NHS cyber attack ..

Comments

  • Gagaryn Frets: 1553
    To be clear NHS wasn't specifically targeted, this was a widespread phishing attack. It appears that NHS Lancashire was the first trust to be infected and it is likely a large part of the spread throughout the NHS originated there. Updates tend to be slowly rolled out and lots of NHS machines still run XP.
  • Danji Frets: 225
    Looking at the Trusts affected you can see who has patching in place.
  • Fretwired Frets: 24601
    From today's Times ..

    Blogger ‘halts spread of malware by accident’

    A British researcher who claims to have found a “kill switch” that can stem the tide of yesterday’s global cyberattack said he stumbled upon the solution by accident.

    The cybersecurity blogger, tweeting as @MalwareTechBlog, has been credited with protecting thousands of IT systems from malicious software which caused chaos in the NHS yesterday and affected computers in more than 70 countries.

    By paying $10.69 to take control of a web domain linked to the bug, he was said to have stopped its spread to new computers. However, those already affected will not be helped and the researcher warned that other strains of the ransomware may exist.

    “I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental,” he tweeted last night.

    “I can only add ‘accidentally stopped an international cyberattack’ to my résumé.”

    The domain was reportedly hidden in the malware’s code in case the hackers wanted to stop it spreading. Analysts said it was a stroke of fortune that the cybercriminals hadn’t registered it first.

    Monitors tracking the spread of the malware, known as WannaCry, showed a sharp decline in the number of new addresses being infected shortly after the domain was registered before rising again.

    “So long as the domain isn’t revoked, this particular strain will no longer cause harm, but patch your systems ASAP as they will try again,” @MalwareTechBlog tweeted. He said he was sharing information with the FBI to help notify affected organisations.

    The researcher has not been named but works for the security firm Kryptos Logic, according to the technology website Ars Technica.


    Remember, it's easier to criticise than create!
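
The article says the researcher was sharing information with the FBI to help notify affected organisations; inside a single network the same signal is available, because a host that looks up the kill-switch domain is a candidate for infection. An added example (not from the article or the thread) that triages resolver logs this way; the domain is a placeholder because the article does not name it, and the log format and sample lines are constructed.

```python
import re
from datetime import datetime

# Placeholder only: the article does not name the real domain.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# Constructed resolver log in a made-up format:
# "<ISO timestamp> client=<ip> query=<name> type=<record type>"
SAMPLE_LOG = """\
2017-05-13T09:14:02 client=10.20.1.15 query=www.example.org type=A
2017-05-13T09:14:07 client=10.20.1.77 query=KillSwitch-Placeholder.example. type=A
2017-05-13T09:15:31 client=10.20.3.9 query=killswitch-placeholder.example type=A
2017-05-13T09:15:40 client=10.20.1.15 query=notkillswitch-placeholder.example type=A
2017-05-13T09:41:55 client=10.20.1.77 query=killswitch-placeholder.example type=AAAA
this line is truncated and must be skipped
2017-05-13T10:02:13 client=10.20.1.77 query=www.killswitch-placeholder.example type=A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<name>\S+) type=(?P<rtype>\S+)$"
)


def normalise(name):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.rstrip(".").lower()


def find_kill_switch_clients(log_text, domain=KILL_SWITCH_DOMAIN):
    """Return {client_ip: {"first", "last", "count"}} for lookups of the domain."""
    target = normalise(domain)
    hits = {}
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match is None:
            continue  # malformed or truncated line
        name = normalise(match["name"])
        # Match the domain itself or a subdomain, but not look-alike names.
        if name != target and not name.endswith("." + target):
            continue
        seen = datetime.fromisoformat(match["ts"])
        rec = hits.setdefault(match["client"], {"first": seen, "last": seen, "count": 0})
        rec["first"] = min(rec["first"], seen)
        rec["last"] = max(rec["last"], seen)
        rec["count"] += 1
    return hits


def triage_report(hits):
    """One line per host, earliest lookup first, for the isolation queue."""
    rows = sorted(hits.items(), key=lambda item: item[1]["first"])
    return [
        f"{client} lookups={rec['count']} first={rec['first'].isoformat()} "
        f"last={rec['last'].isoformat()}"
        for client, rec in rows
    ]


if __name__ == "__main__":
    for row in triage_report(find_kill_switch_clients(SAMPLE_LOG)):
        print(row)
```

A host that keeps appearing after it was supposedly cleaned up is worth a second look, which is why the first and last lookup times are both kept.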
  • Axe_meister Frets: 4666
    I reckon there will be people driving up and down the country with new hard drives (with new image) replacing the old ones that will be taken back to a lab and decrypted if possible to try and retrieve what information they can. This is going to cost a fortune.
  • monquixote Frets: 17692
    tFB Trader
    Axe_meister said:
    I reckon there will be people driving up and down the country with new hard drives (with new image) replacing the old ones that will be taken back to a lab and decrypted if possible to try and retrieve what information they can. This is going to cost a fortune.

    The encryption used in these things is crazy strong. They won't be decrypting it unless the hackers have really screwed up.
  • viz Frets: 10734
    Axe_meister said:
    I reckon there will be people driving up and down the country with new hard drives (with new image) replacing the old ones that will be taken back to a lab and decrypted if possible to try and retrieve what information they can. This is going to cost a fortune.

    monquixote said:
    The encryption used in these things is crazy strong. They won't be decrypting it unless the hackers have really screwed up.
    Yep, cryptolocker was in 2013 and that had something like a 128-bit decryption key - these things are basically unbreakable. 
    Roland said: Scales are primarily a tool for categorising knowledge, not a rule for what can or cannot be played.
    Supportact said: [my style is] probably more an accumulation of limitations and bad habits than a 'style'.
  • eSully Frets: 981
    Axe_meister said:
    I reckon there will be people driving up and down the country with new hard drives (with new image) replacing the old ones that will be taken back to a lab and decrypted if possible to try and retrieve what information they can. This is going to cost a fortune.

    monquixote said:
    The encryption used in these things is crazy strong. They won't be decrypting it unless the hackers have really screwed up.
    Yep. I've a feeling the NHS will just have to take a hit on this one. It might not be quite as bad as the press make out. Scanned images and forms etc should be held in backed up and failed over servers/databases. It will only be files actually on the computer that will be lost. I would imagine the machines will be re-imaged and that work will need to be redone.
  • digitalscream Frets: 26797
    edited May 2017
    Not read the whole thread, but there are a few things of note...

    1 - Everybody in the IT industry (except the third party companies contracted to carry out the work) told the £12bn NHS IT project that it was doomed to failure and there was a simpler, cheaper-by-orders-of-magnitude way to do it, but they were ignored in favour of a single-vendor centralised system (otherwise known as a single point of failure). Like it or not, the project was politically-motivated rather than brought about by a technical need; Blair's obsession with modernisation-in-the-face-of-common-sense is the only thing that let the project continue...after two years it was four years behind, and would've been shitcanned under any other government.

    2 - Everybody in the IT industry told them that they'd be better off spending a fraction of that money on a rolling OS upgrade plan for the sake of security. Also ignored in favour of shiny things.

    3 - All Windows versions from XP to Server 2012 were vulnerable until March, when Microsoft released a patch for the vulnerability that this worm uses to propagate. Unsurprisingly, the NHS didn't bother to apply it because of bureaucracy.

    4 - Because servers were vulnerable and unpatched, it's not just a case of wiping the desktops and refreshing.

    5 - As with all ransomware, finding the decryption key is only a matter of time - it's down to the security experts to decompile the worm and find it, though. Given the time it takes to do this, though, it's unlikely to save anyone's job (or life, for that matter).

    6 - If you're using Windows 8 or above, you should be protected by default. Same if you keep up-to-date with security patches.

    7 - There are going to be a lot of calls for NSA/MI5/etc to stop hoarding exploits, and they'll just blame Snowden et al for ruining their security-by-obscurity.

    The short version of all of this is that it's a clusterfuck with so many actors involved that the circle-jerk of blame will continue for years.
    <space for hire>
  • Fretwired Frets: 24601
    edited May 2017
    Axe_meister said:
    I reckon there will be people driving up and down the country with new hard drives (with new image) replacing the old ones that will be taken back to a lab and decrypted if possible to try and retrieve what information they can. This is going to cost a fortune.
    You could be right, but back in the late 1990s my company wrote software for the NHS - database system to be used by GPs and shared around hospitals. By the time it was rolled out XP had arrived and I'm pretty sure the system (in an upgraded form) is still being used. Data was backed up incrementally during the day and I'm not sure how the attack works but many machines had two drives so the data wasn't held on the system drive. Not sure if that makes a difference.

    Remember, it's easier to criticise than create!
  • Fretwired Frets: 24601
    digitalscream said:
    Not read the whole thread, but there are a few things of note...

    1 - Everybody in the IT industry (except the third party companies contracted to carry out the work) told the £12bn NHS IT project that it was doomed to failure and there was a simpler, cheaper-by-orders-of-magnitude way to do it, but they were ignored in favour of a single-vendor centralised system (otherwise known as a single point of failure). Like it or not, the project was politically-motivated rather than brought about by a technical need; Blair's obsession with modernisation-in-the-face-of-common-sense is the only thing that let the project continue...after two years it was four years behind, and would've been shitcanned under any other government.

    2 - Everybody in the IT industry told them that they'd be better off spending a fraction of that money on a rolling OS upgrade plan for the sake of security. Also ignored in favour of shiny things.

    3 - All Windows versions from XP to Server 2012 were vulnerable until March, when Microsoft released a patch for the vulnerability that this worm uses to propagate. Unsurprisingly, the NHS didn't bother to apply it because of bureaucracy.

    4 - Because servers were vulnerable and unpatched, it's not just a case of wiping the desktops and refreshing.

    5 - As with all ransomware, finding the decryption key is only a matter of time - it's down to the security experts to decompile the worm and find it, though. Given the time it takes to do this, though, it's unlikely to save anyone's job (or life, for that matter).

    6 - If you're using Windows 8 or above, you should be protected by default. Same if you keep up-to-date with security patches.

    7 - There are going to be a lot of calls for NSA/MI5/etc to stop hoarding exploits, and they'll just blame Snowden et al for ruining their security-by-obscurity.

    The short version of all of this is that it's a clusterfuck with so many actors involved that the circle-jerk of blame will continue for years.
    Good points - totally agree with point 1. Around £14 billion wasted for nothing.

    I read this attack only affected PCs and not servers.

    Remember, it's easier to criticise than create!
  • digitalscream Frets: 26797
    edited May 2017
    Fretwired said:

    Good points - totally agree with point 1. Around £14 billion wasted for nothing.

    I read this attack only affected PCs and not servers.
    I don't know if the worm can drop its payload on servers, but the vulnerability it uses to propagate is definitely present on all unpatched Microsoft server operating systems up to (and including) Server 2012.

    EDIT: Oh, and it wasn't entirely wasted - I believe one hospital is using the software, somewhere down south. My dad worked on the documentation for the project...oh, the stories...
    <space for hire>
  • Axe_meister Frets: 4666
    The biggest problem with the failed NHS project is they decided to write a custom app. A customised CRM system would have been sufficient (both SAP and Siebel bid for the project back in the day). Then the NHS made every mistake in the project management book with constant scope change (not even creep) meaning millions of pounds of development would have to be backtracked.
  • monquixote Frets: 17692
    tFB Trader
    digitalscream said:
    Not read the whole thread, but there are a few things of note...

    1 - Everybody in the IT industry (except the third party companies contracted to carry out the work) told the £12bn NHS IT project that it was doomed to failure and there was a simpler, cheaper-by-orders-of-magnitude way to do it, but they were ignored in favour of a single-vendor centralised system (otherwise known as a single point of failure). Like it or not, the project was politically-motivated rather than brought about by a technical need; Blair's obsession with modernisation-in-the-face-of-common-sense is the only thing that let the project continue...after two years it was four years behind, and would've been shitcanned under any other government.

    2 - Everybody in the IT industry told them that they'd be better off spending a fraction of that money on a rolling OS upgrade plan for the sake of security. Also ignored in favour of shiny things.

    3 - All Windows versions from XP to Server 2012 were vulnerable until March, when Microsoft released a patch for the vulnerability that this worm uses to propagate. Unsurprisingly, the NHS didn't bother to apply it because of bureaucracy.

    4 - Because servers were vulnerable and unpatched, it's not just a case of wiping the desktops and refreshing.

    5 - As with all ransomware, finding the decryption key is only a matter of time - it's down to the security experts to decompile the worm and find it, though. Given the time it takes to do this, though, it's unlikely to save anyone's job (or life, for that matter).

    6 - If you're using Windows 8 or above, you should be protected by default. Same if you keep up-to-date with security patches.

    7 - There are going to be a lot of calls for NSA/MI5/etc to stop hoarding exploits, and they'll just blame Snowden et al for ruining their security-by-obscurity.

    The short version of all of this is that it's a clusterfuck with so many actors involved that the circle-jerk of blame will continue for years.

    I don't think it's a single encryption key; I think each one is unique. The FBI advice last time they had a big outbreak was just to pay if you want your data back.
  • digitalscream Frets: 26797
    Axe_meister said:
    The biggest problem with the failed NHS project is they decided to write a custom app. A customised CRM system would have been sufficient (both SAP and Siebel bid for the project back in the day). Then the NHS made every mistake in the project management book with constant scope change (not even creep) meaning millions of pounds of development would have to be backtracked.
    The smart thing to do, IMO, would simply have been to define a data interop standard (which almost all government IT projects were focused on at the time - including the ones I was working on) and pay all the software suppliers to gradually move towards it, then use the existing central communications hub for managing cross-site communications and queries.

    The company I worked for at the time submitted a proposal for a part of it, and the response was "We don't want interoperability, we want a new system". Basically, they actively put their fingers in their ears and decided to be the only government project which totally ignored the entire infrastructure that the government had built (which was actually quite good, very secure and very resilient) in favour of reinventing the wheel...presumably, because they believed they had a bottomless budget and everybody wanted on the gravy train.

    If they'd gone for the more sensible solution, it would maybe have cost them £500m at an outside lots-of-things-have-gone-wrong estimate.
    <space for hire>
  • digitalscream Frets: 26797
    digitalscream said:
    5 - As with all ransomware, finding the decryption key is only a matter of time - it's down to the security experts to decompile the worm and find it, though. Given the time it takes to do this, though, it's unlikely to save anyone's job (or life, for that matter).

    monquixote said:
    I don't think it's a single encryption key; I think each one is unique. The FBI advice last time they had a big outbreak was just to pay if you want your data back.
    OK, I was speaking for brevity there. What I actually mean is...if it's a single key, they'll find it through the usual means. If it's unique, there still has to be a generation algorithm - and, since all eyes are on this and lots of government agencies are now involved, it's only a matter of time as to when that algorithm is discovered. How much time, however, is up in the air.

    I'd hazard a guess that this is actually a bunch of script kiddies who've got hold of some nasty tools and chucked it out there in the hope of making a bit of money - to make it reliant on a single, easily-hijacked domain is not the act of a well-funded organisation or an experienced cracker. They'll now be shitting themselves, because they would never have expected it to get this far out of control.
    <space for hire>
  • Garthy Frets: 2268
    ewal said:
    capo4th said:
    If the Labour Party hadn't wasted £15billion on failed IT projects everyone in the NHS would be on a MacBook Pro by now. Epic Fail from the Labour Party.
    Why the need to politicize everything? Do you honestly think politicians are responsible for the success or failure of IT projects? Get real....
    So how come you didn't pick up on ICBM & Fretwired's posts on page 1? Do you have them on ignore or something?
  • monquixote Frets: 17692
    tFB Trader
    digitalscream said:
    5 - As with all ransomware, finding the decryption key is only a matter of time - it's down to the security experts to decompile the worm and find it, though. Given the time it takes to do this, though, it's unlikely to save anyone's job (or life, for that matter).

    monquixote said:
    I don't think it's a single encryption key; I think each one is unique. The FBI advice last time they had a big outbreak was just to pay if you want your data back.

    digitalscream said:
    OK, I was speaking for brevity there. What I actually mean is...if it's a single key, they'll find it through the usual means. If it's unique, there still has to be a generation algorithm - and, since all eyes are on this and lots of government agencies are now involved, it's only a matter of time as to when that algorithm is discovered. How much time, however, is up in the air.

    I'd hazard a guess that this is actually a bunch of script kiddies who've got hold of some nasty tools and chucked it out there in the hope of making a bit of money - to make it reliant on a single, easily-hijacked domain is not the act of a well-funded organisation or an experienced cracker. They'll now be shitting themselves, because they would never have expected it to get this far out of control.

    My assumption is that it generates a random key and uploads it over an encrypted channel to the command and control system.
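
The two positions in this exchange, as an added example that is not part of any post: a per-victim key can be worked out from the code only when its generation is predictable. The sketch assumes a hypothetical flawed generator seeded from the clock and a toy XOR cipher standing in for the real one (all names and sample data are constructed); with a key drawn from the operating system's CSPRNG the same search finds nothing.

```python
import hashlib
import os
import random

KEY_BYTES = 16          # 128-bit key, the size mentioned earlier in the thread
MAGIC = b"%PDF-1.4"     # known leading bytes of a common document type


def weak_key(seed):
    """Hypothetical flawed generator: the key is fully determined by a clock value."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(KEY_BYTES))


def strong_key():
    """Key from the OS CSPRNG: there is no small seed space to enumerate."""
    return os.urandom(KEY_BYTES)


def toy_cipher(key, data):
    """Toy XOR stream cipher (SHA-256 in counter mode); the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def recover_key(ciphertext, window_start, window_end):
    """Try every seed in the window; accept the key whose output starts with MAGIC."""
    head = ciphertext[:len(MAGIC)]
    for seed in range(window_start, window_end + 1):
        key = weak_key(seed)
        if toy_cipher(key, head) == MAGIC:
            return seed, key
    return None


def demo():
    """Return (result for the clock-seeded key, result for the CSPRNG key)."""
    document = MAGIC + b"\n(constructed sample document)\n"
    incident_time = 1494580000  # constructed Unix timestamp
    window = (incident_time - 3600, incident_time + 3600)
    weak_ct = toy_cipher(weak_key(incident_time + 1234), document)
    strong_ct = toy_cipher(strong_key(), document)
    return recover_key(weak_ct, *window), recover_key(strong_ct, *window)


if __name__ == "__main__":
    weak_result, strong_result = demo()
    print("clock-seeded key recovered:", weak_result is not None)
    print("CSPRNG key recovered:", strong_result is not None)
```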
  • ICBM Frets: 72711
    Garthy said:

    So how come you didn't pick up on ICBM & Fretwired's posts on page 1? Do you have them on ignore or something?
    Be fair - we were both completely wrong, as it turns out :). Or it appears so, unless it's an extremely well-disguised political operation. [/second-level conspiracy paranoia] ;)

    I also completely agree that the NHS computer system fiasco was the responsibility of the Blair government, but probably not for any actual political reason - just arrogance and incompetence with added gravy-train jumping - and I'm sure the civil service had a lot to do with it as well. Which has exactly no bearing on the current situation, either for the NHS or for politics.

    "Take these three items, some WD-40, a vise grip, and a roll of duct tape. Any man worth his salt can fix almost any problem with this stuff alone." - Walt Kowalski

    "Only two things are infinite - the universe, and human stupidity. And I'm not sure about the universe." - Albert Einstein

  • olafgarten Frets: 1648
    I'm sure they will be able to reverse engineer the code and find the generation algorithm. If they don't they might be able to find the database storing the keys. 

    The only issue is the time limit, the program deletes all of the data after 7 days.
  • Fretwired Frets: 24601
    edited May 2017
    ewal said:
    capo4th said:
    If the Labour Party hadn't wasted £15billion on failed IT projects everyone in the NHS would be on a MacBook Pro by now. Epic Fail from the Labour Party.
    Why the need to politicize everything? Do you honestly think politicians are responsible for the success or failure of IT projects? Get real....
    We elect politicians to run the country for us and we pay tax and expect them to spend it wisely. Health in the UK is run by a Secretary of State which is more senior than a minister. The government made the decision to create an integrated single system against the advice of experts, they awarded the contracts, they negotiated the contract with the contractors, so they take the blame. I'm sorry but this is political - £14 billion was wasted which could have been spent on a much cheaper solution and provided cash for front-line services.

    Politicians are quick to take the credit when things go right.

    Remember, it's easier to criticise than create!