Nobody thinks this and the NHS are related?
Telefónica does provide VoIP and Network facilities to the NHS as far as I know.
Workers at Telefónica's Madrid headquarters were left staring at their screen on Friday following a ransomware outbreak. Telefónica was one of several victims of a widespread file-encrypting ransomware outbreak, El Pais reports. Telefónica has confirmed the epidemic on its intranet while downplaying its seriousness, saying …
BBC are reporting the following:
"A massive ransomware campaign appears to have attacked a number of organisations around the world.
Screenshots of a well known program that locks computers and demands a payment in Bitcoin have been shared online by parties claiming to be affected.
There have been reports of infections in the UK, USA, China, Russia, Spain, Italy, Vietnam, Taiwan and others."
Difficult to definitely link them as there are probably ransomware hits around the world every day anyway and therefore this is just normal, however it could be a significant outbreak.
I'm pretty sure it's not related in that way. It only affects Windows PCs (AFAIK Windows 7, maybe other versions too), none of those services are Windows systems. It's not impacting operations per se... but if an operator needs access to those systems and he needs to do it from his Windows seat, he's screwed.
I suspect it also might be related to Windows preferring to execute emailed malware rather than scan it. It nicely removes the user actually having to do anything.
This is a very good reminder why Windows is such a security cesspit, and unless you need to run Windows stuff, you are far more secure running a Chromebook with its signed read-only runtime.... It's pretty much unhackable.
While I understand that we have to declare war on Eurasia soon, our dear idiot Geography teacher and fuhrer wannabe is rushing it a bit here.
The common denominator between Telefonica R&D and NHS is that they are underfunded, badly maintained Windows shops. I have had dealings with both; there are plenty of unpatched machines running "this special application" which prevents them from updates and upgrades, they are networked in a flat non-segmented network and it is a perfect environment for a network worm.
There is no attack. There is just a mass infection of populations which are vulnerable by design and were going to be infected sooner rather than later.
There will be more of that, but the root cause in both - flat networking, lack of zoning and chronic underfunding - will not be fixed.
Experienced enough to never open an email attachment or follow a link from an email address I don't know.
Experienced enough to recognise an email attachment from an email address I do know and a link in an email from an address I do know could be dangerous. The body of the message usually gives enough clues as to the legitimacy of the email.
Linux and Windoze user... whose last virus infection was the Saddam virus on my Amiga 500. Getting old sucks but the wisdom it brings has benefits.
>The body of the message usually gives enough clues as to the legitimacy of the email
Actually, if you can be bothered, get into the habit of adding some personalized content when you share links. Something that is recognizably yours.
"Dude, this reminds of that time we had that really bad beer", rather than just "check this out!".
It's not uncommon for infections to spread via email contacts. Make it clear it's actually you and get your friends to understand you appreciate the favor returned.
I get a lot of emails from addresses I know with attachments or links to somewhere. I can always tell if they are legit. It is obvious that it is a spoofed sender or hacked account email. In fact it is painfully obvious. I don't think I am particularly smart... to be honest I can be pretty stupid. I just know my clients even though I have many of them.
I sign all my emails with PGP and send all in plain text. I also explain this to my clients and send my public key attached. If they click on a link or open an attachment from an email that looks like it is from me that is not signed... fsck 'em. I can't look after every slow thinker on the planet.
I also see my received emails in plain text. Who needs HTML email? Ain't that what websites are for?
Wisdom is definitely a handy by-product of the grey hair but for the SMB vulnerability being referenced as a possible vector for this to spread, you also need wisdom from everyone else on your network or an IT shop that provides its employees with properly patched/protected systems.
The diagnostics and analysis on how this thing actually arrived and spread may prove quite entertaining.
Reserving a little smugness in the belief that the vulnerability is Windows only, but not too much as the NSA et al may yet have the kit to do similar to Linux.
I had a CFO and CEO, both of whom are sharper than me, persistently arguing with me that the quote for business that they had received from a trading partner with an outlook applied signature must be released.
They expected a lookalike, and didn't let up until I had the make and model of the virus to display to them, and would have attempted forwarding to phones and switching off wifi. Murphy's law.
The business fashion of being abrupt and minimalist in communication is easy to spoof.
(And is anyone else horrified by the Microsoft common clipboard proposed between devices in Windows 10 Creator Fall edition?)
It's a huge coincidence that the day the NHS suffers a ransomware attack, so do many other large organisations around the globe.
I'm willing to punt a pint they are all related attacks. Too much of a coincidence that several unrelated attacks would all be launched on the same day.
We usually roll them out within a fortnight - the ones we can roll out.
MS have made it a lot harder of late by putting too much in each basket. I would not be surprised if several of these places could not apply this patch because one of the other things in the same blob broke something important.
US DoD, for years, has allowed ten days to deploy patches to Category I vulnerabilities, which the vulnerability in question surely is given that it involves remote code execution. It now is 58 days since the patch was made available and 47 days since The Register reported leak of the EternalBlue tool. We were allowed 60 days, if I remember correctly, for significantly less severe Category II vulnerabilities. Requirements were not always met, but failure carried a requirement for detailed and frequent requirements and the implied threat of suspension of an Authority to Operate for the affected devices.
I was caught a few times with WSUS auto-approval on my learning curve with AD servers. Can I suggest having your preparation notes on AD rollback and Microsoft's Lingering Objects Liquidator tool done in advance?
And when it gets to serious stuff...
the manufacturing devices and systems have to undergo at least system verification before patches go into production.
So they get their own private offline WSUS / RHN equivalent and VLANs.
Set the Quality dept vs the Accounts dept and let them yell at each other.
>So what happens when a patch for a Cat I vulnerability broke something critical in the process, creating a dilemma because the critical machine was inoperable either way?
You reduce the attack surface by making sure critical systems are segregated and get extra protection. For example, you don't run web browsers or email clients on critical servers. Maybe you don't map drives to large swathes of critical files, make sure write access is only granted to those who really need it; maybe provide terminal server access for things which are important, so you can control the environment more easily.
Standard security precautions really. How much have you saved by not hiring a security team? Are you sure you've saved money?
Quite right... 10 days for cat I. But boy oh boy is the actual implementation completely random! God help you if you are a poor bastard at an ashore installation and get caught with your, er, patches down.
But then I go shipboard and find unpatched, unsecured, bog standard Win XP running radars (Northrop Sperry... looking at you) that are actually networked with the ships' nets. So I ask the obvious questions. What it all comes down to is that the more powerful program offices and septic think tanks can get waivers due to a combination of stupidity and raw political clout. Gotta love it!
Yes, it ran very nicely on XP - at one time it was the most effective AND least intrusive scanner available.
From memory, package updates ended about 3 years ago, and virus signature updates about a year* ago.
* Length of a year may vary, depending on which planet you live on.
"Do these things do anything useful?"
The updates you get today should protect you against stuff that's been known for x* days. That means that some people will be infected in the period between release and the discovery and distribution of the AV update. In the normal state of affairs this will be a small proportion of vulnerable systems. When the virus spreads as rapidly as this today's updates are already too late.
*where x is however long it takes for the vendor to confirm reports and put together their update.
So, erm, I'm going to say it first.. This is why government organisations shouldn't hoard vulnerabilities. They will get leaked and they will get used by others who are less trustworthy (grey area..). If you find a vulnerability and don't want to be a part of breaking the internets, please submit it in privacy to the vendor.
NSA didn't "hoard" vulnerabilities, it stockpiled, it weaponised, it planned to use them for its own attacks. MS probably knew about the vulns all along, but when news spread about their being imminently released, MS pointedly patched SOME OF its operating systems. So your appeal is definitely aimed at somebody else's choir.
Here's an IPA for the El Reg reader(s) who pointed out a way to shut down SMB (which I obviously didn't need) a couple of weeks ago, on my two XP systems, as a vaccine for the Doublepulsar vuln. Downvote me for mentioning XP or for mentioning India, or for implicitly criticizing MS; nobody but you will know precisely which.
... it only goes to show that they are not up to the task of running computers in a security critical environment.
This worm spreads over SMB, a service you only need on fileservers. A service which is known to be one of the most complex file sharing protocols, which is therefore likely to have a significant amount of security critical bugs. This particular bug was found before and apparently even patched already.
So any organisation can be blamed for 3 main things:
1. Running Windows
2. Running Windows with the SMB server enabled on non servers
3. Not updating Windows quickly after security critical bugs get public
If they avoided any of those things, they wouldn't have had any problem with this.
"This particular bug was found before and apparently even patched already."
And considering it came to light in the NSA toolkit leak, it's been around for a long time and US officialdom, at least in the NSA, was aware of the potential but did nothing about it. I wonder if any affected US orgs will try suing the agency whose role includes protecting the US for knowingly failing to do their job? Likewise, allies of the US are not likely to be happy that they didn't share this info sooner.
People who have been in the Malicious Software field for as long as I have will remember the Aids Information Floppy disk (5 1/4"!) of 1989. That was an early ransomware hit, and the fact that it was presented as a quasi-medical service ensured a wide copy across the UK medical services.
People in technical specialisms are often very unthinking about security when communicating with their colleagues...
Which stovepipe's budget is going to be picking up the cost of cancelled appointments, wasted time, etc?
Will it be the IT directors, IT departments and their suppliers?
If not, why not? Who else is responsible?
Surely there's an SLA in this picture? Nothing can go wrong if there's an SLA, can it?
Where there's a claim there's a blame...
When you leave school/college/uni you'll find in business, finances are finite. So the Head of IT/Director has to go cap in hand to some idiot bean counter [FD/CFO] who sees IT as a cost and not as an integral part of the business - to simplify it for you, accountants see IT like plumbing, not a shiny store front.
Add to that it's the NHS, where, you know, things are a little 'tight'... And we'll cancel your Granny's hip replacement and a few dozen heart transplants because something 'might' happen?
Getting the picture yet?
Yes, there's probably some bad network designs out there, and less than perfectly configured PCs/servers, often for some long forgotten historical reason i.e. PoS software/hardware. But your post shows an infantile understanding of both business and the complexity and scale of NHS IT.
If budgets are that tight then they are not running shiny new Windows and apps, so then what does old Windows offer that you couldn't get more securely from a Linux distro and those available apps? In fact, if money is that tight then Linux and those apps should be used. Certainly changes would be required but TCO would be significantly lower over time. Maybe the NHS could throw a few million per annum at Debian or other to help ensure updates and new dev continues. Honest to F&%# it's not that difficult. Although the cash packets and jobs would stop flowing to the purchasers/decision makers, so won't ever happen.
I doubt it would save money. Someone will need to support that mammoth project. Most hospitals still have XP machines running some critical hardware (I know of at least one MRI scanner in Carlisle hospital that uses XP). Enterprise Linux support doesn't come cheap at all and MS will be giving massive discounts.
@AC - Downvoted, not because I don't agree that the NHS would be better with Linux, but because you haven't considered that lots of the old kit is connected to specialist equipment, and who knows whether the custom app will run on Wine? And what about all those staff who believe they know how to use Windows, and can't learn Linux? But mostly because you wrote, "Honest to F&%# it's not that difficult."
I apologize for the offensive language. I thought it was obvious that not all systems would be moved immediately to Linux. I do believe that an extremely large purchaser like the NHS would have the power to tell manufacturers to write their software to run natively on Linux. If not the NHS alone then if several decided that is the direction they wanted to move then I'm sure manufacturers would follow quite quickly.
There are ways to create far less expensive, up-to-date and secure networks. Stories like this make me believe that a lot of money or jobs guarantees, stock, and/or whatever changes hands, obviously at the top of these Corporate structures to ensure that a very small number of software companies maintain control.
"Maybe the NHS could through a few million per annum at Debian"
does that include the massive amounts of Windows and MS Office centric apps and templates in use across the entire NHS too? That would be an amazingly cheap deal. You should email your local GP and tell him/her about it and I'm sure he/she will have the people in overall charge of the NHS immediately act on it.
"your post shows an infantile understanding of both business and the complexity and scale of NHS IT"
Rant away, but maybe look at the message too, and the 'learning opportunities' which will arise from this week's experience, and which arose from those before (and those which will follow, unless something changes at the top).
"When you leave school/college/uni you'll find in business, finances are finite. "
Of course finances are usually finite. So why waste money on badly designed systems that are inevitably going to fail and cause expensive chaos when they fail. There will be costs, sooner or later, why not do the job properly, sooner rather than later? (I know, beancounters don't work like that).
Your description of your NHS experience tallies with my own experience as a long term worker in critical IT and perhaps also with my extended experience of bean-counting half-wits in senior 'management' (and in IT departments) in the NHS and elsewhere.
Fwiw, my experience includes stuff from learning about Therac-25 (look it up) to large scale secure email and a whole load of other stuff in between. Stuff which mostly has to work, or if it doesn't, there is a real cost, and therefore there's a real incentive to make it work right.
To add to the fun, I've some experience (as an informed patient and/or relative) of various NHS services in the UK too. Including visiting a large Home Counties hospital and seeing it collapse into utter chaos when an unsupervised digger cut both the grid power feed and the emergency backup feed, during construction work which had also been allowed to disable critical internal emergency lighting systems. That one really was bad for the blood pressure, especially as much of it was preventable.
It's all a bit "mixed" at best, as a well-informed person might expect.
Meanwhile the hospital admins in this picture (hopefully not IT admins) are still faffing around with things like Hospedia, a concept which many sensible people had hoped died when Patientline went bust in 2008:
(May 2017, reported elsewhere too)
http://www.independent.co.uk/news/business/news/hospital-telephone-and-tv-firm-patientline-enters-administration-877864.html (July 2008, remains of Patientline subsequently resurrected as Hospedia)
Find an alternative OS.
There are very few applications that cannot be replaced by an OSS alternative. The learning curve in some instances may be steep but you do IT right? Shouldn't be too difficult.
Windows has the edge over Linux for games, sigh. I need a CPU with VT-d or AMD-Vi to get near native gaming performance in a Windows VM on Linux. I reckon I will be upgrading my hardware as soon as Windows 7 goes out of support. Until then I will game on Windows and work on Linux.
Meanwhile, back in the real world, there are a vast amount of business applications that are only available on Windows. You might find an OSS solution that does something similar for some of them, but you are then faced with a migration of data, user retraining, possible functionality gaps and integration with other applications such as office or your POS or CRM systems. Add to this the many developers who decide that none of the myriad number of already available database engines available out there meet their needs so roll their own arcane data storage format. Good luck migrating from that.
You can lock down Windows with whitelisting, FSRM, applocker, etc. Do this, keep patches reasonably up to date, block executables in email, block access to arbitrary websites, implement sensible permissions, use strong passwords on admin and service accounts. Don't do moronic things like expose fileshares to the internet or have wide open VPNs with partners and you have a decent fighting chance of keeping the crims out (nothing guaranteed of course). After all this, expect that you will still possibly be hit so make sure your backups are working and tested and have a recovery plan.
The problem is the number of lazy admins or support organisations who just don't take security seriously or bypass basic precautions because they make life hard. Far easier to just make users admins to get a crappy application working than to actually track down the specific registry value or file that needs its permission changing so that the said crappy app can write to it.
My phone hasn't rung yet, so hopefully no client I support has had any issues.
I made no mention of a corporate structure nor did the person I responded to. My response was for the change to a personal system.
However migration away from MS can be done over time by any corporate. Yes trying to do this in a year would be expensive but as a long term strategy.. No problem. The saving in licence fees alone would go a long way to paying for the change.
The box you are in is a Microsoft construct, what you really need to see is that there is no box.
Migration away isn't impossible, but is impractical when you have to deal with the sheer number of applications only written for Windows. Take MYOB for example. You will find this in a huge number of small and medium businesses here in Australia. There is a cloud version, but this just stores your data online so you still need a client locally. There is an OSX version, but this brings its own problems and adding macs into an environment just complicates things further, especially as they can't be managed by group policy. As a result, almost everybody uses Windows for MYOB. Since they already run Windows for this, then they naturally look for other Windows based applications. What FOSS application would you suggest as an alternative to MYOB?
Windows licensing is a small part of our costs. Since we use datacentre we can run as many Windows VMs as we want. If we moved to different OS, we would then need to replace all our support applications for backup, security integration, etc. We would probably need to make sure we have a supported version of Linux so would still end up paying fees to somebody. We would then have the initial retraining costs of teaching everyone how to use the new systems and applications, along with ongoing costs when somebody comes in with Windows and Windows application experience and need retraining.
What about support? If I run commercial software, I have support I can contact. What support do I have running some obscure FOSS product? Forums? Authors good will? Is it backed with an SLA?
All this for what? To replace a stable, well managed network that runs applications users want to use and know how to use with something that users will struggle with, that may not integrate as well as we need it to. So yes it is possible, but no, it isn't sensible.
I am OS agnostic. I run some Linux servers where appropriate. As more Windows applications are replaced with cloud based or mobile alternatives then there may come a point where it does become viable to migrate away. That point isn't now, or for the foreseeable future.
It's times like these that I ponder some interesting philosophies.
In an ideal society mathematicians and coders would currently be working together to find a way to break this ransomware and reverse its effects with minimal effort.
However what we probably have is some poor IT staff contemplating the fact that they are going to have to re-image thousands of machines and restore servers from backups taking days and days. That's not even taking into account the machines connected to life saving machinery that will require custom installs or the fact that if they don't do it properly and with updated images they will be back to square one in an instant because someone somewhere will boot up an infected machine.
I do question what will be the outcome after all this has been sorted but I've had the feeling for a long time that the government is running the NHS into the ground ready for privatisation so this is a convenient nail in that coffin albeit poorly timed due to the election.
I believe it is somewhere in the region of 850,000 machines. If it infected the prescription network, then a lot more, because they are provided by the NHS, but not operated by NHS employees.
GCHQ are on the case, maybe they have people who can break the encryption? Unlikely though unless the malware authors messed up.
Someone whisper in Mayhem's ear - The NSA are a terrorist outfit. Extradite someone. We need to demand heads. heads I tell you, before someone gets embarrassed.
Alternatively, someone hit her very hard and loud with the truth - this sort of thing is EXACTLY why gvt mandated back doors are a VERY bad idea. EVERYTHING will leak / be stolen eventually, especially if it's "owned" by government.
"Alternatively, someone hit her very hard and loud with the truth"
And accomplish zilch. You think Steve Jobs had a reality distortion field?
Twas but the merest wisp of gossamer in a raging gale compared to that wielded by politicians in high office.
Truth washes around them, with never so much as a ripple disturbing them.
What we need is more surveillance and backdoors to encryption. Simples. Also vote Team May. Sorted.
I would have posted my wisdom on The Daily Mail but I got bored waiting for it to load up the Celebrity Tits and Arses.
Obviously this Forum will be more receptive to the message.
Looking forward to a huge up-vote on this one.
"Do you think the military run fucking ghey Linux? "
There are plenty of documented refs. to the fact that they do ! A (few) examples
BTW in the case of human viral protection one of the most important factors in resistance is biological diversity. Ditto with IT security.
I must be slow today.
It has only just occurred to me that this is a godsend to some. I imagine an encrypted hard-drive is evidence enough for the IRS when claiming that tax records have been "lost".
*Much* better than a flood or fire, much less indiscriminate in its destruction.
It's like a Neutron Bomb for tax dodgers.
If anyone is hit by this today, because you are using un-updated Windows, this might be a fix.
Our warnings that Windows is not a good environment have not been heeded. Here is my computing landscape:
Windows - don't use it, bad security, bad UI, use Linux.
Linux - don't use it - more secure than Windows, but not enough, and still bad UI - really for use in servers, not end-user systems. Use MacOS.
MacOS - better security because each IPC call is brokered through Mach. Excellent UI. If you really want security use Burroughs/Unisys MCP systems.
MCP systems - mainframes meant for servers. Each instruction is checked for things like out-of-bound access. Something that must be in all system architectures in the future. As Rik Ferguson (security expert at Trend Micro) says - security should be built in from the ground up. All these virus scanners, etc are just after-the-fact detection. MCP-like systems for end users are critical to develop in the future.
Nothing is invulnerable to failure though. As Mark Nunnikhoven (associate of Rik Ferguson), Vice President, Cloud Research Trend Micro noted in a talk to our students recently (while running Keynote slides on MacOS), go out and buy a second 3-4 TB hard drive to backup your files. Way cheaper than $300 which ransomware will claim.
Keep backup disks offline - only putting them online to do backup, so minimise any risk. That kind of defeats Time Machine (Apple's realtime backup and versioning system), but it means backup disks won't be encrypted by ransomware because they are also online. I haven't done this yet, but have budgeted it in next month's expenditure. Meanwhile, I just turn on the backup disk and Time Machine once a week. Most stuff is also backed up in iCloud for $5 per month.
For what it's worth, here's my take on this (and all the other instances where some virus has trashed a network).
Most viruses arrive by email, generally spoofed messages either purporting to come from another user inside the network, or from a trusted external contact. The user then opens the message, then the attachment, (or clicks the link), and then allows the attachment to run macros. This then allows the malware to download the nasty bit of itself, and possibly contact the command and control network.
The nasty stuff then starts encrypting files on the servers - and on the local PC. It will open every drive that the user has mapped, and will create an encrypted version of every file it can see, before deleting the original. Some variants (like this one) will also seek out all other machines on the network to infect them.
So, how do we stop this from happening? Or at least slow down the spread when it does hit, or limit its effectiveness when it arrives.
1. Educate the users so that they stop blindly opening any and all emails they receive.
2. Stop users from treating their work computers like their home PCs - they are not, they are for business use only, but people are very rarely held responsible for the state of their computer, and the higher up they are, the less likely they are to be held accountable.
3. Have working email filters that can identify internal email addresses and reject them as spam (spoofed). Also some external email scanning to remove spam and viruses before it even hits the perimeter of the network.
4. Use file filters to prevent the malware from creating its encrypted version of the file - this stops it from deleting the original. The desktop might be infected, but as long as the file servers are OK, all user data should be safe. It would actually be better to have a file filter that only allows specific file types to be saved to the server, but I am not aware of any way to do that at the moment.
5. Stop using a single AV product across an organisation. There should be one (or more) AV engines scanning emails coming in, a second in use on client desktops, and a third for the servers.
6. Currently the UK compliance rules (well known) are that all critical and security patches released by vendors should be installed within 3 months - this is too long (as proven here). But everyone in IT is well aware that if they install a patch and something breaks, they get the blame - so there is reluctance to force the issue, instead they use staged patching and try and limit any blame they might get.
7. Stop using out of date operating systems - the excuse about testing software for compatibility only holds up for so long - Windows 7 is reaching end of life, and many organisations have not even started testing that their software works on Windows 8, never mind 8.1 or 10, and to still be using Windows XP is poor.
8. Stop having non-technical people making decisions about technology. Put some qualified people in place and give them the authority and budget they need to put proper controls in place, back them up in their decisions, and test it properly to make sure that it meets (or exceeds) their designs.
9. Ensure that your internet connection is not allowing malware to come down - perhaps by limiting file downloads to only a few approved users or computers.
10. Use firewalls on local machines - they are often turned off, or opened to the point of uselessness simply to make life easier for everyone.
11. As one person found out, the original variant stopped when it attempted to contact a specific web address and got a response - this could be fairly simple: configure your network so that all unidentified URLs receive a response from a specific internal web server - as the malware gets a response, it exits. And if a user goes to an invalid URL, they will see a web site advising them what they did wrong - it becomes a win/win. (Implementation may be difficult to accomplish in some environments.)
There are other things that could also be done to help limit the effectiveness of malware - nothing will ever truly kill it off.
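One way to model point 11, and the detection it gives you for free, as an added example that is not code from the original post or from any product named in this thread. The allow-list, sinkhole address, client addresses and DNS log lines are all constructed; a real deployment would use the resolver's own configuration and query logs.

```python
# Added example (not from the original post): a toy model of "every
# unidentified name gets an answer from an internal server" (point 11),
# plus the report a defender runs over the sinkhole's query log.
# All names, addresses and log lines below are constructed.
from collections import defaultdict

SINKHOLE_IP = "10.0.0.250"  # assumed internal web server that answers any unknown name
KNOWN_GOOD = {              # assumed allow-list of names the business actually uses
    "intranet.example.local": "10.0.1.10",
    "mail.example.local": "10.0.1.20",
    "updates.example-vendor.com": "203.0.113.5",
}


def resolve(qname, known=KNOWN_GOOD, sinkhole=SINKHOLE_IP):
    """Return (address, sinkholed) for one query name.

    Allow-listed names resolve to their real address. Anything else is
    answered with the sinkhole address instead of NXDOMAIN, so an
    "is this domain alive?" probe of the kind point 11 describes gets a
    reply and the code that made it takes its exit path.
    Caveat: answering every name removes the normal meaning of NXDOMAIN,
    so anything that relies on a lookup *failing* (some mail and
    proxy-autodiscovery logic) needs an explicit entry of its own.
    """
    name = qname.rstrip(".").lower()
    if name in known:
        return known[name], False
    return sinkhole, True


def parse_query_log(lines):
    """Parse constructed 'time client qname' lines into (client, qname) pairs."""
    pairs = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than abort the report
        _, client, qname = parts
        pairs.append((client, qname.rstrip(".").lower()))
    return pairs


def sinkhole_report(lines, threshold=3, known=KNOWN_GOOD):
    """Return {client: sorted unknown names} for clients at or above threshold.

    One unknown name from a host is ordinary (a typo, a new web service).
    Many distinct unknown names from one host in a short window is the
    pattern of malware looking for infrastructure, and because every such
    lookup now lands on the sinkhole, its log is exactly where it shows up.
    """
    unknown_by_client = defaultdict(set)
    for client, qname in parse_query_log(lines):
        _, sinkholed = resolve(qname, known)
        if sinkholed:
            unknown_by_client[client].add(qname)
    return {c: sorted(names) for c, names in unknown_by_client.items()
            if len(names) >= threshold}


# Constructed sample log: one host doing normal work (with one typo),
# one host probing a run of random-looking names.
SAMPLE_LOG = """\
09:00:01 10.0.5.11 intranet.example.local
09:00:02 10.0.5.11 updates.example-vendor.com
09:00:03 10.0.5.11 intranett.example.local
09:00:10 10.0.5.42 a1b2c3d4e5f6.example-random.test
09:00:11 10.0.5.42 q9w8e7r6t5y4.example-random.test
09:00:12 10.0.5.42 zxcvbnmasdfg.example-random.test
09:00:13 10.0.5.42 mail.example.local
""".splitlines()

if __name__ == "__main__":
    for host, names in sinkhole_report(SAMPLE_LOG).items():
        print(f"{host} asked for {len(names)} unknown names: {', '.join(names)}")
```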
How is any of that stuff particularly relevant when "opening a specially crafted JPG file can allow an unauthenticated attacker to" execute code of the attacker's choosing on the machine being attacked? It's been going on for years, and it's still a problem with "up to date" MS software. Don't take my word for it, search for "specially crafted JPG file" and "Windows" and see what delights show up, how far back they go, and how recent some of the affected software is.
JPEGs don't involve macros, don't involve clicking on attachments, don't need to involve remote file access. View an embedded image in a vulnerable app (which seems to be loads of MS stuff), get owned. It's 2017, ffs.
AV is a bit of a joke too. Statistically there may be more known exploits that are covered by AV products than there are unknown ones. Unfortunately for AV vendors, sensible people are beginning to realise that it's the unknown ones that can do most damage most quickly, and AV is no help there. This was one of the lessons which should have been learnt from Stuxnet (back in 2010, remember?), and as various other similar (simpler) exploits since should have reminded people.
Biting the hand that feeds IT © 1998–2019