Ransomware & HSE

riclad

We dont have detailed info on the attack ,the pipeline company in america
was hacked because they were using an old version of microsoft exchange email software.
The problem with bitcoin is it provides an easy way to collect payments without being identified or using a bank account.
its important that all companys make daily backups of all data, and update to the latest versions of all software .
cloud storage and disk drives are very cheap,And these backups should be encrypted and protected .
eg backup process started ,once backup is finished the backup pcs are shutdown and disconnected from the network.
So even if the hse data is hacked they have a backup of customer data and medical information.

Adelman of Beamfleot

I still don't think it's too much to ask that Stephen Donnelly and Paul Reid at least know their way around Kali Linux

jmayo

Adelman of Beamfleot wrote: »

I still don't think it's too much to ask that Stephen Donnelly and Paul Reid at least know their way around Kali Linux

donnelly doesn't know his way around his home town much less the workings of something based on Debian.

magicbastarder

jmayo wrote: »

donnelly doesn't know his way around his home town much less the workings of something based on Debian.

Ah he does. He's ordered half a million doses of it, and I'd just trying to decide between 4 or 6 weeks between the first and second jabs.

hmmm

Supercell wrote: »

Just read up on the Conti ransomware thats its reported as being, what options do they really have here? Damned if they pay up and records released/sold on and published anyhow and damned if they dont and end up having to rebuild everything. I cannot see this being a quick fix.

You usually have to rebuild everything anyway if you want to be sure.

How do you know they haven't left any backdoors which they can activate in the future - you think someone who encrypts hospitals is going to be an honest dealer if you pay a ransom? If your backups are intact, how far back do you restore from to be sure you're not restoring a compromised system?

This will be huge job to investigate.

MrMusician18

After getting it back running, the next question is what was compromised. I guess if it's like the Scottish EPA it's likely that the full extent will never be known. So what kind of databases are in the HSE.

Of course there's staff and internal Comms, medical appointments, diagnostic imaging etc that we can deduce from the systems that have stopped working today. But a lot of the health service is still paper based so have charts been compromised? GP records, are they for example in their system? Test results?

Hurrache

Hurrache wrote: »

You're guaranteed to find Twitter threads full of people asking for the head of the minister for heath and the head of the HSE for not finding these exploits.

Yeah, it's not a question for now on which heads should roll. When the dust settles there will need to be a thorough investigation into what went wrong and if people are to be found at fault so be it.

irelandpride

This is what happens when you run outdated hardware and software and paying people huge salaries who don't have a clue about Security and try to make themselves look good by keeping IT costs down to the bare minimum every year.

The Whole IT setup is a complete and utter shambles and needed proper updating and better people in charge 10 years ago.

It was going to happen eventually. Let's just hope their backups are in good order and were regularly tested.

Kiith

Having worked at a company who went through a randomware attack, i feel sorry for all the IT staff in the HSE right now.

Unbelievably stressful trying to deal with it. And certainly not helped by assholes online throwing **** at them when they have no idea what they are talking about.

fael

MrMusician18 wrote: »

After getting it back running, the next question is what was compromised. I guess if it's like the Scottish EPA it's likely that the full extent will never be known. So what kind of databases are in the HSE.

Of course there's staff and internal Comms, medical appointments, diagnostic imaging etc that we can deduce from the systems that have stopped working today. But a lot of the health service is still paper based so have charts been compromised? GP records, are they for example in their system? Test results?

It would be great if large breaches would be treated as incidents/accidents in aviation. An independent entity investigates and publishes what went wrong, why it went wrong and what can be done about it to avoid it in the future.
No apportioning blame, just to learn from it. Keeping it secret means the lessons learned will be confined to the original organisation.

I think the infosec community is pretty good at this anyway and lots is learned from most breaches. But it would be great if you can get an analysis based on first hand info.

Kiith

Kiith wrote: »

Having worked at a company who went through a randomware attack, i feel sorry for all the IT staff in the HSE right now.

Unbelievably stressful trying to deal with it. And certainly not helped by assholes online throwing **** at them when they have no idea what they are talking about.

Yep get a lot of that from the usual types once an attack is successful especially when a government agency is involved.
They might want to be paying a bit more attention to what's happening with the likes of Facebook in the same realm of data security.

