Government 'efficiency' back in 2015:
[url=https://www.theguardian.com/technology/2015/may/26/uk-government-pcs-open-to-hackers-as-paid-windows-xp-support-ends?CMP=Share_iOSApp_Other]https://www.theguardian.com/technology/2015/may/26/uk-government-pcs-open-to-hackers-as-paid-windows-xp-support-ends?CMP=Share_iOSApp_Other[/url]
I'm going to stick up for Microsoft here. The vulnerability was shared with them, they released a fix for it on supported OS's in April. Now people on unsupported OS's got hit and it's somehow MS's fault.
A reminder that Microsoft had a fix for "unsupported" OS back in April as well, but only released it to customers paying for custom support.
1) should UK government have kept paying for custom support given known reliance on old OS in key departments?
2) as NSA created the exploit, do they have a responsibility to help protect others from its use?
3) if Microsoft had a fix, but withheld it from so many customers at risk, is their approach damaging?
XP was superseded 11 years ago; there comes a point when they have to stop general support and encourage users onto more recent editions.
We only support supported OS's on our software but it will work on Windows 2000 plus. It's certainly going to be good ammunition when a customer says "But why won't you support your software on Windows XP?".
That's fine, but conversely we've had suppliers tell us they are not making their systems compatible with the newer OS yet (8/10) because older OS are still on support or extended support. Same for Office integration. We have one that isn't planning on introducing O2016 compatibility until Qtr4 2018!
Plus, Vista was a nightmare... many suppliers bypassed any development on it completely and held out for Windows 7.
Simple fact is we want to upgrade our OS as soon as possible; the Microsoft EA is the same whether we do or not, but we are prevented from doing so by external factors.
XP was superseded 11 years ago, there comes a point when they have to stop general support and encourage users onto more recent editions.
Encourage users by making the upgrade path as clean as possible, and making your new offering enticing.
The OS iterations that followed XP were best avoided by anyone creating/using critical software in a life saving/threatening environment. For ages XP was the safest bet, and now big investment is needed to catch up, in companies and organisations left behind.
While we wait for that to happen, withholding a security patch that protects users from a state sponsored exploit raises questions.
Yes, "keep your OS up to date", is good advice… but don't use that to stop questions about how key parties have acted on this particular exploit.
When users are "at fault" by not upgrading, it doesn't mean no one else should look hard at the big decisions made by governments and suppliers.
That's fine, but conversely we've had suppliers tell us they are not making their systems compatible with the newer OS yet (8/10) because older OS are still on support or extended support.
If a supplier isn't making their systems compatible "yet" for a five year old OS which has been superseded twice then you need different systems. That's an absolutely outrageous claim for a software developer to be making.
If your "older OSes" are actually Vista / W7 then it should be the work of minutes to fix any compatibility issues, assuming there even are any.
XP came out in 2002 (and as Jonny says was replaced in 2006); the notion that you should still be reliant on a 15-year-old OS which is years out of mainstream support by the company who made it is utterly ludicrous.
Also, PCI compliance anyone?
XP came out in 2002 (and as Jonny says was replaced in 2006); the notion that you should still be reliant on a 15-year-old OS which is years out of mainstream support by the company who made it is utterly ludicrous.
Yes. Upgrading should happen. Should be a priority. It is not finished though. Not even close.
Until that is mostly finished, what should UK government, NSA & Microsoft have done about protecting NHS systems generally, and more specifically about this exploit?
A reminder that Microsoft had a fix for "unsupported" OS back in April as well, but only released it to customers paying for custom support.
1) should UK government have kept paying for custom support given known reliance on old OS in key departments?
2) as NSA created the exploit, do they have a responsibility to help protect others from its use?
3) if Microsoft had a fix, but withheld it from so many customers at risk, is their approach damaging?
And, again, a reminder that XP has hung around for so long because of Microsoft missteps that followed it.
They bear some of the responsibility for it still being in use.
Encourage users by making the upgrade path as clean as possible, and making your new offering enticing.
The OS iterations that followed XP were best avoided by anyone creating/using critical software in a life saving/threatening environment. For ages XP was the safest bet, and now big investment is needed to catch up, in companies and organisations left behind.
While we wait for that to happen, withholding a security patch that protects users from a state sponsored exploit raises questions.
Yes, "keep your OS up to date", is good advice… but don't use that to stop questions about how key parties have acted on this particular exploit.
When users are "at fault" by not upgrading, it doesn't mean no one else should look hard at the big decisions made by governments and suppliers.
If a supplier isn't making their systems compatible "yet" for a five year old OS which has been superseded twice then you need different systems. That's an absolutely outrageous claim for a software developer to be making.
Indeed, and the way the NHS can be seen as a cash cow by the private sector is sickening at times. You also have a legacy of mismanagement to contend with too, some of the PFI contracts in place have completely unrealistic refresh agreements for hardware and software.
What all these various points add up to is that upgrading the OS is not a simple answer to these problems, but it will probably be seen as such by the media, government, etc.
"Upgrade your OS" … wave your magic wand… don't ask any questions of suppliers and government…
And, again, a reminder that XP has hung around for so long because of Microsoft missteps that followed it.
I disagree, that's just a smoke screen for lazy devs, techs and managers. What missteps have they made to prevent companies from upgrading?
I still contend that there's nothing (much) wrong with the much-maligned Vista, but even if that weren't the case, Windows 7 came out in 2009 and there have been three further major OS releases since. There's absolutely no excuse for developers not to support NT6 platforms in 2017, and little excuse for IT infrastructure teams not to have had XP taken out and shot by now.
There's also a financial disconnect at play here, which I'm massively oversimplifying, but... IT may support the infra and hardware; however, a specialist clinical app may be funded by the service that uses it. Whilst IT highlight the risks, they don't own the funding to replace it, nor can they force it upon the service. And it's a brave IT director that lets a system fail to prove a point.
Cougar, I contend that your points are valid for a small organisation with no reliance on third party critical proprietary software, but perhaps limited when looking at a larger organisation with specific needs, funding restrictions, and complex contract and change management issues.
"Critical proprietary software" is the issue here, I'd concur. That's what needs reviewing; if you're beholden to something like that and it's not being properly maintained, you're humped. There's [i]surely[/i] an opening in the market for better solutions here.
In other news, Renault have just been hit. They've shut down manufacturing production.
Many were due to be replaced by systems that never saw the light of day… if we're still talking NHS.
While we wait for that to happen, withholding a security patch that protects users from a state sponsored exploit raises questions.
I've just spotted, patches for XP and 2003 are now on general release from Microsoft.
https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
There's surely an opening in the market for better solutions here.
Barriers to entry are huge; the first question most ask is 'which trusts are using your software and how do we speak to them?'
Bespoke development costs can exacerbate the problem. Imagine the risk in moving towards a solution that no one has used before and where the long term stability of the organisation supplying it is unclear.... and they go against the drive to have interconnected data sharing and move towards a true EHCR.
Edit: I genuinely don't know what the answer to all of this is.
I've just spotted, patches for XP and 2003 are now on general release from Microsoft
Er… if you've just spotted these, then you're not reading the posts that you're replying to!
A lot of the hardware we use is reliant on XP, upgrade the OS and the machines don't work. Not allowed to replace the machines because they're not broken. Our stock control software was only compatible with Windows 98 or 2000 (I forget which) up until last year sometime, so we had one old pc just for that.
A lot of the hardware we use is reliant on XP, upgrade the OS and the machines don't work.
Presumably though they're airgapped so it's a non-issue?
Er… if you've just spotted these, then you're not reading the posts that you're replying to!
I am but may have missed a detail. I'm reading a lot of things right now!
Anyway. I've just had a phone call, so now I'm going to have to drive to work. Not an infection but helping to keep it that way. Wish me luck.
Good luck.
Hope it's a quick fix!
It's far more complicated than you can possibly imagine. More to follow when I get back.
It's far more complicated than you can possibly imagine
An evergreen quote for any IT or NHS thread I reckon! 😉
He did try to strike it down.
We moved to Win7 VMs 18/12 ago, which works fine except for the fact that I suspect some of our network is base 10 Ethernet.
However, there are a heck of a lot of old PCs about and the one on my desk has a 'Made for Windows XP' sticker on it (even if it's running a Win 7 VM)
The problem is that money is tight and it's really hard to justify replacing IT infrastructure that (sort of) works at the expense of clinical staff/equipment.
Right, security appliance installed, AMP and Snort running, Windows now running again; just hope I don't get drowned in too many alerts now.
I've been at work for a long time already with an aim of reducing the attack exposure. Have fun!
Anyway. I've just had a phone call, so now I'm going to have to drive to work. Not an infection but helping to keep it that way. Wish me luck.
[quote=MSP ]XP was superseded 11 years ago
Hang on - W7 wasn't released until 2009
[quote=richardkennerley ]A lot of the hardware we use is reliant on XP, upgrade the OS and the machines don't work. Not allowed to replace the machines because they're not broken.
Aargh - yes they are broken if they're running XP! Are they actually airgapped as Cougar suggests (which has to include a very robust policy regarding the connection of USB devices)?
Though I'm kind of surprised that W7 won't work - the real requirements are very little different to XP (I've run W7 on some very old hardware and extremely resource limited VMs - though it does help a lot if you tune it to get rid of a lot of rubbish).
aracer
MSP » XP was superseded 11 years ago
Hang on - W7 wasn't released until 2009
Vista?
Yeah, but he said "superseded"
There's loads of XP apps that won't work on 7
Same for 2003 and 2008
Big corporate here. No un-airgapped XP left for us, though I suspect there are a few boxes hidden in cupboards just in case, and it only takes one person...
We are currently rolling out a new patch on W7. Just to be sure to be sure.
[quote=nemesis ]There's loads of xp apps that won't work on 7
Not even using compatibility mode? I have a few which need that, but can't recall ever coming across one which didn't work with it.
I have a bit of experience of this, having done transition from XP to W7 in a school - the XP installation was supporting lots of really old software, including some from last century. Was fully expecting to tell the teachers they needed to move on to newer software, but in the event there wasn't anything we couldn't make work.
@aracer, opposite experience for me. Never found a single application where compatibility mode helped. We've still got a couple of XP machines kicking around our place running specific bits of software, but they aren't allowed a network connection.
@fifeandy & @aracer compatibility mode helps in 'some' simple cases; when that fails I've never had any issues when I've made a proper compatibility shim using the app compatibility toolkit (or on occasion App-V to really fool an app into working on a later OS). Yes, it's lots more work to do it that way, but it works.
We've got some expensive bits of kit at work; apparently sometimes vendor support can be limited if you run something they don't authorise (nb I'm not directly involved but that's what I've heard), so I guess stuff would probably work just fine but they don't want the hassle of supporting multiple OSes or "non-standard" kit.
Though I'm kind of surprised that W7 won't work - the real requirements are very little different to XP
Also have kit with ISA controller cards, def a few W2K boxes knocking around, think there might be some earlier as well (none are networked).
Not even using compatibility mode? I have a few which need that, but can't recall ever coming across one which didn't work with it.
Anything that needs hardware drivers could be problematic.
Ah, we have the answer to one little mystery
I knew about that from Twitter - described by another security blogger as "stopping a speeding train." Saying it was an accident is a bit harsh, from what I could tell he knew exactly what he was doing.
So, I'm struggling to understand quite how it's had such a big impact?
If it spreads via an SMB vulnerability, does this mean that each of these organisations has a WAN facing SMB port open on a machine that hasn't been patched? Then once inside it hunts out other SMB ports on the LAN and spreads itself?
If this is the case, in the NHS for example is it just infecting servers or also desktop machines? If so, why do the desktop machines have the SMB port open anyway? Is it open by default?
Eg. at home I've got a little W7 PC that I use as an SMB server. It is behind a NAT and the port isn't forwarded to the WAN. Let's say it's not patched (not sure if it is or not). So other than me clicking on a link in a spam email or visiting a malicious site, infecting one of the other computers on my LAN and it then spreading to my W7 SMB server, it can't get in right?
So how has it spread so far?!?
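One defender-side way to spot the LAN-side spreading described in the question above (a single host reaching many peers on TCP/445 in a short window), as an added example that is not part of the forum thread; it assumes Windows Firewall pfirewall.log-style lines and the sample entries are constructed:

```python
"""Flag hosts fanning out to TCP/445 across many LAN peers in a short window.
Added example, not from the thread. Lines are assumed to follow the Windows
Firewall pfirewall.log layout (date time action proto src dst sport dport ...);
the sample entries are constructed, not taken from a real incident."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.5 touches four peers on 445 in a few seconds
# (one attempt DROPped); 10.0.0.9 makes a single ordinary file-share connection.
SAMPLE_LOG = """\
2017-05-12 10:01:02 ALLOW TCP 10.0.0.5 10.0.0.20 49153 445 0 - 0 0 0 - - - SEND
2017-05-12 10:01:02 ALLOW TCP 10.0.0.5 10.0.0.21 49154 445 0 - 0 0 0 - - - SEND
2017-05-12 10:01:03 ALLOW TCP 10.0.0.9 10.0.0.50 49200 445 0 - 0 0 0 - - - SEND
2017-05-12 10:01:03 DROP TCP 10.0.0.5 10.0.0.22 49155 445 0 - 0 0 0 - - - SEND
2017-05-12 10:01:04 ALLOW TCP 10.0.0.5 10.0.0.23 49156 445 0 - 0 0 0 - - - SEND
2017-05-12 10:01:05 ALLOW TCP 10.0.0.5 10.0.0.20 49157 445 0 - 0 0 0 - - - SEND
2017-05-12 10:09:00 ALLOW TCP 10.0.0.5 10.0.0.80 49300 445 0 - 0 0 0 - - - SEND
"""

def parse_smb_events(text):
    """Yield (timestamp, src, dst) for every TCP connection attempt to port 445.
    Both ALLOW and DROP rows count: a dropped probe is still evidence of sweeping."""
    for line in text.splitlines():
        if not line or line.startswith("#"):  # pfirewall.log header rows start with '#'
            continue
        f = line.split()
        if len(f) < 8 or f[3] != "TCP" or f[7] != "445":
            continue
        ts = datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S")
        yield ts, f[4], f[5]

def find_smb_fanout(text, min_peers=3, window=timedelta(seconds=60)):
    """Return {src: peers} for sources that reach at least min_peers distinct
    hosts on 445 within any sliding window of `window`; a normal workstation
    talks to one or two file servers, a worm sweeps the whole subnet."""
    by_src = defaultdict(list)
    for ts, src, dst in parse_smb_events(text):
        by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window forward
                start += 1
            peers = {dst for _, dst in events[start:end + 1]}
            if len(peers) >= min_peers:
                hits[src] = hits.get(src, set()) | peers
    return hits
```

Run it over an exported pfirewall.log (or the same fields from a switch/flow export) and the output is the list of hosts that swept the subnet on 445, which is the first thing to isolate.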
I'm not sure anyone can say at the moment how the original package got onto the NHS Network (N3). Could well have been a phishing email if you believe the media.
I think the problem may be compounded by the slightly misguided belief that N3 is nice and secure so you can trust anything on it. Not saying that applies to all NHS organisations but the impression I have personally is that some NHS organisations have their internet connectivity locked down far more than their N3 connectivity.
But once into the NHS network then, let's say via an email link, is it just infecting servers or do they have desktops with SMB services running? Can't understand why they would?