NHS computer systems hacked!?

Actually no. Windows XP is being used by the majority of NHS systems and it hasn't been patched and never will be because Microsoft ended XP support in 2014.

firstly

Also wonder how many systems on the NHS are still running XP and can't be updated (I'm assuming MS hasn't patched it in XP, seeing as it's long passed its support life).

Secondly, shouldn't we start fining companies who do not keep their systems secure? Companies should not be running XP at all. It's a major issue and it's grown; companies already have legal obligations to keep data secure, yet seem to get away with not doing that. If a company uses XP, it should be an open and shut case in court.
Then you would see how long it would take them to upgrade.
 
Agree with that. There is zero reason for such a large organisation to be running XP, none.

I work for a huge multinational and we are on Win10 now.
 
Biggest fallacy in IT. Attackers develop vectors for popular OSes; as market share grows for alternative desktop OSes on other platforms, attacks will be developed.

Sorry, I didn't fully explain myself; a free OS for trusts which is developed, patched and tested centrally and designed to be compatible with legacy systems via VM should help.
 
You're not a tight ass, cheap, stingy government though.

This is the thing though, how much would MS charge in reality for an upgrade to Win10 for so many PCs? They have charged me as a consumer nothing since 7! 8 was free with 8.1 and again with 10.

I have not paid in years since my original 7 retail license.
 
Actually no. Windows XP is being used by the majority of NHS systems and it hasn't been patched and never will be because Microsoft ended XP support in 2014.

Whilst this is true, it is only true for home users of XP.
You could actually enter into an extra enhanced support contract on XP Pro to extend its life; this was done because of things like the NHS, banks and ATMs. It was an expensive option but less expensive than rolling out a new OS and all the hurdles that come with it.

However, I believe that extra support ended in Jan of 2016.
 
This is the thing though, how much would MS charge in reality for an upgrade to Win10 for so many PCs? They have charged me as a consumer nothing since 7! 8 was free with 8.1 and again with 10.

I have not paid in years since my original 7 retail license.

Volume Licensing for Enterprise versions of the software and support contracts are a completely different world to your consumer one. They aren't running XP because they like it so much, it's because some other piece (or pieces) of software that cost millions over a decade ago and aren't scheduled to be replaced rely on some 16 bit component to run.
 
Agree with that. There is zero reason for such a large organisation to be running XP, none.

I work for a huge multinational and we are on Win10 now.
2 words - legacy apps.

I used to work for a national retailer; with an AS400 backend, most of the accounting plugins were only XP compatible. Upgrading the AS400 to a level where those XP plugins disappeared ran into £100,000s.

Edit - and that was for a pair of AS400 boxes. To upgrade and patch the entire NHS to current software versions, including upgrading any legacy apps? I hate to think of the cost. To the taxpayer.
 
Aren't companies able to take out support contracts with Microsoft if they still rely on Windows XP?

I'm fairly sure that's the case. MS will make patches for you if you have a special support contract.

I don't think that's the issue here.

There isn't much you can do against 'Email + attachments + end user stupidity'.
 
it's because some other piece (or pieces) of software that cost millions over a decade ago and aren't scheduled to be replaced rely on some 16 bit component to run.

This is the bit so many overlook. This can be especially a problem when there wasn't enough foresight at the time and now you are stuck with something that you might not have full source for, or relying on a programming language like obscure variants of COBOL where many of the industry professionals with relevant experience and skill have since retired, etc. Meaning a replacement can run into massive figures as anyone coming in has to build a complete understanding of your bespoke needs, potentially dealing with data formats where documentation is lost in the mists of time, etc.
 
2 words - legacy apps.

I used to work for a national retailer; with an AS400 backend, most of the accounting plugins were only XP compatible. Upgrading the AS400 to a level where those XP plugins disappeared ran into £100,000s.

But this is because it's been allowed to happen. It should be against the law and if it was you would bet that such software wouldn't be left for decades with no updates. It would be regularly worked on.
At some point we have to say enough is enough and tighten it up in law. Everyone is getting hacked left, right and centre and most of the time there's no reason for it; they use known and patched exploits. Just because some company has spent zero money for years on legacy software.
And the sooner it's addressed the better, as it would be one of those legislations that wouldn't come into force for like a decade after it's implemented, giving plenty of time for compliance.
 
But this is because it's been allowed to happen. It should be against the law and if it was you would bet that such software wouldn't be left for decades with no updates. It would be regularly worked on.
At some point we have to say enough is enough and tighten it up in law. Everyone is getting hacked left, right and centre and most of the time there's no reason for it; they use known and patched exploits. Just because some company has spent zero money for years on legacy software.

I think you underestimate the potential logistics - the company I work for has since ~2011 been updating the IT platform as a matter of some urgency - just the initial pass cost 1.6million not including hardware costs and it was basically 5 years before all the ME and XP systems could be finally removed forever.
 
Should the NSA take (some) responsibility for this mess? If I understand some reports correctly, it's being said that the malware is making use of MS17-010 which was leaked as part of the NSA tool dump. Such a serious exploit could've been disclosed to Microsoft when they found it - is it known how long they've had the exploit themselves? - rather than when it was going to be leaked and then they may have had the opportunity to make a judgement as to whether to push out a public fix for it on all affected OS. It must be at least 15 years since I've seen an exploit of this severity being used.

All the recent chat about how the security services should have some kind of backdoor in services is a prime example as to why they shouldn't.
 
Actually no. Windows XP is being used by the majority of NHS systems and it hasn't been patched and never will be because Microsoft ended XP support in 2014.
Irrelevant. MS still provide patches for some businesses. I don't know for sure if the NHS are one of those but I heard something earlier today which suggests they are.
Apart from which, this is affecting other versions of Windows as well, even those fully patched. It's not just the NHS running XP who are victims.

/edited to strike out my error.
 
I think you underestimate the potential logistics - the company I work for has since ~2011 been updating the IT platform as a matter of some urgency - just the initial pass cost 1.6million not including hardware costs and it was basically 5 years before all the ME and XP systems could be finally removed forever.

How am I doing that? I'm well aware it takes ages and costs a lot, hence I said it would take like a decade. But we need to start. It is not acceptable in this day and age that companies are allowed to do it because of historic penny pinching. Bad now, imagine in a decade when pretty much everything is automated/computer controlled.
 
All the recent chat about how the security services should have some kind of backdoor in services is a prime example as to why they shouldn't.

This is just the tip of the iceberg compared to what the whole snooper's charter thing could unleash :|
 
How am I doing that? I'm well aware it takes ages and costs a lot, hence I said it would take like a decade. But we need to start. It is not acceptable in this day and age that companies are allowed to do it because of historic penny pinching. Bad now, imagine in a decade when pretty much everything is automated/computer controlled.

But once you start and it takes 10 years - the initial apps developed will be 10 years old when you get back round to sorting them out again
 