Ed P

Forum Replies Created

Viewing 20 posts - 4,421 through 4,440 (of 4,843 total)
  • in reply to: Protecting Against Ransomware #7393
    Ed P
    Participant
      @edps
      Forumite Points: 39

      It is easy for a politician to speak out of both sides of his mouth. Politicians are well practised at buck passing or giving orders while simultaneously saying ‘No Extra Money’.

      My Hospital Trust invested wisely and avoided the IT problems but was placed in ‘special measures’ for ignoring budget constraints. Maybe yours was as well Richard!

      Anyway to turn to less contentious items and get the taste of Hunt out of my mouth; one piece of good news was that some Brit probably accidentally saved the world megabucks in productivity by stopping the Ransomware worm’s propagation dead in its tracks (at least for a time). Link to hero and his story – this could easily get Slashdotted as I think the individual only has a limited bandwidth.

      in reply to: Protecting Against Ransomware #7391

        Update: I managed to grab the workstation service manual for a Philips CT scanner. I have no idea what OS it runs from this documentation. I would defy any IT Manager to risk putting his paws on what appears to be a fully integrated server, DASD and Process Control computer whose main access is direct to the Hospital’s database system. I could probably manage to break (as in destroy) something in a system like this but I would not risk trying to do anything constructive such as patching it. The Philips machine is to all extents and purposes a black box that happens to contain a computer. I stand by my earlier speculation that any firmware updates are OEM only.

         

        in reply to: Protecting Against Ransomware #7389

          Actually Richard if you search on CT scanners it is very hard to find out exactly what embedded operating system they are using.  I do not think you can blame any technician for not knowing what is in the box any more than you can blame a PC user for not knowing they have Linux in their router. IF (deliberate emphasis) there is the unlikely event that Windows CE was used in a CT scanner, no-one would know.

          I would bet that Siemens use their OS and that Toshiba use a Linux variant, but it is anyone’s guess what GE use. However you can be pretty sure that they all use smb as a generic interface, and I would bet big money that until a year or so ago it was the generic smb1 in their firmware. I would further guess that firmware upgrades (if only for medical insurance reasons) are under the strict control of the CT provider and their maintenance agreements.

          My additional guess is that any PC equipment (none are shown in any used CT equipment purchasing list)  is wired alongside the CT scanner and used as a comms device to interface to the hospital network. Just whose inventory that appears under is anyone’s guess but I’ll place a small bet that it is not office systems. I’ll also place a small bet that it is very low down in the pecking list for an upgrade.

          All speculation I’ll admit but based on known facts and reasonable extrapolations. Bottom line, do not blame the hospital techs. If you must blame anyone then blame Hunt and his inflexible targets.

          in reply to: How Do You Solve a Problem Like Korea? #7386

            Even if the US drops US dollar bills they are valueless as the DPRK have probably one of the best dollar bill forgery set-ups in the world. link

            in reply to: Protecting Against Ransomware #7381

              “PPS, it is time to black block list all software crapware vendors who mandate only one browser ever be used with their crapware until such time as they make their offering agnostic. As for insisting on the use of IE6 or something else a dinosaur sat on or used when it was at school, bankrupt the stupid XXXXs with extreme prejudice. There was an offering a little while ago that could ape obsolete software while running on secure, usable hardware/software, was it Browsium and is it still available? A quick check suggests it is still offered and its web site suggests it would have been of some interest to those stuck with crapware.”

              Dave could give a definitive response (if he is allowed), but IIRC nearly all IE6 requirements in the UK were as a result of Civil Service failures to spend the money to update XP era software that was written to Civil Service specs  but  hard-coded with OLE controls. i.e. it was caused by clueless Mandarins reporting to clueless Ministers failing to grasp that software like hardware depreciates over time.

              in reply to: Protecting Against Ransomware #7375

                I accept that there are always crude ways of air-gapping such as using a USB stick or even printing.

                Forgetting for the moment the horrendous control problems with sticks, if you go back to manually transporting all the data you lose a lot of productivity. Mandating air-gapping everything deemed critical brings its own (I think bigger) issues.

                There are of course ways of accomplishing pseudo-airgapping (for example a crude method could be interposing a secure Linux box with rigorous rules on file transfers). However these ‘solutions’ cost money and add complexity. Better I think to address the root cause and get the NHS funding and targets sorted out.

                As said earlier asking a Hospital Administrator to choose between drugs and PC upgrades was an impossibly hard requirement.

                (It has always been one of my biggest bitches about the UK Government/Civil Service, they do not seem to understand the differences between expense, depreciation and capital.)

                in reply to: How Do You Solve a Problem Like Korea? #7371

                  a good old subvert US lead coup is probably on cards. I love a good thriller.

