More on the WannaCrypt ransomware hacking fiasco
May 16, 2017
Of everything reported on the WannaCrypt ransomware since Friday, the largest ransomware outbreak recorded so far, no matter how you interpret the news, nobody comes out of it looking good.
Whether you are an end-user clinging to an outdated and unprotected Windows PC (despite repeated warnings), or whether you are Microsoft, the author of the Windows operating system itself, all of this makes everybody look bad.
Even though Microsoft has been complaining about NSA exploit stockpiles, it had also been sitting on its own stockpile of security patches. Case in point: Friday's Windows XP security patch was actually built in February of this year, so why did Microsoft wait so long to push it out? It apparently waited for something like WannaCrypt to happen.
To be sure, WannaCrypt infected over 230,000 Windows computers in no fewer than 150 countries between Friday and Saturday, targeting unpatched Windows 7, Windows Server 2008 and earlier systems.
And the NHS and the British government deserve to be shamed as well. They had been warned time and again, but nothing was ever done. Nobody can claim this couldn't have been anticipated.
Among those earlier systems hit by the malware's extortionist authors was Windows XP, the desktop operating system released in 2001 that still accounts for about 7 percent of the market and for which Microsoft stopped issuing security updates on April 8, 2014, except for customers paying a premium for extended support.
The end of support had been flagged well in advance of April 2014, and the ramifications of not acting were simple and clear: continue running XP at your own risk, because your data and your PCs would be exposed to any malware written after that date. What's so hard to understand about that?
At the start of 2014, the NHS in England was running around 1.086 million Windows PCs and laptops at trusts, GPs and other health groups, in the run-up to Microsoft's planned end of support in April of that year.
The British government had agreed a temporary framework support agreement with Microsoft which guaranteed delivery of special security patches for XP, Office 2003 and Exchange 2003 for one year, priced at £5.584 million.
This was paid for centrally by the Crown Commercial Service (CCS), but seven months into the framework deal, 18 out of 140 trusts had still not taken advantage of this centrally negotiated lifeline, even though it didn't come out of their own budgets (it was paid for at Cabinet level) and even though the U.K. government had made it very clear that quickly upgrading from Windows XP was imperative.
However, not only did Whitehall fail to take control of the situation and implement the recommended security upgrades, it also did not renew its Microsoft agreement!
When the deal ended on April 14, 2015, it was decided that CCS would not purchase government-wide support for a second year. Instead, individual government departments and agencies were told they were free to allocate budget and sign their own agreements with Microsoft.
But the extended support deal of 2014 wasn't unique to this case. Microsoft offered similar support extensions to the private sector as well, but such deals were expensive: $200 per PC in the first year, doubling in year two. Microsoft was clear that it was a temporary measure and that customers had to demonstrate a plan to migrate to a more recent OS.
And yet, over two years later, vast tracts of the British state, including the NHS, continued to be exposed through outdated and unpatched systems.
As early as December 2016, a Freedom of Information request by Citrix put the count of NHS trusts with some exposure to Windows XP as high as 90 percent, with many set to miss the April deadline.
So what are they going to do about it? Now that a serious security incident has surfaced with WannaCrypt, Whitehall is taking action. Well, somewhat.
It's doing what it does best: talking, and blaming the victim. U.K. Defence Secretary Michael Fallon, speaking on BBC One on Sunday, preferred to concentrate on a different set of figures: the number of PCs across the NHS as a whole that were still running Windows XP.
Echoing the NHS statement of the previous day, he claimed on Sunday that "less than five percent" were running the OS. He also said that the government was "spending around £50 million on the NHS cyber systems to improve their security", and added that the government had "encouraged NHS trusts to reduce their exposure to the weakest system, the Windows XP".
Microsoft, for its part, acted within hours, issuing emergency fixes for XP and Server 2003 as well as for current builds (supported versions had already received the corresponding fix in March). And judging by the headlines, Microsoft appears to be shaping its own narrative of the WannaCrypt event.
And it should, since the NHS and the government itself are merely actors in this whole tragedy.