NHS ATTACKED

  • #7275
    Richard
    Participant
      @sawboman
      Forumite Points: 16

      At least you have stopped the fertilizer dump, I’d hope you will be stumping up for the investment in what is it, 40,000 PCs, 80,000 PCs?

      Just why are a whole raft of other businesses also suffering?

      Or would it be impudent to ask why they are affected?

      Were you even aware that PCs cost money, and that deployment can cost three times or more of their purchase price? Still, we could cancel a few NHS appointments.

      Or we could get rid of some of the dross managers, like the one empire builder I know of who was slowing down work so that other departments would apply pressure and he could try to justify a bigger staff count to give him more clout at managerial meetings.

      Or staff who did not care to know that a process could do 40 times the work rate it was currently doing if it was used correctly? The bringer of this information was happy to move onto another location when the staff were unable to use the information or equipment correctly.

      Come to think of it, that might have paid for a few of the PCs that you so crave.

      At least those switched on locations who pulled their internet/intranet plugs this afternoon did the right thing, hooray for them if, big IF, that is the whole story.

      Relax and stop the fertilizer shower.

      #7276
      Dave Rice
      Participant
        @ricedg
        Forumite Points: 7

        As usual I am now totally lost as to what Richard’s point is and who it’s aimed at.

        So some other large organisations were as bad at IT security as the NHS, probably lack of timely patching or still running obsolete o/ses on the production LAN. It’s no excuse for the NHS to say we weren’t alone. EDIT did TalkTalk defend their data breach by saying we’re not the only one? If they did the response would have been why didn’t you learn then? This is also by no means the first ransomware attack on an NHS Trust.

        I know of large Corporates who still run XP machines where they have to, but they are on thoroughly isolated LANs in the same way you’d deal with a Secret network (as in Protected C information level).

        What happens when the “island” Trusts reconnect to the wider network, which they will have to do soon as many systems are national? Like Sasser, once this infection is in a network it spreads from vulnerable to vulnerable PC and you can’t patch an old XP or Vista box, the patch doesn’t exist.

        The investment in replacement PCs should have been done gradually over the years, like everyone else did. Not ignored until the inevitable happened.

        I’m not sure about fertilizer showers, but I can see a total lack of understanding of the situation as it really is.

        Be in no doubt, this one is big and it’s going to be very difficult to recover from in a timely fashion.

        EDIT – just watching Newsnight and it’s the best coverage I’ve seen so far. Mangled terminology but the meaning is there. No data “loss”? Well, maybe if the backups of encrypted data aren’t robust, and then there’s the data changed between the backup and now. There’s certainly data loss whilst the system is down, hence the cancelling of treatment. But the thrust is lack of investment is the major factor in the problems of mitigating the effects.

        For those that remember a recent thread on ransomware my argument was that you put your efforts into mitigation. Sure you do all you can to prevent it i.e. AV and patch, which would have stopped this one, but you plan for the worst. Hence my strategy of using Synology NAS and Cloud Station with versioning, daily backups to an external drive and weekly archiving to AWS.

        For those here that still think that having ultimate control of your patching is the show stopper for migrating to 10, this is a wake up call. Whatever o/s you are on let MS do what MS think is best. Sure there’s the occasional PITA but compared to this…

        #7280
        Ed P
        Participant
          @edps
          Forumite Points: 39

          As I mentioned earlier, it is NOT the NHS that has been attacked, just the parts of it that have not invested wisely, be that in equipment or staff training. My local medical systems are all up and running as normal. Although they generally run Windows 7, I do not recollect seeing XP era kit anywhere within this region’s Health Authority.

          However, I guess even this region are going to have to budget for a Win10 upgrade within the next couple of years as Win7 support stops iirc in 2020. What to me was a bit of a killer blow was the Ars mention that Windows Server 2012 was vulnerable as I doubt that any local servers of that vintage have been upgraded. Hopefully that was a typo.

