Ransomware & HSE

Comments

  • Registered Users Posts: 43,028 ✭✭✭✭SEPT 23 1989


    bit of a whiff of an inside job off this


  • Registered Users Posts: 9,509 ✭✭✭irishgeo


    ineedeuro wrote: »
    The HSE was shut down, data was lost. GDPR rules broken. They are open to millions and millions of claims.

    If that was a company people would be fired from top to bottom. In fact they wouldn't even wait to get fired, the CISO would already have handed in notice and be long gone.

    Fastway: did they sack anyone for leaving a database open to the internet? Despite trying to claim it was a hack.


  • Moderators, Politics Moderators Posts: 39,893 Mod ✭✭✭✭Seth Brundle


    nc6000 wrote: »
    I never said it might show us as a force to be reckoned with. What exactly have Russia done to help us with this so far? It's just over a week now since the HSE announced the hack. If Russia helped us to get the decryption file then what took them so long? It was obvious last weekend that this was going to cause huge disruption.
    When the IRA were up to their murderous nonsense, would you have been happy if the Irish Ambassador to the UK was expelled because of their actions?
    Would you have agreed to Ireland helping the UK on that basis?


  • Registered Users Posts: 7,419 ✭✭✭MrMusician18


    When the IRA were up to their murderous nonsense, would you have been happy if the Irish Ambassador to the UK was expelled because of their actions?
    Would you have agreed to Ireland helping the UK on that basis?

    Well the UK embassy was burned down after Bloody Sunday


  • Registered Users Posts: 3,252 ✭✭✭nc6000


    When the IRA were up to their murderous nonsense, would you have been happy if the Irish Ambassador to the UK was expelled because of their actions?
    Would you have agreed to Ireland helping the UK on that basis?

    I don't want to derail the thread with talk of the troubles but I think the difference here is that Russia seem quite happy to turn a blind eye to these attacks as long as it doesn't affect them.


  • Registered Users Posts: 9,557 ✭✭✭DublinWriter


    A blue screen or a BIOS-looking screen probably meaning it’s too late

    The ransomware deliberately avoids encrypting binary executable files (EXE, COM, DLL) for that exact reason. It just encrypts data files.


  • Registered Users Posts: 8,208 ✭✭✭saabsaab


    Well the UK embassy was burned down after Bloody Sunday


    No need for burning Embassies. Maybe just send over a few agents to St Petersburg secretly to track down the source.


  • Registered Users Posts: 8,184 ✭✭✭riclad


    Networks can be hacked even if the security is good and all the systems are updated.
    But systems need to have a 24/7 backup policy:
    all patient data is backed up every day,
    backups are encrypted and read-only,
    each PC and user should have strong passwords,
    not all users have access to the whole network,
    there are backup logs of all user activity on the network.
    If all the PCs are hit by malware, the backups are there and the whole system can be restored offline if all the network PCs are erased.
    The hackers were on the network for 2 weeks; this does not inspire confidence in the level of security on the network.
    Maybe the HSE has union contracts re salaries for all staff and management,
    e.g. they cannot compete with the level of pay that private companies offer to
    high-level security experts.


  • Registered Users Posts: 9,557 ✭✭✭DublinWriter


    plodder wrote: »
    They probably used a key generation algorithm to generate individual keys from a master key.

    They do, but there's no 'master key'. The contents of every subdirectory is encrypted with a unique key and a ransom .txt file is left in each.


  • Registered Users Posts: 4,573 ✭✭✭Infini


    nc6000 wrote: »
    We should be making noises about expelling the Russian embassy staff from Ireland. I don't think it would keep Putin up at night but we have to stick up for ourselves somehow. It sounds like the Russian government know what these guys are up to and turn a blind eye.

    Some might feel like just lashing out at the Russians, but the best way to get the point across to them is not to simply kick them out but to make it clear that there are consequences to either doing nothing or continuing to allow this sort of thing to keep happening. Remember we are part of the EU and our way of doing things has always been through soft power. Getting the rest of the EU on board as well as the US on something like this is the better way to go, because they can help apply diplomatic pressure as well as economic pressure on Russia if they do nothing, which can be far more damaging. Attacking a private company is one thing, because they are the ones who need to be responsible for their internal affairs, but it's a whole different ball game to attack a country's health system during a time of crisis; it's the same as if during a conflict a combat force were to start attacking medical and hospital facilities. It's a low level to stoop to and it invites retaliatory strikes on them as well.


