Ransomware Troubles? Blame Legacy Apps And Patch Problems

Status
Not open for further replies.

nzalog

Respectable
BANNED
Jan 2, 2017
541
0
2,160
Yeah I work for the server team at a hospital and our infosec department has a pretty aggressive patch schedule for all our servers. It still cracks me up when our application analysts give us shit for patching their servers because "it occasionally breaks things". I rather occasionally break things in a controlled fashion than occasionally have huge gaping security holes that occasionally brings entire organizations to their knees. It's like they think we get some pleasure out of patching servers... ffs... make me angry just thinking about it.
 

brucek2

Distinguished
Dec 31, 2008
117
0
18,680
It was not reasonable for Microsoft to withdraw security patch support for those older operating systems, despite their being customer willingness to pay to fund the effort.

The costs of ongoing patch support are affordable to the economy as a whole, and the large organizations that are stuck on legacy software would pay for it.

The costs of having to rewrite all the software that is essentially invisible 'appliance' infrastructure software that runs throughout manufacturing plants, retail points of purchase, control centers, hospitals, military, etc etc etc is not a realistic cost. It is no more realistic than say expecting homeowners to redo their home's plumbing or electrical wiring every few years.

Lawsuits and/or legislation should be aimed at Microsoft until they rethink their calculus on withholding this support. We have liability laws in this US and this would seem a good use of them. I do not expect them to incur perpetual losses with this support - they should be able to charge for it and they would have no trouble doing so - but placing the global economy and infrastructure at risk in the false hopes that they could force upgrade the world's medical terminals to Windows 10 so as to display ads on them is not reasonable.
 

alidan

Splendid
Aug 5, 2009
5,303
0
25,780
I have in the past had 6 windows updates bluescreen loop, I am VERY hesitant to update anything and with microsoft not allowing me to patch security only, or at the very least not reset to apply a patch, I usually only patch once. I found offline patching a while back, and am doing that for security but microsoft refuses to patch my os from the patcher because I have ryzen. I refuse to use windows 10 for many reasons, but number 1 is the very legitimate fear of getting windows to think some hardware has an update, the hardware breaking because of it, me reverting that update only to have windows rebreak the hardware again, 7 already does this with my tablet but once set up it won't re break it.

Now you want to have a solution for this issue? Long term service branch for hardware. Get a board together, and life critical hardware+software and standardize them, and there you go, you got a testbed organization that will all use the same hardware and the same software that will be supported and patched indefinitely, or at least until the viability of the hardware its using is no longer supported.

And how do you get hospitals to be on board? regulation, you make it a law that they are required to have these systems in place by X date, then subsidized to some extent if not fully the hardware upgrade. Then to top it off, allow for experimental/unsupported hardware to be allowed, but it can not be on the grid by law so you use thumb drives or something similar to take data from place to place, and there you go, a simple solution if you really want to fix the problem.
 

therealduckofdeath

Honorable
May 10, 2012
783
0
11,160
Well, you get the right to sue Microsoft for not patching a 16 year old operating system the moment you buy the rights to that code, Brucek2. Your arguments that hospitals don't have the competent IT staff to disable the built in promotions for other Microsoft apps and therefore are in their rights to use outdated software is so uneducated it really doesn't deserve a response. I would be more successful winning a lawsuit against you for spreading backwards reasoning on the internet than anyone would be if they'd sue Microsoft for not supporting software they sold when a smartphone was a phone capable of reading email headers. :)
 

therealduckofdeath

Honorable
May 10, 2012
783
0
11,160
I definitely agree with the writeup that bad procedures are the cause of the success of this ransomware. The fact that it seems like it was more successful in organisations sticking to the de facto security guidelines set up by amongst others the HSE in the UK should be an alarm clock. I'm not sure that it would be a smart idea to start developing custom applications on every level. Remember, it was after all custom applications that got most organisations, like the HSE, stuck on Windows XP to begin with. I think, the solution would have to be more in the line of having a more skilled people in charge of investments, to ensure the organisation will have a minimal risk of steering their applications platforms down an unsupported cul de sac. I've worked for several large corporations and some of them has really terrible IT structures, with several layers of applications to make sure the new hardware works with the old core applications they don't have any available software support for. Those applications were once custom built for core businesses and are considered too critical to tamper with. It was inevitable that this would happen, as this is a pretty common scenario for large organisations that's had wide infrastructures running for decades.
The "pecking order" within corporations probably had its responsibility when they decide to stick with old operating systems on computers all over their networks. Hardware and operating systems are often considered components that will just have to be kept in a state that supports old applications.
I don't know if Windows 10 will fix this but, I do think it's at least the smartest solution to make those organisations rethink their security procedures.
I guess they can consider themselves lucky that this was "only" ransomware, to extort bitcoins in return for an encryption key. It could just as easily have been the largest data theft crisis since the internet was founded.
 

brucek2

Distinguished
Dec 31, 2008
117
0
18,680

You are entitled to your opinion. However I'd note 1) you did respond and 2) Microsoft did issue a patch. You and I are not going to be the only two members of civilization having this discussion and whatever pressures led to Microsoft's policy reversal in this instance may be just beginning.

