Microsoft: Lessons from last week’s cyberattack

Microsoft Blog, on the WannaCrypt ransomware attack:

The WannaCrypt exploits used in the attack were drawn from the exploits stolen from the National Security Agency, or NSA, in the United States. That theft was publicly reported earlier this year. A month prior, on March 14, Microsoft had released a security update to patch this vulnerability and protect our customers. While this protected newer Windows systems and computers that had enabled Windows Update to apply this latest update, many computers remained unpatched globally. As a result, hospitals, businesses, governments, and computers at homes were affected.

And:

This attack demonstrates the degree to which cybersecurity has become a shared responsibility between tech companies and customers. The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect. As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems.

Amen. This has long been a bugaboo shared by Windows and Android and to a far lesser extent by macOS and iOS. Getting your users to update to the latest OS is a non-trivial problem.

More from Microsoft:

This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.

This should be a wake-up call. But just as the OS installed base is hopelessly fractured, the decision-making mechanism behind these exploits is similarly fractured, mainly due to the need for secrecy. What are the chances the NSA, CIA and Microsoft are going to collaborate to work towards a solution?

[H/T John Kordyback]