
Ransomware & HSE


Comments

  • Registered Users Posts: 13,995 ✭✭✭✭Cuddlesworth


    MarkEadie wrote: »
    A zero day is an exploit that hasn't been found yet.

    No, a "new" zero day exploit is one that hasn't been found yet. A "zero day" by reference is really just a term for a critical exploit that has to be patched/mitigated immediately upon discovery. All virus/ransomware attacks use known exploits in the very realistic hope of finding unpatched machines, and it's most likely the usage of one of them that first alerted the Department of Health to the attack.

    And regardless of that, modern IT infra assumes all devices and users are hostile. A single device getting infected shouldn't be able to wreak havoc across multiple systems and sites like it did.


  • Registered Users Posts: 2,545 ✭✭✭Martina1991


    mrjoneill wrote: »
    Serious issues have arisen in the past with telephone consultations. Systems have been put in place so there will be no mistakes. I recall one incident which had tragic result and a young 21yr old died as the result when the GP could not interpret the bloods as taken down by his secretary and the follow up hospital letter the GP claimed he never got. The patient died as the result of a treatable condition which the GP claimed he was not aware of the patient's condition and the hospital file had a sticky note which was not seen till after the patient's death when a review was being done of the patient to determine the cause of death. Without fail-safe sys mistakes will be made, that is what makes this attack on the health services most obnoxious.

    I know of the case you're talking about. That person's mother actually spoke at a medical laboratory conference I was at and it was powerful.

    There are policies in place for the communication of results. There are electronic records of what result phoned, to who, the time, date etc.
    The laboratory communicates critical results that require immediate attention. They will never ring unless it is urgent.

    It is very difficult to phone a critical result after 5pm when GPs are closed. You're left ringing the out of hours GP services who have no clue who the patient is. The onus is on the requesting clinician to provide a contact number as the patient is ultimately in their care. But a medical scientist is left with the result and has to find a way to go through the proper channels. We have no authority to ring the patient ourselves. I've heard awful stories of having to ring the guards as a last resort to contact a patient.

    It's still an area that has the potential for error with or without the cyber attack.


  • Registered Users Posts: 7,256 ✭✭✭plodder


    kippy wrote: »
    This kind of thing is all well and good for small organisations with limited type of devices connecting to a network, but client certificates aren't the answer.

    Sure, certainly not on their own. Whether they are worth the effort at all is debatable. I could count the number of web sites I know of that use them on one finger :pac:


  • Registered Users Posts: 7,090 ✭✭✭Jeff2


    paul71 wrote: »
    LOL, so if you are over the age of 45 and ever used a pc run on MS-dos you are a hacker!

    The guy on Liveline claiming he was hacked 18 years ago and pressed CTRL ALT DEL sorted it was funny.
    Thinking the HSE should have done that.


  • Registered Users Posts: 3,068 ✭✭✭Specialun


    I've worked on projects with HSE hospitals and I really feel for the IT teams here. They don't just wake up in the morning and decide to do a rubbish job. Most take their role very seriously. There is no such thing as a silver bullet and regardless of what most think it's near impossible to avoid being compromised.

    Health care environments are some of the most complicated environments out there. Add in red tape, lack of understanding at a high level and just a lack of cyber security knowledge, then the guys/gals were always going to get a kicking at some stage.

    I would like to think that the gov will learn from this but the reality is that they won't. When this is over, instead of looking at the hard facts they will just look to politicise it as a victory.

    It's about time Ireland takes cyber security seriously. Even start with looking to increase knowledge with current staff and looking to bring in more younger talent. If you're a grad from computer science or similar why would you go work for the gov when you have a security multinational throwing money at you and you can travel the world? Why don't the gov pay for courses, but as part of this you have to work with the gov in a cyber security role for x amount of years?

    What's really annoyed me from this is just the lack of understanding or the hyperbole. Reid coming out with statements like they have messed with the wrong guys here... err no pal. Then add in Donnelly just talking rubbish. Like, not everything needs a headline. Just give the guys the knowledge and budget to mitigate the risk better.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    Jeff2 wrote: »
    The guy on Liveline claiming he was hacked 18 years ago and pressed CTRL ALT DEL sorted it was funny.
    Thinking the HSE should have done that.

    Don’t tell me they didn’t reboot


  • Registered Users Posts: 8,211 ✭✭✭realdanbreen


    ineedeuro wrote: »
    What would be very useful is if the hackers released a statement on what happened. Never mind the HSE doing a "review"
    Explain how they got in and did they expect such a huge impact? did the actions of the HSE help or hinder the progress of the virus.

    Maybe Ryan could get them on the Late Late Show?


  • Registered Users Posts: 8,211 ✭✭✭realdanbreen


    Doubt they'll dump it. More lucrative to sell the data.

    Ahem!, I think he meant dump it on the web.


  • Registered Users Posts: 9,416 ✭✭✭Cluedo Monopoly


    Maybe Ryan could get them on the Late Late Show?

    Claire Byrne would get them to hack the HSE again live. We could view your X-rays from after the Junior C match in 2016.

    I think a Vincent Browne interview would be best.

    What are they doing in the Hyacinth House?



  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    Maybe Ryan could get them on the Late Late Show?

    Ryan could tell them a story about a computer he bought! It would be fantastic


  • Registered Users Posts: 8,211 ✭✭✭realdanbreen


    I'm far from being an IT expert but was wondering.
    These particular hackers apparently operate freely in Russia provided they don't attack any Russian businesses or interests. So what if we, HSE etc., put a virtual Russian keyboard or something like that into our systems so the hackers' malware thinks it's a Russian system it's attacking and backs off, so to speak?


  • Registered Users Posts: 81,220 ✭✭✭✭biko


    If only it was that easy realdanbreen :)


  • Registered Users Posts: 8,211 ✭✭✭realdanbreen


    biko wrote: »
    If only it was that easy realdanbreen :)

    Where do you see the problem?


  • Posts: 5,917 ✭✭✭ [Deleted User]


    Where do you see the problem?

    I've a US and Chinese keyboard layout, doesn't mean the computer is in the U.S. or China


  • Registered Users Posts: 8,211 ✭✭✭realdanbreen


    DubInMeath wrote: »
    I've a US and Chinese keyboard layout, doesn't mean the computer is in the U.S. or China

    Have you a Russian layout?


  • Registered Users Posts: 1,574 ✭✭✭Hibernicis


    Reality finally starting to kick in....

    "Cyber attack will cost HSE at least €100 million" Paul Reid
    Mr Reid said the HSE was keen to see an independent and objective assessment of the cyberattack.

    The HSE board has discussed the need for an assessment at its most recent meeting and will finalise proposals soon, he told a weekly HSE briefing on Thursday.

    In addition, the international consultants who have been helping the HSE to restore services after the attack will provide it with an objective report on the incident, he said. Mr Reid stressed there was an urgent need for learning across the public services from what had happened.

    Paul Reid and the HSE Board (and the Department of Health) have some really serious governance issues they need to address and questions that they need to answer.


  • Posts: 5,917 ✭✭✭ [Deleted User]


    Have you a Russian layout?

    I do now, computer still isn't in Russia


  • Registered Users Posts: 8,211 ✭✭✭realdanbreen


    DubInMeath wrote: »
    I do now, computer still isn't in Russia

    Sure, but the malware wouldn't know that.


  • Registered Users Posts: 4,928 ✭✭✭skimpydoo


    I'm far from being an IT expert but was wondering.
    These particular hackers apparently operate freely in Russia provided they don't attack any Russian businesses or interests. So what if we, HSE etc., put a virtual Russian keyboard or something like that into our systems so the hackers' malware thinks it's a Russian system it's attacking and backs off, so to speak?

    Ronan Murphy of Smarttech247 suggested this last week.


  • Registered Users Posts: 81,220 ✭✭✭✭biko


    Where do you see the problem?

    The problem is the hackers will know the location of the system afore they break into it.

    Your laptop could be set to use Russian, I will still know where your laptop is before I hack it.
    It was a directed attack against a system that had been found to have a flaw. From the IP alone the hacker would know this was an Irish system.


  • Registered Users Posts: 714 ✭✭✭Pops_20


    Sure, but the malware wouldn't know that.

    I'm sure the malware uses a more advanced method to check that.
    In fact it probably just uses the Windows APIs RegOpenKeyA and RegGetValueA to check the registry key "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language" and to get the value of it.

    The value will tell the malware the default language on the system and if it's set to Russian the code will just exit there.

    However the Conti Ransomware is human operated to an extent, so they're probably already on the target system, and if not, they can use other methods to make sure it's not a Russian system :)
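
Added example, not part of any post in this thread: a small audit script showing what the registry value mentioned above holds and how it differs from the keyboard layout list discussed earlier. The `reg query` text is constructed sample output for one hypothetical host (Russian layout added, system default left at English (Ireland)); the value names `Default`/`InstallLanguage` and the `Keyboard Layout\Preload` key are standard Windows locations, and the language table is deliberately partial.

```python
import re

# Constructed `reg query` output for one hypothetical host (not from the thread):
# a Russian keyboard layout has been added, the system default was left alone.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language
    Default    REG_SZ    1809
    InstallLanguage    REG_SZ    0409

HKEY_CURRENT_USER\Keyboard Layout\Preload
    1    REG_SZ    00001809
    2    REG_SZ    00000419
"""

# Primary language IDs (low 10 bits of a Windows LANGID); partial table.
PRIMARY = {0x09: "English", 0x19: "Russian", 0x22: "Ukrainian"}

VALUE_LINE = re.compile(r"^\s{4}(\S+)\s{4}(REG_\w+)\s{4}(.*)$")

def parse_reg_query(text):
    """Return {key_path: {value_name: data}} from `reg query` text output."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif current is not None and (m := VALUE_LINE.match(line)):
            current[m.group(1)] = m.group(3).strip()
    return keys

def primary_language(hex_id):
    """Decode a LANGID or keyboard-layout ID string to its primary language."""
    langid = int(hex_id, 16) & 0xFFFF  # layout IDs carry the LANGID in the low word
    primary = langid & 0x3FF           # the upper 6 bits are the sublanguage (region)
    return PRIMARY.get(primary, f"unknown(0x{primary:02x})")

def language_report(text):
    """Summarise what each registry location says about the host's language."""
    keys = parse_reg_query(text)
    nls = next(v for k, v in keys.items() if k.endswith(r"Nls\Language"))
    preload = next(v for k, v in keys.items() if k.endswith(r"Keyboard Layout\Preload"))
    return {
        "system_default": primary_language(nls["Default"]),
        "install_language": primary_language(nls["InstallLanguage"]),
        "keyboard_layouts": [primary_language(v) for _, v in sorted(preload.items())],
    }

if __name__ == "__main__":
    print(language_report(SAMPLE))
```

On the sample host the keyboard list includes Russian while the system default still decodes to English, so the two settings are independent pieces of local configuration and neither says anything about where the machine is.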


  • Registered Users Posts: 1,574 ✭✭✭Hibernicis


    In the context of this attack having a Cyrillic keyboard attached to a laptop would be about as useful as hanging a picture of Putin on the wall of Paul Reid’s office or leaving a bottle of vodka on his desk.

    This wasn’t some random virus running on a single laptop. It was a sophisticated bespoke attack on a complex environment incorporating thousands of servers and tens of thousands of PCs and laptops. It occurred in at least four phases: (1) remote access by humans to the HSE environment; (2) discovery and study of the HSE environment by these humans; (3) manual data selection, extract and export; (4) automated data encryption. The second phase, in which the operators study the environment and the data/documents it contains, would make it very clear to the operators that this was not located in Russia. And this happens before there is any automated encryption.

    For anybody that is interested, this article by Sophos (one of a series) explains in detail how the Conti Ransom Attack operates.


  • Registered Users Posts: 1,574 ✭✭✭Hibernicis


    Hibernicis wrote: »
    Reality finally starting to kick in....

    "Cyber attack will cost HSE at least €100 million" Paul Reid
    Mr Reid said the HSE was keen to see an independent and objective assessment of the cyberattack.

    The HSE board has discussed the need for an assessment at its most recent meeting and will finalise proposals soon, he told a weekly HSE briefing on Thursday.

    In addition, the international consultants who have been helping the HSE to restore services after the attack will provide it with an objective report on the incident, he said. Mr Reid stressed there was an urgent need for learning across the public services from what had happened.

    Paul Reid and the HSE Board (and the Department of Health) have some really serious governance issues they need to address and questions that they need to answer.

    The Independent (in this article) has a very worrying addition to the above:
    He said that he is open to an independent assessment of the circumstances and background to the attack amid criticism that the service was not properly protected.

    The HSE board is finalising details around this kind of inquiry, he added.

    There is no way in hell that the Board of the HSE (or for that matter the Department of Health) should be allowed set the terms of any enquiry. It is their governance and stewardship that needs to be at the centre of the enquiry. If either of these bodies set the terms of reference we will get a report telling us absolutely nothing useful and protecting the real culprits.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    Hibernicis wrote: »
    The Independent (in this article) has a very worrying addition to the above:



    There is no way in hell that the Board of the HSE (or for that matter the Department of Health) should be allowed set the terms of any enquiry. It is their governance and stewardship that needs to be at the centre of the enquiry. If either of these bodies set the terms of reference we will get a report telling us absolutely nothing useful and protecting the real culprits.

    It will be all swept under the carpet, based on people's reaction on here they will have no problem with that either


  • Registered Users Posts: 1,311 ✭✭✭nullObjects


    Hibernicis wrote: »
    Reality finally starting to kick in....

    "Cyber attack will cost HSE at least €100 million" Paul Reid



    Paul Reid and the HSE Board (and the Department of Health) have some really serious governance issues they need to address and questions that they need to answer.

    They must have had no contingencies or backups at all for that sort of figure to be thrown around.
    Seems like it could be months before they are back up if that is the scope of work involved


  • Registered Users Posts: 727 ✭✭✭C.O.Y.B.I.B


    They must have had no contingencies or backups at all for that sort of figure to be thrown around.
    Seems like it could be months before they are back up if that is the scope of work involved

    I imagine (hope) that figure includes beefing up the existing systems although a lot of what they need to do is policy/procedural .


  • Registered Users Posts: 1,311 ✭✭✭nullObjects


    I imagine (hope) that figure includes beefing up the existing systems although a lot of what they need to do is policy/procedural .

    I'd hope that too but I'm not sure. Hopefully they allocate money for other departments to get their IT infrastructure up to date. It would be embarrassing for them if the same thing was to happen another system


  • Registered Users Posts: 1,665 ✭✭✭notAMember


    They must have had no contingencies or backups at all for that sort of figure to be thrown around.
    Seems like it could be months before they are back up if that is the scope of work involved

    I doubt it. That's a small number in healthcare IT terms... Replacing even one single system can be 10 million. Their whole ecosystem is gone.

    And it will be years, or never for some systems I'd say. They've most likely decided to leave some dead.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    It's a shambles the whole thing. But sure people here will tell you that nobody is to blame :-)


  • Registered Users Posts: 7,256 ✭✭✭plodder


    Hibernicis wrote: »
    Reality finally starting to kick in....

    "Cyber attack will cost HSE at least €100 million" Paul Reid



    Paul Reid and the HSE Board (and the Department of Health) have some really serious governance issues they need to address and questions that they need to answer.

    That's shocking. It has to involve multiple systems that aren't supported or maintained and they aren't able to restore them from backups. So, they have to purchase new systems from scratch. At least, I can't imagine how they could burn that much money just on consultant's fees. There needs to be a serious enquiry into this and explanation for the disaster.

