Cyber Warfare / Cyber Crime


NurembergVillan

Most software used in hospitals only runs on Windows, and there are no alternatives. It's not like an office that can switch to Linux and Libreoffice or Google Apps. You won't find a web-based or Linux PAS or EPMA system. 


1 hour ago, Davkaus said:

Most software used in hospitals only runs on Windows, and there are no alternatives. It's not like an office that can switch to Linux and Libreoffice or Google Apps. You won't find a web-based or Linux PAS or EPMA system. 

No, but you can get them delivered as virtual applications to a thin client and protect the server with an application aware firewall.

I'm not saying this is the right thing to do - I've no idea what those systems are; but there are alternatives for running ancient software without forcing endpoints to be equally ancient.


Seeing the media reaction to what is an (easily) preventable "attack"; I'm not looking forward to the day the keys for the Intel Management Engine or AMD's PSP get cracked / leaked.


5 hours ago, Demitri_C said:

Not entirely true. Some trusts choose not to use some of their budgets for upgrading their IT systems. I work for one of the biggest trusts in the country and they truly wasted a lot of money on rubbish before upgrading to Windows 7 at the end of last year. The money was there; they just chose to use it on other things. The government are to blame for a lot of things, but not this.

I would have guessed they'd moved the money around the budget to pay for stuff like beds and medicine, so I'd honestly be interested to know what rubbish it was wasted on instead.


Having read more since the news broke, correct me if I'm wrong, but the bulk of it is down to trusts running XP or a really old OS, and regardless of that, for those running a recent OS, Microsoft released patches three months ago that (could) have prevented some of this (and some haven't even updated)?

Regardless of the news and the scope of the scandal that is kind of unforgivable in terms of risk assessment and business continuity, from the affected NHS trusts who have an absolute obligation to safeguard something so sacred as all of our personal data. When I posted yesterday I didn't know more of the facts, reading more today, this is absolutely pathetic. 

Naturally the Daily Mail et al will jump on it and make it their latest thing, but forget them and their spin; the basis of what has happened and how it could have maybe been avoided in part, that is literally almost shocking for me. Almost, as I can totally believe it. I used the word "archaic" yesterday in reference to systems and approaches.

Regardless of how much deficit NHS trusts are in, all departments have annual budgets, and each respective IT / systems infrastructure allocation should have been sent more in the direction of such safeguarding. Easy for me to say, I don't work in IT, but any public sector worker on here will know all the mandatory training we have to renew annually that goes on about our individual rights and, as employees, our obligations to protect yours. Jesus, it is quite pathetic.

The original post of this thread by NV yeah, even more so, let the media take this further. More has to be done. 

You IT chaps on VT, business opportunities for you, my friends. NHS IT infrastructure not fit for purpose, and you know how our commissioners love to bring in consultants :D

Edited by Midfielder

10 hours ago, limpid said:

It is possible to protect against most smaller actors though. The weak link is almost always human and companies are REALLY bad at training their staff. 

I'm unarmed as a newborn in this arena but know some good guys who do cyber. We spent 18 months hawking them around the bazaars in town a few years ago, visiting banks, regulatory authorities and government ministries - all of whom were then being hit regularly.

The customers wanted a box with flashing lights that could be plugged into a corner of the office and make everything go away. My blokes weren't pushing hardware and wanted to talk about functional cyber hygiene, training individual users of the systems and developing holistic master security plans managed by dedicated CIOs.

The customers wanged that idea into the too difficult tray, went for the flashing boxes and are still being spanked today.

Strengthening every single link in the chain sufficiently is a Herculean task almost no 'normal' organisation working at scale is capable of doing well enough to be (relatively) secure. 


3 hours ago, NurembergVillan said:

I would have guessed they'd moved the money around the budget to pay for stuff like beds and medicine, so I'd honestly be interested to know what rubbish it was wasted on instead.

You ever heard of the expression "too many chiefs and not enough Indians"? That's a start!

And I don't know about your local hospitals, but at my trust they have these check-in kiosks (that cost over 50k each one); well, after large opposition from staff prior to coming in, they have dumped the whole load as they are a pile of crap, and now patients check in with the receptionists as it used to be.

That's only two examples of a number of colossal f ups; it's an absolute disgrace.


44 minutes ago, Awol said:

I'm unarmed as a newborn in this arena but know some good guys who do cyber. We spent 18 months hawking them around the bazaars in town a few years ago, visiting banks, regulatory authorities and government ministries - all of whom were then being hit regularly.

The customers wanted a box with flashing lights that could be plugged into a corner of the office and make everything go away. My blokes weren't pushing hardware and wanted to talk about functional cyber hygiene, training individual users of the systems and developing holistic master security plans managed by dedicated CIOs.

The customers wanged that idea into the too difficult tray, went for the flashing boxes and are still being spanked today.

Strengthening every single link in the chain sufficiently is a Herculean task almost no 'normal' organisation working at scale is capable of doing well enough to be (relatively) secure. 

Your guys were absolutely correct. Flashing boxes in the corner can help, but there needs to be protection at every point, including the weakest point: the employees.

It can be done at a very large scale; it just needs the right approach from the top.


22 minutes ago, Demitri_C said:

You ever heard of the expression "too many chiefs and not enough Indians"? That's a start!

And I don't know about your local hospitals, but at my trust they have these check-in kiosks (that cost over 50k each one); well, after large opposition from staff prior to coming in, they have dumped the whole load as they are a pile of crap, and now patients check in with the receptionists as it used to be.

That's only two examples of a number of colossal f ups; it's an absolute disgrace.

Hey Demitri, same here, pal. Those check-in flat screen modules. Have no idea how much they cost but I'll take your word for it, though ours are probably cheaper, more simple; still, though, no sign of being turned on, but they are placed around. They work well in GP practices in our region, but the compatibility across secondary care systems is not sorted, nor is it anywhere near to being. Anyway.

Also. As I have been critical and slagged off my employer's infrastructure in this thread, for legal disclaimer purposes I work for Royston Vasey NHS Hospitals Trust. Just out of paranoid reference there. 


18 hours ago, Demitri_C said:

And I don't know about your local hospitals, but at my trust they have these check-in kiosks (that cost over 50k each one)

Which trust is this, and where did you get this number?

Here are some in Grimsby that cost £5k each.

http://www.nlg.nhs.uk/news/new-self-check-kiosks-installed-outpatients/

Quote

Five units have been installed for patients to use when they arrive for their appointment. Two are also adjustable so that people in wheelchairs can easily access them.

The £25,000 investment follows other improvements to the department.

Here are some in Lothian that cost £3,000 a pop.

http://www.bbc.co.uk/news/uk-scotland-edinburgh-east-fife-17523292

Quote

There are four kiosks being used in the pilot, which will last three months.

If successful, the devices, which cost about £3,000, could be rolled out to other areas across NHS Lothian.

I can't cite a news source, but I know that the ones in Nottingham cost somewhere in the middle of those numbers, just under 5k, and that includes not just the devices themselves, but the deployment costs, development costs of software features to support them, and the support costs during the initial rollout.

I don't know where you've got £50,000 per device from, but I strongly suspect that it's very wide of the mark.


32 minutes ago, Davkaus said:

Which trust is this, and where did you get this number?

Here are some in Grimsby that cost £5k each.

http://www.nlg.nhs.uk/news/new-self-check-kiosks-installed-outpatients/

Here are some in Lothian that cost £3,000 a pop.

http://www.bbc.co.uk/news/uk-scotland-edinburgh-east-fife-17523292

I can't cite a news source, but I know that the ones in Nottingham cost somewhere in the middle of those numbers, just under 5k, and that includes not just the devices themselves, but the deployment costs, development costs of software features to support them, and the support costs during the initial rollout.

I don't know where you've got £50,000 per device from, but I strongly suspect that it's very wide of the mark.

I work for Royal Free London. I was sat in the meeting and they specifically told us each of these machines would cost 50k each, and that these machines would in theory save money long term for the NHS "as you would not require receptionists anymore". They of course didn't realise that receptionists do more than check in patients and give directions! Go figure!


All NHS licensing used to be handled centrally; basically, it meant we got a copy of Windows for around £10. This central purchasing was scrapped, leaving NHS trusts to do their own deal with Microsoft. The trust I work for paid around £30 for a Win 7 desktop licence. Some trusts just buried their heads in the sand, the cost being a significant factor.

It was always a daft decision not to use the NHS's massive buying power en masse to buy Windows licences. It now looks a very costly one.


Considering the amount of coverage this story has been given, I find it strange that there has been no explanation as to how the 'virus' is spread, in what format, and what people should do to stop their computers becoming infected.

Most people know not to open dodgy emails or attachments, but it's plainly clear that many do not.


I was half expecting my workplace (DWP) to have been hit when firing up this morning. It hadn't. Our IT infrastructure isn't nearly as antiquated as the NHS, although we do get phished frequently ofc. Training isn't too bad on the whole, and generally even those who aren't au fait with IT are very suspicious of any email / software they don't recognise. More so than those who are a bit more clued up, if anything.


2 hours ago, andyh said:

Considering the amount of coverage this story has been given, I find it strange that there has been no explanation as to how the 'virus' is spread, in what format, and what people should do to stop their computers becoming infected.

Most people know not to open dodgy emails or attachments, but it's plainly clear that many do not.

The big attack on Friday (attacks are continuous) was spread by abusing a broken part of Microsoft's SMB protocol stack. It required that people who should know better were making this stack accessible from the internet; however, getting a click on an email from a single user on a machine inside your network would mean that it was at that point internal and could freely access all machines on an internal network. Once it got onto a PC, it's currently believed that it didn't do anything but encrypt things on the local disk. It could, however, have exfiltrated data and PII. The reason most news hasn't gone into detail is because none of this means anything to most people.

Microsoft committed to their trustworthy computing initiative 15 years ago and there is still this junk underpinning everything else they do.

The advice for home users is clear and hasn't changed. Update ALL your software ALL the time. Don't run anything out of support. Have good endpoint protection and update that even more often.

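The post above names the conditions that let the worm in: an SMB service reachable from outside, free lateral access once inside, and unpatched or out-of-support hosts. The following read-only PowerShell audit is an added example, not code from this thread, that checks one Windows host for those conditions. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later with the built-in SmbShare and NetSecurity modules; the function name Get-SmbExposureReport is chosen here, and treating anything below Windows 10 as out of support reflects the Windows 7 and 8.1 end-of-support dates that have since passed.

```powershell
# Added example: audit this host for internet-facing SMB and stale patching.
# Assumes an elevated session; all checks are read-only. Remediation is commented out at the end.
function Get-SmbExposureReport {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Is the legacy SMB1 dialect still enabled on the server side?
    $smb = Get-SmbServerConfiguration
    if ($smb.EnableSMB1Protocol) {
        $findings.Add('SMB1 is enabled on the server side; disable it unless a legacy dependency is documented.')
    }

    # 2. Which enabled inbound Allow rules open TCP 445, and on which profiles?
    #    (Port ranges and 'Any' are not expanded here; review those rules by hand.)
    $rules445 = Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '445' } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    foreach ($r in $rules445) {
        # Profile is a flags value rendered like 'Domain, Private' or 'Any'
        if ("$($r.Profile)" -match 'Public|Any') {
            $findings.Add("Rule '$($r.DisplayName)' allows inbound TCP 445 on profile(s) '$($r.Profile)'.")
        }
    }

    # 3. Is the host attached to a Public (untrusted) network while 445 is allowed at all?
    $publicNets = Get-NetConnectionProfile | Where-Object { $_.NetworkCategory -eq 'Public' }
    if ($publicNets -and $rules445) {
        $findings.Add("Host is on a Public network ($($publicNets.InterfaceAlias -join ', ')) with TCP 445 allowed.")
    }

    # 4. Is the OS version still supported, and how old is the newest installed hotfix?
    $os = Get-CimInstance Win32_OperatingSystem
    if ([version]$os.Version -lt [version]'10.0') {
        $findings.Add("OS version $($os.Version) ($($os.Caption)) is out of support.")
    }
    $lastFix = Get-HotFix | Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
    if ($lastFix -and $lastFix.InstalledOn -lt (Get-Date).AddDays(-60)) {
        $findings.Add("Newest hotfix $($lastFix.HotFixID) installed $($lastFix.InstalledOn.ToShortDateString()); patching looks stale.")
    }

    [pscustomobject]@{ Host = $env:COMPUTERNAME; Findings = $findings }
}

Get-SmbExposureReport | Format-List

# Remediation once a legacy dependency is ruled out (needs a restart to take full effect):
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
```

An empty Findings list means SMB1 is off, no enabled rule admits TCP 445 on a Public or Any profile, and the host is on a supported, recently patched build.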

2 hours ago, andyh said:

Most people know not to open dodgy emails or attachments, but it's plainly clear that many do not.

As Head of IT for a variety of different companies in the last 15 years, I can assure you that the overwhelming majority of people are indeed rather stupid. I'd estimate that out of a user base of only a few hundred, our helpdesk get at least 10 calls a week from staff who've clicked a link and got a warning message on their screen. When you bear in mind that we use thin clients / virtual desktops in the office (which hugely minimises the risk from such attacks), it's clear that these calls are from staff using their own computers at home. The thought process is clearly:

1. Don't protect my home computer in any way, shape or form

2. Don't pay attention to what I click on / open

3. Make it my company's responsibility to fix the problem I made


31 minutes ago, limpid said:

The advice for home users is clear and hasn't changed. Update ALL your software ALL the time. Don't run anything out of support.

Allowing for the inevitable Microsoft/Winduhs response ;), there is a problem with this when you consider the issues with automatic Windows updates over the past year or two or, in a few years, when support for Windows 7 ends.


54 minutes ago, snowychap said:

Allowing for the inevitable Microsoft/Winduhs response ;), there is a problem with this when you consider the issues with automatic Windows updates over the past year or two or, in a few years, when support for Windows 7 ends.

No there isn't. When Win7 becomes unsupported you must not use it if you want to protect yourself.

Or like you hint at; stop using Windows.


3 hours ago, limpid said:

No there isn't.

Yes there is. The simple mantra of "Update ALL your software ALL the time" would have had me (and others) on the GWX.exe upgrade merry-go-round for all the time until they stopped offering it.

Yes, yes - don't use Windows.


5 hours ago, snowychap said:

Allowing for the inevitable Microsoft/Winduhs response ;), there is a problem with this when you consider the issues with automatic Windows updates over the past year or two or, in a few years, when support for Windows 7 ends.

Bloody good job that Microsoft forced unsuspecting users on to Windows 10 then. How nice of them. :P 
