Ransomware & HSE

Comments

  • Registered Users, Registered Users 2 Posts: 7,362 ✭✭✭plodder


    Tow wrote: »
    They will wash their hands of it, just as they did for the FTDI driver which deliberately bricked devices a few years ago.

    https://hackaday.com/2014/10/24/ftdi-screws-up-backs-down/

    I'm sure they won't volunteer to be on the hook for open-ended damages, but I'm saying if an organisation suffers a loss due to negligence in how they operate the signing program then they should be sued. Not that it applies in this case with the HSE I would guess. What's the point of driver signing if they don't do due diligence on it though?


  • Registered Users, Registered Users 2 Posts: 35,355 ✭✭✭✭Hotblack Desiato


    plodder wrote: »
    Well, there's no mitigation possible for that.

    I think Microsoft could/should be held liable to some extent for any damage resulting from that kind of screw-up.

    Appalling response from MS there, "oh it's only a rootkit so you'd need to gain privileges some other way" which totally misses the point.

    If you plug in your new device from Company XYZ and a dialog pops up saying you need to install the XYZ driver, signed by Microsoft, of course you're going to say yes

    So that's MS saying they really don't care about the security of non-corporate users at all, and that their driver signing programme is just theatre. How's that going to instil confidence in enterprise users either?

    Scrap the cap!



  • Registered Users Posts: 598 ✭✭✭pioneerpro


    where are you getting that nugget from?

    Try and appraise yourself of the facts of the case at hand before you start disputing them in bad faith.

    https://www.thejournal.ie/hse-cyber-attack-ransonware-started-5443370-May2021/

    This is the last time I'll be providing basic citations like that for you.


    Now that's complete and utter bullshít.

    Radiotherapy went down. Chemotherapy went down.

    And who brought them down? The HSE booking systems are held together with sticky-tape at the best of times. Panicking due to a lack of formally documented and tested procedure led to an exponentially greater loss of uptime, and subsequently life.

    Adherence to accepted best practice would have had them up and running with parity of IT service within 24 hours. Now we have a situation whereby some systems may never restore the parity of information and functionality they had pre-attack.

    https://www.thejournal.ie/hse-cyber-attack-ransonware-started-5443370-May2021/

    This is 100% the HSE's cross to bear. There are any number of scenarios whereby they need to initiate a backup and restore from a known good backup. Ransomware is just the one that caught them out - and lucky for them, they have a malfeasant actor to point to.

    https://www.irishtimes.com/opinion/big-data-and-cybercrime-require-far-sharper-focus-1.4583426

    Also, we've this new policy of discarding working (and already trained-in) hardware due to software and systems architecture deficiencies... Must have missed that memo! 30,000 laptops due for the skip out of arrogance and incompetence.

    https://www.thejournal.ie/cyber-attack-hse-laptops-5463583-Jun2021/

    How do you know what is being rebuilt? Wasn't it reported that they were decrypting at least some servers?

    As of June 10th, HSE officials said 33% of servers had now been decrypted and 58% of end user devices are now connected. You can google the citations yourself.

    In short, outside of public reports - which you're obviously not reading - I get my knowledge from working in industry, writing these plans, working with their current disaster recovery contractors... I could go on, but no one with a NDA is going to be able to meet your burden of proof.


  • Registered Users Posts: 745 ✭✭✭ClosedAccountFuzzy


    Seems the cyber attack is now allegedly preventing us from complying with an EU regulation requiring the introduction of Digital Covid Certs tomorrow, 1 July. We are the only EU country that isn’t ready.

    https://twitter.com/rtenews/status/1410327006915485704?s=20

    Rather incompetent looking.


  • Registered Users Posts: 598 ✭✭✭pioneerpro


    Seems the cyber attack is now allegedly preventing us from complying with an EU regulation requiring the introduction of Digital Covid Certs tomorrow, 1 July. We are the only EU country that isn’t ready.

    Rather incompetent looking.

    I've said it a few times here, but this attack is the greatest thing to ever happen to the HSE. They now have a boogeyman to absolve them of all responsibility and blame for the ****show they've made of Core Provisioning Services.

    Someone in the HSE needs to be held criminally responsible for what has happened here. No ifs, no buts. Someone didn't do their job. Simple as.

