@ricedg
Forum Replies Created
Just watching Have I Got News for You and it’s amazing how much has already moved into myth, i.e. that it was targeted at the NHS by the Norks and was stolen from the NSA.
What has come through unscathed is the Govt’s awful track record on IT projects. As was pointed out, the £6 billion wasted on the CSC project could have paid for the XP upgrade.
I think Handbrake will create the VOB files?
Fake nooos?
That’s funny, Bob, because Norton claim to have done the same. Symantec has uncovered two possible links that loosely tie the WannaCry ransomware attack and the Lazarus group:
They were the first to discover Contopee.
The idea that Lazarus are linked to North Korea comes from the Americans in the first place; there is no “proof” that I know of.
I see in a carefully worded denial the NSA say the code “was not a tool developed by the NSA to hold ransom data. This was a tool developed by culpable parties, potentially criminals or foreign nation-states.” AFAIK no-one had said the NSA created WannaCry, but they did write the code that allowed it to spread.
Funny how it all involves the Americans in one way or another.
I’m just changing the charity from Norton to Bitdefender Gravity Zone. All over the website.
“Bitdefender next-generation machine-learning and memory introspection technologies ensure that Enterprises worldwide have always been safe from the WannaCry ransomware mega-attack and the underlying EternalBlue zero-day exploit”
I’m sure it’s all true, but you cannot rely on anything to stop a zero-day, so you need to take steps to mitigate any attacks that get through. In the case of ransomware, if it can see it, it’ll encrypt it. So you have to make sure it can’t see your backup device, or that device has decent versioning so you can roll back to an unencrypted version. But that versioning database has to be hidden away or it’ll get encrypted too.
That’s why I use Cloud Station. The only thing visible on the PC is the Cloud Station folder(s). The previous versions are all out of sight on the Synology NAS. I also have PCs imaging themselves to a NAS share which could get encrypted, but that share is backed up to an external drive on the NAS which again is out of sight. TBH I don’t worry too much about the PCs; they are easily rebuilt these days. It’s the data where the business value lies.
The early theories were it wasn’t a nation state as it’s quite crude. If it is, China and Russia have been hit badly but in the last 24 hours Putin was saying lay off the Norks.
Let’s not forget where the original code for the exploit actually came from.
Does remind me of some threads on here that I have definitely contributed to (mine is the superior onion).
My kids sent me this today: Theresa May – Strong and Stable (Windows XP Edition)
The idiot newspaper reviewers on Sky this morning were speculating about planes falling from the sky. They were sports journalists FFS.
Going back a few posts to the IE6 issue, I couldn’t possibly comment as I don’t know the definitive answer. But I wouldn’t be at all surprised if the speculation was true.
EDIT: just seen Jeremy Hunt trying to totally divert attention away from himself. Blaming Corbyn etc. for voting against the latest RIPA laws and lots of totally irrelevant party political bollocks. Where are the people who can ask the proper questions of these jerks? Even the BBC Breakfast red sofa lot did a better job this morning on the Govt security bod put in front of them.
Legacy compatibility. Legacy is the thorn in the side of Microsoft. MS tried ditching legacy with W8 for ARM; look where that ended up.
There is a Microsoft blog from 2015 “The Deprecation of SMB1 – You should be planning to get rid of this old SMB dialect”.
This is publicly available information issued in advance of the patches, all you need is a (free) Microsoft Account. Then go here – use IE or Edge – and set your preferences with options to receive email notifications such as this:
The Comprehensive Updates version serves as an incremental supplement to Microsoft’s Security Notification Service. It provides advance notification of upcoming security bulletins and timely notification of any minor changes to previously released Microsoft Security Bulletins as well as notification of new or revised Security Advisories. These notifications are written for IT professionals and contain in-depth technical information.
Anyone doing dedicated IT Support, whether in house or not, will know of this service. Larger organisations will have a more in-depth relationship with MS, which was the case where I was. In the normal course of events we (the outsourced Technical Dept) compiled the information for discussion with the customer’s Security Dept in advance of Patch Tuesday and dealt with the roll out process, Change Control etc. In cases such as this Security would pre-empt that by saying we want MSxxxxx rolled out to an accelerated timetable, and may attend Change Control meetings with us so there was no doubt in people’s minds that this was a priority (Change Control can by nature be very conservative).
There is no excuse whatsoever for any IT Dept to say they don’t know what patches are coming up and what they are for and I doubt that is where the problem lies.
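As a worked check for the two points above (the 2015 SMB1 deprecation blog and the advance bulletin notification for MS17-010), here is an added PowerShell example. It is not from the post and not Microsoft’s code: a read-only audit of one host’s exposure, plus the remediation the deprecation blog recommends. It assumes PowerShell 5.1 running elevated on Windows 8.1 / Server 2012 R2 or later (for Get-SmbServerConfiguration and Get-NetTCPConnection); older hosts fall back to the registry and report the port state as unknown. The KB IDs that deliver MS17-010 differ per OS and must be taken from the bulletin’s Affected Software table; the ones in the usage line are examples to verify there.

```powershell
<#
  Added example, not from the forum post and not Microsoft's code.
  Assumptions: elevated PowerShell 5.1 on Windows 8.1 / 2012 R2 or later; the
  MS17-010 KB IDs are supplied by the caller from the bulletin for this OS.
#>
function Test-Ms17010Exposure {
    [CmdletBinding()]
    param(
        # KB article IDs that carry MS17-010 for this OS (from the bulletin's table).
        [Parameter(Mandatory)]
        [string[]]$Ms17010Kb
    )

    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # 1. Is the SMBv1 server still enabled? Prefer the SmbShare cmdlet; on hosts
    #    without it read the LanmanServer 'SMB1' value (absent = on by default).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $val = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $smb1Enabled = ($null -eq $val) -or ($val -ne 0)
    }

    # 2. Has one of the MS17-010 updates for this OS been installed?
    $applied = @(Get-HotFix | Where-Object { $Ms17010Kb -contains $_.HotFixID })

    # 3. Is anything listening on TCP/445? (Listening state only; host firewall
    #    rules are not evaluated here.)
    $port445 = 'unknown'
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $listen = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
        $port445 = if ($listen) { 'listening' } else { 'closed' }
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        OS             = $os.Caption
        SMB1Enabled    = [bool]$smb1Enabled
        MS17010Applied = ($applied.Count -gt 0)
        AppliedKBs     = ($applied.HotFixID -join ',')
        Port445        = $port445
        # Exposed to the spreading path: SMBv1 on, no patch, port open or unknown.
        Exposed        = ([bool]$smb1Enabled -and $applied.Count -eq 0 -and $port445 -ne 'closed')
    }
}

# Remediation the deprecation blog recommends regardless of patch state: turn SMBv1
# off. Supports -WhatIf so the change can be dry-run before Change Control.
function Disable-Smb1Server {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable the SMBv1 server protocol')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}

# Usage (KB IDs are examples for Windows 7 / Server 2008 R2; verify against the bulletin):
# Test-Ms17010Exposure -Ms17010Kb 'KB4012212','KB4012215' | Format-List
# Disable-Smb1Server -WhatIf
```

The output object is deliberately flat so that the same function can be run across an estate with Invoke-Command and the results dropped straight into the kind of severity matrix described later in this thread; the Exposed flag is the one Security would want to see before the next Change Control meeting.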
A quick explanation of Change Control. If you wish to change specific parts of the infrastructure or over a certain percentage of the estate you must get permission from the Change Control board. You need to present your implementation plan in a highly formal way and also include the plan for roll back in the case of problems arising. Before you even attend the board you need to get sign off of those plans by certain high level technical and production representatives. I’ve spent many a happy hour before cut off chasing some very senior people. At the board you present your plan which is then discussed and you either get the go ahead or are told to have a rethink because they don’t like X, Y or Z. I used to hate it as you get some very senior (career threatening level) types attending or listening in and sometimes you have to be robust in defending your corner.
And you thought it was all button pressing?
As Ed mentioned in the other thread, board members, like civil servants, often have arts or legal degrees. They’ve usually got up the greasy pole by back stabbing and can be entirely self serving. One particular IT manager I knew used to make sure he didn’t spend all his budget to impress his boss (the Finance Manager) at appraisal time with his financial acumen. I used to spend all mine and go back for more.
Such “embedded” devices or even separate control PCs are widespread in the defence and postal sectors too. But as I mentioned earlier they are thoroughly isolated and air gapped. The problem that I have seen with my own eyes is that XP isn’t just in use on such systems, it’s still in widespread use on clinicians’ PCs too.
Speculation. Just getting the patches out on (maybe) unaffected PCs (this malware can lie dormant for weeks) will I suspect be a manual affair as you can’t risk putting a machine back on the network. Problem is if they’ve disabled the USB and DVD drives by policy or software you may not be able to do even that (as you have to have it on the network to change the policy). I think I’d just be rebuilding the lot and be done with it.
The problem I have seen with line of business software isn’t so much that it won’t work on a particular o/s, but that it will only work in a particular browser. And of course it costs money to put that right. The other thing with obsolete o/ses is that you may not be able to run up to date apps and those apps will have vulnerabilities too. Patch XP and you still have holes elsewhere.
EDIT – Ed, MS did warn of dire consequences. Each patch comes with an Affected Software and Vulnerability Severity Rating by o/s. I used to put these into a matrix for review by the Security Dept to decide if an accelerated roll out was required for a particular patch. In cases like this Security would have been on to us as MS would have pre-warned them.
In the case of MS17-010 it’s Critical / Remote Code Execution pretty much across the board (link), enough to have alarm bells ringing.
The problem with repeaters is there’s rarely a power socket in the right place, even if you know where the right place is. Mostly Joe Public think it’s where there is no signal.
Back on topic, personally I can’t think of a single place where a smart plug would be of any use to me. Apart from some pranking.
Ed, it probably won’t surprise you to know it’s in the wider Finance sector i.e. not a bank but a similar mentality at the top.
I have to say all the Corporate accounts I’ve worked on (postal, defence, nuclear) have a very pragmatic approach that balances caution with speed. They are also not afraid to let the Security bods override the process. In turn they take their brief from MS and other industry sources. However I’ve been to the dreaded change control meeting to present an accelerated roll out and had to bring in big guns from HQ more than once. Some tin gods love hassling contractors, but watch them back down when someone who can threaten their career appears.
Clearly not.
Making an automatic backup is easy; keeping it away from the PC is the hard part. The cloud is just as “always connected” as a plugged-in USB drive is if you use automatic synchronisation.
Bob, the patch didn’t include XP as it’s long out of support. However MS did release one for XP and Vista today. The NHS is still riddled with XP systems on the production LANs. I would say with I suspect 99% accuracy that the bean counters wouldn’t pay for the back end systems to be updated. It always takes something like this and it will not be a quick fix. This sort of project can take years, especially in Govt Depts.
The patch wouldn’t stop the first infection (you would hope your AV did that) but it stops it spreading via the exploit the NSA found and kept quiet about. So those organisations caught out, like Telefonica with 85% penetration, were either running wholesale XP, which I doubt, or have a patching policy problem.
One big UK Corporate I know of (not Defence Industry, they are on the ball) had 5 “gold” builds – one for each PC hardware variant. They then had 5 or 6 flavours of software installs depending on Dept. Finance would have SAP, the customer facing parts CRM, you get the idea. Before the patches were allowed on the production LAN they have to be tested on each permutation to make sure they wouldn’t disrupt line of business. By one bloke, that’s all they would pay for.
You can see why they do it, but that ultra caution gives the bad guys time to get their act together. I wouldn’t be surprised if that’s the reason for some of the big boys getting caught out. Not incompetence as such, but a too rigid and over cautious process. Once a policy is in place in a Corporation it can be very difficult to get it changed, career threatening even.
I’m not surprised, morally they’re between a rock and a hard place on this one. They’ve done the right thing this time, but I can’t see it happening again.
In any case it won’t help with the clear up operation, the PCs are nadgered and the data is encrypted. Even when the data is restored from backups you still need a PC to access it.
Server 2012 is still supported, the MS life cycle isn’t that short!
Products Released | Lifecycle Start Date | Mainstream Support End Date | Extended Support End Date
Windows Server 2012 Essentials | 01/02/2013 | 10/09/2018 | 10/10/2023
Windows Server 2012 R2 Essentials | 11/25/2013 | 10/09/2018 | 10/10/2023
Windows Storage Server 2012 R2 Essentials | 9/25/2014 | 10/09/2018 | 10/10/2023
As usual I am now totally lost as to what Richard’s point is and who it’s aimed at.
So some other large organisations were as bad at IT security as the NHS, probably lack of timely patching or still running obsolete o/ses on the production LAN. It’s no excuse for the NHS to say we weren’t alone. EDIT: did TalkTalk defend their data breach by saying we’re not the only one? If they did the response would have been why didn’t you learn then? This is also by no means the first ransomware attack on an NHS Trust.
I know of large Corporates who still run XP machines where they have to, but they are on thoroughly isolated LANs in the same way you’d deal with a Secret network (as in Protected C information level).
What happens when the “island” Trusts reconnect to the wider network, which they will have to do soon as many systems are national? Like Sasser, once this infection is in a network it spreads from vulnerable to vulnerable PC and you can’t patch an old XP or Vista box, the patch doesn’t exist.
The investment in replacement PCs should have been done gradually over the years, like everyone else did. Not ignored until the inevitable happened.
I’m not sure about fertilizer showers, but I can see a total lack of understanding of the situation as it really is.
Be in no doubt, this one is big and it’s going to be very difficult to recover from in a timely fashion.
EDIT – just watching Newsnight and it’s the best coverage I’ve seen so far. Mangled terminology but the meaning is there. No data “loss”? Well, maybe, if the backups of encrypted data aren’t robust, and then there’s the data changed between the backup and now. There’s certainly data loss whilst the system is down, hence the cancelling of treatment. But the thrust is that lack of investment is the major factor in the problems of mitigating the effects.
For those that remember a recent thread on ransomware, my argument was that you put your efforts into mitigation. Sure you do all you can to prevent it, i.e. AV and patch, which would have stopped this one, but you plan for the worst. Hence my strategy of using Synology NAS and Cloud Station with versioning, daily backups to an external drive and weekly archiving to AWS.
For those here that still think that having ultimate control of your patching is the show stopper for migrating to 10, this is a wake up call. Whatever o/s you are on let MS do what MS think is best. Sure there’s the occasional PITA but compared to this…
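The backup posts above make one point repeatedly: if the ransomware can see the backup it will encrypt it, so previous versions must live somewhere the PC cannot reach. Here is an added PowerShell example of that principle using nothing but a NAS share; it is not from the posts and is not Synology’s Cloud Station. All names are hypothetical: the NAS exports \\nas\backup$ to a backup-only account whose credential was saved with Get-Credential | Export-Clixml (DPAPI-protected, readable only by the account that saved it); the interactive user has no rights on that share; it is never mapped as a persistent drive; and the job runs as a dedicated scheduled-task account, so nothing in the user’s session holds an SMB session to it.

```powershell
<#
  Added example, not from the forum posts and not Synology's Cloud Station.
  Assumed (hypothetical) names: \\nas\backup$ exported to a backup-only account,
  credential saved with  Get-Credential | Export-Clixml C:\ProgramData\Backup\nas.cred
  Run as a dedicated scheduled-task account, never as the interactive user.
#>
function Backup-VersionedFolder {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Source,         # e.g. C:\Data
        [Parameter(Mandatory)][string]$ShareRoot,      # e.g. \\nas\backup$\pc01
        [Parameter(Mandatory)][string]$CredentialFile, # PSCredential saved with Export-Clixml
        [int]$Keep = 14                                # dated versions to retain
    )
    $Source = (Resolve-Path -Path $Source).ProviderPath.TrimEnd('\')
    $cred   = Import-Clixml -Path $CredentialFile

    # Connect the share only for the duration of the job and only in this session.
    New-PSDrive -Name BK -PSProvider FileSystem -Root $ShareRoot -Credential $cred -ErrorAction Stop | Out-Null
    try {
        # Every run writes into a fresh dated folder. Earlier versions are never
        # opened for writing, so an encrypted copy of today's files cannot replace
        # yesterday's.
        $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
        $target = Join-Path 'BK:\' $stamp
        New-Item -ItemType Directory -Path $target | Out-Null

        $files = @(Get-ChildItem -Path $Source -Recurse -File)
        foreach ($f in $files) {
            $rel  = $f.FullName.Substring($Source.Length + 1)
            $dest = Join-Path $target $rel
            New-Item -ItemType Directory -Path (Split-Path -Parent $dest) -Force | Out-Null
            Copy-Item -Path $f.FullName -Destination $dest
        }

        # Verify the copy before trusting it: same file count, same total size.
        $copied = @(Get-ChildItem -Path $target -Recurse -File)
        $srcSize = ($files  | Measure-Object Length -Sum).Sum
        $dstSize = ($copied | Measure-Object Length -Sum).Sum
        if ($copied.Count -ne $files.Count -or $srcSize -ne $dstSize) {
            throw "Backup $stamp is incomplete; leaving it in place for inspection."
        }

        # Retention: keep the newest $Keep dated folders and prune the rest. The
        # names sort chronologically because of the timestamp format.
        Get-ChildItem -Path 'BK:\' -Directory |
            Where-Object { $_.Name -match '^\d{8}-\d{6}$' } |
            Sort-Object Name -Descending |
            Select-Object -Skip $Keep |
            Remove-Item -Recurse -Force

        return $stamp
    }
    finally {
        # Drop the connection; the share disappears from this host again.
        Remove-PSDrive -Name BK -Force
    }
}

# Usage, as a scheduled task running under the dedicated backup account:
# Backup-VersionedFolder -Source 'C:\Data' -ShareRoot '\\nas\backup$\pc01' `
#     -CredentialFile 'C:\ProgramData\Backup\nas.cred' -Keep 14
```

The transient drive mapping is the visible part, but the real protection is the share permissions: the account the user (and anything running as the user) logs on with must have no rights on the share at all, otherwise a process in that session can simply open the UNC path while the job’s SMB session exists. Pruning by count rather than age also means a run that copies encrypted files still leaves the previous clean versions untouched until enough genuine runs have followed it, which is the roll-back window the posts rely on.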