The British Navy Runs on Windows XP

mlnews

In a mark of abject embarrassment for the Crown, it has been discovered that the flagship of the British Navy, the HMS Queen Elizabeth, is running Windows XP and falls below the home line. No surprise to those working in IT, the government and military have failed to live up to even the most basic security and stability standards. That's right, chances are the little SMB businesses that you see day in and day out are likely not just taking security more seriously than the British Navy, but are more competent to do so.

The British Ministry of Defense shows the hubris of a first time SMB failing IT manager in claiming that they are unique and therefore don't need security precautions like everyone else does: "The Ministry of Defense has argued that the nuclear submarine system does not need an updated operating system simply because when the warship sails into the sea, it is isolated and hence, does not stand a great chance of getting hacked. Hence, the carrier has only been armed with a team of cyber specialists to defend it from cyber attacks, Lieutenant Commander Nick Leeson stated." This, of course, is a shocking embarrassment for anyone serving in the British armed forces knowing that they report to a command chain that should be fired from the most junior of IT roles.

This is a complete failure of the military and government here and shows that the safety of the brave men and women serving the Crown aren't given the same consideration a junior admin would give their ripped DVD collection. Hubris has no place in IT, it is the outright enemy of security and what we need to do.

scottalanmiller

I wonder how quickly there is going to be a bounty on hacking these systems. Want to guess, given what we know about the security attitudes shows, how easily it is to hack a warship that has no secure systems, no way to patch and no competent security or admin people around?

travisdh1

@mlnews Wish I could upvote this more than once.

Dashrender

@mlnews said in The British Navy Runs on Windows XP:

of cyber specialists to defend it from cyber attacks, Lieutenant Commander Nick Leeson stated." This, of course, is a shockin

As mentioned in another thread - Iran centrifuges anyone?

PenguinWrangler

So would this then be "Windows for Warships"......

scottalanmiller

@PenguinWrangler said in The British Navy Runs on Windows XP:

So would this then be "Windows for Warships"......

Wow. lol

Deleted74295

Rewind.

Are these systems accessible from the outside?

Are only authorised military personal allowed near these systems?

Does the average SMB have a squad of armed sailors to protect from physical intrusion?

This sound like a nonsense article.

DustinB3403

@Breffni-Potter said in The British Navy Runs on Windows XP:

Rewind.

This sound like a nonsense article.

They must be accessible from the outside. How else are they communicating with the command center. There is a way to communicate with the system, and because of the age of the system they are vulnerable.

Are only authorised military personal allowed near these systems?

Not any more. . .

Does the average SMB have a squad of armed sailors to protect from physical intrusion?

Why would they, they update to remain secure. Physical intrusion is almost never the goal, you want the data, not the hardware.

Are these systems accessible from the outside?

Already answered this question

momurda

@Breffni-Potter The entire military depends on communications with each other. Of course they are accessible from the outside. In fact, probably wide open given that they are using 20 year old OS.

DustinB3403

@momurda said in The British Navy Runs on Windows XP:

@Breffni-Potter The entire military depends on communications with each other. Of course they are accessible from the outside. In fact, probably wide open given that they are using 20 year old OS.

And sitting in the middle of an ocean half the time. . . .

momurda

@DustinB3403 Right, the queen of England even says they are safe when out in open water. So they probably have Windows Firewall disabled.

Dashrender

@Breffni-Potter said in The British Navy Runs on Windows XP:

Rewind.

Are these systems accessible from the outside?

That's what Scott's excerpt says.

Are only authorised military personal allowed near these systems?

Excerpt doesn't say - but let's assume so.

Does the average SMB have a squad of armed sailors to protect from physical intrusion?

No, but then they don't need it - they are hopefully updating and using more secure software.

This sound like a nonsense article.

Perhaps - though I doubt it.

As for your armed guards comment, I'm sure the Iran plant was full of armed guards, but that didn't stop the infected laptop that a technician used to make code that was transferred via USB to the air gapped network from infecting the network - the tech was there by invitation, and his infection of the network was completely unknown.

DustinB3403

@momurda said in The British Navy Runs on Windows XP:

@DustinB3403 Right, the queen of England even says they are safe when out in open water. So they probably have Windows Firewall disabled.

Which a firewall that is 20 years old, even if enabled likely isn't secure.

scottalanmiller

@Breffni-Potter said in The British Navy Runs on Windows XP:

Rewind.

Are these systems accessible from the outside?

Does it matter? How hard is it to get a USB stick in there, how hard is it to trick military staff, how hard is it to hook up something to the network.

That the Navy suggests that being offline is protection, that alone is proof that they don't even understand what the risks are.

scottalanmiller

@Breffni-Potter said in The British Navy Runs on Windows XP:

Does the average SMB have a squad of armed sailors to protect from physical intrusion?

Is physical intrusion a key concern? This is a neat question to ask, but doesn't provide any insight into how this could be secure. The bigger the squad standing around these insecure systems, the more points of failure you have.

Also, high profile target, rather than low. They need way more than a squad of soldiers because they have something insanely valuable to protect.

So by comparison, the average SMB has MORE protection physically, not less.

momurda

There's also the possibility that since they just dont give a shit about security, how many people are rolling their own wifi there on the same network critical systems are on? How much shadow IT is on these ships? Probably nightmare scenario amounts.

scottalanmiller

@Breffni-Potter said in The British Navy Runs on Windows XP:

This sound like a nonsense article.

Why? You made points that they would make, based around hubris. Exactly the top risk factor in consideration.

scottalanmiller

@DustinB3403 said in The British Navy Runs on Windows XP:

@Breffni-Potter said in The British Navy Runs on Windows XP:

Rewind.

This sound like a nonsense article.

They must be accessible from the outside. How else are they communicating with the command center. There is a way to communicate with the system, and because of the age of the system they are vulnerable.

Not only that, they need to talk to each other. The "outside" might not be just outside the ship, but around the ship. There are likely massive points of vulnerability all over the ship. I doubt that there is a squad standing around every ethernet port.

scottalanmiller

@momurda said in The British Navy Runs on Windows XP:

@Breffni-Potter The entire military depends on communications with each other. Of course they are accessible from the outside. In fact, probably wide open given that they are using 20 year old OS.

And moreso given the hubris. They are so confident that they don't need security that they skip it in the most basic of places. What are the chances they have any other security when the low hanging fruit and a national embarrassment haven't been taken care of?

scottalanmiller

@momurda said in The British Navy Runs on Windows XP:

There's also the possibility that since they just dont give a shit about security, how many people are rolling their own wifi there on the same network critical systems are on? How much shadow IT is on these ships? Probably nightmare scenario amounts.

Exactly. I'd say the chances that these yahoos even know what devices are connected to their network is about zero. They can't install a modern OS or choose an appropriate one, but we think that they can secure other things? And they couldn't contain the secret that they were massively insecure. So we already know that there has been a security breach!