Ransomware Hacking

Had no idea this cost the NHS so much.

“WannaCry ransomware cyber attack cost the National Health Service almost £100m and led to the cancellation of 19,000 appointments, the Department of Health has revealed.”

https://zdnet.com/article/this-is-how-much-the-wannacry-ransomware-attack-cost-the-nhs/?ftag=TRE9b79da2&bhid=24734811385871236995146691857641

Comments

  • All cos they weren't patched. What a shit show.
  • All cos they weren't patched. What a shit show.

    Indeed.
  • Addickted said:

    All cos they weren't patched. What a shit show.

    Nothing to do with the thieving bastards whose criminal intent has not only cost you, me and the rest of the country £100m that could be desperately utilised elsewhere, but caused untold suffering to 19,000 people, some of whom may have subsequently died as a result.
    You're missing the point. Patch systems. It's the bare minimum that is required in IT Security. If these systems were patched, none of this would have happened. This isn't rocket science - and the malware wasn't developed specifically to target the NHS, it was indiscriminate. Some people drive like pricks. You don't tempt fate by walking down the middle of the fucking road hoping they won't hit you.
    You're both right but I agree whole heartedly with the sent @Addickted and would like to see hackers hung drawn and quartered for the damage they do to the world ;-)
  • Addickted said:

    All cos they weren't patched. What a shit show.

    Nothing to do with the thieving bastards whose criminal intent has not only cost you, me and the rest of the country £100m that could be desperately utilised elsewhere, but caused untold suffering to 19,000 people, some of whom may have subsequently died as a result.
    You're missing the point. Patch systems. It's the bare minimum that is required in IT Security. If these systems were patched, none of this would have happened. This isn't rocket science - and the malware wasn't developed specifically to target the NHS, it was indiscriminate. Some people drive like pricks. You don't tempt fate by walking down the middle of the fucking road hoping they won't hit you.
    Not denying that.

    My point if there weren't bastards like this, then there would be no need for varying levels of IT security.

    Criminals, who when caught and convicted should have every single asset they have taken and then spend the rest of their lives working to repay the damage they've caused.
  • Addickted said:

    Addickted said:

    All cos they weren't patched. What a shit show.

    Nothing to do with the thieving bastards whose criminal intent has not only cost you, me and the rest of the country £100m that could be desperately utilised elsewhere, but caused untold suffering to 19,000 people, some of whom may have subsequently died as a result.
    You're missing the point. Patch systems. It's the bare minimum that is required in IT Security. If these systems were patched, none of this would have happened. This isn't rocket science - and the malware wasn't developed specifically to target the NHS, it was indiscriminate. Some people drive like pricks. You don't tempt fate by walking down the middle of the fucking road hoping they won't hit you.
    Not denying that.

    My point if there weren't bastards like this, then there would be no need for varying levels of IT security.

    Criminals, who when caught and convicted should have every single asset they have taken and then spend the rest of their lives working to repay the damage they've caused.
    I think governments should go after them and lock them up and throw away the key. I seriously do - that is how you stop it happening.
  • Addickted said:

    Addickted said:

    All cos they weren't patched. What a shit show.

    Nothing to do with the thieving bastards whose criminal intent has not only cost you, me and the rest of the country £100m that could be desperately utilised elsewhere, but caused untold suffering to 19,000 people, some of whom may have subsequently died as a result.
    You're missing the point. Patch systems. It's the bare minimum that is required in IT Security. If these systems were patched, none of this would have happened. This isn't rocket science - and the malware wasn't developed specifically to target the NHS, it was indiscriminate. Some people drive like pricks. You don't tempt fate by walking down the middle of the fucking road hoping they won't hit you.
    Not denying that.

    My point if there weren't bastards like this, then there would be no need for varying levels of IT security.

