NHS ATTACKED
- This topic has 75 replies, 11 voices, and was last updated 8 years, 9 months ago by
Bob Williams.
May 20, 2017 at 9:04 am #7555
I don’t see why these MRI scanners cannot be isolated on their own network with some kind of bridging third party machine performing a routing type function.
May 20, 2017 at 10:00 am #7556
I don’t see why these MRI scanners cannot be isolated on their own network with some kind of bridging third party machine performing a routing type function.
I totally agree, I did this 30 plus years ago and I was no rocket scientist. It really pissed off one of the suppliers who would have liked to sell some multi dollar device.
The point is that the medical content is NOT being messed with, the original is always there to be cross checked. It is only the file or files that get passed without manipulation. A few £1~3 million scanners (and other devices) getting saved would normally justify some effort and costs. They do not justify shoals of old devices unprotected still littering the place.
Does anyone yet know the entry vector for the worm?
May 20, 2017 at 12:09 pm #7563
The entry vector has been pinned down to an attack via smb1 directly onto networks. i.e. no stupid browsing or silly email opening by any NHS personnel, just an NSA/GCHQ style smash through security and a dump of Trojans.
“the first iteration of the malware – the one that got into the railways, telcos, universities, the UK’s NHS, and so on – required no such interaction. According to research by boffins at Malwarebytes, email attachments weren’t used. Instead, the malware’s operators searched the public internet for systems running vulnerable SMB services, and infected them using the NSA’s leaked EternalBlue and DoublePulsar cyber-weapons. Once on those machines, Wannacry could be installed and move through internal networks of computers, again using EternalBlue and DoublePulsar” El Reg link
While all this could have been averted by software upgrades or the sort of network isolation we all referred to, the next sales tranche of NSA/GCHQ Trojans and viruses provides far more worrying scenarios as they cover apparently unknown zero day vulnerabilities in most operating systems (including Linux). I suspect that one of these may well be the Intel Mobo/NIC backdoors that have at last been admitted by Intel.
Unfortunately if the even more sensitive router and network hacks are sold off then no-one will be invulnerable. I certainly would not want to rely solely on Cloud servers as I’m sure that servers were top of the NSA/GCHQ target list.
Make sure your off-line backups are up to date!
May 20, 2017 at 12:45 pm #7566
Yes, thank you ED, after posting my query I was tied up on a couple of things and was reading the Reg link while you were posting. I came back to post an answer to my own question only to find it was already there.
It does blow away the early suggestions that e-mail was involved such report with one confidently stating the mail’s title and possible contents… Sometimes what gets reported is worse than the miner’s spoil heap or other ‘outflows’.
The speed with which makers churn out tat and fail to update it is a substantial source of concern, as is their willingness to use old routines that should have been discarded from packages a long time ago. Still it makes some of their kit cheap – though you might not recognise that fact from the prices they charge and very, very nasty. No one appears to dodge that accolade.
May 26, 2017 at 5:02 pm #7969
By no means proven, but it looks like WannaCry has a South-East Asia origin. A linguistic analysis of all the various Wannacry ransom notes indicates that the original note was written in Chinese (link), and a first translation was done from this document into English by someone who did not have English as their first language. All the other translations apparently were done using Google Translate. They must have used ‘phrasing’ to identify a Southern China dialect (Spoken South China dialect certainly has a different rhythm and phrasing to Mandarin). This analysis probably rules out all locations north of Shanghai as well as Singapore. I’d personally rule out Singapore too, as all Singaporeans younger than thirty are brainwashed into only using Mandarin – dialect would get a rap over the knuckles. Dialect can however be found in Vietnam (Cantonese in the main), Malaysia (Hokkien/Fujian mainly) and Thailand (Teochew). Indonesia is less likely but would be similar to Malaysia. It really is quite amazing what can be done using cluster analysis and word frequency counts.
This is not a ‘proof’ that the DPRK were not the authors but it makes a North Korean origin a little less likely. From my limited knowledge of Korea I’d have expected them to detect Mandarin as a first/fluent language rather than a South China dialect.
