CKA Forums
Login 
canadian forums
bottom
 
 
Canadian Forums

Author Topic Options
Offline
CKA Super Elite
CKA Super Elite
 Vancouver Canucks
User avatar
Profile
Posts: 9445
PostPosted: Tue Jun 27, 2017 3:11 pm
 


BartSimpson wrote:
BRAH wrote:
Or stay off the internet. :roll:


Probably not a bad idea today.

Stay off Porn Hub too...............so I've heard. Image


Offline
CKA Moderator
CKA Moderator
User avatar
Profile
Posts: 33975
PostPosted: Wed Jun 28, 2017 6:07 am
 


The German company who's email service the Hackers were using to communicate with victims blocked that account. So, even if you pay the ransom, you won't be able to ge the key to unlock your files.

Assuming the hackers ever intended to give out keys.

Moral of the story: don't get infected. If you do, the only way out is to format your machine and restore from backup.


Offline
CKA Moderator
CKA Moderator
User avatar
Profile
Posts: 33975
PostPosted: Wed Jun 28, 2017 7:46 am
 


Microsoft has a good writeup and analysis:

https://blogs.technet.microsoft.com/mmp ... abilities/


Offline
CKA Uber
CKA Uber
 Vancouver Canucks
User avatar
Profile
Posts: 23771
PostPosted: Wed Jun 28, 2017 7:58 am
 


DrCaleb wrote:
The German company who's email service the Hackers were using to communicate with victims blocked that account. So, even if you pay the ransom, you won't be able to ge the key to unlock your files.

Assuming the hackers ever intended to give out keys.

Moral of the story: don't get infected. If you do, the only way out is to format your machine and restore from backup.

That was a dumb move. The attackers have generally unlocked the computers, because if they don't, no one will ever pay. So why block the channel that allows for this? I know people who have had to deal with ransomware attacks through my school, one of the professors was called in to help. The hackers have better customer service than 99% of the companies you deal with on a daily basis.
Image


Offline
CKA Uber
CKA Uber
 Vancouver Canucks
User avatar
Profile
Posts: 23771
PostPosted: Wed Jun 28, 2017 8:05 am
 


BartSimpson wrote:
The ransomware spreads via SMBv1 and the first recommendation is to disable SMBv1 on your firewalls if possible.

Also confirmed is that the ransomware uses the EXTERNAL BLUE exploit that was leaked from the NSA. :evil:

I assume you mean Eternal Blue?

So the same exploit that was used a month and a half ago, that was patched three months before that.

Can't say I have a lot of sympathy. The first one I can let go because most businesses have shit patch timelines. The second hit is inexcusable, they completely ignored the last attacks. People should be fired over this.


Offline
CKA Moderator
CKA Moderator
User avatar
Profile
Posts: 33975
PostPosted: Wed Jun 28, 2017 8:11 am
 


Tricks wrote:
That was a dumb move. The attackers have generally unlocked the computers, because if they don't, no one will ever pay. So why block the channel that allows for this? I know people who have had to deal with ransomware attacks through my school, one of the professors was called in to help. The hackers have better customer service than 99% of the companies you deal with on a daily basis.


Because you have to stop that channel for getting paid, or these attacks will continue and get worse. The business model must be broken before it becomes the new normal.

I would love to see a 'White Hat' hacker release one of these trojans that encrypts your documents, accepts payment, then does not deliver the keys. One finger, two words. People then might start being a little more careful.


Offline
CKA Uber
CKA Uber
 Vancouver Canucks
User avatar
Profile
Posts: 23771
PostPosted: Wed Jun 28, 2017 8:34 am
 


DrCaleb wrote:
Because you have to stop that channel for getting paid, or these attacks will continue and get worse. The business model must be broken before it becomes the new normal.
They'll just use a new channel. All they did was fuck over the victims for sure in this attack.
Quote:
I would love to see a 'White Hat' hacker release one of these trojans that encrypts your documents, accepts payment, then does not deliver the keys. One finger, two words. People then might start being a little more careful.

Clearly not, considering they ignored the last one entirely.


Offline
CKA Moderator
CKA Moderator
User avatar
Profile
Posts: 33975
PostPosted: Wed Jun 28, 2017 8:54 am
 


Tricks wrote:
DrCaleb wrote:
Because you have to stop that channel for getting paid, or these attacks will continue and get worse. The business model must be broken before it becomes the new normal.
They'll just use a new channel. All they did was fuck over the victims for sure in this attack.


I'd argue the victims were already fucked. Only the ransomers got fucked this time too.

Tricks wrote:
Quote:
I would love to see a 'White Hat' hacker release one of these trojans that encrypts your documents, accepts payment, then does not deliver the keys. One finger, two words. People then might start being a little more careful.

