cinci zoo sniper
Mar 15, 2013




Wiggly Wayne DDS posted:

it's confirmed:
https://twitter.com/PolarToffee/status/879709615675641856

congrats on people not patching after the previous major incident

that's the wannacry 2: electric tears?


Wiggly Wayne DDS
Sep 11, 2010



cinci zoo sniper posted:

that's the wannacry 2: electric tears?
considering there isn't a domain to conveniently sinkhole just prior to the us business networks waking up ya

cinci zoo sniper
Mar 15, 2013




Wiggly Wayne DDS posted:

considering there isn't a domain to conveniently sinkhole just prior to the us business networks waking up ya

welp time to start the hospital counter i guess :rip: hopefully someone learned

spankmeister
Jun 15, 2008






I hope this one comes in via email and then spreads internally

FlapYoJacks
Feb 12, 2009

cinci zoo sniper posted:

welp time to start the hospital counter i guess :rip: hopefully someone learned

hahahhhahahahahhaa.

Wiggly Wayne DDS
Sep 11, 2010



spankmeister posted:

I hope this one comes in via email and then spreads internally
i saw talk of email spreading petya earlier before eternalblue got mentioned so i'd expect that amongst other spreading mechanisms

spankmeister
Jun 15, 2008






Wiggly Wayne DDS posted:

i saw talk of email spreading petya earlier before eternalblue got mentioned so i'd expect that amongst other spreading mechanisms

good, gooood


because that was wannacry's greatest flaw imo, it would _only_ spread through eternalblue

cinci zoo sniper
Mar 15, 2013




ratbert90 posted:

hahahhhahahahahhaa.

i know, right. im just really not looking forward to a major life-support system being hit by this poo poo, whether it affects me or not

FlapYoJacks
Feb 12, 2009

cinci zoo sniper posted:

i know, right. im just really not looking forward to a major life-support system being hit by this poo poo, whether it affects me or not

Hello! If you are seeing this it's because your pacemaker is no longer accessible, because it has been encrypted. Perhaps you are looking for a way to recover your heartbeat?

Wiggly Wayne DDS
Sep 11, 2010



ratbert90 posted:

Hello! If you are seeing this it's because your pacemaker is no longer accessible, because it has been encrypted. Perhaps you are looking for a way to recover your heartbeat?
i thought we all agreed to disable the heartbeat extension

FlapYoJacks
Feb 12, 2009

Wiggly Wayne DDS posted:

i thought we all agreed to disable the heartbeat extension

THE HEARTBEAT EXTENSION IS MISSION-CRITICAL AND REQUIRED WORDPRESS 2.0!

ThePeavstenator
Dec 18, 2012

explanation I gave over the weekend for what encryption is: "imagine a lock and key, but they're made of math"

Phone
Jul 30, 2005

I want oyakodon.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

ThePeavstenator posted:

explanation I gave over the weekend for what encryption is: "imagine a lock and key, but they're made of math"

great work

Shifty Pony
Dec 28, 2004

Up ta somethin'


spankmeister posted:

good, gooood


because that was wannacry's greatest flaw imo, it would _only_ spread through eternalblue

it also would fail to properly execute on XP, causing the computer to blue screen instead of becoming encrypted.

seems like that happens in this one too:

https://twitter.com/PolarToffee/status/879718578798436352

who knows how many people were saved by the accidental triggering of the kill switch in wannacry and thought that they weren't vulnerable as a result.

spankmeister
Jun 15, 2008






Shifty Pony posted:

it also would fail to properly execute on XP, causing the computer to blue screen instead of becoming encrypted.

seems like that happens in this one too:

https://twitter.com/PolarToffee/status/879718578798436352

who knows how many people were saved by the accidental triggering of the kill switch in wannacry and thought that they weren't vulnerable as a result.

It wasn't even meant to be a kill switch, we got really lucky with that one

infernal machines
Oct 11, 2012

we have sealed ourselves away behind our money, growing inward, generating a seamless universe of self.
ars has a piece on the anti-malware engine exploits tavis found

anthonypants
May 6, 2007

"three weeks ago tavis said a dll had never been fuzzed. we asked microsoft and they said they used fuzzing." great work

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

msft uses fuzzing a lot, it's a little surprising that they missed a part of their AV kit

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

though they weren't fuzzing IE as of 2007, after the big internal push, so who knows

Shifty Pony
Dec 28, 2004

Up ta somethin'


spankmeister posted:

It wasn't even meant to be a kill switch, we got really lucky with that one

did they figure out what it was actually supposed to be?

the whole wannacry worm seemed like someone hosed up and shipped a beta build.

flakeloaf
Feb 26, 2003

Still better than android clock

Shifty Pony posted:

the whole wannacry worm seemed like someone hosed up and shipped a beta build.

do you mean wcry or windows

akadajet
Sep 14, 2003

Jewel posted:

Another day, another bitcoin ransomware.

https://twitter.com/ankit5934/status/879681380686340096

https://twitter.com/mikko/status/879702057829138433

"The way it is spreading suspects usage of eternalblue or eternalrock"

amber? should have gone with green.

Jabor
Jul 16, 2010

#1 Loser at SpaceChem

Shifty Pony posted:

did they figure out what it was actually supposed to be?

poorly-conceived anti-analysis tech was the prevailing assumption afaik.

malware sandboxes typically send stock "yes it exists" replies to dns queries for a bunch of reasons. so you make a request to a bogus domain name that's never gonna be registered, and if dns claims it exists then you're probably in a malware sandbox so you should bail out to avoid leaking your secrets.

sounds like a good idea until you notice the kill-switch potential.

AARP LARPer
Feb 19, 2005

THE DARK SIDE OF SCIENCE BREEDS A WEAPON OF WAR


flakeloaf posted:

do you mean wcry or windows

:sandance:

cinci zoo sniper
Mar 15, 2013





no wanna no cry

spankmeister
Jun 15, 2008






Jabor posted:

poorly-conceived anti-analysis tech was the prevailing assumption afaik.

malware sandboxes typically send stock "yes it exists" replies to dns queries for a bunch of reasons. so you make a request to a bogus domain name that's never gonna be registered, and if dns claims it exists then you're probably in a malware sandbox so you should bail out to avoid leaking your secrets.

sounds like a good idea until you notice the kill-switch potential.

This.

What they did was use a single, hard-coded, unregistered domain to check if the sample is running in a sandbox. It was then trivial to register that domain. The guy (MalwareTech) didn't even know the malware would stop working if the domain were registered. He just thought he was sinkholing it.

Now, to do this properly you should use domains that are randomly-generated on the spot and not beforehand, and you query several so you can recover from a false positive if a random domain happens to be registered.
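The sandbox check Jabor describes and the multi-domain variant spankmeister sketches above, side by side as an added example (this is not code from either poster or from any real sample). Nothing here touches the network: the DNS lookup is injected, and the "internet" and "sandbox" resolvers are constructed stand-ins. The hard-coded domain is a hypothetical placeholder under the reserved .invalid TLD, not the real WannaCry name.

```python
"""Added example: one fixed "does this domain exist?" probe versus several
run-time random probes, and why only the first one doubles as a kill switch."""
import random
import string
from typing import Callable, Optional, Sequence

# A resolver maps a hostname to an IPv4 string, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]

# Hypothetical placeholder; the real WannaCry domain is deliberately not used.
HARDCODED_DOMAIN = "example-hardcoded-probe.invalid"


def single_domain_check(resolve: Resolver, domain: str = HARDCODED_DOMAIN) -> bool:
    """WannaCry style: one fixed, unregistered name. A positive answer is taken
    to mean "fake DNS, so probably a sandbox" and the sample bails out.
    Flaw: whoever registers (or sinkholes) that one name flips this to True on
    every infected machine at once, which is exactly the accidental kill switch."""
    return resolve(domain) is not None


def random_label(rng: random.Random, length: int = 16) -> str:
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(length))


def multi_domain_check(resolve: Resolver, rng: random.Random, tld: str = "com",
                       samples: int = 5, threshold: int = 3) -> bool:
    """Variant from the post: names are generated at run time, not baked in,
    and several are queried. A chance hit on one registered name stays below
    the threshold, and there is no fixed name for a defender to register."""
    hits = sum(1 for _ in range(samples)
               if resolve(f"{random_label(rng)}.{tld}") is not None)
    return hits >= threshold


# ---- constructed resolvers standing in for the outside world ----
def internet_resolver(registered: Sequence[str]) -> Resolver:
    """Real DNS: only names in `registered` resolve, everything else is NXDOMAIN."""
    def resolve(name: str) -> Optional[str]:
        return "203.0.113.10" if name in registered else None
    return resolve


def sandbox_resolver(name: str) -> Optional[str]:
    """Analysis-sandbox fake DNS: every query gets a stock answer."""
    return "10.0.0.1"


def one_collision_resolver() -> Resolver:
    """Real DNS where, by bad luck, the first random name queried is registered."""
    calls = {"n": 0}
    def resolve(name: str) -> Optional[str]:
        calls["n"] += 1
        return "198.51.100.7" if calls["n"] == 1 else None
    return resolve


def demo() -> dict:
    rng = random.Random(1337)  # fixed seed only so the demo is reproducible
    before = internet_resolver(registered=[])
    after = internet_resolver(registered=[HARDCODED_DOMAIN])  # defender registers it
    return {
        # fixed name: runs until someone registers the name, then stops everywhere
        "single_unregistered": single_domain_check(before),
        "single_after_registration": single_domain_check(after),
        "single_in_sandbox": single_domain_check(sandbox_resolver),
        # random names: registering the old name changes nothing, one collision is absorbed
        "multi_internet": multi_domain_check(after, rng),
        "multi_one_collision": multi_domain_check(one_collision_resolver(), rng),
        "multi_in_sandbox": multi_domain_check(sandbox_resolver, rng),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} sandbox={verdict}")
```

The defender's side of this is the mirror image: a fixed probe domain is worth registering and sinkholing on day one, while run-time random probes give you nothing to register, so detection has to fall back on the burst of NXDOMAIN responses for random-looking labels that the multi-domain variant produces.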

Migishu
Oct 22, 2005

I'll eat your fucking eyeballs if you're not careful

Looking forward to the Wiggly Wayne DDS overview of Defcon videos

spankmeister
Jun 15, 2008






Migishu posted:

Looking forward to the Wiggly Wayne DDS overview of Defcon videos

not going this year so :same:

flakeloaf
Feb 26, 2003

Still better than android clock

Migishu posted:

Looking forward to the Wiggly Wayne DDS overview of Defcon videos

the best part of defcon

RISCy Business
Jun 17, 2015

https://twitter.com/gossithedog/status/879745509015072769

Wiggly Wayne DDS
Sep 11, 2010



Migishu posted:

Looking forward to the Wiggly Wayne DDS overview of Defcon videos
eh i never do defcon (nor ever have), rarely anything of value. based on their speaker page for this year there's only a handful of interesting talks, and even then it's just further details of public research (sha-1 collision)

spankmeister
Jun 15, 2008






Wiggly Wayne DDS posted:

eh i never do defcon (nor ever have), rarely anything of value. based on their speaker page for this year there's only a handful of interesting talks, and even then it's just further details of public research (sha-1 collision)

You don't go to def con for the talks tbqh

Shifty Pony
Dec 28, 2004

Up ta somethin'


a lot of reports from people dealing with infections of Petya seem to talk about affected systems rebooting to the ransom screen nearly simultaneously.

I wonder if there is some sort of coordination between infected systems to pull that off.

AARP LARPer
Feb 19, 2005

THE DARK SIDE OF SCIENCE BREEDS A WEAPON OF WAR

does anyone here have a good sec twitter list they can point me to? i'd really appreciate it, because left to my own devices i'd probably end up with dudes like Thurrott on my list and my pants on my head.

anthonypants
May 6, 2007


WAR DOGS OF SOCHI posted:

does anyone here have a good sec twitter list they can point me to? i'd really appreciate it, because left to my own devices i'd probably end up with dudes like Thurrott on my list and my pants on my head.
@thegrugq is the first one who comes to mind, just follow good people and you'll find them

cinci zoo sniper
Mar 15, 2013




spankmeister posted:

You don't go to def con for the talks tbqh

you go there to have a run-in with exceptionally smelly McAfee?

syscall girl
Nov 7, 2009


cinci zoo sniper posted:

you go there to have a run-in with exceptionally smelly McAfee?

seeing other goons irl is funny but gently caress las vegas sideways

maskenfreiheit
Dec 30, 2004

spankmeister posted:

You don't go to def con for the talks tbqh

Vegas will have dispensaries open by Defcon so that should be... interesting.


Wiggly Wayne DDS
Sep 11, 2010



Shifty Pony posted:

a lot of reports from people dealing with infections of Petya seem to talk about affected systems rebooting to the ransom screen nearly simultaneously.

I wonder if there is some sort of coordination between infected systems to pull that off.
it spreads internally very fast and will spread for an hour before rebooting - the gap in machines rebooting is how long it took to infect them

WAR DOGS OF SOCHI posted:

does anyone here have a good sec twitter list they can point me to? i'd really appreciate it, because left to my own devices i'd probably end up with dudes like Thurrott on my list and my pants on my head.
i threw together a rough list that is kept vaguely updated: https://twitter.com/zylche/lists/security

given it's 2017 it's v hard to separate politics from pure sec feed though