The legal, moral, and political issues at play here are complex. On top of that all 3 may have to give way to practical issues as the global economy is not going to accept constant shutdowns, yet rewriting all of the world's legacy software that is not compatible with the currently supported versions of Windows in one week, month, or year is not possible.

I agree that plenty of hospital IT staffs can "disable the built in promotions" but that's not what is required. Being able to rewrite decades worth of legacy software baked into every nook and cranny of a large complex enterprise is what is required, and it is a different skill set, a different amount of labor required, and it assumes they have the source code or the original vendor is still in business, yet neither may be true.

Your assertion that a society will forego all legal and political remedies against a product that is dangerous just because it is old are also incorrect - research for example asbestos, tobacco, and thalidomide.
 
All I can say is backup backup backup.

Lets face it. These users would not be pushing this ransomware without people paying the fee. These same backups also make rolling back from a bad update fairly painless.

I personally can not expect MS to patch Windows XP forever. Windows 10's update policy may suck, but the forced updates should actually reduce these issues. Home users will not longer be able to leave updates queued for months on end(Even I have a bad habit of doing this on my Media Center system[but have been pretty good as of late]).
 

alextheblue

Distinguished

Hi my name is Alidan and I'm having problems with Windows 7 on Ryzen even though I know that's not a supported combination - and I don't care because I refuse to use Windows 10 for some stupid reason even though Ryzen systems run it no problem. Also I run Windows 7 on a tablet which is hilarious. Now if you'll excuse me, even though I'm using a bad combination of old software and new hardware and/or a tablet, I need to whine about it in every single Microsoft-related article even though it's really tiring to read. It's all Microsoft's fault!
 

Altherix

Honorable
Jul 18, 2013
13
0
10,510

You're entitled to support stupid people and continue the reason this mess happened in the first place.
When the first businesses that got ransomware and instead of listening to law enforcement that told them, "Don't pay the ransom." and they paid anyway because the upfront cost seemed cheaper than a long term solution.

Now today, we're at that can these companies kicked down the road, it became profitable for ransomware writers, so surprise, they launched a bigger attack to get more money. Why wouldn't they, businesses have proven they're more than willing to throw money for a short term solution instead of fixing the issue.

Your reasoning is the same, "These are all critical systems, it would be too costly, too hard, too difficult to replace all these systems!" So you continue the problem for a short term solution which in the long term will cost you more, look at the bigger picture.

Microsoft's patch release for dead OSes is just a product of our society that I'll point out you're enabling. Our legal system needs an overhaul because, "Well, I'm an idiot." is an accepted legal defense.

Also, as far as I know asbestos, tobacco, and thalidomide were always bad for you, so your comparison makes no sense. Not like 98, ME, Vista and XP were always insecure, they became insecure because Microsoft stopped supporting them, which they were very vocal and clear to customers that they should stop using them after a certain date.
 

chicofehr

Distinguished
Jan 29, 2012
538
0
18,990
If enterprise is scared of updates breaking stuff on older OS then they would be very scared of windows 10 which gets too many updates. So I doubt anything will get better.
 

hoofhearted

Distinguished
Apr 9, 2004
1,020
0
19,280
Plain and simple. Security departments need more authority and governance within the organization. Your app is broke. Suck it up Nancy! It was probably part of the problem to begin with.
 

zodiacfml

Distinguished
Oct 2, 2008
1,228
26
19,310
I agree. It is also not that bad these days as consumers have become beta testers which is the reason Microsoft is pushing updates in Windows 10 as much as possible to consumers while giving the option to delay these updates to other versions of Windows 10.

Windows XP is a different kind of a problem though but has a workaround. These machines has to have their own VLAN or network to isolate them from the internet or systems in the organization



 

brucek2

Distinguished
Dec 31, 2008
117
0
18,680
I guess I shouldn't be surprised that on an IT blog, IT employees are taking the position that their employer was "stupid" to prioritize spending on say doctors and healthcare equipment, vs. on rewriting software at enormous expense for no positive benefit to anyone other than Microsoft's bottom line.

