Ransomware as a warning
I’ve seen quite a bit more MSM coverage in the British papers than the American ones about the recent Ransomware computer attack that threatened a great many businesses that use Microsoft. They were vulnerable because they had failed to update regularly enough, and because of revelations revealed by Wikileaks:
A statement from Microsoft president and chief legal officer Brad Smith on Sunday criticised the way governments store up information about security flaws in computer systems.
“We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world,” he wrote.
He added: “The governments of the world should treat this attack as a wake-up call.”
The organisation also said that many organisations had failed to keep their systems up to date, allowing the virus to spread.
Microsoft said it had released a Windows security update in March to tackle the problem involved in the latest attack, but many users were yet to run it…
…A UK security researcher known as “MalwareTech”, who helped to limit the ransomware attack, predicted “another one coming… quite likely on Monday”.
I was puzzled by this reference to updates. My updates happen automatically. But apparently, according to the article, for large systems such as those run by companies, updates are much more complex to perform, and only happen automatically if those entities pay extra.
Towards the end of the article you can find this tidbit:
MalwareTech, whose name was revealed in UK media to be 22-year-old Marcus Hutchins, was hailed as an “accidental hero” after registering a domain name to track the spread of the virus, which actually ended up halting it.
Hutchins seems a character sent from Central Casting. Is he real? You be the judge:
Marcus Hutchins has been credited with stopping the WannaCry ransomware attack from spreading across the globe by accidentally triggering a “kill switch”.
The self-taught 22-year-old took just a few hours to stop the breach, which had already spread to more than 200,000 victims – including the NHS – across 150 countries…
He is believed to have stopped the attack from a small bedroom in his parents’ house. Last night, pictures emerged of his self-made IT hub, crammed with takeaway pizza boxes, video games and computer servers.
Oh, why not? Even though Hutchins sounds like someone invented by fabulist Stephen Glass, why shouldn’t he be the real deal? The world has gotten that surreal.
Here’s some pizza supposedly consumed by Mr. Hutchins:
This exploited vulnerability was in any non-Windows 10.
“The NHS is working to bring its systems back online after it became the highest-profile victim of a global ransomware attack …
90% of (UK’s National Health Service) trusts were using Windows XP, then (2014) a 15-year-old system”
https://www.theguardian.com/society/2017/may/12/hospitals-across-england-hit-by-large-scale-cyber-attack
Microsoft’s support expired, and even for those who paid to have it extended, that lasted until 2014.
https://en.wikipedia.org/wiki/Windows_XP
Windows XP use (that accesses the internet) is still at 7% of all desktop users.
https://www.netmarketshare.com/
Microsoft issued an emergency patch, disregarding their support policy, given the scale of this issue.
http://www.zdnet.com/article/wannacrypt-ransomware-microsoft-issues-patch-for-windows-xp-and-other-old-systems/
There is still a level of complacency over “cyber security” in all its facets, even in the C-suite of many organizations.
It is an expenditure that doesn’t have a direct return on investment, and is a risk that is hard to quantify or even fathom in some cases, so gets low priority.
FYI, only Windows 8.1 (not 8.0) and 10 are in (free) supported status. Only 33% of the desktop users connecting to the internet are using one of these two versions.
https://www.netmarketshare.com/
Only Windows 7 and up are eligible for extended (paid) support. I believe security updates continue until this period ends for each version, but could be wrong. 48% of those desktop users are on Win 7.
Fortunately, I am a Windows 10 user.
One note, however- even if the updates are automatic, you still have to take action to implement them, notably, you have to shut down and restart. I know a lot of people who only put their computers in sleep mode at the end of the day. It is always good practice to shut the computer down whenever you get an update- don’t wait.
neo: They were vulnerable because they had failed to update regularly enough, and because of revelations revealed by Wikileaks
That’s lazy reading. Wikileaks had nothing to do with this:
1. Microsoft made mistake in code
2. NSA found it and decided not to tell Microsoft about it
3. Microsoft doesn’t care too much about patching old code. There’s more money in new code, new systems.
4. NSA use mistakes to make tools for spying on computers
5. Thieves steal tool and use it to lock many computers and data
6. Microsoft blames NSA for storing mistakes and storing them unsecure (remember Wikileaks). Microsoft also blames users for not buying newer products.
