The world of information technology is reeling from last week’s massive ransomware attack that affected machines all over the globe. The WannaCry program is a malicious software that infects Windows computers taking advantage of a security flaw that was made public earlier this year by a hacking collective called the Shadow Brokers. The flaw is believed to have been created by the NSA to exploit a flaw in the Windows Server Message Block (SMB) protocol, which allows an attacker to gain control over the computer’s main functions. The WannaCry software infects computers and encrypts all of their contents, displaying a warning message telling users to pay a ransom in Bitcoin to regain access to their files. At the time of writing the spread of the malware had been devastating, infecting more than 230,000 computers in over 150 countries, and particularly affecting the UK’s national health service badly.

It is possible to learn many lessons from the attack. The security flaw was released over two months ago, which prompted a quick response from Microsoft to plug the exploit with a quick update. However, it has become clear that millions of machines were left unpatched, making it easy for hackers to target them and take control of the systems. People do not update their systems regularly, particularly old Windows systems that are still widely in use all over the world. Patching and keeping a system updated must become a priority of anyone with a computer, and businesses should be particularly held to account over failures to perform such actions.

The UK government has been particularly neglectful in this regard. It is incredible that hospital computers performing vital functions such as X-rays and storing test results were using outdated software and were left unpatched. It boggles the mind that any mildly competent IT department would leave such important services open to attack, and it tells a story of just how low of a priority cybersecurity is for many people in power. Things are even worse when we consider that the government was warned last year about precisely this issue, and still failed to take action.

The US government is guilty of making it easier for hackers to massively take advantage of security flaws by reportedly stockpiling such exploits to gain access to enemy systems. It has become clear that the NSA either created the EternalBlue flaw, or it learned about it and kept it secret until it was leaked. Either way, this shows a disregard for collective cybersecurity of monumental proportions. To stockpile vulnerabilities and keep them in less than secure locations is akin to keeping missiles where they can be easily taken by the public.

But perhaps one of the most interesting aspects of the WannaCry attack is that it serves as a reminder of why we should continue to deny those who favour the creation of government-mandated backdoors to technologies. If you recall, the UK government was very vocal not long ago about the fact that they do not have access to encrypted conversations from potential terrorists. The problem with that argument is that to gain access to those communications, you need some sort of backdoor that could very easily be leaked by hackers, just as the EternalBlue fault was leaked. The argument that only governments will use exploits has been shown to be the big fat lie that many of us warned against in the first place.

Perhaps the next time a terrorist atrocity takes place, politicians will not rush to score quick political points by asking for access to communications. If they do, we can point out to WannaCry as evidence of just how misguided they are.


4 Comments

Avatar

Richard Johns · May 18, 2017 at 1:08 pm

Speaking as someone who works in one of the “mildly competent” NHS ICT departments, the issue isn’t that we don’t bother to patch, or don’t care about the impact of not patching. The issue is that some of the older applications that the NHS uses cannot be patched so one could say that the fault on the part of the government is in not making the necessary level of funding available to replace said systems. When it’s a choice between spending £2M on a new Laboratory IT system or replacing a few hundred hips where’s the public going to expect the money to go?

When you consider what a business like Telefonica spends on ICT systems and cyber security resources in comparison to the NHS (not to mention the fact that telecoms and the associated security is actually their core business) and then look at how WannaCry affected them and other multinationals, I’d be bold enough to suggest that given the comparatively rudimentary tools we have to work with, and the very limited budgets, the fact that the outbreak affected such a small proportion of NHS networks and systems is actually testament to what a bloody good job my team, and the rest of my mildly competent colleagues across the country, manage to do.

    Avatar

    Andres · May 19, 2017 at 11:01 am

    Thanks for the inside information, absolutely correct, it is part of the underfunding of the service. I was at an NHS hospital recently and was amused by the software, I even commented it to the doctor, who sort of rolled her eyes and said that they had the same system since she had been there.

    I still think that IT should be considered a priority investment, it helps everything else.

Avatar

arjaybe · May 18, 2017 at 4:45 pm

Richard Johns, you’re right. Yet another case of the people who stint on the resources they make available blaming the people who rely on those resources.

On another note, I remember when we (the people) expressed our concerns about the increasing invasions of our privacy — such as these back doors — and were cynically reminded that privacy is passe, get used to it. And besides, they said, if you’re not doing anything wrong, then you’ve got nothing to worry about.

Can I start worrying now?

rjb

Avatar

Ryan · June 5, 2017 at 4:35 am

To prevent WannaCry, you must: 1. Install and use an up-to-date antivirus solution (such as Microsoft Security Essentials) 2. Make sure your software is up-to-date 3. Avoid clicking on links or opening attachments or emails from people you don’t know or companies you don’t do business with 4. Ensure you have smart screen (in Internet Explorer) turned on, which helps identify reported phishing and malware websites and helps you make informed decisions about downloads 5. Have a pop-up blocker running on your web browser 6. Regularly backup your important files

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.