There are several very important lessons to be learned from the recent enormous ransom-ware attack
(reported here, by the BBC), which
affected at least 99 countries, and had huge impact on the National Health Service (NHS) in the UK.
The attack was a worm (not a virus), meaning that infection passes directly from one networked device to another, without the need for
any user interaction (being careful about what email attachments you click on is no protection).
The attack was stopped, in part, by the efforts of a UK security researcher "MalwareTech", who found a "kill-switch coded into the worm. This kill-switch
will prevent new devices being affected by the worm, but will not decrypt already infected devices.
- Firstly, it is a timely reminder for everyone, even people who do not own a computer, smartphone or other computational device, that
the modern world is full of cyber-threats and that there is no way to guarantee protection from them. The chaos caused in the NHS shows that people's
lives can be severely disrupted, including lives put at risk, by attacks on our infrastructure. If you own or administer computers, this is a reminder of
how vital it is to take regular and frequent back-ups, and to keep those devices up to date (security patches and updates to anti-virus and firewall
software).
- It is also a reminder that organisations such as the
National Security Agency (NSA) in the USA,
who developed the hacking tool upon which this ransom-ware worm was based,
cannot keep anything secret, and cannot be trusted to develop or use such technology.
It is no use blaming WikiLeaks for publishing data on the hacking tools that the NSA had developed (as far as I know, they did not publish the actual code);
the NSA themselves are to blame for being insecure. Maybe the UK government should sue the NSA, on behalf of the NHS, for the damage caused by
them letting the exploit code leak into the wild.
- One thing to note is that the NSA, and similar organisations around the world, do not seem to be under any legal obligation to notify vendors such as
Microsoft about security holes that they find. Nowadays there are many so called white-hat hackers who, when they find a security vulnerability, notify
the responsible vendor, and give them a month or more to roll out a repair before publishing their discovery; the NSA doesn't, and the reason is that
they want systems around the world to remain vulnerable so that they can hack them themselves. If the NSA were not so leaky, this wouldn't be such a problem, but sadly
they are notoriously insecure. Microsoft themselves are warning (here)
about the dangers caused by governments storing data on software security vulnerabilities.
- Another rather important lesson here is that an obsolete operating system like Windows-XP should never be used for mission-critical purposes. It has,
officially, not been supported by Microsoft for years, and is seriously insecure (and not just because it is a Microsoft product). These PCs
should have long ago been upgraded or replaced to something more secure and under support. Personally, I would never recommend any version of Windows
for any use where security is important (Linux is inherently more secure, cheaper, and faster), but if you really want to use Windows, at least make sure it is
current and supported.
- There is also an important lesson for the UK government (or maybe for the voting public).
This report by the Mirror describes
how the government cut the support which they had been providing for all these obsolete Windows-XP computers in the NHS about a year ago; this
despite ample warnings of the cyber-security risks: the Government Digital Service, decided not to extend a £5.5million one-year support deal
with Microsoft for Windows XP. What they did not do, however, is provide central funds for replacement or upgrade, nor did they put in place a centrally
managed and funded replacement/upgrade programme; they simply told the NHS that they should take care of the problem themselves. This was arrogant
and financially motivated irresponsibility of the highest degree. If the support from Microsoft was to be continued, the cheapest and most effective way
to get it would have been through a contract with the UK government, not by piecemeal contracts with individual NHS bodies; if the PCs were to be upgraded
or replaced, again, the cheapest and most effective solution would have been a centralised programme. This situation just highlights how cheaply
the UK government values the lives and health of the populace.
As far as I know, no NHS patients died or suffered other major harm due to the cyber-attack; that is pure luck, and next time (because there will
certainly be a next time) we may not be so lucky. We have a whole host of services (electricity generation, including control of nuclear power stations,
electricity distribution, water distribution, flood prevention, mobile phone, emergency services, Internet services, traffic control, air-traffic control,
weather forecasting, weapon system control, etc.),
most of which are essential and many of which are safety-critical, which depend on computers. Hacking is relatively easy (you can buy kits to develop
hacking tools fairly cheaply) and preventing it or repairing the results is hard, expensive and time-consuming. The world really needs to learn the lessons
from this attack, urgently.
|