[aklug] Re: [NUGA] Re: getting ready for Badlock?

From: Royce Williams <royce@tycho.org>
Date: Tue Apr 12 2016 - 09:47:56 AKDT

One reason Badlock is getting panned is that most people aren't doing SMB
signing, etc. But fooling one Windows box into thinking it's talking to a
different Windows box is pretty useful to attackers, and something that you
should do something about -- once your higher-interest security debt has
been paid down. :)

As I just tweeted: If you've hardened MS or Samba SMB, #badlock weakens
them. If not, you're vulnerable to similar MITM anyway - no net new

In other words, if your SMB implementation was already weak and subject to
MITM, Badlock doesn't make it much worse.

Royce

On Tue, Apr 12, 2016 at 9:34 AM, kris laubenstein <krislaubenstein@gmail.com> wrote:
>
> Agreed with Royce here. Not sure this deserved a logo and a name. If more
> end up like this, they'll start being treated as wolf crying.
>
> But, I suppose it can't hurt to audit all potential Samba / SMB sources,
> if only to update the network map.
>
> Kris Laubenstein
>
> On Apr 12, 2016 9:28 AM, "Royce Williams" <royce@tycho.org> wrote:
>>
>> I wouldn't call it urgent by any means. If you're not doing SMB signing,
>> you're vulnerable to similar MITM anyway. I would roll this out in the same
>> cycle as your usual patches.
>>
>> I think that the badlock.org people are going to get raked over the
>> coals for this.
>>
>> And I really do think that moving towards SMB signing is a very good
>> idea. You can make it optional on most platforms, and then enable logging
>> to see where it's not being negotiated.
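[Added example, not part of this thread or anything Royce or Kris posted.] The point made twice above (SMB signing merely "enabled" but not "required" on both ends leaves you open to MITM, and you want to find the hosts where it isn't being negotiated) comes down to two bits in the SMB2 NEGOTIATE exchange: SMB2_NEGOTIATE_SIGNING_ENABLED (0x0001) and SMB2_NEGOTIATE_SIGNING_REQUIRED (0x0002) in the SecurityMode field of the request and the response (MS-SMB2 2.2.3 and 2.2.4). Signing is only enforced on the connection if at least one side sets REQUIRED; ENABLED on both sides means nothing forces it. The decoder below parses a request/response pair and classifies the outcome, which is the check you would run over captured traffic to see where signing is not actually being negotiated. The header and body layouts follow MS-SMB2; the packets are constructed for the example (minimal, no security blob), not captures from any real host.

```python
"""Decode SMB2 NEGOTIATE SecurityMode bits and decide whether message signing
will actually be enforced on the resulting connection (MS-SMB2 2.2.1, 2.2.3,
2.2.4, 3.2.5.2). Sample packets are constructed for the example."""
import struct
from dataclasses import dataclass
from typing import Optional

SMB2_PROTOCOL_ID = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001   # header flag set on responses

# SecurityMode bits (MS-SMB2 2.2.3 / 2.2.4)
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002

SMB2_DIALECT_0202, SMB2_DIALECT_0210, SMB2_DIALECT_0302 = 0x0202, 0x0210, 0x0302


@dataclass
class NegotiateInfo:
    is_response: bool
    security_mode: int
    dialect: Optional[int]          # DialectRevision, response only

    @property
    def signing_enabled(self) -> bool:
        return bool(self.security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED)

    @property
    def signing_required(self) -> bool:
        return bool(self.security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED)


def _smb2_header(command: int, flags: int, message_id: int = 0) -> bytes:
    # ProtocolId | StructureSize(64) CreditCharge Status Command Credit Flags
    # NextCommand MessageId Reserved TreeId SessionId | Signature(16)
    return SMB2_PROTOCOL_ID + struct.pack(
        "<HHIHHIIQIIQ", 64, 0, 0, command, 1, flags, 0, message_id, 0, 0, 0
    ) + bytes(16)


def build_negotiate_request(security_mode: int, dialects) -> bytes:
    # StructureSize(36) DialectCount SecurityMode Reserved Capabilities
    # ClientGuid(16) ClientStartTime(8) Dialects[]  (constructed sample)
    body = struct.pack("<HHHHI", 36, len(dialects), security_mode, 0, 0)
    body += bytes(16) + bytes(8)
    body += b"".join(struct.pack("<H", d) for d in dialects)
    return _smb2_header(SMB2_NEGOTIATE, 0) + body


def build_negotiate_response(security_mode: int, dialect: int) -> bytes:
    # StructureSize(65) SecurityMode DialectRevision Reserved ServerGuid(16)
    # Capabilities MaxTransactSize MaxReadSize MaxWriteSize SystemTime
    # ServerStartTime SecurityBufferOffset SecurityBufferLength Reserved2
    body = struct.pack("<HHHH", 65, security_mode, dialect, 0) + bytes(16)
    body += struct.pack("<IIII", 0, 65536, 65536, 65536)
    body += struct.pack("<QQ", 0, 0) + struct.pack("<HHI", 0, 0, 0)
    return _smb2_header(SMB2_NEGOTIATE, SMB2_FLAGS_SERVER_TO_REDIR) + body


def parse_smb2_negotiate(pkt: bytes) -> NegotiateInfo:
    if len(pkt) < SMB2_HEADER_LEN + 8 or pkt[:4] != SMB2_PROTOCOL_ID:
        raise ValueError("not an SMB2 message")
    struct_size, _, _, command, _, flags = struct.unpack_from("<HHIHHI", pkt, 4)
    if struct_size != 64 or command != SMB2_NEGOTIATE:
        raise ValueError("not an SMB2 NEGOTIATE message")
    body = pkt[SMB2_HEADER_LEN:]
    body_size = struct.unpack_from("<H", body, 0)[0]
    if flags & SMB2_FLAGS_SERVER_TO_REDIR:
        if body_size != 65:
            raise ValueError("malformed NEGOTIATE response")
        security_mode, dialect = struct.unpack_from("<HH", body, 2)
        return NegotiateInfo(True, security_mode, dialect)
    if body_size != 36:
        raise ValueError("malformed NEGOTIATE request")
    return NegotiateInfo(False, struct.unpack_from("<H", body, 4)[0], None)


def assess(request: bytes, response: bytes) -> str:
    """Classify what the two SecurityMode fields mean for the connection.
    Per MS-SMB2 3.2.5.2 the client signs if the server's response carries
    SIGNING_REQUIRED or the client itself requires signing; ENABLED alone
    on both sides is the common, downgradable state an on-path attacker
    exploits by simply never signing."""
    req, resp = parse_smb2_negotiate(request), parse_smb2_negotiate(response)
    if req.is_response or not resp.is_response:
        raise ValueError("expected a request followed by its response")
    if req.signing_required and resp.signing_required:
        return "required-by-both"
    if req.signing_required:
        return "required-by-client"
    if resp.signing_required:
        return "required-by-server"
    if req.signing_enabled and resp.signing_enabled:
        return "enabled-not-required"
    return "signing-disabled"


def signing_enforced(request: bytes, response: bytes) -> bool:
    return assess(request, response).startswith("required")


if __name__ == "__main__":
    en, rq = SMB2_NEGOTIATE_SIGNING_ENABLED, SMB2_NEGOTIATE_SIGNING_REQUIRED
    for label, cm, sm in [("default workstation", en, en),
                          ("client requires", en | rq, en),
                          ("server requires (e.g. a DC)", en, en | rq)]:
        req = build_negotiate_request(cm, [SMB2_DIALECT_0202, SMB2_DIALECT_0210])
        resp = build_negotiate_response(sm, SMB2_DIALECT_0210)
        print(f"{label:28s} -> {assess(req, resp)}")
```

Only "required-by-*" outcomes actually protect the connection; "enabled-not-required" is exactly the state the thread warns about. Two caveats: this decodes SMB2 only (SMB1 carries its own signature bits in a one-byte SecurityMode in the NT LM 0.12 NEGOTIATE response), and SMB 3.1.1's pre-authentication integrity hash makes tampering with the NEGOTIATE itself detectable at session setup but still does not make signing mandatory.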

Received on Tue Apr 12 08:06:06 2016

This archive was generated by hypermail 2.1.8 : Tue Apr 12 2016 - 08:06:06 AKDT