WannaCry Over Spilled Data

The WannaCry ransomware attack has highlighted a serious problem. If there is negligence in your IT strategy, you are increasingly risking the functioning of your organisation and the privacy of your customers. If you are careless with data you don’t own, of which you are legally only the custodian, or if you store personal information in ways that are against the law, then you face an increasing risk of prosecution.

The WannaCry attack wasn’t exactly ‘targeted’ as far as we know. America was remarkably unaffected, as was most of European commerce. It was discriminating only in that it could attack organizations with chaotic IT: organizations that, despite warnings, were storing departmental data, organizational data and sensitive personal information on PCs with unpatched operating systems. This data should have been placed on a server, secured, backed up, audited, and subject to planned high-availability and disaster-recovery arrangements.

The security aspects of WannaCry are interesting. Exploiting a known vulnerability in Microsoft’s Server Message Block (SMB) file-sharing service on unpatched versions of Windows XP, the WannaCry virus could encrypt every file visible to the user, including files reachable over a network connection. It could also have copied anything it considered valuable to a remote server. One hopes that the NHS networks would have spotted this traffic.
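The two SMB traffic patterns a network team would want to spot are the ones mentioned above and in the comments that follow: TCP/445 reaching internal hosts from outside the perimeter, and one internal host opening TCP/445 to many peers as it tries to spread. The detector below is an added example, not code from the article; it runs over constructed flow records in an assumed "time src dst dport proto" format and treats the RFC 1918 ranges as the internal network.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (assumed format: "time src dst dport proto"),
# not real NHS traffic. 10.20.1.0/24 plays the internal LAN; 203.0.113.45 plays
# an outside address hitting the perimeter.
SAMPLE_FLOWS = """\
2017-05-12T08:01:03Z 203.0.113.45 10.20.1.2 445 tcp
2017-05-12T08:01:04Z 203.0.113.45 10.20.1.3 445 tcp
2017-05-12T08:01:09Z 203.0.113.45 10.20.1.2 443 tcp
2017-05-12T08:02:10Z 10.20.1.7 10.20.1.8 445 tcp
2017-05-12T08:02:11Z 10.20.1.7 10.20.1.9 445 tcp
2017-05-12T08:02:11Z 10.20.1.7 10.20.1.10 445 tcp
2017-05-12T08:02:12Z 10.20.1.7 10.20.1.11 445 tcp
2017-05-12T08:02:12Z 10.20.1.7 10.20.1.12 445 tcp
2017-05-12T08:03:00Z 10.20.1.30 10.20.1.5 445 tcp
2017-05-12T08:03:01Z 10.20.1.30 10.20.1.5 445 tcp
malformed line that the parser must skip
"""

# RFC 1918 ranges stand in for "our network"; a real deployment lists its own.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def parse_flows(text):
    """Yield (src, dst, dport) for well-formed TCP records; skip anything else."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[4] != "tcp" or not parts[3].isdigit():
            continue
        yield parts[1], parts[2], int(parts[3])

def exposed_smb_hosts(text):
    """Internal hosts reached on TCP/445 from outside: SMB open through the perimeter."""
    return {dst for src, dst, dport in parse_flows(text)
            if dport == 445 and not is_internal(src) and is_internal(dst)}

def smb_fanout(text, threshold=5):
    """Internal sources that opened TCP/445 to at least `threshold` distinct internal
    peers: the scanning fan-out a worm produces when spreading over SMB."""
    peers = defaultdict(set)
    for src, dst, dport in parse_flows(text):
        if dport == 445 and is_internal(src) and is_internal(dst):
            peers[src].add(dst)
    return {src: len(d) for src, d in peers.items() if len(d) >= threshold}
```

On the sample, `exposed_smb_hosts` flags 10.20.1.2 and 10.20.1.3, and `smb_fanout` flags 10.20.1.7 (five distinct peers) while ignoring 10.20.1.30, which only talked to one file server repeatedly.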

I happened to call into my dentist the morning after the attack. All their systems were down, not because of any attack, but because the part of their network that was shared with the NHS was down. Was that overload? Has the healthcare data of the entire UK population been copied to the dark side of the web? I have no idea, but we know for certain that highly sensitive private data was wide open to what was frankly quite an amateurish attack. For a private company, this would risk prosecution by the Information Commissioner’s Office.

We also don’t know who else may have exploited this SMB vulnerability, when, or how. We may have to wait a while before finding out. There is often a long time between a data breach and the confirmation that the data was made public: six months (Trillian) is not uncommon. The patients of the National Health Service have a right to know a lot more about how their data is held because, even if no data was stolen this time, important databases were compromised, with personal data rendered unavailable for the purposes for which it was collected.

Is the WannaCry incident a wake-up call for the industry? Certainly, it serves to demonstrate that cowboy IT practices that neglect both security and sensible backup really do harm organizations and their customers.

Commentary Competition

Enjoyed the topic? Have a relevant anecdote? Disagree with the author? Leave your two cents on this post in the comments below, and our favourite response will win a $50 Amazon gift card. The competition closes two weeks from the date of publication, and the winner will be announced in the next Simple Talk newsletter.

  • Cela

    From what I read it was Windows 7 machines that mostly were hit with this ransomware. Also, you gotta wonder why so many systems had port 445 publicly open to begin with. In my eyes, if nobody had SMB open externally, this wouldn’t have happened to begin with.

    • William Brewer

      I’d have thought that any Windows networking, including printer sharing, would require SMB port 445 to be publicly open (please correct me if I’m wrong!). I’m relying on certain ‘freedom of information’ requests to the NHS trusts for saying that XP is still being used, but this could be out of date now. The point I’d want to make is that PCs, however well patched, aren’t ever a suitable place to hold this kind of private information about patients. A server can easily have 445 closed, I’d have thought. http://practicalrambler.blogspot.co.uk/2011/10/how-to-close-port-445-in-windows-7.html

      • Cela

        Not quite, you’d need SMB open internally to do file and print sharing on your network. Outside access should be prevented by your perimeter router/firewall.

        The link you provided describes disabling the “Server” service, but Windows Firewall should (I believe) block access to SMB by default, and create an exception if file sharing is enabled automatically.

        Also, I agree that an endpoint device shouldn’t ever hold client information; in this case, however, once an endpoint device becomes compromised, it will have access to everything in the corporate network as well, including file shares. It’ll encrypt everything it can read/write to. If you are on a corporate network and want to expose any ports publicly, such as a web server enabling outside access via 80 or 443, then you’d want to be in a DMZ. That way, even if it gets compromised, it won’t affect any of the other devices on your corporate network as it will be on a different network entirely.

  • Annieo

    Agreed …

  • willliebago

    The technical debt finally became due. Literally! Hopefully, one of the Windows administrators had been clamoring to get the patches on the list of things to do, but never got the time because of “higher” priorities. Upper management was probably pushing for more and more servers for new and exciting things. What executives heard is probably “IT is requesting to provide deliverables at 50% for the next three quarters”. Hopefully, organizations do wake up and consider security more than technical debt even though there isn’t an immediate ROI.

  • Keith Rowley

    As with so much in the world, this comes down to funding. The NHS is notoriously underfunded for actually treating people, so it’s not unexpected that it lacks the IT funding to do things right.

  • AlexGay

    What most people in the UK don’t realise is that the NHS is not one large monolithic organisation; it is a series of independent healthcare providers, known as NHS Trusts, and a few national Government organisations that provide “Leadership and Guidance” as well as managing the larger national infrastructure projects like the NHS Wide Web (NWW), which links all healthcare trusts to the national spine service, which in turn provides access to the Secondary Use Service (SUS), the national repository of (pseudonymous) patient data that can be used for purposes not directly relating to patient care, but that are essential to support the NHS Business Model. Each individual NHS Trust is only allowed access to data on patients that they treat (so a random staff member cannot request your health records).
    The problem with the ageing IT estate is that there is no centralised strategy for managing hospitals; each Trust is responsible for its own infrastructure, out of its own budget. To throw a further spanner into the works, some of the big national projects ordered by previous administrations had it written into their requirements that they must work with IE6 (which was the latest version at the time), but a few years of planning and then the 5-10 years of the contract with the suppliers to implement and support the products nationally has left essential core systems only capable of running on what is now an outdated and unsupported operating system.
    I won’t go into the prevalence of Windows XP Embedded in big-ticket diagnostic equipment such as CT scanners and MRI suites which, at multi-million pounds, are expected to have a working lifetime far in excess of the OS’s official support period.

  • glenfitch

    There are more such attacks to come. The NSA had several exploits in their armoury that somehow got to the dark side of the web. They’re on GitHub now. WannaCry uses NSA’s EternalBlue and DoublePulsar exploits. EternalRocks is the latest exploit to emerge, though it seems to be benign at the moment. It evidently spreads using the NSA’s EternalBlue, EternalChampion, EternalRomance and EternalSynergy SMB exploits, along with NSA tools used for spying such as DoublePulsar, ArchiTouch and SMBTouch. There is no option but to patch. All these attack tools are in the public domain.

  • Dave Poole

    The cost of an MRI scanner means that it has to have a life of 10+ years.
    Given that it’s a machine with a tightly defined function, no-one expected to have to upgrade its user interface or software.

    The budgetary issues are smoke and mirrors. First it gets blamed on cuts; then it turns out that it’s a shift from paying with capital expenditure to paying out of operational expenditure; then it turns out both budgets are irrelevant because a specific budgetary provision for IT had been made separate to the normal budget pots, and the NHS Digital budget has been increased, not decreased.

    What it really boils down to is a lack of sufficiently broad management experience. This leads to a lack of understanding as to what the essential foundation stones are, and IT vanishing up its own ports in a fit of CV-driven development.

  • rogerthat

    Until management sees the preventative maintenance aspect of custom and 3rd-party software as being as vital as the maintenance of any other equipment, the lessons will be as hard as failed brakes on an automobile.

  • Peter Schott

    Was reading today that some white hat hackers decided to help by porting WannaCry to Windows 10. Not sure how that’s helpful, but yay for more platforms to affect?

    As for whether this will be a wakeup call or not – it’s hard to say. I remember SQL Slammer hitting and that got attention, was patched, and things changed a little but not a lot. Maybe the thought of losing every important document for the company is enough to increase security, but I think that will always be balanced against convenience. Too much security can lead to people finding ways around it. Too little and you’re infected before you realize it. Worse are the ones who set the policy but demand exceptions for themselves or give in to exceptions for the “important people” who then don’t pay attention to the details and bring the infection in.

    The company I’m at now takes security pretty seriously, even though we’re likely small in the bigger scheme. We got warnings shortly after the outbreak became public, but regularly get reminders anyway about what websites we visit, what we download/install, getting strange emails, and so on. We have anti-malware scanners and anti-virus scanners on the machines that are kept up to date and run scans one way or another, even if the machines are turned off. Those can’t stop everything, but the combination of reminders, regular training, very quick blurbs in the all-hands meetings, and the software do help. Add in backups in case of something really bad and we’re better than some other companies.

    I’ve had to deal with a friend getting the “FBI Warning” malware that just moved/hid their docs and files a while back. Took me a couple of days to find and fix everything, but got it back and running eventually. I installed the latest/greatest anti-malware, gave some quick training on avoiding that stuff, and gave the PC back. I think they were hit one more time by something not quite as bad and haven’t been affected by anything since. Saw similar things with an older friend of ours after he let the grandkids play on his machine. Cleaned it up and cautioned him about letting the kids have free rein. 🙂