Security or obscurity

I think just at present some people are probably glad that RO is obscure.

I wonder how long we can rely on this to hide from the worlds bad side?

For now, I think we’re a long way off from needing to worry, but it would be nice to factor in some security features, like better memory protection and privledge seperation, in a future version.

Thing is, backwards compatability is RO’s achilles heel. Maybe a good practice is to maintain support in RO5 but encourage better coding practices so it the majority will work on a future version like RO7, which will incorporate more important features, when RO7 is released

I think having totally open and insecure networks, running unpatched and obsolete software, your screwed. ;)
But from a RISC OS perspective, chain of trust is the only thing we can rely on

Don’t open the email called naughtynurse.mpg.virus.exe

Without trust life becomes hellish.

I agree that backwards compatibility can become a burden. Wistful fantasies are often beaten down by decisions made in simpler times, which in retrospect became shackles. Unfortunately we do not have the luxury of starting afresh with a clean sheet.

I think having totally open and insecure networks, running unpatched and obsolete software, your screwed. ;)

A junior colleague referred to our actions on Friday as “going into turtle mode”
Win7¹ fully patched, firewalls limiting in and out to specific ports, AV fully up to date², authentication on all network ports and we still cut the outside links and entered “turtle mode”³
Suppliers complain about how restrictive we are, “tough” sums up our response.

Don’t open the email called naughtynurse.mpg.virus.exe

I delete half of the internal mail⁴, never mind the external spam, but that sounds rather nice :)

¹ Internal firewall for protecting manufacturers “tat” and limit where it can talk to
² But this is a zero-day job so that would make much difference
³ You could call it paranoid, but we’re aiming for the quiet life
⁴ I have a, uncomplimentary, pet name for the “communications” department and a bit bin for their produce.

A junior colleague referred to our actions on Friday as “going into turtle mode"

Oh thank god. I saw the story breaking and thought about you…

Don’t open the email called naughtynurse.mpg.virus.exe

Of course. These days one just Googles stuff. And… mpg? mkv!

More seriously now… One can have a more secure system. One can, as a programmer, jump through many hoops and battle the kernel, play chess with the devil, and cryptographically sign every line of code.
You know what? You can still be pwned. Not only that, but sometimes the pwnage is running beneath the OS itself.
My two Linux based IP cameras. One is horribly insecure (if there’s telnet access, root and 123456 will get you in), the other I haven’t hacked yet. The supplier MCLSamar has ignored my request for GPL code, what a surprise… Firmware update? Don’t be silly.

So while having a more secure system would be nice, some of the best steps you can take are to keep it sectioned away from the outside world. My Pi can talk out, but only port 80 is allowed in. No unnecessary services are running (no ShareFS, no Samba…). This means the real worry is contaminated software, something that, thankfully, is mostly of another age. Messing with people’s RISC OS machines won’t make anybody any bitcoin, so there’s so much less reason…
That’s no guarantee, of course, but a quick look at The Register and you’ll see that even with hardened security, it can be compromised. Well, what do you think it actually means to jailbreak a phone/tablet? ;-)

I wonder how long we can rely on this to hide from the worlds bad side?

As long as we want, since it’s a Windows only threat…
Anyway, RISC OS is not security by obscurity, since its source is available. It’s just totally insecure :)

maintain support in RO5 but encourage better coding practices so it the majority will work on a future version like RO7, which will incorporate more important features, when RO7 is released

That’s what’s so good about the RISC OS community… optimism.

My response was a general statement of most networks out their BTW, I have no knowledge of the NHS networks (thankfully).
The fact that your replying to this and not still working is a testament to the response.
Well done!

“But from a RISC OS perspective, chain of trust is the only thing we can rely on”

Yes but you need more. Users introducing rougue software is only one avenue of your computer being attacked. Remote exploits are very common.

At the moment, I’d be surprised if someone is malicously targetting RO users, but if they do, things will be easy for them.

The fact that your replying to this and not still working is a testament to the response.