Dempo1

I see Paul Reid saying they won't pay any ransom, I wonder had he Paid to deal with well highlighted IT issues at the HSE for years would this have happened, indeed only recently a world renowned expert said THE HSE very exposed and its common knowledge as far back as early 2019 its IT systems were on the brink of collapse.

I fear the Ransom will be paid and we'll hear not a word about it, anything to save the top echelons of the HSE any blushes.

It's a disgusting attack, the lowest of the low attacking a health care IT infrastructure but sadly its been on the cards for years, almost waiting to happen.

whippet

irelandpride wrote: »

This is what happens when you run outdated hardware and software and paying people huge salaries who don't have a clue about Security and try to make themselves look good by keeping IT costs down to the bare minimum every year.

The Whole IT setup is a complete and utter shambles and needed proper updating and better people in charge 10 years ago.

It was going to happen eventually. Let's just hope their backups are in good order and were regularly tested.

What utter scutter

VinLieger

Dempo1 wrote: »

I see Paul Reid saying they won't pay any ransom, I wonder had he Paid to deal with well highlighted IT issues at the HSE for years would this have happened, indeed only recently a world renowned expert said THE HSE very exposed and its common knowledge as far back as early 2019 its IT systems were on the brink of collapse.

I fear the Ransom will be paid and we'll hear not a word about it, anything to save the top echelons of the HSE any blushes.

It's a disgusting attack, the lowest of the low attacking a health care IT infrastructure but sadly its been on the cards for years, almost waiting to happen.

There is not a grain of truth or evidence to any of the the garbage conspiracy theories you've claimed in this post.

AndrewJRenko

seamus wrote: »

Tbh, I'd be skeptical of the "zero day" claim. I've seen companies roll it out before in order to keep the heat off and stop any speculation that they left the door wide open.

There are bigger targets available if you have a good 0-day and you want a big cash payment.


This is known as Spear Phishing and it's insanely effective. All it takes really is one distracted employee and a decently crafted mail and you're in.

Companies don't get called before the Public Accounts Committee or other Dail committees to explain their actions. It would be a very foolish public official that tried spoofing on this.

I think if any data is lost, despite the soundbites a ransom will have to be paid in the interest of patient safety. It's not like a financial services company where they can somewhat absorb a data loss. There are lives at stake.

They are coming out very early saying they won't pay it. Hopefully the backups are sufficient and DR has been sufficiently tested.

irelandpride

VinLieger wrote: »

There is not a grain of truth or evidence to any of the the garbage conspiracy theories you've claimed in this post.

https://www.irishexaminer.com/news/arid-30974569.html

Tells you all you need to know.

AndrewJRenko

fael wrote: »

You can't mitigate against the 0day itself. Just against what happens after. Basic stuff like segmenting your network, a proper backup system (including regularly restoring backups to make sure it's working), etc, etc... to make sure you can clean up and get going again.
.

So all the stuff the HSE are doing right now, as we speak.

schrodinger wrote: »

And let's be clear here. This was not a zero day exploit. Every time someone says a zero day was used, I loose a year from my life expectancy. Is it the HSE's fault? Absolutely not. I've literally seen and investigated organisations with a much stronger security posture than the HSE get hit with ransomware. So, all the "expert" and idiot criticism of HSE I.T. staff needs to be taken some where else. All of those people can go some where and bang their knuckles off a rock and see who's the leader.

I.T. staff in these kinds of places are not security engineers, security analysts, forensic investigators, incident responders, malware analysts, etc.. They are system engineers, system administrators, network engineers, developers, technical support staff, applications supports staff, multiple hats staff - and people want to throw shade? Shame on those who do.

I've no direct knowledge, but I'd be very surprised if the HSE don't have their own in-house Security Operations Centre with expert security staff, supplemented by external experts on contract.

Having said that, I fully agree with the general thrust of your post.

frozenfrozen

irelandpride wrote: »

https://www.irishexaminer.com/news/arid-30974569.html

Tells you all you need to know.

you think you know more than you do.

windows 7 under extended support is fine

irelandpride

frozenfrozen wrote: »

you think you know more than you do.

windows 7 under extended support is fine

Out of the all the PC's in HSE do you actually think all of them have their patches and are fully 100% up to date?

