[tor-relays] WannaCry fallout FYI

niftybunny abuse at to-surf-and-protect.net
Sun May 14 22:56:56 UTC 2017


The last time I checked .onion domains don’t need exits. Every Tor node can be a chain of the path to the .onion domain. So it is completely pointless to block all the exits and second: Exits are the end of the chain to the “normal” internet, if you don’t want outgoing Tor traffic from your internal network you fucking block guards and entry/middle nodes not exits …. btw, good luck with blocking all guards …. 

niftybunny
abuse at to-surf-and-protect.net

Where ignorance is bliss, 'Tis folly to be wise.
Thomas Gray 

PS: >In accordance with known best practices, any organization who has SMB publically accessible via the internet (ports 139, 445) should immediately block inbound traffic.

WTF?!??!?!??!?!? WHY WOULD YOU EVEN ALLOW SMB TRAFFIC FROM UNTRUSTED INTERNET SOURCES INTO YOUR NETWORK????? WHYYYY?????


> On 15. May 2017, at 00:08, Mirimir <mirimir at riseup.net> wrote:
> 
> On 05/14/2017 08:54 AM, niftybunny wrote:
>>> Known TOR exit nodes are listed within the Security Intelligence
>>> feed of ASA Firepower devices. Enabling this to be blacklisted
>>> will prevent outbound communications to TOR networks.
>> Wait, what?
> 
> | WanaCrypt0r will then download a TOR client from
> | https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
> | and extract it into the TaskData folder.  This TOR client is used to
> | communicate with the ransomware C2 servers at gx7ekbenv2riucmf.onion,
> | 57g7spgrzlojinas.onion, xxlvbrloxvriy2c5.onion,
> | 76jdd2ir2embyv47.onion, and cwwnhwhlz52maqm7.onion.
> 
> https://www.bleepingcomputer.com/news/security/wana-decryptor-wanacrypt0r-technical-nose-dive/
> 
> Sad but true.
> 
> But what they want to block are guards and directory servers. But their
> list will probably include all relays, so whatever.
> 
> Longer term, it's pointless, because malware authors can just hard code
> bridges. Even custom unlisted bridges.
> 
>> niftybunny
>> abuse at to-surf-and-protect.net
>> 
>> Where ignorance is bliss, 'Tis folly to be wise.
>> 
>> Thomas Gray 
>> 
>>> On 14. May 2017, at 21:45, Jon Gardner <toradmin at brazoslink.net> wrote:
>>> 
>>> From the SNORT folks...
>>> 
>>> http://blog.talosintelligence.com/2017/05/wannacry.html?m=1 <http://blog.talosintelligence.com/2017/05/wannacry.html?m=1>
>>> 
>>> ".... Additionally, organizations should strongly consider blocking connections to TOR nodes and TOR traffic on network. Known TOR exit nodes are listed within the Security Intelligence feed of ASA Firepower devices. Enabling this to be blacklisted will prevent outbound communications to TOR networks."
>>> 
>>> <><
>>> Jon L. Gardner
>>> Mobile: +1 979-574-1189
>>> Email/Skype/Jabber: jon at brazoslink.net <mailto:jon at brazoslink.net>
>>> AIM/iChat/MSN: jlg at mac.com <mailto:jlg at mac.com>
>>> _______________________________________________
>>> tor-relays mailing list
>>> tor-relays at lists.torproject.org
>>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>> 
>> 
>> 
>> 
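As an added illustration of the two points made above (niftybunny's: .onion traffic never touches an exit, so an exit-only blocklist does not stop outbound Tor; Mirimir's: a consensus-derived list can never cover bridges), here is example code that is not part of this thread. It parses constructed "r"/"s" entries shaped like a Tor network-status consensus (the relay names, fingerprints and RFC 5737 addresses are made up) and shows which first hops an exit-only egress list actually covers versus a Guard-based one.

```python
from dataclasses import dataclass, field

# Constructed sample in the shape of consensus "r"/"s" lines; the relays,
# identity strings and documentation-range IPs are invented for this example.
SAMPLE_CONSENSUS = """\
r alpha AAAAAAAAAAAAAAAAAAAAAAAAAAA 2017-05-14 20:00:00 192.0.2.10 9001 9030
s Fast Guard HSDir Running Stable V2Dir Valid
r bravo BBBBBBBBBBBBBBBBBBBBBBBBBBB 2017-05-14 20:00:00 192.0.2.20 443 0
s Exit Fast Running Stable Valid
r charlie CCCCCCCCCCCCCCCCCCCCCCCCCCC 2017-05-14 20:00:00 198.51.100.5 9001 0
s Fast Running Stable Valid
r delta DDDDDDDDDDDDDDDDDDDDDDDDDDD 2017-05-14 20:00:00 203.0.113.7 9001 9030
s Exit Fast Guard Running Stable V2Dir Valid
"""


@dataclass
class Relay:
    nickname: str
    address: str
    or_port: int
    flags: set = field(default_factory=set)


def parse_consensus(text):
    """Collect relays from 'r' lines and attach the flags of the following 's' line."""
    relays = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r":
            # r nick identity [digest] date time IP ORPort DirPort; counting from
            # the end tolerates both the full and the microdescriptor consensus.
            relays.append(Relay(parts[1], parts[-3], int(parts[-2])))
        elif parts[0] == "s" and relays:
            relays[-1].flags = set(parts[1:])
    return relays


def block_targets(relays, role):
    """(IP, ORPort) pairs of relays carrying the given flag, e.g. 'Exit' or 'Guard'."""
    return {(r.address, r.or_port) for r in relays if role in r.flags}


def first_hop_coverage(relays, targets):
    """A Tor client's first hop is a Guard; return which guards a blocklist
    stops and which it misses. Bridges are not in the consensus at all,
    so no list built this way can cover them."""
    guards = block_targets(relays, "Guard")
    return guards & targets, guards - targets


def egress_rules(targets):
    """Render a blocklist as outbound iptables DROP rules."""
    return [f"iptables -A OUTPUT -d {ip} -p tcp --dport {port} -j DROP"
            for ip, port in sorted(targets)]
```

Running `first_hop_coverage` with the Exit-only list shows it stops only the relay that happens to be both Exit and Guard, while a pure guard like `alpha` stays reachable.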