    Criminals, who when caught and convicted should have every single asset they have taken and then spend the rest of their lives working to repay the damage they've caused.
    I think governments should go after them and lock them up and throw away the key. I seriously do - that is how you stop it happening.
    Almost impossible to catch them. The vast majority of ransomware comes from organised gangs in Eastern Europe using malware code that is pretty much impossible to trace to an individual, exploiting weaknesses in systems that exist because software companies don't take security seriously. So, you're talking about a cross-border police force with a global reach, when the police won't even currently investigate burglaries because they don't have the resources to do so, nor the CPS prosecute people for dangerous driving when they have incontrovertible video evidence of it because of the high chance a jury won't convict based on their own prejudices, and where trials regularly become a farce because lawyers use legal loopholes and 'reasonable doubt' to get what should be nailed on certain convictions for murder downgraded to manslaughter.

    And you think there's a serious chance of us bringing malware authors and the gangs behind them to justice?

    Just patch the fucking systems for Christ's sake! It's by far the easiest solution to it - doesn't cost any money and is 100% foolproof every single time (bar niche case scenarios where someone with the power of a nation state is actively targeting someone with a zero day vulnerability)
  • edited October 2018

    Addickted said:

    Addickted said:

    All cos they weren't patched. What a shit show.

    Nothing to do with the thieving bastards whose criminal intent has not only cost you, me and the rest of the country £100m that could be desperately utilised elsewhere, but caused untold suffering to 19,000 people, some of whom may have subsequently died as a result.
    You're missing the point. Patch systems. It's the bare minimum that is required in IT Security. If these systems were patched, none of this would have happened. This isn't rocket science - and the malware wasn't developed specifically to target the NHS, it was indiscriminate. Some people drive like pricks. You don't tempt fate by walking down the middle of the fucking road hoping they won't hit you.
    Not denying that.

    My point if there weren't bastards like this, then there would be no need for varying levels of IT security.

    Criminals, who when caught and convicted should have every single asset they have taken and then spend the rest of their lives working to repay the damage they've caused.
    I think governments should go after them and lock them up and throw away the key. I seriously do - that is how you stop it happening.
    Almost impossible to catch them. The vast majority of ransomware comes from organised gangs in Eastern Europe using malware code that is pretty much impossible to trace to an individual, exploiting weaknesses in systems that exist because software companies don't take security seriously. So, you're talking about a cross-border police force with a global reach, when the police won't even currently investigate burglaries because they don't have the resources to do so, nor the CPS prosecute people for dangerous driving when they have incontrovertible video evidence of it because of the high chance a jury won't convict based on their own prejudices, and where trials regularly become a farce because lawyers use legal loopholes and 'reasonable doubt' to get what should be nailed on certain convictions for murder downgraded to manslaughter.

    And you think there's a serious chance of us bringing malware authors and the gangs behind them to justice?

    Just patch the fucking systems for Christ's sake! It's by far the easiest solution to it - doesn't cost any money and is 100% foolproof every single time (bar niche case scenarios where someone with the power of a nation state is actively targeting someone with a zero day vulnerability)
    Some of these firms were still using windows XP ffs.
  • Addickted said:

    Addickted said:

    All cos they weren't patched. What a shit show.

    Nothing to do with the thieving bastards whose criminal intent has not only cost you, me and the rest of the country £100m that could be desperately utilised elsewhere, but caused untold suffering to 19,000 people, some of whom may have subsequently died as a result.
    You're missing the point. Patch systems. It's the bare minimum that is required in IT Security. If these systems were patched, none of this would have happened. This isn't rocket science - and the malware wasn't developed specifically to target the NHS, it was indiscriminate. Some people drive like pricks. You don't tempt fate by walking down the middle of the fucking road hoping they won't hit you.
    Not denying that.

    My point if there weren't bastards like this, then there would be no need for varying levels of IT security.

    Criminals, who when caught and convicted should have every single asset they have taken and then spend the rest of their lives working to repay the damage they've caused.
    I think governments should go after them and lock them up and throw away the key. I seriously do - that is how you stop it happening.