7. neo blames users and Wikileaks.
My updates happen automatically. But apparently, according to the article, for large systems such as those run by companies, updates are much more complex to perform, and only happen automatically if those entities pay extra.
It depends on the system(s) involved, and the bean counters behind them. Most good sized and above outfits will set aside resources to run their own update server. They can download the current patch sets once, saving bandwidth, to this update server, and then distribute them to the local network on a schedule that can be set locally. And they can set policies about which patches get pushed out and to which machines.
Applying patches to your web server or domain controller can be a…terrifying thing to do [*]. You hope it boots, or if something goes sideways that you can back the patches out. Some bean counters count any down time as a Bad Thing, so it gets pushed back.
Additionally, I know for a fact that the UK pays Microsoft extra money to keep their versions of XP updated. They just couldn’t move forward with newer offerings, since they were supporting “legacy” applications, probably for the NHS which may explain why they got hit so hard.
That said, you can get your own copy, including updates for Office products: http://download.wsusoffline.net/ I have no affiliation with wsusoffline other than as a happy customer. I can install a fresh copy of Windows, run the wsus offline installer and get a reasonably up-to-date install without having to be connected to the internet.
So theoretically, when I connect that machine to the internet it is mostly resistant to crapware.
[*] so I’ve heard. I run a linux shop, and it is much less terrifying.
Fortunately I don’t use windows.
Many businesses, including government agencies that I have personal experience with, “manage” Windows updates themselves to prevent certain patches from being applied, because their “management tools” use the same exploits the NSA uses, and patching the exploits would destroy the managers’ ability to spy on employees.
Because of this, it’s pretty clear the fallout of the NSA leak is just getting started. So of course Microsoft is blaming Trump for it.
I may be the only person old enough to remember how the counterculture disdained “planned obsolescence.” Now the tech companies, uber-progressives all, live on it.
The ‘mistakes’ are put in as backdoors DELIBERATELY, and at the behest of the NSA.
It started this policy … in 1947.
EVERY enciphering scheme has been attacked from the outset by the NSA… with the new mechanism compelled to ‘leave the keys under the doormat.’
This reality only becomes public knowledge sporadically.
Hackers look upon these, so-called, mistakes as Easter eggs that they must track down.
Oh, and Hutchins is indeed a hero of the cyber age, just for finding WannaCry’s killswitch and hitting it. It’s the sort of thing anyone could have done, but he’s the guy that actually did it.
Just remember, the next one might not be designed with a working killswitch… or worse, have a “destroy all data” switch disguised as a “decrypt the data you encrypted and deactivate” switch.
Reprise: I don’t use Windows; neither should you.
And bad pizza.
This is the downside of tech. There are always people looking for ways to swindle someone else. And the internet provides a wonderful hunting ground for them. My wife’s computer was hit by ransomware. She immediately shut it down and took it to her local techie to get fixed. The ransomware was asking for $199 to unlock her computer. The local techie charged her $250. I got the impression the ransomware jerks knew what the price was to unblock the computer and were under bidding that price. Maybe I give them too much credit for knowing their market.
That said, I ask you, how is ransomware different from burglarizing your house or sticking you up on the street? IMO, it isn’t. This is serious property crime, not to mention the endangerment of lives when they attack hospitals. Our society has got to make it much more difficult and dangerous for these tech burglars. The sooner the better.
Many large companies and government departments don’t enable autoupdate, or if they do they run their own repositories of updates that the workstations connect to instead of the ones Microsoft themselves provide.
