
The Criminals Behind WannaCry

Neil Schwartzman

359,000 computers infected, dozens of nations affected world-wide! A worm exploiting a Windows OS vulnerability that looks to the network for more computers to infect! This is the most pernicious, evil, dangerous attack, ever.

"The Big One," Wired pronounced.

"An unprecedented attack," said the head of Europol.

Cue the gnashing of teeth and hand-wringing!

Wait, what? WannaCry isn't unprecedented! Why would any professional in the field think so? I'm talking about Code Red, and it happened in July, 2001.

Since then dozens, perhaps hundreds, of Best Common Practice documents (several of which I've personally worked on) have been tirelessly written, published, and evangelized, apparently to no good effect. Hundreds of thousands, perhaps millions, of viruses and worms have come and gone.

Our words 'update your systems, software, and anti-virus software' and 'back up your computer', ignored. The object lesson taught by Code Red, from almost sixteen years ago, forgotten.

Criminal charges should be considered: anyone who administers a system that touches critical infrastructure, and whose computers were made to Cry, should be charged with negligence if people suffered or died, as is very much a possibility for NHS patients in the UK. Whatever ransom was paid should be taken from any termination funds they receive, and six weeks' pay deducted, since they clearly were not doing their job for at least that long.

Harsh? Not really. The facts speak for themselves. A patch was available at least six weeks prior (and yesterday was even made available by Microsoft for 'unsupported' platforms such as Windows XP), as was the case with Code Red.

One representative from a medical association said guilelessly, in one of the many articles I've read since Friday 'we are very slow to update our computers'. This from someone with a medical degree. Yeah, thanks for the confirmation, pal.

The worm has been stopped from spreading. For now. iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com was registered by a security researcher and sinkholed: the malware tries to reach that domain before doing anything else and quits if it gets an answer, so once the name resolved to the sinkhole, new infections stopped short of encrypting or spreading.

Sorry, forget it. I went for a coffee while writing this, and predictably a WannaCry V2 has since been spotted in the wild, with the kill-switch check removed.
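As an added example (not code from the original post), here is the check a network defender would run on the back of that kill-switch story: pick out, from DNS query logs, the hosts that looked up the domain. A machine that queried it had the WannaCry dropper execute, which means it was reached over the network and is unpatched, whether or not the sinkhole made the dropper exit. The log layout is the BIND-style query log; the addresses, timestamps and other domain names are constructed for the example. The script accepts a set of domains so that other kill-switch names can be added, but note the limit stated in the docstring: no hit proves nothing, since the V2 variants mentioned above make no lookup at all.

```python
"""Pick out hosts that resolved the WannaCry kill-switch domain from DNS query logs.

Added example, not code from the original post. The log format below is the
BIND-style query log layout, with constructed sample lines; the addresses,
timestamps and extra domain names are assumptions for the demonstration.
"""
import re
from collections import defaultdict

# Kill-switch domain quoted in the post. Add others here if you track variants.
KILL_SWITCH_DOMAINS = {"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"}

# Constructed sample log (not real traffic). Note the mixed case and trailing
# dot on the third line: DNS names are case-insensitive and resolvers log them
# inconsistently, so matching must normalise before comparing.
SAMPLE_LOG = """\
12-May-2017 10:31:02.114 client 10.20.30.41#51234: query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.20.30.1)
12-May-2017 10:31:05.771 client 10.20.30.77#49152: query: www.example.com IN A + (10.20.30.1)
12-May-2017 10:31:09.003 client 10.20.30.41#51240: query: IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. IN A + (10.20.30.1)
12-May-2017 10:32:44.590 client 10.20.30.92#60001: query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.20.30.1)
12-May-2017 10:33:01.222 client 10.20.30.77#49160: query: mail.example.com IN MX + (10.20.30.1)
this line is not a query log entry and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[\d.]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalise(name):
    """Lower-case a DNS name and drop the trailing dot of a fully-qualified form."""
    return name.rstrip(".").lower()


def parse_line(line):
    """Return a dict with ts/client/qname/qtype for a query-log line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = normalise(rec["qname"])
    return rec


def hosts_querying(log_text, domains=KILL_SWITCH_DOMAINS):
    """Map each client IP that queried one of `domains` to its query timestamps.

    A hit means the WannaCry dropper executed on that client (it contacts the
    domain before anything else), so the host was reached over the network and
    needs the patch regardless of whether the sinkhole made the dropper exit.
    No hit proves nothing: variants with the check removed never query the domain.
    """
    wanted = {normalise(d) for d in domains}
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["qname"] in wanted:
            hits[rec["client"]].append(rec["ts"])
    return dict(hits)


if __name__ == "__main__":
    for client, times in sorted(hosts_querying(SAMPLE_LOG).items()):
        print(f"{client}: {len(times)} lookup(s), first at {times[0]}")
```

One caveat worth keeping in mind when reading the output: the dropper's check is a plain outbound connection to that name, so on a network where workstations cannot resolve Internet names directly the check simply fails, the worm carries on, and nothing about it ever reaches your DNS logs.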

What have we learned from all of this, all of this for a lousy $26,000?

If someone gets arrested and charged (and by someone I mean the systems administrators, 'CSOs' and anyone else in line to protect systems who abjectly failed this time), then a lot. WannaCry infections of critical infrastructure are an inexcusable professional lapse. Or we could just do all of this again next time, and people may die.

Afterthought: My organization, CAUCE.org recently turned 20 years old. When it started, we didn't believe things could get this bad, but it wasn't too soon after that it became apparent. I issued dire warnings about botnets in 2001 to the DHS, I made public pronouncements to these ends in 2005 (greeted by rolled eyes from an RCMP staff sergeant). I may have been a little too prescient for my own good at the time, but can anyone really say, in this day and age, that lives are at stake, and we are counting on those responsible for data safety to at least do the bare minimum? I await your comments, below.

By Neil Schwartzman, Executive Director, The Coalition Against Unsolicited Commercial Email - CAUCE.

Related topics: Cybercrime, Malware, Cybersecurity


Comments

OK, fair and balanced – Neil Schwartzman – May 14, 2017 8:03 AM PDT

I think the other side of the coin is well-represented by Professor Steven Bellovin, who isn't wrong about the realities of patching. That said, given the rampant proliferation of exploits these days, people failing to do expeditious patches in a professional environment, particularly critical infrastructure is akin to a trucking company failing to heed recalls, or do basic vehicle maintenance.

From your link – Charles Christopher – May 14, 2017 9:08 PM PDT

From your link:

https://krebsonsecurity.com/2017/05/global-wana-ransomware-outbreak-earned-perpetrators-26000-so-far/#more-39367

We find the following comment:

"Steve C
May 14, 2017 at 6:26 pm
I read in the British press that due to underfunding, 90% of the hospitals there are to some degree still using Windows XP and Server 2003. This is why they were so heavily impacted.

Where I used to work I was responsible for managing WSUS. I normally would wait to approve Windows Updates after they had been out for a month, unless something was super critical. This was done because Microsoft once or twice a year would push out an update that would trash one major system or another. After a week or two the bad patches would be silently fixed."

Yup, I have seen Microsoft "updates" break things, and that is one of many reasons why I turn off updates on my personal equipment.

In addition to that, NSA at taxpayer expense, developed the core of this attack. So why are my tax dollars being used to author exploits rather than reporting bugs to authors so that we are all safer and more secure? And why should I blame administrators now dealing with the mess tax payers funded the authorship of?

>Criminal charges should be considered: Anyone who administers a system that touches critical
>infrastructure, and whose computers under their care were made to Cry, if people suffered, or
>died, as is very much the possibility for the NHS patients in the UK, should be charged with
>negligence.

Yup, so let's start with the NSA employees ....

"Microsoft once or twice a year would" – Neil Schwartzman – May 15, 2017 1:45 AM PDT

"Microsoft once or twice a year would push out an update that would trash one major system or another."

That's why we have backups, and try a single system before applying the patches across the board.

The platform is the problem – The Famous Brett Watson – May 15, 2017 2:56 AM PDT

Given the risks associated with both applying updates and not applying updates in a medical environment (or similar environments where system failure has the potential to endanger lives), the problem is that they've used an operating system which is singularly unfit for purpose. Windows is the single biggest target for such attacks on the planet, has a history of ongoing vulnerability, and is frequently updated for risky non-security reasons. This kind of application needs an ultra-conservative OS with an emphasis on stability and security over novelty and generality. That OS could, in principle, be some special variant of Windows — just not the mainstream desktop-oriented one.

It's harsh to go after the systems administrators when they've had the worst of all possible worlds foisted on them by market forces outside their control. Sue the vendors if you want to apply pain where it's actually likely to have a beneficial outcome. There has to be some kind of "fitness for purpose" angle when plain old desktop Windows is embedded in critical hardware.

A friend works for Unisys – Charles Christopher – May 15, 2017 8:01 AM PDT

A friend works for Unisys. His group authors the code that runs on very high end custom "PCs", that run Linux, which emulates a VAX, so their customers can continue using their heritage software. The users of these systems everyone would recognize; most depend on them daily.

The PC is cheap, and everyone and their dog (j/k) can author reliable code for it.

That is what drives its ubiquitous use, and like the VAX, it's not going away anytime soon. Back to our tax dollars recognizing this fact of life and being used to protect it, and commerce and industries in general. With all the billions spent to watch and record our every move, there is actually no incentive for our tax dollars to be used to solve these problems. Every time I am on the highway I can see NSA's Bluffdale facility, another reminder of the use of our tax dollars. That is the issue: if there were a will to harden general purpose "PCs", they would be far more secure than they are. WannaCry would not be happening right now.

We need to make a choice and verbalize it:

“Those who surrender freedom for security will not have, nor do they deserve, either one.”
- Benjamin Franklin

"I prefer dangerous freedom over peaceful slavery."
- Thomas Jefferson

https://www.aclunc.org/blog/feds-refuse-release-documents-zero-day-security-exploits

March 3, 2015

"But the effectiveness of such exploits depends on their secrecy—if the companies that make the affected software are told about the flaws, they will issue software updates to fix them. Governments thus have a strong incentive to keep information about the exploits they have developed or purchased secret from both the public and the companies who create the software we all use."

"While zero-day exploits are no doubt useful to U.S. law enforcement and intelligence agencies, their use raises serious public policy concerns. Zero-days are also regularly used by foreign, hostile governments, criminals and hackers engaging in cyberattacks. That means our government’s choice to purchase, stockpile and use zero-day exploits instead of promptly notifying manufacturers is effectively a choice to leave both the Internet and its users less secure."
