|
||
|
||
359,000 computers infected, dozens of nations affected world-wide! A worm exploiting a Windows OS vulnerability that looks to the network for more computers to infect! This is the most pernicious, evil, dangerous attack, ever.
“The Big One” Wired pronounced.
“An unprecedented attack”, said the head of Europol.
Queue the gnashing of teeth and hand-wringing!
Wait, what? WannaCry isn’t unprecedented! Why would any professional in the field think so? I’m talking about Code Red, and it happened in July, 2001.
Since then dozens, perhaps hundreds of Best Common Practice documents (several of which I’ve personally worked on) have been tireless written, published, and evangelized, apparently to no good effect. Hundreds of thousands, perhaps millions of viruses and worms have come and gone.
Our words ‘update your systems, software, and anti-virus software’ and ‘back up your computer’, ignored. The object lesson taught by Code Red, from almost sixteen years ago, forgotten.
Criminal charges should be considered: Anyone who administers a system that touches critical infrastructure, and whose computers under their care were made to Cry, if people suffered, or died, as is very much the possibility for the NHS patients in the UK, should be charged with negligence. Whatever ransom was paid should be taken from any termination funds they receive, and six weeks pay deducted, since they clearly were not doing their job for at least that long.
Harsh? Not really. The facts speak for themselves. A patch was available at least six weeks prior (and yesterday was even made available by Microsoft for ‘unsupported’ platforms such as Windows XP), as was the case with Code Red.
One representative from a medical association said guilelessly, in one of the many articles I’ve read since Friday ‘we are very slow to update our computers’. This from someone with a medical degree. Yeah, thanks for the confirmation, pal.
The worm has been stopped from spreading. For now. iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com was registered by a security researcher, and sinkholed.
Sorry, forget it. I went for a coffee while writing this, and predictably WannaCry V2 has since been spotted in the wild, without the kill-switch domain left dangling.
What have we learned from all of this, all of this for a lousy $26,000?
If someone gets arrested and charged, and by someone, I mean systems administrators, ‘CSOs’ and anyone else in line to protect systems who abjectly failed this time, a lot. WannaCry infections to critical infrastructure are an inexcusable professional lapse. Or, we could just do all of this again, next time, and people may die.
Afterthought: My organization, CAUCE.org recently turned 20 years old. When it started, we didn’t believe things could get this bad, but it wasn’t too soon after that it became apparent. I issued dire warnings about botnets in 2001 to the DHS, I made public pronouncements to these ends in 2005 (greeted by rolled eyes from an RCMP staff sergeant). I may have been a little too prescient for my own good at the time, but can anyone really say, in this day and age, that lives are at stake, and we are counting on those responsible for data safety to at least do the bare minimum? I await your comments, below.
Sponsored byCSC
Sponsored byWhoisXML API
Sponsored byIPv4.Global
Sponsored byDNIB.com
Sponsored byVerisign
Sponsored byVerisign
Sponsored byRadix
A World-Renowned Source for Internet Developments. Serving Since 2002.
I think the other side of the coin is well-represented by Professor Steven Bellovin, who isn’t wrong about the realities of patching. That said, given the rampant proliferation of exploits these days, people failing to do expeditious patches in a professional environment, particularly critical infrastructure is akin to a trucking company failing to heed recalls, or do basic vehicle maintenance.
From your link:
https://krebsonsecurity.com/2017/05/global-wana-ransomware-outbreak-earned-perpetrators-26000-so-far/#more-39367
We find the following comment:
“Steve C
May 14, 2017 at 6:26 pm
I read in the British press that due to underfunding, 90% of the hospitals there are to some degree still using Windows XP and Server 2003. This is why they were so heavily impacted.
Where I used to work I was responsible for managing WSUS. I normally would wait to approve Windows Updates after they had been out for a month, unless if something was super critical. This was done because Microsoft once or twice a year would push out an update that would trash one major system or another. After a week or two the bad patches would be silently fixed.”
Yup, I have seen Microsoft “updates” break things, and one of many reason why I turn off updates on my personal equipment.
In addition to that, NSA at taxpayer expense, developed the core of this attack. So why are my tax dollars being used to author exploits rather than reporting bugs to authors so that we are all safer and more secure? And why should I blame administrators now dealing with the mess tax payers funded the authorship of?
>Criminal charges should be considered: Anyone who administers a system that touches critical
>infrastructure, and whose computers under their care were made to Cry, if people suffered, or
>died, as is very much the possibility for the NHS patients in the UK, should be charged with
>negligence.
Yup, so lets start with the NSA employees ....
“Microsoft once or twice a year would push out an update that would trash one major system or another.”
that’s why we have back-ups, and try a single system before applying the patches across the board.
Given the risks associated with both applying updates and not applying updates in a medical environment (or similar environments where system failure has the potential to endanger lives), the problem is that they’ve used an operating system which is singularly unfit for purpose. Windows is the single biggest target for such attacks on the planet, has a history of ongoing vulnerability, and is frequently updated for risky non-security reasons. This kind of application needs an ultra-conservative OS with an emphasis on stability and security over novelty and generality. That OS could, in principle, be some special variant of Windows—just not the mainstream desktop-oriented one.
It’s harsh to go after the systems administrators when they’ve had the worst of all possible worlds foisted on them by market forces outside their control. Sue the vendors if you want to apply pain where it’s actually likely to have a beneficial outcome. There has to be some kind of “fitness for purpose” angle when plain old desktop Windows is embedded in critical hardware.
A friend works for Unisys. His group authors the code that runs on very high end custom "PCs", that run Linux, which emulates a VAX, so their customers can continue using their heritage software. The users of these systems everyone would recognize, most depend on them daily. The PC is cheap, and everyone and their dog (j/k) can author reliable code for it. That is what drives its ubiquitous use, and like the VAX, its not going away anytime soon. Back to our tax dollars recognizing this fact of life and being used to protect it, and commerce and industries in general. With all the billions spent to watch and record our every move, there is actually no incentive for our tax dollars to be used to solve these problems. Every time I am on the highway I can see NSA's Bluffdale facility, another reminder of the use of our tax dollars. That is the issue, if there was a will to harden general purpose "PCs" they would be far more secure than they are. Wannacry would not be happening right now. We need to make a choice and verbalize it: “Those who surrender freedom for security will not have, nor do they deserve, either one.” - Benjamin Franklin "I prefer dangerous freedom over peaceful slavery." - Thomas Jefferson https://www.aclunc.org/blog/feds-refuse-release-documents-zero-day-security-exploits March 3, 2015 "But the effectiveness of such exploits depends on their secrecy—if the companies that make the affected software are told about the flaws, they will issue software updates to fix them. Governments thus have a strong incentive to keep information about the exploits they have developed or purchased secret from both the public and the companies who create the software we all use." "While zero-day exploits are no doubt useful to U.S. law enforcement and intelligence agencies, their use raises serious public policy concerns. Zero-days are also regularly used by foreign, hostile governments, criminals and hackers engaging in cyberattacks. That means our government’s choice to purchase, stockpile and use zero-day exploits instead of promptly notifying manufacturers is effectively a choice to leave both the Internet and its users less secure."