Major hack / IT attack against UK NHS in progress

Samson

As I type this most hospitals in England are under attack by ransomware. Many hospitals and other sites such as GPs are turning off their computers and using pen and paper. Most telephone systems are down. Patients are being asked to not come to hospital and to use the 999 or 112 phone services.

I blame the Tories, they cancelled a planned upgrade of the electronic patient records but mostly 'cos I want to blame them. I think in reality a lot of the blame has to be with the people who implemented the system. Email servers should detect this sort of thing (in a virtualized environment), systems should be designed with minimal contact with the outside world but that takes work. Software should be written with security concerns 1st, rather than as a last minute addition. Windows should not be allowed near critical systems.

[EDIT]
Links: Grundiad Indescribably boring

Could it be more global? Apparently:

A ransomware outbreak is wreaking havoc all over the world, but especially in Spain, where Telefonica — one of the country's biggest telecommunications companies — has fallen victim, and its IT staff is desperately telling employees to shut down computers and VPN connections in order to limit the ransomware's reach.

The culprit for these attacks is v2.0 of the WCry ransomware, also known as WannaCry or WanaCrypt0r ransomware.
 
Was it Russia? It probably had no gain in doing this, but all hacking is done by Russia. Or maybe Russia did the hacking exactly so that people would think it can't have been Russia this time, so as to divert attention from being hack-pirates :/

Or maybe it is Corbyn - if he has ties to Russia.
 
Well it's not so much about Windows or Russia necessarily, it's more like IT equipment and staff netsec training for public sectors is always at near atrocious levels if it exists at all. Private companies are not much better, unless they deal with sensitive financials or are IT themselves. Even then, the whitehat hacks of bank interfaces I've been shown by certain people pretty much confirmed my long held suspicion that 90% of people and organizations don't know what they are doing. Even if they did, IT security is devilishly hard to accomplish.

I mean what do you do when your boss countermands you on strong passwords for board members, because they are too complicated and long for them? It's really a crap job to have.
 
We had a pretty bad sweep here in the Balkans, a little less than a year ago. A lot of private and public organizations were hit. I had a good laugh, especially because we told most of them before, hey, your setup is crap, you've got to spend more money to fix this, and they were like lol no. This seems to be linked with the leak of NSA/CIA tools which explains how hard it is hitting now and all at once.
 
The most important thing is to not allow critical system to be near the internet.

The digital transformation policy has been since 2010 to make all UK public services accessible to smartphones via the Internet.

The government's financial policy in the UK has been to reduce costs by closing down local government offices.

The UK government's efficiency policy is that it is too expensive to have multiple (in person, paper post, telephone and browsing) means of access to services; so that all but the online internet access route would be closed down.

They'd outsource removing one's appendix to a surgeon in a third world call centre to do by remote control if they could.
 
So how susceptible are personal PCs? To get a worm like this don't you usually have to open something first or visit an infected site?
 
Windows should not be allowed near critical systems.

Or you know, just don't leave your systems unpatched and don't run regular users in admin mode.

Properly hardened Windows-based stacks aren't particularly more vulnerable than *nix ones.

So how susceptible are personal PCs? To get a worm like this don't you usually have to open something first or visit an infected site?

Not in this case - it looks like it's due to an SMB vulnerability that was fixed several months ago: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

When MS says Security Updates are critical, they're not just kidding around. You really shouldn't ignore them for months.

If you keep your OS and software up to date and don't execute untrusted (assuming a good trust model) files, you'll be fine.
 
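The reply above names the fix: the SMB hole was patched in MS17-010 months earlier, and SMBv1 is what the worm spread over. As an added example (not from the thread), here is a defender-side audit script for a Windows host that reports whether the SMBv1 server is still on and whether the bulletin's update is present, and can switch SMBv1 off. It assumes the caller supplies the MS17-010 KB ids for their OS build (the `KB-PLACEHOLDER` value is a stand-in, not a real id) and that it runs in an elevated PowerShell session.

```powershell
# Added example, not code from the thread. Audit a Windows host for the SMBv1
# exposure WannaCry used, and optionally disable the SMBv1 server.
# Assumptions: -RequiredKb is the MS17-010 KB list for this OS (placeholder
# below; take the real ids from the MS17-010 bulletin). Disabling SMBv1 via the
# LanmanServer registry value is the documented method for Windows 7 era hosts
# and needs a reboot to take effect.
[CmdletBinding()]
param(
    [string[]]$RequiredKb = @('KB-PLACEHOLDER'),  # replace with the bulletin's KB ids
    [switch]$Disable
)

$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Smb1Enabled {
    # The SMB1 DWORD under LanmanServer\Parameters controls the SMBv1 server.
    # When the value is absent the server is enabled (the legacy default),
    # so "missing" is treated the same as 1.
    $v = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $v) -or ($v -ne 0)
}

function Test-PatchInstalled([string[]]$KbIds) {
    # Get-HotFix lists installed updates by HotFixID (e.g. 'KB1234567').
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KbIds) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

$smb1    = Test-Smb1Enabled
$patched = Test-PatchInstalled $RequiredKb

Write-Host ("SMBv1 server enabled : {0}" -f $smb1)
Write-Host ("MS17-010 KB present  : {0}" -f $patched)

if ($smb1 -and -not $patched) {
    Write-Warning 'Exposed: SMBv1 is on and no MS17-010 KB was found. Patch, or rerun with -Disable.'
}

if ($Disable -and $smb1) {
    Set-ItemProperty -Path $lanman -Name SMB1 -Type DWORD -Value 0 -Force
    Write-Host 'SMBv1 server disabled in the registry; reboot to apply.'
}
```

On Windows 8.1 and later the same check can be done with `Get-SmbServerConfiguration` and `Set-SmbServerConfiguration -EnableSMB1Protocol $false`; the registry path above works on the older hosts that were hit hardest.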
Properly hardened Windows-based stacks aren't particularly more vulnerable than *nix ones.
...
When MS says Security Updates are critical, they're not just kidding around. You really shouldn't ignore them for months.
But you can leave your *nix desktop machine unpatched and it is not likely to be a problem. Surely that makes it harder.
 
Was it Russia? It probably had no gain in doing this, but all hacking is done by Russia. Or maybe Russia did the hacking exactly so that people would think it can't have been Russia this time, so as to divert attention from being hack-pirates :/

Or maybe it is Corbyn - if he has ties to Russia.
Initial Kaspersky report said 70% of new infections were in Russia. But as they admit, they may have incomplete data.
If they are correct, the pandemic might indeed have started in Russia.
 
But you can leave your *nix desktop machine unpatched and it is not likely to be a problem.

Not from a technical standpoint. The only way leaving a *nix desktop unpatched isn't a problem is via security through obscurity.

MS security really is about as good as it gets. Their only downsides are their products' lack of obscurity, and their continued support of legacy technologies. (The latter of which can be mitigated fairly easily - e.g. by not enabling Word macros.)

Most recently: https://twitter.com/taviso/status/861751140437839872
 
Nice try, Russian hacker.
 
I clicked it, wait, why do I now have a purple monkey juggling toasters in the lower right corner of my screen?
 
Not from a technical standpoint. The only way leaving a *nix desktop unpatched isn't a problem is via security through obscurity.

MS security really is about as good as it gets. Their only downsides are their products' lack of obscurity, and their continued support of legacy technologies. (The latter of which can be mitigated fairly easily - e.g. by not enabling Word macros.)

Most recently: https://twitter.com/taviso/status/861751140437839872

We haven't seen many remote code execution exploits against default installations of unix systems.

We have seen many against services that Microsoft enables by default in Windows. But then again, why compromise the system when processors are shipping with back-doors accessible by answering a password challenge with a null string? It appears that there is no such thing as a modern secure Internet-enabled system.
 
We haven't seen many remote code execution exploits against default installations of unix systems.

Security through obscurity. How many remote code execution exploits have we seen against default installations of Windows RT? (And "default installation" of unix systems is a bit disingenuous because of how little it covers. My preferred distro is Arch, which effectively doesn't have a "default installation". RCEs on various Unix platforms aren't particularly uncommon though: a recent one on Apache Struts 2.)

We have seen many against services that Microsoft enables by default in Windows.

Not nearly as many if you only count zero-days.

Though I'd be happy to see MS (and every other software) move more quickly to deprecate legacy features. Flash/Java/Office macros/web advertisements/etc. are all unacceptable security risks that should be blacklisted from base OS/browser configurations.

But then again, why compromise the system when processors are shipping with back-doors accessible by answering a password challenge with a null string?

Doubtful it's a backdoor, too sloppy for that. Falls under the standard axiom of not using software by hardware manufacturers. The vulnerability is only present when AMT is enabled and provisioned and the vulnerable Windows management software is installed.
 
Your example for an RCE on a unix platform is not comparable with Windows file services exploitable in Windows. You're comparing user-installed software on unix (which distributions even package and maintain Struts?) to built-in software active by default on Windows.

AMT (allegedly only when enabled, if you take the word of "our closed-source AMT is safe, trust us" Intel) is vulnerable to a remote attack from its associated network interfaces regardless of the operating system or drivers installed on top. Intel never publicly disclosed the source code and microprocessor design of the thing.

Don't be so partisan, Zelig. There are differences between what the likes of Intel and Microsoft have been doing and the people producing open-source software. The problem is not security by obscurity because with security the idea is that something be obscure (hidden). The problem is trusting obscure claims to security. "This is safe, trust us but don't even think of checking". When the salesmen say that... caveat emptor.

AMT, I will add, was yet another instance of Richard Stallman being proven absolutely correct on his warning made years before the "flaw" was acknowledged.
 