          #7282
          Dave Rice
          Participant
            @ricedg
            Forumite Points: 7

            Server 2012 is still supported, the MS life cycle isn’t that short!

            Products Released / Lifecycle Start Date / Mainstream Support End Date / Extended Support End Date
            Windows Server 2012 Essentials / 01/02/2013 / 10/09/2018 / 10/10/2023
            Windows Server 2012 R2 Essentials / 11/25/2013 / 10/09/2018 / 10/10/2023
            Windows Storage Server 2012 R2 Essentials / 9/25/2014 / 10/09/2018 / 10/10/2023

            #7283
            Les.
            Participant
              @oldles
              Forumite Points: 42

              Obviously this is down to XP or unpatched other windoze use, but is some of this made worse by the fact that ONLY XP can support some of the old (in computer terms) equipment which is still young in hardware terms?

              Obviously if this is so, then as Dave says, it should be fully isolated from www access.

              Les.

              #7284
              Ed P
              Participant
                @edps
                Forumite Points: 39

                Gizmodo has a fairly good international overview of the ransomware picture. Old kit or poor software maintenance are the issues.

                Long term security I think will require not just Cloud backup but also a local air-gapped version. It is otherwise not hard to envision an attack on the PC/Cloud interface such as a “Man in the Middle” exploit, I’m afraid that I view the Cloud as a potential actor in future exploit scenarios. For those reasons I think Dave’s belt, braces and piece of string backup regime is probably a good blueprint.

                #7286
                The Duke
                Participant
                  @sgb101
                  Forumite Points: 5

                  I’ve not really read anything into this, bar the first post. And not seen any tv.

                  Just come online and the first thing in my news feed was from RT reporting this is worldwide now, over 100k machines and counting.

                  If this is an xp issue, I have no sympathy for the organisations. But do for the likes of their customers/patients.

                  I’m sure it will be fixed eventually.

                  #7288
                  Tippon
                  Participant
                    @tippon
                    Forumite Points: 0

                    > Obviously this is down to XP or unpatched other windoze use, but is some of this made worse by the fact that ONLY XP can support some of the old (in computer terms) equipment which is still young in hardware terms? Obviously if this is so, then as Dave says, it should be fully isolated from www access. Les.

                    The problem there though is that some of the hardware needs to run on XP, and the machines need to communicate with other systems that possibly need internet access. I’ve had various scans and tests done in Wales where the system running the scanner is XP, but the results need to be sent directly to other systems. If the infection can spread across a network, it only takes one machine to get infected.

                    #7289
                    JayCeeDee
                    Participant
                      @jayceedee
                      Forumite Points: 228

                      Microsoft are issuing a patch for XP – info HERE  on TechNet – and other out of support OS’s.

                      Excerpt from link: Additionally, we are taking the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003. Customers running Windows 10 were not targeted by the attack today.

                      Interesting times!!

                      #7290
                      The Duke
                      Participant
                        @sgb101
                        Forumite Points: 5

                        Ms need to do something, but all it ultimately achieves is the mindset of “we’re OK now”, and overhauls will be set back.

                        I’d like ms to come out big, saying something like

                        “Corporations and governments have been more than aware for many years their infrastructure was insecure due to them not maintaining it. This is not an ms problem, it’s what happens when you don’t adequately protect your network infrastructure. We at ms are constantly creating more secure options, and any system from win 7/8/10, from the last decade, would not have been susceptible to this latest attack.

                        Our latest offerings are the most secure yet, and these establishments know this, they know the risks they take storing vital and sensitive data on aging software but still they decide to use an offering that is almost twenty years old.

                        It’s a very sad occurrence that could have been simply avoided. We at Microsoft will be setting up an extra emergency department to help out any entities that have been affected by this, and those that haven’t upgrade to the most secure and modern system for their needs”

                        That’s how I’d like ms to use this situation, use it as a marketing opportunity. It would help us all, and get rid of 1000s of zombie bot nets off the Web.

