Author Topic: That ransomware attack  (Read 24862 times)

Re: That ransomware attack
« Reply #100 on: 17 May, 2017, 10:22:13 pm »
NHS should have been moving anything needing winXP onto citrix thin clients or equivalent. Then when ransomware hit, just kill the client.

But that would have required investment. Requiring money.

Anyone in IT that told me that kind of stuff would be soooooo sacked.
Oh wait, my computer is a Mac so on this occasion I don't have to worry.

Re: That ransomware attack
« Reply #101 on: 17 May, 2017, 11:20:55 pm »
The malware writers are starting to increase their focus on Macs. The "I'm safe, I have a Mac" attitude of many Mac users (I know you said "...on this occasion I don't have to worry." so I guess you're not part of that group) is exactly the attitude malware authors want, as it makes it easier to get a foothold on that platform.

The recent Handbrake (DVD ripper and re-encoding software) incident (https://www.cybereason.com/labs-proton-b-what-this-mac-malware-actually-does/) shows that you really have to be vigilant. Most people would have blindly trusted the Handbrake site for its downloads and hardly anyone would have checked the checksums (mainly because if you can change the download file on the site then changing the checksum to match it, also on the same site, should be trivial.)

If anything, something that sits silently on your machine allowing remote access, exfiltrating important files (browser password caches, keychain files, etc) and keylogging is a whole lot worse than something very visual like ransomware which announces its presence loudly.

Again, malware writers are missing a trick here. A period of logging and file exfiltration followed by a ransomware attack would give them multiple bites at the cherry, it's only time before they get more sophisticated. (This isn't Mac specific.)
"Yes please" said Squirrel "biscuits are our favourite things."
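An added example (not from the thread or from HandBrake's project) of the point made above about checksums: a checksum hosted beside the download only proves the file matches what the site currently says it should be, so an intruder who can swap the installer can swap the checksum too, whereas a signature checked against a public key obtained out of band cannot be forged without the private key. The site is a dict, the RSA key is a deliberately tiny toy built from two Mersenne primes with no padding, and the file contents are constructed stand-ins.

```python
"""Same-site checksum vs. out-of-band signature for a download (constructed model)."""
import hashlib

# Toy RSA key: p = 2^61-1 and q = 2^89-1 are known primes, e = 65537.
# Far too small for real use; it only has to behave like RSA for the demo.
P, Q, E = (1 << 61) - 1, (1 << 89) - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python >= 3.8)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def digest_int(data: bytes, n: int) -> int:
    """SHA-256 of the data as an integer, reduced mod n because n is only ~150 bits."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def toy_sign(data: bytes, d: int = D, n: int = N) -> int:
    """Textbook RSA signature over the hash (no padding: toy only)."""
    return pow(digest_int(data, n), d, n)

def toy_verify(data: bytes, sig: int, e: int = E, n: int = N) -> bool:
    return pow(sig, e, n) == digest_int(data, n)

def publish(installer: bytes) -> dict:
    """The vendor's site as a dict: installer, its checksum file and a signature."""
    return {"installer": installer,
            "sha256.txt": sha256_hex(installer),
            "installer.sig": toy_sign(installer)}

def tamper(site: dict, trojan: bytes) -> dict:
    """Site compromise: whoever can replace the installer can also rewrite the
    checksum file sitting next to it. The signature cannot be regenerated
    without the private key, so the old one stays in place."""
    return {**site, "installer": trojan, "sha256.txt": sha256_hex(trojan)}

def checksum_check(site: dict) -> bool:
    """What a careful downloader usually does: compare against the site's own checksum."""
    return sha256_hex(site["installer"]) == site["sha256.txt"]

def signature_check(site: dict, pinned_n: int = N) -> bool:
    """Verify against a public key the user obtained before the compromise (pinned)."""
    return toy_verify(site["installer"], site["installer.sig"], E, pinned_n)

def demo() -> dict:
    clean = publish(b"HandBrake installer bytes (constructed stand-in)")
    bad = tamper(clean, b"HandBrake installer plus remote-access trojan (constructed)")
    return {"clean_checksum": checksum_check(clean),
            "clean_signature": signature_check(clean),
            "tampered_checksum": checksum_check(bad),      # still passes: same-site checksum
            "tampered_signature": signature_check(bad)}    # fails: key not on the site

if __name__ == "__main__":
    print(demo())
```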

Re: That ransomware attack
« Reply #102 on: 17 May, 2017, 11:22:42 pm »
The malware writers are starting to increase their focus on Macs. The "I'm safe, I have a Mac" attitude of many Mac users (I know you said "...on this occasion I don't have to worry." so I guess you're not part of that group) is exactly the attitude malware authors want, as it makes it easier to get a foothold on that platform.

The recent Handbrake (DVD ripper and re-encoding software) incident (https://www.cybereason.com/labs-proton-b-what-this-mac-malware-actually-does/) shows that you really have to be vigilant. Most people would have blindly trusted the Handbrake site for its downloads and hardly anyone would have checked the checksums (mainly because if you can change the download file on the site then changing the checksum to match it, also on the same site, should be trivial.)

If anything, something that sits silently on your machine allowing remote access, exfiltrating important files (browser password caches, keychain files, etc) and keylogging is a whole lot worse than something very visual like ransomware which announces its presence loudly.

Again, malware writers are missing a trick here. A period of logging and file exfiltration followed by a ransomware attack would give them multiple bites at the cherry, it's only time before they get more sophisticated. (This isn't Mac specific.)

If you come after my Mac then you need to be aware that I have the latest malware and antivirus protection, and an incremental backup system going back 7 years :)

Re: That ransomware attack
« Reply #103 on: 17 May, 2017, 11:45:51 pm »
If you come after my Mac then you need to be aware that I have the latest malware and antivirus protection, and an incremental backup system going back 7 years :)

Rock and a hard place.

The antivirus programs are often the easiest targets for the malware writers. They're full of security holes themselves and often run with elevated privileges, solving a major hurdle after infection.

Bit old (June 2016) but highlights the point: http://www.computerworld.com/article/3089872/security/security-vulnerabilities-in-symantec-and-norton-as-bad-as-it-gets-warns-researcher.html

ESET was a more recent one with a major flaw discovered (March 2017).
"Yes please" said Squirrel "biscuits are our favourite things."

Re: That ransomware attack
« Reply #104 on: 18 May, 2017, 12:00:46 am »
If you come after my Mac then you need to be aware that I have the latest malware and antivirus protection, and an incremental backup system going back 7 years :)

Rock and a hard place.

The antivirus programs are often the easiest targets for the malware writers. They're full of security holes themselves and often run with elevated privileges, solving a major hurdle after infection.

Bit old (June 2016) but highlights the point: http://www.computerworld.com/article/3089872/security/security-vulnerabilities-in-symantec-and-norton-as-bad-as-it-gets-warns-researcher.html

ESET was a more recent one with a major flaw discovered (March 2017).

All well and good, but no one has managed to actually attack my Mac as of yet. Nice not to need to pay for the latest OS also  ;D

Jaded

  • The Codfather
  • Formerly known as Jaded
Re: That ransomware attack
« Reply #105 on: 18 May, 2017, 12:02:30 am »
Oh look! A squirrel!
It is simpler than it looks.

Martin

Re: That ransomware attack
« Reply #106 on: 18 May, 2017, 12:38:50 am »
Whilst some of you take the piss out of and generally spout about the NHS management of this, I've today had to deal with the loss of a large section of an entire laboratory in a major London teaching hospital, which we hope to resolve in the next few hours; we've been well aware of the vulnerability of XP and have been taking steps to ensure compliance / isolation of the XP systems in use for a couple of years; they are due to be replaced very soon, so rather than waste thousands on very short term replacements we've come up with a satisfactory solution which unfortunately may have been affected by this malicious and stupid attack.

NHS should have been moving anything needing winXP onto citrix thin clients or equivalent. Then when ransomware hit, just kill the client.

But that would have required investment. Requiring money.

Anyone in IT that told me that kind of stuff would be soooooo sacked.
Oh wait, my computer is a Mac so on this occasion I don't have to worry.

Please do come to my Trust and show me and the rest of my team how easy it is to move the many stand-alone PCs within it to thin clients (with associated secure remote hosting / data centres), as you obviously have far more experience.


Re: That ransomware attack
« Reply #107 on: 18 May, 2017, 04:40:31 am »
Whilst some of you take the piss out of and generally spout about the NHS management of this, I've today had to deal with the loss of a large section of an entire laboratory in a major London teaching hospital, which we hope to resolve in the next few hours; we've been well aware of the vulnerability of XP and have been taking steps to ensure compliance / isolation of the XP systems in use for a couple of years; they are due to be replaced very soon, so rather than waste thousands on very short term replacements we've come up with a satisfactory solution which unfortunately may have been affected by this malicious and stupid attack.

NHS should have been moving anything needing winXP onto citrix thin clients or equivalent. Then when ransomware hit, just kill the client.

But that would have required investment. Requiring money.

Anyone in IT that told me that kind of stuff would be soooooo sacked.
Oh wait, my computer is a Mac so on this occasion I don't have to worry.

Please do come to my Trust and show me and the rest of my team how easy it is to move the many stand-alone PCs within it to thin clients (with associated secure remote hosting / data centres), as you obviously have far more experience.

Wow, patronising. You assume I would not know how to do that, but actually you're wrong. However, you couldn't afford me  ;)

David Martin

  • Thats Dr Oi You thankyouverymuch
Re: That ransomware attack
« Reply #108 on: 18 May, 2017, 08:39:03 am »
If Martin's lab is like many others then it runs bespoke software on PCs tied to instruments that require to be networked for data transfer. Thin clients would be challenging in that respect. What typically needs doing is proper network segmentation to move vulnerable machines behind firewalls, allowing data through. Unfortunately this usually requires reworking vast quantities of legacy software, whilst ensuring the system stays functional.
"By creating we think. By living we learn" - Patrick Geddes

Jaded

  • The Codfather
  • Formerly known as Jaded
Re: That ransomware attack
« Reply #109 on: 18 May, 2017, 08:44:25 am »
Whilst some of you take the piss out of and generally spout about the NHS management of this, I've today had to deal with the loss of a large section of an entire laboratory in a major London teaching hospital, which we hope to resolve in the next few hours; we've been well aware of the vulnerability of XP and have been taking steps to ensure compliance / isolation of the XP systems in use for a couple of years; they are due to be replaced very soon, so rather than waste thousands on very short term replacements we've come up with a satisfactory solution which unfortunately may have been affected by this malicious and stupid attack.

NHS should have been moving anything needing winXP onto citrix thin clients or equivalent. Then when ransomware hit, just kill the client.

But that would have required investment. Requiring money.

Anyone in IT that told me that kind of stuff would be soooooo sacked.
Oh wait, my computer is a Mac so on this occasion I don't have to worry.

Please do come to my Trust and show me and the rest of my team how easy it is to move the many stand-alone PCs within it to thin clients (with associated secure remote hosting / data centres), as you obviously have far more experience.

Wow, patronising. You assume I would not know how to do that, but actually you're wrong. However, you couldn't afford me  ;)

It is unclear whether Martin is having a go at you or mrcharly, I think.
It is simpler than it looks.

Re: That ransomware attack
« Reply #110 on: 18 May, 2017, 08:49:24 am »
Whilst some of you take the piss out of and generally spout about the NHS management of this, I've today had to deal with the loss of a large section of an entire laboratory in a major London teaching hospital, which we hope to resolve in the next few hours; we've been well aware of the vulnerability of XP and have been taking steps to ensure compliance / isolation of the XP systems in use for a couple of years; they are due to be replaced very soon, so rather than waste thousands on very short term replacements we've come up with a satisfactory solution which unfortunately may have been affected by this malicious and stupid attack.

NHS should have been moving anything needing winXP onto citrix thin clients or equivalent. Then when ransomware hit, just kill the client.

But that would have required investment. Requiring money.

Anyone in IT that told me that kind of stuff would be soooooo sacked.
Oh wait, my computer is a Mac so on this occasion I don't have to worry.

Please do come to my Trust and show me and the rest of my team how easy it is to move the many stand-alone PCs within it to thin clients (with associated secure remote hosting / data centres), as you obviously have far more experience.
Not having a pop, I know it would take substantial work, time and money, hence my saying it would have required investment and money that you aren't getting. I'm not naive or inexperienced about large projects.

I wish you luck in sorting out your problems.
Marmite slave

Re: That ransomware attack
« Reply #111 on: 18 May, 2017, 08:50:19 am »
If Martin's lab is like many others then it runs bespoke software on PCs tied to instruments that require to be networked for data transfer. Thin clients would be challenging in that respect.
What typically needs doing is proper network segmentation to move vulnerable machines behind firewalls, allowing data through. Unfortunately this usually requires reworking vast quantities of legacy software, whilst ensuring the system stays functional.
Having spent 35+ years in hospital pathology laboratories, before fatefully moving into 'management', I saw a couple of attempts to move at least some of the processing onto thin clients - these well-meant endeavours always neglected exactly what you describe - the issues of bespoke software running complex bespoke hardware. Typically - in desperation - the hardware and the bespoke software could run standalone without being networked (e.g. if the network was lost), but the manual inputting and data extraction was laborious and 'not fit for purpose' given the demands on modern hospital laboratory science.
Martin - I don't think anyone's taking the piss out of your situation. (And I'm surprised that NHS trusts don't keep a register of people like me (no longer HPC registered) who could volunteer in extremis.)
Too many angry people - breathe & relax.

Re: That ransomware attack
« Reply #112 on: 18 May, 2017, 03:36:32 pm »
If you come after my Mac then you need to be aware that I have the latest malware and antivirus protection, and an incremental backup system going back 7 years :)

Rock and a hard place.

The antivirus programs are often the easiest targets for the malware writers. They're full of security holes themselves and often run with elevated privileges, solving a major hurdle after infection.

Bit old (June 2016) but highlights the point: http://www.computerworld.com/article/3089872/security/security-vulnerabilities-in-symantec-and-norton-as-bad-as-it-gets-warns-researcher.html

ESET was a more recent one with a major flaw discovered (March 2017).

All well and good, but no one has managed to actually attack my Mac as of yet. Nice not to need to pay for the latest OS also  ;D
This demonstrates that Macs aren't invulnerable, even when used by clueful people:
https://panic.com/blog/stolen-source-code/
Backups and such aren't going to stop someone stealing your data...

Jaded

  • The Codfather
  • Formerly known as Jaded
Re: That ransomware attack
« Reply #113 on: 18 May, 2017, 03:48:19 pm »
Yes, but there's a question of scale and balance.

No computer is invulnerable. However the most widely used desktop OS is not the most secure, by any means.

Look! A squirrel!!
It is simpler than it looks.

simonp

Re: That ransomware attack
« Reply #114 on: 18 May, 2017, 03:59:25 pm »
If ransomware can compromise your system then it can compromise a locally connected backup.

Re: That ransomware attack
« Reply #115 on: 18 May, 2017, 04:08:13 pm »
Which is why I've taken to using USB sticks and a network drive which I only connect to do the backups.   I physically disconnect the computer from the network but of course nothing will protect me if the malware has already somehow snuck under the radar.
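An added example (not from the thread) for the backup concern raised in the two replies above: a drive that is only attached for the backup run is still overwritten with ciphertext if the malware has already encrypted the source before the run. This gate compares the files about to be backed up against the manifest saved after the last good run and refuses when most known files changed and the new contents look like ciphertext. Paths, file contents, hashes and the thresholds are all constructed for the example.

```python
"""Pre-backup sanity gate: refuse to mirror a source that looks freshly encrypted."""
import hashlib
import math

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed data approaches 8.0, text sits around 4-5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def build_manifest(files: dict) -> dict:
    """Record a SHA-256 per path after a run believed to be good (path -> hex digest)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def assess(files: dict, manifest: dict, change_ratio: float = 0.5,
           entropy_cutoff: float = 7.0) -> dict:
    """Verdict plus the evidence behind it.
    files: path -> bytes as seen now; manifest: path -> sha256 from the last run.
    Suspicious when at least change_ratio of the known files changed AND at least
    half of the changed files now exceed the entropy cutoff (constructed thresholds)."""
    known = [p for p in manifest if p in files]
    changed = [p for p in known
               if hashlib.sha256(files[p]).hexdigest() != manifest[p]]
    high_entropy = [p for p in changed if shannon_entropy(files[p]) > entropy_cutoff]
    missing = [p for p in manifest if p not in files]    # renamed or deleted since last run
    suspicious = (bool(known)
                  and len(changed) / len(known) >= change_ratio
                  and len(high_entropy) >= max(1, len(changed) // 2))
    return {"safe_to_backup": not suspicious, "known": len(known),
            "changed": len(changed), "high_entropy": len(high_entropy),
            "missing": len(missing)}

def demo() -> tuple:
    """Two constructed days against one manifest: an ordinary edit and a mass encryption."""
    text = {f"lab/results_{i}.csv": (f"sample {i},glucose,5.{i}\n" * 40).encode()
            for i in range(10)}
    manifest = build_manifest(text)
    # Ordinary day: two files gained a line, still plain text.
    edited = dict(text)
    edited["lab/results_0.csv"] += b"sample 99,glucose,6.1\n"
    edited["lab/results_1.csv"] += b"sample 98,glucose,4.4\n"
    # Ransomware day: every file replaced by 1024 ciphertext-like bytes
    # (constructed from SHA-256 outputs so the example stays deterministic).
    encrypted = {p: b"".join(hashlib.sha256(p.encode() + bytes([i])).digest()
                             for i in range(32)) for p in text}
    return assess(edited, manifest), assess(encrypted, manifest)

if __name__ == "__main__":
    for label, verdict in zip(("ordinary edits", "mass encryption"), demo()):
        print(label, verdict)
```

The gate is a last check, not a substitute for keeping dated snapshots rather than one mirror: a refused run costs a day's backup, an overwritten mirror costs the only good copy.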

Afasoas

Re: That ransomware attack
« Reply #116 on: 19 May, 2017, 11:55:46 am »
It looks like decryption might be possible for some wannacrypt infestations:

https://github.com/aguinet/wannakey

Re: That ransomware attack
« Reply #117 on: 19 May, 2017, 04:43:33 pm »
Which is why I've taken to using USB sticks and a network drive which I only connect to do the backups.   I physically disconnect the computer from the network but of course nothing will protect me if the malware has already somehow snuck under the radar.

I agree with you there, and these days USB drives have become so cheap it's perfectly feasible to do monthly backups of photos and all important data at home and file it away permanently, never to be over-written. It's certainly what I do these days, so all my eggs are not in the 'cloud' basket or even the network backup drive basket, which can get pinched along with your laptop by actual burglars in person (or fire)! I've always stored backups off site, both at home and work, in case of fire. Of course NHS staff can't be marching home with important backups in their pockets, so that's not going to help them much.

Martin

Re: That ransomware attack
« Reply #118 on: 19 May, 2017, 11:51:20 pm »
If Martin's lab is like many others then it runs bespoke software on PCs tied to instruments that require to be networked for data transfer. Thin clients would be challenging in that respect.
What typically needs doing is proper network segmentation to move vulnerable machines behind firewalls, allowing data through. Unfortunately this usually requires reworking vast quantities of legacy software, whilst ensuring the system stays functional.
Having spent 35+ years in hospital pathology laboratories, before fatefully moving into 'management', I saw a couple of attempts to move at least some of the processing onto thin clients - these well-meant endeavours always neglected exactly what you describe - the issues of bespoke software running complex bespoke hardware. Typically - in desperation - the hardware and the bespoke software could run standalone without being networked (e.g. if the network was lost), but the manual inputting and data extraction was laborious and 'not fit for purpose' given the demands on modern hospital laboratory science.
Martin - I don't think anyone's taking the piss out of your situation. (And I'm surprised that NHS trusts don't keep a register of people like me (no longer HPC registered) who could volunteer in extremis.)

Thanks; it was some comments that suggested incompetence and penny pinching in the NHS that got my goat;

FYI my Trust knew about the XP problem for a couple of years before MS withdrew support; the DOH did indeed purchase extended support after official support ended, and during that time we planned a strategic removal of all XP PCs from the network whilst replacing the networked ones with W7 in a phased approach. Remember that many of the XP PCs were all very long in the tooth anyway and would need replacement whatever. But there was the problem with the bespoke software, much of which was not W7 compatible and would eventually be sunsetted. We are nearly there, but due to ongoing procurement within the labs we still have to keep a few XP machines running (effectively isolated from all but the instruments they serve). It's simply not possible to move these onto Citrix etc. as they are usually one-off installs a few metres away from the kit with a clone box next to them as redundancy, often requiring an engineer onsite to apply fixes / patches etc., where thin clients would not work.

Wombat

  • Is it supposed to hurt this much?
Re: That ransomware attack
« Reply #119 on: 20 May, 2017, 09:44:28 am »
A view from outside...

Is it not the case that most of the problem relates to PCs running out of date OSs because the bits of specialist equipment they are connected to, or specialist systems they run, won't run under a decent modern OS? 

WTF is wrong with the suppliers of those systems that they don't keep updates coming so their systems can be kept safe and running on a modern OS?  Things like my photo editing software, and video software regularly publish updates to keep them abreast of newer OSs, and recent issues and vulnerabilities.  Surely the suppliers of very expensive specialist software and equipment, really, really ought to be supporting them properly? 

In my recently ceased employment, I was well aware that Crapita, suppliers of broken software to manage many millions of pounds worth of assets, totally failed to keep up with such issues (or even care about usability), so I suppose I am being naive.

It relates to my hate of the fact that many useful bits of domestic computing equipment (such as scanners and printers) have to be replaced because the manufacturer is too bloody-minded to update drivers for a current OS (yes, YOU, Canon!).  I know they do it for commercial stuff just to sell more new widgets, but for serious stuff like NHS and defence things, surely it's not beyond the wit of man to update drivers and maintain compatibility?  Is there not a niche for a specialist firm whose business is updating drivers etc.?
Wombat

Re: That ransomware attack
« Reply #120 on: 20 May, 2017, 09:51:10 am »
Is there not a niche for a specialist firm whose business is updating drivers etc.?

They've been doing this and doing it well for years

https://www.hamrick.com/

Wombat

  • Is it supposed to hurt this much?
Re: That ransomware attack
« Reply #121 on: 20 May, 2017, 10:07:33 am »
I'm aware of Vuescan, but even they only seem to do domestic types, and don't include things like the Canon microfilm scanners at the museum I do work with, so a £3500 scanner is now effectively useless, and they've had to buy a new £4000 one instead.  I was actually thinking more of obscure medical stuff that I can only guess at the function and cost of.  Bearing in mind how much that sort of thing must cost (I don't know, but having seen some of it "bloody expensive" seems an inadequate term) surely either the suppliers or another firm should be on the case.
Wombat

David Martin

  • Thats Dr Oi You thankyouverymuch
Re: That ransomware attack
« Reply #122 on: 20 May, 2017, 11:43:08 am »
The original purchase costs of the equipment can range from a few tens of thousands to millions. Just thinking of our research facility, we have mass spectrometers [1], sample processing robots [2] and so on. The market for these is small and the requirement for reliability high. The cost of developing a driver and software update could be extremely high, especially if communication is via custom interface boards that are no longer supported by modern PC architecture. You either need a large enough market to ensure any development cost will be recovered, or it is cheaper to just upgrade to the new machine with all the hassle that involves.

A better option for process labs may be to lease the machines from the manufacturers - the advantages are that the manufacturers can then guarantee a market for updates, and the lab does not have periodic large budget items. However, this is then seen as politically unacceptable, and carries the risk of suppliers' viability impacting beyond the company itself (i.e. if the company is bought up by a bigger company and they then decide that the lease/maintenance on that equipment is not sustainable and force an upgrade, or just go bankrupt and the machines are repossessed as assets).

It is an issue where the lifespan of the machines is much longer than the lifespan of the controlling tech, and there are no mechanisms in place to deal with that kind of obsolescence. I would expect that some hospital labs have key equipment connected via SCSI and upgradeable only by floppy disk.

tl;dr The problems are not trivial and need careful management, often in creative and politically difficult ways that can expose them to a new set of risks.

[1] not the best example as mass spec tech moves very fast and the life cycle is compatible with PC life cycle.
[2] a better example. DNA sequencers are still working fine 20 years on, some of which originally were driven by OS/2
"By creating we think. By living we learn" - Patrick Geddes

Re: That ransomware attack
« Reply #123 on: 20 May, 2017, 03:31:32 pm »
I can't help thinking that a large part of the problem lies with the historical development of a basically monopoly supply of computer OSs on PCs. I am sure that if there had been ten or so viable OSs on the market 25 years ago the industry would have developed in a different and far more robust manner, making it all far less vulnerable to large scale attacks. Too late - PCs are going to be the next dinosaurs!
(Just an observation, I am not a geek!)

TheLurker

  • Goes well with magnolia.
Re: That ransomware attack
« Reply #124 on: 20 May, 2017, 04:54:52 pm »
I can't help thinking that a large part of the problem lies with the historical development of a basically monopoly supply of computer OSs on PCs. {snip}
It's not all bad. Having so few commercially successful OSs means we get economies of scale.  A company can create a product for one OS knowing that it has a big enough market share for their dependent product to stand a chance of doing well.  It also makes it possible to support that product over multiple OSs.  Multi-OS support is a horribly difficult thing to do well; it's a hard enough problem coping with changes from one version of one OS to another, and almost impossible to do cheaply. Only having to attempt it for two, or possibly three, OSs drastically reduces the commercial and technical issues involved.

Imagine how much more expensive software would be, and the gaps in application availability from one OS to another, if we had Windows, Mac, Android, BeOS, FreeBSD, OS/2, CP/M, {My Favourite} Linux, AmigaOS, Acorn RISC OS and ProDOS/Apple DOS all with roughly equal market share?
The most beautiful journeys are made under our own power - Φίλοι του Ποδήλατου (Friends of the Bicycle)