The NSA's hack on old Microsoft operating systems has been weaponised and released onto the internet, most publicly and massively impacting the UK's NHS, which had taken the decision not to move forward from Windows XP, a product for which support by its authors ceased in 2012.

  1. This was meant to be quick and a source list for a blog article, but as ever it took too long.
  2. An internet worm was unleashed over the weekend, implementing a ransomware attack. The targets and propagators were old versions of Windows, specifically those that Microsoft no longer supported: XP, Vista and Windows Server 2003.
  3. This was reported by the BBC, the Register and Glynn Moody.
  4. Ross Anderson, one of the UK's leading civilian IT security researchers, if not the leading one, is a bit more sanguine about the impact and catalogues some of the news stories' inaccuracies.
  5. He also deals with the intelligence services' culpability.
  6. Many papers caught the international political aspect: that the vulnerability was discovered by the NSA, kept secret rather than fixed (contrary to the advice of Obama's NSA review group), then stolen from the CIA by the Russians and published via WikiLeaks. Scary stuff, eh? And we read of some surprising overreactions ...
  7. Ars Technica reports in two stories.
  8. But Amber Rudd, who is leading politically for the government, suggests that patient records may have been lost.
  9. And because I was so slow to publish, I get to share this, which says it's W7 that was the problem, not XP; shame for me with the anti-Tory agenda.
  10. I should add that W7 was supported and the patch was therefore available. This is a problem with patching policy, not necessarily money.
  11. The Source & Response

  12. The source of the code that caused this catastrophe would seem to have been leaked/stolen from the NSA. I mention this above, but the story was also reported by the Register.
  13. Microsoft released patches for their supported OSs once the Shadow Brokers released the hack: they fixed the vulnerability on the systems for which they had stated they were issuing security patches, and over the weekend they also back-ported the fix to XP & W7.
  14. The ORG points at GCHQ's role in all this, as they criticise the lack of a plan following the theft.
  15. Why were they still using this obsolete software?

  16. The decision that the NHS stay on XP and WS2003 was deliberate and based on cost; we cannot know whether a cost-based risk assessment was carried out.
  17. Old systems are more vulnerable because attackers have had more time to find their weaknesses, and at some point the authors/copyright owners stop fixing the vulnerabilities that are found.
  18. The Mirror covers the NHS management's and the political culpability here, as does the Guardian.
  19. Sky also covers this, although the headline is misleading, since the patch for the vulnerable operating systems was not available until this week.
  20. Tim reports Amber Rudd, of hashtag fame, suggesting that patient records may have been lost, compounding the availability failure (see above also).
  21. Good Defence

  22. Standard good practice states the importance of applying vendor security patches and abandoning out-of-date software. These are key controls specified as part of ISO 27001; it's not as if we don't know how to prevent this attack. Regulated industries are asked whether they perform this work and are fined or sanctioned if they don't. The lesson for all CIOs (and Boards) is to take full-spectrum IT security seriously: this is not à la carte dining where you only have what you want. Defenders have to be right all the time, the bad guys only have to get it right once, and in this case they had some very well equipped helpers. The second lesson is that governments are no better at keeping your secrets than you are, as proven by the fact that the code seems to have come from the NSA. Probably best not to give them legal privilege and backdoors to perform activities which would be illegal if conducted by private individuals or companies.
  23. ISO 27001 control 12.6, part of the operations security section, specifically mandates the use of up-to-date software.
  24. If this were a private sector concern, the regulators would be asking why the decision was taken. Across all industries the Data Protection Act requires that systems have adequate technical protection against availability failures, and in large banks such a decision would also lead to failures in their "Living Wills" compliance.
  25. I am somewhat sad that I can't embed Medium articles, but this by John Elliot also explains how we got here and sets out the questions to be answered.
  26. Consequences

  27. Let's start to finish on a slightly lighter note: the IT Crowd recognised the weakness in Microsoft Vista.
  28. "We're Going to Die!"
  29. Rather Frighteningly

  30. But more scarily, another version of an old Windows product is used to run Britain's nuclear deterrent. This is another proof point that the NSA should have told Microsoft, and that failing to do so jeopardises, well, everyone.