June 2, 2017 at 10:34 am #8355
The latest Wannacry analysis by Kaspersky makes it even more likely that this was a ‘common crim’ attack rather than actions by a Nation State such as North Korea. Their analysis shows a number of quite major coding errors:
“Most of the whoopsies make it possible to restore files with the help of publicly available software tools. In one case a mistake in the malware’s read-only file processing mechanism does not allow it to encrypt read-only files at all. Instead, the malware creates encrypted copies of the files, while the original files remain untouched and are only given a “hidden” attribute, which is easy to undo.”
It makes one wonder about some of the other evils attributed to DPRK as a convenient scape-goat. I am not condoning other obviously evil actions by the NORKs, just complaining that sometimes the propaganda gets in the way of rooting out the real villains.
June 2, 2017 at 11:58 am #8357
One thing that always concerns me is the more publicity that is given to the specific screw ups in the code, the more others get to refine the damn thing so it does a better job next time!! Are the likes of Kaspersky (and I’m one of their customers) becoming Beta testers for the script kiddies/criminals? :scratch:
I do realise that Kaspersky and others are using the info to refine their protection algorithms, but there will still be a lot out there with less than basic protection, even after this latest episode. :negative:
June 2, 2017 at 12:21 pm #8358
I think it is possibly their reaction to the propagandists plus pointing out that maybe some people do not have to pay £300+. Kaspersky have a long history of digging out the original perpetrators – pinning responsibility for the Stuxnet usb worm back on the US was one such action.
However to get back to your point. I can only draw analogies. I am deeply conflicted whether (for example) Metasploit should be praised or condemned. On the one hand Metasploit provides tools that enable security audits of business enterprises. On the other hand it provides script-kiddies with prime examples to use on the low-hanging fruit in the general public. The annual Black-Hat convention falls into a similar camp but there have been major advances as its result e.g. sandboxing browsers etc.
Bottom line it is probably a slightly different example of the NRA’s mantra ‘It is not the fault of the weapon, it is the fault of the user’.
I finish by thinking that it is acceptable provided the public falls into thinking that the Internet is a modern Wild West and they had better come well protected.
June 2, 2017 at 1:16 pm #8362
Sorry JCD I don’t understand where you’re coming from on this. Part of the AV scene is that all the good guys collaborate and share information as the bad guys are doing that too. The black hats will have done their own research.
I attended a global webinar run by BitDefender on the very subject of Wannacry where they were doing just that. Informing people like me how to make their customers safer. I will be attending a Synology hands on seminar in July where the very first session is “System and Data Protection: Advance Configuration”. The first thing you need to understand is what the threats are.
In the case of Wannacry there is speculation over all aspects of it and much misdirection from the institutions that got caught. The Governments involved in having the ultimate oversight, and in this case having written the code that allowed it to spread, will do anything to point the finger elsewhere. Do we want to just be fed information from them?
This had amateur written all over it from day one as it has been done very much better before. That’s why if you had patched and run AV then you would have been protected because of the lessons learned, and shared, before. It’s those that ignored the freely available information that got caught with their pants down.
June 2, 2017 at 2:36 pm #8364
Hi Dave – it was intended as an observation on the fact that it now seems it was an amateur attack – including crap code, basic errors as below ( from EdP’s post ) and mistakes.
Most of the whoopsies make it possible to restore files with the help of publicly available software tools. In one case a mistake in the malware’s read-only file processing mechanism does not allow it to encrypt read-only files at all. Instead, the malware creates encrypted copies of the files, while the original files remain untouched and are only given a “hidden” attribute, which is easy to undo
It could then be taken on-board by those perpetrators as a lesson on how to improve it and get it right for next time. Being told where you went wrong gives them the opportunity to issue a better improved MkII version which despite Kaspersky et al’s best efforts, will then still catch a lot of people out.
