The UK’s National Health Service has been hit by a voracious, data-stealing worm that’s easily detected by off-the-shelf security software, according to researchers who directly observed the mass compromise. Researchers from anti-virus provider Symantec have been monitoring the Qakbot worm since last May and have documented its …
1100 PCs on a network as big as the NHS is *not* that big a number (remember the NHS is the 3rd biggest institution after the Indian Railway and the Chinese army)
But it's still 1100 PCs too many.
Question is how many patient data manipulating apps *have* a browser interface? And are they all IE6?
Hope all Reg readers in the UK have run off their copy of the NHS data opt out form. The one PCT have *not* included in their friendly and not at all biased "Information" pack.
By off-the-shelf products?
So they're not only running while well behind on Critical patches, they're also not running any vaguely current AV / security tools?
Also I note that Qakbot clients get to shove gob-loads of data out to the wider world through their firewalls and it takes Symantec sitting outside to point this out.
Gosh! I'm not sure that the English language even has a word for that level of incompetence. We're below "Computer security for Dummies" here and well into "The Ladybird book of computers" as the standard of IT literacy required to avoid this one.
I just don't get it
WHY, time and time and time again, do large bespoke systems (like the NHS one) use Windows; an OS with a proven and demonstrably atrocious security and integrity record?
I can (almost) understand using Windows if you need to use some software that isn't available on another platform and it's only a small network you are deploying. But when your software is bespoke anyway, why not use an OS that is stable and secure? And before anyone screams "they use Word" or "they use MS SQL", well, there are plenty of alternatives to these things. An organisation like the NHS is big enough to dictate use of such software without risking leaving itself out in the cold in terms of external supplier interfacing etc, so this is no excuse at all.
It's a twofold problem
First of all, management wants people to work quickly without much training. Instead of creating a Linux network with a bespoke application and spending money on hours of training to use the platform, they prefer the idea of a Windows network with a bespoke application and spending money on a small booklet that will explain the salient points, leaving users to guess the rest.
Second, there is the support issue. And today, whether you like it or not, consultants and technicians who know Windows are a dime a dozen. Those who know Linux are . . . well nobody even knows how many there are.
MS-"consultants" talking, obviously
"Instead of creating a Linux network with a bespoke application and spending money on hours of training to use the platform"
They spend 10 times more money on training to avoid the faults in MS systems. Not very bright from any point of view. The platform (at UI level) is so easy that a monkey could use it, no difference there.
"Second, there is the support issue. And today, whether you like it or not, consultants and technicians who know Windows are a dime a dozen"
Bullshit. There are consultants who _claim to know_ Windows a dime a dozen, called MCSEs, and they charge you an arm and a leg for this so-called knowledge.
Obviously you haven't actually needed these people, ever. Learning a guide by heart isn't actually knowledge.
On the other hand, unix people tend to know what they are doing. You see, it's not the amount that counts but capabilities. Also you need one (full-time) maintainer/support person for 20 unix machines and one for every 5 Windows machines. Even if you pay unix guys double, you are still on the winning side, by a large margin.
There's a slight difference between professional and consultant. First knows how to do things, second one knows how to tell you how things should be done.
MS systems tend to lure consultants like light lures moths in the night. They smell easy money.
Budgets and Management
@ AC Monday 26th April 2010 03:33 GMT
"They spend 10 times more money on training to avoid the faults in MS systems. Not very bright from any point of view."
I agree but it may be down to how the budget is apportioned. Upfront costs are often disliked by executives who want to show an overall reduction in costs (or an increase in profit) to justify crazy bonuses. In this light, spending less now and more over the lifetime makes sense.
Alternatively if training is handled by a different budget stream there is no incentive for the purchaser to reduce training costs.
"Bullshit. There are consultants who _claim to know_ Windows a dime a dozen, called MCSEs, and they charge you an arm and a leg for this so-called knowledge."
Again that doesn't matter. Systems are driven by budgetary constraints. The manager who spends the least is looked at in the best light. As a result of this anyone who can brain dump an MCP exam becomes a Windows Consultant and gets the jobs. When the inevitable epic fail happens it doesn't matter because someone else is in the chair then and the budgets have moved over.
The saddest part of it all is this is a crazy system we the public seem to want to enforce on the NHS.
Why, oh why ...
do people use Microsoft for systems that have life-critical functions and hold sensitive information?
This has happened many times before. Surely these muppets have learned that MS is completely unsuitable for a trusted system?
Given that the NHS pay less than half the market rate for infosec staff and have a hiring policy that makes it inordinately difficult for non-NHS staff to be recruited into security roles, is this really all that surprising?
If they realised that a good IS manager is going to want >£60k a year and that demanding prior NHS experience is crazy, then they might bring someone in who knows enough to solve their problems.
At the moment their organisational inbreeding means this is going to happen again and again and again and....
Not sure if it was Qakbot
...but I had the fun of presenting one of the execs in my company with around 50 pages of his search history (including lots of porn), chat transcripts, basically everything typed into his computer for about a week. The look on his face was priceless.
I think he got the hint this time about surfing more carefully. (third time I've cleaned infections from his laptop)
"...but I had the fun of presenting one of the execs in my company with around 50 pages of his search history (including lots of porn), chat transcripts, basically everything typed into his computer for about a week."
*Nothing* focuses management types on the need for better infosec (well *having* infosec in some cases) than the knowledge that someone who works for them ( whose job they barely understand and frankly don't believe is *really* necessary) knows *exactly* what "work" they've been doing over the last week to earn the rather substantial package they receive.
Definitely worth raising a glass to.
confidential patent medical records
What does this say about the ability of the NHS to secure my confidential medical records ?
Not a lot!
You don't really need an answer to that question, just say NO
This is why I NEVER use computers in the hospital I work at to do ANY online banking, shopping or account-based surfing. Anyone who does, really doesn't get just how crap IT in the NHS is...
Fire the Firewall Admins
...for not detecting the C&C data streams. Not to speak of the Exfiltration Data Streams, which must be significant.
But maybe there *are no* Admins to fire .....
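The two comments above about firewall admins failing to notice the C&C and exfiltration streams describe exactly the kind of egress anomaly a few lines of log analysis will surface. This is an added example, not code from the article or any commenter: it reads constructed NetFlow-style records (source, destination, port, bytes out), sums what each internal host sends to addresses outside the RFC 1918 ranges, and flags hosts whose external egress exceeds an assumed 50 MB threshold.

```python
# Added example: flag workstations pushing unusually large volumes of data to
# external addresses, the "exfiltration data streams" a firewall admin should see.
import ipaddress
from collections import defaultdict

# Constructed sample of firewall/NetFlow style records: src, dst, dst port, bytes out.
SAMPLE_FLOWS = """\
10.20.1.15,10.20.0.5,445,18234
10.20.1.15,203.0.113.7,443,61000000
10.20.1.15,198.51.100.9,8443,4200000
10.20.1.22,10.20.0.5,445,9000
10.20.1.22,203.0.113.80,80,150000
10.20.1.31,192.0.2.44,443,3000000
"""

# RFC 1918 ranges; anything outside them is treated as "the wider world".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr):
    """True if addr falls inside one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def parse_flows(text):
    """Return (src, dst, port, bytes_out) tuples from comma-separated flow lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, nbytes = line.split(",")
        flows.append((src, dst, int(port), int(nbytes)))
    return flows

def egress_by_host(flows):
    """Sum the bytes each internal source sends to external (non-RFC 1918) addresses."""
    totals = defaultdict(int)
    for src, dst, _port, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return dict(totals)

def flag_exfil(flows, threshold_bytes=50_000_000):
    """Hosts whose external egress exceeds the threshold (assumed 50 MB per log window)."""
    return sorted(h for h, b in egress_by_host(flows).items() if b > threshold_bytes)

if __name__ == "__main__":
    for host in flag_exfil(parse_flows(SAMPLE_FLOWS)):
        print("review outbound traffic from", host)
```

On real NetFlow or proxy logs the threshold would be set per host role from a baseline, and the same per-host grouping can be extended to count distinct external destinations, which catches the beaconing side of the same problem.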
re: confidential patent medical records
>What does this say about the ability of the NHS to secure my confidential medical records ?<
Well at least that's one upside of NHS Connecting for Health / National Pogrom for IT, BT, CSC, iSoft et al inability to deliver a patient administration system, let alone anything remotely resembling an electronic medical record.
Surely not ?
"...exploiting patched vulnerabilities in Microsoft's Internet Explorer and Apple's QuickTime software"
So you are confirming then that the APPLE QuickTime browser plugin is both buggy and causes security holes?
(My own experience also says that it is a bit of a resource hog, and likes to associate itself with multiple media types, despite what else may be installed, and even if it can play those files properly)
Oooh Nooo !
It can't be true !
What then for all the other data collecting muppet schemes in the Government sponsored "let's totally fuck Britain up" project ?
As I understand it, the Houses of Pillarymunt run under Windows 2K, mandating IE 6 as their browser of choice, as do the deliverers of our Nuclear Incapability at sea the Royal Navvy (In case of enemy fire, just reboot the system).
No doubt our "friends" up there in Cheltenham will be snooping through our digital shit with the same blithe "Up Yours" attitude that they have always shown to us lesser mortals when going through the bins, and I expect nothing other from their brothers in arms, the scambags responsible for the Police National Database, the National Identity Scheme Database, et fucking al.
Please tell me, as a concerned Anarchist, is there any National institution in the UK NOT running Win2K with IE6 ?
"Please tell me, as a concerned Anarchist, is there any National institution in the UK NOT running Win2K with IE6 ?"
Maybe that's why.......
......they failed to get my CT scan letter out to me so I was unaware it was booked? Now having had the 'automated' letter gobbled up (can you believe they don't offer e-mail?) my cancer went unmonitored for another two months. I always said it wouldn't be the treatments that kill me it'll be the admin.
Email not even an *option*?
After 10 *years* of this programme.
Good luck with the treatment. Treatments have improved both in what's available and how it's used but the big one is getting it early.
Keep yer details from the commissars!
Makes damn good propaganda for those of us campaigning AGAINST inclusion on the Summary Care Record (SCR). Just "Say NO" folks.
This is what happens when you have absolutely terrible, awful IT departments, consisting of like 5 people who would just rather users didn't use their computers. They're happy to stick with IE6 because updating would mean them knowing what they were doing and then actually doing it. The jumped-up boss sends out missives saying "due to bandwidth, users may only go online for personal use for half an hour at dinner time" then follows it up with one that says "too many users are going online at dinner time so all private Internet use is now banned".
Sad but until managers get more IT savvy, nothing will change.
If they insist on using Windows they should have (bare minimum) a network group policy that locks the machines down, AV software that updates from a central server and Windows Server Update Services to auto-push approved Windows updates.
An internet usage policy as well wouldn't go amiss.