WannaCry… Who Should Get The Blame?

I’ve heard Friday’s cyber attack called both “WannaCry” and “WannaCrypt” (the latter is Microsoft’s name for it). I’ll stick with WannaCry for now.

As we know, on Friday a cyber attack hit computers in about 150 countries (over 200,000 of them by the weekend), encrypting the files on each machine and locking users out unless they pay $300 worth of Bitcoin. After three days the demand doubles to $600. (The ransom note is generated per infected machine, so for larger organizations that’s $300 PER COMPUTER.)

Obviously, governments and cybersecurity “experts” are telling those affected not to pay, and to trust those governments and experts.

My professional opinion? Pay the ransom, learn your lesson, and NEVER let it happen again. I guarantee you, $300 worth of BitCoin will be a LOT cheaper (assuming you take corrective measures) than bringing in experts to recover your systems, and of course the lost business and efficiency.

Biggest Factor

Pardon my French, but this attack was apparently VERY FUCKING EASY to prevent. The #1 factor involved was unpatched and out-of-support versions of Microsoft Windows. The worm spread through a flaw in SMBv1 that Microsoft fixed in March 2017 (bulletin MS17-010) for every version it still supported; Windows XP and Server 2003 got no fix at all until Microsoft pushed an emergency out-of-band patch on the day of the outbreak. Most of the victims were actually Windows 7 machines that simply hadn’t applied a two-month-old update, but the unsupported XP boxes are the ones that never had a chance.

Background

Let’s review: Windows XP was released in 2001. I remember being very excited to get it. About that time, cybersecurity started becoming a big issue, and Microsoft had to devote a TON of resources into beefing up XP’s security rather than develop a new version of Windows. Windows XP Service Pack 2 was released in 2004. This incorporated a firewall and some new security features. Now, Microsoft was able to work on a new version of Windows, and shit out Windows Vista in 2006.

By most accounts, Vista was a flaming piece of crap. I liked it over XP, as it had some neat new productivity features, but it was a gigantic resource hog. It apparently needed 4 GB of RAM to run decently, at a time when most consumer computers came with 256-512MB. Also, Vista had some substantial changes to the system and security architecture that are still causing problems for those too stupid and cheap to upgrade from Windows XP.

The head dude in charge of Vista was fired or put aside, and Microsoft came out with Windows 7 in 2009. Windows 7 is what Vista SHOULD have been in the first place. It actually ran very well without needing a top end computer. Windows 8 followed around 2012, then Windows 10 in 2015.

I liked Windows 8, but I think I was the only person on Planet Earth who did. Most people couldn’t stand it. I’m smart enough to spend the 5 seconds I needed to on Google to figure out how to operate it, and I never had a problem. But Microsoft had to build back in the legacy features from Windows 7 because everybody else but me can’t handle change or 5 seconds on a search engine. (This includes Bill Gates, who allegedly came back to Microsoft part-time, was given a Windows 8 computer, and demanded to go back to Windows 7 because this software genius can’t handle a search engine either).

While all of these versions of Windows were going on, people got so dependent on XP that Microsoft was forced to keep supporting it. Mainstream support ended in 2009, and extended support was stretched out until April 2014, years later than originally planned. Many companies had custom applications that were practically hard-coded to only work on XP. I knew a dentist who, in 2010, went to buy some new Windows 7 laptops. He tried to run his dental application, and it wouldn’t work. He called support, and sure enough, they didn’t support Windows 7.

I see a doctor who uses Windows Server 2003 for his application. Every freaking time I go in there, I bring this up. Server 2003, like XP, is long since out of support (it ended in July 2015). I ask the doctor “Are you trying to get hacked? Are you trying to get my patient data, and that of all the rest of your patients, stolen?” He keeps telling me he’ll bring it up to the people who provide their IT services, but so far, nothing has happened.

I go to another doctor who does everything by paper. As much as the IT Professional in me cringes at the stacks and stacks of paper and records in his office, I realize there’s no F’ing way he’ll get hacked. Of course, an office fire, a break in, or a misplaced record will have the same effect, so you’re screwed either way. You might as well embrace IT and TAKE REASONABLE MEASURES, and yes expenses, to protect it.

Second Biggest Factor

When it comes to any type of security, your biggest threat comes from inside. It’s your users, your employees, even your family. And it’s not even because they want to be. They’re just people (or sheople) stumbling through life without paying much attention.

For a class I took last year, I had to take a cybersecurity simulation. The set up is, you’re running an IT organization for 4 quarters, and you have a budget. You can only spend so much each quarter to protect your network. You can spend it on appliances (firewall, IDS, IPS, etc.), user training, antivirus for computers, and so on. But it’s a limited budget. And I had to get at least a 95% before I could submit my certificate. I was at it for hours.

I remember one time in particular, several rounds in. I’d somewhat gotten a feel for what areas I had to cover with the limited budget. Like, you can’t just give 5 rounds of user training and forget to install a firewall. So I had two good quarters, and defeated all the cyber attacks. Then, at the end of the 3rd quarter, the simulation hit me with 3 social engineering attacks in a row. All were successful, and I had to play again. I finally got a 96% on one round, saved the certificate to pdf, and emailed it to my instructor. I was not going to try to top the score at that point.

A user can be totally subversive, or a double agent, spy, or whatever form of actively working against you. But you probably have far more to fear from casual carelessness or just not understanding security.

We’ve all had a casual friend with an email account that started throwing off spam. Suddenly you get poorly worded English from them telling you to click a link. I always catch them; most people don’t. I tell the person to change their password. They probably change it from password to password1, and keep sending off spam as soon as the spammer cracks the new password. I just mark them as spam, since I don’t normally correspond with those people by email. But most people get an email with something like “You have GOT to see this!” and they click the link, which brings malware onto your network. And if you’re still stupid enough to be running Windows XP, now you’re infected.

Or, consider this scenario, which I used to explain social engineering to my wife:

<phone rings> “Random hospital, Karen speaking.”

Social Engineer: “Hi, Karen, I’m looking for John Smith.”

Karen: “There’s nobody here by that name.”

Social Engineer: “I’m sorry about that. Must be a wrong number, but I talked to John Smith from Random Hospital. Maybe you can help me, Karen.”

Karen: “Sure, what can I do for you?”

(Most people want to be helpful.)

Social Engineer: “I’m working on a proposal to upgrade Random Hospital’s computers. I’m wondering if you can tell me what operating system you’re running. I want to give you better equipment if I can.”

Karen: “I don’t know much about computers.”

Social Engineer: “That’s OK, it’ll just take a second. I can walk you through it. I really appreciate your help, Karen. Click on Start…”

<walk through of finding OS version, maybe browser version and what antivirus>

Social Engineer: “OK, so Random Hospital runs Windows XP, Internet Explorer 7, and McAfee. Thank you, Karen, I appreciate your help”.

Now, Social Engineer knows Random Hospital is stupid enough to be running an out of date, unsupported operating system with well-documented vulnerabilities. Dis gon be gud!

That’s all it takes. Or digging through a dumpster. Social engineers can get a TON of good information from all the crap users throw away.

And that’s just from an employee who was trying to be helpful, not subversive.

For the record, I don’t tell people shit over the phone. I don’t look up numbers or give names to them unless I know who they are. And it’s not that I don’t want to be helpful or friendly, but because I know how social engineering works. And I’m not going to be the idiot who compromises my organization.

I can do this all night, but I think you get my point. WannaCry could have all been prevented IF the affected organizations were running currently supported operating systems with recent patches applied; the MS17-010 fix had been out for two months. Patching also covers for user carelessness here: once the worm was inside a network it spread machine to machine over SMB (TCP port 445) with no clicking required, so the controls that mattered were the patch, turning SMBv1 off, and keeping port 445 blocked at the perimeter.
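Here is a quick audit for the two conditions above, an out-of-support Windows version and an SMBv1 server running without the MS17-010 update. This is an added example, not code from the original post. The host names are placeholders, it assumes PowerShell remoting (WinRM) is enabled on the targets and that you have admin rights, and the KB list only covers Windows 7 SP1 / Server 2008 R2; extend it from the MS17-010 bulletin for the other versions in your fleet.

```powershell
# Added example (not from the original post): fleet check for unsupported Windows
# versions and SMBv1 exposure. Host names below are placeholders.
# Assumes WinRM remoting is enabled on the targets and you are a local admin.

$Hosts = @('ws-reception-01', 'ws-billing-02', 'srv-app-01')   # placeholders

# Version prefixes (Win32_OperatingSystem.Version) of releases that were already
# out of support when WannaCry hit in May 2017.
$Unsupported = @{
    '5.1' = 'Windows XP (support ended April 2014)'
    '5.2' = 'Windows Server 2003 / XP x64 (support ended July 2015 / April 2014)'
}

# MS17-010 updates for Windows 7 SP1 / Server 2008 R2: the security-only update and
# the March 2017 monthly rollup. Add the KBs for your other versions from the
# bulletin. Later cumulative rollups supersede these, so a miss means "look
# closer", not "definitely unpatched".
$Ms17010Kbs = @('KB4012212', 'KB4012215')

$Results = Invoke-Command -ComputerName $Hosts -ErrorAction SilentlyContinue `
    -ArgumentList (,$Ms17010Kbs) -ScriptBlock {
    param([string[]]$Kbs)

    $os     = Get-CimInstance -ClassName Win32_OperatingSystem
    $prefix = ($os.Version -split '\.')[0..1] -join '.'

    # SMBv1 server switch: HKLM\...\LanmanServer\Parameters\SMB1 (DWORD).
    # A missing value means the default, which is enabled on Windows 7 / 2008 R2.
    $reg  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                             -Name SMB1 -ErrorAction SilentlyContinue
    $smb1 = if ($null -eq $reg) { $true } else { [bool]$reg.SMB1 }

    # Which of the MS17-010 KBs (if any) show up in the installed-update list.
    $installed = Get-HotFix | Where-Object { $Kbs -contains $_.HotFixID } |
                 Select-Object -ExpandProperty HotFixID

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Caption       = $os.Caption
        Version       = $os.Version
        VersionPrefix = $prefix
        Smb1Enabled   = $smb1
        Ms17010Kbs    = ($installed -join ',')
    }
}

# One line per host: unsupported release and/or SMBv1 on with no MS17-010 KB seen.
foreach ($r in $Results) {
    $flags = @()
    if ($Unsupported.ContainsKey($r.VersionPrefix)) {
        $flags += "UNSUPPORTED: $($Unsupported[$r.VersionPrefix])"
    }
    if ($r.Smb1Enabled -and -not $r.Ms17010Kbs) {
        $flags += 'SMBv1 enabled, no MS17-010 KB seen'
    }
    if ($flags.Count -eq 0) { $flags += 'ok' }
    '{0,-18} {1,-40} {2}' -f $r.Computer, $r.Caption, ($flags -join '; ')
}

# Hosts that never answered deserve a manual look: XP and Server 2003 do not run
# the remoting stack this relies on, so silence is often the finding.
$answered = $Results | ForEach-Object { $_.PSComputerName }
$missing  = $Hosts | Where-Object { $answered -notcontains $_ }
if ($missing) { "No response (check by hand): $($missing -join ', ')" }
```

The registry value is the authoritative SMBv1 switch on Windows 7 and Server 2008 R2, which is where most of the WannaCry victims were; on Windows 8.1 and later you can also check `Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol`. Silent hosts are not “clean”, they are usually the oldest machines on the network.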

There’s one final factor we need to look at:

The Deep State, Unaccountable Spying Agencies

Here in America, we have the National Spying Agency and Cocaine Importing Agency. The exploit behind all of this, known as EternalBlue, was built by the NSA and published in April 2017 by a group calling itself the Shadow Brokers, who had gotten hold of a cache of the agency’s tools. That is a separate leak from the Vault 7 material WikiLeaks put out in March 2017, which exposed the CIA’s malware and hacking tools. Two agencies, two leaks, in the space of a few weeks.

Heads should roll for this. Both agencies most likely need to be gutted, involving people being fired and/or prosecuted. Proper lines of control need to be drawn and enforced.

Conclusion

I saw some claim today that this is all Microsoft’s fault. They should have left Windows XP in support forever.

Right. Should your car manufacturer be forced to support whatever car you drive indefinitely? Sooner or later, things break down and you need to buy a new one. Even if we all agreed to just freeze technology where it’s at forever, to never again develop newer hardware or software, maintenance still needs to be done. As people develop new exploits, those have to be patched. Sooner or later, the best way to defend against those vulnerabilities is going to be radical changes to the architecture of the operating system and software that runs on it. So no, this is a bad idea. Plus, how are the tech companies supposed to make money if they can’t convince you that you HAVE to buy a new phone every year?

I got into IT because I’m excited by new technology, new features, and new capabilities. I’ve spent most of my career frustrated by the baby boomers and people afraid of change forcing us to keep doing things the old way. I’m convinced that email is pretty much obsolete, but the biggest tool I still use at work is Microsoft Outlook. And I finally got Office 2013 on my work computer. I’ve been running Office 2016 at home since last year.

(I wish I could get into independent consulting, but I don’t appear to be entrepreneurial).

A lot of people in IT need to get out of it. Go find something else to do, and stop holding the rest of us back. Or actually, start learning about it so you can do it effectively. Read some books or magazines, or watch some YouTube videos that don’t cost you anything. Learn and grow.

IT is the ultimate cargo cult. Everybody thinks it should be easy and fun. How often do you hear somebody who can barely charge their phone say “I’d like to get into IT!” My wife was saying that when I met her. I was able to make her head spin enough with my own knowledge of IT to convince her it’s not a good idea. No, of course, I’m willing to help her, but once she realized what was involved in learning it, and how getting in with no experience is a pay cut and a shitty help desk job, she changed her mind.

I guarantee a lot of IT departments need to start firing people over this WannaCry episode. If you run a business and don’t know much about IT, make sure you bring in someone who does. If you contract with a 3rd party to provide your IT support, make sure they have a plan for obsolescence. What are they going to do when Microsoft releases a new version of Windows and discontinues support for the current one? If their answer is “Oh, it’ll be fine…”, DO NOT HIRE THEM!
