
NSA Cybersecurity Advisory: Patch Remote Desktop Services on Legacy Windows - PatrolX
https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/1865726/nsa-cybersecurity-advisory-patch-remote-desktop-services-on-legacy-versions-of/
======
userbinator
_In order to increase resilience against this threat while large networks
patch and upgrade, there are additional measures that can be taken_

I'd say those are the _first_ things that should be done, regardless of the
presence of exploits; exposing a port/listening service to the Internet you
don't need, especially one that can remotely give complete control to an
attacker, is always a bad idea. Fortunately the majority of computers out
there are probably behind a NAT, which helps greatly to keep them from being
hacked remotely.

_Disable remote Desktop Services if they are not required. Disabling unused
and unneeded services helps reduce exposure to security vulnerabilities
overall and is a best practice even without the BlueKeep threat._

Very good advice --- too bad latest Windows versions have not-so-clearly-
described tons of services running by default, many of which phone home in
some way, and some of which are nearly impossible to disable...
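
One way to carry out that "disable if not required" step, and to see what exposure a host still has, as an added example that is neither the advisory's nor any commenter's code. The function name and its -Disable switch are this example's own; the registry values, netstat and netsh usage are standard Windows ones.

```powershell
# Added example, not from the advisory or from any commenter: audit and, on request,
# disable Remote Desktop on a legacy Windows host (Windows 7 / Server 2008 era) while
# the BlueKeep patch is being rolled out. Uses only built-in registry values, netstat
# and netsh so it also runs under PowerShell 2.0. Run from an elevated session.
function Get-RdpExposure {
    param(
        # When set, disables Remote Desktop and the inbound "Remote Desktop"
        # firewall rule group, i.e. the advisory's "disable if not required" step.
        [switch]$Disable
    )
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = "$tsKey\WinStations\RDP-Tcp"

    # fDenyTSConnections = 1 means Remote Desktop connections are refused.
    $denyTs = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means Network Level Authentication is required, so a
    # client must authenticate before it reaches the pre-authentication RDP code.
    $nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    # Is anything listening on TCP 3389 right now? (netstat exists on every version.)
    $listening = [bool](netstat -an | Select-String -Pattern ':3389\s+\S+\s+LISTENING')

    $report = New-Object PSObject -Property @{
        RdpEnabled      = ($denyTs -ne 1)
        NlaRequired     = ($nla -eq 1)
        ListeningOn3389 = $listening
    }

    if ($Disable -and $report.RdpEnabled) {
        Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
        # Disable the inbound rule group too, so nothing accepts 3389 from the network.
        netsh advfirewall firewall set rule group="remote desktop" new enable=No | Out-Null
        $report.RdpEnabled = $false
    }
    return $report
}

# Report only; add -Disable on hosts where RDP is not required.
Get-RdpExposure
```

A host that reports RdpEnabled true, NlaRequired false and ListeningOn3389 true is the case the advisory is talking about; the registry change takes effect without a reboot, but existing sessions are not torn down.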

~~~
crankylinuxuser
Even NAT won't save you. Most NAT assumes unlimited outbound 0.0.0.0/0
tcp/udp/icmp. Almost all configurations are that permissive.

And I just need 1 packet to puncture.

[https://samy.pl/pwnat/](https://samy.pl/pwnat/)

~~~
userbinator
NAT traversal is possible if you happen to be in control of the machines
behind the NAT --- that's not very relevant here, since it requires running a
special server on the machine you want to exploit (and if you can already do
that, i.e. run code on the machine, then there's no point in exploiting
RDP...)

The scenario I'm referring to, and the one the article describes, is a remote
attacker trying to connect to port 3389 of a machine behind a NAT --- without
being able to already access the machine in the first place. In other words:
you have a public IP X; there's a machine with private IP Y (which you don't
know but may be able to guess easily) behind its NAT. No ports are forwarded.
You have no access to the machine. How do you establish a connection to port
3389 (or for that matter, any other listening port) on it?

------
sitkack
The fact that the NSA does so little for cybersecurity is telling. When they say
to patch something, it probably means it should be a national emergency.

~~~
close04
It means that it’s good to have a backdoor you can use, it’s bad if your enemy
can also use it. So the moment NSA pushes you to patch it’s because it’s no
longer exclusive to them so the backdoor is no longer an asset but a
liability.

~~~
beepboopbeep
Right, so...patch it

~~~
close04
That goes without saying. If even the NSA is warning, it means the fix has been out
for quite some time and postponing is rarely (if ever) a net positive.

I was just providing my take on when and why the NSA would warn about this.

------
nocturnial
I know we should always assume good faith.

From all the vulnerabilities they know, they chose to publish one that's known
and only concerns outdated software. Maybe I'm too skeptical but when the NSA
starts leaking fixes for zero day exploits, I'll take them more seriously.

~~~
save_ferris
That’s kinda like saying you’ll only take Google seriously when they start
releasing their SERP algorithms.

Zero-days are far more useful to them as exploitable points of entry as
opposed to patches.

~~~
CWuestefeld
That suggests to me that there's a conflict of interest in the NSA's mission.

Perhaps it's not wise to have the same organization looking after both the
defensive aspects of our security, AND also offensive espionage operations.

------
PatrolX
The NSA and GCHQ are really concerned about the BlueKeep vulnerability.

It has the potential to do some serious damage.

------
tastroder
The advisory links to [https://www.nsa.gov/Portals/70/documents/what-we-do/cybersec...](https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csa-bluekeep_20190604.pdf?ver=2019-06-04-123329-617) (PDF)

I really wonder what the utility of that distribution form is. Are there
people printing these out? Or is there some requirement for them to generate a
document ID that they could not get for plain web/HTML documents?

~~~
jl6
Do you mean to ask why is the same content published in PDF format? I quite
like PDFs these days. Self-contained, archiveable, readable, sane layout,
JavaScript-free, (usually) ad/cookie/tracking-free, no social media sharing
buttons... the only drawback is no/poor reflow of text to fit device screen
size. But I’ll live with that.

~~~
tastroder
Kind of, mainly since the PDF looks different enough that it implies manual
effort being involved. It felt like an odd choice but I get your points, might
just be me then. Thanks.

------
Theodores
Who has the fear of visiting a URL owned by a three letter agency known for
nefarious spying activities?

I do!

So here is a third party report for anyone else that views three letter agency
URLs as having all the appeal of a trip to a virtual leper colony:

[https://www.zdnet.com/article/even-the-nsa-is-urging-windows...](https://www.zdnet.com/article/even-the-nsa-is-urging-windows-users-to-patch-bluekeep-cve-2019-0708/)

~~~
idlewords
I can almost picture the NSA staff meeting: "Let's bait Hacker News randos by
issuing an advisory about a nearly internet-wide vulnerability that gives
unrestricted access to Windows computers. Then, when they visit our website to
learn more, we'll nab them!"

Thanks for taking a bullet for the team on this one, Internet stranger.

~~~
PatrolX
Reminds me of the UK UFO trap story. In the UK it's illegal to listen to
police on scanners so detectives transmitted a hoax radio message about a UFO
landing near Doncaster, South Yorkshire, then arrested several people who
turned up at the spot, charging them with illegally using scanners to monitor
police radio transmissions.

~~~
wil421
Sounds slightly similar to the boat sweepstakes story.

Some cops somewhere decided to send a letter to everyone who had a warrant
stating they had won a boat. To make sure they didn’t immediately run, they went
through a couple of fake formalities like pictures and such until they opened the
door to the boat garage. Inside were uniformed officers waiting to make the
arrest.

------
JudgeWapner
_You can totally trust our advice for all your digital security needs._

- your friendly neighborhood intelligence agency.

~~~
gruez
You don't trust NSA, so you're going to _not_ patch your systems? Are you
worried that the patch is a delivery vehicle for their APT implants?

~~~
JudgeWapner
I'm not worried about anything. Just that an organization whose prime
objective it is to hack, exploit, cheat, deceive, and exfiltrate has no place
giving advice to the general public.

