NHS computer systems hacked!?

I'd guess people wouldn't be that open about talking about these things.



Are you totally naive?


Tbh rob having seen the "procurement process" for IT equipment in some government/council stuff it was just the secretaries/local managers reading the proposals by local businesses for PCs/maintenance.


They have zero idea if they're getting a good deal or ripped off
 
I've seen very important stuff running on Windows 3.11 until quite recently. Just keep it isolated through tight controls or off-net completely. :D

Like others say, upgrading legacy systems is not always possible because the developers are long gone and there's no way to port it over.
 
Seems rather unlikely though for particularly expensive equipment that can't be easily replaced tbh... ergo I'll go back to my comment re: maintenance/upgrades.

How does the cost or ease of replacement of their product affect the chance of a company going out of business or being taken over?
 
What does any of that have to do with the NHS? These machines can be air gapped, we did that to our kit before replacing (and yes I'm talking NHS here, not fantasy land).

And yet here we are in what you call "fantasy land" marvelling upon your "air gapped" NHS with ransomware screens. Look, your thrashing about aside - my solution is simple and fitting - endlessly throwing money on IT upgrades at NHS just because developer is too lazy to fix their abysmal code isn't a solution, punishing end users with fines just because developers are too lazy to fix their excremental software is not a solution (for the reasons mentioned already on this page). The bugs and lack of security of apps or OSes are the fault of the developer and the developer alone. There isn't much to discuss here. Since it was Microsoft and their marketing team that convinced NHS that their forking OS was fit for purpose and it is more than clear it wasn't fit for the lifetime NHS needed to utilise it. So Microsoft should be penalised or forced to provide longer EOL terms or direct migration and upgrade paths (which they artificially destroyed with Windows 10 - they even wrecked their migration assistant). And they should be fixing this mess right now. No ifs, no buts, just as you would expect a safety recall on a car or house equipment that suddenly becomes a danger to its users after a few years.
 
How does the cost or ease of replacement of their product affect the chance of a company going out of business or being taken over?

Larger established companies are generally more stable whereas a small start up might not be around in a few years.
 
MS have released the patch to XP...how nice of them. Only when confronted with a catastrophe did they step in.

Larger established companies are generally more stable whereas a small start up might not be around in a few years.

What's your background?
 
I think I heard on the radio this morning that Microsoft will shortly release a patch for XP that would have prevented this attack.

I do wonder how long Microsoft have known about and ignored this flaw in a still frequently used version of their OS. Did it (and other similar "flaws") exist to allow the NSA, GCHQ, etc. to access systems?

betanews & nhub.news said:
Microsoft stopped supporting Windows XP back in 2014, but today it releases one more security update for the ancient OS.

The software giant is taking this "highly unusual" step to fight back against the WannaCrypt ransomware cyber attacks that have so far hit nearly 100 countries around the world. And XP is not the only unsupported system receiving this patch.
Thanks Microsoft - any more "BackDoors" in your OS we should know about?
 
And yet here we are in what you call "fantasy land" marvelling upon your "air gapped" NHS with ransomware screens. Look, your thrashing about aside - my solution is simple and fitting - endlessly throwing money on IT upgrades at NHS just because developer is too lazy to fix their abysmal code isn't a solution, punishing end users with fines just because developers are too lazy to fix their excremental software is not a solution (for the reasons mentioned already on this page). The bugs and lack of security of apps or OSes are the fault of the developer and the developer alone. There isn't much to discuss here. Since it was Microsoft and their marketing team that convinced NHS that their forking OS was fit for purpose, it is more than clear it wasn't fit for the lifetime NHS needed to utilise it. So Microsoft should be penalised or forced to provide longer EOL terms or direct migration and upgrade paths (which they artificially destroyed with Windows 10 - they even wrecked their migration assistant). And they should be fixing this mess right now. No ifs, no buts, just as you would expect a safety recall on a car or house equipment that suddenly becomes a danger to its users after a few years.

OK firstly "my NHS"? Clearly you have absolutely no idea how the NHS works internally in terms of network, governance and structure. "My NHS" air gapped machines haven't been infected, because they can't be via this attack vector. Managing huge estates of kit is always a risk based approach, heck even procuring systems is risk based as developers can and do go out of business - no point in blaming them then, you need a plan B.

