
Ransomware & HSE


Comments

  • Registered Users Posts: 33,105 ✭✭✭✭gmisk


    It is pretty mad that this has now been going on for over a week (well, the NCSC was notified on the 14th); god knows how long it took before they were notified.


  • Registered Users Posts: 24,201 ✭✭✭✭Larbre34


    Liam Neeson would suffice

    Send Pierce Brosnan and Michael Fassbender along with him.

    "I prefer.........Magneto"


  • Registered Users Posts: 33,105 ✭✭✭✭gmisk


    hmmm wrote: »
    This is fake news, the media are misinterpreting a chat log on the gangs website. We still don't know (publicly) the source for certain.
    Publicly, yes... but privately everything I have seen indicates that was the source (OBE, if that's how you want to classify it).


  • Registered Users Posts: 9,421 ✭✭✭Cluedo Monopoly


    Larbre34 wrote: »
    I'm aware of the Rangers. This is not what they are for.

    Long term immersion on foreign soil posing as civilians is not what they do. I can't imagine any of them being fluent in Russian either.

    They are special operations military, not secret intelligence agents.

    Ye are watching too many action movies, lads :)

    What are they doing in the Hyacinth House?



  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    So now that the HSE have got the key, they should release a public tender to review their security environment.

    Then if they hire the same companies they hired prior to the attack some serious questions need to be asked.


  • Registered Users Posts: 21,886 ✭✭✭✭Roger_007


    I’m not an IT expert (far from it), but I would have thought that the management system of the back-end database that contains the data should have inbuilt protection to prevent the encryption of its data. I know that may sound simplistic, but I haven’t heard any talk about possible deficiencies in the database management software itself. All the emphasis seems to be on ‘how did they get in’.


  • Registered Users Posts: 10,234 ✭✭✭✭Hurrache


    Dempo1 wrote: »
    Adrian Weckler from the Indo acting the expert on the late debate, a complete G******
    Weckler doesn't know his arse from his elbow.

    He should stick to reviewing phones and the like.

    He just regurgitates PR fed to him from the various tech companies, particularly Apple. It's always been how he operates; the worst of the so-called tech experts that are rolled out to talk ****e.


  • Registered Users Posts: 9,507 ✭✭✭runawaybishop


    I'd honestly use the $20m they wanted in ransom to hire some people to dispose of these hackers



  • Moderators, Entertainment Moderators Posts: 17,993 Mod ✭✭✭✭ixoy


    ineedeuro wrote: »
    Then if they hire the same companies they hired prior to the attack some serious questions need to be asked.

    Only if the company failed to identify the issues. They may very well have, but if the HSE fails to act on them then it's not really the fault of the company.


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    Roger_007 wrote: »
    I’m not an IT expert (far from it), but I would have thought that the management system of the back-end database that contains the data should have inbuilt protection to prevent the encryption of its data. I know that may sound simplistic, but I haven’t heard any talk about possible deficiencies in the database management software itself. All the emphasis seems to be on ‘how did they get in’.
    Well, there are a number of angles BUT - if you have "access", whether that be logical (i.e. on the network) or, better still, physical, and a set of the right privileged credentials and the time and knowledge, you can cause one hell of a lot of carnage - no matter what the protections in place on the data itself.

    Again, there's not a lot of info on what data exactly has been compromised and how (there's lots of large catch-all reports but nothing specific).


  • Registered Users Posts: 14,415 ✭✭✭✭ednwireland


    Roger_007 wrote: »
    I’m not an IT expert (far from it), but I would have thought that the management system of the back-end database that contains the data should have inbuilt protection to prevent the encryption of its data. I know that may sound simplistic, but I haven’t heard any talk about possible deficiencies in the database management software itself. All the emphasis seems to be on ‘how did they get in’.

    We supply complicated database-based software, and we have had customers who had to rebuild their software after an attack. In the last one they found a username on a web server running our front end. It was shut down immediately and a new server spun up; we worked the weekend to get them back up.


  • Registered Users Posts: 7,256 ✭✭✭plodder


    Roger_007 wrote: »
    I’m not an IT expert (far from it), but I would have thought that the management system of the back-end database that contains the data should have inbuilt protection to prevent the encryption of its data. I know that may sound simplistic, but I haven’t heard any talk about possible deficiencies in the database management software itself. All the emphasis seems to be on ‘how did they get in’.
    All software works under an assumption that its data is "left alone" by other components of a system. That is why users with administrative privileges can do any amount of damage if they do the wrong thing, eg by deleting files or even editing files they aren't supposed to because as administrators they have to have access to everything.

    What this implies, is that even with a decryption tool, there is no guarantee that all the HSE's systems could be restored with it, because the systems whose data was encrypted aren't expecting their data to be encrypted and then decrypted a week later. It might work, but there could be inconsistencies and some loss of data.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    ixoy wrote: »
    Only if the company failed to identify the issues. They may very well have, but if the HSE fails to act on them then it's not really the fault of the company.

    Then if the HSE failed to act people should be fired.

    It's one or the other. People need answers. Not excuses. So far I see a lot of excuses even on this thread.


  • Registered Users Posts: 3,337 ✭✭✭Wombatman


    Roger_007 wrote: »
    I’m not an IT expert (far from it), but I would have thought that the management system of the back-end database that contains the data should have inbuilt protection to prevent the encryption of its data. I know that may sound simplistic, but I haven’t heard any talk about possible deficiencies in the database management software itself. All the emphasis seems to be on ‘how did they get in’.

    Absolutely, data should be encrypted in transit and at rest. This won't stop the data files being locked by further encryption but it will stop the data being stolen.

    The problem is these hackers usually find a way of acquiring the privileges necessary to access the data in the clear, like a regular user would. Then it is only a matter of exporting and exfiltrating.

    Hopefully the sensitive HSE data was adequately protected to the point that it couldn't be read without the necessary least privileges.


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    ineedeuro wrote: »
    Then if the HSE failed to act people should be fired.

    It's one or the other. People need answers. Not excuses. So far I see a lot of excuses even on this thread.

    What is an answer? What is an excuse?

    Why was this not done, even though it was in the report? Well, we only had X million to spend. It was envisaged that the risk of this happening was low because of X, Y, Z.

    There is a serious amount of consideration that has to go into each and everything you do in an infrastructure like that of the HSE - everything has consequences.

    As for firing people - a very tricky road to go down.


  • Registered Users Posts: 21,886 ✭✭✭✭Roger_007


    plodder wrote: »
    All software works under an assumption that its data is "left alone" by other components of a system. That is why users with administrative privileges can do any amount of damage if they do the wrong thing, eg by deleting files or even editing files they aren't supposed to because as administrators they have to have access to everything.

    What this implies, is that even with a decryption tool, there is no guarantee that all the HSE's systems could be restored with it, because the systems whose data was encrypted aren't expecting their data to be encrypted and then decrypted a week later. It might work, but there could be inconsistencies and some loss of data.

    Editing or deleting data files wouldn’t be much of a problem provided you have sufficient generations of back ups to roll back the system to a point prior to the incident. I acknowledge that there may be some loss of the most recent data in doing this.
    What I cannot understand is how the data in the data files could be encrypted either accidentally or deliberately without this activity being detected. It would certainly qualify as ‘unusual activity’. Even the amount of processing time and the volume of transactions involved in encrypting 700Gb of data would surely alert someone that something unusual was taking place.


  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    Roger_007 wrote: »
    I’m not an IT expert (far from it), but I would have thought that the management system of the back-end database that contains the data should have inbuilt protection to prevent the encryption of its data. I know that may sound simplistic, but I haven’t heard any talk about possible deficiencies in the database management software itself. All the emphasis seems to be on ‘how did they get in’.
    You're right, it is simplistic. :D

    The DBMS is a piece of software that provides access to the data in a specific way and a pile of management functions around it. Yes, they usually include the ability to protect the data from being maliciously altered, but the DBMS's domain is accessing the data that has been stored and providing a way of retrieving it. The data itself still sits inside files on a disk somewhere which can be directly manipulated without any interaction with the DBMS. That's also a simplistic way of putting it. But basically once you have access to the underlying operating system, there's next to fvck all that any piece of software can do to stop you messing with its data.

    Imagine you have a word document with sensitive information in it. So you password-protect it. Great. Now if anyone wanted to access or change your data, they'd need to launch microsoft word, enter the password and change the data.
    But if they wanted to fvck with you, they wouldn't need MS word at all. They can just take your "allmypasswords.docx" file, and encrypt it. They may not be able to see what's in it; but now neither can you.
    And therein lies the core of what these criminal gangs want; to prevent you getting access to your data so you'll pay the ransom to get it back.

    The fact that they did get access to a lot of data says that much of the data inside the files was not encrypted (known as "encryption at rest"). And while you might immediately go, "OMG, incompetence! Files not encrypted at rest!", encryption at rest is quite a difficult one to pull off. You wouldn't do it for stacks of Word documents* and files on people's computers; you'd generally use it for database files in a sensitive database.

    And in active attacks like these where you have a network intruder, they may get access to your decryption keys anyway, making your encryption at rest useless.

    *Though we are getting closer and closer to this being possible
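
The layering seamus describes above, as an added worked example that is not from any poster in this thread: a SQLite file carries a DBMS-level control (a trigger that refuses deletes), and that control is simply irrelevant to plain file I/O that scrambles and later restores the bytes without ever talking to the DBMS. The key, nonce, table contents and the toy HMAC-based keystream are all constructed for the illustration; the keystream is not a real cipher and only stands in for whatever tooling an intruder would bring.

```python
import hashlib
import hmac
import os
import sqlite3
import tempfile

# Constructed demo key and nonce; hypothetical, for this illustration only.
DEMO_KEY = b"demo-key-for-illustration-only"
DEMO_NONCE = b"demo-nonce"


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256.

    Illustration only: it shows that file bytes can be transformed by anyone
    holding a key; it is not a vetted cipher and must not be reused for real data.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def xor_file_in_place(path: str, key: bytes) -> None:
    """Overwrite the file with its XOR against the keystream.

    XOR is its own inverse, so a second call with the same key restores the
    original bytes; that second call plays the part of the "decryption tool".
    Nothing here talks to SQLite: it is plain file I/O by whoever can open the file.
    """
    with open(path, "rb") as f:
        data = f.read()
    ks = keystream(key, DEMO_NONCE, len(data))
    with open(path, "wb") as f:
        f.write(bytes(a ^ b for a, b in zip(data, ks)))


def build_db(path: str) -> None:
    """Create a small table and a DBMS-level control that forbids deletes."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO patients (name) VALUES (?)",
                    [("Constructed Patient A",), ("Constructed Patient B",)])
    con.execute(
        "CREATE TRIGGER no_delete BEFORE DELETE ON patients "
        "BEGIN SELECT RAISE(ABORT, 'deletes are not permitted'); END"
    )
    con.commit()
    con.close()


def dbms_blocks_delete(path: str) -> bool:
    """True if the trigger stops a DELETE issued through the DBMS."""
    con = sqlite3.connect(path)
    try:
        con.execute("DELETE FROM patients")
        return False
    except sqlite3.DatabaseError:
        return True
    finally:
        con.rollback()
        con.close()


def row_count(path: str):
    """Rows the DBMS can read, or None if it cannot parse the file at all."""
    con = sqlite3.connect(path)
    try:
        return con.execute("SELECT count(*) FROM patients").fetchone()[0]
    except sqlite3.DatabaseError:          # e.g. "file is not a database"
        return None
    finally:
        con.close()


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "records.db")
        build_db(path)
        result = {"delete_blocked_by_dbms": dbms_blocks_delete(path),
                  "rows_before": row_count(path)}
        xor_file_in_place(path, DEMO_KEY)   # scrambled with no DBMS involvement
        result["rows_while_encrypted"] = row_count(path)
        xor_file_in_place(path, DEMO_KEY)   # the "decryption tool"
        result["rows_after_decrypt"] = row_count(path)
        return result


if __name__ == "__main__":
    print(run_demo())
```

Run it and the trigger stops `DELETE FROM patients`, yet SQLite cannot read the file after the first pass and reads it back intact after the second. The round trip is clean here only because nothing touched the file in between; plodder's earlier point, that a decryption tool is no guarantee of a consistent restore, is about systems that were live and writing around the time the files were encrypted, which this demo deliberately avoids.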


  • Registered Users Posts: 9,557 ✭✭✭DublinWriter


    Roger_007 wrote: »
    I’m not an IT expert (far from it), but I would have thought that the management system of the back-end database that contains the data should have inbuilt protection to prevent the encryption of its data. I know that may sound simplistic, but I haven’t heard any talk about possible deficiencies in the database management software itself. All the emphasis seems to be on ‘how did they get in’.

    The ransomware doesn't attack specific databases - it works through directories on network shares and encrypts individual files that it can get exclusive read/write access to.

    As for 'how did they get in', they more than likely sent a phishing email with an executable attachment, or a link to one.


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    DublinWriter wrote: »
    The ransomware doesn't attack specific databases - it works through directories on network shares and encrypts individual files that it can get exclusive read/write access to.

    As for 'how did they get in', they more than likely sent a phishing email with an executable attachment, or a link to one.

    A few initial answers in here:
    https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf

    Will be interesting to see how that report may have changed after the first week of investigation.


  • Registered Users Posts: 7,256 ✭✭✭plodder


    Further to the "encryption at rest" point, if a PC is using Bitlocker or hardware or operating system level encryption of its data, that mainly protects against laptops being lost or someone poking around a hard-drive that was stolen or taken out of an old PC. It doesn't protect against software (eg malware) running on the computer with the privileges of a user who is allowed to read the data. The software doesn't need the decryption key. It just needs the right privilege which it probably has got from intercepting passwords at the right time.


  • Registered Users Posts: 7,256 ✭✭✭plodder


    Roger_007 wrote: »
    Editing or deleting data files wouldn’t be much of a problem provided you have sufficient generations of back ups to roll back the system to a point prior to the incident. I acknowledge that there may be some loss of the most recent data in doing this.
    What I cannot understand is how the data in the data files could be encrypted either accidentally or deliberately without this activity being detected. It would certainly qualify as ‘unusual activity’. Even the amount of processing time and the volume of transactions involved in encrypting 700Gb of data would surely alert someone that something unusual was taking place.
    I guess that is why it was done at night. If the encryption had been done during the day, then it would have been noticed sooner, probably by people trying to use the systems getting strange errors.

    It would be interesting to know as well what anti-malware tools they had deployed, that might have detected this kind of activity even when the systems were quiet at night. It's not something I am very familiar with though, as to what these tools are capable of.

    Just to add, one reason it interested me that this was claimed to be a "zero day" attack was whether they had deployed some anti-malware tools which failed to detect it, with the reason being claimed that it was a new kind of attack. I think that is one aspect that would need to be looked into in any enquiry that takes place after it's all sorted out.
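
On Roger_007's question of why the sheer volume of encryption work was not itself an alarm, and plodder's question of what tooling could have caught it overnight, here is an added example, not from any poster or any product, of the kind of heuristic that endpoint and file-server monitoring applies: per process, per minute, count the writes, measure the entropy of what was written, and watch for renames that change the extension. The events, host paths, process names and thresholds are all constructed for the illustration.

```python
import math
import os
import random
from collections import defaultdict

WINDOW_SECONDS = 60          # bucket file events per process per minute
MASS_WRITE_THRESHOLD = 20    # writes in one bucket before "mass writes" fires
HIGH_ENTROPY_BITS = 7.5      # mean bits/byte; encrypted or compressed data sits near 8
EXT_CHANGE_RATIO = 0.5       # share of writes followed by a rename to a new extension


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample: 0 for a constant run, 8 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def extension_changed(old_path: str, new_path: str) -> bool:
    return os.path.splitext(old_path)[1].lower() != os.path.splitext(new_path)[1].lower()


def classify(events: list) -> dict:
    """Score one process's file events from one time bucket."""
    writes = len(events)
    ext_changes = sum(
        1 for e in events if e["new_path"] and extension_changed(e["path"], e["new_path"])
    )
    mean_entropy = sum(shannon_entropy(e["data"]) for e in events) / writes
    signals = []
    if writes >= MASS_WRITE_THRESHOLD:
        signals.append("mass_writes")
    if mean_entropy >= HIGH_ENTROPY_BITS:
        signals.append("high_entropy")
    if ext_changes / writes >= EXT_CHANGE_RATIO:
        signals.append("extension_churn")
    # All three together is the ransomware shape; two (typically mass high-entropy
    # writes from a backup or archiving job) is worth a look but not a page-out.
    verdict = {3: "alert", 2: "review"}.get(len(signals), "benign")
    return {"verdict": verdict, "signals": signals, "writes": writes,
            "mean_entropy": round(mean_entropy, 2)}


def detect(events: list) -> dict:
    """Worst verdict per process across all minute buckets."""
    buckets = defaultdict(list)
    for e in events:
        buckets[(e["process"], e["ts"] // WINDOW_SECONDS)].append(e)
    rank = {"benign": 0, "review": 1, "alert": 2}
    worst = {}
    for (proc, _), evs in buckets.items():
        res = classify(evs)
        if proc not in worst or rank[res["verdict"]] > rank[worst[proc]["verdict"]]:
            worst[proc] = res
    return worst


def make_sample_events() -> list:
    """Constructed file events; not taken from any real host or log."""
    rng = random.Random(7)

    def rand(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    base = 1200  # all timestamps fall inside one minute bucket
    events = []
    # A clerk saving a few letters: small, low-entropy writes, no renames.
    for i in range(3):
        events.append({"ts": base + i * 10, "process": "WINWORD.EXE",
                       "path": f"//fileshare/clinic/letter{i}.docx", "new_path": None,
                       "data": b"Dear patient, your appointment has been rescheduled. " * 80})
    # Nightly backup agent: many compressed (high-entropy) writes, extensions unchanged.
    for i in range(40):
        events.append({"ts": base + i, "process": "backupagent.exe",
                       "path": f"//fileshare/backups/vol{i}.bak", "new_path": None,
                       "data": rand(4096)})
    # Unknown binary: many high-entropy writes, each renamed to a new extension.
    for i in range(40):
        events.append({"ts": base + i, "process": "unknown.exe",
                       "path": f"//fileshare/clinic/scan{i}.pdf",
                       "new_path": f"//fileshare/clinic/scan{i}.pdf.locked",
                       "data": rand(4096)})
    return events


if __name__ == "__main__":
    for proc, res in detect(make_sample_events()).items():
        print(f"{proc:16} {res['verdict']:7} {res['signals']}")
```

The backup agent trips two of the three signals entirely on its own, which is why the rule needs the extension churn as well before anyone gets paged: compressed archives, media files and databases that are already encrypted at rest all look like ciphertext to an entropy check. Real deployments tune the thresholds, allow-list known jobs, and feed the verdict into an automated response (isolate the host, revoke the session) rather than waiting for the morning shift.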


  • Moderators, Category Moderators, Computer Games Moderators, Society & Culture Moderators Posts: 34,610 CMod ✭✭✭✭CiDeRmAn


    As a person with precious little technical knowledge of this type of thing, what might the process look like when an IT person comes to decrypt the devices in my department?
    Currently we seem to have been lucky, with only two PCs at present encrypted, the others were turned off or had no one logged on at the time of the attack.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    kippy wrote: »
    What is an answer? What is an excuse?

    Why was this not done, even though it was in the report? Well, we only had X million to spend. It was envisaged that the risk of this happening was low because of X, Y, Z.

    There is a serious amount of consideration that has to go into each and everything you do in an infrastructure like that of the HSE - everything has consequences.

    As for firing people - a very tricky road to go down.

    How is it tricky? You had the whole HSE shut down. Fairly easy to fire someone; they have put the lives of everyone in Ireland at risk.

    If they had X million to spend then what was it spent on? What wasn't it spent on? What were the reasons they bought XYZ and not ABC?

    Stop with the excuses; people need to stop accepting incompetence in the government and in the public services we pay for.


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    ineedeuro wrote: »
    How is it tricky? You had the whole HSE shut down. Fairly easy to fire someone; they have put the lives of everyone in Ireland at risk.

    If they had X million to spend then what was it spent on? What wasn't it spent on? What were the reasons they bought XYZ and not ABC?

    Stop with the excuses; people need to stop accepting incompetence in the government and in the public services we pay for.

    I love how easy things like this are online.


  • Registered Users Posts: 4,331 ✭✭✭Keyzer


    ineedeuro wrote: »
    How is it tricky? You had the whole HSE shut down. Fairly easy to fire someone; they have put the lives of everyone in Ireland at risk.

    If they had X million to spend then what was it spent on? What wasn't it spent on? What were the reasons they bought XYZ and not ABC?

    Stop with the excuses; people need to stop accepting incompetence in the government and in the public services we pay for.

    Baying for blood and looking for people to be sacked is not the answer right now.

    As I said numerous times before, a detailed investigation as to how this happened needs to be carried out. Right now, we simply don't have enough information.

    If its the case that the HSE were warned of these issues and they failed to act on them then, yes, there needs to be accountability. But we need to wait until all the facts are documented.


  • Registered Users Posts: 33,105 ✭✭✭✭gmisk


    ineedeuro wrote: »
    How is it tricky? You had the whole HSE shut down. Fairly easy to fire someone; they have put the lives of everyone in Ireland at risk.

    If they had X million to spend then what was it spent on? What wasn't it spent on? What were the reasons they bought XYZ and not ABC?

    Stop with the excuses; people need to stop accepting incompetence in the government and in the public services we pay for.
    The fact that the spend on ICT in the HSE is meant to be a quarter of that of other comparable organisations might give you an idea of why there are issues. The money available can only stretch so far.
    Who are you suggesting to fire? It clearly isn't due to one person imo.
    The fact that the HSE and other government departments cannot hire skilled people in cybersecurity due to the low level of pay available is definitely not helpful either.

    I am sure the finances will be looked at in detail to see if money and resources could have been better used.


  • Registered Users Posts: 11,205 ✭✭✭✭hmmm


    CiDeRmAn wrote: »
    As a person with precious little technical knowledge of this type of thing, what might the process look like when an IT person comes to decrypt the devices in my department?
    They will probably want to rebuild/reimage everything, which involves wiping all contents and giving you back a "known-good" PC. They may or may not do this for all your devices, but I'd assume they will - they don't want you to turn on some random PC and for it to restart encryption.

    If you have data on the PCs which is not backed up, you should take a note of where it is (or where you think it is) and let them know it is important to recover. They'll also want to know if there is any special software running on it - I can't even begin to imagine what's involved in trying to get a hospital system rebuilt.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    Keyzer wrote: »
    Baying for blood and looking for people to be sacked is not the answer right now.

    As I said numerous times before, a detailed investigation as to how this happened needs to be carried out. Right now, we simply don't have enough information.

    If its the case that the HSE were warned of these issues and they failed to act on them then, yes, there needs to be accountability. But we need to wait until all the facts are documented.

    Who is baying for blood?
    I am asking for answers. Not the lies we are hearing from the HSE, RTE & government. They will never do a detailed investigation if everyone sits back and waits.

    How long are you willing to wait and get answers? weeks? months? years?
    Anyone that is paying tax is currently paying for the HSE, yet as usual people want to roll out and let them away with the shambles that it is. From top to bottom it is a mess and this is just another example. Yet we still have people making excuses.

    If this was a private company/hospital, do you honestly think nobody would be fired on the spot? Or would they just pat them on the back for another f**k up and continue on?


  • Registered Users Posts: 8,211 ✭✭✭realdanbreen


    Dempo1 wrote: »
    Intrigued by this so-called heat; barely a mention of this attack outside Ireland. Bloomberg News seems to be the only international news organisation that mentioned it, nothing reported on any UK media that I'm aware of. The only heat I'm aware of is the hot air coming out of senior HSE management.

    BBC, Sky, CNN, PBS, CBS and Fox all featured it.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    gmisk wrote: »
    The fact that the spend on ICT in the HSE is meant to be a quarter of that of other comparable organisations might give you an idea of why there are issues. The money available can only stretch so far.
    Who are you suggesting to fire? It clearly isn't due to one person imo.
    The fact that the HSE and other government departments cannot hire skilled people in cybersecurity due to the low level of pay available is definitely not helpful either.

    I am sure the finances will be looked at in detail to see if money and resources could have been better used.

    Yes, the budget can only stretch so far. Hence why you have a security assessment done and firm up what can be bought.
    They also have access to the NHS, and they have released plenty of information on ransomware after they got hit in 2017, so it's not like they have never heard of it.

    I am not sure who came up with this low pay in the HSE. That is not true at all; the package with pay/pension etc. can rival anyone in the market.

