
Ransomware & HSE


Comments

  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    Wombatman wrote: »
    Source?

    It was in the PDF linked to a few pages back although I don't think the privilege of the credentials was noted, still a bit shy on detail but credentials were compromised
    https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf


  • Registered Users Posts: 29,117 ✭✭✭✭AndrewJRenko


    hmmm wrote: »
    And 20 million - I'd say more like starting at 200 million, and heading towards a billion to make an impact.
    .

    Which other health services are you going to cut by a billion to fund this? Cancer services or mental health or disability care or what?


  • Posts: 3,801 ✭✭✭ [Deleted User]


    Which other health services are you going to cut by a billion to fund this? Cancer services or mental health or disability care or what?

    Wages.


  • Registered Users Posts: 4,920 ✭✭✭10000maniacs


    kippy wrote: »
    Apologies about the perception of sneering at other posters - maybe that's what I am doing, but it isn't the intention.

    These things are never as black and white as they may appear on the outside - is pretty much the message I am trying to put across.

    You seem to think that keeping the obsolete machines is a great idea. No it is not.
    They should have been replaced even if the malware didn't hit.
    The big questions that have not been answered from the Government and HSE are did they do a backup on the night before the malware hit? And how many machines were affected...er...wiped out by the malware? The drip from the government seems to be getting worse every day.
    Because they haven't been forthcoming on either question, I would assume the answers are no and quite a lot.


  • Registered Users Posts: 8,184 ✭✭✭riclad


    It's well known the Russian government does not act against hackers; hackers attack foreign companies and even American hospitals and almost any company outside Russia.
    We do not have info on how the hackers got in.
    Even a system that has all the latest software and security updates can be hacked.
    Large companies employ pen testers, e.g. independent security professionals; they examine the whole network for vulnerabilities that a hacker might use.
    Every week on the Security Now podcast they discuss all the latest news about security vulnerabilities and what hackers are up to, and give basic advice on how to avoid getting hacked.


  • Registered Users Posts: 12,273 ✭✭✭✭Flinty997


    You seem to think that keeping the obsolete machines is a great idea. No it is not.
    They should have been replaced even if the malware didn't hit.
    The big questions that have not been answered from the Government and HSE are did they do a backup on the night before the malware hit? And how many machines were affected...er...wiped out by the malware? The drip from the government seems to be getting worse every day.
    Because they haven't been forthcoming on either question, I would assume the answers are no and quite a lot.

    From recent articles posted above the attacks haven't stopped, and at least 90k computers (thus far) will need attention.

    Often the choice is between obsolete equipment and no equipment.


  • Registered Users Posts: 7,711 ✭✭✭StupidLikeAFox


    https://twitter.com/ProfPatOConnor/status/1394632530905735170?s=19

    A professor of sociology, expert in gender equality and, apparently, a part time IT expert


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    You seem to think that keeping the obsolete machines is a great idea. No it is not.
    They should have been replaced even if the malware didn't hit.
    The big questions that have not been answered from the Government and HSE are did they do a backup on the night before the malware hit? And how many machines were affected...er...wiped out by the malware? The drip from the government seems to be getting worse every day.
    Because they haven't been forthcoming on either question, I would assume the answers are no and quite a lot.
    Where have I said keeping obsolete machines is a great idea?
    I've said that many organisations run end of life software for one reason or another. They have an aim to replace them and have put steps in place to mitigate the risks around them.
    You don't seem to understand this.
    Yes answers are needed.


  • Registered Users Posts: 29,117 ✭✭✭✭AndrewJRenko


    Wages.

    Genius idea - we're struggling to recruit and retain doctors, consultants, nurses, IT staff, including IT security staff, and you want to make things just a bit worse?


  • Registered Users Posts: 29,117 ✭✭✭✭AndrewJRenko


    https://twitter.com/ProfPatOConnor/status/1394632530905735170?s=19

    A professor of sociology, expert in gender equality and, apparently, a part time IT expert

    "their IT company"


    Insert Goodfellas Ray Liotta laughing clip here.

    Such innocence.


  • Registered Users Posts: 4,488 ✭✭✭FishOnABike


    You seem to think that keeping the obsolete machines is a great idea. No it is not.
    They should have been replaced even if the malware didn't hit.
    The big questions that have not been answered from the Government and HSE are did they do a backup on the night before the malware hit? And how many machines were affected...er...wiped out by the malware? The drip from the government seems to be getting worse every day.
    Because they haven't been forthcoming on either question, I would assume the answers are no and quite a lot.

