Hospitals across England hit by large-scale cyber-attack (theguardian.com)
322 points by porterde on May 12, 2017 | 368 comments


After 20 years in IT, listening to all the bullshit by "Management" about "Audits" and "accepting the risk", "lessons learned" and whatnot.

Honestly, I would be glad if a high-impact issue like this would change any of that for the better. I am unfortunately also a cynic (after 20 years in, well, anywhere really) so I doubt it will. This means it will only negatively impact people who need the healthcare, and a bunch of consultants will make millions on sweeping up the mess, and creating the next failure-to-be.

I'm making popcorn.


Fault will be leveled against Bitcoin for facilitating the ransom, against Microsoft, against NHS budget underfunding... everywhere EXCEPT where the blame belongs. Products liability law applied to IT security would put a quick end to most vulnerabilities.


Seems strange to not mention the ransomers as having culpability.

I'm 100% in favor of better systems/processes/technology to prevent exploits, but I'm also 100% in favor of blaming the perpetrators of the ransom also.

In the real world we don't accept the argument that the victim is primarily at fault.

  * leaving your car unlocked doesn't mean that is OK for someone to steal it and demand a ransom for its return

  * leaving your house/apartment unlocked doesn't mean that it is OK for someone to swap out the locks and demand ransom for the new keys

And it really isn't about being locked/unlocked. Doors and locks can generally be easily broken or bypassed, doesn't mean that everyone should have to purchase industrial strength doors and locking systems (and windows, and...).


You're confusing ethics with legal liability. Nobody is saying IT is ethically responsible, they're saying they are legally responsible since the entire reason they get a paycheck is to prevent these sorts of things. Reduce it to a contractual matter if that assuages your conscience.

If you hire a bodyguard and still get shot while the bodyguard is on his phone both the perpetrator goes to jail and the bodyguard gets fired/pays restitution. Not that unheard of. It's not like one person gets all of the legal and ethical blame and everyone else is entirely absolved.


I'm not confusing things. I'm saying that public discussion seems to migrate towards prevention/mitigation and de-emphasizes the criminality. I'm arguing that we not forget that and pointing out that it was missing from the post I responded to.

In your bodyguard example I don't think in that type of a situation that people fixate on the quality of the security detail. They rightly demand that the shooter be tracked down.


People talk about it that way because locking your doors is more pragmatic than eliminating every criminal in the world for all time? Because the purpose of conversation about preventable injuries should be constructive, rather than idle? Because whether someone should do bad things should be a discussion between people who do bad things, but people who are victims should be discussing how not to be victims? Because when someone trusts you to protect something, there's 1) an assumption that that thing could be damaged, or else no reason to have hired you to protect it, and 2) a moral responsibility as the person entrusted with guarding it to do a good job, or else your taking money is wasteful and your promise made in order to get it is fraud?

Any number of reasons all boiling down to the same reason: what does calling bad people bad accomplish? Best for people who want to be good to talk about how to be good.


We have the same likelihood of bringing the criminals to justice as someone who left a laptop on a bench at an international airport for several days and then went back to look for it.

We can blame the criminals, but we will always have criminals when the crime is easy.

Those who are really responsible here are the ones who allowed themselves to become dependent on an ancient and insecure operating system.

To me, the buck should stop with the head of the hospitals.


What's the point of discussing criminality? The criminal justice system is centralized and functions independent of public interest in getting results from it. (And, in fact, functions better when the public is mostly unaware of crime, re: jury selection.)

The civic justice system, on the other hand, is completely driven by public interest—nothing gets done to change things unless somebody (or some class) bothers to sue.


> What's the point of discussing criminality?

Well, for one thing, we could try to think of ways how to catch these criminals, how to help law enforcement.


Leaving your car or house unlocked means that you're negligent, not that the attack is your fault.


Exactly, and if you had someone's important confidential information sitting on the seat (or even on an un-encrypted laptop), you would be liable for that loss.


The thief would still be held accountable if caught. That is what g is saying, that we just gloss over the thief in this case.


Of course the ransomware authors/controllers should be (and are) culpable.

But when financially lucrative attacks can be carried out with very little risk of being caught, and the results are so bad, organizations who don't take security very seriously are at fault for not recognizing the threat landscape, and government is at fault for not recognizing that the market isn't solving this problem, stepping in and requiring higher quality assurance or liability for software.


> In the real world we don't accept the argument that the victim is primarily at fault.

If you're worried about X, and Y promises to prevent X for a cost, you seek recourse against Y.

X: I can't miss this flight. Y: Pay this surcharge to reserve a seat. Overbooking ensues. I'm blaming Y and not the other passengers.

X: Really don't want this disease to kill me. Y: Take these pills to not die. Death ensues. I'm (well somebody else is) blaming Y and not the disease.

In life we can't always control the cause so we aim to minimize the effect. Thus, while the ransomers are culpable for the blast, IT security are accountable for the size of the blast radius.


You are downgrading and equating intentional criminal acts to normal day-to-day unpredictability.


They're not the same but when you can't control the cause what's the difference?

Due to the nature of the web, unless you unplug from the Internet, the risk is persistent. So although a cybercrime-free world would be swell, until that day arrives we must control the effects.


> unless you unplug from the Internet

I'm not convinced this isn't the answer. What are we gaining by putting hospital networks on the Internet? Are those gains worth the cost in increased vulnerability?


The only thing I think we gain is we're able to track patients better.


How we talk about these situations and the expectations we have are very important. If we collectively signal that extortion is OK and just something everyone needs to get used to then you are de-stigmatizing criminal behavior. I don't think that is a good idea.


I agree, extortion is not OK. Simply saying that this could have been mitigated and if there's someone's job to mitigate things like this, it's on them.


You don't have to look hard to find criminal activity referred to as an epidemic.

Which is to say, that public health countermeasures and similar modes of risk-mitigation apply.


In both those situations, whilst it isn't the victim's fault, it will invalidate their insurance and any loss is theirs to sort out. So when buying IT services you need to include in the contract the security of it too; a ransomware attack such as this (and not just because one user infects one machine) would be the fault of the IT provider.


Very few people would argue that it's "OK" to commit crimes that you are capable of getting away with. It's the victim's "fault" as it is the fault of a person who doesn't wear a seatbelt and dies a preventable death in a car accident that they died i.e. not a moral failure, just a failure.


Of course they're culpable, but crime is an environmental problem you have to deal with, just like bad weather. No amount of shaking your fist at the clouds is going to mitigate the problem of a leaky roof.


I am explicitly rejecting that analogy. Human behavior is not like weather at all. The expectations that we set for our community/society are important.

Bad weather is indifferent to the shaking fists. It won't get worse or more frequent if people fail to shake their fist. But human behavior is very much responsive to feedback from other humans. I'm arguing that we should all be shaking our fists when we see extortionists at work as well as tracking them down and punishing them. And we should also take care to protect ourselves from them. It isn't a binary choice.


The first words I wrote were 'of course they're culpable.' Human behavior is very much like the weather in that our actions today shape the environment of tomorrow, albeit by long and often obscure causal chains.

Nowhere did I assert that it's a binary choice, and that interpretation of my words only makes sense if you ignore chunks of what I'm saying. Over the near term, you're not going to eliminate crime by moral suasion so it's important to have a strategy to mitigate its predictable incidence while we also work on the problem of how to reduce crime through deterrence, reducing incentives, and so on.


You can explicitly reject the analogy.

That doesn't make you correct.

https://www.ncbi.nlm.nih.gov/pubmed/9532958

Crime is a public health issue. It shares common causes with ill health, particularly poverty, and fear of violent crime is itself a major cause of anxiety. Community development in pre-school education, parental education, and among ethnic minorities, both reduces crime and promotes better health, for example in reducing the effects of alcohol and illicit drugs. Health workers should contribute in full to community development.

I note that I'm standing with my earlier characterisation of a public health domain rather than weather, but both carry very strong similarities, including a risk / forecast / mitigations approach.


There is no international community which regulates acceptable behavior for international criminal organizations.


Well said.

+2 for that ;)


Apparently some blame should also go to the NSA, whose leaked hacking tools were used for this:

https://mobile.nytimes.com/2017/05/12/world/europe/uk-nation...


> everywhere EXCEPT where the blame belongs

The NSA?


So if I lose my gun on the street and someone (18+) picks it up and shoots somebody, the blame belongs to me?

Not saying that the NSA is innocent as a child, but please don't put all on them.

If I had a zero-day I wouldn't go out and encrypt people's computers.


I'd eschew the gun metaphor because right to bear arms, etc.

But if you find a cooler with a vial of Ebola on the street, take it home instead of turning it in, then have it stolen and have that strain implicated in an outbreak?

Yeah... that's definitely at least partly on your hands.


The right to bear arms can also extend to cyber arms. And I mean it seriously.


I never thought about it like that before. Interesting.

The 'arms' in 'right to bear arms' is not clearly defined, and the founders would not have had any concept of software or weaponised software, but I can't think of an argument against people owning malicious software if the argument for owning firearms is also in play.


It's more like finding out you can shoot someone's door knob off with your gun, creating a documented process to make that easier, and hiding it from the public despite your pledge to disclose door knob vulnerabilities.

It shouldn't be a surprise when someone else starts shooting off doorknobs.


> So if I lose my gun on the street and someone (18+) picks it up and shoots somebody, the blame belongs to me?

I would say this is closer to having your guns stolen from your home while you're asleep and then used in a crime.


How do product liability laws cover vulnerabilities no one knew existed? Let's say it isn't a case of lack of forethought or ignoring bug and vulnerability reports; how do these laws treat it then?


>Products liability law

Wouldn't that hold Microsoft liable then?


Maybe, but a patch for this issue being exploited has been out for quite some time. What's happened is that unpatched versions are being exploited.


Depends. And that's exactly why it's easy to say "we need product liability law", but very difficult to say how it would work in practice.


>Products liability law applied to IT security would put a quick end to most vulnerabilities

No, it would make IT security about as expensive as good lawyers. Just to cover the losses. A method to reliably produce vulnerability-free software is not invented yet.


> A method to reliably produce vulnerability-free software is not invented yet

That's not the goal. Well it is, but it's unachievable. We need to get people to care about security beyond ensuring that teenagers can't trivially get in—the current state of affairs for enterprise IT.

A law would at least require companies to give a fuck beyond the "can the CEO's niece break in" level.


> A method to reliably produce vulnerability-free software is not invented yet.

I beg to differ. We have formal methods, ranging from type systems to full blown verification. This isn't a technical problem, it's an economic one.


Have these methods been applied to the security aspect of software development? Any examples?


On the lower end of the spectrum, sound type systems prevent a class of vulnerabilities including buffer overflows. On the upper end, https://sel4.systems/, a formally verified microkernel, is used in security-critical systems.


Software development seems to be one of the rare branches of engineering where people and businesses are ready to accept such low quality standards, both in terms of functionality and security.

We wouldn't accept from a civil engineer that "the bridge might collapse" but that it's "no big deal, takes a moment to rebuild".

It was one thing when software was controlling some random machinery in a basement or fueling our BBSes, but nowadays large-scale software failure can end a lot of lives, nothing less. And yet, society is largely oblivious to how fragile it all is...


Tbf, a lot of civil engineering is pretty basic physics with huge safety margins applied, and if the requisite test was "will it withstand a targeted attack at the most vulnerable point?" most structures would never have got off the ground.

I think most of society has experienced enough software crashes and had enough anti-virus warnings to realise computers are a wee bit unstable and insecure (as well as being well aware they can't judge secure software from insecure software). If anything, it's HN that's the outlier for faith in internet-connected software to do stuff like drive our cars safely.


Civil projects are certainly over engineered because the life safety risks are clearly understood by all parties making the decisions. Unfortunately the "most of society" argument is clearly not true yet. Otherwise they would be springing the cash for proper IT and software security.


> Civil projects are certainly over engineered because the life safety risks are clearly understood by all parties making the decisions.

The software that is run in the hospitals should also be over-engineered because when it doesn't work properly it could be a matter of life and death.


> Civil projects are certainly over engineered

When talking about bridges, roads, buildings, tunnels, power grids and sewage pipelines - just to name a few - there is one additional factor that we should always consider.

Once made available, all of these will see constant use and they become part of the fabric of society. Taking parts of core infrastructure out to fix them has severe repercussions. Total cost of invasive maintenance will be a lot higher than the fairly simply calculated cost of on-site fixes.

I will gladly accept overengineering and nearly ludicrous safety margins.


As someone who worked in Civil Engineering (EIT) who writes software now I'll agree.

When an engineer gets a license from the state they stamp the drawings. If anything goes wrong, they go right back to the engineer who stamped it. When I was in civil engineering we were asked to redo another firm's calculations when things didn't go well (mostly slope stability).

Though for software, I did work on mission critical systems (radar), and they did have a pretty good review/testing regimen. They tested a lot.

For smaller shops, there is pressure to get it done fast and ship yesterday; quality isn't the first consideration. I think liability for attacks from your boxes that have been hacked is low, so even then people aren't as vigilant. See IoT devices.


A bridge is a largely static unmoving object, but even bridges require maintenance - some bridges require more frequent maintenance than others. It's not that bridges are necessarily of low quality.

If the bridge maintainer instructed you that a column needed replacing it would be replaced.

Everything constructed in reality requires maintenance in one way or another. Your house, your car, your bridge and yourself for example. To suggest that software should be different is an interesting point of view.


> A bridge is a largely static unmoving object, but even bridges require maintenance - some bridges require more frequent maintenance than others. It's not that bridges are necessarily of low quality.

That's a layman's impression of what a bridge is. In reality bridges are in an extremely dynamic environment with loads changing magnitude and direction constantly, unpredictably. The fact that you think that a bridge is 'a largely static unmoving object' is a tribute to the engineers that designed it and the contractors that built it; its whole function can be described as 'appear not to move'.

But if you looked at the bridge in a little bit more detail and saw how the bridge copes with the load, your estimate would change to 'a bridge is an extremely versatile structure that dynamically responds to a wide variety of loads by rejecting those loads onto the foundation and soil around it'.


Ok yes well. Mostly they can still be described as largely static, relatively, because that's the whole point of building them. Something stable to move across.


Isn't one of the premises of modern engineering that you work within a regulatory framework to ensure safety for the public?

It seems to me that most software development is not engineering in this sense and I assume that we will get to that stage at some point, but right now things like public institutions being hacked, because their software security was not up to par, will happen.


I've also become a cynic. I welcome national services to lose control of their systems and their data. I have had countless talks with people here in Germany about why computers and therefore open and libre software and hardware are a matter of national interest. Obvious disaster, at least and last, will hopefully make them get what I mean.

Having said that, I feel bad, but I just don't see any other way.


You're frustrated, but what are you doing to provide a better alternative? If national services lose control of their systems, what then? What is it that you expect to happen? The same people in charge, but making better decisions? A revolution that will magically fix everything?

I understand that you've been trying to persuade people of the merits of openness, but as you have experienced it's very difficult for an individual to persuade people of things without being a politician or offering some commercial bargains. Managers keep making bad decisions because they can always find someone who will write the code instead, but for some reason developers are unwilling to act in concerted opposition to this and so find themselves endlessly ignored and overruled.


> Managers keep making bad decisions because they can always find someone who will write the code instead, but for some reason developers are unwilling to act in concerted opposition to this and so find themselves endlessly ignored and overruled.

A labor union that protects you when you refuse to implement things that should not be implemented?

IMHO it is a difficult thing to manage and integrate into the tech culture.

Leaks? Maybe, we're seeing them.


It suits the management class very well to minimize the formation of organizational structures among technologists.

While I'm not a big fan of unions or guilds - insofar as they rely on internal hierarchies that just reproduce existing and faulty control structures - those who resist or deny the possibility of organization among technologists are not necessarily disinterested in the outcome.


>> I've also become a cynic. I welcome national services to lose control of their systems and their data.

Quite a moronic point of view when lives could be potentially put at risk.


I agree that it sounds moronic. Maybe it even is.

However, think about a levee about which you know that it will not hold when a storm comes, but people don't believe you and are not even willing to listen to you. Would you think it's moronic to welcome a storm as a shot across the bows so people realized what you are talking about?

The constructive solution to this problem is to find a way to convey the message such that people are willing to listen. But that can be very difficult.


In a similar vein Karl Marx is said to have been pro free trade, as it would lead to what he believed would happen to capitalism much faster. Also the colloquial expression "kick in the teeth". Often actual change requires drastic consequences.


I don't feel you're moronic and I absolutely get your sense of frustration, but welcoming a storm is implicitly saying that you think the suffering of some others is an acceptable price to pay for opening the eyes of the higher-ups. I'd like to suggest that the reason people in management don't listen to people in IT is because the people in IT aren't willing to make them, despite having direct and often primary access to the organizational levers of power.

Have you ever considered the possibility that management deliberately selects for this kind of passivity and conflict aversion when staffing IT departments, hiring exactly the sort of people who might roll their eyes or grumble at things but will reliably do what they're told?


You do realise that very nearly every engineering standard ever established, or regulation imposed, is written in the blood and memorialises the souls of those who died because it wasn't in place.

Turn on your gas stove for a moment, but don't light it.

That smell you detect is a memorial to the 295 students and teachers of the New London School:

https://en.m.wikipedia.org/wiki/New_London_School_explosion

Early in 1937, the school board canceled their natural gas contract and had plumbers install a tap into Parade Gasoline Company's residue gas line to save money. This practice—while not explicitly authorized by local oil companies—was widespread in the area. The natural gas extracted with the oil was considered a waste product and was flared off. As there was no value to the natural gas, the oil companies turned a blind eye. This "raw" or "wet" gas varied in quality from day to day, even from hour to hour.


I disagree. Every day we become more and more dependent on computers, and more specifically, networked computers. The IoT is exploding with horrific security implications. Everyone is focused on the next big thing, and no one is paying attention to the house of cards we are building.

So for something like this to happen now is much better than it happening later, because people need events like this to wake up and motivate action.


It's so easy to throw up a veil of security while doing absolutely nothing at all.

Just today I was helping somebody retrieve an export of older transactions from PayPal, and they were forced to go through a series of steps to sign up for "secure" access to a special account in order to download a "secure" zip file that PayPal had uploaded containing the transactions.

The password on the zip file? PayPal123.


Which doesn't just mean that file had a crap password; I'd be willing to bet it means a whole bucket or type of files has the same password. So at least there's that.


Doesn't sound like this password is frequently changed.


I work for one of those consultancy firms. Typically, this is the kind of stuff that's required to get us through the door in the first place.


Have you considered going on strike along with the other IT people? I can well imagine how draining 20 years of management BS is (I grew up with one), but one of the reasons I decided to get out of corporate IT after a decade in it was the realization that the IT were frequently used as a buffer between management and the rest of the workforce.

I certainly don't blame you for making popcorn, but surely part of why poor operating practices and decisions get entrenched is that the people doing the work passively go along with whatever bad idea management is proposing while hoping that either inevitable failure or some higher level of management will intervene to vindicate the initial objections of the technical people and topple a few of the more inept managers from their perches. Because IT people tend not to be organized into a union or professional association, they have little to no political leverage of their own, so any personal sense of organizational mission or ethical scruples don't count for much in the event of a conflict with the management people, who may sweep aside objections on the basis that the IT person 'doesn't understand the big picture' or somesuch.

I don't mean to suggest that you should be reiterating old faulty models of social organization like unions or guilds; if anything the lesson of technology is that we should be restructuring our pyramidal structures of control and authority (whether corporate, political or whatever) into more effective network paradigms. But I do think that if you just munch on popcorn and hope to see some bad managers ousted and some technical people finally lifted up to positions of seniority within the existing decision structure, then it will just be more of the same until the system is forced into a state of collapse.

Why leave everything to the management and consulting types 'sweeping up the mess, and creating the next failure-to-be', as you eloquently put it, when you have one of those rare opportunities to force change?


Just as in the performance review process, Management (aka "the winners", by default and decree) write the story.

I remember spending more time pushing against the inertia and self-interest, than actually solving the problems. Solutions that, in a fairly straightforward and rather conservative fashion, stopped problems like these.

We are already seeing the uptake of the "rubber hose" in IT/IS oversight. Up to the Federal level, in the U.S.

It's not going to be a matter of who is responsible and who is technically capable. It's going to be the rubber hose and the lead pipe.

Whether that's a winning strategy...?

I guess that's why you're making popcorn.


The result will be to intensify what they are already doing rather than to rethink the system.


Until it crashes and burns dramatically, the way it has happened since time immemorial.


The alternative is massive investment in security, which would raise costs to insurers/patients, and introducing procedures that would slow down the speed of medical practice, which is already too slow. One example I've seen is the "medical system", a conglomerate of healthcare providers under one brand.

At a high level, the priority is simply to swallow up as many healthcare solutions as you can, to reduce cost and increase profit, and make healthcare process more seamless for the patients.

At a medium level, this means you have 50 different organizations connected to your network, and you may or may not have centralized control over any of them. You don't have the cash, time or resources to go in and overhaul all the networks. So you tell them all to connect through your central office and throw every single transparent filter or proxy at them to try to catch all the crap flying out the door (and there is a lot of it).

At a local level, doctors are already stymied by the complex process of providing care to patients. I've worked with them to try to find tailored solutions to speed up simple things like returning lab results. It's surprisingly difficult to improve on. Add new security procedures and their time shrinks even more, adding on top of all their existing procedure.

Healthcare is just always going to suck at security. The alternative is more costly and slower healthcare.


People will have to die before that happens without a regulation push. Possibly in a horrific way but done remotely. A few entered my mind. The risk is there. Thing is, it took things like THERAC poisoning in the past to establish importance of software safety. Security will probably be similar as it has been damage first, correct behavior second in other sectors.


According to Spain's CCN-CERT it's spreading through a remote code execution vulnerability in Windows' SMB Server, affecting pretty much all versions of Windows.

https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn...

https://technet.microsoft.com/en-us/library/security/ms17-01...

IIUC the security updates have been available since March. I can understand bureaucratic entities having shitty security policies, but Telefónica? It's just... wow.
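As an added example (not from the thread, the CCN-CERT advisory, or Microsoft), the check below is what a Windows administrator could run to see which workstations are still exposed to the SMB server vulnerability this comment describes: whether the SMBv1 protocol is still enabled, whether the March security update is installed, and which inbound firewall rules currently allow TCP 445. The hostnames are constructed, `KB_PLACEHOLDER` stands in for the KB number of the update your patch team has approved (the page does not give it), and the script assumes WinRM is reachable, the caller has local administrator rights, and the targets run Windows 8 / Server 2012 or later, where `Get-SmbServerConfiguration` and the `NetSecurity` cmdlets exist.

```powershell
# Added example, not code from the thread or its linked advisories.
# Assumptions (not on the page): WinRM enabled, admin rights, Windows 8/2012+,
# and KB_PLACEHOLDER replaced with the approved security update's KB id.
$Hosts   = @('ws-clinic-01', 'ws-clinic-02')   # constructed sample hostnames
$PatchKb = 'KB_PLACEHOLDER'                    # placeholder: approved KB id

$report = Invoke-Command -ComputerName $Hosts -ScriptBlock {
    param($Kb)

    # Is the legacy SMBv1 server still switched on?
    $smb = Get-SmbServerConfiguration

    # Which enabled inbound firewall rules expose TCP 445 (the SMB server port)?
    $open445 = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '445' } |
        Select-Object -ExpandProperty DisplayName

    # Is the approved update present? Missing id -> $null -> $false.
    $patched = [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Host         = $env:COMPUTERNAME
        Smb1Enabled  = $smb.EnableSMB1Protocol
        PatchPresent = $patched
        Open445Rules = ($open445 -join '; ')
    }
} -ArgumentList $PatchKb

$report | Format-Table -AutoSize

# Worst case first: SMBv1 on, update missing, and 445 reachable inbound.
$report |
    Where-Object { $_.Smb1Enabled -and -not $_.PatchPresent -and $_.Open445Rules } |
    ForEach-Object { Write-Warning "$($_.Host): unpatched, SMB1 on, 445 open inbound" }
```

Run it from a management host and feed the warnings to the patch queue; the intent is a defensible "two months is enough" answer to the thread's question, backed by a per-host inventory rather than a guess. On hosts where `Get-SmbServerConfiguration` is unavailable (Windows 7 / Server 2008 R2), the equivalent check is the `SMB1` value under `HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters`, and the remediation on any host is `Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force` together with a firewall rule that only allows 445 from the file-server and management subnets that genuinely need it.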


SMB vulns courtesy of the NSA? As to shitty - how long do you think it takes reasonably to test these patches on thousands of servers? What no test on a critical health system?


It's literally as easy as installing a Windows update organization-wide. What is there to test? These aren't servers. These are workstations of common workers. Windows desktops mostly used for spreadsheets and playing solitaire.

I'd rather deploy a Windows update within 2 months of its release and be safe from a RCE vuln.


> workstations of common workers. Windows desktops mostly used for spreadsheets and playing solitaire

As a physician and researcher, this attitude from IT people is why you find physicians who don't like you.


Funny you should say that regarding attitude, doctor. One networking guy who used to work in a big hospital told me he hated working at the hospital because of the attitude of doctors there. Doctors with attitude of 'I'm god' really turned him off from working in the hospital setting.


No one in this thread claimed to be God. It's worth remembering that the whole point of Hospital IT is to facilitate the doctors' and administrators' work.


I wasn't referring to physicians, the NHS wasn't patient zero.


You have to test the patch against your images! You cannot simply roll out whatever shit Redmond sends you down the pipe, especially when they had to rush it out themselves due to a tip-off. That would be gross negligence. What if there was some device attached to that workstation keeping someone's machine on? How would you know what that workstation is doing?


> what if there was some device attached to that workstation keeping someone's machine on?

Then it shouldn't be connected to a non-secure network / the internet in the first place.


And isn't 2 months enough for that?

Also... images? :^) I think you're giving too much credit to the sysadmins in these organizations (and I talk from experience, can't say more).


You should know, of course, because the system was designed and this documentation is easily available and up to date.


> What is there to test? These aren't servers.

Such hubris.

When I worked night shift in emergency dispatch, our base network ops center pushed out an update that took our phone workstations offline. The phones that receive installation 911 calls and communiques from the command post. With no warning or notification of such an update.

Their reasoning? "We didn't think anyone would need it at 0300"


There are parts of the NHS who specifically do not patch.


And hopefully they have well-designed and regularly audited firewalling and access control paradigms. There are good reliability reasons behind not just sucking down every patch, but it needs to be coupled with smart security work.

And in any case that doesn't seem to be the issue here, per reporting. It's not NHS's reliability-critical systems that are owned, it's all their PCs.


Which they use to communicate between staff. I was at a renal clinic this afternoon and the staff there couldn't check to see if my doctor wanted them to do some bloods - so I can go back onto the transplant list.

If I am unlucky this means I could miss out on a potential donor kidney due to the delay.


Don't forget to glue the USB ports; yes, all of them. No, IT will need to set up a PXE server.


I'd hope so, too, but in what I've seen it generally isn't the case.


Software monoculture roosters are coming home...


The ransom from the address in the screenshot appears to have been paid: https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8is...

Here's another screenshot, with a different address: https://img.jes.xxx/1472

Also appears to be paid: https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNX...


Seems like it would be pretty easy to fake up one of those screenshots and put it on Twitter, in the hope someone would pay it.


So government agencies will negotiate with terrorists it seems?


What qualifies this as "terrorism"?


Terrorism is the wrong word. But in general it's game theoretically optimal to have a policy of never giving into blackmail. If you take a bunch of hostages and start making demands, the police will never let you get away with what you want. Because they know if they did, it would inspire many copycat crimes. For some reason cyber ransom is seen differently. Even though the stakes are much lower than a hostage situation.


It could also just be a stock photo from a much older attack.


The transaction occurred today.


> Also appears to be paid: https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNX....

Appears to be paid twice in fact; honestly I'd bet that it's people paying these as a joke rather than the NHS.


It's quite a lot of money to spend as a joke.

And multiple payments could occur if the software has a pre-populated list of addresses rather than generating a new one for each infected machine.

Of course, it could be the attacker sending money to himself to try to make victims think other people are paying.


Ransomware attacks are typically honest; in other words, if you pay, they unlock your files.


Do we have actual, hard data backing this up? I see this touted each time ransomware is involved, sometimes backed with the 'logical' argument that the business model would crumble if that wasn't the case. But I have yet to see any research into whether those ransomware really do unlock those files.


Not the commenter, and I also don't have data other than some anecdotal, but what benefit do the hackers gain by not unlocking data? If they stop unlocking, then people stop paying. It would become a lose-lose situation if they didn't follow through with their promises. Even criminals understand that.


I think the main benefit would be that they have a better chance of getting paid. Developing an unlocking mechanism is technically challenging and takes time and money to implement. It also adds risk - if there's an unlocking mechanism it's possible someone can crack it.

By not developing an unlock in the first place they can get it out quicker and have less risk. Sure, the next hacker may not get paid because they aren't trusted but for the most part we're talking about individual operations.


> if there's an unlocking mechanism it's possible someone can crack it.

Not at all. This is run-of-the-mill encryption. You pay the bitcoins, your computer receives the decryption key. There is no possible way to crack it, otherwise the entire internet would be broken. (i.e. TLS)


I don't follow - are you referring to this specific malware (which tbh I don't know much about) or ransomware in general? There have been plenty of ransomware cracks and decryptors released - programmers aren't perfect.

https://noransom.kaspersky.com/


Oh, just ransomware in general. I was under the impression that most of the big ones just did simple encryption, and hold the decryption key ransom on an external server. It would defeat the purpose if they kept the decryption key on the local machine, because yeah, then you could just release a tool like the ones you mentioned.


Except there've been multiple cases of ransomware where the encryption was improperly implemented and trivially cracked.

Similar to the entire internet, while the tools to securely encrypt things exist, incompetence can cause people to roll their own, or roll things out improperly.


Encryption is difficult to get right. Multiple ransomwares have failed because they screwed it up and it was possible to decrypt without paying. It's also time consuming. It takes a long time to encrypt every file on a hard drive and antivirus will scan for that kind of behavior.

Whereas throwing together a program that corrupts every file on the hard drive is not too difficult.


First the kill switch, now this: https://github.com/aguinet/wannakey

You were wrong.


Oh yeah I saw that, but this was also interesting:

> This is not really a mistake from the ransomware authors, as they properly use the Windows Crypto API. Indeed, for what I've tested, under Windows 10, CryptReleaseContext does cleanup the memory (and so this recovery technique won't work)

(From https://news.ycombinator.com/item?id=14377328)

So it's yet another security bug in Windows that lets people recover those keys.
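The recovery technique discussed above rests on a piece of RSA arithmetic worth seeing in full. The following is an added example, not code from wannakey or from anyone in this thread: a toy pure-Python RSA (constructed 128-bit primes, far too small for real use) that encrypts a "file key", then shows that if one prime `p` is still readable in process memory, the private exponent falls out of `n`, `e` and `p` in a few lines. The defensive lesson is the one the quoted comment makes: key material that is not zeroised after use is key material an attacker or a recovery tool can reuse. Function names (`keygen`, `recover_private_exponent`, `demo`) are this example's own.

```python
"""Recovering an RSA private key from one leaked prime (added example).

Toy RSA only: 128-bit primes, textbook (unpadded) encryption, no side-channel
care. It exists to show the arithmetic behind "the prime survived in memory,
so the key is recoverable", not to be used for anything real.
"""
import math
import random


def is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test with random bases."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int, rng: random.Random) -> int:
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def keygen(bits: int = 128, seed=None):
    """Return (n, e, d, p, q). A seed makes the toy key reproducible."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    e = 65537
    while True:
        p = gen_prime(bits, rng)
        q = gen_prime(bits, rng)
        if p == q:
            continue
        phi = (p - 1) * (q - 1)
        if math.gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)  # private exponent, unique in [0, phi)
    return p * q, e, d, p, q


def recover_private_exponent(n: int, e: int, leaked_prime: int) -> int:
    """Given the public key and ONE prime factor, rebuild d.

    This is the whole trick: q = n / p, phi = (p-1)(q-1), d = e^-1 mod phi.
    """
    if leaked_prime <= 1 or n % leaked_prime != 0:
        raise ValueError("leaked value is not a factor of n")
    other = n // leaked_prime
    phi = (leaked_prime - 1) * (other - 1)
    return pow(e, -1, phi)


def demo(seed: int = 2017) -> bool:
    """End to end: encrypt a constructed file key, leak p, recover and decrypt."""
    n, e, d, p, q = keygen(128, seed)
    # Constructed 128-bit "per-file key" (smaller than n, so textbook RSA works).
    file_key = int.from_bytes(b"constructed-16B!", "big")
    ciphertext = pow(file_key, e, n)           # what the victim is left with
    # Attacker/ransomware holds d. The victim's own memory still holds p ...
    d_recovered = recover_private_exponent(n, e, p)
    recovered_key = pow(ciphertext, d_recovered, n)
    return recovered_key == file_key and d_recovered == d


if __name__ == "__main__":
    print("recovery from leaked prime succeeded:", demo())
```

The recovery is symmetric: leaking `q` instead of `p` works identically, which is why a process that keeps either factor (or the CRT parameters derived from them) in memory after key generation has effectively not protected the private key at all.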


It's a tragedy of the commons problem. For any individual author of cryptolocker malware, your incentive is to just not bother writing an unlock mechanism. It's easier to just overwrite everything from /dev/urandom.

If a sufficiently large proportion of cryptolocker malware didn't actually have an unlock mechanism, it would become apparent quite quickly. We'd see reports on places like HN and SO, ultimately trickling out into the popular press. Only the most naive victims would ever bother paying the ransom, because it would be common knowledge that it doesn't work.

In the long run, ransomware is only successful if paying the ransom usually works. There may be an element of collusion amongst organised criminals, or simply a sense of personal pride by the authors.
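Whether a strain encrypts files or just overwrites them with random bytes, as the two comments above discuss, the on-disk effect is the same: a burst of high-entropy writes from one process. That is what behaviour-based antivirus and EDR rules key on, and it is why the detection does not care whether an unlock mechanism exists. The following is an added example, not code from any product or from this thread: a small detector that counts high-entropy file writes per process inside a sliding time window, run over constructed events for a benign editor, a simulated encryptor and a simulated wiper. Class and function names (`BulkEncryptionDetector`, `run_simulation`) and the sample paths are this example's own.

```python
"""Behaviour-based detection of bulk file encryption or wiping (added example).

Events are (timestamp, process, path, bytes_written); a real sensor would
feed these from a filesystem minifilter, auditd or similar. The same rule
flags an encryptor and a /dev/urandom wiper, because both produce many
near-8-bits-per-byte writes in a short time.
"""
import math
import os
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0; ciphertext and random data sit close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


class BulkEncryptionDetector:
    def __init__(self, window_sec: float = 5.0, min_files: int = 20,
                 entropy_threshold: float = 7.5) -> None:
        self.window_sec = window_sec
        self.min_files = min_files
        self.entropy_threshold = entropy_threshold
        # per process: recent (timestamp, path) of high-entropy writes
        self._hits: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)

    def observe(self, ts: float, process: str, path: str, data: bytes) -> Optional[str]:
        """Return an alert string when a process crosses the threshold, else None."""
        if shannon_entropy(data) < self.entropy_threshold:
            return None                      # plain text, office XML, logs ...
        recent = self._hits[process]
        recent.append((ts, path))
        while recent and ts - recent[0][0] > self.window_sec:
            recent.popleft()                 # slide the window forward
        distinct = {p for _, p in recent}
        if len(distinct) >= self.min_files:
            return (f"ALERT {process}: {len(distinct)} high-entropy file writes "
                    f"within {self.window_sec}s (latest: {path})")
        return None


def run_simulation() -> Dict[str, List[str]]:
    """Feed constructed events through one detector; return alerts per process."""
    det = BulkEncryptionDetector()
    alerts: Dict[str, List[str]] = {"winword": [], "encryptor": [], "wiper": []}

    # Benign: an editor saving low-entropy text, then one compressed archive.
    # A single zip save is high-entropy but never reaches min_files.
    text = b"Patient letter draft, plain ASCII text. " * 100
    for i in range(30):
        a = det.observe(i * 0.1, "winword", f"C:/Users/clinic/Documents/letter{i}.txt", text)
        if a:
            alerts["winword"].append(a)
    a = det.observe(3.5, "winword", "C:/Users/clinic/Documents/archive.zip", os.urandom(4096))
    if a:
        alerts["winword"].append(a)

    # Simulated encryptor: 40 files rewritten as ciphertext in two seconds.
    for i in range(40):
        a = det.observe(10.0 + i * 0.05, "encryptor",
                        f"//fileserver/share/record{i}.docx.encrypted", os.urandom(4096))
        if a:
            alerts["encryptor"].append(a)

    # Simulated wiper: same burst, but the "ciphertext" is just random bytes
    # written over the originals; indistinguishable to this rule.
    for i in range(40):
        a = det.observe(30.0 + i * 0.05, "wiper",
                        f"//fileserver/share/record{i}.docx", os.urandom(4096))
        if a:
            alerts["wiper"].append(a)
    return alerts


if __name__ == "__main__":
    for proc, hits in run_simulation().items():
        print(f"{proc}: {len(hits)} alert(s)", hits[:1])
```

The rate threshold is what keeps compressed or already-encrypted benign files (zips, JPEGs, password-safe databases) from firing on their own; a production rule would add the usual extra signals (extension rewrites, deletion of shadow copies, a ransom note dropped per directory) and respond by suspending the process and isolating the host rather than only logging.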


The collusion can happen without actual discussions.

Everybody understands that it is in their future business interest to unlock.


"but for the most part we're talking about individual operations" I'd actually argue against this. From what I've read, most of these are run by organized crime in eastern European countries or Russia.


I don't have any data, but a professor who taught me said that this is how it works. He's an expert on botnets and is in close contact with major AV vendors.


Yes (citation required, but I've read articles to that exact effect). This is what distinguishes this as organised crime vs petty vandalism. If the mob smashed up your place even after you paid the protection money, they'd go out of business.


Did you ever see an article about someone paying a ransom and not getting their data back?


Some ransomware (e.g. Hitler [1]) deletes files rather than encrypting them, making recovery impossible.

[1]: https://www.bleepingcomputer.com/news/security/development-v...


Sure, but if we were to use the same argument on that ransomware as the standard "encrypting" type, then if you pay before the time limit is up, it's still going to give you back your files.

Are there any examples where that's not the case? Where regardless of payment, you're still fucked (either by files not being decrypted or by them deleting regardless of payment?)


A coworker paid one for an organisation he helps out with IT issues. The files were unlocked.


Apparently, you can even try to negotiate with them.

http://www.radiolab.org/story/darkode/


lol, the three comments replying to you as of now are

1. Anecdote about the "logical" argument you already described

2. Anecdote from an internet person about an unnamed professor

3. A call to selection bias, with no hard evidence


What about really old ransomware where the payment release systems are no longer maintained? Are there some cases where old dead ransomware is still infecting people, but the scripts to unlock things on payment are no longer running?


My understanding is that the decryption key release is performed manually.


> Ransomware attacks are typically honest

For a rather generous interpretation of "honest" :)


If the malware wasn't removed, will it kick in again after a while, or does paying the ransom give you immunity?


> Of course, it could be the attacker sending money to himself to try to make victims think other people are paying.

Other people are definitely paying. The scheme stops working as soon as word gets out that paying doesn't restore your files.


A lot of people have a lot of bitcoin sitting around with no desire to cash out of it.


I've started buying it every time I get paid from my wage-slave job.

I don't know what to do with it. I mean some stores support it, and I found you can buy Amazon gift cards.

It's not like you just "turn it into cash" and Xappo is not supported in the US. I realize there are alternatives.

I don't have much anyway, but it's crazy! Worth more than gold. I wonder about that $4K value that someone estimated.

I'm just buying for FOMO I guess.


More likely the ransomware is not sophisticated and uses the same address for all its victims.

Typically it's just hard-coded and then they ask you to just email them with which transaction is yours to unlock. So you could just wait for somebody else to pay and then quickly claim their transaction first..


We already know multiple addresses have been used.

Apart from that, I agree: I suspect it has a hardcoded list of addresses and it picks one at random.


I would guess that multiple people within the NHS may also just be acting in an uncoordinated manner to see if a relatively tiny sum can just make this go away. I would further expect that a spend on this small scale would be in the discretion of many managers at the NHS.

(UPDATE: sounds like there are many more impacted parties since I first commented, so my comment is likely much less correct.)


I doubt people are sending ~233 British Pounds(~300 USD), according to current exchange rates, as a joke.

Edit. Corrected currency to the Pound.


I think you've done it backwards. $300USD would cost someone in the UK £233GBP.


You're right. Thanks.


557k USD


where do you see k in the article? It's £300, not £300k


I guess I read it too fast and made a confusion with the numbers. I thought it was 300 bitcoins, which at ~$1800 each would total 540k USD. Too bad I got downvoted just because of this.


I think it is more likely to be a mistake made by someone new to using bitcoin.


Friend of mine who works for the NHS sent me the following email:

All of NHS PCs and hospital systems have gone down from a ransomware trojan!

I have a full clinic this afternoon, and no way to look at my patients' histories, or meds. It's a damned disgrace.

The Trojan is demanding some bitcoins be paid, else they'll lose the boxen.

The entire NHS is penetrated.

I can't vouch for "the entire NHS is penetrated"


Telefónica (the largest telecom operator in Spain) is having the same issue. There are a few thousand workers who are not working; it's a disaster!


Same in Portugal (confirmed to be affecting PT, one of the biggest telecom companies, and EDP, the biggest electricity company)

https://www.publico.pt/2017/05/12/tecnologia/noticia/ataque-...


I don't mean to be dramatic here folks, but multiple coordinated infrastructure attacks are a form of warfare. This is literally shaping the battle space. Correlation is not causation and all that, but while people are standing around comparing their knowledge of how to deploy zero-day exploits and which isms it would be satisfying to blame during some future retrospective, the systems we depend on are being actively compromised.


hmmm... that doesn't sound like a 'cyber attack' as much as it sounds like 'getting owned by a trojan'


From my knowledge of NHS IT, it is reasonably hard at the perimeter but with a very soft chewy unprotected centre. I am not surprised this went round like Billy-O once inside.


A 'coordinated' attack apparently unless it is a very agile worm, lots of disparate unconnected levels being hit - such as GP surgeries (local clinics) to large hospitals A&E (ER). The common factor being the widescale abuse of @nhs.net as the email provider for all. Local GPs not meant to be using it at all.


What is the reason local GPs are not meant to use NHS.net email? I work in the sector and I thought it was policy to have them use it as the approved platform to securely communicate with secondary care.


GPs absolutely do use nhs.net; that's how they communicate. It's supposed to be secure enough to send medical records. If you go for a blood test or something, that's how the results come back.


It's apparently using the leaked NSA SMB exploits, so once it hits their internal networks any systems which aren't patched are probably going to get exploited pretty much instantly.


What makes you think GPs are not allowed to use nhs.net email?

https://s3-eu-west-1.amazonaws.com/comms-mat/Comms-Archive/J...

> A nominated Local Organisation Administrator (LOA). For primary care organisations, specifically GP practices, pharmacies, optometrists and dentists this is provided by NHS England Area Teams. Where appropriate, Department Administrators may be nominated.


Not necessarily a coordinated attack, it could be a technique which is exploiting some weakness in security practices and they happen to have hit on these systems.


'Cyberattack' seems to be the latest buzzword that tech journalists like to use. I'll agree that all the information I've seen points at this being a regular trojan rather than some targeted hacking. Will be interesting to see how it started.

Maybe targeted emails with attachments?


Sometimes I wonder how much of the economic activity in bitcoin is generated by ransomware.


I'm pretty sure it is a really good chunk. Probably only trumped by drug deals.


Wow that sounds bad.


Seems like non-targeted ransomware - https://twitter.com/ShaunLintern/status/863032223469056004 - based on the modest $300 request.

Note: I've zero idea if that screenshot is legit but it's posted on The Health Care Journal website so it likely is.

Edit:

- Earliest Google result for "WanaDecryptor" is from Aug 2015 (All other search results are from today):

> almost all of the files on the D drive is encrypted. C is not touched by the disc. file found is in the ProgramData folder, there is a hidden folder, the virus in it. When you delete a folder that is created again and the process starts again.

http://www.cyberforum.ru/viruses/thread1979411.html

http://www.cyberforum.ru/viruses/thread1979358.html

- Discussion from today mentioning it infecting Spanish Telecoms: http://gta-trinity.ru/forum/index.php?/topic/57671-novejshij....


At a security seminar last year I got to hear an expert talk about tracking down ransomware over the course of a couple of years. He said, no matter what the value of bitcoin the price gets adjusted to be equivalent to $300. That is the presumed sweet spot where people realize it's worth the money to save their data.


Existing discussion thread: https://news.ycombinator.com/item?id=14324129

---------

Shutting everything down seems like a really rash response, especially when these systems seem to be used for critical communication e.g. the phones too. The Twitter messages seem to suggest that doctors are seeing this on their personal machines, but why would this impact the phone system? Are they not separated out?

I'm also really curious as to how this started. The article mentions a "bug" in the IT systems - some sort of novel zero day in the software they're using that was exploited remotely? Or is it more likely someone screwed up and ran something without thinking?

There are reports on twitter that this is impacting X-rays, pagers as well as the phone system. This is ridiculous if true and suggests there have been some major failings when putting this infrastructure in place. Perhaps underinvestment in IT is to blame.


> Perhaps underinvestment in IT is to blame.

Or, indeed, over-investment in trash-tier IT services provided by blood-sucking IT consulting companies.

I've seen the insides of some UK Government IT systems (not the NHS), and it's astonishing how little functional software one can get in exchange for a few hundred million sterling.

That, and the bitrot of holding on to ancient, never-updated IT systems.

[Edit], back on topic, I sincerely hope whoever did this is burned alive for their crimes.


To be fair - healthcare IT infrastructure sucks everywhere, even in the country most well-known for remarkably expensive privatised healthcare. It's not really obvious at this point how to fix it. Have the Government Digital Service or similar work on it directly and ditch the contractors?


> Have the Government Digital Service or similar work on it directly and ditch the contractors?

Basically, yes. Bring it all in-house, ban the contractors/consultants/mercenaries/etc. Remove the profit motive and suddenly you don't have millions of dollars/pounds being siphoned off by vampiric consultancies and third-party vendors. Suddenly you can spend tax-payers money in a sane and rational way.

Hire a bunch of talented people who care about the wellbeing of their nation state, pay them well enough and task them with building the best systems possible in the most efficient way possible.


This is what should have happened instead of the disastrous NPfIT. It took years and none of the big players (Accenture, BT, Fujitsu, CSC) could even agree what a fucking medical record should look like because nobody was willing/able to concede anything.

If it had been an in-house project with actual experts employed in building/deploying on a smallish scale (say, a town or county) and then rolling out it could have been a thing of beauty.

It should have been what AlphaGov became.


> Hire a bunch of talented people who care about the wellbeing of their nation state, pay them well enough

This is impossible. Any large organization eventually resorts to using pay scales to combat corruption. When the right people will be 10+x more effective than the wrong people, pay scales are impossible.

Literally the entire reason why large organizations resort to hiring contractors is because they know it's impossible for them to hire good people directly.


I agree with your solution, but there is far, far less blood sucking going on than you might imagine and far, far more organizational incompetence. That is, organizations hire contractors and then don't know how to tell them what they want, but simultaneously refuse to let the contractor have initiative because they don't know how to set up a pay structure for it. Businesses screw themselves.


Yeah but the truth isn't as exciting as thinking you can write DJango app to save the NHS. It's far more fun to think you can knock something up with your friends in a few months.

Then requirements start coming in, the stakeholders, the politics. The multi faceted organizations, the disparate teams with never ending edge cases.

3 years later when it's past phase 2 and creaking at the seams, along comes the next upstart... DJango! Which idiot picked that?!!! Me n my friends could....


This is a great idea, but since it's practically to the left of Corbyn I can't see any chance of it being enacted.


Without giving too much away, I've been involved in just such an initiative, and it was _awesome_.

However, in the context of an established organisation it's really hard to pull off, and so we eventually ran into serious pushback from other factions within the org, particularly the established IT Ops folk.

Still, it can be done, and it can be a raging success. Especially gratifying when you spend two days writing up a system in Python which replaces some 90's garbage that's costing the organisation 200k per year in licenses.

Killing Leeches is fun.


This. A million times this. I think at this point the tech community should be vocal about this issue.

Tech has improved ten-fold this last decade, and IT consulting services simply don't care because they profit hugely from it. What makes this issue even harder to solve is the fact that IT is so simple to hide because society does not understand it enough.

Similar to the Tech Pledge, we should stand and be very vocal about the fact that you CAN build strong, secure and relatively cheap systems. If we don't do this, who else will?

We're stuck between a part of the industry which benefits from this (and especially the big bosses; they don't care about the developers either) and a society which doesn't see the value of homegrown (as in company/government-grown) tech talent and the tenfold decreases in IT spending it could entail.

Please, Sam Altman? Someone? Please?


Was that related to one of the NHS hack days?

> eventually ran into serious pushback from other factions within the org, particularly the established IT Ops folk

"Mordac, preventer of information services"

Thank you very much for fixing this kind of thing, seriously.


Can I ask, how did the employees fit in with the payment structure? My feeling has been that the NHS simply can't hire talented staff on the wages they expect because the pay grades don't go up that high. Hence hiring contractors.


Had exactly the same.

100 user system, Windows CALs and RDS licenses per user = a lot of money. Found only 40 users needed the CALs, rest were fine on Linux.

Took the devil of a job to persuade them this, as the Microsoft rep told them they couldn't.


In an organisation like the NHS, something like Active Directory becomes almost mandatory.

Open source equivalents are nowhere near as good.


Not the same thing I'm on about. Can't say too much, but was on a system where for majority of users they didn't even touch a Windows server or AD.


It is my understanding that the DWP has brought a lot of its IT back in house.

edit: I should say some, as to be fair, I'm not 100% sure of the extent of this.


My team at NHS Digital is building a replacement for the NHS website [1] in-house.

[1] http://www.nhs.uk/


How does it suck? Everywhere I look hospitals have dumb PCs connected securely to cloud services for applications, primarily Citrix or web-based portals hosted by a trusted contractor or the hospital themselves.


There's an awful lot of network-connected, really badly written, often unsupported software in healthcare, that uses proprietary formats. VDI doesn't save you if what's on the other end has to be Windows XP to run your shitty software that'd cost your IT department's entire budget for a year to replace and retrain users.


The whole EHR market is absolute crap in Canada too. You have around 10 competing standards with no interoperability, multiple data sources cobbled together through webpage links, and all running on a slow as fuck central server that you Citrix into.

Another research department I worked at was seriously underfunded, which resulted in questionable decisions, such as using Roundcube for email, and a central shared drive with a Microsoft Access database containing patient data. Hospitals have terrible security.


What is the issue or alternative to Roundcube? I thought they were pretty good.


It's a terrible UI for webmail, and our webmail was subject to a hack a few weeks ago, and they've since closed off WAN access. I'm pretty sure it was related to roundcube. Which is a bummer.


I wonder if it would be appropriate to "dramatically overreact" and send in the SAS or similar to send a polite message that mucking with the NHS is really not a good idea.

Maybe offer a decent reward - say £10 million - for information leading to the identification of the culprits.


If this trend of targeting large institutions continues, yeah, I can see someone eventually "overreacting" with black ops.

This said, they're probably popping champagne at Tory HQ right about now.


wouldn't they be popping corks at Labour HQ? I mean, this isn't really "strong and stable"...


Labour won't attack on this because they know it might have happened to them just as easily, whereas it fits the Tory narrative that "the NHS is useless and should be privatised" with almost no spin.


The NHS is fundamentally a socialist endeavour - any failings in it are obviously the fault of socialism!


Most of my local Tories know that any kind of direct assault on the NHS would result in instant annihilation at the next election.

There are more subtle methods of course including outrageously broken internal market management restructures (Stafford Hospital Trust, 'fund holding GPs' in the time of Thatcher) and the like.


I suspect that if this does happen it will more likely be the French retaliating against the hacking of the election; the French version of SAS/DELTA don't fuck about.


Exactly this. Whenever anything comes to tender, out of the usual three on the table, the cheapest will always be chosen.

And because departments are left to their own devices, they solve all their problems with shared drives and excel sheets.

Ransomware is the hero we didn't ask for.


Or, indeed, over-investment in trash-tier IT services

Yeah, I think this is probably closer to what's happening.

I've worked with some of these Enterprise-level IT consultancies in the past. I do understand that it's quite a different market from the lean, tech-focused web development market, but some of the solutions I've seen implemented are shockingly bad.


Everything is a "bug" according to most journalists. We'll probably get something a bit more coherent from Ars Technica or The Register.

WRT the failings: I've worked in IT in the UK for more than 25 years, and I have never (until now) worked in a place that took security seriously. That includes schools, a large accountancy firm, several well-known public sector establishments, a political campaign, etc. "Optimistic security" is the model here, and hospitals have huge rambling networks with many legacy systems and third-party solutions. I would be surprised if they don't have security issues. Where they are secure, it's probably down to some unsung hero(es) somewhere, who took it on themselves to push security. (I've done this myself and it's a thankless task; nobody notices or cares. Dogs not barking, etc.)


> Everything is a "bug" according to most journalists. We'll probably get something a bit more coherent from Ars Technica or The Register.

That's a good point, tech journalism is usually pretty poor.

https://twitter.com/ShaunLintern/status/863039464649744384 suggests it's significantly more boring than a zero-day (though still incredibly problematic).

Your experiences with UK IT make for depressing reading.


> Your experiences with UK IT make for depressing reading.

I am astonished that even skilled techies don't take security seriously, using passwords like their car registration or company name - I've seen that with a military contractor, ffs. People who had signed the Official Secrets Act and had network links into supposedly secure sites. It depresses me too.


People have this insane notion that one line of defense is enough, or they have the equally insane notion that no one wants to take something they have.

People have a really hard time evaluating simple risk/reward models. You have to make the reward of attacking you higher than any possible reward to have a reasonable chance at security. If anyone anywhere on the Internet can profit by your loss, eventually someone will try.

EDIT - To make life even more difficult sometimes the attack provides gains indirectly. Imagine one group of politicians attacking a service supported by another political faction, just that service going down profits the first group if it changes who voters vote for.


From my perspective it's a fundamental problem with incentives. Good security costs time and money, never gets return gains, and no one will put money up that won't ever see a ROI. So incredibly short-sighted; depressing indeed.



Is there some kind of saying: You can't secure a network that contains legacy systems?

Start from scratch, don't connect anything legacy. Assume the LAN is already penetrated and design for that. Store no data locally, client machines run something like ChromeOS by default. Timeout anything that's not used for 6 months. Don't use passwords, only SmartCards. Snapshot data for ease of restore.


> Start from scratch, don't connect anything legacy

The myth of the clean sweep. Personally, I've found such systems tend to be late, wrong and inevitably end up resembling what they replace, warts-and-all. This is because systems tend to mirror the organisational and political context they are in, and most programmers today are not significantly better than those who came before them. Quote me all the exceptions you like, this is my experience.

https://en.wikipedia.org/wiki/Conway's_law


Don't you think that, perhaps, replacing a dependency on a centralized infrastructure by replacing the entire system by centralized infrastructure, owned by a foreign company, might not be the smartest idea?

Systems that can't depend on the outside, obviously, cannot use cloud services. That means no ChromeOS, no Active Directory, nothing but the local network. This is beyond obvious, and yet, I actually believe we'll be stupid enough to do exactly the centralization thing.

Paying $300 to these crooks, incidentally, will be a LOT cheaper than whatever Microsoft or any other company will ask for the centralized infrastructure. Not that I suggest doing that, but still.


I did say something like, just take ChromiumOS and run your own servers.

All systems depend on the outside to some extent anyway.

Is it $300, or $300 per machine? Why can't the machines just be reimaged, what kind of giant corporation doesn't have that working automatically?


$300 per machine. Issue is that ransomware also encrypts all files on shared drives.

But a problem with the approach of centralization taken by something like ChromeOS which uses Google accounts (or I guess Win10S which uses ms accounts) is that you're attempting to prevent one player from holding you hostage by giving yourself hostage to another. This is not going to work to prevent paying through the nose, although yes, your new hostage takers will probably realize that the NHS will be able to pay more when it actually takes care of patients. Not too well, of course, good enough to make sure it isn't replaced or repealed. Badly enough so that constant complaints ensure a fresh budget injection every quarter.


They're already being held hostage by 1000s of companies who won't update their crappy software so it runs properly, allowing them to install OS updates rapidly.

As I said, like ChromeOS, it's perfectly possible to run your own servers; you don't need to pay Google or Microsoft.

https://www.chromium.org/developers/how-tos/enterprise/runni...


Investment Banks take it seriously. So seriously some clown in IT Sec cut off the links to 3rd party libraries from the internal Nexus.


We've merged threads with that original from https://news.ycombinator.com/item?id=14324303.


VoIP phones run on Windows servers! Thanks Cisco.


This is apparently part of a coordinated ransomware campaign targeting large corporations in Europe, only a few of which are making the news at this time. Some other links:

https://www.ft.com/content/74c666ec-8dc7-3b20-b573-245bc0e9d...

http://www.impala.pt/noticias/pt-alvo-ataque-informatico/ [PT]


Caught wind of this earlier today with a European client. We were advised to not connect to their network via VPN. Looks like it's a large scale attack that's affecting more than just hospitals in England.

These could be a coincidence though.

Here is a source article talking about a Spanish TelCo: https://www.usnews.com/news/technology/articles/2017-05-12/s...


It is large scale all across Europe. NHS is only one among many (we are smack in the middle of it)


This is really fun to see two ransom threads on top of HN.

This one asking for $300 to the NHS and the other one asking for $600 000 to a phone provider.

Either the criminals have no idea what the NHS is or $300 is the limit of what middle managers can pay without much approval.


It's almost certainly simply a widely-targeted email that was "intended" to hit individuals via mass spam that happened to hit the wrong individual (who is probably having a Very Bad Day now) and took down the NHS. And my "almost certainly" is really just my inner engineer hedging; the fact that they're asking hundreds of euros worth of ransom for so much is basically proof of what I said.

Unfortunately, the state of security right now is such that these wide-band transmissions can still pick up a lot of hits.


>Hackers are demanding a payment of $300 per machine, roughly equal to 300 Bitcoins currently worth around 510,000 euros.

Same cost for Telefonica - just "per machine".


For reference the other thread is https://news.ycombinator.com/item?id=14325380 "Telefonica Is Target of $600,000 Bitcoin Ransomware Attack"


NHS systems are remarkably un-integrated. Communication, especially between trusts and external organisations like GPs, is often by email. I'll be surprised if this isn't an email worm.


They had a fiasco in November by sending an email org-wide which had "reply-all" enabled. So they clearly don't follow best practice.

http://www.bbc.co.uk/news/technology-37979456


NHS Digital have released a comment: https://www.digital.nhs.uk/article/1491/Statement-on-reporte...

===begin quote===

A number of NHS organisations have reported to NHS Digital that they have been affected by a ransomware attack which is affecting a number of different organisations.

The investigation is at an early stage but we believe the malware variant is Wanna Decryptor.

At this stage we do not have any evidence that patient data has been accessed. We will continue to work with affected organisations to confirm this.

NHS Digital is working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organisations and to recommend appropriate mitigations.

This attack was not specifically targeted at the NHS and is affecting organisations from across a range of sectors.

Our focus is on supporting organisations to manage the incident swiftly and decisively, but we will continue to communicate with NHS colleagues and will share more information as it becomes available.

Notes to editors: As at 15.30, 16 NHS organisations had reported that they were affected by this issue.

===end quote===

I'd be interested to know how many patients are under the care of those 16 organisations.


It's now up to 33! And an individual trust covers a large area and several hospitals.


Do we know which 16 are affected?


I don't. It's frustrating - I have no idea if these are tiny hospital trusts or a massive CCG or massive multi-county trusts.



The BBC have tweeted a screenshot[1] showing another address as well, showing a lot of activity at the address[2]

1: https://twitter.com/BBCBreaking/status/863046075002884097

2: https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6N...


For those wondering, while I'm writing this, these Bitcoin addresses store $7771.84 (according to XE).


NHS IT is, of course, vastly under-funded compared to even modest startups, and entangled in bureaucracy of upgrades. I used to work with someone who was one of two sysadmins for a hospital of several thousand staff.


This is partly a consequence of the NHS Connecting for Health debacle, which on an original budget of £2.3 billion managed to hit a projected cost of £12.4bn with almost nothing to show for it apart from a patchy implementation of Choose and Book.

https://en.wikipedia.org/wiki/NHS_Connecting_for_Health#Cost...


Booze and Chuck, for the uninitiated.


Two weeks ago I contacted my Congressman explaining how important encryption and general IT security is. While he said he agreed with me in principle, he said that terrorism is such a huge problem that things like back doors, weaker encryption, etc. are more important than strong encryption and general IT security. His reply was lengthy, but didn't say what I wanted to hear.


I'm aware of a number of people pushing for similar types of initiatives, though I don't know of a combined effort.

Word I've heard is that working through the DC office liaison is probably the more effective route.


This would be a good time to follow up. Point to the real world example of how in the real world terrorists, foreign nations, etc can and will use the backdoors for FAR more evil than they could ever do good.


Hey, this congresscritter actually answered. You have it on record saying something that may haunt it. My congresscritter ignores that kind of missive.


For $300, even per machine, it seems like a cheap "mind your backup/restore system" lesson.


>> $300, even per machine

Plus potentially hundreds of cancelled procedures, including all electives for the next two days, cancelled GP appointments, etc. etc. The lesson is going to cost a lot more than $300 per machine (and as it's per machine that could end up being $300k per hospital when you consider the number of machines they have).


Why would they even have anything close to 1000 machines storing data though? Not even sloppy, that just seems outright difficult to manage.


I didn't consider the 'storing data' aspect as I'm not sure how the ransomware works. I thought it was taking each machine hostage (not just the networked storage).


With all the extra funds that the NHS will be getting thanks to Brexit, paying for that lesson won't be a problem. /s


A GP in the NHS may see as many as 70 or more patients per day. Multiply that by half a dozen or more of those doctors working in a medium or large practice, and even just losing this morning's data potentially means hundreds of patients being affected if the server at that surgery is compromised. That's for a single surgery; there are dozens of surgeries in my city alone.

In the NHS, GPs are usually the first point of contact for anything serious that doesn't result in an immediate trip to hospital, as well as for general medical advice or minor treatment, so the effects could be anything from disrupting someone's recovery from a sports injury to losing a referral to a specialist for something serious like cancer or a heart condition.

Obviously if this affects the systems used by the specialists who are actively treating serious conditions, the consequences could also be horrendous: lost records of appointments, medical histories, test results that can take weeks to obtain, etc.

There will, sadly, be nothing cheap about the lesson here. The cost will almost certainly be measured in human lives, and whoever did this should be charged with at least attempted murder.


This could have been a sophisticated attempt to guess how much spare cash the NHS actually has these days.


300 Bitcoin equals 524982.00 US Dollar

Edit: Oh, it's indeed USD$300 in Bitcoin that is asked. Cheap!


It's not 300 bitcoin


Ransomware is doing a good job of partitioning sensitive data from those that should not be (mis)managing it.


Like the NHS didn't have enough problems with unhappy staff, unfilled positions and Brexit looming... very uncool.


The NHS is notorious for using outdated software, so I'm surprised it's taken so long. We build websites for third-sector organisations who often deal with the NHS and we're only just now persuading them to drop support for Windows XP / IE8.


Yeah, I left the NHS in 2009 after much frustration in trying to implement modern(ish) replacements for various reporting systems. Every idea was discussed and watered down until what's left was neither use nor ornament.

There are many great and extremely dedicated employees but the vendor lock-in has painted them into many (disparate) corners.


This must be a new virus. It is hitting Spanish and Portuguese telecoms. https://www.usnews.com/news/technology/articles/2017-05-12/s...

http://sicnoticias.sapo.pt/pais/2017-05-12-PT-Vodafone-EDP-e... (Portuguese)

The worrying part is distribution and essential companies and services.



Classic. GCHQ and NSA are joined at the hip. If telefonica are right and it's spreading through the NSA hacks revealed by the Shadow Brokers then GCHQ/5-eyes has some responsibility for what's been happening.


Exactly. I'd hope something good would come out of this, i.e. no exploit hoarding by the NSA/CESG, but instead they'll double down and use it as a reason to remove even more of our rights online.


A Dutch news article is claiming that ransomware can be fixed by "big IT security companies". [1] I thought there was no fix to these cyber-attacks unless you have a backup. I am interested in how any fixes are possible.

[1] http://nos.nl/artikel/2172840-waarschuwing-voor-grote-intern...


Telefónica, the main telecommunications provider in Spain, is also hit. Employees were instructed to shut down their PCs and go home.


Damn. I wonder how much money they lost due to the decrease in productivity.


Technically speaking, productivity is the amount of output per unit of time worked; working less time typically reduces both the numerator and the denominator, so it doesn't necessarily affect productivity.


But this definitely impacts the production, i.e. the total amount of output.


Operations kept working; it's just the office stuff that went down, and a bunch of web apps used to get status info on DSLAMs and a bunch more subsystems. It is bad, but not as bad as a total disaster.


Does it not make sense to have a "sub-layer", a local network of files, rather than files being accessible from outside? I guess once "something" is in, like that Iran Stuxnet PLC attack, then it's inside and can execute from within.

Unless it's like a local attack whether by a worker or something like found a thumb drive outside, plugged it into my work computer.

not my field


I wonder how many of these systems have already been exploited (silently) in order to extract things like patient details? Scary.


It seems like for that amount of money, you could have tried doing a bug bounty instead :/

I get that this is probably social hacking/phishing, so not really analogous -- but I wonder if there's a way to apply that kind of mentality to good. I wonder if there's white hat phishing (though I guess that might be oxymoronic).


Spain's biggest telecom and others have been hit too: http://www.elmundo.es/tecnologia/2017/05/12/59158a8ce5fdea19...

WannaCry ransomware is the culprit.


Shutting everything down seems like a really rash response, especially when these systems seem to be used for critical communication e.g. the phones too. The Twitter messages seem to suggest that doctors are seeing this on their personal machines, but why would this impact the phone system? Are they not separated out?

I'm also really curious as to how this started. The article mentions a "bug" in the IT systems - some sort of novel zero day in the software they're using that was exploited remotely? Or is it more likely someone screwed up and ran something without thinking?

Edit: There are reports on twitter that this is impacting X-rays, pagers as well as the phone system. This is ridiculous if true and suggests there have been some major failings when putting this infrastructure in place.


>There are reports on twitter that this is impacting X-rays, pagers as well as the phone system. This is ridiculous if true and suggests there have been some major failings when putting this infrastructure in place.

Take a look at that operating system and the UI from the article and tell me how that's unexpected.


That will be stock photography, rather than taken today.


It is still accurate. We still have XP machines floating around our campus. They are running EMR software.


Christ. There is no excuse for that whatsoever. A live machine?


If the software doesn't run on versions higher than XP, then there's no alternative. There's a lot of expensive equipment which is stuck on XP.


Virtual machines are a thing.


How does that help? We're talking about devices that need, for whatever driver-related reason, to run on the bare metal.

A non-health example: http://www.effectivebits.net/2011/08/to-run-windows-or-not-t...


And medical devices cannot just be modified after they are approved for medical use. Any changes must be introduced by the original vendor (or an approved 3rd party vendor) and put through a barrage of tests and certifications needed to release such a device for use on a human. Those include EMC/EMI testing, QC testing, safety testing, RF testing, clinical trials, regulatory compliance, etc.

When you buy a medical device running Windows 3.1, it will run that until it is thrown away or replaced.


>There is no excuse for that whatsoever.

Except for budget and non-technical leadership in technical leadership roles.


Are they paying Microsoft for extended support?


Yes. NHS has a national level support agreement for XP. There are a lot of legacy systems and it's not just the bother of replacing the system, there are a lot of front line staff who only know how to use specific applications and are not generally computer literate so moving them to new systems will slow everything down for weeks or months as they learn a new application.


What does this cover provide? Any ideas? I assume every customer is different?


I'm not sure which article you were referencing, but the pictures in the Guardian piece clearly show Windows 7.


If it's hitting everything it seems like it's just forking everywhere. For it to do that there must be some _really_ bad security practices.


How on earth could an X-ray machine be affected? Why the hell does the NHS have an X-ray connected to the Internet?


It's hopefully not connected to the internet, but to the local network. Many medical appliances in hospitals expose remote control over regular TCP/IP, preferably running Windows XP or CE.


I wasn't seriously suggesting it was directly connected, but my understanding (and I am far from knowledgeable when it comes to security) is that mission-critical devices should be physically 'firewalled' from the Internet, and even any network.


If you do that, how do the images get from the x-ray machine to the radiologist for analysis? How do they end up as part of the electronic health record & accessible for future use? If you create an air gap and ask people to use USB sticks to move data from "mission-critical" systems to the main network, you only slightly reduce the risk of those systems becoming infected and you now have a situation that's much less convenient (time is money) and creates a new vector for leaking personal health information.


They should be; but security in government organisations is pretty bad. They are heavy on security on it, but in completely ineffectual areas.


This recently happened to a hospital in Buffalo NY: http://www.wgrz.com/news/local/ecmc-still-fixing-computer-sy...


If only intelligence agencies spent as much money and effort on securing their critical systems as they invest in sabotaging other countries' infrastructure. Maybe putting defense first would be helpful, especially considering how easy the proliferation of offensive tools is.


Something like this (though I don't know if it was targeted or a combination of luck+poor procedures) took down > 400 medical practices hosted by Greenway a few weeks ago. Some were down for as much as 9 days, and at day 11 I know of one that still didn't have access to their scanned documents.

Greenway had backup procedures in place, but they were file-based - backing up databases, transaction logs, files, etc. and able to restore them onto a new server image as required. The problem arose when they had to do that for hundreds of customer servers at once.

One of my customers knew there was a big problem when she signed onto their server (Intergy On Demand, hosted by Greenway, accessed via RDP) and saw ransom icons on the server desktop.


I would be interested in finding a medical doctor's or a biologist's perspective on this. Suppose we consider the NHS to be a body, in the greater environment of the internet/economy/government. What traits of that environment led to the evolution of this ransomware pathogen? Now that we have had a massive, but not lethal exposure to it, how can we build up an immunity? What changes to the environment would eliminate the refuges of this pathogen?


It's like when smallpox was brought to the New World... the NHS's internal IT, existing in isolation, hasn't developed immunity to pathogens which are common elsewhere (i.e. they stopped installing Windows security updates).

There may be certain mission-critical, non-internet-connected machines for which it's still safer not to install updates, but for the average doctor's workstation it will probably become the norm to install Windows patches.

Where I live, doctors have more freedom in how they run their clinics and IT. That probably causes its own problems, but at least they're free to run a modern version of their OS and keep it patched. This kind of virus wouldn't affect us the same way since there's no top-down tech policy which prevents individual doctors from following good security practices; in fact, if you just follow all the recommended settings when installing Windows/macOS, you'll end up with automated patching by default.

So if you really want an epidemiological analogy, maybe the best one is a monoclonal, monoculture crop (e.g. the Gros Michel banana) being decimated by a pathogen which has just evolved the ability to infect it: take down one banana, and you take them all. Take down one English doctor's computer...


"There is no evidence patient data has been compromised, NHS Digital has said."

Um, doesn't "encrypted beyond your reach" fall somewhere under "compromised?"


Well, hopefully they have backups, but the point of this statement is to reassure everyone that patient data has not been leaked.


The parent article does not use the word "Microsoft".


It says the attack hit multiple sites simultaneously. A worker said that the ransomware came through on the computers around 2pm.

This doesn't sound like a spread by phishing or attachment.

How could such an attack be co-ordinated?

I can think of two possibilities:

1) The attack has been spreading over days or weeks with a trigger date for activation.

2) The ransomware has been distributed through the desktop update system.

Any other ideas?


3) The internal networks are open enough that something worm-y can rapidly spread through bugs in common services (file shares or something like that), once it has infected one internal machine through some other channel.


This is affecting pretty much all Europe. We are shutting down everything here: France, UK, Italy, Spain, Sweden, ...


Same attack happened in China. Most of the affected are college students.


The BMJ published an article recently about hackers targeting hospitals, "The hackers holding hospitals to ransom": http://www.bmj.com/content/357/bmj.j2214



Maybe related to the cyber attack on Telefonica? http://www.elmundo.es/tecnologia/2017/05/12/59158a8ce5fdea19...


I think the most interesting aspect of all this is that it's clear evidence that even machines possessing highly sensitive data (like NHS computers) are super vulnerable to any remote penetration. The request for a ransom may just be the tip of the iceberg here.


I think it's just evidence of a decrepit IT system. They were caught because they were running Windows XP with inadequate or no anti-virus software. They would not have the problem if they'd been running patched Windows 7. Microsoft fixed the vuln in March.



Here's a list of the trusts / etc that are affected.

https://twitter.com/ShaunLintern/status/863116822228422656


Strange question but why is this data in file-systems and not on SQL/Cloud systems?


I wonder what the odds are that an attack on infrastructure like this could kill someone?


I honestly do not care if people use a proprietary closed-source operating system, but it freaks me out on an existential level that important things that might kill you are closed source.

Life support machines, x-ray machines, heart-rate monitoring machines, even voting machines. Nobody knows what's going on in there, and a software fault or hack could be the end of you. Like that Toyota "unintended acceleration" bug which would've been discovered a lot sooner had other people been looking at the code.

This is also coupled with the fact that these vendors, for reasons that challenge the absolute limits of my comprehension, insist on using old versions of Windows. I would not be surprised if equipment of that sort sold today still runs unpatched versions of Windows XP.

ATMs and cash-registers are likewise a total farce. Some of them are packaged so poorly it should be criminal.



Every time I go through one of the airport scanners I think about that particular event.

Who knows if an intern forgot to convert properly and the thing spews out a million times more radiation than intended.


Very high. The disruption caused delayed countless operations, ambulances and GP visits. People will have missed vital medical assistance as a result, and that could easily be fatal.


And this is the reason why you don't centralize critical infrastructure and don't put yourself in vendor lock-ins.

Makes me wonder how many of those infected machines didn't have to be connected to the internet in the first place.


NHS isn't centralised. And not really locked in. NHS relies on a patchwork of legacy software.

Each trust and hospital handles IT their own way. Which is why some are affected and some are not.

So far it spread via file sharing and emails.

The main issue is they don't patch, and update their stuff!



If I were CEO of one of the big companies I would fire the CIO for not tracking critical patching and I would later resign for not making him/her accountable until now.


How is this attack being distributed? It can't take much user involvement, or it wouldn't be hitting large numbers of systems that only run in-house applications.


It looks like it was MS17-010/EternalBlue, or at least that's what Twitter is saying.

https://twitter.com/AdamTheAnalyst/status/863040924783345665
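The two comments above on the spread mechanism (a worm reaching neighbouring machines through a bug in a common service such as file sharing, and the SMB vulnerability patched by MS17-010) share one defender-side consequence: an infected host suddenly opens SMB connections to many distinct peers, which normal workstations never do. The following is an added example written for this page, not code from the thread, from Microsoft or from any vendor. It assumes a constructed flat connection-log format (`timestamp src dst port action`); real firewall or NetFlow exports differ, and only `parse_line()` would need to change. All addresses and times are invented.

```python
"""Detect worm-like SMB fan-out from a single internal host.

Added example, not code from the thread or from any vendor. Assumes a
constructed flat log format, one connection per line:
    <ISO-8601 timestamp> <src_ip> <dst_ip> <dst_port> <action>
Real firewall or NetFlow exports differ; only parse_line() would change.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {445, 139}          # SMB over TCP and NetBIOS session service


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action


def find_smb_fanout(log_text, window=timedelta(minutes=5), threshold=10):
    """Return {src_ip: max_distinct_smb_peers} for every source that reaches
    at least `threshold` distinct hosts on SMB ports inside any `window`.

    A workstation normally talks SMB to a handful of file servers; a worm
    sweeping a subnet touches dozens of peers in seconds.
    """
    peers = defaultdict(list)   # src_ip -> [(timestamp, dst_ip), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, _action = parse_line(line)
        if port in SMB_PORTS:
            peers[src].append((ts, dst))

    alerts = {}
    for src, events in peers.items():
        events.sort()
        best = 0
        start = 0
        for end, (ts, _dst) in enumerate(events):
            # slide the window start forward until it spans at most `window`
            while ts - events[start][0] > window:
                start += 1
            distinct = {d for _, d in events[start:end + 1]}
            best = max(best, len(distinct))
        if best >= threshold:
            alerts[src] = best
    return alerts


def build_sample_log():
    """Constructed sample traffic (private addresses, invented times)."""
    base = datetime(2017, 5, 12, 13, 58, 0)
    lines = []
    # 10.20.1.50: an ordinary workstation saving to two file servers all afternoon
    for i in range(20):
        server = "10.20.0.5" if i % 2 == 0 else "10.20.0.6"
        lines.append(f"{(base + timedelta(minutes=3 * i)).isoformat()} "
                     f"10.20.1.50 {server} 445 allow")
    # 10.20.1.15: one host sweeping a dozen neighbours on 445 within 22 seconds
    for i in range(12):
        lines.append(f"{(base + timedelta(seconds=2 * i)).isoformat()} "
                     f"10.20.1.15 10.20.1.{100 + i} 445 allow")
    # same host doing unrelated HTTPS traffic, which must not count
    lines.append(f"{base.isoformat()} 10.20.1.15 10.20.0.9 443 allow")
    return "\n".join(lines)


if __name__ == "__main__":
    for src, count in find_smb_fanout(build_sample_log()).items():
        print(f"ALERT: {src} reached {count} distinct SMB peers within 5 minutes")
```

The threshold and window are tuning knobs: a backup server or a vulnerability scanner legitimately fans out and needs an allow-list, while a flat network of the kind the comments describe makes the alert fire within seconds of the first infection, which is exactly the moment isolating the host still helps.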


Something like this also happened at Carleton University, but they did not pay the ransom. I assume they just used backups. They have really good (and super nice) IT people.


How do these things decrypt?

Couldn't someone take the "already paid" bitchain address from someone else, put it in and click "paid" with that to unlock it?


How can I protect myself from these NSA level attacks (not attacks by NSA, but by criminals who now have these tools)? Is keeping Windows up to date enough?


Is it not a form of malpractice by these hospitals to be running medically critical services on obsolete unsupported devices?


Spanish big companies like Telefonica, Inditex, Iberdrola, Endesa... are being attacked too.

Seems serious.


A $300 ransom doesn't seem like they're being targeted. The virus just spreads very, very well through corporate (i.e. Windows) intranets, including when connecting through a VPN, using a remote code execution vulnerability (see my other comment here https://news.ycombinator.com/item?id=14324592).

Considering it's already hit some tech giants, it was just a matter of time until it spread through their VPNs to their workers, clients and beyond.

This is gonna be fun to watch from the sidelines.


Some Portuguese too: EDP, PT and NOS...


I've heard from some people in Portugal that MEO is affected, as well as the Spanish Vodafone. A friend working for the Portuguese Vodafone is saying that, so far, they're unaffected.

This seems to be quite serious.


This is probably the first major hacking incident that will cause multiple deaths.


So we should build backdoors into encryption to prevent this, right? /s


I guess it's only a matter of time until patient records are available.


Surely just a coincidence that BTC reached a new all time high today ?


On the other hand, $300 sounds like a bargain.


Has anyone paid this specific ransom and had their files decrypted? I've got a client who is infected.

A member of their staff has now left for a holiday, this is a nightmare. I'm loath to have them pay the ransom, but restoring from the last backup will cost vastly more in work product and business impact than the cost of the ransom.


Per computer.

If the ransomware has no vulns itself, this is going to be a hit to economy, either by paying the ransom (it's already hit some major companies) or the losses produced by it.


I should hope that they can just reimage the workstations and if network drives were affected, just restore from shadow copy or backups.


You can reimage the workstations but how much work has been lost? Probably an awful lot.

I can't even fathom how many spreadsheets with no backup have been lost today.

WRT backups... :^)


I've rarely worked at a place that didn't shadow copy your user directory to a network location. The only thing that SHOULD be lost is whatever hadn't been saved when they were ransomwared.

The company should be able to pull a backup from the last file change prior to that event.


Thank you, I didn't see that.


It's a large scale attack impacting many companies. We are under attack and are shutting down everything here: France, Spain, Italy, UK, Sweden, ...


Why the hell do they need thick Windows boxes to handle patient records, would a dumb terminal not do and be far more resistant to this kind of problem.


They don't need them, at all. Every business and organization that isn't using CAD or Photoshop or some other CPU / Memory intensive software could get by on thin clients alone. No problem.

Secondly, how the hell are these records being stored? These viruses usually search for pdf, jpeg, doc, and xls files. Is patient data in spreadsheets and word docs? I don't get it.
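The comment above notes that this class of malware goes after document types (pdf, jpeg, doc, xls). The flip side for a defender is that the same behaviour leaves a distinctive footprint on a file server: many documents rewritten in a short burst, each with ciphertext-like (near-maximum entropy) contents, by one user session. The following is an added example written for this page, not code from the thread or from any product. It assumes a constructed audit-event stream of `(timestamp, user, path, new_contents)` tuples such as a file-server hook could supply; the users, paths and timestamps are invented, and the "encrypted" contents are a deterministic SHA-256 chain standing in for real ciphertext.

```python
"""Flag bursts of high-entropy rewrites of document files, the on-disk
footprint of ransomware encrypting a share.

Added example, not code from the thread or from any product. Assumes a
constructed event stream of (timestamp, user, path, new_contents) tuples
such as a file-server audit hook could deliver; the field layout is an
assumption, as are all users, paths and timestamps below.
"""
import hashlib
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

DOC_EXTENSIONS = {".pdf", ".jpeg", ".jpg", ".doc", ".docx", ".xls", ".xlsx"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext sits close to 8.0
BURST_THRESHOLD = 20      # high-entropy document rewrites per user per minute


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; plain text is usually below 5, ciphertext above 7.9."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_document(path: str) -> bool:
    dot = path.rfind(".")
    return dot != -1 and path[dot:].lower() in DOC_EXTENSIONS


def find_encryption_bursts(events, threshold=BURST_THRESHOLD):
    """Return {user: rewrites} for users who rewrote at least `threshold`
    document files with ciphertext-like contents inside one clock minute."""
    per_minute = defaultdict(Counter)          # user -> Counter{minute: n}
    for ts, user, path, data in events:
        if is_document(path) and shannon_entropy(data) >= ENTROPY_THRESHOLD:
            per_minute[user][ts.replace(second=0, microsecond=0)] += 1
    alerts = {}
    for user, buckets in per_minute.items():
        peak = max(buckets.values())
        if peak >= threshold:
            alerts[user] = peak
    return alerts


def pseudo_ciphertext(seed: str, length: int) -> bytes:
    """Deterministic high-entropy bytes (a SHA-256 chain) standing in for encrypted output."""
    out = bytearray()
    block = seed.encode()
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


def build_sample_events():
    """Constructed audit events: one normal user, one encrypting workstation."""
    base = datetime(2017, 5, 12, 14, 0, 0)
    events = []
    # alice saves a few low-entropy spreadsheets over the afternoon
    for i in range(3):
        body = b"patient_id,appointment,clinic\n" * 200
        events.append((base + timedelta(minutes=20 * i), "alice",
                       f"/srv/clinic/list{i}.xls", body))
    # a legitimately compressed archive is high-entropy but not a document type
    events.append((base, "alice", "/srv/clinic/archive.zip", pseudo_ciphertext("zip", 2048)))
    # bob's session rewrites 30 documents with ciphertext-like bytes in 45 seconds
    for i in range(30):
        events.append((base + timedelta(seconds=1.5 * i), "bob",
                       f"/srv/shared/report{i}.doc", pseudo_ciphertext(f"doc{i}", 2048)))
    return events


if __name__ == "__main__":
    for user, n in find_encryption_bursts(build_sample_events()).items():
        print(f"ALERT: {user} rewrote {n} documents with ciphertext-like contents in one minute")
```

The entropy test is what separates a mass rename or a bulk copy from encryption: edited spreadsheets and PDFs keep their structure and stay well under the threshold, while output from any real cipher lands near 8 bits per byte. Pairing the alert with an automatic disconnect of the offending session is the usual response, since every second of delay is more of the shared drive that has to come back from backup.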


Windows + Web Browser is the "dumb terminal" of the 2010's.


How long until paying ransom for a cyber attack becomes a crime?


I don't know, how long will humans exist? It will never be a crime.


"What I will argue is that when looking at a public policy problem, the best place to create liability is where it will have the desired impact. If the goal is to stop ransomware attacks, raising the costs of paying ransoms beyond what the criminals are demanding is the best way to do that."

http://blogs.cfr.org/cyber/2016/02/29/paying-ransom-on-ranso...



And Portugal, affecting telecom companies (confirmed by the cybercrime unit of the police): https://www.publico.pt/2017/05/12/tecnologia/noticia/ataque-...


Look at what is happening in Spain with the Telefonica giant.


[flagged]


Please don't post uncivilly like this.

https://news.ycombinator.com/newsguidelines.html


What proportion of costs do you think "immigrants that haven't had immunization" and "fgm" represents in the NHS versus "old people"? Here's a hint: a rounding error.


Yeah 'old' people because y'know you don't want to look after them do you?? Screw old people... and the sick.


[flagged]


We detached this subthread from https://news.ycombinator.com/item?id=14324411 and marked it off-topic.


Here in the UK, that is an incredibly unpopular opinion. I've never met anyone who isn't in favour of the NHS.


Sadly, I think there are more people that would be in favour of a private system than we'd like to admit. A lot of people have bought into the Tory idea that the NHS is unsustainable, and that the reason we're all poor is because we're paying for what they see as sub-par care.

On one side, the NHS is arguably the greatest success story of the UK, and I think many people would riot if their free healthcare was taken away. On the other, people will happily vote against a party that is looking to increase its funding, and will happily vote for a party that has made significant moves to privatise our healthcare system, so logically there must be people that aren't in favour of the NHS.


Sadly what most of those people don't realise is that the majority of their private healthcare will take place thanks to the NHS. Going private gets you into the nicer wards at many of the same hospitals, to be treated by the same doctors and nurses, and without any significant delays.

It's all well and good getting your hernia sorted out faster than on the NHS, or getting knee ligaments rebuilt without a 12 month wait for an operation but there's almost no concept of a "private" Accident & Emergency department.


Yep, you're essentially paying for the administration costs by going private, but that's not what the Bupa adverts sell you, and it's not what people seem to assume when you say you've got private healthcare. They think you're in some kind of special institution where you're pampered 24/7 by medical professionals, when in reality you're in the same NHS bed as the person next to you with some minor benefits. Additionally, as you've rightly pointed out, your private insurance will only cover non-existing illnesses. A&E isn't covered, nor is anything that might've existed before you picked up your insurance, and they'll be sure to check up on that. Take away the NHS, and the infrastructure becomes fully private, and that's when the costs will go through the roof.

For the life of me, I don't know why this isn't what Labour are driving home to people. They should be telling people "Vote Labour, or kiss the NHS goodbye".


Best value for money health service in the world absolutely no contest. Free healthcare for all no questions asked. Sounds like some johnny foreigner to me. Probably a Trump supporter chiming in with his alternative facts. Even he can get treatment here. I'm not so sure about a cure.


The NHS does charge people who are not permanently and lawfully resident in the UK.

https://www.gov.uk/government/publications/guidance-on-overs...


[flagged]


Users probably flagged this for being off topic. If you have a point about the NHS being one of these organizations that relates to the topic at hand, please make it directly—it helps prevent the discussion from slipping into more generic indignation.


Apparently some people haven't been following the debates around the introduction of that law very closely.

Less than stellar computer security at some of these organisations was one of the major concerns, and this incident shows that these warnings are clearly justified.

I would have thought my point to be glaringly obvious.

Perhaps rather than for being off-topic my comment may have been flagged because some don't like to hear "told you so" right in the middle of an incident that affects many people in quite dramatic ways (operations cancelled) and I can understand that. So I apologise for the insensitivity.


I'm sure some secret agency has backups of that data.


Not sure why the IT department wouldn't have a backup.


And I thought the Tories were tech illiterates... they sure have improved!


No, just the odd HN user


NHS in England hit by 'cyber-attack' with ransomware demanding $300 in Bitcoin

Excuse us but we just found out that you're NHS. Please make it $300,000 or else.

Asking for just a little is a pretty good tactic, used by these guys, patent trolls and the mafia for protection money.


In the aftermath I wonder if we'll ever find out how the attack was enabled. As in, who opened the attachment. My hunch? An Executive high enough in Leadership who won't get fired. Will be interesting to see.


In a publicly funded healthcare system, most employees are unionized, therefore no one will get fired for opening the attachment. And why should they? Unless it was a penis pill email, which I doubt, the employee probably wasn't intentionally trying to bring down the IT systems.


Then again (https://news.ycombinator.com/item?id=14312239) if you didn't patch your system immediately someone could email you an attachment that you never even looked at and have it compromise your system.

That was the nastiness of the earlier announced zero day. All the attacker needed was to have the file on your system when Microsoft's malware scanner ran.


It would be a bit silly to fire people for opening attachments, regardless of their position in the organisation. Sure, people need to be vigilant and follow their organisations' security practices, but if people like me (with lots of technical experience) can almost get tricked then it seems rather disproportionate.

It really should be the case that IT infrastructure is resistant to these problems.


Have a look at the decision tree here:

http://www.suspension-nhs.org/Resources/Safety%20-%20IDT%20(...

In that tree (which is about harm to patients) the path to "consider suspension" is "were the actions as intended?" and "were adverse consequences intended?" (Did you harm the patient, did you mean to harm the patient?)

You get referral to the regulatory body (which may lead to suspension or dismissal) if someone took an unacceptable risk and there are no mitigating circumstances.

The point of NHS.Net email is that it is secure. A staff member should be able to open email without causing havoc.


Why would you fire someone for opening an attachment?


Cyber security is everyone's responsibility. In the US at least, hospitals and their staff are held responsible for the proper care and handling of patient health data. In my opinion a hospital administrator should definitely be held accountable for poor computer practices that led to patient data being compromised.


The rational response in such a system if you mess up is to not tell anybody, wait, and hope the problem gets bad enough that it's not obvious where it started.


Accountability after an event does little to prevent future events.

There's a lot of focus on human factors in the NHS, and that tends to avoid things like blame.


That's a good question, but it's totally independent of the expectation that if it was some low-level nobody who did it then their ass'd be fired.


Opening an attachment can't do anything more than you could do intentionally. If some low-level nobody really has the ability to bring down the NHS systems (no matter if it's done by accident or with malicious intent), then I can point to a long list of managers and security officers in NHS that definitely need to be fired for allowing a system where this is possible.


They probably wouldn't. I'm sure anybody who's been a sysadmin has seen this happen.


An organization's security shouldn't be solely focused on breach prevention and placing the blame on someone for clicking on an email. Given enough time, a motivated, sophisticated adversary _will_ get in. Rather, the focus should move to detection and response: knowing where you've been pwned and knowing what to do about it.


Spanish CERT has announced it's a worm that's exploiting the EternalBlue NSA exploit (in SMB/Windows file sharing).
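The two comments above make a defender's point: a worm that spreads over SMB announces itself on the network, so the practical question is how to detect that spread rather than who clicked what. The following is an added example, not code from the thread or from any CERT advisory. It assumes a hypothetical flow-log format ("timestamp src dst dport proto", one record per line) and uses constructed sample lines; the detection logic flags any internal host that contacts an unusually large number of distinct peers on tcp/445 within a short window, the signature of a host sweeping a subnet for file-sharing services, while leaving ordinary many-clients-to-one-file-server traffic alone.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow log (not real data). Format is an assumption:
# "<ISO timestamp> <src ip> <dst ip> <dst port> <proto>", '#' lines are comments.
SAMPLE_FLOWS = """\
# one host touching twelve different peers on tcp/445 in twelve seconds
2017-05-12T13:00:00 10.1.2.15 10.1.2.16 445 tcp
2017-05-12T13:00:01 10.1.2.15 10.1.2.17 445 tcp
2017-05-12T13:00:02 10.1.2.15 10.1.2.18 445 tcp
2017-05-12T13:00:03 10.1.2.15 10.1.2.19 445 tcp
2017-05-12T13:00:04 10.1.2.15 10.1.2.20 445 tcp
2017-05-12T13:00:05 10.1.2.15 10.1.2.21 445 tcp
2017-05-12T13:00:06 10.1.2.15 10.1.2.22 445 tcp
2017-05-12T13:00:07 10.1.2.15 10.1.2.23 445 tcp
2017-05-12T13:00:08 10.1.2.15 10.1.2.24 445 tcp
2017-05-12T13:00:09 10.1.2.15 10.1.2.25 445 tcp
2017-05-12T13:00:10 10.1.2.15 10.1.2.26 445 tcp
2017-05-12T13:00:11 10.1.2.15 10.1.2.27 445 tcp
# ordinary clients all talking to the one file server: many sources, one target
2017-05-12T13:00:05 10.1.2.20 10.1.2.100 445 tcp
2017-05-12T13:00:06 10.1.2.21 10.1.2.100 445 tcp
2017-05-12T13:00:07 10.1.2.22 10.1.2.100 445 tcp
# one host touching three peers: below the default threshold
2017-05-12T13:00:10 10.1.2.40 10.1.2.50 445 tcp
2017-05-12T13:00:11 10.1.2.40 10.1.2.51 445 tcp
2017-05-12T13:00:12 10.1.2.40 10.1.2.52 445 tcp
# unrelated HTTPS traffic, ignored by the port filter
2017-05-12T13:00:13 10.1.2.15 10.1.2.100 443 tcp
"""


def parse_flows(text):
    """Parse the hypothetical flow format into (timestamp, src, dst, dport, proto) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), proto))
    return flows


def find_smb_scanners(flows, window_seconds=60, threshold=10):
    """Return {src: max_distinct_targets} for every source that reached at least
    `threshold` distinct hosts on tcp/445 inside any `window_seconds` window.

    Distinct *destinations* per source are counted, not connection attempts, so a
    single client retrying one file server never trips the detector.
    """
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ts, src, dst, dport, proto in flows:
        if proto == "tcp" and dport == 445:
            by_src[src].append((ts, dst))

    hits = {}
    for src, events in by_src.items():
        events.sort()  # time order, so a sliding window over the list is valid
        left = 0
        for right in range(len(events)):
            # shrink the window from the left until it spans at most `window`
            while events[right][0] - events[left][0] > window:
                left += 1
            distinct = {dst for _, dst in events[left:right + 1]}
            if len(distinct) >= threshold:
                hits[src] = max(hits.get(src, 0), len(distinct))
    return hits


if __name__ == "__main__":
    for src, count in find_smb_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"possible SMB sweep from {src}: {count} distinct tcp/445 targets")
```

The threshold and window are tuning knobs: a short window with a high distinct-target count is characteristic of automated spread and rare for humans or backup jobs, which tend to talk to few servers repeatedly. Counting distinct destinations rather than raw connections is what keeps the file-server case in the sample quiet.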

