Ransomware WannaCry: Realistically, what can we do about it?

The ransomware WannaCry attack is called unprecedented in its scope. But isn’t this simply what many expected will sooner or later happen? Isn’t “unprecedented” basically a new normal regarding cyberattacks, and realistically what can we do about it? Read few comments.

Tobias Eggendorfer, Professor für IT-Sicherheit, Hochschule Ravensburg-Weingarten

I do not think it is „unprecedented“, we had ransomware attacks in the past, with Locky locking down hospitals here in Germany by encrypting patient data. The same happened in the UK.

I believe we will see more of these ransomware attacks in the future, since this is a very efficient and „clean“ way to earn easy money to spend on new attacks.

I remember back in the early nineties the evening TV news warned about viruses such as Michelangelo etc., because they were about to delete files on Michelangelo’s birthday. We had the Blaster worm shutting down ATMs in Germany and continuously rebooting computers with a localised Windows version on them in the early 2000s, I believe it was 2003. The reason Blaster kept rebooting here were minimal differences in the memory layout between the US and the German version of Windows, which changed the behaviour of the code injection.

At the same time, Swiss traffic news in the radio warned not to open an email with a „love letter“ attached, a Trojan.

All of these were major attacks at their time – and we got used to them.

The bad news are neither have we nor the software manufacturers learnt our lessons. Software security is not a requirement when purchasing operating systems or applications. We accept an inferior level of quality assurance in software. If cars were built that way, roads were jammed to to broken down cars. Remember when MS Windows 98 was demonstrated by Gates and it blue screened? Instead of talking of the low quality, everyone was like „it doesn’t only happen to me, that’s good, it’s not my fault“. Compare this again to Mercedes, when they introduced the A-class which fell on its side during testing – and the joking international and national press, the massive effort Mercedes went through to re-establish their image.

Microsoft blames the NSA and governments not to protect their citizen and rather support their security agencies with zero day exploits (). However, they built the buggy system first, they keep re-introducing bugs, just think of the Ping-of-Death re-occuring in Windows updates in 2013. They hardly check for similar issues if one was found. Looking back at Blaster: It was a buffer overflow in the RPC service. One out of only four remote attachable network services in Windows at this time. Sasser was the second of these. No one driving a car with one tire running flat due to cuts wouldn’t check the other tires.

German courts rule that software is buggy – because it is believed to be to complex to be bug free. Cars are way more complex. But better not sell a new car under German legislation with a tiny scratch in the leather upholstery. Courts will rule that this is actually a fault.

It is possible to build secure software, OpenBSD being one the most visible examples. They go through the effort of coding standards, code reviews, automatic and manual testing. Which results in almost zero bugs.

It is not that Microsoft’s (or others) bugs are any special, require lots of knowledge to exploit, but they keep repeating the same bug patterns since decades. The first description of a buffer overflow was in 1972. They are easy to avoid with simple coding standards and reviews. However they are still the default exploit today.

What we really need to do is change our software procurement process, require bug-freenees, enforce pen-testing and make software vendors liable for security holes. That is what we can do, where our governments could help by passing laws. For privacy, the new EU privacy law does exactly this, it asks for privacy-by-design as wall as privacy-by-default and introduces heavy fines for privacy breaches: 10 million €. That will change the market, if it is really enforced.

The same is need for software security…

Although, on a side note, I don’t see the new EU privacy law being enforced. The German government is upgrading to Windows 10, an operating system all privacy officers over here agree is not according to our privacy laws.

Since you are the editor for defence matters, allow me to look at the military impact: Most of Europe’s military relies heavily on Windows. Our defence systems might be disabled at once, with attacks like „WannaCry“. Along with public infrastructure, obviously. Instead of using a national Linux / BSD / OpenSolaris / whatever port, which has been code reviewed and security enhanced, we stick to unknown systems with massive issues. Again, something our governments should think about.

As customers, all we can really do is start to think about what we need. To me most of the time a computer is a tool. And tools need to work. And last. Which a screwdriver does, a proper chainsaw as well. And they don’t need set-up or update time, I’ll just grab them, use them and done. Whenever I have a choice I therefore suggest to use Linux / BSD / Solaris etc. Because they are way more like tools.

Unfortunately, Steve Jobs as well understood the „tool concept“ very well – which means Apple’s MacOS does the same. Except for it not being entirely Open Source and thus being harder to verify. However they just work.

So, we as customers, should stop buying the same crap over and over, and change to other systems with higher quality. This will (slowly) change the market.

Until then: Install all updates as quickly as possible, have firewalls properly set up, run malware scanners, never a trust an email neither their attachments, disable JavaScript and Flash and the like while surfing, never click on links in mails. In short: Don’t use the computer the way it was intended to be, as a comfortable tool.