Secondly it's not always the developer's fault, I've seen in the past (private company) our management deciding not to pay for continued support despite the developer saying they'd EOL the product in a few years as per the contract signed many years ago. That was on our management's head, years of lack of planning and unwillingness to air gap, isolate or pay the £400!!! to have it at least patched yearly.
 
Need national expert procurement teams

Frankly this wouldn't be a bad idea, I know the local dental hospital pays almost twice for some of the items they purchase in great bulk than we do, as no one is designated with driving a deal on procurement.
It's madness. They could easily afford extra staff if someone pushed the suppliers for bulk discount.
 
Frankly this wouldn't be a bad idea, I know the local dental hospital pays almost twice for some of the items they purchase in great bulk than we do, as no one is designated with driving a deal on procurement.
It's madness. They could easily afford extra staff if someone pushed the suppliers for bulk discount.

I've never understood this. Same with schools. My local school wrote to all parents wanting donations for five digital whiteboards they wanted to buy at two grand each. Our IT equipment supplier quoted us £1100 for the same boards so I said I would donate one and the school could buy the other four through me and save £4500 and politely got told they couldn't do that as they had to use the company who had the national contract for supplying IT to schools and couldn't buy privately. What a rip off.
 
I've never understood this. Same with schools. My local school wrote to all parents wanting donations for five digital whiteboards they wanted to buy at two grand each. Our IT equipment supplier quoted us £1100 for the same boards so I said I would donate one and the school could buy the other four through me and save £4500 and politely got told they couldn't do that as they had to use the company who had the national contract for supplying IT to schools and couldn't buy privately. What a rip off.

Yeah saw the same nonsense when I was a youth worker, dedicated suppliers and greedy contractors that chucked an extra 20-30% on once they knew it was a council contract.
To be fair though in a lot of cases it's also the buyers to blame, people can be very frivolous and lazy when spending other people's money :mad:
 
So I was up till 2 last night on calls on how to deal with this. I know the backstory and it's not a targeted attack at all, some numpty has opened a link on an email, and the thing has spread over SMB.

The NHS is only impacted as much due to the different local systems. Had it been on a larger single system, such as MOD, DWP, etc, then there would be bigger issues.

Now to plan how to patch over 10K servers in a week

Coffee, lots of coffee
 
That's how it goes, if you are an organisation funded or linked to the government then of course you are going to get ripped off. Not as if schools, NHS, police forces will go bust. Many don't like the government so they get the max out of them, after all we all pay our taxes to them anyway.
 
That's how it goes, if you are an organisation funded or linked to the government then of course you are going to get ripped off. Not as if schools, NHS, police forces will go bust. Many don't like the government so they get the max out of them, after all we all pay our taxes to them anyway.

Yes but now it's backfiring and government organisations are telling contractors to sod off when the renewal dates come around. We just gave the can to the guys that cover all our PC hardware, they wanted £ per item they were covering, instead of a fixed price for everything as in previous years. So we figured out it was cheaper just to buy our own spares. I hear multiple sites are doing the same, so now the company is probably about to go under.
 
Whilst this is true, it is only true for home users of XP.
You could actually enter into an extra enhanced support contract on XP Pro to extend its life, this was done because of things like the NHS, Banks, ATMs. It was an expensive option but less expensive than rolling out a new OS and all the hurdles that come with it.

However, I believe that extra support ended in Jan of 2016.

And the reason it was expensive was because even Microsoft themselves were desperate to drop XP and maintenance for it. Windows XP is fundamentally poor on security. With Vista they changed the basic security model of Windows and conceptually it became as secure as GNU/Linux. (And then with Windows 7 they also made it usable).
 
And the reason it was expensive was because even Microsoft themselves were desperate to drop XP and maintenance for it. Windows XP is fundamentally poor on security. With Vista they changed the basic security model of Windows and conceptually it became as secure as GNU/Linux. (And then with Windows 7 they also made it usable).

And then with 10 they added spyware :D
 
With Win10, another obvious reason is security. Since Win10 is designed to be spyware and a rootkit, it's at least debatable whether it's the right thing to be used for anything that might have any confidential information on it.

Enterprise Windows can be set not to spy on you and you have a great deal of control over it. It's only we peons with Home and Professional that get spied on. And Professional only spies on you a little bit. ;)
 