
Ransomware & HSE


Comments

  • Posts: 0 [Deleted User]


    People are forgetting that anyone working for the hse/receiving salary/ pensions won't receive them this week if payroll/salary system is not working.

    Link?


  • Registered Users Posts: 4,489 ✭✭✭FishOnABike


    I had thought that the question was so preposterous that no one would take it seriously

    https://en.m.wikipedia.org/wiki/Poe's_law


  • Posts: 11,614 ✭✭✭✭ [Deleted User]


    kingtiger wrote: »
    so they may have used rclone to grab some directories from the file servers and send it back to a cloud drive, pretty much like a copy paste

    If the HSE password protected their sensitive files there is not much they can do

    this is not the work of some criminal masterminds

    This is not a post by an infosec expert.


  • Moderators, Category Moderators, Arts Moderators, Sports Moderators Posts: 49,672 CMod ✭✭✭✭magicbastarder


    not suggesting that this is the same as what happened the HSE, but it's a good read on how some of these attacks can be carried out.
    note that the belief is that the systems had been compromised at least a year before the actual active attacks started.

    https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers


  • Registered Users Posts: 12,292 ✭✭✭✭Flinty997


    When have unions ever blocked improved IT security?

    Unions can block anything. For example adoption of a new system. Generally a new system has better security than an old one. Working with unions and public sector projects is very different to working in the private sector. You have to tip toe around IR issues.

    None of that is relevant here though. Large organisations often have lots of legacy systems. Even then this hack might have nothing to do with that. As new systems have often been hacked.


  • Moderators, Category Moderators, Arts Moderators, Sports Moderators Posts: 49,672 CMod ✭✭✭✭magicbastarder


    Flinty997 wrote: »
    Unions can block anything. For example adoption of a new system. Generally a new system has better security than an old one.
    we have to deal with the german works councils where i work.
    a lot of security agents now can be problematic in what info they gather, because the data they gather is not held in an on-site db, it's uploaded to the cloud and a lot of the time you don't even know what that data is 100% of the time. and they can gather a *lot* of info, down to which files the user is opening. which obviously can put unions on edge.


  • Registered Users Posts: 19,802 ✭✭✭✭suicide_circus


    These fools need a good drone strike.

    The blackmailers not the HSE.


  • Registered Users Posts: 12,292 ✭✭✭✭Flinty997


    kowloonkev wrote: »
    What concerns me is that we are supposed to trust cyber security experts, possibly from other countries who would be well capable of both the attack and getting paid for the defence of it. Maybe I'm being paranoid.

    For the cyber security experts among us here, as someone with limited knowledge, is there any way that the government could prevent access to people from outside the state from entering the HSE portals, or block emails from foreign IP addresses (I know probably not possible with VPNs)? But there really is no need for anyone outside the country to be able to use or come into contact with HSE systems or most public services for that matter.

    I am almost certainly talking utter drivel so excuse me.

    They generally have taken over control of a number of computers inside the host country and go through them. Geofencing is easily bypassed, but it does filter out a lot of low tech stuff, that otherwise would be a nuisance.

    There are things like International Traffic in Arms Regulations (ITAR) in the US which prevent certain industries from hiring non nationals. But since a lot of espionage and hacking comes from a country's own citizens you could argue it is really only useful in protectionism of employment.

    https://en.m.wikipedia.org/wiki/International_Traffic_in_Arms_Regulations#:~:text=International%20Traffic%20in%20Arms%20Regulations%20(ITAR)%20is%20a%20United%20States,further%20U.S.%20foreign%20policy%20objectives.


  • Registered Users Posts: 12,292 ✭✭✭✭Flinty997


    we have to deal with the german works councils where i work.
    a lot of security agents now can be problematic in what info they gather, because the data they gather is not held in an on-site db, it's uploaded to the cloud and a lot of the time you don't even know what that data is 100% of the time. and they can gather a *lot* of info, down to which files the user is opening. which obviously can put unions on edge.