    Just patch the fucking systems for Christ's sake! It's by far the easiest solution to it - doesn't cost any money and is 100% foolproof every single time (bar niche case scenarios where someone with the power of a nation state is actively targeting someone with a zero day vulnerability)
    I agree about the patching but there is so much more to IT security and costs of installing and maintaining the types of applications you see in local government and probably the NHS are significant because of that security. It's expensive keeping the hackers out.
  • edited October 2018
    Hex said:

    Addickted said:

    Addickted said:

    All cos they weren't patched. What a shit show.

    Nothing to do with the thieving bastards whose criminal intent has not only cost you, me and the rest of the country £100m that could be desperately utilised elsewhere, but caused untold suffering to 19,000 people, some of whom may have subsequently died as a result.
    You're missing the point. Patch systems. It's the bare minimum that is required in IT Security. If these systems were patched, none of this would have happened. This isn't rocket science - and the malware wasn't developed specifically to target the NHS, it was indiscriminate. Some people drive like pricks. You don't tempt fate by walking down the middle of the fucking road hoping they won't hit you.
    Not denying that.

    My point if there weren't bastards like this, then there would be no need for varying levels of IT security.

    Criminals, who when caught and convicted should have every single asset they have taken and then spend the rest of their lives working to repay the damage they've caused.
    I think governments should go after them and lock them up and throw away the key. I seriously do - that is how you stop it happening.


    Just patch the fucking systems for Christ's sake! It's by far the easiest solution to it - doesn't cost any money and is 100% foolproof every single time (bar niche case scenarios where someone with the power of a nation state is actively targeting someone with a zero day vulnerability)
    I agree about the patching but there is so much more to IT security and costs of installing and maintaining the types of applications you see in local government and probably the NHS are significant because of that security. It's expensive keeping the hackers out.
    Nope. Patching. Every time. Trust me. Having worked in IT Security for nigh on 15 years - it's always patching.

    Yes, there are other considerations (application control, url filtering, network segmentation to prevent spread, securing code etc) but almost all of them boil down to patching Windows, Office, Adobe and Java's shitty redistributables.

    If you patch every month, run a decent, updated anti-malware client on all machines and a layer 7, application aware firewall with IPS capability, you won't be fingered. Patch against the vulnerabilities and you won't get smashed. Simple.
  • edited October 2018
    Not a techy and bow to the input of those that are on this but ultimately it comes not down to inefficiency of NHS computer scientists but the lack of funding for the departments that are supposed to protect the systems.

    I know it’s a boring comment but I still don’t think people quite grasp just how underfunded the NHS really is. Clinical services are stretched and anything remotely as background as IT is completely strangled.
  • Not a techy and bow to the input of those that are on this but ultimately it comes not down to inefficiency of NHS computer scientists but the lack of funding for the departments that are supposed to protect the systems.

    I know it’s a boring comment but I still don’t think people quite grasp just how underfunded the NHS really is. Clinical services are stretched and anything remotely as background as IT is completely strangled.

    That's definitely part of it. But it's also people having far too much authority over IT when they shouldn't have. Patching systems is actually pretty easy, it doesn't cost money and once it's been set up properly it doesn't require any extra work even (group policies, wsus or sccm and a third party patching solution for Adobe reader, Flash, java etc). Put simply, middle managers are able to kybosh patching by not even letting IT departments reboot workstations regularly - simply because they don't want the inconvenience of having to wait for their machine to start up after patching. That's a far bigger problem than the lack of budget.
  • edited October 2018
    I am sure that all the IT pros on here are aware but windows 7 has been put end of life by MS. January 2020 which sounds like an age away but is only 15 months. At our company (a local MSP) we have in our estate over 1200 windows 7 machines that clients will have to replace god only knows how many more are out there.

    P.s. Windows 10 upgrade is still free if you have a windows 7 or 8 licence. If you do a quick search online a few posts show you how
  • I was doing some work at the NHS when this happened. Biggest issue was in the hospital trusts where lots of the equipment was running Windows XP which were vulnerable. Updating them was incredibly difficult as they used features built into XP that meant upgrading to any version of Windows was almost impossible as the programs running on XP needed to be amended and re-compiled before the operating system could be changed. All down to the cost of doing this.
  • I hosted a client event this week with a speaker from Context, a specialist in the cyber security field. They work with national governments, the nuclear and global banking sectors, who are considered some of the biggest spenders in protecting their systems.

