Not targeted?

What the hell is an important system like that doing with Microsoft-ware on it in the first place? Unimportant sites such as the Job Centres are failing every week. It is expected. It makes us losers that can't get work feel part of the community.

And may we take it as read that had the NHS been specifically targeted, the condition would still be chaotic in several months time?

NRSA (No Reliable Systems Advice) anyone?

"An investigation into how the computer system became infected is ongoing"

They used Windows. Investigation over.

How much time / money / any other relevant resources could NHS save just by switching to Linux ?

Of course minus the expected flip-ups during the conversion time...

As I remember clearly I haven't had a problem with virus / trojans / spyware since early 1995 when I changed my desktop to Linux.

On top of it since that time I also spent my money only on the hardware.

Since when You have to pay for the Operating System ? U get a computer in the store without the OS an it is just a piece of expensive junk.

I'll go a bit hardcore... how many people have died because there was not enough specialists / cleaners / hardware or drugs to go around and money was spent on rubbish software ?

Is there a double meaning to a BSOD on the life support machine ?

While I am of the opinion that they would be better off using Linux -- I still find it hard to believe that their IT department can't, or aren't allowed to, lock down their IT systems in any way. Group policy should simply not allow executing of Outlook attachments, never mind the fact that any executables should be blocked before they even hit the exchange servers. The other option, of course, is to have an up-to-date anti-malware system in place and keep it patched.

Who the hell is in charge of a system with that many holes? I take it the It security teams and the like are all in the NHS because they were fired from private sector companies for incompetence.

Check the staffing level of the places, compared to what would be expected in commerce. I think you'll find that many NHS IT departments are staffed at about 1/4 or less than the commercially expected minimums on the technical staff.

The perception in NHS management is that IT just happens by magic, and it's not difficult, so why get people to do nothing but switch machines off when they don't work and turn them back on again?

As someone who works in a Canadian Hospital IT department, I can confirm a few comments from above:

1. The staffing levels mentioned by Juillen, are correct. For example, we have 7000 desktops + servers spread through 3 major locations and a further 20 Minor location, and we have only 3 full time network staff (covering internal network gear, as well as Firewalls/VPN etc). The only thing worse than our understaffing is the overstaffing of PMO at 2-3 PMO for each technical member.

2. Windows vs. Linux, most medical software is built on a Windows platform. Since most of the software has to undergo stringent testing at the government (or government agency level) the vendors select the most wide adopted option (i.e Windows). Additionally any critical changes to the platform such as AV/Security patches updates require retesting so most vendors bypass this process. We can not implement the fixes/updates or we take on the liability of the device. We are starting to undertake architecture that will isolate these devices, but see note 1 above for the related timelines...

Over all, I can sympathize with the issues experienced above, but I am sure that they will learn a fair amount from the error and will hopefully get the funding that is required to make the changes (or at least most of them).

Not withstanding the above, healthcare is a great place to work, as there are many projects that you get to work on that greatly improve the care provided to patients, and this is just not something you can get at any work place.

The rumour going round the hospital is that someone decided not to renew the maintenance on the antivirus software.

A great saving! I'm sure.

Someone earlier mentioned group policies as a way to improve security...

Group policies are fundamentally flawed in their implementation...

Let's bring up the example of the policy which is supposed to prevent you from opening a command prompt.

So you run cmd.exe, and it pops up a message saying your not allowed to do that...

Now in any sensible implementation, it would be the OS which is doing that... But that's simply not the case.

The cmd.exe program itself executes, and within the program itself checks for the presence of a registry key forbidding cmd.exe use, if it finds it then it displays the message and exits. So the OS does nothing to stop you executing the program, the program does its own check.

So what if you run a different command interpreter, say command.com? Yes, that still works, since they didn't implement the same check into command.com.

And if you have the ability to introduce your own binaries, which you almost certainly do, then you can simply execute a modified cmd.exe that has the check removed (very simple with a hex editor, just change the registry key it looks for so it wont be found).

Also, cmd.exe will still let you execute batch files regardless...

And then there's regedit/regedt that will exit, but reg.exe from the commandline will still work, and you could just supply your own regedit.

Same with restrictions on browsing drives, supply your own apps and they bypass the half assed restrictions.

And when it comes to users supplying their own binaries, on a unix machine you would mount all the areas a user could potentially write to (including removable media) with the noexec flag, windows has no equivalent of this and you need to implement third party binary whitelisting...

Now specifically to the mytob worm, this spreads by exploiting the LSASS vulnerability i believe, and the systems were clearly not patched against it. Surely it would have been more sensible, on workstations at the very least, to disable any listening network services... There really is no need for these services to be available to the network, and if you turn them all off even an un-patched machine won't become infected.

Ofcourse the stupid thing is that such complex bloated services ship enabled by default on a workstation OS.

Yep I have seen a computer, recently as well running Windows ME.....

Feel safe now.....

Paris because even she knows better