How vulnerable is the internet?

Seek assistance with all types of tech. - computer, phone, TV, heating controls etc.
Clitheroekid
Lemon Quarter
Posts: 2888
Joined: November 6th, 2016, 9:58 pm
Has thanked: 1406 times
Been thanked: 3825 times

How vulnerable is the internet?

#63781

Postby Clitheroekid » June 30th, 2017, 12:09 am

I understand nothing at all about how ransomware and other malware is designed to bypass security mechanisms, but the last two widely reported attempts seem to have been remarkably successful in technical terms if not financial ones.

It sounds particularly alarming to me as a layman that the very recent NotPetya attack appears to have succeeded against computers that had presumably updated the latest Windows patches.

So my basic question to those who understand such matters is whether a hostile government with effectively unlimited resources and able to hire the best technical skills in the world could design and launch a program that could cause widespread and permanent destruction of data - in effect to cripple entire sections of the internet.

On the face of it I would have thought that a more powerful and sophisticated version of the recent ransomware could be used but without any ransom element - destruction for the sake of destruction and for political / military reasons. Indeed, it seems that the NotPetya attack may have been just such an attack, as the ransom element apparently didn't work and may have been included just to disguise the motives of those who launched the attack.

And following on from my original question, as on the face of it such a program would attack the attacker just as much as the victims, would it be possible to target it solely at a particular country or countries?

Alaric
Lemon Half
Posts: 6116
Joined: November 5th, 2016, 9:05 am
Has thanked: 21 times
Been thanked: 1427 times

Re: How vulnerable is the internet?

#63782

Postby Alaric » June 30th, 2017, 12:27 am

Clitheroekid wrote:And following on from my original question, as on the face of it such a program would attack the attacker just as much as the victims, would it be possible to target it solely at a particular country or countries?


If you were able to run the computers in your own country on an exclusively home made operating system, that ought to be reasonably invulnerable to external attack. Not connecting computers to the Internet unless absolutely necessary is another defence.

Whilst being able to control your central heating or fridge from a thousand miles away is a "cool" idea, unless you have the security set up properly, the guy sitting next to you in the bar could gain the same access.

flint
2 Lemon pips
Posts: 111
Joined: November 4th, 2016, 6:55 pm
Has thanked: 12 times
Been thanked: 14 times

Re: How vulnerable is the internet?

#63785

Postby flint » June 30th, 2017, 2:12 am

These are three reasons that I recently read about:

Some large organisations struggle to get their staff to comply with directions - such as do not open attachments. Any laptop connected to the system can infect the whole system.

One large organisation did not keep the updates up to date - saying that they could not shut down their computer to download them as they must run 24/7. Most individuals get updates automatically when they are issued, on the first occasion that they switch off.

Some run old operating systems.

superFoolish
Lemon Slice
Posts: 253
Joined: November 7th, 2016, 12:28 am
Been thanked: 57 times

Re: How vulnerable is the internet?

#63815

Postby superFoolish » June 30th, 2017, 9:03 am

These latest attacks are using a far more sophisticated attack vector than email phishing; it appears that NotPetya was transmitted by attacking the update servers of a legitimate and widely used accounting package.

To answer CK's question, it appears likely that the underlying transmission methods were developed by USA security agencies who, instead of advising Microsoft of the vulnerability, kept it a secret so they could use it for spying. However, their own security was not so hot, because someone hacked / leaked the government agency's hacking toolbox, and made it public. These tools are now being used by either other governments or criminals.

It would appear that it is within the means of governments to launch major attacks. However, I suspect that even though they are capable, they use their hacking tools more discreetly in order to keep attack vectors secret.

UncleEbenezer
The full Lemon
Posts: 10887
Joined: November 4th, 2016, 8:17 pm
Has thanked: 1480 times
Been thanked: 3028 times

Re: How vulnerable is the internet?

#63856

Postby UncleEbenezer » June 30th, 2017, 10:03 am

It's not the Internet that's vulnerable. It's certain users.

In answer to the OP, the story you really want to look at is stuxnet. A successful attack by the most powerful and ruthless state in the business on another state.

There have been suggestions - that may or may not be pure conspiracy theory - of NSA backdoors in Windows, dating back to last century. There have also been a few scares concerning hardware, particularly when proposals like "secure boot" threaten to lock down the hardware so the user can't install their own free choice of operating system.

didds
Lemon Half
Posts: 5346
Joined: November 4th, 2016, 12:04 pm
Has thanked: 3320 times
Been thanked: 1038 times

Re: How vulnerable is the internet?

#63866

Postby didds » June 30th, 2017, 10:30 am

It's also a reason why many crucial servers don't use Windows - e.g. Linux. Not that Linux servers don't have their own vulnerabilities - I spend much of my life patching vulnerabilities it seems! - but generally speaking they don't seem to get targeted for viruses. And neither does that mean they are totally "bullet-proof".

didds

UncleEbenezer
The full Lemon
Posts: 10887
Joined: November 4th, 2016, 8:17 pm
Has thanked: 1480 times
Been thanked: 3028 times

Re: How vulnerable is the internet?

#63867

Postby UncleEbenezer » June 30th, 2017, 10:31 am

FredBloggs wrote:Unfortunately, many of these malware attacks involve the user clicking on a mail attachment or giving permission to run an executable on their computer. While there are still people around who will click "OK" on just about anything presented in front of them, I see it being very difficult to prevent these kinds of outbreaks.

Actually it is possible to protect against that: run mail in a sandbox. Sadly that's extra faff.

The MIME standards - the underlying standards for email attachments - actually make it very easy to protect yourself and quarantine any potential danger. The original standard was published in 1992, when the world was waking up to the need to secure the 'net in the wake of the original Internet Worm in 1989. The 1992 standard (and 1993 revision) not merely describes what to do, but contains an informational section warning of the risks of failing to comply.

Just under five years later, Microsoft does its about-turn and decides to join the 'net. They need to play some pretty aggressive catchup. In doing so, they deliberately break the MIME standards. This was targeting the browser space and the battle with Netscape: a web application that relied on MIME standards would fail in MSIE, and to MS's vast numbers of users it would appear to be the website at fault. So web software was forced to accommodate MS standards (and many sites used them in pure ignorance), and now Netscape and other browsers looked broken. Bottom line, everyone had to follow MS to stay in the market. Not helped by Netscape's own cavalier attitude to (other) standards when it suited them.

This opened the door for the first generation of email "viruses", like Melissa and Lovebug. Indeed, the 1992/3 standard practically includes the recipe for writing those.

And though MS has very much reformed itself since then, the legacy lives on. We still can't easily secure our email as designed by looking at MIME types and quarantining anything risky. Instead, we have far more complex antivirus playing perpetual catchup.
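A sketch of the quarantine-by-declared-MIME-type idea described in the post above, added here as an illustration (not code from the thread or its participants). The allowlist, the extension map, the function names and the sample message are all assumptions constructed for the example.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Assumed policy: these declared types are delivered; everything else is held.
SAFE_TYPES = {"text/plain", "image/png", "image/jpeg", "application/pdf"}
# Assumed map of the extension each safe type is expected to carry.
EXT_TYPES = {".txt": "text/plain", ".png": "image/png", ".jpg": "image/jpeg",
             ".jpeg": "image/jpeg", ".pdf": "application/pdf"}


def triage(raw_bytes):
    """Return (filename, declared_type, verdict, reason) for each leaf part."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    results = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        declared = part.get_content_type()  # text/plain if header is absent
        name = part.get_filename()
        verdict, reason = "deliver", "declared type on allowlist"
        if declared not in SAFE_TYPES:
            verdict, reason = "quarantine", "declared type not on allowlist"
        elif name is not None:
            # A client that trusts the file name over the declared type would
            # treat this part differently from what the sender declared.
            ext = os.path.splitext(name)[1].lower()
            if EXT_TYPES.get(ext) != declared:
                verdict = "quarantine"
                reason = "extension %r disagrees with declared type" % ext
        results.append((name, declared, verdict, reason))
    return results


def build_sample():
    """Constructed test message: one body part and three attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(b"placeholder bytes", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"placeholder bytes", maintype="application",
                       subtype="x-msdownload", filename="update.exe")
    # Declared as harmless text, but the final extension says otherwise.
    msg.add_attachment("placeholder text", subtype="plain",
                       filename="notes.txt.vbs")
    return msg.as_bytes()


if __name__ == "__main__":
    for row in triage(build_sample()):
        print(row)
```

The second check is the one that matters for the history in the post: a part can pass a pure type allowlist and still be handled as something else by software that ignores the declared type.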

UncleEbenezer
The full Lemon
Posts: 10887
Joined: November 4th, 2016, 8:17 pm
Has thanked: 1480 times
Been thanked: 3028 times

Re: How vulnerable is the internet?

#63871

Postby UncleEbenezer » June 30th, 2017, 10:39 am

didds wrote:It's also a reason why many crucial servers don't use Windows - e.g. Linux.
didds

Up to a point.

It's not a primary reason to use Linux: if high security were the primary goal, you'd use OpenBSD. Linux has been converging a lot with windows (can you say systemd?) as Windows tightens up and some Linux distros target the ever-looser desktop. And selinux feels like a worst-of-both-worlds thing: Solaris or any of the BSDs seem preferable to me for a secure/locked down system (though I use Linux myself for its convenience).

Slarti
Lemon Quarter
Posts: 2941
Joined: November 4th, 2016, 3:46 pm
Has thanked: 640 times
Been thanked: 496 times

Re: How vulnerable is the internet?

#63883

Postby Slarti » June 30th, 2017, 11:08 am

Clitheroekid wrote:I understand nothing at all about how ransomware and other malware is designed to bypass security mechanisms, but the last two widely reported attempts seem to have been remarkably successful in technical terms if not financial ones.

It sounds particularly alarming to me as a layman that the very recent NotPetya attack appears to have succeeded against computers that had presumably updated the latest Windows patches.

So my basic question to those who understand such matters is whether a hostile government with effectively unlimited resources and able to hire the best technical skills in the world could design and launch a program that could cause widespread and permanent destruction of data - in effect to cripple entire sections of the internet.

On the face of it I would have thought that a more powerful and sophisticated version of the recent ransomware could be used but without any ransom element - destruction for the sake of destruction and for political / military reasons. Indeed, it seems that the NotPetya attack may have been just such an attack, as the ransom element apparently didn't work and may have been included just to disguise the motives of those who launched the attack.

And following on from my original question, as on the face of it such a program would attack the attacker just as much as the victims, would it be possible to target it solely at a particular country or countries?


To answer your last question first, as shown by NotPetya, no. At least 2 Russian organisations got hit and Russia is believed to be the source of this attack.

Widespread destruction of data is what it now appears was the aim of NotPetya as it seemed to be a disk wiper, not an encrypter. Permanent, not if you've got a sensible backup strategy in place.

Windows patches don't seem to have had much to do with the spread as, as I understand it, it was using Microsoft supplied network management tools to sniff out admin passwords that were stored on PCs and use those to then get further access to more PCs and servers and once it gets to servers, big problems.

The advice coming from the infosec people is "Network Segmentation, least privilege, credential hygiene and targeted monitoring" would have stopped this dead.

Network Segmentation, break big networks up into chunks
Least privilege, don't give users more rights than they need - I often see systems where everybody has local admin status and have even seen one FT500 company where it seemed as if everybody was a domain admin.
Credential hygiene, don't store domain admin details on workstations.
Targeted monitoring, now here I'm out of my depth, totally as the talk went into which items in system logs need to be regularly monitored and stopped being in English, as far as I was concerned.

Slarti

Slarti
Lemon Quarter
Posts: 2941
Joined: November 4th, 2016, 3:46 pm
Has thanked: 640 times
Been thanked: 496 times

Re: How vulnerable is the internet?

#63886

Postby Slarti » June 30th, 2017, 11:12 am

FredBloggs wrote:Am I right in thinking that by using gmail for all my mail, I am a little bit more secure? Certainly, compared to when I used an ISP's mail service with a PC based email client, I had an appalling amount of unsolicited mail. I simply do not get that on Gmail.


I think that the reputation of Gmail's spam filters is such that the spam flingers go for the easier targets. And some ISPs are easier than others.

Across 2 domains with 2 ISPs I see an average of 20 spam in the traps each day with bursts as high as 60 in a day.

Slarti

didds
Lemon Half
Posts: 5346
Joined: November 4th, 2016, 12:04 pm
Has thanked: 3320 times
Been thanked: 1038 times

Re: How vulnerable is the internet?

#63889

Postby didds » June 30th, 2017, 11:13 am

UncleEbenezer wrote:
didds wrote:It's also a reason why many crucial servers don't use Windows - e.g. Linux.
didds

Up to a point.

It's not a primary reason to use Linux: if high security were the primary goal, you'd use OpenBSD. Linux has been converging a lot with windows (can you say systemd?) as Windows tightens up and some Linux distros target the ever-looser desktop. And selinux feels like a worst-of-both-worlds thing: Solaris or any of the BSDs seem preferable to me for a secure/locked down system (though I use Linux myself for its convenience).




All very valid. Solaris seems to be dying a death though?

didds

didds
Lemon Half
Posts: 5346
Joined: November 4th, 2016, 12:04 pm
Has thanked: 3320 times
Been thanked: 1038 times

Re: How vulnerable is the internet?

#63892

Postby didds » June 30th, 2017, 11:15 am

FredBloggs wrote:Am I right in thinking that by using gmail for all my mail, I am a little bit more secure? Certainly, compared to when I used an ISP's mail service with a PC based email client, I had an appalling amount of unsolicited mail. I simply do not get that on Gmail.



My guess is that you are still getting it, but Gmail filters it out at the server level so you don't get to see it.

It also means that you don't get to see the email it thinks is spam/junk/dodgy but in fact isn't and you would want to see - so if you don't occasionally log onto the webmail for your Gmail account and check, it's probably worth doing occasionally just to make sure you aren't losing mail you may want to see.

didds

Slarti
Lemon Quarter
Posts: 2941
Joined: November 4th, 2016, 3:46 pm
Has thanked: 640 times
Been thanked: 496 times

Re: How vulnerable is the internet?

#63894

Postby Slarti » June 30th, 2017, 11:21 am

didds wrote:It also means that you don't get to see the email it thinks is spam/junk/dodgy but in fact isn't and you would want to see - so if you don't occasionally log onto the webmail for your Gmail account and check, it's probably worth doing occasionally just to make sure you aren't losing mail you may want to see.


You need to look at least every 30 days, otherwise Gmail throws away items older than that. And you can look from your phone.

Slarti

UncleEbenezer
The full Lemon
Posts: 10887
Joined: November 4th, 2016, 8:17 pm
Has thanked: 1480 times
Been thanked: 3028 times

Re: How vulnerable is the internet?

#63898

Postby UncleEbenezer » June 30th, 2017, 11:32 am

FredBloggs wrote:Am I right in thinking that by using gmail for all my mail, I am a little bit more secure? Certainly, compared to when I used an ISP's mail service with a PC based email client, I had an appalling amount of unsolicited mail. I simply do not get that on Gmail.

Whatever protection gmail may offer, that vanishes when you open an attachment.

A mail provider (gmail included) may offer some protection against problems like spam, malware, and phishing. But what they can do is limited: they're at best in a cat-and-mouse game (just as you can't fully automate those things politicians get exercised about, like child protection. Even the technically-vastly-simpler problem of copyright protection is, despite the vast resources the entertainment industries can throw at enforcement, still a cat&mouse game).

And there's another difficulty facing providers of protection services: attackers may use the courts or dumb politicians and civil servants against their efforts to protect us. Google has just suffered exactly such a setback, albeit from spammers rather than malware purveyors: https://www.theregister.co.uk/2017/06/2 ... ne_europe/ . And it's not just the likes of Google (who at least have resources to try to defend themselves): the true heroes of protecting us get hit too: see for example https://www.spamhaus.org/organization/s ... us-project

UncleEbenezer
The full Lemon
Posts: 10887
Joined: November 4th, 2016, 8:17 pm
Has thanked: 1480 times
Been thanked: 3028 times

Re: How vulnerable is the internet?

#63902

Postby UncleEbenezer » June 30th, 2017, 11:40 am

Slarti wrote:Russia is believed to be the source of this attack.

Believed by whom?

There is classic mud-slinging here. Speculation points to someone we want to demonise. Meanwhile more expert and dispassionate sources - such as F-Secure - say otherwise.

UncleEbenezer
The full Lemon
Posts: 10887
Joined: November 4th, 2016, 8:17 pm
Has thanked: 1480 times
Been thanked: 3028 times

Re: How vulnerable is the internet?

#63903

Postby UncleEbenezer » June 30th, 2017, 11:48 am

didds wrote:All very valid. Solaris seems to be dying a death though?

didds

I'm not quite sure. Haven't used it or paid much attention since Oracle took over Sun and they ceased to grease my palm with gold on a monthly basis. Seems entirely plausible, though: they didn't have the developer community of the BSDs, let alone Linux. And during my time there, Sun were supporting (other) opensource communities, to the extent of contributing a lot of their best features. You could probably say FreeBSD leads the pack in inheriting the best of Solaris.

didds
Lemon Half
Posts: 5346
Joined: November 4th, 2016, 12:04 pm
Has thanked: 3320 times
Been thanked: 1038 times

Re: How vulnerable is the internet?

#63908

Postby didds » June 30th, 2017, 11:54 am

A decade ago I administered loads of Solaris.

Now I admin maybe half a dozen very old systems, and they are all scheduled to be mothballed with their services migrated to virtual Linux (CentOS).


The Oracle ownership seemed to have seen the decline.

didds

Infrasonic
Lemon Quarter
Posts: 4527
Joined: November 4th, 2016, 2:25 pm
Has thanked: 651 times
Been thanked: 1281 times

Re: How vulnerable is the internet?

#63950

Postby Infrasonic » June 30th, 2017, 2:00 pm

Whatever protection gmail may offer, that vanishes when you open an attachment.


Surely the level of threat is dependent on whether you open an attachment 'locally' on your PC or view 'online' on their servers via a well sandboxed browser?

As the servers are part of multi billion dollar data centre investments run along Fort Knox lines, that are being attacked over a million times a day (according to a recent Microsoft public statement) then it would seem logical to assume they are way more secure than any individual or IT budget starved corporate/Govt. entity could possibly manage.

All the specialist security advice I've read over the years makes a pointed distinction between the two, although it is always going to be more/less secure never 100%. The next stage for browsers will be VM'ing them (MS' plan for Edge for Enterprise W10).
https://arstechnica.co.uk/information-t ... -you-safe/

I haven't opened attachments locally for years, always via webmail first and it's easier with Outlook.com (my main aggregator) because Office Online is integrated. Gmail/Drive can be set up to read/write MS office docs also, it's just not as slick. (I use it as a mirror).
The other advantage is that macros don't work 'online', so another potential infection route eliminated.

Local mail clients don't get used until I'm pretty certain of the veracity of the source (especially as spoofing is so easy so whitelisting won't always help). DMARC is used by the major webmail providers, but that is dependent on the senders all being on board. From what I've seen the majors (banks et al) will have 'essential' addresses using end to end email address verification and everything else is a free for all, presumably because of cost...

Obviously if you need desktop apps, macros and all the other security hole routes switched on (SMB1 NAS' anyone?...) then it becomes infinitely more difficult to prevent issues, but quarantining online first isn't difficult if you make a bit of effort.

Same for 'shared' documents, which have the added advantage that file history will be far better protected 'online' via their extensive RAID/ container/VM structure, than all being on local/external backup drives which will be completely locked if they get encrypted by ransomware.
It can't be too long before delayed malware payloads become the norm, that will potentially scupper most 'local' file backup plans unless you are going to go to NAS/RAID/VM's et al...

For the average home/SOHO user who doesn't need all the extensive networking it's relatively simple to protect yourself by staying patched and avoiding 'local' activity where possible. My recent shields up port scans resulted in 100% 'stealth' on both scans of my W10 box.
https://www.grc.com/shieldsup

If you look at Chrome OS and Windows 10 S, which are basically thin client approaches, the logic from a security standpoint is clear.
Worst case scenario with Chrome OS is you reinstall the OS, settings and everything else is backed up to their servers, ready to roll a short time later.
It's too restrictive for me (currently...) but I can see it being a big chunk of the education/consumer (and even SMB/SME ?) market in years to come for people/businesses who have zero interest in reading up on all the security issues around 'traditional' computing or paying for the specialists to do it for them. Chrome OS is big in the USA education market, pushing the mighty Apple out...

Interesting times.

Slarti
Lemon Quarter
Posts: 2941
Joined: November 4th, 2016, 3:46 pm
Has thanked: 640 times
Been thanked: 496 times

Re: How vulnerable is the internet?

#63992

Postby Slarti » June 30th, 2017, 3:54 pm

UncleEbenezer wrote:
Slarti wrote:Russia is believed to be the source of this attack.

Believed by whom?

There is classic mud-slinging here. Speculation points to someone we want to demonise. Meanwhile more expert and dispassionate sources - such as F-Secure - say otherwise.


By the infosec professionals I've been following.
Admittedly most are Americans, but even the Brits say they can't see it being anybody else with the skills and opportunities and wish to disrupt the Ukraine.

Anybody else who got hit was collateral damage.

Slarti

swill453
Lemon Half
Posts: 8013
Joined: November 4th, 2016, 6:11 pm
Has thanked: 999 times
Been thanked: 3666 times

Re: How vulnerable is the internet?

#64092

Postby swill453 » July 1st, 2017, 5:35 am

didds wrote:The Oracle ownership seemed to have seen the decline.

I was employed by Sun Microsystems during the takeover, you could definitely see the way that was going to go.

Now my son works (indirectly) for Oracle. But 90% of his job is Linux rather than Solaris.

Scott.