    And before anyone accuses me of being facetious or flippant, the original issues with the HSE executive structure started with the original county board setup. There's a reason there's 4 hospitals for a population of 100k in Galway, there's a reason SouthDoc has to exist in Kerry, and there's a reason that we have hospital trolley 'crises' every year at the same time.

    It's not to do with lack of money, and it certainly isn't to do with lack of meetings. It's to do with people working in the HSE at a policy making level who are not acting in the best interests of the holistic health outcomes of the population.

    This has always been the case, and the blatant mismanagement of funds and burning of them on administrative nonsense, has been in black and white in the HSE reports for 20+ years. Look at the KPIs from their last major recruiting drive.

    https://assets.gov.ie/3809/051218170729-3c47aa5559f8463a863ba8232220d241.pdf

    And please please don't get me started on 'Ireland's Call'. How they treated the Doctors and Nurses who were willing to come out of retirement and literally work for free for the national good was absolutely appalling. Some of the younger ones who flew back will never work in Healthcare in this country ever again as a result.

    https://www.irishtimes.com/news/health/doctors-returning-to-fight-covid-19-feel-betrayed-says-imo-1.4283771

  • Registered Users Posts: 745 ✭✭✭ClosedAccountFuzzy


    Well internationally what it looks like is poor public infrastructure and lack of resilience.

    That stuff factors in business surveys and informs investment decisions.

    Our health system is already a big negative when it comes to choosing where to live. Anecdotally, I’m aware of several continental Europeans who opted to go home due to experience of A&E here or insane waiting lists for basic things.

    The excuses no longer stack up. We have had adequate resources for quite a long time now and our wealth statistics put us at the top of the league, yet we’ve a healthcare system that we should be hugely embarrassed by.


  • Registered Users Posts: 598 ✭✭✭pioneerpro


    Well internationally what it looks like is poor public infrastructure and lack of resilience.

    That stuff factors in business surveys and informs investment decisions.

    Our health system is already a big negative when it comes to choosing where to live. Anecdotally, I’m aware of several continental Europeans who opted to go home due to experience of A&E here or insane waiting lists for basic things.

    The excuses no longer stack up. We have had adequate resources for quite a long time now and our wealth statistics put us at the top of the league, yet we’ve a healthcare system that we should be hugely embarrassed by.

    And what a surprise, only EU country to embarrass themselves in this way - whilst also being one of the smallest and richest. Of course it's all 'de hackers'. Not a hope would they have their **** together - attack or otherwise.

    https://www.rte.ie/news/coronavirus/2021/0630/1232241-covid-ireland-figures/
    The European Commissioner for Justice has said that Ireland is the only European Union member state that will not be ready to comply with the EU Digital Covid Certificate for travel when it comes into effect tomorrow.

    This is due to the recent cyber attack on the Health Service Executive.

    Didier Reynders told a briefing in Brussels that Ireland was the only country not able to comply with the binding regulation.

    "I want to confirm that we have a really good evolution with all the member states, except Ireland, til now.


  • Registered Users, Registered Users 2 Posts: 3,888 ✭✭✭Polar101


    Seems the cyber attack is now allegedly preventing us from complying with an EU regulation requiring the introduction of Digital Covid Certs tomorrow, 1 July. We are the only EU country that isn’t ready.

    Yeah.. hands up, who believes HSE (or whoever's responsibility it is) would have been ready to implement it even if the cyber attack hadn't happened? I'd bet the status would have been the same.


  • Posts: 17,378 ✭✭✭✭ [Deleted User]


    Because a system got hacked, we're extrapolating that every other country in the EU is capable of Covid certs but Ireland isn't?

    You've taken your credibility and took a shlt on it.


  • Registered Users, Registered Users 2 Posts: 7,362 ✭✭✭plodder


    The Covid cert system would be a new system developed by regular developers, not the kind of people working on restoring the HSE's systems (who probably aren't software developers for the most part). It would be based on data provided by the vaccination scheduling system, which itself is new and not affected by the hack. I would say that senior HSE management are so distracted by the hack, that the Covid certs are not a priority and have been side-lined. Or else the decision was taken at a political level, and the hack is a convenient excuse.


  • Registered Users Posts: 2,418 ✭✭✭BluePlanet


    Sounds like it will be just another massive centralized database that holds personal identifying information on huge numbers of people, making it a new and big honey pot for hackers.


