Reply to post: Re: Am I the only one appalled that an attack like WannaCry can happen to the NHS?

Project Gollum: Because NHS Caring means NHS Sharing


Re: Am I the only one appalled that an attack like WannaCry can happen to the NHS?

Remember that the tool used to spread the malware originated from a "friendly" security agency (NSA) who's toys were stolen.

So we have:

* security flaw in OS

* security service exploits this, stockpiles it and does not carry out responsible disclosure

* security service gets hacked, hack tools stolen, still doesn't carry out responsible disclosure

* Hacker's dump tools online

* Software/OS vendors hastily provide patches for most flaws

* NHS (and others) either fall to patch or are using unsupported OS versions (XP, Vista)

* Random crim's choose ransomware as a payload for one of the leaked tools (an SMB worm) and release it into the wild, most likely expecting to hit a reasonable number of individual's PC's and get some coin.

* Desktop machines in the NHS (and others) get widely affected, pull the plug to stop spread. Everyone checks their estates for patching etc. And begin wiping infected machines etc.

* Servers (storing almost all sensitive data & having a far stricter patching and backup regimen) were not a primary target here and were not part of the reportedly affected machines.

NSA faults:

* policy of hoarding exploits

* not securing those exploits

* not carrying out responsible disclosure once they'd been raided

* a question mark over whether the random crim's made the initial shower of the infection or the NSA had previously shower the infection and the crim's just pushed a payload of malware through the backdoor it created.


* Although it was their flaw, they responded well with patches.

* Win 10 (i.e. the up to date OS) still has question marks over privacy/dial home, so it's not yet a no-brainer for business or secure institutions like the NHS

NHS/UK gov

* Not upgrading OSes to supported versions

* Not patching OSes

* Using SMB/windows network drives where they may not be needed (allowing the worm to spread)

* If there's a reliance on Windows, then kiosk mode, or having the desktop run in a VM on a different (independently patched) host OS (with VM backups) might have either protected the machines or sped up recovery respectively.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022