A Windows XP help forum. PCbanter

WannaCry and SMB1

#1
May 22nd 17, 07:25 PM posted to alt.comp.os.windows-10
Alek

Since disabling SMB1 seems to be the way to thwart WannaCry, why isn't
it disabled in Windows 10?

It's easy enough to do manually:

Control Panel > Programs and features > Turn Windows features on or off

Wait for the table to be populated, scroll down and uncheck SMB1.
#2
May 22nd 17, 08:16 PM posted to alt.comp.os.windows-10
Paul[_32_]

Alek wrote:
> Since disabling SMB1 seems to be the way to thwart WannaCry, why isn't
> it disabled in Windows 10?
>
> It's easy enough to do manually:
>
> Control Panel > Programs and features > Turn Windows features on or off
>
> Wait for the table to be populated, scroll down and uncheck SMB1.


If you know what the effects of doing that are,
go right ahead.

WinXP only has SMBv1. So if you have a mixed network, disabling
SMBv1 on the Win10 machine, means WinXP cannot access a share on it.

If all your Windows OSes are more modern than WinXP, then
that's probably not a problem.

I don't think WannaCrypt needs a lot of thwarting. Do you use
a NAT router in the computer room ? That's an example of a *direct*
threat. One that must be attended to. If you don't have an IPV4 NAT
router protecting you, if your ports "stick out" when you scan yourself
on the Internet, that's a pretty significant risk factor.

The port inside the perimeter is still a risk. *But*, consider
your own track record. Have you been hit by Locky ? If not, then
if your perimeter is secure (no Port Forwarding of 445 and friends),
then you still need an infection vector for Locky or WannaCrypt
to get in.

Bolting down ports within the perimeter, can be done by patching
the current exploit. Disabling the protocol, would be suspenders
to go with that patch for SMBv1 which is the belt. Sure, you can
use it, but remember that it only becomes engaged, when WannaCrypt
gets onto one of your machines via social engineering. It still
does not reduce the damage done, to zero. It just means a few
less disks to restore from *full backup*.

I don't care what people do, as long as they keep this
stuff in perspective. The things you do for an organization
with 10,000 computers, is entirely different than your home
LAN with two computers. Scale makes a big difference. On a
home LAN with two computers, there really isn't much difference
between an attack by Locky versus WannaCrypt. Even Locky can
damage (parts of) the second computer. All it takes is file
sharing mounts, *implemented on any SMB flavor*. Just doing
sharing in the computer room, means slightly more than one
machine will be damaged by Locky.

I wouldn't care about Locky, except someone in one of my other
groups got it. And if a USENET person gets it, that's like
a canary in a coal mine. That's your first warning, that
you too should have a disaster recovery plan. So rather than
just sad stories about people who put their backup on
Dropbox, and Locky encrypted the backup, even people on
USENET are getting it.

The interesting thing about this initial WannaCrypt attack,
is there was no social engineering vector (it wasn't sent
as an email attachment). And that should tell you this was
released by a white hat or gray hat. And not by a professional
criminal. It was too poorly done for a first strike. The Locky
people are pros at this stuff now. Burning a vector this way,
shows a criminal probably didn't do this one. Was it a
script kiddie ? The whole thing is a little too weird
for my tastes.

*******

Flip the switch, and test. Do you like the outcome ?
Then keep your SMBv1 mitigation.

Paul
#3
May 22nd 17, 09:19 PM posted to alt.comp.os.windows-10
VanguardLH[_2_]

Alek wrote:
> Since disabling SMB1 seems to be the way to thwart WannaCry, why isn't
> it disabled in Windows 10?
>
> It's easy enough to do manually:
>
> Control Panel > Programs and features > Turn Windows features on or off
>
> Wait for the table to be populated, scroll down and uncheck SMB1.


SMB has legitimate purposes within a network.

https://en.wikipedia.org/wiki/Server_Message_Block

It is unlikely that you need SMB to the Internet (i.e., outside your
intranet), so disable port 445 at your router (many cable modems have
one built-in).

Use GRC's ShieldsUp to see what other ports are open to inbound
unsolicited connection requests through your router/cable modem
(https://www.grc.com/x/ne.dll?bh0bkyd2). After proceeding, click on the
buttons in the bars to pick which test to perform.
#4
May 23rd 17, 01:28 AM posted to alt.comp.os.windows-10
Alek

Paul wrote on 5/22/2017 3:16 PM:
> [...]

1) I'm talking about a 4 PC LAN, all Windows 10.
2) If I knew half of what you were talking about, I'd be all smiles. :-)

I think you're saying that there's no need to disable SMB1 in Windows
10, right?
#5
May 23rd 17, 01:32 AM posted to alt.comp.os.windows-10
Alek

VanguardLH wrote on 5/22/2017 4:19 PM:
> Alek wrote:
>> [...]

> SMB has legitimate purposes within a network.

SMB1?

https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/

> https://en.wikipedia.org/wiki/Server_Message_Block
>
> It is unlikely that you need SMB to the Internet (i.e., outside your
> intranet), so disable port 445 at your router (many cable modems have
> one built-in).
>
> Use GRC's ShieldsUp to see what other ports are open to inbound
> unsolicited connection requests through your router/cable modem
> (https://www.grc.com/x/ne.dll?bh0bkyd2). After proceeding, click on the
> buttons in the bars to pick which test to perform.

Thanks. Only 22, 78, 80 and 443 are open.


#6
May 23rd 17, 03:30 AM posted to alt.comp.os.windows-10
VanguardLH[_2_]

Alek wrote:
> VanguardLH wrote on 5/22/2017 4:19 PM:
>> Use GRC's ShieldsUp to see what other ports are open to inbound
>> unsolicited connection requests through your router/cable modem
>> (https://www.grc.com/x/ne.dll?bh0bkyd2). After proceeding, click on
>> the buttons in the bars to pick which test to perform.
>
> Thanks. Only 22, 78, 80 and 443 are open.


Port 22: SSH
You need someone SSH'ing (remote accessing) into your host? Or did you
punch a hole in your firewall to allow external access to one of your
intranet hosts? Hopefully that SSH serving intranet host is in a DMZ
network.

Port 80/443: HTTP/S
You are running a web server to which you grant public access from the
Internet? Hopefully you are not on a personal-use service tier with
your ISP who likely bans the use of public servers on non-business
hosts.

Port 78: vettcp
http://www.ietf.org/proceedings/44/I...rot-mac-00.txt
http://www.ietf.org/proceedings/42/I...prot-v2-03.txt
What process is the listener on this port? Use TCP View to find out.
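The same lookup VanguardLH suggests with TCPView, done with the built-in NetTCPIP cmdlets. This is an added example, not code from the thread; the port list is the one Alek reported (plus 445, the port the thread is about) and is a constructed input. Keep in mind that ShieldsUp probes the router's public address, so a port that shows open there may belong to the router itself or be forwarded to a different LAN host; "no local listener" below means only that nothing on this PC is listening.

```powershell
# Map each port to the process listening on THIS Windows host
# (Get-NetTCPConnection needs Windows 8 / Server 2012 or later).
function Get-PortListener {
    param([int[]]$Ports = @(22, 78, 80, 443, 445))   # constructed list from the thread

    foreach ($port in $Ports) {
        # Listening sockets only; SilentlyContinue turns "no objects found" into an empty result.
        $listeners = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
        if (-not $listeners) {
            [pscustomobject]@{
                Port    = $port
                Address = ''
                Pid     = $null
                Process = '(no local listener; check the router or a port forward)'
            }
            continue
        }
        foreach ($l in $listeners) {
            # OwningProcess is the PID that bound the socket; PID 4 = System (kernel SMB server on 445).
            $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port    = $port
                Address = $l.LocalAddress
                Pid     = $l.OwningProcess
                Process = if ($proc) { $proc.ProcessName } else { '(unknown)' }
            }
        }
    }
}

Get-PortListener | Format-Table -AutoSize
```

On a default Windows 10 box you will see 445 bound by PID 4 (System) even though the router hides it from the outside, which is exactly why Paul's NAT/port-forwarding point matters.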
#7
May 23rd 17, 05:13 AM posted to alt.comp.os.windows-10
Paul[_32_]

Alek wrote:
> Paul wrote on 5/22/2017 3:16 PM:
>> [...]
>
> 1) I'm talking about a 4 PC LAN, all Windows 10.
> 2) If I knew half of what you were talking about, I'd be all smiles. :-)
>
> I think you're saying that there's no need to disable SMB1 in Windows
> 10, right?


There's a patch, first of all.

Work through this article and check your patch level. I doubt you're
unpatched. I have one Win10 machine which is, in actual fact, not patched!
That's because it stays off, or does not connect to the Internet
all that much. It's not patched, but it's not typically
on my LAN. I could fix that, if I remembered to do it.

https://www.askwoody.com/2017/how-to...crywannacrypt/

*******

If you want to disable SMBv1 on top of that, you can. If all the machines
are Win10, that would be a natural.

There's file sharing and printing. Find out whether
there's a dependency there that matters to you (for printing):

https://technet.microsoft.com/en-us/...(v=ws.10).aspx

Network Printing Protocols

Server Message Block (SMB)

The SMB protocol defines a series of commands that pass
information between computers. SMB uses four message types:
session control, file, printer, and message.

Locky needs social engineering to attack your setup.

So far, WannaCrypt has *only* entered by an exposed port 445
on the Internet. You have four computers. Maybe if you were
using IPV6 (which doesn't have NAT), maybe that could expose
a port 445. Variants of WannaCrypt will eventually be armed
like Locky, and will come as an executable email attachment
(an "invoice" for something). And that's how it will get in.

Locky can attack any mounted file share (patched or not).
That means it's "going to spray a bit" if it hits your
four machine setup.

By comparison, Wannacrypt (on unpatched machines) would
attack all of them. The more machines, the more differentiation
from Locky. If you have a four machine setup, and two of the
machines stay powered off most of the time, then your exposure
could be a bit less.

Every time one of these comes out, the media goes for "max noise".
Just remember to keep these things in proportion - there
are likely things you *haven't* patched your machines for,
that you didn't happen to catch in the news. And you're
still alive and breathing.

*******

If you have a Win10 machine that works as a printing host,
flip the SMBv1 switch on it first. Then, do a test print
from one of the other machines, just to make sure that somehow
printing can work with SMBv2 or SMBv3. If that test passes,
I doubt flipping the other (non-print-hosting) machines
will make any difference to normal function.

Paul
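The manual steps from Alek's first post and Paul's "flip the switch on the print host, then test" procedure, as an added PowerShell example (not code from the thread). It uses only the built-in SmbShare and DISM cmdlets; run it elevated on the Windows 10 host that shares the printer first, reboot, print from another PC, then check the negotiated dialects before repeating on the remaining machines.

```powershell
# Audit: is SMB1 still on, on the server side and as a Windows feature?
function Get-Smb1Status {
    $server  = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    [pscustomobject]@{
        Smb1ServerEnabled = $server.EnableSMB1Protocol   # shares offered over SMB1
        Smb2ServerEnabled = $server.EnableSMB2Protocol   # SMB2 and SMB3 share one switch
        Smb1Feature       = $feature.State               # Enabled/Disabled: client + server components
    }
}

# Disable: the "suspenders" on top of the patch Paul refers to ("the belt").
function Disable-Smb1 {
    # Stop serving shares over SMB1 immediately (no reboot needed for this part).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Remove the SMB1 client and server components; this is the same thing as
    # unchecking "SMB 1.0/CIFS File Sharing Support" in Windows Features.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

# Test: after the reboot and a test print, confirm nothing fell back to SMB1.
function Test-SmbDialects {
    # Outbound connections from this host: a Dialect below 2.0 means an SMB1-only server elsewhere.
    Get-SmbConnection | Select-Object ServerName, ShareName, Dialect
    # Inbound sessions to this host's shares (e.g. the other PCs printing through it).
    Get-SmbSession | Select-Object ClientComputerName, Dialect
}

Get-Smb1Status
# Disable-Smb1      # then reboot and print from another PC
# Test-SmbDialects  # every Dialect should be 2.x or 3.x
```

If a printer stops working after the switch, Get-SmbSession will show the client that can no longer negotiate, which is the dependency Paul says to look for.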
#8
May 23rd 17, 06:12 AM posted to alt.comp.os.windows-10
Paul[_32_]

Alek wrote:
> VanguardLH wrote on 5/22/2017 4:19 PM:
>> [...]
>
> Thanks. Only 22, 78, 80 and 443 are open.


You should be a little careful with ShieldsUp.

I have a router here, with anti-scan. When I ran GRC against it,
the scan was not getting a "true" picture of the state of things.
I got a "stealth" rating, because my router stopped responding on
purpose. (Normal attacks are more carefully crafted than that.)
There were a couple status messages in the router, indicating
it had detected a sequential port scan of some kind.

As long as GRC has modified how they scan, and the router has not
"sniffed" the scan pattern, then the scan results may be actual
results. To scan properly, needs a bit more randomness in the
port selections, and perhaps backing off on a "machine-gun" approach
to test. The router in question was retired, and I don't know
how my current router responds to that particular case (it doesn't
really have an event log).

*******

This is my result today. On my current device, I have made no attempt
to optimize it. This is the out-of-the-box state.

https://s8.postimg.org/ttb1mgr4l/shieldsup_result.gif

My understanding of the result is:

blue - packet sent, NACK returned (port "closed")
red - packet sent, ACK returned (port "open")
green - packet sent, no response at all (port "stealthy")

A blue block tells an attacker, something is at that address.
The scan continues (at a different port number).

A red block tells an attacker "pay dirt". They can now pound
on it with malformed packets or whatever.

A green block doesn't tell them anything. If your router has
port forwarding, some "chatty" ports, you can port forward
them to a non-existent (outside DHCP range) host address inside
your LAN and the packet just falls on the floor.

And I just found an article here, regarding what the test means.

http://ask-leo.com/i_cant_pass_a_fir...ould_i_do.html

*******

There are a ton of scanning techniques. I think "Todd" does some
of this stuff for a living. I don't have Wireshark sitting
on the outside of my router, so I can't tell you what
kind of scan GRC is using.

https://nmap.org/book/man-port-scanning-techniques.html

Paul
#11
May 24th 17, 08:02 AM posted to alt.comp.os.windows-10
Andy Burns[_6_]

Alek wrote:
> This may be a stupid question, but what are SMB2 and SMB3 for?


Same file sharing as SMBv1 but implemented in more secure and efficient
ways, e.g. look at the features lost with SMBv2 or SMBv3 disabled.

https://support.microsoft.com/en-us/help/2696547
#13
May 28th 17, 06:16 AM posted to alt.comp.os.windows-10
Yousuf Khan[_2_]

On 5/22/2017 2:25 PM, Alek wrote:
> Since disabling SMB1 seems to be the way to thwart WannaCry, why isn't
> it disabled in Windows 10?
>
> It's easy enough to do manually:
>
> Control Panel > Programs and features > Turn Windows features on or off
>
> Wait for the table to be populated, scroll down and uncheck SMB1.


I read recently that something like 90% of the machines affected were
Windows 7 machines, and hardly any WinXP, even though WinXP would be the
most likely to be affected. Probably this is because a lot of Win7
machines are left in compatibility mode to accommodate networks full of
WinXP machines?

Yousuf Khan

#14
May 28th 17, 07:14 AM posted to alt.comp.os.windows-10
Andy Burns[_6_]

Yousuf Khan wrote:
> I read recently that something like 90% of the machines affected were
> Windows 7 machines, and hardly any WinXP


A nameless organisation that I scanned, had over 200 vulnerable Win8.1
and Win10, and a single WinXP from a total "fleet" of about 1,200
machines - improved patching had been on their list for over a year.
#15
June 15th 17, 02:06 AM posted to alt.comp.os.windows-10
Brian Gregory

On 28/05/2017 06:16, Yousuf Khan wrote:
> On 5/22/2017 2:25 PM, Alek wrote:
>> [...]
>
> I read recently that something like 90% of the machines affected were
> Windows 7 machines, and hardly any WinXP, even though WinXP would be the
> most likely to be affected. Probably this is because a lot of Win7
> machines are left in compatibility mode to accommodate networks full of
> WinXP machines?
>
> Yousuf Khan


I thought there was a bug in the Windows XP part of the exploit as
implemented in WannaCry.

--

Brian Gregory (in the UK).
To email me please remove all the letter vee from my email address.
 



