The NHS 'hack'


Comments

  • thistle_
    thistle_ Posts: 7,145
    Garry H wrote:
    They should've used pen and paper
    According to the news some places were as a fallback.

    A few years ago when there were problems with the credit/debit card system, shops went back to the slidy carbon copy machines. I wonder how long it will be before nobody knows how to cope without the computer?
  • TheBigBean
    TheBigBean Posts: 20,593
    Microsoft give NSA a broadside along the lines of BigBean.

    https://blogs.microsoft.com/on-the-issu ... mqdjgbgpt6

    It would be nice if at least one politician noticed.
    Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.

    The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new “Digital Geneva Convention” to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them. And it’s why we’ve pledged our support for defending every customer everywhere in the face of cyberattacks, regardless of their nationality. This weekend, whether it’s in London, New York, Moscow, Delhi, Sao Paulo, or Beijing, we’re putting this principle into action and working with customers around the world.
  • lostboysaint
    lostboysaint Posts: 4,250
    No-one mentioning the request for £5.5m of funding for additional security work that was turned down by the government last year? I
    Trail fun - Transition Bandit
    Road - Wilier Izoard Centaur/Cube Agree C62 Disc
    Allround - Cotic Solaris
  • secretsam
    secretsam Posts: 5,098
    It's because a lot of NHS organisations (and other large corporations, NHS isn't unique) still use Windows XP, which is no longer supported. Rather than accept this and pay for a pan-NHS support, the government devolved responsibility locally. With so much pressure on front line spending, the (considerable) cost of maintaining XP often fell to one side.

    It's just a hill. Get over it.
  • TheBigBean
    TheBigBean Posts: 20,593
    No-one mentioning the request for £5.5m of funding for additional security work that was turned down by the government last year? I

    A tiny slice of the £2b that the intelligence services get to protect the country.
  • lostboysaint
    lostboysaint Posts: 4,250
    The intelligence services shouldn't be providing anti-virus/hacking protection for government departments.

    Unless you're suggesting that the provision of NHS IT services is taken into the public sector rather than delivered by private contractors ;)
  • dinyull
    dinyull Posts: 2,979
    Garry H wrote:
    They should've used pen and paper
    According to the news some places were as a fallback.

    Probably down to the simple fact that a hell of a lot in the NHS don't know how to use a computer/the system properly.

    Missus had to train the Dr's, Nurses and Healthcare's in her old position on how to use the online system in their goal to become paperless. She says a lot of the old guard simply refused to co-operate and would ignore the computer system and stick to paper.
  • TheBigBean
    TheBigBean Posts: 20,593
    The intelligence services shouldn't be providing anti-virus/hacking protection for government departments.

    There are two questions:
    (i) should they actively defend the government and citizens from attack?
    (ii) should they do their utmost to undermine all security? (E.g. a few open doors on all buildings, so anyone who knows can wander in)
  • Tashman
    Tashman Posts: 3,400
    A large part of the issue is the legacy systems that we use. Updating the OS renders some of them useless, so the investment is multi-dimensional, not just a single operator
  • secretsam
    secretsam Posts: 5,098
    Tashman wrote:
    A large part of the issue is the legacy systems that we use. Updating the OS renders some of them useless, so the investment is multi-dimensional, not just a single operator

    This.

    A lot of NHS software programmes are bespoke, and have been developed based on an XP platform, so changing that is a major issue for them. It's quite hard to change systems and train up staff on new stuff when they're managing critical front-line services, which already have staff shortages.

  • lostboysaint
    lostboysaint Posts: 4,250
    TheBigBean wrote:
    The intelligence services shouldn't be providing anti-virus/hacking protection for government departments.

    There are two questions:
    (i) should they actively defend the government and citizens from attack?
    (ii) should they do their utmost to undermine all security? (E.g. a few open doors on all buildings, so anyone who knows can wander in)

    1. Don't confuse defence of the government and citizens from attack with providing anti-virus protection for software for services.

    2. Not quite sure how you've made the quantum leap from an NHS software breach to the whole country being at risk but if that's what floats your boat......
  • TheBigBean
    TheBigBean Posts: 20,593
    TheBigBean wrote:
    The intelligence services shouldn't be providing anti-virus/hacking protection for government departments.

    There are two questions:
    (i) should they actively defend the government and citizens from attack?
    (ii) should they do their utmost to undermine all security? (E.g. a few open doors on all buildings, so anyone who knows can wander in)

    1. Don't confuse defence of the government and citizens from attack with providing anti-virus protection for software for services.

    2. Not quite sure how you've made the quantum leap from an NHS software breach to the whole country being at risk but if that's what floats your boat......

    1. The level of defence that can be expected is arguable. I expect more of some things and less of others.
    2. Quantum leap? The code was written by the NSA. That's before considering all the backdoors that have been implemented.