I was having a chat with a journalist over the weekend, talking about what the future looks like for cyber-security risk in the UK. Here’s a transcript:
J: Where does it all go from here?
BR: Lots of hot air from politicians. Nothing done for months. A massive deal for ATOS or someone to refresh NHS desktops and security. Takes years, is late, doesn’t deliver real improvement in cyber-security practice. A lot more global outbreaks using the ShadowBrokers toolkits. A lot of people following the Russo-French lead and going back to pen & paper (yes, really). A properly nasty bank hack. A properly nasty cyber-terror outbreak with casualties. It isn’t going to get better – it’s going to get worse.
J: Which other large public-sector orgs are vulnerable? Still using XP! Are Macs as vulnerable?
BR: Everyone is vulnerable. NHS is worst because not part of central govt directly, heavily IT dependent and historically slack on security (leaving ward PCs logged in etc). DWP would be a good place to look, and perhaps civil service. Macs are also vulnerable, especially if not patched – ShadowBrokers had Linux tools, and Macs are also a Unix variant, so the technology may cross over.
J: What else is in the toolkit?
BR: You can download the toolkit; it’s mostly old news (which is why the “NHS uses Windows XP” issue was relevant) – but we don’t know what they got hold of and *didn’t* release. And of course we don’t know what the NSA still has (Snowden commented: “Quick review of the #ShadowBrokers leak of Top Secret NSA tools reveals it’s nowhere near the full library, but there’s still so much here that NSA should be able to instantly identify where this set came from and how they lost it. If they can’t, it’s a scandal.”).
BR: Remember the Scada/Stuxnet thing that originally targeted Iran? Analysts think that was them + possibly Mossad. There’ll be a lot of stuff targeted at industrial control systems (like Stuxnet was) because they’re rarely updated – so look out for attacks on factories, power stations etc. Also worry about traffic control, transport systems. Anything that doesn’t look like a computer, but actually is one – like airport announcement boards, adverts, ATMs etc – is probably running old software and not updated often enough. Worry about SAP too: lots of people using it for critical functions, but it’s under-researched from a security PoV. Follow the money, though – terrorists are still focused on blowing stuff up with RDX rather than TCP/IP. For now.
J: Do you really believe this MalwareTech kid helped?
BR: He definitely helped. By accident, but so what? The danger is people think this is over as a result. It’s not. The next worm won’t have an accidental kill switch. Does indicate that Wanna was stitched together by muppets – there’s definitely a good story on the “ransomware for rent” and “exploit mash-up” biz – providing tools in easy-to-use form for wannabe cybercrims without real skills, in return for a cut of the profits and a useful cut-out between the real perp and the vics.
J: Would be interesting to dig into the US case of the guy who leaked the original toolkit.
BR: I don’t think anyone’s doxxed the ShadowBrokers yet, not AFAIK.