
Ransomware & HSE


Comments

  • Registered Users Posts: 22 flask_fan


    Please explain the part in bold.






    rusty cole wrote: »
    What do you expect him to say?

    I expect him to explain how seriously they take the data whilst obtaining information illegally on Autistic children?

    https://www.irishtimes.com/news/health/call-for-inquiry-into-dossiers-collected-on-children-with-autism-1.4520038

    Or why for example they didn't take important data seriously as regards contacting women about their smear tests, this could have saved lives.

    The HSE only take data seriously when it has been compromised AND ONLY then allowed to be in the public domain. I'm glad they got caught out and I'd be first in line to sue them into obscurity on this alone.

    It would be hilarious if somebody set up a Facebook page for victims who've been contacted and had their very personal information sold to the highest bidder.
    They fought dying women tooth and nail into court and now they're flying the please don't sue us kite with this jockstrap attached the working end of it.


  • Registered Users Posts: 22 flask_fan


    Hibernicis wrote: »
    An apology
    An explanation
    Something that shows empathy for those impacted
    The establishment of an independent enquiry
    A statement setting out high level remedial actions

    Or just keep his trap shut

    Anything other than "the HSE takes people's data very seriously" when even their most ardent supporters would have to say that that statement is seriously suspect and of very questionable merit in light of recent experience.


    Why are you entitled to an apology?
    You wouldn't understand the explanation. (Not you personally but 'you' in general (in this specific case also you personally))


    Who is affected and how?


    An enquiry will doubtless be set up and sixty barristers will buy houses in Dalkey out of the proceeds.


  • Registered Users Posts: 745 ✭✭✭ClosedAccountFuzzy


    Just be thankful he didn’t mention seatbelts and trampolines. However, whatever about the choice of words and the person in the political hot seat, it changes nothing about the mess we are finding ourselves in, likely due to decades of underinvestment and not taking IT very seriously.

    These ambitious eHealth plans need to be toned down if there’s inadequate infrastructure to run them.


  • Registered Users Posts: 11,789 ✭✭✭✭BattleCorp


    rusty cole wrote: »
    The HSE only take data seriously when it has been compromised AND ONLY then allowed to be in the public domain. I'm glad they got caught out and I'd be first in line to sue them into obscurity on this alone.

    I'm happy to go against the grain here.

    Almost any organisation can get hacked. Very few foolproof systems out there.

    It's very difficult to stop a determined team of hackers, especially in an organisation with 67,000 direct employees. All it takes is one person to click a link and you can be undone.

    Secondly, you are glad they got caught out. So you are glad that people's sensitive information is out there? Why are you glad that people's personal medical records or PPS numbers are out there?

    Thirdly, if a load of people sue, and win their case, that's more money that will come out of the pot leaving less money for health services and will only increase the burden on the taxpayer. So, why do you want to sue them into obscurity?


  • Registered Users Posts: 2,903 ✭✭✭cadaliac


    rusty cole wrote: »
    What do you expect him to say?

    ....
    Or why for example they didn't take important data seriously as regards contacting women about their smear tests, this could have saved lives.

    The HSE only take data seriously when it has been compromised AND ONLY then allowed to be in the public domain. I'm glad they got caught out and I'd be first in line to sue them into obscurity on this alone.

    It would be hilarious if somebody set up a Facebook page for victims who've been contacted and had their very personal information sold to the highest bidder.
    They fought dying women tooth and nail into court and now they're flying the please don't sue us kite with this jockstrap attached the working end of it.

    This highlighted text speaks volumes about you.


  • Posts: 11,614 ✭✭✭✭ [Deleted User]


    BattleCorp wrote: »

    Thirdly, if a load of people sue, and win their case, that's more money that will come out of the pot leaving less money for health services and will only increase the burden on the taxpayer. So, why do you want to sue them into obscurity?

    You're ignoring the obvious answer - to get free money.


  • Registered Users Posts: 11,789 ✭✭✭✭BattleCorp


    You're ignoring the obvious answer - to get free money.

    Except it's not free. It's taxpayers money. And the consequence is that other people will miss out on medical treatment because there is less money to fund it.

    I'd bet they'd be the type of people to complain about waiting lists etc.


  • Registered Users Posts: 5,118 ✭✭✭TomOnBoard


    I applied for a job at the HSE network security as a pen tester. They weren't interested as I had no experience with felt-tipped. Only biros and fountain.

    They told me I needed more lead in my pencil! :mad:


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    ineedeuro wrote: »
    Really?
    The whole HSE is affected. If they improve the security controls they might get attacked again but this could be minimised to sectors of the HSE and not across the entire organisation.

    So are they using network segmentation? If not, and they introduce it, then if a sector gets attacked it is restricted to that sector.

    From what is suggested the hackers had free rein around the entire HSE for a number of weeks. This can be stopped so it never happens again. Do you not agree?

    Do they have a SOC/SIEM? Were the rules set up correctly to see this type of activity across the network? Can they be updated? If not, this can be added/updated to track better.

    This is just a start.

    It is impossible to be 100 percent secure.
    That is a fact.

    It is possible to have layers of risk mitigation in place, constrained by practical, budgetary, political, legal and business requirements but not possible to be 100 percent secure.

    And again, I will ask you, if the HSE and Irish government are so poor from an ICT security PoV - aren't you surprised it has taken so long for their security to have been breached?

    No doubt, learnings will be taken from then, as they are from breaches globally but is there any rationale for the HSE to release in specific detail their security policies and procedures (surely for obvious reasons)?


  • Registered Users Posts: 19,854 ✭✭✭✭Donald Trump


    TomOnBoard wrote: »
    They told me I needed more lead in my pencil! :mad:




    A good place to go to get yourself sorted would be Pen Island. You can guess their domain name. :D


  • Registered Users Posts: 29,115 ✭✭✭✭AndrewJRenko


    BattleCorp wrote: »
    I'm happy to go against the grain here.

    Almost any organisation can get hacked. Very few foolproof systems out there.

    It's very difficult to stop a determined team of hackers, especially in an organisation with 67,000 direct employees. All it takes is one person to click a link and you can be undone.
    In general I agree with you, but is the 'click a link' a bit of an over-simplification?

    If the person in question has no admin rights to install software on their local device, what harm will come from clicking the link?


  • Registered Users Posts: 19,854 ✭✭✭✭Donald Trump


    In general I agree with you, but is the 'click a link' a bit of an over-simplification?

    If the person in question has no admin rights to install software on their local device, what harm will come from clicking the link?




    There may be an exploit in the payload which is used to gain elevated privileges.


    Suppose you download a dodgy pdf. You can open pdfs normally. This one that you download also opens fine. But the hacker has embedded something in the pdf that exploits something in the version of Adobe Acrobat Reader you use. That is a very naive simplification of my understanding.


  • Registered Users Posts: 7,580 ✭✭✭Tow


    If the person in question has no admin rights to install software on their local device, what harm will come from clicking the link?

    Makes no difference what admin rights the user has.

    When is the money (including lost growth) Michael Noonan took in the Pension Levy going to be paid back?



  • Moderators, Politics Moderators Posts: 39,881 Mod ✭✭✭✭Seth Brundle


    The Oireachtas is finally hearing a bit of sense in terms of the remuneration for the director of the NCSC. Now they finally might attract someone into the role...
    The salary on offer for vacant role of director of the National Cyber Security Centre (NCSC) should be between €220,000 and €290,000 in order to compete with the private sector, TDs and Senators have been told.

    That’s considerably more than the €106,000 to €127,000 pay that had been on offer for the role.
    https://www.irishtimes.com/news/politics/cyber-security-centre-director-salary-should-be-up-to-185-000-higher-tds-told-1.4574677


  • Registered Users Posts: 7,256 ✭✭✭plodder


    In general I agree with you, but is the 'click a link' a bit of an over-simplification?

    If the person in question has no admin rights to install software on their local device, what harm will come from clicking the link?
    I'd say it was all kicked off by a user with administrative access to their own PC. It's probably a lot more common than people acknowledge.


  • Registered Users Posts: 29,115 ✭✭✭✭AndrewJRenko


    There may be an exploit in the payload which is used to gain elevated privileges.


    Suppose you download a dodgy pdf. You can open pdfs normally. This one that you download also opens fine. But the hacker has embedded something in the pdf that exploits something in the version of Adobe Acrobat Reader you use. That is a very naive simplification of my understanding.

    So in this scenario, there would need to be a bug in Adobe Reader that allows escalation of privileges?

    So this would mean either an outdated buggy version is installed, or this is a zero day exploit yet to be fixed?

    If the user is running latest versions, chances of this are minimised?


  • Registered Users Posts: 29,115 ✭✭✭✭AndrewJRenko


    The Oireachtas is finally hearing a bit of sense in terms of the remuneration for the director of the NCSC. Now they finally might attract someone into the role...
    https://www.irishtimes.com/news/politics/cyber-security-centre-director-salary-should-be-up-to-185-000-higher-tds-told-1.4574677
    Great news for all ICT staff in the public service!


  • Registered Users Posts: 29,115 ✭✭✭✭AndrewJRenko


    plodder wrote: »
    I'd say it was all kicked off by a user with administrative access to their own PC. It's probably a lot more common than people acknowledge.

    Certainly doesn't happen in my organisation though I've no idea about the HSE.


  • Registered Users Posts: 7,256 ✭✭✭plodder


    So in this scenario, there would need to be a bug in Adobe Reader that allows escalation of privileges?

    So this would mean either an outdated buggy version is installed, or this is a zero day exploit yet to be fixed?

    If the user is running latest versions, chances of this are minimised?
    That would primarily be a bug in Windows or some other privileged software component. It's a fairly basic principle of operating system security that applications (like Adobe reader) can't grant themselves privileges, whether they have bugs in them or not.
    Certainly doesn't happen in my organisation though I've no idea about the HSE.
    I don't know either, but all it takes is for personal laptops to be connected, maybe even from home over VPN. I could also imagine that in hospitals particularly some staff having need for specific applications/software that isn't directly supported by central IT.


  • Registered Users Posts: 6,980 ✭✭✭circadian


    mcsean2163 wrote: »
    No funding needed. A proper it policy and two good it people could secure and run the network.

    The HSE develops nothing. Choosing and integrating the correct systems is all that is needed. Then a support desk to tell people to turn on and off their computers.

    Solution: sign up with Microsoft Azure healthcare. That's half it and X millions per year saved. Instead they are using their own servers and these people (not all but a sizeable proportion), I'm sorry to say, shouldn't be let near patient data and hospital systems.

    What does Azure Healthcare do, exactly? Can you provide some details on what services are available that the HSE could make use of to streamline their IT?
    I am a software developer, and one of the most important aspects of the system software is to make it forward platform compatible. Win32 or Win64 does not lose functionality with newer versions. It just gains functionality. Make your software compatible with the lowest common denominator. But don't create any dependencies on third party drivers. Write all of the interfaces yourself and stick to Win32 compatibility for these interfaces. If you have to sacrifice graphics/speed in doing so, so be it.


    This is all fine and well, best practice designs and all that. However, vendors often intentionally make their software difficult to upgrade/move away from. Lock in is a real thing, especially when it comes to the Health sector. The providers continue to get those sweet, sweet extended support contracts while many of the computers/vms/servers or whatever else continue to fall out of date as significant OS upgrades make the software unusable. Often these providers will offer absolutely no support at OS level, leaving you with two options.

    Leave it broken.
    Roll back.

    When these things go out to tender for companies, I'm always surprised at the amount of people who don't look at vendor lock-in and if it's worth their time.


  • Registered Users Posts: 29,115 ✭✭✭✭AndrewJRenko


    plodder wrote: »


    I don't know either, but all it takes is for personal laptops to be connected, maybe even from home over VPN. I could also imagine that in hospitals particularly some staff having need for specific applications/software that isn't directly supported by central IT.

    I'd have thought that personal devices would only be permitted over Citrix or similar to avoid any risk of infection.


  • Posts: 0 [Deleted User]


    flask_fan wrote: »
    Please explain the part in bold.

    OK just cos it's you, I'll bite but just as you've been under a rock it seems the last few years.

    read below from a national press publication at the time.
    People could have undergone trial treatment etc and lives could have been saved.
    I don't think anyone disputes this, or do you?

    what more do you need to know as to how the HSE handle important information and data?
    It seems even when they have control over it, they still mishandle/withhold/omit the bloody thing!


    Mr Reid said he is “really sorry” for the undue concern caused to a lot of women: “I sincerely apologise to all of the women involved.”

    He described the handling of the delayed reporting of cervical smear results as a “major communications failure.”

    It emerged that 4,088 women were affected by an information technology problem that disrupted the distribution of smear test results from Quest Laboratories in the United States.

    Mr Reid commissioned Brian MacCraith to conduct a “rapid review” of delays in issuing cervical screening HPV retest results.

    His report found there was a decision not to communicate with women about the IT glitch for six months this year.

    Between February and last week, there was no communication with most of the women involved.

    Mr Reid said the HSE “accepts entirely” the findings of the MacCraith review and that the health authority will quickly and carefully implement each of the recommendations in full.

    “The HSE wishes to reiterate its apology to all of the women impacted by the delays in issuing important information to them,” he said.

    He also wants to “sincerely apologise” to patient advocates who felt “let down” by the health authority and “left out of the loop” in communications on the latest controversy.






  • Registered Users Posts: 7,256 ✭✭✭plodder


    I'd have thought that personal devices would only be permitted over Citrix or similar to avoid any risk of infection.
    That might be reasonable policy. Can it be enforced though? Can they even detect if someone plugs their own PC/equipment into the network in the office?

    I know some places will protect wifi networks with systems like SecureW2, but the wired networks are completely open, depending on physical building security, and people obeying the rules. But, rules are often bent, exceptions made etc.


  • Registered Users Posts: 21,053 ✭✭✭✭Ash.J.Williams


    Personal devices absolutely should not be on the company WiFi if it’s integrated with the main network; there are encryption packages for firms to permit devices if required.

    Token based Guest WiFi for limited personal WiFi


  • Registered Users Posts: 9,557 ✭✭✭DublinWriter


    In general I agree with you, but is the 'click a link' a bit of an over-simplification?

    If the person in question has no admin rights to install software on their local device, what harm will come from clicking the link?

    Not really. A user may have no admin rights on their local device, but if they've got a group/sectional network file-share open with read/write access to tens of thousands of files, then it's open-season for ransomware.

    People tend to over-complicate these attacks. 50% of them are all about social-engineering. In the original 'Wannacry' attack I witnessed, the user received a very convincing email from Eircom regarding their account.
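
The point in the post above, that a non-admin account with read/write access to a large file share is enough for ransomware, is also what makes the activity detectable: one account modifying many distinct files in a short window. The following is an added example, not part of the thread; the audit-line format, account names, window and threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MODIFYING_OPS = {"WRITE", "RENAME", "DELETE"}


def parse(line):
    """Split one audit line: '<ISO timestamp> <account> <op> <path>'."""
    ts, account, op, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), account, op, path


def flag_mass_modification(lines, window=timedelta(seconds=60), threshold=100):
    """Return {account: (time, distinct_files)} for the first moment an account
    modifies `threshold` distinct files within `window`. Lines must be in
    chronological order."""
    recent = defaultdict(deque)  # account -> (timestamp, path) inside the window
    alerts = {}
    for line in lines:
        ts, account, op, path = parse(line)
        if op not in MODIFYING_OPS or account in alerts:
            continue  # reads are ignored; one alert per account is enough
        events = recent[account]
        events.append((ts, path))
        while ts - events[0][0] > window:  # drop events older than the window
            events.popleft()
        distinct = len({p for _, p in events})
        if distinct >= threshold:
            alerts[account] = (ts, distinct)
    return alerts


def constructed_sample():
    """Constructed audit lines: user_a saves a file every 10 minutes; user_b,
    also a non-admin account, rewrites 300 files at 10 per second."""
    base = datetime(2021, 6, 1, 9, 0, 0)
    lines = []
    for i in range(20):
        t = base + timedelta(minutes=10 * i)
        lines.append(f"{t.isoformat()} user_a WRITE /share/dept/doc_{i:02d}.docx")
        lines.append(f"{t.isoformat()} user_a READ /share/dept/ref_{i:02d}.pdf")
    for i in range(300):
        t = base + timedelta(hours=1, seconds=i // 10)
        lines.append(f"{t.isoformat()} user_b WRITE /share/dept/scan_{i:04d}.pdf")
    return sorted(lines)  # ISO timestamps sort chronologically as text


if __name__ == "__main__":
    for account, (when, count) in flag_mass_modification(constructed_sample()).items():
        print(f"ALERT {account}: {count} distinct files modified by {when}")
```

Neither account in the sample has admin rights; only the write rate separates them, which is why the rule keys on distinct files per window rather than on privilege.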


  • Registered Users Posts: 3,337 ✭✭✭Wombatman


    Not really. A user may have no admin rights on their local device, but if they've got a group/sectional network file-share open with read/write access to tens of thousands of files, then it's open-season for ransomware.

    People tend to over-complicate these attacks. 50% of them are all about social-engineering. In the original 'Wannacry' attack I witnessed, the user received a very convincing email from Eircom regarding their account.

    They usually enter using phished credentials or via malware that enables command-and-control.

    Once in they can use an attack like this to bypass user account control.

    https://www.securityinbits.com/malware-analysis/uac-bypass-analysis-stage-1-ataware-ransomware-part-2/


  • Registered Users Posts: 4,931 ✭✭✭dingding


    plodder wrote: »
    That might be reasonable policy. Can it be enforced though? Can they even detect if someone plugs their own PC/equipment into the network in the office?

    I know some places will protect wifi networks with systems like SecureW2, but the wired networks are completely open, depending on physical building security, and people obeying the rules. But rules are often bent, exceptions made etc.

    There can be MAC address access enforced at switch level. It can be set up that the first device plugged in is the only MAC address it will allow. Plugging in anything else, will not be allowed through the network.


  • Registered Users Posts: 9,605 ✭✭✭gctest50


    dingding wrote: »
    There can be MAC address access enforced.......

    2002 called and said hi


  • Registered Users Posts: 2,251 ✭✭✭speckle




  • Registered Users Posts: 15,679 ✭✭✭✭Beechwoodspark


    What’s going on folks.... have the hackers given up or why haven't they carried out their threat of dumping the data?

