Last Friday, a large-scale ransomware attack known as “WannaCry” hit several hospitals in the United Kingdom along with other government and commercial entities. This week, it increased its presence to an estimated 300,000 computers in 150 countries. By and large, the systems exploited appear to have been compromised after a user responded to a phishing attack, but the exploit itself used a vulnerability that Microsoft identified and patched on March 14, 2017. It is also becoming apparent that while this exploit was only going to target Windows OS, it may have been developed and stockpiled by the National Security Agency (NSA) as a potential cyber-warfare weapon that was subsequently stolen and released into the wild.
My first criticism is for any user who is still using an operating system that has exceeded its end of life, such as Windows XP. Support and updates for this operating system ceased three years ago. While this venerable OS has enjoyed wide recognition for its stability and reliability for both home and business users, this OS was released in 2001. Folks, that’s 16 years ago, which is about four millennia in “computer years”. There is absolutely no valid reason for anyone at this point in time to be running Windows XP on any machine connected to the Internet. If you are a company still running XP as a corporate operating system, you really need to crawl out from your cave and start walking upright. Your malaise is part of what caused this exploit to advance so quickly.
Next up, any user or organization still using Windows 7…it’s about time for you to start walking upright, as well. As with XP, Windows 7 has been a reliable stalwart for both home and business users. But, here’s the deal…at the time of this writing, Windows 7 will reach end of support in just over two years.
As a home user, you may not see any need to upgrade your computer. It still suits your needs. You’re able to go online and check the news, pay your bills through your bank’s web site, check the Powerball numbers and generally surf around. You probably haven’t updated your Microsoft Office products, and you may still be using Quicken 2012 because they still work. But here’s the problem…while you’ve been comfortable in sticking with “what works”, there have been numerous “bad guys” out there figuring out how to exploit the older operating systems and applications. Identity theft has increased, in part, because of these exploits. Access to bank accounts has been compromised, and viruses have been spread, or, even worse, lie dormant waiting for their creator to spin them up and attempt some large-scale exploit as we just experienced with WannaCry.
Mr. and Mrs. home user, it’s time for you to spend a few bucks and upgrade your computer, your operating system and your applications. If you’re unable to do that, do the rest of the world a favor and unplug yourself from the Internet. By not upgrading periodically, you’re becoming a harm to yourself as well as your online neighbors.
Businesses and organizations – now it’s time to call you out directly. Just what in the H – E – Double hockey sticks are you doing still using either Windows XP or Windows 7 in a production environment? Yes, yes, yes…we all know that Windows 8…well, there’s no delicate way to put it…it sucks. Every once in a while Microsoft puts a stinker out there…I’m sure we all remember horror stories surrounding DOS 4.0, Windows ME and, of course, that debacle that was Windows Vista. But, so far, Windows 10 is showing all signs of being the next coming of Windows XP and 7 – not to mention that there have been no reports of WannaCry infecting or affecting Windows 10, because the bulk of users have automatic updates enabled and received the patch to this exploit back in March 2017.
It is past time for businesses and organizations to allow your network administrators and network security teams to gain the training required to deploy a secure Windows 10 desktop environment for your users, and appropriate server versions such as Windows 2008 or Windows 2012. I’m sure you already have a test lab to verify patch compatibility for your Windows 7 environment, and you can do the same thing with Windows 10. I don’t think it would be too much speculation to say that many organizations have moved to virtualization, so spin up a couple of Windows 2012 virtual machines and test those, as well.
Now, if you find that you have legacy software that’s not compatible with a modern operating system, that’s another story…and one that should probably include a healthy dose of chastising as well for not maintaining current versions. Yes, IT infrastructure is expensive and is always being upgraded – one of the reasons why it’s being upgraded is to help prevent attacks such as the one that occurred on Friday. It was just dumb luck that the 22-year-old who’s being credited with stopping this attack identified and registered the kill-switch domain. What happens when the next version that’s released by the bad guys simply inverts their logic? If it gets an answer back from a valid domain which they control, the virus spreads and only shuts down if it doesn’t receive a response. Now, stumbling upon the kill switch is going to be far more difficult.
And, finally, let’s call out the Government for stockpiling these weapons in an insecure manner. Don’t you realize that you need to treat cyber weapons like any other highly volatile weapon? You’re not going to leave a high-yield nuclear warhead lying around unguarded, or a biological agent to be taken home in the briefcase of a chemist, are you? I would certainly hope not, but, being the government, it seems you are inherently stupid so you just might. Keep these cyber weapons locked down. Closed and segregated networks only for development and testing. If someone plugs in a flash drive on one of the workstations in that closed network, alarms should go off and no copy operations should be permitted without proper security credentials. Storage should be completely off-network. Treat cyber weapons like any other weapon of mass destruction because they are nothing more and nothing less than exactly that: a weapon of mass destruction. I don’t fault you for developing cyber weapons, especially since other state players are obviously doing the exact same thing. But show some situational awareness, please!