Ransomware hackers have stolen hospitals and doctors' offices across the UK, using a leaked NSA cyberweapon


#1

Originally published at: http://boingboing.net/2017/05/12/save-our-nhs.html


#2

When Bruce Stirling wrote about the USAF shaking down motorists with a “bake sale”, I thought that was pretty wierd, but I let it slide, because that was fiction. This story, though, fails my suspension of disbelief test. I think Ill unplug and watch “little house on the prarie” for a while now.


#3

I had just been thinking that reality-as-fiction has definitely been stretching the suspension of disbelief lately, on multiple fronts. You’ve got politics going on that, if it were in a really broad satire would still be “too much,” and then you have things like this. Now if it turns out that this attack had something to do with bluetooth salt shakers, that would be peak absurdity.

Edit:
Haruki Murakami: “we are living a world that has an even lower level of reality than the unreal world”


#4

The NSA bears a big chunk of blame here, but so do hospitals, where security practices are poor to nonexistent. Much has been written on the subject (Google is your friend). It’s particularly damning that Microsoft patched this vulnerability back in March, a full month before it was leaked.

What we’re witnessing is a perfect storm of global security incompetence. Government, law enforcement, institutions, companies, and especially USERS (who apparently haven’t run Windows Update in at least two months) all bear a measure of blame.

We are not taking security seriously, and it’s hurting us, worse and worse.


#5

We can add Cumbria to that list

http://www.newsandstar.co.uk/news/latest/NHS-cyber-attack-Cumbrian-hospitals-and-GP-surgeries-hit-f44e7eac-a289-43e3-92eb-e269e787f3d9-ds

Oxford seems to be OK for now, but is “on alert”


#6

Hopefully this is a big enough and well publicized enough disaster that maybe now medical providers will start taking this shit seriously.


#7

[quote=“GeekMan, post:4, topic:100915, full:true”]
What we’re witnessing is a perfect storm of global security incompetence. Government, law enforcement, institutions, companies, and especially USERS (who apparently haven’t run Windows Update in at least two months) all bear a measure of blame.[/quote]
Depends on who you mean by “users”. Windows Update will be disabled and updates will be done (or not done) by IT staff.


#8

That’s how it should be in any significant organization, but not how it necessarily IS in many situations.


#9

My Wife’s hospital network got hit, so she had to leave her laptop at work and cannot chart this weekend.


#10

All the things I’ve heard about “charting” suggest that this may be a small blessing.


#11

We are a long way from the clinic, so she gets up and heads out early. Last patient is supposed to be scheduled for 5 pm. but she usually gets out a couple of hours later. Then when she gets home, she eats a bit, then set the work laptop on the coffee table, and charts until 11 pm or later. It is the weekend, so she has all weekend to get caught up.
But not this weekend. The IT people have to fix the issue and get everything running properly. Meanwhile charting needs to happen so that the billing people can do their magic.


#12

One of the things I’ve read about the subject is that systems in many environments like that have to be thoroughly inspected, tested, and certified. Changes can require a lengthy and possibly expensive recertification process. A bad patch could break a driver and be hard to rollback, cause glitches or data corruption that goes unnoticed for a long time, etc. Recent bad patches have bricked hardware, caused cascading failures that took datacenters offline, installed entirely new operating systems that were incompatible with the old software or hardware, etc.

A big institution like a hospital can’t afford to have that sort of thing suddenly break out all over their systems. And with as many and varied systems (some very expensive and without many testing spares) that they would have to upgrade, test, and recertify, it makes sense that it could take a lot longer than two months. If there is an incompatibility, then the software (or hardware) that isn’t compatible with the patch would have to be rewritten, updated, or replaced (which could take months) before the patch could be applied. Probably why some of those places are still running Windows XP and/or things that only work in IE 6.

And given that Microsoft is known for releasing bad ‘patches’ recently like GWX that act like malware and could shut all of those systems down, it is unfortunately reasonable not to trust the latest patch. It’s a real issue that security patches can’t be trusted.

As a developer, my job is to make improvements - patch it to the newest and best, and if it breaks, deploy another patch as quickly as possible to fix it. But I understand IT’s counterargument and reluctance to change, especially in complex environments with critical components like that. The unfortunate result, however, is what we’re seeing today. IT is between a rock and a hard place and I’m not envying their jobs right now.


#13

I thought maybe if you take all plastics out of hospitals you’ll
improve hygiene 50%…

but it won’t get rid of crying children or ransomware


#14

#15

I think we can all agree that this is simply the price of freedom, amirite?


#16

It figures. There’s always someone trying to bring reality to the hyperbole festival.


#17

Do you work for the National Ransomware Association?


#18

I think there’s an important angle on this story, in that it is a direct result of hard-right political war in the US. The dump of this NSA tool was done in direct retaliation by Trump’s fascist ‘base’ for his not-rightwing-enough policies to date, specifically at the time of the dump the Syrian missile strike. Certainly anybody could have used the tool once it’s released, but it’s in the wild for a very specific reason.


#19

We had to change the name. Our consumer research department tells us that people feel “Ransomware” has negative connotations, which we feel is unfair and totally unjustified. Going forward we will refer to ourselves as the Federated Union for Consumer Unity.


#20

As of this writing

BB Topic:
Ransomware hackers have stolen hospitals and doctors’ offices across the UK, using a leaked NSA cyberweapon.
Comments: 18

BB Topic:
Rapper Bow Wow got caught lying about taking a private plane, hilarity ensues
Comments: 44

I think I see part of the problem.

Edit: Sigh. It is so much fun to read topics in chronological order, but lousy for comments like this. Looks like this topic is spread across multiple articles.