Viewing 40 posts - 161 through 200 (of 288 total)
  • NHS in large scale IT shutdown
  • ratherbeintobago
    Full Member

    We moved to Win7 VMs 18/12 ago, which works fine except for the fact that I suspect some of our network is base 10 Ethernet.

    However, there are a heck of a lot of old PCs about and the one on my desk has a ‘Made for Windows XP’ sticker on it (even if it’s running a Win 7 VM)

    The problem is that money is tight and it’s really hard to justify replacing IT infrastructure that (sort of) works at the expense of clinical staff/equipment.

    Russell96
    Full Member

    Right security appliance installed, AMP and Snort running, Windows now running again, just hope I don’t get drowned in too many alerts now.

    orangespyderman
    Full Member

    Anyway. I’ve just had a phone call, so now I’m going to have to drive to work. Not an infection but helping to keep it that way. Wish me luck.

    I’ve been at work for a long time already with an aim of reducing the attack exposure. Have fun!

    aracer
    Free Member

    Hang on – W7 wasn’t released until 2009

    aracer
    Free Member

    Aargh – yes they are broken if they’re running XP! Are they actually airgapped as Cougar suggests (which has to include a very robust policy regarding the connection of USB devices)?

    Though I’m kind of surprised that W7 won’t work – the real requirements are very little different to XP (I’ve run W7 on some very old hardware and extremely resource limited VMs – though it does help a lot if you tune it to get rid of a lot of rubbish).

    bails
    Full Member

    aracer
    MSP » XP was superseded 11 years ago
    Hang on – W7 wasn’t released until 2009

    Vista?

    aracer
    Free Member

    Yeah, but he said “superseded”

    nemesis
    Free Member

    There’s loads of xp apps that won’t work on 7

    Same for 2003 and 2008

    Big corporate here. No un-airgapped XP left for us, though I suspect there are a few boxes hidden in cupboards just in case, and it only takes one person…

    slowoldman
    Full Member

    We are currently rolling out a new patch on W7. Just to be sure to be sure.

    aracer
    Free Member

    Not even using compatibility mode? I have a few which need that, but can’t recall ever coming across one which didn’t work with it.

    I have a bit of experience of this, having done transition from XP to W7 in a school – the XP installation was supporting lots of really old software, including some from last century. Was fully expecting to tell the teachers they needed to move on to newer software, but in the event there wasn’t anything we couldn’t make work.

    fifeandy
    Free Member

    @aracer, opposite experience for me. Never found a single application where compatibility mode helped. We’ve still got a couple of xp machines kicking around our place running specific bits of software, but they aren’t allowed a network connection.

    mickyfinn
    Free Member

    @fifeandy & @aracer compatibility mode helps in ‘some’ simple cases; when that fails, I’ve never had any issues when I’ve made a proper compatibility shim using the app compatibility toolkit (or on occasion AppV to really fool an app into working on a later OS). Yes, it’s lots more work to do it that way, but it works.

    D0NK
    Full Member

    Though I’m kind of surprised that W7 won’t work – the real requirements are very little different to XP

    We’ve got some expensive bits of kit at work; apparently vendor support can sometimes be limited if you run something they don’t authorise (NB I’m not directly involved, but that’s what I’ve heard), so I guess stuff would probably work just fine, but they don’t want the hassle of supporting multiple OSes or “non-standard” kit.

    Also have kit with ISA controller cards, def a few W2K boxes knocking around, think there might be some earlier as well (none are networked).

    aracer
    Free Member

    Ah, we have the answer to one little mystery

    http://www.bbc.co.uk/news/technology-39907049

    Cougar
    Full Member

    Not even using compatibility mode? I have a few which need that, but can’t recall ever coming across one which didn’t work with it.

    Anything that needs hardware drivers could be problematic.

    Cougar
    Full Member

    Ah, we have the answer to one little mystery

    I knew about that from Twitter – described by another security blogger as “stopping a speeding train.” Saying it was an accident is a bit harsh, from what I could tell he knew exactly what he was doing.

    mrjmt
    Free Member

    So, I’m struggling to understand quite how it’s had such a big impact?

    If it spreads via an SMB vulnerability, does this mean that each of these organisations has a WAN-facing SMB port open on a machine that hasn’t been patched? Then once inside it hunts out other SMB ports on the LAN and spreads itself?
    If this is the case, in the NHS for example is it just infecting servers or also desktop machines? If so, why do the desktop machines have the SMB port open anyway? Is it open by default?

    E.g. at home I’ve got a little W7 PC that I use as an SMB server. It is behind a NAT and the port isn’t forwarded to the WAN. Let’s say it’s not patched (not sure if it is or not). So other than me clicking on a link in a spam email or visiting a malicious site, infecting one of the other computers on my LAN and it then spreading to my W7 SMB server, it can’t get in, right?

    So how has it spread so far?!?

    jeffl
    Full Member

    I’m not sure anyone can say at the moment how the original package got onto the NHS Network (N3). Could well have been a phishing email if you believe the media.

    I think the problem may be compounded by the slightly misguided belief that N3 is nice and secure so you can trust anything on it. Not saying that applies to all NHS organisations but the impression I have personally is that some NHS organisations have their internet connectivity locked down far more than their N3 connectivity.

    mrjmt
    Free Member

    But once into the NHS network then, let’s say via an email link, is it just infecting servers or do they have desktops with SMB services running? Can’t understand why they would?

    orangespyderman
    Full Member

    http://blog.talosintelligence.com/2017/05/wannacry.html

    That’s a good writeup of the issue.

    bails
    Full Member

    At least this problem wasn’t self-inflicted. Unlike the one a few months ago when an IT contractor emailed every nhs.net email address (about a million iirc), and then people started clicking Reply All to say “I don’t think this is meant for me”.

    codybrennan
    Free Member

    mrjmt – Member
    So, I’m struggling to understand quite how its had such a big impact?

    If it spreads via a SMB vulnerability, does this mean that each of these organisations have a WAN facing SMB port open on a machine that hasn’t been patched?

    No, it’s introduced via the usual: emails, downloaded attachments.

    Then once inside it hunts out other SMB ports on the LAN and spreads itself?

    AIUI, it uses any mapped SMB resources to explore, log, and then spread under that user’s credentials – easy with SSO setups.

    If this is the case, in the NHS for example is it just infecting servers or also desktop machines?

    It’s agnostic re desktops or servers; it just wants to find as many files as it can and encrypt/infect.

    If so why do the desktop machines have the SMB port open anyway? Is it open by default?

    They need SMB ports open to access mapped resources, but internally only.

    project
    Free Member

    Just think if a major bike forum and a few internet cycle retailers went down, there would be massive cycle anger in the UK, and a huge increase in production in most UK and worldwide offices of cyclists.

    mrjmt
    Free Member

    They need SMB ports open to access mapped resources, but internally only.

    Ah, that’s the bit I misunderstood; makes sense now I think about it. I’d assumed that it was only computers that hosted SMB shares that were vulnerable, but the ports sit open (and are vulnerable to the exploit) even if you only access shares on other machines and don’t actually host any.

    nemesis
    Free Member

    Aracer, it’s pretty much been answered but in short, compatibility mode is sod all help ime. Big environment 1000s of users, multiple businesses and loads of bespoke or niche software that wouldn’t run on w7

    Cougar
    Full Member

    If it spreads via a SMB vulnerability, does this mean that each of these organisations have a WAN facing SMB port open on a machine that hasn’t been patched? Then once inside it hunts out other SMB ports on the LAN and spreads itself?

    No, it’s introduced via the usual: emails, downloaded attachments.

    There’s nothing to indicate email was involved at all.

    So yes, it could be that organisations have SMB exposed to the public Internet. It only takes one machine to be patient zero. It could also have been brought in with a device; a user picks up an infection at home, brings their laptop into work where it automatically logs in to the Wi-Fi and boom, we’re away.
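    The two exposure patterns discussed in the last few posts (an SMB listener reachable from the public Internet, and one internal host fanning out to many peers on the SMB port once it is inside) are both visible in ordinary firewall or flow logs. The script below is an added example, not code from this thread or from any tool mentioned in it: it runs simple detection logic over a constructed, syslog-style log (timestamp, source, destination, destination port, firewall action), treats TCP/445 as SMB, and flags both patterns. The log lines, the "internal ranges" list, and the fan-out threshold and window are assumptions; a real deployment would use the organisation's own address plan and tune the threshold against normal file-server traffic.

```python
"""
Defender-side detection over firewall/flow logs for two SMB exposure patterns:
  1. WAN-facing SMB: a source outside the organisation's own ranges reached
     TCP/445 and the firewall allowed it.
  2. Lateral fan-out: an internal host opened TCP/445 to many distinct peers
     within a short window, which is what worm-style spread looks like in logs
     (a normal workstation talks to one or two file servers).
All input below is constructed for the example; nothing is captured from a real network.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445

# Assumption: these are "our" ranges; anything else is treated as external.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Constructed sample log. Format: <ISO timestamp> <src ip> <dst ip> <dst port> <ALLOW|DENY>
# Line 1: external address allowed to 445 (WAN-facing SMB). Line 2: external but denied (fine).
# Lines 3-7: 10.0.1.50 hits five peers on 445 in three seconds (fan-out).
# Remaining lines: one workstation mapping two file servers minutes apart, and an HTTP flow.
SAMPLE_LOG = """\
2017-05-12T10:00:01 203.0.113.45 10.0.1.20 445 ALLOW
2017-05-12T10:00:02 198.51.100.7 10.0.1.20 445 DENY
2017-05-12T10:00:05 10.0.1.50 10.0.1.21 445 ALLOW
2017-05-12T10:00:06 10.0.1.50 10.0.1.22 445 ALLOW
2017-05-12T10:00:06 10.0.1.50 10.0.1.23 445 ALLOW
2017-05-12T10:00:07 10.0.1.50 10.0.1.24 445 ALLOW
2017-05-12T10:00:08 10.0.1.50 10.0.1.25 445 ALLOW
2017-05-12T10:00:30 10.0.1.60 10.0.1.10 445 ALLOW
2017-05-12T10:00:40 10.0.1.70 10.0.1.10 80 ALLOW
2017-05-12T10:05:00 10.0.1.60 10.0.1.11 445 ALLOW
"""


def parse_log(text):
    """Parse log lines into event dicts; silently skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, action = parts
        try:
            events.append({
                "ts": datetime.fromisoformat(ts),
                "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst),
                "dport": int(dport),
                "action": action.upper(),
            })
        except ValueError:
            continue  # unparsable timestamp, address or port
    return events


def is_internal(ip):
    """True if the address falls inside one of the organisation's own ranges."""
    return any(ip in net for net in INTERNAL_NETS)


def find_wan_facing_smb(events):
    """Return (src, dst) pairs where an external source reached TCP/445 and was ALLOWed."""
    return [(str(e["src"]), str(e["dst"])) for e in events
            if e["dport"] == SMB_PORT and e["action"] == "ALLOW" and not is_internal(e["src"])]


def find_lateral_fanout(events, threshold=5, window=timedelta(seconds=60)):
    """Return {src: sorted distinct dsts} for internal hosts that opened SMB to at least
    `threshold` distinct peers inside any `window`-long span (sliding window per source)."""
    by_src = defaultdict(list)
    for e in events:
        if e["dport"] == SMB_PORT and e["action"] == "ALLOW" and is_internal(e["src"]):
            by_src[e["src"]].append((e["ts"], e["dst"]))
    flagged = {}
    for src, conns in by_src.items():
        conns.sort()
        for i, (start, _) in enumerate(conns):
            peers = set()
            for ts, dst in conns[i:]:
                if ts - start > window:
                    break
                peers.add(dst)
            if len(peers) >= threshold:
                flagged[str(src)] = sorted(str(d) for d in peers)
                break
    return flagged


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("WAN-facing SMB:", find_wan_facing_smb(evts))
    print("Lateral fan-out:", find_lateral_fanout(evts))
```

Two design choices worth noting: a DENY line from an external address is deliberately not flagged, because that is the firewall doing its job, and the fan-out check counts distinct destinations rather than raw connections, so a workstation re-opening the same file server many times is not mistaken for spreading.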

    Cougar
    Full Member

    Anyway, just got home.

    We’re a managed services provider for a lot of household names. Our internal machines are managed with WSUS, and our customer-facing cloud solution likewise falls under WSUS. Though of course, it’s not that simple as the patch requires a reboot, so even though we’ve got multiple layers of redundancy you still have to be a little bit frosty about it.

    We’ve also got various stand-alone servers, legacy systems, odds and sods dotted all over the place for various reasons. That’s what I was asked to look at, so I’ve just spent seven hours hunting down and manually patching them. Fun.

    kelvin
    Full Member

    All done? Will you sleep well now?

    Cougar
    Full Member

    Now on a conference call…

    kelvin
    Full Member

    It never ends.

    Cougar
    Full Member

    Just got off the phone. That only took an hour. At least I get to (watch Doctor Who and) go to bed, the other guys are still at it. Reconvene at 9 tomorrow.

    The last time this happened to me was the Millennium Bug, and we had ages to prepare for that.

    frankconway
    Full Member

    Just had the misfortune of hearing Edwina Currie on the radio pontificating about this.
    She clearly knows nothing other than the sensationalist headlines, but that didn’t stop her; one suggestion – ‘go to Imperial College, get a PhD student and tell them to sort it’.
    Dopey cow.
    Multiple references to ‘hackers’ but no mention of ransomware.
    No mention of widespread infections across multiple countries and business sectors.
    No mention of NSA.
    No mention of the ‘kill switch’.
    No discussion of possible perpetrators.
    Much general criticism of Microsoft with no specifics or evidence.
    She should not be used by broadcast media and then put down.

    As for possible perpetrators – any takers for North Korea?

    Northwind
    Full Member

    Cougar – Moderator

    The last time this happened to me was the Millennium Bug, and we had ages to prepare for that.

    And then ages after of people going “don’t see what all the fuss was about, everything worked out fine, why do we listen to you bloody techies…”

    somafunk
    Full Member

    I had the misfortune of hearing Edwina Currie on R5 a few weeks ago pontificating on cuts to disability benefit. I’d personally go on record as stating that I’d like to punch her in the face repeatedly until her face is reduced to a pulp; she is utterly repulsive, and anyone who defends the decrepit Tory hag would be next in line to receive the same treatment.

    frankconway
    Full Member

    @somafunk – so you’re not her biggest fan?

    We could start a thread – ‘Who hates Edwina Currie – no reason required’.
    Reasons would be good though.

    She is vile, ignorant and condescending.

    Cougar
    Full Member

    And then ages after of people going “don’t see what all the fuss was about, everything worked out fine, why do we listen to you bloody techies…”

    Yeah, that really, really makes me cross. “Nothing happened, what was all the fuss about?” Nothing happened because a lot of people put a lot of work into ensuring that nothing happened. At the turn of the Millennium when most people were having the party of their lives, I was sat in the office on my own with nothing further to do just in case “anything happened” (I spent most of the time shooting the breeze on the phone with a colleague in another company who’d got saddled with the same gig).

    You have a shit IT dept and everyone notices, “what do we pay you for?”; you have a fantastic IT dept and no-one notices, “what do we pay you for?” It’s a thankless bloody task.

    (Point of order, I’m not IT any more though I’ve spent many years doing it. I got drafted in tonight as I was best placed to do this particular job and the primary teams were slammed with their own problems.)

    somafunk
    Full Member

    so you’re not her biggest fan?

    That’s certainly one polite way of expressing my disregard for her right to existence.

    On the same program/discussion she mentioned that there was absolutely no poverty in this country and there was no need for societal use of food banks. Needless to say I utterly **** despise her and her ilk and would personally consider it a service to humanity to drag the decrepit whore by the hair round a few “choice” housing estates to explain her words to those who rely on such non-essential services. Of course for her to do this I’d have to remove or refrain from pounding her smug face with my fist, which would leave me in a quandary: would I be satisfied with seeing her ripped apart by a baying crowd? I suspect I would garner a certain thrill from seeing her fed to the wolves, so to speak.

    aracer
    Free Member

    Well, to be fair, anybody with that job would surely appreciate that the start of the new millennium was actually a year later.

    nice trolling NW – it was good to see Cougar so precisely following the script you’d given him the cue for!

    Cougar
    Full Member

    NW wasn’t trolling, he was empathising, is how I read it at least.

    nemesis
    Free Member

    200!


The topic ‘NHS in large scale IT shutdown’ is closed to new replies.
