Ransomware & HSE

Anita Blow

Wombatman wrote: »

I pity the IT staff in there. Must be under so much pressure. Hard not to succumb to guilt or being guilt tripped into working crazy hours.



https://www.rte.ie/news/ireland/2021/0603/1225850-cyber-attack/

In my own hospital while I've been working nights the IT staff have been on-site working away up til 2/3am. They're doing fantastic

irishgeo

The army are in helping too.

Gregor Samsa

Gregor Samsa wrote: »

For enterprises, cloud services are for providing active services, not for backups. No-one moves a datacenter or app server to AWS and then thinks "grand, Amazon are looking after all that for me". Or at least they definitely shouldn't think that.

For consumers, of course things are a little different. Many cloud services do pitch themselves as backup services, and many people do use them as such. But it's not a "backup" if it's the only place you have your data, which people are increasingly doing (with iCloud, Google Drive, OneDrive, etc). Local copy, cloud copy, another cloud copy with a different provider would probably be enough for most people to mitigate against most risks, with offsite backups on a robust physical medium for the most valuable data worth doing too.

After reading here today I added AWS to "back-up" my files, which I need for income tax returns etc. I also have them on 3 other cloud locations. Would never rely on one. As for hard drives at home, apart from fire risk etc, I've encountered too many failures to trust.

Hotblack Desiato

Gregor Samsa wrote: »

There isn't just one encryption key. Each file is encrypted with a separate key. So even if you get the keys, it takes ages to run though all the files and decrypt them.

That is not the case at all.

A well written Conti decryptor will unencrypt a PC in between 20 mins - 3 hours depending on number of files and disk speed.

Gregor Samsa

Hotblack Desiato wrote: »

That is not the case at all.

A well written Conti decryptor will unencrypt a PC in between 20 mins - 3 hours depending on number of files and disk speed.

And how many computers are there?

Emsisoft themselves say their tool (the one the HSE is using), does about 180GB an hour on mechanical disks. At a rough calculation, if 700TB of data was stolen, and we assume that much was encrypted, it would therefore take 3,982 hours to decrypt it which is 165 days.

Obviously you could do multiple machines at a time in parallel, but you still have setup and verification time to add on top of that. Plus that’s just decrypting the data, not removing the malware or resetting all the damage done. You also want the systems to end up in a better and more secure state than they were when they were compromised, which is time intensive too.

So yeah, it’s not that quick.

Hotblack Desiato

There are two massive projects running in parallel - server decryption, cleaning, verification and trust/AD restoration

and the same with endpoints.

My post was in relation to the latter but public posts from Reid etc. state that the server decryption process has been proceedling at a good pace, the next step after that is to verify no lurking malware etc. then restore to the domain and bring services back.

That's no use without endpoints though, and these were either knocked offline or physically unplugged to try to limit damage, each has to be visited, decrypted, inspected and plugged back in individually, and when they're scattered all over the place that's a big task.

Lewis_Benson

No one to blame only themselves.
A mate of mine was in hospital this week.
Left in a consulting room on his own for 20 mins.

Workstation in front of him, user logged in, unlocked, and a username and password on a post it note stuck to the monitor.

kippy

Lewis_Benson wrote: »

No one to blame only themselves.
A mate of mine was in hospital this week.
Left in a consulting room on his own for 20 mins.

Workstation in front of him, user logged in, unlocked, and a username and password on a post it note stuck to the monitor.

Noone to blame only themselves?
Really?
You don't blame those that actually infiltrated the network or carried out the crime?

Not condoning the second part of your post mind, that's one of the challenges security has in large scale and complex environments but that does not absolve the perpetrators of the majority of blame.

plodder

Gregor Samsa wrote: »

And how many computers are there?

Emsisoft themselves say their tool (the one the HSE is using), does about 180GB an hour on mechanical disks. At a rough calculation, if 700TB of data was stolen, and we assume that much was encrypted, it would therefore take 3,982 hours to decrypt it which is 165 days.

Obviously you could do multiple machines at a time in parallel, but you still have setup and verification time to add on top of that. Plus that’s just decrypting the data, not removing the malware or resetting all the damage done. You also want the systems to end up in a better and more secure state than they were when they were compromised, which is time intensive too.

So yeah, it’s not that quick.

I thought it was 800 GB. Whatever it was would have to have been encrypted over night. Otherwise, someone would have noticed the problem sooner?

Hibernicis

Gregor Samsa wrote: »

And how many computers are there?

Emsisoft themselves say their tool (the one the HSE is using), does about 180GB an hour on mechanical disks. At a rough calculation, if 700TB of data was stolen, and we assume that much was encrypted, it would therefore take 3,982 hours to decrypt it which is 165 days.

Obviously you could do multiple machines at a time in parallel, but you still have setup and verification time to add on top of that. Plus that’s just decrypting the data, not removing the malware or resetting all the damage done. You also want the systems to end up in a better and more secure state than they were when they were compromised, which is time intensive too.

So yeah, it’s not that quick.

The amount of data stolen was said to be 700GB, not 700TB. Based on the reports to date there is no link between the amount of data which was stolen and the amount of data which was encrypted as the data was stolen first with the encryption happening later.

seamus

Lewis_Benson wrote: »

No one to blame only themselves.
A mate of mine was in hospital this week.
Left in a consulting room on his own for 20 mins.

Workstation in front of him, user logged in, unlocked, and a username and password on a post it note stuck to the monitor.

This is not necessarily a security issue. I've seen similar in hospitals, but when you observe the staff using it, for every application they open, they get prompted for a username and password that isn't the one on the post it note.

The post it note can be there just in case the machine gets locked by accident, but it's been otherwise configured to run open so that staff aren't slowed down. If the logged-in user has zero privileges, there's no real issue.

If you were in a busy A&E and everyone had to log into every workstation with their own credentials, it would be massive hindrance as staff move from room to room and cubicle to cubicle.

Fils

Is RTE safe David^

ineedeuro

kippy wrote: »

Noone to blame only themselves?
Really?
You don't blame those that actually infiltrated the network or carried out the crime?

Not condoning the second part of your post mind, that's one of the challenges security has in large scale and complex environments but that does not absolve the perpetrators of the majority of blame.

If we only had the same attitude towards criminals in Ireland. The standard reaction is to blame the Garda and when a criminal is caught we hear about "what a lovely family he is from".

Also the HSE have hired and paid people to stop these people, if Garda get the blame because of the actions of criminals in Ireland do the HSE not have any blame for not doing their job?

Wombatman

seamus wrote: »

This is not necessarily a security issue. I've seen similar in hospitals, but when you observe the staff using it, for every application they open, they get prompted for a username and password that isn't the one on the post it note.

The post it note can be there just in case the machine gets locked by accident, but it's been otherwise configured to run open so that staff aren't slowed down. If the logged-in user has zero privileges, there's no real issue.

If you were in a busy A&E and everyone had to log into every workstation with their own credentials, it would be massive hindrance as staff move from room to room and cubicle to cubicle.

There is so much wrong with this I don't know here to start.

You are saying they have to login to use every application but that logging into the endpoint itself would be a massive hinderance. Maybe use SSO then?

Why are you assuming the logged in user has no privileges?

The case cited it the ultimate horror in terms of endpoint security and flies in the face of any basic security training an end user should receive.

We all feel for the IT staff in the HSE but that shouldn't make us apologists for the horrible IT practices in the organisation.

ineedeuro

seamus wrote: »

This is not necessarily a security issue. I've seen similar in hospitals, but when you observe the staff using it, for every application they open, they get prompted for a username and password that isn't the one on the post it note.

The post it note can be there just in case the machine gets locked by accident, but it's been otherwise configured to run open so that staff aren't slowed down. If the logged-in user has zero privileges, there's no real issue.

If you were in a busy A&E and everyone had to log into every workstation with their own credentials, it would be massive hindrance as staff move from room to room and cubicle to cubicle.

Yes they do, that's how they keep a track of what is going on. Otherwise a nurse could log in, the whole department use it, mistakes are made and the finger is pointed at the wrong nurse

I haven't had to use hospitals much but at my children been born it was clear as each nurse came in they logged into the computer. Even when going on break they logged out and the new nurse logged in.

If the HSE are not using SSO then I wouldn't be patting anyone on the back for staying up till 2-3, I would be asking them what the f**k they have been doing for the past 10 years.

Anita Blow

Computers have a generic login which has no user privileges, no documents/data saved or external drive access on those generic accounts in clinic rooms or open areas. It just provides access to online labs/radiology/EPR all of which require an individual username/password.

I don't really see a practical alternative to this- to log out and log in completely takes about 5 min to load your own account which wouldn't be feasible in a busy ED or 20-person clinic where you might have to pop in and out of each consultation 1-2 times. That's the utility of having generic computer logins for these areas which have minimal data or access

ineedeuro

Anita Blow wrote: »

Computers have a generic login which has no user privileges, no documents/data saved or external drive access on those generic accounts in clinic rooms or open areas. It just provides access to online labs/radiology/EPR all of which require an individual username/password.

I don't really see a practical alternative to this- to log out and log in completely takes about 5 min to load your own account which wouldn't be feasible in a busy ED or 20-person clinic where you might have to pop in and out of each consultation 1-2 times. That's the utility of having generic computer logins for these areas which have minimal data or access

Why would a login take 5 mins? haven't a number of hospitals gone paperless with the whole point of that having an online track of everything.

ineedeuro

ineedeuro wrote: »

Yes they do, that's how they keep a track of what is going on. Otherwise a nurse could log in, the whole department use it, mistakes are made and the finger is pointed at the wrong nurse

I haven't had to use hospitals much but at my children been born it was clear as each nurse came in they logged into the computer. Even when going on break they logged out and the new nurse logged in.

If the HSE are not using SSO then I wouldn't be patting anyone on the back for staying up till 2-3, I would be asking them what the f**k they have been doing for the past 10 years.

SSO for what?

Do the third party desktop applications that they use support SAML/Kerberos to your knowledge?

The Irish company that supplies the majority of pharmacy, GP and consultant based software don't.

Anita Blow

ineedeuro wrote: »

Why would a login take 5 mins? haven't a number of hospitals gone paperless with the whole point of that having an online track of everything.

Everyone has their own account which is stored centrally so when you log in all your stuff has to be loaded which takes absolutely ages. The utility of the generic logins (which themselves are specific to that clinic or ED computer) is that they’ve nothing to load so are much quicker.

Vast vast majority of hospitals have no gone paperless. Only some of the maternity hospitals and one adult hospital (SJH) have gone paperless and even then it’s an online portal which still requires the computer to be logged in (which again is just a generic Windows login)

ineedeuro

Anita Blow wrote: »

Everyone has their own account which is stored centrally so when you log in all your stuff has to be loaded which takes absolutely ages. The utility of the generic logins (which themselves are specific to that clinic or ED computer) is that they’ve nothing to load so are much quicker.

Vast vast majority of hospitals have no gone paperless. Only some of the maternity hospitals and one adult hospital (SJH) have gone paperless and even then it’s an online portal which still requires the computer to be logged in (which again is just a generic Windows login)

Sounds like single sign on, so one username and password and gets you access to all the tools you need to use?

kippy

ineedeuro wrote: »

If we only had the same attitude towards criminals in Ireland. The standard reaction is to blame the Garda and when a criminal is caught we hear about "what a lovely family he is from".

Also the HSE have hired and paid people to stop these people, if Garda get the blame because of the actions of criminals in Ireland do the HSE not have any blame for not doing their job?

Who blames the Gardai for the actions of criminals?

kippy

SSO for what?
Are posters here aware of the multitide of systems/platforms in use in the HSE?

ineedeuro

kippy wrote: »

SSO for what?
Are posters here aware of the multitide of systems/platforms in use in the HSE?

Everyone is aware of the systems, it was just a discussion.

ineedeuro

kippy wrote: »

Who blames the Gardai for the actions of criminals?

Go and ask a Garda and see what they say.

Hibernicis

kippy wrote: »

SSO for what?
Are posters here aware of the multitide of systems/platforms in use in the HSE?

I wouldn't take that poster's views too seriously. Based on the following she/he hasn't a clue what they are talking about and is just spamming this thread incessantly.

Anita Blow wrote: »

Computers have a generic login which has no user privileges, no documents/data saved or external drive access on those generic accounts in clinic rooms or open areas. It just provides access to online labs/radiology/EPR all of which require an individual username/password.

ineedeuro wrote: »

Sounds like single sign on, so one username and password and gets you access to all the tools you need to use?

Having a generic logon for the PC with different logins for accessing subsequent systems is the exact opposite to SSO (single sign on).

seamus

You are saying they have to login to use every application but that logging into the endpoint itself would be a massive hinderance. Maybe use SSO then?

Logging into the terminal itself is a slow process. You have used Windows, right? So staff are moving from terminal to terminal, they could see 50 patients in a night. Sometimes Windows might take ten minutes to log off the previous user and log in the new one.

What will happen then is that staff will just log into terminals at the start of the day using their own credentials and leave them open all night, rather than logging in and out constantly. Complete with whatever local and network privileges that SSO user may have. That's a security issue.

In this scenario, leaving the terminals open but with zero privileges is the more secure solution.

What should work in theory and what actually works in practice often conflict. For years we were told that the gold standard in user security was regular password changes and complex passwords. Every 90 days at most, every 30 days if you want to be really secure. 10 characters, 1 uppercase, 1 lowercase, 1 number, 1 special character.

Now though, if you have complexity requirements like these, you will be marked down on any security assessment. Considered less secure. Why? Because it turns out that doing this makes things less secure. People are bad at remembering passwords. So when they have to change them frequently, they use the simplest password they can get away with, they increment passwords (Password01!, Password02!, Password03!, etc), or they write them down. Which makes it more likely that an attacker will compromise the account.

Now the gold standard is a slightly less complex password with multi-factor authentication. A compromised password still doesn't allow access to the account, and when the user changes it, they will use something completely different.

Why are you assuming the logged in user has no privileges?

Why are you assuming they have any privileges? I'm merely pointing out that an open terminal isn't necessarily the massive security flaw one might think it is. In some contexts it's standard practice and it's adequately secure when configured correctly.

kippy

ineedeuro wrote: »

Everyone is aware of the systems, it was just a discussion.

Why don't they use SSO? Was the question as if SSO is a very straightforward thing to implement. Do people really think that if SSO was a realistic option it wouldn't have been in place already?

ineedeuro

Hibernicis wrote: »

I wouldn't take that poster's views too seriously. Based on the following she/he hasn't a clue what they are talking about and is just spamming this thread incessantly.





Having a generic logon for the PC with different logins for accessing subsequent systems is the exact opposite to SSO (single sign on).

The poster said that when they log onto the PC everything they need is loaded up for them. That is why it takes 5 mins. They never said anything about then having to log in with a different user id & password. Unless I am reading it incorrectly?

ineedeuro

kippy wrote: »

Why don't they use SSO? Was the question as if SSO is a very straightforward thing to implement. Do people really think that if SSO was a realistic option it wouldn't have been in place already?

If you know what you are doing then SSO can be implemented. Hence why hospitals all over the World use it.

Plus based on the description above SSO is implemented. Unless you can say otherwise? the problem was not SSO, the problem was the speed at which the users desktop was loading.

ineedeuro

ineedeuro wrote: »

If you know what you are doing then SSO can be implemented. Hence why hospitals all over the World use it.

Plus based on the description above SSO is implemented. Unless you can say otherwise? the problem was not SSO, the problem was the speed at which the users desktop was loading.

Any evidence that hospitals all over the world use SSO?

Active Directory login with either Citrix desktop or roaming profiles which best describes what the poster said isn't SSO.