NSA Cybersecurity Advisory: Patch Remote Desktop Services on Legacy Windows (nsa.gov)
78 points by PatrolX on June 5, 2019 | 34 comments


In order to increase resilience against this threat while large networks patch and upgrade, there are additional measures that can be taken

I'd say those are the first things that should be done, regardless of the presence of exploits; exposing a port/listening service to the Internet you don't need, especially one that can remotely give complete control to an attacker, is always a bad idea. Fortunately the majority of computers out there are probably behind a NAT, which helps greatly to keep them from being hacked remotely.

Disable Remote Desktop Services if they are not required. Disabling unused and unneeded services helps reduce exposure to security vulnerabilities overall and is a best practice even without the BlueKeep threat.

Very good advice --- too bad latest Windows versions have not-so-clearly-described tons of services running by default, many of which phone home in some way, and some of which are nearly impossible to disable...


It's pretty amazing that there are over 900k accessible vulnerable endpoints sitting there waiting to be attacked. This is why they're freaking out about it.

Source: https://blog.erratasec.com/2019/05/almost-one-million-vulner...

Eventually someone will wormify that vuln in a few weeks or months and it's going to be a big mess when it happens.


It’s hard to run a Windows server remotely without RDP. Most remote administration tools are terrible. Stupid things like: you can’t update Windows using remote PowerShell (which also takes ages to come online after the machine has booted).

Rather than disabling RDP, which I think is unrealistic, I think a simple way to greatly increase security is to set up an IP whitelist. Have a list stored in a secure and reliable location (an S3 bucket, for instance) and a script running every 5 minutes, looking for changes to that list. If it changed, run a simple command to update the remote IP restriction on all the administrative services in the Windows firewall.

No solution is bullet proof, but this allows you to manage the server remotely with very little inconvenience, without requiring you to set up a VPN or an internal network, and goes a long way to reduce the exposure to vulnerabilities and brute force attacks.

I would do the same thing with IPMI.
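The polling script the comment above describes, written out as an added example (this is not code from the thread or from the NSA advisory). It assumes the allowlist is a plain-text file with one IPv4 address or CIDR per line, served over HTTPS from a location you control (the URL below is a placeholder), and that the script runs as a scheduled task every 5 minutes under an administrator account. It applies the list to the built-in "Remote Desktop" and "Windows Remote Management" firewall rule groups and refuses to apply an empty or wildcard list, since that would either lock every administrator out or reopen the port to the whole Internet.

```powershell
# Added example, not code from the thread: poll an IP allowlist and push it into the
# Windows Firewall rules that accept RDP and WinRM. Assumptions: the list is a plain-text
# file, one IPv4 address or CIDR per line ('#' lines are comments), served over HTTPS
# from a location you control (the URL below is a placeholder), and this script runs as
# a scheduled task every 5 minutes under an administrator account.
$ListUrl    = 'https://example-bucket.s3.amazonaws.com/admin-allowlist.txt'  # placeholder
$CachePath  = 'C:\ProgramData\admin-allowlist\current.txt'
$RuleGroups = @('Remote Desktop', 'Windows Remote Management')  # built-in display groups

function Get-Allowlist {
    param([string]$Url)
    # Any transport error throws, and the caller keeps the rules already in place.
    $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 20
    $entries = @($resp.Content -split "`r?`n" |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and -not $_.StartsWith('#') })

    # Accept only IPv4 addresses or CIDR ranges. A malformed or wildcard entry aborts the
    # run rather than silently producing a rule that admits the whole Internet.
    $cidr = '^(\d{1,3}\.){3}\d{1,3}(/\d{1,2})?$'
    foreach ($e in $entries) {
        if ($e -notmatch $cidr) { throw "Rejected allowlist entry: '$e'" }
        if ($e -match '/0$')    { throw "Refusing wildcard entry: '$e'" }
    }
    # An empty list would lock every administrator out; treat it as an error too.
    if ($entries.Count -eq 0) { throw 'Allowlist is empty; not applying it.' }
    return @($entries | Sort-Object -Unique)
}

function Set-AdminAllowlist {
    param([string[]]$Allowed)
    # -RemoteAddress replaces the rule's whole remote scope, so after this call the
    # inbound RDP/WinRM rules match only the listed sources.
    foreach ($group in $RuleGroups) {
        Get-NetFirewallRule -DisplayGroup $group -Direction Inbound |
            Set-NetFirewallRule -RemoteAddress $Allowed
    }
}

try {
    $new = Get-Allowlist -Url $ListUrl
    $old = if (Test-Path $CachePath) { @(Get-Content $CachePath) } else { @() }
    if (($old -join ',') -ne ($new -join ',')) {
        Set-AdminAllowlist -Allowed $new
        New-Item -ItemType Directory -Force -Path (Split-Path $CachePath) | Out-Null
        Set-Content -Path $CachePath -Value $new
        Write-Output "Applied allowlist with $($new.Count) entries: $($new -join ', ')"
    }
}
catch {
    # Fail closed: the previous restriction stays in force and the failure is surfaced.
    Write-Warning "Allowlist not applied: $($_.Exception.Message)"
    exit 1
}
```

Run the first apply from a console session or from an address that is already on the list, because it drops any RDP session coming from an unlisted source; afterwards `Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Get-NetFirewallAddressFilter` shows the scope actually in force. The script only touches rules in those two display groups, so a host that exposes RDP through a custom rule on 3389 needs that rule added to `$RuleGroups` (or handled by display name), and addresses on the list must be static for this to stay usable.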


I'm not a sysadmin, but it seems even safer and easier to 1) keep Windows behind NAT, 2) ssh port forward through UFW on a cheap Linux box.


If you have the luxury to do that, but if you run a VM, or a single box in colocation, or rent a physical server, that may not be an option. My point is introducing an IP whitelist inside the server doesn't require changing the physical setup, nor any current process relying on the server being directly accessible. It's a low cost quick win.


Even nat won't save you. Most NAT assumes unlimited outbound 0.0.0.0/0 tcp/udp/icmp . Almost all configuration is that permissive.

And I just need 1 packet to puncture.

https://samy.pl/pwnat/


NAT traversal is possible if you happen to be in control of the machines behind the NAT --- that's not very relevant here, since it requires running a special server on the machine you want to exploit (and if you can already do that, i.e. run code on the machine, then there's no point in exploiting RDP...)

The scenario I'm referring to, and the one the article describes, is a remote attacker trying to connect to port 3389 of a machine behind a NAT --- without being able to already access the machine in the first place. In other words: you have a public IP X; there's a machine with private IP Y (which you don't know but may be able to guess easily) behind its NAT. No ports are forwarded. You have no access to the machine. How do you establish a connection to port 3389 (or for that matter, any other listening port) on it?


They probably meant to say that most were behind a firewall. NAT is not any sort of particular protection against anything. Because NAT almost always comes with a firewall there is a tendency to conflate the two things.


The fact that NSA does so little for cybersecurity is telling. When they say patch something, it probably means it should be national emergency.


It means that it’s good to have a backdoor you can use, it’s bad if your enemy can also use it. So the moment NSA pushes you to patch it’s because it’s no longer exclusive to them so the backdoor is no longer an asset but a liability.


Right, so...patch it


That goes without saying. If even the NSA is warning it means the fix was out for quite some time and postponing is rarely (if ever) a net positive.

I was just providing my take on when and why would NSA warn for this.


I know we should always assume good faith.

From all the vulnerabilities they know, they chose to publish one that's known and only concerns outdated software. Maybe I'm too skeptical but when the NSA starts leaking fixes for zero day exploits, I'll take them more seriously.


That’s kinda like saying you’ll only take google seriously when they start releasing their SERP algorithms.

Zero-days are far more useful to them as exploitable points of entry as opposed to patches.


That suggests to me that there's a conflict of interest in the NSA's mission.

Perhaps it's not wise to have the same organization looking after both the defensive aspects of our security, AND also offensive espionage operations.


I can't exactly say that I trust NSA, and I don't doubt that they have knowledge of vulnerabilities that they aren't releasing.

But I still don't see how that could be a reason to not take this warning seriously.

I think that the cynical view of this would rather be that they consider the potential harm from someone they don't like making a 1m machine botnet from this to be greater than the benefit they get from themselves making a 1m machine botnet.


Maybe you're right and I'm too cynical, but I see this more like a PR piece to attract talent to their organization.

I think the NSA has a real image problem. They released ghidra. They admitted it was a recruitment tool. They now release this warning which basically tells us to update our software. Anyways, if they really want to improve their image, they need to release zero day exploits and prove it's not just an offensive but also a defensive agency.

The release of an exploitable bug might deny them a couple of targets but will protect millions.


Why would they leak vulnerabilities they've spent millions of dollars to find? Seems like that would be a waste of money with zero benefit to their mission.


The NSA and GCHQ are really concerned about the BlueKeep vulnerability.

It has the potential to do some serious damage.


The advisory links to https://www.nsa.gov/Portals/70/documents/what-we-do/cybersec... (PDF)

I really wonder what the utility for that distribution form is, are there people printing these out? Or is there some requirement for them to generate a document ID that they could not get for plain web/HTML documents?


Do you mean to ask why is the same content published in PDF format? I quite like PDFs these days. Self-contained, archiveable, readable, sane layout, JavaScript-free, (usually) ad/cookie/tracking-free, no social media sharing buttons... the only drawback is no/poor reflow of text to fit device screen size. But I’ll live with that.


Kind of, mainly since the PDF looks different enough that it implies manual effort being involved. It felt like an odd choice but I get your points, might just be me then. Thanks.


Because the NSA has an unknown exploit on Adobe Acrobat PDF Reader, and therefore wants as many downloads of this malicious PDF as possible. From people like us, in positions like us.

/s....?


Who has the fear of visiting a URL owned by a three letter agency known for nefarious spying activities?

I do!

So here is a third party report for anyone else that views three letter agency URLs as having all the appeal of a trip to a virtual leper colony:

https://www.zdnet.com/article/even-the-nsa-is-urging-windows...


I can almost picture the NSA staff meeting: "Let's bait Hacker News randos by issuing an advisory about a nearly internet-wide vulnerability that gives unrestricted access to Windows computers. Then, when they visit our website to learn more, we'll nab them!"

Thanks for taking a bullet for the team on this one, Internet stranger.


Reminds me of the UK UFO trap story. In the UK it's illegal to listen to police on scanners so detectives transmitted a hoax radio message about a UFO landing near Doncaster, South Yorkshire, then arrested several people who turned up at the spot, charging them with illegally using scanners to monitor police radio transmissions.


Sounds slightly similar to the boat sweepstakes story.

Some cops somewhere decided to send a letter to everyone who had a warrant stating they had won a boat. To make sure they didn’t immediately run, they went through a couple of fake formalities like pictures and such until they opened the door to the boat garage. Inside were uniformed officers waiting to make the arrest.


If this was a story on a paywalled site and I had a non paywall link then I would share it for the benefit of others.

Similarly, if a story is on a website owned by paranoid people with a track record of harm I would prefer to read a third party report. I don't believe I am alone in that.


Can't trick me into installing your backdoor patch!


You're not important enough to waste a 0day on.


If the NSA was planning to hack you, it wouldn't be via you visiting NSA.gov


You can totally trust our advice for all your digital security needs.

- your friendly neighborhood intelligence agency.


You don't trust NSA, so you're going to not patch your systems? Are you worried that the patch is a delivery vehicle for their APT implants?


I'm not worried about anything. Just that an organization whose prime objective it is to hack, exploit, cheat, deceive, and exfiltrate has no place giving advice to the general public.