    You can obviously dictate contractually where they are allowed to hold data where that is a concern. You would then need to audit it.

    But as you say it can be something simple as metrics on activity which unions can see as productivity monitoring by stealth.

    Again it's kinda irrelevant for this incident. Only that implementing software in large public organisations isn't as simple as you might think.


  • Moderators, Category Moderators, Arts Moderators, Sports Moderators Posts: 49,672 CMod ✭✭✭✭magicbastarder


    Flinty997 wrote: »
    You can obviously dictate contractually where they are allowed to hold data where that is a concern. You would then need to audit it.
    yes, some vendors have been moving storage to the EU because of customer requirements, which previously had been held in the states.

    but some vendors won't give you 100% of the info on what they gather, which is fair enough because they don't want people knowing how the product works if they can help it, because that might aid development of workarounds.


  • Posts: 0 [Deleted User]


    When have unions ever blocked improved IT security?

    I know of one hospital in this country that has a state of the art access control system (I maintain it) where the security guards refuse to use it. If you ring them to open a door the other side of the hospital they will walk to it and use their card instead of just a click at the monitoring station. Their argument is that they're not trained to use it (they were) and are not getting any extra money for using it!


  • Closed Accounts Posts: 29 Junglejoe


    How do you know you've got rid of them and they're not hiding somewhere in the HSE network after you clean it up ?

    Like if you decide not to pay and the hackers just do it all over again ?


  • Posts: 0 [Deleted User]


    Junglejoe wrote: »
    How do you know you've got rid of them and they're not hiding somewhere in the HSE network after you clean it up ?

    Like if you decide not to pay and the hackers just do it all over again ?

    Imagine the exploit will be patched so reusing that specific one should fail.


  • Closed Accounts Posts: 29 Junglejoe


    Imagine the exploit will be patched so reusing that specific one should fail.

    Would that be part of the hackers strategy though

    A plan B if you try to cleanup without paying ?


  • Registered Users Posts: 12,292 ✭✭✭✭Flinty997


    yes, some vendors have been moving storage to the EU because of customer requirements, which previously had been held in the states.

    but some vendors won't give you 100% of the info on what they gather, which is fair enough because they don't want people knowing how the product works if they can help it, because that might aid development of workarounds.

    Where I've worked, they wouldn't get the contract and we couldn't use their services. It's usually part of the tender.


  • Registered Users Posts: 29,126 ✭✭✭✭AndrewJRenko


    Flinty997 wrote: »

    But as you say it can be something simple as metrics on activity which unions can see as productivity monitoring by stealth.
    Flinty997 wrote: »
    Unions can block anything. For example adoption of a new system. Generally a new system has better security than an old one. Working with unions and public sector projects is very different to working in the private sector. You have to tip toe around IR issues.
    I was looking for examples, rather than theory.
    we have to deal with the german works councils where i work.
    a lot of security agents now can be problematic in what info they gather, because the data they gather is not held in an on-site db, it's uploaded to the cloud and a lot of the time you don't even know what that data is 100% of the time. and they can gather a *lot* of info, down to which files the user is opening. which obviously can put unions on edge.

    The unions are doing you a favour. How can you ensure compliance with GDPR if you don't know where your data is held?

    Badly fukt wrote: »
    I know of one hospital in this country that has a state of the art access control system (I maintain it) where the security guards refuse to use it. If you ring them to open a door the other side of the hospital they will walk to it and use their card instead of just a click at the monitoring station. Their argument is that they're not trained to use it (they were) and are not getting any extra money for using it!
    This smells off. Any hospital security guard I've seen in decades are outsourced contractors, not hospital employees. Outsource security companies aren't renowned for listening to unions. Why don't you name the hospital?


  • Registered Users Posts: 12,468 ✭✭✭✭Calahonda52


    using what method?

