Microsoft says the outbreak of WannaCry ransomware on 12 May reveals why governments shouldn’t stockpile software vulnerabilities.
Microsoft’s president and chief legal officer Brad Smith thinks governments’ hoarding of flaws is a “problem.”
These bugs might be valuable to the CIA and NSA, government agencies which can and do exploit flaws to advance the national security interests of the United States government.
But bad guys invariably find and leak these security holes, which places ordinary users at risk of attackers using exploit code to target unpatched systems.
As Smith explains in a blog post:
“Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.”
Obviously, Smith is referring to the events of 12 May.
On that day, an updated version of WannaCry ransomware infected the United Kingdom’s National Health Service (NHS), the telecommunications provider Telefonica, and other high-profile within a matter of hours. As of today, it had spread to over 150 countries and reached more than 200,000 victims in an attack that exploited CVE-2017-0143, a Windows-based remote code execution (RCE) vulnerability.
The Redmond-based tech giant patched the bug on the latest Windows versions in March 2017. But there was no fix initially for Windows XP, an operating system which many customers continue to use notwithstanding its end-of-life status.
Microsoft therefore took the highly unusual step to release an update for Windows XP users and urge them to update their software (if possible) as soon as possible.
Microsoft also had something to say to governments that make attacks like the WannaCrypt outbreak possible. Smith delivers the message perfectly:
“The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new ‘Digital Geneva Convention‘ to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them.”
WannaCry helps illustrate the importance of governments cooperating with the private sector and the security industry to protect users. But as we all know, public agencies have lots of interests besides defending ordinary people, and some of those goals don’t benefit from transparency.
Let’s just hope the memory of this outbreak leads to some governments to work towards patching rather than stockpiling vulnerabilities. The world doesn’t need another WannaCry attack months or years from now to remind us all of what could happen otherwise.
For more discussion on the issue, make sure to listen to this episode of the “Smashing Security” podcast.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
A big thank you to our sponsors, Recorded Future.
Recorded Future arms threat analysts, security operators, and incident responders to rapidly connect the dots and reveal unknown threats.
Their patented technology automatically collects and analyzes threat intelligence from technical, open, and darkweb sources. Why?
To provide invaluable context for faster human analysis and real-time integration with your existing security systems.
Sign up to their Cyber Daily newsletter and get the latest insights from Recorded Future at recordedfuture.com/intel.
Recorded Future arms threat analysts, security operators, and incident responders to rapidly connect the dots and reveal unknown threats.
Their patented technology automatically collects and analyzes threat intelligence from technical, open, and darkweb sources. Why?
To provide invaluable context for faster human analysis and real-time integration with your existing security systems.
Sign up to their Cyber Daily newsletter and get the latest insights from Recorded Future at recordedfuture.com/intel.
Smashing Security, Episode 21: WannaCry, Who's to Blame? With Carole Theriault and Graham Cluley.
Hello, hello everybody, and welcome to another episode of Smashing Security, number 21 for the 18th of May, 2017. And I'm joined as always by my buddy Carole.
Hello, hello everybody, and welcome to another episode of Smashing Security, number 21 for the 18th of May, 2017. And I'm joined as always by my buddy Carole.
Graham, why is it that when you call me when we're not in the podcast, you never sound this happy? This is the way I would like you to call me from now on. Hello, hello. It's great.
Hello, hello, Carole. This is your buddy Graham calling you. Oh, I love it.
Okay, perfect.
We can do that. And we are joined today by our special guest, security researcher Paul Baccas, also known as Pob. How are things, Pob?
Hello, Graham. Hello, Carole. And hello to Jason Isaacs. Things are great, Graham.
Who's Jason Isaacs?
What?
What?
He's an actor.
He's an actor?
He's an actor.
Jason Isaacs. What's he been in?
He's been in all the Harry Potter movies. He was Lucius Malfoy. And this is an internet meme, Graham. You're aware of memes, I hope.
Oh, I am so not on trend. I am so not on trend.
Well, Google even did "Hello to Jason Isaacs" if you typed Jason Isaacs into the search engine once upon a time.
Okay, so there's just a meme whereby people say hello to this actor who's in a Harry Potter movie.
Yeah.
All right. Okay. Well, hello, Jason Isaacs. And thank you, Pob, for introducing us to this meme. Actually, I should explain.
Pob isn't just here to say hi to Jason Isaacs from the Harry Potter movies. He's also here because we brought him in to talk about the big story of the last week.
Actually, did anything happen in the last week? Has anyone noticed?
Pob isn't just here to say hi to Jason Isaacs from the Harry Potter movies. He's also here because we brought him in to talk about the big story of the last week.
Actually, did anything happen in the last week? Has anyone noticed?
I think we've all been a little bit busier than normal last week, don't you think?
It has been a little busy.
And the reason is, of course, the WannaCry ransomware. And Pob, you're going to talk to us about it today. But I think we should keep people in suspense for a little bit longer.
We should—
This is a teaser, really. Later in the show, we're going to talk about WannaCry.
Everyone on Twitter was saying, "I wonder what Smashing Security is going to speak about this week." Yes, we are going to talk about WannaCry, but we're going to do it a little bit later in the show, if that's all right with you.
Everyone on Twitter was saying, "I wonder what Smashing Security is going to speak about this week." Yes, we are going to talk about WannaCry, but we're going to do it a little bit later in the show, if that's all right with you.
What a great idea you've had, Graham.
That was Carole Theriault's idea.
No, no, no, no, no.
So it's actually been a little bit difficult finding other stories, hasn't it?
I know, right?
