MS is right to force push updates because of lazy IT admins / users?

Elixer

Lifer
May 7, 2002
10,376
762
126
It seems that a ton of systems have been compromised by using the SMB exploit that MS patched back in March. (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx)

Every single one of those computers hasn't seen an update of any type in months (years?).
Seriously, what kind of IT Admin allows that to happen?

Since there are so many people that don't install updates, this only seems to prove that MS is correct in wanting to force push updates no matter what.
Though, I wish they would split out the security updates from the other stuff.

And, about this specific malware,
There are three hard coded bitcoin addresses in the WanaCrypt0r ransomware. These bitcoin addresses are 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94, 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw, and 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn. Maybe I am missing something, but what I do not understand is if so many people are utilizing the same bitcoin address, how will the ransomware developers be able to differentiate the victims that have paid from those who have not?

For example, people have paid ransom to my assigned bitcoin address, yet the program still states I did not pay.
https://www.bleepingcomputer.com/news/security/wana-decryptor-wanacrypt0r-technical-nose-dive/

So, it seems even if you pay, you are screwed.
 

VirtualLarry

No Lifer
Aug 25, 2001
56,326
10,034
126
On the flip side of the coin, how do you feel about Microsoft REFUSING to allow updates, even when the admin wants to apply them?

(Speaking of Kaby Lake systems, running Windows 7.)
 

Elixer

Lifer
May 7, 2002
10,376
762
126
On the flip side of the coin, how do you feel about Microsoft REFUSING to allow updates, even when the admin wants to apply them?

(Speaking of Kaby Lake systems, running Windows 7.)
I wouldn't have done that, but I do see where they are coming from.
They should just throw up a big disclaimer asking people if they understand, then proceed at their own risk.
 

Gryz

Golden Member
Aug 28, 2010
1,551
203
106
Pushing updates? My machine, I get to decide what I want to happen.

The problem is that companies like Microsoft do not give their users clear choices. Microsoft is not alone. Lots of companies that sell to individual consumers do that now. You have no control over your PC, your Mac, your TV, your phone, your tablet.

What I want is a clear distinction between updates.
1) security bug-fixes
2) OS bug-fixes
3) application bug-fixes
4) OS enhancements
5) application enhancements
6) stuff the vendors want you to use
7) spyware, advertising tools, statistical data gatherers, personal information gathering, and more of that shit.

I don't think asking for a clear distinction is out of line. My machine, I get to decide. I heard TVs now do commercials by themselves. I heard people bought a particular TV especially because it was reported it didn't do its own commercials. Six months later, the TV updates its software. And suddenly it does do commercials in its menus, its apps, etc.

I turn off all automatic updates. I depend on my router blocking stuff. I depend on plugins in my browser (NoScript, AdBlocker, Ghostery) to keep me relatively safe. I'm not running a virus-scanner. I install the minimum of software on my windows-PC. I won't upgrade to Win10 until I really really have to. I'm using Linux for work. Etc, etc.

One reason that I don't do automatic upgrades is that it often breaks stuff that should be unrelated. I don't have time for that shit. I install patches when I run into a bug that bothers me. I install security-patches when I hear about potential problems. (I installed the SMB fix yesterday. Also because this time they supplied an explicit security fix without other stuff).

Being an admin in a (large) company is another thing. You're being paid to do that stuff. But even then, their jobs would be a lot easier if vendors would make clear distinctions between security fixes and other fixes.
 

pmv

Lifer
May 30, 2008
13,036
7,963
136
Came in this forum to see if there was a discussion on this attack. It seems a pretty major one, with some hospitals almost grinding to a halt.

It doesn't seem as if there's enough information yet to blame 'lazy admins'. But I gather a lot of the systems affected were still running XP, which seems absurd to me. It's said that many systems have to run software that won't work on later Windows versions, but I don't see how that's an excuse - OK, keep those computers on XP but update all the others, and isolate the XP boxes as much as possible. Certainly don't store any critical information on them. But (pardon my ignorance) do MS not still offer bespoke XP security support for large organisations willing to specifically pay for it? Or has even that come to an end now? Did some of these affected have such an extended support contract and still fail to install updates, or is it that the updates didn't exist for XP?

Anyway, on the whole I think this does tend to vindicate MS's aggressive pushing of updates for Win 10 (even if it still exasperates me when my PC reboots to update when I'm in the middle of doing something, or comes out of hibernate to do so and then doesn't rehibernate, meaning it stays on unnecessarily for days afterwards).
 

pmv

Lifer
May 30, 2008
13,036
7,963
136
Pushing updates? My machine, I get to decide what I want to happen.

The problem is that companies like Microsoft do not give their users clear choices. Microsoft is not alone. Lots of companies that sell to individual consumers do that now. You have no control over your PC, your Mac, your TV, your phone, your tablet.

What I want is a clear distinction between updates.
1) security bug-fixes
2) OS bug-fixes
3) application bug-fixes
4) OS enhancements
5) application enhancements
6) stuff the vendors want you to use
7) spyware, advertising tools, statistical data gatherers, personal information gathering, and more of that shit.

I don't think asking for a clear distinction is out of line. My machine, I get to decide. I heard TVs now do commercials by themselves. I heard people bought a particular TV especially because it was reported it didn't do its own commercials. Six months later, the TV updates its software. And suddenly it does do commercials in its menus, its apps, etc.

I turn off all automatic updates. I depend on my router blocking stuff. I depend on plugins in my browser (NoScript, AdBlocker, Ghostery) to keep me relatively safe. I'm not running a virus-scanner. I install the minimum of software on my windows-PC. I won't upgrade to Win10 until I really really have to. I'm using Linux for work. Etc, etc.

One reason that I don't do automatic upgrades is that it often breaks stuff that should be unrelated. I don't have time for that shit. I install patches when I run into a bug that bothers me. I install security-patches when I hear about potential problems. (I installed the SMB fix yesterday. Also because this time they supplied an explicit security fix without other stuff).

Being an admin in a (large) company is another thing. You're being paid to do that stuff. But even then, their jobs would be a lot easier if vendors would make clear distinctions between security fixes and other fixes.


I agree that that would be good, but I doubt it will happen, as the commercial pressures are always going to cause a slippage to pushing things in category 7. I still remember my PC being rebooted unexpectedly to install an important update. The incredibly important update being the change of the symbol for Latvian currency [something I've never had to type, or even seen] to the Euro!
 

Elixer

Lifer
May 7, 2002
10,376
762
126
It doesn't seem as if there's enough information yet to blame 'lazy admins'. But I gather a lot of the systems affected were still running XP, which seems absurd to me. It's said that many systems have to run software that won't work on later Windows versions, but I don't see how that's an excuse - OK, keep those computers on XP but update all the others, and isolate the XP boxes as much as possible. Certainly don't store any critical information on them. But (pardon my ignorance) do MS not still offer bespoke XP security support for large organisations willing to specifically pay for it? Or has even that come to an end now? Did some of these affected have such an extended support contract and still fail to install updates, or is it that the updates didn't exist for XP?
In the UK hospital case, they were using XP, with an extended contract for security, BUT, they canceled it in 2015 to save $$$. From what I have read, the admins did nothing to block SMB ports once the security bulletin went out, which is mandatory reading if you are an IT admin.
In Russia, the case of pirated Windows users not patching (can't patch?), along with IT admins not blocking SMB ports either, seems to be the case.
FedEx apparently still has XP machines in use; IT admins did not block SMB ports either.
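The "block SMB ports" mitigation mentioned above, as an added example that is not from the thread: an audit-and-remediate script for a single Windows host. It assumes Windows 8.1/10 or Server 2012+ (the SmbShare and NetSecurity modules) and an elevated session; the rule name is a made-up label.

```powershell
# Added example (not from the thread): check and harden one Windows host against
# the SMB spreading path used by this worm. MS17-010 patches the SMBv1 server;
# turning SMBv1 off and blocking inbound SMB removes the exposure even on hosts
# that lag behind on patches. Run elevated.

# 1. Is SMBv1 still enabled on this host?
$smb = Get-SmbServerConfiguration
"SMB1 enabled: $($smb.EnableSMB1Protocol)"

# 2. Is there already an inbound block for the SMB ports? (rule name is ours)
$ruleName = 'Block inbound SMB (445/139)'
$existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
"Inbound SMB block rule present: $([bool]$existing)"

# 3. Remediate. Workstations almost never need to accept SMB from other hosts.
#    On a real file server, replace -RemoteAddress Any with the subnets that
#    must reach it, or you will break file sharing for everyone.
if ($smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    "SMB1 disabled"
}
if (-not $existing) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Protocol TCP -LocalPort 445,139 `
        -RemoteAddress Any -Action Block -Profile Any | Out-Null
    "Inbound SMB block rule created"
}

# Windows 7 lacks both cmdlets; the equivalent firewall rule there is:
#   netsh advfirewall firewall add rule name="Block inbound SMB 445" dir=in action=block protocol=TCP localport=445
```

Disabling SMBv1 and blocking 445/139 are complementary to installing MS17-010, not a substitute for it; patched hosts still need the update to close the bug itself.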
 

John Connor

Lifer
Nov 30, 2012
22,840
617
121
The vector is an E-mail attachment, where 98% of this ransomware crap comes from. If E-mail attachments can somehow be hashed for verification it would eliminate a lot of this hacking/malware/ransomware crap.
 

Elixer

Lifer
May 7, 2002
10,376
762
126
The vector is an E-mail attachment, where 98% of this ransomware crap comes from. If E-mail attachments can somehow be hashed for verification it would eliminate a lot of this hacking/malware/ransomware crap.
Well, this particular worm spreads via SMB.
I also don't understand why any admin would allow any attachments these days that haven't been checked.
 

John Connor

Lifer
Nov 30, 2012
22,840
617
121
I've read in Wikipedia and saw on the news it's from an E-mail attachment. Once infected it spreads through SMB.
 

Jaskalas

Lifer
Jun 23, 2004
33,425
7,485
136
The vector is an E-mail attachment, where 98% of this ransomware crap comes from. If E-mail attachments can somehow be hashed for verification it would eliminate a lot of this hacking/malware/ransomware crap.

Sounds like a feature of an email app / service: to actually scan all attachments before allowing them to pass through.
 

pmv

Lifer
May 30, 2008
13,036
7,963
136
In the UK hospital case, they were using XP, with an extended contract for security, BUT, they canceled it in 2015 to save $$$. From what I have read, the admins did nothing to block SMB ports once the security bulletin went out, which is mandatory reading if you are an IT admin.
In Russia, the case of pirated Windows users not patching (can't patch?), along with IT admins not blocking SMB ports either, seems to be the case.
FedEx apparently still has XP machines in use; IT admins did not block SMB ports either.

Sheesh, if that's correct, about the extended contract being cancelled by the client, whoever took that decision has some serious explaining to do (or maybe just needs to lose their job). Sounds like a major error by the system managers as well.

Amazing how widespread this attack has been (e.g. German railways). Must be sloppy admins everywhere. It was reported that only the banking sector completely avoided it, so a rare case of the banks getting something right.
 

Red Squirrel

No Lifer
May 24, 2003
67,335
12,099
126
www.anyf.ca
I'm against my computer/software turning against me in any way shape or form, I want full control. So no I don't think updates should be forced, it should be up to the users/admins. If they choose never to do it then it's on them.

At my work we get the windows 10 update experience in windows 7 because the department in charge of updates chooses to force updates at random and you have 20 minutes before you are force rebooted. PISSES me right off. At least let me finish my shift FFS.
 

VeryCharBroiled

Senior member
Oct 6, 2008
387
25
101
I'm in medical. We use some custom software, and our IT dept HATES updates, especially on the servers and some stand alone devices (CT scanner, spirometer, audio test equipment). In the past some updates have broken those devices. It's rare, only happened once as I recall, but the risk is there.

They need time they claim not to have to validate and test patches. Good old management vetoes the time needed most of the time.
So... patches are way behind (except desktops, they do get most updates).

Of course we do have excellent backup plans (local and off site), so there is that.
 

Elixer

Lifer
May 7, 2002
10,376
762
126
I'm in medical. We use some custom software, and our IT dept HATES updates, especially on the servers and some stand alone devices (CT scanner, spirometer, audio test equipment). In the past some updates have broken those devices. It's rare, only happened once as I recall, but the risk is there.

They need time they claim not to have to validate and test patches. Good old management vetoes the time needed most of the time.
So... patches are way behind (except desktops, they do get most updates).

Of course we do have excellent backup plans (local and off site), so there is that.
What I can't understand about medical devices is, why there isn't a physical switch that would be used in the event the medical device needs a patch/upgrade? All the other times, it is a read only system.
Seems some medical devices in the UK got infected because there were no safeguards.
 
Nov 20, 2009
10,046
2,573
136
I would imagine that medical devices were not seen as something reachable by the outside world. Poor device design and the overwhelming belief in only good things happen is what allows bad things to get inside. The positive attitude in my own workplace (employer with >250000 employees) has this problem and can't see any negative until after it has happened and then the negative experience seems to dissipate rapidly (handful of days) and repeat, repeat and repeat again.

I think this is because it comes down to those making big decisions being technically inept, and thus the blind lead the uncaring. I used to chastise when someone in the company blindly opened an email attachment when the email itself could not be attributed to any aspect of the job/company, but because the company allows it to happen then a wave of not caring sets in. People now just look at it as a pseudo-vacation as they wait for IT to re-image said computer without actually being responsible for doing any work.