 |
|
https://twitter.com/mspoweruser/status/863308870688546816
|
# ? May 13, 2017 12:54 |
|
Cup Runneth Over posted:Yeah, but it's a good incentive. The computer still running XP for the X-Ray machine software is not getting updated to Windows 10 because now it's $0 instead of $100. It is not getting upgraded for any reason, unless the reason is "the manufacturer is giving us a free version of their newest software and sending a tech out gratis to handle the migration and also they're buying a new computer and also they're compensating us heavily for the cost of our machine being out of commission while they do it" Except the manufacturer went bust 10 years ago so that's never even a theoretical Volmarias fucked around with this message at 12:57 on May 13, 2017 |
# ? May 13, 2017 12:55 |
|
https://twitter.com/hackerfantastic/status/863359375787925505
|
# ? May 13, 2017 13:03 |
|
MS spent zero money on that patch because they already made it for POSready.
|
# ? May 13, 2017 14:22 |
|
Double Punctuation posted:MS spent zero money on that patch because they already made it for POSready.
|
# ? May 13, 2017 14:24 |
|
Absurd Alhazred posted:https://twitter.com/hacks4pancakes/status/863296709681721344 So weird to see someone I know IRL quoted here.
|
# ? May 13, 2017 14:36 |
|
This is wonderful.
|
# ? May 13, 2017 15:02 |
|
flosofl posted:So weird to see someone I know IRL quoted here. I can't imagine the anglophone security field is that big, ultimately.
|
# ? May 13, 2017 17:54 |
|
Absurd Alhazred posted:I can't imagine the anglophone security field is that big, ultimately. ...really? I would think it was most of the security field, by a large margin.
|
# ? May 13, 2017 18:08 |
|
Subjunctive posted:...really? I would think it was most of the security field, by a large margin. Nah, there's a lot of really really smart people from Eastern Europe, Asia-Pac, and Latin America in security. The number UK/US/AUS based security people isn't tiny, but it's not a hugely populated field compared to other IT disciplines. So you tend to be at one or two removes from people in the first place. It just never ceases to be weird to me when I see people I've worked with, been on the same softball team or been out drinking with cited on the Internet or are SME's on a news show, etc...
|
# ? May 13, 2017 19:35 |
|
Volmarias posted:The computer still running XP for the X-Ray machine software is not getting updated to Windows 10 because now it's $0 instead of $100. It is not getting upgraded for any reason, unless the reason is "the manufacturer is giving us a free version of their newest software and sending a tech out gratis to handle the migration and also they're buying a new computer and also they're compensating us heavily for the cost of our machine being out of commission while they do it" Which is why they need to start protecting these devices the same way they protect ICS and SCADA systems. There's no excuse to have these machines worm accessible this late in the game.
|
# ? May 13, 2017 19:53 |
|
BelDin posted:Which is why they need to start protecting these devices the same way they protect ICS and SCADA systems. There's no excuse to have these machines worm accessible this late in the game. You're going to get sad when you learn how some people protect ICS and SCADA systems.
|
# ? May 13, 2017 20:38 |
|
Trabisnikof posted:You're going to get sad when you learn how some people protect ICS and SCADA systems. Already know how some do it, and it does make me sad. Fortunately, I make a living off people that are forced to secure theirs thanks to FERC. Nobody does anything until they're forced to....
|
# ? May 13, 2017 21:03 |
|
BelDin posted:Which is why they need to start protecting these devices the same way they protect ICS and SCADA systems. There's no excuse to have these machines worm accessible this late in the game. It's cute that you think those systems are held to a higher standard. Even NERC-CIP gives a huge amount of leeway to accept risk and do fuckall about it. This is an industry that is still largely suspicious of the concept of patching, because "things only break when you change them"
|
# ? May 13, 2017 21:54 |
|
BangersInMyKnickers posted:It's cute that you think those systems are held to a higher standard. Even NERC-CIP gives a huge amount of leeway to accept risk and do fuckall about it. This is an industry that is still largely suspicious of the concept of patching, because "things only break when you change them" Might just be my experience in an organization with a strong governance model and senior level buy in for security. Definitely the exception, but I've seen it work. Patches and new releases were rolled out after testing on the telecom side, and the systems guys were the only ones that needed the stick to get on board. They have the added incentive of being able to capitalize new hardware, so everything in the field that's IP based is only a few years old at the most. Business networks and multiple SCADA networks were separated based on device classification, and nothing had direct (or even indirect in most cases) internet or internal business network access. Device management had to be performed through a VDI system that had no local device access, copy and paste was disabled, and remote drive access was disabled as well. So yeah, some of them get it, and was talking about those that do.
|
# ? May 13, 2017 22:32 |
|
flosofl posted:Nah, there's a lot of really really smart people from Eastern Europe, Asia-Pac, and Latin America in security. Sure, but how many of them don't speak English? If you're not in China you really need to interact with the rest of the industry if you're going to have a career, and that means English.
|
# ? May 14, 2017 00:32 |
|
BangersInMyKnickers posted:It's cute that you think those systems are held to a higher standard. Even NERC-CIP gives a huge amount of leeway to accept risk and do fuckall about it. This is an industry that is still largely suspicious of the concept of patching, because "things only break when you change them" Yeah, also you get the the joys of working with engineers (usually EEs) that think they can do your job because how hard could it be really and expect everything to have a 20 year lifetime.
