NSLIG – May 2017


Notes from the May 2017 Meeting

There was no regular Linux News video for the meeting because Nick Vespo was unable to be with us, but the fill-in video was recorded on 14th May and was just as interesting and very topical – it was about the current ransomware attack. The Wannacrypt attack was said to have affected more than 200,000 computers in 150 countries. European countries, including the United Kingdom, were most affected, and manufacturers and hospitals were severely affected.

The vast majority were machines using Windows XP or Vista, with a few that were using Windows 7 or Windows 8. Update — more recent analysis suggests many more Windows 7 systems were infected than were originally thought. No machines running Windows 10 or Linux are known to have been compromised at the time of writing.

The attack software was/is sophisticated, entering via a known but unpatched Windows vulnerability. Microsoft had issued a patch for the vulnerability in March, but the patch was not applicable to Windows XP. The apparent reason for many machines still using XP is their reliance on software written in the past that has not been updated to run in a Windows 10 environment. In some cases, it has not been possible to modify the software, in others it was thought too difficult or expensive. But the expense now comes in the form of a ransom demand for $300 per machine and the extra remediation costs. A temporary fix was found by a U.K.-based programmer, but it is not known how quickly the ransomware authors will respond.

In the Open Forum session that followed the video, discussion continued about the ransomware and its effects. There was particular interest in the propagation of the ransomware between interconnected machines, which was thought to be because of a security weakness in the SMB implementation. The overall message for users is to back up, back up and back up. If possible, disconnect the device used for backup from the network once the backup is complete.

After the social break (and it is not difficult to guess a major topic of conversation during the break), it was time for the main presentation of the evening when David Hatton spoke about and demonstrated the Lynis audit tool. Lynis started as a commercial project, but is now free to private users. The project gets its finance from charges to enterprise users. It can be downloaded from the project web site at https://cisofy.com/lynis and is open source. Linux is supported, along with a number of other operating systems, mostly those that have Unix as an ancestor.

Lynis can be installed in the normal manner by adding the lynis repository to the package manager sources. You can also download from the lynis website and install in any convenient directory. David installed Lynis in /usr/local, where it can be run by a user with superuser privileges. Lynis scans the system, and its scans are described as “opportunistic”, in that it looks for problems with installed components.

When run, lynis produces a large volume of output to the /var/log directory structure. The latest run will overwrite a previous run’s output, so if you want to keep older output the generated files should be copied to another convenient directory. Lynis makes suggestions about what should be changed, but the user must action the change if he/she agrees with the suggestion. In spite of the voluminous output, Lynis scans are quite quick.
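The two paragraphs above describe a small manual workflow: Lynis is installed outside the package manager, run with superuser privileges, and its output under /var/log is overwritten by the next run unless it is copied elsewhere. The POSIX shell helper below is an added example written for these notes; it is not code from the meeting, from David's demonstration, or from the Lynis project. It assumes Lynis's default output files are /var/log/lynis.log and /var/log/lynis-report.dat, and that the report file lists findings as `warning[]=` and `suggestion[]=` lines; the archive directory /var/backups/lynis and the test IDs in the sample data are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the NSLIG notes or the Lynis project): keep each
# Lynis run's output instead of letting the next run overwrite it, and pull a
# quick count of warnings and suggestions out of the archived report.
#
# Assumptions: Lynis writes /var/log/lynis.log and /var/log/lynis-report.dat,
# and the report lists findings as lines of the form
# "warning[]=TEST-ID|text|..." and "suggestion[]=TEST-ID|text|...".

# archive_lynis_output SRC_DIR DEST_DIR
# Copy the two Lynis output files from SRC_DIR into a fresh timestamped
# directory under DEST_DIR and print that directory's path.
# Returns 1 (and leaves nothing behind) when neither file exists.
archive_lynis_output() {
    src="$1"
    dest="$2"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    out="$dest/lynis-$stamp"
    n=0
    # Two runs within the same second must not share a directory.
    while [ -e "$out" ]; do
        n=$((n + 1))
        out="$dest/lynis-$stamp.$n"
    done
    mkdir -p "$out" || return 1
    copied=0
    for f in lynis.log lynis-report.dat; do
        if [ -f "$src/$f" ]; then
            cp -p "$src/$f" "$out/$f" || return 1
            copied=$((copied + 1))
        fi
    done
    if [ "$copied" -eq 0 ]; then
        rmdir "$out"
        return 1
    fi
    printf '%s\n' "$out"
}

# count_findings KIND REPORT_FILE
# Print how many "KIND[]=" lines (KIND is warning or suggestion) the report has.
count_findings() {
    kind="$1"
    report="$2"
    [ -f "$report" ] || { printf '0\n'; return 0; }
    # grep -c prints 0 but exits 1 when nothing matches; that is not an error here.
    grep -c "^${kind}\[\]=" "$report" || true
}

# Typical use as root: run the audit, then file the output away before the
# next run. Guarded so the file can be sourced without side effects.
if [ "${1:-}" = "run" ]; then
    lynis audit system
    archived=$(archive_lynis_output /var/log /var/backups/lynis) || exit 1
    echo "archived to $archived"
    echo "warnings: $(count_findings warning "$archived/lynis-report.dat")"
    echo "suggestions: $(count_findings suggestion "$archived/lynis-report.dat")"
fi
```

Run it as `sh lynis-archive.sh run` after each audit; the archived directories can then be compared with `diff` to see which suggestions were actioned between runs, which is the follow-up the notes describe the user having to do by hand.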

In the demonstration system there were several suggestions for changes to the SSH configuration, among others. David also ran the “rkhunter” tool – one of the lynis suggestions – to check for any rootkit on the system. It detailed all the types of rootkit it looked for and did not find. The attendees found the evening’s session very informative and interesting. They were also comforted by the knowledge that the chance of being infected with the current ransomware is very low. One of the benefits of using Linux.