Telefonica Hit with Ransomware
-
@Tim_G said in Telefonica Hit with Ransomware:
But what I would improve upon, with a vulnerability of this scale, knowing what would happen... I would have given more time, or at least withheld some details... allowing appropriate parties to fix things, before leaking everything.
I'd agree there except, I'm pretty confident that they had a lot of time to get this fixed and declined to do so. Patches take very little time. The NHS was hit, and Telefonica too I suspect, because that safety didn't matter to them, it wasn't a priority and they chose to take that risk for whatever reason.
-
@Tim_G said in Telefonica Hit with Ransomware:
Microsoft fixed the vulnerability a month ago. Great, keep your systems up to date and you're okay... Then if you get infected it's your own fault (as in the NHS's case). But only a month between the patch and malware release?
Only a month? That's a long time.
-
@Tim_G said in Telefonica Hit with Ransomware:
Of course that depends on the NHS's patch schedule, if any... but you get my point?
Lives depend on them patching daily. Lives. This isn't a game. If their patch schedule isn't "as needed" it's reckless and unsafe.
-
Example... NTG's patch schedule is "every six hours." Why is the NHS struggling with months? They have one of, if not the, largest IT budgets in the world. What could their excuse possibly be?
-
So because the world doesn't work in the "ideal" way that it "should" regarding patching... vulnerabilities should be leaked immediately and hackers should go ahead release their malware. If people die, they die, because you "should" have been keeping your systems up to date... good game.
-
@Tim_G said in Telefonica Hit with Ransomware:
So because the world doesn't work in the "ideal" way that it "should" regarding patching... vulnerabilities should be leaked immediately and hackers should go ahead release their malware. If people die, they die, because you "should" have been keeping your systems up to date... good game.
There is one way to fix this, people patching appropriately. The vulnerabilities are out there and that's not going to change. Idealism is nice, but realism is better. In this case, they kind of line up.
The other option is "hope the bad guys play nice so that the 'good guys' don't have to be competent." It's not realistic.
-
@Tim_G said in Telefonica Hit with Ransomware:
So because the world doesn't work in the "ideal" way that it "should" regarding patching... vulnerabilities should be leaked immediately and hackers should go ahead release their malware.
In an ideal world we don't have hackers. Nor do we have anything to leak.
This is purely about a practical method of dealing with the problem. We have people who decided not to patch systems, there is nothing we should say to excuse that. They have jobs where they are tasked with patching systems and securing them to protect lives and didn't. Sure, the NSA and hackers (those are kind of the same and we have to equate any attack using NSA code to a direct NSA attack) are the worst people here, but the leakers are basically bystanders. The NSA/hackers and the NHS slackers (hackers and slackers) are the parties that are truly at fault without question and need to be held accountable.
When we blame the leakers for exposing these malicious parties, we excuse bad behaviour and make it sound like those that didn't bother to do their jobs aren't responsible too.
-
@Tim_G said in Telefonica Hit with Ransomware:
If people die, they die, because you "should" have been keeping your systems up to date... good game.
This is where we literally are today. People dying or possibly dying because they should have properly patched systems and decided, for some reason, that not patching was better. Is patching going to protect against every case? No. But it would have protected against this one.
Imagine saying this about any other field. Oh, the patient died from an infection because the doctor should have washed his hands first... only in an ideal world would doctors wash their hands. Of course that is silly. We know that doctors need to be held accountable for washing up, and they do because we don't accept excuses for not doing their basic job with basic diligence. We would never call it an impossible ideal for doctors to wash up. Why is IT seen as different? We are talking about something similarly basic. In fact, we are talking about systems that would have patched themselves if someone didn't intentionally disable that feature, right?
-
@scottalanmiller said in Telefonica Hit with Ransomware:
@Tim_G said in Telefonica Hit with Ransomware:
If people die, they die, because you "should" have been keeping your systems up to date... good game.
This is where we literally are today. People dying or possibly dying because they should have properly patched systems and decided, for some reason, that not patching was better. Is patching going to protect against every case? No. But it would have protected against this one.
Imagine saying this about any other field. Oh, the patient died from an infection because the doctor should have washed his hands first... only in an ideal world would doctors wash their hands. Of course that is silly. We know that doctors need to be held accountable for washing up, and they do because we don't accept excuses for not doing their basic job with basic diligence. We would never call it an impossible ideal for doctors to wash up. Why is IT seen as different? We are talking about something similarly basic. In fact, we are talking about systems that would have patched themselves if someone didn't intentionally disable that feature, right?
Yeah, great way of looking at it actually.
-
I mean I know it all sucks and it would be awesome if all the right people got all the right info and took all the right actions. But they don't and won't. So we need to push everyone that we can to do what they can. It's just what we have to work with.