    Billings perhaps, or maybe reverse-billings
    or toe gunter that great Wham song
    Pull me out before you go go
    https://www.youtube.com/watch?v=pIgZ7gMze7A

    “I can’t pay my staff or mortgage with instagram likes”.



  • Posts: 0 [Deleted User]


    This smells off. Any hospital security guard I've seen in decades are outsourced contractors, not hospital employees. Outsource security companies aren't renowned for listening to unions. Why don't you name the hospital?

    Not outsourced in the 3 hospitals in the West I deal with for work, security are direct employees. Naming them would name my employer so won't be doing that!


  • Registered Users Posts: 21,056 ✭✭✭✭Ash.J.Williams


    McGaggs wrote: »
    Didn't this happen to the HSE about 3 years ago? I wonder what lessons they learned from it?

    I do recall they paid Microsoft for out of service support for XP :) a while back


  • Registered Users Posts: 21,056 ✭✭✭✭Ash.J.Williams


    topdecko wrote: »
    Having worked in the NHS and then in Irish primary care there is a stark difference in the security aspect of IT infrastructure. In UK was all smart cards, individual PC logins, encryption on NHS mail if sending external mails etc. There was more of an effort and a better grasp of IT by everyone in organisation.
    Coming back over here it was quite a culture shock - everyone using same desktop logins, simple passwords, fax still being used, lack of use healthmail in hospitals etc.
    My question i suppose is do we need to rebuild from ground up and have a basic level of security - smart cards for everyone as a basic starting point... would that improve resilience in the system and reduce vulnerabilities

    This is true, access control to the hse network is poor, I believe it can take weeks to get your account set up and while you wait you can use someone else's :)


  • Registered Users Posts: 28,867 ✭✭✭✭_Kaiser_


    The users themselves in pretty much any place I've worked are a massive part of the problem where security and just good practice are concerned.

    Anyone who has worked in the Support side of IT will know all about the users who log tickets for basic, trivial things that seem completely ridiculous to those supposed to answer them.

    The problem is that companies hire staff to sit in front of computers all day answering calls or processing data - generally for as little as they can get away with and with minimal training - but pay no interest to whether these staff are IT literate or just competent with the technology they're using 8 hours a day. The attitude is "that's IT's job sure!"

    As a result you have staff with no knowledge or interest, and IT staff run ragged trying to keep on top of their requests and figuring out what "my computer isn't working" ACTUALLY means, and this in turn saps time and resources needed for far more important tasks (because most companies don't have massive, function-specific IT departments), checks and project/upgrade works, because of course those same users and their managers will be the first to complain if their tickets aren't being turned around quickly enough.

    In an era where IT and computers feature in pretty much every role nowadays, I've long said that every interview for any role in a company (but especially those that do everything through a computer) should have an IT literacy element and the potential employee should be able to not just accurately describe an issue, but know their way around the basics of the OS and Office suite.

    It'll never happen though because again, "that's IT's job!" :(


  • Registered Users Posts: 12,292 ✭✭✭✭Flinty997


    I was looking for examples, rather than theory.

    It's not theory. Any IT person working in a similar environment will recognise those examples.
    The unions are doing you a favour. How can you ensure compliance with GDPR if you don't know where your data is held?

    Ah the GDPR perennial. Data governance existed pre GDPR. How? You audit it and in the public sector you will be audited, and any third party systems will be part of that. You may be asked to change a system to address issues raised in an audit.
    This smells off. Any hospital security guard I've seen in decades are outsourced contractors, not hospital employees. Outsource security companies aren't renowned for listening to unions. Why don't you name the hospital?

    Unions won't let an organisation use contractors to circumvent existing agreements.

    Unions blocking new systems is very common. Also happens in non union places people can be unhappy if they think a new system will make them redundant or similar.

    It's not that unions are bad, it's just that is how unions negotiate terms for their members. It's part of the process in a unionised environment.


  • Registered Users Posts: 12,292 ✭✭✭✭Flinty997


    This is true, access control to the hse network is poor, I believe it can take weeks to get your account set up and while you wait you can use someone else's :)

    That's common in many places. It's why passwords should expire, and access audited. So as people change role, or leave, their access also changes.

