tao Posted May 22, 2017

Chinese company creates app to search for NSA security flaws

The WannaCry ransomware that affected thousands of computers across the world was based on a vulnerability stolen from the NSA by the hacking group Shadow Brokers, who decided to publish it online earlier this year. Furthermore, the same hacking group also revealed some other vulnerabilities that the NSA was holding and believed to be using for breaking into computers across the world, and there's a good chance the agency owns more security flaws that haven't yet been made public.

This is why security company Qihu developed the so-called 360 NSA Cyber Weapons Defense tool, an application whose purpose is to scan your computer and determine whether it's vulnerable to any of the known vulnerabilities that were previously used by the NSA.

Scanning for NSA vulnerabilities

This involves the EternalBlue exploit, which was used for WannaCry, but also a bunch of other tools used in cyber attacks across the world, like EternalChampion, EternalRomance, and EternalSynergy.

"Attackers with these NSA cyber weapons can break into more than 70% of the Windows systems in the world. An unpatched PC may be infected as soon as it connects to the Internet even without any click on a link or a file," the security company explains.

The application can scan your computer to see if it's fully patched to block all known vulnerabilities, and if any security flaws are found, it automatically downloads and installs the updates to keep you secure. What's more, an Internet connection is not needed, so you can patch the system without actually going online and thus exposing yourself to any risk of getting infected.

Without a doubt, some users might be worried that a Chinese company is building a software solution to block the NSA's hacking tools, but it's one very easy method to search for any vulnerabilities that might expose your system when going online.

As usual, you can download the 360 NSA Cyber Weapons Defense tool from Softpedia, and keep in mind that an admin account is needed to patch your system. < Here >
PriSim Posted May 22, 2017

And what if this tool deploys the NSA's bloatware itself? One thing more: when they really want to take you down, there is nothing that can save you from them. Happy computing!
steven36 Posted May 22, 2017

LOL, the NSA is only part of the problem. Once you get the NSA out, how do you get rid of the baked-in spies from Microsoft? Windows 10 Enterprise ignores various privacy settings: https://twitter.com/m8urnett/status/866353982217699328
Togijak Posted May 22, 2017

And how does this 135 MB tool remove hardware backdoors?
tao (Author) Posted May 22, 2017

55 minutes ago, PriSim said:
    And what if this tool deploys the NSA's bloatware itself?

From the iNet:

Whatif by Shel Silverstein

Last night, while I lay thinking here,
some Whatifs crawled inside my ear
and pranced and partied all night long
and sang their same old Whatif song:
Whatif I'm dumb in school?
Whatif they've closed the swimming pool?
Whatif I get beat up?
Whatif there's poison in my cup?
Whatif I start to cry?
Whatif I get sick and die?
Whatif I flunk that test?
Whatif green hair grows on my chest?
Whatif nobody likes me?
Whatif a bolt of lightning strikes me?
Whatif I don't grow taller?
Whatif my head starts getting smaller?
Whatif the fish won't bite?
Whatif the wind tears up my kite?
Whatif they start a war?
Whatif my parents get divorced?
Whatif the bus is late?
Whatif my teeth don't grow in straight?
Whatif I tear my pants?
Whatif I never learn to dance?
Everything seems well, and then
the nighttime Whatifs strike again!

Cheers!
Batu69 Posted May 22, 2017

Here is another tool to scan for WannaCryptor, WannaCry and EternalBlue: http://support.eset.com/alert6442/#eternalblue

Topic moved from Guides & Tutorials forum.
Recruit Posted May 22, 2017

Extra crap is not needed anymore. Open PowerShell as admin and type:

    Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol

It should appear like below:

Greetings,
edwardecl Posted May 22, 2017

Removing NSA spyware from Windows 10, you say? Laughs. I suppose you could pull the network cable.
BioHazard Posted May 22, 2017

47 minutes ago, edwardecl said:
    Removing NSA spyware from Windows 10, you say? Laughs. I suppose you could pull the network cable.

That works 100%.

Edit: I forgot to turn off WiFi.
Rony Posted May 22, 2017

Disable SMB1 through PowerShell as admin:

    Set-SmbServerConfiguration -EnableSMB1Protocol $false
straycat19 Posted May 23, 2017

12 hours ago, Recruit said:
    Extra crap is not needed anymore. Open PowerShell as admin and type:
    Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol

I was asked about SMB3. Because SMB2 and SMB3 share the same stack, whatever you do to SMB2 will also apply to SMB3. You can also manage the configuration through a registry edit, through a Group Policy edit, the service controller, or through various versions of PowerShell.

Windows 8 commands

You do not have to restart the computer after you run the Set-SmbServerConfiguration cmdlet.

