Cyber attack on hospitals

Windows is a good target for hackers, always has been. I really don't know how it's survived for so long.
  • Windows is popular partly because of market dominance, partly because it's what users are used to, and mostly because it just plain works 99% of the time for 99% of uses.
  • Mac OS is just as vulnerable, it's just a lot less attractive as a target because it's not as dominant in the workplace.
  • Linux and its ilk are so niche it's not worth the effort of targeting.

But the point that's being missed is this. Regardless of what OS the affected organisations were using, they all share the common situation that they cannot just roll out OS upgrades on a weekly basis.

Now there will be some here too young to remember the Millennium Bug scare of the late '90s. To the innocent observer it would appear that nothing much happened, a few minor systems suffered problems but by and large IT systems ticked over to the new century without hitch. But what wasn't seen was millions of man-hours spent nationally checking over systems, upgrading and patching, developing mitigations, replacing systems, and where necessary isolating known problems to localise the impact.

If you run a safety critical system (medical device software controllers, ambulance dispatch system, medical records repository, nuclear submarine*, power station, etc.) you face a Millennium Bug challenge with every patch/upgrade to the OS. These are situations where driver incompatibility isn't as trivial as an update roll-back.


* Michael Fallon reassured the UK public that the Vanguard-class nuclear missile submarine fleet were safe from the Win XP exploit because they are still running Win 95.
 
Let's be honest, Windows was marketed so well by Bill Gates it dominated the world. But from its beginnings as DOS it underpinned Windows for years. I gave up years ago with Windows after years of looking for drivers and patches and security systems. It seems the Microsoft team hasn't learnt a lot over the years. I am sure people will say I am wrong but I think nothing has changed since DOS; people still have upgrade problems and security issues. Let's see what the future brings.
 
Windows is a good target for hackers, always has been. I really don't know how it's survived for so long.

So let me guess, you're a Mac or Linux user?
So out of the two above, what enterprise-class solution does Apple offer then that is scalable for the NHS and other massive companies?

Answers on a postcard?
 
Well yes, I now use a Mac. I was a Windows user for 30 years. But I would substitute the look at Unix as an alternative.
I have already said Bill Gates marketed Windows very well, so for a lot of the world we are stuck with it.
 
Let's be honest, Windows was marketed so well by Bill Gates it dominated the world. But from its beginnings as DOS it underpinned Windows for years. I gave up years ago with Windows after years of looking for drivers and patches and security systems. It seems the Microsoft team hasn't learnt a lot over the years. I am sure people will say I am wrong but I think nothing has changed since DOS; people still have upgrade problems and security issues. Let's see what the future brings.

Because no other OS has to issue regular security updates?

Crypto malware isn't limited to windows either.
 
Weird really, as working in IT for 17 years I've never had any of the systems I've looked after hacked.

I have been through many major organisations (as IT end user) and I have seen nothing but major problems with Windows systems. Frequent viruses, failed backups, downtime, and impossible to deal with IT support out la la land.
 
I have been through many major organisations (as IT end user) and I have seen nothing but major problems with Windows systems. Frequent viruses, failed backups, downtime, and impossible to deal with IT support out la la land.

.. and there has been one constant throughout all that time..
 
I have been through many major organisations (as IT end user) and I have seen nothing but major problems with Windows systems. Frequent viruses, failed backups, downtime, and impossible to deal with IT support out la la land.

I've worked for many large organisations for over 20 years with Windows, never seen a single virus. Have seen a fair bit of downtime but not one minute has been Windows related.
 
I have been through many major organisations (as IT end user) and I have seen nothing but major problems with Windows systems. Frequent viruses, failed backups, downtime, and impossible to deal with IT support out la la land.

Funnily enough, every infection and CryptoLocker encryption I've dealt with across our 12,500 Wintel Server and 40,000 Windows client estate has been the result of a numpty user clicking links or opening attachments that they shouldn't have. Weird that.
 
Well yes, I now use a Mac. I was a Windows user for 30 years. But I would substitute the look at Unix as an alternative.
I have already said Bill Gates marketed Windows very well, so for a lot of the world we are stuck with it.

The desktop OS is only the front face of the user experience; Apple have ZERO back end system to compete with Microsoft.
 
Linux and Unix have their place, but in an environment where you want easy admin and integration of user accounts, email, file and print, system deployment, policy and software deployment etc. etc. etc., Windows Server and desktop still wins.

When you drop around a billion for an IT contract you can develop pretty much any interface and backend for linux you may ever want or need. This is not to say the standard linux environment is much lacking in any way other than specialist apps you are paying for to write anyway.

