Protecting Against Ransomware
This topic has 106 replies, 13 voices, and was last updated 8 years, 9 months ago by Bob Williams.
May 15, 2017 at 5:54 pm #7402
My wife said she read on the BBC site that they were reporting there is a chance of pacemakers stopping because of this.
I told her to ignore any tech news, rumours or theories on the MSM. Made me chuckle thinking of an XP PC in your chest. Actually I couldn’t think of much worse.
‘Are you OK sir? Yes yes, just my pacemaker blue screening again, I’ll be fine in a moment’.
May 15, 2017 at 6:02 pm #7403
The idiot newspaper reviewers on Sky this morning were speculating about planes falling from the sky. They were sports journalists FFS.
May 15, 2017 at 7:03 pm #7407
Obviously autonomous pacemakers are safe but some cardiac patients are at risk where they are wifi linked to hospital monitoring systems. For example, some people with sporadic and potentially fatal cardiac arrhythmias are actively monitored around the clock. First sign of a serious arrhythmia developing and the monitoring tech officer phones them and despatches an ambulance to their location wherever they may be. There are other remote patient monitoring systems and if the hospital systems go down then you are on your own!
_______________________________________________________________________________________
During the Covid-19 Epidemic I will be wearing a mask and goggles while posting so that if I become infected I won't spread it to you.
May 15, 2017 at 10:06 pm #7423
Anonymous
The ransomware WCry 2.0 works on Linux as seen here: Twitter Link
Looks like Year of the Linux desktop is close at hand!
May 16, 2017 at 7:09 am #7429
It is easy for a politician to speak out of both sides of his mouth. Politicians are well practised at buck passing or giving orders while simultaneously saying ‘No Extra Money’. My Hospital Trust invested wisely and avoided the IT problems but was placed in ‘special measures’ for ignoring budget constraints. Maybe yours was as well Richard! Anyway to turn to less contentious items and get the taste of Hunt out of my mouth; one piece of good news was that some Brit probably accidentally saved the world megabucks in productivity by stopping the Ransomware worm’s propagation dead in its tracks (at least for a time). Link to hero and his story – this could easily get Slashdotted as I think the individual only has a limited bandwidth.
Somehow they have avoided special measures though they have been slated for poor management of many aspects. Nursing care and most doctor care was rated good, but admin was between hopeless and terrible and overall management appears to earn a crap* rating. One of the great achievements was to build something between a gypsy encampment and a Hoover city in the car park only to be told that they had to remove it as it had no planning permission. Oops, never mind, it was not their money, it was partially from our tax payments. Oh and yes they have overspent.
Appointments were made for my daughter to be seen by a consultant throughout her pregnancy due to constant problems. The consultant who was never there, some of the ‘appointments’ were unknown to both the hospital and my daughter, she would turn up and the reception knew nothing, etc. Still the actual delivery suite was, I am told excellent. So sharp end, (where it mattered) good, blunt end crap. Some other clinical outcomes were less satisfactory due to the poor management from top down into those areas.
May 16, 2017 at 7:26 am #7430
Hospital Admin is always a potential issue with much of it (at least in this area) being staffed by volunteers. We are lucky in that the volunteers are mainly ex-Nursing staff with a sprinkling of retired accountants who all seem to take their jobs seriously and probably put in efforts over and beyond requirements. While I would give these people a rose for their efforts, I know only too well how crass overbearing management can quickly screw up the best volunteer-run organization in the world. Management of volunteers is an art, and one that really needs to be taught. The principles are not too different from normal management, but need a much lighter hand and recognition that the volunteer may know a hell of a lot more in practical terms than the grass-green manager.
The Trust’s funding problems were not (afaik) due to financial mismanagement but more the legacy of a rip-off PFI. Yet another ‘Major’ catastrophe.
May 16, 2017 at 11:40 am #7441
PFI is just privatisation under another name. The last election when Labour was saying the Tories are going to sell off the NHS bugged the shit out of me, given New Labour had already sold most of it.
All the NHS seems to be is a few people that give money to the private sector now.
Maybe one party should come clean, tell the people the real state of the NHS in layman terms, and promise to bring it back into public ownership, or at least pen a 10 – 20 plan to return it to.
The investment would need to be huge, but these PFI setups are ridiculous. In some cases a hospital is costing 5-10x over its finance period what it would have cost to build themselves. It’s been a long time since I looked into it, but it doesn’t take a genius to know the politicians (Tories) that first drafted this must have been on a backhander (future promise), and the Labour bods that executed it must have been getting some rather nice benefits out of selling the NHS under the table.
If we want an NHS it needs to be fully owned and managed, otherwise we may as well privatise the lot, pay insurance, and let the market govern it.
Daily rant over. For now! :yahoo:
May 16, 2017 at 2:33 pm #7444
With respect to PFI even the Telegraph (the author of the earlier link) seems embarrassed by the obscene profits earned by one City company.
“An almost unknown City company, Innisfree, with only 14 staff, is the largest single player in the PFI market, owning or co-owning 269 PFI schools and 28 hospitals.
According to accounts filed at Companies House, Innisfree’s profit margin was 53 per cent last year. A successful FTSE 100 company makes margins of around 6 per cent. David Metter, the founder and chief executive of Innisfree, owns almost three-quarters of the company and collected pay and dividends of £8.6 million last year.”
Unfortunately unless they are breaking any contractual conditions it would be VERY expensive to break these contracts, and given the proven lack of contractual diligence by our Civil Service I’ll bet any contractual holes are the other way around.
May 16, 2017 at 3:01 pm #7445
Incidentally if you check Innisfree’s own web site, the Telegraph actually understated a lot of the facts (it owns the GCHQ building!). I could not find a list of external directors or ‘consultants’ which I think may have otherwise made interesting reading.
May 16, 2017 at 3:19 pm #7447
And people think you’re mad when you say the world is controlled by a small amount of people.
There is a thin layer of people above the political puppet show.
May 16, 2017 at 4:13 pm #7449
“An almost unknown City company, Innisfree, with only 14 staff, is the largest single player in the PFI market, owning or co-owning 269 PFI schools and 28 hospitals.
On the Companies House page for Innisfree, – HERE – out of the 88 entries under that name, there are 55 variations at the one address – 1st Floor, Boundary House 91/93 Charterhouse Street, London, England, EC1M 6HR. Under the people tab, it shows a lot of names that re-occur across all those companies. They seem to resign as a Director or Secretary of one company and re-appear as a Director or Secretary of one of the others!! Interesting……
We are talking BIG numbers with this crowd. THIS document shows their Group structure on page 3 and 19. Complex or what!!?? Mind boggling numbers on pages 9 and 10, along with p*ss poor tax ( £841k on £14,682,000 profit before tax – page 17 ). Three shareholders – see page 5, – share £8m in dividends ( page 17 ). Previous year that sum was £20m!!
Good business this PFI what??!!
I realise that one document can hardly fully reflect the whole picture, but if that money was invested on the NHS’s behalf, how much good could the profits do for the NHS?
May 16, 2017 at 9:06 pm #7456
The Hackers are attacking the wrong targets. Own Innisfree and others like it, there are bound to be bigger rewards. Find all their dirty secrets, threaten to make them public if they don’t get £Zillion or $Squintillion. Then expose the dirty washing anyway.
Life in the 21st Century is nothing like HG Wells and George Orwell foretold. Or maybe it is…
When the Thought Police arrive at your door, think -
I'm out.
May 20, 2017 at 3:47 pm #7575
I have installed a program called CryptoPrevent (free version) which is designed to protect against ransomware. See https://www.foolishit.com/cryptoprevent-malware-prevention.
I’ve recently been asked what settings to use on this (I don’t use it myself – so no idea).
Do you just go with its default, or are there different levels you can automatically apply?
Thanks
Never trust an atom - they make up everything !
May 20, 2017 at 5:13 pm #7584
It reads as though it is a Sandbox (like Sandboxie). If so use the options that let as little as possible out into your normal user space, but most definitely go into your Windows control panel beforehand and disable smb1 link
Whether you allow the other samba tools to run really depends on your usage. Nothing (should) need smb1 today, but some things almost certainly will use the other flavours of Samba. Disable them one at a time and suck it and see. If you can totally disable samba it might be a good idea as it certainly reduces your attack space.
You can normally get similar free protection by using Ubuntu inside VirtualBox for all your on-line stuff. Most (perhaps all) Ransomware programs switch themselves off if they detect they are running in a virtual machine as it makes attempts to break their encryption a lot easier. So far Ransomware and Trojans etc leave virtual machines alone for that reason, but I’m afraid all that may change if the NSA/GCHQ ring-3 mobo malware becomes publicly available to script kiddies. :negative:
May 20, 2017 at 6:00 pm #7589
It reads as though it is a Sandbox (like Sandboxie). If so use the options that let as little as possible out into your normal user space, but most definitely go into your Windows control panel beforehand and disable smb1 link
That link – despite being from Microsoft – got me bogged down in server/client, registry talk, that I couldn’t easily get the little bit info I needed from the multiplicity that I didn’t. :negative:
A little searching gave me THIS one from ZDNet ( anything to do with the publisher Ziff Davis?? ) which was a lot more down to earth and straightforward. :good: A quick restart sorted it out.
May 20, 2017 at 7:48 pm #7597
Yes sorry, the link is written for cli minded folk. As you say, the control panel method is a lot easier.
“Open Control Panel (just start typing Control in the search box to find its shortcut quickly). Click Programs, and then click Turn Windows features on or off (under the Programs heading). Clear the check box for SMB 1.0/CIFS File Sharing Support, as shown here. That’s it; you’re protected.”
May 20, 2017 at 7:48 pm #7598
I agree, it is far from simple and basic, but probably well worth it in the long run. It can be a bit of a pain on the older systems with registry fixes.
May 21, 2017 at 10:27 pm #7655
What does SMB 1 actually do? Considering most of us upgrade our OS, and probably have legacy programs etc., is disabling it likely to affect anything?
May 21, 2017 at 11:52 pm #7658
What does SMB 1 actually do? Considering most of us upgrade our OS, and probably have legacy programs etc., is disabling it likely to affect anything?
From my ZDNet link:-
Your PCs that run Windows 10 were protected from that exploit, but that doesn’t mean you’ll be so lucky the next time.
In the interests of implementing a comprehensive, multi-layer security policy, Microsoft recommends that you disable the SMBv1 protocol completely. The world has already moved on to SMBv3, and there’s no excuse for continuing to let that old and horribly insecure protocol run on your network.
May 22, 2017 at 12:26 am #7661
EDIT In Jay CeeDee’s link ZDNet describes a very MS centric world where we all buy the latest MS products. This is so far from the real world of both business and home it’s amazing they can tout such a situation.
SMB = Server Message Block, also known as the Common Internet File System (CIFS). It’s Microsoft’s protocol for sharing files, printers and serial ports via a network. You can read the history and techie stuff here
SMB ver 1 is very inefficient and also written in the days when security was not the issue it is today. The likes of Cisco brought in WAN Acceleration products to get around the performance issues on high latency links (such as t’internet) which adds to the “it ain’t broke don’t fix it” mentality. This is also when port 445 started becoming important.
MS brought in SMB ver 2 with Vista and ver 3 with Win 8. But as you can see from this table
any business running pre W8 has no choice but to run ver 1 because who the hell was using Vista? Also some of the cheaper NAS boxes would have only run ver 1 and provided a “solution” when Vista PCs could no longer see their shares. That solution wasn’t to provide ver 2 on their products but a regedit to put your product back to using ver 1. Problem solved, but as we found out later, hole opened.
SMB is a proprietary MS protocol so the SAMBA project has to keep up to provide interoperability for Linux and Unix and the NAS provider has to implement those changes. Another reason to buy Synology or QNAP. As “business” products they have to keep up as fast as possible or they lose their credibility as a solution (to whatever) in a Windows world without actually running Windows.
So to answer Tippon’s question of should I disable it? The answer is Yes if you have nothing else that relies upon it. But TBH modern o/ses have plugged the hole and modern AV products are watching the plugged hole just in case. That’s why the vast majority of systems were not affected. Don’t panic Mr Mainwaring.
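The "disable it if nothing else relies on it" advice above, and the Control Panel steps quoted earlier in the thread, can be done as an audit-then-disable sequence from an elevated PowerShell prompt. This is an added example, not part of any post in the thread; it assumes Windows 10 / Server 2016 or later, and the function names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Assumes Windows 10 / Server 2016 or later.

function Get-Smb1State {
    # The optional-feature state is what the Control Panel check box toggles.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    $server  = Get-SmbServerConfiguration
    [pscustomobject]@{
        FeatureState      = $feature.State
        ServerSmb1Enabled = $server.EnableSMB1Protocol
        AuditSmb1Access   = $server.AuditSmb1Access
    }
}

function Get-Smb1AuditHit {
    # Event 3000 is logged when a client connects to this machine using SMB1.
    $filter = @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

function Disable-Smb1IfUnused {
    param([switch]$Apply)
    $hits = @(Get-Smb1AuditHit)
    if ($hits.Count -gt 0) {
        Write-Warning "$($hits.Count) SMB1 connection(s) logged; review before disabling."
        return $hits
    }
    if ($Apply) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
        Write-Output 'SMB1 feature disabled; restart to complete.'
    } else {
        Write-Output 'No SMB1 use logged. Re-run with -Apply to disable.'
    }
}

# Step 1: see where the machine stands.
Get-Smb1State
# Step 2: start logging inbound SMB1 use, then leave it on for a representative period.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force
# Step 3 (run again after that period): report only; add -Apply to disable.
# The audit sees connections *to* this PC only. An old NAS that this PC connects
# out to will not show up here and must be checked separately.
Disable-Smb1IfUnused
```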
