On 13 May 2017, at 03:23, Brian Kantor Brian@UCSD.Edu wrote:
> Note that they recommend blocking ports 139 and 445 to help prevent the spread of the worm infection. Amprgw has been blocking those ports for quite some time, but that doesn't prevent the infection from spreading within a group of computers or an organization. It is strongly suggested that people running Windows should be sure that all issued patches have been applied.
Blocking 139 and 445 would prevent direct propagation between nodes that have a direct connection and are not using NAT.
Almost all of the affected networks are behind NAT. It takes just one user to open an attachment, visit a web page linked from a spam message or, say, plug in a hostile memory stick to have one compromised computer attacking the internal network.
Local area networks are usually flat. Most network hardware doesn't have the capability to apply usable port filters, and even when it does, that is hard to manage.
And even if preventing peer-to-peer local traffic would have helped, guess what the affected organizations are running on their servers? Yes, the same OS.
This is actually pretty similar to the worm incidents of the early 2000s. At some point it took about five minutes for a freshly connected computer to get infected. This time, though, the crazy spread has happened within local networks.
There are several already known lessons. Unfortunately the measures are really complicated to deploy.
And the elephant in the room is: is it still reasonable for a software maker whose products are ubiquitous thanks to illegal monopoly actions to avert responsibility?
Patches are often applied late because it's not rare for them to cause serious disruption. In any case, the software being patched is poorly made in the first place. The problems caused by patches are actually another sign of very poor software design.
To make it worse, monoculture has always been a really bad idea. Diversity helps.
And of course I don't know what the idiots of the US government agencies have in mind. One of the three letter agencies has reportedly been hoarding serious security bugs with the hope of exploiting them. Maybe this has been useful to them, but they are severely hurting users in their own country and allied countries. Moreover, how do I know that Microsoft or Apple haven't been helping the US government in some way?
I am very wary of Chinese software (if only because it's really atrocious!) but the doomsday scenarios I imagined coming from products controlled by the Chinese government are actually coming from US companies.
Borja - EA2EKH
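An added example, not part of either message in the thread: the reply points out that filtering 139/445 at the gateway (as Amprgw does) stops nothing once a single host inside a flat NATed LAN is compromised, and that the switches usually cannot filter ports. The one place left to enforce the filter is the Windows hosts themselves, so the script below does it with the built-in Windows Firewall cmdlets. It assumes (my assumption, not from the thread) that two file servers at 192.0.2.10 and 192.0.2.11 still legitimately need SMB from workstations and that no other peer does; adjust the list to your network. PowerShell is used because the hosts in question run Windows.

```powershell
# Added example, not from the thread: SMB (TCP 139/445) containment on a flat
# Windows LAN where the gateway already filters those ports but peers still
# reach each other directly. Run from an elevated PowerShell on each host.
# Assumptions (not from the thread): the only hosts that still need SMB access
# to this machine are the two file servers listed below.

$SmbPorts    = @('139', '445')
$FileServers = @('192.0.2.10', '192.0.2.11')   # assumed addresses
$RuleName    = 'SMB-In allow file servers only'

# 1. In Windows Firewall a Block rule always wins over an Allow rule, so the
#    clean pattern is: inbound default Block, no broad Allow for SMB, and one
#    narrowly scoped Allow. Make sure the firewall is on and the default holds.
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block

# 2. Find every enabled inbound Allow rule that explicitly opens 139 or 445
#    (the built-in "File and Printer Sharing" rules plus anything an installer
#    added) and disable it. Our own scoped rule is skipped so the script can be
#    re-run. Rules that allow "Any" TCP port are not touched here; review them
#    by hand, since disabling them blindly can break other services.
$smbAllowRules = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { @(@($_.LocalPort) | Where-Object { $SmbPorts -contains $_ }).Count -gt 0 } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and
                   $_.Action -eq 'Allow' -and $_.DisplayName -ne $RuleName }
if ($smbAllowRules) { $smbAllowRules | Disable-NetFirewallRule }
"Disabled {0} broad inbound SMB allow rule(s)" -f @($smbAllowRules).Count

# 3. Re-create the single scoped Allow: SMB inbound only from the file servers.
#    Every other peer on the LAN now falls through to the default Block.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
    -LocalPort $SmbPorts -RemoteAddress $FileServers -Action Allow -Profile Any |
    Out-Null

# 4. Evidence: which peers are talking to this host's SMB ports right now?
#    After the rules are in place anything listed here besides the file
#    servers is a connection worth investigating.
Get-NetTCPConnection -LocalPort 139, 445 -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -notin $FileServers } |
    Select-Object LocalPort, RemoteAddress, RemotePort, OwningProcess |
    Format-Table -AutoSize

# 5. The other point in the thread: are the issued patches actually installed?
#    Show the most recent updates so their dates can be checked against the
#    advisory the organisation is working from.
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn
```

To confirm the effect from another workstation, `Test-NetConnection -ComputerName <host> -Port 445` should now report `TcpTestSucceeded : False`, while the same test from one of the listed file servers still succeeds. The step order matters: scoping the Allow first while a broad built-in Allow is still enabled changes nothing, which is exactly the kind of "it's filtered but the worm still spread" surprise the reply describes.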