44net

44net@mailman.ampr.org

3 participants
3172 discussions

Re: [44net] the current worldwide Windows ransomware situation

by Gabriel Medinas

Grettings to the group, this Rasomware theme is an evolving project, some employe just opened an infected email and it was an attack vector on the internal platform that runs around the LAN via the port 445 SMB protocol using a security hole that already Microsoft solved two months ago. Precisely the attackers know that many companies do not update the OS of their internal pc for issues of licensing and budget that make them vulnerable, also do not pay much attention to the safety of their equipment, here was shown how fragile it is the windows platform for these attacks and is the bulk of the equipment that these large companies have, such as the case of Telefonica in Spain, FEDEX, hospital networks in England, etc. These themes are every day in BBVA Corporation in my IT Security (Cybersecurity) Venezuela work, see this problem in a important evolution but it is more to come because they will continue looking for new possibilities to be able to collect the money with the Bitcoins. On the question of the domains, those that are in the common Internet those are not relevant, only the important are the .onion underground that they use to recolet the extortion money from people-companies through these crypto tools attacks. As Brian says, linux and mac are safe for now... 73 de Gabriel YV5KXE Venezuela AMPR-Coordinator Message: 2 Date: Sat, 13 May 2017 04:51:33 +0000 From: R P <ronenp(a)hotmail.com> To: AMPRNet working group <44net(a)hamradio.ucsd.edu> Subject: Re: [44net] the current worldwide Windows ransomware situation Message-ID: <BY2PR14MB04246C791B6C331478C3B033C7E30@BY2PR14MB0424. namprd14.prod.outlook.com> Content-Type: text/plain; charset="iso-8859-1" IM not sure that this is the right group but as i wrote before here we have top experts in it field so Ill try I read the explain on the virus in the sites ... The domain is well known .. someone pay for it is it so problem to catch the person who paid for this domain ??? what about shutting out this domain and by that stop the spread of the software ?

7 years, 8 months

Re: [44net] the current worldwide Windows ransomware situation

by Rob Janssen

> Yes, I can see your example. Fortunately, one thing I have seen so far > is routers being supplied with all inbound connections stopped. > Furthermore, mine doesn't allow you to totally disable the firewall, > only for specific hosts (which I have done for some key Linux systems), > or for specific ports on specific hosts (which I did on Windows for > testing - I never leave Windows exposed to the net). Now with a router > like mine, your scenario wouldn't work, because the temporary IP > addresses would never be allowed to pass. > So, there are ways to build it into the router design to make it harder > for people to shoot themselves in the foot. :) Yes, I think there has been some ISP/Manufacturer working group to get this cleared up and defined. My ISP waited with IPv6 rollout until this was resolved, and the router they deliver does exactly what you describe above. When IPv6 was designed, the idea was still that every host should be able to communicate with every other host. That has proven to be a bad idea on an open network, so IPv6 had to be crippled to make it viable. But that at the same time removes one of the major incentives to roll it out, as NAT can be used as an alternative solution in most situations. Many places have still not started IPv6 rollout... Rob

7 years, 8 months

the current worldwide Windows ransomware situation

by Brian Kantor

If you're interested in reading more about the current Windows worm/ransomware, these two sites have brief articles explaining what's up. http://blog.talosintelligence.com/2017/05/wannacry.html https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-wid… Note that they recommend blocking ports 139 and 445 to help prevent the spread of the worm infection. Amprgw has been blocking those ports for quite some time, but that doesn't prevent the infection from spreading within a group of computers or an organization. It is strongly suggested that people running Windows should be sure that all issued patches have been applied. As usual, systems running non-Windows OS's (Linux, etc) are immune to this attack. - Brian

7 years, 8 months

Where is the statistics page ?

by R P

I could find only the Erros s (firewall drops ) page but not the statistics

7 years, 8 months

router stats

by Brian Kantor

I know that very few of you are looking at the amprgw router statistics, but for those who do care: the current statistics (packet/byte counts) accumulate since router boot time. Would it be more helpful/meaningful if the totals reset at midnight so that they reflect daily trends? Also, some of the numbers are getting large enough that they're not intuitively meaningful. There's no convenient way to insert thousands separators. Would 'scientific notation' (eg, 1.56e9) be helpful? (This is the 'g' format specifier in 'C'.) Or alternatively, notation such as 1.5k, 2.4M, 8.1G, or 1.2T could possibly be generated. - Brian