Living near the edge – some of our staff went up the road to George Eliott (Nuneaton) when they asked for an assist. Not really much hope shutting the stable door…

You may have seen some NHS establishments say they were not informed, Au contraire the inforation is distributed.
Whether the recipients have the resource to do anything with it is another question.

Naughty nurses, eh? Chance’d be a fine thing!

I too am surprised to see you here, Steve. I thought you’d be stuck at the coal face. Four aspects of this whole affair spring to mind, though there might well be many more.

1. We’ll never be rid of the threat so long as there are berks out there who see ransomeware as a means to a fast bitcoin.

2. The NHS’s unwillingness or inability (for inability, read “being hamstrung by the Treasury’s penny-pinching”) to migrate away from XP. I’m amazed at the number of XP boxes I see whenever I have a medical appointment; I’m at that age when I have a season ticket from the local trust so I see XP everywhere.

3. Hunt’s short-sightedness in cancelling the support package from Microsoft. Whether or not that would have saved us from this weekend’s fiasco, I don’t know.

4. We’ll never be rid of the threat so long as there are berks out there who click on links without thinking.

Now, back to the naughty nurses…

I too was surprised to see Steve’s posting here but it shows some in the NHS know what to do.

It is all to easy to say that the NHS being crippled by money constraints is the real cause or that the government is as well but though they may be at fault for a lot of things it isn’t so clear cut here I think.

These are individual NHS trusts that receive large amounts of money with various high paid NHS professionals running things, at least we are told this, so some of this can be clearly laid at the door of those who manage and run those IT departments.

As Steve pointed out some things could have been done to lock things down that may have stopped this in the first place or limited it’s impact.

Plus if they don’t have a back up routine in place then that is an even bigger failure to undertake risk management and any Trust that is in that position should be asked to explain why.

Finally I have mixed feelings about Microsoft at the moment on the one hand you can say they have been great at pushing out a fix to unsupported OS’s in less than a day but on the other hand they knew of this issue and the surrounding publcity by those that exposed the issue a while back and did nothing

I appreciate that many people just have to blame the government for everything, but morons cancelling support contracts without any understanding of what they are doing is endemic everywhere.
To be blunt that’s the problem when you have far too many managers, managing F’All!
There’s a reason why companies refuse billion pound contracts to “upgrade” these kinds of things.
When you can’t pay anyone enough to upgrade ‘em, you know there’s a fundamental problem.

To be fair to M$, it’s up to the companies IT Security to ensure that systems are patched, not M$. After all you have to judge the risk and make a call. Can’t expect M$ to do that for all companies.
The warnings were very, very clear.
To be affected this soon afterwards is unlucky. (once is unlucky, as long as the lesson is learned)

These are individual NHS trusts that receive large amounts of money with various high paid NHS professionals running things, at least we are told this, so some of this can be clearly laid at the door of those who manage and run those IT departments.

If you reference against businesses IT spend vs. their total budget and compare with the typical budget for NHS IT and total budget then the NHS spend is best described as “pitiful”.
It also doesn’t help when the political decisions are pushed at private contractors benefit rather than best service.¹

far too many managers, managing F’All!

“Cuff-links” is the short form comment used by one of my colleagues.

¹ I know of a surgery/health centre that has it’s IT network covered by what used to be the PCT (CCG’s these days) with a private firm doing the PC & systems. I could tell you what the password is on every PC that firm installs. The replication is bad enough, the brainless simplicity of the password is just…

Ah the other thing, the “support” that was cancelled in this case I think was extended, extended support for windows xp. Which not surprisingly was insanely expensive. So vaguely understandable.

Cuff-links that’s awesome. :D

Nice password rotation policy then!
Take ’em outside and shoot them.

The replication is bad enough, the brainless simplicity of the password is just…

At work, some stuff is locked with combination padlocks. I can pick these easily (look inside the gaps below the number wheels and the mechanism is clear, I might to write a blog article on it).
If I was picking a lock without looking, I’d try 0000, 1234, 9999, and the current and past three years (2014-2017).

