Protecting Against Ransomware
This topic has 106 replies, 13 voices, and was last updated 8 years, 9 months ago by Bob Williams.
May 22, 2017 at 12:35 am #7667
Great explanation, mind at rest, panic over, TY Dave!
When the Thought Police arrive at your door, think -
I'm out.
May 22, 2017 at 8:10 am #7671
Cheers Dave.
Caution is a wonderful thing, but reality trumps it every time!! The problem is, all you get is the scare/buy me/do this that in actuality is glorified marketing, and very little – understandable – information regarding what to do and how to do it.
If/when your ankle/legs get to the stage they impact your ability to do what you’re doing now, you would have a good option as a blogger/writer. Your clear, lucid, easy-to-get-your head round style make things easy to get the gist of and act accordingly – sort of “IT News for Dummies” style!!
May 22, 2017 at 8:14 am #7672
Researchers at Bleeping Computer have discovered that 98% of Wannacry victims were using Windows 7! So I’m afraid I’ll contradict Dave and say that you should disable smb1. Few if any programs should now require this – the only ones that may are obsolete streaming devices. It is easy to switch off smb1 and very easy to turn it on in the unlikely event you need it.
You cannot use the Control Panel to turn off smb1 on a Win7 machine. People report confusion on following Microsoft’s instructions so I’ll give a cut-down version. Use the following method.
Switch to an Administrator account (important) then run cmd as an Administrator (you will find it in Accessories, right-click and choose to run as Administrator). This gives you a sort of super admin access to the command line.
Once you have the command line program running, carefully enter the following – one line at a time (you cannot copy and paste in Windows 7 cmd.exe):
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
Note that there is a space between = and bowser (important). Let it run; it should report success.
sc.exe config mrxsmb10 start= disabled
Note the space after equals! Let it run; it should report success.
That's it, smb1 is switched off.
In the unlikely event you need it back, just follow the same procedure to get a super-admin cmd, and enter this:
sc.exe config mrxsmb10 start= auto
You are now vulnerable again.
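A script to read back what those two sc.exe commands changed, added here as an example and not part of Ed's post. It reads the same service entries the commands modify (the mrxsmb10 start type and the LanmanWorkstation dependency list) and also the LanmanServer\Parameters\SMB1 registry value, which is assumed from Microsoft's guidance to be the server-side switch on Windows 7 / Server 2008 R2.

```powershell
# Added example, not from the thread: read back the SMB1 state that the sc.exe commands above change.
# Run in an elevated PowerShell on Windows 7 / Server 2008 R2 (written to be PowerShell 2.0 compatible).
# Assumption: LanmanServer\Parameters\SMB1 is the server-side switch used by Microsoft's KB guidance.
$services   = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$startNames = @{ 0 = 'boot'; 1 = 'system'; 2 = 'auto'; 3 = 'demand'; 4 = 'disabled' }

function Get-Smb1State {
    # Client side: the SMB1 redirector driver and whether the workstation service still depends on it
    $mrx  = Get-ItemProperty -Path "$services\mrxsmb10" -Name Start -ErrorAction SilentlyContinue
    $deps = (Get-ItemProperty -Path "$services\LanmanWorkstation" -Name DependOnService).DependOnService
    # Server side: SMB1 DWORD under LanmanServer\Parameters; a missing value means SMB1 serving is still on
    $srv  = Get-ItemProperty -Path "$services\LanmanServer\Parameters" -Name SMB1 -ErrorAction SilentlyContinue

    $clientStart = 'driver not present'
    if ($mrx) { $clientStart = $startNames[[int]$mrx.Start] }
    $serverOn = $true
    if ($srv) { $serverOn = [bool]$srv.SMB1 }

    New-Object PSObject -Property @{
        ClientDriverStart        = $clientStart
        WorkstationDependsOnSmb1 = [bool]($deps -contains 'mrxsmb10')
        ServerSmb1Enabled        = $serverOn
    }
}

$state = Get-Smb1State
$state | Format-List
if ($state.ClientDriverStart -eq 'disabled' -and
    -not $state.WorkstationDependsOnSmb1 -and
    -not $state.ServerSmb1Enabled) {
    Write-Host 'SMB1 client and server are both off on this host.'
} else {
    Write-Host 'SMB1 is still enabled in at least one direction (client or server) on this host.'
}
```

The sc.exe steps above only cover the client side; a machine can pass that check and still accept SMB1 connections as a server, which is what the third field reports.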
May 22, 2017 at 9:02 am #7677
Thank you ED, that was interesting, very interesting. Were those Windows 7 machines running current patch levels since it was supposed to have been patched via the recent patch release? I was unable to find the current patch status of my WHS system with regard to SMBx, though it was up to date, so I resorted to the manual registry patch, which was nerve-bending to say the least. I have seen no issues to date, but apart from some elderly attached devices, scanners, printers and the like I have no devices likely to have been affected. I have seen no problems with my Windows 10 machines, where I did perform the Control Panel fix and disabled the option, even though they too were patched up to date.
The SMB version in dispute dates back to the last century with Windows 98, which few are currently using – (I assume) and has been vigorously deprecated since then.
Any, no make that ALL makers who want to use such a service should be forced to also ensure the use of quill pens rather than suggest users do anything as stupid as to force perpetuating discredited systems. I wonder if the sales of goods acts would be any help for the private users of the crap devices that try to force them back into the 20th century?
May 22, 2017 at 9:37 am #7678
Richard, it’s not so much in the Windows world that SMB1 is prevalent, it’s in devices like NAS boxes.
I’ve just looked at the manual for the Buffalo LinkStation 210 (£85 with 2TB on E-Buyer) and SMB2 is disabled by default.
May 22, 2017 at 10:06 am #7680
Dave, one has to ask why?
So their slogan is :
Forward to the Past with Buffalo
I trust they mark the crap not to be used with Windows, though I guess not.
Trades description act anyone?
May 22, 2017 at 10:17 am #7682
Richard – I know no more than Bleeping reveals, your guess is as good as mine. Probably not, but some ‘kind’ person has apparently rewritten the malware to work more reliably on XP (which it mostly did not) and later versions of Windows.
Just to be contentious and building on Dave’s reply, Linux is the main problem!
SMB as you point out is a Windows standard (built on the back of an IBM protocol), while Samba is the open software clone. Samba frequently had problems connecting with later versions of the Server Message Block (SMB), while vendors tended to use embedded Linux chips in their devices as these were cheap and carried no Windows ‘tax’. Following from this they tended to set their device to SMB-1 as this could (more or less) be guaranteed to connect with anything. For many years vendors would default to SMB-1 even when SMB2/3 etc were available as this pretty much guaranteed that they could talk to old routers, modems, and other intelligent devices. There are probably zillions of such devices that have never had a firmware update since their installation and still use SMB-1.
That is no excuse for the Buffalo device. I do agree that devices should no longer be sold defaulting to an obsolete standard, but Buffalo et al will have a devil of a problem convincing naive customers that it is their fault for trying to connect to an ancient router/switch etc., and that the problem sits squarely on their obsolete kit.
May 22, 2017 at 12:30 pm #7685
I’m reading a book regarding the history of worms and exploits. Only a third of the way through. But is SMB a more secure/evolved irc backbone? As I see it, all the early exploits took advantage of that.
I’m swinging in the dark here, probably way off. Before this came to news lately I always thought SMB referred to samba. And before the book, that irc was just a chat system. But now it seems chat ran on top of irc, and samba could be an extension/relation of it.
I’m learning so be nice.
The book is ‘Worm:The first digital war’ by Mark Bowden.
May 22, 2017 at 1:38 pm #7691
Richard – That is no excuse for the Buffalo device. I do agree that devices should no longer be sold defaulting to an obsolete standard, but Buffalo et al will have a devil of a problem convincing naive customers that it is their fault for trying to connect to an ancient router/switch etc., and that the problem sits squarely on their obsolete kit.
Original message truncated to save space. Buffalo and all others should be called out over their use of fully deprecated and unsuitable comms in their crapware. I understand the point about new things not working with old junk; it happened with rather newer items such as printers and scanners being rendered unusable without them carrying any such risks. If someone wants to continue with something best supplied by Steptoe and Sons no one can really stop them, but at least they should know the issues.
However, why should other folk have to suffer the side effects of this stupidity? A cheap NAS is not a 1, 2 or more pounds health supporting scanner when all is said and done. Were the crap modems/NASs/miscellaneous other crap the real reason for the problem?
Perhaps drawing attention to the NHS suffering due to SMBv1 and noting that the Buffalo (and possibly other OEM) crap wants users to suffer the same fate might spur some to action. I still fancy a class action style assault on these bozos. Shipping the more reliable option disabled is plain stupid and some means of stopping them needs to be found.
I agree that the historical picture is both sordid and complex.
May 22, 2017 at 3:06 pm #7694
I was in a hurry this morning so just looked at Buffalo as I had an inkling it was an easy target.
Just looking now at Seagate Personal Cloud 3TB Home Media Storage (£121) and there is no technical information worth finding. But it does say you can access via File Explorer so that says SMB. Likewise WD My Cloud 2TB Personal Cloud NAS Drive. No SMB settings anywhere. At least the Buffalo allowed you to turn on ver 2.
My Synology comes with SMB turned off by default, and you can set a minimum and maximum of SMB1, SMB 2, SMB2 with large MTU or SMB 3. Plus lots of other SMB related settings I don’t pretend to understand.
As Ed says, the default is always the lowest common denominator. It’s the backward compatibility issue. Just think what IoT has waiting for us :wacko:
May 22, 2017 at 3:30 pm #7698
OOPs, I should have said a bit of cheap tat is not a £1~3 million scanner in my earlier posting.
Dave, does file explorer have to mean SMBv1? I have turned off SMBv1 and register blocked it in the server, yet file explorer still works into my server, so I am a bit puzzled.
May 22, 2017 at 9:35 pm #7713
If your target only supports ver 1 then you’ll have to run ver 1.
Your WHS 2011 is based on Windows Server 2008 R2 so supports SMB 2.1 as does W7 and above.
May 23, 2017 at 6:45 am #7723
May 23, 2017 at 7:29 am #7726
Thank you Dave for giving an answer that eluded me in previous searches.
Surely though, if the target only supports SMBv1, then its target should be the skip?
That way it will not become the source of further problems.
Thank you ED, I will try to look into Wireshark (again). I can see I did look into it a little back in 2015 as I have a PDF of instructions relating to its capabilities, though the reason for my then interest eludes me now. I believe that I have removed all chance of SMBv1 existing on my network with the possible exception of the de-powered and unused Windows XP machines that have not yet been cannibalised. They would have their capabilities ‘modified’ before they would ever be used, though they do have some old files (and storage space) available – if they still work. Looking will not be today as there are too many other distractions, interruptions and appointments planned for me to handle already.
May 23, 2017 at 1:19 pm #7754
I’m attending a webinar (horrible word) at 2pm “Debrief: The anatomy of WannaCry by IDC and Bitdefender”.
As mentioned devices are still being produced in large volumes aimed at the sector least likely to understand any of the issues. The same sector IoT is aimed at, who love a bargain too.
Microsoft and the whole security world has for some time been urging IT professionals to dump it and have provided the tools to search it out.
2 slides from the webinar (EK = exploit kit) [slide images not reproduced here]
I believe they think it’s not a nation state or organised crime. It's not just sloppy code; how to retrieve the ransom wasn’t thought through.
The advice was exactly the same as has been mentioned here. Patch, AV, backup on remote devices, disable SMB v1.
May 23, 2017 at 3:22 pm #7782
Just to tack onto Dave’s point, Microsoft recommended using Wireshark to check if the measures taken were effective and to help identify those devices still using smb1. I think since then that M$ have issued a tool to automate this checking but I’m not sure if it is generally available. Dave may know more about this.
May 23, 2017 at 5:18 pm #7800
It’s all in the MS Storage Stop using SMB1 Blog and it can be convoluted. However apparently a “smb.dialect.index == 5” filter with Wireshark will work.
However they provide SMB1 usage auditing in Windows 10 and Windows Server 2016: “Set-SmbServerConfiguration –AuditSmb1Access $true”. Then examine the SMBServer\Audit event log on the systems.
The comments tell of a story where SMB v1 is still in use in line of business tools, and it ain’t XP. IBM ISAM sticks out (it’s to do with database indexes) and it’s typically used by small outfits where a full blown SQL alternative is too complicated or expensive.
It seems Ricoh printers and Toshiba copiers are the same. The MS answer is “I wonder what they will say when you tell them you are switching vendors.” How naive. Ricoh (or Aficio) MFPs are the mainstay of the pay per page lease business and people will have long contracts in place. Although apparently newer machines do have SMB v2, you have to Telnet to them to enable it. It looks like some HP MFPs have the same issue.
Earlier on I turned off SMB1 on the charity’s Synology NAS which has a share used as the target for the scanner on their ancient MFP. They don’t do much scanning but I’m just waiting for the phone call….
So it is industry wide on all sorts of devices that can’t just be thrown out or isolated. This is what I meant by my comment on the ZDNet article. No business works in an MS only world where you can “just upgrade to this years model”. When the phone call to the non scanning comes in my answer cannot be go and replace £1,400s worth of printer.
EDIT just realised I’m “panicking” unnecessarily. SMB 1 can still stay turned off on the PCs. Only the Synology will need v1 so the printer can drop the scan onto the share. As it’s a mapped drive from the PC it would be vulnerable to encryption, but who cares too much about a bunch of PDFs that would have been copied to the Cloud Station via the PC?
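A way to turn the SMBServer\Audit log Dave mentions into a list of devices still speaking SMB1 (printers, NAS boxes, old PCs), added here as an example rather than anything from Microsoft's blog or the thread. It assumes the audit entries are event ID 3000 in the Microsoft-Windows-SMBServer/Audit channel and that each message carries a "Client Address:" field.

```powershell
# Added example, not from the thread or Microsoft's blog: summarise which clients still talk SMB1 to a
# Windows 10 / Server 2016 host after 'Set-SmbServerConfiguration -AuditSmb1Access $true'.
# Assumptions: audit entries are event ID 3000 in Microsoft-Windows-SMBServer/Audit and carry 'Client Address:'.
function Get-Smb1Clients {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-SMBServer/Audit'
        Id        = 3000
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) { return @() }   # auditing off, or nothing has used SMB1 in the window

    $events | ForEach-Object {
        # Pull the client address out of the event text; skip entries that do not match
        if ($_.Message -match 'Client Address:\s*(\S+)') {
            New-Object PSObject -Property @{ Client = $Matches[1]; When = $_.TimeCreated }
        }
    } | Group-Object Client | ForEach-Object {
        $times = $_.Group | Sort-Object When
        New-Object PSObject -Property @{
            Client    = $_.Name
            Attempts  = $_.Count
            FirstSeen = $times[0].When
            LastSeen  = $times[-1].When
        }
    } | Sort-Object Attempts -Descending
}

# Every address listed is a device to fix, isolate or replace before SMB1 is removed from the server.
Get-Smb1Clients -Days 30 | Format-Table Client, Attempts, FirstSeen, LastSeen -AutoSize
```

An empty result after a few weeks of auditing is the evidence that the server's SMB1 can be switched off without surprising anyone's scanner.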
May 23, 2017 at 6:59 pm #7811
Maybe there is a market for a secure little smb1<->smb2 black-box translator device. A business opportunity for someone!
May 23, 2017 at 10:36 pm #7816
On my recommendation the charity have bought a Lexmark CX510de as the HP printer in Finance has died (this is not the printer I mentioned earlier, the 2 support branches use Konica Minolta bizhub c224e MFPs on page per page leases – not my idea!).
At almost £400 it’s not cheap, but it’s full duplex print and scan (via an ADF), 30ppm b&w and colour, low running costs (0.12 and 0.72) and ships with 8k Black & 4k CMY Toners (cost £385 to replace), a 4 Year On-Site Warranty and a free Kindle Fire (to bribe the budget holder with). So actually in terms of TCO it’s a billy bargain!
The point is this is firmly aimed at SMBs. It was delivered today and I’m off to configure it tomorrow. So check the SMB specs. Not a sniff but in the Scan to Network Folder Setup instructions it clearly supports XP so I think we all know the answer by now.
But, there may be light at the end of the tunnel. Looking at “Scanning to a computer using the Embedded Web Server” and “Setting up Scan to Computer” we see “This feature is supported only in Windows Vista or later”. May be a :good:
There is also a Scan for E-mail option but that will mean setting up a gmail account for “less secure apps” as they don’t have any free domain email addresses. Also it means setting up a destination to every user individually. That’s 15 of them not counting staff turnover.
Hey Ho, it will be fun. How much do you want to bet I’ll just go for the easy SMB v1 to a Synology share option? Actually very high, as the Konica printers mean SMB v1 will be active anyway and the perimeter and local security defences are very good. I am not worried about a man in the middle scenario.
There appears to be an app of sorts that may sort this, we’ll see tomorrow.
May 23, 2017 at 11:00 pm #7818
Just a note on the run as admin option mentioned above. Windows XP created just one local session (session 0) when it booted and everything ran in that. Windows Vista and above use terminal services to create the initial session (still session 0) that runs system services and presents you with the secure login box. If you log in as a standard user then the Windows session manager creates session 1 for all your processes to run in and marks it with a standard user security token. If you log in as admin then Windows STILL creates session 1 with a standard user token but it also creates session 2 with an admin security token. Most of the time admin accounts are running in session 1 with all its restrictions but they have the authority to switch to session 2. The switch over is handled by the user access control (UAC) service which can be triggered by running a program that requires admin rights or by using the run as admin option for any program.