As to what's going on, everyone's talking about WannaCry, one of that. One thing though, which I thought was interesting.
In fact, I was talking to the BBC about this particular issue and then WannaCry happened. So I think they never actually published their story about this.
It's about HP laptops and a bunch of Swiss security researchers discovered that the audio driver being shipped on a number of HP laptops didn't just drive your audio and do all sort of audio sort of things.
It also secretly logged every key press which you made.
In fact, I was talking to the BBC about this particular issue and then WannaCry happened. So I think they never actually published their story about this.
It's about HP laptops and a bunch of Swiss security researchers discovered that the audio driver being shipped on a number of HP laptops didn't just drive your audio and do all sort of audio sort of things.
It also secretly logged every key press which you made.
Oh no.
I know, extraordinary.
And where did it send that stuff? Did it send it off somewhere or it just was keeping it locally?
Well, it just kept it locally.
So I mean, the first thing that HP did when this was found out was like, "We're not getting any of these key presses," which obviously could have included password details and credit card information.
All, you know, basically everything you type, right? All of your, all of the sexy messages which you may send in the office.
So I mean, the first thing that HP did when this was found out was like, "We're not getting any of these key presses," which obviously could have included password details and credit card information.
All, you know, basically everything you type, right? All of your, all of the sexy messages which you may send in the office.
Oh yeah.
All the corporate.
I send so many of those. Gosh, I can't breathe for sexy messages.
But all of that is being captured locally. In a directory, well, it's in your public users directory, in a file called mictrade.log.
Now, the reason why these keystrokes were being kept was actually because the programmers who were writing the audio driver were using it as a debugging method.
They wanted to capture whether things like function keys were being pressed in order to mute the microphone or unmute it and all that kind of jazz.
Now, the reason why these keystrokes were being kept was actually because the programmers who were writing the audio driver were using it as a debugging method.
They wanted to capture whether things like function keys were being pressed in order to mute the microphone or unmute it and all that kind of jazz.
Right, and they just forgot to turn it back off.
They forgot to take it out. And then it shipped that way, which in itself is pretty disastrous, right? I mean, you need to have better quality control than that.
You need to be confident that your software, you know, you want it tested.
You want it tested and you want to know it's the software which you expected to ship, which you're actually shipping.
So, you know, it's bad enough there are thousands of Trojan horses being released all the time that spy on people's keyboards without also having legitimate software silently collecting it.
And even if it was unlikely that remote hackers might be able to grab hold of this information, imagine being at home, maybe you've got a jealous partner or you have a business rival.
If they gained access to your laptop, they'd be able to find everything, wouldn't they? On that, in that file, everything which you'd been typing. Pretty bad stuff.
You need to be confident that your software, you know, you want it tested.
You want it tested and you want to know it's the software which you expected to ship, which you're actually shipping.
So, you know, it's bad enough there are thousands of Trojan horses being released all the time that spy on people's keyboards without also having legitimate software silently collecting it.
And even if it was unlikely that remote hackers might be able to grab hold of this information, imagine being at home, maybe you've got a jealous partner or you have a business rival.
If they gained access to your laptop, they'd be able to find everything, wouldn't they? On that, in that file, everything which you'd been typing. Pretty bad stuff.
This is not the first time you've brought up this whole concept of jealous partners. Do you think that lots of people live in that kind of world?
Well, yeah.
Leading double lives?
Well, no, I don't think it's necessarily double lives, but there certainly are people who are in difficult relationships or they're in a relationship which they're breaking out of and someone might be snooping on them.
I've done some work before with the Digital Stalking Trust who are, you know, trying to share information and spread advice about how to avoid being spied on and stalked online.
So, you know, I think this is a real fear. Now, of course, this big stink got kicked up over this, right? Oh, how can they do this? And HP, you know, they did the right thing.
They issued an update.
I've done some work before with the Digital Stalking Trust who are, you know, trying to share information and spread advice about how to avoid being spied on and stalked online.
So, you know, I think this is a real fear. Now, of course, this big stink got kicked up over this, right? Oh, how can they do this? And HP, you know, they did the right thing.
They issued an update.
And you think, "Oh, wonderful." And I'm sure they did that fairly quickly, and they issued it out. Perfect.
They did.
End of story?
Well done, Carole Theriault. End of story. End of story.
I'm just guessing the way you're cueing it up, it isn't.
Mais non. Malheureusement, Carole. It was not the end of the story. Because they didn't actually take the keylogging functionality out of the driver.
What they did was they changed the registry key, the setting, to turn it off. Which means, in theory, I mean, obviously that—
What they did was they changed the registry key, the setting, to turn it off. Which means, in theory, I mean, obviously that—
It could be turned on.
Exactly. Someone could turn it on. If someone wanted to spy on you, they would be able to do that.
So, well, they did a quick fix, and who knows, maybe they're planning to do a much bigger fix.
You know, they just wanted to get something out really quickly, and maybe this was the way to do it.
You know, they just wanted to get something out really quickly, and maybe this was the way to do it.
Oh, you're so nice, Carole. You're like Mother Teresa, aren't you?
I'm always nice. Thanks. Yeah. People have often commented that we look similar. So, anyway.
Yeah. So basically, sheesh. And I think we expect big software companies to do better than this, don't we?
Yeah.
What do you think, Paul?
I think this is bad. I think HP have done— you're right. They've done the right thing in issuing an update, but I expect them to completely update the software now.
You can kind of understand why somebody leaves debugging code in software, but there should be a QA and they shouldn't have done it.
I would expect now Trojans just to be turning that registry key back on and seeing what's in there.
You can kind of understand why somebody leaves debugging code in software, but there should be a QA and they shouldn't have done it.
I would expect now Trojans just to be turning that registry key back on and seeing what's in there.
Well, I bet, I guess HP actually are quite, they must be kind of secretly a little bit glad that it came out at the same time when there's this ginormous nightmare.
So it may have got buried in the press.
So it may have got buried in the press.
Yeah, well, I mean, it's a good— it would be a good time to have released bad news.
Yeah, I know it's an awful thing to say, isn't it? It's an awful thing to say, but I don't know.
You must be— it's nice that it's maybe not made it on all the top of the front pages.
You must be— it's nice that it's maybe not made it on all the top of the front pages.
Well, look, we have given it prominence here in the podcast. So if you have got an HP computer, make sure you update it.
Make sure that you're running the very latest version of the audio drivers so that they're not secretly logging any key presses. Maybe look for that file, mictray.log.
So it's mic as in microphone.
Just to make sure that it's not there and indeed that you haven't been backing it up somewhere because there may be copies of it elsewhere because you do back up your computers, don't you, and your data.
Make sure that you're running the very latest version of the audio drivers so that they're not secretly logging any key presses. Maybe look for that file, mictray.log.
So it's mic as in microphone.
Just to make sure that it's not there and indeed that you haven't been backing it up somewhere because there may be copies of it elsewhere because you do back up your computers, don't you, and your data.
If we haven't learned a valuable lesson this week, right?
Back, back up. Hey, back it up, back it up.
Yes, yes, I was just thinking we should put that in. And I'm backing up, backing up, backing up, backing up.
Because my daddy taught me good. I'm backing the hell out of there.
And I'm like, oh my God.
I think we can't hold on any longer.
Back it up.
I think we've got to unleash it, haven't we?
Shall we?
I think it's time for Paul to talk about the story of the week, if not the story of the month. Is it the story of the year?
It's probably gonna be the story of the year, Graham, just because it was so big.
It wasn't so big that I think you'll find that was another email-aware virus from about 2000. Sorry, I've been a bit nerdy there.
I know.
That's right, but this wasn't an email-aware virus. So this was a network worm. This is going back to the old days of computer security.
When was the last one? When was the last one of these?
I think it was probably Stuxnet was the big worm.
That's so long ago.
But before that, there was obviously Conflicker and Slammer. Yeah. And I wasn't working at the time of the Morris worm.
And you were probably still in kindergarten, Carole, but I'm sure Graham remembers the Morris worm.
And you were probably still in kindergarten, Carole, but I'm sure Graham remembers the Morris worm.
I wasn't working in the computer security industry at the time, but yeah, that was a pretty big deal, wasn't it?
Yeah. So let's talk about WannaCry. Okay, so what do we know about WannaCry? Well, it was ransomware, and ransomware is the topic du jour of the last 18 months, 2 years.
Everything is ransomware. Yeah, no longer are people writing worms and viruses for fun to impress their mates. They're doing it for financial gain.
And so the bad part about WannaCry is it was ransomware, and as people have said it will make you want to cry.
It was a network worm and it exploited a known vulnerability in SMB, Windows network sharing software.
And the particular vulnerability was publicized by the Shadow Brokers NSA hack, and it's been patched for about 10 weeks now. But there were actually two vulnerabilities used.
So there was a vulnerability called EternalBlue, and that allowed people to write a file to a remote SMB share.
And there was another vulnerability called DoublePulsar that allowed you to execute files from a remote SMB share.
Everything is ransomware. Yeah, no longer are people writing worms and viruses for fun to impress their mates. They're doing it for financial gain.
And so the bad part about WannaCry is it was ransomware, and as people have said it will make you want to cry.
It was a network worm and it exploited a known vulnerability in SMB, Windows network sharing software.
And the particular vulnerability was publicized by the Shadow Brokers NSA hack, and it's been patched for about 10 weeks now. But there were actually two vulnerabilities used.
So there was a vulnerability called EternalBlue, and that allowed people to write a file to a remote SMB share.
And there was another vulnerability called DoublePulsar that allowed you to execute files from a remote SMB share.
Now, these crazy names, these are names which the NSA gave these exploits, don't they? Because they always have code names names for the exploits which they use.
And they created basically these exploits, having found the vulnerabilities in Microsoft's code, in order to spy and snoop on people, didn't they?
And they created basically these exploits, having found the vulnerabilities in Microsoft's code, in order to spy and snoop on people, didn't they?
Well, that is the NSA's job. And so—
Well, it's half of their job, isn't it? Half of their job is to collect intelligence and to spy and snoop.
But the other half of their job, and part which arguably they failed to do on this particular occasion, is also to protect and secure the United States and other organizations against these sort of threats.
But the other half of their job, and part which arguably they failed to do on this particular occasion, is also to protect and secure the United States and other organizations against these sort of threats.
Well, I suppose if you're being pedantic, they were to protect the US government's communications and non-US government organizations they don't have to protect.
But yes, and I think we'll talk about that more in a minute, Graham.
So this exploit, this worm used these two exploits and most people first heard about it when Telefónica alerted on this, telling its employees to shut down their computers amid a massive ransomware strike.
But yes, and I think we'll talk about that more in a minute, Graham.
So this exploit, this worm used these two exploits and most people first heard about it when Telefónica alerted on this, telling its employees to shut down their computers amid a massive ransomware strike.
Yeah, just to try and stop the spread, right?
To try to stop the spread. And then the newswires went crazy about a cyber attack on the NHS.
So it seems that lots of NHS trusts— and for non-UK-based listeners, the NHS isn't one homogenous organization.
It's lots of federated hospitals that come under the umbrella of the NHS.
So it seems that lots of NHS trusts— and for non-UK-based listeners, the NHS isn't one homogenous organization.
It's lots of federated hospitals that come under the umbrella of the NHS.
That's a good point to make, actually. It's a really good point to make.
And so each trust, each hospital trust, has a different IT system, though some of them are shared.
And the NHS got hit quite badly to the effect that A&E waiting times went up, hospitals stopped surgery. They stopped MRI scans because their computers didn't work.
Reports are that businesses and organizations in over 150 countries got hacked.
And the NHS got hit quite badly to the effect that A&E waiting times went up, hospitals stopped surgery. They stopped MRI scans because their computers didn't work.
Reports are that businesses and organizations in over 150 countries got hacked.
Yeah.
Including parts of the Russian Ministry of the Interior.
And this all came to an end early in the UK evening, about 6 or 7 o'clock, when somebody registered a domain that was in the code.
And this all came to an end early in the UK evening, about 6 or 7 o'clock, when somebody registered a domain that was in the code.
This was on Friday. This was on Friday.
This was on Friday. Yeah. And let's just quickly go down a little rabbit hole there.
So a young computer researcher was looking at the code and he saw a domain that was looked up by the virus or worm, and he registered that domain so he could track how many computers had been infected.
So a young computer researcher was looking at the code and he saw a domain that was looked up by the virus or worm, and he registered that domain so he could track how many computers had been infected.
We're pinging it. Yeah.
And that had the effect of stopping the spread of this worm.
So that was very fortunate, wasn't it?
So the action which was taken by that guy, MalwareTechBlog he is on Twitter, if you want to give him a thumbs up and what he did, had this really positive effect because it prevented the malware from spreading any further.
It effectively was a kill switch on the malware.
So the action which was taken by that guy, MalwareTechBlog he is on Twitter, if you want to give him a thumbs up and what he did, had this really positive effect because it prevented the malware from spreading any further.
It effectively was a kill switch on the malware.
Yeah, that's exactly what it was.
It was a kill switch for lots of them. It wasn't a kill switch if you were using a proxy.
Right, exactly. So yes, if you—
And lots of companies use proxies, right?
That's true. Yeah, we can't criticize MalwareTech for that though.
No, no, no, I'm not.
I wasn't for a minute suggesting, I'm just saying I had a problem with the word kill switch that the media used because I think it gave people a false sense of security.
I wasn't for a minute suggesting, I'm just saying I had a problem with the word kill switch that the media used because I think it gave people a false sense of security.
Yeah.
So good for home users who have auto update turned on. Sure, most home users don't use proxies, I get that, but lots of companies do.
So the upshot of all of this is the ransomware hit really hard and it hit organizations around the world, encrypted people's data, which obviously is pretty scary if you don't have a backup to recover from.
And clearly it hit the UK's National Health Service, but also hit very hard in Russia and elsewhere around the world.
Maybe what would be interesting for us to discuss is whose fault is this?
Because it seems there's a lot of blame and a lot of finger-pointing which is going on right now as to who should be taking some flak.
And clearly it hit the UK's National Health Service, but also hit very hard in Russia and elsewhere around the world.
Maybe what would be interesting for us to discuss is whose fault is this?
Because it seems there's a lot of blame and a lot of finger-pointing which is going on right now as to who should be taking some flak.
Why don't we go through in order? Let's— why don't we just— All right, okay, so who should we start with, Paul?
Well, who's to blame? Well, it was Microsoft's software.
Yeah, but Microsoft patched as soon as it was made aware of the exploits.
And I don't know if the NSA told them about it, but they certainly patched those in all the supported systems quite quickly and said it was a critical update.
And that was about two months before this actually exploded.
And I don't know if the NSA told them about it, but they certainly patched those in all the supported systems quite quickly and said it was a critical update.
And that was about two months before this actually exploded.
And I do think whenever Microsoft announces that they've got a critical problem in their software, everyone should listen up, prick up their ears and think, crikey, if they are going public saying we've got a serious, serious problem with our software, here is the patch, please, please apply it.
Yeah, when I got into the industry 15 years ago, I was saying this, right?
So it's not changed. It's a bit of a failure if people then don't do it.
And also let's not forget, okay, Microsoft did have a bug in their software, naughty, naughty, but what programmer can put his hand up and say he's never written a program with a bug in it?
Yes or she? So, I mean, Paul, you're a programmer. Have you ever written a buggy program?
And also let's not forget, okay, Microsoft did have a bug in their software, naughty, naughty, but what programmer can put his hand up and say he's never written a program with a bug in it?
Yes or she? So, I mean, Paul, you're a programmer. Have you ever written a buggy program?
I don't think I've written more than 10 lines of code without a bug in it, Graham.
Right, there you go. So there you go. And even the mighty Google— Google, who find vulnerabilities in everyone else's software all the time.
You know, there are bugs found in Android all the time, aren't there? Which is sometimes quite serious as well.
You know, there are bugs found in Android all the time, aren't there? Which is sometimes quite serious as well.
So bugs found— everybody has bugs. And so, right, can we blame Microsoft for having a bug?
No.
Can we say that they should have done maybe more looking for their own bugs? Maybe, yeah. Who else can we blame? Well, we can blame the NSA for creating it in the first place.
Yeah, as we kind of touched on earlier, this bug was made public by the Shadow Brokers who stole it from the NSA. Is it the NSA's fault for writing this bug?
