TR Forums

http://gizmodo.com/today-s-massive-rans ... 1795179984

I'm all patched. Anyone hit by this?

Microsoft provided the patch on March 14.

This is one of the reasons I always keep my system updated. Now this may be a Windows flaw that was exploited, I'm sure that the NSA also had hacking tools for Linux and the BSD that were leaked as well.

JustAnEngineer wrote:

Microsoft provided the patch on March 14.

I know they provided the patch then, but that certainly does not mean every user or server is patched up.

If you're too lazy to patch your systems, I hope that you've got good backups and you don't mind the effort of wiping and restoring.

That virus, or maybe worm, is vicious. It had multiple languages and everything.

I had to check our tools and report up all the ways we can stop it, even though we are mostly patched (stale systems FTL). It's no joke. What make me sad I'd all the stories of health care being hit. You would think with the skills these people have they could make a fine living as a white hat.

Losergamer04 wrote:

That virus, or maybe worm, is vicious. It had multiple languages and everything.

I had to check our tools and report up all the ways we can stop it, even though we are mostly patched (stale systems FTL). It's no joke. What make me sad I'd all the stories of health care being hit. You would think with the skills these people have they could make a fine living as a white hat.

Up until 2013, the local hospital was running XP with IE6.....only because their intranet needed IE6. So honestly.......not surprised one bit.

Losergamer04 wrote:

...You would think with the skills these people have they could make a fine living as a white hat.

I wonder in whose interests the leakers of the tools were working. The conduit appears to be the usual lawless and/or alienated types, but they could have been used for the purpose. I can't imagine an agency or other responsible org releasing stuff like this that came into their possession, knowing that it would be widely exploited by criminal and religious groups.

Losergamer04 wrote:

You would think with the skills these people have they could make a fine living as a white hat.

Yeah but they'd have to get up in the morning and put on a tie.

Another reminder why updates are more than just an annoyance.

I've also moved away from traditional heuristic-based enterprise antivirus since it never catches anything important anyway. Late last year I subscribed my main company to Sophos Intercept X because it's seemingly the main anti-ransomware product for enterprise; Any kind of encryption that happens triggers a copy of the unencrypted file by Sophos first, followed by allowing the encryption to take place. If it turns out that the encryption was malicious, the process is locked down and cleaned, alerts generated and the original files restored from memory/cache.

We had a couple of very minor ransomware infections last year (yes, Flash and Java from PC's that need it for horrible-yet-business-critical online tools) and only hourly snapshotting of our storage saved our bacon. I've always thought a lot of MalwareBytes, but I'm tempted to buy a corporate license to cover the couple dozen machines that still have to run Flash/Java. It terrifies me if a senior member of staff who has almost full access to the company network drives gets infected. Their one workstation could single-handedly ransomware-encrypt a quarter-petabyte of data in a night, thanks to crazy fast flash-based SANs!

:O

Hopefully this is the wake-up call for other antivirus vendors to start taking note of malware, sandboxing Java and Flash properly, and perhaps finally having something effective against ransomware.

I haven't seen that Sophos product but gear we have uses it and it's been not that great. Check out Cylance for those machines. It's by far the most effective av we use (long story on why e use 4 av products).

Anyone seeing Fireeye at work? They are considered to be leaders in intelligence and handling of persistent threats.

Fireeye is good stuff. It's best at protecting zero days. It launches stuff in VMs on the appliances. In theory one it finds something it updates all other appliances with the signature. It also can block call outs, too, preventing the callouts from getting the encryption key or commands (assuming its in line and blocking). I would think that it would have been effective after seeing the attack. I'll have to check their site if I remember to later.

Fireeye is good stuff, but as pretty much best of breed, they are very expensive. They have also started loosing out to others when it comes to cloud integrations when people are starting to move off-premises like office 365 and having external email, etc.

Yes they are expensive. The ROI isn't very good unless you are big or your data is worth a lot. I saw a demo of their cloud email service and thought it looked really slick. The link swap it stuff looked like it works will against phishing.

