#1
WannaCry and SMB1
Since disabling SMB1 seems to be the way to thwart WannaCry, why isn't it disabled in Windows 10? It's easy enough to do manually: Control Panel > Programs and Features > Turn Windows features on or off. Wait for the table to be populated, scroll down and uncheck SMB1.
#2
Alek wrote:
> Since disabling SMB1 seems to be the way to thwart WannaCry, why isn't it disabled in Windows 10? It's easy enough to do manually: Control Panel > Programs and Features > Turn Windows features on or off. Wait for the table to be populated, scroll down and uncheck SMB1.

If you know what the effects of doing that are, go right ahead.

WinXP only has SMBv1. So if you have a mixed network, disabling SMBv1 on the Win10 machine means WinXP cannot access a share on it. If all your Windows OSes are more modern than WinXP, then that's probably not a problem.

I don't think WannaCrypt needs a lot of thwarting. Do you use a NAT router in the computer room? That's an example of a *direct* threat. One that must be attended to. If you don't have an IPV4 NAT router protecting you, if your ports "stick out" when you scan yourself on the Internet, that's a pretty significant risk factor.

The port inside the perimeter is still a risk. *But*, consider your own track record. Have you been hit by Locky? If not, then if your perimeter is secure (no Port Forwarding of 445 and friends), then you still need an infection vector for Locky or WannaCrypt to get in.

Bolting down ports within the perimeter can be done by patching the current exploit. Disabling the protocol would be suspenders to go with that patch for SMBv1, which is the belt. Sure, you can use it, but remember that it only becomes engaged when WannaCrypt gets onto one of your machines via social engineering. It still does not reduce the damage done to zero. It just means a few less disks to restore from *full backup*.

I don't care what people do, as long as they keep this stuff in perspective. The things you do for an organization with 10,000 computers are entirely different than your home LAN with two computers. Scale makes a big difference.

On a home LAN with two computers, there really isn't much difference between an attack by Locky versus WannaCrypt. Even Locky can damage (parts of) the second computer. All it takes is file sharing mounts, *implemented on any SMB flavor*. Just doing sharing in the computer room means slightly more than one machine will be damaged by Locky.

I wouldn't care about Locky, except someone in one of my other groups got it. And if a USENET person gets it, that's like a canary in a coal mine. That's your first warning that you too should have a disaster recovery plan. So rather than just sad stories about people who put their backup on Dropbox, and Locky encrypted the backup, even people on USENET are getting it.

The interesting thing about this initial WannaCrypt attack is there was no social engineering vector (it wasn't sent as an email attachment). And that should tell you this was released by a white hat or gray hat. And not by a professional criminal. It was too poorly done for a first strike. The Locky people are pros at this stuff now. Burning a vector this way shows a criminal probably didn't do this one. Was it a script kiddie? The whole thing is a little too weird for my tastes.

*******

Flip the switch, and test. Do you like the outcome? Then keep your SMBv1 mitigation.

Paul
#3
Alek wrote:
> Since disabling SMB1 seems to be the way to thwart WannaCry, why isn't it disabled in Windows 10? It's easy enough to do manually: Control Panel > Programs and Features > Turn Windows features on or off. Wait for the table to be populated, scroll down and uncheck SMB1.

SMB has legitimate purposes within a network. SMB1?
https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/
https://en.wikipedia.org/wiki/Server_Message_Block

It is unlikely that you need SMB to the Internet (i.e., outside your intranet), so disable port 445 at your router (many cable modems have one built-in).

Use GRC's ShieldsUp to see what other ports are open to inbound unsolicited connection requests through your router/cable modem (https://www.grc.com/x/ne.dll?bh0bkyd2). After proceeding, click on the buttons in the bars to pick which test to perform.
#4
Paul wrote on 5/22/2017 3:16 PM:
> Alek wrote:
>> Since disabling SMB1 seems to be the way to thwart WannaCry, why isn't it disabled in Windows 10? It's easy enough to do manually: Control Panel > Programs and Features > Turn Windows features on or off. Wait for the table to be populated, scroll down and uncheck SMB1.
>
> If you know what the effects of doing that are, go right ahead.
> [...]
> Flip the switch, and test. Do you like the outcome? Then keep your SMBv1 mitigation.
>
> Paul

1) I'm talking about a 4 PC LAN, all Windows 10.
2) If I knew half of what you were talking about, I'd be all smiles. :-)

I think you're saying that there's no need to disable SMB1 in Windows 10, right?
#5
VanguardLH wrote on 5/22/2017 4:19 PM:
> Alek wrote:
>> Since disabling SMB1 seems to be the way to thwart WannaCry, why isn't it disabled in Windows 10? It's easy enough to do manually: Control Panel > Programs and Features > Turn Windows features on or off. Wait for the table to be populated, scroll down and uncheck SMB1.
>
> SMB has legitimate purposes within a network. SMB1?
> https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/
> https://en.wikipedia.org/wiki/Server_Message_Block
>
> It is unlikely that you need SMB to the Internet (i.e., outside your intranet), so disable port 445 at your router (many cable modems have one built-in).
>
> Use GRC's ShieldsUp to see what other ports are open to inbound unsolicited connection requests through your router/cable modem (https://www.grc.com/x/ne.dll?bh0bkyd2). After proceeding, click on the buttons in the bars to pick which test to perform.

Thanks. Only 22, 78, 80 and 443 are open.
#6
Alek wrote:
> VanguardLH wrote on 5/22/2017 4:19 PM:
>> Use GRC's ShieldsUp to see what other ports are open to inbound unsolicited connection requests through your router/cable modem (https://www.grc.com/x/ne.dll?bh0bkyd2). After proceeding, click on the buttons in the bars to pick which test to perform.
>
> Thanks. Only 22, 78, 80 and 443 are open.

Port 22: SSH
You need someone SSH'ing (remote accessing) into your host? Or did you punch a hole in your firewall to allow external access to one of your intranet hosts? Hopefully that SSH serving intranet host is in a DMZ network.

Port 80/443: HTTP/S
You are running a web server to which you grant public access from the Internet? Hopefully you are not on a personal-use service tier with your ISP who likely bans the use of public servers on non-business hosts.

Port 78: vettcp
http://www.ietf.org/proceedings/44/I...rot-mac-00.txt
http://www.ietf.org/proceedings/42/I...prot-v2-03.txt
What process is the listener on this port? Use TCP View to find out.
#7
Alek wrote:
> Paul wrote on 5/22/2017 3:16 PM:
>> Alek wrote:
>>> Since disabling SMB1 seems to be the way to thwart WannaCry, why isn't it disabled in Windows 10? It's easy enough to do manually: Control Panel > Programs and Features > Turn Windows features on or off. Wait for the table to be populated, scroll down and uncheck SMB1.
>>
>> If you know what the effects of doing that are, go right ahead.
>> [...]
>> Flip the switch, and test. Do you like the outcome? Then keep your SMBv1 mitigation.
>>
>> Paul
>
> 1) I'm talking about a 4 PC LAN, all Windows 10.
> 2) If I knew half of what you were talking about, I'd be all smiles. :-)
>
> I think you're saying that there's no need to disable SMB1 in Windows 10, right?

There's a patch, first of all. Work through this article and check your patch level. I doubt you're unpatched. I have one Win10 machine which is, in actual fact, not patched! That's because it stays off, or does not connect to the Internet all that much. It's not patched, but it's not typically on my LAN. I could fix that, if I remembered to do it.

https://www.askwoody.com/2017/how-to...crywannacrypt/

*******

If you want to disable SMBv1 on top of that, you can. If all the machines are Win10, that would be a natural. There's file sharing and printing. Find out whether there's a dependency there that matters to you (for printing):

https://technet.microsoft.com/en-us/...(v=ws.10).aspx

    Network Printing Protocols
    Server Message Block (SMB)
    The SMB protocol defines a series of commands that pass information between computers. SMB uses four message types: session control, file, printer, and message.

Locky needs social engineering to attack your setup. So far, WannaCrypt has *only* entered by an exposed port 445 on the Internet. You have four computers. Maybe if you were using IPV6 (which doesn't have NAT), maybe that could expose a port 445.

Variants of WannaCrypt will eventually be armed like Locky, and will come as an executable email attachment (an "invoice" for something). And that's how it will get in.

Locky can attack any mounted file share (patched or not). That means it's "going to spray a bit" if it hits your four machine setup. By comparison, Wannacrypt (on unpatched machines) would attack all of them. The more machines, the more differentiation from Locky. If you have a four machine setup, and two of the machines stay powered off most of the time, then your exposure could be a bit less.

Every time one of these comes out, the media goes for "max noise". Just remember to keep these things in proportion - there are likely things you *haven't* patched your machines for, that you didn't happen to catch in the news. And you're still alive and breathing.

*******

If you have a Win10 machine that works as a printing host, flip the SMBv1 switch on it first. Then, do a test print from one of the other machines, just to make sure that somehow printing can work with SMBv2 or SMBv3. If that test passes, I doubt flipping the other (non-print-hosting) machines will make any difference to normal function.

Paul
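The "uncheck SMB1" procedure from the first post and Paul's "flip the switch on the print host first, then test from another PC" advice, written up as an added PowerShell audit script; this is not code from the thread or from any of its posters. It assumes an elevated prompt on a Windows 10 host with the built-in SmbShare and DISM cmdlets, and HOSTNAME/SHARE in the final message are placeholders for your own LAN.

```powershell
# Added example (not from the thread): audit SMBv1 on a Windows 10 file/print
# host, list which LAN clients still negotiate SMBv1, and optionally turn it off.
#Requires -RunAsAdministrator
param(
    [switch]$Disable   # audit only unless -Disable is given
)

# 1. Is the SMBv1 feature installed, and is the server side still accepting it?
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
$server  = Get-SmbServerConfiguration
Write-Host ("SMB1Protocol feature      : {0}" -f $feature.State)
Write-Host ("Server EnableSMB1Protocol : {0}" -f $server.EnableSMB1Protocol)

# 2. Who is connected right now, and with which dialect? A Dialect below 2.0.2
#    is a client that depends on SMBv1 (an old NAS, media box or WinXP PC, as
#    the thread mentions) and will lose this host's shares once SMBv1 is off.
$sessions = Get-SmbSession | Select-Object ClientComputerName, ClientUserName, Dialect
if ($sessions) { $sessions | Format-Table -AutoSize } else { Write-Host "No active SMB sessions." }

# 3. The shares (files and printers) this host offers, so the post-change test
#    below has something concrete to check.
Get-SmbShare | Where-Object { $_.Name -notlike '*$' } |
    Select-Object Name, Path, ShareType | Format-Table -AutoSize

if (-not $Disable) {
    Write-Host "Audit only. Re-run with -Disable to turn SMBv1 off."
    return
}

# 4. Turn SMBv1 off at both layers: the server-side switch, then the optional
#    feature (the same component the Control Panel checkbox removes).
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null

# 5. Test from another PC on the LAN: mount a share, check the negotiated
#    dialect, and send a test page to the shared printer.
Write-Host @"
On another Windows 10 PC, run:
    net use \\HOSTNAME\SHARE
    Get-SmbConnection -ServerName HOSTNAME | Select-Object ShareName, Dialect
then print a test page. A Dialect of 2.x or 3.x means SMBv1 is not needed
for that share; a failed mount means a client still depends on it.
"@
```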
#8
Alek wrote:
> VanguardLH wrote on 5/22/2017 4:19 PM:
>> [...]
>> Use GRC's ShieldsUp to see what other ports are open to inbound unsolicited connection requests through your router/cable modem (https://www.grc.com/x/ne.dll?bh0bkyd2). After proceeding, click on the buttons in the bars to pick which test to perform.
>
> Thanks. Only 22, 78, 80 and 443 are open.

You should be a little careful with ShieldsUp. I have a router here, with anti-scan. When I ran GRC against it, the scan was not getting a "true" picture of the state of things. I got a "stealth" rating, because my router stopped responding on purpose. (Normal attacks are more carefully crafted than that.) There were a couple status messages in the router, indicating it had detected a sequential port scan of some kind.

As long as GRC has modified how they scan, and the router has not "sniffed" the scan pattern, then the scan results may be actual results. To scan properly needs a bit more randomness in the port selections, and perhaps backing off on a "machine-gun" approach to test. The router in question was retired, and I don't know how my current router responds to that particular case (it doesn't really have an event log).

*******

This is my result today. On my current device, I have made no attempt to optimize it. This is the out-of-the-box state.

https://s8.postimg.org/ttb1mgr4l/shieldsup_result.gif

My understanding of the result is:

blue - packet sent, NACK returned (port "closed")
red - packet sent, ACK returned (port "open")
green - packet sent, no response at all (port "stealthy")

A blue block tells an attacker something is at that address. The scan continues (at a different port number). A red block tells an attacker "pay dirt". They can now pound on it with malformed packets or whatever. A green block doesn't tell them anything.

If your router has port forwarding, some "chatty" ports, you can port forward them to a non-existent (outside DHCP range) host address inside your LAN and the packet just falls on the floor.

And I just found an article here, regarding what the test means.

http://ask-leo.com/i_cant_pass_a_fir...ould_i_do.html

*******

There are a ton of scanning techniques. I think "Todd" does some of this stuff for a living. I don't have Wireshark sitting on the outside of my router, so I can't tell you what kind of scan GRC is using.

https://nmap.org/book/man-port-scanning-techniques.html

Paul
#10
Andrew Rossmann wrote on 5/23/2017 9:29 AM:
> In article , says...
>> Since disabling SMB1 seems to be the way to thwart WannaCry, why isn't it disabled in Windows 10? It's easy enough to do manually: Control Panel > Programs and Features > Turn Windows features on or off. Wait for the table to be populated, scroll down and uncheck SMB1.
>
> Another issue with disabling SMB1 is that it could block media sharing with some devices. Although many probably use DLNA, some can use direct network sharing, too.

This may be a stupid question, but what are SMB2 and SMB3 for?
#11
Alek wrote:
> This may be a stupid question, but what are SMB2 and SMB3 for?

Same file sharing as SMBv1 but implemented in more secure and efficient ways, e.g. look at the features lost with SMBv2 or SMBv3 disabled.
https://support.microsoft.com/en-us/help/2696547
#12
You any relation to Louis Rossmann on YouTube?

--
AL'S COMPUTERS

"Andrew Rossmann" wrote in message ...
> In article , says...
>> Since disabling SMB1 seems to be the way to thwart WannaCry, why isn't it disabled in Windows 10? It's easy enough to do manually: Control Panel > Programs and Features > Turn Windows features on or off. Wait for the table to be populated, scroll down and uncheck SMB1.
>
> Another issue with disabling SMB1 is that it could block media sharing with some devices. Although many probably use DLNA, some can use direct network sharing, too.
>
> --
> If there is a no_junk in my address, please REMOVE it before replying! All junk mail senders will be prosecuted to the fullest extent of the law!!
> http://home.comcast.net/~andyross
#13
On 5/22/2017 2:25 PM, Alek wrote:
> Since disabling SMB1 seems to be the way to thwart WannaCry, why isn't it disabled in Windows 10? It's easy enough to do manually: Control Panel > Programs and Features > Turn Windows features on or off. Wait for the table to be populated, scroll down and uncheck SMB1.

I read recently that something like 90% of the machines affected were Windows 7 machines, and hardly any WinXP, even though WinXP would be the most likely to be affected. Probably this is because a lot of Win7 machines are left in compatibility mode to accommodate networks full of WinXP machines?

Yousuf Khan
#14
Yousuf Khan wrote:
> I read recently that something like 90% of the machines affected were Windows 7 machines, and hardly any WinXP

A nameless organisation that I scanned had over 200 vulnerable Win8.1 and Win10, and a single WinXP, from a total "fleet" of about 1,200 machines - improved patching had been on their list for over a year.
#15
On 28/05/2017 06:16, Yousuf Khan wrote:
> On 5/22/2017 2:25 PM, Alek wrote:
>> Since disabling SMB1 seems to be the way to thwart WannaCry, why isn't it disabled in Windows 10? It's easy enough to do manually: Control Panel > Programs and Features > Turn Windows features on or off. Wait for the table to be populated, scroll down and uncheck SMB1.
>
> I read recently that something like 90% of the machines affected were Windows 7 machines, and hardly any WinXP, even though WinXP would be the most likely to be affected. Probably this is because a lot of Win7 machines are left in compatibility mode to accommodate networks full of WinXP machines?
>
> Yousuf Khan

I thought there was a bug in the Windows XP part of the exploit as implemented in WannaCry.

--
Brian Gregory (in the UK).
To email me please remove all the letter vee from my email address.