Well, one of those is correct, for each of the locks. Maybe different, but still rather evident, don’t you think?

Huh.

If I was picking a lock without looking, I’d try 0000, 1234, 9999, and the current and past three years (2014-2017).

That’s a description of the sort of numbers I’d use…

… to “scramble” things when locked except several such locks I know don’t have 9

If you reference against businesses IT spend vs. their total budget and compare with the typical budget for NHS IT and total budget then the NHS spend is best described as “pitiful”.

It may be but I think you would be surprised at the spend at some private outfits and not in a positive way.

As I said it isn’t always about money and if those in charge are good then they assess the risks and/or read the information that is sent out as you pointed out it isn’t as if they can say they were not told. Ignorance is not an accepted defence in somethings.

Those who are paid to make decisions or take responsibility for IT matters in Trusts ultimately should be held responsible if they abdicated their responsibilities but some how I can’t see that happening either so some minions will no doubt suffer as is the usual way.

At the moment, I’d be surprised if someone is malicously targetting RO users, but if they do, things will be easy for them.

Not sure. It’ll be very easy to crash it. But to attack it… that depends. On my first system, there is no incoming port opened. On my other one, there is no Internet connection.

To be honest, there is only one way to protect a computer from Internet threats: sandbox every application that use the network connection. And sign every executable.

Once you decide to make R/W SMB shares, you have NO WAY yo block the action of a ransomware. That’s just the result of a bad strategy.

To be honest, there is only one way to protect a computer from Internet threats: sandbox every application that use the network connection. And sign every executable.

Nope, not foolproof.
The actual single method involves an “air-gap” in old fashioned terms, these days you need a RF “gap” too.
Simply put, don’t connect it.

@Steve – I’d disagree even with that!
Once you decide to let Users access a computer, you also are screwed!
If you need to get data onto a computer, there is an attack vector.
So I’d say there is no way to do it.
Perhaps if you put it at the centre of Jupiter, not switched on or connected.
That would be hard to hack (in it’s 1/2ms existence) with today’s technology.

@David
You don’t need an open port to attack something, or an internet connection.
You just need a user…

Once you decide to let Users access a computer, you also are screwed!

That’s true. In my mispent youth, social engineering was always my favourite avenue.

there is only one way to protect a computer from Internet threats: sandbox every application that use the network connection

Not really the only way. W^X memory protection and chroot features aren’t sandboxing but are quite good at slowing down hackers. Sandbox is not a bad idea but it’s annoying in the real world. If I sandbox my browser and download some files, I can only access them inside the sandbox. This is why a lot of iOS apps have dropbox or google drive integrated just so you can get your files out. If you create an API to for certain activities, like saving files outside the sandbox, you’ve weakened the sandbox and that is now an avenue a hacker may use to escape the container and gain access to your computer.

For my servers and routers, I use OpenBSD because it has only had 2 remote exploits in the base software in 25 years. Even then, I can spend days securing a new server even though I often only use base software. My home router took 8-12 man hours to set up. Not because it’s hard, I could probably do it in 1 hour, but because I want it to be secure. There are no quick or simple fixes when it comes to computer security, even when using secure software.

sandbox every application that use the network connection.

Do remember that a sandbox is really just another layer to break through. There’s nothing magical about them, and they have been compromised.

And sign every executable.

Again, no guarantee. Better than wide open, but don’t be lumped into false security.

And sign every executable.

Signing is good against MITM or protecting yourself from downloading hacked software but that’s all it offers. You’re still relying on a chain of trust. If you don’t already possess the signature from a safe channel, then its pointless 9 times out of 10. OpenBSD used to be released on CDs and printed the signature on the cover. Each release also contained the key for next release so 5.9 had the key for 6.0, 6.0 had the key for 6.1 etc…

Unless you’re paranoid, then you’re relying on software to check the chain, and that then is the weak link.

I think RO is a long way away from real world benefits of signed binaries. The main fixes RO needs is changes to the kernel and overall architecture to harden the system to a hostile internet.