What impressed me is that their platform is practically mandatory for many tier-3 financial firms. I was hoping that they have basic detection services for local networked content and cloud e-mail that's priced for consumers, even if the installs also serve as crowd source intelligence points. But all they offer is paid high-end premises stuff with consultation. Even their PC security agents appear to be continually managed by back ends and teams at various levels.

Losergamer04 wrote:

Yes they are expensive. The ROI isn't very good unless you are big or your data is worth a lot. I saw a demo of their cloud email service and thought it looked really slick. The link swap it stuff looked like it works will against phishing.

The problems comes when you start implementation and actually look at specifics, for you to use their cloud based see that it breaks a few checks. Don't remember if it was SPF that it can handle, or something else, but I remember our mail guys have been muttering a fair bit since they answer from fireeye support was basically, oh, people use that, nah, we don't care about that, so you want to use our service, you cant rely on any of those checks for you or your customers.

JustAnEngineer wrote:

If you're too lazy to patch your systems, I hope that you've got good backups and you don't mind the effort of wiping and restoring.

I know someone that got hit. Fortunately, there's these things called Snapshots. People refusing to use network drives were sad, though most of those had their own backups.

Turned out to be more annoying than catastrophic. No idea why the machines weren't patched, but that's not my department (literally).

JustAnEngineer wrote:

If you're too lazy to patch your systems, I hope that you've got good backups and you don't mind the effort of wiping and restoring.

Or if you're dumb enough to run Windows 7 or 8.1 on a system that Microsoft no longer supports, like Ryzen or Baby Kale.

derFunkenstein wrote:

JustAnEngineer wrote:

If you're too lazy to patch your systems, I hope that you've got good backups and you don't mind the effort of wiping and restoring.

Or if you're dumb enough to run Windows 7 or 8.1 on a system that Microsoft no longer supports, like Ryzen or Baby Kale.

Still one of MS'es worst moves this year...

Waco wrote:

derFunkenstein wrote:

JustAnEngineer wrote:

If you're too lazy to patch your systems, I hope that you've got good backups and you don't mind the effort of wiping and restoring.

Or if you're dumb enough to run Windows 7 or 8.1 on a system that Microsoft no longer supports, like Ryzen or Baby Kale.

Still one of MS'es worst moves this year...

Not really. You shouldn't be running Windows 7/8.1 as a real OS on such platforms. It is akin trying to run Windows 9x/NT4 with an Athlon 64 and Pentium 4 D back in the day.

But the reason you shouldn't be running it is because MS discontinued updates. The idea that MS discontinued updates because you shouldn't be running it on modern platforms is the very definition of circular logic.

derFunkenstein wrote:

But the reason you shouldn't be running it is because MS discontinued updates. The idea that MS discontinued updates because you shouldn't be running it on modern platforms is the very definition of circular logic.

"It's a bad idea to do something the vendor discourages" might be annoying but it's not circular. You can blame MS all you want; And you'd be right to do so. But the facts are that Windows 7 is abandonware and it's generally considered bad to run abandonware as a serious OS, especially if it was formerly really popular.

On a side note, I've recently been running Windows 98SE on a VM as an Internet browsing host, and it's pretty cool - essentially no malware will run on it. That said, most browsers won't run on it either so I need to get myself a Windows RT machine before they go away completely.

Vhalidictes wrote:

But the facts are that Windows 7 is abandonware and it's generally considered bad to run abandonware as a serious OS, especially if it was formerly really popular.

Yet another entry point in my long-running chronicles for Federal Agency X (and this time Y), and their IT follies.

Agency X requires its insured institutions to report quarterly using an on-line system driven by Silverlight. If you run FireFox, Chrome, or Edge, and let your browsers update themselves, you can't get into the app. You either need to back up to FF 51 or use IE11. Nothing on Agency X's page for this service even notices that this is an issue. Oh, and X still runs Win 7 for no reason I can see (damn thing has resisted all my attempts to remove its lockdowns).

