Re: [tor-relays] WannaCry fallout FYI

2017-05-14 Thread grarpamp
On Sun, May 14, 2017 at 6:28 PM, Roger Dingledine  wrote:
> "Additionally, organizations should strongly consider [buying our
> fancy proprietary "threat intelligence" tools]. Enabling this to be
> blacklisted will prevent [thing that we're trying to scare you about
> without explaining, or even understanding ourselves]."

Did you have an epiphany about corporations, my friend?
Welcome.
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


Re: [tor-relays] WannaCry fallout FYI

2017-05-14 Thread niftybunny

> On 15. May 2017, at 01:42, Mirimir  wrote:
> 
> On 05/14/2017 11:56 AM, niftybunny wrote:
>> The last time I checked .onion domains don’t need exits. Every Tor
>> node can be a chain of the path to the .onion domain. So it is
>> completely pointless to block all the exits and second: Exits are
>> the end of the chain to the “normal” internet, if you don’t want
>> outgoing Tor traffic from your internal network you fucking block
>> guards and entry/middle nodes not exits
> 
> Ummm, that's basically what I said. It was stupid for the writer to say
> "exits". But you know that blacklists include all Tor relays.

Okay, they will overkill/overblock all nodes but they are out of luck with 
bridges. So it is pointless but they will feel better? Wow, much secure, so 
block, such ASL, wow!


> 
>> …. btw, good luck with blocking all guards ….
> 
> Guards are public, bro. But not all bridges, of course.

You are right, my bad.

> 
>> niftybunny
>> ab...@to-surf-and-protect.net 
>> 
>> Where ignorance is bliss, 'Tis folly to be wise.
>> Thomas Gray 
>> 
>> PS: >In accordance with known best practices, any organization
>> who has SMB publically accessible via the internet (ports
>> 139, 445) should immediately block inbound traffic.
>> 
>> WTF?!??!?!??!?!? WHY WOULD YOU EVEN ALLOW SMB TRAFFIC FROM
>> UNTRUSTED INTERNET SOURCES INTO YOUR NETWORK? WH?
> 
> Because you're a dumbass motherfucker ;)

Firewall default is to block all traffic. You have to allow this traffic. 
Without using a VPN this is a special case of stupid …

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] WannaCry fallout FYI

2017-05-14 Thread Mirimir
On 05/14/2017 11:56 AM, niftybunny wrote:
> The last time I checked .onion domains don’t need exits. Every Tor
> node can be a chain of the path to the .onion domain. So it is
> completely pointless to block all the exits and second: Exits are
> the end of the chain to the “normal” internet, if you don’t want
> outgoing Tor traffic from your internal network you fucking block
> guards and entry/middle nodes not exits

Ummm, that's basically what I said. It was stupid for the writer to say
"exits". But you know that blacklists include all Tor relays.

> …. btw, good luck with blocking all guards ….

Guards are public, bro. But not all bridges, of course.

> niftybunny
> ab...@to-surf-and-protect.net
> 
> Where ignorance is bliss, 'Tis folly to be wise.
> Thomas Gray 
> 
> PS: >In accordance with known best practices, any organization
> >who has SMB publically accessible via the internet (ports
> >139, 445) should immediately block inbound traffic.
> 
> WTF?!??!?!??!?!? WHY WOULD YOU EVEN ALLOW SMB TRAFFIC FROM
> UNTRUSTED INTERNET SOURCES INTO YOUR NETWORK? WH?

Because you're a dumbass motherfucker ;)

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


Re: [tor-relays] WannaCry fallout FYI

2017-05-14 Thread niftybunny
The last time I checked .onion domains don’t need exits. Every Tor node can be 
a chain of the path to the .onion domain. So it is completely pointless to 
block all the exits and second: Exits are the end of the chain to the “normal” 
internet, if you don’t want outgoing Tor traffic from your internal network you 
fucking block guards and entry/middle nodes not exits …. btw, good luck with 
blocking all guards …. 

niftybunny
ab...@to-surf-and-protect.net

Where ignorance is bliss, 'Tis folly to be wise.
Thomas Gray 

PS: >In accordance with known best practices, any organization who has SMB 
publically accessible via the internet (ports 139, 445) should immediately 
block inbound traffic.

WTF?!??!?!??!?!? WHY WOULD YOU EVEN ALLOW SMB TRAFFIC FROM UNTRUSTED INTERNET 
SOURCES INTO YOUR NETWORK? WH?


> On 15. May 2017, at 00:08, Mirimir  wrote:
> 
> On 05/14/2017 08:54 AM, niftybunny wrote:
>>> Known TOR exit nodes are listed within the Security Intelligence
>>> feed of ASA Firepower devices. Enabling this to be blacklisted
>>> will prevent outbound communications to TOR networks.
>> Wait, what?
> 
> | WanaCrypt0r will then download a TOR client from
> | https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
> | and extract it into the TaskData folder.  This TOR client is used to
> | communicate with the ransomware C2 servers at gx7ekbenv2riucmf.onion,
> | 57g7spgrzlojinas.onion, xxlvbrloxvriy2c5.onion,
> | 76jdd2ir2embyv47.onion, and cwwnhwhlz52maqm7.onion.
> 
> https://www.bleepingcomputer.com/news/security/wana-decryptor-wanacrypt0r-technical-nose-dive/
> 
> Sad but true.
> 
> But what they want to block are guards and directory servers. But their
> list will probably include all relays, so whatever.
> 
> Longer term, it's pointless, because malware authors can just hard code
> bridges. Even custom unlisted bridges.

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


Re: [tor-relays] WannaCry fallout FYI

2017-05-14 Thread John Ricketts
Roger,

Exactly! bahahaha.

John

> On May 14, 2017, at 17:24, Roger Dingledine  wrote:
> 
> On Sun, May 14, 2017 at 09:54:55PM +0200, niftybunny wrote:
>>> Known TOR exit nodes are listed within the Security Intelligence feed of 
>>> ASA Firepower devices. Enabling this to be blacklisted will prevent 
>>> outbound communications to TOR networks.
>> 
>> Wait, what?
> 
> To help you be less surprised next time, the template to look for is:
> 
> "Additionally, organizations should strongly consider [buying our
> fancy proprietary "threat intelligence" tools]. Enabling this to be
> blacklisted will prevent [thing that we're trying to scare you about
> without explaining, or even understanding ourselves]."
> 
> --Roger
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


Re: [tor-relays] WannaCry fallout FYI

2017-05-14 Thread Mirimir
On 05/14/2017 08:54 AM, niftybunny wrote:
>> Known TOR exit nodes are listed within the Security Intelligence
>> feed of ASA Firepower devices. Enabling this to be blacklisted
>> will prevent outbound communications to TOR networks.
> 
> Wait, what?

| WanaCrypt0r will then download a TOR client from
| https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
| and extract it into the TaskData folder.  This TOR client is used to
| communicate with the ransomware C2 servers at gx7ekbenv2riucmf.onion,
| 57g7spgrzlojinas.onion, xxlvbrloxvriy2c5.onion,
| 76jdd2ir2embyv47.onion, and cwwnhwhlz52maqm7.onion.

https://www.bleepingcomputer.com/news/security/wana-decryptor-wanacrypt0r-technical-nose-dive/

Sad but true.

But what they want to block are guards and directory servers. But their
list will probably include all relays, so whatever.

Longer term, it's pointless, because malware authors can just hard code
bridges. Even custom unlisted bridges.

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
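As an added illustration of the point in the message above (this is not code from the thread or from the Tor Project), the following Python models what an "exit nodes only" blocklist catches in outbound firewall logs compared with a list of all relays, and shows that neither matches an unlisted bridge. The relay list, flags, IPs (RFC 5737 documentation ranges) and log lines are constructed, and the two-line "r"/"s" record format is a simplification assumed here, not the real consensus grammar.

```python
import re

# Constructed mini relay list in a simplified consensus-like layout:
# an "r" line with nickname and IP, followed by an "s" line with flags.
# Nicknames are invented; IPs come from RFC 5737 documentation ranges.
CONSENSUS = """\
r guard1 192.0.2.10 9001
s Fast Guard Running Stable Valid
r middle1 192.0.2.20 443
s Fast Running Stable Valid
r exit1 198.51.100.30 9001
s Exit Fast Guard Running Stable Valid
r hsdir1 198.51.100.40 9001
s Fast HSDir Running Stable Valid
"""

# Constructed outbound firewall log lines. 203.0.113.99 stands in for a
# bridge that appears in no public relay list.
FW_LOG = """\
2017-05-14T21:45:01 OUT src=10.0.0.5 dst=192.0.2.10 dport=9001 proto=TCP
2017-05-14T21:45:02 OUT src=10.0.0.5 dst=198.51.100.40 dport=9001 proto=TCP
2017-05-14T21:45:03 OUT src=10.0.0.6 dst=198.51.100.30 dport=9001 proto=TCP
2017-05-14T21:45:04 OUT src=10.0.0.7 dst=203.0.113.99 dport=443 proto=TCP
"""

def parse_consensus(text):
    """Return {ip: set(flags)} from paired 'r'/'s' lines."""
    relays, current = {}, None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r":
            current = parts[2]
            relays[current] = set()
        elif parts[0] == "s" and current:
            relays[current].update(parts[1:])
    return relays

def blocklist(relays, required_flag=None):
    """IPs to block: every relay, or only relays carrying required_flag."""
    return {ip for ip, flags in relays.items()
            if required_flag is None or required_flag in flags}

LOG_RE = re.compile(r"dst=(\S+) dport=(\d+)")

def evaluate(log, blocked):
    """Split logged outbound destinations into caught and missed by the list."""
    caught, missed = [], []
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        (caught if m.group(1) in blocked else missed).append(m.group(1))
    return caught, missed
```

With the constructed data, the Exit-only list catches one destination and misses the guard and HSDir connections that an onion-service circuit would actually use, while the all-relay list still misses the bridge.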


Re: [tor-relays] WannaCry fallout FYI

2017-05-14 Thread John Ricketts
Exactly what I was thinking.

> On May 14, 2017, at 14:51, niftybunny  wrote:
> 
> >Known TOR exit nodes are listed within the Security Intelligence feed of ASA 
> >Firepower devices. Enabling this to be blacklisted will prevent outbound 
> >communications to TOR networks.
> 
> Wait, what?

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


Re: [tor-relays] WannaCry fallout FYI

2017-05-14 Thread niftybunny
>Known TOR exit nodes are listed within the Security Intelligence feed of ASA 
>Firepower devices. Enabling this to be blacklisted will prevent outbound 
>communications to TOR networks.

Wait, what?


niftybunny
ab...@to-surf-and-protect.net

Where ignorance is bliss, 'Tis folly to be wise.

Thomas Gray 

> On 14. May 2017, at 21:45, Jon Gardner  wrote:
> 
> From the SNORT folks...
> 
> http://blog.talosintelligence.com/2017/05/wannacry.html?m=1 
> 
> 
> " Additionally, organizations should strongly consider blocking 
> connections to TOR nodes and TOR traffic on network. Known TOR exit nodes are 
> listed within the Security Intelligence feed of ASA Firepower devices. 
> Enabling this to be blacklisted will prevent outbound communications to TOR 
> networks."
> 
> <><
> Jon L. Gardner
> Mobile: +1 979-574-1189
> Email/Skype/Jabber: j...@brazoslink.net 
> AIM/iChat/MSN: j...@mac.com 

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


[tor-relays] WannaCry fallout FYI

2017-05-14 Thread Jon Gardner
From the SNORT folks...

http://blog.talosintelligence.com/2017/05/wannacry.html?m=1

" Additionally, organizations should strongly consider blocking connections 
to TOR nodes and TOR traffic on network. Known TOR exit nodes are listed within 
the Security Intelligence feed of ASA Firepower devices. Enabling this to be 
blacklisted will prevent outbound communications to TOR networks."

<><
Jon L. Gardner
Mobile: +1 979-574-1189
Email/Skype/Jabber: j...@brazoslink.net
AIM/iChat/MSN: j...@mac.com
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays