Saturday 13 May 2017

Cyberattack on our NHS!!!

Actually, it wasn't an attack, and it wasn't directed at the NHS.

It was ransomware, and each affected computer demands $300 (in bitcoin, to make it difficult to trace) to restore the data. $300 isn't much, but if the NHS has 1.2 million staff, I'd guess maybe half a million computers? Plus, can you trust the criminals who control this operation, to actually give you the decryption key after you paid? And what happens to data that has been encrypted by two different computers?

I have great sympathy for the NHS IT staff who now have to clear up this mess.

The NHS wasn't actually attacked. If you look at where affected computers are located, they mostly aren't in the UK. Cold comfort for a doctor cut off from her patients' data. But what can be done?

Three things. But first, let's have a look at how this thing "Wannacry" got in, and got widespread.

It spreads in two ways: the first is via an attachment in an incoming email, the second is via Windows file sharing (using port 443). So, don't click on attachments in incoming emails! Simple. But that doesn't work, and I'll explain why not.

Drive down any motorway, and look at the distances between cars. They are *far* too close. If the car in front has to brake hard, the car behind will slam into their rear. People have no real concern about personal safety, so why should they have any concern about computer safety? I am *strongly* opposed to any computer security scheme that includes user education, because I'm strongly of the belief that you cannot educate users in computer safety. If you can't educate them in personal safety, why would you think something as abstract as computer safety would matter?

The answer is to make it actually impossible to click on attachments in incoming emails, and the way you do that is to A) remove the attachments and B) not implement the ability to click on things in an email client.

So Herr Badhomme emails something including an attachment which, if clicked on, installs the ransomware. And in the email, he gives a compelling reason (compelling to maybe 1% of readers) why they absolutely must look at this. BUT! The email client drops the attached file, and doesn't give a link to click on. Problem solved.

Yes, this makes email a bit less useful. But it also makes it a lot more safe. You have to choose - do you want to keep on updating an antivirus product that misses 90% of incoming malware, or do you want an email system that isn't going to blow up in your face?
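What a "drop the attachment, drop the links" mail gateway does in practice, as an added example that is not part of the original post: the function below takes a raw RFC 822 message, keeps only its text/plain parts, discards every attachment and every HTML alternative (so there is nothing to click), and appends a note listing what was removed. The sample message is constructed here for the demonstration; the addresses and file names are placeholders.

```python
from __future__ import annotations

import email
from email import policy
from email.message import EmailMessage
from typing import List, Tuple


def build_sample_message() -> bytes:
    """Constructed lure (not a real message): plain text, an HTML alternative
    with a link, an executable attachment and a PDF attachment."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "gp@example.invalid"
    msg["Subject"] = "Overdue invoice - action required"
    msg.set_content("Please open the attached invoice today.")
    msg.add_alternative(
        '<p>Please <a href="http://example.invalid/x">open the attached '
        "invoice</a> today.</p>",
        subtype="html",
    )
    # Placeholder bytes standing in for an executable (MZ header only).
    msg.add_attachment(b"MZ\x90\x00placeholder", maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()


def strip_attachments(raw: bytes) -> Tuple[EmailMessage, List[str]]:
    """Rebuild a message as text/plain only.

    Returns the cleaned message and the list of parts that were dropped
    (attachment file names, or the content type for unnamed parts such as
    text/html).  Nothing clickable survives: no attachments, no HTML."""
    original = email.message_from_bytes(raw, policy=policy.default)
    kept_text: List[str] = []
    dropped: List[str] = []
    for part in original.walk():
        if part.is_multipart():
            continue                      # container, not content
        if part.is_attachment():          # Content-Disposition: attachment
            dropped.append(part.get_filename() or part.get_content_type())
        elif part.get_content_type() == "text/plain":
            kept_text.append(part.get_content())
        else:                             # text/html, images, anything else
            dropped.append(part.get_content_type())

    clean = EmailMessage()
    for name in ("From", "To", "Subject", "Date", "Message-ID"):
        if name in original:
            clean[name] = original[name]
    body = "\n".join(kept_text).rstrip("\n")
    if dropped:
        body += "\n\n[Removed by mail gateway: " + ", ".join(dropped) + "]\n"
    clean.set_content(body)
    return clean, dropped


if __name__ == "__main__":
    cleaned, removed = strip_attachments(build_sample_message())
    print(cleaned.as_string())
    print("dropped:", removed)
```

The cleaned message is deliberately single-part text/plain: a client rendering it has no attachment to open and no anchor to follow, which is the "problem solved" state described above. A real deployment would also record the dropped parts for the helpdesk, since legitimate documents are lost along with the lures.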

The second way that Wannacry spread, was via Windows file sharing. I use that (otherwise known as SMB, or Samba) even though I use Windows hardly at all, because it's a convenient way to share files across a network. But I just checked my firewall, and it explicitly disallows outside computers from file sharing on my inside network. So, check your firewall, and make sure that port 443 isn't open from the outside world. If you really do need to allow outside access via port 443, then you should restrict the IP addresses that are allowed access.
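The firewall check above, worked through as an added example (not from the original post): given an ordered, first-match rule list with an assumed default deny, the code asks whether a probe address from the outside world would be allowed to reach the file-sharing ports, and compares an open rule set with one restricted to the inside network plus a single named partner address. The post refers to port 443; Windows file sharing itself listens on TCP 445 (and 139 for NetBIOS session service), so those are the ports the audit uses. All rule sets and addresses are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

# SMB direct-hosting and NetBIOS session ports (fact, not from the post).
FILE_SHARING_PORTS: Set[int] = {445, 139}

# RFC 1918 ranges treated as "inside" for this example.
INSIDE = [ipaddress.ip_network(n) for n in
          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dport: Optional[int]   # destination TCP port, None = any port


def first_match(rules: List[Rule], src_ip: str, dport: int) -> str:
    """Evaluate rules top to bottom; the first matching rule decides.
    Assumption: an implicit deny-all rule sits at the end."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if ip in ipaddress.ip_network(rule.src) and rule.dport in (None, dport):
            return rule.action
    return "deny"


def exposed_ports(rules: List[Rule], ports: Set[int],
                  probe_ip: str = "203.0.113.7") -> List[int]:
    """Ports from `ports` that an outside address (documentation range
    203.0.113.0/24 by default) would be allowed to reach."""
    return sorted(p for p in ports if first_match(rules, probe_ip, p) == "allow")


# Constructed "weak" policy: file sharing open to the whole world.
WEAK_RULES = [
    Rule("allow", "0.0.0.0/0", 445),
    Rule("allow", "0.0.0.0/0", 139),
]

# Constructed hardened policy: inside network plus one named partner host,
# then an explicit deny for everyone else before any broader rules.
HARDENED_RULES = [
    Rule("allow", "192.168.0.0/16", 445),
    Rule("allow", "192.168.0.0/16", 139),
    Rule("allow", "198.51.100.10/32", 445),   # placeholder partner address
    Rule("deny", "0.0.0.0/0", 445),
    Rule("deny", "0.0.0.0/0", 139),
]


def audit(rules: List[Rule]) -> str:
    """Human-readable verdict for one rule set."""
    open_ports = exposed_ports(rules, FILE_SHARING_PORTS)
    if open_ports:
        return "FAIL: file sharing reachable from outside on %s" % open_ports
    return "OK: file sharing not reachable from outside"


if __name__ == "__main__":
    print("weak:    ", audit(WEAK_RULES))
    print("hardened:", audit(HARDENED_RULES))
```

The useful habit the example encodes is to probe the policy from the attacker's side of the boundary rather than read the rules and trust them: an `allow` for a single outside address is only safe because the explicit `deny` rules for everyone else sit directly below it, and reordering them would silently reopen the ports.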

Next - I visited my GP recently, and she measured my lung function, then went to look up the recorded number to see what that translated to. And she couldn't. She evidently needs, and has, web access to the outside world, but recently her IT people changed her Internet Explorer to Chrome (good idea) but didn't port across her bookmarks (stupid).

I didn't notice anything blocking javascript, and I didn't notice an ad blocker. NHS computers should have both. And should be moved off Internet Explorer (I use Firefox, Chrome is also good). I use Noscript to block javascript (except where I decide to allow it, which isn't often) and I use uBlock Origin to block ads.

The reason for blocking javascript is that if you allow it, then you're allowing any web site that you visit to run any software it wants on your computer. Not a good idea. And the reason for blocking advertisements is malvertising - adverts that are specifically crafted to take control of your computer. And because advertising is done via middlemen, even the most reputable web site can find itself displaying malvertising. And that's exactly what happened to in 2004.

So will the NHS make the necessary changes? Maybe there's someone there who reads this blog. We can only hope.


  1. Good breakdown - it's a global ransomware plot - not targeting the NHS.
    Re: Samba - aren't Windows machines at risk whether 443 is open or not because of the NSA developed exploit 'Eternalblue'?

  2. No - Eternalblue relied on port 443 being open. That would often be the case internally, so it would get in via a clicked-on email attachment, then spread more widely via port 443.