Well, the NSA's job, and just like GCHQ's job, is signal intelligence, and it's to try to steal secrets from foreign governments and enemies of the state.
So the NSA were doing their job by creating this, and it looks like, given the timing of the Microsoft patch, the NSA did tip Microsoft off about it when they knew that the Shadow Brokers were going to release this exploit.
Yeah, as we kind of touched on earlier, this bug was made public by the Shadow Brokers who stole it from the NSA. Is it the NSA's fault for writing this bug?
Well, the NSA's job, and just like GCHQ's job, is signal intelligence, and it's to try to steal secrets from foreign governments and enemies of the state.
So the NSA were doing their job by creating this, and it looks like, given the timing of the Microsoft patch, the NSA did tip Microsoft off about it when they knew that the Shadow Brokers were going to release this exploit.
Because Shadow Brokers didn't initially release the exploits themselves, but they did release some information about what they had in their hands, which included the code names Eternal Blue and Double Pulsar, which obviously was enough to scare the willies out of the NSA and thought, crikey, the game's up.
We better tell Microsoft. There's another reason why maybe we can apportion some blame to the NSA. If we go— I love this.
We're going through our little blame list here, which is the NSA got hacked and the NSA are meant to be all about security. And here they go again.
Having a very embarrassing data breach. And I seem to recall they had another quite a big data breach, didn't they, a few years ago involving that contractor, Eddie Snowden?
We better tell Microsoft. There's another reason why maybe we can apportion some blame to the NSA. If we go— I love this.
We're going through our little blame list here, which is the NSA got hacked and the NSA are meant to be all about security. And here they go again.
Having a very embarrassing data breach. And I seem to recall they had another quite a big data breach, didn't they, a few years ago involving that contractor, Eddie Snowden?
That's right. Did they issue any statement about this breach? I didn't see one.
I think it's not their habit to confirm these sort of things and exactly whether the information is real or not.
But you kind of think they owe the country a bit of a, "Sorry guys, mea culpa." So the—
So now that's Italian, I think, isn't it?
Yes, it's Italian, Graham. Yes.
Well, Latin.
No, no, no, no, don't tell him.
I knew that. So the NSA got hacked by what many would consider a state-level actor. And again, that's what state-level actors do. So who are Shadow Brokers?
Shadow Brokers claim to be an independent hacking team.
Shadow Brokers claim to be an independent hacking team.
Well, I think we should take them at their word about that. I think they're probably entirely trustworthy.
Indeed, they're fine, upstanding people. But others would claim that they are part of the state apparatus in Russia. So we could say they're the FSB.
We would say, well, you get hacked by the KGB. Again, that's what the KGB is designed to do, to hack people like the NSA.
We would say, well, you get hacked by the KGB. Again, that's what the KGB is designed to do, to hack people like the NSA.
Okay, so the Shadow Brokers partly to blame, we're saying, because they stole the information and then they put it up for sale.
And they made it public. Yeah, they put, yeah.
And the rest of it. Lots of people complaining the NHS should have patched. I mean, that seems reasonable, doesn't it? They should have patched, shouldn't they?
Well, the NHS is an interesting one because we know it's a system. I mean, it's a big, big network. They don't have a lot of cash.
I am convinced loads of them are running legacy systems that are not running the latest and greatest. I wouldn't be surprised if there's even XP machines still running.
And, you know, how—
I am convinced loads of them are running legacy systems that are not running the latest and greatest. I wouldn't be surprised if there's even XP machines still running.
And, you know, how—
I think we could put our hands on our hearts and say there were XP machines running in the NHS. Oh yeah.
The issue with the NHS, like universities, is they don't often have one overarching IT system.
So the radiology department might have a slightly different system to the ICU or the ER or different parts.
And no disrespect to the IT guys in the NHS, they're not getting paid an awful lot of money, and they're getting run ragged keeping up to date with all the other things they have to do, allowing the doctors to use their iPads and whatever else they have on their plate.
So it's very difficult.
The issue with the NHS, like universities, is they don't often have one overarching IT system.
So the radiology department might have a slightly different system to the ICU or the ER or different parts.
And no disrespect to the IT guys in the NHS, they're not getting paid an awful lot of money, and they're getting run ragged keeping up to date with all the other things they have to do, allowing the doctors to use their iPads and whatever else they have on their plate.
So it's very difficult.
Furthermore, they will have medical hardware like MRI machines and X-ray scanners and things like that. Which are maybe 15, 20 years old.
Yeah.
And maybe were designed to be run by software which runs on XP and they've got the drivers for XP, but the person who wrote that software, that company no longer exists.
And so they don't have any more recent updates to the software and, you know, they can't get a Windows 10 machine to drive that piece of medical hardware.
And it would cost an absolute fortune, much more than replacing a computer to replicate this. And I think they're making that decision all the time.
It's like, well, we can spend this extraordinary amount of money and secure ourselves against some of these threats, or we can—
And so they don't have any more recent updates to the software and, you know, they can't get a Windows 10 machine to drive that piece of medical hardware.
And it would cost an absolute fortune, much more than replacing a computer to replicate this. And I think they're making that decision all the time.
It's like, well, we can spend this extraordinary amount of money and secure ourselves against some of these threats, or we can—
But we'd like a few more beds open, you know?
Yeah, well, as well, yes. That's going to be where the priority is for the cash.
So for those who don't live in Britain or aren't aware, you know, the UK's National Health Service is pitifully underfunded.
So for those who don't live in Britain or aren't aware, you know, the UK's National Health Service is pitifully underfunded.