  • Registered Users, Registered Users 2 Posts: 35,355 ✭✭✭✭Hotblack Desiato


    pioneerpro wrote: »
    Try and appraise yourself of the facts of the case at hand before you start disputing them in bad faith.

    https://www.thejournal.ie/hse-cyber-attack-ransonware-started-5443370-May2021/

    This is the last time I'll be providing basic citations like that for you.

    Where to start with this? :rolleyes:

    - You assert as fact that the attack was not targeted but provide no citation.
    Don't you think it's "interesting" that the only other public body attacked by them at that time was Dept. Health?

    - When asked you link a f'kin Journal article which doesn't even address the issue of targeting. The user described in the article already had their PC encrypted when they clicked on the link to contact the criminals.

    - then you get all shirty and say this is the last time you will provide a (non-) citation for your claims! Comical :pac:

    And who brought them down? The HSE booking systems are held together with sticky-tape at the best of times. Panicking due to a lack of formally documented and tested procedure led to an exponentially greater loss of uptime, and subsequently life.

    Sure but given where they were, it's hard to see what else they could have done at the time. They didn't have a plan in place. They should have. But 20:20 hindsight is feck all use to anyone.

    Also, we've this new policy of discarding working (and already trained-in) hardware due to software and systems architecture deficiencies... Must have missed that memo! 30,000 laptops due for the skip out of arrogance and incompetence.

    https://www.thejournal.ie/cyber-attack-hse-laptops-5463583-Jun2021/

    You must have missed the word "may", and there seems to be plenty of doubt about what the word "replace" actually means. They will probably accelerate the replacement of old hardware which is incapable or barely capable of running Windows 10 but there are no figures publicly available on how many, and these were surely very close to end of life already.

    As of June 10th, HSE officials said 33% of servers had now been decrypted and 58% of end user devices are now connected. You can google the citations yourself.

    In short, outside of public reports - which you're obviously not reading

    There you go flying off the handle again. That wasn't even a response to you, it was another poster who wrongly claimed they are rebuilding everything when as you say yourself and has been widely reported, they are not.

    Scrap the cap!



  • Registered Users, Registered Users 2 Posts: 200 ✭✭DecTenToo


    BluePlanet wrote: »
    Sounds like it will be just another massive centralized database that holds personal identifying information on huge numbers of people, making it a new and big honey pot for hackers.

    Dunno, I'd assume as they have the records available via the HSE online portal, of those that have been vaccinated, that the ability to print off your form/QR code would just be an addition to the existing portal.

    For example, I checked my records online and it shows my appointment and vaccination history

    Registered for a vaccine
    Awaiting appointment 1
    Appointment 1 scheduled
    Consent given
    Dose 1 Medical questions answered
    Vaccine dose 1 received
    Awaiting appointment 2
    Appointment 2 scheduled
    Dose 2 Medical questions answered
    Final vaccine dose received

    So pulling and generating the QR code/form, shouldn't be that much more of an addition?

    OK, assuming everyone is using the same system, keeping the records up to date, and a certain amount of pre-planning?

    And yes, there's an assload wide of assumptions regarding development timeframe, dependencies, security, data protection, testing, deployment and verification against the European requirements.


  • Registered Users, Registered Users 2 Posts: 8,184 ✭✭✭riclad


    Just because Windows 7 is supported does not mean it had the security features of Windows 10.
    The bill to fix this of 500 million suggests they did not have a full-featured secure backup restore system in place.
    E.g. backups are read-only: when a backup is complete it's put in read-only mode and isolated from network access, e.g. it can't be deleted by hackers. Drive space is cheap.
    There should be at least 2 backups of medical data.
    E.g. even if half of the HSE PCs are destroyed there will still be a full backup of patient data from the last 24 hours.
    Backups can be done daily.
    Each day there's a new backup of all the data that was processed or entered in the database, e.g. medical scans, new admissions, or appointments made or operations scheduled in the previous 24 hours.

    Backups are only accessed if there's a hack or some PCs lose data due to failure of PCs or network failures.

    Good backup procedures in the long run save money,
    as the whole database can be restored anytime that's needed.
    All you need is PCs with Windows OS installed and you start the restore process.
    E.g. it's like having car and accident insurance.
    It costs money but it's good practice in the long run.