Clearly not, considering they ignored the last one entirely.


This one is spread through no fault of the user, as Eternal Blue uses the SMB protocols as an attack vector and steals domain credentials among other things.

But with the last one, businesses paid a lot of ransom to get their files back. Businesses that decided it was cheaper to skimp on IT and pay the ransom rather than to protect themselves in the first place.

The lengths we go to around here to protect ourselves isn't even enough. We sometimes get hit with ransomware, because some employee clicks on something that is obviously a trap. But when we have to spend many man hours to fix the problem and restore service, the employee learns that their employment hinges on them being more careful. And they don't do it again.

That's what the rest of the world needs to learn. Computers aren't new anymore. You can't grow up and get a job now without having to learn the basics about a computer, like when I was growing up. People learnt that you don't pay a crack whore $20 for sex and not receive serious consequences.

Same needs to be taught about the internet. And perhaps a few people need to lose all the selfies they took in order to learn that lesson. It's inconvenient. But having hospitals knocked offline by ransomware crosses the line from inconvenient to life threatening.


Offline
CKA Moderator
CKA Moderator
 Vancouver Canucks


GROUP_AVATAR
User avatar
Profile
Posts: 63946
PostPosted: Wed Jun 28, 2017 8:59 am
 


Tricks, you're right that the correct name is 'Eternal Blue' yet EXTERNAL BLUE is being used on several FOUO documents.

Makes me wonder if they're two separate things.


Offline
CKA Uber
CKA Uber
 Vancouver Canucks
User avatar
Profile
Posts: 23771
PostPosted: Wed Jun 28, 2017 9:44 am
 


DrCaleb wrote:
I'd argue the victims were already fucked. Only the ransomers got fucked this time too.
Except they removed the possibility of unfucking themselves.

Also that's a really fun line of sentences we just created.

Tricks wrote:
This one is spread through no fault of the user, as Eternal Blue uses the SMB protocols as an attack vector and steals domain credentials among other things.
Right, but that was patched in March by Microsoft in MS17-010. Literally anyone running that patch should not be affected. You can also block port 445 (which should be done any ways) or like bartman said earlier, disable SMBv1. None of the above was done.

Quote:
The lengths we go to around here to protect ourselves isn't even enough. We sometimes get hit with ransomware, because some employee clicks on something that is obviously a trap. But when we have to spend many man hours to fix the problem and restore service, the employee learns that their employment hinges on them being more careful. And they don't do it again.
I agree 100%, people are morons and will break things given the chance, but that's why if companies enact proper compliance policies they get hit way less, and way less harder.
Quote:
Same needs to be taught about the internet. And perhaps a few people need to lose all the selfies they took in order to learn that lesson. It's inconvenient. But having hospitals knocked offline by ransomware crosses the line from inconvenient to life threatening.

I've said it before, the best anti-virus is common sense. Don't click on fucking everything and chances are you won't get broken.


Offline
CKA Uber
CKA Uber
 Vancouver Canucks
User avatar
Profile
Posts: 23771
PostPosted: Wed Jun 28, 2017 9:44 am
 


BartSimpson wrote:
Tricks, you're right that the correct name is 'Eternal Blue' yet EXTERNAL BLUE is being used on several FOUO documents.

Makes me wonder if they're two separate things.

Typo probably that no one has bothered to fix or correct. I can't find anything called external blue.


Offline
CKA Moderator
CKA Moderator
User avatar
Profile
Posts: 33975
PostPosted: Wed Jun 28, 2017 10:04 am
 


Tricks wrote:
DrCaleb wrote:
I'd argue the victims were already fucked. Only the ransomers got fucked this time too.
Except they removed the possibility of unfucking themselves.

Also that's a really fun line of sentences we just created.


That was pretty lyrical, wasn't it. ;)

Tricks wrote:
Right, but that was patched in March by Microsoft in MS17-010. Literally anyone running that patch should not be affected. You can also block port 445 (which should be done any ways) or like bartman said earlier, disable SMBv1. None of the above was done.

...

I agree 100%, people are morons and will break things given the chance, but that's why if companies enact proper compliance policies they get hit way less, and way less harder.


Which is why I think the victims were already fucked. If you are putting unneeded ports open on the internet, if you are running unpatched servers on the internet, if you are running publicly facing servers on your internal network - you are fucked! If you are not running EMET on your public facing servers to limit any potential damage, you fucked yourself.

You fucked yourself by ignoring 30+ years of computer security. Maybe a few companies need to be bankrupted by losing all their data for the remaining companies to pay attention. :idea:

Tricks wrote:
DrCaleb wrote:
Same needs to be taught about the internet. And perhaps a few people need to lose all the selfies they took in order to learn that lesson. It's inconvenient. But having hospitals knocked offline by ransomware crosses the line from inconvenient to life threatening.