7 years, 8 months

Re: [44net] the current worldwide Windows ransomware situation

by Rob Janssen

> Patches are often applied late because it's not rare to experience serious disruption. > Anyway the software being patched is poorly made in the first place. > The problems caused by patches are actually another sign of very poor software design. And not the least: after 25 years of development on Windows the patching mechanism still is in a sad state, requiring unreasonable time and resources to find and install required patches. It is very clear that quality isn't a priority for Microsoft *at all*. They only care about making money, what happens to their customers and how much time they waste on using and maintaining their products does not matter to them as long as they keep buying. Rob

7 years, 8 months

Re: [44net] Critical vulnerability in Intel Active Management Technology (CVE2017-5689)]

by Rob Janssen

> To help prevent this from affecting AMPRNet systems, I am now blocking > inbound port 16992 at the amprgw gateway. I hope this won't cause you > any difficulties. Thanks for the hint. It is surprisingly difficult to get technical information from the Intel documents. Do you block TCP only or also UDP? And what about ports 16993 and 16994? (and maybe even 623 and 664?) The nice thing about such new vulnerabilities is that they allow you to identify the aforementioned scanners and put them on the permanent blacklist. Aside from shodan.io (that were already on the blocklist) I also see 52.174.52.33 census01.project-magellan.com Yet another annoying "research" project... You could try to get 44.0.0.0/8 opted out via research(a)project-magellan.com Rob

7 years, 8 months

RIP44 send speed

by Brian Kantor

In the past there have been complaints of some RIP44 packets not reaching their destination, enough so that routes sometimes vanish from the RIP44 table on the receiver. Although there is currently little I can do about packet loss on the network, I have slowed down the rip sender by 100 microseconds per sent packet to avoid saturating buffers on busy networking equipment and thereby avoid causing possible congestion loss. This means that it now takes a little over a second to send the complete set of (currently) 26 RIP44 packets to each of (currently) 435 gateways. I don't know if this was the cause nor whether this will help, but it's a cheap fix and it may help. Slightly slower packet delivery shouldn't negatively affect anyone. RIP44 transmissions are still sent every five minutes. - Brian

7 years, 8 months

Critical vulnerability in Intel Active Management Technology (CVE2017-5689)]

by Brian Kantor

On May 1st, Intel released a security advisory regarding their Active Management Technology. It's a nasty one, but luckily it doesn't seem to affect home (non-datacenter) PC firmware. > https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&lang… Intel has released a mitigation guide: > https://downloadcenter.intel.com/download/26754 Security researchers have since been able to uncover more details and release proof-of-concept exploit code. There is now a free nmap .nse plugin available to scan for this vulnerability: > https://nmap.org/nsedoc/scripts/http-vuln-cve2017-5689.html To help prevent this from affecting AMPRNet systems, I am now blocking inbound port 16992 at the amprgw gateway. I hope this won't cause you any difficulties. - Brian

7 years, 8 months

Re: [44net] unreachable gateways

by Rob Janssen

> I've been curious how many of the 435 registered gateways were reachable, > so I collected ICMP unreachable messages during a recent RIP transmission > (which of course sends to every gateway) and got the following: > 33 gateways aren't reachable or are rejecting inbound IPIP packets I think it would be a good idea to somehow keep track of this information and remove or at least mark inactive those gateways for which this condition persists for some amount of time. Especially when protocol 4 is rejected. Host unreachable could be because the internet is down or the power is out, but an explicit protocol 4 rejected indicates nonexistent configuration, that could temporarily exist because e.g. new system has just been installed that has not been configured yet, but should not persist for longer than say 2 weeks. The operator can alwayes re-enable or re-add the gateway when he has found the opportunity to re-install it. Rob

7 years, 8 months

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

44net