I don’t promote the fact heavily, but I am a rep for a cyber security company that is one of the few (maybe the only one?) that can stop attacks like the WCry Cryptolocker attack (also called by many other names such as ‘WannaCrypt’) before they even start. That’s another story, but if you’re an IT boffin in a large company and you have nightmares about APTs, worms, viruses, ransomware, patches, and fear the browsing habits of the people using your company’s computers, then seriously get in touch with me. Zero-day protection does exist, even on legacy systems such as XP.
Ok, (/advert), let’s talk about the new battlefront that this WCry incident has placed front-and-centre in the public psyche.
First off, if you’ve been hiding under a rock and don’t know what all the fuss is about, there’s a pretty good round-up here:
The malware, known as Wanna, Wannacry, or Wcry, has infected at least 75,000 computers, according to antivirus provider Avast. AV provider Kaspersky Lab said organizations in at least 74 countries have been affected, with Russia being disproportionately affected, followed by Ukraine, India, and Taiwan. Infections are also spreading through the United States…
… Wcry is reportedly causing disruptions at banks, hospitals, telecommunications services, train stations, and other mission-critical organizations in multiple countries, including the UK, Spain, Germany, and Turkey. FedEx, the UK government’s National Health Service, and Spanish telecom Telefonica have all been hit.
And for a moment everyone was up in arms about it. It was the cyber equivalent of the Avian Flu. The British National Health Service (where sick people in the UK go to die) was hit hard, and got most of the news coverage, however the impact was worldwide.
But then something straight out of a cheap teenage cyber thriller happened (yes, I’m looking at you, Hackers!): some boffin somewhere stumbled on a kill switch for it. The best bit? He was actually on holiday! You’ll have to read his whole (very entertaining) write-up on how it all went down, but here’s the moment he realised he’d killed it:
Now you probably can’t picture a grown man jumping around with the excitement of having just been ransomwared, but this was me. The failure of the ransomware to run the first time and then the subsequent success on the second mean that we had in fact prevented the spread of the ransomware and prevented it ransoming any new computer since the registration of the domain.
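The quoted passage describes the mechanism that stopped the spread: before doing anything else, the worm looked up a particular domain, and once that domain was registered the lookup succeeded and the ransomware stopped running. From a defender’s side, the useful consequence is that a successful lookup of that domain is itself a signal that a host has run the worm’s first stage. The following is an added example (my own, not from the original post or from the researcher quoted above) that scans constructed DNS query log lines for lookups of the kill-switch domain and reports which clients made them. The domain name used is a placeholder, since the real one is not given on this page, and the log line format is an assumption.

```python
import re
from collections import defaultdict

# Placeholder for the registered kill-switch domain (assumption: the real
# domain is not named on this page). Any host that resolves it has executed
# the worm's initial check and should be isolated and patched.
KILL_SWITCH_DOMAINS = {"killswitch-placeholder.example"}

# Assumed log format: "<timestamp> client=<ip> query=<name> type=<qtype> rcode=<rcode>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>[\d.]+)\s+query=(?P<qname>\S+)"
    r"\s+type=(?P<qtype>\S+)\s+rcode=(?P<rcode>\S+)$"
)


def parse_line(line):
    """Parse one DNS log line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Normalise the query name: strip a trailing dot and ignore case so that
    # "Example.COM." and "example.com" match the same watchlist entry.
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def find_kill_switch_lookups(lines, watchlist=KILL_SWITCH_DOMAINS):
    """Return {client_ip: [timestamps]} for every lookup of a watchlisted domain.

    Only lookups that actually resolved (rcode NOERROR) are reported, because a
    successful answer is exactly what makes the worm halt: the host ran the
    check and was stopped by the registered domain, but is still infected.
    """
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than failing the whole scan
        if rec["qname"] in watchlist and rec["rcode"] == "NOERROR":
            hits[rec["client"]].append(rec["ts"])
    return dict(hits)


# Constructed sample log: two affected clients, one of them querying twice,
# two benign lookups and one malformed line.
SAMPLE_LOG = [
    "2017-05-12T10:03:14Z client=10.0.5.17 query=killswitch-placeholder.example. type=A rcode=NOERROR",
    "2017-05-12T10:03:15Z client=10.0.5.17 query=www.example.org type=A rcode=NOERROR",
    "2017-05-12T10:04:02Z client=10.0.9.42 query=KillSwitch-Placeholder.EXAMPLE type=A rcode=NOERROR",
    "2017-05-12T10:04:30Z client=10.0.9.42 query=killswitch-placeholder.example type=A rcode=NOERROR",
    "this line is not a DNS record",
    "2017-05-12T10:05:11Z client=10.0.7.3 query=update.example.net type=AAAA rcode=NXDOMAIN",
]


def summarise(lines):
    """Return the number of distinct clients that resolved a watchlisted domain."""
    return len(find_kill_switch_lookups(lines))


if __name__ == "__main__":
    for client, times in sorted(find_kill_switch_lookups(SAMPLE_LOG).items()):
        print(f"{client}: {len(times)} kill-switch lookup(s), first at {times[0]}")
    print(f"{summarise(SAMPLE_LOG)} host(s) need isolation and patching")
```

Run against a real resolver log, the same function would give an incident responder the list of machines that were exposed to the worm even though the registered domain stopped the payload on them.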
Yep, there’s surely going to be a movie about it, and to be honest, I’d watch that!
But here’s the bit that grabs my attention… the exploit was one the NSA had known about and been using for years! And the code that this whole attack was based on was stolen from the NSA!
Wcry copies a weapons-grade exploit codenamed Eternalblue that the NSA used for years to remotely commandeer computers running Microsoft Windows. Eternalblue, which works reliably against computers running Microsoft Windows XP through Windows Server 2012, was one of several potent exploits published in the most recent Shadow Brokers release in mid-April. The Wcry developers have combined the Eternalblue exploit with a self-replicating payload that allows the ransomware to spread virally from vulnerable machine to vulnerable machine, without requiring operators to open e-mails, click on links, or take any other sort of action. [Emphasis added]
This raises all manner of interesting issues.
- Firstly, the NSA have clearly invested a great deal of energy into finding previously unknown weaknesses in computers, and are then quite happy to use those to snoop around to their hearts’ content rather than alerting the world to the vulnerability so that everyone can protect themselves.
- The NSA clearly can’t be trusted to keep their own cyber-weapons safe! So should they really be trusted with US national security?
- Cyber weapons have a real-world impact, and should be treated as genuine weapons of war in every respect. There were people in the UK who couldn’t get the surgeries they needed due to Wcry, and there were critical packages and pieces of information which couldn’t get where they needed to be due to the impact on FedEx and Telefonica respectively. Real people in the real world were hurt.
- Microsoft (an ‘evil’ private corporation, unlike the ‘good’ government agency the NSA) acted to patch the vulnerability soon after it became publicly known, taking the very unusual step of providing patches all the way back to Windows XP (a long unsupported platform which they were under no obligation to offer a patch for!) which genuinely works and closes this vulnerability. That patch is free. It’s quite literally the ‘free’ market at work… (badum-ching!)
So let’s sum up.
A government agency creates and loses control of a cyber weapon it had been using against its own people for years.
A private company patches and offers the world a fix to the problem, for free, including for legacy systems it’s not obligated to support or protect.
Unfortunately, not everyone gets onto the fix fast enough (rolling patches out across massive networks is a bigger job than most people think, but even so, two months was long enough!), so another government agency, this time the NHS in the UK, gets hit hard, along with a number of private companies that need to take a good look at their cyber security.
I think libertarians need to create a new ‘catchcry’: “But without government, who will build the viruses?”
The cyber front will be the first to be hit in any new major war. And don’t assume that the companies (or government departments) that you depend on have got their cyber-security house in order…