Project Gollum: Because NHS Caring means NHS Sharing Even over Skype, the weeping of the National Health Service's Chief Transformation Officer could be heard even over the sound of the breaking waves here on Seven Mile Beach, Grand Cayman. No, there was no mistaking it, even over the pops and crackles from my prototype Microsoft Surface 5 Azure Edition (“always helping you by …
IPFS or Swarm for distributed storage, surely?
Not sure how you'd prevent the malicious writes, if it's read/write, but for patient records, if the (mythical technically savvy) patient controls a staging storage location, then approves the propagation of changes back to the distributed store, that's a win...? (hell, just have the NHS submit pull requests to a git repo stored on your phone with backup to a distributed store).
Or even mediate storage with Etherium (e.g.) - that way they (or the client they're exploiting) would have to pay ETH to see the files and get the storage written... ... If that were an internal implementation, the organisation could limit damage through read/write budgets for machines/users (though that becomes another vector to cripple services!).
On a more relevant point, general usage OSes might not be the best choice for healthcare. It was local files affected by the payload, not patient records, so following best practice means there should be nothing critical lost apart from the time taken to restore. If best practices aren't followed, then having a more tied down OS would help, and may reduce risk from broad spectrum exploits like this one... ...On which point: the payload was ransomware, but the root (NSA) exploit is said to be a persistent infection that's near impossible to detect - more worms could spreads on the same vector unless the machines are rebuilt with a clean, patched base image.
I know a lot of organisations that back up their data onto tapes every night. Meanwhile, at home, if Wanna Cry attacked my computer I'd more than likely get a bit annoyed, stick linux in, wipe my hard drive and start a full re-install of Windows (and probably think "Well it could do with a refresh anyway").
That this can apparently affect patient records and large swathes of the NHS is very troubling. I can understand GP surgeries, not bothering to back up regularly because they are relatively small (and overworked). Or not having the training for techie stuff, or waiting for tech support to refresh their system.
OK in my case I owe my sense of security to Microsoft, Google and Mozilla. I can understand wanting to do things in house. But, if anything, their back up systems should be more efficient and cheaper. I'd have thought.
The bottom line is I had a much needed Doctors appointment cancelled last week. And part of me feels like I should feel sorry for them and take part in the public anger against hackers. But another part of me feels annoyed I lost that appointment because someone didn't know how to do back-ups. And there seem to be a lot of those "someones" across the country.
I feel like I could do a better job blindfolded at a time I struggle to find work.......
The bottom line is I had a much needed Doctors appointment cancelled last week. And part of me feels like I should feel sorry for them and take part in the public anger against hackers. But another part of me feels annoyed I lost that appointment because someone didn't know how to do back-ups.
I think you are making an unwarranted assumption. The actual number of systems affected by the ransomware was quite small, and most were simply shut down as a precaution, and to limit the spread of the infection, which was absolutely the right thing to do at the time.
This was obviously a difficult decision, but in balancing the ability to honour appointments for a day against the likely impact of a ransomware infection, the answer is clear. There is no indication that GP surgeries do not have sufficient valid backups available.
" I can understand GP surgeries, not bothering to back up regularly because they are relatively small (and overworked). "
Not all of them - the one my wife works at (only 3.5 doctors) takes a backup at the end of each day - and yes, the backup media is stored off site.
>> and yes, the backup media is stored off site.
> Yes; In the boot of a car, parked on a <shady> street. I have seen this done :(
Yeah. On the other hand I've seen Iron Mountain destroy backups before. All you can really do is ensure that you've got more than one backup. Even the most robust DR plan using "reputable vendors" can run into problems.
Trusts have their own IT. GPs have GP Engineers or they did back in 2007. All GP sites have either links to the main netwokr or their own onsite server setup. Backups are done nightly, weekly and monthly all to tape. Tapes are kept either offsite or in another fire zone in the same building but in a fireproof safe.
So no patient data would of been affected. Any machines affected would need taking away and wiping so of course services will get cancelled. Mainly because the government have underspent on IT in years. They'd love to outsource but haven't, lucky they didn't as the likes of Capita probably would of charged them for every PC they would of had to reimage.
Remember that the tool used to spread the malware originated from a "friendly" security agency (NSA) who's toys were stolen.
So we have:
* security flaw in OS
* security service exploits this, stockpiles it and does not carry out responsible disclosure
* security service gets hacked, hack tools stolen, still doesn't carry out responsible disclosure
* Hacker's dump tools online
* Software/OS vendors hastily provide patches for most flaws
* NHS (and others) either fall to patch or are using unsupported OS versions (XP, Vista)
* Random crim's choose ransomware as a payload for one of the leaked tools (an SMB worm) and release it into the wild, most likely expecting to hit a reasonable number of individual's PC's and get some coin.
* Desktop machines in the NHS (and others) get widely affected, pull the plug to stop spread. Everyone checks their estates for patching etc. And begin wiping infected machines etc.
* Servers (storing almost all sensitive data & having a far stricter patching and backup regimen) were not a primary target here and were not part of the reportedly affected machines.
NSA faults:
* policy of hoarding exploits
* not securing those exploits
* not carrying out responsible disclosure once they'd been raided
* a question mark over whether the random crim's made the initial shower of the infection or the NSA had previously shower the infection and the crim's just pushed a payload of malware through the backdoor it created.
Microsoft:
* Although it was their flaw, they responded well with patches.
* Win 10 (i.e. the up to date OS) still has question marks over privacy/dial home, so it's not yet a no-brainer for business or secure institutions like the NHS
NHS/UK gov
* Not upgrading OSes to supported versions
* Not patching OSes
* Using SMB/windows network drives where they may not be needed (allowing the worm to spread)
* If there's a reliance on Windows, then kiosk mode, or having the desktop run in a VM on a different (independently patched) host OS (with VM backups) might have either protected the machines or sped up recovery respectively.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