    Sadly some of the stories don’t bear that out. There is a system which many of the globe’s biggest banks pay millions in licence fees for each year, which is essentially useless. The Russians paid for the package a couple of years ago and cracked it. They then found a way to use it to deliver their own bugs/malware.

    Our speaker’s view was that if they want to hack you, you will be hacked. All you can do is protect yourself as much as possible and review that protection on a regular basis. Rolling over licences on systems which have been in place for years is probably not the way to go.
  • All cos they weren't patched. What a shit show.

    Standard layer 8 issue.
  • I’m sure I tried up to find win 10 upgrade a while back and it was chargeable (after a period of being free), has that now changed?

  • cafc-west said:

    I was doing some work at the NHS when this happened. Biggest issue was in the hospital trusts where lots of the equipment was running Windows XP which were vulnerable. Updating them was incredibly difficult as they used features built into XP that meant upgrading to any version of Windows was almost impossible as the programs running on XP needed to be amended and re-compiled before the operating system could be changed. All down to the cost of doing this.

    @Leroy Ambrose is correct about patching but as you correctly point out it is more complicated than that. In an organisation like the NHS that is made up of countless silos, a team of a few staff may operate an application that controls a piece of ageing equipment. The application may be 10, 20 or more years old and for various hardware and software reasons cannot be upgraded or replaced without considerable expense. It's a security loophole that has to be managed.

    Having spent a working lifetime in computing/IT, an ever increasing amount of my time was spent struggling to make applications work in a secure environment. Unfortunately the world is far from perfect or should I say secure and the hackers and virus writers will always exploit this fact. That's why I say exterminate them !

    Meanwhile, keep your IT security up to date, it won't be perfect but it's better than nothing.
  • edited October 2018

    Hex said:

    Addickted said:

    Addickted said:

    All cos they weren't patched. What a shit show.

    Nothing to do with the thieving bastards whose criminal intent has not only cost you, me and the rest of the country £100m that could be desperately utilised elsewhere, but caused untold suffering to 19,000 people, some of whom may have subsequently died as a result.
    You're missing the point. Patch systems. It's the bare minimum that is required in IT Security. If these systems were patched, none of this would have happened. This isn't rocket science - and the malware wasn't developed specifically to target the NHS, it was indiscriminate. Some people drive like pricks. You don't tempt fate by walking down the middle of the fucking road hoping they won't hit you.
    Not denying that.

    My point if there weren't bastards like this, then there would be no need for varying levels of IT security.

    Criminals, who when caught and convicted should have every single asset they have taken and then spend the rest of their lives working to repay the damage they've caused.
    I think governments should go after them and lock them up and throw away the key. I seriously do - that is how you stop it happening.


    Just patch the fucking systems for Christ's sake! It's by far the easiest solution to it - doesn't cost any money and is 100% foolproof every single time (bar niche case scenarios where someone with the power of a nation state is actively targeting someone with a zero day vulnerability)
    I agree about the patching but there is so much more to IT security and costs of installing and maintaining the types of applications you see in local government and probably the NHS are significant because of that security. It's expensive keeping the hackers out.
    If you patch every month, run a decent, updated anti-malware client on all machines and a layer 7, application aware firewall with IPS capability, you won't be fingered. Patch against the vulnerabilities and you won't get smashed. Simple.
    That's what I tell the missus, but she won't listen.

  • edited October 2018
    razil said:

    I’m sure I tried up to find win 10 upgrade a while back and it was chargeable (after a period of being free), has that now changed?

    Hi Raz this link explains it. I use these methods still most weeks for kit that is newer but had windows 7 for one reason or another
  • I pretty much do everything I need to do on my iPad. Thus far I’ve not had any security issues but I do wonder how secure iOS is. Any thoughts ?