To obtain the current state of the SMB server protocol configuration, run the following cmdlet:

    Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol

To disable SMBv1 on the SMB server, run the following cmdlet:

    Set-SmbServerConfiguration -EnableSMB1Protocol $false

To disable SMBv2 and SMBv3 on the SMB server, run the following cmdlet:

    Set-SmbServerConfiguration -EnableSMB2Protocol $false

To enable SMBv1 on the SMB server, run the following cmdlet:

    Set-SmbServerConfiguration -EnableSMB1Protocol $true

To enable SMBv2 and SMBv3 on the SMB server, run the following cmdlet:

    Set-SmbServerConfiguration -EnableSMB2Protocol $true

Windows 7 (Windows PowerShell 2.0 or a later version of PowerShell)

To disable SMBv1 on the SMB server, run the following cmdlet:

    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

To disable SMBv2 and SMBv3 on the SMB server, run the following cmdlet:

    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 0 -Force

To enable SMBv1 on the SMB server, run the following cmdlet:

    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 1 -Force

To enable SMBv2 and SMBv3 on the SMB server, run the following cmdlet:

    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 1 -Force

Note: You must restart the computer after you make these changes.

Registry edit

To enable or disable SMBv1 on the SMB server, configure the following registry key:

    Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    Registry entry: SMB1
    REG_DWORD: 0 = Disabled
    REG_DWORD: 1 = Enabled
    Default: 1 = Enabled

To enable or disable SMBv2 on the SMB server, configure the following registry key:

    Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    Registry entry: SMB2
    REG_DWORD: 0 = Disabled
    REG_DWORD: 1 = Enabled
    Default: 1 = Enabled

Windows 7 and 8 service controller

To disable SMBv1 on the SMB client, run the following commands:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
    sc.exe config mrxsmb10 start= disabled

To enable SMBv1 on the SMB client, run the following commands:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
    sc.exe config mrxsmb10 start= auto

To disable SMBv2 and SMBv3 on the SMB client, run the following commands:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb10/nsi
    sc.exe config mrxsmb20 start= disabled

To enable SMBv2 and SMBv3 on the SMB client, run the following commands:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
    sc.exe config mrxsmb20 start= auto

Notes: You must run these commands at an elevated command prompt. You must restart the computer after you make these changes.

Group Policy

Disable SMBv1 server with Group Policy

This will configure the following new item in the registry:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    Registry entry: SMB1
    REG_DWORD: 0 = Disabled

To configure this using Group Policy:

1. Open the Group Policy Management Console.
2. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.
3. In the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.
4. Right-click the Registry node, point to New, and select Registry Item.
5. In the New Registry Properties dialog box, select the following:

    Action: Create
    Hive: HKEY_LOCAL_MACHINE
    Key Path: SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    Value name: SMB1
    Value type: REG_DWORD
    Value data: 0

This disables the SMBv1 server components. This Group Policy needs to be applied to all necessary workstations, servers, and domain controllers in the domain.

Disable SMBv1 client with Group Policy

To disable the SMBv1 client, the services registry key needs to be updated to disable the start of MRxSMB10, and then the dependency on MRxSMB10 needs to be removed from the entry for LanmanWorkstation so that it can start normally without requiring MRxSMB10 to first start.

This will update and replace the default values in the following 2 items in the registry:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mrxsmb10
    Registry entry: Start
    REG_DWORD: 4 = Disabled

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation
    Registry entry: DependOnService
    REG_MULTI_SZ: "Bowser","MRxSmb20","NSI"

Note: The default included MRxSMB10, which is now removed as a dependency.

To configure this using Group Policy:

1. Open the Group Policy Management Console.
2. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.
3. In the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.
4. Right-click the Registry node, point to New, and select Registry Item.
5. In the New Registry Properties dialog box, select the following:

    Action: Update
    Hive: HKEY_LOCAL_MACHINE
    Key Path: SYSTEM\CurrentControlSet\services\mrxsmb10
    Value name: Start
    Value type: REG_DWORD
    Value data: 4

6. Then remove the dependency on the MRxSMB10 that was just disabled. In the New Registry Properties dialog box, select the following:

    Action: Replace
    Hive: HKEY_LOCAL_MACHINE
    Key Path: SYSTEM\CurrentControlSet\Services\LanmanWorkstation
    Value name: DependOnService
    Value type: REG_MULTI_SZ
    Value data:
        Bowser
        MRxSmb20
        NSI

The default value includes MRxSMB10 in many versions of Windows, so by replacing them with this multi-value string, it is in effect removing MRxSMB10 as a dependency for LanmanServer and going from four default values down to just these three values above.

Note: When using Group Policy Management Console, there is no need to use quotation marks or commas. Just type each entry on individual lines as shown above.

Reboot required

After the policy has applied and the registry settings are in place, the targeted systems must be rebooted before SMB v1 is disabled.
JeffDunhill Posted May 23, 2017

I ain't going for that free tool after reading the latest post by Cracken! These policy tweaks seem really great to me though.