                        Don’t patch xp, exploit it ms. After all, patching won’t get the info, it will only stop it [the same attack] happening again. Don’t patch it I say.

                        #7292
                        Dave Rice
                        Participant
                          @ricedg
                          Forumite Points: 7

                          I’m not surprised, morally they’re between a rock and a hard place on this one. They’ve done the right thing this time, but I can’t see it happening again.

                          In any case it won’t help with the clear up operation, the PCs are nadgered and the data is encrypted. Even when the data is restored from backups you still need a PC to access it.

                          #7293
                          The Duke
                          Participant
                            @sgb101
                            Forumite Points: 5

                            Can you see the perpetrator actually giving keys out now? I can imagine they were going for this much exposure.

                            If I’d done this, I would be distancing myself from this. I’d imagine every “special agency” in the world is now on alert for this guy. I wouldn’t be asking for random payments. I’d be hiding in my bed.

                            I reckon it’s a safe bet to say all data is gone. And it’s time to start again (without xp).

                            #7295
                            Bob Williams
                            Participant
                              @bullstuff2
                              Forumite Points: 0

                              I have not read all preceding posts on this thread, but Kaspersky Labs Secure List informs me that Microsoft released a patch on March 14 for the WannaCry ransomware attack. It seems that millions of organisations were busy being Ostriches when this was released. https://tinyurl.com/m56vwgf

                              The Kaspersky Total Security dashboard has “World Virus Activity Review” at lower LH side of the ‘Database Update’ feature, which is where I discovered this: I visit this section at least once a week. As I am not a business and do not use Ms Server, I don’t of course need KB4013389.

                              But it does demonstrate the complete inability of so many worldwide organisations, to follow the steps and take the precautions which might prevent this activity. I forecast great activity in the worldwide IT recruitment field….

                              When the Thought Police arrive at your door, think -
                              I'm out.

                              #7296
                              Bob Williams
                              Participant
                                @bullstuff2
                                Forumite Points: 0

                                Have a bitter giggle at Amber Rudd, the Home Secretary: https://tinyurl.com/n3ptm2n

                                The sound of The Buck flying around, is accompanied by the usual “lessons must be learned”. The Minister who is supposedly responsible, along with the Health Minister, is basically broadcasting her lack of knowledge, whilst attempting to cover that with ‘facts’ that she has misinterpreted. She appears to believe that ‘Cyber’ is a thing: at least, that’s how she uses the word.

                                When the Thought Police arrive at your door, think -
                                I'm out.

                                #7298
                                Dave Rice
                                Participant
                                  @ricedg
                                  Forumite Points: 7

                                  Bob, the patch didn’t include XP as it’s long out of support. However MS did release one for XP and Vista today. The NHS is still riddled with XP systems on the production LANs. I would say with I suspect 99% accuracy that the bean counters wouldn’t pay for the back end systems to be updated. It always takes something like this and it will not be a quick fix. This sort of project can take years, especially in Govt Depts.

                                  The patch wouldn’t stop the first infection (you would hope your AV did that) but it stops it spreading via the exploit the NSA found and kept quiet about. So those organisations caught out, like Telefonica with 85% penetration, were either running wholesale XP, which I doubt, or have a patching policy problem.

                                  One big UK Corporate I know of (not Defence Industry, they are on the ball) had 5 “gold” builds – one for each PC hardware variant. They then had 5 or 6 flavours of software installs depending on Dept. Finance would have SAP, the customer facing parts CRM, you get the idea. Before the patches were allowed on the production LAN they have to be tested on each permutation to make sure they wouldn’t disrupt line of business. By one bloke, that’s all they would pay for.

                                  You can see why they do it, but that ultra caution gives the bad guys time to get their act together. I wouldn’t be surprised if that’s the reason for some of the big boys getting caught out. Not incompetence as such, but a too rigid and over cautious process. Once a policy is in place in a Corporation it can be very difficult to get it changed, career threatening even.

