The discussion started in “tips”, but as the most important thing to do ‘right off the bat’ was to down any internet connected computers, I didn’t put up a new posting right away, so several important links and some discussion are to be found starting here: (h/t to Larry Ledwick) https://chiefio.wordpress.com/2017/05/02/tips-may-2017/#comment-83247
At this point, having confirmed it is a Microsoft OS centered attack exploiting an SMB fault (and not running Samba on anything), I’m bringing my systems back up. Since most of my stuff runs on Linux or Macintosh, I’m feeling OK about that. My old Windows XP boxes generally sit turned off in the corner, mostly being insurance for document recovery should I encounter something on an old backup that nothing current can read.
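One concrete way to do that “not running Samba on anything” check before a Linux box goes back on the wire. This is an added example, not the post’s own procedure; it assumes the iproute2 `ss` tool and procps `pgrep`, and the port filter is split out so it can be fed a saved listing as well as live output:

```shell
#!/bin/sh
# Added example, not code from the post: confirm a Linux host exposes no
# SMB/NetBIOS service before reconnecting it during an SMB-targeted outbreak.
# Assumes iproute2 `ss` and procps `pgrep` (assumptions, not from the post).

# Filter a `ss -Hltun`-style listing (stdin) down to sockets bound to the
# SMB/NetBIOS ports 137-139 and 445. Exit 1 if any are found, 0 if clean,
# so the function can sit directly in an `if`.
smb_listeners() {
    awk '
        # Field 4 is the local address, e.g. 0.0.0.0:445, [::]:139 or *:445;
        # the port is whatever follows the last colon.
        { n = split($4, a, ":"); port = a[n] }
        port ~ /^(137|138|139|445)$/ { print; found = 1 }
        END { exit found ? 1 : 0 }
    '
}

# Live check of this host: an open SMB port or a running Samba daemon means
# the box stays off the network until that is understood.
check_host_smb() {
    status=0
    if ! ss -Hltun | smb_listeners; then
        echo "SMB/NetBIOS port(s) listening"
        status=1
    fi
    if pgrep -x 'smbd|nmbd' >/dev/null; then
        echo "Samba daemon running"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "no SMB exposure found"
    return "$status"
}

# Run the live check only when asked, so sourcing this file has no side effects.
if [ "${1:-}" = "--live" ]; then
    check_host_smb
fi
```

Run it as `sh smbcheck.sh --live` on the host in question; a non-zero exit means leave the cable unplugged.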
At this point, I’ve got the Android Tablet and a Mac Laptop in service. Later I’ll be booting up the Linux stuff that is my desktop.
A “tip” on how I handle this kind of thing:
I use a system that is “disposable” in that it can be erased at will. Should it get infected with crap, I just reset it. In this case I used the tablet. I remove the SD card that has everything personal on it (downloads too, I point everything to it most of the time) and the base tablet is largely just the OS and anything I don’t care about. At that point, doing a reset mostly just means I need to reenter any network passwords and logins.
Android has also been fairly impervious to exploits in my experience. So I’m comfortable with it as my ‘window on the world’ during an Aw Shit Event. This is also part of why I have a variety of systems. Any given “event” tends to hit one class of operating system. Once identified, I can continue operations on the one (or ones) not targeted.
Now, it is possible to corrupt the firmware on systems to gain “persistence” for an exploit. Even to the degree of planting things in the firmware of attached hard disks. For this reason I have a second level of Aw Shit System. I have a “disposable SD Chip” for the R.Pi system. Normally, all but one of the hard disks are unplugged and powered off. By air-gap definition, 99.99% of my data is secure from ransomware. I have an SD card in the Pi, but it has a recent backup on one of the offline hard disks. If things get hinky I can toss the $8 SD chip, flash another one, and since the Pi firmware is loaded at boot time from the SD card, even that is fairly safe.
The one “mostly used” hard disk is a few-years-old 500 MB USB disk that cost $40 or so, with swap and a home directory on it. The home directory also has an offline / powered off copy (several, actually). For a while I ran from a $20 USB Stick so it, too, was disposable, but as the old disks got ‘less interesting’ to save, I have moved onto one of them. Essentially, my entire “Daily Driver” is disposable if needed.
Now, during any event, I don’t really want to toss those bits. So what I do is immediately down that system. Plus any others in the house. Scrapers, NFS servers, whatever. Essentially “go dark” other than the Telco supplied boundary router. (If it looks bad enough and network gear is being hit, I’m willing to down it as well, but since Telcos like to be able to push patches, that comes at the cost of perhaps missing that push in the first round.)
IFF I need that desktop system back up, I’ll take my ‘Disposo System Chip’ out of the chip jar, put it in, unplug the hard disk, and boot. At that point all that is at risk is an $8 SD card and MAYBE a $35 Pi, but it is highly unlikely even they have any real risk of “persistent” infection. Just not enough smarts in them, mostly, but also “uninteresting” to most hackers. (The IOT exploits would be interested in small ARM based systems, though…) Now I’ve got a fully functioning Linux box to work with, but one that is essentially immune from 90%+ of all exploits (as they are aimed at Microsoft) and trivially reset if it is infected; plus entirely disposable if, somehow, a persistence exploit gets into it.
Every other system in the house stays down until the event is shown to be over.
I have two levels of firewall. The Disposo System is plugged directly into the Telco router. More exposed to the world, but all the OTHER home systems are behind yet another NAT firewall, so to some degree protected from the Disposo System, should it fall to an attacker, and something wasn’t powered off. I watch the “blinky lights” on the Telco Router for any activity NOT synchronized with my usage of the Disposo System. (For this reason I have ALL automatic update and ‘phone home’ features turned off on the system. I don’t need an automatic update of FireFox to look like I’m being attacked with lots of unexplained blinky lights on the router and hard disk… as I would immediately pull the plug on it.)
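A numeric stand-in for watching the “blinky lights”, added here as an example rather than anything from the post: it samples the uplink interface’s byte counters from `/proc/net/dev` across a window where nobody is using the box and flags traffic that nothing asked for. It assumes Linux, and the interface name and byte threshold are placeholders:

```shell
#!/bin/sh
# Added example, not from the post: measure what the router LEDs show by eye.
# Assumes Linux (/proc/net/dev); interface name and threshold are placeholders.

# Sum rx+tx bytes for interface $1 from /proc/net/dev-format text on stdin.
# The kernel prints "eth0:" glued to the name, so split the colon off first;
# rx bytes are then field 2 and tx bytes field 10.
iface_bytes() {
    awk -v ifc="$1" '{ sub(/:/, " ") } $1 == ifc { print $2 + $10 }'
}

# Bytes moved on $1 during $2 idle seconds (do nothing on the box meanwhile).
# Prints the count; returns 1 if it exceeds $3 bytes (default 4096: enough
# slack for ARP/DHCP/NTP chatter, little enough to expose a phone-home).
idle_traffic() {
    ifc=$1; secs=$2; limit=${3:-4096}
    before=$(iface_bytes "$ifc" < /proc/net/dev)
    if [ -z "$before" ]; then
        echo "no such interface: $ifc" >&2
        return 2
    fi
    sleep "$secs"
    after=$(iface_bytes "$ifc" < /proc/net/dev)
    moved=$((after - before))
    echo "$moved"
    [ "$moved" -le "$limit" ]
}

# Live run only when asked, e.g. `sh idlewatch.sh --live eth0 60`.
if [ "${1:-}" = "--live" ]; then
    idle_traffic "${2:-eth0}" "${3:-60}" || echo "unexplained traffic on ${2:-eth0}"
fi
```

Automatic updates and other ‘phone home’ features have to be off for the threshold to mean anything, for exactly the reason the post gives.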
That generally gets you through almost anything short of a directed attack by a TLA Three Letter Agency.
In this case, I was watching Sky News and they had enough Tech Talk to say it was an SMB based attack on older Windows machines. That told me I was likely 100% safe as “Friends don’t let friends use Microsoft” directs my system choices. Since news can be wrong, I followed my “shutdown protocol” anyway. But I did allow myself the luxury of using the Tablet as my world monitor AND leaving the ROKU based TV running. Not a lot of exploits for the ROKU anyway.
This morning I’m getting the Macintosh gear back up, so this is being typed on the MacBook that I recovered from the discard pile after the Solid State Disk died. It runs off a micro-SD card in an adapter, so it is very slow, but also in that 100% disposable system group. I can just flash the card with a backup copy from the powered down disk farm, if ever needed. Later in the day, the spousal Mac will be back up. One layer at a time, keeping a wary eye on the news.
Later this evening, I’ll bring up some of the more important Linux systems, including my desktop.
Way over the top cautious? You bet! These things often cause copycats to come out to play, attacking other systems. Sometimes they go for a ‘double tap’. It pays to exercise a full on defense profile anyway.
So, with that, anyone with a Macintosh, Android, or Linux system ought to be fine. Folks with a Windows box that has patches up to date ought to be OK, for now. The world will slowly recover as boxes are scrubbed and backups + patches applied. Some few folks will have cried and paid.
Hopefully everyone can learn a few more defensive behaviours and our government will have learned: It is a Very Bad Idea to build exploits into systems or develop a secret attack system. The simple fact is that nothing is secret forever, and that you can have a 100% security focus, or be insecure. There is no such thing as a small security hole. When the Government finds one, it ought to immediately and secretly inform the manufacturer so they can immediately push a patch, not “bank it” for use as an exploit. Any exploit YOU find, someone else has already found or will find tomorrow.