No organization can get to 100%

Big difference with Windows 7 and Windows 10 not been fully patched.

VinLieger

irelandpride wrote: »

https://www.irishexaminer.com/news/arid-30974569.html

Tells you all you need to know.

So you just read the headline and not the article then?

irelandpride

VinLieger wrote: »

So you just read the headline and not the article then?

I did it just shows that how inept they are to be honest.

If they had to emergency support for Windows 7 God only knows how old their Routers, Switches, equipment, servers, Hosts and databases are.

I doubt they even have firewalls between the business side and the Operating side of the hospital. Wouldn't surprise me.

Dempo1

VinLieger wrote: »

There is not a grain of truth or evidence to any of the the garbage conspiracy theories you've claimed in this post.

Clearly your not aware of historical issues with the HSE antiquated IT systems, reports done as far back as early 2019 and before and a report earlier today n the examiner about an expert stating quite clearly whilst participating in the Web summit, that the HSE is very exposed

You seem quite the expert albeit you didn't put much thought into your absurd response, take some time to do a Google search or check your facts before claiming conspiracy theories.

Reid on now, spouting more nonsense, not disclosing amount being sought and claiming the attackers have picked the wrong people. I'm sure the perpetrators are sitting somewhere in Russia shaking in their boots.

whippet

irelandpride wrote: »

Out of the all the PC's in HSE do you actually think all of them have their patches and are fully 100% up to date?

No organization can get to 100%

Big difference with Windows 7 and Windows 10 not been fully patched.

Tell us what the big difference would be in the context of a ransom ware attack like this?

joe40

fael wrote: »

It would be great if large breaches would be treated as incidents/accidents in aviation. An independent entity investigates and publishes what went wrong, why it went wrong and what can be done about it to avoid it in the future.
No apportioning blame, just to learn from it. Keeping it secret means the lessons learned will be confined to the original organisation.

I think the infosec community is pretty good at this anyway and lots is learned from most breaches. But it would be great if you can get an analysis based on first hand info.

I like that analogy. I have zero expertise in IT security so I'm in no position to comment at this stage, but when the dust settles I hope there is a full truthful investigation.
It is kinda scary to be living in a world so dependant on the internet. Cyber security breaches should be investigated like airline disasters where each one is a learning opportunity.

SouthWesterly

irelandpride wrote: »

Out of the all the PC's in HSE do you actually think all of them have their patches and are fully 100% up to date?

No organization can get to 100%

Big difference with Windows 7 and Windows 10 not been fully patched.

Your saying win7. There's a lot of xp machines being use due to software incompatibility with newer versions of Windows.

AndrewJRenko

AndrewJRenko wrote: »

So all the stuff the HSE are doing right now, as we speak.



I've no direct knowledge, but I'd be very surprised if the HSE don't have their own in-house Security Operations Centre with expert security staff, supplemented by external experts on contract.

Having said that, I fully agree with the general thrust of your post.

Could be wrong but had in the back of my mind it was Accenture that looked after the HSE IT systems in terms of support.

Used be (could still be) Fujitsu who looked after a lot of the other Public Sector IT stuff, the Dail etc.

whippet

joe40 wrote: »

but when the dust settles I hope there is a full truthful investigation.

That is standard practice and will be conducted … but tactical restore is the priority now

ineedeuro

fael wrote: »

It would be great if large breaches would be treated as incidents/accidents in aviation. An independent entity investigates and publishes what went wrong, why it went wrong and what can be done about it to avoid it in the future.
No apportioning blame, just to learn from it. Keeping it secret means the lessons learned will be confined to the original organisation.

I think the infosec community is pretty good at this anyway and lots is learned from most breaches. But it would be great if you can get an analysis based on first hand info.

I think you should remember the proverb "You can lead a horse to water but you can't make him drink"

Most companies have learned over the years from previous attacks, the wannacry attack was huge and most companies made huge changes after this
https://www.zdnet.com/article/ransomware-how-the-nhs-learned-the-lessons-of-wannacry-to-protect-hospitals-from-attack/
This was released yesterday which is bad timing for the HSE.

If you ask the question did the HSE learn anything from wannacry I think we have the answer today.

skimpydoo

My take on the cyber attack. https://irishtechnews.ie/cyber-attack-forces-hse-to-shut-down-it-systems/