                                  #7300
                                  Ed P
                                  Participant
                                    @edps
                                    Forumite Points: 39

                                    I can see where the UK Corporate was coming from, but it serves them right for not standardising their hardware and software interfaces.

                                    Back when I had systems responsibilities the one word that made us shudder was ‘interfaces’. The interface between the mainframe and the PC network was always and always will be a nebulous PITA. Today the Cloud must have added yet another layer of interface complexity and journalling/versioning management problems. Back in those distant days we insisted on standardising to eliminate as many variables as possible, and luckily we had a management who understood IT systems and would (reluctantly) support upgrading as required.

                                    It’s an area where KISS (keep it stupid simple) really pays off, and you pray that your system never gets nadgered during a period when you are clueless on the state of play across the system (halfway in doing a megabuck SWIFT bank transfer for example). I fear this is going to be a rude awakening and tough learning curve for a lot of companies and their senior managers. However I do feel a lot of sympathy for the poor IT and Accounting sods who will have had a totally ruined weekend and are probably going to pull 18 hour days for the next week or two – not to mention answering a load of stupid post-Audit questions and writing lengthy position papers to try and do a cya for their managers.

                                    #7309
                                    Dave Rice
                                    Participant
                                      @ricedg
                                      Forumite Points: 7

                                      Ed, it probably won’t surprise you to know it’s in the wider Finance sector i.e. not a bank but a similar mentality at the top.

                                      I have to say all the Corporate accounts I’ve worked on (postal, defence, nuclear) have a very pragmatic approach that balances caution with speed. They are also not afraid to let the Security bods override the process. In turn they take their brief from MS and other industry sources. However I’ve been to the dreaded change control meeting to present an accelerated roll out and had to bring in big guns from HQ more than once. Some tin gods love hassling contractors, but watch them back down when someone who can threaten their career appears.

                                      #7346
                                      Bob Williams
                                      Participant
                                        @bullstuff2
                                        Forumite Points: 0

                                        Dave, problems within the systems and organisations you describe sound familiar to me, having served 12 years in HMF. (Probably not surprising to you, with your MOD contract experience). Introducing new ways of working, and/or new weapons and weapon systems, was often carried out against the resistance of military dinosaurs. My service was in the Army Air Corps when it was relatively new, and many of our Wodneys and Wuperts (Officers) came from non-technical backgrounds at first. The result was that intelligent technicians became frustrated at the inability of their superiors to understand technical problems and the reasons for specific solutions.

                                        I believe that things became much easier after technical officers began to permeate up through the commissioned officer ranks. Certainly the best CO I ever served under was a REME tech officer who became a full Colonel, eventually a Brigadier in the UK. The Corporate accounts you mention probably benefit from a similar promotion process.

                                        When the Thought Police arrive at your door, think -
                                        I'm out.

                                        #7355
                                        Dave Rice
                                        Participant
                                          @ricedg
                                          Forumite Points: 7

                                          As Ed mentioned in the other thread, board members, like civil servants, often have arts or legal degrees. They’ve usually got up the greasy pole by back stabbing and can be entirely self serving. One particular IT manager I knew used to make sure he didn’t spend all his budget to impress his boss (the Finance Manager) at appraisal time of his financial acumen. I used to spend all mine and go back for more ?

                                          #7358
                                          Richard
                                          Participant
                                            @sawboman
                                            Forumite Points: 16

                                            > As Ed mentioned in the other thread, board members, like civil servants, often have arts or legal degrees. They’ve usually got up the greasy pole by back stabbing and can be entirely self serving. One particular IT manager I knew used to make sure he didn’t spend all his budget to impress his boss (the Finance Manager) at appraisal time of his financial acumen. I used to spend all mine and go back for more ?

                                            Yes the game playing is rife, I know of one who wanted more staff = more clout at meetings. He was slowing down work to obstruct others to make a fuss, so he could lay claim to need more staff and thus gain more status. Sadly he was allegedly a ‘technically qualified’ person.