  • Registered Users Posts: 598 ✭✭✭pioneerpro


    riclad wrote: »
    Just because Windows 7 is supported does not mean it had the security features of windows 10

    With respect, extended support contracts generally patch the OS-Level stuff which is based on common DLL's and other shared components. There's roughly equivalent parity of support in terms of 0days and other OS-Level exploits between Win 7 and Win 10, with Win 7 on an extended support contract.

    Granted, there's some significant AD and internal security changes from the client-permissions side, but no significantly large organisation should be depending on the in-built tools anyway, and would have the likes of FireEye and EndPoint deployed.

    The bill to fix this of 500 million suggests they did not have a full featured secure backup restore system in place

    Suggests? It makes it explicitly clear that they had neither the appropriate processes or the basic oversight and training required in place.

    This isn't 20/20 Hindsight, as plenty of other non-industry pedants have tried to point out - this is the *basic* standard for any company that has IT as a core provisioning service.

    I've made the point about my own industry requiring 'five 9s' uptime or we'd be made redundant in the morning. The HSE, in contrast, are beholden to no one, opaque to everyone, and completely immune at a civil or criminal liability level.

    They are utterly disinterested in organisational change and completely focused on maintaining a fiefdom of little middle-management kingdoms as a holdover from the pre-HSE county board setup.

    Eg it's like having car and accident insurance
    It costs money but it's good practice in the long run

    It's not even good practice in the long run, it's an essential and fundamental business continuance process - often explicitly mandated by insurance policies and client contracts. This is an unforgiveable lapse of professional judgement (and this is *not* an oversight, this was a conscious decision to act against the globally recognised best practice) and I maintain strongly that someone in the HSE should be up on criminal charges as a result of this fiasco.

    But of course, the HSE are better than all that. And now they can say the word 'Hackers' and absolve themselves of any apology or accountability.


  • Registered Users, Registered Users 2 Posts: 35,355 ✭✭✭✭Hotblack Desiato


    pioneerpro wrote: »
    They are utterly disinterested in organisational change and completely focused on maintaining a fiefdom of little middle-management kingdoms as a holdover from the pre-HSE county board setup.

    Never mind the PCs, the HSE doesn't even own most of the servers affected, they're owned by "voluntary" hospitals / hospital groups (some of which even have their own data centres.) So it's not just a holdover from the old health board system, it's a holdover from privately established organisations (usually religious) 150 and 200 years ago. Just look at the wrangle between two sets of nuns, the HSE and the government over the new national maternity hospital. Several years now trying to sort out ownership and control of that and it's still not done.

    Oh and I got a good laugh out of the "non-industry pedant" thing :pac: over 20 years in the industry thanks and pedants have great attention to detail and a commitment to accuracy, so to call anyone working in IT a pedant is a compliment

    Scrap the cap!



  • Registered Users, Registered Users 2 Posts: 8,184 ✭✭✭riclad


    https://www.youtube.com/watch?v=WT-_WlcFS50
    HSE hack covered here, time stamp 28.00.
    It says it will cost 600 million dollars to restore and upgrade the system.
    It will take months to recover the whole IT system.
    There will be a new security centre designed to protect the HSE IT system from further hacking attacks.
    They received a decryptor from the hacker gang to help them to recover data.


  • Registered Users, Registered Users 2 Posts: 9,240 ✭✭✭limnam


    We sound like a right bloody embarrassment in that clip


  • Registered Users, Registered Users 2 Posts: 35,355 ✭✭✭✭Hotblack Desiato


    Gibson is a tosser

    Scrap the cap!



  • Registered Users Posts: 745 ✭✭✭ClosedAccountFuzzy


    plodder wrote: »
    The Covid cert system would be a new system developed by regular developers, not the kind of people working on restoring the HSE's systems (who probably aren't software developers for the most part). It would be based on data provided by the vaccination scheduling system, which itself is new and not affected by the hack. I would say that senior HSE management are so distracted by the hack, that the Covid certs are not a priority and have been side-lined. Or else the decision was taken at a political level, and the hack is a convenient excuse.

    It’s not just a vaccine cert. It also has to be able to contain information about whether someone has been tested negative within X days or has recovered from COVID.

    The vaccine appointment system also does not contain information for very large numbers of people who were vaccinated through GPs (or in pharmacies).

    Some of those systems are impacted.

    The appointment system only contains information for people who’ve been vaccinated in mass vaccination centres.


