NHS computer systems hacked!?

Did they target the victims of this virus specifically, or have the NHS and others just been unlucky?

It appears to have been customised for compromising corporations like the NHS, but not specifically targeting the NHS or medical facilities, etc. It probably wouldn't take much imagination, though, to know it would do that.

On the one hand I think it was almost accidental that it played out at such a scale in one go, but on the other I almost get the feeling it was a large-scale attack masking a more specific target (not the NHS), possibly utilities infrastructure or military/intelligence.
 
The NHS is not only using Win 7 and XP; it's not uncommon to see Windows 98 on ECG machines and other built-ins. And for a good reason. We live in terrible times of enforced product obsolescence. A multimillion fleet of 2012 computers with Windows 7 would lose security updates just three years later because Microsoft decided end consumers and millions of machines in government and healthcare places just weren't worth their attention. A multimillion fleet of perfectly good cardiographs or ultrasound scanners from 2012 wouldn't get drivers to work on Windows 8 or Windows 10 because it was unsustainable for developers to maintain such a wide span of OSes. Databases wouldn't support both old and new OSes. It's virtually impossible for an organisation like the NHS to keep up with lifecycles this short. And good that they don't chase those scrooge EOLs. Windows 8 will stop updating next year. Windows 10, forced onto everyone on earth, will stop updating in 2020. By the time the NHS replaced the last computer in the John o' Groats walk-in centre, it would already be obsolete in the eyes of Microsoft and, with them, the manufacturers and devs writing drivers and so on.
And there isn't a viable alternative. Insurable Linux? Red Hat is even worse: RHEL 5 was only released in 2014 and it's already EOL. Just three years later. With no direct upgrade path.

Air-gap older kit: no access to the internet, etc. You can keep using it relatively safely but might just lose some functionality. No excuse for not having replaced anything with XP/98 by now, or at least having removed it from the network.
 

That is all well and good until, as I've mentioned before, someone (in an IT admin role) comes along and plugs their (infected) personal laptop into an air-gapped production network :( Especially funny when they spent a lot of time riding other people over network security and, as it turns out, didn't practise what they preached with their own hardware.
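The failure mode in the post above, a laptop that is not on the inventory appearing on a supposedly isolated segment, is cheap to catch if the segment owner keeps an allowlist and periodically dumps what is actually answering on the wire. The following is an added example, not code from anyone in the thread: it assumes a monitoring host on the isolated segment can dump its ARP cache in the Linux `arp -an` format, and every MAC address, IP and device name below is constructed for illustration.

```python
"""Rogue-device check for an isolated ("air-gapped") segment.

Added example, not from the thread. Assumes the segment owner keeps an
allowlist of approved MAC addresses (with the static IP each should hold)
and can dump the ARP cache of a monitoring host on that segment.
All addresses and names below are constructed.
"""
import re

# Approved devices on the isolated segment: MAC -> description (constructed).
APPROVED = {
    "02:00:00:00:00:01": "ecg-cart-3 (Windows 98 embedded)",
    "02:00:00:00:00:02": "ultrasound-ws-1 (Windows XP)",
    "02:00:00:00:00:03": "results-bridge (export workstation)",
}

# Static IP each approved MAC is expected to hold (constructed).
EXPECTED_IP = {
    "02:00:00:00:00:01": "10.20.0.11",
    "02:00:00:00:00:02": "10.20.0.12",
    "02:00:00:00:00:03": "10.20.0.13",
}

# Matches a complete entry in Linux `arp -an` output, e.g.
#   ? (10.20.0.11) at 02:00:00:00:00:01 [ether] on eth0
# Entries shown as "at <incomplete>" have no MAC and are skipped.
ARP_LINE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_arp(dump):
    """Return {ip: mac} for every complete ARP entry in an `arp -an` dump."""
    seen = {}
    for line in dump.splitlines():
        m = ARP_LINE.search(line)
        if m:
            seen[m.group("ip")] = m.group("mac").lower()
    return seen


def audit(observed, approved=APPROVED, expected_ip=EXPECTED_IP):
    """Compare observed IP/MAC pairs against the allowlist.

    Returns a list of (severity, ip, mac, reason) findings:
      HIGH   - a MAC that is not on the inventory was seen on the segment
               (the plugged-in laptop case);
      MEDIUM - an approved MAC answered from an IP other than its static one;
      INFO   - an approved device was not seen at all (off, or unplugged).
    """
    findings = []
    for ip, mac in sorted(observed.items()):
        if mac not in approved:
            findings.append(("HIGH", ip, mac, "unapproved device on isolated segment"))
        elif expected_ip.get(mac) != ip:
            findings.append(("MEDIUM", ip, mac,
                             f"{approved[mac]} expected at {expected_ip.get(mac)}"))
    present = set(observed.values())
    for mac, desc in approved.items():
        if mac not in present:
            findings.append(("INFO", expected_ip.get(mac), mac, f"{desc} not seen"))
    return findings


# Constructed ARP dump: the three approved devices, one unexpected host and
# one incomplete entry (an address that was probed but never answered).
SAMPLE_ARP = """\
? (10.20.0.11) at 02:00:00:00:00:01 [ether] on eth0
? (10.20.0.12) at 02:00:00:00:00:02 [ether] on eth0
? (10.20.0.13) at 02:00:00:00:00:03 [ether] on eth0
? (10.20.0.77) at 02:00:00:00:ab:cd [ether] on eth0
? (10.20.0.99) at <incomplete> on eth0
"""

if __name__ == "__main__":
    for sev, ip, mac, why in audit(parse_arp(SAMPLE_ARP)):
        print(f"{sev:6} {ip:12} {mac}  {why}")
```

The ARP cache only shows hosts the monitoring box has exchanged traffic with recently, so in practice the dump is taken after a sweep of the segment's address range (or replaced by the switch's MAC address table); the comparison logic is the same either way.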
 
No excuse for not having replaced anything with XP/98 by now or at least having removed it from the network.

Unfortunately, there is an excuse. Those are often crazily expensive machines, and there is nothing wrong with the data they produce or fetch other than the age of the OS. It's easy to say air-gap them or take them off the network when the money spent on them, or worse, the iron-clad contract clauses demanding other earthly penalties they were surrounded with back in the day, won't allow for retirement. I kid you not: there are places out there where to this day you will find old Elonex or DEC boxes running Windows on Novell, with a DOS window open fetching data into Lotus Symphony spreadsheets off serial-port-equipped Reuters APMs hooked up to ISDN lines. And some commodity markets would probably collapse the next day if those things were discontinued, while the only way to air-gap them would be to create a daisy chain of students feeding and moving floppy disks with every cycle of the batch script. Vast lists of telecom and satellite equipment, both on earth and in the heavens, with no viable or barely any data encryption possible, operated day to day with equipment and systems so old that it's scary. And they have to be, in a massive simplification, accessible over the net. Obviously, in most cases they benefit from slightly better IT than the underpaid glorified janitors that populate NHS basements, but the point still stands: this isn't the fault of the people forced to operate and rely on those machines and OSes. I blame Microsoft and Microsoft alone. And I hope someone shakes that tree to the roots.
 
would be to create daisy chain of students feeding and moving floppy drives with every cycle of the batch script...

I've actually done this as a job (not for air-gap purposes, just because two antiquated systems were in use and no one still existed who knew how to make them talk to each other), and well paid at that. I kind of did myself out of it in the long run by showing them a proof of concept of how to connect the two, but it was getting silly.
 
The main reason they were stuck using old-hat OSes was compatibility with legacy software that would cost an insane amount of money to replace.

Some Trusts managed to migrate the data across to newer platforms but it's extremely costly and time consuming. There isn't room for downtime and this data is updated constantly day to day. If you're a Trust under special measures, the focus will always be on clinical care first.
 
I understand the argument for time, software costs for moving, etc., but XP has been dead for what, 8 years now? Surely that's enough time? My doctor's still uses XP. It's good that clinical care comes first, but knowing a system is easily breakable is also quite worrying if it's not upgraded eventually. That's just in XP's case.


The hole that was found was a serious one, and that's now proven. They needed to patch it even with downtime risks; all I can see is all the companies saying Microsoft shouldn't have had the hole to begin with.
 

The problem is with upper management not understanding the ramifications and technology leadership not having the balls to do what's right.

We see this all the time at work and the hilarious thing is these people complain about the "cost to change" and ignore the "cost once compromised" aka completely ******.
 
Did you miss the last dozen posts? Yes it would, and it would take a long time until it could be enforced, and as I said, that is why it should be done ASAP.

So what you're essentially saying is that the NHS shouldn't just be a health service, they should also design and build all of their own medical equipment and in-house software, and never use anything external? Whilst idealistically that sounds like a great idea, I'd like at least some of my earnings to make it to my bank account rather than be taxed 100% to pay for all that, not to mention missing out on potentially life saving technologies invented by outside organisations.

You really think a company that has just spent billions on R&D for a new piece of medical equipment is just going to give away the details of how to build one yourself for anywhere near a reasonable price?
 
open source medicine. what could possibly go wrong :D
 

Glaucus does have a point, albeit not in the easiest way to consume.

So many businesses have legacy, unsupported software from all the mainstream vendors. Anyone who has worked in IT as a customer or a vendor will know of that business who has that application and nobody touches it because it does something important and the people who originally implemented it are long gone. I see this in finance all the time.

It's about time cyber security is taken seriously, especially in old, legacy companies where process is so rigid. If they don't die to a digital competitor they will probably die to a cyber attack.
 
Seems a bit stupid that a maintenance contract doesn't allow for new operating systems - or that you'd spend millions on equipment/software that the company knows will be out of date soon.

I've got nothing to do with medical software but when I worked in financial software I don't think clients would be too impressed if they couldn't migrate to new servers and/or desktops. Some code could easily be 30 years old yet still runs in various banks. It seems like a pretty poor effort either on the part of the vendors or on the part of some NHS trusts to fail to maintain or fail to pay to maintain these systems.
 
I think the problem is not so much the software as the hardware it runs on. I have no experience in medical equipment*, but I can imagine things like X-ray machines etc. have a useful life of potentially decades (how much better would one made today be compared to one from the 80s, for example? Enough to justify the cost of replacing however many thousand there are across the country?)

If they rely on software which was designed to run in an 80s OS and the company that made them is long gone, then what do you do? Arguably they should be run on a local standalone machine dedicated to that equipment, or at the very least a VM on an isolated network, but when you need to do that for every piece of legacy equipment and software it can become a nightmare.

* I've had to support aging building management and test equipment software which I can imagine is similar, (I remember being told we had to support a heating controller which required an ISA card installed in the PC, connected via a BNC based network, all on a modern PC in a building with CAT5...)
 

Indeed,

Medical equipment is designed to do a specific job and often does it very well. Like military/space applications. Even current stuff is built using hardware/os that are a generation or two past because we know it works.

My eye surgeon has some kit that is only 5/6 years old, yet it comes with an FDD.
 

You are very wrong about RHEL 5. It was released in 2007, not 2014; in fact by 2014 it was already out of Production 1 support and RHEL 7 was released. With Extended Life Cycle Support it is actually supported to 2020. (Source: Red Hat life cycle documentation.)

The main problem is the custom applications which prevent upgrading to later versions and in some cases require that insecure protocols still be used.
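Two points in the thread turn into one practical check: the earlier suggestion that each piece of legacy equipment should sit on its own standalone machine or isolated VLAN, and the point just above that some custom applications still need insecure protocols. If the inventory records each host's OS and segment, and the segment firewall exports flow records, a script can flag the combinations that matter: an out-of-support OS on a shared segment, a legacy box talking to anything other than its one designated peer, and a legacy box using a cleartext service. This is an added example, not code from anyone in the thread. The vendor end-of-support dates are the published ones for the three OSes named above; the hostnames, segments, allowed-peer lists and flow records are constructed.

```python
"""Segmentation and protocol check for end-of-life (EOL) hosts.

Added example, not from the thread. Assumes an asset inventory of
host -> (OS, segment, allowed peers), where an allowed-peer set of None
means nobody has yet decided what the box is permitted to talk to, and
flow records (src, dst, dst_port) exported from the segment firewall.
Hosts, segments and flows are constructed.
"""
from datetime import date

# Vendor end-of-support dates (end of extended support) for the OSes
# discussed in the thread.
OS_EOL = {
    "Windows 98": date(2006, 7, 11),
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
}

# Services that carry credentials or data in the clear. A legacy host on a
# shared segment speaking these is the worst combination.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http"}

# Constructed inventory. Segments named "iso-*" are isolated VLANs that
# carry only a device and the one workstation that collects its output.
INVENTORY = {
    "ecg-cart-3":      ("Windows 98", "iso-cardiology", {"results-bridge"}),
    "ultrasound-ws-1": ("Windows XP", "clinical-lan",   {"pacs-archive"}),
    "reception-pc-4":  ("Windows 7",  "clinical-lan",   None),
    "results-bridge":  ("Windows 10", "iso-cardiology", None),
    "pacs-archive":    ("Windows 10", "clinical-lan",   None),
}

# Constructed flow records: (source host, destination host, destination port).
FLOWS = [
    ("ecg-cart-3", "results-bridge", 8080),   # designated peer, fine
    ("ultrasound-ws-1", "pacs-archive", 104),  # designated peer (DICOM), fine
    ("ultrasound-ws-1", "fileserver-1", 21),   # wrong peer, and cleartext FTP
    ("reception-pc-4", "update-server", 80),   # only a problem once Win 7 is EOL
]


def is_eol(os_name, today):
    """True if the vendor's support for os_name had ended before `today`."""
    eol = OS_EOL.get(os_name)
    return eol is not None and today > eol


def audit(inventory, flows, today):
    """Return (host, reason) findings for legacy hosts that are not contained.

    Static checks (from the inventory): an EOL host must live on an "iso-"
    segment and must have an explicit allowed-peer list.
    Dynamic checks (from flows): an EOL host must talk only to its allowed
    peers and must not use a cleartext service.
    """
    findings = []
    for host, (os_name, segment, peers) in inventory.items():
        if not is_eol(os_name, today):
            continue
        if not segment.startswith("iso-"):
            findings.append((host, f"{os_name} is past vendor support yet sits on shared segment {segment}"))
        if peers is None:
            findings.append((host, "no allowed-peer list, so its traffic cannot be pinned to its one job"))
    for src, dst, port in flows:
        if src not in inventory:
            continue  # unknown source: out of scope for this check
        os_name, segment, peers = inventory[src]
        if not is_eol(os_name, today):
            continue
        if peers is not None and dst not in peers:
            findings.append((src, f"legacy host talked to {dst}:{port}, which is not on its allowed list"))
        if port in CLEARTEXT_PORTS:
            findings.append((src, f"legacy host used cleartext {CLEARTEXT_PORTS[port]} to {dst}"))
    return findings


if __name__ == "__main__":
    # Evaluate as of a date when XP and 98 are out of support but 7 is not,
    # then again after Windows 7 falls out of support.
    for when in (date(2017, 5, 15), date(2021, 1, 1)):
        print(f"--- as of {when} ---")
        for host, reason in audit(INVENTORY, FLOWS, when):
            print(f"{host:16} {reason}")
```

Because the EOL table is evaluated against a date, the same inventory produces new findings as each OS drops out of support, which is the point the thread keeps circling: containment has to be revisited on the vendor's schedule, not the hospital's.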
 

Yup and some code in financial software has been around for 30 years - what you're highlighting there is still an issue of maintenance agreements, upgrades etc..
 