Despite all the attention currently focused on Windows computers being infected with WannaCry ransomware, a defensive strategy has been overlooked. This being a Defensive Computing blog, I feel the need to point it out.
The story being told everywhere else is simplistic and incomplete. Basically, the story is that Windows computers without the appropriate bug fix are getting infected over the network by WannaCry ransomware and the Adylkuzz cryptocurrency miner.
We are accustomed to this story. Bugs in software need patches. WannaCry exploits a bug in Windows, so we need to install the patch. For a couple of days, I, too, subscribed to this knee-jerk theme. But there is a gap in this simplistic take on the issue. Let me explain.
The bug has to do with input data being processed incorrectly.
If a Windows computer that supports version 1 of the Server Message Block (SMB) file-sharing protocol is listening on the network, bad guys can send it specially crafted malicious data packets that an unpatched copy of Windows does not handle correctly. This mistake allows bad guys to run a program of their choosing on the computer.
As security flaws go, this is as bad as it gets. If one computer in an organization gets infected, the malware can propagate itself to vulnerable computers on the same network.
Overlooked is that a Windows computer that uses version 1 of the SMB protocol does not have to accept unsolicited incoming packets of data.
Those that don’t are safe from network-based infection. Not only are they protected from WannaCry and Adylkuzz, but also from any other malicious software looking to exploit the same flaw.
If unsolicited incoming SMB v1 data packets are not processed, the Windows computer is safe from network-based attack – patch or no patch. The patch is a good thing, but it’s not the only defense.
To make an analogy, consider a castle. The bug is that the wooden front door of the castle is weak and easily broken down with a battering ram. The patch hardens the front door. But, this ignores the moat outside the castle walls. If the moat is drained, the weak front door is indeed a big problem. But, if the moat is filled with water and alligators, then the enemy can’t get to the front door in the first place.
The Windows firewall is the moat. All we need to do is block TCP port 445. Like Rodney Dangerfield, the Windows firewall gets no respect.
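Here is the moat in practice, as an added PowerShell example that is not from the original post. It checks what is listening on TCP 445, reports whether the SMB v1 server protocol is still enabled, creates an inbound block rule for port 445 in the Windows firewall on every network profile, confirms the firewall itself is switched on, and then reads the rule back to verify it. It assumes Windows 8 / Server 2012 or later (the NetSecurity and SmbShare modules) and an elevated prompt; the rule name is my own choice. Note that the rule blocks only inbound connections, so the machine can still open other computers’ shares, but other machines (legitimate ones included) can no longer reach shares on this one.

```powershell
#Requires -RunAsAdministrator
# Added example: block unsolicited inbound SMB (TCP 445) with the built-in Windows firewall.
# Assumes Windows 8 / Server 2012 or later; the rule name below is a hypothetical choice.

$RuleName = 'Defensive Computing - Block inbound SMB (TCP 445)'

# 1. Is anything listening on TCP 445 right now? (The SMB server normally is.)
$listener = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
if ($listener) {
    Write-Host ("TCP 445 is listening (owning PID: {0})." -f ($listener.OwningProcess -join ', '))
} else {
    Write-Host 'Nothing is listening on TCP 445.'
}

# 2. Report whether the SMB v1 server protocol is still enabled on this machine.
$smb = Get-SmbServerConfiguration
Write-Host ("SMB1 server protocol enabled: {0}" -f $smb.EnableSMB1Protocol)

# 3. Create the inbound block rule once, for all three firewall profiles
#    (Domain, Private, Public), so it applies whatever network the machine joins.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block -Profile Any -Enabled True | Out-Null
    Write-Host "Created firewall rule '$RuleName'."
} else {
    Write-Host "Firewall rule '$RuleName' already exists."
}

# 4. A rule in a switched-off firewall does nothing, so check each profile is enabled.
Get-NetFirewallProfile | ForEach-Object {
    Write-Host ("Firewall profile {0}: enabled = {1}" -f $_.Name, $_.Enabled)
}

# 5. Read the rule back and confirm it is enabled, blocks, and carries the expected port filter.
$rule = Get-NetFirewallRule -DisplayName $RuleName
$port = $rule | Get-NetFirewallPortFilter
Write-Host ("Rule enabled: {0}; action: {1}; protocol: {2}; local port: {3}" -f `
    $rule.Enabled, $rule.Action, $port.Protocol, $port.LocalPort)
```

Run it from an elevated PowerShell prompt. If step 4 shows a profile with the firewall disabled (a third-party security suite will sometimes do that), the new rule protects nothing on that profile until the Windows firewall, or an equivalent rule in the replacement product, is turned on.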
GOING AGAINST THE GRAIN
It is monumentally disappointing that no one else has suggested the Windows firewall as a defensive tactic.
That the mainstream media gets things wrong when it comes to computers is old news. I blogged about this back in March (Computers in the news — how much can we trust what we read?).
When much of the advice offered by the New York Times, in How to Protect Yourself From Ransomware Attacks, comes from a marketing person for a VPN company it fits a pattern. Many computer articles in the Times are written by someone without a technical background. The advice…