    Identifying how many systems were affected and how far back you have to go to get an uncompromised backup for each system is a body of work in itself. There's no point in restoring last night's, or even last week's or month's backup if it only results in bringing up compromised systems again.


  • Registered Users Posts: 7,689 ✭✭✭whippet


    I've almost given up talking to people about this. While I'm not a techie - I am in the IT industry and have been involved in recovery projects like this (but not at the same scale).

    Unfortunately the public at large will never understand the cause and the effect of the attack and also would have no comprehension as to what entails a recovery effort.


  • Registered Users Posts: 4,331 ✭✭✭Keyzer


    Sorry I missed your answer.
    You would get in the company who originally carried out the installation to certify that the conversions were done correctly. Simples.

    Don't mean to sound dismissive but you don't have a clue what you're talking about.
    ineedeuro wrote: »
    One question to ask yourself

    The HSE pays external consultants to advise them what to do, like all government agencies. This is for security and everything

    When the poo hit the fan take a stab who the HSE brought in? I am 99% sure it is the same lads who have advised them all along

    Now are they going to admit they done a shoddy job or just cover this up, which the HSE will also cover up because it suits them

    External consultants will assess a situation, provide advice and potentially run a program to implement suggested improvements. They are not decision makers. If a senior management team chooses to ignore the advice given to them, that's not the consultants' fault.
    ineedeuro wrote: »
    I don't know the HSE setup so I can't comment. The hackers stayed in the HSE environment for weeks without detection. That's more than an "oopsie"

    Who would I sack? The CISO/head of security for a start. How many CISOs would last in a company after such a failure as this? Most would already have handed in notice.
    Then if as I suggested they have a Security Assessment with a strategic plan, if this was blocked by another member of the HSE which resulted in underfunding of the Security department they should walk.

    What is your plan? give them a pat on the back and tell them well done?

    Too early to be talking about sacking anyone. I don't even know if the HSE has a CISO but, like my point above, if the CISO recommends a certain initiative/course of action and the senior management team don't support it, it's not the CISO's fault.

    Too often, the CISO becomes the scapegoat in these instances. The CEO is fully accountable for all facets of the organisation/business, including cyber security. If they don't know anything about cyber security, then they must hire someone who does and listen to what they are saying.
    kippy wrote: »
    Cost for install and maintenance across 20,000 odd devices?

    It's actually not that expensive in the grand scheme of things.
    Well I would use €20 million to make a start on upgrading the system instead of coughing up that money to the hackers. They are going to have to do it anyway.

    Again, more nonsense. You're taking a very singular view of this situation. There could be 100's of applications & systems with dependencies on each other. Upgrade one, 99 stop working.

    You don't know the situation but yet you keep coming up with "silver bullet" proposals to fix the issue. There is no silver bullet, no magic wand.
    It really doesn't matter a whole lot if the environment is full of Win 7 or fully patched Win 10 if the attacker is already in the network. The odds are very much stacked in favour of the attacker either way. If an attacker gets in and has a whole lot of time, they will get admin creds and from there can compromise the majority of the network.

    This is very true. If I were to give any organisation advice on what they should focus on protecting first it would be their privileged admin accounts. If you get hacked but the attacker cannot elevate their privileges to cause maximum damage because you've got your admin/privileged accounts under lock and key with monitoring and alerting in place, then you're in a good spot.
    skimpydoo wrote: »
    All I have seen on here is coulda, woulda, shoulda. Right now we don't know exactly what happened. So there is no point on appointing blame just yet. Speculating will get us nowhere. We should be thinking about getting the system back up and running as soon as it is safely possible. We should also be looking at making sure we can greatly lessen the chances of this happening as nothing is 100% secure.

    Agreed 100%
    whippet wrote: »
    I've almost given up talking to people about this. While I'm not a techie - I am in the IT industry and have been involved in recovery projects like this (but not at the same scale).

    Unfortunately the public at large will never understand the cause and the effect of the attack and also would have no comprehension as to what entails a recovery effort.