This is all about the lack of "can do" attitude as well as lobbying from MS and related consultancies. It is almost like we lived in a world where business users were only supposed to drive Ford cars :)
 
Funnily enough, every infection and CryptoLocker encryption I've dealt with across our 12,500 Wintel Server and 40,000 Windows client estate has been the result of a numpty user clicking links or opening attachments that they shouldn't have. Weird that.

On a secure and well maintained system, a dumb click shouldn't immediately result in infrastructure-paralysing infection. Maybe Windows can be secured, I don't know; however that would clearly require advanced tweaking and specialist security software. Once you do that you will inevitably lose user friendliness. When Win7 introduced the admin privilege elevation screen most users would disable that. While it makes sense to only allow limited accounts to most users, admin is usually the default, etc. I will also give Apple some stick too as they by default open admin accounts on new installations. This is a horrible practice.
 
On a secure and well maintained system, a dumb click shouldn't immediately result in infrastructure-paralysing infection. Maybe Windows can be secured, I don't know; however that would clearly require advanced tweaking and specialist security software. Once you do that you will inevitably lose user friendliness. When Win7 introduced the admin privilege elevation screen most users would disable that. While it makes sense to only allow limited accounts to most users, admin is usually the default, etc. I will also give Apple some stick too as they by default open admin accounts on new installations. This is a horrible practice.


The whole point of limited access and then elevated User Access Control is to prevent the installation/spread of malicious content. If users bypass that or kick up a fuss because they believe that they're important enough to have full admin access, they should also be intelligent enough to not open unknown attachments and allow them to run. Unfortunately, the best preventative measures are useless if the end user still clicks on links blindly.
 
When you drop around a billion for an IT contract you can develop pretty much any interface and backend for linux you may ever want or need. This is not to say the standard linux environment is much lacking in any way other than specialist apps you are paying for to write anyway.

This is all about the lack of "can do" attitude as well as lobbying from MS and related consultancies. It is almost like we lived in a world where business users were only supposed to drive Ford cars :)

It's pretty clear you've never managed any sort of IT Infrastructure.
 
There are no excuses for not patching and not upgrading; it only takes money. The NHS, like quite a few organisations, has very poor advice.
I have been working in IT now for almost 30 years and have seen it so many times it is tedious.
Computers are not one time purchases, it is all about the upkeep.

Makes me laugh, all the recent threads from the Windows 7 people who refused to upgrade.

I've never upgraded - in fact my Win7 can't upgrade unless I install the upgrade to upgrade the upgrader!

I use it on my host machine and use multiple VMs which run XP which I gutted with NLite and also cannot upgrade.

On the "real" PC I use Avast free and also inside all VMs.

I also use VPNs on both.

There is no browser on the "real" PC so all browsing is done inside VMs using Firefox.

And nothing important is on the PC everything is backed up to external HDDs which are only connected when needed.

This arrangement has never been hacked and even if the complete PC was compromised all I have to do is shred everything and re-install Win7.
 
And some EPOS still run embedded XP.

All about mitigating the risk though. ATM will be on the bank's secure network and not just hooked up to the internet.

EPOS too, most retailers will tunnel back to HQ.

But banks have also been hacked I believe.
 
I've just been passed this clarification from MS (the company I work for are a Global Partner and this came from our TAM);

[Attached image: upload_2017-5-15_13-21-55.png]

As above, it's not down to the OS specifically. If you haven't got the latest updates on Windows 10, you're just as vulnerable as someone on XP who hasn't manually installed the KB.
 
Yep, it's not to do with Windows explicitly, because Windows was patched.

The NHS is still on Windows XP, and it's out of support, so they don't get the patches. They could have had extended support, but the current government didn't want to pay for it.
 
Occasionally updates can go a bit wobbly and need a second attempt but after 2-3 years your security updates will be massively out of date.

What about after 10 years or more (My Win7) and 15 or more (my XP Pro)? :(:)
 
Yep, it's not to do with Windows explicitly, because Windows was patched.

The NHS is still on Windows XP, and it's out of support, so they don't get the patches. They could have had extended support, but the current government didn't want to pay for it.

Well, less than 5% is on XP but the other 95% are also at risk if they haven't rolled out the patch via SCCM or Windows Update.
 
* Michael Fallon reassured the UK public that the Vanguard-class nuclear missile submarine fleet were safe from the Win XP exploit because they are still running Win 95.

