Thursday, May 18th 2017
WannaCry: Its Origins, and Why Future Attacks may be Worse
WannaCry, the Cryptographic Ransomware that encrypted entire PCs and then demanded payment via Bitcoin to unlock them, is actually not a new piece of technology. Ransomware of this type has existed nearly as long as the cryptocurrency Bitcoin has. What made headlines was the pace with which it spread and the level of damage it caused to several facilities dependent on old, seldom-updated software (hospitals, for example). It's not a stretch to say this may be the first cyberattack directly responsible for a civilian death, though that has not been concluded yet as we are still waiting for the dust to settle. What is clear, however, is WHY it spread so quickly, and it's quite simple really: many users don't have their PCs up to date.
Indeed, the bug that WannaCry utilized to spread this rather old-school ransomware tech had been patched in Windows for about 2 months at the date of the outbreak. But many users were still not patched up. To be clear, this is not just hospital equipment and such that may be difficult to directly patch, but also end-user PCs that simply aren't patched due to user ignorance or outright laziness. That, as a cultural issue, can be fixed relatively easily (and to some degree already is with the push of Windows 10, which handles this automatically for the user). But there is a more sinister twist to this story, one that indicates future outbreaks may be worse. The bug that enabled this to happen was leaked directly from the NSA, and had been known for much, much longer than the patch for it has existed. In other words, this bug had been stockpiled by the US government for use in cyberwarfare, and its leak caused this attack.
Let me play you a theoretical scenario, one not so farfetched I would think. What if Microsoft had NOT had a patch ready at the time of this outbreak? What if the bug (which exists in the file sharing stack and leaves most Windows PCs vulnerable by default) was exposed and we had to wait a couple of days for a patch? What can you do to protect yourself then?
This seemingly nightmarish scenario is a good illustration of why stockpiling vulnerabilities in common software rather than reporting them is a bad practice. Of course, in the above situation, you could just turn your PC off until it all blows over, or turn off SMB1 file sharing in Windows (Google will help you here). Or best yet, you could use a decent firewall setup that does NOT expose SMB ports to the internet (you can even block the ports in Windows Firewall; Google again has the answers). But not all of us are power users. Most out there aren't, actually. A lot of users actually plug their computers directly into their modems. I know, because I've worked IT. I've seen it. And what about when someone finds a worse vulnerability, like in the TCP/IP stack? What then? Do you unplug your computer from the internet entirely? OK, but who got infected first to tell you to do that? Someone had to take one for the team. Either way, damage has been done, people.
This is why the practice of stockpiling exploits has to stop. The US government (and others, for that matter) should report exploits, not store them as cyber weapons. As weapons of war, they are as likely to hurt us in the end as our enemies, and that makes them very bad weapons from the perspective of one of the first rules of warfare: don't hurt your own team.
Call me crazy, but that just seems like a weapon I'd rather not use. If a weapon hurts as many of your own team as your enemy, or even close to that number, it's time to retire that weapon. Of course, we aren't talking about a literal injury or body count here, but the concept is the same. This is just a bad practice, and it needs to stop.
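The two stopgaps mentioned above (turning off SMB1 file sharing and blocking the SMB ports in Windows Firewall) can be applied from an elevated PowerShell prompt. This is an added example, not part of the original article; it assumes Windows 8.1 or Windows 10, and the rule names are made up for the example.

```powershell
# Added example: disable SMBv1 and block inbound SMB on untrusted networks.
# Run as Administrator. Assumes Windows 8.1/10 (SMB and NetSecurity modules present).

# 1. Report whether the SMB server still accepts SMBv1 connections.
$smb = Get-SmbServerConfiguration
"SMB1 server enabled: $($smb.EnableSMB1Protocol)"

# 2. Turn SMBv1 off on the server side (no reboot needed for this step).
if ($smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# 3. Remove the SMBv1 optional feature entirely; this one needs a reboot later.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
if ($feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

# 4. Block inbound SMB and NetBIOS on the Public firewall profile.
#    Rule names are hypothetical; the check keeps the script safe to re-run.
$rules = @(
    @{ Name = 'Example-Block-SMB-TCP-In';     Protocol = 'TCP'; Ports = @('139', '445') },
    @{ Name = 'Example-Block-NetBIOS-UDP-In'; Protocol = 'UDP'; Ports = @('137', '138') }
)
foreach ($r in $rules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Block `
            -Protocol $r.Protocol -LocalPort $r.Ports -Profile Public | Out-Null
    }
}

# 5. Verify the result.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
Get-NetFirewallRule -DisplayName 'Example-Block-*' |
    Select-Object DisplayName, Enabled, Profile, Action
```

The firewall rules only apply while the active network is classified as Public; on a PC plugged straight into a modem whose connection was marked Private, use `-Profile Any` instead, which also stops file sharing on the local network.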
57 Comments on WannaCry: Its Origins, and Why Future Attacks may be Worse
As for government finding exploits and not talking about them: remember that the NSA likely used an exploit like this (or maybe this very one) to launch a successful cyber attack against Iran's centrifuges. No one got hurt and Iran's nuclear ambitions were hugely damaged/delayed. I think NSA should adopt a policy like Google. If it finds an exploit, it gives itself some time to use it, then it notifies whomever can fix it (in this case Microsoft), and then it publishes a document detailing the exploit some time after that. NSA gets their covert tools and the holes get plugged (which helps the government too because there's a lot of Windows systems around).
Obviously in that instance, care had been taken and the potential for network/internet abuse of that exploit was 0.
However, if it was a networkable worm (unclear on this) what would've happened had that been leaked? You know the answer. The NSA isn't a vault of security as of late.
It may not even have been an exploit for that matter. More likely, knowing that USB drivers are privileged, it was simply a modified USB stick. That's relatively trivial if you know firmware programming.
If they could do this, and point the finger at the "Russkies" (or the next "Axis of Evil"), they would.
It's all fun and games for them (quite literally).
Edit: Microsoft still haven't patched XP, have they?
Can't say much since I'll be accused of m$ bashing...
On second thought, I don't give a shit, if m$ receives any bashing, it's prolly well deserved in one way or another, and maybe they might even step up a bit more often and fix exploits before they release them intentionally to the NSA/CIA/paying governments.
Proposed PATCH Act forces U.S. snoops to quit hoarding code exploits
www.theregister.co.uk/2017/05/18/senate_introduces_patch_act_to_force_intel_agencies_to_fix_found_exploits/
Two U.S. senators have proposed a law limiting American intelligence agencies' secret stockpiles of vulnerabilities found in products.
The Protecting our Ability To Counter Hacking (PATCH) Act would set up a board chaired by a Department of Homeland Security (DHS) official to assess security flaws spies have found in code and hardware, and decide if manufacturers should be alerted to the bugs so they can be fixed for everyone.
Now all we have to do is get the pinheads in D.C. to pass the legislation into law....
That's what I was referring to.
Getting everything onto the net is a horrible, horrible idea. It is just TNT waiting for a spark. Unfortunately, the WannaCry situation showed us there is no shortage of such sparks.
At least there are intelligent enterprise routers out now that perform deep packet inspection to find and stop malicious activity. Systems like that need to be rolled out to all consumers, stopping widespread infections before they start.
Worth noting is how Windows 10 was/is not affected by the SMB spreading exploits.
blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/