Tim Stevens, Lecturer in Global Security, King’s College London

We did not know precisely when an incident like this would occur, nor what type, but we have expected something major to hit critical infrastructures for many years. This is for two reasons. One, that no computer security is perfect. This is due to coding mistakes (bugs) but also because of user error, which allows vulnerabilities in social and technical systems to be exploited. Two, the Internet is a complex system and all systems of this type have the potential for cascading effects. That is, when a single failure in one place can trigger failures elsewhere in a network. Many experts have suggested that ransomware, in particular, might be the cause of such an incident but our systems continue to be poorly defended against these forms of malware (malicious software).

Every year we are seeing incidents of ever-greater scale, sophistication and impact. In this sense, each new instance of data loss, cyber fraud, infrastructure failure, information warfare, is unprecedented. WannaCry is not a cyber attack but an example of what happens when network defence is not treated seriously enough. In the UK and elsewhere, critical systems were running old Windows operating systems (e.g. Windows XP), which were not updated either by Microsoft or the operators of these networks. Security software was left unpatched and vulnerable. Organisations were slow to upgrade their information technology systems to newer and better protected operating systems. Users were not sufficiently aware of the risks and consequences of particular online behaviours.

No system security is perfect but keeping software updated and users well-educated are essential to reduce the possibility and impact of ransomware and other forms of malware. Organisations must also maintain secure back-ups of important data and have business continuity plans in place that mean they can continue operating should something like this happen again.

Mariarosaria Taddeo, Researcher, Oxford Internet Institute

It was expected, bound to happen, but it’s unprecedented in its scope and gravity. In 2016, cyber-attacks increased from 480 million to 1.6 billion, indicating a massive increasing of their frequency. It is reasonable to expect these numbers to continue to grow given the progressive weaponization and militarisation of cyberspace, as well as the reliance on malware for state-run cyber operations (like Titan Rain, Red October, and Stuxnet). Escalation is not just about the frequency of cyber conflicts. The recent WannaCry cyber-attack, the Mirai botnet DDOS attack, the 2016 Russian cyber-attack against Ukraine power plant, and the Russian infiltration in US Federal Offices show that cyber conflicts have intensified their impact, as they now target and cripple key infrastructures of our societies.

We are witnessing an intensification, an escalation, of number and impact. This is a trend. Cyber attack will continue to hit and to do it harder. The measures span over a wide range and identify responsibilities of different actors.
Cyber hygiene is crucial, security updates are essential to bound the spreading of malware like this one. Users’ awareness of how malware spread is crucial. Much like people were made aware that washing hands was crucial to spot the flu virus, they need now to understand and learn that ICTs requires some hygiene measures.

At the same time, big ICTs firms have the responsibilities of ensuring the security of all their hardware and software, independently of how old it is.

Finally, it is worrisome to know that states stock-up vulnerabilities, like the NSA did. It is a fallacy to think that state can keep secure vulnerabilities that it can keep secure nuclear or kinetic weapons. Stealing the former is exponentially easier, as we just saw.

There is need for these three groups of actors, citizens, private companies, and state, to start collaborate and coordinate to make cyberspace a safer place.

Myriam Dunn Cavelty, Deputy for Research and Teaching, Center for Security Studies (CSS), Senior Lecturer for Security Politics, ETH Zürich – Eidgenössische Technische Hochschule Zürich

Good observation: yes, many experts have warned against such a scenario, especially in the context of hospitals, which are notorious for weak cybersecurity.

It is also true that we see more “big” events in the cyber-realm. I think that has to do with the professionalization of the cyber-criminals. They go for big scams, which equal big money. Ransomware has been one of the prime concerns for quite a while now.

What can be done? UPDATE the security of the systems! Also, make sure phishing scams have little effect (there is always ONE person who clicks on a link they shouldn’t click). Have computers or parts of computers that are not connected to the internet. If you are the victim of a ransomeware attack: do not pay!

Olaf MaennelProfessor for Cyber-Security, Tallinn University of Technology

As you probably know very well, it is believed that the WannaCry ransomware use the EternalBlue exploit, which is believed to have been developed by the NSA (and leaked by “The Shadow Brokers” in April). This would probably lead us into discussions about ‘cyber deterrence’ and how useful it is to keep vulnerabilities secret rather than making systems more secure by disclosing vulnerabilities to the developers. However, this is a rather political topic and not a technical — and that’s really not my area and thus i would like to refrain from commenting on this topic. However, i do agree with you that we are currently living in “very interesting times”.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: