Linked by Thom Holwerda on Mon 25th Jul 2016 22:53 UTC
Windows

The final build of the Windows 10 Anniversary Update is build 14393. The update, which provides a range of new features and improvements, represents Microsoft's last big push to get Windows 7 and 8.1 users to upgrade to Windows 10.

The update is available right now to those who have opted in to the Windows Insider program, and it will be pushed out to Windows 10 users on the current branch on August 2. The free upgrade offer from Windows 7 and 8.1 to Windows 10, however, ends on July 29, leaving Microsoft hoping that the promise of the new update will be enough to get people to make the switch.

Correct me if I'm wrong, but I doubt many Windows 7/8 users here who haven't upgraded yet will be wooed by this new update.

If you're still running Windows XP, you're irresponsible and you should update to 7/8/10 or Linux immediately.

Thread beginning with comment 632318
RE[2]: I'm irresponsible
by Bobthearch on Tue 26th Jul 2016 17:57 UTC in reply to "RE: I'm irresponsible"
Bobthearch (member since 2006-01-27)

...

A web site was reached, and a backdoor was inserted. This backdoor started poisoning local DNS caches and routing tables, and became a gateway for its local network. Passwords were obtained for various logins, databases, and other servers on other networks-- which were then back-doored (using legit passwords), and started handling all the traffic on THEIR networks. All anyone noticed was that the servers were running a little slowly.

By the time 2 weeks had passed, the attackers (all from IP addresses resolving to China) had owned roughly 90% of the department's servers, and knew most of their passwords, and probably downloaded the majority of their databases-- even though they were all "behind a firewall".

The department had to burn their entire network of servers and workstations to the ground, and restore from backups-- and THEN they had to notify the Feds about the breach, and then they had to notify several hundred *thousand* users that their data had potentially been compromised. I believe the total cost to the department ran into the 3-5 million dollar range-- because of one irresponsible user.

So yeah-- keep thinking you're secure. But for a moment, consider the implications to you and your company if you're wrong.


So I understand that all of the computers and servers were infected despite having the latest OS version with every security update?

Was that Sony Pictures' problem too during the 2014 hack, their servers were running Windows 2000?

Score: 2

RE[3]: I'm irresponsible
by grat on Wed 27th Jul 2016 03:50 in reply to "RE[2]: I'm irresponsible"
grat (member since 2006-02-02)

So I understand that all of the computers and servers were infected despite having the latest OS version with every security update?


Well, no-- One computer (the Win2k box) was infected. The rest were "upgraded" using legitimate usernames and passwords.

See, the Win2k box, because it was routing all the traffic on the local network through it, was also able to authenticate AD login requests-- after all, they're all part of AD. And if you've compromised a machine, DLL injection attacks will allow you to scarf up every single username/password combination processed by Windows.

So admin user "bob" logs into a machine on the same subnet-- well, he thinks he is. In reality he's actually authenticating against the hacked box, which then does a perfectly legitimate AD connection to the real DC to verify the password, and of course sends that set of domain credentials off to the command/control mothership in China. Probably over an SSL connection to port 443 that no one can decipher.

Details are a bit sketchy, because the security team never released the full set of tools that the hackers used, but that's the general idea.

Now the attackers have Bob's admin credentials, and start logging into other systems via remote admin tools, and installing the same sort of malware.

It was very much a "Contagion" style scenario, starting with "server zero", and then infecting supposedly healthy and secure systems, from within, using the usual Windows management tools.

Unless you're doing much, much better monitoring than most Windows shops, you'll never even notice until it's really, really too late.

I once logged into a SuperMicro chassis at the department I'd taken over admin for, and thought it peculiar that there would be a C:\Dell directory with the file "OEM.TXT" in it (being not a Dell chassis).

I nearly fell over when I looked in the file, and discovered the username/password pairs for every person who'd logged into the box in the last month (including me).

That particular batch of infections was tracked down to an unused (but still enabled, and with "Enterprise Admin" rights) backupExec account, and took a week or two of steady extermination and password resets. It helped that I could use a sacrificial AD account to search for "C:\Dell\OEM.TXT"-- their password file became my red flag for a hacked system.

It didn't help that all of our desktops were on public IP at the time, because the powers-that-be didn't trust NAT.

I eventually implemented three GPOs-- one that made our admin accounts members of "local administrators" on all the domain machines, and a second that scrambled the local Administrator password (26-32 characters, from all 4 character sets) every time any machine booted (including servers). Then finally, I added a GPO that set the remote administration firewall ports to only accept connections from our admin boxes.

Between that, and stringent patching across the board, with daily scans to find unpatched systems, we went from "wide open" (multiple exploits a week) to an 18 month run of zero exploits. Took a couple months of hard work by our team, though. Also helped that it convinced them to let us be the pilot project for moving our workstations to private IP.

We never faced the kind of pain that other department suffered, though-- the group of hackers that targeted us was looking for disk space for their warez group. We'd locked down our systems pretty well by the time the department I mentioned earlier got hammered.

Score: 3
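Turning grat's two tactics into something repeatable, as an added example that is not grat's code and not from the original thread: a sweep of every enabled domain computer for the attackers' credential log at C:\Dell\OEM.TXT, followed, on the hosts that come back clean, by the two host-side controls grat describes (a freshly scrambled built-in Administrator password of 26-32 characters from all four character classes, and the remote-admin firewall rules scoped to the admin boxes). It assumes an AD domain, Windows PowerShell 5.1 with the RSAT ActiveDirectory module, WinRM reachable on the targets, and an admin subnet of 10.0.99.0/24, which is a made-up value; the cmdlets are standard, but the function names and the subnet are mine.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the thread. Run it from a sacrificial admin account
# and reset that account afterwards: if a host is already compromised, whatever you
# log in with gets harvested, exactly as grat describes.

$IocPath     = 'C:\Dell\OEM.TXT'   # the attackers' credential log named in the thread
$AdminSubnet = '10.0.99.0/24'      # assumption: the subnet the admin boxes live on

function Get-RandomIndex {
    # Unbiased CSPRNG index in [0, Max); values in the partial final bucket are rejected.
    param([System.Security.Cryptography.RandomNumberGenerator]$Rng, [int]$Max)
    $buf   = New-Object byte[] 4
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$Max)
    do {
        $Rng.GetBytes($buf)
        $v = [BitConverter]::ToUInt32($buf, 0)
    } while ($v -ge $limit)
    return [int]($v % $Max)
}

function New-RandomPassword {
    # 26-32 characters with at least one from each of the four character classes.
    param([int]$MinLength = 26, [int]$MaxLength = 32)
    $sets = @(
        [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
        [char[]]'abcdefghijklmnopqrstuvwxyz',
        [char[]]'0123456789',
        [char[]]'!@#$%^&*()-_=+[]{};:,.?'
    )
    $all   = $sets | ForEach-Object { $_ }      # flattened pool of every character
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $len   = $MinLength + (Get-RandomIndex -Rng $rng -Max ($MaxLength - $MinLength + 1))
    $chars = New-Object System.Collections.Generic.List[char]
    foreach ($s in $sets) { $chars.Add($s[(Get-RandomIndex -Rng $rng -Max $s.Length)]) }
    while ($chars.Count -lt $len) { $chars.Add($all[(Get-RandomIndex -Rng $rng -Max $all.Count)]) }
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {   # Fisher-Yates, so the per-class picks are not always first
        $j = Get-RandomIndex -Rng $rng -Max ($i + 1)
        $t = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $t
    }
    return -join $chars
}

function Find-CredentialLog {
    # Ask each host whether the indicator file exists; unreachable hosts are simply absent from the output.
    param([string[]]$ComputerName, [string]$Path = $IocPath)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Path -ErrorAction SilentlyContinue -ScriptBlock {
        param($p)
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; Infected = (Test-Path -LiteralPath $p) }
    }
}

function Set-LocalAdminHardening {
    # Scramble the built-in Administrator (RID 500) password and throw it away, then scope
    # the RDP / WinRM / remote service management rules to the admin subnet.
    param([string]$ComputerName, [string]$Subnet)
    $pw = New-RandomPassword
    Invoke-Command -ComputerName $ComputerName -ArgumentList $pw, $Subnet -ScriptBlock {
        param($pw, $subnet)
        $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
        Set-LocalUser -Name $builtin.Name -Password (ConvertTo-SecureString $pw -AsPlainText -Force)
        Get-NetFirewallRule -DisplayGroup 'Remote Desktop','Windows Remote Management','Remote Service Management' -ErrorAction SilentlyContinue |
            Set-NetFirewallRule -RemoteAddress $subnet
    }
}

$computers = (Get-ADComputer -Filter 'Enabled -eq $true').Name
$results   = Find-CredentialLog -ComputerName $computers
$results | Where-Object Infected | ForEach-Object { Write-Warning "$($_.Computer): has $IocPath, rebuild it rather than clean it" }
foreach ($c in ($results | Where-Object { -not $_.Infected }).Computer) {
    Set-LocalAdminHardening -ComputerName $c -Subnet $AdminSubnet
}
```

The password is generated once per host and discarded on purpose: with the admin accounts placed in local Administrators by GPO, nobody needs the built-in account, which is the point of scrambling it. The supported way to get the same effect today is LAPS, which keeps each per-machine password in AD behind an ACL instead of throwing it away. A host that comes back Infected is deliberately not hardened here; any password set through a box the attackers already own is burned the moment it is typed.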

RE[4]: I'm irresponsible
by BlueofRainbow on Wed 27th Jul 2016 11:53 in reply to "RE[3]: I'm irresponsible"
BlueofRainbow (member since 2009-01-06)

Thanks for sharing the details of the attack and the approach taken for the counter-attack.

Again, the story tells of detective work aided by luck.

I had once, long ago, encountered on the family Windows XP system a virus which appeared un-removable as it kept coming back even for user accounts without any admin privileges. It took me a while but I eventually figured out that it was hiding in plain sight in the Windows prefetch folder. Deleting the contents of the prefetch and rebooting got rid of this virus.

Years later, at work, there was a rapidly propagating contagion of all machines (a mix of XP and 7, all with top-of-the-line antivirus software) even though they were locked down with the user accounts devoid of any admin privileges. Despite their best efforts, the IT person could not keep up. At a chance meeting in the coffee area, I mentioned my earlier story and asked if the contents of the prefetch folder were checked. Within hours of this chance meeting, the contagion was finally contained.

Well, given the number of configuration settings (including registry hacks) one has to go through to minimize the amount of private data going back to Microsoft and advertisement coming to the system, updating to Windows 10 for free does not appear attractive at all.

Score: 2
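A quick check for the hiding place BlueofRainbow describes, as an added example that is not BlueofRainbow's code and not from the thread: it lists the top level of %SystemRoot%\Prefetch and flags anything that is not a prefetch trace. The set of extensions normally present there and the function name are my assumptions; the 'SCCA' signature at offset 4 of an uncompressed .pf file and the 'MAM' prefix of a compressed Windows 10 one are the documented prefetch formats.

```powershell
# Added example, not code from the thread. Legitimate prefetch traces are *.pf files
# that start either with the 'MAM' compression magic (Windows 10) or with a version
# number followed by 'SCCA' at offset 4 (older Windows). Anything else in the folder,
# and in particular anything carrying a PE 'MZ' header, does not belong there.
# Reading the folder needs administrative rights.
$PrefetchDir = Join-Path $env:SystemRoot 'Prefetch'

function Get-SuspiciousPrefetchEntry {
    param([string]$Path = $PrefetchDir)
    # Assumption: the extensions Windows itself keeps in Prefetch (Layout.ini, Ag*.db, PfSvPerfStats.bin).
    $expected = @('.pf', '.ini', '.db', '.bin')
    # Top level only: the ReadyBoot subfolder holds ETW traces with their own formats.
    Get-ChildItem -LiteralPath $Path -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $head = New-Object byte[] 8
        $fs   = [System.IO.File]::OpenRead($_.FullName)
        try { $n = $fs.Read($head, 0, 8) } finally { $fs.Dispose() }
        $ascii  = [System.Text.Encoding]::ASCII
        $reason = $null
        if ($n -ge 2 -and $ascii.GetString($head, 0, 2) -eq 'MZ') {
            $reason = 'PE executable stored in Prefetch'
        } elseif ($expected -notcontains $_.Extension.ToLower()) {
            $reason = "unexpected extension '$($_.Extension)'"
        } elseif ($_.Extension -eq '.pf' -and $n -ge 8 -and
                  $ascii.GetString($head, 0, 3) -ne 'MAM' -and
                  $ascii.GetString($head, 4, 4) -ne 'SCCA') {
            $reason = '.pf file without a prefetch signature'
        }
        if ($reason) {
            [pscustomobject]@{ File = $_.FullName; Bytes = $_.Length; Modified = $_.LastWriteTime; Reason = $reason }
        }
    }
}

Get-SuspiciousPrefetchEntry | Sort-Object Modified -Descending | Format-Table -AutoSize
```

Sorting by modification time puts the newest arrivals first, which on a machine that keeps "coming back" after cleaning is usually where the persistence lives. The check is a triage aid, not a verdict: a flagged file is worth pulling off the box and inspecting before anything is deleted, and emptying the folder, as BlueofRainbow did, only costs Windows its application launch cache.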