Ransom Attack. Microsoft Blames Everybody But Themselves.

wholbr

Hi everybody.
I have just finished a fourteen-hour work shift, as all day my company, myself included, has been endeavouring to help out one of our largest customers, who has been hit by the well-publicised worldwide ransom attack on Windows operating system computers. In the foregoing, on returning home I was appalled to see on the BBC news a Microsoft senior executive state that "the world needed to wake up and protect itself more securely from this type of criminal activity".

Surely in the above, it should be Microsoft that wakes up, and looks to its commercial customer base and starts treating that body with the service they now demand and deserve. Microsoft's commercial users are the last market that the Redmond Corporation has any dominance in, and yet when things go wrong Microsoft seem to wring their hands with an attitude of "it is nothing to do with us".

Microsoft seems to be (at least partly) blaming the United States government for leaking information in regard to the security of the Windows operating system. However, if Microsoft were working with any US government department for whatever purpose, they have a joint responsibility for whatever data is passed to that department and the security on it.

I believe the ransom attack is even much more widespread than is being stated, as many commercial companies are not revealing that they have been subject to this criminal action, fearing the effect in confidence that may have on their suppliers and customers.

Speaking late this afternoon to one of our customers' senior employees, who was clearly very upset and stressed at the day's events, I am sure that Microsoft's "excuses" will only add insult to clear injury when seen by her. I stated to her that it was perhaps time to look around and walk away from this bungling Redmond giant, as there are other operating systems out there far better serviced in the long term, as my own company has found out.

Let us hope that her company and many others will now walk away from Microsoft which would be no more than they deserve.

Bill
 
Another reason why I'm glad to have a Mac (I know PCs are better for gaming). But Macs do have better security with their computers.
 
There is another side to this as well which is relating to updates. From what I've understood from the various sources some organisations have been (for whatever reason - often for testing purposes) slower to install some Windows updates that fix security holes like the one used by this ransom attack. From memory the update has been around since March.

Shane
 
Hi again Shane and everybody.

Shane, the problem is that in recent months Microsoft have put out many "updates" seemingly believing that commercial companies have nothing better to do than have personnel analysing and deciphering which updates are urgent and which can be disregarded in their own operations. We live in a capitalist society where commercial competition is the basis of the way we live. The above commercial organisations have to pare operating costs to a minimum to remain competitive in their field.

In the above, Microsoft have become outdated in their operating system and maintenance of it. In my own humble opinion the Google OS system (which my own company uses) is now far in advance of the Windows system, in that all security is taken care of by Google in the cloud, and that system has not been hacked in any way in the more than five years of its existence.

The foregoing in my view is progress, and one which Microsoft are now attempting to follow, but once again are late to the party at cost to their customer base.

Bill
 
Just an add-on to my above posting: over on the Google Plus forum someone has just stated that Microsoft, in demanding subscriptions for security updates to non-supported Windows versions (XP, Vista etc.), are no better than the ransom demanders.

If you sell Windows XP to the British National Health Service at a cost to them of hundreds of millions, do Microsoft not have an obligation to maintain security on that system for at least twenty or twenty-five years?

Bill
 
MS has an obligation to provide what was agreed at the time of sale. Most trusts just took the standard terms and conditions, which were quite clearly stated at the time, and relied on being able to extend support if needed. Then they stopped extending it, usually claiming that they couldn't afford new machines to run newer, supported, operating systems. Others did special deals at time of purchase, got the support for the agreed period, and then did nothing when that period ended. When support became unavailable other options existed but were not taken up. People within the NHS were well aware of the risk they were taking and chose to accept it. The real question is why, with the knowledge that they were exposed and vulnerable, did these sites not screw down their machines so tightly that it wasn't possible to get infected in the first place? It's elementary IT administration practice. Of course, they weren't alone in failing to secure their networks.
 
Hi sailorDan and everybody.

SailorDan, there is much in your above posting which is correct and I can agree with. However, the British NHS is one of the largest single health suppliers and employers in the world. In the foregoing as you state Microsoft only had to supply what was agreed at the time for sale. However, almost all commercial companies in the UK having a customer of that size would go beyond the "terms of supply" in an endeavour to maintain contact and good relations with "the customer" which is an investment in future sales.

The above is practised by very many small to medium-sized British companies, which has brought the UK economy towards now being the fifth largest in the world. That stated, not so for Microsoft; they are still acting as if they are the sole supplier of the only operating system that organisations can adopt, so terms and conditions is all they supply. That, along with their lack of any innovation since the millennium, has already seen the Redmond corporation fall a long way at the expense of their shareholders, and I believe the events of the last few days will take them down even further.

Yes, there have been failings in the NHS in this matter, but the failings in Microsoft have been far greater, with the excuses they have made today pathetic.
Bill
 
Just said on Sky News that NHS Digital made the patch available at the end of April for the NHS Trusts to install, which would have stopped this attack. Now just whose fault is it that some "Trust Managers" decided not to bother and ignore it?

From another source it appears that MS gave NHS Digital the patch 6 weeks earlier.

Now who needs that Wakeup call I wonder?
 
My guess is (and it's pure speculation) that MS likely went well 'beyond the terms of supply' and offered the NHS licencing for a newer OS that would be supported at bargain prices, but it wasn't taken up because the hardware wouldn't support it. You may as well ask 'Why didn't the hardware manufacturer go beyond the terms of supply and provide drivers for this old hardware so that the NHS could upgrade the OS?'. Their potential sales value is much higher than MS's, and the NHS is likely a much larger proportion of their customer base. Did the NHS have agreements with hardware suppliers that the hardware would support any future MS OS? The reason for their inaction, like Microsoft's, is that they would prefer to supply new product than patch old product. MS has admitted that XP is, in some respects, just not able to be adequately secured. These guys have had a very long time in which to find these holes, and they are incredibly obscure.

Obviously there is fault all round. But the practice ought to be to look at those points of failure where prior action could have actually achieved some benefit - those are the issues that need to be addressed now.
 
It's funny how it always seems to be somebody else's fault when it all goes wrong. If we all demanded 20-25 years of support for our OS, let alone the additional up-front cost it would entail, we would probably still be using 16-bit systems, while even Linux, my preferred OS, is currently considering dropping 32-bit in preference to a total 64-bit.

This ransom attack struck machines running Windows Vista, XP and 8.0, of which it is common knowledge two have been extremely vulnerable for ages, and there has been a free upgrade and ample opportunity to upgrade Windows 8.0 to 8.1 or 10 in the past eleven months. I appreciate many companies, including the British NHS, use dedicated bespoke applications which perhaps cannot be migrated to these later OS; however, such applications are frequently mega bucks, and I have little sympathy left for those responsible for failing to quantify and mitigate the long-term risks when opting for an off-the-shelf OS to run them in such acquisitions.

I agree maintaining IT is time consuming and costly; it's a corporate overhead, as is running a fleet of vehicles, trains, etc., none of which we would wish to travel on if they had not been appropriately maintained, inspected etc. A maintenance server can be configured to poll workstations to ensure OS, applications, antivirus etc. are all kept up to date, as can old IT be protected from the outside world by secure encrypted infrastructures. However there needs to be the will to get on and do it, and not, as we have seen this past week and likely many times previously in our own workplaces or indeed our own homes, the apathy of "head in the sand, it won't happen to me" or the "leave it to others" syndrome. Peter
 
Hi Malc and everybody.
As I have stated already, yes there have been failings in the NHS in this matter. However, Microsoft are "thick" with updates, especially in the last few months. Many organisations with cost considerations have difficulty in supplying staff to evaluate all that Microsoft "churn out" and fall behind in that regard.

The above stated, there is now operating system technology that allows the supplier to take over and supervise the security of their supplied systems, allowing their customers to concentrate all their resources on their operations. Of course, true to Microsoft's track record in recent years, the Redmond Corporation has fallen behind in the development of the above technology to the detriment of their existing customers. They therefore have not been given the option of transferring to that lower-cost technology, with it being that the larger the organisation, the more difficult it is to change to another operating system bringing forward the new technology from a different supplier.

Many smaller companies such as my own have made the above change and for the better. Unfortunately for cash-starved organisations such as the NHS that has not been possible, and as demonstrated over the last few days Microsoft has proven to be no help to them at all in this crisis.

Bill.
 
And in the security world it is accepted these days that no one does security better than Microsoft. Security is to a large part procedures: making sure that the operating systems being run are current and patched, and that backups are made on a regular basis on devices that are disconnected from the computer in case encryption malware arrives.

To be classed as a government secure operating system and certified, the standard used to be that it was only certified on one set of hardware and the operating system had to be in production without patches for two years.

I once had a discussion with a government "security" specialist about the encryption method we were using. He couldn't get past the idea that it was software and not physical cogs he could see.

Software is complex and complexity is the enemy of security. No one person can now understand the whole of the Windows 10 software; it's too complex. The technical term is attack surface. Google will only update Android on devices for two years. Got a three-year-old Google device such as a Nexus 7? Google will not update it to the latest version of Android.

Apple, well, I forget how many thousands of their apps were infected in China; the trouble was they are so far behind in the world of security that once the apps got in there was little to stop them running amok.

Unix, depends on the flavour, but it is not renowned for security. Same basic design as Windows, iOS etc.; they all grew out of Multics.

If the US government puts resources into finding vulnerabilities in commercial software then the responsible thing to do is to report them and have them patched.

It's the connected world we live in. If a computer is not connected to the internet then, strangely enough, it seems not to get infections. It's the cost of connecting to the Internet, and it's been a very long time since I've seen a Windows update cause any problems with software. Again, if you are commercial, take the suite approach: Microsoft will have tested any updates with Word etc., so run Microsoft Office.

So use Gmail for email: you lose privacy, but on the other hand their spam and malware filters are very good.

Finally, Google and the cloud: well, yes, it works for simple things, but it needs an internet connection. Your documents are flowing through the Internet, so the CIA now have a backup copy and the American government has access to it all. Your Internet connection goes down (digger in the road etc.), sorry, you can't access your documents. Want to run Blender? It doesn't run under the Google operating system. Want to run TANE? Again, it doesn't run under the Google operating system. You are very limited in the software you can run. It might work for a small organisation doing simple stuff, but for a larger one Microsoft Word and Visual Basic allow you to automate so many things: pulling in data from databases, merging with mailing lists etc. etc. Oh, and if you are working with the disabled then Microsoft Windows has the best solutions, and that can be a deal breaker if you are government having something that will support the disabled in the workplace.

We took a serious look at replacing Word with OpenOffice, which had political wishes attached. It was fine on the very simple stuff, but after that forget it.

Cheerio John
 
Most ransom notices are bogus, and clicking on nothing, instantly going to Task Manager (Ctrl Alt Del) and shutting down the process, or shutting the returning process down several times (i.e. Firefox, IE, Chrome), or restarting your PC, will get you out. Once you start clicking the ransom site's OK, Cancel buttons etc. etc., they know they have your active IP address.
 
Hi Everybody.
It would seem that some are placing responsibility for the consequences of the ongoing ransomware attack at the feet of Microsoft's Windows commercial user base. However, that user base has over the years consisted of businesses both large and small, as well as huge government agencies such as the British National Health Service.

In the above, all would in their various operations encounter problems in how to secure and protect the data stored on their systems, and in that Microsoft have most certainly not made the task easy. The link below contains a timeline of the Windows operating system upgrades from its conception in 1985 until the present day. The timeline does not contain all the various patches released for security and bug fixing, which without doubt would extend the list into many pages if included.

Therefore, I would invite forum members reading the following to ask themselves how they would expect small business personnel to "keep abreast" of all the changes while at the same time fighting to make a living. The problem for large organisations can be the sheer scale and plausibility of the task. For example, if a large organisation spent many millions setting up their system based on Windows XP, are they expected to spend those same multiple millions again a few years later because Microsoft wishes to expand its profitability by bringing forward yet another new version?

Details of the Windows version timeline can be viewed by following this link:-
https://en.m.wikipedia.org/wiki/Timeline_of_Microsoft_Windows

In all the above, the search for an alternative to Microsoft Windows by small and medium-sized businesses began, with that becoming earnest in the last two years. Google brought forward its full cloud-based OS in July 2011, which was originally aimed at the education market with huge success. However, Google soon broadened its product to attract casual and small business users, and from a non-existent user base is today rapidly expanding its market share. The pros and cons of using the system in business can be seen in the following link, which describes exactly the experience we have found in my own company.

https://www.business.com/articles/chrome-os-for-business-faq/

Evidence of the competition the above system is bringing to the education and small/medium business IT market can be witnessed by the fact that Microsoft are now to launch their own full cloud-based operating system, complete with low-cost laptops and desktops, in the autumn of this year.

In my own company case, I can genuinely state that we have never looked back since those first Chromebooks and Chromebase desktops were brought into our office in 2013.

Now back to work
Bill
 
Shock and awe that 16-year-old software is vulnerable given the time to understand its quirks. It really doesn't matter who the developer is, however; Microsoft, Google, etc. all have the same bottom line of generating profit. Products will come and go, and the obligation to support said products for so long isn't realistic. As John stated above, Android builds are supported for a couple of years at best then abandoned, and depending on your handset, you'll be lucky to see an Android revision change at all during the life of the device. XP lasting as long as it did is remarkable in its own right, however. Microsoft did provide clear warning years in advance of its support discontinuation; they did everything they should have. It's understandable that a system with majority share (Windows as an ecosystem) in home and business environments would be targeted the most; the fact that this happens much less frequently is outstanding in and of itself. You see this far less on Macintosh and any ARM/x86 Google affair because the user base isn't there to target...

I was in hospital roughly 2 months ago, and it did catch my attention the sheer number of Windows 2000 and XP machines still in use, and networked no less. This simply isn't good enough given how critical it is that they don't go down, as we discovered. I'm no fan of Toryism either, and their lack of modernisation of IT infrastructure within the NHS in the 7 years they have had power, never mind the other issues that plague the service, is not helping.

There is no perfect solution mind, proper training of staff in networking safety is important if you want a truly secure ecosystem. Unfortunately there are far too many "I don't do computers" types of individuals who are wilfully ignorant around the subject when they cannot afford to be, especially in data sensitive environments such as the NHS.

From my Computer Science degree study point of view however, this whole episode is fascinating, and does raise numerous questions around government IT policy and cyber security as a whole.

Jack
 
A note to Bill: one problem area is documents and reports, especially printed ones. The typefaces used are copyrighted, which means when you convert a 300-page complex document with footnotes etc., page boundaries and line boundaries change. You change the look of the document. When you have a report that needs input from a number of areas it helps if they all use the same typefaces, which means the same software, and that's why large organisations use products such as Microsoft Word; and if you are working with them exchanging documents, the layout and printing process is much simpler if you use the same software.

Note to Jack: it's something they don't normally talk about on computer science courses, but it has a huge impact. The width of the character varies with the typeface, and you only need one character to be different to cause chaos. Look up leading as well.

Cheerio John
 
Another reason why I'm glad to have a Mac (I know PCs are better for gaming). But Macs do have better security with their computers.

Actually the reverse is true; Apples have horrible security. However, very few illicit programs are made for Mac, so there is less need for security as high as with Windows & Linux. Apple's security plan is: "let's hope no one makes a virus for our computers." This will come back and bite Apple soon; with more and more people, especially in the IT fields, switching to Apple from Linux boxes, more illicit software developers are making viruses, ransomware, etc. for Apple.

peter
 
A lot of this issue has to do with company management and an educated user base. Management do not want to spend money on upgrading infrastructure, just as governments do not want to, or reluctantly do, invest in roads and railways. Management sucks every cent out of the companies and never puts anything in. IT is there to supply the services and needs to be able to upgrade; however, IT is considered a cost centre and is treated by the bean counters as an operating liability on the books. This means less funds are allocated to IT than is sometimes needed to build up and maintain their infrastructure. IT is also sometimes, more often than not, lumped under another department's cost centre such as operations. This too means that they may see even less than the minimum requirements for system maintenance and upgrades. This was the problem where I worked at one location.

Now the problem here is management will never allow a full upgrade. I know; I worked for many companies, big and small, one being Oracle and the others being a former Polaroid spin-off, Polaroid, and much smaller organizations. In all cases we had to beg, borrow, and steal to get a budget to support everything we had, whether it was new UPS batteries, backup tapes, or even replacement fans and some hot-swap hard drives for the file servers. There was never any planning for spare parts, so if a hard drive went in the RAID, I had to buy it myself and ask for a reimbursement. Hard drives for the Compaq server were only $250 to $300 each!

At one of the places mentioned, my manager thought that the UPS batteries were optional and would not authorize the spending of $300, yes that's $300 with the trade-in of the old batteries, and that included free shipping both ways. Nope no replacement batteries, and we lost a server, due to a major surge, which took out a RAID, SCSI controller, and the motherboard. I warned him multiple times about this, but he ignored my requests. Oh wait warranty coverage? I had to fight for that too and didn't have that so we were stuck. But... when it came to executive bonuses, the hands were out, while the rest of us got nothing, and we were stuck using ca. 2000-2001 PCs on our desktops in 2010, which were so slow I hated working on them.

Oracle wasn't much better. They just upgraded in 2012 to Windows 7 from Windows XP. Yes... Windows 7, and are probably still "upgrading" their machines. Scary!


Just because users "know" how to use a computer because they have one at home doesn't mean they have the knowledge of safe computing practices! Sometimes safe computing needs to be taught, and other times it needs to be enforced using group-policy settings which disallow access to specific functions on the PC, such as thumb drive access via USB ports, and locked-down access via proxy settings and network security policies. These policies, along with user education, help prevent attacks such as this.

The current attacks are caused by clicking on a message with a bogus attachment/link in it. While I worked in IT, I took the time to educate my users. In the smaller companies, I trained my users on what to do with emails, such as being suspicious of attachments they were not expecting, etc. It got to a point where they would call me if they got a suspicious email and have me look at it before a decision was made, which was to delete it. In the end we had very minimal malware issues, which were handled by our antimalware software that was installed on all file servers and the Exchange Server. Much later, while at Oracle, I continued the practice of training people. When the rounds of new hires came in, I took about 20 minutes out of my busy schedule to attend their orientation classes. I did a quick lecture on malware and safe computing. This didn't prevent all the attacks, however, it cut down many of them.


Proprietary software and proprietary hardware requirements. This is not uncommon, especially with specialized equipment such as medical devices, database software, and other hardware such as engraving machines, embroidery machines, CNC, and RIPs for printing, for example.

In cases such as these, this equipment should be isolated from the internet, if they have to be networked as in the case of a RIP, and not treated as a user PC. In other words, they are specialized devices, such as a RIP used for printing images to an imagesetter, and not a user workstation where they can browse the internet.

The other solution for such programs as database front ends is to use virtual machine images running on a modern operating system such as Windows 10. The VM is essentially a PC running in its own environment, which is contained within a single file structure. In this case, Windows XP, Windows 2000, Linux, and other operating systems can run on and on without worrying about the hardware they're running on. This does, however, present an issue with hardware controllers, so it's important to keep those off the internet and behind firewalls and other protection. If handled properly, the VMs can be backed up via snapshots and restored should there be some kind of problem. With a VM the complete machine can be restored within minutes in such cases, so that situations such as this are mitigated.

Then there are backups. Backups should be done daily and kept offsite, whether in the cloud, or in a drive library somewhere, or in a vault. Backups should not be set to overwrite newer data, and thus need to be managed, circulated, and maintained. There's no good in writing over good data with an infection, which happened to one hapless user who used the cloud to back up her documents. Her cloud-based backup was set to sync her data, which in the end replicated the ransomware right over her only good backup in the cloud. So much for a good backup, and that brings up another point which I'll get to. With backups kept off the systems, the data can be restored and a clean system brought online. The problem, however, is the IT staff need to take the time to test their backups. A backup is no good if it can't be restored. Data needs to be restored to a test system to check the integrity of the backup systems.

I see these attacks as exposing the faults in the organization's IT infrastructure, and they are things that could have been prevented if they had followed common sense and common IT practices. All operating systems have bugs and vulnerabilities, whether it's Android, Apple OS X or even the 'nix-based systems. Right now these attacks are aimed at Windows-based machines, and in particular those that are unpatched. This, however, does not mean there will not be attacks aimed at other operating systems in the future. Mitigating a malware attack takes a multi-pronged approach. The IT staff can do all they can, if they have the resources available, but they cannot do it alone. They need not only management being proactive and giving them the resources to keep the infrastructure up to date, but also a user base which is educated and does not click on things just because it can. The buy-in of management will mean that the user base will be willing to follow rules as well. The IT staff doesn't have to be reactive, and the proactive approach by all is most successful.

When I was at Oracle from 2010 to 2012, I took a reactive IT environment, where the team ran around crazy constantly, to one where we took control and made it a proactive environment. We ensured that only specific devices had access to the internet, and only to the resources required to get the job done. This made for some grumbling and complaining from the users initially, but it made for a much safer working environment; a safer computing environment, that is. Machines which had previously had access to the internet, such as a kiosk computer for example, were locked down. This meant it required specific user access and specific permissions, which made things a bit inconvenient for management, but in the long run ensured unauthorized users could not access the network from that PC. In the end it made for peace of mind for the IT staff and made our lives much easier, so we could focus on the urgent support issues such as remote user connectivity and upgrades, which were in constant motion with the nearly 700 users at the location.

Now for a real-world example of what should not be done, which my brother told me about and which gets my hackles up as I think about it. My dad was at a local hospital for a CT scan. The software for the equipment ran on a Windows-based computer, most likely Windows XP or Windows 2000. Instead of this machine being isolated from the internet, meaning no browser allowed, or locked down only to allow intranet access, the operator and other staff were on Facebook browsing images that were sent to one of them. Seriously! How to infect the medical device. It's cases such as this which most likely brought the systems down at the NHS in the UK, as well as in other organizations!
 
A question to the IT experts out there:

If I back up to a USB connected external drive and I'm unfortunate enough to have been the victim of a security attack in any form or way, will my USB connected external drive be affected, will my backup be compromised in any way?

I back up regularly to this drive. I'm also very meticulous about installing the latest Windows updates (Win10 Home x64) and my anti-virus software is regularly updated.

Thanks in advance.

Back on topic. It seems incredible to me that organizations such as UK NHS are still running WinXP and seemingly ignoring any security update patches announced by Microsoft.

Rob.
 
Either unplug your USB drive or power it off after making your backup. Encryption malware will encrypt every drive the machine can see.

Cheerio John
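Two points in the thread are worth seeing in working code: Jeff's warning that a backup set to sync or overwrite will faithfully copy ransomware-encrypted files over the only good copy, and that a backup is only as good as a tested restore; and John's reply that encryption malware encrypts every drive the machine can see, so the backup copy must not remain writable from the victim. The following is an added example written for this page, not code from any poster or product. It keeps every snapshot in its own new directory (old generations are never written to), records a SHA-256 manifest so a restore test can be run later, and refuses to take a snapshot at all when most of the source files have the near-random byte distribution of ciphertext, so the last good generation survives. The function names, the entropy threshold and the sample files are constructed assumptions for the example; the entropy check is a tripwire for a sudden change across many files, not a reliable per-file verdict, since compressed formats also score high.

```python
"""Versioned, non-overwriting backup with a restore test.

Added example for this thread (not a poster's or a vendor's code). Helper
names, the 7.5 bits/byte threshold and the test data are assumptions made
for illustration only.
"""
from __future__ import annotations

import hashlib
import math
import shutil
from collections import Counter
from pathlib import Path

MANIFEST = "MANIFEST.sha256"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; 8.0 means uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path, threshold: float = 7.5) -> bool:
    """Heuristic tripwire: ciphertext sits near 8 bits/byte, ordinary
    documents do not. Compressed files (zip, jpeg, ...) also score high,
    so this is only meaningful when MANY files change at once."""
    with path.open("rb") as f:
        sample = f.read(4096)
    return len(sample) >= 256 and shannon_entropy(sample) > threshold


def list_snapshots(backup_root: Path) -> list[Path]:
    """Snapshot directories, oldest first (names are zero-padded sequence numbers)."""
    return sorted(p for p in backup_root.glob("snap-*") if p.is_dir())


def verify_restore(snap: Path) -> bool:
    """The restore test: re-hash every file in a snapshot against its manifest.
    Run this on a schedule; a backup that has never been read back is a guess."""
    manifest = snap / MANIFEST
    if not manifest.exists():
        return False
    for line in manifest.read_text().splitlines():
        if not line.strip():
            continue
        digest, rel = line.split("  ", 1)
        f = snap / rel
        if not f.is_file() or sha256_file(f) != digest:
            return False
    return True


def snapshot(source: Path, backup_root: Path, keep: int = 7,
             max_suspect_fraction: float = 0.5) -> Path:
    """Copy `source` into a NEW numbered directory under `backup_root`.

    Existing snapshots are never written to. The oldest generations are
    pruned only after the new one is written and verified. If most source
    files look encrypted, refuse entirely: syncing them would replace the
    last good copy with ransomware output."""
    files = [p for p in source.rglob("*") if p.is_file()]
    if files:
        suspect = sum(looks_encrypted(p) for p in files)
        if suspect / len(files) >= max_suspect_fraction:
            raise RuntimeError(
                f"{suspect}/{len(files)} source files look encrypted; refusing to snapshot")

    existing = list_snapshots(backup_root)
    seq = int(existing[-1].name.split("-")[1]) + 1 if existing else 1
    dest = backup_root / f"snap-{seq:06d}"
    dest.mkdir(parents=True)  # exist_ok=False: a collision is an error, never an overwrite

    manifest_lines = []
    for p in files:
        rel = p.relative_to(source)
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(p, target)
        manifest_lines.append(f"{sha256_file(p)}  {rel.as_posix()}")
    (dest / MANIFEST).write_text("\n".join(manifest_lines) + "\n")

    if not verify_restore(dest):
        raise RuntimeError("fresh snapshot failed verification; old generations kept")
    for old in list_snapshots(backup_root)[:-keep]:
        shutil.rmtree(old)
    return dest
```

Usage is `snapshot(Path("C:/Users/me/Documents"), Path("E:/backups"), keep=14)` from a scheduled task, followed by `verify_restore()` on an older generation as a periodic restore drill. Note what the code does not do: it cannot protect the backup drive itself once malware is running on the machine, which is why John's advice to unplug or power off the drive after the job still applies; a second copy kept offline or offsite is the part no script replaces.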
 