NHS computer systems hacked!?

It looks to me like a half-way between the two. It is a case of some lesser criminals piggy backing on the NSA's escaped "military grade" arsenal. It's not some kid in a bedroom though. The way it appeared simultaneously in disparate places without apparent travel says it's more than that. But on the other hand, it doesn't require a network of ultra-professionals, either. It looks to me like a group with a decent amount of know how and enough of them to coordinate and think this is a great idea, but that's about it. All IMHO, anyway.


Suppose for a group that usually, say, skims card numbers from cash machines it's not completely out of their league, but something that could get out of hand.
 
Hard to say - very few people seem to be looking at it in any depth (at least publicly).

The whole thing is quite confusing; for instance, initially it was largely blamed on Windows XP - however:



Almost everything people are assuming about this outbreak is actually completely wrong, but for some reason no one seems to be inclined to check if what they assume is right or look at it any deeper, including many who work in this field professionally :(


Maybe they rushed the Win XP patch as, while fewer systems ran it, they were more vital (tying into legacy machines).

Or just out of the patch teams, the Win XP team did it first lol.
 
I've seen malware, such as Locky and WannaCry, come in via mail.

Are you sure about that...

> Maybe they rushed the Win XP patch as, while fewer systems ran it, they were more vital (tying into legacy machines).
>
> Or just out of the patch teams, the Win XP team did it first lol.

Or the fact that the dropper mechanism (the SMB spreader) was incapable of detecting XP machines that were vulnerable so wouldn't exploit them. If you ran the actual ransomware on the machine it would encrypt it, however, it couldn't be infected by the normal mechanism used to spread it.

380 replies to this thread so far, with about 15 actually having useful info and 365 armchair experts arguing - Love You GD :D

I've got to say, this thread has been hilarious to read through.
 
From SuperUser.com:
> Among the new ports used by Windows 2000 is TCP port 445 which is used for SMB over TCP. The SMB (Server Message Block) protocol is used among other things for file sharing in Windows NT/2000/XP. In Windows NT it ran on top of NetBT (NetBIOS over TCP/IP), which used the famous ports 137, 138 (UDP) and 139 (TCP). In Windows 2000/XP, Microsoft added the possibility to run SMB directly over TCP/IP, without the extra layer of NetBT. For this they use TCP port 445.
>
> At its simplest NetBIOS on your LAN may just be a necessary evil for legacy software. NetBIOS on your WAN or over the Internet, however, is an enormous (read foolish...) security risk. All sorts of information, such as your domain, workgroup and system names, as well as account information is obtainable via NetBIOS. It really is in your best interests to ensure that NetBIOS never leaves your network.
>
> If you are using a multi-homed machine i.e. more than 1 network card, then you should disable NetBIOS on every network card, or Dial-Up Connection under the TCP/IP properties, that is not part of your local network.

And

> To disable Port 445:
>
> Add the following registry key:
>
> Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
> Name: SMBDeviceEnabled
> Type: DWORD (REG_DWORD)
> Data: 0
>
> Don’t forget to restart your computer after disabling the above ports for effect. Also, to check that those ports are disabled, you can open a command prompt and type netstat -an to confirm that your computer is no longer listening to those ports.
Running netstat -an produces some interesting / disturbing results on a fully patched Windows 7 system.

In a "SOHO" environment with a number of machines, which might be running Windows XP through Windows 10 but where no files are shared, I assume that disabling SMB would cause no problems?

How would one tell whether 139 & 445 are open on a Modem/Router and if they are, how would one disable them?
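A read-only audit script, added here as an example (not code from the thread or from the SuperUser post), that checks the SMBDeviceEnabled value quoted above and parses netstat -an for the 139/445 listeners; the SMBv1 check relies on Get-SmbServerConfiguration, which only exists on Windows 8 / Server 2012 and later, so it is guarded.

```powershell
# Added audit example (not code from the thread or the SuperUser post).
# Read-only: reports the state of the settings discussed above and changes nothing.

function Get-SmbExposureReport {
    # 1. The registry value the post tells you to add (0 = direct-host SMB on 445 off).
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
    $value = (Get-ItemProperty -Path $regPath -Name SMBDeviceEnabled `
                -ErrorAction SilentlyContinue).SMBDeviceEnabled
    $smbDevice = if ($null -eq $value) { 'not set (default: enabled)' } else { $value }

    # 2. Parse 'netstat -an' as the post suggests; works from XP upwards with no
    #    newer cmdlets needed. A matching line looks like:
    #      TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
    $netstat = netstat -an
    $tcpListen = $netstat |
        Where-Object { $_ -match '^\s*TCP\s+\S+:(139|445)\s+\S+\s+LISTENING' } |
        ForEach-Object { ($_.Trim() -split '\s+')[1] }
    # UDP 137/138 are the NetBT name/datagram services; UDP lines carry no state column.
    $udpBound = $netstat |
        Where-Object { $_ -match '^\s*UDP\s+\S+:(137|138)\s' } |
        ForEach-Object { ($_.Trim() -split '\s+')[1] }

    # 3. On Windows 8 / Server 2012 and later, report whether SMBv1 (the protocol
    #    version the WannaCry spreader exploited) is still switched on.
    $smb1 = 'n/a (cmdlet not available on this OS)'
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    [pscustomobject]@{
        SMBDeviceEnabled = $smbDevice
        TcpListening     = if ($tcpListen) { $tcpListen -join ', ' } else { 'none' }
        UdpNetBiosBound  = if ($udpBound)  { $udpBound  -join ', ' } else { 'none' }
        SMB1Enabled      = $smb1
    }
}

Get-SmbExposureReport | Format-List
```

Run it from an elevated prompt on each host; it reports only what that machine itself listens on, not what a modem/router forwards from outside the LAN.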
 
> Or the fact that the dropper mechanism (the SMB spreader) was incapable of detecting XP machines that were vulnerable so wouldn't exploit them. If you ran the actual ransomware on the machine it would encrypt it, however, it couldn't be infected by the normal mechanism used to spread it.



sorry why would that speed the patch development/release?
 
> sorry why would that speed the patch development/release?

Now I'm confused by your comment? The quote you commented on was talking about infections and how everyone was originally blaming the NHS/companies for running Windows XP. Lots of news outlets were claiming that is why it spread so far/so fast.
 
> Now I'm confused by your comment? The quote you commented on was talking about infections and how everyone was originally blaming the NHS/companies for running Windows XP. Lots of news outlets were claiming that is why it spread so far/so fast.


I was talking about how the XP patch came out first despite being only a small % of infections.
 
> I was talking about how the XP patch came out first despite being only a small % of infections.

Patches for the specific vulnerability it used (for current supported OS) came out in March. The XP/2003/Win 8 patches were developed at the same time but only released to customers paying for the extended support. The general public only got the patch on 13th of May when Microsoft decided it would release it for free to everyone.
 
> Patches for the specific vulnerability it used (for current supported OS) came out in March. <SNIP>

As I understand it, the "issue" that Microsoft fixed with this patch was an overflow that resulted from moving a 32 bit variable into a 16 bit variable. I was under the impression that this sort of bug would normally be spotted by the compiler or "lint".

If both of these things are true, wouldn't it suggest that either some developer at Microsoft was incredibly careless, that Microsoft use a lousy development environment -or- that it was deliberate?


Incidentally, there is an article on @MalwareTech on the Grauniad here => https://www.theguardian.com/technol...-hero-marcus-hutchins-super-invasive-tabloids - the guy seems pretty philosophical about what has happened to him - I admire his choice of Charities :)
 
This is either really scary & he's been arrested (& hidden apparently) unfairly or he was involved in wannacry. Either way this is looking proper mental. It's like a movie script.
 
Waterboarded into confessing no doubt.

Not impossible he was in some way connected to it - but it had the appearance at least of a bigger orchestrated effort than just the work of one person.
 
He was the malware creator maybe?!?!

Imagine the controversy.

You'd have to be a very, very special kind of idiot to help build a piece of malware that paralysed vital systems globally and then draw attention to yourself by "defeating it".

He ran WannaCry malware through debugging tools. Noticed that it either contained a reference to or called out to a particular and odd domain name. And exercised his curiosity by registering the domain. Which turned off WannaCry because it turned out to be a built-in killswitch. Smart, but there's nothing at all implausible there.

So it seems that he's been out of contact for eighteen hours now. :(
 