  1.    30 Jun 2017 #81
    Join Date : Jun 2017
    Posts : 124
    Windows 10.0.15063 (Version 1703) Pro 64-bit

    Quote Originally Posted by bro67:
    AndreTen, I think that we can at least now state to enable Firewall protection full time on any system, whether it is running Linux, Mac OS or Windows. When troubleshooting problems, we are all going to have to remember to address the issue of whether a person has a firewall enabled, and make sure that everyone asks what security software they are running also. The fact is that if someone blocks or disables NetBIOS and/or SMB ports, it will break the system.
    I have extremely strict firewall rules that disable NetBIOS and SMB completely, so I absolutely agree. I don't use those protocols and they aren't necessary.

    f14tomcat, I legitimately thought you were trying to be a smarty pants and prove me wrong, and I mistook it for not being a genuine advice-based question.

    Quote Originally Posted by AndreTen:
    Guys, don't worry so much about SMBv1 for home networks (OK, it's not something you really need), unless you have some irresponsible admin user in your network. This is not the first line of attack. Any router will block this.

    The main danger for home users is still phishing with attachments and browsing the internet.
    You dismiss Petya's attack vector too simply.

    If there is an admin with admin$ shares enabled, connected to other clients or hosts, OR SMB v1 enabled, AND/OR NetBIOS enabled, Petya will have a feast on the network and scan for lateral infection. Anyone with a share is a possible target for PSEXEC remote file execution and infection of the system (the target user needs administrative privileges). The Windows Management Instrumentation command-line is also a method it uses to propagate itself on the local network if PSEXEC fails.

    Petya utilizes ports 137, 138, 139 and 445, outbound and inbound, on another local host; outbound connections must be blocked or restricted by application demand.

    Then you have nothing to worry about, regardless of having a router with a basic setup.

    Shares will be accessed, so it is a pertinent threat to home users once infected.
  2.    30 Jun 2017 #82
    Join Date : Oct 2014
    Posts : 17,596
    Windows 10 Insider Preview Build 16281

    Quote Originally Posted by f14tomcat:
    Thanks, I have uninstalled that feature. The only reason I asked was this was a clean install about a month ago, and it was enabled by default. I did not proactively enable the feature. Not running XP. And don't have an old printer. That is odd to me.
    I've seen quotes here and there that SMB1 was no longer enabled since March, but when I went in to check, it was enabled in my machine and I had to manually disable it. So, someone must have gotten the wrong information . . .

    Whoops! Gotta check out both of the Laptops and the other partition on this desktop. I'm pretty sure they'll have SMB1 enabled too.
  3.    30 Jun 2017 #83
    Join Date : Oct 2014
    Posts : 17,596
    Windows 10 Insider Preview Build 16281

    Quote Originally Posted by Hydrate:
    I'll challenge myself here to translate into layman's terms. The blue flags indicate where Microsoft's protection against the ransomware is available and mitigated the threat and eliminated it.

    1. A malicious software update containing the petya.dll (dynamic link library) provided by the threat actor (the entity responsible for this madness) was executed upon patient zero's machine, knowing it had been vulnerable, supposedly a client of a Ukrainian accounting company that has run into similar security issues. AppLocker would have restricted access to executable files, therefore stopping Petya.
    2. This allows the malware to propagate and hijack the master boot record with full privileges from SeDebug.

    I just got too lazy to continue, but essentially the SMB exploits spread across the networks available from the other machines running SMB v1, steal network credentials, find a list of all other machines, and spread themselves again using commands from WMIC and PSEXEC for remote execution across a network, allowing petya.dll to spread and hijack more MBRs.
    Thanks, Hydrate! All I can say is that it's a good thing I don't have to do anything; otherwise I'd prolly be a goner!
  4.    30 Jun 2017 #84
    Join Date : Oct 2014
    Posts : 17,596
    Windows 10 Insider Preview Build 16281

    Quote Originally Posted by Hydrate:
    I have extremely strict firewall rules that disable NetBIOS and SMB completely, so I absolutely agree. I don't use those protocols and they aren't necessary.

    f14tomcat, I legitimately thought you were trying to be a smarty pants and prove me wrong, and I mistook it for not being a genuine advice-based question.

    You dismiss Petya's attack vector too simply.

    If there is an admin with admin$ shares enabled, connected to other clients or hosts, OR SMB v1 enabled, AND/OR NetBIOS enabled, Petya will have a feast on the network and scan for lateral infection. Anyone with a share is a possible target for PSEXEC remote file execution and infection of the system (the target user needs administrative privileges). The Windows Management Instrumentation command-line is also a method it uses to propagate itself on the local network if PSEXEC fails.

    Petya utilizes ports 137, 138, 139 and 445, outbound and inbound, on another local host; outbound connections must be blocked or restricted by application demand.

    Then you have nothing to worry about, regardless of having a router with a basic setup.

    Shares will be accessed, so it is a pertinent threat to home users once infected.
    I don't know if anyone has thought about this one, or if it could present a problem, so I'll just throw it out here to see what y'all think about it . . .

    [Attached image: Security.PNG]
  5.    30 Jun 2017 #85
    Join Date : Nov 2013
    Chicagoland
    Posts : 33,940
    Dual boot Windows 10 FCU Pro x 64 & Insider 10 Pro

    Quote Originally Posted by Wynona:
    I don't know if anyone has thought about this one, or if it could present a problem, so I'll just throw it out here to see what y'all think about it . . .
    I have mine set on and "PCs on my local network, and PCs on the Internet" on my Insider builds only, for I have no personal files there. I set it to off on my CU partition. I'll wait a bit longer for that to update to the next OEM Fall release. Although they state that it's safe, I don't trust hackers so far as my CU is concerned.

    Can Delivery Optimization access my personal files?

    Delivery Optimization doesn’t access your personal files or folders or change any files on your PC.
    Windows Update Delivery Optimization: FAQ
  6.    01 Jul 2017 #86
    Join Date : Jun 2015
    UK
    Posts : 2,101
    Windows 10 Home x64 (Laptop), Windows 10 Pro x64 (Desktop)

    Quote Originally Posted by Hydrate:
    I have extremely strict firewall rules that disable NetBIOS and SMB completely, so I absolutely agree. I don't use those protocols and they aren't necessary.

    f14tomcat, I legitimately thought you were trying to be a smarty pants and prove me wrong, and I mistook it for not being a genuine advice-based question.

    You dismiss Petya's attack vector too simply.

    If there is an admin with admin$ shares enabled, connected to other clients or hosts, OR SMB v1 enabled, AND/OR NetBIOS enabled, Petya will have a feast on the network and scan for lateral infection. Anyone with a share is a possible target for PSEXEC remote file execution and infection of the system (the target user needs administrative privileges). The Windows Management Instrumentation command-line is also a method it uses to propagate itself on the local network if PSEXEC fails.

    Petya utilizes ports 137, 138, 139 and 445, outbound and inbound, on another local host; outbound connections must be blocked or restricted by application demand.

    Then you have nothing to worry about, regardless of having a router with a basic setup.

    Shares will be accessed, so it is a pertinent threat to home users once infected.
    Should home users be blocking those ports and NetBios and if so, what's the best way of doing this?
  7.    01 Jul 2017 #87
    Join Date : Jun 2015
    UK
    Posts : 2,101
    Windows 10 Home x64 (Laptop), Windows 10 Pro x64 (Desktop)

    Quote Originally Posted by f14tomcat:
    Wasn't worried about anything. Just curious why it was enabled by default. Haven't had any problems, and don't intend to.

    And the only admin user on this box is me........
    SMB 1.0 was on by default on all three W10 PCs I have.
  8.    01 Jul 2017 #88
    Join Date : Nov 2013
    Chicagoland
    Posts : 33,940
    Dual boot Windows 10 FCU Pro x 64 & Insider 10 Pro

    Quote Originally Posted by essenbe:
    No, I have no evidence or have heard none that the Russians did it, but they are big state sponsors of cyberattacks. Most of the sources state it did start with an Accounting Software Company in Russia though. That puts it a lot closer to Russia than anyone else. But yes, still speculation.
    You mean to say it was an Accounting Software Company in Ukraine, yes? At least that was in the articles linked in the OP. Have you found otherwise?

    As for accusations that Russians are "big state sponsors of cyberattacks": not doubting that, but how about our own government, with possible attacks and proven hacking to spy on us citizens? Or any country, for that matter. Isn't that an attack on our privacy? That's the whole motive for using EternalBlue and other spyware. Thank our government for their insecure systems for ultimately giving these idiots the tools they needed.

    Anywho, here’s a report from MS:

    On June 27, 2017 reports of a ransomware infection began spreading across Europe. We saw the first infections in Ukraine, where more than 12,500 machines encountered the threat. We then observed infections in another 64 countries, including Belgium, Brazil, Germany, Russia, and the United States.
    New ransomware, old techniques: Petya adds worm capabilities Windows Security
  9.    01 Jul 2017 #89
    Join Date : Jun 2017
    Posts : 124
    Windows 10.0.15063 (Version 1703) Pro 64-bit

    Quote Originally Posted by Wynona:
    Thanks, Hydrate! Alls I can say is that it's a good thing I don't have to do anything; otherwise I'd prolly be a goner!
    Of course! My specialty is InfoSec and IT security. So, I've really invested my time into this new wiper.

    Quote Originally Posted by Steve C:
    Should home users be blocking those ports and NetBios and if so, what's the best way of doing this?
    To reduce the attack surface and minimize the probability of the malware spreading and to prevent future attacks, yes. I recommend blocking these ports unless you use NetBIOS. I agree with Symantec as they explain if you do not use SMB or Windows Network File Sharing capabilities, turn off NetBIOS and SMB, as well as adding the port configurations for extra protection.

    Quote Originally Posted by Wynona:
    I don't know if anyone has thought about this one, or if it could present a problem, so I'll just throw it out here to see what y'all think about it . . .

    [Attached image: Security.PNG]
    Not necessarily a problem unless you have other P2P clients and services running on your IP address (assuming a poorly configured firewall and router; best to assume the worst to be secure), which can be used by attackers for a remote execution exploit or to run some arbitrary code if that software is not updated and remains vulnerable.

    I turn it off because I have high speed internet and all the time in the world to download updates (automatically).

    Quote Originally Posted by Steve C:
    Should home users be blocking those ports and NetBios and if so, what's the best way of doing this?
    If you do not use NetBIOS, I suggest you turn it off in Services to reduce the attack surface; it's a great way for hackers to get in on a Windows box.

    I found all the rules required to block the current strain of Petya we know of (thanks Symantec <3):

    • Add the following Inbound network rules:
      • Action: Deny, Protocol: Both TCP and UDP, Local Port: 137, Remote IP: Any, Remote Port: Any
      • Action: Deny, Protocol: Both TCP and UDP, Local Port: 138, Remote IP: Any, Remote Port: Any
      • Action: Deny, Protocol: Both TCP and UDP, Local Port: 139, Remote IP: Any, Remote Port: Any
      • Action: Deny, Protocol: TCP, Local Port: 445, Remote IP: Any, Remote Port: Any

    • Add the following Outbound network rules:
      • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 137
      • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 138
      • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 139
      • Action: Deny, Protocol: TCP, Local Port: Any, Remote IP: Any, Remote Port: 445

    My policy is that for the ports listed, you access your Firewall (assuming for Windows 10) it's from:

    Create new firewall rules accordingly to the rules I have described above.

    If you would like, I will create a powershell script to append the same rules to your current firewall configurations!
  10.    02 Jul 2017 #90
    Join Date : Jun 2015
    UK
    Posts : 2,101
    Windows 10 Home x64 (Laptop), Windows 10 Pro x64 (Desktop)

    Great post 89 by Hydrate! I disabled NetBios as suggested. I also see you can disable NetBIOS via the TCP settings from the network adapter. Which is the best approach?

    I use Kaspersky Total Security and tried disabling the ports in KTS. However, video streaming from BBC iPlayer stops as soon as I disable port 137. It seems disabling these ports is not a good idea for me. It would be useful to know what these ports are used for so people can decide whether to disable them.
    Last edited by Steve C; 02 Jul 2017 at 01:36.
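Hydrate's rule list in post #89 and Steve C's question in post #90 about the adapter-level NetBIOS setting can both be applied from PowerShell. The script below is an added example, not Hydrate's promised script and not anything from Symantec or Microsoft; it uses the built-in NetSecurity and CIM cmdlets that ship with Windows 10, and the rule-name prefix and the `$DisableNetbiosOnAdapters` switch are assumptions of my own.

```powershell
#Requires -RunAsAdministrator
# Added example (not Hydrate's script): applies the deny rules from post #89 to
# Windows Firewall, lists what was created, and optionally turns off NetBIOS over
# TCP/IP at the adapter level. Run from an elevated PowerShell prompt.

$prefix = 'Block NetBIOS-SMB'        # assumed rule-name prefix, change freely
$DisableNetbiosOnAdapters = $false   # assumed switch; set $true for the adapter setting

# What the ports carry: 137 NetBIOS name service, 138 NetBIOS datagram service,
# 139 NetBIOS session service (SMB over NetBIOS), 445 SMB directly over TCP.
$specs = @(
    @{ Port = 137; Protocols = @('TCP', 'UDP') },
    @{ Port = 138; Protocols = @('TCP', 'UDP') },
    @{ Port = 139; Protocols = @('TCP', 'UDP') },
    @{ Port = 445; Protocols = @('TCP') }
)

function New-BlockRuleIfMissing {
    param([string]$Name, [string]$Direction, [string]$Protocol, $LocalPort, $RemotePort)
    # Windows allows duplicate DisplayNames, so check first to keep the script idempotent.
    if (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue) { return }
    New-NetFirewallRule -DisplayName $Name -Direction $Direction -Action Block `
        -Protocol $Protocol -LocalPort $LocalPort -RemotePort $RemotePort `
        -RemoteAddress Any -Profile Any -Enabled True | Out-Null
}

foreach ($spec in $specs) {
    foreach ($proto in $spec.Protocols) {
        # Inbound rule from the list: Deny, Local Port N, Remote IP Any, Remote Port Any
        New-BlockRuleIfMissing -Name "$prefix In $proto $($spec.Port)" -Direction Inbound `
            -Protocol $proto -LocalPort $spec.Port -RemotePort Any
        # Outbound rule from the list: Deny, Local Port Any, Remote IP Any, Remote Port N
        New-BlockRuleIfMissing -Name "$prefix Out $proto $($spec.Port)" -Direction Outbound `
            -Protocol $proto -LocalPort Any -RemotePort $spec.Port
    }
}

# Verify: one row per rule, joined with its port filter.
Get-NetFirewallRule -DisplayName "$prefix*" | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Name       = $_.DisplayName
        Direction  = $_.Direction
        Action     = $_.Action
        Protocol   = $pf.Protocol
        LocalPort  = $pf.LocalPort
        RemotePort = $pf.RemotePort
    }
} | Format-Table -AutoSize

# Adapter-level setting (the one reachable from the adapter's TCP/IP properties):
# SetTcpipNetbios(2) disables NetBIOS over TCP/IP; 0 = use the DHCP setting, 1 = enable.
# ReturnValue 0 means success.
if ($DisableNetbiosOnAdapters) {
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                -Arguments @{ TcpipNetbiosOptions = 2 }
        } | Select-Object ReturnValue
}

# Rollback if something on the LAN stops working:
#   Get-NetFirewallRule -DisplayName "$prefix*" | Remove-NetFirewallRule
```

Two practical points. First, the firewall rules and the adapter setting are independent: the firewall rules block the traffic whether or not the service is running, while the adapter setting stops Windows from speaking NetBIOS over TCP/IP at all, so on a PC that never shares files it is reasonable to do both. Second, these rules stop Windows file and printer sharing and NetBIOS name resolution on that machine, so anything on the home LAN that relies on them (a NAS, a shared printer, a media box that browses `\\PC\share`) will stop working, and some third-party software also breaks when 137/UDP is closed, which is consistent with the streaming problem reported above. Keep the rollback line handy and check with `Get-NetFirewallRule -DisplayName "$prefix*"` that only the rules you intended exist.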