359,000 computers infected, dozens of nations affected world-wide! A worm exploiting a Windows OS vulnerability that looks to the network for more computers to infect! This is the most pernicious, evil, dangerous attack, ever.
The Big One Wired pronounced.
“An unprecedented attack”, said the head of Europol.
Queue the gnashing of teeth and hand-wringing!
Wait, what? WannaCry isn’t unprecedented! Why would any professional in the field think so? I’m talking about Code Red, and it happened in July, 2001.
Since then dozens, perhaps hundreds of Best Common Practice documents (several of which I’ve personally worked on) have been tireless written, published, and evangelized, apparently to no good effect. Hundreds of thousands, perhaps millions of viruses and worms have come and gone.
Our words ‘update your systems, software, and anti-virus software’ and ‘back up your computer’, ignored. The object lesson taught by Code Red, from almost sixteen years ago, forgotten.
Criminal charges should be considered: Anyone who administers a system that touches critical infrastructure, and whose computers under their care were made to Cry, if people suffered, or died, as is very much the possibility for the NHS patients in the UK, should be charged with negligence. Whatever ransom was paid should be taken from any termination funds they receive, and six weeks pay deducted, since they clearly were not doing their job for at least that long.
Harsh? Not really. The facts speak for themselves. A patch was available at least six weeks prior (and yesterday, was even made available by Microsoft for ‘unsupported’ platforms such as Windows XP), as was the case with Code Red.
One representative from a medical association said guilelessly, in one of the many articles I’ve read since Friday ‘we are very slow to update our computers’. This from someone with a medical degree. Yeah, thanks for the confirmation, pal.
The worm has been stopped from spreading. For now. iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com was registered by a security researcher, and sinkholed.
Sorry, forget it. I went for a coffee while writing this, and predictably WannaCry V2 has since been spotted in the wild, without the kill-switch domain left dangling.
What have we learned from all of this, all of this for a lousy $26,000?
If someone gets arrested and charged, and by someone, I mean systems administrators, ‘CSOs’ and anyone else in line to protect systems who abjectly failed this time, a lot. WannaCry infections to critical infrastructure are an inexcusable professional lapse. Or, we could just do all of this again, next time, and people may die.
Afterthought: My organization, CAUCE.org recently turned 20 years old. When it started, we didn’t believe things could get this bad, but it wasn’t too soon after that it became apparent. I issued dire warnings about botnets in 2001 to the DHS, I made public pronouncements to these ends in 2005 (greeted by rolled eyes from an RCMP staff sergeant). I may have been a little too prescient for my own good at the time, but can anyone really say, in this day and age, that lives are at stake, and we are counting on those responsible for data safety to at least do the bare minimum? I await your comments, below.
