Ransomware: It Certainly Does Make Me WannaCry
It would be surprising if it were upon this page you heard for the first time about the massive ransomware attack that bethumped the internet on Friday. Starting at 8:00 a.m. Zulu time, it is being called the biggest outbreak ever, and showed up all across the globe. If you somehow don’t know what I’m talking about, the New York Times has provided very thorough coverage, including this summary of the facts of the WannaCry ransomware assault (and they seem to be keeping the article updated). I have something to add to the media storm around this whole episode, words of approbation and disapprobation, but first a quick PSA:
- Everyone, from the consumer to the multinational, needs to take precautions against this infestation (and any similar attacks). The specific attack has been stopped (more about that later), but it will be simple for the instigators or anyone else with a copy of the code to revise it and set it loose again. Advice on IT security measures to take is better obtained from experts in that field. Here are a few:
- Symantec and McAfee (among many others) analyzed it for a technical and semi-technical audience.
- For everyone else, I like this article and infographic provided by TrendMicro.
- The bottom line is:
- Consumers should
- install and keep up to date a computer security suite that includes anti-spam and anti-virus tools, and
- maintain current backups.
- SMEs need the same thing, as well as more sophisticated tools that monitor activity on the organization’s network.
- Larger companies don’t need me to tell them what they need to do and their IT security staff have probably been doing it all weekend.
- Consumers should
- And everybody should be VERY CAREFUL, ALWAYS, about the links you click on in an email.
Okay, here endeth the lesson. Now to some more controversial dotleadership.
Thanks is owed to the UK analyst who tripped what’s being called the kill switch for this exploit. Yes, it will be easy to modify the code to restart it, but he put a stop to the immediate crisis, and now the world is better prepared for further outbreaks. The fellow is staying anonymous for now, as I’m sure would I, had I a discovered a theft of many millions by organized crime and stopped it in its tracks; but he wrote up the weekend’s activities in a blog post of his own (in which he goes by the handle “MalwareTech”). He makes light of his actions, saying he “accidentally” stopped the attack. The media have echoed his self-deprecation: The Times’ summary says it was accidental, The Guardian call him an “Accidental hero”, and Wired says he “stumbled on a way to stop it” (while confusedly calling the disabling function itself accidental). The facts appear to be that the young man responded to the crisis by conducting a careful and intelligent analysis of the situation. He followed the procedure established at his company, took prudent actions, and that resulted – albeit incidentally and fortuitously – in the triggering of the “kill switch” (how and why this worked is pretty interesting, but I’ll let you read his account). Like police and firemen, IT security professionals who keep us safe by doing their jobs well don’t get the recognition they deserve. MalwareTech is a professional who diligently applied his sophisticated expertise – suspending his vacation to do so – and he deserves our appreciation.
But speaking of IT security professionals who are supposed to keep us safe, some who may not have done such a bang up job are to be found at the US National Security Administration. It has been widely reported, including in The New York Times and The Financial Times, that the code for this ransomware was built on stolen NSA hacking tools that were leaked last month. Apologists explain that it wasn’t the actual NSA code that was used, “but they did copy something from the tool kit.” To my mind, if a nuclear bomb goes off using technology from the Atomic Energy Commission, protestations that “it wasn’t our plutonium” would be a little beside the point. The NSA has something to answer for.
Okay, the execrable thieves who stole and then released the NSA’s toolkit are the more culpable. But the NSA wield very powerful tools with a bare minimum of legal authority and oversight, as we know very well thanks to a more high-minded thief. It isn’t the only agency with awesome power. We entrust our governments with tools and weapons that should never be deployed by private individuals or businesses; but we expect them to be safeguarded accordingly. It takes a great deal of technical ability, organization and infrastructure to make use of nuclear bombs, aircraft carriers or F-22 Raptors; the NSA’s scary technology requires not nearly so much. Maybe this makes the US armed force’s jobs easier, and the NSA’s harder; but if organized crime attacked civilians with F-22s we’d be right to hold military authorities to account. Instead, there doesn’t seem to much inquiry into the breach, and very little discussion of whether the NSA is treating the power we grant them with respect. The American public should question the safeguards under which this spy technology is held and, dare I say it, maybe even question whether it was such a great idea to develop it in the first place.
Take this as a parable of IT professionalism (something dear to my heart and about which you will hear more in these pages). IT professionals need something along the lines of the doctors’ “above all, do no harm” credo. To call ourselves professionals we need to internalize the notion that we have duty of care that transcends our personal and even our organizations’ interests. MalwareTech seems to hold this ethos; the NSA does not.
« Insurers Tripping Over the Blockchain Mentoring Benefits, Up and Down »