Bad malware, worse reporting

The Wannacry malware that has infected some UK hospital computers should interest not just security researchers but also people interested in what drives fake news.

Some made errors of fact: the Daily Mail inititally reported the ransom demand as 300 bitcoin, or £415,000, rather than $300 in bitcoin. Others made errors of logic: the Indy, for example, reported that “Up to 90 percent of NHS computers still run XP, released in 2001”, citing as its source a BMJ article which stated that 90% of trusts run this version of Windows. And some made errors of concurrency. After dinner I found inquiries from journalists about my fight with the Prime Minister. My what? Eventually I found that the Guardian had followed something Mrs May’s spokesman had said (“not aware of any evidence that patient data has been compromised”) with something I’d said a couple of hours earlier (“The NHS are saying that patient privacy hasn’t been compromised, but if significant numbers of hospitals have been negligently running unpatched computers for two months after the patch came out, how do they know?”). The Home Secretary later helpfully glossed the PM’s stonewall as “No patient data has been accessed or transferred in any way” but leaving the get-out-of-jail card “that’s the information we’ve been given.”

Many papers caught the international political aspect: that the vulnerability was discovered by the NSA, kept secret rather than fixed (contrary to the advice of Obama’s NSA review group), then stolen from the CIA by the Russians and published via wikileaks. Scary stuff, eh? And we read of some surprising overreactions, such as the GP who switched off his networking as a precaution and found he couldn’t access any of his patients’ records.

As luck would have it, yesterday was the day that I gave my talk on entomology – the classification of software bugs and other security vulnerabilities – to my first-year security and software engineering class. So let’s try to look at it calmly as I’d expect of a student writing an assignment.

The first point is that there’s not a really lot of this malware. The NHS has over 200 hospitals, and the typical IT director is a senior clinician supported by technicians. Yet despite having their IT run by well-meaning amateurs, only 16 NHS organisations have been hit, according to the Register and Kaspersky – including several hospitals.

So the second point is that when the Indy says that “The NHS is a perfect combination of sensitive data and insecure storage. And there’s very little they can do about it” the answer is simple: in well over 90% of NHS organisations, the well-meaning amateurs managed perfectly well. What they did was to keep their systems patched up-to-date; simple hygiene, like washing your hands after going to the toilet.

The third takeaway is that it’s worth looking at the actual code. A UK researcher did so and discovered a kill switch.

Now I am just listening on the BBC morning news to a former deputy director of GCHQ who first cautions against alarmist headlines and argues that everyone develops malware; that a patch had been issued by Microsoft halfway through March; that you can deal with ransomware by keeping decent backups; and that paying ransom will embolden the bad guys. However he claims that it’s clearly an organised criminal attack. (when it could be one guy in his bedroom somewhere) and says that the NCSC should look at whether there is some countermeasure that everyone should have taken (for answer see above).

So our fourth takeaway is that although the details matter, so do the economics of security. When something unexpected happens, you should not just get your head down and look at the code, but look up and observe people’s agendas. Politicians duck and weave; NHS managers blame the system rather than step up to the plate; the NHS as a whole turns every incident into a plea for more money; the spooks want to avoid responsibility for the abuse of their stolen cyberweaponz, but still big up the threat and get more influence for a part of their agency that’s presented as solely defensive. And we academics? Hey, we just want the students to pay attention to what we’re teaching them.

Hope this helps!

22 thoughts on “Bad malware, worse reporting

  1. I agree with your conclusions. The Guardian website has some additional examples that support your observations regarding the proportion of sites that were not hit.

    For example:
    ‘At NHS Greater Glasgow and Clyde, the health board released a statement saying: “We can confirm that four GP practices have experienced disruption to their IT systems today.” A spokesman at NHS Dumfries and Galloway confirmed three family practices had been “initially affected”.’

    That suggests that both of these health boards are in control of their major sites but some GP practices are not. Indeed, seven GP practices across two health boards is a reassuringly small number.

  2. Thanks for this analysis.

    I do want to quibble about your use of the tag “fake news” to cover mistakes such as “errors of fact” and “errors of logic”. I think that’s unhelpful. The term “fake news” was coined to describe complete fabrications. Poor quality reporting, and even PR spin, is a different beast.

    1. Completely agree. “Fake news” is overused and incorrectly applied. Not least by Donald Trump as a buzz-word-come-get-out-of-jail-free-card. But I digress…

  3. Thanks for your post. One minor correction though – the vulnerability exploited here, ETERNALBLUE, was leaked from the NSA by ShadowBrokers. The leaks by Wikileaks of CIA information (Vault7) is unrelated and didn’t contain vulnerability details anyway.

