Published: Fri, May 19, 2017
Hi-Tech | By Ellis Neal

WannaCry Malware Attacks Persist

WannaCry Malware Attacks Persist

"Sixteen hospitals in the United Kingdom were forced to divert emergency patients after computer systems there were infected with Wanna", reported cybersecurity blog Krebsonsecurity. But do Microsoft and the National Security Agency share the blame? "Otherwise they're literally fighting the problems of the present with tools from the past".

Under former President Barack Obama, the US government created an inter-agency review, known as the Vulnerability Equities Process, to determine whether flaws should be shared or kept secret.

But the NSA's role in the creation of WannaCry has been misunderstood: The intelligence agency did not actually create WannaCry, but played an inadvertent role in midwifing the bug. It was benign because it contained a flaw that prevented it from taking over computers and demanding ransom to unlock files but other more malicious ones will likely pop up. It could have been used to wipe out the data on computers it infected.

Indian businesses, organisations and financial institutions largely escaped the impact of WannaCry malware attack, though India was the third most affected after Russian Federation and Ukraine. For Microsoft, that makes it an uncomfortable reminder of how devastating even one software vulnerability can be. As soon as we received the alert, we chose to work over the weekend.

Avivah Litan, a cybersecurity analyst at Gartner, agreed that the government is "is negligent not doing a better job protecting companies", but added that it's not like "you can stop the US government from developing cybertools" that then work as intended.

Pankit Desai, co-founder and chief executive officer at cyber security start-up Sequretek, said India's unorganised sector may have escaped dire consequences so far, but the attack is ongoing.

"Cyber attacks can shut down grid systems". He notes that in February Microsoft called for a new "Digital Geneva Convention" to address these issues, "including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them".

Therein lies the uncomfortable irony for Microsoft.

The Department of Homeland Security began an "aggressive awareness campaign" to alert industry partners to the importance of installing the Microsoft patch shortly after it was released in March, an agency official working on the attack said. Hackers will sometimes encourage you to keep your computer on and linked to the network, but don't be fooled.

The malware targets the outdated or legacy computer systems that run on old versions of Microsoft operating systems (OS). The company rushed out a patch on Saturday, however. Enterprise and government systems can rarely afford the potential downtime that goes along with a software patch or upgrade. But for a host of reasons, even patching computer systems is a hard challenge. Updating software will take care of some vulnerability.

Complex software interacts in sometimes unforeseeable ways with its component parts, and this makes IT managers loathe to push updates without a battery of tests.

It's a scary scenario for politicians, some of whom heard testimony calling into question the military and intelligence sectors' ability to defend the USA from cyber attacks just last week, in a hearing of the Senate Armed Services Committee. "Yet, when a serious vulnerability is discovered in software, many companies respond slowly or say it's not their problem". Computer scientists estimate that for every 1,000 lines of code written, there will be between 15 and 50 errors. But from the perspective of the NSA, Microsoft is asking the signals intelligence agency to unliterally disarm, which it isn't going to do. Therefore, when the vulnerabilities got into the wrong hands, it is akin to the "US military having some of its Tomahawk missiles stolen" without the necessary defence to protect consumers.

Like this: