That ransomware attack
« on: 13 May, 2017, 08:13:44 am »
According to The Register NHS trusts decided not to bother paying for extended support for Windows XP. What did they expect to happen?  :facepalm:
Quote from: tiermat
that's not science, it's semantics.

Jaded

  • The Codfather
  • Formerly known as Jaded
Re: That ransomware attack
« Reply #1 on: 13 May, 2017, 08:38:47 am »
Hmmm. Amber Rudd says this will make the NHS spend money updating its systems. You'd better give it some more money then, Amber!

As for the rolling news yesterday...
I learnt from experts that no protection would have stopped this attack and that ALL operating systems were at risk from this malware. Also that the best approaches might be to restore from back-up or pay the attackers. Except they weren't clear how the NHS could get so many bitcoins together.

At least today's BBC report states it only affects Windows systems, so they seem to have grasped the nature of the threat better than the industry experts they used yesterday.
It is simpler than it looks.

Re: That ransomware attack
« Reply #2 on: 13 May, 2017, 08:42:08 am »
According to The Register NHS trusts decided not to bother paying for extended support for Windows XP. What did they expect to happen?  :facepalm:

Whilst I agree with your sentiment, your statement is not supported by the article, which states in the final sentence "Individual government departments and agencies were free to sign their own extended support agreements with Microsoft". The missing bit of information is how many do not have a support arrangement, which is where negligence starts to creep in, rather than just poor decision making.


Eddington: 133 miles    Max square: 43x43

Morat

  • I tried to HTFU but something went ping :(
Re: That ransomware attack
« Reply #3 on: 13 May, 2017, 09:39:16 am »
From early reports, https://www.theregister.co.uk/2017/05/12/nhs_hospital_shut_down_due_to_cyber_attack/
The attack is called WannaCrypt and rides an SMB vulnerability MS17-010.
There was a patch for Windows last month but not for XP which is out of support.
MS have now released a free patch for XP (gee, thanks!)
Everyone's favourite windbreak

Re: That ransomware attack
« Reply #4 on: 13 May, 2017, 09:55:48 am »
The missing bit of information is how many do not have a support arrangement, which is where negligence starts to creep in, rather than just poor decision making.

OK, The Register is maybe not the best source of impartial news, but it's clear the infected PCs either did not have extended support, or, if they did they didn't bother installing the security patch they paid for. Either way it's negligence.

Imagine an NHS Trust board meeting:

- Quite a lot of our security guards are retiring next year, what should we do?
- Security guards are really expensive to employ, and they don't appear to do a lot.
- Ok, let's not bother hiring new ones, we could spend the money on other things!

I learnt from experts that no protection would have stopped this attack and that ALL operating systems were at risk from this malware. Also that the best approaches might be to restore from back-up or pay the attackers. Except they weren't clear how the NHS could get so many bitcoins together.

There was a patch released two months ago. It was free to anyone with a supported OS, and available for anyone with an extended support agreement.

It's possible that a decision was taken that extended support was more expensive than 0.15 BTC per PC. It probably is. What's not clear is why *any* document would be stored on a local PC if it couldn't be replaced quickly and easily. Anything could happen; rebuilding a PC to a clean state should be quick and easy.
Quote from: tiermat
that's not science, it's semantics.

Re: That ransomware attack
« Reply #5 on: 13 May, 2017, 10:03:44 am »
I learnt from experts that no protection would have stopped this attack and that ALL operating systems were at risk from this malware.

Sort of. All Windows operating systems were vulnerable, but only the older systems (XP, Windows Server 2003, etc) were vulnerable to infection without user interaction.

The malware can get onto your computer in one or more ways:-
1) You actively download it and run it (surprising how many people download random programs off the Internet and just run them)
2) You actively double click an attachment to an email (which may be a word doc, PDF or powerpoint presentation, etc)
3) You visit a malware ridden website using a web browser that is not fully patched
4) You visit any website that has advertising where the advertising (malvertising) has an infection vector if your browser isn't up to date
5) Your computer is remotely vulnerable and is infected by another computer nearby

The latter (#5) is how 'worms' spread, and how a large number of infections of this ransomware spread. Someone double clicks on a dodgy attachment to get their local machine infected and then it tries all of the nearby machines to see if it can remotely infect them (using mostly the Samba vulnerability that was part of the NSA's arsenal [EternalBlue] ).

If you had a patched OS and followed sensible guidelines of not opening attachments from unknown people, or unexpected attachments from known people, then you'd generally be ok.

The NHS's (and general corporate IT) problem is that it has thousands of XP and Windows Server 2003 machines that are required to run legacy software. Or they don't have the funds to upgrade everything all the time.

Luckily a security researcher found that it stopped infecting any further machines if a specific domain name had been registered, so he registered it, but that doesn't help the people already infected.

It won't be long before it's picked apart and used as the basis for version after version and the variants may be even nastier. And it won't be long before malware like this starts to include Mac and Linux infection vectors and codebases so it can spread regardless of the underlying operating system (this is what I would do if I was given the job of making an uber-malware).
"Yes please" said Squirrel "biscuits are our favourite things."

Re: That ransomware attack
« Reply #6 on: 13 May, 2017, 10:05:03 am »
MS have now released a free patch for XP (gee, thanks!)

I'm not sure I understand your sentiment—are you saying MS should provide patches for free for anyone running MS-DOS 1.0 onwards?

While not wishing to defend the bunch of MGBs* they provided a patch to anyone who paid for it in advance, either through buying a supported OS or paying for support.



*Money Grabbing Bastards
Quote from: tiermat
that's not science, it's semantics.

Re: That ransomware attack
« Reply #7 on: 13 May, 2017, 10:07:23 am »
It's possible that a decision was taken that extended support was more expensive than 0.15 BTC per PC. It probably is. What's not clear is why *any* document would be stored on a local PC if it couldn't be replaced quickly and easily. Anything could happen; rebuilding a PC to a clean state should be quick and easy.

Exactly, at one point we used to run a semi-scorched earth policy on our desktops.

Every 2 weeks we had to reinstall the OS on our desktop. This taught us to:-
a) Store our data safely in one place (where it was easier for a centralised backup to do its job)
b) Automate the process of OS reinstallation and, more importantly, application installation and configuration
c) Not be so reliant on a specific machine, too many times we had "that's the only machine that can build X or run Y"
d) Be sure that we backed up everything we needed, otherwise you had to redo the last 2 weeks' work that you may have lost if not. It also ensured that our backup policy worked because we regularly had to use the backups.

It kind of tailed off but the principles have stuck with me.
"Yes please" said Squirrel "biscuits are our favourite things."

TheLurker

  • Goes well with magnolia.
Re: That ransomware attack
« Reply #8 on: 13 May, 2017, 10:19:08 am »
According to The Register NHS trusts decided not to bother paying for extended support for Windows XP. What did they expect to happen?  :facepalm:
IIRC the Trusts didn't decide.  Jeremy Hunt decided for them. Fact check required, but I can't be arsed. :)
Τα πιο όμορφα ταξίδια γίνονται με τις δικές μας δυνάμεις - Φίλοι του Ποδήλατου

Morat

  • I tried to HTFU but something went ping :(
Re: That ransomware attack
« Reply #9 on: 13 May, 2017, 10:30:42 am »
It's possible that a decision was taken that extended support was more expensive than 0.15 BTC per PC. It probably is. What's not clear is why *any* document would be stored on a local PC if it couldn't be replaced quickly and easily. Anything could happen; rebuilding a PC to a clean state should be quick and easy.

Exactly, at one point we used to run a semi-scorched earth policy on our desktops.

Every 2 weeks we had to reinstall the OS on our desktop. This taught us to:-
a) Store our data safely in one place (where it was easier for a centralised backup to do its job)
b) Automate the process of OS reinstallation and, more importantly, application installation and configuration
c) Not be so reliant on a specific machine, too many times we had "that's the only machine that can build X or run Y"
d) Be sure that we backed up everything we needed, otherwise you had to redo the last 2 weeks' work that you may have lost if not. It also ensured that our backup policy worked because we regularly had to use the backups.

It kind of tailed off but the principles have stuck with me.
MS have now released a free patch for XP (gee, thanks!)

I'm not sure I understand your sentiment—are you saying MS should provide patches for free for anyone running MS-DOS 1.0 onwards?

While not wishing to defend the bunch of MGBs* they provided a patch to anyone who paid for it in advance, either through buying a supported OS or paying for support.



*Money Grabbing Bastards

Well, honestly I'm not sure either. But given that this vuln was known, and known to be in the wild, it was pretty clear that it was going to be exploited sometime. It's all a bit "stable door" but of course the people who suffer this time round includes NHS patients. Between MS, NHS and the actual malware writers there's plenty of blame to go round :(
Everyone's favourite windbreak

Re: That ransomware attack
« Reply #10 on: 13 May, 2017, 10:34:10 am »
According to The Register NHS trusts decided not to bother paying for extended support for Windows XP. What did they expect to happen?  :facepalm:
IIRC the Trusts didn't decide.  Jeremy Hunt decided for them. Fact check required, but I can't be arsed. :)

LOL! You are right!

Not necessarily a decision by Hunt himself, but surely heads should roll for this. The sub-headline on the article (written two years ago): "Migration continues, but they're risking it for a biscuit". Would they risk any other infrastructure they were warned was unsafe?

Win Server 2008 has been available for NINE years and end of support for XP was signalled ten years ago.
Quote from: tiermat
that's not science, it's semantics.

Re: That ransomware attack
« Reply #11 on: 13 May, 2017, 11:49:01 am »
.... And it won't be long before malware like this starts to include Mac and Linux infection vectors and codebases so it can spread regardless of the underlying operating system (this is what I would do if I was given the job of making an uber-malware).

With much greater impact, as the current approach is "Mac / Linux don't get virus" so (1) nobody even has the infrastructure to deal with an outbreak (2) xLinux runs the world (as opposed to MAC which is only a user platform - but significant if loads of them stop being able to be used).

Creating malware for the Linux world is obviously more challenging, but it would be a fool who would say it was impossible.

Being fairly close to the economics of the deals that set up IT support, my conclusion is there really just isn't the money in the system to provide the protection. The health services are especially vulnerable because of the nature of their organically grown systems and the lack of funds; there are moves afoot to put a better security foundation at the heart of everything Government aligned, but the size of that task is more than huge. Another group who are particularly vulnerable are retail - notably parsimonious with their spend and investment. Financial institutions tend to be better protected and have a (statutory duty to) have secure systems. Industrials are less vulnerable, so long as they are built on best principles (and most energy etc are), because of the isolation of the Process Control Network; that doesn't mean their admin systems will be safe.

It really doesn't need much imagination to realise that the major powers will be putting substantial effort not only into defeating these attacks, but creating one of their own (as appears to be the case here). With the globalisation of IT, the same problems exist trying to use this malware as an attack vector as there are in using poison gas. Doesn't stop it being made, though.

Jaded

  • The Codfather
  • Formerly known as Jaded
Re: That ransomware attack
« Reply #12 on: 13 May, 2017, 12:42:26 pm »
This attack isn't about Linux and OSX, it is about the vulnerability of the OSs that run 90% plus of the world's desktops. Still, nothing like a smokescreen.

M$ want users to upgrade. Once a large organisation goes computerised it slams a massive capital peak into the business plan every x years. The patch should have been automatic and free. The organisations will upgrade eventually.
It is simpler than it looks.

Re: That ransomware attack
« Reply #13 on: 13 May, 2017, 01:03:18 pm »
Did I say industrials were OK? Nissan appears to have succumbed, allegedly (although it could always just be desktops)

This one may not be about Linux/OSX, but imagine if it was. Yes, it is more difficult, but not impossible (eg, Apache)

Re: That ransomware attack
« Reply #14 on: 13 May, 2017, 01:05:59 pm »
Anything that you buy has an expected lifetime. A hospital wouldn't expect to buy a bed and have it maintained by the manufacturer for ever. Why should computers be any different?
Quote from: tiermat
that's not science, it's semantics.

Jaded

  • The Codfather
  • Formerly known as Jaded
Re: That ransomware attack
« Reply #15 on: 13 May, 2017, 01:12:19 pm »
It is an interesting question. You'd have to go ask the Boards.

Do beds get malware?
It is simpler than it looks.

Re: That ransomware attack
« Reply #16 on: 13 May, 2017, 01:26:15 pm »
Over the years, we've had more and more security issues, due to a mixture of poorly written and implemented software, and people's tendency to not bother implementing any security themselves, and click on anything that's offered to them.

Slowly, people are noticing this, and gradually implementing solutions, but the black hats move faster. :(

Some security solutions have been implemented; things like Windows Defender and fairly freely available anti-Virus software from many of the commercial anti-Virus companies, but on the flip side, email clients which let you freely click on anything, poorly secured things like Shockwave via web-browsers, and Windows networking, have all made it far too easy for the average user to become infected.

Ultimately, I'm not sure what the solution is, but organisations like the NHS, ought to be quite capable of ensuring reasonable security, if they (i) back up PCs, (ii) ensure out of date vulnerable OSes and applications are replaced, (iii) update current OS and applications with patches, (iv) block most attachments to emails at their Intranet borders, and (v) have fairly stringent firewalls.  I do most of that at home, so your average organisation should be capable of achieving it.
Actually, it is rocket science.
 

David Martin

  • Thats Dr Oi You thankyouverymuch
Re: That ransomware attack
« Reply #17 on: 13 May, 2017, 01:28:26 pm »
I would expect beds to be vulnerable, after all lightbulbs are.
"By creating we think. By living we learn" - Patrick Geddes

Re: That ransomware attack
« Reply #18 on: 13 May, 2017, 01:34:14 pm »
It is an interesting question. You'd have to go ask the Boards.

Do beds get malware?

They break. They get replaced. It's an expected cost, you build it in to the normal running costs.

If the manufacturer said the expected life is ten years but you decided to risk using it for longer to save money, and then the legs fell off, should the manufacturer say "we told you not to use it for more than ten years, but here's some free replacement legs"?
Quote from: tiermat
that's not science, it's semantics.

Re: That ransomware attack
« Reply #19 on: 13 May, 2017, 01:47:37 pm »
Most hospitals have failback paper for critical systems, only it ain't that simple, as this demonstrates. Those backup systems are focussed on avoiding death by IT. Only, that's not the whole story.

There are multiple and complicated reasons why the systems are downversion, normally because of the cost associated with remediation. Most organisations get around that sort of thing by setting artificial dates by which the old systems will be decommissioned, separate from the budget needed to do so. The patching frequency is only one element of the picture. I'd hazard a guess that it's only a minority of user systems on XP, anyhow.

Morat

  • I tried to HTFU but something went ping :(
Re: That ransomware attack
« Reply #20 on: 13 May, 2017, 01:51:31 pm »
Between the NHS and MS, the computer systems that run our health service were left vulnerable to an attack that was always going to come. MS know the NHS run XP, the NHS knew they were vulnerable*. The management of each organisation should be ashamed of themselves.

*if they didn't know, they're equally culpable.
Everyone's favourite windbreak

Kim

  • Timelord
    • Fediverse
Re: That ransomware attack
« Reply #21 on: 13 May, 2017, 02:55:30 pm »
I would expect beds to be vulnerable, after all lightbulbs are.

Let's not even think about the actual medical equipment.  Security through obscurity is the standard.

Kim

  • Timelord
    • Fediverse
Re: That ransomware attack
« Reply #22 on: 13 May, 2017, 03:03:45 pm »
It's possible that a decision was taken that extended support was more expensive than 0.15 BTC per PC. It probably is. What's not clear is why *any* document would be stored on a local PC if it couldn't be replaced quickly and easily. Anything could happen; rebuilding a PC to a clean state should be quick and easy.

Exactly, at one point we used to run a semi-scorched earth policy on our desktops.

[...]

It kind of tailed off but the principles have stuck with me.

This is by far the best approach, IMHO.  Not so much because it prevents disasters, but because it greatly increases your immunity to them.  It's much easier to robustly back up data in one place where it's looked after by competent tech people, and as soon as you've got more than a handful of desktops, everything that isn't automated becomes a massive time sink.

Plus it's a mug's game trying to recover data, be it from malware infection or hardware failure.  Blow it away or replace the faulty part and restore the data from backup: One procedure that you test often enough to be sure that it works, rather than hours of fucking about and still not being sure that the malware is gone.


Anyway, the NHS IT bods already know what they're doing.  They just don't have the resources to do things properly on the massive scale involved.  I'm sure as much of that is structural, as well as budgetary.



It was only a matter of time before something like this happened.  And the NHS is just the canary, on account of the newsworthiness of a large failure.

Re: That ransomware attack
« Reply #23 on: 13 May, 2017, 04:21:34 pm »
It's a lot bigger than just our NHS.

MS bear some of the blame IMO. 

Quote
Many jobs can be done using software everyone can buy, but some businesses need programs that perform very specific jobs - so they build their own.
For example, a broadcaster might need specialist software to track all the satellite feeds coming into the newsroom, and a hospital might need custom-built tools to analyse X-ray images.
Developing niche but useful software like this can be very expensive - the programming, testing, maintenance and continued development all adds up.
Then along comes a new version of Windows, and the software isn't compatible.

Years ago we built an information system based on DOS.  Fine until MS dropped DOS.  Then our expensive application was toast.  So was the company providing the intermediate programs.  That would have cost millions.  MS simply couldn't care less.
Move Faster and Bake Things

Re: That ransomware attack
« Reply #24 on: 13 May, 2017, 04:30:38 pm »
Anything that you buy has an expected lifetime. A hospital wouldn't expect to buy a bed and have it maintained by the manufacturer for ever. Why should computers be any different?
Are you saying that software wears out? Interesting. Could you explain the process, please?

I'd be happy to be able to pay a reasonable amount & have up to date security patches, instead of having to get all-new software with built-in downgrades & bugs, but I can't. I'd also like the option to buy minor upgrades at a reasonable price, but again, that's not offered.
"A woman on a bicycle has all the world before her where to choose; she can go where she will, no man hindering." The Type-Writer Girl, 1897