The world and its dog have been bashing away at reporting the recent cyber / security / hacking / terrorism / world-ending / NHS-targeting / death-to-all-humans computer worm which did the rounds last week (pick whichever title you want; I'm sure they've all been used). The problem is that while most of the reporting has been accurate to at least some degree, pretty much all of it, even some from respected technology websites, has been over-sensationalised and misleading. Let's look at some of the facts & hype in this case:

1) This "cyber attack" was terrorism. It was carried out by x country. It was aimed at y country / organisation. It was a "global coordinated ransomware attack on thousands of private and public sector organizations across dozens of countries"
WRONG - this was just a computer "worm" (a program which exploits a bug to infect and spread amongst PCs) which was designed to earn the perpetrators money. Very similar worms which encrypt files have been doing the rounds for the last couple of years.

2) The worm was aimed at the NHS.
WRONG - it was just a worm which attacked vulnerable Windows computers, anywhere on the planet. It targeted anything it could get into, it didn't discriminate.

3) The worm could only attack Windows XP.
WRONG - it could attack any unpatched version of Windows up to Windows 10. (so XP, Vista, 7, 8, 8.1, Server 2003, Server 2008, Server 2008R2, Server 2012, Server 2012R2)

4) Jeremy Hunt caused this worm to spread in the NHS.
WRONG - while his cancelling the NHS contract with Microsoft (for security patches for XP) certainly didn't help, it was up to the NHS and the individual trusts to update their computers to something more modern than XP.

5) If I left my PC turned off over the (last) weekend, I'm safe.
WRONG - this worm is still spreading around the internet and will still infect any computers which remain accessible and are unpatched.

6) The NSA instigated this attack.
WRONG - while the Windows exploit which this worm attacked was indeed discovered by the NSA, and the actual code used to create the worm was also written by the NSA, they did not release the code "into the wild". You've got a group called The Shadow Brokers (who are likely to be Russian) to thank for that one.

7) But it's fine now. That "accidental hero" fixed it.
WRONG - While it is true that a computer security engineer did stumble upon a reference to a domain name in the [already] reverse-engineered code that makes up this worm and subsequently registered that domain; he didn't know what doing that would achieve at the time. It was luck that this domain name turned out to be a "kill switch" in the software. However, the original miscreants who wrote the code (or actually, anyone else after making a few bucks) have now altered the code within WannaCrypt so that it no longer pays any attention to that domain name. It will still spread to any unpatched PC it can find!

8) Microsoft should have patched this years ago.
PARTIALLY WRONG - Yes, Microsoft should have patched this years ago; unfortunately the NSA didn't tell them about the vulnerability as the NSA were actively using it, and the tools they wrote, to spy on people's computers throughout the world. When Microsoft were told about the vulnerability (in February this year), they wrote patches for all their OS versions and released those patches for supported versions of Windows in the March "Patch Tuesday" updates.

9) You should use a mac. Macs aren't vulnerable; Windows is crap.
OH YOU POOR DELUDED FOOL - while in this particular case the MacOS was not vulnerable, if you are stupid enough to believe that age old lie of "Macs don't get viruses", you need to put your head in the sand and disconnect your computer from the internet. Oh wait; as you're using a mac, you're probably browsing the internet with Safari, so loads of it won't work anyway. And let's not forget; there's a different internet specifically for macs, isn't there?


OK, enough of the joking around; what's the actual analysis of the WannaCrypt outbreak?

The primary issue with WannaCrypt is that sysadmins haven't patched the affected versions of Windows. Bearing in mind that this includes Windows 7 (and the associated server products), pretty much every version of Windows needed patching. What this tells us is that the age old issue sysadmins have of "not being allowed" to patch systems because companies have unrealistic uptime demands is indeed a major issue. Every sysadmin knows this and they've doubtless been telling their bosses for years. Unfortunately those bosses rarely listen.

Microsoft released the SMB1 patch in March 2017, so there's really no reason why it hadn't been applied to systems before May!
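As an added example (not code from the original post), here is the kind of check a sysadmin can run on a Windows host to answer the two questions that mattered in May 2017: is the March 2017 SMB1 fix installed, and is SMB1 still enabled? It assumes PowerShell 4 or later on Windows 7 SP1 / Server 2008 R2 or newer; the KB numbers are Microsoft's March 2017 (MS17-010) identifiers for Windows 7 / 2008 R2 and are an assumption to confirm against the bulletin for other OS versions.

```powershell
# Added example, not from the original post. KB list is an assumption: these are the
# MS17-010 identifiers for Windows 7 SP1 / Server 2008 R2 (KB4012212 security-only,
# KB4012215 monthly rollup). Other OS versions have their own KB numbers.
$ms17010Kbs = @('KB4012212', 'KB4012215')

function Test-Ms17010Installed {
    # $true if any listed hotfix appears in the installed-updates list. A later monthly
    # rollup also carries the fix but may not list these IDs, so treat $false as
    # "confirm manually", not as proof the host is unpatched.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $ms17010Kbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Test-Smb1Enabled {
    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later. On
    # Windows 7 / 2008 R2 fall back to the LanmanServer registry value Microsoft
    # documents for disabling SMB1 (value absent means SMB1 is enabled by default).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $val) { return $true }
    return [bool]$val
}

$patched = Test-Ms17010Installed
$smb1    = Test-Smb1Enabled

# Unpatched AND still speaking SMB1 is exactly the exposure the worm used.
[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    Ms17010Patched    = $patched
    Smb1Enabled       = $smb1
    ExposedToWannaCry = (-not $patched) -and $smb1
}
```

Run it under an elevated prompt (Get-HotFix and the SMB cmdlets need admin rights), or wrap it in Invoke-Command to sweep a list of hosts and collect the objects into one report.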

For example, in my previous place of work, the person who had ultimate say in whether we could perform any maintenance during business hours (out of hours work was not officially allowed, was unpaid, and we certainly weren't going to make a habit of doing it) absolutely refused to allow any systems to even be rebooted. Thus, patches tended to pile up for 3 or 4 months at a time before we'd be able to patch systems. However, in my current place of work, the IT director, who does have ultimate say on system availability, had (and still has) absolutely no idea what patches have or haven't been applied to what systems (this is not due to any communications issues); thus it was very easy for me to build in a couple of subtle system reboots at quiet times to make sure all patching was (and continues to be) at most a week behind patch availability.


Here are some useful links:

Cisco's Talos Intelligence report into WannaCrypt

No More Ransom

Today's Weather
