I don’t typically politicise my technical Twitter account, nor this blog, but some technical problems are political. It is impossible to engage with security in any depth without confronting political issues. Earlier today, I dumped some thoughts on a private Twitter account, and a friend asked me to make them public. Here’s are those Tweets:
- SMBv1 is a widely-used file service that has been actively deprecated by Microsoft for an eternity, but which is present in lots of devices like NAS, networking kit and other networked devices like Sonos. Microsoft runs a program to help vendors deprecate SMBv1, but these are the kinds of things that hardware vendors routinely fail to do well.
- With effective network segmentation, malware like WannaCry can’t propagate widely, even if machines allow arcane protocols.
- Some instruments simply will not work if they get patched, to address issues like SMBv1 weaknesses. However, these devices need to be isolated through controls like effectively segmenting the network, or not networking them at all.
- No security professionals should be surprised that WannaCry is happening.
- The NHS (and most of the public sector) needs money to dig itself out of a mountain of technical debt. This is not an IT/security problem. It is an inevitable consequence of the Tory assault on NHS. If people die, we know who holds blame.
One further thought post-tweets. Some people may rightly point out that some of the funding issues and IT problems at the NHS began under Labour, but the world has changed significantly since the Conservatives came to power, and there has been an unequivocal failure to engage with those issues meaningfully where budgets have been slashed. It is not possible to adapt to contemporary threats with the obsolete technologies in use today. This will not be the last significant failure of critical infrastructure unless the coffers are topped up, and even then we can’t expect upgrade projects to happen more quickly at the NHS than they do elsewhere. This basically means that even if budgetary problems are instantaneously solved, it will still take more than a year with the best will in the world to get these risks down to manageable levels.
Further reading:
- Microsoft’s crystal clear plea to STOP USING SMBv1.
- Barry Dorrans (@blowdart) thoughts on all of this.
- Jessica Payne’s view of the tensions between patient care and good security practice.
- Microsoft’s current recommendations.
I’m sure I’ll be a bit more active than I have been recently on my technical Twitter account over the coming days (@tr5tn).