  4. Although I applaud the comments about the scale of the impact of the attack compared to the total size of the NHS, it is not true that “typical IT director is a senior clinician supported by technicians”. Most NHS Trusts have a Chief Information Officer who is an Informatics specialist/professional and they run the Directorate with the technicians. They are helped by a senior clinician who now typically takes on the role of Chief Clinical Information Officer and although they do help in the decision making, their funadmental role is clinical engagement on informatics issues with their clinical colleagues. IT security will be led by the CIO.

  5. I agree with everything. But the March patch was only available to users paying Microsoft for support. Yes the IT system is perhaps more robust but someone still took the decision in 2015 to run an obsolete operating system with no updates or security. For 2 years. Some one needs to be held to account and not be allowed to keep saying “lessons will be learned”. The time for that has long passed.

    1. “But the March patch was only available to users paying Microsoft for support.” Do you mean that the vast majority of users, who do not have a paid support contract, but do allow Windows Update to run regularly, do not have the patch that protects against this vulnerability? I understood from elsewhere that the fix had been distributed via normal Windows Update. Could you clarify what you meant?

      1. The March patch had a public variant for software still under support (win 10 etc) and a private version for those using obsolete software (win xp etc.) but paying fees to Microsoft. The government stopped paying that fee in 2015 so (unless individual organisations payed for it) the NHS wasn’t covered by the patch. Microsoft has since released the patch for the “common good” (if you believe the PR)

  6. This is a most helpful corrective. One small addition – relevant to the comment by Mark Lomas – I was told by a nurse at a GP practice in London which runs EMIS on XP systems that they were rung every 15 minutes or so on Friday to see if they had problems until 2.30 – when they were told to shut down because a practice using EMIS on XP had become infected.

    1. I have since been told by the provider of cloud back-up services to EMIS that recovery for those still running XP takes minutes, not hours.

      I will be checking with my source, a practice nurse, if there is news “on the clinical grapevine” as to how long it actually took.

  7. I now hear that most of the infections were of unpatched windows 7. A lot of the XP is in things like oscilloscopes that are not connected to the network. And in any case a well-run organisation would have blocked SMB at the firewall for years; Cambridge University has

    1. Blocking at the firewall is great, but it doesn’t help if an infected machine is brought inside the firewall and connected to the trusted part of the network (e.g. a laptop that’s been infected via public wifi that is returned to the office).

      1. Most public wifi (and indeed home systems) will be using NAT and so it’s unlikely that any incoming traffic on tcp/445 will be delivered to a laptop. So although bringing infected machines inside the perimeter is often an issue, it’s unlikely to be all that relevant in this case where, so far as we currently know, the only infection vector is the SMB worm.

  8. I just watched the explanation on computerphile and have a question for the experts. If in windows 10 automatic updates cannot be switched off what is stopping some malicious code from triggering an update and retreiving a trojan update from a site masqurading as the real update site via a changed DNS entry ?

    1. The short answer is that windows update uses SSL/TLS to do the actual communication with the update servers. This will allow the machine to detect that it isn’t talking to a real Microsoft server, and abort the transfer.

  9. Last night I was told a GP practice which uses XP and communicates regularly with Barts was still (on Monday 15th) being told not to power up because of the risk of infection. in consequence all prescribing was at a halt. I was also told that Barts A&E was closed and all diagnostic equipment connected to the network switched off – with all tests except for basic ECG halted. If such a lock down is indeed confined to Barts and a handful of others, it appears rather important to learn why.

    P.S. I also learned that my source first heard of the problem over whatsapp when a colleague in a neighbouring GP practice asked for help after the ransomware screen appeared.

  10. There are indeed questions to ask about why A&E was shut at several hospitals. Trusts are supposed to run regular major incident exercises, and one of the contingencies to test is loss of network service. A&E in particular is designed to work without records if need be: you treat what you see. So why the panic? We also need to know why some hospitals didn’t patch their Windows 7 machines (though most did) and why some of them didn’t block SMB at the firewall. Indeed, why do hospitals and GPs have to pay extra for a “secure” NHS network, when a bog-standard home router would have stopped this? I’m having parliamentary questions put down in Edinburgh, where the government is still working normally.

  11. I contributed to a programme on BBC Horizon tonight about the worm, but it was rather disappointing. Apart from a number of minor technical errors and a good dose of sensationalism, its main contribution was to duck the issue of accountability. Rather than bringing out the fact that the worm hit about 5% of hospitals and the other 95% were fine (which points to negligence by the 5%) it represents the NHS just one in a long list of casualties – collateral damage in a new cyber-war. That’s not consistent with what I and other experts told them. The whole point of the programme was to say “We’re the NHS and we’re splendid and we’ll never let you down” rather than to show contrition that they did let people down. The BBC should never have hired a doctor to present this.

Leave a Reply

Your email address will not be published. Required fields are marked *