Okay, I've got the big question now. So who is most to blame out of these three? The NHS, NSA, or Microsoft?
Well, I think there are other people we could blame.
There are, but you know, those are the biggies, right? We know shadow brokers. We know, okay, we know, we know. They stole it, they made it available.
You know, no one's saying they're not very responsible here. But if we had to go to, you know—
You know, no one's saying they're not very responsible here. But if we had to go to, you know—
Okay, Pob, we're gonna nail you down. We're gonna nail you down. Who's to blame?
Of these three?
Just answer the bloody question. Who's to blame?
They all have culpability, but do they have the ultimate culpability? No. I can't say I would blame any of them.
I can.
Well, then you can. But I mean—
The NSA. I blame the NSA for not for creating them, but for not keeping them secure. It seems to me if you create a bad poison of some sort, you keep it under lock and key.
And we're not just talking a flimsy lock and a flimsy key.
And we're not just talking a flimsy lock and a flimsy key.
Yeah, good point.
So, you know, they are at the cutting edge of what's going on cybersecurity-wise, so they should know what the latest tricks are, and they should have proper defenses for it.
But ultimately, the person responsible for WannaCry is the guy who wrote it, right?
Ultimately, the person responsible for WannaCry is the author of this malware.
We might be upset with others, but that's the person who needs a big kick up the backside.
Yeah.
I don't believe the author of WannaCry knew what they were doing. I suspect that this spread faster than they could have believed.
I think triggering the ransomware immediately was probably silly of the author because the best pathogens want to keep their hosts alive.
In biological terms, it's no good killing patient zero, which this nearly did. There were several coding errors.
Reports are coming in now that the bitcoin code may not have worked properly.
I think triggering the ransomware immediately was probably silly of the author because the best pathogens want to keep their hosts alive.
In biological terms, it's no good killing patient zero, which this nearly did. There were several coding errors.
Reports are coming in now that the bitcoin code may not have worked properly.
Yeah, yeah, I saw that, yeah.
Which would be the ultimate irony, wouldn't it?
Yeah.
That they affected this many computers, and it appears the latest reports are that the actual payment mechanism built into WannaCry had a bug in it.
And so this may be why it appears that so few payments have actually been made.
I think the last time I looked it was something like about $70,000, which, yeah, sure, it's great for a week's work, isn't it?
But for the scale of this attack, you would've expected them to have made more than that.
And so this may be why it appears that so few payments have actually been made.
I think the last time I looked it was something like about $70,000, which, yeah, sure, it's great for a week's work, isn't it?
But for the scale of this attack, you would've expected them to have made more than that.
Anyway, ultimately, we should tell people, lay off the NHS. They have a lot to deal with right now. And I'm sure they've learned their lesson and they're doing good every day.
So back off.
So back off.
So our 3 pieces of advice to organizations out there.
Likely don't know though, but anyway, go ahead.
Our 4 pieces of advice for organizations out there are patch, patch, patch, and backup.
Yeah.
Yeah.
Well, yeah, I mean, backup, backup, patch, backup, patch, backup. I don't know.
Carole, get us out of this. What have you got for us? That's WannaCry, everybody. I hope you enjoyed it.
I'm going to take you guys to the movies. Well, figuratively speaking.
Actually, speaking of movies, did you hear, did you guys read about the Texan who is suing his date for texting during a 3D screening of The Guardians of the Galaxy Vol. 2?
Actually, speaking of movies, did you hear, did you guys read about the Texan who is suing his date for texting during a 3D screening of The Guardians of the Galaxy Vol. 2?
Is it that bad a movie?
The 37-year-old, okay, his name's Brandon Vezmar, is asking for a whopping $17.31, which was the price of the ticket.
Hang on, you said he's suing his date?
He's suing his date. It was a first date and he's suing his date. Now, okay, I laughed too when I first read this, okay? And I wanted to read a bit more, and it turns out—
Surely taking your date to a movie on the first date's not very sociable.
Neither is suing them, Paul.
No!
Well, exactly.
So I laughed at the first as well, but then it turns out he's actually maybe a bit of a douche, okay?
Oh, really?
Yeah.
You surprise me.
He owns his own comms firm. He owns his own communication consulting firm. So that gives me a bit of a, oh God, he's looking for a position. You know, a bit of publicity.
Anyway, apparently texting is one of his biggest pet peeves.
So he's asked this girl who's basically texting— she says she's texting because her friend's having some crisis, so she's just telling, you know, giving a few replies.
And he says, can you stop texting? When she doesn't, he tells her to go outside. So she does and does what any girl would do and doesn't come back.
Anyway, apparently texting is one of his biggest pet peeves.
So he's asked this girl who's basically texting— she says she's texting because her friend's having some crisis, so she's just telling, you know, giving a few replies.
And he says, can you stop texting? When she doesn't, he tells her to go outside. So she does and does what any girl would do and doesn't come back.
Is he texting her from the cinema?
I hope not. This is a few days later. She could countersue. She refuses, right? She's like, look, you asked me on a date, sorry if you didn't like it, but you know, there you go.
He then— he's reportedly contacted her little sister chasing up the payment, and then he goes and sues her. So as I said, douche, right? She probably have a tattoo in his forehead.
Anyway, that's just—
He then— he's reportedly contacted her little sister chasing up the payment, and then he goes and sues her. So as I said, douche, right? She probably have a tattoo in his forehead.
Anyway, that's just—
Could you just remind me of his name?
Yes, his name is Brandon Vezmar.
Okay, everybody, so there you are.
Austin, Texas.
