Banks have been (relatively) unaffected as far as we know;
There's been two Russian banks affected that I'm aware of. And if you were an affected bank, would you disclose that?
@kelvin: agree but does not excuse culpability.
Jeez!......this just gets better n' better....so you spent all day whizzing down slides and rolfing about in ball pits?, sounds like a perfect job
Obviously, you have to test the UX.
What about the use of third party media - personal memory sticks plugged into work network as an example.
Pendrives have become less of a threat since autorun was disabled by default. But it's still a threat. (A fun trick for hackers / pen-testers is to 'accidentally' drop a loaded pendrive in the car park outside an organisation...)
And with round 2 starting at early breakfast time on Monday.......
'Cyber-attacks that have hit 150 countries since Friday should be treated by governments around the world as a "wake-up call", Microsoft says.
The computing giant said software vulnerabilities hoarded by governments have caused "widespread damage".
Let's work on the assumption that the 'kill switch' vulnerability has now been disabled so this could be an interesting week.
So is this attack purely ransomware, or might there be other things happening, data gathering, perhaps?
And I guess it isn't a co-incidence that my Win10 had a big update yesterday.
Let's work on the assumption that the 'kill switch' vulnerability has now been disabled so this could be an interesting week.
Several reports on Twitter of version 2 with the kill switch removed already in circulation.
[quote=dirtydog ]Several reports on Twitter of version 2 with the kill switch removed already in circulation.
I would have been surprised if it wasn't.
Though whilst getting caught by the first round was excusable, anybody getting hit now when patches for the vulnerability are available on all platforms is completely incompetent. Any company with a clue should have been getting their Cougars in over the weekend.
Well now.
And with round 2 starting at early breakfast time on Monday
The thing here is that the worm (what causes it to spread) and the payload (what does the damage) are separate entities. What I've been doing this weekend is targeting the former*. Despite what the mainstream media would have you believe, the latter doesn't run on XP.
The elephant in the room is that it would be trivial to repackage this exploit. A different payload, a different (or more likely, no) killswitch. That's something I could talk about at length but is out of scope here. What makes this vulnerability so headline-y dangerous is its efficiency of propagation.
(* - the latter is broadly sorted but is a longer story.)
whilst getting caught by the first round was excusable, anybody getting hit now when patches for the vulnerability are available on all platforms is completely incompetent.
Maybe, maybe not, it's economies of scale. If you've got three PCs to worry about then sure. But we're a service provider, with the best will in the world this isn't a coffee break fix.
We've had our best people (obvs, hiya!) battering this at short notice over the weekend, and we've kicked the shit out of it. Seriously, with no intention to humblebrag we've kicked it out of the park, we had one non-critical accidental reboot due to a misunderstanding and beyond that there has been zero downtime whilst we've bounced every internal, customer-facing and other server we own. My company has its failings but we've been a well-oiled machine on this one and I'm truly proud of the work my colleagues and I have done here.
On top of all the mainstream managed machines that fall under WSUS, and the work my colleagues have done, I've personally patched ~60 servers manually in the last two days. These are the machines outside of domains, the ones that fall between the cracks. Legacy systems put in place decades ago.
Are we done? We've smashed the stuff we know about but practically we've still a way to go. We're now into the realms of plucking at test servers, at development machines, at VMs engineers have spun up on their own laptops under their own steam, this sort of thing. My day job is running a tech lab and I've not even had chance yet to look at my own estate, there's probably another couple of dozen uncontrolled servers in there. This is going to run and run, but we're ahead of the game. Any company who tells you they've sorted it right now either has exponentially fewer assets than we do, is naive, or is lying.
We will nail it though, I have no doubt. And we'll nail it before many many others will, we've got an incredibly competent man at the rudder of this. It's been a while since I last found myself impressed by a role model.
Any company with a clue should have been getting their Cougars in over the weekend.
That made me smile, thank you.
And I guess it isn't a co-incidence that my Win10 had a big update yesterday.
3 updates this month I believe?
You can go and see what they were https://www.lifewire.com/patch-tuesday-2625783
Your Windows update settings page will also tell you
The other thing coming out at the moment is the Creator Update which is the big one that has been hitting newer hardware earlier on
https://www.microsoft.com/en-us/windows/upcoming-features
I believe it's been deployed in stages while they see if there are any compatibility problems
Slacker 😆 . In the office at 7:30 this morning after two 17 hour days in a row. Still mopping. Just downed tools. 12 hours today.