I've said it before, the best anti-virus is common sense. Don't click on fucking everything and chances are you won't get broken.


The best anti-phishing tool is people talking around the water cooler how Bob in Accounting got fired for swallowing multiple baited hooks, and how his employment isn't worth the cost of fixing his mistakes.

I've seen some well crafted phishing emails that looked exactly like they were sent from our Deputy Minister. The only thing that stopped me from clicking on the attachment was that the subject was poorly worded, like it was from someone who didn't understand the subject; and the attachment didn't interest me and seemed to not follow the subject of the email. It was the former that cause me to suspect the email, and we quickly contained the threat.

It will take a lot of work to get the regular user to my level of paranoia. You'll get here eventually, if you stay in the business long enough. ;)


Offline
CKA Uber
CKA Uber
 Vancouver Canucks
User avatar
Profile
Posts: 23771
PostPosted: Wed Jun 28, 2017 12:26 pm
 


DrCaleb wrote:
Which is why I think the victims were already fucked. If you are putting unneeded ports open on the internet, if you are running unpatched servers on the internet, if you are running publicly facing servers on your internal network - you are fucked! If you are not running EMET on your public facing servers to limit any potential damage, you fucked yourself.

You fucked yourself by ignoring 30+ years of computer security. Maybe a few companies need to be bankrupted by losing all their data for the remaining companies to pay attention. :idea:
Couldn't agree more. Hence why I don't have a lot of sympathy, they brought this on themselves by failing to protect their shit. Especially after this happened a month and a half ago. I'm by no means a security expert, but within 2 semesters of this program, I look at virtually every company I've ever worked for and just go "holy shit do they play with fire".


Tricks wrote:
The best anti-phishing tool is people talking around the water cooler how Bob in Accounting got fired for swallowing multiple baited hooks, and how his employment isn't worth the cost of fixing his mistakes.

I've seen some well crafted phishing emails that looked exactly like they were sent from our Deputy Minister. The only thing that stopped me from clicking on the attachment was that the subject was poorly worded, like it was from someone who didn't understand the subject; and the attachment didn't interest me and seemed to not follow the subject of the email. It was the former that cause me to suspect the email, and we quickly contained the threat.
I read about a spam email sent from a contractor for the DoD. I think krebs did a bit on it, was hilarious, the spammer obviously had no idea who's credentials he had managed to get.

Quote:
It will take a lot of work to get the regular user to my level of paranoia. You'll get here eventually, if you stay in the business long enough. ;)

I'm arguably at that point in that I don't open an email from someone I don't know. If I do know them and I open it and it isn't something I recognize ever talking to them about, or doesn't follow their typical email style, I ignore it unless they ask me about it :lol:


Offline
CKA Moderator
CKA Moderator
User avatar
Profile
Posts: 33975
PostPosted: Thu Jun 29, 2017 6:25 am
 


Tricks wrote:
I'm arguably at that point in that I don't open an email from someone I don't know. If I do know them and I open it and it isn't something I recognize ever talking to them about, or doesn't follow their typical email style, I ignore it unless they ask me about it :lol:


I use Thunderbird in text mode for email. No HTML, no scripting. And I don't open attachments.


Offline
CKA Moderator
CKA Moderator
User avatar
Profile
Posts: 33975
PostPosted: Thu Jun 29, 2017 6:28 am
 


And it looks like Petya was not ransomware, but destroyed data with no hope of recovery.

Quote:
Tuesday's massive outbreak of malware that shut down computers around the world has been almost universally blamed on ransomware, which by definition seeks to make money by unlocking data held hostage only if victims pay a hefty fee. Now, some researchers are drawing an even bleaker assessment—that the malware was a wiper with the objective of permanently destroying data.


https://arstechnica.com/security/2017/0 ... ansomware/

It also looks like it was a targeted attack on Ukraine.

Quote:
t leads to an uncomfortable question: what if money wasn’t the point? What if the attackers just wanted to cause damage to Ukraine? It’s not the first time the country has come under cyberattack. (These attacks have typically been attributed to Russia.) But it would be the first time such an attack has come in the guise of ransomware, and has spilled over so heavily onto other countries and corporations.


https://www.theverge.com/2017/6/28/1588 ... ine-russia


Post new topic  Reply to topic  [ 37 posts ]  Previous  1  2  3  Next



Who is online

Users browsing this forum: No registered users and 1 guest



cron
 
     
All logos and trademarks in this site are property of their respective owner.
The comments are property of their posters, all the rest © Canadaka.net. Powered by © phpBB.