Schneier on Security

Clive Robinson • August 16, 2024 10:29 AM

@ ALL,

Whilst various people such as the security researcher are saying,

“Considering its harm, I will not disclose more details in the short term
“

It’s already effectively disclosed by the patch, that almost certainly has been reversed engineered by now.

So I suspect attacks are either “in progress” or “will be soon”.

The problem is that Microsoft has a long history of “patches with problems” so there is justifiable hesitancy around “Mission Critical Systems”.

Knowing the history of Microsoft and it’s acquired network code and subsequent additions I suspect that there is a reasonable probability this goes back a ways in time…

Thus those running “nolonger supported” MS OS’s might find they are going to get bitten.

For various reasons people should think about getting experience of proficiency of “segregation by layers”.

One such is run a *nix as the base OS and run MS OS’s in VM’s on it and then run your apps there.

If that will help as a mitigation in this case is “unknown” untill we “know more” but I doubt that it will make things worse.

Ultimately “pulling the plug” on external communications will be an effective mitigation. But from an “MBA in Management” perspective that will potentially be against the business being agile etc.

Hopefully enough people will patch or mitigate to prevent this popping up on the “Top Ten Most Unwanted” worms/malware but I guess we will have to wait and see.

Clive Robinson • August 17, 2024 8:26 AM

@ , ALL,

Re : CyberStrike SNAFU.

As you note,

“With the Crowdstrike snafu only a couple of weeks ago Windows users are going to be conflicted.”

But CrowdStrike is just the latest in a long stream of such patch and update issues.

Which is why the traditional advice was have a “lab” separate to your live systems where you did a

“Cautious add and test deeply before deployment.”

Which in general non adversarial or opponent with agency scenarios is the sensible way to proceed.

But now opponents with agency are apparently able to turn an update / patch release into a working attack or get an attack out within an hour or less of patch release things have changed somewhat.

It can be argued quite reasonably from a technical aspect the sensible thing is still to “use a test lab”, only now you use a “hard mitigation” of “Go off line” untill the tests are completed.

However that plays merry hell with the availability figures, and the way things are going currently with malware etc your systems would be unavailable for ever increasing periods and possibly upto half the time already…

One partial solution to the frequency of hard mitigations is to significantly reduce complexity of the hosts.

However as far as commercial / consumer OS and Apps are concerned the Software Industry want’s to needlessly drive up complexity for shall we call it “Marketing Reasons”.

Thus we get a game of “Russian Roulette” played on mass virtually every day with the not unexpected result that “sometimes the hammer drops and a scream in the night is heard”.

Thus people are actively asking at one end of the scale,

How to reduce complexity and thus the likelihood any configuration is vulnerable.

And at the other end,

On the assumption they will be hit, how they reduce the risk to little more than annoyance.

As with most things that sit on a scale or in a spectrum, there is a “sweet-spot” that moves as things change, so it’s an ever changing game of catch up you can never win called “A red Queen’s Race” or “The hamster wheel of pain” depending on your background and current state of your spleen which leaves open the door on some more choice phrases that are very much NSFW.

The obvious answer is to direct the pain to where it originates, but those senior execs in the Software Industry put a lot of effort and resources into ensuring that does not happen, and I’m sure the legislators et al are most thankful for that.

Thus the question arises as to where the pain threshold is for them. That is at what point does the harm they cause so rile society that the call for this madness to stop gets to a point where things have to be done.

We are at a point with Alphabet/Google where an opportunity exists, but past history suggests that the ball will be dropped in return for a few meaningless headlines and a small fraction of profits as a fine that will just be written off against taxes one way or another.