Agency Y issues us software we use in the examination of our regulated institutions. They have certified it (as yet) only for Win 7, so that's what my (non-X) work lappy runs. I have tested it on Win 10 but, like any other intelligent user, I'm not moving until the author certifies.

Vhalidictes wrote:

derFunkenstein wrote:

But the reason you shouldn't be running it is because MS discontinued updates. The idea that MS discontinued updates because you shouldn't be running it on modern platforms is the very definition of circular logic.

"It's a bad idea to do something the vendor discourages" might be annoying but it's not circular. You can blame MS all you want; And you'd be right to do so. But the facts are that Windows 7 is abandonware and it's generally considered bad to run abandonware as a serious OS, especially if it was formerly really popular.

On a side note, I've recently been running Windows 98SE on a VM as an Internet browsing host, and it's pretty cool - essentially no malware will run on it. That said, most browsers won't run on it either so I need to get myself a Windows RT machine before they go away completely.

I don't disagree R.E. WIndows 7...but 8.1? It *shouldn't* be abandonware already. It actively cost MS money to block newer CPUs on 8.1 versus just marking them "unsupported".

I don't run either of them, but I still think it was a monumentally stupid decision.

Captain Ned wrote:

Vhalidictes wrote:

But the facts are that Windows 7 is abandonware and it's generally considered bad to run abandonware as a serious OS, especially if it was formerly really popular.

Yet another entry point in my long-running chronicles for Federal Agency X (and this time Y), and their IT follies.

Agency X requires its insured institutions to report quarterly using an on-line system driven by Silverlight. If you run FireFox, Chrome, or Edge, and let your browsers update themselves, you can't get into the app. You either need to back up to FF 51 or use IE11. Nothing on Agency X's page for this service even notices that this is an issue. Oh, and X still runs Win 7 for no reason I can see (damn thing has resisted all my attempts to remove its lockdowns).

Agency Y issues us software we use in the examination of our regulated institutions. They have certified it (as yet) only for Win 7, so that's what my (non-X) work lappy runs. I have tested it on Win 10 but, like any other intelligent user, I'm not moving until the author certifies.

I thought Silverlight was dead and MS had quit supporting it.

Exactly Captain Ned's point.

I used to do 2nd-level helpdesk as a contractor for a Fortune 500 company about 10 years ago. I have similar stories about older software than Windows 7. In late 2006 they were just completing their migration to Windows XP and depending on which intranet Java app you wanted to use, you had to install one of two different outdate Java plugins to do it and block updates. The few sad users who had to use both Java apps actually and two different machines, one for each. That was cheaper than updating the software.

whm1974 wrote:

I thought Silverlight was dead and MS had quit supporting it.

You would be correct, but the brain-dead "IT staff" at Federal Agency X hasn't cottoned to that fact, nor to the fact that all modern browsers block the plug-in. I checked this AM and X's web site still lists Silverlight as a requirement and provides a link for download. There's a train wreck coming and the agency that will cause it doesn't even appear to grok that it IS coming.

Welcome to gov't (especially Federal) IT. Dollars to doughnuts (Krispy Kremes are NOT doughnuts, only cake doughnuts qualify) there are myriad Federal PCs still running IE6 because "it'll break otherwise". It was publicized when it happened in 2014, but the IRS bought "full extended service" from MS for XP (for an unknown term) rather than upgrade.

This thread made me think. I may have a Win 8.1 PC at home. It shows "end of mainstream support for Windows 8.1" in Jan 2018. What is the difference between mainstream support and extended support?

And LOL at Captain Ned's example. My Fortune 20 company is as bad, mostly running Windows 7 on desktops.

I got *upgraded* to that last year from Win XP. Still on IE 8 which means many things do not work. Have to use Chrome except for a few internal apps.

Glacial pace.

Hawkwing74 wrote:

What is the difference between mainstream support and extended support?

Mainstream: Service Packs and feature updates.
Extended: Security updates. Win 8.1 leaves Extended 10 JAN 2023.