Viewing 40 posts - 81 through 120 (of 288 total)
  NHS in large scale IT shutdown

    jonnyboi
    Full Member

    The biggest reason for running an outdated OS in our trust is the many major clinical system suppliers who refuse to update their applications in a timely fashion. It's a nightmare trying to bring stuff up to the latest version only to find in testing that critical systems still only run on bloody Vista.

    Cougar
    Full Member

    That’s a PCI compliance issue right there.

    Also (no offence but there’s a certain irony here)

    You walked away from your unlocked pc with a curious dorris stood next to it!!!

    That’s a very good point actually. Always lock your PC when not at your desk (even if it’s just to protect your Facebook login from “humorous” colleagues).

    Russell96
    Full Member

    Agree, but there's a difference between a PC running a critical system, which no doubt will be licensed to hell to only run on one or a handful of machines, and the run-of-the-mill PCs with email and file and printer shares. Critical system devices: segregate them and leave them on their current OS; all the rest, bloody well update.

    I've worked with a customer with sites that are still running Ferranti mainframes for core systems along with lots of younger systems, and as the customer treats security appropriately along with targeted investment they don't have issues. Saying that, I was there one day when their onsite security ejected someone from the site as the email data leakage system caught the person emailing a document that they shouldn't (onsite security carry H&K, so not to be messed with). So there's a powerful stick for when people ignore all the mandatory training they have to complete on a regular basis.

    Cougar
    Full Member

    Handy round-up for the infrastructure bods.

    https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168

    Russell96
    Full Member

    Oh FFS, C2 is via Tor. What legitimate use would the NHS have for allowing outbound to that? I know what the answer will be though.

    Cougar
    Full Member

    If you have an older vulnerable system, such as XP or Server 2003, you’re out of luck.

    I’ve just twigged, this isn’t true. EternalBlue is an SMBv1 exploit. If you’re stuck with XP, switch it off!

    https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012
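    One way to audit and switch off SMBv1 on the Windows versions covered by the Microsoft article above, as an added example that is not part of the thread or of Microsoft's article. It assumes an elevated PowerShell session on Windows 7 / Server 2008 (R2) or later; XP is not covered by that article and is not handled here.

```powershell
# Added example, not from the thread: check whether SMBv1 is enabled on the
# server side and disable it. Run as Administrator.
# Assumes Windows 7 / Server 2008 (R2) or newer with PowerShell available.

$os = [Environment]::OSVersion.Version

if ($os -ge [Version]"6.2") {
    # Windows 8 / Server 2012 and later expose the SMB server cmdlets.
    $cfg = Get-SmbServerConfiguration
    Write-Host "SMB1 currently enabled: $($cfg.EnableSMB1Protocol)"
    if ($cfg.EnableSMB1Protocol) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Host "SMB1 disabled via Set-SmbServerConfiguration."
    }
} else {
    # Windows Vista / 7 / Server 2008 (R2): the registry method from the article.
    # A value of 0 under LanmanServer\Parameters turns the SMB1 server off;
    # an absent value means the default (enabled). A restart is required.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $cur = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $cur) { $state = 'absent (enabled by default)' } else { $state = $cur }
    Write-Host "SMB1 registry value: $state"
    Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
    Write-Host "SMB1 set to 0; restart the machine for it to take effect."
}
```

    Re-run the script after the change (and the restart, where needed) to confirm the reported state is now disabled, and test any application that relies on file shares before rolling this out widely.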

    aracer
    Free Member

    Gotta say, it’s timely on the back of the Conservative “ban irreversible encryption” notion.

    More FUD then? Because that sure as heck ain't going to stop things like this; on the contrary, it's more likely to enable them.

    Cougar
    Full Member

    Apropos of nothing, an article from September:

    https://www.theregister.co.uk/2016/09/09/nhs_cyber_security_expansion/

    Cougar
    Full Member

    More FUD then? Because that sure as heck aint going to stop things like this – on the contrary it’s more likely to enable them.

    My point was rather “hey, let’s build a back door that only the good guys can access” is demonstrably a really good idea.

    bails
    Full Member

    Agree but there’s a difference between a PC running a critical system which no doubt will be licensed to hell to only run on one or a handful of machines and the run of the mill PC’s with email and file and printer shares

    Thing with the NHS is the critical system is the patient admin system, which needs to be on hundreds, if not thousands of computers in an average hospital. There are lots of back office staff who won’t need it but plenty who will so it’s not even limited to clinical areas.

    Cougar
    Full Member

    Here’s a turnup. The crypto may be broken, seems the private keys are vulnerable. It’s potentially decryptable without paying.

    https://twitter.com/khast3x/status/863114999736225793

    Russell96
    Full Member

    Advice & Guidance, hmm. Unless someone's job is on the line it won't be taken seriously; in private industry the board will perhaps lose something on their share options, Gov depts nothing. Look at the ICO with fines for losing data: one Gov dept fining another, what's the point?

    This will no doubt be spun out to be a “sophisticated attack from a nation state”, only for it to be found two years down the line to be a single spotty-faced teenage youth pulling out the standard defence tactic. Hopefully a few successful extraditions to Gitmo Bay will add a bit of risk for them.

    Winds me up something silly on the toerags who get their kicks on SWAT calls, if there is anyone worth having at the minimum a good Thomas A Smith Electric Rifle experience from the wrong side of the crosshairs.

    Cougar
    Full Member

    I’ve just twigged, this isn’t true. EternalBlue is an SMBv1 exploit. If you’re stuck with XP, switch it off!

    Update, I’ve just been fairly reliably informed that the remote code execution code “apparently” won’t run on XP, so this may be a non-issue.

    Russell96
    Full Member

    Patient Admin System – there’s this new-fangled thing called “the Web”.

    You can even emulate operating systems in web browsers, so “input some text and get some output text” could be done. So, being lazy on your existing estate: no need for file shares or printers; all you need is a locked-down PC, even to the point of epoxy in the USB ports, with just a browser.

    aracer
    Free Member

    Interesting – where has that come from? Is the PEM (including the private key) somewhere in the payload?

    Cougar
    Full Member

    Exactly that, AIUI. (My original source had more info but the Tweet was deleted for some reason.)

    aracer
    Free Member

    cyber criminals with poor cyber security then (hopefully) – who’d have thunk it?

    dissonance
    Full Member

    Advice & Guidance hmm unless someones job is on the line it wont be taken seriously, private industry the board will perhaps loose something on their share options

    The evidence for this is somewhat limited.
    NHS are the headlines here. Elsewhere in the world various corporations are headlining.
    Patching is a nightmare especially when you are running a whole bunch of old systems since you have essential legacy software on it.

    I don't think anyone is claiming it is a nation-state attack, although it does seem to be using some of the NSA exploits that were released a couple of months back.

    Russell96
    Full Member

    I work for a global outfit of about 130K users. I suspect that one of our countries has had a hit (rumour only at present). Totally agree patching is a nightmare. If you think PCs are bad, welcome to the world of networks; I've seen switches and routers with 10+ years' uptime, aka no updates at all!

    Thing is, the lack of patching is usually not down to the IT/Comms teams; it's usually the business either refusing downtime to update or, more likely, not giving any budget for it.

    Some PHBs will get the bullet for this but they are fall guys, I’m now getting increasingly bolshy when in meetings with our and theirs (customer) lawyers when it comes to system updates to defend my position on it all.

    Usual outcome: 12-18 months down the line the customer eventually awakens, becomes aware they need to do something, and sends in a change request that results in a 7-8 figure number to sort out the crap they have let build up for the last 5-10+ years. If they are awash with money they can defer against taxes, they'll spend it; if they have a national regulator breathing down their necks, they'll spend it; or they will quibble over every single nut, bolt and washer, never mind the large bits, and we will just reduce or, more likely, exclude items/sites from SLAs. Then, when it hits the fan, they will bluster, we will do our best, and then they will mutter and dip their hands in the pocket for a limited tactical fix. Said tactical fixes over time will add up to lots more than doing it properly in the first place.

    Cougar
    Full Member

    Aaaaand it looks like it has a killswitch.

    https://twitter.com/GossiTheDog/status/863160534308454400

    Cougar
    Full Member

    I’ve seen switches and routers with 10+ years uptime aka no updates at all!

    Part of the issue here is that commands and functionality can change with new releases, it’s not as simple as “apply the patch”. Roll out a new firmware, you might need to rewrite a config to deal with deprecated / obsolescent syntax. That’s a big deal if you’ve got hundreds of units out there.

    GrahamS
    Full Member

    Those moaning about healthcare still using XP. I’m currently involved in writing software for a very popular radiotherapy system used worldwide. Want to guess what the OS is?

    Legacy stuff is everywhere in this kind of stuff because writing new software to replace safety critical stuff that has worked well for 15 years is an unnecessary risk.

    aracer
    Free Member

    Stranger and stranger – it appears that simply stops the propagation rather than the infection. However according to the twitter thread, the domain is owned by a cyber security company and went live sometime today. It’s not apparent whether it’s chicken or egg though – is the domain owner involved, did somebody spot that in the code and make it live, or is it just a coincidence?

    aracer
    Free Member

    Using unsupported software with documented and unpatched security holes is an unnecessary risk! At some point people need to bite the bullet and upgrade the OS, because it’s only going to get worse (there might be a point where most people no longer bother attacking XP – it appears it isn’t actually targeted in this attack – but whilst people still use it it’s going to be a tempting target for some). The only exceptions can be for completely isolated systems with no contact at all with the outside world – but you’d better be damn sure there is a complete air gap.

    What really grinds my gears though is designing software specific to an OS – apart from extremely specialist stuff which needs low level access anything written properly originally for an XP platform should also work on later OS versions.

    cornholio98
    Free Member

    Parent of one of the guys at work got caught. Paid the fee and was given the de-encryption code. Has to be entered for every file individually… 😯

    Cougar
    Full Member

    Stranger and stranger – it appears that simply stops the propagation rather than the infection. However according to the twitter thread, the domain is owned by a cyber security company and went live sometime today. It’s not apparent whether it’s chicken or egg though – is the domain owner involved, did somebody spot that in the code and make it live, or is it just a coincidence?

    I don’t have the answers (yet?) but it’s both weird and interesting, isn’t it.

    Cougar
    Full Member

    Parent of one of the guys at work got caught. Paid the fee and was given the de-encryption code.. Has to be entered for every file individually…

    Should’ve wiped it and restored from their offline backups.

    Etc, etc.

    Cougar
    Full Member

    Here’s what it’s doing, story so far.

    http://blog.talosintelligence.com/2017/05/wannacry.html

    reformedfatty
    Free Member

    The thing that grips me most about this is the angle that is being portrayed by the media as a bunch of people willing to totally shut down our health services for their own profit, which as has been said, isn’t the case at all.

    My analogy is of having a gate protecting your valuable assets. When it was new it was OK, but over time the years have weathered your gate and planks are falling off and there’s holes in it everywhere – and you use this gate every day, and every day you open and close it, maybe you mutter to yourself ‘should really do something about fixing this gate one day’, and then one day you discover the gate wide open and your stuff is gone.

    If this was a STWer leaving their bike unlocked and complaining it got stolen they would get a lot less sympathy.

    The NHS were undoubtedly aware of these problems; they’ve been widely reported on for years:

    2014 – http://www.theregister.co.uk/2014/01/14/win_xp_uk_gov_hacker_deadline_miss

    2016 –
    http://www.theregister.co.uk/2016/12/08/windows_xp_nhs_still/

    2017 –
    http://www.theregister.co.uk/2017/01/17/nhs_ransomware/

    The failed NHS IT programme –
    https://www.theguardian.com/society/2013/sep/18/nhs-records-system-10bn

    would undoubtedly have pointed out these potential issues as well.

    Basically, at some point the decision was made that getting rid of these ancient vulnerabilities was not a priority, and that is what we should be outraged about, not some script kiddie doing the equivalent of strolling down the street trying every car door to see what’s been left unlocked.

    /rant

    kelvin
    Full Member

    Microsoft still offer security patches for large organisations, if they pay.
    The government stopped paying for this “service.”

    Ransomware you say?

    Some links from back in the day:

    https://www.theguardian.com/technology/2014/apr/07/uk-government-microsoft-windows-xp-public-sector
    https://www.theregister.co.uk/2015/05/26/uk_gov_bins_extended_windows_xp_support_contract/

    spekkie
    Free Member

    So Microsoft are behind it then 😉

    CaptainFlashheart
    Free Member

    So Microsoft are behind it then

    Private company, working in OUR* NHS? What did you expect?

    😉

    * Obligatory waffle as spouted by politicians these days. Never just “the NHS”, is it?

    nickname
    Free Member

    This doesn’t really come as a surprise to anyone. Glad it’s getting extensive media coverage as it should be a kick up the ass to people (whether that’s gov. or whatever) to invest in the security of data/systems – at least take security advisories seriously.

    kelvin
    Full Member

    Microsoft behind the attack? Of course not, but this vulnerability is, in order of importance, down to…

    UK government
    NSA
    Microsoft

    kelvin
    Full Member

    Microsoft now rolling out a security fix for all old OS to all.
    A fix already offered to those paying for extended support?

    Ransomware you say?

    [ edit: can’t find anything to back this up, just heard it on BBC radio without any supporting cite, so pinch of salt time ]

    sillysilly
    Free Member

    Have read so many articles and opinions, but tbh much of what I am reading is ill informed. Without knowledge/experience of vulnerability management across a 70-year-old organisation, the dependencies, and the risk involved in simply updating, it is hard to really understand. E.g. should they have updated all XP machines to Vista when it was launched? That would have caused an even bigger / more expensive issue. Do they update hardware to Windows 10, making it obsolete? Interesting to read what Telefonica did: announce over megaphone for all staff to power down network-connected hardware to stop it. Bit harder at the NHS when someone’s life is potentially on the line. Is everyone still running Windows 7 also guilty for not upgrading to 10? I have nothing to do with the NHS but wish everyone working to get this resolved the best; sure they are working their backsides off right now. Not taking any view / comment re the tech team at the NHS as I don’t personally know anyone there, just trying to pose some questions / give a little more background. From my experience, where this is well managed every update was assessed and was a risk vs reward decision. The goal of IT security is not to make a network impenetrable, as this is impossible, but to make it hard enough that attackers give up. Sometimes your decision can simply fall on the wrong side, or be blocked or changed due to other influences at this scale.

    bodgy
    Free Member

    I can’t help thinking that a financially stretched NHS is a very vulnerable NHS.

    kelvin
    Full Member

    Good post sillysilly. Personally, I think blaming anyone for not constantly updating the OS is a lazy but persistent response. Unrealistic/impractical to do so in many cases. As soon as the NSA exploit was exposed, Microsoft should have been offering patches for all OS; the damage done in the last 24 hours was avoidable. Of course, the patch wouldn’t have been applied universally, but at least give your users a chance.

    I’ve only just read up on the kill switch for this one… love that someone spotted and registered the domain before realising what it would do… accidental hero? Imagine if it had been a trigger for something worse rather than a kill switch though…

    https://m.theregister.co.uk/2017/05/13/wannacrypt_ransomware_worm/

    kelvin
    Full Member

    Microsoft now rolling out a security fix for all old OS to all.
    A fix already offered to those paying for extended support?

    Ransomware you say?

    [ edit: can’t find anything to back this up, just heard it on BBC radio without any supporting cite, so pinch of salt time ]

    Found it…

    We also know that some of our customers are running versions of Windows that no longer receive mainstream support. That means those customers will not have received the above mentioned Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download…

    https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks

    grumpysculler
    Free Member

    We only moved on from Windows XP because it was reaching end of extended support. We will only move on from Windows 7 when the same approaches. Anything that has to run XP for legacy reasons had to be removed from the network.

    But then we have 7500 employees in the UK, not 1.4 million like the NHS.

    You pays your money, you makes your choices. Running with known vulnerabilities carries a risk that has now materialised.