    Very true. I mentioned before that I was involved in one of these situations (not in Ireland) a couple of years ago. It was a nightmare from start to finish, trying to unravel decades of negligence that led to the incident occurring. It's an experience I hope I never have to go through again. After weeks of work, we upgraded to Windows 10 and that fixed everything :P:P:P


  • Posts: 0 [Deleted User]


    It's a bit like where Father Ted goes just play the bloody note except replace play with pay and note with ransom.


  • Registered Users Posts: 7,689 ✭✭✭whippet


    Turk 182 wrote: »
    It's a bit like where Father Ted goes just play the bloody note except replace play with pay and note with ransom.

    From experience paying the ransom is hit and miss.

    Yes they may send you over the decryption keys - but trying to find out what key is for what can take forever - across circa 100000 endpoints !!

    Plus you need to make sure there aren't any surprises left anywhere to bring the whole house of cards back down


  • Registered Users Posts: 447 ✭✭eastie17


    We rightly found the money for PUP and other things that were needed during a national emergency.
    We need to find the money to fix this properly across our critical infrastructure in this other national emergency.
    The challenge is that once this is fixed, and it's going to take weeks, it's quite likely that the story will move on and it will happen again.
    Money on its own won't solve this, it needs expertise, determination, a good plan and to stick with it, but you definitely won't be able to do it without money. And it actually isn't a choice


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    People are suing the HSE. The government out complaining. The reason people are suing is because we are sick of incompetence.
    Maybe if enough people sue we might actually get the truth from the HSE and not this waffle about zero day etc


  • Registered Users Posts: 1,665 ✭✭✭notAMember


    It's been a week.

    Have they started taking action to rebuild, or are they still investigating I wonder, churning a million options?

    What amount of data loss are they willing to accept. 1 month, 6 months?

    Someone needs to make some hard decisions here, and in a quick timeframe. Either accept the lost data so they can move forward and rebuild from that point, or, pay the ransom. Whoever that is, they will most likely be vilified, but it has to be done, right? Otherwise it's indecision for another month+ with no new records going in to the system.

    Never waste a good crisis is the cliche. If there was ever a justification to get some funding for decent IT systems, here it is on a plate.

    Who is stepping up to this, or are they all just looking at each other, afraid to make this call?


  • Registered Users Posts: 4,331 ✭✭✭Keyzer


    notAMember wrote: »
    It's been a week.

    Have they started taking action to rebuild, or are they still investigating I wonder, churning a million options?

    What amount of data loss are they willing to accept. 1 month, 6 months?

    Someone needs to make some hard decisions here, and in a quick timeframe. Either accept the lost data so they can move forward and rebuild from that point, or, pay the ransom. Whoever that is, they will most likely be vilified, but it has to be done, right? Otherwise it's indecision for another month+ with no new records going in to the system.

    Never waste a good crisis is the cliche. If there was ever a justification to get some funding for decent IT systems, here it is on a plate.

    Who is stepping up to this, or are they all just looking at each other, afraid to make this call?

    The Minister for Health has been very vocal on this issue - he was on radio this morning. It's reported daily through the mainstream channels. Updates are being provided if you care to look for them.

    You've no idea the amount of effort required to recover from a situation like this and bring critical systems back online. Point the finger of blame when the dust settles and a report is issued detailing the events that led to this situation.

    In the meantime, you should just give them a break and let them fix the issue.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    Keyzer wrote: »
    The Minister for Health has been very vocal on this issue - he was on radio this morning. It's reported daily through the mainstream channels. Updates are being provided if you care to look for them.

    You've no idea the amount of effort required to recover from a situation like this and bring critical systems back online. Point the finger of blame when the dust settles and a report is issued detailing the events that led to this situation.

    In the meantime, you should just give them a break and let them fix the issue.

    The HSE from day 1 has lied to the public, they have used RTE to run a PR campaign for them & the government.
    The finger is already pointing at everyone else. Even today going on about people suing so to change the topic of conversation.

    We will never be told the truth based on what has happened already. People need to stop making excuses and demand answers. Otherwise it will be swept under the carpet.


