Doesn't surprise me one bit, the NHS is utterly reliant on IT and largely refuses to invest money on it.
Doesn't surprise me one bit, the NHS is utterly reliant on IT and largely refuses to invest money on it.
Moreover, when they do invest it's not always wisely. I was once involved in a large NHS roll-out and it was clear from the outset that what they'd bought was never going to work / do what they wanted. Multi-million pound system, it was still a cluster-youknowwhat when I'd stopped being involved and I believe it was scrapped in the end.
It's trivial to stop, if you don't have a sprawling, lashed-up desktop environment that is still using Windows XP.
Group Policy still applies to XP, it is (IIRC) Windows 2000 technology.
Good background [url=https://www.scmagazineuk.com/hospitals-turn-patients-away-as-nhs-caught-up-in-global-ransomware-attack/article/658864/]here[/url]
While WannaCryptor is a ransomware tool, the chaos caused by this incident comes from the fact that it is able to jump from computer to computer using EternalBlue/MS17-010/SMB, a vulnerability [b]developed by the NSA[/b] and released into the wild by Shadow Brokers.
Rachel, the business continuity procedures involve cancelling all appointments. Staff not being able to contact each other. That's not without consequences.
Had a double MRI today after a 4 week wait, hoping data isn't lost although I will not complain as it's not life-threatening to have to re-do them.
Ahh sounds about right, so the need to snoop on anyone and everyone to 'keep us safe from terrorist attacks' just brought a national health system to its knees, potentially causing many more deaths than any terrorist attack.
And now we also have the snoopers charter in the UK to worry about too.
Slow clap. Well done everyone. I'm sure I read one news story that one A&E was essentially telling people not to come as they were effectively shut down... If that's not costing life then I don't know what is.
I thought clapping had been banned!
vulnerability developed by the NSA and released into the wild by Shadow Brokers.
I think you mean exploit, not vulnerability. The vulnerability is in Windows SMB server and a patch was issued mid-March.
If it is that exploit, then it kind of explains things.
[i]In March, Microsoft patched the SMB Server vulnerability (MS17-010) exploited by ETERNALBLUE, and it's clear that some people have been slow to apply the critical update, are unable to do so, or possibly just don't care.
The fix is available for Windows Vista SP2, Windows 7, Windows 8.1, Windows RT 8.1, Windows 10, Windows Server 2008 SP2, Windows Server 2008 R2 SP1, Windows Server 2012 and Windows Server 2012 R2, Windows Server 2016, and Server Core. If you have an older vulnerable system, such as XP or Server 2003, you're out of luck[/i].
https://www.theregister.co.uk/2017/04/21/windows_hacked_nsa_shadow_brokers/
Jesus.
Security patches have to be tested by large organisations, they can't afford to just click 'update now' and hope for the best. That's assuming the infrastructure is up to date, it really wouldn't surprise me if server 2003 is still part of the NHS.
What a cluster F.
Of course 2003 is still in use. It is all over the place outside of the NHS too. I doubt it's anything to do with the cause of this.
The vulnerability is in Windows SMB server and a patch was issued mid-March.
AIUI the vulnerability was identified in March, it was patched in April. Not that it makes a vast amount of difference, but waiting a few weeks before patching in case of a broken patch is much less heinous than just lazy patching.
it really wouldn't surprise me if server 2003 is still part of the NHS.
It wouldn't surprise me if OS/2 Warp is still part of the NHS.
[quote=Cougar said]
It wouldn't surprise me if OS/2 Warp is still part of the NHS.
Great OS !
I work 1 evening a fortnight at NHS 111. Tonight is that night and it's mental here! A lot of services are falling back to us and it's just nuts busy. Never seen anything like it. Drafted in as many extra staff as could be found and it's buzzing but it's still mental.
It wouldn't surprise me if OS/2 Warp is still part of the NHS.
Great OS !
It's likely to be running on the cash machines the crooks will use to take their ill-gotten gains or from.... If they ever do.
Around 74 countries affected by this ransomware attack, apparently.
How much of the estate is still on XP? And if so, a choice was made to bin extended support on it, so MS wouldn't even have created a custom patch(es) for the vuln(s), never mind getting round to deploying it.
https://www.theregister.co.uk/2015/05/26/uk_gov_bins_extended_windows_xp_support_contract/
I was sat in a session with Cisco today where we were looking at Stealthwatch along with Umbrella, Trustsec and ISE, which would have seen the change in network traffic and you could have most likely spotted and isolated the affected machines pretty damned quickly at a network level.
As we were playing with the demo VMs of it all, one of the guys (different company to me) shouts out "my client (one of the authorities) has a worm outbreak and not to open any mail from them"
I'm in the process of looking at a network refresh of a large manufacturer and things like this will make my job a hell of a lot easier in recommending splitting the enterprise/production networks and putting some serious controls in place.
Not looking good for a lot of people.
[url=https://intel.malwaretech.com/WannaCrypt.html]https://intel.malwaretech.com/WannaCrypt.html[/url]
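As an added illustration of the network-level detection this post describes (my own example, not code from the thread or from any Cisco product): a small Python script over constructed flow-log lines that flags a host opening SMB (TCP/445) connections to many distinct peers in a short window, the lateral-movement pattern the thread attributes to the worm. The log line format, the window and the threshold are all assumptions.

```python
"""Flag worm-like SMB fan-out in flow logs. Sample data is constructed, not real traffic."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed log format: "<ISO timestamp> src=<ip> dst=<ip> proto=<tcp|udp> dport=<port>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+)$"
)


def constructed_sample():
    """Constructed lines: one host sweeping TCP/445 across a /24 (worm-like),
    one host talking repeatedly to a single file server (benign), plus noise."""
    lines = ["2017-05-12T13:05:00 src=10.20.2.40 dst=10.20.2.5 proto=tcp dport=445"] * 20
    lines += [
        f"2017-05-12T13:05:{i:02d} src=10.20.1.15 dst=10.20.1.{20 + i} proto=tcp dport=445"
        for i in range(12)
    ]
    lines.append("2017-05-12T13:05:05 src=10.20.1.15 dst=10.20.1.1 proto=udp dport=53")
    lines.append("this line is deliberately malformed")
    return "\n".join(lines)


def parse_flows(text):
    """Return (timestamp, src, dst, dport) tuples; malformed lines are skipped, not fatal."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return flows


def smb_fanout_alerts(flows, window=timedelta(seconds=60), threshold=5):
    """Map src -> peak number of distinct TCP/445 targets seen within any sliding window
    of `window` length, for sources reaching `threshold` or more. Many connections to
    the same file server stay below threshold; a sweep across a subnet does not."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == 445:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= threshold:
                alerts[src] = max(len(targets), alerts.get(src, 0))
    return alerts


if __name__ == "__main__":
    print(smb_fanout_alerts(parse_flows(constructed_sample())))
```

A host that trips this is a candidate for isolation at the switch or firewall, which is the response the post above describes.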
[quote=Russell96 said]
How much of the estate is still on XP and if so a choice was made to bin extended support on it
Sadly Russ, from what I have seen "quite a lot" is the answer.
To give you an idea of how this sort of thing happens:
At work we get a few spam, malicious, phishing-scam emails. We have an in-house IT guy who lets us know the latest threats and not to open them.
I opened our inbox and the 2nd email was from an ex-employee, he left about a year ago. In the subject line was "Invoice to Nic XXXXX".
Nic was standing next to me. I asked him if he had spoken to xyz in the last year, or had any dealings with him.
Nic answered in the negative so I knew it was hooky, so without opening it I immediately deleted the email.
The IT guy was in another office so I popped down to tell him we were getting phished from XYZ's email address, and that I had deleted the email. 'Right thing to do, thanks for letting me know' was his response.
Walk back to my PC, and Nic has gone into the deleted email folder and opened the email to see what it was as it had his name in the subject line.
'It's ok, it only infects your computer if you double click.' Oh really, Bill Gates. WTF went through your mind, having agreed with me it was spam, trojan etc., to go into the deleted folder and open the bloody thing.
I then had to go back to the IT guy (still seething) with my head in hands and say "You are not going to believe this but..."
IT bloke just been around. They've just had a patch through from NHS England which is being applied to my machine now. Seems like they're on top of it.
I then had to go back to the IT guy (still seething) with my head in hands and say "You are not going to believe this but..."
See, this is the issue. It's an arms race between techies building bigger and better idiot-proof systems, and nature building bigger and better idiots.
I got a Meraki security appliance a while back and never got round to fitting it, today has scared me enough that it's getting installed on the home network tomorrow and there's going to be a fair bit of locking down on stuff.
Need to look at what I can blag/get at a reasonable price for a decent DNS provider that provides some filtering on the malware, C2 etc. type stuff.
I then had to go back to the IT guy (still seething) with my head in hands and say "You are not going to believe this but
Also (no offence but there's a certain irony here)
You walked away from your unlocked PC with a curious Doris stood next to it!!!
even emergency surgery requires a computer at some stage
Will the NHS just have to pay up?
still could be worse...
From arstechnica: https://arstechnica.com/security/2017/05/an-nsa-derived-ransomware-worm-is-shutting-down-computers-worldwide/
It's apparently attacking Russia disproportionately...
However, the effect it's having on mission-critical systems worldwide is catastrophic.
It's apparently attacking Russia disproportionately...
could it be a bit of CIA revenge gone wrong?
Doesn't surprise me one bit, the NHS is utterly reliant on IT and largely refuses to invest money on it.
Well it's not as though the NHS has other priorities than IT to worry about?
could it be a bit of CIA revenge gone wrong?
Gotta say, it's timely on the back of the Conservative "ban irreversible encryption" notion.
Someone bought or rented an off-the-shelf ransomware package, modded it to take advantage of a recent vuln that has been patched on modern machines, but that in itself gives you a massive clue that it hasn't on older OSes.
Fired it off almost on a scattergun approach via email to various orgs; with, say, 800K-1M users in the NHS based on the email system, with some of Matty's colleagues' peers, how many does it take?
The email system is across the NHS but each local HA has their own network, admin, IT etc., so whilst the infection vector is common across the lot, the spread of it gives a good idea of where Matty's colleagues' peers are and who's running unpatched or XP systems.
If only there was some sort of united group of like-minded nations we were members of that were introducing a law to ensure security for critical gov infrastructure was supported.
http://www.silicon.co.uk/data-storage/bigdata/gdpr-approved-european-parliament-190064
The biggest reason for running outdated OS in our trust are the many major clinical system suppliers who refuse to update their applications in a timely fashion. It's a nightmare trying to bring stuff up to the latest version only to find in testing that critical systems still only run on bloody Vista.
That's a PCI compliance issue right there.
Also (no offence but there's a certain irony here) You walked away from your unlocked PC with a curious Doris stood next to it!!!
That's a very good point actually. [i]Always[/i] lock your PC when not at your desk (even if it's just to protect your Facebook login from "humorous" colleagues).
Agree, but there's a difference between a PC running a critical system which no doubt will be licensed to hell to only run on one or a handful of machines and the run-of-the-mill PCs with email and file and printer shares. Critical system devices: segregate them and leave them on their current OS; all the rest, bloody well update.
I've worked in a customer with sites that are still running Ferranti mainframes for core systems along with lots of younger systems, and as the customer treats security appropriately along with targeted investment they don't have issues. Saying that, I was there one day when their onsite security ejected someone from the site as the email data leakage system caught the person emailing a document that they shouldn't (onsite security carry H&K so not to be messed with). So there's a powerful stick for when people ignore all the mandatory training they have to complete on a regular basis.
Handy round-up for the infrastructure bods.
https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
Oh FFS, C2 is via Tor. What legitimate use would the NHS have for allowing outbound to that? I know what the answer will be though.
If you have an older vulnerable system, such as XP or Server 2003, you're out of luck.
I've just twigged, this isn't true. EternalBlue is an SMBv1 exploit. If you're stuck with XP, switch it off!
[quote=Cougar]
could it be a bit of CIA revenge gone wrong?
Gotta say, it's timely on the back of the Conservative "ban irreversible encryption" notion.
More FUD then? Because that sure as heck ain't going to stop things like this; on the contrary, it's more likely to enable them.
Apropos of nothing, an article from September:
https://www.theregister.co.uk/2016/09/09/nhs_cyber_security_expansion/
More FUD then? Because that sure as heck ain't going to stop things like this; on the contrary, it's more likely to enable them.
My point was rather "hey, let's build a back door that only the good guys can access" is demonstrably a really good idea.
Agree, but there's a difference between a PC running a critical system which no doubt will be licensed to hell to only run on one or a handful of machines and the run-of-the-mill PCs with email and file and printer shares
Thing with the NHS is the critical system is the patient admin system, which needs to be on hundreds, if not thousands of computers in an average hospital. There are lots of back office staff who won't need it but plenty who will so it's not even limited to clinical areas.
