NHS! Attacked


Inertia

I feel like I could... TAKE ON THE WORLD!!
If the media reports are true - and I think they’re only partial truth - then it certainly wasn’t clever thinking. (*)

He saw that the malware was trying to contact a specific domain. He thought “I wonder what that domain does”, and registered it. He got lucky - it acted as a “kill switch” and inhibited the growth of the malware. That was luck.

But he didn’t know in advance that that would happen. It was just good luck, and he’s now a hero. But what if the existence of that domain had been designed to have precisely the opposite effect - a switch to increase the targeting and aggressiveness of this code?

He was examining a bomb. He found a secret button. He pressed it, without knowing whether that button was “disarm” or “detonate”.

(*) I am guessing - and hoping - that the media reports on this are just as inaccurate as they have been on the rest of the incident, and that the behaviour had been analysed in a sandbox before they created this new domain.
I've never heard of a virus working that way, they are as aggressive as possible by default, there would be no reason to design in that way. Except in a movie to freak the hero out.

He isn't inexperienced at this though so he seems pretty clever to me, no one else figured it.

The process was not entirely accidental: he registered several thousand domains in the last year in his work combating computer viruses.
But no one anticipated that simply registering the domain would halt the spread of this attack.
 

bruce1530

Guru
Location
Ayrshire
I've never heard of a virus working that way, they are as aggressive as possible by default, there would be no reason to design in that way.

This one looks like it might be scope limited. NHS has apparently been devastated, but other areas have been largely unimpacted. We’ve had no reports of the same devastation in .co.uk, or .gov.uk, or schools, or.... The creation of the domain could easily have removed or changed the scope limitation or targeting.

But as I said earlier, I suspect it had been tested in a sandbox before the domain had been created....
 

Inertia

I feel like I could... TAKE ON THE WORLD!!
This one looks like it might be scope limited. NHS has apparently been devastated, but other areas have been largely unimpacted. We’ve had no reports of the same devastation in .co.uk, or .gov.uk, or schools, or.... The creation of the domain could easily have removed or changed the scope limitation or targeting.

But as I said earlier, I suspect it had been tested in a sandbox before the domain had been created....
I'm not sure what you mean by scope, AFAIK the attack was by email attachment and then spread. How would the domain affect it?

I believe NHS was vulnerable because of poor security but I guess it will come out.
 
I've never heard of a virus working that way, they are as aggressive as possible by default, there would be no reason to design in that way. Except in a movie to freak the hero out.

He isn't inexperienced at this though so he seems pretty clever to me, no one else figured it.


Not all of these viruses are intended to be self propagating in this way. The intended impact is limited and for that reason a "kill switch" is apparently not unknown

Edited...

This article suggests why there may have been a kill switch
 
[QUOTE]Are you feeling quite alright, Cuno?[/QUOTE]

No ......on the mobile and they have updated the auto-correction

Now edited
 

Inertia

I feel like I could... TAKE ON THE WORLD!!
Not all of these viruses are intended to be self propagating in this way. The intended impact is limited and for that reason a "kill switch" is apparently not unknown

Edited...

This article suggests why there may have been a kill switch
Thanks for the article, I do understand that side of it though.
 

bruce1530

Guru
Location
Ayrshire
NHS security may not be brilliant, but there are other sectors that are of similar standard. And they have not been impacted. Which makes me suspect that there is something within this malware that is specifically targeting certain areas.
 

classic33

Leg End Member
How come so many are accusing the victim rather than the criminal?
Who's the criminal?
 
According to The Register, who are well informed on such matters, the ransomware payload was bolted onto an exploit developed by the US NSA which was stolen and released by WikiLeaks.
This is exactly the scenario suggested by opponents of government plans to incorporate backdoors into end-to-end cryptography. Sooner or later the bad guys find out about the gaping hole, and walk in to fiddle with your data. The choice is clear, terrorists chatting in encrypted forms OR NHS shutdowns, maybe banking or transport shutdowns. This NHS palaver is a terrorist dream scenario.
 

bruce1530

Guru
Location
Ayrshire
Nobody is accusing the victim rather than the criminal. We’re saying that the victim could perhaps have acted better to minimise the risk.

A friend of mine drives a Vauxhall. It has a known fault in its heater switch, which may cause a fire. Vauxhall have issued a recall. Vauxhall have written to her 4 times, saying to come into the garage to get it fixed. But she hasn’t done anything about it. If her car goes on fire, who’s at fault?

This particular vulnerability had been known about for several months. A patch was issued 2 months ago. It apparently had not been deployed.

The vast majority of the breaches that we see are exploiting “old bugs”. Teenage script kiddies that are exploiting vulnerabilities that are older than themselves! There are large parts of the industry that historically have been far too complacent about patching.
 