The “Ooops” page that many workplace computer users saw last Friday, put up by the WannaCry worm, seemed almost cordial, as if mocking last year’s Brexit vote or Donald Trump’s election. It looked like a customer service page. Can I get my data back? Sure, if you pay up in time.
This almost looks like a hostile takeover. Or is it a rebellion against the behavioral and personal performance norms of the civilized world in the digital age (and post)? We’re in charge now, the welcome screen says; you do what we tell you to do, and you’ll be OK. The bullies win. Might makes right, because there was no right before.
There are a lot of remarkable facts about this one. First of all, the exploit the worm used to spread came from a leak of one of the NSA’s own tools, dumped publicly in April 2017 by the group calling itself the Shadow Brokers (not through Snowden or Wikileaks, though the mechanism looks similar). The government kept a way in for itself, and the way in got left open for everyone.
Second, it seems to have affected certain kinds of businesses the most, mainly those overseas that happen to be less tech oriented and have less incentive to keep up. It’s remarkable that one of the most visible victims was Britain’s National Health Service, and it’s easy to imagine how libertarians could use this fact to argue against single-payer and socialized medicine systems. The government-run system didn’t give employees a personal incentive to stay tech-current. (Then what about intelligence services and the military? They’re still government.)
But it is true that individuals and tech-oriented small businesses know how to keep up and do keep operating systems and security patches updated. So do larger businesses with a core interest in tech infrastructure. Your typical bank, insurance company, brokerage house or other financial institution usually keeps the actual consumer accounts on legacy mainframes, which are much harder for “enemies” to attack (although insider vulnerabilities are possible, as I learned in my own 30-year career). Typically they have mid-tiers or presentation layers on Unix systems, not Windows, and whatever their other weaknesses, a Windows-only worm cannot infect those. Publishing service providers and hosting companies usually put their customers’ content on Unix servers (although Windows is possible, and my legacy “doaskdotell” site is still on Windows, and seems unaffected).
On the other hand, in Europe, and most of all in Russia and the former Soviet republics, there is a culture of cutting corners and sometimes using pirated software, which is often left unpatched and is much easier to attack.
A typical workplace infection might destroy all the data on employees’ own desktops (like Word memos) but not source code on a mainframe or Unix server, and not customer data held there. Anything the infected Windows account can write to, including mapped network shares, is at risk, though.
This kind of ransomware is unlikely to affect the power grid directly. The equipment that controls distribution of power runs on proprietary or embedded systems (not Windows), and the control networks are normally segregated from the corporate networks that are exposed to hackers; the caveat is that the operator workstations that manage that equipment often do run Windows, so the segregation is what matters. In the book “Lights Out” (2015), Ted Koppel described some ways a very determined hacker could try to corrupt power distribution and overload critical transformers.
There are other particulars in this incident. Microsoft released the fix (security bulletin MS17-010) for all supported versions of Windows, client and server, on March 14, 2017, two months before the worm appeared. Any company, ISP or host that applies patches on a normal monthly schedule had it in place. The exposure was in machines that were never patched, or that ran versions Microsoft no longer supported.
Windows 10 had the vulnerability too, but the March update fixed it, and the machines actually hit were overwhelmingly unpatched Windows 7 systems. While media reports focus on Britain’s NHS using Windows XP, any older Windows machine that had not received the March update was vulnerable. The fix was carried forward in every later cumulative update, so a supported machine that got the May monthly update was covered. For the unsupported Windows XP, Windows 8 and Server 2003, however, Microsoft released an emergency patch only on May 13, 2017, the day after the outbreak, so even a machine fully updated as of May 12 had no fix if it ran those versions.
From the best that I know, Carbonite or other cloud backups are not affected. But users who do not network their Windows machines at home and who make physical backups (like on Seagate drives or even thumb drives) regularly are not in the same danger of losing data, provided the backup drive is unplugged between backups; a drive that stays attached is just another volume for the ransomware to encrypt. I haven’t seen much information on how quickly the major security companies like Trend, Webroot or Kaspersky update their detection capabilities.
The fact that the worm spread among Windows computers on a network, without any action by users after the first one, has attracted attention. Early reports suggested the original infection came from email attachments disguised to look as if they came from inside the workplace, but no such campaign was ever confirmed; the better-supported explanation is that the worm reached its first victim in each organization by scanning for machines with TCP port 445 (SMB) reachable from the internet. It is also possible for an unprotected computer to be infected merely by visiting a fake website (the way scareware infections take over a computer, often based on misspellings of real sites, with “System Response” warnings and 800 numbers for fake support), but that is not how this worm spread. The practical point is that any Windows machine, even one not on a corporate network, that leaves port 445 reachable without an adequate firewall can be infected with no user involvement at all.
Another problem is that, since introducing Windows 8 and later versions, Microsoft has become much more aggressive about pressuring users to replace operating systems on older hardware. Often the latest versions, like the Windows 10 Creators Update, while loaded with the latest security, don’t run very well on older PCs. In the interest of providing gaming and tablet capabilities, Microsoft has made its systems less stable for people with ordinary uses (like blog posts). Microsoft’s own PCs, as compared to those with third-party hardware (HP, Dell, ASUS, Acer, Lenovo, etc.), may have fewer problems with updates inasmuch as they don’t have to deal with third-party firmware (often from China) which may not be perfect. Stability has become a much bigger issue since about 2013 with the introduction of Microsoft’s tablet systems. I had a Toshiba laptop fail in 2014 when going from Windows 8 to Windows 8.1 because it overheated due to inadequate engineering of the power components.
There was a stir over the weekend when CBS reported that President Trump had ordered emergency meetings at DHS, as if he had intended to take some kind of action on his earlier “no computer is safe” idea. His use of Twitter seems to contradict his previous dislike of computers as a way to get around dealing with people and salesmanship. I had wondered if he could propose liability rules for companies or individuals who leave computers unprotected and allow them to be used in conducting attacks (like home PCs that become botnet nodes in DDoS attacks).
It was two young programmers (each around 22), one in Britain and one in Indiana, who helped break the attack. The worm queried a hard-coded, unregistered domain before spreading and stopped if the lookup succeeded; one of them spotted this “killswitch” and found he could halt the worm by registering the domain himself for about $11. I started wondering if Trump would talk about a killswitch for many portions of the Internet, as he threatened in December 2015 in the early debates. “Shut down those pipes.”
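As an added example (not code from the original post, and not MalwareTech’s tooling), here is detection logic for the two signals discussed above, run over constructed sample log lines: the lateral-movement pattern of one host fanning out to many distinct peers on TCP/445 inside a short window, which is what propagation with no user action looks like on the wire, and a DNS query for the killswitch domain, which shows the payload executed on that host and performed its check. The log layout, the addresses, the timestamps, the thresholds and the placeholder domain name are all constructed for the example; the real killswitch domain is in MalwareTech’s own write-up.

```python
"""Added example: flag WannaCry-style worm behaviour in constructed logs.

Two signals are checked:
  1. SMB fan-out: a source reaching many distinct peers on TCP/445 inside a
     short window (propagation with no user involvement).
  2. Killswitch lookups: a DNS query for the worm's killswitch domain, which
     the worm issued before spreading; a query means the payload ran there.

Everything below (log layout, addresses, timestamps, thresholds and the
placeholder domain) is constructed for the example, not real data.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Placeholder for the real killswitch domain (assumption; substitute the
# actual hard-coded domain from the malware analysis when using this).
KILLSWITCH_DOMAIN = "killswitch-placeholder.example"

# Constructed flow log, one connection per line: timestamp src dst dport proto
# 10.0.5.17 behaves like an infected host; 10.0.5.40 is a client repeatedly
# talking to one file server; 10.0.5.41 is ordinary HTTPS traffic.
CONN_LOG = """\
2017-05-12T10:00:01 10.0.5.17 10.0.5.20 445 tcp
2017-05-12T10:00:01 10.0.5.17 10.0.5.21 445 tcp
2017-05-12T10:00:02 10.0.5.17 10.0.5.22 445 tcp
2017-05-12T10:00:02 10.0.5.17 10.0.5.23 445 tcp
2017-05-12T10:00:03 10.0.5.17 10.0.5.24 445 tcp
2017-05-12T10:00:03 10.0.5.17 10.0.5.25 445 tcp
2017-05-12T10:00:04 10.0.5.17 10.0.5.26 445 tcp
2017-05-12T10:00:05 10.0.5.17 10.0.5.27 445 tcp
2017-05-12T10:00:05 10.0.5.17 10.0.5.28 445 tcp
2017-05-12T10:00:06 10.0.5.17 10.0.5.29 445 tcp
2017-05-12T10:00:06 10.0.5.17 10.0.5.30 445 tcp
2017-05-12T10:00:07 10.0.5.17 10.0.5.31 445 tcp
2017-05-12T10:00:10 10.0.5.40 10.0.5.2 445 tcp
2017-05-12T10:00:11 10.0.5.40 10.0.5.2 445 tcp
2017-05-12T10:00:12 10.0.5.41 10.0.5.3 443 tcp
2017-05-12T10:00:12 10.0.5.41 10.0.5.4 443 tcp
"""

# Constructed DNS query log: timestamp client "query" qname
DNS_LOG = """\
2017-05-12T09:59:58 10.0.5.17 query killswitch-placeholder.example
2017-05-12T10:00:30 10.0.5.18 query www.example.org
2017-05-12T10:01:00 10.0.5.33 query KILLSWITCH-PLACEHOLDER.EXAMPLE.
"""


def parse_conn(text):
    """Yield (ts, src, dst, dport, proto) tuples from the constructed flow log."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(dport), proto.lower()


def smb_fanout_sources(text, threshold=10, window=timedelta(seconds=60)):
    """Return sources that touched >= threshold distinct peers on TCP/445
    within any window-long span. Repeated flows to one file server do not
    count, because only distinct destinations are tallied."""
    flows = defaultdict(list)            # src -> [(ts, dst), ...]
    for ts, src, dst, dport, proto in parse_conn(text):
        if proto == "tcp" and dport == 445:
            flows[src].append((ts, dst))

    flagged = set()
    for src, events in flows.items():
        events.sort()
        peers = Counter()                # distinct destinations inside the window
        start = 0
        for ts, dst in events:
            peers[dst] += 1
            while ts - events[start][0] > window:   # slide the window forward
                old = events[start][1]
                peers[old] -= 1
                if peers[old] == 0:
                    del peers[old]
                start += 1
            if len(peers) >= threshold:
                flagged.add(src)
                break
    return flagged


def killswitch_lookups(text, domain=KILLSWITCH_DOMAIN):
    """Return {client: first_query_time} for hosts that looked up the
    killswitch domain. Names are normalised (case, trailing dot) so a
    resolver log that writes FQDNs does not hide the match."""
    want = domain.rstrip(".").lower()
    hits = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _kind, qname = line.split()
        if qname.rstrip(".").lower() == want:
            hits.setdefault(client, datetime.fromisoformat(ts))
    return hits


if __name__ == "__main__":
    print("SMB fan-out from:", sorted(smb_fanout_sources(CONN_LOG)))
    for host, when in killswitch_lookups(DNS_LOG).items():
        print(f"killswitch lookup from {host} at {when.isoformat()}")
```

The threshold and window are assumptions to tune against your own baseline; in practice the flow lines would come from Zeek conn.log or firewall logs rather than the constructed string. Note what the killswitch lookup does and does not tell you: a query that succeeded means the worm stopped on that host, but the host still ran the payload and needs cleaning, and a host whose lookup fails (for example behind a proxy that blocks direct DNS) keeps spreading, which is why the registered domain was only a partial brake.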
My other legacy coverage of this incident is here.
Wikipedia screenshot of the user greeting.
MalwareTech is one of the resources fighting the worm.
(Posted: Tuesday, May 16, 2017 at 2 PM EDT)