Microsoft to spooks: WannaCrypt was inevitable, quit hoarding

In the midst of the ongoing WannaCrypt attacks, Microsoft has issued an unusually strongly-worded warning to governments around the world to quit hoarding vulnerabilities. The bug exploited by the attack was hoarded by the United States National Security Agency (NSA), leaked earlier this year and since patched by Microsoft – …


  1. Anonymous Coward

    If you cannot patch it quarantine it

    If you cannot patch it, quarantine it. The reason why Wannacrypt spread like wildfire was the flat design of large enterprise networks with large number of old unpatched machines. While some of the victims fell due to plain idiocy and laziness, others (f.e. some of the NHS X-ray machines) were running XP because there was no way to upgrade them without breaking their core functionality.

    The criminal idiocy is why systems like this were widely exposed and not isolated so that their vulnerabilities are no longer exploitable by half of the world.

    Unfortunately, the criminally incompetent people running NHS IT and their brethren in other large enterprises will never be held responsible for this and it will happen again, and again, and again.

    1. Robert Forsyth

      Re: If you cannot patch it quarantine it

      Not incompetent (many are as arrogant as you) but overworked and lacking funds.

      So you should not be able to access the X-rays from anywhere, but print them out and post them in internal mail, really?

      1. Anonymous Coward

        Re: If you cannot patch it quarantine it

        You don't need funds to block port 445 for machines that don't need it and to segregate VLANs - assuming you're not using domestic switch-gear in your enterprise environment.

        1. Anonymous Coward

          Re: If you cannot patch it quarantine it

          > "You don't need funds to block port 445 for machines that don't need it and to segregate VLANs"

          Actually, you do. It's called slack staff time. The NHS IT is run on a very constrained budget, and what you're suggesting needs someone to look at what's on the network, and work out a plan for sorting it out. From my (limited) experience with them, they don't have enough staff time to do that.

          1. Adam 52 Silver badge

            Re: If you cannot patch it quarantine it

            "From my (limited) experience with them, they don't have enough staff time to do that."

            They have enough time and budget to run an entirely pointless £10bn IT project.

            They have enough budget to replace a perfectly good phone system with one that doesn't work.

            They have enough time to bulk export patient data for Google and the Department of Health.

            The sad truth is that protecting patient confidentiality and keeping the NHS actually treating patients takes a back seat to vanity projects.

            The NHS budget is £123bn. That sort of money buys a lot of negotiating power with suppliers. Or it would if wielded properly.

            1. SImon Hobson Bronze badge

              Re: If you cannot patch it quarantine it

              They have enough time and budget to ...

              You are assuming that "they" are in a position to choose what they do. In all the cases you've cited, some PHB, or committee, will have decided what projects are going on - the grunts at the coal face just get told what they are doing.

              Besides, some of the projects you have mentioned are not related to the separate projects of running the various local networks. You have to remember that there isn't "the NHS" - there is a collection of hundreds of trusts, commissioning groups, blah, blah.

              I assume by "entirely pointless £10bn IT project" you mean the national IT backbone and slurp everything project. That was a completely different group not connected to any of the trusts affected by the ransomware outbreak.

              1. Adam 52 Silver badge

                Re: If you cannot patch it quarantine it

                If you look back up the thread to the OP, "they" is the "criminally incompetent people running NHS IT and their brethren". Criminality remains, of course, unproven.

                NHS IT covers everything I mentioned, and it's all part of the same government department. If it were one trust we were talking about you may have a point, but it isn't.

              2. Doctor Syntax Silver badge

                Re: If you cannot patch it quarantine it

                You are assuming that "they" are in a position to choose what they do. In all the cases you've cited, some PHB, or committee, will have decided what projects are going on - the grunts at the coal face just get told what they are doing.

                "They" applies to the PHBs and committees.

                I wish more folk round here would remember that IT don't exist in isolation. They have to follow what the business wants. The best one can do is advise; strongly and in writing if necessary.

                One difficulty is that the decision makers find it difficult to understand risk. They're choosing between the certainty* of a new, shiny and probably very useful development on the one hand and a list of things which you can't be certain will go wrong on the other. They'll choose the shiny almost all the time.

                *And ignoring any project risks.

                1. PNGuinn

                  "the certainty* of a new, shiny and probably very useful development"

                  ... Which will be delivered by one or more of the usual suspects, very late, probably not before the perceived needs for it have expired, waaay over budget, the project reset at least 7 times, and incredibly tarnished and scratched.

                  Sadly, that's the certainty.

                  How many politicians dead in A & E will it take before the remaining few bite the bullet and REQUIRE that all NHS software moves to FOSS?

                  Triggering that and making it available worldwide would probably be worth several times our foreign aid budget.

                  NHS IT a (not the) clearing house for a vast international effort?

            2. CrazyOldCatMan Silver badge

              Re: If you cannot patch it quarantine it

              They have enough time and budget to run an entirely pointless £10bn IT project.

              Different organisations. The Trusts have their own budgets.

          2. P. Lee

            Re: If you cannot patch it quarantine it

            >The NHS IT is run on a very constrained budget, and what you're suggesting needs someone to look at what's on the network, and work out a plan for sorting it out.

            The incompetence doesn't necessarily refer to the techies, but would more properly be assigned to those who made the decision that funds would be better allocated on something other than security.

            Now where is their cost saving?

            1. Anonymous Coward

              Re: better allocated on something other than security.

              Like patient care for instance?

          3. Doctor Syntax Silver badge

            Re: If you cannot patch it quarantine it

            "what you're suggesting needs someone to look at what's on the network, and work out a plan for sorting it out"

            And for a large and complex estate that's not trivial. There'll be a lot of special cases to analyse.

            1. CrazyOldCatMan Silver badge

              Re: If you cannot patch it quarantine it

              And for a large and complex estate that's not trivial. There'll be a lot of special cases to analyse.

              Even in our small (relatively) network, there are bits of specialist kit that the people out in the business *have* to be able to use. In some cases, those bits of kit are 10-15 years old and we don't have the budget to buy New! Shiney! to replace them.

              So you have to get quite creative to maintain access to business-critical stuff while trying to protect them from the network and the network from them.

        2. Paul 195

          Re: If you cannot patch it quarantine it

          You need funds to do anything. Even blocking ports requires someone to do it and then, most crucially, test that whatever piece of mission critical hardware you've just modified still does what it is supposed to. Time really is money, and doubly so in any large and overstretched organization like the NHS.

      2. Anonymous Coward

        Re: If you cannot patch it quarantine it

        At least have an airgap! So what if the technician has to copy a few files to a pen drive and then onto another system (that can easily sit on the same desk and be used for general use). I just hope other vital services haven't been put online like our power plants for example... but I know common sense is a pretty rare thing.

        1. Anonymous Coward

          Re: If you cannot patch it quarantine it

          London's road, traffic control centres, CCTV and road tunnels are entirely running on unpatched Windoze. Their network is almost completely open to the wider Internet - they have "Firewalls", but they're frequently circumvented by the need to make access easier (and to make recalcitrant stuff actually work). There's no real security at all. The situation is similar on the Underground as well. Patching or OS upgrades aren't possible because doing either breaks the functionality of their poorly piecemeal-written crudware. It's only a matter of time before chunks of London grind to a halt because of a malware attack of some kind.

      3. RJG

        Re: If you cannot patch it quarantine it

        Yes, Incompetent.

        In every security audit I have done in the last 15 years I always included a recommendation that Windows administrators should disable the use of SMBv1.0 because it is extremely insecure and hasn't been required by any Windows version after Windows 98.

        Most Windows admins were surprised that there were different versions of SMB in use and refused to disable v1.0 in case something still needed it.

        That one change would have stopped this infestation, even on unpatched XP systems.

        1. bitmap animal

          Re: If you cannot patch it quarantine it

          -- disable the use of SMBv1.0 because it is extremely insecure and hasn't been required by any Windows version after Windows 98.

          I thought Windows XP only worked with SMB1, as does Server 2003. There are probably quite a few older print servers still solidly working away which may need SMB1.

          1. This post has been deleted by its author

          2. Richard Plinston

            Re: If you cannot patch it quarantine it

            > I thought Windows XP only worked with SMB1, as does Server 2003.

            Yes. From the Samba docs:

            SMB2: Re-implementation of the SMB protocol. Used by Windows Vista and later versions of Windows. SMB2 has sub protocols available.

            SMB2_02: The earliest SMB2 version.

            SMB2_10: Windows 7 SMB2 version.

            SMB2_22: Early Windows 8 SMB2 version.

            SMB2_24: Windows 8 beta SMB2 version.
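As an added example (not code from this thread or from the Samba project), here is a defender-side parser for SMB negotiate requests, built from the SMB1 dialect-string layout (MS-CIFS) and the SMB2 dialect-code layout (MS-SMB2). It classifies a client as SMB1-only (the XP/Server 2003 case raised above), SMB1 with an SMB2 upgrade path, or native SMB2, which is the check an admin needs before disabling SMBv1 as RJG recommends. The sample requests are constructed inline rather than captured, and the SMB3 dialect names are added beyond the Samba list quoted above.

```python
import struct

# SMB2/3 dialect codes, named as in the Samba docs quoted above (SMB3 ones added here).
SMB2_DIALECTS = {0x0202: "SMB2_02", 0x0210: "SMB2_10", 0x0222: "SMB2_22",
                 0x0224: "SMB2_24", 0x0300: "SMB3_00", 0x0302: "SMB3_02",
                 0x0311: "SMB3_11"}
SMB_COM_NEGOTIATE = 0x72  # SMB1 command byte for Negotiate Protocol

def parse_negotiate(pkt: bytes) -> dict:
    """Parse a direct-TCP (port 445) negotiate request: 4-byte NetBIOS session
    header, then an SMB1 or SMB2 message. Returns {'proto', 'dialects'}."""
    if len(pkt) < 4 or pkt[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    body = pkt[4:]
    if len(body) != int.from_bytes(pkt[1:4], "big"):
        raise ValueError("NetBIOS length does not match payload")
    if body[:4] == b"\xffSMB":
        return _parse_smb1(body)
    if body[:4] == b"\xfeSMB":
        return _parse_smb2(body)
    raise ValueError("unknown SMB signature")

def _parse_smb1(body: bytes) -> dict:
    # 32-byte header, then WordCount (0 for negotiate), ByteCount, dialect buffer
    if len(body) < 35 or body[4] != SMB_COM_NEGOTIATE or body[32] != 0:
        raise ValueError("not an SMB1 negotiate request")
    data = body[35:35 + struct.unpack_from("<H", body, 33)[0]]
    dialects, pos = [], 0
    while pos < len(data):  # each entry: 0x02 then a NUL-terminated ASCII string
        end = data.find(b"\x00", pos + 1)
        if data[pos] != 0x02 or end == -1:
            raise ValueError("malformed dialect entry")
        dialects.append(data[pos + 1:end].decode("ascii"))
        pos = end + 1
    return {"proto": "SMB1", "dialects": dialects}

def _parse_smb2(body: bytes) -> dict:
    # 64-byte header (Command 0 = NEGOTIATE), 36-byte fixed body, then 16-bit LE dialect codes
    if len(body) < 100 or struct.unpack_from("<HxxxxxxH", body, 4) != (64, 0):
        raise ValueError("not an SMB2 negotiate request")
    req = body[64:]
    struct_size, count = struct.unpack_from("<HH", req, 0)
    if struct_size != 36 or len(req) < 36 + 2 * count:
        raise ValueError("malformed SMB2 negotiate body")
    codes = struct.unpack_from("<%dH" % count, req, 36)
    return {"proto": "SMB2",
            "dialects": [SMB2_DIALECTS.get(c, "0x%04x" % c) for c in codes]}

def classify_client(pkt: bytes) -> str:
    """Sort a client by what disabling SMB1 on the server would do to it."""
    info = parse_negotiate(pkt)
    if info["proto"] == "SMB2":
        return "smb2-native"             # SMB1 already off on the client
    if any(d.startswith("SMB 2.") for d in info["dialects"]):
        return "smb1-with-smb2-upgrade"  # still speaks SMB1 but can move up
    return "smb1-only"                   # XP/2003-era client: would lose access

# Constructed sample requests (not captures); the builders mirror the parsers.
def _smb1_negotiate(dialects):
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    body = b"\xffSMB" + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * 27
    body += b"\x00" + struct.pack("<H", len(data)) + data
    return b"\x00" + len(body).to_bytes(3, "big") + body

def _smb2_negotiate(codes):
    body = b"\xfeSMB" + struct.pack("<H", 64) + b"\x00" * 58
    body += struct.pack("<HHHHI", 36, len(codes), 1, 0, 0) + b"\x00" * 24
    body += struct.pack("<%dH" % len(codes), *codes)
    return b"\x00" + len(body).to_bytes(3, "big") + body

LEGACY = ["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "Windows for Workgroups 3.1a",
          "LM1.2X002", "LANMAN2.1", "NT LM 0.12"]
SAMPLES = {"xp_style": _smb1_negotiate(LEGACY),
           "vista_style": _smb1_negotiate(LEGACY + ["SMB 2.002", "SMB 2.???"]),
           "win8_style": _smb2_negotiate([0x0202, 0x0210, 0x0300, 0x0302])}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:12} {classify_client(pkt):24} {parse_negotiate(pkt)['dialects']}")
```

Run over real port-445 captures, any "smb1-only" client is one that would lose access if SMBv1 were switched off server-side, so it is the list to chase before making that change.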

        2. Kiwi

          Re: If you cannot patch it quarantine it

          In every security audit I have done in the last 15 years I always included a recommendation that Windows administrators should disable the use of SMBv1.0 because it is extremely insecure and hasn't been required by any Windows version after Windows 98.

          Given the rather lacking funding of public health service IT, would any of their staff have time to actually go through all the network-connected hardware and check whether or not certain devices actually need it or not? Yes, I realise Win98 was almost 20 years ago, but there's probably a lot of stuff that was written for that version still in use on expensive hardware today, more that crept into XP after that because people re-use old code and write to old standards and so on.

          Most of the staff will be full-time + overtime + unpaid overtime engaged in just trying to prevent the creaks and groans in the aged hardware from outpacing the creaks and groans in the patients, knowing that a hardware failure in IT can result in a hardware failure in a patient, with somewhat fatal results.

          How many NHS-funded hospitals have been able to afford one of your audits? Why weren't they spending the money in more important areas? That's the problem many of them seem to face, at least based on reports about NZ hospitals.

    2. Anonymous Coward

      Let's mention Microsoft's Policy of hoarding patches unless you pay up.

      Erm, hold on - weren't Microsoft hoarding patches for "end of life" XP unless you paid to be part of an Enterprise service agreement? Sounds very similar to hoarding vulnerabilities by the NSA/GCHQ. i.e. the fact XP Embedded (cash machines etc) still gets/got patches.

      The only people that lose are the poor bastards using Microsoft proprietary software, but equally, it's not as though they weren't told clearly they would be held to ransom by Microsoft, once XP reached "end of life". It was, in effect, corporate "pre-payment" ransomware.

      What's not being said is why we're in this situation; it's all commercial - an artificial situation - to sell the next new big shiny version of Microsoft Windows (the same shit, with baked-in basic AV) to the next clueless NHS manager, who thinks it's the Microsoft "NHS Half Billion on licences" way, or the highway.

      Also, no mention yet of all the Windows 7 SP1 machines that had Windows Update conveniently 'borked' during the first year of rollout of Windows 10, that means/meant (if you know the fix) it can take 10-12 hours+ (overnight) for Win7 Windows Update to find the relevant patches, leaving the machine exposed for many hours.

      Windows Update is, was (has always been) a very loose bag of clunky Nails.

      1. Dan 55 Silver badge

        Re: Let's mention Microsoft's Policy of hoarding patches unless you pay up.

        My Windows 7 machine at home with all the Windows 10 patches diligently blocked last year has so far spent 48 hours searching for updates. You might as well not have automatic updates, at least then people wouldn't get some false sense of security.

        1. Headley_Grange Silver badge

          Re: Let's mention Microsoft's Policy of hoarding patches unless you pay up.

          @Dan 55 - there's a fix for Win7 taking hours to decide which updates are required. I had the same problem but I can't remember the specifics of the fix. Google it; it requires you to download and run a specific update which you've skipped in the past.

          1. Anonymous Coward

            Re: orphan zombies moaning 'uhhhp daaytz'

            That's KB3125574, and be sure to get the April 2015 Servicing Stack update first. Hope it helps more than it helped me that one time.

            1. Dan 55 Silver badge

              Re: orphan zombies moaning 'uhhhp daaytz'

              I installed the hotfix and restarted and I'm pretty sure the computer accepted all updates before MS started pushing Windows 10... I have no interest in deleting everything and reinstalling, life is too short for that, so I'll just let it sit there until it's finished, even if it takes a week.

              1. Roland6 Silver badge

                Re: orphan zombies moaning 'uhhhp daaytz'

                @Dan 55 - so I'll just let it sit there until it's finished, even if it takes a week.

                I found with these systems, simply stop the explicit user-initiated update check, change the update setting to auto-check and download but inform me when ready, and leave the system running. For some reason this seems to get the first set of updates; after this the system will typically tell you there are further updates waiting. Also, as your system is so far behind, just get the 'Important' updates - some 'Recommended' updates seem to cause conflicts with 'Important' updates, causing the updater to sit there. Once you're up to date on the Important updates, then enable 'Recommended' and repeat.

                Aside:

                1. Also whilst MS have stopped the GWX, I've also found it helpful to run GWX Control Panel (run once version) to ensure all the OS update settings are set to disabled, as this will further reduce the number of updates you will get.

                2. Also turn off the customer experience programme and so avoid the telemetry/'spying' updates.

            2. Kennelly

              Re: orphan zombies moaning 'uhhhp daaytz'

              KB3125574 is the "everything since SP1" update.

              For fixing the WU process specifically, there are updates KB3102810 (fix for "Installing and searching for updates is slow and high CPU usage occurs"), and KB3161608, an update rollup which includes KB3161647, the Windows Update client refresh of June 2016.

              1. Anonymous Coward

                Re: orphan zombies moaning 'uhhhp daaytz'

                Hmm, ISTR the blogs or whatever were referring to that one bringing a major improvement to the initial waiting period, maybe as a sort of side effect. Not that I dug it up again-- I copied it out of my old comment about how the system took forever to decide it wasn't even applicable because I missed that bit about Servicing Stack. And tbh I haven't been really doing much in Windows for months, besides a couple games and LG Bridge... sorry if that was just wrong, and anyway thanks for the tip.

            3. Captain Badmouth

              Re: orphan zombies moaning 'uhhhp daaytz'

              Have a read of this article too :

              http://www.infoworld.com/article/3177323/microsoft-windows/microsoft-endorses-convoluted-technique-for-installing-win7-from-scratch.html

          2. Kiwi

            Re: Let's mention Microsoft's Policy of hoarding patches unless you pay up.

            it requires you to download and run a specific update which you've skipped in the past.

            The only ones I've skipped in the past have been the spyware/malware/breakware ones.

            These days I don't have 7 on that much, and can't really justify having 2 machines running just coz one has to sit for a couple of days updating 7. Easier fix: networking is turned off in 7 (and DHCP now turned off as well; my machines are static and can have manual addresses, anyone else can learn to set up their machine without DHCP or else it obviously isn't that important they connect to my network).

            Have tried various fixes, some worked some didn't. The issue is a recurring one even on a VM that has previously been allowed all updates etc it wants.

            vs apt-get update && apt-get upgrade, which I can trust to do it all inside of 5 minutes. Or use the update icon and a couple of mouse clicks & done.

        2. Richy Freeway

          Re: Let's mention Microsoft's Policy of hoarding patches unless you pay up.

          Turn off automatic updates and reboot the machine.

          Install these two updates manually in this order, no need to reboot in between.

          KB3020369

          KB3172605

          Re-enable automatic updates and reboot the machine again.

          Sorted

          1. IanMoore33

            Re: Let's mention Microsoft's Policy of hoarding patches unless you pay up.

            Bullshitte. Fails 50% of the time. There is a long manual way one has to fix it on the MS turd site.

        3. mickaroo

          Re: Let's mention Microsoft's Policy of hoarding patches unless you pay up.

          @Dan55

          I had this very problem. I tried every suggestion on fixing broken Windows Update with zero success.

          The solution I found that worked was WSUS Offline Update. YMMV, but it worked for me.

        4. IanMoore33

          Re: Let's mention Microsoft's Policy of hoarding patches unless you pay up.

          Windows 7 has a long manual procedure released that I had to do on my wife's machine. It took an entire day.

          The aholes at MS have no idea how to release patches THAT WORK to cure update problems. It should all be automated.

      2. Doctor Syntax Silver badge

        Re: Let's mention Microsoft's Policy of hoarding patches unless you pay up.

        Erm, hold on - weren't Microsoft hoarding patches for "end of life" XP unless you paid to be part of an Enterprise service agreement? Sounds very similar to hoarding vulnerabilities by the NSA/GCHQ. i.e. the fact XP Embedded (cash machines etc) still gets/got patches.

        Got it in one.

        It's very telling that on Friday Microsoft were suddenly able to release a patch. It's almost as if they suddenly realised they had a degree of responsibility.

        Now they're trying to claim the moral high ground.

        1. Anonymous Coward

          Re: Let's mention Microsoft's Policy of hoarding patches unless you pay up.

          > Now they're trying to claim the moral high ground.

          Is this in any way dissimilar to e.g. our paid RHEL support? Or any other paid software support? If the $vendor needs to code a patch for a paying client, should the $vendor then release it for free for the non-paying customers as well, and not "hoard" the patches?

          Well, it would be really nice, but a) it doesn't make economical sense and who would pay for others' patches?

          1. Richard Plinston

            Re: Let's mention Microsoft's Policy of hoarding patches unless you pay up.

            > Is this in any way dissimilar to e.g. our paid RHEL support? Or any other paid software support? If the $vendor needs to code a patch for a paying client, should the $vendor then release it for free for the non-paying customers as well,

            I run CentOS* and get RHEL patches, thank you.

            * my clients do run RHEL and pay for support (which pays for CentOS too).

        2. Emperor Zarg

          Re: Let's mention Microsoft's Policy of hoarding patches unless you pay up.

          Or the NSA was preventing Microsoft from releasing a patch for this until the exploit appeared in the wild.

          I'd imagine the NSA would want to keep harvesting as much data as possible from their use of the exploit, for as long as possible. They would only have given Microsoft a green-light to release the fix once the situation had reached a crisis point. As Microsoft will be legally prevented from ever revealing if this is true or not, we will never know.

    3. IanMoore33

      Re: If you cannot patch it quarantine it

      Millions of XP users still exist .. MILLIONS

  2. Anonymous Coward

    This is why winplebs must be on mandatory forced updates, unless the machine is physically disconnected from any network.

    1. bombastic bob Silver badge

      "mandatory forced updates"

      I cannot DOWN vote that enough...

    2. Anonymous Coward

      This is why people with no knowledge of the real world should keep their stupid mouths shut.

    3. streaky

      This is why winplebs must be on mandatory forced updates

      No, this is why WSUS is a thing. Also Linux.

      Re forced updates, it wasn't all that funny when Ubuntu pushed a broken security patch last month and took out many, many servers.

      1. Brewster's Angle Grinder Silver badge

        So how many man hours go into testing patches? How many bugs does testing catch? Is our testing regime so sclerotic that it prevented this patch being applied before exploitation began? How easily can we back out of a patch if we find it breaks something after being applied?

        Like everything else, it's a balance. Maybe we do have to pay for extra security guys so we can test patches as soon as they're released. Maybe our solution works as is. Or maybe, for us, it's best to apply patches and back out the occasional bad one. It really does depend.

        Certainly WannaCrypt-scale outbreaks are going to be rare - NSA-leaked wormable exploits of dead protocols aren't going to turn up every day - but the time from patches appearing to malware targeting them is going to keep decreasing. If Linux thinks forced security updates are, on balance, the best route, why not Windows?

        1. streaky

          If Linux thinks forced security updates are, on balance, the best route, why not Windows?

          Because Microsoft have form for shovelling out things that aren't security patches - and FWIW people trust Microsoft with the NSA about as far as they can be thrown. The real problem here is arguably closed-source critical infrastructure.

          There isn't much reason for 95% of NHS desktops to not be something that's more security focused and that should probably be the real discussion.

    4. CrazyOldCatMan Silver badge

      This is why winplebs must be on mandatory forced updates

      Which is all very well if you have a vendor you trust to just patch appropriately. As has been shown by the whole Win10 debacle, that vendor isn't Microsoft.

  3. mr. deadlift

    XP

    So, you've got an xp machine with core functionality.

    Why isn't it vlan'd off from the rest of the herd, like the leper it clearly is?

    So, you've got a herd of lepers? Take heed of that ditty from Dickinson et al., Run to the Hills...

    Still, it's not just xp copping the brunt is it. Bad luck if you're dealing with this one.

    1. The Nazz

      Re: XP

      The last sentence of the article states that MS have released security patches that now include XP.

      I'd just literally seen the same thing confirmed via a BBC article and link to the NCSC.