My last sentence – I do realise that Kaspersky and others are using the info to refine their protection algorithms, but there will still be a lot out there with less than basic protection, even after this latest episode. :negative: – was similar to what Ed said – ……….. the Internet is a modern Wild West and they had better come well protected. and what Dave said – It’s those that ignored the freely available information that got caught with their pants down.
That was where I was coming from. :good:
EDIT – I suppose what I’m saying is if the Police explain everything a burglar did wrong, who didn’t realise he’d trodden on a pressure pad and walked through an infra-red beam, setting off a silent alarm, he’ll know what to look out for next time and do a better job of burgling!!
June 2, 2017 at 3:48 pm #8368
Don’t get on the subject of burglars without searching YouTube on ‘Picking Locks’. A retired Police Inspector pointed me in that direction a few years ago. It made me quite paranoid for a while (changed out my old original Eurolocks). Unfortunately it wasn’t until I had done all that when he said the punchline ‘Of course now that you have made all your locks secure they will just go around the back and smash in your patio doors.’
Sometimes you cannot win which is a lesson that applies equally well to PC security. No matter how secure you make your PC there are other bits of kit such as routers that seem to have deliberate in-built insecurity!
June 2, 2017 at 3:59 pm #8373
I’ve been meaning to change my patio door locks for THESE – anti-snap and anti bump. First instinct is to go for the 3* @ £33 a pop, but with two sets of doubles and two singles that’s £200. Still mustn’t scrimp, so I’ll bite that bullet sometime soon when SWMBO brings up the subject of security for when we are away on holiday. On smashing the glass in the doors, that’s a noise many thieves won’t want to risk.
June 2, 2017 at 4:25 pm #8377
Since the May reductions in Police numbers we have had quite a number of break-ins in the Southern Counties where thieves have said ‘the hell with subtlety and noise’ and just used a 3lb hammer on the patio window or back door frame. The noise is less than you might hope – my neighbour had theirs burgled via the patio and although I heard noises I thought they were just working on their house (they had not said they were out for the day).
Better investments are locked side-gates and a visible security camera eyeing up the gate.
It is however worth having your front door lock anti-snap/bump – there are videos of how a thief can quickly open a door using a vibrating sex-toy and lock-pick to open an old style door in a manner and time which makes it look as though he has been given a key. These are normally opportunistic thieves who just happen to see a family taking off for their weekly shop. They often leave very little mess and are selective in only taking small high value things which tends to delay theft discovery until they are in the next town/county.
June 2, 2017 at 5:12 pm #8381
JCD – my point is that it’s already been done better! This was a bunch of amateurs. They couldn’t learn the lessons from those that went before them.
But the NRA and UK Gov would have you believe it was a nation state. Would you rather only they were allowed to comment?
June 2, 2017 at 6:32 pm #8386
JCD – my point is that it’s already been done better! This was a bunch of amateurs. They couldn’t learn the lessons from those that went before them.
OK – see where you’re coming from :)
But the NRA and UK Gov would have you believe it was a nation state. Would you rather only they were allowed to comment?
Most definitely NOT!! :( Wouldn’t trust either.
June 2, 2017 at 8:32 pm #8404
Some years ago, a Traffic Sergeant mate told me that the most secure street to live in, was a cul-de-sac with nosy neighbours. At the time we lived on the longest street in our old village. The pit had closed, there was no work and burglaries were rife: my lad had his car nicked. It was recovered, minus an expensive audio which was taken by ripping out the whole centre console. That was one of the reasons why we moved here and I actually now live at the closed end of a cul-de-sac. When I moved here, I phoned my old mate, by then retired, and told him that I had found a cul-de-sac to live in. The Close was Sheltered Housing until this year: the government has decreed that Sheltered Living no longer exists and gradually others are moving in, but we still have the nosy neighbours I’m glad to say. Some of them are insomniacs and are up, lights blazing and TVs on, at all hours.
To my mind, that’s a deterrent, as is the fact that this village has a great community spirit and we all look out for each other.
When the Thought Police arrive at your door, think - I'm out.