Austin, Texas. Brandon Vezmar. How old is he? Do we know?
Uh, 37.
37-year-old. Okay, so look out for him, ladies and gentlemen. Brandon Vezmar. I suggest you don't go on a date with him. Right.
Anyway, that had nothing to do with security at all, but it was quite interesting. So movies.
You might have heard that the latest blockbuster— we don't know exactly which one, but people are thinking it's probably Pirates of the Caribbean— has been stolen from Disney.
Now, Chief Bob Iger says that the hackers have stolen it and they are demanding ransom for it. So this is not the first time we've seen this in Hollywood, has it?
Wasn't there— it was a few weeks ago, wasn't it? It was Orange Is the New Black. Yes, that was taken from Netflix.
You might have heard that the latest blockbuster— we don't know exactly which one, but people are thinking it's probably Pirates of the Caribbean— has been stolen from Disney.
Now, Chief Bob Iger says that the hackers have stolen it and they are demanding ransom for it. So this is not the first time we've seen this in Hollywood, has it?
Wasn't there— it was a few weeks ago, wasn't it? It was Orange Is the New Black. Yes, that was taken from Netflix.
Yes.
Yeah. And they were basically saying, if you don't pay up, we're gonna publish the episodes. And I think they did publish them. They did put them up on Pirate Bay.
So it's a similar situation here where they're saying if they don't pay up— and they haven't declared the sum that they're being asked, but they're asking for a large sum, a huge sum according to the Disney chief, in bitcoin— and otherwise they're threatening to release the first 5 minutes, and then they're going to release 20-minute chunks of the film until the financial demands are met.
Now, what's interesting—
So it's a similar situation here where they're saying if they don't pay up— and they haven't declared the sum that they're being asked, but they're asking for a large sum, a huge sum according to the Disney chief, in bitcoin— and otherwise they're threatening to release the first 5 minutes, and then they're going to release 20-minute chunks of the film until the financial demands are met.
Now, what's interesting—
Will they be in order?
Well, yeah, exactly. I wondered that too. I wondered that too. I looked, but I couldn't find out.
I couldn't find it because the plots of The Pirates of the Caribbean have been getting more incomprehensible as they've been going on, and maybe doing them out of order would actually be an editorial success.
I have to say, I would prefer it in a 20-minute chunk rather than 2 hours 20 or whatever it was.
Well, this is the fifth film. This is a billion-dollar business, this whole Johnny Depp as Captain Jack Sparrow.
Now the thing is, this movie is supposed to be released on the 26th of May, so that's— is that next week? That's next week. So they don't have very long to get their money in.
And the thing is, how is this happening repeatedly? So how is it that hackers are getting their hands on these final cuts?
I am sure these cuts are being watched with— by people's lives, how much money they cost. You know, there's a lot of— this is huge money.
So how do you think this may have got out?
Now the thing is, this movie is supposed to be released on the 26th of May, so that's— is that next week? That's next week. So they don't have very long to get their money in.
And the thing is, how is this happening repeatedly? So how is it that hackers are getting their hands on these final cuts?
I am sure these cuts are being watched with— by people's lives, how much money they cost. You know, there's a lot of— this is huge money.
So how do you think this may have got out?
Well, I imagine that if you create a TV series or if you create a new blockbuster, that you're probably working with lots of external agencies and marketing companies and the people who do the subtitles or the people who dub it into Taiwanese or whatever.
And, you know, you're putting your trust in their computer security as well.
So even if you, as the boss of Disney, are thinking, "Oh yeah, our computer security is really locked down and everything," those partners of yours may not be as careful.
There's both the danger, the sort of insider threat danger of someone leaking the movies, and maybe they're getting more on top of that these days because there's been so much piracy in the past.
But there's also the computer security, isn't there, of external hackers. And it does seem that some of the hacking gangs have been particularly interested in doing this recently.
I guess because—
And, you know, you're putting your trust in their computer security as well.
So even if you, as the boss of Disney, are thinking, "Oh yeah, our computer security is really locked down and everything," those partners of yours may not be as careful.
There's both the danger, the sort of insider threat danger of someone leaking the movies, and maybe they're getting more on top of that these days because there's been so much piracy in the past.
But there's also the computer security, isn't there, of external hackers. And it does seem that some of the hacking gangs have been particularly interested in doing this recently.
I guess because—
Well, it gets a lot of press. It gets a lot of press.
Everyone wants to talk about the Hollywood celebs, and it gives them a chance actually probably to put an ad up for the movie so they can get, you know, the newscaster, they know that the articles can get, or rather the publications can get a bit more attention.
Everyone wants to talk about the Hollywood celebs, and it gives them a chance actually probably to put an ad up for the movie so they can get, you know, the newscaster, they know that the articles can get, or rather the publications can get a bit more attention.
Oh, are you suggesting maybe this is a bit of a publicity stunt to promote the fifth incarnation of the Pirates of the Caribbean movie?
Look, we know that it's a very over-budget film. We also know that, well, I don't think very many people are actually going to go and download this and watch it via torrent.
Do you guys? I mean, what percentage of people that go to the theater might do that?
Do you guys? I mean, what percentage of people that go to the theater might do that?
The only reason to watch it surely is Keira Knightley in bodice. But, and you'd want to see that in 6-foot high. But, speak for yourself. Where was I going?
Yeah, Graham wants to see Jack Sparrow.
I want to see Captain Keith Richards doing that shtick again.
So, yeah, I think you're right about not many people watching it, but I was thinking about this when you said you're going to talk about it earlier.
And maybe it's not just the people who are working on this, it's people who have to review it. It might have gone to the directors, or just to have final say.
