My Take On WannaCry

Reading media coverage of the WannaCry ransomware attack has been excruciatingly frustrating, because little to no information was offered on how infection happens and how to protect yourself.

This issue has been frustrating and unhelpful: as an IT professional and user, if I couldn’t find the right answers, there is something seriously wrong.  I couldn’t find the important information in any of the mainstream articles, so a novice or amateur user would certainly have no chance of protecting themselves.

How Did WannaCry Infect and Spread?

Long version here from Malwarebytes

One of the key ways is still the oldest “phishing” trick in the book: e-mail, through which many users are tricked into opening infected attachments.  This was not readily available in media coverage, and this simple warning or announcement could have prevented a lot of new infections.  I believe this is a key factor that has not been discussed: since many networks will be behind NAT and external SMB services would be blocked, having users on the LAN install the worm is an easy way to get inside and spread the infection to areas that are hardened on the outside.

The more technical explanation is an exploit called “ETERNALBLUE”, a hacking tool leaked from the NSA, which exploited a weakness in Microsoft’s implementation of SMB (Server Message Block, the file-sharing protocol).   This has been widely reported, but the simple way to prevent automatic infection through this method has not.

Once a machine is infected, the worm essentially scans your LAN and then the internet to spread the infection further, which quickly multiplied the damage and scope of this attack.
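The scanning behaviour just described is visible in ordinary host firewall logs as one source talking to many distinct destinations on TCP/445 in a short time. The script below is an added example (not from the original post) that flags such fan-out; the log lines are constructed here and only loosely modelled on the Windows Firewall pfirewall.log field order, and the threshold of 10 distinct targets is an assumption you should tune for your own network.

```powershell
# Added example, not part of the original post. Flags hosts that open SMB (TCP/445)
# connections to many distinct peers, the pattern a scanning worm produces.

# Constructed sample log lines. Field order (date time action proto src dst sport dport)
# is modelled on the Windows Firewall log; the addresses are invented.
$scannerLines = 1..25 | ForEach-Object {
    "2017-05-12 10:00:01 ALLOW TCP 192.168.1.20 192.168.1.$_ $(50200 + $_) 445"
}
$benignLines = @(
    '2017-05-12 10:00:02 ALLOW TCP 192.168.1.30 192.168.1.5 50301 445',   # one file server
    '2017-05-12 10:00:02 ALLOW TCP 192.168.1.30 192.168.1.5 50302 445',
    '2017-05-12 10:00:03 ALLOW TCP 192.168.1.31 93.184.216.34 50400 443', # not SMB
    '2017-05-12 10:00:03 ALLOW UDP 192.168.1.31 192.168.1.1 50401 53'     # DNS
)
$SampleLog = $scannerLines + $benignLines

function Find-SmbFanOut {
    <#
      Returns one object per source IP that reached at least $Threshold distinct
      destination IPs on TCP/445 within the supplied lines.
    #>
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [int] $Threshold = 10            # assumption: tune per environment
    )
    $targetsBySource = @{}
    foreach ($line in $Lines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 8) { continue }                       # malformed line
        if ($f[3] -ne 'TCP' -or $f[7] -ne '445') { continue }  # only SMB over TCP
        $src = $f[4]; $dst = $f[5]
        if (-not $targetsBySource.ContainsKey($src)) {
            $targetsBySource[$src] = New-Object 'System.Collections.Generic.HashSet[string]'
        }
        [void] $targetsBySource[$src].Add($dst)
    }
    foreach ($entry in $targetsBySource.GetEnumerator()) {
        if ($entry.Value.Count -ge $Threshold) {
            [pscustomobject]@{ Source = $entry.Key; DistinctSmbTargets = $entry.Value.Count }
        }
    }
}

# Usage: only 192.168.1.20 (25 distinct targets) should be reported; 192.168.1.30
# talks to a single file server and is ignored.
Find-SmbFanOut -Lines $SampleLog -Threshold 10 | Format-Table -AutoSize
```

Counting distinct destinations per source, rather than raw connection counts, is what separates a worm sweeping a /24 from a workstation that legitimately opens many sessions to one file server. On a real host, feed the function the contents of the firewall log file after enabling logging of allowed connections.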

How to protect yourself?

  1. First and foremost, update Microsoft Windows regardless of OS (whether you have XP, Vista, 7, 10, 12 or any Server), because all Microsoft versions are apparently impacted by MS17-010 ETERNALBLUE/WannaCry.
  2. Disable SMB/file sharing in Windows, and if that is not possible, at least use firewall settings to block SMB/file sharing/CIFS.
  3. If the above is not possible, physically unplug any impacted machines from the network (it could be as simple as disabling all ports on your network switch, or even unplugging entire switches if possible).
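The first two steps above, as an added PowerShell example that is not part of the original post. It assumes an elevated prompt on Windows 8/Server 2012 or later (the `Get-SmbServerConfiguration`, `Set-SmbServerConfiguration` and `New-NetFirewallRule` cmdlets do not exist on Windows 7 or XP, where the same steps are done through the Control Panel). The post does not list the MS17-010 KB numbers, so `$Ms17010Kbs` is a placeholder you must fill from the Microsoft bulletin for your OS.

```powershell
# Added example, not from the original post. Requires an Administrator prompt on
# Windows 8 / Server 2012 or newer.

# PLACEHOLDER: replace with the MS17-010 KB article number(s) for your OS version.
$Ms17010Kbs = @('KB<MS17-010 article for your OS>')

function Test-Ms17010Installed {
    # Step 1: is at least one of the MS17-010 updates present on this machine?
    param([Parameter(Mandatory)] [string[]] $KbIds)
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KbIds) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Disable-Smb1 {
    # Step 2: switch off the SMBv1 dialect that ETERNALBLUE targets. This does not
    # remove SMBv2/v3 file sharing, which is unaffected by the exploit.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # On client Windows editions the SMB1 component can be removed entirely
    # (reboot required); on Server use Remove-WindowsFeature FS-SMB1 instead.
    if ((Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue).State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

function Block-SmbInbound {
    # Step 2 fallback: if file sharing must stay on, block inbound SMB/CIFS at the host
    # firewall so nothing on the LAN or internet can reach the SMB service.
    foreach ($port in 445, 139) {
        New-NetFirewallRule -DisplayName "Block inbound SMB TCP/$port" -Direction Inbound `
            -Protocol TCP -LocalPort $port -Action Block -Profile Any | Out-Null
    }
}

# Usage
if (-not (Test-Ms17010Installed -KbIds $Ms17010Kbs)) {
    Write-Warning 'MS17-010 not detected. Install the update before anything else.'
}
Disable-Smb1
Block-SmbInbound
# Confirm the result: EnableSMB1Protocol should now read False.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
```

Patching is the only step that fixes the vulnerability itself; disabling SMBv1 and blocking TCP/445 and TCP/139 remove the path the worm uses to reach it, and the firewall rules are the right stop-gap for a machine that cannot be patched or rebooted immediately.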

Who is to blame?

There is plenty of blame to go around but currently a lot of it is coming from Microsoft who is blaming users for not patching and the NSA for hoarding these exploits and not notifying them or users beforehand.

In all fairness, Microsoft did issue patches, even for unsupported OSes like Vista and XP, on March 14th, 2017.

Many have mused that the NSA should have at least notified Microsoft the moment they realized their hacking tools were leaked.

At the end of the day the question is how could Microsoft have left open such a serious vulnerability for so long?  Was it an intentional backdoor and was it collaboration between Microsoft and the NSA or other third parties?

Some Can’t Patch

Some systems may be running on isolated internal networks on their own LAN, so they wouldn’t have been patched, yet they were still infected.  To make matters worse, the chances are that these would more likely be the critical data and infrastructure impacted in this case.

Other machines are not managed properly or remotely and are deployed with internet access making them sitting ducks for these types of attacks.

There are also some who just don’t patch because the risk of impacting existing services is too great.  Although I would argue the risk is much higher if you do not patch and do not upgrade or migrate your applications to a more secure platform, and then get hit with ransomware like this.

These Issues Are Nothing New

With the Snowden revelations, many have worried that US tech companies being forced to provide backdoor access to the NSA would be vulnerable should other hackers discover the vulnerabilities or intentional backdoors on their own, or, as in this case, when the tools and exploits were somehow leaked.

In the wider scope of things, Microsoft has seen worms of this scale in the past; it’s nothing new.  There are no worldwide protocols for notifying users or defending against such worms, and this will certainly become an increasing problem with more and more devices online, especially with IoT and the many connected devices that we don’t think about, that don’t get patched, or that may not have an easy or automatic way of updating.

Apple CEO Tim Cook’s Business Decision to Fight the FBI/Court Order

Mr. Cook has clearly made a strategic decision to be one of the first and few tech companies to challenge a court order of this magnitude, and if anyone can do it, it would be Apple.

Now, to be clear, there is a very serious matter in this case, and it is a tricky rope for investigators and businesses to get right.  A crime has been committed, the authorities have presumably presented credible evidence, and there is a court order; however, the order amounts to essentially unlimited access to all Apple devices.  The business (Apple) has two choices: co-operate, or deal with the consequences of not doing so, and in Apple’s case there is little financial consequence to not co-operating.  The opposite case could be made that Apple recognizes that if the public finds out they complied, their encryption is as good as useless; their analysts probably put a price tag on the customer backlash and likely predicted a huge drop in AAPL shares.  Aside from the business case, it looks like now that the issue of privacy has come knocking on his doorstep, he has no choice but to take a bold and very public stand.

This is not a typical court order but is in effect a blanket, mass surveillance project.  Apple is basically being asked to make an app and backdoor to bypass their encryption, or at least to disable the 10-try mechanism so that traditional brute-force password methods can be used.  Tim Cook stated very clearly that the ramifications would go far beyond this one case and supported his concerns by noting there would be little control or oversight over such a mechanism if Apple complied, which could mean the backdoor could be abused without due cause, as has been the case in the past with other surveillance.

One wonders if Apple has pondered its next move, because it is unlikely that Apple can indefinitely delay or win the fight in the end.  They are legally under US jurisdiction and must win their challenge or comply.  Failing that, Apple’s only option would be to move overseas/off-shore, which would be a huge blow for the US economy and tech sector, and other companies may follow suit; note, for instance, McAfee weighing in on the issue and offering to crack the iPhone.

My philosophy has always been the US is a great place to do business with huge potential, but I always advise people to understand that any traffic transiting the US and especially data stored there is subject to US laws and regulations.

It will be interesting to watch where this goes; I have a feeling that most are cheering for Apple and Tim Cook at the moment, and it is really no wonder given what is at stake.