The company IT department then takes updates from the official server and distributes them through their own, often after months of “testing” to “ensure” that it’s all safe and “up to standards” (and there is no interference with mission critical custom software the company needs).
As a result, updates for workstations may well run half a year or more late.
Even worse, I’ve worked for companies that had official policies that prevented any software from being used that wasn’t at least 2-3 releases behind the most current ‘to prevent buggy releases from getting onto our network’.
As a result they would for example run Windows Vista now because anything newer would not pass their ‘security guidelines’ simply on account of being too new.
And that’d apply to security fixes as well. So Vista service pack 1 would not be allowed on their machines until Microsoft had released for example service pack 2 for Windows 10.
It’s insane, but some “security experts” actually think like that.
“you still have to take action to implement them, notably, you have to shut down and restart.” – Yancy
Correct, but with a qualifier…
On Windows 10, it can force a reboot on its own.
Very recently, it’s happened where we had a computer running overnight because of a long running process.
Now, Win 10 is SUPPOSED to “know” when the computer is idling for some time, but it seems the algorithms are a ways from perfect.
We had to restart the processes over again and wasted a number of hours the next day.
There may be a way to prevent this like in Win 7, but not clear where or how to force Win 10 to only notify and install only when explicitly commanded so.
om at the front of this..
and in med..
you can’t autoupdate servers because they don’t perform when updating… ie. so you load balance and update, some switch load and do others..
even worse… in the med area, where i work, they are abysmal and resist doing things they should and hurt employees in favor of managers… pretty much run as what a leftist would dream capitalism is about.
you guys would be paranoid if i clued you in on the med world and this compared to the banks..
well, lots of your equipment, thanks to microsoft, was done for XP… so your monitors, and other things are still running the defunct XP, and the other systems connect to them… you can’t upgrade it, as the software that runs the machines won’t work
why?
well, i could write books on the bad that they do in management under a socialist kind of ideal and mandates…
but let’s just say they have lots of diversity programs and are number one in diversity, and like roads and such, the infrastructure is rotting under the fake fronts.
the blessing of obama care was to hide all that under a new remolding the way war does…
fun fun
but i am not credible..
just waiting for an opening in the choir triumphant.
You know what they say about news media when they are reporting on something you know about in detail..? How they can’t even get the basics right, and that you should consider this when they report on anything.
Well, I know a bit about this topic, and (I’m not surprised to say that) between you, Neo, and your commenters, the topic has been covered quite accurately. This is one of many indicators that when I come here for information and thoughts about politics and other topics, and I read this site daily, that the people here (and especially our gracious host) tend to know what they are talking about. 🙂
Well, I shut my computer down every day, at least once a day and sometimes more. I guess I’m in the minority.
ConceptJunkie:
Thanks! But tech-y things are not my wheelhouse. I must defer to my commenters on that.
When they make it so that you have to be hooked up to an implant in your head that connects mind to machine, guess whether that’ll be a good idea.
Imagine a backdoor hack into your memories.
It’s insane, but some “security experts” actually think like that.
It’s not insane, it’s manual defense, vs automatic self defense.
The best individual users control updates manually for the same reasons.
As with counter terrorism, it doesn’t matter what the centralized authorities do with patching holes, the vulnerabilities are always with the idiots and incompetents at the bottom. The weakest link in a chain. The softest target for terrorism. Harden all targets, and the softest target will still be hit.
Instead of relying on the authorities and government to own your arse and force you to be invulnerable to ransom ware, people who don’t want to be kidnapped or ransomed can fund their own training and defense. But humans aren’t motivated like, so there are always going to be the bottom echelon of 20% useless users who get taken for a ride from the top 20% of con artists.
Trying to fix this by increasing centralization misses the point. The reason why users are weak is because they refuse to increase their defense. In the same fashion that the reason why Americans are weak to crime is because they don’t want to learn how to use tools like guns or their brain as a weapon.