Any company with a clue should have been getting their Cougars in over the weekend.
It's really serious when they deploy the MILF's 😉
I suspect that there are some fortunate people who will have an easy budget session this year for their IT spending requirements.
I am not really too sympathetic about 12 hour days - my normal shift is 13 hours and I believe much tougher than computer wizardry no matter how difficult or important. What you describe would be an easy day for someone like Drac ( whose job is tougher than mine)
What you describe would be an easy day for someone like Drac ( whose job is tougher than mine)
Morning. Well yeah I do 12 hours day as the norm at one time they were 15-16 hour days but I'm lucky these days thanks to a job change I no longer get very many late finishes. That said I got a txt last night to say we have a meeting this afternoon, I've also got one on Wednesday morning. Both will be in my own time.
However that's my job it's normal for me. It's not normal for the others on here so I do have a little sympathy.
My wife is back in to work today first after her trust was attacked, she is not looking forward to it.
tjagain - Member
I am not really too sympathetic about 12 hour days - my normal shift is 13 hours and I believe much tougher than computer wizardry no matter how difficult or important
Given most of these people will have already worked a full week before giving up their weekends, cancelling plans and getting stuck in to fix a very serious problem I have a lot more respect and thanks for these people. Without their efforts many more systems would have been affected and more impacts would have been felt. Somebody's payroll server gets locked out, a delivery system or an order system. No drugs to hospitals, no money in your bank account etc.
It actually takes decent skills, effort and concentration to do some of this stuff, it may not be physically harder but it's very mentally demanding.
Given the response from a few here whenever being asked to do extra or cancel plans comes up is foot down, call the union and it's not worth my free time etc. a great number of people just got on with it.
You can play the I work in the NHS card a few times but don't wear it out.
fair point mike
We patched a seriously large number of devices (end-user, servers but also Fiery printers etc) in a short space of time. Over 15000 laptops were not on the network as people had taken them home for the weekend or at least locked them in a cupboard. Hence a large part of that was managing not to get 15000 devices downloading a large-ish update of patches in a very short space of time on Monday morning when everyone arrived, but at the same time avoiding the kind of solution that meant 15000 people arrived at work and were told they couldn't work... We also had fun because Sunday is a working day across much of the Middle East, so had to work around business hours and live users there.
As some have said, not physically exhausting, but blimey a helluva lot going on to keep track of, and also brainstorm for solutions whilst preparing a list of all the random other systems that may need attention, and hatching a plan for them.
There's at least one UK bank that's been hit. Mate of mine did 36 hours straight, at work since lunchtime on Saturday until midnight last night sorting it out. They work within IT security for one of the larger UK banks.
I'd guess (hope?) it's the "non-banking" side of things.
They were apparently back in 7 this morning.
And no, I'm not surprised it's not been publicised. I'd not tell anyone either.
Unless I lost all their money.......
Glad I've managed to dodge the bullet on this one so far, we do IT consultancy for some NHS Trusts but thankfully I'm not on those projects. That said the government agency I'm currently working on is a real eye opener when it comes to complexity that I think most, even experienced IT folk, don't realise.
They finally moved to Win7 last year after an 18 month migration project, it took that long as they have well over a hundred bespoke apps (even those using COTS apps are heavily customised). Some of those are classed threat to life systems (as in downtime is an order of magnitude more serious than the boss can't get to his Internet cat pics) and each one has to be extensively tested and issues fixed.
As for patching, it's done quarterly as standard as it's simply too risky to patch more frequently as patches are far from infallible (and again key systems need to be properly tested first). Fortunately the main environment isn't Internet connected and end points are heavily locked down so the human error factor is largely mitigated but I can imagine IT in the NHS must be a nightmare to support and they have to be much more open and have a much less IT savvy general user base.
This does remind me rather of the Cory Doctorow story - "When Sysadmins Ruled the Earth"
https://craphound.com/overclocked/Cory_Doctorow_-_Overclocked_-_When_Sysadmins_Ruled_the_Earth.html
So cougar - which one are you?
"“Yeah.” Van was a type-two sysadmin, over six feet tall, long pony-tail, bobbing Adam’s apple. Over his toast-rack chest, his tee said CHOOSE YOUR WEAPON and featured a row of polyhedral RPG dice.
Felix was a type-one admin, with an extra seventy or eighty pounds all around the middle, and a neat but full beard that he wore over his extra chins. His tee said HELLO CTHULHU and featured a cute, mouthless, Hello-Kitty-style Cthulhu. "
Due to 'precautions' being taken at my work today email and access to networks and servers is being restricted until all the company computers are updated. Thankfully I checked the company news before going in this morning so I just stayed in bed instead.