In the wider discussions that will be taking place from the perspective of the global economy as a whole, I do not believe that will be so clearly "stupid." A hospital director who decided to use his budget to improve health outcomes first will probably find support from his government and legal system. Meanwhile, Microsoft, which first caused the problem by shipping insecure software, and then secondarily caused the problem again by withdrawing support for that software even though having the capability to continue supporting it, is going to viewed in an increasingly unfavorable light, especially if attacks continue and accumulate more disruption in more areas of life.

Those arguing the blame is on the organizations not having rewritten all their software are right to the limited extent that in assessing liability courts will have to review the relative ability of each party to have mitigated these issues. But the outcome of a serious review can not be in doubt: the global costs of Microsoft to fix it once are pennies compared to thousands of enterprises each having to go it alone. Microsoft's lawyers will be stuck with the indisputable facts that Microsoft knew about vulnerabilities; had the ability to fix them and did fix them on certain of its operating systems; and made the unilateral decision to not fix them on other of its operating systems, despite having actual knowledge of them being deployed in industries throughout the world, and having been told of the dangers of withdrawing support (the latter will have been sent in droves from corporate IT departments, government analysts, press stories, etc.).

The assertion that these are "dead OSes" is strongly contradicted by the recent new stories which show that far from being dead, they are deployed in live production use throughout the world.

All of this will play out in the dozens of countries affected, each with their own legal systems. The costs of litigating or even initial research in all of the are staggering, much less than the just providing the patches in the first place, which is what should have been done from the beginning and will be the eventual outcome, the only question being how bumpy and damaging is the road to get there for all concerned.
 

ddpruitt

Honorable
Jun 4, 2012
1,109
0
11,360
This really isn't a Microsoft problem. People don't buy a car expecting the manufacturer to still make parts for it after nearly 20 years. People just cut costs in places they shouldn't cut costs. Back up your data, run a good firewall, isolate systems, and train your people not to be stupid. Granted that last one is a bit of a ah heck. If you're developing software follow good engineering practice regardless of whether its a throwaway app or something running mission critical systems.

The main problem is that people run machines with waaay to much on them. Just because you have the compute power doesn't mean you should run your exchange server, your billing software, and your main database on the same machine. That makes a system so much easier to break. Servers that have uptimes on the order of years do one thing and do it well. If you have a legacy system that requires XP fine, but only run that one piece of legacy software don't give the machine access to the internet or run peoples email on it.
 

mwryder55

Distinguished
Quite often software that was written for XP, for example, can be made to work on newer versions like Windows 10 with only a few changes to compatibility settings. It may take a couple of weeks to find all the places the changes need to be made and what they are but the end result is a more secure system then relying on an unsupported platform.
Upper management has to support the extra expense of finding a solution or to pressure the original software vendor(s) for one.
 

therealduckofdeath

Honorable
May 10, 2012
783
0
11,160
@Brusek2, again with the completely reality disconnected trolling. Show me a current, modern operating system that's never had a security patch applied.
Had Microsoft not already patched this, they could arguably had been at fault.
This was patched a long time ago. This was a widely known issue that everybody with a basic understanding in IT knew would be exploited at some point. You obviously don't understand that, so, you should really stop commenting on this.
 

brucek2

Distinguished
Dec 31, 2008
117
0
18,680
The "reality" of what happened is all over the headlines. It doesn't matter that YOU feel that upgrading to "current, modern operating systems" on Microsoft's self-chosen timeline was reasonable. What matters is that in over 100 countries around the globe, it wasn't. Enterprises weren't ready, Microsoft stopped issuing patches anyway, systems were left vulnerable, and serious consequences resulted. That's the reality.
 

curt504

Honorable
Nov 26, 2013
11
0
10,520
@adilan (blue screen loops) this is why I've turned off patch updates. ;( Like so many buried statistics my own opinion is that MS has destroyed as many computers as hackers.

So I use free Macrium image backup, daily running of cobian back up from working directories to my google docs dir etc etc.
 


I do hope you intend to forward this to the next UK government along with the details of how much it's going to cost and how you intend to finance it, because if it really is that simple you'll be in line for a knighthood.
 

extremepenguin

Distinguished
May 21, 2009
32
2
18,535
I have software that I must run that is only compatible with NT4, it took me a week messing with DLL's and file pointers but I got it stable and happy on Server 2016. I have a lot of software from the 90's that only room me on XP, we took a week playing with compatibility settings and registry entries and now it runs on Enterprise 2016 LTSB. I have a room running an impact printer the size of a Buick installed in 1963 now run through an Arduino controller and a Pi3 print server. We made a case to our accounting department for extra man hours to figure these issues out because we proved to them the costs of leaving them alone was too high. By Feb of this year we had phased out every copy of XP and Vista and got all our legacy software running on Win10.

As IT professionals we can't just sit around and accept that a piece of software doesn't run on a newer version of the platform "just because", we figure it out.
 
Status
Not open for further replies.