WannaCry ransomware hits systems worldwide

UK’s NHS hit hard, and other organisations around the world report problems.


The WannaCry ransomware (also known as WCry or WCrypt or Wana Decryptor) burst onto the scene spectacularly today after NHS hospitals across the UK ground to a standstill, as the ransomware encrypted files and caused staff to cancel operations.

I can only imagine the chaos.

As you can imagine it’s “been a bit busy” here too. Every time I try to write something the media grab me for an interview, and I spent an hour or so in a BBC studio in Oxford while they tried to work out why they couldn’t beam me live down the wire to their studios in London.


(They never did find out what the gremlins were, but thought it “probably” wasn’t the WannaCry ransomware.)

The NHS wasn’t targeted. They’re just a huge organisation which has had insufficient investment in computer security over the years. In short, it has a lot of computers and at least some of them weren’t able to withstand an attack like this.

The state of the NHS’s cybersecurity becomes obvious when you consider that it still relies heavily on computers running Windows XP, which Microsoft started to tell people to dump way back in 2007, and finally stopped patching in April 2014.

If you were still running Windows XP after that date – well, you had something bad coming to you.

The UK Government did end up paying Microsoft over £5.5 million of taxpayers’ money to receive support and security updates for a further 12 months after April 2014 (did they not pay any attention to Microsoft’s warnings since 2007?) but that really was the last chance saloon.

But it would be wrong to think that the NHS was targeted. They weren’t. This is extortion – 21st century style. The bad guys release ransomware (in this case carried by a worm which exploits a Windows vulnerability), and their intention is to infect as many PCs as possible to make as much cash as possible.

Hitting the NHS wasn’t necessarily their intention, but it is a soft target due to its poor defences. And, of course, the implications of a widespread NHS infection are felt by many people.

Meanwhile, organisations in other countries were also hit, among them Telefónica in Spain and FedEx in the United States.


WannaCry appears to have spread at an astonishing pace because it is carried by a worm exploiting a Microsoft vulnerability, MS17-010, a flaw in the SMBv1 file-sharing service that Microsoft patched in March 2017. Once one computer in your organisation is hit, the worm scans for other computers that expose SMB (TCP port 445) and haven’t been patched, and attacks them in turn.

Before you know it, you’ve got a big problem.

You probably don’t care about this if you’ve had your computers hit by WannaCry, but the story behind the MS17-010 vulnerability is an interesting one.

The vulnerability was first found by the NSA. However, they chose not to tell Microsoft about it. (Which is a shame, because that would have meant computers would have been patched earlier).

Instead, the intelligence agencies kept the details of the exploitable vulnerability to themselves, so they could use it to infiltrate computers and spy upon them. They dubbed the exploit “ETERNALBLUE”.

However, a group of hackers calling themselves the Shadow Brokers stole details of this and other exploits used by US intelligence agencies, put them up for sale and then, in April 2017, dumped them publicly, opening the door for other criminals to exploit the vulnerabilities.

Microsoft responded with a patch, but wouldn’t it have been better if the NSA had done the decent thing for all of us on the internet and told Microsoft about the flaw as soon as they discovered it?

Sometimes you protect your country best not by spying on others, but by ensuring that everyone in the world (including the people you may want to snoop on) is better defended.

I’ll update this page with more on WannaCry as it becomes available, but for now you can either follow me on Twitter at @gcluley or (perhaps most importantly) ensure that you have applied Microsoft’s security update MS17-010, released in March 2017, to your Windows computers.
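If you want to check rather than hope, the script below is an added example (not from this article, and not Microsoft’s own tooling) that triages a single Windows host for the MS17-010 exposure WannaCry’s worm relies on: whether SMBv1 is enabled, whether one of the MS17-010 packages is present, and whether anything is listening on TCP 445. The KB numbers are the ones listed in Microsoft’s MS17-010 bulletin; the “any security update installed on or after 14 March 2017” rule is this example’s own assumption, because later cumulative updates supersede the March packages and hide them from Get-HotFix.

```powershell
# Added example (not from the original article): triage one Windows host for the
# MS17-010 / WannaCry exposure. Run from an elevated PowerShell prompt.

function Test-Ms17010Exposure {
    $report = [ordered]@{}

    # 1. Is the SMBv1 server enabled? The worm reaches new victims over SMBv1 on TCP 445,
    #    so "False" here removes the attack surface even on a host that is otherwise unpatched.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8.1 / Server 2012 R2 and later
        $report.Smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Windows 7 / Server 2008 R2: the registry value is authoritative; a missing value means enabled
        $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                              -Name SMB1 -ErrorAction SilentlyContinue
        $report.Smb1Enabled = ($null -eq $p) -or ($p.SMB1 -ne 0)
    }

    # 2. Is one of the MS17-010 packages installed? (KB numbers from Microsoft's MS17-010 bulletin.)
    $ms17010 = @(
        'KB4012212', 'KB4012215'                 # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
        'KB4012213', 'KB4012216'                 # Windows 8.1 / Server 2012 R2
        'KB4012214', 'KB4012217'                 # Server 2012
        'KB4012598'                              # Vista / Server 2008 / Windows 8; later also XP / Server 2003
        'KB4012606', 'KB4013198', 'KB4013429'    # Windows 10 1507 / 1511 / 1607 and Server 2016
    )
    $hotfixes = Get-HotFix
    $report.Ms17010Package = @($hotfixes | Where-Object { $ms17010 -contains $_.HotFixID } |
                               Select-Object -ExpandProperty HotFixID) -join ','

    # 3. Cumulative updates supersede the March packages and hide them from Get-HotFix, so a
    #    missing KB is not proof of exposure. ASSUMPTION made by this example: any security
    #    update installed on or after 14 March 2017 (MS17-010's Patch Tuesday) carries the fix.
    $report.LaterSecurityUpdate = [bool]($hotfixes | Where-Object {
        $_.InstalledOn -ge [datetime]'2017-03-14' -and $_.Description -match 'Security' })

    # 4. Is SMB reachable at all? netstat works on every Windows version the worm targets.
    $report.Listening445 = [bool](netstat -ano | Select-String -Pattern ':445\s+\S+\s+LISTENING')

    $report.Verdict = if (-not $report.Smb1Enabled -or -not $report.Listening445) {
        'not reachable via SMBv1'
    } elseif ($report.Ms17010Package -or $report.LaterSecurityUpdate) {
        'patched (confirm with a network scanner)'
    } else {
        'EXPOSED: apply MS17-010 and disable SMBv1'
    }

    [pscustomobject]$report
}

Test-Ms17010Exposure | Format-List

# Remediation, once you are sure nothing on the host still needs SMBv1 (Microsoft's documented methods):
#   Windows 8.1 / 2012 R2 and later:
#     Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
#   Windows 7 / 2008 R2 (then reboot):
#     Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name SMB1 -Type DWord -Value 0 -Force
```

Treat the verdict as triage, not proof: the host-side checks tell you what the machine believes about itself, and the decisive test is an unauthenticated scan from another machine (for example nmap’s smb-vuln-ms17-010 script) against TCP 445. Machines that still need SMBv1 for old kit should at least have 445 firewalled off from everything but the hosts that genuinely talk to them.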

Stay safe folks. And remember to make sure that you have a secure backup regime.

For more discussion on the issue, make sure to listen to this episode of the “Smashing Security” podcast.

Smashing Security #021

021: WannaCry - Who's to blame?

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
CAROLE THERIAULT
A big thank you to our sponsors, Recorded Future.

Recorded Future arms threat analysts, security operators, and incident responders to rapidly connect the dots and reveal unknown threats.

Their patented technology automatically collects and analyzes threat intelligence from technical, open, and darkweb sources. Why?

To provide invaluable context for faster human analysis and real-time integration with your existing security systems.

Sign up to their Cyber Daily newsletter and get the latest insights from Recorded Future at recordedfuture.com/intel.
UNKNOWN
Smashing Security, Episode 21: WannaCry, Who's to Blame? With Carole Theriault and Graham Cluley.

Hello, hello everybody, and welcome to another episode of Smashing Security, number 21 for the 18th of May, 2017. And I'm joined as always by my buddy Carole.
CAROLE THERIAULT
Graham, why is it that when you call me when we're not in the podcast, you never sound this happy? This is the way I would like you to call me from now on. Hello, hello. It's great.
GRAHAM CLULEY
Hello, hello, Carole. This is your buddy Graham calling you. Oh, I love it.
CAROLE THERIAULT
Okay, perfect.
GRAHAM CLULEY
We can do that. And we are joined today by our special guest, security researcher Paul Baccas, also known as Pob. How are things, Pob?
PAUL BACCAS
Hello, Graham. Hello, Carole. And hello to Jason Isaacs. Things are great, Graham.
CAROLE THERIAULT
Who's Jason Isaacs?
PAUL BACCAS
What?
GRAHAM CLULEY
What?
PAUL BACCAS
He's an actor.
GRAHAM CLULEY
He's an actor?
PAUL BACCAS
He's an actor.
GRAHAM CLULEY
Jason Isaacs. What's he been in?
PAUL BACCAS
He's been in all the Harry Potter movies. He was Lucius Malfoy. And this is an internet meme, Graham. You're aware of memes, I hope.
CAROLE THERIAULT
Oh, I am so not on trend. I am so not on trend.
PAUL BACCAS
Well, Google even did "Hello to Jason Isaacs" if you typed Jason Isaacs into the search engine once upon a time.
GRAHAM CLULEY
Okay, so there's just a meme whereby people say hello to this actor who's in a Harry Potter movie.
PAUL BACCAS
Yeah.
GRAHAM CLULEY
All right. Okay. Well, hello, Jason Isaacs. And thank you, Pob, for introducing us to this meme. Actually, I should explain.

Pob isn't just here to say hi to Jason Isaacs from the Harry Potter movies. He's also here because we brought him in to talk about the big story of the last week.

Actually, did anything happen in the last week? Has anyone noticed?
CAROLE THERIAULT
I think we've all been a little bit busier than normal last week, don't you think?
PAUL BACCAS
It has been a little busy.
GRAHAM CLULEY
And the reason is, of course, the WannaCry ransomware. And Pob, you're going to talk to us about it today. But I think we should keep people in suspense for a little bit longer.
CAROLE THERIAULT
We should—
GRAHAM CLULEY
This is a teaser, really. Later in the show, we're going to talk about WannaCry.

Everyone on Twitter was saying, "I wonder what Smashing Security is going to speak about this week." Yes, we are going to talk about WannaCry, but we're going to do it a little bit later in the show, if that's all right with you.
CAROLE THERIAULT
What a great idea you've had, Graham.
GRAHAM CLULEY
That was Carole Theriault's idea.
CAROLE THERIAULT
No, no, no, no, no.
GRAHAM CLULEY
So it's actually been a little bit difficult finding other stories, hasn't it?
CAROLE THERIAULT
I know, right?
GRAHAM CLULEY
As to what's going on, everyone's talking about WannaCry, one of that. One thing though, which I thought was interesting.

In fact, I was talking to the BBC about this particular issue and then WannaCry happened. So I think they never actually published their story about this.

It's about HP laptops and a bunch of Swiss security researchers discovered that the audio driver being shipped on a number of HP laptops didn't just drive your audio and do all sort of audio sort of things.

It also secretly logged every key press which you made.
CAROLE THERIAULT
Oh no.
GRAHAM CLULEY
I know, extraordinary.
CAROLE THERIAULT
And where did it send that stuff? Did it send it off somewhere or it just was keeping it locally?
GRAHAM CLULEY
Well, it just kept it locally.

So I mean, the first thing that HP did when this was found out was like, "We're not getting any of these key presses," which obviously could have included password details and credit card information.

All, you know, basically everything you type, right? All of your, all of the sexy messages which you may send in the office.
CAROLE THERIAULT
Oh yeah.
GRAHAM CLULEY
All the corporate.
CAROLE THERIAULT
I send so many of those. Gosh, I can't breathe for sexy messages.
GRAHAM CLULEY
But all of that is being captured locally. In a directory, well, it's in your public users directory, in a file called MicTray.log.

Now, the reason why these keystrokes were being kept was actually because the programmers who were writing the audio driver were using it as a debugging method.

They wanted to capture whether things like function keys were being pressed in order to mute the microphone or unmute it and all that kind of jazz.
CAROLE THERIAULT
Right, and they just forgot to turn it back off.
GRAHAM CLULEY
They forgot to take it out. And then it shipped that way, which in itself is pretty disastrous, right? I mean, you need to have better quality control than that.

You need to be confident that your software, you know, you want it tested.

You want it tested and you want to know it's the software which you expected to ship, which you're actually shipping.

So, you know, it's bad enough there are thousands of Trojan horses being released all the time that spy on people's keyboards without also having legitimate software silently collecting it.

And even if it was unlikely that remote hackers might be able to grab hold of this information, imagine being at home, maybe you've got a jealous partner or you have a business rival.

If they gained access to your laptop, they'd be able to find everything, wouldn't they? On that, in that file, everything which you'd been typing. Pretty bad stuff.
CAROLE THERIAULT
This is not the first time you've brought up this whole concept of jealous partners. Do you think that lots of people live in that kind of world?
GRAHAM CLULEY
Well, yeah.
CAROLE THERIAULT
Leading double lives?
GRAHAM CLULEY
Well, no, I don't think it's necessarily double lives, but there certainly are people who are in difficult relationships or they're in a relationship which they're breaking out of and someone might be snooping on them.

I've done some work before with the Digital Stalking Trust who are, you know, trying to share information and spread advice about how to avoid being spied on and stalked online.

So, you know, I think this is a real fear. Now, of course, this big stink got kicked up over this, right? Oh, how can they do this? And HP, you know, they did the right thing.

They issued an update.
CAROLE THERIAULT
And you think, "Oh, wonderful." And I'm sure they did that fairly quickly, and they issued it out. Perfect.
GRAHAM CLULEY
They did.
CAROLE THERIAULT
End of story?
GRAHAM CLULEY
Well done, Carole Theriault. End of story. End of story.
CAROLE THERIAULT
I'm just guessing the way you're cueing it up, it isn't.
GRAHAM CLULEY
Mais non. Malheureusement, Carole. It was not the end of the story. Because they didn't actually take the keylogging functionality out of the driver.

What they did was they changed the registry key, the setting, to turn it off. Which means, in theory, I mean, obviously that—
CAROLE THERIAULT
It could be turned on.
GRAHAM CLULEY
Exactly. Someone could turn it on. If someone wanted to spy on you, they would be able to do that.
CAROLE THERIAULT
So, well, they did a quick fix, and who knows, maybe they're planning to do a much bigger fix.

You know, they just wanted to get something out really quickly, and maybe this was the way to do it.
GRAHAM CLULEY
Oh, you're so nice, Carole. You're like Mother Teresa, aren't you?
CAROLE THERIAULT
I'm always nice. Thanks. Yeah. People have often commented that we look similar. So, anyway.
GRAHAM CLULEY
Yeah. So basically, sheesh. And I think we expect big software companies to do better than this, don't we?
PAUL BACCAS
Yeah.
CAROLE THERIAULT
What do you think, Paul?
PAUL BACCAS
I think this is bad. I think HP have done— you're right. They've done the right thing in issuing an update, but I expect them to completely update the software now.

You can kind of understand why somebody leaves debugging code in software, but there should be a QA and they shouldn't have done it.

I would expect now Trojans just to be turning that registry key back on and seeing what's in there.
CAROLE THERIAULT
Well, I bet, I guess HP actually are quite, they must be kind of secretly a little bit glad that it came out at the same time when there's this ginormous nightmare.

So it may have got buried in the press.
PAUL BACCAS
Yeah, well, I mean, it's a good— it would be a good time to have released bad news.
CAROLE THERIAULT
Yeah, I know it's an awful thing to say, isn't it? It's an awful thing to say, but I don't know.

You must be— it's nice that it's maybe not made it on all the top of the front pages.
GRAHAM CLULEY
Well, look, we have given it prominence here in the podcast. So if you have got an HP computer, make sure you update it.

Make sure that you're running the very latest version of the audio drivers so that they're not secretly logging any key presses. Maybe look for that file, MicTray.log.

So it's mic as in microphone.

Just to make sure that it's not there and indeed that you haven't been backing it up somewhere because there may be copies of it elsewhere because you do back up your computers, don't you, and your data.
CAROLE THERIAULT
If we haven't learned a valuable lesson this week, right?
GRAHAM CLULEY
Back, back up. Hey, back it up, back it up.
CAROLE THERIAULT
Yes, yes, I was just thinking we should put that in. And I'm backing up, backing up, backing up, backing up.
PAUL BACCAS
Because my daddy taught me good. I'm backing the hell out of there.
CAROLE THERIAULT
And I'm like, oh my God.
GRAHAM CLULEY
I think we can't hold on any longer.
CAROLE THERIAULT
Back it up.
GRAHAM CLULEY
I think we've got to unleash it, haven't we?
PAUL BACCAS
Shall we?
GRAHAM CLULEY
I think it's time for Paul to talk about the story of the week, if not the story of the month. Is it the story of the year?
PAUL BACCAS
It's probably gonna be the story of the year, Graham, just because it was so big.
GRAHAM CLULEY
It wasn't so big that I think you'll find that was another email-aware virus from about 2000. Sorry, I've been a bit nerdy there.
CAROLE THERIAULT
I know.
PAUL BACCAS
That's right, but this wasn't an email-aware virus. So this was a network worm. This is going back to the old days of computer security.
CAROLE THERIAULT
When was the last one? When was the last one of these?
PAUL BACCAS
I think it was probably Stuxnet was the big worm.
CAROLE THERIAULT
That's so long ago.
PAUL BACCAS
But before that, there was obviously Conficker and Slammer. Yeah. And I wasn't working at the time of the Morris worm.

And you were probably still in kindergarten, Carole, but I'm sure Graham remembers the Morris worm.
GRAHAM CLULEY
I wasn't working in the computer security industry at the time, but yeah, that was a pretty big deal, wasn't it?
PAUL BACCAS
Yeah. So let's talk about WannaCry. Okay, so what do we know about WannaCry? Well, it was ransomware, and ransomware is the topic du jour of the last 18 months, 2 years.

Everything is ransomware. Yeah, no longer are people writing worms and viruses for fun to impress their mates. They're doing it for financial gain.

And so the bad part about WannaCry is it was ransomware, and as people have said it will make you want to cry.

It was a network worm and it exploited a known vulnerability in SMB, Windows network sharing software.

And the particular vulnerability was publicized by the Shadow Brokers NSA hack, and it's been patched for about 10 weeks now. But there were actually two vulnerabilities used.

So there was a vulnerability called EternalBlue, and that allowed people to write a file to a remote SMB share.

And there was another vulnerability called DoublePulsar that allowed you to execute files from a remote SMB share.
GRAHAM CLULEY
Now, these crazy names, these are names which the NSA gave these exploits, don't they? Because they always have code names for the exploits which they use.

And they created basically these exploits, having found the vulnerabilities in Microsoft's code, in order to spy and snoop on people, didn't they?
PAUL BACCAS
Well, that is the NSA's job. And so—
GRAHAM CLULEY
Well, it's half of their job, isn't it? Half of their job is to collect intelligence and to spy and snoop.

But the other half of their job, and part which arguably they failed to do on this particular occasion, is also to protect and secure the United States and other organizations against these sort of threats.
PAUL BACCAS
Well, I suppose if you're being pedantic, they were to protect the US government's communications and non-US government organizations they don't have to protect.

But yes, and I think we'll talk about that more in a minute, Graham.

So this exploit, this worm used these two exploits and most people first heard about it when Telefónica alerted on this, telling its employees to shut down their computers amid a massive ransomware strike.
CAROLE THERIAULT
Yeah, just to try and stop the spread, right?
PAUL BACCAS
To try to stop the spread. And then the newswires went crazy about a cyber attack on the NHS.

So it seems that lots of NHS trusts— and for non-UK-based listeners, the NHS isn't one homogenous organization.

It's lots of federated hospitals that come under the umbrella of the NHS.
CAROLE THERIAULT
That's a good point to make, actually. It's a really good point to make.
PAUL BACCAS
And so each trust, each hospital trust, has a different IT system, though some of them are shared.

And the NHS got hit quite badly to the effect that A&E waiting times went up, hospitals stopped surgery. They stopped MRI scans because their computers didn't work.

Reports are that businesses and organizations in over 150 countries got hacked.
CAROLE THERIAULT
Yeah.
PAUL BACCAS
Including parts of the Russian Ministry of the Interior.

And this all came to an end early in the UK evening, about 6 or 7 o'clock, when somebody registered a domain that was in the code.
CAROLE THERIAULT
This was on Friday. This was on Friday.
PAUL BACCAS
This was on Friday. Yeah. And let's just quickly go down a little rabbit hole there.

So a young computer researcher was looking at the code and he saw a domain that was looked up by the virus or worm, and he registered that domain so he could track how many computers had been infected.
CAROLE THERIAULT
We're pinging it. Yeah.
PAUL BACCAS
And that had the effect of stopping the spread of this worm.
GRAHAM CLULEY
So that was very fortunate, wasn't it?

So the action which was taken by that guy, MalwareTechBlog he is on Twitter, if you want to give him a thumbs up and what he did, had this really positive effect because it prevented the malware from spreading any further.

It effectively was a kill switch on the malware.
PAUL BACCAS
Yeah, that's exactly what it was.
CAROLE THERIAULT
It was a kill switch for lots of them. It wasn't a kill switch if you were using a proxy.
GRAHAM CLULEY
Right, exactly. So yes, if you—
CAROLE THERIAULT
And lots of companies use proxies, right?
GRAHAM CLULEY
That's true. Yeah, we can't criticize MalwareTech for that though.
CAROLE THERIAULT
No, no, no, I'm not.

I wasn't for a minute suggesting, I'm just saying I had a problem with the word kill switch that the media used because I think it gave people a false sense of security.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
So good for home users who have auto update turned on. Sure, most home users don't use proxies, I get that, but lots of companies do.
GRAHAM CLULEY
So the upshot of all of this is the ransomware hit really hard and it hit organizations around the world, encrypted people's data, which obviously is pretty scary if you don't have a backup to recover from.

And clearly it hit the UK's National Health Service, but also hit very hard in Russia and elsewhere around the world.

Maybe what would be interesting for us to discuss is whose fault is this?

Because it seems there's a lot of blame and a lot of finger-pointing which is going on right now as to who should be taking some flak.
CAROLE THERIAULT
Why don't we go through in order? Let's— why don't we just— All right, okay, so who should we start with, Paul?
PAUL BACCAS
Well, who's to blame? Well, it was Microsoft's software.
CAROLE THERIAULT
Yeah, but Microsoft patched as soon as it was made aware of the exploits.

And I don't know if the NSA told them about it, but they certainly patched those in all the supported systems quite quickly and said it was a critical update.

And that was about two months before this actually exploded.
GRAHAM CLULEY
And I do think whenever Microsoft announces that they've got a critical problem in their software, everyone should listen up, prick up their ears and think, crikey, if they are going public saying we've got a serious, serious problem with our software, here is the patch, please, please apply it.
CAROLE THERIAULT
Yeah, when I got into the industry 15 years ago, I was saying this, right?
GRAHAM CLULEY
So it's not changed. It's a bit of a failure if people then don't do it.

And also let's not forget, okay, Microsoft did have a bug in their software, naughty, naughty, but what programmer can put his hand up and say he's never written a program with a bug in it?

Yes or she? So, I mean, Paul, you're a programmer. Have you ever written a buggy program?
PAUL BACCAS
I don't think I've written more than 10 lines of code without a bug in it, Graham.
GRAHAM CLULEY
Right, there you go. So there you go. And even the mighty Google— Google, who find vulnerabilities in everyone else's software all the time.

You know, there are bugs found in Android all the time, aren't there? Which is sometimes quite serious as well.
PAUL BACCAS
So bugs found— everybody has bugs. And so, right, can we blame Microsoft for having a bug?
CAROLE THERIAULT
No.
PAUL BACCAS
Can we say that they should have done maybe more looking for their own bugs? Maybe, yeah. Who else can we blame? Well, we can blame the NSA for creating it in the first place.

Yeah, as we kind of touched on earlier, this bug was made public by the Shadow Brokers who stole it from the NSA. Is it the NSA's fault for writing this bug?

Well, the NSA's job, and just like GCHQ's job, is signal intelligence, and it's to try to steal secrets from foreign governments and enemies of the state.

So the NSA were doing their job by creating this, and it looks like, given the timing of the Microsoft patch, the NSA did tip Microsoft off about it when they knew that the Shadow Brokers were going to release this exploit.
GRAHAM CLULEY
Because Shadow Brokers didn't initially release the exploits themselves, but they did release some information about what they had in their hands, which included the code names EternalBlue and DoublePulsar, which obviously was enough to scare the willies out of the NSA and thought, crikey, the game's up.

We better tell Microsoft. There's another reason why maybe we can apportion some blame to the NSA. If we go— I love this.

We're going through our little blame list here, which is the NSA got hacked and the NSA are meant to be all about security. And here they go again.

Having a very embarrassing data breach. And I seem to recall they had another quite a big data breach, didn't they, a few years ago involving that contractor, Eddie Snowden?
CAROLE THERIAULT
That's right. Did they issue any statement about this breach? I didn't see one.
GRAHAM CLULEY
I think it's not their habit to confirm these sort of things and exactly whether the information is real or not.
CAROLE THERIAULT
But you kind of think they owe the country a bit of a, "Sorry guys, mea culpa." So the—
GRAHAM CLULEY
So now that's Italian, I think, isn't it?
CAROLE THERIAULT
Yes, it's Italian, Graham. Yes.
PAUL BACCAS
Well, Latin.
CAROLE THERIAULT
No, no, no, no, don't tell him.
PAUL BACCAS
I knew that. So the NSA got hacked by what many would consider a state-level actor. And again, that's what state-level actors do. So who are Shadow Brokers?

Shadow Brokers claim to be an independent hacking team.
GRAHAM CLULEY
Well, I think we should take them at their word about that. I think they're probably entirely trustworthy.
PAUL BACCAS
Indeed, they're fine, upstanding people. But others would claim that they are part of the state apparatus in Russia. So we could say they're the FSB.

We would say, well, you get hacked by the KGB. Again, that's what the KGB is designed to do, to hack people like the NSA.
GRAHAM CLULEY
Okay, so the Shadow Brokers partly to blame, we're saying, because they stole the information and then they put it up for sale.
CAROLE THERIAULT
And they made it public. Yeah, they put, yeah.
GRAHAM CLULEY
And the rest of it. Lots of people complaining the NHS should have patched. I mean, that seems reasonable, doesn't it? They should have patched, shouldn't they?
CAROLE THERIAULT
Well, the NHS is an interesting one because we know it's a system. I mean, it's a big, big network. They don't have a lot of cash.

I am convinced loads of them are running legacy systems that are not running the latest and greatest. I wouldn't be surprised if there's even XP machines still running.

And, you know, how—
PAUL BACCAS
I think we could put our hands on our hearts and say there were XP machines running in the NHS. Oh yeah.

The issue with the NHS, like universities, is they don't often have one overarching IT system.

So the radiology department might have a slightly different system to the ICU or the ER or different parts.

And no disrespect to the IT guys in the NHS, they're not getting paid an awful lot of money, and they're getting run ragged keeping up to date with all the other things they have to do, allowing the doctors to use their iPads and whatever else they have on their plate.

So it's very difficult.
GRAHAM CLULEY
Furthermore, they will have medical hardware like MRI machines and X-ray scanners and things like that. Which are maybe 15, 20 years old.
PAUL BACCAS
Yeah.
GRAHAM CLULEY
And maybe were designed to be run by software which runs on XP and they've got the drivers for XP, but the person who wrote that software, that company no longer exists.

And so they don't have any more recent updates to the software and, you know, they can't get a Windows 10 machine to drive that piece of medical hardware.

And it would cost an absolute fortune, much more than replacing a computer to replicate this. And I think they're making that decision all the time.

It's like, well, we can spend this extraordinary amount of money and secure ourselves against some of these threats, or we can—
CAROLE THERIAULT
But we'd like a few more beds open, you know?
GRAHAM CLULEY
Yeah, well, as well, yes. That's going to be where the priority is for the cash.

So for those who don't live in Britain or aren't aware, you know, the UK's National Health Service is pitifully underfunded.
CAROLE THERIAULT
Okay, I've got the big question now. So who is most to blame out of these three? The NHS, NSA, or Microsoft?
PAUL BACCAS
Well, I think there are other people we could blame.
CAROLE THERIAULT
There are, but you know, those are the biggies, right? We know shadow brokers. We know, okay, we know, we know. They stole it, they made it available.

You know, no one's saying they're not very responsible here. But if we had to go to, you know—
GRAHAM CLULEY
Okay, Pob, we're gonna nail you down. We're gonna nail you down. Who's to blame?
PAUL BACCAS
Of these three?
GRAHAM CLULEY
Just answer the bloody question. Who's to blame?
PAUL BACCAS
They all have culpability, but do they have the ultimate culpability? No. I can't say I would blame any of them.
CAROLE THERIAULT
I can.
PAUL BACCAS
Well, then you can. But I mean—
CAROLE THERIAULT
The NSA. I blame the NSA for not for creating them, but for not keeping them secure. It seems to me if you create a bad poison of some sort, you keep it under lock and key.

And we're not just talking a flimsy lock and a flimsy key.
GRAHAM CLULEY
Yeah, good point.
CAROLE THERIAULT
So, you know, they are at the cutting edge of what's going on cybersecurity-wise, so they should know what the latest tricks are, and they should have proper defenses for it.
GRAHAM CLULEY
But ultimately, the person responsible for WannaCry is the guy who wrote it, right?
PAUL BACCAS
Ultimately, the person responsible for WannaCry is the author of this malware.
GRAHAM CLULEY
We might be upset with others, but that's the person who needs a big kick up the backside.
CAROLE THERIAULT
Yeah.
PAUL BACCAS
I don't believe the author of WannaCry knew what they were doing. I suspect that this spread faster than they could have believed.

I think triggering the ransomware immediately was probably silly of the author because the best pathogens want to keep their hosts alive.

In biological terms, it's no good killing patient zero, which this nearly did. There were several coding errors.

Reports are coming in now that the bitcoin code may not have worked properly.
CAROLE THERIAULT
Yeah, yeah, I saw that, yeah.
GRAHAM CLULEY
Which would be the ultimate irony, wouldn't it?
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
That they affected this many computers, and it appears the latest reports are that the actual payment mechanism built into WannaCry had a bug in it.

And so this may be why it appears that so few payments have actually been made.

I think the last time I looked it was something like about $70,000, which, yeah, sure, it's great for a week's work, isn't it?

But for the scale of this attack, you would've expected them to have made more than that.
CAROLE THERIAULT
Anyway, ultimately, we should tell people, lay off the NHS. They have a lot to deal with right now. And I'm sure they've learned their lesson and they're doing good every day.

So back off.
GRAHAM CLULEY
So our 3 pieces of advice to organizations out there.
CAROLE THERIAULT
Likely don't know though, but anyway, go ahead.
GRAHAM CLULEY
Our 4 pieces of advice for organizations out there are patch, patch, patch, and backup.
PAUL BACCAS
Yeah.
GRAHAM CLULEY
Yeah.
PAUL BACCAS
Well, yeah, I mean, backup, backup, patch, backup, patch, backup. I don't know.
GRAHAM CLULEY
Carole, get us out of this. What have you got for us? That's WannaCry, everybody. I hope you enjoyed it.
CAROLE THERIAULT
I'm going to take you guys to the movies. Well, figuratively speaking.

Actually, speaking of movies, did you hear, did you guys read about the Texan who is suing his date for texting during a 3D screening of The Guardians of the Galaxy Vol. 2?
GRAHAM CLULEY
Is it that bad a movie?
CAROLE THERIAULT
The 37-year-old, okay, his name's Brandon Vezmar, is asking for a whopping $17.31, which was the price of the ticket.
GRAHAM CLULEY
Hang on, you said he's suing his date?
CAROLE THERIAULT
He's suing his date. It was a first date and he's suing his date. Now, okay, I laughed too when I first read this, okay? And I wanted to read a bit more, and it turns out—
PAUL BACCAS
Surely taking your date to a movie on the first date's not very sociable.
GRAHAM CLULEY
Neither is suing them, Paul.
CAROLE THERIAULT
No!
PAUL BACCAS
Well, exactly.
CAROLE THERIAULT
So I laughed at the first as well, but then it turns out he's actually maybe a bit of a douche, okay?
GRAHAM CLULEY
Oh, really?
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
You surprise me.
CAROLE THERIAULT
He owns his own comms firm. He owns his own communication consulting firm. So that gives me a bit of a, oh God, he's looking for a position. You know, a bit of publicity.

Anyway, apparently texting is one of his biggest pet peeves.

So he's asked this girl who's basically texting— she says she's texting because her friend's having some crisis, so she's just telling, you know, giving a few replies.

And he says, can you stop texting? When she doesn't, he tells her to go outside. So she does and does what any girl would do and doesn't come back.
GRAHAM CLULEY
Is he texting her from the cinema?
CAROLE THERIAULT
I hope not. This is a few days later. She could countersue. She refuses, right? She's like, look, you asked me on a date, sorry if you didn't like it, but you know, there you go.

He then— he's reportedly contacted her little sister chasing up the payment, and then he goes and sues her. So as I said, douche, right? She should probably tattoo it on his forehead.

Anyway, that's just—
GRAHAM CLULEY
Could you just remind me of his name?
CAROLE THERIAULT
Yes, his name is Brandon Vezmar.
GRAHAM CLULEY
Okay, everybody, so there you are.
CAROLE THERIAULT
Austin, Texas.
GRAHAM CLULEY
Austin, Texas. Brandon Vezmar. How old is he? Do we know?
CAROLE THERIAULT
Uh, 37.
GRAHAM CLULEY
37-year-old. Okay, so look out for him, ladies and gentlemen. Brandon Vezmar. I suggest you don't go on a date with him. Right.
CAROLE THERIAULT
Anyway, that had nothing to do with security at all, but it was quite interesting. So movies.

You might have heard that the latest blockbuster— we don't know exactly which one, but people are thinking it's probably Pirates of the Caribbean— has been stolen from Disney.

Now, Disney chief Bob Iger says that the hackers have stolen it and they are demanding ransom for it. So this is not the first time we've seen this in Hollywood, is it?

Wasn't there— it was a few weeks ago, wasn't it? It was Orange Is the New Black. Yes, that was taken from Netflix.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
Yeah. And they were basically saying, if you don't pay up, we're gonna publish the episodes. And I think they did publish them. They did put them up on Pirate Bay.

So it's a similar situation here where they're saying if they don't pay up— and they haven't declared the sum that they're being asked, but they're asking for a large sum, a huge sum according to the Disney chief, in bitcoin— and otherwise they're threatening to release the first 5 minutes, and then they're going to release 20-minute chunks of the film until the financial demands are met.

Now, what's interesting—
PAUL BACCAS
Will they be in order?
CAROLE THERIAULT
Well, yeah, exactly. I wondered that too. I wondered that too. I looked, but I couldn't find out.
PAUL BACCAS
I couldn't find it because the plots of The Pirates of the Caribbean have been getting more incomprehensible as they've been going on, and maybe doing them out of order would actually be an editorial success.
GRAHAM CLULEY
I have to say, I would prefer it in a 20-minute chunk rather than 2 hours 20 or whatever it was.
CAROLE THERIAULT
Well, this is the fifth film. This is a billion-dollar business, this whole Johnny Depp as Captain Jack Sparrow.

Now the thing is, this movie is supposed to be released on the 26th of May, so that's— is that next week? That's next week. So they don't have very long to get their money in.

And the thing is, how is this happening repeatedly? So how is it that hackers are getting their hands on these final cuts?

I am sure these cuts are being watched with— by people's lives, how much money they cost. You know, there's a lot of— this is huge money.

So how do you think this may have got out?
GRAHAM CLULEY
Well, I imagine that if you create a TV series or if you create a new blockbuster, that you're probably working with lots of external agencies and marketing companies and the people who do the subtitles or the people who dub it into Taiwanese or whatever.

And, you know, you're putting your trust in their computer security as well.

So even if you, as the boss of Disney, are thinking, "Oh yeah, our computer security is really locked down and everything," those partners of yours may not be as careful.

There's both the danger, the sort of insider threat danger of someone leaking the movies, and maybe they're getting more on top of that these days because there's been so much piracy in the past.

But there's also the computer security, isn't there, of external hackers. And it does seem that some of the hacking gangs have been particularly interested in doing this recently.

I guess because—
CAROLE THERIAULT
Well, it gets a lot of press. It gets a lot of press.

Everyone wants to talk about the Hollywood celebs, and it gives them a chance actually probably to put an ad up for the movie so they can get, you know, the newscaster, they know that the articles can get, or rather the publications can get a bit more attention.
GRAHAM CLULEY
Oh, are you suggesting maybe this is a bit of a publicity stunt to promote the fifth incarnation of the Pirates of the Caribbean movie?
CAROLE THERIAULT
Look, we know that it's a very over-budget film. We also know that, well, I don't think very many people are actually going to go and download this and watch it via torrent.

Do you guys? I mean, what percentage of people that go to the theater might do that?
PAUL BACCAS
The only reason to watch it surely is Keira Knightley in a bodice. And you'd want to see that 6 foot high. But, speak for yourself. Where was I going?
CAROLE THERIAULT
Yeah, Graham wants to see Jack Sparrow.
GRAHAM CLULEY
I want to see Captain Keith Richards doing that shtick again.
PAUL BACCAS
So, yeah, I think you're right about not many people watching it, but I was thinking about this when you said you're going to talk about it earlier.

And maybe it's not just the people who are working on this, it's people who have to review it. It might have gone to the directors, or just to have final say.

And all I could think of was Mission: Impossible and this message must be destroyed after 5 seconds.

So they really need a way to play the movie and then wipe it completely, so you can't copy it in these kinds of scenarios.
GRAHAM CLULEY
Oh, that's interesting. There are solutions which do that, you know. I'm aware of some companies which offer services for sharing files with, and they give you the ability—
CAROLE THERIAULT
In a safe room.
GRAHAM CLULEY
Yeah, well, yeah, exactly.

And so they're sharing files inside a sort of encapsulated bubble or whatever, which gives them the ability to, you know, zap a file permanently, you know, and prevent people from copying it in unauthorized fashions.
CAROLE THERIAULT
So you do it for example, in big, you know, business deals. If you're doing a big company merge or something, you might do it in that instance.

But yeah, that's a really good suggestion, actually. The other thing is I don't think they're losing a lot of money.

And the other thing is they're getting a lot of publicity about the film, because I can't imagine that, you know, if I didn't know anything about the films, which actually I don't, right, I might go, oh, it's a popular film because someone's stolen it and is now holding it for ransom.

So I think there's some kind of weird sense that it actually makes the film more important and more people will actually go see it to see what the fuss is about.
GRAHAM CLULEY
I just can't imagine it's any good as a movie, can you?
CAROLE THERIAULT
No, I don't think I've seen— I actually don't think I've seen any of them.
GRAHAM CLULEY
Have you not?
CAROLE THERIAULT
No, I listen to podcasts. That's what I do for fun.
GRAHAM CLULEY
Good idea. Yeah, there are some good podcasts out there, you know, isn't there?
CAROLE THERIAULT
There's some great ones.
GRAHAM CLULEY
Oh, there's some really good ones. Oh yes, you know, and in fact, if you wanted to subscribe to a good one, Carole, there's one I'd recommend on computer security.

It's called Smashing Security, and you can find it on iTunes. You can leave a review if you like as well.
CAROLE THERIAULT
You involved me in that cheesy, cheesy segue.
GRAHAM CLULEY
Yeah, Carole, we're getting desperate for the reviews now, right?
CAROLE THERIAULT
We're not desperate. I've never been desperate in my life.
GRAHAM CLULEY
Have you not?
CAROLE THERIAULT
Never. Hmm.
GRAHAM CLULEY
It's also on Google Play Music, Stitcher, I didn't say anything, Overcast.

But if you like the podcast, please subscribe, and that means you will automatically get it every time we release a new episode, which is normally every Thursday.
CAROLE THERIAULT
And a big shout out to Recorded Future, our sponsors this week. You can sign up to their Cyber Daily newsletter and get their latest insights at recordedfuture.com/intel.
GRAHAM CLULEY
So that just about wraps it up. Thank you for tuning into the podcast. Pob, thank you very much for joining us today.
PAUL BACCAS
Tinkety tonk, old fruit.
GRAHAM CLULEY
Tinkety tonk, old fruit. If you want to know more or listen to past episodes, go to www.smashingsecurity.com.

You'll find our email contact form and you can find a link to our Twitter as well.
CAROLE THERIAULT
Yes, and tell us if you like the show.
GRAHAM CLULEY
Until next time, bye-bye.
CAROLE THERIAULT
Bye.
GRAHAM CLULEY
Bye.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.

17 comments on “WannaCry ransomware hits systems worldwide”

  1. Leon

    Most infected computers are in Russia and it's a sign that WannaCry is a planned cyber-attack
    against Russian organizations and institutions, including Ministry of Internal Affairs
    of Russia and Investigative Committee of Russia as it's said there
    https://malwareless.com/wannacry-ransomware-massively-attacks-computer-systems-world/.
    Russian hackers never attacked computers inside their country with ransomware in order
    to avoid further problems with police and FSB

  2. Frank Burns

    Don't tell Trump…not that he'd understand any of what you have said here. Too many big words…sad! What worries me is if these guys attacked the National Grid? Can u imagine the chaos?

    1. Etaoin Shrdlu · in reply to Frank Burns

      I don't think you understood what Graham has said, particularly the paragraph that begins "But it would be wrong to think that the NHS was targeted." This was a worm, not a targeted hack.

  3. Brian Mills

    This looks like a lucky strike on a very vulnerable internal system rather than a specific targeting of the NHS. I wonder if there are multiple encryptors due to the worm capability. Typically there is one PC infected and it does the encryption, but in this case there are reports of the ransom message appearing on many systems – imagine the mess if the documents had been encrypted multiple times by multiple instances; the only way to return the files would be to decrypt in the reverse order the files were encrypted. Maybe this would mean that decryption was nearly impossible even when paying the ransom.

    Fingers crossed for robust backups!

  4. Etaoin Shrdlu

    Morrison's self-service tills run XP. I saw one booting up the other day.

    1. Zaphod el Jefe · in reply to Etaoin Shrdlu

      That would be a version of embedded XP which still gets supported by Microsoft. Runs on an awful lot of Point-of-Sale systems and is supported until 2019

  5. RT None-Moderator

    The WannaCry looks like the ".Locky" virus to me, but they say that this virus needed users to download or open a file. But this is not true, because I picked ".Locky" up on a dedicated machine that was talking to the Tor Vidalia software so that I could screen scrape sites without being tracked. Browsers were not used on the machine.

    No wonder Bitcoins have been going up for the past few weeks because you have to use these coins to pay for decryption key to get your files back.

    Microsoft says we need updates – the last thing that I will be doing, since they say this virus got deployed by their NSA backdoor going wrong.

    I liked Tor and would not say this were it not true, but see over the coming weeks if I am right or not.

  6. Techno

    Interesting to note that I tried to withdraw cash from HSBC on Thursday (the day before this) and every cash machine I tried said "Out of Service" on it. I thought at the time that something big must be going down for them to take every cash machine offline.

  7. drsolly

    "These hackers "have caused enormous amounts of disruption— probably the biggest ransomware cyberattack in history," said Graham Cluley, a veteran of the anti-virus industry in Oxford, England."

    You're a veteran!

    1. Etaoin Shrdlu · in reply to drsolly

      Yeah, the media don't phone me up anymore either.

  8. Faz Md

    Amazing how some news agencies say that this is the best time to upgrade to Windows 10. There you go Microsoft, free advert and a huge jump in Windows 10 sales. Imagine if this happened when Windows 10 was still free!

  9. Bob King

    Stop using Windows especially for critical systems. The only time it worked out positively is when the Iranians were stupid enough to use it at their nuclear facilities.

    1. Etaoin Shrdlu · in reply to Bob King

      The problem for institutions is that they have a big investment in software (often bespoke) that runs under Windows. Changing operating system, even in some cases updating to the latest Windows, will cost them much more than just changing the operating system. Maybe this event will provide sufficient motivation.

      1. Bob King · in reply to Etaoin Shrdlu

        Well, you can pay for it now or really pay for it later.

  10. Barry Wiggett

    How ironic when the heads of the US intelligence and security agencies are stating they would not use Kaspersky, that the NSA is somewhat culpable in causing this massive security breach? Maybe if they had said Kaspersky was OK to use, it would not have happened?! (Massive tongue in cheek there!) Or do the NSA chiefs have lots of shares in Microsoft, hoping lots of Windows 10 sales come out of this?!

    I am not an expert in these matters, but get the daily email from Graham to keep up to date with cyber security and protect myself. Thanks to you I now use a password manager after too many years of not bothering!

    1. Malcolm Chisholm · in reply to Barry Wiggett

      Which password manager do you use Barry?

      1. Etaoin Shrdlu · in reply to Malcolm Chisholm

        Don't tell him, Pike!
