[HacktionLab] WannaCry question

Kate Dawson k4t at 3msg.es
Sun May 14 10:17:01 UTC 2017


I think you are missing at least some options.

(i) The poor soul in the NHS accounts who clicked on
"invoice_1.xlsx.exe" in an email and became "patient zero" ( actually I
wouldn't do it like this.  I'd link to a dropbox, download the executable
from that ( in a word/excel macro ). Exploit the client, and then put
a timer/check to test that it was connected to a large LAN ( by looking
for NetBIOS broadcasts, WINS Servers etc.. ). After finding a large
enough vulnerable community, then deliver the payload, and start to
spread.) 

(j) Organisational financial controllers who chose to prioritise
some resources over others ( specifically IT infrastructure )



All software has bugs in it...

https://scarybeastsecurity.blogspot.co.uk/2016/11/0day-exploit-compromising-linux-desktop.html

However, this kind of thing seems to be a consequence of many
structural design choices over the last 20 years. Windows XP being one
of them.. In my recollection the XP OS has been nothing but a nightmare.
When MS pushed Internet Explorer into the kernel ( to stop the
organisation being broken up in the antitrust actions ), it set
Internet security back by the best part of a decade.  XP was released in
2001, and it wasn't until SP3, released in 2008, that it became Internet
safe.  Drive-by web page ActiveX exploits?

1. The LAN being seen as trusted, then the Internet happening.

2. Crapitalism and getting products with features to market fast, with
"security" not being a feature.

The best comment I saw on twitter was 

https://twitter.com/AlecMuffett/status/863480740025159681

'For Britain to have viable "cyber preparedness" we must pursue "herd
immunity" as with vaccination; not merely "ethical hackers & filters"'

True Story... I was working in a FE College a few years ago, and
noticed students playing network quake.  We found the installer for it,
set up our own quake server process ( but giving ourselves god mode ), kicked
the students off their server, so they joined ours, and proceeded to whup
their asses.  Shortly after the AV scanner started going crazy.  Turned
out that the quake installer had a virus in it, and since we had "Domain Administrator"
with write access to EVERYTHING, every file was getting infected. 

So re.  The virus being different... It's just the monetization that has
made worms a feature.. In those happier times malware authors just wanted to
pop up a box saying "I love you" and we got away with it.  But nearly every 
organisation is just a couple of clicks away from a disaster.

And with a Tin foil hat on, you could say that this is actually quite a
simple infection to deal with. It is easy to resolve, as long as you
have backups, and a mechanism to put systems back into a known good
state. If you wanted to actually do harm, you would sit quietly, and
just flip bits and corrupt files over several months. 

It's a live fire offensive/defensive security test.  The last large one
I saw was against the JANET network,
http://www.uis.cam.ac.uk/incidents/2015/2015-12-08-janet-denial-of-service-attack/02-update-from-jisc

There is no point in these attacks, except as a test of
offensive/defensive weaponry.

So back to the original question...Who to blame...

Assuming organised crime/criminal malware ( No tinfoil hat required )
IMO ... 

(a) Those who wrote [ and distributed ] the virus/worm...

but ranking after that.  

(j) financial controllers who ignored the issue

(c) IT function for not patching.

(b) Microsoft, for not open-sourcing XP




On Sun, May 14, 2017 at 09:39:35AM +0100, Mike Harris wrote:
> Hi all,
> 
> I have a question in my head regarding the WannaCry virus.
> 
> If the virus was a success due largely to people running a 15 year old
> unsupported operating system (XP, or W2003), and if a security alert and
> patch was issued seven weeks ago, and if the exploit was allegedly
> developed/discovered by the NSA, or a group linked to the NSA, and if
> the World weren't informed about it upon its discovery, but rather when
> another group made public this knowledge, and if the information about
> how to exploit it was published publicly quite a long time before it was
> exploited, time sufficient for systems to be patched, who is really to
> blame for it?
> 
> a) Those who wrote the virus.
> 
> b) Microsoft.
> 
> c) IT administrators.
> 
> d) The NSA
> 
> e) The Ruskies
> 
> f) Kim Jong-Un
> 
> g) Aliens
> 
> h) All of the above.
> 
> The press and governments give a sensationalist viewpoint on it,
> mentioning cyber-attacks, cyber-hackers, but this virus doesn't seem to
> me to be really any different to those I used to get 30 years ago on my
> Atari ST from some dodgy floppy disk that I'd inserted; it's just that
> the means of spreading the virus is these days much, much more
> effective.  Yes it was a bad thing to do, and yes it's no doubt criminal
> damage, and yes, it's also extortion, but it's also indicative of an
> industry that has tied people into running a 15 year old proprietary
> operating system that is very widespread still but that hasn't had any
> security patches for three years, and which, I imagine, a lot of
> organisations haven't had the time, money, resources and/or inclination
> to mass upgrade.
> 
> Mike.
> 
> -- 
> 
> Mike Harris . XtreamLab
> w: https://xtreamlab.net
> e: mike.harris at xtreamlab.net
> t: 07811 671 893
> s: adelayde
> 
> 
> 
> _______________________________________________
> HacktionLab mailing list
> HacktionLab at lists.aktivix.org
> https://lists.aktivix.org/mailman/listinfo/hacktionlab

-- 
"The introduction of a coordinate system to geometry is an act of violence"