    On the flip side if you make it difficult for someone to do their job they will find workarounds.


  • Registered Users Posts: 12,292 ✭✭✭✭Flinty997


    Even on a perfect system exploits will be discovered. So it might not be anyone's fault. It's just the nature of IT systems.


  • Registered Users Posts: 21,056 ✭✭✭✭Ash.J.Williams


    Flinty997 wrote: »
    That's common in many places. It's why passwords should expire, and access audited. So as people change role, or leave, their access also changes.

    On the flip side if you make it difficult for someone to do their job they will find workarounds.

    Well that’s your starting point :)

    There’s no workaround where I work if you give someone your password or badge you will be fired instantly


  • Registered Users Posts: 21,056 ✭✭✭✭Ash.J.Williams


    Flinty997 wrote: »
    Even on a perfect system exploits will be discovered. So it might not be anyone's fault. It's just the nature of IT systems.

    Adopting the Purdue network model and removing the “admin” account in favour of a token based system and disabling dangerous protocols by default (SMB) will definitely help

    From what I’ve seen companies need to be hacked to see what needs to be done


    Also you can’t fully vaccinate your systems because some systems will stop working with certain patches and that’s why you need to segregate


  • Registered Users Posts: 7,604 ✭✭✭Tow


    jams100 wrote: »
    Does anyone know what IT company the hse works with? It's not SAP anyway afaik

    Each Health Board has their own systems, more often than not from different providers. Under the HSE these are/were supposed to be consolidated, but that is another story... SAP is used by some HBs

    When is the money (including lost growth) Michael Noonan took in the Pension Levy going to be paid back?



  • Registered Users Posts: 12,292 ✭✭✭✭Flinty997


    Adopting the Purdue network model and removing the “admin” account in favour of a token based system and disabling dangerous protocols by default (SMB) will definitely help

    From what I’ve seen companies need to be hacked to see what needs to be done


    Also you can’t fully vaccinate your systems because some systems will stop working with certain patches and that’s why you need to segregate

    Exactly.

    One of the projects I'm currently working on is replacing a system because an audit was of the opinion its framework is obsolete and no longer secure. Generally you can't replace or retire them instantly so you are given a time window in which to do it.

    Also having specialist companies run penetration tests and similar even phishing tests against your users is more common now. If a system fails or a user repeatedly fails it has to be addressed.

    Even if you are admin. You would be expected to only use the account appropriate to the task it's for.


  • Registered Users Posts: 12,292 ✭✭✭✭Flinty997


    Tow wrote: »
    Each Health Board has their own systems, more often than not from different providers. Under the HSE these are/were supposed to be consolidated, but that is another story... SAP is used by some HBs

    I think people don't realise that when public pressure or politicians juggle organisations around, the IT systems all have to change to accommodate that. There is a lag. Often there are entirely different systems for the same functions, in different regions or departments.


  • Registered Users Posts: 174 ✭✭RoamingDoc


    Flinty997 wrote: »
    I think people don't realise that when public pressure or politicians juggle organisations around, the IT systems all have to change to accommodate that. There is a lag. Often there are entirely different systems for the same functions, in different regions or departments.

    There really is. When the HBs became the HSE, all those old IT systems remained separate. Nearly all of them are still separate to this day (or look like they're joined but actually aren't, e.g. the email system looks like one domain but it's still at least 8 or more regions).
    Flinty997 wrote: »
    Often there are entirely different systems for the same functions, in different regions or departments.

    When you're working in one hospital and move to a new service and have to look up things you've looked up before on a whole new platform - you really get an insight into how fractured the whole thing is.


    The political goal of the HSE was to have one management structure. IT was never factored into anything imo. The only reason we haven't had major IT issues on a national scale before is the IT people actually don't mind talking to each other and help out the other departments. But they're totally siloed.

