Pwnd
The upshot of this is that if you were vulnerable to wannacrypt last week then you've been owned by the NSA for years.
A feared second wave of WannaCrypt ransomware attacks has failed to materialize, but 16 UK National Health Service Trusts are still grappling with last week's infection. WannaCrypt spread like wildfire last Friday, infecting computers and disrupting operations at 47 NHS Trusts, US firms including FedEx, Spain's Telefonica, …
The cure for Intel AMT is dead simple on a desktop. Install a NIC and move the cable to it. AMT only works on the integrated onboard NIC. Taking control of your remote management options is essential.
For good measure depopulate the onboard port or fill it with epoxy. Which you should have done on arrival.
Fix works also for AMD platforms.
Notebooks? That's a different story.
I was thinking more large corporates with thousands of machines. Windows updates will have a tried and tested and largely automated patch process (because it happens so often). Not so much when trying to patch/update a processor/chipset. Installing NICs isn't really an option. Even identifying vulnerable machines will be quite a challenge.
"Even identifying vulnerable machines will be quite a challenge."
To be vulnerable a machine has to have been specifically set up by an administrator, and vulnerable machines can be found by a portscan.
Patching or disabling looks like less work than gluing up the port and installing a new NIC.
"The NHS's online arm said that Windows XP use within the health service had fallen to 4.7 per cent"
Which sounds very good until you realise that, under some measures, the NHS is the 5th largest employer in the world with some 1.7 million workers.
The large army of cooks, porters and cleaners won't need their own PC of course, but still that's a lot of computers running a more than 15-year-old OS.
http://www.telegraph.co.uk/news/uknews/9155130/NHS-is-fifth-biggest-employer-in-world.html
"Some expensive hardware (such as MRI scanners) cannot be updated immediately, and in such instances organizations will take steps to mitigate any risk, such as by isolating the device from the main network,"
Shouldn't that be "have already taken steps"? You know, like when they first knew they weren't getting any more security updates. Back in the days of floppies we called it sneakernet although write protection to ensure data only went one way was easier then. I imagine some similar protocol can still be done but it still relies on meatsacks getting it right.
That's what makes me personally so mad about all of this. 90% of this was completely avoidable if people had just been following good security procedure. Yes, there are always going to be zero day exploits, and there are always going to be idiots that click on links in emails - but since we KNOW that's always going to be the case, people should be putting measures into place with that in fucking mind!
Add up the cost of delaying, IDK, say 10,000 ops a few days. Let's say there's a 1% mortality increase: That's £100m (by UK standard actuarial stats, as I remember it -- may be more nowadays.) Then the cost of, say, two days of overtime by the outsourced SPs and inhouse IT, if there still are any. Assuming they get paid overtime -- and I don't know about anyone else, but in 21 years in IT and 11 employers, only one has paid IT or security droids overtime) -- but this is the public sector, and they still have unions, so let's make a wild guess and say... 1.5m staff... say... 25,000 IT staff total, only half of whom will be junior enough to be dragged in at the weekend. Let's say they did 10h days over the weekend. 12,500 * 20h @ £40 = £10m. So, grand total: £110m.
On the other hand, three years of Windows licenses ... bulk discounts.. say £50 each * 500,000 machines = £25m. Some fraction of those machines will be too old to run W8 or 10; let's say half need forklift upgrades, at £500 each (including boxdropper pay): 250,000 * £500 = £125m.
So we're already at £150m without factoring in the cost of doing all the OTHER security things apart from "apply patches" (you'll recall there's a bit more to it than that, and if it's worth doing, it's worth doing properly, right?) and I'm certain if I thought about it there are many other costs I've neglected.
Now imagine you're running a hospital trust, on a fixed budget allocated by external forces out of your control. People are lined up on trolleys in the corridors, it's a 6h wait to be seen in A&E for everyone except stroke, heart attack or major trauma cases. Meanwhile you have 300 elderly people clogging wards because you can't discharge them because there's no social care available. Oh and you're short of your budgeted complement of nurses to the tune of 12%, and you're facing annual budget cuts of around 5% for the next five years. How would you feel about the suggestion that they spend £150m+ on replacing computers that, to your eyes, appear to be working just fine, just as they have for the last decade?
And that's more or less what happened: £1Bn was raided from the infrastructure and IT budget to pay for opex -- clinical staff, pharmaceuticals, keeping the lights on,
They've taken a decision that a couple of days without email (or completely down) once a decade is less expensive than hiring the number of sec analysts and managers needed to implement comprehensive best practices (not to mention the disruption and capex overhead caused by, say, forcing 2fa for desktop access.) All I can tell you is that they're rich and I'm not, so who's the smart guy here?
You know, like when they first knew they weren't getting any more security updates.
Which is day one. On quite a few of these you are out of warranty and liability coverage on a 10M+ piece of equipment which can whack a patient with a potentially lethal dose of radiation if you touch the base OS outside the vendor specified params.
What the NHS (and many other large enterprises) do is put such equipment on the general purpose network instead of isolating it and treating it as industrial and process control kit (the way it should be treated).
"Some expensive hardware (such as MRI scanners) cannot be updated immediately, and in such instances organizations will take steps to mitigate any risk, such as by isolating the device from the main network,"
This sounds like misdirection. With 4.7% of NHS computers running XP, are they really suggesting that something approaching one computer in twenty has some fancy diagnostic equipment which is at least 8 years old attached to it? This must be a tiny proportion of the XP computers in the NHS. What about the rest?
Hunt told reporters that the level of criminality associated with the outbreak was at the "lower end" of what the government had expected.
What level of criminality do we call a decision not to bother with security updates for thousands of XP machines, to save a few million quid? How much has the last few days cost, Mr Ffrynt-Botham?
@Brewster's thingy
But where would that money have come from?
An interesting point. Surely the purpose of a 'Secretary of State for Health' is to work out how to provide the necessary funds to do the necessary tasks. If he can't do that then he's a bit of a waste of oxygen.
Obviously there are different priorities, but it's not a matter of either/or. Would he suggest not-buying antibiotics to pay for more nurses? Or reducing ward hygiene (even more)? No. There comes a point when the solution is actually more money. Where does that come from? There are many options...
"Would he suggest not-buying antibiotics to pay for more nurses?"
I think he's been doing it the other way round: buying the drugs but increasing the workloads of nurses to the point where patients aren't getting fed or are developing bed sores.
"Or reducing ward hygiene?"
Yup, that seems to have been going on as well.
And we haven't talked about patients on trolleys and the increases in waiting times. (That's probably where it would have ended up: increased waiting times.)
Worst case?
BTW as others have noted many of those PCs already boot in Win7, then go to a VM running XP. Obviously this is not a very secure VM.
Root cause remains WTF can those applications not be disentangled from a 17YO OS and its browser and why can't a newer version be certified fit for purpose by the NHS?
At the end of the day the healthcare system is a large set of large databases with a series of applications built on top of it with a series of browser GUI pages.
Just like a 100 other f**king apps.
So just exactly why is getting a health app to run on a current OS so f**king difficult?
I don't work in health, but in research and I expect the issues are the same.
There are pieces of technical equipment which do a perfectly good job and do not need replacing, but which have legacy hardware systems and cannot be upgraded or run from a modern (Win7 plus, or MacOS10) PC. These are often very expensive pieces of equipment (my own personal favourite was a half-million dollar MALDI-TOF Mass Spec which was running on NT) that you just don't toss away when MS or Apple stop supporting the OS.
I am sure that in some cases there is lack of proper upgrading, but you don't replace equipment worth hundreds of thousands of dollars (or pounds) on the same frequency that you replace PC or operating systems. Be as outraged as you like, but then calm down and look at the real situation - it is legacy hardware that is still running old versions of the OS and an upgrade is simply not available.
"You don't replace equipment worth hundreds of thousands of dollars (or pounds) on the same frequency that you replace PC or operating systems." Quite correct.
You also do not put them on an intranet that touches the public Internet. Certainly not with an unsupported OS, and best never, as the cost if compromised may be a machine physically dangerous to users and others, and may be proportionate to the machine cost.
100113.1537 said:
- "There are pieces of technical equipment which do a perfectly good job and do not need replacing, but which have legacy hardware systems and cannot be upgraded or run from a modern (Win7 plus, or MacOS10) PC. These are often very expensive pieces of equipment (my own personal favourite was a half-million dollar MALDI-TOF Mass Spec which was running on NT) that you just don't toss away when MS or Apple stop supporting the OS.
I am sure that in some cases there is lack of proper upgrading, but you don't replace equipment worth hundreds of thousands of dollars (or pounds) on the same frequency that you replace PC or operating systems. Be as outraged as you like, but then calm down and look at the real situation - it is legacy hardware that is still running old versions of the OS and an upgrade is simply not available."
tom dial said:
- "You also do not put them on an intranet that touches the public Internet. Certainly not with an unsupported OS, and best never, as the cost if compromised may be a machine physically dangerous to users and others, and may be proportionate to the machine cost."
+++
Good practice is to isolate the old kit as much as possible, but that can be difficult operationally. If it is running XP, it doesn't do SMBv2*, and if your workflow involves moving information off a scanner (for example), then it is not unlikely that SMBv1 is being used to get files onto a shared fileserver. Moving stuff around by USB may not be feasible or practical**. Someone then has to set up an isolated VLAN, or physical LAN segment, install a firewall, and set up a ruleset correctly, and maintain it. Operational complexity is never good.
All of this is standard stuff for an IT department, but easy to de-prioritise.
*https://blogs.technet.microsoft.com/josebda/2013/10/02/windows-server-2012-r2-which-version-of-the-smb-protocol-smb-1-0-smb-2-0-smb-2-1-smb-3-0-or-smb-3-02-are-you-using/
**you can put an up-to-date PC next to the XP one running the scanner/other equipment. You then have to hope the software is written to allow writing the necessary files out from the XP machine, then in on the 'standard' machine (or vice-versa) - so your fixed asset count has gone up, and your operational complexity has gone up, and both machines are vulnerable to having a non-approved USB device connected.
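The post above describes the isolation pattern (a legacy VLAN behind a firewall whose ruleset lets the XP scanner box reach exactly one file share over SMB and nothing else, with no unsolicited inbound traffic at all). As an added illustration that is not part of the original thread, the following Python models such a first-match ruleset and runs the flows a reviewer would check before signing it off. Every address, VLAN name and the file-server host are constructed for the example; a real deployment would express the same policy in the firewall's own language and would also need a stateful "established" rule for return traffic, which is not modelled here.

```python
"""Added example: a minimal model of the 'isolated VLAN + firewall ruleset'
approach for legacy XP/SMBv1 kit. All addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "accept" or "drop"
    src: str               # CIDR of the side opening the connection
    dst: str               # CIDR of the side being connected to
    dport: Optional[int]   # TCP destination port, None = any port
    note: str = ""


# Constructed segments: the legacy scanner VLAN and the rest of the estate.
LEGACY_VLAN = "10.90.0.0/24"   # XP box driving the scanner lives here
FILESERVER = "10.10.0.5/32"    # the one SMB share the workflow needs
CORP_VLAN = "10.10.0.0/16"     # ordinary patched desktops and servers
ANY = "0.0.0.0/0"

# First-match ruleset. The only flow the scanner workflow needs is
# legacy -> fileserver on TCP/445; everything else is dropped in both
# directions, including the inbound SMB path a worm would use.
RULESET = [
    Rule("accept", LEGACY_VLAN, FILESERVER, 445, "scanner images to share"),
    Rule("drop", LEGACY_VLAN, ANY, None, "no other egress from legacy kit"),
    Rule("drop", ANY, LEGACY_VLAN, None, "no unsolicited ingress to legacy kit"),
    Rule("accept", CORP_VLAN, ANY, None, "unchanged for everyone else"),
]


def decide(src_ip, dst_ip, dport, ruleset=RULESET):
    """Return (action, note) for a new TCP connection; first match wins.
    Anything no rule covers falls through to an implicit default deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in ruleset:
        if (s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.action, r.note
    return "drop", "implicit default deny"


def audit(ruleset=RULESET):
    """The flows a reviewer checks: the needed path works, nothing else does."""
    return {
        "scanner_to_share": decide("10.90.0.20", "10.10.0.5", 445, ruleset)[0] == "accept",
        "scanner_to_internet": decide("10.90.0.20", "203.0.113.7", 443, ruleset)[0] == "drop",
        "scanner_to_other_smb": decide("10.90.0.20", "10.10.0.9", 445, ruleset)[0] == "drop",
        "desktop_smb_into_scanner": decide("10.10.5.44", "10.90.0.20", 445, ruleset)[0] == "drop",
        "desktop_to_share": decide("10.10.5.44", "10.10.0.5", 445, ruleset)[0] == "accept",
    }


if __name__ == "__main__":
    for name, ok in audit().items():
        print(f"{name:28s} {'ok' if ok else 'POLICY VIOLATION'}")
```

Rule order matters: moving the "no unsolicited ingress" drop below the corporate accept would silently reopen the inbound SMB path, which is exactly the case the `desktop_smb_into_scanner` check exists to catch, and it is why the audit should be re-run every time the ruleset is touched.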
As it happens I've a working knowledge of measurement systems and the problems of RF analogue design.
Let me make a few points.
"The send receive has to operate with a degree of timing precision in the MHz range"
Sounds tough.
Oh wait we live in world where PC motherboards run at GHz frequencies. Now if they said the edges of those timing pulses had to be accurate to 1ns he'd have some serious trouble. But he didn't.
"Timing is therefore usually handled by a single quasi autonomous card that is programmed in a unique language to trigger sequences of events. I"
IOW it's a Black Box that handles all the precision timing. Still not a problem.
"fed their activity lists usually by an old school RISC card that is not doing anything else a"
Another Black Box. Again nothing to do with the network.
"The old school RISC card then sends the data by Ethernet to the PC (used to be SGI or SUN up till about 2000) which is where the issue actually is."
SOP for most network systems is
Build data buffer
Pass start address and length to interface card.
DMA squirts the data out over the link and interrupts if it receives something back or buffer runs out.
Of course if someone has saved a few £ by doing the Ethernet interface in software you're in deep s**t. :-( AFAIK the main Ethernet chips are a few £. Of course being able to make sense of the data sheet (or rather the several 100 page book listing its registers and what their settings mean) is another matter.
Likewise if they wrote the handler code at the other end in an MS "Managed" IE interpreted language that's likely to have some timing issues. Or maybe they just wrote buggy code?
BTW I'm not a PhD but when people start talking about multi channel scopes and logic analyzers I start thinking "Bad grounding, poor bypassing, poor partitioning (high level analogue, low level analogue, digital), runt pulses"
But here's the kicker.
So what? The only PC that should be talking to is a modern PC running an up to date OS IE without SMB V1.0 as a problem to begin with.
Yes this stuff costs an arm and a leg.
Yes they are a valuable investment with a working life in decades (actually the nearest thing I can think of them was a comment that some of the animation cameras used for the computer controlled animation task, I mean actual models, not CGI, dated from the 1920's and 1930's)
So 47 trusts. What's that? 100 sites? MRI is one per site? CT is another, say a couple of ultrasound units?
Wow that's possibly 400 PCs that need TLC.
Now what about the rest of them?
GUI to embedded HW <> regular desktop PC.
So just exactly why is getting a health app to run on a current OS so f**king difficult?
There are other reasons, but in my org the main reason is managed software providers being dicks, and bamboozling the beancounters and execs into forcing IT to "just do what you need to do to make it work".
The IT managers are, as usual, little more than willing messengers.
Take a bow, Atos.
<sets up soapbox>
Ok, I've said this before and I can't believe this is being ignored (especially in light of this latest attack). Why in the hell is bitcoin still in existence?
The ONLY reason this kind of attack is being done is because there exists an anonymous way to transfer money (bitcoin). The only reason bitcoin exists is for conducting illegal transactions.
If you take this secure conduit away from the mix, and what tech savvy hacker is going to be willing to launch an attack (which could possibly be tracked back to them) if there is no way to securely get money from your activity?
Every other type of transaction can be traced (yes, even dollar bills). Tell me one single legitimate reason we need an untraceable money transfer service?
I can't think of a single scenario.
Want this stuff to stop? Kill bitcoin. Kill bitcoin. Kill bitcoin.
I can't believe this is not even being discussed.
~Just buy 2 BCs.
Killing bitcoin would have no lasting effect; they'd just move on to another way of accepting payments (as some already have implemented)
https://www.bleepingcomputer.com/news/security/decrypted-alpha-ransomware-accepts-itunes-gift-cards-as-payment/
There's no reason they couldn't request any other type of pre-paid card, either. Not even going to touch on the 'why' of bitcoin's existence, as you've pretty clearly closed up your mind to anything anyone could put forth.
Actually, I'll give you one; you called soapbox, after all. Bitcoin and other cryptocurrencies deprive the government/regulators/whoever of any significant level of control over who can and cannot make financial transactions. The analogy of 'digital cash' is not a very good one, but the benefits/detriments of cash and cryptocurrencies very often align.
"Bitcoin and other cryptocurrencies deprive the government/regulators/whoever of any significant level of control over who can and cannot make financial transactions."
So you have found a way of stopping people handing large amounts of cash to each other?! Do tell us more...
I suppose I should've given additional context there; the intended context was with respect to other digital transactions. Also, India may or may not have achieved such a thing with their recent demonetization of some specific bank notes; I do not have any insight into whether this was truly effective or not. Removing hands is another potential solution (/s)
Bitcoin isn't anonymous.
Every transaction is in the universal ledger, which everybody has access to by design.
The hard part is matching a given bitcoin payment address to an individual legal entity, which is very easy if they ever "cash out".
It is probably quite hard if they spend the bitcoin as bitcoin, however the money trail remains and could be followed.
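The post above makes the point that the ledger is public, so a ransom payment can be followed forward hop by hop, and that the trail becomes attributable wherever it touches an identifiable entity. As an added illustration that is not part of the original thread, the Python below does that forward trace over a small constructed transaction set, including a "rinse" through several small hops like the one a later reply mentions. Transaction ids, addresses, amounts and the "exchange deposit" label are all constructed; on a real chain the transaction list would come from a node or a block explorer and the labels from an attribution database.

```python
"""Added example: following a ransom payment forward through a public
ledger. All transactions, addresses and labels are constructed."""
from collections import deque

# Constructed transaction list: each tx spends from its input addresses
# and pays its output addresses. Amounts are whole coins for readability.
TXS = [
    {"txid": "t1", "inputs": ["victim1"], "outputs": [("ransom", 0.3)]},
    {"txid": "t2", "inputs": ["victim2"], "outputs": [("ransom", 0.3)]},
    # consolidate, then "rinse" across several small hops
    {"txid": "t3", "inputs": ["ransom"],
     "outputs": [("mixA", 0.2), ("mixB", 0.2), ("mixC", 0.2)]},
    {"txid": "t4", "inputs": ["mixA", "cleanA"], "outputs": [("hop1", 0.5)]},
    {"txid": "t5", "inputs": ["mixB"], "outputs": [("hop2", 0.2)]},
    {"txid": "t6", "inputs": ["hop1", "hop2"],
     "outputs": [("exch_deposit", 0.6), ("change", 0.1)]},
    # unrelated traffic that must not be flagged
    {"txid": "t7", "inputs": ["cleanB"], "outputs": [("shop", 1.0)]},
]

# Constructed attribution label: the point where the trail meets a
# real-world entity that knows who it is paying out to.
KNOWN_LABELS = {"exch_deposit": "exchange deposit address (constructed label)"}


def build_spend_index(txs):
    """Map address -> list of transactions that spend from it."""
    idx = {}
    for tx in txs:
        for a in tx["inputs"]:
            idx.setdefault(a, []).append(tx)
    return idx


def trace_forward(start, txs):
    """Breadth-first 'poison' taint: every output of a transaction that spends
    a tainted input becomes tainted. Returns {address: (hops, [txids])},
    where the path is the shortest chain of transactions from `start`."""
    idx = build_spend_index(txs)
    tainted = {start: (0, [])}
    queue = deque([start])
    while queue:
        addr = queue.popleft()
        hops, path = tainted[addr]
        for tx in idx.get(addr, []):
            for out_addr, _amount in tx["outputs"]:
                if out_addr not in tainted:
                    tainted[out_addr] = (hops + 1, path + [tx["txid"]])
                    queue.append(out_addr)
    return tainted


def cash_out_points(start, txs, labels=KNOWN_LABELS):
    """Tainted addresses carrying a known off-ramp label: where the money
    trail becomes attributable to a legal entity."""
    t = trace_forward(start, txs)
    return {a: (labels[a], t[a]) for a in t if a in labels}


if __name__ == "__main__":
    for addr, (label, (hops, path)) in cash_out_points("ransom", TXS).items():
        print(f"{addr}: {label}, {hops} hops via {' -> '.join(path)}")
```

Two caveats a practitioner would attach. Poison tainting over-approximates: once `mixA` is spent together with the unrelated `cleanA` input in `t4`, everything downstream counts as tainted even though only part of it came from the ransom address, so real investigations weight taint by amount or apply exchange-specific heuristics rather than treating every flagged address as guilty. And the trace only becomes an identification at a labelled off-ramp; addresses like `mixC` that are never spent simply sit in the result as tainted and anonymous, which is the "as long as it stays within the blockchain" case a later reply describes.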
"The hard part is matching a given bitcoin payment address to an individual legal entity, which is very easy if they ever "cash out"."
That's easy to avoid. There exist multiple services that "rinse" bitcoin transfers across many small transactions between multiple accounts specifically to enable fairly decent anonymity.
Indeed.
PHB's in the health software companies that won't move their decades old software off a 17YO OS.
PHB's in NHS trusts who don't see why this is a car crash of a problem waiting to happen, or pushed to migrate the hospital management systems off XP
PHB's in the Ministry of Health who didn't push for it either.
PHB's in NHS central IT who didn't push to certify new versions on new OS's (despite a lot of those PC's actually running XP in a VM anyway).
And of course the PHB in chief Mr Hunt.
Will any of them earn any kind of penalty, or be called to account for their (in)actions?
What do you think?
"Why in the hell is bitcoin still in existence?"
Absolutely - we must ban it immediately. Along with the US Dollar - which is by far the criminal currency of choice - and can be carried round as bits of paper without any trace or audit trail!!!!
Excuse me for asking this question... but he who dares wins...
I've been involved in computing since IBM DOS.
However, blockchain has simply passed me by.
No matter... I have gleaned an overview that all transactions are registered (rightly or wrongly).
So I'm wondering (as an uneducated person in this field)... why it is that these payments can be counted... yet the ultimate recipients cannot be identified.
Can anybody provide an answer?
As long as the transactions stay within the blockchain then it's reasonably anonymous. The ledger will just show that those ransom payments have been made to certain anonymous addresses.
The problem will arise when the miscreants try to convert their ill-gotten gains to either fiat currency or use them to buy other goodies. Half the security services in the world, as well as countless other people are going to be tracking exactly where each of those ransom payments goes from now on and will pounce as soon as anyone reveals the slightest connection to them.
If the hackers have two braincells to rub together, they'll not go near those coins, as they're the digital equivalent of radioactive waste now.
Expect him to throw his toys out of the pram again once he realises he's not the center of attention.
probably deploying the 82nd airborne* against anyone using TOR, or declaring war on the Norks, depending on how much he is ignoring his advisers today.
* or whoever... drawing on my fiction reading for sources.
Unless the people behind this hack were better than the average criminal (and I can't see any evidence of that so far) then it's more than likely they botched generating the encryption keys. Certainly enough that the massive computing power (plus special algorithms) packed by the boffins at GCHQ/NSA should be able to provide a good stab at delivering the decryption keys.
Which (in this commentard's humble opinion) is *exactly* the sort of thing they should be doing. Certainly before hoovering up all our web searches.
I know they are understandably cagey about their capabilities, but is it too much to hope that in between tweets and election gaffes, the US and UK have in place a mechanism to release decryption keys without it being obvious ? Bearing in mind there's still a mystery over how the Crysis keys were leaked online.
"Certainly enough that the massive computing power (plus special algorithms) packed by the boffins at GCHQ/NSA should be able to provide a good stab at delivering the decryption keys."
If this was a TV show, teams would have already tracked down the source and arrested them, got the keys from them and released a friendly virus (written in a few minutes on a top secret quantum computer, natch) to replace the nasty one while leaving a trail of freshly protected PCs in its wake and the world would be safe again, at least until next week's gripping episode.