Our latest technical guidance, recommendations come after the analysis:
https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/
More general customer guidance:
https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
So cougar - which one are you?
He's clearly a 2.
On topic.. I think that people have learned from the XP situation, and things are done quite differently now than they were 10 or 15 years ago.
We strongly dissuade people from customising our apps, even though they fully support it, because it makes things hard to upgrade so people don't, and they end up in this situation.
so when does Hunt get fired?
[quote=kimbers ]so when does Hunt get fired?
> https://www.thetimes.co.uk/edition/news/experts-told-minister-last-year-of-nhs-hacking-risk-qrpjbdh5d
June 8th with any luck.
[quote=Cougar ]Maybe, maybe not, it's economies of scale. If you've got three PCs to worry about then sure. But we're a service provider, with the best will in the world this isn't a coffee break fix.
Sure - wasn't meaning to downplay what you've done. But if you're not on top of it in the way you are, there are at least some other steps you can take to control the situation whilst you get there. Meanwhile I imagine some will have rocked up Monday morning and then started to think about what to do.
civil service here, win 7 patches getting applied today. We still have many xp machines too! We had a ransomware attack just before xmas too.
Still waiting for the fix. Apparently it has to be applied to every pc separately one at a time to check it's worked.
so when does Hunt get fired?
I'd like to know how he'd get fired. From the end of a 155mm howitzer with a bit of luck. Useless h[s]c[/s]unt
Hunt will not be fired - he is there to destroy the NHS and he is doing a good job of it.
Well the good news is - there goes all the shitty old W2k. Never to be turned on again. Result.
Given the response from a few here whenever being asked to do extra or cancel plans comes up is foot down, call the union and it's not worth my free time etc. a great number of people just got on with it.
I'm a firm believer in "the door swings both ways," and I've been afforded a -lot- of slack and freedom in the past to deal with personal issues. It'd have been churlish of me to say no, frankly. Plus, y'know, I get paid.
We patched a seriously large number of devices (end-user, servers but also Fiery printers etc) in a short space of time.
I've just had a conversation with a mate who was humblebragging about how he did 200 machines in 40 minutes. On our primary estates that's precisely what happened, our internal servers & PCs and our cloud platform both have dedicated teams with robust patching policies and procedures in place.
However, I got to deal with all the off-domain cruft that was left over. We had to control individual reboots / failovers to redundant systems and so forth, with unique per-box login credentials, sometimes on systems that no-one we could find knew much about, on disconnected systems that weren't necessarily accessible from a single management point. It just wasn't practical (or safe) to do it in bulk.
And today, I actually got to make a start on my own kit. I manage what we call the Lab which is an area engineers can use to set up kit before it goes to site, build simulations for exams, and generally use it for their own nefarious purposes. I've got a VMware infrastructure with a homogeneous melting pot of OSes on there from Server 2003 to 2016, Windows 7 / 10, various flavours of Linux, virtual appliances and all sorts. Much of it predates my time there. So I've been playing "patch it or delete it" all day, if nothing else it's done wonders for the disk space in the array.
Well the good news is - there goes all the shitty old W2k. Never to be turned on again. Result.
A couple of years back, I got asked to help an engineer with a wonky PC they'd uplifted from a customer. His question was "mate, WTF is this?" He'd never seen it before - it was Windows 3.11.
Ah yes Windows Mac looks likey. I was reminiscing yesterday over the pile of crap that was Windows 95.
Hunt will not be fired - he is there to destroy the NHS and he is doing a good job of it.
Well... probably not entirely accurate. His one job (which he failed to do) was to keep Health out of the papers. He's only still in post as a Cameron loyalist because everyone else recognises Health is career suicide.
My NHS Day
No Internet, No Email, No Systems. Have access to MS Office though
My NHS day, 10,000 pcs in our estate, guys in all weekend keeping an eye on things. Not one of them compromised so far.
Directors and senior managers nowhere to be seen, not one compliment incoming or even a comment that we must have been on top of our patching.
Hmm sounds like you are providing more than the absolute minimum necessary service
Please consider yourself ready to be outsourced
My nhs day
Everything worked as normal all day.
My wife's NHS day
Not allowed to switch computer on
No Internet, No Email, No Systems. Have access to MS Office though
No internet, internal email only, [i]most[/i] systems working here.
