WannaCry – the dust settles (a bit)
Posted by Austin Morris on UTC 2017-05-20 14:18
What we know so far
The WannaCry ransomware attack that caused so much harm and alarm around the world earlier this month has now fizzled into the darkness behind other important events: TRUMP!™ (USA), COMEY!™ (USA), RUSSIANS!™ (USA), PIPPA!™ (UK), ELECTION!™ (UK), KimKardashiansCellulite!™®© (world).
We thought that our reader, who really has better things to do than surf computer tech sites deciphering acronyms, might like to have a quick, top-level review of the current state of knowledge about the WannaCry attacks, so that he or she can get back to tracking the really important stuff (list above).
In the turmoil of the first shock-and-awe of the attack, the media, bless 'em, grabbed anyone they could find to explain what was happening to their consumers. That first wave of 'expert' opining turns out to have been mostly rubbish.
What we know now
The first wave of the attack at least was not launched by people opening email attachments or clicking on links in emails – the attack spread too rapidly for this to be the case. Instead, the attackers searched the public internet for Windows computers offering Server Message Block (SMB) services. An SMB service is an old fashioned and very risky way of making files, printers and many other things that are part of a local network available from the internet.
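As an added illustration that is not part of the original post, here is a small Python check an administrator could run over firewall logs to find which of their own hosts have accepted SMB connections from outside the organisation; the log format, the addresses and the "internal" ranges are constructed assumptions for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall log (not real traffic), one TCP connection per line.
SAMPLE_LOG = """\
2017-05-12 07:41:02 ACCEPT TCP 198.51.100.23:51234 -> 192.0.2.10:445
2017-05-12 07:41:05 ACCEPT TCP 10.0.0.15:49811 -> 192.0.2.10:445
2017-05-12 07:41:09 ACCEPT TCP 203.0.113.77:40021 -> 192.0.2.10:445
2017-05-12 07:42:11 ACCEPT TCP 198.51.100.23:51240 -> 192.0.2.11:443
2017-05-12 07:42:30 DROP TCP 203.0.113.5:40400 -> 192.0.2.12:445
2017-05-12 07:43:01 ACCEPT TCP 203.0.113.77:40100 -> 192.0.2.12:139
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<action>ACCEPT|DROP)\s+TCP\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# TCP ports SMB listens on: 445 (direct hosting) and 139 (NetBIOS session service).
SMB_PORTS = {445, 139}

# Ranges treated as "inside" the organisation (RFC 1918 here; assumed, adjust to your own).
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_internal(addr):
    """True if addr falls inside one of INTERNAL_NETWORKS."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)


def exposed_smb_hosts(log_text):
    """Map each host that ACCEPTED an SMB connection from outside to its sorted external sources."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue  # unparsable lines and blocked connections are not exposure
        if int(rec["dport"]) in SMB_PORTS and not is_internal(rec["src"]):
            hits[rec["dst"]].add(rec["src"])
    return {host: sorted(srcs) for host, srcs in hits.items()}


if __name__ == "__main__":
    for host, sources in sorted(exposed_smb_hosts(SAMPLE_LOG).items()):
        print(f"{host} accepts SMB from the internet; seen from: {', '.join(sources)}")
```

Any host listed in the output is reachable on SMB from the public internet and should be behind the firewall (or have the service disabled) regardless of its patch level.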
As an analogy, suppose a group of restaurants in a town wanted to set up a shared wine cellar on one of their premises. The physical access to the cellar would normally be through the premises of the restaurant itself. In practice this would be inconvenient, so the host restaurant would have a door knocked through to their cellar from the street. Each of the participating restaurants gets a key to the door. However, the local Wine Lovers' Association (WLA) spots that there is a fault in the particular make of lock on that door. In fact, someone has already made a skeleton key to open it and let you in. The members of the WLA not only have access to the wine cellar but can roam around all the other parts of the host restaurant at will and invite their friends to join them. They may even lock you out of your own wine cellar.
Back in the computer world, a hospital trust might share files and services between participating hospitals and medical practices using SMB services. Very foolishly, as it turns out, because the National Security Agency (NSA), the people supposedly protecting us, had already developed the skeleton key to the Windows systems offering SMB services, thinking it might be a handy tool to spy on someone's data.
This tool was called EternalBlue. The NSA also developed a remote command execution tool called DoublePulsar, which 'persists' the vulnerability and takes over the target system. Once DoublePulsar has been installed, the cellar door is wedged open permanently, as are all other doors in the building. The attacker can now install whatever they want on the target. In the present attack it was the WannaCry ransomware, which encrypted every piece of attached storage on the system.
The NSA 'lost' a suite of such tools at the beginning of this year (we think). A hacker group calling themselves The Shadow Brokers tried to auction off the package, finally making it public anyway. Microsoft responded quickly and issued an update for vulnerable Windows machines in March.
The question of why 'official' computer systems were attacked so quickly while almost no private systems suffered can now be answered: most private users let Microsoft do their updating automatically or semi-automatically. The lock on their street door had been upgraded in March and the skeleton key was useless. Furthermore, few private users run a server and choose to share their data publicly. The attackers would never find them.
In contrast, the computers on networked systems are administered centrally and as such, cannot just be updated on an ad hoc basis. The administrators of such systems need to check that the updates will work well on all the machines in their systems and collaborate with all the applications, most probably custom-made, that they use. This verification is a tedious and time-consuming procedure that requires highly qualified technical people. They are scarce and expensive.
We also now learn that all the huffing and puffing about the vulnerabilities in Windows XP and Server 2003 was completely pointless: the implementation of EternalBlue used in the attack could not work reliably on those systems. Most of the systems affected were running Windows 7 or Server 2008.
Those who have been attacked by the WannaCry exploit not only need to restore their data from backups, they also need to make sure that DoublePulsar is not still lurking on their systems: in other words, they can't close and lock the cellar door unless they have taken out the wedge that is holding it open. A restore of some data is therefore not the end of the matter.
What we always knew
Email was not the distribution method for the WannaCry attack – at least in the beginning – but it remains the single greatest vulnerability for any system. Only follow links or open attachments from sources that are completely trustworthy.
Updating
We Windows 7 users were annoyed for a whole year by Microsoft misusing its Windows Update system as a marketing tool to push us into using Windows 10. Some of us switched off auto-updating, some, tired of doing monthly battle with this demon, even stopped updating at all. Some remnants of this annoyance may have been a factor in the current tardiness in updating Win 7 systems: once bitten, twice shy, but system admins should really know better.
Since then, some sort of sanity has returned, although there is still the problem of the totally useless – for the user at least – update previews and the single-package updates, which allow no choice of which updates are applied.
Keep your operating system up to date.
Antivirus software
Don't rely on antivirus software. Such applications only work on historical malware for which a detection method and fix has already been found. It is useless against new threats until a new definition is available, the creation of which requires that a number of victims have already been infected and that the software providers get to hear of the attack and come up with the vaccine.
Don't believe me? Of the many nasty tools in the NSA package only one – one – was detectable by antivirus software.
Keep backups offline
As we noted elsewhere in relation to backup procedures, ransomware attacks are particularly despicable because they lock up every disk attached to a computer. If you are a model user and make regular backups to a separate disk but leave this disk permanently attached to your system, then a ransomware attack will lock that up along with all your other data. The best defence is the 'air-gap', that is, keep the backup disk physically and galvanically separated from the computer.
The same caution applies for people using Network Attached Storage (NAS). If it's attached it can be accessed.
Heap contempt upon politicians who demand 'back-doors' and compromised encryption in the interests of 'fighting terror'.
EternalBlue and DoublePulsar were back-doors which a government agency kept handy for its own dark purposes. Sooner or later such things leak, leaving everyone's systems vulnerable to the baddies. As far as we know, the NSA chose not to tell Microsoft about the vulnerabilities, either.
Your author can remember a time in that Garden of Eden that was early computing when many pieces of equipment, modems, routers and even computers were protected by user-defined passwords. Somewhere in the handbooks, which, let's face it, only the nerds read, was the tip: if the user has forgotten the password, enter the admin password '0000' (or '1234' or that really tricky one, 'admin'). That was a backdoor. It was insecure then and anything like it is insecure now.
Whilst we are on the tedious subject of the idiots and incompetents who rule over us, many of them also talk about 'back-doors to encryption'. We should make it clear: there is no back-door in an encryption system. Data is encrypted using complex mathematical manipulations using the public and the private keys. In order to decrypt data you must have the requisite keys: no substitute keys will work; no trick can bypass this process; you cannot tell a computer 'I am from the cop-shop and I require you to decrypt this message', because it will immediately respond: 'Yes sir! Keys, please'.