NHS computers hit by voracious, data-stealing worm

The UK’s National Health Service has been hit by a voracious, data-stealing worm that’s easily detected by off-the-shelf security software, according to researchers who directly observed the mass compromise. Researchers from anti-virus provider Symantec have been monitoring the Qakbot worm since last May and have documented its …

COMMENTS

This topic is closed for new posts.
  1. John Smith 19 Gold badge
    Stop

    In perspective

    1100 PCs on a network as big as the NHS is *not* that big a number (remember the NHS is the 3rd biggest institution after the Indian Railway and the Chinese army)

    But it's still 1100 PCs too many.

    Question is how many patient data manipulating apps *have* a browser interface? And are they all IE6?

    Hope all Reg readers in the UK have run off their copy of the NHS data opt out form. The one the PCT has *not* included in their friendly and not at all biased "Information" pack.

  2. TeeCee Gold badge
    FAIL

    Easily detected?

    By off-the-shelf products?

    So they're not only running while well behind on Critical patches, they're also not running any vaguely current AV / security tools?

    Also I note that Qakbot clients get to shove gob-loads of data out to the wider world through their firewalls and it takes Symantec sitting outside to point this out.

    Gosh! I'm not sure that the English language even has a word for that level of incompetence. We're below "Computer security for Dummies" here and well into "The Ladybird book of computers" as the standard of IT literacy required to avoid this one.

  3. Anonymous Coward
    Flame

    I just don't get it

    WHY, time and time and time again, do large bespoke systems (like the NHS one) use Windows; an OS with a proven and demonstrably atrocious security and integrity record?

    I can (almost) understand using Windows if you need to use some software that isn't available on another platform and it's only a small network you are deploying. But when your software is bespoke anyway, why not use an OS that is stable and secure? And before anyone screams "they use Word" or "they use MS SQL", well, there are plenty of alternatives to these things. An organisation like the NHS is big enough to dictate use of such software without risking leaving itself out in the cold in terms of external supplier interfacing etc, so this is no excuse at all.

    It's bonkers!!!!

    1. Pascal Monett Silver badge

      It's a twofold problem

      First of all, management wants people to work quickly without much training. Instead of creating a Linux network with a bespoke application and spending money on hours of training to use the platform, they prefer the idea of a Windows network with a bespoke application and spending money on a small booklet that will explain the salient points, leaving users to guess the rest.

      Second, there is the support issue. And today, whether you like it or not, consultants and technicians who know Windows are a dime a dozen. Those who know Linux are . . . well nobody even knows how many there are.

      1. Anonymous Coward
        Flame

        MS-"consultants" talking, obviously

        "Instead of creating a Linux network with a bespoke application and spending money on hours of training to use the platform"

        They spend 10* times more money on training to avoid the faults in MS systems. Not very bright from any point of view. The platform (at UI level) is so easy that a monkey could use it; no difference there.

        "Second, there is the support issue. And today, whether you like it or not, consultants and technicians who know Windows are a dime a dozen"

        Bullshit. There are consultants who _claim to know_ Windows a dime a dozen, called MCSEs, and they charge you an arm and a leg for this so-called knowledge.

        Obviously you haven't actually needed these people, ever. Learning a guide by heart isn't actually knowledge.

        On the other hand, Unix people tend to know what they are doing. You see, it's not the amount that counts but capabilities. Also you need one (full-time) maintainer/support for every 20 Unix machines and one for every 5 Windows machines. Even if you pay the Unix guys double pay, you are still on the winning side, by a large margin.

        There's a slight difference between a professional and a consultant. The first knows how to do things; the second knows how to tell you how things should be done.

        MS systems tend to lure consultants like light lures moths in the night. They smell easy money.

        1. Anonymous Coward
          Unhappy

          Budgets and Management

          @ AC Monday 26th April 2010 03:33 GMT

          "They spend 10* times more money on training to avoid the faults in MS systems. Not very bright from any point of view."

          I agree but it may be down to how the budget is apportioned. Upfront costs are often disliked by executives who want to show an overall reduction in costs (or an increase in profit) to justify crazy bonuses. In this light, spending less now and more over the lifetime makes sense.

          Alternatively if training is handled by a different budget stream there is no incentive for the purchaser to reduce training costs.

          "Bullshit. There are consultants who _claim to know_ Windows a dime a dozen, called MCSEs, and they charge you an arm and a leg for this so-called knowledge."

          Again that doesn't matter. Systems are driven by budgetary constraints. The manager who spends the least is looked at in the best light. As a result of this anyone who can brain dump an MCP exam becomes a Windows Consultant and gets the jobs. When the inevitable epic fail happens it doesn't matter because someone else is in the chair then and the budgets have moved over.

          The saddest part of it all is this is a crazy system we the public seem to want to enforce on the NHS.

  4. alain williams Silver badge

    Why, oh why ...

    do people use Microsoft for systems of life-critical function that hold sensitive information?

    This has happened many times before. Surely these muppets have learned that MS is completely unsuitable for a trusted system ?

  5. Anonymous Coward
    Unhappy

    Well

    Given that the NHS pay less than half the market rate for infosec staff and have a hiring policy that makes it inordinately difficult for non-NHS staff to be recruited into security roles, is this really all that surprising?

    If they realised that a good IS manager is going to want >£60k a year and that demanding prior NHS experience is crazy, then they might bring someone in who knows enough to solve their problems.

    At the moment their organisational inbreeding means this is going to happen again and again and again and....

  6. Anonymous Coward
    Pint

    Not sure if it was Qakbot

    ...but I had the fun of presenting one of the execs in my company with around 50 pages of his search history (including lots of porn), chat transcripts, basically everything typed into his computer for about a week. The look on his face was priceless.

    I think he got the hint this time about surfing more carefully. (third time I've cleaned infections from his laptop)

    1. John Smith 19 Gold badge
      Pint

      AC@12:50

      "...but I had the fun of presenting one of the execs in my company with around 50 pages of his search history (including lots of porn), chat transcripts, basically everything typed into his computer for about a week."

      Nice.

      *Nothing* focuses management types on the need for better infosec (well *having* infosec in some cases) than the knowledge that someone who works for them ( whose job they barely understand and frankly don't believe is *really* necessary) knows *exactly* what "work" they've been doing over the last week to earn the rather substantial package they receive.

      Definitely worth raising a glass to.

  7. Anonymous Coward
    Badgers

    confidential patient medical records

    What does this say about the ability of the NHS to secure my confidential medical records ?

    1. Jeff Deacon

      Not a lot!

      You don't really need an answer to that question, just say NO

  8. Anonymous Coward
    Boffin

    DOH!

    This is why I NEVER use computers in the hospital I work at to do ANY online banking, shopping or account-based surfing. Anyone who does, really doesn't get just how crap IT in the NHS is...

  9. Anonymous Coward
    FAIL

    Fire the Firewall Admins

    ...for not detecting the C&C data streams. Not to speak of the exfiltration data streams, which must be significant.

    But maybe there *are no* Admins to fire .....
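
    The kind of check the previous post is asking for, as an added example that is not part of the original thread or of any commenter's code: two simple detections run over outbound firewall log lines. The log format, the internal address ranges, the sample lines and the thresholds are all assumptions made up for this illustration, not any real vendor format or real NHS data; a practitioner would replace them with their own firewall's export and tune the numbers to their network.

```python
"""Flag likely C&C beaconing and bulk exfiltration in outbound firewall logs.

Added example. The log format, address ranges and thresholds are assumptions
invented for illustration and are not taken from any real product or incident.
"""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed line format (constructed, not a real vendor format):
#   "<ISO timestamp> ALLOW <src_ip>:<sport> -> <dst_ip>:<dport> out=<bytes_sent>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ALLOW (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) out=(?P<out>\d+)$"
)

# Assumed internal ranges; anything else is treated as "the wider world".
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed sample log: one host beaconing every ~5 minutes with tiny payloads,
# one host pushing ~9 MB out in three bursts, one normal web hit, one big but
# purely internal transfer, and one DENY line that the parser should ignore.
SAMPLE_LOG = [
    "2010-04-26T09:00:00 ALLOW 10.1.2.3:49152 -> 203.0.113.7:443 out=512",
    "2010-04-26T09:00:30 DENY 10.1.2.3:5000 -> 198.51.100.1:23 out=0",
    "2010-04-26T09:01:00 ALLOW 10.1.2.4:49200 -> 198.51.100.9:80 out=3000000",
    "2010-04-26T09:02:00 ALLOW 10.1.2.4:49201 -> 198.51.100.9:80 out=3000000",
    "2010-04-26T09:02:30 ALLOW 10.1.2.3:49300 -> 10.1.9.9:445 out=50000000",
    "2010-04-26T09:03:00 ALLOW 10.1.2.4:49202 -> 198.51.100.9:80 out=3000000",
    "2010-04-26T09:04:00 ALLOW 10.1.2.5:49400 -> 93.184.216.34:443 out=2000",
    "2010-04-26T09:05:10 ALLOW 10.1.2.3:49153 -> 203.0.113.7:443 out=512",
    "2010-04-26T09:10:00 ALLOW 10.1.2.3:49154 -> 203.0.113.7:443 out=512",
    "2010-04-26T09:15:05 ALLOW 10.1.2.3:49155 -> 203.0.113.7:443 out=512",
    "2010-04-26T09:20:00 ALLOW 10.1.2.3:49156 -> 203.0.113.7:443 out=512",
]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def parse(lines):
    """Yield (timestamp, src, dst, dport, bytes_out) for lines matching the assumed format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # denies, malformed lines and other formats are skipped
        yield (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]), int(m["out"]))


def find_exfil(lines, byte_threshold=5_000_000):
    """Return {src: total_bytes} for internal hosts that sent more than the threshold to external hosts."""
    totals = defaultdict(int)
    for _, src, dst, _, out in parse(lines):
        if is_internal(src) and not is_internal(dst):
            totals[src] += out
    return {src: total for src, total in totals.items() if total > byte_threshold}


def find_beacons(lines, min_hits=4, jitter=0.2):
    """Return {(src, dst, dport): interval_seconds} for external flows with near-constant spacing.

    A flow counts as a beacon when it has at least min_hits connections and every
    gap between consecutive connections is within +/- jitter of the mean gap.
    """
    flows = defaultdict(list)
    for ts, src, dst, dport, _ in parse(lines):
        if is_internal(src) and not is_internal(dst):
            flows[(src, dst, dport)].append(ts)
    beacons = {}
    for key, times in flows.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and all(abs(g - mean) <= jitter * mean for g in gaps):
            beacons[key] = round(mean)
    return beacons


if __name__ == "__main__":
    for src, total in find_exfil(SAMPLE_LOG).items():
        print(f"possible exfiltration: {src} sent {total} bytes to external hosts")
    for (src, dst, dport), interval in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst}:{dport} every ~{interval}s")
```

    Both checks deliberately ignore internal-to-internal traffic, so the 50 MB SMB transfer in the sample is not reported; the point is outbound volume and outbound regularity, which are the two things a border firewall log can show without any payload inspection.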

  10. Cucumber C Face
    FAIL

    re: confidential patient medical records

    >What does this say about the ability of the NHS to secure my confidential medical records ?<

    Well at least that's one upside of NHS Connecting for Health / National Pogrom for IT, BT, CSC, iSoft et al's inability to deliver a patient administration system, let alone anything remotely resembling an electronic medical record.

  11. BristolBachelor Gold badge
    Troll

    Surely not ?

    "...exploiting patched vulnerabilities in Microsoft's Internet Explorer and Apple's QuickTime software"

    So you are confirming then that the APPLE QuickTime browser plugin is both buggy and causes security holes?

    (My own experience also says that it is a bit of a resource hog, and likes to associate itself with multiple media types, despite what else may be installed, and even if it can play those files properly)

  12. Al fazed
    Happy

    Oooh Nooo !

    It can't be true !

    What then for all the other data collecting muppet schemes in the Government sponsored "let's totally fuck Britain up" project ?

    As I understand it, the Houses of Pillarymunt run under Windows 2K, mandating IE 6 as their browser of choice, as do the deliverers of our Nuclear Incapability at sea the Royal Navvy (In case of enemy fire, just reboot the system).

    No doubt our "friends" up there in Cheltenham will be snooping through our digital shit with the same blithe "Up Yours" attitude that they have always shown to us lesser mortals when going through the bins, and I expect nothing other from their brothers in arms, the scambags responsible for the Police National Database, the National Identity Scheme Database, et fucking al.

    Please tell me, as a concerned Anarchist, is there any National institution in the UK NOT running Win2K with IE6 ?

    ALF

    1. John Smith 19 Gold badge
      Happy

      @Al fazed

      "Please tell me, as a concerned Anarchist, is there any National institution in the UK NOT running Win2K with IE6 ?"

      The BBC?

  13. Beanzy

    Maybe that's why.......

    ......they failed to get my CT scan letter out to me so I was unaware it was booked? Now having had the 'automated' letter gobbled up (can you believe they don't offer e-mail?) my cancer went unmonitored for another two months. I always said it wouldn't be the treatments that kill me it'll be the admin.

  14. John Smith 19 Gold badge
    WTF?

    @Beanzy

    Email not even an *option*?

    After 10 *years* of this programme.

    Good luck with the treatment. Treatments have improved both in what's available and how it's used but the big one is getting it early.

  15. Michael Orton
    FAIL

    Keep yer details from the commissars!

    Makes damn good propaganda for those of us campaigning AGAINST inclusion on the summary care records (SCR). Just "Say NO, folks".

  16. lukewarmdog
    Badgers

    Simply

    This is what happens when you have absolutely terrible, awful IT departments, consisting of like 5 people who would just rather users didn't use their computers. They're happy to stick with IE6 because updating would mean them knowing what they were doing and then actually doing it. The jumped up boss sends out missives saying "due to bandwidth, users may only go online for personal use for half an hour at dinner time" then follows it up with one that says "too many users are going online at dinner time so all private Internet use is now banned".

    Sad but until managers get more IT savvy, nothing will change.

  17. adam payne

    NHS IT

    If they insist on using Windows they should have (bare minimum) a network group policy that locks the machine down, AV software that updates from a central server and Windows Server Update Services to auto push out approved Windows updates.

    An internet usage policy as well wouldn't go amiss.