  • Registered Users Posts: 745 ✭✭✭ClosedAccountFuzzy


    Because a system got hacked, we're extrapolating that every other country in the EU is capable of Covid certs but Ireland isn't?

    You've taken your credibility and took a shlt on it.

    The EU and Irish government extrapolated just that. We’re the only country in the EU that couldn’t launch the service as per the EU Regulation, which is in force since 01 July. We are aiming to be able to do it by 19 July.


  • Registered Users, Registered Users 2 Posts: 8,184 ✭✭✭riclad


    On Security Now they are amazed it's gonna cost 600 million to recover the data. They are employing security contractors and they are building a new security dept to protect against future hacks.
    Also there's 30,000 PCs that have to be checked and scanned or restored, and backups have to be scanned for malware offline.
    They are very lucky they got the decryption code from the Russian hacker group.


  • Registered Users, Registered Users 2 Posts: 7,353 ✭✭✭naughto


    riclad wrote: »
    https://www.youtube.com/watch?v=WT-_WlcFS50
    HSE hack covered here, time stamp 28.00.
    It says it will cost 600 million dollars to restore and upgrade the system.
    It will take months to recover the whole IT system.
    There will be a new security centre designed to protect the HSE IT system from further hacking attacks.
    They received a decryptor from the hacker gang to help them to recover data.

    Thanks for the link man they are just laughing at us


  • Registered Users, Registered Users 2 Posts: 9,240 ✭✭✭limnam


    naughto wrote: »
    Thanks for the link man they are just laughing at us


    Yep, the "IT hub" of Europe and we can't implement a fairly basic DR strategy to some of the most important infra in the country.



    Reminds me of the story when the head of ebay security came to give a talk on cyber crime. Ireland provided some gob****e from our cybercrime squad who told a story about tracking down a student via sendmail logs.


    We're a laughing stock.


  • Registered Users, Registered Users 2 Posts: 18,744 ✭✭✭✭kippy


    limnam wrote: »
    Yep, the "IT hub" of Europe and we can't implement a fairly basic DR strategy to some of the most important infra in the country.



    Reminds me of the story when the head of ebay security came to give a talk on cyber crime. Ireland provided some gob****e from our cybercrime squad who told a story about tracking down a student via sendmail logs.


    We're a laughing stock.

    Sometimes the only way to get attention and investment is to hit the floor.


  • Registered Users, Registered Users 2 Posts: 3,739 ✭✭✭johnmcdnl


    riclad wrote: »
    LinkedIn has been hacked exposing millions of user accounts
    LinkedIn is owned by Microsoft
    It does not inspire faith in Microsoft's Windows security standards

    The major LinkedIn hack was in 2012. Microsoft bought LinkedIn in 2016.


  • Registered Users, Registered Users 2 Posts: 7,362 ✭✭✭plodder


    It’s not just a vaccine cert. It also has to be able to contain information about whether someone has been tested negative within X days or has recovered from COVID.

    The vaccine appointment system also does not contain information for very large numbers of people who were vaccinated through GPs (or in pharmacies).

    Some of those systems are impacted.

    The appointment system only contains information for people who’ve been vaccinated in mass vaccination centres.
    I heard the minister responsible for it say over the weekend that the system is actually ready. They are recognising and accepting incoming certs already (as per the requirement on July 1) and they have issued a small number already to Irish residents. So, if it doesn't go ahead before July 19, it won't be for technical reasons. That's what I took from it anyway.

    Though it's possible, it might not be ready for everyone.


  • Registered Users, Registered Users 2 Posts: 8,184 ✭✭✭riclad


    I would hope the new PCs they buy will have TPM 2.0
    and specs that make them compatible with Windows 11, as it will be more secure than Windows 10.
    It enables more secure encryption with protection from brute force password hacking.
    To defend against hacking there needs to be 24/7 monitoring of the network.
    Ordinary users should not have admin status, e.g. only high level users can install apps or set up new admin accounts
    or have access to backup servers.


  • Registered Users, Registered Users 2 Posts: 8,184 ✭✭✭riclad


    I think we have high level security experts but they mostly work for Google, Facebook etc not for the civil service or the hse


  • Registered Users, Registered Users 2 Posts: 35,355 ✭✭✭✭Hotblack Desiato


    You've heard of this phenomenon called "contractors", right? :rolleyes:

    Scrap the cap!