  • Registered Users Posts: 935 ✭✭✭giles lynchwood


    The problem with the HSE is the people running it; there is waste at every level with every product they use. I was in a taxi the other day and the driver had theatre grade medical gloves and I quote "the wife works in a hospital and brought home 3 boxes". My father (RIP) had a HSE cleaner come in twice a week; one time she said "I won't be here next week but if anyone from HSE rings you tell them I was", my father said no. The government are aware of this and know with this culture in place funding is like throwing money into the black hole of Calcutta. The only realistic way to tackle this problem is to bite the bullet and get rid of the present HSE admin by way of redundancies; you can't teach an old dog new tricks. No matter how small the item is they all add up and in a system as big as the HSE that can be enormous.
    In any other EU state heads would roll and rightly so; not here. When this hack is solved the government will clap themselves on the back for solving a problem they created by not addressing the waste due to theft. The only part of the health service which is not only self sustaining but makes a profit are the privately run coffee shops in our hospitals. I wonder why.


  • Registered Users Posts: 4,331 ✭✭✭Keyzer


    ineedeuro wrote: »
    The HSE from day 1 has lied to the public, they have used RTE to run a PR campaign for them & the government.
    The finger is already pointing at everyone else. Even today going on about people suing so to change the topic of conversation.

    We will never be told the truth based on what has happened already. People need to stop making excuses and demand answers. Otherwise it will be swept under the carpet.

    How did the HSE lie to the public? Give me some examples backed up with evidence, not hearsay or opinion.

    Under GDPR, citizens may have the right to sue the state if it is deemed basic/necessary information security controls and measures were not in place. At present, we don't know if that's the case.

    And for the record, I'm not supporting the HSE or Government here. I simply don't have enough information at this moment in time to inform my opinion.


  • Registered Users Posts: 447 ✭✭eastie17


    The first narrative from the media has been one of sympathy for the HSE, which frankly is misplaced imho. Yes it is a cruel act to hack a health service at this time, but the impact would have been the same whenever it happened.
    From reading the indications of compromise and the path they took, this wasn't super sophisticated, the spokespeople were hiding behind that spin as well "well it was really sophisticated, nothing we could do boss" isn't really good enough. They stopped the attack on the DoH with some fairly standard security hygiene.

    I don't think they have the luxury of saying, "we won't pay" if that is really their intent. Understand there is always the possibility that they do that in the background and not publicise it. These conglomerates will generally let you get back to normal if you pay up, however if you are going around with your chest out saying "we're not paying" not only will it take you a really long time to get back to normal operations, there is every chance they will hit you again just when you think you are getting back to normal as a warning to other potential "customers"


  • Registered Users Posts: 4,331 ✭✭✭Keyzer


    The problem with the HSE is the people running, there is waste at every level with every product they use. I was in a taxi the other day and the driver had theatre grade medical gloves and I quote "the wife works in a hospital and brought home 3 boxes". My father (RIP) had a HSE cleaner come in twice a week; one time she said "I won't be here next week but if anyone from HSE rings you tell them I was", my father said no. The government are aware of this and know with this culture in place funding is like throwing money into the black hole of Calcutta. The only realistic way to tackle this problem is to bite the bullet and get rid of the present HSE admin by way of redundancies; you can't teach an old dog new tricks. No matter how small the item is they all add up and in a system as big as the HSE that can be enormous.
    In any other EU state heads would roll and rightly so; not here. When this hack is solved the government will clap themselves on the back for solving a problem they created by not addressing the waste due to theft. The only part of the health service which is not only self sustaining but makes a profit are the privately run coffee shops in our hospitals. I wonder why.

    Jesus wept - so the HSE are to blame for people robbing equipment from hospitals and other staff committing fraud?

    Heads might roll on this, at the moment they are in recovery mode, I'd expect a detailed investigation to be carried out to find out why this happened.

    But the solution is sack everyone right?


  • Registered Users Posts: 447 ✭✭eastie17


    The problem with the HSE is the people running, there is waste at every level with every product they use. I was in a taxi the other day and the driver had theatre grade medical gloves and I quote "the wife works in a hospital and brought home 3 boxes". My father (RIP) had a HSE cleaner come in twice a week; one time she said "I won't be here next week but if anyone from HSE rings you tell them I was", my father said no. The government are aware of this and know with this culture in place funding is like throwing money into the black hole of Calcutta. The only realistic way to tackle this problem is to bite the bullet and get rid of the present HSE admin by way of redundancies; you can't teach an old dog new tricks. No matter how small the item is they all add up and in a system as big as the HSE that can be enormous.
    In any other EU state heads would roll and rightly so; not here. When this hack is solved the government will clap themselves on the back for solving a problem they created by not addressing the waste due to theft. The only part of the health service which is not only self sustaining but makes a profit are the privately run coffee shops in our hospitals. I wonder why.