                  I think if you are even vaguely suspected of being involved in planning for a coup then you will end up like the poor sod at KL airport, a swift whiff of Tabun, Sarin or Vx up your nose. In all probability the same then happens to the next couple of levels of your friends, family and colleagues. After 60 years or so of autocratic rule and brain-washing in schools I think a coup option is currently unlikely.

                  in reply to: Protecting Against Ransomware #7370

                    “And you thought it was all button pressing?!”

                    It used to be pretty much that, except that a lot more info was given up front, whether you wanted it or not. Times have changed!

                    in reply to: Protecting Against Ransomware #7361

                      Richard if I go back nearly 30 years ALL our process control computers were completely air-gapped from the outside world.

                      Unfortunately (or should I say fortunately) times have moved on, driven by productivity and convenience. Just before this debacle I had to go to my local hospital for scheduled dental work that required a CT scan to show the details of my sinus cavity, and its relationship to the roots of a tooth. The radiography department was a five minute walk from the dental department, but when it was all over the radiographer just pressed a button to wing it all over to the dental surgeon. He did not have to wait for or use a hospital porter, and neither did the dental surgeon. What would have consumed an hour of my time in the old days took maybe 15 minutes at the most. I would estimate that through the day the surgeon gets an extra hour of productive time, and saves a couple of hours in hospital porter time.

                      As it happens I know that this hospital was completely unaffected by the exploit so the embedded device was either patched or attached to a fully patched server. (Visible PCs are all Windows 7).

                      [edit] There is a fair chance that the CT scanner uses an embedded Linux device rather than Windows and Samba would be the normal interface medium.

                      in reply to: Protecting Against Ransomware #7356

                        True Dave, but unfortunately a ‘Critical’ warning is not the same as saying ‘There is zero day exploit code already in the wild for XP, Windows server 2003 and all later versions’ which was the message coming out just a few weeks ago. If things are really serious people need a degree of panic in order to overcome inertia.

                        in reply to: Protecting Against Ransomware #7352

                          Richard, without making excuses, in the other NHS thread, Dave explained why ‘instant’ application of patches is difficult and time-consuming in environments where some bean-counter has ‘saved money’ by insisting on not replacing/upgrading all the components of a whole systems environment. Add in a dash of caution – Managers getting heavily censured by their Board equivalents for the outages/delays caused by failed patching/upgrading and there are a lot of pressures to thoroughly test each patch in each of the different variety of machines within the IT eco-system (using sand-boxed cloned test machines). This all takes time, and I could easily see such testing taking a month even for a clean well managed system. More if ‘Management’ insist on getting ‘Industry’ experience/feedback before doing the wholesale patch. (Patching individual elements is often not possible).

                          Three months ago Microsoft released the patches as part of their normal security update cycle. There were no fanfares announcing the dire consequences of delaying the patch (that only emerged a couple of weeks ago.). While I think a three month delay in patching is unacceptable you are perfectly correct to point a condemning finger at not only the IT bods but also their Management (all the way to the top of the tree.)

                          Education of a bunch of Arts graduates and Legal bods (MPs and Secretarial level Civil Servants) in the practicalities of running a complex IT system would be a laudable but I fear impractical goal and outcome for this mess.

                          in reply to: Protecting Against Ransomware #7349

                            M$ were damned if they did nothing, just as they are damned for giving lazy management a get out of jail free card.

                            I’m just waiting for similar malware to hit India – then we should get some squeals of pain from the traitorous bean-counters who ‘right-shored’ our vital IT systems. It is not just Indian PCs and Servers that are vulnerable, computer mainframes are just as susceptible to virus/Trojan attack – perhaps even more so as few believe or know that they are equally capable of being pwned. (It is however a lot harder to write such a VMS Trojan and get it installed – but the cost of subverting or pressuring an employee in India is a lot lower).

                            The day a Corporate or major Bank’s cloud gets nadgered is the day the criminals really hit pay-dirt. (particularly if the criminals let five or six backup cycles elapse before triggering their malware!).

                            in reply to: LG 360 Cam #7339

                              Was up early so did the shot of the Magic Roundabout. https://kuula.co/post/7lm1j

                              A bit more attractive than the Magic Roundabout I used to have to use (or avoid).

                              There used to be a lot of USAAF bases to the north of Hemel Hempstead, and the Yanks I knew would drive miles out of their way in order to avoid it. To them it had all the horrors of National Lampoon’s European Vacation cubed!

                              in reply to: LG 360 Cam #7335

                                I can watch kuula VR on Windows using Edge but it just gives a black screen in Firefox under Linux. Anyone know what it is missing to activate the feature?

                                in reply to: How Do You Solve a Problem Like Korea? #7334

                                  Someone who failed Science GCSE wrote that and confused horizontal range with altitude!

