NHS not exactly target of “cyber-attack”

The Security and Intelligence Committee takes all this cyber-thingy stuff very seriously.

I got home, put on BBC News and there was some dope being interviewed about a “cyber-attack on the NHS”, blithering on about their M3 network and how secure it is. I turned over to Sky, and there was someone from Alienvault talking sense, but not detail. Followed by the chair of the Security and Intelligence Committee, Dominic Grieve, blustering on about how seriously the government took cyber-security but admitting he didn’t know anything about technology, in case it wasn’t obvious. I have never met anyone in parliament who does (see previous rants).

So what’s actually happening? It’s not an attack on the NHS. It’s a bunch of criminals taking advantage of a big in Microsoft’s server software. Almost certainly MS17-010. An attack based on this exploit was used by NSA in America (Equation Group) until someone snaffled it and leaked it (allegedly Shadow Brokers). It’s been used in a family of ransomware called WannaCrypt, and it’s being used to extort money all over the place. I see no reason to believe the NHS has been targeted specifically. It’s targeting everyone vulnerable, all over the world. Poorer countries running more old software, or bootleg version that don’t receive updates,  are worst hit.

So why is the news full of it being the NHS, and only the NHS? One reason is that Microsoft issued a patch for MS17-010 a good while back. And the NHS didn’t apply it. Why? Because they’re still using Windows XP and Microsoft didn’t issue the patch for Windows XP. Simple.

A lot (repeat A LOT) of companies use older Microsoft systems because (a) they’ve bought them, why should they pay again; and (b) Microsoft abandoned backward compatibility with Windows 7, so a lot of legacy software (dating back to the 1980’s) won’t run any more. Upgrading isn’t so simple.

There’s a lot of money (from Crapita Illogica, Atos and G4S – amongst others) in flogging government projects dodgy Microsoft-based IT. Microsoft Servers are considered Job Security for people who can only understand how to use a wizard, but know it’ll break down regularly and they’ll be called upon to reinstall it.

No one who knows how computers work would ever use Microsoft servers except as a last resort.

Update 13-May-2017

Guess what? Microsoft has now released a patch for older versions of their server software (ie. Server 2003 and Windows XP). That was jolly quick; it’s like they had it already but didn’t release it to punish those who refused to “upgrade”.

Lincolnshire Council in £1M ransomware plot

Coat_of_arms_of_Lincolnshire_County_CouncilReports are that Lincolnshire Council has been shut down for four days because it’s been targeted by ransomware that has encrypted all its files. That they’ve been a victim of such a scam doesn’t surprise me – it’s all too common. What’s moving my eyebrows skyward is the fact that the criminals are asking for £1M to restore their data.

I’ve seen a lot of this before, and the criminals generally ask for a sum that it’s easier to pay than mess around trying to repair the damage. In other words, £500 is normal but £1M is not. For this to be credible, someone would have had to target them specifically, and come up with a plot to damage a lot of data in one go. This is possible if one PC has R/W access to a lot of files on a server, but for the criminals to expect to do this value of damage the council would have to be pretty incompetent and the criminals would have had to know this for certain. (What am I saying?)

From the BBC report there are a couple of interesting lines:

“The authority said it was working with its computer security provider to apply a fix to its systems.”

Hmm. So who is their computer security provider? If they have one that’s any good, the network would have been set up to avoid such wholesale damage. Serco took over the Council’s IT operations in April 2015. in a £70M+ deal. Whether the outsource company has outsourced the “security provision” is a little harder to know.

Further down the BBC article it says:

“Chief information officer Judith Hetherington-Smith said only a small number of files were affected.”

If that was true, restore them from a backup or take the hit – how can a small number of files be worth £1M?

Locking down the network after such an attack is a good idea, and this would disrupt office services for certain. But something just doesn’t add up here. It’s possible that the £1M ransom demand has been made up, to cover their embarrassment. Or it could just be sloppy journalism by the BBC – no facts checked and a story about some ransomware being blown out of all proportions. Serious news media haven’t had much to say on the subject. The Register has covered it, but has not repeated the £1M ransom claim.