  • Registered Users Posts: 21,055 ✭✭✭✭Ash.J.Williams


    riclad wrote: »
    Networks can be hacked even if the security is good and all the systems are updated.
    But systems need to have a 24/7 backup policy:
    all patient data is backed up every day,
    backups are encrypted and read-only,
    each PC and user should have strong passwords,
    not all users have access to the whole network,
    there are backup logs of all user activity on the network.
    If all the PCs are hit by malware, the backups are there and the whole system can be restored offline if all the network PCs are erased.
    The hackers were on the network for 2 weeks; this does not inspire confidence in the level of security on the network.
    Maybe the HSE has union contracts re salaries for all staff and management,
    e.g. they cannot compete with the level of pay that private companies offer to
    high-level security experts.

    That’s the angle I’m taking; also make it as difficult as possible for the attack to spread within the network. Looks like they failed on both counts.


  • Registered Users Posts: 21,055 ✭✭✭✭Ash.J.Williams


    The ransomware deliberately avoids encrypting binary executable files (EXE, COM, DLL) for that exact reason. It just encrypts data files.

    I’ve experienced a blue screen and BIOS screen in a similar attack


  • Registered Users Posts: 4,573 ✭✭✭Infini


    nc6000 wrote: »
    I don't want to derail the thread with talk of the troubles but I think the difference here is that Russia seem quite happy to turn a blind eye to these attacks as long as it doesn't affect them.

    Yeah but this kind of thing if it goes on could provoke other states to launch similar attacks on THEIR infrastructure as well. Too much attention not only exposes them and puts the spotlight on them but it risks backfiring on them in the long term and if it resulted in people dying in a neutral country who are not hostile to them it risks serious damage to them.


  • Registered Users Posts: 4,327 ✭✭✭arctictree


    The nature of cyber crime is just so different than real world crime that I think the authorities are just way too far behind.

    I just looked at one of our server access logs and there are hundreds of login attempts daily. Should I report this to the guards? I mean if you had hundreds of people trying to gain access to your house each day, you would have the guards down....


  • Registered Users Posts: 1,259 ✭✭✭él statutorio


    That’s the angle I’m taking; also make it as difficult as possible for the attack to spread within the network. Looks like they failed on both counts.

    As an outsider, but someone who has dealt with a few of these incidents in a professional capacity: based on the very limited info that's publicly available, it looks to me like their backup system and/or backup policy may have been their weak point.

    If the backups were solid, then it's a few days of downtime while systems are wiped and restored.


  • Registered Users Posts: 2,545 ✭✭✭Martina1991


    We've had Linux-based (Ubuntu I think, wallpaper is a heron) computers set up today on wards in the hospital I work in, so we can check lab results again. It's the same lab system we used nearly 20 years ago and pretty clunky, but considerably better than nothing. Can't do anything else yet, but it'll take a bit of pressure off the labs with us ringing down looking for results. (Lab staff deserve a nice bonus after all this because it's a pure slog for them at the moment.)

    Oh, and just a by the by, if anyone has an outpatient procedure or appointment coming up, well worth ringing them to confirm, because they won't have any access to your phone number or address to contact you.

    I'm a medical scientist myself and it's been an absolute clusterfukc of a disaster the last week.

    Every patient's information hand-typed into the analyser, print off a copy of results with no reference ranges and have to go through every test result to redact any result that is flagged or affected by interferences. Hard copies kept in large filing cabinets.

    Blood transfusion dept have to manually record every detail of each blood product for use. Double and triple checks. Any simple mix-up or error could have a serious impact.

    Phones hopping all day with wards looking for results, on top of daft and non-urgent calls from GPs and things beyond our control.

    Extra staff needed at nights and weekends. Fatigued, mentally drained and no end in sight to it. After the onslaught of covid, talk about kicking you when you're down.

    One positive about it is that everyone (all over the hospital) has pulled together and done everything that has been asked of them with no notice. You really see how a hospital is like a machine. You have to get on with it. There's no other option.


  • Registered Users Posts: 13,995 ✭✭✭✭Cuddlesworth


    ineedeuro wrote: »
    It's been posted here that the HSE cannot hire any Security people because of the terrible pay they have on offer.

    It's been posted here they don't offer good wages, especially on the top end. Not that they can't get staff. There will always be somebody who applies for the role regardless.


  • Registered Users Posts: 9,557 ✭✭✭DublinWriter


    I’ve experienced a blue screen and BIOS screen in a similar attack

    Interesting. What was the attack?

    The National Cyber Security Centre interim report on the HSE attack notes that binaries are excluded, which is the same behaviour I originally witnessed in a similar attack ("WannaCry") on a similar Government agency back in 2017:

    https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf


  • Registered Users Posts: 554 ✭✭✭Fiftyfilthy


    nc6000 wrote: »
    We should be making noises about expelling the Russian embassy staff from Ireland. I don't think it would keep Putin up at night but we have to stick up for ourselves somehow. It sounds like the Russian government know what these guys are up to and turn a blind eye.
    Actually it might. Russia and Ireland have a strong relationship.