|
# ? May 14, 2017 02:57 |
|
Apparently this was sent out by someone at an Israeli company. Translation from the Hebrew follows: "Hello, I assume you're aware of the recent international ransomware cyber-attack. Please see the attached file from the Cyber Bureau (an actual government agency in Israel --- AA). Exercise Caution in Opening Attached Documents The virus is commonly distributed via PDF files. We recommend that you avoid opening such files in the next few days. If you have the smallest suspicion, please get in touch with us, so we can confirm that the file is valid. Thanks Meir" Absurd Alhazred fucked around with this message at 19:26 on May 14, 2017 |
# ? May 14, 2017 18:09 |
|
I hope the PDF just says "What did I just tell you dumbass!"
|
# ? May 14, 2017 18:24 |
|
Rectus posted:I hope the PDF just says "What did I just tell you dumbass!" That would be funnier, but according to the person who posted this, it is actually a document from the National Cyber Bureau in the Israeli Prime Minister's Office.
|
# ? May 14, 2017 18:31 |
|
|
# ? May 14, 2017 19:04 |
|
There's just no way I can win...
|
# ? May 14, 2017 19:25 |
|
This dude bought us enough time to push patches to everything we could find that was deficient and is a goddamn hero.
|
# ? May 14, 2017 19:44 |
|
The guy that registered that deactivation domain just registered it because it was a random sting they found and didn't connect it (at the time) to a function (which we now know prevents the spread). His frame of thought was in a tweet he did after the fact. Thinking about it more that was an actual super dangerous thing to do to register a domain without knowing why it's in the malware. It could have been a flag delete all keys immediately to prevent recovery, a signal to begin ramp up of the spread, or a sign for the malware to constantly mutate itself to prevent pattern based AV. EVIL Gibson fucked around with this message at 23:56 on May 14, 2017 |
# ? May 14, 2017 19:50 |
|
EVIL Gibson posted:The guy that registered that deactivation domain just registered it because it was a random sting they found and didn't connect it (at the time) to a function (which we now know prevents the spread). This was in a tweet he did. The Infosec version of the age old trope 'I wonder what this button does?'
|
# ? May 14, 2017 22:04 |
|
Meanwhile, our UK news is surveying the aftermath of the NHS computers that were held to ransom: "This was an attack that was unprecedented in scale..." Nope. It wasn't the size of the attack. The computer program will only attack where it can get through. If anything, the size of your holes were "unprecedented".
|
# ? May 15, 2017 06:10 |
|
EVIL Gibson posted:The guy that registered that deactivation domain just registered it because it was a random sting they found and didn't connect it (at the time) to a function (which we now know prevents the spread). His frame of thought was in a tweet he did after the fact. It wasn't a whim to register. SOP when trying to "disarm" and analyze an outbreak is to try to sinkhole the C&C, which is what MalwareTech assumed this was. You do that so you can start to a) capture any active traffic for analysis and b) disrupt the C&C functions. The fact it was unregistered just made it easier to sinkhole, and you want to jump on it quickly in case it was an oversight and the attacker could correct it at any moment. The fact that the domain itself was the killswitch was happenstance, which MalwareTech points out in his twitter feed. However, this is just a welcome respite, so patch your poo poo. I've heard rumblings some moron researcher has already loaded a variant of this to VT without the killswitch which means it's probably only a matter of days before a version with either a more sophisticated kill-switch or one that has no kill-switch is released.
|
# ? May 15, 2017 06:26 |
|
Why's it bad that someone uploaded that? Isn't the idea to have a signature in place so all the AV can detect the killswitch-less version if someone removes that and pushes it out again? Thats probably a stupid question but I don't know anything about the cyber wars
|
# ? May 15, 2017 06:38 |
|
flosofl posted:It wasn't a whim to register. SOP when trying to "disarm" and analyze an outbreak is to try to sinkhole the C&C, which is what MalwareTech assumed this was. You do that so you can start to a) capture any active traffic for analysis and b) disrupt the C&C functions. The fact it was unregistered just made it easier to sinkhole, and you want to jump on it quickly in case it was an oversight and the attacker could correct it at any moment. It's all about liability. Read the Twitter message again. He didn't know what it did. They probably just did a strings and found the URL. There was no reason why the dude registered the domain without knowledge of what it would do when it happened besides it wasn't registered. Heres the actual tweet: https://mobile.twitter.com/MalwareTechBlog/status/863187104716685312 Thinking from a company point of view where if registering a domain did cause more damage, MalwareTech could be brought to court and be held liable for damages the moment the domain went online. It really seems out there, but lawsuits can be issued for less. If they had enough data to show the malware would dump after seeing the domain up; sure go ahead. It was just super dumb to register it before if they spent more time looking at it. EVIL Gibson fucked around with this message at 06:53 on May 15, 2017 |
# ? May 15, 2017 06:51 |
|
EVIL Gibson posted:It's all about liability. What is the greater damage you think he could have caused ? Infected machines are toast anyway and going to be reimaged. At last count only 20 people were dumb enough to pay the ransom and they didn't get a decryption key.
|
# ? May 15, 2017 07:47 |
|
baka kaba posted:Why's it bad that someone uploaded that? Isn't the idea to have a signature in place so all the AV can detect the killswitch-less version if someone removes that and pushes it out again? registering the domain blind was a terrible idea, and all the worse that researchers are now encouraged to do it before ramifications are known for potential publicity
|
# ? May 15, 2017 10:29 |
|
|
# ? Apr 28, 2024 13:05 |
EVIL Gibson posted:It's all about liability. And here's the actual writeup: https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html quote:Now one thing that’s important to note is the actual registration of the domain was not on a whim. My job is to look for ways we can track and potentially stop botnets (and other kinds of malware), so I’m always on the lookout to pick up unregistered malware control server (C2) domains. In fact I registered several thousand of such domains in the past year.
|
|
# ? May 15, 2017 12:45 |