WannaCry or the Cyber-Event that should never have happened
Ok, the WannaCry tears are drying and InfoSec and IT professionals around the world are catching up on sleep lost over the weekend. A fair number of them are probably, like me, wondering how this became so ugly and so widespread. While I know this cyber event had real world implications, in all honesty, this should never have happened, nor been as bad as it was. This event was 100% avoidable, and without taking “extraordinary measures”. I guess one should never underestimate the technical debt of backwards compatibility, or humans in general.
Oh, I hear you now: “John, you can’t be serious, this thing took out hundreds of thousands of computers and their files and caused financial, technical and real world impacts!” Yes, you are right, but that does not change the fact that simple housekeeping processes, care and feeding, if you will, would have prevented this from happening. This is the hard truth.
The vector for the WannaCry ransomware was leaked over six weeks ago when the Shadow Brokers dumped a bunch of NSA cyber resources on the internet, including a bunch of exploits that the NSA had been holding onto for its own use. This was a previously undisclosed issue in an older, legacy protocol used by Microsoft Windows file sharing (SMBv1). This protocol is only necessary if you are running outdated software or unsupported operating system versions that need it for backwards compatibility. Soon after this was leaked, Microsoft released a bulletin about the issues, and released patches for supported versions of Windows soon afterwards. If people had applied these patches a month ago this would have been much ado about nothing.
But no – we can’t patch, we can’t take an outage, it’s too hard, we are running obsolete software, blah blah blah. The chorus of reasons to not patch apparently held sway at a large number of networks.
Look, I get it. There is never enough time to patch. Never enough resources, etc., but this crisis was not (in my opinion) the fault of Microsoft, nor the NSA (two organizations I can’t recall coming to the defense of in the past…) but the fault of every person at these organizations who approved not patching, or worse, did not request to patch. There are a few situations where patching may not have been possible, where the offending OS was embedded into the device (such as medical devices) and could not be upgraded, but that is the exception, not the rule. In those cases, though, do you really need to have it connected to the internet and fully exposed? Really?
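Here is the kind of housekeeping check the last few paragraphs are talking about, as an added example (not part of the original post): audit a Windows host for SMBv1, see whether any legacy client still depends on it, and optionally switch it off. It assumes Windows 8.1 / Server 2012 R2 or later with the SmbShare and NetTCPIP modules, run from an elevated PowerShell session; the `-Disable` switch and the `SMB1Protocol` optional feature name are what a typical client SKU uses.

```powershell
# Added example, not the post's own code: audit (and optionally remove)
# the legacy SMBv1 protocol on a Windows host. Assumes an elevated session
# on Windows 8.1 / Server 2012 R2 or later.
param(
    [switch]$Disable   # pass -Disable to actually switch SMBv1 off
)

# 1. Is the SMB server still accepting SMBv1 dialects?
$server = Get-SmbServerConfiguration
Write-Host ("SMB server: SMBv1 enabled = {0}" -f $server.EnableSMB1Protocol)

# 2. Are the SMBv1 binaries (client + server) still installed as a feature?
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Write-Host ("SMB1Protocol feature state = {0}" -f $feature.State)

# 3. Is anything talking SMBv1 to this host right now? Each session reports
#    its negotiated dialect; anything below 2.0 is a legacy client that will
#    break when SMBv1 goes away, so it needs fixing first, not ignoring.
$legacy = Get-SmbSession -ErrorAction SilentlyContinue |
          Where-Object { [version]$_.Dialect -lt [version]'2.0' }
if ($legacy) {
    Write-Host "Legacy SMBv1 sessions found (fix these clients before disabling):"
    $legacy | Select-Object ClientComputerName, ClientUserName, Dialect | Format-Table
}

# 4. Is TCP 445 listening at all? Expected on a file server; the question the
#    post asks is whether that port really needs to be reachable from outside.
$listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
Write-Host ("TCP 445 listening = {0}" -f [bool]$listening)

if ($Disable -and $server.EnableSMB1Protocol) {
    # Stop answering SMBv1 immediately (no reboot needed)...
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # ...and remove the legacy binaries entirely (reboot required to finish).
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    Write-Host "SMBv1 disabled; reboot to complete feature removal."
}
```

Run it without `-Disable` first across the fleet and treat any host with `EnableSMB1Protocol = True`, or any session with a 1.x dialect, as the backlog the post says should have been worked off long before this weekend.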
What I really fear is the (already started) spewing of pseudo-science and marketing FUD from security vendors trying to sell quick fixes for the security debt incurred by bad practices and management. You cannot buy Security. Security is a verb, something you do, not something you can go to your local Wal-Mart and buy a box of. If it was, we would all be in line to get a metric crap ton of it. Yes, security can be hard, and understanding risk and taking responsibility for reasonable choices is a pain in the ass at times, but it is the world we live in.
Sorry for the rant, but I’ve been following the press and info on this, 99% of which is complete crap. Here is a link to some of the best info on this, including the technical gory details.
I couldn’t end this rant without a shout out to our new InterWebs Hero, MalwareTechBlog, who unknowingly and completely accidentally pretty much shut this whole thing down by registering a domain name found in the malware’s code. I tip my hat to you bud … and while it does not compare to a year’s free pizza, I will buy you a beer should we cross paths at some security conference 🙂
The moral of this story is simply, stay current on your systems, keep your patches up to date, and for the love of God and the Flying Spaghetti Monster’s many tentacles, do not click on shit in email – period‡. Your Infosec team will thank you for this!
‡ Yes this means YOU. Put down the mouse and step away from the computer … and no one will get hurt!