Sophos waters down 'NHS is totally protected' by us boast

Anonymous Coward

Ransomware is ...

probably a licenced extra...

7
0
Silver badge
Joke

Re: Ransomware is ...

Roll up, roll up only £99.99/month per infected machine. Get yours now!


1
0
Anonymous Coward

Re: Ransomware is ...

...already easily stopped by software such as Sophos Intercept X which is based on their purchase last year of HitmanPro.alert.

Clearly they need to roll this out more widely, but then it also needs the tight-arsed beggars controlling the NHS purse to invest in better detection such as via this or similar products, or isolate at-risk networks from the internet completely.

6
3
Silver badge

Re: Ransomware is ...

Thing is, intercept-x (we use the onsite version) is cheap. We pay less than a fiver per machine as an "add on" to endpoint. It hasn't triggered over the weekend but has triggered for other things in the past.

2
0
Silver badge

Re: Ransomware is ...

I'm not intimate with this virus or Sophos products, but to state "Ransomware is already easily stopped..." is probably what Sophos thought, so... But, to flag any 1 type of software as easily stopped is a little crazy considering a computer sees ransomware no different than a calculator or this picture I'm looking at right now (Sophos would flag this pic!!).

3
0
Anonymous Coward

Re: Ransomware is ...

Funny you should say that, a series of customer PCs and servers once got locked down due to some Sophos update colleagues were applying that went wrong, Sophos thought it was a virus and refused to be removed! (I don't know all the details but the customer is on some other solution now..)

2
0
Bronze badge
Flame

Re: Ransomware is ...

Inevitable until the OS supports user application-level permissions and comprehensive delta sandboxing of all external content (SMB, browser, email) not whitelisted, without the document/software being aware it is in a sandbox, and monitored lures provided to assist malware detection.

It is about bloody time that each application had sensible default, limited filesystem access permissions, to limit the damage they or scripts they run can cause, because a lot of applications don't need to and shouldn't have access to a whole user's profile, or even some external resources, without at least an admin mode dialog to OK or whitelist this! We shouldn't have to rely on separate security software to maybe do this; it should be OS security functionality!

Using a modern transactional, regular delta snapshot filesystem like ZFS would better help recover from unnoticed nasties like this, easier than dated, logging filesystems like NTFS and the bolt-on file versioning in some newer versions of Windows!

4
1

Re: Ransomware is ...

Sophos would flag this pic!!

It depends...

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

2
1
Silver badge

ZFS

My home ZFS server snapshots every minute, with another process tidying snapshots. Only root can delete retained snapshots and root can only log in physically. I cryptolockered the lot from a Windows VM and could easily recover every file.

The emphasis on the NHS problem is incorrect in my opinion. You could have the most up-to-date O/S and A/V and still potentially suffer a similar attack. The most effective mitigation is surely at the storage level.

I believe medical, legal and financial documents should be kept in file systems that retain every version indefinitely. Even without ransomware, you've still got to protect from insider attacks and user incompetence. Keep every single version, and remove user access (at least write/Delete) to older versions. Storage is cheap and data loss is expensive!

7
2
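One way to implement the snapshot-tidying process mentioned above, as an added example (not the commenter's own scripts): a tiered retention planner that decides which per-minute ZFS snapshots to keep and which to hand to a root-only destroy job. The naming scheme, the tiers and the sample snapshot list are assumptions constructed for the example.

```python
"""Retention planner for per-minute ZFS snapshots.

Added example, not the commenter's setup. Assumes snapshots are named
<dataset>@auto-YYYY-MM-DDTHH-MM (a convention chosen here, not a ZFS
default) and that a separate root-only job runs `zfs destroy` on whatever
this planner returns; ordinary users hold no destroy rights.
"""
from datetime import datetime, timedelta

SNAP_FMT = "%Y-%m-%dT%H-%M"
KEEP_ALL = timedelta(hours=1)     # every per-minute snapshot for the last hour
KEEP_HOURLY = timedelta(days=1)   # one per hour for the last day
KEEP_DAILY = timedelta(days=30)   # one per day for the last month
SAMPLE_NOW = datetime(2017, 5, 15, 12, 0)   # constructed reference time


def snapshot_time(name):
    """Return the datetime encoded in an auto snapshot name, else None."""
    if "@auto-" not in name:
        return None
    try:
        return datetime.strptime(name.split("@auto-", 1)[1], SNAP_FMT)
    except ValueError:
        return None


def plan_prune(names, now):
    """Split snapshot names into (keep, destroy) under the tiered policy.

    Names outside the auto scheme (e.g. a manual pre-restore snapshot) and
    anything dated in the future are always kept. Newest-first ordering means
    the snapshot retained for each hour or day bucket is the latest one.
    """
    keep, destroy = [], []
    seen_hour, seen_day = set(), set()
    ordered = sorted(names, key=lambda n: snapshot_time(n) or datetime.max,
                     reverse=True)
    for name in ordered:
        ts = snapshot_time(name)
        if ts is None or ts > now:
            keep.append(name)
            continue
        age = now - ts
        if age <= KEEP_ALL:
            keep.append(name)
        elif age <= KEEP_HOURLY:
            bucket = ts.replace(minute=0)
            (destroy if bucket in seen_hour else keep).append(name)
            seen_hour.add(bucket)
        elif age <= KEEP_DAILY:
            bucket = ts.date()
            (destroy if bucket in seen_day else keep).append(name)
            seen_day.add(bucket)
        else:
            destroy.append(name)
    return keep, destroy


def sample_snapshot_names():
    """Constructed snapshot list: two hours of per-minute snapshots plus strays."""
    names = ["tank/home@auto-" + (SAMPLE_NOW - timedelta(minutes=m)).strftime(SNAP_FMT)
             for m in range(0, 121)]
    names += [
        "tank/home@auto-2017-05-15T09-45", "tank/home@auto-2017-05-15T09-30",
        "tank/home@auto-2017-05-13T09-00", "tank/home@auto-2017-05-13T08-00",
        "tank/home@auto-2017-03-01T00-00",  # older than KEEP_DAILY
        "tank/home@before-restore",          # manual snapshot, never pruned
    ]
    return names


if __name__ == "__main__":
    keep, destroy = plan_prune(sample_snapshot_names(), SAMPLE_NOW)
    print(f"keep {len(keep)}, destroy {len(destroy)}")
    for name in destroy:
        print("zfs destroy", name)   # printed for review, not executed here
```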
Silver badge

Re: Ransomware is ...

... already easily stopped by patching your Windows machines, unless of course they're running Windows XP in which case either pay Microsoft to support them or cut the f***ing internet cable with an axe.

Either way, Sophos is useless.

0
3
Silver badge

Re: Ransomware is ...

it also needs the tight-arsed beggars controlling the NHS

Their backside does not appear to be as tight when it comes to MS, they fork billions over to Redmond!

With that alone, they could run their own distro, complete with kernel hackers and co!

0
0
Bronze badge
Childcatcher

Wait a minute

I thought it was all Microsoft's fault, as they didn't show sufficient philanthropic spirit in supporting and patching every version of Windows going back to 3.1 for free.

Even though the NHS knew and discounted the risks in using vintage operating systems?

It's great for the tech news websites all the same

17
17

Re: Wait a minute

As far as I know, governments had been struggling with the big question - 'which is cheaper, pay Microsoft to keep XP running or update the whole NHS?' - for a number of years. Theresa May was Home Secretary and Jeremy Hunt Health Secretary when they decided to make the balance sheet look a little better and not bother with either. They were warned about the risk at the time and many times since.

For some reason they seem to be reticent to talk about it now.

21
0
Silver badge

Further correction

"Sophos now understands the security needs of the NHS in the light of recent events"

Maybe Sophos management can tell us why it all went wrong at their annual results shindig this very Wednesday? Couldn't have been timed better.

3
0
Silver badge

Re: Further correction

Sophos now understands

So it did not understand it before. Well... then WTF was it charging it for?

6
3
Silver badge

Re: Further correction

I guess they were charging for endpoint anti-virus not intercept-x

1
0
Anonymous Coward

You've got to love the stock markets...

"Quick, buy anti-virus and malware - it's going to be in demand".

Some days later the news filters in that people had it, but it didn't help.

Anyone fancy picking the stock up for a bargain when the price falls?

4
1
Anonymous Coward

Re: You've got to love the stock markets...

If they had the right anti-malware products then this would not have happened. Trust a vendor 100% if you want, but better to do your own homework and look at alternatives and ideally have a layered approach to security than a single AV product.

4
1
Big Brother

Re: You've got to love the stock markets...

"Trust a vendor 100% if you want..." of course they do.... thats why they put all their eggs in one basket with nice contracts - senior management can point at the contract and show they mitigated the risk, whilst the vendor can point to their get-out-of-jail-free clauses and prove they did the right thing.... everyone's a winner... oh... except the public of course.....

Big Brother icon because... well.... why not?

1
0
Facepalm

Ferret mk 2

Now reads 'End-to-End Security to Protect Patient Data'.

Actually I'm not oversold on beating Sophos up for the NHS actually having problems (not really their fault nor a problem they can completely prevent) - but I do like to see a reduction in the marketing 'smug-level' when overreaching claims are thrown into sharp relief by a bit of harsh reality.

From Reddit, the original PR is at https://silver.agency/portfolios/sophos-nhs/ - interesting how long that stays visible since the Google cached copies have disappeared already. Also the withdrawn video is at https://vimeo.com/136184973 at least for now - lots of patients very happy with their suspiciously unbranded health care enjoying unfeasibly good weather for the UK and totally protected by Sophos.

7
0
Silver badge
FAIL

Re: Ferret mk 2

I think Sophos should have to take a good deal of the heat if their 'not entirely correct claims' led to a false sense of security and complacency.

What really pisses me off is that these 'not entirely correct claims' will be taken as ammunition by those who like to tell us that experts know nothing and shouldn't be trusted.

2
0
Bronze badge

Re: Ferret mk 2

"Actually I'm not over sold on beating Sophos up for the NHS actually having problems"

I am. We get loads of sales reps touting their latest MagicBox™ that completely and totally makes everything secure. Sophos was clearly doing that, and they should absolutely be brought down to earth.

12
1
Anonymous Coward

Re: Ferret mk 2

"We get loads of sales reps touting their latest MagicBox™ that completely and totally makes everything secure. Sophos was clearly doing that, and they should absolutely be brought down to earth."

Yes, and so should every PHB (and government minister) who puts all the security eggs in one vendor's basket (or allows Crapita and ilk to do so). Multilayer protection from multiple vendors - and air gap the network if there is sensitive material on it. If the boss says no, write it up. Sooner or later someone has to accept they pay professionals to do a job; if they tried and the PHB & beancounters prevented that, then the PHBeans are the ones who should face the consequences - as should their political masters.

4
0
Anonymous Coward

proof is in the pudding.

narf.

0
0
Silver badge

Fault?

It's not Microsoft's fault or Sophos.

AV is a waste of CPU resource and money.

User training not to open stuff is better.

The problem is poor management, not doing the IT properly and not training the users properly.

4
25
Anonymous Coward

Re: Fault?

It's not as simple as people clicking on things that they obviously shouldn't. This is more sophisticated than that. Users probably could do with better training but all mainstream software needs regular security updates and since there have been no updates for XP for 5 years (when it was already a decade old) someone should have cleaned house and moved these systems to something supportable. A combination of poor management and diverting of resources to try and cover gaps in budgets for most other things hasn't helped. There are currently 40,000 nursing vacancies. IT is not the only thing not going well in our 'strong and stable' land. (Sing to the tune of Jerusalem in place of 'green and pleasant' and Mrs May will make sure everything will be alright, not.)

10
1
Anonymous Coward

Re: Fault?

Didn't the NHS have a deal with Microsoft for support on XP even after the official support was ended (which was canned to save money)? Didn't the NHS send round a patch in March that if applied could have stopped this? Seems to me that some serious patching needed to happen and didn't.

5
0
Anonymous Coward

Re: Fault?

There is fault all round.

1) For MS for releasing software with the SMB-V1 service ON by default. (apparently W10 has this as well but it got patched)

2) The IT build teams in the various NHS trusts for not seeing the above and making sure that it is disabled and the offending ports blocked. There are probably a number of other vulnerable ports and services open as well but I'll give them the benefit of the doubt.

As I see it, a combination of factors all conspired to allow this to happen.

I really hope that this is a mega wakeup call for the Industry (Linux and even Mainframes) and that includes those who make and ship Android Phones as well. Don't know how vulnerable iDevices are but they might very well be.

Anyone saying that your system is protected should be prepared to put their money where their mouth is and prove it.

Really happy that I got out of the Industry last Crimble.

5
0
Anonymous Coward

Re: Fault?

Obsolete OSes and timely application of patches are one issue, but this could just as well have been a zero-day.

Sooner or later you're going to get an infection inside your network. What you want is (a) to detect it quickly, (b) to limit the spread, and (c) to allow the affected parts to be wiped clean easily.

In other words: compartmentalised, multi-layered security. Here's one way this could be built realistically:

- each workstation has Qubes OS installed as the bottom layer

- there's a Windows AppVM for running NHS internal applications. FirewallVM is configured to permit access to the required servers and nothing else. Passthrough of smartcard goes to this AppVM.

- there's another AppVM for sending/receiving NHS E-mails. It is permitted access to NHS mail servers and print servers only.

- another for Internet browsing and personal E-mail. This is allowed access to the Internet and print servers, but *no* other NHS resources (including other workstations on the same network).

Is this in the "too hard to do" category? I don't see why.

The apps themselves still run under whatever version of Windows they require, so are unchanged. Indeed, this makes it easy to run different apps under different versions of Windows, allowing phased migration of applications.

As for usability and training: well, agreed that Qubes is not the prettiest Window environment. But you basically get a pop-up Start menu listing the different environments, with a sub-menu for each application within that environment, which is all standard stuff. The apps themselves just appear as windows, with a nice coloured surround. This helps minimise phishing attacks where one window tries to look like a different one.

You probably want to do a bit of tweaking to lock things down, e.g. so users can't modify the NHS appVM template or install their own apps.

3
0
Silver badge

Re: Fault?

"It's not as simple as people clicking on things that they obviously shouldn't."

It pretty much is. Coupled with absolutely rubbish IT / Workstation configuration that lets stuff AUTOMATICALLY spread when the first poorly trained user opens it.

1) In an organisation this size, such attachments should never be delivered

2) The users should be better trained.

3) The IT / Network configuration is poor.

I see people are in denial about the value of AV etc. IT DOESN'T REALLY Work:

a) It's always behind.

b) It's rubbish how it works

c) Does as much damage with false positives

d) Gives false sense of security

I admit it works sometimes. But most of the machines I cleaned in 15+ years of IT support of malware did have AV. How many stories of it even stopping computers booting or slowing them to a crawl? One here in the last week or two.

Fundamentally most of the industry is in denial about how workstations should be configured, on site email servers and user training. One step would be to acknowledge that most courses on MS SW and MCSE etc are just marketing the features and selling the products. Very little real world value.

9
2
Silver badge

Re: Fault?

"Microsoft for support on XP"

This keeps getting trotted out, but in the last two years at least, I've not seen an XP PC in any of the hospitals I've visited as part of my job. I know there are still some, but are they on the front line? Considering that all versions of Windows were susceptible if not patched, I'd be interested to see if anyone has done or is doing a breakdown of infection by OS version.

1
0

Re: Fault?

Obsolete OSes and timely application of patches are one issue, but this could just as well have been a zero-day.

Sooner or later you're going to get an infection inside your network. What you want is (a) to detect it quickly, (b) to limit the spread, and (c) to allow the affected parts to be wiped clean easily.

Well, yes, but you omitted the fundamental problem - don't, by default, assume that your computers have to be on a network. They don't. And, if they do, don't just share everything on SMB/whatever.

Whoever decided that an MRI scanner/X ray machine/whatever had to talk SMB should be fired. It would take a day to knock up a program to transfer X-ray images over a basic sockets connection, and another week to turn it into a client/server app to find and return any image.

1
2
Silver badge

Re: Fault?

"And, if they do, don't just share everything on SMB/whatever."

Note, not a networks guy. Is there an out of the box alternative to SMB when using roaming profiles and server based home dir/shared work dirs? Does Windows do NFS and if so is that better/as easy to use in a Windows environment with roaming profiles?

0
0
Anonymous Coward

Re: Fault?

If they had used Citrix/Remote Desktop then they could have had the same roaming functionality, and with all thin clients then XP nor its need for a full-fat PC and its associated local maintenance and security costs.

Perhaps if they had gone the more professional route they would also have locked it down; certainly the savings on hardware and staffing would have returned enough money to employ a few decent staff rather than 10 monkeys per site.

0
0
Anonymous Coward

Re: Fault?

Ok genius.

Now that the machine is off the network someone still needs to visit it daily to update the antivirus definitions so that it's not popped the next time someone plugs an infected USB stick in.

Remember people still need to use the bloody machine so data has to come on and off it somehow and you've disabled the network now so the only choice is USB stick.

Well done, you've turned a manageable situation into an unmanageable nightmare.

Your second solution is even more idiotic.

Designing a custom app to take the place of a well understood standard protocol. Introduce a whole new raft of possible security bugs and a nightmare in having to employ your own programmers to adapt it every time you upgrade your OS.

TAKE MY MONEY, YOU'RE HIRED.

0
0
Anonymous Coward

Training users

Unfortunately, no matter how well you train them, there are always a set who fall for "Celeb X has done Y. Click here for more..." - especially when it (appears to) come from "Friend A".

4
2

Re: Training users

You should be stripping out exes from emails and replacing them with links to files. Repack the original to an archive and make sure the link has some obvious message like "If you open a virus, you'll be sacked. No ifs, no buts, out the door".

Won't stop them ofc, but will give you cause to get rid of them.

3
2
Anonymous Coward

stripping out exe's from emails

It's not as simple as that unfortunately.

Businesses send PDFs and Office files which upon opening execute a macro which subsequently downloads the executable. Disabling exe files in attachments is not enough, and Outlook already does this by default anyway.

Many corporations use macros. All corporations use pdfs. Users cannot be fully trained to spot everything potentially suspicious since no work would get done, that's why good AV and additional products are essential. More companies switching to Linux would also avoid a lot of this, but not completely.

4
2
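The point above (a bare extension filter misses macro-bearing Office files and PDFs with active content, and the earlier suggestion of stripping exes only catches the obvious case) is what this added example checks for. It is not from the page; it inspects attachment bytes with the standard library only, and the Office, PDF and archive samples are minimal constructed files.

```python
"""Attachment policy that looks inside the file, not just at its name.
Added example, not from the page; it complements, rather than replaces,
real AV and a sandbox. Stdlib only; the sample files are constructed below.
"""
import io
import os
import zipfile

EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                   ".jse", ".vbs", ".wsf", ".hta", ".ps1"}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
PDF_ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA")
OLE_MAGIC = b"\xd0\xcf\x11\xe0"   # legacy .doc/.xls container


def _zip_members(data):
    """Yield (name, bytes) for each member of a zip-based file, or nothing."""
    if not data.startswith(b"PK"):
        return
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for n in z.namelist():
                yield n, z.read(n)
    except zipfile.BadZipFile:
        return


def ooxml_has_macros(data):
    """True if an OOXML package (docx/xlsx/pptx) carries a VBA project."""
    for name, body in _zip_members(data):
        if name.lower().endswith("vbaproject.bin"):
            return True
        if name == "[Content_Types].xml" and b"macroEnabled" in body:
            return True
    return False


def classify_attachment(filename, data):
    """Return (verdict, reason); verdict is 'block', 'review' or 'allow'."""
    ext = os.path.splitext(filename.lower())[1]
    # Magic first, so a renamed executable is caught whatever the sender called it.
    if data.startswith(b"MZ") or ext in EXEC_EXTENSIONS:
        return "block", "executable (by magic or extension)"
    if ext in MACRO_EXTENSIONS or ooxml_has_macros(data):
        return "block", "Office document carrying a VBA project"
    if ext == ".zip":   # look inside archives rather than trusting the wrapper
        for name, body in _zip_members(data):
            verdict, reason = classify_attachment(name, body)
            if verdict != "allow":
                return verdict, f"archive member {name}: {reason}"
    if data.startswith(OLE_MAGIC):
        return "review", "legacy OLE container, macros possible; detonate in sandbox"
    if data.startswith(b"%PDF") and any(k in data for k in PDF_ACTIVE_KEYS):
        return "review", "PDF with active content (script, launch or open action)"
    return "allow", "no active content found"


def build_docx(with_macro):
    """Constructed minimal OOXML package, optionally with a VBA project."""
    ctype = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro
             else "application/vnd.openxmlformats-officedocument"
                  ".wordprocessingml.document.main+xml")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   f'<Types><Override PartName="/word/document.xml" ContentType="{ctype}"/></Types>')
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00constructed-vba-blob")
    return buf.getvalue()


def build_zip_with_exe():
    """Constructed archive hiding an MZ-headed file under a harmless name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 16)
    return buf.getvalue()
```

A "review" verdict is meant to route the file to a sandbox or a plain-text rendering, which is the quarantine-and-link approach discussed in the thread.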
Anonymous Coward

Re: Training users

Or indeed "FedEx delivery issue" when their job is to deal with deliveries or "Invoice 20170515" when they deal with invoices or just "Scan from 4500cx" when that's where their scans normally come from - it's not just feckless twits after nonsense.

8
0

Re: Training users

"You should be stripping out exes from emails" yeah, that's exactly how this was spread, LMFAO!

1990 called, they want their ways of spreading dodgy code back!

10
0
Silver badge

Re: Training users

We disable Office VBA by default, PDFs are via fox not Adobe. If a user wants macros then they sit through a lunch job of "DON'T CLICK STUFF YOU DON'T UNDERSTAND" session.

7
0
Silver badge

Re: stripping out exe's from emails

It is as simple as that. Though not just obviously "exes".

Anything not sent on internal mail / VPN (i.e. from the public Internet) should only be passed on as plain text. Original quarantined.

Anything suspicious ditto, even if internal.

Switching to Linux, non-Adobe PDF readers and non-MS Office Office applications would only be a short term solution. Once popular they would be targeted. The problem isn't inherently Adobe (though they are bad) or Microsoft. It's training and system configuration.

(Even though here we switched to all Linux etc last December).

3
1
Bronze badge

Re: stripping out exe's from emails

Not just exe's, but any attachment, because embedded scripts and buffer escape exploits are the main malware entry points now!

Simple: have Microsoft or a trusted security software provider extend the Android and iOS application-level permissions framework to desktop OSes, but with sensible restricted defaults for the filesystem/registry too, like the application install/settings folders, registry folders and default documents folder, and show an admin screen permissions dialog, after a system snapshot, if it attempts to access anything else, including non-whitelisted file shares. We should not always trust applications to police their own access, because they can be compromised!

There could be application group white-lists/blacklist to save duplication e.g. for Desktop and some other common folders, this could include application installation and settings folders which should usually only be accessible by the owner application.

Any unknown application which tries to do any file system action but create new files in its folder, not sub-folders, or access anything else should cause an admin screen permissions dialog, after a system snapshot, for a one-off OK, or whitelist or blacklist additions.

This could make life very difficult for lots of other kinds of malware, including camera/microphone/keyboard spyware, browser hijacks and other unwanted software installs too! :)

0
0
Silver badge

Re: stripping out exe's from emails

There is literally no evidence that email was a vector here. The cryptolocker spread by copying itself out to every machine in the subnet over port 445. So no, beefing up email defense would not have had any impact.

2
1
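Detection logic for the spread pattern described above (one host reaching every neighbour on port 445 rather than its usual file server), added here as an example rather than anything from the page: a sliding-window fan-out detector over firewall or flow records. The log format, the hosts and the records are constructed for the example, and the records are assumed to arrive in time order.

```python
"""Flag hosts fanning out to many peers on tcp/445, the worm-like lateral
spread described in the comment above. Added example, not from the page.

Assumes firewall/flow records in a constructed key=value format, one per
line, already in time order:
    2017-05-12T10:05:00 src=10.1.2.77 dst=10.1.2.1 dport=445 proto=tcp action=allow
Denied connections count too: a blocked attempt is still evidence of spread.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one record into a dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dport"] = int(ev["dport"])
    return ev


def detect_smb_fanout(lines, threshold=20, window_seconds=60):
    """Return one alert per source that reaches >= threshold distinct hosts
    on tcp/445 inside a sliding window of window_seconds."""
    recent = defaultdict(deque)   # src -> deque of (ts, dst) inside the window
    alerted, alerts = set(), []
    for ev in map(parse_line, lines):
        if ev is None or ev["dport"] != 445 or ev["proto"] != "tcp":
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dst"]))
        # Drop records that have aged out of the window.
        while q and (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = {dst for _, dst in q}
        if len(distinct) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({"src": ev["src"], "distinct_dst": len(distinct),
                           "first_seen": q[0][0], "last_seen": ev["ts"]})
    return alerts


def sample_log_lines():
    """Constructed records: one ordinary client and one host sweeping the /24."""
    t0 = datetime(2017, 5, 12, 10, 0, 0)
    fmt = "{ts} src={src} dst={dst} dport={dport} proto=tcp action={act}"
    lines = [
        # Normal SMB use: a workstation talking to its single file server.
        fmt.format(ts=(t0 + timedelta(seconds=s)).isoformat(), src="10.1.2.15",
                   dst="10.1.2.5", dport=445, act="allow")
        for s in (0, 30, 60)
    ]
    lines.append(fmt.format(ts=(t0 + timedelta(seconds=90)).isoformat(),
                            src="10.1.2.15", dst="203.0.113.10", dport=443, act="allow"))
    # Worm-like behaviour: one host contacting thirty neighbours within a minute.
    worm_start = t0 + timedelta(minutes=5)
    for i in range(1, 31):
        lines.append(fmt.format(ts=(worm_start + timedelta(seconds=i)).isoformat(),
                                src="10.1.2.77", dst=f"10.1.2.{i}", dport=445,
                                act="allow" if i % 3 else "deny"))
    return lines


if __name__ == "__main__":
    for a in detect_smb_fanout(sample_log_lines()):
        print(f"ALERT {a['src']} reached {a['distinct_dst']} hosts on 445 "
              f"between {a['first_seen']} and {a['last_seen']}")
```

Tune the threshold to the site's real baseline: a backup server or a vulnerability scanner legitimately touches many hosts on 445 and belongs on an allow list rather than in the alert queue.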
Anonymous Coward

Re: stripping out exe's from emails

Opening attachments on a Linux box with remote viewing would have mitigated the attack, but yes, the idea of allowing active content to be attached to emails is just stupid and reeks of bad planning.

Better to ban all attachments and get the same functionality via posting a link to the content on an internal vetted server in an internal format rather than PDF. If the data isn't on the internal system then it is either not work related or detached from the system and needs securing by people who do know what they are doing.

0
0
Anonymous Coward

Depending on Microsoft..

It's poor PR to try and twist this into selling anti-virus software but I'm surprised more people aren't looking at the more fundamental problem of the dependency that was created on Microsoft software in the first place that has resulted in all these machines being locked to XP well out of normal support meaning more and more money is being drained out of the NHS and given to a private company who at this point can charge literally whatever they want.

These are the type of environments where you really want something custom built or built on technology that means you have real options when it comes to support and more freedom to change. Ideally we want to be training our kids to develop software and be able to support software used in this kind of environment based on open standards etc. Not give the keys of the kingdom to a private corporation and be throwing money down the drain to keep that 'supported'

I said at the time a lot of these machines were installed that it was a bad idea, nobody listened, and even now the whole thing has come to bite them in the ass, potentially costing lives, nobody is listening.

I'm not a huge fan of Linux etc. when it comes to home use, but in governments, hospitals, schools and other public services it really should be at the forefront. I fear the future of the NHS is heading firmly in the opposite direction though, depending more and more on private companies; this is just a small taste of what happens when you allow that.

2
4
Silver badge

Re: Depending on Microsoft..

There are enough Linux worms and exploits around to not guarantee security. It's feasible that a bug in an NFS implementation could have a similar effect to the one in Windows' CIFS that "caused" this. You'd also need to get the vendors to release their software for Linux.

Linux is my OS of choice at work (HPC), but I can see that it's not appropriate for all scenarios at the moment.

3
0
Silver badge

Re: Depending on Microsoft..

There's not much for Linux or macOS by comparison because Windows is currently the big dog in the corporate kennel. There's almost nothing for OS/2 because there's not enough users to make writing ransomware for them profitable, but if people suddenly switched to OS/2 as a desktop OS (well, eCS then - the modern equivalent thereof) you can bet there suddenly would be a great deal of ransomware available for it.

It no longer matters what it's running - routers, cameras, baby monitors, routers, interactive toys, smart headphones - if it has some kind of OS on it, someone will be trying to hack it, usually for profit. And will probably succeed.

This isn't going to be the last of its kind, it's probably just the beginning of a long spate of nastier attacks. Will there ever be a malware attack using zero-day for Windows 10 that makes this look like a walk in the park? Probably - I wouldn't want to bet against it, at any rate.

5
0
Bronze badge

I am assuming that the malware writers targeted their malformed PDF to Adobe Acrobat Reader users as that is the most common version. Does the ransomware still work if the user was using an alternative PDF reader such as Foxit Reader or Sumatra?

0
0
Silver badge

By default Foxit blocks a lot of the more "interesting" features of pdf beyond just displaying documents

2
0
