The ancient Microsoft networking protocol at the core of the latest global malware attack

Credit to Author: Preston Gralla| Date: Thu, 06 Jul 2017 03:20:00 -0700

Another day, another global malware attack made possible by a Microsoft security hole. Once again, attackers used hacking tools developed by the U.S. National Security Agency (NSA), which were stolen and subsequently released by a group called Shadow Brokers.

This time around, though, the late-June attack apparently wasn’t ransomware with which the attackers hoped to make a killing. Instead, as The New York Times noted, it was likely an attack by Russia on Ukraine on the eve of a holiday celebrating the Ukrainian constitution, which was written after Ukraine broke away from Russia. According to the Times, the attack froze “computers in Ukrainian hospitals, supermarkets, and even the systems for radiation monitoring at the old Chernobyl nuclear plant.” After that, it spread worldwide. The rest of the world was nothing more than collateral damage.

The NSA bears a lot of responsibility for this latest attack because it develops these kinds of hacking tools and frequently doesn’t tell software makers about the security holes they exploit. Microsoft is one of many companies that have beseeched the NSA not to hoard these kinds of exploits. Brad Smith, Microsoft’s president and chief legal officer, has called on the NSA “to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits” and stop stockpiling them.

Smith is right. But once again, a global malware attack exploited a serious insecurity in Windows, this time a nearly 30-year-old networking protocol called SMB1 that even Microsoft acknowledges should no longer be used by anyone, anywhere, at any time.

First, a history lesson. The original SMB (Server Message Block) networking protocol was designed at IBM for DOS-based computers nearly 30 years ago. Microsoft combined it with its LAN Manager networking product around 1990, added features to the protocol in its Windows for Workgroups product in 1992, and continued using it in later versions of Windows, up to and including Windows 10.

Clearly, a networking protocol designed originally for DOS-based computers, then combined with a nearly 30-year-old networking system, is not suitable for security in an internet-connected world. And to its credit, Microsoft recognizes that and is planning to kill it. But a lot of software and enterprises use the protocol, and so Microsoft hasn’t yet been able to do it in.

Microsoft engineers hate the protocol. Consider what Ned Pyle, principal program manager in the Microsoft Windows Server High Availability and Storage group, had to say about it in a prescient blog in September 2016:

“Stop using SMB1. Stop using SMB1. STOP USING SMB1!… The original SMB1 protocol is nearly 30 years old, and like much of the software made in the 80’s, it was designed for a world that no longer exists. A world without malicious actors, without vast sets of important data, without near-universal computer usage. Frankly, its naivete is staggering when viewed though modern eyes.”

Back in 2013, Microsoft announced it would eventually kill SMB1, saying the protocol was “planned for potential removal in subsequent releases.” That time is almost here. This fall, when the Windows 10 Fall Creators Update is released, the protocol will finally be removed from Windows.

But enterprises shouldn’t wait for then. They should remove the protocol right away, just as Pyle recommends. Before doing that, they would do well to read the SMB Security Best Practices document, put out by US-CERT, which is run by the U.S. Department of Homeland Security. It suggests disabling SMB1, and then “blocking all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139, for all boundary devices.”

As for how to disable SMB1, turn to a useful Microsoft article, “How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server.” Note that Microsoft recommends keeping SMB2 and SMB3 active, and only deactivating them for temporary troubleshooting.

An even better source for killing SMB1 is the TechNet article “Disable SMB v1 in Managed Environments with Group Policy.” It is the most up-to-date article available and more comprehensive than others.

Turning off SMB1 will do more than protect your enterprise against next global malware infection. It will also help keep your company safer against hackers who specifically target it and not the entire world.

http://www.computerworld.com/category/security/index.rss