The Wannacrypt ransomware attack is in the news because it's causing havoc world-wide in major corporations and government institutions. It's a textbook lesson in a number of subjects including (but not limited to): the hopeless incompetence of major institution management in general, and IT management in particular; the worthlessness of most people said to be experts; how dead simple most cyber-security is; the rank illiteracy of otherwise highly educated journalists about computing; the incompetence of our super-spook institutions.
The authoritative New York Times
Of course, we turn to the venerable NYT to get the facts about this important story. Here's the head:
It's clear from the headline that the substance of the story is beyond the grasp of the generally super-bright Times authors (look at the bottom of the story, the author had lots of help), so we're going to have a treat: lots of experts!
First some facts
Let's start with a couple simple facts.
The software in question is "ransomware" that users are tricked into running on their computers. The software is normally an attachment to an email message that an unwitting user (being kind here) clicks on. Once it runs, the software encrypts all the files on the computer, making them unusable. It then displays a helpful announcement of what it's done and how to get your files back. Here's a sample, taken from a nice summary of the situation:
At this point, most people panic. Loads of hospitals in the UK were infected, for example, and mostly shut down.
There's more! Once installed, the software probes all the computers connected to the same network, and tries to infect them with the ransomware using an error in some deep-in-the-guts thing normal users would never encounter called SMB. This means that once a single user in an organization has fallen for the bait and gotten the software, it quickly spreads. This part of the evil software is the "worm."
Here's how the New York Times describes it:
The underlying reality -- the important facts
Here are the most important things to know about this "audacious global cyberattack."
- The ransomware spread by the usual means: emails to gullible users. To their credit, the Microsoft Windows Defender group quickly identified the problem and released an update that detects and removes it.
- Only obsolete and improperly maintained Microsoft Windows computers were affected by the worm. Loads of systems were hit in hospitals running Windows XP, which Microsoft stopped supporting years ago. Supported versions of Windows that had installed all recent patches were not hurt. The relevant patch was released months ago. It is the worm part of the malware that infects servers, which is particularly harmful.
- The bad guys are only charging $300 in Bitcoin to unlock your computer. That's a small price to pay to learn the lesson of keeping your system up to date!
- If you really don't want to pay, all you have to do is wipe your machine and restore it from a backup. And then maintain it properly. I gather from all the furor that on top of using obsolete software, the affected sites fail to follow standard backup procedures.
- The bad software itself has been publicly available for months, ever since being walked out of the NSA and published. It was only a matter of time.
- It's not exactly genius software. A clever guy managed to do a simple thing that disabled the worm aspect of it worldwide! Details here from the guy himself.
The Experts weigh in
Since my regard for experts could hardly get lower, the NY TImes article changed nothing. But perhaps some examples might be amusing.
I love this one:
The price goes up to $600 if you delay. Let's assume everyone delays but pays. That means no less than $1B/$600 = 1,666,667 sites would have paid, if the experts are right. I checked the relevant Bitcoin accounts a few minutes ago, and the total had yet to exceed $30,000. Way to go, experts!
I also love the choice given: "pay the digital ransom or lose data." Right. First of all, you're stupid because you're running obsolete software. Then, you can't restore from a backup? You deserve to lose all your data, and then your job -- remember, we're not talking about naive consumers here, we're talking about richly paid computer professionals!
Our next expert dares to be named:
Here's the part I like: "Despite people's best efforts, this vulnerability still exists..." Of course it does! Updating Windows makes the problem disappear. You can't make people update their software -- even though it's their job to maintain it!!
"...experts said that computer users in the United States had so far been less affected than others because a British cybersecurity expert inadvertently stopped the ransomware from spreading."
First, the guy who stopped the worm part was brilliant. He did what he did very much on purpose -- he just referred to what he did as something "accidental," being sleep-deprived and modest. Second, what he stopped wasn't the initial infection into a site, but the spread of the worm once it was in. There were loads of US sites infected -- the numbers are random, as you would expect from whatever email list the bad guys used, and the odds of professional users clicking on the attachment.
The Times itself attempts to explain how the clever guy managed to halt the worm aspect of the malware. Completely screwed it up. Sorry guys, maybe you should stick to quoting experts who get it wrong instead of being obviously wrong yourselves.
Then we have security experts weighing in:
"Yet security experts said the [Microsoft] software upgrade, while laudable, came too late for many of the tens of thousands of machines that were locked and whose data could be erased."
The Microsoft software upgrade was made months ago. It was not too late. It's the people responsible for the machines in question who are too late. If they let their data be erased it's on them -- either pay up, wipe and restore from backup, or slink away in shame.
As to the NSA that created and released the software in question: shame on you. You probably have yet to implement the measures that would prevent more of the same in the future.
Summary
When you read stories like this, it's natural to form a set of impressions, including:
- There are mysterious hackers out there who are really smart and really bad.
- The evil hackers can cause havoc.
- All we can do is bring in experts and try to clean things up quickly.
- Let's hope it's not worse next time.
All these are reasonable thoughts for a layperson to have, reading the published material.
The truth of the matter is closer to the following:
- The richly funded NSA develops evil software and can't keep it secure, in spite of having a budget larger than most countries.
- Opportunistic hackers comb through stuff and sometimes put together something that could make some money.
- A shocking fraction of the big government agencies and corporations fail to follow the most basic computer maintenance procedures (keeping software up to date and making backups), in spite of spending megabucks on IT, and so are vulnerable.
- The experts quoted in news stories are ignorant and/or wrong, along with the stories themselves.
- The guy who stopped the worm part of the software from working was at the opposite end of the competence spectrum from all the highly-paid executives who weren't doing their jobs.
- Most organizations will change nothing, so something very similar will happen again.
Sigh.
Comments