Alert - Disconnect Wd My Book, If You Own One

Apparently all files are being wiped off devices.
Info:
https://www.digitaltrends.com/news/wd-my-book-live-owners-need-to-act-now-to-protect-their-data/
https://community.wd.com/t/help-all-data-in-mybook-live-gone-and-owner-password-unknown/268111

 

Wow! That is not good. I sure hope, once all is done and over with, that it is not revealed that this malware exploited a vulnerability WD already knew about but failed to act accordingly - as seems to be a major factor in most security breaches in the last few years.

This malware (or its delivery method) would have to be pretty sneaky to get past a computer's anti-malware defenses. According to the article the last firmware update was years ago so it does not appear to be caused by a recent compromised update from WD. I would suspect some form of socially engineered method of distribution - a clever, legitimate-looking scam/scheme that enticed those users to click on some link allowing the malware in.

 

I finally found the WD advisory on the site
https://www.westerndigital.com/supp...urity-measures-wd-mybooklive-wd-mybookliveduo

 

it's not malware and requires no user interaction to exploit. The firmware itself contains a years old vulnerability.
https://www.wizcase.com/blog/hack-2018/

 

I am starting to confuse myself because I am involved in several discussions on this topic on several different sites - and am forgetting what I posted where! Somewhere, after further research, I noted that it was not malware, as you point out here.

That said, you are suggesting this latest issue is related to those in your post. We don't know that, but it seems like it might be.

But regardless, you are right - to fall victim to this attack, the user does not need to download any malware.

HOWEVER, the user does have to allow remote access via their routers - a feature that is disabled by default in every router I have ever seen.

 

What is disabled can be enabled.

 

Sure! But that does not make it WD's fault if the user enables that access. Many users intentionally bought NAS devices that allow remote access just so they could access their own files from the Internet.

Ultimately, security always falls on the weakest link - and that is always the user.

 

Blaming people for expecting the product they purchased works as advertised is wrong.

 

Huh?

Hold on! Let's keep my comment in context here. If WD advertised these NAS devices to allow remote access to ONLY the purchaser and those the purchaser explicitly granted access to, then you would be right. But WD didn't do that.

I note most NAS devices are used "locally" - that is, to allow users/computers on the same "local" network to share files. Most NAS users do not intend to access their NAS devices from the Internet.

A NAS is just another computer. A special purpose computer but a computer just the same. And just like our personal PCs, most of us do not allow access to our personal computers, by other people, from outside our personal "local" networks.

I have a NAS and I made sure access (in and out) is blocked in my router.

The latest cars with the latest safety and accident avoidance technologies are marketed as being safe. But it is still the user's fault (assuming no mechanical failure, or other driver mistake) if they get into an accident.

I agree 100% with you if these products, which "are" marketed as "Internet-connected" devices, have bugs in them that allow unauthorized access when setup in accordance with WD instructions, that is indeed WD's fault. But it does not change my claim - "Ultimately, security always falls on the weakest link - and that is always the user."

 

Another day and another zero-day exploit. Here's a July 2nd problem reported.
https://krebsonsecurity.com/2021/07/another-0-day-looms-for-many-western-digital-users/

My thoughts: I'm not buying a WD device that has MyCloud on it. I don't want my files in the cloud. I want them stored locally. (I own 7 WD drives and none have this "feature".)

 

I'm not ready for that either - though I expect one day, we will have no choice. I am not afraid they will get lost. My fear is that there will be so many copies out there it will be impossible to delete them, if I wanted too. But my biggest fear is bad guys hacking my cloud account due to some incompetence of the host administrators failing to properly secure the cloud servers in a timely manner.

After all, the vast majority of corporate accounts are due to the admins and their managers failing to apply available patches, improper/inadequate training of their people, or some other human error that could have easily been prevented with just a little bit of due diligence on their parts.

 

If you dont need to access your data from multiple devices across the network, then you dont need cloud storage!

Its more secure than most local machines/networks are, and makes life a whole lot simpler! ...