:LOL::LOL::LOL:
 
I have been through many major organisations (as IT end user) and I have seen nothing but major problems with Windows systems. Frequent viruses, failed backups, downtime, and impossible to deal with IT support out la la land.

Then you've been in some appallingly low rent organisations.

How many of them had over 10,000 seats?

How many of them were business critical 24/7 operations, and when I say business critical, I mean life and death?

Or major financial institutions where hundreds of thousands could be lost in an hour's downtime.


Frankly it's once more obvious who's in la la land
 
Well, less than 5% is on XP but the other 95% are also at risk if they haven't rolled out the patch via SCCM or Windows Update.

Well, this article suggests a lot more are on XP than that: https://www.theregister.co.uk/2016/12/08/windows_xp_nhs_still/

However, the back end systems probably aren't. The damage will be to the terminals people are using, but it won't be able to touch databases or back end systems as they're probably not Windows-based at all. Which may be what counts for your figure? I'm not sure. Either way, the damage will cause disruption, but no real data will be lost unless something managed to damage the databases, and I assume there are several backups of these. Hopefully at least one being airgapped.

ETA: Misread it, 90% of *trusts* still using XP.
 
Here's something I don't understand about the NHS IT infrastructure.

Their official statement on Friday's events [1] says that 4.7% of NHS PCs run Windows XP. But back in 2014, when mainstream support for XP ended, it was reported [2] that the NHS in England had 1.086 million PCs running XP. With a headcount of around 1.2 million that implies that probably around 90% of PCs were still on XP then. So if they've managed to get down from 90% to under 5% in 3 years, why was it still at 90% in 2014?

[1] https://digital.nhs.uk/article/1493/UPDATED-Statement-on-reported-NHS-cyber-attack-13-May-
[2] https://www.theregister.co.uk/2014/02/12/nhs_microsoft_win_xp_extended_support/
 
  • Windows is popular partly because of market dominance, partly because it's what users are used to, and mostly because it just plain works 99% of the time for 99% of uses.
  • Mac OS is just as vulnerable, it's just a lot less attractive as a target because it's not as dominant in the workplace.
  • Linux and its ilk are so niche it's not worth the effort of targeting.

But the point that's being missed is this. Regardless of what OS the affected organisations were using, they all share the common situation that they cannot just roll out OS upgrades on a weekly basis.

Now there will be some here too young to remember the Millennium Bug scare of the late '90s. To the innocent observer it would appear that nothing much happened, a few minor systems suffered problems but by and large IT systems ticked over to the new century without hitch. But what wasn't seen was millions of man-hours spent nationally checking over systems, upgrading and patching, developing mitigations, replacing systems, and where necessary isolating known problems to localise the impact.

If you run a safety critical system (medical device software controllers, ambulance dispatch system, medical records repository, nuclear submarine*, power station, etc.) you face a Millennium Bug challenge with every patch/upgrade to the OS. These are situations where driver incompatibility isn't as trivial as an update roll-back.


* Michael Fallon reassured the UK public that the Vanguard-class nuclear missile submarine fleet were safe from the Win XP exploit because they are still running Win 95.

Commonly known as "Windows for Warships"
 
Not necessarily. That article says that 90% of trusts still use XP, not that 90% of trusts' PCs use XP.

Yeah, I just came back to edit as I realised I'd misread it :)

Wouldn't surprise me if it was just the machines on the front desks, but still disruptive to service
 
On a secure and well maintained system, a dumb click shouldn't immediately result in infrastructure-paralysing infection. Maybe Windows can be secured, I don't know; however that would clearly require advanced tweaking and specialist security software. Once you do that you will inevitably lose user friendliness. When Win7 introduced the admin privilege elevation screen most users would disable that. While it makes sense to only allow limited accounts to most users, admin is usually the default, etc. I will also give Apple some stick too as they by default open admin accounts on new installations. This is a horrible practice.

Worse than that, Apple have been known to not bother patching security updates for 18 months or so. But that's fine, because their marketing has convinced people that Windows updating on a regular basis is a bad thing!
 
So if they've managed to get down from 90% to under 5% in 3 years, why was it still at 90% in 2014?

When an organisation the size of the NHS decides to do something it's like a supertanker, things start to move slowly but develop a lot of momentum once they get going.
 
When an organisation the size of the NHS decides to do something it's like a supertanker, things start to move slowly but develop a lot of momentum once they get going.

I guess so. And they won't have had much experience of doing really widespread systems migrations, so they could easily have underestimated how long the supertanker would take to get moving. That's understandable.
 