    The public are apathetic about this as well, we don't expect any better. The majority of people aren't engaged with the health service at this time so don't see how bad it now is. When they do, they are probably too sick to worry about anything else except getting better, and rightly so, so aren't going to be going around shaking trees and making a lot of noise.

    This is taking some of the pressure off the leadership because we're not making enough noise about it to politicians. Meanwhile staff and patients impacted are having an absolutely horrible time of it.


  • Registered Users Posts: 7,256 ✭✭✭plodder


    eastie17 wrote: »
    The first narrative from the media has been one of sympathy for the HSE, which frankly is misplaced imho. Yes it is a cruel act to hack a health service at this time, but the impact would have been the same whenever it happened.
    From reading the indications of compromise and the path they took, this wasn't super sophisticated, the spokespeople were hiding behind that spin as well "well it was really sophisticated, nothing we could do boss" isn't really good enough. They stopped the attack on the DoH with some fairly standard security hygiene.

    I don't think they have the luxury of saying, "we won't pay" if that is really their intent. Understand there is always the possibility that they do that in the background and not publicise it. These conglomerates will generally let you get back to normal if you pay up, however if you are going around with your chest out saying "we're not paying" not only will it take you a really long time to get back to normal operations, there is every chance they will hit you again just when you think you are getting back to normal as a warning to other potential "customers"
    The only benefit of 'paying up' would be to stop the publication of data. There's no guarantee that services would be restored any sooner imo, or that the same or another hacker group wouldn't target them again.

    Incidentally, I wonder what do people make of the claim by Alan Kelly TD that one of his constituents has already been contacted by a medical outfit abroad who used the stolen information? Surely no reputable medical practice would use such data. Could it just have been a coincidence or that they obtained the person's information some other way?


  • Registered Users Posts: 4,331 ✭✭✭Keyzer


    eastie17 wrote: »
    The first narrative from the media has been one of sympathy for the HSE, which frankly is misplaced imho. Yes it is a cruel act to hack a health service at this time, but the impact would have been the same whenever it happened.
    From reading the indications of compromise and the path they took, this wasn't super sophisticated, the spokespeople were hiding behind that spin as well "well it was really sophisticated, nothing we could do boss" isn't really good enough. They stopped the attack on the DoH with some fairly standard security hygiene.

    I don't think they have the luxury of saying, "we won't pay" if that is really their intent. Understand there is always the possibility that they do that in the background and not publicise it. These conglomerates will generally let you get back to normal if you pay up, however if you are going around with your chest out saying "we're not paying" not only will it take you a really long time to get back to normal operations, there is every chance they will hit you again just when you think you are getting back to normal as a warning to other potential "customers"

    There is absolutely zero guarantee that if they pay the ransom decryption keys will be provided, zero.

    The people behind this are criminals, not a conglomerate. They don't care about the impact this is having on hospitals and patients. They care about money, if there is an opportunity to get more money then they'll go for it.

    There is nothing stopping them from demanding another 20/40/100 million should the ransom be paid.

    Lots of naivety in this thread to be honest.


  • Registered Users Posts: 9,421 ✭✭✭Cluedo Monopoly


    I really think Paul Reid does way too much media. It's 11am and he is on Claire Byrne. He seems to be always on the radio. I would much rather him attending and prioritising internal meetings during office hours especially. He should be able to delegate media work to other managers or PR people during crisis situations.

    What are they doing in the Hyacinth House?



  • Registered Users Posts: 3,855 ✭✭✭statto25


    Keyzer wrote: »
    There is absolutely zero guarantee that if they pay the ransom decryption keys will be provided, zero.

    The people behind this are criminals, not a conglomerate. They don't care about the impact this is having on hospitals and patients. They care about money, if there is an opportunity to get more money then they'll go for it.

    There is nothing stopping them from demanding another 20/40/100 million should the ransom be paid.

    Lots of naivety in this thread to be honest.


    Not only that but every device from Server, Laptop, Desktop and all in-between has been compromised and more than likely needs a rebuild. You can't just run malwarebytes on them and all is dandy!


  • Registered Users Posts: 12,114 ✭✭✭✭Gael23