And all I could think of was Mission: Impossible and this message must be destroyed after 5 seconds.
So they really need a way to play the movie and wipe it completely so you can't maybe copying it in these kind of scenarios.
And maybe it's not just the people who are working on this, it's people who have to review it. It might have gone to the directors, or just to have final say.
And all I could think of was Mission: Impossible and this message must be destroyed after 5 seconds.
So they really need a way to play the movie and wipe it completely so you can't maybe copying it in these kind of scenarios.
Oh, that's interesting. There are solutions which do that, you know. I'm aware of some companies which offer services for sharing files with, and they give you the ability—
In a safe room.
Yeah, well, yeah, exactly.
And so they're sharing files inside a sort of encapsulated bubble or whatever, which gives them the ability to, you know, zap a file permanently, you know, and prevent people from copying it in unauthorized fashions.
And so they're sharing files inside a sort of encapsulated bubble or whatever, which gives them the ability to, you know, zap a file permanently, you know, and prevent people from copying it in unauthorized fashions.
So you do it for example, in big, you know, business deals. If you're doing a big company merge or something, you might do it in that instance.
But yeah, that's a really good suggestion, actually. The other thing is I don't think they're losing a lot of money.
And the other thing is they're getting a lot of publicity about the film, because I can't imagine that, you know, if I didn't know anything about the films, which actually I don't, right, I might go, oh, it's a popular film because someone's stolen it and is now holding it for ransom.
So I think there's some kind of weird sense that it actually makes the film more important and more people will actually go see it to see what the fuss is about.
But yeah, that's a really good suggestion, actually. The other thing is I don't think they're losing a lot of money.
And the other thing is they're getting a lot of publicity about the film, because I can't imagine that, you know, if I didn't know anything about the films, which actually I don't, right, I might go, oh, it's a popular film because someone's stolen it and is now holding it for ransom.
So I think there's some kind of weird sense that it actually makes the film more important and more people will actually go see it to see what the fuss is about.
I just can't imagine it's any good as a movie, can you?
No, I don't think I've seen— I actually don't think I've seen any of them.
Have you not?
No, I listen to podcasts. That's what I do for fun.
Good idea. Yeah, there are some good podcasts out there, you know, isn't there?
There's some great ones.
Oh, there's some really good ones. Oh yes, you know, and in fact, if you wanted to subscribe to a good one, Carole, there's one I'd recommend on computer security.
It's called Smashing Security, and you can find it on iTunes. You can leave a review if you like as well.
It's called Smashing Security, and you can find it on iTunes. You can leave a review if you like as well.
You involved me in that cheesy, cheesy segue.
Yeah, Carole, we're getting desperate for the reviews now, right?
We're not desperate. I've never been desperate in my life.
Have you not?
Never. Hmm.
It's also on Google Play Music, Stitcher, I didn't say anything, Overcast.
But if you like the podcast, please subscribe, and that means you will automatically get it every time we release a new episode, which is normally every Thursday.
But if you like the podcast, please subscribe, and that means you will automatically get it every time we release a new episode, which is normally every Thursday.
And a big shout out to Recorded Future, our sponsors this week. You can sign up to their Cyber Daily newsletter and get their latest insights at recordedfuture.com/intel.
So that just about wraps it up. Thank you for tuning into the podcast. Pob, thank you very much for joining us today.
Tinkety tonk, old fruit.
Tinkety tonk, old fruit. If you want to know more or listen to past episodes, go to www.smashingsecurity.com.
You'll find our email contact form and you can find a link to our Twitter as well.
You'll find our email contact form and you can find a link to our Twitter as well.
Yes, and tell us if you like the show.
Until next time, bye-bye.
Bye.
Bye.
I think this whole story is BS. Microsoft is the one responsible because they want to get rid of the old (Windows XP) and force the new crappy windows 10 spyware on everyone.
Governments should not hold back vulnerability knowledge: the information may become known by a breach, or by an accidental or intentional leak. It may, as a result, become known to criminals who likely will use it for criminal purposes, or sell it on to others who will. On the other hand, governments can use vulnerabilities in ways that many would consider more beneficial than harmful.
Criminals should not hold back vulnerability knowledge: they are likely to use the information for criminal purposes or sell it on to others who will. We can pretty much guess how well that will work out.
Private (non-criminal) organizations should not hold back vulnerability knowledge: the likely purpose of doing so is to sell it on to governments or other private organizations, some of which might use the information for criminal purposes or sell it on further to others who will.
Both governments and private organizations may obtain information about vulnerabilities by their own research, by stealing it from other governments or private researchers, purchasing it from private organizations, or taking advantage information leaked either intentionally or by accident.
In the aggregate, private research into vulnerabilities, including by developers and vendors such as Microsoft, probably exceeds similar government and government sponsored research by an order of magnitude or more. Government activity, including by the NSA and CIA is reasonably a matter for some concern, but focusing on these two agencies, or even all similar government agencies is a serious misdirection.
Those who fell victim to this particular exploitation generally were
– users of products for which Microsoft discontinued support two or more years past;
– users of unauthorized Microsoft products that do not qualify for updates;
– users who had not applied patches for very high severity vulnerabilities that had been available for about eight weeks.
The extremely rapid spread, in addition, seems likely to have been facilitated by overly permissive firewall configurations that exposed an outdated and deprecated version of the SMB protocol on the public Internet.
The NSA may be in for some blame, but there is more than enough for others, the first of which is Microsoft, which developed the vulnerable software and apparently overlooked the vulnerability for 15 years or more.