  • Registered Users Posts: 7,256 ✭✭✭plodder


    They do, but there's no 'master key'. The contents of every subdirectory is encrypted with a unique key and a ransom .txt file is left in each.
    Do you mean the hackers have not provided a 'master key'? If they haven't, how would you know that the individual keys were not generated from one anyway?

    If I were a hacker and I wanted to encrypt each directory/folder with a unique key, that is what I would do, as it would make it much easier to provide a working decryption tool.


  • Registered Users Posts: 13,995 ✭✭✭✭Cuddlesworth


    No disrespect to the HSE but in my personal opinion network and security should get outsourced to an industry leader

    I work on four of the world's largest networks, for the outsourcer in a very senior position. I would advise otherwise.


  • Registered Users Posts: 9,557 ✭✭✭DublinWriter


    plodder wrote: »
    Do you mean the hackers have not provided a 'master key'? If they haven't, how would you know that the individual keys were not generated from one anyway?

    What do you mean by 'master' key? All digital keys are unique.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    It's been posted here they don't offer good wages, especially on the top end. Not that they can't get staff. There will always be somebody who applies for the role regardless.

    Just because someone applies for a job doesn't mean you have to hire him/her.
    Are we saying that the HSE just hire people because they have no other choice? So Mary from HR could get a job in Security because she applied and nobody else did? Seems a bit of a crazy strategy.


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    ineedeuro wrote: »
    Just because someone applies for a job doesn't mean you have to hire him/her.
    Are we saying that the HSE just hire people because they have no other choice? So Mary from HR could get a job in Security because she applied and nobody else did? Seems a bit of a crazy strategy.

    The HSE, like every organisation, and sometimes more so than private, are constrained by a large number of factors when hiring someone.
    It's a pity that had to be pointed out, but we are where we are.

    Mary from HR won't get a job in security - all that being said.

    Are you based in the real world by the way? Or have you ever worked in any type of an organisation? (I need to establish some context to your viewpoints here)


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    I work on four of the world's largest networks, for the outsourcer in a very senior position. I would advise otherwise.

    Yeah, in fairness, outsourcing everything isn't always the answer, but outsourcing has a part to play.


  • Registered Users Posts: 13,995 ✭✭✭✭Cuddlesworth


    ineedeuro wrote: »
    Just because someone applies for a job doesn't mean you have to hire him/her.
    Are we saying that the HSE just hire people because they have no other choice? So Mary from HR could get a job in Security because she applied and nobody else did? Seems a bit of a crazy strategy.

    In any role, you can have good workers, bad workers and people who are just average.

    In tech-focused roles in IT organisations, there can be large skill differences and large pay differences between people in effectively the same official roles.

    The HSE don't have to hire anybody, but it's unlikely that people who have spent serious time and effort upskilling would apply for roles. The first question I ask any recruiter is the wage scale on offer and it never progresses beyond that question for the majority of roles, especially public service roles I have been approached for.


  • Registered Users Posts: 11,205 ✭✭✭✭hmmm


    No disrespect to the HSE but in my personal opinion network and security should get outsourced to an industry leader
    Ultimately I think everything ends up centralised in the cloud. There aren't enough security people available to secure all the networks, and it's an impossible job for most companies and organisations when faced with sophisticated attackers even with a good security team. Only the very biggest companies have the appropriate resources, and even they are getting hacked.

    In saying that you can't outsource everything. People will still click on links in emails and open funnykitten.html


  • Registered Users Posts: 7,256 ✭✭✭plodder


    What do you mean by 'master' key? All digital keys are unique.
    I mean a key that is used as input to a key derivation function like this one.

    Anything generated by this algorithm can be considered to be unique if you don't have the master key.


  • Registered Users Posts: 13,995 ✭✭✭✭Cuddlesworth


    kippy wrote: »
    Yeah, in fairness, outsourcing everything isn't always the answer, but outsourcing has a part to play.

    One of the worst things to outsource is the network because the network doesn't exist in relative isolation to the rest of the ecosystem but contractual obligations do.

    I have so many personal examples of it failing. Including playing whack a mole with ransom-ware, at significant cost to the client.


  • Registered Users Posts: 33,657 ✭✭✭✭NIMAN


    Could someone update the situation on this, as I have not been listening to any talk radio or news today, and just turned on the 4 o'clock news to hear that the criminal gang provided a key to unlock the data? For nothing?

    Is that right?

    If so, why did they do it FOC? Did they feel guilty for attacking a health service?