                                  The DPRK have been producing viable missiles for years – the now venerable Scud missile originated there. Given times have moved forward 25 years or so it would not surprise me to learn that they now have one or two rockets capable of ICBM range – accuracy and reliability is however far more questionable. It is also questionable whether they have yet miniaturised their nuclear weapons to the extent that they fit on such a rocket. IRBMs are a different and far more thorny issue – they have demonstrated such rockets both for land and submarine based assets, they may well be nuclear capable. The shorter range missiles could cause immense damage in the Japan/ROK/Pac Islands area and there is a remote possibility that even Hawaii could be threatened by their submarine based rockets.

                                  You raised a much more thorny question with your post heading. Heavy weight first-strike military options by the US are restricted by the knowledge that the consequent DPRK retaliation would cripple South Korea, severely hurt Japan and maybe eliminate the major US staging posts in Okinawa and Guam. It may even drag a reluctant China into armed opposition. The US had real diplomatic opportunities in the 90s (a coal for food program), but stupid hawks in the US Senate blew that chance, and the DPRK then escalated and hardened their position following the TBLiar/Bush illegal invasion of Iraq. Asians have long memories and I think would completely distrust approaches by the US.

                                  Realistically the US can do little without risking a major damaging conflict, they can only encourage China to try and find moves to de-escalate tensions then take it from there. It may be that Russia could be the best hope of an ‘honest’ broker to kick things off – they still have good relations with both the DPRK and China.

                                  in reply to: Smart plug #7331

                                    I can see value as a burglar deterrent while we are away on vacation, and perhaps link it with a couple of these (lounge, bedroom etc). Although CCTV deters thieves, there is nothing more inviting than a home that looks unoccupied. Timers are OK but they are too inflexible to simulate house occupation and the normal random light switching that takes place.

                                    in reply to: Protecting Against Ransomware #7303

                                      Graham I assume Dave was responding to you, but a snippet I heard on the Beeb implied that pinch-penny measures had resulted in zero separation in control between vulnerable PC systems e.g. email, and Office and the far more critical process control systems that interface with CT/MRI scanners.

                                      Someone being interviewed claimed that his CT scan was stopped mid-scan by the whole system falling over. This suggests to me that the vulnerable system was processing ‘live’ data rather than something that was buffered off-line before being squirted to the Consultant. Nadgering a piece of process control kit is in my mind far more serious and worrying than just stuffing up emails and appointment systems – hopefully the person being interviewed got it wrong and the system only fell over when it could not handshake with the ‘office’ system.

                                      in reply to: Protecting Against Ransomware #7301

                                        Graham I’m sure that many in the NHS IT departments could teach us a thing or two particularly outdated pharts like me. The ones you really want to read this are the clueless senior managers and those who set the budgets in Whitehall.

                                        As an interviewee on the Beeb said, ‘it is grossly unfair to criticise a Hospital Trust for prioritizing cancer treatments over a possible threat to computer systems’, the huge impacts of which just would not be appreciated or believed by those in power. (They probably do now but are still scurrying around in cya mode).

                                        in reply to: NHS ATTACKED #7300

                                          I can see where the UK Corporate was coming from, but it serves them right for not standardising their hardware and software interfaces.

                                          Back when I had systems responsibilities the one word that made us shudder was ‘interfaces’. The interface between the mainframe and the PC network was always and always will be a nebulous PITA. Today the Cloud must have added yet another layer of interface complexity and journalling/versioning management problems. Back in those distant days we insisted on standardising to eliminate as many variables as possible, and luckily we had a management who understood IT systems and would (reluctantly) support upgrading as required.

                                          It’s an area where KISS (keep it stupid simple) really pays off, and you pray that your system never gets nadgered during a period when you are clueless on the state of play across the system (halfway in doing a megabuck SWIFT bank transfer for example). I fear this is going to be a rude awakening and tough learning curve for a lot of companies and their senior managers. However I do feel a lot of sympathy for the poor IT and Accounting sods who will have had a totally ruined weekend and are probably going to pull 18 hour days for the next week or two – not to mention answering a load of stupid post-Audit questions and writing lengthy position papers to try and do a cya for their managers.

                                          in reply to: NHS ATTACKED #7284

                                            Gizmodo has a fairly good international overview of the ransomware picture. Old kit or poor software maintenance are the issues.

                                            Long term security I think will require not just Cloud backup but also a local air-gapped version. It is otherwise not hard to envision an attack on the PC/Cloud interface such as a “Man in the Middle” exploit. I’m afraid that I view the Cloud as a potential actor in future exploit scenarios. For those reasons I think Dave’s belt, braces and piece of string backup regime is probably a good blueprint.
