Ransomware is ...
probably a licenced extra...
Sophos updated its website over the weekend to water down claims that it was protecting the NHS from cyber-attacks following last week's catastrophic WannaCrypt outbreak. Proud website boasts that the "NHS is totally protected with Sophos" became "Sophos understands the security needs of the NHS" after the weekend scrub-up. …
...already easily stopped by software such as Sophos Intercept X which is based on their purchase last year of HitmanPro.alert.
Clearly they need to roll this out more widely, but then it also needs the tight-arsed beggars controlling the NHS purse to invest in better detection such as via this or similar products, or isolate at-risk networks from the internet completely.
I'm not intimate with this virus or Sophos products, but to state "Ransomware is already easily stopped..." is probably what Sophos thought, so... But, to flag any 1 type of software as easily stopped is a little crazy considering a computer sees ransomware no different than a calculator or this picture I'm looking at right now (Sophos would flag this pic!!).
Funny you should say that, a series of customer PCs and servers once got locked down due to some Sophos update colleagues were applying and went wrong, Sophos thought it was a virus and refused to be removed! (I don't know all the details but the customer is on some other solution now..)
inevitable until the OS supports user application level permissions and comprehensive delta sandboxing of all external content (SMB, Browser, Email) not whitelisted, without the document/software being aware it is in a sandbox and monitored lures provided to assist malware detection.
It is about bloody time that each application had sensible default, limited filesystem access permissions, to limit the damage they or scripts they run can cause, because a lot of applications don't need to and shouldn't have access to a whole user's profile, or even some external resources, without at least an admin-mode dialog to OK or whitelist this! We shouldn't have to rely on separate security software to maybe do this, it should be OS security functionality!
Using a modern transactional, regular delta snapshot filesystem like ZFS would better help recover from unnoticed nasties like this, easier than dated, logging filesystems like NTFS and the bolt-on file versioning in some newer versions of Windows!
My home ZFS server snapshots every minute, with another process tidying snapshots. Only root can delete retained snapshots and root can only log in physically. I cryptolockered the lot from a windows VM and could easily recover every file.
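The "snapshot every minute, with another process tidying snapshots" setup above needs a retention rule that decides which snapshots survive the tidy-up. The following is an added example, not the poster's script: it models a tiered retention policy in Python (every minute for the last hour, hourly for a day, daily for 30 days; the tiers are an assumption, not the poster's settings) and emits the `zfs destroy` commands for the rest. The snapshot names and timestamps in the test are constructed; listing real snapshots (`zfs list -t snapshot`) is left to the caller.

```python
"""Tiered snapshot retention: decide which snapshots to keep and which to prune.

Added example, not code from the thread. Pure Python; the ZFS side
(listing snapshots, running the destroy commands) is assumed to be wired
in by the caller, ideally from the root-only tidy-up process.
"""
from datetime import datetime, timedelta

# Retention tiers: (bucket size, how far back that granularity is kept).
# Assumed policy: per-minute for 1 hour, hourly for 1 day, daily for 30 days.
TIERS = [
    (timedelta(minutes=1), timedelta(hours=1)),
    (timedelta(hours=1), timedelta(days=1)),
    (timedelta(days=1), timedelta(days=30)),
]

EPOCH = datetime(1970, 1, 1)


def bucket_key(ts, size):
    """Index of the fixed-size bucket (counted from the epoch) that ts falls in."""
    return (ts - EPOCH) // size


def plan(snapshots, now, tiers=TIERS):
    """snapshots: list of (name, datetime) pairs.

    Returns (keep, destroy): within each tier the newest snapshot per bucket is
    kept; anything not claimed by some tier (including everything older than the
    longest horizon) is scheduled for destruction.
    """
    keep = set()
    for size, horizon in tiers:
        newest_in_bucket = {}
        for name, ts in snapshots:
            if ts > now or now - ts > horizon:
                continue  # future-dated or beyond this tier's horizon
            key = bucket_key(ts, size)
            current = newest_in_bucket.get(key)
            if current is None or ts > current[1]:
                newest_in_bucket[key] = (name, ts)
        keep.update(name for name, _ in newest_in_bucket.values())
    destroy = [name for name, _ in snapshots if name not in keep]
    return sorted(keep), destroy


def destroy_commands(dataset, destroy):
    """Render the prune list as `zfs destroy dataset@snapshot` commands."""
    return ["zfs destroy %s@%s" % (dataset, name) for name in destroy]


def demo():
    # Constructed input: one snapshot per minute for the last three hours,
    # plus one 40 days old that should fall outside every tier.
    now = datetime(2017, 5, 15, 12, 0, 0)
    snaps = [("snap-%04d" % i, now - timedelta(minutes=i)) for i in range(180)]
    snaps.append(("snap-old", now - timedelta(days=40)))
    keep, destroy = plan(snaps, now)
    return keep, destroy, destroy_commands("tank/home", destroy)


if __name__ == "__main__":
    kept, pruned, cmds = demo()
    print("keeping %d, pruning %d" % (len(kept), len(pruned)))
    print("\n".join(cmds[:3]) + "\n...")
```

The newest-per-bucket rule means the minute tier keeps 61 snapshots (the one at `now` plus the previous 60), the hourly tier adds the last snapshot of each earlier hour, and everything past the 30-day horizon is pruned regardless of tier.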
The emphasis on the NHS problem is incorrect in my opinion. You could have the most up-to-date O/S and A/V and still potentially suffer a similar attack. The most effective mitigation is surely at the storage level.
I believe medical, legal and financial documents should be kept in file systems that retain every version indefinitely. Even without ransomware, you've still got to protect from insider attacks and user incompetence. Keep every single version, and remove user access (at least write/Delete) to older versions. Storage is cheap and data loss is expensive!
I thought it was all Microsoft's fault, as they didn't show sufficient philanthropic spirit in supporting and patching every version of Windows going back to 3.1 for free.
Even though the NHS knew and discounted the risks in using vintage operating systems?
It's great for the tech news websites all the same
As far as I know, governments had been struggling with the big question - 'which is cheaper, pay Microsoft to keep XP running or update the whole NHS?' for a number of years. Theresa May was Home Secretary and Jeremy Hunt Health Secretary when they decided to make the balance sheet look a little better and not bother with either. They were warned about the risk at the time and many times since.
For some reason they seem to be reticent to talk about it now.
"Trust a vendor 100% if you want..." of course they do.... that's why they put all their eggs in one basket with nice contracts - senior management can point at the contract and show they mitigated the risk, whilst the vendor can point to their get-out-of-jail-free clauses and prove they did the right thing.... everyone's a winner... oh... except the public of course.....
Big Brother icon because... well.... why not?
Now reads 'End-to-End Security to Protect Patient Data'.
Actually I'm not over sold on beating Sophos up for the NHS actually having problems (not really their fault nor a problem they can completely prevent) - but I do like to see a reduction in the marketing 'smug-level' when overreaching claims are thrown in to sharp relief by a bit of harsh reality.
From Reddit, the original PR is at https://silver.agency/portfolios/sophos-nhs/ - interesting how long that stays visible since the Google cached copies have disappeared already. Also the withdrawn video is at https://vimeo.com/136184973 at least for now - lots of patients very happy with their suspiciously unbranded health care enjoying unfeasibly good weather for the UK and totally protected by Sophos.
I think Sophos should have to take a good deal of the heat if their 'not entirely correct claims' led to a false sense of security and complacency.
What really pisses me off is that these 'not entirely correct claims' will be taken as ammunition by those who like to tell us that experts know nothing and shouldn't be trusted.
"Actually I'm not over sold on beating Sophos up for the NHS actually having problems"
I am. We get loads of sales reps touting their latest MagicBox™ that completely and totally makes everything secure. Sophos was clearly doing that, and they should absolutely be brought down to earth.
"We get loads of sales reps touting their latest MagicBox™ that completely and totally makes everything secure. Sophos was clearly doing that, and they should absolutely be brought down to earth."
Yes, and so should every PHB (and government minister) who puts all the security eggs in one vendor's basket (or allows Crapita and ilk to do so). Multilayer protection from multiple vendors - and air gap the network if there is sensitive material on it. If the boss says no, write it up. Sooner or later someone has to accept they pay professionals to do a job, if they tried and the PHB & beancounters prevent that, then the PHBeans are the ones who should face the consequences - as should their political masters
It's not as simple as people clicking on things that they obviously shouldn't. This is more sophisticated than that. Users probably could do with better training but all mainstream software needs regular security updates and since there have been no updates for XP for 5 years (when it was already a decade old) someone should have cleaned house and moved these systems to something supportable. A combination of poor management and diverting of resources to try and cover gaps in budgets for most other things hasn't helped. There are currently 40,000 nursing vacancies. IT is not the only thing not going well in our 'strong and stable' land. (Sing to the tune of Jerusalem in place of 'green and pleasant' and Mrs May will make sure everything will be alright, not.)
Didn't the NHS have a deal with Microsoft for support on XP even after the official support was ended (which was canned to save money)? Didn't the NHS send round a patch in March that if applied could have stopped this? Seems to me that some serious patching needed to happen and didn't.
"Microsoft for support on XP"
This keeps getting trotted out, but in the last two years at least, I've not seen an XP PC in any of the hospitals I've visited as part of my job. I know there are still some, but are they on the front line? Considering that all versions of Windows were susceptible if not patched, I'd be interested to see if anyone has done or is doing a breakdown of infection by OS version.
There is fault all round.
1) For MS for releasing software with the SMB-V1 service ON by default. (apparently W10 has this as well but it got patched)
2) The IT build teams in the various NHS trusts for not seeing the above and making sure that it is disabled and the offending ports blocked. There are probably a number of other vulnerable ports and services open as well but I'll give them the benefit of the doubt.
As I see it, a combination of factors all conspired to allow this to happen.
I really hope that this is a mega wakeup call for the Industry (Linux and even Mainframes) and that includes those who make and ship Android Phones as well. Don't know how vulnerable iDevices are but they might very well be.
Anyone saying that your system is protected should be prepared to put their money where their mouth is and prove it.
Really happy that I got out of the Industry last Crimble.
Obsolete OSes and timely application of patches are one issue, but this could just as well have been a zero-day.
Sooner or later you're going to get an infection inside your network. What you want is (a) to detect it quickly, (b) to limit the spread, and (c) to allow the affected parts to be wiped clean easily.
In other words: compartmentalised, multi-layered security. Here's one way this could be built realistically:
- each workstation has Qubes OS installed as the bottom layer
- there's a Windows AppVM for running NHS internal applications. FirewallVM is configured to permit access to the required servers and nothing else. Passthrough of smartcard goes to this AppVM.
- there's another AppVM for sending/receiving NHS E-mails. It is permitted access to NHS mail servers and print servers only.
- another for Internet browsing and personal E-mail. This is allowed access to the Internet and print servers, but *no* other NHS resources (including other workstations on the same network).
Is this in the "too hard to do" category? I don't see why.
The apps themselves still run under whatever version of Windows they require, so are unchanged. Indeed, this makes it easy to run different apps under different versions of Windows, allowing phased migration of applications.
As for usability and training: well, agreed that Qubes is not the prettiest Window environment. But you basically get a pop-up Start menu listing the different environments, with a sub-menu for each application within that environment, which is all standard stuff. The apps themselves just appear as windows, with a nice coloured surround. This helps minimise phishing attacks where one window tries to look like a different one.
You probably want to do a bit of tweaking to lock things down, e.g. so users can't modify the NHS appVM template or install their own apps.
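The three AppVMs above each get a different egress allow-list, with "nothing else" as the default. As an added example (not Qubes code and not the poster's configuration), here is that policy modelled in Python so it can be reviewed and tested offline before being typed into dom0 as per-qube firewall rules. Every address range, VM name and port is a constructed placeholder; none is NHS infrastructure.

```python
"""Default-deny egress policy for the three AppVMs described in the thread.

Added example. Models the rules in Python; the real enforcement point in a
Qubes deployment is the firewall qube, configured per AppVM from dom0.
All addresses are constructed RFC 1918 placeholders.
"""
import ipaddress

# Constructed network plan (assumptions, not real NHS addressing).
NHS_INTERNAL = ipaddress.ip_network("10.0.0.0/8")      # whole NHS estate
WORKSTATIONS = ipaddress.ip_network("10.20.0.0/16")    # other desktops on the LAN
APP_SERVERS = [ipaddress.ip_network("10.1.1.0/24")]    # clinical application servers
MAIL_SERVERS = [ipaddress.ip_network("10.2.0.10/32"),
                ipaddress.ip_network("10.2.0.11/32")]
PRINT_SERVERS = [ipaddress.ip_network("10.3.0.0/24")]
ANY = ipaddress.ip_network("0.0.0.0/0")


def allow(net, ports=None):
    """Accept rule; ports=None means any port."""
    return ("accept", net, ports)


def deny(net, ports=None):
    """Explicit drop rule, used to carve holes out of a broader allow."""
    return ("drop", net, ports)


# Rules are evaluated in order, first match wins, no match means drop.
POLICY = {
    # Windows AppVM for NHS internal applications: only the app servers.
    "nhs-apps": [allow(n, {443}) for n in APP_SERVERS],
    # Mail AppVM: NHS mail servers and print servers, nothing else.
    "nhs-mail": [allow(n, {587, 993}) for n in MAIL_SERVERS]
                + [allow(n, {631, 9100}) for n in PRINT_SERVERS],
    # Personal browsing/e-mail: print servers, then the Internet, but explicitly
    # no other NHS resources, including other workstations on the same LAN.
    "internet": [allow(n, {631, 9100}) for n in PRINT_SERVERS]
                + [deny(WORKSTATIONS), deny(NHS_INTERNAL), allow(ANY, {80, 443})],
}


def permitted(vm, dst, port):
    """True if AppVM `vm` may open a connection to dst:port under POLICY."""
    addr = ipaddress.ip_address(dst)
    for action, net, ports in POLICY.get(vm, []):
        if addr in net and (ports is None or port in ports):
            return action == "accept"
    return False  # unknown VM or no matching rule: default deny


def lateral_smb_exposure(victim="10.20.5.7"):
    """Which AppVMs could reach SMB (445) on another workstation? Expect none."""
    return [vm for vm in POLICY if permitted(vm, victim, 445)]


if __name__ == "__main__":
    for vm in POLICY:
        print(vm, "-> internet https:", permitted(vm, "203.0.113.9", 443),
              "| app server:", permitted(vm, "10.1.1.5", 443))
    print("VMs able to reach SMB on another desktop:", lateral_smb_exposure())
```

The worth of the model is the explicit `deny(WORKSTATIONS)` ahead of the catch-all Internet rule: it is what stops the browsing VM from being the hop that an SMB worm uses to reach the rest of the estate, which is exactly the spread the post wants to limit.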
Obsolete OSes and timely application of patches are one issue, but this could just as well have been a zero-day.
Sooner or later you're going to get an infection inside your network. What you want is (a) to detect it quickly, (b) to limit the spread, and (c) to allow the affected parts to be wiped clean easily.
Well, yes, but you omitted the fundamental problem - don't, by default, assume that your computers have to be on a network. They don't. And, if they do, don't just share everything on SMB/whatever.
Whoever decided that an MRI scanner/X-ray machine/whatever had to talk SMB should be fired. It would take a day to knock up a program to transfer X-ray images over a basic sockets connection, and another week to turn it into a client/server app to find and return any image.
"And, if they do, don't just share everything on SMB/whatever."
Note, not a networks guy. Is there an out of the box alternative to SMB when using roaming profiles and server based home dir/shared work dirs? Does Windows do NFS and if so is that better/as easy to use in a Windows environment with roaming profiles?
If they had used Citrix/Remote desktop then they could have the same roaming functionality and with all thin clients then XP nor its need for a full-fat PC and its associated local maintenance and security costs.
Perhaps if they had gone the more professional route they would also have locked it down, certainly the savings on hardware and staffing would have returned enough money to employ a few decent staff rather than 10 monkeys per site.
Ok genius.
Now that the machine is off the network someone still needs to visit it daily to update the antivirus definitions so that it's not popped the next time someone plugs an infected USB stick in.
Remember people still need to use the bloody machine so data has to come on and off it somehow and you've disabled the network now so the only choice is USB stick.
Well done, you've turned a manageable situation into an unmanageable nightmare.
Your second solution is even more idiotic.
Designing a custom app to take the place of a well understood standard protocol. Introduce a whole new raft of possible security bugs and a nightmare in having to employ your own programmers to adapt it every time your upgrade your OS.
TAKE MY MONEY, YOU'RE HIRED.
"It's not as simple as people clicking on things that they obviously shouldn't."
It pretty much is. Coupled with absolutely rubbish IT / Workstation configuration that lets stuff AUTOMATICALLY spread when the first poorly trained user opens it.
1) In an organisation this size, such attachments should never be delivered
2) The users should be better trained.
3) The IT / Network configuration is poor.
I see people are in denial about the value of AV etc. IT DOESN'T REALLY Work:
a) It's always behind.
b) It's rubbish how it works
c) Does as much damage with false positives
d) Gives false sense of security
I admit it works sometimes. But most of the machines I cleaned in 15+ years of IT support of malware did have AV. How many stories of it even stopping computers booting or slowing them to a crawl? One here in the last week or two.
Fundamentally most of the industry is in denial about how workstations should be configured, on site email servers and user training. One step would be to acknowledge that most courses on MS SW and MCSE etc are just marketing the features and selling the products. Very little real world value.
You should be stripping out exe's from emails and replacing them with links to files. Repack the original to an archive and make sure the link has some obvious message like "If you open a virus, you'll be sacked. No if's, no but's, out the door".
Won't stop them ofc, but will give you cause to get rid of them.
It's not as simple as that unfortunately.
Businesses send pdfs and Office files which upon opening execute a macro which subsequently downloads the executable. Disabling exe files in attachments is not enough, and Outlook already does this by default anyway.
Many corporations use macros. All corporations use pdfs. Users cannot be fully trained to spot everything potentially suspicious since no work would get done, that's why good AV and additional products are essential. More companies switching to Linux would also avoid a lot of this, but not completely.
It is as simple as that. Though not just obviously "exes".
Anything not sent on internal mail / VPN (i.e. from the public Internet) should only be passed on as plain text. Original quarantined.
Anything suspicious ditto, even if internal.
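The gateway rule in the last two posts (external mail passed on as plain text only, original quarantined; anything suspicious treated the same even if internal) is mechanical enough to show in code. The following is an added example, not the poster's gateway: it uses Python's standard `email` library, decides "internal" by sender domain (the domain `example.org` and all sample messages are constructed), and keeps the quarantine as an in-memory dict keyed by the SHA-256 of the original. A real gateway would write that to disk and log the id.

```python
"""Reduce external or suspicious mail to text/plain and quarantine the original.

Added example, not code from the thread. Policy modelled:
  - mail from outside INTERNAL_DOMAINS is delivered as plain text only;
  - internal mail carrying an attachment type that can run code is treated
    the same way;
  - the untouched original is stored in a quarantine keyed by its SHA-256.
"""
import email
import email.utils
import hashlib
import re
from email import policy
from email.message import EmailMessage

INTERNAL_DOMAINS = {"example.org"}                       # constructed
# Attachment types treated as executable content even from internal senders.
RISKY_SUFFIXES = (".exe", ".js", ".vbs", ".scr", ".hta", ".docm", ".xlsm")


def is_internal(msg):
    """True if the From: address belongs to one of our own domains."""
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return "@" in addr and addr.rsplit("@", 1)[1].lower() in INTERNAL_DOMAINS


def looks_suspicious(msg):
    """True if any attachment has a name or type that can carry active code."""
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_SUFFIXES) or part.get_content_type() == "application/x-msdownload":
            return True
    return False


def plain_text_of(msg):
    """Best-effort text body: prefer text/plain, else crudely de-tag text/html."""
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        return body.get_content()
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        return re.sub(r"<[^>]+>", "", html.get_content())
    return ""


def sanitise(raw_bytes, quarantine):
    """Return the message to deliver; store the original in `quarantine` if stripped."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    if is_internal(msg) and not looks_suspicious(msg):
        return msg  # trusted internal mail passes through unchanged
    digest = hashlib.sha256(raw_bytes).hexdigest()
    quarantine[digest] = raw_bytes
    removed = [p.get_filename() or p.get_content_type() for p in msg.iter_attachments()]
    out = EmailMessage()
    for header in ("From", "To", "Subject", "Date", "Message-ID"):
        if msg[header]:
            out[header] = str(msg[header])
    note = ""
    if removed:
        note = "\n\n[Gateway: %d attachment(s) removed: %s. Quarantine id %s]\n" % (
            len(removed), ", ".join(removed), digest[:16])
    out.set_content(plain_text_of(msg) + note)   # text/plain only, no HTML, no parts
    return out


def _build_sample(sender, attach_name, attach_bytes, subtype):
    """Constructed test message with one attachment."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "nurse@example.org"
    m["Subject"] = "Invoice attached"
    m.set_content("Please see the attached invoice.")
    m.add_attachment(attach_bytes, maintype="application", subtype=subtype, filename=attach_name)
    return m.as_bytes()


# Constructed samples: external macro document, internal PDF, internal .exe.
EXTERNAL_SAMPLE = _build_sample("Accounts <accounts@supplier.example.com>", "invoice.docm",
                                b"PK\x03\x04 constructed", "vnd.ms-word.document.macroEnabled.12")
INTERNAL_SAMPLE = _build_sample("Colleague <colleague@example.org>", "rota.pdf",
                                b"%PDF-1.4 constructed", "pdf")
INTERNAL_EXE_SAMPLE = _build_sample("Colleague <colleague@example.org>", "tool.exe",
                                    b"MZ constructed", "x-msdownload")

if __name__ == "__main__":
    q = {}
    for raw in (EXTERNAL_SAMPLE, INTERNAL_SAMPLE, INTERNAL_EXE_SAMPLE):
        delivered = sanitise(raw, q)
        print(delivered["From"], "->", delivered.get_content_type(),
              "attachments:", len(list(delivered.iter_attachments())))
    print("quarantined:", len(q))
```

Note what the gateway does not do: it never tries to judge whether a given `.docm` or PDF is malicious, which is the judgement the thread argues cannot be made reliably. It only decides whether the sender and content type are on the allowed path, and everything else is reduced to text with a pointer to the quarantined original.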
Switching to Linux, non-Adobe PDF readers and non-MS Office Office applications would only be a short term solution. Once popular they would be targeted. The problem isn't inherently Adobe (though they are bad) or Microsoft. It's training and system configuration.
(Even though here we switched to all Linux etc last December).
Not just exe's, but any attachment, because embedded scripts and buffer escape exploits are the main malware entry points now!
Simple, have Microsoft or a trusted security software provider extend the Android and iOS application level permissions framework to desktop OS, but with sensible restricted defaults for the filesystem/registry too, like the Application install/settings folders, registry folders and default documents folder, and show an admin-screen permissions dialog, after a system snapshot, if it attempts to access anything else, including in non-whitelisted file shares. We should not always trust applications to police their own access, because they can be compromised!
There could be application group white-lists/blacklist to save duplication e.g. for Desktop and some other common folders, this could include application installation and settings folders which should usually only be accessible by the owner application.
Any unknown Application which tries to do any file system action but create new files in its folder, not sub-folders, or access anything else should cause an admin-screen permissions dialog, after a system snapshot, for one-off OK, or white-list or black-list additions.
This could make life very difficult for lots of other kinds of malware, including camera/microphone/keyboard spyware, browser hijacks and other unwanted software installs too! :)
Opening attachments on a Linux box with remote viewing would have mitigated the attack but yes the idea of allowing active content to be attached to emails is just stupid and reeks of bad planning.
Better to ban all attachments and get the same functionality via posting a link to the content on an internal vetted server in an internal format rather than PDF. If the data isn't on the internal system then it is either not work related or detached from the system and needs securing by people who do know what they are doing.
It's poor PR to try and twist this into selling anti-virus software but I'm surprised more people aren't looking at the more fundamental problem of the dependency that was created on Microsoft software in the first place that has resulted in all these machines being locked to XP well out of normal support meaning more and more money is being drained out of the NHS and given to a private company who at this point can charge literally whatever they want.
These are the type of environments where you really want something custom built or built on technology that means you have real options when it comes to support and more freedom to change. Ideally we want to be training our kids to develop software and be able to support software used in this kind of environment based on open standards etc. Not give the keys of the kingdom to a private corporation and be throwing money down the drain to keep that 'supported'
I said at the time a lot of these machines were installed that it was a bad idea, nobody listened, and even now the whole thing has come to bite them in the ass, potentially costing lives, nobody is listening.
I'm not a huge fan of Linux etc. when it comes to home use, but in governments, hospitals, schools and other public services it really should be at the forefront. I fear the future of the NHS is heading firmly in the opposite direction though, depending more and more on private companies, this is just a small taste of what happens when you allow that.
There are enough Linux worms and exploits around to not guarantee security. It's feasible that a bug in an NFS implementation could have a similar effect to the one in Windows' CIFS that "caused" this. You'd also need to get the vendors to release their software for Linux.
Linux is my OS of choice at work (HPC), but I can see that it's not appropriate for all scenarios at the moment.
There's not much for Linux or macOS by comparison because Windows is currently the big dog in the corporate kennel. There's almost nothing for OS/2 because there's not enough users to make writing ransomware for them profitable, but if people suddenly switched to OS/2 as a desktop OS (well, eCS then - the modern equivalent thereof) you can bet there suddenly would be a great deal of ransomware available for it.
It no longer matters what it's running - routers, cameras, baby monitors, routers, interactive toys, smart headphones - if it has some kind of OS on it, someone will be trying to hack it, usually for profit. And will probably succeed.
This isn't going to be the last of its kind, it's probably just the beginning of a long spate of nastier attacks. Will there ever be a malware attack using zero-day for Windows 10 that makes this look like a walk in the park? Probably - I wouldn't want to bet against it, at any rate.
All IT professionals overestimate how well users are familiar with computers and how well they can be trained.
In many healthcare settings I've seen nurses have notebooks full of:
"To do X,
Click lowermost left, click second up third to right",
going on in for however many steps the custom software needs to perform things. I've wondered why it doesn't have buttons that does the X, Y and Z that the nurses have made their own 27-step lists on how to do through the convoluted interfaces...
That is the level of user sophistication we need to design for, ladies and gentlemen.
Tech drone, not sales drone thank you - Adaptive Defense 360 blocks unknown and unclassified processes regardless of the source, ie malware, shareware, custom application etc, until they are classified as Goodware, so we would have blocked the encrypter software as an unknown process. We've had zero infections with Wannacrypt on AD360 covered machines.
Also, the product is 5 out of 5 stars recommended in PC Pro this month. You can bash this as a sales pitch but if it saves people losing data or having to pay ransoms then job done.
Possibly because those same unlabeled patches have inflicted users with advertisements for an OS they don't want, break things that work, and change settings in unwanted ways?
Stop teaching users that updates are mystical things with unwanted effects, and they'd likely be more willing to update to improve their security. Trust is in very short supply between users and many large software houses.
It's almost as if it's being made intentionally worse, so that a subscription cloudy version can be sold. After all, that never goes down or loses data, right?
Disgusting on all sides.
... Alfred Nobel would personally rise from the dead and create a Nobel Prize for Informatics to hand them to them. You cannot determine what a program is doing by looking at it. It's called the halting problem and it was proven long before computers came into widespread use. If Sophos's claims were true, they'd have disproven something that has been mathematically proven over and over again. It's like finding a triangle on a flat surface where the angles don't add up to 180°.
And looking at what an already existing program does, obviously doesn't work. First of all, it had already done something bad, secondly, file compression/archival software looks just like ransomware, if you only look at what is happening at an API level. It's impossible to get a detection which is sharp enough to lower the false positives to something acceptable while still detecting what you want.
@ Christian Berger:
Your description of the halting problem didn't sound right to me...
"The halting problem is the problem of determining, from a description of an arbitrary computer program and an input, whether the program will finish running or continue to run forever."
I was under the impression that other vendors released an update to battle this as well (e.g McAfee , ...)
It should also be noted , sophos released several updates (based on the original variant ) , especially around 1 am from memory , making the previous update redundant. Saying you pushed an update at a specific time doesn't really count when you released several more afterwards (implying the original one wasn't working). Just my perspective (NHS infrastructure person).
1. XP infection rate from WannaCry is minimal
2. if the NHS had the resources to patch, it wouldn't have mattered
3. Sophos Intercept X and Exploit Prevention (EXP) have been out for 6 months and have yet to be beaten
4. Intercept X is exploit based and signatureless
5. No-one with Intercept X or EXP got WannaCry
6. Sophos are prevalent in the NHS.
7. We had neither patched nor Intercept X and did not get WannaCry