Page 1 of 5, results 1 to 30 of 122

Thread: Cyber Security

  1. #1

    Cyber Security

    Cyber Security. Information Security. Whatever you want to call it, it is in just about everything now. Sometimes we need to discuss the more technical aspects of these things. Leaked data from major companies, hacked emails from political candidates, hospitals and public transit being shut down from attacks, nuclear processing facilities being sabotaged, whistleblowers leaking NSA data, NSA losing their hacking tools, the Internet of Things fucking everything up... it's only going to get worse!





    ...Original discussion from a politics thread starts below....
    Last edited by DigitalChaos; 05-12-2017 at 11:21 PM.

  2. #2

    Cyber Security

    So, there is a mega ransomware worm spreading over every country right now, extremely quickly. Hospitals are being shut down by it and many other big orgs. It looks like it is spreading using one of the leaked NSA tools from a month ago. Microsoft did supply a patch, but lots of people are behind on patches.

    But I was thinking... Trump fired the White House infosec chief a few months back and I don't believe that seat was ever replaced. Sure would be a shame if a whole lot of evidence surrounding this Russia investigation were suddenly destroyed with something like this... (I have no reason to even slightly suspect this... it's just one of those "people would sure lose their shit if" type thoughts.)

  3. #3
    Quote Originally Posted by DigitalChaos View Post
    So, there is a mega ransomware worm spreading over every country right now, extremely quickly. Hospitals are being shut down by it and many other big orgs. It looks like it is spreading using one of the leaked NSA tools from a month ago. Microsoft did supply a patch, but lots of people are behind on patches.

    But I was thinking... Trump fired the White House infosec chief a few months back and I don't believe that seat was ever replaced. Sure would be a shame if a whole lot of evidence surrounding this Russia investigation were suddenly destroyed with something like this... (I have no reason to even slightly suspect this... it's just one of those "people would sure lose their shit if" type thoughts.)
    Calling bullshit unless you have a link to a CVE or reliable source. I just got done with a job for a major national medical group that starts with an "A"; there was no ransomware worm or anything else. Only findings were some anonymous ports left open, that is all.
    -Louie

  4. #4

    Trump 2017: Year Zero

    Open twitter and search for WannaCry. Also, check the news about NHS. There are others. Even Russian Ministry was hit.

    https://motherboard.vice.com/en_us/a...over-the-world

    https://www.theregister.co.uk/2017/0...=1494623587590


    It's using a few vectors, and the NSA ETERNALBLUE (SMB and RDP) is the worming vector.
    Last edited by DigitalChaos; 05-12-2017 at 04:15 PM.

  5. #5
    Quote Originally Posted by DigitalChaos View Post
    So, there is a mega ransomware worm spreading over every country right now, extremely quickly. Hospitals are being shut down by it and many other big orgs. It looks like it is spreading using one of the leaked NSA tools from a month ago. Microsoft did supply a patch, but lots of people are behind on patches.
    That's not how it works. It seems like wherever you read that from is a sensationalism piece that has no factual basis.
    I implore you to check out this video:


    Now, I highly doubt it, but it is possible that they haven't updated and gotten those patches; even if they didn't, that environment for Windows 10 LTSB (Long Term Servicing Branch) is usually self-contained and doesn't get access to the internet.
    It's usually used for an intranet that is a database with only callback functions and archiving.
    Read here for more information on W10LTSB: https://www.howtogeek.com/273824/win...tsb-explained/
    Last edited by ziltoid; 05-12-2017 at 05:43 PM.

  6. #6

    Trump 2017: Year Zero

    Quote Originally Posted by ziltoid View Post
    That's not how it works. It seems like wherever you read that from is a sensationalism piece that has no factual basis.
    I implore you to check out this video:


    Now, I highly doubt it, but it is possible that they haven't updated and gotten those patches; even if they didn't, that environment for Windows 10 LTSB (Long Term Servicing Branch) is usually self-contained and doesn't get access to the internet.
    It's usually used for an intranet that is a database with only callback functions and archiving.
    Read here for more information on W10LTSB: https://www.howtogeek.com/273824/win...tsb-explained/
    It was an abbreviation as my point was to convey a hypothetical insanity that connects to Trump.

    But as to your tech focused commentary: "It's fine if not public facing" is exactly what is allowing a huge portion of WannaCry to spread. Your firewall means shit when a single person in your network infects themselves with an email dropper (which has been seen) and then the ransomware worms via the SMB & RDP exploit. I doubt any of the infected machines are Win10.


    Also, even the public facing scans showed huge numbers of unpatched machines. Hundreds of thousands. So, naturally, there are many more behind a firewall that can be attacked with something like an email dropper vector.


    Edit: that dude fucked up within the first minute of his video
    Last edited by DigitalChaos; 05-12-2017 at 04:39 PM.
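    The lateral-movement pattern described in the post above (one internal host gets infected, then fans out over SMB to everything it can reach) shows up in network logs before the ransom notes do. As an added example, not code from this thread or from any vendor's product, here is a Python sketch that flags sources opening connections to port 445 on many distinct hosts inside a short window. The log format (ISO timestamp, src, dst, dport), the 60-second window and the five-target threshold are assumptions, and the sample log lines are constructed.

```python
"""Flag internal hosts that fan out to TCP/445 the way an SMB worm does.

Added example, not code from this thread or from any product. The log
format (ISO timestamp, src, dst, dport), the 60 s window and the
5-target threshold are assumptions; SAMPLE_LOG is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.7 reaches five different hosts on 445 within
# seconds (worm-like), 10.0.0.5 keeps talking to one file server (normal).
SAMPLE_LOG = """\
2017-05-12T09:00:01 10.0.0.5 10.0.0.20 445
2017-05-12T09:00:03 10.0.0.7 10.0.0.21 445
2017-05-12T09:00:03 10.0.0.7 10.0.0.22 445
2017-05-12T09:00:04 10.0.0.7 10.0.0.23 445
2017-05-12T09:00:04 10.0.0.7 198.51.100.9 445
2017-05-12T09:00:05 10.0.0.7 10.0.0.24 445
2017-05-12T09:00:05 10.0.0.5 10.0.0.20 445
2017-05-12T09:00:06 10.0.0.7 10.0.0.25 3389
2017-05-12T09:00:07 10.0.0.5 10.0.0.20 445
"""


def parse_line(line):
    """'ts src dst dport' -> (datetime, src, dst, int(dport))."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def find_smb_scanners(log_text, window=timedelta(seconds=60),
                      min_targets=5, ports=(445,)):
    """Return {src: sorted distinct targets} for every source that reaches
    at least `min_targets` distinct hosts on `ports` within any `window`.
    Distinct targets, not connection count, is what separates a scanner
    from a chatty client that hammers one file server."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = parse_line(line)
        if dport in ports:
            by_src[src].append((ts, dst))

    hits = {}
    for src, events in by_src.items():
        events.sort()                 # sliding window needs time order
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            targets = {dst for _, dst in events[lo:hi + 1]}
            if len(targets) >= min_targets:
                hits[src] = sorted(targets)
                break
    return hits


if __name__ == "__main__":
    for src, targets in find_smb_scanners(SAMPLE_LOG).items():
        print(f"{src} hit {len(targets)} hosts on SMB: {', '.join(targets)}")
```

    Pass `ports=(445, 3389)` to count RDP fan-out as well, which is the other vector named in the post. The threshold is deliberately on distinct destinations rather than packet counts, so a backup server or a domain controller that legitimately talks to one host a thousand times does not trip it.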

  7. #7
    Quote Originally Posted by DigitalChaos View Post
    It was an abbreviation as my point was to convey a hypothetical insanity that connects to Trump.

    But as to your tech focused commentary: "It's fine if not public facing" is exactly what is allowing a huge portion of WannaCry to spread. Your firewall means shit when a single person in your network infects themselves with an email dropper (which has been seen) and then the ransomware worms via the SMB & RDP exploit. I doubt any of the infected machines are Win10.

    Also, even the public facing scans showed huge numbers of unpatched machines. Hundreds of thousands. So, naturally, there are many more behind a firewall that can be attacked with something like an email dropper vector.


    Edit: that dude fucked up within the first minute of his video
    It's an old video that was made when the news broke out about the Shadow Broker NSA thing, if you are talking about how old it is.

    It took me a while to understand what it is you were saying because I was skeptical about what you posted and I assumed it was just a rehash of the old Shadow Broker news, my bad.
    Yeah it's stupid of them to not update all their platforms to the latest version for exactly this reason, whatever their reason is for not updating I bet they feel really stupid especially since it is easily avoidable.
    This is purely speculation on my part until we learn more about the behaviors of the worm. Now, if they have any knowledgeable I.T. person with networking skills in their employment, they can roll back all servers that are infected. Depending on how bad the infection is and how modern the equipment is, it can be somewhat easily fixed (for servers with backups), but they will most likely lose any of the new data that was input. Again, only for servers, not desktop environments, which would be a different process (the most extreme way would be to do a fresh install). Also, it is possible to set global settings to block all traffic in a network and slowly check which systems are infected; this would be a very tedious way to see how far a network and its nodes are infected, but it is doable. Also, I predict that those infected servers and computers are being turned into zombies for a possible DDoS attack sometime in the near future.

    Quote Originally Posted by Louie_Cypher View Post
    Calling bullshit unless you have a link to a CVE or reliable source. I just got done with a job for a major national medical group that starts with an "A"; there was no ransomware worm or anything else. Only findings were some anonymous ports left open, that is all.
    -Louie
    Took me a bit to track down some reliable sources but here you go:
    https://www.theregister.co.uk/2017/0..._cyber_attack/
    https://www.bleepingcomputer.com/new...-on-a-rampage/

    Also, this subreddit shows which updates your PC should have to make sure you can't get infected:
    https://www.reddit.com/r/netsec/comm...g_just_before/

  8. #8
    If you want the most complete breakdown on the tech, go here: https://gist.github.com/rain-1/98942...93ee6efbc0b168

    More is still being worked out of course.

  9. #9

    Trump 2017: Year Zero

    And yeah, the vast majority of "critical infrastructure" doesn't get properly maintained. Shit like this will continue to happen. All the typical recovery mechanisms for ransomware tend to be asking too much of an organization who can't keep their shit patched as a start.

  10. #10
    Remind me to never question anyone on an internet message board. No sooner did I hit reply than my phone started ringing; now it's going to be a long evening and a long weekend. My apologies for calling BS.
    -louie

  11. #11
    Haha. Well, that's what I get for skipping over the technical aspect with the intent of not going too off topic. If you happen to find a screenshot of one of the infection emails please send my way. It's the last piece of the puzzle for me.


    But yeah, imagine if this Ransomware worm were to decimate all the Trump/Russia evidence. It would just top off the insanity of this week.

  12. #12
    Quote Originally Posted by DigitalChaos View Post
    And yeah, the vast majority of "critical infrastructure" doesn't get properly maintained. Shit like this will continue to happen. All the typical recovery mechanisms for ransomware tend to be asking too much of an organization who can't keep their shit patched as a start.
    Funny how all this reminds me of this: http://www.csoonline.com/article/3132360/mobile-security/researcher-unveils-second-samsung-pay-vulnerability.html
    and this: https://arstechnica.com/security/201...m-https-pages/


    And this is why I take issue with Artificial Intelligence, Organizations, Companies, and the Internet of All Things: if they can't maintain their security and they don't take the necessary steps with redundancies, then anyone can have their information stolen and sold. But that is a discussion for another time, perhaps in a thread about Cyber Security.

    Edit: Make a new thread and have a moderator move the pertinent posts in there.
    VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
    Last edited by ziltoid; 05-12-2017 at 06:10 PM.

  13. #13

    Trump 2017: Year Zero

    Totally down with a "info sec headlines" thread. Maybe "The Cybers" ?? I dunno. We can figure out later.


    I'll clone these last few posts over there when I get home if someone doesn't beat me.

    I've been shitting up this thread with almost all of it. Luckily, most of the big stories have been tied to politics! (Legitimately though... not like my weak ass attempt today)

  14. #14
    Quote Originally Posted by DigitalChaos View Post
    Totally down with a "info sec headlines" thread. Maybe "The Cybers" ?? I dunno. We can figure out later.


    I'll clone these last few posts over there when I get home if someone doesn't beat me.

    I've been shitting up this thread with almost all of it. Luckily, most of the big stories have been tied to politics! (Legitimately though... not like my weak ass attempt today)
    Are we talking about this from General Headlines?

    http://www.echoingthesound.org/commu...546#post349546

    Jesus this is crazy shit:
    https://mobile.twitter.com/i/moments...4161536000?m=1
    Last edited by allegro; 05-12-2017 at 11:05 PM.

  15. #15
    alright, we officially have a thread dedicated to info sec! I'll manage to fuck this one up too...

  16. #16
    Quote Originally Posted by allegro View Post
    Are we talking about this from General Headlines?

    http://www.echoingthesound.org/commu...546#post349546

    Jesus this is crazy shit:
    https://mobile.twitter.com/i/moments...4161536000?m=1
    Yeah, it is related to the first link there. Someone basically used the leaked NSA weapon to spread ransomware that spread to ~100 different countries in a few hours. It's what took down NHS and lots of other entities.

    Now that we are in the infosec thread, i'll give a quick rundown of how we got here and what's next.


    - A hacking group called ShadowBrokers managed to get their hands on these NSA tools. They released a small amount as a sample and then claimed to be trying to sell the rest to the highest bidder. Nobody ended up paying and many doubt ShadowBrokers really wanted to sell them.

    - Mid-March, Microsoft released a patch for 6 serious Windows vulnerabilities. Nobody noticed much at the time. Looking back, everyone assumes the NSA worked with Microsoft to get these patches out, as they were for exploits in the NSA tools that would leak a month later.

    - Mid-April, ShadowBrokers releases the rest of the NSA tools. In the tool set were exploits for the 6 serious Windows vulnerabilities. These were nasty vulnerabilities that required no user interaction. You just point the tool at the IP address and instantly get complete access to the machine, and it's permanent. ETERNALBLUE is the exploit name and DOUBLEPULSAR is the backdoor that gets installed. A lot of people are now saying "fucking apply those Microsoft patches from March ASAP!!" and others say "Yes, patch, but chill with the hyperbole... this exploit only works on machines that are not behind a firewall." Using this tool on its own, yes, you can only infect machines that have been exposed directly to the internet, or machines that you happen to share a local network with. But that's a pretty narrow view of a tool's potential... which we will see a month later.

    - Scans are repeatedly done of every public facing machine. Roughly 1 million machines, last I saw a week ago, were either vulnerable (aka still unpatched) or actively infected with this vulnerability. The vulnerabilities that ETERNALBLUE goes after live inside the network file sharing and/or remote desktop connections. It's pretty stupid to put that stuff directly on the internet like that, but we are surrounded in horribly insecure setups like this.

    - Today, the ransomware worm called WannaCry hits the internet. Each machine that gets hit demands $300-600 in bitcoin to unlock. Phishing emails were sent out with a dropper (code is executed when you click the link) that launched a ransomware infection. Then, the ETERNALBLUE exploit code was used to infect other vulnerable machines on the local network and public internet. So much for "unpatched machines are safe behind a firewall"!! All it took was one person inside the network to get infected and then they attack the rest of the internal network. This infection very well may have also gone after the many public facing machines too.

    - WannaCry spread amazingly fast. A dozen countries in just a couple hours. I think we broke 100 countries by the time the infection was blocked (seemingly). It could have spread much farther, but someone found a way to kill it or at least heavily neuter it. The code behind WannaCry was actually really crappy according to many. Even the ransomware was amateur as fuck, requiring manual redemption for the payment & unlock. As such, they had an accidental kill switch built into the infection code. Basically, if a specific URL suddenly became live, then any new infection would fail to execute. Someone noticed this and brought a website up at this URL. The subsequent infections around the world slowed to a crawl after that.

    - The attack was halted after a few hours. Europe and Asia were hit during the day. The USA lucked out and woke up to it being mostly finished. This is important because it requires user intervention to kick off on a network. This could have been MUCH worse. And it still could be if they release an improved version.


    So here we are. 2 months after the MS Windows patch was issued and 1 month after the critical "holy shit it's bad, fucking patch" and we have all these environments who failed to do so and are suffering. Sadly, this is common to see. It's also very common to see in a lot of the environments we consider "critical infrastructure" like hospitals, public utilities, etc. We also still have a ton of these machines unpatched because it's not like, after 2 months of not patching, they are going to suddenly fix their shit in a few hours on a Friday. This exact ransomware worm code could be re-enabled with a single modification. And shit, this is just for ONE type of vulnerability. There are new types of vulnerabilities all the time. Hospitals were getting saturated in ransomware all the time, we just haven't seen any of it spread as a worm before.

    It's also worth considering the overall public benefit vs damage from the NSA on this. It's very likely that people are going to die as a result of the NHS closures. And do we really trust that these people are going to keep things like "crypto backdoors" secure? lol...
    Last edited by DigitalChaos; 05-13-2017 at 12:38 AM.
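    The scans mentioned in the post above are, at bottom, a check of which hosts still expose SMBv1, the protocol ETERNALBLUE abuses. As an added example, not this thread's code nor any real scanner's, here is a Python SMBv1 negotiate probe: it offers only SMB1 dialects, so a host that still speaks SMBv1 answers with a dialect index, while one with SMBv1 disabled closes the connection or returns no usable index. It reports protocol exposure only, not whether the March patch is installed, and `make_sample_response()` builds constructed reply bytes so the parser can be exercised offline.

```python
"""Probe whether a host still negotiates an SMBv1 dialect.

Added example, not code from this thread or from any scanner it links.
Only SMB1 dialects are offered, so a host with SMBv1 disabled has nothing to
pick. This reports exposure of the protocol ETERNALBLUE targets; it does not
test for the MS17-010 bug. make_sample_response() builds constructed reply
bytes so the parser can be exercised offline.
"""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
DIALECTS = [b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"NT LM 0.12"]


def smb1_header(command, flags=0x18, flags2=0xC801):
    """32-byte SMB1 header: magic, command, NTSTATUS, Flags, Flags2, PIDHigh,
    8-byte SecurityFeatures, Reserved, TID, PIDLow, UID, MID."""
    return struct.pack("<4sBIBHH8sHHHHH", SMB1_MAGIC, command, 0, flags, flags2,
                       0, b"\x00" * 8, 0, 0, 0xFEFF, 0, 0)


def nbss(smb):
    """Wrap an SMB message in a NetBIOS session service header (type 0, 3-byte length)."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def build_negotiate_request():
    """SMB_COM_NEGOTIATE with WordCount=0 and a ByteCount-prefixed dialect list;
    each dialect is 0x02 + name + NUL."""
    data = b"".join(b"\x02" + d + b"\x00" for d in DIALECTS)
    return nbss(smb1_header(SMB_COM_NEGOTIATE) + struct.pack("<BH", 0, len(data)) + data)


def parse_negotiate_response(raw):
    """Dialect name the server picked, or None (SMB2 reply, truncated data, no
    dialect accepted). Offset 32 is WordCount, 33-34 is DialectIndex."""
    if len(raw) < 4 + 32 + 3:
        return None
    smb = raw[4:]                         # drop the NetBIOS session header
    if smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return None
    if smb[32] == 0:                      # no parameter words at all
        return None
    index = struct.unpack_from("<H", smb, 33)[0]
    if index == 0xFFFF or index >= len(DIALECTS):
        return None
    return DIALECTS[index].decode()


def smb1_enabled(host, port=445, timeout=3.0):
    """Live probe. True only if the host answers the SMB1-only negotiate with a
    dialect; a reset, timeout or refusal is reported as not speaking SMBv1 to us."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_negotiate_request())
            return parse_negotiate_response(s.recv(1024)) is not None
    except OSError:
        return False


def make_sample_response(dialect_index):
    """Constructed NT LM 0.12-style reply: WordCount=17, then DialectIndex,
    SecurityMode, MaxMpxCount, MaxNumberVcs, MaxBufferSize, MaxRawSize,
    SessionKey, Capabilities, SystemTime, ServerTimeZone, ChallengeLength."""
    params = struct.pack("<HBHHIIIIQhB", dialect_index, 3, 50, 1, 16644, 65536,
                         0, 0x8000E3FD, 0, 0, 8)
    body = struct.pack("<B", 17) + params + struct.pack("<H", 0)   # ByteCount=0
    return nbss(smb1_header(SMB_COM_NEGOTIATE, flags=0x98) + body)  # 0x98: reply bit


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        print(host, "SMBv1 enabled" if smb1_enabled(host) else "no SMBv1 negotiation")
```

    Run it only against hosts you own or are authorised to test; it is an inventory tool for finding the "still unpatched" population on your own network, and a host that still negotiates NT LM 0.12 belongs at the top of the patch list even if you cannot yet confirm its patch level.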

  17. #17
    Jesus Christ, what a fucking wall of text. I promise it's worth it though. It's a better summary than you'll find in any news article thus far AND you'll understand how precarious our critical infrastructure is. This will continue to get worse.

    Happy to answer any questions on this whole cluster fuck.

    here is a picture to make up for the text. It's my favorite WannaCry image. It shows the infection spreading around a classroom/lab.


  18. #18
    If anyone remembers the Conficker worm from 2008... well, that thing spread everywhere and it's STILL active and one of the more common pieces of malware that is alive. But Conficker was/is slightly more than an annoyance. WannaCry completely fucks your shit up.

    https://en.wikipedia.org/wiki/Conficker

  19. #19
    So was the Win patch an auto update? I have Win 7 (my Win computer is from 2006, too old to install Win 10), is there a patch for older Win machines?

    Did the NHS have backups?

    Obviously the perp is from a country where English is not their first language; the post-hack message shows it.

  20. #20
    I feel it's being reactive instead of proactive. Even when you give a list of libraries that need to be updated and patched, it's too much trouble, when it's so easy today with single-line bash scripts and cron jobs, especially with things like pip and apt-get. It boggles my mind; I find it very lazy and very "why bother until their infrastructure is compromised".
    -louie

  21. #21
    Well, and I did some research and found THIS.

    From JANUARY of 2017. Hmmm ...

    I still have one Windows machine (a Dell) because my boss and my Mom run Windows 7 and sometimes they use me as a Help Desk and I can't help them fix their computer unless I get ON my Win machine and tell them what to do. However, at some point I'm going to ditch the Dell and just get a Mac Mini for my basement office. Or, I'm gonna just use my MacBook Pro in both offices. (My 2009 24" iMac is croaking.)

    @Louie_Cypher , yes, very true.
    Last edited by allegro; 05-14-2017 at 12:14 PM.

  22. #22
    @allegro - if you are on a supported version of windows, it should be getting rolled out via autoupdate. No harm in manually checking though.

  23. #23
    Quote Originally Posted by allegro View Post
    Well, and I did some research and found THIS.

    From JANUARY of 2017. Hmmm ...

    I still have one Windows machine (a Dell) because my boss and my Mom run Windows 7 and sometimes they use me as a Help Desk and I can't help them fix their computer unless I get ON my Win machine and tell them what to do. However, at some point I'm going to ditch the Dell and just get a Mac Mini for my basement office. Or, I'm gonna just use my MacBook Pro in both offices. (My 2007 iMac is croaking.)

    @Louie_Cypher , yes, very true.
    I'll tell you what I tell most people: pick up a few Raspberry Pis. It's secure, it's powerful, cheap, and can do pretty much anything a Mac Mini can do; peripherals are cheap, most apps are open source and free.
    -Louie

  24. #24
    Few updates:

    MS actually just rolled out patches for several of their unsupported versions: XP, 2003, 8.
    https://krebsonsecurity.com/2017/05/...-windows-8-xp/
    not sure if they autoupdate or are manual. You'd think it would be auto if they went through the trouble to head this thing off.


    I have to retract my statement that there was an initial email phishing infection pathway. Despite that being widely reported by credible sources, there has been absolutely zero evidence to support it. We are far enough along that it should be redacted. So the good news is that this has the opportunity to get much worse in the future versions!


    The worm is still very much alive. People are putting honeypots on the internet and are seeing infections happen in under 3 min. A lot of network security products (Palo Alto, Avast, etc.) have started blocking access to the URL that serves as an inadvertent kill switch... thus activating the worm for machines protected by those security products. Fucking DERP. Even some ISPs have started doing this, some as a security measure... some (like in the UK) as part of their stupid censorship stuff.

    Meanwhile, the one random dude who spun up the server that is acting as a kill switch is the only thing keeping this worm mostly contained. This one dude with a shitty server on his own money that can barely handle the load... that's what is keeping the entire internet alive, oh, and huge portions of the vital global infrastructure. What's up, 2017! How someone hasn't DDoS'd this already is beyond me.

  25. #25
    Whoa this is some awesome and fascinating shit:

    https://www.malwaretech.com/2017/05/...r-attacks.html

  26. #26
    Quote Originally Posted by Louie_Cypher View Post
    I'll tell you what I tell most people: pick up a few Raspberry Pis. It's secure, it's powerful, cheap, and can do pretty much anything a Mac Mini can do; peripherals are cheap, most apps are open source and free.
    -Louie
    I have to use MS Office Suite and I have to scan docs and shit. But thanks. My MacBook Pro is actually screaming fast and does everything I need right now if my other machines fail.

  27. #27
    Quote Originally Posted by allegro View Post
    Whoa this is some awesome and fascinating shit:

    https://www.malwaretech.com/2017/05/...r-attacks.html
    I was just reading that too. I like his interpretation that the URL was a shitty anti-sandbox attempt. Others were theorizing that it was a sloppy throttle to slow down the worm by inserting a bit of a delay in execution based on how stressed the network is. DNS resolution takes a bit of time. It's very important to throttle a global worm else it implodes. Sadly, lots of the media covering this are saying that this was an intentional kill-switch installed so that the author could kill the worm in the future... which makes very little sense.
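    The kill-switch behaviour discussed in posts #16, #24 and #27 comes down to one decision: the payload runs only when a request to a particular domain fails. As an added example, not the malware's code, here is a Python model of that decision with a pluggable transport, using a placeholder domain (example.invalid) and constructed stand-ins for the environments the thread describes: the registered sinkhole, a product that "blocks" the URL by dropping the connection, one that serves a block page instead, a sandbox that answers every request, and a host with no internet at all.

```python
"""Model of the 'does this domain answer?' check behind the WannaCry kill switch.

Added example, not the malware's code. CHECK_URL is a placeholder, the
transport is a pluggable callable so the logic can be exercised offline, and
the environment stand-ins below are constructed.
"""
import socket
import urllib.error
import urllib.request

CHECK_URL = "http://killswitch.example.invalid/"   # placeholder, not the real domain


def live_fetch(url, timeout=5.0):
    """Real transport. True if ANY HTTP reply comes back (a 404 or a block page
    counts); False only when the connection itself fails."""
    try:
        urllib.request.urlopen(url, timeout=timeout)
        return True
    except urllib.error.HTTPError:           # got a response, just not 2xx
        return True
    except (urllib.error.URLError, socket.timeout, OSError):
        return False


def should_run(fetch=live_fetch, url=CHECK_URL):
    """The observed logic, inverted from what 'kill switch' suggests: the
    payload proceeds only when the request fails. Nothing about the reply
    (status, body, who answered) is inspected."""
    return not fetch(url)


# Constructed transports standing in for the situations the thread describes.
def sinkhole_registered(url):        # domain now resolves and a web server answers
    return True

def proxy_drops_connection(url):     # "blocking" by refusing/resetting the connection
    return False

def proxy_serves_block_page(url):    # "blocking" by returning an HTML block page
    return True

def sandbox_answers_everything(url): # sandbox that fakes a reply to any request
    return True

def no_internet(url):                # no DNS, no route out
    return False

ENVIRONMENTS = {
    "sinkhole registered": sinkhole_registered,
    "proxy drops connection": proxy_drops_connection,
    "proxy serves block page": proxy_serves_block_page,
    "sandbox answers everything": sandbox_answers_everything,
    "no internet": no_internet,
}


def outcomes(environments=ENVIRONMENTS):
    """Map environment name -> whether the payload would run there."""
    return {name: should_run(fetch) for name, fetch in environments.items()}


if __name__ == "__main__":
    for name, runs in outcomes().items():
        print(f"{name:28s} -> {'RUNS' if runs else 'halts'}")
```

    Two things fall out of the table this prints. A product that blocks the domain by dropping or resetting the connection re-arms the worm for every host behind it, which is the failure mode in post #24, whereas one that answers with a block page does not; and anything that fakes a reply to every request (the sandbox reading in post #27) makes the sample go dormant. On the defender side the safe move is to allow the sinkhole domain explicitly rather than treat it as an indicator to block.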

  28. #28
    don't worry it's secure #with a few exceptions
    -Louie

  29. #29

    Cyber Security

    So far, the initial infection has only pulled in $25k USD worth of BTC. They could have had so much more if they didn't engineer the redemption process like it were the first ransomware ever created. I'm betting the decryption routine is so shitty that there will be a decryption tool released soon. So just keeping the infected machines on ice will be a smart move, if you need data recovery without paying.

  30. #30
    Quote Originally Posted by DigitalChaos View Post
    So far, the initial infection has only pulled in $25k USD worth of BTC. They could have had so much more if they didn't engineer the redemption process like it were the first ransomware ever created. I'm betting the decryption routine is so shitty that there will be a decryption tool released soon. So just keeping the infected machines on ice will be a smart move, if you need data recovery without paying.
    This is starting to look like a script-kiddie level of attack, so who supplied the script and why? Could this be tied back to Trump? The Comey thing blew up in his face, so we have obstruction of justice, tampering, publicly threatening a witness... maybe my tinfoil fedora is on too tight, but there is something not so fresh in Denmark.
    -Louie
